Great video. I see this as a viable alternative. I will probably stick with LastPass. I am still trying to get others to use a password manager, period, so I can honestly have two solutions to offer. Thanks for showing how easy it is to switch too. If whoever buys LastPass makes a turn for the worse, I’m glad you showed how easy it is to switch.
While I like the benefits Rust offers, I don’t really have a use case to switch over to Bitwarden_rs. It really does not take a lot of resources to run the native app, and I don’t really want to rely on a third party that has not been code audited. And yes, I know it is based on the same code, but rebuilding it could introduce new issues.
I’ve been using the free version of Bitwarden for a while. After this review I upgraded to Premium. I really like the cards, identities and Secure Note options. I’ll probably use the Secure Notes as a secure place to store my Keybase paper key. This way it is always with me and always secure.
Totally understand that. Rust has been labeled one of the most secure languages, but you really can’t claim that until you do testing on this code specifically. It was just interesting that there is an alternative to the MS SQL option.
Great video, will definitely check out self-hosted Bitwarden. With regards to the cert, you could always spin up a VM as a web server with Let’s Encrypt and rsync the cert across, allowing you to use the mobile app via OpenVPN.
Hi Tom! I’ve been very happy with Bitwarden Premium and use the TOTP feature with the browser extension. I mitigate the concern of access to my vault via a compromised master password by adding 2FA on login to Bitwarden.
I’m giving self-hosted Bitwarden a try after watching one of Tom’s reviews; the installation procedure is really simple. I recorded the install/config in case anyone could benefit from it. I didn’t realise it was so simple, to be honest, before I started, but I recorded it anyhow and uploaded it.
Bitwarden violates its own security at the very beginning of the process! In order to import the hundreds of sites, user IDs and passwords from another system, users only have two choices: re-key hundreds (for me, and thousands for my company) of sites, or upload it all in PLAINTEXT to their servers and “trust them” not to do bad things with it! UNACCEPTABLE!!! and UNBELIEVABLE!!!
You misunderstand how the system works. Yes, you can upload plaintext into the browser, but all of the decryption and encryption is happening inside the browser. Only the “encrypted blob”, without the keys, is sent back to wherever your instance of Bitwarden is hosted. Go through, read the source code and their security audit.
I’d like to hear others’ thoughts on Bitwarden forcing “Organization” and Enterprise accounts to use the Duo two-step authentication as the only option for second-factor authentication. Here’s a blog post about wanting more options than just Duo:
You can force 2FA in enterprise policies. When you enable it, it tells you that any users currently in the org who do not have 2FA will be removed from the org (excepting owners and administrators). Is that not working for you?