You don’t know Tavis Ormandy? https://en.m.wikipedia.org/wiki/Tavis_Ormandy

tl;dr “If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.”

I can only speak for myself but his article confirmed my suspicion about any Password Manager, even Bitwarden and I never have or will use any online Password Managers. I create all my Passwords individually with my own algorithm in my head and can always recreate them.

  • @atx_aquarian
    link
    English
    2
    edit-2
    1 year ago

    I tried his “try this example if you have NordPass” page, and it didn’t do anything in Brave mobile other than load a blank new tab. Maybe they’ve changed their mechanism, or maybe I should be less lazy and try it in another browser. For me on NordPass and Android, though, the password selection is shown on the keyboard, not within the content area.

    I also don’t know about his claim about the invalidity of any vendor’s “we can’t see your passwords” claims. If their software is audited (which is probably easiest with Bitwarden due to its open source–as long as you trust who distributed the built binary) to verify the code is encrypting your key/value store locally with your own passphrase prior to sending, they would have to crack the file to access its contents. But I take his point to be more about trusting their software to do what they claim, which, he points out, may even be out of their control if a malicious actor gets privileged access to modify their software. But, if I’ve understood that claim, then it is just as applicable for any centralized application; in other words, also don’t use web browsers in the first place.

    He’s got other points about APIs I’m not familiar with, so I have to admit I’ve only focused on 2 of several points. But, for the 2 I thought I followed, I wasn’t seeing those arguments go down the same road he did. This has gotten me thinking though, and I still won’t dismiss the thought entirely. Interesting article.