this post was submitted on 05 Jul 2023
1522 points (98.5% liked)

Android

27947 readers
197 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

!android@lemmy.ml


founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] Ad4mWayn3@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (3 children)

I'm probably an ignorant paranoid about them, I know I should google a bit of them, but instead I'm going for the ol' trusty ask the community.

Do they save your passwords locally or in the cloud? If locally, what if I want to sign in in another device? What if I lose the device I have my passwords on? What if they hack my device? If in the cloud: How can I know the service is not stealing my information? If I can access it anywhere, wouldn't that mean it also needs a password? Wouldn't that make it twice as unsafe as it would only take one password to access the rest?

Edit: Damn, I got extremely useful answers, I'm starting to like lemmy!

[–] Hexarei@programming.dev 3 points 1 year ago* (last edited 1 year ago)

I use KeepassXC on desktop and KeepassDX on Android, and I'll step up to your questions for it, specifically:

Do they save your passwords locally or in the cloud?

Locally, as a file. I sync my file to a selfhosted Nextcloud instance so I can use it across devices. Other folks use Syncthing or even less-trustworthy services like Google Drive or Dropbox. The file is encrypted with a password, so as long as you choose a nice long encryption key phrase (Such as a long sentence or string of 10-15 random words).

If locally, what if I want to sign in on another device?

Do I own that device and trust it? If so, I just get the file from Nextcloud (either via sync or via browser download).

Do I not own that device and trust it? If so, still a couple of options. If you're on Android and rooted, there are various tools that will let you plug your phone into a USB port, pretend it's a USB keyboard, and auto-type your passwords. Even some non-root options for having your phone pretend it's a bluetooth keyboard to do the same. There's also devices like http://inputstick.com/ that don't require root.

Personally, though? I just show the password on my phone and type it out. I rarely ever need to do that kind of thing, so it doesn't affect me much.

What if I lose the device I have my passwords on?

Sync the file, not a problem. Assuming you have your phone setup with a screen lock and device-level encryption.

What if they hack my device?

Who is "they"? There's no "they" to get access with Keepass, so I'm going to assume you just mean "a bad actor". In that case, if someone gets access to your device, you should assume you're pwned, and follow your plan for when/if that happens (You do have an "I was pwned" plan, right? right?).

That said, the encrypted password database remains encrypted at rest on your disk - And thus it's highly unlikely for someone to gain access to your password database even if they get access to your device. They are much likely to pilfer browser cookies for access tokens and the like.

If in the cloud: How can I know the service is not stealing my information?

Keepass: File is encrypted, good luck to the cloud storage service.

Others, cloud-based: The "trustworthy" among these cloud services encrypt the file client-side, and only use the server-side as a place to store an encrypted database file and/or for features like sharing passwords (usually by splitting out a copy into a "partial" database and sharing that). I would feel comfortable telling a family member to pay for and use an open-source service like Bitwarden, because that's what it does. I, however, am more paranoid than that and refuse to use such a service.

Primarily because they could, at any time, decide to sneak in some kind of backdoor that would ship my passwords to them unencrypted... and no thanks.

If I can access it anywhere, wouldn’t that mean it also needs a password?

Of course. That's why you make your password manager password something super long and memorable for you but hard to guess for others. My current passphrase, for example, is a 19-word description of a memorable event that occurred during a tabletop RPG session, followed by the numerical date of that session. Completely unguessable for others, very easy for me to remember.

Wouldn’t that make it twice as unsafe as it would only take one password to access the rest?

Only if your master password is easily guessed or cracked. In most cases, the master password is used as an encryption key, so the longer the better - Which is true regardless of whether the file is local or through a cloud service.

Many (keepass included) also have support for requiring physical 2FA keys, or specific GPG encryption keys or the like. This is, I think, the least of your worries tbh.

[–] Schooner@lemmy.ml 2 points 1 year ago
  1. There are managers that will store them on their servers and others that are local.
  2. You can sync it through something like Google drive/Nextcloud.
  3. You should back up your password vault.
  4. Your device may be compromised, but your vault is still encrypted. Really depends on what kind of hack it is.
  5. You don't really unless they're an open source one like Bitwarden.
  6. Yes. Instead of remembering a lot of passwords, you remember the master password to your vault
  7. No. Because randomly generated passwords gated behind one secure password you remember is better than reusing the same/variations of one password.

You can try Bitwarden if you want a hosted solution that's easy to use. Or, use KeePassXC and compatible mobile apps while syncing it through a cloud service. I do the latter.

[–] AniDanny@lemmy.world 2 points 1 year ago

I've only used BitWarden, so this may not be a universal answer, but... you do access your password vault with a single password. Make sure it's complex but memorable. "WayneCommaAdam42069LOL!" for instance. Nobody's going to brute force that, but you'll also be able to remember it. Then once you're past that, you'll have a list of each login you save (each entry can include website, username, password, personal notes, etc). You can randomly generate a password, so that (for example) your lemmy.world password generates as "L812#zksKa01S@ks" and you can just copy/paste from your vault into the login page without having to remember that string of characters.

As for how BitWarden secures your passwords, since they're available to view after you get past the initial login... I've got no idea but a lot of people seem to vouch for it, so if BitWarden (or the other big trusted equivalents) gets compromised, we're all in a lot of trouble.

And of course, each site you log into will still have its own password recovery, 2FA, etc options. So even if something happens to BitWarden and you can't log into your bank account, you can still call up your bank and get your password reset.