I’m sure someone already made a graph plotting the hours wasted learning vs the seconds gained not moving your mouse.

I’m sure it’s a classic because people tend to latch on to any opportunity to start waffling after reading just the title. Ironically, you start your comment telling me I didn’t read yours and you end it with admitting that I address exactly that which you go on about. So which is it?

What bothers me most is that your solution is not realistic, you’re just proselytizing out of idealism but who is it really aimed at? Who’s going to self host a password manager? Uncle Jim and aunt Betty? You know what the average person is capable of? Writing down their passwords on a piece of paper, usually 4 separate ones with different versions for every time they’ve lost it. At best, they allow a key manager on their device to save a password when they enter it, and if the stars align and all their devices use the same OS and they authenticate, then maybe there is even some synchronization involved. That’s a lot of ands and maybes, but you suggest to ignore that and instead use a solution where they not only understand all those steps but also set it up for themselves.

The masses are not going to wake up one day with the know how to do these things, it’s not even going to happen gradually. I don’t even want to do it, and I was born with a computer and run servers for a living. What is going to happen is that solutions that are easy enough to use will become safe enough in order to minimize the risks. Anything else is a pipe dream.

Does nobody read the article? 1Password works on any platform but the attack is Mac only because it’s actually getting passwords from a Mac’s keychain through older versions of 1Password.

Your comment is irrelevant to the issue at hand because it’s a local attack and your suggested alternative could therefore be just as vulnerable.

Self hosting is cool for 0.0001% of the population, for anyone else it’s either too difficult or a hassle. It’s also an oversimplification that I have to “trust” the cloud company and imply that a self hosted solution is inherently safe. You run that program on a computer with 100 different apps, each of which is an attack vector and you’re just you, without the backup of a small army of developers hunting down issues and independent parties auditing the whole shebang.

The only thing self hosting has going for it is that the target is incredibly small, but this is not as big a factor as you suggest because of the maturity of some of these services who basically just store a blob of data you encrypted locally and access to their servers or even your data is usually without danger.

What is silly is the idea that that is in any way relevant to what we were discussing here. And I use the word discussing lightly. There’s a big difference between the insinuation that a foreigner is at risk for tunneling into the Russia and the Russian government eavesdropping on its population.

Nothing is going to happen when your traffic moves through Russia. In fact, you have more chance that something will happen to you if you don’t.

Please do tell what could go wrong. Is the internet sheriff going to turn up?