Password Managers
-
@jasgot said in Password Managers:
I'm trying to wrap my head around the idea of my passwords being stored on someone else's storage; in the cloud.
How do you reconcile this? What specifically makes you think it is safe to do so?Easiest to reverse the question...
Try wrapping your brain around storing passwords locally on your own infrastructure. That's less secure on average (dramatically so) than on cloud. So if you can answer this for local, you've proven cloud is better (because cloud is better.)
There's nothing to reconcile. You want passwords to be secure, cloud is more secure and more importantly, available when needed.
The same thing makes it safe there as does locally ... encryption. If the password system is not encrypted then it isn't safe anywhere. If it is properly encrypted, it is safe anywhere. That doesn't mean that you want to expose it, but it means you could.
So because we have good encryption local storage is safe enough. Since cloud is better (more secure, more available), there's nothing to reconcile.
-
@jasgot said in Password Managers:
I have been avoiding password managers for years because I simply don't trust other people or organizations with my passwords.
Well, but... no one is asking you to do that. You are asking them to store the ENCRYPTED data of your passwords. You don't have to trust anyone. You should still use a vendor you trust, of course, but there's no need for trust. That's the point. With proper encryption you don't care that someone else theoretically (and it's truly only theoretical, the access to your data is generally greater on your own infrastructure than in the cloud) has access to the physical boxes.
Remember ALL super high security systems are run this way. From military to government to Wall St. - there are datacenters (cloud or otherwise, it's all the same from an access perspective) and the security assumption is always that the physical access should be protected, but that bad actors will get in, and encryption makes it so that the access has no value.
-
@dashrender said in Password Managers:
@jasgot said in Password Managers:
@rojoloco said in Password Managers:
@eddiejennings said in Password Managers:
I was a LastPass customer to turned to BitWarden.
BitWarden here too, still trying to get management buy in to deploy it for everyone.
@eddiejennings said in Password Managers:
I was a LastPass customer to turned to BitWarden.
I'm trying to wrap my head around the idea of my passwords being stored on someone else's storage; in the cloud.
How do you reconcile this? What specifically makes you think it is safe to do so?
I have been avoiding password managers for years because I simply don't trust other people or organizations with my passwords. But I am finding the sheer number of password I have -- to be getting too cumbersome to manage; so I am considering it again.
LastPass was does all the work locally only. Only the encrypted blob and your email address is stored on their system.
That's normal. I don't know anyone who does it otherwise, that's considered base functionality to be considered a viable password manager.
-
Still using LastPass Families. Works well for us, no reason to switch to something else.
-
@scottalanmiller said in Password Managers:
You are asking them to store the ENCRYPTED data of your passwords. You don't have to trust anyone. You should still use a vendor you trust, of course, but there's no need for trust. That's the point.
If you use an online password manager or anything not open source you still have to trust them.
Because you don't know what they do with your master password, encryption keys and other things.
Lastpass for example have passed security audits but still have had multiple breaches. There also have been examples of malicious browser extensions grabbing passwords.
As with anything, "safe" doesn't really mean safe, it means a little bit safe. And often safe enough - depending on what you are protecting.
-
@pete-s said in Password Managers:
Because you don't know what they do with your master password, encryption keys and other things.
Last I seen, LastPass doesn't have your master password.
LP stores a hash of your email address and master password on your computer (not its servers), which it uses as an encryption key to encode your log-in details for other sites (with a 256-bit AES cypher), before storing them on its servers.
They don't know your details or encryption key, so create a unique ID token for you by hashing your password and local encryption key together. That ID token is then hashed with a random number when you create your account.
-
@obsolesce said in Password Managers:
Last I seen
So you have validated their source code? Or did you read it from their webpage?
Just to be clear, I'm not saying Lastpass doesn't do what they say they do. I only state that you don't know.
I'm sure their intensions are good but software is not perfect. That why there are plenty of vulnerabilities and bugs in everything.
-
@pete-s said in Password Managers:
That why there are plenty of vulnerabilities and bugs in everything.
You can't take from them something they don't have...
-
@pete-s said in Password Managers:
If you use an online password manager or anything not open source you still have to trust them.
You still have to simply trust open source.
Can you read all the code and know that their encryption is valid? That there are no exploitable bugs?
-
@jaredbusch said in Password Managers:
@pete-s said in Password Managers:
If you use an online password manager or anything not open source you still have to trust them.
You still have to simply trust open source.
Can you read all the code and know that their encryption is valid? That there are no exploitable bugs?
True, but it a lot easier to put more trust in something that is completely transparent and can be verified by independent sources.
-
For what it's worth: https://github.com/bitwarden
-
@eddiejennings said in Password Managers:
For what it's worth: https://github.com/bitwarden
Yeah, that's what makes it my top choice today, I think.
-
People that are using bitwarden, are you self-hosting?
-
-
@krzykat no
-
@krzykat said in Password Managers:
People that are using bitwarden, are you self-hosting?
No, but it is on our radar to consider soon as we keep growing and it becomes more important, and more cost effective, once you get to any size.
-
New gig is using Bitwarden, converting from Zoho Vault
-
@jt1001001 said in Password Managers:
New gig is using Bitwarden, converting from Zoho Vault
Interesting. Is it self-hosted? Do you know the reason for the move?
-
Yet another +1 for using Bitwarden and not self-hosting. I actually did self-host it for a bit a couple of years ago, but changed my mind and moved to their hosted service.
-
@Pete-S I have no idea why they moved. I guess the higher ups want to migrate? Cost I think is about the same. We are not self hosted only 15 users so far