
I run a small Pi-based server and installed a self-hosted version of Bitwarden on it. I found the extension didn't auto fill all my sites, plus an unsupported mistrust of using my browser with passwords that way. I used the browser extension in Firefox for a while then de-installed it. The first and only password manager I've used is Bitwarden, primarily from SN's endorsement. KeePass is just too geeky for them, and a password manager - no matter how secure - is of little use if they avoid using it. I trust KeePass for myself, but recommend Bitwarden for friends and family. But that also makes it less convenient to use. OTOH, that's where the offline nature of KeePass might be more secure - with no online component and nothing in the cloud and no integration with your browser. And with LP's "musical chairs" ownership of late, I'd consider Bitwarden to be the more trustworthy, between those two. There's an element of trust there, but it's a question of how much you trust the extension, not an issue with the security of the vault. What guarantees do we have that a new owner won't secretly change the browser extension so that when you unlock your vault, the vault's contents aren't leaked by the extension? Or what guarantees do we have that a browser flaw won't cause the extension to spill its secrets? The contents are unlocked on your computer, not in the cloud. But therein lies the rub - and your point with regard to changing ownership is well taken. If done right, neither LP nor Bitwarden have access to the contents of your vault. I believe LP and Bitwarden have both done the vault part right, and I have no delusions KeePass' vault code is any better, so I don't consider one better than the others in that regard. If done right, the fact your vault may be in the cloud shouldn't be inherently riskier than an offline vault kept on a USB stick.

I believe Steve was impressed with the code behind LP's vault when he got a chance to privately review it, but the security of your master password can be a different matter. If you used a good master password, or if you changed it after notice of a breach, you were okay.

The issues were with the stewardship of your master password, stored in LP's cloud, not with the "blob" that is your vault. If you mean LastPass, I don't believe the "issues" were ever related to the security of your password vault.
