Password Manager Sanity for the Plebian Coder
Then there is KeePass, which had an original version that relied on Mono which is a Microsoft owned company with some patent issues, then there was a cross platform fork, but a quick search on HN history for KeePass has some serious flaws pointed out.
Then I saw there is TOTP and Yubi Key Support, at which point embedded in the comments people who had worked on KeePassXC merges and patches had issues with TOTP, arguing it was only storing TOTP, and furthermore that was a bad idea since then everything would be in one place.
It's not that I expect there to be one answer, or that I want all the answers handed to me, or that I am not willing to put in the work to learn more about this stuff, but honestly without being a crypto professional, full time hobbiest or expert or spending a month doing your own code audits,
Outside of making sure the (open source ones) crypto is implemented correctly,
is there any framework of analysis to go through that the average coding plebian can apply to considering what is safe for PassWord managers? aka any browser extension is unsafe, or if browser extension, these are the main things to rule out.
Is it not safer to write things down on a piece of paper after running your own random password generator offline, and switching those frequently?
Also, I see alot of talk about many new Password managers, but what about Password Safe written by Scheiner? I don't see anything in HN history about Password Safe, but it seems pretty secure.
Is a Yubi key always a good solution? Would it not be safer to have the equivalent of a Yubi key in your own head as your own primary or secondary one password fits all?
I know there are many many debates, and I'm sure they will occur here too, but is there an even slightly reasonable way for someone to navigate choosing a good password manager?
0 comments
[ 17.1 ms ] story [ 1553 ms ] threadNo comments yet.