UnOrdinary

Which threat model is good enough to store Passwords?

Really, any threat model is as a password manager is advised. Remembering multiple complex passwords is more difficult than one good complex, yet, easy to recall password. If you try to manage it all manually, the higher the chance your passwords will end up with a pattern -- or worse, simple.

Which Password management we need to use?

This is up to you, based on your own threat model and personal preference as both KeePass and Bitwarden are highly recommended password managers.

    KeePassDX is fine for me. Just remember a password should be the first step, next a TOTP 2FA as a minimum, FIDO2 as maximum.

    Bitwarden is really nice... Except some things like change password or enable FIDO thing can only be done on the website... 🙀 Not good. Keepass it is for evalda

    General threat question. If your using GOS, exec spawn on, sandboxed play services, fully verified Audit, keyboard doesn't have any network permissions, and a centuries strong pass phrase for keepassdx what benefit does fido2 or 2fa provide?

      One annoying thing I notice about Bitwarden is if I get to a website and Bitwarden is locked then the dialog will pop up to unlock Bitwarden but if I do and select the credential, it doesn't autofill. If I keep the Bitwarden app unlocked then autofill works fine. Kind of annoying

      lberrymage Maybe I'm misunderstanding something. given what I described for the usage of keepassdx.

      "If your using GOS, exec spawn on, sandboxed play services, fully verified Audit, keyboard doesn't have any network permissions, and a centuries strong pass phrase for keepassdx"

      How could you get phished for your keepassdx password? I do understand that for web site interaction 2FA is needed for some websites. For me specifically financial ones, the rest I really don't care about. but for protecting the password of your keepassdx database I'm not sure.

          Galt007 FIDO2 whether using your phone or a dedicated key ie Yubikey they are tied to a specific domain. This means even if the phishing portal was near perfect the ksy won't allow you to pass when the underlying domain is phishy 😉 even if the URL in the address bar has been spoofed. KeePass will allow you to paste if the URL is spoofed in the address bar and TOTP can be input and access stolen if relayed and used again in the time window.

            @Galt007 I think @MetropleX is talking about securing your web sites with FIDO2... Not keepass itself... KeepassXC also supports yubikey that works like adding entropy to your master password... Hope it makes sense 😸

            @DeletedUser115 @MetropleX good dialogue thanks. Yes I question the value of a fido2 token for the password for keepassDX itself. If your pass phrase is strong enough to withstand a centuries brute force attack. then I think your good. Yes a yubikey can add more entropy but if you lose it your sort of screwed right? For my websites that are critical to me they all use Fido. so someone could get access to login but without authentication (via a fido authentication application) they get stopped. Am i missing something?

              Galt007 Yeah... I don't use yubikey with keepass personally.... The way I think about it is your master password is something you know, your kp database is something you have... Already 2fa in a way 👠

                @DeletedUser115 right, same way i think. and If desktop ever is fully supported I'll have a pretty secure method to access some websites vs the linux box i have. Really dont want to buy a chromebook just to do this.