so the “no longer open source” means they’ll be moving to a saas model or something? i’m not super cybersecurity savvy but bitwarden is what i use
Shirasho@lemmings.world
on 20 Oct 16:57
nextcollapse
It means we have less insight on what they are doing with our passwords.
solsangraal@lemmy.zip
on 20 Oct 16:58
nextcollapse
great…
winterayars@sh.itjust.works
on 20 Oct 17:06
collapse
It doesn’t mean that in this case, except perhaps very indirectly.
winterayars@sh.itjust.works
on 20 Oct 17:04
collapse
No, technically they already are SaaS company. That’s mostly how they make their money.
Also it should be noted “no longer open source” doesn’t mean they’ve done a “our code is now closed and all your passwords are ours” rug pull like some other corporations. This is a technical concern with the license and it no longer meets proper FOSS standards (in other words, it has a restriction on it now that you wouldn’t see in, for example, the GPL).
So by and large the change is very minimal, the code is still available, it’s still the best option. However, this does matter. It may be a sign of the company changing directions. It’s something they should get pushback about.
dustyData@lemmy.world
on 20 Oct 19:22
nextcollapse
The SDK was never FOSS, and was never under the GPL. Hence why they can add the text mentioned in the article. You don’t get to change the text of a FOSS license to begin with. It isn’t unheard of for text like this to be part of proprietary software that integrates with and uses FOSS that are under different licenses.
That said, this is concerning, but whether it changes BW’s FOSS state is a matter of legal bickering that has been going on for decades.
KairuByte@lemmy.dbzer0.com
on 21 Oct 02:53
collapse
You can’t retroactively change FOSS licensing, but oft times you can alter the licensing moving forward. Not always the case, of course. But in no way are all FOSS licenses set in stone.
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:23
collapse
From the update, it looks like they consider it a bug, which they’re working to resolve. Let’s see how they resolve it before jumping to conclusions.
ChillPill@lemmy.world
on 20 Oct 16:54
nextcollapse
Keepass? No cross device support, you need to manage that yourself through something like Google Drive…
solsangraal@lemmy.zip
on 20 Oct 16:56
nextcollapse
lol that’s what i used before i switched to bitwarden-- didn’t have any complaints, but the database key file thing was kind of a pain
Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, …) to authenticate you, so, yeah, I’m not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.
I’ll stick to old-fashioned, long, secure, randomly generated passwords, thanks.
Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.
This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.
Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.
I see, that makes sense and should be more secure, in theory. Thanks for the explanation.
The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it’s different, but that’s not my only OS).
Also if the private key does get compromised (e.g. local malware steals it), hopefully there’s an easy way to revoke it.
Your Passkeys have to be stored in something, but you don’t have to store them all in the same thing.
If you store them with Microsoft’s Windows Hello, Apple Keychain, or Google Password Manager, all of which are closed source, then you have to trust MS/Apple/Google. However, Keychain is end to end encrypted (according to Apple) and Windows Hello is currently not synced to the cloud, so if you trust those claims, you don’t need to trust that they won’t misuse your data. I don’t know if Google’s offering is end to end encrypted, but I wouldn’t trust it either way.
You can also store Passkeys in a password manager. Bitwarden is open source (though they did recently introduce a proprietary, source available SDK), as is KeepassXC. 1Password isn’t open source but can store Passkeys as well.
And finally, you can store Passkeys in a compatible security key, like the YubiKey 5 series keys, which can each store 100 Passkeys. This makes them basically immune to being stolen. Note that if your primary interest in Passkeys is in the phishing resistance (basically nearly perfect immunity to MitM attacks) then you can get that same benefit by using WebAuthn as a second factor. However, my experience has been that Passkey support is broader.
Revoking keys involves logging into the particular service and revoking them, just like changing your password. There isn’t a centralized way to do it as far as I’m aware. Each Passkey is only used for a single service, after all. However, in the same way that some password managers will offer to automatically change your passwords, they might develop a similar for passkeys.
I was finally able to find some technical detail on passkeys on FIDO website, and yeah, it actually looks like it’s a real improvement over passwords: it’s simple, uses proven technology (public/private keys), and should be much more secure than passwords.
Also, nothing in the “specs” says I need to entrust my private key with the OS or a third party, which is good.
That said, it seems some OS support is required nonetheless, to show the pin / biometrics prompt (or is it?), and on android at least, I’d need to buy a new device with Android 14 to use a non-Google passkey provider…
I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.
+1 For KeePassXC and the KeePass ecosystem. Yes, you need to sync the database yourself, but you can use any file sharing service you like, e.g. google drive, dropbox… or selfhost something like nextcloud (like I do), which for me is actually a point in its favor.
Based on this news, I think I made the right choice back then when I decided to go with KeePass.
As someone who used to use KeePass, went to LastPass, and then Bitwarden (Vaultwarden), I finally got my non-tech literate wife to use Bitwarden. I’m concerned that KeePass might end up being more difficult if it comes down to it. I believe that KeePass had some sort of browser integration but it really has been a long time since I used it so who knows the current state. Curious how browser integration is today.
GhiLA@sh.itjust.works
on 21 Oct 14:11
nextcollapse
The big issue isn’t using it, it’s syncing it.
User A used KeePass to order pizza and changed the Papa John’s(heaven forbid) password while they were at it, on their desktop.
syncing: “oh! This file changed! Neat!”
User B picks up their phone and wants to order Papa John’s at work. They try, but the password isn’t right. Huh. They check KeePass. No issues. They go to change the password because they think something is wrong.
(All the while, they never thought to see if syncthing had been woken up in the background lately)
They change the password, update KeePass,
syncthing opens later, goes: "Oh, hi, User B’s phone! I have a ne- Oh! You have a new password file too!!? Small world! I’ll take both!
Now there’s two files, two users who think they both made corrections to a password, syncthing thinking nothing is wrong, and someone has to now merge the newer KeePass file over the old ones by hand and realize what happened, but the bigger problem is, no one knows anything is wrong yet and it doesn’t even take two users. This can just be you ordering on your phone after modifying on your desktop.
well, it’s just pizza.
As an example. Imagine an insurance app, or a banking app, or the DMV… And you won’t know for months down the line. It gets old.
kill_dash_nine@lemm.ee
on 21 Oct 15:58
nextcollapse
Ah yeah, the fun of how that works. I recall that I had previously set up WebDAV to try to simplify my source of truth but I think that was just with the original KeePass app, not KeePassXC. I also wasn’t trying to share passwords among multiple people but I do recall having issues when I was using Dropbox to sync to my phone since I would have to actually make sure Dropbox had updated the copy of the file which required me opening the app at the time.
I use KeePassXC on desktop and Keepass2Android on, well, android, and sync via nextcloud. They all seem to handle syncing correctly, merging changes made on one side, or showing a notification about a conflict, and KeePassXC can definitely merge the two “conflicted copies” together reliably with a couple of clicks (yes, a no-click solution would be better, I know, but it’s not “manual”).
Keepass2Android integrates directly with nextcloud and seems to handle it fine.
The situation can definitely be improved but it’s not so bad for me. Also, two different people should probably use two different database files and not share passwords ;)
Not sure how syncthing handles conflicts, it’s been many years since I tried it.
I use KeePassXC’s browser integration daily and it works pretty well with Firefox (linux), well enough that I’m not complaining, but I cannot compare it with Bitwarden cause I never used it. On Android I use Keepass2Android and works well with autofill, but again, I can’t really compare it.
Something tells me Bitwarden works better, just by virtue of being a commercially supported product, but I have no complaints with KeePassXC & Keepass2Android (KeePassDX works well on android too). Original KeePass desktop client was never great though.
oaklandnative@lemmy.world
on 20 Oct 20:55
collapse
Proton Pass is open source and the company that runs it recently reincorporated as a Swiss non-profit to ensure their privacy mission can’t be bought out by venture capitalists etc.
If they're moving away from open source/more monetisation then they're going to do one of two things.
1: Make the client incompatible (e.g you'll need to get hold of and prevent updating of a current client).
2: DMCA the vaultwarden repo
If they're going all-in on a cash grab, they're not going to make it easy for you to get a free version.
schizo@forum.uncomfortable.business
on 20 Oct 18:59
nextcollapse
Don’t forget option 3: someone writes a vaultwarden client independent of the closed-source crap.
If you can write a server that fully supports the client via the documented API, then you know everything you’d need to do to make a client as well.
humorlessrepost@lemmy.world
on 20 Oct 23:32
collapse
That’s not a third option in the same list (things they are going to do), it’s an item in an entirely different list (foss responses to their actions).
You can’t “dmca” the fork that was created while it was still open source. They could only prevent it from getting future updates (directly from them).
If you mean they shouldn't. I'd agree. But, as has been seen a lot on youtube. "They" can DMCA anything they want, and the only route out is usually to take them to court.
I mean I'd hope if they're going in this direction they will be decent about it. But, it's not the way things seem to be lately.
DMCA is a tool for suppression of free information. It doesn’t require evidence that you’ve made a good faith effort to consider fair use or other legal complexity as it’s meant to take down the information before that is settled in court, but most commonly used to suppress information from a person or group who can’t afford to fight it in court. Microsoft’s Github has a history of delete first without risking their own necks to stand up for obviously fraudulent takedowns much less ones with unsettled law like APIs/SDKs.
unskilled5117@feddit.org
on 20 Oct 17:07
nextcollapse
This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction for a company that proudly uses the opensource slogan.
solsangraal@lemmy.zip
on 20 Oct 17:11
nextcollapse
tabarnaski@sh.itjust.works
on 21 Oct 11:47
collapse
Except if it’s free software.
sunzu2@thebrainbin.org
on 20 Oct 17:56
nextcollapse
Welp, I guess another time to move here soon.
And I just fucking vouched for them to a friend recently 🤡
Didn't know about VC funding these parasites using their funding to turn everything into shite.
What's the current "best" alternative? Keepass?
foggenbooty@lemmy.world
on 20 Oct 21:12
nextcollapse
I haven’t jumped yet, but the Proton suite is looking more and more appealing. I’ve been eyeing them as a Gmail replacement, but I’ve been happy with my VPN and password management providers. As this reduces the bundle makes more sense.
They have a solid value proposition but don't like putting all my eggs all in one basket both for security and monopoly reasons.
They seem to be gunning for one stop shop and I think they are doing decent shop but I just don't like the idea after what Google did to us.
Situation is a bit different but gonna need to tka the lessons and not let these corpos do this again.
foggenbooty@lemmy.world
on 21 Oct 00:58
nextcollapse
That’s a good practice, and I think you’re right that is what they’re going for. I don’t think that means you shouldn’t consider them, but it does lower their value proposition as the bundle is the better deal.
this isnt a full solution obviously, but I figured it’d be nice to know: Proton lets you set different passwords for your email and password manager, so at least from a security standpoint its not all behind the same password, even if it is still from the same company
It’s not open source, but I got a lifetime license for Enpass over a decade ago and it’s done everything I’ve ever needed it for. I think stacksocial occasionally has new lifetime codes for sale. I like the idea of Proton Pass as others have said, but it feels a bit like putting all my eggs in one basket, which is a mistake I already made with Google before (context: I use Proton for email). I think Keepass is the next best option if dedicated to staying FOSS.
They’re basically trying to get rid of vaultwarden and other open source forks. I expect they’ll get a cease and desist and be removed from github at some point in the not too distant future if they don’t make some changes. I have a vaultwarden instance and use the bit warden clients. Guess I’ll need to look for alternatives in case Bitwarden decides to get aggressive.
By trying to make things simple, this ends up making it more complicated and convoluted than anything
DarkThoughts@fedia.io
on 20 Oct 20:42
nextcollapse
Unix elitist think the average user is willing to just memorize a gazillion different commands. No, nope. Not ever going to use a command line password manager.
Because unless you paid someone else to set up an account for you, you had to get there somehow. And if you’re using the built in password manager from your browser, none of this article is relevant to you anyway.
WhyJiffie@sh.itjust.works
on 21 Oct 01:46
nextcollapse
have you heard about bookmarks? browser addons? smartphones? URL-checked autofill?
Yes, that’s why I mentioned account setup. You need to get to the site to bookmark it.
And pass has a browser extension too: github.com/uri/browserpass
Keepass was where I started before moving to pass and then vaultwarden.
Most people use an extension on web and an app that uses the system autofil functionality on mobile (at least on android, I’ve not used iOS for a long time)
You don’t have to open anything, or type anything other than a password. On mobile you just use your fingerprint, don’t have to type anything at all.
If you’re taking about initial setup that’s also gonna be a lot more complicated for an average user than bitwarden.
A command line tool is not even remotely a comparable user experience. It may work wonderfully for you, and I’m glad it does, but it’s pretty out of touch to suggest that it’d be a good fit for most people
I might be mistaken, but ultimately a password manager is basically nothing more than a database of passwords in an encrypted zip file, right? That could entirely be self-hosted with off the shelf open source applications stringed together.
All you’d need is a nice UI stringing it all together.
Edit: I’m not sure why people are downvoting me.
Is that not what a password manager essentially is?
I’ve done basically this in the past by encrypting a text file with GPG. But a real password manager will integrate with your browser and helps prevent getting phished by verifying the domain before entering a password. It also syncs across all my devices, which my GPG file only worked well on my desktop.
wintermute@discuss.tchncs.de
on 20 Oct 19:58
nextcollapse
Keepass is exactly that. Basically all the client side parts, and the database is a single encrypted file that you can sync however you want.
I see it as it’s easy to self host. But I’m not skilled nor rich enough to guarantee the availability of it. I don’t want to be stuck on a holiday without my passwords because my server back home died from black out or what have you.
I pay for bitwarden and the proton mail package to keep the password management market a bit more competitive and it actually works out cheaper. It would be nice to have protons anonymous emails built in, but I can live with it.
But I might have to reconsider if Bitwarden is going a different direction that what I’m paying for.
It’s the “stringing it all together” that could be problematic.
If you have multiple clients (desktop/cellphone) modifying the same entry (or even different entries in the same “database” ). You need something smart enough to gracefully handle this or atleast tell you about it.
I did the whole “syncing” KeePass and it was functional, but it also meant I needed to handle conflicts - which was annoying. I switched and really appreciate the whole “it just works” with self-hosted bitwarden.
Thank you for the update! I would like to keep using it. I’ve been very happy with Bitwarden both as a password manager and a TOTP authenticator. I have even recommended it to my boss as an enterprise solution for us to use at work, and so far we are planning on replacing our current password database solution with Bitwarden.
Unfortunately, with “enshittification” being so common these days, it was very easy to believe they were also going to the dark side. I will remain cautiously optimistic after learning it was a packaging bug.
Here’s a link to the post on X (yes, I hate X, too) in case anyone else is doubtful:
Yeah, I was worried about it too. I’ve become pretty cynical when it comes to everything becoming enshittified, but I’m hoping they stick to their word.
Suavevillain@lemmy.world
on 20 Oct 20:35
nextcollapse
Well this ain’t good. I don’t really feel like switching apps.
DoucheBagMcSwag@lemmy.dbzer0.com
on 20 Oct 23:55
collapse
That’s how they get you. Jump ship now
Anyone looking at this…what alternatives are out there?
GhiLA@sh.itjust.works
on 21 Oct 14:01
nextcollapse
KeePassxc with syncthing
Nextcloud with their password solutions
A notebook
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:22
collapse
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
I’m not going to jump ship just yet, though I may get around to updating my backup.
There are plenty of alternatives, so feel free to shop around. But don’t jump the gun just because of a random Phoronix article with an update that says basically the opposite of what the article claims. Wait some time to see if there are actual changes coming.
DoucheBagMcSwag@lemmy.dbzer0.com
on 21 Oct 17:25
collapse
Yeah no. This is clearly backpedaling and you should look to get away
sugar_in_your_tea@sh.itjust.works
on 21 Oct 17:28
collapse
The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.
There are two ways to take this:
this is temporary as they’re refactoring code to reduce duplication across clients
refactoring is an excuse to create fully proprietary clients going forward
Until I see evidence of the latter, I’ll stick with the project, but I’ll be more consistent about creating backups so I can switch easily if I need to.
DudeImMacGyver@sh.itjust.works
on 20 Oct 20:44
nextcollapse
sigh
DarkThoughts@fedia.io
on 20 Oct 20:51
nextcollapse
Sooo, where's ProtonPass at? They're open source and non-profit, right?
AsudoxDev@programming.dev
on 20 Oct 20:55
collapse
The server is not open source and I wouldn’t trust a business that is not just working on password managers.
DarkThoughts@fedia.io
on 20 Oct 21:23
nextcollapse
and I wouldn't trust a business that is not just working on password managers.
Because..? They're a privacy tool oriented company, no?
AsudoxDev@programming.dev
on 20 Oct 22:18
collapse
Because they aren’t focused on just one single service. Bitwarden is a single business only focusing on their password manager, whereas proton has a suite of tools. Passwords need to be stored absolutely in a robust and safe way. I don’t trust proton with anything at all, and the proton pass is no exception. The client might be open source, but the backend is not. It’s also not as mature as bitwarden.
These are valid points.
There are many password managers, most of which it wouldn’t take much to poke holes in, especially if open source is a main criteria.
What are some that you would consider with Bitwarden now being off the table?
AsudoxDev@programming.dev
on 21 Oct 05:21
collapse
Its worth noting I don’t think they’re actually a company anymore, I think they’re now a non-profit (I may be mistaken, but that’s my present understanding)
ocassionallyaduck@lemmy.world
on 20 Oct 20:52
nextcollapse
Syncthing fork seems to still be under active development
prosp3kt@lemmy.dbzer0.com
on 21 Oct 04:50
nextcollapse
I was thinking the same. But, it is safe to share the password database like this?
GhiLA@sh.itjust.works
on 21 Oct 14:00
nextcollapse
Consider the possibility that someone could get your database.
It isn’t a safe. You can’t weld through the side of it and get in. You either make it ridiculous or impossible to get in.
Use something memorable, but insane.
My password is a three-line film quote with numbers in some of the places for letters.
Haikus work great. Memorable, complex. Wrote it yourself? Even better.
ocassionallyaduck@lemmy.world
on 24 Oct 21:47
collapse
Syncthing is encrypted transfers.
The database is encrypted.
And you can set it to not use relays for data, only matchmaking between your own devices.
So it’s an encrypted file, encrypted again, and sent directly from an IP you own to an IP you own.
Routhinator@startrek.website
on 21 Oct 12:57
collapse
I’ve always loved Keepass, however I moved away from it in 2012 as it and any file based vault has brute forcing issues. You need to track every copy of it that has been made and if any copy falls out of your hands, like if you lose a device, you need to do a password rotation on 100% of your passwords. Since its a file, its not possible to prevent brute forcing.
Telodzrum@lemmy.world
on 21 Oct 16:14
nextcollapse
everything’s a file
ocassionallyaduck@lemmy.world
on 24 Oct 21:55
collapse
An online database is still a file ultimately. A SQL or other DB file stored in a webserver, accessed through a web interface.
Vaultwarden, etc, are the same, only the database file is less directly visible IMO. Keepass IMO is simple. The DB in a bespoke format, stored outside the application.
You could put the vault in system32 and name it “trustedinstaller.log”, and if someone saw you had keepass they wouldn’t even know where your vault is.
Given the number of well documented breaches of online password vaults, I would much rather do a private device to device sync via syncthing and keep it out of webservers.
ShittyBeatlesFCPres@lemmy.world
on 20 Oct 21:01
nextcollapse
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
wetsuiterest@lemmy.blahaj.zone
on 20 Oct 21:09
nextcollapse
They now require a non-free Bitwarden SDK component. That’s what this whole conversation is about.
aisteru@lemmy.aisteru.ch
on 21 Oct 04:44
nextcollapse
Could you ELI5 please?
AsudoxDev@programming.dev
on 21 Oct 05:30
collapse
“You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.”
fmstrat@lemmy.nowsci.com
on 21 Oct 10:49
nextcollapse
Only the desktop client. And the response is that not being able to compile sans SDK is an issue they will resolve.
I still think this is bad directionally, but we need to see what happens.
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:19
collapse
And the whole conversation is about a bug, not a change in direction…
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
This need not be the case, though! There’s an open source client on Android called Keyguard. I don’t think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.
SaharaMaleikuhm@feddit.org
on 21 Oct 13:32
nextcollapse
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation.
The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:18
collapse
From the article, it’s a packaging bug, not a change in direction.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
sugar_in_your_tea@sh.itjust.works
on 21 Oct 17:25
collapse
Here is the code in question. Basically, it’s a source-available, but not FOSS internal SDK, with the following language:
The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.
So I think the “bug” here is in not linking the original repo in the NPM package, and there’s a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it’s currently not FOSS, but it’s too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they’re just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.
Given their past, I’m willing to give them the benefit of the doubt, but I’ll be making sure I have regular backups in case things change.
shortwavesurfer@lemmy.zip
on 21 Oct 09:21
nextcollapse
That’s far from the best option. It’s working, but it’s super complicated compared to Bitwarden and other cloud password managers. Imagine telling your grandma “just use keepass”, she would never be able to make it work. But Bitwarden? Lastpass? That’s possible
cy_narrator@discuss.tchncs.de
on 24 Oct 00:30
collapse
Is it so?
I feel like anyone who can open up and edit ms word can do it, just double click on the keepass.kdbx file and it opens up prompting for a password.
Syncing is a bit of a problem and I wrote an article on how I do it here in the easiest way I found. Though MEGA cloud does not have a good reputation among general public, their share link is something you can write in a piece of paper and keep in a safe.
“Just double click the keepass.kdbx” is not what it is. You need to go to your explorer, find the file in the folder structure and double click it. You then need to search for the website you are on and copy the password, then you need to go back to the website within 12 seconds and paste the password. That’s inconvenient for everyone, but for a tech-illiterate grandma it’s impossible.
Compare that to Bitwarden: You go to the website, click on the bitwarden icon and then click on the login details. Or even better, you can enable auto-complete with a single click and it automatically fills the login details when on the website, without clicking anything. That’s far more convenient and easier.
Just as a FYI: My grandma has a sticky note on her laptop that shows exactly which buttons to press to get to her emails, with things like “Click this twice within 2 second, be fast!!” for a double click. It doesn’t say “lef mouse button”, she draw her touchpad and an arrow. She is not able to find her mails when the website changes the layout.
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:18
collapse
In this case, zero, because it’s a packaging bug, not an actual change in direction. Read the update on the article:
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Next time, before jumping to conclusions, wait a day or two and see if the project says something.
I really hope that this is actually the case, but I am not very optimistic. This doesn’t seem to be a mistake. They intentionally move functionality of their clients to their proprietary SDK library. The Bitwarden person stated this in the Github issue and you can also check the commit history. Making that library a build-time dependency might actually have been a mistake. That does not change the fact, that the clients are no longer useful without that proprietary library going forward. Core functionality has been move to that lib. I really don’t care if they talk to that library via some protocol or have it linked at build time. I wouldn’t consider this open source, even if that client wrapper that talks to that library technically is still licensed under GPLv3.
sugar_in_your_tea@sh.itjust.works
on 21 Oct 22:15
collapse
They intentionally move functionality of their clients to their proprietary SDK library.
Proprietary is a strong word IMO. Here’s the repo, it’s not FOSS, but it is source available. It’s entirely possible they make it more open once it stabilizes, but it’s also possible they make it less open as well. It’s still early, so we don’t know what the longer term plans look like.
I don’t think we should be panicking just yet, but I’ll certainly be checking back to see what happens once this internal refactor is finished, and I’ll be making some more regular backups just in case they are, in fact, trying to take it proprietary. I don’t think that’s the case (why would they? I don’t see the benefit here…), but I guess we’ll see.
Proprietary is a strong word IMO. Here’s the repo, it’s not FOSS, but it is source available.
Yeah, that’s what I meant by “proprietary”. I guess having the source to look at is better than nothing, but it still leaves me uneasy. Their license lets them do anything they want (ignoring that - as it stands - their license is void due to the linkage with GPLv3 code, but they said they want to fix that). I have no idea what their plan is.
I don’t think it is in their best interest to go the route they appear to be going. Having truly open source clients seems to be a selling point for quite a few customers. But what do I know…
sugar_in_your_tea@sh.itjust.works
on 21 Oct 23:02
collapse
Agreed. If they end up not making this component FOSS, I’ll probably leave and take my paltry $10/year with me (which I don’t need to pay since the features I use are all in the free version). But I’ll give them a year or so to work out whatever refactoring they’re doing before making that call, I’m certainly not going to jump ship just because a new component is merely source-available.
NanoooK@sh.itjust.works
on 21 Oct 01:10
nextcollapse
That’s what I’m using mostly, but the convenience of having auto fill in firefox and being able to share some logins made me want to try bitwarden. Also, it’s not complicated to sync between several devices.
It’s just a packaging bug and they said they will fix it.
magnus@lemmy.ahall.se
on 21 Oct 08:36
nextcollapse
Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.
The plot thickens.
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:16
collapse
Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.
I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.
The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)
magnus@lemmy.ahall.se
on 21 Oct 19:14
nextcollapse
Phew, looks good on the news with the packaging bug (if they didn’t just got cold feet for worse PR/backlash than they expected and this is a backtracking).
In this case, hopefully Garcia is employed for his expertise and can be deployed to further open source relations :)
sugar_in_your_tea@sh.itjust.works
on 21 Oct 22:12
collapse
And I am an ardent optimist, hence why I see it as a good thing.
But yes, worst case someone will fork it, and I’ll probably use that fork.
ArkyonVeil@lemmy.dbzer0.com
on 21 Oct 11:34
nextcollapse
Are you saying it’s a bait and switch like Google, where they suck people in with a good product then enshittify it once they’re hooked?
ArkyonVeil@lemmy.dbzer0.com
on 21 Oct 22:04
collapse
I’m not thoroughly aware of their dealings, but these amounts of private investment aren’t going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.
From the looks of it, Bitwarden might’ve tried to go with the Open Source model to get free development resources, trust (because it’s an open source PASSWORD manager), and general goodwill. But now that they’ve deemed that got enough of a market share (or investors are starting to breathe down their necks), it’s time to start raising the walled garden.
Even if they claim after the fact that it was a “Bug” that the client couldn’t be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.
VC is a devil’s bargain. Raising VC money is NEVER a good sign.
Yeah well said. Looking forward to the day they try to force an “updated” privacy policy on users, or start charging 69.99/year.
Routhinator@startrek.website
on 21 Oct 11:49
nextcollapse
Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.
I hate this. Bitwarden has been a good app.
GhiLA@sh.itjust.works
on 21 Oct 13:55
nextcollapse
Nextcloud passwords is just a client for a KeePass vault.
I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.
Routhinator@startrek.website
on 21 Oct 14:48
nextcollapse
TIL… Thanks.
EDIT: Been playing with it a bit now and if it uses keepass as the DB the advantage I see right now is that having it in Nextcloud means automatic sync, and there are several autofill and syncing apps for various OSes and password sharing and automated checks for breaches. It’s probably a better option for anyone with Nextcloud than going the Keepassxc/syncthing route.
You can encrypt the entire vault and all the contents,… but imo, that should be a default setting.
Seriously, as-is, you log into Nextcloud, click on passwords and every password is literally right there. I’m sure they’re encrypted in the database but fffff.
I switched from keepass to Bitwarden because individual entries started randomly disappearing. I’m still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn’t touched since before the entry disappeared.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
According to Bitwardens post here, this is a “packaging bug” and will be resolved.
I use to always recommend bitwarden to people. Now i feel like an idiot for doing so with them switching up. Ill be making the effort to move to keepassxc soon and host it myself.
GhiLA@sh.itjust.works
on 21 Oct 13:54
nextcollapse
…host it?
…is there something I’ve been missing out on? Can one host a KeePass vault online? We have web apps? I only know about the Nextcloud ones. I’ve just been using syncthing and merging the conflicts when they happen.
Just because I didn’t see a response on this one, you might have read it already in other comments but the packaging bug is a cop out. They are still intending to migrate over to the proprietary SDK, and it will eventually become a requirement for the platform. The only difference was that at the state of the project it wasn’t supposed to be a requirement in order to compile, but they do still very intently have a restrictive license on the SDK and you aren’t allowed to use the sdk outside of the project. meaning that it has to be present for the program to work and that you’re not allowed to use it in other programs.
Why they call it a packaging bug I’m not sure because the end result is the same the package is required for the program to work and that package that is required is not GPL
That being said some other comments have gone a little bit more in detail on it and might be a little more descriptive than me
gwen@lemmy.dbzer0.com
on 21 Oct 14:29
nextcollapse
can we start reading the articles and not just the headlines??? it literally says it’s a packaging bug
sugar_in_your_tea@sh.itjust.works
on 21 Oct 16:12
nextcollapse
In general, if it’s Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.
It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you’ll notice that he’s talking about that proprietary “SDK” library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn’t make the situation any better. The client won’t work without their proprietary “SDK”, no matter if they remove the build-time dependency or not.
Highsight@lemmy.world
on 22 Oct 02:45
nextcollapse
When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:
3.3 You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.
This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I’m fine with this.
The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
I don’t see why this should make any difference at all. Sure, I get why he is are saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.
I think, it would look way less shady, if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn’t have eroded the trust in them as much as it did for me.
Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company’s statements indicates an actual move away from open source. Big nothingburger
Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary “SDK” library.
No one is listening I’m sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don’t think I’ve seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.
To me that just like an excuse for the current mess. Did you read the original GitHub issue?
Their CTO also seems to have questionable ideas about the GPLv3.
I’m going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, i’ll pay again.
vrighter@discuss.tchncs.de
on 22 Oct 03:09
collapse
I never had any success getting it to work consistently with Firefox.
vrighter@discuss.tchncs.de
on 22 Oct 12:44
nextcollapse
on some sites the plugin fails to properly detect which fields correspond to which, true (usually when javascript fuckery is involved). But fixing that by manually pointing out the fields once on such sites is easy enough for me. I also switched firefox to use keepassxc for passkeys, which makes them actually portable and usable for me.
I daily drive Firefox as my browser, maybe it’s an issue with the branch? I’ve never had this issue myself. On the rare occasion that that it doesn’t properly detect password field I can just right click and shows as a menu option that I can fill password fill TOTP or email, I’ve never had it just not work at all. Excluding mobile, but that’s strictly an issue with how Android does Auto filling because they can’t have the service that fights to do both and since Firefox has its own autofill service it’s a coin flip of whether or not it uses keypass or Firefox built in password manager
threaded - newest
so what’s the best pw manager?
Honestly, it’s Bitwarden right now. This move signals their intent to change that, though.
so the “no longer open source” means they’ll be moving to a saas model or something? i’m not super cybersecurity savvy but bitwarden is what i use
It means we have less insight on what they are doing with our passwords.
great…
It doesn’t mean that in this case, except perhaps very indirectly.
No, technically they already are SaaS company. That’s mostly how they make their money.
Also it should be noted “no longer open source” doesn’t mean they’ve done a “our code is now closed and all your passwords are ours” rug pull like some other corporations. This is a technical concern with the license and it no longer meets proper FOSS standards (in other words, it has a restriction on it now that you wouldn’t see in, for example, the GPL).
So by and large the change is very minimal, the code is still available, it’s still the best option. However, this does matter. It may be a sign of the company changing directions. It’s something they should get pushback about.
The SDK was never FOSS, and was never under the GPL. Hence why they can add the text mentioned in the article. You don’t get to change the text of a FOSS license to begin with. It isn’t unheard of for text like this to be part of proprietary software that integrates with and uses FOSS that are under different licenses.
That said, this is concerning, but whether it changes BW’s FOSS state is a matter of legal bickering that has been going on for decades.
You can’t retroactively change FOSS licensing, but oft times you can alter the licensing moving forward. Not always the case, of course. But in no way are all FOSS licenses set in stone.
From the update, it looks like they consider it a bug, which they’re working to resolve. Let’s see how they resolve it before jumping to conclusions.
Keepass? No cross device support, you need to manage that yourself through something like Google Drive…
lol that’s what i used before i switched to bitwarden-- didn’t have any complaints, but the database key file thing was kind of a pain
What do you mean “no cross device support”? KeePassXC supports Win, Mac, Linux and there are iOS and Android apps available…
As for the lack of cloud and requirement to provide your own synchronization, for some (like me) that’s a feature, not a limitation :)
Do any of the iOS or Android apps support passkeys? I looked into this a couple days ago and didn’t find any that did. (KeePassXC does.)
Keepass2Android doesn’t have it yet, but seems to be working on it
github.com/PhilippC/keepass2android/issues/2099
Strongbox seem to have their implementation done for iPhone
strongboxsafe.com/updates/passkeys/
I don’t use passkeys so I don’t know. Maybe I should research into passkeys, what’s the benefit over plain old (long, randomly generated) passwords?
Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, …) to authenticate you, so, yeah, I’m not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.
I’ll stick to old-fashioned, long, secure, randomly generated passwords, thanks.
Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.
This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.
Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.
I see, that makes sense and should be more secure, in theory. Thanks for the explanation.
The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it’s different, but that’s not my only OS).
Also if the private key does get compromised (e.g. local malware steals it), hopefully there’s an easy way to revoke it.
Your Passkeys have to be stored in something, but you don’t have to store them all in the same thing.
If you store them with Microsoft’s Windows Hello, Apple Keychain, or Google Password Manager, all of which are closed source, then you have to trust MS/Apple/Google. However, Keychain is end to end encrypted (according to Apple) and Windows Hello is currently not synced to the cloud, so if you trust those claims, you don’t need to trust that they won’t misuse your data. I don’t know if Google’s offering is end to end encrypted, but I wouldn’t trust it either way.
You can also store Passkeys in a password manager. Bitwarden is open source (though they did recently introduce a proprietary, source available SDK), as is KeepassXC. 1Password isn’t open source but can store Passkeys as well.
And finally, you can store Passkeys in a compatible security key, like the YubiKey 5 series keys, which can each store 100 Passkeys. This makes them basically immune to being stolen. Note that if your primary interest in Passkeys is in the phishing resistance (basically nearly perfect immunity to MitM attacks) then you can get that same benefit by using WebAuthn as a second factor. However, my experience has been that Passkey support is broader.
Revoking keys involves logging into the particular service and revoking them, just like changing your password. There isn’t a centralized way to do it as far as I’m aware. Each Passkey is only used for a single service, after all. However, in the same way that some password managers will offer to automatically change your passwords, they might develop a similar for passkeys.
I was finally able to find some technical detail on passkeys on FIDO website, and yeah, it actually looks like it’s a real improvement over passwords: it’s simple, uses proven technology (public/private keys), and should be much more secure than passwords.
Also, nothing in the “specs” says I need to entrust my private key with the OS or a third party, which is good.
That said, it seems some OS support is required nonetheless, to show the pin / biometrics prompt (or is it?), and on android at least, I’d need to buy a new device with Android 14 to use a non-Google passkey provider…
I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.
From a quick search, Keepass2Android doesn’t have it, not clear if they’re working on it: github.com/PhilippC/keepass2android/issues/2099
KeePassDX similarly has an open issue, not clear when/if it will be implemented: github.com/Kunzisoft/KeePassDX/issues/1421
Good to know about Strongbox on iOS, though I’m on android so no bueno for me.
Agh, gross.
Vaultwarden is a nice self hosted bitwarden alternative
github.com/dani-garcia/vaultwarden
Some prefer using KeepassXC and sync the database between devices
www.ctrl.blog/…/keepass-vs-bitwarden-server.html
Vaultwarden is Bitwarden–at least for now, this change may push them apart.
+1 For KeePassXC and the KeePass ecosystem. Yes, you need to sync the database yourself, but you can use any file sharing service you like, e.g. google drive, dropbox… or selfhost something like nextcloud (like I do), which for me is actually a point in its favor.
Based on this news, I think I made the right choice back then when I decided to go with KeePass.
As someone who used to use KeePass, went to LastPass, and then Bitwarden (Vaultwarden), I finally got my non-tech literate wife to use Bitwarden. I’m concerned that KeePass might end up being more difficult if it comes down to it. I believe that KeePass had some sort of browser integration but it really has been a long time since I used it so who knows the current state. Curious how browser integration is today.
The big issue isn’t using it, it’s syncing it.
User A used KeePass to order pizza and changed the Papa John’s(heaven forbid) password while they were at it, on their desktop.
syncing: “oh! This file changed! Neat!”
User B picks up their phone and wants to order Papa John’s at work. They try, but the password isn’t right. Huh. They check KeePass. No issues. They go to change the password because they think something is wrong.
(All the while, they never thought to see if syncthing had been woken up in the background lately)
They change the password, update KeePass,
syncthing opens later, goes: "Oh, hi, User B’s phone! I have a ne- Oh! You have a new password file too!!? Small world! I’ll take both!
Now there’s two files, two users who think they both made corrections to a password, syncthing thinking nothing is wrong, and someone has to now merge the newer KeePass file over the old ones by hand and realize what happened, but the bigger problem is, no one knows anything is wrong yet and it doesn’t even take two users. This can just be you ordering on your phone after modifying on your desktop.
As an example. Imagine an insurance app, or a banking app, or the DMV… And you won’t know for months down the line. It gets old.
Ah yeah, the fun of how that works. I recall that I had previously set up WebDAV to try to simplify my source of truth but I think that was just with the original KeePass app, not KeePassXC. I also wasn’t trying to share passwords among multiple people but I do recall having issues when I was using Dropbox to sync to my phone since I would have to actually make sure Dropbox had updated the copy of the file which required me opening the app at the time.
I use KeePassXC on desktop and Keepass2Android on, well, android, and sync via nextcloud. They all seem to handle syncing correctly, merging changes made on one side, or showing a notification about a conflict, and KeePassXC can definitely merge the two “conflicted copies” together reliably with a couple of clicks (yes, a no-click solution would be better, I know, but it’s not “manual”). Keepass2Android integrates directly with nextcloud and seems to handle it fine.
The situation can definitely be improved but it’s not so bad for me. Also, two different people should probably use two different database files and not share passwords ;)
Not sure how syncthing handles conflicts, it’s been many years since I tried it.
I use KeePassXC’s browser integration daily and it works pretty well with Firefox (linux), well enough that I’m not complaining, but I cannot compare it with Bitwarden cause I never used it. On Android I use Keepass2Android and works well with autofill, but again, I can’t really compare it.
Something tells me Bitwarden works better, just by virtue of being a commercially supported product, but I have no complaints with KeePassXC & Keepass2Android (KeePassDX works well on android too). Original KeePass desktop client was never great though.
Proton Pass is open source and the company that runs it recently reincorporated as a Swiss non-profit to ensure their privacy mission can’t be bought out by venture capitalists etc.
reddit.com/…/proton_pass_is_open_source_and_has_n…
proton.me/blog/proton-non-profit-foundation
Vaultwarden updated link
Open source version of bitwarden written in rust.
Where is the foundation to support foss?!?
This is by no means to a slight towards bitwarden. Solid product and community
You have your link formatted backwards. It should be Vaultwarden, with the link in the parentheses.
If they're moving away from open source/more monetisation then they're going to do one of two things.
1: Make the client incompatible (e.g you'll need to get hold of and prevent updating of a current client).
2: DMCA the vaultwarden repo
If they're going all-in on a cash grab, they're not going to make it easy for you to get a free version.
Don’t forget option 3: someone writes a vaultwarden client independent of the closed-source crap.
If you can write a server that fully supports the client via the documented API, then you know everything you’d need to do to make a client as well.
That’s not a third option in the same list (things they are going to do), it’s an item in an entirely different list (foss responses to their actions).
You can’t “dmca” the fork that was created while it was still open source. They could only prevent it from getting future updates (directly from them).
If you mean they shouldn't. I'd agree. But, as has been seen a lot on youtube. "They" can DMCA anything they want, and the only route out is usually to take them to court.
I mean I'd hope if they're going in this direction they will be decent about it. But, it's not the way things seem to be lately.
DMCA is a tool for suppression of free information. It doesn’t require evidence that you’ve made a good faith effort to consider fair use or other legal complexity as it’s meant to take down the information before that is settled in court, but most commonly used to suppress information from a person or group who can’t afford to fight it in court. Microsoft’s Github has a history of delete first without risking their own necks to stand up for obviously fraudulent takedowns much less ones with unsettled law like APIs/SDKs.
This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction for a company that proudly uses the opensource slogan.
nothing lasts forever without being enshittified
not in capitalism no
Except if it’s free software.
Welp, I guess another time to move here soon.
And I just fucking vouched for them to a friend recently 🤡
Didn't know about VC funding these parasites using their funding to turn everything into shite.
What's the current "best" alternative? Keepass?
I haven’t jumped yet, but the Proton suite is looking more and more appealing. I’ve been eyeing them as a Gmail replacement, but I’ve been happy with my VPN and password management providers. As this reduces the bundle makes more sense.
They have a solid value proposition but don't like putting all my eggs all in one basket both for security and monopoly reasons.
They seem to be gunning for one stop shop and I think they are doing decent shop but I just don't like the idea after what Google did to us.
Situation is a bit different but gonna need to tka the lessons and not let these corpos do this again.
That’s a good practice, and I think you’re right that is what they’re going for. I don’t think that means you shouldn’t consider them, but it does lower their value proposition as the bundle is the better deal.
this isnt a full solution obviously, but I figured it’d be nice to know: Proton lets you set different passwords for your email and password manager, so at least from a security standpoint its not all behind the same password, even if it is still from the same company
It’s not open source, but I got a lifetime license for Enpass over a decade ago and it’s done everything I’ve ever needed it for. I think stacksocial occasionally has new lifetime codes for sale. I like the idea of Proton Pass as others have said, but it feels a bit like putting all my eggs in one basket, which is a mistake I already made with Google before (context: I use Proton for email). I think Keepass is the next best option if dedicated to staying FOSS.
They’re basically trying to get rid of vaultwarden and other open source forks. I expect they’ll get a cease and desist and be removed from github at some point in the not too distant future if they don’t make some changes. I have a vaultwarden instance and use the bit warden clients. Guess I’ll need to look for alternatives in case Bitwarden decides to get aggressive.
This is disheartening.
pass: the standard unix password manager
By trying to make things simple, this ends up making it more complicated and convoluted than anything
Unix elitist think the average user is willing to just memorize a gazillion different commands. No, nope. Not ever going to use a command line password manager.
Is typing “pass” into a terminal really that much harder than typing <passwordmanager>.com into a browser?
I really don't know why you think I'm doing that in the first place.
Because unless you paid someone else to set up an account for you, you had to get there somehow. And if you’re using the built in password manager from your browser, none of this article is relevant to you anyway.
have you heard about bookmarks? browser addons? smartphones? URL-checked autofill?
keepass is superior to pass. it even has a CLI.
Yes, that’s why I mentioned account setup. You need to get to the site to bookmark it. And pass has a browser extension too: github.com/uri/browserpass
Keepass was where I started before moving to pass and then vaultwarden.
Most people use an extension on web and an app that uses the system autofil functionality on mobile (at least on android, I’ve not used iOS for a long time)
You don’t have to open anything, or type anything other than a password. On mobile you just use your fingerprint, don’t have to type anything at all.
If you’re taking about initial setup that’s also gonna be a lot more complicated for an average user than bitwarden.
A command line tool is not even remotely a comparable user experience. It may work wonderfully for you, and I’m glad it does, but it’s pretty out of touch to suggest that it’d be a good fit for most people
.
I like pass and used it for a while, but sharing passwords with it wasn’t nearly as straightforward as it is with bitwarden.
Goddammit. It’s getting to the point I’m going to have to figure out how to write my own app for this.
It shouldn’t even be that complex…
I might be mistaken, but ultimately a password manager is basically nothing more than a database of passwords in an encrypted zip file, right? That could entirely be self-hosted with off the shelf open source applications stringed together.
All you’d need is a nice UI stringing it all together.
Edit: I’m not sure why people are downvoting me. Is that not what a password manager essentially is?
Yup, thanks. Was thinking along these same lines.
That is the bare minimum of a password manager like Bitwarden.
I’ve done basically this in the past by encrypting a text file with GPG. But a real password manager will integrate with your browser and helps prevent getting phished by verifying the domain before entering a password. It also syncs across all my devices, which my GPG file only worked well on my desktop.
Keepass is exactly that. Basically all the client side parts, and the database is a single encrypted file that you can sync however you want.
I see it as it’s easy to self host. But I’m not skilled nor rich enough to guarantee the availability of it. I don’t want to be stuck on a holiday without my passwords because my server back home died from black out or what have you.
I pay for bitwarden and the proton mail package to keep the password management market a bit more competitive and it actually works out cheaper. It would be nice to have protons anonymous emails built in, but I can live with it.
But I might have to reconsider if Bitwarden is going a different direction that what I’m paying for.
It’s the “stringing it all together” that could be problematic.
If you have multiple clients (desktop/cellphone) modifying the same entry (or even different entries in the same “database” ). You need something smart enough to gracefully handle this or atleast tell you about it.
I did the whole “syncing” KeePass and it was functional, but it also meant I needed to handle conflicts - which was annoying. I switched and really appreciate the whole “it just works” with self-hosted bitwarden.
<img alt="" src="https://lemmy.ca/pictrs/image/013883b6-2b8a-469d-a96e-d55a2dbf2d23.jpeg">
Thank you for the update! I would like to keep using it. I’ve been very happy with Bitwarden both as a password manager and a TOTP authenticator. I have even recommended it to my boss as an enterprise solution for us to use at work, and so far we are planning on replacing our current password database solution with Bitwarden.
Unfortunately, with “enshittification” being so common these days, it was very easy to believe they were also going to the dark side. I will remain cautiously optimistic after learning it was a packaging bug.
Here’s a link to the post on X (yes, I hate X, too) in case anyone else is doubtful:
x.com/Bitwarden/status/1848135725663076446
Yeah, I was worried about it too. I’ve become pretty cynical when it comes to everything becoming enshittified, but I’m hoping they stick to their word.
Well this ain’t good. I don’t really feel like switching apps.
That’s how they get you. Jump ship now
Anyone looking at this…what alternatives are out there?
KeePassxc with syncthing
Nextcloud with their password solutions
A notebook
I’m not going to jump ship just yet, though I may get around to updating my backup.
There are plenty of alternatives, so feel free to shop around. But don’t jump the gun just because of a random Phoronix article with an update that says basically the opposite of what the article claims. Wait some time to see if there are actual changes coming.
Yeah no. This is clearly backpedaling and you should look to get away
Maybe. Here’s what they say in the readme of the project people are complaining about:
There are two ways to take this:
Until I see evidence of the latter, I’ll stick with the project, but I’ll be more consistent about creating backups so I can switch easily if I need to.
sigh
Sooo, where's ProtonPass at? They're open source and non-profit, right?
The server is not open source and I wouldn’t trust a business that is not just working on password managers.
Because..? They're a privacy tool oriented company, no?
Because they aren’t focused on just one single service. Bitwarden is a single business only focusing on their password manager, whereas proton has a suite of tools. Passwords need to be stored absolutely in a robust and safe way. I don’t trust proton with anything at all, and the proton pass is no exception. The client might be open source, but the backend is not. It’s also not as mature as bitwarden.
These are valid points. There are many password managers, most of which it wouldn’t take much to poke holes in, especially if open source is a main criteria.
What are some that you would consider with Bitwarden now being off the table?
Vaultwarden
Its worth noting I don’t think they’re actually a company anymore, I think they’re now a non-profit (I may be mistaken, but that’s my present understanding)
Keepass vault synced over syncthing.
I keep not regretting it.
Was going to be my solution as well, bjt Syncthing-Android just got discontinued.
What? I need syncthing-android, where is it going?
F-Droid syncthing-fork is still actively developed and had a patch in the last few weeks.
Good to know
F-Droid syncthing-fork is still actively developed and had a patch in the last few weeks.
So hopefully this isn’t the end.
This is incredible <img alt="" src="https://lemmy.world/pictrs/image/a359d32d-d35a-4f8a-98f2-a6fffa45205a.jpeg">
Right next to each other lol
Syncthing fork seems to still be under active development
I was thinking the same. But, it is safe to share the password database like this?
Consider the possibility that someone could get your database.
It isn’t a safe. You can’t weld through the side of it and get in. You either make it ridiculous or impossible to get in.
Use something memorable, but insane.
My password is a three-line film quote with numbers in some of the places for letters.
Haikus work great. Memorable, complex. Wrote it yourself? Even better.
Syncthing is encrypted transfers.
The database is encrypted.
And you can set it to not use relays for data, only matchmaking between your own devices.
So it’s an encrypted file, encrypted again, and sent directly from an IP you own to an IP you own.
I’ve always loved Keepass, however I moved away from it in 2012 as it and any file based vault has brute forcing issues. You need to track every copy of it that has been made and if any copy falls out of your hands, like if you lose a device, you need to do a password rotation on 100% of your passwords. Since its a file, its not possible to prevent brute forcing.
everything’s a file
An online database is still a file ultimately. A SQL or other DB file stored in a webserver, accessed through a web interface.
Vaultwarden, etc, are the same, only the database file is less directly visible IMO. Keepass IMO is simple. The DB in a bespoke format, stored outside the application.
You could put the vault in system32 and name it “trustedinstaller.log”, and if someone saw you had keepass they wouldn’t even know where your vault is.
Given the number of well documented breaches of online password vaults, I would much rather do a private device to device sync via syncthing and keep it out of webservers.
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
Keepassxc? Vaultwarden?
Isn’t Vaultwarden used with non-free Bitwarden clients?
The clients are free.
They now require a non-free Bitwarden SDK component. That’s what this whole conversation is about.
Could you ELI5 please?
“You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.”
This is a condition when using their SDK. This is not considered a free (as in freedom) component because it violates freedom 0: www.gnu.org/philosophy/free-sw.en.html#four-freed…
Only the desktop client. And the response is that not being able to compile sans SDK is an issue they will resolve.
I still think this is bad directionally, but we need to see what happens.
And the whole conversation is about a bug, not a change in direction…
This need not be the case, though! There’s an open source client on Android called Keyguard. I don’t think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.
True, but the firefox extension is nice.
Keyguard isn’t open source. Have a look at their license. It just says “All rights reserved”.
Pass.
pass
Keepass: Am I a joke to you?
Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.
Android syncthing announced they’re stopping development this year. Open source got fucked double today
terrible day. There is a fork called syncthing-fork that is under current development. I hope both projects merge.
Notepad.exe
Its open source now right?
Nothing in the article or in the Bitwarden repo suggests that it’s moving away from open source
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
From the article, it’s a packaging bug, not a change in direction.
I was referring to this which started it all.
Here is the code in question. Basically, it’s a source-available, but not FOSS internal SDK, with the following language:
So I think the “bug” here is in not linking the original repo in the NPM package, and there’s a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it’s currently not FOSS, but it’s too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they’re just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.
Given their past, I’m willing to give them the benefit of the doubt, but I’ll be making sure I have regular backups in case things change.
Its called Keepass. You are welcome
They have confirmed it was a packaging bug and will be resolved.
Well, I guess not having password manager yet did had some benefit because now I know not to use bitwarden
EDIT: The article has been updated and it was described as a “packaging bug” and not an intended change.
How many times do I need to pack up and move to the next “best option”
Sadly as many times as needed, complacency is how these companies get “loyal customers” who are willing to put up with bs
Just go to Keepass and its over
That’s far from the best option. It’s working, but it’s super complicated compared to Bitwarden and other cloud password managers. Imagine telling your grandma “just use keepass”, she would never be able to make it work. But Bitwarden? Lastpass? That’s possible
Is it so?
I feel like anyone who can open up and edit ms word can do it, just double click on the
keepass.kdbxfile and it opens up prompting for a password.Syncing is a bit of a problem and I wrote an article on how I do it here in the easiest way I found. Though MEGA cloud does not have a good reputation among general public, their share link is something you can write in a piece of paper and keep in a safe.
“Just double click the keepass.kdbx” is not what it is. You need to go to your explorer, find the file in the folder structure and double click it. You then need to search for the website you are on and copy the password, then you need to go back to the website within 12 seconds and paste the password. That’s inconvenient for everyone, but for a tech-illiterate grandma it’s impossible.
Compare that to Bitwarden: You go to the website, click on the bitwarden icon and then click on the login details. Or even better, you can enable auto-complete with a single click and it automatically fills the login details when on the website, without clicking anything. That’s far more convenient and easier.
Just as a FYI: My grandma has a sticky note on her laptop that shows exactly which buttons to press to get to her emails, with things like “Click this twice within 2 second, be fast!!” for a double click. It doesn’t say “lef mouse button”, she draw her touchpad and an arrow. She is not able to find her mails when the website changes the layout.
In this case, zero, because it’s a packaging bug, not an actual change in direction. Read the update on the article:
Next time, before jumping to conclusions, wait a day or two and see if the project says something.
Not sure who downvoted you, you literally quoted the article.
I really hope that this is actually the case, but I am not very optimistic. This doesn’t seem to be a mistake. They intentionally move functionality of their clients to their proprietary SDK library. The Bitwarden person stated this in the Github issue and you can also check the commit history. Making that library a build-time dependency might actually have been a mistake. That does not change the fact, that the clients are no longer useful without that proprietary library going forward. Core functionality has been move to that lib. I really don’t care if they talk to that library via some protocol or have it linked at build time. I wouldn’t consider this open source, even if that client wrapper that talks to that library technically is still licensed under GPLv3.
Proprietary is a strong word IMO. Here’s the repo, it’s not FOSS, but it is source available. It’s entirely possible they make it more open once it stabilizes, but it’s also possible they make it less open as well. It’s still early, so we don’t know what the longer term plans look like.
I don’t think we should be panicking just yet, but I’ll certainly be checking back to see what happens once this internal refactor is finished, and I’ll be making some more regular backups just in case they are, in fact, trying to take it proprietary. I don’t think that’s the case (why would they? I don’t see the benefit here…), but I guess we’ll see.
Yeah, that’s what I meant by “proprietary”. I guess having the source to look at is better than nothing, but it still leaves me uneasy. Their license lets them do anything they want (ignoring that - as it stands - their license is void due to the linkage with GPLv3 code, but they said they want to fix that). I have no idea what their plan is. I don’t think it is in their best interest to go the route they appear to be going. Having truly open source clients seems to be a selling point for quite a few customers. But what do I know…
Agreed. If they end up not making this component FOSS, I’ll probably leave and take my paltry $10/year with me (which I don’t need to pay since the features I use are all in the free version). But I’ll give them a year or so to work out whatever refactoring they’re doing before making that call, I’m certainly not going to jump ship just because a new component is merely source-available.
Great, I’ve just started to use it last week 🤡
Just switch to KeePassXC
That’s what I’m using mostly, but the convenience of having auto fill in firefox and being able to share some logins made me want to try bitwarden. Also, it’s not complicated to sync between several devices.
KeepassXC supports auto fill in Firefox if you install their plugin!
It’s just a packaging bug and they said they will fix it.
Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.
The plot thickens.
Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.
I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.
The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)
Phew, looks good on the news with the packaging bug (if they didn’t just got cold feet for worse PR/backlash than they expected and this is a backtracking).
In this case, hopefully Garcia is employed for his expertise and can be deployed to further open source relations :)
And I am an ardent optimist, hence why I see it as a good thing.
But yes, worst case someone will fork it, and I’ll probably use that fork.
I wonder~ I wonder~ I wonder whyyyy…
<img alt="" src="https://lemmy.dbzer0.com/pictrs/image/792ec04a-89e0-46bf-9838-c49824785075.webp">
I don’t understand.
Are you saying it’s a bait and switch like Google, where they suck people in with a good product then enshittify it once they’re hooked?
I’m not thoroughly aware of their dealings, but these amounts of private investment aren’t going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.
From the looks of it, Bitwarden might’ve tried to go with the Open Source model to get free development resources, trust (because it’s an open source PASSWORD manager), and general goodwill. But now that they’ve deemed that got enough of a market share (or investors are starting to breathe down their necks), it’s time to start raising the walled garden.
Even if they claim after the fact that it was a “Bug” that the client couldn’t be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.
VC is a devil’s bargain. Raising VC money is NEVER a good sign.
Yeah well said. Looking forward to the day they try to force an “updated” privacy policy on users, or start charging 69.99/year.
Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.
I hate this. Bitwarden has been a good app.
Nextcloud passwords is just a client for a KeePass vault.
I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.
TIL… Thanks.
EDIT: Been playing with it a bit now and if it uses keepass as the DB the advantage I see right now is that having it in Nextcloud means automatic sync, and there are several autofill and syncing apps for various OSes and password sharing and automated checks for breaches. It’s probably a better option for anyone with Nextcloud than going the Keepassxc/syncthing route.
Oh really? Where’s the keepass file stored? This would be very cool if so
Are you sure?
Because last time I tried that it was THE worst password manager that i ever tried in my life. I’d feel safer with the ie6 password manager
You can encrypt the entire vault and all the contents,… but imo, that should be a default setting.
Seriously, as-is, you log into Nextcloud, click on passwords and every password is literally right there. I’m sure they’re encrypted in the database but fffff.
(I tried it out on my install just now)
(I use KeePassxc mostly)
It’s a packaging bug, the headline is false.
And it still is. There’s no reason to stop using Bitwarden, and I will continue my plans to switch to Vaultwarden.
As @Krzd@lemmy.world said, it’s a packaging bug, not an actual change in license. If you read the article, it says as much in the update.
Keepass. Keep it simple.
If you want to roll your own with keepass that’s fine, but most people will want a more comprehensive solution.
I switched from keepass to Bitwarden because individual entries started randomly disappearing. I’m still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn’t touched since before the entry disappeared.
Sound like something you did with replacing files. KeePass is dead simple, and that’s why it’s great.
Nah, the timeline looks like this:
Like, it should be in the backup, I proved it was in the original before and after creating the backup. Heck if I know why they went missing.
3rd party sync of the database can have a lot of problems
According to Bitwardens post here, this is a “packaging bug” and will be resolved.
I use to always recommend bitwarden to people. Now i feel like an idiot for doing so with them switching up. Ill be making the effort to move to keepassxc soon and host it myself.
…host it?
…is there something I’ve been missing out on? Can one host a KeePass vault online? We have web apps? I only know about the Nextcloud ones. I’ve just been using syncthing and merging the conflicts when they happen.
I used to keep a copy of my kepass file in a free Dropbox account.
I mean sync it between my devices using something like sync thing
They literally posted that this is a packaging bug and will be resolved.
That’s good news
Just because I didn’t see a response on this one, you might have read it already in other comments but the packaging bug is a cop out. They are still intending to migrate over to the proprietary SDK, and it will eventually become a requirement for the platform. The only difference was that at the state of the project it wasn’t supposed to be a requirement in order to compile, but they do still very intently have a restrictive license on the SDK and you aren’t allowed to use the sdk outside of the project. meaning that it has to be present for the program to work and that you’re not allowed to use it in other programs.
Why they call it a packaging bug I’m not sure because the end result is the same the package is required for the program to work and that package that is required is not GPL
That being said some other comments have gone a little bit more in detail on it and might be a little more descriptive than me
can we start reading the articles and not just the headlines??? it literally says it’s a packaging bug
In general, if it’s Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.
…in the update that came out after this article was posted and the discussion took place.
mb i didnt see the update part
It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you’ll notice that he’s talking about that proprietary “SDK” library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn’t make the situation any better. The client won’t work without their proprietary “SDK”, no matter if they remove the build-time dependency or not.
When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:
This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I’m fine with this.
I don’t see why this should make any difference at all. Sure, I get why he is are saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.
I think, it would look way less shady, if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn’t have eroded the trust in them as much as it did for me.
oh shit i didnt know that, mb man
Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company’s statements indicates an actual move away from open source. Big nothingburger
Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary “SDK” library.
600 upvotes and only 10 downvotes on literal fake news. I wish readers were less lazy, it’s very frustrating.
Edit: made my statement a bit less toxic. I was mad.
No one is listening I’m sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don’t think I’ve seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.
Community is fine, your comment is at the top, along with others pointing this out.
It’s the “non-community” if you will boosting this. The passerby’s not reading comments.
How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.
Why would it be fake news? Because they called it a “packaging bug”?
Yes.
To me that just like an excuse for the current mess. Did you read the original GitHub issue? Their CTO also seems to have questionable ideas about the GPLv3.
<img alt="" src="https://lemmy.ca/pictrs/image/7c75864d-1394-467a-adfc-3d0071430b2f.jpeg">
oh thank god
The community’s reaction is a but funny if this was a honest mistake
Thats not good :(
I’m going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, i’ll pay again.
what sucks about keepassxc?
I never had any success getting it to work consistently with Firefox.
on some sites the plugin fails to properly detect which fields correspond to which, true (usually when javascript fuckery is involved). But fixing that by manually pointing out the fields once on such sites is easy enough for me. I also switched firefox to use keepassxc for passkeys, which makes them actually portable and usable for me.
I daily drive Firefox as my browser, maybe it’s an issue with the branch? I’ve never had this issue myself. On the rare occasion that that it doesn’t properly detect password field I can just right click and shows as a menu option that I can fill password fill TOTP or email, I’ve never had it just not work at all. Excluding mobile, but that’s strictly an issue with how Android does Auto filling because they can’t have the service that fights to do both and since Firefox has its own autofill service it’s a coin flip of whether or not it uses keypass or Firefox built in password manager