Secrets in IT, part one:

Basic things are hard for even seasoned IT professionals, not to mention average non-it people.

Basic things like authentication. Basic things like backups. Basic things like the combination of those two.

Let's start from the authentication end of things: you're using a password manager right?

Ok. Is it dependent on a single company / closed source components? Pretty much anyone not using KeePass(x(c)) fail this. Companies get compromised, get shut down or acquired.

Ok, you've got a password manager you're confident in, executable code-wise. You naturally have multiple devices. How do you share the password data seamlessly? The picture is quite bleak. With a lot of of proprietary solutions.

KeePass fails hard on this.

You've got your open-source password manager syncing seamlessly between your devices. How do you handle 2FA logins?

Do you use your password manager to provide TOTP? Congrats, you no longer have a _second_ factor.

Do you use an independent second factor like a security key or authenticator app? Great, until...you want to combine auth and backups. You always have backups right?

You never store your backup login methods in your password manager right? Because then it's no longer second factor and no longer a backup then.

You have a backup process/tool right? You never store backup account logins in your password manager right? (When you want to restore a bricked device or after a home fire, if your password manager data is not there and the offsite backup credentials are in the pw manager data, chicken and egg problem much?)

You do backup your password manager though, right? If the pw manager syncing solution is compromised or has a data corruption bug or suffers from physical data loss, you still want to have the ability to login to all those sites right?

Strong Auth (pw manager, no credential sharing) + 2FA + Backup (offsite) is devilishly hard, with many pitfalls and plently of opportunities to create circular dependencies that you notice only too late.

Final point: this is hard even if carefully map out how to make it work. There isn't a solution nowhere close enough that would work with little or no thought from users and require minimal maintenance over the years, that would gracefully deal with hundreds of user accounts accumulated over the years, that would gracefully deal with device rotation, 2FA rotation over the years.

Follow

@szbalint not really a solution to all the problems that you mention but I think it covers a bunch of them: I use pass with the companion android app (and openkeychain). Sync by storing everything in a git repo. Takes a bit of work to setup but is quite simple to maintain. No solution for 2FA though.

@alex this is precisely my solution as well. ive gone a step further, and the git repo is stored in my personal gitea instances.

@0x3F Nice. I haven't got a personal git server set up yet, Gitea looks like a nice option.

Sign in to participate in the conversation
Mastodon

memoryandthought.me is one server in the network