Mailing List Archive

Moving from Lastpass to Bitwarden
Howdy,

Lastpass is forcing people to use only one device type or pay a fee. 
I've used the free version of Lastpass for years and it works well for
me.  I use it on my desktop and my cell phone too.  However, I don't
want to be limited to one device type and I also don't care much for
paying for the service either. After doing some searching, it seems
Bitwarden is pretty close to Lastpass.  Anyone here used both that can
tell me if there are any differences between the two, bad differences for
sure?  The new restrictions don't start for a while, March I think, so I
have time to switch.  According to search info, I can even export from
Lastpass and import to Bitwarden pretty easily. 

The only downside I've found so far is that Bitwarden isn't available
for Seamonkey.  Thing is, Lastpass hasn't updated the addon for
Seamonkey in 2 or 3 years either so I'm using an older legacy version
anyway.  I'm not sure how much of a downside that is but I won't be able
to use a password manager at all for Seamonkey.  I hate to say this but
Seamonkey is going to die if people don't start getting addons working
with it.  Firefox has tons of addons that Seamonkey doesn't.  I like
that it is a browser and email all in one but it is getting more limited
every day. 

Anyone have info on switching from Lastpass to Bitwarden?  Thoughts? 

Dale

:-)  :-)
Re: Moving from Lastpass to Bitwarden
On Wed, 17 Feb 2021 at 01:04, Dale <rdalek1967@gmail.com> wrote:
> Anyone have info on switching from Lastpass to Bitwarden? Thoughts?

I'm in the same situation. I even paid for Lastpass in the past, back
when you had to pay to get it on mobile, but the price I'm looking at
now is way too high.

From what I read elsewhere, Bitwarden seems well regarded, and among
the top choices for those choosing to switch now. I'd even be willing
to pay for a service like this, but Bitwarden's basic paid tier, at
only $10, doesn't seem to give me anything extra that I would use.
Still, good to know that I could support them for a much lower price
than Lastpass.

It's also a bonus that it's open source.

People seem to find it really easy to switch, so at the moment I'm
thinking about just moving all my passwords and having both for a bit,
just to try it out.

Regards,
Arve
Re: Moving from Lastpass to Bitwarden
Arve Barsnes wrote:
> On Wed, 17 Feb 2021 at 01:04, Dale <rdalek1967@gmail.com> wrote:
>> Anyone have info on switching from Lastpass to Bitwarden? Thoughts?
> I'm in the same situation. I even paid for Lastpass in the past, back
> when you had to pay to get it on mobile, but the price I'm looking at
> now is way too high.
>
> From what I read elsewhere, Bitwarden seems well regarded, and among
> the top choices for those choosing to switch now. I'd even be willing
> to pay for a service like this, but Bitwarden's basic paid tier, at
> only $10, doesn't seem to give me anything extra that I would use.
> Still, good to know that I could support them for a much lower price
> than Lastpass.
>
> It's also a bonus that it's open source.
>
> People seem to find it really easy to switch, so at the moment I'm
> thinking about just moving all my passwords and having both for a bit,
> just to try it out.
>
> Regards,
> Arve
>
>


Since my post, I've created an account.  I even imported my passwords
from Lastpass which wasn't hard at all.  So far, it works fine.  Heck, I
may even pay for the small plan.  I don't mind paying a little for
something but Lastpass doesn't offer any features in the paid plans I
needed in the past.  The only reason I'd consider it with Bitwarden,
it's open source. I've donated to a couple addons that I use a lot in
Firefox as well.  I'm just a little picky is all. 

One thing I thought of, keep Lastpass installed on Seamonkey and just
update the passwords as needed.  Some passwords I only change once a
year or so anyway.  I can get the new password from Bitwarden, go to
Seamonkey and update Lastpass directly or while logging in.  Either way,
it should work and I'd only be using Lastpass in Seamonkey which means
one device type and even one device period. 

I suspect a lot of users are going to be moving from Lastpass because of
this change.  If their service was far better then people may pay it. 
Thing is, it isn't.  As was pointed out in a couple things I read, they
have been hacked in the past.  What was taken was encrypted but still,
they got hacked.  Bitwarden is open source which means a lot of eyeballs
looking at the code.  For that reason, or a good part of it, it has
never been hacked.  It seems that with the Lastpass changes, Bitwarden
will offer for free what Lastpass doesn't and be more secure as well. 

I like how these password managers work.  I've read that even if a court
order is served to Lastpass, Bitwarden or others that work the same way,
all they get is encrypted files.  Unless they can crack it, it does them
no good.  It's one reason I like using them. 

I figured if Bitwarden had any serious problems, I'd hear from someone
pretty fast.  As I continued to research it, I just couldn't find
anything recent that was bad.  Some say it is a little kludgy and all
but at times, I want to strangle Lastpass.  On a few sites, it just does
not want to auto-fill or fill at all until I force it to by doing a lot
of clicking and selecting.  I've had a site or two where I had to go to
the vault and copy the password and then paste it in manually.  I don't
like having passwords in my clipboard.  Sort of negates having a good
password tool.  ;-)

If anyone has some info on it, I'm listening.  I'm sure someone here
uses Bitwarden. 

Thanks.

Dale

:-)  :-) 
Re: Moving from Lastpass to Bitwarden
Hi all!

I'm using app-admin/pass. There is an android app (password store) and if
you have a vps server, you can sync it remotely using git. Or maybe with a
wireguard vpn?

The android app is maybe not as good as lastpass, but for me it's enough
and free :)

And I think the price should not change for the next decade ;)

Regards,

rba


On Wed, 17 Feb 2021 at 08:04, Arve Barsnes <arve.barsnes@gmail.com> wrote:

> On Wed, 17 Feb 2021 at 01:04, Dale <rdalek1967@gmail.com> wrote:
> > Anyone have info on switching from Lastpass to Bitwarden? Thoughts?
>
> I'm in the same situation. I even paid for Lastpass in the past, back
> when you had to pay to get it on mobile, but the price I'm looking at
> now is way too high.
>
> From what I read elsewhere, Bitwarden seems well regarded, and among
> the top choices for those choosing to switch now. I'd even be willing
> to pay for a service like this, but Bitwarden's basic paid tier, at
> only $10, doesn't seem to give me anything extra that I would use.
> Still, good to know that I could support them for a much lower price
> than Lastpass.
>
> It's also a bonus that it's open source.
>
> People seem to find it really easy to switch, so at the moment I'm
> thinking about just moving all my passwords and having both for a bit,
> just to try it out.
>
> Regards,
> Arve
>
>
>
Re: Moving from Lastpass to Bitwarden
On Tue, 16 Feb 2021 19:04:01 -0500,
Dale wrote:
>
> Howdy,
>
> Lastpass is forcing people to use only one device type or pay a fee.
> I've used the free version of Lastpass for years and it works well for
> me.  I use it on my desktop and my cell phone too.  However, I don't
> want to be limited to one device type and I also don't care much for
> paying for the service either. After doing some searching, it seems
> Bitwarden is pretty close to Lastpass.  Anyone here used both that can
> tell me if there are any differences between the two, bad differences for
> sure?  The new restrictions don't start for a while, March I think, so I
> have time to switch.  According to search info, I can even export from
> Lastpass and import to Bitwarden pretty easily.
>
> The only downside I've found so far is that Bitwarden isn't available
> for Seamonkey.  Thing is, Lastpass hasn't updated the addon for
> Seamonkey in 2 or 3 years either so I'm using an older legacy version
> anyway.  I'm not sure how much of a downside that is but I won't be able
> to use a password manager at all for Seamonkey.  I hate to say this but
> Seamonkey is going to die if people don't start getting addons working
> with it.  Firefox has tons of addons that Seamonkey doesn't.  I like
> that it is a browser and email all in one but it is getting more limited
> every day.
>
> Anyone have info on switching from Lastpass to Bitwarden?  Thoughts?

hmmm, I never got a notice like that, but I am a premium user, so
maybe that is the reason. It was worth it so I could give emergency
access.

--
Your life is like a penny. You're going to lose it. The question is:
How do
you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: Moving from Lastpass to Bitwarden
John Covici wrote:
> On Tue, 16 Feb 2021 19:04:01 -0500,
> Dale wrote:
>> Howdy,
>>
>> Lastpass is forcing people to use only one device type or pay a fee. 
>> I've used the free version of Lastpass for years and it works well for
>> me.  I use it on my desktop and my cell phone too.  However, I don't
>> want to be limited to one device type and I also don't care much for
>> paying for the service either. After doing some searching, it seems
>> Bitwarden is pretty close to Lastpass.  Anyone here used both that can
>> tell me if there are any differences between the two, bad differences for
>> sure?  The new restrictions don't start for a while, March I think, so I
>> have time to switch.  According to search info, I can even export from
>> Lastpass and import to Bitwarden pretty easily. 
>>
>> The only downside I've found so far is that Bitwarden isn't available
>> for Seamonkey.  Thing is, Lastpass hasn't updated the addon for
>> Seamonkey in 2 or 3 years either so I'm using an older legacy version
>> anyway.  I'm not sure how much of a downside that is but I won't be able
>> to use a password manager at all for Seamonkey.  I hate to say this but
>> Seamonkey is going to die if people don't start getting addons working
>> with it.  Firefox has tons of addons that Seamonkey doesn't.  I like
>> that it is a browser and email all in one but it is getting more limited
>> every day. 
>>
>> Anyone have info on switching from Lastpass to Bitwarden?  Thoughts? 
> hmmm, I never got a notice like that, but I am a premium user, so
> maybe that is the reason. It was worth it so I could give emergency
> access.
>


This is the announcement.

https://support.logmeininc.com/lastpass/help/what-can-i-expect-to-change-for-lastpass-free-on-march-16-2021

I suspect the reason you didn't get the notice, it won't affect you
since you are already a paying user.  While they may get some users to
pay with this new setup, I bet they lose a lot more than they gain, user
wise.  After all, I was able to switch in well under 5 minutes.  I have
three Firefox profiles and a cell phone and it still didn't take long. 
Most of that was downloading the app or addon.  If my DSL was faster, 2
or 3 minutes maybe.  I spent more time composing my first message about
this switch.  lol

I have my important passwords on an encrypted USB stick.  If I get hit by
lightning or something, I have a family member who can decrypt the USB
stick and have the password and other info as well.  To be honest tho,
it isn't needed.  My bank and such already has the paperwork needed to
close accounts and take care of other things.  Still, I'm not worried
about forgetting or losing my password, I'd be more worried about it
getting corrupted and not being able to login whether I'm a paying user
or not. It could happen even tho I suspect it is very rare. 

I guess time will tell how well this works. ;-)

Dale

:-)  :-)
Re: Moving from Lastpass to Bitwarden
On Wed, 17 Feb 2021 06:15:52 -0600, Dale wrote:

> I suspect the reason you didn't get the notice, it won't affect you
> since you are already a paying user.  While they may get some users to
> pay with this new setup, I bet they lose a lot more than they gain, user
> wise.

Maybe, but many people haven't heard of Bitwarden and will think they
have no option but to pay.

I was never keen on the idea of giving all my passwords to someone else,
even if they say they can't access them. I've been using Bitwarden for
about a year, I used KeePassX before then and am really happy with it.


--
Neil Bothwick

/ For security reasons, all text in this mail
is double-rot13 encrypted. /
Re: Moving from Lastpass to Bitwarden
Neil Bothwick wrote:
> On Wed, 17 Feb 2021 06:15:52 -0600, Dale wrote:
>
>> I suspect the reason you didn't get the notice, it won't affect you
>> since you are already a paying user.  While they may get some users to
>> pay with this new setup, I bet they lose a lot more than they gain, user
>> wise.
> Maybe, but many people haven't heard of Bitwarden and will think they
> have no option but to pay.
>
> I was never keen on the idea of giving all my passwords to someone else,
> even if they say they can't access them. I've been using Bitwarden for
> about a year, I used KeePassX before then and am really happy with it.
>
>


I simply googled for 'alternatives to Lastpass' and Bitwarden was one of
a few that came up.  Several links were articles comparing the two.  If
a person doesn't like what Lastpass is doing, it won't take much to find
other password managers.  They may pick something besides Bitwarden but
still, they have the option of switching. 

I logged into my credit card on my cell phone, about the only thing I
use on my cell phone anyway, it worked OK once I figured out how to get
it to fill the info in.  I might add, Lastpass has issues with that site
as well.  If I didn't know better, I'd think the website tries to
prevent people from using a password manager.  In a way, it is sort of
stupid to do that since people reused passwords a lot before password
managers came along.  Heck, even I used the same password for financial
type sites for a long time.  Once I started using Lastpass, I used
different passwords and even different lengths of passwords based on the
site.  It's a lot more secure as long as the master password is a good
one.  I had a really simple password for some sites that a hacker would
most likely die from laughter than anything else if they wanted to hack
it.  LOL

Good to know others like Bitwarden tho.  That helps.  <thumbs up>

Dale

:-)  :-) 
Re: Moving from Lastpass to Bitwarden
On 2021-02-17, Dale <rdalek1967@gmail.com> wrote:

> Lastpass is forcing people to use only one device type or pay a fee.
> [...]
> Anyone have info on switching from Lastpass to Bitwarden? Thoughts?

After doing a bit of reading, I've decided that I'm switching from
Lastpass to Bitwarden. I've been happy with Lastpass for several
years, and even got decent e-mail support when I had questions about
the command line utility. So, I considered giving them some money, but
they wanted $36 per year for Premium (that seemed expensive), and I
had no use for anything that $36 got me.

I've read postings from several people who have exported their
passwords from Lastpass and then imported them to Bitwarden with no
problems, I'll give that a go sometime in the next couple weeks. I may
even give Bitwarden $10. That seems like a more reasonable price, and
it actually gets me something I can use: encrypted online file
storage.

--
Grant
Re: Moving from Lastpass to Bitwarden
On Wed, Feb 17, 2021 at 3:01 AM Dale <rdalek1967@gmail.com> wrote:
>
> I suspect a lot of users are going to be moving from Lastpass because of
> this change. If their service was far better then people may pay it.
> Thing is, it isn't. As was pointed out in a couple things I read, they
> have been hacked in the past. What was taken was encrypted but still,
> they got hacked.

So, while I echo most of the sentiments in this thread already so I
won't repeat them, I do try to be careful about how I look at past
reports of hacks.

Important considerations are:
1. Why were they hacked?
2. What did they do when they were hacked?
3. What were the consequences?
4. What is likely to happen in the future?

When it comes to security the future is much more important than the
past. We look at the past as a predictor of the future. However, you
have to always keep this in mind.

One thing I admire about Lastpass is that when they were hacked, they
immediately went public with it, disclosing at all times what was
known and explaining the impact to customers as best as they
understood it. They took steps to get users to change passwords/etc
which would protect them if the encrypted data was cracked in the
future. The way they handled the incident definitely made their
customers safer.

Likewise as best as anybody can tell the consequences of the breach
were very limited. They ensured that customer vaults had solid
encryption, which gave them defense in depth - the breach of the
encrypted data wasn't able to be leveraged into a breach of the
unencrypted password data inside.

These should both be seen as factors in their favor, and it is the
sort of thing that you can't really see until somebody is actually
hacked.

I think one of the more concerning issues for their future was the
change in management when logmein bought them. I think people had
concerns about the new management.

I definitely like that bitwarden is FOSS. One concern with ANY of
these web-based tools is that while they may very well be securely
implemented, the fact is that the actual code is remotely managed. At
any time somebody who obtains control over their infra could push out
updates that cause your client to compromise your data in a number of
ways. This requires more sustained control than just a quick snatch
of the encrypted cloud password store, but it is definitely a risk,
whether the code is FOSS or not. After all, Gentoo is FOSS, but if
somebody was able to gain control over the repositories/keys/etc they
could push literally anything in an update to your system, and unless
you're looking very carefully at your ebuilds you could have arbitrary
code running as root in no time. Obviously that is something infra
and the portage design tries to make unlikely, but it is definitely a
threat model really for any software distribution of any kind. The
automated nature of updates to these cloud-based password managers
makes these sorts of attacks potentially easier to pull off (though
I'd they would have resources dedicated to detecting a compromise like
this and mitigating it).

--
Rich
Re: Moving from Lastpass to Bitwarden
Rich Freeman wrote:
> On Wed, Feb 17, 2021 at 3:01 AM Dale <rdalek1967@gmail.com> wrote:
>> I suspect a lot of users are going to be moving from Lastpass because of
>> this change. If their service was far better then people may pay it.
>> Thing is, it isn't. As was pointed out in a couple things I read, they
>> have been hacked in the past. What was taken was encrypted but still,
>> they got hacked.
> So, while I echo most of the sentiments in this thread already so I
> won't repeat them, I do try to be careful about how I look at past
> reports of hacks.
>
> Important considerations are:
> 1. Why were they hacked?
> 2. What did they do when they were hacked?
> 3. What were the consequences?
> 4. What is likely to happen in the future?
>
> When it comes to security the future is much more important than the
> past. We look at the past as a predictor of the future. However, you
> have to always keep this in mind.
>
> One thing I admire about Lastpass is that when they were hacked, they
> immediately went public with it, disclosing at all times what was
> known and explaining the impact to customers as best as they
> understood it. They took steps to get users to change passwords/etc
> which would protect them if the encrypted data was cracked in the
> future. The way they handled the incident definitely made their
> customers safer.
>
> Likewise as best as anybody can tell the consequences of the breach
> were very limited. They ensured that customer vaults had solid
> encryption, which gave them defense in depth - the breach of the
> encrypted data wasn't able to be leveraged into a breach of the
> unencrypted password data inside.
>
> These should both be seen as factors in their favor, and it is the
> sort of thing that you can't really see until somebody is actually
> hacked.
>
> I think one of the more concerning issues for their future was the
> change in management when logmein bought them. I think people had
> concerns about the new management.
>
> I definitely like that bitwarden is FOSS. One concern with ANY of
> these web-based tools is that while they may very well be securely
> implemented, the fact is that the actual code is remotely managed. At
> any time somebody who obtains control over their infra could push out
> updates that cause your client to compromise your data in a number of
> ways. This requires more sustained control than just a quick snatch
> of the encrypted cloud password store, but it is definitely a risk,
> whether the code is FOSS or not. After all, Gentoo is FOSS, but if
> somebody was able to gain control over the repositories/keys/etc they
> could push literally anything in an update to your system, and unless
> you're looking very carefully at your ebuilds you could have arbitrary
> code running as root in no time. Obviously that is something infra
> and the portage design tries to make unlikely, but it is definitely a
> threat model really for any software distribution of any kind. The
> automated nature of updates to these cloud-based password managers
> makes these sorts of attacks potentially easier to pull off (though
> I'd they would have resources dedicated to detecting a compromise like
> this and mitigating it).
>


I was actually using Lastpass when the hack happened.  I even mentioned
earlier that while they were hacked, the hackers didn't gain anything
because what they got was encrypted.  Still, they are closed source.  If
their code was open source then it could be that the hack would not have
happened since someone would have spotted the hole the hackers used. 
Who knows if there is another hole that hasn't been discovered yet.  I
didn't know about Lastpass being bought so this explains why the change
is likely happening.  After all, the new owners had to spend money to
buy Lastpass and one way to get it back is to make more people pay or
raise prices on the ones that already pay, or both. 

I've already switched.  The export and import was easy enough.  While
the GUI looks different, it seems to do the same things.  It's early yet
but so far, it works well enough.  I suspect we are not alone in this
switch.  Others may switch to something besides Bitwarden but I bet
Lastpass is losing a lot of users. 

Dale

:-)  :-) 
Re: Moving from Lastpass to Bitwarden
Dale,

On Wednesday, 2021-02-17 23:08:12 -0600, you wrote:

> ...
>   Still, they are closed source.  If
> their code was open source then it could be that the hack would not have
> happened since someone would have spotted the hole the hackers used.

I don't think so. They hacked the Lastpass servers exploiting some
vulnerability in some software running there ... Windows, Word, Excel, you
name it. Maybe they too used the bug in SolarWinds' remote maintenance
software, but then ... wasn't the Lastpass hack way earlier?

Sincerely,
Rainer
Re: Moving from Lastpass to Bitwarden
Dr Rainer Woitok wrote:
> Dale,
>
> On Wednesday, 2021-02-17 23:08:12 -0600, you wrote:
>
>> ...
>>   Still, they are closed source.  If
>> their code was open source then it could be that the hack would not have
>> happened since someone would have spotted the hole the hackers used. 
> I don't think so. They hacked the Lastpass servers exploiting some
> vulnerability in some software running there ... Windows, Word, Excel, you
> name it. Maybe they too used the bug in SolarWinds' remote maintenance
> software, but then ... wasn't the Lastpass hack way earlier?
>
> Sincerely,
> Rainer
>

I did say it could have been found.  Still, if they allowed their
system/software to be tested by others, then even that security hole
could have been found and fixed which would have prevented the hack. 
Regardless of this, they are closed source, they got hacked and it
could have been prevented if they allowed others to see their code. 
That's one thing about open source software, there can be millions, tens
of millions or more, of people looking at it.  It reduces the odds of
bad code lasting long.  It can happen but it reduces it a lot. 

I still trusted Lastpass.  I would still be using it except for the fact
they decided to take away features I need unless I pay more than it is
worth to me.  Since I need to switch anyway, may as well find an open
source option that has a better chance of having good code.  Maybe it
won't be hacked at all.  One can hope. 

Dale

:-)  :-) 
Re: Moving from Lastpass to Bitwarden
On Tue, Feb 16, 2021 at 06:04:01PM -0600, Dale wrote:
> Howdy,
>
> Lastpass is forcing people to use only one device type or pay a fee. 
> I've used the free version of Lastpass for years and it works well for
> me.

Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
sensitive. Even if the other party behaves trustworthy (trustwortily?). If
it’s on someone else’s system, it’s out of my reach. A password database not
only contains the passwords themselves, but naturally also what I have
passwords for in the first place.

> I use it on my desktop and my cell phone too.

On top of that, I don’t trust Android with sensitive stuff, either. Sure, I
have mail, calendar and contacts on my mobile devices (synced against a
local Radicale instance on my raspberry). But nothing that involves money;
No banking app, no paypal app, I don’t even have a credit card. The
exception is the app for our railway system that is directly linked to my
bank account (but most of the times I buy the ticket at a vending machine
and pay cash).

So the natural answer for my password needs is keepass (by now the XC
variant). I sync it between my Linux machines with all other files using
unison.

> Anyone have info on switching from Lastpass to Bitwarden?

I’m aware this doesn’t answer your question,

> Thoughts? 

but I wanted to make a case for another viewing angle on the matter.

--
Gruß | Greetings | Qapla’
I recently bought a hula hoop. And what can I say—it fits!
Re: Moving from Lastpass to Bitwarden
On Thu, 18 Feb 2021 15:22:52 +0100, Frank Steinmetzger wrote:

> Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> sensitive. Even if the other party behaves trustworthy (trustwortily?).
> If it’s on someone else’s system, it’s out of my reach. A password
> database not only contains the passwords themselves, but naturally also
> what I have passwords for in the first place.

[snip]

> So the natural answer for my password needs is keepass (by now the XC
> variant). I sync it between my Linux machines with all other files using
> unison.

That's what I was using, but I now run my own BitWarden server, so I get
the convenience and the security.


--
Neil Bothwick

If at first you don't succeed, you'll get a lot of free advice from
folks who didn't succeed either.
Re: Moving from Lastpass to Bitwarden
On Thu, 18 Feb 2021 10:04:21 -0500,
Neil Bothwick wrote:
>
> On Thu, 18 Feb 2021 15:22:52 +0100, Frank Steinmetzger wrote:
>
> > Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> > sensitive. Even if the other party behaves trustworthy (trustwortily?).
> > If it’s on someone else’s system, it’s out of my reach. A password
> > database not only contains the passwords themselves, but naturally also
> > what I have passwords for in the first place.
>
> [snip]
>
> > So the natural answer for my password needs is keepass (by now the XC
> > variant). I sync it between my Linux machines with all other files using
> > unison.
>
> That's what I was using, but I now run my own BitWarden server, so I get
> the convenience and the security.

If I were to run my own bitwarden server, which seems not to be in
the tree, is there a way I can use windows, mac and ios to get
passwords from it?

--
Your life is like a penny. You're going to lose it. The question is:
How do
you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: Moving from Lastpass to Bitwarden
On Thu, 18 Feb 2021 10:36:46 -0500, John Covici wrote:

> > That's what I was using, but I now run my own BitWarden server, so I
> > get the convenience and the security.
>
> If I were to run my own bitwarden server, which seems not to be in
> the tree, is there a way I can use windows, mac and ios to get
> passwords from it?

It's no different to using their server, you just change the address in
the client(s). There is a docker image for a server on Bitwarden's site,
but it's heavyweight with lots of dependencies, and unnecessary for
lightweight use. I use the image from https://hub.docker.com/u/bitwardenrs


--
Neil Bothwick

I am sitting on the toilet with your article before me. Soon it will be
behind me.
Re: Moving from Lastpass to Bitwarden
Frank Steinmetzger wrote:
> On Tue, Feb 16, 2021 at 06:04:01PM -0600, Dale wrote:
>> Howdy,
>>
>> Lastpass is forcing people to use only one device type or pay a fee. 
>> I've used the free version of Lastpass for years and it works well for
>> me.
> Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> sensitive. Even if the other party behaves trustworthy (trustwortily?). If
> it’s on someone else’s system, it’s out of my reach. A password database not
> only contains the passwords themselves, but naturally also what I have
> passwords for in the first place.
>
>> I use it on my desktop and my cell phone too.
> On top of that, I don’t trust Android with sensitive stuff, either. Sure, I
> have mail, calendar and contacts on my mobile devices (synced against a
> local Radicale instance on my raspberry). But nothing that involves money;
> No banking app, no paypal app, I don’t even have a credit card. The
> exception is the app for our railway system that is directly linked to my
> bank account (but most of the times I buy the ticket at a vending machine
> and pay cash).
>
> So the natural answer for my password needs is keepass (by now the XC
> variant). I sync it between my Linux machines with all other files using
> unison.
>
>> Anyone have info on switching from Lastpass to Bitwarden?
> I’m aware this doesn’t answer your question,
>
>> Thoughts? 
> but I wanted to make a case for another viewing angle on the matter.
>


Thing is, your stuff is likely on the internet already.  You have a bank
account?  If so, that bank is almost certainly connected to the
internet.  I don't know of a bank that isn't.  I doubt a bank can exist
without being connected to the internet given a lot of money transfers
are electronic anyway.  I'm sure any account you have, power, water or
any other account is connected to the internet in some way.  If you have
credit of any kind, they have your info on the internet already.  It's
how they work.  You may not put it there or access it yourself but it is
already there for a hacker if they want it.  You may think you are
protecting yourself but really, you're not.  You're just not accessing
it or putting it to use for your own advantage.  If someone steals my
info and uses it, I'll likely know quickly.  I monitor my bank, credit
card and credit info using the internet that way if it is stolen, I'll
know it sooner.  I can make use of the internet to protect myself
instead of refusing to use the tool and waiting on a letter that takes
days or even weeks to arrive, if one is ever sent. 

Pretending the internet doesn't exist just isn't good.  It exists
whether you use it or not.  Just keep in mind, people who have info on
you use it and so do the ones who might want that info.  I consider
that a false sense of security.  You may feel secure but you are sadly
mistaken.  Unless you live with no digital footprint at all, likely
impossible, you already have info out there. 

I still trust Lastpass and for those willing to pay for it, I'd
recommend it in a heartbeat.  It's widely used and secure.  Bitwarden
however is as or even more secure.  It also has a better pricing
structure.  I can manage with the free version but will likely pay for
the paid plan soon.  I feel it is worth that. 

Just my angle of view.  ;-)

Dale

:-)  :-)
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On Thu, Feb 18, 2021 at 03:04:21PM +0000, Neil Bothwick wrote:

> > So the natural answer for my password needs is keepass (by now the XC
> > variant). I sync it between my Linux machines with all other files using
> > unison.
>
> That's what I was using, but I now run my own BitWarden server, so I get
> the convenience and the security.

That’s an interesting plot twist.

--
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

The shortest brass joke ever: “Piano”.
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On Thu, Feb 18, 2021 at 10:07:17AM -0600, Dale wrote:

> > Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> > sensitive. Even if the other party behaves trustworthy (trustwortily?). If
> > it’s on someone else’s system, it’s out of my reach. A password database not
> > only contains the passwords themselves, but naturally also what I have
> > passwords for in the first place.
>
> Thing is, your stuff is likely on the internet already.  You have a bank
> account?  […] If you have
> credit of any kind, they have your info on the internet already.  It's
> how they work.

> You may think you are protecting yourself but really, you're not.

Your point is valid. Let’s call what I do minimising the attack surface. :)

> Pretending the internet doesn't exist just isn't good.  It exists
> whether you use it or not.  Just keep in mind, people who have info on
> you use it and so do the ones who might want that info.

Hence my reluctance to put everything out there. Granted, lastpass is one of
the brighter examples. On the other extreme, people™ give away their details
to rebate systems just to “save” a few bucks on their next grocery shopping.

> I consider that a false sense of security.  You may feel secure but you
> are sadly mistaken.  Unless you live with no digital footprint at all,
> likely impossible, you already have info out there. 
>
> I still trust Lastpass and for those willing to pay for it, I'd
> recommend it in a heartbeat.  It's widely used and secure.

Well argued.


[rant mode on, feel free to skip, I shall hold my peace thereafter]

The general tendency of both private individuals and companies towards
dependence on cloud services is just something I can’t grasp. A car
manufacturer has no business knowing in real-time where I might go, but
still they take that data simply because it is there. They might not do
anything fishy with it *now*. But who knows about two years hence, or what
the best governments money can buy think of next, or insurance companies
(give us your data or we’ll raise your premiums). Usually, the benefits only
go up the chain, not to you, the customer (or rather the “consumer”).
As you say – the data is already out there. And I have absolutely no control
over what company A tells company B tells company C and what each company
does with it. Promises and assurances from entities and politicians are
worth crap these days, either by decision (“changed circumstances, we need
that now”) or by accident (“oops, we left our database open, we apologise,
but your privacy is still important to us”).

Avoiding Windows is a good start, I think we can all agree on that at least.

[rant mode off]

> Just my angle of view.  ;-)

:)

--
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

No mabob without a thingy.
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On 2021-02-18, Neil Bothwick <neil@digimed.co.uk> wrote:

> That's what I was using, but I now run my own BitWarden server, so I get
> the convenience and the security.

Ah-ha! And _that's_ what I could use an $11 VPS for!
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On 2021/02/17 at 06:51am, Dale wrote:

> I simply googled for 'alternatives to Lastpass' and Bitwarden was one of
> a few that came up. Several links were articles comparing the two. If
> a person doesn't like what Lastpass is doing, it won't take much to find
> other password managers. They may pick something besides Bitwarden but
> still, they have the option of switching.

I recently switched from LastPass to Bitwarden and this is exactly what
I did. Many articles rated both highly, making me feel better about
Bitwarden. I also liked that it is open source AND more affordable. I
wish I could run my own server, but my security-foo is not strong enough
to risk exposing not only my computer, but my passwords to the entire
internet.

However, there is another option that I've not seen anyone mention
(apologies if I missed it): use a local password manager (such as the
excellent KeePassXC) for financial / very important sites, and an
in-browser, Internet-connected manager for general sites of little
consequence (like Slashdot, for example). I personally keep everything
in KeePassXC and a subset of frequently used, non-financial sites in
Bitwarden. I'm much more likely to log into a news site or perhaps even
a shopping site from various computers. But, banking sites or other
financial sites? ONLY from my Gentoo computer, because I am most
confident of its security.

Similarly, use different browsers for different purposes. I use Firefox
for daily browsing, with hardcore security installed (ublock matrix, for
example). Google Chrome is only for Google sites. Another browser is for
banking and other shopping. Still has strong security, but not as strong
because, at least for me, that tends to break those sites. Also, this
browser only ever goes to those sites.

In short, I guess I'm saying there is no need for either / or
thinking. There are lots of ways to approach security.

> I logged into my credit card on my cell phone, about the only thing I
> use on my cell phone anyway, it worked OK once I figured out how to
> get it to fill the info in. I might add, Lastpass has issues with
> that site as well. If I didn't know better, I'd think the website
> tries to prevent people from using a password manager.

I agree - sites should be encouraging password managers, not
discouraging them. I forget which site it was, but I had to deal with
one that somehow disabled copy and paste (even with middle mouse button)
in the password set up / change field. I used pwgen to make a 25
character random password and then had to type the monster into the
site, twice! I'm sure most other people (less careful types) would just
have switched to an easier password. Luckily / Oddly, the site did allow
pasting into the password field for regular log in.

--
Chris Spackman (he / him) chris@osugisakae.com

ESL Coordinator The Graham Family of Schools
ESL Instructor Columbus State Community College
Japan Exchange and Teaching Program Wajima, Ishikawa 1995-1998
Linux user since 1998 Linux User #137532
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On 2021-02-17, Dale <rdalek1967@gmail.com> wrote:

> Anyone have info on switching from Lastpass to Bitwarden? Thoughts?

I just did it this afternoon.

The whole process took about three minutes:

1. Sign up for Bitwarden account
2. Export .csv from Lastpass
3. Import .csv to Bitwarden
4. Install Chrome plugin.

Everything "just worked". I was so impressed, I coughed up the $10 for
premium.

I'll have to do some experimenting with the CLI app for doing backups...

--
Grant
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On Thu, Feb 18, 2021 at 03:22:52PM +0100, Frank Steinmetzger wrote:
> So the natural answer for my password needs is keepass (by now the XC
> variant). I sync it between my Linux machines with all other files using
> unison.

That is also what I use. I also personally use my phone with KeepassDX
for when I'm not next to my personal PC, and I have the databases synced
together through Syncthing. However, on the topic of Syncthing, I
haven't had any issue so far, but I also haven't been able to find
anywhere if the thing encrypts traffic that's sent from anywhere to
anywhere else. From what I understand of Syncthing though, it seems to
give each machine a unique ID, lets you give them names and then
specify a shared folder, then using the local networks it can find
other devices running Syncthing, and on the wider internet, it seems to
connect to some random "discovery servers" that seem like their purpose
is to act as a way to have the devices find each other if they're on
other networks so that the shared directories stay synced at all times.
I just wish I knew if the files are encrypted e2e or not when using this.

Kusoneko.
Re: Moving from Lastpass to Bitwarden [ In reply to ]
On Fri, 19 Feb 2021 22:07:21 -0500, Kusoneko wrote:

> That is also what I use. I also personally use my phone with KeepassDX
> for when I'm not next to my personal PC, and I have the databases synced
> together through Syncthing. However, on the topic of Syncthing, I
> haven't had any issue so far, but I also haven't been able to find
> anywhere if the thing encrypts traffic that's sent from anywhere to
> anywhere else. From what I understand of Syncthing though, it seems to
> give each machine a unique ID, lets you give them names and then
> specify a shared folder, then using the local networks it can find
> other devices running Syncthing, and on the wider internet, it seems to
> connect to some random "discovery servers" that seem like their purpose
> is to act as a way to have the devices find each other if they're on
> other networks so that the shared directories stay synced at all times.

That's correct. Syncthing is P2P, the only traffic that goes through
their servers is for discovery. If even that is too much for you, you can
run your own discovery server.

> I just wish I knew if the files are encrypted e2e or not when using
> this.

According to Syncthing's own FAQ "Data that is sent over the network is
compressed (optionally) and encrypted (always)."


--
Neil Bothwick

Bagpipe for free: Stuff cat under arm. Pull legs, chew tail.