#passwords

danie10@squeet.me

The origins of Bitwarden and how it is fending off the tech giants

Phone screen showing blurred text, with two pop-up windows: one stating "Text" with a string of random letters like a password, the other stating "deletion date 7 days". To the left is an instant chat bubble showing a conversation snippet: "what's the password for the company Twitter account?", with the reply "Hang on let me send you a password link", followed by a Bitwarden link.
Kyle Spearrin had never developed a mobile app or browser extension when he started building Bitwarden as a fun side project in 2015.

Nearly nine years later, Spearrin’s humble attempt at a free, open-source password manager has become one of the most popular ways to keep online accounts secure. Wirecutter, PCWorld, PCMag, and others say it’s the best free password manager, and CNet even calls it the best password manager overall. Bitwarden says it now has 8.5 million users, and it uses that audience to grow its enterprise subscription business. Bitwarden’s business side has tens of thousands of customers and helped fuel nearly 100% revenue growth last year, and the company now has roughly 200 employees.

“We really value that everyone should have access to a full-featured password management tool,” Spearrin says.

Very humble beginnings, and of course we’ve seen why tech giants like Apple, Google, etc. embraced passkeys with such enthusiasm, as this would lock users into their ecosystem. Try using your Apple passkeys when migrating to, say, Android, or vice versa.

“If you are locked in with one vendor, you have a risk of being locked out of your account,” Magdanurov says. “Something can happen. Somebody can hack your account. Or their automated tools that block your account for violations can be triggered for some reason.”

So, whilst it is true many tech giants have been improving their offerings around password management, Bitwarden is managing to stay a step or two ahead of them with newer innovative features (some I did not even know about). And of course, one can self-host Bitwarden too.

A lot can also be learnt from buy-outs like the one LastPass went through. The ownership dictates the philosophy, or changes to it.

Although I’m eyeing Proton Pass’ rapid developments (I’m a paying Proton user), I’m still a paid-tier user of Bitwarden, as right now they’re doing things right, and what I really like is that their paid tier is not expensive at all. I just feel that I am supporting what they do.

See fastcompany.com/91117788/how-b…
#Blog, #bitwarden, #opensource, #passwords, #security, #technology

danie10@squeet.me

New AI-Driven Cyberattack Can Steal Your Data Just By Listening to You Type: Need to Blur Video and Mute Sound now!

Two hands busy typing on a keyboard with multi-coloured backlighting of the keys
A new study published by a number of British researchers reveals a hypothetical cyberattack in which a hacker could leverage recorded audio of a person typing to steal their personal data. The attack uses a home-made deep-learning-based algorithm that can acoustically analyse keystroke noises and automatically decode what that person is typing. The research showed that typing could be accurately decoded in this fashion 95 percent of the time.

So yes, if you’re recording videos for YouTube, are in a Zoom call, etc. and are busy typing your password in, just blurring the video is no longer sufficient. It’s true, too, that sound penetrates through walls, and does not need any direct line of sight either. I suppose you could start to randomly hit the shift key while typing in passwords, to try to throw off any analysis. Also, using a password manager to auto-fill fields will eliminate this.

See https://gizmodo.com/ai-acoustic-cyberattack-deep-learning-hackers-1850714550
#Blog, #audio, #passwords, #security, #technology

danie10@squeet.me

Open-Source KeePassXC Password Manager Review

All in all, KeePassXC definitely earns mention among the best password managers, though it comes with some sizable asterisks. The biggest one is that as an open-source product, it may be free, but it also lacks the polish of many industry leaders. As such, it’s not for everybody, though anybody that likes old-school cool will love it.

Yes, it’s also not had any independent third-party security audit (but then again you download and use it locally on your machine). I’d certainly still benchmark it against either the free or the paid version of open-source Bitwarden (which you can also self-host for free), which has some rich functionality as well as cloud sync across all devices.

See https://www.howtogeek.com/879987/keepassxc-password-manager-review/
#Blog, #opensource, #passwordmanagers, #passwords, #security, #technology

danie10@squeet.me

Why You Should Use a Password Manager Instead of Browser-Based Ones, and How to Get Started

Password login prompt mentioning two-factor authentication is available
You do need some sort of proper password manager today, mainly because you cannot re-use the same passwords across different websites. Having a unique password, as well as a unique user ID/e-mail for each one, means you cannot remember 500+ combinations across all websites. Yes, for example, Bitwarden will also generate, and remember, a unique e-mail address login for each website (through either a third-party service, or even just with your existing service by making use of plus addresses). A unique e-mail address means even more added security, as any hacker has to guess both a unique e-mail address and a unique password and cannot use your known e-mail address.

A browser-based password manager can do the very basics but usually does not offer the more advanced functionality, such as generating user IDs, 2FA filling, access security, being lockable independently of the browser, and more. Its use is also limited to just that browser. I regularly use more than one brand of browser, and I work across different OSs. I need something that will sync across all browsers on all devices.

Many password managers will provide a free tier with some limitations (some are even completely free) but it is important to tick off what features you will need to use.

Even if you do pay for a good password manager, it is probably worth it, as our website accesses are unlocking more and more valuable resources from banking to online investments, our e-mail, our remote work logins, our identities, etc.

As sites transition to passkeys, all current password managers should be adding this functionality in the coming year.

See https://www.howtogeek.com/141500/why-you-should-use-a-password-manager-and-how-to-get-started/
#Blog, #passwordmanagers, #passwords, #security, #technology

danie10@squeet.me

Microsoft, Apple, Google, and hundreds of tech companies accelerate push to eliminate passwords, supporting standards developed by the FIDO Alliance and the W3C

Google, Microsoft, and Apple are important in this regard because they represent the greatest volume of single sign-on capabilities for sites other than their own. So if you want a change away from passwords, without their support it drags out for years, never reaching any tipping point to be effective. Note, though, that what is being adopted are open alliance standards, not anything proprietary to Google, Apple, or Microsoft.

We do have 2FA (2-Factor Authentication) already, but it often falls back onto insecure e-mail or text messages. We’re also going to have to settle on, or have options between, biometrics vs device-specific authentication. Many don’t want biometrics (or their hash) saved, not because it’s invasive (it does not store your actual fingerprint), but because it cannot be changed (or does using a different finger count, although most of us still have a limit of 10?). Biometrics are the most convenient and usually not lost, but that also counts against them for the same reason. A device such as a YubiKey, fob, phone, etc. can easily be lost or left at home, and you lose access.

But yes, passwords do need to go, along with that useless advice of updating a password every 30 days.

See https://www.theregister.com/2022/05/05/microsoft-apple-google-fido/

#technology #security #passwords #authentication
#Blog, #authentication, #passwords, #security, #technology

anonymiss@despora.de

The Force won’t save you from these breached #passwords #StarWarsDay

source: https://specopssoft.com/blog/the-force-wont-save-you-breached-passwords-starwarsday/

Top 20 Star Wars themed passwords found in breached lists:

yoda
starwars
ewok
hansolo
darthvader
bobafett
darthmaul
grogu
obiwankenobi
lukeskywalker
macewindu
anewhope
plokoon
mandalorian
princessleia
kyloren
kuiil
iamyourfather
quigonjinn
rogueone

#password #security #starWars #fans #fail #problem #login #news
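An added example (mine, not part of the post or of the Specops article it links) of how to check a candidate password against a breached-password list without ever sending the password, or its full hash, anywhere. The corpus below is constructed from the 20 entries in the post with made-up counts; `fetch_range` stands in for a k-anonymity range lookup of the kind the Pwned Passwords service offers, where only the first five hex characters of the SHA-1 hash leave the client and the suffix match happens locally.

```python
import hashlib

# Constructed corpus: the 20 Star Wars passwords from the post, each with a
# made-up breach count. A real service stores SHA-1 hashes and counts, not
# plaintext, but the lookup logic below is the same.
BREACHED_CORPUS = {
    "yoda": 1000, "starwars": 950, "ewok": 900, "hansolo": 850,
    "darthvader": 800, "bobafett": 750, "darthmaul": 700, "grogu": 650,
    "obiwankenobi": 600, "lukeskywalker": 550, "macewindu": 500, "anewhope": 450,
    "plokoon": 400, "mandalorian": 350, "princessleia": 300, "kyloren": 250,
    "kuiil": 200, "iamyourfather": 150, "quigonjinn": 100, "rogueone": 50,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict) -> dict:
    """Bucket hashes by their first 5 hex chars (20 bits). Each bucket holds
    'SUFFIX:COUNT' lines, mirroring what a k-anonymity range endpoint returns."""
    ranges: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return ranges


RANGES = build_ranges(BREACHED_CORPUS)


def fetch_range(prefix: str) -> list:
    """Stand-in for the network call. Only the 5-char prefix is 'sent', so the
    server learns nothing more than 20 bits of the hash."""
    assert len(prefix) == 5
    return RANGES.get(prefix, [])


def query_prefix(password: str) -> str:
    """What actually leaves the client for a given password."""
    return sha1_hex(password)[:5]


def breach_count(password: str) -> int:
    """Times the password appears in the corpus, 0 if absent. The suffix
    comparison is done locally against the returned bucket."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix):
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("yoda", "iamyourfather", "R2-D2-says-no-to-this-one!"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

Swapping `fetch_range` for an HTTP GET of the prefix is the only change needed to query a real range endpoint; the password and its full hash still stay on the client.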

salinger3@diaspora-fr.org

Managing and sharing passwords with #nextcloud

I couldn't find a simple solution for sharing my #motdepasse with other users of my Nextcloud.

I had tried #passman but wasn't satisfied.

Today I tried #passwords and it's really great. A bit tricky to work out how to use the extension in your favourite web browser, but it's well explained in the FAQ: https://git.mdns.eu/nextcloud/passwords/-/wikis/Users/Extension

https://nextcloud.com/blog/password-managers-for-nextcloud/

And what do you use? #zaclys

@zaclys@diaspora-fr.org : thank you for your services.

california@diaspora.permutationsofchaos.com

How did #LastPass master #passwords get compromised?

TL;DR: It appears that LastPass #infrastructure has been compromised, all other explanations being rather unlikely. And, surprisingly, it isn’t given that the attackers actually know these master passwords.

The question is why is the master password stored in the cloud in clear text?

Source: https://palant.info/2021/12/29/how-did-lastpass-master-passwords-get-compromised/

#hack #security #software #danger #warning #news #bug

phil_stracchino@pluspora.com

It's forced password reset time at work again.

And I think this is an opportune time for a reminder that A PASSWORD THAT YOU CANNOT REMEMBER IS USELESS.

The best passwords are ones that you can remember, but that cannot be easily guessed or bruteforced. And that means they need to be meaningful to you in some way, but meaningless and non-obvious to anyone else. It should not be a piece of public-record information, it should not refer to something that everyone knows about you, it should not be a common dictionary word.
But also, it shouldn't be line noise.

Unfortunately what a lot of administrators who have little or no practical experience in the real world, or are simply following rules written by people with a similar lack of real world understanding, often tend to do is something like this:
1. Find the list of available password constraints.
2. Go down the rule list and just check every box. Because why would they be there if you weren't supposed to use them?
3. Set password expiry to the shortest allowed interval.

This isn't a recipe for secure passwords. It's a recipe for forcing people to write down passwords on sticky notes on their desks. Or message it to themselves on their phones. Somewhere, ANYWHERE, that they can copy it from whenever they need it, because they can't remember what this month's there-was-a-cat-fight-on-the-keyboard password is.
And if you can copy your password whenever you need it, it's likely someone else with physical access can as well. It becomes less a question of "How strong a password did you choose" and more one of "How well did you hide your password".

To a large extent, as long as you're not using common dictionary words, password complexity rules are of rather little value. As long as a brute-force password scanner is including "special" (non-alphanumeric) characters in its keyspace anyway, it matters not one whit whether your password contains two of them, fourteen, or none. It matters not in the slightest whether your password contains short repeats or runs of characters. A brute-force password scanner is going to try every possible permutation anyway. Once you're already avoiding simple dictionary attacks and making an attacker scan an extended keyspace, THE ONLY meaningful parameter in the strength of a password is its length. And that means that a reasonably-obfuscated password that you can actually remember and type from memory without errors is just as strong, in the real world, as one that looks as though someone closed their eyes and dumped a bucket of billiard balls over your keyboard. Probably stronger, because you don't have to write it down or otherwise record it.

The real heart of this is that we need to move away from passwords. They are a lousy means of security. We're starting to see wider use of biometric authentication, but biometric security has its own drawbacks too — if your biometric "credentials" are successfully spoofed, how do you change them?

Two-factor authentication is becoming more widely used, but it's not perfect and it's not foolproof, and some forms — one-time-code verification via SMS, for example — can easily be bypassed by means such as SIM-swapping attacks. It is a truism of security that the strongest security schemes combine three factors — something you have, something you know, and something you are.

But if you're relying on ONE factor — something you know — and then making that one thing so cryptic and arcane that the average person cannot practically be expected to remember it without writing it down somewhere, then you don't have security any more. You have security theater.

#security #passwords
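An added worked example (my own, not the poster's) putting numbers on the length-versus-complexity argument above, using nothing but log2 arithmetic: a uniformly random password over an alphabet of N symbols and length L carries L·log2(N) bits, and exhausting the keyspace takes 2^bits guesses. The guess rate used below is an assumed figure for illustration, not a measurement of any particular cracking rig.

```python
import math

# Alphabet sizes for common policies; printable ASCII without space is 95.
ALPHABETS = {"digits": 10, "lowercase": 26, "alnum": 62, "all-printable": 95}

SECONDS_PER_YEAR = 365 * 24 * 3600


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Adding symbol classes grows the log term; adding length grows the multiplier."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list.
    The words' own length is irrelevant; only list size and word count count."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to search the whole keyspace at the given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy (rounded) and exhaustive-search years for several password shapes.
    The 1e10 guesses/s default is an assumption for illustration only."""
    cases = {
        "8 chars, all printable": random_password_bits(95, 8),
        "10 chars, all printable": random_password_bits(95, 10),
        "16 chars, lowercase only": random_password_bits(26, 16),
        "4 Diceware words (7776-word list)": passphrase_bits(7776, 4),
        "6 Diceware words (7776-word list)": passphrase_bits(7776, 6),
        "one dictionary word (100k list), any length": math.log2(100_000),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:45s} {bits:6.1f} bits  {years:12.3g} years")
```

The two lines worth reading side by side are the 10-character all-printable password (about 65.7 bits) and the 16-character lowercase one (about 75.2 bits): the longer, simpler string wins by roughly 10 bits, i.e. a thousand-fold larger keyspace, and the single dictionary word sits at about 16.6 bits no matter how long the word is.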

georgehank@pluspora.com

They're nuts, those folks at Hetzner:

Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ? + # - . , ; : ~ * @ [ ] { } _ ° §

Well, you'll surely work out where only these characters are allowed. That's right, in the PASSWORD.

My crime? KeePassXC's password generator sneaked a "<" into my password. Rascal.

#hetzner #passwords #alleskaputt

danie10@squeet.me

The Postmortem Password Problem - Google, LastPass, Bitwarden, etc allow you to set Emergency Contacts

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

The article below is certainly food for thought, but not at all comprehensive in terms of which services offer this. Emergency contacts are trusted users you nominate, who will either gain access by default if you have not used the account for a period and fail to respond to prompts, or else can request access. A good password manager will quickly give them the access they need to get to photos, documents, social media accounts, etc. It's your choice, but it's worth considering it from your family's perspective too. Or, yes, you could save the master password on a piece of paper in your safe (assuming your family knows what to find where - you've planned all that, haven't you...).
See https://hackaday.com/2021/09/01/the-postmortem-password-problem/

#technology #death #passwords

https://gadgeteer.co.za/postmortem-password-problem-google-lastpass-bitwarden-etc-allow-you-set-emergency-contacts