Which password manager do you use?

You aren’t handing over the keys, everything is E2E encrypted. Business model is people paying, or more specifically businesses paying.

There are paid personal plans, too. It’s $10/year if you want to store TOTP codes in Bitwarden or you want an emergency access contact. If you have more than just you and your significant other involved (i.e. sharing some logins but not everything with a teenager), you’re probably springing for the $40/year families plan.

I’m a 1password user but I think Bitwarden is solid, and very trustworthy.

There’s an argument that any password manager that uses a browser extension is ultimately going to be vulnerable to malicious code and that the safest one to use is the built-in one provided by the browser.

You could also just do it yourself on the Linux computer that we all use for our main device (right?).

That’s a very strong argument, and one I’ve made myself. Issue is none of the built-in password vaults compare to BW/1P/etc. Yet.

Also most either aren’t cross platform or don’t work like a real password manager on mobile.

This is why I have Microsoft Authenticator which does encrypted backups, and I have it set up on my current phone, old phone, and tablet.

The good password managers build in such a way that the browser (i.e. Chrome or Safari themselves, as distributed by Google/Apple) would need to be compromised. If that were to happen, the native password managers would not be safe either.

Anything can happen, of course, but the risks to a password manager are already built into the comparison to DIY password management.

Here’s what 1Password does to run its extension safely, for example. I assume Bitwarden is similar.

  • The pop-up runs outside of the web pages you visit. Only you can open and control it.
  • Inline menus are loaded in iframes, with their source set to a resource inside the extension bundle. Same-origin policy prevents pages from looking inside these iframes or interacting with their contents.
  • Messages are passed between extension components and the page using the extension messaging API rather than DOM events, so they can’t be intercepted or spoofed by untrusted web pages.
  • Parsing is done with safe, tested methods, and all input is sanitized before being displayed to prevent XSS (cross-site scripting) attacks.
  • A restrictive CSP (Content Security Policy) prevents 1Password from loading untrusted external resources.
  • Native messaging ports allow 1Password to verify the connection between the app and extension. Before accepting a connection, the 1Password app verifies the extension ID and native messaging hosts file.
  • Code signature validation makes sure the browser is properly signed on macOS and Windows. On Linux, 1Password verifies that the browser is an approved one and owned by root.
  • Secure inter-process communication means messages in transit between the 1Password app and extension are protected. Only you have the keys to access and decrypt your data.

Basically, do you trust browsers to do what they say they’ll do with content policies/sandboxing/security policies? If not, why are you using them for anything, ever?

I don’t give it much thought, at least as it pertains to password managers, because I use the version of 1password that’s an exe version predating their move online.

And if I have any trepidation about browsers because I woke up on the wrong side of paranoid some particular morning then I use Tor.

Oh, and anywhere I have money I use a 2FA fob.

So, LastPass was not encrypting the URLs and IP addresses?!?!?! Only the user names, passwords, and notes?

Thanks for posting that, as it made me go check on something that I hadn’t thought of: the PBKDF2 iterations. Sure enough, mine were set at the old default of 5000, not upgraded to their still low 100100. So, fixed but a little late.

I would assume all your passwords are freely available at 5000 iterations, certainly once this dump is widely available. Change any you care about.
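To make the iteration count concrete, here is an added example (not code from anyone in this thread, and not LastPass's or Bitwarden's own implementation) that derives a vault key with PBKDF2-HMAC-SHA256 at the old default of 5000 iterations, the later default of 100100, and the OWASP Password Storage Cheat Sheet minimum of 600000, times each derivation, and flags counts below the minimum. The master password and e-mail used as salt are constructed values; using the account e-mail as the salt is modelled on LastPass's published design and is an assumption here.

```python
import hashlib
import time

# Constructed demo values; not anyone's real credentials or vault data.
MASTER_PASSWORD = "correct horse battery staple"
# Assumption for the demo: the account e-mail serves as the PBKDF2 salt,
# as in LastPass's published design. The address itself is made up.
SALT = b"someone@example.com"

OLD_DEFAULT_ITERATIONS = 5_000      # old LastPass default mentioned in the thread
LATER_DEFAULT_ITERATIONS = 100_100  # later LastPass default mentioned in the thread
RECOMMENDED_MINIMUM = 600_000       # OWASP figure for PBKDF2-HMAC-SHA256


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def time_derivation(password: str, salt: bytes, iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation at this iteration count.

    This approximates what one offline guess against a stolen vault costs on
    comparable single-threaded hardware; GPU attackers do considerably better,
    so treat it as a lower bound on the attacker's advantage, not an upper one.
    """
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_vault_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each offline guess costs after raising the count."""
    return new_iterations / old_iterations


def audit_iterations(iterations: int, minimum: int = RECOMMENDED_MINIMUM) -> dict:
    """Report whether a vault's iteration count meets the minimum, and by what factor it falls short."""
    return {
        "iterations": iterations,
        "minimum": minimum,
        "meets_minimum": iterations >= minimum,
        "shortfall_factor": round(minimum / iterations, 2),
    }


if __name__ == "__main__":
    for count in (OLD_DEFAULT_ITERATIONS, LATER_DEFAULT_ITERATIONS, RECOMMENDED_MINIMUM):
        secs = time_derivation(MASTER_PASSWORD, SALT, count)
        report = audit_iterations(count)
        print(f"{count:>7} iterations: {secs * 1000:7.1f} ms per guess, "
              f"meets minimum: {report['meets_minimum']}, "
              f"shortfall x{report['shortfall_factor']}")
    factor = relative_guess_cost(OLD_DEFAULT_ITERATIONS, LATER_DEFAULT_ITERATIONS)
    print(f"Going from 5000 to 100100 makes every offline guess {factor:.2f}x more expensive")
```

The point the timing makes is that iteration count only multiplies the attacker's cost linearly: 5000 to 100100 is about a 20x increase, and even 100100 is roughly six times short of the OWASP minimum, which is why a weak or reused master password on a low-iteration vault should be treated as exposed once the vault data is out.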

Yeah, I’ve been changing passwords anyway. It’s a bloody pain, but it’s a good exercise to do for the important sites every so often anyway.

I preferred it when I could be assured that passwords in password managers like this were relatively safe. Love to know why there weren’t notifications/articles about the lower security (like these iterations) brought up long before now, or how I missed them if they had been. I mean, it’s great to point out the failings after a breach but why is the information so hidden from users? General users are going to be left to the wolves.

I just checked, the piece of paper that I write my passwords down onto has yet to be hacked. Well, except by my kids, they have learned how to hack the system.

Once I started having to carry a book around to manage all my passwords, which were long and unique even back before password managers were all the rage, I had to give up on that particular ‘hack-proof’ method.

I do have MFA/2FA on accounts that support it, too, but I just hate the idea of someone accessing private info even if the account holds very little of importance.

I’m mostly being sarcastic when I mention my password list. The truth is a bunch of my passwords are saved on Chromium so it’s not like they aren’t all out there in one place ready to be stolen.

There were articles, and it was talked about-- I remember increasing my iterations in 2018, before switching to Bitwarden. I don’t think LastPass itself notified users though.

I’d forgotten about my LastPass account after switching to Bitwarden. Then this morning I just got an email saying that someone had tried to log on to my LP account (oddly enough, from my city). It said you don’t have to do anything if it wasn’t you, we blocked it.

Like an idiot, I accidentally hit the link that said “Verify” and verified that it was me, duh! Hopefully since they were already blocked they moved on, but I did go in and figured out (after finally remembering my master PW!) how to completely delete my LastPass account. Hopefully that wipes out all current info on me in the LP data banks.

Welp, someone tried to log into my Discord account this morning, so I’ve been going through and changing all the important passwords. God dammit LastPass.

This is one critical bit of info that’s missing from all this: how long are ‘backups’ kept once something is deleted? I mean, you may have deleted your vault/account, but this particular breach had the LastPass vault backup taken. If the backup, say, went back six months, that means people that don’t even have an account anymore may have their data in this breach, they won’t be notified, think they don’t have to do anything and may not even know what accounts were in their vault at the time they deleted.

Would that be plausible? Businesses keep rolling backups for a very long time, depending on their requirements, even into the years. Once your LastPass info is gone from the vault, is it gone from their one and only backup and there’s no other copies anywhere?

Certainly not, it’ll be in backups for an indeterminate period of time. There’s nothing anyone can do about that. Just change your important passwords-- I know I increased my iterations back in 2018, but I sadly failed to delete my LP account, and that’s what I did. Also I deleted my LP account.

What’s this iterations thing?