🇮🇹 🇪🇪 🖥

  • 0 Posts
Joined 6 months ago
Cake day: March 19th, 2024

  • Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.

    > You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.

    I mention that but with a specific context.

    • people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
    • even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.

    > In those cases then yes, you are extending a bare minimum trust, and your fully encrypted data would temporarily pass on the relay’s RAM.

    And from my (consumer) PoV this is functionally equivalent to having the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use the bitwarden server.

    > If this makes you paranoid

    Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device than by a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should also be worried about these corner cases.

    > I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.

    You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).

    > I don’t know how or why you would have vault conflicts, but it really does sound like something fixable

    At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.

    That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is minimal. If you get convenience/features, it’s a win.

  • Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you are probably aware of that if you set up something like this. Manually merging changes is extremely annoying and eventually you end up forgetting to do it, and you will discover it when you need to log in sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync’d application this is not a problem at all. Hence +1 for convenience to bitwarden.

    > However KeePassXC’s sync feature does sync the vault.

    How does it work though? From this I see you basically need to store the database in cloud storage.

    > For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate.

    I use this method for my notes (logseq). Never had a synchronization problem, but a lot of battery drain if I let syncthing run in the background.

    > Nothing else passes through it unless you opt into using relaying in case you have NAT issues.

    I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.

    > If you are paranoid, the software is open source and you can host your own relays privately,

    This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data on an external server, you would still need to manage a service (comparable to vaultwarden), and you don’t get all the extra benefits of bitwarden (like multi-user support etc.).

    To be honest I don’t personally think that the disclosure of a password manager’s encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than, say, Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is ultimately personal.

  • A few reasons, with the most important being convenience. Syncthing is going to see just a binary blob, as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn’t sync the changes yet (this is quite common for me on android, where syncthing would drain the battery quite quickly if it’s always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have an easy n-way merge of changes, because each change is part of a change set with a timestamp etc.

    Besides that, the moment you use syncthing, from a threat model point of view you are essentially in the same situation: you have a server (in the case of syncthing, servers) that sees your encrypted password data. That’s exactly what bitwarden clients do, as the server only has access to encrypted data; the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should also worry about the (random, public, owned by anybody) servers for syncthing that see your traffic.

    KeeShare from my understanding does use hosting; it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it’s not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that’s the same once again.

    The thing is, from a higher level point of view the security model can only be one of a handful of cases:

    • the password data only remains local
    • the password data is sync’d with device-to-device (e.g. ssh) connections
    • the password data is sync’d using an external connection that acts as a bridge or as a stateful storage, where all the clients connect to.

    The more you go down the list, the more convenience you get, but you introduce a bit of risk. TL;DR: keepass with KeeShare/syncthing has the same risks as (or more than) a Bitwarden setup with the bitwarden server.

    In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.

    Edit: I can’t imagine this comment being deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers
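    The difference the comment above describes between a file-level sync tool that only sees an opaque vault blob and an in-app sync that tracks per-item change sets can be shown in a few lines. The following is an added illustration, not code from Syncthing, KeePass or Bitwarden: `serialize()` stands in for the encrypted database file (the sync layer only ever sees bytes), and the vault entries, device names and revision timestamps are constructed for the example. It also covers the edge case the comment alludes to, two devices editing before a sync has run.

```python
"""Why a file-sync tool cannot merge concurrent vault edits, while an
in-app sync that tracks per-item change sets can.

Added illustration, not code from Syncthing, KeePass or Bitwarden. The
vault, item names and timestamps are constructed; serialize() stands in
for the encrypted database file, which a file-sync tool cannot look inside."""
import hashlib
import json
from dataclasses import dataclass


def serialize(vault: dict) -> bytes:
    # Stand-in for the encrypted vault file: the sync layer sees only bytes.
    return json.dumps(vault, sort_keys=True).encode()


def blob_digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def blob_sync(base: bytes, device_blobs: dict) -> dict:
    """What a file-level sync tool can do with the copies it sees.

    It only knows the bytes of each copy. If exactly one distinct new
    version exists it can be propagated; if two or more devices diverged
    from the common base there is nothing to merge and the tool has to
    keep a conflict copy for a human to reconcile by hand."""
    base_d = blob_digest(base)
    changed = {dev: blob_digest(b) for dev, b in device_blobs.items()
               if blob_digest(b) != base_d}
    distinct = set(changed.values())
    if not distinct:
        return {"action": "nothing", "conflicts": []}
    if len(distinct) == 1:
        return {"action": "propagate", "conflicts": []}
    return {"action": "conflict", "conflicts": sorted(changed)}


@dataclass(frozen=True)
class Change:
    item_id: str
    field: str
    value: str
    revision_ts: int  # seconds since epoch on the editing device (constructed)
    device: str


def merge_item_changes(base_vault: dict, change_sets: dict) -> dict:
    """N-way merge of per-item change sets.

    Each edit targets one item and one field, so edits from different
    devices to different items or fields all survive. When two devices
    edited the same field, the newer revision wins (last-writer-wins),
    with a deterministic tie-break on device name. Note that this trusts
    each device's clock; skewed clocks silently change which edit wins."""
    merged = {item: dict(fields) for item, fields in base_vault.items()}
    winning = {}  # (item_id, field) -> Change that currently wins
    for changes in change_sets.values():
        for c in changes:
            key = (c.item_id, c.field)
            cur = winning.get(key)
            if cur is None or (c.revision_ts, c.device) > (cur.revision_ts, cur.device):
                winning[key] = c
    for (item_id, fld), c in winning.items():
        merged.setdefault(item_id, {})[fld] = c.value
    return merged


def demo():
    """Constructed scenario: the laptop rotates the mail password, the phone
    rotates the bank password, and no sync has run in between."""
    base = {"mail": {"user": "a@example.com", "pw": "old-mail-pw"},
            "bank": {"user": "acct-1", "pw": "old-bank-pw"}}
    laptop_edits = [Change("mail", "pw", "new-mail-pw", 100, "laptop")]
    phone_edits = [Change("bank", "pw", "new-bank-pw", 120, "phone")]

    # Each device applies only its own edits locally, producing two vault files.
    laptop_vault = merge_item_changes(base, {"laptop": laptop_edits})
    phone_vault = merge_item_changes(base, {"phone": phone_edits})

    blob_result = blob_sync(serialize(base), {"laptop": serialize(laptop_vault),
                                              "phone": serialize(phone_vault)})
    item_result = merge_item_changes(base, {"laptop": laptop_edits,
                                            "phone": phone_edits})
    return blob_result, item_result


if __name__ == "__main__":
    blob, items = demo()
    print("file-level sync:", blob)     # conflict: both copies changed
    print("item-level merge:", items)   # both password rotations kept
```

    The file-level path reports a conflict the moment both copies differ from the common base, which is the manual-merge situation the comment describes; the item-level path keeps both rotations because it reasons about entries and fields rather than bytes. The last-writer-wins rule is only one possible policy, and its reliance on device clocks is a real weakness worth keeping in mind when evaluating any sync design.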

  • Most Italian recipes are very simple. The focus is usually on the quality of the ingredients, and if they are good, a pizza with just mozzarella and tomatoes is already delicious. That said, even in Italy there are plenty of types of pizzas, but most of them don’t have 20 ingredients; I suppose the point is that you actually want to taste what you eat, which is not the case when you mix many different things. There is a very messy and rich pizza (capricciosa) with a lot of toppings though (more than one obviously, but this is the most common).

    Personally I am a margherita person, simple and boring is perfect, as long as it tastes great.

    P.s. Giuseppe :)

  • For what it’s worth, that’s not how (most?) Italians think about pizza. It’s not a “container” in which you put a bunch of things; each pizza type is basically a separate dish.

    I personally don’t care what people put on their pizza, I simply avoid places that make “pizzas” in a non-italian fashion, like the american (supposedly NY style) ones where you get crust, 2 fingers of industrial cheese and a whole plant of oregano.

    It’s very similar for pasta, which many people think of as a bread replacement.

  • sudneo@lemm.ee to Memes@lemmy.ml · Pardon my French
    1 month ago

    Blind (I mean literally: he said he supports him no matter what) support for Putin and his imperial effort, public support for the ongoing invasion of Ukraine, helped gather money for military equipment, showed up to the front to “support troops” and other stuff like that.

    Wikipedia has a few lines, with a few sources linked.

    You can see also a video (in Russian): https://smotrim.ru/video/2587296

    Essentially the equivalent of an IDF groupie. Yuck.

  • sudneo@lemm.ee to Memes@lemmy.ml · Pardon my French
    1 month ago

    Technically wouldn’t being a democracy be an aggravating factor for Israel’s wrongdoings, which makes the population more responsible compared to the Russian or Belarusian one (therefore including athletes)?

    I don’t really agree with the rationale, although I personally wouldn’t have supported a ban on Israeli athletes (similarly to how I generally don’t agree with the same ban on Russian athletes, unless you are specifically a supporter of values that go against the Olympics such as genocide… e.g., I agree with Karjakin being banned from any chess competition).

  • They can’t add sneaky code to the process (without getting caught). For sensitive game code every single change needs to be tracked and reviewed by the authority. You get audited at least once a year, and then all the changes are reviewed. Authorities outsource the job for the technical reviews to specialized companies.

    Also, what’s the point? The games already provide a margin to the host, so why risk going out of business for such an irrelevant gain (a few more %)? Add to this that usually casino game writers do just that: write games and sell them to N casinos. So the incentives for the casino game writers are even smaller.

    Finally, yes you can write “license X”, but you can cross-check that information from the regulator itself, you don’t need to trust just the line on the site. The point is you as a customer can choose a trustworthy site, ideally one who is licensed in countries where regulations are quite tight (in Europe I would say Denmark), before putting your money somewhere.

    At some point you need to trust “someone”, that’s how the whole world works. The gambling authorities are no different than the authorities that enforce the safety certifications for electric equipment, or cars, or whatever.

    If your concern is that you would lose money on casino games because the site rigged it, it’s a relatively silly concern. You will lose because the casino games are designed to make you lose in the long term, on average.

  • > How can players be sure they are honest?

    At the bottom of each gambling site there are usually the banners for the license(s) the company holds. Complying with licenses (e.g., Maltese) ensures that the due paperwork (i.e., proving that casino games are functioning according to their certification) is taken care of. So yes, national gambling authorities usually are the ones who protect people from scammers.

  • sudneo@lemm.ee to Programmer Humor@lemmy.ml · Lemmy today
    4 months ago

    > They run rigged games in predatory ways.

    I don’t know what you mean by this. Games have a fixed margin which is usually disclosed or can be computed (exactly like the 0 and 00 in roulette skew the odds in the house’s favor if you want to do just black/red). There are then whole chapters in national regulations about random number generators to ensure the odds are correct and the games are not rigged (i.e., a game certified for 98% should have that outcome). Are games designed to have the house win a 2, 5, 7, 9% margin? Sure, but this is out there in the open; there is nothing to “rig”, in the same way that having 0 or 00 is not “rigging” a game of roulette.

    > They happily let organised crime launder money for a cut.

    At least in Europe, you get audited quite often and AML regulations are very tight. Laundering money via online gambling companies with their cooperation seems quite unlikely to me (and inefficient, possibly, but I don’t know).

    > They fight regulations designed to reduce problem gambling.

    Some do, but not all, and not in all cases. Addicts are bad for business for gambling companies, or at least for some of them, moderate long-term customers are generally better (and require way less effort).

    I don’t know what you know about gambling. I definitely think that the ethics are questionable, and I left the industry when I could also for those reasons, but the company I worked for was not very bad in this regard. Maybe you worked/had experience with some of the shady ones (like those who operate in illegal markets using a single license from a random tiny country)?