The thing is, ownership of any of these can change at any time. Bitwarden, Mullvad, and Tutanota could be sold to very different owners.
That is up to and including something like uBlock Origin, which only has one developer, and would suddenly be very different if that developer died and the project had to be forked.
You can never trust that the person who takes on the reigns has the same ideals as the people running them now.
Hell, Mullvad was abused to the point they removed access to Port Forwarding on their VPN service, which has led to many people needing to switch to crummier, shadier VPNs that still offer port forwarding access. That's not Mullvad's fault, but it is an example of them having to change their philosophy and what they offer because of abuse.
Trust should only go so far, and loss of trust should be very easy. There's not a good reason to keep "trusting" something when it has fundamentally changed from its initial ideals.
Hell, Mullvad was abused to the point they removed access to Port Forwarding on their VPN service, which has led to many people needing to switch to crummier, shadier VPNs that still offer port forwarding access. That’s not Mullvad’s fault, but it is an example of them having to change their philosophy and what they offer because of abuse.
Hell, Mullvad was abused to the point they removed access to Port Forwarding on their VPN service, which has led to many people needing to switch to crummier, shadier VPNs that still offer port forwarding access.
Unfortunately port forwarding also allows avenues for abuse, which in some cases can result in a far worse experience for the majority of our users. Regrettably individuals have frequently used this feature to host undesirable content and malicious services from ports that are forwarded from our VPN servers. This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us.
The result is that it affects the majority of our users negatively, because they cannot use our service without having services being blocked.
The abuse vector of port forwarding has caught up with us, and today we announce the discontinuation of support for port forwarding. This means that if you are a user of forwarded ports, you will not be able to add or modify the ports you have in use.
They made a smart call that has probably increased the long term privacy of their users.
People were using port forwarding to host illegal shit, and governments were getting pissed off about it. Mullvad has been able to prove in court that they don't keep logs, but that's not a perfect deterrent; a properly motivated government, perhaps if somebody is using Mullvad to host CSAM, might attempt to legally force Mullvad to put logging in and add anti-canary clauses.
Preventing port forwarding keeps customers as consumers rather than hosters, and avoids this issue.
Five and eleven eyes doesn't matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws comparing to Germany? It's all marketing bluff.
A single IP address, which would mean nothing with VPN use. Germany is literally part of the spying eyes. That is the difference here. Proton giving out one address vs the surveillance network of a NATO state?... Lol
So why are my German relatives super-scared of pirating because of the government finding out, and get me to torrent all their shit for them and mail it to them on cheap hardrives?
Correction: It's not the government, it's private law firms doing this. Your IP is public when you torrent, they just have bots monitoring the most active trackers and try to extort money from the people they catch.
And that proves what exactly? Swiss law required them to hand over an IP address. Swiss ptivacy is not absolute. They have laws. An IP address didn't grant them access to the encrypted emails. Proton openly admits they had no idea who the user was. The activist should have used a VPN, which Proton also offers as a service, and then whatever activity trail they linked to the IP would have died at Proton's VPN network.
Five and eleven eyes doesn't matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws comparing to Germany? It's all marketing bluff.
keepass is a different paradigm. it uses a locally encrypted file. many frontends for it (use keepassxc and keepassdx). dont have to rely on some 3rd party, even if they say they have e2ee. theres no better privacy (and security) for an app than not using it with the internet. im not too concerned about ui for pw manager personally, the less time i spend w it unlocked the better. only (slight) problem for me: multi device usage (i just copy the file onto my phone occasionally). general rule of thumb: if it can be selfhosted, it is best to.
i think bitwarden is the best one of its type, it comes down to your needs and threat model
I really like the cross device sync, even tho it's a security risk of course. also, I don't know anything about self hosting (might get into it when I got the time), so bitwarden might be the best pw manager for my requirements rn.
You can selfhost bitwarden, there's also vaultwarden, an open bitearden api implementation. You could host this on an internal-only server.
But you also can sync your single password file with a lot devices and use keepass, I just find that a bit annoying. You also cannot share some passwords with your relatives easily that way.
Hey it's fine if you trust them, it's a very convenient service and from what I found it's pretty secure, since there's no way to recover logins if you forget your master pass. But i personally don't like the idea of having passwords on someone else's server and I'm too stoopid to set-up my own instance on a docker container server thingy. Syncthing just works for me, got GUI and everything.
You do also kind of put all your eggs in one basket so to speak though. I don't have anything against Proton and the pricing makes sense if you value all their services and pay for Ultimate (though by my estimate, less sense if you are only looking for a smaller handful of services). However, if you go fully into Proton for everything, you're placing your trust into an entire stack of services and it can end up a single point of failure.
I trust their privacy claims but if you backup your email and calendar you can just as easily move elsewhere if Proton does go down. Having only one provider can make things a lot easier to manage.
Still can't bring myself to use proton pass. I'll be much happier when proton drive better integrates with desktop machines as well but calendar, VPN, email and the bonus simplelogin premium are way too useful.
I already know both Videos and i am still convinced that ProtonMail is the best Mail provider. Them giving the IP Address to the French authorities "for no reason" is a claim I hear parroted a lot, but it's simply not true. Also, if the French activist had used Tor or even just the free tier of ProtonVPN they wouldn't have to worry about any of that, so it all comes down to bad opsec
Proton wouldn't have to disclose the real IP from anyone using their VPN, you can read their Blog-Post on that here. I think they fixed the next point, but why wouldn't it redirect to a clearnet site? You are already using tor, hopefully on the "Most Secure" setting, so why would you care? VPNs can be secure (like proton or, even better, mullvad), but I agree that most of them aren't. I also agree that E-Mail was not designed to be secure, but that doesn't mean that it can't be. PGP exists, and since proton is heavily pushing for you to use it, I think it's okay to use their service.
Cock.li is a nice Mail provider with a not so nice owner and while the philosophy behind it is pretty cool it's AFAIK also on every spamlist possible. Also the domains are, aside from airmail.cc, just not good for any professional usecase
The lock in and the lies. The first being your inability to read your emails in another client. Second is the lie that it's secure when email is inherently not second. It's making a false promise.
Oh and I forgot the new issue, being that you can't zoom mail, which is infuriating.
Disclaimer: I pay for Tutanota and have for a few years. But I'm tired of it. Will switch to another season once K-9 becomes Thunderbird for Android
As a US consumer, I can't use a lot of these VPNs. When you dig into how local governments are trying to break encryption in many countries overseas it makes you slow to sign up for services. The worst case would be you use a service, get invested and a few weeks later new legislation you're not following/in the know about gets passed and some of your data is now in some foreign governments jurisdiction more so than it was before.
It's not that Germany or Sweden in particular do that today but I also haven't quite looked into its bounds, if five-eyes alliance reaches them, etc. There is a lot you have to be cognizant of.
Also I like Bitwarden but Vaultwarden is the way to go; just make sure to donate/pay somehow for bitwarden if you use its clients.
just a side note for everyone out there that uses bitwarden: you can reset your password with just your email. that means the admin can see your passwords. The only 3 upstream password managers that don't have that "feature" are 1Password, lastpass and keypass (not counting gpg-based script in bash n friends). Lastpass is obviously a mediocre solution (too many breaches), keypass isn't for everyone (UX). 1Password is a very solid solution and it has public security audits
I've got nothing with agilebits/1Password - i just use it after spending days researching (also I'm a former IT security engineer)
Bitwarden can't find or change your password, and their admins absolutely can't see them either.
You're talking about the "admin password reset" feature offered to organizations (and which doesn't concern lambdas users at all), which must be explicitly activated and which allows admins not to see our password, but to trigger a password reset with notification to the user.
Once the password has been reset, all you have to do is change it, and nobody else has access to it.
If that were true that it wouldn't be just a side note because it would render the whole Bitwarden product useless. It'd pretty much mean that they are not encrypting passwords at all, so even worse than infamous LastPass. But as the other comment pointed out, it's pretty much not like that.
Been using Bitwarden since it was on horrendous light blue theme, and I'm fully aware that users cannot easily reset their master password through email ever since.
The thing is, ownership of any of these can change at any time. Bitwarden, Mullvad, and Tutanota could be sold to very different owners.
That is up to and including something like uBlock Origin, which only has one developer, and would suddenly be very different if that developer died and the project had to be forked.
You can never trust that the person who takes on the reigns has the same ideals as the people running them now.
Hell, Mullvad was abused to the point they removed access to Port Forwarding on their VPN service, which has led to many people needing to switch to crummier, shadier VPNs that still offer port forwarding access. That's not Mullvad's fault, but it is an example of them having to change their philosophy and what they offer because of abuse.
Trust should only go so far, and loss of trust should be very easy. There's not a good reason to keep "trusting" something when it has fundamentally changed from its initial ideals.
It's a real shame too. It was a nice feature.
Could you explain what happened?
As clear as I can make it out, it seems like it was related to a search warrant that was executed on Mullvad.
https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/
Because just a little over a month after the news of the failed raid, there was news of them removing port forwarding.
https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports/
Emphasis mine.
They made a smart call that has probably increased the long term privacy of their users.
People were using port forwarding to host illegal shit, and governments were getting pissed off about it. Mullvad has been able to prove in court that they don't keep logs, but that's not a perfect deterrent; a properly motivated government, perhaps if somebody is using Mullvad to host CSAM, might attempt to legally force Mullvad to put logging in and add anti-canary clauses.
Preventing port forwarding keeps customers as consumers rather than hosters, and avoids this issue.
Same thing just happened with IVPN :-\
bruh, i can't be the only one confused why state farm's drive safe app was being touted...
Okay buddy
My brain saw Adobe Flash. Was about to have some bad news for OP
Ah, the new pokemon game that just came out.
the mole creates the tunnel for the road, and the shield is for the travelers' protection
Why do you trust a Germany based secure email over something like Proton? At least Mullvad is Sweden based.
Here is an alternative Piped link(s): https://piped.video/watch?v=IeXaYR4ed9c
https://piped.video/watch?v=QCx_G_R0UmQ
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
Because in Germany we value privacy and the protection of personal data
Not more than the Swiss. Germany is part of the spy dragnet. It does not offer the same level of privacy protection.
Five and eleven eyes doesn't matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws comparing to Germany? It's all marketing bluff.
A single IP address, which would mean nothing with VPN use. Germany is literally part of the spying eyes. That is the difference here. Proton giving out one address vs the surveillance network of a NATO state?... Lol
So why are my German relatives super-scared of pirating because of the government finding out, and get me to torrent all their shit for them and mail it to them on cheap hardrives?
Correction: It's not the government, it's private law firms doing this. Your IP is public when you torrent, they just have bots monitoring the most active trackers and try to extort money from the people they catch.
Piracy is not privacy
Sure. Ask the CCC...
https://www.engadget.com/protonmail-climate-activist-ip-swiss-french-authorities-233004304.html
Europol requested it. Even though you think your service is not under 14 eyes there still is gonna be many other problems.
You can always find problems with the service itself.
And that proves what exactly? Swiss law required them to hand over an IP address. Swiss ptivacy is not absolute. They have laws. An IP address didn't grant them access to the encrypted emails. Proton openly admits they had no idea who the user was. The activist should have used a VPN, which Proton also offers as a service, and then whatever activity trail they linked to the IP would have died at Proton's VPN network.
Protonmail then went to court, and got the law changed so it doesn't happen again https://www.reuters.com/technology/proton-wins-swiss-court-appeal-over-surveillance-rules-2021-10-22/
Five and eleven eyes doesn't matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws comparing to Germany? It's all marketing bluff.
Selfhosting an email is very hard but I think that at the end it’s worth it
Until Gmail/Hotmail decides your IP is a spammer and forever you have deliverability issues from then on
Interesting, is this a wild spread problem? I have heard of people that host email services for years and have no problems.
Here is an alternative Piped link(s): https://piped.video/watch?v=IeXaYR4ed9c
https://piped.video/watch?v=QCx_G_R0UmQ
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
KeePass is also a good password manager, it's open source and you get to store the password database anywhere you like.
I have bitwarden and mullvad, but what's the other one?
It’s Tutanota, an email service
keepass > bitwarden
vpn providers should be reviewed regularly
email is inherintly insecure/non-private, self hosted is best
why do you prefer keepass to bitwarden? has it better privacy or is it just a personal preference because you like the UI more for example?
keepass is a different paradigm. it uses a locally encrypted file. many frontends for it (use keepassxc and keepassdx). dont have to rely on some 3rd party, even if they say they have e2ee. theres no better privacy (and security) for an app than not using it with the internet. im not too concerned about ui for pw manager personally, the less time i spend w it unlocked the better. only (slight) problem for me: multi device usage (i just copy the file onto my phone occasionally). general rule of thumb: if it can be selfhosted, it is best to.
i think bitwarden is the best one of its type, it comes down to your needs and threat model
Idk if anyone else mentioned this but bitwarden can be selfhosted.
good point!
I use syncthing to sync my KeePass file, and I highly recommend it. Very easy to set up
I really like the cross device sync, even tho it's a security risk of course. also, I don't know anything about self hosting (might get into it when I got the time), so bitwarden might be the best pw manager for my requirements rn.
It's possible to sync keepass using syncthing, i use it that way.
not on iOS, at least last I looked into it.
Well I have both my kidneys. Edit: there's a fork of it on the app Store called Möbius sync.
sorry i didnt mention but yeah like the other reply says u can absolutely sync, i just personally prefer not to
Many use syncthing to sync their keepass files I personally just use my nextcloud
Mainly cuz it doesn't store your passwords on someone else's computer.
You can selfhost bitwarden, there's also vaultwarden, an open bitearden api implementation. You could host this on an internal-only server. But you also can sync your single password file with a lot devices and use keepass, I just find that a bit annoying. You also cannot share some passwords with your relatives easily that way.
Hey it's fine if you trust them, it's a very convenient service and from what I found it's pretty secure, since there's no way to recover logins if you forget your master pass. But i personally don't like the idea of having passwords on someone else's server and I'm too stoopid to set-up my own instance on a docker container server thingy. Syncthing just works for me, got GUI and everything.
Totaly valid choice!
its more user friendly. Just a file you have to have. You can encrypt that double and tripple on bitwarden nope.
You do also kind of put all your eggs in one basket so to speak though. I don't have anything against Proton and the pricing makes sense if you value all their services and pay for Ultimate (though by my estimate, less sense if you are only looking for a smaller handful of services). However, if you go fully into Proton for everything, you're placing your trust into an entire stack of services and it can end up a single point of failure.
I trust their privacy claims but if you backup your email and calendar you can just as easily move elsewhere if Proton does go down. Having only one provider can make things a lot easier to manage.
Still can't bring myself to use proton pass. I'll be much happier when proton drive better integrates with desktop machines as well but calendar, VPN, email and the bonus simplelogin premium are way too useful.
Here is an alternative Piped link(s): https://piped.video/watch?v=IeXaYR4ed9c
https://piped.video/watch?v=QCx_G_R0UmQ
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
For anyone still using Mullvad and wants port-forwarding, I recommend AzireVPN.
Good list! I use all of them too.
I don't get what you mean, Mullvad supports port forwarding
They very recently stopped supporting it.
According to this blog post, they don't seem to 🙂 https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports/
I trust bitwarden, but android app doesnt trust me!
wdym?
One of these is Bitwarden. What are the other two?
Mullvad, Tut(o/a)nata
I might swap bitwarden by passbolt as it uses a more recent programming stack, although vaultwarden looks to be a good alternative too.
No love for KeePass?
That mole is sus to me, I am more like into Snakedragons.
I heard it was a mythical creature
mine is larger for sure
Translation of the logos?
bitwarden (password manager) top, mullvad (vpn) left, tutanote (email provider) right
Thx!
tutanota is terrible though
Tutanota is one of the few good E-Mail services that i can think of, what's so terrible about tutanota?
Here is an alternative Piped link(s): https://piped.video/watch?v=IeXaYR4ed9c
https://piped.video/watch?v=QCx_G_R0UmQ
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
I already know both Videos and i am still convinced that ProtonMail is the best Mail provider. Them giving the IP Address to the French authorities "for no reason" is a claim I hear parroted a lot, but it's simply not true. Also, if the French activist had used Tor or even just the free tier of ProtonVPN they wouldn't have to worry about any of that, so it all comes down to bad opsec
Proton wouldn't have to disclose the real IP from anyone using their VPN, you can read their Blog-Post on that here. I think they fixed the next point, but why wouldn't it redirect to a clearnet site? You are already using tor, hopefully on the "Most Secure" setting, so why would you care? VPNs can be secure (like proton or, even better, mullvad), but I agree that most of them aren't. I also agree that E-Mail was not designed to be secure, but that doesn't mean that it can't be. PGP exists, and since proton is heavily pushing for you to use it, I think it's okay to use their service.
Cock.li is a nice Mail provider with a not so nice owner and while the philosophy behind it is pretty cool it's AFAIK also on every spamlist possible. Also the domains are, aside from airmail.cc, just not good for any professional usecase
The lock in and the lies. The first being your inability to read your emails in another client. Second is the lie that it's secure when email is inherently not second. It's making a false promise.
Oh and I forgot the new issue, being that you can't zoom mail, which is infuriating.
Disclaimer: I pay for Tutanota and have for a few years. But I'm tired of it. Will switch to another season once K-9 becomes Thunderbird for Android
As a US consumer, I can't use a lot of these VPNs. When you dig into how local governments are trying to break encryption in many countries overseas it makes you slow to sign up for services. The worst case would be you use a service, get invested and a few weeks later new legislation you're not following/in the know about gets passed and some of your data is now in some foreign governments jurisdiction more so than it was before.
It's not that Germany or Sweden in particular do that today but I also haven't quite looked into its bounds, if five-eyes alliance reaches them, etc. There is a lot you have to be cognizant of.
Also I like Bitwarden but Vaultwarden is the way to go; just make sure to donate/pay somehow for bitwarden if you use its clients.
just a side note for everyone out there that uses bitwarden: you can reset your password with just your email. that means the admin can see your passwords. The only 3 upstream password managers that don't have that "feature" are 1Password, lastpass and keypass (not counting gpg-based script in bash n friends). Lastpass is obviously a mediocre solution (too many breaches), keypass isn't for everyone (UX). 1Password is a very solid solution and it has public security audits
I've got nothing with agilebits/1Password - i just use it after spending days researching (also I'm a former IT security engineer)
It's so out of context it's almost untrue.
Bitwarden can't find or change your password, and their admins absolutely can't see them either.
You're talking about the "admin password reset" feature offered to organizations (and which doesn't concern lambdas users at all), which must be explicitly activated and which allows admins not to see our password, but to trigger a password reset with notification to the user.
Once the password has been reset, all you have to do is change it, and nobody else has access to it.
https://bitwarden.com/help/forgot-master-password/
https://bitwarden.com/help/account-recovery/
If that were true that it wouldn't be just a side note because it would render the whole Bitwarden product useless. It'd pretty much mean that they are not encrypting passwords at all, so even worse than infamous LastPass. But as the other comment pointed out, it's pretty much not like that.
No you can't reset your bitwarden master password with just an email. I invite you to try and let is know how it went.
Been using Bitwarden since it was on horrendous light blue theme, and I'm fully aware that users cannot easily reset their master password through email ever since.