• 0 Posts
  • 4 Comments
Joined 1 year ago
cake
Cake day: July 30th, 2023

help-circle


  • In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.

    It’s the same issue once you login to your vault via browser extension. They have to download your vault locally on login to decrypt it when you enter your password anyway*. Even if they don’t store your vault password in memory, they either store the entire vault (unlikely for size reasons) or a more temporary key to access the vault. Local compromise is full compromise already.

    *If they don’t, then they either made a giant technological leap, or they’re storing your passwords on a simple database on their servers and that’s not what you want from a password manager.


  • Yup, I have been using KeePassXC locally since (one of) the first big LastPass breaches. I thought “password manager company… they know encryption” and then kept some of the most important things stored in my vault including notes of Bitcoin seedphrases etc. Thought "even if they get hacked, they wouldn’t let anyone exfil the huge amount of data from the USER VAULT SERVER… thought “my passphrase is like 25-30 chars long, nobody will crack that”…

    5 years after my last login and I find out the breach happened, user vaults were exfil’d, the encryption was absolute shit, and the notes weren’t even encrypted.

    I don’t trust cloud companies to keep promises or know what they’re doing today. and anything self-hosted isnt Internet accessable unless it’s on dedicated hardware subnetted off and wouldn’t matter if it got hacked.