Lately I’ve been increasingly worried about corrupted payloads of even open source password managers. Password managers are among the world’s biggest honeypots. Maybe you trust the coders of the password manager. Maybe it’s Open Source. But do you trust all of its upstream dependencies? And all their CI build processes? And each of their developers’ security?
That’s part of why I won’t use an Electron-based password manager like BitWarden: there’s no Electron app with a minimal dependency graph. Even Electron itself could easily fall victim if someone important in the development pipeline is compromised… And besides, Electron sucks anyway.
So, one way I can mitigate against the possibility of a malicious payload being delivered on password manager update is to not put all my eggs in one basket. For example, where I can, I authenticate with a Yubikey (if only by TOTP on Yubico Authenticator). Then my password isn’t enough. But where do I store the recovery codes? Ugh: in the password manager.
I’ve been thinking on this for a while, and I haven’t really found a perfect solution that provides me a way to store secrets without also being too reliant on one party’s software. If I rely heavily on the password manager, that puts too much trust in it. If I rely more on a hardware token, that’s too risky in case of loss of theft.
What’s a security-aware nerd to do?
Use KeePassXC. Only place passwords that will be needed on a device. Don’t upload to a server that you do not own.
I think if you’re using Keepass/Strongbox, and using e2e iCloud encryption, that’s good enough for most users.
Just have a backup somewhere.
No no no, not Keepass, Strongbox, or iCloud. That isn’t trustworthy.
KeePassXC.
Why?
Why is KeePassXC better than KeePass?
Strongbox, iOS, and iCloud are closed source so using them places all trust blindly with their developers. Third-party audits are impossible. Their privacy policies are all that users have to go on. After Snowden, privacy policies don’t mean much.
Strongbox is Open Source.
You can use it locally, over wifi, whatever.
I viewed their page without JS and missed their GitHub link. That’s good, but I won’t trust Apple until their OS is reproducible from source. The license is also incompatible with the Apple App store.
Really, anything distributed through the Apple App Store isn’t compatible with AGPL. For that matter, it’s not necessarily clear that GPL is compatible with the app store at all.
What do you do for backups?
3-2-1