After rereading my initial comment and the responses to it, I absolutely agree that my tone was unduly harsh and condescending. I did not at all intend that when I wrote the comment, but it was clearly the result regardless. I apologize to everyone in this thread for not communicating my concerns more constructively. I have tried to reply to each comment in a much more constructive way.

-----------------------

> Heh, every company I have worked for, I have had to share passwords to tools in some form or the other - private keys, certificate files, shared account passwords to name a few.

See my comment acknowledging that I was flat out wrong to argue that users never have a need to share passwords: https://news.ycombinator.com/item?id=15996129.

As a developer needing to share passwords, there are plenty of secure ways to share passwords without resorting to email. For example, Hashicorp Vault [1] is a free and secure option which has gained lots of traction in the marketplace in recent years.

> So, you are willing to "vouch" for some random closed source software without ever seeing the code and yet here you vilify code that is open.

It is quite widely accepted that password managers are the best practice for sharing passwords. The SecurityPlanner project recommends LastPass [2] and has some very well respected folks from the security community on their advisory and peer review boards [3], including Bruce Schneier, Gary Belvin, and Iulia Ion. Also, the EFF recommends using a password manager [4]. Troy Hunt has an article explaining and recommending password managers (e.g. 1Password) [9]. Also, most of the mainstream commercial password managers publish white papers on their security architecture and often undergo pen tests, security audits, etc. For example, see [5] [6] [7] [8].

Password managers utilize end-to-end encryption by encrypting the password on your device before sending it to their servers (for syncing between devices, etc.). Without seeing the source code, you can observe the traffic over the wire to prove that these password managers are implementing end-to-end encryption and only sending ciphertext over the wire to the remote server. In contrast, the Pass.sh service sends plaintext passwords over the wire to their servers, which means that their servers have access to the plaintext password.

[1] https://www.vaultproject.io/
[2] https://securityplanner.org/#/tool/password-manager
[3] https://securityplanner.org/#/who-we-are
[4] https://ssd.eff.org/en/node/23/
[5] https://lastpass.com/enterprise/security
[6] https://support.1password.com/security-assessments/
[7] https://keepersecurity.com/security.html
[8] https://www.dashlane.com/download/Dashlane_SecurityWhitePape...
[9] https://www.troyhunt.com/only-secure-password-is-one-you-can...