Can Bitwarden Password Manager be added to Disroot?
As Bitwarden can be self-hosted. And it’s gaining popularity. A One Man Show - that’s what I have heard on reddits, blogs.
As of Today 1:43 AM (GMT+6) Wednesday, May 23, 2018
Behind the scenes with the Bitwarden password manager
Why I migrated from LastPass to Bitwarden?
BitWarden doesn’t care about security.
Can it happen?
A similar question was asked before; it was about a Nextcloud app called passman.
After long discussions between admins and with some of the disrooters on Matrix, we have decided against hosting a password manager.
The reasons are simple. We find this to be too much of a responsibility and pressure that we don't want to carry.
The security standpoint is one thing, and although passman does encrypt end to end, we have to be 100% sure there are no possible flaws in the code, exploits etc.
The other part is the fact that passman does not keep a copy of passwords locally on the device. So if for some reason data on our servers gets corrupted or is in any way inaccessible, we will be responsible for users losing important passwords in case they did not keep a backup (which is hard to do with passman).
This responsibility adds another level of pressure during extended downtime (i.e. system maintenance and updates). While the service is temporarily inaccessible, people will be unable to e.g. log in to your bank to pay bills or any other services your life depends on.
Of course you can still use our service to store passwords (whether plain text, KeePass or other), but that is your own decision, which also gives you the option to keep backups and most importantly isn’t a service we offer, promote or maintain.
I hope everyone understands our decision and can live with it.
Read more here: passman - password management with NextCloud
Indeed any password management system that relies on accessing a remote storage location or service in order to load your password database (encrypted or otherwise) is flawed: Firstly if you can’t reach the remote location for any reason, you are stuffed, secondly, if anything bad happens to that remote storage location, you are really stuffed!
An alternative solution is to use a more traditional password manager that creates a local encrypted database file which you can then sync between devices and locations. It’s encrypted so not really much of a risk unless you are like someone in Mr. Robot or whatever…
Personally I am using KeepassX* compatible apps and then sync the locally stored encrypted databases with a copy in a secure central location using Syncthing, but there are many ways to do this and probably easier to use than Syncthing! Perhaps the Nextcloud sync apps would work? https://nextcloud.com/install/#install-clients for this, IDK, I have not tried it.
As long as you make sure that the central password database is always updated with latest changes made in the manager apps you are gold.
There are numerous password managers out there: (incomplete list) https://en.wikipedia.org/wiki/List_of_password_managers
so take your pick, but remember, your passwords and data are only as secure as the machine you are using to access them with, so be sure you are set up as securely as you can be (not really a topic to detail here), and that relying on a remote web service to perform this task doesn’t seem like its best use of function for this specific purpose, but that’s not to say it is necessarily a bad or risky idea (even if it is!) but rather just not really necessary, and certainly not something I would want the responsibility of if I were the server admin!