I use it currently, but I’ve seen a few people say it’s bad for privacy or something? Is this true? If so, what alternatives do you suggest?

Bitwarden uses Microsoft SQL Server as the only DB server option.

It is also the one they run on their main service, so it is not fully FLOSS and I would not consider that DB server reliable at all given its nature.

As Helix pointed out before, there is a fully FLOSS replacement compatible with the API and clients called Vaultwarden, which is also written in Rust and allows MySQL/MariaDB and PostgreSQL DB servers AFAIR.

Mr. Upsy (creator)
a month ago

Ahhh, that must be what people meant; the Microsoft thing.

@emilygage@lemmy.ml
a month ago

Bitwarden is fine from a privacy standpoint so keep using it if you like it.

alternatives

I use and recommend KeePassXC.

Cyclohexane
a month ago

It’s good, yes. Though one thing I don’t like is that when you want to access just one password, the whole vault is available unencrypted and there’s a risk it can be read from memory. But this is a worry in all password managers afaik.

@morrowind@lemmy.ml
a month ago

That’s nonsense, bitwarden is great for privacy and the best password manager for casual users.

Sr Estegosaurio
a month ago

KeePassXC is also a great contender. But I agree that Bitwarden rocks. (if you selfhost Vaultwarden even more)

@shreddy_scientist@lemmy.ml
a month ago

I would assume the individuals who claimed BitWarden has privacy issues are not very well versed on the topic. If you wanted to check out some alternatives, a site I trust has the four highest rated password managers/generators from a security and privacy standpoint to be: BitWarden, LessPass, KeePassXC & Spectre. LessPass and Spectre generate passwords with no storage needs though. BitWarden is audited four times each year by a third party and I have only ever seen surface level issues identified which are always quickly amended.

@quaver@lemmy.ml
a month ago

LessPass and Spectre are really bad ideas. They sounded cool to me too until I thought about it more.

If your password for one site is compromised, you can’t change it, ever, which is already a dealbreaker. Moreover, the algorithm for creating the password is very fast - which means that if someone finds out your password for one service, they can brute force your master password extremely fast relative to other password managers. And they don’t even need access to your vault. Keep in mind, I’m not a security expert at all so I might be wrong about this.

Bitwarden and Keepass XC are the only password managers I recommend because attackers need access to your vault/database to be able to crack anything, and the cryptography used is intentionally slow as to make brute forcing less practical. The most ideal is to self host or use an offline database like Keepass does, which makes the risk of your database being compromised practically zero unless you’re some high profile target.
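The two designs contrasted in the comment above, as a constructed toy model (added example, not the code of LessPass, Spectre, Bitwarden or KeePassXC): a stateless generator derives each site password with one fast hash, so a leaked site password alone lets guesses be checked and the password cannot be rotated without changing an input, while a vault-style design runs a deliberately slow KDF and can only be checked against the encrypted vault. The iteration count and the hash-per-iteration estimate are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Assumed work factor for the vault-style scheme; real managers use comparable or
# larger PBKDF2 counts, or memory-hard KDFs such as Argon2.
VAULT_KDF_ITERATIONS = 200_000


def derive_site_password(master: str, site: str, counter: int = 1) -> str:
    """Stateless generator: the site password is a pure function of its inputs.
    Same master + site + counter always yields the same password, so 'changing' a
    leaked password means bumping the counter, never revoking the old value."""
    data = f"{master}\x00{site}\x00{counter}".encode()
    return hashlib.sha256(data).hexdigest()[:20]


def leak_confirms_guess(guess: str, site: str, leaked_password: str) -> bool:
    """What a single leaked site password gives away under the stateless scheme:
    a master-password guess can be checked with one hash and no vault at all."""
    return derive_site_password(guess, site) == leaked_password


def vault_key(master: str, salt: bytes, iterations: int = VAULT_KDF_ITERATIONS) -> bytes:
    """Vault-style scheme: a slow KDF turns the master password into the vault key.
    Checking a guess needs the vault's salt and ciphertext, and costs every iteration."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)


@dataclass(frozen=True)
class GuessCost:
    needs_vault: bool       # must the attacker hold the encrypted vault to test a guess?
    hashes_per_guess: int   # approximate SHA-256 invocations per master-password guess


def cost_stateless() -> GuessCost:
    # One hash per guess, verifiable against one leaked site password.
    return GuessCost(needs_vault=False, hashes_per_guess=1)


def cost_vault(iterations: int = VAULT_KDF_ITERATIONS) -> GuessCost:
    # PBKDF2-HMAC-SHA256 performs roughly two SHA-256 computations per iteration
    # (inner and outer HMAC); the vault itself is required to verify anything.
    return GuessCost(needs_vault=True, hashes_per_guess=2 * iterations)


def slowdown_factor(iterations: int = VAULT_KDF_ITERATIONS) -> int:
    """How many times more work one guess costs against the vault than against a leak."""
    return cost_vault(iterations).hashes_per_guess // cost_stateless().hashes_per_guess
```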

Yep, unless you want to use something like Keepass and roll your own sync with something like syncthing, then I think Bitwarden is really good.

Sr Estegosaurio
a month ago

Pretty good solution imho.

@quaver@lemmy.ml
a month ago

Keepass XC and Syncthing is exactly what I do and it’s been amazing.

Tmpod (mod, admin)
a month ago

That isn’t true. BitWarden is a very good password manager. Great apps on all platforms (even terminal) with perfect sync.

If you don’t trust the main BitWarden.com server, then you can run the official server, or the lighter and community-recommended vaultwarden server. It’s tiny, easy to deploy and effective.


Edit: links

@Helix@feddit.de
a month ago

There’s an Open Source implementation called Vaultwarden. You should certainly export your passwords from Bitwarden so they can’t keep them hostage.

Alternatives include Passbolt (no offline client, weird French crypto implementation of RSA), KeePassXC (best for single users, not good for sharing) and QtPass/gopass/pass (best solution if you are very proficient with GPG and like the command line).

@fishonthenet@lemmy.ml
a month ago

You should certainly export your passwords from Bitwarden so they can’t keep them hostage.

imo your tone is a bit blowing this out of proportion, you can stay on the free tier, pay regularly for a very good service or even self-host. they are not keeping your password “hostage”.

@Helix@feddit.de
a month ago

Yes, that’s why I said you should export the passwords regularly, so they can not hold them hostage. Whether they currently do it or just remove some features when you stop paying is irrelevant since they could change that tomorrow.

@cruon@lemmy.ml
a month ago

I’d like to add that Password Store has built-in integration in GNU Emacs and you can easily navigate your vault via pass. Further, syncing your passwords with other devices is only a matter of creating a Git repository, and using Android Password Store and OpenKeychain to access and decrypt them on mobile.

@Helix@feddit.de
a month ago

I have years of experience with GPG and still didn’t manage to set up a shared password repository with pass and derivatives which is usable by people without my experience. I’m talking junior devs, senior devs and junior admins here. I only managed to make it work between a few DevOps and admin people. Our senior DevOps guy didn’t even bother because it has so many papercuts.

The most promising client to me apart from gopass (not to confuse with go-pass) was QtPass but even that was lightyears away from KeePassXC in terms of UX.

Maybe another thing to add is that there’s pass-import which can convert several different formats of password stores between each other and to pass itself.

Mr. Upsy (creator)
a month ago

What do you mean by “keep them hostage”? Why would they do that?

@Helix@feddit.de
a month ago

You pay for their service and when you stop paying, you lose access to the passwords you didn’t synchronise to your local client before that happens.

Mr. Upsy (creator)
a month ago

I use the free personal plan myself.

I use Bitwarden. It is easy and simple to use.

IΛM0DΛY
a month ago

It’s absolutely the best password manager a person could invest in, they’ve had it for years and have never had any issues with breaches or anything else unlike the competition.

@Eighei2e@lemmy.ml
a month ago

Centralized services are questionable for privacy in general. That’s especially true for a password manager, where if the service is compromised in a way that leaks your passwords then all of your accounts are compromised.

If you’re at all worried about potentially being profiled by governmental actors as a privacy concern, I’d keep as far away from hosted password managers and email as possible. There’s no such thing as a hosted service that doesn’t share information with the government on request and both of those services immediately give away the whole game if compromised.

@sproid@lemmy.ml
a month ago

Can you provide more details? We cannot debate if there are no detailed claims.

Mr. Upsy (creator)
a month ago

It was mainly just passing gossip about them being affiliated with Google or something. I couldn’t find anything on the topic, and I didn’t necessarily believe the claims. I just thought I’d ask here just in case.

@sproid@lemmy.ml
a month ago

I trust Bitwarden. And even if they use Google analytics does not make them untrustworthy. It would be something that needs to be improved.

@blkpws@lemmy.ml
a month ago

No. Hire self-hosting way or do it yourself and use KeepassXC or any open source and self-hosted methods.
