- Signal app and protocol (end-to-end encrypted by default, but centralized server, no federation) - use it daily
- Matrix protocol (end-to-end encrypted, decentralized, federated, user gets to choose app to use) - finds its use, but can be slightly annoying when using multiple devices
- Delta Chat - please see notes below
- Simplex Chat - I haven't tested this
Matrix servers infinitely accumulate user data in the transport layer, namely encrypted messages and attachments as well as cleartext metadata about users and groups. A permanent metadata and room membership record may be ok, or even useful accountability-wise, for government officials but is not suitable for many people threatened by rising authoritarianism where “guilt by association” suffices for prosecution or worse. Operators of servers who can access all the social metadata about its users, and maybe even public messages, are becoming themselves a potential target for hacking or authoritarian repression.
Signal’s key architectural innovations were ephemeral message routing, usable E2EE with metadata-minimization where the transport server only stores messages temporarily and aims to know nothing about anything (except your phone number). Metadata-minimization is why Signal’s founder felt fine to entrust all “Signal Server” activities to Google, Amazon, Cloudflare, Microsoft, our very fine riders of the big tech apocalypse. A big step for cryptography in 2014 but a daring gamble, looking from 2025.
chatmail relays follow the Signal transport model and use SMTP and IMAP only for ephemeral message transport where the server keeps literally nothing except a (random) password and last login time. Turns out, if you hold those ancient protocols right, you can have a metadata-minimizing e-mail transport server with 0,001 EUR of costs per year per address.
https://lobste.rs/s/muk05v/reflections_on_matrix_criticism_over#c_1sijfo
Delta Chat
From the FAQ:
- Images, videos, files, voice messages etc. are handled as usual.
- For performance, images are optimized and sent at a smaller size by default, but you can send them as a “file” to preserve the original.
⚡️ Sign up to secure fast chatmail servers or use classic e-mail servers
- Chatmail relays Github repo - Chatmail relays are designed to be very cheap to run, and are automatically deployed and updated. Official list of relays.
- Besides the recommended usage of chatmail relays, you can use many classic email accounts in chatmail apps. List of email providers known to work with Chatmail.
- Chatmail core Github repo
The list of clients is quite impressive; it includes Android, iOS, a special "family-geared" Android client, a TUI client, and more.
Push notifications
Instant push notifications available for iOS and Android devices.
They seem to have put careful thought into how to handle notifications, especially on Android. By default, it depends on the Google FCM push service or microG.
But you can change this to instead use a "background connection" or a "forced background connection".
Note that classic e-mail servers do not support Push Notifications for Delta Chat users.
Audio or video calls
Not really, at least not yet.
You can invite others to an audio/video chat, but it's essentially a Jitsi meeting (or whatever provider you choose). No ring tone on the other end, so you must have otherwise arranged the "call".
- https://delta.chat/en/help#how-can-i-use-audiovideo-calls-with-delta-chat
- https://support.delta.chat/t/i-made-a-video-call-app-with-15-second-ping
- https://github.com/WofWca/video-call-over-email
- https://github.com/WofWca/webxdc-video-call
webxdc apps
Watch out for insecure copy-cats
As far as I can tell these services, also named ChatMail, have nothing whatsoever to do with Delta Chat.
Delta Chat setup flow
I would like to test using the same profile on multiple devices.
So on device 1 (phone) I downloaded and installed the Delta Chat app from the F-Droid appstore. Opened the app and followed the instructions to create my profile. That was painless.
On my second device (tablet) I downloaded and installed the ArcaneChat app from F-Droid. Opened the app, clicked on "Add second device" on the welcome screen, which starts the camera viewfinder. On my already registered device (phone), I opened the app, opened Settings, and clicked "Add Second Device". (Note! Don't make the mistake of clicking the QR code icon next to "Settings", because that will not work for adding a secondary device, only for inviting others to a conversation.)
ArcaneChat TUI client
I chose to create ~/.local/git/arcanechat, set it up for Python using direnv (echo "layout python3" > .envrc), then installed the client using pip:
$ pip install -U 'arcanechat-tui[full]'
This installs the arcanechat-tui binary, an alias arcanechat, as well as the deltachat-rpc-server in .direnv/python-3.10/bin/.
Next, how to configure the existing account?
- https://github.com/ArcaneChat/arcanechat-tui/issues/91 - Setup as second device
- https://github.com/ArcaneChat/arcanechat-tui/issues/96 - How to add account as second device?
Create a backup in ArcaneChat Android and transfer it to the computer.
$ arcanechat import <path-to-backup-tar>
Worked flawlessly with a single profile in the first device.
Telecommunications metadata
Your ISP learns every website you visit via a few different channels: DNS lookups, the IP addresses of the sites, and the TLS Server Name Indication (SNI). Most ISPs log and store this metadata for some time.
Mitigation: There's no need to use your ISP's DNS server; run your own. You can't really get around your ISP learning the IP addresses you visit, but with TLS encryption and the pervasive use of content distribution networks (CDNs) by many website providers, the IP address itself does not say much. The "leaking" of domain names via SNI is harder to get around, but newer versions of TLS improve on the situation.
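To make concrete what the SNI channel hands to a passive observer on the path, here is an added example in Python (not from the original page or any linked project). It builds a minimal, constructed TLS ClientHello record and then pulls the plaintext host name out of it the way a network monitor would. The record layout follows the TLS handshake format, but the cipher-suite list is a single placeholder entry and the bytes are constructed here, not a real capture. When no SNI extension is present, the parser returns None, which is all an observer is left with when the name is not sent in the clear.

```python
"""Constructed example: what the TLS Server Name Indication leaks to a
passive observer (ISP, middlebox). Not a real capture; the ClientHello is
built here with minimal fields."""
import secrets
import struct

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
SNI_EXT_TYPE = 0x0000     # extension type server_name (RFC 6066)


def build_client_hello(hostname):
    """Build a minimal ClientHello record (constructed, not a real client's).

    Only the fields a parser has to walk past are present; the cipher suite
    list is a single placeholder entry. With hostname=None the SNI extension
    is omitted, which is all an observer gets when the name is not sent in
    the clear.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data

    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + secrets.token_bytes(32)                # random
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite (placeholder)
        + b"\x01\x00"                            # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None.

    Returns None for non-handshake records, truncated data, or a ClientHello
    without SNI. A ClientHello fragmented over several records is not
    reassembled here.
    """
    try:
        if record[0] != HANDSHAKE_RECORD:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                          # truncated capture
        pos = 2 + 32                             # skip client_version + random
        pos += 1 + body[pos]                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXT_TYPE:
                continue
            q = 2                                # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0x00:                # host_name
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.org")
    print("observer sees SNI:", extract_sni(hello))
    print("without SNI:", extract_sni(build_client_hello(None)))
```

The point of the pair of calls at the bottom is that the host name is recoverable from the very first packet of the connection, before any encryption is in place, so a resolver you run yourself closes the DNS channel but not this one.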
Web Site Data
Any website you go to is very likely to keep extensive logs of everything you do on the site, including what pages you visit and what links you click, outgoing links included. For example, Google Search does this.
Mitigation: Try to use alternative services that don't track you, such as Nitter instead of Twitter, Invidious instead of YouTube, DuckDuckGo instead of Google Search, Bibliogram or PixelFed instead of Instagram, Jitsi instead of Zoom, Signal instead of WhatsApp, and so on.
Browser Sync Data
Although the browsing history stored on your computer may not be directly accessible, many browsers offer a “sync” feature which lets you share history, bookmarks, passwords, etc. between browser instances (such as between your phone and your laptop). This information has to be stored on a server somewhere and so is potentially accessible.
Mitigation: Make sure that whoever hosts this server allows you to properly encrypt your data (in such a way that the server owner can never decrypt it). Or even better, self-host the sync server yourself (Firefox Sync can be self-hosted in this manner).
Discusses entropy as a measure of password strength, and includes two useful tables.
For example, a 30-character password using alphanumeric characters (mixing both small- and upper-case letters) achieves around 160 bits of entropy.
The article also includes guidelines for strong passwords, reproduced below:
- Use a minimum password length of 10 or more characters if permitted.
- Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
- Generate passwords randomly where feasible.
- Avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
- Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences.
- Avoid using information that is or might become publicly associated with the user or the account, such as username, ancestors' names or dates.
- Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates).
- Do not use passwords which consist wholly of any simple combination of the aforementioned weak components.
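As an added example (not from this page or the article it summarizes), the following Python computes the entropy figure discussed above for uniformly random passwords using the standard length × log2(alphabet size) formula, generates such a password with the OS CSPRNG, and runs a mechanical check for the guideline items that can be tested offline: minimum length, character classes, repetition, letter or number sequences, and keyboard-row patterns. The keyboard rows (US layout) and all function names are my own constructions; dictionary words and personal information cannot be checked this way and are left out.

```python
"""Added example: entropy of random passwords and a mechanical check against
the password guidelines. Dictionary words and personal information cannot be
checked offline and are out of scope here."""
import math
import secrets
import string

# Character classes named in the guidelines
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed keyboard rows for the pattern check (US layout)
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Only holds for passwords drawn at random; a human-chosen password of the
    same length is usually far weaker than this number suggests.
    """
    return length * math.log2(alphabet_size)


def generate_password(length=16, classes=("lower", "upper", "digits", "symbols")):
    """Random password from the chosen classes, using the OS CSPRNG."""
    alphabet = "".join(CLASSES[c] for c in classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def weak_patterns(password, min_length=10):
    """Return the guideline violations found (empty list means none found)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    missing = [name for name, chars in CLASSES.items()
               if not any(ch in chars for ch in password)]
    if missing:
        problems.append("missing classes: " + ", ".join(missing))
    # three identical characters in a row, e.g. "aaa"
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        problems.append("character repetition")
    # ascending or descending runs of three code points, e.g. "abc", "321"
    for i in range(len(password) - 2):
        a, b, c = (ord(ch) for ch in password[i:i + 3])
        if (b - a, c - b) in ((1, 1), (-1, -1)):
            problems.append("sequence '%s'" % password[i:i + 3])
            break
    # four adjacent keys from one keyboard row, forwards or backwards
    lowered = password.lower()
    for i in range(len(lowered) - 3):
        chunk = lowered[i:i + 4]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            problems.append("keyboard pattern '%s'" % chunk)
            break
    return problems


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "%.1f bits" % entropy_bits(16, 94), weak_patterns(pw))
    print(weak_patterns("Password123!"))   # constructed weak example
    print(weak_patterns("qwertyUIOP"))     # constructed weak example
```

Note that the entropy function says nothing about a specific string; it describes the generation process. That is why the check and the generator are separate: a generated password gets its strength from the alphabet and length, while the pattern check only catches the obvious human habits the guidelines list.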
Some guides on the why's and what's of password managers
- The best password manager in 2021, The New Oil
- A technical introduction to password managers, Tavis Ormandy. Via Alan Ralph.
- Wikipedia has an informative article on password managers.
- Internetstiftelsen has published an excellent guide to help you get started with password managers.
- Good advice from Myndigheten för samhällsskydd och beredskap (MSB) on how to secure your passwords.
- https://reddit.com/r/sweden/comments/1abpovo/%C3%A4r_det_inte_riskabelt_att_ha_l%C3%B6senordshanterare
- https://lemmy.ml/post/19156372
BitWarden
Open source password management solution, can be self-hosted (how-to)
Integrates with Ansible.
1Password
A cloud-hosted password manager. No longer recommended, as it has regressed into an Electron application mandating remote storage of your password vault.
KeePass
Free, open source, light-weight, and easy-to-use password manager.
These slides discuss the why? how? what? where? of KeePass (presented by F. Morsbach at the first CryptoParty in Uppsala, 2019)
KeePass is written in C# and therefore requires Microsoft's .NET platform.
- Plugins: A list of third-party plugins for KeePass
- Android: Keepass2Android
- iPhone: MiniKeePass
- Chrome / Firefox: Tusk
- Web App: KeeWeb
KeePassXC
Open source, cross-platform.
KeePassXC is developed in C++ and runs natively on all platforms.
- Easy to achieve cloud sync by simply storing your KeePassXC database inside your shared cloud folder (using Nextcloud, for example).
AuthPass
AuthPass supports the KeePass database (KDBX format).
Setup instructions.
Pass
Simple GPG/Git password manager. Adheres to the Unix philosophy, which makes it easy to integrate with anything, e.g., Ansible.
This is my password manager of choice :-)
- Excellent in combination with rofi or dmenu on the Linux desktop, and
- on Android, useable with a combination of Password Store and OpenKeychain.
- Rich ecosystem of plugins, tools: pass-rotate.
- Clever uses of pass, by Vitaly Parnas.
Dashlane
"An intuitive password manager with over 8 million users worldwide."
Not open source, as far as I know.
Passbolt
Free, open source, self-hosted, extensible, OpenPGP based.
LessPass
Stateless, open source password manager.
Psono
Open source and self-hosted password manager for teams.
Buttercup
Another open source password manager with desktop, mobile, and browser clients.
LastPass
One of the most widely-used password managers, but that does not mean it's the best. Its parent company is LogMeIn. Completely cloud-based, and not open source, obviously. On that basis alone, I do not recommend it. LastPass has suffered a major breach; it is now effectively dead.
Password manager apps that integrate with Nextcloud?
More lists of password managers
- https://codeberg.org/alicia/awesome-privacy#password-managers
- https://nextcloud.com/blog/password-managers-for-nextcloud/
- https://github.com/Igglybuff/awesome-piracy#password-vaults
- https://protonmail.com/blog/open-source-password-managers/
- https://www.tomshardware.com/best-picks/best-password-managers
- https://european-alternatives.eu/category/password-managers