by bogwog 2381 days ago
Use Pass (https://www.passwordstore.org/) to generate and store passwords locally, GNU Privacy Guard (https://gnupg.org/) to encrypt them, and then use git (https://git-scm.com/) to backup and sync your encrypted passwords on all your devices in a distributed way.

Pass is an open source project by the guy who made WireGuard (https://www.wireguard.com/), and there are open source apps for iOS and Android too, which you can build yourself for maximum security.

Setting this all up is not exactly easy, but once you get it going it's very easy to use, secure, and convenient.

2 comments

Highschool me fucked up pass and exposed a lot of data. It was entirely my own fault, but there are footguns if you don't fully understand the model.

Essentially, I accidentally publicly exposed my private key. I thought I was clever for writing a Python script to dump all my passwords and then re-add them after setting up pass with a new key.

A year later, when I accidentally deleted my private key (reformatted laptop, phone bricked before I set the laptop back up), I spent a few hours trying to figure out if I made a mistake that would let me recover my passwords. I was very motivated :)

Eventually, I realized that since I'd been using git to sync pass between my phone and computer (the recommended setup) I could access versions of my encrypted data for every account more than a year old and decrypt them with the private key I leaked. I got back almost all my data.

Luckily I was using a private git repository for defense in depth, but many guides recommend a public repository because they say gpg is very strong.

It all works, but only if you don't do something dumb like I did. Now I'm on 1password and happy knowing that experienced people are paid to make it and smart security researchers like Troy Hunt (of haveibeenpwned fame) have said it's the most secure password manager they've looked into.
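The recovery described in the comment above works because `pass git` commits every change, so re-encrypting the store to a new key leaves every earlier ciphertext reachable in git history. The following audit script is an added example, not part of the pass project or of this thread: it walks every commit reachable from any ref and reports which `.gpg` entries have more than one ciphertext version in history, i.e. the entries whose old ciphertexts a leaked previous key could still decrypt. The `build_demo_store` helper constructs a throwaway repository with placeholder bytes standing in for ciphertext; the paths, file contents and commit messages are constructed for the demo.

```python
"""Audit a pass-style git repository for stale ciphertext versions.

Added example (not pass's own code). pass keeps one .gpg file per entry and,
with `pass git`, commits every change. Re-encrypting the store to a new key
rewrites the files in the working tree, but every earlier ciphertext stays
reachable in git history. This script lists, per entry, how many distinct
ciphertext blobs are reachable from any ref, so a re-key after a suspected
key exposure can be followed by a history rewrite or a fresh repository.
"""
import os
import shutil
import subprocess
import tempfile
from collections import defaultdict

GIT = shutil.which("git")  # None when git is not installed


def _git(repo, *args):
    """Run a git command inside `repo` and return its stdout."""
    if GIT is None:
        raise RuntimeError("git executable not found")
    result = subprocess.run([GIT, "-C", repo, *args], check=True,
                            capture_output=True, text=True)
    return result.stdout


def stale_ciphertext_versions(repo):
    """Map each *.gpg path to the set of blob ids that ever held it.

    A path with more than one blob still has an old ciphertext in history,
    regardless of what the current working tree contains.
    """
    versions = defaultdict(set)
    for commit in _git(repo, "rev-list", "--all").split():
        # `ls-tree -r` prints "<mode> <type> <object>\t<path>" per file
        for line in _git(repo, "ls-tree", "-r", commit).splitlines():
            meta, path = line.split("\t", 1)
            blob = meta.split()[2]
            if path.endswith(".gpg"):
                versions[path].add(blob)
    return dict(versions)


def entries_needing_history_purge(repo):
    """Sorted list of entries whose older ciphertexts are still reachable."""
    return sorted(path for path, blobs in stale_ciphertext_versions(repo).items()
                  if len(blobs) > 1)


def build_demo_store():
    """Constructed stand-in for a pass store (placeholder bytes, not real gpg output)."""
    repo = tempfile.mkdtemp(prefix="demo-pass-store-")
    _git(repo, "init", "-q")
    _git(repo, "config", "user.email", "demo@example.invalid")
    _git(repo, "config", "user.name", "demo")

    def commit(name, data, message):
        full = os.path.join(repo, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
        _git(repo, "add", "-A")
        _git(repo, "commit", "-q", "-m", message)

    # Two entries encrypted under the original (later exposed) key
    commit("email/alice.gpg", b"constructed-ciphertext-old-key-1", "Add email/alice")
    commit("bank/acct.gpg", b"constructed-ciphertext-old-key-2", "Add bank/acct")
    # Simulated re-key: new ciphertext bytes, but the old ones remain in history
    commit("email/alice.gpg", b"constructed-ciphertext-new-key-1", "Re-encrypt email/alice")
    commit("bank/acct.gpg", b"constructed-ciphertext-new-key-2", "Re-encrypt bank/acct")
    return repo


if __name__ == "__main__":
    demo = build_demo_store()
    try:
        for entry in entries_needing_history_purge(demo):
            print("old ciphertext still in history:", entry)
    finally:
        shutil.rmtree(demo, ignore_errors=True)
```

Run it against a real store with `entries_needing_history_purge(os.path.expanduser("~/.password-store"))`. Any entry it reports remains decryptable by whichever key encrypted the older blob, so after a key exposure the mitigation is to start a fresh repository (or rewrite history) and, for the affected entries, rotate the passwords themselves rather than only the gpg key.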

Ensuring a gpg key isn't lost seems pretty obnoxious.

Why would you lose it? You'll have to install it on all your devices that you want to access your passwords from. I have mine on my desktop, laptop, and phone. The chances of me losing all 3 devices at the same time is very low.

It seems like a fire at your home would be a reasonable scenario that might well result in that outcome.