Switched from KeepassXC to Bitwarden and it's been mostly great.
The three major things that were not great have been
- Import required a lot of manual cleanup due to poor mapping between the tools
- While BW has a browser plugin, it doesn't communicate locally; it talks to BW servers. I need multiple browser instances during the day, and having to sign in once on the desktop is best, and a browser extension could talk to my local instance like KeePassXC did.
- Limited TOTP other than SHA1, 6 digits, and 30 seconds. Others do exist, but if the clients don't support them, the services don't want to risk locking out all the users.
Overall I'm glad I'm using it, and might look into PRs in the future, but it would be nice to see a bit of UX love in the apps.
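Added worked example (not this commenter's code, and not Bitwarden's or KeePassXC's): a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation that honours the parameters an issuer can put in an otpauth:// URI (SHA1/SHA256/SHA512, digit count, period) instead of hard-coding the SHA1 / 6 digits / 30 s defaults, plus the server-side verify with a one-step skew window. The otpauth URI in the test is a constructed sample; the secrets are the RFC test vectors.

```python
"""Added example, not from the thread: HOTP/TOTP with configurable hash,
digit count and period, parsed from a Key Uri Format (otpauth://) string."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hash names RFC 6238 allows; a client that only knows SHA1 rejects the rest.
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=...&algorithm=...&digits=...&period=...
    into TOTP parameters, applying the RFC defaults for anything omitted."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                  # issuers often omit base32 padding
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "label": parts.path.lstrip("/"),
        "secret": base64.b32decode(b32),
        "algorithm": algorithm,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def verify(params: dict, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- window
    steps to tolerate clock skew; compare in constant time."""
    step = at // params["period"]
    for delta in range(-window, window + 1):
        expected = hotp(params["secret"], step + delta, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample URI; the secret is the RFC 6238 SHA1 test key.
    sample = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    p = parse_otpauth(sample)
    print(p["label"], totp(p["secret"], 59, p["period"], p["digits"], p["algorithm"]))
```

The point for a password manager acting as an authenticator: everything an issuer can vary is carried in the URI, so a client that ignores `algorithm`, `digits` or `period` produces codes the service will reject, which is exactly why services stick to the defaults.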
Lots of people I respect use Bitwarden, and it always seems to score really highly in these kinds of things. At the same time, the thought of having all my passwords protected by an open source program absolutely terrifies me. I know on some level this is irrational: closed source programs are hacked and cracked all the time, the programs themselves could be running on an open source operating system, closed source programs have had the most breaches (e.g. LastPass). But I don't know if I can get over it. I suppose the analogy is that I'm not sure I'd want to store a valuable physical item in a bank that openly posted its entire layout, vault, patrol details etc. for all to see. Like yeah, there's something to be said for the wisdom of crowds and utilising that to make something secure, but surely it only takes one genius to come along who sees things differently, spots the flaw and exploits it? And the obfuscation of a closed source program feels like it's an extra line of defence.
- The bank that says "We have strong security measures," which it details in full, and you can audit to any depth you like and see they are in place, and you can see that security professionals have taken them up on their word and offered feedback which has been implemented
- The bank that says "We have strong security measures," and then they say for security reasons they can't tell anyone about any of them and you have to take them at their word that they even exist
I just realised that my number one feature request for Bitwarden has been fulfilled! It's now possible to easily search the notes of entries. That's very handy when I want to list all my accounts that use a certain email address or phone number, which I do when I'm about to discontinue an email address or phone number.
They paid, probably. Not sure about the reputation of this report, but a lot of them are just an ad catalogue with a fancy comparison graph on top. The graph has to be at least somewhat reasonable, but if it showed LastPass on the bottom, they wouldn't pay for participation, and here we are.
A friend and colleague was raving about it. However, I acknowledge it's only one data point and so I should take even my friend's opinion with a grain of salt.