
1. Honestly I've had bad experiences with PW managers. After having a corrupted PW database a couple of times, I stopped using them.

2. I do that. In addition I use this: http://winhelp2002.mvps.org/hosts.htm I have a python script that builds a host file from several sources.

4. Most readers here should be able to build their own router with a Banana Pi and IPFire.

I completely agree re: password managers. Lots of options and competition but nobody has yet really, really nailed it.

I eventually got many not-so-technical family members and friends to adopt Dashlane - which is easy to use and provides great support.

> 2. I do that. In addition I use this: http://winhelp2002.mvps.org/hosts.htm

That's a good idea - you can also configure a local bind/dnsmasq/unbound server to block based on these lists with ACLs (sure, if you google each you'll find tutorials, like this one: https://github.com/jodrell/unbound-block-hosts).

Some of the better home router distros will also do this at the local network level.
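The two ideas above (a script that merges several hosts-style blocklists, and feeding the same names to a local unbound resolver so the whole LAN is covered) fit in one small script. This is an added example, not the commenter's script or anything from the unbound-block-hosts project; the source lists are constructed inline so it runs offline, and the `always_nxdomain` local-zone type is assumed to be available in the unbound version in use.

```python
"""Merge several hosts-style blocklists into one hosts file and an unbound
local-zone fragment. Added example; the source lists below are constructed."""
import ipaddress
import re

# Constructed samples standing in for downloaded lists (real sources would be
# fetched over HTTPS from publishers you trust, then reviewed before use).
SOURCES = {
    "list-a": """# sample list A
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test   # inline comment
127.0.0.1 localhost
""",
    "list-b": """# sample list B (uses the 127.0.0.1 convention)
127.0.0.1 Tracker.Example.Test
127.0.0.1 -bad.example.test
0.0.0.0 ads.example.test
0.0.0.0 metrics.example.test
0.0.0.0 0.0.0.0
""",
}

# One or more labels of letters/digits/hyphens, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$"
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield lowercase hostnames from hosts-file text; skip comments, loopback
    boilerplate and anything that is not a well-formed DNS name."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])       # first field must be an IP literal
        except ValueError:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            try:
                ipaddress.ip_address(name)       # "0.0.0.0 0.0.0.0" style junk
                continue
            except ValueError:
                pass
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            yield name


def merge_sources(sources):
    """Union of all lists, deduplicated and sorted so the output is diffable."""
    names = set()
    for text in sources.values():
        names.update(parse_hosts(text))
    return sorted(names)


def render_hosts(names, sink="0.0.0.0"):
    # 0.0.0.0 is preferred over 127.0.0.1: nothing listens there, so blocked
    # requests fail fast instead of hitting whatever runs on local loopback.
    return "\n".join(f"{sink} {n}" for n in names) + "\n"


def render_unbound(names):
    # always_nxdomain answers NXDOMAIN for the name and everything beneath it,
    # so every client using this resolver is covered, not just one machine.
    return "\n".join(f'local-zone: "{n}." always_nxdomain' for n in names) + "\n"


if __name__ == "__main__":
    merged = merge_sources(SOURCES)
    print(render_hosts(merged))
    print(render_unbound(merged))
```

The unbound fragment goes into a file included from `unbound.conf`; regenerating it from the same sorted list keeps the diff between runs readable, which is what you want when reviewing what a blocklist update actually changed.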


> nobody has yet really, really nailed it.

I don't see how you could do better than something like 1Password. What is missing in your opinion?


1Password relies upon a single, strong password for your "vault", which is vulnerable to sniffers and intermittent surveillance.

I don't understand why they don't offer (at least) 2-factor key for the vault.

Also, they support TouchID on iOS devices, very useful. But in the US there has been at least one case of someone being legally required to unlock via TouchID, whereas offering up a passcode is still debatable.

So at least offer a short PIN-and-TouchID, and support some 2-factor like Google Authenticator.

They must have at least considered these things. I don't understand any security issues with this. Implementation is work, and perhaps a support hassle for them.

What are the technical reasons?


>single, strong password for your "vault"

This is pretty much the nature of password managers. That password is only ever entered locally. If an attacker can grab local keystrokes, it's game over anyway.

>they don't offer (at least) 2-factor key for the vault

Neither TOTP nor any kind of push/SMS token can be used to secure data at rest. These are mechanisms to authenticate to a server. You could have "2 factor" for data at rest by storing part of the key separately, but there'd be nothing dynamic about it; copying the key material once would be sufficient to use it forever.

LastPass offers 2-factor to authenticate to the LastPass website, but your vault is cached encrypted on the client side, and such a cached copy can be opened using only the master password. (IIRC there is an option to disable this, which works by erasing the cached copy at the end of a session. Hardly bulletproof, and precludes having any sort of backup resilient to the failure of LastPass itself).
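The distinction drawn above (a TOTP code authenticates to a server but cannot protect data at rest, while a "second factor" for a local vault can only be a static piece of key material) can be shown in a few lines. This is an added example, not code from 1Password, LastPass or the commenters; the TOTP secret is the RFC 6238 test vector, and the vault share, salt and password are constructed.

```python
"""Why a TOTP code cannot protect data at rest, and what a static two-part
vault key actually buys. Added example; secrets, salt and timestamps are
constructed (the TOTP secret is the RFC 6238 Appendix B test secret)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP with SHA-1 (the HMAC construction TOTP builds on)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def totp_is_stable_key(secret: bytes, t1: int, t2: int) -> bool:
    """Whether a key derived from the code at t1 could still be re-derived at
    t2. False whenever the two times fall in different steps, which is exactly
    why nothing encrypted under a TOTP code could be opened later."""
    return totp(secret, t1) == totp(secret, t2)


def derive_vault_key(master_password: str, stored_share: bytes, salt: bytes) -> bytes:
    """Static 'second factor' for data at rest: the vault key is the
    password-derived key XORed with a 32-byte share kept elsewhere (a token,
    a file on another device). Both halves are needed, but both are fixed, so
    one copy of the share is enough to reconstruct the key on every unlock."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                 200_000, dklen=32)
    if len(stored_share) != len(pw_key):
        raise ValueError("share must be 32 bytes")
    return bytes(a ^ b for a, b in zip(pw_key, stored_share))


if __name__ == "__main__":
    RFC_SECRET = b"12345678901234567890"          # RFC 6238 Appendix B secret
    print(totp(RFC_SECRET, 59))                   # 94287082 per the RFC vector
    print(totp_is_stable_key(RFC_SECRET, 59, 1111111109))   # False
    share = bytes(range(32))                      # constructed share
    k1 = derive_vault_key("correct horse", share, b"constructed-salt")
    k2 = derive_vault_key("correct horse", share, b"constructed-salt")
    print(k1 == k2)                               # True: static, reproducible
```

The split-key construction is what a hardware token or a "key file" option gives a local vault: an attacker needs both halves, but nothing about the share changes between sessions, so the defensive value lies entirely in keeping that copy off the machine that holds the encrypted vault.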


Thanks. I must think more about this.

I can understand that TOTP cannot be used for encryption.

But the app is asking for authentication. Zero-knowledge proof game might apply. Of course the local app must have the decrypted key in memory.

I wish we could defend against the Evil Maid...


One defends against the Evil Maid with physical security techniques. And by doing your own cleaning :).

The app is not asking for authentication, it's asking for encryption. Else an attacker could bypass the app's logic and read its data directly.


Open source would be nice. So I can, you know, check it's not dodgy.


> That's a good idea - you can also configure a local bind/dnsmasq/unbound server to block based on these lists with ACL's (...)

Take a look at FreeContributor [1]

[1] https://tbds.github.io/FreeContributor/
