Bitwarden: Avoid at all costs (outage issue)
What I learned about it, is that they can remotely disable your browser extension which is assumed to work in offline mode. So, as soon as you have an internet connection — you get blocked. This is what happened to me like 30 minutes ago or so. Just cannot log into my account and verify a transaction because I'm stupid enough to trust them with my TOTPs and storing temp verification passwords.
The funniest stuff, though, is that the company's damage control is to remove the comments and suspend feedback from it's community forum. Given that I'm a paying customer, I'm a little bit offended by it. For a secret management company that secured $100 mil recently, it's a clear mark that the enterprise service train is on the way.
I'm lucky enough to have the offline access to the storage. But my trust to Bitwarden as a reliable service is completely ruined. Having this in mind, is there a viable alternative?
PS. Expect Spearrin to appear on HN and bring "personal" apology for the hiccup. But I won't buy it. Password manager services are almost like bank storages but on the internet. Apologizing won't fix the fact you can get remotely locked from the passwords and TOTPs at a pressing moment.
136 comments
[ 5.6 ms ] story [ 231 ms ] threadProbably not going to find it anywhere for $10/yr
1) I want sane error messages on the client side.
2) I want my feedback on community forums not to be shushed. You screwed up — own it. Community mods aren't janitors to wipe out user feedback.
3) I want the extension to be working no matter what kind of server-side problems you have. Let me know about a sync problem but don't terminate my access.
But if you do think, that for $12 I get to be treated like an dog, too bad, there's enough options for me to take my business elsewhere.
I am surprised that they are not more popular than "fan-favorites" like LastPass which I absolutely can't stand (it's like from the dark ages UX wise) or 1Password, or, for that matter, Bitwarden. Bitwarden particularly experience degradation of service like every month or so, maybe due to their popularity.
Anyway, I'll still respond.
>Idk why you think you should be able to login to a cloud SaaS product while its down
The application works without internet access.
> Not all forms of Auth can be done locally, for example most 2fa requires server access.
TOTP validation can be done at the offline level. And the hardest proof of it is that the tokens themselves are generated offline. All that is required at the server side is shared secret and a Unix time syscall. This gets done at the browser extension level[0], no network required.
[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...
If you don't want to rely on a free cloud product go to lowendtalk and find an offer for a minimal VPS, which can regularly found for around $10/year.
- Local-first so you own your data
- Open about technical documentation and assisted in providing encryption scheme info to an open-source vault reader (so you own your data...) https://github.com/hazcod/enpass-cli
- Works with lots of cloud/sync providers
- Cross-platform (Windows, macOS, Linux, iOS, Android)
- Browser integration (Safari, Firefox, Chrome, Edge, Opera, Vivaldi)
- Lifetime license for $79.99
Why have I never heard of Enpass before? Anyone have any reason to not switch from Bitwarden to Enpass right now?
Found this: https://www.enpass.io/security-audit-report/
I'm not a security expert, so not sure if those audits are trustworthy.
When it comes to security audits of software I often prefer to see that software failed at this or that, and was corrected, with a reasonable explanation of both the problem and the applied solution. To me, this shows that 1) the audit was actually performed and not just bought/pencil-whipped; and, 2) the developers acknowledge their [inevitable] mistakes and correct them. It also teaches me what to be aware of for other, similar software.
In other words, I would rather see a pimple once in awhile than be convinced by makeup that everything is perfect.
I do not.
Moving to self hosted vaultwarden from keepassxc-in-syncthing was a big leap. A closed source client is a leap too far.
I used Google Drive/OneDrive in the past but a few times vaults would get into a broken state where they couldn't connect to the provider anymore and I had to manually re-connect. It was always able to smoothly recover and sync, but I had no confidence I was synced at any given moment.
I jumped on Wifi Sync as soon as they launched it and haven't looked back—as long as I'm on the same network once in a while, everything is in sync.
Sometimes I get an itch to try the open-source/Keepass route again, especially since it seems to be much improved, but Enpass is convenient for now.
Hello,
Thank you for contacting Bitwarden.
If you are receiving this message, you have contacted us about errors accessing your Bitwarden account. We would like to first apologize for any inconvenience.
Access should no longer be impeded when authenticating.
In our mission to continually strengthen services and protect Bitwarden users, we have employed many protections to that end. These are ever evolving and constantly being tuned. With these in place, there is potential for temporary false positives. The team is committed to refining and improving these protections.
We thank you for bringing this to our attention, and for your understanding. If you have any further questions, please let us know.
-The Bitwarden Team
what do people expect? all the wrong management are attracted to security products for exactly the reasons you suspected all along.. Lock-in is profits!
- Everything is open source - You get to self host - You get to export your database at any time - You don't even need to pay to use it if you don't want to
Are local password managers objectively more secure and reliable? Yes. Does that mean that Bitwarden is just an awful product by a money seething corporation that wants to lock you into their product and dime you till your last cent? Not so sure about that.
[0]: https://getaegis.app/
> With respect to the server software available under the Bitwarden License, production use requires a separate commercial agreement with Bitwarden
> The right to use the software in a production environment, or environments directly supporting production, requires a paid Bitwarden subscription
> The Bitwarden License does not qualify as an open source license under the OSI definition
[0]: https://github.com/bitwarden/server/blob/master/LICENSE_FAQ.... (permalink → https://github.com/bitwarden/server/blob/f848eb247767fbba8a4...)
Also Bitwarden's software has multiple licenses, one of them being AGPL for the server and one of them being GPL for the client. The part of the code that's under the Bitwarden license which you have to pay for is SSO, SCIM and I think FIDO2 authentication as they use some Azure tools for all of these and as such they can't run on premises
Quoting from their license FAQ [1]:
> "In your GitHub repositories, how can I determine what license applies to a given software program?"
> "Each Bitwarden repository contains a LICENSE.txt file that spells out which license applies to the code in that repository."
> "In the case of the Bitwarden server repository, the files are organized into various directories. These directories are not only used for logical code organization, but also to clearly distinguish the license that a given source file falls under. All source files under the /bitwarden_license directory at the root of the server repository are subject to the Bitwarden License. If a file is not organized under the /bitwarden_license directory, the AGPL 3.0 license applies."
Vaultwarden offers those for free if you so wish, but there are no restrictions to self hosting Bitwarden.
[0]: https://github.com/dani-garcia/vaultwarden
[1]: https://github.com/bitwarden/server/blob/master/LICENSE_FAQ....
Similarly to this API compatibility there's KeePassDX [2] for mobile phones which is compatible with the KeePass database format. There's also KeePass [3] which is the original built with .NET.
I personally use Bitwarden though because maintaining sync of databases on mobile phones is painful. Also keeping backups up to date is hard and time consuming, I do export my encrypted database once in a while though.
[0]: https://www.passwordstore.org/
[1]: https://www.gopass.pw/
[2]: https://www.keepassdx.com/
[3]: https://keepass.info/
On my Android phone I use Keepass2Android and it's built-in SFTP support to open the remote database (and also keep a local offline-copy). When saving it seems to synchronize with the remote file first before uploading the file, so even if I change entries on both devices the copy on my server shouldn't lose any entries. But I haven't really tried to break it yet.
A touch on Yubikey will give you one password out (as opposed to unlocking the whole database). As secure as it gets!
Also very convenient to use, since the password is a short pin.
You can use CLI in scripts and handle tokens.
Good code written by a good guy!
Use whatever you want for sharing your database across devices, like Syncthing or Nextcloud (or even USB thumb drives), as long as you have a strong password for it (or other means of unlocking it) and it should alleviate many of the availability related complaints about file based secret management.
It even allows storing files (like SSH keys) and on some platforms has the possibility of typing your credentials for you so they don't end up in the clipboard, even though when you use the clipboard functionality they get cleared out of it after a little bit.
[0]: https://passwordstore.app/
https://github.com/mssun/passforios/issues/418
Strongbox for iPhone/iPad: https://strongboxsafe.com/
There are plenty Android Keepass apps too, i don't have any experience with these though.
>And how do people choose
FWIW, KeePassXC is the best (most widely adopted) one for Desktop.
[1] https://github.com/dani-garcia/vaultwarden, note that it's different from Bitwarden's official server (https://bitwarden.com/help/install-on-premise-linux/), uses less CPU/memory, and enables premium features like TOTP for free.
[0]: https://keepassxc.org/
[1]: https://www.keepassdx.com/
[2]: https://syncthing.net/
You attack Bitwarden but how would this be any different with the other hosted password services?
Just do it once a month - mount the volume, export the database in plaintext directly to the volume, then unmount it.
If your password manager locks you out because of a bad software update, service outage, or you hold the wrong passport and got sanctioned, or whatever, at least you will still be able to access the vast majority of your credentials. Special password databases are nice and convenient, but plaintext is usable forever.
wife had issue with bank and wanted to flush all browser caches, but didn't notice that for some reason passwords checkbox was preselected. it deletes all saved passwords saved in cloud without way to recover (unless you have some offline device that didn't yet synced)
Literally running around the house trying to shut off other PC's before Chrome could sync on them... unsuccessful. What a disaster!
And this is all free service. Customer expectations have skyrocketed.
This seems incorrect.
I experienced this issue while I was working on 1 computer which I infrequently use so I was logged out of BitWarden. Trying to login gave me that oblique error message.
I was on a conference call (and presenting of course) so I needed the password Right Now so I pulled out my laptop, which was still logged in, and was able to access the password without issues.
I'm not sure exactly when this issue started/stopped, but, I probably use my phone vault 20x a day and I never saw the issue there either, only with the one computer which was logged out.
I really don't get all of the hate on here for BW. Are people annoyed or jealous because they just got funding? I understand people suggesting alternatives (and that's great -- monocultures are bad) but some of the comments on here (including, frankly, the OP's topic and message) are just rude.
I'm a user of both the hosted BitWarden and multiple VaultWarden_rs instances and it works well for me and meets my needs. It's been very reliable to the point where if I didn't see this post, I would have just assumed the earlier issue was some fluke and moved on without a 2nd thought.
I'll probably be accused of being a shill for them and legitimate criticism is warranted, but, too much of this seems like bad faith.
Annoying, but I think I see the benefit (kill it if it might be tampered with etc)
The entire point of these hosted password services is that they are a turnkey solution - I could give them to my mom, who knows nothing about technology, and trust that they work. I like using a turnkey solution myself even though I could self-host because I don't want to spend brain cycles on solving the "syncing passwords across multiple devices" issue.
I don't quite understand why Bitwarden even needs to have you login in order to access the passwords. Surely you could just have the salted+hashed passwords on device, and Bitwarden just syncs that data from device to device. If you work in an organization and need to revoke access, just change the password. No need to manage whether or not someone is logged in to Bitwarden.
You have the local encrypted database.
You have the key.
Opening your front door doesn't require a trip down to the hardware store whe$e you brought it.
When it's down you only need to lose backup and sync.
Refusing to unlock your local database because it made some check on the backup and sync server is precisely remote disabling and is a great reason to transition off of bitwarden as it is a pretty good sign of them testing the waters for vendor lockin.
How do the KeePass' compare?
P.S. I do use a KeePassXC vault for a small amount of stuff. Discovered KeePassDX for Android this week from a recent HN comment. It is very good. After playing with it for ten minutes I deleted the other two Keepass apps I had on my phone.
What were the issues with keepassxc integration? I have been using it and it generally works flawlessly integrating with firefox, the only thing is that you have to sometimes press the reconnect to keepass in the extension if you shut down keepass while Firefox was running.
Keepassxc also provides an ssh agent and works as my secret provider, that also works without problems if it wasn't for gnome keyrings which decides that it will stick around after you log into gnome (which I rarely do). Does BW provide secret integration?
I can’t really comment on secrets, I use a YubiKey for SSH and GPG for signing Git commits so I’ve never needed to look into it.
Yes, Syncthing doesn't work on iphone, buy your mother an android , or buy yourself a tie machine and write apps for windows Phone
Took me too long to realize you probably meant ti[m]e machine, but I still don't see how that would fix getting a non-techy off their iPhone.
TIME TRAVEL!
When do we want it?
THAT'S IRRELEVANT!