this post was submitted on 14 Sep 2024
484 points (96.9% liked)
Privacy
32100 readers
747 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This still requires a server setup, focused entirely on passwords. Why do that?
Why not just use KeePass or KeePassXC, and use Syncthing for this and general files, or KeePassXC's keeshare sync to sync the files without any hosting, server, or other services.
Extremely simplified tldr: both of these are like a authenticated private bittorrent, where the "tracker" only helps you find yourself on another devices, no data is ever sent outside of your authenticaed devices, and all transmissions are encrypted as well.
Few reasons, with the most important being convenience. Syncthing is going to see just a binary blob as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn't sync yet the changes (this is quite common for me on android, where syncthing would drain the battery quite quickly if it's always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have easy n-way merge of changes because its change is part of a change set with time etc.
Besides that, the moment you use syncthing from a threat model point of view, you are essentially in the same situation: you have a server (in case of syncthing - servers) that sees your encrypted password data. That's exactly what bitwarden clients do, as the server only has access to encrypted data, the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should worry also of the (random, public, owned by anybody) servers for syncthing that see your traffic.
Keeshare from my understanding does use hosting, it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it's not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that's the same once again.
The thing is, from a higher level point of view the security model can only be one of a handful of cases:
The more you go down in the list, the more you get convenience but you introduce a bit of risk. Tl;Dr keepass with keyshare/syncthing has the same risks (or more) than a Bitwarden setup with bitwarden server.
In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.
Edit: I can't imagine this comment to be deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers
There's often the 'security vs. convenience' tradeoff, but for most people you have both sides with Bitwarden over KeePass.
Bitwarden is undoubtedly more convenient. If you can create an account, you can use it. I have a family account, and have both of my parents using it. The love it now, but given the friction to get them there in the first place, it would impossible to get them on KeePass. Especially because they wanted their passwords on all devices.
Regardless of using Vaultwarden or KeePass, you need to have quite a bit of expertise to self host. And you are trusting your own ability to secure your attack surface. I'm sure many if not most in this thread can, but it would take me quite a while to convince myself I have. I would much rather trust security professionals.
Somewhat, although, potentially related. Have you seen Bitwarden's git repos? It is immaculately organized.
Consistent, clear naming convention. There is literally one called 'self-host'. If you put that much effort into keeping your code that useable/available/auditable etc. Oh yea. I'm going to trust you to handle security for me
This is one of the rare cases where I believe security through obscurity applies.
What is the most ripe attack target: the password hosting service with millions of user credentials, or literally some random IP address using syncthing that could be sending literally anything that you don't know is passwords or porn.
Companies like Bitwarden and 1Password and LastPass are doomed to have failures, just like any major corporation. They are too big with too much attack surface, and clearly advertise that they have stuff worth stealing.
Me? My KeePass vault is synced via Syncthing with no relay data, so it only ever exists on my phone and desktop, and is encrypted with what is today functionally unbreakable encryption. Today at least (RIP when quantum chips get good).
And my data is a blade of grass in a field. Sure there is a narrow chance someone snooping on my entire geographic area and stealing packets like the FBI could grab some packets in transmission. But they show nothing, and mean nothing. And the FBI has easier ways to get our data anyways.
Point is, I'd rather take my odds as a heavily encrypted file syncs between singular devices like a drop of water in the ocean, versus putting all my diamonds in Joe's Diamond Emporium and just hoping no one decides to steal MY diamonds when it (inevitably) gets robbed.
In this circumstance, you can turn on simple versioning for the password vault. It will keep both vault copies and you can merge your changes together manually in the event this happens, no loss of data.
For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate. Not saying it doesn't happen, but I believe this can be solved.
However KeePassXC's sync feature does sync the vault.
Syncthing does not have a server. The relay only serves to match your current client (device A) with the IP of your other client (device B). Nothing else passes through it unless you opt into using relaying in case you have NAT issues.
If you are paranoid, the software is open source and you can host your own relays privately, but again, it is similar to a matchmaking service, not data transfer.
Syncthing is a direct device to device transfer. No server in the middle unless you want it.
https://docs.syncthing.net/users/relaying.html
Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you probably are aware of that if you setup something like this. Manually merging changes is extremely annoying and eventually you end up forgetting it to do it, and you will discover it when you need to login sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync'd application this is not a problem at all. Hence +1 for convenience to bitwarden.
How does it work though? From this I see you need to store the database in a cloud storage basically.
I use this method for my notes (logseq). Never had synchronization problem, but a lot of battery drain if I let syncthing running in the background.
I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.
This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data in an external server, you still need to manage a service (comparable to vaultwarden), and you don't get all the extra benefits on bitwarden (like multi-user support etc.).
To be honest I don't personally think that the disclosure of a password manager encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than -say- Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is personal ultimately.
KeePassXC you would put the sync-file itself into syncthing or something, and then KPXC would resolve changes between the sync file back to the main vault. I don't use this method directly so I might be incorrect on the details, but it is possible to setup in a device to device manner.
You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices. It does not use cloud hosting or servers. It has the equivalent of a 90s FPS matchmaking lobby, so you can find your own devices latest IP.
You register the devices with each other with their generated ID codes. Then you ask the matchmaking server when it last saw that alias. It gives you the last IP that checked in with that unique alias. It then contacts that OP, and performs a handshake. If it passes, your two devices can now sync directly. The matchmaking relay has 0 data of yours, and 0 ability to associate your unique ID with a name, hardware, or anything other than a last seen IP. When on the same LAN, devices don't even query the matchmaking relay if you don't want. It's totally offline.
If you elect to, you can allow relays to let you tunnel of you have NAT issues, and your end to end encrypted data can be synced through a relay. In those cases then yes, you are extending a bare minimum trust, and you fully encrypted data would temporarily pass on the relay's RAM. If this makes you paranoid, you can easily add a password to the sync folder itself, encrypting it unless another user inputs the password on the other end. Adding another layer if you wanted.
I just get nothing from Bitwarden that syncthing and KeePass don't offer more easily. Syncthing works for tons of devices and other purposes as well, preventing to host a password sharing only tool, and just letting you use a direvy device to device sync tool. I don't know how or why you would have vault conflicts, but it really does sound like something fixable. Running this for years and I've never run into it.
Looking at keepassXC doc I couldn't find such setup. Maybe it's possible, but maybe it also leads to trouble down the road. The "official way" seems to use cloud storage.
I mention that but with a specific context.
And from my (consumer) PoV this is functionally equivalent to have the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.
Personally it doesn't. As I said earlier, it's way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist to that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also of these corner cases.
You can say many things, but that keepass + syncthing is easier is not one of them. It's a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn't have (I mentioned a few, maybe you don't need them, but they exist).
At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don't want to think about how to sync my password across devices, and since I moved to bitwarden I don't have to. This way I don't need to think about it, and also my whole family doesn't have to. Win-win.
That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is mininal. If you get convenience/features, it's a win.