by Dedime 1636 days ago
This whole LastPass kerfuffle has solidified my choice to continue using FOSS + self hosted password managers only. If my passwords get stolen, I'd rather be responsible for the loss than wait for a company to put out a squirrely statement.
1 comment

I was a self-hosted enthusiast myself, until I found out that self-updating is not fun, not always compatible and thus not secure*. And therefore, I take the hard pill of SaaS even if, security-wise, it is hard to swallow.

*Not secure: It will always catch you off guard, and will require a lot of work, so you will postpone it, which is not secure.

What about an offline password manager? Like pass[1] or one that supports the KeePass format. Then you could use your regular file synchronization tool to synchronize the database files. You could also use a P2P sync tool like Syncthing. (Of course this makes more sense if you already have some kind of file sync setup.)

[1] https://www.passwordstore.org/

That would be roughly equivalent to LastPass then.
How so? The password database is still encrypted with a master password which is completely independent of the file sync mechanism. So the master password is not involved in anything network-facing.
LastPass simply downloads your password database as an encrypted blob which you unlock locally with your master password. The fact that this unlocking is somewhat automated does not change the fact that it acts identically to your proposed solution.
Okay, I don't wanna go into a fight over Lastpass because I don't know its tech deep enough to make a judgement (and HN reply limit would prevent it anyways). My point is, there are still some general differences between an online password manager and an offline password manager + file sync combination:

- There's no way a flaw in an authentication protocol could compromise a master password (because the file sync software is completely detached from the password manager).

- Someone who compromised your master password can't get your passwords without first obtaining your database files.

That being said, I don't think online password managers are inherently insecure or anything like that.
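The data flow the thread is arguing about (an offline vault whose encrypted blob is carried by a dumb file-sync layer, with the master password used only on the local machine) can be made concrete in a few dozen lines. The block below is an added example, not code from pass, KeePass or LastPass; its cipher construction (PBKDF2 key stretching, HMAC-SHA256 in counter mode as a keystream, encrypt-then-MAC) is an assumption chosen so the example runs on the Python standard library alone, and real vaults should use pass, KeePass or age rather than this. It shows the two points made above: the sync tool only ever sees an opaque blob, and the master password on its own is useless without that blob.

```python
"""Offline vault + file sync: the sync layer only ever handles an opaque blob.

Toy construction (an assumption for this example, not pass/KeePass):
PBKDF2-HMAC-SHA256 key derivation, HMAC-SHA256 in counter mode as a
keystream, encrypt-then-MAC with a separate MAC key.
"""
import hashlib
import hmac
import json
import os
from typing import Tuple

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERS = 200_000  # lowered for demo speed; real tools use far more work


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.
    This runs only on the user's machine; the master password never leaves it."""
    km = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERS, dklen=64
    )
    return km[:32], km[32:]


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(enc_key, nonce || counter) blocks (CTR-style stream)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def lock_vault(entries: dict, master_password: str) -> bytes:
    """Serialize, encrypt and authenticate. The returned blob is the only thing
    the file sync tool (rsync, Syncthing, Dropbox, ...) ever copies between devices."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    header = salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unlock_vault(blob: bytes, master_password: str) -> dict:
    """Verify the MAC before decrypting. A wrong master password derives the
    wrong MAC key, so it is rejected exactly like a tampered blob."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong master password or modified blob")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def leaks_plaintext(blob: bytes, entries: dict) -> bool:
    """True if any secret appears verbatim in the blob the sync layer sees."""
    return any(v.encode("utf-8") in blob for v in entries.values())


if __name__ == "__main__":
    # Constructed sample vault; not real credentials.
    vault = {"example.org": "correct-horse-battery", "mail": "constructed-sample-pw"}
    blob = lock_vault(vault, "my master passphrase")
    assert unlock_vault(blob, "my master passphrase") == vault
    assert not leaks_plaintext(blob, vault)
    print(f"synced {len(blob)} opaque bytes; the master password never left this process")
```

Two things fall out of the structure. Someone who learns the master password but never obtains the blob has nothing to decrypt, and someone who copies the blob from the sync layer has to grind through the key stretching for every guess; neither path involves an authentication protocol, because the sync tool has no idea what it is carrying. A fresh random salt and nonce on every `lock_vault` call also means the same vault produces a different blob each time it is saved, so the sync layer cannot even tell whether the contents changed.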