A common need (that organizations frequently do not realize they have) is a password manager. This should allow for both passwords shared with a group and individual passwords kept in one place.
Has May First ever looked into hosting one?
I would say a browser extension is a must-have.
The two libre, self-hostable ones I know about that meet these criteria:
BitWarden is the most robust solution, with team features like collections and shared items and enterprise services like support, an audit trail, and password vault health reports. It is full LibreSaaS with no proprietary pieces, and its business model is primarily LibreSaaS, but it has solid self-hosting documentation.
passbolt is also fully libre software; it advertises team features but seems very simple, most similar to (the proprietary) LastPass. As such it is what I’m most comfortable with, personally. It prioritizes a pay-for-local-install business model of making money from self-hosters but also has LibreSaaS plans.
But probably makes most sense to pick one that is built into, or at least works with, Nextcloud. Anyone know about these options?
Thanks for raising this. I’ve been thinking about the question lately because of Firefox’s newfound ability to import KeePass databases and sync them. It is making me wonder if I should give up on KeePass and just move over to FF.
That said, I already use MF as my cloud password manager quite effectively; I simply keep my KeePass database on MF-hosted NextCloud, and then it’s quite easy to access it, fully synchronized across multiple clients and platforms.
I’m in the same boat as @ntnsndr. I use keepassxc on my desktop computer, with the KeePassXC firefox extension and Keepass2android on my phone and I keep the database on Nextcloud. Keepass2android has a special feature allowing you to specify that you keep your database on Nextcloud and it keeps it in sync.
There is still a small amount of friction to get the browser/keepass communication working, but over all it does a very good job.
Having said that, I think @ben-agric has a point. Getting all these pieces to work together is really tough. There is a lot of software you have to install in separate pieces. I’m not sure if other solutions make it easier; maybe it really is tough to get a password manager operating (that’s the allure of just switching to Firefox: all you have to do is install Firefox on your computer and phone and ensure you are logged in).
I’ve also been keeping my eye on Nextcloud’s password manager. I’ve been very cautious with Nextcloud and all the Nextcloud apps because…
I don’t want to become overly dependent on Nextcloud. Even though it’s free software, if they went in a direction we didn’t like we would be in big trouble
I don’t want to become overly dependent on a hard to maintain app. If the password management app stops development, we could be in a position where we have to decide to either upgrade Nextcloud and drop the password manager, or not upgrade Nextcloud and keep the password manager.
So far, the password manager seems quite well supported. And yet, I would somehow feel better launching a password manager that was independent of Nextcloud just to reduce the long term maintenance risks.
I just took a peek at bitwarden and passbolt - they look very promising. I’d be interested in a comparison of the three (including keepassxc with Nextcloud) to see which have the least amount of friction for new users to get up and running.
Yeah, KeepassXC has been working fine here as well provided everyone has an operable sync client (which has not been exactly rock-solid, at least for me).
BitWarden I’ve definitely seen the most support of, generally.
Of course, there’s pass + git, too
Also of note, Chromium users will soon not be able to sync passwords with Google (thankfully!), so not a bad time to make a point to the membership regarding password managers, generally.
I have recommended KeepassXC in the past. Helping people understand up front the importance of having a good master password and backing up the database file itself is really important. I think backing up that file via NextCloud is not a bad solution for members who are already using NextCloud and don’t feel comfortable managing their own offline backups. I would recommend the latter for members with special security requirements.
I also really like pass and find it very easy to manage on the command line although I see there are some gui interfaces for it.
I personally use Bitwarden’s hosted offering, I need to share a subset of my passwords with my family. I had been using KeepassXC, with the file hosted on nextcloud for many years. I recommend Bitwarden to any of my clients who don’t have a password manager and aren’t already using Lastpass. If there could be a hosted Bitwarden instance, I would happily test it out.
One complaint I have with keepassxc is that the browser integration is a bit flaky. On the desktop, username/password fields are not always auto-detected. Sometimes clicking on the icon magically fills in my username and password, sometimes it doesn’t, even on the same login screen (works one day, not another day). So I find myself manually going to keepass, looking it up, and copy/pasting.
Also, I pull in the keepass browser extension via the Firefox extension store, but I pull in Keepassxc via Debian, so the extension and program are not always the same version.
Same with mobile. I’m curious if this is a common problem across all of them, or if bitwarden, for example, is smoother. I assume using Firefox’s password manager would be the smoothest of all (except, perhaps for storing passwords not used by the browser).
Yup, it can do several different buckets of sharing. I have clients that use it with many different internal teams.
I like that for bitwarden, if you lose your main password, the default is there is no way to recover your account.
Also they just added an optional feature where you can delegate someone who can access your account in case of emergency or death, which I really appreciate.
I’m really glad this is being brought up. My experience working with grassroots groups and individual organizers is that password management is one of the most common security challenges.
I’m using Bitwarden and find it much easier to use than KeepassXC. I do find the performance to be a bit slow at times, and there isn’t a loading animation, so after a few seconds of waiting for Bitwarden to process it can seem like a request didn’t go through. I should bring that up with them…
Anyways, I also agree with Jamie’s wariness of relying on Nextcloud. I find them to implement a lot of apps in a subpar way so that’s another reason to be cautious about relying on their password management tool.
Jamila - The ability to share different buckets with Bitwarden is awesome! I didn’t know that. And being able to delegate access to your account is a key feature for groups where the main point of contact leaves and becomes unreachable.
As a way to move forward, I like Jamie’s suggestion of comparing KeepassXC, Bitwarden and Passbolt. If someone drafts a rubric/spreadsheet I’d be happy to fill in what I know about KeepassXC and Bitwarden (never used Passbolt).
So what are the security implications of hosting Bitwarden for members?
Since it is end to end encrypted is our concern limited to preserving the integrity of the encrypted data and preventing any kind of man in the middle compromise of the service itself?
I imagine stability and uptime are critical. Even slight delays like what Clayton describes could really interrupt someone’s workflow. It seems like Bitwarden can do some local caching, does anyone know more about that?
Hello, I want to add that there are multiple solutions to use NextCloud to share passwords with members. Since we are already using this for calendars, I think it should be strongly considered https://nextcloud.com/blog/password-managers-for-nextcloud/
Hi Martin, see jamie’s comments regarding NextCloud above.
In my experience so far most NextCloud apps aren’t as polished as other dedicated free software packages that provide the same functionality. But often that tradeoff is acceptable since our members are already syncing with NextCloud and for some tasks it just makes sense for them to be bundled together under the same authentication.
I do feel like a password manager deserves to be independent though. I am not convinced that online password managers are the best idea for everyone but based on what folx are commenting here they appear to be quite useful for some people.
Agreed that online password managers are not the best idea for everyone, there are definitely folks with security threats that would recommend against them.
That said, most of the organizations I work with don’t have any password manager system in place when I start with them, and the ones that do are all on Lastpass (who just nerfed their free offering). Also, now that almost no organizations that I work with are working in the same physical place, the need has gone way up for a trusted way to share passwords among staff.
Agreed that integrity, stability, and uptime are critical.
As for caching, here is their data storage help page. There is an encrypted at rest local cache until log out by default. https://bitwarden.com/help/article/data-storage/
Urgency and interest in this going up for me, and probably a lot of others as well. LastPass is being bought by a firm with a horrible record on privacy and protection of political dissidents (as in, making money explicitly by sacrificing both).
I’m also a KeePassXC user. I like it, but password management has changed since the KeePass model. It’s typical to want to share passwords with a team, share individual passwords with a trusted vendor, etc. Passbolt and Bitwarden are better choices for organizations.
This is anecdotal from being part of online self-hosting communities, but:
Almost everyone chooses Bitwarden over Passbolt when choosing. Bitwarden seems to have a larger userbase.
Almost everyone chooses bitwarden_rs over classic Bitwarden. It’s an API-compatible Rust-based server, which has better performance.
Two nice things about pass (and I have not used either one yet):
It can use git to share/update passwords;
you can set up “sub-wallets” that encrypt the passwords to different sets of GPG keyids. So you can share different sets of keys with different sets of people.
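The “sub-wallet” behaviour described above comes from a simple rule in pass: each entry is encrypted to the key IDs listed in the nearest `.gpg-id` file, found by walking up from the entry’s directory to the store root, and `pass init -p <subfolder> <keyid>...` is what writes that file. The script below is an added example (not part of this thread and not pass’s own code) that builds a constructed store layout in a temporary directory and resolves recipients with that same walk-up rule, so it runs without gpg or pass installed. The key IDs and folder names are made up for illustration.

```shell
#!/bin/sh
# Added example: models how pass (password-store) picks GPG recipients
# for an entry. It mirrors the rule pass uses (nearest .gpg-id wins) but
# is not pass's code and never calls gpg or pass.
#
# The equivalent real commands for this layout would be:
#   pass init 0xAAAA1111AAAA1111                                   # store root
#   pass init -p shared/ops 0xAAAA1111AAAA1111 0xBBBB2222BBBB2222 0xCCCC3333CCCC3333
#   pass init -p shared/finance 0xAAAA1111AAAA1111 0xDDDD4444DDDD4444
#   pass git init && pass git remote add origin <url> && pass git push
# Re-running "pass init -p <subfolder> ..." with a different key list
# re-encrypts the entries under that subfolder to the new recipients.

set -eu

STORE="$(mktemp -d)"
trap 'rm -rf "$STORE"' EXIT

# Constructed store layout (hypothetical key IDs).
make_store() {
  mkdir -p "$STORE/shared/ops" "$STORE/shared/finance" "$STORE/personal"
  # Store root: only the owner's key.
  printf '%s\n' '0xAAAA1111AAAA1111' > "$STORE/.gpg-id"
  # shared/ops: owner plus two ops teammates.
  printf '%s\n' '0xAAAA1111AAAA1111' '0xBBBB2222BBBB2222' '0xCCCC3333CCCC3333' \
    > "$STORE/shared/ops/.gpg-id"
  # shared/finance: owner plus the bookkeeper.
  printf '%s\n' '0xAAAA1111AAAA1111' '0xDDDD4444DDDD4444' \
    > "$STORE/shared/finance/.gpg-id"
}

# recipients_for <entry path relative to the store root>
# Prints the key IDs the entry would be encrypted to, one per line.
# Walks up from the entry's directory until a .gpg-id file is found.
# Note the rule is "nearest file only", not a union: a sub-wallet's
# .gpg-id must list the owner again or the owner loses access there.
recipients_for() {
  dir=$(dirname "$1")
  while :; do
    if [ -f "$STORE/$dir/.gpg-id" ]; then
      cat "$STORE/$dir/.gpg-id"
      return 0
    fi
    if [ "$dir" = "." ]; then
      echo "no .gpg-id found for $1" >&2
      return 1
    fi
    dir=$(dirname "$dir")
  done
}

# recipient_count <entry>: how many keys the entry is encrypted to.
recipient_count() {
  recipients_for "$1" | wc -l | tr -d ' '
}

# shares_with <entry> <keyid>: succeeds if keyid can decrypt the entry.
shares_with() {
  recipients_for "$1" | grep -qx "$2"
}

make_store

for entry in shared/ops/router shared/finance/bank personal/mail; do
  echo "$entry -> $(recipients_for "$entry" | tr '\n' ' ')"
done
```

The practical point for a group is the last comment in `recipients_for`: because only the nearest `.gpg-id` applies, check a sub-wallet’s recipient list after every `pass init -p` and confirm the people you expect (and nobody else) are on it, for example with `pass git log -p -- shared/ops/.gpg-id`, since the file is tracked in git alongside the encrypted entries.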
Just curious if any further ideas or decisions have come up here…while we have a “working” system, something with more granular sharing, and solid in-browser support is something we’d consider moving to. In terms of helping us/others to decide when/if to take action, I’d like to ask what we might anticipate for a timeline, generally?
Is a timeline such as “likely at least several months away, if ever” appropriate whenever discussions expressing desire/need for potentially new systems comes up?