There is a pretty large gap between "cloud based password storage" and "using the same password for each site".

1Password for /years/ worked with a local vault (and no remote sign-in requirement), and had relatively simple syncing to iOS via wifi (no idea on other OSes, that's what I use).

I've shared my password vault between these two places with no issues and it didn't need a cloud account and I wasn't re-using passwords.
That's literally the option though if you've managed to convince someone to use a password manager.

I convinced a family member and their response to the breach was "okay, who should I use instead? Or do I go back to using one password for everything?"


"okay, who should I use instead? Or do I go back to using one password for everything?"

Given that "using one password for everything" is such a terrible idea that we can discount it as probably worse than storing your passwords in a cloud-based vault, you land on what your family member has given you as the other option: "what should I use instead".

Ultimately if* there are no password managers available that will do syncing of locally stored vaults, then there are actually multiple options here:

1. Accept that the convenience (of device sync) here trumps the security issue that storing passwords in a cloud-based vault causes.

2. Should there be no options that allow for device sync /and/ local-only vaults then there is another option which is to not do automatic syncing.

Option 2. is somewhat inconvenient (how much depends on who you are and what you do), but it is still an option.

Personally, Option 1. is a line I'm not willing to cross. I see single repositories of 10s to 100s of thousands of people's passwords as a "password piñata", a massive target for attack, and so I'd take the inconvenience over the compromise. That said, I'm lucky to have a 1Password 7 still, so I do have local vaults and sync, but there's not a chance in hell I'm uploading this stuff to a central repo.

* Enpass might do what you want. It was a suggestion in the comment thread here.


I'm not concerned for me, I'm concerned with what less sophisticated people are willing to put up with.

Our options are convenience of device sync or one password.

Or some other mechanism, because I have been told in no uncertain terms that's as far as it goes.

I can't even convince this family member to rotate their passwords. What makes you think they'll be willing to put up with more inconvenience?

Again, the problem is the unsophisticated user who only has so much brain space for this shit.


"Relatively simple" for you or me maybe; for my 70-year-old parent, not so much. The bar is high.
