- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
Doesn’t keepass only work on a single device? Meaning that you have to handle syncing the database file yourself. I prefer selfhosting vaultwarden. Maybe these changes will make me migrate to something else but for now I’m very satisfied with vaultwarden and the bitwarden client.
Yeah, I just leave the file in a NextCloud sync directory. All my desktops and laptops download it automatically, and it’s trivial to download to my phone. As an added bonus, my fucking password manager isn’t exposed to the open internet where every hacker who finds it is gonna wonder what’s inside.
You need two apps though and I personally have more faith in vaultwarden being stable than nextcloud.
Glad your “fucking” password manager isn’t exposed to the internet. Mine isn’t exposed either since I use tailscale to access it. Your comment leads me to believe that your NextCloud instance IS exposed to the internet. Wouldn’t that mean that if a hacker gets access to your account they could also get your keepass file as well?
I just typed out a response to most of this, and rather than repeat all that, I’ll copy a link here https://lemmy.zip/comment/26557132
A lot of it can be summed up in that compromising Vaultwarden means everything is screwed while compromising NextCloud is mainly a minor inconvenience. It provides neither information about the database’s password nor any avenue to attempt to intercept the password.
EDIT: Forgot to mention the worst part about KeePassXC. It’s vibecoded crap.
I replied to that comment. You’re assuming that compromising vaultwarden is somehow easier than compromising nextcloud. No idea why. Intercept the password where? I’m using a local client and only syncing the vault. You seem to be pretty unfamiliar with how vaultwarden works.
Is RiiR still all the rage? Perhaps it’s time to oxidize KeePass. There are a few libraries for kdbx files and at least one ready-made CLI.
No, I’m assuming that compromising NextCloud is less devastating than compromising Vaultwarden, so I’m taking a calculated risk that my database’s password is secure enough to offset the slightly increased risk of access to the encrypted database because I don’t always get to choose all the software I get to use in every environment I work with, so I might have to use the web client if I can’t get the local client.
As for you only using the local client, congrats, we don’t always get to choose what we use outside the home.
WireGuard 🥹
At that point, is it really easier than NextCloud? I don’t have to worry about forgetting to disconnect and wasting my VPS’s bandwidth or ruining my ping for games. On PCs and laptops, the file is immediately local, and on mobile, it’s easier to download an updated version of the database than it is to mess with the VPN.
Yup, it is. On one hand, I would have wireguard configured regardless beacause I don’t like publicly exposing my server. On the other, if you had to do it just for this and don’t want to configure wireguard manually, just use zerotier, tailscale or netbird. They can be set up in like 15 minutes and after you get it working you don’t need to touch it again.
Eh, not worth it to me. Some of what I host is occasionally really handy to be able to access from a random machine, and I don’t want to have to deal with barriers to entry when I need in. I can appreciate the security benefits, but I’ll take my chances. Even if they break into my NextCloud, they’d have to crack an unreasonable password to break the password database open.
You are choosing more convenience over security, which is fine, BUT it’s good to know that syncing your passwords with NextCloud over the internet is not any more secure than syncing it over the internet any other way (that uses any encrypted transport method).
Not necessarily. Compromising Vaultwarden would allow you to inject malicious JavaScript into the login page to steal passwords. NextCloud in no way interacts with the password database, so it provides no attack surface to the password database itself. Compromising the client for my password manager would require a supply chain attack on a Linux distribution’s package repository or theft of the package signing keys for the Linux distro or the Android app
What do you mean by comprimising VaultWarden? Someone hacking into your server and changing the login page to include extra javascript? Because if they are gaining code execution on your system, then you might already be done for. I can see your point, but I’m not personally going to be worried about it specifically.
There’s this wild technology called a hotspot. You can use your already authenticated device to give another device access to your services indirectly.
That level of security is exactly the same as exposing your password manager to the “fucking” internet. Not sure why you criticized it before when you (incorrectly) assumed that I was doing that.
There’s also this dated technology called a wired connection that some other dated technologies require. Since I don’t get to choose every device I interact with or depend on, that’s not always available.
I would disagree. A Bitwarden instance identifies itself as such to every visitor that comes by. It advertises itself as a particularly high value target. By contrast, a lot of what a NextCloud instance hosts is often personal and more valuable to the user than a hacker, so it does not become clear if there’s anything of value inside.
It also decreases the attack surface of my password manager itself because there are fewer features in it that may have a potential exploit. Even if an attacker compromises the NextCloud instance, that may grant access to the file itself, but they still have to contend with the entire security of the password manager. No device will ever make any contact with the server for password purposes other than to sync the database file, and there’s no web interface to inject a password stealing JavaScript file.
EDIT: Forgot to mention the worst part about KeePassXC. It’s vibecoded crap.
Hotspot does not imply that it needs to be wifi. You can share your internet connection via usb tethering too. (also a wild new technology, I know)
This ignores how modern internet attacks work. Hackers don’t sit around manually browsing websites. Automated botnets scan the entire IPv4 address space 24/7 looking for specific software signatures or known unpatched vulnerabilities. If a Nextcloud exploit drops today, a bot will breach the server before the hacker even knows what is stored inside.
Also, advertises itself to whom? I’m not exposing it to the internet. How many reports can you find of people getting their Vaultwarden instance hacked? This is a lot of assumptions that don’t track with reality.
You’re putting your database file in nextcloud. That increases the attack surface of your solution, a lot.
That’s *exactly *what a client for vaultwarden does…
Vaultwarden has a web interface, true. It’s also true that I’ve literally never used it for anythin other than creating the users. I haven’t opened it in years.
You’re choosing a very petty and small hill to die on, dude. Just admit that you prefer doing it your way even if there are better alternatives.
That’s a fair point, I was mostly pointing out in the original comment that VPNs are an option that stops your password manager being exposed to the internet (though if their NextCloud IS exposed to the internet and is syncing their password db, then there is not much difference).
Plus you can tunnel traffic that needs to go to your VPS through the VPN, leaving all other traffic untouched (ie not tunneled), if you are worried about leaving it connected by accident. This would be max convenience.
Compromising Vaultwarden provides an opportunity to inject malicious JavaScript and steal the database password when it’s opened. NextCloud can never leak any info about how I open my password database.
Any password manager could be comprimised. A bug could even be installed on your system or malware. What’s the difference?
NextCloud doesn’t know how you open the password db, but KeePass (for example) does, so the master pass comprimise would be with that.
Specifically the syncing part being done with any tool, doesn’t matter.
Who or how are you thinking Vaulwarden is being comprimised?
Sure, any manager could be compromised, but no client that handles my password database in any way connects to the internet, and all of them come from either signed Linux packages or signed Android apps. If Vaultwarden has a security vulnerability, you can steal the key and the database. If NextCloud is compromised, you can steal the database but not the key. To compromise the password manager client would require either stealing the publishing keys or getting the original author to publish a malicious version.
I see your point, but if your server can only be accessed through a VPN, I think the risk is mitigated. Maybe I’m being naive.