Differences

This shows you the differences between two versions of the page.

--- pwm [2026/05/23 14:27] – particles
+++ pwm [2026/05/23 17:19] (current) – [For advanced users] particles
@@ Line 30: / Line 30: @@
 This section is for advanced users. By "advanced users" I mean people who care about things like what Argon2id is, PBKDF2 parameters, and security issues and remediation.
-I don't use [[hosted_pwm|cloud-based password managers]] or suggest them to security conscious people. The attack I worry about with these is not realistic, but I consider it unacceptable for security professionals or high risk individuals((High risk individuals like people who would be targeted by governments, intelligence agencies, malware, crypto people, etc.)) to use these services.
+I don't use [[hosted_pwm|cloud-based password managers]] or suggest them to security conscious people. The attack I worry about with these is not realistic, but I consider it unacceptable for security professionals or high risk individuals((High risk individuals like people who would be targeted by governments, intelligence agencies, malware, crypto people, etc.)) to use these services. There are other documented attacks and faults with these password managers.
+For advanced users, consider a custom KeePassXC setup, [[pwm_personal|like the one I use]]. The basic gist could apply to any offline-only password manager, but basically you need your own solution to access your vault from where you need to access it, a backup solution, and probably a plan for how to recover if you need to do that.
+I don't really suggest using gopass/password store, because they inherently assume you are okay with the usernames and sites are not encrypted/plaintext. This can be okay for some people. From a purely cryptographic security perspective, KeePassXC is more secure out-of-the-box and can be tuned to be more secure by adjusting Argon2 parameters.
+I don't really find it comfortable to use anything using PBKDF2 with a custom iteration count these days. It gets into really odd territory where you have to judge the iteration count and actually care about it. [[https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html|OWASP's Password Storage Cheat Sheet]] includes suggestions on what to use. But this is a moving target, and it's kind of annoying to track it.
+===== Awkward password managers =====
+  - LastPass. LastPass has had corporate data breaches and security vulnerabilities that warrant not using it, probably at all.
+  - Bitwarden. Bitwarden should not be as bad as it is, but there are routinely security vulnerabilities in this product. If you self-host Bitwarden or Vaultwarden and don't expose to the internet, your risk decreases dramatically because it turns into an offline password manager, but doing these activities requires some work. Vaultwarden also doesn't support Passkeys, which means you're stuck using passwords. I consider this quite bad.