Bitwarden has, in my opinion, one of the BEST business models a user can ask for.
It's open-source, I can self-host (100% free), the free version is really, really good too, and the premium version is $20/year, which is very reasonably priced.
Also, for a cloud-hosted password manager you're always going to have attacks no matter what, but at least they are transparent about it .. (unlike say LastPass, Norton LifeLock, Keeper and possibly others). For self-hosting it might be better security, solely because no one cares to attack it, but it's not going to be more secure from an engineering best practices POV (but again I might be wrong .. I'm not a security engineer of any kind)
As a now almost 15-year-long user (crazy to think about) of 1password, I am unsure what attacks you mean. Did passwords get lost and it was not disclosed, or what did you mean by the lack of transparency?
That is my bad; I was thinking of LastPass[1] where it took them months to fully disclose and explain a very serious breach of data.
1Password seem to have a good transparency track record (I edited the original comment)
[1] https://news.ycombinator.com/item?id=34097142
I also don't really expect the self-hosted version to be a small self-contained Go binary or something; they have millions of users, so their tech stack is necessarily going to be more complicated. But then vaultwarden exists too and is well maintained, but is then somehow also inadequate. Who could possibly live up to these unreasonable standards?
I'm a free Bitwarden user, I don't plan to self-host stuff, and... honestly I have no idea what this person is going on about.
And "Aside from the aforementioned technical details, Bitwarden is (and has always been) one of the subjectively worst applications on my phones and my desktop in terms of user interface. "
Really!!? How many apps has this person used?
I love Bitwarden and use it every day, but I pretty much also agree with his post. I have Bitwarden for personal stuff and 1password for my, and the 1password experience is night and day better. It's just so good, it always works. Bitwarden sometimes (especially on Android) will just not autofill. On my PC sometimes it won't recognise the domain correctly even though I've got an entry set for "base domain" etc. I am ALWAYS fighting with it to get my passwords out. Look at the Bitwarden Reddit; it's full of similar complaints.
Of course the price between 1pass and Bitwarden reflects why 1pass is so much better. And you don't really realise how clunky BitWarden is if it's all you use, until you also have to use some other password manager.
And I could tell you the opposite about 1Password. About half of the time, the extension does not realize on which domain it is and autofill is broken.
To each their own (bugs).
Fair point - I've had no issue with it but I certainly don't use it as much as I do Bitwarden.
The Bitwarden Chrome extension is really bad, which is also the reason I've never been able to switch from 1Password to Bitwarden.
Yes, it's terrible. It's where I landed when I migrated from Keepass though so I've stuck with it.
1Password user here and it regularly shits the bed with autofill or recognising a domain.
Not to mention the absolutely garbage performance of the Windows desktop app.
The Bitwarden UI/X changed relatively recently so that detail view is the default click action now, rather than fill. I don't think I've ever actually used the detail view, because the edit view does the same job.
Never mind that 'fill' is 100x more common as an action. So why on earth is that not the default? It is indeed an unfathomably stupid UI decision, beyond what I regularly see in other apps that I use.
I still hate it to this day, and find it incredibly clunky. In fact that alone is kind of making me want to give in and just use Apple.
There's a setting to make the old behavior default.
Yes (after user protest as I recall) but then the new UI just diverges over time, and quite possibly gets features not in the old one. I want the latest UI, and ideally the default UI, I just also want that not to be stupid.
To be clear I don't even think I'm talking about taste here, although people did complain about that. I can't think of any good reason that 'fill' is not the default action on an app/extension whose core purpose is to fill things.
Er yeah same. I can believe it's a PITA to self-host because why would they care to make it easy. It's open source, good luck.
$10/year seems pretty fair to avoid all that.
The clients are fine, could be smoother, but I've internalised the quirks by now.
As a tangent, this site will overwrite its <title> and favicon if your browser changes tab to one of many random options, as well as showing an overlay highlighting the risk of keeping javascript enabled for once you're back.
I dug around and found them listed within the `kill.js` file[0]. It uses the visibilitychange[1] API and swaps it to one of the following:
Official Church of Scientology: Difficulties on the Job - Online Course
Ask HN: How could I safely contact drug cartels?
The internet used to be fun
am I boring - Google Search
what is punycode - Google Search
arguments for HN comment - Google Search
how to hack coworker's phone - Google Search
censorship on hacker news - Google Search
rust programming socks - Google Shopping
Adult entertainment clubs - Google Maps
Pick up lines suggestions - ChatGPT
Online debate argument suggestions - ChatGPT
The Flat Earth Society
Amazon.com: taylor swift merch
Amazon.com: waifu pillow
/adv/ - topple government - Advice - 4chan
r/wallstreetbets on Reddit
Infowars: There's a War on For Your Mind!
birds aren't real at DuckDuckGo
Lincoln MT Cabins For Sale - Zillow
The Anarchist Cookbook by William Powell | Goodreads
Fifty Shades of Grey | Netflix
jeff bezos nudes - Google Image Search
zuckerberg nudes - Google Image Search
bigfoot nudes - Google Image Search
Rick Astley - Never Gonna Give You Up - YouTube
Pennsylvania Bigfoot Conference - Channel 5 - YouTube
Linus goes into a real girl's bedroom - Linus Tech Tips - YouTube
MrBeast en Español - YouTube
FTX Cryptocurrency Exchange
[0] https://xn--gckvb8fzb.com/js/kill.js
[1] https://developer.mozilla.org/en-US/docs/Web/API/Document/vi...
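An added illustration of the mechanism this comment describes (it is not the site's `kill.js` and not any commenter's code): a `visibilitychange` handler that swaps the tab title and favicon while the tab is hidden and puts them back when the user returns. In a browser you would pass the real `document`; the `FakeDocument` class is a constructed stand-in so the behaviour can be exercised offline, and the favicon data URL is constructed. The point for a reader is that the decoy only exists while the tab is in the background, which is exactly when a tab strip or a screenshot captures it, and that turning off JavaScript for the site removes the handler entirely.

```javascript
// Added example (not the site's kill.js): the visibilitychange title/favicon
// swap described above. In a browser, pass the real `document`; for an offline
// run, a constructed stand-in document is used below.

// Decoy titles taken from the list above; the favicon data URL is constructed.
const DECOY_TITLES = [
  'The internet used to be fun',
  'what is punycode - Google Search',
  "birds aren't real at DuckDuckGo",
];
const DECOY_FAVICON = 'data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%2F%3E';

// Returns install/uninstall handles for a handler that swaps the title and
// favicon while the tab is hidden and restores them when it becomes visible.
function makeTitleSwapper(doc, decoys, rng = Math.random) {
  let saved = null; // { title, icon } while a decoy is showing, else null
  const iconLink = () => doc.querySelector('link[rel~="icon"]');

  function onVisibilityChange() {
    const link = iconLink();
    if (doc.hidden) {
      if (saved) return; // already swapped
      saved = { title: doc.title, icon: link ? link.href : null };
      doc.title = decoys[Math.floor(rng() * decoys.length)];
      if (link) link.href = DECOY_FAVICON;
    } else if (saved) {
      doc.title = saved.title;
      if (link && saved.icon !== null) link.href = saved.icon;
      saved = null;
    }
  }
  return {
    install() { doc.addEventListener('visibilitychange', onVisibilityChange); },
    uninstall() { doc.removeEventListener('visibilitychange', onVisibilityChange); },
  };
}

// Constructed stand-in for the parts of `document` the swapper touches, so the
// behaviour can be exercised outside a browser.
class FakeDocument {
  constructor(title, iconHref) {
    this.title = title;
    this.hidden = false;
    this._icon = { href: iconHref };
    this._listeners = new Map();
  }
  querySelector(selector) { return selector.includes('icon') ? this._icon : null; }
  addEventListener(type, fn) { this._listeners.set(type, fn); }
  removeEventListener(type, fn) { if (this._listeners.get(type) === fn) this._listeners.delete(type); }
  // Simulates the browser switching tabs and firing visibilitychange.
  setHidden(hidden) {
    this.hidden = hidden;
    const fn = this._listeners.get('visibilitychange');
    if (fn) fn();
  }
}

// Walks one hide/show cycle and reports what the tab strip would have shown.
function demo(rng = () => 0) {
  const doc = new FakeDocument('Real page title', 'https://example.com/favicon.ico');
  const swapper = makeTitleSwapper(doc, DECOY_TITLES, rng);
  swapper.install();
  doc.setHidden(true);
  const whileHidden = { title: doc.title, icon: doc._icon.href };
  doc.setHidden(false);
  const afterReturn = { title: doc.title, icon: doc._icon.href };
  swapper.uninstall();
  doc.setHidden(true); // no handler any more (JS disabled, in effect): title must not change
  const afterUninstall = doc.title;
  return { whileHidden, afterReturn, afterUninstall };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The `uninstall()` step at the end stands in for what the comment thread suggests as the remedy: once the handler is gone, tab switches leave the title alone.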
I giggled but it’s dangerous as a prank (say if you were on that site during a break, then shared a screenshot of a design from your browser)
author of the site appears to be an anti-JS fringe person, and that's their method of "protest."
If you switch away and then come back to the tab, they have a popover explaining all of this.
I just went and disabled JS for their silly site.
This is absolutely hilarious, and I am totally using this trick when I get to making my own porn video hosting platform (which I won't).
Well, I know Bitwarden is pretty demanding and also not so straightforward to do self-hosting.
But we have Vaultwarden which is ridiculously easy to deploy and also very lightweight while being immensely popular; has never had any major security incidents so far - and it has thousands of eyes on it for every single commit.
I've been hosting this for three years now and I have never had a single problem with it. It always worked with my Bitwarden clients on all of my devices. So if you would like to, try Vaultwarden.
You could have just posted "I didn't read the article" instead of this comment. It specifically addresses vaultwarden quite a number of times.
Not the original commenter. Just thought I would comment here. I'd be super interested in reading more information on why Bitwarden Lite is inadequate vs vaultwarden.
I don't self host Bitwarden so 90% of this doesn't really apply.
I did however want to comment on the tab changing its favicon and title every time you change to another tab. Quite a cool "advertising" method for what javascript can do.
Yea that threw me too. Very clever.
I switched to self-hosted Vaultwarden a couple of years ago because of all the bad choices of Mozilla (I was using Firefox Sync and wanted something else badly). Sadly, Bitwarden's browser clients are antiquated: they don't auto-generate and save passwords as I sign up, I kind of have to create them manually ahead of time, and if anything botches in the signup (e.g. a server-side password validation rule), I now have a password that won't work and have to find the entry in the database and update it to something else... geez, if it would just automatically overwrite the password every time I submit with a new one.
Vaultwarden's great, but the inferior browser clients just don't make up for it.
I'm back on Firefox Sync until I find something that's technically sufficient.
I use pass[0], and it works well for me. It's secured by PGP and passwords are shared between devices using git.
[0] https://www.passwordstore.org/
It's the first time I see someone else with the same setup.
Each time I read about the monstrosity of an external company owning all my passwords, taking into account all the leaks and supply chain attacks these days... I feel good "self hosting" what could be the most sensitive information that I have.
I've been rather fond of KeePass for the last however many years or decades now. It's all a blur.
Complaining about rent-seeking for $20/year? OK mate.
I don't see this claim being made anywhere? They say it's usually the time the rent seeking begins, not that it's begun.
I agree that there are some goofy UX things. I don’t care about self-hosting. And the author goes to great care to write about every issue; then admits all software has issues and Bitwarden has fixed their issues as they come up.
Overall their actionable advice that different types of credentials might need different software is good.
The rest seems like ax grinding.
Vaultwarden is a very lean implementation of Bitwarden but if you want to look into an alternative to the Bitwarden ecosystem, I recommend - AliasVault https://github.com/aliasvault/aliasvault - check it out!
Probably my biggest tech hill-I'll-die-on is:
Password management involving a 3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse -- even taking into account "the lazy user" or whatever.
I know we're past that in a lot of places for a lot of people, but nope, my dad and his printed-out sheet of passwords next to his desk is still beating every company out there.
>3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse
There seems to be a misunderstanding of how typical cloud password vaults work. The 3rd parties like Bitwarden, 1Password, Apple iCloud Keychain, etc don't have access to the users' passwords. The scheme is based on Zero-Knowledge End-2-End-Encryption. The 3rd-party cloud is just a mechanism to store an encrypted blob and sync them to various devices. The client devices (users' desktop, users' smartphone) are the only ones that can decrypt the passwords. There are still only 2 parties with knowledge of the actual passwords.
In contrast, the type of 3rd parties that do have knowledge/access to unencrypted plain text passwords would be Amazon storing users' wi-fi passwords, and Plaid storing users' bank account credentials & passwords. Gmail and MS Outlook.com would also be a 3rd party having a copy of users' passwords when they act as web clients to fetch email from other IMAP servers.
>, my dad and his printed out sheet of password next to his desk is still beating every company out there.
That doesn't work for users when they're not sitting at their desk and need passwords. Printing out a hardcopy sheet of passwords and carrying it in a wallet or purse is a massive security risk.
But it's not that though. They're hosting an encrypted version that they don't have the keys for. They are doing the backend sync for you, and writing the clients that YOU run, that sync your passwords everywhere.
To suggest they have a copy of your passwords is to misunderstand what they're doing. It's the same as saying you host your KeePass on Dropbox so now Dropbox have a copy of your passwords/secrets.
The value they are providing is seamless sync between a huge range of platforms/devices and making it as frictionless as possible to enter your password when you need to (biometrics to unlock the vault, browser addons to seamlessly enter the passwords etc)
Your Dad has a single point of failure for all his accounts. That's not a win.
> my dad and his printed out sheet of password next to his desk is still beating every company out there.
Until your house gets flooded or burns down or you hire a really curious janitor.
Are you aware that the goal of these password managers is that they do not ever have your decrypted vault?
KeePass is a great middle-ground, which I've been using for the last decade (at least). Storing the vault is on you, it just makes it easy to keep stuff organised.
I did this for years too until mobile devices became popular. I have ~4 mobile phones for various things (yes this isn't normal) and ~4 different computers/laptops I use. Trying to keep a KeePass in sync between them is a nightmare. A proper password manager (Bitwarden or other) removes all that hassle. I have fingerprint unlock on the mobiles that support fingerprint, face unlock on the devices that support that etc. I have browser addons to make password entry quick and easy while remaining secure.
Once I moved to a password manager I realised how clunky and poor dragging a KeePass vault around was.
Fair enough. I don't use it on mobile (I try to do the fewest things possible on mobile so I manage without a password manager).
This! I’m using Strongbox on macOS and iOS and it’s just sooo good. It integrates with Apple’s AutoFill API and feels native - just like Apple’s Passwords app. But all the entries are in a KeePass database which I can sync via SyncThing, iCloud, Dropbox, whatever. And if the application should fail, I can use any other KeePass-compatible app or KeePass itself to get to my secrets.
Ahahahah, I am enjoying the little turn-off-your-Javascript warning that comes back when you click on a link in a new tab from the page to something linked in the article.
My tab's title: "Ask HN: How could I safely contact drug cartels?"
For those who were immediately curious; https://news.ycombinator.com/item?id=36731320
Spoiler: That whole thread is probably an excellent troll ("I might make this a startup"), except a ton of mid(dle brow) people had to ruin it.
I just saw a tab with a Google search for "Zuckerberg nudes" lololol
Full of skill issues