I recommend OneShallPass (http://oneshallpass.com) over KeePass. It's open source and auditable like KeePass, but:
1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.
2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.
> 2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.
This is an unbelievably audacious security shell game; I can't really believe this nonsense idea has somehow managed to gain traction.
The server is ephemerally delivering the code that supposedly encrypts your content securely.
By saving the HTML file and opening your local copy, you can audit the code and verify yourself that nothing will go over the wire unencrypted to their servers, so you get the benefit of them hosting the encrypted passes without having to trust them with your data. If you want it available anywhere, you don't want to save the file locally, and you don't trust the host, just host it yourself or grab it from Github.
> And hoping it includes all the java it needs, and doesn't go out and pick up some 3rd party library?
What Java? It's a self-contained, monolithic HTML file with JS and CSS inline. What dependency are you imagining you're not going to have?
> You would have to audit it to ensure it never includes everything else, or posts anything externally with every release.
Exactly as you would with KeePass, or any other conceivable solution. If you don't want to audit future releases, save the last one you audited and use that.
Don't forget to audit your browser (the thing without a version number anymore and with various metatemplates and it dynamically downloads on every load) and its implementation of ECMAScript. But everyone already knew that.
By that logic, you can't know KeePass is safe without auditing Mono, your compiler, your checksum tool, the editor you used for the audit, the logic gates of your CPU, etc. Auditing anything is impossible.
If you can't get a copy of Firefox that you trust hasn't been altered as part of a conspiracy to make you believe OneShallPass is a legit password manager, you've got bigger problems.
Additional features:
- It works offline.
- You can import or export your passwords in CSV form.
- If you choose to delete your account, it is immediately and irrevocably destroyed.
> 1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.
The obvious and huge difference then would be that KeePass requires a password or key file to open but an HTML page requires only a browser or text editor. Major, major difference to me.
> The obvious and huge difference then would be that KeePass requires a password or key file to open but an HTML page requires only a browser or text editor. Major, major difference to me.
Did you spend even two seconds looking at OneShallPass? Literally the second thing on the page is a field asking for a passphrase, and yet you came here to complain that it doesn't require a passphrase.
The passwords are encrypted. The fact you can read the decryption algorithm in your text editor doesn't let anyone know your passwords, any more than you being able to download and read the source of KeePass lets you read other people's KeePass passwords.