by bigfatfrock 607 days ago
> because KeepassXC + syncing is way too difficult for normal people

I've been debating for ages if this is a hurdle that can be overcome by packaging or even hand-holding support. When I show "normal people" my pass+sync setup they beg me to implement it for them. Once it's running it's near-zero maintenance.


Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.
It's fine, even bad password management is better than passkeys.

Thankfully the incredible hype for passkeys has been dead for years now and people are starting to question it.

Is this... is this sarcasm? I honestly can't tell anymore.
It is not.
Would you care to elaborate? It also matters what counts as "bad password manager" to you - Poor crypto? Poor UX? A reddit post ;-)? LastPass?

With passkeys, both the website and the user can be pretty sure that the "password" is secure. The website knows that it's based on enough entropy, and the user knows that the website cannot lose it.

Of course, if I use a randomly generated 80-char password I only mildly care if the website stores it in plain text or not.

But if I was a site operator, I could additionally trust that the users are using secure passwords. Without insane strength requirements (which people only work around anyway, e.g. Passw0rd!123 is usually accepted, but thisisasuperlongpassphrase often is not).

I'm in the business of testing security, which means I sometimes crack passwords. No matter how much training you put your employees through: somebody's gonna use ${some name}${0 or 1 special char}${some birthday} - whether it's the spouse's, the kids' or the affair's data, your guess is as good as mine.
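The mismatch the comment above describes (Passw0rd!123 satisfies a character-class rule, a long passphrase does not) is easy to see in code. The following is an added example, not code from this thread or from any password manager discussed here: it contrasts a typical "upper + lower + digit + symbol" policy with a naive character-class entropy figure and with a pattern-aware guess estimate in the style of zxcvbn. The word ranks and the leet-substitution table are constructed for this example; a real checker would load a large frequency-ranked wordlist.

```python
import math
import re

# Constructed stand-in for a frequency-ranked dictionary (assumption for this example:
# a real checker loads a large ranked wordlist). Rank 1 = most common word.
WORD_RANK = {
    "password": 1, "a": 5, "admin": 12, "is": 30, "welcome": 40, "this": 50,
    "long": 300, "summer": 500, "super": 800, "passphrase": 20000,
}
MAX_WORD_LEN = max(len(w) for w in WORD_RANK)

# Substitutions that complexity rules reward but that a guesser undoes for free.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def class_policy_accepts(pw: str, min_len: int = 8) -> bool:
    """The 'upper + lower + digit + symbol, at least min_len chars' rule many sites enforce."""
    return (
        len(pw) >= min_len
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def naive_bits(pw: str) -> float:
    """Character-class entropy, len * log2(pool): the figure most strength meters show."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def _match_word(pw: str, start: int):
    """Longest dictionary word beginning at `start` after undoing leet and case.
    Returns (length, bits) or None."""
    for length in range(min(MAX_WORD_LEN, len(pw) - start), 0, -1):
        chunk = pw[start:start + length]
        normalized = "".join(LEET.get(c, c) for c in chunk).lower()
        if normalized in WORD_RANK:
            subs = sum(1 for c in chunk if c in LEET)
            caps = any(c.isupper() for c in chunk)
            # A ranked word costs log2(rank) guesses; each substitution and the
            # capitalisation roughly double the work (one extra bit each).
            return length, math.log2(WORD_RANK[normalized]) + subs + (1 if caps else 0)
    return None


def pattern_bits(pw: str) -> float:
    """Pattern-aware estimate: dictionary words (with leet/case variants) are cheap,
    leftover characters are charged at the size of their character class."""
    bits, i = 0.0, 0
    while i < len(pw):
        match = _match_word(pw, i)
        if match:
            length, cost = match
            bits += cost
            i += length
            continue
        c = pw[i]
        if c.isdigit():
            bits += math.log2(10)
        elif c.isalpha():
            bits += math.log2(26) + (1 if c.isupper() else 0)
        else:
            bits += math.log2(33)
        i += 1
    return bits


if __name__ == "__main__":
    for pw in ("Passw0rd!123", "thisisasuperlongpassphrase"):
        print(f"{pw:28s} policy accepts={class_policy_accepts(pw)!s:5s} "
              f"naive={naive_bits(pw):6.1f} bits  pattern={pattern_bits(pw):5.1f} bits")
```

With the constructed ranks, Passw0rd!123 passes the class policy and scores about 79 bits on the naive meter but only about 17 bits once "password" with one substitution and a capital is recognised, while the passphrase fails the policy yet costs about 45 bits even against a tiny dictionary; with a realistic wordlist the gap widens further. The practical takeaway for a site operator is to rate length and dictionary structure rather than character classes.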

Management, not password manager.

I'm not talking about technical merits, we all know passkeys are so complex they might work decently as obfuscation alone ;)

No, all that crap is meaningless when you give all your keys to an entity that simultaneously locks you in and couldn't give a fuck about you.

I did that for quite some time, but I had severe issues with multiple editing users and with Android apps. All the tricks I tried, like nested vaults, didn't fully work in the end. So I ended up with 1Password.
Where did you manage to find "normal people" that begged you to install a password manager for them? I have yet to come across one person who wanted one.
There are normal people out there who have been hacked, or knew someone who was.

Also, some normal people are computer-smart enough to understand problems like credential-stuffing, if someone explains it to them.

Would love to know how you have it setup.
Can you share how you set this up?
I store the password vault in dropbox. Done.
100% serious question: how is using dropbox (one cloud) to sync passwords any better or more secure than using a password manager that syncs your vault for you (another cloud)? I see so many "I don't trust <insert pw manager> so I use dropbox" comments around these parts and I just don't understand what real or perceived threat is being mitigated.
It's valuable that the syncing mechanism is separate because that makes it agnostic. Parent comment uses Dropbox, I use Google Drive, someone else uses OneDrive, someone else uses iCloud, someone else uses Syncthing or Nextcloud, etc.

You don't have to trust the single cloud provider to encrypt and not be able to spy. The vault is encrypted on your own device using fully open software, and the cloud only ever sees a blob they have no keys to, directly or indirectly. The encrypting/decrypting software was not written by the cloud provider.

You don't have to trust any single cloud provider to stay up, be available in your country, stay friendly to you. If Dropbox goes down or kills your account, you just flip to any of 20 other options.

You say you don't understand why someone prefers Dropbox over the special custom syncing, but I don't understand what the excuse is for a special vendor-specific implementation of something that is already generic and agnostic. It's like using a browser that uses its own version of HTTP to download files and only works with one web site that has the matching special server.

It's not a remotely equivalent comparison between "one cloud" and "another cloud". One is a single vendor-specific, custom purpose, single-provider thing, the other is agnostic and infinite, use any method you want from any provider you want any time you want.

For me it's not about "mitigating a real or perceived threat". It's just basic system resilience and principle to avoid special things and prefer generic/agnostic things, and keep concerns separated. But it is also more secure not to trust any integrated cloud provider, vs having the cloud be just storage that doesn't know anything about the blob being stored, and can't even if they turn bad, or are pressured by a government, or get hacked, etc.

I guess the idea is that you trust open source software to encrypt the vault, so Dropbox couldn't do anything with it even if they wanted to. That's also true for the open source Bitwarden clients though.
It’s small enough for dropbox’s free tier so it saves me a subscription.
Ah! Threat to the wallet I see. That Dropbox referral credit must still be paying dividends.
> store the password vault in dropbox

No local backup? Do you rely on the network working all the time?

I do something similar on the mobile phone (the reasoning is, if there's no network, there's nothing I need to log in to) but I also keep a local copy on my laptop (that I sometimes operate with limited connectivity). Without any automatic syncing, one of the two copies will be stale.

Back in the day we tried to sync KeePass vaults at work and ended up with a conflict about once a week, which is way too often. Not sure if other password managers have solved this.
> No local backup? Do you rely on the network working all the time?

Normal dropbox behavior keeps a copy on every computer.

> Normal dropbox behavior

Ah, you mean by using some app or daemon. I excluded that possibility because on at least one of my laptops I'm not allowed to install anything, so for me "normal" behavior is using Dropbox as a container for files to download when needed.

Well if you do that then you get plenty of copies; just restrain your delete key finger a bit. It does risk some staleness, but only rarely.

And maybe you could write a small shell script to keep that particular file up to date?

Also the one program I've used that opens keepass files directly from dropbox servers keeps a local copy.

I did this a long time ago but eventually ended up with conflicts. Password managers write new entries in a file and easily avoid conflicts, whereas agnostic file managers will immediately conflict if sync wasn't working for a while on a device.
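The difference between a file-level "conflicted copy" and an entry-level merge, as the comment above and the KeePass-at-work comment earlier in the thread describe it, comes down to whether the sync layer understands the vault's structure. The following is an added example, not code from this thread or from KeePass, KeePassXC, Bitwarden or 1Password: it uses a constructed JSON stand-in for a vault (a real vault file is encrypted, so a file-sync tool sees only an opaque blob) and shows two diverged copies, the file-level conflict a generic sync tool would raise, and the per-entry, newest-modification-wins merge a vault-aware client can do instead, including a deletion tombstone that is newer than the surviving copy on the other device.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample: one vault as it looks on two devices that both edited it while
# sync was down. Entries are keyed by uuid and carry their last-modified timestamp;
# a deletion is recorded as a tombstone so it can be ordered against later edits.
# (Toy JSON layout, an assumption for this example; not the .kdbx format.)
BASE_TS = "2024-03-01T10:00:00+00:00"
LAPTOP = [
    {"uuid": "e1", "title": "bank", "password": "old-bank-pw", "modified": BASE_TS},
    {"uuid": "e2", "title": "email", "password": "rotated-email-pw",
     "modified": "2024-03-02T09:00:00+00:00"},                       # edited on laptop
    {"uuid": "e3", "title": "forum", "password": "forum-pw",
     "modified": "2024-03-02T09:30:00+00:00"},                       # added on laptop
    {"uuid": "e5", "title": "legacy", "password": "legacy-pw", "modified": BASE_TS},
]
PHONE = [
    {"uuid": "e1", "title": "bank", "password": "new-bank-pw",
     "modified": "2024-03-02T08:00:00+00:00"},                       # edited on phone
    {"uuid": "e2", "title": "email", "password": "email-pw", "modified": BASE_TS},
    {"uuid": "e4", "title": "vpn", "password": "vpn-pw",
     "modified": "2024-03-02T11:00:00+00:00"},                       # added on phone
    {"uuid": "e5", "deleted": True,
     "modified": "2024-03-02T12:00:00+00:00"},                       # deleted on phone
]


def serialize(entries) -> bytes:
    """The whole-file view a Dropbox/Drive-style sync tool works with."""
    return json.dumps(sorted(entries, key=lambda e: e["uuid"]), sort_keys=True).encode()


def file_level_conflict(a, b) -> bool:
    """Two writers produced two different blobs: a generic sync tool can only keep
    both as 'conflicted copies', it has no way to reconcile them."""
    return hashlib.sha256(serialize(a)).digest() != hashlib.sha256(serialize(b)).digest()


def _order_key(entry):
    """Newest modification wins; identical timestamps are broken deterministically by
    content so that merging is commutative."""
    return (datetime.fromisoformat(entry["modified"]), json.dumps(entry, sort_keys=True))


def merge_entries(a, b):
    """Entry-level merge: union by uuid, newest version of each entry wins, and a
    tombstone that is newer than the surviving edit removes the entry."""
    merged = {}
    for entry in list(a) + list(b):
        current = merged.get(entry["uuid"])
        if current is None or _order_key(entry) > _order_key(current):
            merged[entry["uuid"]] = entry
    live = (e for e in merged.values() if not e.get("deleted"))
    return sorted(live, key=lambda e: e["uuid"])


if __name__ == "__main__":
    print("file-level conflict:", file_level_conflict(LAPTOP, PHONE))
    for e in merge_entries(LAPTOP, PHONE):
        print(f"{e['uuid']}  {e['title']:6s}  {e['password']}")
```

The merge keeps the phone's bank password and the laptop's rotated email password, adds both devices' new entries, and drops the "legacy" entry because the phone's tombstone is newer than the laptop's untouched copy. The unsolved part of the comment's complaint is what a vault-aware client does when the same entry is edited on both sides at the same second; the deterministic tie-break here only guarantees both devices converge on the same answer, not that it is the one the user wanted.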
I've used it (Keepass) for a while and never got a conflict on the desktop client (OS X), nor on Firefox. But the iOS app does not like the file on Google Drive and occasionally it needs to be reloaded.
You can use syncthing too. Works just as well.
Is there a robust Syncthing app for iOS? Last time I checked there was only an affiliate project and their story wasn't convincing.
I use Mobius Sync and I'd say the app itself is fine, you just have to open it whenever you want things to sync. That's one of the things I miss from Android. Also you can't sync your camera folder.
Mobius Sync works really well, the only caveat is that it's not completely free (you're limited in the sync size unless you pay $5, but that's a one-time thing), and that while it can background sync, it's not continuous, and you'll want to open the app if you need to make sure something's synced.
it was just discontinued for android :(
Nope. I have a cloud Syncthing box that is accessible over SSH, and I use ShellFish to read/write my synced folders. It works okay, especially for lazily sending stuff from my phone to my laptop.
Instructions unclear, I have no password vault.
Right, doesn't everybody just use the same password everywhere? I don't see the point of these things.
You laugh, but that's apparently what I did a decade and a half ago.

I recently mounted a HDD that was at my parents' house. Most files are from 2009-2012ish. I was there one summer between undergrad and grad school and used it for a couple months.

I found an Opera password list that I'd exported, presumably to copy over to my new laptop. It was fun last night skimming the list, seeing which websites I'd completely forgotten about that I used to have accounts for. Almost none of them even exist anymore besides the big players (Slashdot, Apple, etc.), but the point is *almost all of them had the same password*. o.O

KeepassXC also doesn't have templates for things. It's in the works. When it comes out I might take another look at it.