Overall Security of Password Managers Debatable, Cracking Firm Says

Discussion in 'privacy technology' started by ronjor, Aug 15, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,057
    Location:
    Texas
    By Kevin Townsend on August 15, 2017
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, I don't trust cloud services. But there is value to encrypting the local password store, in case an adversary compromises your machine. But if it's a persistent compromise, they can get the credentials for the encrypted password store :eek:

    Compartmentalization seems the best approach. If someone compromised this VM, they could get my GnuPG keys, Bitcoin in a local wallet, passwords, and everything else about Mirimir. But they'd get nothing about other personas, which live in other VMs, and on other host machines. And they're all Linux, which is less likely compromised than Windows. So hey.
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I've been looking at password managers recently and only one I found had the potential to be about as secure as a password manager could be, and even they screwed it up.
    Almost all of them depend on the clipboard to transfer a secure password from the password manager to the application with the login dialogue.
    Who needs a keylogger when every running process on the machine has legitimate access to the clipboard.
    It would probably be more secure to type your wife's name as the password, at least that keyboard input method passes it directly to the login dialogue.
    That brings me to the one password manager I found with potential. It is called puff.
    It has its own soft keyboard that has to be selected as the default input method while using it, so it replaces the regular keyboard to send the password directly to the login dialogue as keystrokes.
    I say they almost got it right because when you use its password generator to create a new secure password, instead of putting it in the new password dialogue, it copies it to the clipboard.
    Obviously defeating the purpose of having its own input method when it already copied to the clipboard when you created it.
    I wrote the devs about that but it doesn't look like it's under much development anymore.
     
    Last edited: Jan 18, 2018
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    That's why 5 min a week I go through all my 3+ dozen PW by memory.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    So, this is a conventional trade between convenience and security.

    As long as one is aware of the risks and limitations of each approach, then good-enough security/privacy can still happen. We never get guarantees! The value of this report is of course to remind a person of the risks, that nothing is "safe" as such, although may be safe-enough.

    That knowledge then allows various mitigations and risk limits, which may be operational as Mirimir's described.

    For example, I use Lastpass as a very convenient browser password manager (with Yubikey). But only for sites I don't care very much about, and I don't store the full password in it, I supplement a decorative Pin.

    Banking passwords are only ever entered into a live usb session, from memory.

    Master passwords are only ever entered into an airgapped computer (to manage secondary password records, recovery keys, and generated certificates).
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The blog post that article is referring to is very disputable to put it mildly. The protection provided by any password manager against brute force attacks is insufficient if you're using a short master password. So how is that news? The first comment says it all. And the second comment is relevant if it comes specifically to KeePass. No, really - that blog post is simply clickbait.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    For me the best answer is to augment "any" password with U2F. I scored a bank and email that support both conventional user/pass & U2F. If the site you are using has enabled full U2F then your passwords could just be above average in entropy. The REAL protection comes from the chip's encrypted response to the U2F call for authentication. Nobody is going to respond under any circumstance with the correct encryption key unless the physical chip is being used. It's tomorrow's answer to the weakness of passwords only. It's light years better than google auth, or authy too.
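An added illustration of the challenge-response property Palancar describes (example code, not from the thread or any real token): a simplified U2F-style device that holds one P-256 key per registered origin and only signs a server challenge bound to the origin the browser reports, so a look-alike domain gets nothing it can replay. The `Device`, `Register`, `Sign` and `Verify` names and the origin strings are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device is a simplified (hypothetical) model of a U2F token: one key pair
// per registered origin, standing in for U2F's origin-bound key handles.
type Device struct{ keys map[string]*ecdsa.PrivateKey }

func NewDevice() *Device { return &Device{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key for an origin; the relying party stores
// only the public half and never learns the private key on the chip.
func (d *Device) Register(origin string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	d.keys[origin] = k
	return &k.PublicKey
}

// message binds the server's challenge to the origin the browser reports,
// so a signature made for one origin never verifies for another.
func message(origin string, challenge []byte) []byte {
	oh := sha256.Sum256([]byte(origin))
	h := sha256.Sum256(append(oh[:], challenge...))
	return h[:]
}

// Sign answers a challenge only if the token holds a key for that origin;
// a look-alike domain is refused outright rather than given a signature.
func (d *Device) Sign(origin string, challenge []byte) ([]byte, bool) {
	k, ok := d.keys[origin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k, message(origin, challenge))
	return sig, err == nil
}

// Verify is the relying-party check: stored public key, its own origin,
// and the exact challenge it issued for this login attempt.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, message(origin, challenge), sig)
}
```

Because the challenge is fresh per login and folded into the signed message, a captured signature is useless for a later attempt even on the genuine site.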
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yep, this is the Shangri-La at the moment. Congratulations on getting a bank to do it - where I am, I don't have any choice, their two-factor protections are risible.

    But they hate U2F because they can't monetise you back end with that.
     
  9. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    I read the article expecting some sort of pitch, I was not disappointed. It was in the first sentence.

    I read the linked article from the first paragraph, @summerheat pretty much sums it up in post #6 above.
     