484

Concerns Raised Over Bitwarden Moving Further Away From Open-Source (www.phoronix.com)

submitted 15 hours ago by AsudoxDev@programming.dev to c/technology@lemmy.world

103 comments fedilink hide all child comments

(page 2) 50 comments

sorted by: hot top controversial new old

[-] DudeImMacGyver@sh.itjust.works 10 points 11 hours ago

sigh

[-] telescopius@lemm.ee 22 points 14 hours ago

This is disheartening.

[-] solsangraal@lemmy.zip 16 points 15 hours ago

so what's the best pw manager?

[-] winterayars@sh.itjust.works 69 points 15 hours ago

Honestly, it's Bitwarden right now. This move signals their intent to change that, though.

[-] solsangraal@lemmy.zip 6 points 15 hours ago

so the "no longer open source" means they'll be moving to a saas model or something? i'm not super cybersecurity savvy but bitwarden is what i use

[-] winterayars@sh.itjust.works 66 points 14 hours ago

No, technically they already are SaaS company. That's mostly how they make their money.

Also it should be noted "no longer open source" doesn't mean they've done a "our code is now closed and all your passwords are ours" rug pull like some other corporations. This is a technical concern with the license and it no longer meets proper FOSS standards (in other words, it has a restriction on it now that you wouldn't see in, for example, the GPL).

So by and large the change is very minimal, the code is still available, it's still the best option. However, this does matter. It may be a sign of the company changing directions. It's something they should get pushback about.

[-] dustyData@lemmy.world 9 points 12 hours ago* (last edited 12 hours ago)

The SDK was never FOSS, and was never under the GPL. Hence why they can add the text mentioned in the article. You don't get to change the text of a FOSS license to begin with. It isn't unheard of for text like this to be part of proprietary software that integrates with and uses FOSS that are under different licenses.

That said, this is concerning, but whether it changes BW's FOSS state is a matter of legal bickering that has been going on for decades.

load more comments (1 replies)

load more comments (3 replies)

[-] anamethatisnt@lemmy.world 30 points 14 hours ago

Vaultwarden is a nice self hosted bitwarden alternative
https://github.com/dani-garcia/vaultwarden

Some prefer using KeepassXC and sync the database between devices
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html

[-] ilmagico@lemmy.world 23 points 14 hours ago

+1 For KeePassXC and the KeePass ecosystem. Yes, you need to sync the database yourself, but you can use any file sharing service you like, e.g. google drive, dropbox... or selfhost something like nextcloud (like I do), which for me is actually a point in its favor.

Based on this news, I think I made the right choice back then when I decided to go with KeePass.

load more comments (1 replies)

[-] winterayars@sh.itjust.works 22 points 14 hours ago

Vaultwarden is Bitwarden--at least for now, this change may push them apart.

[-] ChillPill@lemmy.world 9 points 15 hours ago

Keepass? No cross device support, you need to manage that yourself through something like Google Drive...

[-] ilmagico@lemmy.world 15 points 14 hours ago

What do you mean "no cross device support"? KeePassXC supports Win, Mac, Linux and there are iOS and Android apps available...

As for the lack of cloud and requirement to provide your own synchronization, for some (like me) that's a feature, not a limitation :)

[-] hedgehog@ttrpg.network 8 points 14 hours ago

Do any of the iOS or Android apps support passkeys? I looked into this a couple days ago and didn’t find any that did. (KeePassXC does.)

[-] ilmagico@lemmy.world 4 points 14 hours ago* (last edited 14 hours ago)

From a quick search, Keepass2Android doesn't have it, not clear if they're working on it: https://github.com/PhilippC/keepass2android/issues/2099

KeePassDX similarly has an open issue, not clear when/if it will be implemented: https://github.com/Kunzisoft/KeePassDX/issues/1421

Good to know about Strongbox on iOS, though I'm on android so no bueno for me.

[-] ilmagico@lemmy.world 2 points 14 hours ago* (last edited 14 hours ago)

I don't use passkeys so I don't know. Maybe I should research into passkeys, what's the benefit over plain old (long, randomly generated) passwords?

[-] jqubed@lemmy.world 5 points 13 hours ago

I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.

[-] ilmagico@lemmy.world -1 points 13 hours ago* (last edited 13 hours ago)

Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, ...) to authenticate you, so, yeah, I'm not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.

I'll stick to old-fashioned, long, secure, randomly generated passwords, thanks.

[-] 4am@lemmy.world 3 points 12 hours ago

Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.

This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.

Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.

[-] ilmagico@lemmy.world -1 points 11 hours ago

I see, that makes sense and should be more secure, in theory. Thanks for the explanation.

The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it's different, but that's not my only OS).

Also if the private key does get compromised (e.g. local malware steals it), hopefully there's an easy way to revoke it.

[-] anamethatisnt@lemmy.world 2 points 14 hours ago

Keepass2Android doesn't have it yet, but seems to be working on it
https://github.com/PhilippC/keepass2android/issues/2099

Strongbox seem to have their implementation done for iPhone
https://strongboxsafe.com/updates/passkeys/

[-] solsangraal@lemmy.zip 6 points 15 hours ago

lol that's what i used before i switched to bitwarden-- didn't have any complaints, but the database key file thing was kind of a pain

[-] Marthirial@lemmy.world 1 points 11 hours ago

Agh, gross.

load more comments (1 replies)

[-] DarkThoughts@fedia.io 3 points 11 hours ago

Sooo, where's ProtonPass at? They're open source and non-profit, right?

[-] AsudoxDev@programming.dev 8 points 11 hours ago

The server is not open source and I wouldn't trust a business that is not just working on password managers.

load more comments (5 replies)

load more comments

this post was submitted on 20 Oct 2024

484 points (98.8% liked)

Technology

58792 readers

2818 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS