I worry a lot about password managers on mobile. Such as:
* if an app has a single developer (KeePassium? Strongbox?), how much money would it take them to add a back door? 1M USD? 10M USD? Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?
* if an app has a small number of engineers with commit access (Bitwarden? 1Password?), could any one of them be compromised by money or threats?
* Would password managers from Google/Apple/Microsoft fare better because they already face these risks and have controls? Or maybe not?
Does that not apply to anything in life? How difficult is it to get code into any open-source software package or distribution, really? I work in high-security environments, and I'm always wondering how you can really guarantee that any Debian, Ubuntu or Arch developer is honest and not compromised themselves, that any software package installed is 100% clean, and that any software library module and container image is fully checked. And that's not getting into tinfoil-hat assumptions about a shady government agency having access to the major app stores, GitHub, common distributions or email hosters.
There simply is no way anymore to check the several million lines of code even a minimal setup requires somewhere in the stack. Even an in-depth code review of a medium sized web application – with deps – has already become a gargantuan task most companies simply can't afford.
> Or maybe not?
This.
It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.
But adding backdoors and vulns: yes, totally possible on whatever products that person is assigned to. There is review fatigue, the same way there is fatigue in a lot of processes.
> It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.
There are lots of examples at almost all of the Fortune 500. Because they do not sneak in as just some random employee.
Cisco is very well known for backdoors in their equipment.
Adding a backdoor is not the difficult part, leaving no trace is. People don't know who you are on GitHub, but it's easy for top-name companies to track who created the backdoor in great detail. Actually, the power of tracing the real person is one of the best defenses.
> Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?
The more I think about it, the better I understand TrueCrypt's sudden demise.
yes, it's my biggest worry too.
At least with KeePassDX on Android there is no internet access permission needed by default, but if a compromised update suddenly required it I don't know if Android would prompt about it, since all apps have internet access granted without prompting :(
I also wish it was possible to block automatic updates of specific apps on the Play Store... So at least we could be in control over updating critical apps such as these without having to micromanage updates for all apps.
On GrapheneOS there is a prompt when installing an app that asks if you would like to grant network access. I am not sure if that pop up displays if network access is added later in an app update though.
I'm pretty sure I got prompted once or twice before updating to an app with new permissions added.
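The KeePassDX point above (an update can add the INTERNET permission and Android will not ask, because it is a normal-level permission granted at install time) can be turned into a pre-install check. The script below is an added example, not code from any of the apps named in this thread: it takes the text that `aapt dump permissions old.apk` and `aapt dump permissions new.apk` print, reports the permissions the new build adds or drops, and marks the added ones that Android grants without a prompt. The two inputs embedded in it are constructed in that format for a hypothetical `org.example.passwordmanager` package; the `AUTO_GRANTED` set is a partial list of normal-level permissions, not the full platform table.

```python
"""Flag permissions a new APK build adds relative to the installed one.

Added example, not part of the original thread. Input is the text that
`aapt dump permissions <apk>` prints; the two samples below are
constructed by hand in that format for a hypothetical package.
"""
import re
import subprocess

# Normal-level permissions: Android grants these at install with no user
# prompt, so a new one appearing in an update is exactly the silent change
# the thread worries about. Partial list; extend from the platform docs.
AUTO_GRANTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.USE_BIOMETRIC",
}

# `uses-permission: name='...'` (and the -sdk-23 variant) is the aapt format.
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'")


def parse_permissions(aapt_output: str) -> set[str]:
    """Extract the permission names from `aapt dump permissions` output."""
    perms = set()
    for line in aapt_output.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def diff_permissions(old_output: str, new_output: str) -> dict:
    """Compare two builds; 'silent' lists added permissions nobody is asked about."""
    old, new = parse_permissions(old_output), parse_permissions(new_output)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "silent": sorted(p for p in added if p in AUTO_GRANTED),
    }


def dump_permissions(apk_path: str) -> str:
    """Run aapt on a real APK (needs aapt on PATH; not used by the demo below)."""
    return subprocess.run(
        ["aapt", "dump", "permissions", apk_path],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed samples: the installed build and the update being offered.
OLD_BUILD = """\
package: org.example.passwordmanager
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.USE_BIOMETRIC'
"""

NEW_BUILD = """\
package: org.example.passwordmanager
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.USE_BIOMETRIC'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

if __name__ == "__main__":
    report = diff_permissions(OLD_BUILD, NEW_BUILD)
    for perm in report["added"]:
        tag = "SILENT (no prompt)" if perm in report["silent"] else "prompted"
        print(f"+ {perm}  [{tag}]")
    for perm in report["removed"]:
        print(f"- {perm}")
    if report["silent"]:
        print("refusing to install: update adds auto-granted permissions")
```

Run both builds through aapt before accepting the update, or wire `dump_permissions` into whatever fetches APKs for sideloading; an offline password manager that suddenly wants INTERNET is worth a look at the changelog and the diff before it gets installed.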
> add a back door?
What's your threat model here? Some kind of mass hacking attempt? It would be easier to attack the service providers, rather than steal legitimate logins.
A targeted attack on a specific person? It would be easier to, as the famous XKCD suggests, drug and/or hit them with a wrench until they voluntarily hand over whatever information you want.
It's difficult to conceive of a situation where hacking password managers is the path of least resistance.
The idea is to sell the dump, this is the case for nearly every dataset you see reported on Have I Been Pwned. I'm not really sure how there is even any question about oh why would anyone do this?
Isn’t it the same threat model as the LastPass breach? Login credentials seem to be worth money, and crypto keys even more.
The comment was referring to Keepassium and Strongbox, which do not store credentials on their servers so it's not exactly the same. While conceivably a compromised Keepass wrapper could decrypt and send the dump of each and every file it opens, I doubt it would pass unnoticed.
I'm really confused. How do you think that would work with an open-source password manager like pass / password-store.org?
- The data is stored in Git at a location of your choosing and security level
- The data encryption is provided by GnuPG using your personal key
This is why I use it, there's no potential for anyone to add a back door, except me.
BitWarden, LastPass, etc etc... you have a point, and I would not trust these companies one iota.
Apple, Google etc...uhm... not in a million years.
pass clients can totally be backdoored. They decrypt the secret to plain text and add it to your clipboard or whatever... could easily shuttle it off somewhere else at that point.
You build it from source if you have concerns, so no, it can't "totally be backdoored".
I would tend to trust Apple more as they define attack vectors and mitigations in their platform security guide. Also they have a holistic approach to this from hardware through to software, not just an app tacked crudely onto whatever APIs were lying around.
I would NOT trust Microsoft though. I've had enough problems with Authenticator and so have other users in our org that I refuse to put data near it. Not concerned so much about other people getting access to it but me losing my data.
In the past two days, the official Syncthing Android client has been discontinued, making the use of KeePass harder. Bitwarden has been trying to move away from a fully FOSS system. And now this?
A fork of Syncthing had been in development and released for a while though, so use of KeePass isn't really getting harder unless this developer also pulls the plug. https://f-droid.org/en/packages/com.github.catfriend1.syncth...
I've been using KeePass for quite a number of years now. I have my database and a security key. I sync my database with Dropbox (because I am too lazy to self-host something like Nextcloud) between devices and just manually copy my key on every device. My key was never synced through the internet.
I hope that's secure enough and works fine for me. I guess syncthing is just smaller and obviously doesn't need a third party?
At least the Play Store version has: https://github.com/syncthing/syncthing-android/issues/2064 But isn't https://f-droid.org/en/packages/com.nutomic.syncthingandroid... still being kept up-to-date?
I switched to F-Droid at least; remember to back up your config before uninstalling the Play Store version.
It's discontinued, period (https://github.com/syncthing/syncthing-android/issues/2064#i...). The fork seems to be fine currently though.
> Bitwarden has been trying to move away from a fully FOSS system
Details?
https://news.ycombinator.com/item?id=41893994
FWIW I've recently moved to sharing my kpdb using Taildrive. The KeePass Android app can open databases from WebDAV.
For iOS, Keepassium can use WebDAV as well.
> Bitwarden has been trying to move away from a fully FOSS system
Again, as Harvey Dent said it…
Turns out living the FOSS dream is kind of hard.
Why? The app can still be built / installed / source forked etc.
That is the FOSS dream.
Tbh the same struggle affects proprietary software.
It is more about individual developers/small teams versus large companies.
You have financial gain to show when proprietary software ends. When FOSS ends, you just have the experience. That’s fine for some, know what you’re getting into.
The license doesn't have anything to do with the financial gain. There are plenty of proprietary freeware and OSS devs who sell their apps on the playstore.
Indeed, but it's more acute when people don't give anything back, and hobbies don't last forever.
it's not FOSS or not. Basically, who owns it or who pays for it. People have interest and people need earnings to live. Business is business.
The reason is the idea of a free operating system and software has been shattered and is now a guest in big corporations and Github.
It still kind of works but it is starting to crack in a few places.
“pass” in this context refers to a GPG-encrypted file based password manager: https://www.passwordstore.org/ https://en.wikipedia.org/wiki/Pass_(software) https://wiki.archlinux.org/title/Pass.
“pass” itself can be used in many contexts, but is primarily a desktop command-line tool. “Password Store” is the Android client for it.
Shameless plug: A few months ago I wrote a blog post [1] about integrating PasswordStore + GnuPG + TouchID on MacBook, and used that to automate my work VPN (Cisco AnyConnect) auto-connection [2], hence avoiding the need to interact with a very bad UI that is AnyConnect.
Hopefully others find it useful.
[1]: https://gurjeet.singh.im/blog/passwordstore+gnupg+touchid
[2]: https://gurjeet.singh.im/blog/cisco-anyconnect-vpn-automatio...
This seems to happen more and more often, or at least it feels that way to me. FLOSS projects that aren't highly critical but very useful are maintained by only one person who loses interest, burns out or simply has other priorities. Sometimes they don't even make an announcement like here and just ghost the project. Very sad, even though understandable.
A lot of FOSS projects are started by young people, often students. At some point, life hits, with spouses and children and real jobs demanding lots of time. Slowly people burn out, and most of the time, other people want to scratch their own itch and don't necessarily continue what already exists.
I guess password managers are relatively simple at the core but have to fulfil very different requirements so there isn't one obvious piece of software that everybody can focus on. See also bike-shedding vs building a nuclear reactor.
A better philosophy on how to herd cats would be useful in the FOSS world, though. It's a formidable force, but terribly scattered.
It happens also to proprietary apps maintained by individual developers / small teams. At least in this case an open source project is easier to fork even if the original dev becomes unresponsive/unreachable.
https://github.com/android-password-store/Android-Password-S...
For a useful discussion
This is actually a better outcome than finding out one day that the app has a serious security problem.
While I like `pass` and that Android app looked really good, this is just not serious.
Because the fact that most people will end up trusting a random app as their password manager because it has 2k stars on GitHub is crazy.
If you want to use `pass` on Android you should tinker something with Termux.
I actually SSH into my desktop PC and use pass there to access my secrets.
Luckily, I only need to do this occasionally, so the inconvenience is bearable. Still waiting on the day where I randomly get logged out of an important app while not having internet access, or the power going out in my apartment right after I leave for two weeks (happened once, luckily didn't need my passwords then).
The point of `pass` is to offload the security aspect to gpg, so unless something goes wrong with that, I don't believe continued use, even if unmaintained, is very insecure.
The Android app will by necessity receive the decrypted passwords from GPG to display and copy them to the clipboard. It could do whatever else it wants with them.
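For the `pass` design discussed above (each entry is a GnuPG-encrypted file in a git tree, with a `.gpg-id` file naming the key or keys entries are encrypted to), here is an added example in Python, not code from passwordstore.org or from the Android client, of what any client has to do to show one entry. It resolves the entry name to its `.gpg` file, finds the `.gpg-id` that applies (pass lets a subdirectory carry its own, overriding the store root), and runs `gpg --decrypt`. The demo store it builds is constructed in a temporary directory with empty placeholder files and an assumed key id `alice@example.org`, so the lookup functions run offline; `show()` needs gpg on PATH and a real store. The last function makes the point of the comment above concrete: the plaintext comes back into the client process, and gpg has no say in what happens to it after that.

```python
"""How a pass client finds and decrypts an entry.

Added example, not code from passwordstore.org or from the Android app.
Store layout mirrors pass: <store>/<name>.gpg files, with a .gpg-id file
in the store root (optionally overridden in a subdirectory) naming the
GnuPG key ids the entries are encrypted to.
"""
import subprocess
import tempfile
from pathlib import Path


def entry_path(store: Path, name: str) -> Path:
    """Map an entry name like 'work/vpn' to its encrypted file, refusing
    names that would resolve outside the store root."""
    p = (store / f"{name}.gpg").resolve()
    if store.resolve() not in p.parents:
        raise ValueError(f"entry escapes the store: {name!r}")
    return p


def gpg_ids_for(store: Path, name: str) -> list[str]:
    """Walk from the entry's directory up to the store root and return the
    key ids from the nearest .gpg-id, as pass does (per-directory keys)."""
    d = entry_path(store, name).parent
    root = store.resolve()
    while True:
        f = d / ".gpg-id"
        if f.is_file():
            return [ln.strip() for ln in f.read_text().splitlines() if ln.strip()]
        if d == root:
            raise FileNotFoundError("no .gpg-id found; store not initialised")
        d = d.parent


def show(store: Path, name: str) -> str:
    """Equivalent of `pass show <name>`: gpg decrypts, and the plaintext is
    handed back to this process. Printing it, putting it on the clipboard or
    sending it anywhere else is this code's decision, not gpg's; that is the
    trust boundary a client app sits on."""
    out = subprocess.run(
        ["gpg", "--quiet", "--batch", "--decrypt", str(entry_path(store, name))],
        check=True, capture_output=True,
    )
    return out.stdout.decode()


def build_demo_store() -> Path:
    """Constructed store layout (empty placeholder files, no real
    ciphertext) so the lookup logic can be exercised without gpg."""
    store = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (store / ".gpg-id").write_text("alice@example.org\n")  # assumed key id
    (store / "work").mkdir()
    # A subdirectory with its own .gpg-id: entries under work/ are also
    # encrypted to a second (assumed) team key.
    (store / "work" / ".gpg-id").write_text("alice@example.org\nteam-key@example.org\n")
    for name in ("email/personal", "work/vpn"):
        p = store / f"{name}.gpg"
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")  # a real store holds `gpg -e` output here
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for name in ("email/personal", "work/vpn"):
        print(f"{name}: file={entry_path(store, name)} keys={gpg_ids_for(store, name)}")
    # On a real store: print(show(Path.home() / ".password-store", "work/vpn"))
```

Point `show()` at `~/.password-store` (or `$PASSWORD_STORE_DIR`) and an existing entry and it behaves like `pass show`; everything before the `gpg` call is plain file lookup, which is why auditing a pass client is mostly about auditing what it does with the string `show()` returns.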
I think termux has some limitations here (due to missing libraries), namely gpg decryption via hardware keys.
Dang, this is rough. Pass is imo still the best password manager if you set it up right.
Hopefully someone picks this up.
This is such a great application.
I feel like it's complete already and would be happy if it just continued to exist without much or any maintenance.
Consumer software in the current environment can probably only live a few years at most (if you count security in, probably months) without maintenance. The author's decision to pull it from the Play Store is very sensible and should be appreciated.
There is always need for maintenance on Android.
That maintenance can be relatively minimal if you aren't distributing the app through the Play Store. Like once per n Android releases.
Password Store sounds like a cool Unixy idea, but it's quite janky in my experience, especially if non-desktop-Unix systems are involved. The Android app was fine; it integrated with a GPG app that was less fine.
That's saddening. APS used to be my daily driver once, and later I moved to Bitwarden.
I use `pass` and am sad about this. This whole password thing, by far, is not a solved problem in my book. But thank you for your contributions!