Bitwarden login down due to Azure outage (bitwarden.com)
116 points by yakz on Sept 16, 2023 | 123 comments



I 'mirror' my Bitwarden login entries in a KeepassXC database, so I have an offline carbon copy in case Bitwarden's servers are wiped or not accessible, or for whatever reason, I can't access my Bitwarden vault. I would suggest everyone do the same. The only pain point is remembering to make a carbon copy of each entry you add to Bitwarden, in the KeepassXC database.

I also make copies of my KeepassXC database in several cloud storage services in case of a house eating event which destroys my hard-drives (unlikely but still a possibility). I really don't like the idea of being locked out of my digital life.

Terence Eden has a good article about this potential scenario:

https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my...

For those wondering why I use Bitwarden as well as KeepassXC:

1.) Redundancy. Can't get at my KeepassXC? Then I try Bitwarden. Can't get at my Bitwarden? Then I try KeepassXC. Can't get access to both? Then I'm screwed (but this is unlikely).

2.) Browser extension. I like to be able to login easily to sites using their extension.

3.) LOCKSS (Lots of copies keeps stuff safe). Having a cloud-based mirror of my login entries stored in Bitwarden is marginally better than solely relying on KeepassXC.

4.) Logging into KeepassXC is sometimes more complicated than logging into Bitwarden. I have a long seven word passphrase for KeepassXC, and use a keyfile which I have to 'hunt down' in the filesystem each time I go to access KeepassXC (I have disabled the ability to store the last used database & keyfile for security reasons). With Bitwarden I just open the app and if it's unlocked, I get quick access to everything.


What exactly is Bitwarden getting you if you're doing this copy process? I have only used Keepass and haven't read why Bitwarden would be superior for some scenarios over what I am already doing.


> haven't read why Bitwarden would be superior

1. Out-of-the-box integrated sync with a dedicated default host: keepass has 8 different sync plugins, all with different levels of maintenance & UX, each for separate sync backends, all requiring separate 3rd party backend account setup

2. Consistent cross-device features & UX: Keepass has 3 browser plugins with varying levels of browser support (not sure if any have mobile support?)

On top of the above, Bitwarden is open source and allows self-hosted sync


I didn't know KeePass(XC) had sync plugins, let alone eight, since I just sync the file myself as part of the same infrastructure that syncs everything else under my homedir.


Yeah I just have my KeePass file in my own Nextcloud and I can access it on any device. I have never needed to mess with a sync plugin.


Do you sync your homedir to your phone? I presume you're an Android user?


Linux user. My phone runs postmarketOS.


3. Easy password sharing, free for 2 person organizations.


Yes! This too. My partner & I have used this for shared / family / household billing accounts / etc. for years.


> What exactly is Bitwarden getting you

1.) Redundancy. Can't get at my KeepassXC? Then I try Bitwarden. Can't get at my Bitwarden? Then I try KeepassXC. Can't get access to both? Then I'm screwed (but this is unlikely).

2.) Browser extension. I like to be able to login easily to sites using their extension.

3.) LOCKSS (Lots of copies keeps stuff safe). Having a cloud-based mirror of my login entries stored in Bitwarden is marginally better than solely relying on KeepassXC.

4.) Logging into KeepassXC is sometimes more complicated than logging into Bitwarden. I have a long seven word passphrase for KeepassXC, and use a keyfile which I have to 'hunt down' in the filesystem each time I go to access KeepassXC (I have disabled the ability to store the last used database & keyfile for security reasons). With Bitwarden I just open the app and if it's unlocked, I get quick access to everything.


What does the painful process of hunting for a keyfile offer in terms of security when bitwarden on the same machine doesn't have that protection?


Thanks! I will probably just stick with Keepass but this was a nice write-up to consider.

1) I have my database replicated several places already. Cloud storage, mobile, FTP server, etc.

2) I don't use a browser extension on desktop, but I know there is one. On mobile the accessibility permissions allow it to suggest login information both in third party apps and in the browser. I've found it works fairly well. If you aren't able to open your database quickly it might not be as convenient.

3) This sounds the same as what I was considering for (1). Historical backups would be important for recovering from possible corruption, but I have not run into this yet for Keepass.

4) Understood. Bitwarden doesn't support keyfiles?

I have been close to splitting my Keepass DB up into several, but haven't pulled the trigger on that effort.


4. is ... interesting :-) You made access to KeePass more obscure for "security reasons." But fear not: "With Bitwarden I just open the app." Okay cool.


I manually export my Bitwarden vault to KeePass from time to time as well. The benefit of still using Bitwarden for me is that I can access and update my main vault from any linked device (desktop PC, laptop, phone) without needing to synchronize data between devices. It's far from an ideal way, but you can have a little more confidence that you will have access to your data (although it might be a slightly outdated snapshot of the data) even if you can't access the Bitwarden server. That is exactly what happened today, and I was still able to retrieve my password from the local copy.


My understanding is that BW has superior auto-fill features and wide support for different OSes. Keepass doesn't have auto-fill for browsers; Keepass has to rely on third parties to provide the auto-fill features and the various apps for all the different OSes.

I've been a Keepass user since 2006 and never had a problem with them. My database is saved in OneDrive and I always keep a local copy on my system. If OneDrive is down, my local copy is always there for me.


KeePassXC does have auto-fill for browsers. And also Auto-Type which allows you to enter your credentials to _any_ application possible. All this works without any third party plugins.


When Bitwarden's servers are inaccessible, the mobile and Windows apps continue to work just fine using a cached version.

In my case they even sync new passwords once the server/Internet comes back up.


Indeed, it works offline fine. Also there is a stand-alone desktop version, no need for Keepass.

I do use Keepass to save things I don't want to expose in an online service, no matter how secure it is.


I just host my own Bitwarden. I try to self host as much as possible and be anti cloud


Using something like vaultwarden? I'm curious how you keep it secure from intrusion? I'm looking to do the same


> Using something like vaultwarden? I'm curious how you keep it secure from intrusion? I'm looking to do the same

The official Bitwarden self-hosted setup works flawlessly. Hosting it at home and accessing it through Tailscale.


Anti public cloud here as well


I'm working on a product to solve this problem (i.e. where do you back up your seed, high value keys / secrets, 2FA codes). The approach is social recovery (threshold cryptography) for the root seed, and a digital agent component (i.e. DWN - distributed web node) SaaS or self hosted. The digital agent is used for encrypted backups and to communicate with other parties (contacts). Does this sound interesting to you?


> I 'mirror' my Bitwarden login entries in a KeepassXC database

I do this manually and I want to know if you automate it and how.


Genuine question: why all the hassle when it’s so easy to reset passwords?


Password reset assumes two things:

A - the service doesn't encrypt your data (or has access to your private keys), and

B - that you have access to the second factor which is used to reset your password (e.g. a backup email address).

Secure password managers do not have access to your private key (i.e. the encryption key), so if you lose the seed there is no recovery.

In the case with other services (i.e. they can reset your password) there is a chance you could lose access to your backup email or phone number used for resetting.

Edit: some services do allow reset by proving your "identity" (e.g. bank), in which case you have to go through customer service and provide requested information. (I put "identity" in quotes, because nefarious actors can sometimes prove this too).


Why not just periodically back up your Bitwarden vault to external storage?


From GP:

> incase of a house eating event which destroys my hard-drives

I worry about this as well. Yes, a friend's house is an option, but not everybody has friends or family in the same city, and if they're further away, updating copies is a pain.


Ah, fair point. I should do something like that for my own setup then. My current setup may also be vulnerable to that failure mode.


How is a Dropbox shared folder a pain in updating copies across cities?


Syncing your password safe to Dropbox is a completely different scenario, with a corresponding different threat model.

It may work for some people, but on average, I'd say it's worse than relying on a dedicated/"native" password safe cloud syncing service.

In any case, it's certainly not an alternative to a physical offline copy.


On the contrary, it's very similar - you share a keyfile with your friends in a different city and then you encrypt your password safe with that extra keyfile that hasn't touched Dropbox. This solves the threat model issue while also relieving you of the pain of syncing the password safe (in this case syncing is even more convenient than your same-city-physical-visit model)


Assuming that the keyfile is only for emergencies: How do you unlock the password safe day to day?


In a manner much easier than a physical visit: with a double click?

(though you don't do it every day, you do it whenever you export bitwarden safe for backup purposes)


why not just self host at this point? this seems like security theater.


I've been considering this, but to be honest, I don't trust myself to keep up with updates and other aspects of opsec for something that I only use for myself and would have to do consistently and reliably at nights and weekends.

That would probably be balanced out with my self-hosted instance hopefully being less of a target, but the downside there is that I might not even know that my database was compromised and it's down to my passphrase strength now.

With Bitwarden's SaaS, I'd hope that I would hear about such a compromise before too long, giving me time to rotate passwords while GPUs gnaw at my (and everybody else's) passphrase.

Additionally, there are certain opportunities for account access recovery that are much harder or impossible when self-hosting, e.g. things like a cool-down period and a warning e-mail before allowing a less-secure 2FA method.


Why not just use KeePassXC ?


1.) Redundancy. Can't get at my KeepassXC? Then I try Bitwarden. Can't get at my Bitwarden? Then I try KeepassXC. Can't get access to both? Then I'm screwed (but this is unlikely!).

2.) Browser extension. I like to be able to login easily to sites using their extension.

3.) LOCKSS (Lots of copies keeps stuff safe). Having a cloud-based mirror of my login entries stored in Bitwarden is marginally better than solely relying on KeepassXC.

4.) Logging into KeepassXC is sometimes more complicated than logging into Bitwarden. I have a long seven word passphrase for KeepassXC, and use a keyfile which I have to 'hunt down' in the filesystem each time I go to access KeepassXC (I have disabled the ability to store the last used database & keyfile for security reasons). With Bitwarden I just open the app and if it's unlocked, I get quick access to everything.


1. You can store your encrypted KeepassXC kdbx file anywhere you wish.

2. KeepassXC has a browser extension.

3. Refer to point 1.

4. Using a keyfile is optional and IMO I don't see how it adds any security benefits to the master passphrase.

The only reason Bitwarden "just opens" from the last session is because of the very features you have disabled in KeepassXC (remember last used kdbx).

Launching KeepassXC for me has exactly the same steps as Bitwarden has. Open the program, enter the correct passphrase (or an insecure PIN on Bitwarden for the lazy folks) and the password database unlocks.


> 4. Using a keyfile is optional and IMO I don't see how it adds any security benefits to the master passphrase.

I believe it fulfills the same 2FA role as does the Secret Key in 1Password <https://support.1password.com/secret-key-security/>: combining something you know (passphrase) with something you have (keyfile/Secret Key), thus making a potential Dropbox breach (or wherever you store your .kdbx) not subject to offline dictionary attacks -- err, unless you also stored your keyfile in Dropbox in which case, yes, it wouldn't add any security benefits


A strong passphrase should be good enough to deter dictionary attacks, even if your kdbx file is leaked.

And even then, the ciphers used to encrypt the kdbx file are highly configurable; you can future-proof the key derivation function as much as your hardware can reasonably afford to unlock the file.

Besides, using a keyfile for daily use is impractical. For correct usage, you'd have to keep it on a separate drive from your kdbx (on a USB flash drive perhaps), as you very well mentioned. But then in the menu you'd have to go to the directory the keyfile is stored in every single time you want to unlock your database, if I am not mistaken about how the feature works on KeepassXC.


KeePassXC even has the advantage that I only have to unlock once for both the desktop app and the browser extension.

Bitwarden requires separate unlocks.


I have a paper notepad where I keep my secrets. No fucker can hack me.


However, that leads to the problem of either always carrying it with you, which makes it more likely to be lost or stolen, or not having it with you when you want access to it.

The lack of backups is also a concern.


> The lack of backups is also a concern.

Carbon copy


Not sure that's a great solution - it implies you either have to

1. Carry around your carbon copy with you - making it not really any backup at all

2. Remember to make your carbon copy at a later time every time you create or update a password - pretty cumbersome and prone to forgetting

Plus if you have any decent number of passwords you're dealing with many pages (*2 for the carbon copy), which is also error prone. What about longer passphrases as well? I have a bunch of very long phrases I use as encryption keys and such that would be very annoying to manually write out.


Same applies for using mobile phones as 2FA.


Depends on the 2FA app and where it backs its codes up.


My wife used to have one of those. The number of times she called me to read a password from the notebook because she forgot it at home is… well… quite staggering


Thinking about this scenario, but combined with AI voice impersonation, makes me very uncomfortable.


relevant: https://news.ycombinator.com/item?id=37500895

The "hang up and call back" defense also would work with your "wife clone attack" too


"Hey, I dropped my phone and wallet into the river when getting off the ferry, somebody was kind enough to lend me a few quarters to make this call, please, I really need my Google password so I can log in at work and contact the bank and order new cards and a phone" – what would you do?

Sure, very often the story won't check out, people will be able to detect the fake AI voice etc., but that's always been ok for the scammers – as long as it works sometimes.


"we don't have any ferries here, be-gone imposter!"


So you lose everything everywhere in the event of a fire, flood, etc? That doesn't sound like an improvement...


Just never take it outside or the camera satellites will snap a pic


Oh, please.

Everyone knows the satellites are arranged into a constellation to form a massive C.T. scanner.

So leaving the house is irrelevant.


So you're saying my passwords need a tinfoil hat too? :o


Obligatory XKCD: https://xkcd.com/538/


Obligatory: that comic is one of the few (only?) times Mr Munroe got a topic completely, absolutely and utterly wrong and made a really, really bad comic. That it gets pushed an astonishingly high number of times on technical forums kind of illustrates though how little critical thinking even people who should know better do sometimes I guess. And I suppose how fractally wrong it is can be a good starter for discussion.

Edit: commenting about downvotes is almost always pointless. But pointing out the truth about this comic always gets lots of commentless downvotes, and so this time I want to say that you people are wrong, and you are actively misinforming people. Security is about economics, increasing the time/cost for attackers vs defenders. Additionally, different security measures are about specific threat models. Encryption is entirely orthogonal to physical attacks, which are addressed by physical defenses. But physical attacks are much more expensive and riskier, if they're possible at all, vs electronic. And encryption still yields the important value of knowing you were attacked at all. If you are going through an airport and they demand your password at gunpoint, you can surrender it right away and you've lost nothing, but now you also know they were interested and all the data is likely compromised. Whereas if it was all unencrypted, they could have just quickly and transparently copied it all off, added a rootkit, etc with you never being the wiser. But in much of the world, official services threatening you physically isn't legal. And if it's criminals, how often is the "lead pipe" a thing vs "we stole this from some tourist and we don't even know who it belongs to" or the like?

XKCD is rightfully popular. But this comic is shallow and bad. It shouldn't be held up as at all valuable in security discussions on HN or anywhere else.


Perhaps you could take this opportunity where you’ve gotten the attention of an audience to, instead of criticize, educate us? I don’t see what’s wrong with this comic at all. It’s saying that if someone really wants to get into your laptop, they can torture you for your credentials. They could similarly ransom/blackmail you or any number of other approaches that don’t involve attempting a brute force decryption.

Perhaps you think the link was to a different comic (maybe the entropy one about the horses and the batteries) and didn’t actually click it?


Sorry, I just edited to add that. But

>I don’t see what’s wrong with this comic at all.

Everything is wrong with that comic.

>It’s saying that if someone really wants to get into your laptop, they can torture you for your credentials.

Can they? Please take a moment to actually think about this. What if they stole the laptop out of my car while I'm traveling? How do they even find me? Is it worth them sending a warm body and paying for airfare to follow me home if they do? How do they keep me from shooting them when they break into my house or attack me to torture me? Or my friends or family from shooting them? How do they evade law enforcement? Again, is all this worth it? And how am I worse off if I instantly give the password vs if it was plain text and they never had to let me know at all? What does encryption have to do with physical attacks? It's completely stupid.

Seriously, if you think this is correct take it to the logical conclusion: why bother with any password beyond abc123? After all, they can "just" torture you for it right? Why bother with HTTPS? Attackers can "just" torture bank IT for the accounts anyway right? Except obviously that's not how it works.

>They could similarly ransom/blackmail you or any number of other approaches that don’t involve attempting a brute force decryption.

Again, no they generally cannot. It's impossible to be secure against an omniscient attacker with infinite resources, but IRL there is no such thing. Not even the biggest most powerful security agencies. If the cost of attacking is higher than the value of whatever it is, the security is good. Forcing attackers away from cheap, undetectable attacks into expensive, noisy attacks is what it's all about!

This comic pushes one of the most fundamental misconceptions about security, and in a doomer despair sort of way. "Why bother taking any steps, the CIA/KGB/whomever can still get you!" is not a reasonable message or argument.

Edit: another real common flaw in thinking about security is inventing fanciful threat models vs real ones, which is bad because it can mean poor allocation of limited resources. It happens a lot in certain parts of the gun community for example, egged on of course by those with things to sell: people worried about defending their homes might spend 4, even 5 figures on firearms, yet then also have a crummy door and lock that would take approximately 3.8 seconds to kick in. It would be much more effective and have higher ROI to invest much less money in basic physical security first. Decent frame/door/bolt, shatter resistant first floor windows (or film on the windows), cosmetic but spiky bush beneath them, etc won't keep out determined attackers. But most likely attackers aren't determined. They aren't after "you" they're after "someone", low hanging fruit. You don't have to be Fort Knox, you just need to be enough of a pain that police are more likely to show up in time and make it not worth it. Or enough of a pain that they go next door as cold as that is to say. It's another sort of "preoptimization is the root of all evil", focusing on outliers vs the common case.


> why bother with any password beyond abc123? After all, they can "just" torture you for it right? Why bother with HTTPS?

I think you're missing the point of the comic. It isn't arguing against basic defense; it's the lengths necessary in "the crypto nerd's imagination" that it's calling out


>it's the lengths necessary in "the crypto nerd's imagination" that it's calling out

As well as being a classic example of a strawman, how is the "crypto nerd" wrong? The encryption cipher in these cases is perfectly transparent to the user; there is zero advantage in using something broken vs something secure. We've long, long ago passed the point where hardware symmetric encryption couldn't keep up with the speed of storage. An end user will observe no in-use difference between AES256 and ROT-13. The "crypto nerd" correctly focused on the real threat profiles. How do you suppose the percentage of people facing

>beat with lead pipe

compares with

>someone stole a phone or notebook off a bar table or from a car for drug money, if it's unencrypted maybe someone takes a shot at it, if it's not it instantly gets wiped and sold, or if it has some sort of protection against that it gets chop shop'd and the parts sold

? Which one of these makes sense to focus on? And even in the first case, how do you imagine someone is worse off spilling the password immediately with blubbering apologies once the lead pipe comes out, vs if they never needed to be asked at all?


> Encryption cipher in these cases is perfectly transparent to the user

It's not the specific cipher that it's making fun of, but the "let's build a $x supercomputer to crack it." Honestly, half of the things you say in your edit/replies are really making the same point.

But maybe I'm wrong and "everything" about the comic is actually stupid, wrong, etc. Even so, I'm not going to get too upset about it


I think you are reading a lot into a two panel comic that isn't really there. the punchline is simply that the nerd didn't understand their threat model in two ways: 1) someone who would consider spending a million dollars to decrypt your hard drive probably would consider physical attacks as well, and 2) no one is likely to invest that amount of resources into accessing a random nerd's hard drive in the first place.

I read the overall message as being the flip side of what you say here:

> If the cost of attacking is higher than the value of whatever it is, the security is good.

if the effort/resources spent on defense is greater than the value of the thing being defended, it is a waste. full disk encryption was not commonly used by consumers when the comic was published in 2009, and would have come with a significant performance penalty on laptop hardware of the era. the feature wasn't even included in vista home SKUs. it probably wasn't a worthwhile tradeoff for this hypothetical nerd.


I wouldn’t have downvoted your original comment if you had explained this to begin with.


I think what you're missing, is the comic shows a scene with two guys, and the discussion shows the guy is in the other room.

And points out how encryption is useless in such a situation. And this is just the sort of situation you end up in, if the law decides you'd better hand over your password.

You are beaten(depending upon who is the law), or physically grabbed at gunpoint, and thrown in jail.. until you hand over the password.

So the point is, encryption is useless in some circumstances.

I don't see anyone in that comic, claiming that encrypted passwords are useless. Or that someone hacking you from half way around the world, will fly to your house and kidnap you.

Instead, it's a point to think on. Are the steps being taken, useful and helpful for the planned scenario?

Really, you should level your complaints at people using this humorous comic wrong. Not the author.


>I think what you're missing, is the comic shows a scene with two guys, and the discussion shows the guy is in the other room.

There are no guys in the other room 99.999999999% of the time. And it's mostly out of scope.

>And points out how encryption is useless in such a situation

Which is wrong. You're doing a great job of illustrating the problem. Encryption is not useless, it's still doing its exact job which is forcing the threat model to shift from undetectable electronic to real world physical. Thanks to encryption, you now have knowledge and choice. You now know that they wanted the data, enough to commit crimes for it. You know they have it if you comply.

>And this is just the sort of situation you end up in, if the law decides you'd better hand over your password.

I'm interested in your statistics on times when the FBI beat American citizens with lead pipes to get them to hand over their passwords. Please do share. Then also share the big smiles on defense attorney faces afterwards during the resulting motions to suppress all evidence and subsequent 7-8 figure civil rights lawsuits. In countries that allow jail or torture for it, well first many may choose not to travel there. Or travel there only with throwaway data. Even there though encryption still serves some value, again in knowing but also opening up more degrees of freedom for how to respond. In a western country that requires decryption but does still have some respect for human rights and rule of law, you may for example be able to have your defense lawyer insist on witnesses to the access, and that the access warrant will be limited in scope ahead of time. Here encryption makes it far harder to plant evidence transparently, or conduct completely unrestricted fishing expeditions. It may allow more avenues for appealing a case. Same reason that you should never consent to just allow police to "look around" your house or car. Sure, they can beat you up and break in. But there would be consequences to that.

>So the point is, encryption is useless in some circumstances.

Again, it's not useless. Physical attacks are outside of encryption's threat model, indeed forcing attackers into physical attack is the exact point. That's vastly more expensive for attackers than non-physical attacks, and gives far more options for defenders. If your data is unencrypted, it can just be silently copied off with you none the wiser.

>Really, you should level your complaints at people using this humorous comic wrong. Not the author.

You just used this comic wrong though! Because it's a bad comic, and the message is all wrong. I think it's fairly obvious that it wasn't intended to make some super subtle wrong point to promote discussion, or if it was then it's too subtle because I've never seen it cited in any way but played straight.

----

Edit to reply to below:

>You are instead blathering on about all sorts of other scenarios, and failing to see that the encryption is utterly useless in that circumstance, because the point is you will give up your password, period.

As I took the time and made real effort to explain to you, encryption is not at all useless in those scenarios. There is more to encryption than merely giving up the password or not, same as there is more to a lock or safe than whether it gets broken into or not. You are wrong. And then of course having failed to address anything, you retreat into "oh it's all humor (somehow)".

Still, good to know you're the kind of person that finds torture and flagrant rights violations funny. As an American I'm not into that myself, but will acknowledge humor is highly subjective.


> There are no guys in the other room 99.999999999% of the time. And it's mostly out of scope.

This is completely irrelevant. As I said, the comic is talking about the situation in that comic. Physical presence, force being used, device and person in same room.

You are instead blathering on about all sorts of other scenarios, and failing to see that the encryption is utterly useless in that circumstance, because the point is you will give up your password, period.

You fail to get this truth, and the joke, and I cannot help you sadly.

But by no means, are you making a sensible argument against the author of the comic.

Good lord man, it's a comic, it's meant to be funny. Are you German??

There's something about German culture, or maybe just growing up with the German language, that trains minds to miss some types of humour.


I think you're reading things into the comic that I'd argue are not there:

Nowhere is Randall saying that the crowbar is the only or the most likely attack scenario to worry about.

He's simply mentioning that it's there and worth keeping in mind, especially when going overboard with other security measures not appropriate in the threat model.


Double check you didn't get redirected to the wrong comic. The one the parent commented is absolutely correct.


> Obligatory: that comic is one of the few (only?) times Mr Munroe got a topic completely, absolutely and utterly wrong and made a really, really bad comic.

Not few, it's pretentious most of the time. I am with you on the criticism, XKCD is the loud, smart-ass kid in the room that everyone thinks is smart because he's using big words.


My understanding of this XKCD:

It’s a subtle yet poignant reminder that our inclination, as tech-savvy individuals, is often to envision sophisticated technical exploits when considering hacking scenarios. However, the stark reality is that, in the vast majority of cases, both individuals and organizations fall prey to breaches not through intricate code manipulation, but rather via the art of social engineering. (beating the sh*t out of someone can be thought of as an extreme form of social eng.) This comic underscores the importance of understanding and mitigating the very human vulnerabilities that persist at the heart of cybersecurity.


Assuming all passwords are long, random, and unique. Preferably paired with MFA where possible.


> If you are using Tor, try changing your exit node.

Bitwarden doesn't run an onion service? Anyone who acknowledges Tor and wants to support users there and doesn't have an onion is missing out.


Appears to be a localized outage as there's no mention on https://azure.status.microsoft. Though, that's more of a PR status than actual status.


There’s no mention of Azure on the Bitwarden status page.


Yeah, no idea where OP got Azure from?


Bitwarden's help pages state storage is in Azure cloud: https://bitwarden.com/help/data-storage/#on-bitwarden-server...

So if there is an observation of an issue, it's reasonable to connect those dots, plus their statement on that page "All uptime, scalability, security updates, and guarantees are backed by Microsoft and their cloud infrastructure" pretty much says any issues are MS/Azure problems.


This is editorializing the title, which isn’t allowed on HN.

Bitwarden themselves aren’t blaming Azure.


After four hours, it's on Bitwarden and not Microsoft if they haven't failed over to a paired region by now. Ideally it's active/active and doesn't need failover.


I’m not a bitwarden user, does this mean users can’t access their secrets on their own machine if they are logged out? Because that’s not how 1Password works. I suspect that isn’t the case but it sounds like it to me


There is a difference between logged out and locked (default state of the client after opening the browser/restarting Android/something you can configure in your settings). If it's only locked you can get your data, no problem. If you're logged out, no data is stored on the client. Not sure if this distinction exists in 1Password.


1Password stores data locally and syncs. So, this wouldn’t impact 1Password as far as I am aware. They use AWS, not Azure though.


Bitwarden works offline. You can just not sign in on a new device.


I just tried it myself on a machine completely logged out, and the login page is simply spinning.


That is deeply concerning, no?


No. A temporary outage affecting logging in does not sound “deeply” concerning at all, especially if people who are logged in are still able to use the app normally. I don’t use Bitwarden, but this outage does not affect my opinion of Bitwarden’s hosted service.

I’m not aware of any SaaS that achieves 100% uptime. If you want to control your own destiny, I hear that you can self-host bitwarden, but the uptime will almost certainly be lower than a well-managed hosted service.


I use Bitwarden and am able to access and create secrets


But are you able to log out of the desktop client or mobile client, then log in and see your things?


If the title here says “Bitwarden login down”, I think it is extremely reasonable to assume the answer is “no”. Because that’s what it means for the login to be down.


Just run your own and use vaultwarden so your passwords aren't on someone else's server.


I have more faith in Bitwarden's ability to secure their servers than I do in my ability to secure my own server. Bitwarden has people who work on this full time, and I do not.

I do self-host things, but nothing so security-sensitive.


>I have more faith in Bitwarden's ability to secure their servers than I do in my ability to secure my own server. Bitwarden has people who work on this full time, and I do not.

First: E2EE. You're thinking in terms of a web GUI, not an E2EE client-server where the server itself is untrusted. If done properly (and I've seen no indication Bitwarden's isn't) that would mean that server compromise is irrelevant anyway beyond uptime.

But second, in general: Bitwarden has people attacking it full time, and necessarily must be on the public internet with untrusted clients. And I do not. One's own server doesn't need to be on the public internet at all; you can have 100% of access exclusively through a WireGuard or other secure VPN. You have complete control of every single client, because they're all yours. Server blocked from the internet entirely, update it out of band, or at least restrict what it can talk to exclusively to upstream update servers. This massively reduces attack surface. If only trusted clients can access something, then compromising it means going through a trusted client. But if the trusted client is compromised in this scenario you're hosed regardless. The server is irrelevant.

There are lots of good reasons of course not to run your own thing, but the security aspect gets overdone with false equivalences. It's the equivalent of people pointing at what the likes of Amazon or Google or whomever have to do for database work. But while they have far more resources, they also have far more demands and requirements. Stuff that is very challenging at hyperscale can be done far more simply but still effectively at small/medium scale. It's not wrong to think about the tradeoffs, but worth being cautious of apples to watermelons comparisons.


I don't trust them either, so the only way I am OK running anything self-hosted is behind a private VPN. WireGuard is great for this since it is a silent protocol and no mass scanning of the internet will reveal it is running there. It can be found out only by snooping on data traffic but even then it has good security. On top of that I also use HTTPS for internal-only services.

Another great option is Cloudflare with its "cloudflared" tool. Combine that with OIDC+forwardauth and I would be OK exposing some not so critical systems to the internet.


I self-host vaultwarden on my home network, but it is not publicly accessible. Like all the services I self-host, I keep them internal only, then use WireGuard to have an always-on VPN back to my home network.

This way, I only have to focus on making sure my VPN is secured.


This is what's stopping me from migrating to Bitwarden. Do I trust their servers and hope they are not as bad as LastPass? Or do I need to host everything myself and accidentally leak it? I've had plenty of WordPress sites through the years that were exploited before they introduced auto update. I've also heard that the autofill is quite bad.

I wish password protection was a lot simpler.


Well, any server will at some point crash / need a (partial) restore / need an urgent update / have a power outage / etc., including the one you run yourself, which you also need to manage yourself, which can sometimes be an issue when you're busy.

It's great they offer it of course, as for many people it _is_ a good fit.


Unless you own a datacenter I don’t think that’s a full solution to the “passwords on someone else’s server” problem.


Considering I just lost power to my house containing my homelab due to a storm, absolutely lol


When I looked into running it locally on my own server, I couldn’t get it to work because it required HTTPS. I connect to my local server with WireGuard without exposing it otherwise to the internet, so I don’t have a need for HTTPS. There’s probably a way to set up HTTPS, but I gave up after a few hours trying various workarounds while the rest of my local services continue to work via HTTP and WireGuard.


I tried to self-host some services in Docker and they require HTTPS as well. I gave up trying to set up my own after a few days of trying to set up HTTPS; it is way out of my league and I don't have experience with it. I remember Caddy provides automatic HTTPS right out of the box. Maybe try looking into Caddy?


Plain WireGuard would require more work to replicate this feature, but I remember hearing that Tailscale offers a beta feature to provision certificates, which I still need to try out sometime.

https://tailscale.com/kb/1153/enabling-https/


I trust Bitwarden more than my own abilities, but I have been thinking to do this just as a backup and have it offline unless I need it.


>so your passwords aren't on someone else's server

Being able to transmit information across open or even adversarial channels is the literal reason encryption exists.

This is security theater; if your security method is keeping your data local you can use Notepad, you don't need to go through the hassle of setting up a password manager.


Well, I run my own vaultwarden instance (it's great), but I host it on a free Oracle (ewww) cloud instance. At least if that goes down, I can just run it from my last backup and host it in my house until I find something more resilient.


I do that & make sure it’s only accessible by connecting via my WireGuard VPN. Works amazingly and I would bet probably more secure than just a master password.


I did not realize Bitwarden uses Azure. I will now be changing password managers. Never trust MS to do anything.


Bitwarden is E2EE, it doesn't matter where it's hosted.


What is a good safe way to take a backup of your vault?


Safety is in your hands, but the Bitwarden client allows you to export your vault: https://bitwarden.com/help/export-your-data/


(which also allows for encrypted exports: https://bitwarden.com/help/encrypted-export/ )


Yesterday I bought their premium, guess I broke it!! But as others mentioned, I do have a plan B and C and even D.


Self-hosted vaultwarden (formerly bitwarden_rs) is not down, fwiw.

Must be in a different AZ.


Ha. Back when I was considering learning C# to complement my Azure skills and get a safe, sustainable job in enterprise, I remember finding Bitwarden as one of the only major C# projects on GitHub I could find. I had a strong hunch after that who they were hosted by.


Yeah... tried to edit a password before and it took me a few attempts. It was odd because Bitwarden always works very well for me.


1Password or you’re doing it wrong.


This sends some schadenfreude into my veins for those people that constantly advocate for using a password manager in the most annoying way possible. Congrats, you now have a single point of failure for all your accounts.


Not at all a single point of failure; as others have mentioned, this is only for logging into new devices. Devices which are already set up will have a local copy of the database. Plus you can export the database to have a backup that can be restored elsewhere. I keep a database backup (encrypted of course) on a flash drive with my YubiKey, for instance.

Have never had a point where I haven't been able to access my passwords.


That's not what I was referring to, but the single master password that decrypts everything. Though this would be bad as well.


You can have 2FA on it (e.g. with a YubiKey in my case), and also most people have their email address as a single point of failure in that sense, as most password resets simply rely on sending a link to the registered email.


Bitwarden stores an (encrypted) local copy of your vault on your device. So as long as you were signed in somewhere using any of the desktop app, mobile app or browser extension, then you should still be able to access your passwords during this outage. It's just the sync that isn't working (and if you need to sign in on a new device).


It still works fine as long as you don’t log out. Nothing is broken on my end.
