I am a software engineer that created a free, open source password manager to keep you safe online. AMA!
Hey reddit. We all use the internet, so we need to be taking the proper steps to stay safe. Password re-use is a huge problem and with large data breaches becoming more and more common these days, we need to protect ourselves. Nearly 4 million data records (that we know of) are stolen online every day and chances are you've been in one of them. Using a password manager is one of the easiest things you can do to stay safe.
I'm a software architect and have worked in the credit card payment processing industry for quite some time dealing with your sensitive credit card data. Security is something I think about and work with on a daily basis. Last year I decided that there was something missing from the internet: a simple, free, open source password manager that was available on all of your devices. Sure, there are many password management applications out there, but none of them seemed to fit the bill.
After one full year of development, bitwarden has been released for free on several platforms including iOS, Android, Chrome, Firefox, Opera, and the web. You can read more about bitwarden on our website, https://bitwarden.com/.
I'll be here for the rest of the day to answer your questions about bitwarden, your password practices, online security, software development, open source, or whatever. AMA!
Links:
- Website: https://bitwarden.com/
- GitHub, source code: https://github.com/bitwarden
- Kickstarter campaign: http://kck.st/2gCsTUL
xxkylexx25 karma
KeePass is a great piece of software and is indeed open source as well, however, ask your non-technically inclined friend or family member to try and use it and you will quickly find that it seems to fall short. At least that has been my experience.
PM_YourDildoAndPussy3 karma
I won't speak for him, but it isn't often feasible to "just make this better". KeePass doesn't have any kind of infrastructure. With open source, one problem you'll run into often is getting your patches merged.
Plus there's also the "better to burn it down and start again" that becomes necessary from time to time.
FrontierPsycho3 karma
I came to ask just that, and I must say that nowadays, it feels to me that the slice of people who aren't technical enough to be able to use KeePass, but still are technical enough to need a password manager is getting slimmer and slimmer.
That is to say, the aforementioned grandma probably doesn't have accounts whose passwords she needs to keep that safe. And someone with multiple accounts and passwords could most probably learn how to use KeePass, if inexpertly.
xxkylexx3 karma
> but still are technical enough to need a password manager
This is something we hope to change by creating an easier to use solution and educating users on the necessities of using a password manager. It's really quite sad how bad many people's password practices are.
xxkylexx24 karma
LastPass is very similar to bitwarden, however, it is a closed source solution. bitwarden aims to offer transparency by publishing all of the source code online for anyone to review, audit, and contribute: https://github.com/bitwarden. I believe that this is a requirement for any software that handles sensitive data such as your passwords.
WakkkaFlakaFlame8 karma
Question, if later on you offer premium versions, will those versions be open source too?
WakkkaFlakaFlame4 karma
But I mean, couldn't people just compile that version?
I'm not saying they should, I just never understood how that worked
nodealyo12 karma
Not OP, but you very well could. Any meaningful premium features would probably be attached to an account and their access would depend on an external server.
xxkylexx5 karma
Since the product is open source, you certainly can do this, though there is no "happy path" documented at this time. This is something we plan to introduce as a first-class experience further down the road with enterprise support/licensing.
Der_Jaegar11 karma
First of all, I've been an early user, love the platform. Just deleted my old LastPass account. One quick question: Do the free features become premium later on?
xxkylexx11 karma
Thanks for using bitwarden! The plan is to offer a freemium model that will keep the current features free. Premium features will be in addition to what we offer today. Check out our Kickstarter for a better breakdown and comparison: http://kck.st/2gCsTUL
stairmast0r3 karma
Your Kickstarter reward descriptions detail premium features including "unlimited device syncing" and "unlimited stored logins." If you're keeping current features free, what's up with those? I didn't realize there was a limit on logins or devices with the current version of Bitwarden.
Don't get me wrong, I love your software, but the reason I chose it over something like Lastpass is that it offered free syncing and didn't mention any limits.
xxkylexx5 karma
There is currently no limit on logins or devices with the current version of bitwarden. This is just part of the Kickstarter marketing to show exactly what you get with premium as well.
stairmast0r3 karma
That's a relief. So to be clear, which features are not offered now but will be included with premium accounts?
xxkylexx7 karma
Currently the roadmap calls for the following premium features:
- Password sharing
- Two-factor storage for logins (TOTP)
- Additional two-factor authentication options like YubiKey
Our Kickstarter will help fund a lot of other new free features too though, like:
- Safari browser extension for Mac
- Auto-fill for Android
- Native desktop applications
- International languages
- Better documentation
xxkylexx16 karma
Yes, which is why it is important to create a strong master password. This shouldn't be an issue since you only have one password to remember now.
shitty_millennial4 karma
A data security breach on your end is a larger concern for me than someone making a bruteforce attack on my particular account. Why not just use that one strong password for all accounts if using bitwarden offers essentially the same level of protection? If I used one strong password for all my accounts, an intruder would only need that one password to access all of my accounts. If I use bitwarden, the intruder would need the same information to obtain the same level of access.
xxkylexx7 karma
A valid concern, however, the way we handle your master password renders it useless by the time it reaches our servers. Your master password is one-way hashed multiple times before it leaves your device and ultimately ends up on our server. You can read more about how we handle this data by checking out our help site Security topic: https://help.bitwarden.com/security/
-FuckYourGod9 karma
You've said master password twice. You should be insisting on a master passphrase.
zenion3 karma
First I will say... I love what you've done and strongly support this direction of development. I honestly think this market would be in a far better state if this was the norm for business models. With that said, in regards to the above statement.... This is no different than how you would hack any front-end auth API once you're inside the infrastructure though. Throw some sneaky logging at the place where the hash ingresses and then obviously you know how to use it once you have said hash since the code is available. Maybe you'd need some automation code to do it in real time if the hash is time-based or session-based, but still feasible once you have access to said systems handling the endpoints for auth... The scariest thing for security-minded users in password storage IMO is trusting others to secure their infrastructure properly and go through pen tests and meet some level of best-practices compliance framework for that infrastructure. People need to trust you more than LastPass/1Password in that respect honestly for you to stand out as a viable competitor to the closed-sourcers I think.
xxkylexx3 karma
Thanks for your feedback.
One of the great things about our infrastructure security is that we do not manage any infrastructure at all. bitwarden processes and stores all data securely in the Microsoft Azure cloud using services that are managed by the team at Microsoft. Since bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees are backed by Microsoft and their cloud infrastructure.
zenion3 karma
If you're only using application platform services and not managing OSes directly, that definitely significantly reduces your footprint on this front. Thanks for the clarity :)
xxkylexx3 karma
Indeed. We don't have an infrastructure team so this is really the only way to go, though, it does cost more to operate this way.
Slayeraustin4 karma
Seems pretty insecure for phishing/keylogging, any preventative measures such as an authenticator to prevent logging in from strange IP addresses/MAC addresses?
xxkylexx10 karma
Two-factor authentication is available for your account as well. This can be activated from our web vault: https://vault.bitwarden.com/#/login
DesTeufelsAdvokat1 karma
Are there backup codes in case I lose my phone or something like that?
xxkylexx2 karma
Not in the current release, but this has actually already been developed and will be going out with the next release very soon.
iCvDpzPQ79fG2 karma
Yes, but that's no different than 1password, lastpass, keepass, etc.
Strong master password and lots of encryption for the data.
xxkylexx2 karma
The main difference is that bitwarden aims to be simple to use, available on all platforms, offer a free tier that will allow you to actually use the product without being crippled, and is an open source project that is available on GitHub.
xxkylexx4 karma
Being open source on GitHub provides many eyes that have validated our solution already, however, detailed audits from other security professionals are required in order to provide additional validation and credibility. This is something that we are hoping to fund through our current Kickstarter campaign: http://kck.st/2gCsTUL
eiktyrner4 karma
> Being open source on GitHub provides many eyes that have validated our solution already
To be clear, it provides the opportunity for many eyes to validate the solution. Just because it's open doesn't mean anyone has actually read it.
I'd love to read a detailed audit before using it so hopefully your campaign gets funded!
Another question: I can self-host this right or is there any component that isn't open source?
xxkylexx6 karma
Every component is open source so you can certainly self host if you want to figure that out. Documentation for something like self-hosting is lacking currently, which is also part of our Kickstarter initiative. We hope to offer a first-class solution to self hosting further down the road with enterprise support/licensing.
Der_Jaegar4 karma
Is being open source a worrisome matter for you? In the sense that any future features can be copied. What are you planning to do in order to avoid this kind of problem and to stay profitable?
And a second question. Is transparency for BitWarden only a matter of open source code? If not, what would you additionally implement in order to increase said transparency?
xxkylexx9 karma
This is always a potential issue with open source, but the benefits far outweigh the negatives, especially when it comes to software like bitwarden that handles sensitive information: https://en.wikipedia.org/wiki/Security_through_obscurity
wrapped_in_clingfilm4 karma
Why can't I just put all my passwords in a word document on google drive and lock that with a password?
xxkylexx7 karma
The accessibility of a password manager is a much better solution than a locked word document. bitwarden will assist you from your web browser, phone, etc by autofilling your logins for you during login or registration.
Also, I am not sure what kind of encryption (if any) is offered by locking a word document.
Phanomenal3 karma
Hello!
I already have 1Password downloaded on my phone and I was wondering what are the differences between bitwarden and 1Password that would make me choose one or the other?
xxkylexx10 karma
1Password is a great application, however, like most other solutions, it is closed source software (it's also rather expensive!).
bitwarden aims to offer transparency by publishing all of the source code online for anyone to review, audit, and contribute. We believe that this is a requirement for security software that handles sensitive data like your passwords. https://github.com/bitwarden
Phanomenal2 karma
Sounds great! Another question if you don't mind and if it hasn't been asked/answered already, wouldn't transparency by publishing all of the source code make it easier for hackers to hack and access the passwords and sensitive data that is supposed to be protected?
xxkylexx8 karma
No, since that would be security through obscurity, which is not really security at all.
a7nth3 karma
How do I know that you don't have access to my passwords? People seem concerned about attacks from outside sources but you would be personally building a huge database of passwords that you have back end access to.
xxkylexx3 karma
Since your data is fully encrypted and/or hashed before ever leaving your local device, no one from the bitwarden team can ever see, read, or reverse engineer it to get to your real data. bitwarden servers only store encrypted and hashed data. This is an important step that bitwarden takes to protect you.
You can read more about bitwarden security on our help site: https://help.bitwarden.com/security/
MilleniumPelican3 karma
As an infosec admin, I have a big problem with "the cloud" in general. I won't use it, personally, and I'm not a fan of it professionally. Why do you think it's a smart idea for me to send all of my passwords over the internet to third-party storage, adding (at least) two additional levels of exposure to attack? Even Microsoft finally had to admit, sort of, that Wifi Sense was a stupid idea.
As ITSEC professionals, we walk the line between security and productivity for a living. Sometimes convenience has to take a back seat to security. I don't believe that people should have access to their important passwords from many devices. I think that a single encrypted storage location is a better solution.
Now, that's just my possibly over-protective opinion. I'm interested in what you can say to win me over.
xxkylexx7 karma
Hey there. You are right. The ability to cloud sync always offers additional risk, however, these risks can be mitigated by securing the data before transmitting. All data in bitwarden is securely encrypted locally before ever leaving your device. This renders the data useless to anyone that may capture it in-flight or from bitwarden servers.
Of course the most secure way to handle your data is to never transmit it over the internet, but you will find that this creates a barrier to entry that most people will abandon quickly and therefore continue with their poor password choices.
You can read more about these practices via our Security topic on our help site: https://help.bitwarden.com/security/
stairmast0r2 karma
So in theory, a leak of the Bitwarden database shouldn't compromise any passwords by itself? Only if someone's master password is easily guessed or otherwise already compromised should the data be readable?
Toastybites3 karma
I've always wondered, whenever someone releases freeware, are donations or ads enough to keep them afloat, or is it usually like a side gig?
xxkylexx6 karma
Ads can be a powerful revenue generator, but that won't really make sense for a piece of security software like bitwarden.
We launched our Kickstarter campaign today that introduces our premium membership that will help fund the project for years to come. Check it out: http://kck.st/2gCsTUL
absentwalrus2 karma
I have never used a password manager because of the phrase "Never put all your eggs in one basket". Why am I an idiot? Haha, by which I mean, what am I missing that negates the problem of someone taking ALL your passwords by gaining acces to your password manager?
xxkylexx1 karma
This is a valid concern that many people have initially. It comes from a lack of understanding how a password manager like bitwarden works.
bitwarden encrypts your data locally on your device, which is then locked by your master password. So as long as you have a strong, secure master password your data is secure and cannot be compromised. You can read more about encryption and how bitwarden handles your data on our help site here: https://help.bitwarden.com/security/
The alternative to not using a password manager usually leads to bad password practices, which is a much worse alternative.
Oilfan942 karma
What are the Import & Export options?
I'm using a password manager that doesn't seem to let me export the data (unless I buy a subscription). I'd like to switch or at least try a different app, but I really don't want to manually transfer my 100+ passwords.
xxkylexx5 karma
bitwarden currently offers import options for the following platforms from our web vault (https://vault.bitwarden.com/#/login):
- bitwarden (csv)
- LastPass (csv)
- Chrome (csv)
- Firefox Password Exporter (xml)
- SafeInCloud (xml)
- SafeInCloud (csv)
- KeePass (xml)
- Padlock (csv)
- 1Password (1pif)
- Universal Password Manager (csv)
- Keeper (csv)
- Password Dragon (xml)
We also offer export from the web vault as well at any time for free. Charging the user to export their data sounds evil. Sorry about that!
If you see one missing from this list that you need just let us know and we'll get it added. We want everyone to be able to move their data without having to do it manually if possible!
xxkylexx2 karma
> Masterlock Vault
Can you email me via the contact form on our website? We'll discuss getting this added.
Desert-Mouse2 karma
Thank you for your work on this important project!
Given that cloud services still have costs, what's the business model that will ensure the service is available for years to come? I'd hate to think it was all being given away for free and therefore a good tech solution would stop being available.
xxkylexx1 karma
Thank you! We hope you enjoy it.
We launched our Kickstarter campaign today that introduces our premium membership that will help fund the project for years to come. Check it out: http://kck.st/2gCsTUL
corner_case2 karma
It's great that this software is open-source. Is there a straight-forward way to self-host a vault or server?
xxkylexx6 karma
Since the product is open source, you certainly can do this, though there is no "happy path" documented at this time. This is something we plan to introduce as a first-class experience further down the road with enterprise support/licensing.
an_idealist1 karma
Dunno the way this works but wouldn't it be easier for hackers to reverse engineer the password as the code is open source?
xxkylexx3 karma
That would mean that an application has vulnerabilities that are being hidden by the fact that it is closed source, aka, security through obscurity.
Being open source does not degrade security at all if the application is built correctly.
ptd1631 karma
Hey there.
I've never used password managers before, but have been thinking about using one. Why should I use your product over something that's recommended on privacy activist sites such as https://privacytools.io?
Do you plan to have your software professionally audited at some point?
xxkylexx1 karma
- bitwarden provides much of the same functionality as other password managers, however, it is open source, free, and available on all of your devices. It is also much easier to use than tools like KeePass which have a large barrier to entry for non-technically inclined people.
- Yes, we hope to fund a third-party audit with the success of our Kickstarter campaign: http://kck.st/2gCsTUL
ptd1631 karma
I see. Do you have any requirements on the master passphrase that would reduce entropy (min or max characters)? Or make it more difficult to remember (capital letters and/or special characters)?
xxkylexx1 karma
We do not enforce any rules on your master password other than it must be at least 8 characters. There was a discussion about this a while back here: https://github.com/bitwarden/web/issues/3
Fluffenpuffen1 karma
Do you see yourself in the foreseeable future introducing a two factor authentication method, the function of which is arbitrary, but where its name involves an elaborate pun that refers to Master Blaster from Mad Max 3? Possibly in the most obscure way possible and preferably used as a double entendre for both that and your system.
xxkylexx1 karma
Two-factor authentication is already available and can be activated on your account from your web vault. https://vault.bitwarden.com/#/login
A successful Kickstarter campaign will bring additional 2FA methods to the system like email and YubiKey. Check it out @ http://kck.st/2gCsTUL
Skanky1 karma
I currently use Keepass for Android and PC
What features does your app offer over keepass (other than a more simplistic design)? Does your app have auto-fill capabilities?
xxkylexx1 karma
We offer first-class applications on all your devices so you don't have to depend on third-party implementations like KeePass does. Also, in my biased opinion, bitwarden is much easier to use.
We plan to bring auto-fill to Android with the successful completion of our Kickstarter campaign: http://kck.st/2gCsTUL
pwxn1 karma
Any plans for native pc/mac clients? This is currently one of my favorite parts of lastpass, I can keep passwords separately from browsers. which I know is not a normal use case, but is helpful to me for work/personal account separation.
xxkylexx1 karma
Yes. We are currently running a Kickstarter campaign in which we hope to fund native desktop applications on Windows, macOS, and Linux. Check it out: http://kck.st/2gCsTUL
LoTGoD1 karma
Is there any possibility of introducing nested folders in future releases? What about custom forms?
xxkylexx1 karma
Nested folders (proper) are not on the roadmap at the moment, but we may introduce some simple design tweaks if you use a special character in your folder name. For example, we could indent a folder structure based on the ">" character. So you could have a folder named "Emails > Work", and "Emails > Home", and give some appearance of hierarchy.
The_Other_Slim_Shady1 karma
I just pledged to my first kickstarter, so nice job! I have been very reticent to use a password manager due to trust, but you seem to have struck a nice balance.
Would you consider adding a feature for verification questions, thus making the questions websites use when you forget a password more secure?
xxkylexx1 karma
Thanks for backing! We currently offer an optional hint that can be emailed to you if you forget your master password. Due to the way bitwarden works, there is no other way to recover your account if you forget it (your master password is required to decrypt your data).
The_Other_Slim_Shady1 karma
I was actually referring to websites that ask you for personal questions. For example, I signed into a banking site I don't normally use with my phone, and it wanted to ask a personal question to prove it is me, in addition to my saved password. I suppose it would be harder to input, but could be nice since sometimes those questions are hard to answer a couple years later.
Finally, what is the $49k going to be used for? If you don't reach your goal, what will the result be for those that pledged?
xxkylexx1 karma
Ah I see. The "Notes" input field on the site in your vault is perfect for things like that.
The funding goal is to help pay for some of the things that are listed in the campaign description (ex. third-party audits, hosting services) as well as allow me to focus more full-time on this project.
If we do not meet the goal I will still continue working on the project no doubt, but it will just continue at a much slower pace.
xxkylexx2 karma
As a software developer, I love learning new things. Mobile app development was something that I had never done until I started building bitwarden. My background has always been on the web so this was a great opportunity for me to learn some new things.
heliotrope3n1 karma
How did you get to where you are today?
eg. how did you get interested in software, uni...
xxkylexx1 karma
I was big into computer gaming when I was younger (still am). I taught myself how to make websites and things for my online gaming clans. This ultimately led to an interest in computer science which I pursued at the university level. From there I continued my passion in web development at a professional level and grew into larger roles.
alucard3331 karma
How was your experience in university/college as being a software engineer? We're there any completely irrelevant subjects/ do you use much of these skills now?
xxkylexx1 karma
I attended the University of Florida for a B.S. in Computer Science. Overall it was a great experience but you really only get out of it what you put into it. The track calls for lots of higher level maths and all-around general education courses in addition to your core CS classes. Two classes that I wish I could go back and re-take again are discrete mathematics and data structures. These courses are extremely helpful to your life as a software engineer.
One class that I felt like I never really got a whole lot of practical application from was Numerical Analysis. Maybe the professor was just bad or maybe I just wasn't interested, but that course went way over my head and I just BS'ed my way through it.
readerbore1 karma
Is Google's password manager a better option than not having a password manager at all? On the same vein, is it also much more inferior to managers like yours?
xxkylexx1 karma
It is if you use it to save unique passwords for each service. Google's password manager used to be a nightmare for security (they just stored your password in plain text) but they have made it better recently. The benefit to bitwarden is that it is cross-platform and not just available on Google products. bitwarden will also assist you with generating secure passwords during site registrations. bitwarden is also entirely open source.
rimalp1 karma
Three questions:
Do I need an account on your website to use this password manager?
Do you store the user's logins on your server?
Why is there no standalone program and just browser plugins?
I use a password manager for many other things than just websites: encrypted containers, SSH/FTP logins, NAS logins, router login, etc., etc. I don't want to use the browser for this. For websites you can use the integrated password manager of your browser, no need for third-party addons.
xxkylexx1 karma
- Yes, you will need an account. This is how we keep your devices in sync.
- Yes, the logins are stored in encrypted form on our server for syncing purposes. You can read more about that here: https://help.bitwarden.com/security/
- Standalone native desktop applications are something we plan to add. We are currently running a Kickstarter campaign to try and fund these new features. Check it out: http://kck.st/2gCsTUL
xxkylexx1 karma
No, since that would be security through obscurity, which is not really security at all.
xf-31 karma
What makes your password manager better than a community open-source project (like KeePass) ?