Cloud-based systems like LastPass, Dashlane and 1Password work across multiple devices, but you have to store your passwords on someone else's server. These services usually cost money (since server maintenance costs money) and they're not proprietary, which means you don't know what they're doing with your passwords. And even if they are storing your password securely, these companies could get breached and the only thing stopping hackers from getting all your passwords is your master password.
KeePassXC is local-installation only and free (in both senses) which makes it ideal for a work machine, but it will not automatically sync across multiple devices so it's not as convenient for personal use (unless you never leave your house). I guess you could run a home server to sync the password database across multiple devices, but that comes with its own security risks.
Then you have the option of writing your passwords in a notebook and locking that away in a secure place. It also ensures that if your own machine gets compromised, your passwords are safe (unless the attacker installs a keylogger and just waits for you to enter your password). However, this method is also not really compatible with multiple devices from any location unless you carry this notebook with you everywhere (which weakens the security of your "password database"). Plus it doesn't have the option to automatically fill in password fields, and assuming that you have secure passwords, this will probably just be very time-consuming.
I have pass on my laptop and Android. It's synced to a git repo on my webserver. Works fine.
Noah Baker
Your brain. What a uselessly large amount of text. Literally for what purpose would you need this shit. I easily remember 6 complex passwords.
Cooper Bell
And how often do you change those 6 complex passwords? When someone compromises one of those passwords, you will be indefinitely vulnerable unless you realise you've been breached (which may or may not be obvious).
James Jones
Just use Pass or KeePass and use a git repo or any cloud storage to sync your passwords. It won't matter even if you throw it on Google drive, since your passwords are encrypted anyway.
Use pass/gopass. Pass is the simpler thing, gopass will help if you want different sets of passwords (be it to share with family members or to keep some passwords off your smartphone).
6 passwords mean either that you really aren't doing much online, or you're reusing passwords.
This is only barely acceptable if you derive some FIDO2 or some HOTP/TOTP auth, but otherwise it's just retarded - any of the sites may grab your password and compromise all others.
Maybe even multiple passwords because you might at some point mistype/confuse which one you used and try the other one.
It'd still be far more sane to have 6 password wallets that provide unique passwords to all individual sites. There is almost no chance of the site compromising the wallet, so they just can't reuse your password and gain access to, say, all other shops or bank accounts or social network accounts or hosting providers or whatever else you're doing.
Landon Murphy
a paper and a pen
Carter Diaz
>t. gramps
Sebastian Thompson
And what if your house burns down? How will you get into your accounts? You can't just ask them to reset your password because your email password has been destroyed by the flames too.
Isaac Bennett
Arguably, paper is almost as easy to copy as digital data.
You can leave your passwords in a safe in your holiday shack or a bank or something. Not absolute security, but reasonable?
Xavier Stewart
I agree, but for normalfags it is maybe the best thing (tied with a set of FIDO2 auth keys that however aren't accepted everywhere yet).
Probably only Jow Forums or less dumb can handle working with pass and gpg/git repositories.
Sebastian Hernandez
If you are even remotely intelligent, you will never have your shit compromised.
Adam Stewart
ur brayn
Ethan Stewart
You are no such thing if you reuse passwords between websites.
It just means if ANY of the websites are compromised, all of the websites using this password are compromised too, and you generally have nearly fuckall in terms of insight into how safe the password entry prompt in that website / software using a login prompt (and the transport channel inbetween and so on) is right now.
The only safe thing to do is have different logins between sites, or maybe at least to cryptographically irreversibly derive passwords from one of your handful of secrets in TOTP/HOTP fashion.
Hudson Ross
>What is the optimal password management system? An omnipotent, omnibenevolent AI that manages all forms of data access for every human being.
Luis Myers
But what if one of the services that you use suffers a data breach and you need to change your password for that site? Syncing the new password between your various paper copies becomes difficult. The main selling point of password managers is not that they store passwords, but that they manage passwords (make them easy to generate, change and use).
Xavier Price
Paper IS manageable even then. You just strike the old password or write a new password list and do x copies on your copy-printer. [Have the date added in the header/footer of the print and you're never going to be confused either.] Best thing for normies tied with FIDO2.
However, that's just "for normies". Your family and so on. If you know your computers at least like most of Jow Forums, pass/gopass is certainly better.
Justin Hall
>If you are even remotely intelligent, you will never have your shit compromised.
Assuming that all your paper copies are securely stored in each location, you'd need to physically travel to each location, unlock the safe, modify your list, lock the safe and then travel back. Plus you need to ensure that each of those locations is truly secure. If someone manages to break into just one of those safes, your passwords are right there in plaintext.
A more secure option would be using a local-installation password manager like KeePassXC and requiring multi-factor authentication (either via something like a YubiKey or a keyfile). That way you can upload the database to cloud storage, and even if that gets stolen and the attacker bruteforces your master password, they still have an additional layer of security preventing them from viewing your passwords.
Angel Murphy
That's what I do. Only that I also encrypt the database with another password before uploading it to the cloud. Only the paranoid survive.
Benjamin Russell
Yea, you won't expect your uncle and mom to travel to "safe" locations. They'll have it in the bookshelf or file next to their desk in plaintext.
It doesn't protect them against someone physically breaking in or some trusted person in their house accessing the passwords, just against the next inevitable idiot website that stores passwords in plaintext or with cryptographically broken hashes or that loses control over the login prompt or domain or gets MITM'd or whatever else.
Even FIDO2 hardware keys also probably won't be entirely safe against getting stolen.
But you can't do everything that'd be safe with normal people. They'll either lock themselves out OR they'll choose some insecure AND proprietary botnet variant of keeping passwords because it's convenient. Paper is still better for them.
Again, for you it should probably be pass/gopass, but they can't handle it.
Daniel King
KeepassXC + syncthing
You get syncing without the cloud and a great password manager on all devices. You're welcome.
Brody Brooks
KEEPASS-XC + Syncthing
Joseph Foster
What even is syncthing? From the less than helpful website it sounds just like a glorified torrent and I don't get why anyone should bother with it?
Angel Wright
It's an open source program that syncs folders between devices using only your router. So you would have the password database on both your phone and PC, and when either changes it will sync them without the file ever going on the internet, only through your local area network. Of course you can have it sync only over your home router for maximum security.
It works simply too. You just have it on both machines and have the IDs match, and voilà.
Robert Cooper
Fuck, I need to sleep, I cannot type a sentence anymore.
Xavier Hall
pass / gopass with its git repository and gpg2 are generally nicer even if you also want to use syncthing
keepass(xc) isn't all that brilliant with syncing passwords and generally not really as logical as gopass
Syncthing is glorified torrent, but you can more easily form small private networks and use staggered file versioning.
Robert Turner
Okay so it's a user friendly version of my file sync setup. Thanks for the explanation user.
Logan Bailey
rsync > syncthing
Jonathan Edwards
Are you able to set up multi-factor authentication with pass/gopass?
This is a very naive way of thinking. When it comes to passwords you should always assume that every password that you use for a given site will get compromised, since a lot of things can happen that are out of your control. Either you will get MITM'd, keylogged, someone will be looking over your shoulder, the site will be breached, the site you use is actually evil, the function used to hash your password is no longer secure, your password was just stored in plaintext, etc. Because of this, there are some things you should do: 1) Never use the same password for multiple sites. This way if one password gets compromised, you will only ever be compromised on that one site. 2) Use complex passwords that are difficult to bruteforce. Assuming the password wasn't just stored in plaintext, that will make it very difficult for an attacker to get your actual password even if they successfully breach the site. 3) Change your passwords somewhat regularly. Even if your session gets compromised once, the passwords you use in that session will eventually be worthless. This also helps deal with cases where you don't know that your password has been compromised and the attacker has just been silently using your account.
Quite frankly all of these things are not easy to do for humans, which is where password managers come into play. They make it easy to do all these things. With the solutions that have some sort of syncing, they also make it possible to securely share these passwords among trusted devices. Obviously the security of your password database relies heavily on your master password, but remembering one strong password is far easier than remembering multiple strong passwords. Plus you can always secure that password database even further with multifactor authentication.
Tyler Martinez
>password is stored in plaintext in your bash history Based retard
On Linux, you could also additionally put the whole thing into a tomb (managed LUKS volume) and so on. People came up with various wrappers and addons and things around the core gpg+git thing.
You can use any Hash method OpenSSL has to offer: gost-mac md4 md5 md_gost94 ripemd160 sha1 sha224 sha256 sha384 sha512 sm3 sm3WithRSAEncryption streebog256 streebog512 whirlpool
Don't use exactly my version, idiot!
Xavier Hall
I've said it once and I'll say it again cat passwords.txt | grep pornhub.com
Caleb Phillips
What's Jow Forums's opinion on Stateless Password Managers such as lesspass.com/
>the only thing stopping hackers from getting all your passwords is your master password.
Ahh yes, I'm sure these almighty hackers will have a breeze cracking salted, hashed PBKDF2 passwords iterated 100,000+ times from an already ridiculously strong password
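Added example (not any poster's code, and not the algorithm LessPass actually uses) of the scheme behind stateless managers like the one asked about above, and behind the earlier suggestion to derive each site's password irreversibly from one secret. Python standard library only; the master secret, site names and login are constructed demo values, and the character policy and the 20-character default are assumptions of this example.

```python
"""Stateless per-site password derivation (added example, not a poster's code)."""
import hashlib
import hmac
import string

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 90 characters


def meets_policy(password: str) -> bool:
    """Most sites demand mixed case, a digit and a symbol; require all four classes."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(c in SYMBOLS for c in password))


def derive_site_password(master: str, site: str, login: str, counter: int = 1,
                         length: int = 20, iterations: int = 100_000) -> str:
    """Derive the password for (site, login) from the master secret.

    Nothing is stored: the same inputs always give the same output, and the only
    way to rotate one password is to bump `counter`, which the user must remember.
    """
    if not 4 <= length <= 70:
        raise ValueError("length must be between 4 and 70")
    # The site name is lower-cased so "Example.com" and "example.com" agree; login
    # and counter are mixed in so several accounts on one site differ.  PBKDF2 is
    # the slow step: a leaked derived password costs an attacker `iterations`
    # hashes per guess at the master.
    salt = "\x00".join((site.lower(), login, str(counter))).encode("utf-8")
    site_key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    attempt = 0
    while True:
        # Cheap expansion step: 64 bytes of PRF output per attempt, re-run only if
        # the candidate fails the character-class policy (rare for length >= 8).
        stream = hmac.new(site_key, attempt.to_bytes(4, "big"), hashlib.sha512).digest()
        n = int.from_bytes(stream, "big")
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(ALPHABET))   # 90**70 < 2**512, so modulo bias is negligible
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        if meets_policy(candidate):
            return candidate
        attempt += 1


if __name__ == "__main__":
    demo_master = "correct horse battery staple"   # constructed demo secret
    for demo_site in ("example.com", "mail.example", "shop.example"):
        print(demo_site, derive_site_password(demo_master, demo_site, "alice"))
```

Three things worth seeing in it: the site name, login and counter are the only "salt", so nothing needs to be synced, but rotating one password means remembering that its counter is now 2, which is state creeping back in; the PBKDF2 step makes a leaked derived password expensive to reverse, but whoever holds one can still guess the master offline at that rate, so the master needs real entropy rather than just complexity; and a site that forbids symbols needs a different alphabet, which changes its output and becomes yet more state to remember.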
Jordan Perry
>Cloud-based systems >password management kys
Jacob Adams
Passwordstore / pass with any of the numerous gui front ends, for easy management.
Sync? See here: You can also keep a copy of your password store on a usb drive and use diff / sync software to merge new entries at the end of every day if you like a more interactive approach. Pass is great, and there are extensions available for firefox and chromium-based browsers as well.
Joseph Gomez
I wrote my own, as a CLI program. Having someone else managing my passwords bothered me so much that I wrote that shit.
Dominic Morris
grep pornhub.com passwords.txt
Michael Mitchell
>the only thing stopping hackers from getting all your passwords is your master password. Shock horror!
>To break a 10 character password that uses letters, numbers, and symbols, such as "%ZBGbv]8g?", it would take (1.7*10^-6 * 80^10) seconds / 2 or 289217 years. This would take about 3 years on a supercomputer or botnet.
How does it work if you don't mind my glowing. Do you use a database or just store hashed passwords or how did you implement it?
Nathaniel Foster
I did basically what said. I have a master password, salt, AES 256 encryption. I store a database using SQLite that stores a salted hash for access and the encrypted passwords. It generates random passwords (as of now from /dev/urandom) for every new entry. I'm currently using 30 bytes per service password.
You can upload your database to something like Google Drive. Even if hackers get a hold of database file, they still need to decrypt it which depends on your password strength.
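Added example of the design described above, not the poster's program: one master password (optionally plus a key file as a second factor, as suggested earlier in the thread), a random salt, PBKDF2 at 100,000 iterations, a stored verifier that rejects a wrong master before anything is decrypted, 30-character random passwords from the OS CSPRNG, and a SQLite table holding only ciphertext. It uses only the Python standard library, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the AES-256 the poster uses; in production use AES-256-GCM from a vetted library. The service names, passwords and key-file bytes are constructed demo values.

```python
"""Minimal encrypted vault (added example, not the poster's program).

Standard library only: HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag
stands in for AES-256; real code should use AES-256-GCM from a vetted library.
"""
import hashlib
import hmac
import secrets
import sqlite3
import string

KDF_ITERATIONS = 100_000        # PBKDF2-HMAC-SHA256 rounds an attacker pays per master guess
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_keys(master: str, salt: bytes, keyfile: bytes = b""):
    """Stretch master (+ key file) once, then split into three independent subkeys."""
    # The key file's hash is appended to the password material, so an attacker who
    # steals the database and guesses the master still lacks the second factor.
    # "No key file" is just the empty key file, so the scheme stays consistent.
    material = master.encode("utf-8") + hashlib.sha256(keyfile).digest()
    prk = hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS)

    def subkey(label: bytes) -> bytes:      # HKDF-style expansion with domain separation
        return hmac.new(prk, label, hashlib.sha256).digest()

    # The verifier is its own subkey: it lets the owner reject a wrong master before
    # decrypting, but reveals nothing about the encryption or MAC keys.
    return subkey(b"enc"), subkey(b"mac"), subkey(b"verify")


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so the (aad, nonce, ct) boundaries are unambiguous.
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC.  `aad` (here the service name) is authenticated but not
    encrypted, so a blob copied from one row to another fails to verify."""
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per entry; a repeat would leak plaintext XORs
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):   # constant-time, before decrypting
        raise ValueError("authentication failed: wrong key or tampered entry")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length: int = 30) -> str:
    """Random password from the OS CSPRNG (`secrets` reads /dev/urandom on Linux)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


class Vault:
    def __init__(self, db: sqlite3.Connection, master: str, keyfile: bytes = b""):
        self.db = db
        self.db.execute("CREATE TABLE IF NOT EXISTS meta (salt BLOB NOT NULL, verifier BLOB NOT NULL)")
        self.db.execute("CREATE TABLE IF NOT EXISTS entries (service TEXT PRIMARY KEY, blob BLOB NOT NULL)")
        row = self.db.execute("SELECT salt, verifier FROM meta").fetchone()
        if row is None:                     # new vault: choose a salt, store the verifier
            salt = secrets.token_bytes(SALT_LEN)
            self.enc_key, self.mac_key, verifier = derive_keys(master, salt, keyfile)
            self.db.execute("INSERT INTO meta VALUES (?, ?)", (salt, verifier))
            self.db.commit()
        else:                               # existing vault: check the master before touching entries
            self.enc_key, self.mac_key, verifier = derive_keys(master, row[0], keyfile)
            if not hmac.compare_digest(verifier, row[1]):
                raise ValueError("wrong master password or key file")

    @classmethod
    def open(cls, path: str, master: str, keyfile: bytes = b"") -> "Vault":
        """Open or create the vault at `path`; ':memory:' gives a throwaway database."""
        return cls(sqlite3.connect(path), master, keyfile)

    def add(self, service: str, password: str = "", length: int = 30) -> str:
        """Store a password for `service`, generating a random one if none is given."""
        password = password or generate_password(length)
        blob = encrypt(self.enc_key, self.mac_key, password.encode("utf-8"), service.encode("utf-8"))
        self.db.execute("INSERT OR REPLACE INTO entries VALUES (?, ?)", (service, blob))
        self.db.commit()
        return password

    def get(self, service: str) -> str:
        row = self.db.execute("SELECT blob FROM entries WHERE service = ?", (service,)).fetchone()
        if row is None:
            raise KeyError(service)
        return decrypt(self.enc_key, self.mac_key, row[0], service.encode("utf-8")).decode("utf-8")
```

Two details matter for the "upload it to Google Drive" argument: the verifier is a separate subkey, so the file gives an attacker nothing that shortcuts guessing the master beyond the salt and the PBKDF2 cost; and each row's service name is authenticated as associated data, so someone with write access to the synced file cannot move the ciphertext of a throwaway account into the bank row and have it decrypt. What the file does not hide is the list of services, which is metadata worth encrypting too if the store is shared.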
Grayson Cox
Talking about KeepassXC btw
Ethan Hernandez
Look at this gnu master
Jace Martin
Keepass and keep it synced using your favourite file storage service