Thats really disappointing. At least the selfhosted version means it would have to be a heavily targeted attack.
Comment on You probably can't trust your password manager if it's compromised
chocrates@piefed.world 2 weeks ago
Bitwarden. Shit.
eodur@piefed.social 2 weeks ago
Bazoogle@lemmy.world 2 weeks ago
I don’t think it should be disappointing. Bitwarden welcomes third party security testing, especially given it is open source. The tests done were just tests, and the issues were already fixed.
eodur@piefed.social 2 weeks ago
Yeah, after seeing their response I’m quite satisfied. They’re one of the good guys and I hope it stays that way.
cannedtuna@lemmy.world 2 weeks ago
Which in turn is based off of KeePass, right? So double shit?
deceiver@infosec.pub 2 weeks ago
no, Bitwarden isn’t “based off” anything
cannedtuna@lemmy.world 2 weeks ago
Oh my mistake. Not sure why I thought that.
COASTER1921@lemmy.ml 2 weeks ago
These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I’d still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.
Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.
Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you’re not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.
chocrates@piefed.world 2 weeks ago
I don’t have the self hosting maturity to share my db across my devices yet. I need to get on that.
W98BSoD@lemmy.dbzer0.com 2 weeks ago
If it’s critical, don’t self host it. It’s not worth it.
I know people will argue; I just need something that works and that I don’t have to worry about patching.
AbidanYre@lemmy.world 2 weeks ago
With vault/bitwarden the client handles that sharing for you.
philpo@feddit.org 2 weeks ago
Personal recommendation: Start with a selfhosting support software like Casa, Yuno or (my recommendation) Cloudron. Start hosting the app there with frequent backups and occasionally export into regular Bitwarden as a failsafe.
And when you are comfortable switch over to properly self hosted Vaultwarden.
philpo@feddit.org 2 weeks ago
Just adding: Passkeys do migitate a lot of these issues as well.
lobut@lemmy.ca 2 weeks ago
Yeah I use MFA on anything that matters.
It means my authenticator is just riddled with items but it is what it is.