- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
You must log in or # to comment.
Been self-hosting Vaultwarden for a while. The backend is going nowhere, but I fear for the Android and Firefox clients in particular, unless the Vaultwarden dev bothers to maintain those too.
giggles in proton pass
Don’t assume that proton won’t eventually want to sell up.
I still wish there was something where it had better syncing conflict management than KeePass but wouldn’t make you unable to do anything or randomly make your passwords completely inaccessible if you or your server went offline like Bitwarden.
I run vaultwarden at home without access to it from the outside world and once the sync is done I can be offline without issue.
Yeah I’m done with cloud providers for this shit, I’m going all in for Keepass
I just migrated to keepassxc last night!
God, capitalism sucks
How will this affect vaultwarden? I’ve been using it for 5 years and absolutely love it. I’m worried that I’ll need to switch to something else though?
It shouldn’t in theory. Worst case is if bitwarden closes source, just fork the latest current open version and use it.
Ideally, a group, either independent or joining with vaultwarden devs, can build/maintain the frontend for vaultwarden that is bitwarden.
The Article says:
A Note for Vaultwarden Users
Whether self-hosting stays viable long-term is the real question worth sitting with.
Right now it works because Bitwarden’s clients are open source and the server API is public. Vaultwarden implements that API, and the official apps can’t tell the difference. That depends on Bitwarden continuing to publish open source clients and not restricting which servers they’ll talk to — neither of which is guaranteed under new management.
The brake on the worst case: self-hosting is a listed Enterprise feature that generates real revenue. Killing it upsets paying business customers. That matters.
The catch: what Bitwarden sells to enterprises is their own official server stack, not Vaultwarden. Vaultwarden exists in a space they’ve tolerated but never endorsed. If the calculus shifts, the tolerance ends without any announcement. Just let the API drift until compatibility breaks on its own.
I don’t think that’s imminent. But I also thought the free tier commitment was ironclad, and “Always free” isn’t on the page anymore.The real safety net is that Bitwarden’s clients are Apache 2.0 licensed. A fork would need a rebrand to stay clear of the trademark — different name, tweaked UI, same engine — but that’s a speed bump, not a wall. The web vault works through any browser regardless of what happens to the apps, so worst case you’d lose autofill temporarily while a fork caught up. Inconvenient, not catastrophic. Vaultwarden itself is already proof the model works.
Watch the clients. If they go closed, the community will notice fast, and the fork will follow.
Not very trust inspiring. There’s a lot of flowery words encircling enshittification.
It does claim to want to always offer a free tier, but all the new values and buzzwords are funneled towards the paid versions.
He completely misunderstands the product. Transparency is paramount. Not trust.
OOP is AI writing about AI
Is is time block headlines with “quiet”? Its like AI decided that word gets the most clicks and its showing up everywhere.
Yeah its like those sports headlines where they try vibe you up for some trash talk
“Player A had a perfectly blunt statement about Player B”
Only to read & find out they said Player B was great, such drama lol
All just rage bait everywhere, AI or human that’s the clicks plan
I guess I need to go back to a handy notebook.
Amen!
Hey Login seems promising Free for private users, hosted in germany and end2end
if you were looking for an excuse to torpedo this abomination, here it is. hosting this gargantuan stack just for an encrypted csv file? at least the client (electron) gobbles up RAM like it’s free while being bug-compatible with whatever chrome version was current half a year ago.
sadly, news ain’t great on the other side of the fence - keepassXC dev is all-in on vibeshitting; latest non-polluted version is 2.7.9.; works fine and the stuff they’re working on is pretty far from essential. some unknown folks forked it but who’s to say what their expertise is.
never thought I’d disable my autoupdate timers but here we are. keep your eyes open.
What do you mean by “gargantuan” stack? I have a single docker container for vaultwarden that was very easy to set up and it uses less than 100mb of ram.
Not sure about the client claims though. I haven’t really looked into it that much. Are you saying all versions of the client and extensions of BitWarden have issues?
Can you explain the issues with KeePass? Or is there another thread?
the dev vibecodes; I make a distinction between using the crap as a boilerplate helper and a full-blown agentic “hey computer, do this but do it super-good!”. not only that, they got a super-asshole vibe as they removed claude traces from the repo and then flaunted that it’s so people won’t know what parts were vibeshat. “good luck finding the cutoff point”, I’m paraphrasing here.
to each their own, but that’s a hard pass for that fork from me.
A password manager is literally the poster child for “I would rather it lack features, but be built carefully by an expert.”
This is my unverified understanding of the situation.
KeepassXC team added Copilot to their workflow to manage PRs and code some basic (according to KeepassXC) stuff.
Why the hell is anyone using anything other than KeePass?
- I want to get to my passwords on multiple devices. 2. Bitwarden has a nice feature where you can set up a trusted person to be able to get into your account by sending you an email and if you don’t respond “no” after a set period of time, they get access. This can be very valuable if the you are incapacitated or dead and that (trusted) person needs to take care of things using your passwords. Are those things available in KeePass, if so, great and I’ll have another look!
KeePass is just an app that opens files, so yeah, you can access it on as many devices that you want yo setup file syncing with. Syncthing seems to be a popular choice.
You can setup vaults to be accessible with multiple passwords, if that fits your criteria. Me, I already share the vault with my wife, so that mostly covers the need for emergency access by someone else. If I ever wanted more, I’d probably just put some basic info into my will about how to access the file.
Way too complicated for average user.
The one that has had multiple hacks. I’m good mate.
Do you have a source on these hacks for KeePass?
thanks!
edit: oh it’s phishing via ads, you could say OBS Studio has been ‘hacked’ in the same way
the second case assumes your computer is already compromised, I think at that point a RAM dump with my master password would be the last of my problems
I use vaultwarden in my company - need to share some passwords/group with specific other users etc.
Doesn’t keepass only work on a single device? Meaning that you have to handle syncing the database file yourself. I prefer selfhosting vaultwarden. Maybe these changes will make me migrate to something else but for now I’m very satisfied with vaultwarden and the bitwarden client.
Yeah, I just leave the file in a NextCloud sync directory. All my desktops and laptops download it automatically, and it’s trivial to download to my phone. As an added bonus, my fucking password manager isn’t exposed to the open internet where every hacker who finds it is gonna wonder what’s inside.
You need two apps though and I personally have more faith in vaultwarden being stable than nextcloud.
Glad your “fucking” password manager isn’t exposed to the internet. Mine isn’t exposed either since I use tailscale to access it. Your comment leads me to believe that your NextCloud instance IS exposed to the internet. Wouldn’t that mean that if a hacker gets access to your account they could also get your keepass file as well?
I just typed out a response to most of this, and rather than repeat all that, I’ll copy a link here https://lemmy.zip/comment/26557132
A lot of it can be summed up in that compromising Vaultwarden means everything is screwed while compromising NextCloud is mainly a minor inconvenience. It provides neither information about the database’s password nor any avenue to attempt to intercept the password.
EDIT: Forgot to mention the worst part about KeePassXC. It’s vibecoded crap.
I replied to that comment. You’re assuming that compromising vaultwarden is somehow easier than compromising nextcloud. No idea why. Intercept the password where? I’m using a local client and only syncing the vault. You seem to be pretty unfamiliar with how vaultwarden works.
No, I’m assuming that compromising NextCloud is less devastating than compromising Vaultwarden, so I’m taking a calculated risk that my database’s password is secure enough to offset the slightly increased risk of access to the encrypted database because I don’t always get to choose all the software I get to use in every environment I work with, so I might have to use the web client if I can’t get the local client.
As for you only using the local client, congrats, we don’t always get to choose what we use outside the home.
As an added bonus, my fucking password manager isn’t exposed to the open internet
WireGuard 🥹
At that point, is it really easier than NextCloud? I don’t have to worry about forgetting to disconnect and wasting my VPS’s bandwidth or ruining my ping for games. On PCs and laptops, the file is immediately local, and on mobile, it’s easier to download an updated version of the database than it is to mess with the VPN.
That’s a fair point, I was mostly pointing out in the original comment that VPNs are an option that stops your password manager being exposed to the internet (though if their NextCloud IS exposed to the internet and is syncing their password db, then there is not much difference).
Plus you can tunnel traffic that needs to go to your VPS through the VPN, leaving all other traffic untouched (ie not tunneled), if you are worried about leaving it connected by accident. This would be max convenience.
Compromising Vaultwarden provides an opportunity to inject malicious JavaScript and steal the database password when it’s opened. NextCloud can never leak any info about how I open my password database.
Any password manager could be comprimised. A bug could even be installed on your system or malware. What’s the difference?
NextCloud doesn’t know how you open the password db, but KeePass (for example) does, so the master pass comprimise would be with that.
Specifically the syncing part being done with any tool, doesn’t matter.
Who or how are you thinking Vaulwarden is being comprimised?
Yup, it is. On one hand, I would have wireguard configured regardless beacause I don’t like publicly exposing my server. On the other, if you had to do it just for this and don’t want to configure wireguard manually, just use zerotier, tailscale or netbird. They can be set up in like 15 minutes and after you get it working you don’t need to touch it again.
Eh, not worth it to me. Some of what I host is occasionally really handy to be able to access from a random machine, and I don’t want to have to deal with barriers to entry when I need in. I can appreciate the security benefits, but I’ll take my chances. Even if they break into my NextCloud, they’d have to crack an unreasonable password to break the password database open.
You are choosing more convenience over security, which is fine, BUT it’s good to know that syncing your passwords with NextCloud over the internet is not any more secure than syncing it over the internet any other way (that uses any encrypted transport method).
There’s this wild technology called a hotspot. You can use your already authenticated device to give another device access to your services indirectly.
Even if they break into my NextCloud, they’d have to crack an unreasonable password to break the password database open.
That level of security is exactly the same as exposing your password manager to the “fucking” internet. Not sure why you criticized it before when you (incorrectly) assumed that I was doing that.
damn I just migrated to bitwarden a few months back :(
thanks for all the suggestions - i’ve since moved to proton pass, not sure if I want to self host this aspect of my security stack - but will be watching closely
It’s a very easy migration from Bitwarden to a self-hosted and OSS Vaultwarden, if you have means to self-host. Appreciably, many don’t want to self-host their own apps and I’m not defending Bitwarden’s enshittification at all. It comes for all tech at some point :(
I would say that Vaultwarden might not be the best introduction to self hosting given the critical nature and sensitivity of the data. And if you do maybe block the admin page from external sources.
I’ve been using it for years. But I have been waiting for this day to come. Because it always comes at some point without fail.
It always comes right after I migrate my family members. Same thing with lastpass and I’m still trying to get people off that.
You still have some time to decide which route to go. If you’re on the free version, stay there, but start looking for alternatives.
Proton Pass is an option. KeePass with Syncthing works great, but it is a dramatically different and more involved workflow.
I am using both, and deleted my Bitwarden account yesterday the moment I heard about this.
Also, I can’t suggest enough that you export all your credentials to an encrypted json file every now and then, and store it on an offline storage device. This is important.
I just tested aliasvault and its pretty good. You can even just import your pre-enshitification Vaultwarden export file.
One thing I noticed though is that your entries must have a collection or else they don’t export. But close to easy as pie to leave vaultwarden behind with their Nazi CEO.
VaultWarden != BitWarden!
I know. Either way I’m out unless they fork.
VaultWarden literally is a fork, what are you on about?
VaiultWarden is a new implementation of the Bitwarden API. It started from scratch, never was a fork. It’s possible they (or other people) will fork the Bitwarden client.
Fork means they don’t share. But its not like that.
Are you a bot? It doesn’t seem like you understand what you’re talking about.
They website says they are not but there’s is an employee of bitwarden who is allowed to contributed.
I don’t know. I will be on my toes at any notion of Nazi CEO contribution or attribution.
Again, vaultwarden is not bitwarden, I think I’m having a stroke reading this
