
I looked into this a while back and it was quite complicated. If you're used to hosting your own infra, it may not be a big deal, but it's definitely not a simple task for even an advanced desktop user. I ended up choosing KeePassXC, which just uses a dumb file on disk that I sync with Git.





Not to be rude, but Vaultwarden setup is fairly straightforward for an advanced user:

1. Point your domain's DNS to server

2. Run a reverse proxy with LetsEncrypt integration (Caddy, NGINX Proxy Manager, Traefik, etc)

3. Run the Docker command

https://github.com/dani-garcia/vaultwarden
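The three steps above as one working configuration, added here as an example (not from the thread and not the vaultwarden project's own files); it assumes the hostname vault.example.com already resolves to the host (step 1) and that ports 80 and 443 are reachable so Caddy can complete the Let's Encrypt challenge.

```yaml
# docker-compose.yml (added example; vault.example.com is a placeholder hostname)
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.example.com"   # must match the public URL the clients use
      SIGNUPS_ALLOWED: "false"              # create your own account first, then lock signups
      # ADMIN_TOKEN is left unset: the /admin page stays disabled unless you need it
    volumes:
      - ./vw-data:/data                     # SQLite db, attachments and RSA keys live here: back it up
    # deliberately no "ports:" entry, so only Caddy can reach it over the compose network

  caddy:
    image: caddy:2
    container_name: caddy
    restart: unless-stopped
    # Caddy obtains and renews the Let's Encrypt certificate for --from automatically
    command: caddy reverse-proxy --from vault.example.com --to vaultwarden:80
    ports:
      - "80:80"     # HTTP-01 challenge and redirect to HTTPS
      - "443:443"
    volumes:
      - ./caddy-data:/data                  # persists the ACME account and issued certificate
    depends_on:
      - vaultwarden
```

Vaultwarden only serves the web vault over HTTPS, so the TLS termination in Caddy is required rather than optional; keep ./vw-data in the backups the thread mentions below.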


I don't disagree with you, but a lot of people don't understand any of those steps. 3 is the step most people will understand, I think you can understand that LetsEncrypt can be confusing the first time, and well... DNS... that's notorious for people being confused on.

What people consider "advanced user" varies quite a bit and there are a lot of subdomains in computing. (Though maybe the term is also degrading...)


> "Point your domain's DNS to server"

A lot of advanced users don't have servers, and they don't want to expose their desktop or an appliance to the internet. Moreover, are you going to trust your precious password information on a leased server run by Linode or whoever?

On topic, I use Bitwarden, but their changes to the iOS application are very annoying. I've been logged out repeatedly (at least once per week) and it keeps requiring me to input my password, without any way to reduce the overhead. It's so frustrating that I've been considering switching to the native iOS password app; if it was available on Linux, I would bid farewell to Bitwarden.


I had issues with this (new iPhone user and ... well... I'm having fun...)

A problem I had was my encryption settings. Definitely I am a bit overkill[0], but this might be worth checking. I use Argon2 and tried to find the max settings I could use on my iPhone 16. Make sure the KDF memory is lower than 256MB. Keep iterations low (<=10) and parallelism not too high (4 seems about right). So do something like 128MB, 8 iterations, 4 parallel and you'll be good. If this Reddit post is anywhere near accurate, it should cost in the tens of millions of dollars to crack your master passphrase[1]. But users there also are saying they can get higher settings, so YMMV. (BTW, these settings should be changed from the Bitwarden website)

[0] Philosophy has always been: make it as secure as possible without being meaningfully impactful. Which is always above the standard security levels.

[1] https://www.reddit.com/r/Bitwarden/comments/1167rwm/pbkdf2_v...


You don't even need to have your DNS turned on or run a reverse proxy - how often are passwords updating? My instance is local network only and the phone, desktop, and Chromium extensions sync when I'm at home.

Plus backups, which you want to ensure are solid for data like this.

This is my issue with hardware keys too. It's been unclear to me how I have a backup and what's the best way to ensure that that backup is constantly in sync.

Plus, is a website going to support it? So many websites are shifting to OAuth, and making it the __only__ form of authentication. I really don't like this AND they usually only support a very limited set of authorities which is almost exclusively "Google and Apple", so I can't even run my own. The fuck is the "O" mean in "OAuth" then?! (╯°□°)╯︵ ┻━┻ I'm trying to __reduce__ my (meta-)data exposure, not increase it!

Like good god, I don't know if it is a conspiracy or stupidity that's causing all this centralization and I'm not sure there's a meaningful difference. (unintentional or implicit conspiring rather than explicit)

This is Hacker News, surely there are people here that are fighting/pushing back. It's unclear to non-security experts like me how to actually do this besides not using a service (far easier said than done. These choices are often forced upon people)



