Something like 2/3rds of the world uses chrome for desktop. I’d bet that number is higher for windows specifically. If you’re the rare person who doesn’t use chrome then you’re savy enough to know this doesn’t apply to you
yggstyle@lemmy.world
on 28 Jul 2024 16:27
nextcollapse
A better statement should be: you should remain vigilant and light on attachment to any banner. If an ill wind blows and you don’t like it, it’s time to move. Control your data- aspire to be a digital nomad.
Firefox isn’t without it’s own issues, recently. Google used to be viewed as a paragon once, too.
kbin_space_program@kbin.run
on 28 Jul 2024 17:00
collapse
Google was always incorrectly viewed as a paragon.
yggstyle@lemmy.world
on 28 Jul 2024 18:02
collapse
Once upon a time I think they were largely harmless … but once they started leaning into profit over quality they went rotten in a hurry. Exactly why I’m concerned with mozilla’s path.
TimeSquirrel@kbin.melroy.org
on 28 Jul 2024 19:03
collapse
Must have been when it was still a bunch of servers in a garage.
BearOfaTime@lemm.ee
on 28 Jul 2024 16:27
nextcollapse
I don’t use the password manager in Firefox, what a terrible idea.
Use an independent password manager, something purpose-built.
And using Linux? Hahaha, right, right. Call me when there’s a serious OneNote, or even more importantly, Excel competitor. (Or even a standard shell on Linux, or the same set of tools built in).
Aatube@kbin.melroy.org
on 28 Jul 2024 16:53
nextcollapse
Use an independent password manager, something purpose-built.
KLISHDFSDF@lemmy.ml
on 28 Jul 2024 17:06
nextcollapse
Call me when there’s a serious OneNote…
OneNote works on the web, but there’s also Notenook if someone is looking for similar features with an app for offline access + End-to-end encryption and open source alternative. I’ve got it syncing to my Android, Windows, Linux and Mac clients without issue.
…or even more importantly, Excel competitor.
There’s OnlyOffice which has a spreadsheet. Yeah it’s not Excel which has existed for a million years, but it should work for the vast majority of users’ basic needs. It may not work for your specific use case, but it is a viable alternative that exists today. If you want more online collaborative features (like the o365 version has) you can use CryptPad, which provides an end-to-end encrypted and open-source collaboration suite, including the web version of OnlyOffice Spreadsheets.
Or even a standard shell on Linux…
What does this even mean? Nearly every major Linux distro sets bash as the default shell, and if not the default, is probably already installed and called if needed. Not sure I understand the problem here.
…or the same set of tools built in
Stick to a single OS and you get the same set of tools built in? This is a strange statement to be making against a system that not only thrives on diversity but has lots of niche systems that require a myriad of default tools.
I do completely agree about not using any browser’s built-in password manager.
tabular@lemmy.world
on 28 Jul 2024 18:02
nextcollapse
It is not the software which can lack seriousness, but the developer and the user. One is proprietary where the developer controls the user’s computing - the other is free software where the user is in control (free as in freedom).
AlexanderESmith@social.alexanderesmith.com
on 28 Jul 2024 19:25
nextcollapse
I agree that using browser-based password managers is not a good idea, but everything else you said was willfully ignorant.
OneNote isn't that special, and you don't need Windows to use it.
There are half a dozen excel competitors that are feature complete (OpenOffice, LibreOffice, GSuite, Zoho, Gnumeric...)
All shells use the same standard tools, excepting a few bulit-ins (because most tools are external to the shell). Some shells have different syntax, but most of them share most syntax. In 90% of cases, the default shell is bash, or an offshoot (dash, etc), which are all descendants of sh, so unless you're using an extended feature set, scripts are cross-compatible.
lemmyvore@feddit.nl
on 28 Jul 2024 21:10
nextcollapse
Firefox Sync was purposefully built too, they didn’t wake up one day to find it on the porch in a basket.
It syncs passwords, works on desktop and mobile and can do some other cool stuff — syncs tabs and bookmarks, alerts you to password breaches, send tabs from one device to another, lets you export your passwords etc. It’s a good password manager.
Hexarei@programming.dev
on 29 Jul 2024 12:19
nextcollapse
Funny troll is funny
ZarkleFarkle@sh.itjust.works
on 29 Jul 2024 14:32
collapse
Say there’s no standard shell on Linux again and I’ll Bash your head in
ArcaneSlime@lemmy.dbzer0.com
on 28 Jul 2024 16:45
nextcollapse
Well, there does keep being more reasons by the day…
Ilovethebomb@lemm.ee
on 28 Jul 2024 20:32
collapse
admin@lemmy.my-box.dev
on 28 Jul 2024 16:14
nextcollapse
I guess now is as good a time as any for them to start using a proper password manager.
Personally, I recommend Keepass - it has multiple clients for all platforms, and you can keep the file in sync with a program of your own choosing, like Dropbox, syncthing or whatever you like.
SaltySalamander@fedia.io
on 28 Jul 2024 16:23
nextcollapse
Yeah. Daily and weekly cloud backups solve that for myself for sure.
nialv7@lemmy.world
on 28 Jul 2024 17:59
nextcollapse
I use syncthing so there’s a copy of my password database on each of my devices.
ThePantser@lemmy.world
on 28 Jul 2024 18:33
nextcollapse
I am hosting on Home Assistant which itself gets a backup to my Google drive and my personal machine. So there are two backups, as long as HA doesn’t create a corrupted backup 3 weeks in a row I am good.
Borg backup to borgbase is not very expensive and borg will encrypt the data plus the vault is also encrypted
communism@lemmy.ml
on 29 Jul 2024 01:32
nextcollapse
I would rather lose my passwords than have my password database be accessed by someone else. Most websites have a “forgot password” function, and for passwords that don’t have that (e.g. to decrypt my hard drive or log into my computer) I’ve memorised the passphrase and always type it manually anyway. And for passwords where neither applies, it’s probably not a huge loss anyway if I’ve not prepared for the possibility of losing my password db for that particular password.
russjr08@bitforged.space
on 29 Jul 2024 04:39
collapse
As long as you’re still signed into BW from any of your devices, you can always export the vault from there.
All your services should be using https. Vaultwarden in particular won’t even run without https unless you bypass a bunch of security measures.
This is how to setup local only and external https, I highly recommend this as a baseline setup for every homelab. It allows you to choose how much security you want on a per app basis and makes adding new apps trivially easy.
Anyone with the knowledge to self host will quickly discover 3-2-1. If they choose to follow it, that’s on them but data loss won’t be from ignorance
Wistful@discuss.tchncs.de
on 28 Jul 2024 17:09
nextcollapse
Keepass XC on PC, Keepass DX on Android, Syncthing to sync database
Works flawlessly!
nekusoul@lemmy.nekusoul.de
on 28 Jul 2024 17:59
nextcollapse
Most amazingly, this setup is also unexpectedly resilient against merge conflicts and can sync even when two copies have changed. You wouldn’t expect that from tools relying on 3rd party file syncing.
I still try to avoid it, but every time it accidentally happened, I could just merge the changes automatically without losing data.
How did you enable merge conflict resolution for KeePassXC databases?
PlexSheep@infosec.pub
on 29 Jul 2024 06:04
nextcollapse
By ignoring the conflict files
nekusoul@lemmy.nekusoul.de
on 29 Jul 2024 07:49
collapse
Depends a bit on the clients.
KeePass: Will ask you if you want to synchronize/overwrite/discard the database when saving.
KeePassXC: Will autoreload the database in the background, so merge conflicts shouldn’t happen in the first place. Otherwise there’s ‘Merge database’ in the menu.
KeePass2Android: So I mixed up the names and this is the client I actually use. This one does all changes to an internal copy of the database that is then synchronized on request.
KeePassDX: As far as I can see it also has a mechanism similar too KeePass2Android.
Assuming you only have one desktop and mobile client you should never run into any issues. If you do have multiple KeePassXC clients it’s all fine as well assuming Syncthing always has another client it can sync with.
slumberlust@lemmy.world
on 28 Jul 2024 20:19
collapse
If it’s my mother, post it notes stuck to the laptop…
admin@lemmy.my-box.dev
on 28 Jul 2024 18:18
nextcollapse
If you never, ever need your passwords outside of your home, that’s great advice - it’s as secure as can be against digital theft. Less so against fire though, and backups are out of the question.
nous@programming.dev
on 28 Jul 2024 18:24
nextcollapse
You can have backups of physical books. Just copy the text from one to the other. Yeah it is manual work but so is writing the first one in the first place. You can then store the second copy in a fire resistant safe or at a friends or family members house (maybe inside a safe as well).
tabular@lemmy.world
on 28 Jul 2024 18:54
nextcollapse
Well you can write a copy and keep it in a shed if it’s unlikely to also catch fire.
Shdwdrgn@mander.xyz
on 28 Jul 2024 19:29
nextcollapse
I just store all my passwords in robots.txt on my web server, makes it easy for me to access them anywhere I go…
I have a firesafe at home for important papers, passports and some emergency cash. I keep my passwords there.
thejoker954@lemmy.world
on 29 Jul 2024 06:54
collapse
Backups are easy? Just copy to another piece of paper and store somewhere else.
I’m just being facetious though.
admin@lemmy.my-box.dev
on 29 Jul 2024 09:27
collapse
I’m not being facetious though. Off-site backups of a digital password collection are easy to setup and maintain. But when you change your password or add a new entry, it’s going to be a pain in the ass to have to drive over and update a physical copy.
If you can live with those downsides, that’s fine. But in my opinion it would be facetious to pretend a physical backup is “just as good/usable” as a digital one.
-edit: whoops, misread that as implying that I was being facetious. As you were sir -
Ilovethebomb@lemm.ee
on 28 Jul 2024 20:31
collapse
This is the first suggestion here that’s actually within the technical abilities of most people, even most Lemmy users.
The level of technical knowledge some of people here seem to think the general public has is absurd.
admin@lemmy.my-box.dev
on 28 Jul 2024 20:50
nextcollapse
If getting a Dropbox account is too difficult for them, I seriously wonder why they’d be subscribed here, or reading articles about password management in browsers.
Ilovethebomb@lemm.ee
on 28 Jul 2024 21:05
nextcollapse
Because I’m interested in tech news, especially since the world we live in can’t function without it.
Besides, Lemmy seems to seriously overestimate the technical abilities of, well, most people.
I’m usually the one promoting technical literacy to all but in this case I honestly don’t use a password manager.
Ilovethebomb@lemm.ee
on 29 Jul 2024 08:20
collapse
It’s honestly seemed like more trouble than it’s worth, there’s a few websites where I just reset my password every time.
Hexarei@programming.dev
on 29 Jul 2024 12:13
collapse
The thing that makes it worth it to me is long, randomly generated passwords that I don’t have to know.
None of the sites and services I use require me to type out a password thanks to browser integration and auto type (for desktop apps and such), along with autofill service on android.
Then along with that I can even store other things like account recovery codes (for 2fa) or security questions (which also get randomly generated answers)… It’s a handy thing to have IMHO
GissaMittJobb@lemmy.ml
on 28 Jul 2024 19:57
nextcollapse
Bitwarden is probably a more pragmatic choice for most users, given that it’s free and without having to manage the syncing yourself.
Any password manager is better than the alternative, though.
I’m not sure what you’re comparing it to. Keepass is free too, in fact it’s open source. In my opinion, local software and database that is under your control is always superior to cloud.
Keepass over Bitwarden offers a lot of plugins and integrations, again, if you want more customization or automation.
But, I would say you can use any online password manager as long as it’s end to end encrypted, so Bitwarden is a good choice.
GissaMittJobb@lemmy.ml
on 28 Jul 2024 22:01
nextcollapse
Also, local software and database is always superior to cloud.
Now there’s an unfounded blanket statement if I ever saw one.
Statement related to previous cloud hacks i assume.
Should have say: self-hosting is always superior to cloud hosting.
Bitwarden (the client) + Vaultwarden (the self-hosted server) is a good combo if you have some knowledge on how to setup it.
GissaMittJobb@lemmy.ml
on 29 Jul 2024 11:23
collapse
Should have say: self-hosting is always superior to cloud hosting.
That statement still comes with a pretty damn big caveat though - you need to have the know-how, the time to invest and the hardware (i.e money) to actually set something like this up.
If all of those are true, then self-hosting can definitely be an attractive option for you.
It’s only true for a vanishingly small fraction of the population, though.
Hence, Bitwarden is a pragmatic solution that will be superior for the vast majority of the population.
evulhotdog@lemmy.world
on 29 Jul 2024 03:57
nextcollapse
I think your bias may be showing. The average computer user doesn’t even think about using a password manager. It just exists and works in their browser.
fmstrat@lemmy.nowsci.com
on 29 Jul 2024 12:35
collapse
No dislike for Keepass here, but I prefer Bitwarden. It’s also super easy to self host with Vaultwarden.
Katana314@lemmy.world
on 29 Jul 2024 20:54
collapse
Never trust your credentials to yourself, you can be bought out by beer, poor decisions, and tripping over the cables connected to your home server you cobbled together.
FauxPseudo@lemmy.world
on 28 Jul 2024 17:10
nextcollapse
That’s definitely a change from companies just leaving passwords around for anyone to find.
knacht1@lemmy.world
on 28 Jul 2024 18:21
nextcollapse
Bitwarden here. Works well.
Evil_Shrubbery@lemm.ee
on 28 Jul 2024 18:42
nextcollapse
They didn’t vanish, it’s just that now only Google has them.
sidgames5@lemmy.zip
on 28 Jul 2024 19:42
nextcollapse
I like to think that most people would just contact the devs privately to get a fix pushed asap instead of ransoming everyone’s passwords.
Feathercrown@lemmy.world
on 29 Jul 2024 20:47
collapse
Right, but my point was that there aren’t public bugs in encryption algorithms just hanging around. Asking for those is categorically bad faith.
dorythefish@discuss.online
on 28 Jul 2024 23:59
collapse
One of the mobile clients corrupted all passwords for me. I ended up losing only 2 passwords, and only 1 I wasn’t able to restore. Good lesson on why backups are important though :)
PrettyFlyForAFatGuy@feddit.uk
on 29 Jul 2024 12:40
collapse
One of the reasons i use Mega to sync my keepass db across devices where it’s needed. They have version control, so if it gets corrupted then i can restore from a previous version
ZarkleFarkle@sh.itjust.works
on 28 Jul 2024 20:33
nextcollapse
I put all my passwords in a text document, then print it on a little strip of paper and shove it up my ass. Whenever I take a crap, I dig it out from the turds and try to memorise some of them again. Then I shove it back up there where noone else can find my data and I won’t lose it.
ZarkleFarkle@sh.itjust.works
on 28 Jul 2024 20:34
nextcollapse
Forgot to mention I delete the text document and set fire to the computer’s hard drive. The passwords are only ever in my ass, with the rest of my personal shit.
Crackhappy@lemmy.world
on 28 Jul 2024 21:05
collapse
Following up your own shit post with another shit post is shit post gold.
lemmyvore@feddit.nl
on 28 Jul 2024 21:01
nextcollapse
This tracks very close to my idea of the suppository flask stick.
postnataldrip@lemmy.world
on 28 Jul 2024 21:50
nextcollapse
Ah yes, KeepAss
Eximius@lemmy.world
on 29 Jul 2024 02:44
nextcollapse
The server side literally doesn’t matter. Even if it is FOSS they could do anything they please with it, other than reading it, because it’s all encrypted. They could wipe all passwords if they so wanted.
I switched to Pass recently after having used Bitwarden for a couple years. I’d say Bitwarden still has a slight edge in terms of features, but Pass has gotten good enough and it’s included in my Proton subscription.
homesweethomeMrL@lemmy.world
on 28 Jul 2024 20:37
nextcollapse
No $10 gift card?
Lame.
ChaoticEntropy@feddit.uk
on 28 Jul 2024 20:41
nextcollapse
Premium Bitwarden is so cheap and effective that I find it difficult to justify using an alternative.
Evotech@lemmy.world
on 28 Jul 2024 21:16
nextcollapse
Still. Back it up
ChaoticEntropy@feddit.uk
on 28 Jul 2024 21:21
nextcollapse
Well sure… I have a local offline encrypted copy, rather than a whole separate password manager.
Not a bad idea to back up to a json, but every computer you’ve used has a local encrypted copy you can export from using the app or extension.
communism@lemmy.ml
on 29 Jul 2024 01:26
nextcollapse
Keepass with syncthing is completely free and doesn’t rely on cloud hosting
boyi@lemmy.sdf.org
on 29 Jul 2024 04:43
nextcollapse
I use encfs and sync it to dropbox etc. Then use gopass password manager to store password in the encfs folders. Not fully auto-integrated but good enough for me.
communism@lemmy.ml
on 29 Jul 2024 01:35
nextcollapse
Me when I don’t use Chrome, I don’t use Windows, and I don’t use browser password saving either
MrsDoyle@lemmy.world
on 29 Jul 2024 03:46
nextcollapse
A friend has a notebook next to her computer with all her passwords in it. Initially I was horrified - what if you’re burgled? - but actually it’s genius. Much more secure than letting a browser remember them, and she doesn’t even need to memorise a Bitwarden password.
braindamagebuddy@lemmy.world
on 29 Jul 2024 06:17
nextcollapse
Yeah, these newfangled password requirements ruined my life. I refuse to sign up for any website that doesn’t let me use hunter2.
smeeps@lemmy.mtate.me.uk
on 29 Jul 2024 09:33
collapse
Ah, my girlfriend’s approach. No matter how much I show her a pwned password or set her up on my Vaultwarden, she’s not interested
captain_aggravated@sh.itjust.works
on 29 Jul 2024 05:32
nextcollapse
In a household it’s probably not that bad. There aren’t many people breaking into homes looking for account details.
I’ve had my identity stolen several times, and every single time it was stolen from a Fortune 500 company.
PlexSheep@infosec.pub
on 29 Jul 2024 05:59
nextcollapse
It’s a primitive password manager, primitive because unencrypted and not integrated into your devices, but far better than not having a password manager.
MrsDoyle@lemmy.world
on 29 Jul 2024 13:56
collapse
That’s an excellent idea! I’ll mention it to her.
SkyeStarfall@lemmy.blahaj.zone
on 29 Jul 2024 15:09
nextcollapse
What if the notebook gets destroyed or lost, though? That’s my biggest concern here
sexual_tomato@lemmy.dbzer0.com
on 29 Jul 2024 19:04
collapse
My mom told me that she was made fun of for having a book of hand written account credentials related to running her business (6 people total). I told her it was the best way to do it that wasn’t massively overcomplicated for her situation and to keep it up. The only recommendation I made is that she use different long passwords for every site since she’s already not memorizing them.
Personally I’m not convinced this isn’t the best way unless you’re being targeted by physical bad actors
JackbyDev@programming.dev
on 30 Jul 2024 00:09
collapse
Where is this book? In the office? I’d say that’s absolutely horrible. If it’s at home I think that’s more okay.
0x0@lemmy.dbzer0.com
on 30 Jul 2024 01:31
collapse
Or maybe behind a keyed lock in the office? Not a keypad, a physical key.
JackbyDev@programming.dev
on 30 Jul 2024 02:54
collapse
Nah, most locks are really crappy.
CileTheSane@lemmy.ca
on 30 Jul 2024 07:02
collapse
Sure, if someone knows her physical address, knows how to disable the building alarm, knows what drawer she keeps the passwords locked in, and knows how to pick the lock, she could be in trouble. But that is a very targeted attack and if someone is that determined she’s screwed anyway.
99.9% of attacks are the “low hanging fruit, protected from repercussions by not physically being there” kind.
JackbyDev@programming.dev
on 30 Jul 2024 13:00
collapse
Someone like an employee, janitor, or maintenance worker who has physical access to the building already is what I’m talking about. That’s definitely a low hanging fruit type of attack. See your boss’s passwords while your pissed off, snap a picture with your phone, fuck with them later.
robocall@lemmy.world
on 29 Jul 2024 05:33
nextcollapse
To set a scene, you awake in the middle of the night because your phone is making noise. Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep. The intruder now has access to your password manager!
They attempt to log into your bank and drain your life savings, but despite having your password it sends another prompt to your phone. This time, you wake up enough to realize something is wrong. This time, you deny the prompt.
The entire second paragraph cannot happen if your MFA is a single factor. Don’t store MFA in your password manager!
Hexarei@programming.dev
on 29 Jul 2024 12:22
nextcollapse
If your MFA is stored in your password manager, you’re not getting prompts to your phone about it. You’re just prompted for a otp code that you have to go out of your way to copy/paste or type in from the manager.
subtext@lemmy.world
on 29 Jul 2024 12:27
nextcollapse
I mean yeah it’s less secure than if they were separated. But my mom is never going to use a separate app for passwords and 2FA, so the two in one app is still better than nothing.
Telorand@reddthat.com
on 29 Jul 2024 21:29
nextcollapse
Bruh, if my phone is sending me notifications in the middle of the night, the first thing I’m doing is uninstalling whatever app is sending me notifications.
If people are that gullible to fall prey to an attack like this, managing OTP in two apps is probably more than they can handle anyway. Everybody has a different threat model, and it’s okay if it’s not covered by hardware passkeys and locally hashed and managed databases.
JackbyDev@programming.dev
on 30 Jul 2024 00:05
collapse
Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep.
The idea that people would approve that is wild to me.
Mate, I’ve had users who were sharing an account that only some of them had MFA prompts for. They didn’t bother checking who had initiated the prompt, they just approved it because it was easier. And that was while they were fully awake and thinking…
JackbyDev@programming.dev
on 30 Jul 2024 16:59
collapse
What’s funny to me is that doing this while you know your target is asleep probably has a higher success rate just because they’re more likely to press the wrong thing just because their eyes are groggy. I can read my phone without my glasses but when I wake up in the night that’s not the case right away.
EddoWagt@feddit.nl
on 29 Jul 2024 09:33
nextcollapse
Not really as you’re still protected from password breaches, which is most likely to happen anyways, especially if you self host.
If you’re actively being targeted for your bitwarden password, you likely have bigger problems
Technically yes if my vault gets compromised I would be fucked. I have it firewalled tho and only accessible from home (or VPN to home). So should be pretty secure. I used google authenticator but found it a major pita (can’t even search entries on Android, wtf?). If they make this more user friendly I’ll gladly switch back to a seperate OTP store.
WarlordSdocy@lemmy.world
on 29 Jul 2024 09:35
nextcollapse
I was thinking about self hosting but I was worried it would be less secure. I don’t really know a lot about setting that kind of thing up (I do have programming experience but don’t have a lot of server hosting experience outside of doing it for games like Minecraft) and I feel like I’d mess it up and it would be a lot easier to get into than a hardened server. Especially cause the odds I get a virus or something is probably higher then the odds someone breaks into bitwarden’s server. Idk if I’m wrong about this, would love to be corrected if I am, was just my initial thoughts when I switched over from a different password manager to bitwarden.
krimson@lemmy.world
on 29 Jul 2024 12:12
nextcollapse
It’s pretty easy to setup using docker, you do need to know that ofcourse and how to setup dns and stuff.
I have it firewalled so my vault is not accessible from the internet, only from home or vpn to home.
subtext@lemmy.world
on 29 Jul 2024 12:29
nextcollapse
If you don’t trust yourself 110%, don’t host it yourself. Too risky. I self-host everything, but I leave email and passwords to someone else because it’s just too important.
SkyeStarfall@lemmy.blahaj.zone
on 29 Jul 2024 15:07
collapse
I think the bigger thing to worry about is, what would happen if your server fails or is destroyed? Would you have a backup of all your passwords? And if yes, are those backups updated regularly and stored in a safe place that also won’t get destroyed if the server gets destroyed (like, say, a house fire)?
Then, yes, you got the cybersecurity angle too
It’s a lot to think about for something as important and fundamental to everything you do on the internet as passwords (and accounts)
The most secure practice for any high-value accounts (email etc) is to use WebAuthn with a hardware key like a Yubikey.
TOTP is still vulnerable to phishing (a fake login page can ask for both a password and a TOTP code) so business/corporate environments are moving away from them.
The paid features aren’t free if you self-host either. You still need a premium account to use premium features with a self-hosted Bitwarden, unless you modify the code and remove the licensing checks. Licenses are pretty cheap though.
The major features are free if you use Vaultwarden, which is an alternative server implementation.
Hexarei@programming.dev
on 29 Jul 2024 12:22
nextcollapse
So does keepass
Dreamless4561@sh.itjust.works
on 29 Jul 2024 21:44
collapse
Yep, for only $10 per year. But just make sure to keep backups of your vault and/or make an emergency kit.
No-one should be using any password manager built into any browser, neither Chromium-based nor Firefox-based. Browser password databases are almost trivially easy for malware to harvest.
Go with something external, BitWarden or 1Password, or if you are entirely within the Apple ecosystem their new password system built into iOS 18 is apparently really good.
WhyFlip@lemmy.world
on 29 Jul 2024 20:01
nextcollapse
I use Keepass. Free, secure, great.
rekabis@lemmy.ca
on 29 Jul 2024 21:27
nextcollapse
I have that as an offline DB. Holds 100% of all creds that can go offline (no 2FA, unfortunately) and a bunch of extra stuff that most other managers aren’t flexible enough to do.
JackbyDev@programming.dev
on 30 Jul 2024 00:00
collapse
That’s what I used before 1password. The UI is a bit finicky but it works great. Plus you can shove it into DropBox or other various cloud sync things to get a “cloud” version lol.
Oh, so you mean local vs external, not browser-based vs other local solutions.
orbitalmayo@lemmy.world
on 29 Jul 2024 21:34
collapse
How does this work if accessing Bitwarden via the browser extension? I don’t like needing to type my master password in all the time as it’s long, so I have the setting turned on that times the vault out periodically, but so it’s also unlockable with a pin rather than requiring the master password every time. I understand the pin is shorter, but does the protection of the vault still stand?
Telorand@reddthat.com
on 29 Jul 2024 22:36
collapse
That’s a good question. I don’t actually know the answer to that. I know the passwords are hashed locally when your vault is locked and before being synced, but I’m not sure whether it’s in plaintext when it’s unlocked or if it uses some kind of on-demand decryption. It’s probably in their docs, I should think.
What makes the built-in database easier to attack than a separate one?
For performance reasons, early versions weren’t even encrypted, and later versions were encrypted with easily-cracked encryption. Most malware broke the encryption on the password DB using the user’s own hardware resources before it was even uploaded to the mothership. And not everyone has skookum GPUs, so that bit was particularly damning.
Plus, the built-in password managers operated within the context of the browser to do things like auto-fill, which meant only the browser needed to be compromised in order to expose the password DB.
Modern password managers like BitWarden can be configured with truly crazy levels of encryption, such that it would be very difficult for even nation-states to break into a backed-up or offline vault.
Go with something external, BitWarden or 1Password,
When it comes to security software, I usually recommend sticking to open-source solutions, which is why I’d recommend Bitwarden over 1Password. Their whole stack (backend, frontend, and native apps) is all open-source. A premium account is well worth the $10/year.
You can self-host their server, or self-host Vaultwarden which is an unofficial API-compatible reimplementation of the Bitwarden backend designed to be lighter weight. Note that Vaultwarden is unofficial and hasn’t gone through the same security audits as Bitwarden has. It’s a good piece of software though.
Use ButWarden myself for a login-only subset of my KeePass content. I absolutely recommend it every chance I get, but some people prefer 1Password because reasons. And 1Password is pretty much the best closed-source option out there, which is why I do so… anything to give people options that keep them away from clusterf**ks like LastPass.
Definitely true… Using 1Password is still better than reusing the same password for every site. I’ve never used it but it gets a lot of good feedback, especially from Mac users.
JackbyDev@programming.dev
on 29 Jul 2024 23:59
collapse
The only problems I’ve had with 1password are usually not 1password’s fault. Like needing to log into something that opened through the Gmail’s app’s built in browser that closed the page when the app loses focus.
I wish there was a way to link passwords and have note fields that are hidden by default. I’ve got a lot of stuff at work that is linked to my LDAP password but for various reasons uses different usernames on different sites. It’d be nice if there was a way to tell it “I know this password is reused, I promise it’s okay”
I migrated from Bitwarden to 1password because I wanted something that works better on Linux. With 1password-cli and PAM integration mainly. Bitwarden worked beautifully under Windows, but once I switched over to Linux, I realised that 1password had more Linux friendly features. I track some discussions over bitwarden that talk about implementing those features, I might come back at some point.
threaded - newest
“Chrome users” or “Chrome under windows users” would be closer to the truth. Still, quite a screw up.
Something like 2/3rds of the world uses chrome for desktop. I’d bet that number is higher for windows specifically. If you’re the rare person who doesn’t use chrome then you’re savy enough to know this doesn’t apply to you
.
A better statement should be: you should remain vigilant and light on attachment to any banner. If an ill wind blows and you don’t like it, it’s time to move. Control your data- aspire to be a digital nomad.
Firefox isn’t without it’s own issues, recently. Google used to be viewed as a paragon once, too.
Google was always incorrectly viewed as a paragon.
Once upon a time I think they were largely harmless … but once they started leaning into profit over quality they went rotten in a hurry. Exactly why I’m concerned with mozilla’s path.
Must have been when it was still a bunch of servers in a garage.
I don’t use the password manager in Firefox, what a terrible idea.
Use an independent password manager, something purpose-built.
And using Linux? Hahaha, right, right. Call me when there’s a serious OneNote, or even more importantly, Excel competitor. (Or even a standard shell on Linux, or the same set of tools built in).
Why? You're talking as if browser password managers aren't purpose-built. "I love entering a password to fill my passwords for me instead of entering a password" —statement dreamed up by the utterly deranged. (I think we all should just use auto-locking.)
Web-based stuff like Notion and Google Keep
LibreOffice Calc with Tabbed UI
what is that
OneNote works on the web, but there’s also Notenook if someone is looking for similar features with an app for offline access + End-to-end encryption and open source alternative. I’ve got it syncing to my Android, Windows, Linux and Mac clients without issue.
There’s OnlyOffice which has a spreadsheet. Yeah it’s not Excel which has existed for a million years, but it should work for the vast majority of users’ basic needs. It may not work for your specific use case, but it is a viable alternative that exists today. If you want more online collaborative features (like the o365 version has) you can use CryptPad, which provides an end-to-end encrypted and open-source collaboration suite, including the web version of OnlyOffice Spreadsheets.
What does this even mean? Nearly every major Linux distro sets bash as the default shell, and if not the default, is probably already installed and called if needed. Not sure I understand the problem here.
Stick to a single OS and you get the same set of tools built in? This is a strange statement to be making against a system that not only thrives on diversity but has lots of niche systems that require a myriad of default tools.
I do completely agree about not using any browser’s built-in password manager.
It is not the software which can lack seriousness, but the developer and the user. One is proprietary where the developer controls the user’s computing - the other is free software where the user is in control (free as in freedom).
I agree that using browser-based password managers is not a good idea, but everything else you said was willfully ignorant.
Firefox Sync was purposefully built too, they didn’t wake up one day to find it on the porch in a basket.
It syncs passwords, works on desktop and mobile and can do some other cool stuff — syncs tabs and bookmarks, alerts you to password breaches, send tabs from one device to another, lets you export your passwords etc. It’s a good password manager.
Funny troll is funny
Say there’s no standard shell on Linux again and I’ll Bash your head in
Well, there does keep being more reasons by the day…
How do you know someone runs Linux?
Don’t worry, they’ll tell you.
.
I guess now is as good a time as any for them to start using a proper password manager.
Personally, I recommend Keepass - it has multiple clients for all platforms, and you can keep the file in sync with a program of your own choosing, like Dropbox, syncthing or whatever you like.
Vaultwarden ftw
Exactly! Self hosted FTW. Chances of a data breach… Typically pretty minor if you are smart.
Chances of losing the data is higher with selfhosting too. Unless you’re doing some sort of multizone replication, or course.
Yeah. Daily and weekly cloud backups solve that for myself for sure.
I use syncthing so there’s a copy of my password database on each of my devices.
I am hosting on Home Assistant which itself gets a backup to my Google drive and my personal machine. So there are two backups, as long as HA doesn’t create a corrupted backup 3 weeks in a row I am good.
Borg backup to borgbase is not very expensive and borg will encrypt the data plus the vault is also encrypted
I would rather lose my passwords than have my password database be accessed by someone else. Most websites have a “forgot password” function, and for passwords that don’t have that (e.g. to decrypt my hard drive or log into my computer) I’ve memorised the passphrase and always type it manually anyway. And for passwords where neither applies, it’s probably not a huge loss anyway if I’ve not prepared for the possibility of losing my password db for that particular password.
As long as you’re still signed into BW from any of your devices, you can always export the vault from there.
(But yes, actual backups are always a plus)
Keep vaultwarden behind wireguard for local only access then also use https certs and good master password. Very secure like this
Why https if the traffic is already encrypted by the vpn?
Security in layers.
All your services should be using https. Vaultwarden in particular won’t even run without https unless you bypass a bunch of security measures.
This is how to setup local only and external https, I highly recommend this as a baseline setup for every homelab. It allows you to choose how much security you want on a per app basis and makes adding new apps trivially easy.
youtu.be/liV3c9m_OX8?si=TSWXoN_8SJDpAHaW
+1 for a self-hosted Vaultwarden instance. If you’re technically capable and have extra hardware laying around this is the best way to go.
Although a backup is still required or you are gambling on hardware outliving your need for your data.
100%. Make sure to follow the 3-2-1 backup rule with all things you do.
Anyone with the knowledge to self host will quickly discover 3-2-1. If they choose to follow it, that’s on them but data loss won’t be from ignorance
Keepass XC on PC, Keepass DX on Android, Syncthing to sync database
Works flawlessly!
Most amazingly, this setup is also unexpectedly resilient against merge conflicts and can sync even when two copies have changed. You wouldn’t expect that from tools relying on 3rd party file syncing.
I still try to avoid it, but every time it accidentally happened, I could just merge the changes automatically without losing data.
How did you enable merge conflict resolution for KeePassXC databases?
By ignoring the conflict files
Depends a bit on the clients.
Assuming you only have one desktop and mobile client you should never run into any issues. If you do have multiple KeePassXC clients it’s all fine as well assuming Syncthing always has another client it can sync with.
Ah, I can do it inside the client, thank you!
I store my DB in Dropbox and use KeePass2Android on phone which has built in Dropbox sync.
Yeah but then you have to trust Dropbox
And I do, have used it for 10+ years I think. Keyfile is also used so even with leaked DB file and password, it should be inaccessible.
Shoutouts to paper and pen.
Keep the booklet in a safe place.
Typically, the drawer just below the keyboard (in my experience)
.
If it’s my mother, post it notes stuck to the laptop…
If you never, ever need your passwords outside of your home, that’s great advice - it’s as secure as can be against digital theft. Less so against fire though, and backups are out of the question.
You can have backups of physical books. Just copy the text from one to the other. Yeah it is manual work but so is writing the first one in the first place. You can then store the second copy in a fire resistant safe or at a friends or family members house (maybe inside a safe as well).
Well you can write a copy and keep it in a shed if it’s unlikely to also catch fire.
I just store all my passwords in robots.txt on my web server, makes it easy for me to access them anywhere I go…
/s
I have a firesafe at home for important papers, passports and some emergency cash. I keep my passwords there.
Backups are easy? Just copy to another piece of paper and store somewhere else.
I’m just being facetious though.
I’m not being facetious though. Off-site backups of a digital password collection are easy to setup and maintain. But when you change your password or add a new entry, it’s going to be a pain in the ass to have to drive over and update a physical copy.
If you can live with those downsides, that’s fine. But in my opinion it would be facetious to pretend a physical backup is “just as good/usable” as a digital one.
-edit: whoops, misread that as implying that I was being facetious. As you were sir -
This is the first suggestion here that’s actually within the technical abilities of most people, even most Lemmy users.
The level of technical knowledge some of people here seem to think the general public has is absurd.
If getting a Dropbox account is too difficult for them, I seriously wonder why they’d be subscribed here, or reading articles about password management in browsers.
Because I’m interested in tech news, especially since the world we live in can’t function without it.
Besides, Lemmy seems to seriously overestimate the technical abilities of, well, most people.
We’re lost
I’m usually the one promoting technical literacy to all but in this case I honestly don’t use a password manager.
It’s honestly seemed like more trouble than it’s worth, there’s a few websites where I just reset my password every time.
The thing that makes it worth it to me is long, randomly generated passwords that I don’t have to know.
None of the sites and services I use require me to type out a password thanks to browser integration and auto type (for desktop apps and such), along with autofill service on android.
Then along with that I can even store other things like account recovery codes (for 2fa) or security questions (which also get randomly generated answers)… It’s a handy thing to have IMHO
Bitwarden is probably a more pragmatic choice for most users, given that it’s free and without having to manage the syncing yourself.
Any password manager is better than the alternative, though.
I’m not sure what you’re comparing it to. Keepass is free too, in fact it’s open source. In my opinion, local software and database that is under your control is always superior to cloud.
Keepass over Bitwarden offers a lot of plugins and integrations, again, if you want more customization or automation.
But, I would say you can use any online password manager as long as it’s end to end encrypted, so Bitwarden is a good choice.
Now there’s an unfounded blanket statement if I ever saw one.
Statement related to previous cloud hacks i assume.
Should have say: self-hosting is always superior to cloud hosting.
Bitwarden (the client) + Vaultwarden (the self-hosted server) is a good combo if you have some knowledge on how to setup it.
That statement still comes with a pretty damn big caveat though - you need to have the know-how, the time to invest and the hardware (i.e money) to actually set something like this up.
If all of those are true, then self-hosting can definitely be an attractive option for you.
It’s only true for a vanishingly small fraction of the population, though.
Hence, Bitwarden is a pragmatic solution that will be superior for the vast majority of the population.
I think your bias may be showing. The average computer user doesn’t even think about using a password manager. It just exists and works in their browser.
No dislike for Keepass here, but I prefer Bitwarden. It’s also super easy to self host with Vaultwarden.
Never trust your credentials to a private company, they could be bought out by state actors.
The xz compromise having demonstrated that FOSS projects are totally immune to interference from state actors…
Right that’s why you shouldn’t trust those either
Never trust your credentials to yourself, you can be bought out by beer, poor decisions, and tripping over the cables connected to your home server you cobbled together.
That’s definitely a change from companies just leaving passwords around for anyone to find.
Bitwarden here. Works well.
They didn’t vanish, it’s just that now only Google has them.
Keepass has been working with no issues
All of them are vulnerable to bugs though. Just a matter of luck.
Which bugs breaks Keepass encryption?
If he knew, do you think he’d be wasting time talking here about it instead of, I don’t know, ransoming millions of user passwords?
I like to think that most people would just contact the devs privately to get a fix pushed asap instead of ransoming everyone’s passwords.
Right, but my point was that there aren’t public bugs in encryption algorithms just hanging around. Asking for those is categorically bad faith.
One of the mobile clients corrupted all passwords for me. I ended up losing only 2 passwords, and only 1 I wasn’t able to restore. Good lesson on why backups are important though :)
One of the reasons i use Mega to sync my keepass db across devices where it’s needed. They have version control, so if it gets corrupted then i can restore from a previous version
I put all my passwords in a text document, then print it on a little strip of paper and shove it up my ass. Whenever I take a crap, I dig it out from the turds and try to memorise some of them again. Then I shove it back up there where noone else can find my data and I won’t lose it.
Forgot to mention I delete the text document and set fire to the computer’s hard drive. The passwords are only ever in my ass, with the rest of my personal shit.
Following up your own shit post with another shit post is shit post gold.
This tracks very close to my idea of the suppository flask stick.
Ah yes, KeepAss
Spectacular
I’m scared of downloading after that Mexican party
sh.itjust.works
Have you ever tried anal, my beautiful gentleman?
Maybe, but it would have to be personal and in my ass if I had or ever did.
Sounds like a security risk.
Switches to Proton Pass
Oh those government-suckers with proprietary servers. Good luck trusting your password to a shady entity
The server side literally doesn’t matter. Even if it is FOSS they could do anything they please with it, other than reading it, because it’s all encrypted. They could wipe all passwords if they so wanted.
I switched to Pass recently after having used Bitwarden for a couple years. I’d say Bitwarden still has a slight edge in terms of features, but Pass has gotten good enough and it’s included in my Proton subscription.
No $10 gift card?
Lame.
Premium Bitwarden is so cheap and effective that I find it difficult to justify using an alternative.
Still. Back it up
Well sure… I have a local offline encrypted copy, rather than a whole separate password manager.
Not a bad idea to back up to a json, but every computer you’ve used has a local encrypted copy you can export from using the app or extension.
Keepass with syncthing is completely free and doesn’t rely on cloud hosting
I use encfs and sync it to dropbox etc. Then use gopass password manager to store password in the encfs folders. Not fully auto-integrated but good enough for me.
I self host my own Vaultwarden instance (a bitwarden server written in Rust) and it’s more reliable than Google’s password manager.
No password manager is 100% safe. Make back-ups.
“Here’s what you need to know” - Avoid anything Google.
And backup your password vault
Me when I don’t use Chrome, I don’t use Windows, and I don’t use browser password saving either
A friend has a notebook next to her computer with all her passwords in it. Initially I was horrified - what if you’re burgled? - but actually it’s genius. Much more secure than letting a browser remember them, and she doesn’t even need to memorise a Bitwarden password.
I just make all of my passwords password123 then I don’t have to worry about memorizing them
*********** that’s what I see
Maybe they’re using one of those instances that censors things, lol
It’s an ancient meme. web.archive.org/web/20040604194346/…/bash.org/?24…
Really? hunter2
Yeah, when you type hunter2, all I see is *******
Yeah, these newfangled password requirements ruined my life. I refuse to sign up for any website that doesn’t let me use hunter2.
Ah, my girlfriend’s approach. No matter how much I show her a pwned password or set her up on my Vaultwarden, she’s not interested
In a household it’s probably not that bad. There aren’t many people breaking into homes looking for account details.
I’ve had my identity stolen several times, and every single time it was stolen from a Fortune 500 company.
It’s a primitive password manager, primitive because unencrypted and not integrated into your devices, but far better than not having a password manager.
Assuming the laptop is running bitlocker (often on by default), has a user password, and is offline, that’s pretty decent.
Notebook refers to a paper notebook. Not a laptop.
And in which world is bitlocker on by default? Nope.
A world where we all go insane from explaining “we can’t just ‘hack’ your bitlocker key” over and over to every older relative we have…
This one
tomshardware.com/…/windows-11-24h2-will-enable-bi…
Just add the same memorized bit to the end. Something simple like “123” would work. Even if the book is stolen it won’t do them any good.
Kind of like salting.
This concept is also known as Double Blind Passwords or Horcruxing.
That’s an excellent idea! I’ll mention it to her.
What if the notebook gets destroyed or lost, though? That’s my biggest concern here
My mom told me that she was made fun of for having a book of hand written account credentials related to running her business (6 people total). I told her it was the best way to do it that wasn’t massively overcomplicated for her situation and to keep it up. The only recommendation I made is that she use different long passwords for every site since she’s already not memorizing them.
Personally I’m not convinced this isn’t the best way unless you’re being targeted by physical bad actors
Where is this book? In the office? I’d say that’s absolutely horrible. If it’s at home I think that’s more okay.
Or maybe behind a keyed lock in the office? Not a keypad, a physical key.
Nah, most locks are really crappy.
Sure, if someone knows her physical address, knows how to disable the building alarm, knows what drawer she keeps the passwords locked in, and knows how to pick the lock, she could be in trouble. But that is a very targeted attack and if someone is that determined she’s screwed anyway.
99.9% of attacks are the “low hanging fruit, protected from repercussions by not physically being there” kind.
Someone like an employee, janitor, or maintenance worker who has physical access to the building already is what I’m talking about. That’s definitely a low hanging fruit type of attack. See your boss’s passwords while your pissed off, snap a picture with your phone, fuck with them later.
<img alt="" src="https://lemmy.world/pictrs/image/105cbf63-7444-4b06-bd84-d3b962e22887.gif">
feel like “aaand it’s gone” would fit better here
Recently started using Bitwarden and it works really well. You can even ditch authenticator because it has OTP built in too.
I selfhost it though because I trust nobody with this type of sensitive data, encrypted or not.
By storing your passwords and otp in the same place it becomes 1 factor authentification
Modern problems require modern solutions
Not if you use 2 factor to access the password manager.
It’s still just one factor. You just secured it better.
To set a scene, you awake in the middle of the night because your phone is making noise. Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep. The intruder now has access to your password manager!
They attempt to log into your bank and drain your life savings, but despite having your password it sends another prompt to your phone. This time, you wake up enough to realize something is wrong. This time, you deny the prompt.
The entire second paragraph cannot happen if your MFA is a single factor. Don’t store MFA in your password manager!
If your MFA is stored in your password manager, you’re not getting prompts to your phone about it. You’re just prompted for a otp code that you have to go out of your way to copy/paste or type in from the manager.
I mean yeah it’s less secure than if they were separated. But my mom is never going to use a separate app for passwords and 2FA, so the two in one app is still better than nothing.
Bruh, if my phone is sending me notifications in the middle of the night, the first thing I’m doing is uninstalling whatever app is sending me notifications.
If people are that gullible to fall prey to an attack like this, managing OTP in two apps is probably more than they can handle anyway. Everybody has a different threat model, and it’s okay if it’s not covered by hardware passkeys and locally hashed and managed databases.
The idea that people would approve that is wild to me.
Mate, I’ve had users who were sharing an account that only some of them had MFA prompts for. They didn’t bother checking who had initiated the prompt, they just approved it because it was easier. And that was while they were fully awake and thinking…
What’s funny to me is that doing this while you know your target is asleep probably has a higher success rate just because they’re more likely to press the wrong thing just because their eyes are groggy. I can read my phone without my glasses but when I wake up in the night that’s not the case right away.
Not really as you’re still protected from password breaches, which is most likely to happen anyways, especially if you self host.
If you’re actively being targeted for your bitwarden password, you likely have bigger problems
.
Technically yes if my vault gets compromised I would be fucked. I have it firewalled tho and only accessible from home (or VPN to home). So should be pretty secure. I used google authenticator but found it a major pita (can’t even search entries on Android, wtf?). If they make this more user friendly I’ll gladly switch back to a seperate OTP store.
I use aegis for the MFA portion.
I was thinking about self hosting but I was worried it would be less secure. I don’t really know a lot about setting that kind of thing up (I do have programming experience but don’t have a lot of server hosting experience outside of doing it for games like Minecraft) and I feel like I’d mess it up and it would be a lot easier to get into than a hardened server. Especially cause the odds I get a virus or something is probably higher then the odds someone breaks into bitwarden’s server. Idk if I’m wrong about this, would love to be corrected if I am, was just my initial thoughts when I switched over from a different password manager to bitwarden.
It’s pretty easy to setup using docker, you do need to know that ofcourse and how to setup dns and stuff.
I have it firewalled so my vault is not accessible from the internet, only from home or vpn to home.
If you don’t trust yourself 110%, don’t host it yourself. Too risky. I self-host everything, but I leave email and passwords to someone else because it’s just too important.
I think the bigger thing to worry about is, what would happen if your server fails or is destroyed? Would you have a backup of all your passwords? And if yes, are those backups updated regularly and stored in a safe place that also won’t get destroyed if the server gets destroyed (like, say, a house fire)?
Then, yes, you got the cybersecurity angle too
It’s a lot to think about for something as important and fundamental to everything you do on the internet as passwords (and accounts)
backups aren’t that big of a deal with bitwarden as every client keeps a copy of the database that can be restored.
so no more authy? BITWARDEN HAS THAT BUILT IN??? thats AWESOME
Yep, and Vaultwarden too!
Though the most secure practice is to store them separately.
Alr
The most secure practice for any high-value accounts (email etc) is to use WebAuthn with a hardware key like a Yubikey.
TOTP is still vulnerable to phishing (a fake login page can ask for both a password and a TOTP code) so business/corporate environments are moving away from them.
Sure, hardware keys are superior!
I’m only talking about best practtices when using TOTPs in particular.
It is a paid feature though if you don’t selfhost
Oh
But it’s cheap! $10 a YEAR when I last checked.
alr
The paid features aren’t free if you self-host either. You still need a premium account to use premium features with a self-hosted Bitwarden, unless you modify the code and remove the licensing checks. Licenses are pretty cheap though.
The major features are free if you use Vaultwarden, which is an alternative server implementation.
So does keepass
Yep, for only $10 per year. But just make sure to keep backups of your vault and/or make an emergency kit.
Alr
And it can also store passkeys to effortlessly sync between desktop/Android/iOS
No-one should be using any password manager built into any browser, neither Chromium-based nor Firefox-based. Browser password databases are almost trivially easy for malware to harvest.
Go with something external, BitWarden or 1Password, or if you are entirely within the Apple ecosystem their new password system built into iOS 18 is apparently really good.
I use Keepass. Free, secure, great.
I have that as an offline DB. Holds 100% of all creds that can go offline (no 2FA, unfortunately) and a bunch of extra stuff that most other managers aren’t flexible enough to do.
That’s what I used before 1password. The UI is a bit finicky but it works great. Plus you can shove it into DropBox or other various cloud sync things to get a “cloud” version lol.
What makes the built-in database easier to attack than a separate one?
It’s protected by the user’s login password. If an attacker can steal that or knows it already, the passwords are all there for them to see.
Bitwarden (on the other hand, for example) has 2FA options to unlock the database.
Oh, so you mean local vs external, not browser-based vs other local solutions.
How does this work if accessing Bitwarden via the browser extension? I don’t like needing to type my master password in all the time as it’s long, so I have the setting turned on that times the vault out periodically, but so it’s also unlockable with a pin rather than requiring the master password every time. I understand the pin is shorter, but does the protection of the vault still stand?
That’s a good question. I don’t actually know the answer to that. I know the passwords are hashed locally when your vault is locked and before being synced, but I’m not sure whether it’s in plaintext when it’s unlocked or if it uses some kind of on-demand decryption. It’s probably in their docs, I should think.
For performance reasons, early versions weren’t even encrypted, and later versions were encrypted with easily-cracked encryption. Most malware broke the encryption on the password DB using the user’s own hardware resources before it was even uploaded to the mothership. And not everyone has skookum GPUs, so that bit was particularly damning.
Plus, the built-in password managers operated within the context of the browser to do things like auto-fill, which meant only the browser needed to be compromised in order to expose the password DB.
Modern password managers like BitWarden can be configured with truly crazy levels of encryption, such that it would be very difficult for even nation-states to break into a backed-up or offline vault.
When it comes to security software, I usually recommend sticking to open-source solutions, which is why I’d recommend Bitwarden over 1Password. Their whole stack (backend, frontend, and native apps) is all open-source. A premium account is well worth the $10/year.
You can self-host their server, or self-host Vaultwarden which is an unofficial API-compatible reimplementation of the Bitwarden backend designed to be lighter weight. Note that Vaultwarden is unofficial and hasn’t gone through the same security audits as Bitwarden has. It’s a good piece of software though.
Use ButWarden myself for a login-only subset of my KeePass content. I absolutely recommend it every chance I get, but some people prefer 1Password because reasons. And 1Password is pretty much the best closed-source option out there, which is why I do so… anything to give people options that keep them away from clusterf**ks like LastPass.
Definitely true… Using 1Password is still better than reusing the same password for every site. I’ve never used it but it gets a lot of good feedback, especially from Mac users.
The only problems I’ve had with 1password are usually not 1password’s fault. Like needing to log into something that opened through the Gmail’s app’s built in browser that closed the page when the app loses focus.
I wish there was a way to link passwords and have note fields that are hidden by default. I’ve got a lot of stuff at work that is linked to my LDAP password but for various reasons uses different usernames on different sites. It’d be nice if there was a way to tell it “I know this password is reused, I promise it’s okay”
I migrated from Bitwarden to 1password because I wanted something that works better on Linux. With 1password-cli and PAM integration mainly. Bitwarden worked beautifully under Windows, but once I switched over to Linux, I realised that 1password had more Linux friendly features. I track some discussions over bitwarden that talk about implementing those features, I might come back at some point.