thanks guys for the answers – I think we’re on the right track Basically I’m looking for an alternative for Keepass2 which is more convenient. Some of my requirements are platform independency and syncing.
Keepass2 (which has a “limited” sync feature) is only running via wine/Mono on Linux and has some other limitations reg. syncing.
A solution like Enpass (dealbreaker: not open source) or Bitwarden would be exactly what I need, and I’m just trying to understand the concept and implications before using sth. new.
thanks for the consideration, but actually the video does not contain any news for me. While I’m not very familiar with many protocols, you can assume that I have some understanding of crypto concepts and algorithms.
I should have the wits to understand Bitwarden’s concept with your help, so please bear with me for a little more.
And yes, I need some trust, but I can try to reduce it by not using proprietary SW and e.g. using Tails Linux for highly security critical tasks.
And of course I’m also happy to rely on security audits and code reviews for crypto SW, because neither I’m capable nor do I have the time to review and understand it all on my own.
@tgreer, Davidz, @Nik1
I will repeat myself. Your master password doesn’t go anywhere. You are NOT sending it anywhere. It stays on your computer.
I think we’re getting closer to me understanding Bitwarden’s concept.
I know that the Bitwarden browser extensions are no web applications – I’m not concerned about those.
But when I create my account, I’m not necessarily having the browser extensions installed – I’m using Bitwarden’s website and a form where I have to enter my master password.
Here (and I may be wrong) I implicitly assume that the data entered there is sent to the web server (and the master password and email probably are the only sources for the KDF – I don’t see another offline-only “secret key” being used as in the video suggested by @Nik1).
This is the one issue which deterred me when checking Bitwarden.
(With Keepass2, it’s easy to realize that the password never has to leave the local system.)
@tgreer , Davidz
Or did you only refer to the browser extensions that are used later on?
Basically this thread boils down to this question…