Privacy

48683 readers

1075 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

251

"The Quiet Renovation at Bitwarden" (it isn't good) (blog.ppb1701.com)

submitted 1 day ago by RotatingParts@lemmy.ml to c/privacy@lemmy.ml

112 comments fedilink hide all child comments

If you are interested in privacy you are probably interested in password storage ... plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.

you are viewing a single comment's thread
view the rest of the comments

[–] irotsoma@piefed.blahaj.zone 34 points 1 day ago (4 children)

Vaultwarden will survive. Since the client is open source, once they close the API and break compatibility of the clients with Vaultwarden, the old version of the app can simply be forked and rebranded. I also do hope that the KeyGuard app will continue to support vaultwarden as well since if bitwarden closes the API and makes a breaking change, as is likely to happen, it will break KeyGuard as well, but it will still work with VaultWarden for some time.

The real issue is that many people who are using Bitwarden aren't savvy enough to host Vaultwarden in a secure way. Many people are careless with things like secret keys and such and dont know how to properly secure a web facing app or a VPN into their local network. But anyone who self hosts should result learn those things anyway. This one just happens to be a particularly high risk since it contains all of your passwords for everything else.

[–] twoBrokenThumbs@lemmy.world 15 points 1 day ago (1 children)

This is why despite me self hosting some things I don't rely on vaultwarden. I'm a flawed person and my family has no idea about anything. I don't need to stretch my imagination very far to think of a handful of reasons why it would fail my situation. I'll gladly pay for a password manager to not have to deal with that.

[–] TheMadCodger@piefed.social 9 points 1 day ago (1 children)

Same! I self host a number of things, but I just didn't trust myself with something as important as this. I had been paying for bitwarden even though the free plan was sufficient, just to show support. But obviously not if they go this route. I will also gladly pay for a password manager to not have to deal with that.

[–] Jason2357@lemmy.ca 3 points 1 day ago

That's where I was for years until I got that surprise $80CAD credit card charge a few weeks ago. Now I have 11 months to either go with someone else or figure out a self-hosted solution I can trust. It will need several layers of backups the family can actually access in an emergency.

[–] nibbler@discuss.tchncs.de 3 points 1 day ago (1 children)

Just learned about KeyGuard. But I dislike their LICENSE:

[–] irotsoma@piefed.blahaj.zone 1 points 14 hours ago

Yeah, not the best. But at least there is an alternative.

[–] asdfasdfasdf@lemmy.world 2 points 1 day ago (1 children)

We really need a VaultWarden paid service, if there isn't anything against doing so in the license.

I don't know why the server needs any specialized software at all though. In the end, if it's just some password history, why not just have a client that allows generic storage backends and you can upload to Filen or S3 or whatever else you use?

[–] irotsoma@piefed.blahaj.zone 1 points 13 hours ago (1 children)

It uses a database and it's totally possible to use SQLite as the database and sync that elsewhere. You could then find or make a small client that just accesses that db directly rather than a web service, I suppose. Though there are already several apps out there that store passwords locally and their data files can be synced, if that's what you want.

But if you're doing that then you may not be using this in the most common way or may not understand the risk involved. This is likely to have every one of your logins, not just a single login that may or may not be used on other sites, but the specific username and password and which site it's associated with. On addition to access to those accounts, this links all of your accounts to a single identity which companies spend billions to do with advertising IDs, cookies, embedded scripts, and lots of other, usually shady, practices. This is a gold mine, though usually only for one or a few users, so generally not a major target unless you're being targeted personally for some reason. So, even if they don't get the passwords, they've now linked every account you have on every site to your identity.

If you are allowing the database to be relatively easily obtained by syncing it to a central location accessible over the internet, a bad actor who gets it can even take their time brute forcing any encryption that may be present in the database, but if you don't keep encryption keys only on your local device because you want to be able to use it elsewhere, then you probably stored the keys along with the db and they dont even have to bother with that, or if it uses password based encryption, they just have to guess or brute-force a single password.

If it's behind a properly secured web service, then even if they find an exploit in the server software, they likely have to do many queries over time to get much data and the server can mitigate that risk and/or alert the owner about new logins and such. A database in the hands of the bad actor can't complain about too many attempts to access it or notify anyone that it's been copied.

So, IMHO, it's a bad idea to use synced local password managers unless you have a very robustly secure way of storing the database and the encryption keys.

[–] asdfasdfasdf@lemmy.world 1 points 2 hours ago

Yeah I was imagining a system more like Password Store - use Git to version control secrets which are encrypted using some form of asymmetric encryption.

You store the private key somewhere you control, like a USB drive or something. Same as Bitwarden's master password.

[–] Dultas@lemmy.world 1 points 23 hours ago (1 children)

Good to know KeyGuard is an alternative. My main worry was with the extension no longer being compatible as, like you said, I doubt they'll continue to keep the client and API open.

[–] irotsoma@piefed.blahaj.zone 1 points 13 hours ago

Yeah, fortunately Vaultwarden has enough users that probably someone will eventually create an extension for it. And in the mean time you just have to make sure to use an old version of the existing extension until that happens. It's not like the changes in Bitwarden will affect Vaultwarden directly. The old client versions will still work until Vaultwarden changes something.