I’ve personally switched over to Bitwarden, and am in the process of getting my family out. I migrated (easily!) last year and have not regretted it once.
Bonus: you can (should you so desire) self-host the Bitwarden sync server, which was a draw for me, but so far I’m happy to let them handle server maintenance, backups, etc.
I’m self-hosting Vaultwarden and it’s been working flawlessly. NixOS makes it quite easy via services.vaultwarden. And on the clients the only thing you need to do is put in your custom URL at signup.
I’m possibly not the best at server maintenance, but all the apps work even when the server is down or the client can’t connect to the internet at all. They have a local copy of the encrypted database.
I also switched from LastPass to Bitwarden. I’ve wanted to do that since LogMeIn took over, but it was low prio until the breach last year (mentioned in the article).
I picked Bitwarden between all the alternatives for a few reasons:
- managed solution. As LuminantJess says, I don’t want to deal with backup and security for such things as my passwords.
- self-hosting is possible (should I ever choose to deal with backups and security after all).
- open source (unlike a lot of other options, starting with Google and Apple, via LastPass and the like) means I can set up some things like @muvlon mentions in his comment before relatively easily.
The switch was relatively simple - export from lastpass, import in Bitwarden, and I kept both for maybe a month before a full switch.
Also running vaultwarden here, installation was easy, and having the official android and firefox/chrome addons from bitwarden that can talk with my own vaultwarden instance is very nice.
I would only ever use something that can be self-hosted and is open-source, so things like lastpass and 1pass wouldn’t be acceptable.
I still have / keep all passwords also in ‘pass’ (passwordstore.org) … as having a git log of everything, and its massive flexibility and programmability is a thing I wouldn’t want to lose.
Am I misunderstanding something or does bitwarden gate the generation of TOTP codes behind a paid plan for their hosted service, i.e., preventing a self hosted instance from being useful for TOTP?
The official Bitwarden server does, but the more efficient Vaultwarden server has no such limitations.
Although, it’s a personal policy decision of whether you want the same store to hold both authentication factors.
Anyone else stuck with federated LastPass at their company? That bit about federated users actually being (severely!) affected is news to me. We certainly didn’t de-federate and re-federate every single user. Anyone else confirm that’s still required?
How silly that I have to depend on community support for an enterprise-supported product…
This advice should have really been: “Depending on the length and complexity of your master password and iteration count setting, you may want to reset all your passwords.”
Relatedly, more fallout from the breach is in Brian Krebs’s latest post, confirming the argument that once the breach occurred, the message should have been “change all your passwords NOW.” Someone appears to be working through the accounts and mining crypto wallet pass phrases.
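To make the “length and complexity of your master password and iteration count” trade-off above concrete, here is an added Python example (not from this thread and not LastPass’s code or parameters): it derives a vault key with PBKDF2-HMAC-SHA256 and estimates how long an offline attacker holding a stolen vault needs per iteration count. The salt, sample password and the attacker throughput of 1e9 HMAC-SHA256 evaluations per second are constructed assumptions for the demo, not measurements.

```python
import hashlib

# Constructed sample inputs for the demo; not anyone's real credentials and not
# a vendor's actual derivation parameters.
SAMPLE_SALT = b"user@example.com"
SAMPLE_MASTER_PASSWORD = b"correct horse battery staple"

# Assumed attacker throughput in HMAC-SHA256 evaluations per second for an offline
# attack on a stolen vault. Illustrative assumption, not a measurement.
ASSUMED_HMAC_PER_SECOND = 1e9


def derive_vault_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 key stretching. Every extra iteration is one more HMAC an
    attacker must compute per guess, so the iteration count is a direct cost multiplier."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Expected offline cracking time: on average half the keyspace is searched, and
    each guess costs `iterations` HMAC evaluations at the assumed rate."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses * iterations / hmac_per_second


def crack_time_days(entropy_bits: float, iteration_counts,
                    hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> dict:
    """Tabulate expected cracking time in days for several iteration counts: the
    comparison a user needs when deciding whether to rotate every stored password."""
    return {n: expected_crack_seconds(entropy_bits, n, hmac_per_second) / 86400
            for n in iteration_counts}


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, 100_000)
    print("vault key:", key.hex())
    # A 40-bit password (roughly 8 random alphanumeric characters) versus a 60-bit one,
    # at a low legacy iteration count and at higher ones.
    for bits in (40, 60):
        for n, days in crack_time_days(bits, [5_000, 100_000, 600_000]).items():
            print(f"{bits}-bit password, {n:>7} iterations: {days:,.1f} days")
```

The useful observation is that iterations scale the attacker’s cost linearly while each extra bit of password entropy doubles it, which is why the advice hinges on both settings rather than on either one alone.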
It’s wild to me that the best option for managing your authentication on the Internet is to give your credentials to a small company like 1Password or LastPass. How did that happen? I would sure be more comfortable if it were Google, Microsoft, Mozilla, or Apple managing them for me. Those companies have their problems but I trust they have a better chance at making a product secure.
(I know the answer, it’s business questions. Going back to Passport no one trusts the big companies with all the keys to the kingdom. But the current state of things where some tiny random company has them isn’t good either.)
It’s wild to me that the best option for managing your authentication on the Internet is to give your credentials to a small company like 1Password or LastPass. How did that happen?
But it’s not? There’s BitWarden, where you can self-host either their server, or VaultWarden. There’s pass, there’s KeePassXC, just to name a few.
(Btw, LastPass ain’t a small company. It’s developed by GoTo, who had over 3k employees and over 1.2 billion USD revenue in 2019 - I imagine both grew substantially since. That is to say, it is bigger and has more revenue than Twitter currently. Granted, they have more products in their portfolio than LastPass, but it’s no small company by any means.)
I would sure be more comfortable if it were Google, Microsoft, Mozilla, or Apple managing them for me. Those companies have their problems but I trust they have a better chance at making a product secure.
I’d rather not trust any of them. My passwords are safest when they’re not in the cloud at all.
I would sure be more comfortable if it were […] Apple managing them for me.
If you’re all-in on Apple’s operating systems, this is pretty much possible. iCloud can store your passwords (and optionally also TOTP data) in the cloud, end-to-end encrypted.
Yeah, in some ways. It’s a trade-off between security and convenience. There’s an ongoing debate about it, which I don’t have a strong opinion in. I was mostly trying to make the point that iCloud Keychain is relatively full-featured, and can replace apps like LastPass for many users.
The way I see it, it converts your static 1FA login into a time-sensitive 1FA login, which is still strictly better than ONLY a password.
It does mean you have to protect your PC against infiltration as otherwise someone could sniff the TOTP password… but frankly that’s already true when you rely on a password manager.
It depends on the threat model. The threat model for TOTP is normally that the endpoint is compromised. For example, if there’s a browser vulnerability then someone could exfiltrate your password, but if they steal a TOTP password then they need to use it immediately or it stops working. This becomes 1FA if an attacker who can compromise the bit of the channel that holds the password can also compromise the TOTP codes.
I wasn’t aware keychain worked with TOTP, but if it does then it depends somewhat how they implement it. For WebAuthn, the keys never leave the secure element (well, not as plaintext. The iCloud thing does key exchange between two SEs and sends the encrypted keys from one to another) and so someone that compromises the browser can do more signing as the user, though I believe each request has to be accompanied by a fingerprint or face scan and there’s a secure path from the fingerprint reader to the SE. If TOTP is handled there as well, it’s probably fine. If it’s handled in the keychain daemon then someone with root access on the client can get the TOTP codes as well as the password.
I think Google’s and Apple’s “solution” to this problem was that companies should just let them handle the authentication AKA Login with Google/Apple. Considering how trigger happy both are for banning users, I wouldn’t trust that either (and not to mention the privacy concerns).
The big players are disinterested because it’s all risk, low reward. One screw up and the entire brand’s security reputation is permanently trashed (like LastPass), and you’ll probably get class actioned or arbitration to hell and back. Do it well and you get a slew of customer support burden and a small stream of cash at best (compared to their main money makers).
Apple’s iCloud Keychain works (even on Windows and under Chrome as an extension) as a general purpose password manager. I don’t use it, so I can’t comment on how well it works, but it probably works just fine.
PassKeys don’t require a third party gatekeeper. They are just private keys stored on your client (ideally in some form of HSM). The bit that does require Apple currently is syncing them between devices. This is quite hard to do securely because you want one HSM to provide an encrypted copy of the keys to another HSM (encrypted with a public key corresponding to the other HSM’s private key) but you don’t want that to be something an attacker can do if they have temporary access to your device. Apple does some key exchange via the iCloud infrastructure and requires you to be logged in on both devices, so at least an attacker would need to compromise both and persuade you to go through the biometric auth steps on both. I’d love to see an open standard for this but I have no idea how to design something that is both usable and secure for this.
I would sure be more comfortable if it were Google, Microsoft, Mozilla, or Apple managing them for me. Those companies have their problems but I trust they have a better chance at making a product secure.
Others have noted that Apple does offer a password manager, at least “If you’re all-in on Apple”. I’ll note that so does Google (if one uses Chrome everywhere), I think Mozilla at least used to (although I wouldn’t put them in a list of big companies with strong security), and I assume Microsoft at least has something for enterprise use.
I run mine on a raspberry-pi on my home network (using docker-compose). Super straight forward and backups are trivial too
I’m also planning to leave LastPass. What made you choose Bitwarden? Did you look at any other options?
Good to know, thanks
As far as I’m concerned, LastPass is a lost cause.
If self-hosting / open source is not a requirement I still highly recommend 1Password.
I switched from LastPass to 1Password a couple of years ago and it’s an absolute delight.
My favorite features of 1Password:
Don’t you turn 2FA back into 1FA if you keep TOTP together with passwords?
Maybe it’s that… but they’re also both pushing passkeys IIRC.