[mdevere]

Big fan of Bitwarden, albeit you are putting a single point of failure on all of your secure info.

I'd love to know what others do to maximise both convenience and security.

For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.

[cwalv]

> albeit you are putting a single point of failure on all of your secure info.

Depends on what failure mode you're talking about.

If you mean "I won't be able to access things when their service is down", that's not entirely accurate, because the database is synced to clients, so you just can't connect a new client or add/update entries, but existing entries are accessible.

If you mean "everything will be compromised if their service is hacked", that's not quite accurate either, because the encryption key to the database isn't stored on their servers (things are only ever decrypted on the client).

If you mean "any compromise is all/nothing", this is kindof true, but can be mitigated by keeping separate vaults, so that your most sensitive items are not kept with the ones you need routinely.

Or maybe you're thinking of some other failure mode ...

[0xEF]

Perhaps it's just an aversion to having all your eggs in one basket. I am experiencing that with Proton, atm, after having spent a year De-Googling my life and moving my mail, drive, calendar and VPN to their drop-in replacement for the same Google products. Lo and behold, the CEO has to go and share views I not only disagree with but also find dangerously aligned with people that are very much enemies of privacy and protection of PII.

The problem with buying into one entity for a bunch of these services is they eventually find a way to sour their mission or worse, bend the knee to those that seek to exploit us, leaving you with the increasingly arduous task of migrating to another competitive service.

[mmsc]

Luckily with Proton, it is incredibly easy to export everything and delete everything, unlike Google which makes it extremely difficult to delete things (notwithstanding the 2FA screen you get when deleting data from each service, which leads to "too many logins, wait 5 minutes" even if you login with the correct password/TOTP every time). I recommend downloading a "google takeout" to confirm all your data is actually gone.

[cwalv]

One of the nice things about bitwarden in particular is that they make it easy to self host (and there's vaultwarden which is even easier). There are tradeoffs, but lockin risk is minimal

[josh-sematic]

In terms of a compromise being “all or nothing,” most secure accounts should have a password (which you can manage in BitWarden) AND a second factor (ideally not tied to your phone; ex: a YubiKey). That way even in the nightmare scenario that someone gets into your password manager there’s extra legwork they’d need to do to ruin you.

[linsomniac]

>"I won't be able to access things when their service is down", that's not entirely accurate

That is entirely accurate. During their outage a few weeks ago (the first I've experienced in years of using it TBF), I wasn't able to get passwords from my browser extension, Android app, or Mac app. Maybe in theory it's not supposed to work that way, but in practice it got stuck when it couldn't reach the server and went back to the "Enter master password" page (IIRC).

[cwalv]

> ... (IIRC)

This is easy to test. Just disable your wifi and try it out

[tomasff]

Bitwarden Authenticator is a separate service. Even if you don't use bitwarden you can use this apparently

[wongarsu]

But if somebody compromised their internal infrastructure they could push out malicious updates to both the Authenticator and the clients of the password manager (most likely the browser extension), compromising both security factors at once