Do you have any ideas for a password safe that stores its data locally (an encrypted cloud drive is available for synchronizing), offers clients for Linux, Win and Android and has some amenities like filling in passwords in browsers?
My family needs to learn password safety, and I want to make it easy for them.
While this is not exactly what you are looking for, have you considered deterministic password generators? There’s a nice explanation how they work in the Passwordmaker Pro Introduction.
The main downside of deterministic password generators is that their master password can be brute-forced from a single known password and the generator’s settings (so, don’t use the default settings…).
Their main advantage is that they don’t store the passwords anywhere, therefore you don’t need synchronization, or worry about the provider’s data safety (which, as the LastPass leak has shown, should in general not be trusted).
If deterministic generators aren’t an option for you, I’d also suggest KeePass.
You still need synchronization, and any deterministic password manager that doesn’t provide it will break eventually. Any time a site experiences a breach you’ll be forced to change your password, so you need to synchronize a counter for that for each account. Also, different sites have different (and often mutually incompatible) composition and length rules (in blatant violation of NIST SP 800-63b recommendations), which need to be synchronized to ensure generated passwords actually work for the account.
True. However the need for synchronization is rather infrequent and can easily be done via sneakernet.
There is something else I would like to highlight, about the problem if a single password gets leaked: At least with PasswordMaker Pro I wouldn’t only increase the counter for that one site, but rather change it (ideally to a new random number) globally, and change passwords everywhere. The way PasswordMaker Pro uses the counter is that it just gets appended to the input url before hashing. For the hash algorithms that aren’t using HMAC this is equivalent to just prepending that counter to the master password, so, a bad actor could just brute-force the combination of increment and master password, and get access to all sites that used the same master password and increment.
So, yeah, that’s another big downside. If one password gets leaked, you can either rely on the attacker never finding out that it’s a deterministic one, or you can do the same “change every password” dance that you have to perform if your password manager’s cloud service data gets leaked.
If your KeePassXC databate gets leaked and you had a secure master password (10+ Diceware words or similar), you can do nothing (it’s encrypted).
Yeah, PasswordMaker Pro isn’t built with protection against brute-forcing, sadly. That risk could be mitigated though, by choosing an algorithm that takes a few moments to compute a single password, instead of doing so in mere nanoseconds…
I’m half tempted to write such an app myself (would be a nice upgrade after doing the PasswordMaker Pro port for Sailfish OS), but I’m also in the middle of another spare time project, so, probably not anytime soon…