#bitwarden

danie10@squeet.me

The origins of Bitwarden and how it is fending off the tech giants

Phone screen showed blurred text, but has two pop up windows one stating Text with a string of random letters like a password, and the other states deletion date 7 days. To the left is an instant chat bubble showing a conversation snippet saying "what's the password for the company Twitter account?" and the reply is "Hang on let me send you a password link", with the response being a Bitwarden link.
Kyle Spearrin had never developed a mobile app or browser extension when he started building Bitwarden as a fun side project in 2015.

Nearly nine years later, Spearrin’s humble attempt at a free, open-source password manager has become one of the most popular ways to keep online accounts secure. Wirecutter, PCWorld, PCMag, and others say it’s the best free password manager, and CNet even calls it the best password manager overall. Bitwarden says it now has 8.5 million users, and it uses that audience to grow its enterprise subscription business. Bitwarden’s business side has tens of thousands of customers and helped fuel nearly 100% revenue growth last year, and the company now has roughly 200 employees.

“We really value that everyone should have access to a full-featured password management tool,” Spearrin says.

Very humble beginnings, and of course we’ve seen why tech giants like Apple, Google, etc embraced passkeys with such enthusiasm, as this would lock users into their ecosystem. Try using your Apple passkeys when migrating to say Android, or vice versa.

“If you are locked in with one vendor, you have a risk of being locked out of your account,” Magdanurov says. “Something can happen. Somebody can hack your account. Or their automated tools that block your account for violations can be triggered for some reason.”

So, whilst it is true many tech giants have been improving their offerings around password management, Bitwarden is managing to stay a step or two ahead of them with newer innovative features (some I did not even know about). And of course, one can self-host Bitwarden too.

A lot can also be learnt from buy-outs like LastPass went through. The ownership does dictate the philosophy, or changes to it.

Although I’m eyeing out Proton Pass’ rapid developments (I’m a paying Proton user) I’m still a paid tier user of Bitwarden as right now they’re doing their things right, and what I really like is that their paid tier is not expensive at all. I just feel that I am supporting what they do.

See fastcompany.com/91117788/how-b…
#Blog, #bitwarden, #opensource, #passwords, #security, #technology

danie10@squeet.me

Bitwarden begins adding passkey support to its password manager

Woman typing on a silver colour laptop
Although Bitwarden now supports storing and logging in using passkeys from its browser extensions, it’s not currently possible to store passkeys in the company’s mobile app. According to Bitwarden’s FAQ, this feature is “planned for a future release.”

Finally, it arrived for me today on Bitwarden. Seems to work seamlessly enough, as the extension pops up automatically when you choose to add a passkey on a website. For sites with multiple logins, it prompts you to select which one to use.

The theory, for me at least, is that I can use these passkeys across all my OS’s and devices (when mobile support is finally added). In the meantime, for mobile, the normal ID and password still work as before.

See https://www.theverge.com/2023/11/2/23943173/bitwarden-passkey-support-released-browser-extension
#Blog, #bitwarden, #passkeys, #technology

danie10@squeet.me

Bitwarden finally brings 2FA logins to free users

Bitwarden's illustration showing how the 2FA process works, starting with a user on the left, using a primary device to login to an application which sends a request back for a token, and the token being entered on the primary device to complete login.
Previously, you had to pay for Bitwarden’s premium plan to add 2FA for your stored logins. Bitwarden is claiming they are the only password manager to now include 2FA logins for free.

As a paying customer, I’ve long been using Bitwarden’s 2FA for logins, and it is pretty seamless. Bitwarden places the 2FA number ready in the device’s clipboard, to just paste in straight after completing the login screen process.

Today, 2FA is absolutely essential for any login security, until passkeys are the norm. It sounds like Bitwarden’s own passkey management for logins, will go live during October, and their own passkey access to Bitwarden, a while after that. It is not clear to me yet whether free tier users now also have 2FA login into Bitwarden itself. I’m using a Yubikey device for my 2FA when logging into Bitwarden, and that may still be for the paid service only.

I also noted when last renewing my Bitwarden subscription that they forced us to up our vault encryption iterations to 600,000. This was also a lesson learnt after the LastPass hack, where it was found the encryption iterations were way too low.

I’m eagerly awaiting to see how Bitwarden implements passkeys in October, as I’m dead set against using passkeys that tie me to any particular device or operating system. I have too many passwords to just lose or have to change.

See https://www.androidpolice.com/bitwarden-2fa-free-passkey/
#Blog, #2fa, #bitwarden, #security, #technology

rainerhgw@diasp.org

#Bitwarden is complaining.
I had never changed anything there and don't even know what KDF iterations are. In any case, mine was set to 200,000; only at 600,000 was Bitwarden (no, actually #Vaultwarden) satisfied again.
Ah, there are explanations here: https://bitwarden.com/help/kdf-algorithms/
So anyone using (Bit|Vault)warden should take a look. https://vault.example.com/#/settings/security/security-keys

utzer@social.yl.ms

You know what would be a neat standard?

Some standard endpoints every webpage implements to login, logout, change password and so on. So #Keepass, #1Password, #Bitwarden and so on could manage these things without opening the webpage manually and clicking around to search for these functions.

Also changing email automatically. An extensible standard would be great.

danie10@squeet.me

Password manager Bitwarden will too soon be able to store passkeys, but here’s why you may want to wait a bit with passkeys

A padlock with 1's and 0's in numbers behind it
I did a post a few weeks back speculating around the same issues but listening now to Steve Gibson talking on the Tech News Weekly episode 284 podcast at https://twit.tv/shows/tech-news-weekly/episodes/284 has reinforced my thinking about passkeys.

Yes, Google, Apple, etc are trying to get their users to adopt THEIR passkey management systems as quickly as possible, as it essentially locks you into their authentication (and eco) system for now. Even these two companies are implementing passkeys slightly differently (single synced key vs per device), and unlike today where you can easily export your passwords from one password manager to another one (migration) it is not at all clear yet how this may happen with passkeys (if at all). I have over 700 passwords and there is little chance of me migrating those one by one to a different authentication system.

Just based on how Apple’s and Google’s approaches to passkeys differ, we can also see some differences in how we’d use them, so I’d like to make a more informed decision before I just jump in. As Steve says, passwords are still going to be here for quite a long time, so there is no rush to jump into using passkeys (as long as you use secure and unique passwords, along with good 2FA). While backup passwords still exist for passkey sites, they are still as secure as that weakest link.

So, yes, Bitwarden too will be rolling out their passkey implementation in 2023 (see https://www.ghacks.net/2023/05/24/password-manager-bitwarden-will-soon-be-able-to-store-passkeys/ without any firm date) and I’ll first have a good look at how they plan to implement it too. I do prefer something like Bitwarden (or similar) where it is a purely cross-platform implementation not tied to a particular vendor (apart from Bitwarden yes, but then you can also host their open-source solution yourself if you really wanted to). Personally, I would not use Apple’s system as I have twice switched away from using an iPhone, and I’m not getting locked into an ecosystem specific solution for that reason.

Bottom line though is there is no rush, and jumping in now with whoever you choose, is going to be your bed fellow for the foreseeable future, unless you only have 5 site passkeys to worry about. Passkeys are certainly an excellent step forward for online authentication, but it is about when and with whom I’m more concerned about.
#Blog, #bitwarden, #passkeys, #security, #technology

rainerhgw@diasp.org

Another nice thing about #Bitwarden: I can designate an emergency contact who automatically gets access to my vault after n days of inactivity on my part.
I remember a nasty story from @Matthias Vos 💉💉💉, in which a company boss took all the business login credentials with him to his COVID grave.

danie10@squeet.me

How to easily export your passwords from LastPass and import into open source Bitwarden

Today the new LastPass pricing goes into effect and I still see a few people asking how to transfer their passwords out. The link below helps with that. Bitwarden is open source and probably the closest alternative to LastPass in terms of functionality, complete with 2FA built-in for use with websites (so no need for Google's authenticator).

Bitwarden has a free tier, but its premium subscription is $10 vs LastPass which is $36 (For individual per annum costs).

See Import Data from LastPass | Bitwarden Help & Support

#technology #opensource #lastpass #bitwarden #passwordmanager


Use this article for help exporting data from LastPass and importing into Bitwarden. You can export your data from LastPass from their Web Vault or from a LastPass Browser Extension: A previous version of this article stated that you needed to use the Browser Extension to export Form Fills (e.g. Addresses and Payment Cards), however testing by...


https://gadgeteer.co.za/how-easily-export-your-passwords-lastpass-and-import-open-source-bitwarden