Thats really disappointing. At least the selfhosted version means it would have to be a heavily targeted attack.
Comment on You probably can't trust your password manager if it's compromised
chocrates@piefed.world 17 hours ago
Bitwarden. Shit.
eodur@piefed.social 16 hours ago
Bazoogle@lemmy.world 2 hours ago
I don’t think it should be disappointing. Bitwarden welcomes third party security testing, especially given it is open source. The tests done were just tests, and the issues were already fixed.
eodur@piefed.social 2 hours ago
Yeah, after seeing their response I’m quite satisfied. They’re one of the good guys and I hope it stays that way.
cannedtuna@lemmy.world 17 hours ago
Which in turn is based off of KeePass, right? So double shit?
deceiver@infosec.pub 16 hours ago
no, Bitwarden isn’t “based off” anything
cannedtuna@lemmy.world 11 hours ago
Oh my mistake. Not sure why I thought that.
COASTER1921@lemmy.ml 16 hours ago
These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I’d still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.
Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.
Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you’re not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.
philpo@feddit.org 8 hours ago
Just adding: Passkeys do migitate a lot of these issues as well.
chocrates@piefed.world 16 hours ago
I don’t have the self hosting maturity to share my db across my devices yet. I need to get on that.
W98BSoD@lemmy.dbzer0.com 13 hours ago
If it’s critical, don’t self host it. It’s not worth it.
I know people will argue; I just need something that works and that I don’t have to worry about patching.
AbidanYre@lemmy.world 15 hours ago
With vault/bitwarden the client handles that sharing for you.
philpo@feddit.org 8 hours ago
Personal recommendation: Start with a selfhosting support software like Casa, Yuno or (my recommendation) Cloudron. Start hosting the app there with frequent backups and occasionally export into regular Bitwarden as a failsafe.
And when you are comfortable switch over to properly self hosted Vaultwarden.