Sam Schlinkert is a user on octodon.social.
Sam Schlinkert @schlink

I wrote a bit about my plans to change the way I manage passwords (tl;dr 1Password --> Syncthing + KeePassXC)

Would love any and all feedback.

sts10.github.io/post/password-


@schlink in regards to Plan C, there are a few lightweight options for running your own git server rather than trusting github, and it would allow you to modify the security of the git server to match your threat profile or threat profile substitute.

@djsundog whoa hadn't thought of that.

I've got other issues with Pass though-- would have to figure out some type of Auto-type or browser auto-fill for it to really compete with KeePassXC, which I like a lot.

@djsundog @schlink While I wouldn't call it lightweight since it's on RoR, I use and run gitlab personally for postActiv and not only does it provide much of the same functionality as github, it also adds several other features not present there and presents what is IMO a better interface.

@schlink Just wanna thank you for writing the blog post because I've been using LP for a loong time and had no idea about the vulns ._.
I moved to KeePass now but haven't worked out proper syncing yet.

@grainloom oh thanks. But I didn't mean to imply that LastPass still has unpatched vulnerabilities. In fact I applaud how they've handled them so far.

That said, hope you enjoy KeePass and find a syncing solution that works for you! Feel free to leave a comment if you have suggestions

@schlink Well, their Firefox extension broke after an update, so I wasn't planning on using them from now on anyways.

I don't really have any suggestions but I'm interested in what your evaluation of pass will be.

@grainloom oh bummer. After exploring LastPass a bit more I had filed it away as a great recommendation for non-technical folks, but maybe I'll send them to 1Password.

And re: pass-- it's funny. As comfortable as I am on the command line, I think I'd still be a little uneasy handling such sensitive stuff. I'd also need some sort of auto-typing feature to make it comparable to KeePassXC...

@schlink I'm surprised there isn't a Keepass2 implementation for iOS. There are two for Android, and one of them is really good.

@gcupc oh, didn't mean to imply there weren't. There's MiniKeePass and a few others (see: keepass.info/download.html).

My issue is that I wouldn't be able to get at my KeePass db on my iPhone unless I used something like Dropbox or Google Drive. At least that's my understanding.

@schlink oh. On Android, I use Nextcloud, but there's also an unofficial Syncthing.

@gcupc yeah-- read about the Syncthing Android route-- cool that it's offered.

What's Nextcloud like? I couldn't get a feel for it after a cursory skim of their website. Seemed a bit more intense of a setup than Syncthing? Though if they offered an iOS option that might be a winner...

@schlink they do have an iOS app, I believe. But nextcloud is much more heavyweight than Syncthing. It's not just a syncing solution. It's self-hosted cloud storage, contacts, calendar, plus optional apps for things like notes and document editing.

It's more like Google Drive or Office365 than just sync.

@gcupc ah OK. Syncthing is right about what I can handle-- I'm really relying on the defaults being sane and secure tbh. That said, another thing I want to get off of is Google Calendar

@schlink yeah, combined with davdroid on Android, nextcloud has replaced pretty much all of the Google ecosystem for me (except for Android itself, obviously, and play services, which are insidiously hard to get rid of).

@gcupc where is all your nextcloud stuff hosted? a machine that you physically own and have access to? Nextcloud servers? Somewhere else?

@schlink home machine. Many people run it at home behind NAT so as not to worry too much about the security stuff, and VPN in.

@gcupc ah alright-- a bit over my head at this point. Always more to learn!

@gcupc @schlink Any particular contenders to replace Google Calendar?

@schlink @paulsheprow IMO Nextcloud is your best choice. Self host, or find a provider that you are willing to trust.

@gcupc @paulsheprow Haven't looked into it, though I realize Google Calendar is a sleeper pick for hardest Google service to quit.

privacytools.io (a common starting point for me on such questions) doesn't have a section on calendars, but a search of their subreddit may be a good place to start reddit.com/r/privacytoolsIO/se

@schlink It would be real tough for me, but I'd sure like to. Enjoyed the keepass/syncthing post btw

@paulsheprow Thanks!

I've got a more general one on privacy/security that I try to keep relatively up-to-date (Don't think I linked to it in the keepass post)

sts10.github.io/post/2016-11-1