"The Quiet Renovation at Bitwarden" (it isn't good)
If you are interested in privacy you are probably interested in password storage ... plus I wanted everyone to know about the inevitable future enshittification of this product. Spread the word, and replacement recommendations are welcome too.
The Quiet Renovation at Bitwarden - ByteHaven - Where I ramble about bytes
Back in March, I wrote about Bitwarden doubling their Premium price — and specifically how they did it. Buried in a feature announcement. Priced in fake...
DashboTreeFrog
in reply to RotatingParts
Croquette
in reply to DashboTreeFrog
hypnicjerk
in reply to Croquette
tehsYs
in reply to RotatingParts
slampisko
in reply to tehsYs
Nothing has beaten KeePass for me so far. It takes a bit of setting up if you want your database to sync among all your devices, but in other aspects it's perfect for me.
EDIT: In case you're curious, I use KeePassXC on PC, KeePassDX on Android, and Syncthing to sync the database.
comrade_twisty
in reply to slampisko
What drove me (and my family) from KeePass to Bitwarden was the family sharing and survivor access.
Until KeePass supports these it's not really up to par with Bitwarden.
Especially digital legacy management is a must-have for a well-rounded password manager.
JillSteinsPuckeredAnus
in reply to comrade_twisty
comrade_twisty
in reply to JillSteinsPuckeredAnus
Auli
in reply to slampisko
test_ [none/use name]
in reply to tehsYs
The author wrote a guide to self-hosting Vaultwarden:
blog.ppb1701.com/self-hosting-vaultwarden-taking-back-password-management-part-8-of-building-a-resil…
Self-Hosting Vaultwarden - Taking Back Password Management: Part 8 of “Building a Resilient Home Server” Series - ByteHaven
Thurstylark
in reply to test_ [none/use name]
FoundFootFootage78
in reply to tehsYs
Tundra
in reply to RotatingParts
psono.com/
privacyguides.org/en/passwords/?h=psono#psono
Psono - Self Hosted and Open Source Password Manager for Companies
Egonallanon
in reply to Tundra
thefactremains
in reply to RotatingParts
Open Source Password Manager for Teams | Passbolt
onlinepersona
in reply to thefactremains
Mr_WorldlyWiseman
in reply to RotatingParts
Jul (they/she)
in reply to RotatingParts
Vaultwarden will survive. Since the client is open source, once they close the API and break compatibility of the clients with Vaultwarden, the old version of the app can simply be forked and rebranded. I also do hope that the KeyGuard app will continue to support Vaultwarden as well, since if Bitwarden closes the API and makes a breaking change, as is likely to happen, it will break KeyGuard as well, but it will still work with Vaultwarden for some time.
The real issue is that many people who are using Bitwarden aren't savvy enough to host Vaultwarden in a secure way. Many people are careless with things like secret keys and such and don't know how to properly secure a web-facing app or a VPN into their local network. But anyone who self-hosts should learn those things anyway. This one just happens to be a particularly high risk since it contains all of your passwords for everything else.
twoBrokenThumbs
in reply to Jul (they/she)
TheMadCodger
in reply to twoBrokenThumbs
Jason2357
in reply to TheMadCodger
nibbler
in reply to Jul (they/she)
Just learned about KeyGuard. But I dislike their LICENSE:
All Rights Reserved
Jul (they/she)
in reply to nibbler
Dultas
in reply to Jul (they/she)
Jul (they/she)
in reply to Dultas
asdfasdfasdf
in reply to Jul (they/she)
We really need a Vaultwarden paid service, if there isn't anything against doing so in the license.
I don't know why the server needs any specialized software at all though. In the end, if it's just some password history, why not just have a client that allows generic storage backends and you can upload to Filen or S3 or whatever else you use?
Jul (they/she)
in reply to asdfasdfasdf
It uses a database and it's totally possible to use SQLite as the database and sync that elsewhere. You could then find or make a small client that just accesses that db directly rather than a web service, I suppose. Though there are already several apps out there that store passwords locally and their data files can be synced, if that's what you want.
But if you're doing that then you may not be using this in the most common way or may not understand the risk involved. This is likely to have every one of your logins, not just a single login that may or may not be used on other sites, but the specific username and password and which site it's associated with. In addition to access to those accounts, this links all of your accounts to a single identity, which companies spend billions to do with advertising IDs, cookies, embedded scripts, and lots of other, usually shady, practices. This is a gold mine, though usually only for one or a few users, so generally not a major target unless you're being targeted personally for some reason. So, even if they don't get the passwords, they've now linked every account you have on every site to your identity.
If you are allowing the database to be relatively easily obtained by syncing it to a central location accessible over the internet, a bad actor who gets it can even take their time brute-forcing any encryption that may be present in the database. But if you don't keep encryption keys only on your local device, because you want to be able to use it elsewhere, then you probably stored the keys along with the db and they don't even have to bother with that; or if it uses password-based encryption, they just have to guess or brute-force a single password.
If it's behind a properly secured web service, then even if they find an exploit in the server software, they likely have to do many queries over time to get much data, and the server can mitigate that risk and/or alert the owner about new logins and such. A database in the hands of the bad actor can't complain about too many attempts to access it or notify anyone that it's been copied.
So, IMHO, it's a bad idea to use synced local password managers unless you have a very robustly secure way of storing the database and the encryption keys.
WhyJiffie
in reply to Jul (they/she)
AFAIK everything is encrypted. Not like a big blob: the properties of items are encrypted separately, if the encrypted export format has anything to do with the database structure.
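The two comments above (a synced SQLite copy of the vault, and the claim that each item property is encrypted separately rather than as one blob) are the kind of thing a practitioner would want to check rather than take on faith. The following is an added example, not code from Bitwarden, Vaultwarden or anyone in this thread. It parses the Bitwarden "EncString" layout (`<type>.<iv>|<ciphertext>|<mac>`, base64 parts; type 2 is AES-256-CBC with HMAC-SHA256) and walks a cipher record to report any sensitive field that is stored as plaintext. The sample records, the field names treated as sensitive and the helper names (`parse_encstring`, `audit_record`) are constructed for the example; the byte values inside the sample EncStrings are dummies with the right lengths, not real ciphertext.

```python
import base64
import json
import re

# EncString: "<type>.<iv_b64>|<ct_b64>|<mac_b64>" (mac absent for the legacy type 0).
ENC_RE = re.compile(r"^(\d+)\.([^|]+)\|([^|]+)(?:\|([^|]+))?$")

# Record keys whose values must never appear in plaintext. Constructed for this
# example; extend it if your records carry other secret fields.
SENSITIVE = {"name", "notes", "username", "password", "totp", "uri"}


def parse_encstring(value):
    """Return (enc_type, iv, ct, mac) for a well-formed symmetric EncString, else None.

    Only the AES-CBC types are length-checked here: type 0 (no MAC) and
    type 2 (HMAC-SHA256, 32-byte tag). Other types are returned unchecked.
    """
    if not isinstance(value, str):
        return None
    m = ENC_RE.match(value)
    if not m:
        return None
    enc_type = int(m.group(1))
    try:
        iv = base64.b64decode(m.group(2), validate=True)
        ct = base64.b64decode(m.group(3), validate=True)
        mac = base64.b64decode(m.group(4), validate=True) if m.group(4) else b""
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if enc_type in (0, 2):
        if len(iv) != 16 or len(ct) == 0 or len(ct) % 16 != 0:
            return None
        if len(mac) != (32 if enc_type == 2 else 0):
            return None
    return enc_type, iv, ct, mac


def audit_record(record, path=""):
    """Walk a (possibly nested) cipher record; return dotted paths of sensitive
    fields whose value is NOT a well-formed EncString."""
    problems = []
    if isinstance(record, dict):
        for key, value in record.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE:
                if value is not None and parse_encstring(value) is None:
                    problems.append(child)
            else:
                problems.extend(audit_record(value, child))
    elif isinstance(record, list):
        for i, item in enumerate(record):
            problems.extend(audit_record(item, f"{path}[{i}]"))
    return problems


def _b64(b):
    return base64.b64encode(b).decode()


# Constructed sample: dummy 16-byte IV, 48-byte ciphertext, 32-byte MAC.
ENC = f"2.{_b64(bytes(range(16)))}|{_b64(bytes(range(48)))}|{_b64(bytes(range(32)))}"

SAMPLE_OK = {
    "type": 1,
    "name": ENC,
    "notes": None,
    "login": {
        "username": ENC,
        "password": ENC,
        "totp": None,
        "uris": [{"uri": ENC, "match": None}],
    },
}

# Same record, but with one field accidentally written in the clear.
SAMPLE_LEAK = json.loads(json.dumps(SAMPLE_OK))
SAMPLE_LEAK["login"]["password"] = "hunter2"

if __name__ == "__main__":
    print("clean record:", audit_record(SAMPLE_OK))
    print("leaky record:", audit_record(SAMPLE_LEAK))
```

Run against records pulled from a synced database copy or a decrypted-structure export, an empty list means every sensitive property is individually wrapped; a non-empty list names exactly what would be readable by whoever obtains the file.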
SocialistVibes01
in reply to RotatingParts
girsaysdoom
in reply to SocialistVibes01
Self-Hosting Software and Services - Privacy Guides
fira
in reply to RotatingParts
DaGammla
in reply to fira
PrivacyDingus
in reply to DaGammla
Howdy, I work at Proton, this is incorrect: proton.me/blog/proton-non-profit-foundation
A nonprofit is the largest voting shareholder of Proton.
Proton is transitioning towards a non-profit structure | Proton (Andy Yen)
DaGammla
in reply to PrivacyDingus
PrivacyDingus
in reply to DaGammla
shortwavesurfer
in reply to RotatingParts
KeePassDX (AOSP, spydroid)
KeePassium (SpIOS)
Carlos Solís
in reply to shortwavesurfer
shortwavesurfer
in reply to Carlos Solís
Carlos Solís
in reply to shortwavesurfer
altphoto
in reply to RotatingParts
I just tested AliasVault and it's pretty good. You can even just import your pre-enshittification Vaultwarden export file.
One thing I noticed though is that your entries must have a collection or else they don't export. But close to as easy as pie to leave Vaultwarden behind with their Nazi CEO.
onlinepersona
in reply to altphoto
altphoto
in reply to onlinepersona
onlinepersona
in reply to altphoto
altphoto
in reply to onlinepersona
onlinepersona
in reply to altphoto
(des)mosthenes
in reply to RotatingParts
youmaynotknow
in reply to (des)mosthenes
You still have some time to decide which route to go. If you're on the free version, stay there, but start looking for alternatives.
Proton Pass is an option. KeePass with Syncthing works great, but it is a dramatically different and more involved workflow.
I am using both, and deleted my Bitwarden account yesterday the moment I heard about this.
Also, I can't suggest enough that you export all your credentials to an encrypted JSON file every now and then, and store it on an offline storage device. This is important.
Bluewing
in reply to (des)mosthenes
n1ckn4m3
in reply to (des)mosthenes
Dultas
in reply to n1ckn4m3
kazerniel
in reply to n1ckn4m3
Not sure if all tech, but definitely the ones that just want to grow grow grow. A counterexample (so far) is the Obsidian team.
100% user-supported (Steph Ango)
(des)mosthenes
in reply to (des)mosthenes
JakenVeina
in reply to RotatingParts
potustheplant
in reply to JakenVeina
AHemlocksLie
in reply to potustheplant
dogs0n
in reply to AHemlocksLie
WireGuard 🥹
AHemlocksLie
in reply to dogs0n
potustheplant
in reply to AHemlocksLie
AHemlocksLie
in reply to potustheplant
potustheplant
in reply to AHemlocksLie
There's this wild technology called a hotspot. You can use your already authenticated device to give another device access to your services indirectly.
That level of security is exactly the same as exposing your password manager to the "fucking" internet. Not sure why you criticized it before when you (incorrectly) assumed that I was doing that.
AHemlocksLie
in reply to potustheplant
There's also this dated technology called a wired connection that some other dated technologies require. Since I don't get to choose every device I interact with or depend on, that's not always available.
I would disagree. A Bitwarden instance identifies itself as such to every visitor that comes by. It advertises itself as a particularly high value target. By contrast, a lot of what a NextCloud instance hosts is often personal and more valuable to the user than a hacker, so it does not become clear if there's anything of value inside.
It also decreases the attack surface of my password manager itself because there are fewer features in it that may have a potential exploit. Even if an attacker compromises the NextCloud instance, that may grant access to the file itself, but they still have to contend with the entire security of the password manager. No device will ever make any contact with the server for password purposes other than to sync the database file, and there's no web interface to inject a password stealing JavaScript file.
potustheplant
in reply to AHemlocksLie
EDIT: Forgot to mention the worst part about KeePassXC. It's vibecoded crap.
Hotspot does not imply that it needs to be wifi. You can share your internet connection via USB tethering too. (also a wild new technology, I know)
This ignores how modern internet attacks work. Hackers don't sit around manually browsing websites. Automated botnets scan the entire IPv4 address space 24/7 looking for specific software signatures or known unpatched vulnerabilities. If a Nextcloud exploit drops today, a bot will breach the server before the hacker even knows what is stored inside.
Also, advertises itself to whom? I'm not exposing it to the internet. How many reports can you find of people getting their Vaultwarden instance hacked? This is a lot of assumptions that don't track with reality.
You're putting your database file in Nextcloud. That increases the attack surface of your solution, a lot.
That's *exactly* what a client for Vaultwarden does...
Vaultwarden has a web interface, true. It's also true that I've literally never used it for anything other than creating the users. I haven't opened it in years.
You're choosing a very petty and small hill to die on, dude. Just admit that you prefer doing it your way even if there are better alternatives.
AHemlocksLie
in reply to potustheplant
Some environments restrict USB access for security reasons. Some environments don't have extra ports to spare. Sometimes, I just don't have the right cable on hand even if the environment is otherwise fine.
No, I'm well aware of that. I mean that when the inevitable scans come, the Vaultwarden instance will freely identify itself as such. An attacker would automate the breach if they detected my NextCloud instance and had an exploit ready, but then what? The contents are too unpredictable to have a one-size-fits-all approach from there. Even if they scan all the servers they breach for password databases, they have to contend with the fact that they still have no means to try to intercept the password. They may have a slightly easier time obtaining the database, but cracking a huge pile of password databases is an infeasible task.
Yes, if I did it the way you want, I could avoid exposing it and allowing it to advertise itself, but then I would be unable to access it without a VPN or other networking tool.
I never said that Vaultwarden had been hacked. I said essentially that Vaultwarden is a single point of failure that I do not want to risk exposing to the wider internet, and I don't want to hide the services behind a VPN because that can complicate access. It's a little less secure, but what's the point of security if I can't actually use it myself?
Of the overall system, yes. Of the password database itself, not really. Slightly less potential security through lack of access, but with a sufficiently secure password, cracking it isn't realistic. That becomes exponentially more true if you've got a huge pile of password databases you need to crack, as would most likely be the case for anyone who breached my server.
Yes, and you're just about getting to the problem I have with the client if you'd finish my sentence before you got smug with me.
And it's great that for your personal use case, that works out for you. But before you decide to act like a smug asshole, maybe consider that not every situation can resolve as cleanly as yours. There are a lot of reasons that restricting access to a VPN can at times be limiting. Sure, at home on your own hardware, not really, but some people need the same tools for different purposes in different environments.
Just think beyond your own experiences and accept that other people have different needs than you for a variety of reasons that they can't always control.
potustheplant
in reply to AHemlocksLie
Where are you even trying to use your password manager???? You're absolutely batshit dude. I'm not reading this wall of text.
AHemlocksLie
in reply to potustheplant
potustheplant
in reply to AHemlocksLie
You should also not be using a corporate laptop for your private stuff. If you do need to use it, you can use the password manager the old way, just read from your phone and manually type it in.
Lastly, since you're proposing a corporate scenario, you wouldn't be able to install a random program on your laptop. IT would either block the installation or you'd have to explain why you're installing random programs on your work computer.
This is getting pathetic dude, just move on.
dogs0n
in reply to AHemlocksLie
AHemlocksLie
in reply to dogs0n
dogs0n
in reply to AHemlocksLie
dogs0n
in reply to AHemlocksLie
That's a fair point. I was mostly pointing out in the original comment that VPNs are an option that stops your password manager being exposed to the internet (though if their NextCloud IS exposed to the internet and is syncing their password db, then there is not much difference).
Plus you can tunnel traffic that needs to go to your VPS through the VPN, leaving all other traffic untouched (i.e. not tunneled), if you are worried about leaving it connected by accident. This would be max convenience.
AHemlocksLie
in reply to dogs0n
dogs0n
in reply to AHemlocksLie
Any password manager could be compromised. A bug could even be installed on your system, or malware. What's the difference?
NextCloud doesn't know how you open the password db, but KeePass (for example) does, so the specific compromise you mention would be with that.
Specifically the syncing part being done with any tool doesn't matter.
Who or how are you thinking Vaultwarden is being compromised?
AHemlocksLie
in reply to dogs0n
potustheplant
in reply to AHemlocksLie
You need two apps though, and I personally have more faith in Vaultwarden being stable than Nextcloud.
Glad your "fucking" password manager isn't exposed to the internet. Mine isn't exposed either since I use Tailscale to access it.
AHemlocksLie
in reply to potustheplant
I just typed out a response to most of this, and rather than repeat all that, I'll copy a link here: lemmy.zip/comment/26557132
A lot of it can be summed up in that compromising Vaultwarden means everything is screwed while compromising NextCloud is mainly a minor inconvenience. It provides neither information about the database's password nor any avenue to attempt to intercept the password.
"The Quiet Renovation at Bitwarden" (it isn't good) - Lemmy.zip
potustheplant
in reply to AHemlocksLie
EDIT: Forgot to mention the worst part about KeePassXC. It's vibecoded crap.
I replied to that comment. You're assuming that compromising Vaultwarden is somehow easier than compromising Nextcloud. No idea why. Intercept the password where? I'm using a local client and only syncing the vault. You seem to be pretty unfamiliar with how Vaultwarden works.
nibbler
in reply to JakenVeina
John
in reply to JakenVeina
sakuraba
in reply to John
John
in reply to sakuraba
cyberpress.org/hackers-exploit-keepass-password-manager-to-distribute-malware/
thehackernews.com/2023/05/keepass-exploit-allows-attackers-to.html
Hackers Exploit KeePass Password Manager to Distribute Malware and Harvest Credentials (Mandvi, Cyber Security News)
sakuraba
in reply to John
thanks!
edit: oh, it's phishing via ads. You could say OBS Studio has received multiple "hacks" in the same way.
The second case assumes your computer is already compromised. I think at that point a RAM dump with my master password would be the last of my problems.
hellinkilla [they/them, they/them]
in reply to JakenVeina
RotatingParts
in reply to JakenVeina
JakenVeina
in reply to RotatingParts
KeePass is just an app that opens files, so yeah, you can access it on as many devices as you want to set up file syncing with. Syncthing seems to be a popular choice.
You can set up vaults to be accessible with multiple passwords, if that fits your criteria. Me, I already share the vault with my wife, so that mostly covers the need for emergency access by someone else. If I ever wanted more, I'd probably just put some basic info into my will about how to access the file.
magnue
in reply to RotatingParts
AGD4
in reply to magnue
Amen!
helpImTrappedOnline
in reply to RotatingParts
It's like AI decided that word gets the most clicks and it's showing up everywhere.
BrilliantBadger
in reply to helpImTrappedOnline
Yeah, it's like those sports headlines where they try to vibe you up for some trash talk:
"Player A had a perfectly blunt statement about Player B"
Only to read & find out they said Player B was great, such drama lol
All just rage bait everywhere, AI or human, that's the clicks plan.
diaphragm w*rkplace
in reply to RotatingParts
Voxel
in reply to RotatingParts
My first 100 days at Bitwarden | Bitwarden
Tinkerer
in reply to RotatingParts
tomatolung
in reply to Tinkerer
The Article says:
godsammitdam
in reply to Tinkerer
It shouldn't, in theory. Worst case is if Bitwarden closes the source, just fork the latest current open version and use it.
Ideally, a group, either independent or joining with Vaultwarden devs, can build/maintain the Bitwarden frontend for Vaultwarden.
belated_frog_pants
in reply to RotatingParts
yuman
in reply to RotatingParts
If you were looking for an excuse to torpedo this abomination, here it is. Hosting this gargantuan stack just for an encrypted CSV file? At least the client (Electron) gobbles up RAM like it's free while being bug-compatible with whatever Chrome version was current half a year ago.
Sadly, news ain't great on the other side of the fence: the KeePassXC dev is all-in on vibeshitting; the latest non-polluted version is 2.7.9. It works fine and the stuff they're working on is pretty far from essential. Some unknown folks forked it, but who's to say what their expertise is.
Never thought I'd disable my autoupdate timers but here we are. Keep your eyes open.
potustheplant
in reply to yuman
What do you mean by "gargantuan" stack? I have a single Docker container for Vaultwarden that was very easy to set up and it uses less than 100 MB of RAM.
Not sure about the client claims though. I haven't really looked into it that much. Are you saying all versions of the client and extensions of Bitwarden have issues?
oneser
in reply to yuman
yuman
in reply to oneser
The dev vibecodes; I make a distinction between using the crap as a boilerplate helper and a full-blown agentic "hey computer, do this but do it super-good!". Not only that, they got a super-asshole vibe as they removed Claude traces from the repo and then flaunted that it's so people won't know what parts were vibeshat. "Good luck finding the cutoff point", I'm paraphrasing here.
To each their own, but that's a hard pass for that fork from me.
Betinem
in reply to RotatingParts
Free for private users, hosted in Germany and end-to-end encrypted.
sakuraba
in reply to RotatingParts
sudoer777
in reply to RotatingParts
jsnfwlr
in reply to sudoer777
jenesaisquoi
in reply to RotatingParts
purplemonkeymad
in reply to jenesaisquoi
jenesaisquoi
in reply to purplemonkeymad
Carlos Solís
in reply to RotatingParts
Sensitive content