I am of the opinion that most passwords and other personal information should not be stored on public cloud-based systems like LastPass, Bitwarden, Dashlane, etc. It cannot be overstated how prime of targets these services' databases are for hackers to try to find a route in. LastPass has been hacked many times, and it is only a matter of time before the others are. I used to use these services too, but my opinion has changed.
The thought of “let me have all my passwords, credit cards and identity numbers accessible from any device in the world” should sound ridiculous, but everyone is so used to using these services due to the convenience that it’s no longer absurd to think this way.
Think: if you can access your passwords and personal information over the Internet from any device in the world, that means that other people could too. Using an offline system that is only accessible locally on your personal physical devices eliminates the threat of your entire private database being hacked over the Internet.
Furthermore, it is absurd to have access to an entire database of your personal information on a phone that could be lost, compromised by a shady app or a myriad of other situations. I think it makes the most sense to have only the logins for mobile apps that you’d need right away while mobile (ex. Uber) available on your phone.
My recommendation: Use local, non-cleartext storage systems that do not sync to the cloud and save encrypted backups in multiple offline locations. One example is KeePassXC, which has the option to disable syncing.
For the techies here:
- Yes, of course account 2FA is great, but it isn’t an end-all solution. Hardware 2FA is highly recommended.
- Sure, self-hosted fixes my main issue (it’s not the “public” cloud), but you have to know what you’re doing to actually make it secure. It’s outside the scope of this post designed for general users.
- Yes, local password storage has a personal-mistake risk. Multiple backups on different devices mitigates this.
Best,
Daniel