We use Bitwarden at work. Bitwarden and Keepass are the two on my "trusted" list. Keepass has higher trust because it's offline only. But Bitwarden has a very good reputation and has open sourced both the clients and the server, so they are a close enough second for me, and it's much more convenient having cloud sync.
> I've personally never seen in my (for now short) career anything else than Keepass.
KeePass (https://keepass.info/) is excellent for personal usage or for infrequently changing credentials in a team setting, which is why I've also had a good run with it!
That said, for something a bit more centralized and more easily manageable, I've seen solutions like TeamPass be used: https://teampass.net/
Well, TeamPass in particular has a pretty horrible UI (not respecting what I click with my mouse and janky dragging of items around, as well as weird display rules), but in general I feel like many companies out there might want a web app of sorts, even if only available in the internal network and self-hosted.
I'm not sure how big of a problem this really is. Yes, it's definitely more difficult for a non-technical user to manage this, but if they have an idea about how important keeping their passwords safe is then would they trust that to a third-party? I don't think my mom would trust any service with her passwords.
Workplace uses 1Password. I've been using it personally for years and I love it. Completely worth the subscription cost, though it has its quirks.
I like Bitwarden and the work they do and I'm sure they're trustworthy, seeing as they've been audited and such, but the Android app and some of the UI is clunky to say the least. I tried switching from LastPass (which is awful) and ended up going to 1Password.
I've not found much reason to swear or cringe at 1Password... maybe ever. I was a bit frustrated once when it gave the wrong popup when filling out my addresses. What is your use case if you don't mind me asking?
1Password once "forgot" an autogenerated password for a government web service, where I had to use a snail-mailed one-time password. I needed to get another OTP for registration. It never happened to me again, but having a wrong password stored was really annoying.
I've switched to Bitwarden recently and, for the most part, am happier than before.
Same here. Like, literally. 1PW just seems so much clunkier and more difficult to work with. The thing being, 1PW does have a handful of enterprise-level features that seem to be more efficient for managing passwords across the enterprise. That seems to be about the only edge it appears to have, which is why it probably appears more attractive to corporations.
> I prefer supporting open source for personal use.
Same here. Open source also adds to security in this case.
Also Bitwarden's server has no knowledge of your phrase, and hence cannot, never ever, read your data. Forgetting your phrase means you lose your wallet. 1Pass and competitors do not have such a guarantee, and allow one to retrieve access to the wallet by other means.
1Password's servers also cannot read your data. They use a client-generated secret key in addition to your usual password to encrypt your vaults. It's been detailed pretty well.
Are all clients open source? If I lose all my keys, is there no way to recover the data?
And how does this work when I share passwords with my colleagues in a vault? They don't have my "client generated secret key", so how can they read my passwords?
I know companies write stuff to sell their products, but I don't trust that; I prefer open source and the laws of logic over marketing.
1Password has a pretty good white paper explaining their security design (PDF behind the link): https://1passwordstatic.com/files/security/1password-white-p.... The parts "How Vault Items Are Secured" and "How Vaults Are Securely Shared" go into sharing passwords in a vault.
So I'm reading on pg 22. The red block. How hard is it for 1Pass --basically a mandated MITM-- to send a false request to Alice when Bob made a request?
That whitepaper is a piece of marketing text. Not saying their audit did not take place. But they are soooooo powerful in their own system that they basically have access to everything.
If you lose Bitwarden keys, what will they do to recover data? They have similar security protocols, so I doubt being open source would help that. It's not about being open source or not. That's just security.
1Password says explicitly that you're not sharing the actual item in your vault and that it's creating a copy of it. It's probably generated client side and pushed to an external sharing service.
I mean, I understand trusting open source but your statements seem like non-sequiturs. 1Password has been audited and has been an industry standard for a while. They seem to know security so at some level I don't find it difficult to trust them. Of course, I don't deny trusting open source and that's completely valid but not with these specific points
> If you lose Bitwarden keys, what will they do to recover data?
They cannot. That's closely related to why it is so secure, and why they can never see your data. That's why I use it.
It's sometimes called "zero knowledge".
> 1Password has been audited and has been an industry standard for a while.
MSFT products were also audited, and much used, and very insecure. Also 1Pass may be subpoenaed into sharing your data. I do not trust 1Pass, but you do you and feel free to trust them :)
I moved to Bitwarden from LastPass last year. Ironically, I remember needing some premium feature, and having issues subscribing to premium. Support was 0/10, and made me move to Bitwarden, but I was really happy with LastPass. The feature I miss today is the security checkup.
Glad it wasn't just me. I was trying to get a repeatable issue with a particular site resolved, and support was beyond useless, i.e. unresponsive for up to two weeks, repeating the same scripted BS they had sent me previously, etc. Despite my pleading I was never able to get to a level 2 where someone could actually look at my problem.
Support USED to be great, ~2-3 years ago when I first signed up. I noticed around a year ago when I made a support request that it went way downhill. I get the impression that they outsourced it to India.
When I have to enter my master password into the browser, I'm left with the LastPass tab focused instead of the site that I'm trying to log into. Although this is annoying for me, it's probably a major obstacle for people who aren't very good at computers.
Note for context - we are in a company that for obvious and less obvious reasons has a detailed list and tiering of allowed open source software for various purposes; while we have more control over our laptop than most companies such size, policies are fairly firm on what we are and aren't actually supposed to install.
> The most trusted open source password manager for business
OP here; this hype bothered me, but to avoid being accused of editorialising the target link, I try to include any strap line in full in the HN link description field.
PasswordState licensing and support was great. I administered it for a small robotics company. PasswordState devs added a requested feature in about 3 weeks from a forum post I made.
We're in the process of migrating from LastPass to self-hosted Psono[0]. I've not yet used Psono enough to say anything except that it seems better than LastPass, but that's not a hard goal to reach. With LastPass the whole UI/UX seemed awfully complex and cluttered and devoid of many handy QoL features like copying a password straight to the clipboard. Their Chrome extension is also a true heavyweight[1].
Love Bitwarden, I personally onboarded dozens … but they must heavily invest in UI/UX and fix their apps (+ extensions). It’s not easy and intuitive for non-techies.
I just switched to it from LastPass which, well, has even worse UX in my opinion. It's an extremely low bar to clear and I agree Bitwarden is quirky too, but for me it's still firmly been an upgrade.
The only thing I miss is an "add to bitwarden?" dialog when I sign up somewhere. Their docs say it exists but I've never managed to get it to appear :-)
That's because web developers are not great at sticking to conventions and standards for this stuff. Product owners and UX designers seem to ignore aligning their signup and signin UX with obvious requirements for enabling people to use a password manager. If they'd make this a hard requirement, it would happen.
It's not that hard even; we did that for our login form. Works great with Bitwarden. And on mobile too. But you have to know how to name things so that password managers can do their magic.
Frequent mistakes caused by essentially ignorance on this front:
- Splitting the email and password form across two screens. That somehow became fashionable. There are ways to do this and not break password managers. But why do this at all? Having to click the fill button twice is ugly and should be flagged as a bug if you ever see that. There's no need for that regardless of the UX.
- Having a login form but then not using field names like "email" and "password" that a password manager would recognize as such. There are a few more things you need to think about: https://hiddedevries.nl/en/blog/2018-01-13-making-password-m.... Just do it right.
- Not having password managers on the radar as a thing that the UX MUST support (not optional). Non-technical people like designers and product owners tend to be a bit sloppy with their own security and they won't necessarily even be aware this is a thing that they need to worry about. So, they don't notice when it doesn't work. They probably don't even use a password manager themselves. And they certainly won't test it.
- Developers not caring enough to do anything about this unprompted; by e.g. just raising the topic with their PMs or just implementing things correctly to begin with. I've actually brought up this topic and usually this is not controversial at all and simple to resolve.
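As an added example, not code from anyone in the thread: a small JavaScript lint that checks a login form's `<input>` fields for the `autocomplete` hints (`username`, `current-password`, `new-password`) and recognisable names that password managers key on, and that also flags the password-only step of the split-screen flow mentioned above. The three sample forms and the regex-based tag parser are constructed for this example, and `lintLoginForm` is a hypothetical name.

```javascript
// Added example, not from the thread: a small lint for login/sign-up forms.
// It checks the <input> fields for the hints password managers key on and
// flags the password-only step of a "username first" flow. The tag parser
// below is a constructed regex over <input> tags (fine for simple forms,
// not a full HTML parser) and lintLoginForm is a hypothetical name.

// autocomplete values the HTML spec defines for credential fields.
const USERNAME_HINTS = new Set(["username", "email"]);
const PASSWORD_HINTS = new Set(["current-password", "new-password"]);
// Input types that are never a credential field.
const NON_TEXT_TYPES = new Set(["hidden", "submit", "button", "checkbox", "radio", "reset", "image", "file"]);

// Parse every <input ...> tag in an HTML string into a lower-cased attribute map.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = (attr[2] ?? attr[3] ?? attr[4] ?? "").toLowerCase();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return a list of problems; an empty list means the form gives password
// managers what they need to save and fill a login.
function lintLoginForm(html) {
  const issues = [];
  const fields = parseInputs(html).filter((f) => !NON_TEXT_TYPES.has(f.type ?? "text"));
  const passwordFields = fields.filter((f) => f.type === "password");
  const otherFields = fields.filter((f) => f.type !== "password");

  if (passwordFields.length === 0) {
    issues.push("no password field in the form");
  }
  for (const f of passwordFields) {
    if (!PASSWORD_HINTS.has(f.autocomplete ?? "")) {
      issues.push(`password field "${f.name ?? "(unnamed)"}" lacks autocomplete="current-password" or "new-password"`);
    }
  }

  // Username/email field: an autocomplete hint, an email input, or at least a recognisable name.
  const username = otherFields.find((f) =>
    USERNAME_HINTS.has(f.autocomplete ?? "") || f.type === "email" || /user|email|login/.test(f.name ?? "")
  );
  if (!username) {
    issues.push("no recognisable username/email field: a password-only step or an opaque field name, " +
      "so a manager may not associate the saved login with this form");
  } else if (!USERNAME_HINTS.has(username.autocomplete ?? "")) {
    issues.push(`username field "${username.name}" lacks autocomplete="username"`);
  }
  return issues;
}

// Constructed sample: opaque names and no hints (the kind of form the thread complains about).
const BAD_FORM = `
<form action="/login" method="post">
  <input type="text" name="field_a1" placeholder="Your e-mail">
  <input type="password" name="field_b2" placeholder="Your secret">
  <input type="submit" value="Go">
</form>`;

// Constructed sample: the same form with the names and hints managers recognise.
const GOOD_FORM = `
<form action="/login" method="post">
  <input type="email" name="email" autocomplete="username" placeholder="Your e-mail">
  <input type="password" name="password" autocomplete="current-password" placeholder="Your password">
  <input type="submit" value="Go">
</form>`;

// Constructed sample: the password-only second screen of a "username first" flow.
const SPLIT_STEP = `
<form action="/login/password" method="post">
  <input type="password" name="password" autocomplete="current-password">
  <input type="submit" value="Sign in">
</form>`;

for (const [label, html] of Object.entries({ BAD_FORM, GOOD_FORM, SPLIT_STEP })) {
  console.log(label, lintLoginForm(html));
}
```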
FWIW I'm a developer, and I think password managers are awful to code against. They don't document their expectations (to the best of my knowledge), it's hard to test because you need multiple password managers installed, plus the browser's built-in ones. I mean, even the link you shared feels more like alchemy than engineering (through no fault of the author, I might add): "do it kinda sorta like this and then hopefully it'll work most of the time!"
And it's hard to figure out why it doesn't work when it doesn't. The feedback cycle is nonexistent.
> Splitting the email and password form across two screens.
This is done because it's an easier way to support both local login and SSO (like OAuth or SAML). By taking the username first, you can determine whether to ask them for a password or send them to an SSO provider.
It doesn't have to be implemented this way but it is seen as easier.
Yes, unfortunately a lot of implementations for this break password managers. It doesn't have to be that way and there are ways to fix it. But it complicates things a bit. And it's a pattern that actually gets copied a lot by products that definitely don't do any form of SSO.
Also, a typical OpenID flow or SSO would not actually require an email field at all. So splitting the screens is kind of redundant in that case. E.g. a GitHub sign-in would be done with a button click and a few redirects.
> The only thing I miss is an "add to bitwarden?" dialog when I sign up somewhere. Their docs say it exists but I've never managed to get it to appear :-)
I have seen this occasionally but it is fairly random and unreliable. And then sometimes it pops up for stuff I clearly don't want to save, like OTP.
It has asked me lots of times, but just yesterday it didn't for a new account on no less than google.com. Its code to detect when to ask must be... weak, to say the least.
So I went on to add a new entry manually. Oh my, the UX to do so is quite bad. There is such low hanging fruit here for improvement, like copying the "UI on a new tab" style that LastPass does... meanwhile Bitwarden insists on doing everything on a stateless pop-up window [0]. LastPass UI might be worse for some (that's debatable), but the UX of opening it on a new tab is simply superior, just for the fact of it being stateful. I don't get why Bitwarden doesn't adopt it.
I'm happily paying for Bitwarden to support its development, but would never consider suggesting it to my grandpa or to serious business. The flow and experience is just far away from what is expected; a very good software, but with still too many rough edges.
It doesn't work very well in Firefox's private browsing. The only thing you can do is autofill by right-clicking a text field and autofilling from there, or using the keyboard shortcut. But you cannot unlock it in private browsing.
Stateless UI is annoying at best. There's a few times where this has slipped my mind, so I paste a generated password in a new item, and then go to copy the email, and the new item is gone. If I didn't use a clipboard manager, this would have meant losing the generated password.
The browser addon is completely separate from the desktop app. It's annoying as it means you have to unlock them separately when you need them. I used to be a 1Password customer, and I absolutely adored the seamless experience of the browser extension utilising the desktop app when it's installed.
They are trying to do some improvements to make it partially work in private tabs. If I understood correctly, there will still be some issues until they refactor the whole extension for Manifest V3 (deadline is Jan/2023).
Oh my, thanks for that link, I hadn't noticed. It's disappointing that addressing this[0] took 5 years and a whole lot of denying it's their fault and saying that it is Mozilla's fault[1]! All it took was Chrome introducing a deadline...
Agreed. I've been using Bitwarden for ages now and this drives me insane.
If you open the popup menu and need to copy/paste/refer to more than one piece of info from it [because autofill doesn't always work or for example, you need more info to login than just username & password] you have to go back each time and re-open the menu, then the sub-menu [if you have more than one account info saved for a domain], to re-find the saved info and copy the next item.
It's made doubly annoying by the fact that there's a button to open the popup in its own mini-window, which allows you to go back and forward to that window, copy/pasting all the 'stuff' you need. However, when you click this button, the new window which opens doesn't retain whatever was in it in its popup version. So you still have to drill down through menus to find the appropriate info again.
I reported this as a bug several years ago on their GitHub and got a ridiculous reply from the developers, saying that behaviour was deliberate and wouldn't be changed. Apparently they couldn't envisage a situation whereby a user converting the popup menu into a separate mini window would actually want to retain the info therein, rather than having to search it out again.
When faced with total pig-headedness like that from developers, my natural support for their open source efforts evaporates pretty quickly.
The search function is also piss-poor. I've got several Gmail accounts and quite often a site will allow me to login using my Google account. Obviously that won't show up in Bitwarden's popup, as I'm not on a Google domain. So I type 'gmail' into the searchbox and it returns every single one of the 100s of websites where I've got an '...@gmail.com' username, rather than prioritising the Gmail logins which I've actually saved titled 'Gmail <account name>'.
So yes, it's great that it's open source and free [for private use]. But the usability is pretty poor and the developers unresponsive to feedback.
Oh. And incidentally, it barely ever works properly on Android --even with all the required settings and permissions allowed. I might as well keep all my passwords in a text document on my phone. It'd be quicker than waiting in vain for Bitwarden to offer to fill in a login, then opening the app itself to copy/paste the required info and waiting the several seconds while it creaks into action, decrypting my vault.
Detecting a new login is not one of BW's strengths. It's never detected one for me. But you can train yourself to "create new login" via the browser extension, _instead of_ expecting the extension to pick it up. This does work better for single-page creation flows. (Instead of using the web page to create a user/pass, enter it into the extension.)
It's pretty business unfriendly IMO, as most users simply cannot pick up a new, rarely used flow.
I switched away from 1P after they dropped the perpetual license option. They failed me by taking VC money and then chasing growth at users' expense. Not that the other PWM vendors aren't worse -- some of them much worse.
With Bitwarden I never missed the "add to Bitwarden" dialog. As a paying user, I love that they offer an Android app. It has its moments, like the integration with the keyboard does not always work, but I can use it from the shot its drawer.
If you generate passwords (or passphrases!) they are stored in history, so there's always a backup :)
I wouldn't say it was extremely simple but I managed to move our company from LastPass to Bitwarden a few months ago. There is definitely an export & import process available. I did have to do some minor CSV cleanup on what LP generated though. Additionally, I purged and repeated the import process a few times once I familiarized myself with how "Collections" and company-wide sharing works in BW. But in the end it was certainly worth it despite the effort.
Yes - you can dump out your passwords from LastPass as a CSV and slurp them straight into Bitwarden.
I switched from Lastpass when they started demanding more money - and whilst not perfect, am very happy with Bitwarden. Functionality is all there, just a bit clunky in places - but you get used to it.
Bitwarden is great, I use their paid subscription to manage access to everything. Syncs my passwords, notes and credit card information across my phone and Firefox on many devices.
Only issue I have is the lack of native UI and lack of encrypted notes, which LastPass has.
I switched to 1Password simply because I liked the browser extension and the mobile app better. I had issues with autocomplete with Bitwarden on my phone.
I'm a techie and it's not intuitive for me either. Honestly, their UI is just bad, despite being my choice of a password manager. It's not a matter of habit, I stumble upon it every damn time I have to open its extension window.
I've had this issue before. If you're on Firefox, open up the history sidebar with Ctrl+H, then in the top left corner click on the word History to open the dropdown and select Bitwarden. You'll be able to have it "open" without clicking the extension popup.
No, I have no trouble opening it (sorry that I wasn't clear enough). I meant that my entire UX in that window is full of mistakes and confusion. To name a few: clicking on an item shows an "unable to autofill" message, as if I wanted to autofill my Gmail password on other sites and not open a card. The lock button is obscured in a settings menu. The password length slider is too sensitive in the generator tab. And the window is never high enough to include the most important options. It feels half-assed all over the place.
I have used Bitwarden extensively, in self-hosted mode (vaultwarden), for a few years now.
It is truly excellent, especially the fact that you can "move" an entry to an organization, where everyone has the same ownership and rights (and not merely "share" it). Plus a ton of wonderful things.
There are two minor points I am missing:
- the ability to control someone's passwords. Typical usage: the 24/7/365 support for my parents, where I would like to be able to access their passwords (they also would like that, obviously). There would be a simple solution: the ability to force someone to file entries only in an organization. But it is not possible (and new entries will go to the personal vault by default).
- the ability to discard the Android pop-up, sometimes it completely blocks the ability to manually fill in something. An "escape" kind of gesture.
Having tried almost every other solution available over the past 25 years I also self host vaultwarden in a docker container and I'm pretty happy with it.
I've been wanting to set up vaultwarden with Docker. However the setup guide[1] uses caddy with ports 443 and 80, but I already have traefik set up with those ports, so docker-compose aborts. My docker knowledge is quite minimal, so I am unsure how (or if) I can resolve this.
Now - I used traefik and caddy extensively (and everything I do is in docker these days) and caddy is so much, much better than traefik.
I used traefik v1 and v2 and struggled with having an optimal configuration. With caddy it just works.
The main difference is that with traefik you usually try to squeeze your configuration in the docker-compose.yaml, but end up with a traefik configuration as well.
With caddy you have everything in a caddy file - in my case adding a service with plenty of things set up (filtering for networks etc. is a matter of adding
On top of that, the caddy community is great - some questions may seem simple for the ones who are used to proxies etc. but are very hard to understand for newcomers. There is always kind guidance for these people in the forum.
You can set an organisation policy to disable personal ownership, which forces every password to be saved into an org, unless the user is an org owner or administrator.
The thing is that I still want BW to give me the possibility to choose a site to fill in (so I do need the popup). It is just that sometimes I need it out of the way, and there is no gesture for that (such as sliding it to the side for instance, or long pressing to make it go away)
Are you referring to the popup created by the autofill service that is integrated in Android (https://developer.android.com/guide/topics/text/autofill)? In that case you can activate the inline autofill functionality (assuming that your keyboard supports that) so that no popup will show up.
I frankly think password managers are the most stupid thing.
We fake users inputting text into input boxes and spend crazy time figuring out how to do that and how to get around various sites trying to block that, so the site can still pretend it’s an actual user inputting the password. Plus the manager needs to work around arbitrary password rules. Plus they usually don’t work at OS level; so you still need to remember that stupid iTunes password, that stupid Windows password, that stupid Google password on Android login. Plus you still need random PINs in random banks and other systems.
It’s better than memorizing, of course, and slightly better than writing it on paper somewhere (although that’s actually not that horrible honestly).
It’s just, they feel like a patch-fix from 1990s to a problem from 1990s.
I don’t want password manager. I wish I didn’t need password manager.
I agree partially. Passwords are posing an indirect security issue. But in my opinion this is more due to the handling of those by humans.
So many different places where you can login, you need 20+ passwords. These should all be very long so that they are deemed secure enough.
Remembering this is a chore, leading to one of two things:
- the user tends to create short passwords or mnemonics that only change a few letters/numbers per password
- the user will use a password manager, completely giving up control in case of a disastrous failure (e.g. data deletion) and having potentially finicky setups.
There should be better options for the broad usership than passwords, but password managers are imho a good solution for today.
Generate two random 32 length strings. For the sake of this example, let them be 2quvs7jriTXQK8sFv4LzBZRtSN9hqp9q and qFTNX4f5sduaLYShWx96EyZw9ZRNLmqY.
Designate the first to "heads" and the second to "tails". Every time you're prompted to login with a password, flip a coin and enter that designated password. If it fails, then enter the second password.
For those interested in basic cryptography, feel free to point out the major and obvious flaw in this approach.
Web3 is the solution to all our problems!... obviously not
But something I've seen is that using private and public keys is going mainstream. We have client certificates, but those are hard to create and use, and not really compatible with mobile.
I think a good workflow will be something similar to connecting to SSH, instead of a static password you sign a challenge with your key pair.
What happens if siteName changes? What happens if you lose your memory?
Wait was it "TransferWise" or "Transferwise" or "Wise" or "wise" or "transferwise"?
I don't hate the idea, but what happens when you stumble upon a website that does not accept % in passwords, or needs fewer than 8 characters, or one of the other random things that do exist? Then you have an algo for this, and an algo for that, and you end up back at the same place.
This was my strategy for some time, but I switched to using a proper password manager (Bitwarden). If your algorithm is discovered you're in as much trouble as if you used the same password across multiple sites.
There are a few auth schemes that cut out of the middleman of the password while providing the same level of security. SQRL and Microsoft Passwordless Login both come to mind.
Personally a happy user of 1Password. Reasons being:
- "It just works" for me and my non-tech-family
- It's only $50/year
Maybe BitWarden is just as good or better. But why take the gamble and migrate everything and everyone, when I have multiple happy 1P users for a low yearly cost?
I find the attitude of many folks on HN, arguably a forum full of logicians, baffling at times. I don't use 0 dollars to contextualize the cost of 1Password (or any productivity software). I value the time that I save with it. It saves me so much time, I don't mind paying $4, let alone $10.
Not paying for something because it's not free is being penny wise, pound foolish.
Perhaps there are situations where people are budgeting for the pot that the $4 a month comes out of, or are concerned about the number of services they are paying for and not receiving anything.
Depends on your platform. macOS/iOS/iPadOS come with a more than decent integrated password manager for free. It almost never fails to identify the password field and works both for websites and compatible applications.
The paying part is when you want to sync the keychain between devices and require an iCloud subscription, which starts at $0.99 and bundles other features.
While I would never trust a "free service" (freemium backed with pro account/bundling is still ok AFAIC), it's still hard to consider $4/month for a syncing service cheap. It's literally the price of a cheap VPS service!
PS: From another angle, if security is really your priority maybe $4 is not expensive enough. Password managers don't protect you from a hostile OS vendor and on top of that you now have to trust another entity. High levels of security require a global approach and paying more for a password manager might provide a false sense of security.
I have to use 1Password for some shared work stuff and I find Bitwarden comparable but I am happier with Bitwarden as it is open source and so central to my personal security.
> No idea why people still throw money at proprietary password managers.
I've tried Bitwarden for a few days with their Firefox plug-in. During those few days there were multiple occasions where it would create a password for me, but wouldn't save the login.
I switched to 1Password and it is way better in letting you know if it saved a password or not. I also ran into some other small issues with the Bitwarden UX that made it less than ideal to use.
I want to like Bitwarden, but 1Password just seems to be better at managing passwords.
The main difference seems to be that Bitwarden is server software that added mobile, whereas 1Password is mobile software that added a server. So the former is pretty strong on the backend (robust API, can run your own, client-agnostic) whereas the latter works better on the client side, without the "glitching" that sadly is common on BW.
I've been a BW user for years (relatively early adopter), and they are improving. At the moment I wouldn't consider anything else, for the simple reason that I could host it myself tomorrow if they went closed-source or shut down. For something like secret management, continuity planning is a must IMHO. I think they have been very good at doing things The Right Way since early days. Also 1Password always looked very Apple-focused and I'm trying to move away from that.
I've heard that 1Password looks Apple-focused before (sometimes as a negative, sometimes as a positive), but I mainly use the Firefox plugin (in Linux) and it works great.
Been a Bitwarden user for some years. Switched from Android to iOS, switched browsers, never lost a single password. It's the best service around; I'm thinking about purchasing the premium even if I don't need the extra features, only to contribute to the project.
I’ve strongly considered migrating from KeePassXC to Bitwarden to make things simpler. At the moment, the way I use KeePass is: password + only storing the db on Google Drive + adding the key file to any device I want to access from (smartphone and laptop) via USB cable. This way I can keep the db up to date across devices while keeping it “safe” as the key file is not being shared across the network.
So, as I said, I’ve considered Bitwarden for being open source and cheap and for simplicity, but despite reading about the implementation they do and knowing they have had successful audits, the paranoid in me cannot stop thinking about the “what ifs”. I have all my life on KeePass: from access to the bank, to government taxes stuff, to the pi-hole web UI etc etc. I feel I have more control now with my clunky approach. If I migrate to a managed solution and for any reason my data gets compromised on their side I would be utterly fucked.
For what little it's worth from a random internet person, I agree with you 100%. I do it the same way as you, with the database stored on Dropbox, and an offline key file. I just can't make myself trust an online service for this stuff, as irrational as that may be.
Even if KeePass turned out to have some exploitable vulnerabilities, it's still running solely on my machine, and I don't allow it to connect to the internet at all. I suppose yes, if someone breaks into my computer I could be in trouble, but if they can do that, they can just steal my session cookies anyway, password manager or not.
I use keepass. I've solved the cross device problem by using syncthing. It is amazingly convenient and hasn't given me any problems across 3 computers and 3 phones. The only thing is, if you sit with your pw db open for extended period of time, you may need to sync it from storage in order to pick up changes that a different device has made recently.
Since everyone's asking for a good password manager for their use-case, I may as well do the same. Thanks in advance for any replies.
I've been looking for an alternative to Enpass, which:
1) Supports using WebDAV as a backend (or an "app" exists for Nextcloud, if one exists).
2) Supports biometric authentication on Windows and Android.
3) Has a client which unlocks off the system keyring on Linux (Enpass doesn't do this).
4) Uses in-line autofill (through the keyboard) on Android. Enpass said they'd add this months back... but never did.
5) Has a not-ugly UI which at least partially matches GTK/Qt on Linux, Fluent on Windows, and MD2/Material You on Android.
6) Has Chrome and Firefox extensions that "take over" as Autofill like the Enpass extensions do (you can see it in Chrome Settings -> Autofill, if an extension does).
I don't mind if it's paid, as long as it isn't relatively expensive (i.e. no more than Enpass because I got that on discount).
I've used Bitwarden for over 4 years now after first hearing about it on HN. I really can't complain. I have Bitwarden on my phone, on my browser (chrome + firefox) and it works flawlessly for me. I even have the Mac app but I almost never have to use it.
I'd highly recommend it in case anyone here's looking to switch to Bitwarden.
I've used LastPass previously, but that was so long ago that it'd hardly be a fair comparison to Bitwarden now - but I remember not being satisfied with LastPass enough to export my data and switch.
I tried to use the Vaultwarden implementation with one caveat: I don't need to use any plug-ins - my everyday passwords are at my fingertips anyway, for anything else I'm fine with logging in and copy-pasting the login and password.
And here comes the thing which makes VW (and a couple of other password managers I tried in the last couple of years) usage abysmal: the web-interface just sucks.
First of all - the process of adding new login-password info requires too many clicks to set something more than just a login, password, (web-site) address. You want to add some tag? Click 'add', click 'type', click into the value field, type it in. Want more than one tag? Repeat for each one. Okay, that would be tolerable if this was just a once in a while task, but here comes the next one:
Second and more important - awful search. VW just doesn't have the search functionality. It just loads ALL your accounts and filters them in the UI... and sometimes even fails to do that. Like I see '$something' in the account description, type it into the 'search' field... and get an empty result.
For me personally the lack of useful search (including server-side search) makes the thing unusable.
Are my requirements (sane web-gui, working search, usable without browser/apps addons) unreasonable?
Afaik the Web-Interface of Vaultwarden is exactly the same as the normal bitwarden web client. The only thing they added was their admin interface, which you wouldn't normally see anyways.
> It just loads ALL your accounts and filters them in the UI
Server-side search would only work if you decrypt the data on the server, which is explicitly not wanted.
> Server-side search would only work if you decrypt the data on the server
Or do not store it encrypted (aside from passwords) in the first place, or have a separate server-side encryption for non secrets, so it would be still encrypted at rest.
It is all understandable, yet I don't have an option (except using almost a decade old RatticDB).
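The three designs argued over in the replies above (everything encrypted end-to-end with search done in the client, non-secret fields stored in plaintext so the server can filter them, and non-secret fields encrypted at rest under a key the server holds) side by side, as an added Python illustration. This is not code from Bitwarden or Vaultwarden: the cipher is a standard-library-only toy standing in for the authenticated cipher a real client would use, and the keys, vault items and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Toy authenticated cipher (HMAC-SHA256 in counter mode plus an HMAC tag) so the
# example runs on the standard library alone. It stands in for the AEAD a real
# vault client would use and must not be reused outside this illustration.
_NONCE_LEN, _TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(_NONCE_LEN)
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, body, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


@dataclass
class StoredItem:
    name: bytes      # the field we want to search on
    password: bytes  # always ciphertext under the user's key, in every model


# Constructed sample vault; none of these are real accounts.
SAMPLE_ITEMS = [("Bank of Example", "pw-one"), ("Example Mail", "pw-two"), ("Pi-hole admin", "pw-three")]


# Model 1 (end-to-end, the behaviour the thread attributes to the Bitwarden web
# client): the server holds only ciphertext, so "search" means fetch every item
# and filter after decrypting on the client.
def e2e_store(user_key: bytes, items) -> list[StoredItem]:
    return [StoredItem(encrypt(user_key, n), encrypt(user_key, p)) for n, p in items]


def e2e_client_search(user_key: bytes, stored: list[StoredItem], needle: str) -> list[str]:
    names = [decrypt(user_key, it.name) for it in stored]
    return [n for n in names if needle.lower() in n.lower()]


# Model 2 ("do not store it encrypted, aside from passwords"): names are
# plaintext, so the server can filter, but a database leak lists every site.
def plain_metadata_store(user_key: bytes, items) -> list[StoredItem]:
    return [StoredItem(n.encode(), encrypt(user_key, p)) for n, p in items]


def server_search_plain(stored: list[StoredItem], needle: str) -> list[str]:
    return [it.name.decode() for it in stored if needle.lower() in it.name.decode().lower()]


# Model 3 ("separate server-side encryption for non secrets"): names are
# encrypted at rest under a key the server holds, so a disk or backup leak does
# not expose them, but the running server (and its operator) can still read them.
def server_key_metadata_store(user_key: bytes, server_key: bytes, items) -> list[StoredItem]:
    return [StoredItem(encrypt(server_key, n), encrypt(user_key, p)) for n, p in items]


def server_search_server_key(server_key: bytes, stored: list[StoredItem], needle: str) -> list[str]:
    names = [decrypt(server_key, it.name) for it in stored]
    return [n for n in names if needle.lower() in n.lower()]


def server_can_read_passwords(server_key: bytes, stored: list[StoredItem]) -> bool:
    """The password field is under the user's key in every model, so the server's key fails."""
    try:
        decrypt(server_key, stored[0].password)
        return True
    except ValueError:
        return False
```

The point the example makes concrete: a server-side search needs the searched field readable by the server at query time, and the only choice is whether that field is readable by everyone who gets the database (model 2) or only by the live server and whoever controls its key (model 3). Neither option gives the server the passwords themselves.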
I love the autofill keyboard shortcut, a real productivity boost.
To auto-fill login information, use the following default shortcuts. If there are multiple Login items with the detected URI, the last-used login will be used for the auto-fill operation. You can cycle through multiple Logins by repeatedly using the keyboard shortcut:
On Windows: Ctrl + Shift + L
On macOS: Cmd + Shift + L
On Linux: Ctrl + Shift + L
I use Bitwarden, it's brilliant. But I wish a password manager would figure out a way to fill in passwords where they ask for 1st, 5th, 11th letters like many banks do.
It doesn't need to be automated, if I can tell it which HTML element to read and parse as an index and which text elements to fill in, then that's good enough for me.
No you can't? I'm aware you can point it at different fields and add additional information. But you can't make it fill in a password field that asks for 3 random characters.
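The piece of this that a password manager could automate without understanding every bank's page, as an added Python example that is not code from Bitwarden or any other manager mentioned here: parse the prompt text ("enter the 1st, 5th and 11th characters") into positions and pull those characters out of the stored password. The sample prompts and password are constructed, and the function names are the example's own.

```python
import re

# Constructed sample prompts modelled on the "1st, 5th and 11th characters"
# logins the thread describes. They are not copied from any real bank site.
SAMPLE_PROMPTS = [
    "Please enter the 1st, 5th and 11th characters of your password",
    "Enter characters 3, 7 and 9 of your memorable word",
]

# A list of one or more positions such as "1st, 5th and 11th" or "3, 7 and 9".
# The ",\s*and" alternative comes first so an Oxford comma ("5th, and 11th")
# is treated as one separator instead of ending the list early.
_NUM_LIST = r"\b\d{1,2}(?:st|nd|rd|th)?\b(?:\s*(?:,\s*and|,|and|&)\s*\b\d{1,2}(?:st|nd|rd|th)?\b)*"

# Only a list directly before or after the word "character(s)" counts, so
# unrelated numbers elsewhere on the page ("Step 2 of 3") are ignored.
_PROMPT_RE = re.compile(
    rf"(?:({_NUM_LIST})\s+characters?)|(?:characters?\s+({_NUM_LIST}))",
    re.IGNORECASE,
)


def requested_positions(prompt: str) -> list[int]:
    """Return the 1-based positions the prompt asks for, in the order given."""
    match = _PROMPT_RE.search(prompt)
    if not match:
        raise ValueError(f"could not find a list of positions in: {prompt!r}")
    number_list = match.group(1) or match.group(2)
    return [int(n) for n in re.findall(r"\d{1,2}", number_list)]


def pick_characters(password: str, positions: list[int]) -> str:
    """Return the characters of `password` at the given 1-based positions."""
    if not positions:
        raise ValueError("no positions requested")
    out = []
    for pos in positions:
        if pos < 1 or pos > len(password):
            # A stored password shorter than the site expects usually means the
            # vault entry is stale; refuse rather than fill something wrong.
            raise ValueError(f"position {pos} is outside a {len(password)}-character password")
        out.append(password[pos - 1])
    return "".join(out)


def answer_prompt(password: str, prompt: str) -> str:
    """Parse the prompt and return the requested characters, in prompt order."""
    return pick_characters(password, requested_positions(prompt))


if __name__ == "__main__":
    demo_password = "correct-horse-battery"  # constructed, not a real credential
    for prompt in SAMPLE_PROMPTS:
        print(prompt, "->", requested_positions(prompt), answer_prompt(demo_password, prompt))
```

The parser deliberately refuses prompts it cannot read unambiguously (for instance "the 3rd and the 7th characters", where a word sits between the numbers) rather than guessing, since a wrong answer on these forms usually counts as a failed login attempt. Which page element holds the prompt and which fields receive the characters is still the part the user would have to point at, as the comment above suggests.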
I moved from LastPass when it turned on its subscribers. I tried KeePass... loved its offline model but it was not a smooth experience. Then I tried Bitwarden... found it useful and user-friendly and I ended up buying a subscription for my entire family.
Though it looks and sounds good, how would security be impacted by using the Google Chrome-based Electron runtime to run the desktop client’s TypeScript and the CLI runtime to run the server’s C# code? Wouldn’t this increase potential attack surface and the probability of introducing vulnerabilities through more complexity (though this could be said for writing more of the stack oneself)? I'm thinking about pass (https://www.passwordstore.org/) and KeePass 1.x (https://keepass.info) for comparison.
Here's hoping that Bitwarden stays on the same course for the foreseeable future. I've seen plenty of excellent products like this fall victim to monetizing everything, like CCleaner.
I use several password managers for various reasons, but I like Bitwarden. I use it both for work and privately. I think it is a bit unclear how Bitwarden the company is setup. That is the only thing that bothers me. Passwords are often not “real” secrets, so it does not matter that much.
Generally, I would really like a hardware password manager. Maybe in a chip that you can have in your body. With some MFA so no one can use it when you are dead or passed out.
I’ve been using Bitwarden, LastPass and 1Password for the past few years. Of the three, Bitwarden gave me the least problems. LastPass is by far the worst. While 1Password is generally good about keeping up with its features, it is on the pricy side and UI is not great.
I liked Bitwarden so much I asked them if I can pay for it several years in advance. No dice there.
My recommendation is to pair Bitwarden with Yubikey.
Someone else said BW doesn’t always detect new logins. Is this not true? That comment doesn’t appear to have downvotes or people stating otherwise.
Another few comments have said BW sometimes loses track of a pw or login. Maybe when created?
Not sure. Is this stuff not true? I’m on a family plan for 1PW and it has been mostly flawless for me. However, if that family plan ever breaks up, I would love to switch to BW.
Seems like they have some version of it implemented:
> Q: I need an old password! Can I view the history of a password that I changed in Bitwarden?
> A: Yes! You can view the last 5 passwords for any Login Item. Open the item in question and select the “1” next to Password History near the bottom of the window.
Wait, you mean password history? As in being able to see the old password once you generate a new one or otherwise update it? Because Bitwarden definitely has that.
Spun up a Vaultwarden docker and gave it a try. You are correct, it does have password history. That's great. It was probably there the whole time and I didn't notice when I evaluated last.
I see it doesn't have history anywhere else, such as secure notes, which 1password does have.
Might still be too tough to give up the extra types and tags, but having history on the passwords is a great step. Quite tempting indeed.
Absolutely. Keepass gives you only a file that you have to sync by yourself and when you have multiple device editing the same file... Well...
On the other hand, Bitwarden lets you self-host a complete server that handles everything. If you want something less resource-intensive you can take a look at Vaultwarden, which is a re-implementation of the server in Rust instead of C#. The main advantage is that it uses MySQL or Postgres instead of the heavy MS SQL Server.
It is funny, because to me "only a file you have to sync (and backup)" sounds more like an advantage than setting up an entire server environment just so you can access your passwords.
If you're the sole user, it's probably not worth self-hosting {Bit,Vault}warden. However, the ability to share passwords and, optionally, TOTP codes is super helpful. My wife and I both used KeePass before and the combination of syncing the DB across devices and inability to share (a subset of) passwords was a killer.
{Bit,Vault}warden both now support emergency access, which will be useful if it's ever needed
Meh, heavily depends on your setup. The lack of good apps on mobile devices that integrate with their respective OS (iOS/android) is a bit of a problem. It's also 3rd party apps (some closed source) and not official ones which is its own problem (-> trust).
Apart from that bitwarden is just wayyy easier, you simply tell the (official) app the URL to your vault and it's basically good to go. You don't have to worry about synchronization one bit. The app is also fairly nice and has all the features you need. Bitwarden also does the browser integration well, unlike keepass where it's a major pia.
I guess it depends if you sync your passwords across multiple devices, and also potentially add new passwords on multiple devices.
I personally don't.
Sure, I have a password manager on my phone, but it only gets a small subset of my passwords anyway. Similarly, any password I add on my phone is very likely to be somewhat irrelevant, mostly throwaway.
> when you have multiple device editing the same file... Well...
You are implying that this is a problem, but KeePass actually explicitly supports this and merges your changes. I've been using KeePass like this for many years and never had a problem editing the database from multiple devices.
If you do self-host, please consider still buying premium from Bitwarden. It's only $10 per year. It's well worth the money and since you're still using the clients, which are still developed by Bitwarden, it'll help towards keeping the product alive.
Considering it costs a fifth of 1Password, and has had an almost-fully-featured free option since early days, I suspect that Premium income is not their main source of funds. Maybe they got investment to survive while they built a business-friendly product. Maybe they consult for businesses running their own servers.
I’ve been trying to switch from KeePass to Bitwarden so that my partner and I can share some passwords but KeePass just works, so it’s been hard to change over.
She just asks me to get the password for her. I have chosen to store some of her rarely used account passwords to save her from having to go through the password reset process every time she wants to access the accounts.
I attempted to set her up with her own database but it's difficult to manage accounts that we both share in two separate databases.
If you use Keeweb, you can put the database file on a shared drive and open it from there. I set that up for some shared passwords in our company with Google Drive.
share the password database, do not add passwords at the same time in multiple places, always sync->add->sync.
Most people do not add passwords often, so that works just fine.
You can also have multiple database files: one for the common shared passwords, which is always read-only and synced from a single source, and one for local passwords which should not (yet) go into the shared database.
It depends how you use it; if you don't need to synchronise the database between machines (much) then KeePass is likely the easiest solution and works very well. Beyond that, Vaultwarden makes it easy to maintain a single centralised database accessed from multiple systems.
It scratches different itches; Bitwarden (/Vaultwarden) is good if you need to sync lots of devices and users to the same database; KeePass is less overhead with 3 or fewer devices and a single user.
This was my reason to go away from KeePass(XC) with NextCloud for sync. I would inevitably run into sync issues (also due to the need for NextCloud to be always up of course, also self-hosted) and I never found a nice way to integrate KeePassXC into Android or iOS. Bitwarden just works, on any OS (although what I find annoying is that you have to sync the vault before you get new stuff by going into the app and syncing; just using it does not update it, so frequently I find myself missing passwords on iOS and then I need to manually sync first). Oh, and there is an issue with using it in private tabs on Firefox which has existed since I started using it.
Could it be that you weren't using it correctly? KeePass database files aren't supposed to remain open (for security of course) and it has quite a number of options to automatically close it after a certain amount of time or when the window isn't focused, the computer is locked, etc. This would trigger a sync with the (NC) server and, assuming that all your clients follow the same usage pattern and close the DB after a small window of time, there shouldn't be any conflict.
> NextCloud to be always up of course, also self-hosted
You could use NextCloud's own hosting. But then Bitwarden's server needs to always be up too, and optionally self-hosted.
> Bitwarden just works
A low bar to recommend a password manager, don't you think so?
My remarks are from the self hosting perspective. To ensure an up-to-date KeePassXC db across all my devices I needed Nextcloud to always be reachable. KeePassXC was not smart about sync, so add one pw on a device before syncing, add one on another and you have two divergent databases that you have to manually reconcile. Bitwarden does not have this issue, and it also keeps itself synced, even if I only set up the add-on in the browser (with KeePassXC you always need the full program installed). With KeePass(XC) it's just an extra layer you need to be aware of, decoupling sync from the db.
For me BW has always just worked, meanwhile I have several KeePassXC dbs with a date in their name because of conflicts. Which arguably is because of NextCloud issues, which are my own "fault" (issues include, on work PC file sync services are not allowed, on Server somehow NC disconnects after every container update, since it is "headless" I often notice this very late, the shitty state of NC client packaging on Ubuntu will let you install very old clients that may stop syncing, you need to be aware of this... etc). Perhaps KeePass(XC) just works if you outsource syncing, but then still, it is easier to have sync conflicts than with BW.
And then there is the ability to share PWs with relatives with a BW account on the same server, KeePass does not have this concept as far as I am aware.
> you have to sync the vault before you get new stuff
I had that problem on iOS, and it disappeared since I moved to Android. There is probably an issue in what they are (not) allowed to do in background on iOS.
Is there a good, real comparison of password managers for personal use out there somewhere? I've tried looking in the past and haven't found one that isn't just ads. I've been a long time LastPass user but I'm looking to switch away.
Features I need:
* Cross-platform (iOS, macOS, Windows)
* Easy to use browser plugins (the LastPass safari plugin is awful and non-discoverable via Safari plugin search)
* Autofill in browsers (Safari and Firefox) and mobile (iOS)
* Internet-based sync (I don't really want to manage my own backend)
Nice to haves:
* Account creation detection
* TOTP
* Yubikey support
* XKCD-style password generation for passwords I want a shot at remembering
KeePassXC & Strongbox on iOS.
KeePassXC has browser extensions, Strongbox has autofill on iOS. Use iCloud Drive for the database (the Windows iCloud app needs to be set up). There are occasional sync issues but I recommend keeping a local backup on each device.
The combination has all of the features you mentioned including xkcd password generation & Yubikey.
Only downside is that the desktop extension requires the app to be open in the background. For that, I have the app minimize to system tray so it isn’t in the task bar.
Strongbox settings menus are an absolute disaster to learn, but it has extensive customization. Make sure you only give the app 32 MB of memory or autofill will crash.
I see lots of people deriding LastPass... just wondering what exactly Bitwarden or 1Password do better? I find LastPass a bit clunky at times, and once or twice a year it won't actually save a password, but seems ok in general?
I left after they increased the premium price from $12 to $36 within a few years.
I read a few comments from people that this was a classic LogMeIn move where they buy a service, hike the price and squeeze out everything they can before slowly letting the service die off.
I'm happy to pay a reasonable price for services and bitwarden's $10 price (the old LastPass price) shows that's the reasonable price.
I switched to 1Password from LastPass mainly due to trust (due to LogMeIn), bad mobile app (always asking me to give it permissions it needs then forgetting, and more), no TOTP support, problems with the extension and more that I thankfully cannot remember. Switching was a great decision.
Last year there were a few stories about how they embed trackers in their software. So I decided to go with a paid solution that will never spy on me (BW).
I wish google would provide a basic password manager as part of their workspace. It's 2022 and passwords are more painful than ever. In an ideal world we would have SSO everywhere, but it's just not happening.
They are slowly extending the Chrome password manager to be a more general-purpose password store, at least on Android. But tbh I think Google already knows my secrets more than they should, handing them all passwords would be a step too far for me.
I switched from LastPass (basically used it since their beginning) to Bitwarden about a year ago. Would never go back. So far have heard good things only about it and it is open source. Works like a charm for me.
We use Dashlane at work and it's probably the worst software I have ever used. I have no idea what they do with their funding but it doesn't seem like it gets spent on making the app function correctly.
My company uses Bitwarden. Not a fan. UI is clunky and requires too many clicks. I haven’t used any of the other password managers so I can’t give a good comparison.
HashiCorp Vault solves a different problem. Password managers target the end user password management problem, whereas HashiCorp Vault targets the bootstrapping problem for servers/services.
Yes, it is. Then again you'd be shocked at how much companies pay for SAAS apps today. I like to think you use FOSS when you're small b/c you can't afford the good stuff, then you get so big you want to switch back to FOSS b/c so many companies are taking you for a ride.
I expected a blog article with actual feedback from companies and data, but ended up on the bitwarden.com main page.
Baseless claims can be quite common when it comes to marketing, but I'm genuinely curious: which password manager is used in your workplace, if any?
I've personally never seen in my (for now short) career anything else than Keepass.