
I switched from LastPass to Bitwarden in November, and I love it.

- it's FOSS, and audited, so it's software I can trust

- great UX on Firefox, Chrome, and even Edge. I had my issues, but the project improved them away very quickly.

- sharing support for families or organizations.

- convenient standalone clients for win/Mac/Linux... And even the CLI.

- built in 2FA code generation for each entry, so I don't need a separate app for that.

- the best autofill I've experienced, on desktop browser and even on mobile(!)

- open API so there are third party clients available

- the lead developer is super responsive on GH, so I've been able to contribute.

- cheaper than the alternatives (at least at the time), and I feel good about where my money is going.

I can't recommend it strongly enough. It's one of the OSS applications that has a permanent place on all my devices, right up there with Firefox Quantum in my "great examples of OSS" list.

There's a bounty program but AFAIK there hasn't been an audit yet: https://github.com/bitwarden/core/issues/27

It's been awesome. The one feature I'm still missing from LastPass is being able to mark some entries as more secure and reprompting auth on those.

Is storing the 2FA codes alongside your password a wise idea?

Yes, if the attack vector you're trying to close is a compromised keyboard/network/terminal and not a stolen-while-unlocked device.

"Catching" one 2FA code doesn't let you compromise someone's account.

Losing (or having compromised) the hardware running your password manager while that password manager is unlocked is a totally different thing from logging into a web site once from a library computer.

> Yes, if the attack vector you're trying to close is a compromised keyboard/network/terminal and not a stolen-while-unlocked device.

however, not having the TOTP key in your password manager would also protect against malware on your machine running the password manager from gaining access to your account.

It depends on the use case, but generally speaking, yeah.

It's less secure than a dedicated device for storage of the 2FA secrets and code generation, sure, but I don't see how it's any less secure than using a service like Duo to manage and sync your secrets.

Furthermore, I'd argue it's substantially more secure than the recovery process for almost all of the services I use, most of which offer an option to reset by SMS.

Finally, keeping your 2FA secrets in your password manager is very likely not to change the attack surface for most people anyhow, as most people keep their recovery codes in their password managers as well.

As long as you're not using Gboard you're probably safe.

Care to expand on that thought? What's wrong with Gboard?

How easy is it to move from one Bitwarden server to the next?

I tried it out now, there is a csv import/export function.

Can it import Keepass DBs? I dread retyping all my passwords.

Yes: export the Keepass content (XML/CSV?), then import on Bitwarden.
