6
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Feb 2026
6 points (75.0% liked)
Technology
84275 readers
318 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
tl;dr:
and an observation or two:
And simultaneously less secure because it's up to you to handle keeping your vault synced between various devices and most people are significantly worse at keeping systems secure than the professionals at the password managers.
Self hosting a server of some kind or using something like Keepass on a single device (with offline backups) is the most secure option, but as usual with security doing so trades significant convenience for security. For most people who are uninterested in making sure their servers are kept up to date week to week letting professionals handle it is the better option.
Sure, but at the end of the day even if you don't update your vaultwarden server or you rely on an insecure storage sync system like dropbox, your actual vault is encrypted with a key that only you know. Even if your server is hacked or the kdbx is leaked, your passwords are safe until someone breaks AES.
Contrast that with hosted services, who could very easily attach their own keys to your encryption key (whether now or in the future at the behest of the state) and you'd be none the wiser. E2EE doesn't matter much when the other end is controlled by someone else.
I'm not disagreeing that most people just want something to work without thinking about, and for that reason I'm glad that services like bitwarden and lastpass and protonpass exist. My intent was not FUD, just shining a light on the fact that keeping your passwords secure does not require trusting a company.
not really the case: https://lemmy.ml/comment/24008121
how would official Bitwarden be able to accomplish that? apart from this vulnerability, they can't use their servers to add their own keys.
It is not less secure.
If the Bitwarden servers are compromised (either by hacking or by being forced to by the government of the country where they are hosted) then code could be run which would allow the attacker to receive your plaintext password and that is used to decrypt your data.
If a user is so horrible at syncing that they accidentally synced their database file to a public Twitter post, it is still protected by AES-256 which can't be broken by a simple subpoena.
In either case, syncthing is pretty simple to use and is the common recommendation for the kind of small personal file sync that you need here. It also adds an additional security layer, on top of the unbreakable AES-256 encryption, to the whole setup.
These attacks can happen through server impersonation as well. The actual cloud servers need not be compromised, just the user's browser has to be. This attack can then leak passwords and allow malicious parties to even gain access on the actual cloud servers apparently.