this post was submitted on 16 Aug 2023
44 points (94.0% liked)

Privacy

31859 readers
222 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I dont agree with many things apple does at all, and I also think their password manager has flaws like revealing usernames without authentification.

It is pretty handy though, to have a file where the entries are stored unencrypted, and if the password manager detects an entry it prompts to decrypt exactly that field, maybe with a fingerprint.

KeepassDX needs to run in the background and be completely unlocked to even detect apps or password fields.

Do you know any existing app that can do this?

all 41 comments
sorted by: hot top controversial new old
[–] [email protected] 26 points 1 year ago (3 children)

Bitwarden if you want it in the cloud, Keepass if you want it on the device. I'd recommend PrivacyGuides.org's recommendations this time. They are rather careful as to what they recommend, still doesn't mean they always get it right.

[–] [email protected] 10 points 1 year ago (2 children)

You can also self-host Bitwarden using Vaultwarden.

[–] [email protected] 6 points 1 year ago (1 children)

You can also run Bitwarden proper locally but unless you really know how to run and maintain a web server I wouldn’t recommend this.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

The official docker image uses a lot more resources than the vaultwarden container, but it allows significantly more than 100 users. If it’s just for yourself and your family I suggest just going with Vaultwarden.

[–] [email protected] 1 points 1 year ago (1 children)

Why would any private person need this?

[–] [email protected] 1 points 1 year ago

You don’t. I meant to say that only large organizations need the official Bitwarden docker setup, but I did not communicate that clearly enough.

[–] [email protected] 3 points 1 year ago (1 children)

Yes, but that is still cloud based. Keepass is local

[–] [email protected] 3 points 1 year ago (2 children)

Well, only if you host it in the cloud. Not if you host it at home, for example.

[–] [email protected] 4 points 1 year ago (1 children)

I think what they meant is that one option uses network connectivity while the other functions entirely offline

[–] [email protected] 2 points 1 year ago

No, I did mean cloud based. Thank you anyways

[–] [email protected] 2 points 1 year ago (1 children)

Which would make it hardly accessible outside of your home. Still not locally saved as well. And imho if he is not sure which password manager he should choose, he should maybe not self host just yet.

[–] [email protected] 3 points 1 year ago (1 children)

Bitwarden keeps a local encrypted copy of the database and only connects to the server for synchronisation.

[–] [email protected] 0 points 1 year ago (1 children)

I am aware. Why are you telling me this?

[–] [email protected] 1 points 1 year ago (1 children)

Maybe because it seems you claim self-hosting bit warden is cloud only and that self-hosted is not accessible outside the house?
Note: I do not recommending self-hosting bitwarden

[–] [email protected] 2 points 1 year ago (1 children)

Note: I do not recommending self-hosting bitwarden

Why not? I have my own instance running on my NAS and I love to have it self-hosted because this way I keep the passwords where I know nobody else can get them.

[–] [email protected] 1 points 1 year ago (1 children)

Because a password manager is critical and if you ask me I’d say no. If you have the know how and understand the risk you won’t be asking

[–] [email protected] 1 points 1 year ago (1 children)

Well, I work in the IT so I know some stuff about security in the digital world. But these systems (password managers in general) are built to be secure and not just tell every password they store without some security measures. Yes, I know there can be security holes, bugs and so on. But that's why these tools get thoroughly tested.
You always have to take risks in the world of computers. So what's the point? Being as secure as possible? Then better not even bother with password managers at all because they all can have security holes.
It's more about how much you trust a password manager and how much you trust yourself in how cautious you use it. The risk is always there.

[–] [email protected] 1 points 1 year ago (1 children)

Ok. I’m quite the IT person myself, and I can say I’d not recommend you running your own either.

[–] [email protected] 1 points 1 year ago (2 children)

That's fair. Everyone has a different opinion. But I think it's always better to self-host Bitwarden than using the cloud service because then your passwords are stored in a place where you have full control of. Afaik if you use the official Bitwarden vault your passwords are stored on some Amazon servers.

[–] [email protected] 2 points 1 year ago (2 children)

Self hosting is not for everyone. You need to understand backup, redundancy and recovery. That would be the main reason I don’t recommend self-hosting. Bitwardens self-hosting package are mature enough for me.

So it’s more about loosing all your passwords than someone breaking in to your vault

[–] [email protected] 1 points 1 year ago

Actually it's not that big of a problem. All clients make a local copy of the server's database when they sync. So even when the server is unavailable you still keep your local copy on your client. Every client of Bitwarden offers the option to export your whole database. This means you could easily use that to import your exported database to any other instance.
The only "big problem" I see is to learn how to self-host. Most people are not tech-savvy so they don't know how to do it and don't even want to learn it.

[–] [email protected] 1 points 1 year ago (1 children)

Security is only one part of it. If you host a password manager yourself then things like availability, backups, disaster recovery and monitoring also become your responsibility. I'm hosting my own vaultwarden but there is only a very limited amount of people I would suggest self hosting a password manager to, because I know they have the knowledge to do it and understand the risks.

[–] [email protected] 1 points 1 year ago

Since every client of Bitwarden makes a copy of the whole database on the server when it syncs, it's not like all your credentials are lost when the server gets unavailable. You can make an export of your database on that client and import it on another instance. This said you already have a built-in backup feature.

[–] [email protected] 7 points 1 year ago (2 children)

KeePassDX + Syncthing is the best solution.

[–] [email protected] 1 points 1 year ago (1 children)

Use that but its not about that topic. Its about storing unencrypted metadata (or usinh android Keystore for example) and having autofill work always even if the database is locked, and its quickly unlocked just for that entry

[–] [email protected] 2 points 1 year ago

I don't think any password managers that don't have that feature currently are likely to implement this feature after the beating that LastPass took in the press about it:

LastPass breach is worse than you think because URLs were unencrypted

Maybe an app might be able to cache the metadata locally but I don't think it would be something people expect to be unprotected at this point.

[–] [email protected] 1 points 1 year ago

I like this solution but it's not really entry level

[–] [email protected] 1 points 1 year ago (1 children)

What do you think about PrivacyTools.io? Are they on the same level as PrivacyGuides.org?

[–] [email protected] 2 points 1 year ago

As announced on July 27th, and on Sept 14th, 2021, The Team Formerly Known As PrivacyTools.io – the entirety of the team providing privacy-related advice & services to you for the past couple years – has transitioned to PrivacyGuides.org and r/PrivacyGuides. Please join us there. :) For more recent news regarding The Reddit Blackout, see: https://lemmy.one/post/74432.

Taken straight from the privacytools.io subreddit description. This will tell you more.

Privacytools.io does seem to be quite outdated currently. There are other good sources out there however.

[–] [email protected] 13 points 1 year ago (3 children)

The recently released Proton Pass is also open-source and audited, keeps all the entries (including metadata) encrypted, and has a nice UI on mobile.

[–] [email protected] 2 points 1 year ago

it's worth mentioning that protonpass unlocks biometrical on mobile devices and the browser-plugins support 6-digit pin codes.

[–] [email protected] 2 points 1 year ago

Also, for little money gain unlimited mail aliases (and the desktop UI is also nice :) )

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Kinda confused, you want a password manager that stores entries unencrypted but when you need them, the manager encrypts the entry and then prompts you for authetication to autofill the entry? That seems kinda dumb but if its just for convenience to not input your masterpassword everytime, keepassdx allows biometric unlocking. Think it'll take as much time as what you described without potentially exposing any unencrypted entry info

Edit: Before someone jumps at my throat, security wise using biometrics is also kinda a no no but I understand not everyone has the same threat model so go for it if you want

[–] [email protected] 5 points 1 year ago (2 children)

If I understand it correctly, the passwords are stored encrypted, but not the additional data, like website-URLs and app-names. This way the password manager only needs to temporarily decrypt a specific password when it's needed for auto-fill. In regards to the passwords that's probably a bit safer than keeping all the data and the passwords unencrypted in memory. But the cost is that all the other data is stored unencrypted.

[–] [email protected] 4 points 1 year ago

Ohh thats kinda interesting I didnt know this. I appreciate the info

[–] [email protected] 1 points 1 year ago
[–] [email protected] 3 points 1 year ago (1 children)

Use KeePassXC. Audited, code, open-source, highly customizable, zero cloud stuff.

[–] [email protected] 3 points 1 year ago (1 children)

Think its for mobile since they mentioned keepassdx

[–] [email protected] 1 points 1 year ago

Yes I already use these. On Linux I use Kwallet, store my huge random Keepass password in there and unlock the Keepass database by fetching that password using a shortcut.

But still, then the password storage is open. Not as elegant as an on-demand password requester, especially on Android