
Bitwarden – Free and Open Source Password Manager - mordocai
https://bitwarden.com/
======
bad_user
Feedback for the author:

You have copied LastPass, however LastPass isn't a good design to copy.
Passwords and sensitive info aren't only for "Sites". You also have Wifi
networks, routers, credit cards, etc, not to mention many people need custom
fields, like for Apple's stupid secret questions, or for recovery codes, etc.
You've also taken the name Site too literally. Throwing an error if the URL is
empty is a mistake. Don't assume the user doesn't know what he's doing and I
doubt this app needs URLs to function.

I never liked LastPass because it's rigid on how you can store data. Surely
username+password+ website is common enough, but give the user the opportunity
to add custom fields. This is how KeePass and 1Password work, it's a proved
design ;-)

On Android, when using the password generator on editing a new site, in order
to complete the process I had to copy/paste the new password. This is bad, on
Android at least, as the clipboard on Android is public and any app can
register a listener for clipboard events. And again, on viewing the password,
it got truncated, so the user is forced to copy/paste it.

I'm also uneasy about having my data uploaded to your servers. I realize data
is encrypted before that, but given this is supposed to be open source, it
would have been better if the apps were able to work offline or with Dropbox,
then add the server stuff as an add-on.

~~~
zokier
> On Android, when using the password generator on editing a new site, in
> order to complete the process I had to copy/paste the new password. This is
> bad, on Android at least, as the clipboard on Android is public and any app
> can listen to it. And again, on viewing the password, it got truncated, so
> the user is forced to copy/paste it.

I think KeePass circumvents this by having a virtual keyboard that is used to
deliver the passwords securely to the destination application/form. I haven't
heard of any better solutions, or any serious attacks against the virtual
keyboard method.

~~~
synotna
LastPass does this

~~~
mivv
Only for apps it doesn't support natively or can't find the form fields for.
For most apps it will autofill the fields if it can find them.

Sometimes your only option is copy/paste tho.

------
CiPHPerCoder
You're using AES-256-CBC without authenticating the ciphertext. Your threat
model might preclude chosen-ciphertext attacks, but every crypto code auditor
will flag that as suspicious (if not an outright vulnerability).

Read these two links:

[https://paragonie.com/blog/2015/05/using-encryption-and-auth...](https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly)

[https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc...](https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a)

You want AES-GCM or AES-CBC + HMAC-SHA2 (Encrypt then MAC).

------
Ralz
Posted by the author "xxkylexx" on Reddit:

"After Lastpass got acquired by LogMeIn last year I decided to start looking
elsewhere. Being a software developer myself, I turned toward open source
solutions but it immediately became apparent that nothing existed that was as
convenient and as user friendly as Lastpass. I also realized that everyone
seemed to charge money for these closed-source solutions (and rightfully so I
suppose, a password manager is essential!). bitwarden was born from this
search and I have been developing on it every night since. This week marks the
complete 1.0.0 release of bitwarden! There are apps for iOS and Android on the
stores, browser extensions for Chrome, Firefox, and Opera, and a convenient
website vault. It's free, open source, and cross platform. Feel free to let me
know any feedback that you may have or if you are interested in contributing
in any way. You can check out the main product website at
[https://bitwarden.com/](https://bitwarden.com/)"

~~~
gingerlime
What about Mitro? (Now passopolis). It's open source and really well made, with
great password sharing functionality.

~~~
ptman
Is it alive? Last time I checked it looked really dead.

~~~
gingerlime
I don't know how much development went into it since it was abandoned by Mitro
/ adopted by Passopolis, but Passopolis is live and I'm using it very happily.

I truly hope the project will live on and improve even further, but it's
already amazingly useful for our team and a pleasure to use.

------
netik
It would be really wonderful if the password manager didn't contain
surveillance software, monitoring every time the plugin has been opened via
Google Analytics. Can you remove that?

[https://github.com/bitwarden/browser/tree/master/src/scripts](https://github.com/bitwarden/browser/tree/master/src/scripts)

~~~
xxkylexx
I had a feeling people might make a fuss about this. I am really just using it
to learn about how the product is being used at the moment since it is so new
and I would like to improve the experience for people. I have intentions on
adding an opt-out flag in settings for this.

~~~
netik
If you do that, it should be one of the first questions asked when the plugin
first starts up and be absolutely transparent about what data is collected.

It's less about 'making a fuss' and more about 'providing additional data to
adversaries.' Remember, the NSA piggybacked on Google Analytics tokens for
years to track users.

~~~
smcnally
> Remember, the NSA piggybacked on Google Analytics tokens for years to track
> users.

Makes all the sense in the world they'd do so, and I have no recollection of
that. Do you have the links to share while I look myself for same? TY

~~~
netik
Yes, that's in the Snowden docs:

[https://www.washingtonpost.com/news/the-switch/wp/2013/12/10...](https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/)

[http://www.digitaltrends.com/web/nsa-google-cookies/](http://www.digitaltrends.com/web/nsa-google-cookies/)

------
cyphar
Can you please specify the license of all of the projects? As far as I could
tell within 5 minutes of checking, none of the projects have license
information. A project without a license is actually proprietary (not a free
software project). Thanks.

EDIT: I actually found a comment from the author on reddit saying they'll
license it under GPLv3.
[https://www.reddit.com/r/programming/comments/56ojub/after_1...](https://www.reddit.com/r/programming/comments/56ojub/after_1_full_year_of_late_night_development_ive/d8lyk2h)

~~~
dublinben
A promise isn't a license. The headline is currently misleading until there is
an explicit license file for each section.

~~~
cyphar
While that is true (and I agree in principle), I'm actually fairly sure that a
promise "the current license is GPLv3" is as legally binding as actually
putting the license file in the repo -- since it's a statement by the
copyright holder of the licensing.

The wording wasn't "we might license it under X", or "I'm considering
licensing it under X". The exact wording is:

> I'll have a license added tonight at some point. It will be GNU GPLv3.

Which to me reads as "I'll have a license [file] added tonight...". But meh,
that's for courts to decide not random people on the internet cosplaying as
lawyers.

EDIT: This is all moot anyway because the author did end up using GPLv3[1].

[1]: [https://github.com/bitwarden/core/blob/master/LICENSE.txt](https://github.com/bitwarden/core/blob/master/LICENSE.txt)

------
xxkylexx
Hi all. I am the author of this project if you would like to ask any
questions. Many have been answered on Reddit already but I will participate
here as well. You can view the project source at
[https://github.com/bitwarden](https://github.com/bitwarden) or the main
product website at [https://bitwarden.com/](https://bitwarden.com/)

~~~
eikenberry
I'm unfamiliar with the C# ecosystem and am curious about whether this is
cross platform or not. With the MS freeing the .NET bits it seems like it
should work except that it mentions that it uses SQL Server, which I didn't
think had been freed. Thanks.

~~~
xxkylexx
This is an ASP.NET Core application, however, it references the full .NET
Framework currently (instead of .NET Core which is full cross platform). I am
working to make it run on .NET Core but it requires some third party library
dependencies to be addressed first. This is being tracked here
[https://github.com/bitwarden/core/issues/3](https://github.com/bitwarden/core/issues/3)
. I anticipate this to run on .NET Core in the near future and therefore be
truly cross platform for Windows, Mac, and Linux.

~~~
sdegutis
Why did you choose C# and ASP.NET Core, instead of another cross platform
solution? Was it just your familiarity with the language and platform, or are
there other strengths to these over alternatives?

~~~
xxkylexx
This primarily just comes from my love for the language/framework and long
professional history and expertise of using it for building web applications.

------
jfindley
Your crypto choices seem somewhat unusual. PBKDF2, while not necessarily
unsafe, is a fairly old KDF to choose for a new product. Can you go into more
detail about your rationale for choosing this over newer KDFs? Why did you
choose AES256-CBC over other, safer modes? Why are you doing crypto in
javascript despite shipping browser extensions and mobile clients?

I don't want to imply that these things automatically make it insecure, but to
me at least they raise questions, and none of your copy appears to address
this. Thanks!

~~~
Todd
My guess is that it's because PBKDF2 is provided as part of the .NET
Framework.

~~~
nathanaldensr
It is? I've been using the PBKDF2 NuGet package, which I do not believe is
from Microsoft. Are there classes I've missed that are built into .NET?

EDIT: It seems .NET does support it, but only with SHA-1.

~~~
dsp1234
Note that .net core supports sha1 through sha512[0]

[0] - [https://github.com/aspnet/DataProtection/blob/00d593f1f29884...](https://github.com/aspnet/DataProtection/blob/00d593f1f29884f88c5e630a18dff96b7134e1c9/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs#L40)

~~~
nathanaldensr
Thanks; this is really helpful to know. I'm in the process of converting a
bunch of repos to .NET Standard so it looks like I can just ditch the PBKDF2
NuGet package.

------
thothamon
Is it just me, or do custom clouds make people nervous? Why can't it be on
Dropbox or some other cloud that acts like regular files?

I don't trust third-party clouds for many reasons; for one, what's to stop
them from holding my data hostage and making me pay a ransom? Or just charging
for the service with no (or difficult) alternatives? How do I know the data is
backed up well, so a server farm fire won't destroy it? How do I know how
secure the cloud is, physically, by host, by software or any other way? I'm
sure I could easily come up with a half-dozen other reasons why it's a concern
without trying very hard.

I find it hard to believe that any cloud service with some basic primitives
couldn't host my data just fine. Why must I use everyone's individual cloud
service?

This complaint is no doubt semi-bogus in this case since it's OSS software,
and I could fork it and add Dropbox support. That's valid. But everyone is
using their own cloud, and it's bothersome.

~~~
seszett
> _I don't trust third-party clouds_

But Dropbox "or some other cloud that acts like regular files" is a third-
party cloud.

Why can't this be shipped with a server that I can host myself without running
SQL Server, .Net and whatever else?

The server is just supposed to store already encrypted credentials, right? I'm
pretty sure a very small PHP/sqlite backend should be able to do the trick.

------
mordocai
The author is answering questions on reddit
([https://www.reddit.com/r/programming/comments/56ojub/after_1...](https://www.reddit.com/r/programming/comments/56ojub/after_1_full_year_of_late_night_development_ive/)).
I didn't see a hackernews submission so went ahead and posted it.

------
rodolphoarruda
This is a PM asking, so please bear with me. I understand the argument that
when the source code is available for inspection things tend to be more
transparent, because it would allow the community to identify and remove
backdoors or likes. But when it comes to distribution, e.g. via Play Store,
how can the end users know the version made available for installation is "A"
(with backdoor) or "B" (without backdoor)?

~~~
resfirestar
Ideally you would be able to build it yourself and compare the checksums, but
often that requires some extra effort to prevent particulars of the compile
environment from affecting the binary. Debian is working with moderate success
to make their packages reproducible.[1] On the Android side, F-Droid builds
apps themselves from public repos.[2]

[1]
[https://wiki.debian.org/ReproducibleBuilds](https://wiki.debian.org/ReproducibleBuilds)
[2] [https://f-droid.org/wiki/page/Inclusion_How-To](https://f-droid.org/wiki/page/Inclusion_How-To)

------
jarnix
I would like to host this service myself, it should not need too many
resources right? Is there an opensource lastpass that someone here is using ?

~~~
m3adow
[https://padlock.io](https://padlock.io) was mentioned in another post. From
first view it seems padlock + padlock-cloud could fit your needs.

------
bad_user
To the author: the title here and the homepage claims this is Open Source, but
I'm seeing no license information in the repository. Please clarify the
license.

Otherwise this seems like great work. Thanks.

I'm currently using KeeWeb on the desktop. Unfortunately the KeePass app
available for iPhone isn't that great. KeePass2Android is pretty OK though.

Will take this for a ride.

------
lucb1e
There are a few reasons why I don't use stuff like 1Password or LastPass:

- Not open source (or in part, e.g. the server side is closed);

- Uploads stuff to the cloud (I want to self-host);

- Not available on mobile;

Bitwarden sounded quite good at first: mobile, sync and open source. I can
inspect the code and run the web part (the vault, they call it) myself. Then I
had a look at the web part:

[https://github.com/bitwarden/web/blob/master/src/Web/Program...](https://github.com/bitwarden/web/blob/master/src/Web/Program.cs)

It's C#. I'm not going to run a Windows Server just for this.

~~~
hisyam
1Password doesn't upload stuff to the cloud (except for Team/Family sync). You
can choose which folder you store your vault in.

~~~
lucb1e
1Password is closed source. And I don't want it to not upload anything, I want
it to upload to my own server.

~~~
jbmorgado
Yes, and you can do exactly that and upload where you like.

Seems like you are making a fuss about a piece of software that you didn't
really bother learning how it actually works.

~~~
lucb1e
That still doesn't make it open source?

I want to use a password manager, I just can't find any that work everywhere
and don't depend on third party services (and I want to inspect the source
code). I'm not making a fuss on purpose.

------
johnhenry
Alternatively, [https://padlock.io/](https://padlock.io/) is useful.

~~~
MaKleSoft
Author of Padlock here. Thanks for mentioning! Happy to answer any questions
as to how Padlock compares to Bitwarden!

~~~
johnhenry
Thanks! Well, since I've got your attention, how does Padlock Compare to
Bitwarden? Maybe you could point out some major differences in what works
better in Padlock than in Bitwarden? What does Bitwarden do better and how
does Padlock plan to improve? (Although, this may not be the right forum for
this...).

~~~
MaKleSoft
Yeah, maybe not the right forum to cover all of your questions in detail but
here are a few bullet points (note: I just came across bitwarden, too, so this
is just from what I gathered from the website and the little time I've spent
playing around with it):

Similarities:

- Open Source

- Cross Platform

- It appears to be possible to host your own server

Differences:

- As pointed out somewhere else, Bitwarden is very limited in what you can
store. It seems to be primarily for storing website logins and does not offer
any customisation options for storing other kinds of data. Padlock is much
more flexible in that it allows you to add any number of fields to any given
record.

- Apart from the mobile apps, the primary way to access your data seems to be
the website served over https. This is a terrible idea for a ton of reasons
and I could spend all day going into all of them, but let's just say that there
is simply no way to handle your data in a secure and private manner this way
(either you have to do crypto client-side which is inherently insecure for a
website served over the net or you have to do it server-side which means you
have to send your master password to the server). By contrast the Padlock app,
although based on web technologies (it's built with Polymer), is only
available as a packaged (and code signed!) app for all platforms. This means
that you can safely do client-side encryption without having to worry about
the integrity of the source code. Padlock Cloud on the other hand is built on
the principle of Zero-Knowledge, meaning no unencrypted sensitive data is ever
sent to the server.

I could go on forever, but this will have to do for now. If you have any
specific questions, let me know!

------
drukenemo
When it comes to a password manager I want to pay for it. I personally use
1password and trust them. I want to pay for a reputable service that is
specialized in it and is interested in providing security and maintenance.

~~~
touristtam
Ok but I'll play the devil's advocate here: Can you really trust a closed
source code?

------
bwindels
Nice project, I like my flat-file password manager though, KeePass. Also OSS,
and agnostic to how to store/share the database (both an advantage and
disadvantage).

~~~
stephengillie
KeePass works very nicely on top of Dropbox and other cloud storage. The
KeePass Android app interoperates with the Dropbox Android app, handling
password and key file sync and updates.

For example, I can create a password in KeePass on my phone, for a new app. I
can then immediately open KeePass on my PC, find the new credential, and sign
into the app's website. Dropbox handles all the file updates in the
background.

------
Nelkins
The Android mobile app looks good for Xamarin (smooth transitions, list views,
etc). Previous apps I've seen just seem a bit slow.

~~~
xxkylexx
Thanks! Building mobile apps was actually a first for me with this project (my
background is in .NET & web development).

------
remir
One feature I like in 1Password is Wifi-sync. Passwords are synced between a
phone and computer instead of using the "cloud". Is this something you would
be interested in implementing?

------
aalvarado
There were two questions on Reddit that haven't been answered I think, one was
how is the cloud server being paid for and how is data being stored and
transmitted?

~~~
aalvarado
Was replied further down by the author:

> The product is currently sponsored by the Microsoft BizSpark program (see
> [https://bizspark.microsoft.com/](https://bizspark.microsoft.com/)) which
> provides services in Azure. The product website and web vault are hosted as
> static GitHub pages. Everything else is a client-side application.

------
dexterdog
Did anybody else all of a sudden start getting spam from keepersecurity.com
shortly after signing up for bitwarden?

~~~
xxkylexx
We have no affiliation with keeper. They are just sending you spam like they
do for everyone. Just a coincidence.

~~~
dexterdog
It just seemed fishy. I hadn't received anything from them since 2012.

------
educar
This looks great! Is this self-hostable?

------
thebyrdman
Seems like a password manager on mobile creates a large surface area for the
benefits. I prefer KeePass

~~~
educar
What do you use for auto-fill on chrome with keepass?

~~~
NeutronBoy
Rather than an extension, I just use the auto-type functionality.

------
hossbeast
Sticking with KeePass

------
aidos
The author (xxkylexx) has posted on this page but has been marked as dead.
Maybe a false flagging?

"Hi all. I am the author of this project if you would like to ask any
questions. Many have been answered on Reddit already but I will participate
here as well."

~~~
vonklaus
Responding to xxkylexx (child comment)

Only users who specifically enable "show dead" in their profile can see yours.
They are read only and can not be replied to. It is quite likely most users
can not see them, as show dead is opt-in only.

If you as a user, or this post, have been flagged as spam/other (likely) you
should reach out to HN via their contact info which I believe is listed in the
guidelines section.

You shouldn't litigate this in the thread (nor would anyone see it) but, Dang
is often quick to respond and both quite helpful and reasonable to legitimate
inquiries.

---

Bitwarden looks to be quite interesting. The client on ios does not support
the 5c, which is a shame since I have one. Curious if there is a hardware
limitation as the service appears cloud-based and it would be nice if a
software solution existed for users of slightly older phones.

Good luck!

~~~
xxkylexx
Thanks. I reached out to the email listed in the guidelines.

Unfortunately I can only support the ARM64 architecture for iOS currently due
to how Xamarin builds the project. When I introduce additional architectures
(i.e. ARMv7) it increases the size of the app from 50mb to 100mb.

~~~
vonklaus
Thanks, that clears it up. I have never used xcode but if there is a
straightforward way for me (and other users) to load it up, that would be cool. If
there is no way to add a legacy client to the app store, it might be good for
adoption to have a link to docs explaining the process (if it is easy enough)
to put it on older phones.

