- Signal app and protocol (end-to-end encrypted by default, but centralized server, no federation)
- Matrix protocol (end-to-end encrypted, decentralized, federated, user gets to choose app to use)
- Delta Chat (I am not sure about this one, I know too little at the moment)
- Simplex Chat
Telecommunications metadata
Your ISP learns every website you visit via a few different channels: DNS lookups, the IP addresses of the sites you connect to, and the TLS Server Name Indication (SNI), which is sent in the clear in the first packet of a TLS connection. Most ISPs log and store this metadata for some time.
Mitigation
There's no need to use your ISP's DNS server. Run your own resolver, or use DNS over TLS or DNS over HTTPS to a resolver you trust. Bear in mind that a recursive resolver of your own still sends plaintext queries to the authoritative servers, which your ISP can observe on the wire; an encrypted upstream hides them from the ISP but moves the trust to the resolver operator instead. You can't really get around your ISP learning the IP addresses you visit. But with TLS encryption and the pervasive use of content distribution networks (CDN) by many website providers, the IP address itself does not say much. The "leaking" of domain names via SNI is harder to get around; TLS 1.3 with Encrypted Client Hello (ECH) addresses it, but both the server and the DNS records it publishes have to support it, so in practice most connections still expose the hostname.
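To make the SNI leak concrete, here is an added example (not from the original page) that builds a minimal ClientHello and then parses it the way a passive observer on the wire would, pulling the hostname out of the unencrypted first record. The ClientHello builder, its fixed random bytes and the hostnames are constructed test input; real traffic carries more extensions, but the parsing steps are the same.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello record.

Added example: shows what an on-path observer (ISP, middlebox) can read from
the first packet of a TLS connection even though everything after the
handshake is encrypted. The builder produces constructed test input only.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000  # server_name extension type, RFC 6066


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (constructed input).

    Only the fields a parser has to step over are populated; the 32-byte random
    is fixed so the output is deterministic. hostname=None omits the SNI.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name      # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry           # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    # An unrelated, empty extension so the parser has to skip something.
    extensions += struct.pack("!HH", 0x0017, 0)              # extended_master_secret
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + bytes(range(32))                           # random (fixed, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02" # two cipher suites
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        p = 2 + 32                                   # client_version + random
        p += 1 + body[p]                             # session_id
        p += 2 + struct.unpack_from("!H", body, p)[0]  # cipher_suites
        p += 1 + body[p]                             # compression_methods
        if p >= len(body):
            return None                              # no extensions block at all
        ext_len = struct.unpack_from("!H", body, p)[0]
        p += 2
        end = p + ext_len
        if end > len(body):
            raise ValueError("truncated extensions")
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, p)
            p += 4
            edata = body[p:p + elen]
            p += elen
            if etype != EXT_SERVER_NAME:
                continue
            q = 2                                    # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype, nlen = struct.unpack_from("!BH", edata, q)
                q += 3
                if ntype == 0:                       # host_name: ASCII per RFC 6066
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # example.com
    print(extract_sni(build_client_hello(None)))           # None
```

The parser never needs a key: everything it reads sits before any encryption starts, which is exactly why ECH exists. A capture of real traffic (e.g. the first TCP payload after the handshake to port 443) can be fed straight into `extract_sni`.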
Web Site Data
Any web site that you go to is very likely to keep extensive logs of everything you do on the site, including what pages you visit and what links you click, outgoing links to other sites included. Google Search, for example, records which result you click before sending you there.
Mitigation
Try to use alternative services that don't track you, such as Nitter instead of Twitter, Invidious instead of YouTube, DuckDuckGo instead of Google Search, Bibliogram or PixelFed instead of Instagram, Jitsi instead of Zoom, Signal instead of WhatsApp, and so on. Note that front-ends such as Nitter, Invidious and Bibliogram fetch content from the original service on your behalf, so you are trusting the operator of the instance you use rather than the original site; pick an instance you run yourself or have reason to trust.
Browser Sync Data
Although the browsing history stored on your computer may not be directly accessible, many browsers offer a "sync" feature which lets you share history, bookmarks, passwords, etc. between browser instances (such as between your phone and your laptop). This information has to be stored on a server somewhere and so is potentially accessible to whoever runs that server.
Mitigation
Make sure that whoever hosts this server allows you to properly encrypt your data, in such a way that the server owner can never decrypt it (the key must be derived from a secret that never leaves your own devices). Or, even better, self-host the sync server yourself (Firefox Sync can be self-hosted in this manner).
Discusses entropy as a measure of password strength, and includes two useful tables.
For example, a 30-character password drawn at random from the 62 alphanumeric characters (lower- and upper-case letters plus digits) achieves about 179 bits of entropy (30 × log2 62 ≈ 178.6). The figure only holds for randomly generated passwords; a human-chosen one that happens to use the same character set is far weaker.
The article also includes guidelines for strong passwords, reproduced below:
- Use a minimum password length of 10 or more characters if permitted.
- Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
- Generate passwords randomly where feasible.
- Avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
- Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences.
- Avoid using information that is or might become publicly associated with the user or the account, such as username, ancestors' names or dates.
- Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates).
- Do not use passwords which consist wholly of any simple combination of the aforementioned weak components.
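The guidelines above translate directly into a checker. This is an added example, not code from the linked article: it flags the rule violations listed (length, character classes, repetition, sequences, keyboard patterns, dictionary words, personal information) and reports the character-class entropy used in the worked figure above. The word list and keyboard rows are small constructed samples; a real deployment would load a proper cracking dictionary.

```python
"""Check a candidate password against the guidelines above.

Added example: a rule checker plus the character-class entropy estimate.
COMMON_WORDS and KEYBOARD_ROWS are constructed samples, not real word lists.
"""
import math
import string
from typing import Iterable, List

MIN_LENGTH = 10
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "dragon", "monkey"}  # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
CLASSES = [  # (name, alphabet); order is kept in the "missing_classes" message
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
]


def entropy_bits(password: str) -> float:
    """Entropy of a password chosen uniformly at random from the classes it uses.

    This is an upper bound: a human-chosen password that merely contains all
    four classes is nowhere near this strong.
    """
    pool = sum(len(alphabet) for _, alphabet in CLASSES
               if any(c in alphabet for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def _has_repetition(s: str, n: int = 3) -> bool:
    """Same character n or more times in a row (aaa, 111)."""
    return any(len(set(s[i:i + n])) == 1 for i in range(len(s) - n + 1))


def _has_sequence(s: str, n: int = 4) -> bool:
    """n consecutive code points stepping by +1 or -1 (abcd, 4321)."""
    for i in range(len(s) - n + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + n - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def _has_keyboard_pattern(s: str, n: int = 4) -> bool:
    """n adjacent keys from one keyboard row, forwards or backwards (qwer, lkjh)."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            frag = row[i:i + n]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(password: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the list of guideline violations; an empty list means no rule fired.

    `personal` holds strings publicly associated with the user (username, pet
    names, birth years, ...) that must not appear in the password.
    """
    problems: List[str] = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    missing = [name for name, alphabet in CLASSES
               if not any(c in alphabet for c in password)]
    if missing:
        problems.append("missing_classes:" + ",".join(missing))
    if _has_repetition(password):
        problems.append("repetition")
    if _has_sequence(password):
        problems.append("sequence")
    if _has_keyboard_pattern(password):
        problems.append("keyboard_pattern")
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append("dictionary_word:" + word)
    for item in personal:
        if item and item.lower() in low:
            problems.append("personal_info:" + item.lower())
    return problems


if __name__ == "__main__":
    for pw in ["qwerty1234", "Password123!", "xK7#qm2Lp!9v"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, problems={check_password(pw)}")
```

Note that the entropy figure and the rule list answer different questions: `entropy_bits("Password123!")` is about 79 bits, yet the checker rightly rejects it because it contains a dictionary word. Use the rules to reject human-chosen passwords and the entropy figure only to size randomly generated ones.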
Some guides on the why's and what's of password managers
- The best password manager in 2021, The New Oil
- A technical introduction to password managers, Tavis Ormandy. Via Alan Ralph.
- Wikipedia has an informative article on password managers.
- Internetstiftelsen has published an excellent guide to help you get started with a password manager.
- Good advice from Myndigheten för samhällsskydd och beredskap (MSB, the Swedish Civil Contingencies Agency) on how to secure your passwords.
- https://reddit.com/r/sweden/comments/1abpovo/%C3%A4r_det_inte_riskabelt_att_ha_l%C3%B6senordshanterare
BitWarden
Open source password management solution, can be self-hosted (how-to)
Integrates with Ansible.
1Password
A cloud-hosted password manager. No longer recommended, as it has regressed into an Electron application mandating remote storage of your password vault.
KeePass
Free, open source, light-weight, and easy-to-use password manager.
These slides discuss the why? how? what? where? of KeePass (presented by F. Morsbach at the first CryptoParty in Uppsala, 2019)
KeePass is written in C# and therefore requires Microsoft's .NET platform (or Mono on Linux and macOS).
- Plugins: A list of third-party plugins for KeePass
- Android: Keepass2Android
- iPhone: MiniKeePass
- Chrome / Firefox: Tusk
- Web App: KeeWeb
KeePassXC
Open source, cross-platform.
KeePassXC is developed in C++ and runs natively on Linux, macOS and Windows, with no .NET or Mono runtime required.
- Easy to achieve cloud sync by simply storing your KeePassXC database inside your shared cloud folder (using Nextcloud, for example). The database is encrypted at rest, so the provider only ever sees ciphertext; the protection then rests entirely on your master password (and key file, if you use one). Avoid editing the database from two devices at the same time, as the sync client will otherwise produce a conflicting copy.
AuthPass
AuthPass supports the KeePass database (KDBX format).
Setup instructions.
Pass
Simple GPG/Git password manager. Adheres to the Unix philosophy, which makes it easy to integrate with anything, e.g., Ansible.
This is my password manager of choice :-)
- Excellent in combination with rofi or dmenu on the Linux desktop, and
- on Android, usable with a combination of Password Store and OpenKeychain.
- Rich ecosystem of plugins, tools: pass-rotate.
- Clever uses of pass, by Vikaly Parnas.
Dashlane
"An intuitive password manager with over 8 million users worldwide."
Not open source, as far as I know.
Passbolt
Free, open source, self-hosted, extensible, OpenPGP based.
LessPass
Stateless, open source password manager.
Psono
Open source and self-hosted password manager for teams.
Buttercup
Another open source password manager with desktop, mobile, and browser clients.
LastPass
One of the most widely-used password managers, but that does not mean it's the best. Parent company is LogMeIn. Completely cloud-based, and not open source, obviously. On that basis alone, I do not recommend it. LastPass suffered a major breach in 2022, in which encrypted customer vaults were exfiltrated; it is now effectively dead.
Password manager apps that integrate with Nextcloud?
More lists of password managers
- https://codeberg.org/alicia/awesome-privacy#password-managers
- https://nextcloud.com/blog/password-managers-for-nextcloud/
- https://github.com/Igglybuff/awesome-piracy#password-vaults
- https://protonmail.com/blog/open-source-password-managers/
- https://www.tomshardware.com/best-picks/best-password-managers
- https://european-alternatives.eu/category/password-managers