For password protection, dump LastPass for open source Bitwarden

For better or worse, we still need passwords, and to protect and organize them, I recommend the open source Bitwarden password manager. LastPass is perhaps the world's most popular password manager. It's also arguably the most broken password manager. There's a better, safer open source alternative. But before I dive into …

  1. Freezus
    Thumb Up

    +1 for Bitwarden

    There was a thread on here many years ago that convinced me to get a premium subscription and I've never looked back. The UI is great, straight to the point with no unnecessary bloat, particularly the iOS apps... a rare thing these days! The LastPass debacle is making me think I should switch to my own server too. Anyhow... +1 for Bitwarden

    1. wiggers

      Re: +1 for Bitwarden

      Yes, I migrated from LP to DashLane. After a while they changed their UI and it was really bad. Actually prevented me from logging in to a bank account! Now a happy Bitwarden user and I get the functionality for free that I had with the paid sub to DashLane.

    2. AMBxx Silver badge
      Happy

      Re: +1 for Bitwarden

      I switched to Bitwarden when LastPass started charging (I'm half Scottish and live in Yorkshire - wallet is welded shut). Maybe 3 years ago?

      I was a bit disappointed with Bitwarden at first - auto fill was very flaky, especially on mobile. Since then, it's continually improved and is now better than LastPass used to be. The recent addition of passphrases instead of plain passwords is a great improvement, as 20+ random characters is a pain to type.

      1. stuartko

        Re: +1 for Bitwarden

        You may not want to keep autofill turned on. Search for an article on the Freedom To Tinker site titled: "No boundaries for user identities: Web trackers exploit browser login managers"

        The article is from 2017, and I don't know if various web browsers or password manager plugins have fixed the problem or not, but I turned off autofill back in 2017 and haven't tried it since.

    3. Anonymous Coward

      Re: +1 for Bitwarden

      "...on here many years ago that convinced me to get a premium subscription..."

      Wait... I was going to post that the article seems a bit like guerrilla style advertising for Bitwarden and you're telling me that you've already been sold by another article here years ago? ... journalism today.

    4. Orv Silver badge

      Re: +1 for Bitwarden

      The thing that gives me pause about Bitwarden is it's free, which (by standard Internet tropes) means I'm the product. What about me are they selling?

      1. Derezed
        Thumb Up

        Re: +1 for Bitwarden

        It has a premium version with extra bells and whistles. Good marketing if you have a free tier too.

    5. To Mars in Man Bras!
      Thumb Down

      Re: +1 for Bitwarden

      >The UI is great

      Really. I think the Bitwarden UI on the browser plugins is awful. It completely closes and loses state if you switch away from it [for example to refer to some info you want to put in there] and, if you do remember to pop it out into a floating window, so that it doesn't disappear, it loses whatever info you've already entered.

      This has been flagged up several times, as far back as 2019, as an issue and the developers' response has been a Jobsian "You're holding it wrong!"

      * https://github.com/bitwarden/clients/issues/839

      * https://community.bitwarden.com/t/pop-out-to-a-new-window-should-retain-current-site-match-or-search-results/4644

      * https://community.bitwarden.com/t/kepp-current-tab-filter-when-pop-out-to-new-window/7856

      I also find that the autofill works about one time in 100 on my Android devices, even though all the necessary settings and permissions are in place. The only thing Bitwarden has going for it, over any other password manager, is the price and the semi-open-sourcery.

      1. Claptrap314 Silver badge

        Re: +1 for Bitwarden

        "Make it so they can't get in, and you won't be able to get out."

        Security tends to be in direct conflict with convenience. There are a LOT of nasties out there that can take advantage of a tab switch. I expect that this is considered a security feature.

  2. Fonant

    The most popular authenticator apps, such as Google and Microsoft's, are tied at the hip to major companies.

    I use Authy, which does the job nicely, cross-platform. https://authy.com (website under maintenance at time of posting).

    1. Phil Kingston

      BitWarden has TOTP generator built-in too. No need for MS, Google or Authy's offerings.

    2. Anonymous Coward

      Et tu!?

      Authy is owned by Twilio now. But I still use it and love it!

      I find it hilarious all my financial institutions have switched to SMS two factor but in their terms of service acknowledge the security risks (but make it my problem).

    3. tezboyes

      I used Authy up until New Year. Over the holidays and prompted by the LastPass scandal I did a little bit of due diligence on the different solutions, especially with regards to transparency.

      I had been using BW for passwords for a few years - and yes the UI still needs some improvement, but over the time I've been using it there have been good changes.

      So I switched to the base premium version of BW at that point and moved my TOTP there too. Plus bought myself a YubiKey as a present :)

      That move was a little painful, one of the reasons being that there doesn't appear to be any way to query Authy for the order token/key - which was one of the few reasons I switched!

      One thing though that I think 1Password does slightly better is the encryption key for the Vault doesn't just rely on the Master Password.

      But with the addition of the Yubikey and ability to approve logins from the App that BW have added over time, I've been able to change what was already a pretty strong password to a very strong one.

  3. Tom 38
    WTF?

    The most popular authenticator apps, such as Google and Microsoft's, are tied at the hip to major companies.

    I too prefer hardware tokens to TOTP authenticator apps, but these are standard implementations of TOTP. How are they tied at the hip to anything?

    1. Phil O'Sophical Silver badge
      Coat

      My first thought was "what does Top Of The Pops have to do with passwords?" Showing my age, I suppose...

      1. spireite Silver badge

        One of the earliest passwords....?

        JS4v1113

        1. This post has been deleted by its author

    2. tangentialPenguin

      As far as I know TOTP apps create tokens based on details of the website. So they have a record of every website you have an account for and (again AFAIK) they're not encrypted.

      1. storner
        Boffin

        Not correct. They use a pre-shared key (some 30-odd mix of letters and numbers) which is generated when you setup the 2FA - this key is combined with the current time to give you the 6-digit token.

        There's an RFC for that, if you want the details.

        1. tangentialPenguin

          There's a key shared, but every TOTP app I've used asks for an issuer to go along with it.

          1. dgeb

            That's just a label so that *you* can identify which code to use - if you import with a QR code it will usually prepopulate that, but you're free to enter the PSK manually and call it whatever you like.

    3. Gene Cash Silver badge

      TOTP? Tied Onto The Penis?

      EXPN?

      1. Total_Blackout

        Good enough for me.

  4. Anonymous Coward

    SafeInCloud

    I’ve used SafeInCloud for years. I like the fact it uses a cloud storage provider of your choice to store the DB.

    However, Bitwarden sounds like it’s worth a look.

  5. Phil O'Sophical Silver badge

    For free, you also get a cloud-based store for all your passwords, Bitwarden Web Vault;

    Why is this necessarily any more secure than LastPass, or any other password manager? At the end of the day, most of these breaches come down to human error and/or social engineering, and being open source doesn't magically exempt software from that sort of attack. Personally I have no particular desire to delegate my password security to a third party, whether they are stored "in the cloud" or not.

    1. jonha

      AFAIK Bitwarden stores all passwords in an encrypted binary blob which gets sent to the local device and is decrypted there, ie your master password (which can be as strong as you want/can remember) never leaves your device. And same for encrypting.

      Having said that, I use BW for websites that are uncritical (like El Reg) but not for banking and the like... these things sit in a local KeePass database with a strong password and a keyfile.

      1. Anonymous Coward

        As does last pass, so the original question stands...

        1. yoganmahew

          Lastpass only encrypts username and passwords, all other data in your vault is in clear text (base64 encoded). That means they've lost all the information necessary to phish you, all the notes (e.g. your second factor pin that you stored in a note). Everything else is gone, almost certainly. They would be telling us if it was limited and they aren't.

          1. Roland6 Silver badge

            @yogan - You've obviously upset someone for the down vote.

            You are right, LastPass's marketing combined with media references to 'vaults' does make it seem all the information in your 'vault' is securely encrypted by the master password, yet as you note the lack of detail in the disclosure does seem to indicate that only the passwords were encrypted, not the aide-memoire notes, payment cards, bank accounts and 'custom items'...

            Whilst it would seem breaches occur, i.e. we should expect account credential data to be targeted and accessed by unauthorised third parties given the constant trickle of warnings from HaveIBeenPwned over recent years, what is perhaps a little disturbing about the silence from LastPass is the lack of information on what they are changing to improve security.

            Zoom took their security issues on the nose and announced a security enhancement programme. I'm concerned that as yet neither LastPass nor any of the other password manager vendors/teams have announced a similar security review, given we can be fairly sure (until this incident) the majority of cloud-based 'vaults' will have implemented a similar level of security as LastPass, only as yet they have not knowingly been compromised.

            1. yoganmahew

              Thank you Roland!

              There are a couple of good episodes on Security Now about the Lastpass fiasco (is it a fiasco yet?). https://twit.tv/shows/security-now

              Included in the show notes are links to how to download your vault and see what is encrypted/what was exposed.

              1. Roland6 Silver badge

                An advisory...

                Thanks Yogan!

                Managed to listen to the full show.

                To everyone I suggest you watch at least the first 53 minutes of this episode:

                https://twit.tv/shows/security-now/episodes/905

                The problems uncovered aren't unique to LastPass, BitWarden has a number of similar weaknesses!

                It would seem LastPass and the spotlight the security community have thrown on the latest breach should be a wake-up call to all providers of credential managers. As a user, you need to check your settings/advanced settings, and if you are a long-term user of LastPass (like myself) or another product, you should do this as a matter of urgency.

                A password iteration count of 100,100 should be a minimum - the video recommends increasing this by at least a factor of 10. Long-term LastPass users may find this value to be 5000 (as it was in my case) or even 1...
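An added example, not from the podcast, Roland6, LastPass or Bitwarden: a PBKDF2-HMAC derivation with the iteration count as the knob Roland6 is talking about, a verdict function using his 100,100 floor and the 10x recommendation he relays, and a timing loop so you can see on your own machine that the attacker's cost per guess is linear in that count. The password, salt and thresholds are constructed; attacker GPUs are far faster than this loop but scale identically, so the ratios carry over.

```python
import hashlib
import os
import time

# Floor given in the comment above (LastPass's then-default) and the 10x recommendation from the episode
MIN_ITERATIONS = 100_100
RECOMMENDED_ITERATIONS = MIN_ITERATIONS * 10


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     hash_name: str = "sha256", length: int = 32) -> bytes:
    """PBKDF2-HMAC of the kind cloud vaults use to turn a master password into a key.
    The salt is stored next to the ciphertext and is not secret; iterations is the tunable cost."""
    return hashlib.pbkdf2_hmac(hash_name, master_password.encode("utf-8"), salt, iterations, length)


def check_iterations(iterations: int) -> str:
    """Verdict on a vault's configured KDF iteration count: 'raise', 'acceptable' or 'good'."""
    if iterations < MIN_ITERATIONS:
        return "raise"
    if iterations < RECOMMENDED_ITERATIONS:
        return "acceptable"
    return "good"


def relative_cost(iterations: int, baseline: int = MIN_ITERATIONS) -> float:
    """PBKDF2 work is linear in iterations: a vault left at 5,000 costs an attacker
    roughly 1/20 of one at 100,100, and one at 1 iteration is essentially a plain hash."""
    return iterations / baseline


def seconds_per_guess(iterations: int, hash_name: str = "sha256", trials: int = 3) -> float:
    """Best-of-N wall time for one derivation here, i.e. the cost of one password guess on this CPU."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        t0 = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, iterations, hash_name)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    for n in (1, 5_000, MIN_ITERATIONS, RECOMMENDED_ITERATIONS):
        print(f"{n:>9} iterations: {seconds_per_guess(n) * 1000:8.2f} ms/guess here, "
              f"{relative_cost(n):7.3f}x the 100,100 floor -> {check_iterations(n)}")
```

Raising the count only helps vault copies made after the change, since the encrypted blob already taken was derived under the old setting; the practical follow-up after a breach is therefore to raise the count and then rotate the master password and the secrets the vault held.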

            2. Effigy

              Secure notes are encrypted, not just passwords.

              Phil's question hasn't been answered in the comments or in the article: what reason do I have to think that the same headline won't appear for BitWarden a year from now?

              It matters because I'm being told to take on another migration to something that isn't better. For this effort we should move to a team-aware offline solution (git-crypt or the like).

    2. captain veg Silver badge

      For me the problem is not that there's a cloud-based store, but that the thing is run by for-profit company.

      I have no reason to suspect that the company running Bitwarden is anything other than ethical and trustworthy.

      Right up until the point that some other company (or crazed billionaire) decides to buy it. Then all bets are off.

      -A.

      1. Helcat

        This is one reason I'm cautious about password stores: That you're reliant on a third party's ethics (in addition to their security).

        I don't think there is a perfect solution (even if you write your own) but BitWarden sounds like a better option than some I've worked with (LastPass being one of them). Like you: will have to wait and see if some crazed corp (or billionaire - even millionaire... crazy is as crazy does) takes over.

    3. hoola Silver badge

      Exactly, I was thinking exactly the same thing.

      It is stored in the cloud somewhere therefore there is a possibility (however remote) that it can be compromised.

      Even if you set up your own server there are still issues of vulnerability.

      Surely the best option is to NOT save your passwords in a cloud-based application. KeePass springs to mind as something I have used for many years.

      At the end of the day most people just store the passwords in the web browser anyway, it is the easiest and the average user will always take the simplest route or the one that is offered first.

      1. Strahd Ivarius Silver badge
        Trollface

        and then you store your KeePass DB in Google Drive...

    4. DualPolarity

      It's not, they just want to sell you a premium subscription

      Use Keepass with a NAS and offsite encrypted backup. No more cloud please, this fad has gone on long enough

      Everyone keeps telling me how "great" cloud management is, yet at the past 3 jobs I've had, all clients seem to have more trouble getting the automated systems to work than it would be to just create accounts manually, and when the auto provision systems fail the mess takes way longer to clean up than just doing it the old fashioned way

  6. Psy-Q

    While BitWarden is great, also consider the competition such as Passbolt.

    A risk with BitWarden seems to be that it's another one-man-show type of project, at least last I checked, Kyle was the only developer.

    There's a truly open source version of BitWarden's backend server called Vaultwarden: https://github.com/dani-garcia/vaultwarden It's a lot lighter too and doesn't require Microsoft SQL Server. BitWarden's Docker setup will install MS SQL in a container for you, but still...

    The ties to Microsoft exist because BitWarden (the company) was initially supported by MS and I think one of the stipulations was that MS SQL and C# be used.

    1. dizwell

      Former Lastpass subscriber and Bitwarden user here: I won't use the cloud directly for this sort of thing now. KeepassXC for me keeps things local, and whilst I do use Dropbox to share the vault across devices, the use of a manually-transferred key file makes sure that even if you got my vault and could crack my password, you still won't have access to the vault's contents. It's certainly less convenient, I suppose, but I learnt years ago that when it comes to security or convenience, pick one. :)

      1. thondwe

        Another switcher - Lastpass had one job - and they blew it - and I didn't realise there's unencrypted and "hacker useful" data in there, even if they can't practically decrypt due to complex master passwords.

        I've switched to Bitwarden as I need a "family friendly" solution - have had my kids on Lastpass for years and they do use it - so any switch needs to be usable, which means I steer clear of anything too hairshirt!

        Hopefully Bitwarden won't make similar mistakes!

    2. Locky

      +1 for Vaultwarden

      A thread here pointed me towards it at some point and my Pi Zero hasn't looked back since.

      Hourly backups to my OneDrive and dynamic DNS updates in case the ISP decides to change my IP are a few of the add-ons I've thrown in.

      At some point someone will break into BitWarden's service à la LastPass's problems, but they are much less likely to find mine on a random IP. And if the vulnerabilities don't get patched I can export my data and import into another service.

  7. tony72

    KeePass

    I'll stick with KeePass, and syncing my database between my devices with Resilio Sync. I'll never feel happy putting my password db in the cloud, regardless whether the software used is open-source or not, so that's the best solution I can come up with.

    1. JohnTill123
      Facepalm

      Re: KeePass

      Absolutely correct. The cloud is just "someone else's computer" and why would you put your sensitive data there?

      Keep your sensitive data to yourself. It's that simple.

      1. Steve Button Silver badge

        Re: KeePass

        So I guess the banks and the government all keep your data on.... somewhere?

        This old trope about "someone else's computer" is getting a bit old. You have got to trust someone with your data, and avoiding "The Cloud" is going to get harder and harder. Deal with it, and take appropriate measures to make sure you are not the low hanging fruit. Such as using unique and decent pass phrases, and U2F. And taking extra precautions with things that are extra sensitive (like where you keep your money).

        1. VicMortimer Silver badge
          Flame

          Re: KeePass

          "Somebody else's computer" is as true now as it ever was. You think it's "getting old" because you don't like the truth.

          There is no "cloud". The "cloud" does not exist. It is now and always has been somebody else's computer, a computer you do not own, do not control, and which WILL eventually get hacked because it's a massive target.

          Your bank isn't safe because there's any chance it won't be compromised. Your bank is only safe because government insures your money when the compromise happens.

          For your password storage, you're a fool if you put it on somebody else's computer.

          KeePass is a far better option than keeping your passwords on somebody else's computer.

          1. Dimmer Bronze badge

            Re: KeePass

            Agree with the “other users computer” and “keepass” but FDIC does not insure your account if it is hacked, only if the bank fails and that has limits. There are a lot of misconceptions that they don’t care to correct. Read the fine print.

            FDIC’s purpose is the same as the federal reserve, do what ever it takes to protect the banking institutions, and only the customers if it will prevent a bank run.

            Some people still think banks contain enough cash to cover their accounts.

            Guys, thanks for post about problems and solutions. Keep them coming

          2. Anonymous Coward

            Re: KeePass

            I think "the cloud" does exist - it's somebody else's computer that they've shared out across the Internet.

            Another vote for local KeePass with local sync across devices.

            Off-site backup? Err, only if I'm off site at the time, which to be honest is an acceptable risk for me - unless someone steals all my devices at the same time or my house burns down, in which case I have quite some other things to worry about.

          3. zuckzuckgo Silver badge

            Re: KeePass

            But how is your computer not part of the cloud (more secure than somebody else's computer)? Is it always disconnected from the internet? Do you only use a custom operating system and software so as to avoid having common attack vectors?

        2. captain veg Silver badge

          avoiding "The Cloud" is going to get harder and harder

          Er, how?

          I run several internet-facing servers on a domestic ADSL connection. The servers are located in my lounge.

          OK, they're (mostly) for my personal use. How is a corporate scenario any different?

          At my place of employment we used to run internet-facing servers in-house. Literally inside the same building. This worked perfectly.

          Later the higher-ups in America decided that we should instead use a corporate datacenter in Ohio. This worked tolerably well.

          After a palace coup, the new higher-ups in America decreed that we had to use AWS. This works very poorly and costs a fortune.

          My home servers are still humming along.

          -A.

          1. Lost Neutrino

            Re: avoiding "The Cloud" is going to get harder and harder

            In view of your implied 99.999% system availability, I would recommend offering your home server cloud facilities to your higher-ups in America. Perhaps with an introductory discount of 15% when they move from AWS? You'll be set for life! And I'll come and work for you. I promise to be extra careful when hoovering the carpet around the servers, too!

        3. Doctor Tarr

          Re: KeePass

          @steve button. I agree. Use all the precautions available but don't be afraid of the cloud. The online services we use are all hitting someone else's computers whether cloud based or internal DC. All our passwords are already out there on these servers anyway - hopefully encrypted.

          Running servers to manage a password DB is totally impracticable for 99.99%+ of people, even for those like me who know how. And if you're running home infrastructure are you sure you're doing a better job on the security than teams who are 100% dedicated to it. I doubt it but it's unlikely that the ones doing it will be honest with themselves.

      2. Anonymous Coward

        Re: KeePass

        Where do you keep your off site backups?

        1. Lost Neutrino

          Re: KeePass

          Anywhere you like! The KeePass store is just a single, encrypted file. For example DropBox, AWS, floppy disk at your mother-in-law's, etc, anywhere. Also, KeePass allows you to synchronise directly with a KeePass data file on another computer - without having to use an external (cloud) service. And if you create a key file (in addition to a master password), then you even have 2FA.

      3. Anonymous Coward

        Re: KeePass

        The other problem with the cloud is you need to maintain an account with that cloud provider... if they go bust or your account lapses, then your data disappears

        all those precious photos backed up from your phone... zap!

        There is/was a story on the BBC News site recently about a woman who had been running a business based around a blog... then the cloud host closed down and she nearly lost everything

    2. drankinatty

      Re: KeePass

      Specifically keepassxc, the follow-on to keepassx and compatible with keepass files. The only downside to keepassxc is the damn ridiculous Qt build that takes 20 minutes compiling away on what should be a 5 second build. But you take the good with the bad. keepassxc is actively developed and imports all previous keepass and keepassx databases.

      Clean user interface (though I will always prefer the original keepassx interface under KDE3 -- hard to beat). The keepassxc interface is flexible enough it can be made to look close -- putting only the details you need in summary view and a single-click to bring up the details. The only "network" involved is in moving a copy of the database to the iPhone via "Files", and you have your encrypted database available there too.

      I've never trusted and won't trust some cloud based service with the keys-to-the-kingdom...

  8. b0llchit Silver badge
    Boffin

    Control your data

    ...run your own Bitwarden server.

    This is the only way to ensure you are in control. It also means that you need to know what you are doing.

    Unfortunately, most people have absolutely no clue what they are doing when it involves computers (or, for that matter, most technology). They are consumers and don't care how stuff works. It is not something that would come up in their minds. They are nothing more than consuming users.

    As with all security and privacy issues, you need to know what you are doing and actively control everything you do. It is a continual process that needs to be adhered to for all time.

    So is this an option for the majority of people? No.

    Is it a solution for the knowledgeable? Maybe or not because they already know what to do and how to do it and may do their own thing anyway.

  9. v13

    Don't rely on a single password

    BitWarden has the same flaw as LastPass: it relies on a single password and anyone that has access to your vault is only a password away. Spoiler: you're a terrible password generator and you can't remember cryptographically strong passwords.

    Instead, use a password manager that has a second factor. You can use 1Password which also has a secret that 1Password itself doesn't know. Or you can put a Keepass database on Google Drive and lock it with both a password and a key file, and not store the keyfile on Google Drive.

    Both of the above ensure that if someone gets your encrypted database from the cloud, they'll have a very hard time cracking it.
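An added illustration, my code rather than KeePass's, 1Password's, or anything v13 or Lost Neutrino posted, of the two-component key they describe: the master password and a key file are hashed separately and the two digests hashed together, modelled on KeePass's composite-key construction as I understand it (treat that as an assumption; a real .kdbx then runs the result through a slow KDF, which is left out here). What it demonstrates is the outcome v13 is after: a synced copy of the database plus a cracked master password still derives the wrong key when the key file, which never went to the cloud, is absent.

```python
import hashlib
import hmac
import os
from typing import Optional


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each component on its own, then hash the concatenation (assumed KeePass-style composite key).
    A missing or wrong key file changes every byte of the result even when the password is right."""
    parts = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def new_key_file(nbytes: int = 32) -> bytes:
    """Random key-file material: generate once, carry to each device by hand, never store beside the database."""
    return os.urandom(nbytes)


class SealedVault:
    """Toy stand-in for the database: remembers which composite key it was sealed under."""

    def __init__(self, master_password: str, key_file: Optional[bytes]):
        self._key = composite_key(master_password, key_file)

    def unlock(self, master_password: str, key_file: Optional[bytes]) -> bool:
        # Constant-time compare; a real database would attempt decryption and fail its integrity check instead
        return hmac.compare_digest(composite_key(master_password, key_file), self._key)


def attacker_outcomes(vault: SealedVault, cracked_password: str, key_file_in_hand: Optional[bytes]) -> dict:
    """What someone holding the synced database and a cracked password can open, with and without the key file."""
    return {
        "password_only": vault.unlock(cracked_password, None),
        "password_and_guessed_key_file": vault.unlock(cracked_password, os.urandom(32)),
        "password_and_key_file_in_hand": vault.unlock(cracked_password, key_file_in_hand),
    }


if __name__ == "__main__":
    key_file = new_key_file()                       # lives only on the devices, never in Dropbox/Drive
    vault = SealedVault("correct horse battery staple", key_file)
    print(attacker_outcomes(vault, "correct horse battery staple", None))       # all False
    print(attacker_outcomes(vault, "correct horse battery staple", key_file))   # last one True
```

The security gain is exactly the entropy of the key file that stays off the sync service; if the key file is copied into the same cloud folder as the database (the Google Drive case v13 warns about) it adds nothing, which is why Lost Neutrino's "floppy disk at your mother-in-law's" is the right mental model for where it goes.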

    1. Chris359

      Re: Don't rely on a single password

      Maybe I misunderstand how Bitwarden works, but when I log in, it uses MFA, so it needs both my master password and a one time token.

      Is that just for the Bitwarden site and not the underlying vault data?

      1. Optimaximal

        Re: Don't rely on a single password

        Unfortunately it's just for the initial login, unless you tell it to sign in and out (with associated MFA prompt) every time you view a password.

        1. Anonymous Coward

          Re: Don't rely on a single password

          Indeed, exactly the same as how lastpass does it.

          If people want to use open source on moral grounds that's fine (although they probably won't find Bitwarden's license suits their morals) but Bitwarden implements the same security model as LastPass. I'm intrigued how people think it's somehow more secure. At least when LastPass lose all your personal data there is someone you can take to court for it.

          1. Dog11
            Thumb Up

            Re: Don't rely on a single password

            If people want to use open source, there's always Password Safe (https://www.pwsafe.org/), the program by Bruce Schneier. It's Win only, but there are a flock of compatibles for other platforms (see their "Other Platforms" page). I've been using it for 2 decades. It doesn't natively do cloud or sync, though you could have it do backups to the cloud, or I suppose put the datafile there.

          2. tezboyes

            Re: Don't rely on a single password

            Nearly but not quite, there are some differences.

            For one, the whole of the BW Vault data is encrypted, not just a couple of attributes.

            Further, as this code is open source it is audited.

            As a general related point, BW have been (as far as we know) pretty transparent, they don't appear to be hiding any skeletons....

            And yes, whilst there isn't /currently/ an additional secret key for vault decryption, that is high up on the wishlist for folk now. Hopefully they can add that in the near future.

    2. Phil Kingston

      Re: Don't rely on a single password

      There are ways to improve that though. I've memorized a 20-something character password generated by a machine and then one of a pair of YubiKeys is required to access my password manager. All browser password managers turned off. I'm sure I could do better, but I'm happy with that security posture for my personal stuff. It's certainly going to be more of a challenge to any would-be attacker than Jonno next door, so hopefully he's the low-hanging fruit

    3. MJB7

      Re: Don't rely on a single password

      "you're a terrible password generator" - this is true. So don't generate the password yourself. Both Bitwarden and diceware will let you generate a cryptographically secure passphrase which works just fine.

      Reading between the lines though, it is disappointing to see that Bitwarden don't use a secret from the second factor to decrypt the vault.

      1. Helcat

        Re: Don't rely on a single password

        I believe the reference is to you generating the password to your password locker.

        There are ways to generate complex passwords that can be remembered. They're not as 'secure' as a random password, but it then comes to a question of how the hackers are getting your passwords: Are they shoulder surfing, are they brute forcing, or are they intercepting the password in transit.

        Some years back there was a problem with HeartBeat messages after an upgrade to software forgot to validate the actual message length with the supplied length - a check bit error if you like. This meant you could send a Heart beat/keep alive message of 'Dog', '100' and get the 96 characters following your heartbeat message returned (3 characters sent, message separator and the next message(s) that were received. This allowed 'hackers' to keep pinging compromised nodes on the internet to intercept login credentials, including passwords that were at that point, unencrypted. This then allowed the hackers to get access to accounts and lock the owners out.

        TLDR: Don't rely on one system for your security. Use layered systems, meaning if you use a password vault, have a separate one for other parts of the system (as an example). Oh, and if you can, monitor user behaviour: It's another layer that can expose hackers after they've gotten in to your system. May not sound easy, but if a user has a habit of logging in and visiting El Reg (what else would they be doing first thing in the morning? Other than working, obviously) and today they log in, try getting into confidential files, get their password wrong twice and be looking through areas of your system they've never paid attention to before... best to go see what's going on. They might be trying to get client info before quitting their job, or it could be a hacker's in and rummaging around.

    4. Hubert Cumberdale

      Re: Don't rely on a single password

      "you're a terrible password generator and you can't remember cryptographically strong passwords"

      I have four words for you: correct horse battery staple.

  10. Richard Tobin

    Trust

    "Maybe you trust your brother. Me? I'm not so trusting." As usual, the question is not whether you trust your brother, but whether you trust everyone he trusts. And everyone they trust...

  11. Anon103

    See the Register article, red-linked in this post: LogMeIn spun off LastPass – after this breach

  12. PatchdaySundae

    Why not share via Bitwarden?

    @author: Why?

    >> You can also share passwords with this plan. Do not, I repeat, do not do this.

    Why are you adamantly against sharing passwords via Bitwarden?

    IMHO there are good reasons to do so (think: parents sharing password for their wifi router or mutual email account) in order to keep >2 individuals ready to work.

    Or do you assume that even Bitwarden can't do this securely?

    1. storner

      Re: Why not share via Bitwarden?

      Completely agree - there are lots of passwords I want to share with a limited set of users. Like the password for the online newspaper subscription, passwords for various accounts at webshops that the whole family uses, etc.

      1. captain veg Silver badge

        Re: Why not share via Bitwarden?

        > there are lots of passwords I want to share with a limited set of users

        Write it down on a scrap of paper. Pass it round. If you're particularly paranoid, burn the scrap of paper.

        -A.

    2. Potemkine! Silver badge

      Re: Why not share via Bitwarden?

      Why are you adamantly against sharing passwords

      Because when a secret is known by more than one, it isn't a secret anymore.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why not share via Bitwarden?

        Yes, but some information must be both shared and still secured. If you can set up shared access with separate authentication mechanisms, that is best, but it is not always possible.

        Financial institutions with badly designed web access and aging parents is one situation where this crops up for me.

      2. JohnTill123

        Re: Why not share via Bitwarden?

        Absolutely correct!

        Three can keep a secret, if two of them are dead. - Benjamin Franklin.

      3. Martin M

        Re: Why not share via Bitwarden?

        But certain people *are* trusted. If I and my wife can’t trust each other to look after our young kids’ school and Minecraft passwords etc., we would frankly have bigger problems than credential management. Some paranoia is justified, and some is excessive.

      4. Rob F

        Re: Why not share via Bitwarden?

        I've worked at a number of MSPs before, and having an enterprise-grade password sharing system is paramount. Ideally you'd have everything authenticating through an individual's identity for each client, but there are just some systems that won't allow it, or it's prohibitively expensive for the service's cost model.

        The password gets wiped from the system's memory and the password is never shown on screen in clear text. Every access to the password is audited and there is granular control on access for each password, if you need it.

        It also helps you with password rotation with reminders to change passwords etc.

        It isn't completely foolproof, but nothing ever is. I'm not aware of any of the systems that were used ever having a password based breach.

  13. The Basis of everything is...

    Keepasses and Syncthing works well

    I've used Keepass for years since a (now former) employer who handled stuff for a bunch of very security aware clients made us standardise on it. And taking a leaf out of their book, I don't put all passwords in the same file.

    Example

    Mobile file has everything you may need to access from a device while out and about. This is synchronized to all devices and desktop using Syncthing. No cloud involved, and any updates while away also get synchronized back home too.

    Home file has everything else, lives solely on desktop (with backup) and never goes anywhere near a mobile device.

    For the really paranoid, you could use an Offline file on removable storage for really important passwords that you don't use frequently, if you don't think your desktop is secure enough.

    Most likely issue for me is mobile broken or gets lost / stolen, in which case if somebody gets into it they have a chance to crack Keepass and be rewarded with a bunch of low value passwords. I suspect you'd make much more money from selling the knowledge on how to crack Keepass than cashing in some almost-expired airline and hotel points...

    Of course the strength of your master passwords / fingerprint reader is still a weakness. And if you're truly paranoid you'd not be using a fingerprint reader as your frontline security method would you?

  14. This post has been deleted by its author

    1. zuckzuckgo Silver badge
      Trollface

      Re: ...and not as paranoid as I am.

      At least downloading files never resulted in any security breaches...

    2. GioCiampa
      FAIL

      Re: ...and not as paranoid as I am.

      HIBP doesn't ask for passwords...

      1. This post has been deleted by its author

  15. Mike 137 Silver badge

    Someone else's computer

    If you want your credentials to remain confidential, keep them to yourself. I have nothing against password manager tools (provided they have adequately secure access mechanisms themselves) but keep them local. Putting all your passwords on a remote server over which you have no control just does not make sense if you want to keep them secret. I know it's a convenient option, but does that outweigh losing the lot one day?

    It's no more sensible than handing all the private and copyright content you generate to some "cloud service" with a vested interest in it, but rather more dangerous.

    1. zuckzuckgo Silver badge

      Re: Someone else's computer

      >Putting all your passwords on a remote server over which you have no control ..

      I would think that putting all your passwords on a remote server over which you do have control is just as much a security risk. Unless you are a top security expert or believe security through obscurity helps.

      1. AVee
        Joke

        Re: Someone else's computer

        If you don't believe security by obscurity helps, just store your passwords by replying to this message.

    2. Joe Dietz

      Re: Someone else's computer

      Unless you are prompted for a password each and every time you need to access your secrets... They really aren't any safer locally than in the cloud. https://www.upsightsecurity.com/post/data-protection-api-or-now-you-have-two-problems

      1. Mike 137 Silver badge

        Re: Someone else's computer

        "Unless you are prompted for a password each and every time you need to access your secrets... They really aren't any safer locally than in the cloud"

        Which is why I said "(provided they have adequately secure access mechanisms themselves)". The point at issue is whether you control the security of the platform. If not, you have a huge risk you can't minimise. If you do, of course you can screw up, but that's something you can in principle control (or at least take responsibility for).

        1. Joe Dietz

          Re: Someone else's computer

          That's the problem though. Your control over the system is the weak point of using your local system to store passwords! You have access to all of your data all of the time, ergo so does any attacker that you happen to let in through a momentary lapse of humanity. And beyond that, the password itself isn't really that interesting; the hot new trend is local token theft. I don't need your password if you already authenticated for me, I have something better - a token! Again, if you are NOT asked for a password on each and every API call that your browser/application might be making, and if you are in control of your system, the same attacker can just read your keystrokes too.

          It's all a shell game. The only "secure" device I might trust is inherently entirely out of my control because it won't let me control my own data.

  16. terry 1
    Facepalm

    Had bitwarden for years

    ..one day I will remember the master password and unlock it :(

    1. JohnHMorris

      Re: Had bitwarden for years

      I used RoboForm for many years. Lots and lots of passwords. Migrated systems and moved to "another" password manager. But a large number of passwords remained in RoboForm. Like you I forgot the master password! (And handwritten it down and some safe place.) Then last year, 10 years later, I remembered the password! LOL.

      1. tezboyes

        Re: Had bitwarden for years

        You shouldn't hire yourself out to that guy who's allegedly lost the password to all his crypto!

  17. MisterHappy
    Coat

    Use a book & write them down

    As long as it's not labelled "Passwords", it's a lot more unlikely that someone will break into your home and look in every book on your bookshelf.

  18. StrangerHereMyself Silver badge

    Just don't

    Don't use a cloud based password storage solution because you'll always be beholden to someone else's whim and (lack of) expertise.

    I use Password Safe, which is basically a small local database for all my passwords and logins. It also generates strong passwords. Since it's not available through the internet there's no way to hack it or get at it, so it's vastly more secure (although at the cost of some convenience). There's also a Linux version available.

    If you use cloud solutions you're gonna get burned.

    1. DrXym

      Re: Just don't

      You can use it in the cloud - just save the password file in a shared folder like Google Drive or Dropbox. Then it gets synced between devices. Obviously there is risk to this, but providing you use a strong password I think the risk is acceptable.

      1. StrangerHereMyself Silver badge

        Re: Just don't

        Some things are not to be meddled with. My password database is certainly one of them.

        I also don't store any of my precious IP and source code in the cloud (GitHub et al.). I keep hearing about all sorts of break-ins in cloud providers (CircleCI being the latest) and strengthen my belief I made the right choice.

        1. DrXym

          Re: Just don't

          The way I see it, first someone has to break the cloud service AND break a password protecting the password database AND know that amongst the tens of millions of files that they have a short opportunity to grab there is a password database there.

          So I think providing you use a strong password you have nothing to worry about.

  19. Boufin

    There is a great Android client for Password Safe too. I use the Phone copy as my backup (master is on my main machine).

    1. oldstevo

      I do the exact same thing. Have been using PasswordSafe on my phone, on my Windows box and on Linux as well, for more years than I can remember.

  20. JohnHMorris

    Concerning password management and LastPass, there are some great comments here. And nice articles on The Register, which is no surprise.

    But I have a couple of important questions which always seem to get lost. I can run a server myself including for remote access. But ...

    QUESTIONS FOR TOP PASSWORD AND AUTHENTICATION USE CASES

    1. FAMILY SHARES - what to do to provide password and/or authentication security services for multiple family members?

    2. ADMINISTRATION - how to ensure that the selected service can be easily maintained and used by someone other than myself?

    . . . "in case I'm no longer available". There are a very large number of recipes floating around.

    1. thondwe

      Bitwarden - does do sharing - see "Collections" - assume self hosting also has this feature.

      Admin - As soon as you run a service (be it passwords, backups, Plex servers etc, remote access/VPN,...) for more than just yourself - e.g. family - you become the single source of failure. You are also the person they trust with their data. So unless you have a house full of trustworthy geeks, you might well be safer paying for a 3rd party service...

  21. Rich 2 Silver badge

    Don’t trust any of it

    The idea of dumping password data into some server (I refuse to say “cloud”) that you have no control over, don’t know where it is, etc etc is a complete anathema to me. Eventually it WILL be hacked and your passwords (maybe) recovered. It’s asking for trouble - truly bonkers!

    As for…

    “The company admits the Bitwarden License does not qualify as open source under the Open Source Initiative (OSI) definition”

    …who gives a monkeys what the self-appointed OSI think?

    1. Flocke Kroes Silver badge

      Re: Don’t trust any of it

      OSI approval is a low bar for getting some appearance of openness for a lock-in licence. Failing to get it actually means something.

  22. camasaki

    Anonymize it

    Maybe we need to store only our passwords in these vaults and not our email or usernames.

    1. Roland6 Silver badge

      Re: Anonymize it

      I like how everyone seems to have missed the obvious: The personal password vault held by the likes of LastPass is just a special case of a credentials store - every website that requires credentials will have a vault for those credentials.

      1. JulieM Silver badge

        Re: Anonymize it

        A service that you need to log into doesn't store its passwords in a form that would be useful to anyone who recovered the file in which they are contained. Look at /etc/shadow on your own machine. The passwords are scrambled by applying some complex mathematical operations to the plain text. When somebody enters a password, its validity is checked by applying exactly the same maths to the plain text entered by the user and comparing it to the stored, scrambled password. Since you can neither recover the plaintext password (the mathematics deliberately include stages which involve discarding digits from the result, so "doing the whole thing in reverse" would require you to try all possible values for the dropped digits at each stage. This isn't impossible, it just takes a long time; as computers get more powerful, it can be done more quickly, so password scrambling algorithms sometimes need updating) nor bypass the scrambling process to have an already-scrambled password checked, a scrambled password file is essentially useless.

        A password manager, on the other hand, needs to store user identifiers, passwords and the sites for which they are applicable; and these need to be stored either in plaintext, or encrypted in a manner which is recoverable by the rightful owner. You would hope that the final stage of decryption would be done only at the client end, using a key which is only held by the client and not kept anywhere on the central server ..... but you could only ever be certain of that by thoroughly analysing the Source Code.
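The contrast drawn above, between a one-way scrambled record in /etc/shadow and a password manager's recoverable store, is easiest to see in code. The following is an added example and not the commenter's or any distribution's code: it writes a shadow-style record made of an algorithm label, a random salt and a PBKDF2-HMAC-SHA256 digest, and verifies a candidate by re-running the same derivation and comparing digests in constant time. The iteration count and record format are constructed for the example; nothing here can turn the stored digest back into the plaintext, which is exactly the property the comment describes.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed for the example; real
# deployments raise it over time as hardware gets faster (the "updating"
# the comment mentions).
ITERATIONS = 200_000
ALG = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a shadow-style record '$<alg>$<salt>$<digest>' with base64 fields.

    Only the one-way digest is stored. A fresh random salt per user means two
    users with the same password still get different records.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$%s$%s$%s" % (
        ALG,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-run the same derivation on the candidate and compare in constant time.

    The stored digest is never "unscrambled"; the candidate is scrambled the same
    way and the two results compared, so a stolen record does not yield passwords.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != ALG:
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
```

A password manager cannot use this scheme for the site passwords it holds, since it has to hand the plaintext back to the user; its equivalent is deriving an encryption key from the master password with the same kind of slow derivation and keeping that key only on the client.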

  23. KahunaAZ

    I just did this exact thing. Imported LP DB into BW and moved on. Bought prem as well. Much better price than LP anyway.

  24. Anonymous Coward
    Anonymous Coward

    What's wrong with the old encrypted Excel file stored locally?

    AES256 encryption. Secure as you need. No possibility of the file being lifted from some random cloud server.

    Works for me!

    1. Roland6 Silver badge

      Re: What's wrong with the old encrypted Excel file stored locally?

      The convenience of auto fill and password updates being shared between devices.

      Obviously, you can export your passwords into a .csv and turn this into an Excel encrypted backup. Although I remember seeing some article marking password managers down for having a facility to bulk export their repository...

    2. v13

      Re: What's wrong with the old encrypted Excel file stored locally?

      You can't use it on PC and mobile, and it can't generate passwords. But worst of all, it's Excel...

    3. RPF

      Re: What's wrong with the old encrypted Excel file stored locally?

      Syncing across 3 devices all with 3 different OSes is quite tricky with this solution.

      I've dumped Data Guardian AES256-bit encrypted files + DropBox for BitWarden because this was just too damn hard to keep working/using.

  25. Anonymous Coward
    Anonymous Coward

    No, no no

    Here’s a tip guys.

    You write down your passwords and hide the paper under your keyboard.

    But, shhhhhh, OK?

    1. Rich 2 Silver badge

      Re: No, no no

      That’s probably more secure than storing on the internet

      1. Lost Neutrino

        Re: No, no no

        You are probably right. Nobody bothers to look for passwords under keyboards anymore. So much easier to get a whole bunch of them from some "your data is important to us and we take your data security seriously" web service.

  26. hayzoos

    Some computer on the internet

    For those that insist on only keeping their password store locally...

    You are storing passwords you need to use on the internet, correct?

    Your local password store is on a computer that is on the internet, correct?

    I fail to see how this is any more secure than on some computer on the internet.

    I need to be able to access my password store from a multitude of devices, all on the internet. The solution I choose claims to use proper publicly vetted encryption and makes the source code available so the implementation can be reviewed. I was using Roboform, but they were evolving in a direction which went against my needs and they never implemented a Linux client. I moved to Bitwarden for the cross platform clients, "open source", and a number of other reasons. One thing that stood out was the ability to export your passwords if you wanted to use another solution. Many of their competitors rather choose lock in with no export. My master password is currently 24 characters randomly generated, I am considering 48 for the next one. I memorize in 8 character chunks, currently 3 soon 6. Not that hard and cryptographically secure.

    1. Rich 2 Silver badge

      Re: Some computer on the internet

      The difference is I use one password per site. If it gets hacked, I only have one online account to worry about, rather than all of them.

  27. streaky
    Big Brother

    Vaultwarden

    Just saying. Don't forget to donate.

  28. Derezed

    Took the plunge two weeks ago

    Snap! While having passwords on the cloud doesn’t fill me with joy, I’m too lazy to use any other solution.

    The response from Lastpass is what sealed the deal: shocking.

  29. Dabooka

    Little black book

    Said it before and I'll say it again, my LBB still seems to be more reliable than all of these things.

    2FA where offered and unique email addresses seems to remain the only way forward

  30. Ozan

    Vaultwarden

    I ditched LastPass a long time ago when they changed hands, and started using a Bitwarden implementation called Vaultwarden. It's written in Rust, compatible with Bitwarden clients, and it is small enough to run on the cheapest server you can rent. However, if I had better resources, I would run the official Bitwarden inside Docker containers. Their scripts will do the work for you.

    Also, I heard in Vaultwarden comments that Bitwarden people actually help third parties to stay compatible (take it with a spoon of salt, though).

    https://github.com/dani-garcia/vaultwarden

  31. OrangeDog

    Learning from experience

    On the other hand, LastPass has been attacked multiple times, and has recovered and fixed the issues that led to them, resulting in a stronger product and experienced security staff.

    How can you tell whether alternatives aren't more vulnerable but simply haven't been targeted yet, as they're not currently as big?

  32. Blacklight

    In addition to haveibeenpwned - have a look at https://leakpeek.com/ - that lets you stick in a username, email address etc, and it will show you partially redacted passwords it has for you....

    It doesn't show (that I've seen) the source, but it certainly helped me confirm which passwords were nobbled and then by proxy, what the source was.

  33. TheInstigator Bronze badge

    I can't help but think ....

    ... there is no foolproof solution that exists.

    By migrating and changing your passwords you are of course, mitigating risk, but there's no guarantees what happened to LastPass won't happen to Bitwarden (or any other company)

  34. russmichaels

    Other risks

    Here are some other things you may not have considered, such as the indirect risks caused by other users who you have shared logins with, or who use LastPass and have access to your systems.

    https://michaels.me.uk/lastpass-hacked-how-serious-is-it-things-you-may-not-know/

  35. apsteinmetz

    I'm sticking with LastPass, for now

    The brand promise of LastPass was "Even if we get hacked, we don't know your password and it would be practically impossible to brute force a good master password." This seems to still be valid. I have deobfuscated my vault and the unencrypted info are my URLs and time of last visit. My master password had 65 bits of entropy. I'm pretty relaxed. As you say a lot of my dumb old passwords are already out there and I get phishing attempts all the time. That's life, not LastPass. What I am doing is:

    1. changed master password (I know that doesn't cure this problem since the bad guys have the vault locked with the old MPW).

    2. changing passwords at sensitive sites (you can have Netflix) even though it's low risk. We all use 2FA, as well, right?

    3. waiting to see what LastPass does to restore trust. I may go to Bitwarden, if I'm not satisfied, but switching has costs, eh?
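Several commenters above argue about master-password strength in different units: the "correct horse battery staple" reply (a four-word passphrase), hayzoos's 24 randomly generated characters memorised in 8-character chunks, and the 65 bits of entropy mentioned here. The following is an added example, not code from any commenter: it generates both kinds of secret with the `secrets` module and computes their entropy from the size of the pool and the number of picks, so the different styles can be compared on one scale. The 32-word list is constructed for the demonstration; the 7776 figure is the size of a standard Diceware list, and 94 is the number of printable ASCII symbols excluding space.

```python
import math
import secrets
import string

# Constructed 32-word sample list; a real Diceware-style list has 7776 words.
SAMPLE_WORDLIST = (
    "correct horse battery staple anchor bridge candle delta ember falcon "
    "garden harbor island jungle kettle lantern meadow needle orchard pebble "
    "quartz ribbon saddle timber umbrella velvet walnut yellow zephyr cobalt "
    "marble signal"
).split()
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `choices` symbols.

    Each pick contributes log2(choices) bits only when it is chosen uniformly at
    random, which is why the generators below use the `secrets` module.
    """
    return length * math.log2(choices)


def picks_needed(target_bits: float, choices: int) -> int:
    """Smallest number of uniform picks whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


def passphrase(words: int, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """Diceware-style passphrase: words drawn uniformly from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random character password drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def chunked(secret: str, size: int = 8) -> list:
    """Split a secret into fixed-size chunks for memorising."""
    return [secret[i:i + size] for i in range(0, len(secret), size)]


if __name__ == "__main__":
    print("4 Diceware words:     %.1f bits" % entropy_bits(DICEWARE_SIZE, 4))
    print("24 random characters: %.1f bits" % entropy_bits(len(PRINTABLE), 24))
    print("words for 65 bits:    %d" % picks_needed(65, DICEWARE_SIZE))
    print("chars for 65 bits:    %d" % picks_needed(65, len(PRINTABLE)))
    print(passphrase(4))
    print(chunked(random_password(24)))
```

The entropy figures only hold for secrets produced by a uniform random generator; a passphrase a person composes from favourite words, or a "random" string they type themselves, has far fewer bits than the formula suggests.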

  36. zacharyfoster291

    Sorry for the nitpick, but "Spoiler alert: odds are your passwords are already out there. Don't believe me? Check your email address or phone number on HaveIbeenPwned ..." This is not accurate. All that does is say that your email address or phone number is out there. It doesn't mean that your password has been exposed, it only means your user/phone was found in a dump unencrypted.

  37. cje

    The writing was on the wall for some time now

    I switched from LastPass to Bitwarden years ago. You could see this coming after the take-over and service failures.

    Also had the misfortune of working for two companies that used LP, and my fellow IT colleagues refused to see the problems with it. I didn't stay long with either company because their security practices were a joke and they used such weak passwords they should have just left the front door open.

  38. David Gosnell

    Did LP actually delete old data, I wonder?

    I dumped LP when it was no longer free for cross-device. I just hope they actually deleted my data when I left.

  39. Anonymous Coward
    Anonymous Coward

    No one sees the forest through the trees

    I made an account to post this, because I feel like a crazy man in my industry

    We keep this arms race of encryption and security going why? Because we built a highway to everyone's front, and back, door

    Not every device needs internet access

    Like whatever device you keep your passwords in

    The airgap is making a huge comeback because we who grew up with this finally understand what those who built it were thinking: they weren't, they only cared about "faster, easier, and cheaper"

    Well now it's so easy and cheap that you need a special 2FA device to protect your account, because it's so "accessible"

    Now you can't even trust that, as MFA spamming attacks are on the rise. What's next?

    The airgap, and a return to on-prem behind lock and key

    1. Lost Neutrino

      Re: No one sees the forest through the trees

      > Not every device needs internet access

      Good thinking. Let's ask Microsoft, Apple, Ubuntu, Red Hat, Dell, HP, etc, etc to send us their software updates on a CD by regular mail.

      Before LANs and Internet, another local area networking technology prevailed: SneakerNET, wasn't it?

  40. Pickels

    Ruminations

    When it was just me I used mSecure. However over the years we needed to share more credentials. I moved to LP 7 years ago. (Well the anniversary was on the 12th). I was on the phone with them yesterday and they clarified/claimed that BOTH the notes field within the Password template and the notes within the Notes template are encrypted.

    I only realized that there was at least confusion and at worst exposure of my notes data after listening to last week's Risky Biz podcast.

    One thing this highlights to me... I allowed myself too much convenience. I need more compartments. In retrospect it is silly that I stored the 2FA enrollment key (for various non-LP servers) in the notes field. I think I need to make a delineation between credentials and their supporting security questions and answers (I have to store both questions and answers because I use random answers... besides trying to remember if I decided Matthew was my best friend in grade 1... oh no, remember Matthew broke my Lego... Andy was my best friend... wait, but he went by Andrew in those days. And how long before the whole world knew my paternal grandmother was...)

    Anyway, I am not dumping LP yet. The first thing I am going to do is reset all my 2FAs... ugh, there are over 200... but this was my bad. At least my master password is 40 characters long and stored nowhere except in my wetware. And given the current understanding of human memory I think of it as pretty unlikely anyone besides me can retrieve it. Now, come to think of it, my wife has the power. She did manage to retrieve it and it is stored on a piece of paper in her safety deposit box. It has a cryptic reminder that someone else has the 2FA bypass code.

    On average I am not a security maximalist. There are tradeoffs for sure. However our clients are absolutists. They will dump us in droves if they ever have to say to their clients that we were taking acceptable business risks.

    1. yetanotheraoc Silver badge

      Re: Ruminations

      I also used mSecure for the convenience but recently took a step backwards, now using KeePass / kpcli on the desktop only. It's painful no longer having passwords on mobile. For frequently used ones I have about a dozen memorized. For one-offs I scratch them on a bit of paper in my pocket, or simply wait until I am back at the desktop.

      "In retrospect it is silly that I stored the 2FA enrollment key (for various no LP servers) in the notes field. I think i need to make a delineation between credentials and their supporting security questions and answers"

      I have always operated on the assumption the notes field is insecure. Even if the database is encrypted as a blob, I'm worried about shoulder-surfers when I am viewing a record. Only the password field is hidden! When signing up for the service if they ask for personal info then it would only go in the note in a highly obfuscated form. Each actual secret for a service gets its own record in the password manager, e.g. for Verizon I have one "password" but 14 records...

      * Verizon online

      * Verizon sec? 1st school (Note the shortened question is in the title.)

      * Verizon sec? Current pin

      * Verizon sec? Old pin (Still need it sometimes!)

      * Verizon sec? ssn4 (By my design they do not have my correct SSN on file.)

      And so on.

  41. Anonymous Coward
    Anonymous Coward

    physical 2FA keys

    Big problem with these is that they are expensive and not one of them will work on all my devices.

    1. tezboyes

      Bigger problem, so few sites even have basic two step setup, never mind two factor, and definitely not hardware key use!

  42. jollyboyspecial Silver badge

    The whole idea of storing passwords in the cloud just seems ridiculous to me. How many things have been 100% secure right up until the day they are not? Sure you have to have passwords for things that are online and hopefully everybody realises that there is always risk involved. But by storing your passwords for those things online you are automatically making each password only 50% as secure.

    If there's a risk of any given password being compromised then storing that password elsewhere is twice the risk of it being compromised.

    I'm far too old to remember all those passwords. And I'm far too sensible to use the same password for more than one thing. So I've got to store them somewhere, but that somewhere is in a local database.

  43. sreynolds

    Nothing beats....

    Little paper book and a relatively fireproof safe.

    Or, if you are feeling adventurous, etchings on aluminum stored in a safe.
