Bitwarden safety

RuedigerJoe

hey @ all,

im new to password managers and ofc Bitwarden is a quit famous option. can someone tell me the do's and dont's with this one, its limitations in privacy and security. any information is welcome. thanks in advance!

Ruediger

edit
maybe, if there're strong criticisms towards this exact pw manager, an alternative would help!

Eagle_Owl

RuedigerJoe
Hi RuedigerJoe,
I don't know what „im” and “ofc” mean (typos?), but Bitwarden is an excellent password vault.
For individuals and private use it's free of charge, but not limited in functions a private person needs.

Tip: if you want to use it on servers not in the USA, then go slowly through the registering process and change the server location first, which is hidden on their website: search for “Server: bitwarden.com”, it is a pull-down menu!
There is the option to select a server in Europe! This can easily be overlooked!
By clicking on this pull-down menu it appears the second choice: “Server: bitwarden.eu”

But with a secure master password, it doesn't matter on which server the encrypted password vault file is stored anyway. I just wanted to mention it because it is important to some people.

Bitwarden is the only open source password vault that is available for all common platforms, so whether Android OS, iOS, Windows, macOS, Linux, web browser – one password vault for all devices.
Good if you use different operating systems or want/need to switch in the foreseeable future.
Full administration of the password vault is possible online via the web browser, where you can also activate 2FA (yes, even for the free version!).

2FA: You should also use this urgently, because if you really do use a master password that is cracked, the attacker also needs the second factor – he doesn't have it, so you'll still be safe.

As best apps for 2FA, I recommend Aegis Authenticator (Android OS) and OTP Auth (iOS).

A big advantage of Bitwarden in comparison with other online solutions:
Also the meta data are encrypted!

I am using Bitwarden since March 2023 and I am very happy with it!
Previously, I only used offline solutions (iOS/macOS: Strongbox, Android: KeePassDX).
– Also excellent, but as soon as you want to set up several user profiles in GrapheneOS or simply use many devices with passwords, Bitwarden is much more convenient and still secure. And it's easier to keep track of hundreds of credentials.

Phead

RuedigerJoe
I had good experiences with it and nothing to complain about. It's available as browser extension for all major browsers so you can use it on any desktop OS as well.

However, I switched to Proton Pass recently since I am using their other services anyway and wanted to reduce the amount of parties and I have to trust in one way or another. There are sometimes problems with autofill but I accept that in exchange for peace of mind.

DeletedUser115

RuedigerJoe Bitwarden is generally regarded as a good password manager that is reasonably secure.

One tip - try to avoid using Web Vault (Bitwardern's web app) to the extend possible. Its TLS is terminated on Cloudflare which means you have to trust them as another party.

N1b

RuedigerJoe The user Eagle_Owl made an excellent review which I agree 100% to, when it comes to convenience plus privacy and security, there's no better password manager than Bitwarden in my opinion.

They have one special feature that I'm missing everywhere else and only few people talk about: Emergency Access. In other password managers, if you need to prepare people to access your vault (e.g. in case you die), you'll have to trust them with your login credentials. 1password let's you print out an access key but that's pretty much the same thing, whoever gets that paper will access your vault.

Bitwarden allows (for premium users) to set up the account in a way that specific other Bitwarden accounts (free ones included) can request to access all or some of your passwords. Now you have to accept or deny that request it in your account, but if a certain time passes without reaction, the request will be accepted automatically. I have set up 2 weeks for my account. So if I die or something else happens that incapacitates me, my wife can ask for access and after two weeks she gets everything she needs to continue my business or access my funds. If some attacker would try to get into my account via emergency access, I'd see it and deny it within 2 weeks. It's a genius concept and I wonder why nobody else is offering it (at least no one I would trust).

antsyboy

Just clarifying your confusion with what you thought were typos. I am not intending to add to this conversation as I am not qualified to talk about the security of password managers, but I have had a really good experience with Bitwarden and have even swapped back from it after using other options like KeePassXC.

Eagle_Owl I don't know what „im” and “ofc” mean (typos?)

"im" Is a misspelled version of "I'm" that is perceived as more casual, and used in places where less formal communication and things like proper capitalization / grammar are not focused on as much, such as in texting between close friends.
"ofc" Is an abbreviation for "of course" also commonly used in less formal contexts such as texting.
Hope this helps!

RuedigerJoe

Eagle_Owl Tip: if you want to use it on servers not in the USA, then go slowly through the registering process and change the server location first, which is hidden on their website: search for “Server: bitwarden.com”, it is a pull-down menu!
There is the option to select a server in Europe! This can easily be overlooked!
By clicking on this pull-down menu it appears the second choice: “Server: bitwarden.eu”

Thanks! Would this still be possible after registration? I wouldnt count myself AS one of those folks, who actually need this (not the thread model) but some extra percaution never hurt anyone...

RuedigerJoe

Eagle_Owl Tip: if you want to use it on servers not in the USA, then go slowly through the registering process and change the server location first, which is hidden on their website: search for “Server: bitwarden.com”, it is a pull-down menu!
There is the option to select a server in Europe! This can easily be overlooked!
By clicking on this pull-down menu it appears the second choice: “Server: bitwarden.eu”

ok, so just for clarification:
i deleted my old account and started a new one on EU servers, since i couldnt find the option afterwards.

patienttruth99

Eagle_Owl great write up!

Is there any reason that Aegis seems to be the prevailing recommendation over andOTP for Android?

RuedigerJoe

antsyboy "im" Is a misspelled version of "I'm" that is perceived as more casual, and used in places where less formal communication and things like proper capitalization / grammar are not focused on as much, such as in texting between close friends.
"ofc" Is an abbreviation for "of course" also commonly used in less formal contexts such as texting.

Thanks for clarifying :)

Thanks to everyone! This was the push i needed to go that route aswell. Will do some more research, but feel much more educated now.

[deleted]

Phead I would rely more on compartmentalization rather than putting all my eggs in one basket, however good it may be. I don't use password manager (yet), one party less to trust. Wherever I can, I try to go local instead of using online services (talking Proton Drive and Calendar), fewer interested parties and passwords to remember.

Phead

[deleted]
True, I've been using KeepassDX and Aegis for a while but it was increasingly difficult to switch between devices and keep passwords and logins in sync. So, I went for a cloud solution and am happy so far. I have no reason to mistrust Proton and their implementation of the encryption algorithms. Using a strong password and 2fa with a third party offline app is fine for me for now.

Eagle_Owl

RuedigerJoe
No, it is not possible to change the server retrospectively!
This is also why I pointed this out.

If you choose the free version, you can simply delete the password vault you first chose, give it up and create a new one with the other server location, but this will cause extra work for you and Bitwarden.

Eagle_Owl

RuedigerJoe
Sorry for my late answer.
Yes, that's the only possible way afterwards.

I don't know, whether EU servers are better because of the new maybe coming crazy laws and easier access for EU law enforcement if you are living in the EU (I guess, because of your name …), but as I mentioned before: if you have selected a very secure master password, then the location of the server is not relevant.

[deleted]

patienttruth99 andOTP is unmaintained

patienttruth99

[deleted] thanks!