Ask HN: Recommend a secure password manager
6 points by otar on June 17, 2015 | hide | past | favorite | 7 comments
This week alone we've been discussing:

* KeePass – questionable security

https://news.ycombinator.com/item?id=9727297

* LastPass Security Notice

https://news.ycombinator.com/item?id=9721212

I currently use KeePassX, which is synced via my Dropbox, and I also have a key file on my USB.

From your experience, which password manager is a good choice? And what syncing and additional security layers (like key files, YubiKey, ...) could be used to gain maximum protection of the sensitive information?



> From your experience, which password manager is a good choice? And what syncing and additional security layers (like key files, YubiKey, ...) could be used to gain maximum protection of the sensitive information?

Every time someone asks 'which one has the best security', the first question you need to ask is: what's your threat model? Because that will impact what your requirements are. Personally, my threat model includes people physically getting hold of my laptop or phone, people using my computer when I'm not around, keylogging/malware, or websites having their passwords breached. It doesn't include the NSA, nation-state adversaries, or spear-phishing attacks.

This impacts which software I use, how I've set it up, and my use cases.


I don't really see anything wrong with Lastpass. The secrecy of your vault (the encrypted passwords) depends on the strength of your master password. If you have a strong master password, the fact that someone managed to make off with some hashes should not bother you. To use a horrible simile, it's like when you have a bank vault filled with a lot of valuable stuff and three doors. Someone tried to rob it, put a dent in the first door, but couldn't get through them. Some people are flipping out that the door got banged on, but I don't really understand that because the door is still doing exactly what it was designed to do.

Maybe there's something I'm missing here, but I don't really see the trouble right now.
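The comment above argues that a leaked vault or hash only matters if the master password is weak. The following is an added example, not code from any poster or from LastPass, that makes that argument concrete: it derives a vault key with PBKDF2-HMAC-SHA256 (the iteration count and salt are constructed assumptions), measures how fast one CPU core can make guesses at that cost, and estimates the expected offline cracking time for a few master-password shapes.

```python
import hashlib
import math
import time

# Constructed assumption: a 100k-iteration PBKDF2-HMAC-SHA256 vault key.
# Real managers use their own KDFs and parameters; this figure only makes
# the arithmetic concrete.
DEFAULT_ITERATIONS = 100_000


def pbkdf2_vault_key(master_password: str, salt: bytes,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password (hypothetical scheme)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def measure_guess_rate(iterations: int = DEFAULT_ITERATIONS, samples: int = 3) -> float:
    """Guesses per second one CPU core achieves against this KDF cost."""
    salt = b"constructed-salt"          # constructed; a real salt is random per vault
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected offline guessing time: on average half the keyspace is searched."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"one core: {rate:,.1f} guesses/s at {DEFAULT_ITERATIONS} iterations")
    # Constructed password shapes: 8 lowercase letters, 12 mixed chars,
    # 6 random words from a 7776-word list (diceware-style).
    shapes = {"8 lowercase": (26, 8), "12 mixed": (94, 12), "6 diceware words": (7776, 6)}
    for name, (alphabet, length) in shapes.items():
        bits = password_entropy_bits(alphabet, length)
        years = seconds_to_years(expected_crack_seconds(bits, rate))
        # Also show a constructed 10,000x faster attacker (GPU cluster).
        fast = seconds_to_years(expected_crack_seconds(bits, rate * 10_000))
        print(f"{name:18s} {bits:5.1f} bits  1 core: {years:.3g} y  10k cores: {fast:.3g} y")
```

The point the comment makes shows up in the last column: with a short master password the KDF cost only delays the attacker, while a long random one keeps the leaked hash useless even against a much faster attacker.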


Password Safe? http://pwsafe.org/ Originally designed by Bruce Schneier: https://www.schneier.com/passsafe.html

I have found it to be good enough for me but then I only use it on one Windows desktop with occasional syncing to a laptop.


Links to related threads:

* KeePass – questionable security

https://news.ycombinator.com/item?id=9727297

* LastPass Security Notice

https://news.ycombinator.com/item?id=9721212


The first one is KeePass2.

KeePassX is still good. https://github.com/keepassx/keepassx



What are your platform (OS/device) use requirements?



