I guess I’ll be spending tomorrow figuring out best practices for self-hosting #Bitwarden’s server component (or #KeePass) on something I can safely access via @tailscale, since my 15+ year relationship with #1Password is finally catastrophically and utterly failing me.
Should I open up a Zoom as some sort of support group so we can suffer together?
For five days now, #bitwarden developers refuse to realize that the problems with their #Firefox extension are solely due to the transfer from GitHub to addons.mozilla.org. The latest version of the extension on addons.mozilla.org is half the size of the previous ones and of the GitHub version (they should be identical!): https://github.com/bitwarden/clients/issues/6286
It looks like BitWarden is following suit with 1Password and returning "uv:true" in WebAuthn authentication requests even though the user isn't prompted for anything more than to confirm the use of a passkey. The unlocking of the vault is considered the user-verifying event...
As an end user I appreciate the streamlined experience. But as an RP I'm disappointed - what if vault unlock occurred 5/10/30 minutes prior? Someone could cruise by someone's desk when the vault is unlocked and auth as the vault owner and the RP would be none the wiser 😢
It's a tough middle point that passkey providers have to try and find 🥴
As a developer the biggest irritation I have with #1Password is that it doesn't take ports into account when displaying suggested logins; so logins saved for localhost:1234 will also be displayed for localhost:9876.
I mentioned it on the birdsite a while ago and they responded saying such a feature would be useful but it never materialised.
Thinking about moving to #bitwarden but initial testing shows the same limitation - unless there is a setting somewhere.
If you're using #bitwarden, make sure to change the KDF algorithm to Argon2id^1 which is much more robust against GPU-powered attacks compared to its counterpart.
I've cracked billions of #passwords from tens of thousands of #data #breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employees aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
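The two generation rules from the post above (a Diceware passphrase of four or more words for the master password, 14-16 random characters for everything else) as an added Python example that is not the poster's code. The word list is a constructed stand-in; a real Diceware list has 7776 entries, one per five-dice roll, and the entropy figures assume that size.

```python
import math
import secrets
import string

DICE_PER_WORD = 5                    # Diceware selects each word with five d6 rolls
DICEWARE_SIZE = 6 ** DICE_PER_WORD   # 7776 words in a standard Diceware list
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def roll_word_key() -> str:
    """Five unbiased d6 rolls, e.g. '31415', drawn from the OS CSPRNG (not random.*)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """Map a dice key to a list index 0..7775 by reading the digits as base 6."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def diceware_passphrase(n_words: int, wordlist: list[str]) -> str:
    """Passphrase of n_words >= 4 words picked by simulated dice rolls."""
    if n_words < 4:
        raise ValueError("use four or more words for a memorised master password")
    if len(wordlist) != DICEWARE_SIZE:
        raise ValueError(f"a Diceware list must have exactly {DICEWARE_SIZE} words")
    return " ".join(wordlist[key_to_index(roll_word_key())] for _ in range(n_words))


def random_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random password for accounts the password manager fills in."""
    if length < 14:
        raise ValueError("generate at least 14 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `pool_size`."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    # Constructed placeholder list: real lists map each key to a short memorable word.
    demo_list = [f"word{i:04d}" for i in range(DICEWARE_SIZE)]
    print(diceware_passphrase(4, demo_list), f"~{entropy_bits(DICEWARE_SIZE, 4):.1f} bits")
    print(random_password(16), f"~{entropy_bits(len(PASSWORD_ALPHABET), 16):.1f} bits")
```

Four Diceware words give roughly 51.7 bits, while 14 random characters from the 94-symbol alphabet give roughly 91.8 bits; the passphrase trades strength for memorability, which is why the post reserves it for the master password only.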
I just had to steal this #meme from #reddit, it's about #selfhosting all your stuff. Instead of being reliant on the constant threat of losing your #google account. Or what about losing your centrally accessed #twitter account because #elonmusk thinks you are not worthy of his platform?
Bitwarden’s been throwing warnings on my phone telling me to scale back my hashing parameters because they might fail on this device.
Of course, now that I post about it, it’s not doing it so I can’t screenshot it… #Bitwarden #PasswordHashing #Infosec
Has anyone got #goldwarden running on their #linux distribution? The application opens for me, but none of the buttons are clickable. I tried to make sense of the Getting Started section in the wiki and used the commands outlined alongside flatpak run to no avail. https://github.com/quexten/goldwarden
Would be nice not to have to stare at #bitwarden ('s) smeary scaled #electron UI and instead use a nice #gtk4 app like Goldwarden. 🤓️
So I learned the hard way to maybe not randomly generate passwords I don't have memorized at all via services like @bitwarden when I need said password to utilize an app to clock into work, because when there's an issue with the password service missing your encryption key that "impacts a small number of users" and turns out I'm one of the lucky few, it definitely makes things difficult.
Still love #Bitwarden and since I began using it in 2017, have never had to check out github bug reports or community boards or the subreddit to see if others are experiencing similar issues (though to be fair, I haven't found anyone talking about the same error I am getting on any of those sites, and I googled a LOT while troubleshooting).
Do I do the workaround to be able to install #bitwarden in #nixos by permitting the insecure package #electron which is listed in the error message as EOL #endoflife
{
nixpkgs.config.permittedInsecurePackages = [
"electron-24.8.6"
];
}
or is there a better solution (other than bitwarden-cli).
I have a mystery when it comes to synchronizing my user with #vivaldi. For some reason the backup creation password has not worked for me, whereby the data is encrypted.
But I had backed up the key in a text file. And as a security measure copy that content into #Bitwarden notes....
my #1password annual plan is ending next month... time to switch to the #Bitwarden #openSource solution & celebrate their new EU servers 👌
Primary storage is via #bitwarden with a local #vaultwarden installation (both need to be version 23.10 at least)
Secondary storage is a #yubikey 5 NFC which I carry with me. This one allows me to use the passkey on my iPhone (iPad not tested yet)
Tertiary storage is another (cheaper) Yubikey which is deposited in a safe at home
Both Yubikeys are protected by a PIN which my wife knows. That way I cannot lose access to my account and have taken precautions in case I become incapacitated.
But this setup requires quite some time for each web site to switch to passkeys. That's why I am so angry with companies like Paypal who make it practically unusable.
So, just under 600 passwords and secure notes have now been moved from #bitwarden to #ProtonPass.
It went faster than fast.
Especially nice: all #TOTP entries were carried over without any problems.
Only shortcoming: ProtonPass can't handle attachments yet.
Just finished helping my grandfather solve some of his issues with #thunderbird. He didn't know how to create lists of contacts. I quickly set this up and closed maybe 1000 tabs (I don't know how he opened that many). I was also surprised to see he still uses #Firefox, although all his extensions were gone. Reinstalled #Bitwarden, #uBlockOrigin and #istilldontcareaboutcookies. Now he's fully open sourced again. He even mentioned that he thought about sponsoring Thunderbird.
Same API, same features, same UI, and support for other DBs than MSSQL.
One single stand-alone application vs. Bitwarden’s 10 Docker containers. 70MB of RAM vs. 2GB. 3MB of db storage vs. 300MB.
Why was a password manager supposed to take so many resources in the first place? Just because it runs on a Microsoft-only stack and on .NET’s inefficient VM? Just because somebody thought that it was a good idea to separate everything into different containers (even icons and 2fa are modeled as separate services in Bitwarden)?
It reminds me of my recent migration from Mastodon to Akkoma. I got more features, 5GB of RAM freed up and 300GB of storage freed up almost overnight.
Writing and running inefficient software that pointlessly consumes all the resources available on a machine should be a crime in a world with limited resources.
It makes me think of how much shitty bloated software like @bitwarden, probably based on awfully inefficient languages and frameworks like Java, Ruby on Rails and .NET, is running out there, pointlessly sucking up resources for doing simple jobs that could easily be done with 99% less resources.
Today’s developers, spoiled by IDEs, powerful machines, docker-compose and shortsighted “just throw more RAM at the problem” approaches, have forgotten how to write efficient software. Time for them to learn how to write good efficient software again. Software doesn’t eat the world. Only shitty software built on shitty frameworks does.