A review of my experience with Bitwarden after several years of self-hosting it, and why I decided to move away from the password manager.

Note: this is not my article.

  • punrca@piefed.world · 14 points · 10 hours ago

    I use KeepassXC on my laptop (completely offline), export the encrypted backup copy and store that backup both offline and in the cloud. Also, I manually import the backup file into my Keepass2AndroidOffline android app (it’s a hassle, but I’m okay with it).

    But for normies (non-technical folks), the benefits and convenience of using a cloud-based password manager are far outweighed by any security vulnerabilities in such password managers.

    Also, Bitwarden’s source code is open-source (unlike other closed-source password managers), so I trust it more.

    • HubertManne@piefed.social · 4 points · 9 hours ago

      I’m one of the folks that reserve important items for a local password manager and use Bitwarden for all the various sites that, if they got taken over, would be annoying but not the end of the world.

  • Eager Eagle@lemmy.world · 10 points · 11 hours ago

    Bitwarden’s npm distribution pipeline stayed compromised for approximately 19 hours and 334 developers had enough time to pull the malicious package before it was caught.

    It was actually about 90 minutes

    Everyone running bw in a CI pipeline just handed the attackers whatever else happened to live on that machine.

    only if they installed bw in that time window

    Otherwise yes, I agree it’d be better if the CLI was written in a non-JS/TS ecosystem. Perhaps Rust or Go. And the criticisms to list including secrets are super valid.

  • A_norny_mousse@piefed.zip · 31 up, 4 down · 19 hours ago

    What’s with the downvotes? The article makes good points, and brings them across politely:

    • it’s a $100M for-profit company
    • it’s heavy (compared to Vaultwarden, a Bitwarden compatible Rust rewrite)
    • its code base requires proprietary MS libraries and other esoteric (seen from the POV of a *nix user) stuff. I might have summarized this one badly, just read the chapter, it’s not long.

    My guess is people are salty because

    • they use Bitwarden and don’t like to see it criticized
    • they got upset by the javascript overlay which is hilarious imo. I certainly got rick-rolled for a hot second.

    FWIW, I don’t serve my password database on the www at all. It sits on my own server and I can access it with all my devices, but the software to do that is local only.

  • turdas@suppo.fi · 71 up, 1 down · 23 hours ago

    My review of your post: you need to stop using so much emphasis on everything. Not every instance of the word Bitwarden needs to be italicized. Also five different ways of storing passwords sounds insane, and harping on for a dozen paragraphs about Bitwarden’s security incidents only to settle on another SaaS password manager sure is a choice.

    • A_norny_mousse@piefed.zip · 9 points · 19 hours ago

      The outward appearance might not be your style, but they make good points, provide facts to support them and most importantly, they remain polite about it.

      I personally think the article is worth reading, at least until just before the last chapter, in which the author outlines their own convoluted ideas. And that’s where such things belong: in the last chapter.

      only to settle on another SaaS

      Do you mean Vaultwarden? AFAICS they do not “settle” on it, but they do argue that it is much lighter in almost every respect. And since it is Bitwarden compatible the comparison is valid.

      Frankly, I think most people just got salty because of the javascript overlay which I found pretty funny; a mild prank and a good demonstration of the power of javascript.

      • turdas@suppo.fi · 2 points · 8 hours ago

        Do you mean Vaultwarden? AFAICS they do not “settle” on it, but they do argue that it is much lighter in almost every respect. And since it is Bitwarden compatible the comparison is valid.

        I don’t know which one I mean, because OP never says which SaaS password manager they switch to, they simply say they switch to a proprietary SaaS password manager:

        For group A I’m going with a SaaS password manager that offers proper vault sharing, integrates with the tools clients actually use (SSO, browser extensions on corporate machines, audit logs), and takes the hosting burden off my plate. The platform is proprietary, which I would normally not be thrilled about, but given that the scope of this group is client work only, I’m accepting the trade-off.

  • deegeese@sopuli.xyz · 3 points · 14 hours ago

    But what if you don’t want to self host your password manager?

    Any non terrible choices?

    • A_norny_mousse@piefed.zip · 8 up, 1 down · 12 hours ago

      I don’t think Bitwarden is a terrible choice. That said, I share the author’s concerns in general.

      How much does a non-self-hosted password manager cost? Weigh that against the cost of remote-mountable server storage; you can simply put your database there.
      (Both costs can be 0 btw)

    • KairuByte@lemmy.dbzer0.com · 4 up, 1 down · 13 hours ago

      I prefer 1Password. They use a secure encryption key together with your master password. If you lose the encryption key, your data can’t be recovered. The key is only needed during the initial setup and after that you unlock the vault on your device with your master password.

      This means if their database ever gets hacked, your data is encrypted in a way that not even you could get at unless you have that secure key.
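The principle described above, a vault key that depends on both a human master password and a random device-held secret, as an added illustration (this is not 1Password's actual scheme and not code from the thread; the PBKDF2 iteration count, the HKDF labels and every function name are assumptions made for the demo):

```python
import hashlib
import hmac
import os

# Added example (not from the thread and not 1Password's real algorithm):
# a vault key derived from two secrets, a human master password and a random
# 128-bit secret key that is created once at setup and lives only on enrolled
# devices. Names, labels and parameters below are hypothetical.

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune for real use


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine the password-derived key and the device secret into one vault key.

    The password side is stretched with PBKDF2 (slow, guessable input); the
    secret key side is already 128 bits of randomness, so HKDF is enough.
    Both halves feed the final HKDF, so anyone missing either half derives a
    completely different key. A stolen server copy therefore cannot be
    cracked by guessing the password alone.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, 32)
    sk_key = hkdf_sha256(secret_key, salt, b"secret-key", 32)
    return hkdf_sha256(pw_key + sk_key, salt, b"vault-key", 32)


def generate_secret_key() -> bytes:
    """128-bit random device secret; never sent to the server."""
    return os.urandom(16)


def enroll(master_password: str, secret_key: bytes) -> dict:
    """Produce the record a server would store: a salt and an unlock verifier.

    The verifier is an HMAC under the vault key, so it can confirm a correct
    unlock but cannot be turned back into either secret.
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt)
    verifier = hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(record: dict, master_password: str, secret_key: bytes) -> bool:
    """Re-derive the key from both secrets and compare against the stored verifier."""
    key = derive_vault_key(master_password, secret_key, record["salt"])
    candidate = hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    sk = generate_secret_key()
    record = enroll("correct horse battery staple", sk)
    print(unlock(record, "correct horse battery staple", sk))              # right password + right secret
    print(unlock(record, "correct horse battery staple", os.urandom(16)))  # right password, wrong secret
```

The second call returns False even though the password is correct, which is the property the comment describes: without the secret key, the stored record (salt plus verifier) gives an attacker nothing to guess against, and the legitimate user likewise cannot recover the vault if the key is lost.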

  • ccunning@lemmy.world · 25 up, 1 down · edited · 22 hours ago

    What’s with the sketchy domain name? Doesn’t really instill trust enough for me to click on let alone listen to their opinion.

    ETA: TIL about punycode. Thanks all 🙏

    • Elvith Ma'for@feddit.org · 43 points · 22 hours ago

      If the domain starts with xn--, it’s a telltale sign that it’s a punycode domain name. Read: it does contain characters that are not ASCII characters. This is done as domains need to be ASCII only. The format of these domains is usually xn--allASCIIcharacters-allNonASCIIcharactersEncoded.tld. Example: täst.com is xn--tst-qla.com.

      If you manually type such a domain (containing characters like äöüéèçč…), many browsers will still display what you entered, but convert the domain into punycode in the background before connecting.

      You can decode the domain of this post and it results in マリウス.com.

      • MonkderVierte@lemmy.zip · 3 up, 1 down · 20 hours ago

        This is done as domains need to be ASCII only

        They don’t need to, but a punycode attack is done by using a letter of another language that looks almost identical. I think you still have to actively enable the defense against it (some about:config setting), as the poster did.

        • Elvith Ma'for@feddit.org · 6 points · 16 hours ago

          DNS is ASCII only, so this conversion is done. It is not necessary to display the “technical” domain name that results when you enter a domain name with non-ASCII characters in apps, but yes, this prevents character confusion.

          https://en.wikipedia.org/wiki/Internationalized_domain_name

          In the Domain Name System, these domains use an ASCII representation consisting of the prefix xn-- followed by the Punycode translation of the Unicode representation of the language-specific alphabet or script glyphs. For example, the Cyrillic name of Russia’s IDN ccTLD is рф. In Punycode representation, this is p1ai, and its DNS name is xn--p1ai.
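The encoding the two comments above describe (täst.com ↔ xn--tst-qla.com, рф ↔ xn--p1ai) and the mixed-script check that browsers use in spirit to decide whether to show the Unicode or the xn-- form, as an added example using Python's built-in punycode codec. This is not code from the thread; it skips the IDNA mapping step (NFKC, non-ASCII case folding) and approximates Unicode scripts from character names, and the function names and the constructed mixed-script sample are assumptions:

```python
import unicodedata

# Added example (not from the thread): encode, decode and sanity-check IDN
# labels with Python's built-in "punycode" codec. The ACE prefix "xn--" marks
# a label whose Punycode body decodes to non-ASCII characters.
ACE_PREFIX = "xn--"


def to_ascii(hostname: str) -> str:
    """Convert a Unicode hostname to its DNS (ASCII) form, label by label.

    Labels that are already ASCII (including existing xn-- labels) pass
    through lower-cased; every other label is Punycode-encoded and prefixed.
    This skips the IDNA mapping step (NFKC, case folding of non-ASCII text),
    which is enough for the examples here but not a full IDNA implementation.
    """
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append(ACE_PREFIX + label.lower().encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(hostname: str) -> str:
    """Inverse of to_ascii: decode every xn-- label back to Unicode."""
    labels = []
    for label in hostname.split("."):
        if label.lower().startswith(ACE_PREFIX):
            labels.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def letter_scripts(label: str) -> set:
    """Approximate the set of scripts used by the letters in a label.

    Uses the first word of each letter's Unicode name (LATIN, CYRILLIC,
    KATAKANA, ...) as a stand-in for the Script property, which the stdlib
    does not expose directly. Digits, hyphens and unnamed code points are
    ignored.
    """
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def display_form(hostname: str) -> str:
    """Return the form a cautious client should show the user.

    Shows the Unicode form only when each label is written in a single
    script; otherwise falls back to the raw xn-- form so a look-alike letter
    from a second script cannot pass as ASCII. Real browser policies are
    more elaborate than this single rule.
    """
    unicode_host = to_unicode(hostname)
    for label in unicode_host.split("."):
        if len(letter_scripts(label)) > 1:
            return to_ascii(unicode_host)
    return unicode_host


if __name__ == "__main__":
    # Values quoted in the thread: täst.com -> xn--tst-qla.com, рф -> xn--p1ai
    print(to_ascii("täst.com"), to_ascii("рф"), to_unicode("xn--p1ai"))
    # Constructed mixed-script label: Cyrillic "а" (U+0430) inside Latin text
    print(display_form("ex\u0430mple.com"))
```

A single-script label such as täst.com is shown as Unicode, while the constructed mixed-script label is shown in its xn-- form, which is the kind of cue the earlier comment refers to when it says the prefix is a telltale sign.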

    • TerHu@lemmy.dbzer0.com · 5 up, 1 down · 18 hours ago

      they even have a blog post telling you to never click domains that look like the domain of the blog :D