Password Managers: How to be secure but not wiped out in an emergency
Lately I've been increasingly worried about corrupted payloads of even open source password managers. Password managers are among the world's biggest honeypots. Maybe you trust the coders of the password manager. Maybe it's Open Source. But do you trust all of its upstream dependencies? And all their CI build processes? And each of their developers' security?
That's part of why I won't use an Electron-based password manager like BitWarden: there's no Electron app with a minimal dependency graph. Even Electron itself could easily fall victim if someone important in the development pipeline is compromised... And besides, Electron sucks anyway.
So, one way I can mitigate against the possibility of a malicious payload being delivered on password manager update is to not put all my eggs in one basket. For example, where I can, I authenticate with a Yubikey (if only by TOTP on Yubico Authenticator). Then my password isn't enough. But where do I store the recovery codes? Ugh: in the password manager.
I've been thinking on this for a while, and I haven't really found a perfect solution that provides me a way to store secrets without also being too reliant on one party's software. If I rely heavily on the password manager, that puts too much trust in it. If I rely more on a hardware token, that's too risky in case of loss of theft.
I put my recovery codes on paper. I've said elsewhere, but the threat model has changed. Heck, I even printed my password vault with paperba(c)k using wine once (shredded it shortly after because i didn't have a proper storage procedure.
It's a fair question, but then I might revisit the question, what is the threat model? Which is higher risk? Online attack, or Fire while at home, where you are isolated from a device you'd likely also try to use to call emergency services? It is a genuine question, rate of attack on the public is probably not that substantial, but fire is also not super likely.
Though you have got me thinking, an outdoor fire safe near the front of the property... though probably only possible if you live in suburbia.
I think those are all reasonable risks. No, they aren't likely, but you still have fire insurance, right?
An online attack targeting you as an individual consumer might be low, but they do happen, especially when there's money (eg, banking credentials) on the table. With password managers finally becoming more mainstream, I think that's a honeypot that criminals are unlikely to avoid. For example, consider thieves shoulder surfing your iPhone before stealing it, giving them access to Apple Keychain. In that WSJ article (see also related video without the paywall).
You can protect against the fire or lost device scenario by having your secrets in the cloud and recoverable without a physical token, but that then increases your vulnerability to theft like the WSJ mentioned.
For my lifestyle, this is even more challenging, because I don't really (right now, anyway) have a permanent domicile.