Passwords
GenGenTe, 2020-07-25 15:24:13

Local vs cloud storage of the password manager database?

I can't choose between a local password manager (KeePassXC) and a cloud-based one (Bitwarden). Logically, the latter is slightly less reliable than the former, where the database is stored only on the device. But some malware/keylogger can get on the device and steal the file with the passwords. I also heard that there are vulnerabilities in password autocomplete in password manager browser extensions. And if you use a cloud-based password manager, then, I suppose, the file will not be stored on the device, but only in the provider's cloud? Well, the only danger here is that this cloud will be hacked... but then all the databases of all users will be stolen, and each of them is protected by a master password and is somehow encrypted, so who would take on hacking these password managers' clouds, and why? Who on the dark web would then buy all this encrypted data? How long does it take to decipher everything? In general, I really don't understand which option is more likely and easier to hack: local storage or cloud storage...
You can also find normal 2FA, only Google has it, and integrated TOTP in the password managers themselves does not make sense, as I understand it, since the codes are on one device and your database is right there, and so on. And I don't want to buy any physical tokens for 5 thousand.

I don’t understand anything, but I have an idea that perhaps there are programs that help hide the database file with passwords in some kind of container (?), which they can’t even steal through malware? Although there are keyloggers and things that see the password entered or copied to the clipboard or autofilled through a browser extension, there are no defenses against them? I don’t know at all whether it’s worth being paranoid for the sake of all this, I’m not some kind of minister.

Please answer in the simplest possible language, since I am very far from this and similar topics; I wrote the points above based only on watching various videos on YouTube and reading forums.

3 answer(s)
hint000, 2020-07-25
@hint000

"is it worth being paranoid for the sake of all this, I'm not some kind of minister"
Paranoia is the duty of system administrators and infosec people. Ministers are not paranoid, they just do not care.
Numerous deputies, advisers, secretaries, assistants, secretaries of deputies and assistant advisers can think for ministers... And those who are not yet ministers must think for themselves. :)
I am a system administrator, and I have an average level of paranoia. I have never used password managers and never intend to. And I don't care if the database is in the cloud or local. Just no, that's all, because paranoia.

Kelv13, 2020-07-25
@Kelv13

I think that cloud-based means that the encrypted container is both on the device and a copy of it is somewhere in the cloud... In this case, cloud-based, with the same complexity as the local one, is more reliable in the sense that if you lose your device, there is a container with passwords in the cloud.
A normal password manager is, in my opinion, more secure than a database file in an encrypted container - when an encrypted container is opened, the entire unencrypted file becomes available to potential malware.
As for paranoia, it depends both on the psyche and on the stakes) If you are walking through an unfamiliar forest at night using GPS on your smartphone and it suddenly gets locked, then the paranoia is justified and the physical token will justify itself. And if you receive 1 letter per month in the mailbox, you can lose it forever)
I heard a couple of times that password managers were hacked - LastPass seems to be one of them...
2FA is recommended to use, regardless of security reasons, at least you will know that an access attempt is taking place ... Many services use third-party applications that generate dynamic codes for 2FA.
As they wrote above about convenience and safety, security is built this way today: the more fences you need to climb, the more reliable it is. There may not be enough strength or patience for the next fence) If passwords are collected to sell for 1 dollar, no one will spend a day trying to get another dollar)
