Thread 106345724

89 posts 24 images /g/
Anonymous No.106345724 >>106345732 >>106345734 >>106345770 >>106345856 >>106345936 >>106345989 >>106346750 >>106347236 >>106348774 >>106349560 >>106351482 >>106352955 >>106353234 >>106356460 >>106358643
New password manager just dropped
Thoughts, Bitwarden and Proton Pass bros?
Anonymous No.106345732
>>106345724 (OP)
use case?
Anonymous No.106345734 >>106345740 >>106346129 >>106346155 >>106346279 >>106346696 >>106354407 >>106356168
>>106345724 (OP)
Keepass XC.
Anonymous No.106345740
>>106345734
sippybippy
Anonymous No.106345770 >>106353383 >>106357020
>>106345724 (OP)
1Password
accept no substitutes
Anonymous No.106345790 >>106352843 >>106352935 >>106353327 >>106354302
>Writing your passwords down in a book
Anonymous No.106345856 >>106345891 >>106346195 >>106353383
>>106345724 (OP)
I'm not giving Google my fucking passwords, they already have my email which is practically a skeleton key to any account
Anonymous No.106345891 >>106347124
>>106345856
that's the problem with things these days, too many eggs in the same basket. I've got too much inertia/history to completely ditch my gmail account. However, I'm going to move my main email for banking and other important things, etc., to another email service. One that mainly does email only.
Anonymous No.106345936 >>106345943
>>106345724 (OP)
i use an unencrypted passwords.txt file on my desktop
this is more secure than any of these retard cloud solutions
Anonymous No.106345943 >>106354324
>>106345936
this, but passwords.kdbx
Anonymous No.106345989 >>106346146 >>106347471
>>106345724 (OP)
I think Google uses TPM on PC to "store" the passkeys (it probably stores a key so it can use encrypted passkeys passed from the PC, but that's just a detail). Bitwarden and Keepass don't use the TPM yet.
Anonymous No.106346129 >>106346173 >>106346234 >>106346262 >>106346279
>>106345734
>supports totp
>easily integrate with ssh and gpg
>good security model
>100% free
how can they stay winning like this? All other online 'password managers' have really no guarantees in terms of security. The single fact that you can 'recover' a lost master key means they must be storing something in cleartext.

Also, online password managers like lastpass and 1password have vpn-type review sites rooting for them using the most disingenuous methods possible. Anyway, for me, unless a password manager provides better management of ssh/gpg keys and totp, I'll stick with keepassxc
Anonymous No.106346146 >>106346251
>>106345989
TPM in theory improves security, but there are real threat models where an attacker spoofs a program's certificate so that the TPM gives the key away
Anonymous No.106346155
>>106345734
tpbp.
Anonymous No.106346173 >>106346223
>>106346129
>The single fact that you can 'recover' a lost master key
Both bitwarden and proton pass are zero knowledge.
Anonymous No.106346195 >>106347804
>>106345856
That's exactly why you shouldn't mind giving them your passwords. The marginal risk is literally zero.
Anonymous No.106346221
This entire thread is chat bots. Google Password Manager has existed independent of Chrome for over three years.
Anonymous No.106346223 >>106346295 >>106347106
>>106346173
the single fact that they require me to use a non-free (thus not publicly audited) network to use their password manager means it's garbage. Under LEA request, they could just add an interception layer that intercepts users' login credentials to get access to their passwords. Meanwhile, I can use any commercial drive (google drive, microsoft or my company's nextcloud) to sync my keepass db and nothing would happen to it if it leaked.

A few years ago, proton mail intercepted credentials of their users to help lea arrest activists. They even did a damage control article:
https://proton.me/blog/climate-activist-arrest
Anonymous No.106346234 >>106346509 >>106346631
>>106346129
you can self host vaultwarden. no trust required.

also the real point of failure is the fucking browser extensions. but without those, using passwords is annoying as hell.
Anonymous No.106346251 >>106346651
>>106346146
if an attacker can manipulate program key attestation from your machine's TPM you're already his bitch and there's nothing you can do other than hope he's more retarded than you are and doesn't hijack all of your accounts right away
Anonymous No.106346262 >>106346294
>>106346129
>online password managers.
The fact that such a retarded abomination even exists. Normies please kys already.
Anonymous No.106346279
>>106345734
>>106346129
Been using it for over a decade. Used KeePass2 before switching to KeePassXC after finding that it finally does everything I need so I no longer need to use KP2 plugins, and KeePassDX on phone. Some entries in the database outlived the sites they were for. Now I'm syncing via Syncthing so it's all completely offline. Syncing when away from home? VPN back to the home network. Local, private, secure.
Anonymous No.106346294
>>106346262
Normies are still safer with that shit than the alternative: same passwords everywhere (and you know that is the most likely alternative). If you're not a normie, host your own, have it only accessible via wireguard.

Nothing inherently wrong with online password managers.
Anonymous No.106346295 >>106346336
>>106346223
>they could just add an interception layer
Intercept what? Your master password never leaves the device. Not sure if you understand what "zero knowledge" and "end to end encryption" mean.
Anonymous No.106346336 >>106346362 >>106346367 >>106347106
>>106346295
how do they allow lost key recovery if they don't have some information in clear that they can decrypt at their will?
I don't think you understand that this model is fundamentally flawed.
Anonymous No.106346362
>>106346336
Have you tried to find out?
Anonymous No.106346367 >>106346490
>>106346336
https://bitwarden.com/help/forgot-master-password/
Read, nigga
Anonymous No.106346490 >>106346514
>>106346367
i never mentioned bitwarden
1password and lastpass just glow because of this anti-feature
Anonymous No.106346509
>>106346234
Does it truly never phone home? Wanted to try it out, but kind of in doubt if it's worth it at all.
Anonymous No.106346514
>>106346490
>1password and lastpass
Proprietary shit, of course it glows.
Anonymous No.106346631
>>106346234
Does it truly never phone home? Kinda want to try it out, but in doubt if it's worth it at all.
Anonymous No.106346651
>>106346251
Don't use your email used for accounts from PC, then they won't be able to reset logins.
traily !!zLGKB/yRaFq No.106346696 >>106348763 >>106353280
>>106345734
>offline
Obsolete and hardly useful.
Anonymous No.106346714
>trusting googlel
Big yikes
Anonymous No.106346750
>>106345724 (OP)
>trusting google when their own MFA app is dogshit
Anonymous No.106347106
>>106346336
>how do they allow lost key recovery
They don't. Read up on zero-knowledge. Proton Pass and Bitwarden for example will never show you what your master password is because they simply do not have access to it. You can set up recovery methods to regain access, but you can never get your master password back, only reset it.

The entire way products like this work is that you generate an actual encryption key (DEK) behind the scenes which is encrypted by your master password AND any recovery method used (i.e. recovery file, keys, etc.). The DEK is what encrypts/decrypts your actual data. Your password/recovery phrases decrypt/encrypt the versions of the DEK. If you're using a cloud product they only store the encrypted files they get from you. Without your password or recovery phrase they can't access your unencrypted DEK => they can't access your unencrypted data.

Btw all of their code for both products is open source so you can literally audit this yourself, but I'm guessing you won't.

Unless you're a nutter that thinks AES-GCM is cracked then this is largely a nothing burger.
>>106346223
>A few years ago, proton mail intercepted credentials of their users to help lea arrest activists.
Did you read your own article lmao?
>Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders.
>Proton Mail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities.
>The fact that Proton Mail was not able to hand over any messages even under legal order proves that our encryption works, and very likely will be of great assistance to the activist in this case.
The only thing Proton provided to authorities was an IP address of the user, which is what they admitted to.
Anonymous No.106347124 >>106347154 >>106351465
>>106345891
Care to name drop it? Proton is glowing these days.
Anonymous No.106347153
Why not just host your own Vaultwarden and use Aegis for OTP? What the fuck are you doing, OP?
Anonymous No.106347154
>>106347124
Fastmail. Email isn't really private and never really will be. So I prioritized features for the price, and Fastmail does well there.
Anonymous No.106347158
Still the King plus Notepad.
Anonymous No.106347236 >>106347330
>>106345724 (OP)
pass
pass-otp

What more do you need?
Anonymous No.106347330 >>106347356
>>106347236
>just leak all your metadata bro
>just use gpg to encrypt your entries, because why not bro?
>you do love gpg, right?
seriously? pass has no advantages over keepassxc.
and pass in 2025 is basically abandonware.
Anonymous No.106347356
>>106347330
>metadata
oh noes.
>and pass in 2025 is basically abandonware
What more do you need? It just works.
Anonymous No.106347453
Bitwarden just werks for me. Why would I change?
I changed from LastPass when they wanted to charge and importing to Bitwarden took like 10 seconds. It's open source, free and works. What's this got?
Anonymous No.106347471 >>106347677
>>106345989
TPM is a piece of shit and the inventor should hang.
traily !!zLGKB/yRaFq No.106347677 >>106347831
>>106347471
What's wrong with verifying trusted boot components, preventing malicious code at startup?
Anonymous No.106347804
>>106346195
So if you get banned from google, you can lose your passwords to things that don't require that email address? Kill yourself faggot.
Anonymous No.106347831
>>106347677
how hard could it possibly be to get trusted boot on MBR, 100% ext4
Anonymous No.106348763
>>106346696
>he doesn't know
Anonymous No.106348774
>>106345724 (OP)
Time to use that list of sites you're storing passwords for to build a better advertising profile.
Anonymous No.106348813
Keepass. Host it on a webdav server and you can access a synced copy between devices.
Anonymous No.106348842
Keepass. I just copy the database file around.
Anonymous No.106349560 >>106349616
>>106345724 (OP)
that's a very phallic logo...
why do gays ruin everything?
>inb4 hurr you're the faggot seeing cocks durr
not my fault you've been conditioned and blinded to having dicks in front of your face.
Anonymous No.106349616
>>106349560
Is everything ok at home, anon? Do you want to talk about it?
Anonymous No.106351465
>>106347124
I pay for Zoho because they REDEEM. It's got a bit of a bloated toolset these days, like gmail. But they let you have 100 aliases per email account which comes in handy.
Anonymous No.106351482 >>106352680
>>106345724 (OP)
He trusts password managers made and promoted by the establishment.
Tee hee.
Anonymous No.106352680
>>106351482
sure
Anonymous No.106352719 >>106352867
The only secure password storage is writing them down on a paper and putting it in a fireproof safe. Everything else is cope.
Anonymous No.106352843
>>106345790
It's not a bad method actually. Just keep your passwords 8 random seed words.
Anonymous No.106352867
>>106352719
What if you need to log in and you aren't home?
Anonymous No.106352935
>>106345790
I actually do this. Common passwords are memorized but most end up in the book. I work remote so unless someone breaks into my house and knows to look for the boring looking standard composition notebook, there's little risk.
Anonymous No.106352955
>>106345724 (OP)
that's not new dumbass
I've been using it for at least 6 months (i think more like a year)
i do wonder what they store the passwords in tho. must be an internal service, seeing as the GCP secret manager is limited to 600 read requests per min per project, which is abysmal for anything at Google's scale
Anonymous No.106353234
>>106345724 (OP)
I WhatsApp (You) myself all my passwords.
Anonymous No.106353280
>>106346696
Dumb, lazy tripfagger
Anonymous No.106353327
>>106345790
passwords are outdated. use a passkey
Anonymous No.106353383
>>106345770
>>106345856
This
Anonymous No.106354302
>>106345790
>remembering your per-site 128 character passwords
Anonymous No.106354324
>>106345943
make it more secure and name it notpasswords.kdbx
Anonymous No.106354363
Anonymous No.106354407 >>106354473 >>106360283
>>106345734
>constantly avoids vulnerabilities that lastpass/1password/bitwarden have to deal with especially the most recent one from this week
makes me laugh every time
keepasschads winning
traily !!zLGKB/yRaFq No.106354473 >>106355452 >>106360283
>>106354407
It's offline. Of course it doesn't have a DOM-based extension clickjacking vulnerability. Passwords handwritten in a notebook are similarly invulnerable. But at least if your house is struck by lightning, your handwritten passwords will be safe. Your KDB password databases will not.
Anonymous No.106354540
Uploading your passwords to big brother tech servers is 65iq shitskin behavior. kys
Anonymous No.106354568
The OP image and topic point to an article that is 2 and a half years old
Anonymous No.106355361
>Google: Just give me all of your passwords. They will be safe. Trust me bro
Anonymous No.106355452 >>106355540
>>106354473
did you just steal some guy's trip to say retarded shit under his name or something because what kind of retarded thought process is this
never heard of backups?
for anything?
not just a password file but literally anything you care about?
traily !!zLGKB/yRaFq No.106355540 >>106356150
>>106355452
Is your backup plugged in? I did mention a lightning strike. There's also burglary, flooding, your house burning down, and so on. The point is, your situation is fragile if you're depending on an offline password manager. A cloud password manager run by a credible firm offers resiliency and security guarantees that you can't match, not to mention the convenience of easily getting to your passwords on multiple devices. You're paying a heavy tax for your paranoia, in the form of having your time wasted, by managing your passwords offline.
Anonymous No.106356150 >>106356370
>>106355540
How has nobody replied to you? Your database will be just fine, if you use syncthing to keep it synced between multiple devices. If my desktop was lost, then I would just reopen my keepass database on my phone.
Anonymous No.106356168
>>106345734
/thread
traily !!zLGKB/yRaFq No.106356370 >>106356528 >>106359727
>>106356150
You're making my point. Yes, you could jump through a bunch of hoops to maintain password databases on all of your devices and to keep backups at multiple locations; I never said that was impossible. Or, you could use a cloud-synced password manager like a hundred million other people before you, enjoy the added benefits (security, redundancy, quality of life), and then be amazed as nothing terrible happens to you.
Anonymous No.106356460
>>106345724 (OP)
Looks like a dick
Anonymous No.106356528
>>106356370
it's super easy to sync the file with any sort of cloud storage
Anonymous No.106357020
>>106345770
This thing is legit just the best PW manager out there.
There is 0 use case for Bitwarden. Buggy piece of shit, just recently the 2FA codes were messed up lol.

It's either 1Password or Keepass. Everything else is just garbage
Anonymous No.106358643
>>106345724 (OP)
How long until they shut it down and make you lose all your passwords?
Anonymous No.106358785
>Just log into google saar
Anonymous No.106359727 >>106360089
>>106356370
Hoops? Are you retarded? It's just one folder and hitting 'sync this'. I haven't had to do anything else since the simple interaction. Maintaining the whole thing is just having the service running in the background.

Also
>password databases
What are you talking about? It's just one database and it's synced across multiple platforms.

>then be amazed as nothing terrible happens to you.
It's been almost a decade with keepass, and I haven't had any issues whatsoever
Anonymous No.106360033
I used to use KeePass. Though, these days, I use Chrome for my banking, bill pay, and emails, and I use Firefox for my trash browsing. Chrome has a fantastic password manager that seamlessly integrates with Android and is backed up on the cloud for your Google account. I actually trust Google, unlike your typical G-tard who worships nothing but open source then cries like a little faggot when their shit is hacked or broken with no one volunteering a fix.
traily !!zLGKB/yRaFq No.106360089
>>106359727
Sorry, I'm through interacting with trolls for today. You'll have to communicate like an adult, addressing my arguments directly without slurs and profanity, if you want discussion.
Anonymous No.106360283
>>106354407
>>106354473
KeepassXC-Browser extension is confirmed vulnerable:
https://x.com/marektoth/status/1958773833835397408

Since it was the KeepassXC devs that requested the testing and they are the ones that made the extension, a fix is probably coming soon. In the meantime, as long as you have autofill off and the database set to lock automatically on a suitable timer (one minute or less), you will be fine.
Anonymous No.106361125
I watched a guy called Chad shill his authenticator service recently, I like everything about it except the fact it's based on Le Bluetooth and that they only have a .deb client for Linux.

What's the closest alternative to it that has an RPM binary and doesn't rely on Bluetooth?