Hacker News

I like bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution. This feature may actually cause me to leave. I actually ended up buying a subscription and then refunding it in less than an hour.

So what's going to happen? Are they going to cache my location? Or are they storing a cookie on my side? Neither sounds great. Ever hear of a VPN? That's going to make my life easier....

Some more general complaints:

The storage thing is really weird. Did you know it is just stored on their server? So you can't store locally. But the worst part, when you want to retrieve the item then you download it and it just appears in your download folder. This is TERRIBLE and both of these make it absolutely useless. I got to download it when I need it, hope I have internet in that situation, and then delete it after because I'm... storing sensitive information, right?

The new design is just terrible and could only be designed by someone who assumes you never open the panel to fill in the website. Yet... that's the *most common* reason I open that.

Things like this give me concern that those designing the tool aren't thinking about other things. When it comes to security, all the little things matter a lot.

Of course there are frustrating things that I know they have little to no control over, like all the dumb Microsoft logins I'm forced to have and then annotate because I keep logging into the wrong account. But I do like that it integrates with Firefox's Relay. The only thing I wish is that it wouldn't name the mask "Generated by Bitwarden." but "the fucking website name" (sure, append "Generated by Bitwarden" but no one cares and this does nothing to help brand recognition, it just makes things confusing).



> I like bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution.

You can self-host Bitwarden. There is also an alternative server named vaultwarden.


I looked into this a while back and it was quite complicated. If you're used to hosting your own infra, it may not be a big deal, but it's definitely not a simple task for even an advanced desktop user. I ended up choosing KeepassXC, which just uses a dumb file on disk that I sync with Git.


Not to be rude, but vaultwarden setup is fairly straightforward for an advanced user:

1. Point your domain's DNS to server

2. Run a reverse proxy with LetsEncrypt integration (Caddy, NGINX Proxy Manager, Traefik, etc)

3. Run the Docker command

https://github.com/dani-garcia/vaultwarden
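The three steps above as one Compose file (an added example, not from the thread or the Vaultwarden project): Caddy obtains the Let's Encrypt certificate and proxies to Vaultwarden, which is never published on the host. Assumed: the hostname vault.example.com, that its DNS already points at this machine, and that ports 80/443 are reachable for the ACME challenge.

```yaml
# docker-compose.yml  (example, assumptions: vault.example.com resolves here; 80/443 open)
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    # Overrides the image's default Caddyfile mode: one-liner reverse proxy with
    # automatic HTTPS; --from with a hostname enables Let's Encrypt and the
    # HTTP->HTTPS redirect on port 80.
    command: caddy reverse-proxy --from vault.example.com --to vaultwarden:80
    ports:
      - "80:80"      # ACME HTTP-01 challenge + redirect only
      - "443:443"
    volumes:
      - caddy_data:/data   # persists issued certificates and the ACME account key
    depends_on:
      - vaultwarden

  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    # No "ports:" here on purpose: only Caddy can reach it over the compose network,
    # so the vault is never exposed over plain HTTP.
    environment:
      DOMAIN: "https://vault.example.com"  # must match the --from address above
      SIGNUPS_ALLOWED: "true"              # set to "false" after creating your own account
      SHOW_PASSWORD_HINT: "false"
      ADMIN_TOKEN: "${VW_ADMIN_TOKEN}"     # from .env; leave unset to disable the /admin page
    volumes:
      - ./vw-data:/data    # db.sqlite3, rsa_key*, attachments/ -- this directory is your backup set

volumes:
  caddy_data:
```

Bring it up with `docker compose up -d`, register your account, then change SIGNUPS_ALLOWED to "false" and `docker compose up -d` again so strangers who find the hostname cannot create vaults on your instance.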


I don't disagree with you, but a lot of people don't understand any of those steps. 3 is the step most people will understand, I think you can understand that LetsEncrypt can be confusing the first time, and well... DNS... that's notorious for people being confused on.

What people consider "advanced user" varies quite a bit and there's a lot of subdomains in computing. (Though maybe the term is also degrading...)


It strikes me that if you aren’t advanced enough for this then you probably aren’t advanced enough to safely manage your password manager locally. If you don’t have a good understanding of things like DNS, do you understand the vulnerabilities you need to mitigate for in a self-hosted situation? I don’t self-host, even though I could get it working and I self-host plenty of other things, because I’m not a security expert and I think it is more likely I would put my password manager at greater risk than Bitwarden.


> "Point your domain's DNS to server"

A lot of advanced users don't have servers, and they don't want to expose their desktop or an appliance to the internet. Moreover, are you going to trust your precious password information on a leased server run by Linode or whoever?

On topic, I use Bitwarden, but their changes to the iOS application are very annoying. I've been logged out repeatedly (at least once per week) and it keeps requiring me to input my password, without any way to reduce the overhead. It's so frustrating that I've been considering switching to the native iOS password app; if it was available on Linux, I would bid farewell to Bitwarden.


I had issues with this (new iPhone user and ... well... I'm having fun...)

A problem I had was my encryption settings. Definitely I am a bit overkill[0], but this might be worth checking. I use Argon2 and tried to find the max settings I could use on my iPhone 16. Make sure the KDF memory is lower than 256MB. Keep iterations low (<=10) and parallelism not too high (4 seems about right). So do something like 128MB, 8 iterations, 4 parallel and you'll be good. If this reddit post is anywhere near accurate, it should cost in the tens of millions of dollars to crack your master passphrase[1]. But users there also are saying they can get higher settings so YMMV. (BTW, these settings should be changed from the bitwarden website)

[0] Philosophy has always been: make it as secure as possible without being meaningfully impactful. Which is always above the standard security levels.

[1] https://www.reddit.com/r/Bitwarden/comments/1167rwm/pbkdf2_v...


You don't even need to have your DNS turned on or run a reverse proxy - how often are passwords updating? My instance is local network only and the phone, desktop, and chromium extensions sync when I'm at home.


Plus backups, which you want to ensure are solid for data like this.


This is my issue with hardware keys too. It's been unclear to me how I have a backup and what's the best way to ensure that that backup is constantly in sync.

Plus, is a website going to support it? So many websites are shifting to OAuth, and making it the __only__ form of authentication. I really don't like this AND they usually only support a very limited set of authorities which is almost exclusively "Google and Apple", so I can't even run my own. The fuck is the "O" mean in "OAuth" then?! (╯°□°)╯︵ ┻━┻ I'm trying to __reduce__ my (meta-)data exposure, not increase it!

Like good god, I don't know if it is a conspiracy or stupidity that's causing all this centralization and I'm not sure there's a meaningful difference. (unintentional or implicit conspiring rather than explicit)

This is Hacker News, surely there's people here that are fighting/pushing back. It's unclear to non-security experts like me how to actually do this besides not use a service (far easier said than done. These choices are often forced upon people)


> that make me want to move or find a self-hosted solution.

passwordstore.org and "git init --bare password-store.git" somewhere on your own network.


It’s not that hard to self-host. Only real gotcha is that you need ssl.


> Only real gotcha is that you need ssl

Any reverse proxy handles that by default, it's no longer a gotcha.


And you can just self-host local only, it's what I do. Clients sync at home and don't lose the data when you leave the house. Even updates on one client (i.e. mobile) will propagate to others.


Setting up a reverse proxy with ssl is a decent challenge for people new to this.


Sure, but then I need to spin up a server, lock everything down, pay money, deal with all that other stuff, and well... this isn't going to work for: my partner, my parents, my friends, my family, and so on.



