I'd prefer people are using any password manager than go for perfection and then quit completely because it was a terrible UX. KeePass may be more secure against certain specific attacks, but it is largely irrelevant if people are going to contrast it against using no password manager at all because it was too cumbersome.
You might think you'd notice if the site you're on had a different URL than the one you're expecting, but that level of constant vigilance might turn out to be more difficult to maintain than you expect. Especially when you take into account some of the more exotic phishing techniques like IDN homograph attacks.
Sorry, not doomed to fail.
I'm not gonna use a password manager that is "context aware" and has the capability to auto-fill for sensitive sites - that's just my threat model. I'm okay with context aware storing of less critical passwords.
This is literally one of the last major attack vectors since password managers became somewhat more popular.
They all do encryption well, even the ones that keep the database on a server you don't control it's most probably actually encrypted, etc. They do the basic password manager thing. They keep your passwords.
Every time there's something wrong/vulnerable with a password manager, it is because it's a browser extension and the attack surface between the password manager and the browser is being attacked.
> I share your wariness of the browser extensions, but you're betting that a software bug is more likely than human error.
Well, it literally has been.
(this is why I'm using Keepass and no browser extension for my passwords)
Can you give an example?
I seem to remember reading about similar stuff done elsewhere, but don't remember the details (or apparently a useful search term :P).
There is an option to autofill, but it's buried in advanced settings and Bitwarden will display a warning if you try to enable it. (This message ought to be worded more explicitly—it currently says "this feature is in beta" rather than "this feature will decrease your security"—but, still, not a default.)
Why should I as someone who is securing my own passwords care about your preferences or what will and won't work for someone else too lazy to be concerned?
KeePass is barely decent for personal use only, and only for the desktop.
The quality of the available apps differs from platform to platform. For example Bitwarden has a decent iOS app, 1Password has a superb iOS app and in contrast the available KeePass app for iOS is a piece of shit – no offense intended but it's basically unmaintained, barely usable and does no sync so you'd better watch out for conflicts.
And just like I think a password manager shouldn't be a browser extension, I also don't think it should encourage behaviour like sharing passwords among people ... I mean, really? That's literally password reuse, don't feel good about it. Of course a password manager shouldn't encourage it.
"Our son Jim made this password using his password manager thingy so it's probably really secure and now we use it for all our banking and government stuff"
I mean it's sincerely better to keep a "family password" on a post-it, so you don't confuse it with passwords you're actually trying to keep secure.
There are multiple .kdbx apps, like MiniKeePass on iOS, which is decent, but it's lacking active development at the moment.
There is Strongbox on iOS and it's by far the best mobile KeePass experience I've ever had.
Slightly? Just thinking about the synchronization between machines makes this an understatement in my opinion.
The keepass application can perform "auto-type" which works for all sensible applications and websites that have username/password input fields and a log-in button.
Recently, more and more websites split the log-in into two screens, first email and then password. This completely breaks auto-type and is horrible in every way. Please don't do it.
You are right that this is a good approach for many; it will certainly break for many as well.
Re a) https://keeweb.info/ toss this onto any ol' free tier web host you want. No app install necessary. It's not as nice as the apps, but it works.
Re b) Is there an environment that both has a web browser that you want password management with and doesn't let you access any consumer cloud sync service?
I mean, installing browser extensions to deliberately get around their security measures seems a little bit counterproductive. They aren't more secure than local apps. Do you take this company's security measures seriously or is it just some hurdle to get around for you?
Yes, which is why I posted the alternative to installing an app. You can use Keepass + drive/dropbox sync without installing anything using keeweb.
You do not need to install apps to access drive, dropbox, etc...
What are you on about? Synchronization is easy, you can use just about any service you like.
The fact that it's not kept on a server by the same commercial party that also sold you the security product, is a feature. And obviously necessary, since KeePass is free and open source.
I see leaking credentials bugs with browser-extension operated online storage commercial password software all the time on HN. Obviously you're paying for shiny, not security.
KeePass is the best at what it does and stays local as any password manager should do. If you need more security & portability encrypt the DB with VeraCrypt, sync with whatever service you trust.
I don't know if the iOS client is that bad, but the Android one is just fine.
People are moving from LastPass to BitWarden because it is a better product. Plus many dislike LastPass's owners due to the LogMeIn pricing/business practices (like difficulty cancelling/early cancellation to avoid additional billing/aggressive sales people/etc).
The only advantage BitWarden may have is its backend is open source software and you can run a copy yourself (although most choose not to). If you're running it yourself BitWarden is likely your primary contender. If you aren't the difference is largely academic.
>How We Use the Information We Collect and Receive
>LogMeIn may access (which may include, with your consent, limited viewing or listening) and use the data we collect as necessary (a) to provide and maintain the Services; (b) to address and respond to service, security, and customer support issues; (c) to detect, prevent, or otherwise address fraud, security, unlawful, or technical issues; (d) as required by law; (e) to fulfill our contracts; (f) to improve and enhance the Services; (g) to provide analysis or valuable information back to our Customers and users. 
(e) is a very broad and loosely defined category. A contract can include anything, and this ambiguous statement enables LogMeIn to in turn do anything with data they collect from all their services (including LastPass).
In the new Firefox updates, LastPass won't let you open/run the extension until you provide it the ability to monitor all browsing behavior (whereas on Chrome I have it restricted to monitor sites when the extension is clicked/activated)... I will not be renewing my premium service and am looking to migrate away to another service.
I tried KeePass XC on the side and I’ve gotta say, very formidable option if you want one that is FOSS and with no central server. My only real issue is the mobile app story.
Considered doing the self-hosted approach, but wound up paying to support the project.
How does BitWarden compare to 1Password?
Maintaining a single node just for a Bitwarden service isn't a "set and forget" endeavour. It is easy to misconfigure Linux to be insecure, most distros ship with too much software, and auto-update is often inadequate to maintain a secure environment.
There are far too many compromised Linux servers out in the world that people set up "to do one thing", turned on auto-update, and then forgot about for years. Botters and spammers love them.
This has little to do with Bitwarden itself and everything to do with how much knowledge and time is required to correctly run any internet accessible server. People are inherently lazy and it is very easy to get apathetic when it just continues to work, until something bad happens.
Some people, organizations, or groups can, absolutely.
While this is definitely a valuable question to ask, self-hosting is still valuable for many. Also, as we have seen repeatedly, assuming a random company will devote resources towards security can be a very silly assumption.
Yes it is. It's a docker image, you're not setting up anything about the host that's exposed to the internet. Toss on watchtower to auto-update it and why would you ever need to touch it again?
The system hosting docker isn't getting updates, no, but it's not publicly reachable, so that's low risk. The system that is publicly reachable is entirely contained & auto-updated, so that's covered. What else is there to worry about?
Sorry, but nope. The Docker container itself is a fully functional machine. It also holds your most prized data (password database/password host). Turning on auto-updates and watchtower then leaving it unmaintained indefinitely was exactly the problem I was posting about above.
Scary that people think Docker is a security solution. It isn't. The Docker container is a full machine. The Docker host is a full machine. You've now doubled your points of failure and are zero percent more secure.
What? It's not unmaintained at all. It's continuously maintained by the updates to the container. That's the whole point. Just because the user that did the deployment isn't the one doing the maintenance doesn't mean it's unmaintained.
The end-user isn't the one building the docker container, maybe that's where you're getting confused. Bitwarden themselves are maintaining it. That's how they are shipping the software for self-hosted deployments. Professionally maintained and self-hosted. That's why docker enters the picture, not for some imagined security reason as you incorrectly claim.
by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It's a
// or y.src="moz-extension://...";
It is an undeniably more secure option to use password managers without their associated extensions. Certainly less convenient, but ponder carefully your threat model.
The Mozilla bug (1344788) has been open for three years with no meaningful action in 2. It's been stuck waiting for security review, with nobody empowered to do it.
Leakage of credentials seems like more than a "minor" bug - particularly for software whose whole purpose is to securely store those credentials.
The two most common (and successful) attack vectors have been via password reuse and low password quality. Convenience, context aware, device agnostic, browser based, password managers have been successful in convincing the general public to use a password manager at all.
The use of a password manager allows people to have per-site and higher quality (e.g. long/difficult to remember) passwords. This has had a positive impact on people's security.
KeePass and similar "offline" solutions avoid some specific attack vectors. However, both "offline" solutions and browser-based extensions also share a great deal of vectors. For example, if bad-ware has local execution inside the user's context, all bets are off (assuming you're running KeePass and the database is decrypted in memory, which you need to in order to retrieve a password).
It is fine to suggest options people feel are superior, but ultimately the conveniences are a security benefit within themselves because people are actually using and sticking to password managers (thus avoiding password re-use/low quality passwords).
Security has always been a balance between usability and safety, and when you set security policy, you always do it in the context of who is using it and their needs.
Integrating the password manager into the browser makes a lot of things easier as an end user. If I told my parents/grandparents and non-programmer friends to use something like DBG or Password Safe, they would just go back to guessable and reused passwords. Given the choice, I would rather have them use a browser based password manager.
If we're really talking about how to move the needle on protecting logins, I would rather push FIDO/U2F. Keeping a cryptographic second factor on your keychain, phone, or computer carries more added safety at a lower usability cost.
Also, generating all passwords off one master password deterministically sounds like an awful, awful idea. If someone manages to get one of my passwords, they can try performing an offline attack against the encoding password. If they succeed, they have everything.
Your documentation says:
> If you need to change all of your passwords, change the sentence.
Note that this works the other way, too: unless you are changing all your passwords, you cannot change the sentence.
Since it is extremely unlikely that I'd ever want to change all 400 passwords at once, in effect that means I'm never going to be able to change the sentence.
All password changes, then, will be done by changing the per-site word. The documentation suggests:
> Use a different word for different sites. Be consistent with case (e.g. google, facebook, twitter, etc.)
OK, that's easy for the initial password, but what happens when I want to change my Google password and have to change the word? The obvious approach is to change it to "google2", and the next time change it to "google3", and so on.
Am I expected to remember what variation each of my 400 sites is on? That's probably not practical for most of us, so I'm going to have to have that stored somewhere, and am going to need that storage available to me whenever I need to reconstruct a password, so I need it stored some way that syncs across my devices.
Your document lists not having the burden of storage as an advantage of the generated password approach, but I don't see how to deal with remembering the words without having storage. The burden of storing the words, or storing the version suffix of the words, is less than that of storing encrypted passwords because it isn't as bad if they get out, but it is still a burden.
The document says of password manager master passwords:
> This "master password" is a weak point. If the "master password" is exposed, or there is a slight possibility of potential exposure, confidence in the passwords are lost.
Exposure is also pretty big if the sentence for password generation gets exposed. I think most people are going to use words for sites that are simple, like the ones given as examples in the documentation ("google", "facebook", "twitter"). If I'm able to get someone's sentence, there is a good chance I'll be able to guess their words for a lot of major services.
It seems to me that the main security advantage this approach has is that it is not using a browser plugin, so for a remote site to compromise it they are going to have to find a way to spy on the user when they are typing in the master sentence. For something running in the browser to do that, it's going to have to both find a bug in the browser that lets it get past the browser's security, and find some exploit in the OS that lets it once it escapes the browser to get past the operating system's security that protects processes from each other.
I just can't imagine it, I'm forced to use it with a client, and it has hands down the worst UI experience I've ever seen.
You add the extension, easily add/generate/create/autofill your login info. It's usually as simple as clicking an icon that appears in the relevant field.
Also their registration flow is horrendously awful. Try setting up a Family plan where you log out of your personal and log into your family plan and you'll see how frustratingly sticky it is.
Too many buttons and features for such a simple problem. Development is cancer.
I've seen plenty of awful registration flows, so I'm sure that's true. I haven't had to do that for a few years.
Password management isn't a hard problem (outside of security concerns), why the hell did they end up with that UI?
It's ridiculous that I have to go to the edit page just to copy a password. Neither KeePass, nor LastPass, nor any other password manager I've used, suffers from this.
And the amount of time it took for me to figure out how to create a password and allow others access to it is kind of silly.
I think companies like this devote their resources to back end shit and keep the front end shit simple on purpose to prevent even the hint of a security bug that would make them look bad.
Team of 15-30 people, need shared username/password credentials for web, FTP, and DB systems. Also other arbitrary secure "notes", e.g. SSH key. Needs 2FA as well.
With that said, LastPass or something similar is an easier solution for a team.
I worked at a company that used LastPass. The whole service was a complete train wreck, but I used it and therefore contributed to their ability to claim to be the most popular password manager.
I switched to Bitwarden and haven't faced an issue since.
This story reminded me that I hadn't deleted my LastPass account yet, and when I did I got a buggy error message, something to the effect of "Error: .A" after the double-confirm. Looks like the deletion went through, though... just an error in the process, which is uninspiring.
"Your LastPass Premium subscription will renew at $36 per year; this reflects the 2019 updated list price."
I think I'm going to switch to Bitwarden after reading some of the comments in the thread.
I'm tired of the fill problems on iOS and Firefox and the price increases compound my irritation.
Just one example (this one from 2017) of many: https://bugs.chromium.org/p/project-zero/issues/detail?id=12.... Fundamental architectural flaws.
For more HN references, see https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
"KeePass and KeePassX are both good choices. If you really must use an online one, at least LastPass are responsive to researchers and have a competent security team, I would use them."
Asked about the experience he had reporting a 1Password vulnerability, he says:
Sadly I paid for a 10 year plan and have 4 years to go. Saved me some money, but for what product? I use 1Password for work, and it is MUCH better than LastPass.
Since they moved to a dedicated app instead of just a plugin on Mac, it is borderline unusable for me.
Almost never actually fills in my passwords (often have to click copy password), often thinks I am on a different website than I am, or just gives me an empty white box when I click the LastPass button.
They get used by KeePassXC in Yubico challenge-response mode, which I believe works as follows: take the HMAC(KDF(password), nonce) and use it as the challenge to the YubiKey, and the response that's returned is the master key for the database. That's why it needs the YubiKey whenever you save the database and open it, as it generates a new nonce each time. It's still vulnerable to a playback attack if someone recorded the interaction and had that exact copy of the database, but that's also still true of one protected without it. But with that, they have to get both of them at the same time; an old copy of the database can't be attacked by a different challenge/response than the one it was secured with. I used to use the keys in HOTP mode for this with KeePassX before KeePassXC supported this mode, but that made for an easier-to-attack setup since there needed to be a copy of things to predict what the OTPs being generated would be. This also made syncing a lot harder because there was an additional state file that was re-generated every time the database was unlocked.
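The challenge-response flow as the comment above describes it, modelled in Python as an added example (not KeePassXC's or Yubico's code). The YubiKey slot secret, the PBKDF2 stand-in KDF and the toy stream cipher are assumptions, and "HMAC(KDF(password), nonce)" is read as HMAC keyed with KDF(password) over the nonce; the demo checks that a fresh nonce per save binds each copy of the file to its own response and that the password alone does not open it.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the secret programmed into the YubiKey's HMAC-SHA1
# challenge-response slot; on a real key it never leaves the device.
YUBIKEY_SLOT_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")

def yubikey_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Model of the YubiKey HMAC-SHA1 slot: host sends a challenge, gets 20 bytes back."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()

def password_kdf(password: str, salt: bytes) -> bytes:
    """Stand-in password KDF (PBKDF2; real KDBX files use Argon2 or AES-KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def master_key(password: str, nonce: bytes, slot_secret: bytes) -> bytes:
    """Challenge = HMAC(KDF(password), nonce); the key's response is the master key."""
    challenge = hmac.new(password_kdf(password, nonce), nonce, hashlib.sha256).digest()
    return yubikey_response(slot_secret, challenge)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHAKE256 keystream); a real file uses AES or ChaCha20.
    return hashlib.shake_256(key + nonce).digest(length)

def save_database(plaintext: bytes, password: str, slot_secret: bytes) -> dict:
    """Each save draws a fresh nonce, so the key must answer a new challenge."""
    nonce = secrets.token_bytes(16)
    key = master_key(password, nonce, slot_secret)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}

def open_database(blob: dict, password: str, slot_secret: bytes) -> bytes:
    """Opening re-runs the challenge for the nonce stored in this copy of the file."""
    key = master_key(password, blob["nonce"], slot_secret)
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or wrong/missing YubiKey")
    ct = blob["ciphertext"]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, blob["nonce"], len(ct))))

def demo() -> bool:
    """Checks the properties the comment describes; returns True if all hold."""
    entries = b"example.test: correct horse battery staple"  # constructed sample content
    first = save_database(entries, "hunter2", YUBIKEY_SLOT_SECRET)
    second = save_database(entries, "hunter2", YUBIKEY_SLOT_SECRET)
    # Password plus key opens either copy, each via its own nonce/challenge.
    ok = open_database(first, "hunter2", YUBIKEY_SLOT_SECRET) == entries
    ok &= open_database(second, "hunter2", YUBIKEY_SLOT_SECRET) == entries
    # A response recorded for one copy (replay) is useless against the other copy.
    ok &= (master_key("hunter2", first["nonce"], YUBIKEY_SLOT_SECRET)
           != master_key("hunter2", second["nonce"], YUBIKEY_SLOT_SECRET))
    # The correct password without the key (different slot secret) still fails.
    try:
        open_database(first, "hunter2", bytes(20))
        ok = False
    except ValueError:
        pass
    return ok
```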
Their approach is somewhat unique though. Once you log into any Apple device with a secure enclave (including all current MacBooks, iPhones, and iPads) that device becomes a second factor for authenticating future logins (which is prompted via an OS-level popup instead of a separate app or hardware dongle). So your computer itself can be the second factor, which means you don't ever notice the 2FA enforcement, unlike most other systems that use a TOTP code or dongle.
What do you mean? They still have browser extensions for all major browsers.
I use Firefox and the LastPass extension without needing to use the Mac app.
He adds about Lastpass:
"I consider them competent, I've reported some pretty complex issues and found they handle them well. Attack surface is definitely massive, I always recommend KeePass or just use a book if that's too complicated"
The other feature I like in dedicated password managers is that they tend to have a lot more options about what kind of password/passphrase you can generate. Some other features that I regularly use are storing non-password content like software licenses, sharing certain passwords with my spouse, etc.
Doesn't tie me to one browser or their security model.
I've seen very few security researchers recommend it, while they will recommend other services.
This of course assumes you are comfortable knowing that they could access your accounts while you're still alive if they wanted to, and trusting that they won't.
It's not exactly the same as LastPass' "contingency plan" feature (since you're simply sharing some credentials all the time), but it works well enough for me.