 i never heard of librewolf... trying it out, first thing, it takes forever to start because it wants gnome authentication, second thing it doesn't integrate with keepassxc and no way i'm keeping my passwords offsite with bitwarden.

happy to hear better advice, i need to get to my morning swim. 
 after some more research and poking around, yeah, i don't see any credible password manager support for librewolf. brave is still the best though you gotta manually disable a lot of craptoware. 
 Bitwarden works fine in Librewolf. 
 bitwarden is third party, offsite cached. or did I misunderstand the "sign up" page it threw up when I went to start using it? 
 you can self-host extremely easily 
 they don't make that very clear in the website. 
 if you have a yunohost it's literally like 3 clicks

otherwise they have very detailed guides
available
even for airgapped machines

bitwarden is good yo
 https://bitwarden.com/help/install-on-premise-linux/
 
 cool, i'll look into how to do that soon, maybe drop a note about what i learned and set up. tis friday night, i'm chillin with system tweakage and music collection massage. 
 their guides make assumptions about wanting multiple devices to connect to it, and complex server setups.

what if i just want to have one device with one browser????

i'm sticking with keepassxc for now, it's working great. librewolf doesn't play nice with it so i'm not moving off brave any time soon. 
 sure then it's overkill

lot of us have multiple devices for different threat models
having one password manager that automatically syncs between all of them is pretty useful

it takes 20 minutes to set up on a VPS.
in that case, you win out over brain drain vs keepass because you don't have to manually sync database files

even still, for most folks
trusting bitwarden with your encrypted passwords isn't a big deal 
 i'm not a diversification cuckoo, i am a hawk, i keep my eggs in one nest and i watch it real close, and put it where it's hard to get at.
 one of the rules of signals intelligence is you don't send out a message unless you want to risk it being decoded. bitwarden breaks that rule. even brave sync breaks it on the metadata side. if my devices were ONLY locating each other and not sharing any other information that would be ok for me, but then how is that any different from me managing my own backups and using the fattest pipe I can - 10gbit USB-C cable. 
 just to be clear, i only need one backup, which is my primary and only pc system volume. there is only one keepassxc database, with only one password, and all of that is securely duplicated onto my backup.

the more links in a chain the more chances one of them can be easily broken.

i write software designed to operate as independent systems interacting with each other, and every time two things are doing the same type of job at the same time, we have a problem that will eventually blow out into a huge hassle.

when i need to do a wipedown, i can get it done and everything gone in under an hour. good luck chasing all your stray bits and pieces when you gotta move fast. 
 OK

someone breaking AES-256 encryption is not in my threat model.
and i also can and do have a secure offline backup that can be restored anytime. it doesn't require chasing down stray bits.

but it's a difference in design philosophy and I respect your approach. 
 i'm not so stupid as to think that AES-256, which isn't even a protocol actually, it's a collection of them, and the difference that matters, can be broken.

it's always side channels and handshakes and this sort of thing.

i don't know how my brave sync got breached but a device appeared on the list that i definitely did not put there. so i presume it was the browser itself that was penetrated, and specifically the access to the memory where that key is stored.

i think you are way too trusting, and let's just leave it at that.

anyone who pins their security on a web browser is on the road to trouble. 
 there is no simple self hosted server setup script in the AUR and this is the desktop app's first screen. nor is there any simple guide to using this like it was just a simple app like keepassxc.

idk why y'all are so in love with it, it's not made for anyone who's spending more time building than setting up servers on VPSs. cognitive load is expensive when your use of your brain has much higher value elsewhere.

third party hosting. no thanks.
https://image.nostr.build/0d2fba32fe15d9875c9ea843282418cad436d2d447a410e29ef0a6196acf6095.jpg