I rely on Bitwarden (slooowly migrating from… a spreadsheet…) and am thinking of keeping a master backup to be SyncThing-synchronized across all my devices, but I’m not sure of how to secure the SyncThing-synchronized files’ local access if any one of my Windows or Android units got stolen and somehow cracked into or something. I’m curious about how others handle theirs. Thanks in advance for sharing!

  • catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    7 months ago

    I have encryption enabled on my devices. If they get stolen, a casual thief isn’t going to be able to break it. At most they’ll wipe it, but they’ll probably just fence it as-is or for parts.

    • fine_sandy_bottom@discuss.tchncs.de
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      This is the way OP. Centralised services are just too much a target for bad actors.

      You already have syncthing so most of the way there.

      Also built in TOTP / 2fa is pretty great.

      • shiftymccool@programming.dev
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        Also built in TOTP / 2fa is pretty great.

        I can’t wrap my head around how this is a good idea. Isn’t the idea of mfa to protect against password theft? If your second factor is stored with your password, how does that help anything? Honest question, I see this everywhere but can’t figure out why it’s acceptable with security-minded folks

        • RobotZap10000@feddit.nl
          link
          fedilink
          arrow-up
          0
          ·
          7 months ago

          If someone were to pinch a password through a phishing site or a key logger they would still need to unlock your .kbdx file. The way I see it, if an attacker has cracked your database, you already screwed up 20 steps ago. (Sharing your .kbdx, using a weak password for it, not changing your other passwords) I think that 2FA on a different device is too much of a hassle for how much extra security it can bring.

        • Kayana@ttrpg.network
          link
          fedilink
          arrow-up
          0
          ·
          6 months ago

          Late reply, but for me personally, I started doing it because my Keepass database is already accessed using two factors (password and key file). Therefore, I’d gain very little by keeping the second factor of those sites external - essentially, those second factors are compounded into the second factor for the database.

        • fine_sandy_bottom@discuss.tchncs.de
          link
          fedilink
          arrow-up
          0
          ·
          7 months ago

          Yeah fair question. IMO it def makes things less secure, but it’s a question of how much less?

          As in, if all my passwords are “sexG0d” then 2fa is critically important, but if all my passwords are long and complex and unique then 2fa is still another layer but it’s much less critical.

  • Joël de Bruijn@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    7 months ago

    I prefer another tactic if I may share:

    • Database in production: let Bitwarden clients sync the native way Bitwarden offers.
    • Database in backup: let a dedicated backup service keep your database save.

    I dont know if this could be done automatic (just backup the production database) or if this has to be done by export (by hand once in a while).

    Doesnt matter from which device the backup originates because the native sync will keep them all the same usually in seconds.

    • Showroom7561@lemmy.ca
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      My wife does the same, and I can’t tell you how many times a day I have to help her reset passwords, figure out if something is an “1”, “i”, “l”, or “|”, or decide what needed to be capitalized.

      Even though I have Bitwarden installed for her, she just “prefers” paper like some people prefer to stub their toes.

      • GolfNovemberUniform@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        You should try to teach her how to be more careful and clear when writing passwords. It can be hard if she’s living in constant rush but it’s a very useful skill. And btw I just always underline capital letters. Always works

  • pol5xc@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    Pass on Linux with a private git repo with search extensions for gnome and Firefox, and android password store on my phone.

  • tiny@midwest.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    7 months ago

    Bitwarden keeps a local copy of the data that can exported if something ever happened to bitwarden. If you want to keep an encrypted backup you can export the CSV and store it on an encrypted drive as a backup but not big worry about syncing it to all devices

    • skilltheamps@feddit.de
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      7 months ago

      This is the correct answer, every device you use a bitwarden-client regularly on automatically becomes a backup

  • unknowing8343@discuss.tchncs.de
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    Bitwarden already stores a local copy on all devices you have it installed. Just make sure you load up those devices from time to time… And guess what, you are probaly already doing that with your phone and laptop (which actually contains generally 2 copies, 1 on your actual client and another for the browser extension. Add a third device for good measure and… Oh, you also have a backup on bitwarden.com, this thing literally backups itself everywhere!

  • Archon of the Valley@infosec.pub
    link
    fedilink
    English
    arrow-up
    0
    ·
    7 months ago

    Proton Pass. If you’re comfortable with cloud E2EE managers, it’s far more worth it than Bitwarden, since you get unlimited email aliases. Better for privacy and even security. Plus, I trust Proton, they have a phenomenal track record in terms of security and encryption.

    • Dymonika@beehaw.orgOP
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      they have a phenomenal track record in terms of security

      I read that they have bowed to email subpoenas in the past.

  • Manalith@midwest.social
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    I was using Bitwarden up until I moved my email service to Proton. Now, I just use all their things, but I didn’t have any issues with Bitwarden personal. I do have some issues with their organization accounts though.

    • Dymonika@beehaw.orgOP
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      7 months ago

      I do have some issues with their organization accounts though.

      Like what? And is Proton Pass open-source?

  • CCRhode@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    I’m agnostic about password managers, and I’m agnostic about sync’ing password repositories between devices. I believe there would be grave risks of losing access to my own repositories by misplacing their pass-phrases or bungling other kinds of authentication. I try not to put anything on portable devices that is super confidential. On the other hand, I restrict physical access to my desktop computer. I back it up continually, power it from an uninterruptible power supply, and run only a handful of server-side processes there. … so I feel safe … sort of.

    I suppose it may seem heretical to members of this community, but I put all my passwords in a plain-text *.csv file on my desktop machine that I maintain with my own python script.

  • Entertainmeonly@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    I don’t really understand why passwords are so hard. Take two words that have meaning to you. Two number sequences that are important. Then lastly decide on two symbols. That’s eight different passwords if you use one of each in that order, more if you want to mix the order. Now set rules to each. One word for personal one for business. One number set for fun the other for essential. The symbols are rather arbitrary but I try and stick with one for passwords I’m forced to make the other for passwords and logins I’m wanting to make. Obviously make unique passwords for any important stuff like baking and such but with this method I can log into accounts over ten years old within the first two tries. Usually it’s the user name or tag that gives me the real trouble.

    • Imprint9816@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      7 months ago

      Or just generate a random series of 5 words (through bitwarden) separated by the character of your choice and have a much better password that’s relatively easy to memorize.

      Relevant xkcd

    • InputZero@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      This might have been acceptable 20 years ago but it’s not a strong enough policy today. Data theft happens all the time and it’s in the interests of a company who’s security has been breached to not tell you that your data has been taken. You should assume that at anytime someone has several examples of your login credentials, not just one. You should use a password manager that isn’t Chrome, Firefox, Safari, ect.

    • lud@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      You entire system could be compromised quite quickly if someone figures out the pattern. It’s also susceptible to hybrid attacks.

  • zarenki@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    For years I’ve been using KeepassXC on desktop and Keepass2Android on mobile. Rather than sync the kdbx file between my devices, I have each device access it through the network. Either via sftp, smb, or nfs, but regardless I need to connect to my home’s VPN to access it when away from home since I don’t directly expose those things to the outside world.

    I used to also keep a second copy of the website-tied passwords in Firefox Sync, but recently tried migrating that to Proton Pass because I thought the PIN feature might help, then ultimately decided to move away from that too and start using the KeepassXC-Browser plugin instead. I considered Bitwarden too but haven’t tried it out yet, was somewhat deterred by seeing people say its UI seems very outdated.

      • not_amm@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        Syncing files that you may open in both (or more) devices at the same time is unsafe with any service, but you can manage to avoid sync conflicts with KeePass if you do not open the same file at the same time or open the Android app in read-only mode. I’ve only had like 3-4 conflict files this year and they weren’t important.