
Looks awesome! I've been using 1password, are there any big advantages that KeePass has over it?


I'm not sure about "big", it all depends on how much you trust 1password and what your threat model is. For me, the advantage of keepass is that I don't need to upload my credentials anywhere, or trust some closed source blob running in the browser, etc. It has an XML format that enables things like this client to be created.

1password has the advantage of excellent platform integration on iOS, and various browser extensions with auto-fill.


I use my own script to generate passwords. I don't store anything beyond a salt. The password is just a hash of the website name, the salt and a master password. Then I just copy-paste the result. Simple is best.
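The deterministic scheme described in the comment above, written out as an added example (this is not the commenter's script, and its function names, parameters and the demo values are assumptions). It derives each site password from the site name, a stored random salt and a master password that is never written down. Two choices go beyond the comment: PBKDF2-HMAC-SHA256 with a high iteration count replaces a single hash, so that someone who learns one derived password plus the salt cannot cheaply brute-force the master password, and a version counter is mixed in so a single site's password can be rotated without changing the salt for every site.

```python
import hashlib
import hmac
import secrets
import string

# Constructed defaults for the demo. A real user keeps the salt in a file
# (it is not secret, only unique) and the master password only in their head.
ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def new_salt() -> bytes:
    """Generate the one value this scheme has to store: a random 16-byte salt."""
    return secrets.token_bytes(16)


def derive_password(site: str, master: str, salt: bytes, length: int = 20,
                    version: int = 1, iterations: int = ITERATIONS,
                    alphabet: str = ALPHABET) -> str:
    """Deterministically derive a site password from (site, master, salt, version).

    The expensive key stretching (PBKDF2) runs once per site; the result is then
    expanded with HMAC into as many bytes as the requested length needs.
    """
    # Normalise the site name so "Example.com" and "example.com " agree.
    site_norm = site.strip().lower().encode("utf-8")
    # Bind salt, site and version into the PBKDF2 salt with explicit separators,
    # so that different (site, version) pairs never collide.
    pbkdf2_salt = b"|".join([salt, site_norm, str(version).encode("ascii")])
    site_key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                   pbkdf2_salt, iterations, dklen=32)

    # Map bytes to the alphabet with rejection sampling so every character is
    # equally likely (plain "byte % len(alphabet)" would bias the first few).
    limit = 256 - (256 % len(alphabet))
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(site_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
    return "".join(chars)


if __name__ == "__main__":
    # Constructed demo: one salt, two sites, one master password.
    demo_salt = new_salt()
    master = "correct horse battery staple"  # constructed demo value
    for site in ("example.com", "mail.example.org"):
        print(site, derive_password(site, master, demo_salt))
```

The trade-off a practitioner should keep in mind with any scheme of this shape: the output for a site cannot be changed unless some input changes, which is why the `version` parameter exists, and a site that rejects `!@#$%^&*` or caps the length needs its own `alphabet`/`length`, values that then also have to be remembered or stored alongside the salt.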


Is there a name for this kind of scheme where you can generate a password every time because you have all the parts needed? I've been seeing that people do this but don't have a name for it.


Hashing?


> the advantage of keepass is that I don't need to upload my credentials anywhere

But if you want to sync your credentials across devices, you still have to upload them somewhere, right? Doesn't this just support sync via Dropbox? If so, aren't you then just playing the trust game between two third-parties?


You are uploading a file that is encrypted using very strong encryption, not plain text password.

An employee of that company, or if the file was leaked due to technical errors, a member of the general public won't be able to decrypt it. If one of the richest governments wanted to, they might be able to, but if you had reasons to be a target you'd know better than to use this.

Also, take a look at SpiderOak.


Is strong-encryption something that 1password is fundamentally opposed to, or something they just haven't implemented yet? If I'm going to switch, the answer to this question is pretty important.


I work for a competitor of 1password, and as far as I know 1password is one of the "serious" password managers and I really doubt they would store data unencrypted. Last time I checked, they did not offer cloud sync directly, but integrated with dropbox to store your encrypted vault. Not really sure what the previous comment wanted to imply.


> strong-encryption something that 1password is fundamentally opposed to?

where did you get this idea?


The comment I replied to which suggested that strong-encryption was a differential between keepass and 1password.


As far as I can see, the comment you replied to contains no mention of these things. Can you quote the relevant part?


cmrx64: it all depends on how much you trust 1password and what your threat model is. For me, the advantage of keepass is that I don't need to upload my credentials anywhere

oneeyedpigeon: But if you want to sync your credentials across devices, you still have to upload them somewhere, right?

dorfsmay: You are uploading a file that is encrypted using very strong encryption, not plain text password

I took that to mean:

(with keepass) you are uploading a file that is encrypted ... not plain text password (as for 1password)

dorfsmay has now confirmed that was their meaning in this comment: https://news.ycombinator.com/item?id=11177045


Thanks. This was very cryptic, I'm surprised you pieced it together.


No, but my understanding is that with 1password and similar services the web client sends the password in unencrypted form to the server. A rogue employee, or even the combination of a bug and a leak, would expose your password.

With keepassx, your password never leaves your device in unencrypted form.


This is very much untrue. 1Password syncs an encrypted vault through a separate channel (e.g. Dropbox, iCloud) -- it has zero-knowledge of your passwords. It just picks up a big encrypted blob from wherever you store it.

"The easiest way for us to protect your data and data about you is to not have that data in the first place. You may be noticing a theme by now: we can’t reveal or abuse data that we don’t have.

We do not have your 1Password data. We do not know your 1Password Master Password. We don’t even know if you use 1Password. We do not know how many items you have in your vault or their type."

https://support.1password.com/private-by-design/#what-we-cou...


Thanks for the clarification.


Use a p2p sync program like BitTorrent sync or an alternative. Skip the cloud. It's just someone else's computer.


But it's someone else's computer that is pretty much guaranteed to be available, and probably more secure than mine.


There are mobile clients for phones if you don't have an always-on machine.

Also, you're putting too much faith in other people's computers.

That said, most of these password managers use really strong encryption so having your password file exposed isn't much of an issue.


I'm a big fan of FLOSS solutions, but I can't recommend KeePass/KeePassX/... over 1password. There are many people implementing KeePass-related things and most of them don't know much about secure development (nor do I claim to). 1password on the other hand has audits and professional security people. As long as they don't turn evil and give you a bad binary blob, I would bet on your passwords being more secure with them than if you were using one of the KeePass* tools.


Sure, in theory, 1password MIGHT have better private auditing and review. But there's no reason to believe they do. To the contrary, when asked about open sourcing 1password, one of their developers explained that they don't do formal code review because it's too expensive, and that none of the external experts they consulted with have ever performed a full review.

https://discussions.agilebits.com/discussion/22686/open-sour...


It's free


It's not just free, it is FLOSS.


I forgot to floss this morning :(

