<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="https://joelchrono.xyz/feeds/privacy.xml" rel="self" type="application/atom+xml" /><link href="https://joelchrono.xyz/" rel="alternate" type="text/html" /><updated>2026-05-09T12:47:01-06:00</updated><id>https://joelchrono.xyz/feeds/privacy.xml</id><title type="html">joelchrono’s blog</title><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><entry><title type="html">Getting lazy on account management</title><link href="https://joelchrono.xyz/blog/getting-lazy-on-account-management/" rel="alternate" type="text/html" title="Getting lazy on account management" /><published>2024-08-16T17:50:22-06:00</published><updated>2024-08-16T17:50:22-06:00</updated><id>https://joelchrono.xyz/blog/i-getting-lazy-on-account-management</id><content type="html" xml:base="https://joelchrono.xyz/blog/getting-lazy-on-account-management/"><![CDATA[<p>Years ago, I used to be a bit of a security and privacy enthusiast. I like to think that I still follow many good practices and measures to live a good, responsible internet life. However, there are many other aspects of this that I kind of stopped caring about.</p>

<p>Don’t get me wrong, I will still use different passwords and enable 2FA for 95% or so of the accounts and websites I use. But there are other things I stopped doing, and while I know I should probably put more effort into them, I just haven’t bothered.</p>

<p>For example, <strong>using email aliases</strong> is something I don’t really do except for very specific use cases. Most of the time I use one of 5 or 6 legit emails instead of trying to use one of the services I literally <em>already used</em>, such as <a href="https://relay.firefox.com/">Firefox Relay</a>, <a href="https://simplelogin.io">SimpleLogin</a> or at least <a href="https://duckduckgo.com/email">DuckDuckGo’s</a>.</p>

<p>Another thing I should really do is <strong>delete my unused accounts</strong>. This was <a href="/blog/cleanup-your-pwmanager/">one of my first blogposts</a>, and it’s kind of nostalgic looking back at younger me writing so enthusiastically about having a responsible digital life or whatever. I would love it if you guys checked it out as well, it still has some good advice!</p>

<p>Despite it all, one of the things I still manage to do sometimes is <strong>keeping my family members’ accounts in check</strong>. Ever since <a href="/blog/moving-my-parents-towards-security-and-foss/">I moved my parents to using more FOSS</a> like a password manager, they have managed to keep at it, and when they move devices I usually help them retrieve the important info from them as well.</p>

<p>My password manager of choice is still <a href="https://keepassxc.org">KeepassXC</a>. At some point <a href="/blog/pass-unix-manager/">I was using pass</a>, but those days are long gone now. I have a few too many devices and managing PGP can be a bit annoying. I still use pass in some scripts, but nowhere near as often as before. I think it’s still a pretty neat password manager to be honest, maybe I’ll revisit it…? Nah. I’m good.</p>

<p>This is day 66 of <a href="https://100daystooffload.com">#100DaysToOffload</a></p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="security" /><category term="privacy" /><category term="foss" /><summary type="html"><![CDATA[Back in the day I was very much into security, privacy and such, but over time things tend to change and that is the case for my password vault...]]></summary></entry><entry><title type="html">Private messaging</title><link href="https://joelchrono.xyz/blog/private-messaging/" rel="alternate" type="text/html" title="Private messaging" /><published>2022-01-24T18:05:32-06:00</published><updated>2022-01-24T18:05:32-06:00</updated><id>https://joelchrono.xyz/blog/private-messaging</id><content type="html" xml:base="https://joelchrono.xyz/blog/private-messaging/"><![CDATA[<p>When I got started with Android and customization, I always loved the idea of alternative platforms. I never settled for the defaults, regardless of the phone or device I used, in any aspect. My favorite kinds of apps were the alternatives to the default. Back then I didn’t care that much about FOSS, so apps like QuickPic, Dolphin Browser, Telegram, Imagine for Instagram and a lot of others were usually installed on my phone, simply because I liked using something else, especially if it meant it was better, which was the case with most of them when compared to the more popular options and official clients.</p>

<p>From there to nowadays, a lot of things have changed. I don’t care about features as much as I care about the freedoms that software and services allow me to have over the code, as well as my own data.</p>

<p>When it comes to messaging, there are now a lot more options that can be compelling even for users who don’t particularly care about their privacy (even though they should), since they also provide most of the features that the popular apps which don’t respect our freedoms offer.</p>

<h1 id="telegram">Telegram</h1>

<p>Telegram was the first messaging app I tried that wasn’t Whatsapp, and I really liked how it worked. When I started using it I didn’t really know how important encryption is, I just assumed that the people behind it wouldn’t lie, and since the YouTube channel recommended it, then it must be good.</p>

<p>Of course, there are a lot of opinions regarding how Telegram doesn’t use E2EE by default, and how they have access to all of your messages, but I still give it some benefit of the doubt since I have yet to see a news article mentioning a data breach of their servers or anything like it.</p>

<p>The truth is that the features it offers are simply great. I personally now only use it for chat groups (which shouldn’t be considered private anyways), channels, and for quick file sharing to myself or family who have it installed.</p>

<p>I don’t know why nobody has tried to fork Telegram’s UI and apply a different protocol or backend to it, it shouldn’t be that hard, <em>right</em>?</p>

<h1 id="signal">Signal</h1>

<p>I really like Signal in principle, but I am not a fan of their crypto business. I just can’t get anyone to install it, and that’s probably my fault due to the time I already spent trying to convince my friends and family to switch to Telegram back when I still was trying to use it for personal messaging.</p>

<p>This app really needs usernames, because there is no other reason to use it otherwise, at least in my case. The moment they do, I honestly have no problem ditching Telegram (for personal messaging) and probably sticking to a fork client that doesn’t include any of the crypto nonsense.</p>

<h1 id="matrix">Matrix</h1>

<p>Matrix is growing more and more. It is actually a protocol that can be used by any software working as a client. I really like it, but the apps that use it are not to my liking: Element, which is the recommended client, is simply too slow and unresponsive for me, and it tries too hard to look and feel like Discord.</p>

<p>The ability to host your own matrix server is awesome, but it comes with some problems too, since you are not only relying on your own server, but also on the server that hosts your friend or family. For all you know they haven’t even enabled HTTPS or something dumb like that. But if they are not self-hosting, then they are probably using matrix.org, just like 99.9% of matrix users, which means that decentralization isn’t really a thing, and there is a lot of metadata that can still be obtained from it.</p>

<p>A lot of its sponsors are also into crypto stuff, and I wouldn’t be surprised if the project starts becoming even more bloated than it already is.</p>

<h1 id="xmpp">XMPP</h1>

<p>I know a lot of people don’t even know this, even among the couple of readers I have, but somehow XMPP is the place where I have had some of the best conversations with people from the Internet. Telegram has always been for groups, I don’t give out my phone number so Signal isn’t for Internet people, and Matrix is also mostly for communities. XMPP is really simple and works both with PGP and OMEMO based encryption, there are quite a lot of good clients to choose from, and it has great multi-platform support. The only thing about it is that it can be a bit too simple if you want stickers and such, and the protocol is quite old, so the codebase is probably quite patched up.</p>

<p>Nevertheless, if you don’t wanna use PGP encrypted email, I would say this is the best way to chat with me privately, unless…</p>

<h1 id="briar">Briar</h1>

<p>This morning I felt quite inspired to try out Briar, a peer to peer communication platform that also works over the Tor network when it needs to. The way it works seems to be incredibly secure, and it’s also not as invested in the crypto world as Signal and Session, another app which is quite similar and which I’ll talk about later.</p>

<p>I decided to do a quick post on Mastodon and invite some people to chat a bit via Briar, and I have to admit, the experiment went a lot better than I thought. I think it’s fairly clear that this app is the most secure and private one of the bunch: there is nothing stored on any server, simply your device and your friend’s. Of course this comes with some caveats, but at least for most conversations, it is pretty good.</p>

<p>The app is also in continuous development, so a lot of features are going to be implemented in the future.</p>

<p>It has some problems, but they are mostly quality of life improvements and some details that make the user experience a bit clunky. Still, it’s a lot better than the last time I used it, quite a while ago.</p>

<p>They recently launched a Linux client, which is super alpha software as of now, since it doesn’t support anything but one to one messages, but it’s a good start!</p>

<p>Some interesting features are Private Groups, where only you can add people, Forums, which are basically private groups where other people can also invite people, and Blogs, which are public posts for everyone to see. You can even add RSS feeds for you to read, and you can “Reblog” them, so your contacts can have access to it, without making any connections to the original website!</p>

<p>I really, really like this app, I will try to use it more often. Make sure to reach out to me if you want my contact link, or I might post it publicly later on my <a href="/contact">contact page</a>.</p>

<h1 id="session">Session</h1>

<p>I kinda didn’t feel like talking about Session, mostly because I felt it was less reliable than Briar and they seem to be as involved with crypto currencies as Signal, if not more. The development is also mainly done in Australia, which is not the place you want your private services to come from. Of course, this is all personal opinion, they still work over Tor and the code is still there for everyone to check, I just don’t feel as comfortable recommending this service compared to the previous mentions for one reason or another.</p>

<p>Of course, I am not against it, I can still use it just fine and I would love it if you can help me find out why it’s not as bad as I believe by leaving a reply or sending me an email. I am open to discussion and changing my opinion if that’s the case.</p>

<h1 id="wrapping-up">Wrapping up</h1>

<p>So yeah, I feel like this was it. As you can see this is not the biggest dive into what makes each of these apps special. I didn’t mention stuff like Threema, Tox or Jami because I don’t actually use any of them to any degree, and I have had at least some experience with the services I actually talked about.</p>

<p>I guess this was it for today! This is post 93/100 for <a href="https://100daystooffload.com">#100DaysToOffload</a></p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="android" /><category term="internet" /><category term="privacy" /><category term="security" /><category term="foss" /><summary type="html"><![CDATA[A quick overview into some of the ways I've used to communicate with family, friends and the internet in a secure and private way]]></summary></entry><entry><title type="html">Android 12</title><link href="https://joelchrono.xyz/blog/android-12/" rel="alternate" type="text/html" title="Android 12" /><published>2022-01-22T19:33:13-06:00</published><updated>2022-01-22T19:33:13-06:00</updated><id>https://joelchrono.xyz/blog/android-12</id><content type="html" xml:base="https://joelchrono.xyz/blog/android-12/"><![CDATA[<p>First of all, this is the <strong>smoothest</strong> transition I have had in <strong>years</strong> since I have been switching custom roms on my phones. I think the last time I had something this relaxing was when I was still using my Galaxy S3 mini.</p>

<p>I am not really sure if it was just the ROM itself, the recovery I used or maybe I have been doing it wrong all this time, but this time I did not have any bootloops, no need to reboot multiple times, no failures while installing Magisk or graphical glitches and overall bugs. Everything simply worked out.</p>

<p>Yes, I did a couple of reboots because that’s what needs to be done when installing Magisk and restoring Migrate backups, but I did not get stuck watching a logo spin or having apps crash as soon as I opened them. Maybe it’s just that my phone is already at such a mature state where roms simply don’t break as easily, or maybe it’s just a result of my experience, where I didn’t immediately go out of my way to get the first Android 12 rom that came out. But regardless, installing this was a breeze, I did not lose any data, a flawless transition from my previous ROM.</p>

<p>I took quite a lot of measures this time, since I was fairly afraid of doing the jump, it always happens when a few months go by and I stick to the same rom for too long.</p>

<p>I copied my Downloads, Pictures, Podcasts, DCIM and other common folders that contained information I deem worthy of salvation, I did backups of app data, I even did a full backup from my recovery (which is Orange Fox in case you are interested).</p>

<p>But none of it was needed at all. Of course that does not mean I won’t do all of this procedure again next time, since you never know what could happen!</p>

<p>Anyways, everything’s fine, I am having fun, and Android 12 looks nice! So let’s go over some of the things about the software itself.</p>

<p>The rom I am using is MSM Extended, it has quite a lot of features. Android 12 has some smooth animations, the theming works great, notifications are a bit bloated but they work, it’s fine overall.</p>

<p>When it comes to Android privacy and roms, I always see everyone recommending Lineage, but I find it incredibly weird that basically nothing else gets mentioned other than Pixel exclusive roms. Besides, privacy is not the only reason there is to switch roms, if you want features, customization, better defaults and the best Android has to offer, there are a lot of options to use, such as Resurrection Remix, Paranoid, Pixel Experience, Dot OS. The list keeps going.</p>

<p>Privacy and security are important, but <strong>they are not Android’s strongest field, at all</strong>, so just enjoy the life with the faster, cleaner and most customizable experience smartphones can have. Or well, that’s what I think of this.</p>

<p>This has been day 91 of <a href="https://100daystooffload.com">#100DaysToOffload</a></p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="android" /><category term="ricing" /><category term="linux" /><category term="privacy" /><category term="security" /><category term="review" /><summary type="html"><![CDATA[The latest version of the Android operating system is now running on my device, and here's what I think of it so far.]]></summary></entry><entry><title type="html">Self-hosting Nextcloud</title><link href="https://joelchrono.xyz/blog/self-hosting-nextcloud/" rel="alternate" type="text/html" title="Self-hosting Nextcloud" /><published>2021-12-26T17:00:00-06:00</published><updated>2021-12-26T17:00:00-06:00</updated><id>https://joelchrono.xyz/blog/self-hosting-nextcloud</id><content type="html" xml:base="https://joelchrono.xyz/blog/self-hosting-nextcloud/"><![CDATA[<p>So, as I previously stated, I am very happy I got to have a Raspberry Pi. It is the kind of gadget I would have loved to have earlier in my life to play around with doing cool stuff. Being introduced to Linux some years earlier could have had quite a great impact on my life, and I only wonder what my today could’ve been.</p>

<p>But anyways, I am happy with how things have turned out, since I can still have fun and experiment with what I got today. So since my semester is over and I no longer have an academic use for my Raspi right now, I decided to set it up as a Nextcloud server for my family and personal use.</p>

<p>I have selfhosted a lot of cool services on my Pi <a href="https://fosstodon.org/@joeligj12/106891573076715442">in previous times</a>. Stuff like Radicale, Miniflux or Pi-hole. But because of University, I ended up losing all of them because of some problems that made me have to reinstall my OS, I wasn’t happy about it, but I was running a distro that had some missing packages, so I wouldn’t be able to do my school projects unless I distro-hopped.</p>

<p>The point is, I decided to follow <a href="https://pimylifeup.com/raspberry-pi-nextcloud-server/">this tutorial</a>, and after finally figuring out how to enable PHP8 on my apache server, I got it all working just fine. I won’t be able to really explain everything, but the tutorial covers it quite well and the part of enabling modules is a matter of looking it up (<code class="language-plaintext highlighter-rouge">a2enmod</code> is the command needed).</p>

<p>The problem now was, how do I access it from outside my LAN? I had already said many times that I could not open my router ports since I am behind a NAT, and as such, I can’t really access my public IP and forward ports or stuff like that.</p>

<p>However, I discovered a tool/service called ZeroTier that basically lets me be my own boss and create my own network of devices. I didn’t even need to look up a tutorial to figure out how it works. <del>But if you want one, <a href="https://pimylifeup.com/raspberry-pi-zerotier/">there you go</a></del>.</p>

<p>Now all I had to do was download the app for my phone that works like a VPN and gives me access to my Nextcloud instance from anywhere in the world. The app is FOSS, but it isn’t on F-Droid, so I went with <a href="https://github.com/kaaass/ZerotierFix">a fork of it</a>, just to have it my way and get it via <a href="https://apt.izzysoft.de/fdroid/repo/net.kaaass.zerotierfix_8.apk">IzzyOnDroid’s repo.</a></p>

<p>So yes, I now have my own instance of Nextcloud. Right now I’m only using my SD card to store everything, but I am planning on getting a 2TB external SSD to be able to mount it and get more storage for it.</p>

<p>This is day 66 of <a href="https://100DaysToOffload.com">#100DaysToOffload</a></p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="selfhost" /><category term="raspberrypi" /><category term="project" /><category term="foss" /><category term="privacy" /><category term="degoogle" /><summary type="html"><![CDATA[After my classes using my Raspberry Pi for many handy projects, I decided to now use it as a Nextcloud server, and I might try and set it up for other things as well]]></summary></entry><entry><title type="html">Moving my parents towards security and FOSS</title><link href="https://joelchrono.xyz/blog/moving-my-parents-towards-security-and-foss/" rel="alternate" type="text/html" title="Moving my parents towards security and FOSS" /><published>2021-12-17T17:36:07-06:00</published><updated>2021-12-17T17:36:07-06:00</updated><id>https://joelchrono.xyz/blog/moving-my-parents-towards-security-and-foss</id><content type="html" xml:base="https://joelchrono.xyz/blog/moving-my-parents-towards-security-and-foss/"><![CDATA[<p>So these past couple of weeks I have finally had some free time to do something I’ve been meaning to do for a while: move my parents towards using a password manager. It all started when my dad told me he got an email about him having an insecure password, so he wanted me to help him set up something to fix that.</p>

<p>I decided to kill two birds with one stone and set up both KeepassXC and Syncthing on his phone and laptop, because not only is it cool, it would also allow me to create an extra synced folder between him and me, since we tend to share a lot of files and it’s always a pain sending them either via Email or Telegram, which is what we used to do most of the time. Now all he has to do is drag and drop the files and they will be synced to my device in no time.</p>

<p>KeepassXC is the obvious choice if Syncthing is already there, because it means there is no need to store the file on some server. It’s also really easy to get an idea of all the passwords you have to change, and it gives you some statistics and reports to see how many insecure accounts and duplicate passwords there are. On his Android device I also installed the KeepassDX client, and I enabled multi-factor authentication on a lot of accounts. I still missed quite a few, because a lot of government or public service sites don’t care about security that much here, sadly.</p>

<p>For my mom I decided to go with Bitwarden, for the sake of simplicity. She does not have that many accounts, and she might actually be able to delete a keepass file by mistake just because of the absurd amount of files she has in her laptop. In the end I just changed all her passwords, installed the app in her phone and even recovered some old accounts she had not bothered using.</p>

<p>I also noticed that she actually uses the desktop email client that comes with Windows, which, while kinda decent, is still a Microsoft proprietary product, so I decided to mix it up a bit and install Thunderbird for her.</p>

<p>As far as I could tell she found it pretty nice and the search feature is actually pretty fast and epic. It was quite amazing to see that she had 70,000 emails unread, so I also took care of a lot of those, which were mostly Facebook and Pinterest notifications, because <em>of course they are.</em></p>

<p>I am considering switching her to something like Solus OS, her laptop is from 2013 and has 4GB of ram, it actually feels pretty fast and smooth for how old it is, but that’s mostly because of the SSD we got for it.</p>

<p>Anyways, this was actually a longer post, but I closed neovim by mistake and I had forgotten to save the file. But hey, if this is what got in, it’s because it’s what I considered actually important!</p>

<p>This has been day 63 of <a href="https://100DaysToOffload.com">#100DaysToOffload</a></p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="foss" /><category term="linux" /><category term="family" /><category term="security" /><category term="privacy" /><summary type="html"><![CDATA[I finally decided to force, I mean, move my parents towards using a password manager and some FOSS applications]]></summary></entry><entry><title type="html">Enabling 2FA everywhere ain’t easy</title><link href="https://joelchrono.xyz/blog/enabling-2fa-aint-easy/" rel="alternate" type="text/html" title="Enabling 2FA everywhere ain’t easy" /><published>2021-10-16T20:20:20-05:00</published><updated>2021-10-16T20:20:20-05:00</updated><id>https://joelchrono.xyz/blog/enabling-2-factor-authentication-on-your-accounts</id><content type="html" xml:base="https://joelchrono.xyz/blog/enabling-2fa-aint-easy/"><![CDATA[<p>So ever since <a href="https://joelchrono.xyz/blog/pass-unix-manager/">I switched to pass</a>, I have really enjoyed my time and improved the state of my accounts bit by bit.</p>

<p>By now it’s old news, but the Twitch leak happened the same day I was getting my vaccine, and while waiting I talked to a friend who was worried about the security of his account. Turns out, both of us changed our passwords as soon as we woke up and got ready to get the shot (Astra Zeneca btw).</p>

<p>Regardless, because of this and other conversations in the Fediverse, I decided to check my accounts once again, change some passwords and <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication">enable multi-factor authentication</a> everywhere I could. I already had a ton of accounts with it, but I knew I had ignored some sites since I didn’t care enough back then, or I didn’t bother to find the option.</p>

<p>Basically, MFA allows you to get a unique code that changes over time. This means that even if someone gets access to your password, they only have 30 seconds to try and guess the code until it changes. Sadly, not every website implements this feature properly. Twitch, for example, requires you to add your phone number first, even if you don’t use MFA via SMS and use an authenticator app instead, the most recommended way of getting the codes.</p>

<p>I was sad to see that less than a third of all my online accounts provided good MFA support. I have like 150 accounts total, and <a href="https://joelchrono.xyz/blog/cleanup-your-pwmanager/">I used to have a lot more</a>, and while some don’t really need it (local accounts, router passwords), there is a big number of sites that don’t even bother for some reason.</p>

<p>Some interesting places that <strong>do not offer</strong> Multi-Factor authentication are the following:</p>

<ul>
  <li><a href="https://vivaldi.net"><strong>Vivaldi</strong></a>: While I really like this browser, the lack of OTP based MFA was a little annoying. They have an <em>Encryption password</em> that is just a second password apart from the one you set yourself; however, both are of the <em>something you know</em> type (<a href="https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html">which is not enough, at all</a>), while MFA is <em>something you have</em>. It looks like there is a <a href="https://forum.vivaldi.net/topic/33950/two-factor-authentication-scheme-for-vivaldi-net-account">thread about implementing MFA</a> in their forums, so hopefully the devs work on it soon.</li>
  <li><a href="https://matrix.org"><strong>Matrix</strong></a>: I kinda want to give Matrix a pass, even tho there is no TOTP based authentication, it still requires <em>something you have</em>, in this case, another device, to authenticate your session and gain access to encrypted chats. Still, there is a lot of metadata still accessible, which can be very very compromising.</li>
  <li><a href="https://spotify.com"><strong>Spotify</strong></a>: It does not surprise me at all, this streaming service is getting more and more problematic as time goes on. I <em>still</em> use it, because it <em>is</em> convenient, and I can’t afford to pay for music in something like <a href="https://bandcamp.com">Bandcamp</a>. Still, no way to secure an account.</li>
  <li><a href="https://news.ycombinator.com/"><strong>HackerNews</strong></a>: This is a news aggregator that is quite similar to Reddit. To me, all the data here is basically worthless, I do use it but I don’t comment often. Still, it would be sad to have to remove the email alias I assigned to it in case there is some leak.</li>
  <li><a href="https://wikipedia.org"><strong>Wikipedia</strong></a>: Well, this is the place I get my homework from. Everyone can contribute, there are a lot of articles about basically everything. As far as I could tell, while this account is not important for me either, no MFA still sucks. <a href="https://fandom.com">Fandom</a>, another Wiki used to create sites for specific topics, comics, movies, etc does not support it either.</li>
</ul>

<p>There are many other sites that don’t have MFA, and there are also some that surprisingly delivered. Stuff like the <a href="https://www.worldcubeassociation.org">WCA</a>, which is a site that keeps track of speedcubing competitions and world records, is the kind of website that I would expect to not have the highest security, and yet, they actually did it. <a href="https://mathworks.com">Mathworks</a> and <a href="https://autodesk.com">Autodesk</a> also have it, which is quite surprising, especially taking into account that neither National Instruments nor Texas Instruments offers the option (Yes, I study Engineering btw)</p>

<p>Anyways, this is a friendly reminder to check if you have MFA enabled on all of your accounts that support it, and it’s important to encourage the developers of every account you log into, so they get to work on it.</p>

<p>This has been day 58 of <a href="https://100DaysToOffload.com">#100DaysToOffload</a>. I once again took a while to post something, but that’s how it is sometimes. Anyways, have a good day!</p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="security" /><category term="privacy" /><category term="foss" /><category term="detox" /><summary type="html"><![CDATA[Since the Twitch leak that revealed quite a lot of data and source code, I got the urge of evaluating all of my passwords and authentication methods, and I got into another password cleanup phase, I was surprised to see 2FA is still not implemented everywhere.]]></summary></entry><entry><title type="html">Pass password manager on Linux, Android and Windows</title><link href="https://joelchrono.xyz/blog/pass-unix-manager/" rel="alternate" type="text/html" title="Pass password manager on Linux, Android and Windows" /><published>2021-05-19T11:55:15-05:00</published><updated>2021-05-19T11:55:15-05:00</updated><id>https://joelchrono.xyz/blog/pass-manager-adventures</id><content type="html" xml:base="https://joelchrono.xyz/blog/pass-unix-manager/"><![CDATA[<p>After a month or so of using Keepass to manage my passwords, I wanted to
set up something even simpler, and I decided to give it a try once and for
all.</p>

<p>Pass is an extremely simple tool to manage your passwords by using GPG
encryption on plain text files, allowing fairly customizable folder
structure.</p>

<p>It follows the Unix philosophy of doing one thing and doing it right. It
can be extended with different clients and plugins that expand its
functionality and allow features like auto-typing, otp support and filename
encryption, which is kinda nice.</p>

<h1 id="pass-functionality">Pass functionality</h1>

<p>I am going to assume you know how to make and deal with gpg keys. But I will
leave some sources if you wanna deal with that.</p>

<p>So, all I did was run</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pass init &lt;gpg-id&gt; 
</code></pre></div></div>

<p>Where you use the id of a preexisting gpg key you have. After that, to save
a password you use</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span> pass insert personal/example.com/account-name
Enter password <span class="k">for </span>account-name: account-password
</code></pre></div></div>

<p>If you’re creating a new account, you can use: <code class="language-plaintext highlighter-rouge">pass generate &lt;account-name&gt;</code> 
which will make a random password and save it automatically.</p>

<p>Pass uses the first line of a file as the password, and you can add extra lines
to it if you so wish. Therefore you can use the <code class="language-plaintext highlighter-rouge">-m</code> flag to continue
adding lines when creating a new entry.</p>

<p>I set up my files like this:</p>

<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="s">password</span>
<span class="na">url</span><span class="pi">:</span> <span class="s">example.com</span>
<span class="na">login</span><span class="pi">:</span> <span class="s">account@example.com</span>
<span class="na">otpauth</span><span class="pi">:</span> <span class="s">otp_url_thing</span>
<span class="na">autotype</span><span class="pi">:</span> <span class="s">login :tab pass :enter :delay :otp :enter</span>
<span class="na">comment</span><span class="pi">:</span> <span class="s">whatever</span>
</code></pre></div></div>

<p>I already explained enough of Pass itself, but this is not an in-depth tutorial,
so if you wanna know more about pass you can visit
its <a href="https://passwordstore.org/">website</a>.</p>

<h1 id="my-personal-setup">My personal setup</h1>

<p>Coming from Keepass, I used <a href="https://github.com/roddhjav/pass-import">pass-import</a> 
and the following command</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pass import keepass keepass_file.kdbx
</code></pre></div></div>

<p>This means I don’t need to risk a plain text file such as CSV, which is kinda
cool.</p>

<p>But how do I actually use it? Well, on Linux I use <a href="https://github.com/carnager/rofi-pass">rofi-pass</a>, a great
utility that makes use of rofi and has support for a lot of features,
including auto-typing and OTP support if you have the extension <code class="language-plaintext highlighter-rouge">pass-otp</code> installed. These
tools read the lines I showcased before, which is pretty practical.
I am quite a fan of how simple it is to configure and extend pass, and the
amount of existing tools that make use of it is great.</p>
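<p>To make the file layout above concrete, here is an added example (not from the post, not from pass or rofi-pass) that reads a decrypted entry in that layout and resolves its autotype line the way such clients do: the first line is the password, every later line is a <code class="language-plaintext highlighter-rouge">key: value</code> field, and each autotype token is either a key action (<code class="language-plaintext highlighter-rouge">:tab</code>, <code class="language-plaintext highlighter-rouge">:enter</code>, <code class="language-plaintext highlighter-rouge">:delay</code>, <code class="language-plaintext highlighter-rouge">:otp</code>) or the name of a field to type. The sample entry is constructed and stands in for the output of <code class="language-plaintext highlighter-rouge">pass show personal/example.com/account-name</code>; the otpauth value is a placeholder.</p>

```sh
#!/bin/sh
# Added example (not from the post, pass or rofi-pass): parse a decrypted pass
# entry laid out as in the post and expand its autotype sequence.
# Field names (url, login, otpauth, autotype, comment) are the post's own;
# the entry below is constructed and stands in for `pass show ...` output.

SAMPLE_ENTRY="$(mktemp)"
printf '%s\n' \
    'correct horse battery staple' \
    'url: example.com' \
    'login: account@example.com' \
    'otpauth: otpauth://totp/example.com?secret=PLACEHOLDERSECRET' \
    'autotype: login :tab pass :enter :delay :otp :enter' \
    'comment: whatever' \
    > "$SAMPLE_ENTRY"

# The first line of an entry is the password; this is the convention pass uses.
pass_password() {
    head -n 1 "$1"
}

# Print the value of "key: value" from any line after the first, or nothing.
pass_field() {
    awk -v key="$2" '
        NR > 1 && index($0, key ":") == 1 {
            sub("^" key ":[ \t]*", "")
            print
            exit
        }' "$1"
}

# 1 if the entry carries an otpauth field (so :otp can be resolved), else 0.
entry_has_otp() {
    if [ -n "$(pass_field "$1" otpauth)" ]; then echo 1; else echo 0; fi
}

# Expand the autotype template into one step per line. Tokens starting with a
# colon are key actions; "pass" means the password; any other word names a
# field whose value is typed. The password itself is never printed here.
autotype_steps() {
    entry="$1"
    for tok in $(pass_field "$entry" autotype); do
        case "$tok" in
            :otp) echo "action $tok (TOTP computed from the otpauth field)" ;;
            :*)   echo "action $tok" ;;
            pass) echo "type password (line 1 of the entry)" ;;
            *)    echo "type $tok=$(pass_field "$entry" "$tok")" ;;
        esac
    done
}

# Standalone run: show the seven steps the sample autotype line expands to.
autotype_steps "$SAMPLE_ENTRY"
```

<p>Because everything after the first line is free-form, a client only understands the fields it knows about; anything else (like <code class="language-plaintext highlighter-rouge">comment</code>) is carried along harmlessly, and a typo in a field name simply makes that autotype step type nothing.</p>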

<p>There are some browser extensions. I tried <a href="https://github.com/passff/passff">PassFF</a>,
but in the end I decided to only depend on rofi, since it’s simpler and safer
than a plugin in my opinion.</p>

<h2 id="pass-on-android">Pass on Android</h2>

<p>On my android device I decided to install <a href="https://github.com/android-password-store/Android-Password-Store">Password Store</a>
which is a great client that supports auto-fill and other things.</p>

<p>However, how do I sync everything up? The answer is pretty simple:
Syncthing, a program that needs no introduction.</p>

<p>I just shared my <code class="language-plaintext highlighter-rouge">password-store</code> folder to android and called it a day.</p>

<p>Password store needs <a href="https://github.com/open-keychain/open-keychain">OpenKeychain</a> to 
gain access to your gpg keys. To <strong>export your private key</strong> you have to run
this command from your terminal:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># In my case is gpg2, your distro might just use gpg
gpg2 --output secret_key.gpg --armor --export-secret-key &lt;gpg-id&gt;
</code></pre></div></div>

<p>Just copy it to your device and import it from the OpenKeychain app. It
should prompt you to input your passphrase, and now you can use it on
Password Store.</p>

<p>The app works surprisingly well on browsers, compared to other password
managers for Android, although it’s not as good in some apps. Of course your
mileage may vary, but most of them should work just fine.</p>

<h2 id="pass-on-windows">Pass on Windows</h2>

<p>I again used Syncthing to keep everything up to date. I 
installed <a href="https://www.gpg4win.org/">gpg4win</a> to get everything gpg needs to
work and I imported my key using Kleopatra, which gets installed
automatically. You could also use the command line but I didn’t know it was
available when I did it.</p>

<p>I was unable to find a working solution similar to <code class="language-plaintext highlighter-rouge">rofi-pass</code>. I am a fan
of <a href="https://github.com/Wox-launcher/Wox">Wox launcher</a>, but it didn’t have a
plugin for pass, and it hasn’t been updated in a while, so I decided to go for
<a href="https://github.com/browserpass/browserpass-extension">Browserpass</a>, which
is a browser plugin. I would have preferred a native program to do it, but it
is what it is.</p>

<p>There is actually a native program, <a href="https://qtpass.org/">QtPass</a>. But it
doesn’t have a pop-up shortcut and I didn’t feel like finding out how to do
keyboard shortcuts on Windows.</p>

<p>Browserpass is wonderful though, and it is still being updated, so I will
still use it, and I will use QtPass for native applications.</p>

<h1 id="some-troubleshooting">Some Troubleshooting</h1>

<p>During my experimentation, I faced many problems. Sometimes saving new
passwords or edits to existing entries would not work. This
happened because the <code class="language-plaintext highlighter-rouge">.gpg-id</code> file used by pass pointed to a
non-existent key, since Password Store had overwritten it (I assume
that it is a subkey that only existed on Android and the rest of my devices
are not aware of it).</p>
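<p>The failure above boils down to <code class="language-plaintext highlighter-rouge">.gpg-id</code> naming a key the local keyring has never seen. As an added example (not from the post or from pass), the script below checks every id in a store’s <code class="language-plaintext highlighter-rouge">.gpg-id</code> against a keyring listing before pass is asked to encrypt anything. In real use the listing comes from <code class="language-plaintext highlighter-rouge">gpg --list-keys --with-colons</code>; here both the store and the listing are constructed samples in that colon-separated format, with placeholder key ids and fingerprints.</p>

```sh
#!/bin/sh
# Added example (not from the post or pass): check that every key id in a
# password store's .gpg-id is known to the local keyring, the mismatch the
# troubleshooting section describes. In real use the listing comes from
#   gpg --list-keys --with-colons
# here KEYRING is a constructed sample in that format with placeholder ids.

STORE_DIR="$(mktemp -d)"
# Constructed .gpg-id: the first id is in the listing below, the second is not.
printf '%s\n' 'ABCDEF0123456789' 'FEDCBA9876543210' > "$STORE_DIR/.gpg-id"

# Constructed --with-colons listing: one primary key with one encryption subkey.
# Field 1 is the record type; field 5 of pub/sub records is the long key id;
# field 10 of fpr records is the full fingerprint.
KEYRING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:ABCDEF0123456789:1600000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000ABCDEF0123456789:
uid:u::::1600000000::PLACEHOLDERHASH::Example User::::::::::0:
sub:u:4096:1:1122334455667788:1600000000::::::e::::::23:
fpr:::::::::0000000000000000000000001122334455667788:'

# Print the ids from .gpg-id that no pub/sub key id or fingerprint ends with
# (so short ids, long ids and full fingerprints are all accepted).
# Returns 0 when every id is known, 1 otherwise.
missing_gpg_ids() {
    store="$1"
    known="$(printf '%s\n' "$2" | awk -F':' '
        $1 == "pub" || $1 == "sub" { print $5 }
        $1 == "fpr" { print $10 }')"
    missing=""
    for id in $(cat "$store/.gpg-id"); do
        if ! printf '%s\n' "$known" | grep -qi "${id}\$"; then
            missing="${missing}${id} "
        fi
    done
    printf '%s\n' "${missing% }"
    [ -z "$missing" ]
}

# Standalone run: report the ids pass would fail to encrypt to.
missing_gpg_ids "$STORE_DIR" "$KEYRING" || echo "pass would fail: fix .gpg-id or import the missing key"
```

<p>When the check reports an id, the remedy is either to import that key on the device that is missing it, or to run <code class="language-plaintext highlighter-rouge">pass init</code> again with the ids every device actually has, which rewrites <code class="language-plaintext highlighter-rouge">.gpg-id</code> and re-encrypts the store.</p>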

<p>Another problem is getting the password-store folder location to be found by
both of these programs. The plugin settings provide a way to set a custom
folder, and so does QtPass. I placed my folder in
<code class="language-plaintext highlighter-rouge">C:\Users\my-user\password-store</code> and managed to use it quite easily.</p>

<h1 id="final-thoughts">Final thoughts</h1>

<p>I am really liking this setup. <code class="language-plaintext highlighter-rouge">pass</code> supports using <code class="language-plaintext highlighter-rouge">git</code> to manage branches
and that kinda stuff, but I decided to keep it simple and just use Syncthing as
mentioned before. I don’t really have a secure git instance or something like
that, and since the filenames are not encrypted this can be a bit of leaked
metadata, but that isn’t really a problem locally, and it’s probably no big deal
if I make a private repo on Codeberg or something like that.</p>

<p>I kinda wanted to make this blog a bit longer, but it’s honestly not that
difficult to do the switch, and I just provided a few sources across this post that
can be helpful if you need something more.</p>

<p>This is day 37 of <a href="https://100DaystoOffload.com">#100DaystoOffload</a>.</p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="linux" /><category term="android" /><category term="foss" /><category term="windows" /><category term="tutorial" /><category term="privacy" /><category term="security" /><summary type="html"><![CDATA[I decided to try Pass, changing my workflow and getting it to work everywhere I need it to]]></summary></entry><entry><title type="html">Don’t just switch your password manager, clean it up too!</title><link href="https://joelchrono.xyz/blog/cleanup-your-pwmanager/" rel="alternate" type="text/html" title="Don’t just switch your password manager, clean it up too!" /><published>2021-03-26T18:59:30-06:00</published><updated>2021-03-26T18:59:30-06:00</updated><id>https://joelchrono.xyz/blog/cleanup-your-pwmanager</id><content type="html" xml:base="https://joelchrono.xyz/blog/cleanup-your-pwmanager/"><![CDATA[<p>I am pretty sure that most people reading this are aware of the changes LastPass made for their free-tier customers. A lot of articles have already talked about that, and some people might be in the process of switching to a different service, hosting their own or using an offline solution.</p>

<p>I have been a huge fan of <a href="https://bitwarden.com/">Bitwarden</a>, whose Wikipedia page states:</p>

<blockquote>
  <p>Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI. Bitwarden offers a cloud-hosted service as well as the ability to deploy the solution on-premises.</p>
</blockquote>

<p>Not only does it offer a pretty great free option, it also decimates most of the competition besides LP when it comes to security, privacy and transparency.</p>

<p>I can only think of a couple of options that can be better: <a href="https://www.passwordstore.org/">Pass</a>, a pretty minimal option that follows the UNIX philosophy (and might be a bit too extreme), and <a href="https://keepassxc.org/">KeepassXC</a>.
I chose the latter, and to be honest, I am quite happy with the results. Bitwarden allowed me to export my database as a .csv file, and I imported it into my .kdbx (not to be confused with <a href="https://xkcd.com/">xkcd</a>) database.</p>

<p>But honestly, I am not here to tell you which password manager to use. Whether you are switching to a new one or you just have some time, <strong>you should do some housekeeping</strong>.</p>

<h1 id="-get-rid-of-weak-passwords">🔑 Get rid of weak passwords</h1>

<p>One of the features Bitwarden locks behind a paywall is the ability to look for <strong>duplicated passwords</strong>. I was aware that several of my accounts shared the same passwords. Back when I switched to Bitwarden, I was using my browser’s built-in autofill feature (don’t do that please), but I still used the same password <em>everywhere</em>. And I had been living with that for years.</p>

<p>You are probably doing that too for some of your accounts, so I suggest you do yourself a favor and change those passwords as soon as you can. Luckily, KeepassXC can show me duplicated passwords, and if you are self-hosting or paying for Bitwarden, you can have that functionality too.</p>
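<p>If your manager hides that report behind a paywall, the check itself is simple. Here is an added example (not from the post, nor from Bitwarden or KeepassXC) that reports which accounts in an export share a password, grouping on the password but never printing it. The CSV is a constructed minimal <code class="language-plaintext highlighter-rouge">name,password</code> export; it assumes passwords contain no commas, which real exports handle by quoting fields that this toy parser does not support.</p>

```sh
#!/bin/sh
# Added example (not from the post or any password manager): report accounts
# that share a password in a vault export, without echoing the passwords.
# The CSV is constructed as a minimal "name,password" export and assumes no
# commas inside passwords (real exports quote such fields; not handled here).

VAULT_CSV="$(mktemp)"
printf '%s\n' \
    'name,password' \
    'forum.example,Tr0ub4dor' \
    'shop.example,Tr0ub4dor' \
    'bank.example,correct horse battery staple' \
    'mail.example,Tr0ub4dor' \
    > "$VAULT_CSV"

# One line per reused password: how many accounts share it, then their names.
# The password is used only as a grouping key inside awk and is never printed.
reused_passwords() {
    awk -F',' '
        NR > 1 {
            count[$2]++
            names[$2] = (names[$2] == "" ? $1 : names[$2] " " $1)
        }
        END {
            for (p in count) if (count[p] > 1) print count[p], names[p]
        }' "$1"
}

# Number of distinct passwords that are reused at all; 0 means the vault is clean.
reused_count() {
    reused_passwords "$1" | wc -l | tr -d ' '
}

# Standalone run: the three accounts above sharing one password show up as one group.
reused_passwords "$VAULT_CSV"
```

<p>The export is a plain text copy of every credential, so treat it like the post treats CSV files: run the check, change the flagged passwords, and delete the file as soon as you are done with it.</p>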

<p>There is something <strong>important</strong> to keep in mind. If you come from LastPass (or any other proprietary manager), you should consider <strong>changing all of your passwords</strong>. You really have no idea what they are doing behind the curtain. For all you know, they might release all of your information to the Web the moment you stop using their service (or even while you still are).</p>

<h1 id="-get-rid-of-your-old-accounts">💀 Get rid of your old accounts</h1>

<p>Funnily enough, the moment I started going through all of those accounts with repeated passwords, I realized I had a bunch of accounts that were deactivated, breached or were from a dead website/forum.</p>

<p>I have been deleting accounts I don’t need, changing the passwords of those I have to keep, and requesting the deletion of some that don’t offer any way to delete them myself. So far, <strong>my recycle bin contains 64 accounts</strong> and counting, which will get automatically deleted after a certain time (quite handy if I need to get some back).</p>

<h1 id="-enjoy-a-cleaner-private-and-epic-setup">✨ Enjoy a cleaner, private and epic setup</h1>

<p>Maybe you have heard of <strong>Inbox Zero</strong>, the digital minimalism practice where you get rid of all of your old emails that you won’t really read. Well, I have never really done that. But I assure you that it <strong>does not feel as great</strong> as having a completely tidy and well organized database of passwords and accounts.</p>

<p>This was not a matter of clicking a <strong>“Delete All”</strong> button or using some magic script, but the product of 4+ hours (in my case, your mileage may vary) of going through bloated menus, sending and replying to emails, logging in to multiple accounts, checking if they still exist, and taking the time to debloat my database so that only the accounts I need are in there.</p>

<h1 id="wrapping-up">Wrapping up</h1>

<p>I am quite happy with how everything turned out. I really can’t encourage you enough to try and do this, even if you are already using KeepassXC or any other manager. This has been day 28 of <a href="https://100DaystoOffload.com">#100DaystoOffload</a>, I guess I should give this a hashtag huh?</p>

<p>Are you ready for a <strong>#PasswordDebloat</strong>?</p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="foss" /><category term="tutorial" /><category term="linux" /><category term="privacy" /><category term="security" /><summary type="html"><![CDATA[After LastPass messed up big time, a lot of people changed to a different password manager, but after that, maybe it's time to get rid of old accounts too.]]></summary></entry><entry><title type="html">Privacy respecting browsers on Android</title><link href="https://joelchrono.xyz/blog/privacy-android-browsers/" rel="alternate" type="text/html" title="Privacy respecting browsers on Android" /><published>2021-02-09T17:42:00-06:00</published><updated>2021-02-09T17:42:00-06:00</updated><id>https://joelchrono.xyz/blog/privacy-browsers</id><content type="html" xml:base="https://joelchrono.xyz/blog/privacy-android-browsers/"><![CDATA[<p>When it comes to alternatives for common apps on Android, browsers take the cake: there are a lot of good options that work and offer their own features, as well as dozens that are forks with ads or other kinds of malicious software.</p>

<p>Because of that, if you want to be safe on the internet, there are only a few trustworthy options: <a href="https://www.bromite.org/">Bromite</a> and <a href="https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/">Fennec</a>. Some other options are <a href="https://brave.com/download/">Brave</a> or <a href="https://vivaldi.com/">Vivaldi</a>, but they are a bit more controversial (still good in my opinion), so you would probably want to choose one of the first two for the maximum amount of security and control.</p>

<h1 id="-light-yet-private-browsers">🔒 Light yet private browsers?</h1>

<p>However, in my experience, all of these browsers have a problem: <strong>they are too heavy for my needs</strong>. They are fine if I want to use the browser to explore the web or do online shopping, but most of the time, using an app that takes over 100 MB just to display an article I visit through links from social media or YouTube videos is kind of bloated.</p>

<p>Therefore, I started looking for lighter browsers that were better for my usage, while still providing some privacy, and decided to share them with you.</p>

<h2 id="via-browser"><a href="https://viayoo.com/en/">Via Browser</a></h2>

<p>Since I am using a custom ROM, my device comes with Via preinstalled, a very lightweight and powerful browser that I have used from time to time. It offers built-in ad blocking, tons of customization and features, a very minimal interface, custom scripts and a lot of other things. The only gripe I have with it is that it’s Chinese, and even though I don’t think the developer is doing anything sketchy, I would rather avoid any trouble. If you don’t mind (like I do sometimes), it is a very good choice.</p>

<h2 id="duckduckgo-privacy-browser"><a href="https://f-droid.org/en/packages/com.duckduckgo.mobile.android/">DuckDuckGo Privacy Browser</a></h2>

<p>This is a good one. It is available on F-Droid, which is the link I provided, so it is open source, and quite a decent option. I love the fact that it triggers the private mode on my keyboard by default, a feature that might be available in some others, but you would have to enable it manually. It also offers a quick button to delete all of the data used in the browsing session, which is quite a nice feature.</p>

<h2 id="firefox-klar--focus"><a href="https://play.google.com/store/apps/details?id=org.mozilla.focus">Firefox Klar / Focus</a></h2>

<p>I don’t have a lot to say about this one. I have used it before, but I was unable to find it on the F-Droid repos; however, at the time of this blog, the Google Play version was last updated January 19th of 2021, so I assume it’s still in development. I would not really use this one, because it is a lot heavier than the rest (around 50), since it’s using its own engine. It offers a button to delete everything just like the DDG browser, but it is not as customizable.</p>

<h2 id="smart-cookie-web"><a href="https://f-droid.org/en/packages/com.cookiegames.smartcookie/">Smart Cookie Web</a></h2>

<p>My current favorite. It is extremely lightweight, as customizable as Via and more: it offers tabs (like on desktop browsers) and a lot of privacy features, it also has its own set of add-ons that you can install, a built-in reader mode, and so much more. I chose this browser because it feels super complete, while still being less than 5 MB of download. It might totally replace Bromite or Fennec, at least for me.</p>

<h1 id="just-go-with-what-you-like">Just go with what you like</h1>

<p>Each and every one of these browsers is nothing but one more option, and it is up to you to choose; in fact, you can simply not install any of them and continue with your current one. But each of these has been used by me and they also look kinda nice :D</p>

<figure class="img">
  <picture>
    <source srcset="/assets/img/blogs/2021-02-09-browser-showcase.webp" type="image/webp" />
    <source srcset="/assets/img/blogs/2021-02-09-browser-showcase.jpg" type="image/jpeg" />
    <img class="mx-auto" src="/assets/img/blogs/2021-02-09-browser-showcase.jpg" alt="Home screens, from left to right, DuckDuckGo, SmartCookieWeb, Via and Focus/Klar" />
  </picture>
  <figcaption class="caption">Home screens, from left to right, DuckDuckGo, SmartCookieWeb, Via and Focus/Klar</figcaption></figure>

<p>This is the 5th blog for the <a href="https://100daystooffload.com/">#100DaystoOffload</a> challenge, this time it was quite hard to start, but in the end, I think it turned out right, and I hope it’s helpful for you. If you have any other browser recommendations, make sure to share them with me!</p>

<p>I still find it difficult to stay loyal to one browser or another, to be honest, I have only been using SCW for half a week or so, and I factory reset my phone quite often. I have been browsing less and less in favor of <a href="/rss-usage">RSS readers</a>. So as I said, I quite prefer these lighter, simpler options for browsing quick questions or open links. And not so much for more personal or important browsing.</p>]]></content><author><name>joelchrono</name><email>me@joelchrono.xyz</email></author><category term="android" /><category term="privacy" /><summary type="html"><![CDATA[Looking for fast, privacy focused, lightweight web browsers for casual use? Me too...]]></summary></entry></feed>