Hacker News new | ask | show | jobs
by tptacek 2743 days ago
Many of these have had audits, not just this Bitwarden audit. There are some disquieting things in that audit, for what it's worth.

I don't understand how this information is actionable. It would be worth knowing whether something has _ever_ been audited (again: most of the major password managers have been), but just knowing an audit has been done isn't sufficient to know whether it's secure.
1 comments
beatgammit 2743 days ago
Sure, but if it has been audited, it's more likely that security issues were found and resolved than if it hasn't gone through one.

Our company went through an audit and did quite well, and we fixed most of the findings. However, I know for a fact that there are things we can do to improve that weren't covered.

Not all audits are created equal, no audit will catch everything, and there's no guarantee that findings were patched sufficiently. However, I feel much better knowing that an audit was done, which means the author cares at least somewhat about security.

link
tptacek 2743 days ago
I think Scott knows that most of these other password managers have been audited, and I know he knows audits are of varying quality and are virtually never conclusive, so I'm not sure what he's trying to say by pointing Bitwarden's audit out.
link
CiPHPerCoder 2743 days ago
I thought the checklist was aiming to be comprehensive and that the omission of the audits was an oversight.

The one for bitwarden being, as you said, disquieting, makes its omission a little suspicious.

link
jik 2742 days ago
We didn't use the word "comprehensive", "complete", or "thorough", and obviously we didn't include every password manager in our evaluation, so I'm not sure what reason you have to believe that we were aiming to be "comprehensive."

We were aiming to evaluate the features / issues we care about against the password managers we were most likely to want to use. We published the results of our evaluation because we thought it might be useful to some people, not because we thought or intended for it to be all things to all people.

We didn't include security audits in our evaluation because, we are skeptical of their value and do not consider them a significant differentiator.

For example, in our experience trying to keep our own application secure, our HackerOne bug-bounty program has identified far more issues than the white-box security audits we've commissioned, at far lower cost.

link