I worry a lot about password managers on mobile. Such as:
* if an app has a single developer (keepassium? strongbox?), how much money would it take them to add a back door? 1M USD? 10M USD? Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?
* if an app has a small number of engineers with commit access (bitwarden? 1paasword?) could any one of them be compromised by money or threats?
* Would password managers from Google/apple/microsoft fare better because they already face these risks and have controls? Or maybe not?
What's your threat model here? Some kind of mass hacking attempt? It would be easier to attack the service providers, rather than steal legitimate logins.
A targeted attack on a specific person? It would be easier to, as the famous XKCD suggests, drug and/or hit them with a wrench until they voluntarily hand over whatever information you want.
It's difficult to conceive of a situation where hacking password managers is the path of least resistance.
In the past two days, the official Syncthing Android client has been discontinued, making the use of KeePass harder. Bitwarden has been trying to move away from a fully FOSS system. And now this?
I've been using keepass for quite a number of years now. I have my database and a security key. I sync my database with dropbox (because I am too lazy to self-host something like nextcloud) between devices and just manually copy my key on everry device. My key was never synced through the internet.
I hope that's secure enough and works fine for me. I guess syncthing is just smaller and obviously doesn't need a third party?
Shameless plug: A few months ago I wrote a blog post [1] about integrating PasswordStore + GnuPG + TouchID on MacBook, and used that to automate my work VPN (Cisco AnyConnect) auto-connection [2], hence avoiding the need to interact with a very bad UI that is AnyConnect.
This seems to happen more and more often, or at least it feels that way to me. FLOSS projects that aren't highly critical but very useful are maintained by only one person which loses interest, burns out or simply has other priorities. Sometimes they don't even make an announcement like here and just ghost the project. Very sad, even though understandable.
Password Store sounds like a cool Unixy idea, but it's quite janky in my experience, especially if non-desktop-Unix systems are involved. The Android app was fine; it integrated with a GPG app that was less fine.
The point of `pass` is to offload the security aspect to gpg, so unless something goes wrong with that, I don't believe continued use, even if unmaintained, is very insecure.
In actually SSH into my desktop PC and use pass there to access my secrets.
Luckily, I only need to do this occasionally, so the inconvenience is bearable. Still waiting on the day where I randomly get logged out of an important app while not having internet access, or the power going out in my apartment right after I leave for two weeks (happened once, luckily didn't need my passwords then).
I worry a lot about password managers on mobile. Such as:
* if an app has a single developer (keepassium? strongbox?), how much money would it take them to add a back door? 1M USD? 10M USD? Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?
* if an app has a small number of engineers with commit access (bitwarden? 1paasword?) could any one of them be compromised by money or threats?
* Would password managers from Google/apple/microsoft fare better because they already face these risks and have controls? Or maybe not?
> add a back door?
What's your threat model here? Some kind of mass hacking attempt? It would be easier to attack the service providers, rather than steal legitimate logins.
A targeted attack on a specific person? It would be easier to, as the famous XKCD suggests, drug and/or hit them with a wrench until they voluntarily hand over whatever information you want.
It's difficult to conceive of a situation where hacking password managers is the path of least resistance.
In the past two days, the official Syncthing Android client has been discontinued, making the use of KeePass harder. Bitwarden has been trying to move away from a fully FOSS system. And now this?
I've been using keepass for quite a number of years now. I have my database and a security key. I sync my database with dropbox (because I am too lazy to self-host something like nextcloud) between devices and just manually copy my key on everry device. My key was never synced through the internet.
I hope that's secure enough and works fine for me. I guess syncthing is just smaller and obviously doesn't need a third party?
fwiw i've recently moved to sharing my kpdb using taildrive. The KeePass Android app can open databases from WebDAV
For iOS, Keepassium can use WebDAV as well.
> Bitwarden has been trying to move away from a fully FOSS system
Details?
https://news.ycombinator.com/item?id=41893994
The reason is the idea of a free operating system and software has been shattered and is now a guest in big corporations and Github.
It still kind of work but it is starting to crack in a few places.
Turns out living the FOSS dream is kind of hard.
[dead]
Shameless plug: A few months ago I wrote a blog post [1] about integrating PasswordStore + GnuPG + TouchID on MacBook, and used that to automate my work VPN (Cisco AnyConnect) auto-connection [2], hence avoiding the need to interact with a very bad UI that is AnyConnect.
Hopefully others find it useful.
[1]: https://gurjeet.singh.im/blog/passwordstore+gnupg+touchid
[2]: https://gurjeet.singh.im/blog/cisco-anyconnect-vpn-automatio...
“pass” in this context refers to a GPG-encrypted file based password manager: https://www.passwordstore.org/ https://en.wikipedia.org/wiki/Pass_(software) https://wiki.archlinux.org/title/Pass.
“pass” itself can be used in many contexts, but is primarily a desktop command-line tool. “Password Store” is the Android client for it.
This seems to happen more and more often, or at least it feels that way to me. FLOSS projects that aren't highly critical but very useful are maintained by only one person which loses interest, burns out or simply has other priorities. Sometimes they don't even make an announcement like here and just ghost the project. Very sad, even though understandable.
This is such a great application.
I feel like it's complete already and would be happy if it just continued to exist without much or any maintenance.
There is always need for maintenance on Android.
Password Store sounds like a cool Unixy idea, but it's quite janky in my experience, especially if non-desktop-Unix systems are involved. The Android app was fine; it integrated with a GPG app that was less fine.
Dang, this is rough. Pass is imo still the best password manager if you set it up right.
Hopefully someone picks this up.
This is actually a better outcome than finding out one day the app have a serious security problem.
While i like `pass` and that Android app looked really good, this is just not serious.
Because the fact that most people will end up trusting a random app as their password manager because it has 2k star on Github is crazy.
If you want to use `pass` on Android you should tinker something with termux .
The point of `pass` is to offload the security aspect to gpg, so unless something goes wrong with that, I don't believe continued use, even if unmaintained, is very insecure.
In actually SSH into my desktop PC and use pass there to access my secrets.
Luckily, I only need to do this occasionally, so the inconvenience is bearable. Still waiting on the day where I randomly get logged out of an important app while not having internet access, or the power going out in my apartment right after I leave for two weeks (happened once, luckily didn't need my passwords then).
That's saddening. APS used to be my daily driver once, and later I moved to Bitwarden.