this post was submitted on 05 Jul 2023
1387 points (98.2% liked)

Android

28031 readers
135 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

!android@lemmy.ml


founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] Hexarei@programming.dev 3 points 1 year ago* (last edited 1 year ago)

I use KeepassXC on desktop and KeepassDX on Android, and I'll step up to your questions for it, specifically:

Do they save your passwords locally or in the cloud?

Locally, as a file. I sync my file to a selfhosted Nextcloud instance so I can use it across devices. Other folks use Syncthing or even less-trustworthy services like Google Drive or Dropbox. The file is encrypted with a password, so as long as you choose a nice long encryption key phrase (Such as a long sentence or string of 10-15 random words).

If locally, what if I want to sign in on another device?

Do I own that device and trust it? If so, I just get the file from Nextcloud (either via sync or via browser download).

Do I not own that device and trust it? If so, still a couple of options. If you're on Android and rooted, there are various tools that will let you plug your phone into a USB port, pretend it's a USB keyboard, and auto-type your passwords. Even some non-root options for having your phone pretend it's a bluetooth keyboard to do the same. There's also devices like http://inputstick.com/ that don't require root.

Personally, though? I just show the password on my phone and type it out. I rarely ever need to do that kind of thing, so it doesn't affect me much.

What if I lose the device I have my passwords on?

Sync the file, not a problem. Assuming you have your phone setup with a screen lock and device-level encryption.

What if they hack my device?

Who is "they"? There's no "they" to get access with Keepass, so I'm going to assume you just mean "a bad actor". In that case, if someone gets access to your device, you should assume you're pwned, and follow your plan for when/if that happens (You do have an "I was pwned" plan, right? right?).

That said, the encrypted password database remains encrypted at rest on your disk - And thus it's highly unlikely for someone to gain access to your password database even if they get access to your device. They are much likely to pilfer browser cookies for access tokens and the like.

If in the cloud: How can I know the service is not stealing my information?

Keepass: File is encrypted, good luck to the cloud storage service.

Others, cloud-based: The "trustworthy" among these cloud services encrypt the file client-side, and only use the server-side as a place to store an encrypted database file and/or for features like sharing passwords (usually by splitting out a copy into a "partial" database and sharing that). I would feel comfortable telling a family member to pay for and use an open-source service like Bitwarden, because that's what it does. I, however, am more paranoid than that and refuse to use such a service.

Primarily because they could, at any time, decide to sneak in some kind of backdoor that would ship my passwords to them unencrypted... and no thanks.

If I can access it anywhere, wouldn’t that mean it also needs a password?

Of course. That's why you make your password manager password something super long and memorable for you but hard to guess for others. My current passphrase, for example, is a 19-word description of a memorable event that occurred during a tabletop RPG session, followed by the numerical date of that session. Completely unguessable for others, very easy for me to remember.

Wouldn’t that make it twice as unsafe as it would only take one password to access the rest?

Only if your master password is easily guessed or cracked. In most cases, the master password is used as an encryption key, so the longer the better - Which is true regardless of whether the file is local or through a cloud service.

Many (keepass included) also have support for requiring physical 2FA keys, or specific GPG encryption keys or the like. This is, I think, the least of your worries tbh.