I've tried exporting and importing via .csv file, but it's a disaster. KeePassXC on mastodon said an import wizard for Bitwarden was in the works for 2.7.5 but I didn't see it in the changelog.
So apparently #1password is telling their users "1Password Classic will stop working soon. As of July 1, 2023, this extension will no longer be compatible with your browser." Now what this really means is that if you are not willing to trust their cloud-based storage you can kindly go fork yourself (also if you want to continue with 1Password you'll have to pay again to upgrade, which some users suspect was the point of all this in the first place). See this link:
So if you want to only store your passwords on your local machine (or on a server you control), the alternative you hear a lot about is #KeePassXC and that is certainly one alternative. But if you are used to 1Password you may think it ugly and clunky. It's not that it doesn't work, and I'm sure the penguin-heads out there would like it because it's quite configurable. But that also implies that it's a bit difficult to configure and the one thing you really can't configure is any kind of theme, and if ever a piece of software needed the ability to use alternate themes it is KeePassXC (did I mention it is ugly, especially on a Mac? Of course that is very much a matter of personal opinion! And yeah, what I really mean is it doesn't have the #MacOS look and feel, not in the slightest).
After trying that we started looking for other alternatives and came across #Enpass. It appears that the desktop version is free to use, but if you want it on your phone and you want to store more than 25 passwords you have to pay, and there are certain other conditions where you may want to or need to pay. But out of the box, so to speak, it looks MUCH nicer than #KeePassXC and also the operation seems a lot smoother and better integrated with #Firefox (once you add their Firefox extension).
Mainly we tried it on a #Mac but we also installed it on a #Linux box too (Ubuntu desktop). It looks and works a lot like 1Password (at least moreso than KeePassXC). I am not saying it is perfect and honestly if 1Password had not decided to tell their customers "use our cloud service or f**k off" (not exactly in that way, they are polite Canadians but that's how it comes across) we'd keep using it, but if they want to lay down an ultimatum and are willing to kick all their self-stored customers to the curb, so be it.
I know some people love cloud-based services and some people love 1Password and if that's you I will not try to change your mind. We definitely don't love cloud-based services, and those have already bitten users of some other password managers in the butt (coughLastpasscough), and I know the 1P folks seem to think their vaults are invincible, and maybe they are but we don't want to take the risk of them being wrong about that. But if you're also not willing to make that leap of faith and you just can't get into KeePassXC, then maybe Enpass would be a good alternative.
Oh and before anyone feels the need to note that the 1P classic software itself will probably continue to work for some time after July 1, that may be the case but you can see where they are headed and I'd rather move to something else before the day comes when 1P classic is no longer useable. And also I do know there are many other alternatives out there; I am not meaning to imply that KeePassXC or Enpass are your only choices. But I don't have time to look at all of them and also am not really interested in any programs that haven't been updated in years.
I need to collect my thoughts on this at some point, and potentially write about it in more detail. But I started using 1Password not long ago, and it's becoming quite irritating to be honest. It seems to always ask for my account password, even though I've set it to never ask. And the Safari extension seems to only autofill half the time.
Might need to try something else.
Heute zum #weltpassworttag zwei freie Passwortmanager welche ich beide sehr empfehlen kann. Welchen nutzt Du? Und wenn Du noch keinen Passwortmanager nutzt, wird's Zeit!
#KeepassXC nutze ich für #Team Arbeit, also Datenbanken mit Zugängen, die ich teile, wo nur ein einzelnes Konto möglich ist. Synchronisiert über die Projektinterne #Nextcloud.
#Bitwarden nutze ich mit eigener Instanz in Form von (#Vaultwarden) mittlerweile für alles Private, ist halt im Browser sehr angenehm und mit App auf dem Gerät echt super.
The last few days I've been contemplating just how "chicken and egg" my digital #DisasterRecovery plan is.
I #SelfHost#Bitwarden for passwords. It's backed up to #S3 - but the credentials for getting access to those backups are stored in... you guessed it, Bitwarden.
Additionally my TOTP codes are in Aegis. If my house burns down and I lose the phone I can just restore them from google. Except my Google account is in Bitwarden - and that's protected with TOTP.
I've cracked billions of #passwords from tens of thousands of #data#breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employes aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
Maybe not a big deal, but it seems like a new level for #FDroid: people paying money to promote based on F-Droid's principals, in this case, opt-out data collection is tracking.
TIL that if you (accidentally or on purpose) omit the "n" from #bitwarden's web address, you end up at a domain squatter's site serving up a revolving selection of ads, referrals, and fake security-warning popups.
@downey@markwyner
I'm a #BitWarden guy myself, so I don't have a dog in this fight, but I really don't see what all the fuss is about here. Randomized, de-identified telemetry (app usage & performance) data is not even remotely the same thing as individual user data.
We all want better usability, stability, performance, security, etc. from our apps, right? Well, anonymous telemetry data collection allows app developers to observe how their users as a whole interact with the app, the errors and UI/UX challenges they encounter, etc. Telemetry doesn't tell the app developer how you personally use the app. That level of granularity is too specific to be useful, consumes more compute time and storage than anonymized data, and comes with an extraordinary increase in liability in case of a data breach.
Why on earth would any org pay extra AWS/GCP/Azure fees to collect, process, store, and analyze data that they don't need, only to increase their liability risk?
The 4th section is the password generator: simple options compared to #Bitwarden (64 char max vs BW's 128).
Allows you to set the length and whether or not special characters should be included. This is also integrated with the login section for quick password generation.
🆕 blog! “Happy 2nd Birthday to this Bitwarden bug!”
Exactly two years ago to the day, I reported a weird little emoji bug with Bitwarden. Let's say you want a password of: ✅🐎🔋📎 (As close as possible to Correct Horse Battery Staple) That works. Emoji are stored and retrieved correctly. You can use them with any system which supports them. But you can't view […]
What most ppl outside IT don't know about passwords:
Though no one targets you specifically, you still need a good password: attackers simply try common passwords & variants with all accounts and are often lucky.
While "needs to be random" is important, this rule is more important: "unique password for each site, no exceptions": attackers use leaks from site A and try your email & password on site B.
I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend #Bitwarden and #1Password, what advantages they hold over LastPass, and why would I dare recommend yet another cloud-based password manager (because obviously the problem is the entire #cloud, not a particular company.)
So, here are my responses to all of these concerns!
Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. If you search Google for "jeremi gosney" + "lastpass" you'll find hundreds of articles where I've defended and/or pimped LastPass (including in Consumer Reports magazine). I defended it even in the face of vulnerabilities and breaches, because it had superior UX and still seemed like the best option for the masses despite its glaring flaws. And it still has a somewhat special place in my heart, being the password manager that actually turned me on to password managers. It set the bar for what I required from a password manager, and for a while it was unrivaled.
But things change, and in recent years I found myself unable to defend LastPass. I can't recall if there was a particular straw that broke the camel's back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass:
LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted. The only thing that would be worse is if...
LastPass uses shit #encryption (or "encraption", as @sc00bz calls it). Padding oracle vulnerabilities, use of ECB mode (leaks information about password length and which passwords in the vault are similar/the same. recently switched to unauthenticated CBC, which isn't much better, plus old entries will still be encrypted with ECB mode), vault key uses AES256 but key is derived from only 128 bits of entropy, encryption key leaked through webui, silent KDF downgrade, KDF hash leaked in log files, they even roll their own version of AES - they essentially commit every "crypto 101" sin. All of these are trivial to identify (and fix!) by anyone with even basic familiarity with cryptography, and it's frankly appalling that an alleged security company whose product hinges on cryptography would have such glaring errors. The only thing that would be worse is if...
LastPass has terrible secrets management. Your vault encryption key always resident in memory and never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory. If that wasn't enough, the vault recovery key and dOTP are stored on each device in plain text and can be read without root/admin access, rendering the master password rather useless. The only thing that would be worse is if...
LastPass's browser extensions are garbage. Just pure, unadulterated garbage. Tavis Ormandy went on a hunting spree a few years back and found just about every possible bug -- including credential theft and RCE -- present in LastPass's browser extensions. They also render your browser's sandbox mostly ineffective. Again, for an alleged security company, the sheer amount of high and critical severity bugs was beyond unconscionable. All easy to identify, all easy to fix. Their presence can only be explained by apathy and negligence. The only thing that would be worse is if...
LastPass's API is also garbage. Server-can-attack-client vulns (server can request encryption key from the client, server can instruct client to inject any javascript it wants on every web page, including code to steal plaintext credentials), JWT issues, HTTP verb confusion, account recovery links can be easily forged, the list goes on. Most of these are possibly low-risk, except in the event that LastPass loses control of its servers. The only thing that would be worse is if...
LastPass has suffered 7 major #security breaches (malicious actors active on the internal network) in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7. So all those "this is only an issue if LastPass loses control of its servers" vulns are actually pretty damn plausible. The only thing that would be worse is if...
LastPass has a history of ignoring security researchers and vuln reports, and does not participate in the infosec community nor the password cracking community. Vuln reports go unacknowledged and unresolved for months, if not years, if not ever. For a while, they even had an incorrect contact listed for their security team. Bugcrowd fields vulns for them now, and most if not all vuln reports are handled directly by Bugcrowd and not by LastPass. If you try to report a vulnerability to LastPass support, they will pretend they do not understand and will not escalate your ticket to the security team. Now, Tavis Ormandy has praised LastPass for their rapid response to vuln reports, but I have a feeling this is simply because it's Tavis / Project Zero reporting them as this is not the experience that most researchers have had.
You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far way as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.
So, why do I recommend Bitwarden and 1Password? It's quite simple:
I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, deep desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.
Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.
Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should start with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
I hope this clarifies things! As always, if you found this useful, please boost for reach and give me a follow for more password insights!