bitwarden is third party, offsite cached. or did I misunderstand the "sign up" page it threw up when I went to start using it?
you can self-host extremely easily
they don't make that very clear on the website.
if you have a yunohost it's literally like 3 clicks. otherwise they have very detailed guides available, even for airgapped machines. bitwarden is good yo https://bitwarden.com/help/install-on-premise-linux/
their guides make assumptions about wanting multiple devices to connect to it, and complex server setups. what if i just want to have one device with one browser???? i'm sticking with keepassxc for now, it's working great. librewolf doesn't play nice with it so i'm not moving off brave any time soon.
sure, then it's overkill. a lot of us have multiple devices for different threat models. having one password manager that automatically syncs between all of them is pretty useful. it takes 20 minutes to set up on a VPS. in that case, you win out over brain drain vs keepass because you don't have to manually sync database files. even still, for most folks trusting bitwarden with your encrypted passwords isn't a big deal
i'm not a diversification cuckoo, i am a hawk, i keep my eggs in one nest and i watch it real close, and put it where it's hard to get at. one of the rules of signals intelligence is you don't send out a message unless you want to risk it being decoded. bitwarden breaks that rule. even brave sync breaks it on the metadata side. if my devices were ONLY locating each other and not sharing any other information that would be ok for me, but then how is that any different from me managing my own backups and using the fattest pipe I can - 10gbit USB-C cable.
just to be clear, i only need one backup, which is my primary and only pc system volume. there is only one keepassxc database, with only one password, and all of that is securely duplicated onto my backup. the more links in a chain the more chances one of them can be easily broken. i write software designed to operate as independent systems interacting with each other, and every time two things are doing the same type of job at the same time, we have a problem that will eventually blow out into a huge hassle. when i need to do a wipedown, i can get it done and everything gone in under an hour. good luck chasing all your stray bits and pieces when you gotta move fast.
OK, someone breaking AES-256 encryption is not in my threat model. and i also can and do have a secure offline backup that can be restored anytime. it doesn't require chasing down stray bits. but it's a difference in design philosophy and I respect your approach.
i'm not so stupid as to think that AES-256, which isn't even a protocol actually, it's a collection of them, and the difference that matters, can be broken. it's always side channels and handshakes and this sort of thing. i don't know how my brave sync got breached but a device appeared on the list that i definitely did not put there. so i presume the browser itself was penetrated, and specifically the access to the memory where that key is stored. i think you are way too trusting, and let's just leave it at that. anyone who pins their security on a web browser is on the road to trouble.
there is no simple self hosted server setup script in the AUR and this is the desktop app's first screen. nor is there any simple guide to using this like it was just a simple app like keepassxc. idk why y'all are so in love with it, it's not made for anyone who's spending more time building than setting up servers on VPSs. cognitive load is expensive when your use of your brain has much higher value elsewhere. third party hosting. no thanks. https://image.nostr.build/0d2fba32fe15d9875c9ea843282418cad436d2d447a410e29ef0a6196acf6095.jpg