I use local for important stuff (financial) and online ones for things that are not to important.
this post was submitted on 17 Feb 2026
243 points (89.6% liked)
Technology
81451 readers
4558 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Many providers promise absolute security
This struck me as wrong, because that would be a technically impossible and liability-inviting thing to promise.
And after checking the homepages of the 3 services they tested, yep, none of them promise “absolute security.”
Would having a synced Keepass database with a composite key protect against this?
When I made my database I created a composite key file that never goes online. I locally copy it to any device that needs to access the database. The idea was even if the password got compromised you can't access the database without the key file
What if you have a house fire and lose all devices with the key
i really wasnt expecting a password manager related tech fearmongering on lemmy today
Don't store your stuff in the cloud unless you don't mind someone else accessing it.
If you store things in the cloud that you don't want other people to access, you better be encrypting it yourself and only opening it locally.
This has been a cardinal rule since day 1.
“We want our work to help bring about change in this industry,” says Paterson. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”
Great.
Now which password vault was the most cooperative and clear in their security communication and which one wasnt?
The author said that they have given the providers time to fix the issues. Now highlight the ones that did it the best.... >_>
They did gove some advice. They said to go with a vendor that is transparent about problems and reveals the results of their third party security audits. I’m sure if you read between the lines it means they likely reviewed several vendors and chose to spend their time attacking ones that are opaque about their security stance and used outdated encryption or bad implementations of E2E encryption. So all three are likely suspect. Like if 1Password were developed similarly to LastPass wouldn’t they have spent time attacking it?
Edit: https://support.1password.com/security-assessments/
1Password are posting the results of their external pen testing now.
About 1password publishing their pentesting results. Why put it behind a 'give me your email address' wall?
That alone is enough for me to instantly disregard them as an option.
Bitwarden did so too.
But IMO your assumption is a bit of interpreting bad/malicious faith into it.
I see it more like they are the more publicly known brands/services that do this and underwent the audit.
I have read the TLDR by the authors (linked a few times in the comments) and the answer by bitwarden.
Bitwarden said the, fixed the issue, are in the progress of doing it or are accepting it as "this is intended/a trade-off".
What is a bit sad is that they had more vulnerabilities than other vendors. But I trust them more as they are mostly OSS.
That's why mine is a physical book.
Really depends on your threat model whether this is a good idea. If cops raiding your home is part of it, a physical book might not be your best bet.
With pretty much every major company being hacked at some point, credit card companies being hacked, everyone selling our details and data, doge and palantir. Feels like post it notes under the keyboard isn’t that bad of an idea.
If someone breaks into my house to read them I have big problems already.
You have no idea how many times I’ve made that exact statement.
Post its have their problems but at least they can’t be read half a globe away
I'm slowly moving over to my own manager, I'm still struggling to get it to all work properly on all my devices though.
I use one of the password managers mentioned in the article, purely for the convenience of apps on all my devices, syncing and complex individual passwords. Should I be looking to move to self hosting something instead? Would my host (likely a synology Nas or raspberry pi) not then have the same risks?
I self host via vault warden. And I have it locked behind tailscale vpn. Aside from your server itself getting hacked, which is a risk, this is more secure than having passwords on the public internet.
I host a pi hole via diet pi already, vault warden is packaged for diet pi already, project for the weekend!
Love the raspis, just make sure the passwords are not stored on the sd card because those fail all the time hah.
Good shout! Easy to mount a folder from my Nas on it though
Security through layers. The flaws found here are about compromised server, so hosting your own server is a good first step. Next step is making the server only accessible via your own VPN. And of course hardening the server.
I believe Proton Pass does not have the design flaws shown in the article. For instance, if you lose your password, you lose your data. Your data is encrypted and decrypted on your device.
This is what all the listed password manager claim.
What was done here was tricking the client through the server to do things. So the fixes went into the client application.
Use a offline password manager. Problem solved.
Solves the security issue. Destroys the accessibility part
Just use Syncthing with your trusted host
I just sync it using my Nextcloud instance. No issues.
Bitwarden with a vaultwarden docker container on my home server. Access over a VPS.
I use an offline password manager, and sync an encrypted database with nextcloud. It's convenient enough, and secure enough for me. Easy to sync between my phone, desktop, and laptop. And I only need to remember two passwords, the nextcloud one, and the manager one. I don't think you can have it more secure and convenient all the same, at least not with current tech.
Many will argue that they need the convenience of an online password manager not knowing that what you stated is the safest form
I pitty the fool that stores anything important on ~~the cloud~~ somebody elses computer.
load more comments
(1 replies)
OMFG can people please fucking go away with this stupid "password managers are worthless" bullshit today. They are exactly as secure as promised, unless you went to the obviously shady ones that use web interfaces. People have been saying this for years, if you want security, keep your password manager offline.
load more comments
(18 replies)
view more: next ›