Advice Request BitWarden: Pros, Cons, & General Questions


PotentialUser (Level 1, thread author), May 28, 2020
Hello all,

I've been a long-time user of 1Password (1P) -- going on six years. Over time, the changes they've made to the program (forcing 1P accounts on users, unnecessary new features, and increased prices) leave me wanting an alternative. I've stumbled across BitWarden (BW) as a safe, open-source, and well-received alternative. I have a list of questions below regarding BW and how it compares with 1P.

Feel free to pick and choose which questions to answer as there are quite a few. If you can answer all of them, that would be great but not necessary. And if you are currently a BW user (or migrated away from BW!), please post a comment. I'd love to hear some feedback. As always, thank you for any and all answers given!

1. Opinion: Is BitWarden comparable to 1Password in terms of security?
- I have read the BW FAQ page multiple times (yes, the entire thing :)) so no need to direct me there. This is more of an opinion question, i.e. do you personally feel like BW can stand with the likes of 1P? I couldn't care less about 'pretty' UI designs and useless add-on features. For me, a password manager simply needs to provide a way to reliably sync and store usernames, passwords, notes (mostly for 2FA back-up codes), and maybe files/images in an extremely secure format.

2. How does BitWarden authenticate its users? 1Password has multiple layers of security built in (see below). Does BitWarden have all of these layers as well? I know this is easily found out by making an account with BitWarden but I'd rather ask here before signing up for a product I won't use.
- With 1P, you have a username, password, and email address (standard stuff). But then you also have a long alpha-numeric "Secret Key", a separate Master Password, and 2FA. All of these components are required to log into your account on their website. Of course, only the Master Password is needed for daily usage. Which components does BW have?

3. How exactly is BitWarden providing such a comprehensive product for free?
- I get a bit nervous when I see the word "free" attached to most things online. I plan to use the premium version of BitWarden for some of the extra goodies but even their free product has almost all (if not all) of the main functions I use with 1P. I can only assume most of their users are on the free plan -- how can they afford to pay for the infrastructure (servers, bandwidth, licensing for various software, in-house development, etc.) for syncing and storing all of this data? Is there/what is the catch?

4. I read this (URL: How is my data securely transmitted and stored on Bitwarden servers? | Bitwarden Help & Support) on BitWarden's FAQ page regarding how data is securely transmitted. Does this still hold true in all use-cases?
- For example: say I'm a completely novice internet user who doesn't know the first thing about user privacy/security. I'm at a coffee shop with an unsecured (no password) WiFi network. If I connect to that WiFi network and interact with BitWarden on my phone/computer (e.g. log into my account on their website, unlock the browser extension with the Master Password, update some passwords) -- am I still secure, since my data should be encrypted in transit between BW's servers and my devices?

5. For BitWarden users: how well do the BitWarden desktop apps, browser extension, and mobile app (iOS specifically!) sync up with one another?
- With 1P, within a couple seconds of making a change on either of the platforms listed above, the data would be updated on all of the others. Does BW sync up just as quickly?

6. Does BitWarden not work well in "offline mode"?
- I keep reading how BW "doesn't work" in offline mode (i.e. with a device not connected to the internet) but most of those articles/Reddit threads are a few years old. With 1P, this is never a problem. You can change passwords, email, notes -- literally anything -- while in offline mode and the data would "update" and sync up automatically with your other devices after connecting to the internet once again. Is this not how BitWarden also functions?

7. Does BitWarden's browser extension need the desktop app in order to function?
- With 1P, the desktop app (both on Windows/Mac) needed to be downloaded for the browser extension to work reliably. The browser extension would communicate with the desktop app to update your data in the cloud. This may have changed now as 1P did release a new stand-alone extension.

8. If the answer to the above question is "no" -- are there any draw-backs (security or otherwise) to just using the BitWarden browser extension?
- With 1P, I had to download their Windows and Mac apps as they were integral in order to get the browser extension to work. However, I rarely found myself using them, if ever. With BW, I would rather not download the desktop apps unnecessarily.

9. Are there any alternatives to BW that you would recommend as superior and why?

Once again, thank you to everyone who participates in the poll and answers some questions in this thread. I truly appreciate the effort this community goes to to keep everyone well-informed. I have made quite a few threads on this forum and have received some great information. Knowledge is power and you guys give it away without asking for compensation. Truly, thank you :)
 

Tiamati (Level 12), Nov 8, 2016
I used Bitwarden for some time. It's easy, very light and secure. It has already been audited and it has very strong protection. Only 5 critical vulnerabilities were found, of which only 1 needed to be fixed immediately (check it here). Add to that, you can host your own Bitwarden server, so no info would need to be sent to Bitwarden (check it here). Add to that, they have a good Privacy Policy.

For me, Bitwarden has only a few problems, but they stop me from recommending it to most people.
1) Every time you need to fill something, you need to click on the extension. You don't have a convenient icon inside the password box to auto-generate passwords or easily fill your info. Furthermore, Bitwarden always locks itself every time you close your browser. So, basically, you'll need to click on it and unlock it almost every time you need it. It's true you can reduce the problem by using the auto-fill option (which only works if the vault is unlocked) and asking Bitwarden to save your credentials and never auto-lock again (but that would reduce your security).

2) Bitwarden doesn't work correctly in Firefox private mode

3) Generally speaking, I think LastPass is more convenient than Bitwarden. It's true LastPass is not considered as secure as Bitwarden or 1Password. But IMHO it is safe enough for the average user if you use 2FA and the other security features from LastPass. So for most people I just recommend LastPass because it's easier to use. But I would certainly recommend Bitwarden over LastPass to someone who cares more about security than convenience.

Anyway, i believe that THIS REVIEW can answer most of your questions.
 

TairikuOkami (Level 35), May 13, 2017
2. How does BitWarden authenticate its users?
3. How exactly is BitWarden providing such a comprehensive product for free?
The free version is a basic password manager and that is it. The premium version offers better security features and, for $10, it is well worth it. The business model is similar to free AVs: free users act as ads themselves. They use it at home and they are satisfied, so they want to use it at work. It seems to work for them.
4. I read this (URL: How is my data securely transmitted and stored on Bitwarden servers? | Bitwarden Help & Support) on BitWarden's FAQ page regarding how data is securely transmitted. Does this still hold true in all use-cases?
Even on insecure WiFi, data is transmitted over an encrypted connection via HTTPS, and since Bitwarden encrypts it as well, it is double encrypted.
7. Does BitWarden's browser extension need the desktop app in order to function?
Nope.
8. If the answer to the above question is "no" -- are there any draw-backs (security or otherwise) to just using the BitWarden browser extension?
It is an extension, so yes. Other extensions could steal data from it, and it is also susceptible to the browser's vulnerabilities. To put it bluntly, the extension is more convenient but less secure, so it is up to the user to decide. I use the extension, but I store important passwords in KeePass; I would never put them online.

Every time you need to fill something, you need to click on the extension. You don't have a convenient icon inside the password box to auto-generate passwords or easily fill your info.
You can use the context menu.
[screenshot attached: capture_06202020_084610.jpg]
Furthermore, bitwarden always block itself every time you close your browser.
It's true you can reduce the problem using the auto-fill option (that only works if the vault is unlocked) and ask bitwarden to save your credentials and never auto-lock again (but that would reduce your security)
Well, you cannot have it both ways. I have it set to Never, because my Windows account is protected.
[screenshot attached: capture_06202020_084648.jpg]
 

Lord Ami (Level 21), Sep 14, 2014
I use Bitwarden with the following configuration:

1. I always enter Master Password after browser is restarted.
Why? With the option "Never", essentially your Master Password and the content of the Vault are written to and kept on your drive. That means they can be stolen or tampered with.
As far as I understand, entering the Master Password keeps the Vault and Master Password in a protected memory instance. This is much harder to break/tamper with.

2. I enter all the login details via CTRL + L shortcut.
Why? Even though Auto-fill works, malicious frames and text boxes could theoretically be implemented in websites. Theoretically it would mean that you'd be entering login details without even knowing about it.

3. For 2FA-ing BW account: I use 2FA App (Aegis, protected) and Yubikey + Recovery codes
Using email as 2FA is not a bad idea, but I'd use something more "offline" :)

4. I do use built-in TOTP feature (2FA code generator) for NON-CRITICAL logins. It makes life so much easier!
Not secure, but convenient as hell!

All in all, if someone really wants to get access to your passwords, they will find a way.
It's just about closing as many attack vectors as possible. I highly doubt that I or someone else (the "Average Joe") will be targeted like that.
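The concern in point 2 above (auto-fill landing in a malicious frame or text box that the user never sees) is something a password manager mitigates by matching the origin of the form's own frame, not just the visible page, before filling. The following is an added illustration of such a policy, written for this page; it is not Bitwarden's code and makes no claim about how its extension decides. The public-suffix handling is a deliberately tiny stand-in (a maintained public-suffix list belongs in real code), and the URLs in the tests are constructed examples.

```go
package main

import (
	"net/url"
	"strings"
)

// registrableDomain is a small stand-in for a public-suffix lookup: it keeps the
// last two labels, or three for a short list of two-label suffixes. Real code
// should use a maintained public-suffix list; this is only for illustration.
func registrableDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	keep := 2
	if len(labels) >= 3 {
		suffix := labels[len(labels)-2] + "." + labels[len(labels)-1]
		if suffix == "co.uk" || suffix == "com.au" || suffix == "com.br" {
			keep = 3
		}
	}
	if len(labels) < keep {
		return host
	}
	return strings.Join(labels[len(labels)-keep:], ".")
}

// FillRequest describes one auto-fill attempt. FrameURL equals TopURL when the
// login form sits in the main document; for a form inside an <iframe> it is the
// frame's own URL, which a hostile page can point anywhere.
type FillRequest struct {
	SavedURI string // URI stored with the credential
	TopURL   string // URL of the top-level page the user is looking at
	FrameURL string // URL of the frame that actually contains the form
}

// ShouldAutofill returns true only when both the top-level page and the frame
// holding the form belong to the site the credential was saved for, and neither
// has dropped to plain http. The second return value explains a refusal.
func ShouldAutofill(r FillRequest) (bool, string) {
	saved, err := url.Parse(r.SavedURI)
	if err != nil || saved.Hostname() == "" {
		return false, "saved URI unusable"
	}
	want := registrableDomain(saved.Hostname())
	for _, raw := range []string{r.TopURL, r.FrameURL} {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			return false, "unparseable or host-less URL: " + raw
		}
		if u.Scheme != "https" {
			return false, "refusing to fill over " + u.Scheme + ": " + raw
		}
		if got := registrableDomain(u.Hostname()); got != want {
			return false, "origin mismatch: " + got + " is not " + want
		}
	}
	return true, "ok"
}
```

The check is applied to the frame URL independently of the page URL, which is the point: a legitimate page can embed a third-party frame, and the credential must not flow into it just because the address bar looks right. Bitwarden's own "URI match detection" settings and the keyboard shortcut discussed in this thread are different ways of narrowing the same decision.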
 

Tiamati (Level 12), Nov 8, 2016
1. I always enter Master Password after browser is restarted.
Why? With the option "Never", essentially your Master Password and the content of the Vault are written to and kept on your drive. That means they can be stolen or tampered with.
As far as I understand, entering the Master Password keeps the Vault and Master Password in a protected memory instance. This is much harder to break/tamper with.

I think that is very inconvenient. Why? Because the Master Password should be long, random, and contain numbers and special characters. That makes the master password inconvenient to retype every time you need to unlock the vault. If you really want to lock it every time, it would be better to lock it with a PIN.

2. I enter all the login details via CTRL + L shortcut.
Why? Even though Auto-fill works, malicious frames and text boxes could theoretically be implemented in websites. Theoretically it would mean that you'd be entering login details without even knowing about it.
I think that is inconvenient too (and a little paranoid). If you are worried about malicious text boxes being inserted into websites you are visiting, then you shouldn't interact with that site in any way. What is the real chance of an official and secure website presenting that kind of problem?

3. For 2FA-ing BW account: I use 2FA App (Aegis, protected) and Yubikey + Recovery codes
Using email as a 2FA is not bad idea, but I'd use something more "offline" :)
I didn't know any of them. Any reason to use Aegis and YubiKey instead of others like the Microsoft, Google or LastPass authenticators? How do you use recovery codes?

4. I do use built-in TOTP feature (2FA code generator) for NON-CRITICAL logins. It makes life so much easier!
Not secure, but convenient as hell!

I don't know how to implement that either. I would like to know more about it. Ty!
 
ForgottenSeer 85179

I didn't know any of them. Any reason to use Aegis and YubiKey instead of others like the Microsoft, Google or LastPass authenticators?
The reason is: offline usage without Cloud attack surface.
Yubikey is also a hardware token.

How do you use Recovery codes?
You can make backups easily, and every website also gives you many backup codes at 2FA setup, so you have plenty of backup codes even if you don't make backups manually.
Very easy.
 

Lord Ami (Level 21), Sep 14, 2014
I think that is very inconvenient. Why? Because the Master Password should be long, random, and contain numbers and special characters. That makes the master password inconvenient to retype every time you need to unlock the vault. If you really want to lock it every time, it would be better to lock it with a PIN.
Yes. Well, in my case I use a long word with special letters in it, plus numbers and special characters. It's rather simple to put in; no need to twist your fingers 😉
The chances that someone figures it out are close to non-existent.

I think that is inconvenient too (and a little paranoid). If you are worried about malicious text boxes being inserted into websites you are visiting, then you shouldn't interact with that site in any way. What is the real chance of an official and secure website presenting that kind of problem?
Yes and no. You can call me paranoid, but even using an ad blocker + NextDNS I still feel that some hijacked advertisements can do damage. Again, call me paranoid.
BUT: How many times do you log into your most visited websites? Once per month maybe... with that, I can live.

I didn't know any of them. Any reason to use Aegis and YubiKey instead of others like the Microsoft, Google or LastPass authenticators? How do you use recovery codes?
Aegis simply because:
1. It supports Fingerprint unlocking
2. It supports backup (Google Authenticator did not support it).
3. No cloud sync. Cloud sync would make it online (vulnerable).

Recovery codes: Hard copy: Printing them out and storing securely, in 2 different locations.

I don't know how to implement that either. I would like to know more about it. Ty!
It is rather simple. All you need is the Premium version and either the TOKEN (code) or a smartphone with Bitwarden installed.
I like that it copies the TOTP to the clipboard. Especially useful in mobile usage.
 