they claim to be "zero trust" / "zero knowledge" yet there is no way to set the master password through the mobile / desktop client, they redirect you to their web app, which you can obviously not trust, at anytime they, or someone that compromised their server could serve you custom js that'd steal your master password.what a fucking joke, how are people even recommending this shit.i'll stay on keepass thanks.
>>106825770>what a fucking joke, how are people even recommending this shit.normally people just selfhost vaultwarden but you decided to be a consumer
>>106825770just host your own bitwarden/vaultwarden server?
>>106825770>"if I use the cloud version, it has the risks of a cloud version!!" This is what troonix does to people.
>>106825782same problem applies when you self host, you still have to go through the webapp.this should ALWAYS be settable through the client.
>>106825806you don't trust the html files served from your own device?
>>106825806but the webapp is hosted on your server and doesnt need any internet connectivity brainletto
>>106825788>>106825800>>106825806to add to that, the prroblem still applies if you self host.and even then, they could have made it so that you could set it through the client, this is not a muh cloud version problem, this is a bad design problem, the master password should never be set through a web page, there is no reason you cannot do it through the client.>>106825811even if you trust bitwarden, they could be compromised by a third party, same thing if you self host, the whole point is that it's an unecessary weakness, it should not exist at all, there is no reason you couldn't set the password from the localy installed client.
>>106825824there is no security difference betweeen a selfhosted website and a program>even if you trust bitwardenI use vaultwarden
>>106825770my only problem with bitwarden is that their client (desktop, mobile and browser extension) constantly insists on being updated. browser extension basically updates automatically. this opens users to attacks from feds since they could force company behind bitwarden to deploy a version that steals your master password.
>>106825815> no internet connectivitywell done, you lost the whole point of a sync service...>>106825843> there is no security difference betweeen a selfhosted website and a programthere is, my computer isn't the same threat model as a vps.the vps could be compromised an my computer not, in such case, if the master password was set through the client, it'd not be an issue, however if it is set through a web app it is.and muh run it on a local machine now gets to huge level of cope on something that just is a bad design.
>>106825843>>106825854> i use vaultwardensame thing, master password is still set through the web app afaik.
>>106825848that too.you don't *have* to use the extension though.afaik you can also block auto update of them or install it through a git clone instead of the store.
>>106825770Donβt care, all my passwords are the same. The important accounts have 2FA anyway.
>>106825854use vpn to connect to your home network, brainlet.
>>106825854kek retard
>>106825770how often are you changing your master password? have you opened a ticket with them?
>>106825869> all my password are the samenot a good idea in general> The important accounts have 2FA anyway2FA is a meme and a pita>>106825876cope, i don't want my password manager to stop synching because i had a power break at home or my isp got a seizure.
>>106825865>afaik you can also block auto updatehuh, you're right. I didn't know that. thanks anon.
>>106825887I typed up a response but then I realized you were a NIGGER
>>106825887>not having an ups and backup internetback to /v/
>>106825897i'm whiter than you faggot.i'm Swiss.
>>106825898i don't play gayms
>>106825910I typed up a response but then I realized you were a NIGGER
>>106825918you just have no counter argument so you resort to insults, you are the one acting like one.a nigger would not tell you that he hates niggers.
password managers are glowie scams
>>106825897>>106825918
>>106825806A webapp is just a client that gets downloaded in your web browser, you moron. If you're selfhosting Vaultwarden, then the webapp files live in your own server and then get downloaded onto your client device as needed. None of this involves making connections to Bitwarden's servers.Just say that you're a tech-illiterate retard in your initial post next time. Regardless, Bitwarden is shit, selfhosted or not. Use Keepass instead.
a niggars fujucked my cockis harrible so harriblewhy does niggars does that
>>106826043retard, it's a web page, each time you load it the server sends js to your browser.at any time they could decide to send some other js that would just send them your master password as plaintext.if it was a local client this couldn't be done as the code is already on your machine and not downloaded through the web each time.the whole point is that with this mechanism, if the server, self hosted or not is compromised, then your master password can be stolen.this problem could be avoided entirely if it was being set from the localy installed client instead of a web page.you are the one that's fucking tech illiterate, this has been a known issue forever in anything that claims "zero knowledge".you fundamentaly cannot trust a web page not to steal what you input into it even if they claim so.you can for software you build and run on your machine assuming the machine is not compromised.
>>106825770Passbolt is better
>>106826078The absolute state of g lmao>wot if your computer gets hacked when you self host?!? Huh, have you thought of that?! That wouldn't have happened if you self host and use a desktop app instead (somehow)
>>106826252retard, you keep defending bad design, that's beside the point.you essentialy have to trust the server when with a better design you wouldn't have to.instead of having to trust one computer, you have to trust 2.you are just coping and only niggers behave like that.there are no reasons for it to be less secure than it could be, especialy when it's such a trivial change.
>>106826327>you HAVE to run the webapp on a different computerLmfao stop embarrassing yourself retard
>>106826516you have, the whole point of bitwarden is to sync accross device, otherwise you may as well use keepass.you just cannot justify the web app, there are no technical reason for it, it only increase the attack surface for no reason whatsoever.it is widely known that web app for any client side encryption is retarded and a bad practice.
>>106826561>you haveSays who? You think webapps only work if served remotely?
>>106826002TF is your shit so dirty forLiteral greasy stains on your monitor base lmfaoYou are nigger tier
>>106826584there is no grease on it it's textured.show skin or stfu.
>>106826566no, but you lose the whole point of using bitwarden if not remotely.the whole point is to sync between different computers.and anyway, that's beside the point, the part that store the password should not have to be running in a trusted environment for security not to be compromised.i'm starting to think you are a shill paid by them.
>>106826698>and anyway, that's beside the point, the part that store the password should not have to be running in a trusted environment for security not to be compromised.this has to be bait
>>106826729this is not, they claim "zero knowledge" but the current architecture isn't.they can tell that they don't store your master password.but technicaly nothing would prevent them to.they could not store it for most users and then decide to change another js file for some specific users such that they can steal their master password.you just completly ignore the point because you want to be right, you know that i am, so now stfu and admit it.there are no reasons to not let the user login through the localy installed client, NONE.forcing to use the web app reduce security and trust for NO reason at all.
>>106826751>and anyway, that's beside the point, the part that store the password should not have to be running in a trusted environment for security not to be compromised.damn does Bitwarden have secret technology to extract data from self hosted private environments?
>>106826764>but technicaly nothing would prevent them to.Wanted to cite this
>>106826764i'm talking about their cloud solution, point being they lie about it being "zero knowledge".also, even in the self hosted case, that issue still applies if a hacker compromise your server, you may do all the mental gymnasitcs you want, that's still more attack surface for NO reason at all, NONE.
>>106826777>>106826764Finally i'll add that if they make such dubious decision, that obviously reduce the trust i have in the whole product in general.you can't deny it's bad design, there are NO reason to do it, ZERO, NILCH.even if you say "muh self hosting", that's beside the point, bad design is bad design.
>>106826777>cloud solution>zero knowledgeGenuinely how fucking retarded are you?
>>106826787>there are NO reason to do itOk sar only c# winshit apps from now on pls
>>106826855this is doable, only one change from the way they are doing it and it can be zero knowledge.the idea is that they only store data that was encrypted on the client before they received it, and thus, they cannot access it.>>106826861i hate pajeet langs, and already proved that i am white as well.i also don't use winshit.heck, the program is a gui, there is a cli too.my only point is that you shouldn't need webshit to set and change your master password.and if you want to talk about jeets, there is nothing more jeet like than webshit.
>>106826855>>106826904also they CLAIM zero knowledge, thus my whole point that they are liars.
what do people think about keeweb if I want to stay with keepass on chrome os?
>>106826078>retard, it's a web page, each time you load it the server sends js to your browser.The server in question being your own personal server sitting in your house, you mouth breather.>at any time they could decide to send some other js that would just send them your master password as plaintext.They would have to update the server's code, which is open source in the case of Vaultwarden, and you would then have to install that update. So you're welcome to just go check the Github and see whether they're doing anything like this.>the whole point is that with this mechanism, if the server, self hosted or not is compromised, then your master password can be stolen.That is true of literally every program you run on every device you own. At some point you have to either trust SOME things or just forsake computers entirely and do everything on paper, which may actually be a reasonable position in 2025.tl;dr: you're a dumb negro.
>>106825770Just wanted to say that bitwarden's auto complete sucks and is the main reason I use keepassxc instead
>>106827227>The server in question being your own personal server sitting in your house, you mouth breather.maybe for you, i don't want to bother with a home server just for a password manager, i rather use a vps even if i don't fuly trust it.> They would have to update the server's code, which is open source in the case of Vaultwarden.not necessarily no, if your server is compromised the attacker could just replace the existing installation with a modified one, or just spoof it at the request level without even having to modify the server itself.still apply for their cloud option especialy since they claim "zero knowledge", so false advertisement with that architecture.> At some point you have to either trust SOME thingsmy point is that the device running the server code shouldn't need to be trusted, but just for the fact that you have to use the web page to set and change the master password, you have to, just admit this is bad design when there are literaly no technical limitation preventing it from setting it on the client side.> dumb negroi already proved i'm white, have you ?>>106826002
>>106827383>my point is that the device running the server code shouldn't need to be trusted, but just for the fact that you have to use the web page to set and change the master password, you have toWhy? Do you think web apps are some magical server only component?
>>106828020the setting and changing of the master key can ONLY be done through the web page.this is an attack vector that wouldn't be an issue if you did it from a localy installed client.especialy if you built it yourself or use a binary that was built deterministicaly ie nixos.nothing about magick.it is a fact that if you type your master key in the web page they serve you, they could theoricaly steal it, either through being compromised by a hacker, either because glowies asked them to steal your master key for them, or other various reasons.you shouldn't even need to trust the server, and you don't have to if you set the master password from a localy installed client, you have to if you do it through a web page served to you by the server.what are you not understanding ?
Why do people get mad about something they don't use?
>>106828417because i wanted to use it but it turns out to be utter shit, yet people still recomend it.
>>106828400NTA. You realize depending on the display server you use, everything running on your computer can read all inputs (keyboard, mouse) of different client applications? Why is that better than just the web server getting that data?
>>106828455Unrelated that's another threat model.If you enter credentials in the web page and your computer is not compromised but the server is, they can steal your credentials, they couldn't if your could set your master key from the localy installed client.If your computer is running malicious software, your password manager is the least of your worry.I trust more my own computer than the server, i know exactly what software I'm running.Point being, it's needless attack surface, there is no technical reason preventing them from making it trustless, they claim to be zero knowledge but that's false.Anyway, this glows a thousand miles, the feds could ask them to target specific users and steal their key any time they change it with the status quo.
>>106826002nice job providing your fingerprints to the entire internet dumbfuck, now some alphabet boys know you use this degenerate website
>>106830440They already knew and i don't use them for anything.
>>106825857are you retarded or just pretending to be?
>>106832106> no argumentopinion discarded
