科技回声 (Tech Echo)

A technology news platform built on Next.js, providing global tech news and discussion content.
Bitwarden Completes Third-Party Security Audit

298 points, by drpfenderson, over 6 years ago

24 comments

darkhelmet, over 6 years ago
We used LastPass for several years in our home, mostly because it was able to fill Firefox HTTP basic auth dialogs. When Firefox switched to the WebExtension format, LastPass started using the Chrome version as the foundation for Firefox. This was a huge step backwards and my wife HATED it.

The biggest problem she had was that the standard workflow of it capturing generated passwords became unreliable and it stopped automatically tracking the random passwords it generated. Whatever it was that she was doing, she kept losing passwords and getting locked out. It destroyed her trust.

We tried Bitwarden. It doesn't require the same leap of faith to use a random password. They're saved first before you use them. The usage flow isn't quite as smooth as LastPass was, but she hasn't lost any passwords since the switch.

She's almost forgiven me for making her use a password manager. Almost... :)
echanfsw, over 6 years ago
> On a less positive note, the assessment of the deployed cryptographic design led to the discovery of certain issues that must be addressed in due course. One was rated "Critical" because a malicious vault could obtain and modify organization items. This approach relied on MitM attack described in BWN-01-008. The overall code quality of the crypto implementations was deemed to be overly complex and frequently misleading, which led to reporting a false positive issue (see BWN-01-011). More generally, cryptographic libraries of the Bitwarden compound have not yet been optimized. They particularly need to be simplified as unnecessary complexity can lead to problems.

> To reiterate, the results of this autumn 2018 assessment are positive for the client and code. Sadly, the same thing cannot be stated for the current cryptographic scheme in use. Given the number and range of issues discovered, it seems necessary that a re-design takes place. This needs to reassess how certain features are implemented and ensure that the overall cryptography stands strong against the attackers' efforts.

Um. Is this not worrying to people?
dabeeeenster, over 6 years ago
There's a Rust implementation of the BitWarden server which is compatible with the open source clients, that you can run really easily in Docker:

https://github.com/mprasil/bitwarden_rs

I'm running it via Dokku and it has been rock solid. It's way lighter than running their reference server implementation.
tmikaeld, over 6 years ago
Since Bitwarden added sub-domain support and fixed the speed issues on large key-bases, I absolutely cannot live without Bitwarden; it's been absolutely flawless.

Previously used Lastpass for 8 years.

So glad to see that its security is taken seriously by the developers!
pcx, over 6 years ago
I used Lastpass for about 5 years and moved to Bitwarden a couple of years back. I never had to turn back again. The browser addons are great, but the mobile app is fantastic: simple, usable and lightweight. It's great to hear that it's pretty secure too.
udia, over 6 years ago
Currently using Bitwarden right now. Really good to see that the security assessment is relatively positive:

> All in all, while the client and backend code are vulnerable to some issues, all of the problems can be easily fixed without a lot of effort. In that sense, Cure53 believes these items of the Bitwarden scope to be fully capable of reaching the desired standards of security in a rather short time. To reiterate, the results of this autumn 2018 assessment are positive for the client and code.

Wondering how they will address the current cryptographic scheme though.
tilolebo, over 6 years ago
I have been using Keepass2, then KeepassXC, for 5 years, with Dropbox to sync the db between my devices.

Since Dropbox recently stopped supporting ecryptfs, I started looking for alternatives (KeepassXC + Google Drive/SpiderOak, Lastpass were some candidates).

Looks like Bitwarden is worth testing too :-)
lwyr, over 6 years ago
At the time of writing the link to the actual report in the blog post does not work. Here is the correct link: https://cdn.bitwarden.com/misc/Bitwarden%20Security%20Assessment%20Report%20-%20v1.pdf
_uhtu, over 6 years ago
Bitwarden is the password manager that got me to finally start using a password manager, with its combination of full open source and good UI. I love that they are this security focused as well.
h1d, over 6 years ago
I just want to mention how insanely insecure browsers' native password managers are. It asks you for a password only on export but never to fill on sites, and you can see which sites are saved with no authentication; you just need physical access to the machine to access them all. Why do browsers never implement something as easy as locking the vault with the OS account password after a certain period after unlocking, like any password manager does?
hestefisk, over 6 years ago
5-6 vulnerabilities identified, but "no action at this time" identified as the only resolution for all of them. Worrying, or is this common practice?
ecesena, over 6 years ago
Would it be possible to know, ballpark, how much a similar security assessment can cost? I understand it's hard to say in general, but given this output I assume it's possible to "get a quote".

In an ideal world, all security-related OS projects should have periodic scans like this, but clearly the cost may be prohibitive. Maybe there are ways to get funds, or to form groups of projects that get analyzed together; for example, I'm thinking that while Cure53 is analyzing Bitwarden, they could do similar work for other password managers that buy in.

Independently, a big thank you to Bitwarden for sharing this; knowing which were their vulnerabilities will help everyone in the space a lot. I'm personally very sensitive to these problems, as I'm working on open source security products too.
jopsen, over 6 years ago
Isn't there still a lot more hardening to do, like moving payment out of vault.bitwarden.com, so that this domain can have a stronger CSP policy?

In other news: my todo list now features an item to migrate lastpass -> bitwarden.

(I really love the effort here)
dyukqu, over 6 years ago
I've never used a password manager; I memorize them, dozens of them. And almost all of them are unique and "strong" passwords. Now I have a feeling that this situation is a real burden for my mind/brain and I consider using one; just trying to convince* myself. Up until this time, I was thinking that "it's a good mental exercise!", not any more. Maybe the reason is now I have too many things to ponder upon.

I'd like to hear (well, read) if any of you have ever been in the same situation and what the transition was like? :-)

*it's a little complicated...for me
h1d, over 6 years ago
Bitwarden has a clean interface and I like it, except when you think about it, keeping your entire vault of passwords online also means that one single leak of your master login ID / password (which can even be something easier to remember for the sake of not forgetting, which defeats the purpose of the entire existence of it) can put an end to your online self. I stopped using anything online, and having 2FA just feels like the convenience has flown out the window just to log in to some site, and offline password managers can just work fine without that massive flaw.
kevingrahl, over 6 years ago
I use and like Bitwarden, but their iOS app feels a bit slow, especially when I need to search the Vault. After tapping the search icon it takes somewhere around five seconds (sometimes even longer) of loading time until I can enter my query. Has anyone else experienced this or is it just me?
HaHa31, over 6 years ago
I just want to pop in and say that I am planning on moving from lastpass to bitwarden. I have significant problems with the lastpass android app, the biggest being my CORRECT password being rejected; also the app is just really buggy in general. I hope bitwarden is an improvement.
brodsky, over 6 years ago
Has anyone here used Enpass? I use it and like it very much, because the UX is decent, and there is no "cloud" component whatsoever; it simply has a local DB which can be synced using Google Drive or Dropbox across all my devices. However, I am concerned with their lack of a 3rd-party audit. So I've been eyeing BitWarden for that reason, but the need to run a server turns me off (especially since I'm not clear how that helps me sync the mobile clients). Those who host their own BitWarden instance: how do you approach the problems of backup and mobile sync?
occamrazor, over 6 years ago
I use Safari on macOS and iOS, with its native password manager. Am I exposing myself to higher risks than by using a standalone password management app?
jdhorwitz, over 6 years ago
Love Bitwarden!
newaccoutnas, over 6 years ago
What are the pros/cons vs 1Password?
h1d, over 6 years ago
With such a security-sensitive project, I can barely find any information on what 8bit Solutions is about.
Apocryphon, over 6 years ago
Has anyone ever migrated away from Keychain Access to an OS-independent password protection program?
adobeeee, over 6 years ago
Can I get a quick vote on keepass2 vs bitwarden, and a feature comparison?