In the latest episode of “they will always sell you out” - they sold you out! Who would’ve thought.
Hoping for a good alternative client to appear, the writing is on the wall. Vaultwarden can’t exist without “leeching” off of Bitwarden.
I am confused. Aren’t their clients open source? How many milliseconds will it take till 100s of folks fork it?
Their server is useless and Vaultwarden is already a superior option
While I agree that they are an “at risk” company, I don’t think the software itself is at risk
We really need a VaultWarden service run by a non-profit.
Sad. Replaced everything with keepassxc + syncthing
I fucking knew this would happen years ago. Something always smelled “off” about BW.
namely the VC funding and the huge resource hungry clients to me
Goddammit. Why can’t we have nice things?
Well fuck this
I’m going to have to just write my own one of these fucking things aren’t I?
KeePassXC and Vaultwarden exist
And Strongbox for iOS. They communicate with KeepassXC to keep the vaults compatible with both software.
All hail the new Chief Enshittification Officer!
i was just thinking this week with the passphrase addition how good bitwarden is and when will the other shoe drop. There it is.
Keepass (all variants and forks) has a passphrase generator, been built-in for years.
The writing is on the wall for BW, and has been for quite some time now.
Keep ass what though? /s
why this over keepassxc?
When someone says “use KeePass”, we generally mean “use an app based on KeePass”.
Personally, I use the OG KeePass (work laptop), KeePass XC (all personal machines), Keepass2Android (personal Pixel), and Keepassium (work iPhone).
Whichever one you use is entirely subjective. Also, XC wouldn’t exist without the OG KeePass, so maybe don’t be a tribal weird-ass over it.
I’ve been wanting to move to KeePass from my current vaultwarden. What’s the most seamless way to synchronize the DB across GrapheneOS and Arch?
I trust Syncthing for syncing files, but it kind of feels insufficient for an actual encrypted database.
What works for you for syncing?
Personally, I use a plugin for passphrases and - last time I looked - the other forks didn’t handle them.
Does keepassxc support plugins now?
On my phone, I use KeePassDX from F-Droid and KeePassDroid (Not sure if that’s being maintained at the moment?)
The main point is; we need to support open source developers, so pick an open-source solution and contribute, donate, etc.
KeePassXC has passphrase generation built in
Jesus, I’m tired of switching password managers.
Password Store is the answer, if you don’t need passkey support. You can be sure it can’t be sold. It’s the golden middle: not self hosted, but not owned by anyone.
KeePassXC + KeePassDX is probably the best option, with the downside of no way to sync easily (syncthing is probably the best option there)
I might switch back at some point, been getting frustrated with the bitwarden extension performance always being so poor.
XC is really nice, but the devs are kinda dicks about not integrating some sort of syncing option, instead telling everyone who asks to “just point it to a local folder and use <insert sync tool of your choice> to keep that folder updated.” Which isn’t terrible advice, but some of us don’t have that option on managed devices.
I ended up using Keepass2Android and just pointing it at my webdav server, it seems to work pretty well!
On desktop it’s already taken care of since I put the DB in my folders that already sync via Syncthing.
My first password manager was KeePassXC.
Hooked it up with Syncthing, and I’ve never had issues aside from the occasional database duplicate.
Right, and it has a neat merge-database feature anyway, so no excuses for those holding back!
Sync however you want. Syncthing, Nextcloud, Dropbox, Gdrive etc.
Syncthing is the way to leave Google Drive, etc.
Is there a proper syncthing android client now, after the official android client was discontinued?
Solid question; there are only third-party apps. A recent discussion in !syncthing@lemmy.ml led me to most recently adopt BasicSync, which is incredibly low-profile and is probably the closest thing we can get to it.
However… if you want to get as pure as possible, you can apparently run Syncthing’s Linux version directly in Termux on Android without the need for a dedicated Android app. There are also entire alternatives to Syncthing like syncspirit (which can also be run through Termux and which I’m considering trying as well).
I use Nextcloud myself, but if people don’t want to host a server or fuck with syncthing, they can sync it however they want as long as they use a strong enough master password/phrase (which they should be anyway).
Oh, well, I’m talking about not having to password-lock and unlock your stuff constantly. For long-term storage, sure, that’s fine; anything else would be way too tedious, though, no? I guess it depends on your use case and if you could locally automate the locking and unlocking or something.
I’m not sure what you mean. On my computer, I have to unlock the database every so often (you can set how long) with my master password. On my phone I unlock it with my fingerprint. The method of syncing the database is irrelevant.
Merge conflicts are a concern for KeePass, especially for those that don’t want to resolve them. Sync is difficult. AFAIK this is a very common issue with Syncthing setups.
Also, the portability from Bitwarden to KP leaves a bit to be desired, though that’s probably 90% on BW.
I switched over to keepass yesterday, and surprisingly the import from BW was perfect (as far as I can tell), even passkeys came over just fine.
Merge conflicts are a concern for KeePass
It’s really not that much of an issue. I sync my database between several devices, some of which are only used occasionally. Rarely do I ever have a merge conflict.
If you’re editing the database on multiple devices before they have a chance to sync with each other, maybe stop doing that. That’s what causes merge issues.
I’ve been using KeePass with Syncthing for 5+ years now and I think I’ve only had a sync issue once in all this time.
Granted I do make sure I only use the database on one device at a time (so not making edits on desktop and my phone at the same time) and I’m using XC and DX clients not the OG KeePass program.
I’m curious what is causing sync issues to make it “common”, I use my db every day.
Yeah, it’s not an uncommon use case to accidentally or even intentionally edit the database on two online devices - I do it all the time when I want a new login to be used on my laptop right after I signed up for some new website on my PC, and the laptop just happens to have an “unpushed” change from last evening, or I edit the new login’s metadata, or whatever.
With this, I’d have to keep a mental model of the versioning of each database and avoid even touching my phone like the plague if KeePass is open on my computer.
It’s not that big of a deal, it’ll probably be a problem once every few months, but it’s annoying to keep track of and worth talking about.
Hmm, I’ll have to play around with it a bit more then to see if I can trigger it.
My only gripe is the browser autofill. Sometimes it triggers correctly and sometimes it doesn’t. I’ve noticed if I let KeePass add in a new login itself after I’ve manually entered it then it’s much more receptive to suggesting that login correctly going forward. So I’m tempted to create a brand new database and login everything manually so KeePass will create the database entries itself to fix my gripe.
I’m using KeeWeb on Mac and Windows and Keepass2Android on my Android device and I don’t have any issues at all. I’m storing in OneDrive though, this is the one thing I’m using it for still.
I’m using Keepass2Android (and KeepassXC). It can copy the database from/to an sftp server, so it can easily merge the entries. I don’t have the sftp server exposed to the Internet, because when I’m not home, nobody will change the database at home.
I use KeePass with KeeAnywhere. KeePass can natively sync over network share, FTP, or WebDav. With plugins, it can sync over SSH, FTPS, Amazon S3 compatible buckets (including open source compatible versions you host yourself), Azure, Box, Dropbox, Google Drive, OneDrive, and more.
KeeAnywhere
That’s a neat one, although it doesn’t look like KeePass supports passkeys yet, at least I don’t see it in the feature list.
Rclone with any cloud provider is another great option that’s seldom mentioned. I posted my setup as a comment on another post. You may find it here - https://programming.dev/comment/23849767
Yeah the performance is what made me install the desktop app, but then it’s 1gb in size
KeePass isn’t going anywhere. They’re also dragging their feet on passkey support, so you might go with KeepassXC.
Yeah, there was. It was forked because of that, actually: https://codeberg.org/ChiPass
404
I edited the comment, see my reply to @wiccan2@thelemmy.club.
Yep works now.
Link gives 404
I edited the comment. It ended with a period before, I assume your client thought it was a part of the link. Does it work now?
Their AI policy looks very reasonable, and they certainly aren’t vibe coding. Everything is rigorously reviewed and tested by a handful of experienced, competent humans.
They also don’t effectively allow collaboration though, which is my chief reason for using a cloud hosted password manager.
KeePass isn’t meant to be used that way. It’s a personal password manager. Always has been.
Valid. But it’s also valid that it now doesn’t work for me or anyone who also helps manage other people’s lives or works on a team ¯_(ツ)_/¯
What is “collaboration” in this context?
Sharing passwords between groups of people so everyone always has the up to date version. Not breaking the world if two people try to modify the same entry as some file syncing solutions do.
Hmm, interesting, though isn’t that a fault of the organization not having an account-linking system so that each person could have their own credentials but can still access the unified content? This workaround seems… flimsy, unless I’m not picturing a legit scenario in which no other method is as good, or something.
Sometimes it just makes sense to have a single team login.
Licensing for instance where each user costs money and not all users need a dedicated account to look at something of which only 1% is of importance to them.
Fair. I’ve clearly not worked at a place like this before!
It’s the fault of my family organization or every company we use that my parent’s bank, Google, phone, laptop, etc don’t allow more than one set of credentials to access the same thing?
It’s not just that we need to be able to share credentials the once a blue moon I need to help them by logging into their account?
You know why most cloud based services charge money? For stuff like this, because it’s not free to implement and maintain.
Easy and fault-proof password sharing and syncing needs software and hardware to do. You either set it up and maintain it yourself, or pay for a product that does it - like Bitwarden.
But your argument falls apart against something like Syncthing’s discovery networks combined with send-/receive-only folder types, which use no cloud yet allow the automatic, passive propagation of file updates to different users’ devices… right? No cloud, no self-hosting, yet automatic syncing across multiple devices…
Parallel creating, reading, updating, deleting password entries by multiple users.
Whoa, thanks. I had no idea this was a thing…
Sure they do. Multiple people can have a file open at the same time. I use it for exactly this every day at work.
With KeePassXC, that is. I don’t know if other flavors have different support. I use XC primarily for the browser extension.
And you can both modify the same things without causing horrible conflict issues? And you can share only parts of your vault with someone rather than having entirely different vaults you have to switch between? I’m assuming you mean putting the file somewhere like Google Drive, and you can access it offline even if you can’t edit it offline? For feature parity with Bitwarden, obviously ideally one could edit any time and it would resolve problems when it came back online if there were any but Bitwarden doesn’t allow this.
Yes, no conflicts. I don’t know if you can only share part of vault; I just created a separate one for a separate team.
I wouldn’t put it in Google Drive or anything like that. The separate sync logic will definitely cause conflicts.
I’m not worried about having access if I’m offline, because if I’m offline I’m not going to be able to log into anything anyway.
I guess a laptop, server, IoT device, or WiFi connection when your main device doesn’t have internet is out of scope for you?
Like fixing my laptop and not wanting to type the new password into my phone instead of copy/paste, sync when online?
And how are you sharing a file, to multiple people anywhere in the world realtime ish, without a cloud service you or someone else hosts? Doesn’t that necessitate some synchronization logic?
It’s hosted on a local network share, so we don’t need Internet access.
If I can’t copy paste, I just type it out.
We use a VPN to the office.
Two articles behind a paywall, one that won’t load, and another article that says the big problem with passkeys is…people are unfamiliar with them.
If anyone tells you that Passkeys are bad, they’re a liar. Way more safe than passwords, full stop.
Just don’t let Microsoft or Apple tie them to your device. You don’t have to do that.
There is no full stop there… A password that is sufficiently long will never be cracked no matter the hashing algorithm in use. Passwords are easily transferrable and can be communicated to a third party in the event of an emergency. They also provide tunable security, where you can trade off security for convenience if you want.
Some (not all, I know) passkeys are tied to a device. Stolen device means stolen passkey, and it’s potentially very difficult to recover from that. Passkeys are also locked to a certain standard, passwords have no such restrictions.
Tbh I don’t understand the move for passkeys replacing passwords. They should become the second factor when a user wants additional security. They’re perfect for that niche.
Passkeys provide a secure way to authenticate while also being convenient. With the tradeoffs you mentioned.
I don’t like the push for only allowing some vendors to issue keys and not allowing exporting and backups. And password should still be an option.
Passwords can also very easily be stolen during phishing, while passkeys are phishing resistant.
And while hardware passkeys can be stolen and used, those who steal them will still need the pin to use them, and the two major hardware passkey options now (Yubico and Token2) both have some pin brute force protection in their firmware to slow someone down long enough for an account to be secured another way.
As for passkeys on phones, they require the pin or biometric used to unlock the phones to be used.
“Difficult to recover from” was referencing setting all of your accounts back up. I should have also included “lost” and “broken” to make that more obvious. Many hardware (most? all?) passkeys do not allow for backup and restore.
But I do see an issue with stolen hardware passkeys being used for access too if they’re a primary factor. With the mitigations you mentioned hopefully holding up.
Are you calling me a liar? That’s pretty weird; it’s not like I’m telling you to stick to passwords while I move to passkeys. With that said, though, get Bypass Paywalls Clean (Mozilla-only, as far as I know) and you’ll never see another paywall again. I forgot about having that.
Just don’t let Microsoft or Apple tie them to your device. You don’t have to do that.
The problem is that this is where it’s eventually going to lead to.
At the very least you’re misguided or don’t know what you’re talking about. Passkeys are not vendor locked in and of themselves.
You can make the same argument against password managers because most iPhone users that use them, use Apple’s one.
They will almost certainly lead to vendor lock in. Why do you think they won’t? Apple’s password manager is definitely an example of vendor lock in. Many others have a simple to use export feature to CSV or something that others can understand
Edit: it could be that you don’t know what the WebAuthn/FIDO2 specification says or we understand it differently? Do you know how the attestation mechanism works? That ties the key to a device or software authenticator (the software authenticator is likely going to tie it to the device somehow, possibly even via a TEE).
Not really, Vaultwarden/Bitwarden offer passkey support. When I log into a service a popup shows on my extension, I click it and I’m in. It’s not gonna lead to device locking if you don’t want to…
except when the wide populace starts accepting it being device locked, and your opinion does not matter anymore to those making the decisions
I just got Bitwarden this year! Gah. Where are we jumping?
KeePass
Full circle to sticky notes on monitor.
Vaultwarden
Vaultwarden relies on Bitwarden existing.
Not really. Convenience relies on the app and browser plugin, but they could be recreated like the server was.
Took me like 5 minutes to move back to KeepassXC.
i want to switch back to KeepassXC, but I very heavily use aliases in Proton Pass and can’t figure out a good way to still create those on the fly AND use Keepass as my default pass provider
Keepassdx supports creating aliases via addy.io I think
Maybe pay for one then?
I pay for bitwarden for the yubi key support and I’m also tired of switching.
Ah shit. Here we go again!
Can anyone say “Enshittification”!
Enshittification coming right up!
That’s troubling, I don’t like what this portends.
The new CEO’s background especially suggests they’re spiffing up the company for a later sellout, why else would they pick a merger specialist for the role?
For once ADHD preventing me from completing a migration is a boon, I guess I’ll move back to keepass

















