by smt88 1396 days ago
Most people use a work machine and a mobile device, so cloud syncing is absolutely necessary.

LastPass and its competitors theoretically have zero-knowledge storage of everyone's passwords, so even a full breach of their servers would fail to leak passwords.

6 comments

> Most people use a work machine and a mobile device, so cloud syncing is absolutely necessary.

I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.

My personal passwords are stored on my own personal devices. Syncing between them can be done using any number of methods without uploading to the cloud, but even if I wanted to use somebody else's servers to do that, a properly encrypted file with a very strong password could be safely stored anywhere, so there's no need to limit myself to one company's servers. I can use whatever works best for my needs and won't have to worry about what I'd do if the one I was using goes under or becomes unavailable. In exchange for a little extra work you gain a ton of utility and resiliency.

Yeah, again: all of this is great for you, but it doesn't change the fact that you are a very, very niche case. You can't just dismiss cloud syncing of passwords because you are the edge case who doesn't need it.

> I keep a password database on the company network with all my work passwords and I have no need to keep a copy of those credentials on a bunch of my personal devices or cloud servers.

That doesn't work for mobile devices. Most people have a work mobile device.

> even if I wanted to use somebody else's servers to do that a properly encrypted file with a very strong password could be safely stored anywhere

This is literally how LastPass and 1Password handle it. If you lose your key, the file in the cloud becomes useless.

> In exchange for a little extra work...

"A little extra work" that is beyond the skills of the vast majority of users.

> ...you gain a ton of utility and resiliency

As someone who used KeePass for more than 10 years until recently, I can honestly say that it was a massive reduction of utility and had no resiliency benefits.

You've picked a strange subset of 'most' for the people you're imagining. They are savvy enough to know what a password manager is, but not savvy enough to deal with an offline one. Are you sure it's not just a few people like you?

> They are savvy enough to know what a password manager is, but not savvy enough to deal with an offline one.

Not the person you responded to, but: I think that most people are savvy enough to know what a password manager is, and most people are not savvy enough to be interested in the work necessary to set up, personalize, and maintain an offline password manager that functions well across multiple devices. That doesn't sound like a niche subset to me, but I could be way off.

My point is to illustrate that the commenter is speaking out of their respective ass. None of us know what the average person thinks, we are a group of tremendous nerds who are engaging, not just reading, in the comments section to a post about a flipping password manager.
I'm speaking out of personal experience trying to get non-average users (my friends and family, some of whom work in non-technical roles at software companies) to understand and use password managers.

Most of them can't and won't invest the time just to switch to 1Password. The average person isn't going to exceed that bar by a margin that even I, a software developer, wouldn't bother with.

When something is too technical for even an average developer to bother with (because it's unnecessary, not because it's hard), it is totally hopeless for the average user.

Many of us in this forum are people that have tried to influence those around us - family, friends, coworkers - to use better security practices such as password managers. Those personal experiences alongside the prevalence and adoption of cloud-sync enabled password managers (including browsers) create a reasonable foundation from which to form a not-fully-ignorant opinion.
I’ve sold some friends and family on password managers, and the cloud syncing has been a key part of getting them to accept it. The alternative is often shortish passwords shared between systems.
I'm savvy enough to maintain an offline password manager, but fuck that noise.

It's already painful enough to use a cloud password manager; why would I burn hours more of time to maintain a worse experience?

How about cloud storage? iCloud, OneDrive, Google Drive, etc. Good apps support those out of box; for desktop install their client and use the file as you normally would.
Have you literally not used the password save feature in iOS? What about this password manager makes you think the people using it can duplicate the features using an offline version?
Copying files has the disadvantage of requiring some merge mechanism, or not permitting parallel modification.

I found vaultwarden to be a nice alternative. It runs on my server at home, to which I connect the relevant devices by VPN. It still requires the server to be online for modification (& the VPN connected), which I find to be a bit annoying, but it solves the concurrent modification issue. Plus, passwords are encrypted at rest and the browser extension verifies I'm using the password on a legitimate website (anti-phishing).

But if you're happy with your variant, I guess that's fine as well :)

> even a full breach of their servers would fail to leak passwords

This is a dangerous fallacy. Nothing fundamentally would prevent someone who attacked their infrastructure from pushing a malicious app update or a malicious extension update which exfiltrated the decrypted library from the client side.

I wasn't specific about that. I should have said a full dump of their database.

Yes, if someone got into their supply chain, they could push a malicious update. That's also true of KeePass and every other password manager. There's no way to avoid that vector.

Are there any instances of this happening? I feel like it would be caught so fast it's not worth trying.
> As customers downloaded the update, they unwittingly pulled down and installed the backdoor at the same time. The malicious code was itself cleverly designed, would execute commands, and provided remote admin access. The hackers then used that foothold to create and cryptographically sign the necessary security tokens to hoodwink systems into believing subsequent access to other accounts and resources was legitimate.

https://www.theregister.com/2020/12/15/solar_winds_update/

Wow, that is worrying how long it took to catch... seems like companies need to be monitoring their releases more carefully.
You can sync the encrypted KeePass database using Dropbox and then your zero-knowledge cloud storage won't just be theoretical.

Simply secure the database with a password and keyfile then copy the key file manually to your mobile devices and workstation.

That way you can be certain that your cloud provider has zero knowledge of your key file and also doesn't control the application in which you enter the master password.
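An added example (not code from the thread or from KeePass) showing the split the post describes: the cloud only ever holds the ciphertext, while the key file is copied to each device by hand, so a correct password without the key file still cannot open the vault. The composite-key construction follows KeePass's shape; the PBKDF2 stretch and the HMAC-based stream cipher are simplified stand-ins, and the key file and vault contents are constructed sample values.

```python
import hashlib
import hmac
import os

# Composite key as KeePass composes it: SHA-256 over the hashed password
# followed by the hashed key file. Either half alone gives a different key.
def composite_key(password: str, keyfile: bytes) -> bytes:
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(keyfile).digest()
    return hashlib.sha256(pw_hash + kf_hash).digest()

# Stretch the composite key with a per-vault salt (stand-in for AES-KDF/Argon2),
# splitting the result into an encryption key and a separate MAC key.
def derive_keys(password: str, keyfile: bytes, salt: bytes):
    master = hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile),
                                 salt, 200_000, dklen=64)
    return master[:32], master[32:]

# Counter-mode keystream from HMAC-SHA256 (stand-in for AES/ChaCha20).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

# Blob layout: salt(16) | nonce(16) | ciphertext | tag(32). This is what the
# cloud provider stores; it reveals nothing without password AND key file.
def encrypt_vault(plaintext: bytes, password: str, keyfile: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, keyfile, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

# Returns None on a wrong password, wrong key file, or a tampered blob; the
# MAC is checked before any decryption output is produced.
def decrypt_vault(blob: bytes, password: str, keyfile: bytes):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, keyfile, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```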

While this is true, and I did this for the better part of the 2010s, it was pretty clunky. Especially if one needs a platform for their wife or children to also use.

I'm gonna ride out LastPass until webauthn really takes off. Which could be soon based on what we're hearing from the mobile vendors.

> Which could be soon based on what we're hearing from the mobile vendors.

I'd really like to see wider webauthn support, so I'm curious to know what you mean by what you're hearing from the mobile vendors please?

Yeah I'm definitely not saying this is the right solution for everyone, but for my personal password database I'm willing to sacrifice a bit of polish to make sure the zero-knowledge claim is iron clad.
You don't even need Dropbox: for a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.
I've had multiple failures to merge (including corrupted databases) with keepass. I'm still using it but I'm considering moving to {bit,vault}warden.
I sync my keepass using signal's 'note to self' feature.
A breach in the software distribution and signing servers would be quite disastrous.
That "theoretically" is carrying significantly more water in this example than is smart to assume.
hack code, roll out app updates... you see where this is going?