Well, I know Bitwarden is pretty demanding and also not so straightforward to do self-hosting.
But we have Vaultwarden which is ridiculously easy to deploy and also very lightweight while being immensely popular; has never had any major security incidents so far - and it has thousands of eyes on it for every single commit.
I've been hosting this for three years now and I have never had a single problem with it. always worked with my Bitwarden clients on all of my devices. So if you would like to, try Vaultwarden.
Ahahahah, I am enjoying the little turn-off-your-Javascript warning that comes back when you click on a link in a new tab from the page to something linked in the article.
My tab's title: "Ask HN: How could I safely contact drug cartels?"
I'm a free Bitwarden user, I don't plan to self-host stuff, and... honestly I have no idea what this person is going on about.
And "Aside from the aforementioned technical details, Bitwarden is (and has always been) one of the subjectively worst applications on my phones and my desktop in terms of user interface. "
I don't self host Bitwarden so 90% of this doesn't really apply.
I did however want to comment on the tab changing it's favicon and title everytime you change to another tab. Quite a cool "advertising" method for what javascript can do.
Password management involving a 3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse -- even taking into account "the lazy user" or whatever.
I know we're past that in a lot of places for a lot of people, but nope, my dad and his printed out sheet of password next to his desk is still beating every company out there.
Bitwarden have in my opinion is one of the BEST business models a user can ask for.
It's open-source, and I can self-host (100% free) and the free version is really, really good too, and then a premium version is $20/year which is very reasonably priced.
Also for cloud hosted password manager, you're always going to have attacks no matter what, but at least they are transparent about it .. (unlike say LastPass, Norton LifeLock, Keeper and possibly others).
For self-hosting it might be better security, solely because no one cares to attack it, but it's not going to be more secure form engineering best practices POV (but again I might be wrong .. I'm not a security engineer of any kind)
>And the free version is really, really good too, and then a premium version is $20/year which is very reasonably priced.
I've been paying a flat $10 since 2022. Today, I got an email saying my renewal price goes up to $20 plus tax, which totals $25. The loyal member 25% discount just eliminates the tax for me.
Given that all I've used it for is password and login storage and TOTP all these years, I don't find a 200% price increase to be reasonable. I've cancelled the premium, I can run my TOTP somewhere else.
Vaultwarden is a very lean implementation of Bitwarden but if you want to look into an alternative to the Bitwarden ecosystem, I recommend - AliasVault https://github.com/aliasvault/aliasvault - check it out!
I agree that there are some goofy UX things. I don’t care about self-hosting. And the author goes to great care to write about every issue; then admits all software has issues and Bitwarden has fixed their issues as they come up.
Overall their actionable advice that different types of credentials might need different software is good.
As a tangent, this site will overwrite its <title> and favicon if your browser changes tab to one of many random options, as well as showing an overlay highlighting the risk of keeping javascript enabled for once you're back.
I dug around and found them listed within the `kill.js` file[0]. It uses the visibilitychange[1] API and swaps it to one of the following:
Official Church of Scientology: Difficulties on the Job - Online Course
Ask HN: How could I safely contact drug cartels?
The internet used to be fun
am I boring - Google Search
what is punycode - Google Search
arguments for HN comment - Google Search
how to hack coworker's phone - Google Search
censorship on hacker news - Google Search
rust programming socks - Google Shopping
Adult entertainment clubs - Google Maps
Pick up lines suggestions - ChatGPT
Online debate argument suggestions - ChatGPT
The Flat Earth Society
Amazon.com: taylor swift merch
Amazon.com: waifu pillow
/adv/ - topple government - Advice - 4chan
r/wallstreetbets on Reddit
Infowars: There's a War on For Your Mind!
birds aren't real at DuckDuckGo
Lincoln MT Cabins For Sale - Zillow
The Anarchist Cookbook by William Powell | Goodreads
I switched to self-hosted Vaultwarden a couple of years ago because of all the bad choices of Mozilla (I was using Firefox Sync and wanted something else badly). Sadly, Bitwarden's browser clients are antiquated (they don't auto-generate and save passwords as I sign up, I kind of have to create them manually ahead of time, and if anything botches in the signup, e.g. a server-side password validation rule), I now have a password that won't work, I have to find the entry in the database and update it to something else... geez, if it would just automatically overwrite the password every time I submit with a new one.
Vaultwarden's great, but the inferior browser clients just don't make up for it.
I'm back on Firefox Sync until I find something that's technically sufficient.
There are not obvious solutions for all use cases, because some of those use cases implies sharing with others under different conditions (because they are role passwords, device/software passwords and other ways to be unique even if multiple people can use and update them), while others are personal (and may or not be used from different devices). Using the same password repository for all, specially if it depends on a single player the access of the repository or the client application could be risky. Having an open format for the database, if self hosted/replicated is something good to have
I agree with the suggestion of using keepass/keepassxc/etc for personal passwords and other solutions for sharing with different partners. It was a good experience in general to use pass (or some alternative UI, like gopass) to use gpg+git to securely share passwords in an environment where that was possible. But sometimes you have to adapt to what already is being used or is accepted by the other players, and not always that is the safest in your opinion, in those cases limit your exposition.
Nothing seems to draw out the ire more than pet peeves with your password manager. I still vividly recall the issue that made me leave 1Password in a huff to start using Bitwarden.
I don’t self-host, and I’m satisfied with the UX—it just does what it needs to.
One thing I’m not a fan of—-new features. Or the drive to add new features, without extraordinary care. I much rather use slow and boring for my password manager than deal with _woops, I did it again_ development.
You should keep regular backups of your BW vault as a plain JSON file. KeepassXC can now import BW vaults natively (passkeys included). If anything were to happen to Bitwarden you can migrate to KeepassXC as a stop-gap measure.
This is such a HN blog post it's almost funny. You wanted to selfhost and you can but it wasn't easy or particularly Linux friendly, so you got a Rust server from the community, but you wanted something officially supported, so they made a specifically lightweight self-hostable version but it's in a programming language you don't like. :( Those bastards!
23 comments
[ 4.2 ms ] story [ 56.5 ms ] threadBut we have Vaultwarden which is ridiculously easy to deploy and also very lightweight while being immensely popular; has never had any major security incidents so far - and it has thousands of eyes on it for every single commit.
I've been hosting this for three years now and I have never had a single problem with it. always worked with my Bitwarden clients on all of my devices. So if you would like to, try Vaultwarden.
My tab's title: "Ask HN: How could I safely contact drug cartels?"
And "Aside from the aforementioned technical details, Bitwarden is (and has always been) one of the subjectively worst applications on my phones and my desktop in terms of user interface. "
Really!!? How many apps has this person used?
I did however want to comment on the tab changing it's favicon and title everytime you change to another tab. Quite a cool "advertising" method for what javascript can do.
Password management involving a 3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse -- even taking into account "the lazy user" or whatever.
I know we're past that in a lot of places for a lot of people, but nope, my dad and his printed out sheet of password next to his desk is still beating every company out there.
Until your house gets flooded or burns down or you hire a really curious janitor.
[0] https://www.passwordstore.org/
It's open-source, and I can self-host (100% free) and the free version is really, really good too, and then a premium version is $20/year which is very reasonably priced.
Also for cloud hosted password manager, you're always going to have attacks no matter what, but at least they are transparent about it .. (unlike say LastPass, Norton LifeLock, Keeper and possibly others). For self-hosting it might be better security, solely because no one cares to attack it, but it's not going to be more secure form engineering best practices POV (but again I might be wrong .. I'm not a security engineer of any kind)
I've been paying a flat $10 since 2022. Today, I got an email saying my renewal price goes up to $20 plus tax, which totals $25. The loyal member 25% discount just eliminates the tax for me.
Given that all I've used it for is password and login storage and TOTP all these years, I don't find a 200% price increase to be reasonable. I've cancelled the premium, I can run my TOTP somewhere else.
Overall their actionable advice that different types of credentials might need different software is good.
The rest seems like ax grinding.
I dug around and found them listed within the `kill.js` file[0]. It uses the visibilitychange[1] API and swaps it to one of the following:
Official Church of Scientology: Difficulties on the Job - Online Course
Ask HN: How could I safely contact drug cartels?
The internet used to be fun
am I boring - Google Search
what is punycode - Google Search
arguments for HN comment - Google Search
how to hack coworker's phone - Google Search
censorship on hacker news - Google Search
rust programming socks - Google Shopping
Adult entertainment clubs - Google Maps
Pick up lines suggestions - ChatGPT
Online debate argument suggestions - ChatGPT
The Flat Earth Society
Amazon.com: taylor swift merch
Amazon.com: waifu pillow
/adv/ - topple government - Advice - 4chan
r/wallstreetbets on Reddit
Infowars: There's a War on For Your Mind!
birds aren't real at DuckDuckGo
Lincoln MT Cabins For Sale - Zillow
The Anarchist Cookbook by William Powell | Goodreads
Fifty Shades of Grey | Netflix
jeff bezos nudes - Google Image Search
zuckerberg nudes - Google Image Search
bigfoot nudes - Google Image Search
Rick Astley - Never Gonna Give You Up - YouTube
Pennsylvania Bigfoot Conference - Channel 5 - YouTube
Linus goes into a real girl's bedroom - Linus Tech Tips - YouTube
MrBeast en Español - YouTube
FTX Cryptocurrency Exchange
[0] https://xn--gckvb8fzb.com/js/kill.js [1] https://developer.mozilla.org/en-US/docs/Web/API/Document/vi...
If you switch away and then come back to the tab, they have a popover explaining all of this.
I just went and disabled JS for their silly site.
Vaultwarden's great, but the inferior browser clients just don't make up for it.
I'm back on Firefox Sync until I find something that's technically sufficient.
I agree with the suggestion of using keepass/keepassxc/etc for personal passwords and other solutions for sharing with different partners. It was a good experience in general to use pass (or some alternative UI, like gopass) to use gpg+git to securely share passwords in an environment where that was possible. But sometimes you have to adapt to what already is being used or is accepted by the other players, and not always that is the safest in your opinion, in those cases limit your exposition.
I don’t self-host, and I’m satisfied with the UX—it just does what it needs to.
One thing I’m not a fan of—-new features. Or the drive to add new features, without extraordinary care. I much rather use slow and boring for my password manager than deal with _woops, I did it again_ development.