I've been working with Bitwarden for a number of years now, self-hosting for free. I've had a number of issues and questions along the way and their support staff has responded well faster than their stated response times and always been extremely helpful...even when the issue was self-inflicted. Can't say enough good things about them.
@@jonathandawson3091 BitWarden is good until your passwords are leaked like LastPass. I prefer KeePass and store my passwords offline encrypted. I don't trust any company storing my data on their own server.
I've been hosting Vaultwarden (rewrite of Bitwarden) on my Docker host for the last 12 months or so and it's been a pleasure to use and maintain, always good to explore alternatives, and will give KeePassXC a go alongside to compare 👍
I moved to KeePassXC back in August when the initial news about LastPass dropped. It's a great solution, requires a bit of extra effort to set up and maintain due to the nature of the product using a DB file. I'm thinking that moving forward I'll be spinning up Vaultwarden for my daily use, and use KeePassXC to store my keys with a hardware token (YubiKey). Spare key is not stored with DB file, primary key is on me at all times and the DB file is offline/cold/secure in both a safe and safety deposit box. What are your experiences with deploying Vaultwarden? *Edited for spacing and clarity, content did not meaningfully change.
@@NOX-ID47 I've only had the one instance running and it's been going since my initial deployment, very straightforward using docker compose. I believe there is support for SQL, however my data is stored in an sqlite DB so the configuration was even simpler. One port exposed via haproxy reverse proxy on my pfsense box and all my devices (phones, tablets, laptops and browser extensions) sync effortlessly and handle TOTP etc. I don't offer the service out to anyone else and it's just for my use; I back up my database locally and off-site weekly/monthly using a duplicati container, all encrypted. It has been a great experience and the feature set doesn't leave me wanting for anything.
Vaultwarden is NOT a fork of Bitwarden. There is much confusion on this topic, but Vaultwarden is in fact a complete rewrite in RUST of the Bitwarden server to be a compatible backend for the official upstream clients. Unfortunately being a rewrite, there are still of course some features Vaultwarden is missing, and some that will never be added according to devs.
I've been using Keepass for ages. Probably more than 15 years. I like it. It's simple and I have the option to decide where my encrypted file is being stored. However, for my work, we have more than 400 people who need to be able to share passwords within the organization and we are currently using pleasant password server but I am leaning towards looking more at Bitwarden in the near future. I haven't looked into bitwarden in-depth just yet but something that will be important for us is LDAP integration and things that allow us to provision access for all users easily.
KeePassXC is compatible with KeePass databases. It's rewritten in C++, much better program, so it's pretty much a drop-in replacement. But yes, for the 400 person use case, then bitwarden is the obvious solution.
The clincher with password managers is really is it on-prem, or is it cloud? Most are cloud based, and that's not necessarily a bad thing. And there are even some "new" ones, like Uniqkey where they've taken user friendliness and admin insight (without exposing actual passwords) pretty far. Purely commercial, though, but any company will wind up paying a couple bucks per user and month for anything commercial. User friendly simplicity is imo a real key factor for companies that aren't like Lawrence Systems, i.e. they're not full of mega nerds. Users hate complexity. You could never sell an average company on using Keepass, because it's just not suited to it in its current form. Bitwarden as well is a bit of a stretch but it's closer. Still pretty "techy", though. Nerds forget just how godawful users can be at this stuff.
I use KeePassXC and Keepass2Android (with password + Yubikey) and I sync everything with Syncthing. I really like the Pageant/OpenSSH agent integration for my git and other ssh needs.
KeePassXC user here. Works well in Linux, Windows and Android devices. Database is sync'd with self-hosted Nextcloud. Key file is also used as extra layer of security.
@@shanehart2017 For me "Keepass2Android" does the job quite well on my phone. Comes with its own keyboard to avoid keylogging by third-party keyboards and can be set up to fetch the database via webdav, which makes synchronizing with my Nextcloud really easy, while it also keeps a cached version on your phone, so you're not screwed if you have no connection to your cloud for some reason.
Thanks for the comparison. I'm a long-time user of KeePassXC and Keepass2Android and share the file via a self-hosted nextcloud (and previously owncloud). I only became aware of bitwarden very recently - actually since the LastPass announcement in December and I watched your install vid a day or so ago and figured I should give it a whirl just for kicks. I'm glad for this comparison since you've highlighted a key difference in the approach which _definitely_ makes it more intriguing to run it up. Be golden if I can get bitwarden to run on my RPi4 rather than spin up another VM
I too am using the exact same setup as you are. Very easy to set up and maintain. I do make use of a key file to add another layer of security. YubiKey is my next thing to try with it.
I used KeePass as my password manager for 5-10 years. I ended up switching to Bitwarden because I was using my phone more and more and accessing my passwords from it was feeling more like a chore. I love Bitwarden but haven’t left KeePass completely. I use KeePassXC to store a backup of my Bitwarden vault and another database for a backup of my TOTP codes.
Thanks for your excellent content... I wholeheartedly agree with your comment that if the LastPass breach forced people to think about their security then it was a good thing, no disrespect to those who have lost their details but it has forced the debate. Having watched your content I am now slowly migrating all my passwords over to BitWarden, something I have been putting off for some time now. Keep up the good work...
Switched to bitwarden after LastPass issues. Wow it's so much better. Love the OTP code integration into the extension. Saves so much time not needing to go to my phone.
Bitwarden has better browser integration, while KeepassXC is more flexible and secure. I personally use both. One effectively acts as a backup to the other.
I just spent the last day and a half moving everything from Lastpass to Bitwarden, updating passwords and generally cleaning house. The ability to have all the data synced between my phone and laptop, as well as my wife's phone and laptop, is really nice.
Try this. On say your desktop, make a password change on a web site. Then go to your Apple phone (for example) and try to login to said site with Bitwarden login. In my experience, I have to manually initiate a forced sync both on the device I made the change on AND the phone before it will update the new password in the vault. It’s not automatic and that has become extremely annoying.
@@curtispavlovec As I said, I spent a day updating all my relevant passwords. The various instances of bitwarden seemed to sync them across the devices just fine.
I started with keepass then transitioned to XC because the browser extension got pulled from the chrome web store (it's probably back by now). I eventually migrated to vaultwarden which was previously known as bitwardenrs. The only thing I miss about keepass is its superior favicon importer.
I started with Dashlane, migrated to Lastpass, then migrated once again to Bitwarden... In the background I've been experimenting with Keepass in multiple forms all throughout, with the intention of self hosting eventually, but it still didn't happen so far... so Bitwarden it is. Fact is, as I'm taking care of not only my own password management but also my mom's, the most convenient and easy method always wins, and so far that has been the case of Bitwarden for me. Perhaps this changes when I settle on a distro choice for a home server and manage to configure it all to my liking, but until then, I'm really glad that Bitwarden has been working as well as it does, particularly with all the crap that happened with Lastpass recently. Very glad that I also decided to move things after Lastpass changes in plans. I'm just not entirely sure anymore if I'd go for a more crude raw sync scheme with Keepass vaults, or just self host Bitwarden instead...
Not much to add. Your bottom line assessment is the same as mine. My use case is home use, so I have KeepassXC on a couple macbooks, a windows 10 PC, a Linux PC, and a couple iPhones via Keepassium which is compatible. They all access and share the same kdbx file on a self-hosted NextCloud server. It's great for personal use as you say. I'd probably have to give it a good round of thought process to use it for an enterprise - even a small one. So for an enterprise, BitWarden probably does make more sense. Thanks for the thoughtful comparison. I don't see any area where I'd disagree.
Happy New Year Tom. I use as main KeepassXC for mac and windows. My data is synchronized with nextcloud and I got an extra security layer, a KEYFILE, which I keep only on my local device (iphone and macbook or pc but not in cloud). I personally choose KeepassXC because of ssh-agent and ssh autotype, omg when you start using that you won't go back hehe. I do use Bitwarden for backup passwords. Hopefully this helps people see why KeepassXC is much stronger with features than Bitwarden and no need to host a server for vaultwarden
Yep, one of the reasons why I love using KeepassXC. Keyfile is a must have and make sure it's not sync'd anywhere. It's sort of a PITA getting the key file onto my mobile devices without using some kind of a sync service such as Nextcloud (self hosted) but once it's there it's a layer of security that I love having. There is one feature I wish KeePassXC had: multiple key files on a key ring. Meaning each device has its own key file to the same database, so in case one gets compromised you just invalidate that key file in your database.
I was a die-hard LastPass user when it was $11 a year. Then they tripled the price and I was introduced to bitwarden and I haven't looked back. Bitwarden has been great on my PC as well as my Android. And it's only 10 bucks a year if you want to support them which of course I would recommend.
I've been using KeepassXC for years with the Keepass file saved on my OneDrive. To access from a mobile device I use StrongBox on my iPad/iPhone and this synchronises to the OneDrive copy of the database file. OneDrive has a good strong password with 2FA enabled and the KeePass file also has a strong password. For me hosting a Bitwarden server would be 'ok' but IMHO would be less secure than my current way of doing it.
Same, I use KeepassXC for my desktop and the app on my Android devices. I store the database file to my free google drive space. So it's always cached and backed up for free plus there is a plugin for Firefox if you choose to use it.
Syncing files around is not a good solution compared to a client/server model. I use XC, but my phone is not involved in anything secure. If I did want to do something like that then bitwarden would be the way to go.
I'm just using classic KeePass 2. For a phone there is a KeePassDX, though it has annoying bug, which they still can't fix - if you changed your fingertip, KeePassDX access by fingertip breaks permanently with no way to reset it.
Based on your review I have converted from LastPass to Bitwarden. Working great and I actually like the user experience better. I appreciate your reviews!
keepassXC's TOTP is basically the only way I can MFA, because I don't have a cell phone ... nor do I have a mobile device that I allow anywhere near anything resembling anything else I use.
😂 totally loved your TL;DR version for RUclips: TL;DW => Content was interesting but just for that comment, I had to watch it all the way through 🙂 Keep up the good work! Have been using Bitwarden for years now. Have brought this to my clients as a security enhancement as well, even could convince some of them to implement a YubiKey rollout program to have MFA in the workflow. Explaining why you need 2 YubiKeys (one for your key ring and one for the store) took a while for them to understand but now they are happy.
I use KeePassXC. Once you've set it up on your network it is good to go. It is for sure a hassle to set it up but the rewards for it blow every other password manager out there.
Nice comparison. I also want to have a purely local pw manager. The reason is to store pw for purely local systems and in case I lose internet connectivity. Yes, it has gone down several times in 2022, for a few hours and another time for 3 days.
well the video did address that both solutions will use the last cached version of the passwords in the event of loss of access. Or at least BW does, so even without power you can still see the last password on record. But if you want it yeah both have local implementations
@@LAWRENCESYSTEMS Yeah but if you didn’t force sync just before it died you won’t have the latest vault data. This is a problem I noticed right away with Bitwarden. The sync is clumsy and slow and often I have to manually initiate a forced sync on multiple devices to get current vault data. It’s absurd to me. The sync should be automatic and constant when a vault update is made on any platform or device out to the others.
@@LAWRENCESYSTEMS Maybe it’s specific to Apple devices? I updated passwords this weekend for several sites and when I changed the passwords on my Chromebook and then went to log in using Bitwarden on my iPhone it always had the old (now wrong!) password until I manually initiated a sync on both my Chromebook and my iPhone. Had to do that each time I made any password change.
Switched from Lastpass when they started charging for more than one device a few years ago. Since then been using BitWarden/Vaultwarden self hosted without any issues.
Storing 2FA OTP codes in a password manager is handy for accounts you don't really care about, but the website locks users out randomly sometimes because they think the user has been hacked when they haven't. They might be less likely to do that if the user has 2FA enabled.
Not a problem to put keepassxc database in Google Drive for example, raw or inside a Cryptomator vault for another layer of security. Together with hardware key, key file and strong password.
I've been using KeepassXC for about 2 years now. I think it is safer since the database is under your control and also since, in addition to a strong password, you can and should generate a database access key, making the risk of data exposure even more difficult. I keep the key encrypted in my Cryptomator container, also stored in the cloud. After all this I keep the database synchronized between 3 cloud drives and I can use it safely. Good luck trying to hack my database!!
I do agree that having TOTP in your password manager decreases your security. But what I have been doing lately is using Bitwarden and having the TOTP keys to my not-so-sensitive accounts in keepassxc. More convenient than using my phone while still allowing me quick access
Wooooah! I never thought about using a password manager to validate that the URL is not being spoofed. To borrow nomenclature from the airline industry, you're adding one more swiss cheese layer of protection before a potential critical failure
It can be topped. For the highest security you want the database, password keyfile and database password all to reside on different systems. If you store the database on a private Nextcloud server or NAS and leave the keyfile on the decrypting client system only, then KeePass will fetch the database in RAM and clear it after it has been closed. That way an attacker would not have access to both in one go. For the password, obviously, the separate system is your brain.
People rag on LastPass because LastPass discovered that their system was compromised. But the problem with self-hosted solutions is that you'll never know when your system is compromised. It will never be in the news. No one will alert you to the problem. Most people who self-host are nowhere near as smart as the folks at LastPass, and there's a high likelihood that the self-hoster's attack surface is a lot bigger than they realize. The end result will likely be the same or worse than what we saw with LastPass.
I'd like to think that people who are smart enough to know how to self-host are smart enough to keep that database file offline. Can't really hack it if it's offline on an encrypted drive.
@@WinterIsComing-x7f Sure, _some_ people are smart enough. But I'd be willing to bet that the majority are not. And some of those people are going to open ports on their firewall to some ancient WordPress installation that allows an attacker access to everything.
@@AlexDresko I think "common sense" is what is needed when dealing with security. You can be a genius in setting up a Linux server but don't bother securing it is not going to be a good day.
You make a fair point. But, what happened at LP aptly illustrates that smartness isn't the end-all/be-all. The reason people are leaving LP isn't that they were breached, so much as the company has demonstrated an ongoing culture of irresponsibility and sloppiness in keeping their customers' data safe. For example, some customers' 'Password Iterations Count' was left at 5000, 500, or even ONE, while others had been automatically updated to 100,100. Some vault data was left unencrypted. These are things we have just found out since the last breach, and this with smart people on their staff.
@Jo Blow Keep in mind that the Bitwarden two-step login only protects the login and not the encrypted vault. The LastPass attackers bypassed the logins entirely by accessing the vaults directly. I'm not saying the same will happen to Bitwarden. Just be aware that the master passphrase needs to be strong to prevent attackers who do have the vault.
@@ericesev I don't have this issue with KeePassXC as I use both key file and password to decrypt the database. Plus the database (encrypted vault) is stored locally.
HNY Tom - I'm an individual that has multiple locations/machines that I need to have PW available on. I'm also aging out so I don't have the sophistication (or desire really) to host anything myself in the cloud. LP provided all that by hosting the blob on their end that can get DL'd to a new location as I need to. From your description Bitwarden sounds like a closer fit to that model than KeePass. Would you speak to that mixed use case for those of us who enjoy trying to keep up with tech but are losing that battle and have to rely on other systems for the hard stuff.
Tom you should talk about why salting your passwords within a password manager is important. In the event a service is breached, they only have a portion of the password.
I use bitwarden in my personal life and business. Will never look back. I do keep an off and on site encrypted and locked drive backup. Bitwarden helps considering all my passwords are different, very random and I have like a couple hundred at this time.
I hear what you're saying about storing passwords and totps separately, but since we're presumably trending towards passkeys, aren't we going to have to get used to having one passkey vault (i.e. one credential) vs. a vault and totp generator/vault anyway, or do you think in the future you'll host multiple passkey vaults with different master passwords, with a portion of passkeys in each, to reduce the damage of a single vault compromise?
I know I'm late to reply, but multiple password managers may someday let us store passkeys in them, and use a master password (or another passkey) to lock the vault. 1Password already lets you store passkeys in it. Bitwarden is also adding support for passkeys in the near future. I heard about these things from RUclips videos, and from blog posts made by 1Password and Bitwarden.
I'm still a LastPass user but trying to find the right next manager for me. I have been with them for over 4 years and my current plan expires on April 15, 2023 so I have until then to fully move to another manager
Could you recommend an offline / secure entropy calculator for a master password? Bitwarden recommends 14 random characters. My master password is long, but must be memorable, which is why I mix random characters and passphrases so that it exceeds 20 characters. Still, I'd like to calculate the entropy, and that would require me to enter the password somewhere to have it calculated.
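The question above asks for an offline way to estimate master-password entropy, and an earlier comment mentions LastPass iteration counts of 5000 versus 100,100. The following is an added example, not code from the video, its author or any of the commenters: it estimates entropy for a random character string, a diceware-style passphrase, and the commenter's mixed style (words plus random characters), then times PBKDF2-HMAC-SHA256 at both iteration counts so the two numbers can be put together into a rough "years to exhaust" figure. Assumptions: the 7776-word list size is the classic diceware/EFF long list, the character-class pool sizes are Python's `string` constants, and the sample passwords and salts are constructed here. The entropy estimate is an upper bound that only holds when every character or word was truly picked at random; it says nothing about a password a human composed from memorable pieces.

```python
import hashlib
import math
import string
import time

# Character classes for the "random characters" estimate; the pool is the
# union of the classes the password actually touches.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)

# Size of the classic diceware / EFF long wordlist (6**5). Assumed here.
DICEWARE_WORDLIST_SIZE = 7776


def random_chars_entropy_bits(password: str) -> float:
    """Entropy of `password` if every character were chosen uniformly from the
    character classes it uses. Upper bound; only valid for generated strings."""
    pool = sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(num_words: int, wordlist_size: int = DICEWARE_WORDLIST_SIZE) -> float:
    """Entropy of `num_words` words drawn uniformly (dice or CSPRNG) from a wordlist.
    The letters in the words are irrelevant; only the number of choices counts."""
    return num_words * math.log2(wordlist_size)


def mixed_entropy_bits(num_words: int, random_part: str) -> float:
    """Passphrase words plus an appended randomly generated character string.
    The two contributions add only because both parts are independently random."""
    return passphrase_entropy_bits(num_words) + random_chars_entropy_bits(random_part)


def pbkdf2_guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure PBKDF2-HMAC-SHA256 derivations per second on this machine at a
    given iteration count (constructed inputs; only the ratio between counts matters)."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"constructed-guess", b"constructed-salt", iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password of the given entropy at the given rate
    (the expected time to hit the right one is half of this)."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # 14 random printable characters, the length suggested in the comment above.
    print("14 random printable chars:", round(random_chars_entropy_bits("Xk7$pQ2m!vL9#r"), 1), "bits")
    # Four diceware words plus six random characters, the mixed style the comment describes.
    print("4 words + 6 random chars: ", round(mixed_entropy_bits(4, "q7R!2p"), 1), "bits")
    # The two iteration counts mentioned in the thread, 5000 and 100,100.
    for iters in (5000, 100100):
        rate = pbkdf2_guesses_per_second(iters)
        print(f"{iters:>7} iterations: {rate:,.0f} guesses/s on this CPU, "
              f"~{years_to_exhaust(passphrase_entropy_bits(4), rate):.1e} years for 4 words")
```

The timing loop measures a single CPU core in Python, so a real attacker with GPUs will be several orders of magnitude faster; the useful takeaway is the ratio between the two iteration counts, which is roughly 20x, not the absolute number of years.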
KeePassXC is a great, much simpler, system. If you don't need mobile / significant multi-user capabilities, then I think XC is the better option. Otherwise Bitwarden is the way to go.
Would be nice to have an Aegis-like authenticator to integrate into bitwarden & have secure QR code scanning on both mobile & desktop, both onscreen on same device & camera to scan from another device. Wonder if yubikey or hardware keys have integration in any way?
Self-hosted bitwarden for me. Keepass (and all its variants) is very good for a single device (i.e. one single PC), but when you want to use it on multiple devices, you start to need to sync, and it is where it goes ballistic... sync failed, conflicts,... Also, I could not find a proper Android client. Bitwarden is way better for that, I use it with 4 PC + 1 phone connected to it, never got an issue. Browser integration is also very good and in Android, just superb.
For a homelab keepassxc is pretty good. I have the database on a NFS share, which my mobile / desktops can all access. If you VPN back home you can still access the database, which I don't do anymore, so I have been thinking of safe ways round this. Linux does also have pass, which can be synchronized with github using gpg encryption key pairs.. never tried that aspect of it, but I have used pass and it works really well with dmenu/rofi/fzf etc... This could work on android with Termux, but never tried it. Key pairs & passphrase should be fairly safe on github I would imagine. There are apparently ways of sharing a repo at the pass init stage, but not sure how flexible it is overall. Edit: I forgot, nextcloud now has their own password management, which I've used a little, but not fully.
I have the keepass database on my Google Drive (account protected by password and 2FA of course) and the key is always locally, never in the cloud. Do you think it's better to have the database on syncthing?
I was a Keepass user for years but, for next to no cost, Bitwarden does so much more. Bitwarden is a modern car where Keepass is an ox cart. Both are sufficiently and similarly secure. You can also easily import from Keepass into Bitwarden and neither holds your data hostage. The sloppy greedy marketing centric folks at Lastpass and similar arguably have the inferior option.
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
I use keepass and keepass2android. My database file is stored on my onedrive. My Office 365 account is protected by 2FA and my Office 365 password is not stored in my keepass file.
I'd make use of a key file in addition to your master password to add another layer of security. Office365 is a large infrastructure that's constantly being hammered by hackers. If somehow that encrypted database gets stolen at least with the key file and master password they will have a hard time cracking it.
I use keepass and bitwarden. The only reason I use bitwarden is I kind of consider it an off site backup, so if I lose my database file for keepass I still have access to bitwarden.
What about Dashlane, I like the features you mention here for an organisation type, thinking on moving to Bitwarden but not sure if I can migrate from my Dashlane, any words on Dashlane?
Bitwarden is great but sorting and organizing passwords is both bad and clunky to do. Still using to have everything synced, but it's not good. Especially compared to commercial solutions like Secret Server (ex thycotic)
Automatically handling TOTP is not necessarily a bad thing; it makes it way more likely users will not mind TOTP nearly as much. The primary function of two-factor is to make sure that even if an attacker gets the password (by phishing some of the truly clueless, which sadly happens) they still can't get in. They're way less likely to get the TOTP credentials, it's basically not a thing. Password management needs to be smooth and easy, and arguably there's still work to do there for Bitwarden, too. Anything much beyond a ping on the phone and a question "is this you?" is probably too much work.
Yep, it's a good feature to have. I wouldn't use it, but for regular people that don't want hassle, but would still want to do something, it's much better than not using TOTP at all.
I would be interested to hear the opinions on master password. How are you all managing this? Write it down in a safe? But it’s inconvenient to get out each time. If it’s easy to recall then it’s not secure. Something in between?
Question about 2FA. If they have a copy of the data does it provide any benefit? Meaning does 2fa provide security for accessing it over the web or do the hackers still need it when they have the encrypted file. (My password was acceptable. It have yubikey 2nd factor)
No, if an attacker has a copy of the encrypted vault, 2FA does not apply. 2FA protects your login to the cloud servers. You need the 2FA to login and download the encrypted vault. The encrypted vaults from LastPass/Bitwarden/1Password do not require 2FA to open the vault. So if someone were to steal the encrypted vault without logging in, the 2FA would not provide any protection. This is what happened with LastPass.
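The reply above, together with the earlier comments about keeping the key file on a different system from the database, comes down to one point: the second factor gates the server login, while the file itself is protected only by what goes into its key derivation. The following is an added example, not the video's or any commenter's code and not the real KeePass or Bitwarden file format: it models a vault header the way KeePass combines a master password with an optional key file (hash each part, hash the concatenation, then a slow KDF), and shows that the offline unlock path never consults a second factor. Assumptions: the composite-key construction is a simplification used here for illustration, the `server_allows_download` gate stands in for the cloud login, the key file bytes and salts are constructed, and the PBKDF2 iteration count reuses the 100,100 figure quoted in the thread.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for the at-rest KDF; 100,100 is the iteration count cited in the thread.
KDF_ITERATIONS = 100_100


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the master password and an optional key file into one secret.
    Modelled on the KeePass idea (an assumption, not its exact format): hash
    each component, then hash the concatenation. Leaving the key file out
    yields an unrelated key, so a password alone cannot open the file."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def vault_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Slow KDF over the composite key, so every offline guess costs the
    attacker KDF_ITERATIONS rounds of HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), salt, KDF_ITERATIONS)


def create_vault(password: str, keyfile: Optional[bytes]) -> dict:
    """Return the at-rest header a thief of the file would see: the salt and a
    keyed verifier, but never the password, the key file or any 2FA secret."""
    salt = secrets.token_bytes(16)
    key = vault_key(password, keyfile, salt)
    return {"salt": salt, "verifier": hmac.new(key, b"vault-verifier", "sha256").digest()}


def unlock_vault(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """Offline unlock. Note what is absent: no TOTP code, no hardware token.
    The file decides on its own, so only the password and key file protect it."""
    key = vault_key(password, keyfile, vault["salt"])
    candidate = hmac.new(key, b"vault-verifier", "sha256").digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def server_allows_download(login_password_ok: bool, second_factor_ok: bool) -> bool:
    """The one place the second factor applies: the service deciding whether to
    hand over the encrypted blob. If the blob leaves the server some other way,
    this check is never consulted again."""
    return login_password_ok and second_factor_ok


if __name__ == "__main__":
    keyfile = secrets.token_bytes(64)  # constructed stand-in for a key file
    vault = create_vault("correct horse battery staple", keyfile)
    print("password + key file:", unlock_vault(vault, "correct horse battery staple", keyfile))
    print("password only:      ", unlock_vault(vault, "correct horse battery staple", None))
    print("2FA gates download: ", server_allows_download(True, False))
```

Read the two functions side by side: `server_allows_download` is where a YubiKey or TOTP code buys you something, and `unlock_vault` is where it buys you nothing. That is why the earlier advice to keep the key file off the same sync service as the database matters: it is the only second component that actually enters the offline key derivation.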
Vault encryption does not mean a thing if the company fully controls the client, this is an issue both for password managers and end-to-end encrypted communication services, as long as bitwarden (as an example) control the software you use, each update is a window to add and/or remove a "feature" that would route your data via the same secure channel to them but encrypted with their key, to read bypassing the vault, and for web clients both the time of update and the specific update target (i.e. user) is fully controlled by the service provider, so one should assume that they have full control of your data....
@@ericesev with KeePass there are two key differences: 1) you control when and if to update and have access to the code to review and/or build yourself (or someone you trust) 2) there are lots of independent and different clients to choose from (KeePassXC vs. KeePass is a prime example) ...point #2 is a double-edged sword -- on one hand each new implementation is a new risk, but on the other, each team is motivated to uphold the reputation and knows that with the source in the open (contrary to bitwarden's paid service) it is trivial to verify the binaries as well as to check the source itself. (do not know about bitwarden in this regard, self-hosting could have the same advantages)
@@ericesev and for completeness, when using an app, you can completely block its access to the network thus making this vector exfiltration far less likely... ...that is unless you use a browser plugin which makes an app no better than a website you do not control. If security is a requirement I usually recommend using an app (KeePass/KeePassXC or the like) without any browser integration and sync via something like syncthing (preferably) -- there are enough eyes on these projects to make a fuss if something odd would start happening and you (reasonably) control the whole chain from GUI to vault and from machine to machine....
@@AlexNaanou It just comes down to trust for me. How can I trust the binaries from KeePass/syncthing match the source? Per Ken Thompson's Reflections on Trusting Trust; How can I trust the compiler used to compile KeePass wasn't malware? My comment wasn't meant as a criticism against KeePass. I was only stating that one needs to trust KeePass too. I think we just draw the line differently on where we are willing to place our trust.
@@ericesev I'd agree with you on the trust issue, but there are limits to it... If you are paranoid you could compile everything yourself, you could compare the binaries to the official ones (though this is a can of worms I'll not get into) but if that is really needed is threat-scale (or paranoia-scale ;) ) dependent.... the end result is that your data is under your control with some potential vectors of outside attack that can be mitigated based on again threat-scale and need or simply left to trust, that is not a big compromise IMHO. But if you compare that to a service that you do not control, then the threat surface is orders of magnitude larger, in addition to all the app issues you've touched on, the service-provider employs lots more people (usually), outside contractors, outsources some work, any link in this chain can be or get careless, they can be or get malicious, the web infrastructure can get compromised, your browser (or extension) can get compromised, ...etc. and contrary to the app, you have no way to audit, test, sandbox any of that, you are transferring quite sensitive data to a domain completely outside of your control based fully on trust.
Using self-hosted Bitwarden and I'm very very happy with it. It's also NOT open to the outside world. Unless I log in via a VPN/Wireguard to my home network, then I can use it.
What do you think about Microsoft Authenticator? It stores also passwords and TOTP. But I have no idea how safe it is. I don't think that much like Bitwarden or KeePass. But it is very easy to use for employees. For critical passwords we use some shared KeePass databases. Would be cool to have some easy way to share credentials or critical information to groups of employees. But I don't think this works well with encrypted databases.
While KeepassXC lacks the ability to sync one database to another in real time you can use any sync'ing tool like OneDrive or Nextcloud to sync everyone's database to the master. This is fine for small number of people but for large groups I'd use something like BitWarden Enterprise.
I would like to give Bitwarden a shot, but I don't have any certificates and don't plan on getting them, since I don't want to open my home network... Any ideas on how to still self host bitwarden?
I don't know how the bitwarden implementation of letsencrypt is, but..... it is possible to get certificates from letsencrypt without opening your firewall - you'd need to use DNS validation instead [letsencrypt will ask you to add a TXT value to DNS to prove you own the domain, rather than needing to have port 80 open to validate]
Started off with KeePassXC, then moved to BitWarden as we grew and had a team. BitWarden is a great product but I found it lacking in the actual sortability of what you put in it, for example making a folder called clients was a bit of a pain! Anyway we use KeeperMSP now and couldn't be happier, we resell it to clients - it's security audited. Not Open Source or Self-Hosted BUT I can live with that. My users and indeed my clients have Keeper locked down with strong Master Password and FIDO2 login.
I personally use bitwarden. No way I could keep track of all the passwords all over the place. I've also started using gmail's ability to augment your email address so then I have different usernames at sites to go along with unique passwords.
@@LAWRENCESYSTEMS Am I mistaken with KeePass then? I use XC on Android with my WebDAV server, and on Windows normal KeePass with the WebDAV URL. Have a nice 2023!
@@edwardvanhazendonk Tom is correct. The old version of KeePass2 did have that feature. I've moved to KeePassXC and use Nextcloud to sync the database.
Domain matching auto fill is annoying because, at least with LastPass for now, it likes to store the full URL! Which means a whole lot of gibberish after the website, and if it doesn't match on that when I come back to that website and it forwards me to a different landing page for login, it won't auto fill, which then breaks the automation, forcing me to manually fill. Of course, then there are also the sites that prevent you from auto filling: Hulu!
How to Setup Self Hosted Bitwarden
ruclips.net/video/SSLGa0LjTrA/видео.html
KeePassXC - Cross-Platform Password Manager
keepassxc.org/
In the meantime, KeePassXC cannot do simple things like bulk editing.
@@jonathandawson3091 What do you mean by bulk editing? Also, what other simple things are problematic about KeePassXC?
@@martinlutherkingjr.5582 Bulk editing, e.g. add/remove tags, change icon, set notes, etc. for a number of passwords at once.
@@roberth_pereira You can self-host Bitwarden if you don't want to trust them with your passwords.
@@jsnwal Thanks for sharing.
Vaultwarden is NOT a fork of Bitwarden. There is much confusion on this topic, but Vaultwarden is in fact a complete rewrite in Rust of the Bitwarden server to be a compatible backend for the official upstream clients.
Unfortunately, being a rewrite, there are of course still some features Vaultwarden is missing, and some that will never be added according to the devs.
@@KentSapp you are correct it is a rewrite, amended my OP
I've been using Keepass for ages. Probably more than 15 years. I like it. It's simple and I have the option to decide where my encrypted file is being stored. However, for my work, we have more than 400 people who need to be able to share passwords within the organization and we are currently using pleasant password server but I am leaning towards looking more at Bitwarden in the near future. I haven't looked into bitwarden in-depth just yet but something that will be important for us is LDAP integration and things that allow us to provision access for all users easily.
KeePassXC is compatible with KeePass databases. It's rewritten in C++ and a much better program, so it's pretty much a drop-in replacement. But yes, for the 400-person use case, Bitwarden is the obvious solution.
@@entelin i am actually using KeePassXC. It's good. :)
The clincher with password managers is really is it on-prem, or is it cloud? Most are cloud based, and that's not necessarily a bad thing. And there are even some "new" ones, like Uniqkey where they've taken user friendliness and admin insight (without exposing actual passwords) pretty far. Purely commercial, though, but any company will wind up paying a couple bucks per user and month for anything commercial. User friendly simplicity is imo a real key factor for companies that aren't like Lawrence Systems, ie they're not full of mega nerds. Users hate complexity. You could never sell an average company on using Keepass, because it's just not suited to it in its current form. Bitwarden as well is a bit of a stretch but it's closer. Still pretty "techy", though. Nerds forget just how godawful users can be at this stuff.
I use KeePassXC and Keepass2Android (with password + YubiKey) and I sync everything with Syncthing. I really like the Pageant/OpenSSH agent integration for my git and other SSH needs.
KeePassXC user here. Works well on Linux, Windows and Android devices. The database is synced with self-hosted Nextcloud. A key file is also used as an extra layer of security.
What Android app are you using? Are there only 3rd-party apps available?
@@shanehart2017 For me "Keepass2Android" does the job quite well on my phone. It comes with its own keyboard to avoid keylogging by third-party keyboards and can be set up to fetch the database via WebDAV, which makes synchronizing with my Nextcloud really easy, while it also keeps a cached version on your phone, so you're not screwed if you have no connection to your cloud for some reason.
I use both! Bitwarden for website access and KeePassXC for local network systems.
Happy New Year 🎉. This is EXACTLY the topic I was researching today. It's among my tier 1 resolutions to upgrade to tight security & privacy.
Thanks for the comparison. I'm a long-time user of KeePassXC and Keepass2Android and share the file via a self-hosted Nextcloud (and previously ownCloud). I only became aware of Bitwarden very recently, actually since the LastPass announcement in December, and I watched your install vid a day or so ago and figured I should give it a whirl just for kicks.
I'm glad for this comparison since you've highlighted a key difference in the approach which _definitely_ makes it more intriguing to run it up. Be golden if I can get bitwarden to run on my RPi4 rather than spin up another VM
I too am using the exact same setup as you are. Very easy to set up and maintain. I do make use of a key file to add another layer of security. YubiKey is my next thing to try with it.
I used KeePass as my password manager for 5-10 years. I ended up switching to Bitwarden because I was using my phone more and more and accessing my passwords from it was feeling more like a chore. I love Bitwarden but haven’t left KeePass completely. I use KeePassXC to store a backup of my Bitwarden vault and another database for a backup of my TOTP codes.
Thanks for your excellent content... I wholeheartedly agree with your comment that if the LastPass breach forced people to think about their security then it was a good thing, no disrespect to those who have lost their details but it has forced the debate. Having watched your content I am now slowly migrating all my passwords over to BitWarden, something I have been putting off for some time now. Keep up the good work...
Switched to Bitwarden after the LastPass issues. Wow, it's so much better. Love the OTP code integration in the extension. Saves so much time not needing to go to my phone.
Bitwarden really is much better than LastPass. I have used both.
Saves time, but undermines the entire point of 2FA.
Bitwarden has better browser integration, while KeePassXC is more flexible and secure. I personally use both. One effectively acts as a backup to the other.
I just spent the last day and a half moving everything from Lastpass to Bitwarden, updating passwords and generally cleaning house.
The ability to have all the data synced between my phone and laptop, as well as my wife's phone and laptop, is really nice.
Try this. On say your desktop, make a password change on a web site. Then go to your Apple phone (for example) and try to login to said site with Bitwarden login. In my experience, I have to manually initiate a forced sync both on the device I made the change on AND the phone before it will update the new password in the vault. It’s not automatic and that has become extremely annoying.
@@curtispavlovec As I said, I spent a day updating all my relevant passwords. The various instances of bitwarden seemed to sync them across the devices just fine.
I started with KeePass, then transitioned to XC because the browser extension got pulled from the Chrome Web Store (it's probably back by now). I eventually migrated to Vaultwarden, which was previously known as bitwarden_rs.
The only thing I miss about keepass is its superior favicon importer.
I started with Dashlane, migrated to Lastpass, then migrated once again to Bitwarden...
In the background I've been experimenting with KeePass in multiple forms all throughout, with the intention of self-hosting eventually, but it still hasn't happened so far... so Bitwarden it is.
Fact is, as I'm taking care of not only my own password management but also my mom's, the most convenient and easy method always wins, and so far that has been the case of Bitwarden for me.
Perhaps this changes when I settle on a distro choice for a home server and manage to configure it all to my liking, but until then, I'm really glad that Bitwarden has been working as well as it does, particularly with all the crap that happened with Lastpass recently. Very glad that I also decided to move things after Lastpass changes in plans.
I'm just not entirely sure anymore if I'd go for a more crude raw sync scheme with Keepass vaults, or just self host Bitwarden instead...
I agree about stored TOTP... For the places where I feel the worst about using them, I add the ''Master password re-prompt'' to the entries.
Not much to add. Your bottom-line assessment is the same as mine. My use case is home use, so I have KeePassXC on a couple of MacBooks, a Windows 10 PC, a Linux PC, and a couple of iPhones via KeePassium, which is compatible. They all access and share the same kdbx file on a self-hosted Nextcloud server. It's great for personal use, as you say. I'd probably have to give it a good round of thought to use it for an enterprise, even a small one. So for an enterprise, BitWarden probably does make more sense. Thanks for the thoughtful comparison. I don't see any area where I'd disagree.
Happy New Year Tom. I use KeePassXC as my main password manager for Mac and Windows. My data is synchronized with Nextcloud and I have an extra security layer, a KEYFILE, which I keep only on my local devices (iPhone and MacBook or PC, but not in the cloud). I personally chose KeePassXC because of the ssh-agent integration and SSH autotype; OMG, when you start using that you won't go back, hehe. I do use Bitwarden for backup passwords. Hopefully this helps people see why KeePassXC is much stronger on features than Bitwarden, with no need to host a server for Vaultwarden.
Yep, one of the reasons why I love using KeePassXC. A key file is a must have, and make sure it's not synced anywhere. It's sort of a PITA getting the key file onto my mobile devices without using some kind of sync service such as Nextcloud (self-hosted), but once it's there it's a layer of security that I love having. One feature I wish KeePassXC had is multiple key files on a key ring, meaning each device has its own key file to the same database; in case one gets compromised, you just invalidate that key file in your database.
KeePassXC + Syncthing is where it's at. 'Nuff said.
Been using bitwarden for years. Really happy with it.
I was a die-hard LastPass user when it was $11 a year. Then they tripled the price and I was introduced to Bitwarden, and I haven't looked back. Bitwarden has been great on my PC as well as my Android. And it's only 10 bucks a year if you want to support them, which of course I would recommend.
I've been using KeePassXC for years with the KeePass file saved on my OneDrive. To access it from a mobile device I use Strongbox on my iPad/iPhone, and this synchronises with the OneDrive copy of the database file. OneDrive has a good strong password with 2FA enabled, and the KeePass file also has a strong password.
For me hosting a Bitwarden server would be 'ok' but IMHO would be less secure than my current way of doing it.
Same, I use KeePassXC for my desktop and the app on my Android devices. I store the database file in my free Google Drive space, so it's always cached and backed up for free, plus there is a plugin for Firefox if you choose to use it.
Syncing files around is not a good solution compared to a client/server model. I use XC, but my phone is not involved in anything secure. If I did want to do something like that then bitwarden would be the way to go.
I'm just using classic KeePass 2.
For a phone there is KeePassDX, though it has an annoying bug which they still can't fix: if you changed your fingerprint, KeePassDX access by fingerprint breaks permanently with no way to reset it.
KeePassXC can convert the database from KeePass 2 without an issue.
I'm self-hosting Bitwarden in a Docker container on my unRAID server, and it's been working very well for my needs.
Based on your review I have converted from LastPass to Bitwarden. Working great and I actually like the user experience better. I appreciate your reviews!
Great to hear!
KeePassXC's TOTP is basically the only way I can MFA, because I don't have a cell phone... nor do I have a mobile device that I allow anywhere near anything resembling anything else I use.
😂 totally loved your TL;DR version for RUclips: TL;DW => Content was interesting but just for that comment, I had to watch it all the way through 🙂
Keep up the good work!
Have been using Bitwarden for years now. Have brought this to my clients as a security enhancement as well, and could even convince some of them to implement a YubiKey rollout program to have MFA in the workflow. Explaining why you need 2 YubiKeys (one for your key ring and one for the store) took a while for them to understand, but now they are happy.
I use KeePassXC. Once you've set it up on your network it is good to go. It is for sure a hassle to set it up, but the rewards blow every other password manager out there away.
Nice comparison. I also want to have a purely local pw manager. The reason is to store pw for purely local systems and in case I lose internet connectivity. Yes, it has gone down several times in 2022, for a few hours and another time for 3 days.
Well, the video did address that both solutions will use the last cached version of the passwords in the event of loss of access. Or at least BW does, so even without power you can still see the last password on record. But if you want it, yeah, both have local implementations.
Bitwarden apps cache the passwords when offline.
@@LAWRENCESYSTEMS Yeah but if you didn’t force sync just before it died you won’t have the latest vault data. This is a problem I noticed right away with Bitwarden. The sync is clumsy and slow and often I have to manually initiate a forced sync on multiple devices to get current vault data. It’s absurd to me. The sync should be automatic and constant when a vault update is made on any platform or device out to the others.
@@curtispavlovec I have not had any issues with the sync and how fast it happens.
@@LAWRENCESYSTEMS Maybe it’s specific to Apple devices? I updated passwords this weekend for several sites and when I changed the passwords on my Chromebook and then went to log in using Bitwarden on my iPhone it always had the old (now wrong!) password until I manually initiated a sync on both my Chromebook and my iPhone. Had to do that each time I made any password change.
Happy New Year 🥳 Thanks for your continued coverage of this issue.
Switched from LastPass when they started charging for more than one device a few years ago. Since then I've been using Bitwarden/Vaultwarden self-hosted without any issues.
Storing 2FA OTP codes in a password manager is handy for accounts you don't really care about, but where the website locks users out randomly sometimes because they think the user has been hacked when they haven't. They might be less likely to do that if the user has 2FA enabled.
I prefer KeePassXC, especially since they added support for faceID on Windows. Easy to set up and looks nicer.
@@sirmongoose If you keep logging in to 10-15 sites every day, I doubt you can stand it.
Not a problem to put the KeePassXC database in Google Drive, for example, raw or inside a Cryptomator vault for another layer of security. Together with a hardware key, key file and strong password.
I am using a self-hosted keepass and have been for several years. Of course I use MFA whenever possible.
Bitwarden and Aegis are my password manager and 2FA tools of choice.
I use KeePassXC (Windows/Mac) and KeePass Touch (iPhone and iPad) with the local sync function of KeePass Touch.
For TOTP I use Authy.
I've been using KeePassXC for about 2 years now. I think it is safer since the database is under your control and also since, in addition to a strong password, you can and should generate a database access key, making the risk of data exposure even more remote. I keep the key encrypted in my Cryptomator container, also stored in the cloud. After all this I keep the database synchronized between 3 cloud drives and I can use it safely. Good luck trying to hack my database!!
I do agree that having TOTP in your password manager decreases your security. But what I have been doing lately is using Bitwarden and keeping the TOTP keys for my not-so-sensitive accounts in KeePassXC. More convenient than using my phone while still allowing me quick access.
KeePass 4 Lyfe!
Although, BitWarden does make more sense for businesses, shared access, etc.
Wooooah! I never thought about using a password manager to validate that the URL is not being spoofed.
To borrow nomenclature from the airline industry, you're adding one more swiss cheese layer of protection before a potential critical failure
Keepass + Syncthing cannot be topped. Remember, convenience is the enemy of security.
It can be topped. For the highest security you want the database, password keyfile and database password all to reside on different systems. If you store the database on a private Nextcloud server or NAS and leave the keyfile on the decrypting client system only, then KeePass will fetch the database in RAM and clear it after it has been closed. That way an attacker would not have access to both in one go. For the password, obviously, the separate system is your brain.
Bitwarden makes it easy to share passwords within a family. Great tool.
People rag on LastPass because LastPass discovered that their system was compromised. But the problem with self-hosted solutions is that you'll never know when your system is compromised. It will never be in the news. No one will alert you to the problem. Most people who self-host are nowhere near as smart as the folks at LastPass, and there's a high likelihood that the self-hoster's attack surface is a lot bigger than they realize. The end result will likely be the same or worse than what we saw with LastPass.
I'd like to think that people who are smart enough to know how to self-host are smart enough to keep that database file offline. Can't really hack it if it's offline on an encrypted drive.
@@WinterIsComing-x7f Sure, _some_ people are smart enough. But I'd be willing to bet that the majority are not. And some of those people are going to open ports on their firewall to some ancient WordPress installation that allows an attacker access to everything.
@@AlexDresko I think "common sense" is what is needed when dealing with security. You can be a genius at setting up a Linux server, but not bothering to secure it is not going to be a good day.
You make a fair point. But what happened at LP aptly illustrates that smartness isn't the end-all/be-all. The reason people are leaving LP isn't that they were breached, so much as that the company has demonstrated an ongoing culture of irresponsibility and sloppiness in keeping their customers' data safe. For example, some customers' 'Password Iterations Count' was left at 5000, 500, or even ONE, while others had been automatically updated to 100,100. Some vault data was left unencrypted. These are things we have just found out since the last breach, and this with smart people on their staff.
Why enable 2FA if you store the TOTP secret in the same place as the password? Is there any security benefit to 2FA at that point?
Yes, if a site lost control of the passwords but not their TOTP it would help.
@Jo Blow Keep in mind that the Bitwarden two-step login only protects the login and not the encrypted vault. The LastPass attackers bypassed the logins entirely by accessing the vaults directly. I'm not saying the same will happen to Bitwarden. Just be aware that the master passphrase needs to be strong to prevent attackers who do have the vault.
I tie my TOTP in with Bitwarden and implement Duo but may switch to FIDO
@@ericesev I don't have this issue with KeePassXC as I use both key file and password to decrypt the database. Plus the database (encrypted vault) is stored locally.
HNY Tom - I'm an individual that has multiple locations/machines that I need to have PW available on. I'm also aging out so I don't have the sophistication (or desire really) to host anything myself in the cloud. LP provided all that by hosting the blob on their end that can get DL'd to a new location as I need to. From your description Bitwarden sounds like a closer fit to that model than KeePass. Would you speak to that mixed use case for those of us who enjoy trying to keep up with tech but are losing that battle and have to rely on other systems for the hard stuff.
Just use Bitwarden and their back end.
Tom, you should talk about why salting your passwords within a password manager is important. In the event a service is breached, they only have a portion of the password.
Happy New Year Tom !! bitwarden IMO is my choice.
I use Bitwarden in my personal life and business. Will never look back. I do keep an off-site and on-site encrypted and locked drive backup. Bitwarden helps, considering all my passwords are different, very random, and I have like a couple hundred at this time.
I hear what you're saying about storing passwords and totps separately, but since we're presumably trending towards passkeys, aren't we going to have to get used to having one passkey vault (i.e. one credential) vs. a vault and totp generator/vault anyway, or do you think in the future you'll host multiple passkey vaults with different master passwords, with a portion of passkeys in each, to reduce the damage of a single vault compromise?
I know I'm late to reply, but multiple password managers may someday let us store passkeys in them, and use a master password (or another passkey) to lock the vault. 1Password already lets you store passkeys in it. Bitwarden is also adding support for passkeys in the near future. I heard about these things from RUclips videos, and from blog posts made by 1Password and Bitwarden.
I'm still a LastPass user but trying to find the right next manager for me. I have been with them for over 4 years and my current plan expires on April 15, 2023, so I have until then to fully move to another manager.
Thank you for making this video!
Could you recommend an offline / secure entropy calculator for a master password? Bitwarden recommends 14 random characters. My master password is long, but must be memorable, which is why I mix random characters and passphrases so that it exceeds 20 characters. Still, I'd like to calculate the entropy, and that would require me to enter the password somewhere to have it calculated.
In Linux you can use cracklib-check locally.
KeePassXC is a great, much simpler, system. If you don't need mobile / significant multi-user capabilities, then I think XC is the better option. Otherwise Bitwarden is the way to go.
There is a keepass version for android and I believe one for the iphone.
Would be nice to have an Aegis-like authenticator integrated into Bitwarden & have secure QR code scanning on both mobile & desktop, both on-screen on the same device & via camera to scan from another device.
Wonder if yubikey or hardware keys have integration in any way?
Self-hosted Bitwarden for me. KeePass (and all its variants) is very good for a single device (i.e. one single PC), but when you want to use it on multiple devices, you start to need to sync, and that is where it goes ballistic... sync failed, conflicts,... Also, I could not find a proper Android client. Bitwarden is way better for that; I use it with 4 PCs + 1 phone connected to it and never got an issue. Browser integration is also very good, and on Android it's just superb.
Should I worry about typing my master pass into keepassxc in Windows, considering M$ keylogs everything anyway?
KeepassXC > Cryptomator > Syncthing
For a homelab KeePassXC is pretty good. I have the database on an NFS share, which my mobile / desktops can all access. If you VPN back home you can still access the database, which I don't do anymore, so I have been thinking of safe ways round this. Linux also has pass, which can be synchronized with GitHub using GPG encryption key pairs.. never tried that aspect of it, but I have used pass and it works really well with dmenu/rofi/fzf etc... This could work on Android with Termux, but I've never tried it. Key pairs & passphrase should be fairly safe on GitHub, I would imagine. There are apparently ways of sharing a repo at the pass init stage, but I'm not sure how flexible it is overall.
Edit:
I forgot, Nextcloud now has its own password management, which I've used a little, but not fully.
I choose BitWarden
When used on android/ios does it (bitwarden, etc) support apps too, or just webpages?
I have the KeePass database on my Google Drive (account protected by password and 2FA, of course) and the key is always local, never in the cloud. Do you think it's better to have the database on Syncthing?
I was a Keepass user for years but, for next to no cost, Bitwarden does so much more. Bitwarden is a modern car where Keepass is an ox cart. Both are sufficiently and similarly secure. You can also easily import from Keepass into Bitwarden and neither holds your data hostage. The sloppy greedy marketing centric folks at Lastpass and similar arguably have the inferior option.
Hello Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
I use KeePass and Keepass2Android. My database file is stored on my OneDrive. My Office 365 account is protected by 2FA and my Office 365 password is not stored in my KeePass file.
I'd make use of a key file in addition to your master password to add another layer of security. Office365 is a large infrastructure that's constantly being hammered by hackers. If somehow that encrypted database gets stolen at least with the key file and master password they will have a hard time cracking it.
I use KeePass and Bitwarden. The only reason I use Bitwarden is that I kind of consider it an off-site backup, so if I lose my database file for KeePass I still have access to Bitwarden.
KeePassXC with the DB in the Keybase filesystem!
Maybe I missed it but how does mobile app support compare? If it exists at all? I think most need mobile access just as much as desktop browser.
My 2FA is on my phone so my password manager is not.
What about Dashlane, I like the features you mention here for an organisation type, thinking on moving to Bitwarden but not sure if I can migrate from my Dashlane, any words on Dashlane?
Dunno, never used Dashlane.
I set up and used Bitwarden once. Never really been able to get KeePass' browser integration working with my Firefox flatpak.
Hi Tom. How do you deal with TOTP access for techs that are onsite at the customer site if they are not stored in bitwarden?
Bitwarden is great but sorting and organizing passwords is both bad and clunky to do. Still using to have everything synced, but it's not good. Especially compared to commercial solutions like Secret Server (ex thycotic)
Automatically handling TOTP is not necessarily a bad thing; it makes it way more likely users will not mind TOTP nearly as much. The primary function of two-factor is to make sure that even if an attacker gets the password (by phishing some of the truly clueless, which sadly happens) they still can't get in. They're way less likely to get the TOTP credentials; it's basically not a thing. Password management needs to be smooth and easy, and arguably there's still work to do there for Bitwarden, too. Anything much beyond a ping on the phone and a question "is this you?" is probably too much work.
Yep, it's a good feature to have. I wouldn't use it, but for regular people that don't want hassle, but would still want to do something, it's much better than not using TOTP at all.
I would be interested to hear the opinions on master password. How are you all managing this? Write it down in a safe? But it’s inconvenient to get out each time. If it’s easy to recall then it’s not secure. Something in between?
Use diceware
@@JoergWessels I don’t trust it nor any “lists” circulating online of supposed words or phrases. There has to be something better.
Question about 2FA. If they have a copy of the data, does it provide any benefit? Meaning, does 2FA provide security for accessing it over the web, or do the hackers still need it when they have the encrypted file? (My password was acceptable. It had a YubiKey 2nd factor.)
No, if an attacker has a copy of the encrypted vault, 2FA does not apply.
2FA protects your login to the cloud servers. You need the 2FA to login and download the encrypted vault. The encrypted vaults from LastPass/Bitwarden/1Password do not require 2FA to open the vault. So if someone were to steal the encrypted vault without logging in, the 2FA would not provide any protection. This is what happened with LastPass.
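The distinction drawn in this thread (two-step login guards the download from the server, while a stolen vault is protected only by the key derived from the master password, whose cost per guess is set by the KDF iteration count raised earlier in the comments), as an added Python model that is not Bitwarden's or KeePass's code. It uses constructed data, a real RFC 6238 TOTP routine, and a toy HMAC-based sealing in place of the AES the real products use; `SyncServer`, `open_stolen_copy` and `seconds_per_guess` are names made up for this illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

def derive_master_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretching of the master password. The iteration count
    is what an offline attacker pays per candidate password (the LastPass point)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as an authenticator app produces it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _subkeys(master_key: bytes):
    # Separate encryption and MAC keys, both derived from the master key.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (HMAC-SHA256 in counter mode plus a tag) standing in
    for AES/ChaCha. Nothing in the blob involves 2FA: the key alone protects it."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_vault(master_key: bytes, blob: bytes):
    """Plaintext on success, None when the key is wrong (tag mismatch)."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

class SyncServer:
    """The hosted side: it keeps a login verifier, the TOTP seed and the sealed
    vault, never the master key. Two-step login is enforced only here."""
    def __init__(self, email: str, master_password: str, totp_seed: bytes,
                 iterations: int, entries: bytes):
        self.salt = email.lower().encode()   # salted with the account e-mail, Bitwarden-style
        self.iterations = iterations
        self.totp_seed = totp_seed
        master_key = derive_master_key(master_password, self.salt, iterations)
        self.auth_verifier = self._verifier(master_key, master_password)
        self.sealed_vault = seal_vault(master_key, entries)

    @staticmethod
    def _verifier(master_key: bytes, master_password: str) -> bytes:
        # One extra one-way step so the stored verifier cannot serve as the vault key.
        return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)

    def login(self, master_password: str, totp_code: str, now: int):
        """Online path: the sealed vault is released only with the right password AND TOTP."""
        key = derive_master_key(master_password, self.salt, self.iterations)
        password_ok = hmac.compare_digest(self._verifier(key, master_password), self.auth_verifier)
        totp_ok = hmac.compare_digest(totp_code.encode(), totp(self.totp_seed, now).encode())
        return self.sealed_vault if password_ok and totp_ok else None

def open_stolen_copy(sealed_vault: bytes, salt: bytes, iterations: int, master_password: str):
    """Offline path (the LastPass scenario): whoever already holds the blob never
    calls login(), so TOTP is irrelevant; only the master password and KDF cost remain."""
    return open_vault(derive_master_key(master_password, salt, iterations), sealed_vault)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Cost of one KDF evaluation, i.e. of one offline candidate password."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        derive_master_key("candidate-password", b"constructed@example.com", iterations)
        timings.append(time.perf_counter() - start)
    return min(timings)

if __name__ == "__main__":
    # Constructed account; the TOTP seed is the RFC 6238 test-vector key.
    pw, now = "correct horse battery staple", 1_700_000_000
    server = SyncServer("user@example.com", pw, b"12345678901234567890", 100_100,
                        b"example.com / hunter2")
    print("login with wrong TOTP :", server.login(pw, "000000", now))
    blob = server.login(pw, totp(server.totp_seed, now), now)
    print("offline open, no TOTP :", open_stolen_copy(blob, server.salt, 100_100, pw))
    for it in (1, 5_000, 100_100):   # the iteration counts named in the thread
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1e3:8.3f} ms per guess")
```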
Vault encryption does not mean a thing if the company fully controls the client. This is an issue both for password managers and end-to-end encrypted communication services: as long as Bitwarden (as an example) controls the software you use, each update is a window to add and/or remove a "feature" that would route your data via the same secure channel to them, but encrypted with their key, to read while bypassing the vault. For web clients, both the time of the update and the specific update target (i.e. user) are fully controlled by the service provider, so one should assume that they have full control of your data....
I agree. Same with KeePass*. They control the code and can make it leak passwords to the internet at each update interval.
@@ericesev with KeePass there are two key differences:
1) you control when and if to update and have access to the code to review and/or build yourself (or someone you trust)
2) there are lots of independent and different clients to choose from (KeePassXC vs. KeePass is a prime example)
...point #2 is a double-edged sword -- on one hand each new implementation is a new risk, but on the other, each team is motivated to uphold the reputation and knows that with the source in the open (contrary to bitwarden's paid service) it is trivial to verify the binaries as well as to check the source itself.
(do not know about Bitwarden in this regard, self-hosting could have the same advantages)
@@ericesev and for completeness, when using an app, you can completely block its access to the network, thus making this exfiltration vector far less likely...
...that is unless you use a browser plugin which makes an app no better than a website you do not control.
If security is a requirement I usually recommend using an app (KeePass/KeePassXC or the like) without any browser integration and sync via something like syncthing (preferably) -- there are enough eyes on these projects to make a fuss if something odd would start happening and you (reasonably) control the whole chain from GUI to vault and from machine to machine....
@@AlexNaanou It just comes down to trust for me. How can I trust the binaries from KeePass/syncthing match the source? Per Ken Thompson's Reflections on Trusting Trust: how can I trust the compiler used to compile KeePass wasn't malware?
My comment wasn't meant as a criticism against KeePass. I was only stating that one needs to trust KeePass too. I think we just draw the line differently on where we are willing to place our trust.
@@ericesev I'd agree with you on the trust issue, but there are limits to it...
If you are paranoid you could compile everything yourself, you could compare the binaries to the official ones (though this is a can of worms I'll not get into) but if that is really needed is threat-scale (or paranoia-scale ;) ) dependent.... the end result is that your data is under your control with some potential vectors of outside attack that can be mitigated based on again threat-scale and need or simply left to trust, that is not a big compromise IMHO.
But if you compare that to a service that you do not control, then the threat surface is orders of magnitude larger, in addition to all the app issues you've touched on, the service-provider employs lots more people (usually), outside contractors, outsources some work, any link in this chain can be or get careless, they can be or get malicious, the web infrastructure can get compromised, your browser (or extension) can get compromised, ...etc. and contrary to the app, you have no way to audit, test, sandbox any of that, you are transferring quite sensitive data to a domain completely outside of your control based fully on trust.
Is KeePassXC as convenient to use on mobile as BitWarden?
Nope
Using self-hosted Bitwarden and I'm very, very happy with it. It's also NOT open to the outside world. Unless I log in via a VPN/WireGuard to my home network, then I can use it.
What's TOTP?
What are your thoughts on Passbolt?
Never used it. I've only seen paid reviews of it, and I didn't see anything compelling that would make me want to use it over Bitwarden.
What do you think about Microsoft Authenticator? It also stores passwords and TOTP.
But I have no idea how safe it is. I don't think it is as safe as Bitwarden or KeePass. But it is very easy to use for employees.
For critical passwords we use some shared KeePass databases. Would be cool to have some easy way to share credentials or critical information to groups of employees. But I don't think this works well with encrypted databases.
While KeePassXC lacks the ability to sync one database to another in real time, you can use any syncing tool like OneDrive or Nextcloud to sync everyone's database to the master. This is fine for a small number of people, but for large groups I'd use something like Bitwarden Enterprise.
Bitwarden is great but the UI experience could use some polishing.
cool, could you do passbolt next?
Not likely as I don't use passbolt or know of any compelling reason I should use it.
I would like to give Bitwarden a shot, but I don't have any certificates and don't plan on getting them, since I don't want to open my home network... Any ideas on how to still self host bitwarden?
Cloudflare Tunnel
I don't know how the Bitwarden implementation of Let's Encrypt is, but..... it is possible to get certificates from Let's Encrypt without opening your firewall - you'd need to use DNS validation instead [Let's Encrypt will ask you to add a TXT value to DNS to prove you own the domain, rather than needing to have port 80 open to validate]
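As an added example (written for this thread, not from any commenter or from Let's Encrypt's tooling), this is what the DNS validation mentioned above actually asks you to publish, per the ACME DNS-01 challenge in RFC 8555: a TXT record at `_acme-challenge.<domain>` whose value is derived from the challenge token and your account key, which is why nothing inbound needs to reach your network. The token and thumbprint below are constructed placeholders; a real ACME client derives them for you.

```python
import base64
import hashlib
import re

# Constructed placeholders: a real client receives the token from the CA and
# computes the thumbprint (RFC 7638) of its own ACME account key.
CONSTRUCTED_TOKEN = "t0kenFromTheCA_constructed_placeholder_0123"
CONSTRUCTED_THUMBPRINT = "acc0untKeyThumbprint_constructed_placeholder"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value to publish: base64url(SHA-256(token + "." + thumbprint)).

    Only the holder of the account key can produce this for the CA's token,
    so a correct record proves control of both the DNS zone and the account.
    """
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Record name the CA queries; a wildcard identifier uses the base name."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def challenge_satisfied(published_txt: list[str], expected: str) -> bool:
    """What the CA checks: the expected value is among the TXT strings served."""
    return expected in published_txt


if __name__ == "__main__":
    value = dns01_txt_value(CONSTRUCTED_TOKEN, CONSTRUCTED_THUMBPRINT)
    print(dns01_record_name("vault.example.com"), "TXT", value)
```

The CA resolves that name over public DNS and compares the value; port 80/443 on your side never comes into it, and after issuance the record can be removed.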
I use HAProxy with a wildcard certificate ruclips.net/video/jpyUm53we-Y/видео.html
Could also use traefik with a wildcard cert.
Started off with KeePassXC, then moved to Bitwarden as we grew and had a team. Bitwarden is a great product, but I found it lacking in the actual sortability of what you put in it; for example, making a folder called clients was a bit of a pain! Anyway, we use Keeper MSP now and couldn't be happier; we resell it to clients - it's security audited. Not open source or self-hosted, BUT I can live with that. My users and indeed my clients have Keeper locked down with a strong master password and FIDO2 login.
How would you backup Bitwarden?
Export the vault, or if you self host backup the server.
@@LAWRENCESYSTEMS thanks
I want a local key store but bitwarden server setup is a little much. I'd love an app that can cross sync from app to app no cloud.
I personally use bitwarden. No way I could keep track of all the passwords all over the place. I've also started using gmail's ability to augment your email address so then I have different usernames at sites to go along with unique passwords.
Please could you make a video on Bitwarden vs Vaultwarden, especially with the included enterprise features.
Vaultwarden is a fork maintained by a third party. I always prefer to use the first party service.
Why not use KeePass against a WebDAV store somewhere? It's synced between all platforms. (Usable in a single-user setup.)
KeePassXC does not currently have native WebDAV support.
@@LAWRENCESYSTEMS Am I mistaken with KeePass then? I use XC on Android with my WebDAV server, and on Windows normal KeePass with the WebDAV URL. Have a nice 2023!
@@edwardvanhazendonk Tom is correct. The old version of KeePass2 did have that feature. I've moved to KeePassXC and use Nextcloud to sync the database.
Password storage? No?
Domain-matching autofill is annoying because, at least with LastPass for now, it likes to store the full URL! Which means a whole lot of gibberish after the website, and if it doesn't match on that when I come back to that website and it forwards me to a different landing page for login, it won't autofill, which then breaks the automation, forcing me to fill manually. Of course, then there are also the sites that prevent you from autofilling. Hulu!
Firefox for Android only supports Bitwarden's Extension
Just add SQRL auth to everything, making password managers obsolete! It's the best of OTP and password managers!
Steve did a great job with SQRL
nice level1 shirt
Most KeePass apps on Android cache the database, which isn't even needed if you run something like syncthing too.
Standards based federation with a secure IDP using cryptographically sound MFA.
KeePass for me.
We mostly deploy just simple KeePass 2 files on the internal networks of a company. No browser extension, no nothing.