
If it's properly encrypted you should be able to publish it on github and still be more secure than entrusting it to a third party.


Publishing your vault of passwords on a public GitHub repository seems like a pretty bad idea, no matter how well you trust the client-side encryption code.

I'm no expert on the subject, but I suspect these password managers use a sophisticated mechanism of authentication (for accessing the vault) as well as encryption of the actual contents of the vault.

The effect of this is that Bob's encrypted vault cannot be downloaded by an attacker without the attacker first authenticating to the server.


>Publishing your vault of passwords on a public GitHub repository seems like a pretty bad idea, no matter how well you trust the client-side encryption code.

If it's properly encrypted you can display your encrypted vault on a Times Square billboard and it doesn't matter. It's like that physics experiment[1]: it looks scary, but there's nothing unsafe about it.

[1]https://youtu.be/xXXF2C-vrQE


And why do you think that authentication + encryption is going to be more secure than encryption alone? Either way, there's a secret. If you know the secret you can access the data and if you don't you can't. The UI/UX trappings of the mechanism don't change this fundamental dynamic.

What does change the dynamic is if you allow a third party to control the code that you run.


2FA is engaged at the authentication stage, so knowing the vault passphrase may not be sufficient.

Further, allowing anyone to download my encrypted vault just feels really uncomfortable and unnecessary.


You can use 2FA to encrypt. OK, it would be 2FE, not 2FA, but it's the same idea. Just encrypt using a Diffie-Hellman key derived from a secret contained on a device. (Of course, if you're going to do this, you could just as well keep the vault itself on the device.)

> Further, allowing anyone to download my encrypted vault just feels really uncomfortable and unnecessary.

It is unnecessary. I said you could publish your vault on github and still be more secure than a third-party provider. I didn't say you should do this. Of course you should try to keep your vault away from prying eyes. But you should not rely on this for your security. You should only ever rely on one thing for data security, and that is the integrity of your secrets, which should be small enough to be stored in your brain or in a device that allows them to be used without being read (2FA/E). That's the whole point of encryption.
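As an added illustration of the "2FE" idea in the comment above (example code written for this page, not code from the thread or from any password manager): a vault sealed under two factors, a passphrase and an X25519 key whose private half stays on a device. Seal generates an ephemeral X25519 key, does Diffie-Hellman against the device's public key, mixes the shared secret with the PBKDF2-stretched passphrase, and encrypts with AES-256-GCM. Anyone may download the resulting blob; Open needs both the passphrase and the device's private key, and either one alone fails. The function names, the "hn-vault-v1" label, the iteration count and the sample vault contents are assumptions of this example; PBKDF2 is implemented inline only to keep the example to the Go standard library (crypto/ecdh needs Go 1.20 or later).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const saltLen, pubLen, nonceLen, hdrLen, kdfRounds = 16, 32, 12, 48, 100_000 // hdrLen = saltLen + pubLen
// pbkdf2Block: one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018), a stdlib-only
// stand-in for scrypt/Argon2, which a real vault should use via a vetted library.
func pbkdf2Block(password, salt []byte, rounds int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// vaultAEAD derives the AES-256-GCM key from BOTH factors: stretched passphrase + X25519 shared secret.
func vaultAEAD(passphrase, salt, shared []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, pbkdf2Block(passphrase, salt, kdfRounds))
	mac.Write([]byte("hn-vault-v1")) // domain-separation label (assumed name)
	mac.Write(shared)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the vault to (passphrase, devicePub). The returned blob is safe to
// publish: salt || ephemeral X25519 pub || nonce || AES-GCM ciphertext+tag.
func Seal(plaintext, passphrase []byte, devicePub *ecdh.PublicKey) ([]byte, error) {
	header := make([]byte, hdrLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh random salt and nonce
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(devicePub) // only the device's private key can recompute this
	if err != nil {
		return nil, err
	}
	copy(header[saltLen:hdrLen], eph.PublicKey().Bytes())
	aead, err := vaultAEAD(passphrase, header[:saltLen], shared)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...) // salt and ephemeral key are bound as additional data
	return aead.Seal(out, header[hdrLen:], plaintext, header[:hdrLen]), nil
}

// Open needs the passphrase AND the device's private key; either factor alone fails.
func Open(blob, passphrase []byte, devicePriv *ecdh.PrivateKey) ([]byte, error) {
	if len(blob) < hdrLen+nonceLen {
		return nil, fmt.Errorf("vault blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[saltLen:hdrLen])
	if err != nil {
		return nil, err
	}
	shared, err := devicePriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := vaultAEAD(passphrase, blob[:saltLen], shared)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, blob[hdrLen:hdrLen+nonceLen], blob[hdrLen+nonceLen:], blob[:hdrLen])
	if err != nil {
		return nil, fmt.Errorf("decrypt failed: wrong passphrase, wrong device, or tampered blob")
	}
	return pt, nil
}

func main() {
	device, _ := ecdh.X25519().GenerateKey(rand.Reader) // private half lives on the 2FA device
	pw := []byte("correct horse battery staple")
	blob, _ := Seal([]byte(`{"example.com":"hunter2"}`), pw, device.PublicKey()) // constructed sample
	pt, err := Open(blob, pw, device)
	fmt.Printf("publishable blob: %x\nrecovered: %s (err=%v)\n", blob, pt, err)
}
```

Two caveats worth keeping in mind if you actually did this. A published blob still leaks its size and, if it is republished after edits, its change history, which is one reason the comment calls publication unnecessary. And an attacker holding the blob can grind passphrases offline for as long as they like, so the passphrase has to be high-entropy and the stretching slow; the device key is what makes that grind useless on its own, exactly the "secret small enough to live in your brain or a device" point made above.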



