
In my opinion, it should be a bare minimum for something as important as a password manager to be free software. Others have mentioned Bitwarden and Keepass in this thread, both of which meet that criterion, but personally I'll stick with pass since I don't need a GUI.



Huh, you are saying that something that is so important you want for free, and that the company building this product for you should forgo money and work simply for free? Wouldn't the opposite make far more sense, that something that is so important you should pay 'more' for? There are free options that you are welcome to, but for people who want more they pay for it.


Nowhere did I mention money. It's primarily a trust issue when it comes to proprietary solutions like 1Password safekeeping your passwords. Look at Bitwarden for example: "All of our source code is hosted on GitHub and is free for anyone to review". Yet they have paid plans for individuals and businesses.


The only way to guarantee that your keyring is secure long-term is for the source code (and change history) of your password manager to be inspectable and verifiable. A promise made by a corporation is not sufficient.

You can pay a corporation to buy a product with more features or better service. But you can't pay a corporation to hold or maintain a principle. There will always be someone who can offer them more money to hold the opposing principle. Principled people who work for a corporation eventually leave and are replaced with apathetic or differently principled people.

In this case, the principle is the privacy and security of the credentials in your keyring. How much money do you think a bad actor would be willing to pay for these? How much money do you think a bad actor would be able to pay to a corporation that secures credentials for a huge number of users, and who can push arbitrary updates without pesky source code validation getting in the way? You and I don't have enough money to win this game.

Look at another high value target for comparison -- browser extensions that have a large installed userbase. Browser extensions are frequently bought for tens to hundreds of thousands of dollars by ad/tracking/malware vendors in order to quietly replace the extension with one that does their bidding, without the users' knowledge.

What's the solution to this problem? Open-source, inspectable, verifiable software that is maintained by a person or a community that shares your principles. I trust the work of Jason Donenfeld (pass, wireguard) and Raymond Hill (uBlock Origin) more than the work of any corporation selling a similar product at any price.

The incentive structure of corporations in general precludes them from being given the level of trust required for certain products.


And what makes you think that Jason or Raymond won't wake up one day and decide they had a change in principles? Just like people, companies have reputations and values. Individuals are not immune to malevolence.


Companies swap out their internal functionaries regularly, and regression to the mean suggests that as an organization they're likely to lose any principles they may have started with.

People can certainly lose their principles, but from observing past behavior (e.g. the number of times Raymond has told moneyed interests to fuck off), I believe that certain people are capable of holding certain principles for longer than a corporation would be able to.

Secondly, these individuals and communities recognize the inherent problem with needing to trust them, so they jump through hoops to make sure that publicly available binary builds are reproducible and verifiable. They publish their open-source software in a way that doesn't require you to trust them as much as you would need to trust a corporation with a closed-source product.

Not only do many corporations not bother doing this, many corporations that maintain open source products deliver binaries that obviously have more stuff baked in than their source code would suggest. For some categories of product, like a password manager, open source with reproducible builds is table stakes, not an optional feature.


You can absolutely pay a company to hold a principle.

Consider the number of companies now who are promoting sustainability as a core value, because it gives them an edge up on competition in big government tenders.

More common than you'd think, especially in physical product supply!


> who are promoting [...] as a core value

> because it gives them an edge up on competition

That's... literally the opposite of holding a principle. They're doing a thing that they don't otherwise care about because it results in an advantage today. What happens when the money runs out? When the fad shifts? When someone offers them more money to do something that conflicts with this principle?

You hold a principle because you believe (logically, axiomatically, morally, etc.) that it is correct, regardless of all other incentives that might pull you towards or away from it.

If the only reason that someone claims to hold a principle is because you're paying them, they're not actually holding that principle.


Not free as in beer, but free as in freely auditable/accessible. Trusting your life to a black box controlled by other people is a lot to ask.


https://en.wikipedia.org/wiki/Free_software

Free software can still be paid software.


"Free" doesn't always mean "Free beer".

"Free Software" has a specific (and different) meaning than Open source.

https://www.gnu.org/philosophy/free-sw.en.html

I think this is what OP meant, not wanting their software to be available at no cost.


Free software doesn't mean for free. It means being able to audit it to see if it has no backdoors.


I use pass(1) as well. I love that it allows me to use my yubikey.

Also a 1password user. Can't deny it's a wonderful product.


What does that even mean? There are free alternatives. I use 1password because it does a good job.


...as in freedom, not beer.

It means the gp considers the problem space sensitive enough that the source should be available for inspection and modification.


The latter in particular means that if there's a thing you wish the software did and it doesn't you can fix that.

The more central to your everyday life something is, the more important that is. We take this for granted elsewhere in our lives.

You buy a refrigerator, the fridge company doesn't get to tell you that too bad you're only allowed to keep soda in their $80 dedicated "Soda rack" and that little shelf is only for vegetables - you can just put your soda there anyway, and if you want you can even make or buy a gizmo that dispenses cans just the way you want, screw their $80 plastic garbage, you made one from stainless steel scrap at community college.

You can take Free Software like pass to pieces to understand how it works too.

The thing I keep coming back to is how it uses 'tr' to get random passwords, because it's so simple and yet when you step back it's obviously the correct design. The method goes like this:

Unix 'tr' has a mode where it just ignores all input except the character classes you selected which pass through. So e.g. you can say you want passwords with just A-Z0-9. Hook it up to /dev/urandom and the device spews random bytes into it. All the ones that aren't acceptable are just thrown away. Then you catch the desired length of output from 'tr' and you're done.

I've seen software attempt to try to bodge a budget of random bits into a fixed character set, which is very difficult to do safely and correctly - but 'pass' just doesn't try to do that at all, why bother when you can make as many random bytes as you want anyway?
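The `tr`-based generation described above, written out as a small shell function so it can be run and checked; this is an added example, not pass's own code. `gen_password`, `check_password` and `modulo_bias_ratio` are names chosen here; the character classes are ordinary tr(1) syntax.

```shell
#!/bin/sh
# Added example (not pass's own code): rejection sampling with tr(1).
# Character classes use tr syntax, e.g. 'A-Za-z0-9' or '[:alnum:]'.

gen_password() {
    length="$1"
    charset="${2:-[:alnum:]}"
    # -d deletes, -c complements the set: every byte from /dev/urandom that
    # is NOT in the charset is thrown away. Each surviving byte is equally
    # likely, so there is no modulo bias. LC_ALL=C makes tr work on raw
    # bytes instead of trying to decode multibyte characters.
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length"
}

# Sanity check: output has the requested length and only allowed characters.
check_password() {
    pw="$1"; length="$2"; charset="$3"
    [ "${#pw}" -eq "$length" ] || return 1
    # Delete every allowed character; anything left over is a violation.
    [ -z "$(printf '%s' "$pw" | LC_ALL=C tr -d "$charset")" ] || return 1
    return 0
}

# Contrast with the "bodge random bits into a set" approach: taking a byte
# modulo the set size is only uniform when the set size divides 256. For the
# 62 alphanumerics, 256 = 4*62 + 8, so 8 symbols get 5/256 probability and
# the other 54 get 4/256. This reports that ratio (hi/lo) for a set size.
modulo_bias_ratio() {
    set_size="$1"
    hi=$(( (256 + $set_size - 1) / $set_size ))  # over-represented symbols
    lo=$(( 256 / $set_size ))                     # under-represented symbols
    echo "$hi/$lo"
}

main() {
    pw=$(gen_password 24 'A-Za-z0-9')
    check_password "$pw" 24 'A-Za-z0-9' && echo "ok: $pw"
    echo "modulo bias for a 62-symbol set: $(modulo_bias_ratio 62)"
    echo "modulo bias for a 64-symbol set: $(modulo_bias_ratio 64)"
}

main
```

The rejection step costs nothing worth measuring, since /dev/urandom can supply as many bytes as tr discards.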


> The latter in particular means that if there's a thing you wish the software did and it doesn't you can fix that.

Yeah, that's not really relevant to me... Along with ~99.5% of people out there, I will not be fucking around making customizations to my password manager. There are things you tinker with, and then there are things that hold passwords to your financial and professional life. I have not yet and will not anytime soon be rolling out my own crypto or my own password manager and trusting it with real-life credentials.


For anyone wondering, pass refers to this[1] project.

[1]: https://git.zx2c4.com/password-store/tree/README



