With today's hubbub over Twitch being hacked and their information being leaked, I'd like to bring up BitWarden, which is one of the better free password managers, and has been extremely useful today in securing my various accounts (because I'm a dumb-dumb who used the same password everywhere, so one leak and I had to change everything...). It was super easy to install and add everything to, and now I'm annoyed that I hadn't done it sooner.
I like bitwarden - https://bitwarden.com/
Ignore the pricing spam, the basic version is free and completely functional. You can pay extra to be able to add 2fa and a few other things. Browser extensions, apple/android compatibility, desktop client.
This! Set up a password manager (Bitwarden is free and open-source), turn on 2FA everywhere you can (not SMS 2FA if you can avoid it), and stop using the same password everywhere.
After Lastpass got acquired by LogMeIn last year I decided to start looking elsewhere. Being a software developer myself, I turned toward open source solutions but it immediately became apparent that nothing existed that was as convenient and as user friendly as Lastpass. I also realized that everyone seemed to charge money for these closed-source solutions (and rightfully so I suppose, a password manager is essential!).
bitwarden was born from this search and I have been developing on it every night since. This week marks the complete 1.0.0 release of bitwarden! There are apps for iOS and Android on the stores, browser extensions for Chrome, Firefox, and Opera, and a convenient website vault. It's free, open source, and cross platform.
Feel free to let me know any feedback that you may have or if you are interested in contributing in any way. You can check out the main product website at https://bitwarden.com/
> Since all of your data is fully encrypted before it ever leaves your device, only you have access to it. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.
I really like Bitwarden and it was easy to import passwords from Lastpass. I have tried to set up KeePass several times but it always ends with me frustrated that something isn't working the way I want and I delete it.
And that my friends, is why you use a different password for every site you visit. Me, I recommend BitWarden, which takes care of this.
Open source, works well in browser and on mobile.
Upvoted for visibility, also you MUST MUST MUST use meaningfully unique passwords for each of your services.
If you reuse, the moment some dumb website host loses their unsalted MD5 hashes and your password is cracked in milliseconds, you have now leaked creds for all your accounts. If your email account is included in that, they can reset ALL your other accounts and get access to everything, even if those passwords were different.
There are tools to make it easy to manage strong unique passwords on sites, and browser plugins + mobile apps to make it convenient and autofill.
Fido2 is one of the more secure types of 2FA with a security key and up until now it wasn't supported on mobile. Not sure about the other
https://bitwarden.com/help/article/setup-two-step-login-fido/
The data stored on your local device is encrypted with your master password. It is only decrypted when you unlock your vault and then it resides in RAM, not local storage.
https://bitwarden.com/help/article/data-storage/
That said, a hacker with access to your device could capture your master password. So only install software from trusted sources, don't click on links, etc.
I'm using Bitwarden and it's awesome.
And if you want a subscription, it's very cheap and it gives you 1GB encrypted file storage and some other stuff for $10 a year.
edit: formatting
Bitwarden.com used for years and never looking back to 1password or selfhosted bitwarden_rs. If you go selfhosted solution, remember to donate to bitwarden.
(dont have any relation to bitwarden)
Damn, they really must be getting desperate if they're stooping to that level
If anyone wants any recommendations for password managers, Bitwarden is pretty good, has a free tier, and for those who are into that is also open source
Yes your vault is stored locally so if Bitwarden exploded you would still have access to your data in the app / extension etc. You can also periodically do exports. Finally, it’s open source so subject to being forked or maintained by the community in the event the company went under or something however unlikely it is
Yes if you self host you will utilize docker containers. Deployment instructions here - https://bitwarden.com/help/article/install-on-premise-linux/ No support for raspberry pi currently but believe that is something they’re supposed to be releasing.
I remind folks self hosting is a privacy feature not a security feature. Unless you’re a very talented IT professional, letting Bitwarden & Azure handle securing the servers etc is prob the best :-) I self host a test instance for learning / practice etc. but “daily drive” the cloud offering
This easy: https://bitwarden.com/help/article/import-from-chrome/#export-from-chrome
I prefer Bitwarden as it's better and has much more features than any browser-based password manager, and it works on any browser or device.
that sounds all cool and stuff but the 1password client and server code are still proprietary/closed source
so you can't actually verify that they are promising
local AES-CBC 256 bit encryption and PBKDF2 SHA-256 hash for master password / secret key with TLS encryption is actually pretty standard for password manager
Bitwarden for example does it too
> automatically generated so it’s more random and secure than your local device password.
this is actually an attack vector for the cost of usability
true randomization is actually a little bit harder than people think
Cloudflare did a blog post on how they use for example lava lamps as one randomization source because of that
For all those posting here about LastPass... I highly suggest a switch to BitWarden. It is open source, a free app although you can pay in order to get syncing (which seems fair). You can self-host the syncing server if you are ultra-paranoid but their service is cheap enough.
Most importantly... because they are open source the code is available for all to see and understand and has been independently verified as secure.
I used LastPass for quite a while but to me, BitWarden is better in every way. The killer feature for me was that you can put your MFA tokens into it and it will automatically copy the current generated # to your clipboard ready to paste once the page comes up.
If OP has good 2FA on the vault (like a Yubikey), I would argue that it's ok to use Bitwarden for your TOTP seeds.
And I do strongly encourage 2FA on the Bitwarden account. SMS has known weaknesses, email relies on the security of the email account, and TOTP means relying on another app, since you obviously can't use Bitwarden for THAT.
You might also appreciate this Bitwarden blog post.
I posted this to /r/programming the other day and figured I would share it with the awesome /r/webdev community as well since there are many web development components.
>After Lastpass got acquired by LogMeIn last year I decided to start looking elsewhere. Being a software developer myself, I turned toward open source solutions but it immediately became apparent that nothing existed that was as convenient and as user friendly as Lastpass. I also realized that everyone seemed to charge money for these closed-source solutions (and rightfully so I suppose, a password manager is essential!).
>
>bitwarden was born from this search and I have been developing on it every night since. This week marks the complete 1.0.0 release of bitwarden! There are apps for iOS and Android on the stores, browser extensions for Chrome, Firefox, and Opera, and a convenient website vault. It's free, open source, and cross platform.
>
>Feel free to let me know any feedback that you may have or if you are interested in contributing in any way. You can check out the main product website at https://bitwarden.com/
1Password is now VC controlled. I have no faith that they have the users’ best interests at heart anymore. Let’s face it, they serve their investors first. That’s how VC funded companies work.
BitWarden has been extensively audited using SOC 3, which means the audit hasn’t just been done by third parties but the reports are also available publicly. 1Password is only SOC 2 compliant. Moreover BitWarden is HIPAA compliant too. Every way you look at it, BitWarden is just better.
LastPass is pretty good, but I recently switched to bitwarden because it has pretty much all the same features, has a browser extension available for pretty much every browser (and yes, it's compatible with Firefox 57), can be self-hosted, and is also libre-free and open-source.
LastPass is known for severe performance issues. You might want to consider switching to Bitwarden (but maybe it's better to try disabling it first, before you do the effort to switch)
uBlock Origin is also a lot more economic on resources than ABP, so it probably pays to switch your ad blocker too.
I don't know of the other add-ons, try disabling them to see if it makes a difference.
Oh, and check if multi-process is enabled :) You can do that in about:support
Here you go: https://bitwarden.com/blog/building-a-strong-security-stack/
While there are some great recommendations in there I wouldn’t suggest you ever go 100% off of one resource, it’s usually good to poke around and see what others say about these.
whoops, that was our mistake. It should be gone soon. The best way is to follow our github repos (for the absolute most granular info) - and then checking out the release notes mentioned above on bitwarden.com/help. You can also subscribe to status.bitwarden.com via RSS and get notified of any issues/updates/releases, etc.
Bitwarden uses a zero-knowledge protocol; all the data is encrypted before it leaves your computer. You don't need to care at all if all data is public while in transit, as it is encrypted. Nobody can read your data.
Check this:
This ^ u/carrotcakegal!!! If you haven’t done so yet, change your email, google, social media, and all other sensitive account passwords, IMMEDIATELY! Good time to start using a password manager like Bitwarden or 1Password and make sure you setup 2FA at the very least on your password manager and email accounts!
Congrats on your newfound freedom and dodging the sociopath bullet! Take care now. Bye bye then.
It sounds dumb, but because they've been compromised.
In each case Lastpass addressed the issue immediately and openly and a resolution was made within days.
In no case, to my knowledge, was an actual vault ever compromised without simply guessing the master password with personal or socially engineered knowledge.
Additionally, it's fairly obvious what encryption they're doing from independent analysis.
If you'd like an opensource option, you might look at Bitwarden. Here's an opinion piece comparing the two from an end user (non-technical) perspective; he generally says he prefers Bitwarden in many ways, but at the end of the day if you're concerned about the actual security of the two you're probably better off with Lastpass.
Yes, me, too!
8mVZDvyD!uaCLQ#oHc^%[email protected]!k
Literally just made it up on-the-spot thanks to Bitwarden. If I were to use it (which I won't), I wouldn't have to remember it.
Bitwarden has a self-hosting version.
https://bitwarden.com/pricing/business/
I can't provide experience with the self-hosted version, but I use bitwarden for 3 years now and I would never change. It works!
Depends on what you mean by support.
If you mean complete synchronisation, then no, there is no app that can do that.
If you want to ditch Google Password and use a better alternative, then you can export all of your data from there and import it into Bitwarden.
> 1. Does free version of BW support 2FA (Authenticator or similar, not hardware device)
Free supports TOTP and email for 2FA.
>1. Does free version of BW have password challenge (security checkup) to check for duplicate account passwords, weak passwords, etc?
That's only at the premium level.
>1. Are you able to subscribe to Premium 1 month at a time or only for the full year?
No, it's a full year for $10. When you factor in the per-transaction costs for a monthly payment and how cheap it is, I think that's fair.
>1. Are you able to share usernames/passwords on free version or is that only premium?
Not entirely sure what you're asking? At the free level you and your partner can share a single "collection". Read this and see if this is what you want. If it's more than two of you, or if you need more than one collection, you'll need a paying plan.
>1. What is the purpose of the 'Free org' account? What is sharing a collection mean?
See the previous answer.
>1. How do you export passwords from Lastpass if you are locked into the mobile app?
I just saw someone else answer this! Sign up for their premium trial, export your vault, and then cancel the trial.
Are you asking about how to make the switch? Start here.
I don't understand your question about $36/year. That's the LastPass price. Bitwarden has a $10/year premium subscription, but there's no need to buy that right away.
Why not keep the 6 other passwords in your password manager on your phone?
If that's not an option, length is more important than complexity. It can be something easy to type (think sentence, multiple dictionary words, etc).
Anything outside my password manager gets a sentence with some capitals, numbers, and punctuation. Something like "MyRedditUsernameIsColtman151." scores as taking centuries to crack by Bitwarden and is very easy to remember and type both. If you make it something personal, it'll be even more impossible to guess.
https://bitwarden.com/password-strength/ if you want to play around with it.
Why not just use 1Password, as you seem to like it more, and if they ever increase the price to the point that you can't justify it (I have never had a price increase, but I guess your one will increase if you are no longer a student) then just switch to bitwarden?
Bitwarden is open source, runs on every OS, can be self hosted on your own server, and has an easy to use migration assistant to move your passwords from other password manager apps.
If the site owner can obtain my password in some way, it means it was not stored correctly.
I'll point you to the Bitwarden FAQ where they explain how they store your passwords securely (it's the first example that comes to mind): encryption.
Here is an article from their site for where on the system is stored - https://bitwarden.com/help/article/data-storage/ You can delete these files & directories for your respective system and clients
As others have said though , the data is encrypted and useless without your master password.
https://bitwarden.com/help/article/releasenotes/
2021-05-11
The Bitwarden team is pleased to release a set of features and updates continuing our mission of making password management easy and accessible for individuals and businesses:
Privacy & Security Options for Send: Use a new Send Privacy option to hide your email from recipients (see here for details). To prevent abuse, File Sends will now require a verified email address. Additionally, Enterprise Organizations can implement a new policy to set the availability of the Hide Email option (see here for details).
How can Firefox without TMP be unusable, but not Chrome? Firefox's default tab management is not good, but Chrome's is even worse (by far). And unfixable.
But TMP works totally fine for me, so I wouldn't worry about that too much. XMarks is not e10s-compatible, so that add-on is probably disabling multiprocess for you. Also, Lastpass has known performance issues in its Firefox add-on, and recently, quite a few security issues in their add-ons in general. You might want to try Bitwarden, it's FOSS. I don't know about Tab Menu, uBlock Origin is definitely fine.
Bitwarden offers several forms of 2FA: The free options are either email (they email you a 6 digit code), or TOTP which requires some kind of Authenticator app (to generate a 6 digit code based on the time of day).
In premium there are additional methods like Duo, Yubico OTP, and FIDO2/Webauthn.
You can have multiple forms of 2FA enabled at the same time as well, for redundancy. Technically that’s a slight decrease in security but for the average user it’s negligible and in your case—concerned about not locking yourself out while traveling—it’s probably a good idea.
In any case, once you enable some form of 2FA you should immediately store your 2FA Recovery Code in a safe place. This code will disable 2FA on your Bitwarden vault, enabling you to login in again in the event that you’ve lost your primary form of 2FA.
So back to your question, which I assume is referring to a TOTP (Time-based One Time Password) using an authenticator app: depending on which app you’re using, and what devices you’re using them on, there are ways to have backups. Some apps enable you to backup to the cloud, for example.
You can search this subreddit for about a gazillion discussions on TOTP apps. The short version is for iOS: Authy, Raivo OTP (open source), or OTP Auth (also works on macOS). For android Aegis or Authy. I don’t use windows, so I can’t recommend a desktop app, but there surely are some.
If you haven’t already, check out: https://bitwarden.com/help/article/setup-two-step-login/
And: https://bitwarden.com/blog/basics-of-two-factor-authentication-with-bitwarden/
Situations like this are becoming more and more common and it's exactly why I encourage people to NOT allow apps or websites to store your credit or debit or payment info. Please use a trusted password manager like Bitwarden, which is opensource and free for personal use.
Password managers can securely store your logins and credit card/debit card/payment info and input that info automatically when you need to make your purchase. Sure, it's one extra step to unlock your password manager, but it's much better than having to stress out about whether your payment details have been compromised and go through the hassle of closing out your cards and ordering new ones, not to mention the worry about identity theft.
They have a little breakdown on their site (towards the bottom): https://bitwarden.com/pricing
For most people I think the vault health reports are the most useful, basically checking how many times a password is reused in your vault, strength etc.
For people that are looking to make things extra secure the advanced 2FA supports things like Yubikey and with premium you also have the option of self hosting your vault.
Honestly I mostly just stick with the vault health feature and pay the 10 dollars a year to support the project even though I would likely also be perfectly well served with the free version. :)
Also verify your Vault Timeout Action in Settings is set to Log Out, not Lock.
If worse comes to worse, login to the web vault and go to Settings and at the bottom click on "Deauthorize Sessions". That will log you out everywhere and reset any "Remember me" settings, forcing a relog and 2FA again.
I recommend bitwarden over keepass.
It's open source, never been compromised, fully 256 bit encrypted, has been peer audited, and works really well on all operating systems including Android and iOS, and you can host it on your own server.
Bitwarden: free, open source, self-hostable, easy to use, very secure, cross-platform. I used LastPass, but when they introduced severe limits on free use I tried several others and this one is king.
There are various services, such as Bitwarden, that have an Emergency Access feature. Short version: you add trusted contacts (you invite them, they accept). Trusted contacts can then request access to your account at any time, and you can either approve or reject the request. You can also define a period, e.g. 7 days, and if you don't respond within that window, access is granted as well. You can then use this for master passwords, instructions, etc.
At Bitwarden, Emergency Access is included as a feature in the $10/year plan, for example. I don't use it myself (yet), but so far it looked the most promising.
All the things you mention plus individual (or zipped together) copies of any important document/txt/pdf files from my PC, just as an off-site backup and for access should I need them.
I’ve heard of one person saving their wedding photos there, as well.
Also, with the Send functionality, you could put pretty much any file under 500MB that you want to securely share with someone else.
Hi!
You'll just create an Organization and select the Family plan. Then you'll invite members to your Family Organization.
Here's some helpful documentation:
https://bitwarden.com/help/article/getting-started-organizations/
Not sure if this only applies to self-hosting (that’s what I do, so I’m just backing up the whole instance), but there is an option to use the CLI: https://bitwarden.com/help/article/export-your-data/
Great question!
The cloud is the system of record. If you edit an item that is “out of date” the app will let you know that you need to sync before editing.
There’s more info on syncing here: https://bitwarden.com/help/article/vault-sync/
>Bitwarden uses end-to-end encryption for all vault data. Only your email and master password can decrypt your vault. Bitwarden does not have the ability to see any data in your vault.
>
>Since your data is fully encrypted before ever leaving your local device, no one from the Bitwarden team can ever see, read, or access your data. Bitwarden servers only store encrypted and hashed data. This is an important step that Bitwarden takes to protect you. To put it simply, your data is encrypted at the moment it is stored on your device and remains that way until you view it with your unique email and master password combination.
If you’re willing to do the work, you can accomplish something similar already with a combination of Custom Fields (Just create a text field named Yubikey and set it to “Yes”) and Advanced Searches (>fields:Yubikey to show ones you set, >-fields:Yubikey to show ones where the text field does not exist).
Can even make it more specific. If you set the field for all entries to Yes or No, you can show them with:
>+fields:Yubikey +Yes
Or
>+fields:Yubikey +No
It’s fine until you want to log in to your bank account/retirement account/whatever on your work PC and have to manually type in your password. Also (speaking from experience), Apple wants to keep you reliant on them, so they make it the absolute most inconvenient pain in the ass to move your passwords out of your keychain. I recently moved to a password manager (and moved my mom as well), and my god it was a nightmare. You essentially have to copy and paste the website, username, and password for each site individually.
Don’t get me wrong I love Apple and I’m typing this up from my iPhone, but damn if they don’t make it a nightmare to leave.
Compare that to a password manager (I use Bitwarden and I could not recommend them enough) where you can export the entire list as a CSV, json, maybe some other format depending on your password manager, and directly plug that into your next password manager (or encrypted backup, etc., you get the picture).
Some of the better password managers are just as convenient as Apple keychain with the immense improvement of portability to any operating system you can imagine.
TL;DR - keychain is a trap meant to keep you trapped with Apple; get a password manager.
That user is wrong
https://bitwarden.com/help/article/data-storage/
Also see their article on encryption. Your encrypted data is stored on their servers, cached to your phone and decrypted with your master password locally. You can log out of all your devices and delete all your apps and your data is still available at vault.Bitwarden.com ( the cloud )
You can do that easily with the Bitwarden CLI and PowerShell. Once you're logged in, just run this command:
bw list items | ConvertFrom-Json | Where-Object { $_.login -and $_.login.password -and $_.login.password.Length -le 8 } | Select-Object name
Let us learn from CJT's unfortunate tech mishap and invest in a password manager.
Bitwarden is a great free and open-source solution. More options here https://www.privacytools.io/software/passwords/
The Teams and Enterprise plans have Event Logs which will show when a shared password in an Organization was used by someone. Other than that, AFAIK, Bitwarden does not show when passwords were last used, only when a password or custom field was last changed.
A cursory search of the forums does not show any posts for something like this, but if you'd like to see it added to Bitwarden you can create a feature request for it in the Feature Request forum section.
Everything in your 'vault' is encrypted but there is your Bitwarden account data itself such as, but not limited to, your name, email, billing data, IP address etc. stored on their servers which isn't encrypted. This is no worse than LastPass. In fact it's better because I think LastPass stored quite a bit outside of the encrypted storage such as URLs equivalences etc. when I last checked.
the forks are not security audited so if that is important to you, or you need that for compliance then you can use the Official Server to Self Host if you are an enterprise customer
I use Bitwarden.
They have desktop apps for Windows, Mac and Linux, mobile apps for android and iOS, browser plugins for all major browsers, command line tools and even a web based vault.
Everything is synchronized across all platforms automatically. You can let them do the synchronization for you (that's what I do), or you can even self-host the synchronization server, since the whole project is opensource.
Check them out: https://bitwarden.com/download/
I would also recommend Bitwarden.
I use Bitwarden! Open source, recently passed an independent security analysis (results posted on their blog), good UI, browser plug-ins for all major browsers, & native applications for all major operating systems (mobile & desktop). I hear that KeePass or derivatives of it, like KeePassX, are also a good alternative for the reasons /u/Ductal_Cat_In_Situ mentions.
Quick plug for some added security/privacy tips with password managers (regardless of app choice):
Set up multiple databases: 1 for each aspect of your life. For example, 1 for business/work/academics (UWorld, work email, Anki sync, institutional info, etc.) and 1 for personal (social media, personal email, etc.). That way, one breach of security doesn't compromise all security in your digital life.
Slightly less convenient because you will have to log out/in to the apps and add-ons when switching between contexts and remember 2 (or however many databases you create) master passwords instead of 1. You could set up multiple browser profiles as well and just switch profiles instead of logging out/in of the add-on which is simpler (easy to create profiles in Chrome, little more complicated in Firefox but still easy).
I have been using BitWarden since switching from keepass a year or so ago. Little more convenient and looks nice as a browser extension. Of course convenience is at odds with security... my database is stored by them, but that was already the case with lastpass. Use keepass if you want to manage it yourself. Edit: scratch that, I forgot BitWarden can be self hosted!
I use Bitwarden. The interface is equivalent in power to LastPass and 1P, but it's open-source and hasn't had any security issues in the way that Bitwarden or 1P has occasionally seen.
The actual password manager you use isn't as critical as your security hygiene, though, as long as you pick something reputable. The most important thing you can do is not memorize any passwords except one single, complex password that unlocks the others. All of your secondary passwords that are actual logins should be randomly generated.
Best Black Friday deal might be to switch to Bitwarden free. Their paid plans are less as well.
I really like 1Password and upgraded their standalone products on a regular basis, but I dislike subscription only plans.
Ah-HAH! The .pux format is not as arcane as we had feared. It is a zip file with some metadata, the file attachments (great idea. BTW), and a JSON file.
The good news is that JSON files are quite legible and easy to work with. This is actually the preferred export format for Bitwarden. The bad news is that massaging the JSON for importing into Bitwarden requires a small matter of programming 😶
Bitwarden says what's needed, but they don't offer a lot of constructive help on how to make those changes.
I use bitwarden to sync passwords between web browsers. It has extension support for chromium browsers and safari on iOS, as well as just about every platform you can think of.
Bless up. This is amazing. I didn't realize you can also do the same to auto copy TOTPs. Here's the documentation page if people want more info.
1 and 2. Agreed. Some things in Bitwarden aren't as intuitive. LastPass is ugly indeed, but they did a good job with navigation using the keyboard instead of the mouse.
Despite the several issues with Bitwarden, notably the ones mentioned in 1 and 2, I still use Bitwarden. I think it's still the best free password manager. With BW, you can access your vault from an unlimited number of devices for free (with LP, either PC only or mobile only). Also, BW is open-source. Their philosophy surrounding cybersecurity seems much more transparent and genuine. BW can generate great passwords, even strings of words. Just to name a few advantages. Searching BW vs LP can give you a better idea.
Bitwarden is the way. Clients exist for everything under the sun and it's priced reasonably.
It is open source and if you're really finnicky about privacy/security you can self-host the whole thing.
Edit: https://bitwarden.com/help/article/is-bitwarden-audited/
You should really, really start using a password manager instead. That way you can have unique and very secure passwords for each page you register for, and just have to remember one. I prefer this one, because it works great, is easy to use, and is free/open source software: https://bitwarden.com/
Bitwarden is a good option. They're run as a service and have a lot of the advanced sharing features like lastpass but all of the code is open source (front and back end, I believe you could run your own instance) and their free version is very generous.
>does it require a paid account or something?
Yes. Any paying plan will suffice, including the basic $10/year.
>can anyone give me a couple of product recommendations for similar options?
Any FIDO2/WebAuthn certified token will suffice. I can give a personal recommendation for the Yubikey 5 NFC. My son uses a Google Titan. Hopefully others can talk about others.
>the procedure for using something like a Yubikey on an iPhone
I think your best choice there is NFC. Others may have had success, i.e. with cabling converting from Apple's proprietary connector to USB, but I don't know a lot about that.
>I don’t store any payment info in BW or on any service currently either but I guess I might do at some point if I feel confident enough about the setup.
How can we make you feel more confident? I mean, a good master password plus a hardware security token is a pretty damn good setup.
>I do occasionally need to share login credentials or other sensitive info in either direction with a couple of people
Not for immediate consideration, but Bitwarden supports the notion of an "organization", which contains one or more "collections", which are shares with other Bitwarden users. You can create a single organization with one collection and with limited sharing when you sign up for the premium tier. For sharing with more people, you would have to sign up for a Family plan or even a Teams subscription, but that is probably overkill for you. Look here for more information.
Do you just need to share passwords with one person? Bitwarden allows you to have one organization, with up to two collections. You invite your partner to the organization, and you have all the organization features.
Start here: https://bitwarden.com/help/article/getting-started-organizations/
I've been using bitwarden for I think 3 years and have confidence in it.
Anything with regards to security is always relative to what you are worried about and nothing is perfect for all scenarios.
But I think for average users with general concerns and common threats, bitwarden is a good candidate because it is:
More than likely, OP does not have a password manager, but was using the same 1 or 2 passwords everywhere, which could be contributing to the problem. If they had a password manager and it had been compromised, I think it would have been listed in the list of services.
Some people prefer more "hardcore" software (namely KeePassXC), but these come with their own unique risks.
Most people are much safer using bitwarden than not using bitwarden. Of course, if you leave your vault unlocked on your unencrypted phone and leave your phone on the bus, you are SOL. Nothing is perfect.
I believe this feature was added after the Cure53 audit. You can download the report from this page and read more about it.
Mainly you would do it if you had reason to believe your key was compromised, as it would be possible to decrypt your vault even after a password change were such a thing to occur.
SHA-256 is a hash function, AES-256 is an encryption function
A hash is a one-way function. Given the output, there is no way to figure out the input unless you give it the same exact input and it matches the output.
Encryption is a 2-way function. You can get back the original by using decryption.
Usually, for password protection, we want to use Hash functions as we don't want anyone to break the decryption key and reverse our password. Calculating a hash from the right input is trivial. Trying to brute force can be made to be very painful, using the right combo of hashing functions and parameters.
Bitwarden goes into more detail here https://bitwarden.com/help/article/what-encryption-is-used/
Bitwarden's desktop applications and browser extensions decrypt your vault when you unlock it. This is all kept in memory. I believe your Master Password and username are kept in memory as well when it is unlocked. When the app or extension is locked, the data, including your Master Password, is cleared from memory. As far as I know, this is something that 1Password, LastPass, and Dashlane do not do.
**EDIT**
I found this which you may appreciate: https://bitwarden.com/help/article/data-storage/#on-your-local-machine
URIs should not contain www. This is so that when you enter https://google.com it works for anything.google.com as well, and not just www.google.com.
This is a helpful guide for URIs and how matching works, like the default 'base domain' matching in this example. https://bitwarden.com/help/article/uri-match-detection/
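A simplified version of the "base domain" match described above, written as an added example and not Bitwarden's own code. It assumes the base domain is the public suffix plus one label; Bitwarden relies on a full Public Suffix List, while this demo carries a tiny constructed one (`MULTI_LABEL_SUFFIXES`) and the helper names are mine.

```javascript
// Added example (not Bitwarden's code): "base domain" URI matching.
// Assumption: base domain = public suffix + one label. A real implementation
// needs the full Public Suffix List; this constructed set only covers two cases.
// Without a complete list, hosts where unrelated parties control subdomains
// (shared hosting) would wrongly match each other, which is why the list matters.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au']); // constructed, incomplete

function hostnameOf(uri) {
  // Accept a bare host as well as a full URL, since a vault entry may hold either.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(uri) ? uri : `https://${uri}`;
  return new URL(withScheme).hostname.toLowerCase();
}

function baseDomain(host) {
  const labels = host.split('.');
  if (labels.length < 2) return host; // e.g. "localhost"
  const lastTwo = labels.slice(-2).join('.');
  // "example.co.uk" keeps three labels; "google.com" keeps two.
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// True when a saved URI and the page being visited share a base domain, so
// "https://google.com" saved in the vault matches "https://mail.google.com/inbox".
function baseDomainMatch(savedUri, pageUrl) {
  return baseDomain(hostnameOf(savedUri)) === baseDomain(hostnameOf(pageUrl));
}
```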
It's not ideal.
Use Bitwarden's passphrase generator and sift through the words, and use that to help you make a sentence. You want to avoid personal things and go with words you don't use often. The more odd, funny, or fake the sentence, the better.
Using the passphrase generator here are some examples I came up with.
Keyboard shortcuts for auto fill in browser extension
People coming from LastPass especially are upset that the auto fill on page load they are used to is not the same in bitwarden, but I heavily prefer the shortcuts.
For the first two issues: I suggest using Bitwarden (https://bitwarden.com/). It has good Android integration. Sync passwords, 2FA and even small files between the PC and the phone. And everything is saved in the cloud.
This feature is already available in the web vault.
>Vault Health Reports are available for Premium users, including members of Paid Organizations (Families, Teams, or Enterprise).
More details about this feature here: https://bitwarden.com/help/article/reports/#reused-passwords-report
Already mentioned here a few times, but likewise: Bitwarden
The free version is already very good, and for ten a year you get a few more small features.
The thing runs pretty much everywhere (https://bitwarden.com/download/), and since the data is synced directly through the Bitwarden cloud, you have an up-to-date state on every device. On iOS/iPadOS, automatic filling of passwords on websites also works very well (probably on Android too, but I can't test that myself).
Stuff like bitwarden or lastpass. These are browser extensions and/or mobile apps that store your passwords (in some secure, encrypted way) and auto-populate them when needed.
For example, I want to change my reddit password because my current one is just "MyDogsName123" which while easy to remember is also easy to guess/brute force. On the reddit password change screen I'll see an extra button / right click menu with the option to "generate password" with the following sub options:
It'll then generate some gibberish fitting your criteria and save it locally and/or encrypted on some server. Next time you go to log in, it'll auto-populate the login info for you (often after entering a master password, PIN, or fingerprint match).
Hey you, yea you the one reading this. download Bitwarden right now and have it capture your passwords. It’s free and open source and if you do decide to upgrade it’s only 10 dollars a year.
Yeah you can use it anywhere. They have extensions for Chrome, FireFox, Safari, Edge, Opera, Brave, Vivaldi, Tor. Mobile apps on iOS and Android. Desktop apps for Windows, Mac, Linux. Even command line stuff if that's your fancy.
And if all else fails you can just go to vault.bitwarden.com.
When you sign up to a website it will prompt you to save your login info. You can also generate random letters/numbers/symbols for a more secure password.
Q: What is the Browser Extension asking permission for?
A: On installation, the Browser Extension will ask permission to access your clipboard in order to use the scheduled clipboard clear function (accessed in the Options menu).
When this optional feature is enabled, clipboard clear will clear any Bitwarden entries made by or filled on a configurable interval. Access to the clipboard allows Bitwarden to do this without removing a clipboard item not associated with the Bitwarden application, by checking the last-copied item against the last-copied item from your Vault. Please note, this feature is off by default.
They have access to your encrypted data, since they host the servers you store it on.
But they do not have access to your plain-text passwords.
See here and here for more information, or check the other "Security" related FAQs in the help section for more detailed explanations of how your data is encrypted before it is sent to their servers.
I was talking about it yesterday to pitch Bitwarden, which has been my solution for about a year. The free version is very complete, and there's a €10/year subscription that adds TOTP and 1 GB of encrypted storage!
>I have a file that has all my passwords, including bank and some stocks. On the mac I have whole disk encryption and feel fairly secure about that, so I keep this file on the mac.
I just died a little - you know that filesystem encryption doesn't protect you from attacks while you're logged in. One malware, one folder shared too much, and everyone in the world has access to all your passwords.
It's way worse than writing your passwords on a piece of paper.
At the very least get something like KeePassX that encrypts the database itself as well. If you are able to run a server (even a Raspberry Pi should be fine - though you need bitwarden_rs for that) then use Bitwarden - or if you trust them you can get a free account from them as well:
Bitwarden is probably the one that I would choose. Open Source, free, cross platform and as far as I know the only one whose source code has passed a full 3rd party security audit.
Not OP, just another bitwarden fan. I also switched directly from Firefox's password manager, so I can't really compare it to other popular services. But I chose bitwarden because it's open-source, and seems genuinely interested in making an open and competent project first, and profits second. They even provide directions on hosting your own cloud password server, whether you don't trust their servers or you worry they'll get shut down.
Most of the important features are free. A subscription is a paltry $10/year, which I paid just to support the project. This adds TOTP support among other things, which I've found surprisingly handy. When you select a password for a TOTP-enabled account, it puts the 2FA key in your clipboard, so you can just paste it in where needed.
As far as I can see, the Bitwarden issue is that they don't specify the use of the MAC when they say "AES-CBC", leading people to assume they don't. If you look at their interactive crypto page:
https://bitwarden.com/help/crypto
You can see that the master password derives a MAC key. If you view the page source, you can see that it uses that key in an encrypt-then-MAC fashion, using HMAC-SHA256. The final encrypted data is in the format encType + '.' + iv.b64 + '|' + ct.b64 + '|' + mac.b64.
To share service/admin-type passwords?
There are a couple for doing this type of thing. You could use KeePass. There are also on-prem password keepers such as Bitwarden. I actually really like Bitwarden.
I apologize for not quite grasping what you are asking.
That sounds like a bug, but keep in mind that anyone with access to the desktop can view the note anyway as it has already been decrypted.
> Master password re-prompt is not an encryption mechanism. This feature is an interface-only guardrail that a sophisticated user may find ways to work around. We recommend never leaving your Vault unlocked when unattended or on a shared workstation.
https://bitwarden.com/help/article/managing-items/#protect-individual-items
sorry, you are misleading.
features that were around years ago are still around. but to get any new features, you need to subscribe. or buy the new (wasn't around last time I had checked) $80 "one-time" plan. funny, I thought I bought a "one-time" plan when I paid for each platform individually.
how is bitwarden self-hosting any different than enpass's only option of self-hosting? both applications give you the option to host the data yourself. bitwarden allows you to host it in the cloud inexpensively, enpass doesn't have that as an option. bitwarden also supports YubiKey, U2F and Duo for additional security, not an option in enpass.
bitwarden has gone through several years of security audits, and is completely open-source. want to review their code? you can. enpass is closed source other than the sqlcipher security engine they use to encrypt the database. so if you really value security, the choice is pretty obvious.
Ah, ok, this is starting to be interesting. There is a provision for custom fields, but it's designed for text fields, not drop-downs.
That notwithstanding, you might be able to add a custom field with the label of your drop-down and set the value of that custom field. Based on my knowledge of how DOM and HTML form submission operate, that stands a chance of succeeding.
Good luck,