I am a software engineer that created a free, open source password manager to keep you safe online. AMA!

What makes your password manager better than a community open-source project (like KeePass) ?

KeePass is a great piece of software and is indeed open source as well, however, ask your non-technically inclined friend or family member to try and use it and you will quickly find that it seems to fall short. At least that has been my experience.

Why didn't you just contribute to the KeePass project to make it better?

I won't speak for him, but it isn't often feasible to "just make this better". KeePass doesn't have any kind of infrastructure. With open source one problem you'll run into often is getting your patches merged

Plus there's also the "better to burn it down and start again" that becomes necessary from time to time

Pretty much this.

I came to ask just that, and I must say that nowadays, it feels to me that the slice of people who aren't technical enough to be able to use KeePass, but still are technical enough to need a password manager is getting slimmer and slimmer.

That is to say, the aforementioned grandma probably doesn't have accounts whose passwords she needs to keep that safe. And someone with multiple accounts and passwords could most probably learn how to use KeePass, if inexpertly.

but still are technical enough to need a password manager

This is something we hope to change by creating an easier to use solution and educating users on the necessities of using a password manager. It's really quite sad how bad many people's password practices are.

What differentiates you from companies like last pass?

LastPass is very similar to bitwarden, however, it is a closed source solution. bitwarden aims to offer transparency by publishing all of the source code online for anyone to review, audit, and contribute: https://github.com/bitwarden. I believe that this is a requirement for any software that handles such sensitive data like your passwords.

Question, if later on you offer premium versions, will those versions be open source too?

Absolutely.

But I mean, couldn't people just compile that version?

I'm not saying they should, I just never understood how that worked

Not OP, but you very well could. Any meaningful premium features would probably be attached to an account and their access would depend on an external server.

This is correct.

Would I be able to host my own server instance of Bitwarden?

Since the product is open source, you certainly can do this, though there is no "happy path" documented at this time. This is something we plan to introduce as a first-class experience further down the road with enterprise support/licensing.

First of all, I've ben an early user, love the platform. Just deleted my old Lastpass account. One quick question: Do the free features become premium later on?

Thanks for using bitwarden! The plan is to offer a freemium model that will keep the current features free. Premium features will be in addition to what we offer today. Check out our Kickstarter for a better breakdown and comparison: http://kck.st/2gCsTUL

Your Kickstarter reward descriptions detail premium features including "unlimited device syncing" and "unlimited stored logins." If you're keeping current features free, what's up with those? I didn't realize there was a limit on logins or devices with the current version of Bitwarden.

Don't get me wrong, I love your software, but the reason I chose it over something like Lastpass is that it offered free syncing and didn't mention any limits.

There is currently no limit on logins or devices with the current version of bitwarden. This is just part of the Kickstarter marketing to show exactly what you get with premium as well.

That's a relief. So to be clear, which features are not offered now but will be included with premium accounts?

Currently the roadmap calls for the following premium features:

• Password sharing
• Two-factor storage for logins (TOTP)
• Additional two-factor authentication options like YubiKey

Our Kickstarter will help fund a lot of other new free features too though, like:

• Safari browser extension for Mac
• Auto-fill for Android
• Native desktop applications
• International languages
• Better documentation

So if someone gets my bitwarden password, I'm fucked?

Yes, which is why it is important to create a strong master password. This shouldn't be an issue since you only have one password to remember now.

A data security breach on your end is a larger concern for me than someone making a bruteforce attack on my particular account. Why not just use that one strong password for all accounts if using bitwarden offers essentially the same level of protection? If I used one strong password for all my accounts, an intruder would only need that one password to access all of my accounts. If I use bitwarden, the intruder would need the same information to obtain the same level of access.

A valid concern, however, the way we handle your master password renders it useless by the time it reaches our servers. Your master password is one-way hashed multiple times before it leaves your device and ultimately ends up on our server. You can read more about how we handle this data by checking out our help site Security topic: https://help.bitwarden.com/security/

You've said master password twice. You should be insisting on a master passphrase.

Correct! A more complex phase is always better than a word.

First I will say... I love what you've done and strongly support this direction of development. I honestly think this market would be at a far better state if this was the norm for business models. With that said in regards to the above statement.... This is no different then how u would hack any front end auth API once you're inside the infrastructure though. Throw some sneaky logging at the place where the hash ingresses and then obviously u know how to use it once u have said hash since the code is available. Maybe you'd need some automation code to do in realtime if the hash is timebased or session based but still feasible once you have access to said systems handling the endpoints for auth... the scariest thing for security minded users in password storage IMO is trusting others to secure their infrastructure properly and go through pen tests and meet some level of best practices compliance framework for that infrastructure. People need to trust you more than LastPass/onepassword in that respect honestly for you to stand out as a viable competitor to the close sourcers I think.

Thanks for your feedback.

One of the great things about our infrastructure security is that we do not manage any infrastructure at all. bitwarden processes and stores all data securely in the Microsoft Azure cloud using services that are managed by the team at Microsoft. Since bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees are backed by Microsoft and their cloud infrastructure.

if you're only using application platform services and not managing OS' directly that definitely significantly reduces your footprint on this front. Thanks for the clarity :)

Indeed. We don't have an infrastructure team so this is really the only way to go, though, it does cost more to operate this way.

Seems pretty unsecure for phishing/keylogging, any preventative measures such as an authenticator to prevent logging in from strange ip addresses/mac addresses?

Two-factor authentication is available for your account as well. This can be activated from our web vault: https://vault.bitwarden.com/#/login

Are there backup codes in case I lose my phone or something like that?

Not in the current release, but this has actually already been developed and will be going out with the next release very soon.

ok, good for you

Username checks out.

Yes, but that's no different than 1password, lastpass, keepass, etc.

Strong master password and lots of encryption for the data.

The main difference is that bitwarden aims to be simple to use, available on all platforms, offer a free tier that will allow you to actually use the product without being crippled, and is an open source project that is available on GitHub.

Is being open source a worrisome matter for you? In the sense that any future features can be copied. What are you planning to do in order to avoid this kind of problem and to stay profitable?

And a second question. Is transparency for BitWarden only a matter of open source code? If not, what would you additionally implement in order to increase said transparency?

This always a potential issue with open source, but the benefits far outweigh the negatives, especially when it comes to software like bitwarden that handle sensitive information: https://en.wikipedia.org/wiki/Security_through_obscurity

Has the code been audited by any 3rd party?

Being open source on GitHub provides many eyes that have validated our solution already, however, detailed audits from other security professionals are required in order to provide additional validation and credibility. This is something that we are hoping to fund through our current Kickstarter campaign: http://kck.st/2gCsTUL

Being open source on GitHub provides many eyes that have validated our solution already

To be clear, it provides the opportunity for many eyes to validate the solution. Just because it's open doesn't mean anyone has actually read it.

I'd love to read a detailed audit before using it so hopefully your campaign gets funded!

Another question: I can self-host this right or is there any component that isn't open source?

Every component is open source so you can certainly self host if you want to figure that out. Documentation for something like self-hosting is lacking currently, which is also part of our Kickstarter initiative. We hope to offer a first-class solution to self hosting further down the road with enterprise support/licensing.

Why can't I just put all my passwords in a word document on google drive and lock that with a password?

The accessibility of a password manager is a much better solution than a locked word document. bitwarden will assist you from your web browser, phone, etc by autofilling your logins for you during login or registration.

Also, I am not sure what kind of encryption (if any) is offered by locking a word document.

How do I know that you don't have access to my passwords? People seem concerned about attacks from outside sources but you would be personally building a huge database of passwords that you have back end access to.

Since your data is fully encrypted and/or hashed before ever leaving your local device, noone from the bitwarden team can ever see, read, or reverse engineer to get to your real data. bitwarden servers only store encrypted and hashed data. This is an important step that bitwarden takes to protect you.

You can read more about bitwarden security on our help site: https://help.bitwarden.com/security/

I've always wondered, whenever someone releases freeware, are donations or ads enough to keep them afloat, or is it usually like a side gig?

Ads can be a powerful revenue generator, but that won't really make sense for a piece of security software like bitwarden.

We launched our Kickstarter campaign today that introduces our premium membership that will help fund the project for years to come. Check it out: http://kck.st/2gCsTUL

Hello!

I already have 1Password downloaded on my phone and I was wondering what are the differences between bitwarden and 1Password that would make me choose one or the other?

1Password is a great application, however, like most other solutions, it is closed source software (it's also rather expensive!).

bitwarden aims to offer transparency by publishing all of the source code online for anyone to review, audit, and contribute. We believe that this is a requirement for security software that handles sensitive data like your passwords. https://github.com/bitwarden

Sounds great! Another question if you don't mind and if it hasn't been asked/answered already, wouldn't transparency by publishing all of the source code make it easier for hackers to hack and access the passwords and sensitive data that is supposed to be protected?

No, since that would be security though obscurity, which is not really security at all.

As an infosec admin, I have a big problem with "the cloud" in general. I won't use it, personally, and I'm not a fan of it professionally. Why do you think it's a smart idea for me to send all of my passwords over the internet to third-party storage, adding (at least) two additional levels of exposure to attack? Even Microsoft finally had to admit, sort of, that Wifi Sense was a stupid idea.

As ITSEC professionals, we walk the line between security and productivity for a living. Sometimes convenience has to take a back seat to security. I don't believe that people should have access to their important passwords from many devices. I think that a single encrypted storage location is a better solution.

Now, that's just my possibly over-protective opinion. I'm interested in what you can say to win me over.

Hey there. You are right. The ability to cloud sync always offers additional risk, however, these risks can be mitigated by securing the data before transmitting. All data in bitwarden is securely encrypted locally before ever leaving your device. This renders the data useless to anyone that may capture it in-flight or from bitwarden servers.

Of course the most secure way to handle your data is to never transmit it over the internet, but you will find that this creates a barrier to entry that most people will abandon quickly and therefore continue with their poor password choices.

You can read more about these practices via our Security topic on our help site: https://help.bitwarden.com/security/

So in theory, a leak of the Bitwarden database should't compromise any passwords by itself? Only if someone's master password is easily guessed or otherwise already compromised should the data be readable?

Correct.

What are the Import & Export options?

I'm using a password manager that doesn't seem to let me export the data (unless I buy a subscription). I'd like to switch or at least try a different app, but I really don't want to manually transfer my 100+ passwords.

bitwarden currently offers import options for the following platforms from our web vault (https://vault.bitwarden.com/#/login):

• bitwarden (csv)
• LastPass (csv)
• Chrome (csv)
• Firefox Password Exporter (xml)
• SafeInCloud (xml)
• SafeInCloud (csv)
• KeyPass (xml)
• Padlock (csv)
• 1Password (1pif)
• Universal Password Manager (csv)
• Keeper (csv)
• Password Dragon (xml)

We also offer export from the web vault as well at any time for free. Charging the user to export their data sounds evil. Sorry about that!

If you see one missing from this list that you need just let us know and we'll get it added. We want everyone to be able to move their data without having to do it manually if possible!

Masterlock Vault would be of interest to me.

Masterlock Vault

Can you email me via the contact form on our website? We'll discuss getting this added.

I have never used a password manager because of the phrase "Never put all your eggs in one basket". Why am I an idiot? Haha, by which I mean, what am I missing that negates the problem of someone taking ALL your passwords by gaining acces to your password manager?

This is a valid concern that many people have initially. It comes from a lack of understanding how a password manager like bitwarden works.

bitwarden encrypts your data locally on your device, which is then locked by your master password. So as long as you have a strong, secure master password your data is secure and cannot be compromised. You can read more about encryption and how bitwarden handles your data on our help site here: https://help.bitwarden.com/security/

The alternative to not using a password manager usually leads to bad password practices, which is a much worse alternative.

It's great that this software is open-source. Is there a straight-forward way to self-host a vault or server?

Since the product is open source, you certainly can do this, though there is no "happy path" documented at this time. This is something we plan to introduce as a first-class experience further down the road with enterprise support/licensing.

Thank you for your work on this important project!

Given that cloud services still have costs, what's the business model that will ensure the service is available for years to come? I'd hate to think it was all being given away for free and therefore a good tech solution would stop being available.

Thank you! We hope you enjoy it.

We launched our Kickstarter campaign today that introduces our premium membership that will help fund the project for years to come. Check it out: http://kck.st/2gCsTUL

Making this app open source won't effect it's security?

No, since that would be security though obscurity, which is not really security at all.

Donno the way this works but would't it be easier for hackers to reverse engineer the password as the code is open source?

That would mean that an application has vulnerabilities that are being hidden by the fact that it is closed source, aka, security through obscurity.

Being open source does not degrade security at all if the application is built correctly.

Hey there.

1. I've never used password managers before, but have been thinking about using one. Why should I use your product over something that's recommended on privacy activist sites such as https://privacytools.io?

2. Do you plan to have your software professionally audited at some point?

1. bitwarden provides much of the same functionality as other password managers, however, it is open source, free, and available on all of your devices. It is also much easier to use than tools like KeePass which have a large barrier to entry for non-technically inclined people.
2. Yes, we hope to fund a third-party audit with the success of our Kickstarter campaign: http://kck.st/2gCsTUL

I see. Do you have any requirements on the master passphrase that would reduced entropy (min or max characters)? Or make it more difficult to remember (capital letters and or special characters)?

We do not enforce any rules on your master password other than it much be at least 8 characters. There was a discussion about this a while back here: https://github.com/bitwarden/web/issues/3

Do you see yourself in the foreseeable future introducing a two factor authentication method, the function of which is arbitrary, but where its name involves an elaborate pun that refers to Master Blaster from Mad Max 3? Possibly in the most obscure way possible and preferably used as a double entendre for both that and your system.

Two-factor authentication is already available and can be activated on your account from your web vault. https://vault.bitwarden.com/#/login

A successful Kickstarter campaign will bring additional 2FA methods to the system like email and YubiKey. Check it out @ http://kck.st/2gCsTUL

I currently use Keepass for Android and PC

What features does your app offer over keepass (other than a more simplistic design)? Does your app have auto-fill capabilities?

We offer first-class applications on all your devices so you don't have to depend on third-party implementations like KeyPass does. Also, in my bias opinion, bitwarden is much easier to use.

We plan to bring auto-fiill to Android with the successful completing of our Kickstarter campaign: http://kck.st/2gCsTUL

Any plans for native pc/mac clients? This is currently one of my favorite parts of lastpass, I can keep passwords separately from browsers. which I know is not a normal use case, but is helpful to me for work/personal account separation.

Yes. We are currently running a Kickstarter campaign in which we hope to fund native desktop applications on Windows, macOS, and Linux. Check it out: http://kck.st/2gCsTUL

Is there any possibility of introducing nested folders in future releases? What about custom forms?

Nested folders (proper) is not on the roadmap at the moment, but we may introduce some simple design tweaks if you use a special character in your folder name. For example, we could indent a folder structure based on the > character. So you could have a folder named Emails > Work, and Emails > Home and give some appearance of hierarchy.

I just pledged to my first kickstarter, so nice job! I have been very reticent to use a password manager due to trust, but you seem to have struck a nice balance.

Would you consider adding a feature for verification questions, thus making your questions website's use when you forget password more secure?

Thanks for backing! We currently offer an optional hint that can be emailed to you if you forget your master password. Due to the way bitwarden works, there is no other way to recover your account if you forget it (your master password is required to unencrypted your data).

I was actually referring to websites that ask you for personal questions. For example, I signed into a banking site I don't normally use with my phone, and it wanted to ask a personal question to prove it is me, in addition to my saved password. I suppose it would be harder to input, but could be nice since sometimes those questions are hard to answer a couple years later.

Finally, what is the $49k going to be used for? If you don't reach your goal, what will the result be for those that pledged?

Ah I see. The "Notes" input field on the site in your vault is perfect for things like that.

The funding goal is to help pay for some of the things that are listed in the campaign description (ex. third-party audits, hosting services) as well as allow me to focus more full-time on this project.

If we do not meet the goal I will still continue working on the project no doubt, but it will just continue at a much slower pace.

My Q:

What's the best part about the development of Bitwarden?

As a software developer, I love learning new things. Mobile app development was something that I had never done until I started building bitwarden. My background has always been on the web so this was a great opportunity for me to learn some new things.

How did you get to where you are today?

eg. how did you get interested in software, uni...

I was big into computer gaming when I was younger (still am). I taught myself how to make websites and things for my online gaming clans. This ultimately led to an interest in computer science which I perused at the university level. From there I continued my passion in web development at a professional level and grew into larger roles.

How was your experience in university/college as being a software engineer? We're there any completely irrelevant subjects/ do you use much of these skills now?

I attended the University of Florida for a B.S. in Computer Science. Overall it was a great experience but you really only get out of it what you put into it. The track calls for lots of higher level maths and and all-around general education courses in addition to your core CS classes. Two classes that I wish I could go back and re-take again are discrete mathematics and data structures. These courses are extremely helpful to your life as a software engineer.

One class that I felt like I never really got a whole lot of practical application from was Numerical Analysis. Maybe the professor was just bad or maybe I just wasn't interested, but that course went way over my head and I just BS'ed by way through it.

Is Google's password manager a better option than not having a password manager at all? On the same vein, is it also much more inferior to managers like yours?

It is if you use it to save unique passwords for each service. Google's password manager used to be a nightware for security (they just stored your password in plain text) but they have made it better recently. The benefit to bitwarden is that is is cross platform and not just available on Google products. bitwarden will also assist you with generating secure passwords during site registrations. bitwarden is also entirely open source.

Three questions:

• Do I need an account on your website to use this passwordmanager?

• Do you store the user's logins on your server?

• Why is there no standalone program and just browser plugins?

I use a passwordmanager for many other things than just websites. encrypted containers, ssh/ftp logins, NAS logins, router login, etc, etc . I don't want to use the browser for this. For websites you can use the integrated password manager of your browser, no need for third party addons.

• Yes, you will need an account. This is how we keep your devices in sync.
• Yes, the logins are stored in encrypted form on our server for syncing purposes. You can read more about that here: https://help.bitwarden.com/security/
• Standalone native desktop applications in something we plan to add. We are currently running a Kickstarter campaign to try and fund these new features. Check it out: http://kck.st/2gCsTUL