Why do people use password managers that store all the data on their own servers? Having a centralized database filled with full login information for hundreds of thousands of accounts across all your users (and accounts users clearly care about, mind you, otherwise they wouldn't go out of their way to use a password manager) makes for such an obvious jackpot attack vector that causes situations like this.

I've used Enpass for years now, which lets you sync your password database to Dropbox, Google Drive, iCloud, etc. So I still have to protect whichever cloud storage account I'm syncing with, but at least it's not an obvious place to find passwords for thousands of users. And if someone did have access to my Google or Apple account, they could reset a lot of my logins anyway.

And I know this isn't technically as safe as the self-hosted options, but it offers the same convenience as LastPass without the obvious painting-a-target-on-your-own-back by handing all your passwords over to The Passwords Store.



> Why do people use password managers that store all the data on their own servers?

> sync your password database to Dropbox, Google Drive, iCloud, etc.

So instead of storing it all on one service, store it on one out of three others?

Yes, you can set up your own hosting etc., but (1) will your average user do that, and (2) will they be able to maintain an adequate security posture of their self-hosted server?

Besides centralization being, as always, hard to avoid in practice, having a password-specific storage service also has several advantages over a generic "bucket of data" cloud drive.

For example, I'd expect a (competent) provider to invest some resources into

- Server-side deletion when I change my master password (cloud storage often keeps file versioning around for extended periods of time)

- Access logging, i.e. making sure that it is architecturally very hard to download my encrypted vault from an unknown device without triggering some sort of after-the-fact notification to me

- Limiting API and service attack surfaces, i.e. not offering their storage as part of a suite with other services that have different threat models, such as photo and video storage (accessible to backend batch jobs to rescale/reencode the media for multi-device viewing etc.), data sharing and others
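The access-logging point above, as an added example (not code from Enpass or any provider): a small checker that scans vault-service audit events and emits one notification per user for each download from a device that was not enrolled beforehand. The log format, field names and the per-user device registry are assumptions constructed for this example.

```python
"""Added example: flag encrypted-vault downloads from unenrolled devices.

The JSON-lines log format, the field names and the KNOWN_DEVICES registry are
constructed for this example; they are not any real provider's API or schema."""
import json

# Constructed sample events, one JSON object per line, as a vault service might log them.
SAMPLE_LOG = """\
{"ts": "2022-12-23T10:01:00Z", "user": "alice", "event": "vault.download", "device_id": "dev-a1", "ip": "198.51.100.7"}
{"ts": "2022-12-23T10:05:00Z", "user": "alice", "event": "vault.download", "device_id": "dev-zz9", "ip": "203.0.113.9"}
{"ts": "2022-12-23T10:06:00Z", "user": "bob", "event": "vault.upload", "device_id": "dev-b7", "ip": "198.51.100.8"}
{"ts": "2022-12-23T10:07:00Z", "user": "bob", "event": "vault.download", "device_id": "dev-q42", "ip": "203.0.113.10"}
{"ts": "2022-12-23T10:09:00Z", "user": "bob", "event": "vault.download", "device_id": "dev-q42", "ip": "203.0.113.10"}
"""

# Constructed: devices each user enrolled (e.g. confirmed out of band) before this log window.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b7"}}


def find_unknown_device_downloads(log_text, known_devices):
    """Return alerts for vault.download events whose device_id was not enrolled.

    Each alert is (user, device_id, ip, ts). Only download events count; uploads
    from a new device are left to a different check. A newly seen device is
    added to a working copy of the registry after its first alert, so repeated
    downloads from that device raise one notification, not one per request."""
    seen = {user: set(devs) for user, devs in known_devices.items()}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event") != "vault.download":
            continue
        user, device = event["user"], event["device_id"]
        if device not in seen.setdefault(user, set()):
            alerts.append((user, device, event["ip"], event["ts"]))
            seen[user].add(device)
    return alerts


if __name__ == "__main__":
    for user, device, ip, ts in find_unknown_device_downloads(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"NOTIFY {user}: encrypted vault downloaded from unenrolled device {device} ({ip}) at {ts}")
```

On the sample log this reports alice's download from dev-zz9 and bob's first download from dev-q42; the second dev-q42 download is not repeated.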


Just chiming in to say I've been satisfied as an Enpass user as well. Felt like a good middle ground to me, and I bought the app before they restructured their pricing model, so I was grandfathered in.


For me, the usability of a password manager depends on convenient, secure password sharing that only seems possible with a hosted option of some sort. Granted, one or more of those options might be self-hostable, but that brings other complexities.


Is Enpass an Electron-based app?


This is important: please respond. I generally disallow Electron apps on my personal machines as a matter of principle.


Lol why? Are you completely against anything that uses Chromium?


Completely against slowness, memory hogging, and disk-space wasting.

…Okay, not /completely/. I merely whinge about it too much, and occasionally stumble upon some tiny gloriously responsive app that does what I need.

[Flame=ON] But mostly I whinge. Like "Excel 2010 is so _fast_. Sure, newer versions do /some/ things faster, but even their startup time is so slow that I often consider whether it's even worth opening them to Do A Thing or worth closing them when I'll then have to wait for them to open again later.".

Hiding Electron's nature behind more hamsters (faster hardware) and bigger cages (memory+storage) doesn't seem to work for me. [Flame=OFF]
