• Hexarei@programming.dev · 1 year ago (edited)

    I use KeepassXC on desktop and KeepassDX on Android, and I’ll step up to your questions for it, specifically:

    Do they save your passwords locally or in the cloud?

    Locally, as a file. I sync my file to a selfhosted Nextcloud instance so I can use it across devices. Other folks use Syncthing or even less-trustworthy services like Google Drive or Dropbox. The file is encrypted with a password, so as long as you choose a nice long encryption key phrase (such as a long sentence or string of 10-15 random words).

    If locally, what if I want to sign in on another device?

    Do I own that device and trust it? If so, I just get the file from Nextcloud (either via sync or via browser download).

    Do I not own or trust that device? If so, there are still a couple of options. If you’re on Android and rooted, there are various tools that will let you plug your phone into a USB port, pretend it’s a USB keyboard, and auto-type your passwords. There are even some non-root options for having your phone pretend it’s a Bluetooth keyboard to do the same. There are also devices like http://inputstick.com/ that don’t require root.

    Personally, though? I just show the password on my phone and type it out. I rarely ever need to do that kind of thing, so it doesn’t affect me much.

    What if I lose the device I have my passwords on?

    Sync the file, not a problem. Assuming you have your phone set up with a screen lock and device-level encryption.

    What if they hack my device?

    Who is “they”? There’s no “they” to get access with Keepass, so I’m going to assume you just mean “a bad actor”. In that case, if someone gets access to your device, you should assume you’re pwned, and follow your plan for when/if that happens (You do have an “I was pwned” plan, right? right?).

    That said, the encrypted password database remains encrypted at rest on your disk, and thus it’s highly unlikely for someone to gain access to your password database even if they get access to your device. They are much more likely to pilfer browser cookies for access tokens and the like.

    If in the cloud: How can I know the service is not stealing my information?

    Keepass: File is encrypted, good luck to the cloud storage service.

    Others, cloud-based: The “trustworthy” among these cloud services encrypt the file client-side, and only use the server-side as a place to store an encrypted database file and/or for features like sharing passwords (usually by splitting out a copy into a “partial” database and sharing that). I would feel comfortable telling a family member to pay for and use an open-source service like Bitwarden, because that’s what it does. I, however, am more paranoid than that and refuse to use such a service.

    Primarily because they could, at any time, decide to sneak in some kind of backdoor that would ship my passwords to them unencrypted… and no thanks.

    If I can access it anywhere, wouldn’t that mean it also needs a password?

    Of course. That’s why you make your password manager password something super long and memorable for you but hard to guess for others. My current passphrase, for example, is a 19-word description of a memorable event that occurred during a tabletop RPG session, followed by the numerical date of that session. Completely unguessable for others, very easy for me to remember.

    Wouldn’t that make it twice as unsafe as it would only take one password to access the rest?

    Only if your master password is easily guessed or cracked. In most cases, the master password is used as an encryption key, so the longer the better, which is true regardless of whether the file is local or through a cloud service.

    Many (keepass included) also have support for requiring physical 2FA keys, or specific GPG encryption keys or the like. This is, I think, the least of your worries tbh.
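The post above describes the master password being used as an encryption key, optionally combined with a key file or hardware token, and points out that the encrypted file is useless to a cloud provider who only holds the ciphertext. The following is an added illustrative model of that composite-key idea; it is not the commenter's code and not the actual KeePass/KDBX implementation (which has its own header layout and uses Argon2 or AES-KDF). `hashlib.scrypt` stands in for the memory-hard KDF because it is in the Python standard library, and the function names, the `"header-check"` verifier label and the sample factors are all constructed for the example.

```python
"""Illustrative model of a KeePass-style composite master key.

Added example, not KeePass code: the real KDBX format differs in detail
(Argon2/AES-KDF, its own header and integrity scheme). hashlib.scrypt is
used because it ships with Python; the constants are illustrative.
"""
import hashlib
import hmac
import os
from typing import Optional

# Illustrative scrypt work factors (about 16 MiB of memory per derivation).
# A real manager tunes these per database; KeePassXC exposes them as the
# database's KDF settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32
VERIFIER_LABEL = b"header-check"  # hypothetical label for the key check


def composite_key(passphrase: str, key_file: Optional[bytes] = None) -> bytes:
    """Fold every factor the user holds into one 256-bit value.

    Each factor is hashed on its own and the hashes are concatenated, so
    adding a key file changes the result even for an identical passphrase.
    """
    parts = [hashlib.sha256(passphrase.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def transform_key(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite key with a memory-hard KDF and a per-file salt.

    The salt sits in the file header and is public; the cost of each guess
    comes from the KDF work factor, and the number of guesses an attacker
    needs comes from the passphrase's length and randomness.
    """
    return hashlib.scrypt(composite, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=KEY_LEN)


def create_database(passphrase: str, key_file: Optional[bytes] = None) -> dict:
    """Return the public header that a cloud provider or thief would see."""
    salt = os.urandom(32)
    key = transform_key(composite_key(passphrase, key_file), salt)
    # A keyed verifier lets the client reject a wrong key before decrypting
    # anything; without the factors it gives the holder nothing to work with
    # except running the KDF once per guess.
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, passphrase: str,
           key_file: Optional[bytes] = None) -> Optional[bytes]:
    """Re-derive the key from the supplied factors; return None on mismatch."""
    key = transform_key(composite_key(passphrase, key_file), header["salt"])
    expected = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None
    return key


if __name__ == "__main__":
    # Constructed sample factors for the demonstration.
    phrase = "the gnome bard negotiated with the dragon over soup 2023-04-12"
    kf = os.urandom(64)
    hdr = create_database(phrase, kf)
    assert unlock(hdr, phrase, kf) is not None
    assert unlock(hdr, phrase) is None            # key file missing
    assert unlock(hdr, phrase.lower(), kf) is None  # one character off
    print("unlock with both factors: ok; missing or wrong factor: refused")
```

The point the model makes concrete: whoever syncs or steals the `.kdbx`-equivalent gets the salt and the verifier, but every guess at the passphrase costs a full KDF run, and a key file that never leaves the user's devices turns the file into something that cannot be opened from the cloud copy at all.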