A logged-in admin should not need to type the password

Google is obviously one of the biggest technology companies in the world, and is capable of hiring teams of highly skilled professionals who get paid a lot of money to keep their servers from being breached.

On the other hand, Google's business model revolves around collecting and sharing people's private information.

Therefore, we need to understand the difference between security and privacy. Google provides security, but it does not provide privacy.

And even then, your data is not guaranteed to be perfectly safe. That article does not mention one of my favorite cases, where people got pictures from strangers in their Google Photos account.
To be fair, mistakes do happen even to the best of us. Nothing is perfectly secure, ever. The difference is, as I alluded to in an earlier post, that when this happens to a juicy target like Google, the damage is amplified.

However, talking about reputation, we can also find non-honest examples. Like when Google "mistakenly" hid microphones in Nest. Oops.


With all that said, the password manager that I use is KeePassXC:

I use and recommend KeePassXC on the desktop, and KeePassDX on the phone. The main pro is also a con, depending on how you see it: it's entirely offline and you have to manage your own backups, synchronization between devices, etc.

Choice of Password Manager(s) - #23 by zenzen

As always, you need to look into the balance between convenience and security. I'm comfortable using KeePassXC, although there are others available mentioned in that thread.

I know I can trust its technology because it's open source and one can examine the mechanism used to encrypt the database file. Which I've done, and while I cannot claim to be a competent programmer, it looks safe to me.


Thanks, I read a bit of the articles you cited. In most, if not all, cases, it appears to be mistakes/glitches, which just happen, as you also say.

To me, all that shows that Google, being such a public company, is being forced, through exposure by journalists and also lawsuits, to take measures to correct/improve itself.

Which brings back the question about a relatively obscure product like KeePassXC: while the encryption tech could be OK, how do you know its authors are trustworthy and don't include some kind of infostealer with it?
I guess being open source is supposed to prevent that... Even when downloading binaries?

I would not categorise KeePassXC as relatively obscure.
ref: https://www.howtogeek.com/best-free-password-managers/


As a security-conscious tech power user, I for one am glad Linux isn't an open cesspool like Windows is. Just because my system is mine, and I'm logged in, doesn't mean I want my system completely open to an in-person or remote hack. The admin password is the last line of defense, if a hacker should get past my firewall.

Having said all that, I understand why having to re-enter your password a bunch of times is annoying. If you have to run a lot of Terminal commands, just run sudo -i and you will only have to put in your password once, until you close the Terminal window.

If you're running apps like Synaptic that require root privileges, keep the app open until you're done with it. The whole reason why Linux is so secure is because it naturally firewalls itself in administration access. Whereas Windows gives all apps admin access to do whatever they wish, at least that was the case when I was last on Win7.

It is a minor annoyance, yes, but as I just wrote there are ways to alleviate the annoyance. I'd rather have my OS hard password-locked in admin access than have it open to attack at all times. Just my opinion as a Linux user with over 10 years of experience.



I agree with @StarTreker

After 25 years on Linux I can tell you that typing the password now and then is a habit thing. You get used to it and it becomes the new norm.


Maybe you had disabled User Account Control in your Windows 7?

What makes you think KeePassXC is obscure?

Open source doesn't prevent anything by itself. It simply allows people to take a look and examine the code at their own leisure, similar to a kitchen with big glass windows that people can look through. If you see the chefs working in unhygienic conditions, using poor quality ingredients, etc., then you'd probably want to go somewhere else.

As for downloading binaries: do not download random stuff from random sites. Follow the directions given by the project itself, which should contain instructions on how to verify the download is secure using cryptographic signatures.
You can even build the binary yourself from its source code and compare the checksum of the resulting binary you built with the one that is offered for download.

How far you want to go is up to you... how do you know that the dependency of the dependency of the dependency is safe to use? Well, you can go down the rabbit hole and build each and every library used throughout the project from its source code. This will give you the maximum amount of trust and assurances that the code is safe to use, but it's once again a trade off between convenience and security.

In reality, a single person couldn't possibly verify this for every single piece of software that they use on their computers. So, trust is involved at some point whether we like it or not. But the fact that you can check means that everyone else can also check. This is what open source allows all of us to do.

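The "verify the download" step from the post above, as an added example that is not from the original thread or from the KeePassXC project: a small POSIX shell script that checks a downloaded file against a published SHA-256 digest file in the `sha256sum` line format ("<hex>  <filename>"). The release file, the digest file and the tampered copy are all constructed inline so it runs offline; the filenames `app-1.0.tar.xz` and `app-1.0.DIGEST` are assumptions, not a real project's names.

```shell
#!/bin/sh
# Added example (not the forum poster's or the KeePassXC project's code).
# Checks a downloaded release file against a digest file of the form
#   <sha256 hex>  <filename>
# and treats "no entry for this file" as a failure, not a pass.
set -eu

# SHA-256 of a file; portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_digest FILE DIGESTFILE
# return 0: digest matches; 1: digest mismatch; 2: FILE not listed at all.
verify_digest() {
    file=$1
    digests=$2
    name=$(basename "$file")
    # Accept both "hex  name" and the binary-mode form "hex *name".
    expected=$(awk -v n="$name" '($2 == n) || ($2 == ("*" n)) {print $1; exit}' "$digests")
    if [ -z "$expected" ]; then
        echo "FAIL: no digest entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAIL: $name expected $expected got $actual" >&2
    return 1
}

# --- constructed demo data (stands in for a real download) ----------------
DEMO_DIR=$(mktemp -d)
printf 'pretend this is a release tarball\n' > "$DEMO_DIR/app-1.0.tar.xz"
# The digest file a project would publish next to the tarball (assumed name).
printf '%s  app-1.0.tar.xz\n' "$(sha256_of "$DEMO_DIR/app-1.0.tar.xz")" \
    > "$DEMO_DIR/app-1.0.DIGEST"
# A tampered copy with the same filename, as a mirror or MITM might serve.
mkdir -p "$DEMO_DIR/evil"
cp "$DEMO_DIR/app-1.0.tar.xz" "$DEMO_DIR/evil/app-1.0.tar.xz"
printf 'appended payload\n' >> "$DEMO_DIR/evil/app-1.0.tar.xz"
# A file the digest list says nothing about.
printf 'unlisted\n' > "$DEMO_DIR/other.txt"

# Run all three cases when executed directly; exit status reflects the checks.
demo() {
    verify_digest "$DEMO_DIR/app-1.0.tar.xz"      "$DEMO_DIR/app-1.0.DIGEST" || return 1
    verify_digest "$DEMO_DIR/evil/app-1.0.tar.xz" "$DEMO_DIR/app-1.0.DIGEST" && return 1
    verify_digest "$DEMO_DIR/other.txt"           "$DEMO_DIR/app-1.0.DIGEST" && return 1
    return 0
}
```

Two caveats a practitioner would add. First, a digest file downloaded from the same place as the binary only proves the download was not corrupted in transit; to get the "is this what the authors published" guarantee, check the signature the project publishes over the digest file (for an OpenPGP-signed release that is `gpg --verify <digestfile>.sig <digestfile>`, after importing the signing key and confirming its fingerprint against the one the project publishes out of band). Second, the "build it yourself and compare checksums" approach from the post only gives a byte-identical result when the project's build is reproducible; otherwise the two binaries will differ for harmless reasons (timestamps, paths) and a mismatch is not by itself evidence of tampering.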

"relatively obscure" in the sense of being less known than Google (much, much, much... less known).

Not by itself, of course, but because it means coders can (and some do) verify that code.
So, it boils down to: either you trust the software A or you have to verify it yourself. If you can't (or have no time to) do either... then use B, which you happen to trust more.

I like your explanations though... Building everything from verified sources sounds cool.
Cheers


Realistically, yes. Software is nowadays composed of a very large tree of packages that depend on each other and work together. This is why open source is more important than ever.
