I’d understand if it were the kind of ‘fuck off, abusive liar’, but more often than not it’s about something so minor, certainly not worth the extra negativity added to the community.
I don’t mind weird and different opinions on things. In fact, that’s what makes the discussion interesting instead of some boring echo chamber. I just wish people wouldn’t be so aggressive about it and hurl personal attacks left and right. The old discussion boards had a thing called netiquette to keep the discussion civil, but here in certain communities it’s like the wild west.
Normally I’d agree with you, but in the case of LastPass, I have to disagree. Ever since they were bought by LogMeIn, not only have they significantly increased the price, they have also had security incident after security incident, with the worst one in 2022, not to mention a bunch of vulnerabilities that seem so basic they shouldn’t be a problem on other password managers. There were also shenanigans where they seemingly intentionally broke data export to slow down the exodus of their users to other password managers.
They were recently spun off as a separate company from GoTo/LogMeIn, but at this point I have lost faith and would not recommend LastPass at all.
Even the head mod of the piracy subreddit was ousted from the subreddit for attempting to migrate the sub to a Lemmy instance, and the redditors that remain there actually cheered! It’s wild; you would expect pirates, who are always at risk of having their subreddit shut down, to understand the need to migrate.
It’s actually starting to get common for open source password managers to get audited, often free of charge, by a security company. Whether the project actually competes with a commercial project doesn’t seem to matter, because the goal is to assess security.
KeePassXC was recently audited for example: https://keepassxc.org/blog/2023-04-15-audit-report/
1Password, another popular open source password manager, has also been audited: https://support.1password.com/security-assessments/
Bitwarden (including the selfhosted component) has also been audited: https://bitwarden.com/help/is-bitwarden-audited/
So it’s not really strange for people to express interest in getting vaultwarden audited.
It’s super easy to self-host (assuming you’re familiar with Docker), doesn’t take too many server resources, and will give you access to features normally gated behind Bitwarden subscriptions. Way better than the official self-hosted version. The main disadvantage is that while it’s open source, the code hasn’t been audited yet, which might be a deal breaker for people obsessed with security.
I migrated to Bitwarden years ago, but still curse myself for not immediately deleting my LastPass account back then, before the breach.
All vault data was stolen in the past, and while the data is encrypted, apparently the encryption is not strong enough, and there are reports that some of the vaults have been decrypted by hackers: https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
Self-hosters donating to themselves
Don’t jinx it, man; your head gasket might decide it’s time to blow after you posted that comment.
So this is why the Indonesian names for hippo, sea urchin and seal are weird af. They are actually direct translations of their Dutch names!
JWT sounds great on paper until you have to deal with logout and revocations. Might as well use standard session cookies.
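The trade-off behind this comment, as an added illustration that is not part of the comment or of any project mentioned on this page: a signed JWT can be checked without any server-side state, but then nothing the server does at logout changes the outcome of that check until `exp` passes. The moment you want logout to actually work, you are back to keeping a per-token record (here an in-memory list keyed on `jti`), which is the state session cookies already gave you. The HS256 secret, the token ids and the timestamps below are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (hypothetical); a real service loads it from a secret store.
SECRET = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue(sub: str, jti: str, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT. 'jti' is the unique token id that a revocation list keys on."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(_json_compact(header)) + "." + _b64url(_json_compact(payload))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, now: int):
    """Pure JWT check: signature (always HS256 with our key), algorithm pin and expiry.
    Returns the payload dict, or None. Nothing here can know that the user logged out:
    a genuine, unexpired token is accepted no matter what happened after it was issued."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


class RevocationList:
    """The server-side state a 'stateless' JWT needs for logout: jti -> exp.
    An entry only has to live until the token would have expired on its own."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, payload):
        self._revoked[payload["jti"]] = payload["exp"]

    def is_revoked(self, jti: str, now: int) -> bool:
        exp = self._revoked.get(jti)
        return exp is not None and exp > now

    def prune(self, now: int) -> int:
        """Drop entries for tokens that are expired anyway; returns how many remain."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return len(self._revoked)


def verify(token: str, revocations: RevocationList, now: int):
    """Stateless check plus the revocation lookup, i.e. what logout actually requires."""
    payload = verify_stateless(token, now)
    if payload is None or revocations.is_revoked(payload["jti"], now):
        return None
    return payload


def demo(now: int = 1_700_000_000) -> dict:
    revocations = RevocationList()
    token = issue("alice", "tok-1", 3600, now)

    # 1. Normal use: both checks accept the token.
    accepted_before_logout = verify(token, revocations, now + 10) is not None

    # 2. "Logout": the only thing the server can do is remember the jti.
    revocations.revoke(verify_stateless(token, now + 10))
    stateless_after_logout = verify_stateless(token, now + 20) is not None
    stateful_after_logout = verify(token, revocations, now + 20) is not None

    # 3. A payload edited to another subject but carrying the genuine signature.
    h, _, s = token.split(".")
    forged_payload = _b64url(_json_compact({"sub": "mallory", "jti": "tok-1", "iat": now, "exp": now + 3600}))
    forged_accepted = verify_stateless(f"{h}.{forged_payload}.{s}", now + 10) is not None

    # 4. Once exp passes the token is dead either way and its revocation entry can go.
    accepted_after_expiry = verify_stateless(token, now + 3600) is not None
    remaining = revocations.prune(now + 3600)

    return {
        "accepted_before_logout": accepted_before_logout,
        "stateless_check_still_accepts_after_logout": stateless_after_logout,
        "with_revocation_list_accepts_after_logout": stateful_after_logout,
        "forged_payload_accepted": forged_accepted,
        "accepted_after_expiry": accepted_after_expiry,
        "revocations_remaining_after_prune": remaining,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The revocation list is the honest cost of JWT logout: every resource server has to consult it on every request, it has to be shared between servers, and it only shrinks as tokens expire, so short lifetimes (plus a refresh token that can itself be revoked) are what keep it manageable. A session store keyed on an opaque cookie value does the same lookup without the signature machinery, which is the comparison the comment is making.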
Kia owners still need those steering wheel locks these days.
I’d love to be proven wrong, but I have a suspicion that it will be solved by the good ol’ planned obsolescence: “Your device will no longer be supported after 2038. Buy this shiny new device and receive a 10% discount by entering our coupon code: YAY2K38”
True, most people don’t out of laziness, but at least people who care would still have an alternative option instead of the mess we have now. Also, in a parallel universe where the internet is not crippled, maybe 20 years of p2p development would be enough to propel it to the point of mainstream usability, but I guess we’ll never know.
It actually takes power away from ordinary users and puts it in the hands of big corporations. It might sound ridiculous, but you’ll start to notice this if you compare how people used the internet 20 years ago vs now. For example, it’s no longer possible to communicate with other people over the internet without going through an intermediary. Sending text, files, voice and video calls all need to go through an intermediary to make sure your data gets through. Even modern p2p protocols require intermediaries in the form of STUN/TURN servers, or chances are high that the participants can’t see each other.
As an exercise, try to communicate (text, voice, video, file transfer, gaming) with a group of friends over the internet without using any 3rd party service except DNS. It used to be a no-brainer in the past, but today it’s outright impossible if both parties are behind a CGNAT, which is very likely (and almost 100% certain to happen if you live in a 3rd world country due to the disproportionate IP block allocation that favors western countries).
Over the years, this trains internet users into thinking that the internet is not usable without getting an account on tech giants’ online services. Imagine if this restriction did not exist. The internet might be less centralized today, the internet giants might not be as giant, and people might use more p2p tech to communicate with each other and might have better privacy because they would have less data captured by those 3rd party services.
I’m sure we’ll come up with a shitty way to work around the issue later. A recent example is how IPv4 was supposed to run out years ago, but thanks to the shitty workarounds deployed by telcos, no one felt the need to migrate to IPv6, even though the workaround makes the internet more restrictive and shittier.
KeePassXC doesn’t do any cloud syncing stuff. If you want your vault to be available on multiple devices, it’s up to you how to achieve that (e.g. by putting the vault database file inside dropbox/gdrive/nextcloud, etc.). Some people prefer this approach because they don’t trust centralized vault services.
1Password and Bitwarden are competitors and offer largely similar services (e.g. syncing your vault across all the devices you own). Bitwarden’s paid service is cheaper though, so it’s more popular. Note that the Bitwarden free account is already good enough; the paid service offers some convenient features which are actually pretty nice to have though, such as storing TOTP data in your vault.
Vaultwarden is an alternative implementation of the Bitwarden server. If you’re into self-hosting and want to host a Bitwarden vault on your own server, you can install it on your own server. It implements almost all Bitwarden features, even those that are only available in the highest subscription tier.