
#Remembear vs one password plus
I currently use 2 YubiKeys with OTP and 2 YubiKeys plus 2 Solos with FIDO U2F on top of an Authenticator App as backup. Going through gpg just seems too complicated and fragile to me, and has annoying restrictions like not really allowing multiple YubiKeys.

#Remembear vs one password password
> I'm not sure the fingerprint phrase is adequate to mitigate that danger

Yes, this is the MITM I referred to in another post.

> IMO the relevant threat model is more that they can convince / coerce / do it themselves the provider to change the JavaScript that does the client side decryption.

I wish there were something that used (as a second round of encryption) a key residing on a YubiKey to decrypt the password of individual entries, without going through gpg. But I've not had enough time to look much further.

I'm not fully convinced by Bitwarden, especially the 2nd factor integration IMO isn't good enough. I use Bitwarden for a good fraction of my login data, because I don't currently consider this part of my threat model. IMO the relevant threat model is more that they can convince / coerce / do it themselves the provider to change the JavaScript that does the client side decryption. Use a secure enough passphrase etc (and if that's not good enough, they could also just brute force into most of your accounts anyway). If it were just the risk of brute-forcing, I have a hard time believing this to be a real problem.

This is important because it should be part of your risk assessment. We are talking about two governments here: the US government (most password managers are from US companies and are hosted in US clouds) and your own (who can attempt to ask for the data). This is no issue, but I believe you should by default not trust them. If you have a strong password, it will take them longer to brute-force your database.

> With the cloud, you can assume that the government has access to the encrypted database.

If they want to screw me over (including working together with the US government) they can and (since we are part of Nine Eyes) likely will. That is why I prefer to stick to my local government/jurisdiction. If you include the government in your threat assessment they are very likely able to get access to your server (VPS or my example). If that gets compromised by hackers, they have access to private data of mine anyway. Availability is solved by having decent uptime on my cable provider, about 25 Mbit upload. Integrity I solve with offsite backups of the most important data. You might be able to use Let's Encrypt instead. You need to do a CIA threat assessment yourself.

Confidentiality I solve by using WireGuard, hence I don't mind if I use HTTP or HTTPS with a self-signed certificate. It has to be user-friendly enough (which Bitwarden IMO is).
This is a great question which everyone should ask themselves. You can interpret that as me trusting providers but I have no real idea. Personally, I don't really think about it that much so I don't have a good answer. The connection works but isn't always reliable when running non-natively, i.e. under WINE.

As for security, they're all fairly well audited I think? Remembear and 1Password both have external audits they pass, and provide remediation plans for any findings.

No worrying about whether it will work on mobile or if the browser extension is useless without an application.

For example, 1Password X is a standalone extension so you could use it on Linux while Dashlane requires the desktop application running on the host. Pass is the one thing that seems fairly universal I think, and it's all just text files which makes things really nice.
#Remembear vs one password mac
You could put the whole directory tree in a tomb as well, but that extension is only supported on Mac or something. I use a private repo since site names are still metadata.
#Remembear vs one password update
I've used pretty much every password manager under the sun at one point or another. LastPass, 1Password, Bitwarden, Dashlane, Remembear, KeePass(X), and I've finally settled on regular ol' pass. I never really understood how it "syncs" but it's just git! Push and pull to update on every device.
