by dyingkneepad 2069 days ago
The reasonable person inside me wants to use a password manager, yet the paranoid in my brain is terrified. I read all those texts explaining why password managers are better, yet I am still afraid. I keep thinking in attack vectors such as someone compromising the Play Store and submitting a malicious app or other similar stuff.

I even have a Bitwarden account and have some passwords stored on it.

I also considered "offline" managers like KeepassXC, but synchronization gets way worse, and there's also the issue about trusting someone else with your mobile apps.

I will probably end up convincing myself and keep using Bitwarden more at some point, but I will also probably do some kind of password peppering/salting along with it.

Am I really the only one here?

12 comments

> I also considered "offline" managers like KeepassXC, but synchronization gets way worse, and there's also the issue about trusting someone else with your mobile apps.

I'm using KeePassXC. Originally between three computers (Debian desktop, Debian laptop, and Microsoft laptop) where it was part of my git repo that I'd sync in between the machines as needed (git repo hosted within my own instance of gitolite, btw).

I've migrated more functionality into Syncthing - so now it's very rare that I ever need to do a manual merge within KeePassXC (which was always a robust operation anyway). KeePassXC has a setting to reload from disk if it sees that the password db file has changed, which makes this process seamless.

Part of my Syncthing setup is that I have a receive-only copy of my various repos on a Debian VM that runs a couple of archive tools (dirvish and borg) which provides for point-in-time restorations if needed.

So - I'm wondering what synchronisation problems you've had, and what you've tried. And what alternatives there are to trusting someone else's OS (replete with non-free components) on mobile, along with someone else's bundling of code into mobile packages?

There's a handful of keepass-compatible android apps, some of which are GPL, and Syncthing can keep a copy on Android easily enough, but ultimately there's a lot of trust in mobile land no matter how you slice it.

Yeah, I find synchronization the least of my problems with the Keepass family. The file format uses GUIDs internally for most changes and most conflicts are easily merged/fixed. The fact that it is synchronized as files gives a lot of flexibility in options. You can use whatever cloud file sync provider you trust that month, and you have the flexibility to switch providers as your trust model and/or threat model change.

Mobile OSes are finally making it easier for arbitrary "file" sharing between such apps. (The iOS Files app is finally "decent" for this compared to just a few years ago.)

A similar file sync option to Syncthing I like to point out is Resilio Sync, a P2P device-to-device "torrent-like" sync tool. Among other things it also supports "encrypted shares" that cannot read inside the share but can still participate as a "seed" in the torrent-like share. Resilio Sync is relatively a lot more closed/commercial than Syncthing, but its torrent-based underpinnings make it sometimes much faster with large shares. (As with everything, trade-offs to be made based on your personal threat model.)

Yes, I always wonder why keepassxc does not get mentioned more when password managers come up. It's really an excellent piece of software. Some of the features that are crucial for me:

1. ssh-agent support
2. Browser plugins
3. Can provide secret service (i.e. be a substitute for gnome-keyring and kwallet)
4. Excellent oss android client
5. Absolutely snappy, starts in an instant; compared to electron apps it's like day and night

It also has yubikey support or can support other key files, which is good if you don't trust your cloud sync for example

What Android client do you use if you don't mind me asking?

Keepass2Android is pretty much the de-facto standard client for KeePass databases. Also open source.

I use Rclone to sync the database to an online storage. It is not triggered automatically, so every time I change the database I need to manually run a one-line script. But it's not that bad because once stable, one doesn't change the database often. Rclone also supports strict one-way copy. On the mobile side, Keepass2Android can automatically sync down the database.

Also, not all hopes are lost. There is a 3-year-old ticket to add trigger system to KeePassXC: https://github.com/keepassxreboot/keepassxc/issues/1016

This is one great setup, and you can change KeepassXC for any other thing, eg. https://www.passwordstore.org/

What's your baseline? While there are theoretically more secure alternatives to using password managers, the vast majority of people don't have the discipline or skill to implement them effectively.

Password managers make security tradeoffs, providing a nice balance of convenience and defense against many of the most important attack vectors.

So while it is of course possible to come up with basically endless possible attack vectors for password managers (and indeed all software), it is most likely not a productive exercise.

Also, a small tangent, but if someone compromises the play store and is able to install malicious software on your phone, there are plenty of ways for them to get your password that don't involve password managers.

> the vast majority of people don't have the discipline or skill to implement them effectively.

I'd go so far as saying -- most people who think they have the discipline and skill, don't. Or rather, maybe they have it for a few passwords (email, online banking, work, machine passwords).

But it's almost impossible to do well once you cross ~20 passwords. Remember trying out Goodreads years ago? Well, turns out someone's hacked into your account and is posting reviews critiquing travel books for not buying into Flat Earth Theory. You only notice when searching for your name on Google. Or even nastier scenarios.

The baseline is an encrypted libreoffice or txt file where passwords are stored. Then the file is somehow synchronized.

You're describing keepassxc. A keepass file is essentially an encrypted sqlite db.

How is an encrypted odt/txt better?

I definitely have some password manager anxiety. I'm not too concerned about hacks or losing my password database. For me, it's more about the sense of independence, and being able to log in to my accounts using just my noggin. I might be able to remember one or two strong passwords, but not dozens, which is kind of the selling point of a password manager.

I use KeePassXC with a password and key file. I sync the database, but not the file, using Syncthing. On the whole a satisfied customer, although the browser integration isn't perfect.

The most important password is your e-mail. If you lose that then you can lose everything. It's the only password I don't save in a password manager.

Uhm, that's why you should have 2FA/MFA.

Not having your password stored in a password manager doesn't make it bulletproof.

I use 2FA/MFA when I can but most sites don't support it.

Password managers feel like vendor lock in. What happens if I need to move to another manager, or I need to sync everything to my phone. They go out of business, they decide to charge more. Or if I pay for it and now I can't pay for it anymore.

If I sound like an idiot, I'd love to hear why btw! heh

I use 1Password, and they have an easy CSV export. The lock-in is very weak.

If they were to suddenly disappear, or I can't pay for it, I still have the local copies on my devices that I could export and move to some other system.

I started off with keepass, then moved to lastpass for better sync, then moved to 1password because I didn't like how lastpass works. Each of them support various forms of exporting/importing logins, so there's not much risk of vendor lockin with those. I'd assume it's the same for other managers, but you'd have to check.

My biggest issue has been that I only saved passwords when I started with keepass instead of username+passwords, which lastpass all imported as secure notes instead of logins.

There are at least several apps for each platform that can work with KeePass files.

There are some passwords that I do not save anywhere, not even in a password manager:

- Email provider's (it's not Google)

- Domain registrar's

- 3 of my main bank account passwords

- Password of my password manager and KeePass db

- Cryptomator volume's password (I keep that Volume in Dropbox)

- Password of my laptop and phone (both 12-20 char long alphanumeric ones)

- PIN of my 2FA app

(I keep practising entering these passwords on my phone/laptop regularly)

Everything else is randomly generated strings by BitWarden and saved there.

Sometimes I have some hints that only I can make sense of and save them in the KeePass database.

Oh, I would not want to use any kind of password manager with built-in synchronization either; an integrated solution presents a much more attractive target for black hats. I've been using KeePassXC and its predecessors, and sync to other machines using Git+SSH (no third party hosting either) and to my phone using adb for a few years now. YMMV.

In addition to what all the other people have said, many accounts still have 2FA as secondary protection. The cost for them to 1) compromise the whole Play store; 2) make you update both the password manager app AND the authenticator app; 3) make you log in to a valuable account is way higher than just installing a keylogger or trying various scams.

As the joke goes, I don't have to beat the bear chasing behind me, I only need to be faster than the guy running alongside me.

You aren't the only one. Those "fancy" apps are too complex IMO to be trustworthy. Neither are other people's computers (aka clouds).

My secrets are stored in plain text files which are encrypted with GnuPG. Emacs (and vi too) can handle encrypted files easily, even on an Android device using the Termux (i.e. Debian) app. Syncing with rsync (even version control software is an option) works and with a bit of discipline is not a major problem.

This is literally what pass(1) does. Although it's rather fun to write a bunch of shell scripts that provide equivalent functionality.
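
As an added example (not the commenter's scripts and not pass(1) itself), a minimal POSIX sh sketch of the "one GnuPG-encrypted file per secret, in a directory that rsync or git can replicate" workflow described above. It assumes GnuPG 2.1+ on PATH and, to stay self-contained, uses symmetric encryption with the passphrase taken from STORE_PASSPHRASE instead of the recipient keys pass uses; STORE_DIR is an assumed variable for the store location.

```shell
#!/bin/sh
# Minimal pass(1)-style secret store: every secret is its own .gpg file under
# a plain directory, so any file-level sync (rsync, git, Syncthing) moves it.
# Added example, not the commenter's code or pass itself. Assumes GnuPG 2.1+;
# symmetric encryption with $STORE_PASSPHRASE stands in for recipient keys,
# which is what a real deployment (and pass) would use instead.
set -eu

# Map a secret name to its file; refuse names that could escape the store.
secret_path() {
    case "$1" in
        ''|*/*|.*) echo "bad secret name: $1" >&2; return 1 ;;
    esac
    printf '%s/%s.gpg' "${STORE_DIR:-$HOME/.secrets}" "$1"
}

# secret_store NAME  -- reads the plaintext from stdin, writes NAME.gpg (0600)
secret_store() {
    path=$(secret_path "$1") || return 1
    dir=${path%/*}
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077
      gpg --batch --yes --quiet --pinentry-mode loopback \
          --passphrase "$STORE_PASSPHRASE" --symmetric --cipher-algo AES256 \
          --output "$path" )
}

# secret_show NAME  -- decrypts NAME.gpg to stdout
secret_show() {
    path=$(secret_path "$1") || return 1
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$STORE_PASSPHRASE" --decrypt "$path"
}

# secret_list  -- the file names are the only metadata left in the clear
secret_list() {
    for f in "${STORE_DIR:-$HOME/.secrets}"/*.gpg; do
        [ -e "$f" ] || continue
        b=${f##*/}; printf '%s\n' "${b%.gpg}"
    done
}

# CLI: ./secrets.sh store NAME < plaintext | show NAME | list
case "${1:-}" in
    store) secret_store "$2" ;;
    show)  secret_show "$2" ;;
    list)  secret_list ;;
esac
```

Note that `--passphrase` on the command line is visible to other local users via the process list, which is another reason the recipient-key setup of pass is preferable outside a demo.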

I have keepass and sync via google drive to Mac, Windows, Ubuntu, iPad and Android. No issues at all and I still have the file physically.

You could use Enpass just on your own computer. You can also sync it online to have it synced to your mobile device too.

Add MFA to the 1Password account so that sign ins from new devices need a second factor like a yubikey or Duo.

It is a bit like eating self-made food or eating what others cook. You have chances to get poisoned in both ways. I would choose to eat food prepared by others if I am not confident in my cooking skills.

I use keepass + dropbox for syncing. You can replace dropbox with another syncing mechanism of choice, but this works out great.