1. 8

Now that the LastPass Free version supports sync across multiple devices (it was a premium feature before), I’ve found out about this bitwarden, which has browser and mobile apps available, and it seems that everything is open source under https://github.com/bitwarden

Anyone heard of it?

  2. 4

    Hey all. I’m the main developer behind bitwarden and would love to answer any questions you guys have. As mentioned in the OP, be sure to check out the source of the entire bitwarden platform at https://github.com/bitwarden. I’ll monitor this post for questions/comments and follow up as best I can.

    1. 3

      Hi @xxkylexx, & welcome. Thank you for offering to answer questions.

      Your website also makes the claim that bitwarden is the “safest way to store and sync your passwords”. Why do you say so? What’s your threat model and how do you distinguish your service from any of the other cloud password services listed in the comments?

      edit: saw answer to my biz model question above

      1. 1

        Thanks for the question. The claim can be somewhat subjective and is certainly biased coming from me; however, bitwarden is distinguished from other password managers because it is entirely open source. This eliminates the security-through-obscurity problem and provides an open platform for review.

    2. 4

      I see all these fancy password managers and I think… why not simply use an encrypted text file with your passwords on it? Less code, fewer vulnerability vectors.

      1. 16

        Actually, there are potentially more vulnerability vectors.

        1. On a number of platforms (Windows, OS X, Android, and Linux), any application can subscribe to the clipboard. So if you’re copying your login credentials, anything on your system that might be compromised can grab it.
        2. Along the same lines, the vectors for leaking an unencrypted text file are actually quite high. While all of the password managers I know of are vulnerable to various forms of scanning (except 1Password on Windows when operated on the secure desktop), the text file is likely to be unencrypted in full in scrollback history or something similar for quite some time. There are ways to avoid this, but they’re tricky and error-prone; you can look at the history of PGP secure notes for some background here on all the ways to mess things up.
        3. An encrypted text file can also be difficult to merge. While you may be able to automate the process to a degree, you are again put into a position where you have to run your decrypted password file through multiple tools, which again increases your attack surface. E.g., most naïve ways of doing this would at least temporarily store both versions of your file unencrypted on disk to feed to a merge tool.
        4. An encrypted text file also cannot store anything other than logins and passwords, which makes storing other forms of secure data hard. E.g., in 1Password, I track what login pages of sites I haven’t been to look like, and explicitly track the full login page URLs, so that I can catch myself if I somehow fall for the first part of a phishing attempt. You can obviously do that without a password manager, but you’re now reaching for something like a LibreOffice document, which expands your attack surface and increases complexity.
        5. Finally, most modern password managers provide several things beyond mere storage, including cryptographically secure password generation, service exploitation monitoring (e.g., WatchTower for 1Password), which lets you know when a site you use has had its passwords compromised, and more. It’s not that you cannot do these things yourself, but it requires a lot of effort (monitoring HaveIBeenPwned, hoping you know to use arc4random or an equivalent with proper distribution across your alphabet, etc.). Collectively, these can dramatically decrease your attack surface, by allowing you to respond more effectively and proactively to site compromises.

        If storing all your passwords in an encrypted text file works for you, that’s fine; more power to you. But I don’t think it’s accurate anymore to claim that going that route is more secure than alternatives.

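        Point 5 above mentions generating passwords with a proper distribution across the alphabet. The following is an added example (not code from the original post, nor from bitwarden or 1Password) that makes the argument concrete: it quantifies the bias of the common `random_byte % len(alphabet)` shortcut and generates characters by rejection sampling instead. The 94-symbol alphabet and the injectable `next_byte` parameter are choices made here for illustration.

```python
import math
import os
import string

# 94 printable ASCII symbols, chosen here for the example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def naive_char_probabilities(alphabet_size, byte_range=256):
    """Per-symbol probabilities of the common mistake `byte % alphabet_size`.

    A uniform byte in [0, byte_range) reduced mod alphabet_size favours the
    first (byte_range % alphabet_size) symbols. Returns (p_overweighted, p_normal);
    the two are equal only when alphabet_size divides byte_range.
    """
    full, rem = divmod(byte_range, alphabet_size)
    p_over = (full + 1) / byte_range if rem else full / byte_range
    p_normal = full / byte_range
    return p_over, p_normal


def random_byte():
    """One byte from the OS CSPRNG (the same source arc4random-style APIs draw from)."""
    return os.urandom(1)[0]


def unbiased_index(alphabet_size, next_byte=random_byte):
    """Uniform index in [0, alphabet_size) by rejection sampling.

    Bytes at or above the largest multiple of alphabet_size that fits in 256
    are discarded, so every residue class is hit equally often. `next_byte`
    is injectable only so the behaviour can be checked deterministically.
    """
    if not 1 <= alphabet_size <= 256:
        raise ValueError("alphabet_size must be in 1..256")
    limit = 256 - (256 % alphabet_size)
    while True:
        b = next_byte()
        if b < limit:
            return b % alphabet_size


def generate_password(length=20, alphabet=ALPHABET, next_byte=random_byte):
    """Password with each character drawn uniformly from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(alphabet[unbiased_index(len(alphabet), next_byte)] for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly generated password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    p_over, p_normal = naive_char_probabilities(len(ALPHABET))
    print(f"naive modulo: {p_over:.5f} vs {p_normal:.5f} per symbol ({p_over / p_normal:.2f}x bias)")
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20, len(ALPHABET)):.1f} bits)")
```

        With 94 symbols, 256 mod 94 is 68, so the first 68 characters of the alphabet come out 1.5 times as often as the rest under the naive scheme. In real code the standard library's `secrets.choice` performs the same rejection sampling internally and should be preferred; the hand-written loop is here only to show what "proper distribution" means.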
        1. 7

          For the same reason you don’t manually decrypt and paste in your ssh private key every time you log in to a host—convenience.

          A password manager can also do some checks that humans may miss or flub, like stopping the pasting of your Gmail password into a convincing phishing site.

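          Point 4 of the long reply above (recording the full login page URL) and the comment just above (stopping a paste into a convincing phishing site) describe the same check: only offer a credential when the page's origin matches the origin it was saved for. The following is an added illustration, not code from the original posts or from bitwarden or 1Password. The vault entries and page URLs are constructed for the example, and exact-origin matching is one policy choice among several (some managers match on the registrable domain instead).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, normalising case and default ports.

    Userinfo tricks such as https://accounts.google.com@evil.example/ are
    defeated because urlsplit's .hostname is the part after the '@'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def autofill_allowed(stored_login_url, current_page_url):
    """True only if the page is on exactly the origin the credential was saved for.

    Plain-http pages are refused outright: a network attacker could have
    injected the login form, so the stored URL's scheme is not enough.
    """
    current = origin(current_page_url)
    if current[0] != "https":
        return False
    return origin(stored_login_url) == current


def matching_entries(vault, current_page_url):
    """Vault entries whose saved login URL origin matches the current page."""
    return [e for e in vault if autofill_allowed(e["login_url"], current_page_url)]


# Constructed sample vault for the example.
VAULT = [
    {"name": "Google", "login_url": "https://accounts.google.com/signin", "username": "alice"},
    {"name": "Example Mail", "login_url": "https://mail.example.org:8443/login", "username": "alice"},
]

# Constructed page URLs: one legitimate, the rest lookalikes a human can fall for.
PAGES = {
    "legitimate": "https://accounts.google.com/signin/v2/identifier",
    "subdomain lookalike": "https://accounts.google.com.evil-login.example/signin",
    "userinfo trick": "https://accounts.google.com@evil.example/signin",
    "homograph (punycode)": "https://accounts.xn--ggle-0nda.com/signin",
    "downgraded to http": "http://accounts.google.com/signin",
    "wrong port": "https://mail.example.org/login",
}


def run_checks(vault=VAULT, pages=PAGES):
    """Map each page label to the names of entries that would be offered for autofill."""
    return {label: [e["name"] for e in matching_entries(vault, url)] for label, url in pages.items()}


if __name__ == "__main__":
    for label, names in run_checks().items():
        print(f"{label:22} -> {names or 'no autofill'}")
```

          Only the legitimate page gets an entry offered; every lookalike, the userinfo trick, the punycode host, the http downgrade and the wrong port come back empty. A human reading the address bar can miss any of these, which is the point the two comments make.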
          1. 4

            You would like pass(1)

            1. 1

              That’s a bit presumptuous – I’m not pizzaiolo, but while I do personally employ (essentially) the encrypted-text-file method, I think “pass” is actually pretty grossly misdesigned.

              1. 1

                I have some issues with pass too: namely, it leaks metadata like names, creation time, and change history, and it encrypts without authenticating. Is there anything else I should know about?

                1. 2

                  There are little things like its somewhat oddball dependency list (tree? what?), but the metadata-in-the-clear aspect is definitely the major one for me (the gross misdesign I referred to).

            2. 2

              That would be hard to use on a mobile phone I think.

              1. 0

                I think it is not that hard to write a GUI application able to decrypt GPG encoded files, or read stdout by making subsequent calls to pass.

                1. 4

                  This is getting pretty seriously far away from the implied simplicity of “simply use an encrypted text file”.

              2. 1

                Depending on your use case, this might be the solution. I have written my own at http://pestilenz.org/~ckeen/blog/posts/pee.html

              3. 4

                I’d be 100% down with a peer-to-peer syncing solution, but considering they’re using Azure to store everything centrally, it makes me question how they intend to sustain this service and their longevity.

                1. 4

                  bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working on our monetization strategy which will introduce additional premium features in the future. For now though, everything is free for users.

                  1. 2

                    Let me know when you find that p2p solution!

                    1. 4

                      I use pass to manage my passwords, and instead of using the integrated Git support for syncing (I know I’ll get lazy and forget to commit and push at times), I use Syncthing to keep everything in sync across all my devices. Syncthing works very well for me: it is easy to install and configure, and adding other devices is trivial to do.

                      1. 1

                        Well, if you really trust the encryption, you could always use IPFS.

                        1. 1

                          IPFS is great! I’ve used it to sync large files between my home and remote nodes from time to time.

                          If all you keep are website + password pairs (no username/login ID), then even if the encryption employed by IPFS is “broken”, the risk profile is still very low as any intermediary node that has a copy of your file will have no way of figuring out which user ID to pair with the password.

                    2. 2

                      Keepass is another open source password manager with many different front ends, including mobile.

                      1. 2

                        This is the first I’ve heard of it, and I’m left wondering what their business model is/will be.

                        1. 1

                          Would love to use it, but I use enpass.

                          1. 1

                            Cool! I’ve been hoping for something like this. I mean, I love 1Password, but it ain’t cheap.

                            The database is SQL Server.

                            Welp, 1Password it is.

                            1. 1

                              The core DAL is written in a way that can very easily be swapped out to your database engine of choice. See https://github.com/bitwarden/core/issues/10

                            2. 1

                              I like to use PasswordSafe. Free, open-source, and originally written by Bruce Schneier. There are compatible iOS and Android apps.

                              It looks like bitwarden does not have a desktop implementation?

                              1. 1

                                There is not a true desktop implementation yet. It is in the plans. However, desktop usage can be satisfied with the browser extensions currently.

                              2. 1

                                Have there been any 3rd party security audits on this software? If not, are there any plans to do so?