Am I the only one who just cannot STAND MFA? Having to get a notification text etc. Like what if I don’t want to give an app capability to notify my phone? What if I want something totally NOT connected to my phone?
I just envision a future where there is some near-circular dependency of passwords/phrases/notifications/authenticators/keys/email verifications etc across different devices and services - the end result is that it is absolute PiTA to log into anything or recover any account if anything is ever lost. Sort of an endless personal bureaucracy for authentication. It’s a future I am personally trying to avoid at all costs
Yubikeys etc seem like something I could potentially get behind, but it still doesn’t seem perfect per se… anyway, maybe I am just a geezer
Passwords, credit card numbers, social security numbers, etc are old outdated technology that can't go away fast enough. They're unfixably insecure...identifying yourself to someone by giving your secret identifying information to them immediately allows them to impersonate you! We've had the technology to fix this problem for close to 50 years now: public-key cryptography. We can't get to a password-less world fast enough IMO.
I know a lot of HN doesn't have much use for blockchain, but if there's one thing that blockchain has done for the world it's been to substantially spur the use and development of public-key auth systems, especially on the UX front. This is because it had no choice. If you try to use an inherently broken password auth system for completely decentralized digital currency, it will immediately descend into unusable chaos because of the vulnerability. Traditional finance (credit cards), government identification systems (social security), etc have so much existing infrastructure that innovating in this area is hugely costly and slow, but it's absolutely the direction we need to go.
What are you talking about? I reset users' forgotten passwords daily. People can't remember the simplest of passwords and you can easily ask them to give you their passwords if you are persuasive enough. The human brain is the weakest link, not passwords, credit card numbers or social security numbers. They are just fine and will be for a long time.
MFA is not going away, but neither is it going to become what you are describing.
MFA using an SMS is not secure.
If people reliably made good passwords and never reused them, we probably wouldn't need MFA as much.
Unfortunately, we live in a society. Bitwarden will remember your TOTP codes for you across any device you login from. It will even copy the code to your paste buffer during a login.
I enable MFA everywhere I can, even for stupid stuff. It's just not an inconvenience using Bitwarden.
and if developers would always mitigate brute force attacks/limit the amount of attempts you can do, not limit the amount of accounts you can try to access from a single source
and if all developers would give you the tools to check every login session, including IP addresses used, and number of failed attempts
and if everybody used full disk encryption and other measures so that your passwords cannot be stolen, such as only using signed applications and proper sandboxes
SIM-swap is a real thing, but it has an unreasonably large amount of mindshare in discussions about login security in non-security communities. Phishing is a gazillion times more common because it actually scales. Both SMS and TOTP are equally weak to phishing, yet people frequently shit on services for using SMS and not TOTP.
SMS has weaknesses. Especially if you are a particularly high-interest target. But the benefit of "everybody already has a phone" is immense and the true recovery mechanism for "oh shit I dropped my phone in the toilet" is valuable. Something like a yubikey is the complete solution to login problems that don't involve malware or some security vuln, but they are an extra thing that people need to buy so the pathway to "everybody uses a yubikey" is a mess.
Both Android and iPhone are now offering similar functionality though phones, which mitigates the "you need to buy a new thing" problem, though it is harder to set up an effective backup here.
But this comes down to bad security practices at the telco, doesn't it?
I don't know about other countries, but you can't even buy/activate SIM cards in Germany without "proper" identification through VideoIdent or another system where your passport is checked against. At least that's what I remember.
I'm not sure any type of "I've lost my SIM, please use this one" would work on German carriers without proper ID.
Moving numbers also requires some kind of paperwork, it's not that easy after all.
Sort of yeah, it wouldn't be possible with my carrier for example as they would just tell you "login online and swap it" because things like switching sim etc. is just something you do there and not something you call them about. And to login to the website you must use the national 2factor authentication.
So essentially they would have to breach the national 2factor authentication system first here.
And there is absolutely no way that you could "social engineer" the guy on the other end of the phone who works for the telecom company, as there is no way you shouldn't be able to use their online tools.
Passwordless is going to be great. Though, this is just for unlocking your bitwarden account.
Real cross-device passwordless is likely coming in the next year or so. WebAuthn/Passkey is in its 3rd public working draft[1] and once finalized, we'll likely start to see it across sites. Most devices, browsers and managers have added or are adding support for it: Apple, Microsoft, Google, Auth0, Duo, 1Password, etc. If you haven't seen it, Auth0's demo is helpful[2].
Passkeys are definitely the future, and I think will eventually eliminate a lot of phishing attempts and other insecurity caused by passwords. I'm hoping that we will eventually see transferable, secure identities that you can use to log in anywhere, rather than having to constantly create account credentials for everything.
As a side note, if you want to try out passkeys now and don't want to tie it to your device, I would like to plug my solution, Bulwark Passkey (https://bulwark.id). It's open source, allows you to export your credentials if you want, and supports all browsers since it emulates a virtual USB device.
My apologies; I open-sourced VirtualFIDO awhile ago but only open-sourced the actual frontend (Bulwark Passkey) about a week ago, and I forgot the license. It should be MIT licensed now.
The threat vector for your passkeys being stolen is the same as current passwords, that's true (because they're just in some syncing database), but it solves many issues that are the leading cause of account compromise these days, mainly phishing and reused passwords.
So, for me, there is no real upside, other than not needing to click "generate password" in my password manager.
What downsides are there? E.g, will it work on rooted phones? Will apps start adding mandatory pin numbers on top (like they do for biometrics), or will Google/Apple's app stores disallow it? How do I "log out" to avoid tracking without being implicitly logged back in? What happens if I routinely wipe my browser settings? Can I use some other person's computer to login in a pinch? (Such as when my phone is off network?)
In principle, browser and os vendors could work through all these "niche" use cases, but I'll be pleasantly surprised if they actually did.
Heya! I just tried installing Bulwark on my Windows 10 machine. Install went fine, but when I try to run the app, I get the Admin privilege prompt, and then.... nothing. No sign of the program crashing, or any kind of error.
Ah, that is odd. If you don't mind, could you go to %AppData%/Bulwark Passkey and take a look at main.log or device.log and see if you see any errors in there? I would really appreciate it!
Edit: I was able to reproduce the issue; it looks like WebView2 (which Bulwark Passkey relies on) is already installed on Windows 11 but not on Windows 10. I released a new version on https://bulwark.id that has that WebView now embedded in the app itself, would you mind downloading that and seeing if that works? Thank you for the report!
I released it a week ago. It's moving along pretty well! The USB emulation method works well, as it can support any browser. So far, I haven't gotten too much push back from the more hardcore security crowd, since I'm upfront about the fact that it is a software implementation.
Personally, I think that the main blocker for adoption of passkeys is ease of use, as if you can't transfer your credentials either off of your device or away from your Apple/Google/etc account, then I think it will be a hard sell to users.
Sadly, the demo didn’t seem to work on my devices. Tried it on desktop Chrome and my Android phone (Galaxy S22); Chrome says that a "notification was sent" to the phone, but there’s nothing. Seems like it’s supposed to work wirelessly, but I didn’t have any success via a USB cable either. Android Chrome does react to it, and shows that it’s connected, but desktop Chrome’s dialog keeps just spinning until it times out.
Wireless is over BLE, so your motherboard needs to be recent enough to have it, or if you have one of those Intel PCIe wi-fi adapters, the USB2 cable should be plugged in to a header on the motherboard (the wifi functionality is pure PCIe, but for some reason Bluetooth is over USB).
It’s an Intel Wi-Fi 6 AX200, which should have BLE support; I use BLE game controllers with it all the time. But it’s weird that it doesn’t work with a USB cable either, even when using the motherboard headers. I’m on Linux (Fedora), not sure if that matters or not.
For a moment there I had hoped that maybe it would solve the problem in the opposite direction: I'm typing the master password so mechanically when I'm on my laptop, that I really struggle to remember it when I have to type it on a screen - to the point that I must go sit at a computer open a notepad, let muscle memory take over and then look at the screen to see what I typed /facepalm
Anyway, in all seriousness, while this is a scenario that happens very rarely, it still makes me wonder if it would be possible to do the passwordless login the other way, i.e. authenticate the phone using a trusted laptop (maybe a fingerprint-enabled one)?
I'm in exactly the same boat. Incapable of typing my master password on a mobile screen because it's just muscle memory.
I've had times where I've needed to get into my account in a hurry and had to find a POS terminal with a keyboard so I could activate the muscle memory.
I use a regular English sentence as my master password; it seems to strike the right balance between not brute-forceable and easy to remember. Am I missing some potential drawback to doing that?
One thing to consider is that you can infer your password structure by ear (e.g. how many times the space bar was used, any modifier keys), making dictionary attacks much scarier, especially if your threat model includes people in close proximity/public areas.
>> am i missing some potential drawback to doing that?
My work machines (government) check for "commonly used words" and will generally reject natural language even if squashed between punctuation marks. "P@ssword" would probably slip through, but "GodIHateRememberingAllTheseStupidPasswords!@#!@" doesn't.
I just have the master password saved in my browser. I realise this is probably sub-optimal for a lot of people but for my workflow (i.e. the kinds of passwords I put in BitWarden) it works out OK.
I had this same experience. The fine print says you have to log in without passwordless at least once, and after that it starts working. It's a low-risk pilot of the feature I think, but will be more useful to me when it comes to the extension. It's strange that you have to sign in to the app at least once, seems to negate one of the common use cases.
The only hesitation for me is as other folks mentioned: never typing the master password again might make remembering the passphrase challenging.
I just looked at the requirements to host your own Bitwarden server. Why does a password manager need 2GB of ram (4GB recommended) and 25GB[1] of storage? That seems quite excessive, how much data and traffic does this thing need to handle for me plus family members?
It is written in Rust and is much lighter on resource requirements.
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ecce485b8b3a bitwarden 0.06% 46.58MiB / 1.937GiB 2.35% 1.63MB / 28.1MB 17.5MB / 81.9kB 11
As well as what sibling said about it being E2EE and just using a standard API for storage, there are awesome tools these days so you can (and I think should) lock down your instance fairly well. Now when I run services like that I access them exclusively via WireGuard or Nebula, no exposure to the public internet at all. It's reliable, dependable and performant enough to pretty much put everything inside of by default. And for something as lightweight as this it should be fine running it at home off of most connections, if you don't have a fixed IP can bounce through even the cheapest VPS instance and still store nothing in the cloud (or run something like Nebula and automate that bit so that it's an encrypted mesh and only a minimal Lighthouse node need be 3rd party). If your instance is just for yourself then even the server can still be another of your devices. Selfhosting absolutely has its challenges and costs but the surface area for exploiting bugs drops a lot when there is no 3rd party or shared environment involved.
> if you don't have a fixed IP can bounce through even the cheapest VPS instance and still store nothing in the cloud
I've been meaning to look into this with wireguard, but I'm having trouble searching for/finding how to do this. Is "bastion host" what I'd want? Also is there a way to ensure the VPS cannot access the network as well, and just tunnels it essentially?
>I've been meaning to look into this with wireguard, but I'm having trouble searching for/finding how to do this. Is "bastion host" what I'd want? Also is there a way to ensure the VPS cannot access the network as well, and just tunnels it essentially?
First, yes, a search phrase like that should get you the right terms, though there isn't anything inherently special about it. If multiple systems are connected to one system with WireGuard, giving them all access to a given subnet is straightforward. As far as the VPS, it can indeed access that subnet too, since it's acting as part of the subnet, but you can use normal firewall rules on the far side internally to control what can talk to what and how. And in this kind of specific instance the WG is more about controlling public-facing surface area; the Bitwarden/Vaultwarden traffic in flight is itself encrypted.
Second though, having said all that, I think if you're worried about the VPS bit (or even if not) you should take a look at the Nebula SDN [0, 1] instead. It's built on the Noise encryption framework as well. There, the fixed IP node (the "Lighthouse") primarily acts to let other nodes know their mutual addresses, and they then attempt to form a direct link with no bouncing through a bastion; it's a real mesh. This generally works even if both are NAT'd, and if not it's a transparent fallback and still encrypted between them. Depending on distance between nodes this can be a lot lower latency as well. With Nebula you establish an internal CA (super easy built-in tool for it) and that doesn't (and absolutely shouldn't) live on the lighthouse.
I'm fortunate enough to have fixed IPs available to me at home and office and have tended to use WG a lot just because it's had more advanced support and performance in constrained environments for me (kernel support in Linux and now BSDs). Nebula has been super slick though and I've been using it more and more. It makes all this really easy.
Anyway, hope this helps a bit. It's really exciting to me how much open source networking power is now available to everyone. It's a bit of a counter decentralization force IMO to the last few decades push towards central service providers.
Do you use tricks to get https (like it can be done with Tailscale) or do you not bother anymore and rely on the transport encryption layer solely (like wireguard)?
I’m in the process of moving towards putting stuff behind new vpn solutions (Tailscale/ Wireguard in my case). It does feel good to drop https though. Or does it really not matter? What do HNers think?
The easy alternative is to purchase a domain, and use Let's Encrypt to create a wildcard certificate for you. I use the integration with my reverse proxy and it's pretty easy. You want a wildcard certificate because of the Certificate Transparency logs: if you do it by subdomain then the list of registered subdomains will be public.
Certs on multiple devices: you can most likely still use Let's Encrypt as most things nowadays have native integration. Otherwise you'll likely have to do it manually.
I recommend a domain you don't use for other things online
I have my own instance at home as non business user, also residential connection with dynamic IP, and I've picked to connect through ZeroTier, a private VPN based on wireguard
ZeroTier is definitely not based on WireGuard, it's its own custom protocol. Just thought you should know. It's their own and it used to be marketed as "a global network switch", it operates with 2400 MTU and fragments your packets when sending them (because MTU is 1500 on the internet). It also means you can send data over ZeroTier without IP addresses, broadcast and multicast should work too.
However, it's not WireGuard. WireGuard operates on L3, there's no L2 headers, you can't run MPLS over it, you can't add VLAN tags to it, you route all the traffic.
As long as you're not bridging yourself into the ZeroTier network there shouldn't be any issues though, but fragmenting always kills performance.
Aiui, the server's really just a storage backend implementing the correct API - vaultwarden can't really do any harm, it just stores what the client (encrypts and) tells it to. Worst case it doesn't store, and you still (but only) have a copy on the client.
It includes an MS SQL server among other things, so for serving single-digit users it's gonna be heavy. Check out Vaultwarden as an alternative for small-scale self-hosting.
Honest question: do you believe that you’ll be able to guarantee the same/better uptime, performance, and security compared to the SaaS version? Hosting your own password manager seems like something you really shouldn’t do, just like hosting your own e-mail. This stuff is critical to your life.
Better security for sure. Bitwarden is a massive target while I am not. The chance that bitwarden has a databreach is way bigger than the chance that my server gets hacked. No one cares about my server, I am nobody not worth attacking. As long as I don't leave any big holes that can be found by an untargeted attack (which I won't, I run everything behind a personal VPN) it is safer.
You’re probably not worth individually attacking, but a brief look at the failed ssh login logs of any insignificant server shows that you probably are worth automated attacks… so I suppose the question is “Are you more vulnerable due to a) the risk of getting pwnt by an automated attack (due to a misconfiguration or being even a little slow to install a critical patch) or b) due to the risk of bitwarden getting pwnt by a sophisticated targeted actor?”
Further complicating this math is the E2EE nature of it, so it’s not just enough to pwn a server, you’d need to also compromise the client application.
Actually, now that I think about it, if you can compromise the client you don’t even need to compromise the server. I’m not really sure under what scenarios running your own server would protect you in in that case.
> Further complicating this math is the E2EE nature of it, so it’s not just enough to pwn a server, you’d need to also compromise the client application.
The webvault is both a server and a client, and you can't not use it. As soon as you sign into it once (which you must, with the official apps) you have allowed unsigned ephemeral javascript code to run against your decrypted vault.
I can attest to this. I am by no means important and none of the servers that I own have any importance, BUT I have thousands of people trying to remote into the servers every day and also thousands of requests into some of my webservers with things like /admin /phpmyadmin or whatever, you name it.
So yeah even if you aren't a big target then you are still a target for automated attacks as they just pick whatever IPs they can find and try to breach.
Well, based on what everyone fears is happening over at lastpass, attackers just download all the encrypted vaults, then brute force the master passwords.
I have a hard-to-guess master password, but it wouldn't surprise me if they could crack it with a 2026 vintage GPU farm.
Anyone who doubts you should run zxcvbn and more modern entropy estimators against their passwords. Our intuitions are not good. Offering password-based encryption to normal users is borderline unethical.
The Bitwarden webvault infrastructure is a doomsday target. If it's compromised, no evidence of a client backdoor will exist except in the server logs. You can't avoid using it, because you need to sign into the webvault to configure 2FA. Want to change the encryption passphrase? Guess what, you need to use the webvault. Bitwarden's vault encryption is essentially reduced to the security model of TLS.
And? If you don't trust TLS then I assume you don't trust web banking, or purchasing anything over the internet for that matter. Might as well give up on technology and go find yourself a nice quiet pastoral life.
For me personally, I don't actually trust any of that.
Any purchase I do online is done with a virtual card that links to a bank account that only ever has the amount I need to pay for whatever it is I am currently purchasing. That way it doesn't matter if the information is stolen etc. because there is no more money to use and I can cancel the card as easily as I can create a new one.
For banking I also only use my bank's official app. I don't know how exactly it works and I assume it does use some form of HTTP and whatnot, but I wouldn't trust using a bank through the browser as you never know what kind of thing an extension or something has in there.
I trust the cryptography behind TLS. I don’t trust every website using TLS. The difference between end-to-end encryption and transport-layer encryption is the website operator can recover the plaintext. And the point of the comment I responded to was that Bitwarden data is not recoverable. I’m glad that you think E2EE is a waste of effort though.
Following up, I find it funny that this old meme comment thought orders and banking are our most trusted activities, and not our communications and data storage.
"Bitwarden has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. Bitwarden reserves the right to refuse service to anyone for any reason at any time."
Who would trust their passwords to a service with such a clause?
Yup, it's not rocket science if you already run your own services. An entire generation of techies seems to be completely scared of running their own machine and thinks it's some kind of massively difficult task.
Same or better uptime might not be granted, but I've been hosting my instance for quite a bit of time now, and the only downtime I've had were due to my ISP.
I'm using Vaultwarden too (bitwarden_rs when I first deployed it), and have absolutely no complaints whatsoever.
Also, after your device has synced with the server at least once, you can still access and export all your passwords, even if the server is down. This is the main selling point for me: even in a disaster scenario, your passwords are "naturally" replicated.
Mine is exposed behind a reverse proxy, with a subdomain != Bitwarden, and a wildcard certificate. Never seen anything weird in the logs since (before, I had a named certificate including subdomain, and I was seeing regular pokes from unknown IPs, so better be on the safe side)
Again, the main bitwarden instance is a huge target. Mine is just a small instance with less than 10 users, which will probably never encounter a targeted attack.
> Also, after your device synced with the server at least once, you can still access and export all your passwords, even if the server is down. This is the main selling point for me : even in a disaster scenario, your passwords are "naturally" replicated.
Watch out for the browser extension clients though - they're prone to session expiry and insisting you relogin which is a problem if the remote server is down or gone.
Hosting your own is a twenty minute setup, more or less, and $5/mo on Hetzner. Uptime, in my experience, is 5 nines.
With SaaS, I am losing the main reason that I am using Bitwarden - that I don't want the X agency to force Bitwarden to give them my passwords.
And I know that if said agency (it varies by country and target) could definitely hack the VPS if I was important enough, that is not part of my threat profile. Self hosted is far less likely to get auto vacuumed than SaaS data.
>> I don't want the X agency to force Bitwarden to give them my passwords.
Then you do not understand how Bitwarden works.
Bitwarden has the same access to your passwords that Hetzner does, i.e. they have only encrypted access to the binary storage.
The only thing agency X could get from Bitwarden is an encrypted vault that is useless without your master key; all encryption and decryption is done client side. This, by the way, is the same access Hetzner would have to turn over if Agency X asks for a copy of your VM running Vaultwarden.
Those minimums are taken from Docker. The person above asked why they were what they were, I answered. You're just further reinforcing what I explained.
Running something in a Docker container adds very very little overhead - to the point that it's almost immeasurable. The resource utilization is specifically because of the services that have been packaged in the containers.
If you were running the Bitwarden server on bare metal (which you can definitely do), the requirements would still be the same.
HN has reached the point, that it will heavily downvote an objective fact because it goes against the pointed narrative. They took a dependency, copied its system requirements, and someone asks "why?" and that is the actual answer.
A lot of the other answers (multiple Dockers, slimmer image) really address how Docker themselves have these exact system requirements listed, but why do they need to when the point isn't to answer the actual request asked by get lost into a predisposed critique.
If you are looking for something like a password manager but for passkeys, I would like to plug my own product Bulwark Passkey (https://bulwark.id). It allows you to sync accounts across devices and is entirely open source.
Overall, I think what passkeys need right now is more flexibility. Nobody is going to switch to passkeys if they are locked to their Apple account, for example.
Thank you for having an honest FAQ, especially about keys not being backed by hardware and its implications. Some competitors implementing a comparable mechanism have been very quiet about it and have severely undermined my trust in them. Hopefully we'll see OS and hardware vendors provide APIs so that third party passkey managers can leverage secure hardware in the future.
Yeah, trust is a big thing for me when it comes to security software, so I wanted to be upfront about what the software is good/bad against. I personally think that moving away from passwords is worth it, even if the credentials aren't stored in silicon, but I can appreciate those people who want their keys stored as securely as possible.
Admittedly I've done a little research, but every time I read about it I don't understand how passkeys/FIDO/Yubikey work. Is it guaranteed that all the services I use support passkey/Yubikey/FIDO? If not, what should I do? Have some of the services in a passkey/FIDO/Yubikey (like yours) and the remaining in Bitwarden or another password manager?
Can someone ELI5 how this works? I went to fidoalliance.org and honestly, I didn't understand a thing. I still don't understand Yubikey and its MFA; it feels so cumbersome and a huge PITA to do it every time. Am I missing something? My workflow now is: CMD+SHIFT+L, enter master-password once and that's it for the current OSX login session. Will Passkey or FIDO or Yubikey improve this speed of interaction?
Passkeys are still pretty new, and only some websites support them so far, though many are adding support right now. You can take a look at https://passkeys.directory for a list of major websites that support it.
At least with Bulwark Passkey, it's a separate app that you only have to log into once when you open it. Then, when logging into a website, you hit Approve on the app and it should just work. Speed-wise, it should be about similar to an optimized password flow, but security-wise it will be much better since you can't phish passwords from it.
When my subscription renewed last month I did a double take when I saw it was only $10. Had completely forgotten how cheap it was. Hopefully the recent VC cash injection doesn't massively inflate that.
This is a really great user experience. One thing I wonder about is if people start logging in without their password all the time, will they slowly forget what their password is over time?
Partly to force memory reinforcement, I set the password cache time of gpg-agent on my machine to 24 hours maximum. Thus I have to enter my password once a day, which helps me to remember it; but it isn't overly burdensome.
That's exactly what happened when I configured the LastPass browser extension to remember my password. I needed it to switch USB security keys and had no idea what it was.
The saved password in my other browser's extension saved me.
My master password is "public" (I put it in a mail draft, also a note on my phone and printed it out on a piece of paper, just to be sure), and I have 2FA enabled via Yubikey. I never really understood why I had to always provide my master password anyway when logging in even on a trusted device, as the whole point of a password vault is to no longer have to remember any passwords... but we are getting there, eventually.
I'm not sure what service you're using, so this might or might not apply to you:
Consider that some password managers use MFA to allow you to connect to their online service that will download a synced, encrypted copy of your password vault, but the vault itself is only wrapped with a key derived from your master password.
If someone was to obtain a copy of your vault, decrypting it would be trivial with a weak or compromised master password in that case.
CTAP supports an extension called hmac-secret that would allow you to encrypt your vault, which would mitigate this issue (while potentially introducing others; for instance, hmac-secret does not require user verification, so anyone with your Yubikey could decrypt it). Of course there are other mechanisms to encrypt a vault other than a key derived from a password that you can use with a Yubikey, like PGP, but I don't know of any commercial password manager that does it that way.
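Added example, not Bitwarden's, Yubico's or any vendor's code, contrasting the two wrapping models described in this comment and the "download the vaults, then brute force the master passwords" concern in the LastPass sub-thread above: a vault key wrapped only under a password-derived key can be attacked offline once the ciphertext is copied, while a key-encryption key obtained hmac-secret style from a device secret cannot be guessed from passwords at all. The hmac-secret call is a stand-in (plain HMAC over a device secret), the wrapping is a toy encrypt-then-MAC, and the KDF iteration count, attacker hash rate and passphrase vocabulary are assumed numbers.

```python
import hashlib
import hmac
import os
from typing import Optional, Sequence, Tuple

# Assumed parameters for illustration only; real password managers pick their own.
KDF_ITERATIONS = 100_000
ASSUMED_ATTACKER_RATE = 1e10  # PBKDF2-HMAC-SHA256 iterations/second, assumed GPU budget


def password_kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key derived only from the master password (the model in the comment)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS)


def hmac_secret_kek(device_secret: bytes, salt: bytes) -> bytes:
    """Stand-in for the CTAP hmac-secret extension: the authenticator returns
    HMAC(device_secret, salt) and device_secret never leaves the key.
    Constructed simplification, not a CTAP implementation; note that without
    user verification anyone holding the key can obtain this value."""
    return hmac.new(device_secret, salt, hashlib.sha256).digest()


def wrap_vault_key(vault_key: bytes, kek: bytes) -> Tuple[bytes, bytes]:
    """Encrypt the random vault key under the KEK. Toy encrypt-then-MAC with a
    hash-derived keystream; a real implementation would use AES-KW or AES-GCM."""
    stream = hashlib.sha256(kek + b"wrap-stream").digest()
    ciphertext = bytes(a ^ b for a, b in zip(vault_key, stream))
    tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unwrap_vault_key(ciphertext: bytes, tag: bytes, kek: bytes) -> Optional[bytes]:
    """Return the vault key, or None when the KEK is wrong (tag check fails)."""
    if not hmac.compare_digest(tag, hmac.new(kek, ciphertext, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(kek + b"wrap-stream").digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def offline_password_guessing(stolen: Tuple[bytes, bytes, bytes],
                              candidates: Sequence[str]) -> Optional[str]:
    """What a copied encrypted vault allows: every candidate master password is
    run through the KDF locally, with no server-side rate limit in the way."""
    salt, ciphertext, tag = stolen
    for guess in candidates:
        if unwrap_vault_key(ciphertext, tag, password_kek(guess, salt)) is not None:
            return guess
    return None


def passphrase_guess_space(word_count: int, vocabulary: int) -> int:
    """Guesses needed when the attacker knows the structure (e.g. counted the
    spaces by ear, as mentioned further up) and the vocabulary the words come from."""
    return vocabulary ** word_count


def years_to_exhaust(guesses: float, iterations: int = KDF_ITERATIONS,
                     rate: float = ASSUMED_ATTACKER_RATE) -> float:
    """Time to try every guess: each guess costs `iterations` hash operations."""
    return guesses * iterations / rate / (365.25 * 24 * 3600)


def demo() -> Tuple[Optional[str], Optional[str]]:
    vault_key = os.urandom(32)
    salt = os.urandom(16)
    wordlist = ["password", "letmein", "hunter2"]  # constructed attacker wordlist
    # 1) vault wrapped under a weak master password only: recoverable offline
    ct, tag = wrap_vault_key(vault_key, password_kek("letmein", salt))
    recovered = offline_password_guessing((salt, ct, tag), wordlist)
    # 2) same vault wrapped under an hmac-secret style KEK: password guesses never apply
    device_secret = os.urandom(32)  # would live inside the authenticator
    ct2, tag2 = wrap_vault_key(vault_key, hmac_secret_kek(device_secret, salt))
    not_recovered = offline_password_guessing((salt, ct2, tag2), wordlist)
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('letmein', None)
    # four words from an assumed 7776-word list, known structure, assumed attacker budget
    print(f"{years_to_exhaust(passphrase_guess_space(4, 7776)):.0f} years")
```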
You bring up good points: ideally, there would be no need to remember a passphrase at all! Especially since the passphrase has to be long and unwieldy in order to be resistant to offline dictionary attack.
The thing I worry about is that the security of the passphrase is only as secure as the mechanism guarding it. If it's written on a piece of paper, then how is the paper secured? It could be put in a vault, but then the vault itself is a conspicuous target for thieves. Hiding the paper somewhere is probably pretty reasonable, but if it's too well hidden, it could get forgotten or accidentally thrown out over time.
I use a YubiKey as well as an ultimate backup, and it has a PIN code mechanism that will lock after a few incorrect attempts, so that is a reasonable tradeoff for security and usability I feel.
I wonder if the best solution is to have a distributed copy of a recovery passphrase to friends and family. Then separately have a distributed copy of the vault itself (in my case, it's GPG-protected Password Store). This must have been an area of study already, I need to do some research!
How long before you need 3 devices to log into something?
Like the other commenter I don't want or need MFA. It's more complicated and a pain to use. Just seems like a convenient opportunity for online companies to gather more data points about you. Keepassxc with a key file is still going strong for me. You've no need for my phone number! And I don't want my device linked to any account.
Hopefully you can turn this off. I've seen cases where attackers enter an email address and just keep spamming the login form until the owner accepts the notification. Obviously 2fa would help here but not everyone uses that.
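An added example, not from the original thread, of how a service can spot the push-prompt spamming this comment describes: count prompts sent per account in a sliding window over a constructed authentication log (the log format and event names are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<timestamp> <account> <event>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice push_sent
2024-05-01T10:00:20Z alice push_denied
2024-05-01T10:00:25Z alice push_sent
2024-05-01T10:00:41Z alice push_sent
2024-05-01T10:01:02Z alice push_sent
2024-05-01T10:01:30Z alice push_sent
2024-05-01T10:01:55Z alice push_sent
2024-05-01T10:03:00Z bob push_sent
2024-05-01T10:03:09Z bob push_approved
2024-05-01T14:10:00Z bob push_sent
"""

def push_flood_accounts(log_text, window=timedelta(minutes=5), threshold=5):
    """Accounts that received at least `threshold` push prompts inside any
    sliding `window`, mapped to the highest count seen. A legitimate user
    rarely triggers more than a couple of prompts in a few minutes, so a
    flagged account is a candidate for throttling prompts and alerting."""
    sent = defaultdict(list)
    for line in log_text.splitlines():
        ts, account, event = line.split()
        if event == "push_sent":
            sent[account].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for account, times in sent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop prompts that fell out of the window
            count = end - start + 1
            if count >= threshold:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged
```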
If the computer is compromised or backdoored, it will have access to private keys for websites that I access on that computer, one per touch, not the database of all private keys.
For example, I may not connect my Yubikey to some computers at all.
Hardware keys are made not to give out secret keys without physical touch.
Firmware in a Yubikey is not updated, unlike over-the-air phone updates.
Bitwarden can't import my ssh keys from lastpass export <facepalm>
It says: [1198] [SecureNote] "username id rsa ssh": The field Notes exceeds the maximum encrypted value length of 10000 characters. But this id_rsa has only 1415 characters.
1password has imported csv as well without any issue or alert.
But to secure my hardware security key I need a PIN too; otherwise anyone can just borrow it. Also, I still need a backup in case I actually lose it somewhere. And when I get recommended to reinstall my browser to fix a problem and I accidentally delete my profile, I might lose access to accounts.
PassKey is great but also may cause vendor lock-in looking at Google and Apple in particular.
Does anyone have any insights into how enterprises will be managing passkeys for corporate accounts, given the potential of creds being leaked to potentially compromised devices?
A compromised Apple developer account login pushing out a compromised Bitwarden mobile app to the Apple App Store that steals everyone's master passphrases.
If the Bitwarden developer account is compromised, one can indeed send an app that steals the passwords. But the devs would (most likely) see that someone else is pushing updates, and that would be the end of Bitwarden, so you can consider it is their job to not let that happen :-).
This is not specific to Bitwarden though, it's the same for all apps. Now because Bitwarden is open source, you can actually compile and install it yourself (if you're confident that the sources you are compiling are the legitimate ones, and not a fork that will steal your passwords ;-)).
Same applies for e.g. Signal Messenger: since it's difficult to check what version of the code is coming from your store, you can always compile it from source and install it yourself.
That's an app store issue, but to follow up, Bitwarden is open source, so you could verify the checksums and compile it yourself if you really wanted to be dead sure.
Yes, and worth every penny in my experience. It's really a great app, and a great service.
Happily paid my $10 after using it around the office for a few months (paid Teams account).
We came from KeePass, so the whole cloud thing was new. But it's "just worked" remarkably well.
The multiple-profiles feature was a game changer: being able to access both my work credentials and personal credentials from the same app, while keeping them entirely separate, is really nice.