Brownian Motion
30 · 2Y · edited

I started using Bitwarden a few years ago, and I will never turn back. Passwords available across all my devices (Android app, Chrome extensions, etc.). You can also sign up with them (they have a free tier, which is pretty limited, and a paid version) or you can self-host.

I run it self-hosted, so I don’t pay and don’t have any limitations.

They have received a huge influx of users recently from 1password Lastpass after that breach.

@[email protected]
13 · 2Y

I also use Bitwarden (paid). I used to use LastPass but left when they pulled that stunt a few years ago with their free tier, where it is only mobile or desktop, not both, and wanted too much for the feature, so I switched and haven’t looked back.

Now most of my passwords are randomly generated and a pain to type on devices like my Google TV, but I’ll take the tradeoff for more security.

@[email protected]
3 · 2Y

1pass breach

I take it you mean LastPass? I don’t recall 1password being breached. It’s what I use for work

Brownian Motion
3 · 2Y

Yes, I did mean LastPass. Typing while thinking about my stomach!

@[email protected]
16 · 2Y

It simply is not plausible to remember so many complex passwords and services. I use Bitwarden and I just need to remember one password, that’s it. Cannot recommend it enough.

@[email protected]
7 · 2Y

I switched to bitwarden after LastPass changed their offering and I’m glad I did because LastPass has had a number of security breaches since then!

I don’t even know most of my passwords at this point!

Quaternions
4 · 2Y

Exactly. I don’t know any of my passwords except my vault password, which I change every 6 months

@[email protected]
5 · 2Y

I also remember the Google password, which is not saved in bitwarden, so if something bad happens I can limit the damage.

@[email protected]
2 · 2Y

Yup, with so many accounts we use today, and the necessity of having strong passwords, 2FA/TOTP, and not reusing passwords across accounts, a password manager is a basic necessity.

I’d still recommend Vaultwarden through a VPN if you are used to managing servers, or a KeePass database synced through any cloud storage if you’re not into IT.

BrikoX
133 · 2Y · edited

What are your thoughts on password managers?

They are mandatory in current digital age.

Do you use one?

Yes. Bitwarden.

Would you recommend it to others?

Already do, and most are receptive to it once you show them that every single one of them was caught up in a breach at some point.

@[email protected]
20 · 2Y

But what about Bitwarden? What you say about the breach is exactly what I’m worried about when having ONE source that has EVERY password. At least now I have different passwords for different sites so only one can be affected, it’s just a pain in the ass to have to go look them up. I save a portion of my passwords with cryptic messages that only I understand.

I can’t think of anything that hasn’t been hacked, I feel like it’s just a matter of time before these password sites are too if they haven’t already. :/

@[email protected]
63 · 2Y

The way that Bitwarden stores your data, it is encrypted as a blob on AWS. If anyone compromises Bitwarden’s infrastructure, they can’t do anything because even Bitwarden doesn’t have the keys to decrypt your vault.

Your vault can only be decrypted with your master password, and decryption happens locally, on device. No decrypted information is sent over the internet.

As far as someone gaining access to your master password and thus all other passwords stored in the pass manager, that is why 2-factor authentication exists.

I could give you my Bitwarden master password right now, but that won’t help if you don’t also have my 2fa code.

And that’s just talking about using the hosted version of Bitwarden.

If you self-host, you don’t even have to have the app available to the public internet, and can access it purely through a VPN to your LAN.

Then the attacker would not only need to have access to your local network, but also know your master password, and have access to your 2FA.

If they know that much about you, you have larger concerns.

So in short, your concern is mostly addressed and not really a concern if you utilize the features provided, such as 2FA.

@[email protected]
-8 · 2Y

If someone compromises Bitwarden’s infrastructure they can (and probably will) silently release a “new” minor version of the app and web app so that every master password is sent to him, and then decipher passwords.

It will last only some hours at worst but will still collect a lot of passwords.

That’s the only thing I’m worried about, but I still use Bitwarden as I think my passwords being compromised in this eventuality is nearly impossible.

BrikoX
2 · 2Y · edited

The password is hashed locally. Only the already-hashed password is transmitted over the internet.
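The longer reply above (vault encrypted on the device, Bitwarden holds no key) and the point made here (only a value derived from the password leaves the client) describe the same design, so here is one worked sketch of it in Python. This is an added example, not Bitwarden’s or Vaultwarden’s code: the PBKDF2 steps follow the scheme Bitwarden’s public security documentation describes (master key from the password salted with the e-mail, a one-iteration PBKDF2 of that key as the login hash, and a server-side re-hash of what it receives), while the HMAC-SHA256 counter-mode cipher is a stand-in for AES so that the script needs only the standard library. The iteration counts, e-mail address and vault entry are constructed values.

```python
from __future__ import annotations

import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000            # client-side PBKDF2-SHA256 rounds (constructed value)
SERVER_REHASH_ITERATIONS = 100_000  # server-side re-hash of the login hash (constructed value)


def derive_master_key(password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Slow, salted key derivation on the device. The (lower-cased) e-mail is the salt,
    so two users with the same password still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations)


def login_hash(master_key: bytes, password: str) -> bytes:
    """One more PBKDF2 round keyed on the master key and salted with the password.
    This is the only password-derived value the client ever sends; it cannot be
    reversed to recover master_key, and it is not the key that encrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def vault_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from the master key (labelled HMACs stand in
    for the HKDF expand step real clients use)."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-CTR, not a production cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device: returns nonce || ciphertext || tag."""
    enc, mac = vault_keys(master_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key or a tampered blob is rejected, not decrypted."""
    enc, mac = vault_keys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key or modified vault blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class VaultServer:
    """Everything the hosting side stores: a re-hashed login hash and opaque ciphertext.
    Someone who copies this store gets neither the master key nor any plaintext."""

    def __init__(self) -> None:
        self.store: dict[str, tuple[bytes, bytes, bytes]] = {}

    def register(self, email: str, lhash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", lhash, salt, SERVER_REHASH_ITERATIONS)
        self.store[email] = (salt, stored, blob)

    def login(self, email: str, lhash: bytes) -> bytes | None:
        """Hand back the blob on a correct login hash; the stored value alone unlocks nothing."""
        salt, stored, blob = self.store[email]
        candidate = hashlib.pbkdf2_hmac("sha256", lhash, salt, SERVER_REHASH_ITERATIONS)
        return blob if hmac.compare_digest(candidate, stored) else None


def round_trip(password: str = "correct horse battery staple", email: str = "user@example.test",
               iterations: int = 20_000) -> bytes:
    """Register, log in, and decrypt locally; returns the recovered vault entry.
    Password, e-mail and the vault entry are constructed sample data."""
    entry = b'{"site":"example.test","user":"alice","password":"constructed-sample-only"}'
    mk = derive_master_key(password, email, iterations)
    server = VaultServer()
    server.register(email, login_hash(mk, password), encrypt_vault(mk, entry))
    blob = server.login(email, login_hash(mk, password))
    if blob is None:
        raise RuntimeError("login rejected")
    return decrypt_vault(mk, blob)
```

Note what this does and does not cover: the server store contains only the re-hashed login hash and the blob, so a copy of it does not yield passwords, which is the claim made in the thread. It says nothing about a tampered client, the scenario raised further down; if the code that runs `derive_master_key` on your device is malicious, it has the master password before any of this applies, which is why the thread ends up discussing release integrity and open source rather than server-side encryption.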

@[email protected]
0 · 2Y

Bro, what I said is that an attacker who somehow gets access to production can push modified source code that sends the cleartext password to him before everything else.

@[email protected]
7 · 2Y

It absolutely shouldn’t be possible, compromised or not, for someone who has gained unlawful access to start pushing malicious code to production, as long as proper security is in place.

@[email protected]
0 · 2Y

It shouldn’t be possible to break any service, but hackers do that daily. If proper security is in place they will need some 0-day exploits, but it’s not impossible, just extremely difficult.

@[email protected]
1 · 2Y

Bitwarden is open source. You can see all the code for yourself: https://github.com/bitwarden

@[email protected]
0 · 2Y

I know, but that won’t change the eventuality I described

@[email protected]
1 · 2Y

I disagree, at least in terms of open source solutions. Assuming Bitwarden isn’t altering their server implementation without telling anyone, it is basically impossible for them to be hacked in the way you’re thinking, as the servers do not hold any decrypted vault data. If the service is proprietary, you cannot trust that they are encrypting all contents before reaching their server.

Even a full plaintext master database password breach shouldn’t affect a competent user, as you should obviously be using 2FA with a cloud password manager.

And even if your master password and Bitwarden 2FA leaked and someone gained access to your vault, any accounts with 2FA enabled (so long as you aren’t keeping 2FA keys in Bitwarden, please don’t do that. [The same applies to KeePass]) can’t be compromised without your second factor.

@[email protected]
15 · 2Y

A good password manager will be encrypted on device using your master password and only the encrypted data ever synced anywhere. So if Bitwarden gets hacked, and the worst case scenario happens, that means an attacker makes off with the complete contents of your vault. But all they have is an encrypted file. To decrypt it, they need your master password. Bitwarden doesn’t have the keys to lose – they only have the lock, and only you have the key. So an attacker would need to compromise Bitwarden (the company) to get access to the vault, and then separately, compromise you personally to get your master password (the key).

Alternately, they could try to brute-force the master password offline. If you think you could guess a user’s password if you tried 100,000,000,000 guesses, and each guess took you 1 nanosecond, you could guess all hundred billion in a little under two minutes. Bitwarden uses techniques to make it intentionally very slow (slow if you’re a CPU at least) to generate the hashes needed to compare a password. If it takes you 100,000 nanoseconds per guess instead, then instead of two minutes, it takes almost 4 months. Those numbers are completely made up, by the way, but that’s the general principle. Bitwarden can’t leak your actual passwords directly, because they never get them from you. They only get the encrypted data. And if an attacker gets the encrypted data, it will take them quite a bit of time to brute force things (if they even could – a sufficiently good master password is effectively impossible to brute force at all). And that’s time you can use to change your important passwords like your email and banking passwords.

One important realization for people to have is that none of us get to choose perfection here. You don’t only have to worry about Bitwarden getting hacked. You also have to worry about you forgetting them. You have to worry about someone figuring out your “cryptic messages that only I understand” scheme. Security is generally about weighing risks, convenience, and impact and choosing a balance that works best for you. And for most people, the answer should be a password manager. The risks are pretty small and mitigation is pretty easy (changing your passwords out of caution if the password manager is breached), and the convenience is high. And because it’s, as you put it, “a pain in the ass” to manage good unique passwords yourself, virtually no one actually does it. Maybe they have one or two good passwords, and rest are awful.
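To make the arithmetic in the comment above reproducible, here is an added Python script (mine, not the commenter’s) that carries the same figures through and then times a real slow KDF on the local CPU, so you can see what a single guess actually costs. The 1e11 guesses and the 1 ns versus 100,000 ns per-guess costs are the comment’s own illustrative numbers; the PBKDF2 iteration count and the sample alphabets are constructed parameters, not any product’s actual setting.

```python
import hashlib
import math
import time

NS_PER_S = 1_000_000_000


def brute_force_seconds(guesses: float, ns_per_guess: float) -> float:
    """Wall-clock seconds for one attacker thread to try `guesses` candidates."""
    return guesses * ns_per_guess / NS_PER_S


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must cover to exhaust a fixed-alphabet password."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; each extra bit doubles the work above."""
    return length * math.log2(alphabet_size)


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def comment_figures() -> tuple[str, str]:
    """The comment's two scenarios: 1e11 guesses at 1 ns each, then at 100,000 ns each."""
    return human(brute_force_seconds(1e11, 1)), human(brute_force_seconds(1e11, 100_000))


def measure_kdf_ns(iterations: int = 600_000, rounds: int = 3) -> float:
    """Time one PBKDF2-SHA256 derivation (one 'guess') on this CPU, in nanoseconds.
    Iteration count is a constructed value in the range current managers use."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        hashlib.pbkdf2_hmac("sha256", b"candidate-guess", b"user@example.test", iterations)
        best = min(best, time.perf_counter_ns() - t0)
    return best


if __name__ == "__main__":
    fast, slow = comment_figures()
    print(f"1e11 guesses at 1 ns each:       {fast}")        # 1.7 minutes
    print(f"1e11 guesses at 100,000 ns each: {slow}")        # 115.7 days
    ns = measure_kdf_ns()
    print(f"PBKDF2-SHA256, 600k iterations, this CPU: {ns / 1e6:.0f} ms per guess")
    # Constructed sample alphabets: lowercase, alphanumeric, five diceware words (7776-word list).
    for alphabet, length in ((26, 8), (62, 12), (7776, 5)):
        print(f"alphabet {alphabet:>5}, length {length:>2}: "
              f"{entropy_bits(alphabet, length):5.1f} bits, "
              f"exhaustive search {human(brute_force_seconds(keyspace(alphabet, length), ns))}")
```

The measurement is single-threaded CPU time, which is the “slow if you’re a CPU at least” hedge in the comment: an attacker with GPUs or custom hardware gets far more guesses per second for the same iteration count. The KDF multiplies the cost of every guess; the entropy of the master password sets how many guesses there are, and only the second number can make the search infeasible outright.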

@[email protected]
7 · 2Y

1Password for years, never had any issues.

M-Reimer
4 · 2Y

I would love to use one, but to be honest, I have not found one that I trust, so far.

The perfect “password manager” would require 2FA, have some kind of “online backup” (cloud) that I can host myself, and be open source. So far nothing really seems to offer all this.

@[email protected]
7 · 2Y

I self-host Vaultwarden at home on my server and it uses 2FA for logging into the system to access your saved passwords. It’s easy to set up and I use a Yubikey for mine. I use Docker to do this myself. It’s an adaptation of Bitwarden and is compatible with the same Bitwarden app and browser plugins. Having everything on your own system ensures that it doesn’t go to the corporate controllers out there. Plus, you can find the source on GitHub for Vaultwarden so you can go over it if you are unsure about the security of it. :)

M-Reimer
5 · 2Y

Thanks for all the suggestions. I’ll check them out.

TurboTurbo
7 · 2Y

KeePass has been around for ages. It has 2FA via, for example, using an external file as the certificate in addition to a password. The database can be stored in Dropbox, Google Drive, or self-hosted. I use Syncthing, for example.

M-Reimer
4 · 2Y

IIRC it was partially “Windows only” and so not usable for me.

Evkob (they/them)
3 · 2Y

See https://github.com/lgg/awesome-keepass for a curated list of KeePass clients for various OSes! :)

I’ve been using KeePassXC for a while, I like it much better than the official client. But even the official client’s download page gives you a list of alternative clients.

@[email protected]
4 · 2Y

I don’t know what you mean by KeePass being partially Windows only, as KeePass clients exist on macOS, Linux, iOS and Android.

@[email protected]
4 · 2Y

KeePass might be, but with it being open source it has a ton of ports, mainly KeePassXC for Linux/macOS/Windows and KeePassDX for Android.

@[email protected]
9 · 2Y

KeePassXC can do this, Bitwarden also AFAIK.

@[email protected]
7 · 2Y

Bitwarden? Has 2FA, can self-host, open source.

Kaltenzahn
13 · 2Y

I use KeePassXC, especially to generate and save complex and long passwords I wouldn’t be able to remember. A good thing about KeePassXC is that you can even add your authenticators to it.

Would I recommend it? Yes.

@[email protected]
6 · 2Y

Best one, hands down. We have a new community on here for KeePass. Come check it out at [[email protected]]

@[email protected]
21 · 2Y

I have also been using 1Password for ages. Using a password manager is a great investment in your security. There are so many data leaks, and reusing passwords is bad practice and will create headaches.

I am looking for alternatives though, since 1Password is getting worse.

Overzeetop
12 · 2Y

1Password is an expense I cringe at every year. After trying several others, though, I settled on its expensive-but-simple option. The biggest advantage is that my family uses it - wife, daughter, parents, in-laws - on my family account. We have several shared vaults for passwords which affect subsets, from in-laws sharing critical financial passwords with her, my parents with me, to my daughter and I teaming up on Starbucks and Panera.

The best part is that it’s simple enough for our octogenarian parents to use, and I help set it all up and got their emergency recovery kits created, filled out, and stored in their safety deposit boxes. As long as I can keep them using it I’ll keep paying for it.

@[email protected]
5 · 2Y

The family plan has me sold too. Sharing login credentials including 2FA with my wife for things like our utility bills and streaming logins is extremely handy, and for other things like investment accounts set up for our son just feels necessary. I use the share feature a lot outside the family too. I’ll share my Paramount login with my friend, but the password is 20 random characters, so I send a link to my saved login and he can copy the user and password.

@[email protected]
2 · 2Y

I’ve been using 1Password since 2019. It’s worked really well for me.

Quaternions
4 · 2Y

I use Bitwarden and I love it. And yes, I would recommend using a password locker. Just make sure you do some research before selecting one.

s6original
4 · 2Y

I absolutely use a password generator/manager. Using Bitwarden.

@[email protected]
4 · 2Y

Just moved from Bitwarden to Proton Pass, so far so good. Would recommend KeePass, Bitwarden, 1Password but definitely not LastPass.

@[email protected]
5 · 2Y · edited

Started using RoboForm on Windows XP, switched to Mac, used several there, came back to Windows 7, used LastPass and then dumped LastPass after they were acquired by LogMeIn which, as predicted, poorly managed the product to where people are getting locked out of their passwords. So now it’s 2023 and I’m back on RoboForm.

(If anyone has any reason not to use RoboForm I would appreciate it; however, I need to use password sharing occasionally, which is a feature.) Edit: just realized this is an Android group, but RoboForm has a pretty good Android app, FYI.

@[email protected]
6 · 2Y

I use Bitwarden with some trepidation. I keep hoping that eventually Proton Pass morphs into something that seems even more secure but right now it’s pretty basic.

@[email protected]
2 · 2Y

If you’re willing to use a cloud-based solution, why do you have trepidation about Bitwarden (open source, great track record, standalone service) and not Proton Pass (also open source, and Proton has a great reputation for account security, but adding your password database to the same account you use for email, drive, VPN, and calendar is putting all your eggs in one basket IMO)?

If you have trepidation trusting the security of your passwords to someone else, use KeePass.

@[email protected]
2 · 2Y

I mean, for example, if Proton decided to also add a secret key like 1Password. Something that provides at least what to me would be like even more security. But it’s too new of a service right now, time will tell.

@[email protected]
2 · 2Y · edited

I recommend using a YubiKey on your Proton account if you want a strong second factor that’s a bit easier to manage than a key file. If you use all or most of Proton’s apps, it might be worth looking into.

Confetti
6 · 2Y · edited

Yup and yup. I usually recommend Bitwarden as a starter password manager and then KeePassXC for the more advanced people who can handle their own syncing/backups. Regardless, turn on 2FA for each account, especially your phone carrier, email and bank.

@[email protected]
2 · 2Y

Also lock your SIM with a passcode!

@[email protected]
4 · 2Y

I personally use pass, which uses GPG for encryption and can also use git repositories (I use it with my personal Gitea instance).

@[email protected]
5 · 2Y

I have no idea how anyone lives without one; there’s really no downside to using one if it’s set up properly.

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It’s fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

[email protected]


  • 1 user online
  • 9 users / day
  • 112 users / week
  • 293 users / month
  • 1.56K users / 6 months
  • 1 subscriber
  • 1.98K Posts
  • 35.3K Comments
  • Modlog