Hi everyone! For… I guess over a year now? I’ve been observing and trying out lots of software recommended by the privacy community and internet as a whole. With that time, I’ve been able to slowly put together a list of all the software I personally believe to be the best for their own various reasons. I finally have enough to be able to share it with all of you!
I’m also looking for feedback. I haven’t tried all the software on that list, and I’m sure there’s software I’ve never heard of that needs added. I’m looking for your feedback on what you think should be added, removed, or changed. That includes the list itself, if you think there are any design improvements.
Do note: Any software marked with a ⭐️ I am not looking for feedback on. This is software that I firmly believe is the best of the best in its category, and likely will not be changed. However, if there is a major issue with the software that you can provide direct proof of, then there is a chance it will be changed in the next release. There are no grantees.
The sections marked with ℹ️ are lacking, and can use your help! Some software there may not be the best one, or may have many software or sections missing. I am absolutely looking for help and feedback here, and would love your help!
My goal with this project is to help people find the best software from many standpoints, and to prove that there really are good open source alternatives for almost anything! I hope this helps someone, and I look forward to your feedback!
Thank you all for reading and taking the time to look through my list!
Edit: This project has moved to GitLab!
This still requires a server setup, focused entirely on passwords. Why do that?
Why not just use KeePass or KeePassXC, and use Syncthing for this and general files, or KeePassXC’s keeshare sync to sync the files without any hosting, server, or other services.
Extremely simplified tldr: both of these are like a authenticated private bittorrent, where the “tracker” only helps you find yourself on another devices, no data is ever sent outside of your authenticaed devices, and all transmissions are encrypted as well.
Few reasons, with the most important being convenience. Syncthing is going to see just a binary blob as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn’t sync yet the changes (this is quite common for me on android, where syncthing would drain the battery quite quickly if it’s always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have easy n-way merge of changes because its change is part of a change set with time etc.
Besides that, the moment you use syncthing from a threat model point of view, you are essentially in the same situation: you have a server (in case of syncthing - servers) that sees your encrypted password data. That’s exactly what bitwarden clients do, as the server only has access to encrypted data, the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should worry also of the (random, public, owned by anybody) servers for syncthing that see your traffic.
Keeshare from my understanding does use hosting, it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it’s not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that’s the same once again.
The thing is, from a higher level point of view the security model can only be one of a handful of cases:
The more you go down in the list, the more you get convenience but you introduce a bit of risk. Tl;Dr keepass with keyshare/syncthing has the same risks (or more) than a Bitwarden setup with bitwarden server.
In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.
Edit: I can’t imagine this comment to be deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers
There’s often the ‘security vs. convenience’ tradeoff, but for most people you have both sides with Bitwarden over KeePass.
Bitwarden is undoubtedly more convenient. If you can create an account, you can use it. I have a family account, and have both of my parents using it. The love it now, but given the friction to get them there in the first place, it would impossible to get them on KeePass. Especially because they wanted their passwords on all devices.
Regardless of using Vaultwarden or KeePass, you need to have quite a bit of expertise to self host. And you are trusting your own ability to secure your attack surface. I’m sure many if not most in this thread can, but it would take me quite a while to convince myself I have. I would much rather trust security professionals.
Somewhat, although, potentially related. Have you seen Bitwarden’s git repos? It is immaculately organized.
Consistent, clear naming convention. There is literally one called ‘self-host’. If you put that much effort into keeping your code that useable/available/auditable etc. Oh yea. I’m going to trust you to handle security for me