• solsangraal@lemmy.zip
        link
        fedilink
        English
        arrow-up
        6
        ·
        13 days ago

        so the “no longer open source” means they’ll be moving to a saas model or something? i’m not super cybersecurity savvy but bitwarden is what i use

        • winterayars@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          73
          ·
          13 days ago

          No, technically they already are SaaS company. That’s mostly how they make their money.

          Also it should be noted “no longer open source” doesn’t mean they’ve done a “our code is now closed and all your passwords are ours” rug pull like some other corporations. This is a technical concern with the license and it no longer meets proper FOSS standards (in other words, it has a restriction on it now that you wouldn’t see in, for example, the GPL).

          So by and large the change is very minimal, the code is still available, it’s still the best option. However, this does matter. It may be a sign of the company changing directions. It’s something they should get pushback about.

          • dustyData@lemmy.world
            link
            fedilink
            English
            arrow-up
            11
            arrow-down
            1
            ·
            edit-2
            13 days ago

            The SDK was never FOSS, and was never under the GPL. Hence why they can add the text mentioned in the article. You don’t get to change the text of a FOSS license to begin with. It isn’t unheard of for text like this to be part of proprietary software that integrates with and uses FOSS that are under different licenses.

            That said, this is concerning, but whether it changes BW’s FOSS state is a matter of legal bickering that has been going on for decades.

            • KairuByte@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              9
              ·
              13 days ago

              You can’t retroactively change FOSS licensing, but oft times you can alter the licensing moving forward. Not always the case, of course. But in no way are all FOSS licenses set in stone.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            12 days ago

            From the update, it looks like they consider it a bug, which they’re working to resolve. Let’s see how they resolve it before jumping to conclusions.

      • ilmagico@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        arrow-down
        1
        ·
        13 days ago

        +1 For KeePassXC and the KeePass ecosystem. Yes, you need to sync the database yourself, but you can use any file sharing service you like, e.g. google drive, dropbox… or selfhost something like nextcloud (like I do), which for me is actually a point in its favor.

        Based on this news, I think I made the right choice back then when I decided to go with KeePass.

        • kill_dash_nine@lemm.ee
          link
          fedilink
          English
          arrow-up
          7
          ·
          13 days ago

          As someone who used to use KeePass, went to LastPass, and then Bitwarden (Vaultwarden), I finally got my non-tech literate wife to use Bitwarden. I’m concerned that KeePass might end up being more difficult if it comes down to it. I believe that KeePass had some sort of browser integration but it really has been a long time since I used it so who knows the current state. Curious how browser integration is today.

          • GHiLA@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            12 days ago

            The big issue isn’t using it, it’s syncing it.

            User A used KeePass to order pizza and changed the Papa John’s(heaven forbid) password while they were at it, on their desktop.

            syncing: “oh! This file changed! Neat!”

            User B picks up their phone and wants to order Papa John’s at work. They try, but the password isn’t right. Huh. They check KeePass. No issues. They go to change the password because they think something is wrong.

            (All the while, they never thought to see if syncthing had been woken up in the background lately)

            They change the password, update KeePass,

            syncthing opens later, goes: "Oh, hi, User B’s phone! I have a ne- Oh! You have a new password file too!!? Small world! I’ll take both!

            Now there’s two files, two users who think they both made corrections to a password, syncthing thinking nothing is wrong, and someone has to now merge the newer KeePass file over the old ones by hand and realize what happened, but the bigger problem is, no one knows anything is wrong yet and it doesn’t even take two users. This can just be you ordering on your phone after modifying on your desktop.

            well, it’s just pizza.

            As an example. Imagine an insurance app, or a banking app, or the DMV… And you won’t know for months down the line. It gets old.

            • kill_dash_nine@lemm.ee
              link
              fedilink
              English
              arrow-up
              2
              ·
              12 days ago

              Ah yeah, the fun of how that works. I recall that I had previously set up WebDAV to try to simplify my source of truth but I think that was just with the original KeePass app, not KeePassXC. I also wasn’t trying to share passwords among multiple people but I do recall having issues when I was using Dropbox to sync to my phone since I would have to actually make sure Dropbox had updated the copy of the file which required me opening the app at the time.

            • ilmagico@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              12 days ago

              I use KeePassXC on desktop and Keepass2Android on, well, android, and sync via nextcloud. They all seem to handle syncing correctly, merging changes made on one side, or showing a notification about a conflict, and KeePassXC can definitely merge the two “conflicted copies” together reliably with a couple of clicks (yes, a no-click solution would be better, I know, but it’s not “manual”). Keepass2Android integrates directly with nextcloud and seems to handle it fine.

              The situation can definitely be improved but it’s not so bad for me. Also, two different people should probably use two different database files and not share passwords ;)

              Not sure how syncthing handles conflicts, it’s been many years since I tried it.

          • ilmagico@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            12 days ago

            I use KeePassXC’s browser integration daily and it works pretty well with Firefox (linux), well enough that I’m not complaining, but I cannot compare it with Bitwarden cause I never used it. On Android I use Keepass2Android and works well with autofill, but again, I can’t really compare it.

            Something tells me Bitwarden works better, just by virtue of being a commercially supported product, but I have no complaints with KeePassXC & Keepass2Android (KeePassDX works well on android too). Original KeePass desktop client was never great though.

    • oaklandnative@lemmy.world
      link
      fedilink
      English
      arrow-up
      24
      ·
      13 days ago

      Proton Pass is open source and the company that runs it recently reincorporated as a Swiss non-profit to ensure their privacy mission can’t be bought out by venture capitalists etc.

      https://www.reddit.com/r/ProtonPass/comments/153t85q/proton_pass_is_open_source_and_has_now_passed_an/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

      https://proton.me/blog/proton-non-profit-foundation

    • ChillPill@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      2
      ·
      13 days ago

      Keepass? No cross device support, you need to manage that yourself through something like Google Drive…

      • ilmagico@lemmy.world
        link
        fedilink
        English
        arrow-up
        21
        arrow-down
        4
        ·
        13 days ago

        What do you mean “no cross device support”? KeePassXC supports Win, Mac, Linux and there are iOS and Android apps available…

        As for the lack of cloud and requirement to provide your own synchronization, for some (like me) that’s a feature, not a limitation :)

        • hedgehog@ttrpg.network
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          13 days ago

          Do any of the iOS or Android apps support passkeys? I looked into this a couple days ago and didn’t find any that did. (KeePassXC does.)

          • ilmagico@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            13 days ago

            I don’t use passkeys so I don’t know. Maybe I should research into passkeys, what’s the benefit over plain old (long, randomly generated) passwords?

            • jqubed@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              ·
              13 days ago

              I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.

            • ilmagico@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              5
              ·
              edit-2
              13 days ago

              Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, …) to authenticate you, so, yeah, I’m not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.

              I’ll stick to old-fashioned, long, secure, randomly generated passwords, thanks.

              • deejay4am@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                ·
                13 days ago

                Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.

                This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.

                Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.

                • ilmagico@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  2
                  ·
                  13 days ago

                  I see, that makes sense and should be more secure, in theory. Thanks for the explanation.

                  The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it’s different, but that’s not my only OS).

                  Also if the private key does get compromised (e.g. local malware steals it), hopefully there’s an easy way to revoke it.

                  • hedgehog@ttrpg.network
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    12 days ago

                    Your Passkeys have to be stored in something, but you don’t have to store them all in the same thing.

                    If you store them with Microsoft’s Windows Hello, Apple Keychain, or Google Password Manager, all of which are closed source, then you have to trust MS/Apple/Google. However, Keychain is end to end encrypted (according to Apple) and Windows Hello is currently not synced to the cloud, so if you trust those claims, you don’t need to trust that they won’t misuse your data. I don’t know if Google’s offering is end to end encrypted, but I wouldn’t trust it either way.

                    You can also store Passkeys in a password manager. Bitwarden is open source (though they did recently introduce a proprietary, source available SDK), as is KeepassXC. 1Password isn’t open source but can store Passkeys as well.

                    And finally, you can store Passkeys in a compatible security key, like the YubiKey 5 series keys, which can each store 100 Passkeys. This makes them basically immune to being stolen. Note that if your primary interest in Passkeys is in the phishing resistance (basically nearly perfect immunity to MitM attacks) then you can get that same benefit by using WebAuthn as a second factor. However, my experience has been that Passkey support is broader.

                    Revoking keys involves logging into the particular service and revoking them, just like changing your password. There isn’t a centralized way to do it as far as I’m aware. Each Passkey is only used for a single service, after all. However, in the same way that some password managers will offer to automatically change your passwords, they might develop a similar for passkeys.

              • ilmagico@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                12 days ago

                I was finally able to find some technical detail on passkeys on FIDO website, and yeah, it actually looks like it’s a real improvement over passwords: it’s simple, uses proven technology (public/private keys), and should be much more secure than passwords.

                Also, nothing in the “specs” says I need to entrust my private key with the OS or a third party, which is good.

                That said, it seems some OS support is required nonetheless, to show the pin / biometrics prompt (or is it?), and on android at least, I’d need to buy a new device with Android 14 to use a non-Google passkey provider…

      • solsangraal@lemmy.zip
        link
        fedilink
        English
        arrow-up
        6
        ·
        13 days ago

        lol that’s what i used before i switched to bitwarden-- didn’t have any complaints, but the database key file thing was kind of a pain