Back

@atoponce I know just one password manager which also doubles up as 2FA code generator. It's called pass, and it's a CLI application. It encrypts the data using GPG, and distributes/backs up data using git.

Just added a new key? Well, do "pass git push" to send it over, encrypted, to your git server. Yes, you'll need to do "pass git pull" on the other installs.
I can only complain that adding 2FA keys is somewhat painful.

@dimpase I'm familiar with pass(1). It has a horrible vulnerability in that it leaks all accounts to the filesystem. No modern password manager today does this.

LastPass got heavily criticized for not encrypting URLs in the DB, rightfully so, because it leaks which accounts a user has stored in the DB. They've since fixed it.

Also, PGP can die in a fire. Heh.

@atoponce @dimpase That is not what we call a "vulnerability", rather behaving correctly (not trying to lock the user's own data away from them in hidden storage they can't find, inspect, or backup).

It's arguably a "lack of hardening", but the hardening doesn't belong at this layer. If user needs protection against physical seizure, they use FDE and strong passphrase. If they need protection against malicious local apps, they run those on a different account or in a sandbox.

@dalias @dimpase The vulnerability exposing accounts to the filesystem is closed if the data is not synced across computers and cloud providers. But if the data is synced, such as checked into GitHub or copied to Dropbox, the vulnerability is exposed.

@atoponce @dimpase "Data stored by the application is compromised if you're syncing it to somebody else's computer" is not a vuln in the application.

@dalias @dimpase I disagree. Provided your master password is sufficiently secure, you can sync a KeePass/KeePassXC database safely to 3rd party servers without risk of revealing any information as to the number of accounts they contain, or which accounts are stored.

@atoponce @dimpase This applies to any data. Yes if you encrypt it locally before syncing, only the ciphertext is exposed. But you don't say your photos app has "a vuln exposing your nudes" when you sync to somebody else's computer.

@dalias @dimpase The context is pass(1) however, not data in general. pass(1) reveals which accounts you're protecting, even if the password for each account is encrypted with your PGP keys.

Syncing encrypted pass(1) files to 3rd party cloud providers is a security vulnerability that other password managers does not have.

@dalias @dimpase I guess we will end up agreeing to disagree then.