You don't need to trust them. I use "pass" (https://www.passwordstore.org), a simple CLI password manager that operates using a GPG key you control (which I have on a Yubikey). Then, you can upload the GPG-encrypted password store wherever you want in order to sync up your passwords.
I self-host Vaultwarden[1] on a $6/mo DigitalOcean droplet. It took a while to set up, but I know that I control the data, the backups, and the security.
[1] https://github.com/dani-garcia/vaultwarden
I use https://git-secret.io for this. But it's not user friendly enough to be used for everyday web browsing and account access. I personally use it to store things like root passwords or reset tokens, which I very rarely access.
> I've been having my own methods for safe handling of passwords on the web.
I use a local password manager, KeePass: https://keepass.info/
It's probably the only good middle ground for keeping track of passwords, SSH certificates and other data: a password-protected local database that I can move to USB sticks or SD cards for backups, or keep inside of an encrypted 7z archive, or a VeraCrypt file if I cared that much.
You not only get to have a simple way to use it (it's just a file that's compatible with the software, like SQLite is also really easy to use), but also get to pick where/how you want to store that data in an easy-to-understand manner.
Right now it's great for all of my vaguely relevant access credentials, from numerous e-mail accounts, to online shopping accounts, to even access data for online platforms, hosting solutions, servers etc., with as many separate databases as I choose.
In my eyes, it's also really great for letting you randomly generate secure passwords - I don't know almost any of the non-essential service passwords, and because it's so easy to generate new ones for accounts, I'm not plagued by "password-reuse-itis" either. When coupled with 2FA, it's pretty decent from a security standpoint.
It also has a clearly understandable attack surface - infected password manager binaries, stealing passwords when in memory or malware on the system (like keyloggers, clipboard watchers), someone stealing the database AND the master password, asking me nicely for it with a $5 wrench: https://xkcd.com/538/
For why people use web-based ones which aren't so clearly understood or dependable (your list of risks would be a lot longer with those), I'm not sure. It's probably just convenience.
In addition, plasma-pass, qtpass, android password store (https://github.com/android-password-store/Android-Password-S...) are nice as well. Throw in an NFC Yubikey and OpenKeychain on Android, then you can lock them with hardware keys. Since pass uses git, syncing can be done to a private repo on your home network or even just a cheap USB stick.
Also, there's a firefox extension https://addons.mozilla.org/en-US/firefox/addon/passff/ (on github: https://github.com/passff/passff)
It requires the user to run a daemon that reads ~/.passwordstore passwords and feeds them to the extension https://github.com/passff/passff-host - but the design is pretty transparent to inspection if you're inclined to check.
It's a good idea that I've considered. However, I didn't anticipate the need for this when I originally designed Hashpass in 2014, and adding it now would be a breaking change.
I am still considering it, but there would need to be a very slow, very careful rollout plan. Probably some transition period where users can opt into the new scheme, and then eventually make the new scheme the default but still support the old scheme, and finally remove the old scheme to make things simple again.
Since this is a Chrome extension which collects no information from users, I have no way of contacting users about this. So I would need to wait long enough that users discover it themselves in the UI. All told, I'd guess it would take about a year for the full migration.
Still, it's not unlike me to go to great lengths to remove minor annoyances like this.
Anyone is welcome to discuss things like this with me via GitHub issues: https://github.com/stepchowfun/hashpass
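The phased rollout described in the comment above (opt-in, then new-scheme-by-default with the old scheme still accepted, then old scheme removed) can be modelled as a policy that picks a derivation scheme per site. The following is an added example, not Hashpass's own code: the two derivation functions `derive_v1` and `derive_v2` are constructed stand-ins and do not reproduce Hashpass's real algorithm or whatever the proposed new scheme is; `RolloutPolicy`, `UserSettings`, `migrate_site` and the phase constants are hypothetical names chosen for the illustration.

```python
import base64
import hashlib
from dataclasses import dataclass, field

# Two deterministic site-password derivation schemes. Both are constructed
# stand-ins for illustration and are NOT Hashpass's real algorithm (assumption).


def derive_v1(domain: str, master: str) -> str:
    """Old scheme: one SHA-256 over "domain/master", first 16 base64 characters."""
    digest = hashlib.sha256(f"{domain}/{master}".encode()).digest()
    return base64.b64encode(digest)[:16].decode()


def derive_v2(domain: str, master: str) -> str:
    """New scheme: PBKDF2-HMAC-SHA256 with the domain as salt (stand-in)."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), 100_000)
    return base64.b64encode(key)[:16].decode()


SCHEMES = {1: derive_v1, 2: derive_v2}


@dataclass(frozen=True)
class RolloutPolicy:
    """Which scheme a site gets when the user has not chosen, and which still work."""
    default_scheme: int
    supported: frozenset


# The three phases the comment describes, in order.
PHASE_OPT_IN = RolloutPolicy(default_scheme=1, supported=frozenset({1, 2}))
PHASE_NEW_DEFAULT = RolloutPolicy(default_scheme=2, supported=frozenset({1, 2}))
PHASE_OLD_REMOVED = RolloutPolicy(default_scheme=2, supported=frozenset({2}))


@dataclass
class UserSettings:
    """Per-site scheme choices the user made in the UI; kept locally, never uploaded."""
    per_site: dict = field(default_factory=dict)

    def opt_in(self, domain: str, scheme: int) -> None:
        self.per_site[domain] = scheme


def scheme_for(policy: RolloutPolicy, settings: UserSettings, domain: str) -> int:
    """Explicit per-site choice wins; otherwise the phase's default applies.
    A site still pinned to a scheme the current phase no longer supports is an
    error rather than a silent fallback, so the user is told to migrate."""
    scheme = settings.per_site.get(domain, policy.default_scheme)
    if scheme not in policy.supported:
        raise ValueError(f"scheme v{scheme} for {domain} is no longer supported")
    return scheme


def derive(policy: RolloutPolicy, settings: UserSettings, domain: str, master: str) -> str:
    return SCHEMES[scheme_for(policy, settings, domain)](domain, master)


def migrate_site(policy: RolloutPolicy, settings: UserSettings, domain: str,
                 master: str, new_scheme: int = 2) -> tuple:
    """Return (current, replacement) so the user can change the password on the
    site itself, then pin the site to the new scheme for future derivations."""
    if new_scheme not in policy.supported:
        raise ValueError(f"scheme v{new_scheme} is not available in this phase")
    current = derive(policy, settings, domain, master)
    replacement = SCHEMES[new_scheme](domain, master)
    settings.opt_in(domain, new_scheme)
    return current, replacement


if __name__ == "__main__":
    s = UserSettings()
    old, new = migrate_site(PHASE_OPT_IN, s, "example.com", "correct horse")
    print(f"opt-in phase: change example.com password from {old} to {new}")
    print("after opt-in:", derive(PHASE_OPT_IN, s, "example.com", "correct horse"))
```

The migration is deliberately two-step: a deterministic manager cannot change a site's password for the user, so the new scheme only becomes usable for a site once the user has actually updated it there, and the per-site pin records that this happened.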