Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.

Socket

i was GONNA migrate to bitwarden / vaultwarden but i guess not, now.

sigh

@Viss

Eggs, baskets etc ...

@Viss welllllll.....

Time to build my own then

*SQL intensifies*

@Viss Don’t need a password manager if all your passwords are the same <Kayode Ewumi smart dot jpg/>

@schrotthaufen @Viss

That's not Eddie Murphy in the meme, it's British filmmaker and actor Kayode Ewumi.

https://en.wikipedia.org/wiki/Roll_Safe

Roll Safe - Wikipedia

@schrotthaufen @Viss <Kayode Ewumi smart dot jpg/> is a pretty excellent password. Crack time is estimated in the centuries.

@Viss

It's just (currently) the CLI…

@dogriley yeah, but that repo has connective tissue to the rest of bitwarden. suggesting that if attackers got into one repo, its plausible they may have gotten into more, and its just not been discovered.

which paints all of bitwarden as 'tainted'.

im not putting my creds into tainted code

@Viss To be fair, Vaultwarden is completely unaffected. Which makes me rather happy, I wish to sleep this night. 🥲

@Viss I’m using Bitwarden, fwiw, but not using the CLI.

You know better than I do that there is no perfect security. We look at the offerings, mull the pros and cons, and make a decision.

I think I remember a Security Now or GRC podcast many years ago, where they used an easy to remember algorithm that you could use to encode your passwords with a salt, then write the encoded version down in your notebook. Don’t know if that would still hold up tho

@FurryBeta having a github repo infected by an attacker isnt like, a little oopsie

@Viss You have a point, it’s not. I guess what I’m trying and failing to say, is no matter what safeguards are put into place, people are always the weakest link. Any momentary lapse can have major consequences in our connected world. It’s one thing if the safeguards were sloppy and lax from the get-go, there was a history of bad security or a “well we had all the boxes checked!” mentality. AFAIK, Bitwarden tries to be serious about security, but again, you’d know better

@FurryBeta there are knobs and levers present in github that could have prevented these sorts of things - ive done more than a dozen assessments where my resulting report incorporated the remediation guidance for how to specifically protect against this. bitwarden is 'arguably a security company', because they make a password vault, and you would think they would have taken the time to consider the security of their github repos

.. but they didnt

@FurryBeta and so if you take that in context - they are a security company who appears to either not know, not care, or otherwise not use a bunch of security controls present in their github repos, the question then becomes

.. well how seriously do they ACTUALLY take security?

and if you have to ask that about a company who makes a password vault.. then maybe the safer play is to not use their password vault

@FurryBeta because where there is smoke, there is fire. and mistakes like these arent one-offs. mistakes like these leak habits. and if they made this flavor of mistake on github, chances are high they have made it elsewhere as well

@Viss Ah, these are all good points that I didn’t know about. Maybe I should be looking elsewhere then. Since I’m not a programmer, all I know of git is “git clone <site>”.

You said you were looking at other offerings, I’d be interested to know what you choose

@FurryBeta well i was GONNA choose bitwarden and vaultwarden, til this supply chain compromise happened. im looking at keepassxc, but the syncing is 100% manual, so we'll see i guess

@Viss If they have had a history of bad practices, please let me know and I’ll switch to something else. I’ve gotten burned before by giving too much benefit of the doubt

@FurryBeta if you havent updated bitwarden since after the commit with the espionage in it, thats probably a good sign. i'd hold off on updating it for several months at least, just to be on the safe side. but we now know that code in their codebase was corrupted by a nation state attacker with the intention of stealing passwords

@Viss I primarily use browser extension for Firefox, and iOS apps. They auto update so I need to look at what versions they are and if they’re affected.

Anymore, it seems like anything we get, we need to check not just once, but several times before clicking any links, even if we’re expecting a link. It’s actually rather sad

@Viss Someday password managers will stop being considered a recommended practice.

@Viss "Just do it on prem," they said.

"It'll be fine," they said.

;)

@neurovagrant im not sure bitwardens github account getting popped qualifies as on prem tho :D

@Viss go to a password manager they said. It will be fine they said.