93 points by felixc 3 days ago | 55 comments
grouchypumpkin 3 days ago
* if an app has a single developer (keepassium? strongbox?), how much money would it take them to add a back door? 1M USD? 10M USD? Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?
* if an app has a small number of engineers with commit access (bitwarden? 1password?) could any one of them be compromised by money or threats?
* Would password managers from Google/apple/microsoft fare better because they already face these risks and have controls? Or maybe not?
wvh 3 days ago
There simply is no way anymore to check the several million lines of code even a minimal setup requires somewhere in the stack. Even an in-depth code review of a medium sized web application – with deps – has already become a gargantuan task most companies simply can't afford.
prmoustache 3 days ago
This.
It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.
But adding backdoors and vuln, yes totally possible on random products that person would be affected to. There is review fatigue the same way there is fatigue in a lot of processes.
PinguTS 3 days ago
There are lots of examples at almost all the fortune 500. Because they do not sneak in as just some random employee.
Cisco is very well known for backdoors in their equipment.
azurezyq 3 days ago
KeePassium 3 days ago
The more I think about it, the better I understand TrueCrypt's sudden demise.
hggigg 3 days ago
I would NOT trust Microsoft though. I've had enough problems with Authenticator and so have other users in our org that I refuse to put data near it. Not concerned so much about other people getting access to it but me losing my data.
too_damn_fast 3 days ago
prmoustache 3 days ago
dailykoder 3 days ago
I hope that's secure enough and works fine for me. I guess syncthing is just smaller and obviously doesn't need a third party?
kreyenborgi 3 days ago
I switched to f-droid at least; remember to back up your config before uninstalling the Play Store version.
zinekeller 3 days ago
tjoff 3 days ago
Details?
josephcsible 3 days ago
felixc 3 days ago
“pass” itself can be used in many contexts, but is primarily a desktop command-line tool. “Password Store” is the Android client for it.
gurjeet 3 days ago
Hopefully others find it useful.
[1]: https://gurjeet.singh.im/blog/passwordstore+gnupg+touchid
[2]: https://gurjeet.singh.im/blog/cisco-anyconnect-vpn-automatio...