Objective: Secure & private password management, prevent anyone from stealing your passwords.
Option 1: Store KeePass PW file in a personal cloud service like OneDrive/GoogleDrive/etc., download the file, use KeePassXC to open it
Option 2: Use ProtonPass or similar solution like Bitwarden
Option 3: Host a solution like Vaultwarden
Which would you choose? Are there more options? Assume a strong master password and strong technical skills.
I never understood how storing your password in an unified storage is better than just remembering it yourself
Because humans are generally unable to remember passwords varied enough to be secure.
Please be satire! 😐
I’ve been happy with Keeper
Same. Zero knowledge is good enough for me tho I may eat them words.
Realistically, I only see 3 risks using Keeper: my device has malware which lets them grab my passwords from my clipboard as I copy them, malware that lets them take control of my device after I’ve unlocked my password manager, or if the cloud storage is completely wiped out in some freak accident.
1 and 2 are risks for anyone using any password manager. And 3 is extremely unlikely since they use AWS for storage with multi-zone and multi-region redundancy, and certainly much more reliable than self hosting.
The risk of actually having your passwords cracked, even if the cloud data is leaked, is practically 0 as long as you have a decent complexity and length master password and 2FA enabled. And the risk is just as low with a MITM attack or other network based interceptors because of the ZK architecture (as you mentioned) and high encryption used.
Anyone promoting other password managers as more secure either aren’t considering the risks to data loss due to self hosting or are buying too much into their password manager’s marketing. I think it’s totally reasonable to prefer other options due to feature support or subscription price though. A couple of features that Keeper had that made me choose it were:
- Ability to create Records which allows me to store anything including files. This allows me to upload sensitive records like tax returns or other documents you’d traditionally keep in a safe or filing cabinet.
- Family plan that makes it easy for me to share passwords with people on my plan (great for things like streaming services). This brought the price to a reasonable level.
There might be other password managers now that support these features, as I haven’t kept up with them. I subscribed to Keeper about 6 years ago and haven’t had a reason to switch. I’m open to suggestions if people know of other managers with better features.
Option 2, because once you start thinking about the ways your stuff could be stolen (“threat modelling”) you’ll see that realistically it’s the easiest option.
KeePass file in my own Nextcloud instances, synced to my phone so I can also use Keepass2Android. This way if something happens I at least have another copy of it, beyond my backup system.
That’s actually exactly how I have my setup. I just use Syncthing to keep everything dynamically backed up as I add passwords. My main login password is memorized and not written down anywhere so I think I’m good.
I do the same, but synced to Dropbox from computers and phone.
I have the Proton password manager as well but not sure yet if I’ll do a full swap over.
I do 3 and have encrypted backups to Dropbox so I can easy restore/spin up a cloud server if I need to
Yep but use Microsoft.
To improve security of option 1 you could use a keyfile, that is either only transferred manually to devices or stored at a second cloud provider.
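As an added example (not code from the thread, KeePass or KeePassXC), the script below shows why a key file kept off the cloud that holds the .kdbx file helps: the database key is derived from a composite of the master password and the key file, so the synced file alone is not enough to unlock it. The composite-key rule follows KeePass's published scheme (SHA-256 over the concatenated SHA-256 of the password and the key-file component); the slow key transformation uses PBKDF2-HMAC-SHA256 from the standard library as an assumed stand-in for the Argon2/AES-KDF step real KDBX files use, and the vault dictionary, its key-check tag and DEMO_KEYFILE are constructed for the demo.

```python
"""Composite-key demo: master password + key file for a KeePass-style vault.

Added illustration, not KeePass code. The composite-key construction follows
KeePass's documented rule; PBKDF2 stands in for the real KDF (assumption),
and only a key-check tag is modelled, not the encrypted entry payload.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed key file for the demo. A real one would be os.urandom(32),
# created once and copied to devices by hand or via a second provider.
DEMO_KEYFILE = bytes(range(32))

KEY_CHECK_LABEL = b"demo-key-check"  # constructed label for the check tag


def keyfile_component(data: bytes) -> bytes:
    """Reduce raw key-file bytes to the 32-byte component KeePass uses.

    KeePass rules for non-XML key files: a 32-byte file is used as-is, a
    64-character hex file is decoded, anything else is hashed with SHA-256.
    XML key files (the KeePass 2.x default) are not handled in this demo.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text; fall through to hashing
    return hashlib.sha256(data).digest()


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated components, in KeePass order."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_component(keyfile)
    return hashlib.sha256(parts).digest()


def transform_key(composite: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow key transformation; stand-in for Argon2id / AES-KDF (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations)


def seal_vault(password: str, keyfile: Optional[bytes]) -> dict:
    """Build the data that would live in the cloud-synced file.

    Only a random salt and an HMAC key-check tag are stored; neither reveals
    the password, the key file or the derived key.
    """
    salt = os.urandom(32)
    key = transform_key(composite_key(password, keyfile), salt)
    tag = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "key_check": tag}


def unlocks(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """True only when both the password and the key file match."""
    key = transform_key(composite_key(password, keyfile), vault["salt"])
    candidate = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, vault["key_check"])


def demo() -> dict:
    """Show what an attacker holding only the synced file can and cannot do."""
    master = "correct horse battery staple"  # constructed master password
    vault = seal_vault(master, DEMO_KEYFILE)
    return {
        "password_and_keyfile": unlocks(vault, master, DEMO_KEYFILE),
        "password_only": unlocks(vault, master, None),
        "keyfile_wrong_password": unlocks(vault, "letmein", DEMO_KEYFILE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'unlocked' if ok else 'refused'}")
```

The point of the separation is visible in `unlocks`: with the key file on a second provider (or copied by hand), a leak of the cloud-synced file leaves the attacker missing one of the two composite-key inputs, on top of the slow KDF they would otherwise have to grind through.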
Option 2 would be your best bet. Great balance between security and convenience. Bitwarden is my go-to because afaik it stores every detail encrypted (unlike mainstream PWs) and when you open your vault, the database gets transferred to your PC and is decrypted locally. It’s essentially the same as option 1, just 1000x more convenient.
I’d only self-host Vaultwarden if you want Bitwarden’s premium features; if you don’t, then you’re maintaining a service which you wouldn’t really need. Not to mention if you self-host on a machine on your network, you have to deal with exposing that machine to the internet, not really worth it imo.
Option 4: leverage existing tools such as gpg and git using something like pass. That way, you are keeping things simple, but it requires more technical knowledge. Depending on your threat model, you may want to invest in a hardware security key such as a YubiKey, which works well with both gpg and ssh.
Why use tools not meant for password management, when alternative tools explicitly meant for password management, which have similar levels of security, work just fine?
You’re essentially saying “instead of driving down the road, I like to ride my bike with rollerblades.”
I have a setup like this (age, passage, & git). Bitwarden’s browser integration works just fine, for the most part. The thing is, some of my passwords are not browser-based, and I spend large amounts of time in the terminal. Using a CLI tool in this case lets me save a bit of time.
Bitwarden has a cli tool which I find pretty useful. Together with jq you can even pipe the password or store it to a variable.
Ah I didn’t know that! Thanks, will be checking it out for sure
It is just how I prefer to do my computing. I tend to live on the command line and pipe programs together to get complex behavior. If you don’t like that, then my approach is not for you and that’s fine. As for your analogy, I see it more as “instead of driving down the road in a car, I like to put my own car together using prefabs”.
Been using option 3 but with Bitwarden for almost 5 years at this point. First started out on a VM in a cloud provider. Now it’s in a VM on unraid behind a local HAProxy or Cloudflare tunnel for remote access.
Bitwarden’s full Docker stack provides great daily backups which I’ve had to restore on occasion or go back to one from months ago to dig out a password for my wife.
Been testing and hoping to move to the unified-container from them soon, assuming I can replicate encrypted backups like their solution.
I used option 1 (KeePass synced to Google Drive) for years. It’s nice that you know you have control of your passwords at all times, and as long as you can access your cloud storage account and can download a KeePass app, you can get your passwords. It works reasonably well most of the time, but I was consistently running into edge cases that weren’t as smooth as I’d have liked (mostly apps on Android).
I switched to Vaultwarden (option 3), and immediately fell in love with things mostly just working. However, since I was hosting it out of my house, I had a bit of a disaster recovery problem. If I had, say, a fire, I could easily lose all copies of my vault, which would be… suboptimal.
After reviewing the options, I switched to straight Bitwarden. I’ve been happy with the experience, and once I have disposable income, I plan to get pro long enough to have emergency contacts available so my family can still get important passwords in case of the worst.
All options have their pros and cons, but IMO password storage is something that deserves to be given proper consideration.
I’d never store my passwords in the cloud.
I did option 1 for a number of years but now I’m doing option 3 off a Proxmox container and some cloud scripted backup. So far so good.
We just started doing option 3 at work and just keep it behind the firewall. It is going well so far.
I use option 1 with Syncthing for a distributed cloud solution.
Same, works like a charm!
Ditto, but with Resilio Sync.
I’ve used Option 1 with my Nextcloud and it works perfectly. Other options seem more appropriate when you need scale, many users each with their own vault.
Stupid me, didn’t even remember using Nextcloud instead of commercial clouds. I like it.
Option 1, with manual copying to mobile. I tried Syncthing in the past but had problems with corrupted files.