Ask HN: Password Gorilla last commit 3 years – give up on open source pwd mgr?

20 points

10 years ago

I've read everything I can find on HN and other sources about password managers. I was influenced by this paper "On the Security of Password Manager Database Formats" (http://www.cs.ox.ac.uk/files/6487/pwvault.pdf), it indicates PasswordSafeV3 is the only DB secure vs. Read/Write attacks (safe to store the DB in the cloud). Eventually I decided on Password Gorilla (https://github.com/zdia/gorilla) based on criteria I'll list below.

Now I realize that the github repo hasn't had a commit in 3 years, 3 years of new vulnerabilities. There is an updated (2014-10-27) version linked to their site, but this is obviously not part of the open source code in repo, so I may as well just trust the fancy new closed source products.

I'm in a quandry:

- 2nd choice: pwdsafe.org is a secure DB and source code is available on sourceforge, so theoretically I can trust that malicious/crap code in there would discovered by security researchers. But it is only available for OSX from unknowns that are not open source. (https://pwsafe.org/downloads.shtml) - 3rd choice: [KeePassX](https://github.com/keepassx/keepassx), active development, fails the standard of RW attacks researched in the paper. Open source yet inferior database is unsafe to store on G-drive, dropbox.

It looks like I have no choice but go ahead and trust an unknown software developer and hidden source code, even for the 'open source' product, might as well go with LastPass or Dashlane, which are closed source but which at least have resources and very active development and responsiveness to reported vulnerabilities. Oh and LastPass was acquired by LogMeIn so trust is even shakier.

My criteria for choosing: - OSX and Linux - Open Source, because I believe that it meets a higher standard of security - Must time-out or reauthenticate after inactivity - Support 2 Factor Authentication - iOS client would be nice - I'm only storing tier-two passwords.

13 comments