> No decent password manager will expose your passwords to a third party.
Unless you are verifying the source and compiling yourself, your password manager IS a third party.
> FWIW, I use "pass", which is a short bash script that's a thin wrapper around gpg. If you can't trust that, I'm not sure how you can use a computer.
Sure, I probably trust GPG and the devs behind it. But unless you are downloading from them directly and verifying binaries, or building yourself from their source (and comparing source), you aren't really just trusting them, you're trusting the people that are distributing GPG to you. If the provider is a well respected linux distro, I probably trust it, but it's quite a bit less trust than the GPG devs themselves get. There's a lot more hands involved there and many more places for someone to inject some nefarious code, or just plain screw up[1].
I guess the real point is that "decent" in "decent password manager", or any security product for that matter, has a higher bar than in many other industries, but this may not be common knowledge.
Edit: For that matter, I guess the only reason I trust GPG at all is that enough decentralized volunteers will look at it that coercing them all into keeping silent (or silencing them in another manner) about any backdoor they find is probably impossible (or at least requires enough effort as to make it unfeasible).
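The "verifying binaries" step the comment above refers to, as an added example that is not part of the thread or of any project it mentions: checking downloaded files against a `sha256sum`-style manifest (`SHA256SUMS`). The file names, file contents and manifest are constructed inline so the example runs offline; in practice the manifest would come from the upstream project, and the checksum only pins the bytes to that manifest. It proves nothing about who produced the manifest unless the manifest itself is signature-checked (for instance `gpg --verify SHA256SUMS.sig SHA256SUMS`) with a key you already trust, which is exactly the distributor-trust question raised above.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum(1) output lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary).

    Returns {name: lowercase hex digest}. Raises ValueError on a malformed digest,
    so a corrupted or truncated manifest fails closed instead of silently verifying nothing.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # The second separator char is ' ' (text mode) or '*' (binary mode); drop it.
        # Note: a file name that itself starts with '*' is ambiguous in this format.
        name = name.lstrip(" ").lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest_text, directory):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every entry in the manifest.

    Every listed file is reported, so a missing artifact is visible rather than
    quietly skipped.
    """
    results = {}
    for name, expected in parse_sha256sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest is not needed for a public hash but costs nothing here.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed scenario (hypothetical names): one intact download, one tampered, one absent."""
    good = {
        "gnupg-x.y.tar.bz2": b"pretend this is the upstream tarball\n",
        "tampered.tar.bz2": b"original bytes the manifest was computed over\n",
    }
    # Manifest lines as the upstream project would publish them (binary-mode marker on one).
    manifest = "\n".join(
        [
            f"{hashlib.sha256(good['gnupg-x.y.tar.bz2']).hexdigest()}  gnupg-x.y.tar.bz2",
            f"{hashlib.sha256(good['tampered.tar.bz2']).hexdigest()} *tampered.tar.bz2",
            f"{'0' * 64}  absent.tar.bz2",
        ]
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "gnupg-x.y.tar.bz2"), "wb") as f:
            f.write(good["gnupg-x.y.tar.bz2"])
        # Simulate a mirror that serves modified bytes for the second artifact.
        with open(os.path.join(d, "tampered.tar.bz2"), "wb") as f:
            f.write(good["tampered.tar.bz2"] + b"extra payload appended by a mirror\n")
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A "mismatch" or "missing" result should abort the install; an "ok" result only means the bytes match what the manifest's author published, which is why the manifest's signature, and the provenance of the key that signed it, carry the real trust decision.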
I agree with everything you said, but you're looking too closely at just the last link in a long chain. Yes, it's important to trust your password manager. I base that trust on my inspection of the short bash script and on the reputation of GPG and the Ubuntu distribution system. But 95% of the passwords stored in there are being pasted into chrome, which is a gigantically complex piece of code with hundreds of developers. They're passing through the selection buffer of Xorg, which is also quite a beast with many contributors over time. And of course I have to trust the Linux kernel! Not to mention the hardware it's all running on, which I'm sure has many critical parts manufactured in a country that harbors and probably sponsors people hacking into US companies and infrastructure.
Looking at the whole picture, using something like LastPass or 1Password in place of bash+gpg is only marginally less secure, and since non-techies are more likely to actually use them than some console-based thing, encouraging their use is a net win for security. Saying "you shouldn't trust a password manager that you haven't inspected line-by-line" is ultimately counter-productive. The people that have the most to gain from password managers can't even read code, and certainly couldn't spot a hidden side-channel.
[1]: https://www.schneier.com/blog/archives/2008/05/random_number...