by haunter 1589 days ago
What if https://bitwarden.com/ gets hacked? Please don't say self-host cause that's not an option for most regular people. At least with KeePassX/KeePassXC you can use that on its own without an online account.

The fact that I have to create an account and an online vault with a master password is the biggest turnoff for me. https://vault.bitwarden.com/#/register

2 comments

> What if https://bitwarden.com/ gets hacked

They only store the encrypted vaults, which is useless without your master password. So even if it is hacked, the only thing the hackers get is an encrypted blob.

> you can use that on its own without an online account.

That is because KeePassX/KeePassXC is an offline app that reads a database (.kdbx file) you have on your computer. Bitwarden is for people who want to use their password manager on multiple devices. So an account is necessary.

How do you use Keepass across multiple devices? Please don't say Syncthing cause that's not an option for most regular people. And if you use something like Dropbox, what if https://dropbox.com gets hacked?

> The fact that I have to create an account

This is for authentication (needed for syncing across multiple devices).

I am fully aware I wear tin foil, but my passwords will never be online.

Simply collecting them makes them a potentially valuable target, and even though encrypted, it can be cracked with enough time and money.

edit: KeepassXC user here too.

I would assume that the most likely issue you would face is malware running on your own computer that captures the master key or sends passwords back to an attacker. Not someone gaining access to the encrypted password vault and then cracking it - unless you have a very weak key.

No weak key here, and you may be right, but my main concern is that encryption is only strong in a given time period.

If someone could gain a copy of a known high-value ciphertext, they may not be able to crack it now, but time is on their side, and I can't recover the file once it is out there. My only recourse is to speculatively rotate passwords inside the file.
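To make the two points in this thread concrete, that the service holds only an encrypted blob plus a separate login credential (the first replies above), and that the blob's safety then rests on the master password and the KDF work factor rather than on the service staying unhacked (this exchange), here is an added Python example. It is not Bitwarden's code; it follows the general client-side pattern of a password manager that derives both the vault key and a distinct server-side authentication hash from the master password, and the email-as-salt, the 100,000 iteration count and the one-iteration second derivation are assumed example parameters.

```python
import hashlib
import hmac

# Assumed example work factor; real clients use the vendor's documented
# settings, which have been raised over time.
KDF_ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str,
                      iterations: int = KDF_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the vault encryption key.
    The account email is assumed as salt. This key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: derive a separate login credential from the master key
    (salt choice assumed). Only this value is sent to the server; PBKDF2 is
    one-way, so the server cannot recover master_key or the vault from it."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def server_verify(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """Server side: the only check the service can perform. It stores just this
    hash (in practice hashed again at rest) and the opaque encrypted vault."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


def expected_offline_guess_seconds(password_entropy_bits: float, iterations: int,
                                   sha256_per_second: float) -> float:
    """Expected time for someone holding a stolen vault blob to recover the
    master password by exhaustive guessing: half the keyspace on average, each
    guess costing `iterations` SHA-256 evaluations. The service's secrecy does
    not appear here; only the password's entropy and the work factor do."""
    guesses = 2 ** (password_entropy_bits - 1)
    return guesses * iterations / sha256_per_second
```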

> What if https://bitwarden.com/ gets hacked?

Bitwarden is self-hostable FOSS. You can easily run your own server instance, if you are, wisely, concerned about the security risks inherent in SaaS.

...but not wisely concerned about the security risks of running your own SaaS on your own server, and have enough spare time and energy to meticulously implement proper security procedures, and keep it up to date, safe and secure, 24/7.

He said "Please don't say self-host" for a good reason. Do you really believe that most regular people have the free time and technical skills and security chops to "easily run your own server instance" safely and securely?

If you think that's "easy", then you're doing it wrong.

Linux is only free if your time is worthless. ;)

> ...but not wisely concerned about the security risks of running your own SaaS on your own server, and have enough spare time and energy to meticulously implement proper security procedures, and keep it up to date, safe and secure, 24/7.

Run it behind a VPN? Use a properly secured containerized image? Implementing good security is much easier at small scales than at large scales.

> Do you really believe that most regular people have the free time and technical skills and security chops to "easily run your own server instance" safely and securely?

Who's talking about "regular people"? We're discussing what solutions we -- users of HN -- find most effective for our own use.

> Linux is only free if your time is worthless. ;)

My experience, especially in a business context, has been quite the opposite. Implementing complex projects with proprietary vendor solutions involves a vastly greater amount of time dealing with requirements analysis, project scoping, contract negotiations, support escalations, etc., only to be locked into something proprietary and idiosyncratic, a sealed black box where even trivial modifications require another round of analysis, project scoping, etc., usually with a hefty cash payout.

Conversely, the time we spend setting up and maintaining self-hosted FOSS solutions improves our own knowledge and skills such that every subsequent project becomes incrementally easier, and therefore much faster to implement.