I started digging into opensource password managers and found that they all suck major ball sack. I ended up picking nothing. My two runners-up were Bitwarden. It works on Linux, Android, whatever Apple’s shit runs on, and even runs on PCs with the OS that you usually delete first thing. But the major drawback is that I can’t trust it. It’s got a “premium” version, and that has always meant a slow steady spiral into a “you must pay now that we have you by the balls” situation. Another drawback is that it’s centralized; kill the company and so go your passwords, I suppose.

The other runner-up is called liso. This one comes with two major drawbacks. One is that it’s browser-only so far. The other one is that it doesn’t work on Linux yet. Such a shit shit option. Everything else out there wants you to pay for encryption.

I did end up learning about pass on Linux. It creates encrypted passwords and there’s some compatibility with GUIs and maybe it’s available on Android??? Big question mark. I’ve tried nothing yet. My password list seems to grow daily.

So what’s your favorite one?

@imgprojts@lemmy.ml
creator
11M

Just this week LastPass was hacked. Not the password database I guess, but it really points out how silly the idea of holding everyone’s passwords in your server is.

Reminder that Bitwarden is backed by Microsoft SQL Server even in self-hosted instances (you must use it as the backend database service).

Vaultwarden is a re-implementation that allows you, among other features, to use FLOSS database servers instead.

@imgprojts@lemmy.ml
creator
32M

I feel like Microsoft has too much power. With LinkedIn, they know if you’re working, where, and if you’ve got connections. That company strives to rub me the wrong way in so many ways. But it’s cool that there is a FLOSS version.

My worries are not focused on how much power that company has but on the importance of digital rights, including software freedom among others.

@imgprojts@lemmy.ml
creator
12M

Oh I agree. Reducing digital rights is Microsoft’s #1 priority.

Cannot go wrong with KeePass (including derivatives). Works on all my devices, no cloud nonsense, everything is local and I can use Unison and Syncthing to sync it all up.

KeePass XC/DC (keepass-cli most of the time) with Syncthing is amazing.

  • Fully offline.
  • It can be synced within your own local network.
  • Secure.
  • Powerful. (it really has a TON of useful features)
  • Fully FLOSS.
  • Works on all platforms.

@imgprojts@lemmy.ml
creator
22M

This is the direction I’m heading to for sure.

Dessalines
banned
12M

I do the same. It really is the best solution that’s fully E2EE, and doesn’t require you to host a server.

They can’t compromise a server if you don’t even have one.

Tmpod
mod
6
edit-2
2M

BitWarden,¹ it just works really really well everywhere. The app is pretty much the same on every platform (which is a good thing imo) and you also have a CLI in case you prefer (may also be useful in some sort of backup script, I suppose). I personally use the cloud service they provide, but you could very easily and cheaply get a vaultwarden² server up and running and be the total master of your passwords, using a $2.5/m VPS or something like that.


¹ https://bitwarden.com
² https://github.com/dani-garcia/vaultwarden


Edit: links
Edit: also, the premium Bitwarden plan doesn’t mean that at all, imo. The plan can be very useful if you really need those features (sidenote: I advise against ever using the TOTP thing, that’s just putting all your eggs into one basket and defeating the purpose of 2FA), it’s very cheap ($10/y iirc) and you can always export all your data with the CLI, set up a server and import that data.

@imgprojts@lemmy.ml
creator
02M

But they limit password sharing to two people. It’s weird. Why? Is that a really good feature? Will they just change policy and screw you over later?

Tmpod
mod
22M

It is a way to make some income out of an open-source project. If you want the convenience of their managed server, then you have to pay to access limitless orgs (the way to share secrets), otherwise you’re limited to just a 2-person org. The family pack is quite accessible imo, at $40/y for a 6-person org.
Your other solution is, like I mentioned before, to host your own server. vaultwarden supports orgs, as you can see in their feature list: https://github.com/dani-garcia/vaultwarden/wiki

BitWarden is really great and a good example of a successful FLOSS project. I get the overall “companies just want to screw you up”, but one must not get completely blinded by it ;)

Keepass!

Personal favorite: Bitwarden. It just works really well without issues and the free version is more than enough for regular usage. And if you do NOT trust the company or you want the premium features without paying for them, then you can self-host it for yourself! Another great password manager is Keepass!

My favourite is Bitwarden. FOSS, privacy-respecting, secure and possible to self host: what more could you want?

bluepenquin
12M

GNOME Secrets on PC and KeepassDX on Android.

Padloc might have what you want.

  • AGPL.

  • Unlimited devices.

  • Multiplatform.

KeepassDX on Android. KeePassXC on Linux. Sync my password file via Syncthing on my local network.

@imgprojts@lemmy.ml
creator
12M

This is working well. My only complaint is that Android doesn’t allow Syncthing to write/update to the SD card. It can back up the SD card, but it cannot update a change to it. This is definitely Google’s fault. Whatever is going through their minds, it’s definitely not helping me as a user of memory cards.

As many said, a combination of KeePassXC on computer and KeePassXD on Android. I sync the file with Syncthing. For security I have set up a three-word passphrase, made of words representing unique stuff that was on my desk at the time of creating the file; the words are connected with symbols, not spaces. Even if someone gets my password database file, it will be useless for them.

KeePass has many advantages:

  • local file, no need for internet to check passwords
  • tested and trusted file format
  • compared to pass (other local solution) encrypts metadata
  • can store more than passwords: ssh keys, otp
  • tons of applications supporting the file format - death of one doesn’t mean anything

@cout@lemmy.ml
2
edit-2
2M

KeePassXD

You mean KeePassDX?

@imgprojts@lemmy.ml
creator
12M

Yes. I was actually reading about this one last night after I posted. I decided to give it a try. In a few minutes I got my Google passwords out and translated. Now I need to add my other ton of passwords.

There are importers for most of the password storage options. I would recommend a separate database for the import and then merging the import DB with your actual database, backing up everything before.

If you’re using a centralised sync system, KeePass allows keyfiles.

I use passphrase + keyfile. And I don’t sync the keyfile; I only copy it manually.
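What the passphrase + keyfile combination buys you is easiest to see from how KeePass derives the key that protects the database. The following Python is an added example, not code from this thread or from the KeePass project; it reproduces the KDBX composite-key construction as I understand it (SHA-256 of the per-source keys concatenated, password first, then key file), with a constructed 32-byte key file standing in for a real one. The XML key-file format is deliberately left out.

```python
import hashlib
import os
from typing import Optional

# Constructed sample key file (32 bytes). A real key file would come from
# os.urandom(32) or KeePass's own key-file generator.
SAMPLE_KEYFILE = bytes(range(32))


def password_key(password: str) -> bytes:
    """KeePass hashes the UTF-8 password with SHA-256 before combining it."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_key(data: bytes) -> bytes:
    """Turn key-file contents into a 32-byte key source.

    As I understand the KDBX rules: a 32-byte file is used as-is, a file of
    64 hex characters is decoded to 32 bytes, and anything else is hashed
    with SHA-256. (Assumption: XML key files are not handled here.)
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text, fall through to hashing
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated key sources; this is what the database's
    KDF (AES-KDF or Argon2) is later applied to, together with the per-file seed."""
    parts = b""
    if password is not None:
        parts += password_key(password)
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    if not parts:
        raise ValueError("at least one key source is required")
    return hashlib.sha256(parts).digest()


def make_keyfile() -> bytes:
    """Generate a fresh 32-byte key file (what you copy to devices by hand)."""
    return os.urandom(32)


def keyfile_changes_key(password: str, keyfile: bytes) -> bool:
    """True when the key file actually alters the derived composite key,
    i.e. a stolen database file plus a guessed passphrase is still not enough."""
    return composite_key(password, None) != composite_key(password, keyfile)


if __name__ == "__main__":
    pw = "desk!lamp-mug"  # constructed three-word passphrase in the style above
    print("password only :", composite_key(pw, None).hex())
    print("password+file :", composite_key(pw, SAMPLE_KEYFILE).hex())
    print("keyfile matters:", keyfile_changes_key(pw, SAMPLE_KEYFILE))
```

The point for the syncing setup above: whoever obtains the `.kdbx` from the sync side only ever holds half of the composite key. Guessing the passphrase offline is useless without the 256 bits the key file contributes, which is why copying the key file manually, rather than syncing it alongside the database, is the part that matters.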

KeePass DX/XC. Offline, you can choose to sync database in any cloud way you want, create offline backups, does not matter.

Amicese
12M

gpg

I would not recommend PGP/GPG for anything. There are a ton of reasons to ditch it and move to something better, for every single use case.

Amicese
12M

Why?

Sr Estegosaurio
2
edit-2
2M

There was a really good article about why pgp/gpg is a piece of radioactive waste that should be avoided at all costs. Both the standard and the de facto implementation.

Sadly I don’t have the link with me rn. Let me search it.

Edit: here’s the link https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

Also, use age & signify over pgp.

Amicese
22M

It’s not a good look for the blog author when they suggested using Signal and WhatsApp, proprietary but open-source apps.

Are age and signify battle-tested?

Signal is not proprietary. And in terms of security the Signal protocol is by far the best you can get out there.

Signal is validated over sms and uses a ton of Google APIs. I’ll pass.

Okay, I agree on the fact that their server and client may be far from perfect. But the only problem with their protocol is that it’s not decentralised.

Amicese
0
edit-2
2M

And in terms of security the Signal protocol is by far the best you can get out there.

https://dessalines.github.io/essays/why_not_signal.html#why-not-signal

Signal is just as bad as insecure Western social media.

Why do so many crypto bros favor Signal?

I’ll ask this again: Are age and signify battle-tested?

Signal is far from being perfect. And I would love a decentralised (p2p/federated) chat protocol implementing the Signal protocol. At the time being their protocol is best, we may question their main server and some of their practices, but at the time being I couldn’t find anything better.

Signal is just as bad as insecure Western social media.

Hmmm… I don’t think so.

Why do so many crypto bros favor Signal?

I’m not a cryptobro. :c

I’ll ask this again: Are age and signify battle-tested?

They’re not as old and widespread as PGP, but they’re based on solid cryptography.

Amicese
0
edit-2
2M

Did you read all of this page? It shows the alternatives. (Matrix, XMPP)

They’re not as old and widespread as PGP, but they’re based on solid cryptography.

Explain.

Sr Estegosaurio
3
edit-2
2M

I would not consider Matrix an alternative to Signal. The Matrix protocol is messy and I had a lot of “matrix moments™” (even with that I still use it and prefer it over Discord, or other glowy apps.). XMPP with OMEMO is great, no need for a phone number and decentralised. I like it.
(I think that I heard somewhere about the signal protocol on XMPP or something like that. Which, in my opinion could be the best of both worlds.)

Explain.

What I mean is that obviously it is not as battle-tested as PGP/GPG since it’s not that old and it’s not as widespread as it, now. But PGP is extremely complicated, overextended, with terrible defaults and backwards compatibility with some stuff from the stone age. The de facto implementation is also quite bad.

As I still have to use PGP for some things (sadly) I use a better implementation: sequoia-pgp. I recommend it. https://sequoia-pgp.org

Btw, sorry for my terrible wording and lack of vocabulary. I’m still learning. :D

Amicese
02M

I would not consider Matrix an alternative to Signal. The Matrix protocol is messy and I had a lot of “matrix moments™”

How is the matrix protocol messy? It had extraneous metadata, but it got removed in a version.

Also, what is a “matrix moment”?

XMPP with OMEMO is great, no need for a phone number and decentralised. I like it.

Why not just use that then?

What I mean is that obviously it is not as battle-tested as PGP/GPG since it’s not that old and it’s not as widespread as it, now.

That’s a problem when choosing security tools. How do you know the reliability of the tool if it hasn’t been battle tested enough?

But PGP is extremely complicated, overextended, with terrible defaults and backwards compatibility with some stuff from the stone age.

I would need to scan the GPG source code to try to understand your point, but I don’t have the time or will to do so.

What terrible defaults though? GPG’s defaults seem fine to me. I might be missing stuff tho.

Great read! Thanks for sharing.
