E2E encrypted
Must have thoroughly documented encryption and security practices (whitepaper)
Must have a published audit from a reputable, independent third-party (ROS and NCC)
All non-essential telemetry must be optional (yes? Not sure)
Must not collect more PII than is necessary for billing purposes. (yes, privacy policy)
Best case
Telemetry should be opt-in (disabled by default) or not collected at all (not sure)
Should be open-source and reasonably self-hostable (yes, Github)
I’m putting it here to know what you think about it and if it could be an interesting alternative to Bitwarden for a cloud-based password manager : )
You can’t enable 2FA for your account without paying for premium.
According to their security whitepaper, they’re using PBKDF2. I couldn’t find any details about the iteration count. It also seems like the whitepaper itself is incomplete.
Disclosure: I am not a cybersecurity expert. I’m only concerned about the use of PBKDF2 after hearing about the LastPass situation, especially since 2FA isn’t even an option that’s available on the free plan.
Letting users rotate the randomly generated master password because they “don’t like it” is a very bad idea. You’re limiting the range of possible words to only those which sound appealing, reducing entropy.
Four words is not enough, in my opinion, for a master password; the default seems a bit weak, though they do let you pick a custom password at least.
Paywalling 2FA is also a very bad idea, especially considering how this is a password manager…
Other than that, this does look very interesting; the interfaces look very polished and well-made. I might self-host it and switch to it from vaultwarden.
Edit: There doesn’t appear to be an option in the apps to customise the server URL. They’re hardcoded to the public padloc server, meaning if I self-host I’ll probably have to just stick to the web interface, which is a shame…
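Two points raised above, the unknown PBKDF2 iteration count and the entropy of a four-word default passphrase that users can reroll, can be made concrete with a small calculation. The following is an added example written for this thread; it is not Padloc's code and does not reflect Padloc's actual iteration count or wordlist. It assumes a 7776-word list (the size of the EFF large wordlist) and uses Python's standard-library PBKDF2-HMAC-SHA256 to measure the per-guess cost that the iteration count buys the defender. The "acceptable fraction" parameter models the reroll concern: if a user keeps regenerating until every word comes from the subset they find appealing, the effective wordlist shrinks and so does the entropy.

```python
import hashlib
import math
import os
import time

# Assumption: a diceware-style list of 7776 words (the EFF large list size).
WORDLIST_SIZE = 7776


def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy (bits) of a passphrase whose words are drawn uniformly from the list."""
    return word_count * math.log2(wordlist_size)


def entropy_after_rerolls(word_count: int, acceptable_fraction: float,
                          wordlist_size: int = WORDLIST_SIZE) -> float:
    """Effective entropy when the user rerolls until every word is from an
    'appealing' subset covering `acceptable_fraction` of the list.
    Rerolling shrinks the effective list to wordlist_size * acceptable_fraction."""
    if not 0 < acceptable_fraction <= 1:
        raise ValueError("acceptable_fraction must be in (0, 1]")
    return word_count * math.log2(wordlist_size * acceptable_fraction)


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output: the construction the whitepaper names,
    with the iteration count left as a parameter since the page does not state it."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (single core, pure
    standard library). Used only to illustrate how cost scales with iterations."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        derive_key(b"constructed-sample-passphrase", salt, iterations)
    return (time.perf_counter() - start) / rounds


def expected_guess_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected single-core time to hit the right guess: half the keyspace
    times the per-guess cost. A real defender model would divide by attacker
    parallelism; this keeps the arithmetic transparent."""
    return 2 ** (entropy_bits - 1) * seconds_per_guess


if __name__ == "__main__":
    print(f"4 words, full list:        {passphrase_entropy_bits(4):.1f} bits")
    print(f"6 words, full list:        {passphrase_entropy_bits(6):.1f} bits")
    print(f"4 words, rerolled to half: {entropy_after_rerolls(4, 0.5):.1f} bits")
    for iters in (1_000, 100_000, 600_000):
        cost = seconds_per_derivation(iters)
        years = expected_guess_seconds(passphrase_entropy_bits(4), cost) / (3600 * 24 * 365)
        print(f"{iters:>8} iterations: {cost * 1000:7.2f} ms/guess, "
              f"~{years:.3g} core-years for a 4-word passphrase")
```

The entropy numbers come straight from the formula `words * log2(list size)`, so four words from a 7776-word list give about 51.7 bits, and rerolling until every word is from a user-liked half of the list costs about one bit per word. The timing loop shows why the iteration count matters independently of entropy: each additional factor of ten in iterations multiplies the attacker's per-guess cost by the same factor, which is exactly the parameter the whitepaper leaves unstated.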