I know this is not just a privacy question but also a security question. For years I was using nordpass and tied all of my passwords to my gmail. After this I learned the dangers of using a cloud-based password manager that can read your passwords and I switched to strongbox. Later I was told that strongbox is not open source and that worried me. What makes this more troubling is that all of my private info is tied into notes in strongbox, and on nord I had passwords that the associated websites would not allow me to change and I did not have the option to discontinue. I am scared that
A. if nordpass were breached, all of my passwords would be exposed and
B. Strongbox is able to see my current passwords since I switched over to it.
What threats do I realistically face and what do I do to mitigate them?
I would rather self-host the official Bitwarden image. But company-hosted Bitwarden or Proton Pass are going to be simpler and better options from a usability and user experience point of view.
Unless you can turn back time, all you can do is improve your opsec going forward and change all your credentials to new ones. This includes emails to aliases and passwords too, with your new password manager.
I would delete Strongbox immediately because I’ve never heard of them, their copyright footer on their website still says 2023, and the website design makes me believe it’s run by 1 person (it was until recently, according to the blog).
According to Nord you must delete your Nord account (not just nordpass) to fully remove your data. They may still retain basic information in accordance with their retention policies.
Customer billing information and payment details are kept by Nord for 10 years from the last payment transaction.
Nord will use your email for marketing communication for 1 year after the end of your Subscription or until you exercise your right to opt-out, whichever comes first.
If the call with our support team is recorded, recordings will be retained for a maximum period of 2 years unless further retention is required for legal or compliance purposes.
I guess if they are breached this somehow could reveal an email you used in the past along with your name and address? Your logins will be gone though. If they were caught retaining this data it wouldn’t end well for them.
Nordpass is E2EE from what I see, so this shouldn’t be a concern. Ideally you’d migrate to a FOSS password manager like Bitwarden, but this doesn’t mean Nordpass has access to your passwords.
Also, have you ever self-hosted before? I would be very careful of hosting critical information on a first go.
Why don't you migrate your passwords to Bitwarden and scrub the Nordpass account? Bitwarden is pretty much FOSS and is E2EE. After that, you can try self-hosting your own Bitwarden version and migrate from the cloud version. This would make the process more incremental, and you’d more easily migrate.
However, the move to strongbox is questionable; I’ve never heard of them. I’d suggest exporting your data, ensuring you can access it, and manually deleting data from there, then your account.
Part of that is the due diligence of doing backups and backup testing. It's a lot of work that most people don’t want to do. If you don’t want to do that (and I urge you to really think about whether you want to do that), I suggest a cloud-enabled password manager like Bitwarden or Proton Pass and call it a day.
The likelihood of them having a catastrophic failure leading to data loss and wiping out all your data is smaller than your chance of a catastrophic failure.
Go to your password manager, log back in, and change and reset the passwords for all accounts. Also enable 2FA if the password managers have that feature.
They’ve been around. IIRC they were the old recommendation for iOS password managers in the previous site.