top | item 26313607


hackerman_fi | 5 years ago

Still wondering how it became the general consensus that password managers are secure. I wouldn't store my passwords in any online system.


pornel|5 years ago

For the average user they are. They allow humans to use long passwords without reuse. They're resistant to phishing. Online sync is necessary for multiple devices.

It's just LastPass that's uniquely bad. I don't understand how they are still in business. Their security track record is a series of embarrassments. Their UX is poor. Their browser extensions slow down the whole browser. And apparently their privacy is also suspicious.

But OTOH Firefox Lockwise/Sync is client-side encrypted, and the server just holds an opaque data blob for you.

toyg|5 years ago

> I don't understand how they are still in business.

For products this critical, that handle a relatively large amount of per-user data, inertia is massive. Once you get used to it, the thought of moving tens or hundreds of items to another service is daunting, for the average nontechnical user. (Yes, I know it's just "export this, import that", but for nontechies even the first step can be scary - "what is this thing I get? Am I deleting stuff? Where do I save it? Is this the right format? ..." etc etc). They had a couple of wobbles, "so what? Everyone gets hacked, even Facebook".

I've moved to Bitwarden years ago but I know I'm niche.

jve|5 years ago

> I don't understand how they are still in business.

Dunno. UX was okay, it was easy to use. They were very responsive to fix security bugs (you can't blame having a security bug, but you can if they ignore it. Otherwise you should start by ditching your favourite OS)

Former Lastpass user.

simias|5 years ago

>But OTOH Firefox Lockwise/Sync is client-side encrypted, and the server just holds an opaque data blob for you.

Back when I used lastpass that's also how they handled it (you can read through their open source command line client to see how it's implemented under the hood, it's fairly straightforward).

I agree that its UI was pretty clunky though.

sverhagen|5 years ago

Come on, security isn't black or white, or absolute. I understand that my password manager may be flawed, but it sure was a huge upgrade from doing much simpler passwords, with my cat's birthday in them, and +01, +02, +03 to make them "unique" between accounts. That sure made me feel vulnerable and insecure. (And I do not really have a cat.)

ramraj07|5 years ago

Driving on a highway isn't secure, but only Japanese manga characters avoid leaving their town because of it. You pick your battles.

I just never save my core Google password and bank passwords in a password manager, and am willing to risk the vanishing possibility that my password manager might be evil or dumb. Also I am fairly aware of my deal with the devil with regards to having Google manage most of my online information.

gruez|5 years ago

Your threat model doesn't really make sense either. If your password manager is evil, you're probably screwed anyways because on non-sandboxed platforms (ie. windows, linux, maybe mac), there's basically zero security between applications so there are a variety of ways it can get your google/bank passwords. As for the "dumb" bit, that can almost be entirely mitigated by using a password manager that doesn't have network functionality.

Closi|5 years ago

Because you can architect them to be provably secure via E2E encryption. See how 1Password deals with this for reference.

dingaling|5 years ago

You can architect it so, but the implementation is what counts.

No program which knows your master password and which has network access can ever be considered secure.

ghego1|5 years ago

Dropbox Passwords, although it still leaves something to be desired, looks very secure.

From what I have understood they store on their servers only an encrypted version of the passwords data. The encryption key is randomly generated from 12 words, that are not saved on their servers. Each new client that you want to connect to Dropbox Passwords must be authorized by an existing client. I believe that it is at that time that the key is shared with the new client (if approved).

Is there someone here from Dropbox that could confirm this?

As per security, IMO this is currently the best compromise between security and usability.
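The "client-side encrypted, server only holds an opaque blob" model that pornel, Closi and ghego1 describe above, as an added example that is not part of the thread and not code from LastPass, Firefox Sync, 1Password or Dropbox Passwords. It assumes a hypothetical `OpaqueBlobServer`, a master secret that stands in for a passphrase or a set of recovery words, PBKDF2-HMAC-SHA256 for key stretching, and an illustrative encrypt-then-MAC construction built from HMAC-SHA256 so that it runs on the standard library alone (a real vault would use an AEAD such as AES-GCM or XChaCha20-Poly1305). The point it shows is the one dingaling raises: nothing the server stores lets it recover the passwords, and a wrong master secret or a modified blob is rejected before any decryption happens.

```python
import hashlib
import hmac
import json
import secrets

# Constructed parameters for this illustration; not any vendor's real settings.
KDF_ITERATIONS = 600_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_secret: str, salt: bytes) -> bytes:
    """Stretch the master secret (passphrase or recovery words) into a 256-bit
    key with PBKDF2-HMAC-SHA256. Only the salt is ever uploaded; the key and
    the secret stay on the client."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def _subkeys(vault_key: bytes):
    # Separate keys for confidentiality and integrity, derived with HMAC.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode. Illustrative construction only;
    # a production vault would use an AEAD such as AES-GCM or XChaCha20-Poly1305.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               "sha256").digest())
    return b"".join(blocks)[:length]


def seal_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault on the client. Layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def open_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or a modified blob fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong master secret or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def open_fails(vault_key: bytes, blob: bytes) -> bool:
    """True if the blob is rejected (used to check the failure paths)."""
    try:
        open_vault(vault_key, blob)
        return False
    except ValueError:
        return True


class OpaqueBlobServer:
    """Hypothetical sync server constructed for this example: it stores a salt
    and a blob per user and holds nothing that can decrypt the blob."""

    def __init__(self):
        self.store = {}

    def upload(self, user: str, salt: bytes, blob: bytes) -> None:
        self.store[user] = (salt, blob)

    def download(self, user: str):
        return self.store[user]


def sync_roundtrip(master_secret: str, entries: dict,
                   server: OpaqueBlobServer, user: str = "alice") -> dict:
    """Client A seals and uploads; client B, knowing the same master secret,
    downloads and opens. Neither the secret nor the key crosses the wire."""
    salt = secrets.token_bytes(16)
    server.upload(user, salt, seal_vault(derive_vault_key(master_secret, salt), entries))
    salt_b, blob_b = server.download(user)
    return open_vault(derive_vault_key(master_secret, salt_b), blob_b)


def server_sees_plaintext(server: OpaqueBlobServer, user: str, secret_value: str) -> bool:
    """What a curious operator could read: does the stored blob contain the secret?"""
    _salt, blob = server.store[user]
    return secret_value.encode("utf-8") in blob
```

The decision that matters for the threat model in this thread is where `derive_vault_key` runs: on the client, with only the salt leaving the device. Anything that moves that call to the server, or that uploads the master secret "for convenience", turns the opaque blob back into data the operator (or whoever breaches the operator) can open.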

Igelau|5 years ago

I think of passwords in 3 tiers:

1) the Netflix tier where my wife and in-laws are going to be sending it around insecurely and I don't really care what happens

2) the Random Bullshit tier where I really can't be bothered to remember another password

3) the Google and Financial tier where it's going to be a nightmare if it's compromised

The largest set is (2), and having a password manager for this one is extremely useful. I've tried prefix and mnemonic systems, but it can be a real hassle if it turns out you need to only use it a couple times a year and have to adapt for dumb character and length requirements. Having a manager for (1) is great too since I'm probably using it on multiple devices.

I don't put passwords from (3) anywhere and their knowledge will die with me.

karamanolev|5 years ago

Isn't the general consensus that nothing is secure, you just have different levels of difficulty to break in?

In that sense, they're just more secure than using a single simple password across multiple (potentially all) your logins. Or at least that's the goal...

matheusmoreira|5 years ago

They aren't completely secure but even the browser password managers enable good practices like having 64 random printable character passwords that are unique for every site. They're also resistant to phishing.
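The "64 random printable character passwords, unique for every site" practice matheusmoreira mentions, together with the "dumb character and length requirements" Igelau describes, as an added example that is not part of the thread and not the code of any browser or password manager. It assumes a constructed symbol set and a simple policy model (exact length plus required character classes), and draws from the OS CSPRNG via `secrets`.

```python
import math
import secrets
import string

# Character classes a typical site policy talks about. The symbol set is a
# constructed choice for this example; adjust it to what a given site accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def meets_policy(password: str, length: int, required: tuple) -> bool:
    """True if the password has exactly `length` characters and at least one
    character from every required class."""
    return len(password) == length and all(
        any(ch in CLASSES[cls] for ch in password) for cls in required)


def generate_password(length: int = 64,
                      required=("lower", "upper", "digit", "symbol"),
                      allowed=None) -> str:
    """Generate a password that satisfies a site's composition rule.

    `allowed` restricts the alphabet (e.g. a site that forbids symbols);
    by default it is the union of the required classes."""
    if allowed is None:
        allowed = "".join(CLASSES[cls] for cls in required)
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    for cls in required:
        if not set(CLASSES[cls]) & set(allowed):
            raise ValueError(f"required class {cls!r} has no allowed characters")
    # Rejection sampling: draw uniformly from the allowed alphabet and retry
    # until the composition rule holds. This keeps the distribution uniform
    # over all policy-compliant strings, unlike "pick one of each class, then
    # fill the rest and shuffle", which skews it toward the forced characters.
    while True:
        candidate = "".join(secrets.choice(allowed) for _ in range(length))
        if meets_policy(candidate, length, required):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly drawn string; the composition rule
    rejects a negligible fraction of candidates at these lengths."""
    return length * math.log2(alphabet_size)
```

With the default alphabet of 87 characters a 64-character password carries roughly 412 bits, far beyond any online or offline guessing budget, which is why per-site uniqueness (limiting the blast radius of one breach) matters more than squeezing out extra length. A site that only accepts, say, a 16-digit numeric code is handled by passing `required=("digit",)` and `allowed=string.digits`, and the same rejection loop still yields a uniformly random code.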