Bitwarden Open Source Password Manager Review and Why We Moved From LastPass

6 Likes

Loved the video! Glad you decided to give Bitwarden a try. I have been running it for a year now and it is great.

Have you looked at Bitwarden_rs?

It is a Rust implementation of Bitwarden and it is much lighter. It can run SQLite or MySQL DBs.

Personally, I use the MySQL version because I can use standard MySQL dumps to back up my database and easily import it into any MySQL server.

This implementation also works with all Bitwarden Apps (Browser app, Mobile App, and Desktop app) and it has the full web vault.

Here is the GitHub for it: https://github.com/dani-garcia/bitwarden_rs

There are Docker images available for both SQLite and MySQL options.

1 Like

Great video. I see this as a viable alternative. I will probably stick with LastPass. I am still trying to get others to use a password manager, period, so I can honestly have two solutions to offer. Thanks for showing how easy it is to switch too. If whoever buys LastPass makes a turn for the worse, I’m glad you showed how easy it is to switch.

While I like the benefits Rust offers, I don’t really have a use case to switch over to Bitwarden_rs. It really does not take a lot of resources to run the native app, and I don’t really want to rely on a third party that has not been code audited. And yes, I know it is based on the same code, but rebuilding it could introduce new issues.

4 Likes

Interesting, but as Tom mentions below, it could bring new problems; a lot of testing.

I will be taking a look and doing testing. Question: with a self-signed cert, when compiling from source, can you set it to enable the apps, and will DUO work?

I’ve been using the free version of Bitwarden for a while. After this review I upgraded to Premium. I really like the cards, identities and Secure Note options. I’ll probably use the Secure Notes as a secure place to store my Keybase paper key. This way it is always with me and always secure.

Totally understand that. Rust has been labeled one of the most secure languages, but you really can’t claim that until you do testing on this code specifically. It was just interesting that there is an alternative to the MS SQL option.

Great video, will definitely check out self-hosted Bitwarden. With regards to the cert, you could always spin up a VM as a webserver with Let’s Encrypt and rsync the cert across, allowing you to use the mobile app via OpenVPN.

I’ve been using the self-hosted version for over a year and it’s been flawless.

bitwarden_rs is not quite as feature complete as the official build; they have a list of missing features here.

Hi Tom! I’ve been very happy with Bitwarden Premier and use the TOTP feature with the browser extension. I mitigate the concern of access to my vault via a compromised master password by adding 2FA on login to Bitwarden.

1 Like

Bitwarden Open Source Password Manager Review Part 2: Forms, Security & Docker Dependencies

2 Likes

I’m giving self-hosted Bitwarden a try after watching one of Tom’s reviews; the installation procedure is really simple. I recorded the install/config in case anyone could benefit from it. To be honest, I didn’t realise it was so simple before I started it, but I recorded it anyhow, so I uploaded it.

3 Likes

*** WARNING ***

Bitwarden violates its own security, at the very beginning of the process! In order to import the hundreds of sites, user IDs, and passwords from another system, the user only has two choices: re-key hundreds (for me, and thousands for my company) of sites, or upload all of it in PLAINTEXT to their servers and “trust them” not to do bad things with it! UNACCEPTABLE!!! and UNBELIEVABLE!!!

[image: bitwarden breach of security]

You misunderstand how the system works. Yes, you can upload plaintext into the browser, but all of the decryption and encryption is happening inside the browser. Only the “encrypted blob”, without the keys, is sent back to wherever your instance of Bitwarden is hosted. Go through, read the source code and their security audit.

2 Likes

I’d like to hear others’ thoughts on Bitwarden forcing “Organization” and Enterprise accounts to use the DUO Two Step Authentication as the only option for second factor authentication. Here’s a blog post about wanting more options than just DUO:

Does self-hosted give you any more options?

There does not appear to be a way to force it, but with the self-hosted version I can see which users have it turned on.

1 Like

You can force 2FA in enterprise policies. When you enable it, it tells you that any users currently in the org who do not have 2FA will be removed from the org (except owners and administrators). Is that not working for you?