379
"The Quiet Renovation at Bitwarden" (it isn't good) (blog.ppb1701.com)
submitted 5 days ago by RotatingParts@lemmy.ml to c/privacy@lemmy.ml
133 comments fedilink hide all child comments

If you are interested in privacy you are probably interested in password storage ... plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.

you are viewing a single comment's thread
view the rest of the comments
[-] irotsoma@piefed.blahaj.zone 1 points 4 days ago

It uses a database and it's totally possible to use SQLite as the database and sync that elsewhere. You could then find or make a small client that just accesses that db directly rather than a web service, I suppose. Though there are already several apps out there that store passwords locally and their data files can be synced, if that's what you want.

But if you're doing that then you may not be using this in the most common way or may not understand the risk involved. This is likely to have every one of your logins, not just a single login that may or may not be used on other sites, but the specific username and password and which site it's associated with. On addition to access to those accounts, this links all of your accounts to a single identity which companies spend billions to do with advertising IDs, cookies, embedded scripts, and lots of other, usually shady, practices. This is a gold mine, though usually only for one or a few users, so generally not a major target unless you're being targeted personally for some reason. So, even if they don't get the passwords, they've now linked every account you have on every site to your identity.

If you are allowing the database to be relatively easily obtained by syncing it to a central location accessible over the internet, a bad actor who gets it can even take their time brute forcing any encryption that may be present in the database, but if you don't keep encryption keys only on your local device because you want to be able to use it elsewhere, then you probably stored the keys along with the db and they dont even have to bother with that, or if it uses password based encryption, they just have to guess or brute-force a single password.

If it's behind a properly secured web service, then even if they find an exploit in the server software, they likely have to do many queries over time to get much data and the server can mitigate that risk and/or alert the owner about new logins and such. A database in the hands of the bad actor can't complain about too many attempts to access it or notify anyone that it's been copied.

So, IMHO, it's a bad idea to use synced local password managers unless you have a very robustly secure way of storing the database and the encryption keys.

[-] WhyJiffie@sh.itjust.works 1 points 2 days ago

This is likely to have every one of your logins, not just a single login that may or may not be used on other sites, but the specific username and password and which site it's associated with. On addition to access to those accounts, this links all of your accounts to a single identity which companies spend billions to do with advertising IDs, cookies, embedded scripts, and lots of other, usually shady, practices. This is a gold mine, though usually only for one or a few users, so generally not a major target unless you're being targeted personally for some reason. So, even if they don't get the passwords, they've now linked every account you have on every site to your identity.

afaik everything is encrypted. not like a big blob, but the properties of items are encrypted separately, if the encrypted export format has anything to do with the database structure

[-] irotsoma@piefed.blahaj.zone 2 points 2 days ago

That's positive at least. I hadn't looked at that part. Still having the whole dump of data and attacking it locally vs having to query a web server repeatedly for each attempt is a major advantage. This is why I significantly prefer Vaultwarden over a synchronized database, especially if it's publicly synchronized in a publicly accessible git server or something making it relatively trivial to copy.

[-] asdfasdfasdf@lemmy.world 1 points 3 days ago

Yeah I was imagining a system more like Password Store - use Git to version control secrets which are encrypted using some form of asymmetric encryption.

You store the private key somewhere you control, like a USB drive or something. Same as Bitwarden's master password.

[-] irotsoma@piefed.blahaj.zone 1 points 3 days ago

Yeah, there's still a risk if you're exposing the encrypted passwords. For example there is still some risk that governments have backdoors in some kinds of encryption, which of course means other malicious actors do as well. And there's still brute forcing which is mitigated with a webserver layer in front of the raw data.

But there are lots of existing applications for that like keypass and its forks. Vaultwarden is more about the web services front end to the data than the data storage itself. And a web service benefits from a relational database over a flat file.

this post was submitted on 18 May 2026
379 points (99.2% liked)

Privacy

48752 readers
494 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz