We just moved a whole org over to Bitwarden anyway because of the way they threatened to hold free accounts hostage ("Pay us or you will not be able to access your password from mobile (or desktop) anymore").
We had previously actually planned to switch to a paid plan with them by July anyway (to nobody's surprise, management can be extremely slow to approve these things) - but their deadline was March and they way they forced our hand got management to act surprisingly quickly in transitioning us to Bitwarden.
I wonder which, excuse me, brain-dead executive honestly thought waving a pistol in users' faces like an amateur highwayman to force them to pay was by any stretch of the imagination an acceptable way to improve user confidence, especially in such a sensitive area where they store (access to) your most personal and private secrets. The same holds true for these trackers. I mean, I see all these weird decisions and just ask myself, who are these people in positions of significant power of larger companies who make such obvious, crazy bad management decisions? Whenever I meet them, they all seem so normal and well-dressed ;-) Boggles my mind every time.
I must say, for years now I've had the impression all the amazing products that LogMeIn (who own LastPass) touches, get toxic for the end-user quickly. Hamachi was so great in the olden days. GoToMeeting couldn't be rescued even by Covid. They had, at one point, one of the greatest remote desktop solutions around (which you could even completely self-host) but they were basically killed by TeamViewer because of their boneheaded licensing decisions.
Of course, TeamViewer has been going down the same drain and has significantly killed mass appeal since their IPO, which leads me to believe that this is just the "circle of liiiive"...
LogMeIn was bought a few years ago by a private equity company. The standard PE playbook is to buy things that are popular and stable but maybe not growing like this and then milk them for all they can, particularly in things that are hard to move away from (see Travis CI).
I knew that LogMeIn had acquired LastPass, but I didn't know that private equity had gobbled up LogMeIn (which used to be publicly traded on the stock market).
Apparently the private equity deal was only finalized in August of last year, see:
I'm sorry you feel like someone waved a gun at you or held your accounts hostage but damn this comment is entitled. You are talking about a _free_ service that runs on physical and expensive servers. It even offers an easy way to export your entire account in a csv. They are not doing anything wrong here other than trying to stop burning cash.
The cost of storage is marginal, 1 subscribing user subsidizes 100-1000 free users. The encryption computation is offloaded to the client as well. That's why this service is a profitable recipe for freemium. I'm sorry you're sorry about the parent commenter's experience.
There are ways to monetize a free service further and some are better than others.
Trello is currently evolving into a full-fledged project management tool and they fuel growth by adding new features to business class only. While that's not leaving the best taste either, I can understand.
When they tried to limit Trello Gold further, we retaliated so hard so, they relaxed their policies a bit.
I don't need their new features since it's not well organized for individuals but, they neither change the price of Trello Gold, nor remove features from it. It's a good compromise.
If customers had known this would happen when they put their data on LastPass, I think I would agree with you. In this case, LastPass is using a classic bait and switch tactic on their customers, which seems within their rights but is definitely not earning trust or loyalty from anybody.
Look, I get where you're coming from, but LastPass's behavior is just not clever at all. Frankly, if I had to think of a better way to antagonize my users with 100% certainty, I couldn't have done a better job myself (short of disabling free accounts overnight).
So when you're building a brand you have to ask, how much is the bad press and the millions of disappointed users worth to you? You have to understand, users you're losing this way are never coming back because you have nothing to offer them anymore. And they'll tell their friends, family, colleagues, bosses and just like that you lose a huge userbase.
OTOH, if you treat your free users with respect, chances are they'll recommend you left and right and a percentage of these recommendations is bound to convert to paying customers. Of course if you're greedy and want to milk your customers for all they're worth and you don't really care about the long-term success of your product or your brand, then by all means, go for it.
Another thought experiment: Imagine I gave you a generous gift for your birthday, like a new gaming laptop. You'd be using it for a few months, you'd finally throw out your old desktop PC and create your whole digital life around this laptop, install all your software, configure all your shortcuts etc. Then one morning I'd just show up and say, either you're paying my $$ every month from now until you die or I'll make it so that the left mouse button/half the RAM/the right screen half don't work anymore. You'd be just the tiniest bit pissed about that, wouldn't you? Sure, I'd claim that there was a file in C:\Windows\system32\drivers\etc\giftconditions-eula.txt that said I could do that anytime, too bad you didn't read it. But because while it looked like I was being generous, my goal was to trap you and then force you into a situation where it's ostensibly easier to just give me some money every month than to switch your whole life back to another system and build everything again from scratch. Additionally, even if you agreed to pay me, I'd now hide a few rootkits and trackers on the device, cause what are you gonna do? Sure, I might say, feel free to copy all your files to a USB stick and use them elsewhere (GDPR) but come on...
Yeah okay it's not the same. But can we agree that LastPass's behavior is a great example of how to make people angry at you?
One who set an expectation ought not be shocked when one's users have that expectation.
I don't think they are evil, but I do think they handled this transition poorly and with messaging that clearly didn't win their users over to their side.
Also, tracking is bad. I wouldn't do business with them on that basis.
It's not "holding your accounts hostage" when they merely cut back on what free users can do with their service. You can access your data at any time and export it to a file.
I was actually using their free tier for awhile (the Pro version didn't have any extra feature that I personally needed anyway). But when they pulled this bullshit counting on how useless the free tier will be and basically forcing the upgrade, I replaced them in like 5 minutes.
Yep, exactly. I have no problem with gentle reminders to check out pro features. Or maybe a recommendation engine ("Refer 10 of your friends to us and we'll give it to you for free"). Or making it clear to new users that the service tiers are now different and grandfathering-in the legacy free tier (like Gsuite used to do).
There's any of a dozen possibilities that allows you to monetize your service without antagonizing long-time users (if you believe LastPass really had an unsustainable ratio of free to paying customers, which I actually don't, I think they're just trying to milk it).
Adding spyware/trackers to a privacy-centric app and forcing customers to "pay up or leave" at a moment's notice, nah, there is no good excuse for that.
I also moved to Bitwarden as a result of the new policy. The UI is equily bad but I feel more secure using an open source tool that will not change their policy whenever their execs want more $$$
These aren't advertising trackers. They're not selling your data.
They're name-brand, industry-standard product analytics, for measuring the usage of app features etc. They're for improving UX and the product generally. I mean, one of them is solely for crash reporting.
This is zero privacy or security risk here. This is standard for essentially any commercial app. There is absolutely nothing unique or different or exceptional about LastPass here. And there is nothing about being a password manager that somehow makes this inappropriate. It's not like it's uploading your passwords to its analytics or anything.
Seriously, this is just spreading FUD. I get that a lot of people hate LastPass for a lot of reasons, but this isn't a good reason.
First, who said it's an issue that you have to care about? People feel different things are issues.
Not sure how facts are FUD. The submission here is saying "got 7 trackers in it" which are facts. What those trackers are tracking is irrelevant. They are tracking you and your usage, and get more information that way compared to if they only used backend tracking.
"This is standard for essentially any commercial app" sounds more like FUD that this submission, as that statement is obviously easy to check if it's true or not. In this case, I don't think it's true, as many apps don't do client-side tracking. I made a quick check for one competitor of lastpass (1password - https://reports.exodus-privacy.eu.org/en/reports/com.agilebi...) and they have 0 trackers. 1password is commercial and pretty big at this point, so your statement is not necessarily true in all industries/usages.
Of course facts aren't FUD. I'm responding to a lot of comments here which assume this is a bad thing, which I think is obviously why it's being upvoted as well.
And I'm not sure you understand the term FUD. You're saying my comment spreads fear and uncertainty? It's literally the opposite, I'm saying this particular thing isn't something to worry about.
Mobile apps aren't like webpages where most actions generate backend calls whose logs can be analyzed as an alternative. If 1password isn't using 3rd-party analytics, they probably rolled their own. No big difference. In any case, my point remains true -- client-side analytics is standard for essentially any commercial app, in order to improve the UX. There are exceptions of course, like for any rule, but it doesn't change the fact it's still standard.
I was just about to pay for my LastPass subscription (after years on being on free tier), given the recent price changes. This made me change my mind - why a password manager, which I entrust with my personal passwords, notes and credit card info, needs to dial home to 7 different trackers is just beyond relief.
I like LastPass because it works across my phone and multiple machines / browsers (I use Firefox). Can anyone please shed some light on good alternatives? I will happily pay for it.
Bitwarden is open source (with $10/year for some extra nice-to-haves if you use their hosted cloud service) and better than LastPass for me personally in pretty much every respect.
I switched approx 2 years ago after the LogMeIn acquisition and haven't regretted it.
Been hearing good things about bitwarden, just switched in about 2 minutes. As a password manager, Lastpass hasn't really improved with the times, infact it's been getting buggier and buggier with Chrome as times goes on.
It's bee a couple years but the web browser plugins for BitWarden were unreliable. Our power users made it work but our average office user complained non-stop and moved back to using notepad. Maybe BitWarden has improved since then but it was too immature to rollout to the average office user.
I also switched from LastPass. I find the Firefox Extension and Android experiences in Bitwarden much more intuitive. The autofill on Android works far better in my experience too.
Bitwarden also supports self-hosting their service.
I was an (on and off) paying LastPass user until 4 or so years ago, not because I had to, but because I felt like supporting it.
Switched to Bitwarden after Lastpass were bought and started tightening the grip I think (yep, I'm fairly sure they were testing the waters already 4 years ago).
Still pay Bitwarden (why not, the price is trivial for me at this point and they deserve it).
> Can anyone please shed some light on good alternatives?
I have been happily using Firefox's built-in password manager. Syncs seamlessly with Firefox Lockwise to provide complete integration with Android OS and presumably similar integration with iOS devices.
I wouldn't recommend it for casual users as there are definitely things that are less polished about the way it works, but for power-users it is great. The SSH key integration is really good.
1Password is the best I've seen out of several alternatives. Works flawlessly on all devices, great syncing, great UI. Highly recommended, well worth its price. Easy enough to set up that I've helped a few relatives around age 80 to get it running.
have you actually tried to use their support, it was a single guy, who wasn't helpful, when I asked for a different rep, he copped an attitude.
I still use bitwarden for personal use, but I didn't find the product (2 years ago) to be really enterprise ready. [biggest issue, when you share, you aren't sharing, you transfer your password to a group, this password is then no longer backed up, if you make a personal backup.]
The support issue was we had something go wrong with a group, and a dept. lost the passwords entered, but all the shares still pointed to it, so attempting to use it error'ed out.
I moved from LastPass to 1Password some time in early 2020 and never looked back. The browser add-in alone on 1Password is SO much faster that I feel it alone has saved me a bunch of time.
I did the same, however I wish 1password would keep my extension logged in instead of asking me to type up a convoluted password every time I open the browser.
How does one realistically type in the master password on a phone keyboard [1]? A secure password would be like 20 characters long with a mix of alphanumeric and special characters.
[1] Do these password managers even use their own keyboard, or rely on whatever insecure keyboard is installed on the mobile OS?
My MP is more than 40 chars long, but it's not really a chore to type it in considering we are texting much longer strings than that literally all the time.
Many of them support biometric authentication using Android's API.
Also, to enter the master password, all of them use whatever keyboard is installed, some of them send a message to them to work in "incognito mode" for what good that it. That said, for Keepass2Android and KeePassDX, they offer their own keyboard to enter secure credentials on sites you log into once your password manager is unlocked. That allows you to circumvent the system clipboard entirely, which is a major attack surface. Some apps also support the android autofill feature.
I moved to 1Password last month after LastPass sync got corrupted and the data would not populate my Firefox extension or my iOS app. 1Password has been an excellent replacement. I had a paid family account with LastPass previously.
Some more back story. I tried to get help from LastPass when I noticed fields for saved accounts were blank or included strange characters. After 1 week of only getting an automated reply with how to clear your local cache (which did not work) and several more attempts from my side to get help without a response, I decided to cancel. I was locked out of my bank account until I realized that I could log into my web client directly on the LastPass website (stupid panicked me). This allowed me to easily export all my data and move to 1Password. Thanks LastPass.
I've been using Keepass for years now, combined with Keepass2Android on my phone. I recently (finally) got that setup working perfectly by setting up Syncthing between my phone and computers.
Combined with an InputStick which emulates a keyboard to type a password from my phone into a computer it's plugged into, and I can efficiently get all my secrets around without involving anyone's cloud in an unencrypted capacity.
EDIT: I will note I've never bothered having browser integration though.
Be very careful with the keepass Syncthing combo. If you're not monitoring which one had changes, you could get it overwritten when you don't want it to.
> ...silly SaaS services like LastPass or Bitwarden?
...rather off-putting considering Bitwarden is nothing like LastPass in execution. For starters you don't need to pay for Bitwarden and you can run your own backend for self-host. Some of us use our password managers with others and would like to share things. I'm happy to pay for this feature.
So no, you're not required to leverage Bitwarden as SaaS like LastPass. They're not the same in that respect.
I have no affiliation with Bitwarden other than being a customer who dropped LastPass after the acquisition years ago.
If you haven't heard of it, I highly recommend checking out SQRL (secure quick reliable logon). It solves the problems of Identity on the internet in a nice, convenient, and decentralized way. While it isn't going to be widely adopted for a while, we should be talking about it anytime we see trackers in password management apps or breaches of websites.
This looks very interesting. Are there any websites or services actually using this?
The problem with the solution chosen here is that this requires yet another app for authentication and yet another account for synchronisation of credentials. If this were to be built into browsers, it might replace traditional passwords in time.
How does SQRL work when it comes to apps? Does the Android app natively support other applications calling it to authenticate? What about authenticating devices that can't run the client application (smart TVs, for example), can they still access the accounts authenticated by SQRL?
Right now, SQRL seems to be competing with Webauthn, which has been built into browsers already, but does so through an external daemon running alongside the browser. I'm not optimistic about its chances here, to be honest.
I just realized my first reply did very little to answer your questions, so I'll take a look at them one by one here:
> Are there any websites or services actually using this?
To my knowledge, there are not many (if any, besides the SQRL forums) working, live implementations out there. I played around with it and got it working on a couple of hobby projects over a weekend and it showed a lot of promise.
> The problem with the solution chosen here is that this requires yet another app for authentication and yet another account for synchronisation of credentials. If this were to be built into browsers, it might replace traditional passwords in time.
This is very true, but I believe SQRL as an open protocol will have long tail legs over time.
> How does SQRL work when it comes to apps? Does the Android app natively support other applications calling it to authenticate? What about authenticating devices that can't run the client application (smart TVs, for example), can they still access the accounts authenticated by SQRL?
At its core, SQRL is essentially a Challenge/Response mechanism. It would be possible for a device connected to a TV present a QR Code and have its session be authenticated by a device using the out of band HTTP request from the SQRL client scanning the QR Code (there are problems with this, like forwarding the QR code via a MITM attack to gain an authenticated session, however, the attacker only has a single logged in session instead of having access to a password that now needs to be changed, and any problems related to this MITM attack would also affect other user credentials like the email and password).
> Right now, SQRL seems to be competing with Webauthn, which has been built into browsers already, but does so through an external daemon running alongside the browser. I'm not optimistic about its chances here, to be honest.
Short term, I agree with this. However, long term I think WebAuthN is going to suffer from other problems which do not affect SQRL (user adoption of 2FA keys and user inconvenience in managing those 2FA items) SQRL provides some really nifty ways to transfer an identity safely to a host of other devices as well as rekeying an identity with the rescue code in the event an identity is compromised. It also doesn't require the management of those devices on any third party site.
The four PDFs present on the SQRL page to a better job explaining than I will here, however I'll summarize a bit:
The SQRL client registers the sqrl:// prefix to pass the login challenge to the SQRL client. The client, after a password or the pin (depending on if the password is present in RAM) is entered, responds to the server using signed credentials which are only valid for the domain being authenticated. That challenge creates a logged in session for the user and redirects back to the website.
There is also a QR code method of logging in, which depends on the user to confirm the domain name of the site being logged into. This is admittedly less secure, however, does provide some handy convenience when on an untrusted system by not requiring a user to give up their password. There are attacks that can be used to gain a session, however, these are thwarted when the on device authentication path is used (which requires some software to be installed on the users device)
This is interesting stuff, but as others have said they do a really bad job of presenting the what it does and how it fits it.
Having now read a lot of their docs, they don't seem to acknowledge basic things at all.
For one, the identity string it generates for a site is static, and is the only thing need to identify/log you in. They never cover that this basically _IS_ a password. If you have a this static string, you have the password for that site.
Further it sounds like the website operators also need to store these strings as plain text. I don't know how their rekeying method would work other wise.
This means to me that if a websites database is stolen, then a person with that database could impersonate everyone immediately! No need to get a password cracker out at all.
A website operator would need to completely disable all the existing keys, requiring everyone to rekey.
They have a global rekey method, but all their single site methods documented are very very manual and only possible if the site accepted you're old key.
The global rekey method is also very scary to me. You need to visit a site for the rekey to happen. They state that after a rekey it will send your current and old key over. However how many keys will it send? What happens if I have to they N times because of different site data beaches. Will sites I haven't visited no longer be usable because their key is no longer available?
All of these points have inaccuracies, and I'll run through them one by one:
> For one, the identity string it generates for a site is static, and is the only thing need to identify/log you in. They never cover that this basically _IS_ a password. If you have a this static string, you have the password for that site.
The identity generated is a public key based on a private key in the identity. You do need one password, the master password for the identity on the device for an initial decryption to make the Challenge Response work.
> Further it sounds like the website operators also need to store these strings as plain text. I don't know how their rekeying method would work other wise.
What the website stores is a public key. Rekeying works via some other cryptographic methods to create new public keys. A server, presented with a previous public key and a new public key will replace the previous key with the new key. The new key can be confirmed as belonging to the previous identity, while not able to be regenerated by the identity without the rescue code. Full disclosure: Didn't really understand the math behind it, but that's the premise of the protocol. Securing that rescue code is extremely important and it should be stored separately from the identity (think at home with you birth certificate in the event your device is stolen while you are somewhere else).
> This means to me that if a websites database is stolen, then a person with that database could impersonate everyone immediately! No need to get a password cracker out at all.
The database only contains public keys of the user for the purpose of authentication. This table could theoretically be published, the compromise of the key does not compromise the identity nor allow a thief to log on (it would obviously not protect other information tied to the user like the email, address, etc. However, its a step in the right direction because it isn't a hash of a password to be rainbow tabled or the like).
> A website operator would need to completely disable all the existing keys, requiring everyone to rekey.
The compromise of all keys in the db would not compromise any identities. If a malicious actor changed identities to their identity, then there would definitely be problem, however, the operator could restore the public keys from backup and keep moving. This is not much different from passwords today, except that the user could no longer trust the password, no trust is lost in the public key.
> They have a global rekey method, but all their single site methods documented are very very manual and only possible if the site accepted you're old key.
This is valid. I'm imagining a perfect world with a correctly implemented spec. We can all work together to make it a reality.
> The global rekey method is also very scary to me. You need to visit a site for the rekey to happen. They state that after a rekey it will send your current and old key over. However how many keys will it send? What happens if I have to they N times because of different site data beaches. Will sites I haven't visited no longer be usable because their key is no longer available?
It would be semi-true that you would lose access in a world where software is the only intervening factor. The reality here is different: The public identity is string in the DB associated with the user. A website operator can have a user come in with their birth certificate and passport or whatever, verify a user, and change their public key in the database. This would be totally out of scope of the spec, not expected behavior, and potentially compromises perfect security, but the reality we live in is imperfect.
Everything, at some level, is going to come down to trust, and anyone with DB access can do anything anywhere anytime.
EDIT: I reread this again and realize what you are talking about is the string of the public key being stored, and potentially providing an avenue for an attacker to replace that string with their own identity in order to gain authorization of that user. I do think that is a risk, however, an attacker with DB access is probably not going to waste time impersonating users: they have access to the DB directly.
This would only be a problem in the instance a users data is encrypted and can only be decrypted by the user. So logging in as the user would grant some special way of seeing their data (though even here, if the server holds all the secrets, this isn't secure).
SQRL has an answer for this, as a private key can be stored with the SQRL identity to allow data to be accessed by the user who can also prove they have access to the identity. This would allow a server to reliably store sensitive information without worrying if the public key of a user got changed to allow a malicious actor to impersonate said user.
I can only imagine this being leveraged for medical records or financial transactions, but a way is built into the protocol.
Thanks for the pointer, but I'm initially very skeptical. Not to judge a book by it's cover but that website looks like it was made in 1990. They also don't do a very good job explaining what this is. I found this:
It says "Using a SQRL app, a master identity is created and shared among the devices. Websites which support SQRL logon trigger the app to securely identify the user."
How does this happen? How can a website talk to an app?
The first document, SQRL explained, does a decent job describing how the system works. Having to download a PDF to read text on a website isn't the greatest of UX experiences.
The talking to seems to happen through a custom sqrl: URI-scheme. That's something that's supported by most platforms I know of; Steam uses the same mechanism to start installing a game you purchased in the browser, if I remember correctly.
To me, it's much more concerning that they do such a bad job of telling me what SQRL does than the fact that the page looks dated. At least it's clean-looking.
But I clicked around for a while and only found some videos that might show me what SQRL does, but I didn't actually feel like watching a video, so I still don't know.
Based on what I read, it sounds like snake oil so far. Too good to be true. I don't remember the phrase, but it suggested it would be my last password solution ever, which just sounds like snakeoil.
Also, it seems like only the Windows implementation is mature. All other implementations are by third parties and are marked as not being complete.
The spec was recently completed and there are multiple efforts to bring it into a more well rounded existence. The work is being done by volunteers, so it may take some time to become a reality across the internet, however, the seeds are all there to make it work and with some dedication from volunteers I think it has a bright future as possibly being the preferred password manager in the future. If you browse the SQRL forums, you can get an idea of where all the different efforts are playing out, but there is no real central repo of all SQRL code. https://sqrl.grc.com/
No serious user should still be using LastPass in 2021.
On a previous project the company I joined used LastPass as their password solution, we had 2 root admins, me and a senior colleague.
One day my senior colleague tries to log in to check/change a password and is unable to log in to his account. Account recovery/password lost doesn't work either. I log in to verify if his account is blocked or disabled in anyway, and I can't even find his account. The account was completely GONE. I checked the audit logs of the account (which should include user creation, deletion, logins, etc) and there is no mention of the account ever being deleted, it's like it never existed.
We contacted their support but never got a serious reply to this behavior, so we moved over to 1Password the next day and never looked back.
Stay away from LastPass, they just lose data out of nowhere and their support sucks.
Move to Bitwarden. It has a great free version but if you want to support them, you can pay 10 USD per year. Less than 1 dollar a month. Really reasonable.
Bitwarden has one critical feature that makes it unusable. For example, one feature that has been "in the works" for last 3+ years : "auto-save newly created passwords with a prompt" [0]. I understand that it is a different model than LastPass but 3y+ for a critical feature is one of the reasons BitWarden is not the first choices.
To clarify: the issue is that autosaving works only some of the time, not that it doesn't exist. From observation, it seemed to be overly keen at one point (prompting excessively) and now is very shy (not prompting even when it really should). At least that's my experience on Firefox. Seems to work better on FF/Mac than FF/Win.
I'm using pass as my password manager but I heard a lot of good about bitwarden
so I decided to give it a try, that would be one fewer thing to administrate for
me.
One very important feature for me is having a command line interface because I
have a bunch of scripts that need to be able to query the password manager.
Fortunately bitwarden provides a first party CLI that seems pretty fully
featured, so I was optimistic.
Anyway, I try to install bitwarden-cli through AUR and I see that one of the
dependencies is nodejs.
Oh no.
Right so it's a javascript thingy. I'm a bit shocked, but then I decide that I'm
being silly and it's what all the kids use these days and it's just a
programming language and who cares. So I decide to push forward and install the
binary version of the program (installed size is 65MB, as a comparison point
lastpass also provides a CLI tool written in C that's 0.2MB installed).
Since I don't know how the tool works, I decide to launch it without argument to
get the usage. It takes 0.6 seconds to display the usage. That's with a hot
cache.
Oh no.
So that's the story of how I kept using pass. I know that some people will say
that it's not that big of a deal, and I know that for bitwarden's devs it might
make sense to implement their client that way because it lets you reuse some
code and get good portability, but I just can't even. I'm running on an
overclocked desktop computer capable of executing billions of instructions per
second, I can play 4K videogames at 60 fps but apparently I get 1.6 UPS (usages
per second) with this tool. It unironically makes me sad that this is the state
of software engineering nowadays.
Reading this thread it seems like it's a mess when it comes to privacy too, so I suppose I dodged a bullet.
I agree that the Bitwarden cli is awful. You have to log in, and store the token it gives you manually so that it knows you're logged in.
However, I found https://github.com/doy/rbw , and alternative OSS cli written in Rust, and it's exactly what I wanted. (Disclaimer: I liked it so much I wrote a rofi integration for it.)
I've never had a use for a command line password manager so I've got to ask: how does this fit into your workflow? I'm honestly mostly using a password manager in my browser and on my phone; I don't need command line authentication all that often.
I didn't even know LastPass had a CLI, but it seems like it's a rewrite of the algorithm and surrounded toolset in C.
I can understand why the Bitwarden devs didn't want to go through the effort, though. The tiny minority of Linux-users that want a command-line password manager is not exactly worth a lot of development time, so I figured they just put their JS library in a NodeJS application and called it a day.
Bitwarden is a reasonable alternative, but it's important to be aware of the weak points compared to Lastpass (which IMO, makes it a good-enough-but-no-great-choice).
Autofill is relatively poor (it fails even on HN!). Also, Lastpass has a convenient timed expiry that doesn't work (well) on Bitwarden (BW will expire the login when the browser is closed).
All in all though, I do support the recommendation, in particular, because Lastpass works extremely poorly on Firefox (at least, that's what caused my switch some time ago).
> Autofill is relatively poor (it fails even on HN!).
Autofill is much more customizable than LastPass afaik. You can both define how (domain)name matching should occur as you can have multiple entries to match.
This means you can have instagram.com (as website) and androidapp://com.instagram.android (as app) which will use the same autofill entry.
If you configure name matching correctly, any site should
be able to provide autofill. My HN entry does match with news.ycombinator.com with default matching settings. But matching settings include hostname / domain name / starts with and even regex!
> Also, Lastpass has a convenient timed expiry that doesn't work (well) on Bitwarden (BW will expire the login when the browser is closed).
You can specify BW timeout settings. Even further, you can define if BW should lock the session (only a password is required to unlock) or if a sign-out is required. With a sign-out, you also need to provide your MFA if applicable.
Time outs can happen directly (after autofill), after an amount of time (1/5/15/30 minutes or 1/4 hours) or upon closing the browser.
So tbh, there is plenty to configure Bitwarden to suit your needs.
I have yet to find a site that autofill fails on. Hacker News works perfectly for me and always has.
As for Bitwarden locking (expiring) when the browser is closed, I disable that as my system is secured so locking the vault in the browser is overkill for me.
My only real complaint with Bitwarden is the macOS app lacks TouchID support.
> Autofill is relatively poor (it fails even on HN!).
In what context? I found Autofill poor on Android for FF before I gave it the "draw over other apps" permissions. Otherwise I've only seen it fail on a few sites out of hundreds, mostly with weird login flows.
> Autofill is relatively poor (it fails even on HN!)
HN Autofill works perfectly well for me with Firefox + Bitwarden extension on macOS (I know it also works with other combinations). If it does not seem to work, select a password field. Does it for me.
I feel like these trackers (Firebase Analytics and Visual Studio Crash Reporting) need to be looked at in context of the data they actually send and who they report to. According to the thread
> In the Mobile apps, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices. In the Web Vault, Stripe and PayPal scripts are used for payment processing only on payment pages.
Compare this to LastPass where it was feeding data to Google Analytics and MixPanel, which do much more invasive levels of analysis in general.
I like almost every part of the experience except an annoying issue where the autofill doesn't work on firefox android (everything latest version). it shows up 10% of the time, for a few milliseconds. I've seen similar issues dating back from a year ago (https://github.com/bitwarden/mobile/issues/784). Makes me wonder how such commonly used things can be so broken for so long (see also https://news.ycombinator.com/item?id=26296339).
I setup bitwarden_rs recently on my own server with traefik in front. I use the android app and browser plugin which point to my own instance. Currently it's only working on my home network, but I'm working from home.
This setup seems fine for me. It seems faster and snappier than Lastpass, but that might just be down to the fact it's hosted on my LAN. All in all, I'm happy I moved and happy I'm now in control of such sensitive information as my passwords.
I done the same after the first breach and when they almost doubled the yearly sub free.
Bitwarden is open source and works just fine. Had no issues with it
That's a very disingenuous way of putting it. If you use the application, there's auto update functionality (with a confirmation dialog box) if:
- You're on Windows and not using the Windows Store version or a "portable" version of the application
- You're on macOS and not using the app store version
- You're on Linux and you're using the AppImage version
Given the security-sensitive nature of the application and the target audience (mostly non-technical people), I think it's not a bad thing that this software has auto update functionality.
If you want to be free of this behaviour, you can either install the application through your system package manager/app store so you can control the update behaviour there, or run a development build of your vetted version of the source code.
You should read your own bug report for the way to disable auto-updates: either use the portable version or set the ELECTRON_NO_UPDATER=1 environment variable.
I'm not sure these trackers are the worst possible as they could be used for things like crash analytics.
However, unrelated to this specific case, I believe that mobile apps could be the one place that adblocking cannot be guaranteed to work. When things get byte-compiled, you can no longer programmatically inspect the interface and remove malicious ads like with the browser's runtime. Imagine a future where a critical feature you have to use like banking is only available through a mobile app, and this is enforced through something like a certificate check. Then they run ads over it.
DNS based blocking is not infallible either. Even today it does not work with the YouTube app, because their ads are served on the same domain as the content, so blocking one means blocking both. The only solution people have come up with is reverse engineering the official app's source code and releasing a modified version, a process that consumes far more time and effort than using something like uBlock. And this was only prioritized and accomplished because YouTube has become that important of a platform to enough people.
If there's a future where our lives depend on compiled apps, will enough people go through the same effort to sanitize all of them?
In other news, my banking app used to have 17 trackers (!) but they reduced to 6 some time ago (I pinged them about that, not sure if this was related but it's good to put some pressure on the businesses to let them know users care).
BTW CrashLytics/Firebase Analytics are a de facto standard in every Android app if you want to roll out the new versions responsibly so I'm less worried about it than some random unknown company (though this cements the Google monopoly, so yeah it sucks).
Readit News
We had previously actually planned to switch to a paid plan with them by July anyway (to nobody's surprise, management can be extremely slow to approve these things) - but their deadline was March and they way they forced our hand got management to act surprisingly quickly in transitioning us to Bitwarden.
I wonder which, excuse me, brain-dead executive honestly thought waving a pistol in users' faces like an amateur highwayman to force them to pay was by any stretch of the imagination an acceptable way to improve user confidence, especially in such a sensitive area where they store (access to) your most personal and private secrets. The same holds true for these trackers. I mean, I see all these weird decisions and just ask myself, who are these people in positions of significant power of larger companies who make such obvious, crazy bad management decisions? Whenever I meet them, they all seem so normal and well-dressed ;-) Boggles my mind every time.
I must say, for years now I've had the impression all the amazing products that LogMeIn (who own LastPass) touches, get toxic for the end-user quickly. Hamachi was so great in the olden days. GoToMeeting couldn't be rescued even by Covid. They had, at one point, one of the greatest remote desktop solutions around (which you could even completely self-host) but they were basically killed by TeamViewer because of their boneheaded licensing decisions.
Of course, TeamViewer has been going down the same drain and has significantly killed mass appeal since their IPO, which leads me to believe that this is just the "circle of liiiive"...
Apparently the private equity deal was only finalized in August of last year, see:
[1] https://www.nasdaq.com/press-release/francisco-partners-and-...
The irony of claiming this is a free service when the service uses 7 trackers. The free service is a product!
Trello is currently evolving into a full-fledged project management tool and they fuel growth by adding new features to business class only. While that's not leaving the best taste either, I can understand.
When they tried to limit Trello Gold further, we retaliated so hard so, they relaxed their policies a bit.
I don't need their new features since it's not well organized for individuals but, they neither change the price of Trello Gold, nor remove features from it. It's a good compromise.
So when you're building a brand you have to ask, how much is the bad press and the millions of disappointed users worth to you? You have to understand, users you're losing this way are never coming back because you have nothing to offer them anymore. And they'll tell their friends, family, colleagues, bosses and just like that you lose a huge userbase.
OTOH, if you treat your free users with respect, chances are they'll recommend you left and right and a percentage of these recommendations is bound to convert to paying customers. Of course if you're greedy and want to milk your customers for all they're worth and you don't really care about the long-term success of your product or your brand, then by all means, go for it.
Another thought experiment: Imagine I gave you a generous gift for your birthday, like a new gaming laptop. You'd be using it for a few months, you'd finally throw out your old desktop PC and create your whole digital life around this laptop, install all your software, configure all your shortcuts etc. Then one morning I'd just show up and say, either you're paying my $$ every month from now until you die or I'll make it so that the left mouse button/half the RAM/the right screen half don't work anymore. You'd be just the tiniest bit pissed about that, wouldn't you? Sure, I'd claim that there was a file in C:\Windows\system32\drivers\etc\giftconditions-eula.txt that said I could do that anytime, too bad you didn't read it. But because while it looked like I was being generous, my goal was to trap you and then force you into a situation where it's ostensibly easier to just give me some money every month than to switch your whole life back to another system and build everything again from scratch. Additionally, even if you agreed to pay me, I'd now hide a few rootkits and trackers on the device, cause what are you gonna do? Sure, I might say, feel free to copy all your files to a USB stick and use them elsewhere (GDPR) but come on...
Yeah okay it's not the same. But can we agree that LastPass's behavior is a great example of how to make people angry at you?
One who set an expectation ought not be shocked when one's users have that expectation.
I don't think they are evil, but I do think they handled this transition poorly and with messaging that clearly didn't win their users over to their side.
Also, tracking is bad. I wouldn't do business with them on that basis.
There's any of a dozen possibilities that allows you to monetize your service without antagonizing long-time users (if you believe LastPass really had an unsustainable ratio of free to paying customers, which I actually don't, I think they're just trying to milk it).
Adding spyware/trackers to a privacy-centric app and forcing customers to "pay up or leave" at a moment's notice, nah, there is no good excuse for that.
Not laggy rather than waiting time in the multiple seconds range.
(Some will probably think this was because of encryption but ok the same machine the Girefox extension was snappy.)
These aren't advertising trackers. They're not selling your data.
They're name-brand, industry-standard product analytics, for measuring the usage of app features etc. They're for improving UX and the product generally. I mean, one of them is solely for crash reporting.
This is zero privacy or security risk here. This is standard for essentially any commercial app. There is absolutely nothing unique or different or exceptional about LastPass here. And there is nothing about being a password manager that somehow makes this inappropriate. It's not like it's uploading your passwords to its analytics or anything.
Seriously, this is just spreading FUD. I get that a lot of people hate LastPass for a lot of reasons, but this isn't a good reason.
Not sure how facts are FUD. The submission here is saying "got 7 trackers in it" which are facts. What those trackers are tracking is irrelevant. They are tracking you and your usage, and get more information that way compared to if they only used backend tracking.
"This is standard for essentially any commercial app" sounds more like FUD that this submission, as that statement is obviously easy to check if it's true or not. In this case, I don't think it's true, as many apps don't do client-side tracking. I made a quick check for one competitor of lastpass (1password - https://reports.exodus-privacy.eu.org/en/reports/com.agilebi...) and they have 0 trackers. 1password is commercial and pretty big at this point, so your statement is not necessarily true in all industries/usages.
And I'm not sure you understand the term FUD. You're saying my comment spreads fear and uncertainty? It's literally the opposite, I'm saying this particular thing isn't something to worry about.
Mobile apps aren't like webpages where most actions generate backend calls whose logs can be analyzed as an alternative. If 1password isn't using 3rd-party analytics, they probably rolled their own. No big difference. In any case, my point remains true -- client-side analytics is standard for essentially any commercial app, in order to improve the UX. There are exceptions of course, like for any rule, but it doesn't change the fact it's still standard.
https://reports.exodus-privacy.eu.org/en/reports/com.agilebi...
I switched approx 2 years ago after the LogMeIn acquisition and haven't regretted it.
[0] https://github.com/dani-garcia/bitwarden_rs
Bitwarden also supports self-hosting their service.
Switched to Bitwarden after Lastpass were bought and started tightening the grip I think (yep, I'm fairly sure they were testing the waters already 4 years ago).
Still pay Bitwarden (why not, the price is trivial for me at this point and they deserve it).
I have been happily using Firefox's built-in password manager. Syncs seamlessly with Firefox Lockwise to provide complete integration with Android OS and presumably similar integration with iOS devices.
https://www.mozilla.org/firefox/lockwise/
However, to be clear, Lockwise also ships 2 trackers[0], although one of those appears to be an in-house telemetry tool[1].
[0] https://reports.exodus-privacy.eu.org/en/reports/mozilla.loc...
[1] https://github.com/mozilla-mobile/android-components/blob/ma...
Also, it's open source.
I still use bitwarden for personal use, but I didn't find the product (2 years ago) to be really enterprise ready. [biggest issue, when you share, you aren't sharing, you transfer your password to a group, this password is then no longer backed up, if you make a personal backup.]
The support issue was we had something go wrong with a group, and a dept. lost the passwords entered, but all the shares still pointed to it, so attempting to use it error'ed out.
[1] Do these password managers even use their own keyboard, or rely on whatever insecure keyboard is installed on the mobile OS?
Many of them support biometric authentication using Android's API.
Also, to enter the master password, all of them use whatever keyboard is installed, some of them send a message to them to work in "incognito mode" for what good that it. That said, for Keepass2Android and KeePassDX, they offer their own keyboard to enter secure credentials on sites you log into once your password manager is unlocked. That allows you to circumvent the system clipboard entirely, which is a major attack surface. Some apps also support the android autofill feature.
Alternatively you can use fingerprint unlock
Bitwarden is able to produce diceware style passwords too.
https://theworld.com/~reinhold/diceware.html
And is this a known problem of Android, that there are keyboards that can log your keys?
Some more back story. I tried to get help from LastPass when I noticed fields for saved accounts were blank or included strange characters. After 1 week of only getting an automated reply with how to clear your local cache (which did not work) and several more attempts from my side to get help without a response, I decided to cancel. I was locked out of my bank account until I realized that I could log into my web client directly on the LastPass website (stupid panicked me). This allowed me to easily export all my data and move to 1Password. Thanks LastPass.
Combined with an InputStick which emulates a keyboard to type a password from my phone into a computer it's plugged into, and I can efficiently get all my secrets around without involving anyone's cloud in an unencrypted capacity.
EDIT: I will note I've never bothered having browser integration though.
Zetetic Codebook [1] is the way to go.
Pros: • It has desktop clients • It has apps • It has secure encrypted sync • It has responsive dev team • No silly subscription model
Cons: • It doesn't have a fancy web app (but do you need one ?)
I've no affiliation apart from being a long term happy user.
[1] https://www.zetetic.net/codebook/
> ...silly SaaS services like LastPass or Bitwarden?
...rather off-putting considering Bitwarden is nothing like LastPass in execution. For starters you don't need to pay for Bitwarden and you can run your own backend for self-host. Some of us use our password managers with others and would like to share things. I'm happy to pay for this feature.
So no, you're not required to leverage Bitwarden as SaaS like LastPass. They're not the same in that respect.
I have no affiliation with Bitwarden other than being a customer who dropped LastPass after the acquisition years ago.
In addition, there are open source alternatives that have all the features you mentioned (namely the Keepass/Keeweb family).
https://www.grc.com/sqrl/sqrl.htm
Disclosure: Started looking at it this weekend after hearing about it for a couple of years and starting to help contribute to various SQRL libs
The problem with the solution chosen here is that this requires yet another app for authentication and yet another account for synchronisation of credentials. If this were to be built into browsers, it might replace traditional passwords in time.
How does SQRL work when it comes to apps? Does the Android app natively support other applications calling it to authenticate? What about authenticating devices that can't run the client application (smart TVs, for example), can they still access the accounts authenticated by SQRL?
Right now, SQRL seems to be competing with Webauthn, which has been built into browsers already, but does so through an external daemon running alongside the browser. I'm not optimistic about its chances here, to be honest.
> Are there any websites or services actually using this?
To my knowledge, there are not many (if any, besides the SQRL forums) working, live implementations out there. I played around with it and got it working on a couple of hobby projects over a weekend and it showed a lot of promise.
> The problem with the solution chosen here is that this requires yet another app for authentication and yet another account for synchronisation of credentials. If this were to be built into browsers, it might replace traditional passwords in time.
This is very true, but I believe SQRL as an open protocol will have long tail legs over time.
> How does SQRL work when it comes to apps? Does the Android app natively support other applications calling it to authenticate? What about authenticating devices that can't run the client application (smart TVs, for example), can they still access the accounts authenticated by SQRL?
At its core, SQRL is essentially a Challenge/Response mechanism. It would be possible for a device connected to a TV present a QR Code and have its session be authenticated by a device using the out of band HTTP request from the SQRL client scanning the QR Code (there are problems with this, like forwarding the QR code via a MITM attack to gain an authenticated session, however, the attacker only has a single logged in session instead of having access to a password that now needs to be changed, and any problems related to this MITM attack would also affect other user credentials like the email and password).
> Right now, SQRL seems to be competing with Webauthn, which has been built into browsers already, but does so through an external daemon running alongside the browser. I'm not optimistic about its chances here, to be honest.
Short term, I agree with this. However, long term I think WebAuthN is going to suffer from other problems which do not affect SQRL (user adoption of 2FA keys and user inconvenience in managing those 2FA items) SQRL provides some really nifty ways to transfer an identity safely to a host of other devices as well as rekeying an identity with the rescue code in the event an identity is compromised. It also doesn't require the management of those devices on any third party site.
The SQRL client registers the sqrl:// prefix to pass the login challenge to the SQRL client. The client, after a password or the pin (depending on if the password is present in RAM) is entered, responds to the server using signed credentials which are only valid for the domain being authenticated. That challenge creates a logged in session for the user and redirects back to the website.
There is also a QR code method of logging in, which depends on the user to confirm the domain name of the site being logged into. This is admittedly less secure, however, does provide some handy convenience when on an untrusted system by not requiring a user to give up their password. There are attacks that can be used to gain a session, however, these are thwarted when the on device authentication path is used (which requires some software to be installed on the users device)
Having now read a lot of their docs, they don't seem to acknowledge basic things at all.
For one, the identity string it generates for a site is static, and is the only thing need to identify/log you in. They never cover that this basically _IS_ a password. If you have a this static string, you have the password for that site.
Further it sounds like the website operators also need to store these strings as plain text. I don't know how their rekeying method would work other wise.
This means to me that if a websites database is stolen, then a person with that database could impersonate everyone immediately! No need to get a password cracker out at all.
A website operator would need to completely disable all the existing keys, requiring everyone to rekey.
They have a global rekey method, but all their single site methods documented are very very manual and only possible if the site accepted you're old key.
The global rekey method is also very scary to me. You need to visit a site for the rekey to happen. They state that after a rekey it will send your current and old key over. However how many keys will it send? What happens if I have to they N times because of different site data beaches. Will sites I haven't visited no longer be usable because their key is no longer available?
> For one, the identity string it generates for a site is static, and is the only thing need to identify/log you in. They never cover that this basically _IS_ a password. If you have a this static string, you have the password for that site.
The identity generated is a public key based on a private key in the identity. You do need one password, the master password for the identity on the device for an initial decryption to make the Challenge Response work.
> Further it sounds like the website operators also need to store these strings as plain text. I don't know how their rekeying method would work other wise.
What the website stores is a public key. Rekeying works via some other cryptographic methods to create new public keys. A server, presented with a previous public key and a new public key will replace the previous key with the new key. The new key can be confirmed as belonging to the previous identity, while not able to be regenerated by the identity without the rescue code. Full disclosure: Didn't really understand the math behind it, but that's the premise of the protocol. Securing that rescue code is extremely important and it should be stored separately from the identity (think at home with you birth certificate in the event your device is stolen while you are somewhere else).
> This means to me that if a websites database is stolen, then a person with that database could impersonate everyone immediately! No need to get a password cracker out at all.
The database only contains public keys of the user for the purpose of authentication. This table could theoretically be published, the compromise of the key does not compromise the identity nor allow a thief to log on (it would obviously not protect other information tied to the user like the email, address, etc. However, its a step in the right direction because it isn't a hash of a password to be rainbow tabled or the like).
> A website operator would need to completely disable all the existing keys, requiring everyone to rekey.
The compromise of all keys in the db would not compromise any identities. If a malicious actor changed identities to their identity, then there would definitely be problem, however, the operator could restore the public keys from backup and keep moving. This is not much different from passwords today, except that the user could no longer trust the password, no trust is lost in the public key.
> They have a global rekey method, but all their single site methods documented are very very manual and only possible if the site accepted you're old key.
This is valid. I'm imagining a perfect world with a correctly implemented spec. We can all work together to make it a reality.
> The global rekey method is also very scary to me. You need to visit a site for the rekey to happen. They state that after a rekey it will send your current and old key over. However how many keys will it send? What happens if I have to they N times because of different site data beaches. Will sites I haven't visited no longer be usable because their key is no longer available?
It would be semi-true that you would lose access in a world where software is the only intervening factor. The reality here is different: The public identity is string in the DB associated with the user. A website operator can have a user come in with their birth certificate and passport or whatever, verify a user, and change their public key in the database. This would be totally out of scope of the spec, not expected behavior, and potentially compromises perfect security, but the reality we live in is imperfect.
Everything, at some level, is going to come down to trust, and anyone with DB access can do anything anywhere anytime.
EDIT: I reread this again and realize what you are talking about is the string of the public key being stored, and potentially providing an avenue for an attacker to replace that string with their own identity in order to gain authorization of that user. I do think that is a risk, however, an attacker with DB access is probably not going to waste time impersonating users: they have access to the DB directly.
This would only be a problem in the instance a users data is encrypted and can only be decrypted by the user. So logging in as the user would grant some special way of seeing their data (though even here, if the server holds all the secrets, this isn't secure).
SQRL has an answer for this, as a private key can be stored with the SQRL identity to allow data to be accessed by the user who can also prove they have access to the identity. This would allow a server to reliably store sensitive information without worrying if the public key of a user got changed to allow a malicious actor to impersonate said user. I can only imagine this being leveraged for medical records or financial transactions, but a way is built into the protocol.
https://sqrl.grc.com/pages/introductory_questions_and_answer...
It says "Using a SQRL app, a master identity is created and shared among the devices. Websites which support SQRL logon trigger the app to securely identify the user."
How does this happen? How can a website talk to an app?
Also where is the source code?
The talking to seems to happen through a custom sqrl: URI-scheme. That's something that's supported by most platforms I know of; Steam uses the same mechanism to start installing a game you purchased in the browser, if I remember correctly.
Source code for several implementations is linked in the explainer document from the home page: https://www.grc.com/sqrl/SQRL_Explained.pdf
I'm not sure if the Windows implementation is open source, but the algorithm itself is.
But I clicked around for a while and only found some videos that might show me what SQRL does, but I didn't actually feel like watching a video, so I still don't know.
Based on what I read, it sounds like snake oil so far. Too good to be true. I don't remember the phrase, but it suggested it would be my last password solution ever, which just sounds like snakeoil.
Also, it seems like only the Windows implementation is mature. All other implementations are by third parties and are marked as not being complete.
https://security.christmas/2019/2
On a previous project the company I joined used LastPass as their password solution, we had 2 root admins, me and a senior colleague.
One day my senior colleague tries to log in to check/change a password and is unable to log in to his account. Account recovery/password lost doesn't work either. I log in to verify if his account is blocked or disabled in anyway, and I can't even find his account. The account was completely GONE. I checked the audit logs of the account (which should include user creation, deletion, logins, etc) and there is no mention of the account ever being deleted, it's like it never existed.
We contacted their support but never got a serious reply to this behavior, so we moved over to 1Password the next day and never looked back.
Stay away from LastPass, they just lose data out of nowhere and their support sucks.
[0] https://github.com/bitwarden/browser/issues/320
PS - If this issue does not occur for you personally, great but it does not for me and many others. Thus, it is unreliable.
One very important feature for me is having a command line interface because I have a bunch of scripts that need to be able to query the password manager. Fortunately bitwarden provides a first party CLI that seems pretty fully featured, so I was optimistic.
Anyway, I try to install bitwarden-cli through AUR and I see that one of the dependencies is nodejs.
Oh no.
Right so it's a javascript thingy. I'm a bit shocked, but then I decide that I'm being silly and it's what all the kids use these days and it's just a programming language and who cares. So I decide to push forward and install the binary version of the program (installed size is 65MB, as a comparison point lastpass also provides a CLI tool written in C that's 0.2MB installed).
Since I don't know how the tool works, I decide to launch it without argument to get the usage. It takes 0.6 seconds to display the usage. That's with a hot cache.
Oh no.
So that's the story of how I kept using pass. I know that some people will say that it's not that big of a deal, and I know that for bitwarden's devs it might make sense to implement their client that way because it lets you reuse some code and get good portability, but I just can't even. I'm running on an overclocked desktop computer capable of executing billions of instructions per second, I can play 4K videogames at 60 fps but apparently I get 1.6 UPS (usages per second) with this tool. It unironically makes me sad that this is the state of software engineering nowadays.
Reading this thread it seems like it's a mess when it comes to privacy too, so I suppose I dodged a bullet.
However, I found https://github.com/doy/rbw , and alternative OSS cli written in Rust, and it's exactly what I wanted. (Disclaimer: I liked it so much I wrote a rofi integration for it.)
I didn't even know LastPass had a CLI, but it seems like it's a rewrite of the algorithm and surrounded toolset in C.
I can understand why the Bitwarden devs didn't want to go through the effort, though. The tiny minority of Linux-users that want a command-line password manager is not exactly worth a lot of development time, so I figured they just put their JS library in a NodeJS application and called it a day.
Autofill is relatively poor (it fails even on HN!). Also, Lastpass has a convenient timed expiry that doesn't work (well) on Bitwarden (BW will expire the login when the browser is closed).
All in all though, I do support the recommendation, in particular, because Lastpass works extremely poorly on Firefox (at least, that's what caused my switch some time ago).
Autofill is much more customizable than LastPass afaik. You can both define how (domain)name matching should occur as you can have multiple entries to match.
This means you can have instagram.com (as website) and androidapp://com.instagram.android (as app) which will use the same autofill entry.
If you configure name matching correctly, any site should be able to provide autofill. My HN entry does match with news.ycombinator.com with default matching settings. But matching settings include hostname / domain name / starts with and even regex!
> Also, Lastpass has a convenient timed expiry that doesn't work (well) on Bitwarden (BW will expire the login when the browser is closed).
You can specify BW timeout settings. Even further, you can define if BW should lock the session (only a password is required to unlock) or if a sign-out is required. With a sign-out, you also need to provide your MFA if applicable.
Time outs can happen directly (after autofill), after an amount of time (1/5/15/30 minutes or 1/4 hours) or upon closing the browser.
So tbh, there is plenty to configure Bitwarden to suit your needs.
As for Bitwarden locking (expiring) when the browser is closed, I disable that as my system is secured so locking the vault in the browser is overkill for me.
My only real complaint with Bitwarden is the macOS app lacks TouchID support.
In what context? I found Autofill poor on Android for FF before I gave it the "draw over other apps" permissions. Otherwise I've only seen it fail on a few sites out of hundreds, mostly with weird login flows.
HN Autofill works perfectly well for me with Firefox + Bitwarden extension on macOS (I know it also works with other combinations). If it does not seem to work, select a password field. Does it for me.
Deleted Comment
Huh, weird, it works fine for me in Firefox.
https://community.bitwarden.com/t/remove-embedded-trackers-f...
> In the Mobile apps, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices. In the Web Vault, Stripe and PayPal scripts are used for payment processing only on payment pages.
Compare this to LastPass where it was feeding data to Google Analytics and MixPanel, which do much more invasive levels of analysis in general.
Deleted Comment
I like almost every part of the experience except an annoying issue where the autofill doesn't work on firefox android (everything latest version). it shows up 10% of the time, for a few milliseconds. I've seen similar issues dating back from a year ago (https://github.com/bitwarden/mobile/issues/784). Makes me wonder how such commonly used things can be so broken for so long (see also https://news.ycombinator.com/item?id=26296339).
This setup seems fine for me. It seems faster and snappier than Lastpass, but that might just be down to the fact it's hosted on my LAN. All in all, I'm happy I moved and happy I'm now in control of such sensitive information as my passwords.
https://github.com/bitwarden/desktop/issues/552
The issue has been reported and they refuse to fix it.
This bug renders the Bitwarden encryption irrelevant, as the Bitwarden devs can always access your passwords regardless if they choose.
- You're on Windows and not using the Windows Store version or a "portable" version of the application - You're on macOS and not using the app store version - You're on Linux and you're using the AppImage version
Given the security-sensitive nature of the application and the target audience (mostly non-technical people), I think it's not a bad thing that this software has auto update functionality.
If you want to be free of this behaviour, you can either install the application through your system package manager/app store so you can control the update behaviour there, or run a development build of your vetted version of the source code.
However, unrelated to this specific case, I believe that mobile apps could be the one place that adblocking cannot be guaranteed to work. When things get byte-compiled, you can no longer programmatically inspect the interface and remove malicious ads like with the browser's runtime. Imagine a future where a critical feature you have to use like banking is only available through a mobile app, and this is enforced through something like a certificate check. Then they run ads over it.
DNS based blocking is not infallible either. Even today it does not work with the YouTube app, because their ads are served on the same domain as the content, so blocking one means blocking both. The only solution people have come up with is reverse engineering the official app's source code and releasing a modified version, a process that consumes far more time and effort than using something like uBlock. And this was only prioritized and accomplished because YouTube has become that important of a platform to enough people.
If there's a future where our lives depend on compiled apps, will enough people go through the same effort to sanitize all of them?
https://reports.exodus-privacy.eu.org/en/reports/search/com....
BTW CrashLytics/Firebase Analytics are a de facto standard in every Android app if you want to roll out the new versions responsibly so I'm less worried about it than some random unknown company (though this cements the Google monopoly, so yeah it sucks).