If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
Yup, it is. On one hand, I would have wireguard configured regardless beacause I don’t like publicly exposing my server. On the other, if you had to do it just for this and don’t want to configure wireguard manually, just use zerotier, tailscale or netbird. They can be set up in like 15 minutes and after you get it working you don’t need to touch it again.
Eh, not worth it to me. Some of what I host is occasionally really handy to be able to access from a random machine, and I don’t want to have to deal with barriers to entry when I need in. I can appreciate the security benefits, but I’ll take my chances. Even if they break into my NextCloud, they’d have to crack an unreasonable password to break the password database open.
You are choosing more convenience over security, which is fine, BUT it’s good to know that syncing your passwords with NextCloud over the internet is not any more secure than syncing it over the internet any other way (that uses any encrypted transport method).
Not necessarily. Compromising Vaultwarden would allow you to inject malicious JavaScript into the login page to steal passwords. NextCloud in no way interacts with the password database, so it provides no attack surface to the password database itself. Compromising the client for my password manager would require a supply chain attack on a Linux distribution’s package repository or theft of the package signing keys for the Linux distro or the Android app
What do you mean by comprimising VaultWarden? Someone hacking into your server and changing the login page to include extra javascript? Because if they are gaining code execution on your system, then you might already be done for. I can see your point, but I’m not personally going to be worried about it specifically.
By compromising Vaultwarden, I mean exploiting some flaw in it to gain extra access that may facilitate further attacks. If they have code execution on my server, they can’t really do anything because the server never provides an interface to unlock the password database. They could attempt a more complicated malware attack on my clients, but that’s WAY more effort than an automated attack on Vaultwarden instances, probably by several orders of magnitude.
There’s this wild technology called a hotspot. You can use your already authenticated device to give another device access to your services indirectly.
That level of security is exactly the same as exposing your password manager to the “fucking” internet. Not sure why you criticized it before when you (incorrectly) assumed that I was doing that.
There’s also this dated technology called a wired connection that some other dated technologies require. Since I don’t get to choose every device I interact with or depend on, that’s not always available.
I would disagree. A Bitwarden instance identifies itself as such to every visitor that comes by. It advertises itself as a particularly high value target. By contrast, a lot of what a NextCloud instance hosts is often personal and more valuable to the user than a hacker, so it does not become clear if there’s anything of value inside.
It also decreases the attack surface of my password manager itself because there are fewer features in it that may have a potential exploit. Even if an attacker compromises the NextCloud instance, that may grant access to the file itself, but they still have to contend with the entire security of the password manager. No device will ever make any contact with the server for password purposes other than to sync the database file, and there’s no web interface to inject a password stealing JavaScript file.