this post was submitted on 26 May 2026

51 points (94.7% liked)

Fuck AI

7162 readers

1237 users here now

"We did it, Patrick! We made a technological breakthrough!"

A place for all those who loathe AI to discuss things, post articles, and ridicule the AI hype. Proud supporter of working people. And proud booer of SXSW 2024.

AI, in this case, refers to LLMs, GPT technology, and anything listed as "AI" meant to increase market valuations.

founded 2 years ago

MODERATORS

VerbFlow@lemmy.world

MrMcGasion@lemmy.world

TootSweet@lemmy.world

BigMikeInAustin@lemmy.world

cynar@lemmy.world

drmeanfeel@lemmy.world

pavnilschanda@lemmy.world

CriticalMedicine@lemmy.world

WonderfulWanderer@lemmy.world

Communist@lemmy.ml

eatCasserole@lemmy.world

SpaceNoodle@lemmy.world

NutWrench@lemmy.world

Soup@lemmy.cafe

iAvicenna@lemmy.world

Tinks@lemmy.world

wizblizz@lemmy.world

corus_kt@lemmy.world

Prandom_returns@lemm.ee

JimSamtanko@lemm.ee

TrickDacy@lemmy.world

TheFriar@lemm.ee

ArmokGoB@lemmy.dbzer0.com

HawlSera@lemm.ee

andrew_bidlaw@sh.itjust.works

MeDuViNoX@sh.itjust.works

33550336@lemmy.world

Nougat@fedia.io

Lost_My_Mind@lemmy.world

Quill7513@slrpnk.net

glowing_hans@sopuli.xyz

e8d79@discuss.tchncs.de

ThefuzzyFurryComrade@pawb.social

51

Is there an open source no-AI password manager out there? (todon.eu)

submitted 1 day ago by MxRemy@todon.eu to c/fuck_ai@lemmy.world

49 comments fedilink hide all child comments

Is there an open source no-AI password manager out there?

Trying to bail on BitWarden... KeePassXC (with SyncThing) seems to come up as the most recommended, but they've been using copilot. Seems like they might still have the strongest anti-ai stance of the available options though, despite that.
#PasswordManager #NOAI @fuck_ai

top 49 comments

sorted by: hot top controversial new old

[–] Brummbaer@pawb.social 4 points 16 hours ago

Keepass it's simple and it has been audited.

[–] Taleya@aussie.zone 2 points 17 hours ago

Password safe is the one i use

[–] technocrit@lemmy.dbzer0.com 1 points 16 hours ago (1 children)

Does an "AI" password manager even exist? I'm pretty sure that's a terrible idea.

[–] ChaoticNeutralCzech@feddit.org 2 points 16 hours ago

Of course, text prediction machines would create low-entropy passwords, that would be awful.

They mean "coded with AI".

[–] cyberpunk007@lemmy.ca 7 points 1 day ago

Been using keepassxc for well over a decade and syncing with nextcloud, but yes syncthing works too. Only once did my database go corrupt, but I have zfs snapshot and nextcloud has versioning too so it was no big deal.

[–] altphoto@lemmy.today 1 points 17 hours ago

Hmmm I'm using vaultwarden. Its a fork of bitwarden that is opensource. My problem with it is that you have to use the bitwarden app. But it is opensource and as the web corrected me last week when bitwarden's CEO went Nazi, it is completely unrelated to bitwarden. Except that at least one of bitwarden's engineers who is not a Nazi but works for one is allowed to work on vaultwarden by that Nazi CEO.

Maybe not a Nazi, but the new CEO is a private equity type that tend to enshitify things. So he started by removing the 'always free" and changing the company's stance on supporting equality to nothing...so Nazi.

[–] JangleJack@lemmy.world 11 points 1 day ago

I like KeePassXC and SyncThing for my own use. I am not sure that I am ready to apply a no-llm purity test if a dev is using a model appropriately. If the code becomes obfuscated somehow, that would be another matter. In the longer term I hope FOSS devs do not come to rely on paid cloud models or favor code quantity over quality.

[–] 30p87@feddit.org 16 points 1 day ago (1 children)

Then just the the normal/official KeePass client. Old as hell but probably therefore also AI free.

[–] MxRemy@todon.eu 4 points 1 day ago

@30p87 oh duh, how'd I miss that lol. Ty, this is perfect!

[–] nublug@piefed.blahaj.zone 7 points 1 day ago (1 children)

chipass is a strict no-ai fork of the last keypassxc version without ai code. it's got a banner warning that's it's in dev and may likely cause corruption so make regular backups of your db, but i've been using it for a week or so with no issues so far.

as for android, i'm using keepass2android as it's got a fancy cloud saving feature where i can keep the db saved in my nextcloud and easily sync the db on my desktop as well.

[–] MxRemy@todon.eu 5 points 1 day ago (1 children)

@nublug oooh, this needs to get added to the various no-ai lists out there

[–] nublug@piefed.blahaj.zone 5 points 1 day ago

https://codeberg.org/small-hack/open-slopware

is what i use and is where i learned of chipass. notably they don't mention keepass2android either way so i just lightly poked around its repo and didn't see any sign of llm so went with it for now.

[–] taq@thicc.horse 6 points 1 day ago

@MxRemy @fuck_ai I use and love "pass", a command line local password manager for linux. Instead of syncthing I use git to manage versioning and synchronization.
I know that's a super limited use case, but there are GUIs and TUIs available for pass, and other manager tools may be built on top of it, I'm not sure

[–] hexagonwin@lemmy.today 2 points 23 hours ago

keepassxc is fine.. i'm aware they're testing LLMs in the development process but last I checked it was sane enough and quite understandable

[–] CompactFlax@discuss.tchncs.de 5 points 1 day ago

https://pwsafe.org/

[–] Kazel@lemmy.dbzer0.com 2 points 1 day ago

keepass

[–] schwim@piefed.zip 4 points 1 day ago (2 children)

I don't know of any AI features in it but I could be wrong. I use Proton(after moving from 1PW to Bitwarden then to Proton): https://proton.me/blog/pass-open-source-security-audit

[–] qualia@lemmy.world 3 points 1 day ago (1 children)

Does Proton's pw manager have any missing features at the free tier compared to Bitwarden? For example Proton Calendar paywalls the ability to color code events. Not much, but just curious.

[–] schwim@piefed.zip 4 points 1 day ago (3 children)

I've no firsthand knowledge on it(went from paid BW to free Proton) but did find this comparison of features that seems to show what's added at each tier:

https://proton.me/pass/pricing

[–] dark@thelemmy.club -4 points 1 day ago

Battten down the hatches! Downvotes incoming!

[–] dark@thelemmy.club -4 points 1 day ago

Battten down the hatches! Downvotes incoming!

[–] dark@thelemmy.club -4 points 1 day ago

Battten down the hatches! Downvotes incoming!

[–] dark@thelemmy.club -2 points 1 day ago

Battten down the hatches! Downvotes incoming!

[–] phlegmatreec@lemmy.zip 1 points 1 day ago* (last edited 1 day ago)

Psono is something I've found recently. Looks promising.

[–] CubitOom@infosec.pub 2 points 1 day ago

[–] vala@lemmy.dbzer0.com 1 points 1 day ago (1 children)

No AI, no database, no vault.

Self hosted (html only, zero dependency).

https://github.com/matdombrock/nopaz

[–] MxRemy@todon.eu 1 points 1 day ago (1 children)

@vala whoaa what!! Lemme see if I understand this right... It's less of a password manager and more of a deterministic password generator? As in, it'll always spit out the same resulting password given the correct input passphrase + domain of the site being logged into? So you just essentially generate it again instead of ever storing it.

I'm so amazed and curious about this approach, what are the pros and cons? Obviously there's still the risk of someone learning your passphrase, but there's no hackable database of passwords. Do you get a different output from different variations of the same URL, like including a "/" at the end? What does saving the bookmark actually do, like pre-fill the URL field? Given that autofilling is supposed to be more secure than copy/pasting, is there some way to make this do that?

Sorry for the barrage but I'm very tempted by this one, it's neat!

[–] vala@lemmy.dbzer0.com 2 points 1 day ago* (last edited 1 day ago)

Yeah that's more or less how it works. You generate it deterministically every time.

what are the pros and cons?

Not really sure of the cons aside from the fact that you get significant "vendor"/algo lock-in. You need the exact same algo this app uses to get your password back out (good thing it's GPL).

Do you get a different output from different variations of the same URL, like including a "/".

Yeah an extra slash at the end means a whole new password. The "name" is not really a "URL" per se. It can be any string.

So for example "lemmy.dbzer0.com", "vala@lemmy.dbzer0.com", and "lemmy.dbzer0.com 2" are valid site names and will give different passwords.

That being said I could see omitting some special trailing chars, protocol strings etc.

What does saving the bookmark actually do, like pre-fill the URL field?

Basically every parameter of the password generator is codified into the URL. So bookmarking a URL allows you to load a page with prefilled data like:

Special chars
Length
Revision number
Algorithm
etc

These parameters are all required to be the same each time you need to generate the password. So it can help you avoid filling these forms each time + act as a reminder of what you used.

Given that autofilling is supposed to be more secure than copy/pasting, is there some way to make this do that?

It will auto-fill your master passphrase but if you mean auto-filling your credentials into sites, it would need to be made into a browser plugin to do that.

[–] rockSlayer@lemmy.blahaj.zone 1 points 1 day ago

I have a password manager app that I've been "developing" since college. I'm not a cryptologist or an expert in cyber security. I haven't updated it in years, and it lacks basic functionality. I have no plans to update it in the near future, I have shiny new projects to half bake. But it meets your criteria

[–] rob_t_firefly@lemmy.world -2 points 1 day ago (1 children)

You can always go back to simple, yet secure, passwords you remember with your brain.

There's even a generator.

[–] MxRemy@todon.eu 6 points 1 day ago (1 children)

@rob_t_firefly is it still best practice to use a different password for each account though? Because I have probably like 300 of them at this point, and I don't think I could remember that many no matter how memorable each one is

[–] rob_t_firefly@lemmy.world 2 points 18 hours ago* (last edited 17 hours ago)

It's still easy enough if you use a mental algorithm.

Say, for example, your chosen memorized password is "correct horse battery staple". Let's make that password different for every site and service you use without having to remember each one.

For instance, you're signing into your todon.eu account.

Now, let's say your favorite one-digit number is 5, because your Auntie Mabel's birthday is on the 5th and she always enjoys your visits.

Combine todon.eu and the numeral 5, by choosing the 5th letter in the address. That's N.

Now, to turn that N into an innocuous-looking word you can add to the others in your password. Going over to your favorite phonetic alphabet, you see that N is "November."

Guess what? Your secure password for todon.eu is now "november correct horse battery staple".

Signing into your old account on Myspace.com? Using the above pattern, your password is "alfa correct horse battery staple".

Once you get into the habit of doing this routine, it'll become second nature and you'll be able to figure out your passwords to anything without trouble, using just your one memorized stock password plus a simple memorized tweak.

You can also make your own rules for exceptions. Are you buying hacker magazines from 2600.com? You get to decide if you want to count the dot or the C as the fifth character, and what to type in for the dot. (Perhaps "dot.")

[+] 9tr6gyp3@lemmy.world -7 points 1 day ago (3 children)

They are all getting AI generated bug reports. Hate to say it, but AI is good at finding bugs/vulnerabilities, so most open source projects are heading into triage overload while the technical debt is caught up.

Any open source projects not merging or patching because "AI" discovered it will probably not be a secure place to store your passwords after a while.

[–] technocrit@lemmy.dbzer0.com 1 points 16 hours ago* (last edited 16 hours ago)

AI is good at finding bugs/vulnerabilities,

Ok, but there is absolutely zero "AI" involved in this process.

And, while debugging has been helped greatly by statistics, big data, computations, etc., these advancements have been ongoing for decades. There's nothing really new here.

[–] terranoid@lemmy.cafe 6 points 1 day ago* (last edited 1 day ago) (1 children)

AI isn't particularly good at finding bugs and vulns. It's just that barely anyone except the devs have ever looked at the source of most open source, and for the first time there's automated mass code review. And a lot of open source projects are kinda shit, unmaintained experiments that no one ever reviewed.

I don't mean to say it isn't finding bugs, it's just that the quality of the reports are often low, there's way more noise than signal, and there's always been low hanging fruit with random open source projects. I mean, half the time a big new vuln was announced is because some researcher finally sat down and took the time to look at something. Massive software projects were hard to sift through in an automated and repeatable fashion.

[+] DougPiranha42@lemmy.world -6 points 1 day ago (1 children)

You might want to look at the story about the Mythos model, apparently it is particularly good at finding vulnerabilities.

[–] anise@awful.systems 4 points 1 day ago (2 children)

It's really not. Out of the 23 000 something vulnerabilities claude claims to have discovered in open-source projects only 3-500 have been reported to repo owners,, only 65 have been confirmed and given any rating at all. This is not any more efficient than any other form of fuzzing, they just did a whole lot of it.

[–] 9tr6gyp3@lemmy.world 0 points 1 day ago (1 children)

Those are just the ones that Mythos has claimed so far. They stated that is only about 1% of all the vulnerabilities they discovered and were publicly announced. Firefox 150 had over 270 bug fixes, with 13 of them as high severity.

Mythos is also finding high severity vulnerabilities that have been in systems for over 20 years with no humans able to discover them during that time. Its patient, and can look at the entire repo and how it all works together.

[–] anise@awful.systems 2 points 1 day ago (1 children)

The problem is that I do not believe a word that anthropic says. They say this is only 1%, but do they have any proof to back it up? I am also sceptical of the claim that it can "look at the entire repo and how it all works together". It can produce an approximation which could give it an advantage over more traditional fuzzers, but most reported bugs are still very local(and/or non-existant) and easily ruled out if it could actually model the naur theory behind the code.

[–] 9tr6gyp3@lemmy.world 1 points 18 hours ago* (last edited 18 hours ago) (1 children)

They already explained how they have placed hashes inside all their bug reports for Project Glasswing and will reveal their report once there has been time for patches to be applied.

Mozilla, developer of one of the most active and heavily scrutinized open source repositories in existence today, blogged about it with their product known as Firefox. They agree with you that it doesn't do anything better that what a human researcher could find, but its perk is that it can relentlessly play that role and keep looking, while human researchers have to sleep, eat, and enjoy other activities:

https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/

[–] anise@awful.systems 1 points 11 hours ago (1 children)

I'll see when these hashes materialise, until then I have to assume LLM companies are lying always about everything.

See, the problem is that I am not talking about human researchers, I am talking about other methods of automated fuzzing. I believe mozilla is overstating how useful the LLM has actually been. This has many reasons, one of them being that their main source of income is trying to become an LLM company. If that project fails said company might have to make some unfortunate cuts.

[–] 9tr6gyp3@lemmy.world 1 points 10 hours ago

Im sure FreeBSD probably appreciates the bug reports as well, and I don't believe they are tied to LLMs. They have totally revamped their processes recently to accommodate for the influx of reports coming in.

[–] DougPiranha42@lemmy.world 0 points 1 day ago (2 children)

I’m struggling grasping your logic. I am very far from being an AI fanboy but I’m also not a luddite.
So we have tools now that can pretty much autonomously scan through any accessible codebase and find new vulnerabilities that were not found before. And you say that’s not a big deal because anyone could have found those vulnerabilities if they looked?
Of course, that’s the whole point, nobody was able to attack at that scale before, and now many actors are. Your argument reminds me of what was common to hear 15 years ago when nobody secured anything: “why would I complicate my life with security, nobody wants to hack me! and if one day the CIA decides to come after me, they can get through security anyways!” True, until you have botnets scanning every ip…

[–] anise@awful.systems 2 points 1 day ago

The problem is that not "many actors" are able to attack at this scale, because running a scan at this scale is extremely expensive. If I were to run a thousand fuzzers on a piece of code I will almost certainly find a vulnerability, but I can't do that because of the prohibitive cost. Anthropic is essentially buying marketing by doing this to make their product seem more useful than it is.

[–] luciferofastora@feddit.org 1 points 1 day ago (1 children)

The problem isn't that it's finding stuff. It's that it's also finding a ton of useless crap that a human has to sort through because the machines aren't reliable. If you get blasted with 100 new lengthy and overly detailed bug reports vomited up by a text generator and you have to triage them all to figure out if there even is a needle in that haystack, the added benefit is practically nullified by the overhead of actually utilising it.

[–] DougPiranha42@lemmy.world 0 points 18 hours ago (1 children)

Oh I know the response to this: you have to set up an agent team to triage the reports!
I understand why a team wouldn’t want to have anything to do with AI. I don’t understand why a user thinks software is compromised if they accept AI generated bug reports.

[–] luciferofastora@feddit.org 1 points 17 hours ago

For some, it may be a matter of trust: If I don't trust AI code, but you do, I don't trust you either.

For others, it will be a matter of hardline principles: If I don't want AI to get any foothold whatsoever, but you accept it in some form, you join the trend I oppose and I don't want to associate with you or contribute to the popularity metrics of your product (such as unique downloads).

I don't feel like discussing the merits of either stance, but I hope this helps you understand the premises leading to that conclusion at least.

[–] unmagical@lemmy.ml 3 points 1 day ago (1 children)

They're not that great at finding vulnerabilities. I've had to evaluate a couple of different models internally at work and what they're all pretty good at is generating a shit ton of noise I have to sift through. Cause yeah, maybe I should parameterize values always, but that one variable is server defined and controlled literally one function call higher and it's not a "high" vulnerability and why the fuck did you make the same mistake 24 times?

[–] 9tr6gyp3@lemmy.world 1 points 1 day ago

Depends on the model, and the way you ask it, for sure.