Again? At this point, I would think the only people willing to use them are the people who don't keep up with this kind of news, which is a lot of people I guess.
I remember an early LastPass vulnerability exploiting a bug in URL regex parsing behavior of the LastPass browser extension. IIRC it basically gave RCE to any website in the browser extension context. That exploit is the reason I don’t use a browser extension for my password manager (which isn’t LastPass).
The tradeoff is basically copy/paste from password manager, vs input directly from browser extension. IMO, copy/paste clearly exposes the smaller attack surface, because it exposes max one password through the clipboard buffer (assuming no further chaining of exploits to escape extension or browser sandboxes). Whereas a browser extension must interface with the vault, which exposes potentially multiple passwords to compromise by methods only possible when the extension is installed.
(Incidentally, this logic might also explain the popular hesitancy of 1Password users to ~~upgrade~~ migrate to an electron version of the app.)
I want to pay for it to increase the probability people can work on it in a sustainable way focussing on my interests at least to some extent. I also want a fully managed product working on the devices I use.
I am not sure since I didn't look for another product for a long time now. Is there something that provides the above while still being open source?
True, it definitely has the best autofill of the popular options, but in my experience, Bitwarden is 90% there.
Personally, I‘d rather use something open source that feels less like a lock-in in the long term over those remaining 10%, but both are definitely great options.
Them being proprietary means they can invest in marketing and UX and QA.
That's how you get a company of 500 employees to buy your product that "just works" in all browsers, operating systems and mobile devices over a free one that needs every single user to fiddle with a custom solution.
Spending $5 per user and month is way way way cheaper than wasting 1h of an employee's time even once.
I'd do a password manager and a VPN provider. Then spend a ton of money on ads on podcasts and youtube videos (which is odd since neither VPN hosting nor password managers make enough money to pay for that many ads).
They'd probably all have a similar catchy name. Maybe one that implies that it's from a foreign country known for having more consumer protections but is actually based 10 minutes outside of Langley Virginia.
World‘s most popular password manager? That‘s kind of disheartening, given both their user experience and track record security-wise…
Then again, I‘d been using them for many years myself until quite recently, mostly due to not knowing that much better free alternatives exist by now:
For all around functionality/quality, I‘d still go with 1password; for a free (as in beer and speech) option and/or if you value self hosting, I can recommend Bitwarden.
Ah, so it's basically the "sync an encrypted database file" model that 1password used to use until their recent migration to their own cloud service?
I used to use that as well, but I've since come around to the idea of having a sync server that is a bit more than just a file relay. It complicates the security model a bit, but it allows using browser extension only clients (without needing to give them access to my file syncing account), rate limiting, 2FA, a higher chance of being able to rotate the passphrase without leaving copies of the old database hanging around everywhere, password sharing and much more.
35 comments
[ 4.0 ms ] story [ 82.7 ms ] threadThe tradeoff is basically copy/paste from password manager, vs input directly from browser extension. IMO, copy/paste clearly exposes the smaller attack surface, because it exposes max one password through the clipboard buffer (assuming no further chaining of exploits to escape extension or browser sandboxes). Whereas a browser extension must interface with the vault, which exposes potentially multiple passwords to compromise by methods only possible when the extension is installed.
(Incidentally, this logic might also explain the popular hesitancy of 1Password users to ~~upgrade~~ migrate to an electron version of the app.)
I am not sure since I didn't look for another product for a long time now. Is there something that provides the above while still being open source?
Personally, I‘d rather use something open source that feels less like a lock-in in the long term over those remaining 10%, but both are definitely great options.
That's how you get a company of 500 employees to buy your product that "just works" in all browsers, operating systems and mobile devices over a free one that needs every single user to fiddle with a custom solution.
Spending $5 per user and month is way way way cheaper than wasting 1h of an employee's time even once.
They'd probably all have a similar catchy name. Maybe one that implies that it's from a foreign country known for having more consumer protections but is actually based 10 minutes outside of Langley Virginia.
Oh wait...
Then again, I‘d been using them for many years myself until quite recently, mostly due to not knowing that much better free alternatives exist by now:
For all around functionality/quality, I‘d still go with 1password; for a free (as in beer and speech) option and/or if you value self hosting, I can recommend Bitwarden.
I used to use that as well, but I've since come around to the idea of having a sync server that is a bit more than just a file relay. It complicates the security model a bit, but it allows using browser extension only clients (without needing to give them access to my file syncing account), rate limiting, 2FA, a higher chance of being able to rotate the passphrase without leaving copies of the old database hanging around everywhere, password sharing and much more.
In my view, it's worth the tradeoff.
I don't follow the advice, and instead choose pass(1) with Yubikey touch-to-decrypt. Being offline, this removes a large attack surface.
If I need to log into something on my phone, I have to be near my desktop.
I'd be happy to sync my passwords via git-over-ssh-over-wireguard if the need arose.
They might as well just shut down at this point, I can't imagine anyone but the uninformed would want to use them at this point.