jrm4 15 hours ago

Probably my biggest tech hill-I'll-die-on is:

Password management involving a 3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse -- even taking into account "the lazy user" or whatever.

I know we're past that in a lot of places for a lot of people, but nope, my dad and his printed-out sheet of passwords next to his desk is still beating every company out there.

jasode 15 hours ago | parent | next [-]

>3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse

There seems to be a misunderstanding of how typical cloud password vaults work. The 3rd parties like Bitwarden, 1Password, Apple iCloud Keychain, etc. don't have access to the users' passwords. The scheme is based on zero-knowledge end-to-end encryption. The 3rd-party cloud is just a mechanism to store an encrypted blob and sync it to various devices. The client devices (users' desktop, users' smartphone) are the only ones that can decrypt the passwords. There are still only 2 parties with knowledge of the actual passwords.

In contrast, the type of 3rd parties that do have knowledge/access to unencrypted plain text passwords would be Amazon storing users' wi-fi passwords, and Plaid storing users' bank account credentials & passwords. Gmail and MS Outlook.com would also be a 3rd party having a copy of users' passwords when they act as web clients to fetch email from other IMAP servers.

> my dad and his printed out sheet of password next to his desk is still beating every company out there.

That doesn't work for users when they're not sitting at their desk and need passwords. Printing out a hardcopy sheet of passwords and carrying it in a wallet or purse is a massive security risk.
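The scheme jasode describes, as an added illustration (not code from Bitwarden, 1Password or any other named product): the client derives the vault key from the master password, and the sync service only ever receives the sealed blob, so it can store and replicate it but cannot read it. Assumptions: PBKDF2 plus an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is used here as a dependency-free stand-in for the Argon2/AES-GCM style primitives real vaults use; the vault entries are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Iteration count kept moderate so the demo runs quickly; real clients use far more.
KDF_ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Client-side only: the master password never leaves the device."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real AEAD)."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict) -> dict:
    """Runs on the client. The returned blob is all the sync provider ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> dict:
    """Runs on another client device after sync; fails closed on wrong password or tampering."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered blob")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def provider_can_see_secret(blob: dict, secret: str) -> bool:
    """What a curious or breached sync provider could learn by grepping stored blobs."""
    return secret in json.dumps(blob)
```

A wrong master password and a flipped ciphertext byte both fail the tag check before any plaintext is produced.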

muppetman 15 hours ago | parent | prev | next [-]

But it's not that though. They're hosting an encrypted version that they don't have the keys for. They are doing the backend sync for you, and writing the clients that YOU run, that sync your passwords everywhere.

To suggest they have a copy of your passwords is to misunderstand what they're doing. It's the same as saying you host your KeePass on Dropbox so now Dropbox have a copy of your passwords/secrets.

The value they are providing is seamless sync between a huge range of platforms/devices and making it as frictionless as possible to enter your password when you need to (biometrics to unlock the vault, browser addons to seamlessly enter the passwords, etc.).

Your Dad has a single point of failure for all his accounts. That's not a win.

xigoi 7 hours ago | parent | prev | next [-]

> my dad and his printed out sheet of passwords next to his desk is still beating every company out there.

Until your house gets flooded or burns down or you hire a really curious janitor.

SV_BubbleTime 15 hours ago | parent | prev | next [-]

Are you aware that the goal of these password managers is that they do not ever have your decrypted vault?

baal80spam 15 hours ago | parent | prev [-]

KeePass is a great middle-ground, which I've been using for the last decade (at least). Storing the vault is on you, it just makes it easy to keep stuff organised.

muppetman 15 hours ago | parent | next [-]

I did this for years too until mobile devices became popular. I have ~4 mobile phones for various things (yes, this isn't normal) and ~4 different computers/laptops I use. Trying to keep a KeePass in sync between them is a nightmare. A proper password manager (Bitwarden or other) removes all that hassle. I have fingerprint unlock on the mobiles that support fingerprint, face unlock on the devices that support that, etc. I have browser addons to make password entry quick and easy while remaining secure.

Once I moved to a password manager I realised how clunky and poor dragging a KeePass vault around was.

baal80spam 14 hours ago | parent [-]

Fair enough. I don't use it on mobile (I try to do the fewest things possible on mobile so I manage without a password manager).

mbirth 14 hours ago | parent | prev [-]

This! I’m using Strongbox on macOS and iOS and it’s just sooo good. It integrates with Apple’s AutoFill API and feels native - just like Apple’s Passwords app. But all the entries are in a KeePass database which I can sync via SyncThing, iCloud, Dropbox, whatever. And if the application should fail, I can use any other KeePass-compatible app or KeePass itself to get to my secrets.