This is quite misleading and frankly low effort. Besides the readability issues, the chart makes a clear distinction between Proton Pass and Bitwarden when it comes to privacy, citing their privacy policy.
As it happens, however, Proton’s server code is closed, unaudited[1] and not distributed, and the apps (web, Android and iOS) do not support setting different homeservers. This effectively means you cannot self-host your password manager and must be “locked” to Proton for what I consider to be one of the most fundamental and important pieces of technology a person can use.
Bitwarden, however, has opened their official C# server, their internal Rust SDK and the apps themselves too. Furthermore, they have several guides on how to self-host your own personal server, and have implemented settings in their apps to change the homeserver. There’s even an unofficial server, Vaultwarden, that is even better tailored for small, personal deployments.
All this to say: the fact they may collect some usage data on their website is very insignificant for their offering, in my opinion. The real value is in providing a secure vault that only the user can manage. If you need better privacy and/or anonymity, you should use tools specialized for that anyway, instead of blindly trusting a third-party’s Privacy Policy, no matter who they are. But then again, it’s the old game of threat models.
Ultimately, Bitwarden inspires more confidence than Proton, by giving those who can and want to the ability to truly own their secrets.
[1] As far as I’m aware, there’s only this audit by Cure53, in which they performed a white-box pen test on the API, with only its documentation provided, no code whatsoever. These audits are important from a cybersecurity point of view, but security is not the same as privacy and should not be taken as such.
This is a terrible chart. There’s no obvious starting point and it seems to be made based on vibes rather than actual data. But thanks for the effort.
OP said to mind the clunkiness, so fair point. Though by far the worst part of this are the slightly skewed lines going to KeePassXC, KeePassDX, and Proton Pass…
Why is Proton better for privacy than Bitwarden? What do they do differently?
It’s not, it’s objectively worse
Why?
You can self host Bitwarden, that should tell you everything.
So, you’re just speculating that it’s more secure because it can be self-hosted?
I use Bitwarden myself, but you can’t make claims like that without something to back it up.
It is more secure as in you are less likely to be caught in a leak/hack of their servers.
Unless you are a high value target, you are less likely to be the target of an attack. Or less secure, if you don’t secure your own server as well as they secure their servers.
Idk why people downvoted, but yeah, you’ve got to secure your server.
What stands out?
You can also self-host Bitwarden/Vaultwarden for even better privacy.
Correct, IMHO go the vaultwarden route. Bitwarden self hosting seems finicky with multiple containers running together in a stack. Vaultwarden accomplishes this with a single container and a single bind mount.
As far as I can tell there is no difference between the two from a user point of view.
Agreed.
I do this too. On a VM hosted somewhere with an encrypted filesystem and only accessible from my home IP. If I need a password while on the way, I use my VPN.
You’re able to connect the official app to your local IP? I always get some certificate errors.
Yeahhh. As your error implies, you need a valid certificate!
You can host your own CA: create your own root CA and intermediate CA and sign your certificate with those!
Add your intermediate CA to the trust store of all your devices and use a reverse proxy of your choice to serve your services with your own domain (vaultwarden.home.lab).
Gotta use a domain name with a valid SSL cert on it.
You can even access your passwords if your server is offline. You just can’t add new entries!
If your vault is locked on your phone for example it needs to contact the server. But granted, most of the time it is not needed.
I’m actually hosting it public-facing, because in theory, gaining access to the VM and the vault should be unproblematic, since the vault is only decrypted client-side.
Agreed, but I like the extra layer.
In my eyes KeePassXC and Bitwarden are the only two options. Also, there are iOS KeePass clients.
Please label the logos, it will be much better, easier to read and easier to share.
I wouldn’t trust Proton. Data this sensitive has to be stored offline (unless you send it encrypted) and only accessed with 100% open source software (no proprietary blobs). If you want to go extra tinfoil hat, compile it yourself.
Edit: Left side recommendations are good, though.
Bitwarden isn’t only cloud, bad guide. What about vaultwarden and the plethora of other options?
AuthPass is also a great Android password manager.
To the people in here who get rude and condescending when I try to tell them that there’s a better way to remember passwords, here’s just one page that explains how it might be done. And yes, this is as unbreakable as random passwords. And you can easily make part of the password change for the site or app you use it for… But hey, feel free to keep attacking me, for knowing something that you didn’t…
Given that I have probably 500-1000 logins in my password manager, I still wouldn’t be able to remember each one if I made a memorable one for each. I do make the ones I use often memorable, but still need a password manager for the others.
That’s a lot of logins you have. Do you use them all? Feel free to do as you like. It’s just sad that you can’t accept that some people have different abilities and experiences than you.
Well, everything requires an account nowadays. Everything including my lightbulbs. Given the risks of password reuse, I always make a new username and password for each. If you’re reusing passwords between accounts, all it takes is for one of those services to get hacked and then hackers are able to get into everything. And, hackers have automated software to facilitate this. Given a million login credentials, they can easily check them against thousands of services.
That’s just sad - a lightbulb with a password. 😅 I’m not talking about reusing passwords, but thanks for your comment.
Sometimes you move on from things you believe and then see people still with those beliefs.
BTW, your wikiHow article mostly just talks about security by obscurity, which password crackers already exploit.
It’s okay that you don’t get the example as I said it was. It’s even okay that you haven’t moved on. What’s sad is that you think it’s about a belief. I’ll take a wild guess here, and say that you might be religious too…
Anyway, if you don’t feel like doing it the smart way, just don’t. It’s really that easy. It must be sad, needing to comment on anything that you don’t like, because you do it differently.
In principle I agree with this and follow it, but these days every single friggin service requires a password, and for some people there will come a point where they will be overwhelmed with the amount of passwords they have to remember, and generating a random one + storage is a lot easier than remembering.
Much like this https://xkcd.com/936/
If people get overwhelmed, then it’s because they don’t follow their own system. Remembering a system is a lot easier than you seem to think. Every single person I’ve taught this uses it. A few I know also use Firefox’s built-in password manager, because it’s easier across devices, but that’s about it. Not a single one uses any other password manager, and they don’t need to.
What did you make the chart with? It’s nice for something done on mobile.
I used flowchart.fun if I remember correctly.
Decent chart but I’d argue that Proton is objectively the best of the cloud options. Aside from one or two features present in Bitwarden and other competitors, Proton Pass has an equally robust feature set, a great privacy policy, a solid reputation as being a company with great encryption implementations, and the aliases make it 100x more useful than it already is.
Bitwarden couldn’t get me to switch from KeePassXC. Proton Pass got me on board within a week of its launch.
You made it onto 4chan: https://boards.4chan.org/g/thread/105442269#p105442269
I wonder why more people don’t use their brain instead? I mean, a simple system will make it easy to have unique passwords for every site/app, and for you to be able to remember them…
I tried that once, nah not for me.
You’re lucky to have such great memory, but most people do not. Life is too stressful to be also juggling the memories of more than 20 different passwords all the time.
Btw, you said in your other comment:
To the people in here who get rude and condescending when I try to tell them
The downvotes aren’t against you, but the comment. It’s simply just disagreement with what you said, it isn’t hatred, just so you know.
I have a shitty memory, but I know myself, and how to work with me. That’s not a great memory I have, that’s common sense and knowing how I work.
You don’t really get the point here. You have to remember 1 system - not 20 passwords. Be as stressed as you want to, but even with a password manager, you have to remember the password for that. That’s 1 password you HAVE to remember, or all your passwords are lost.
I’m talking about remembering 1 system to make your passwords from - that will make different passwords for every app and site, that you can remember, because you remember the system behind it. You can read about it here (though it is not the system that I use, it’s a great example): https://www.wikihow.com/Create-a-Password-You-Can-Remember
Let me put a system together for you, as an example.
You want a password for this site. It’s online, so you choose to put “ol” in your code. To make it unique, you choose to put “leml” for the first and last 2 characters. You like Guns N’ Roses, and especially November Rain, which you sing along to, so you put “WiLiYe” into it, for the first letter of each word, from the first line of the lyrics: “When I look into your eyes”.
Now you have both a unique code, and big and small letters. Now you separate it by using the ¤ sign, to also add a special character, so your code looks like this now: olleml¤WiLiYe¤
Now for some numbers, that some sites like you to put in. Choose your lucky number, or maybe your birthday, and then add your lucky number. Say you were born 1989 in October (10th month), and your lucky number is 13. Then you can add 13 to both the year and the month: 2002 and 23. Put that on your code… olleml¤WiLiYe¤2002¤23
Now you have a unique code and a system you can remember. Even if you write your system down, it would be hard for others to figure out. It might look like: Type of connection, first and last two, first line high and low, born with luck… 3 times upper four (for the ¤ sign - at least on my keyboard).
Good luck figuring that out without any hints… :-)
Next time you come to another homepage, let’s say Facebook, your code will look like: olfaom¤WiLiYe¤2002¤23. The first part is unique, and it can’t just be hacked, even though there are some similarities…
You should read this thread; it had a lot of perspectives on this.
Because your brain is terrible at remembering random data. Your simple system is extremely unlikely to produce passwords of any particular quality.
Also, I have 170 passwords saved. I don’t know how many of those live in the category of “once every six months”, which is too infrequent to remember easily.
And using a simple system means that once somebody figures out the system, all your passwords become compromised potentially.
True. But you don’t figure out the system, and if you did, the system could be changed in a matter of minutes. To figure out the system, you would need more than 3 samples of the passwords, at any given moment, and the likelihood of that happening is just about the same as your password manager being hacked, having a vulnerability or you giving people access to it.
Please talk about your own brain, because you have no evidence that shows that our brain is terrible at remembering. It’s actually quite good.
That you can’t produce a quality password with a system, that’s on you. I can, easily.
It’s easy to remember a thousand passwords, if your system is good.
I can see that your mind is made up, so further debate is fruitless. But it doesn’t change the fact that I’m right here. 😉
What’s your system? I love hearing about people’s great systems for generating passwords. How much entropy does your system produce per password?
You’re extremely confident for someone disagreeing with literally every security professional I’ve talked to, and considering I work in the industry, that’s a lot of people.
Removed by mod
Uh huh. When was I rude? You started by calling me ignorant, and I just asked you some questions about your system. You seem extremely defensive, since it seems to take only the smallest disagreement for you to dismiss someone as ignorant, lacking common sense, and unable to hold a discussion. Take a breath, and try actually explaining your system so there can actually be a discussion of what is or isn’t wrong with it.
I’m not looking for a fight, but I am extremely skeptical of your scheme because it’s one that people bring up often, and it’s never done in a secure way. Maybe yours is, but there’s no way to know if you don’t actually say what it is.
You are looking for a fight. That’s obvious. That’s why any sane person wouldn’t want to engage with you in a debate. I don’t have a scheme, why do you lie? Please explain what “scheme” I have, since you already know it? Which is ironic, since you want me to explain it to you… You want a fight, and you are very easily revealed.
Calm down, jeez. You said you have a system for generating passwords. Scheme is just a word for a system of doing stuff in a security setting.
I’m literally just asking what your system is and you’re acting like it’s the most aggressive thing ever. Do you expect everyone to agree with you immediately? Disagreement isn’t aggression, it’s the starting point for the debate you keep mentioning.
Ardens, I agree with trying to create your own password system - at least for your most commonly used things. My concept is a bit like this (don’t wanna give it all away): I keep at least 3 different emails and they have their own browser (Brave, Goanna engine (Pale Moon or Basilisk), and Firefox, for example - ones with different engines) and I also use those browsers’ profile options for certain categories. Then, just so that I remember what I am using, I try to color-coordinate the browser’s theme and email theme. Ex: gold is for money/financial stuff and I use Protonmail with an odd email name used for nothing else and I use a passphrase in a language I speak a tiny bit of. I assume that most company websites have a minimum of 3 letters and I can either use the first 3 letters or the last 3 letters as part of my passphrase. If for my financial stuff, I can either add or multiply the numbers… if letter E is 5 and E is one of the letters, for financial, I can multiply by whatever number I choose but I stay consistent… so let’s say it is 3. Letter E is 5, so 5 x 3 = 15. If another letter in the company name is C and that corresponds to 3, then 3 x 3 = 9. And then there is a 3rd letter L which corresponds to 12, so 12 x 3 = 36. So, somewhere within my passphrase, instead of the ECL that is the company website’s name, I use 15936. I also must use a combo of caps and lowercase letters, at least one symbol, usually over 14 total characters and no more than 18 - because some websites set these rules. I can inject the number sequence anywhere I choose - maybe after the 3rd letter of my passphrase just so that I recall that number 3 as being for financial stuff. Example: if my passphrase (in a different language) is mykiTTycatisthecutestintheworld, it becomes myk15936iTTycatisthecutestintheworld. Also, for common words such as “is” or “the”, swap that word out for symbols - in this example, the word “is” will become %$… so, myk15936iTTycat%$thecutestintheworld
I get tripped up for work passwords, though, because some employers force you to update your PW every 90 days. I usually just add a character and keep the rest the same…but, I can still get a bit forgetful.
There’s a principle in security, https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle, roughly summarized as “the enemy knows the system”. It’s the notion that you should be able to fully describe everything about your system except the secret key and still be secure.
My concept is a bit like this (don’t wanna give it all away):
That’s always a concerning thing to encounter at the beginning of a description. That implies that there’s an awareness that if you knew how the system worked it would be weaker, which in a security setting is considered a very notable defect.
If we’re looking at the actual security of the system you describe through that lens, the name of the company doesn’t add to your security. Neither do your word substitution rules. The secret in your system is the passphrase and the number you’re using to modify the letters from the company name.
Now, using a passphrase is good, but it kinda felt like you were implying that you use the same passphrase for all services and then modify it. That’s not a good idea, since it reduces your effective security to a single number.
Additionally, a passphrase should be random words, not a known phrase. If the phrase is grammatical it reduces the security pretty fast since it’s weirdly easy to guess word sequences. Adding a character to the end of a password during rotation is also a bad idea. Anyone breaking a password database will automatically try with a series of characters tacked onto the end specifically to catch that, so a password of yours that got leaked years ago can be used to figure out your current password just by checking it with different endings.
A better system would be to write a truly random password down on a sheet of paper along with 31 others. Now fold up the piece of paper and put it in your wallet.
You are already adept at keeping paper in your wallet secure, and anyone not in physical proximity to you has to fall back to the usual tricks to get at your stuff.
Better yet would be to use a password manager, ideally one you can export to something you carry, encrypted, with you while you go.
Great system you have there. Yeah, places like work, that make you switch often (which is also a security risk in some ways), can be a problem. But they might have their own system added. You say every 3 months, and I’d probably put the season on the password then - like winter, spring, summer and fall…
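To make the entropy question and the Kerckhoffs point concrete, here is an added example (not written by any commenter in this thread) that rebuilds the lemmy.ml and facebook.com passwords from the system laid out earlier and estimates how many bits of secret remain once the system itself is known. The choice-space sizes (10,000 candidate songs, lucky numbers 1..99, birth years 1930..2010) are assumptions made for the illustration.

```python
"""Entropy estimate for the 'memorable system' described in this thread.

Added example, not written by any commenter. It applies Kerckhoffs's
principle: assume the construction itself is known and count only the
parts a third party cannot derive from public information.
"""
import math

# The thread does not say how many songs, lucky numbers or birth dates are
# plausible; these choice-space sizes are assumptions for the illustration.
ASSUMED_CHOICES = {
    "song_first_line": 10_000,  # well-known songs someone might sing along to
    "lucky_number": 99,         # 1..99
    "birth_year": 81,           # 1930..2010
    "birth_month": 12,
}
SEP = "\u00a4"  # the ¤ sign used as the separator in the thread's example


def site_tag(hostname: str) -> str:
    """Per-site part: 'ol' (online) + first two + last two host characters.

    Reproduces the thread's own values: lemmy.ml -> 'olleml',
    facebook.com -> 'olfaom'. Nothing here is secret, so under
    Kerckhoffs's principle it contributes 0 bits per site.
    """
    host = hostname.lower()
    return "ol" + host[:2] + host[-2:]


def lyric_initials(first_line: str) -> str:
    """'When I look into your eyes' -> 'WiLiYe' (initials, alternating case)."""
    letters = [w[0] for w in first_line.split()]
    return "".join(c.upper() if i % 2 == 0 else c.lower()
                   for i, c in enumerate(letters))


def build_password(hostname, first_line, birth_year, birth_month, lucky):
    """Assemble the password exactly as the thread describes."""
    return SEP.join([
        site_tag(hostname),
        lyric_initials(first_line),
        str(birth_year + lucky),
        str(birth_month + lucky),
    ])


def common_secret(pw_a: str, pw_b: str) -> str:
    """Everything two passwords share once the site tag is split off.

    For this scheme the shared part is the whole secret, which is why one
    leaked password exposes every other site. Returns '' if they differ
    or either string lacks the separator.
    """
    _, _, tail_a = pw_a.partition(SEP)
    _, _, tail_b = pw_b.partition(SEP)
    return tail_a if tail_a and tail_a == tail_b else ""


def scheme_entropy_bits(choices=ASSUMED_CHOICES) -> float:
    """Bits of secret in the whole scheme (not per password: it is reused)."""
    return sum(math.log2(n) for n in choices.values())


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Bits in a uniformly random password over the printable ASCII set."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    line = "When I look into your eyes"
    lemmy = build_password("lemmy.ml", line, 1989, 10, 13)
    fb = build_password("facebook.com", line, 1989, 10, 13)
    print(lemmy, fb)
    print("shared secret:", common_secret(lemmy, fb))
    print(f"scheme: {scheme_entropy_bits():.1f} bits total, 0 bits per extra site")
    print(f"random 14-char: {random_password_bits(14):.1f} bits per password")
```

Under the stated assumptions the whole scheme holds about 30 bits of secret shared across every site, versus roughly 92 bits for each independent random 14-character password.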
Thanks for sharing some common sense here.
That wink really makes it cringe dude regardless of whether you’re right or wrong
That was very important for you to say, right? Were you upvote-hunting?
Feel free to join for a good debate, if you can stay on topic with your next comment.
I can’t remember over 1000 20+ character strings lol.
I’m sorry to hear that. I can - with ease. lol.
It’s not just a matter of memory. While our brains might be able to come up with one or two strong passwords/phrases on their own, there’s too much room for predictability and when that happens, you’d be no better off than if you used the same password for everything.
There really isn’t too much room for predictability. I guess you just don’t know how to make a strong password on your own, and that’s fair. But please don’t try to tell people that it can’t be done, since it’s been done for decades.
And unlike password managers, this system can’t be hacked - or corrupted, so people will stand there without their passwords to 100 apps and homepages…
Good luck making passwords that are both memorable AND resistant to even basic brute force attacks. Only way that happens is through completely random generation via a password manager.
That’s not true, but you are free to believe that. So go use your password manager, which can be hacked, and then all of your passwords are known.
I don’t mind people using their password managers. But I can see that some people really can’t handle that I have a better system. Maybe because they feel a bit stupid right now - or something - who knows?
Considering the fact that virtually every expert in cybersecurity and cryptography agrees that you need a password manager, it definitely is true. Your issue is that you think you know better than everybody else… Let’s just hope your arrogance doesn’t cost you your accounts because then you’ll be getting a whole lot of “I told you so” from most folks.
Good to hear that every expert elected you to be their spokesperson. Trying to borrow ethos from other experts is just sad. But do you know why they will often say that? Because they know that a lot of people otherwise would use 1234 or abcd… So that’s the easy advice. The good advice would be to teach people to make a strong and memorable password.
Well, what might your arrogance cost you, since you are sitting here, trying to pass yourself off as spokesperson for EVERY expert in cybersecurity?
I’m just speaking common sense here, dude. It’s common sense, and if you do any ounce of research, you’ll see the exact same thing that I’m saying.
Coming up with a solid and strong master password is one thing. But trying to come up with some variations of a master password that you use across all your different sites is inevitably going to result in predictability and predictability is poor security.
Again, common sense info that you’ll find if you do any ounce of research, but it’s obvious that you have neither done your research nor do you want to do your research. You just want to sound like you’re smarter than everybody.
It has a major downside. What if you don’t have access to your password manager and need access to a service?
Perhaps a PC you’ve got to use that you don’t trust completely, so logging in with your master password to a cloud-based password manager isn’t a good idea; even if you only want the password for a not-so-important service, you’d still be exposing yourself unnecessarily.
What if you want to type in your password in a printer with limited capability? You’d have to manually and painstakingly type in your long generated e-mail/dropbox/etc password. And more.
Some are perhaps niche circumstances, but enough to keep me at bay.
Perhaps a PC you’ve got to use that you don’t trust completely, so logging in with your master password to a cloud-based password manager isn’t a good idea; even if you only want the password for a not-so-important service, you’d still be exposing yourself unnecessarily.
Pre-Smartphone Era, you’d have a point.
These days, everyone has a smartphone that is compatible with password managers.
The Standard Operating Procedure is:
- Don’t log in on an untrusted machine.
- If you must do it*, then find the password on your phone and type that in to the computer. Then after you’re done, you generate a new password on your phone password manager app and change it using your phone.
If you don’t like to be distracted by smartphones, you can carry one turned off. If you don’t want to carry one for privacy reasons: use an offline password manager (KeePass) on GrapheneOS, another open source operating system, or a phone that has a removable battery and with airplane mode on all the time.
If you need a password for work and work doesn’t allow phones, memorize that password on top of your password manager’s vault password. Two passwords to remember are still better than remembering 20.
What if you want to type in your password in a printer with limited capability? You’d have to manually and painstakingly type in your long generated e-mail/dropbox/etc password. And more.
You generate a shorter password specifically for the printer, just read it from your phone when you need it.
How often does any of that happen to you?
For the second one, that seems unlikely, and you can just type the password you read off your phone.
The printer scenario seems both unlikely, and has nothing to do with password managers.
If you’re memorizing your passwords, you need to factor in the likelihood you forget, and for the actual security of the password. It sounds like you’re memorizing weak passwords, which is the heart of the problem, not a downside to password managers.
Was that an answer to my comment, or to the post? It seems like it was meant for the post…?