Password manager and physical security keys


#21

Is the Apple password manager (iPhone / Safari) safer?


#22

I am not an expert but in this blog post the EFF mentions KeePassXC as a possible good password manager.


#23

I have been using Enpass, which has browser plugins as well as a standalone app. It is available for multiple platforms including phones. I would love to have a physical security key for it but not there yet. It does take some time to get used to it but well worth it.


#24

Sure, the tech savvy can examine the code etc. What about the ones who can’t do code? Do we just trust the tech savvy Purism users? Maybe paranoia is taking me over, but how does one make sure about anything or anyone you have never seen face to face? Their word and general understanding of how things build up?


#25

Warning: This may go a bit off-topic.

This argument of “open source” is regularly misunderstood. The core of this argument is really: How does this compare to “closed source”?

The answer is: There is no-one able to verify the proper functioning (at least not easily, not without reverse engineering, sniffing network traffic, etc.) with undisclosed implementation details. On the other hand, with source code publicly accessible (and some transparency in place, e.g. to understand which version of the code corresponds to the binary you’re using) some behavior can easily, seriously easily, be verified – provided some programmer experience. And, provided a sufficiently large audience, there is a certain probability that this happens.

Whether you can or want to trust those people that look at the code is not much different than trusting a lawyer you hire for a lawsuit. How do you understand whether that person is actually acting in your best interest? – The more experience you have in law (and with impertinent human behavior), the better you can. Of course, when you’re a lawyer yourself you may have the easiest position to understand what’s actually happening with your case.

Bottom line: Which of the two choices above do you prefer? I prefer being able to look at the code (and into a bug tracker).


#26

Here are the two mentioned broken down for more info. I was curious after @bittner posted. Hope it helps.


#27

I’m worried to make publicity for a bigger company, but for completeness’ sake: A key called Titan (Tech Crunch) has been released recently. This is about two-factor auth needing to go mainstream, which is okay.

What I don’t like about that big company: Their advertising says, “the software that’s embedded on each key […] protects against tampering”. Aha! So we need to be able to inspect the code to verify that it doesn’t also send data to third parties, such as government agencies.

P.S.: Bad luck big G, there’s already a titanpasswordmanager.org open source project :laughing:


#28

I am not aware of anything that exists now and that wholly satisfies all of your criteria. If you are willing to compromise on some of your criteria, you can get close. I recommend reviewing Wikipedia’s list of password managers and paying special attention to those that are non-proprietary and that support two-factor authentication.