Bitwarden – Open Source Password Manager (bitwarden.com)
337 points by GutenYe 41 days ago | 160 comments



I switched from LastPass to bitwarden in November, and I love it.

- it's FOSS, and audited, so it's software I can trust

- great UX on Firefox, chrome, and even Edge. I had my issues, but the project improved them away very quickly.

- sharing support for families or organizations.

- convenient standalone clients for win/Mac/Linux... And even the CLI.

- built in 2FA code generation for each entry, so I don't need a separate app for that.

- the best autofill I've experienced, on desktop browser and even on mobile(!)

- open API so there are third party clients available

- the lead developer is super responsive on GH, so I've been able to contribute.

- cheaper than the alternatives (at least at the time), and I feel good about where my money is going.

I can't recommend it strongly enough. It's one of the OSS applications that has a permanent place on all my devices, right up there with Firefox Quantum in my "great examples of OSS" list.


There's a bounty program but AFAIK there hasn't been an audit yet: https://github.com/bitwarden/core/issues/27


It's been awesome. The one feature I'm still missing from LastPass is being able to mark some entries as more secure and reprompting auth on those.


Is storing the 2FA codes alongside your password a wise idea?


Yes, if the attack vector you're trying to close is a compromised keyboard/network/terminal and not a stolen-while-unlocked device.

"Catching" one 2FA code doesn't let you compromise someone's account.

Losing (or having compromised) the hardware running your password manager while that password manager is unlocked is a totally different thing from logging into a web site once from a library computer.


> Yes, if the attack vector you're trying to close is a compromised keyboard/network/terminal and not a stolen-while-unlocked device.

However, not having the TOTP key in your password manager would also protect against malware on the machine running the password manager from gaining access to your account.


It depends on the use case, but generally speaking, yeah.

It's less secure than a dedicated device for storage of the 2FA secrets and code generation, sure, but I don't see how it's any less secure than using a service like Duo to manage and sync your secrets.

Furthermore, I'd argue it's substantially more secure than the recovery process for almost all of the services I use, most of which offer an option to reset by SMS.

Finally, keeping your 2FA secrets in your password manager is very likely not to change the attack surface for most people anyhow, as most people keep their recovery codes in their password managers as well.


As long as you're not using Gboard you're probably safe.


Care to expand on that thought? What's wrong with Gboard?


How easy is it to move from one Bitwarden server to the next?


I tried it out now, there is a csv import/export function.


Can it import Keepass DBs? I dread retyping all my passwords.


Yes: export the Keepass content (XML/CSV?), then import on Bitwarden.


I really, really want to be a big fan of Bitwarden. I even used it for the past year and a half. However, the last time HN talked about Bitwarden 7 months ago, I listed some reasons[0] why Bitwarden still fell massively short of 1Password, and I feel that those three points have not been addressed (which I believe impacts the friction/convenience of using Bitwarden).

My three points then were:

1. A stand-alone desktop app. Quite annoying to have to open up a browser every time I want to access a password. Basically, it's as inconvenient as Keychain on OSX if you're not using a browser when you need a login info. This could be solved if the browser plugin popup could be persisted as its own window.

2. iOS app is not polished. Not sure about Android app as I've not used it. (* biggest problem then was how slow search was. It has been improved although nowhere as fast as 1Password's—still)

3. In the Safari extension, I would love to be able to search and use item entries that are not specific to the domain. Sometimes, I have other info in secured notes or password entries without a domain that I want to get to from the extension. In these cases, I've had to leave the browser and open the actual app to get access to them.

I just migrated from Bitwarden to 1Password a few days ago and have been much happier since—especially with 1Password's ability to generate 2 factor tokens and put them in your pasteboard automatically so you don't ever have to pull up an Authenticator app!

[0]: https://news.ycombinator.com/item?id=15734260


There has been a standalone Windows desktop app since February. https://bitwarden.com/#download

> Especially with 1Password's ability to generate 2 factor tokens and put them in your pasteboard automatically so you don't ever have to pull up an Authenticator app!

Bitwarden also does this.


Thanks for letting me know! Somehow, neither the desktop app nor the OTP feature was very obvious to me.

I still felt its sluggish performance on launch/search/sync was slowing me down a lot throughout the day.


> I still felt its sluggish performance on launch/search/sync was slowing me down a lot throughout the day.

I recently switched (maybe 5 weeks or so ago, from 1Password to Bitwarden, after finding out about it on HN). I imported ~400-odd logins from 1Password, and I honestly don't find it any slower than 1Password.

I did notice that with Discord, both 1Password and Bitwarden now integrate with the new iOS password apis.


Maybe it's just my phone (6) but you may find that once you get 1000+ logins, Bitwarden falls apart pretty quickly. I've heard the same from people with 800+ logins. I remember it used to be very quick when I initially used it with a few plugins.

IIRC from their Github issue threads, Bitwarden is using Xamarin, and performant UI has been a consistent struggle with many login entries.


Bitwarden has had some performance issues in the past with managing larger (>~250) logins, but they've been greatly improved in the last few months and I no longer have an issue. My password database currently contains 870 logins.

Bitwarden's support via IRC/gitter was exceptional when I was experiencing issues with it. Not only did they fix the problem, but they provided a custom build for me with more verbose logging enabled and worked with me directly to figure out what the issue was. It was fixed in a couple of hours and I was able to run the patched build without issue until the fix had been merged and released.


Not Xamarin but Xamarin.Forms, basic Xamarin doesn't have issues with UI performance.


How in God's name do you end up with _thousands_ of logins, or even 800? I work in a pretty large MSP in IT with tons of different programs, websites, and clients. Even if I added every single password (which I most surely would not do), I can't imagine there being more than two or three hundred. Conservatively, if every one of two hundred clients has thirty passwords, that's still only 600.


Two hundred times thirty is 6000


...well this is awkward.


Lol :)


640kb ought to be enough for everyone, right? Just because it's not your use case doesn't mean that it's the same for everyone.

I have over 1500 entries in my password manager. That's the result of using it for years and having every single account I signed up for registered in it. Including random forums I only ever posted once for support. So yes, people can have more than 100 entries in their password manager.

I switched from LP to bitwarden because I didn't trust LP anymore. It's fine, but I find the autofill very dumb (it will usually overwrite your password or random fields in various forms), and it doesn't do subdomain matching well. Search or just opening the extension (on Firefox) is sluggish, and the android app is very slow (open and search). Automatically putting the 2FA in the clipboard has never worked for me either (Firefox on Linux). But I'll keep using it anyway because it's FOSS and not LP. You can even self host your instance if you like.


Well, I don’t have 1000+ logins. Especially not among those I use frequently. However, I use a password manager for far more than just logins.

Also, having combed through my entire catalog by having to manually import Bitwarden to 1Password, I’ve realized all those random startups I’ve made a login for or various sites for applications (job/school/etc) really add up quickly!


I've been a 1Password user for about 10 years, but I never moved to 1Password 6, as I didn't want to sync my vault to their servers (even if it's E2E encrypted). I've moved from being primarily an OSX user to Linux, and as a result, my experience has progressively gotten worse enough on 1PW (broken FF extension, general jankiness running on Wine) that I'm finally looking to switch off, either to KeePassXC or to Bitwarden.

As far as a desktop app, it's electron-based, but there is a cross-platform Bitwarden app that seems to work well enough (responsive, minimizes to tray, etc).

I've yet to import all my passwords into Bitwarden (still comparing the Ruby, Go, and Rust standalone server implementations), so I guess we'll see where the experience is after I fully switch.

Regarding 2FA, while it doesn't totally expose you, if you put your token in your PW manager, you've definitely significantly weakened your security.


If you want to use 1Password on Linux, the experience is alright nowadays. I've been using this:

https://addons.mozilla.org/en-US/firefox/addon/1password-x-p...

..and it works great. Same as 1Password X for Chrome, it does not require a desktop app, and handles certain things like TOTP a bit more seamlessly.


You don't have to sync your vault in 1Password 6.


Nor in 1Password 7 (the latest version). They do push it pretty hard, and given their evasiveness/dishonesty about the business implications of subscriptions and the push I wouldn't blame anyone for being concerned that stand alone license+vault support might be removed in a future version (they have said there will be no more free version updates IIRC though). However, for the time being subscriptions and 1P's cloud service remain optional and possibly disappointing only in terms of eliminating what might have been, not anything that already existed.


I share your sorrows regarding broken FF extensions, most notably FT Deepdark. I haven't upgraded beyond FF 56 for the same reason. (Sorry for deviating from the main topic here)


I used 1Password for years on iOS and stored my Vault in iCloud. But AgileBits’s intention to change to subscription model was a deal breaker. Then they made some bad design decisions at the time of iOS 11 upgrade. I lost my vault, and given their hostility towards non-subscribers, I no longer feel comfortable trusting the product won’t fail again. I changed to BitWarden to handle my low-level net passwords, and that’s perfectly adequate.


Someone else pointed it out but it’s worth repeating that the convenience of having your 2FA on your laptop/desktop might be making a significant security trade off. It’s not really 2FA if it’s on the same device.


That’s true. I had lost sight of that... well, I wish more places would support a Yubikey!


Bitwarden itself allows you to require a Yubikey for each credential retrieval. I'm not sure how that would differ from having the Yubikey itself be the credential, from an attack surface standpoint.


Er, there IS a desktop client for Linux/windows/iOS. Also a CLI client, FWIW. And an API so you can fork and improve it yourself if you like.

I can't speak to the iOS or Safari versions, but it's just angularjs underneath the FF extension, so I imagine it's quite similar to what I've used. And I quite like the UX.

And bitwarden has included a 2FA generator for at least a year.


Wait, there's an official cli client now?

[ed: here it is https://help.bitwarden.com/article/cli/#quick-start

Seems a little more gnarly for scripting than pass (pass leverages gpg agent for getting a passphrase/keeping a "session" - but might work for my primary need - simplifying VPN logins) ]


> 1. A stand-alone desktop app. Quite annoying to have to open up a browser every time I want to access a password.

It looks like they have a native desktop app for Win/Mac/Lin? https://bitwarden.com/#download


There are also two Bitwarden-compatible API implementations in Rust[0] and Ruby[1]. Their main advantage, IMO, is them doing away with the requirement of Microsoft SQL Server.

[0] https://github.com/dani-garcia/bitwarden_rs

[1] https://github.com/jcs/bitwarden-ruby


This is an AWS Serverless version which can run pretty much completely in Free Tier and you have HA out of the box https://github.com/vvondra/bitwarden-serverless


There's also a Go implementation: https://github.com/VictorNine/bitwarden-go/


This is great ammo for answering when anyone asks why Bitwarden (or OSS in general) is better than LastPass or 1Password...


I thought it was very cool of Kyle, the Bitwarden dev, to give Joshua, the Ruby dev, a heads up about breaking API changes ahead of time.

https://github.com/jcs/bitwarden-ruby/issues/32


If anyone wants an open source command line driven password manager that doesn't require signing up or hosting anything, I recommend checking out "Pass". It piggybacks off GPG encryption.

https://www.passwordstore.org/

I use it to manage over 300 passwords and other sensitive blobs of text (it lets you save arbitrary text snippets) and also has some nifty quality of life features like auto-copying a password to your clipboard for 30 seconds when you want to access a specific password.


I like and use pass regularly, but it has some inconveniences.

- It doesn't encrypt the paths to the passwords

- It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

- It doesn't work with (Update: X.509) smartcards/gpgsm

- It's written in bash. That has pros and cons...


> - It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

You can use multi-line passwords with the -m flag without leaking any information in the path.

You can put whatever you want in the password entry, in whatever text format you want.

So you can save an entry like this:

areallygoodstrongpassword

Username: someusername

Secret API key: abc123

It's also really smart about what happens when you copy that entry to your clipboard. It will copy just the first line for easy password pasting.

There's a demo of me using it to store AWS credentials in this write up: https://nickjanetakis.com/blog/managing-your-passwords-on-th...

> - It doesn't encrypt the paths to the passwords

Yep, but the upside is you have tab complete in your terminal for accessing your passwords.

If you planned to put it up on github you could always encrypt the folder / file names using https://github.com/cryptomator/cryptomator or a comparable tool. I don't publish my pass fields on my public github account, so I never ran into this problem.


> - It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

Only the first line of an encrypted file is considered to be the password. So you can just put your username or any other account-related information on the following lines.

> - It doesn't encrypt the paths to the passwords

To elaborate: One of the problems with this approach is that it may leak websites where you have accounts to people who gain access to your pass repo/directory even without gaining control of your gpg key.

> - It doesn't work with smartcards/gpgsm

What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?


>> - It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

> only the first line of an encrypted file is considered to be the password. So you can just but your username or any other account-related information on the following lines.

I didn't know that. But what I would have preferred was copying the username with one command and copying the password with another.

>> - It doesn't work with smartcards/gpgsm

> What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?

I haven't tried that with a Yubikey, but with a corporate X.509 id card. And that needed gpgsm. I had to patch pass in order for it to work, because gpgsm uses different parameters than gpg.


https://github.com/bitwarden/core/blob/master/README.md

SQL Server 2017, really? Interesting choice. Open source but we have to pay licenses for the database if we want to self host. I wonder what was wrong with PostgreSQL or MySQL even if they're using .NET Core as a language.

Edit: there is an issue for that https://github.com/bitwarden/core/issues/10


> Open source but we have to pay licenses for the database if we want to self host.

As Bitwarden states in the core readme (https://github.com/bitwarden/core#requirements) "These dependencies are free to use." And if you look up the licensing on MSFT's website (https://www.microsoft.com/en-us/sql-server/sql-server-2017-p...) you can see that the SQL Server Express version is free.

Note: No, I'm not an MSFT employee and not related in any way to the mentioned company. I'm just a (not so regular) human being who first looks up information before posting statements.


I'm not in the Microsoft stack so I have no idea how much SQL Server and SQL Server Express are compatible. I only know they exist.

The README requires SQL Server so I might be excused thinking that it would work only with that software. Nice to know that it does work on the free version too. I googled and looked on MS site and didn't find out if SQL Server Express exists for Linux too, but I'm on my phone right now. I only managed to involuntarily download a .exe :-)


> I googled and looked on MS site and didn't find out if SQL Server Express exists for Linux too, but I'm on my phone right now.

There you go: https://hub.docker.com/r/microsoft/mssql-server-linux/

:)


Thanks. Same binary for both versions but setting an environment variable makes it switch to Express.


right.


Yes, SQL Server Express is available for Linux.


Ah shit, it's a .NET program :(

It all sounded really good until this point. I was even going to say you could add support for postgres, but I don't know a lot of open source devs who are using .NET.


Keepass2 is also Open-Source and .Net because as far as I know .Net offers some extra security on Windows like locking the desktop while entering the master password.


Can you please give me a link about locking desktop while entering a master password in KeePass? I want to know more about it.



Pretty sure they were in the BizSpark program from Microsoft, so that probably influenced a lot of their technology choices.


They were, check this discussion on HN two years ago https://news.ycombinator.com/item?id=12676979


Having worked with many RDBMSs in the past, MSSQL is one of the very few that I would recommend for new installations.

Basically, my flow chart for DB selection:

Do you have an enterprise worth of money to burn on the deployment and maintenance? Oracle.

Are you deploying to Windows? MSSQL.

Else: Postgres.


> Do you have an enterprise worth of money to burn on the deployment and maintenance? Oracle.

Even then I'd actively try to avoid it.

Source: three years installing, configuring and supporting it.


I don't disagree - but with an "enterprise worth"† of money to burn, you can hire someone like you to suffer through it!

†: Now that I've used it twice, I move that we make an "enterprise worth" a unit of measurement of money, like a "Library of Congress" is a unit of measurement of storage.


For years I've discouraged use of clouds for storing passwords. But because Bitwarden is FOSS software, encrypts data on the client, has good cross-platform support, and can operate if the company goes out of business they have won me over for the storage of secrets I'm not reserving for the sneakernet.


Last time I checked Bitwarden was not encrypting data on the client. Did that change?

Also, OSS does not mean secure. Without audits from security experts, I can’t trust it.

Bitwarden is objectively less secure than 1Password or Keepass actually, at the very least because it doesn’t have a desktop application.


> Since all of your data is fully encrypted before it ever leaves your device, only you have access to it. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

From the linked page (https://bitwarden.com/)


Bitwarden has a desktop client.

If you are hosting it on your private server does it change your outlook on its security?


No, it’s worse.


Very thorough argument.


Matches the question, but should be obvious why.

I do not have the inclination or resources to secure and keep my server up to date, unless we are talking about a periodic "apt upgrade" that I could configure to run automatically, but no more than that. And at the very least I know how to reasonably secure a Linux server, at least initially.

If running your own server gives you peace of mind in terms of security, then read more about how security works and the threat model you'll face. Just to give an obvious example ... running your own Wordpress is one of the worst things you can do on your own server, putting your whole server at risk, not just your website.


> running your own Wordpress is one of the worst thing you can do on your own server, putting your whole server at risk, not just your website.

My personal experience says this is 100% true.

Even when I've managed to stay on top of WP updates my server is invariably targeted by automated attacks more often than others that are hosting static sites and other frameworks. I strongly suspect that attackers maintain lists of server addresses that host WordPress sites and use that to make assumptions about their running services. If they know that it's a "self-hosted" webserver, even if they can't break WordPress there's a very good chance that some other unpatched vulnerability exists.


> If running your own server gives you peace of mind in terms of security, then read more about how security works and the threat model you'll face.

I don't know about this argument. On the one hand you can configure something as secure as you like/can, on the other hand you have to trust other people to do their best. If you don't trust them with your passwords, you would also not trust them to do their best.

If you host it yourself, a paranoid me would host their instance accessible only inside a stable VPN xor by tunneling a port via SSH.


You're right in the aspect that OSS does not mean secure... don't agree with the down-votes here.

OSS can often mean less secure. Unless you have the capabilities to fully audit the software you shouldn't fully trust OSS... unless it has an external audit.



There’s also https://github.com/gopasspw/gopass with some more features for teams while being compatible with pass.


Great tool. I use it together with keybase.


How are you using it with Keybase.io?


You can use keybase git as the backing storage for pass: https://keybase.io/blog/encrypted-git-for-everyone


Can I take advantage of this on my mobile device or browser? Can I share with my team? It's not really apples to apples.


> Can I take advantage of this on my mobile device

Yes. See the list of compatible clients on the page: https://www.passwordstore.org/#other

I personally use it on android happily.

> Can I share with my team?

Yes. Just encrypt to multiple gpg ids, which can be customized per folder as well with a simple list in the ".gpg-id" file.

I admit that you can only use it as such with tech-savvy team members. If you want usability such that non-technical people can work with it, you'll likely want something else, like 1password.


Yes. You can. [0]

I run passff [1], to get Firefox to use it, and Android-Password-Store [2] on my phone.

[0] https://www.passwordstore.org/#extensions

[1] https://github.com/jvenant/passff#readme

[2] https://github.com/zeapo/Android-Password-Store#readme


There's also browserpass [0]; it works great in firefox and chrome as well.

A great great plugin is pass-otp [1]; using this I have migrated the storage of all OTP secrets from my phone to pass. And then I export it from pass to my phone. That way I still have my OTP secrets if I lose my phone and don't have to hassle with recovery of accounts just because of losing the phone. For sure the OTP needs to be changed at that point, but still worth it.

It's also worth mentioning that browserpass [0] integrates pass-otp [1], so whenever I log in to a page (that has an OTP secret) using browserpass it shows a little box in the top right corner with the current OTP code that I can copy-paste to the site.

[0]: https://github.com/browserpass/browserpass

[1]: https://github.com/tadfisher/pass-otp
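As an added illustration of the entry layout described in the earlier pass comment (password on the first line, free-form metadata below) and of the otpauth:// line that the pass-otp comment above relies on, here is example code written for this thread, not code from pass, pass-otp, browserpass or any commenter. The sample entry is constructed; its field names are assumptions and its TOTP secret is the published RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample entry in the pass layout: first line is the password,
# later lines are "Key: value" metadata, and the otpauth:// line is the
# convention pass-otp reads. The base32 secret is RFC 6238's test key
# ("12345678901234567890"), so the codes below are the RFC's own vectors.
SAMPLE_ENTRY = """areallygoodstrongpassword
Username: someusername
Secret API key: abc123
otpauth://totp/example.com:someusername?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.com&digits=6&period=30
"""


def parse_entry(text):
    """Split a pass-style entry into password, metadata fields and otpauth URI."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("entry has no password line")
    entry = {"password": lines[0], "fields": {}, "otpauth": None}
    for line in lines[1:]:
        if line.startswith("otpauth://"):
            entry["otpauth"] = line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            entry["fields"][key.strip()] = value.strip()
    return entry


def first_line_for_clipboard(text):
    """What `pass -c` puts on the clipboard: only the first line, never the metadata."""
    return text.split("\n", 1)[0]


def totp_from_otpauth(uri, at_time=None):
    """Compute the RFC 6238 code for an otpauth://totp/ URI at a given Unix time."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    params = parse_qs(parsed.query)
    secret = params["secret"][0]
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    # Base32 secrets in these URIs are usually written without padding; restore it.
    padded = secret.upper() + "=" * (-len(secret) % 8)
    key = base64.b32decode(padded)
    now = int(time.time()) if at_time is None else int(at_time)
    counter = struct.pack(">Q", now // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): 4 bytes at an offset taken from the last nibble.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print("clipboard would get:", first_line_for_clipboard(SAMPLE_ENTRY))
    print("fields:", entry["fields"])
    print("current code:", totp_from_otpauth(entry["otpauth"]))
```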


Dropbox. It's just files. Or make a company/webservice around it if that's too complicated.


First paragraph on their page disqualifies it completely. I do not want my passwords on anybody’s servers.

Our secure cloud syncing features allow you to access your data from anywhere, on any device! Your vault is conveniently optimized for use on desktop, laptop, tablet, and phone devices.


> I do not want my passwords on anybody’s servers.

What about your own server?

https://help.bitwarden.com/article/install-on-premise/


To me, this disqualifies it:

> Each Bitwarden installation requires a unique installation id and installation key.

If I’m self hosting, I want it to be independent of the code provider. It is bad enough, to me, that I have to pay a subscription fee to self-host “advanced” features like Yubikey auth. That’s the same kind of annoying that my own install still must link to their server that can die at any moment.

Let me buy the software to self-host with all of the features. The “subscription” and “integrated” mindset has no place in “I’m doing it myself” installs.


>That’s the same kind of annoying that my own install still must link to their server that can die at any moment.

With software like a password manager, if it's not actively maintained you're not going to want it anyway. So the same risk of the developers either discontinuing the product OR changing the pricing model applies just about evenly.

Being open source, at least the community can fork and maintain the software if the developers ever did throw in the towel, similar to TrueCrypt's forks.


I run my own server; it works great and is incredibly easy to set up. I would highly recommend people check this software out.

It's maybe not as feature rich as other password managers, but it is being actively developed and the few times I had questions I got a quick response from Kyle (the creator).


> I run my own server

If you think it matters where the data is stored (which shouldn't matter because it should be client side encrypted), running your own server would also be a risk. Because you cannot possibly have the same resources to monitor your server/router for suspicious activity...


That's true, but at the same time, there's something to be said for not storing my eggs in the huge basket with everyone else's eggs in it too.

By separating the storage of passwords, we drive down the economic interest in breaking into any one of the individual baskets.


Maybe I do, maybe I don't want my passwords to be at the same target as others, maybe I don't trust the hosting provider or Bitwarden the company (which you could argue, then I shouldn't trust the software, but I can monitor its behavior).


I still think it matters where data is stored because I don't trust most companies to not have back doors.

Since it's all my own equipment and I have a background in this sort of stuff, I know what I am looking for when it comes to intrusions.


I had considered setting it up until I saw that SQL Server won't start unless the container has 2G of RAM. That quadruples the price of a VM on hosting providers from the usual minimum.

What is essentially a small CRUD app with encryption requirements shouldn't need 2G just for a database app.



It’s expensive to setup, if you need to rent a VPS it’s going to cost $5 per month which is probably the most expensive option and if you can’t trust somebody else’s server, you definitely CANNOT trust your own VPS ;-)


Maybe you should have read a bit more than just the homepage title.

"HOST IT YOURSELF Don't want to use the Bitwarden cloud? You don't have to. With Docker you can easily host Bitwarden's entire infrastructure stack on the platform of your choice."


Thanks to the comments there I finally did. First I was excited with the possibility of setting up my home server. But after reading more, the complexity of the setup and required resources are way too much for my use case. I think this is great for a small business, but it is huge overkill for me (home use). I just want my laptop to sync with my iDevices. Peer to peer vault sync built into the app would be much easier and does not require a server running all the time. Plus it does not put a man in the middle for simple sync. Nothing wrong with Bitwarden for small business or even enterprise; it is just not for personal use if you want your secrets secret.


The 'point' of solutions in this space is that they allow password access across devices. They use end-to-end encryption and support self hosting, what else could they do?


1Password for ages had the ability to sync your computer and iDevices on the same WiFi network by opening direct connections. A bit more inconvenient than cloud-based sync, but convenience was always death to security :-) Self hosting may be the answer.


It's encrypted on the client.


I'm using KeepassXC on desktop, Keepass2Android on mobile and Dropbox for syncing the database and I'm quite happy with it. Bitwarden looks a bit more polished, but are there any other advantages over Keepass?


Check also KeePass Dx for Android, it has some nice features like Fingerprint for fast unlocking, AutoFill and a nicer Material Theme.


KeePass DX doesn't support syncing the database natively. With Keepass2Android, you don't need to install the Dropbox client to save the database to cloud providers.


Other than the design being a tiny bit different, I can't see what KeePass Dx offers that differentiates itself from Keepass2Android?


Same, and for accessing it over the web (for when I'm not on my own machine) I use keeweb (https://keeweb.info/)


I love Bitwarden. I signed up when it first launched and happy to see it continue to add features. One of the only projects I pay to support the project rather than to get access to the additional premium features.


I recently switched to BitWarden from Lastpass after trying a few different options including pass, Enpass and KeePass options.

95% of my usage is in the desktop browser, and the UI of their add-on is great, IMO.

Lastpass had been getting worse for some time, and their shuttering of Xmarks finally left me with no good reason to stay.

Using the add-on with Firefox on my phone is reasonable, although could be a bit better. Phone experience in general I'd say is also quite reasonable - not used it that much yet, but I think it is quite comparable to other offerings.


Was the data transfer easy between the 2? I'm thinking of doing the same.


Yes, it was very easy. Just follow the instructions from here: https://help.bitwarden.com/article/import-from-lastpass/


Do pay attention to the HTML encoded characters mentioned on that page because I was going crazy trying to figure out why some passwords didn't work after I imported them.


At the time I migrated from pass, there was no custom import/export - but bitwarden csv support is enough that you should be able to migrate anything where you can get at your logins in any structured format via some minor scripting.


One problem with password managers (that are using web authentication to create/manage an account for backing up the password manager in the cloud) is that the authentication password can be leaked during the authentication process. For example, the storage provider for the password manager backup can simply read the password from the authentication web page, since this web page is hosted at the provider. This is problematic if the authentication password is also used to encrypt the password manager, i.e. the provider could decrypt the password manager with the authentication password. You would actually need two passwords; one for authentication and one for encryption. Unfortunately, you usually don't even have the option to choose two passwords.

To solve this problem I'm working on FejoaAuth (https://fejoa.org/fejoapage/auth.html). FejoaAuth uses an authentication protocol that does not leak the user password to the provider who is going to store the password manager. This protocol is run in a trusted browser plugin in order to ensure the correct execution of the protocol. Thus you can use a single password for authentication and password manager encryption.
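As an added illustration of the separation the comment above asks for (not the commenter's code, not FejoaAuth, and not Bitwarden's own implementation), the following shows how a client can derive two unrelated secrets from one master password: an encryption key that never leaves the device and an authentication secret that is the only thing the provider ever sees. The iteration counts, salts and the `demo()` sample user are constructed for the example; this only helps when the client code doing the derivation is trusted, which is exactly why the comment puts the protocol in a plugin rather than in a page served by the provider.

```python
import hashlib
import hmac
import secrets


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256: a purpose-bound subkey of prk."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def client_derive(password: str, email: str, iterations: int = 100_000) -> dict:
    """Runs on the client only. 'enc_key' stays local; 'auth_secret' is sent to the provider."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations)
    return {
        "enc_key": hkdf_expand(master, b"vault-encryption"),        # encrypts the vault locally
        "auth_secret": hkdf_expand(master, b"server-authentication"),  # proves identity to the server
    }


class Server:
    """The backup provider: it stores only a salted, stretched hash of auth_secret."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, hashlib.pbkdf2_hmac("sha256", auth_secret, salt, 10_000))

    def login(self, email: str, auth_secret: bytes) -> bool:
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", auth_secret, salt, 10_000))


def demo() -> dict:
    """Constructed walkthrough: one password, two roles, and the provider never holds enc_key."""
    server = Server()
    email, password = "alice@example.com", "correct horse battery staple"  # constructed sample
    keys = client_derive(password, email)
    server.register(email, keys["auth_secret"])
    ok = server.login(email, keys["auth_secret"])
    bad = server.login(email, client_derive("wrong password", email)["auth_secret"])
    salt, stored = server.users[email]
    # HKDF subkeys with different 'info' are independent: what the server stores
    # gives it no handle on the encryption key, even though both came from one password.
    return {"login_ok": ok, "wrong_rejected": not bad,
            "enc_key_on_server": keys["enc_key"] in (salt, stored)}
```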


I've been a Keepass user for so long I just haven't wanted to switch. I just don't want to use someone else's server... or set up my own. Even so, best of luck to them.


Yeah. You may sync your keepass db using Google Drive-like services -- I do this


If you were curious about the Open Source part (I was) - https://github.com/bitwarden/


I've been using this for the last few months and couldn't be happier. I use the browser extensions in Firefox, Chrome and Edge, as well as the desktop, Android and web apps.


How does it compare to KeePassXC and 1Password?


I found KeePassXC to be fairly clunky and didn't work well on Android with regards to autofilling forms, but that was a while back and it may have improved since then. Also with Bitwarden I've elected to have them host my encrypted passwords so I don't need to worry about setting up my own sync provider. I don't know much about 1Password but I didn't trust them to put too much effort into their Android app since they were predominantly an Apple shop.


> didn't work well on Android with regards to autofilling forms

Works pretty well, I use "Keepass2Android Password Safe" and it supports the newest APIs to enable fully automatic filling once you tell it which app belongs to which account. For syncing I use my own nextcloud server.


Their (1Password) Android app is great. As you pointed out though, iOS always gets the UI/UX benefits first because they're focused predominantly on the Apple eco.


Thank you!


What's the difference between their browser extension and web app (the vault)?


I like Enpass. Syncs to my own nextcloud. What other password managers can do that out of interest?


The Standard UNIX Password Manager (password-store): https://www.passwordstore.org


I also use Enpass. It needs more of a mention in these threads.


I suspect Enpass doesn't get much mention on HN threads because it is not (or at least, does not obviously appear to be) open source, which I've observed is of paramount interest to a large number of HN readers -- full disclosure: including me.

Because it is not open source [0], we must take statements like the following purely on faith in their PR department, rather than being able to independently verify:

https://www.enpass.io/kb/if-enpass-is-an-offline-password-ma...

"Indeed Enpass is an offline password manager and saves your data locally on your device and in any case, we do not (and we can not) access any of your data. But yes, Enpass does connect to the internet with the sole purpose to give best user experience."

I'm sure they're really nice people, and do their best, etc, etc, but passwords are the linchpin crown jewels. Enpass could secretly and instantaneously become bad actors or incompetent stewards of said crown jewels, and we wouldn't know, since we cannot see what they are doing. One of many risks I would not take.

[0] Please correct me if my search-engine-fu is weak today, but I can find no official Enpass open source repos or code anywhere.


One fine day Enpass pulled their app from BlackBerry users - no warnings, no refunds: https://www.enpass.io/blog/discontinuing-the-support-for-enp...

There are quite a few comments from paying customers who were locked out of their data. According to timestamps, the Enpass team successfully ignored these comments for months.

Perhaps this should be mentioned whenever Enpass surfaces as an option...


Here’s why I switched from 1Password—

I recently picked up a Pixelbook and have gone all in on ChromeOS. It's replaced my MBP. But unfortunately, that meant parting ways with 1Password.

I needed a new password manager with the following:

- Self hosted

- TOTP support (have since decided not to use this)

- A web UI

- iOS app with Face/Touch ID.

I tried the 1Password subscription but 1Password X just felt too clunky and I wasn’t in love with storing on their server.

Keepass/XC/whatever was a hot mess for me. I really wanted to use it and the idea of keeping and syncing a single db file still really appeals to me, but the ecosystem is such a mess. I tried running a self hosted container for Keepass Web but I kept having to enter a Dropbox API key on every client. I also couldn’t find an iOS app that supported Face ID or the option for storing TOTP. Maybe it’s a better experience on Android. On top of that, the UI was pretty jarring all around.

Bitwarden still has some work in the UI department. The lack of keyboard shortcuts and a native app adds some resistance but it’s manageable for me.


This is a nice product, but the server requirement completely eliminates it as a candidate instead of 1Password for me. I still can't find a better open-source solution which works completely offline on desktop, browsers and mobile devices with the possibility of synchronization using 3rd-party services, decent UI and at least the ability to store TOTP passwords.

Enpass is good, but it's proprietary too.


Any reason not to use Firefox's own password sync? It's been working fine for me so far.



It was probably posted in response to the firefox lockbox announcement.


1Password works great on iOS and macOS but it's not open source... and there's the subscription they try to impose... and their servers... So I was looking to replace it. Bitwarden could be the one in the near future as Keepass is a real pain on iOS and mac for a non-techie. The problem I still have with bitwarden is that the app won't work unless connected to the internet. If the connection is missing you can't add or edit anything, store on your device and sync later :-(


"Each Bitwarden installation requires a unique installation id and installation key."

Sorry, it doesn't count as open source if everyone needs your permission to run it.


It's open source, not too hard to remove this requirement.


The time investment to prove or disprove this statement is more than I'm willing to give. I'd prefer to spend my time working with projects whose maintainers aren't hostile to my privacy.


> whose maintainers aren't hostile to my privacy

How are they violating your privacy?


It's full of shills every time there's an article about password managers. I wonder if they come from LastPass or 1Password.


If you're searching for an open-source self-hosted alternative that offers corporate features like LDAP integration take a look at SysPass (https://github.com/nuxsmin/sysPass). Doesn't look as nice as Bitwarden though.


This looks like it could be better than LastPass. Bitwarden is the only password manager that I've seen that officially supports Opera, Vivaldi, and Brave. I wonder what the browser support on Android is like. LastPass seems to work only on Chrome on Android, but I like to use Firefox, Opera, and Samsung's optimized browser.


Firefox mobile can use the extension and the native android app is fully supported by Android's password completion support as well.


> Bitwarden is the only password manager that I've seen that officially supports Opera, Vivaldi, and Brave.

Brave bundles their extensions, and have gone months between updates in the past. Be aware of that if you use it, as it's a potential security issue with a password manager.

> I wonder what the browser support on Android is like.

Android support is excellent. The only nagging issue I had was that the "URL" for an app is usually something like "com.github", while the URL stored in the login is "github.com". Bitwarden is good about partial matches, so it's rare that I had to search for the login I wanted.

> LastPass seems to work only on Chrome on Android, but I like to use Firefox, Opera, and Samsung's optimized browser.

I moved off Android a few months ago, but I was using Brave and Bitwarden integrated seamlessly. It ties in to the "accessibility" framework I think, and offers an option in the system dropdown menu when a login is detected.
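As an added example (not Bitwarden's code) of the matching behaviour described in the comments above: an entry can carry several URIs, each URI gets a match mode, and an Android app id such as "com.github" is compared by reversing it into DNS order so that "github.com" still matches. The `androidapp://` prefix, the match-mode names and the sample vault are assumptions for the example, and the base-domain helper uses the last two labels instead of a public-suffix list.

```python
from urllib.parse import urlsplit


def _host(uri: str) -> str:
    """Host part of a URL; a bare 'github.com' is accepted as well."""
    if "://" not in uri:
        uri = "https://" + uri
    return (urlsplit(uri).hostname or "").lower()


def _base_domain(host: str) -> str:
    """Last two labels only (assumption); real code should consult the public-suffix list."""
    return ".".join(host.split(".")[-2:])


def android_app_to_host(package_name: str) -> str:
    """'com.github.android' -> 'android.github.com'. Note: a package name is chosen by the
    app author and is not verified against domain ownership, so treat it as a convenience."""
    return ".".join(reversed(package_name.lower().split(".")))


def uri_matches(entry_uri: str, candidate: str, mode: str = "domain") -> bool:
    """Compare one stored URI with what the browser or Android autofill reports."""
    if mode == "exact":
        return candidate == entry_uri
    if mode == "startswith":
        return candidate.startswith(entry_uri)
    if candidate.startswith("androidapp://"):           # assumed app-id URI scheme
        cand_host = android_app_to_host(candidate[len("androidapp://"):])
    else:
        cand_host = _host(candidate)
    entry_host = _host(entry_uri)
    if mode == "host":
        return entry_host == cand_host
    if mode == "domain":
        return _base_domain(entry_host) == _base_domain(cand_host)
    raise ValueError(f"unknown match mode: {mode}")


# Constructed sample vault: one login reachable from several addresses, one pinned to a host.
VAULT = [
    {"name": "GitHub", "uris": ["https://github.com/login", "androidapp://com.github.android"], "match": "domain"},
    {"name": "Nextcloud", "uris": ["https://cloud.example.net"], "match": "host"},
]


def find_logins(candidate: str, vault=VAULT) -> list:
    """Names of entries that match the given page URL or app id, in vault order."""
    return [e["name"] for e in vault
            if any(uri_matches(u, candidate, e.get("match", "domain")) for u in e["uris"])]
```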


We evaluated Bitwarden to use as our company vault for shared accesses, however we found OneLogin to have a better UI, additional functionality (especially when it came to syncing with our Google directory) and the price (for enterprise) wasn't too much less than OneLogin (which is negotiable anyways).


I personally would be a little wary of OneLogin, they suffered a breach in the past[1]. I know a lot of services are breached, but one keeping my secrets I want rock solid.

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-...


To be fair, many of them could be breached already, you just don't know about it yet. At least with OneLogin there was a disclosure and pressure from the public to improve their opsec.


If somebody wrote code to let me send the second factor from a nominated device, as my bank's use of Symantec technology does... it would be cool. I keep meaning to remind myself that having the second factor inside 1password is not a second independent factor.


What I really like about Bitwarden is that you can define several URLs for one entry; I have some services which can be accessed from several addresses (same account) though.

It is also possible to define how a URL is matched which is a nice feature too.


I love the Linux app, and the integration on browser extensions and Android app, but the Android app is very limited on features. I love projects like this, and support them as a paid member, just like ProtonMail.


I love bitwarden, and have converted to it. However, I just learned about https://passman.cc/ Has anyone used that?


Yes, I'm using it currently and have for over a year. It works well enough. However, the mobile apps haven't shown progress in over a year. Development on the main app is very slow. The browser extensions work, but do have minor quirks.

Honestly, it feels like a dead project. It's not, but it's lacking in resources and the devs are lacking in time, from what I've been able to gather from the issue tracker: https://github.com/nextcloud/passman/issues I do sometimes worry I'm one nextcloud update away from losing access to my passwords, as a recent one did mess with the interface a bit; it's still functional but some UI elements are misaligned.

I've been considering switching to bitwarden for a while. Its interface is much nicer, and more polished. I've mostly been waiting for one of the alternative API implementations to mature a bit, because I don't want to have to run a big honking MS-SQL container on my little VPS. I'm also going to have to write my own importer, or mangle the data a bit, because the csv format for passman isn't compatible with any of the import formats for bitwarden.

Or maybe I'll just give up and migrate to pass or gopass (https://www.gopass.pw/, worth looking at if you like pass). I think I want too much from my password manager =/


Can you keep the database on a local disk, Dropbox etc?


https://github.com/dani-garcia/bitwarden_rs is an api-compatible backend and uses SQLite as a database engine. You can also build it outside of Docker. I'm not sure how well SQLite binary files sync to Dropbox, but definitely you can run on local disk.

source: https://news.ycombinator.com/item?id=17504187


Not in the same way as other password managers. But you can set up your own Bitwarden instance using Docker if you don't want to trust them with your passwords.


Seriously? A password manager where the desktop app is built on top of insecure Electron.


I get that Electron is undesirable, but what do you mean by unsecure? Also, can you list some alternatives if you don't want them building a desktop app in Electron?


Malware can sweep through the memory to find passwords by reading memory directly from another process' address space.


This is a risk in desktop software written in other languages and with other GUI frameworks as well, no?


What are the advantages and disadvantages of Bitwarden over KeePassXC?


A web UI and iOS app that supports Face ID and TOTP codes.



