zxcvbn VS awesome-selfhosted

Lightweight is an understatement here.

A client's project (with not necessarily technical customers) has had pretty reasonable success using the Dropbox originated library[1] for this, `zxcvbn`[2], on both frontend via js (for "instant" feedback) and on the backend via php (to enforce the requirements when writing password hashes to the database)

1: https://dropbox.tech/security/zxcvbn-realistic-password-stre...

2: https://github.com/dropbox/zxcvbn

use zxcvbn to check your password strength more thoroughly

source if anyone wants the whole list https://github.com/dropbox/zxcvbn/blob/master/data/passwords.txt

Password strength is evaluated based on the zxcvbn library.

In contrast, let's consider the password "zxcvbn214". How might we assign an entropy to this password? Is it 369? Or 266 * 103? Anyone familiar with a QWERTY keyboard or Dropbox's password strength estimator knows that "zxcvbn" is hardly a random sequence of letters. This same principle applies to "l33t" speak, e.g. replacing all "e"s with 3s and "a"s with 4s. These strategies may "trick" simple entropy calculations into estimating a high entropy, but it won't trick sophisticated attackers. This leads to strength over-estimation, which is, I argue, the worst thing we can do in this context.

> except for ZXCVBN

You mean the Low-Budget Password Strength Estimator?

https://github.com/dropbox/zxcvbn

Yeah, that name is totally legit.

For any part of the password that the zxcvbn cannot match to a known pattern, it uses a brute-force cardinality of 10, i.e., it estimates that the number of guesses required to crack a password or password segment of length N is equal to 10N (equivalent to the number of guesses required to exhaust all possibilities if your password consisted only of numbers).

We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.

Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.

That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.

The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.

1 - https://github.com/envkey/envkey

2 - https://github.com/dropbox/zxcvbn

None of these lists ever seem to be as fleshed out, up to date, or well organized as https://github.com/awesome-selfhosted/awesome-selfhosted , though imo any more attention on the self hosted scene is awesome. We're now self hosting everything at my co-op, and it's a dream. Saves us money, provides learning opportunities, potentially is getting us work (managed hosting providers asking if we can be a devshop for their clients, for example), and lets us give back to the FOSS community as we uncover bugs.

We use:

* Matrix / Synapse for comms (slack alternative) (managed hosting through etke.cc)

There are a ton of resources about HW aspects of home labs for beginners but not so much for what to run on them and why. There are lists like https://github.com/awesome-selfhosted/awesome-selfhosted but they are confusing for absolute beginners like me. Are there any good SE project guides you know?

This[1] seems like a well maintained repo.

And thank you for the pointers, we'll try to get ourselves added here :)

[1]: https://github.com/awesome-selfhosted/awesome-selfhosted

I've always felt like FOSS as a philosophy has been tangled up in trying to participate effectively in capitalism, when that was never really the point, nor really very possible unless you're lucky, nor really worth it. The origin of FOSS as I understand it from reading books like "Hackers" is from people that were mad that access was being restricted to systems and code from people that really wanted to use these systems and code, and hack them, and learn from them. I recall that one of the things Stallman likes to brag about from that time is not related to FOSS at all, but instead successfully decrypting a bunch of passwords, emailing the decrypted passwords to people, and recommending they instead set the password to an empty string instead. It was about keeping access to the system Free as in Beer.

I suppose some have argued that FOSS represents a Public Commons in the way that fields and wells and physical markets used to, but none of those things survived capitalism, so I don't see why a technological commons should be expected to either.

For me I've been thinking lately that perhaps those interested in FOSS should instead consider how we can use FOSS to detach ourselves from needing to participate in global capitalism at all. Is there FOSS technology we can use to liberate people from things they need to spend money on right now? An example could be the Global Village Construction Set: https://www.opensourceecology.org/gvcs/ a set of open source designs for things like hydraulic motors or microcombines or steam engines that you can build on your own, usually not for cheap, but for far, far cheaper than you could buy from John Deere. Here's another cool project, some guy has just been building things like solar panels and basic circuit boards on his property from very base components for years: https://simplifier.neocities.org/

Some other FOSS liberation examples:

Combining a tool like Jellyfin with Sonarr, Radarr, and etc, can liberate people from their 5 different media subscriptions. Or at least they can still buy DVDs and put them on Jellyfin to have the convenience of streaming with the media library of their own choosing.

Deploying Matrix or another FOSS communication tool can let organizations have enterprise-level communication software without paying HUGE seat-based license fees to corporations like Slack.

In fact there's many ways to liberate yourself from paid SaaS in this list: https://github.com/awesome-selfhosted/awesome-selfhosted at my co-op we self-host and deploy all our services for this reason, it saves us a TON of money.

I don't have many other examples to mind because this is something I'm actively still researching. Friends in Venezuela though especially tell me how FOSS technology can liberate in ways I wouldn't expect here with my 64gb RAM machine with the latest processor, that I can easily replace components on on a whim. Such as how they can keep all their broken down machines pieced together from junkyards running pretty ok on various linux distros, and how they can sell creative work using free tools like gimp (no, really) or darktable. Like as not they'll just pirate software, though, but apparently FOSS often runs better on shitty hardware.

Anyway my long term plan is to find or build more and more things that let people just not spend money on things anymore. That could be by making it easier to not have to throw things away anymore, or building tools to replace proprietary ones, or, idk, other ways I haven't thought of.

Dashboard in what sense? Is this what you had in mind or no?

https://github.com/awesome-selfhosted/awesome-selfhosted#per...

I often skim through various "awesome lists" (e.g. [1]) and communities interested in open source apps like r/selfhosted [2]

[1] https://github.com/awesome-selfhosted/awesome-selfhosted

[2] https://www.reddit.com/r/selfhosted/

1. https://nextcloud.com/ https://proton.me/drive https://github.com/awesome-selfhosted/awesome-selfhosted#fil...

2. Download all data locally then upload elsewhere.

3. https://help.dropbox.com/security/privacy-policy-faq#7.-How-...