by t0astbread 1636 days ago
What about an offline password manager? Like pass[1] or one that supports the KeePass format. Then you could use your regular file synchronization tool to synchronize the database files. You could also use a P2P sync tool like Syncthing. (Of course this makes more sense if you already have some kind of file sync setup.)

[1] https://www.passwordstore.org/

1 comment

That would be roughly equivalent to lastpass then.

How so? The password database is still encrypted with a master password which is completely independent of the file sync mechanism. So the master password is not involved in anything network-facing.

Lastpass simply downloads your password database as an encrypted blob which you unlock locally with your master password. The fact that this unlocking is somewhat automated does not change the fact that it acts identically to your proposed solution.

Okay, I don't wanna go into a fight over Lastpass because I don't know its tech deep enough to make a judgement (and HN reply limit would prevent it anyways). My point is, there are still some general differences between an online password manager and an offline password manager + file sync combination:

- There's no way a flaw in an authentication protocol could compromise a master password (because the file sync software is completely detached from the password manager).

- Someone who compromised your master password can't get your passwords without first obtaining your database files.

That being said, I don't think online password managers are inherently insecure or anything like that.
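The model the thread is arguing about, as an added illustration that is not code from pass, KeePass, LastPass or any other project: the vault is sealed under keys derived from the master password, and the "sync" layer only ever stores and returns an opaque blob, so it never handles the master password and a stolen blob is useless without it. Everything here is constructed for the demo: the vault layout (magic, salt, nonce, ciphertext, tag), the scrypt parameters, the `SyncServer` stand-in for Syncthing or a cloud folder, and the HMAC-SHA256 counter-mode stream cipher with a separate HMAC tag, which stands in for the AES-GCM or ChaCha20-Poly1305 AEAD a real manager would use.

```python
"""Toy offline vault plus a dumb file-sync layer (constructed example, not a real format)."""
import hashlib
import hmac
import json
import os

MAGIC = b"TOYVAULT1"  # constructed file header, not any real manager's format
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master_password, salt):
    """Memory-hard KDF from the stdlib; n is kept small so the demo runs quickly."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a PRF stand-in for a real stream/AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password, entries):
    """Encrypt-then-MAC the entries; returns the blob a sync tool would carry around."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    body = MAGIC + salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_vault(master_password, blob):
    """Unlock locally. A wrong password and a tampered blob fail at the same check."""
    header_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:header_len]
    ciphertext = body[header_len:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    # Verify before decrypting so nothing is done with unauthenticated ciphertext.
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext)


class SyncServer:
    """Stand-in for Syncthing / a cloud folder: it stores bytes and knows nothing else.

    Note that no method takes a master password; the sync layer is detached from the
    password manager, which is the point the thread makes.
    """

    def __init__(self):
        self.files = {}

    def push(self, name, data):
        self.files[name] = bytes(data)

    def pull(self, name):
        return self.files[name]


def demo(master_password="correct horse battery staple", entries=None):
    """Round-trip a vault through the sync layer; returns what each party ended up with."""
    entries = entries if entries is not None else {"example.com": "hunter2"}  # constructed sample
    server = SyncServer()
    server.push("vault.db", seal_vault(master_password, entries))  # device A syncs up
    blob = server.pull("vault.db")                                  # device B syncs down
    return {
        "server_sees_plaintext": any(v.encode() in blob for v in entries.values()),
        "server_sees_master_password": master_password.encode() in blob,
        "unlocked": open_vault(master_password, blob),
    }
```

Running `demo()` shows the sync side holding only ciphertext, while `open_vault` refuses both a wrong master password and a blob modified in transit, which is why the master password alone, or the file alone, does not yield the passwords.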