I'm really disappointed to see #bitwarden falling into the slop hole. Can anyone recommend a #passwordmanager , ideally #selfhosted , that doesn't use LLM slop in its core product, OR in its contributing commits?
#askfedi
@violet I use Gnome Secrets on desktop and KeepassDX on Android, and I use Nextcloud to sync them. I did a big comparison of password managers in the quoted post.
The Gnome Secrets developer recently said they do not use LLMs.
https://gitlab.gnome.org/World/secrets/-/issues?sort=created_date&state=closed&first_page_size=20&show=eyJpaWQiOiI2NTYiLCJmdWxsX3BhdGgiOiJXb3JsZC9zZWNyZXRzIiwiaWQiOjIzNjk2MH0%3D

Unfortunately, Nextcloud does use AI, and I don't know of a way to sync passwords between Linux and Android that doesn't involve software using AI.

RE: https://transfem.social/notes/aa2w3yuz3tfz0hdp
@2something damn. Well, more information helps me pivot my research. Thanks friend

@2something @violet

Syncthing will do the sync. It wraps up some other projects so there is a possibility something uses AI (I haven't checked)

@2something @violet
Gnome secrets looks nice. I like the browser extension keepassxc and others have, does it have something like that?

As for syncing I haven't checked for certain that it does not use AI, but syncthing and syncthing-fork on Android might be worth investigating.
@walnut @violet I tried setting up syncthing a while ago and I was unsuccessful (even to sync between my desktop and laptop).

Gnome Secrets does not have an associated browser extension, unfortunately. I just copy passwords from the desktop app into my browser, which is a bit slower but not by too much.
@2something @violet
Shoot (to both statements).
The main reason I like the browser extension is domain matching, so I don't have to worry quite as much if it's a phishing site.
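The domain-matching check mentioned in the post above is the property that makes an extension useful against phishing: the credential is only offered when the page's host actually belongs to the site it was saved for. The following is an added example written for this thread, not code from KeePassXC, Gnome Secrets or any other project named here; it implements that check as a standalone Node.js function using a small constructed stand-in for the Public Suffix List, and it goes slightly beyond the post by also refusing plain-HTTP pages and by showing that look-alike hostnames written with non-Latin letters do not match.

```javascript
// Added example (not code from any password manager mentioned in the thread):
// the "domain matching" check a browser extension performs before offering
// a saved credential, written as a standalone Node.js function so the
// anti-phishing property can be seen on sample URLs.
//
// PUBLIC_SUFFIXES is a constructed stub; a real extension would load the
// full Public Suffix List (publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1) of a hostname, or null when the
// hostname is itself a public suffix or has no dot at all.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (PUBLIC_SUFFIXES.has(host)) return null;
  const labels = host.split(".");
  if (labels.length < 2) return null;
  // Longest known public suffix wins: "co.uk" beats "uk", "github.io" beats "io".
  let suffixLen = 1;
  for (let i = labels.length - 2; i >= 1; i--) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) suffixLen = labels.length - i;
  }
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Decide whether a credential saved for entryUrl may be filled into pageUrl.
// Returns { fill, reason } so the caller can explain a refusal to the user.
function autofillDecision(entryUrl, pageUrl) {
  let entry, page;
  try {
    entry = new URL(entryUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
  // Never hand a credential to a plaintext page: a network attacker can
  // rewrite an http: page to present any login form it likes.
  if (page.protocol !== "https:") {
    return { fill: false, reason: "page is not served over HTTPS" };
  }
  // new URL() lower-cases and IDNA-encodes hostnames, so a look-alike
  // domain written with non-Latin letters compares as punycode and
  // cannot collide with the ASCII original.
  if (entry.hostname === page.hostname) {
    return { fill: true, reason: "exact host match" };
  }
  const a = registrableDomain(entry.hostname);
  const b = registrableDomain(page.hostname);
  if (a !== null && a === b) {
    return { fill: true, reason: `same registrable domain (${a})` };
  }
  return { fill: false, reason: `host mismatch (${entry.hostname} vs ${page.hostname})` };
}

// Constructed sample pairs of (saved entry URL, page being visited).
// example.com / example.net are reserved names; "evil.example" is made up.
const SAMPLE_CASES = [
  ["https://accounts.example.com/login", "https://www.example.com/signin"],
  ["https://example.com/", "https://example.com.evil.example/"],
  ["https://example.com/", "https://example.net/"],
  ["https://alice.github.io/", "https://mallory.github.io/"],
  ["https://example.com/", "http://example.com/"],
  ["https://example.com/", "https://exаmple.com/"], // Cyrillic "а" in the page host
];

function evaluateSamples() {
  return SAMPLE_CASES.map(([entry, page]) => ({ entry, page, ...autofillDecision(entry, page) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.fill ? "FILL" : "SKIP"} ${r.page}  (${r.reason})`);
}
```

The point of comparing on the registrable domain rather than on the whole hostname is that `accounts.example.com` and `www.example.com` are the same site, while `example.com.evil.example` is not, no matter how much of the real name it reuses; the stub suffix list also shows why sites hosted under a shared suffix such as `github.io` must be treated as distinct.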

@violet I think the keepass family is the standard here?

XC did also start doing AI, though

@astraluma fml, keepass was the chosen one. I thought it was safe. I hate it here.

I would make my own, but my specialty was python, which has now been tainted too. Fuck it aaaaallllll

@violet a few of us did a deep dive

cpython has claude contributions, but it looks like minimal code

which is honestly expected in a project that large

@violet KeePassXC went in on AI code review and such
@astraluma extremely disappointed to hear

@violet oh, to be clear:

I'm not terribly familiar with KeePass (I'm currently pretty happy giving 1pass money), but I know there's more than KeePassXC

@astraluma my work is in connecting disparate systems, so deep level python skunk works isn't my forte. What are the ramifications of the taint moving forward, in your opinion?

For context, I'm wary of Zen browser for being forked from FF for having any slop taint, so these reservations aren't specific to python

@violet I think it's mostly "a couple of people were sloppy about its use"

none of the regular cpython contributors seem to be using AI in easily traceable ways. There's about a dozen suspect commits, and they're all small changes in dusty corners.

Predicting going forward is going to depend a lot on how you feel about the prospects of AI in development.

@violet My current semi-reasoned prediction is that the bubble is going to pop and LLMs are going to get dramatically more expensive to use.

As tokens become a meaningful resource, I expect less of them will be spent on FOSS work.

As someone who doesn't like AI and is quite ready for this bubble to pop and this hype cycle to end, I'm hoping this will mean that cpython remains minimally tainted.

@violet at this point, I don't think it's reasonable to do non-trivial computing without some software that's been touched by AI in some way.
@violet i use `pass`[1], though it's very non-traditional so it might not be what you want

a directory structure encrypted with pgp and synced with `git`, implemented as a shell script

extensions like pass-otp also add support for totp, and there's an android app/client and browser extension for autocomplete on those platforms as well

(for folks that hate pgp, `passage`[2] exists that uses `age` instead, but no android app for that one, not sure if it works with the browser ext)

it is also mostly a "done" project, as most of the complex logic is done in gnupg/age and git, or extension plugins, pass itself barely needs changes or fixes ever

1: https://www.passwordstore.org/
2: https://github.com/FiloSottile/passage

@navi that wouldn't work for my use cases, but thanks for the heads up!

@navi @violet It is anecdotal, but I used to use gpg to encrypt my password file and it worked out pretty well.

Then Iowa flooded in 2008 and I ended up being separated from my laptop for a month. I had a thumb drive with my passwords, but it took me a long time to find a program I could get gpg installed onto it enough to get to my password file.

So, if you do go that approach, make sure you have a "I don't need my laptop, Cedar Rapids will only be underwater for a few days" turning into three months of living with my inlaws with their Windows 95 computer, one horror movie scene, and the inability to even get back to the apartment for a month.

@dmoonfire @violet

i have a pass android client, and i can remote onto my vps and use gpg from there as long as i have access to my pgp keys somewhere

though i should probably build a better backup system for the key itself, unsure how yet
@navi @violet I'm in the same boat. I couldn't access my safe deposit box either for a month then so.... not sure where to back things up when I make poor decisions (in the "I don't need the laptop" case, the water had already gotten up to the bridge I took, and I-380 was backed up so badly that it would have taken me 1.5 hours to go six miles, so I thought it would only be a few days and I would get back to my apartment. Won't make that mistake again.)

@navi @violet @dmoonfire a laminated piece of paper in a little safe at home, or somewhere obscure to hide it or at a bank safe deposit box or such works relatively well (or both)

it lasts for a long time, and is fairly easily accessible even in the event of something going wrong

@violet I'm using KeepassDX on my phone and Syncthing to sync it with my desktop KeepassXC.

@violet @astraluma

1Password has been awesome, my polycule’s resident techspert has had it running locally for ages (well, locally in the cloud, but eh. Not through another server)

@Beckydog @astraluma I never trusted 1pass since their last couple snafus, especially since I had to use them at work. Are they slop free?

@violet @Beckydog did 1pass have a snafu?

I know LastPass has had several.

@Beckydog @violet @astraluma isn't it proprietary software? i would argue against using proprietary software for anything, especially anything security-sensitive

also, if you go to
1password.com

@lumi @Beckydog @astraluma you are working better than I can this morning. Even researching adjacent to the slop is melting my brain 😭😭😭

Thanks Lumi

@violet @Beckydog @astraluma ofc

@lumi @violet @astraluma

I can only speak from a user point of things, but there’s no Ai in it afaik!

@Beckydog @violet @astraluma sadly, it's not like you can check, as it is proprietary software. and from their website, it seems like they do embrace it, so i think there is a high likelihood there is genai-generated code in it

@lumi @Beckydog @violet i wouldn't equate "shipping features or solutions for AI" to "going all-in on genAI"

in the context of this bubble and having investors, having some kind of AI thing is pretty much a requirement for a tech company.

But 1pass has always been big on developer, automation, servers, etc, so them re-spinning those existing features for AI would have low impact on their product.

@astraluma @Beckydog @violet if we assume that 1password cares about ethics, this is a good argument

but they're proprietary software, so i don't buy it

@lumi @Beckydog @violet you don't need ethics to be against AI?

You can be against on the basis of "new hype technologies have a history of being immature and risky" or "genAI code tends to lack nuance and be kinda crap, and we're a security product" or "we use a B-list tech stack, and the AI just isn't very good at it"

@astraluma @Beckydog @violet i guess i'm less optimistic about it

@lumi @Beckydog @violet that's valid

but no situation has been improved by overestimating the risks

and yes, ultimately, it is all proprietary code and we can only speculate.

but so far, all I'm seeing is that 1password is only shipping AI integrations. Which is basically the same as Just's MCP server https://just.systems/man/en/model-context-protocol.html

@lumi @Beckydog @violet if your goal is nothing that even acknowledges AI, yeah, 1pass does that.

but like i said elsethread, it's going to be real hard to do non-trivial computing with that standard in this moment

@astraluma @Beckydog @violet that is definitely fair. it being proprietary is a much bigger no-no to me

@lumi @Beckydog @violet @astraluma 1password recently put its prices up citing 'AI-generated titles' or some such as one of the exciting new features that this price increase would be paying for.

I don't have a huge amount of faith in their judgment as a result.

@Beckydog @violet I've been a really happy 1password customer for a while. How do you self-host?
@astraluma @violet I am afraid I have no idea! But I can ask the techspert if she'll help?
@violet there is the:
- no

We're currently using Chrome's password manager with a custom E2EE passphrase (so it's not signed with a key Google owns (well, encrypted but it probably takes only like your unlock pattern to get it out of their HSMs and TLS can be added and removed :)), probably overkill as a random creature but who knows it might come handy) because:
- Bitwarden literally doesn't work
- 1Password is probably to follow with their business plan of providing credential storage to agents
- LastPass (lmao)
- KeePassXC doesn't sync and would fail your requirements
- Proton Pass (feds)
- ...?
- Firefox' password manager we used before Bitwarden
@natty @violet you use chrome??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
@natty @violet not using chrome is like. digital hygiene 101. bweh
@[email protected] @violet is it really? The only thing we don't get is uBO

I've been a Firefox user 99% of my life, autofill literally doesn't work for me on mobile, at work I have no choice (I'll let you think about that one for a while), and on Android you don't need to use the same browser as you're using for autofill. On desktop we have no choice unless we wanna painstakingly copy/paste stuff (yes we tried figuring out if we can do autofill but not really)

@natty @violet not using firefox is digital hygiene 102

use a fork of either where you’re able

@[email protected] @violet You do realize most forks actually increase your fingerprint area right?
@natty @violet i don’t because you’re incorrect
@natty @zaire @violet that's where fingerprint noising comes in
Every respected privacy browser should do this
@violet I believe Vault Warden is a self-hosted equivalent to Bitwarden.
@ernestdeleon @violet unfortunately the bitwarden clients are also vibecoded
@violet I use syncthing to sync my keepass database around. It's encrypted in transport, so even though it passes through community nodes when you're away from your other devices, it is still syncing away from home (this is optional).
There's also the option of using nextcloud, there's both using the web dav service with keepass or the passwords app, though I don't recommend the app.
Personally I use floccus for bookmarks with the nextcloud and keepassxc via syncthing.
The cool thing about keepassdx is that there's an autofill keyboard so even if the app doesn't support it you can do it manually
@violet the best part about the way I have it setup is that it doesn't matter what browser I use, the sync is the exact same. so like if you have a browser that does 90% of the things, but you need another browser every once in a while, you keep sync with them. and I never ended up using any of the features that sync provides other than passwords and bookmarks so it's everything I need.
though one downside to using a third party password manager is that they can cut the speed of your browser by about a third, so if you're on chromium, the extension Extensity lets you quickly toggle the extension off, but you can also press Alt+F E (on Vivaldi it's Ctrl+Shift+E, and sometimes it's Alt+F L E), or if you're on firefox, you press Ctrl+Shift+A to bring up the extensions page.
@violet What part exactly did you identify as slop?

@violet All I'm getting here is that I should find the time to see the Signal chat protocol and follow it to implement a password manager.

Oh well, looks like I'm going to be busy! (If someone else wants to do that I'm more than happy to let them, it's been a long while since I did a big project).

@violet
I mean you can use an alternative server (VaultWarden) and an alternative client. The protocol is still good.

#bitwarden #passwordmanager #selfhosted #askfedi

@violet GNUpass does the job, but it's not the easiest to use, especially for multiple users.

I'm self hosting Passbolt (Community edition) for friends, and so far it suits our needs