Back

@atoponce I know just one password manager which also doubles up as 2FA code generator. It's called pass, and it's a CLI application. It encrypts the data using GPG, and distributes/backs up data using git.

Just added a new key? Well, do "pass git push" to send it over, encrypted, to your git server. Yes, you'll need to do "pass git pull" on the other installs.
I can only complain that adding 2FA keys is somewhat painful.

@dimpase I'm familiar with pass(1). It has a horrible vulnerability in that it leaks all accounts to the filesystem. No modern password manager today does this.

LastPass got heavily criticized for not encrypting URLs in the DB, rightfully so, because it leaks which accounts a user has stored in the DB. They've since fixed it.

Also, PGP can die in a fire. Heh.

@atoponce @dimpase That is not what we call a "vulnerability", rather behaving correctly (not trying to lock the user's own data away from them in hidden storage they can't find, inspect, or backup).

It's arguably a "lack of hardening", but the hardening doesn't belong at this layer. If user needs protection against physical seizure, they use FDE and strong passphrase. If they need protection against malicious local apps, they run those on a different account or in a sandbox.

@dalias @dimpase The vulnerability exposing accounts to the filesystem is closed if the data is not synced across computers and cloud providers. But if the data is synced, such as checked into GitHub or copied to Dropbox, the vulnerability is exposed.

@atoponce @dimpase "Data stored by the application is compromised if you're syncing it to somebody else's computer" is not a vuln in the application.

@dalias @dimpase I disagree. Provided your master password is sufficiently secure, you can sync a KeePass/KeePassXC database safely to 3rd party servers without risk of revealing any information as to the number of accounts they contain, or which accounts are stored.

@dalias @dimpase The context is pass(1) however, not data in general. pass(1) reveals which accounts you're protecting, even if the password for each account is encrypted with your PGP keys.

Syncing encrypted pass(1) files to 3rd party cloud providers is a security vulnerability that other password managers does not have.

@atoponce @dimpase I'm pushing back strongly on calling this a "vulnerability". "Your private data is exposed if you sync it to somebody else's computer" is the default expected outcome. You can say "Y has stronger confidentiality properties than X because it has built-in encryption of the secret store", but this does not imply "X has a vulnerability". "Vulnerability" means something does not honor the documented or expected access controls or similar.

@dalias @dimpase I guess we will end up agreeing to disagree then.

@dimpase @dalias I didn't call it grave.

@atoponce @dalias you called it horrible

@dimpase @dalias It is horrible. No password manager should be doing this. But it's not leading to the compromise of each account ("grave"), just leaking what they are ("bad", "horrible", "not good").

@atoponce @dimpase What I find really weird is the notion that passwords for 3p services you have accounts on are more private/sensitive (need an application layer level of encryption) than personal data files (which generally have no such protection built-in).

@dalias @dimpase I agree. What I don't understand why you would choose to leak metadata unnecessarily when stronger alternatives exist.

@atoponce @dimpase You don't leak any metadata unless you're leaking your own private files to a third party (for example by using some awful non-e2ee someone-else's-computer storage service). And in that case, names of sites you have accounts on are the least of your compromise.

@dalias @dimpase We've now come full circle. If you choose to keep the pass(1) data local, there is no exposure. If you choose to sync it to the cloud (someone else's computer), there is.

@dimpase @dalias kpcli(1) is a handy little Perl script for managing KeePass databases. It's still actively developed. I used it extensively before migrating my passwords to Bitwarden.

https://kpcli.sourceforge.io/

There is also keepassxc-cli(1) for KeePassXC.

https://github.com/keepassxreboot/keepassxc/blob/develop/docs/man/keepassxc-cli.1.adoc

I would recommend those if you want to stick with local/non-cloud password management. Otherwise, 1Password has a sweet CLI utility also.

https://developer.1password.com/docs/cli/get-started/

Unfortunately, BItwarden's CLI is not user-friendly.