The data breach incident at LastPass, which happened more than three years ago, is still enabling cryptocurrency theft. Cybercriminals managed to steal approximately $35 million to date by cracking stolen LastPass vaults
Fake LastPass, Bitwarden breach alerts lead to PC hijacks
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager
Really disappointing that @vivaldibrowser on Android still doesn’t support proper autofill for password managers like @ProtonPass.
Works flawlessly on desktop — but mobile keeps blocking the standard Android Autofill API.
Why ignore this for years? It’s 2025, this shouldn’t still be broken.
Hi Fedi,
I have been using @bitwarden since 2019, and have been a premium subscriber for most of that time. Due to their recent hyping of AI, I am interested in switching away.
Update 2025-07-14
So far I am liking Gnome Secrets (desktop) and Keepass2Android (Phone). However, there does not seem to be a way to get Secrets to autofill on websites. https://gitlab.gnome.org/World/secrets/-/issues/34
I'll give Bitwarden a few weeks to see if they can resolve their AI issues. If not, I'll probably suck it up and lose autofill.
Options I am currently considering are Nextcloud Passwords , KWalletManager, and a Keepass-based password manager synced using Nextcloud. I have questions and concerns about each, and I'm hoping you can address my concerns for at least one of these three options, or suggest something else.
Before getting into those, I'll just say I also considered and rejected Proton Pass, on the grounds that
a) The server software is proprietary,
b) Logging in requires a Captcha. I can pass the captcha, but I'm always afraid that I will fail it.
c) The CEO has said and done bad things,
d) The company is also into AI.
So, what are the options I am considering?
Keepass with Nextcloud for syncing
This is the recommendation I see the most. I have three concerns: two regarding use on Android and the other on desktop.
First, on Android, one Bitwarden feature I use heavily is "unlock with PIN." Downloading my Bitwarden vault from the server requires entering my very long Bitwarden password plus 2FA. Unlocking my vault on my device, to which I am already logged in, only requires entering a short password. That's good, since entering my full password on my phone takes a long time.
Keepass doesn't seem to have a native feature like this, but I can sort of replicate it by having a strong password for my Nextcloud account and a weak password for my keepass file.
The concern I have with doing this is that it would mean the folks who run my Nextcloud server, or anyone who hacks them, would have access to my password vault encrypted with a fairly weak password. Is this something I should be worried about? Is there a way to use a strong password for my Keepass vault without needing to take a long time to type it every time I need to log in to anything?
Note that I don't think I can use biometrics. I don't have clear fingerprints, and my phone (Pixel 6a) doesn't AFAIK support face ID.
Next up is the question of which Keepass-compatible apps to use, on both desktop and Android. There seem to be a lot of choices on Android and I have no idea how to narrow it down.
EDIT: The two that people seem to like are Keepass2Android (only on Google Play) and KeepassDX (on F-Droid). Both seem very nice.
I am able to log in to this one with my Disroot Nextcloud account. However, I see a red banner at the bottom of the app saying "Cannot connect to server. Tap to retry." (Retrying regenerates the same banner).
I also can't log in to this one, but there is no error message; I just get sent back to the login screen.
I also tried logging into the desktop flatpak and I am seeing white text on white background.
KWalletManager
I have a rule that if I want to use my computer to do X, and there's a KDE app which does X, then I will give the KDE app a fair try. KDE has a password manager, so I have to at least consider it.
The issue here is I can't figure out any way to sync it with Android. Can this be done?
It's a service like Bitwarden: one company provides a desktop app, a mobile app, a browser extension, and a service to sync all of them. One thing to note is that it seems like all of their repositories have very little activity: The Android repository has had no commits for close to three years, the web vault has had no commits for close to two years, and the desktop repository (which is Electron) has had no commits since April 2024. That might not be a bad thing if it's working, but I don't think I'm qualified to assess the difference between "this software has unpatched security issues we aren't fixing" and "This software is working perfectly so we don't need updates."
Much like Keepass, it stores all passwords as a single encrypted file and expects you to use another program to sync. There are iOS and Android apps that are compatible.
The trouble here, as with Keepass, is getting the desktop app to autofill on websites. It does nominally have an "autofill" feature, but it can't detect when the site you are viewing corresponds to an entry: you have to open the desktop app, search for the relevant entry, open it, and then click "autofill." It's a lot less convenient than clicking the icon for Bitwarden's browser extension.
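The post asks whether putting a weak password on a Keepass file that is synced through Nextcloud is the same as Bitwarden's "unlock with PIN". The toy model below is an added example, not code from Bitwarden, KeePass or any project named above, and it does not claim to reproduce how any of them implement PIN unlock. It assumes the common split design: a random vault key encrypts the entries, the long master password only wraps that key in the synced file, and a PIN-unlock wraps the same vault key a second time in a record that stays on the device and is never uploaded. With the workaround from the post, the weak password becomes the only thing protecting the server copy. Everything here is standard library only (scrypt for stretching, HMAC-SHA256 in counter mode as a stand-in for the AES or ChaCha a real vault uses), and the scrypt cost is deliberately far too low so the script runs in a few seconds.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Toy scrypt cost: far below what a real vault should use; kept small so the example runs fast.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(secret: str, salt: bytes) -> bytes:
    """Stretch a password or PIN into a 32-byte key with scrypt (standard library)."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real vault's AES-GCM/ChaCha20-Poly1305."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong password or PIN shows up as a ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- The synced artifact: this is all the Nextcloud (or any) server ever holds. -------------

def create_vault(master_password: str, entries: bytes) -> dict:
    """A random vault key encrypts the entries; the master password only wraps that key."""
    salt, vault_key = os.urandom(16), os.urandom(32)
    return {
        "salt": salt,
        "wrapped_vault_key": seal(derive_key(master_password, salt), vault_key),
        "entries": seal(vault_key, entries),
    }


def unlock_with_master(vault: dict, master_password: str) -> bytes:
    return unseal(derive_key(master_password, vault["salt"]), vault["wrapped_vault_key"])


def read_entries(vault: dict, vault_key: bytes) -> bytes:
    return unseal(vault_key, vault["entries"])


# --- The device-only artifact: written after a full unlock, never uploaded. -----------------

def enable_pin_unlock(vault_key: bytes, pin: str) -> dict:
    """Wrap the already-unlocked vault key under a short PIN; this record stays on the phone."""
    pin_salt = os.urandom(16)
    return {"pin_salt": pin_salt, "wrapped_vault_key": seal(derive_key(pin, pin_salt), vault_key)}


def unlock_with_pin(device_record: dict, pin: str) -> bytes:
    return unseal(derive_key(pin, device_record["pin_salt"]), device_record["wrapped_vault_key"])


def guess_master_password(vault: dict, candidates: Iterable[str]) -> Optional[str]:
    """What someone holding only the server copy can do: try passwords against the wrapped key.
    Returns the first candidate that unlocks the vault, or None."""
    for candidate in candidates:
        try:
            unlock_with_master(vault, candidate)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    entries = b"example.org: someuser / constructed-sample-password"   # constructed sample data
    passphrase = "a long master passphrase that is slow to type on a phone"
    strong = create_vault(passphrase, entries)
    phone = enable_pin_unlock(unlock_with_master(strong, passphrase), "4931")
    print("PIN unlock on device works:", read_entries(strong, unlock_with_pin(phone, "4931")) == entries)
    # A short candidate list stands in for a PIN-sized search; the server copy of the
    # split design does not contain the PIN record, so the PIN buys an attacker nothing.
    small_search = ["0000", "1111", "1234", "4931"]
    print("server copy, strong master, cracked by:", guess_master_password(strong, small_search))
    # The workaround in the post: the weak password is the *only* protection on the synced file.
    weak = create_vault("1234", entries)
    print("server copy, weak master, cracked by:", guess_master_password(weak, small_search))
```

The point the split design makes is that the short secret is only ever checked against a record that never leaves the device, so whoever operates or compromises the sync server still has to attack the long master password. Putting a weak password directly on the synced file collapses that distinction, and the low scrypt cost used here only understates how cheap a PIN-sized search against the server copy would be.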
Well, great. Now @bitwarden is going to add AI bullshit to their services. I left Bitwarden a few months back for different reasons but I'm kind of glad that I did. I switched to @1password. If they add AI to their services (are they already?), I'm just going to call it quits on all of them and just move completely to @keepassxc. I can simply just host my own with Keepassxc and not have to worry about any AI crap. I'm using Keepassxc now but not for everything. That might change in the very near future.
Password managers are one of the most effective ways of securely storing passwords for multiple sites and platforms, but a new report tells us that cybercriminals are increasingly targeting them in their attacks. @DigitalTrends has the details:
" What about Proton VPN? I think they are in Europe."
A division of Proton is now a US-based company. In particular, Proton Wallet. Their Terms of Service also go to lengths concerning US laws and US customers. It goes beyond just the CEO's support for fascist leadership (Donald Trump).
Naturally, making this list is not easy. These are two types of companies I avoided in making my list.
Those who actually fall under US jurisdiction because they are based in the USA or owned by a company based there.
More often than not, I will stumble over a company that appears to be outside the USA, but later find it is owned by another corporation based inside the USA, and so it does fall under US jurisdiction.
Those who voluntarily give up their sovereignty to the United States. This second type, who voluntarily give up their sovereignty by way of US jurisdiction, have whole sections of their terms concerning US laws and US-based customers. If a fascist government says jump, these people will ask, how high?!
When @protonprivacy calls Proton Pass an "identity manager", they're not kidding. It's more than just a password manager, it really does let you easily manage your digital IDs online.
Proton Pass continues to get better and better, to the point where I genuinely can't see myself using any other password manager. I still keep an offline, duplicate backup in KeePassXC (with more sensitive logins exclusive to that) just to have, but for almost everything else, Proton Pass is more than enough and it makes it a breeze to keep accounts secure.
KeePassXC doubles down on AI use (keepassxc.org)
!!! SEE IT AGAIN !!! "Is Your Password Manager Safe? | Clickjacking Found in Most Password Manager Extensions" | Saturday Premier 👀👏
"Is Your Password Manager Safe? | Clickjacking Found in Most Password Manager Extensions" | Saturday Premier 👀👏