Why I'm on #TeamKeePassUltras
Photo by Paula: https://www.pexels.com/photo/grey-metal-lockers-is-open-170453/
Recently I got into a discussion about cloud password managers like LastPass, 1Password and the like. People argued that they are great because they offer flexibility, synchronisation, and let users automatically choose secure passwords. And while I concurred with these arguments, I still took the position of the opposite side.
I am strongly against any form of online/cloud/managed password managers where I (or an entity I trust) don't control everything in a transparent way. Why?
First let me make what I call "the conspiracy theory argument": it's the least important argument for me, but it is suited just right for paving the way to my main arguments. Most companies are US based. National security letters are a fact. And companies like Lavabit and, presumably, the open-source drive/file encryption project TrueCrypt had their fair share of experience with them. The US, and especially the NSA, have shown that they have no sane moral limits on what type of data they access, accumulate, and analyse. Would they stop at companies offering password managers? I don't think so. Others take the stance: "Why should they send an NSL to LastPass, if they can access the data they are after directly through other means?" But enough on that point.
My main argument is the following: "If I can't trust them, why should I use them?" A cloud password manager is a black box. I put my credentials in, hit save, and that's it. What happens in the background? Is the stored data secure? Are the algorithms used still considered secure? Are there really no unencrypted backup copies? What does their security concept look like? Are the servers patched regularly? Would I be told to regenerate my passwords in case the password-generation algorithm had a flaw and was, for example, tied to the system's date and time (wired.com)? I can't know.
Just search for the name of your cloud password provider and add the lovely word "breach". There have already been dozens of them across the online password managers out there, despite people, ironically, choosing or recommending them as "more secure".
But more secure in comparison to what?
You don't have to use an online/cloud password manager. A locally installed password manager like KeePass works the same way.
"But it doesn't synchronize automatically with all my devices!" - Ah, so it's comfort you are after? Yeah, well, that is the common trade-off you have to choose: comfort or security. However, did you know KeePass has a built-in sync which lets you synchronize two KeePass database files? I use that and it works fine.
Or I just copy the file over from my Linux workstation onto my smartphone when I know that I haven't added any new entry on my smartphone. There are enough tools that allow accessing Windows/NFS/whatever file shares from smartphones, even via SSH using SCP.
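The manual copy above relies on remembering that nothing changed on the phone since the last copy; if you forget, the phone's edits are silently overwritten. The following added example (not part of the original post or of KeePass) shows a small guard for that: it records the hash of the destination copy after every push and refuses the next push if the destination has changed in the meantime. The directory names and the "phone" path are constructed for the demo; in real use the destination would be reached through scp, sshfs or a mounted file share. It does not merge; when both sides changed, KeePass's own synchronize function is the tool to use.

```shell
#!/bin/sh
# Added example: refuse to overwrite a KeePass database copy that was
# modified on the other device since the last push.
# Paths below are constructed for the demo; "phone.kdbx" stands in for
# a file reachable via scp, sshfs or a file share.

set -u

# Print the SHA-256 of a file; portable across GNU sha256sum and BSD shasum.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# safe_push SRC DST STATEFILE
# Copies SRC over DST only if DST still matches the hash recorded in
# STATEFILE at the previous push (or if there is no previous state yet).
# Returns 0 on success, 1 if DST was changed elsewhere or the copy failed.
safe_push() {
    src=$1; dst=$2; state=$3
    if [ -f "$dst" ] && [ -f "$state" ]; then
        if [ "$(file_hash "$dst")" != "$(cat "$state")" ]; then
            echo "refusing: $dst changed since last sync, merge with KeePass first" >&2
            return 1
        fi
    fi
    cp "$src" "$dst" || return 1
    # Remember what the destination looked like right after this push.
    file_hash "$dst" > "$state"
    return 0
}

# Stand-alone demo with constructed files (no real database involved).
demo_dir=$(mktemp -d)
printf 'database v1' > "$demo_dir/local.kdbx"
if safe_push "$demo_dir/local.kdbx" "$demo_dir/phone.kdbx" "$demo_dir/.last_sync"; then
    echo "first push: ok"
fi
printf 'edited on phone' > "$demo_dir/phone.kdbx"   # simulate a change on the phone
printf 'database v2' > "$demo_dir/local.kdbx"
if safe_push "$demo_dir/local.kdbx" "$demo_dir/phone.kdbx" "$demo_dir/.last_sync"; then
    echo "second push: ok"
else
    echo "second push: blocked, phone copy kept"
fi
rm -rf "$demo_dir"
```

The state file lives next to the local database; it only holds a hash, never any secret. The check is deliberately one-directional: it protects the remote copy from being clobbered, which is the failure mode of a plain `cp` or `scp`, and leaves merging to KeePass.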
Additionally, online password managers with sync features that allow you to host your own instance do exist! Take for example Bitwarden: https://bitwarden.com/help/install-on-premise-linux/
This would give you the security of hosting it yourself and the automatic sync feature so many people desire. If it is not made accessible from the internet but only reachable within your local network, you can still sync your smartphone without exposing your crucial application to the biggest security risk in human history: the internet.
Sure, not everybody has the knowledge to self-host such an application. That's a fair point which Jürgen Geuter aka tante made years ago in his piece "Host your own is cynical". But that's exactly the reason why I'm writing this blog post about me and my viewpoint. I have the knowledge, and I constantly observe broken promises by the very companies who made them. And yet I still use KeePass, as I like the simplicity.
That's why I'm on #TeamKeePassUltras. An open-source application available for all operating systems out there. A simple file, a key, a passphrase, and that's it.