
I recently made the switch from LP to bitwarden and have been incredibly happy about it. I can self host everything + the autofill and UI polish (browser extensions, mobile app, CLI) is much better. AND it's FLOSS ((A)GPLv3).

Even including the self hosting setup, my all-in migration time was <30 minutes.

I looked through a ton of other options like keepass and the author's own PfP. But mobile, web, and yubikey support are all very important requirements for me.



In the comments on the article, someone asks about Bitwarden. The author mentions there's a possible vulnerability, but in-depth research isn't worth it, because he doesn't get paid for reporting vulnerabilities. This scares me about all these 'better than LastPass' open source alternatives. First, they tend to get less attention from the infosec community. Secondly, I need to make sure to properly secure the server I'm running it on myself, which I'm not 100% sure I can do myself, nor most developers I've worked with, let alone any person not working in IT.


Bitwarden paid for a third-party security audit last year and no major issues were found.[0] They also have their own bug bounty program at [1].

[0]: https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...

[1]: https://hackerone.com/bitwarden


Audits can be hit and miss. I've seen high-quality code review companies just miss major and obvious security mistakes by simply not tracing the execution logic step by step in critical code sections, and instead just scanning the code for common known mistakes based on code fragment matching.


> Audits can be hit and miss,

The same could be said for proprietary applications, which may never see third party audits because 'meh, customers have no access to our source and IP protection or something'


They have a vulnerability disclosure program, not a bug bounty, as they are not paying for bugs reported there.

Which is a shame. I have reported bugs to a lot of other password managers, but will not dedicate time to one that is not paying me for it.


They're 'paying' you by being part of a movement to improve society for everyone; which includes free use of their software.

Sure, you can't eat that, but man does not live on bread alone.

You'd tell a neighbour if they'd accidentally left their car door open, wouldn't you? Most people would even shut the door if they weren't around. Same principle.


> Most people would even shut the door if they weren't around. Same principle.

This is a poor example because finding bugs requires a lot more effort than giving a door a push (which I find a little spurious - I wouldn't touch my neighbours' car).

There is in practice an almost infinite number of things you can donate time to, and all else being equal (for example, they're all password managers) I doubt you'll convince most people by telling them they should do it because "it makes things better for everyone". They could be making everything better for everyone and still getting paid; that's the superior option. Even if I think you are correct.


That's not a fair use of the word "pay". I get where you are coming from, but it's obvious what he means, and it feels manipulative to use it that way.


I appreciate that they have a good way of contacting them with security issues, and if I found any by accident or used the tool daily myself I might report stuff. However, I will not dedicate time hacking something I do not use myself, to report stuff for free.


Sure but we wouldn't go out looking for open doors. If you want me to patrol then you need to pay me.


If you can pass your password database via something like dropbox (or your own nextcloud), then KeePass has had audits, for example by the European Commission's EU Free and Open Source Software Auditing project. And you don't have to trust your server that does the syncing.


> KeePass has had audits, for example by the European Commission's EU Free and Open Source Software Auditing project

Link: https://joinup.ec.europa.eu/sites/default/files/ckeditor_fil...


Plus KeePass has the best Android client out of any password service, KeePass2Android.


The semi-recent ability for it to work with android's built in password filling has been really nice for me. It now works properly with firefox android out of the box, selecting the correct username/password based on the url. Previously the best way was to use the keyboard that it comes with and select the password yourself. Now it works everywhere.


KeePass2Android doesn't have those audits.


> I need to make sure to properly secure the server I'm running it on myself

I think, for practically everyone, it is far more likely that shared infrastructure (like LP or hosted bitwarden) would be centrally compromised. For example, this post mentioned compromising a safety check for all lastpass users by finding a single vulnerability on a single lastpass domain.

Unless you go to extreme lengths with your personal opsec, a targeted attack by a skilled attacker is pretty much sure to be able to compromise you.

(In fairness, I don't actually know if self hosted bitwarden is enough for all classes of attacks or if I should also compile the clients myself in order to remove any references to the main bitwarden domain)


> I think, for practically everyone, it is far more likely that shared infrastructure (like LP or hosted bitwarden) would be centrally compromised.

I believe the opposite to be true. Any use of Shodan or any vulnerability scan of the public internet provides strong evidence that centralized, funded and focused services do security better than 99% of orgs and individuals.

You can’t run infrastructure and app security better than a specialist SaaS company. You don’t have the same time and money.

Yes, the blast radius is smaller for self-hosting, but that’s small comfort when you are still inside the blast radius.


Attackers will spend resources proportional to the expected reward. Alone I am a low-value target, but using a standardized solution makes me part of a huge reward pool. As such my strategy is to require manual work by the attacker to compromise me.

Combining a few off-the-shelf components (Dropbox + KeePass in my case) should be easy enough not to screw up so badly that it isn't worth putting your eggs in a different basket from everyone else.


In terms of intentions, Bitwarden is very open and attempts to do everything right while putting itself under scrutiny. I suspect that as the company gains more and more users they will grow into the top choice, i.e., when they get the cash to hire 1-2 more developers (or even afford a high-paying bug bounty system).

For example, I chimed in on GitHub semi-recently about there being a lack of automated tests, and within a week somebody claimed to have decided to prioritize it. With other companies, 1) we wouldn't have known, and 2) we wouldn't ever know if it was fixed.

TL;DR: long term looks great for Bitwarden, short term makes me a tiny bit nervous though.

Edit: looks like they added 3 test files that I could find, which isn't terribly comprehensive, but I assume there are more I missed on the other repos...


+1 for Bitwarden!

Switched to it somewhat over a year ago from LastPass after I read up on LastPass’ ‘security’. The only thing I dislike about Bitwarden is that on their iOS app it sometimes takes a while (>30s) to load the search function. I love that their chrome extension has a dark mode!


30s seems a lot, I never see that. Maybe it depends on the amount of pwds saved...


I do have quite a lot of entries.


Their Android app is notoriously slow as well in search.


Also very happily self hosting bitwarden.

Bitwarden is using Microsoft technologies. If running an MSSQL server is too much for you, you can use alternative servers which are fully compatible with the official clients:

- https://github.com/dani-garcia/bitwarden_rs
- https://github.com/jcs/rubywarden


Ok, I'll bite... I tried to import from LastPass and ran into this error:

https://github.com/search?q=org%3Abitwarden+exceeds+the+maxi...

So the notes fields can't store more than 10k, which isn't going to work for me at all.

Update:

Found this python script and ran it. https://github.com/bitwarden/web/issues/194#issuecomment-464...

Only had two notes that were too long. Added them in by hand. Problem solved.


Seriously, send a support request in. The main dev is very responsive... will even have a chat on Reddit if you're inclined.


I did. They linked me to the article saying to hand-edit my CSV file to figure out which fields are too big and delete the data. This is a years-long outstanding issue.

https://help.bitwarden.com/article/import-data/#troubleshoot...


I love Bitwarden but this is indeed a big and weird pain.


I love bitwarden also. Having tried a few password managers, it has the most pleasant mobile experience.


Same here, migrated to Bitwarden from LastPass. So far my experience with Bitwarden has been great. Bitwarden apps are very good.


I second it. I also switched from LastPass to Bitwarden. The main reason was that my data which is online is more valuable than it used to be a few years ago, and I don't want to be the scapegoat of their failure if it happens.

Another reason: it has a polished app, works flawlessly on all the platforms, and I can host it myself.


How did you perform the switch? I reviewed the LastPass export function and it outputs an entirely non-compliant CSV file. It's probably impossible to parse...
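As an added example for the two migration problems raised in this thread (the 10k character limit on notes fields during import, and the question of how to parse a LastPass CSV export at all), here is a small Python pre-flight check. It is not the script linked in the earlier comment and not Bitwarden's or LastPass's own code. It assumes the LastPass column layout `url,username,password,extra,name,grouping,fav` with the notes text in the `extra` column, and takes 10,000 characters as the per-field limit the thread calls "10k". Python's `csv` module handles quoted fields that contain commas and embedded newlines, which is the part of the export that looks "non-compliant" when eyeballed; the sample export below is constructed inline so the check runs offline.

```python
"""Pre-flight check of a LastPass CSV export before importing it into Bitwarden.

Splits the export into rows that fit the importer's notes limit and a list of
oversized entries to add by hand, and writes the clean subset back out as CSV.
"""
import csv
import io

# Assumption: LastPass column layout, with secure-note/notes text in "extra".
FIELDNAMES = ["url", "username", "password", "extra", "name", "grouping", "fav"]
NOTES_COLUMN = "extra"
# Assumption: the limit is 10,000 characters, per the "10k" figure in the thread.
NOTES_LIMIT = 10_000


def build_sample_export():
    """Constructed sample export: a login, a multiline note, and one oversized note."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(FIELDNAMES)
    writer.writerow(["https://example.com/login", "alice", "hunter2",
                     "short note", "Example login", "Web", "0"])
    # Secure notes export with url "http://sn"; the quoted field spans lines.
    writer.writerow(["http://sn", "", "",
                     "line one\nline two, with a comma\nline three",
                     "Multiline secure note", "Notes", "0"])
    writer.writerow(["http://sn", "", "", "x" * 12_000,
                     "Huge secure note", "Notes", "0"])
    return buf.getvalue()


def split_export(csv_text, limit=NOTES_LIMIT):
    """Parse the export and separate rows whose notes exceed `limit`.

    Returns (fieldnames, clean_rows, oversized) where clean_rows are dicts
    ready for re-export and oversized holds name, length and the full row so
    the entry can be added manually.
    """
    # newline="" lets the csv module see embedded newlines inside quoted fields.
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    clean, oversized = [], []
    for row in reader:
        notes = row.get(NOTES_COLUMN) or ""
        if len(notes) > limit:
            oversized.append({"name": row.get("name", ""),
                              "length": len(notes), "row": row})
        else:
            clean.append(row)
    return reader.fieldnames, clean, oversized


def write_clean_csv(fieldnames, rows):
    """Serialise the importable rows back to CSV text with the same columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    names, ok_rows, too_long = split_export(build_sample_export())
    print(f"{len(ok_rows)} rows importable, {len(too_long)} need manual handling")
    for entry in too_long:
        print(f"  {entry['name']!r}: {entry['length']} characters in {NOTES_COLUMN}")
    print(write_clean_csv(names, ok_rows))
```

Run it against a real export by replacing `build_sample_export()` with the file's contents; the oversized entries come back with their full row, so the notes can be pasted into the vault by hand while everything else goes through the normal importer.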


...but it's written in node

