[Try1275]

I am a happy user and find it very convenient but how safe is it really to have all your jewels centralized in the cloud, including 2FA. It seems such a worthwhile target.

On the other hand keeping everything in sync manually seems a hassle and in the end you just encrypt on your machine and the syncing goes through the cloud anyway, so where's the difference? I'd be happy to hear thoughts on this.

[UncleMeat]

You absolutely must be able to create unique and reasonably strong passwords for each of the services you use. This is the absolute most critical first step in account management.

From here, we can have a discussion about broad behavior and individual behavior. We observe that at scale people reuse passwords if they are not using a password manager. End of story. Getting people to use a password manager at scale is the single largest practical improvement in account security for the general population that we have available to us right now. This is even true with the risk of a vault being stolen and unlocked. I've never seen any data that even remotely challenges this point.

Cloud management of passwords is basically non-negotiable for most people. "Oh fuck, my vault was on my computer and I dropped it on the floor and the disk broke" will be a constant occurrence. Getting everybody to properly back up their vaults is not feasible at scale.

You can separately talk about specific people if you want. If you are capable of creating unique and sufficiently strong passwords for all of your accounts, then go ahead and avoid a password manager. This will mitigate a marginal risk for you.

[Tmpod]

Yeah that's a good point. I have pretty much all my passwords on BitWarden but no 2FA tokens to avoid "putting all my eggs in one basket". If you centralize both secrets, you don't really have two factors of authentication anymore. I use Aegis on mobile and pass (with otp extension) on the computer, with completely different passwords from bitwarden.

If you're worried about using Bitwarden's cloud vault, you can always spin up an instance of vaultwarden (FOSS server impl in Rust) and point your clients to it. I haven't done it myself yet (though I will likely do it) but I've heard it works really well.

[devjab]

For me it was more a matter of convenience than security. I didn’t mind using “sameish” passwords for 90% of my accounts. Good enough not to be auto-broken on one leak, really bad if someone actually targeted me. But what eventually drove me to Bitwarden was that I needed more and more different 2FA method which were all somehow linked to my phone. Many of which weren’t actually backed up. My first idea was to just use Authy, but apparently my phone number is linked to an account that isn’t mine, and their support has been unable to do anything about it, so that’s not exactly possible. So I went with Bitwarden.

I’m not too worried about the eggs in one basket. My digital national ID and my email credentials aren’t saved on my Bitwarden, so while I obviously don’t want to lose it, it also wouldn’t be the end of the world for me.

[silversmith]

I'm using keepass, and the sync does not seem to be hassle - my file lives in dropbox, and it's always been synced before I open the app on another device. Bonus - backing up the database is as easy as copy-pasting a file.

[kapep]

For anyone who wants to avoid storing the Keepass database in the cloud store I can recommend Syncthing.

For extra security I use a key file in addition to a password which I manually transfer between devices.

[ckozlowski]

I'm glad to read this, as I hit upon a similar solution for my own password store. My Keepass DB lives in Dropbox, but my key file does not. If I want to open it (along with password) on a device, I manually install the key.

I'm sure I forgo some convenience by not having field auto-populate all of the time (Keepass can do some of this, but I haven't had it work reliably), but I relax knowing I need not worry about a third-party service being hacked or my credentials being behind a paywall.

[hsbauauvhabzb]

If your data is valuable enough, or you personally have the skills for something better, then yes it’s not the greatest solution.

For the average user, it is infinitely better to use a password manager than to use hunter42 on all their accounts.

[checkyoursudo]

Guess I had better go update all my passwords to hunter43 now.

[autophagian]

For this I self-host vaultwarden (https://github.com/dani-garcia/vaultwarden), an implementation of the bitwarden server, on my raspberry pi at home (and back up the DB frequently). It works well enough for me, and doesn't have my stuff stored in a single company's cloud.

[hollander]

So what if the disk crashes? Do you keep backups? In the cloud?

[sigio]

Always have backups... but in the bitwarden/vaultwarden case (just like with git), every client has a full copy which can be syched back to a new server, so even if you lose a server, you still have all passwords on (every) client. In my case, that is multiple browser instances on multiple laptops and the bitwarden client on android.

[tuhriel]

There are different places to keep backups

My relevant data is synced regularly to my nas (running a raid-1) and I weekly back the whole thing up to an offsite disk at my parents house.

Can someone who really really want it, get to it? Sure, how big of a target am I against a cloud provider?

[hanniabu]

can't backup to usb?

[shortcake27]

Storing OTPs in your password manager is like 1.5FA. It still provides protection against phishing, brute-forcing, socially engineered password resets, so it isn’t totally useless. But it doesn’t protect against your vault getting compromised.

I keep super important 2FA codes (email, github etc) elsewhere, and for less important services, I store the OTP in my password manager.

[UncleMeat]

OTPs don't protect against phishing. You still type the TOTP in a browser window that sends it off to the attacker. Phishing SDKs automatically handle proxying the password over and then proxying the TOTP over.

[shortcake27]

Depends how sophisticated the attack is. Plenty of attacks aren’t. I could have been clearer in my comment, but what I meant was “can protect” not “guaranteed protection”, I apologise if it was taken that way.

On the topic of phishing and OTPs, storing the OTP in your password manager could actually help with phishing (opposed to storing it in an authenticator), because it will only autofill on the correct domain. This can be the difference between compromising a password or the whole account.

[LinAGKar]

Bitwarden encrypts the data locally, so it's not readable on the server. Shouldn't be any less secure than syncing your KeePass DB to the cloud

[ta8645]

Unless the client is compromised. The question becomes: do you trust Bitwarden and KeePass equally, to deliver an uncompromised client?

[aborsy]

The difference is that Bitwarden is webapp, thus serves you code in real time. The server could serve bad JavaScript to a particular user. You have to trust the server.

Also, there is a chance of data breach. The 2FA and hardware keys are bypassed in this case. It’s all your master password.

[vinckr]

>The 2FA and hardware keys are bypassed in this case. It’s all your master password.

Not sure I follow. When my master password is breached, attackers would still need to have my hardware key (which I obviously don't keep in the cloud), right?

[gchamonlive]

In case of a password breach, yes, but the comment you are responding to refers to a data breach, where somehow the attacker dumps raw database data, which is still encrypted but only by your master password, afaik.

[kpdemetriou]

Assuming the cryptography is solid (big if), you primarily have to worry about end-device compromise or a supply chain attack. Is it the latter you're worried about?