53 comments

[ 3.6 ms ] story [ 116 ms ] thread
Didn't even know there was such an application. On Linux I use the browser plugin and occasionally the webbased interface.
Title should be corrected to Linux, it's happening in multiple distros according to that thread.
Probably hardware acceleration in the chrome application host. I've seen this behavior in SyncTrayzor (syncthing client) recently.
I've been developing my own TUI Bitwarden client recently: https://github.com/luryus/wden

I need passwords outside of the browser quite frequently (when SSHing to servers and so on), and the official Electron app just feels clunky and heavy to use and keep running constantly in the background. So creating a small and lightweight client optimized for my own usage patterns has been really useful. It may be useful for others, too, while the official client is broken.

There's an official CLI though isn't there?
Yes, but it is quite uncomfortable to use, requiring you to get a session key and storing it somewhere. Instead, I've had good experiences with [rbw]. Maybe that would also be interesting for GP.

I've used to rbw for a rofi (and rofi-like frontend): https://github.com/fdw/rofi-rbw/

[rbw]: https://github.com/doy/rbw/

You can detach the browser addon into its own window too, I would be too cautious using any third party clients like that.
I used Bitwarden until the time I was locked out of my LOCAL vault because of something goofy on the Bitwarden side.

I'm on enPass now.

Genuinely curious here: why not keypass?
This is an odd question, bc it seems to assume my road to enpass would have to go through an evaluation of keypass.
It's just that keypass seems to me more reknown (I had never heard of Enpass before), so I would have assumed one would have compared both before choosing one or the other. I was then wondering what were the benefits of Enpass over Keypass. Not that I have any preference or bias: I know keypass and wondered how it compared to a similar solution.
Just to make you happy, I looked up Keypass.

It doesn't support the platforms I use, so it's a nonstarter.

Yeah lol, I used Linux until the time I was locked out of my LOCAL PC because of something goofy on a Linux update side. I'm on Windows now. You get the point !?
It seems like you're trying (and failing) to suggest that my reaction was akin to becoming frustrated with linux and returning to Windows.

This is a silly thing to assert. There are lots of password managers, but there's no good reason for a locally-run one to lock me out because the software vendor fucked something up.

Mine did this within the past month but it worked again after I installed updates (openSUSE Tumbleweed in case anyone wondered)
Whatever one of these password managers you may use, always remember to regularly export to the cleartext. Keep a 50 megabyte encrypted container around for it. Mount, export, unmount. Whenever you remember to do it, at least every couple of months. Even if it's not always up to date at least you won't be locked out of everything when these situations happen.
Why not use some better and entirely open solution, like pass?

https://www.passwordstore.org/

As a user of pass for like 4 years, I enjoy reading all those silly threads on password managers doing this and that. Fantastic. And it’s not even an upgrade to use the GUI app here, I can take any often used password of mine with pure Ctrl + R in my terminal, just a second and it’s here, with no need to do extra backups, all the history is in git, and no party will ever change anything about my passwords.

Nearly all of my need for passwords is web-related. Autofill is incredibly convenient and also an anti-phishing measure, because it won't autofill fake sites, which would give me time to notice something was up.

There doesn't seem to be major super popular audited autofill stuff, seems like the ecosystem is mostly smaller projects and the main focus is on the CLI.

The remainder of the times I need passwords are mostly on mobile.

1. There are plugins and web clients: https://www.passwordstore.org/#extensions

2. Of course pass has mobile version, and to my liking it looks and works much better than 1Password that I migrated from. (And to my liking as well Bitwarden looks much worse, if we would ever happen to talk about looks in a password manager, lol. Of course that is highly subjective.)

3. I have shared stored with my work mates. That is different hit repositories that has those text files encrypted with more than one gpg key, and it works so incredibly well. And is free, forever. We manage that with gopass (a fork written in Go), as it’s easier to work with for not-so-techies.

For Android the mobile app seems to be last updated in 2021 and not compatible with the latest Android version. I would switch to pass immediately if they had both a well maintained and audited browser extension and mobile app.
I won’t argue on the mobile Android, as I don’t have the latest and greatest Android, but the app is quite good on Android. My iPhone is fine with latest version, though.

I never use web app, so cannot comment on that.

> Why not use some better and entirely open solution, like pass?

Bitwarden is entirely open source?! https://github.com/bitwarden/

You aren't even locked in to using them as the data store.

Pass is just text files encrypted with gpg. I needed just one password on one work computer, where I had my gpg key, but not all my passwords. Decrypted the file and that was it.

Honestly, I cannot get the longing to store your passwords with some company that claims it would be free and open source forever. What is free and open source by the way? Their client? What about their server they store your password? (I assume you can sync that to their server, I’m not their customer.)

The server is open source too and there's even two separate implementations of it. The official one and a community one named Vaultwarden. Bitwarden is fully open source and you can very easily selfhost it.
> What is free and open source by the way? Their client? What about their server they store your password? (I assume you can sync that to their server, I’m not their customer.)

You didn't even bother to click the link and educate yourself did you? The server, client and mobile app are all open source. You can even store the encrypted DB yourself on your own server.

I hear you, and you're not wrong, but there's no way I can get regular users to do that.
And what about KeepassXC?
Ugly. For a non-nerd average person.

I quite like it when I interacted with it, but personally I prefer pass as way simpler and more elegant solution.

There is keepassxc-cli for nerds like you ;)
Won’t argue with regular users.

Although, I don’t see why I would self-host BitWarden for my family, when their needs are 10 passwords for social media and bank apps. It all stored in their default iPhone (or Android) password managers and I just have the duplicate of sensitive (usually bank) info in my pass vault as well. That works for me very well, as if I would ever need to migrate my mom, aunt, wife or anyone else, I can easily copy those 10 passwords manually. And its zero maintenance system for me.

Look how far we have come...we use a encrypted container to protect a text-file, let's talk about software bloat. What about "gpg --encrypt"?
Great solution if didn’t use a smartphone.
GPG was suggested as an alternative to:

> Keep a 50 megabyte encrypted container around for it. Mount, export, unmount

Which of the options do you think would be easier to work with on your smartphone? The are many PGP implementations for smartphones in the case you have to recover. Just move the file.

People who only use smartphones are just screwed anyway.
Insert infamous HN comment on how Dropbox will never succeed because you can do the same with git and a linux shared folder.
What is easier to use? A container or a single command?

What is faster to setup? A container or your already installed command?

What is easier to move and more portable? Your container or a pgp encrypted file?

Do you move your encrypted file into Dropbox or your encrypted container? ;)

When the single command is gpg, I’m not so sure…
The container is easier. Veracrypt container DOS formatted is easier and more portable than GPG.
Look you have to be more precise everyone was thinking you're talking about Docker/Podman.

>>and more portable than GPG.

LLM's have hallucination too ;)

Haha, I didn't even think of that
Most of these managers have a keepass export option. Best option
Great tip! Thanks. Crazy that I put at least some thought in my backups and other security and stepped over this one.
(comment deleted)
A whole browser shipped only just to display a freaking list of passwords..
I've been using it only in browsers (Firefox mostly) for so long that I had forgotten it had a client other than mobile.
Yet another example of why Electron sucks. Is it really that hard to make a native client, especially these days when we have so many cross-platform development frameworks?