Bitwarden or keepass ftw
this post was submitted on 07 Sep 2023
906 points (98.9% liked)
Technology
72957 readers
4109 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
So what makes Bitwarden better than LastPass if you're using Bitwarden's hosted option (I know you can keep it locally).
From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.
For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.
It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.
load more comments
(2 replies)
I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.
load more comments
(1 replies)
Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice
Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.
I wouldn’t sleep well knowing my passwords were on there at any given time.
You can host a bitwarden vault yourself. They open sourced and audited. So, trustworthy that there's no back door somewhere to some degree.
load more comments
(4 replies)
same here. nuked my lastpass account and switched everything over to bitwarden. their paid offering was worse from the competition and now i’m very glad i moved from them
load more comments
(2 replies)
These guys saved their seed phrases to LastPass, not just account passwords. You can't just change your seeds without moving funds to a new wallet.
The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.
I just store recovery phrases of all kinds on an encrypted USB stick (which is obviously only connected to my PC when I need to put a new one in or use it (which so far has happened never)), I feel like that is secure enough for me, although if I could laminate at home I might print and make small cards in a separate a card wallet. Any other way I feel like I would eventually lose them, the particular USB drive ive had for over 15 years, it is 512 MB lol.
USB sticks are not very reliable and can become totally unreadable randomly. I hope you at least have a few backups of it
Yeah, they are horribly unreliable.
I got myself 5 sticks, put the same data on all 5.
1st was dead within a month. 2nd & 3rd both dead in 4m, 4th dead in 6m. The 5th is still alive 3 years later.
It's a shit lottery, don't play it, modern flash drives are absolutely garbage. Yet I still have a whole pile of 1,2, 4 GB flash drives from over a decade ago and they all still work.
load more comments
(1 replies)
Carve it in granite and bury it underground so that future archaeologists can be confused over their meaning.
load more comments
(1 replies)
load more comments
(2 replies)
load more comments
(2 replies)
load more comments
(1 replies)
instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden ... its opensource, free and much more secure and reliable
But who is running the bitwarden server? Bitwarden the private company.
I self host vault warden, but it's really not something everyone can do.
Vaultwarden is incredible, and runs easily on freebsd.
load more comments
(1 replies)
I personally use KeepassXD on my phone, although it hasn't had a security audit. There is also KeepassXC for desktop, which has had an audit
Bitwarden, the host, is a private entity
I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.
load more comments
(1 replies)
load more comments
(7 replies)
Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.
I'm using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven't touched the configuration since; it just works automagically in the background.
Keepassxc and syncthing? Are you a clone of myself? :D
Same setup, working as a charm
load more comments
(1 replies)
load more comments
(5 replies)
Pro Tip: You don't need to give a private company all of your passwords. That literally defeats the purpose of having passwords.
Except you’re giving your passwords in an encrypted format. So if the company is trustworthy, it’s safe to let them store your passwords because it’s encrypted in such a way that even the company who own the password manager couldn’t access your passwords even if they wanted to.
(Note the caveat of “IF the company is trustworthy”, which rules out Lastpass)
Now I accept that there are legitimate arguments against storing passwords in the cloud via a password manager… so in that case, you may wish to use a local password manager (like Keepass) instead. But realistically, a typical person isn’t capable of memorising lots of unique, secure passwords… so the passwords need to be written down or stored in a password manager, just to avoid weak passwords or password reuse.
A-fucking-men... but I was always given shit for saying this.
Anything can be hacked or stolen, I don't trust any company to secure my information. :/
load more comments
(5 replies)
load more comments
(1 replies)
That's an average of over 200k each. I'm wondering how they managed to target people with so much money.
People with less might just not complain loudly
This is the best summary I could come up with:
Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service.
Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.
These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.
We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.
Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:
“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
The original article contains 363 words, the summary contains 196 words. Saved 46%. I'm a bot and I'm open source!
load more comments
(1 replies)
I mean, they've had more than long enough to change passwords.
Nobody is after your password for the Moravian rug weaving forum but in this day and age it's on you, if you know there's a breach and you don't change your banking / crypto passwords.
Cannot change crypto seed phrases (but that can be mitigated). Cannot change addresses, social security numbers etc
load more comments
(1 replies)
I don't understand saving your passwords to the cloud in the first place
It is like storing all the passwords in one convenient place that can be accessed from any location on the planet, making it the most convenient and juicy target for hackers.
Even encrypted, it just doesn't make sense.
At one of my clients, a large institution, they go further: you're not allowed to use the local browser's password manager. And still have to abide by the usual password rules: rotate every 3 months, complex passwords, etc.
As a result,, users store a plain text file on their desktop (some go as far as printing it), that conveniently allows them to retrieve their passwords.
Too much security kills security.
Forcing a password change after a period of time has shown to make people gravitate towards the simplest passwords that are still within the policy or other, even less secure, solutions. That's why security standards nowadays advise to not implement forced password changes.
load more comments
(2 replies)
view more: next ›