this post was submitted on 22 Apr 2024

Open Source


I rely on Bitwarden (slooowly migrating from... a spreadsheet...) and am thinking of keeping a master backup to be SyncThing-synchronized across all my devices, but I'm not sure of how to secure the SyncThing-synchronized files' local access if any one of my Windows or Android units got stolen and somehow cracked into or something. I'm curious about how others handle theirs. Thanks in advance for sharing!

[–] mr_pip@discuss.tchncs.de 24 points 7 months ago (2 children)

keepassxc database synced with syncthing across devices

[–] absGeekNZ 5 points 7 months ago

This is the way

[–] fine_sandy_bottom@discuss.tchncs.de 4 points 7 months ago (1 children)

This is the way OP. Centralised services are just too much a target for bad actors.

You already have syncthing so most of the way there.

Also built in TOTP / 2fa is pretty great.

[–] shiftymccool@programming.dev 2 points 7 months ago (3 children)

Also built in TOTP / 2fa is pretty great.

I can't wrap my head around how this is a good idea. Isn't the idea of mfa to protect against password theft? If your second factor is stored with your password, how does that help anything? Honest question, I see this everywhere but can't figure out why it's acceptable with security-minded folks

Yeah fair question. IMO it def makes things less secure, but it's a question of how much less?

As in, if all my passwords are "sexG0d" then 2fa is critically important, but if all my passwords are long and complex and unique then 2fa is still another layer but it's much less critical.

[–] RobotZap10000@feddit.nl 3 points 7 months ago

If someone were to pinch a password through a phishing site or a key logger they would still need to unlock your .kdbx file. The way I see it, if an attacker has cracked your database, you already screwed up 20 steps ago. (Sharing your .kdbx, using a weak password for it, not changing your other passwords) I think that 2FA on a different device is too much of a hassle for how much extra security it can bring.

[–] Kayana@ttrpg.network 2 points 6 months ago

Late reply, but for me personally, I started doing it because my Keepass database is already accessed using two factors (password and key file). Therefore, I'd gain very little by keeping the second factor of those sites external - essentially, those second factors are compounded into the second factor for the database.

[–] unknowing8343@discuss.tchncs.de 13 points 7 months ago

Bitwarden already stores a local copy on all devices you have it installed. Just make sure you load up those devices from time to time... And guess what, you are probably already doing that with your phone and laptop (which actually contains generally 2 copies, 1 on your actual client and another for the browser extension). Add a third device for good measure and... Oh, you also have a backup on bitwarden.com, this thing literally backs itself up everywhere!

[–] d3Xt3r 9 points 7 months ago (1 children)

if any one of my Windows or Android units got stolen and somehow cracked into or something.

This shouldn't be a concern if you're using disk encryption and secure passwords, which is generally the default behaviour on most systems these days.

On Android, you don't need to worry about anything as long as you've got a pin/password configured, as disk encryption has been enabled by default for like a decade now.

On Windows, if you're on the Pro/Enterprise edition, you can use Bitlocker, but if you're on Home, you can use "device encryption" (which is like a lightweight Bitlocker) - but that requires a TPM chip and your Windows user account linked to a Microsoft account. If that is not an option, you could use VeraCrypt instead, which is an open-source disk encryption tool. Another option, if you're on a laptop, could be Opal encryption (aka TCG Opal SED), assuming your drive/BIOS supports it.

TL;DR: Encrypt yo' shit, and you don't need to worry about your data if your device gets stolen.

[–] bloodfart@lemmy.ml 2 points 7 months ago (4 children)

do not do anything in this post until you have backups that you know run and work.

device encryption is fantastic.

[–] zarenki@lemmy.ml 8 points 7 months ago (3 children)

For years I've been using KeepassXC on desktop and Keepass2Android on mobile. Rather than sync the kdbx file between my devices, I have each device access it through the network. Either via sftp, smb, or nfs, but regardless I need to connect to my home's VPN to access it when away from home since I don't directly expose those things to the outside world.

I used to also keep a second copy of the website-tied passwords in Firefox Sync, but recently tried migrating that to Proton Pass because I thought the PIN feature might help, then ultimately decided to move away from that too and start using the KeepassXC-Browser plugin instead. I considered Bitwarden too but haven't tried it out yet, was somewhat deterred by seeing people say its UI seems very outdated.

[–] LucidBoi@lemmy.dbzer0.com 1 points 7 months ago (1 children)

Is syncing the .kdbx files using Syncthing unsafe?

[–] not_amm@lemmy.ml 2 points 7 months ago (2 children)

Syncing files that you may open in both (or more) devices at the same time is unsafe with any service, but you can manage to avoid sync conflicts with KeePass if you do not open the same file at the same time or open the Android app in read-only mode. I've only had like 3-4 conflict files this year and they weren't important.

[–] chebra@mstdn.io 3 points 7 months ago

@not_amm And I think Keepass (XC) has a merge function which can very easily resolve these conflicts.
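Added example, not code from the thread, from Syncthing or from KeePassXC: a small Python script that finds Syncthing conflict copies of a .kdbx file, checks that each copy really is a KDBX database by its file header (a truncated write can leave a .kdbx-named file that is not one), and prints the keepassxc-cli merge commands that fold the copies back into the main database. The conflict-file naming pattern is the one Syncthing documents; the sample folder contents are constructed inline and are not real vaults.

```python
"""Spot Syncthing conflict copies of a KeePass database and plan their merge.

Syncthing renames the losing side of a conflicting change to
    <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<DEVICEID>.<ext>
so 'vault.kdbx' can end up beside
'vault.sync-conflict-20240422-101500-ABCDEFG.kdbx'.
"""
import re
import shlex
import tempfile
from pathlib import Path
from typing import Dict, List

# Every KDBX file starts with these two fixed little-endian signatures.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")

CONFLICT_RE = re.compile(
    r"^(?P<stem>.+?)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"-(?P<dev>[A-Z0-9]+)(?P<ext>\.[^.]+)?$"
)


def is_kdbx(path: Path) -> bool:
    """True if the file carries the KDBX header, not merely a .kdbx name."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(KDBX_MAGIC)) == KDBX_MAGIC
    except OSError:
        return False


def _stamp(name: str) -> str:
    """Sortable YYYYMMDDHHMMSS taken from a conflict file name."""
    match = CONFLICT_RE.match(name)
    return match["date"] + match["time"] if match else ""


def find_conflicts(folder: Path) -> Dict[Path, List[Path]]:
    """Map each base database to its genuine conflict copies, oldest first."""
    groups: Dict[Path, List[Path]] = {}
    for entry in folder.iterdir():
        match = CONFLICT_RE.match(entry.name)
        if not match or not is_kdbx(entry):
            continue  # not a conflict copy, or not a real database at all
        base = folder / f"{match['stem']}{match['ext'] or ''}"
        groups.setdefault(base, []).append(entry)
    for copies in groups.values():
        copies.sort(key=lambda c: _stamp(c.name))
    return groups


def conflict_names(folder: Path, base_name: str) -> List[str]:
    """Names of the conflict copies belonging to base_name, oldest first."""
    return [c.name for c in find_conflicts(folder).get(folder / base_name, [])]


def merge_commands(folder: Path) -> List[str]:
    """Shell lines that fold every conflict copy back into its base database.

    keepassxc-cli merge <target> <source> merges source into target; -s reuses
    the target's credentials for the source, which holds for a synced copy.
    """
    lines: List[str] = []
    for base, copies in find_conflicts(folder).items():
        if not base.exists():
            # The original is gone; the newest conflict copy is the best candidate.
            lines.append(f"# {base.name} is missing: rename {copies[-1].name} to {base.name}")
            continue
        for copy in copies:
            lines.append(f"keepassxc-cli merge -s {shlex.quote(str(base))} {shlex.quote(str(copy))}")
    return lines


def build_sample_folder() -> Path:
    """Create a throwaway folder of constructed sample files (not real vaults)."""
    folder = Path(tempfile.mkdtemp(prefix="kdbx-sync-"))
    (folder / "vault.kdbx").write_bytes(KDBX_MAGIC + b"\x00" * 16)
    (folder / "vault.sync-conflict-20240422-101500-ABCDEFG.kdbx").write_bytes(KDBX_MAGIC + b"\x01" * 16)
    (folder / "vault.sync-conflict-20240421-235959-HIJKLMN.kdbx").write_bytes(KDBX_MAGIC + b"\x02" * 16)
    # A conflict copy that is not a KDBX file (e.g. a truncated write): must be ignored.
    (folder / "vault.sync-conflict-20240420-120000-OPQRSTU.kdbx").write_bytes(b"not a database")
    # A conflict copy whose original database no longer exists.
    (folder / "old.sync-conflict-20240419-080000-VWXYZAB.kdbx").write_bytes(KDBX_MAGIC)
    return folder


if __name__ == "__main__":
    for line in merge_commands(build_sample_folder()):
        print(line)
```

The script only prints the commands; run them by hand after opening each copy once, and delete a conflict copy only after the merge has succeeded, since the copy is the only place the lost edits still exist.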

[–] LucidBoi@lemmy.dbzer0.com 1 points 7 months ago (1 children)

Do the files pass through their servers unprotected? I don't really understand how Syncthing works under the hood.

[–] hedgehog@ttrpg.network 2 points 7 months ago

From https://docs.syncthing.net/users/faq.html#what-is-syncthing (bolding mine)

We believe your data is your data alone and you deserve to choose where it is stored. Therefore Syncthing does not upload your data to the cloud but exchanges your data across your machines as soon as they are online at the same time.

[–] jaykay@lemmy.zip 7 points 7 months ago (1 children)

I'm not sure if that's what you mean but I just export the Bitwarden database in an encrypted json and have it backed up in cloud. I'm not sure why you need the backup synced with all devices tho

[–] Dymonika@beehaw.org 2 points 7 months ago (1 children)

I guess it's in cases when I may not be able to use Bitwarden, but... I suppose it can be used everywhere! Clearly, I'm new to this thing, so that's good to know!

[–] jaykay@lemmy.zip 3 points 7 months ago* (last edited 7 months ago) (1 children)

Oh, that changes things. So, Bitwarden can be used basically anywhere, as you said. Just log in and there you are. It's even a website. Their servers would have to die for it to be a problem. But that's not a real problem actually as the app keeps a local copy on the device and every time you open the app, it syncs with their servers and updates the vault (database). So the devices are synced by default really. If you want to back it up anyway, there is an "export vault" button which you can use. If you choose with encryption it's going to be encrypted with the master password I think :)

PS Bitwarden (company) stores only the encrypted version on their servers so that’s not an issue either

[–] GolfNovemberUniform@lemmy.ml 6 points 7 months ago (2 children)

I write them on paper just because I'm very old school.

[–] Showroom7561@lemmy.ca 4 points 7 months ago (1 children)

My wife does the same, and I can't tell you how many times a day I have to help her reset passwords, figure out if something is an "1", "i", "l", or "|", or decide what needed to be capitalized.

Even though I have Bitwarden installed for her, she just "prefers" paper like some people prefer to stub their toes.

[–] GolfNovemberUniform@lemmy.ml 2 points 7 months ago

You should try to teach her how to be more careful and clear when writing passwords. It can be hard if she's living in constant rush but it's a very useful skill. And btw I just always underline capital letters. Always works

[–] OutlierBlue@lemmy.ca 2 points 7 months ago (2 children)

Do you stick them under your keyboard, or to the edge of your monitor?

[–] jaykay@lemmy.zip 2 points 7 months ago

Important ones under the keyboard, passwords 101

[–] GolfNovemberUniform@lemmy.ml 1 points 7 months ago

Nope, I try to store all of them in one physical file

[–] Jennykichu@lemmy.dbzer0.com 6 points 7 months ago (1 children)

Bitwarden. I would like to self host it one day (and keep that backed up) once I learn more about all that junk

[–] jjlinux@lemmy.ml 5 points 7 months ago (1 children)

Vaultwarden is super easy to set up anywhere (NAS, computer, Pi, etc). It's as simple as firing a docker yaml, and you're set.

[–] Jennykichu@lemmy.dbzer0.com 6 points 7 months ago (2 children)

I know what these words mean:

computer

These are the words I need to learn more about:

NAS pi firing docker yaml

[–] jjlinux@lemmy.ml 2 points 7 months ago

We've all been there at some point.

For when you do learn the definition of those terms:

https://noted.lol/vaultwarden/

[–] Rai@lemmy.dbzer0.com 1 points 7 months ago

I have a Pi (raspberry pi computer) set up as a NAS (network attached storage) and I have zero clue what a yaml is or how Docker works.

[–] JakenVeina@lemm.ee 5 points 7 months ago

KeePass on my phone and desktop, with the master file sync'd automatically to the server in my basement.

[–] tiny@midwest.social 5 points 7 months ago (1 children)

Bitwarden keeps a local copy of the data that can be exported if something ever happened to bitwarden. If you want to keep an encrypted backup you can export the CSV and store it on an encrypted drive as a backup but no big worry about syncing it to all devices

[–] skilltheamps@feddit.de 4 points 7 months ago* (last edited 7 months ago)

This is the correct answer, every device you use a bitwarden-client regularly on automatically becomes a backup

[–] Imprint9816@lemmy.dbzer0.com 5 points 7 months ago* (last edited 7 months ago)

Bitwarden has an import tool. You should be able to convert your spreadsheet into the format they like and import relatively easily.

For backups, you can create encrypted backups through bitwarden. So it shouldn't matter if syncing itself is a secure process as what you're syncing is already encrypted.

[–] joeldebruijn@lemmy.ml 4 points 7 months ago* (last edited 7 months ago)

I prefer another tactic if I may share:

  • Database in production: let Bitwarden clients sync the native way Bitwarden offers.
  • Database in backup: let a dedicated backup service keep your database safe.

I don't know if this could be done automatically (just backup the production database) or if this has to be done by export (by hand once in a while).

Doesn't matter from which device the backup originates because the native sync will keep them all the same usually in seconds.

[–] ILikeBoobies@lemmy.ca 3 points 7 months ago

Reset every time I need to log in

[–] pol5xc@lemmy.ml 2 points 7 months ago

Pass on Linux with a private git repo with search extensions for gnome and Firefox, and android password store on my phone.

[–] catloaf@lemm.ee 2 points 7 months ago

I have encryption enabled on my devices. If they get stolen, a casual thief isn't going to be able to break it. At most they'll wipe it, but they'll probably just fence it as-is or for parts.

[–] kevincox@lemmy.ml 1 points 7 months ago

I mostly just use Firefox Sync. For critical passwords or non-web passwords and other small keys I store them in pass.

[–] Frederic@beehaw.org 1 points 7 months ago
[–] ChallengeApathy@infosec.pub 1 points 7 months ago (2 children)

Proton Pass. If you're comfortable with cloud E2EE managers, it's far more worth it than Bitwarden, since you get unlimited email aliases. Better for privacy and even security. Plus, I trust Proton, they have a phenomenal track record in terms of security and encryption.

[–] Manalith@midwest.social 1 points 7 months ago (2 children)

I was using Bitwarden up until I moved my email service to Proton. Now, I just use all their things, but I didn't have any issues with Bitwarden personal. I do have some issues with their organization accounts though.
