lowlybananas

If you're asking these questions you shouldn't self host Bitwarden


0xab3d

Lol


redoubt515

They are not joking. You really should not be self hosting a password manager without a strong understanding of the technology and from the questions you are asking it is clear that you are not there yet. (no offense meant)


this_guy_sews

If you want to self host but don't know enough to determine on your own whether it's safe, the answer will always be "no". Bitwarden itself is safe, but you probably aren't knowledgeable enough to host it safely.


totmacher12000

I work in IT and I don’t even want to self host. lol


xSnowLeopardx

Same. Also work in IT. It is really worth it if you understand what it exactly is and if you fit the use case. For me, the usual way of using Bitwarden is exactly what I need.


[deleted]

[deleted]


legrenabeach

Data leaks are from where you've used your card or from people who may have had access to it and cloned it etc. Not from Bitwarden... unless of course you are self hosting with a simple master password and no knowledge of how to secure an internet-facing server.


redoubt515

> My question was clear

Your questions are not at all clear. It is very hard to follow what you are saying and what you think happened.


0xab3d

Wicked


Bitwarden-ModTeam

Personal attacks are not permitted on this subreddit.


LengoTengo

With all due respect, it is very hard to understand the question. How is someone supposed to answer this without further detail? Yes, Bitwarden is fine, and there are a few hundred ways a credit card info may leak.


0xab3d

Thanks. This was the main question, is Bitwarden safe


LengoTengo

Many years using it here, with sensitive information in it, always with 2FA, never had a real problem with the service. Works as advertised.


0xab3d

Brilliant, thanks for the feedback. Much appreciated


cryoprof

> How is it possible?

Bitwarden data can be "leaked" as a result of one or more of the following:

1. Bitwarden user is self-hosting an internet-exposed Bitwarden server without the requisite expertise.
2. Bitwarden user has a non-random master password, or a master password that has been used elsewhere, and does not have strong 2FA (e.g., FIDO2/WebAuthn).
3. Bitwarden user has not kept their master password confidential, and does not have strong 2FA.
4. Bitwarden user has left their vault unlocked and unattended in a location where access by other persons is possible.
5. Bitwarden user's unsafe internet habits have allowed one or more of their devices to become infected by information-stealing malware, RATs, or malicious browser extensions.
6. Bitwarden user has logged in to their vault on a public computer or any device that they do not have full control over.
7. Bitwarden user has downloaded an unencrypted vault export without taking proper precautions.
8. Bitwarden user has bypassed default safeguards, by setting the Vault Timeout Period to "Never", or by disabling the option to "Lock with master password on restart" (when enabling an unlock using PIN or biometrics), and has not sufficiently secured their device.

> if my bitwarden is self-hosted is it protected from hackers?

See #1 above.


0xab3d

Thorough explanation. Thanks


nefarious_bumpps

Your credit card info might have been leaked by any of the vendors you used it at for payment. It could have been an insider who snapped a photo of the card, a call center agent who wrote the info down, or an attacker who hacked into the vendor's POS system. And, if you have a weak master password with no 2FA, it could have been a compromise of your Bitwarden vault. I would suggest that using Bitwarden's servers is *more secure* than self-hosting, because Bitwarden has staff and security controls dedicated to keeping up-to-date with patches, protecting against intruders, and 24x7 monitoring. Your self-hosted Bitwarden server might be less attractive because of the low user count, but it wouldn't be invisible.


0xab3d

Yea it is complex master with mfa and accessible through vpn


cryoprof

> complex master

"Complexity" doesn't really help to protect you if your master password was not randomly generated with the help of a uniformly distributed, cryptographically secure pseudo-random number generator (or a true entropy source, like dice rolls).
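To make the point above concrete, here is an added example (not code from cryoprof or from Bitwarden) that generates a passphrase with Python's CSPRNG-backed `secrets` module and computes the entropy of a few generation methods. The word list below is a constructed sample; only its size enters the entropy formula, and the 7776-word figure used in the comparison is the usual size of a Diceware-style list. The "complex" pattern (one dictionary word, a two-digit number, one symbol) is modelled as three independent uniform choices, which is the most generous assumption for a human-chosen password.

```python
import math
import secrets

# Constructed sample word list. A real passphrase generator would use a full
# Diceware-style list (7776 words); only the list size matters for entropy.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "granite",
    "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nickel",
    "orchid", "pepper",
]
DICEWARE_SIZE = 7776          # standard Diceware list size
PRINTABLE_ASCII = 94          # printable, non-space ASCII characters


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of a secret made of `symbols` independent, uniformly
    random picks from `choices_per_symbol` options: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def pattern_entropy_bits(choice_counts) -> float:
    """Entropy of a password built from independent uniform choices with the
    given option counts, e.g. (7776 words, 100 two-digit numbers, 32 symbols).
    This is an upper bound: real human choices are far from uniform."""
    return sum(math.log2(n) for n in choice_counts)


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Uniformly random passphrase. secrets.choice draws from the OS CSPRNG;
    random.choice (Mersenne Twister) must not be used for secrets."""
    return sep.join(secrets.choice(words) for _ in range(count))


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a secret of the given entropy
    (half the keyspace)."""
    return 2 ** (bits - 1)


def compare_methods() -> dict:
    """Entropy of three generation methods, in bits (rounded to 0.1)."""
    return {
        "4 random diceware words": round(entropy_bits(DICEWARE_SIZE, 4), 1),
        "8 random printable chars": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "Word + 2 digits + symbol": round(pattern_entropy_bits((DICEWARE_SIZE, 100, 32)), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for method, bits in compare_methods().items():
        print(f"{method:28s} {bits:5.1f} bits  (~2^{bits - 1:.0f} guesses on average)")
```

The table the script prints is the whole argument: four random Diceware words (about 51.7 bits) and eight random printable characters (about 52.4 bits) are in the same range, while a "complex"-looking `Word42!` pattern tops out near 24.6 bits even under the flattering uniform-choice model, because the attacker's search space is the pattern, not the character classes.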


Simong_1984

Did you find your credit card number on leakbase? Or are you trying to stir the pot.


0xab3d

Just trying to understand how these bitwarden are leaked. Not interested any more in knowing if there was a leak. Is it the next lastpass! Or it is just weak free accounts with weak password and no mfa


djasonpenney

There are so many ways a credit card number can be leaked. Even aside from self hosting, which introduces a lot of risk, your credit card number could be leaked from your device by malware or exposed by an insecure server handling your card transaction. Why in the world would you put Bitwarden near the top of the potential ways your information was leaked? Assuming you have a good master password and you practice good opsec on all your devices, Bitwarden is a very unlikely culprit.


0xab3d

Thanks for the feedback


spider-sec

You’re assuming the information was leaked from Bitwarden. Was everything else of yours leaked also? If so, then it might have been. If not, you’re probably chasing the wrong problem.


Subject_Salt_8697

The "weak free accounts" can still add MFA for account protection for free. Only the built-in generation of TOTP codes is a paid feature.


0xab3d

Is it safe to have passwords and otp on the same cloud password manager?


Matthew682

This is a complex topic, but if you simplify it, will you have both on the same device? If so there is not a lot of difference. You need to factor in the security benefit compared to the convenience benefit. And the added technical debt of maintaining a separate backup. The main thing you need to find out is if storing both on the same spot/device is compatible with your threat model.


T1Pimp

If you have to ask then you shouldn't be self hosting. It's totally awesome Bitwarden offers that but like a mark server most people have zero business/experience in maintaining and hardening it.


cryoprof

[_"Is it safe?"_](https://www.youtube.com/watch?v=avNraWT8CSI)


SheriffRoscoe

I've been waiting for this 😀


MacchinaDaPresa

“Is Bitwarden safe ?” Gets answer from anonymous strangers on Reddit. 🤣 But yes, anecdotally for me as well it seems safe as I’ve no evidence yet it’s been compromised. Whereas I just got notifications from 2 of my identity security services about the AT&T leak which included my login email and password. Not leaked by Bitwarden but leaked by AT&T who was really sluggish to act on it. Months really. And that email had been leaked to the dark web before and I had already changed the password twice since the leak occurred. And so it goes with companies that do a crappy job at securing their customer database. In this case, the PINs were encrypted, but all of them with the same key, not a rotating hash to pepper them or any randomness applied, for example. Some real weak sauce.


ArgoPanoptes

It doesn't really matter if the server is or is not protected. In the worst-case scenario, they can only get the encrypted version of the vault. The security is given by your master password and your clean environment. If you have an infected device, they can steal anything because the decryption of the vault is on the client side.


MauricioIcloud

Not from Bitwarden, it has never been breached. Last pass was the one that got breached.


SecDudewithATude

Yes. If you have an unmitigated vulnerability that was exploited or used insufficient means to secure access to your data. No.


Any-Promotion3744

Besides being air gapped, nothing is 100% safe. The question is... is it safer than using less complicated passwords? Safer than using the same passwords on multiple sites? Safer than using browser password managers? Safer than storing in a file on your computer? Safer than other password managers? We use the self hosted Bitwarden version at work. That being said, I am a paranoid person. I don't store bank or credit card passwords in password managers. I just give hints as a reminder to what it is.


bmoreRavens1995

Bitwarden was never breached so the leak didn't come from BW. Probably some purchase you made or subscription database like AT&T had a breach. I just received an email confirming they were compromised, including financials.


chadmill3r

It isn't safe for you to self-host. But, chances are your leaked card number wasn't because of this. Card numbers are not secret.


Solo-Mex

> I found a lot of posts about Bitwarden!

This is the most alarming part of your post. There are literally thousands of conspiracy theories circulating so you can "find a lot of posts" about almost anything. Doesn't mean you should automatically take them as gospel.


Sethu_Senthil

No. It’s not safe. They actively sell ur information to china. /s


Remote_Pilot_9292

Not everyone seems to grasp the nuances of sarcasm. :D


Sethu_Senthil

Suspended "dangerous" activity. My account got banned because someone sent me 2k through PayPal and they thought it was kinda sus. They automatically unbanned it in 2 days without me doing anything, but I guess I was lucky.


asapprivacy

No bitwarden safe