There have been too many data breaches from cloud-based services to trust another one. I have a Proton account for email and online storage, but I won’t use their password service because it’s cloud based.
Lastpass leaked their password database in 2022, and bad actors are still using it to access peoples files, stealing passwords and hundreds of thousands of dollars in crypto.
DON’T trust anything important to cloud-based storage or services. Use Keepass. Use Syncthing if you need to keep the database on multiple devices.
(I see other comments using Dropbox. Dropbox = cloud. Don’t store anything security related in the cloud.)
So was LastPass. But when they’re source code leaked, turned out their encryption method was crappy. Just because something is encrypted doesn’t mean that it’s safe.
The key is that proton pass and bit warden and keypass are open source and have all passed independent security audits.
You could totally talk about E2EE if the client was SA/Electron. If the blob is just getting transferred and stored and the passphrase is never transferred, that’s E2EE.
Come to think of it, if they throw in extra keys when you make your blob, it’s still E2EE, even if they have a key for it. Perhaps we need to think differently about E2EE being then end all.
I know I can probably google this. But where are the passwords from Keepass stored? Or what makes it harder to hack?
I still use 1Password because the subscription is still running and I was planning to switch to Proton Pass once that is over. I know 1Password is harder to crack due to their 2nd master key password (or whatever they call it)
Keepass just uses a (local) file, but it expects and can handle if the file is modified externally. That’s important because it means you can store it on a network share, or in some sort of synchronized storage, self hosted or not (next cloud, sync thing, Google drive, whatever). It’s just up to you. If you have it open on your PC and you add an entry on your phone, your PC won’t “overwrite” it, but integrates any changes you’re making there at the same time.
For example the android client has direct support for a long list on storage services for this exact reason.
There have been too many data breaches from cloud-based services to trust another one. I have a Proton account for email and online storage, but I won’t use their password service because it’s cloud based.
https://blog.lastpass.com/posts/notice-of-recent-security-incident
Lastpass leaked their password database in 2022, and bad actors are still using it to access peoples files, stealing passwords and hundreds of thousands of dollars in crypto.
DON’T trust anything important to cloud-based storage or services. Use Keepass. Use Syncthing if you need to keep the database on multiple devices.
(I see other comments using Dropbox. Dropbox = cloud. Don’t store anything security related in the cloud.)
Isn’t protonpass E2EE?
So was LastPass. But when they’re source code leaked, turned out their encryption method was crappy. Just because something is encrypted doesn’t mean that it’s safe.
The key is that proton pass and bit warden and keypass are open source and have all passed independent security audits.
You can’t talk about E2EE on a closed source client.
What is this fight club? /s
You could totally talk about E2EE if the client was SA/Electron. If the blob is just getting transferred and stored and the passphrase is never transferred, that’s E2EE.
Come to think of it, if they throw in extra keys when you make your blob, it’s still E2EE, even if they have a key for it. Perhaps we need to think differently about E2EE being then end all.
lol I’ll just mute this convo
I know I can probably google this. But where are the passwords from Keepass stored? Or what makes it harder to hack?
I still use 1Password because the subscription is still running and I was planning to switch to Proton Pass once that is over. I know 1Password is harder to crack due to their 2nd master key password (or whatever they call it)
Keepass just uses a (local) file, but it expects and can handle if the file is modified externally. That’s important because it means you can store it on a network share, or in some sort of synchronized storage, self hosted or not (next cloud, sync thing, Google drive, whatever). It’s just up to you. If you have it open on your PC and you add an entry on your phone, your PC won’t “overwrite” it, but integrates any changes you’re making there at the same time.
For example the android client has direct support for a long list on storage services for this exact reason.
They are are stored encrypted on your computer if I’m not mistaken