Considering Bitwarden..Thoughts

Hello. I have been using KeepassXC on my Linux box synced to Nextcloud and then using Keepass2android and it really has been working very nice. I checked out bitwarden about a year ago and they did not supported nested folders (which I need for customer folders, etc). However, now they do and it looks nice. And they completed that 3rd party audit which is huge. So I am considering self hosting it. My concerns are as follows:

#1) Only one very talented developer of bitwarden. The “hit by a bus thing”.
#2) Self hosting puts the burden of keeping up on security updates, etc. Especially with the latest doomsday docker security revelation.

I could use their cloud but I believe it is in Azure. I guess I like my roll my own solution but I am always looking at alternatives. Bitwarden does look nice

Any thoughts on this?


Reason #1 not only the hit by the bus but hi I have this pile of money would you sell it to me and stick around for a short time to get my offshore guy up to speed.
I to use KeepassX on Linux and on my one and only Windows laptop. Must agree it works welll keep the DB on USB stick. Also have Yubikey for Linux laptops.

I use KeePass2 (v 2.41) on Linux with KeePass2Android and LastPass primarily. Last year I experimented with Bitwarden Desktop app image and Android App and still maintain it, but it’s just an experiment. Just looked at KeePassX and XC. I like the passphrase generating tool in XC that’s missing in X and KP2. Are these equally secure but differ in interface akin to linux distros or is one better maintained than another? The cross platform has appeal since I have macOS in the house too. May have to switch apps.

Pretty sure XC is a fork of X. And they added the ability to have browser extensions (which I would never use with any password managers). Plus XC looks much nicer. If you have android check out Keepass2Android. Great piece of software.

1 Like

I’ll check out KeepassXC.

I tried to get the extension to work and it was not a smooth process then it told me I needed to update XC, so I added the ppa and updated. After that it didn’t work. I’ll stick with NOT using browser extension with XC.

Is it safe using the same kdbx file with KeePass2 or KeePassXC? This FAQ is confusing:

My versions are:
KeePass2 2.4.1
KeepassXC 2.3.4

I can open my db from either.

Browser extensions can be problematic when version of same and browser version introduces mismatch. Happens in FF but usually catches up.

1 Like

I don’t have issues with LastPass extension and have used with FF, Chrome and Chromium over the years. I did get KeePassXC to work, but it’s clunky and it fails if the URL in your database doesn’t match the sign-on URL which happens with many sites that open a dialog or have one dialog for username and another for passwd. I can live without KeePassXC integration, but they’ve got work to do to make it seamless.

I use both Lastpass and Bitwarden and I must say I prefer Bitwarden, especially on my Android phone, it seems to work better that Lastpass.

1 Like

via @two06 through twitter

“In this post, we’re going to take a quick look at Frida and use it to steal credentials from KeePass.”

this was brought to my attention by Maurice (@offsecmoe) co-host of how-they-got-hacked. Thanks Moe!

Keep the database on a USB stick. You are probable talking Windows since you wrote Keepass and while compatible with KeepassX and KeepassXC it is Windows based and Windows is akin to Swiss cheese. Refer to opening sentence, no matter what OS you are running. Consider the Yubikey or Duo as well.

Using KeepassXC here on Linux. I like the USB idea tho.

I had two thoughts after reading the article:

  1. why is he not reporting to project rather than publishing?
  2. if you’ve got access to my database on my system and running code there, you own it.

Are you saying other KeePass (2, XC) variants not subject to this? If that statement was in article, I missed it.

Just checked again and no mention of KeepassX or XC in article but I will speculate that on Linux it would be more secure simply because it’s Linux, now, nothing is bullet proof get a big enough bullet it will get through. The reason I keep encrypted DB on USB stick. A few degrees of separation.

1 Like

After @LTS_Tom 's video about Bitwarden I decided to test it and I’m delighted.

I only have a little concern. I don’t know if I’m being paranoid or is it a real concern:

When Bitwarden extension has the vault unlocked on the browser. Is it possible for a process to access my vault and copy my login information?

Actually I have always had the same concerns as you regarding the browser extensions. That is why I always refused to use browser extensions. I am begrudgingly using the bitwarden browser extension on a limited basis but browser extensions have proven to be vulnerable. It has happened to other password managers. But it is so convenient to use a browser extension. I would be curious what others think about this.

1 Like

I have the same concerns especially for critical applications. Nothing is perfect and anything assembled can be disassembled. Securing remote access is always a worrisome undertaking.

What’s your use case for BW? How many users, corporte environment? Plan to self host? If self host you don’t necessarily need to go with docker.

Guessing you viewed Lawrence Systems video on this it should help you decide but I do think it a good option.

I would recommend playing with it on their website using a dummy email account.

I also use KeePass, KeepassXC, etc but really do want to move to Bitwarden.

Think personal account going to be there cloud server (Lazy).

The work logins will be self hosted I am hoping… Still reviewing this in details before I deploy.

Hiding Bitwarden behide a VPN might cause me a small issue but should be able to overcome.

I do not mind paying for this product and hopefully they get more developers or someone else will pick up the torch if there is an issue.

Hope you are all doing well. :grinning:

Video Below:

@Paulser Yes I did see Tom’s video. I did make the switch to BW and self host behind a firewall and access via VPN. It works well. My vault is protected via a yubikey. I am still uneasy about using browser extensions with l any password manager but I do for most sites. And since I am all in I am also using the BW TOTP as well which is really super convenient as well. But in effect it is now 2 step and not really 2fa. And with the news recently of malware grabbing 2fa keys from apps such as Google authenticator and, authy, etc I am relying on the yubikey more and more. But that is another story.

For those self-hosting people – what version of BW are you using?
Are you using BW mobile app as well or only desktop client?