undefined | Better HN

0 pointsdasil0038y ago0 comments

They issue is that your vault key must never be available to their system, otherwise when they get hacked with the most trivial XSS now your vault is pwned. Password vaults are a hugely valuable target, worth potentially thousands of dollars on the black market, you absolutely should not be using a service that has the ability or can acquire the ability to decrypt your vault. You're better off with a plaintext file in a nondescript location on your hard drive.

0 comments

mistercow8y ago

Just to clarify this, because it took me a second, the point (if I understand you) is that your password is available to them at the point when you log in to their support forums. Particularly bad, because it's a site that hosts a ton of user content.

It's also really dumb, because the whole point of the product is to make it easy to not reuse passwords. They could have even had the signup process automatically create those accounts for you and insert the passwords into your vault, and it would have been just as easy for the user.

j / k navigate · click thread line to collapse

0 pointsdasil0038y ago0 comments

0 comments

mistercow8y ago

j / k navigate · click thread line to collapse