top | item 37641079

Try1275 | 2 years ago

I am a happy user and find it very convenient, but how safe is it really to have all your jewels centralized in the cloud, including 2FA? It seems such a worthwhile target.

On the other hand keeping everything in sync manually seems a hassle and in the end you just encrypt on your machine and the syncing goes through the cloud anyway, so where's the difference? I'd be happy to hear thoughts on this.


UncleMeat|2 years ago

You absolutely must be able to create unique and reasonably strong passwords for each of the services you use. This is the absolute most critical first step in account management.

From here, we can have a discussion about broad behavior and individual behavior. We observe that at scale people reuse passwords if they are not using a password manager. End of story. Getting people to use a password manager at scale is the single largest practical improvement in account security for the general population that we have available to us right now. This is even true with the risk of a vault being stolen and unlocked. I've never seen any data that even remotely challenges this point.

Cloud management of passwords is basically non-negotiable for most people. "Oh fuck, my vault was on my computer and I dropped it on the floor and the disk broke" will be a constant occurrence. Getting everybody to properly back up their vaults is not feasible at scale.

You can separately talk about specific people if you want. If you are capable of creating unique and sufficiently strong passwords for all of your accounts, then go ahead and avoid a password manager. This will mitigate a marginal risk for you.

Tmpod|2 years ago

Yeah, that's a good point. I have pretty much all my passwords on Bitwarden but no 2FA tokens, to avoid "putting all my eggs in one basket". If you centralize both secrets, you don't really have two factors of authentication anymore. I use Aegis on mobile and pass (with the otp extension) on the computer, with completely different passwords from Bitwarden.

If you're worried about using Bitwarden's cloud vault, you can always spin up an instance of vaultwarden (FOSS server impl in Rust) and point your clients to it. I haven't done it myself yet (though I will likely do it) but I've heard it works really well.

devjab|2 years ago

For me it was more a matter of convenience than security. I didn’t mind using “sameish” passwords for 90% of my accounts. Good enough not to be auto-broken on one leak, really bad if someone actually targeted me. But what eventually drove me to Bitwarden was that I needed more and more different 2FA methods which were all somehow linked to my phone. Many of which weren’t actually backed up. My first idea was to just use Authy, but apparently my phone number is linked to an account that isn’t mine, and their support has been unable to do anything about it, so that’s not exactly possible. So I went with Bitwarden.

I’m not too worried about the eggs in one basket. My digital national ID and my email credentials aren’t saved on my Bitwarden, so while I obviously don’t want to lose it, it also wouldn’t be the end of the world for me.

silversmith|2 years ago

I'm using KeePass, and the sync does not seem to be a hassle - my file lives in Dropbox, and it's always been synced before I open the app on another device. Bonus - backing up the database is as easy as copy-pasting a file.

kapep|2 years ago

For anyone who wants to avoid storing the KeePass database in the cloud store, I can recommend Syncthing.

For extra security I use a key file in addition to a password which I manually transfer between devices.

hsbauauvhabzb|2 years ago

If your data is valuable enough, or you personally have the skills for something better, then yes it’s not the greatest solution.

For the average user, it is infinitely better to use a password manager than to use hunter42 on all their accounts.

checkyoursudo|2 years ago

Guess I had better go update all my passwords to hunter43 now.

autophagian|2 years ago

For this I self-host vaultwarden (https://github.com/dani-garcia/vaultwarden), an implementation of the Bitwarden server, on my Raspberry Pi at home (and back up the DB frequently). It works well enough for me, and doesn't have my stuff stored in a single company's cloud.

hollander|2 years ago

So what if the disk crashes? Do you keep backups? In the cloud?

shortcake27|2 years ago

Storing OTPs in your password manager is like 1.5FA. It still provides protection against phishing, brute-forcing, and socially engineered password resets, so it isn’t totally useless. But it doesn’t protect against your vault getting compromised.

I keep super important 2FA codes (email, github etc) elsewhere, and for less important services, I store the OTP in my password manager.

UncleMeat|2 years ago

OTPs don't protect against phishing. You still type the TOTP in a browser window that sends it off to the attacker. Phishing SDKs automatically handle proxying the password over and then proxying the TOTP over.

LinAGKar|2 years ago

Bitwarden encrypts the data locally, so it's not readable on the server. Shouldn't be any less secure than syncing your KeePass DB to the cloud.

ta8645|2 years ago

Unless the client is compromised. The question becomes: do you trust Bitwarden and KeePass equally, to deliver an uncompromised client?

aborsy|2 years ago

The difference is that Bitwarden is a webapp, thus serves you code in real time. The server could serve bad JavaScript to a particular user. You have to trust the server.

Also, there is a chance of data breach. The 2FA and hardware keys are bypassed in this case. It’s all your master password.

vinckr|2 years ago

>The 2FA and hardware keys are bypassed in this case. It’s all your master password.

Not sure I follow. When my master password is breached, attackers would still need to have my hardware key (which I obviously don't keep in the cloud), right?

kpdemetriou|2 years ago

Assuming the cryptography is solid (big if), you primarily have to worry about end-device compromise or a supply chain attack. Is it the latter you're worried about?