Thank you to Bitwarden for relicensing a thing to Free/Open License!
Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good. But for anyone with more advanced needs (or who doesn't trust a password manager built into a web browser), I always recommend Bitwarden because KeepassXC + syncing is way too difficult for normal people.
> I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.
But a lot of "normal people" actually need a secrets manager which is larger in scope than just a "websites urls passwords manager". This means a password manager with extra metadata fields for users to add notes, associated email aliases, etc. E.g. if a website has an extra step of "Confirm your identity by answering this question : What was your childhood pet's name?", users want a place to save the answer ("BugsBunny") in the "notes" field of a password manager. Another example would be the secret PIN unlock code for the spouse's phone. That's not a website url, it's just a "secret" that needs to be stored in an encrypted file.
Firefox password manager is too bare-bones with the only 2 fields being "Username" & "Password".
The better UI/UX for normal people is to have a unified app to store all their secrets instead of having some secrets in the Firefox password manager and other non-web-url secrets saved separately in yet another app.
I completely agree with you! Almost everyone needs to store more than only usernames and passwords for websites. Think of PIN for credit cards and the like.
This ^. Passwords just don’t live in Firefox when you are using apps that need passwords across platforms (Mac, iOS, Windows) and apps. This is where Bitwarden shines.
AFAIK Firefox also doesn't store bank-account or credit card details.
Here's why I recommend bitwarden to "my mom":
- It stores and fills in all your website passwords on your phone and on your laptop
- It makes it easy to generate new passwords for all these places
- It stores your PIN for your bank accounts (in many EU countries payments with PIN are the default)
- It stores your credit card info and 3D passwords or other extra secrets it requires.
- It's the perfect place to store SSN, Tax IDs, "what was the name of your first pet?" and so on.
I've never understood the rigid structure of e.g. Firefox or even LastPass, where they e.g. insist on having a URL or even insist on a username/password. I want secret notes with optional metadata - metadata that may follow a predefined structure (username, OTP secret, url, etc) but not always. Bitwarden does this much better IMO.
Absolutely, everyone I recommend BW to appreciates the notes feature as well - it's handy to have a place to jot down important things that aren't log-ins!
> Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good
Interesting, I've always felt that browser-based password managers provided remarkably little value for most people. Using them on mobile is tricky and platform dependent, it's easy to have local-only, non-synced data and then lose it, and being multi-device is trickier, especially in a work context.
On the other hand, people generally understand installing an app on each device they own and that app doing it for them.
Firefox password sync just works. It's one of those things I never think about.
Watching friends and family struggle with bespoke, poorly integrated password managers makes me cringe and is one of the big reasons I enjoy the seamless experience of the built-in Firefox password manager.
Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox? This is the sort of failure I've seen, where people think their passwords are synced but because they didn't sign in years ago it's actually not backed up at all. At least on Chrome you get reminded of that all the time on YouTube/Google search, etc.
I know for Safari all the sync is via iCloud meaning if you're not signed in it's locally stored and vulnerable in that way. Especially as many people can't/don't sign in to their own iCloud on work computers, or don't have a Mac.
Firefox reminds you a bunch of times, too. Would be nice if you could just link a new device via QR code (creating an account for you in the background).
The original Firefox sync worked like this (with a unique code and pairing instead of an explicit account) (this is so on the nose I suspect you may know this).
Didn't expect to click on that link and end up on a blog post I wrote 10 years ago! The old Firefox Sync / PAKE stuff was fantastic for getting sync going between devices... but people wanted backup, not sync. I wonder if we'd do anything differently confronted with the same challenge today.
It just works for websites. It does not "just work" for apps, whereas the platform ones do or have a chance to work with apps.
Kind of hope regulation will force Apple/Google/MS to allow iterations for 3rd parties to integrate with the OS, but on the other hand that will open a host of issues.
It does on iOS, but I believe the onus is on the app developer to enable the autofill feature in the form, or at least make sure that the app hints to iOS that it can be filled with a password. I'm making that assumption because there are lots of apps which don't trigger the native Apple password manager either (which is a lousy user experience). However, if one works then both do. The UI offers a choice of password manager and Face ID works to unlock it.
I use both. Apple's manager supports OTP generation which is nice, but on desktop websites, Firefox is often more convenient.
I use the Strongbox app on iOS [0] and the KeepassXC app on my Linux laptop. The passwords.kdbx file sits on my Onedrive, which the Strongbox app can access. On Linux I use a Onedrive client [0] that I use to sync several folders within my home folder. Strongbox supports both Keepass and pwSafe database formats. It also integrates well with iOS, with autofill supported (also supports Yubikey unlock and Apple Watch unlock).
This discussion is about an open source password manager. I wonder why you are recommending a closed source software? Are you aware that many people prefer open source for security software for a reason?
Correct. I did not realise this and am disappointed, having paid a pretty penny for the lifetime license. Reading the github thread, the surreptitious way they changed things is a bit of a dick move.
Yep, it's the same problem on Android. Some app developers go full asshole with the password text boxes. There was one electric utility here that I lambasted hard and they finally fixed their form which not only didn't trigger the password manager, it literally blocked all pasting.
iOS already has all of the API required to integrate a password manager with the OS. Third party password managers can already integrate with both browsers and apps to provide passwords and password generation.
Technically maybe someone could make you navigate to that url in the future, through mitm or some sort of DNS poisoning, and autofill a form with your password and then auto submit it.
That is such a laughable statement. 1Password has incredible UI/UX. Even has e-mail masking with Fastmail. And auto-enters TOTPs, for the less-important ones you feel comfortable saving in your password manager.
Firefox sync made the criminal sin of implementing end-to-end encryption, enabling it by default, and being insufficiently clear to people that their passwords are lost forever when they forget the master password.
This provides a really terrible UX to "normal" users. I wouldn't recommend that option to anybody who doesn't already know what E2E is and what tradeoffs it has.
Google's implementation is a lot better in that regard, at least they offer plenty of avenues for account recovery.
Presumably the passwords themselves have recovery/reset procedures? I can't think of a good reason to add another risk surface to a password manager given that.
I'm not sure how it is on iOS, but I've been using Firefox as my password manager on Android. It's a trivial change in the settings and works across all apps as well.
I also recommend it to my friend group, as they can use Firefox with uBlock Origin, and also have their passwords synced.
All serious browser vendors offer sync to logged in users. That’s multi-device, cross platform and pretty foolproof. I still prefer Bitwarden because of self-hosting and integrating nicely with the iOS ecosystem. But there’s not much wrong with the browser approach.
I have the opposite problem. If I forget to log into bitwarden, passwords just get saved into firefox / chrome, so now I've got some passwords in bitwarden, some in chrome, some in firefox, and worst of all bitwarden doesn't seem to have an easy way to unify these databases.
This is obviously true for the HN crowd, but for normal people I think there's a distinction. Don't underestimate the value of centering a brand and an icon on a home screen around a single function.
> Interesting, I've always felt that browser-based password managers provided remarkably little value for most people.
They provide the value of "you should, by design, have no idea what most of your passwords are; if you know any significant number of your passwords you probably have bad passwords".
And both Firefox and Chrome sync passwords between devices.
The comment I was replying to said "browser-based password managers provided remarkably little value"; it didn't say "little value relative to other password managers".
Much as with cell phone cameras, "the best camera is the one you have with you"; the best password manager is the one you have with you.
If Mozilla released a separate passwords app so you could manage and access your passwords outside of Firefox I think the two would be more comparable. That would promote your passwords as part of your Mozilla account, not just Firefox.
Bitwarden excels here, and I think is the model to beat. However, Mozilla would have the advantage since their browser integration would essentially be built-in and first class.
Otherwise, unless you use Firefox exclusively for everything I just don't think a single browser is the right place to manage passwords. I would say that's true even for a broad audience, given the importance of passwords and security in the modern age.
Bitwarden is also nice in that you can "lock" access to your passwords while keeping the browser open. That way, for the 99% of the time you're just browsing the internet you essentially don't have access to all your passwords "open". The last time I looked at this I had to enter my master password on opening Firefox, even if I didn't need access to my passwords. That meant that "unlocking your vault" is essentially tied to opening the browser. That alone was enough for me to bail on it.
> If Mozilla released a separate passwords app so you could manage and access your passwords outside of Firefox I think the two would be more comparable
Ah yes I remember that now, I had forgotten about that!
Funny, especially now that I see Apple are now going the other way with a dedicated "Passwords" app on iOS 18 and macOS 15. And for Apple to do this - against their instinct for featureless simplicity and implicit integration - to give passwords their own "shop front" as a dedicated app I think really does acknowledge the first-class importance that passwords now have, even for a broad audience.
It's a shame as I think Mozilla could really compete well in this space. They are both cross-platform, have their own browser and have a good reputation on privacy. It's a killer combo. Bitwarden is evidence you can make it work and you don't need massive big-tech budgets to make a difference.
I'm glad that Bitwarden moved quickly to resolve this. At least for me, Firefox's password manager isn't really a replacement. Bitwarden is approved by my employer, self-hostable, and supports logins for the litany of apps across my browsers and mobile devices. Whether it's the mobile app, mobile website, or site in my browser, Bitwarden just works for the most part. It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.
> It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.
+1. I use my password manager (currently 1Password, but I have been looking at self-hosting Bitwarden/Vaultwarden) more for storing credit card information and security questions.
Most built-in password managers don't cut it on that front.
Vaultwarden is great! I've been running it for years (since it was bitwarden-rs) on a free-tier GCP VM. I use a cronjob to back up the DB to Backblaze B2 with rclone.
The downside is you can only share to other users on your Vaultwarden instance. You can't e.g., set up emergency sharing to family members who use cloud Bitwarden.
BW clients support having several accounts at once so you're not forced to choose. Your family can have a regular bitwarden.com account and your vw.example.com account just for emergency access.
> Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.
I use both Bitwarden and Firefox and I would strongly encourage everyone to not use the password manager in Firefox. Do you know the tab sync across devices is broken in Firefox? It was broken since Aug 24 and it is still not fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=1913795. If they can't sync tabs across devices, I wouldn't trust them to sync my passwords.
Interestingly, password syncing is one of the most reliable things I've seen Firefox doing during the last years. If you don't even have to think about it, that means it "just works".
Browser password managers and their related files are the usual targets of the sophisticated malware creators. Not many people use good master passwords either if any.
I think that the Firefox password manager is good, however, relying on the browser is a terrible form of vendor lock-in. You need to use another browser (for any reason), you also need to switch password manager. Also, Firefox on Android is not great, and Bitwarden has a better integration.
Finally, Bitwarden (the paid version) also manages passkeys and OTP codes; the Firefox password manager does not.
I use both, and I agree, even if I’m very happy with Firefox. There are lots of apps outside of browsers that need passwords. It’s very common these days. Besides, does it support passkeys? That’s getting increasingly common as well.
> because KeepassXC + syncing is way too difficult for normal people
I've been debating for ages if this is a hurdle that can be overcome by packaging or even hand-holding support. When I show "normal people" my pass+sync setup they beg me to implement it for them. Once it's running it's near-zero maintenance.
Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.
Would you care to elaborate? It also matters what counts as "bad password manager" to you - Poor crypto? Poor UX? A reddit post ;-)? LastPass?
With passkeys, both the website and the user can be pretty sure that the "password" is secure. The website knows that it's based on enough entropy, and the user knows that the website can not lose it.
Of course if I use a random generated 80 char password I only mildly care if the website stores it plain text or not.
But if I was a site operator, I could additionally trust that the users are using secure passwords. Without insane strength requirements (which people only work around anyway, e.g. Passw0rd!123 is usually accepted, but thisisasuperlongpassphrase often is not).
I'm in the business of testing security, which means I sometimes crack passwords. No matter how much training you put your employees through: Somebody's gonna use ${some name}${0 or 1 special char}${some birthday} - whether it's the spouse, kids or affairs data, your guess is as good as mine.
I did that for quite some time, but I had severe issues with multiple editing users and with Android apps. All the tricks I tried, like nested vaults, didn't fully work in the end. So I ended up with 1Password.
Where did you manage to find "normal people" that begged you to install a password manager for them? I have yet to come across one person who wanted one.
100% serious question: how is using dropbox (one cloud) to sync passwords any better or more secure than using a password manager that syncs your vault for you (another cloud)? I see so many "I don't trust <insert pw manager> so I use dropbox" comments around these parts and I just don't understand what real or perceived threat is being mitigated.
It's valuable that the syncing mechanism is separate because that makes it agnostic. Parent comment uses Dropbox, I use Google Drive, someone else uses OneDrive, someone else uses iCloud, someone else uses Syncthing or Nextcloud, etc.
You don't have to trust the single cloud provider to encrypt and not be able to spy. The vault is encrypted on your own device using fully open software, and the cloud only ever sees a blob they have no keys to, directly or indirectly. The encrypting/decrypting software was not written by the cloud provider.
You don't have to trust any single cloud provider to stay up, be available in your country, stay friendly to you. If Dropbox goes down or kills your account, you just flip to any of 20 other options.
You say you don't understand why someone prefers Dropbox over the special custom syncing, but I don't understand what the excuse is for a special vendor-specific implementation of something that is already generic and agnostic. It's like using a browser that uses its own version of http to download files and only works with one web site that has the matching special server.
It's not a remotely equivalent comparison between "one cloud" and "another cloud". One is a single vendor-specific, custom purpose, single-provider thing, the other is agnostic and infinite, use any method you want from any provider you want any time you want.
For me it's not about "mitigating a real or perceived threat". It's just basic system resilience and principle to avoid special things and prefer generic/agnostic things, and keep concerns separated. But it is also more secure not to trust any integrated cloud provider, vs having the cloud be just storage that doesn't know anything about the blob being stored, and can't even if they turn bad, or are pressured by a government, or get hacked, etc.
I guess the idea is that you trust open source software to encrypt the vault, so Dropbox couldn't do anything with it even if they wanted to. That's also true for the open source Bitwarden clients though.
No local backup? Do you rely on the network working all the time?
I do something similar on the mobile phone (the reasoning is, if there's no network, there's nothing I need to login to) but I also keep a local copy on my laptop (that I sometimes operate with limited connectivity). Without any automatic syncing, one of the two copies will be stale.
Back in the day we tried to sync KeePass vaults at work and ended up with a conflict about once a week, which is way too often. Not sure if other password managers have solved this.
Ah, you mean by using some app or daemon. I excluded that possibility because on at least one of my laptops I'm not allowed to install anything, so for me "normal" behavior is using Dropbox as a container for files to download when needed.
I did this a long time ago but eventually ended up with conflicts. Password managers write new entries in a file and easily avoid conflicts whereas agnostic file managers will immediately conflict if sync wasn’t working for a while on a device.
I used it (Keepass) for a while and never got the conflict on the desktop client (osx), nor on Firefox. But the iOS app does not like the file on the Google Drive and occasionally it needs to be reloaded.
I use Mobius Sync and I'd say the app itself is fine, you just have to open it whenever you want things to sync. That's one of the things I miss from Android. Also you can't sync your camera folder.
Mobius Sync works really well, the only caveat is that it's not completely free (you're limited in the sync size unless you pay $5, but that's a one-time thing), and that while it can background sync, it's not continuous, and you'll want to open the app if you need to make sure something's synced.
Nope. I have a cloud Syncthing box that is accessible over SSH, and I use ShellFish to read/write my synced folders. It works okay, especially for lazily sending stuff from my phone to my laptop.
You laugh, but that's apparently what I did a decade and a half ago.
I recently mounted a HDD that was at my parents' house. Most files are from 2009-2012ish. I was there one summer between undergrad and grad school and used it for a couple months.
I found an Opera password list that I'd exported, presumably to copy over to my new laptop. It was fun last night skimming the list, seeing which websites I'd completely forgotten about that I used to have accounts for. Almost none of them even exist anymore besides the big players (Slashdot, Apple, etc.), but the point is *almost all of them had the same password*. o.O
I recommend Bitwarden family plans to non-technical people. It's pretty user friendly, and you can give people emergency access. A couple of recent deaths in my life have made me painfully aware that this is something that many people really need.
It's kind of funny to see how gen x in particular deals with aging. For example, menopause memes as gen x women hit perimenopause. We're supposed to be all nonchalant and cynical, and it's interesting to see those attitudes hit the immovable object of aging.
I used Firefox password manager for years, and moved to Bitwarden for:
- Passkey syncing
- Bitwarden on Android works properly, compared to Firefox's dedicated password app that's abandoned.
- TOTP support (to use with some apps I don't want the strongest security)
But you are maybe right, if the only browsers you use are Firefox desktop/mobile.
There will always be different opinions, but my opinion is that storing your TOTPs in your password manager is at best a reduction in security because you're reducing your 2 factors down to 1 factor. If the password manager gets compromised (even phished! It needn't involve the password manager's servers getting hacked), then you gain nothing by having 2FA enabled.
I would strongly advise using something like Aegis on Android, or Gnome Authenticator on desktop (or both). I like to duplicate/backup my seeds so that I'm not SOL if my phone breaks, but I do it by having them on my laptop, desktop, and phone. That way as long as I have one of the three devices, I can always get in, and then they're not "in the cloud." Though, "in the cloud" is still better than "in the cloud alongside all my passwords."
The only true 2nd factor is a setup where your totp codes live on a separate piece of physical hardware. If your totp codes are in an app on your phone, and your password is in a different app on your phone, you're not pure 2nd factor despite convincing yourself that you are. Anything that is convenient is not real 2FA. Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.
I'm not saying I think everyone needs real 2FA. I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer. 2FA is a hack put in place to mitigate passwords being relatively insecure and phishable. It's supplanted by Passkeys.
I think you're letting perfect be the enemy of good. It doesn't have to be pure 2FA to be better than 1FA. Being in separate apps does give some benefits. It's always going to be harder to compromise two apps than it is to compromise just one of them (even if the difficulty increase is marginal, it's non-zero). Often simply not being low-hanging fruit is enough to save you from an attack.
There are plenty of things for which a 2FA in PW manager is fine, but for the most important things I think it's an unnecessary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV
I did read your second paragraph. There is some ambiguity, but I ultimately decided you weren't agreeing with me because you said (emphasis added):
> I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer.
If you're storing your 2FA codes in your PW manager, then you're NOT using separate apps. You're using the same app (your PW manager). My argument is that you should use separate apps for the things that matter, like your email (which can be used to get access to almost every other account), and since you're already using separate apps for those things, you might as well just be consistent so you don't have to remember where each TOTP token is stored.
I see three levels we've discussed:
1. Pure 2FA using hardware token or equivalent (which I agree is rarely needed)
2. Impure 2FA but separate app for storing passwords and TOTP tokens (which I'm advocating for)
3. Storing TOTP tokens in PW manager (which you appear to be arguing for in 99.999% of cases, which is basically all of them)
If you are actually advocating for level 2, then we agree, but from reading your 2nd paragraph it seems pretty clearly to be arguing for level 3.
> Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.
My thumbprint isn't stored on my phone, so I have two factors.
From the PCI Security Standards supplement on MFA,
> The issue with authentication credentials embedded into the device is a potential loss of independence between factors—i.e., physical possession of the device can grant access to a secret (something you know) as well as a token (something you have) such as the device itself, or a certificate or software token stored or generated on the device. As such, independence of authentication factors is often accomplished through physical separation of the factors; however, highly robust and isolated execution environments (such as a Trusted Execution Environment [TEE], Secure Element [SE], and Trusted Platform Module [TPM]) may also be able to meet the independence requirements.
So your phone can constitute a token, while the biometric constitutes the second factor. I don't know about Apple phones, but Google's requirements for biometrics are:
> Capturing and recognizing your fingerprint must happen in a secure part of the hardware known as a Trusted Execution Environment (TEE).
> Hardware access must be limited to the TEE and protected by an SELinux policy.
> Fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint aren't accessible.
I think you misunderstood me. I agree that biometric plus password or device key would constitute two factors. I perhaps believe that you can’t really trust the device to have performed biometric verification without some sort of software attestation. So if the security of your protocol depends on two factors, you’d need to yes have a biometric signature or remote attestation that a biometric check has been performed.
That's a pretty user-hostile attitude. Sure, some combinations of factors are pretty unergonomic, but I'd call that a bug, not a feature.
It's also incorrectly suggesting that somehow complexity/painful usability automatically yields security, while usually the opposite is true:
An effective secure authentication solution absolutely must consider usability, or it's doomed to be circumvented by users in one way or another (either via some insecure practice, or by your users simply ceasing to be your users).
This depends on the threat model. Having 2FA in the PW manager defends against someone phishing the password and database leaks on the server side, which are the most common in my threat model. But note that if they can phish your pw, they can probably phish your 2FA as well.
It does obviously not protect against the scenario where someone is breaking into your password vault.
I tend to enable 2FA but conveniently save the token in the PW manager for relatively low equity stuff, just to make it less enticing for an attacker, but use hardware FIDO for everything actually important.
> TOTP is trivially phishable . . . via social engineering
Is it? I've been on the Internet since the 80s and haven't been phished a single time (despite being the recipient of many obvious attempts). Maybe I could be phished, but I think that's evidence it's not trivial.
I have to wonder how many people sophisticated enough to use and pay for a password manager like Bitwarden could be "trivially" phished.
That's great for you, but also a sample size of one (probably technically sophisticated) user, i.e. irrelevant to the bigger picture.
The phishability of TOTP really is exactly as bad as that of passwords, except that a once-phished TOTP isn't reusable by the attacker(s), unlike a phished password.
But even one-time access is often catastrophic, especially if it allows the attacker to rotate credentials.
Indeed, when that's the case I think the PW manager is fine.
Though, if you already have to have an app for the important stuff like your email, then IMHO it's actually simpler to just keep them all in one place even if you don't care too much about some of the tokens. Just one less thing you have to remember (i.e. where did I put service X's token again? was that in bitwarden or Aegis? etc).
It's still 2 factors though, if someone discovers your password they don't automatically know the TOTP key. So I use TOTP in my password manager for sites where I wouldn't use 2FA otherwise (because using my phone would be inconvenient), so it's still a security improvement for me. And for critical accounts I do use Aegis on my phone.
That list makes for a nice slide deck but the separation (like many things in tech) isn't as clear cut as the metaphor.
"Something you know" (password) becomes "something you have" as soon as you store/autogenerate/rotate those passwords in a manager (which is highly recommended).
"Something you have" in the form of a hw key is still that device generating a key (password) that device/browser APIs convey to the service in the same way as any other password.
"Something you are" is a bit different due to the algorithms used to match biometric IDs but given that matching is less secure than cryptographic hash functions - this factor is only included in the list for convenience reasons.
The breakdown of this metaphor is one of the reasons passkeys are seen as a good thing.
Not sure what you mean, it's still a second unique token that an attacker would need to know to access my account, so it's improving my security even when stored in my password manager. This was in response to grandparent's opinion that it's "at best a reduction in security".
I'm not talking about my password vault getting breached, in that case I'd be fucked either way.
> I'm not talking about my password vault getting breached, in that case I'd be fucked either way.
But that's the whole point. If your password vault is breached, the second factor is what prevents you from being fucked. That's why putting your seeds in the vault is a reduction in security. It may be a reduction/risk that you're willing to take for convenience, but it's still a reduction.
Aegis is no more secure than storing your TOTPs in your password manager - 2 factors primarily protect against remote attacks, which don't have direct access, in which case the app your 2nd factor lives in is moot. If your threat model involves direct access you need dedicated hardware for your 2nd factor. Most people are fine with TOTP in pw manager.
(I do use Aegis as I like the UX but that's a separate topic)
No, factors are supposed to have different qualities, such as:
"Something you know"; "something you have"; "something you do"; "something you are [biometrics]"; "somewhere you are [geolocation]".
Passwords are in your head - "something you know".
TOTP codes are generated by a hardware token - "something you have".
If the TOTP codes are crammed into your password manager, then the factors are no longer distinguished by these qualities, but they're now the same factor, and it's not true MFA anymore, whether or not they're split up across devices, or apps.
Actually, they are pretty much split up. To get access to my passwords and TOTP secrets, the attacker needs one of my devices (something I have) and its password (something I know) or my face/fingerprint (something I am).
The whole point of a fully featured password manager like 1Password or Bitwarden is to rely on it instead of the security of the service you're using. And that implies that you must trust the security of the vault itself.
Of course, each device you have is an additional (and equally dangerous) attack surface. However, most people should be more worried if someone hacks into their devices than their Facebook accounts anyway.
2FA via TOTP implies two things: 1) you know a password; 2) you know the seed. This is why people criticize that approach. In practice, knowing a password and having a file (seed) seem different enough, and work against some phishing threats.
Logging in through a password manager requires that you know a password (your master password), and have a file (your vault).
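To make the "knowing the seed" point concrete, here is an added RFC 4226/6238 TOTP implementation (example code, not from any commenter or from Bitwarden). It uses the RFC's own published 20-byte test seed and shows two things the thread argues: the code is a pure function of (seed, time), so whoever holds the seed, phone app or attacker with a vault dump, derives the same code; and a code captured once stops verifying after the drift window passes.

```python
import base64
import hashlib
import hmac
import struct

# The 20-byte reference seed from RFC 4226/6238 test vectors, base32-encoded
# (a constructed/reference value, not anyone's real secret).
RFC_TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time.
    Nothing here depends on *where* the seed is stored: a seed copied out of a
    password vault yields exactly the same code as the authenticator app."""
    return hotp(secret_b32, unix_time // step, digits)


def verify(secret_b32: str, code: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of
    clock drift, comparing in constant time. A code captured earlier is only
    useful to an attacker while it still falls inside this window."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


def replay_is_rejected(secret_b32: str, captured_at: int, replayed_at: int) -> bool:
    """Simulates a phished code: generated at `captured_at`, replayed at `replayed_at`."""
    phished_code = totp(secret_b32, captured_at)
    return not verify(secret_b32, phished_code, replayed_at)


if __name__ == "__main__":
    # The "user" (phone app) and an "attacker" holding the same seed agree on the code.
    print("code at t=59:", totp(RFC_TEST_SEED_B32, 59))          # 287082 (RFC vector)
    print("replay 60s later rejected:", replay_is_rejected(RFC_TEST_SEED_B32, 59, 119))
```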
I mean, if you're using a password manager, you're already protecting against 99% of the things that 2FA is designed to protect against. If you really wanted to, it would probably make the most sense to enable 2FA on your password manager?
Not really — I do it just for peace of mind, TBH. Although your primary password could be cracked somehow, so it doesn't hurt to have this additional layer.
Yes, though TOTPs will run you a (worth it imo) $10/year subscription. Passkeys have been supported for a while (free) on all major platforms, and I haven't seen any issues with it.
Given that Mozilla just acquihired a bunch of Meta advertising execs, I think the prudent plan would be to cautiously diversify away from putting sole trust in Firefox.
> because the built-in password manager in Firefox is too good
If only they could add labels to the name/password combination. I have several accounts stored for a website, with generated gibberish logins that I cannot change and sometimes it takes me multiple tries to get to the correct account.
Also, sometimes a site has two password fields - two secret codes - and for this use case the password manager doesn't work very well either and remembers only one field.
Other than that, I love how it just works, you add a password on one device and have it seamlessly available on the other with very little setup. It's a nice experience.
> the built-in password manager in Firefox is too good
Too good in what way that according to you "normal" people shouldn't be using Bitwarden? Or do you just like the Firefox one but are overselling it a bit too much?
I use Firefox, but I do not trust the Mozilla products. Bitwarden costs me $10/year so I wonder what is so amazing and groundbreaking about Firefox password sync, and does it work across browsers?
For me, the reason bitwarden is excellent is sharing account login data with my family (I have an org account w a few members) for next to no money / year.
Also, I regularly hop between 3 machines + a personal phone and a work phone, and I love being able to have access to my logins + secure notes across all 5 devices.
What finally brought me to using BW was that I simultaneously needed to backup/sync my TOTPs across mobile/desktop devices, and came to have the need for sharing an increasing number of passwords with my SO. It delivered beautifully on all of that.
This isn't an area I know much about, but wouldn't there be a security risk involved with storing the TOTP seeds alongside the passwords? Or is that not a real concern?
Totally correct, the lame excuse being that it didn't make the situation worse for the reason that those factors were anyway authenticated using the same device previously already. But at least I am now in much less trouble in case this device gets lost/broken/stolen/…
It's a valid concern. Especially if you use the same BW for password and TOTP for the same service, you've effectively reduced 2 factors to 1. If you really must sync both your TOTP secrets and your passwords, those should be completely separate systems.
> I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good
I wouldn't say it's good, but it does its job, if you can live with the insecurity and limitations. It's very comfortable, which is the only reason I'm still using it over KeePass and Bitwarden. KeePass has no reliable browser integration, and Bitwarden is hard to self-host. Firefox's password manager is just there, always works, syncs without hassle, usability at its peak (for this job).
I actually switched from Firefox's password manager to Bitwarden. There used to be a bug on Android where the autofill button sometimes would stop doing anything.
Can someone also comment on how secure the built-in password manager in Firefox is against unsophisticated malware attacks that simply copy your browser extension data and such? Compared to Bitwarden, which requires a password to unlock it and, as I understand it, stores everything encrypted on disk.
If you don't use a master password, it's unsafe. And even with master password, I vaguely remember it's not that safe either, but that might be outdated info.
Does the FF password manager still irrecoverably nuke your password with no versioning/undo when you accidentally or intentionally use the "forget this website" option in the history panel?
The problem with the Firefox (or Chrome) password managers is that they only work in their own browsers. Bitwarden works on any browser, on Windows, macOS, Linux, iOS, Android.
This (along with syncing on iOS) is what made me switch from `pass` to Bitwarden. Password sharing (and self-hosting sync with vaultwarden) are killer features for me.
It's not end-to-end encrypted (if you enable account sync), so Microsoft can technically see your passwords. Feel free to switch or not switch based on that information.
> Mozilla accounts uses your password to encrypt your data (such as bookmarks and passwords) for extra security. When you forget your password and have to reset it, this data could be erased. To prevent this from happening, generate your unique account recovery key before forgetting or resetting your password.