Bitcoin Forum
Topic: How reliable are server side password managers?
libert19 (OP)
December 15, 2021, 08:35:50 AM
Merited by DdmrDdmr (2)
 #1

I have used LastPass for several years, most of my info is there and it would be hard to migrate it. How reliable are these pwd managers, especially the ones that store info on their servers?

mocacinno
December 15, 2021, 08:41:06 AM
Merited by DdmrDdmr (4), ABCbits (1)
 #2

Quote
I have used LastPass for several years, most of my info is there and it would be hard to migrate it. How reliable are these pwd managers, especially the ones that store info on their servers?

IIRC, LastPass uses AES-256 encryption, and apparently your key never leaves your local system (the encryption should happen on your system before the encrypted data is sent to LastPass). If this is true, their security model would be reasonably safe...

However, I would NOT use an online password manager for keeping seed phrases or private keys... But that's just my personal opinion... I would never store something that important on a cloud server, no matter how good their scheme is... If somebody gets their hands on your master password, or if your browser is compromised, or if you fall victim to a MITM, or if the encryption scheme is ever broken, your passwords are up for grabs...

Also, this is just LastPass, it does not mean other online password managers are equally safe... And I did not check LastPass's source code, so I'm just believing what they tell me...

ranochigo
December 15, 2021, 08:47:46 AM
Merited by DdmrDdmr (4), libert19 (1)
 #3

If the code for your password manager is open source, you can verify that the data sent to the server is encrypted, and that they don't have your plain-text passwords. That is pretty much it, so it is safe as long as they don't get hacked and you don't use some ridiculously weak master password.

I'd say password managers are secure *enough*. They are competent in ensuring your security, more so than the average user and the risk of a catastrophic failure is low. That being said, it isn't difficult to migrate from LastPass. I don't see the need for a cloud password storage personally, it introduces an additional attack surface even if the convenience outweighs the risks. I'm currently using KeePass and migrating from LastPass was easy and straightforward.


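The client-side encryption model that posts #2 and #3 describe, as an added sketch that is not LastPass's, Bitwarden's or KeePass's actual code: the key is derived from the master password on the device, and only salt, IV, tag and ciphertext are sent to the server. PBKDF2-SHA256, the iteration counts, the record layout and all function names are assumptions of this example.

```javascript
// Added example (Node.js, built-in crypto only); not any vendor's real code.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 600000; // assumed work factor for this sketch
const MIN_ITERATIONS = 100000; // client-side floor: never accept a lower value from the server

// Master password -> 256-bit key. Runs only on the user's device.
function deriveKey(masterPassword, salt, iterations) {
  return crypto.pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
}

// Encrypt the vault locally; the returned record is all the sync server ever stores.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt, KDF_ITERATIONS);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    iterations: KDF_ITERATIONS,
    salt: salt.toString('base64'), iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), ciphertext: body.toString('base64'),
  };
}

// Decrypt a downloaded record; null means wrong password, tampering, or a downgraded KDF.
function openVault(masterPassword, record) {
  if (!(record.iterations >= MIN_ITERATIONS)) return null;
  const key = deriveKey(masterPassword, Buffer.from(record.salt, 'base64'), record.iterations);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  try {
    const body = Buffer.from(record.ciphertext, 'base64');
    return JSON.parse(Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8'));
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// The audit from post #3: does the record bound for the server expose any field in the clear?
function leaksPlaintext(record, entries) {
  const wire = JSON.stringify(record);
  return entries.some((e) => Object.values(e).some((v) => wire.includes(v)));
}

// Constructed sample data.
const sampleEntries = [{ site: 'forum.example', user: 'alice@example.org', password: 'correct-horse-battery' }];
const sampleRecord = sealVault('a long master passphrase', sampleEntries);
console.log(Object.keys(sampleRecord), 'leaks plaintext:', leaksPlaintext(sampleRecord, sampleEntries));
```

A weak master password remains the limit of this design: anyone who obtains the stored record can run the same key derivation offline against guesses.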
BlackHatCoiner
December 15, 2021, 08:48:31 AM
Last edit: December 15, 2021, 09:43:57 AM by BlackHatCoiner
 #4

In my opinion, most are not. LastPass specifically isn't open source, which would be the main discouragement to use it. I highly recommend against using software that uses cryptography and isn't open source.

There have been times when messages got unencrypted due to poor usage of cryptography. The users are forced to trust the programmers; having the source code available for anyone to check, shows a form of dignity across the users.

mocacinno
December 15, 2021, 08:53:38 AM
 #5

Quote
--snip--

I'm currently using KeePass and migrating from LastPass was easy and straightforward.

KeePass +1 :)
I've been using it for a long, long time... It's a well-described format, there are (open source) tools to read a KeePass database for about any OS you can imagine, offering various feature sets (like auto-filling passwords, merging databases, ...).

I tried Trezor's password manager for a while, but I found it a tad bit "clumsy" (for lack of a better word) for everyday use... Plus, at that time, they did require a cloud connection... I have no idea if they improved their password manager, I only tried it out when it first hit the market, and moved straight back to KeePass after a couple of weeks...

I'm actually entertaining the idea of running vault, probably on an rPi or on my NAS... But for the time being, I'm loving KeePass :)

ABCbits
December 15, 2021, 09:15:54 AM
Merited by DdmrDdmr (4)
 #6

According to https://restoreprivacy.com/password-manager/reviews/lastpass/, there are some serious privacy concerns and a past data breach. LastPass collects some user data and is based in the US.

If you really need an online password manager, consider Bitwarden instead, which is open-source and has a better security history. Otherwise, I would recommend KeePassXC instead.

libert19 (OP)
December 15, 2021, 10:07:04 AM
 #7

Quote
That being said, it isn't difficult to migrate from LastPass. I don't see the need for a cloud password storage personally, it introduces an additional attack surface even if the convenience outweighs the risks. I'm currently using KeePass and migrating from LastPass was easy and straightforward.

Aight, I thought one had to migrate in a data-entry way, didn't know export existed.

NeuroticFish
December 15, 2021, 10:25:16 AM
 #8

I use Bitwarden (personal free). Of course, not for seed/private key. And of course, most of those services I keep the passwords for have 2FA which I've clearly enabled.
Bitwarden is also open source, also uses AES-256 end-to-end encryption; I find it a good option. You can also export the passwords ("vault") - encrypted or unencrypted.

https://bitwarden.com
https://github.com/bitwarden

Husires
December 15, 2021, 04:51:17 PM
 #9

Quote
I have used LastPass for several years, most of my info is there and it would be hard to migrate it. How reliable are these pwd managers, especially the ones that store info on their servers?

Using any online tool requires:

  • Being open source: You must make sure that what is claimed about the services provided is true and that no one can see the things you save.
  • Synchronization issues: Synchronizing between multiple devices can allow multiple scammers to access your passwords.
  • Add-on installation: Installing add-ons always gives a loophole that enables many hackers to access your currencies.
  • Copy and paste: Copying and pasting words and always needing to connect to the Internet are all gaps that need someone who understands the basics of online security.

If there was a well-reviewed open source option out there, it might be the best choice.
libert19 (OP)
December 16, 2021, 01:40:50 AM
 #10

Quote
Copy and paste: Copying and pasting words and always needing to connect to the Internet are all gaps that need someone who understands the basics of online security.

I turn off the Internet before copying anything sensitive, is it good enough?

Edit: oh, you mean that while saving passwords the pwd manager needs to be connected to the Internet (at least LastPass). Regarding this, I use an app that blocks Internet access for apps except the ones I allow.

Quote
If there was a well-reviewed open source option out there, it might be the best choice.

Bitwarden and KeePass have been suggested. Leaning towards KeePass more.

SmokerFace
December 27, 2021, 02:20:03 PM
 #11

Well, it totally depends upon the requirements and also one's own satisfaction. In my opinion, you can use any password manager which suits your requirements.
Also, as for my own experience, I had LastPass & Bitwarden. Both were up to the mark as per requirements.
Never faced any issues while using them. Bitwarden was the first one that I used; I have now shifted to LastPass. Highly recommended.
mocacinno
December 30, 2021, 12:19:11 PM
 #12

Maybe relevant to this thread, since it specifically is about lastpass, which was the initial topic of discussion:

https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare

Sure, it was a scare... but if you didn't trust a third party to begin with, there would have been nothing to be scared about :D ... if you keep your passwords on your own device (maybe even offline), there is nobody to send you e-mails, try to send you to a phishing site, databases to be hacked, ...
