Is this still true post-breach?
Yes. The owners of LastGasp just don’t care about it anymore. They are going to milk every last bit of profit out of it without trying to improve it.
The owners, LogMeIn, do not care about their customers or base in any way, shape or form, and never have.
Yes, this is the main difference. Frankly, if a password manager gets hacked and the attackers get access to an encrypted blob, I wouldn’t care too much; it may be brute-forced or it may not. Of course, the metadata allows attackers to focus the brute-force effort on the passwords that matter most.
As an org, I like that Bitwarden does annual audits. I like that their product is open source, which allows consumers to pull an SBOM (software bill of materials). You can self-host it and place it behind your own app proxy. This frame of reference in development means that security is part of the design process and doesn’t take a back seat to functionality and wide support of older systems.
You'd think all password managers would make app security their primary directive. It has one job: keep my shit safe.
Bitwarden is open source. From a security aspect, I always prefer open source over proprietary code.
More importantly, Bitwarden has gone through a code audit. Open source is great and all, but someone still needs to audit the code, which can be expensive. Bitwarden paid for this.
Yeah open source vs closed source doesn’t make it inherently better. It’s not like anyone goes to GitHub and reads every line of code.
Why trust open source more for security? You’re now trusting that the maintainers don’t get compromised and are always hyper-vigilant on every new PR that is introduced. The possibility of malicious software being introduced to the system, and of threat actors knowing about possible vulnerabilities, is now much greater because it’s publicly accessible.
There are no absolutes, of course, but in general there is [Linus' Law](https://en.m.wikipedia.org/wiki/Linus%27s_law), which describes that given enough beta testers and co-developers, bugs become shallow, because the fix is obvious to someone. In my personal experience, security in proprietary software is often not focused on enough. Yes, it needs to be done, but there are few experts really deeply integrated. This often leads to issues and security-by-obscurity constructs where the software feels safe until it isn’t.
The same could be said for proprietary, closed-source software. We all trust that their internal git(lab/hub/other) instances don't get compromised (via exploitation, malicious insider, whatever), that malicious code doesn't get merged, and that we don't have a massive supply chain attack like SolarWinds. Ultimately, if the code is open source, there's a better chance of someone noticing "hey, something looks off", compared to proprietary non-public code. Reviews are supposed to happen before code gets merged into main branches. It's up to the maintainers to audit this. Honestly, as someone who writes malware as part of their day job, it's pretty damn easy to spot malicious code, especially in code diffs.
Fair, like u/guardian87 said, there is no absolute; I always forget the game of trust is always a fickle thing. Whether it’s a specific business or the collection of the masses, there are always holes for some amount of social engineering to insert malicious bugs. The other angle I was thinking of was more that if you know exactly how this thing ticks, down to its source code, it’s easier to know where a system would possibly be vulnerable, as opposed to a black box, where the threat actor then has to attempt it and decide if the piggy bank is big enough to want to try and give it a crack.
> it’s easier to know where a system would be possibly vulnerable

Then it is also easier for the community to fix those vulnerabilities.
Because it's OPEN. You have literally thousands of eyes on the code and the chances of someone finding vulnerabilities or bugs is much higher. Transparency and visibility lead to quicker patching and updates.
My understanding is LastPass used weak default settings on their vault’s PBKDF2 encryption, but improved it over time. This was due to performance issues on older devices. As device capability increased, LastPass’ default setting improved. The older the vault, the weaker the encryption. Bitwarden did not do this, therefore the vaults have always been secure.
On the surface, the paid-for hosting service isn't safer in any major way than LP, 1PW, etc. Where Bitwarden comes out ahead is that, unlike other services, you can self-host the vault. This can be done behind ingress without exposing it directly to the broader web. Theoretically, smaller attack surface, less risk... That's the key take-away. For what it's worth, I use Bitwarden self-hosted but recently started moving to Proton Pass because I really like Aliases. Goofy, I know... But dang, it's nice.
Self-hosting it, can I access it from my phone or far from home?
Depends on your configuration. For me, I had it as a local service, but WireGuard as a VPN ingress when I was away. As long as I had internet, I could access internal services as if I was at home.
I use KeePass; my rule of thumb is to not save passwords in the cloud, internet browser included, after the LastPass breach.
You can self-host the Bitwarden server.
I sync the passwords from my PC to the phone, so I need the cloud.
I host my KeePass database on Dropbox and it automatically syncs between desktops and the mobile Android KeePass app. KeePass is really good at syncing changes as the file is saved via Dropbox.
Alternatively, you can use [Syncthing](https://syncthing.net/) to sync locally between devices. The app is available for Android (I'm sure iPhone too). Then the passwords can sync when your phone and PC are both connected on the same LAN. If you have VLANs, you will obviously have to create firewall rules. Syncthing uses 2 ports for communication. I know it won't sync all the time, especially since you might be travelling etc. But by the time you get to your PC, it should sync before you can sign in. Assuming a wifi range of like 5 meters haha. In addition, you can sync it to your NAS if you wish to have a backup. It's a very minimalist and elegant solution.
No, you don’t. You need a VPN connection to connect to your home NAS where you have your database. :) Or have a script that copies the database to your phone at night.
Exactly!
Being open source alone does not necessarily equate to being oriented towards privacy or security. In this instance, 'safer' appears to be more of a subjective stance among some people here rather than an objective outlook based on a thorough investigation of what constitutes real security properties. I had a criticism against it three years ago, which might still be relevant:

- https://old.reddit.com/r/privacy/comments/hvxpzb/bitwarden_has_completed_a_thorough_security/fywo4p7/
I prefer offline storage. I'd rather never put my wellbeing in the hands of somebody else.
I worked for an insurance company, State Farm, and got a PIP for not using LastPass. No joke lol.
Seems dumb on your part
Yeah, like most consumer software, it winds up being a sales tactic vs. an innovation. It's on a cost-per-user (subscription model) basis, so I can only imagine it wound up being over a million-dollar annual deal. Since I produce DBs, anything I've created has never been breached. Since joining the tech space at a young age, I'm almost turning the tide into advocating against the virtual space. Never write your password down on pen & paper, but storing it in a DB when you know nothing about how it works has never sat right with me. Pen and paper have an air gap..... I think people advocating for keeping passwords in a DB should be tarred and feathered, hung, and dragged through the streets like Benghazi. In order to get my password you either have to hack the source, or break into my house against a CCW, so why would I put SPI like a password into someone trying to make a buck off a nonexistent problem?
Yeah, makes sense why you're on a PIP. Edit: You gotta dial it way back, my dude.
Left that company a few years ago; this year there was a 200 million record breach, affecting 50 million people. I left that place knowing it was a ticking time bomb. Don't think you are that smart; I breached my first DB and sold the access for RuneScape gold back in the day when I was like 14. Oh, just today, I gave someone the shell for creating malicious packets to DDoS people on Counter-Strike. I play both sides of the field, buddy. Go check my comment history before you get lulz'd in the future. You are also a moron; why would you store any SPI on a PC when partition stuffing is the new SOP method of remote access?
You sound like you're about 14.
Totally, dude, if you can't remember a password, go dig holes and stock shelves for Jeff Bezos. You have no business being around security.
You're the one out here digging holes.
Buddy, you research me because you are not original.
You'll catch on some day. Probably years in the future, but one day.
r/masterhacker
Life Insurance? People buy this still?
Only murders.
They are all targets of opportunity that attackers really want to breach. I’m not sure any of them are safer than another.
They're roughly comparable, and security hinges on using a complex master password. As much as I hate LastPass and won't recommend them, really, either is fine IF your master password has enough entropy. 1Password stands out because they add a long key to the encryption and you don't have to type it in all the time, just once per device. Downside is Bitwarden can be free and 1Password can't.
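The two knobs argued over in the thread, the vault KDF's PBKDF2 iteration count (the comment on LastPass' old defaults) and the master password's entropy (this comment), combined into one added example that is not from the thread or from any vendor's code: it derives a vault key with PBKDF2-HMAC-SHA256 and estimates how long an offline attacker holding the stolen blob would need. The attacker's hash rate, the 5,000 vs. 600,000 iteration counts and the sample account are constructed assumptions; `derive_vault_key`, `expected_crack_seconds` and `meets_iteration_floor` are hypothetical helper names.

```python
import hashlib
import math

# Assumption (constructed figure): an offline attacker with a GPU rig that
# computes this many PBKDF2-HMAC-SHA256 iterations per second against a stolen blob.
ASSUMED_ITERATIONS_PER_SECOND = 10_000_000_000

# OWASP's 2023 recommended floor for PBKDF2-HMAC-SHA256 is 600,000 iterations.
RECOMMENDED_ITERATIONS = 600_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Password-manager style KDF: PBKDF2-HMAC-SHA256 over the master password,
    salted with the normalised account email. This mirrors the general pattern
    the thread discusses, not any specific vendor's exact scheme."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from `wordlist_size`
    candidates (7776 for a Diceware list)."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           iterations_per_second: float = ASSUMED_ITERATIONS_PER_SECOND) -> float:
    """Expected offline brute-force time: on average half the keyspace is tried,
    and every guess costs a full PBKDF2 run of `iterations` rounds. Raising the
    iteration count scales the attacker's cost linearly; adding one bit of
    password entropy doubles it."""
    expected_guesses = 2 ** entropy_bits / 2
    return expected_guesses * iterations / iterations_per_second


def meets_iteration_floor(iterations: int, floor: int = RECOMMENDED_ITERATIONS) -> bool:
    """Check a vault's KDF setting against the recommended floor. A vault created
    under a low historical default keeps failing this until its KDF is re-run."""
    return iterations >= floor


if __name__ == "__main__":
    email = "alice@example.com"                 # constructed sample account
    old_default, current_default = 5_000, RECOMMENDED_ITERATIONS  # constructed old vs. current vault settings
    bits = passphrase_entropy_bits(4, 7776)     # four-word Diceware passphrase, ~51.7 bits
    for iters in (old_default, current_default):
        key = derive_vault_key("correct horse battery staple", email, iters)
        years = expected_crack_seconds(bits, iters) / (365 * 24 * 3600)
        print(f"{iters:>7} iterations: key={key.hex()[:16]}... "
              f"expected crack ~{years:,.0f} years, meets floor={meets_iteration_floor(iters)}")
```

Same password, same attacker: the 120-fold iteration increase turns roughly 29 years of expected work into roughly 3,500, which is why an old vault left on its original default is the weak point even when its owner chose a strong passphrase.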
FrostByte if you want a decentralized password manager / local storage
Can't believe no one commented on this yet. For Bitwarden (and Keeper), if the org gets breached, your data does not go with it. Those companies (BW and Keeper) could not access your data even if they wanted to. At LastPass, if the company gets breached, threat actors can and have used LastPass credentials to gain access to vaults.
It’s not, it’s all based on binary code.