1. 47
  1. 15

    I just started trying out Bitwarden with the vaultwarden reimplementation. It was shocking how easy it was to set up 2FA and everything. The official documentation is great and helps walk through all kinds of password importing.

    They have a great free tier also, and an official Docker image with which you can self-host a single account, just in case you’re worried about lock-in.

    1. 5

      and an official Docker image with which you can self-host a single account, just in case you’re worried about lock-in.

      I used that for a while and found it unstable. Probably due to a relatively underprovisioned VPS. I’ve found bitwarden_rs (now vaultwarden) equally easy, more stable, and much lighter on resource usage.

      1. 1

        Doesn’t vaultwarden allow you to do any number of accounts? Or is your second paragraph about bitwarden provided resources?

        1. 1

          Correct, vaultwarden can do all the accounts and groups that the enterprise version of bitwarden can.

          The second paragraph is about the official Bitwarden self-hosted free version.

      2. 8

        I really like Bitwarden’s (apparent?) commitment to an open service and APIs that you can interact with either with officially supported clients, or other open-source projects. If anything, it makes me trust that I could move a vault’s data fairly easily.

        Are there similar articles around for services like LastPass or 1Password?

        1. 4

          1Password has their security design whitepaper (PDF) which describes their approach in a similar level of detail.

          1. 1

            I don’t think the whitepaper says much about open APIs/unofficial clients, but it does go into a great amount of detail regarding how their system works.

            That whitepaper is a good chunk of the reason why I’m personally using 1Password: I was impressed by the thoughtfulness that went into their security. But I’m operating under the assumption that I’ll only be able to use their official clients – which I’m okay with, but I think Bitwarden is better on that front.

        2. 2

          Really interesting post. As an aside, the Stretched Master Key diagram breaks the site’s responsive design by stretching the page out.

          1. 2

            Thank you so much :D The broken diagram is going to be fixed soon :D

          2. 1

            Unfortunately the only way to generate passwords requires copying and pasting the password from the “Generate Password” menu item into the target field, allowing anything that can access your clipboard to access your password.

            1. 16

              This is not accurate. You can generate a password and select it as the password to use for a new record, through the new record interface.

              1. 4

                Can you describe this process for my sake?

                1. 6

                  Absolutely! To the right of the Password field on the New Record screen, there is a Generate button (circling arrows), which takes you to Generate with a Select action available in the top right. Choosing Select on this Generate screen inserts the generated password. You can then save the record and fill as normal.

              2. 1

                Don’t you need to copy it to use it anyhow?

                1. 1

                  Actually, I’ve tried this a few different ways, but it seems like you never need to use the generator if you use the + button in all the apps. If I do use the generate function in the web browser, it doesn’t let me specify parameters, but picks up the parameters from the “tools” page.

                  1. 1

                    With LastPass at least, the extension can fill in fields in the browser and so never requires the user to read the plaintext.

                    1. 3

                      Bitwarden has browser extensions for every browser that I have heard of and some that I hadn’t: https://bitwarden.com/download/

                2. 1

                  My only complaint with Bitwarden is that their OTP 2FA should be write-only, meaning that I shouldn’t be able to recover/view the OTP PSK from my previous 2FA setup.

                  1. 6

                    It’s still going to need the ‘original’ secret… so there will be ways to extract it anyway. I see it as just another password.

                    1. 1

                      It still protects you from any phishing and mitm situations, right?

                      1. 1

                        TOTP does not really prevent those things. How would it? A phishing page can forward everything you enter into it to the original server. It only makes “slow” / “offline” phishing impossible, so it just forces phishers to apply the credentials ASAP to get the cookie/token/whatever. And a MitM can always just grab the resulting cookie/token directly. (Yeah, yeah, the “teleportation” of a cookie to a very different location and device can be treated as suspicious, but at that point we’re in last-resort territory, not security-by-design territory.)

                        TOTP is crappy security theater compared to WebAuthn (U2F), which actually protects against phishing.
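The two points made above (the vault "still needs the original secret, so it's just another password", and a real-time phishing page can relay a TOTP code while WebAuthn binds the assertion to the browser's origin) as an added, runnable illustration. This is example code written for this page, not code from Bitwarden, vaultwarden or any commenter. It assumes made-up origins, a made-up per-credential key, and uses HMAC-SHA256 as a stand-in for the authenticator's asymmetric signature; the TOTP part is checked against the RFC 6238 test secret.

```python
"""Added example: a TOTP code is a function of a shared secret, so anyone who
holds that secret (authenticator app, password vault, or an attacker who read
it out of either) computes the same code, and a phishing page that forwards the
typed code within its validity window is accepted.  A WebAuthn assertion covers
the origin the browser actually loaded, so the same relay fails.

Assumptions: origins and credential key are constructed for this example;
HMAC-SHA256 stands in for the authenticator's per-credential asymmetric
signature (the origin-binding argument does not depend on the algorithm).
"""
import base64
import hashlib
import hmac
import json
import struct

# RFC 6238 Appendix B test secret, kept in the base32 form that vaults store.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

REAL_ORIGIN = "https://accounts.example"         # constructed relying-party origin
PHISH_ORIGIN = "https://accounts.example.evil"   # constructed lookalike


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def server_accepts_totp(secret_b32: str, submitted: str, now: int) -> bool:
    """The relying party derives the same code from the same shared secret."""
    return hmac.compare_digest(totp(secret_b32, now), submitted)


def totp_phishing_relay(secret_b32: str, now: int) -> bool:
    """Victim reads the code off their authenticator (or vault) and types it into
    the phishing page; the phisher submits it to the real server straight away."""
    code_typed_by_victim = totp(secret_b32, now)
    return server_accepts_totp(secret_b32, code_typed_by_victim, now)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def webauthn_assertion(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """What browser + authenticator hand back to a page.  The browser writes the
    origin it loaded into clientDataJSON; the page cannot choose that value."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # Real authenticators sign authenticatorData || SHA-256(clientDataJSON) with
    # a per-credential private key; HMAC stands in for that signature here.
    signature = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def server_accepts_webauthn(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: ceremony type, its own challenge, its own origin, signature."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != b64url(challenge):
        return False
    if data.get("origin") != REAL_ORIGIN:      # the straight relay is rejected here
        return False
    expected = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def webauthn_legit_login(cred_key: bytes, challenge: bytes) -> bool:
    return server_accepts_webauthn(cred_key, challenge,
                                   webauthn_assertion(cred_key, challenge, REAL_ORIGIN))


def webauthn_phishing_relay(cred_key: bytes, challenge: bytes) -> bool:
    """Phisher forwards the real challenge; the victim's browser signs it but
    stamps PHISH_ORIGIN, so the relying party rejects it."""
    relayed = webauthn_assertion(cred_key, challenge, PHISH_ORIGIN)
    return server_accepts_webauthn(cred_key, challenge, relayed)


def webauthn_phishing_relay_rewritten(cred_key: bytes, challenge: bytes) -> bool:
    """Phisher edits the origin field before forwarding; now the signature fails."""
    relayed = webauthn_assertion(cred_key, challenge, PHISH_ORIGIN)
    forged = {
        "client_data": relayed["client_data"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode()),
        "signature": relayed["signature"],
    }
    return server_accepts_webauthn(cred_key, challenge, forged)


if __name__ == "__main__":
    cred_key, challenge = b"constructed-per-credential-key", b"server-random-challenge"
    print("TOTP at T=59 (RFC 6238 vector):", totp(RFC6238_SECRET_B32, 59))
    print("TOTP relay accepted:", totp_phishing_relay(RFC6238_SECRET_B32, 59))
    print("WebAuthn legit login:", webauthn_legit_login(cred_key, challenge))
    print("WebAuthn relay accepted:", webauthn_phishing_relay(cred_key, challenge))
    print("WebAuthn relay, origin rewritten:", webauthn_phishing_relay_rewritten(cred_key, challenge))
```

Running it prints the RFC 6238 SHA-1 vector for T=59 (287082 at six digits), shows the relayed TOTP being accepted, and shows both WebAuthn relay variants rejected: the honest relay because the signed origin is the phishing site, the rewritten one because editing clientDataJSON invalidates the signature. The same `totp()` also makes the "just another password" point concrete: a vault that stores the seed can reproduce every future code, exactly as the phone can.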

                        1. 1

                          Totally agree. I do prefer it to sms and email second factors, but anything that doesn’t allow exporting the secret is 1000× better and anything that generates the secret itself without exportability is 1000× better than that.