• Dude it affected devs through Bitwarden CLI, it ain't that deep my boy, and self-hosting it protects you in this regard because you don't need to update your instance the millisecond a vulnerability or a malware is pushed, giving you the time to review the changelog and changes.

    Chill out.

  • 21 hours

    I use KeepassXC on my laptop (completely offline), export the encrypted backup copy and store the backup offline copy and in cloud. Also, I manually import the backup file into my Keepass2AndroidOffline Android app (it’s a hassle, but I’m okay with it).

    But for normies (non-technical folks), the benefits and convenience of using a cloud-based password manager are far outweighed by any security vulnerabilities in such password managers.

    Also, Bitwarden’s source code is open-source (unlike other closed-source password managers), so I trust it more.

    • I’m one of the folks that reserve important items for a local password manager and use Bitwarden for all the various sites that, if it got taken over, it might be annoying but is not the end of the world.

  • Bitwarden’s npm distribution pipeline stayed compromised for approximately 19 hours and 334 developers had enough time to pull the malicious package before it was caught.

    It was actually about 90 minutes.

    Everyone running bw in a CI pipeline just handed the attackers whatever else happened to live on that machine.

    Only if they installed bw in that time window.

    Otherwise yes, I agree it’d be better if the CLI was written in a non-JS/TS ecosystem. Perhaps Rust or Go. And the criticisms to list including secrets are super valid.

  • What’s with the downvotes? The article makes good points, and brings them across politely:

    • it’s a $100M for-profit company
    • it’s heavy (compared to Vaultwarden, a Bitwarden compatible Rust rewrite)
    • its code base requires proprietary MS libraries and other esoteric (seen from the POV of a *nix user) stuff. I might have summarized this one badly, just read the chapter, it’s not long.

    My guess is people are salty because

    • they use Bitwarden and don’t like to see it criticized
    • they got upset by the JavaScript overlay which is hilarious imo. I certainly got rick-rolled for a hot second.

    FWIW, I don’t serve my password database on the www at all. It sits on my own server and I can access it with all my devices, but the software to do that is local only.

    • I didn’t downvote, but personally I’m upset that this article doesn’t give you a good alternative, only a ridiculously complex new setup that is unrealistic and impractical for most users.

    • How do your phone and laptop outside of the network get to Vaultwarden? Just using a VPN?

    • I really don’t get it either. I feel like OP tends to write well-researched and thought-out blogs, which are nice to read too.

      @op: you do good stuff!

  • 1 day

    My review of your post: you need to stop using so much emphasis on everything. Not every instance of the word Bitwarden needs to be italicized. Also five different ways of storing passwords sounds insane, and harping on for a dozen paragraphs about Bitwarden’s security incidents only to settle on another SaaS password manager sure is a choice.

    • The outward appearance might not be your style, but they make good points, provide facts to support them and most importantly, they remain polite about it.

      I personally think the article is worth reading, at least until just before the last chapter, in which the author outlines their own convoluted ideas. And that’s where such things belong: in the last chapter.

      only to settle on another SaaS

      Do you mean Vaultwarden? AFAICS they do not “settle” on it, but they do argue that it is much lighter in almost every respect. And since it is Bitwarden compatible the comparison is valid.

      Frankly, I think most people just got salty because of the JavaScript overlay which I found pretty funny; a mild prank and a good demonstration of the power of JavaScript.

      • 19 hours

        Do you mean Vaultwarden? AFAICS they do not “settle” on it, but they do argue that it is much lighter in almost every respect. And since it is Bitwarden compatible the comparison is valid.

        I don’t know which one I mean, because OP never says which SaaS password manager they switch to, they simply say they switch to a proprietary SaaS password manager:

        For group A I’m going with a SaaS password manager that offers proper vault sharing, integrates with the tools clients actually use (SSO, browser extensions on corporate machines, audit logs), and takes the hosting burden off my plate. The platform is proprietary, which I would normally not be thrilled about, but given that the scope of this group is client work only, I’m accepting the trade-off.

  • What’s with the sketchy domain name? Doesn’t really instill trust enough for me to click on let alone listen to their opinion.

    ETA: TIL about punycode. Thanks all 🙏

    • If the domain starts with xn-- it’s a telltale sign that it’s a Punycode domain name. Read: it does contain characters that are not ASCII characters. This is done as domains need to be ASCII only. The format of these domains is usually xn--allASCIIcharacters-allNonASCIIcharactersEncoded.tld. Example: täst.com is xn--tst-qla.com.

      If you manually type such a domain (containing characters like äöüéèçč…), many browsers will still display what you entered, but convert the domain into punycode in the background before connecting.

      You can decode the domain of this post and it results in マリウス.com.

      • That’s interesting! And my translation add-on says it translates to “Marius”.

      • This is done as domains need to be ASCII only

        They don’t need to, but a Punycode attack is done by using a letter of another language that looks almost identical. I think you still have to actively enable the defense against it (some about:config setting), the poster did.

        • DNS is ASCII only and so this conversion is done. It is not needed to display the “technical” domain name that results when you enter a domain name with non-ASCII chars in apps, but yes, this prevents character confusion.

          https://en.wikipedia.org/wiki/Internationalized_domain_name

          In the Domain Name System, these domains use an ASCII representation consisting of the prefix xn-- followed by the Punycode translation of the Unicode representation of the language-specific alphabet or script glyphs. For example, the Cyrillic name of Russia’s IDN ccTLD is рф. In Punycode representation, this is p1ai, and its DNS name is xn--p1ai.
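As an added example (not part of the thread or any poster's code), the xn-- conversion described in the comments above, run on the thread's täst.com and рф examples plus a constructed mixed-script label; the per-label script check is an assumption modelled on the confusable-character defense the comments mention, not a described feature.

```python
import unicodedata

# Constructed sample domains (not taken from the thread): the thread's täst.com
# and рф examples, plus a label that mixes Latin letters with a Cyrillic "а" (U+0430).
SAMPLES = ["täst.com", "рф", "マリウス.com", "ex\u0430mple.com"]


def to_ascii(domain: str) -> str:
    """Unicode domain -> DNS form: each non-ASCII label becomes xn--<punycode>.
    Labels that are already ASCII (including existing xn-- labels) pass through."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """DNS form with xn-- labels -> the Unicode form an address bar would show."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used in one label, taken from the first word of each character's
    Unicode name (LATIN, CYRILLIC, KATAKANA, ...). Digits and the hyphen are
    script-neutral and skipped."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(domain: str) -> bool:
    """True if any single label mixes scripts (e.g. Latin letters plus one Cyrillic
    look-alike). Assumed heuristic: a browser-style check that decides whether to
    show the Unicode form or fall back to the raw xn-- form. Accepts either form."""
    unicode_form = to_unicode(to_ascii(domain))
    return any(len(label_scripts(lbl)) > 1 for lbl in unicode_form.split("."))


if __name__ == "__main__":
    for d in SAMPLES:
        ace = to_ascii(d)
        print(f"{d!r:22} -> {ace:26} mixed-script: {is_mixed_script(d)}")
```

A single-script label such as マリウス.com is not flagged; only a label combining scripts is, which is why an all-Katakana or all-Cyrillic name is displayed as Unicode while a Latin/Cyrillic mix is shown as xn--.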

    • they even have a blog post telling you to never click domains that look like the domain of the blog :D

  • But what if you don’t want to self host your password manager?

    Any non-terrible choices?

    • 6 hours

      Passbolt seems to be an upcoming competitor. It’s EU based, OSS, etc., but has not been audited as much as BW and has not achieved feature parity so far.

      But it looks very promising.

    • I don’t think Bitwarden is a terrible choice. That said, I share the author’s concerns in general.

      How much does a non-selfhosted password manager cost? Weigh that against the cost of remote-mountable server storage; you can simply put your database there.
      (Both costs can be 0 btw)

    • I prefer 1Password. They use a secure encryption key together with your master password. If you lose the encryption key, your data can’t be recovered. The key is only needed during the initial setup and after that you unlock the vault on your device with your master password.

      This means if their database ever gets hacked, your data is encrypted in a way that not even you could get at unless you have that secure key.