[HN Gopher] Bitwarden SDK relicensed from proprietary to GPLv3
___________________________________________________________________
Bitwarden SDK relicensed from proprietary to GPLv3
Author : ferbivore
Score : 900 points
Date : 2024-10-24 22:41 UTC (1 days ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| ferbivore wrote:
| Also:
| https://github.com/bitwarden/clients/issues/11611#issuecomme...
|
| Previously: https://news.ycombinator.com/item?id=41893994
| teach wrote:
| Thank you. I had missed this story and was struggling to piece
| things together from the varied comments.
| Scipio_Afri wrote:
| Well that's one way to handle that effectively and in what seems
| to be an open source way without fuckery; glad to hear it cause
| that was going to be a bit annoying migrating away from them.
| weikju wrote:
| Props to them for stepping in the right direction, it wasn't
| obvious at all for a few days what they would do.
| chx wrote:
| Repeatedly: when people post shit like this they more or less
| guarantee the next company won't even try. People! this is one
| of the few companies which open sources their product. The time
| to doubt and preach is not here yet... by far.
| AdmiralAsshat wrote:
| Not really. It was keeping them honest. This wasn't like the
| Winamp thing. Bitwarden has proudly proclaimed itself as
| "Open Source" from day one. It's right on their front page.
| It's in their marketing materials. It's in their podcast
| advertisements.
|
| I _pay_ for Bitwarden based on the premise that it is open
| source. If it tries to pull a Meta and decide that "open
| source" suddenly means whatever they want it to mean in
| defiance of the commonly-understood meaning, I want to know
| about it.
|
| I'm glad they righted the ship on this.
| threatofrain wrote:
| GPLv3 is interesting because it means to use their code in a
| commercial setting, then you must also have the guts to open
| source too.
| hk1337 wrote:
| I don't believe that is entirely accurate. I believe it depends
| on the application and what you're doing with it whether or not
| you would be required to open source it. Like, if you're
| distributing the application as a product, not necessarily saas
| application?
| HeatrayEnjoyer wrote:
| Yes, this is why AGPL is superior.
| nine_k wrote:
| Yes, GPL3 only works for directly distributed software. But
| an important part of BitWarden is exactly such software, in
| the form of a browser extension.
| odo1242 wrote:
| Not necessarily. You can run a "Bitwarden hosting service" or
| something like that without violating GPL. You'd only have to
| make your changes available on request if you changed the
| actual Bitwarden source code or linked some other library into
| it and shared that modified version with someone else (just
| running it on a server doesn't mean you need to open source
| changes, for example)
| hedora wrote:
| Yeah; GPLv3 seems designed to give pure *aaS companies an
| unfair advantage over people that want to give users the
| option to buy commercially supported hardware that runs the
| company's software.
|
| For instance, Google can use bash in their backend
| infrastructure, but Apple cannot ship it on MacBooks or iOS
| anymore.
| jcotton42 wrote:
| > Yeah; GPLv3 seems designed to give pure *aaS companies an
| unfair advantage over people that want to give users the
| option to buy commercially supported hardware that runs the
| company's software.
|
| SaaS didn't exist when the GPL was drafted. If that's an
| issue for you, there's the AGPL.
| npteljes wrote:
| Not if offered as a service. That's why they introduced the
| AGPL, that one has the service restriction too. In terms of a
| service offering, GPL software is free for the taking, and the
| restrictions don't apply as the distribution clause doesn't
| trigger.
| sublimefire wrote:
| The context is inaccurate because it is actually dual licensed
| so thinking about GPLv3 alone is not painting the whole
| picture.
|
| > The default license throughout the repository is your choice
| of GPL v3.0 OR BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE
| unless the header specifies another license. Anything contained
| within a directory named bitwarden_license is covered solely by
| the BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE.
| minebreaker wrote:
| https://github.com/bitwarden/clients/issues/11611#issuecomme...
|
| > We have made some adjustments to how the SDK code is organized
| and packaged to allow you to build and run the app with only
| GPL/OSI licenses included. The sdk-internal package references in
| the clients now come from a new sdk-internal repository, which
| follows the licensing model we have historically used for all of
| our clients (see LICENSE_FAQ.md for more info). The sdk-internal
| reference only uses GPL licenses at this time. If the reference
| were to include Bitwarden License code in the future, we will
| provide a way to produce multiple build variants of the client,
| similar to what we do with web vault client builds.
| jdlyga wrote:
| Bitwarden is still excellent, but keep an eye on them over the
| next few years. Remember that Bitwarden was originally a LastPass
| alternative without the fuckery.
| odo1242 wrote:
| I mean, it still is. It's honestly gotten better too - for
| evidence, it's the one password manager that never gets
| recommended by sponsored YouTubers but _always_ gets
| recommended by non-sponsored YouTubers.
| afavour wrote:
| It depresses me that Bitwarden has also taken VC funding,
| just like 1Password. It's still a great product but as with
| any VC product I'm just waiting for the other shoe to drop
| when it's revenue generation time.
| KPGv2 wrote:
| I honestly don't think the password manager market could
| bear more than $3-5/mo for an individual user or family.
|
| I used 1Password for years until they went from one-time
| payment to monthly sub and removed local sync so you could
| only use multiple devices by paying them. I think a big
| decision there was that they wanted $10/mo or something. I
| can't remember, but at the time it seemed ludicrous.
|
| Years later, when my new laptop couldn't run the final
| local-sync version of 1Password, I finally decide to look
| into password managers again, and lo and behold $3/mo. I
| signed up immediately.
| prophesi wrote:
| The LastPass fuckery was long and frankly egregious.
|
| Though I don't understand why this git commit is what's linked
| here. I'd rather hear the discussions on it.
| https://github.com/bitwarden/clients/issues/11611
| hnbad wrote:
| After reading through the issue thread and the final reply by
| Bitwarden, I think the only context this provides is that the
| headline should rather be something like "Bitwarden SDK fixes
| dependency licensing issue".
|
| The opening comment and the final reply are the only valuable
| contributions in that issue. Everything in between is random
| people jumping in to feign outrage or telling people to use
| Vaultwarden (which btw recently was in the news for more
| significant negative reasons). If anything it's a perfect
| example of the sad state of online discourse.
| ferbivore wrote:
| This wasn't an "issue", it was working as intended. The
| GPLv3 client intentionally depended on proprietary code.
| The CTO's comments on bitwarden/clients#11611,
| bitwarden/sdk#898 and fdroid/fdroiddata!15353 make it clear
| this was deliberate. They've now changed their stance
| because of the backlash.
|
| It looks to me like people expressed genuine concerns about
| being lied to by a company, one they'd trusted with their
| passwords no less. Calling it "feigned outrage" is a bit
| rude.
| kevincox wrote:
| Real links for easy clicking:
|
| https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353
|
| https://github.com/bitwarden/clients/issues/11611
| SirGiggles wrote:
| > (which btw recently was in the news for more significant
| negative reasons)
|
| Do you by chance mean CVE-2024-{39924, 39925, 39926}?
| hedora wrote:
| Interestingly, none of those impact me, since they
| involve an authenticated attacker. I trust all the users
| that can log into my vaultwarden instance.
|
| Were there any other recent issues?
| ok_dad wrote:
| Luckily if they die another will rise up. At this point I'm
| thinking I'll just use the Apple Keychain if Bitwarden gets up to
| no good again.
| lxgr wrote:
| Two things are preventing me from doing that: I occasionally
| want to access my passwords in a browser (and I do not want to
| log in to iCloud on that machine), and I'd feel really bad
| about having my passkeys stored in an Apple service with
| absolutely no way of exporting them in case I ever do switch
| platforms. (Bitwarden at least includes passkeys in their JSON
| export format, as far as I know.)
| ValentineC wrote:
| As another commenter has mentioned, Apple Passwords allows
| export to simple CSV:
|
| https://support.apple.com/en-us/guide/passwords/mchl35b12625...
|
| What I dislike about Apple Passwords is how tightly coupled
| everything is.
|
| I just tried to set it up on my Windows 10 machine with a
| local account, but it requires Windows Hello to be turned on,
| which can't be done except with a Microsoft account.
|
| Kinda ridiculous of them to force arbitrary restrictions on
| us.
| lxgr wrote:
| > Apple Passwords allows export to simple CSV
|
| Not of passkeys, to my knowledge.
|
| > What I dislike about Apple Passwords is how tightly
| coupled everything is.
|
| That's definitely also discouraging me as well.
| rascul wrote:
| What was the no good that Bitwarden got up to?
| abathur wrote:
| https://news.ycombinator.com/item?id=41893994
| Capricorn2481 wrote:
| Sounds like this is what they open sourced? So I don't
| really see the issue.
| ValentineC wrote:
| It was "source available", but licensed under their
| proprietary Bitwarden licence and not GPLv3.
| freedomben wrote:
| It probably doesn't matter for you if you'll never be leaving
| Apple's ecosystem, but for anyone else, I think that's
| something to keep in mind before moving to a non-portable
| solution like Apple keychain.
| accrual wrote:
| I would love to use Apple keychain but you're right - as a
| mixed OS user, it's a tough sell.
| crossroadsguy wrote:
| > non-portable solution like Apple keychain
|
| Yes, non-portable across different OEMs. But Apple Passwords
| app lets you export your passwords in a nice little simple
| csv file. It was a suspicion-filled (because it's Apple)
| pleasant surprise to find that out.
| rqtwteye wrote:
| In the old Apple passwords thing, they used to have that
| export feature but they took it away at some point. Learned
| this the hard way when I switched to Linux for a while.
| chillfox wrote:
| If I wasn't busy playing with AI stuff then I would be very
| tempted to build my own password manager cloud service, it
| feels like a chance to shine shows up at least once every two
| years in that space.
|
| I don't know what it is, but password managers just love the
| high-speed enshittification train.
| TechDebtDevin wrote:
| It's not very easy and you shouldn't do it unless your domain
| is cryptography. This is something I've tried to do myself as
| well and realized it's better off left to the pros.
| MisterKent wrote:
| People here are incredibly hard to please. Very clearly a
| packaging issue that got blown out of proportion.
|
| They've done largely the right things for _years_ in terms of
| security. They've operated pretty transparently in terms of open
| sourcing. They've allowed vaultwarden to exist, and eventually
| created a self hostable version as well.
|
| But one bad release with a license screw up and nobody is willing
| to give them an inch?
|
| I will continue to use bitwarden, and am willing to give them the
| benefit of the doubt. Especially considering this action above.
| They are a company that is perfectly toeing the free/oss and
| commercial line.
| sneak wrote:
| For a long time their KDF was bad and the iteration count was
| low. When I reported it to them they got really hostile and
| evasive about it.
|
| Years later they switched to Argon, somehow solving all of the
| blocking problems they had repeatedly claimed they couldn't
| fix.
|
| I don't trust the org at all. The software is ok but I only use
| it because it sucks marginally less than all my other options.
|
| People who care about software freedoms don't release
| proprietary software. Organizations like this or Microsoft are
| just engaging in open source cosplay.
| gertop wrote:
| > When I reported it to them they got really hostile
|
| You're not the one who first reported it, but I did see your
| comments at the time. Calling _them_ hostile is really the
| pot calling the kettle black, uh?
| gitaarik wrote:
| To me the story also sounds a bit like GP was a bit
| impatient and felt a bit ignored while the company was
| already working on the issue but just didn't respond
| promptly to them personally.
| j_crick wrote:
| You build a hundred solid bridges and you get called John the
| Good Bridge Builder. But lest you once screw up your software
| licensing and people notice and it blows up, you'll end up as
| John the Software Screwer in the annals of history... until
| next week.
| gitaarik wrote:
| Well it is kinda blasphemy to swear with evil proprietaryness
| in a loving FOSS community
| ValentineC wrote:
| And then we have WordPress, former champion of open source
| and GPL, with all their soap opera drama.
| WesolyKubeczek wrote:
| It seems though, that in the world of software, you can
| unfuck a sheep.
|
| What worries me, though, that people who should have known
| better commit such oopsie daisies more and more (across many
| projects, I don't mean this one only), almost as if they are
| testing the waters to see what they can get away with.
| j_crick wrote:
| > almost as if they are testing the waters to see what they
| can get away with.
|
| I think if it's a pattern then it's no accident. Of course
| people will test things. Kids, dogs, it's all the same: if
| you can get away with something, why not do it?
| froggerexpert wrote:
| > But one bad release with a license screw up and nobody is
| willing to give them an inch?
|
| I don't have a lot of context on the issue.
|
| Is it clear it was just a packaging bug, rather than a move
| towards partially proprietary?
| odo1242 wrote:
| Yeah - they've always used an open-core licensing model with
| like a few features (used only by business
| users/applications) behind a proprietary license. They just
| ended up mixing the code in a way such that the
| (theoretically open-source) app ended up having some utility
| functions for the business version mixed in. Since the client
| apps don't use that functionality, they split the repository
| so that you can build the app without using any proprietary
| code.
| froggerexpert wrote:
| Fair. I didn't know Bitwarden was open-core. In light of
| this, accidental packaging mixup sounds plausible.
| ferbivore wrote:
| The idea that this was "just a packaging bug" is damage
| control by Bitwarden. It was a deliberate change, per the
| CTO's comment on https://github.com/bitwarden/sdk/issues/898
| and elsewhere. They slowly worked their way towards adding
| this SDK dependency to every client, and the SDK was
| intentionally not open-source. The public outrage is the
| _only_ reason Bitwarden is GPLv3 again.
| the_duke wrote:
| Minor correction: the official self-hosted version existed
| BEFORE vaultwarden!
| hiatus wrote:
| > Very clearly a packaging issue that got blown out of
| proportion.
|
| CTO: > There are no plans to adjust the SDK license at this
| time. We will continue to publish to our own F-Droid repo at
| https://mobileapp.bitwarden.com/fdroid/repo/
|
| https://github.com/bitwarden/sdk/issues/898
|
| Doesn't seem like a mistake or unintentional action.
| PaulKeeble wrote:
| Once an organisation has tried once they invariably do it again
| and again until they find a way to get what they want. The
| customers tire of complaining over and over about little
| enshittifications and eventually the company wins. Once they start
| it always goes the same way, it just often takes a few goes before
| most give in.
|
| It will be years until it becomes awful but the process has started.
| It's really a shame every company has to do this with otherwise
| good products.
| gitaarik wrote:
| If that were the case, I wouldn't have expected them to
| change it back. I don't think it was that bad of an impact for
| them, they are already big enough in non-hardcore-open-source
| communities that they could pull it off and afford to lose some
| customers to go proprietary. I'm actually really positively
| surprised by them that they actually picked up on this issue
| raised by the community and that they fixed it very promptly.
|
| Yes the trust was seriously damaged, but this move does restore
| it largely for me.
| sneak wrote:
| Doesn't GPL mean that it can't be forked and published into the
| Apple iOS app store?
|
| Presumably they are able to do it because they own the rights and
| can grant a non-GPL license to Apple for distribution.
|
| This seems to me to still be a "nobody can fork this [and still
| have a viable iOS app] but us".
| cxr wrote:
| The last time anyone did a serious published review of the App
| Store terms for GPL compatibility was probably 10+ years ago.
|
| I remember pre-COVID trying to validate the popular claim that
| the App Store terms were incompatible with GPLv3 but being
| unable to do so. None of the provisions that were originally
| called out by the FSF were in the App Store terms anymore at
| that point. Certainly nothing I found in the terms at the time
| indicated any incompatibility.
| FateOfNations wrote:
| Whenever I've heard about someone having problems publishing a
| fork on the App Store, it was a trademark rather than a
| copyright issue. If you fork it, you must completely re-brand
| it to publish it on the App Store.
| throwaway290 wrote:
| Don't forget disclosing the source to users!
| master-lincoln wrote:
| Everybody can fork this and build an iOS app. You just can't
| distribute through the app store as far as I understand. Would
| be good now if there were other means to install an app on iOS
| for non-devs, but users chose to ignore that issue when they
| joined the walled garden that is Apple Inc
|
| Maybe the European Union comes to the rescue... (for Europeans)
| blendergeek wrote:
| Thank you to Bitwarden for relicensing a thing to Free/Open
| License! Unfortunately, I no longer recommend Bitwarden for
| normal people because the built-in password manager in Firefox is
| too good. But for anyone with more advanced needs (or who doesn't
| trust a password manager built into a web browser), I always
| recommend Bitwarden because KeepassXC + syncing is way too
| difficult for normal people.
| lxgr wrote:
| Can it store TOTPs and passkeys as well? These are two things
| encountered even by "regular people" more and more.
|
| Especially keeping passkeys platform-independent is a huge
| advantage, in my view.
| Uvix wrote:
| Yes, Bitwarden can store both.
| lxgr wrote:
| I was referring to Firefox with that question.
| odo1242 wrote:
| It can't, you need a browser extension for that.
| Uvix wrote:
| Ah, sorry for misunderstanding.
| freedomben wrote:
| There will always be different opinions, but my opinion is
| that storing your TOTPs in your password manager is at best a
| reduction in security because you're reducing your 2 factors
| down to 1 factor. If the password manager gets compromised
| (even phished! It needn't involve the password manager's
| servers getting hacked), then you gain nothing by having 2FA
| enabled.
|
| I would strongly advise using something like Aegis on
| Android, or Gnome Authenticator on desktop (or both). I like
| to duplicate/backup my seeds so that I'm not SOL if my phone
| breaks, but I do it by having them on my laptop, desktop, and
| phone. That way as long as I have one of the three devices, I
| can always get in, and then they're not "in the cloud."
| Though, "in the cloud" is still better than "in the cloud
| alongside all my passwords."
| magackame wrote:
| Doesn't having the seeds available on all of the devices
| make it not 2FA? You now need only one device to login at
| any given time.
| mason55 wrote:
| The second factor isn't a second device, it's the TOTP
| code.
| AStonesThrow wrote:
| No, factors are supposed to have different qualities,
| such as:
|
| "Something you know"; "something you have"; "something
| you do"; "something you are [biometrics]"; "somewhere you
| are [geolocation]".
|
| Passwords are in your head - "something you know".
|
| TOTP codes are generated by a hardware token - "something
| you have".
|
| If the TOTP codes are crammed into your password manager,
| then the factors are no longer distinguished by these
| qualities, but they're now the same factor, and it's not
| true MFA anymore, whether or not they're split up across
| devices, or apps.
| akho wrote:
| 2FA via TOTP implies two things: 1) you know a password;
| 2) you know the seed. This is why people criticize that
| approach. In practice, knowing a password and having a
| file (seed) seem different enough, and work against some
| phishing threats.
|
| Logging in through a password manager requires that you
| know a password (your master password), and have a file
| (your vault).
| KPGv2 wrote:
| Or alternatively something you are (fingerprint)
| alongside something you have.
| AyyEye wrote:
| Sometimes the TOTP is forced on me for a service I really
| don't care about. That's most of mine, actually.
| freedomben wrote:
| Indeed, when that's the case I think the PW manager is
| fine.
|
| Though, if you already have to have an app for the
| important stuff like your email, then IMHO it's actually
| simpler to just keep them all in one place even if you
| don't care too much about some of the tokens. Just one
| less thing you have to remember (i.e. where did I put
| service X's token again? was that in bitwarden or Aegis?
| etc).
| saint_yossarian wrote:
| It's still 2 factors though, if someone discovers your
| password they don't automatically know the TOTP key. So I
| use TOTP in my password manager for sites where I wouldn't
| use 2FA otherwise (because using my phone would be
| inconvenient), so it's still a security improvement for me.
| And for critical accounts I do use Aegis on my phone.
| hsdropout wrote:
| That's not 2FA, that's two of the same factor.
|
| The factors are:
|
| - Something you know
|
| - Something you have
|
| - Something you are (biometrics)
| saint_yossarian wrote:
| Not sure what you mean, it's still a second unique token
| that an attacker would need to know to access my account,
| so it's improving my security even when stored in my
| password manager. This was in response to grandparent's
| opinion that it's "at best a reduction in security".
|
| I'm not talking about my password vault getting breached,
| in that case I'd be fucked either way.
| freedomben wrote:
| > _I'm not talking about my password vault getting
| breached, in that case I'd be fucked either way._
|
| But that's the whole point. If your password vault is
| breached, the second factor is what prevents you from
| being fucked. That's why putting your seeds in the vault
| is a reduction in security. It may be a reduction/risk
| that you're willing to take for convenience, but it's
| still a reduction.
| lucideer wrote:
| That list makes for a nice slidedeck but the separation
| (like many things in tech) isn't as clear cut as the
| metaphor.
|
| "Something you know" (password) becomes "something you
| have" as soon as you store/autogenerate/rotate those
| passwords in a manager (which is highly recommended).
|
| "Something you have" in the form of a hw key is still
| that device generating a key (password) that
| device/browser APIs convey to the service in the same way
| as any other password.
|
| "Something you are" is a bit different due to the
| algorithms used to match biometric IDs but given that
| matching is _less secure_ than cryptographic hash
| functions - this factor is only included in the list for
| convenience reasons.
|
| The breakdown of this metaphor is one of the reasons
| passkeys are seen as a good thing.
| odo1242 wrote:
| I mean, if you're using a password manager, you're already
| protecting against 99% of the things that 2FA is designed
| to protect against. If you really wanted to, it would
| probably make the most sense to enable 2FA on your password
| manager?
| dcow wrote:
| The only true 2nd factor is a setup where your totp codes
| live on a separate piece of physical hardware. If your totp
| codes are in an app on your phone, and your password is in
| a different app on your phone, you're not pure 2nd factor
| despite convincing yourself that you are. Anything that is
| convenient is not real 2FA. Real 2FA needs to be pick two
| of: a password in your head, a verifiable biometric
| signature, a code/key on your phone or separate physical
| hardware yubikey.
|
| I'm not saying I think everyone needs real 2FA. I think
| 99.999% of the time storing your 2FA codes in your PW
| manager, or just moving on to Passkeys, is the right
| answer. 2FA is a hack put in place to mitigate passwords
| being relatively insecure and phishable. It's supplanted by
| Passkeys.
| KPGv2 wrote:
| > Real 2FA needs to be pick two of: a password in your
| head, a verifiable biometric signature, a code/key on
| your phone or separate physical hardware yubikey.
|
| My thumbprint isn't stored on my phone, so I have two
| factors.
|
| From the PCI Security Standards supplement on MFA,
|
| > The issue with authentication credentials embedded into
| the device is a potential loss of independence between
| factors--i.e., physical possession of the device can
| grant access to a secret (something you know) as well as
| a token (something you have) such as the device itself,
| or a certificate or software token stored or generated on
| the device. As such, independence of authentication
| factors is often accomplished through physical separation
| of the factors; however, highly robust and isolated
| execution environments (such as a Trusted Execution
| Environment [TEE], Secure Element [SE], and Trusted
| Platform Module [TPM]) may also be able to meet the
| independence requirements.
|
| So your phone can constitute a token, while the biometric
| constitutes the second factor. I don't know about Apple
| phones, but Google's requirements for biometrics are:
|
| > Capturing and recognizing your fingerprint must happen
| in a secure part of the hardware known as a Trusted
| Execution Environment (TEE).
|
| > Hardware access must be limited to the TEE and
| protected by an SELinux policy.
|
| > Fingerprint data must be secured within sensor hardware
| or trusted memory so that images of your fingerprint
| aren't accessible.
| dcow wrote:
| I think you misunderstood me. I agree that biometric plus
| password or device key would constitute two factors. I
| perhaps believe that you can't really trust the device to
| have performed biometric verification without some sort
| of software attestation. So if the security of your
| protocol depends on two factors, you'd need to yes have a
| biometric signature or remote attestation that a
| biometric check has been performed.
| freedomben wrote:
| I think you're letting perfect be the enemy of good. It
| doesn't have to be pure 2FA to be better than 1FA. Being
| in separate apps _does_ give some benefits. It's always
| going to be harder to compromise two apps than it is to
| compromise just one of them (even if the difficulty
| increase is marginal, it's non-zero). Often simply not
| being low-hanging fruit is enough to save you from an
| attack.
|
| There are plenty of things for which a 2FA in PW manager
| is fine, but for the most important things I think it's an
| unnecessary and regretful reduction in security. For
| example, email account. Email is the "forgot password"
| way to get access to almost everything, so it's worth a
| trifling inconvenience in having to load your 2FA into a
| different app. Same with things like AWS, Cloudflare, and
| other high-value targets. For the vast majority of
| people, keeping your Twitter seeds in your PW manager is
| fine, but it's foolish to do that with your email and
| other high-value targets, and IMHO if you're already
| going to have to have two apps, you might as well just
| standardize and keep the seeds in your authenticator app,
| and your passwords in your vault. YMMV
| dcow wrote:
| No I'm specifically not. Did you read my 2nd paragraph?
| It's essentially your argument here.
|
| The person I was responding to was arguing that totp in
| pw manager is no good. Maybe you meant to reply to them
| and not me?
| freedomben wrote:
| I did read your second paragraph. There is some
| ambiguity, but I ultimately decided you weren't agreeing
| with me because you said (emphasis added):
|
| > I think 99.999% of the time storing your 2FA codes _in
| your PW manager_ , or just moving on to Passkeys, is the
| right answer.
|
| If you're storing your 2FA codes in your PW manager, then
| you're NOT using separate apps. You're using the same app
| (your PW manager). My argument is that you should use
| separate apps for the things that matter, like your email
| (which can be used to get access to almost every other
| account), and since you're already using separate apps
| for those things, you might as well just be consistent so
| you don't have to remember where each TOTP token is
| stored.
|
| I see three levels we've discussed:
|
| 1. Pure 2FA using hardware token or equivalent (which I
| agree is rarely needed)
|
| 2. Impure 2FA but separate app for storing passwords and
| TOTP tokens (which I'm advocating for)
|
| 3. Storing TOTP tokens in PW manager (which you appear to
| be arguing for in 99.999% of cases, which is basically
| all of them)
|
| If you are actually advocating for level 2, then we
| agree, but from reading your 2nd paragraph it seems
| pretty clearly to be arguing for level 3.
| dcow wrote:
| I may be arguing for (3) but then I'm not letting the
| perfect be the enemy of the good. I don't fancy the
| security types that do that.
| lxgr wrote:
| > Anything that is convenient is not real 2FA.
|
| That's a pretty user-hostile attitude. Sure, some
| combinations of factors are pretty unergonomic, but I'd
| call that a bug, not a feature.
|
| It's also incorrectly suggesting that somehow
| complexity/painful usability automatically yields
| security, while usually the opposite is true:
|
| An effective secure authentication solution absolutely
| must consider usability, or it's doomed to be
| circumvented by users in one way or another (either via
| some insecure practice, or by your users simply ceasing
| to be your users).
| dcow wrote:
| I'm speaking to how things are practically implemented,
| not making a statement about ideals.
| czarit wrote:
| This depends on the threat model. Having 2FA in the PW
| manager defends against someone phishing the password and
| database leaks on the server side, which are the most
| common in my threat model. But note that if they can phish
| your pw, they can probably phish your 2FA as well.
|
| It does obviously not protect against the scenario where
| someone is breaking into your password vault.
|
| I tend to enable 2FA but conveniently save the token in the
| PW manager for relatively low equity stuff, just to make it
| less enticing for an attacker, but use hardware FIDO for
| everything actually important.
| guerby wrote:
| Same here.
|
| TOTP is trivially phishable via evil nginx just like your
| password, and via social engineering.
|
| FIDO2 is not phishable and you have no secret to give out
| to social engineering attacks.
| KPGv2 wrote:
| > TOTP is trivially phishable . . . via social
| engineering
|
| Is it? I've been on the Internet since the 80s and
| haven't been phished a single time (despite being the
| recipient of many obvious attempts). Maybe I could be
| phished, but I think that's evidence it's not trivial.
|
| I have to wonder how many people sophisticated enough to
| use and pay for a password manager like Bitwarden could
| be "trivially" phished.
| lxgr wrote:
| That's great for you, but also a sample size of one
| (probably technically sophisticated) user, i.e.
| irrelevant to the bigger picture.
|
| The phishability of TOTP really is exactly as bad as that
| of passwords, except that a once-phished TOTP isn't
| reusable by the attacker(s), unlike a phished password.
|
| But even one-time access is often catastrophic,
| especially if it allows the attacker to rotate
| credentials.
| lucideer wrote:
| Aegis is no more secure than storing your TOTPs in your
| password manager - 2 factors _primarily_ protect against
| remote attacks, which don't have direct access, in which
| case the app your 2nd factor lives in is moot. If your
| threat model involves direct access you need dedicated
| hardware for your 2nd factor. Most people are fine with
| TOTP in pw manager.
|
| (I do use Aegis as I like the UX but that's a separate
| topic)
| odo1242 wrote:
| Yes, though TOTPs will run you a (worth it imo) $10/year
| subscription. Passkeys have been supported for a while (free)
| on all major platforms, and I haven't seen any issues with
| it.
| bigfatfrock wrote:
| > because KeepassXC + syncing is way too difficult for normal
| people
|
| I've been debating for ages if this is a hurdle that can be
| overcome by packaging or even hand-holding support. When I show
| "normal people" my pass+sync setup they beg me to implement it
| for them. Once it's running it's near-zero maintenance.
| lie07 wrote:
| Would love to know how you have it setup.
| peterpans01 wrote:
| can you share how do you set this up?
| freeone3000 wrote:
| I store the password vault in dropbox. Done.
| dcow wrote:
| 100% serious question: how is using dropbox (one cloud)
| to sync passwords any better or more secure than using a
| password manager that syncs your vault for you (another
| cloud)? I see so many "I don't trust <insert pw manager>
| so I use dropbox" comments around these parts and I just
| don't understand what real or perceived threat is being
| mitigated.
| freeone3000 wrote:
| It's small enough for dropbox's free tier so it saves me
| a subscription.
| dcow wrote:
| Ah! Threat to the wallet I see. That Dropbox referral
| credit must still be paying dividends.
| chpatrick wrote:
| I guess the idea is that you trust open source software
| to encrypt the vault, so Dropbox couldn't do anything
| with it even if they wanted to. That's also true for the
| open source Bitwarden clients though.
| Brian_K_White wrote:
| It's valuable that the syncing mechanism is separate
| because that makes it agnostic. Parent comment uses
| Dropbox, I use Google Drive, someone else uses OneDrive,
| someone else uses iCloud, someone else uses Syncthing or
| Nextcloud, etc.
|
| You don't have to trust the single cloud provider to
| encrypt and not be able to spy. The vault is encrypted on
| your own device using fully open software, and the cloud
| only ever sees a blob they have no keys to, directly or
| indirectly. The encrypting/decrypting software was not
| written by the cloud provider.
|
| You don't have to trust any single cloud provider to stay
| up, be available in your country, stay friendly to you.
| If Dropbox goes down or kills your account, you just flip
| to any of 20 other options.
|
| You say you don't understand why someone prefers Dropbox
| over the special custom syncing, but I don't understand
| what the excuse is for a special vendor-specific
| implementation of something that is already generic and
| agnostic. It's like using a browser that uses its own
| version of http to download files and only works with one
| web site that has the matching special server.
|
| It's not a remotely equivalent comparison between "one
| cloud" and "another cloud". One is a single vendor-
| specific, custom purpose, single-provider thing, the
| other is agnostic and infinite, use any method you want
| from any provider you want any time you want.
|
| For me it's not about "mitigating a real or perceived
| threat". It's just basic system resilience and principle
| to avoid special things and prefer generic/agnostic
| things, and keep concerns separated. But it is also more
| secure not to trust any integrated cloud provider, vs
| having the cloud be just storage that doesn't know
| anything about the blob being stored, and _can't_ even
| if they turn bad, or are pressured by a government, or
| get hacked, etc.
| ekianjo wrote:
| You can use syncthing too. Works just as well.
| dwightgunning wrote:
| Is there a robust Syncthing app for iOS? Last time I
| checked there was only an affiliate project and their
| story wasn't convincing.
| subarctic wrote:
| I use mobius sync and I'd say the app itself is fine, you
| just have to open it whenever you want things to sync.
| That's one of the things I miss from Android. Also you
| can't sync your camera folder
| conradev wrote:
| Nope. I have a cloud Syncthing box that is accessible
| over SSH, and I use ShellFish to read/write my synced
| folders. It works okay, especially for lazily sending
| stuff from my phone to my laptop.
| dsp_person wrote:
| it was just discontinued for android :(
| jcotton42 wrote:
| Mobius Sync works really well, the only caveat is that
| it's not completely free (you're limited in the sync size
| unless you pay $5, but that's a one-time thing), and that
| while it can background sync, it's not continuous, and
| you'll want to open the app if you need to make sure
| something's synced.
| teo_zero wrote:
| > store the password vault in dropbox
|
| No local backup? Do you rely on the network working all
| the time?
|
| I do something similar on the mobile phone (the reasoning
| is, if there's no network, there's nothing I need to
| login to) but I also keep a local copy on my laptop (that
| I sometimes operate with limited connectivity). Without
| any automatic syncing, one of the two copies will be
| stale.
| anilakar wrote:
| Back in the day we tried to sync KeePass vaults at work
| and ended up with a conflict about once a week, which is
| way too often. Not sure if other password managers have
| solved this.
| Dylan16807 wrote:
| > No local backup? Do you rely on the network working all
| the time?
|
| Normal dropbox behavior keeps a copy on every computer.
| gregwebs wrote:
| I did this a long time ago but eventually ended up with
| conflicts. Password managers write new entries in a file
| and easily avoid conflicts whereas agnostic file managers
| will immediately conflict if sync wasn't working for a
| while on a device
| sublimefire wrote:
| I've used it (Keepass) for a while and never got the conflict
| on the desktop client (osx), nor on Firefox. But the iOS
| app does not like the file on the Google Drive and
| occasionally it needs to be reloaded.
| SkiFire13 wrote:
| Instructions unclear, I have no password vault.
| kcmastrpc wrote:
| Right, doesn't everybody just use the same password
| everywhere? I don't see the point of these things.
| KPGv2 wrote:
| You laugh, but that's apparently what I did a decade and
| a half ago.
|
| I recently mounted a HDD that was at my parents' house.
| Most files are from 2009-2012ish. I was there one summer
| between undergrad and grad school and used it for a
| couple months.
|
| I found an Opera password list that I'd exported,
| presumably to copy over to my new laptop. It was fun last
| night skimming the list, seeing which websites I'd
| completely forgotten about that I used to have accounts
| for. Almost none of them even exist anymore besides the
| big players (Slashdot, Apple, etc.), but the point is
| *almost all of them had the same password*. o.O
| dcow wrote:
| Password management is like exercise. Even when people say
| they understand the value and want to do it, they don't. Even
| if you implement it for them, if it's not something that
| slots perfectly into their existing routine, they're not
| going to do it. Thankfully passkeys are here.
| tjoff wrote:
| It's fine, even bad password management is better than
| passkeys.
|
| Thankfully the incredible hype for passkeys has been dead
| for years now and people are starting to question it.
| runiq wrote:
| Is this... is this sarcasm? I honestly can't tell
| anymore.
| tjoff wrote:
| It is not.
| archi42 wrote:
| Would you care to elaborate? It also matters what counts
| as "bad password manager" to you - Poor crypto? Poor UX?
| A reddit post ;-)? LastPass?
|
| With passkeys, both the website and the user can be
| pretty sure that the "password" is secure. The website
| knows that it's based on enough entropy, and the user
| knows that the website can not lose it.
|
| Of course if I use a random generated 80 char password I
| only mildly care if the website stores it plain text or
| not.
|
| But if I was a site operator, I could additionally trust
| that the users are using secure passwords. Without insane
| strength requirements (which people only work around
| anyway, e.g. Passw0rd!123 is usually accepted, but
| thisisasuperlongpassphrase often is not).
|
| I'm in the business of testing security, which means I
| sometimes crack passwords. No matter how much training
| you put your employees through: Somebody gonna use ${some
| name}${0 or 1 special char}${some birthday} - whether it's
| the spouse's, the kids' or the affair's data, your guess is
| as good as mine.
| przmk wrote:
| Where did you manage to find "normal people" that begged you
| to install a password manager for them? I have yet to come
| across one person who wanted one.
| archi42 wrote:
| There are normal people out there who have been hacked, or
| knew someone who was.
|
| Also, some normal people are computer-smart enough to
| understand problems like credential-stuffing, if someone
| explains it to them.
| cryptos wrote:
| I did that for quite some time, but I had severe issues with
| multiple editing users and with android apps. All the tricks
| I tried, like nested vaults didn't fully work in the end. So
| I ended up with 1Password.
| sigzero wrote:
| KeepassXC also doesn't have templates for things. It's in the
| works. When it comes out I might take another look at it.
| danpalmer wrote:
| > Unfortunately, I no longer recommend Bitwarden for normal
| people because the built-in password manager in Firefox is too
| good
|
| Interesting, I've always felt that browser-based password
| managers provided remarkably little value for most people.
| Using them on mobile is tricky and platform dependent, it's
| easy to have local-only, non-synced data and then lose it, and
| being multi-device is trickier, especially in a work context.
|
| On the other hand, people generally understand installing an
| app on each device they own and that app doing it for them.
| mrwm wrote:
| I'm not sure how it is on iOS, but I've been using firefox as
| my password manager on android. It's a trivial change in the
| settings and works across all apps as well.
|
| I also recommend it to my friend group, as they can use
| firefox with uBlock Origin, and also have their passwords
| synced.
| tetris11 wrote:
| Yep, since Android 12 I think you can set Firefox as your
| main password manager.
|
| It's genuinely delicious
| simfree wrote:
| Firefox password sync just works. It's one of those things I
| never think about.
|
| Watching friends and family struggle with bespoke, poorly
| integrated password managers makes me cringe and is one of
| the big reasons I enjoy the seamless experience of the built-
| in Firefox password manager.
| _fs wrote:
| Does it have the ability to unlock with faceID on ios?
| phaerus_iconix wrote:
| Yes it does.
| danpalmer wrote:
| Does it require a Firefox account? Does it only store them
| locally if you haven't signed in to Firefox? This is the
| sort of failure I've seen, where people think their
| passwords are synced but because they didn't sign in years
| ago it's actually not backed up at all. At least on Chrome
| you get reminded of that all the time on YouTube/Google
| search, etc.
|
| I know for Safari all the sync is via iCloud meaning if
| you're not signed in it's locally stored and vulnerable in
| that way. Especially as many people can't/don't sign in to
| their own iCloud on work computers, or don't have a Mac.
| notpushkin wrote:
| Firefox reminds you a bunch of times, too. Would be nice
| if you could just link a new device via QR code (creating
| an account for you in the background).
| codys wrote:
| The original Firefox sync worked like this (with a unique
| code and pairing instead of an explicit account) (this is
| so on the nose I suspect you may know this).
|
| This blog post goes over some of that history:
| https://blog.mozilla.org/services/2014/04/30/firefox-
| syncs-n...
| callahad wrote:
| Didn't expect to click on that link and end up on a blog
| post I wrote 10 years ago! The old Firefox Sync / PAKE
| stuff was fantastic for getting sync going between
| devices... but people wanted backup, not sync. I wonder
| if we'd do anything differently confronted with the same
| challenge today.
| g8oz wrote:
| Hey I love the syncing
| neobrain wrote:
| > Does it require a Firefox account? Does it only store
| them locally if you haven't signed in to Firefox?
|
| The passwords are available offline, so they are stored
| locally.
| mikae1 wrote:
| But does it work for non-website passwords like the PIN for
| the door at your workplace or the usernames and passwords
| for your computers?
| archermarks wrote:
| Yes. You can add whatever passwords. It asks you for a
| URL but you can put anything in.
| gouggoug wrote:
| > It asks you for a URL but you can put anything in.
|
| Well, that's kind of the problem isn't it?
|
| Yes, you can put bogus URLs, but it's far from a great
| user experience
| RamRodification wrote:
| door://businesstreet/23/A/front
| globular-toast wrote:
| Someone understands URLs! The URL will be 30 years old
| soon[0], and still many people don't know what it really
| is.
|
| [0] https://datatracker.ietf.org/doc/html/rfc1738
| bowsamic wrote:
| No end user understands URLs this way. Unless Firefox
| teaches them this, then this is nonsense
| RamRodification wrote:
| Yes, It's a joke. Sorry
| bowsamic wrote:
| Is it? I thought you were being serious
| RamRodification wrote:
| Yes, it's a joke. Sorry.
| bowsamic wrote:
| Why, though? Isn't it actually a good suggestion?
| nutrie wrote:
| Agree! And it's funny.
| tverrbjelke wrote:
| Where is the joke? I don't get it!
| eitland wrote:
| Why not both?
| dbolgheroni wrote:
| Not supported. It can't be anything.
| INTPenis wrote:
| Technically maybe someone could make you navigate to that
| url in the future, through mitm or some sort of DNS
| poisoning, and autofill a form with your password and
| then auto submit it.
| nox101 wrote:
| it just works for websites. it does not "just work" for
| apps whereas the platform ones do or have a chance to work
| with apps.
|
| Kind of hope regulation will force apple/google/ms to allow
| iterations for 3rd parties to integrate with the os but on
| the other hand that will open a host of issues
| joshvm wrote:
| It does on iOS, but I believe the onus is on the app
| developer to enable the autofill feature in the form, or
| at least make sure that the app hints to iOS that it can
| be filled with a password. I'm making that assumption
| because there are lots of apps which don't trigger the
| native Apple password manager either (which is a lousy
| user experience). However, if one works then both do. The
| UI offers a choice of password manager and Face ID works
| to unlock it.
|
| I use both. Apple's manager supports OTP generation which
| is nice, but on desktop websites, Firefox is often more
| convenient.
| phs318u wrote:
| I use the Strongbox app on iOS [0] and the KeepassXC app on
| my Linux laptop. The passwords.kdbx file sits on my
| Onedrive, which the Strongbox app can access. On Linux I
| use a Onedrive client [1] that I use to sync several
| folders within my home folder. Strongbox supports both
| Keepass and pwSafe database formats. It also integrates
| well with iOS, with autofill supported (also supports
| Yubikey unlock and Apple Watch unlock).
|
| [0] https://apps.apple.com/app/strongbox-password-
| manager/id8972...
|
| [1] https://abraunegg.github.io/
| BodyCulture wrote:
| This discussion is about an open source password manager.
| I wonder why you are recommending a closed source
| software? Are you aware that many people prefer open
| source for security software for a reason?
| delfinom wrote:
| Yep, it's the same problem on Android. Some app
| developers go full asshole with the password text boxes.
| There was one electric utility here that I lambasted hard
| and they finally fixed their form which not only didn't
| trigger the password manager, it literally blocked all
| pasting.
| monocularvision wrote:
| iOS already has all of the API required to integrate a
| password manager with the OS. Third party password
| managers can already integrate with both browsers and
| apps to provide passwords and password generation
| ClassyJacket wrote:
| Can Firefox password manager work in other apps on Android?
| attendant3446 wrote:
| Looks like yes[1]
|
| 1. https://support.mozilla.org/en-US/kb/end-of-support-
| firefox-...
| kome wrote:
| yes and it's perfect. firefox (with ublock) are really
| the best experience on android.
| miki123211 wrote:
| Firefox sync made the criminal sin of implementing end-to-
| end encryption, enabling it by default, and being
| insufficiently clear to people that their passwords are
| lost forever when they forget the master password.
|
| This provides a really terrible UX to "normal" users. I
| wouldn't recommend that option to anybody who doesn't
| already know what E2E is and what tradeoffs it has.
|
| Google's implementation is a lot better in that regard, at
| least they offer plenty of avenues for account recovery.
| bandrami wrote:
| Presumably the passwords themselves have recovery/reset
| procedures? I can't think of a good reason to add another
| risk surface to a password manager given that
| KPGv2 wrote:
| Can you identify the password managers that do not
| implement end-to-end encryption so I can avoid them
| forever?
| Nathanba wrote:
| that's not my experience, I've lost bookmarks due to
| firefox sync multiple times.
| jorvi wrote:
| That is such a laughable statement. 1Password has
| incredible UI/UX. Even has e-mail masking with Fastmail.
| And auto-enters TOTPs, for the less-important ones you
| feel comfortable saving in your password manager.
| floydnoel wrote:
| > people generally understand installing an app on each
| device they own and that app doing it for them.
|
| an app like Firefox or Chrome, perhaps?
| danpalmer wrote:
| This is obviously true for the HN crowd, but for normal
| people I think there's a distinction. Don't underestimate
| the value of centering a brand and an icon on a home screen
| around a single function.
| JoshTriplett wrote:
| > Interesting, I've always felt that browser-based password
| managers provided remarkably little value for most people.
|
| They provide the value of "you should, by design, have no
| idea what most of your passwords are; if you know any
| significant number of your passwords you probably have bad
| passwords".
|
| And both Firefox and Chrome sync passwords between devices.
| wruza wrote:
| This is the value of any password manager, not a browser-
| based one.
| lrem wrote:
| All serious browser vendors offer sync to logged in users.
| That's multi-device, cross platform and pretty foolproof. I
| still prefer Bitwarden because of self-hosting and
| integrating nicely with the iOS ecosystem. But there's not
| much wrong with the browser approach.
| usrusr wrote:
| Multi device is all nice and well, but what if you use
| products from more than one browser vendor?
| lrem wrote:
| Then you're a rare corner case that's served by something
| third party.
| CJefferson wrote:
| I have the opposite problem. If I forget to log into
| bitwarden, passwords just get saved into firefox / chrome, so
| now I've got some passwords in bitwarden, some in chrome,
| some in firefox, and worst of all bitwarden doesn't seem to
| have an easy way to unify these databases.
| trinsic2 wrote:
| That's a bit much to put on a 3rd party password manager.
| Thaxll wrote:
| Keepass file on Google drive is kind of trivial though.
| throwuxiytayq wrote:
| Never store anything remotely important on a Google service.
| arnavpraneet wrote:
| I know we are kidding but damn the news Google Drive is
| being sunsetted by December would ruin a lot of people's
| days
| ClassyJacket wrote:
| At this rate they'll sunset google search and their
| advertising business just because.
| teo_zero wrote:
| Never store _the only copy_ of anything remotely important
| on any online service.
|
| Storing copies is ok, though, provided that sensitive
| information is encrypted.
| gertop wrote:
| Firefox's password manager stores passwords in clear text
| unless you use a master password (very few people do).
|
| This means that any process on the computer can read them.
|
| It also means that, unless you also use full disk encryption, a
| stolen device means you're fucked.
|
| Chrome and Safari use the OS's keychain at least, so there is
| some level of security.
|
| And a standalone password manager has its own encryption.
| mikehotel wrote:
| This has been the case for a long time, and has not changed
| even in 2024. Please use a Primary Password if you are
| storing passwords in Firefox.
|
| https://support.mozilla.org/en-US/kb/where-are-my-logins-
| sto...
| sublimefire wrote:
| Browser password managers and their related files are the
| usual targets of the sophisticated malware creators. Not many
| people use good master passwords either if any.
| twilo wrote:
| Is the Firefox one better than the one Edge has? I've been
| using that for a while and it seems quite good overall.
| odo1242 wrote:
| It's not end-to-end encrypted (if you enable account sync),
| so Microsoft can technically see your passwords. Feel free to
| switch or not switch based on that information.
| notpushkin wrote:
| Firefox isn't end-to-end encrypted either anymore, IIRC.
| odo1242 wrote:
| It still is, as is all Firefox Account data
| morsch wrote:
| They say it is: https://support.mozilla.org/en-US/kb/sync
| notpushkin wrote:
| I stand corrected! https://support.mozilla.org/en-
| US/kb/reset-your-firefox-acco...
|
| > Mozilla accounts uses your password to encrypt your
| data (such as bookmarks and passwords) for extra
| security. When you forget your password and have to reset
| it, this data could be erased. To prevent this from
| happening, generate your unique account recovery key
| before forgetting or resetting your password.
| throwuxiytayq wrote:
| Does the FF password manager still irrecoverably nuke your
| password with no versioning/undo when you accidentally or
| intentionally use the "forget this website" option in the
| history panel?
| Ayesh wrote:
| I used Firefox password manager for years, and moved to
| Bitwarden for:
|
| - Passkey syncing
|
| - Bitwarden on Android works properly, compared to Firefox's
| dedicated password app that's abandoned.
|
| - TOTP support (to use with some apps I don't want the
| strongest security)
|
| But you are maybe right, if the only browsers you use are
| Firefox desktop/mobile.
| ezst wrote:
| What finally brought me to using BW was that I simultaneously
| needed to backup/sync my TOTPs across mobile/desktop devices,
| and came to have the need for sharing an increasing number of
| passwords with my SO. It delivered beautifully on all of that.
| CaptainNegative wrote:
| This isn't an area I know much about, but wouldn't there be a
| security risk involved with storing the TOTP seeds alongside
| the passwords? Or is that not a real concern?
| 3np wrote:
| It's a valid concern. Especially if you use the same BW for
| password and TOTP for the same service, you've effectively
| reduced 2 factors to 1. If you really must sync both your
| TOTP secrets and your passwords, those should be completely
| separate systems.
| ezst wrote:
| Totally correct, the lame excuse being that it didn't make
| the situation worse for the reason that those factors were
| anyway authenticated using the same device previously
| already. But at least I am now in much less trouble in case
| this device gets lost/broken/stolen/...
| SPBS wrote:
| Built-in password managers don't work across apps. They only
| work for the browsers they're built into.
| conradev wrote:
| It's also the only browser that doesn't support Passkeys yet :(
| frenkel wrote:
| Does it support sharing passwords with family members?
| Yodel0914 wrote:
| This (along with syncing on iOS) is what made me switch from
| `pass` to Bitwarden. Password sharing (and self-hosting sync
| with vaultwarden) are killer features for me.
| techwizrd wrote:
| I'm glad that Bitwarden moved quickly to resolve this. At least
| for me, Firefox's password manager isn't really a replacement.
| Bitwarden is approved by my employer, self-hostable, and
| supports logins for the litany of apps across my browsers and
| mobile devices. Whether it's the mobile app, mobile website, or
| site in my browser, Bitwarden just works for the most part.
| It's also quite nice that Bitwarden can store arbitrary
| information like CCs, secure notes, and how I capitalized the
| answers to security questions and other account recovery/login
| information.
| ValentineC wrote:
| > _It's also quite nice that Bitwarden can store arbitrary
| information like CCs, secure notes, and how I capitalized the
| answers to security questions and other account
| recovery/login information._
|
| +1. I use my password manager (currently 1Password, but I
| have been looking at self-hosting Bitwarden/Vaultwarden) more
| for storing credit card information and security questions.
|
| Most built-in password managers don't cut it on that front.
| psd1 wrote:
| It's more than self-hostable!
|
| There's at least one API-compatible alternative (vaultwarden)
| which works with the official client.
|
| Yay to breaking down walls.
| seabrookmx wrote:
| Vaultwarden is great! I've been running it for years (since
| it was bitwarden-rs) on a free-tier GCP VM. I use a cronjob
| to back up the DB to Backblaze B2 with rclone.
| trinsic2 wrote:
| Is Bitwarden only for personal use? Do they have a solution
| for Multi-use password sharing?
| leshenka wrote:
| in Vaultwarden you can have "organizations" that are like
| groups of people and you can have passwords there that are
| accessible by members
|
| No idea how this maps into Bitwarden's own offerings though
| but all clients support this kind of thing
| spiffytech wrote:
| The downside is you can only share to other users on your
| Vaultwarden instance. You can't e.g., set up emergency
| sharing to family members who use cloud Bitwarden.
| leshenka wrote:
| well this is true the other way around
|
| BW clients support having several accounts at once so
| you're not forced to choose. Your family can have a
| regular bitwarden.com account and your vw.example.com
| account just for emergency access
| bloopernova wrote:
| Yes, my wife and I each have our own bitwarden account, and
| an "organization" where shared passwords go. It's worked
| great for quite a few years now.
| elric wrote:
| I recommend Bitwarden family plans to non-technical people.
| It's pretty user friendly, and you can give people emergency
| access. A couple of recent deaths in my life have made me
| painfully aware that this is something that many people really
| need.
| bloopernova wrote:
| Gen X and boomer techies are getting older.
|
| It's kind of funny to see how gen x in particular deals with
| aging. For example, menopause memes as gen x women hit
| perimenopause. We're supposed to be all nonchalant and
| cynical, and it's interesting to see those attitudes hit the
| immovable object of aging.
| xnzakg wrote:
| I actually switched from Firefox's password manager to
| Bitwarden. There used to be a bug on Android where the autofill
| button sometimes would stop doing anything.
| sph wrote:
| > the built-in password manager in Firefox is too good
|
| Too good in what way that according to you "normal" people
| shouldn't be using Bitwarden? Or do you just like the Firefox
| one but are overselling it a bit too much?
|
| I use Firefox, but I do not trust the Mozilla products.
| Bitwarden costs me $10/year so I wonder what is so amazing and
| groundbreaking about Firefox password sync, and does it work
| across browsers?
| ahiknsr wrote:
| > Unfortunately, I no longer recommend Bitwarden for normal
| people because the built-in password manager in Firefox is too
| good.
|
| I use both Bitwarden and Firefox and I would strongly encourage
| everyone to not use the password manager in Firefox. Do you
| know the tab sync across devices is broken in firefox? It was
| broken since Aug 24 and it is still not fixed
| https://bugzilla.mozilla.org/show_bug.cgi?id=1913795 . If they
| can't sync tabs across devices, i wouldn't trust them to sync
| my passwords.
| digital_voodoo wrote:
| Interestingly, password syncing is one of the most reliable
| things I've seen Firefox doing during the last years. If you
| don't even have to think about it, that means it "just works"
| Anunayj wrote:
| Can someone also comment on how secure the built-in password
| manager in Firefox is to unsophisticated malware attacks that
| simply copy your browser extension data and such. Compared to
| bitwarden which requires a password to unlock it, and as I
| understand stores everything encrypted on disk.
| slightwinder wrote:
| If you don't use a master password, it's unsafe. And even
| with master password, I vaguely remember it's not that safe
| either, but that might be outdated info.
|
| This was going around the last days:
| https://github.com/Sohimaster/Firefox-Passwords-Decryptor
| vitro wrote:
| > because the built-in password manager in Firefox is too good
|
| If only they could add labels to the name/password combination.
| I have several accounts stored for a website, with generated
| gibberish logins that I cannot change and sometimes it takes me
| multiple tries to get to the correct account.
|
| Also, sometimes a site has two password fields - two secret
| codes - and for this usecase the password manager doesn't work
| very well either and remembers only one field.
|
| Other than that, I love how it just works, you add a password
| on one device and have it seamlessly available on the other
| with a very little setup. It's a nice experience.
| vitro wrote:
| > have several accounts stored for a website
|
| Another usecase for named logins are those multiple routers
| that you administer for your friends and family that all have
| http://192.168.1.1
| Shorel wrote:
| > Unfortunately, I no longer recommend Bitwarden for normal
| people because the built-in password manager in Firefox is too
| good.
|
| I don't doubt the quality of Firefox's password manager, or
| your honesty.
|
| But normal people just don't use Firefox.
| blendergeek wrote:
| Normal people don't use Bitwarden either. And I suppose I
| don't know any normal people which isn't too surprising.
|
| Normal people use Apple's built-in password manager.
| kwanbix wrote:
| The problem with the Firefox (or Chrome) password managers is
| that they only work on their browsers. Bitwarden works on any
| browser, on windows, macos, linux, ios, android.
| wrasee wrote:
| If Mozilla released a separate passwords app so you could
| manage and access your passwords outside of Firefox I think the
| two would be more comparable. That would promote your passwords
| as part of your Mozilla account, not just Firefox.
|
| Bitwarden excels here, and I think is the model to beat.
| However, Mozilla would have the advantage since their browser
| integration would essentially be built-in and first class.
|
| Otherwise, unless you use Firefox exclusively for everything I
| just don't think a single browser is the right place to manage
| passwords. I would say that's true even for a broad audience,
| given the importance of passwords and security in the modern
| age.
|
| Bitwarden is also nice in that you can "lock" access to your
| passwords while keeping the browser open. That way, for the 99%
| of the time you're just browsing the internet you essentially
| don't have access to all your passwords "open". The last time I
| looked at this I had to enter my master password on opening
| Firefox, even if I didn't need access to my passwords. That
| meant that "unlocking your vault" is essentially tied to
| opening the browser. That alone was enough for me to bail on
| it.
| greensh wrote:
| there used to be an android/ios app by mozilla called
| lockwise which did exactly that iirc.
| https://support.mozilla.org/en-US/kb/end-of-support-
| firefox-...
| wrasee wrote:
| Ah yes I remember that now, I had forgotten about that!
|
| Funny, especially now that I see Apple are now going the
| other way with a dedicated "Passwords" app on iOS 18 and
| macOS 15. And for Apple to do this - against their instinct
| for featureless simplicity and implicit integration - to
| give passwords their own "shop front" as a dedicated app I
| think really does acknowledge the first-class importance
| that passwords now have, even for a broad audience.
|
| It's a shame as I think Mozilla could really compete well
| in this space. They are both cross-platform, have their
| own browser and have a good reputation on privacy.
| It's a killer combo. Bitwarden is evidence you can make it
| work and you don't need massive big-tech budgets to make a
| difference.
| openopenopen wrote:
| > If Mozilla released a separate passwords app so you could
| manage and access your passwords outside of Firefox I think
| the two would be more comparable
|
| They used to have one called LockWise
| https://support.mozilla.org/en-US/kb/end-of-support-
| firefox-...
| t0bia_s wrote:
| Syncthing android app is not developed anymore. Hopefully
| syncthing-fork will be.
|
| https://old.reddit.com/r/Syncthing/comments/1g7zpvm/syncthin...
| alerighi wrote:
| I think that the Firefox password manager is good, however,
| relying on the browser is a terrible form of vendor lock-in.
| You need to use another browser (for any reason), you also need
| to switch password manager. Also, Firefox on Android is not
| great, and Bitwarden has a better integration.
|
| Finally, Bitwarden (the paid version) also manages passkeys
| and OTP codes, the Firefox password manager does not.
| klabb3 wrote:
| I use both, and I agree, even if I'm very happy with Firefox.
| There are lots of apps outside of browsers that need
| passwords. It's very common these days. Besides, does it
| support passkeys? That's getting increasingly common as well.
| slightwinder wrote:
| > I no longer recommend Bitwarden for normal people because the
| built-in password manager in Firefox is too good
|
| I wouldn't say it's good, but it does its job, if you can live
| with the insecurity and limitations. It's very comfortable,
| which is the only reason I'm still using it over KeePass and
| Bitwarden. KeePass has no reliable browser integration, and
| Bitwarden is hard to selfhost. Firefox password manager is just
| there, always works, syncs without hassle, usability at its
| peak (for this job).
| seabrookmx wrote:
| Have you tried vaultwarden (formerly bitwarden-rs)?
|
| It's trivial to self host. I've been running it in a GCP free
| tier VM for years.
| jasode wrote:
| > _I no longer recommend Bitwarden for normal people because
| the built-in password manager in Firefox is too good._
|
| But a lot of "normal people" actually need a _secrets manager_
| which is larger in scope than just a "websites urls passwords
| manager". This means a password manager _with extra metadata
| fields_ for users to add notes, associated email aliases, etc.
| E.g. if a website has an extra step of _"Confirm your identity
| by answering this question: What was your childhood pet's
| name?"_, users want a place to save the answer ("BugsBunny") in
| the "notes" field of a password manager. Another example would
| be the secret PIN unlock code for the spouse's phone. That's
| not a website url, it's just a "secret" that needs to be stored
| in an encrypted file.
|
| Firefox password manager is too bare-bones with the only 2
| fields being "Username" & "Password".
|
| The better UI/UX for normal people is to have a _unified app to
| store all their secrets_ instead of having some secrets in the
| Firefox password manager and other non-web-url secrets saved
| separately in yet another app.
| cryptos wrote:
| I completely agree with you! Almost everyone needs to store
| more than only usernames and passwords for websites. Think of
| PIN for credit cards and the like.
| qwertyuiop_ wrote:
| This ^ passwords just don't live in Firefox when you are
| using apps that need passwords across platforms (mac ios
| windows) and apps. This is where Bitwarden shines.
| jvdvegt wrote:
| I don't know about iOS, but Firefox syncs my passwords
| between my Linux machine and Android phone just fine.
| PawgerZ wrote:
| Bitwarden also stores authenticator keys for MFA and
| passkeys. The custom fields, notes section, and attachments
| are invaluable to me as well.
| socratics wrote:
| Absolutely, everyone I recommend BW to appreciates the notes
| feature as well - it's handy to have a place to jot down
| important things that aren't log-ins!
| ants_everywhere wrote:
| Given that Mozilla just acquihired a bunch of Meta advertising
| execs, I think the prudent plan would be to cautiously
| diversify away from putting sole trust in Firefox.
| angra_mainyu wrote:
| For me, the reason bitwarden is excellent is sharing account
| login data with my family (I have an org account w a few
| members) for next to no money / year.
|
| Also, I regularly hop between 3 machines + a personal phone and
| a work phone, and I love being able to have access to my logins
| + secure notes across all 5 devices.
|
| All for the cost of a coffee/month.
| pmontra wrote:
| What if you want to use a password where you don't have Firefox
| installed or from somebody's else computer?
|
| The same applies to the password manager any other browser.
|
| I carry with me my keepass db inside my phone and I can use it
| anywhere at any time.
| rnewme wrote:
| I enjoy Encrypted Fossil SCM instance (encryption over sqlite
| extension)
| Klaphark wrote:
| All the browser password managers are not really secure enough
| and give a false sense of security.
| BrandoElFollito wrote:
| > because the built-in password manager in Firefox is too good
|
| I just checked it and it looks really basic, right? No OTP, no
| multiple URLs, no special URL matching?
|
| Where is its "goodness" (I may have missed something entirely)
| SV_BubbleTime wrote:
| > built-in password manager in Firefox is too good.
|
| lol, sorry but this is a ridiculously narrow opinion and
| wouldn't even apply to my SO and me as a two person team.
|
| Hmm, maybe I want my passwords on my phone?
| AzzyHN wrote:
| I don't know why people are saying this is a bad thing.
| crossroadsguy wrote:
| Similarity to past experiences of start of the declines of
| service/apps.
| Capricorn2481 wrote:
| What app got worse after going open source that you're
| thinking of?
| crossroadsguy wrote:
| > after going open source
|
| I wasn't thinking that at all. BW started as open source
| afaik.
| alt227 wrote:
| It's not 'going open source' as they were always open
| source, it's a change of license.
|
| Plenty of other products started slipping downhill after
| management saw a need to change the license. Why else would
| you change your license terms if it's not to then be able to
| change your business practices down the road?
| 3np wrote:
| Choosing GPL over AGPL for this kind of project combined with
| the previous recent CTO messaging is very telling if you
| consider the architecture of the software(s).
| wmf wrote:
| Telling what?
| jgauth wrote:
| This update is great news. I was disappointed to see the issue
| that got raised last week, and I had started to consider looking
| for alternatives. I'm going to assume an honest mistake on their
| end and keep recommending their product. However, if they make a
| similar move again, I will assume the worst and move on.
| ValentineC wrote:
| To be fair, Bitwarden clients are mostly GPL and can be forked,
| and there's Vaultwarden for self-hosting.
|
| We just need to rally together a community that would maintain
| such a fork.
| ferbivore wrote:
| The iOS client can never be meaningfully forked, ironically
| due to the GPL. If Bitwarden goes fully hostile that's lost
| forever.
| ValentineC wrote:
| I don't understand; isn't the repo licensed under GPL?
|
| https://github.com/bitwarden/ios?tab=GPL-3.0-1-ov-file
|
| Is proprietary config required to build the IPA file?
| shelled wrote:
| BitWarden has lost the trust. Besides recently there was a
| blocker bug on iOS and on Reddit I found out it happened earlier
| as well. They didn't even want to debug it and when I suggested
| this and asked whether they have any issue logged on Github where
| I could provide logs they went radio silent. Follow ups went
| completely unanswered. And yeah before that they had given a
| solution (because reinstall/re-login nothing had worked) - export
| your data, delete your account, create the account again, and re-
| import your data - that "should" work. Honestly it was worse than
| "restart your computer".
|
| I guess it's time for another FOSS player here. It's fine, such
| things are cyclical I guess. Happened to Lastpass and Authy and
| someday it will happen to Ente and 2FAS and so on.
| Capricorn2481 wrote:
| > BitWarden has lost the trust. Besides...
|
| I'm confused what you're responding to. You're making it sound
| like this was a bad decision and your anecdote was another
| thing for the pile, but this is a good decision.
| hnbad wrote:
| Someone else linked the GitHub issue that triggered this
| change and most of the replies are in the same tone as the
| comment you're responding to.
|
| Which is all the more ridiculous as this looks like it wasn't
| really a big license change decision but more of a "forgot to
| change the license on a component from our internal default".
| Assuming malice seems like the most boneheaded reaction to
| this given that there are no other indications Bitwarden was
| trying to do anything nefarious and the previous license
| state would have made every single library or tool depending
| on it non-free.
|
| This is different from criticisms of Mozilla for example
| which often boil down to "Mozilla positioned itself as
| privacy-focused but adds a privacy-violating feature you have
| to opt out of while claiming it's actually fine". Bitwarden
| never was 100% FLOSS to begin with but introducing downstream
| license problems is clearly against their own interest.
| Unless you believe Bitwarden is run by evil idiots who do
| evil things for no good reason (business or otherwise)
| whatsoever and then quickly cover their tracks only when
| called out, "oops" is the only explanation that passes the
| sniff test.
|
| Here's what someone from Bitwarden said in that issue:
|
| https://github.com/bitwarden/clients/issues/11611#issuecomme...
|
| I think the submission should be rephrased as "Bitwarden SDK
| fixed license of sub-component" or something. Which of course
| sounds less bold and interesting and newsworthy because it
| really isn't.
| kuschku wrote:
| > forgot to change the license on a component from our
| internal default".
|
| https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...
|
| > Additionally, one thought that came to mind in evaluating
| this that might make this not possible is that our rust
| SDK, a dependency, is not published under an OSS license.
| See https://github.com/bitwarden/sdk . I assume that is a
| problem that might disqualify us from the main [fdroid]
| repo still.
|
| https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...
|
| > At the moment, there are no plans to adjust the SDK
| license.
|
| Doesn't sound like a mistake:
|
| https://github.com/bitwarden/sdk/issues/898#issuecomment-222...
|
| > There are no plans to adjust the SDK license at this
| time. We will continue to publish to our own F-Droid repo
| at https://mobileapp.bitwarden.com/fdroid/repo/
| hnbad wrote:
| > [O]ur goal is to make sure that the SDK is used in a
| way that maintains GPL compatibility.
|
| This does, though:
|
| https://github.com/bitwarden/sdk/issues/898#issuecomment-242...
|
| It seems they reconsidered after the change impacted
| their F-Droid release. They've always been Open Core not
| fully Open Source so the SDK not being OSS isn't
| surprising. It just seems like they didn't think about
| the consequences of integrating a non-OSS SDK into their
| OSS clients.
|
| Your first quote actually explicitly says that this
| incompatibility only became apparent after the fact:
|
| > one thought that came to mind in evaluating this
|
| So, yeah, a mistake although it's not so much they
| "forgot to change the license" but didn't consider which
| license it should use and stuck with the default.
|
| > There are no plans to adjust the SDK license at this
| time
|
| This doesn't mean it was an intentional choice or well
| thought out. It would have been pretty stupid to say
| "yeah, we actually just went with proprietary because
| it's the internal default and didn't think about the pros
| and cons of keeping it that way" so in lieu of wanting to
| make a decision then and there or signaling radio
| silence, that's just a standard corporate non-answer.
| Always42 wrote:
| I have been using bitwarden for some time, and actually pay for
| it because i like it so much. should i switch?
| nocoder wrote:
| What would be a good way to backup the passwords stored in
| Bitwarden? I am worried that someday suddenly bitwarden could
| stop working and I will lose access to all the stored passwords?
| Should I have a physical copy of all the passwords stored in a
| vault at home?
| s2l wrote:
| Desktop: keepass variants.
|
| Android: Keepass2 android.
|
| Use syncthing to stay in sync.
| cja wrote:
| How to use Syncthing on Android now that the app has gone?
| TheFreim wrote:
| There is a fork: https://github.com/Catfriend1/syncthing-android
| s2l wrote:
| For this type of data, preference could be toward fully
| open source stack (i.e. fdroid, etc).
|
| Another thing I recommend is to enable versioning on
| syncthing for the database. This way accidental changes can
| be reverted easily.
| nichos wrote:
| Export your BW vault and import it into KeePass. Then store
| that file somewhere safe.
| fy20 wrote:
| If you have some sort of home server, I'd recommend hosting
| vaultwarden (an open-source implementation of the BitWarden
| server). It works fine with the official apps. Their enterprise
| model requires a standard API, so it's not going to break
| anytime soon.
| beAbU wrote:
| This does not take the need for separate backups away though.
| In fact, I'd argue it makes it even more important to
| maintain a 3-2-1 backup of your vault.
|
| Running vaultwarden on a home server is one small disaster
| away from losing everything. Homelabs typically don't enjoy
| the same level of protections and redundancies compared to a
| commercial DC.
| Happily2020 wrote:
| The simplest way of doing this would be to export your
| bitwarden vault in plaintext (as a json or csv) and then store
| it as a password protected zip file.
|
| This should be easy to encrypt and decrypt on all operating
| systems, and would make it easy to move your vault to a new
| password manager.
| hexfish wrote:
| Frankly I would worry about that with any third party that
| holds my data. There are a few Bitwarden exporters on Github
| that also account for attachments (something the builtin
| exporter doesn't for some reason).
| aae42 wrote:
| BW synchronizes all your data on each client... if you logged
| in before, and your server goes down, you can still log in to
| a recent client, it just won't be able to update
|
| you could recover from that
| palata wrote:
| I personally went (a year ago) to pass:
| https://www.passwordstore.org/.
|
| It just creates a git repository that I can back up wherever I
| want.
| jannes wrote:
| You can do JSON exports within the apps. But careful, all your
| passwords are unencrypted in the JSON.
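An added check for the backup procedure discussed above (exporting the vault as plaintext JSON and packing it into an archive, and the warning that the JSON export holds every password in the clear). This is example code written for this page, not Bitwarden's own tooling. It assumes the export layout of a top-level "encrypted" flag (plus "passwordProtected" for password-protected exports) and, for plaintext exports, an "items" list whose entries carry a "login" object, "notes" and custom "fields"; the sample export embedded in the block is constructed, and the flag bit it reads from the ZIP headers is the standard "encrypted entry" bit.

```python
"""Audit a Bitwarden-style JSON vault export before and after packing it into a
backup archive. Constructed example, not Bitwarden's code; the export field
layout (top-level "encrypted"/"passwordProtected", "items" with "login",
"notes" and "fields") is assumed from the export formats and may need adjusting.
"""
import io
import json
import zipfile

# General-purpose flag bit 0 in a ZIP entry header marks the entry as encrypted.
ZIP_ENCRYPTED_FLAG = 0x1


def classify_export(text):
    """Classify one export document and count the secrets stored in the clear."""
    doc = json.loads(text)
    if doc.get("encrypted"):
        # Password-protected exports can be restored anywhere; account-restricted
        # ones are tied to the exporting account's key (assumed flag semantics).
        kind = "password-protected" if doc.get("passwordProtected") else "account-restricted"
        return {"kind": kind, "items": 0, "plaintext_secrets": 0}
    count = 0
    items = doc.get("items") or []
    for item in items:
        login = item.get("login") or {}
        count += sum(1 for k in ("password", "totp") if login.get(k))
        if item.get("notes"):  # free-text notes are also readable
            count += 1
        # custom fields: type 1 is assumed to be a hidden (secret) field
        count += sum(1 for f in item.get("fields") or []
                     if f.get("type") == 1 and f.get("value"))
    return {"kind": "plaintext", "items": len(items), "plaintext_secrets": count}


def audit_zip_backup(archive_bytes):
    """Inspect a ZIP backup. The backup is safe only if every entry is encrypted
    at the ZIP layer or is itself an encrypted Bitwarden export."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            zip_encrypted = bool(info.flag_bits & ZIP_ENCRYPTED_FLAG)
            entry = {"name": info.filename, "zip_encrypted": zip_encrypted,
                     "kind": "unknown", "plaintext_secrets": 0}
            if not zip_encrypted and info.filename.endswith(".json"):
                report = classify_export(zf.read(info).decode("utf-8"))
                entry.update(kind=report["kind"],
                             plaintext_secrets=report["plaintext_secrets"])
            entries.append(entry)
    safe = all(e["zip_encrypted"] or e["kind"] in ("password-protected", "account-restricted")
               for e in entries)
    return {"safe": safe, "entries": entries}


def make_zip(name, text):
    """Build an in-memory ZIP; the standard library can only write unencrypted entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample exports (values are placeholders, not real credentials).
SAMPLE_PLAINTEXT_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"type": 1, "name": "example.test", "notes": None,
         "login": {"username": "alice", "password": "correct horse",
                   "totp": "otpauth://totp/example?secret=CONSTRUCTED"}},
        {"type": 2, "name": "Spouse phone PIN", "notes": "PIN 0000 (constructed)",
         "login": None, "fields": [{"name": "pin", "value": "0000", "type": 1}]},
    ],
})

SAMPLE_ENCRYPTED_EXPORT = json.dumps({
    "encrypted": True, "passwordProtected": True, "salt": "c2FsdA==",
    "kdfType": 0, "kdfIterations": 600000,
    "encKeyValidation_DO_NOT_EDIT": "2.placeholder", "data": "2.placeholder",
})


def main():
    print(audit_zip_backup(make_zip("vault.json", SAMPLE_PLAINTEXT_EXPORT)))
    print(audit_zip_backup(make_zip("vault.json", SAMPLE_ENCRYPTED_EXPORT)))


if __name__ == "__main__":
    main()
```

Two points the block makes concrete: a plaintext export zipped without a password is just as readable as the JSON itself (compression is not encryption, and Python's `zipfile` cannot write encrypted entries at all), and the classic password-protected ZIP scheme (ZipCrypto) is weak, so an AES-encrypted archive or Bitwarden's own password-protected export is the better thing to put in cold storage.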
| RyeCombinator wrote:
| Can somebody ELI5?
| wmf wrote:
| AFAIK they went closed source the other day which triggered
| backlash and now they're opening back up.
| jth1 wrote:
| My understanding is they were never closed source. Some of
| their code is GPL and some is proprietary, but all is source-
| available on GitHub. There was a bug where you couldn't build
| their client without a proprietary dependency, but they have
| fixed that so you can now build their client with only GPL
| code again.
| palata wrote:
| I don't think it was a bug. They dismissed it and clearly
| said that they had no intention to adjust the license:
| https://github.com/bitwarden/sdk/issues/898.
| renewiltord wrote:
| To be honest, it looks like he just had an internal model
| of "internal code no gpl", "external code gpl" and
| mindlessly answered based on that. The fact that it made
| the latter impossible seems to have been successfully
| impressed on him.
|
| Overall, I'll stay a Bitwarden customer. People fuck up
| and I'm a tit-for-tat-with-random-forgiveness tactic
| user, not grim-trigger.
| palata wrote:
| I could accept that he doesn't understand how open source
| licenses work, or doesn't care, and that it was not meant
| as a shady move. But still I wouldn't call it a bug, and
| it does not inspire confidence. Still it's not LastPass-
| bad.
|
| This said, I still recommend Bitwarden to my family. I
| moved to pass (https://www.passwordstore.org/) a while
| ago just because it corresponds better to my needs and I
| have more control.
| chx wrote:
| People are dicks to one of the last companies which operate in
| a transparent manner and open source their product.
|
| There was a bug, it got fixed. Nothing to see here, move along.
| palata wrote:
| This doesn't look like a bug:
| https://github.com/bitwarden/sdk/issues/898
| aussieguy1234 wrote:
| I started using BitWarden as my main password manager after the
| LastPass security breaches.
| powersnail wrote:
| It's a welcome change. It still feels like they are trying to be
| too smart on licensing, especially how to combine GPL and
| proprietary licensed code, which I think is the root cause of the
| whole drama. The open core model works better as a hosted
| service, where you are not distributing the amalgamation of GPL
| and proprietary. Open core in client code seems a bit too rife
| for potential misunderstandings and confusions.
|
| Hope it works out for them, though. It's a good product.
| amszmidt wrote:
| Not entirely there yet ... Some parts have been re-licensed,
| some have been licensed under the old non-free software SDK
| license. E.g.,
|
| https://github.com/bitwarden/sdk-internal/commit/db648d7ea85...
| ferbivore wrote:
| The non-GPLv3 bits are for their separate Secrets Manager
| product. It doesn't look like that's advertised as open-source.
| Bitwarden has always been open-core and not fully GPLv3, and
| that seems understandable; they need something to sell after
| all.
| rochak wrote:
| No good thing ever lasts, especially in the world of tech. So,
| I'll be sticking with Bitwarden until they somehow eventually
| fuck it up and something else takes its place.
| crossroadsguy wrote:
| What will be ideal is a FOSS competitor. At least in the personal
| usage segment. Until they also start looking at big money
| and enterprise/professional (which is fine), then another
| competitor will come in. As long as the chain of export-import-
| export doesn't break.
| petterroea wrote:
| Thank you Bitwarden for listening. This kind of stuff gives me
| hope for the business model of Open Source.
| mbix77 wrote:
| Such a pity they are starting to try to move to proprietary
| model. I have been using them for years. I thought they were
| different than other "open-source" companies (e.g. Redis).
|
| What are the alternatives for an open-source cross-platform
| password manager? Anybody has used Vaultwarden already?
| tmpfs wrote:
| We have been working on an open-source, cross-platform
| alternative called SOS[1]. The source code is on github[2] and
| includes a self-hostable server for syncing. It is well
| documented[3] for those that want to build on top of it.
|
| Would love your feedback if you can take it for a spin!
|
| [1] https://saveoursecrets.com/
| [2] https://github.com/saveoursecrets/sdk
| [3] https://docs.rs/sos-sdk/latest/sos_sdk/
| chx wrote:
| No, they are not. They have a separate product which is closed
| source and there was an accidental mixup between the
| dependencies of the two. They fixed it quick. As I posted
| repeatedly in this issue: we need to be much much more lenient
| and supportive of one of the very few companies which still
| try. If this is the support they get why would anyone else even
| bother?
| ferbivore wrote:
| This was not an accidental mixup. Have you actually read the
| previous issue threads? Their stance was that "there are no
| plans to adjust the SDK license" before the backlash.
| NicuCalcea wrote:
| I've been using KeePass (mostly through third-party clients)
| for years and never saw a reason to switch to anything else.
|
| It doesn't sync between devices by default, but I see that as
| an advantage, you can use a cloud provider like Dropbox, your
| own server, FTP, Syncthing, whatever you're comfortable with.
| itfossil wrote:
| Nice to see Bitwarden make a course correction here. I wasn't
| looking forward to switching to another password manager, so I'm
| quite happy.
| ryukafalz wrote:
| Yeah, likewise. I'm a Bitwarden subscriber but I'd been looking
| into alternatives recently because of the licensing kerfuffle.
| But switching password managers is a pain, so I'm glad to not
| feel like I have to now.
| creesch wrote:
| Are there other alternatives that are 1) open source 2) offer
| the same integration to begin with and finally 3) have been
| audited or are popular enough to be under constant scrutiny?
|
| There is of course the KeePass ecosystem, but that is why I
| included my second point, as with KeePass you are responsible
| for vault syncing, having clients for all platforms, etc.
|
| I suppose that it is good to be aware of other options. At
| the same time, jumping ship so easily also doesn't seem
| realistic or ideal behavior to me.
| Glazui wrote:
| I've recently learned about PassBolt, but it doesn't meet
| criteria 3 I'm afraid
| KPGv2 wrote:
| The audited part is going to be tough to meet because it's
| a very niche skill people generally won't do constantly for
| free.
| zie wrote:
| I have no affiliation, just found them this week, but
| https://psono.com/ exists. So 1 and 2 are met and 3 is
| half-way there maybe? It's a self-audit but they have been
| around a while. Apache2 licensed.
|
| Again, I literally found them the other day, and other than
| a cursory check to make sure the UI/UX is friendly enough
| to compete with BW or 1P, I haven't had a chance to look
| through their code at all yet. I have no idea if the
| promises they document are met.
| chickahoona wrote:
| Hi, Sascha here, the main developer behind Psono. Psono
| has been audited multiple times so far, usually on a
| yearly basis. The last one here
| https://psono.com/blog/security-audit-2024 (you will also
| find a link to the audit itself)
| g19fanatic wrote:
| I use the keepass ecosystem with app.keeweb.info. It's an
| open source webclient that can directly pull from your
| google drive (and other places!). I use a google drive
| through keeweb for syncing, 2 clicks and it's synced. Auto
| pulls when past pw.
|
| keepass works in browser (how I use it on a computer), can
| work offline (which is good in air-gapped instances, one of
| my reqs) and works directly on my android phone without
| issue.
| creesch wrote:
| It is actually sort of how I used it as well, though
| through nextcloud. It did still remain a hassle. It also
| requires all different apps to be maintained and equally
| safe.
|
| Keeweb for example has not had an active maintainer since
| 2022 https://github.com/keeweb/keeweb/issues/2022
| WD-42 wrote:
| https://www.passwordstore.org/
| hedora wrote:
| I decided that vaultwarden should not have an internet
| accessible port. Are there any that meet those requirements
| and also let you (reliably!) edit/create passwords when
| offline?
|
| Also, sometimes the bitwarden client decides to blow away
| my local copy of the password database. I'd like it to
| store it persistently on all machines so I have to lose my
| phone, my laptop, my vaultwarden server and its two backups
| before I get locked out of everything.
|
| Currently, the phone + laptop don't count as backup copies.
| BrandoElFollito wrote:
| > I decided that vaultwarden should not have an internet
| accessible port
|
| So how does your browser extension work when outside your
| LAN? via Tailscale or similar VPN mesh? And for people
| who use it outside of the LAN entirely?
| hedora wrote:
| The app (and iOS keyboard integration) degrades to read
| only mode. It works about 95% of the time. I'd rather it
| work 100% of the time, and be read-write.
|
| I don't run the browser extension. (There have been too
| many other password managers with exploitable password
| bugs.)
| sirdvd wrote:
| Switching is decisively a pain. But apparently this episode
| was what I needed to start looking seriously into
| VaultWarden.
| horsawlarway wrote:
| Huge VaultWarden fan here. It's been running absolutely
| unattended for about 3 years from a machine in my basement
| now, and it's great.
|
| I back things up fairly often, but otherwise I would have
| no idea I'm not just using the enterprise grade Bitwarden
| license. Things just work, features are there.
|
| Side-note - VaultWarden is incredibly reliable for a self-
| hosted free solution (I have 1 pod restart 27 days ago due
| to a power outage, but otherwise it basically does not fall
| over. No memory leaks, no high cpu consumption, no
| reliability problems)
| idonttalkenough wrote:
| Tacking onto this comment as another thumbs up for
| vaultwarden. "incredibly reliable" is exactly the way to
| describe it, in the world of tech headaches the password
| manager is the last thing you want to be worrying about
| and I can say with confidence that vaultwarden is a
| reliable well-oiled machine.
|
| Backups are also fairly easy so if need be a DR can be
| done (and automated) with very little hassle. The
| vaultwarden backend does depend upon the bitwarden apps
| for client devices but also features its own web UI.
| cmeacham98 wrote:
| Your comment was marked dead FYI, I vouched for it.
|
| Normally this would mean you are shadow banned, but I
| don't see any other comments in your history getting this
| treatment - perhaps this comment caught the ire of some
| anti-spam algorithm.
| xelamonster wrote:
| I mean it reads like ad copy, and the entire first
| paragraph takes so many words to say nothing more than "I
| agree." As comments go, I have to say I've seen better.
| Brian_K_White wrote:
| I got more out of it than this one.
| hedora wrote:
| Old versions of vaultwarden broke recently (for just
| about everyone?) due to incompatible changes on the iOS
| client.
|
| Breakage is not ideal, but here's how they handled the
| second, more subtle compatibility break:
|
| https://github.com/dani-garcia/vaultwarden/issues/5069
|
| I haven't worked up the courage / time to back up my
| database and upgrade the docker container; will probably
| get to it this weekend. However, I can't imagine using
| bitwarden with the official server (too bloated to be
| trustworthy), or with their cloud thing. I got burnt by
| lastpass. I'm not putting my passwords in a giant high-
| value target again.
| BrandoElFollito wrote:
| Same here - I just see that versions change from time to
| time (yeah I know I should do that manually but there we
| are).
|
| One thing I do not like (or, say, "miss") in
| Bitwarden/Vaultwarden is the ability to make decrypted
| backups. I run the service for my immediate family and
| would like to have access to some people's passwords (of
| course with their agreement) to make sure they are fine.
|
| A solution is to use Organizations but you cannot have an
| "organization-only account" - an account that would
| exclusively save to an organization without a private
| vault.
|
| The "solution" is to tell people to move what they save
| to such and such Org but this works fine with me,
| recently with my wife but somehow my father does not do
| it and we sometimes end up with tense moments when it is
| time to get to some accounts :)
| apitman wrote:
| Vaultwarden is great, but it's only half the equation. If
| bitwarden does go user-hostile eventually, who's going to
| fork all the client apps and extensions?
| AzzyHN wrote:
| VaultWarden is great. But I don't use it, because I trust
| Bitwarden's infrastructure more than my own, for now at
| least.
| spl757 wrote:
| KeePassXC (and I assume the other versions) can import an
| encrypted JSON Password Protected (NOT Account Restricted)
| export from Bitwarden.
|
| I use them both. I have KeePassXC for my local machine, and
| Bitwarden for things I may need out and about.
|
| With the browser plugins for both it's not that hard to
| manage them both, at least in my opinion.
|
| I was hoping to see some course correction on this from
| Bitwarden, even if the over-stated impact was really just to
| the SDK. They appear to understand the look of their
| licensing move was going to cost them more than it probably
| should have. Most companies refuse to change course at all,
| so I at least see it as encouraging.
|
| edit to fix a typo
| EasyMark wrote:
| There is little chance I'll ever move to keepassxc as that
| requires me to maintain it myself and take the chance on
| deleting something very precious. I'll stick with the cloud
| solutions for now.
| slenk wrote:
| I found psono and spun up a self-hosted instance. I may just
| try to keep them in sync for a while while this business
| fully settles
| Beijinger wrote:
| I may check it out again. But I love the commercial product
| enpass.io (I use the free version, don't need it on my cell
| phone).
| la_fayette wrote:
| We moved to passbolt and we are happy with it.
| AdmiralAsshat wrote:
| So, crisis averted?
| solarkraft wrote:
| I'm relieved. Maybe the company would have survived this somehow,
| but they sure wouldn't have been the techies' darling anymore and
| that was going to be expensive.
|
| I hope they realized that being FOSS is their moat and it nets
| them a lot of goodwill (it's the whole reason I bother with their
| not-quite-the-best product in the first place). The bold claim
| "the most trusted password manager" was kind of justifiable
| while it was FOSS (if we don't count keepass), without it not at
| all.
|
| I'm still not sure how I feel about them now. I can now somewhat
| trust that the applications will remain free software, but trust
| in the company has eroded a bit. I still haven't seen official
| communication about this.
| whimsicalism wrote:
| the gh or had official communication. it was obviously a dep
| issue blown out of proportion
| apitman wrote:
| I'm cautiously optimistic, but still concerned about the long
| term.
|
| * I just don't see how taking $100 million can be good for
| users in the long run. By far the most likely outcomes are
| bloat or enshittification.
|
| * bitwarden does not appear to be very forkable, i.e. it's a
| complex system written in C#. The existence of Vaultwarden
| helps a lot with this, but what about the client apps?
| Forkability is the second most important protection against
| user-hostile action, behind being open source in the first
| place.
|
| I hope it works out. I'm a recent adopter of bitwarden, and so
| far the UX has blown keepass out of the water.
| _bin_ wrote:
| The client apps can pretty easily be forked and maintained.
| We probably wouldn't see much feature growth but I also don't
| think we need that so much. Lots of OSS projects have been
| messed up by fundraising and communities often just fork them
| and keep them around so I'm not too worried. Besides, garbage
| features could probably just be unsupported by Vaultwarden,
| which has worked extremely well for me and been nothing but
| stable.
| EasyMark wrote:
| I hope that they keep it a password manager and don't try
| to turn it into a "security multitool" or something. I like
| it how it is. They've been careful about adding things and
| I appreciate that. If they wanted to say move from an
| electron app to a qt or tauri app I could appreciate that
| as well.
| EasyMark wrote:
| Eh it's not as good as never having the OSS'ness of it
| challenged but it also shows they're open to feedback and
| willing to reassess when customers get out the pitchforks and
| torches. It's a story as old as time.
| reptation wrote:
| I looked into Bitwarden but hard to see what it offers over Psono
| and the pricing is significantly steeper.
| aiono wrote:
| Good to see this. Bitwarden is one of the few companies that I
| actually like. And even they can disappoint when profitability
| requires it, it seems.
| funvill wrote:
| As an exercise I created my own password manager in response to
| the license issues with BitWarden last week.
|
| It's rough, but functional, an exercise not a real product, never
| expected to be a real product.
| https://github.com/funvill/FancyGorillaPasswordManager
|
| The tech is easy. Website, Browser extension, iOS, Android,
| Windows, Linux, MacOS apps done in less than a day.
|
| Gaining trust is hard; who is going to trust a random guy on the
| internet?
| Thoreandan wrote:
| The summary says "SDK relicensed from proprietary to GPLv3", but
| the linked commit puts the Bitwarden license into LICENSE_SDK.txt,
| not GPLv3. Am I missing something?
| mananaysiempre wrote:
| The change to package.json of the sdk-internal package
| indicates it's now GPL3.
|
| This comment might be more illuminating:
| https://github.com/bitwarden/clients/issues/11611#issuecomme...
| imaginebit wrote:
| Does it potentially compromise the data security?
___________________________________________________________________
(page generated 2024-10-25 23:01 UTC)