I don’t understand the extreme love for Bitwarden. I understand it’s useful, but I want as few things with a web UI and server instance as possible, especially passwords, the thing that should be most secure.
KeePass, with the vault saved into the user’s OneDrive synced folder, is sufficient. It’s secure, offline, and automatically makes backups. And it migrates to the new system just by logging into OneDrive.
Bitwarden and others worry me because they have a lot of exposed attack surface, comparatively, and require much more maintenance to keep secure imo. I don’t want to expose any of that to a portal or anything.
That said, I don’t hate Bitwarden; the Bitwarden/Vaultwarden software is incredibly solid for what it is.
…should we tell them?
You can access it offline.
I do not mean to imply that OneDrive is offline. It’s the syncing backend.
But if your internet is out, you can still open your vault and look up a router password, for example, because the vault is a file on your local machine.
The actual answer will always be convenience. It’s just too easy to be able to smack my thumb on the fingerprint sensor to log in to just about anything.
I understand your point on security, but for the masses, it needs to be as frictionless as possible.
And getting someone to use BW over nothing is a massive improvement even if it’s not perfect.
This is incredibly true. The ease of use, I will admit, got me to use other password managers in the past before I rethought my approach maybe 7 years ago. And any manager is better than the spreadsheet users will implement if we don’t give them tools.
https://bitwarden.com/help/cli/
If you’re concerned about security audits they do those regularly too
https://bitwarden.com/help/is-bitwarden-audited/
In addition to free as in source, they are respected because they have a high-quality, certified, third-party audited product.
Oh certainly. I just mean that in an extremely broad sense, Bitwarden adds 1 more threat vector by being an online service. As a metaphor, if presented with a safety deposit box in a bank, and a safety deposit box in a train station with CCTV, even if the latter is incredibly well defended it still carries more intrinsic risk by being accessible.
That’s all really. Bitwarden is great software. It being an online platform just has that inherent factor that a non-web solution doesn’t.
Aka, if there is a massive breach in webview or a critical fault in SSL cryptography, this can be exploited. And Bitwarden itself is an attack surface to exploit. But in an offline solution, the attack surface of a vault can only be exploited when you get back online, and somehow actively choose to expose this or have a breach. The reason I use OneDrive for the work sync (privately I use Syncthing) is it would take two massive simultaneous failures to have an exposure this way. The sync service would have to somehow expose the file to a bad actor, and the file itself would have to have an exploitable cryptographic flaw at the same time.
Which is why it’s third-party audited every year. It’s transparent for any issues rather than any other solution out there such as OneDrive that obfuscates completely.
Absolutely. Like I said: it’s great software and they are doing all they can to mitigate the inherent risk it faces because it is one of their biggest attack surfaces. They do great work.
I’m saying I would just rather decouple passwords and online sync into two entirely separate sandboxes. For my purposes, I don’t need to centrally assign or manage my users’ passwords from the top down; the manager is a tool for them to use as they like, and they can store PID in there as well, so I shouldn’t have access in principle. I can reset the accounts I control, but I cannot unlock or recover their vault.
For a web-managed service, through no fault of their own, there is a high likelihood Bitwarden will one day be vulnerable to a browser-engine-based zero-day at one point or another. And I have no doubt they will rapidly patch this. But it’s a matter of time. And bad actors will be constantly attempting to break this quietly.
My only point is, even if OneDrive, GDrive, Syncthing, etc., were vulnerable to a similar zero-day, it’s not enough to compromise an encrypted vault file, because even if an exploit grants access to the file, the KeePass vault management is still entirely separate from all online portions of the interaction, and an entirely different and separate exploit would be needed to exploit the database file if it was obtained, as the vault is not managed in the browser.
So there is a much greater chance for me to be notified of a OneDrive or Syncthing vulnerability, and have time to update the services in my vault contents just in case, well before a brute-force attack could (potentially) open it.
This has its own drawbacks, as if they do exfiltrate the file, they can use infinite brute force attacks to break any vault with low enough entropy, but a vulnerability in Bitwarden could expose similar if a bad actor managed to dump the contents.
There is no perfect solution, period. I just wager it’s less likely for two zero-day exploits to overlap perfectly like that on both my enterprise file sync software and my publicly unlisted, undocumented, and otherwise undetectable KeePass vault file stored in an arbitrary location with an arbitrary name and extension.
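As an added example (not from any poster in this thread): the offline brute-force scenario discussed above depends on the vault's KDF work factor as much as on master-password entropy, and a defender can check that work factor from the plaintext KDBX header without the master key. The script below reads a KeePass KDBX 4 outer header and reports which KDF protects the vault and its parameters; the header layout, field IDs and KDF UUIDs are taken from the published KDBX 4 format description and are assumptions here, and the two sample headers it inspects are constructed inline.

```python
import struct, uuid

# KDBX 4 header constants from the published KeePass file-format description (assumed, not verified here).
SIG1, SIG2, FIELD_END, FIELD_KDF = 0x9AA2D903, 0xB54BFB67, 0, 11
KDF_NAMES = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
             "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
             "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}
VD_NUMERIC = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary integer types

def parse_variant_dict(buf):
    """Decode a KDBX VariantDictionary: u16 version, typed key/value items, 0x00 terminator."""
    if struct.unpack_from("<H", buf, 0)[0] != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype, klen = buf[pos], struct.unpack_from("<i", buf, pos + 1)[0]
        key = buf[pos + 5:pos + 5 + klen].decode()
        vlen = struct.unpack_from("<i", buf, pos + 5 + klen)[0]
        raw, pos = buf[pos + 9 + klen:pos + 9 + klen + vlen], pos + 9 + klen + vlen
        # integers are unpacked, strings decoded, anything else (salt, KDF UUID) kept as bytes
        out[key] = struct.unpack(VD_NUMERIC[vtype], raw)[0] if vtype in VD_NUMERIC else (raw.decode() if vtype == 0x18 else bytes(raw))
    return out

def kdf_settings(kdbx):
    """Walk the KDBX 4 outer header and report which KDF protects the vault and its work factor."""
    sig1, sig2, version = struct.unpack_from("<III", kdbx, 0)
    if (sig1, sig2) != (SIG1, SIG2) or version >> 16 != 4:
        raise ValueError("not a KDBX 4 file")
    pos = 12  # header fields start right after the two signatures and the version
    while True:
        fid, size = struct.unpack_from("<BI", kdbx, pos)  # 1-byte field id, u32 length, then data
        data, pos = kdbx[pos + 5:pos + 5 + size], pos + 5 + size
        if fid == FIELD_END:
            raise ValueError("header ended without KDF parameters")
        if fid == FIELD_KDF:
            p = parse_variant_dict(data)
            name = KDF_NAMES.get(str(uuid.UUID(bytes=p["$UUID"])), "unknown")
            if name == "AES-KDF":
                return {"kdf": name, "rounds": p["R"]}
            return {"kdf": name, "iterations": p["I"], "memory_mib": p["M"] // 2**20, "parallelism": p["P"]}

def build_sample_header(kdf_uuid, params):  # constructed sample: minimal KDBX 4.1 header, KDF field only
    vd = struct.pack("<H", 0x0100)
    for vtype, key, val in [(0x42, "$UUID", uuid.UUID(kdf_uuid).bytes)] + params:
        raw = struct.pack(VD_NUMERIC[vtype], val) if vtype in VD_NUMERIC else val
        vd += bytes([vtype]) + struct.pack("<i", len(key)) + key.encode() + struct.pack("<i", len(raw)) + raw
    return struct.pack("<III", SIG1, SIG2, 0x00040001) + bytes([FIELD_KDF]) + struct.pack("<I", len(vd) + 1) + vd + b"\x00" + bytes([FIELD_END]) + struct.pack("<I", 4) + b"\r\n\r\n"
# Constructed samples: an Argon2id vault (3 passes, 64 MiB, 4 lanes) and a legacy AES-KDF vault (60000 rounds).
SAMPLE_ARGON2 = build_sample_header("9e298b19-56db-4773-b23d-fc3ec6f0a1e6",
                                    [(0x42, "S", b"\x00" * 32), (0x04, "V", 0x13), (0x05, "I", 3), (0x05, "M", 64 * 2**20), (0x04, "P", 4)])
SAMPLE_AESKDF = build_sample_header("c9d9f39a-628a-4460-bf74-0d08c18a4fea", [(0x42, "S", b"\x01" * 32), (0x05, "R", 60000)])
```

Run it against a real vault with `kdf_settings(open("vault.kdbx", "rb").read())`; a low AES-KDF round count or small Argon2 memory is the setting to raise before worrying about sync-service exposure.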