I never got over the fact that I somehow need to trust to an absurdly high degree a proprietary software to store ALL my passwords. Is this really a good idea?
Even if they did, there’s some really smart technology at play here. I think your paranoia here is unjustified. I felt the same way until I read about their technology. At that point I felt comfortable using their service.
Anyway, iirc, 1password is architected in a way where a breach won’t actually disclose the passwords of their users, but I’m too tired to do the requisite double-checking to verify it
You are right in a way. I always assume company sysadmins have access to company data, even if they say the opposite, and I always assume there are undisclosed data leaks. Which may seem a little paranoid.
It’s like closing your car’s door when leaving it alone: Is it paranoid to assume that always there are someone willing to steal stuff?
No, I don’t think it’s healthy to move through life in such a paranoid state. If I thought that, I wouldn’t use a password manager and that would leave several problems unsolved, chiefly I would only be able to remember a couple passwords, opening my identity up for hacking several orders of magnitude likelier to actually happen than 1password’s entire technology stack failing at its one job.
A lot of weird hate for 1Password on Lemmy the past couple days. I highly recommend reading their white paper, I think most of the hate comes from ignorance of what they are actually doing.
It’s the choice between trusting one company (or if you self host, trusting yourself) to have their security all in order and properly encrypt the password vault. Using one password for every site you use means that you have to trust each of those sites equally, because if one leaks your password because they have atrocious password policies (eg. storing it in plain text), it’s leaked everywhere and you need to remember every place you used it before.
Good password managers allow audits, and do at times still get hacked naturally (which isn’t 100% preventable). Yet neither of these should result in passwords being leaked. Why? Because they properly secure your master password so it can’t be reverse engineered to plain text, and without the master password your encrypted password vault is just a bunch of random bytes. And even in the extreme situation it did, you know to switch to a better password manager, and you have a nice big list of all the places where you need to change your password rather than trying to remember them all.
Human memory is fallible and we want the least amount of effort, because of that we usually make bad passwords.
Your average site does not have their password security up to date (There’s almost a 0% chance not one of your passwords can be found here).
If you data is encrypted accordingly, it doesn’t matter if it gets leaked in any way or stolen by some rogue employee, so long as they do not have your master password.
So yes, I’d say that’s a good idea.
You can use KeePass, but you’ll have to figure out a way to have your password vault available on other devices (can do it by using any cloud shares, i.e. GDrive). This way you’ll be in charge of almost every aspect of your passwords. But you’ll have to take care of backups and keep everything in sync.
I’m sorry but no. I’m physically incapable of not moving the capital letter one space and I’m not entrusting my passwords to what I’ve irrationally decided IS named KeepAss. I just can’t.
It seems bitwarden is a bit more user friendly and also quite good in terms of security and privacy related issues (FOSS as well!) . Thanks for the help!
I read a bit into bitwarden and it seems quite good, also with browser extension etc. Maybe I will think about my stance on password managers and give it a try
I never got over the fact that I somehow need to trust to an absurdly high degree a proprietary software to store ALL my passwords. Is this really a good idea?
There are libre off-line password managers. Variants of Keepass for example.
Indeed it’s a bad idea to store passwords in a propietary system. Specially a cloud based one being hacked time to time, like 1password.
I’m unaware of 1password ever getting hacked.
Even if they did, there’s some really smart technology at play here. I think your paranoia here is unjustified. I felt the same way until I read about their technology. At that point I felt comfortable using their service.
I mean, just three days ago we had this incident, which is probably what they are referring to: https://blog.1password.com/okta-incident/
Anyway, iirc, 1password is architected in a way where a breach won’t actually disclose the passwords of their users, but I’m too tired to do the requisite double-checking to verify it
https://www.forbes.com/sites/daveywinder/2023/10/24/no-1password-has-not-just-been-hacked-your-passwords-are-safe/?sh=583d97333a09
Yeah I did my research long ago. I don’t think this anything to worry about
https://cybersecuritynews.com/1password-hacked/?amp
You are right in a way. I always assume company sysadmins have access to company data, even if they say the opposite, and I always assume there are undisclosed data leaks. Which may seem a little paranoid.
It’s like closing your car’s door when leaving it alone: Is it paranoid to assume that always there are someone willing to steal stuff?
https://www.forbes.com/sites/daveywinder/2023/10/24/no-1password-has-not-just-been-hacked-your-passwords-are-safe/?sh=583d97333a09
1password employees don’t have access to the data let alone anyone else. The encryption is not bullshit
That’s a common good practice.
It’s still good idea to assume the opposite.
If you can see plain text passwords, some malicious actor at their side can too. No matter if it’s encrypted at rest.
No, I don’t think it’s healthy to move through life in such a paranoid state. If I thought that, I wouldn’t use a password manager and that would leave several problems unsolved, chiefly I would only be able to remember a couple passwords, opening my identity up for hacking several orders of magnitude likelier to actually happen than 1password’s entire technology stack failing at its one job.
A lot of weird hate for 1Password on Lemmy the past couple days. I highly recommend reading their white paper, I think most of the hate comes from ignorance of what they are actually doing.
https://1passwordstatic.com/files/security/1password-white-paper.pdf
It’s the choice between trusting one company (or if you self host, trusting yourself) to have their security all in order and properly encrypt the password vault. Using one password for every site you use means that you have to trust each of those sites equally, because if one leaks your password because they have atrocious password policies (eg. storing it in plain text), it’s leaked everywhere and you need to remember every place you used it before.
Good password managers allow audits, and do at times still get hacked naturally (which isn’t 100% preventable). Yet neither of these should result in passwords being leaked. Why? Because they properly secure your master password so it can’t be reverse engineered to plain text, and without the master password your encrypted password vault is just a bunch of random bytes. And even in the extreme situation it did, you know to switch to a better password manager, and you have a nice big list of all the places where you need to change your password rather than trying to remember them all.
Human memory is fallible and we want the least amount of effort, because of that we usually make bad passwords. Your average site does not have their password security up to date (There’s almost a 0% chance not one of your passwords can be found here). If you data is encrypted accordingly, it doesn’t matter if it gets leaked in any way or stolen by some rogue employee, so long as they do not have your master password. So yes, I’d say that’s a good idea.
Nicely said, thanks for the long read!
You can use KeePass, but you’ll have to figure out a way to have your password vault available on other devices (can do it by using any cloud shares, i.e. GDrive). This way you’ll be in charge of almost every aspect of your passwords. But you’ll have to take care of backups and keep everything in sync.
I have this issue with bit warden
I’m sorry but no. I’m physically incapable of not moving the capital letter one space and I’m not entrusting my passwords to what I’ve irrationally decided IS named KeepAss. I just can’t.
Just imagine keeping your passwords in your ass and you should be fine.
I’ve had that dream before, didn’t help…
And then there’s KeePassXC.
Get it? Keep-Ass-Sexy :)
https://en.wikipedia.org/wiki/KeePassXC
I like Vaultwarden. Open source rust server compatible with bitwarden.
It seems bitwarden is a bit more user friendly and also quite good in terms of security and privacy related issues (FOSS as well!) . Thanks for the help!
Or simply can use, Bitwarden or Protonpass
I read a bit into bitwarden and it seems quite good, also with browser extension etc. Maybe I will think about my stance on password managers and give it a try
Syncthing works very well for cross platform syncing