pwm

Differences

pwm [2026/05/23 15:02] – [For advanced users] particles
pwm [2026/05/23 17:19] (current) – [For advanced users] particles
Line 36: Line 36:
 I don't really suggest using gopass/password store, because they inherently assume you are okay with the usernames and sites are not encrypted/plaintext. This can be okay for some people. From a purely cryptographic security perspective, KeePassXC is more secure out-of-the-box and can be tuned to be more secure by adjusting Argon2 parameters. I don't really suggest using gopass/password store, because they inherently assume you are okay with the usernames and sites are not encrypted/plaintext. This can be okay for some people. From a purely cryptographic security perspective, KeePassXC is more secure out-of-the-box and can be tuned to be more secure by adjusting Argon2 parameters.
  
 +I don't really find it comfortable to use anything using PBKDF2 with a custom iteration count these days. It gets into really odd territory where you have to judge the iteration count and actually care about it. [[https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html|OWASP's Password Storage Cheat Sheet]] includes suggestions on what to use. But this is a moving target, and it's kind of annoying to track it.
 ===== Awkward password managers ===== ===== Awkward password managers =====
  
   - LastPass. LastPass has had corporate data breaches and security vulnerabilities that warrant not using it, probably at all.   - LastPass. LastPass has had corporate data breaches and security vulnerabilities that warrant not using it, probably at all.
   - Bitwarden. Bitwarden should not be as bad as it is, but there are routinely security vulnerabilities in this product. If you self-host Bitwarden or Vaultwarden and don't expose to the internet, your risk decreases dramatically because it turns into an offline password manager, but doing these activities requires some work. Vaultwarden also doesn't support Passkeys, which means you're stuck using passwords. I consider this quite bad.   - Bitwarden. Bitwarden should not be as bad as it is, but there are routinely security vulnerabilities in this product. If you self-host Bitwarden or Vaultwarden and don't expose to the internet, your risk decreases dramatically because it turns into an offline password manager, but doing these activities requires some work. Vaultwarden also doesn't support Passkeys, which means you're stuck using passwords. I consider this quite bad.
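Review bot: the added paragraph ("I don't really find it comfortable to use anything using PBKDF2 with a custom iteration count") objects to having to judge and track a KDF parameter, but the unchanged paragraph just above recommends KeePassXC precisely because it "can be tuned to be more secure by adjusting Argon2 parameters", which is the same kind of judgment call; as written the two paragraphs read as contradictory. Suggest stating what makes the Argon2 case different in the author's view (for instance that the out-of-the-box defaults are already acceptable and tuning is optional, whereas a PBKDF2 iteration count has to be chosen and kept current against the OWASP cheat sheet's moving target), and tying the PBKDF2 concern to a concrete item in the "Awkward password managers" list, since neither the LastPass nor the Bitwarden entry currently mentions which KDF is at issue.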
pwm.1779516155.txt.gz · Last modified: by particles