1

Hi guys, what do you think about Bitwarden as a cloud password manager? Do you use it?

Comments
  • 2
    I do. It works fine and from what I understand is zero knowledge.
  • 3
    If you like gambling, cloud-services are perfect for storing sensitive or important information. But if you don't, better not take the risk giving your data to such a juicy target - even though they probably have dedicated secops.

    But even if the juiciness of a central password repository is ignored and you assume that they are better secured and more reliable than your own devices: They aren't replacing your daily-use devices in the threat model as the data still needs to be accessible from those devices. So you add more attack surface by using them.
  • 0
    @Oktokolo self host it?
  • 0
    @ScribeOfGoD Sure, that would be better. The best practicable solution is to store passwords locally on the devices where you actually need them.
  • 0
    I use the self-hosted version of Bitwarden and I love it. I started hosting it for just myself, but now a lot of my friends and family are using my install as well.
  • 4
    one question:

    is the software open source, and are all servers under your control?

    if yes: okay, go for it.

    if no: consider all your passwords leaked the instant you start using it.

    (that's the gist for _any and all_ tools that store your data in "The Cloud")
  • 0
    Works exceptionally well. The kicker is self-hosted Bitwarden doesn't differ from the cloud one in the slightest. Bitwarden apps, including the iOS one, as well as browser extensions allow specifying your own Bitwarden host, and they will connect to it seamlessly. Usually, self-hosted UX is somewhat degraded to disincentivize using it. Not the case with Bitwarden.

    About cloud Bitwarden, Oktokolo is not entirely correct. It's not a gamble. By analysing Bitwarden traffic, you can conclusively prove two things:

    1. Your password never gets transferred to Bitwarden's servers.

    2. All traffic is encrypted.

    If so, it doesn't matter if it's cloud or not. They can't decrypt it. But for the peace of mind, you can self-host Bitwarden, and you won't notice the difference.
  • 1
    I back up important data to encrypted 7zip archives with really long passwords and then upload them to Google Drive. Absolutely secure.
  • 0
    @BixelPitch Bitwarden is free
  • 2
    @kiki You definitely can't prove absence of specific information by analyzing encrypted traffic.

    But Bitwarden seems to be true FOSS and implements the zero-trust/knowledge principle. A very rare beast in the cloud sector. I didn't know that. And my initial post actually is wrong for Bitwarden.