Proton pass Vs keepass

GrapheneLover

KeePass is the way to go if you're serious about your online security. Always make sure to make multiple backups of your vault file.

[deleted]

KeePass has been around since 2003 whereas Proton Pass has only been around for a few months. A fair comparison is not really possible at the moment.

Graphite

N1b KeePassXC/DX is the best offline Password Manager, but not long ago there was a bug which compromised the keyfile

Can you give details pls?

Oggyo

Graphite
They might be talking about this - https://www.cve.org/CVERecord?id=CVE-2023-24055

[deleted]

Graphite If it's possible on grapheneos that an attacker has write access to your device, then your keepass database is insecure.

N1b

leoLela What do you suggest? Is it enough to have backups of your keepass files, or should we also have a different database format? The second option sounds would be a maintenance nightmare.

A simple and up to date backup of your keyfile in 2 different places should be enough, if your threat model doesn't include protection against targeted attacks from 3 letter agencies that is. Better be safe than sorry though, I have 4 encrypted offline backups in different locations of my recovery files (Bitwarden, Aegis, Crypto Seeds, etc).

Graphite Can you give details pls?

Wish I could point you directly to it. I've heard it on the Michael Bazzell podcast and maybe read it in his book Extreme Privacy 4th edition sometime last year, but I can't find it right now. If I remember correctly, he used KeePassXC on MacOS and after an update his keyfile was irreversibly corrupted, so he lost access to all his passwords. The bug was patched within hours, but hundreds of people were affected. He had a hidden backup at a friends house (hollow coin with micro SD card behind a power outlet) so he could restore them after the patch. Maybe someone else can confirm or link the story, he does delete his old podcast episodes so it might be already gone. Couldn't find specifics about it in the KeePassXC patchnotes either...

Edit: Typos

Graphite

Oggyo They might be talking about this - https://www.cve.org/CVERecord?id=CVE-2023-24055

That's for keepass2 which only runs on Windows (or with mono) and it was the config file, not the keyfile. I was very involved with the effort to get the devs to recognize this problem and fix it. But they were quite stubborn in their philosophy of "it's game over if someone has write access", which IMO is BS. The dev added a halfassed fix, but still disputes the CVE.
I switched to KeePassXC which does not have such weird features like silent export on open or allows insecure 3rd party plugins.

On mobile, there are Keepass2Android and KeePassDX (not to be confused with XC) which does not operate the same way as the desktop variants. Write access doesn't compromise anything. With Storage Scopes, other apps can't even see the files from your keepass app. I go even further by having the KeePass database in a separate profile, and then sharing read only access to the main profile via sFTP. That way, if my phone is stolen whilst unlocked on the main profile, the database residing on the separate user profile is further protected by a long password which encrypts that profile's entrie file system.

[deleted]

[deleted] KeePassDX requires a passphrase, a key file and/or a hardware key. Your assumption is untrue.

[deleted]

This kind of attack is impossible on the Google password manager because an attacker would need my passphrase and my fido key, which I don't even have on me. So there you have it, you've got to be very careful with this kind of so-called privacy-friendly software, and you can count on me to mention this, as I'm sure others will, like it or not.

[deleted]

[deleted] or proton, it's the same capitalists at their head

Oggyo

Graphite
Oh yeah, now I remember the saga with the devs, too. :)
Thanks for clarifying that.

L8437

Graphite hi thanks everyone for the helpful replies.i think I'll stick with keepassdx for now

Can you please point me in the right direction regarding the sFTP? I don't know what this is, but your method sounds useful

Graphite

L8437

sFTP is only going to work using Keepass2Android. It is a secure (encrypted) File Transfer Protocol that works over a network. I keep it isolated to the local loopback so only apps on the device can actually connect. It's a way to transfer files between user profiles. You can use Syncthing, to keep a synced copy in each profile, but will defeat the purpose of protecting the database file in it's own encrypted file system. Which is why I disable caching of the database file too.
KeepassDX, I believe, cannot load database files directly from remote storage locations like WebDAV, sFTP, Google Drive, etc. But KP2A can.
My method just adds another layer of at rest encryption, for the common threat scenario of a lost/stolen phone while the main profile is open. Even without this additional layer, the encryption for your database is already very strong and you can even choose to increase it's strength in exchange for a few extra seconds to open the database.

Relaks

N1b If I remember correctly, he used KeePassXC on MacOS and after an update his keyfile was irreversibly corrupted, so he lost access to all his passwords.

I listened to this same podcast episode. I believe Bazzel explained that the bug seemed to only affect macOS users who stored their database file within a Veracrypt container, and then unlocking the database file from within that container.

[deleted]

I've just tested proton passe since everyone's talking about it, it's a far cry from the fluidity of google's manager... it automatically fills in the fields every other time and I have to rename all my mdp's. I don't keep it, it's not usable for the use I have in mind.

[deleted]

in fact i take back what i said, proton applications are completely unusable if you enter all your 2fa codes in protonpass. proton doesn't support fido keys in their applications, i don't really understand the principle but that's the way it is. At least I tried it, so no one can tell me I'm a google fanboy.

Graphite

[deleted] proton doesn't support fido keys in their applications

https://proton.me/support/two-factor-authentication-2fa
Proton supports two different types of 2FA. You can use:
Your smartphone (via an authenticator app)
A Universal 2nd Factor (U2F) or FIDO2 security key
https://proton.me/support/2fa-security-key

[deleted]

Graphite Now you're in for a big fat lie... I've just tested the application, the application downloaded from the playstore doesn't support fido2 keys. If someone sets all their passwords in protonpass, and sets the 2fa code in protonpass, then the applications become unusable if you uninstall and reinstall them. The same goes for proton on the Internet, it's unusable. I think they know all about this at proton... I hope for their sake

Graphite

Staying on Topic!
OP:

L8437 What are people's thoughts? I've been using keepass for a long time and I like the idea of it being offline and the magic keyboard too

But proton pass does look good too

Keepass and ProtonPass are two very different things. One's an app, the other a service.
I think all cloud based password vaults should be avoided. The benefit of having automatic sync to all your devices is not worth it, and can often be the thing that pwns your entire life. It is much better just to do syncing manually or with a separate app that syncs directly like syncthing.

Graphite

[deleted] Google manager is also encrypted and free with 2fa

For Google Password Manager, is the password and 2FA token different / separate from your Google account?

What happens if Google is legally compelled to hand over your entire Google account to LEA? I know the password vault is on the device, and E2EE. But can't Google perform a 2FA reset or add new keys to your account? They can also reset your Google account password. At that point, LEA can sync a password database, right? LastPass, on the other hand, at least can't reset a master password.
There is a lot of false sense of security with 2FA and password managers. If the provider (say Google or Lastpass) has the ability to reset your 2FA token, then your passwords are not really as secure as you think. At that point, only the "master password" is protecting your password database. But does Google Password Manager have a separate master password, or can they just reset your account password? If it were really secure with E2EE that Google itself can't access/change, then a Google account password reset or 2FA reset would invalidate existing password vaults, locking out the user (which is actually a good thing) unless they have their recovery codes. Let me know if this is how Google works.

[deleted]

Graphite Google implements fido keys much better than proton... If you set APP in your Google account, even Google can't open your account, unless there's a flaw in the fido protocol, which I highly doubt.

Graphite

[deleted] I've just tested the application

Oh, you meant the Android app, not the apps provided by Proton, which does support FIDO keys.
I guess they would have to open a browser webview to communicate with the hardware key. The benefit of FIDO over OTP as 2FA, is primarily phishing resistance, which wouldn't matter when using a native app anyway.

[deleted] Google implements fido keys much better than proton

Google, having deep integration with Android phones, would of course want to make security keys work within the non-web apps. Does this require Google Play Services? If so, that's a deal breaker for many.

[deleted] If someone sets all their passwords in protonpass, and sets the 2fa code in protonpass, then the applications become unusable if you uninstall and reinstall them

I don't understand what you are trying to do.

[deleted] If you set APP in your Google account, even Google can't open your account, unless there's a flaw in the fido protocol, which I highly doubt.

Are you saying you've tried Google Account recovery? Google does have the ability to reset/turn off 2FA.
If you want to test this. See if you can reset your Google Account without 2FA using a recovery email. If it is possible... then Google can absolutely access your account.

« Previous Page Next Page »