Password Managers
-
@dashrender said in Password Managers:
@jasgot said in Password Managers:
@rojoloco said in Password Managers:
@eddiejennings said in Password Managers:
I was a LastPass customer who turned to BitWarden.
BitWarden here too, still trying to get management buy in to deploy it for everyone.
@eddiejennings said in Password Managers:
I was a LastPass customer who turned to BitWarden.
I'm trying to wrap my head around the idea of my passwords being stored on someone else's storage; in the cloud.
How do you reconcile this? What specifically makes you think it is safe to do so?
I have been avoiding password managers for years because I simply don't trust other people or organizations with my passwords. But I am finding the sheer number of passwords I have -- to be getting too cumbersome to manage; so I am considering it again.
LastPass does all the work locally only. Only the encrypted blob and your email address are stored on their system.
That's normal. I don't know anyone who does it otherwise; that's considered base functionality to be considered a viable password manager.
-
Still using LastPass Families. Works well for us, no reason to switch to something else.
-
@scottalanmiller said in Password Managers:
You are asking them to store the ENCRYPTED data of your passwords. You don't have to trust anyone. You should still use a vendor you trust, of course, but there's no need for trust. That's the point.
If you use an online password manager or anything not open source you still have to trust them.
Because you don't know what they do with your master password, encryption keys and other things.
Lastpass for example has passed security audits but still has had multiple breaches. There also have been examples of malicious browser extensions grabbing passwords.
As with anything, "safe" doesn't really mean safe, it means a little bit safe. And often safe enough - depending on what you are protecting.
-
@pete-s said in Password Managers:
Because you don't know what they do with your master password, encryption keys and other things.
Last I saw, LastPass doesn't have your master password.
LP stores a hash of your email address and master password on your computer (not its servers), which it uses as an encryption key to encode your log-in details for other sites (with a 256-bit AES cypher), before storing them on its servers.
They don't know your details or encryption key, so they create a unique ID token for you by hashing your password and local encryption key together. That ID token is then hashed with a random number when you create your account.
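The key split described in this post, as an added illustration that is not LastPass's, Bitwarden's or any poster's code: the vault key is derived on the client from email and master password, a separate login token is derived from the vault key and the password, and the service only ever holds the email, a salted hash of that token and the encrypted blob. PBKDF2 round counts are assumptions, and an HMAC-SHA256 counter-mode construction stands in for AES-256 so the example needs only the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed illustration, not any vendor's code. The PBKDF2 round counts
# and the stdlib cipher construction are assumptions, not vendor parameters.
CLIENT_ROUNDS = 100_100   # assumed client-side PBKDF2 rounds
SERVER_ROUNDS = 100_000   # assumed extra rounds applied by the service

def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client-only secret: master password stretched with the email as salt. Never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), CLIENT_ROUNDS)

def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Login token: one more round over the vault key, so the server never sees the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256 (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong master password or a tampered blob fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault blob tampered or wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def enrol(email: str, master_password: str, vault_json: bytes) -> dict:
    """Everything the service ends up holding; note the vault key is not in it."""
    vault_key = derive_vault_key(email, master_password)
    token = derive_auth_token(vault_key, master_password)
    salt = os.urandom(16)  # the "random number" the token is hashed with on signup
    return {"email": email, "salt": salt, "blob": encrypt_vault(vault_key, vault_json),
            "auth_hash": hashlib.pbkdf2_hmac("sha256", token, salt, SERVER_ROUNDS)}
```

A breach of the stored record yields only the salted auth hash and the blob; opening the blob still requires the master password, which is why the strength of that one password and the round count matter.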
-
@obsolesce said in Password Managers:
Last I saw
So you have validated their source code? Or did you read it from their webpage?
Just to be clear, I'm not saying Lastpass doesn't do what they say they do. I only state that you don't know.
I'm sure their intentions are good but software is not perfect. That's why there are plenty of vulnerabilities and bugs in everything.
-
@pete-s said in Password Managers:
That's why there are plenty of vulnerabilities and bugs in everything.
You can't take from them something they don't have...
-
@pete-s said in Password Managers:
If you use an online password manager or anything not open source you still have to trust them.
You still have to simply trust open source.
Can you read all the code and know that their encryption is valid? That there are no exploitable bugs?
-
@jaredbusch said in Password Managers:
@pete-s said in Password Managers:
If you use an online password manager or anything not open source you still have to trust them.
You still have to simply trust open source.
Can you read all the code and know that their encryption is valid? That there are no exploitable bugs?
True, but it's a lot easier to put more trust in something that is completely transparent and can be verified by independent sources.
-
For what it's worth: https://github.com/bitwarden
-
@eddiejennings said in Password Managers:
For what it's worth: https://github.com/bitwarden
Yeah, that's what makes it my top choice today, I think.
-
People that are using bitwarden, are you self-hosting?
-
@krzykat no
-
@krzykat said in Password Managers:
People that are using bitwarden, are you self-hosting?
No, but it is on our radar to consider soon as we keep growing and it becomes more important, and more cost effective, once you get to any size.
-
New gig is using Bitwarden, converting from Zoho Vault
-
@jt1001001 said in Password Managers:
New gig is using Bitwarden, converting from Zoho Vault
Interesting. Is it self-hosted? Do you know the reason for the move?
-
Yet another +1 for using Bitwarden and not self-hosting. I actually did self-host it for a bit a couple of years ago, but changed my mind and moved to their hosted service.
-
@Pete-S I have no idea why they moved. I guess the higher-ups want to migrate? Cost I think is about the same. We are not self-hosted, only 15 users so far.
-
Bitwarden for home, and Dashlane at work currently
-
So I have been using BitWarden since this conversation started. I have to say I like it. I think I am ready to remove all the saved passwords from Edge and Chrome. Would this be the next step?
It's a wee bit scary. But BitWarden does claim to have the same number of passwords as my Edge and Chrome, and the BitWarden password tool is working!