
Welcome to IWETHEY!

Yikes.
It seems like the sensible thing in cases like this is to use a GPL-based tool. There's no guarantee that there isn't a bug or hole in it somewhere, maybe even in the compiler/libraries, but at least there isn't an explicit conflict in the business model. "Hey, we have important information here - we have them by the g'nads so we can eventually get money out of them!"

(sigh)

I can see the benefit of keeping stuff in the cloud, but it still seems more risky than relying on local DBs.

Cheers,
Scott.
Risk/reward
I need to reliably secure my stuff across different locations and devices - my home PC, my home laptop, my phone, my work PC (where I can install a Chrome extension but not a Windows executable), etc.

Doing that safely and reliably with a homebrew solution is going to end in tears - either I'll end up with a binary blob I can't decrypt, or I'm going to end up spamming my master password somewhere it shouldn't go, or something else similarly inconvenient/catastrophic (delete as applicable) that I haven't foreseen.

Local solutions are local, and that's their strength and their dealbreaking (for me) weakness.

(KeePass has had its problems.)

Yeah, LastPass got busted. I now still trust them (a bit :)) because they have had to respond to that. Do you trust a lock made by a locksmith who's had to learn from their mistakes, or a lock made by a locksmith whose handiwork is untested (whether by luck or judgement)?

Regarding the LastPass fuckup:

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

1. It was a bad bug.
2. It was fixed in one day.
3. All (security) software has bugs. What matters is how the provider responds.

It is naïve to think that an open source solution will be any better. Security is a hard problem that, it seems, the open source approach doesn't help when it comes to real-world implementation. After all, OpenSSL was open source for a long, long time before anyone noticed that it was a complete bag of security bollocks. Stagefright is open source, and that was/is also a bag of security shit.

But all this aside - even a bad (and realistically, they're all at least passable) password manager is better than no password manager.

ETA: Holy crap, the KeePass website is fucking horrible to look at and use. It's like taking a trip back in time to 1998, and not in the good "hey man, let's surf the information superhighway!" way.
Edited by pwhysall Sept. 4, 2016, 04:06:44 PM EDT
