Librem One Password Manager: "Librem Passwords?"


#1

Would it make sense for Librem One to eventually include a password manager (perhaps based on the likes of BitWarden)? Maybe it could be called “Librem Passwords?”


#2

I think their goal is to provide alternatives for services such as communication, storage, etc that are owned by big corporations which are tracking you and do shady stuff with your data.

BitWarden/KeePassXC are great open source projects by themself, so even if Librem forked it, it would be just a rebranded version without any actual advantage.


#3

Good points.

That said, I’d still personally prefer to have password management rolled into the one subscription bundle rather than having to get it separately. I’d trust Purism to make the right choice. They’d certainly be better at evaluating BitWarden vs. KeePassXC than I would.

I was paying for LastPass and it’s quite expensive. I didn’t know any better and had used it for years. Only just beginning my awakening to FOSS, am out of my depth and am grateful for any guidance.


#4

We aren’t offering one but I’ll pass the feedback along. In the mean time…

Bitwarden has free cloud syncing, apps for iOS and Android, browser extensions, but also allows for self hosting as well. Has the option of $10/yr for extra features like hosting TOTP codes.

KeePassXC gives you a single database file that you’re in charge of syncing with other devices and has browser extensions. It’s a desktop only app but there are seperate mobile apps that are compatible with the same database file.


#5

While I’m in the process of switching to Bitwarden (that seems to be the best compromise in a free/libre open source + convenience game) myself I’m starting to understand that the real solution is somewhat in the GNOME keyring.

With Seahorse everyone using GNOME has a super-convenient credentials management application typically preinstalled. All passwords you’re currently using with your browsers (Firefox, Chromium, etc.), WiFi keys, SSH keys, etc. are all in the keyring, encrypted with your login password. It’s super-convenient.

If there just were a synchronisation across devices! – As soon as GNOME has become the desktop of our Librem 5 mobile phones we’d be covered! Only missing would be all our non-free devices (your family’s Androids and iPhones, for example). Hence, we’d have to come up with Android and iPhone apps, that may help us migrate password management to the GNOME keyring.

How does that sound? Any other opinions?

Related links:


#6

Is GNOME and Seahorse predicted to be on the Librem 5 already installed?


#7

Password Safe is a nice keepass compatible gome-compliant application. Currently available on Flathub for easy install.

The main thing it is missing is browser integration. On a desktop/laptop, this isnt an issue. On a phone, any password manager without system or browser integration would pose a challenge.

As for seahorse - it really isn’t useful as a daily password keeper, at least for the way I use things.


#8

A password manager (like keepass) is crucial PLUS a cloud storage possibility for the keyfiles!!! Take the example of librem 5 + a desktop computer + another Android device (sorry for all those “Linux only”, but I still keep my Android phone for certain evil stuff like …): I did not find a single one cloud storage provider that supports these three systems for free or small charge.

Except Dropbox: yes, but 3 devices max. now since a couple of months (and too close to google, so not my choice) and expensive.

My questions:

  • who knows a cloud storage provider easy to use for those 3 systems???
  • how will librem5 manage passwords? Is there any solution cloud synchronisation in sight for (linux+android+windows)?

I think, Smart keyword management is the most important topic before we talk about about any other app.

Possible solution: for those who pay $70 for librem1, provide them with some cloudspace for keepass .kdbx-files.

Regards


#9

Is choosing the cloud provider our self a must have for you? Otherwise i would recommend bitwarden
It’s free for unlimited devices and keys and has apps for linux mac window adroid and ios and browserplugins.
But you have to use their cloud hosting or host it on your own server. No dropbox, nextcloud or what ever support as far as i know.


#10

Why are we talking “Dropbox” and password managers in one and the same sentence? Dropbox is the most dangerous service for file storage that Edward Snowden was warning about. If you put your files there it’s like sending them to the NSA directly. If they are encrypted this doesn’t change a lot: It’s just a matter of time they are cracked open as Snowden explains in his original documentary.

It’s like talking about privacy enforced by 1-to-1 encrypted chats on WhatsApp. We must stop trusting those services at all, please. Because, even if they wanted to oppose their government they can’t. By the US legislation they have to “serve the best interests of national security”. Even against EU legislation on EU territory. There are no limits.

</off_topic>

There are two other candidates for (trustworthy?) password managers that I recently stumbled upon:

A larger list of password managers is also available from Wikipedia.

Any opinions on those candidates? My initial enthusiasm for Bitwarden has a bit vanished… :worried:


#11

I’m wondering whether both LastPass and Purism will ever be able to withstand the power of the US National Security. They are operating on US territory, they are owned by US citizens, hence they are bound to the US legislation. Even if they or you encrypt your passwords they will have to hand over any keys and any data of your account to inquirers. In the cloud your data is plain text. Period.

There is no safe place for your data in the cloud as long as it’s operated by companies that are bound to influences of western governments (that have ties with the US). Of course it’s not much different with other nations’ governments (let’s name the Russians, the Chinese, the Germans and Brits, so everyone here is happy).

There has to be a federated management of our password data. A Purism device (just as an example) has to be able to manage data on any target “cloud” you choose. Whether it’s from Purism themselves, self-hosted in your living room, or by the small hoster you trust or the specialized security firm just around the corner. Only a diverse eco system will make it sufficiently difficult, or possible, to keep your data safe.

That’s why I’ve always been irritated by Purism’s cloud offering, from the beginning. I hope that this is just a marketing issue they have (they’re not good at marketing, hear us @BryanLunduke?) and in the end it turns out what they want is federated services.


#12

Master Password is kind of interesting. No cloud, but passwords are easy to duplicate give your credentials.

https://masterpassword.app/


#13

A password equivalent to http://tarsnap.com/ would absolutely be welcome here.