Can someone please help me understand why you would want to have your passwords in the cloud? I’ve been using Keepass for about the past 15 years. I always just sync the db between computers/mobiles. Its never been an issue. Is having it in the cloud really that big of an advantage?
False sense of security.
The moment to fuck up certificate issuing and don’t use a wildcard certificate, the subdomain is public and will be probed to hell and back. And due to regex, probably by bots specialized to probe password vaults.
Wish you best of luck and security.
But I’ll stay here :)
there’s also the fact that hackers probably don’t know I’m hosting it. Where as bitwarden hosted makes for a very very juicy target
Please point me to where keepass is mentioned
Besides that:
Yes, keepass is only an encrypted database-container but that comes with it’s own downsides.
Syncthing can manage the syncing with stun-servers circumventing the port forwarding issue but it’s also a burden to manage it.
Btw a geuine question:
How does keepass manage simultanious access by two devices? Is the database write-locked during an editing action?
And how does it combat silent corruption?
I’ve been using Keepass for about the past 15 years.
When you jump into the middle of a conversation, this is what happens. In fact, I already answered your question. Even though you seem to be acting in bad faith, and you’re trying to get a “gotcha” out of me… I’ll elaborate a little
I use a Nextcloud Server (there are other network sync tools as well). I have the Keepass file on the server which syncs with my remote devices. If I make changes to the database, it syncs with the cloud server which pushes the changes to the other devices. I have NEVER had a situation where I needed to make changes to the databases on two or more devices in parallel, nor can I think of a use case. My guess is that in such a situation, whichever file was saved last would be the one last saved by Nextcloud (overwriting the other edit). So your “gotcha” is valid but rare. The other option is to use the web app for Keepass in Nextcloud (not sure if it’s still being developed though, it’s been a long time since I used that).
Anyway, the point of my question was to understand why people use a cloud service for this when it can be easily done (and be safer) than relying on a 3rd party cloud. From what I can tell it’s “convenience”.
You need to turn down your suspicions.
Can’t ask questions without drawing the wrath of some users here…
Anyway:
I thought about it but in the end went with Bitwarden just because it’s convenient and didnt feel like entering the security minefield.
Same was for pictures (kept them on my PC and that was backed up to another drive) and E-Mail.
As my gear improved I started to use Immich.
E-Mail is still outsourced as I can’t and don’t want to deal with getting put on spam-lists and having to deal with getting of of it (had the pleasure of getting my domain already marked by google safe browsing).
The “gotcha” about conflicting (as you put it and trying to infer further bad faith conversations) was more about edge cases biting you in the ass.
Not fun having to search accounts if you expect them to be securely saved in the vault but not being there.
Anyway, the point of my question was to understand why people use a cloud service for this when it can be easily done (and be safer) than relying on a 3rd party cloud. From what I can tell it’s “convenience”.
That’s mine and being under the assumption a corp that is specializing and programming a security product is probably better at it than me.
And so far the behavior from Bitwarden after being audited and their current breach-history gives me enough faith for now.
They had some oof-moments like master-password are used to encrypt the vault and weak encryption protocols with weak encryption parameters on top
But they werent enough to start a transition elsewhere.
Syncing is a problem without a seamless solution. The official syncthing app for Android is abandoned and syncthing-fork isn’t trustworthy and feels vibe coded. Nextcloud is way too bloated for simple vault syncing.
I’m personally warming up to the idea of using pass.
Natural disaster -> no longer can access everything you have online, including bank and insurance accounts, at precisely the time you most don’t want to deal with that.
If something happens to me and I am incapacitated, or worse, my wife or my brother can request access to my vault and without any action in my side for a week they will have access to my vault. (Emergency access feature in bitwarden)
So it does not add the stress of needing to call ALL the utility companies, bank, school … To reset passwords or request emergency access.
I saw that first hand with my brother in law who had an accident and went into a coma. We were lucky that his computer wasn’t locked and all his password accessible on it.
Pretty much this. Cloud storage isn’t perfect, but it sure does make proper 3-2-1 backup hygiene easier. 3 backups, on 2 different mediums, 1 of them off site. Cloud storage accomplishes both the 2 and 1, because it is both a different medium and off site.
The fact that you can automatically sync remotely is a big bonus too, because off-site backups historically have a problem where they fall out of date without active attention. For instance, if you have a tape backup system stored in a warehouse across town, those tapes are only as up-to-date as the last time you took the time to drive across town and update them. But with cloud storage, you can automatically sync your folders to keep things up to date in near real time. Plus, your traditional off-site backup is only as secured from things like natural disasters if you’re willing to travel fairly long distances to make them. Those tapes in a warehouse across town won’t survive if the entire town is hit by a natural disaster like a wildfire or flood.
For instance, maybe I make an update on my laptop, and then want to access it on my phone. Even with SyncThing, my laptop and phone won’t sync with each other unless they’re able to find each other on the same network. If I’m not on a trusted network at the time, (e.g. I’m at work on my employer’s WiFi, or traveling and using hotel WiFi) that makes syncing difficult. But with cloud storage, they can both essentially use that as a relay. My laptop updates the cloud, and then my phone pulls that update. Now both devices are up-to-date without actually needing to discover each other on a trusted network.
I’m currently (for the past 5 or six years) using a nextcloud server (remote) where I store the master. My desktop is typically where I make changes but sometimes on my mobile devices. No mater where I edit the database it gets synced. Knock on wood, but I’ve never had as issue.
You can have both and keep a local copy via export once in a while.
If the cloud goes down the also most likely your bank website.
If you’re talking about other types of secrets then the first sentence will apply
Can someone please help me understand why you would want to have your passwords in the cloud? I’ve been using Keepass for about the past 15 years. I always just sync the db between computers/mobiles. Its never been an issue. Is having it in the cloud really that big of an advantage?
Not interested in selfhosting and risk a data breach.
It’s imple: Who is better equipped to combat a hack? You or Bitwarden?
Definitely me.
there’s also the fact that hackers probably don’t know I’m hosting it. Where as bitwarden hosted makes for a very very juicy target
False sense of security.
The moment to fuck up certificate issuing and don’t use a wildcard certificate, the subdomain is public and will be probed to hell and back. And due to regex, probably by bots specialized to probe password vaults.
Wish you best of luck and security.
But I’ll stay here :)
You do realize that a keepass db is simply an encrypted file, right? Its not a web server.
Please point me to where keepass is mentioned
Besides that:
Yes, keepass is only an encrypted database-container but that comes with it’s own downsides.
Syncthing can manage the syncing with stun-servers circumventing the port forwarding issue but it’s also a burden to manage it.
Btw a geuine question:
How does keepass manage simultanious access by two devices? Is the database write-locked during an editing action?
And how does it combat silent corruption?
When you jump into the middle of a conversation, this is what happens. In fact, I already answered your question. Even though you seem to be acting in bad faith, and you’re trying to get a “gotcha” out of me… I’ll elaborate a little
I use a Nextcloud Server (there are other network sync tools as well). I have the Keepass file on the server which syncs with my remote devices. If I make changes to the database, it syncs with the cloud server which pushes the changes to the other devices. I have NEVER had a situation where I needed to make changes to the databases on two or more devices in parallel, nor can I think of a use case. My guess is that in such a situation, whichever file was saved last would be the one last saved by Nextcloud (overwriting the other edit). So your “gotcha” is valid but rare. The other option is to use the web app for Keepass in Nextcloud (not sure if it’s still being developed though, it’s been a long time since I used that).
Anyway, the point of my question was to understand why people use a cloud service for this when it can be easily done (and be safer) than relying on a 3rd party cloud. From what I can tell it’s “convenience”.
You need to turn down your suspicions.
Can’t ask questions without drawing the wrath of some users here…
Anyway:
I thought about it but in the end went with Bitwarden just because it’s convenient and didnt feel like entering the security minefield.
Same was for pictures (kept them on my PC and that was backed up to another drive) and E-Mail.
As my gear improved I started to use Immich.
E-Mail is still outsourced as I can’t and don’t want to deal with getting put on spam-lists and having to deal with getting of of it (had the pleasure of getting my domain already marked by google safe browsing).
The “gotcha” about conflicting (as you put it and trying to infer further bad faith conversations) was more about edge cases biting you in the ass.
Not fun having to search accounts if you expect them to be securely saved in the vault but not being there.
That’s mine and being under the assumption a corp that is specializing and programming a security product is probably better at it than me.
And so far the behavior from Bitwarden after being audited and their current breach-history gives me enough faith for now.
They had some oof-moments like master-password are used to encrypt the vault and weak encryption protocols with weak encryption parameters on top
But they werent enough to start a transition elsewhere.
Syncing is a problem without a seamless solution. The official syncthing app for Android is abandoned and syncthing-fork isn’t trustworthy and feels vibe coded. Nextcloud is way too bloated for simple vault syncing.
I’m personally warming up to the idea of using
pass.It’s convenient, but not much moreso than keeping the encrypted file in your google drive or whatever and pulling it down once in a while.
I’ve tried storing encrypted blobs including a keepass database on Google drive and I always end up with hundreds of conflict copies
Natural disaster -> no longer can access everything you have online, including bank and insurance accounts, at precisely the time you most don’t want to deal with that.
Meant as a negative to cloud vaults?
In that case: Bitwarden (as an example) can work offline and records can be exported from it.
Personal disaster as well.
If something happens to me and I am incapacitated, or worse, my wife or my brother can request access to my vault and without any action in my side for a week they will have access to my vault. (Emergency access feature in bitwarden)
So it does not add the stress of needing to call ALL the utility companies, bank, school … To reset passwords or request emergency access.
I saw that first hand with my brother in law who had an accident and went into a coma. We were lucky that his computer wasn’t locked and all his password accessible on it.
Pretty much this. Cloud storage isn’t perfect, but it sure does make proper 3-2-1 backup hygiene easier. 3 backups, on 2 different mediums, 1 of them off site. Cloud storage accomplishes both the 2 and 1, because it is both a different medium and off site.
The fact that you can automatically sync remotely is a big bonus too, because off-site backups historically have a problem where they fall out of date without active attention. For instance, if you have a tape backup system stored in a warehouse across town, those tapes are only as up-to-date as the last time you took the time to drive across town and update them. But with cloud storage, you can automatically sync your folders to keep things up to date in near real time. Plus, your traditional off-site backup is only as secured from things like natural disasters if you’re willing to travel fairly long distances to make them. Those tapes in a warehouse across town won’t survive if the entire town is hit by a natural disaster like a wildfire or flood.
For instance, maybe I make an update on my laptop, and then want to access it on my phone. Even with SyncThing, my laptop and phone won’t sync with each other unless they’re able to find each other on the same network. If I’m not on a trusted network at the time, (e.g. I’m at work on my employer’s WiFi, or traveling and using hotel WiFi) that makes syncing difficult. But with cloud storage, they can both essentially use that as a relay. My laptop updates the cloud, and then my phone pulls that update. Now both devices are up-to-date without actually needing to discover each other on a trusted network.
I’m currently (for the past 5 or six years) using a nextcloud server (remote) where I store the master. My desktop is typically where I make changes but sometimes on my mobile devices. No mater where I edit the database it gets synced. Knock on wood, but I’ve never had as issue.
You can have both and keep a local copy via export once in a while. If the cloud goes down the also most likely your bank website. If you’re talking about other types of secrets then the first sentence will apply