Would it make sense for Librem One to eventually include a password manager (perhaps based on the likes of BitWarden)? Maybe it could be called “Librem Passwords?”
I think their goal is to provide alternatives for services such as communication, storage, etc that are owned by big corporations which are tracking you and do shady stuff with your data.
BitWarden/KeePassXC are great open source projects by themself, so even if Librem forked it, it would be just a rebranded version without any actual advantage.
Good points.
That said, I’d still personally prefer to have password management rolled into the one subscription bundle rather than having to get it separately. I’d trust Purism to make the right choice. They’d certainly be better at evaluating BitWarden vs. KeePassXC than I would.
I was paying for LastPass and it’s quite expensive. I didn’t know any better and had used it for years. Only just beginning my awakening to FOSS, am out of my depth and am grateful for any guidance.
We aren’t offering one but I’ll pass the feedback along. In the mean time…
Bitwarden has free cloud syncing, apps for iOS and Android, browser extensions, but also allows for self hosting as well. Has the option of $10/yr for extra features like hosting TOTP codes.
KeePassXC gives you a single database file that you’re in charge of syncing with other devices and has browser extensions. It’s a desktop only app but there are seperate mobile apps that are compatible with the same database file.
While I’m in the process of switching to Bitwarden (that seems to be the best compromise in a free/libre open source + convenience game) myself I’m starting to understand that the real solution is somewhat in the GNOME keyring.
With Seahorse everyone using GNOME has a super-convenient credentials management application typically preinstalled. All passwords you’re currently using with your browsers (Firefox, Chromium, etc.), WiFi keys, SSH keys, etc. are all in the keyring, encrypted with your login password. It’s super-convenient.
If there just were a synchronisation across devices! – As soon as GNOME has become the desktop of our Librem 5 mobile phones we’d be covered! Only missing would be all our non-free devices (your family’s Androids and iPhones, for example). Hence, we’d have to come up with Android and iPhone apps, that may help us migrate password management to the GNOME keyring.
How does that sound? Any other opinions?
Related links:
- What is Gnome Keyring / Seahorse and why is it …
- KeyringDroid - an apparently discontinued Android app
Is GNOME and Seahorse predicted to be on the Librem 5 already installed?
Password Safe is a nice keepass compatible gome-compliant application. Currently available on Flathub for easy install.
The main thing it is missing is browser integration. On a desktop/laptop, this isnt an issue. On a phone, any password manager without system or browser integration would pose a challenge.
As for seahorse - it really isn’t useful as a daily password keeper, at least for the way I use things.
A password manager (like keepass) is crucial PLUS a cloud storage possibility for the keyfiles!!! Take the example of librem 5 + a desktop computer + another Android device (sorry for all those “Linux only”, but I still keep my Android phone for certain evil stuff like …): I did not find a single one cloud storage provider that supports these three systems for free or small charge.
Except Dropbox: yes, but 3 devices max. now since a couple of months (and too close to google, so not my choice) and expensive.
My questions:
- who knows a cloud storage provider easy to use for those 3 systems???
- how will librem5 manage passwords? Is there any solution cloud synchronisation in sight for (linux+android+windows)?
I think, Smart keyword management is the most important topic before we talk about about any other app.
Possible solution: for those who pay $70 for librem1, provide them with some cloudspace for keepass .kdbx-files.
Regards
Is choosing the cloud provider our self a must have for you? Otherwise i would recommend bitwarden
It’s free for unlimited devices and keys and has apps for linux mac window adroid and ios and browserplugins.
But you have to use their cloud hosting or host it on your own server. No dropbox, nextcloud or what ever support as far as i know.
Why are we talking “Dropbox” and password managers in one and the same sentence? Dropbox is the most dangerous service for file storage that Edward Snowden was warning about. If you put your files there it’s like sending them to the NSA directly. If they are encrypted this doesn’t change a lot: It’s just a matter of time they are cracked open as Snowden explains in his original documentary.
It’s like talking about privacy enforced by 1-to-1 encrypted chats on WhatsApp. We must stop trusting those services at all, please. Because, even if they wanted to oppose their government they can’t. By the US legislation they have to “serve the best interests of national security”. Even against EU legislation on EU territory. There are no limits.
</off_topic>
There are two other candidates for (trustworthy?) password managers that I recently stumbled upon:
- KeeWeb (an active project implementing a KeePass-compatible application; project website)
- Firefox Lockwise (not sure how secure, usable and trustworthy it is; it’s fresh and new; Wikipedia article)
A larger list of password managers is also available from Wikipedia.
Any opinions on those candidates? My initial enthusiasm for Bitwarden has a bit vanished…
I’m wondering whether both LastPass and Purism will ever be able to withstand the power of the US National Security. They are operating on US territory, they are owned by US citizens, hence they are bound to the US legislation. Even if they or you encrypt your passwords they will have to hand over any keys and any data of your account to inquirers. In the cloud your data is plain text. Period.
There is no safe place for your data in the cloud as long as it’s operated by companies that are bound to influences of western governments (that have ties with the US). Of course it’s not much different with other nations’ governments (let’s name the Russians, the Chinese, the Germans and Brits, so everyone here is happy).
There has to be a federated management of our password data. A Purism device (just as an example) has to be able to manage data on any target “cloud” you choose. Whether it’s from Purism themselves, self-hosted in your living room, or by the small hoster you trust or the specialized security firm just around the corner. Only a diverse eco system will make it sufficiently difficult, or possible, to keep your data safe.
That’s why I’ve always been irritated by Purism’s cloud offering, from the beginning. I hope that this is just a marketing issue they have (they’re not good at marketing, hear us @BryanLunduke?) and in the end it turns out what they want is federated services.
Master Password is kind of interesting. No cloud, but passwords are easy to duplicate give your credentials.
I could see building a password manager on top of tarsnap…
My vision is a secret manager to manage credentials, key files, customer numbers etc… (already exists I think) but with autotype to external devices as a USB or Bluetooth keyboard. So all your credentials are stored on the L5. You need one of them on your desktop, android or whatever? Connect it to the L5 and let the L5 autotype it for you. This way the synchronization problem fades away (given that you have your L5 with you when you need your credentials like a key for a door). What’s left are backups for data safety.
I don’t agree that cloud is automatically unencrypted because everybody could encrypt the data independent from the cloud service. That said I am not a fan of the cloud. It starts with this abused word. For me cloud is outsourcing of data centers on different levels e.g. IaaS or PaaS. Sometimes it is used as outsourcing client functionality. I don’t like this. This mixes things up. E.g. storing and syncing personal contacts could be done by any conventional server (often enough common desktop hw with own “cloud”).
As always different solutions have advantages and disadvantages. The disadvantage with internet services is that many of them does not deserve our trust. We try to arrange with this by using workarounds like fake data input or encrypt data before upload. For credentials I personally choose not to enter them anymore into any device that I don’t own. Credentials are probably a relatively high value information. Even if I upload them as ciphertext someone with high computing power might get a copy of them and now has time to find a way in until you change your passwords so that the attacker has to start over again. Better choose a strong aka long master password. I am much to paranoid. ^^
And changing my dozens of passwords is cumbersome. I wondered if it would be a good idea if there would be a protocol or interfaces between lokal password managers and services to login, signin and change the password. What could possibly go wrong? Sounds like recipe for catastrophe. But the web tech is already too complex.
Maybe the future is asynchronous public key authentication like FIDO2. I personally don’t like the FIDO2 keys and I am not alone. Possibly there could be software based implementations or better usage of the L5’s smartcard for that. Anyway passwords will stay for decades at least for legacy systems.
It would be really nice to see Librem handing the syncing of KeePass DBs.
Just a KeePass password sync as part of the L1 service.
An extra bonus would be a beautiful KeePassXC with a handful of plugins pre-installed and, if possible, Firefox set up with KeeVault defaulting to Purism’s server.
I know there’s KDE Connect but while searching for that I found GSConnect, which is a GNOME extension that does the same things.
GSConnect is a complete implementation of KDE Connect especially for GNOME Shell with Nautilus, Chrome and Firefox integration. It does not rely on the KDE Connect desktop application and will not work with it installed.
KDE Connect allows devices to securely share content like notifications or files and other features like SMS messaging and remote control. The KDE Connect team has applications for Linux, BSD, Android, Sailfish and Windows.
KeePassX allows multiple databases and .key files + passwords for each db. I thought they all did but it seems like some KP programs build in certain functionality and their own UI.
The original from https://keepass.info supports a huge amount of plugins for all different things including OTP.
Why trust cloud or apps for managing your passwords? Even another security firm in Switzerland has been found breached by CIA.
https://www.securityweek.com/report-claims-cia-controlled-second-swiss-encryption-firm
What I do is, use libreoffice writer, type listing of accounts and passwords then save the file to usb flash drive and also print it out using printer that’s not on network then lock both of them up inside fireproof safe with locks. We should also use our brain to remember our own passwords which is most safe place. But to trust someone running servers or programming apps to handle your passwords? What happens if servers crashed and you need passwords? Even hacked? What if something happens to apps you cannot use or access anymore? Stuff like these happen everyday. Too risky.
Spideroak could work