Hacker News new | ask | show | jobs
by gruez 1246 days ago
>Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there.

I'm not sure whether that's actually better than storing it on github (or any other professionally managed git instance). Sure, you gain some security by obscurity (because your VPS isn't a juicy target like github is), but that's about it. If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github. I probably also expect github to do a better job at keeping their systems secure than an amateur sysadmin. In both cases the chance of getting hacked is fairly low, but the whole point of a password manager is that you don't have to rely on the storage service being secure to keep your passwords safe. If you need to rely on the storage service (eg. git server) to be not compromised for your passwords to be safe, then that kills a large benefit of using a password manager.
2 comments
yellowapple 1246 days ago
> If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github.

And unless that VPS is in the US or provided by a US company, it's unlikely the FBI will get much of a useful response to that letter. Some countries' LEAs cooperate with the FBI and other American LEAs, but not all.

link
phoe-krk 1246 days ago
The VPS does not have my private GPG key, stored locally, and hence cannot use it to decrypt the passwords.
link
gruez 1246 days ago
Right, but if an attacker has access to the VPS, it can pull off the various shenanigans that's described in the OP? That's the whole thesis of the article. If you have access to the underlying storage of pass (eg. the git instance if you're using git to sync everything), then you can perform some attacks. The attacks aren't catastrophic (ie. attackers being able to decrypt your passwords with no intervention), but they're still pretty bad nonetheless.
link
phoe-krk 1246 days ago
If the attacker has userspace access to my VPS or - even worse - my daily driver, then I have much bigger fish to worry about than. The attacker is then a single zero-day away from gaining root access and being able to keylog everything I input on my physical keyboard or send via SSH, at which point the issues mentioned in the article become meaningless.
link