Password manager

Sorry if that sounds overly pessimistic - I’m honestly not trying to sound negative. I recognize there are serious issues to consider with any new system, and definitely more so in this case, and also that the organization is generally trying to handle a lot already with limited resources currently able to make the required changes.

Not pessimistic at all. In fact, I appreciate the bluntness. The truth is - given our focus on shoring up our core services via the new infrastructure and Alfredo’s transition from staff and board to just board - it’s not likely we will be launching any new services in the near future.

I think it would be productive to start a process of prioritizing new services - with the idea that we could set a goal of one new service in 2021. I don’t think we could make any promises on when it would be launched, but that might be a more useful framework to consider.

I think a password manager is a good choice. I know there have been strong arguments from the board for a federated social network. And another would be some kind of static html generation system.

1 Like

My 2¢ on the order would be:

  1. Password manager. I agree that we should probably host something and that it seems like Bitwarden is the one with the most energy behind it.
  2. Static site generator. I would really love to see that. Maybe we need a separate thread on that.
  3. Federated social media. I understand the desire to try this, but will admit skepticism. Is there a conversation on what the goals of a project like that are? People have tried this and failed, and I’m worried that it will end up like the Friendica instance we used to run ~10 years ago.
2 Likes

So keeping the thread on track with the password manager proposal…
I think overall the response is positive, but like jamie has mentioned based on the staff’s current and expected workload this year we have to seriously prioritize essential work and postpone any new services that WE would be expected to troubleshoot and support.

I think everyone here is still welcome to begin thinking through what this would look like and how you might be able to help this become a reality.

I have some initial questions:

  • What kind of resources would be needed to host this?
  • Is this expected to integrate into the rest of our member database, centralized user authentication, etc.? LDAP?
  • Can this still run and still be useful as an isolated service?
  • Are there any well made/simple ansible playbooks to automate deployment of Bitwarden that look worth using or adapting to our needs?
  • Can we work on this slowly? Is this still useful 12-16 months from now?
  • Think of everyone you’d like to invite to use this who doesn’t always feel comfortable with technology, is BitWarden’s current documentation clear enough for them or will we need to add more detailed or simplified versions of documentation for members? Is it all localized?
2 Likes

And while you are trying to keep things on track, jaimev, sorry, but I’m going to derail again a bit (this was sitting in compose a couple days, sorry):

Password manager would be a great utility, but I’d personally defer in preference of a static site generator. As we’ve covered here, there are good alternatives which we could instead help document for now. The static site generator on the other hand might have a further reaching impact. It could help limit costs and security concerns, while making things easier for potentially a large number of members with limited website needs.

On the side: I’m mixed on the social media as well. While it would be ideal for MFMT to play a role in helping orgs move to a better social media experience - at the very least, for internal communication - I think it is much more limited benefit-to-cost wise. MFMT already provides a safer place to organize with email, pads, file storage, meetings, etc.

Related to all this, I know some members have no clue what the services actually are. Would it be good to perhaps summarize a small list of them on the front page under “What we do?” (or at least link to what appears to be the best resource: https://support.mayfirst.org/wiki/services?). I know that when I point someone at MFMT they basically have no idea from the site what the purpose is for joining - aside from an obvious shared political alignment. It takes effort and digging when you don’t know where to look to find out what you’ll be able to use (and otherwise avoid using - e.g. google docs, etc). The benefits page makes it a challenge to find also (a few do hide under Technical details - the last place a non-technical person will look). Storage amounts - which are hard for almost anyone to estimate - are at the top-level. Granted, they are related to membership cost, which is important, but even for that: I’m not even sure to what those apply? NextCloud? Email? Hosting? All three (or others as well) combined?

Anyway - wanted to dump this message before it got more off-track. I’ll review the threads otherwise when I have time and try to move comments as appropriate. Thanks!!

Hi all, I really think we should try to keep these threads on topic so that they are easier to follow. The other proposed services discussed here are all really important as well and each deserve their own thread. One of the benefits of Discourse is that it has some admin functions that will allow us to move posts around after the fact. If people don’t mind I’d like break out some of your posts into new separate threads.

Sorry… organization is not my strong suit, and I’ve had pretty crap focus on/off for a bit now.

By all means, move away - it seems I cannot move things myself. I guess delete, re-post would be the alternative.

I’m interested in this thread for my org as well. Having a team password manager with individual password support that had few barriers to entry for less technical folks seems critical. I was thinking of hosting my own BitWarden instance, but if something like this was added to MayFirst that would be much better.

I would be interested in helping with some of the initial set up and testing. I don’t have a ton of expertise in infrastructure and self-hosting, but I have some experience setting up my own self-hosted applications and I’d like to gain experience so I can help out more around here.

I could go through the BitWarden documentation to get up to speed and also assess how approachable they are (your last bulletpoint).

I just learned this today and wanted to share. Fastmail has added email masking with an integration with 1Password - meaning those who use that password manager can create unique emails from 1Password that have the same domain as what they currently use, like so: some-site-specific-name33@mynormaldomain.com

I use bitwarden for passwords, fastmail for mail, and 33mail.com for email masking, but I’m really envious of something like this… Would be incredible to have something like this through mayfirst, though I imagine not at all easy to pull off…

It appears to me that KeePassXC is still a possible solution. An export of the organization’s IDs and passwords, secure email with attachment or an encrypted file on NextCloud, and a Merge into local KeePassXC would work. How often are passwords typically changed? Not that much of a hassle.

Hi, I would like to know if there was any news on this issue. I think implementing it on top of nextcloud would be the easiest way to do it.

I saw people using bitwarden with vaultwarden and it works great, but it’s a whole new stack.

Martín.

Unfortunately, no movement yet on adding a password manager, but for what it’s worth, my personal opinion is that a password manager should be the next new service we add.

Some good news: we finished coding the very last part of our new infrastructure overhaul (the web services). We did a presentation to the TIAS team about how it works a couple weeks ago and we are planning a membership-wide presentation in late August. Now the database, email and web services are complete, so we will be able to start moving people to the new infrastructure over the following months. The new infrastructure has always been the priority, causing us to defer any new projects. Now that we have turned a corner, I think we can realistically plan for new services in late 2023 or early 2024.

As for what to use…I continue to be reluctant to use the Nextcloud password manager app for a number of reasons.

  1. Upgrades: Upgrading Nextcloud is a big deal - it affects many of our members in many different ways. Also, since we have a number of third party apps, we cannot upgrade Nextcloud without ensuring that all available apps work properly with the new version of Nextcloud (we typically run through with a staging setup of Nextcloud and laboriously test to ensure everything works as expected). In one recent case, we ran into problems with circles - it took us several months of testing and debugging before we were ready to upgrade Nextcloud core without causing everyone’s circles to be lost. As a result, we tend to upgrade Nextcloud infrequently. I would hate to be in a position where there is an outstanding password manager security bug, but we can’t upgrade the password manager because it requires a Nextcloud upgrade.

    In contrast, with a stand-alone password manager, I would be more inclined to upgrade more frequently to avoid security problems even if it means more bugs.

  2. Features: Using the Nextcloud Passman app has one great feature: it’s integrated with Nextcloud. But otherwise, it’s a losing race. Bitwarden has more users and more support and probably will always be ahead of the game. Just taking a quick glance, for example, I noticed that Nextcloud’s passman only advertises an Android app. I also perused the list of issues and found that passman cannot share a group of passwords with a team, which seems like a show stopper for most organizations. These are just a few problems based on a superficial look.

I think @martinszyszlican is right about bitwarden being a whole new stack - and I’m not enthusiastic about adding something complicated to our list of projects to maintain. However, in this case, I think it will be worth it. And, to lessen the burden, I’ve been following vaultwarden development - which is an API-compatible drop-in replacement for vault warden that is written to be more easily maintained. There is definitely some risk in pursuing a community offshoot like this, but I think it might be worth it to facilitate maintenance.


1 Like
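As an added example (not from this thread and not the vaultwarden project’s own files), here is what the stand-alone vaultwarden deployment discussed above could look like as a docker-compose service, with the settings that matter for a closed-membership organization. The hostname, data path and admin token are placeholders (assumptions); the environment variable names are vaultwarden’s own. It is a configuration fragment, not a program to run.

```yaml
# docker-compose.yml for a stand-alone vaultwarden instance (added example).
# Assumptions: TLS is terminated by a reverse proxy on the same host that
# forwards to 127.0.0.1:8080; vault.example.org and ./vw-data are placeholders.
services:
  vaultwarden:
    image: vaultwarden/server:latest   # pin to a specific release tag in production
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Must be the public HTTPS URL; the clients and WebAuthn derive origins from it.
      DOMAIN: "https://vault.example.org"
      # Weak default: SIGNUPS_ALLOWED is true out of the box, which lets anyone on
      # the internet create an account on the instance. A membership org wants
      # registration closed and members brought in by invitation instead.
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "true"
      SHOW_PASSWORD_HINT: "false"
      # /admin is disabled entirely when ADMIN_TOKEN is unset. If you enable it,
      # store an argon2 PHC string (see `vaultwarden hash`), not a plaintext token,
      # and double every `$` so compose does not interpolate it.
      # ADMIN_TOKEN: "$$argon2id$$v=19$$...REPLACE_WITH_OUTPUT_OF_vaultwarden_hash"
      LOG_FILE: "/data/vaultwarden.log"
      EXTENDED_LOGGING: "true"
    volumes:
      # SQLite database, attachments and the instance RSA keys all live here;
      # this directory is the thing to back up.
      - ./vw-data:/data
    ports:
      # Bind to loopback only so the service is reachable solely via the TLS proxy.
      - "127.0.0.1:8080:80"
```

Because the service is a single container with its state in one volume, the upgrade concern raised above reduces to `docker compose pull && docker compose up -d` after reading the release notes, independent of any Nextcloud upgrade cycle.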