by autoexec 1393 days ago
Not enough data to say what the impact of this is. Good for them disclosing it early while they investigate.

> we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all. KeePass is great!

Most people use a work machine and a mobile device, so cloud syncing is absolutely necessary.

LastPass and its competitors theoretically have zero-knowledge storage of everyone's passwords, so even a full breach of their servers would fail to leak passwords.

> Most people use a work machine and a mobile device, so cloud syncing is absolutely necessary.

I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.

My personal passwords are stored on my own personal devices. Syncing between them can be done using any number of methods without uploading to the cloud, but even if I wanted to use somebody else's servers to do that a properly encrypted file with a very strong password could be safely stored anywhere, so there's no need to limit myself to one company's servers. I can use whatever works best for my needs and won't have to worry about what I'd do if the one I was using goes under or becomes unavailable. In exchange for a little extra work you gain a ton of utility and resiliency

Yeah, again: all of this is great for you, but it doesn't change the fact that you are a very, very niche case. You can't just dismiss cloud syncing of passwords because you are the edge case who doesn't need it.

> I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.

That doesn't work for mobile devices. Most people have a work mobile device.

> even if I wanted to use somebody else's servers to do that a properly encrypted file with a very strong password could be safely stored anywhere

This is literally how LastPass and 1Password handle it. If you lose your key, the file in the cloud becomes useless.

> In exchange for a little extra work...

"A little extra work" that is beyond the skills of the vast majority of users.

> ...you gain a ton of utility and resiliency

As someone who used KeePass for more than 10 years until recently, I can honestly say that it was a massive reduction of utility and had no resiliency benefits.

You've picked a strange subset of 'most' for the people you're imagining. They are savvy enough to know what a password manager is, but not savvy enough to deal with an offline one. Are you sure it's not just a few people like you?

> They are savvy enough to know what a password manager is, but not savvy enough to deal with an offline one.

Not the person you responded to, but: I think that most people are savvy enough to know what a password manager is, and most people are not savvy enough to be interested in the work necessary to set up, personalize, and maintain an offline password manager that functions well across multiple devices. That doesn't sound like a niche subset to me, but I could be way off.

My point is to illustrate that the commenter is speaking out of their respective ass. None of us know what the average person thinks, we are a group of tremendous nerds who are engaging, not just reading, in the comments section to a post about a flipping password manager.

I'm savvy enough to maintain an offline password manager, but fuck that noise.

It's already painful enough to use a cloud password manager; why would I burn hours more of time to maintain a worse experience?

How about cloud storage? iCloud, OneDrive, Google Drive, etc. Good apps support those out of the box; for desktop, install their client and use the file as you normally would.

Have you literally not used the password save feature in iOS? What about this password manager makes you think the people using it can duplicate the features using an offline version?

Copying files has the disadvantage of requiring some merge mechanism, or not permitting parallel modification.

I found vaultwarden to be a nice alternative. It runs on my server at home, to which I connect the relevant devices by VPN. It still requires the server to be online for modification (& the VPN connected), which I find to be a bit annoying, but it solves the concurrent modification issue. Plus, passwords are encrypted at rest and the browser extension verifies I'm using the password on a legitimate website (anti-phishing).

But if you're happy with your variant, I guess that's fine as well :)
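The merge problem mentioned above (two devices editing a copied database while offline) is easier to see in code. The following is an added example, not something from the thread or from any password manager's own code: it models a vault as a dictionary of entries keyed by a stable id and performs a three-way merge against the last common version, so a change made on only one side is kept, a delete on one side wins over no change on the other, and an entry edited differently on both sides is kept twice and flagged for the user. All entry names and values are constructed sample data.

```python
import copy
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, object]
Vault = Dict[str, Entry]

# Constructed sample data: the last synced vault, plus the versions that
# each device produced while offline.
BASE: Vault = {
    "github": {"user": "alice", "password": "old-gh"},
    "bank":   {"user": "alice", "password": "old-bank"},
    "mail":   {"user": "alice", "password": "old-mail"},
}

LAPTOP: Vault = copy.deepcopy(BASE)
LAPTOP["github"] = {"user": "alice", "password": "laptop-gh"}   # edited on laptop
LAPTOP["wifi"] = {"user": "home", "password": "laptop-wifi"}    # added on laptop

PHONE: Vault = copy.deepcopy(BASE)
PHONE["bank"] = {"user": "alice", "password": "phone-bank"}     # edited on phone
PHONE["github"] = {"user": "alice", "password": "phone-gh"}     # also edited on phone: conflict
del PHONE["mail"]                                               # deleted on phone


def three_way_merge(base: Vault, a: Vault, b: Vault) -> Tuple[Vault, List[str]]:
    """Merge vaults a and b using base as the common ancestor.

    Returns the merged vault and the ids of entries both sides changed
    in different ways. Conflicting entries are kept twice (the second copy
    under a " (conflict copy)" suffix) so no edit is silently lost.
    """
    merged: Vault = {}
    conflicts: List[str] = []
    for key in sorted(set(base) | set(a) | set(b)):
        in_base: Optional[Entry] = base.get(key)
        in_a: Optional[Entry] = a.get(key)
        in_b: Optional[Entry] = b.get(key)

        if in_a == in_b:
            # Both sides agree: unchanged, deleted on both, or same edit on both.
            if in_a is not None:
                merged[key] = in_a
            continue

        a_changed = in_a != in_base
        b_changed = in_b != in_base
        if a_changed and not b_changed:
            if in_a is not None:          # None means a deleted it
                merged[key] = in_a
        elif b_changed and not a_changed:
            if in_b is not None:
                merged[key] = in_b
        else:
            # Both sides changed the entry differently (or one edited, one deleted).
            conflicts.append(key)
            if in_a is not None:
                merged[key] = in_a
            if in_b is not None:
                merged[key + " (conflict copy)"] = in_b
    return merged, conflicts


def overwrite_sync(newer: Vault) -> Vault:
    """What plain file copying does: the newer file replaces the older one."""
    return copy.deepcopy(newer)


if __name__ == "__main__":
    merged, conflicts = three_way_merge(BASE, LAPTOP, PHONE)
    print("conflicts:", conflicts)
    for k, v in merged.items():
        print(f"  {k}: {v['password']}")
    # Contrast with a plain copy: every laptop edit is lost if the phone file is newer.
    print("lost by overwrite:", sorted(set(merged) - set(overwrite_sync(PHONE))))
```

The `overwrite_sync` function is there only to make the contrast concrete: if the phone's copy is the one that lands in the cloud last, the laptop's GitHub edit and its new wifi entry disappear without any warning, which is the "not permitting parallel modification" case. A server-mediated manager avoids this by merging per entry on the server, which is also why it must be reachable to write.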

> even a full breach of their servers would fail to leak passwords

This is a dangerous fallacy. Nothing fundamentally would prevent someone who attacked their infrastructure from pushing a malicious app update or a malicious extension update which exfiltrated the decrypted library from the client side.

I wasn't specific about that. I should have said a full dump of their database.

Yes, if someone got into their supply chain, they could push a malicious update. That's also true of KeePass and every other password manager. There's no way to avoid that vector.

Are there any instances of this happening? I feel like it would be caught so fast it's not worth trying.

> As customers downloaded the update, they unwittingly pulled down and installed the backdoor at the same time. The malicious code was itself cleverly designed, would execute commands, and provided remote admin access. The hackers then used that foothold to create and cryptographically sign the necessary security tokens to hoodwink systems into believing subsequent access to other accounts and resources was legitimate.

https://www.theregister.com/2020/12/15/solar_winds_update/

Wow, that is worrying how long it took to catch... seems like companies need to be monitoring their releases more carefully.

You can sync the encrypted KeePass database using Dropbox and then your zero-knowledge cloud storage won't just be theoretical.

Simply secure the database with a password and keyfile then copy the key file manually to your mobile devices and workstation.

That way you can be certain that your cloud provider has zero knowledge of your key file and also doesn't control the application in which you enter the master password.

While this is true, and I did this for the better part of 2010s, it was pretty clunky. Especially if one needs a platform for their wife or children to also use.

I'm gonna ride out LastPass until webauthn really takes off. Which could be soon based on what we're hearing from the mobile vendors.

> Which could be soon based on what we're hearing from the mobile vendors.

I'd really like to see wider webauthn support, so I'm curious to know what you mean by what you're hearing from the mobile vendors please?

Yeah, I'm definitely not saying this is the right solution for everyone, but for my personal password database I'm willing to sacrifice a bit of polish to make sure the zero-knowledge claim is iron clad.

You don't even need Dropbox; as a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.

I've had multiple failures to merge (including corrupted databases) with KeePass. I'm still using it but I'm considering moving to {bit,vault}warden.

I sync my KeePass using Signal's 'note to self' feature.

A breach in the software distribution and signing servers would be quite disastrous.

That "theoretically" is carrying significantly more water in this example than is smart to assume.

Hack code, roll out app updates... you see where this is going?

Or just use the tools already on your computer.

www.passwordstore.org and stand up your own bare git repo.

Pass with Yubikey is great! It’s amazing how much this simple shell script can conveniently do.

You can literally audit this password manager in 30 mins! Thus, I feel it’s more secure than a complex solution like LastPass, since the code is small and a Yubikey touch gives you a chance at one password (with other password managers the whole vault is unlocked and all passwords are at risk and may be extracted at once).

Pass has advantages over other password managers (even though it has some limitations too).

Creator of pass is the creator of WireGuard, which is awesome for similar reasons.

Guy's a legend.

I loved keepass but I wanted to manage my passwords in the cli. Found out that pass exists, switched to it, and have been using it ever since.

I have my pass repo somewhere on the internet and the android/ios clients have been adequate for me.

> One way to prevent risk to your passwords in the event of a security breach is to not store them in the cloud at all.

If your passwords are encrypted you can put that file on a Times Square billboard and it doesn't matter. That is the entire point of encryption, moving sensitive data across adversarial channels. If you don't trust the encryption of the software you're using, well that's a good indication to not use it at all. But if you do there's literally zero point to not use a cloud provider.
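Both the "password plus keyfile, copy the keyfile manually" setup described earlier in the thread and the "put the encrypted file on a billboard" argument above rest on the same mechanism: the stored blob is only as exposed as the key material that never leaves your devices. The following is an added example, not code from the thread or from KeePass (it is an illustrative construction, not the KDBX format): it derives a vault key from a slow KDF over the password mixed with a hash of the keyfile, encrypts with an HMAC-SHA256 keystream in counter mode, and authenticates the result with a second HMAC (encrypt-then-MAC), using only the Python standard library. The vault contents, password and keyfile are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Composite key: scrypt(password) mixed with a hash of the keyfile.

    A cloud provider that holds the blob (and therefore the salt) still
    lacks both the password and the keyfile, so it cannot run this step.
    """
    pw_key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    keyfile_digest = hashlib.sha256(keyfile).digest()
    return hashlib.sha256(pw_key + keyfile_digest).digest()


def _subkeys(vault_key: bytes):
    # Separate keys for encryption and authentication, derived from the vault key.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: block i = HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(plaintext: bytes, password: str, keyfile: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag; this is what goes to the cloud."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_vault_key(password, keyfile, salt))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(blob: bytes, password: str, keyfile: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key material is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_vault_key(password, keyfile, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> Dict[str, bool]:
    """Constructed scenario: the blob is 'public', only password + keyfile are private."""
    keyfile = secrets.token_bytes(64)            # copied to each device by hand
    password = "correct horse battery staple"    # typed into the local app only
    vault = b"github: alice / hunter2\nbank: alice / s3cret\n"
    blob = encrypt_vault(vault, password, keyfile)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    return {
        "roundtrip": decrypt_vault(blob, password, keyfile) == vault,
        "wrong_password": decrypt_vault(blob, "wrong password", keyfile) is None,
        "missing_keyfile": decrypt_vault(blob, password, b"") is None,
        "tampered_blob": decrypt_vault(tampered, password, keyfile) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point the code makes is the one the thread is circling: with this layout the provider stores only the blob, and the only things that can open it are the password and the keyfile, neither of which is ever uploaded. What it does not protect against is the other argument in the thread: a compromised client that decrypts the vault locally and ships it out, which no at-rest encryption scheme can stop.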

A wise sysadmin said in the days of my youth: "The only perfect firewall is a pair of scissors" :)

I was going to add "and Faraday Cage" until I got to

> For the current experiment, researchers argue that malware that managed to infect an air-gapped [offline] computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds.

Which still requires infecting the offline computer somehow (and a connected machine in close proximity as well).

Point taken though, nothing is perfect. And if everything else fails, there's always social engineering :)

I have 5 laptops, 6 mobile devices and a desktop machine that I am constantly moving between. All of them are iOS or macOS. I have been using LastPass since it is so simple and works flawlessly. Will KeePass work as simply for my use case?

Early? It happened two weeks ago. That doesn't fit my definition of early.

By disclosing it early you mean two weeks later?