MonkderZweite,

Translation of the logos?

jackpot,

bitwarden (password manager) top, mullvad (vpn) left, tutanota (email provider) right

MonkderZweite,

Thx!

cirkuitbreaker,

One of these is Bitwarden. What are the other two?

cefditoren,

Mullvad, Tut(o/a)nata

IzyaKatzmann,

Has anyone heard of or tried buttercup? Any thoughts?

I was mulling around the idea of using KeePass but it seems to be too inconvenient. The pretty UI and cool name make me want to try buttercup.

Eufalconimorph,

KeePass + Syncthing is pretty convenient.

Buttercup looks to be using AES-CBC with PBKDF2 and no authentication, but I only took a very brief look so I may have missed important details. That’s not secure if an attacker can alter the vault file, and PBKDF2 isn’t a great KDF to use. If you use this, you definitely need a 128-bit or higher entropy passphrase (10 Diceware words). You usually want that anyway, but using a weaker string for your master password will be less secure than you expect compared to something using a modern KDF.
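
The two points in the comment above (a vault file without authentication can be altered undetected, and a passphrase needs roughly 128 bits of entropy), as an added example that is not part of the original thread and is not Buttercup's or KeePass's code. It assumes a hypothetical vault layout of `salt | iv | ciphertext | tag`, uses scrypt as the memory-hard KDF, and treats the ciphertext as opaque constructed bytes, since only the key derivation and integrity check are shown.

```python
import hashlib
import hmac
import math
import os

DICEWARE_LIST_SIZE = 7776  # standard Diceware list: 6**5 words

def diceware_bits(words: int) -> float:
    """Entropy of a passphrase made of uniformly random Diceware words."""
    return words * math.log2(DICEWARE_LIST_SIZE)

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Memory-hard KDF (scrypt) -> separate encryption key and MAC key."""
    okm = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]

def seal(mac_key: bytes, salt: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over salt | iv | ciphertext."""
    body = salt + iv + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(passphrase: str, blob: bytes) -> bytes:
    """Check the tag before any decryption; return the verified ciphertext."""
    if len(blob) < 16 + 16 + 32:
        raise ValueError("vault too short")
    body, tag = blob[:-32], blob[-32:]
    _, mac_key = derive_keys(passphrase, body[:16])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("vault modified or wrong passphrase")
    return body[32:]

def demo() -> tuple[bool, bool]:
    """Returns (intact vault verifies, modified vault is rejected)."""
    passphrase = "constructed sample passphrase"  # constructed, not a real secret
    salt, iv = os.urandom(16), os.urandom(16)
    ciphertext = os.urandom(48)  # constructed stand-in for AES-CBC output
    _, mac_key = derive_keys(passphrase, salt)
    blob = seal(mac_key, salt, iv, ciphertext)
    intact = open_sealed(passphrase, blob) == ciphertext
    modified = bytearray(blob)
    modified[40] ^= 0x01  # simulate a vault file changed on disk or in sync
    try:
        open_sealed(passphrase, bytes(modified))
    except ValueError:
        return intact, True
    return intact, False
```

`diceware_bits(10)` comes to about 129 bits, while nine words fall short of 128, which is where the ten-word figure comes from.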

IzyaKatzmann,

Thanks for the insightful response. I’m gonna spend some time searching for all those terms you mentioned because much of it is stuff I’ve only heard in passing or never heard of at all. I’ll try to find what works well enough for me. Wish me luck!

Gnubyte,

As a US consumer, I can’t use a lot of these VPNs. When you dig into how local governments are trying to break encryption in many countries overseas it makes you slow to sign up for services. The worst case would be you use a service, get invested and a few weeks later new legislation you’re not following/in the know about gets passed and some of your data is now in some foreign government’s jurisdiction more so than it was before.

It’s not that Germany or Sweden in particular do that today but I also haven’t quite looked into its bounds, if five-eyes alliance reaches them, etc. There is a lot you have to be cognizant of.

Also I like Bitwarden but Vaultwarden is the way to go; just make sure to donate/pay somehow for bitwarden if you use its clients.

pewgar_seemsimandroid,

mine is larger for sure

gvasco,

I might swap bitwarden for passbolt as it uses a more recent programming stack, although vaultwarden looks to be a good alternative too.

jelloeater85,

No love for KeePass?

fox,

Does a more recent stack translate to any real benefits?

apt_install_coffee,

Not necessarily, plenty of good programs written in C89 for example.

With something that is heavily library dependent, having a more recent development stack may mean better maintained libraries but definitely not a sure thing.

Samsy,

That mole is sus to me, I am more like into Snakedragons.

sgtnasty,

Snakedragons

I heard it was a mythical creature

revlayle,

I love Mole, Shield and Road

RootBeerGuy,

Ah, the new pokemon game that just came out.

sgtnasty,

the mole creates the tunnel for the road, and the shield is for the travelers’ protection

Mr_1077,

For anyone still using Mullvad who wants port-forwarding, I recommend AzireVPN.

Good list! I use all of them too.

pedro,

I don’t get what you mean, Mullvad supports port forwarding

Mr_1077,

According to this blog post, they don’t seem to 🙂 mullvad.net/…/removing-the-support-for-forwarded-…

cma3246,

They very recently stopped supporting it.

darcy,

keepass > bitwarden

vpn providers should be reviewed regularly

email is inherently insecure/non-private, self hosted is best

ArcticLynx,

why do you prefer keepass to bitwarden? has it better privacy or is it just a personal preference because you like the UI more for example?

radioactiveradio,

Mainly cuz it doesn’t store your passwords on someone else’s computer.

ErwinLottemann,

You can selfhost bitwarden, there’s also vaultwarden, an open bitwarden api implementation. You could host this on an internal-only server. But you also can sync your single password file with a lot of devices and use keepass, I just find that a bit annoying. You also cannot share some passwords with your relatives easily that way.

radioactiveradio,

Hey it’s fine if you trust them, it’s a very convenient service and from what I found it’s pretty secure, since there’s no way to recover logins if you forget your master pass. But i personally don’t like the idea of having passwords on someone else’s server and I’m too stoopid to set-up my own instance on a docker container server thingy. Syncthing just works for me, got GUI and everything.

ErwinLottemann,

Totally valid choice!

Rooki,

it’s more user friendly. Just a file you have to have. You can encrypt that double and triple on bitwarden nope.

darcy,

keepass is a different paradigm. it uses a locally encrypted file. many frontends for it (use keepassxc and keepassdx). dont have to rely on some 3rd party, even if they say they have e2ee. theres no better privacy (and security) for an app than not using it with the internet. im not too concerned about ui for pw manager personally, the less time i spend w it unlocked the better. only (slight) problem for me: multi device usage (i just copy the file onto my phone occasionally). general rule of thumb: if it can be selfhosted, it is best to.

i think bitwarden is the best one of its type, it comes down to your needs and threat model

Jonsk,

Idk if anyone else mentioned this but bitwarden can be selfhosted.

darcy,

good point!

king_link1,

I use syncthing to sync my KeePass file, and I highly recommend it. Very easy to set up

ArcticLynx,

I really like the cross device sync, even tho it’s a security risk of course. also, I don’t know anything about self hosting (might get into it when I got the time), so bitwarden might be the best pw manager for my requirements rn.

radioactiveradio,

It’s possible to sync keepass using syncthing, i use it that way.

KLISHDFSDF,

not on iOS, at least last I looked into it.

radioactiveradio,

Well I have both my kidneys. Edit: there’s a fork of it on the app Store called Möbius sync.

darcy,

sorry i didnt mention but yeah like the other reply says u can absolutely sync, i just personally prefer not to

iloverocks,

Many use syncthing to sync their keepass files I personally just use my nextcloud

rambos,

I trust bitwarden, but android app doesnt trust me!

Cinnamon3431,

wdym?

dzervas,

just a side note for everyone out there that uses bitwarden: you can reset your password with just your email. that means the admin can see your passwords. The only 3 upstream password managers that don’t have that “feature” are 1Password, lastpass and keepass (not counting gpg-based script in bash n friends). Lastpass is obviously a mediocre solution (too many breaches), keepass isn’t for everyone (UX). 1Password is a very solid solution and it has public security audits

I’ve got nothing with agilebits/1Password - i just use it after spending days researching (also I’m a former IT security engineer)

biscuits,

If that were true then it wouldn’t be just a side note because it would render the whole Bitwarden product useless. It’d pretty much mean that they are not encrypting passwords at all, so even worse than infamous LastPass. But as the other comment pointed out, it’s pretty much not like that.

BastingChemina,

No you can’t reset your bitwarden master password with just an email. I invite you to try and let us know how it went.

MixedRaceHumanAI,

Been using Bitwarden since it was on horrendous light blue theme, and I’m fully aware that users cannot easily reset their master password through email ever since.

Waryle,

It’s so out of context it’s almost untrue.

Bitwarden can’t find or change your password, and their admins absolutely can’t see them either.

You’re talking about the “admin password reset” feature offered to organizations (and which doesn’t concern lambdas users at all), which must be explicitly activated and which allows admins not to see our password, but to trigger a password reset with notification to the user.

Once the password has been reset, all you have to do is change it, and nobody else has access to it.

bitwarden.com/help/forgot-master-password/

bitwarden.com/help/account-recovery/

Fazoo,

Why do you trust a Germany based secure email over something like Proton? At least Mullvad is Sweden based.

Postis2,
tja,

Because in Germany we value privacy and the protection of personal data

Fazoo,

Not more than the Swiss. Germany is part of the spy dragnet. It does not offer the same level of privacy protection.

palebluedot,

Five and eleven eyes doesn’t matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws comparing to Germany? It’s all marketing bluff.

Postis2,

Yeah so true proton had to hand out information to authorities

Fazoo,

A single IP address, which would mean nothing with VPN use. Germany is literally part of the spying eyes. That is the difference here. Proton giving out one address vs the surveillance network of a NATO state?.. Lol

Postis2,

Ok? It does not matter LOL other states’ authorities can ask Swiss for information like what happened with the activist. Vpns are not private lol. You probably use your email for personal things like this lemmy account and you probably don’t use a vpn with it all the time so your email is already linked to you. Email is definitely not private and was never made to be. If vpns are so private why is tor a thing?

TimeSquirrel,

So why are my German relatives super-scared of pirating because of the government finding out, and get me to torrent all their shit for them and mail it to them on cheap hard drives?

Hubi,

Correction: It’s not the government, it’s private law firms doing this. Your IP is public when you torrent, they just have bots monitoring the most active trackers and try to extort money from the people they catch.

ErwinLottemann,

Piracy is not privacy

bappity,
sagrotan,

Sure. Ask the CCC…

whileloop,

KeePass is also a good password manager, it’s open source and you get to store the password database anywhere you like.

WtfEvenIsExistence,

Tutanota is German, which is part of the 14 eyes global surveillance network. I prefer my Switz Protonmail better.

palebluedot,

Five and eleven eyes doesn’t matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws comparing to Germany? It’s all marketing bluff.

Postis2,
jvrava9,

Selfhosting an email is very hard but I think that at the end it’s worth it

jherazob,

Until Gmail/Hotmail decides your IP is a spammer and forever you have deliverability issues from then on

jvrava9,

Interesting, is this a widespread problem? I have heard of people that host email services for years and have no problems.

NightAuthor,

It’s a worry I see posted a ton, and have been advised numerous times that email is the one thing you don’t wanna selfhost.

legios,

I self-host (postfix and dovecot) and will admit of all the self-hosted stuff I have it’s the most annoying/time-consuming to manage but doable if you’re willing to spend a lot of time reading and updating things. I wouldn’t recommend it to the vast majority of people though.

IzyaKatzmann,

I read some horror stories about folks who self-hosted for years and how they eventually quit and moved to an established email provider. It didn’t seem like something I wanted to deal with.

Do you think using one of those federated email networks where it’s invite only and between people you know would have any appreciable use cases in conjunction with an established provider? I can think of having a small org use it maybe but not between friends or family.

SmoothSurfer,

engadget.com/protonmail-climate-activist-ip-swiss…

Europol requested it. Even though you think your service is not under 14 eyes there still is gonna be many other problems.

You can always find problems with the service itself.

Fazoo,

And that proves what exactly? Swiss law required them to hand over an IP address. Swiss privacy is not absolute. They have laws. An IP address didn’t grant them access to the encrypted emails. Proton openly admits they had no idea who the user was. The activist should have used a VPN, which Proton also offers as a service, and then whatever activity trail they linked to the IP would have died at Proton’s VPN network.

reddithalation,

Protonmail then went to court, and got the law changed so it doesn’t happen again reuters.com/…/proton-wins-swiss-court-appeal-over…
