cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options

Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

  • DigDoug@lemmy.world · 19 up / 6 down · 15 hours ago

    I know they’re convenient, but people should really stop using cloud-based password managers and start using local ones. I personally recommend KeePassXC.

    • fonix232@fedia.io · 9 up · 14 hours ago

      How do you recommend people sync between devices? What about devices that, for security reasons, do not allow flash drives or any external device to be plugged in?

      • thyristor@lemmy.pt · 4 up · 14 hours ago

        I have my KeePass file on a Samba share on my Raspberry Pi running WireGuard. But it’s easier just using Nextcloud. Anyway, the file is encrypted.

        • fonix232@fedia.io · 4 up · 12 hours ago

          At that point, why bother with the setup of Samba shares and Nextcloud or Syncthing or whatever else, and not use Vaultwarden with its built-in sync over WireGuard/Tailscale?

        • cecilkorik@piefed.ca · 4 up · 11 hours ago

          Sadly this functionality is not included in KeePassXC, so I continue to use the original KeePass for this reason, but I agree, my setup is the same and I’m very happy with it.

      • DigDoug@lemmy.world · 1 up · 14 hours ago

        You could use GitHub or similar. Your password file itself requires a password, so as long as the passwords are different you aren’t screwed if GitHub is compromised.

        Either that, or you could keep it on your phone and type your password in manually - KeePass lets you generate passphrases, which makes typing them a lot easier.

        Or you could store it on your own server and VPN in if you’re allowed to. It’s all pretty flexible.

          • fonix232@fedia.io · 4 up / 2 down · 12 hours ago

          So, absolutely no difference in security compared to having a properly secured self-hosted VaultWarden instance. Gotcha.

            • DigDoug@lemmy.world · 1 up / 3 down · 11 hours ago

            In the niche situation of not being allowed to connect USB drives to the computer you’re using? I guess.

            There’s nothing stopping you from keeping it on an offline device and typing them in manually.

    • Petter1@discuss.tchncs.de · 3 up · 14 hours ago

      And KeePass is perfectly cloud-ready by placing the kdbx file into your cloud storage and syncing using WebDAV or similar.
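Several comments above suggest keeping the encrypted .kdbx on GitHub, Nextcloud, a WebDAV share or a Samba share. What that arrangement rests on is the master password and the key derivation settings baked into the file: anyone who obtains the file can guess the password offline, and the KDF work factor is the only thing slowing that down. The script below is an added example, not code from this thread or from KeePass/KeePassXC. It parses the unencrypted outer header of a KDBX 4 file (the format both KeePass 2.x and KeePassXC write) and flags weak KDF settings before the file is handed to a third party. The sample headers are constructed inline for offline use, and the memory, iteration and round thresholds in `assess_kdf` are this example's own assumptions, not a KeePass recommendation.

```python
# Added example (not code from the thread, KeePass or KeePassXC): read the
# plaintext outer header of a KDBX 4 database and report which KDF protects
# the master password and whether its cost meets a chosen floor. Standard
# library only. The floors in assess_kdf are assumptions for a file you are
# about to sync through a third party, not an official recommendation.
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67        # KeePass 2.x file signatures
HEADER_END, HEADER_KDF_PARAMETERS = 0, 11  # outer header field types used here

# KDF identifiers stored under "$UUID" in the KDF parameter dictionary.
KDF_AES = uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea")
KDF_ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
KDF_ARGON2ID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6")
KDF_NAMES = {KDF_AES: "AES-KDF", KDF_ARGON2D: "Argon2d", KDF_ARGON2ID: "Argon2id"}

# VariantDictionary value type tags -> decoder for the raw little-endian value.
VD_DECODE = {
    0x04: lambda r: struct.unpack("<I", r)[0], 0x05: lambda r: struct.unpack("<Q", r)[0],
    0x08: lambda r: r[0] != 0, 0x0C: lambda r: struct.unpack("<i", r)[0],
    0x0D: lambda r: struct.unpack("<q", r)[0], 0x18: lambda r: r.decode("utf-8"),
    0x42: bytes,
}
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42


def parse_variant_dictionary(buf: bytes) -> dict:
    """u16 version, then (type u8, name i32+bytes, value i32+bytes) entries, 0x00 terminator."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if (version & 0xFF00) != 0x0100:
        raise ValueError(f"unsupported VariantDictionary version {version:#06x}")
    pos, out = 2, {}
    while buf[pos] != 0x00:
        vtype = buf[pos]
        (name_len,) = struct.unpack_from("<i", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + name_len].decode("utf-8")
        pos += 5 + name_len
        (val_len,) = struct.unpack_from("<i", buf, pos)
        raw = buf[pos + 4:pos + 4 + val_len]
        pos += 4 + val_len
        if vtype not in VD_DECODE:
            raise ValueError(f"unknown VariantDictionary type {vtype:#04x}")
        out[name] = VD_DECODE[vtype](raw)
    return out


def read_kdf_parameters(data: bytes) -> dict:
    """Walk sig1, sig2, version, then (type u8, size u32, data) fields until the KDF field."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KeePass 2.x database")
    if version >> 16 != 4:
        raise ValueError("only KDBX 4 stores KDF parameters in a header field")
    pos = 12
    while True:
        ftype, flen = struct.unpack_from("<BI", data, pos)
        fdata = data[pos + 5:pos + 5 + flen]
        pos += 5 + flen
        if ftype == HEADER_KDF_PARAMETERS:
            return parse_variant_dictionary(fdata)
        if ftype == HEADER_END:
            raise ValueError("header ended without a KDF parameter field")


def assess_kdf(params: dict, min_argon2_mib: int = 64, min_argon2_iters: int = 3,
               min_aes_rounds: int = 10_000_000) -> tuple[str, list[str]]:
    """Return (kdf name, findings). Thresholds are this example's assumptions."""
    kdf = KDF_NAMES.get(uuid.UUID(bytes=params["$UUID"]), "unknown")
    findings = []
    if kdf in ("Argon2d", "Argon2id"):
        mib = params["M"] // (1024 * 1024)  # "M" is memory in bytes
        if mib < min_argon2_mib:
            findings.append(f"Argon2 memory {mib} MiB below {min_argon2_mib} MiB")
        if params["I"] < min_argon2_iters:
            findings.append(f"Argon2 iterations {params['I']} below {min_argon2_iters}")
    elif kdf == "AES-KDF":
        findings.append("AES-KDF is not memory-hard; prefer Argon2")
        if params["R"] < min_aes_rounds:
            findings.append(f"AES-KDF rounds {params['R']} below {min_aes_rounds}")
    else:
        findings.append("unknown KDF")
    return kdf, findings


# Constructed sample headers (not real databases) so the check runs offline.
def _vd(vtype: int, name: str, raw: bytes) -> bytes:
    n = name.encode("utf-8")
    return bytes([vtype]) + struct.pack("<i", len(n)) + n + struct.pack("<i", len(raw)) + raw


def build_header(kdf_dict: bytes) -> bytes:
    """Minimal KDBX 4.0 outer header: signatures, version, the KDF field, the end marker."""
    return (struct.pack("<III", SIG1, SIG2, 0x00040000)
            + struct.pack("<BI", HEADER_KDF_PARAMETERS, len(kdf_dict)) + kdf_dict
            + struct.pack("<BI", HEADER_END, 4) + b"\r\n\r\n")


STRONG_ARGON2 = build_header(struct.pack("<H", 0x0100)
    + _vd(VD_BYTES, "$UUID", KDF_ARGON2D.bytes) + _vd(VD_BYTES, "S", bytes(32))
    + _vd(VD_UINT64, "M", struct.pack("<Q", 64 * 1024 * 1024)) + _vd(VD_UINT64, "I", struct.pack("<Q", 3))
    + _vd(VD_UINT32, "P", struct.pack("<I", 2)) + _vd(VD_UINT32, "V", struct.pack("<I", 0x13)) + b"\x00")
WEAK_AES = build_header(struct.pack("<H", 0x0100)
    + _vd(VD_BYTES, "$UUID", KDF_AES.bytes) + _vd(VD_BYTES, "S", bytes(32))
    + _vd(VD_UINT64, "R", struct.pack("<Q", 6000)) + b"\x00")
```

To run it against a real file, pass `open("vault.kdbx", "rb").read()` to `read_kdf_parameters` and then to `assess_kdf`; only the header is parsed, so the database contents are never decrypted. Raise the floors if the file will live somewhere an attacker could plausibly copy it.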