I genuinely don't know why people don't use offline databases like keepass. The convenience of online password management is not worth the hassle they can cause. Albeit lastpass appears to be the worst!
Because I have four devices I need my passwords on, on three different OSs, and no admin on one.
All of my banks use a mobile app for confirming transactions, which requires me to login. Sometimes that requires reauth not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.
I use "pass" with a yubikey and happily use it from Windows, Linux, Android.
It syncs via git and syncthing.
I think I've been using this longer than BitWarden has existed and will be using it after something happens with BitWarden and triggers another migration.
Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.
Back when 1Password honored its offline, non-subscription license we bought, we could store the encrypted vault in a cloud storage service like Dropbox (or your own server) and simply set up other instances of the 1Password client to use the vault on that folder.
Exactly what I'm doing with my keepass database. I have an offline keyfile that's never in the cloud for added security. I've found this to be the best solution.
First, a password manager would never store a key unencrypted on the cloud.
When implemented correctly a password manager storing the database shouldn't have any information (keys) to decrypt the database. Only the user & the client knows this information, and it never leaves the client.
There is still the matter of authenticating to the password manager service to retrieve the database. There are a couple of ways to do it, but usually a strong password hash (least desirable and I think this is what LastPass uses) or a Password Authenticated Key Exchange (PAKE) in which the service keeps an authenticator to verify your password/credentials but the authenticator cannot be reversed or attacked to determine the password (similarly, observing the PAKE transaction over the wire or MITMing it won't allow any attack to find the password).
Even if the authentication aspect fails and someone could download all the databases, the database should be protected with at minimum a slow password hash, so a dictionary attack should be very slow. I believe LastPass has stuffed this up in the past. On the other hand, 1Password took a proactive stance despite a hit to the UX by requiring a password + "secret key" which is I believe at least a 128-bit secret that's mixed together to come up with a high entropy password that is used to encrypt the database - so an attacker will have a hard time with any 1P database.
Put bluntly, as a 1P user I'm the least bit concerned that the database is stored in the cloud. I guess the only thing I have to worry about is a surreptitious version of 1Password being distributed to my machine which may capture/exfil my password & secret key. I guess not being open source is a net negative here. So I do place some trust and faith in AgileBits to protect their supply chain and software distribution. Their reputation depends on the security of the service after all.
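The "password + secret key" construction described above, and the keepass "password + offline keyfile" setup mentioned earlier in the thread, are the same idea: a memorised password is stretched with a slow KDF and then mixed with a high-entropy secret that never reaches cloud storage, so a copy of the database alone is not enough for an offline guessing attack. The following is an added illustration, not code from any of the commenters nor from 1Password or KeePass; the scrypt parameters, the HMAC mixing step and the stored key-check value are constructed assumptions for the demo, not either product's actual format.

```python
import hashlib
import hmac
import secrets

SECRET_KEY_BYTES = 16  # 128-bit secret, the size the comment above mentions
SALT_BYTES = 16
# Constructed work factor for the demo (16 MiB of memory per guess); real vaults use more.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
KCV_LABEL = b"vault-key-check"


def new_secret_key() -> bytes:
    """Random 128-bit secret, generated once and kept only on the user's own devices."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Constructed two-part key derivation:
    1. the memorised password goes through a slow, memory-hard KDF (scrypt);
    2. the device-held secret key is mixed in with HMAC-SHA256.
    An attacker holding only the vault must supply both parts, so a weak
    password is no longer the single thing standing between them and the data."""
    stretched = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def key_check_value(vault_key: bytes) -> bytes:
    """Value stored beside the ciphertext so a client can tell a wrong password
    from a corrupt vault; it reveals nothing usable without the derived key."""
    return hmac.new(vault_key, KCV_LABEL, hashlib.sha256).digest()


def make_vault(password: str, secret_key: bytes) -> dict:
    """Return the parts that are safe to sync to cloud storage: salt and key-check value.
    Neither the password nor the secret key is stored anywhere in the synced data."""
    salt = secrets.token_bytes(SALT_BYTES)
    vault_key = derive_vault_key(password, secret_key, salt)
    return {"salt": salt, "kcv": key_check_value(vault_key)}


def unlock(vault: dict, password: str, secret_key: bytes) -> bool:
    """Re-derive the key on the client and compare the key-check value in constant time."""
    vault_key = derive_vault_key(password, secret_key, vault["salt"])
    return hmac.compare_digest(vault["kcv"], key_check_value(vault_key))


if __name__ == "__main__":
    sk = new_secret_key()
    vault = make_vault("correct horse battery", sk)
    print("right password + right secret:", unlock(vault, "correct horse battery", sk))
    print("right password, missing secret:", unlock(vault, "correct horse battery", new_secret_key()))
```

The point of the design is visible in the two `unlock` calls at the bottom: the password alone, even when correct, does not open the vault, so the entropy an attacker has to search is the password's plus the 128 bits of the secret key, and each guess still costs a full scrypt evaluation. This is exactly the trade-off the comment describes: a slightly worse first-device setup experience (the secret key has to be carried to each new device, like an offline keepass keyfile) in exchange for a database that is safe to leave in cloud storage.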
I agree. If you don't totally own your password manager, you are at the mercy of the company that does.
I use password store (the pass command-line utility); at its core it's GPG-encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free, runs on my local machine. If you need to sync, you can use git push/pull to do that.
I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:
I've been using Bitwarden for a very long time without any hassle. It just works. Technology-wise it's effectively the same thing as KeePass+Dropbox, just bundled. It's even open source, so I could export my data and self-host it if needed.
I would be careful about judging the experience of all online password managers based on LastPass.
Can the DBs get merged or are they subject to conflict race conditions?
Years ago I experienced hassle and data loss (not of passwords) due to local-first sync solutions, such that I'm very wary of them now.
Race condition? In the context of my usage that's not possible: I'm the only user, and am accessing the data on one device at a time. Even less so since I'm essentially using sneakernet rather than cloud storage for "sync".