Says it works on Raspberry Pi 2 or newer. Do you have a 1?
It felt like a hidden cost to run the official server as I had to upgrade my server instance for an extra $5/mo.
Do you get TOTP support and Organizations on your custom server for free?
EDIT: I just tried it, and yes, you do get (at least) TOTP support for free. Haven't tried orgs, but I'm going to convert it for Dokku now and host it somewhere as a backup plan.
I don't think this is the case. There's really no way to use the license with a custom server anyway.
It basically gives you all of the premium features for free, as opposed to the official server which requires a license.
I really wanted to run the official server, but they offered no option of a lifetime license (only a yearly license). For what it's worth, I would have been willing to pay a lot more for a license that never expired.
The whole reason I'm hosting the server myself in the first place is because I want _full_ control, so a subscription based license doesn't really fit well there.
Given that the project is licensed under the GPL, the license is effectively a donation anyway, so I hope they consider offering a lifetime license for those who want to self-host.
The pricing is odd. For example you can't self-host it yourself without paying for a license. The code is AFAIK open source, so you could maintain your own fork with the required code branches removed, if you wanted to. I do hope the author doesn't pull a bait and switch, after enough users go down this route. Don't get me wrong, I'm actually not looking into hosting it myself, I'm glad to pay for a hosted service, but with open source I want that possibility to be there and I don't want licensing per user for self-hosting either.
And currently I like what the author has been doing. Adding some code in there that makes it require a license, but that you can remove, is totally fine. But I'm seeing more and more open source apps turning proprietary nowadays and I don't look kindly on such bait and switches, because I end up using those apps because they are open source. Like it is the case for Bitwarden, otherwise there are often better proprietary options available.
From a usability standpoint, Bitwarden is unfortunately inferior to 1Password in every way. But it works fine for our purposes, for now. And Bitwarden is better than LastPass in case you're wondering, even if it has some missing features.
The official servers are slow. I just had multiple login failures. I'm assuming that it's experiencing issues due to being featured on HN right now, but this isn't the first time that it's happening.
But as long as it is _open source_ and as long as it does a reasonable job, then I'll keep supporting it. Because I'd rather pay for open source solutions.
What happens to the SaaS offering if he gets run over by a car?
If that guy gets hit by a bus and if the app is useful enough (and it is), then a fork will happen. And I can always do some contributions myself. And if I'm wrong and that fork doesn't happen, then nobody (with resources) wants it, in which case might as well let it die.
The bus factor for open source stuff is great, even with zero contributors at any point in time.
In contrast when a proprietary app gets killed (either due to acquisition or b/c it's not profitable) then it's gone for good. If a proprietary app changes, to include ads or anything that you don't like, there's absolutely nothing you can do but switch to something else or bend over.
Anyways, BitWarden works absolutely flawlessly. There are a few things here and there that I'd wish it had, like the ability to create templates for custom categories, but apart from that, it does an amazing job. The website autocomplete works really well, and I was pleased to see that I can unlock my vault on my phone with my fingerprint reader.
Migrating data from KeePassXC to BitWarden went smoothly. I took a moment to clean my database and reorganize a few things. The database takes a bit of time to load, but nothing that's a real bother.
The only thing I don't store in BitWarden is the 2FA TOTP I use (mainly Google Authenticator) as I feel it breaks the entire concept for 2FA. I've seen people on HN do it, but to me it just feels wrong.
Does Bitwarden have that autotype option? If not, I'm wondering how difficult it would be to build it myself, if only for the desktop clients.
Has anyone else been successfully using Bitwarden in a team setting? If so, how do you work around the limitation I mentioned and other such things?
If a user forgets his/her password, then you can always create a new account. All the collections belonging to the organizations will be there. The personal stuff is lost, but you can argue that the personal items don't belong to the organization.
Also the same user account can belong to multiple organizations. The model is different from say 1Password, where the app can log in to multiple accounts.
Secrets are only stored encrypted, and the key is derived from the master password, not known to any admins. Cracking the admin account or the entire server gives the intruder very little.
So, it's a feature. You may not want this feature, though.
You can though. If you lose your private SSH key, you regenerate it, and the server admin resets your public key. Zero data loss.
I think the better analogy would have been a disk encryption key. But note that consumer facing encryption tech (Mac, Windows) generally doesn't stick to "user forgot key = user lost data".
> So, it's a feature. You may not want this feature, though.
Yeah, I must agree I do not want this.
I understand it is more secure but it is also more user hostile.
I'll take the risk of a compromised admin (assuming strong password and TFA of course) over "sorry you lost all your data."
Data integrity is just as much a part of security as data privacy.
This is exactly the same data loss as when you lose your master password.
Just like you store multiple passwords in your password vault, your SSH key can give you access to multiple servers.
If you lose it, you have to "reset" your public key on _every_ server, just like you have to reset _every_ password that you stored in your password vault.
Though one of the purposes of having a password manager is managing large numbers of disparate systems.
Whereas an SSH key is simply the authentication mechanism, and may or may not be shared across large numbers of systems.
HN passwords are not always recoverable. (Only if you have entered an email address).
By the same token, if the admin did not have access to all the sites and your passwords, the admin can set a new master password, but cannot restore the access to the sites.
The rationale for it not being a privacy violation, which was a concern that came up a couple of times, was that the machines were company property anyway.
Our company has to be very careful about that kind of stuff. Because once you have it you own it and you're responsible for it. Our ATP system, for example, scans for credit cards and SSNs in user and shared directories, sends us an alert and we ask the employee to remove it.
Although it is a bit of a hassle to set up on mobile devices (I use Pass for iOS), the security and functionality it provides is worth it.
Namely that it requires copy and pasting. Any program on your computer can read your clipboard.
And for normal users, who are more vulnerable to phishing, there isn't automatic domain checking. It would be their normal workflow to copy a password into a malicious site.
Suppose you go to gooogle.com instead of google.com, the extension won't fill out info because it doesn't recognize you having a user/pass for gooogle.com.
Have a reasonable security model please
Even beyond that, copy and pasting is training users to copy and paste. This is an even bigger threat imho. There is no layer of extra validation.
Same with Bitwarden: https://help.bitwarden.com/article/can-bitwarden-see-my-pass...
Create the encrypted vault in your preferred cloud storage service and locally and sync across all devices.
What makes you so sure that dropbox and icloud will never be shut down?
They might, but then they’re trivial to replace and you have a backup.
That never seems to stop them.
How much money could Google Reader possibly have cost to maintain?
I’ve been really happy with it, and it’s a one-time cost (per device though). The company who makes it also makes an open source encryption layer for SQLite.
All of the software written by "Bitwarden" is open source. The fact that it uses some pre-existing proprietary software doesn't change that. If it did, then that logic could really be extended to any piece of software written for Windows.
You can write open source code for Windows all day long and it doesn't change the fact that your code is open source.
However, to claim that you need transparency for your security product and then build it on top of a proprietary storage engine is incongruent.
Also, there are many server implementations other than the official one.
They rely on it to store encrypted data.
If I recall correctly they use an authenticated AES cipher, and the Free software part can verify that correct data is read back (i.e. it decrypts and authenticates).
I have the Firefox extension and use the iOS app, also. Chrome extension works well, too when I need it, but I don’t use Chrome often.
You can self-host it since it’s open source if you’re worried about their servers shutting down for whatever reason.
Apart from that, it's been audited, and praised on HN multiple times.
They've done an external audit, and I've studied the architecture, but other than that I can't speak for its safety. But it seems legit in all ways I can imagine.
As for reliability and browser integration it's much better than anything I've tested prior. Works great on all platforms I use.
- no issues whatsoever. The Rust implementation is rock solid.
- I have clients for Android, Linux, OSX, Windows and browser plugin for every browser I use. Again, a friction-less experience.
- I was able to import my 1Password vault into Bitwarden without issues
- Android client is quite slow compared to 1Password
- The Firefox plugin on OSX tends to freeze Firefox. Not so much an issue for me anymore, since I moved to Linux
- The bitwarden_rs server does not support multiple users
I'm confused by this. I'm running bitwarden_rs and I have two users? Perhaps they just recently added support for multiple users? I've only been running it for a few weeks.
Edit: I should note, I’m talking about Bitwarden_rs. Maybe the official one doesn’t? That’d be strange though given it's supposedly the same one the hosted version is running, with a license lock on some features.
I would say they are similar, but I always had problems with 1Password's syncing across clients. Not sure if they resolved that in the meantime.
What I like also about Bitwarden is that it's open-source, and in general the UI feels more light-weight and performant.
I do like BitWarden's TOTP support, though.
* very polished UI, pleasure to use
* good UX in general
* I have constant issues with it losing connection with the browser. Extension just randomly stops working for a few days. Tried to fix it multiple times, never succeeded
* Price (too expensive for my private use)
* Very simple app, easy to use
* More reliable than 1Password for me
* Fills login pages quicker than 1Password
* Feels quicker and more snappy than 1Password
* Lacks 1Password polish, generally UX and UI needs some work
* Can't login using fingerprint on Mac
* Crashes on my iPad when trying to save new credentials (need to report it as a bug, but I didn't get around to it yet)
* Slow on Android
All in all, I'm very satisfied with Bitwarden and use it daily.
1pass does a few things better (2FA, background agent so I don't have to log into the browser and desktop app separately, general level of polish), but apart from that they're largely interchangeable for me.
Bitwarden is essentially the work of one person.
Are you suggesting that we only rely on Apple Keychain and Chrome password sync due to their MegaCorp backing?
* It stores an encrypted file on a cloud storage platform of your choice (gdrive/dropbox etc) and syncs across devices.
* No subscription fees
How is this possibly a replacement for Bitwarden considering they don't have any limits on the number of passwords for the free accounts?
It was ok but not great. Eventually I decided to migrate off it and was not impressed by their export functionality. I had to literally go through every entry to make sure it made sense, check against the GUI to make corrections, and even then reimporting into either LastPass or 1Password was another full round of checking item per item.
I hope it got better but if you're on it I'd advise you look into that as soon as possible as your database only tends to grow and with it the difficulty of migrating off when the time comes.
So that might have sounded like a rant, but my only issue was that I didn't understand the pricing for self-hosted. My one year is up soon and I will be renewing my license as we've (as in me and my wife) been happy with Bitwarden.
(Sharing is useful if you set up new accounts for other users.)
I use the Bitwarden docker version for people to use, I have it installed, but for my own use, sticking with KeePass.
Would recommend it to everyone in need of a password manager now.
That's not my experience. The account details stay open for me.
For me the UX is not amazing, but ok. A bit better than LastPass, a bit worse than 1password.
I copy the password, go to paste it in and it loses the selected account:
Here, I go to add an account. I generate a new password and then I try to paste it into the text box to verify it meets the website's password rules. I then go back to hit save, confirming that it worked and it loses the entry.
I use Bitwarden myself and I only need the copy/paste button for stuff like email and WiFi passwords. If you're manually copying and pasting data, you're probably overlooking one of the many (sometimes not clearly indicated) features Bitwarden has.
Hope this helps!
I used (paid for across Windows/macOS/iOS) 1Password for years but switched to Bitwarden because AgileBits kept openly making progressively more hostile moves against customers like me, and weren’t remotely apologetic about it. I would strongly advise anyone considering use of their products against it. Capturing and controlling use is more important to them now than serving users.
I'm genuinely curious about some examples of these "hostile moves"?
Definitely consider it over the $5/month subscription to 1Password or if you need shared vaults.
Shelter is FOSS, Island is not.
For example, can I share a password with both “marketing” and “customer support”
The lack of this is one of the biggest pains I have with LastPass
Bitwarden is great for personal use, but I can't use it at work because of this one missing feature. If anyone knows of a way to make it have multiple logins per site, I'm all ears as I would love to get rid of DashLane and its horrible Chrome Extension.
Both are always available, no matter whether it's for www.server.com or mail.server.com
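The autofill domain check discussed in this thread (the gooogle.com vs google.com lookalike case earlier, and the www.server.com / mail.server.com subdomain case just above) as an added Python example; this is not Bitwarden's code, and the vault items, the tiny public-suffix stand-in and the two match modes are constructed for illustration:

```python
# Added example (not Bitwarden's own code): how a password manager's
# URI-matching check gates autofill by comparing the page's host with
# the hosts stored on each vault item. The sample vault is constructed.
from urllib.parse import urlsplit

# Small, constructed stand-in for a public-suffix list; a real client
# uses the full list so that e.g. "a.co.uk" and "b.co.uk" don't match.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def base_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(uri: str) -> str:
    """Extract the lower-cased host from a full URL or a bare host name."""
    if "://" not in uri:
        uri = "https://" + uri
    return (urlsplit(uri).hostname or "").lower()


def uri_matches(page_url: str, stored_uri: str, mode: str = "base") -> bool:
    """mode 'base': same registrable domain (www./mail. both match);
    mode 'host': exact host match only (stricter, fewer fills)."""
    page_host, stored_host = host_of(page_url), host_of(stored_uri)
    if not page_host or not stored_host:
        return False
    if mode == "host":
        return page_host == stored_host
    return base_domain(page_host) == base_domain(stored_host)


def autofill_candidates(page_url, vault, mode="base"):
    """Names of vault items the extension would offer to fill on page_url."""
    return [item["name"] for item in vault
            if any(uri_matches(page_url, u, mode) for u in item["uris"])]


# Constructed sample vault (hypothetical entries).
VAULT = [
    {"name": "google", "uris": ["https://accounts.google.com/"]},
    {"name": "mail", "uris": ["mail.server.com"]},
    {"name": "bank", "uris": ["https://online.bank.co.uk/login"]},
]

if __name__ == "__main__":
    # The lookalike domain gets nothing; the sibling subdomain is offered.
    print(autofill_candidates("https://gooogle.com/signin", VAULT))  # []
    print(autofill_candidates("https://www.server.com/", VAULT))     # ['mail']
```

The phishing protection comes from the lookalike host never equalling the stored registrable domain, while the base-domain mode is what makes a credential saved for mail.server.com also appear on www.server.com.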
I’m using Bitwarden_rs as a server, but the official Apps all support it great, so it would strike me as a surprise if the official server didn’t have this ability too.
I just had a thought. What I would like is password protected, "password notepad". When activated, it remembers the text of passwords, shows it to you in text when you go to a website and then you type it into the site. (people looking over your shoulder is a way overestimated danger, the password-hiding thing dates to shared terminals).
The thing I hate about password managers is I am afraid I would stop knowing my passwords. This would allow me to remember my passwords since I would type them each time.
I've only seen Firefox and Chrome's built-in password managers so maybe this exists already. But it seems a decent way to do it.
That is a feature. The handful of passwords I know are mostly long passphrases. The rest are long random strings, generally up in the 30-something character range.
In fact, I don't even know some of my logins anymore: I will use or at least append random characters to most accounts that don't have any 'social' functions (that I care about). I also use a unique email per site.
If an account is compromised, it's got a very low chance it'll even connect to another account I own (at least not without human interpretation), and zero chance of helping with cracking any of my other passwords (other than hinting you can skip guessing anything <30 characters).
I have backups of my password file, I have email recovery (to a domain I own) - knowing individual accounts is just unnecessary.
I've been doing it since ~2001. The only downside is long e-mail addresses, but my password manager deals with that for the most part.
Subdomain is important, otherwise you get dictionary-style spam email attacks (as well as everything coming to whoever owned the domain before you, if anyone). I've never noticed that style of attack to the sub-domain.
I've also got very little actual spam to this. A handful of e-mail addresses were obviously leaked/sold but by far the bulk of the spam I get comes to my primary e-mail address which I never use to sign up for anything.
* Encourages bad (easy to type, and potentially memorable) passwords and password reuse (probably the single best way to get compromised). (I have several hundreds of unique passwords.)
* Makes phishing easier. (People are bad at consistently checking the URL bar correctly char for char and every time.)
* Is inconvenient.
* Can be done with any existing password manager.
* About shoulder looking... I don't know about you, but I frequently need my passwords at work when colleagues are watching, or when I'm sharing my screen in a (often recorded) conference call.
"Makes phishing easy"
- The manager would be checking the URL bar in the same fashion as a regular password manager.
- Is not terribly inconvenient
"Can be done with any existing password manager"
- Great, I suppose I should just get started using them then.
The big issue these days is users sharing a password between sites, so having them unique/random is the game.
Depends on your environment. I personally have learnt at least two people's email passwords just from watching them type (not to use, just to see how easy it was), and I've seen an instance of a Windows Domain admin password being shoulder-surfed. Making it easier seems questionable.