- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
Eh, not worth it to me. Some of what I host is occasionally really handy to be able to access from a random machine, and I don’t want to have to deal with barriers to entry when I need in. I can appreciate the security benefits, but I’ll take my chances. Even if they break into my NextCloud, they’d have to crack an unreasonable password to break the password database open.
You are choosing more convenience over security, which is fine, BUT it’s good to know that syncing your passwords with NextCloud over the internet is not any more secure than syncing it over the internet any other way (that uses any encrypted transport method).
Not necessarily. Compromising Vaultwarden would allow you to inject malicious JavaScript into the login page to steal passwords. NextCloud in no way interacts with the password database, so it provides no attack surface to the password database itself. Compromising the client for my password manager would require a supply chain attack on a Linux distribution’s package repository or theft of the package signing keys for the Linux distro or the Android app
What do you mean by comprimising VaultWarden? Someone hacking into your server and changing the login page to include extra javascript? Because if they are gaining code execution on your system, then you might already be done for. I can see your point, but I’m not personally going to be worried about it specifically.
By compromising Vaultwarden, I mean exploiting some flaw in it to gain extra access that may facilitate further attacks. If they have code execution on my server, they can’t really do anything because the server never provides an interface to unlock the password database. They could attempt a more complicated malware attack on my clients, but that’s WAY more effort than an automated attack on Vaultwarden instances, probably by several orders of magnitude.
There’s this wild technology called a hotspot. You can use your already authenticated device to give another device access to your services indirectly.
That level of security is exactly the same as exposing your password manager to the “fucking” internet. Not sure why you criticized it before when you (incorrectly) assumed that I was doing that.
There’s also this dated technology called a wired connection that some other dated technologies require. Since I don’t get to choose every device I interact with or depend on, that’s not always available.
I would disagree. A Bitwarden instance identifies itself as such to every visitor that comes by. It advertises itself as a particularly high value target. By contrast, a lot of what a NextCloud instance hosts is often personal and more valuable to the user than a hacker, so it does not become clear if there’s anything of value inside.
It also decreases the attack surface of my password manager itself because there are fewer features in it that may have a potential exploit. Even if an attacker compromises the NextCloud instance, that may grant access to the file itself, but they still have to contend with the entire security of the password manager. No device will ever make any contact with the server for password purposes other than to sync the database file, and there’s no web interface to inject a password stealing JavaScript file.
EDIT: Forgot to mention the worst part about KeePassXC. It’s vibecoded crap.
Hotspot does not imply that it needs to be wifi. You can share your internet connection via usb tethering too. (also a wild new technology, I know)
This ignores how modern internet attacks work. Hackers don’t sit around manually browsing websites. Automated botnets scan the entire IPv4 address space 24/7 looking for specific software signatures or known unpatched vulnerabilities. If a Nextcloud exploit drops today, a bot will breach the server before the hacker even knows what is stored inside.
Also, advertises itself to whom? I’m not exposing it to the internet. How many reports can you find of people getting their Vaultwarden instance hacked? This is a lot of assumptions that don’t track with reality.
You’re putting your database file in nextcloud. That increases the attack surface of your solution, a lot.
That’s *exactly *what a client for vaultwarden does…
Vaultwarden has a web interface, true. It’s also true that I’ve literally never used it for anythin other than creating the users. I haven’t opened it in years.
You’re choosing a very petty and small hill to die on, dude. Just admit that you prefer doing it your way even if there are better alternatives.
Some environments restrict USB access for security reasons. Some environments don’t have extra ports to spare. Sometimes, I just don’t have the right cable on hand even if the environment is otherwise fine.
No, I’m well aware of that. I mean that when the inevitable scans come, the Vaultwarden instance will freely identify itself as such. An attacker would automate the breach if they detected my NextCloud instance and had an exploit ready, but then what? The contents are too unpredictable to have a one size fits all approach from there. Even if they scan all the servers they breach for password databases, they have to contend with the fact that they still have no means to try to intercept the password. They may have a slightly easier time obtaining the database, but cracking a huge pile of password databases is an infeasible task.
Yes, if I did it the way you want, I could avoid exposing it and allowing it to advertise itself, but then I would be unable to access it without a VPN or other networking tool.
I never said that Vaultwarden had been hacked. I said essentially that Vaultwarden is a single point of failure that I do not want to risk exposing to the wider internet, and I don’t want to hide the services behind a VPN because that can complicate access. It’s a little less secure, but what’s the point of security if I can’t actually use it myself?
Of the overall system, yes. Of the password database itself, not really. Slightly less potential security through lack of access, but with a sufficiently secure password, cracking it isn’t realistic. That becomes exponentially more true if you’ve got a huge pile of password databases you need to crack, as would most likely be the case for anyone who breached my server.
Yes, and you’re just about get to the problem I have with the client if you’d finish my sentence before you got smug with me.
And it’s great that for your personal use case, that works our for you. But before you decide to act like a smug asshole, maybe consider that not every situation can resolve as cleanly as yours. There are a lot of reasons that restricting access to a VPN can at times be limiting. Sure, at home on your own hardware, not really, but some people need the same tools for different purposes in different environments.
Just think beyond your own experiences and accept that other people have different needs than you for a variety of reasons that they can’t always control.
Where are you even trying to use your password manager??? You’re absolutely batshit dude. I’m not reading this wall of text.
Corporate environments don’t like you tampering with how their networks are set up. You might be able to get your hands on a portable copy of your password manager or even get installation authorized, but you might not be able to force a hotspot VPN onto the machine, and you’ll have a WAY harder time getting a VPN cleared than you will getting a password manager to work.
You should also not be ysing a corporate laptop for your private stuff. If you do need to use it, you can do use the password manager the old way, just read from your phone and manually type it in.
Lastly, since you’re proposing a corporate scenario, you wouldn’t be able to install a random program on your laptop. IT would either block the installation or you’d have to explain why you’re installing random programs on your work computer.
This is getting pathetic dude, just move on.
Yeah, but some stuff kinda blurs the line, and some stuff is just useful both places. It’s not ideal, but I can maintain some separation with different NextCloud users and different database files.
Portable versions of password managers work sometimes. There are browser extensions you might be able to use. Most notably, both of these are more likely to be authorized than a VPN tunnel into my personal machines if I even need authorization for them. In some places and jobs, you might get a little influence over what gets installed, within reason, and an open source, strictly offline password manager is less of a threat than a VPN connection to an uncontrolled endpoint. I might be able to get a Vaultwarden client, but then I’m back to exposing Vaultwarden to the open internet, which was what I didn’t want to do.