[HN Gopher] Bitwarden Acquires Passwordless.dev
___________________________________________________________________
Bitwarden Acquires Passwordless.dev
Author : xxkylexx
Score : 392 points
Date : 2023-01-18 15:11 UTC (7 hours ago)
(HTM) web link (bitwarden.com)
(TXT) w3m dump (bitwarden.com)
| ohCh6zos wrote:
| I'm highly skeptical of Passkeys/Webauthn as it would seem to not
| have the same legal protections that a password has in the US.
| Maybe this is me becoming a conspiracy theorist.
| qzx_pierri wrote:
| I'm in the same boat. Using Passkeys gives the user less
| control. The last thing I need is another layer of complexity
| when dealing with credentials. This seems like a solution
| created for people too lazy to generate and track secure
| secrets (using a password manager).
|
| It also seems like a way companies like Google would lock
| people into their browser.
| 9dev wrote:
| Well, passkeys come with another very interesting property:
| they make it entirely useless to obtain the database of user
| credentials from services. It only contains public keys
| specific to a single service, so you cannot use them anywhere
| else. Additionally, private keys are stored on secure storage
| in client devices (or need to be decrypted themselves using a
| second factor), so there's pretty much 0% risk of mass
| credential leakage.
| secabeen wrote:
| > they make it entirely useless to obtain the database of
| user credentials from services. It only contains public
| keys specific to a single service, so you cannot use them
| anywhere else.
|
| This is also the case for anyone using unique passwords per
| site, which is the standard for password vault users. Not
| much of a win there.
|
| > Additionally, private keys are stored on secure storage
| in client devices (or need to be decrypted themselves using
| a second factor)
|
| Also exactly the same as password vaults, but we still
| stress about Lastpass losing their encrypted vault DB.
|
| I agree that Passkeys appear to bring the benefits of
| Password Vaults to people not currently using them in a
| fairly easy way. However, I worry about access to those
| passkeys when access to the Passkey provider is
| lost/revoked.
| 9dev wrote:
| No, you misunderstood me. Passkeys remove the _incentive_
| to attack auth infrastructure in the first place, because
| a database of WebAuthn credentials isn't useful _to
| criminals_ compared to a database full of password
| hashes. This isn't about the handful of tech-savvy users
| who know how to protect their privacy anyway, but all the
| others which constantly reuse their insecure passwords
| and won't use password managers.
| tmerc wrote:
| This is conspiracy theorist talk until it isn't and that date
| will be not long after this is more commonly used. (I think
| this is a rational concern, btw)
|
| The current legal climate is mixed but we have court cases that
| claim biometrics are not covered by the 4th and 5th. We also
| have the opposite. The reasoning being that producing
| biometrics is not testimonial. Until decided by the Supreme
| Court, I'll assume that anything that can be produced without
| my mind is not covered and that includes this.
|
| I am not a lawyer and this is not legal advice.
| tr33house wrote:
| I like where passwordless.dev is going. However, I don't think
| I'd like to build a business on top of that. Is there a similar
| implementation that's open-source that doesn't depend on a third
| party?
| jlundberg wrote:
| The core technology behind passwordless.dev is actually open
| source.
|
| https://github.com/passwordless-lib/fido2-net-lib
| jaywalk wrote:
| You can do all of it yourself, it's all based on open
| standards. Their value proposition is that by paying them, you
| don't have to DIY.
| judge2020 wrote:
| This seems a bit odd to me - is setting up WebAuthn in your main
| backend so hard that an external service like this for validating
| credentials is required?
| 9dev wrote:
| I recently implemented WebAuthn for a toy project, and while it
| took a bit to wrap my head around the details, it's fairly
| straightforward if you know the problem domain a bit.
|
| I'd say we're going to see polished libraries soon that will
| abstract all the details away, but services like this may help
| less experienced developers to quickly get secure auth working.
| cormacrelf wrote:
| Quoting the docs: it's "WebAuthn - without reading the w3c
| spec". So apparently yes. It does seem very silly that this has
| to be a third party service instead of open source code you
| just plug in to Rails or whatever. I guess they had to find
| some way to get paid for all the expertise they accumulated.
| Stuff running on external servers is the way tech companies as
| a whole have decided to remunerate work like that, and now
| everything looks like a nail. I note that since logging in is
| such a crucial part of online business, running consulting
| around open source software would appear to be a good model.
| That's what the people behind the C# OAuth2/OpenID code known
| as IdentityServer do.
| Jerrrry wrote:
| Your passwords shouldn't leave your device.
|
| Chrome's password manager is pushing it.
|
| Everything else should be considered malware.
|
| I don't understand how such a 'techy' crowd here on HN can be so
| belligerent with this security vs convenience trade off.
|
| KeePass locally, gmail yourself an encrypted backup. That's it.
| FFS.
| eli wrote:
| How is "gmail yourself an encrypted backup" fine but "store a
| copy of the encrypted vault in a cloud service designed for
| this purpose" not?
| Accacin wrote:
| I'm surprised someone as techy as the parent even uses Google
| if I'm honest.
| ffstroll wrote:
| One is an encrypted blob in the cloud, the other is an
| encrypted file in your email in the cloud. That's it. FFS.
| RockRobotRock wrote:
| You don't know what you're talking about.
| thesh4d0w wrote:
| If the key to decrypt the vault never leaves your device, then
| the security implications are minimal. Well worth the
| convenience in my eyes, and many others apparently.
| advisedwang wrote:
| This push is because there's a lot of people using weak, reused
| passwords out there, who are not willing (or capable in cases)
| of self-managing a password manager. For the people in my
| life in this position, I would much rather them use lastpass or
| bitwarden or _anything_ over continuing their current practice.
| The risk of a lost password from one of those services is much
| lower than of them getting hit by password stuffing or getting
| a password brute-forced.
|
| For a technical person I would advise a better solution, but
| the reason these solutions are being pushed is for widespread
| adoption of better password practices.
| probabletrain wrote:
| Keeping your passwords on your device (and also in Gmail?)
| might work for you, but a password store that I can't
| conveniently access from both my computer and phone isn't
| useful to me, and I suspect, many others.
| xwowsersx wrote:
| Could someone clarify what the relationship between passkeys and
| WebAuthn is? Is it that Passkey is the Apple, Google, Microsoft
| _implementation_ (commercialization?) of WebAuthn? If so, does it
| add anything on top of WebAuthn that makes it differ in some
| fundamental way? Also, are passkeys how WebAuthn is most commonly
| actually used in practice? Apologies for the noob questions.
| arianvanp wrote:
| it's just WebAuthn with an easier to understand name.
|
| However passkeys depends on a yet to be published standard for
| QR codes + bluetooth + websockets for doing WebAuthn from a
| second device. But that is planned to be published soon.
| candiddevmike wrote:
| Just recently tried to add WebAuthn to an app and was shocked
| at how complicated the spec is and how quirky the
| implementation ends up being. The biggest thing I couldn't
| easily figure out is how to use it properly. It seems like
| hybrid auth with your phone or FIDO gives you sign in, and
| local could be used for sessions? It's hard to make heads or
| tails from it.
|
| The developer UX was also pretty bad, ArrayBuffers was a poor
| design choice for passing around what ultimately becomes
| JSON.
| arianvanp wrote:
| Webauthn L4 standardises on JSON serialisation luckily.
|
| Yes the spec is horribly complex unfortunately.
|
| In my own project I send the assertion and attestation as
| multipart/form-data. Which means I can just directly send
| the ArrayBuffers over the wire.
|     PublicKeyCredential.prototype.toFormData = function (this: PublicKeyCredential) {
|       const formData = new FormData()
|       formData.append('type', this.type)
|       formData.append('id', this.id)
|       formData.append('rawId', new Blob([this.rawId]))
|       // credential.type is always 'public-key'; the response subclass is what
|       // tells a get() result (assertion) from a create() result (attestation)
|       if (this.response instanceof AuthenticatorAssertionResponse) {
|         formData.append('response.authenticatorData', new Blob([this.response.authenticatorData]))
|         formData.append('response.signature', new Blob([this.response.signature]))
|         formData.append('response.clientDataJSON', new Blob([this.response.clientDataJSON]))
|         if (this.response.userHandle) {
|           formData.append('response.userHandle', new Blob([this.response.userHandle]))
|         }
|       } else if (this.response instanceof AuthenticatorAttestationResponse) {
|         formData.append('response.attestationObject', new Blob([this.response.attestationObject]))
|         formData.append('response.clientDataJSON', new Blob([this.response.clientDataJSON]))
|       } else {
|         throw new Error('Unknown response type')
|       }
|       return formData
|     }
|
|     async solveChallenge(challenge: Challenge, credential: PublicKeyCredential) {
|       const formData = credential.toFormData()
|       // Do not set Content-Type by hand: fetch adds the multipart boundary itself
|       await fetch(challenge.location, { method: 'POST', body: formData })
|     }
| PassageNick wrote:
| Yeah, it is non-trivial to implement, but not impossible.
| Some folks go that route.
|
| There are SaaS solutions that implement it for you and make
| it easy to include in your app.
| 0xCMP wrote:
| Passkeys is the "normal" name for a FIDO2/WebAuthn credential
| that basically lives within a phone or password manager. It
| does add a few things. Namely the ability to store many
| passkeys per device per app/site, the ability to sync those
| passkeys (e.g. via iCloud or similar), and the ability to use
| QR codes and Bluetooth to do a local-only authentication on a
| device which doesn't have the passkey (which is what often
| requires some proprietary implementation).
|
| [Edit]: An important feature of "Passkeys" is that browsers and
| operating systems have a special API that allows an app to pre-
| start a sign in with a known user/email/etc. which if there is
| a passkey for that user it'll automatically start the FaceID or
| similar confirmation process. Which Passkeys are checked is
| controlled by the OS/Password Manager which checks which
| website is asking and what username it's checking. This is just
| to make it so it seamlessly logs you in. It does a fall-back to
| just asking what your user is which is the initial workflow.
|
| This[0] is a good podcast to listen to with Adam Langley from
| Google about how Chrome supports Passkeys and why they're a
| good thing. It includes the details of how/where/why there are
| some proprietary bits needed to implement "Passkeys".
|
| [0]:
| https://securitycryptographywhatever.buzzsprout.com/1822302/...
|
| FIDO Alliance Press Release https://fidoalliance.org/apple-
| google-and-microsoft-commit-t...
|
| Chromium Blog on Passkey support (Dec 8, 22)
| https://blog.chromium.org/2022/12/introducing-passkeys-in-ch...
| xwowsersx wrote:
| Thanks for the info and for the podcast link. Going to give
| that a listen.
| PassageNick wrote:
| (Full disclosure: I work at https://passage.id)
|
| WebAuthn is the short name for the "FIDO Alliance Web
| Authentication Protocol".
|
| "Passkey" is the trade name (that Apple tries to own) for the
| "stuff" that results from using the WebAuthn protocol. At its
| root, a passkey is really the private key portion of that
| "stuff" that is kept. So yes, in practice, a passkey is the
| result of a WebAuthn implementation.
|
| MS, Apple, and Google don't implement WebAuthn. Companies like
| mine do. Each website out there that wants to use passkeys
| needs to employ WebAuthn, whether via build or buy. What the
| "Big Three" do is leverage their OS's and platforms to enable
| the storage and migration of passkeys within their eco-system.
| WebAuthn is implemented in their browsers, and they enable the
| use of passkeys (which websites make happen via implementing
| WebAuthn).
|
| One thing to note is that the Big Three also make a small
| adjustment to the WebAuthn protocol to allow passkeys to be shared
| inside their cloud infrastructure. This ever so slightly
| reduces the security of passkeys (which start out as very, very
| many orders of magnitude more secure than passwords).
|
| You can read about Passkeys here:
| https://passage.id/post/a-look-at-passkeys
|
| More on WebAuthn: https://passage.id/post/what-is-webauth
| xwowsersx wrote:
| Thanks.
|
| > What the "Big Three" do is leverage their OS's and
| platforms to enable the storage and migration of passkeys
| within their eco-system. WebAuthn is implemented in their
| browsers, and they enable the use of passkeys (which websites
| make happen via implementing WebAuthn).
|
| That was really helpful, I think that was the bit I was
| missing.
| TacticalCoder wrote:
| Do old Yubikeys and similar U2F devices, which do still work
| for webauthn, still work for sites that are going to require a
| "passkey"?
|
| Or are MS+Google+Apple doing an "embrace, extend and
| extinguish" on webauthn?
|
| Are the "small adjustments that ever so slightly reduces the
| security" sufficient to effectively kick security keys
| hardware vendor out of the game?
| PassageNick wrote:
| Re: Yubikey -- I confess I don't know. The folks in
| r/yubikey definitely will, though.
|
| The "Big Three" are on the FIDO board, along with
| 1Password. They can't really do the extinguish thing, and
| it really isn't in their interest to do so.
|
| And no, the small tweaks don't kick anyone out of the game.
|
| There will be other, perhaps more trusted, companies that
| you can use to move your passkeys around between eco-
| systems.
| secabeen wrote:
| Are Passkeys exportable and re-importable by another service,
| site, or system?
|
| I am strongly opposed to any authentication system that makes
| my authorization workflow for unrelated third-party sites
| dependent on any company whose terms of service allow them to
| suspend or terminate my use without reasonable recourse or
| recovery.
|
| Passwords have problems, but I can print them out on a piece
| of paper in a fire safe.
| PassageNick wrote:
| You own your own passkeys on your own device, ultimately.
| Google/Apple/MS have no ownership or knowledge of the
| actual keys.
| secabeen wrote:
| Okay, can they block access to those keys and/or the
| backups of them? Assume that my account is terminated or
| that it's compromised to the degree that I cannot re-
| claim access to it. Can I move those keys to my new
| device/system without the cooperation of Google/Apple/MS?
| echeese wrote:
| I don't think Apple is trying to own the name passkey. Quote
| from this video:
| https://developer.apple.com/videos/play/wwdc2022/10092/
|
| > Here are some guidelines for how to refer to passkeys in
| your apps and websites. "Passkey" is a generic, user-visible
| term. This video focuses on Apple's implementation, but as
| I've just shown you, other major platforms have already
| started building their own support for passkeys. "Passkey" is
| also a common noun, like "password." In English, this means
| it's lowercase and gets pluralized like "password" would. I
| have a passkey for my account, and I can go to Settings to
| view all of my accounts with passkeys.
| PassageNick wrote:
| Fair enough.
| jlundberg wrote:
| Passkeys is what Apple decided to call their implementation and
| the benefits are within their ecosystem, such as storing these
| in your Keychain to be used on multiple devices.
|
| This page is a good starter:
|
| https://developer.apple.com/passkeys/
| xwowsersx wrote:
| Ah thanks, I kept ending up on Google's pages. I don't search
| good:P
| TacticalCoder wrote:
| Can't help much but originally webauthn came from Fido2 and old
| Fido devices, like old yubikeys, which only supported U2F, were
| de facto compatible with webauthn (as in: webauthn was only an
| upgrade server side).
|
| Now Google killed U2F in Chrome (and hence Chromium etc.) but
| you can migrate your webserver to use webauthn instead of U2F
| and your users' old U2F keys shall keep working.
|
| For the "new" webauthn, called passkeys, which is a modified
| webauthn: I've got no clue.
|
| It's not clear to me if old hardware security keys shall keep
| working or if we'll all be forced to use software keys
| protected by Google/Apple/Microsoft.
| judge2020 wrote:
| Passkeys are effectively software security keys, stored in
| whatever keychain you're using (Chrome or iCloud Keychain or
| otherwise); for the major implementations you're hearing about,
| the goal of their implementation is improving the UX by syncing
| your passkeys between devices, so as long as you can access
| your passkey keychain, you won't have to worry about losing
| your security key for that website.
|
| As for how "passwordless" plays into this, Passkeys are
| _generally_ better than passwords simply because it's PGP
| instead of a shared secret you send to the website, so even if
| a website is compromised, there's effectively 0 way the
| compromised database will enable password stuffing attacks on
| other websites.
|
| Another cool thing is QR codes via caBLE (cloud assisted BLE),
| you can scan a QR code on a browser (on a bluetooth-enabled
| computer) to have your phone connect to that computer and
| present its passkey to the computer, without needing to
| actually plug in your device to the computer. This is not
| strictly a passkey thing, it just aids in making them usable.
| antihero wrote:
| It's cool but until Apple lets Firefox use said keychain I'm
| not going to use it.
| toomuchtodo wrote:
| Most people will though, because they're either in the
| Android or Apple ecosystems.
| Ajedi32 wrote:
| Not sure if this is new information or not, but this post
| mentions that Bitwarden is planning to support passkeys starting
| in 2023.
|
| That's great, since AFAIK all existing passkey implementations
| are tied to a specific browser or OS, and have no way to export
| the keys, which isn't great for a program designed to own the
| keys to your digital life. I'm hopeful Bitwarden will solve that
| problem, and that their example will encourage other popular
| password managers to do the same.
|
| (...or at least, I _think_ "passkey support" means they plan to
| support storing passkeys in Bitwarden itself. I hope it doesn't
| just mean they want to let you use a passkey to log in to
| Bitwarden. That'd be really disappointing, and probably a poor
| choice strategically given that passkeys aim to eventually render
| traditional password managers obsolete.)
| cmdli wrote:
| Shameless plug to my own passkey manager, which is 100% open
| source: https://bulwark.id
|
| One of the big challenges to passkeys right now is that they
| aren't as versatile as passwords, but this doesn't have to be
| the case. Passkeys should be able to be exported and stored
| anywhere you want (ideally in an open source solution). Bulwark
| Passkey supports that right now, but I'm glad that other
| products are also providing solutions to users for the same
| problem.
| noahtallen wrote:
| 1Password is also working on it:
| https://www.future.1password.com/passkeys/
|
| It's shaping up to be a cool year for password management!
| badrabbit wrote:
| Passwordless as a concept needs to die along with biometric auth.
|
| You have really good newer methods of auth. Instead of selling
| them as good MFA alternatives security vendors decided to replace
| passwords because that differentiates them more. But in reality,
| the layer of defense "what you know" should be complemented not
| replaced. A reduction in security being sold as a feature is
| dishonest and harmful.
| jaywalk wrote:
| Please explain how this is a reduction in security.
| hsdropout wrote:
| They are pointing out that while the "something you have"
| factor may be stronger than "something you know", multi
| factor is still better. I agree. Also, passwords are
| decentralized, whereas passwordless puts the power into fewer
| hands, so this too reduces complexity for attackers.
|
| 2FA>1FA
| PassageNick wrote:
| The threat surface of a password based system is like Lake
| Superior.
|
| The threat surface of a passkey based solution is like a small
| puddle after a rain.
|
| How is there a "reduction" in security here?
| badrabbit wrote:
| Doesn't work that way. Passwords are inferior but still a
| strong layer of defense. You are putting all your eggs in one
| basket again. The lesson from passwords is that a single
| factor of authentication is inherently inferior to multiple
| factors of authentication. From a threat actor's perspective,
| even a yubikey is a matter of one well planned attack
| (physical, compromised host,etc) and by nature newer factors
| of auth don't get treated with hostility like with passwords.
| They are better than passwords but what I see is people
| moving away from MFA to only a yubikey for example. Like you
| are now one lost yubikey away from your whole company getting
| owned lol.
| jacooper wrote:
| I still don't understand how it works. I went into the website
| under authenticated using my phones API, where is my account now?
| There is nothing in my Bitwarden vault.
| g_p wrote:
| Passkeys are stored on your platform keychain. In time,
| Bitwarden will offer this interface up, so you can sync them
| through your Bitwarden vault.
|
| Currently, if you use an iPhone, you will have the passkey
| stored in iCloud keychain. Your "account" is a private key held
| within iCloud keychain, along with some metadata mapping that
| private key to the site you visited.
| jacooper wrote:
| Well I use GrapheneOS without a Google Account. It's not
| listed under secure keys in the settings or in the browser.
|
| Anyway this really needs to be exportable, otherwise it's in
| the ultimate platform lock.
| moneywoes wrote:
| Any idea on the multiple?
| boringg wrote:
| Is this the password wars heating up? I.e. Bitwarden vs
| 1Password?
| zackify wrote:
| I own passwordless.app. I wonder if they will want to buy it from
| me now.
| temptemptemp111 wrote:
| [dead]
| ubermonkey wrote:
| Yeah, this is not a good sign IMO.
| velhartice wrote:
| I've been using the keepass ecosystem for years after switching
| from 1password. It's open source, highly portable, and you don't
| need a degree to set it up.
| wurstehans wrote:
| Sounds a bit worrisome to me... Maybe I'm just overly cautious,
| but i guess it's time to look around again. Has anybody checked
| out APass yet? https://github.com/balu-/a-pass
| seanw444 wrote:
| For my personal passwords and general secure info (it can store
| notes, files, and TOTP as well), KeePass(XC/DX) has been my
| password manager of choice. Nothing leaves your device. If you
| want it to, that's considered out-of-scope, and you have to
| handle syncing yourself. Whether that be something like
| Nextcloud, or my personal favorite: Syncthing.
| coffeeri wrote:
| Without looking close at your suggestion, you might want to
| look at passage [0] by the creator of age. It's a fork of pass
| [1] using age as the backend.
|
| [0] https://github.com/FiloSottile/passage
| [1] https://passwordstore.org
| mtgx wrote:
| [dead]
| AdmiralAsshat wrote:
| As a recent convert to Bitwarden from LastPass, I start to get a
| bit nervous when I see acquisitions happening. LastPass getting
| acquired was the beginning of the end for it, IMO, before
| stagnating into criminal negligence.
|
| Granted this is Bitwarden _acquiring_ rather than being acquired,
| but I still worry it leads to a trend of building "portfolio
| value" rather than focusing on the product. I sincerely hope I'm
| wrong.
| gagabity wrote:
| Also Bitwarden recently raised 100M from VC so yeah, the clock
| is ticking now.
| zucked wrote:
| I'm happy for the one dev who's been lone rangering as I hope
| it means he's finally getting paid, but the pressure is going
| to be on to get an ROI.
| sph wrote:
| It is possible to build a profitable business without
| investors or venture capitals, you know.
| dahfizz wrote:
| Insane radical idea: Businesses can actually make a profit
| by having income higher than expenses. You can pay yourself
| that way.
| sirsinsalot wrote:
| What does "make a profit" mean? Is that the money from
| IPO? Or money laundering? Idgi
| alex_suzuki wrote:
| Heresy!
| mfer wrote:
| If he was not being paid before it means he had not built a
| sustainable business. That means changes will need to come
| in the future to do that.
|
| If he had a sustainable business and took the VC funding it
| means he has grander ambitions. That will mean change as
| well.
|
| No matter how you look at it there will be change coming.
| Fueled by people who want a return on their investment.
| agrippanux wrote:
| Doesn't necessarily mean change will come to the current
| offering; acquisitions can happen because new or
| enhancing existing product lines (like enterprise) are in
| the future.
| sngz wrote:
| was considering switching, guess I'll stick to keepass
| cpsns wrote:
| > Bitwarden recently raised 100M from VC
|
| I wasn't aware of this, but I'm glad I am now. If that's the
| case it's time to look elsewhere or self host, VC funds and
| acquisitions are rarely good for users so I'll assume the
| worst.
| ssgodderidge wrote:
| My guess is they will follow 1Password and have more
| strategies to monetize users. I wonder what the difference
| between the two services will be at the end of the day.
| princevegeta89 wrote:
| 1Password in my experience was the biggest scum of bait
| and switch I ever faced. They used to do "lifetime"
| licenses which I bought into, but wouldn't support it
| beyond one year of release and stop giving me updates.
| Later, they invested heavily into the cloud side of
| things, and brought in confusing subscription-based
| pricing which made it expensive and difficult to
| understand. All they're doing as of now is trying to
| increase prices and tear into your pockets.
|
| With BW I have never expected the same and I am still
| hopeful on giving them the benefit of doubt.
| roustem wrote:
| 1Password NEVER had lifetime licenses. We made this
| decision since day one because we had a product before
| that died because it was a "lifetime" purchase. The
| 1Password license is valid for the major version of the
| app. The license purchased would still work with that
| version today. If you look at the release history of
| 1Password apps -- every version had a ton of updates made
| long after the app was no longer on sale. For example,
| 1Password 7 was updated just a month ago:
| https://app-updates.agilebits.com/product_history/OPM7
|
| The licenses are also confusing -- people had to purchase
| apps separately for every platform: macOS, Windows, iOS,
| Android. And then they had to purchase upgrades
| separately as well.
| mbesto wrote:
| > VC funds and acquisitions are rarely good for users
|
| Where does this sentiment come from? I know very few
| applications I use that are VC funded or haven't gone
| through acquisitions...
| Dalewyn wrote:
| The notion that all software must be provided free of
| charge and that making any profit is a cardinal sin.
| lotsofpulp wrote:
| Or it could be that the probability of having to do anti
| user things to earn an ROI for a $100M investment into a
| password manager is too high.
|
| $100M to develop a new processor or phone or vaccine or
| search engine or social network that delivers video to
| everyone worldwide is different than $100M to a password
| manager or other "simpler" project.
| wvenable wrote:
| No, it's just that growth necessary to satisfy VC
| investment is unobtainable so solid products eat
| themselves attempting to achieve that growth.
| [deleted]
| hn_throwaway_99 wrote:
| The issue is that there are a large number of
| products/companies (I think the vast, vast majority)
| whose addressable market size isn't that big, but when
| they take VC money they do all types of unnatural things
| to try to grow instead of focusing on the couple things
| they were really good at. Couple cases in point:
|
| 1. Totally agree with the comments that VC funding
| absolutely killed LastPass.
|
| 2. Twitter is probably another good example. Twitter was
| a really large business, but they were constantly
| wringing their hands about what they could do to get as
| big as Facebook or Instagram. What if the answer was
| always just "No, you'll never be that big, just don't
| even try". So instead of improving their core bread-and-
| butter (and fine, easy to argue they didn't even do that
| super well), they wasted a ton trying to get users who
| were never going to use Twitter in the first place.
|
| 3. Very closely related to this idea about "When large
| sums of money become toxic", the private equity
| consolidation in US health care is another ongoing
| disaster. PE comes in with the promise of "streamlining
| operations", but instead they are just vampires, cutting
| stuff to the bone so that the health care system isn't
| able to respond to spikes in demand (e.g. Covid):
| https://www.statnews.com/2022/12/14/moodys-private-
| equity-he...
| mbesto wrote:
| Ya, but can you name any products where this is the
| opposite? Meaning, how many products do you use that
| _aren't_ VC backed?
| hn_throwaway_99 wrote:
| craigslist famously rejected taking outside money for
| years.
|
| But more importantly, I don't think VC or VC money is
| always bad, but I get _extremely_ wary when a relatively
| small company gets a shitload of money that they'll then
| be forced to grow into a way that means they'll lose
| focus on their core product.
|
| I remember when I told a friend of mine that Postman
| raised nearly _half a billion dollars_ in total funding,
| and his jaw dropped "You mean that browser plugin that
| allows you to make REST calls???" And sure enough,
| postman got filled with more and more "enterprise-y
| uselessness" to the point that I just stopped using it.
| mbesto wrote:
| > but I get extremely wary when a relatively small
| company gets a shitload of money that they'll then be
| forced to grow into a way that means they'll lose focus
| on their core product.
|
| Irrationally so. That's my point. There isn't a strong
| indicator that correlates to a company being a craigslist
| vs a company being a Postman. The median is somewhere in
| between and its not as dire as you pose it to be.
| bsg75 wrote:
| It comes from a concern that VC backed investments demand
| a constant level of revenue growth, causing a company to
| add features or integrations that do not improve the base
| product. Organic growth is usually insufficient for
| stockholders, whose demands become a priority over
| stakeholders.
|
| If the user base does not increase at some rate
| determined by the investor, then growth comes in the form
| of advertising, partnerships, or similar that negatively
| affect the _product_ existing customers signed up for.
| orhmeh09 wrote:
| This does not stem from VC but from the "C" itself -
| capital. In order to function in capitalism, production
| must facilitate the creation of surplus value that can
| then be appropriated. Over time, with the tendency of the
| rate of profit to fall and with inflation of prices, you
| will see a race to the bottom.
| afavour wrote:
| They did? Oh JFC I just switched from 1Password to avoid
| using a VC backed service. At least there's always
| Vaultwarden, now all I need is a service I can pay to host an
| instance for me. ...and to not take VC funding.
|
| https://github.com/dani-garcia/vaultwarden
|
| Though I fear it's only a matter of time before the VC gods
| demand the client apps remove compatibility and they have to
| be forked too.
| mfer wrote:
| Not to totally burst your bubble but 1Password took funding
| a few years ago [1]. I say this as a 1Password user.
|
| [1] https://www.wsj.com/articles/password-
| manager-1password-rais...
| afavour wrote:
| Oh I know, I switched _from_ 1Password to Bitwarden for
| exactly that reason.
| jorvi wrote:
| I switched from 1Password to Bitwarden, imported my vault,
| and then realized that their client doesn't even support
| drag 'n drop.
|
| I've been wanting to switch from 1Password to Bitwarden for
| years, but each year I try it I'm just flummoxed by how
| atrociously behind the UX / UI still is.
|
| Unless you (or whoever you're getting to switch) are an
| absolute open source absolutist: do yourself a favor and go
| for 1Password.
| afavour wrote:
| I did try to switch a year or so ago and got really
| frustrated. Tried again a week ago and Bitwarden does
| seem a little better. It helps that it feels like
| 1Password's app has been getting more bloated over time
| (though I have no data to support that assertion).
| roustem wrote:
| 1Password certainly added a ton of new features recently
| :)
|
| Did you check 1Password developer tools, like SSH-agent
| server, git commit signing, and CLI?
| https://developer.1password.com/
|
| Or the new item and file sharing.
| https://support.1password.com/share-items/
| miked85 wrote:
| I refuse to use a cloud-based password manager, they will
| all be hacked eventually. I will continue to use and pay
| for the standalone 1Password as long as possible, and
| then be forced to self-host vaultwarden.
| afavour wrote:
| I have no interest in those things, they're good examples
| of what I _don't_ want in my password manager.
|
| Sorry, I don't mean to sound like an ass, they look like
| very well put together features. They just remind me of
| when Dropbox decided to start offering document editing.
| Not what I go there for.
| roustem wrote:
| Fair enough, everyone has their own requirements. I'd
| argue that all modern operating systems have password
| management already built-in.
|
| We have a lot of 1Password customers with families and
| team members that require more than a single vault, need
| an option to recover team/family member access and often
| have to securely share data with other people,
| accountants and lawyers. Also, many of developers and
| admins that want to keep their SSH keys safe.
| panzi wrote:
| Bitwarden is the first password manager I ever used.
| Where would it use drag and drop and for what? I wish it
| would be better controllable via keyboard-only. That is,
| when you use the Firefox add-on and tab out of the
| Bitwarden popup and tab back in again it remembers the
| focus on e.g. the copy password button, you just have to
| hit space again and tab back to the terminal window where
| you need to use the password. But Brave doesn't remember
| the focus so annoyingly I have to grab the mouse.
| selykg wrote:
| In 1Password there's at least a half dozen ways that drag
| and drop could be used:
|
| - Drag a password into a password field
|
| - Drag an attachment from Finder/Explorer into an item
|
| - Drag an item from vault to vault (or collection in
| Bitwarden parlance)
|
| - Drag an item into a tag or folder to add that item to
| the folder, or add that tag to the item
|
| - Drag an app to the 1Password icon to create a software
| license item with the icon of the app as well as name
|
| There are also drag and drop functions, some similar to
| above, on iOS as well.
|
| Bitwarden is... and I agree with the grandparent here,
| awful from a UX angle, compared to 1Password. It's
| certainly functional, but that's about where it ends for
| me.
| dddw wrote:
| You must be on mac, because my 1pw experience is horrible
| on Linux. Editing a password in the browser extension
| opens a new tab in which I have to log in all again. Ugh.
| Bitwarden at least doesn't do that. Drag and drop? Nope.
| selykg wrote:
| Technically it does the same thing on Mac, it opens the
| Mac app. But on a Mac there's universal unlock, so if you
| have the extension unlocked, the app will unlock, so it
| opens the item you want to edit in edit mode.
|
| If you don't have the app installed it opens the website
| in a tab to sign in and edit.
| sph wrote:
| Ah for fuck's sake. It keeps happening to all the software I
| love. I guess I'll have to stop relying on convenience (I was
| a 1Password user years ago) and go 100% open-source. None of
| the libre offerings seem to be as convenient and polished,
| but at least they're not in some VC's pocket ready to
| squeeze as much profit as possible out of my paid membership.
|
| What's a good OSS alternative that works with iOS and Linux?
| Anything that's audited? (perhaps that's asking for too much)
| kdmccormick wrote:
| If a simple git-based CLI solution is appealing to you,
| then try https://www.passwordstore.org/. I wouldn't
| recommend it to someone non-technical, but personally, I've
| never looked back.
|
| There are iOS and Android clients, too. Not especially
| polished, but they do the job.
| jmcphers wrote:
| Love passwordstore, been using it for almost 6 years with
| zero issues while watching my friends run frantically
| from one compromised or greedy password manager to
| another.
| Y_Y wrote:
| I haven't seen, but would love to, a tech startup that is
| guaranteed not to sell out. I don't mean a promise from the
| founder on a blog, but a legal structure. I'm not sure
| what form this would take or if it's such anathema that it
| could never be but it would be great to see.
|
| I'm sure I'm not the only one who's tired of the bait-and-
| switch of companies who are all about freedom until they
| get acquired by a giant and then start hastily walling
| their garden.
| aaronax wrote:
| Cooperative
|
| Customers are members/owners.
|
| Examples: Tessitura, NISC
| Y_Y wrote:
| Someone posted this list of such co-ops recently:
| https://tech-coops.xyz/
|
| Is it true that they couldn't sell out though? I imagine
| if the buyer offered a pile of money then the majority of
| the owner-workers would go for it, even at the expense of
| the users.
| lumb63 wrote:
| I use KeePass. It's up to you to sync passwords and they're
| stored locally. I see those as features even though
| they're inconvenient.
| noirscape wrote:
| Another advantage to KeePass is that there's about half a
| million clients and most are actually written to be used
| for their platforms.
|
| Lots of more "modern" password managers (as well as
| generally other software) kinda suffer from having this
| weird mixed mobile and desktop interface, inheriting all
| the downsides of each interface while gaining the
| advantages of neither. (Not to mention all the issues
| with porting stuff between two different OSes; Mac and
| Windows have completely different ideas on what an
| interface should look like.)
|
| KeePass's official client being Windows-only is a
| blessing in disguise since it means that each client
| developer can specifically focus on making it look good
| on whatever specific platform they're targeting.
| qwerpy wrote:
| I use cloud storage to store the kdbx file and sync it
| across a PC and my phone. It's pretty awesome 99% of the
| time and just works. Once in a while you get a merge
| conflict and it's not so good.
| lcnPylGDnU4H9OF wrote:
| Even merge conflicts have been a lot better for me in
| recent years. My only worry with KeePass is that I have
| to rely on potentially sketchy client applications but
| I'm also fortunate enough to have the skills to make my
| own if I really felt the need. It's one of the few "not-
| my-solution" pieces of software which continually gives
| me a sense of data ownership.
| lumb63 wrote:
| I run an SSH server on my laptop and SFTP it to my phone
| via Strongbox when I'm local.
| jimt1234 wrote:
| I love Bitwarden. I've been a customer for years. Great
| product. Great team. However, I recently quit for this
| exact reason (evil VC influence), and migrated all of my
| secrets to KeePass. Yes, a slight inconvenience to
| manually sync across devices, but I sleep better at night
| knowing my secrets are no longer in the hands of some VC
| suit.
| trinsic2 wrote:
| Yeah, the very reason I'll stick with keepass.
| worble wrote:
| KeepassXC has served me well for many years, synced via my
| Nextcloud but could just as easily use dropbox or icloud,
| or even syncthing.
| lotsofpulp wrote:
| I use KeepassXC and Strongbox.
| forsakenharmony wrote:
| syncthing works really well imo, can also tell it to keep
| 3 versions as a backup
| vetinari wrote:
| I had conflicts that needed manual intervention too
| often. It is not something that most users would put up
| with.
| kornhole wrote:
| Yes KeepassXC is great. Nextcloud passwords is actively
| developed and looking good except for the Linux app
| failing on Arch.
| 5e92cb50239222b wrote:
| Upvote for keepassxc. I've been using it and its
| predecessor with the same database file for something
| like 15 years and have seen many of these services come
| and go in the meantime. It will outlive Bitwarden for
| sure.
| weaksauce wrote:
| bitwarden is opensource. you can self host. the apps in the
| store are compatible with the self hosted options just
| change the url to your server. you can also fork any of the
| projects and build it yourself if you don't trust them.
| yoavm wrote:
| As mentioned in other comments, BitWarden has both OSS
| client and server implementations. You can keep using it
| and if something goes wrong (or earlier, if you wish) you
| can always run it yourself.
| dcow wrote:
| In your opinion, what would the ideal password management
| business model be? A non-profit like Signal? (Not
| rhetorical, actually curious what people want here.)
|
| As a thought experiment, let's say there are 1000 people
| who get annoyed when a software product they use takes VC
| funding. For those 1000 people to sustain a software
| product with a team of 5 for 10 years at 150k average per
| head, you'd need 7.5MM dollars just to break even. That's
| $7,500 per user, or $750 per year. I doubt many people
| would be willing to pay that just to have a product that
| never takes VC funding.
|
| And note that's just to cover labor costs. If you want it
| audited, that's a solid 25k per audit. Operating costs for
| website and infrastructure, etc. Now if the product was
| exceptional and beat out other products in the space and
| generally had a slice of the pie, the number of users would
| increase and per user cost would decrease. But also doing
| as much with a team of 5 is no small feat.
| aceazzameen wrote:
| I'm not sure if there is a good business model in
| password management. I can't answer that question. What I
| do know is, a good password manager is the type of
| software that should strive to be feature complete. And
| at that point resources should be used for maintenance,
| security, and software/OS compatibility updates. In other
| words, a low-if-any growth, but profitable business
| assuming the software is good.
|
| But once you get into VC funding or acquisitions,
| businesses tend to want to grow and bloat their products
| by adding features no one asked for to increase their
| perceived value. I know I'm tired of seeing this happen
| to beloved software time and time again.
| dcow wrote:
| Perhaps then software utilities are better suited for a
| crowd funding model?
| vanilla_nut wrote:
| Non-profit like Signal that sells cloud hosting to pay
| the bills, standard protocol with self-hosting option for
| the server like email/browsers agreed upon decades ago,
| anyone can create an interoperable desktop/browser/mobile
| client. Fully encrypted such that even the non-profit
| doesn't have the decryption keys.
|
| That being said: it's unclear if _anyone_ really
| understands how to build an open source product with
| cloud hosting covering the bills. Almost everyone either
| makes a deal with the devil (VC funding) or upsells too
| aggressively anyway.
|
| Cloud storage and CPU usage is basically negligible per-
| user for a password manager. I imagine you could service
| hundreds of millions of users on just a couple of capable
| machines, similar to HN's setup. Even with hundreds of
| passwords, most users total mere MB's of usage -- it's
| even simpler than email! I think this is one of the rare
| cases where corporate users can pay for big accounts with
| special sharing features and completely subsidize a free
| product for individual users. Or you could charge
| individual users $5 a year to cover cloud costs (more
| than enough), with self-hosting as an option for highly
| technical users to save a buck.
| franga2000 wrote:
| > sells cloud hosting to pay the bills, standard protocol
| with self-hosting option for the server like
| email/browsers agreed upon decades ago, anyone can create
| an interoperable desktop/browser/mobile client. Fully
| encrypted such that even the non-profit doesn't have the
| decryption keys
|
| All of those are true of Bitwarden, except for the non-
| profit part...
|
| > Or you could charge individual users $5 a year to cover
| cloud costs
|
| And who pays for the development?? Bitwarden already
| charges only 10EUR/year, so they're basically doing
| exactly what you're proposing, but paying for development
| with VC money.
|
| Even if servers were literally free (they're far from
| it!), do you have any idea how many users they'd need to
| cover just the minimal amount of developers, one business
| person and either an in-house or external security
| auditor? And who would pay for all of that during the
| time it took them to build up that user base??
|
| I hate the VC culture as much as the next guy, but unless
| the founder is already crazy rich, you need external
| capital to start up any decently large company - or even
| a non-profit.
| crossroadsguy wrote:
| I have accepted that one has to keep moving around.
| Password manager, backup software, it goes on.
|
| Right now I am hunting for a non-subscription note taking
| setup that will replace SimpleNote.
|
| So I'll move to the next option from BW, just like I moved
| to it from LP.
| ok_dad wrote:
| > Ah for fuck's sake.
|
| I agree, and I wish we had more power in these things than
| just forking. Now that I know Bitwarden took VC money, I'm
| also fucking out of this mess, and here I was about to
| renew for the 5th year in a row.
|
| Fuck VC's, they ruin everything good. Can I say that here?
| It's true.
| karaterobot wrote:
| You can definitely say that here. To me the problem isn't
| exactly VCs, it's the expectation of rapid, open-ended
| growth that ruins good products and companies. Of course,
| the driver for that is often VCs, but it can come from
| other places too.
| secabeen wrote:
| The entire finance industry has a disdain for "lifestyle
| businesses", that just generate enough profits for the
| founders and employees to live on, but will never
| generate an exit beyond that. I get why, but for utility
| products, a solid lifestyle for the employees and a
| useful product for users is enough, and should be enough.
| tunesmith wrote:
| Lifestyle businesses have a big flaw in American culture
| though; our safety net is not enough to make "meets
| expenses" a tenable long-term approach. We basically have
| to aim for a big wad of savings for later in life, which
| incentivizes going for exits and cash-outs.
| TedDoesntTalk wrote:
| VueScan (hamrick.com) is a very good example of a
| successful lifestyle business (first release in 1998).
| The founder and his son work on the product full-time. I
| don't think they have any other staff, but I could be
| wrong.
| nightski wrote:
| Seeing as only a few % of Americans achieve what you are
| saying I don't think it's strictly true. Maybe if you
| want to fatfire or something
| secabeen wrote:
| Perhaps, I would hope that a sustainable lifestyle
| business would be able to pay employees and founders
| enough to build a comfortable retirement nest egg through
| savings, investments, and compound interest.
| fortuna86 wrote:
| This also means creation of billion dollar global
| platforms that Europe and other parts of the world have
| never accomplished. Trade offs.
| ok_dad wrote:
| I feel so happy that we have created "billion dollar
| global platforms" instead of universal healthcare or
| ensuring everyone was sleeping indoors. Woo-hoo!
| jrochkind1 wrote:
| And can be enough if you don't need large quantities of
| investment capital. If you don't _need_ it, but _want_ it
| to get fabulously wealthy... well, "lifestyle business"
| is not the path to that, by definition.
|
| It's almost like the interests of those who want to get
| fabulously wealthy -- whether founders or investors --
| become misaligned with the interests of the users, even
| steeper/faster than when you "just" have a "lifestyle
| business".
| jjeaff wrote:
| The thing is, founders can get fabulously wealthy with a
| lifestyle business or at least very wealthy, but it might
| take longer. But all the established money seeking rent
| parked at VC firms can't get a cut if you don't play ball
| with them.
| jrochkind1 wrote:
| Yeah, wealthy enough if not billionaire, true.
|
| > But all the established money seeking rent parked at VC
| firms can't get a cut if you don't play ball with them.
|
| OK, but why does a founder care about that? Either they
| think their business model can't get them to a
| sustainable lifestyle business without external capital
| investment... or they want to get more-than-lifestyle-
| business wealthy, right?
| sirsinsalot wrote:
| Millions, even tens of millions, for founders isn't
| unheard of at all for small "lifestyle" businesses.
|
| Not VC billions, but fuck you money is certainly doable.
| jrochkind1 wrote:
| I don't know if a couple million is "fuck you" money in
| 2023 (enough to never work again and eventually retire
| while living a fairly luxurious lifestyle?), but point
| taken.
| Liquidor wrote:
| I'm of the opposite opinion in this case.
|
| If someone creates new tech and it fits with Bitwarden then I'm
| more than happy to see what they can do together.
| sschueller wrote:
| Like docker? They made huge profits but docker itself has
| made practically no improvements. It's still using iptables
| when many distros switched to nftables, causing a huge mess
| and the documentation is still really poor.
| dcow wrote:
| Seems like Bitwarden is successful enough to have the cash to
| make a strategic acquisition. That seems like a good thing for
| users.
| paulryanrogers wrote:
| BitWarden is open source on both ends. So worst case one can
| self host then fork clients. (Server has already been
| reimplemented independently.)
| Macha wrote:
| So too have some clients (e.g. rbw CLI). So just need an
| independent browser extension and then my use of Bitwarden
| does not need Bitwarden LLC (and the browser extension is not
| great, so that's not a high bar)
| cdev_gl wrote:
| This is true, but LastPass proved that by the time the worst
| case occurs it's already too late. A security breach means,
| at minimum, redoing all your passwords, and these sites are a
| very compelling target.
|
| OTOH I wouldn't want to self-host because I know I'm not
| going to spend the same amount of time and effort a full
| security staff would, even if my self-hosted box would make a
| much less attractive target.
|
| It's quite a pickle.
| phyphy wrote:
| I thought a security breach wasn't possible due to zero
| knowledge encryption.
| vorpalhex wrote:
| You have security options self hosting that a big host does
| not.
|
| Want to just encrypt everything on a node with no network
| access? Sure. That doesn't work for a "real" host but that
| is fine if you mostly use your phone and need to just
| occasionally sync your passwords back at home.
|
| You don't need the things that make hosting hard. You can
| have a few hours of downtime. Your password vault is
| gigabytes, not hundreds of terabytes. You don't need to arm
| guard your backups, just pass them (encrypted) to a friend
| with a safe.
| lewantmontreal wrote:
| Does Bitwarden work if the server is offline? I know the
| client works without an internet connection, but a server
| outage had an issue earlier last year:
| https://news.ycombinator.com/item?id=32782386
| hn_throwaway_99 wrote:
| > A security breach means, at minimum, redoing all your
| passwords
|
| Not necessarily. I wouldn't have felt compelled to redo all
| my passwords if 1Password's encrypted vaults were stolen
| the way LastPass's were, given that 1P's vaults are
| uncrackable with brute force but LastPass's critically
| depend on the entropy of the master password. This was
| discussed recently:
|
| https://news.ycombinator.com/item?id=34359251
| chriscjcj wrote:
| I self-host Vaultwarden. I'm sure someone will be happy to
| explain to me how foolish my implementation is, but I'm
| comfortable with it from a security perspective.
|
| I run it as a Docker instance on my home Synology NAS. This
| turned out to be pretty easy to do. The only part that was
| a slight hassle was buying a cert, creating an FQDN and
| making the DNS entries to get an SSL connection to the NAS.
| Also, I wish updating to a new version of Vaultwarden was a
| little more straightforward.
|
| When I am at home, my devices with Bitwarden all sync to
| the Vaultwarden instance on the NAS without issue.
|
| My router is a Ubiquiti UDMPro. I have an L2TP VPN
| configured with a shared-secret and user passwords that are
| ridiculously long and complex. When I'm out and about and
| need to sync with the NAS from my laptop or mobile device,
| I activate the VPN and do the sync.
|
| My Ubiquiti account does have 2FA.
|
| I implemented all this when 1Password informed me that in
| order to continue using their service, my vault would have
| to be hosted on their server and I would have to pay them
| every month for the privilege. That was a nonstarter.
|
| I'm sure my router and NAS are not impenetrable, but I
| don't feel like I'm low-hanging fruit either. And if
| someone went to the trouble of breaking in, their reward
| would be one guy's vault and not the vaults of millions of
| customers. I'm hoping that makes me a less attractive
| target. Of course the vault itself has a very long and
| complex password as well.
|
| This is working out quite well for me so far, knock on
| wood.
| sampling wrote:
| I have a very similar self-hosted Vaultwarden set up, for
| the same reasons.
|
| My other concern, which may be unfounded is that
| Vaultwarden [1], which is an unofficial Rust rewrite, may
| also be developed to different, or lesser security
| standards than the official client. However I don't have
| any real reasons to suspect this.
|
| [1] https://github.com/dani-garcia/vaultwarden
| chriscjcj wrote:
| Agreed. I know I'm taking it on faith that this
| implementation is robust and secure when it might not be.
| However, I feel okay about it knowing that it would be
| very difficult for anyone other than me to access this
| Docker instance in the first place. And if I'm outside my
| home network, I'm interacting with it via the VPN.
| moogly wrote:
| > The only part that was a slight hassle was buying a
| cert, creating an FQDN and making the DNS entries to get
| an SSL connection to the NAS
|
| Note that Synology DSM has built-in Let's Encrypt support
| chriscjcj wrote:
| > Note that Synology DSM has built-in Let's Encrypt
| support
|
| Yes... I tried going down that route. In my scenario, I'm
| accessing the NAS via its internal IP which is in an
| RFC1918 subnet. Let's Encrypt insists that you use a
| globally routable IP. If I used the public IP issued to me
| by my ISP, then I would have to map a port on my router
| and expose the NAS directly to the Internet. No way am I
| doing that.
|
| I bought a cert through Namecheap and got 5 years for
| $29.95. That seemed quite reasonable to me. There was no
| problem getting it to work when I mapped the hostname to
| the NAS's internal IP. The only downside is that I have
| to go through a renewal process every year and install
| the updated cert on NAS. Not a huge deal; just one more
| thing I have to do.
| moogly wrote:
| That all makes sense. Wanted to point out to others that
| there's potentially less of a hassle to set this up (if
| you're fine with opening port 80, as has been pointed out
| to me).
| vetinari wrote:
| Unfortunately, HTTP challenge only. I.e. you have to open
| port 80 to your Synology, which is handled by the same
| nginx instance, as all the other services on the device.
| KyeRussell wrote:
| I've never used Bitwarden, but I've used LastPass in the past,
| and I've used 1Password for ages. AgileBits took on a big chunk
| of VC some time ago. This upset a bunch of people, too.
| Slightly different circumstances due to the different user base
| and source availability, but whatever.
|
| I can say with certainty that I've continued to get value out
| of 1Password both personally and professionally. I can even say
| with a degree of certainty that I've gotten value out of the
| changes that have come post-acquisition. Were I starting from
| scratch, I'd still probably pick 1Password. This isn't me
| arguing that 1Password is better. More saying that it's been
| a...little bit of time now, and I'm still happy with the
| product and how it's improved.
|
| I appreciate that acquisitions or taking on funding feels like
| more of a kick in the teeth because it's a distinct event, is
| publicised, and even publicised as a good thing. Having just
| gone through my first acquisition (as an employee in an
| entirely bootstrapped small business) I've realised that this
| has to be weighed up against the risks associated with whatever
| was in the no-funding no-acquisition future, i.e. the thing
| just going away entirely, which happens slowly (and then all at
| once) and mostly in private.
|
| I've little doubt that over time 1Password will get
| comparatively worse than whatever else is around. Either
| because it's neglected or because it gets juiced and dark
| patterned by VC incentives. Ignoring the VC bit, I'm just as
| sure the same will still happen to Bitwarden obviously. But
| this shifting playing field just feels like an inevitability
| regardless of which path any product takes.
| bluSCALE4 wrote:
| The concern with Bitwarden started a few months back when they
| did a round of venture capital funding. Now, they have to turn
| profits instead of just being great.
| sirsinsalot wrote:
| Not being a non profit or charity, I'm fairly sure profit was
| a need for sustaining the business before investment.
| sngz wrote:
| not just turn profit. But ridiculous unsustainable amounts of
| profit at the expense of the users until its bled dry then it
| will be sold off
| rvz wrote:
| I'd like to remind you that Bitwarden is becoming completely VC
| backed with the way it is going [0] and there is always a
| possibility that it _can_ be acquired to give investors a
| return. The same happened with Keybase as soon as they took VC
| cash.
|
| It is now growth at all costs until an eventual acquisition of
| Bitwarden. So I won't be surprised to see price increases on
| some plans soon.
|
| [0] https://bitwarden.com/blog/accelerating-value-for-
| bitwarden-...
| sirsinsalot wrote:
| The keybase pivot was so ugly and sad. Their pre VC product
| was really nice.
| babypuncher wrote:
| I know this dead horse has probably been beaten beyond
| recognition, but I think the safest option that still preserves
| some convenience for password management is to stick a keepass
| database in your cloud storage provider
| (icloud/dropbox/whatever).
|
| Some keepass compatible apps even offer full iOS integration
| (FaceTime unlock, Password AutoFill), so you don't lose these
| features you're used to with LastPass.
| WheatMillington wrote:
| Criminal negligence? Explain?
| AdmiralAsshat wrote:
| https://www.grc.com/sn/sn-905-notes.pdf
|
| There are multiple users who, post-breach, are checking the
| iteration count (the number of PBKDF2 iterations) for their
| vault, and discovering that even though LastPass had been
| slowly increasing the number of iterations for _new_
| customers in line with industry best practices, they were
| never going back and upgrading the old users. So if you
| created a LastPass account in the past few years, your
| iteration count was 100,000. But if you were an older user,
| it may have only been 5,000. Or 500. Or, in the case of many
| _old_ users: 1. One iteration. That's all that was
| protecting their encrypted vault--now in the hands of
| attackers--from brute forcing.
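To make the iteration-count point concrete, here is an added Python example (not from the comment above and not vendor code) that derives a vault key with PBKDF2-HMAC-SHA256 at the counts named in the thread, measures the per-guess cost of each, shows that a count of 1 is literally a single HMAC, and flags counts below the 100,000 the comment cites for newer accounts. The password, salt and the 600,000 comparison figure are assumptions of the example, not values from the thread.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for the demonstration; not real vault data.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# Iteration counts named in the thread: 100,000 for newer accounts and
# 5,000 / 500 / 1 reported by older accounts. 600,000 is the current
# OWASP recommendation for PBKDF2-HMAC-SHA256, added here for comparison.
THREAD_ITERATION_COUNTS = (100_000, 5_000, 500, 1)
NEWER_ACCOUNT_MINIMUM = 100_000
OWASP_RECOMMENDED = 600_000


def derive_vault_key(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Derive a vault encryption key with PBKDF2-HMAC-SHA256.

    The iteration count is the only knob that makes each guess of the
    master password cost more; the salt only keeps guesses per-user.
    """
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def single_hmac_key(password: bytes, salt: bytes) -> bytes:
    """What PBKDF2 collapses to at iteration count 1 (for a 32-byte key).

    PBKDF2 computes U1 = HMAC(password, salt || INT_32BE(block_index)) and
    XORs further rounds on top of it; with one iteration the key is just U1.
    """
    block_index = (1).to_bytes(4, "big")
    return hmac.new(password, salt + block_index, hashlib.sha256).digest()


def seconds_per_derivation(password: bytes, salt: bytes, iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock cost of one key derivation on this machine."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def iteration_count_is_weak(iterations: int, minimum: int = NEWER_ACCOUNT_MINIMUM) -> bool:
    """Defender's check: flag a vault whose KDF work factor is below the floor.

    The counts the thread reports for old accounts (5,000, 500, 1) all fail
    against the 100,000 floor; the newer-account count passes.
    """
    return iterations < minimum


def audit_iteration_counts(counts, minimum: int = NEWER_ACCOUNT_MINIMUM) -> dict:
    """Return {iteration_count: is_weak} for a batch of vault settings."""
    return {c: iteration_count_is_weak(c, minimum) for c in counts}


def main() -> None:
    base = max(seconds_per_derivation(SAMPLE_PASSWORD, SAMPLE_SALT, 1), 1e-9)
    print(f"{'iterations':>12} {'weak?':>6} {'seconds/derivation':>20} {'x cost vs 1':>12}")
    for count in (OWASP_RECOMMENDED,) + THREAD_ITERATION_COUNTS:
        secs = seconds_per_derivation(SAMPLE_PASSWORD, SAMPLE_SALT, count)
        weak = "yes" if iteration_count_is_weak(count) else "no"
        print(f"{count:>12,} {weak:>6} {secs:>20.6f} {secs / base:>12.0f}")
    # The "one iteration" case is identical to a single HMAC over the salt.
    assert derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, 1) == single_hmac_key(SAMPLE_PASSWORD, SAMPLE_SALT)


if __name__ == "__main__":
    main()
```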
| allochthon wrote:
| I had a similar reaction. Acquisitions can be a signal that
| there's a go-to-market strategy being pursued.
| tiffanyh wrote:
| Given that Bitwarden, Inc. is a _for_ -profit company, isn't
| it expected they would have a GTM strategy?
| fpoling wrote:
| Well, when the interest rates were zero, profit was an
| afterthought and many still do not grasp what a rate like 4%
| implies.
| kjfarm wrote:
| A good note for bitwarden is that it has a self hosting open
| source version, vaultwarden that is easy to switch to:
| https://github.com/dani-garcia/vaultwarden I see this as
| downside protection, as I can quickly migrate if I disagree
| with bitwarden's direction with minimal changes to my clients.
|
| I do worry about VC pressure on Bitwarden for hypergrowth.
| However in my personal opinion, the benefits outweigh the cons
| (for now).
| omnicognate wrote:
| Vaultwarden's great. I use it. I use the Bitwarden Android
| client, though. Not sure what there is to replace that.
| johnmaguire wrote:
| It's open source and can be forked if necessary:
| https://github.com/bitwarden/mobile
| jacoblambda wrote:
| To add onto this, if you care about supply chain attacks,
| bitwarden mobile supports F-Droid builds (albeit not part
| of the main repo because they rely on Xamarin) so you can
| host your own F-Droid repo and run your own builds if so
| desired.
| jjeaff wrote:
| If you are making your own build, is there a benefit to
| using f-droid? Why not just install the APK?
| notpushkin wrote:
| Update notifications?
| weaksauce wrote:
| you don't need to fork it... just add an account at the
| main screen and set the backend url to whatever your
| server resolves to.
| tazard wrote:
| I think they meant if they don't like the direction that
| the Android client takes, i.e. they stop allowing you to
| change the backend url for example in which case, yes you
| would need to fork or rewrite it
| princevegeta89 wrote:
| Is it not possible to point BW Android to your Vaultwarden
| instance?
| cube00 wrote:
| It's fragile if you do that. Bitwarden updated their API
| last month on the clients so you couldn't connect to
| Vaultwarden at all until the Vaultwarden team could
| reverse engineer the change and produce a new release.
| BrandoElFollito wrote:
| This is interesting. I use BW daily (many times) on
| Android against my self-updating VW instance.
|
| I did not notice anything, maybe the break happened
| during the night in Europe. Or the Android app did not
| warn about problems.
| kioleanu wrote:
| Note that Vaultwarden is the unofficial server, there is also
| an official one, that you can self host.
|
| Vaultwarden is much easier to set up and manage, I use it
| myself, and I heard that the official build is a little bit
| more tedious to go with.
| Spivak wrote:
| The official one used to only support MS SQL and other DBs
| are still "mileage may vary" so people were uhh pretty
| motivated to make something else.
| nightski wrote:
| Interesting, I use ms sql a lot so that's actually a plus
| for me.
| cube00 wrote:
| It's easier to manage until it breaks as the recent example
| last month when Bitwarden updated their client and
| Vaultwarden had to play catch up and reverse engineer the
| changes.
|
| That experience sent me back to just letting Bitwarden host
| for me, I know it's all free and I can't expect anything
| which is fine, but I can't be without my passwords either.
| pavon wrote:
| The official server is distributed as docker containers,
| with a shell script to manage them, and is quite simple to
| setup and maintain. I could see how trying to deploy it
| yourself outside of docker could be an undertaking though.
|
| The MSSQL database seems a bit heavyweight (RAM wise) given
| the tiny amount of data it needs to host for a handful of
| users, and isn't acceptable to some people on principle,
| since it isn't open source.
| simooooo wrote:
| Waiting for bitwarden unified to come out of beta before I
| self Host
| szundi wrote:
| If dev support from the company fades, the UI will start to
| deteriorate - and whether you are hosting or not, that is also
| a thing that matters. Like mobile apps, browser plugins, form
| filling logics and specific site behaviours etc.
| switch007 wrote:
| I'd bet on KeePass 2 longer term. KeePassXC has been around 10
| years (forked from a project started 8 years before that).
| Actively developed, cross platform.
|
| There are decent apps for android and iOS (eg Strongbox)
|
| I'm going to migrate off 1Password to it soon
| princevegeta89 wrote:
| What is the best client for Keepass on Android? How is the
| autofill functionality?
| ESchack wrote:
| I did this some time ago when 1Password announced switching
| from having native apps to being containerized web apps. Have
| not regretted it one bit.
| roustem wrote:
| The "containerized web app" is not a correct description
| here. 1Password 8 on macOS, Windows, and Linux is a full-
| fledged desktop app. It is built in Rust with
| Electron/React providing the UI. It can work completely
| offline and does not require a network connection.
|
| 1Password 8 has greatly improved security architecture
| compared to the previous versions. Just one example of
| many: when rendering the item details, the Rust core would
| not send the password value to the UI layer until the user
| clicks "Copy" or "Reveal" password.
|
| In addition to that, 1Password 8 has better integration
| with the operating system than any other version in the
| past -- Touch ID, Windows Hello, Secure Enclave, macOS
| Accessibility services, etc, etc.
| velhartice wrote:
| Bingo, me too. I like that keepass is file based so I can
| use any storage medium to make multiple layers of security
| to access the vault. Even if cloud providers have access to
| the file or my cloud storage account gets hacked they still
| have to crack the file to get the passwords. Also I have
| been using strongbox pro for a few years now and been very
| happy, in fact I like it better than what 1password used to
| be. Worth every penny. KeepassXC has also been great.
| aheckler wrote:
| I've been considering a switch from 1Password to
| KeepassXC myself, but the last time I tried it, I
| couldn't find if KeepassXC has some equivalent to the
| "quick access" feature of 1Password.[0] In short, a way
| to open a small window, search for a service name or URL,
| and then quickly copy username, password, or a TOTP code.
| As far as I could tell, I had to open the entire
| KeepassXC app every time to find something. Has this
| changed, or did I miss something somehow?
|
| [0] https://support.1password.com/quick-access/
| Jack5500 wrote:
| Slightly offtopic, but I really find the Bitwarden Clients to be
| lacking in the feature department. I switched to Bitwarden a few
| months ago and the client has evolved (for me) ever since.
|
| There are a few basic features missing, such as: if I search
| for something I wrote in the notes of a password, the client
| should show the corresponding password. I get that the
| open-source model implies that everyone can contribute and fix
| this issue, but if I
| look at the repo and see 108 open PRs, I don't even bother to
| check if that's a feature that would be easy to add.
| sigzero wrote:
| Bitwarden (for me) is still a little clunkier in how it does
| things compared to 1Password. I find 1Password a much smoother
| experience.
| velhartice wrote:
| KeepassXC and/or strongbox have a very similar workflow to
| the older file based 1password one. I switched from 1password
| once they went to the centralized subscription model and I
| have been very happy with it for years now.
| mimimi31 wrote:
| I agree, it's a little weird that some very basic quality of
| life features are missing from such a popular and relatively
| mature product.
|
| Folder management in particular seems to have been an
| afterthought. You create a subfolder by setting its name to its
| full path in the hierarchy, including all its parents. And
| thus, in order to rename a folder you have to manually go
| through every single subfolder and rename the particular parent
| in its name.
|
| Other annoyances off the top of my head are things like the
| inability to change the type of a custom field from e.g. text
| to hidden without deleting it and creating a new field. Or the
| browser extension forgetting everything you just typed into the
| new item form (unless you remember to pop out the window) when
| pasting a generated password on the site you're trying to
| register to.
|
| After switching from KeepassXC to Bitwarden for its better
| auto-fill detection and convenient synchronization, I can't
| help but feel that it's also been a downgrade in more ways than
| expected.
| yshavit wrote:
| I just switched password managers from LastPass, and
| Bitwarden's lack of multiple accounts on their browser plugin
| was a dealbreaker for me. Such a basic feature, especially if
| they want to get widespread adoption. Otherwise, anyone whose
| work uses Bitwarden basically can't also use it for their
| personal stuff without jumping through hoops.
| tapland wrote:
| Aren't you supposed to have your personal Bitwarden account
| and get work passwords shared to your account? I thought
| that's how Bitwarden for organisations worked.
| jeroenhd wrote:
| Bitwarden's mobile app allows you to log in with multiple
| accounts. I think the desktop client does as well.
|
| Not sure why the web extension doesn't. Might have
| something to do with autofilling or adding credentials to
| HTTP Basic Auth?
| yshavit wrote:
| Ideally I'd want to keep my _personal_ personal stuff
| separate from my "work personal" (ie my personal logins,
| but the one for work accounts) separate from my shared work
| stuff. So I'd want two accounts, one for my truly personal
| accounts, and then one for my work-personal and have the
| work-shared connected to that.
| jeroenhd wrote:
| I don't know how well this works across business and
| personal accounts, but you can use "collections" to share
| passwords between accounts.
|
| I'm using that on my VaultWarden server to share data
| between different accounts and it works well for me. This
| may not work in your specific situation if your company
| manages your Bitwarden account, though.
| tapland wrote:
| There doesn't seem to be a security benefit of doing this
| if you encounter having to swap between personal-personal
| and work-personal.
|
| It doesn't take me many seconds to swap accounts.
| LastPass allows you to be signed into two accounts at the
| same time in the same browser?
| secabeen wrote:
| Lastpass allows you to link your personal-personal
| account into your work account, so that you can access
| your personal-personal data while logged into a work
| account. Work-personal accounts should be stored in a
| personal folder in your work account, then work-work
| accounts are in shared folders that cross multiple users.
| yshavit wrote:
| I forget if LastPass does -- 1Password does (though I
| haven't actually used it in practice, because my work
| doesn't use 1Password). Idk, maybe it's not actually a
| problem, but it's how I like to organize things.
| ::shrug::
| obblekk wrote:
| I really dislike the idea of giving complete access to my digital
| life to any company, particularly one that needs to grow quickly.
|
| The tech for password vaults is so simple, I use keepass + icloud
| syncing and get free end-to-end encrypted password syncing,
| without sharing any data with anyone.
|
| Outlined in more detail here: https://magoop.substack.com/p/how-
| to-manage-500-passwords-se...
| thefz wrote:
| Bitwarden is built as a zero knowledge platform and they can't
| access the contents of your Vault.
| mort96 wrote:
| Only if you never use the web interface.
| RadiozRadioz wrote:
| So is LastPass, but we users changed our passwords in
| December anyway as a precaution. Bitwarden is still a central
| entity that needs to be trusted to manage the zero knowledge
| platform with competence, e.g. not storing unencrypted
| metadata in a backup.
| panarky wrote:
| Because LastPass is a bad actor that falsely claimed to
| have a "zero knowledge architecture" that couldn't be
| compromised if they were hacked, and kept their code secret
| so nobody could independently assess their implementation,
| and then proceeded to store critical user data unencrypted,
| which was promptly hacked and leaked, that means the risks
| must be identical with Bitwarden, which publishes client
| and server code in public, so anyone can inspect their
| implementation.
| stavros wrote:
| I kind of want to point out the discrepancy in saying "I get
| syncing without sharing my data with anyone by sending my
| password database to Apple". If your argument is that the
| database is encrypted, how is Bitwarden different?
| dcow wrote:
| What this highlights in my humble opinion is that many users
| seek security signals and are less concerned with the actual
| security implementation. In the password management space,
| the signals are "local vault", and "not VC backed", at least
| on HN. It's quite odd since you'd think people would be more
| concerned with the application architecture, key derivation,
| key transport backup and recovery, etc. But it seems security
| is more synonymous with "company doesn't store my vault on
| their servers" than it is with "company helps me securely
| encrypt my passwords".
| advisedwang wrote:
| I do this, but have started using Syncthing [1] for sync
| instead of a cloud service.
|
| [1] https://syncthing.net/
| TillE wrote:
| BitWarden doesn't get "complete access to your digital life",
| they get an encrypted blob.
|
| It's not materially different than storing your KeePass vault
| in the cloud.
| mort96 wrote:
| There's still trust there. You're writing the key to decrypt
| everything into their web interface if you ever use it
| (vault.bitwarden.com). If they wanted, they could really get
| access to everything in your bitwarden vault.
| dcow wrote:
| That's why open source is important. You can audit them and
| verify that they are behaving in a trustworthy manner.
| Kimcha wrote:
| Not if you are using their cloud version instead of the
| open source self hosted server.
|
| The code they are running does have to be the code they
| are publishing.
|
| And if someone compromises their cloud servers, they
| could also modify it to log the passwords entered.
| dcow wrote:
| Yes we can degenerate into inordinate amounts of rabbit
| holes. For 1, you can audit the JS that runs on your
| browser, it's not hiding (so it's not strictly fair to
| say that just because you loaded a webpage in your
| browser from their server it can't be trusted). And
| anyway, generally, your argument holds for any software
| interaction ever. GH doesn't have to ship you the repo
| that you browsed on the web client. A malicious actor
| could have compromised their infra and be serving fake
| code in the web UI but have added all sorts of malware to
| the stuff you download. Apple app store doesn't even ship
| you the exact binary the developer uploaded. Scary. At
| some point you have to decide which threat vectors you
| actually care about. Give me a scenario and I can tell
| you how someone can theoretically attack it and why
| you're not safe. The only thing you can be 100% sure
| about is manually auditing every single release at the
| source level and building it yourself.
| getcrunk wrote:
| Well even then you have to make sure your compiler isn't
| playing tricks on you. So compile your compiler from
| source ... oh wait. Then you have your cpu microcode,
| firmware, security coprocessors.
|
| Trusting trust
| mort96 wrote:
| I can't audit their server-side code. Even if it's open
| source, it's impossible to verify that the software which
| the server is running is identical to the open source
| version, or that there's no proxy in between you and the
| server which logs the passwords, or some debugger attached
| which inspects the passwords in memory as people log in.
| manmal wrote:
| Services like 1Password are often more secure than your
| solution because they need to harden vaults against full leaks.
| In the case of 1Password, a secret key in addition to the
| password ensures that brute forcing is (at the moment) not
| feasible, even if your password is really crappy.
| DavideNL wrote:
| Note that 1Password copies the "Secret Key" to iCloud...
| without asking.
| princevegeta89 wrote:
| Same was said about LastPass many times and look at what
| happened, everything turns out to be a false promise.
| hn_throwaway_99 wrote:
| That's not a fair comparison. The differences in LP and 1P
| encryption approaches have been well known for years, and
| they are fundamentally different.
|
| Now, while 1P encrypted vaults are not brute-forceable the
| way LP's are, that doesn't mean it's impossible to hack 1P
| (e.g. malicious code injection in any of their apps or
| plugins), but I don't like the "everything turns out to be
| a false promise" broad-brushing when there are real and
| verifiable differences in how these companies secure your
| data.
| notesinthefield wrote:
| Keepass has Key Files as a part of the spec
| https://keepass.info/help/base/keys.html
|
| On my devices, keyfiles and a KP client are stored locally.
| The DB rests in the cloud.
| phonebucket wrote:
| But in the context of a strong master password, the
| additional benefit of the secret key is of negligible benefit,
| while the hassle and dangers of having to synchronise the
| secret key remain.
|
| I'd rather use an extremely high entropy master password by
| itself.
| brandon272 wrote:
| LastPass would have also led their customers to believe that
| "brute forcing was not possible" and that they were taking
| extraordinary measures to keep vaults and data safe.
|
| I think one distinction between services like KeePass and
| 1Password is end user perception of how easy it is for an
| attacker to acquire an encrypted vault to begin with. For
| many, they consider a KDBX database sitting in their Dropbox
| account to be less likely to be stolen than an encrypted
| vault being held by a company like 1Password, a high value
| target to the most sophisticated attackers including state
| actors.
| hn_throwaway_99 wrote:
| Doesn't necessarily matter what LastPass "would have also
| led their customers to believe", the mathematical reality
| is still that LastPass vaults _are_ crackable in a way that
| 1P vaults fundamentally are not.
| brandon272 wrote:
| Yes, according to what 1Password is telling us. But as
| we've seen, what these companies say and what they
| actually do in practice are not always aligned. And
| oftentimes customers are inserting a _lot_ of their own
| assumptions into the mix, not only with respect to vault
| encryption but vault storage and operational security.
| hn_throwaway_99 wrote:
| > Yes, according to what 1Password is telling us. But as
| we've seen, what these companies say and what they
| actually do in practice are not always aligned.
|
| That's just not accurate:
|
| 1. First off, all the encryption happens client-side. It
| is possible for anyone so inclined to validate how 1P and
| LP are doing their encryption.
|
| 2. The deficiencies in LP's encryption approach were well
| known for years.
|
| My point is, yes, companies will spin things however
| they want, which is why you should _completely ignore
| what they say_ and only evaluate _what is verifiable_.
| And 1P's and LP's approaches are verifiably different.
| brandon272 wrote:
| 1Password's client side encryption is occurring within
| its proprietary, closed-source product, so I'm not sure
| how the end to end process can be completely validated.
|
| With respect to your confidence in 1Password's code and
| encryption methodology, would you be willing to send me
| your 1Password vault so that I can have a look at it?
| hn_throwaway_99 wrote:
| > 1Password's client side encryption is occurring within
| its proprietary, closed-source product
|
| It's Javascript running in a browser.
|
| > With respect to your confidence in 1Password's code and
| encryption methodology, would you be willing to send me
| your 1Password vault so that I can have a look at it?
|
| Yes, absolutely (note I don't actually know how to get
| the encrypted version of the vault standalone). Are you
| willing to send banking information over HTTPS? It's the
| same level of security.
| brandon272 wrote:
| > Yes, absolutely (note I don't actually know how to get
| the encrypted version of the vault standalone).
|
| I believe that, given that it's just JavaScript in the
| browser, that the encrypted vault should be available as
| a blob in one of the network requests when you are making
| a change to the vault.
|
| > Are you willing to send banking information over HTTPS?
| It's the same level of security.
|
| Maybe I'm being irrational, but I just think there is a
| fundamental difference in the risk profile between a
| breach of my banking credentials and having every stored
| set of credentials across my entire digital life exposed
| through a password vault breach.
|
| If my banking details were compromised somehow, I at
| least have a bank I can work with and real people I can
| talk to. Both the bank and myself have a strong mutual
| interest in addressing the acute security issue.
| Government banking regulations come into play. Insurance
| comes into play.
|
| If my password vault is compromised and credentials for
| every service and website are exposed, I would argue that
| is a far graver matter. And who do I turn to in that
| case? I have to imagine that any of these password
| management companies would just point to me being somehow
| negligent with my master key and tell me to pound sand.
| zmxz wrote:
| Bitwarden can be self-hosted, it's fully open source so you can
| be safe that way, never giving a single byte to the company.
|
| Do you have a browser extension that offers username/password
| autofill using keepass as datasource or do you alttab copypaste
| / rely on a program made by someone else to clear your
| clipboard?
| d1lanka wrote:
| Same here.
|
| KeepassXC to be specific: https://keepassxc.org/
| sakopov wrote:
| Agreed. I use keepass + dropbox secured with yubikey. You can
| even go a step further and configure yubikey with keepass as
| well.
| anonkogudhyfhhf wrote:
| What about on mobile?
| sakopov wrote:
| I believe KeePassDX on android supports yubikey via NFC.
| velhartice wrote:
| Strongbox for iOS.
| waymon wrote:
| I used to do this. Now I self host vaultwarden since it allows
| me to use that database with faceID. Can keepass do that?
| hoboris wrote:
| I use the Strongbox iOS client. It reads .kdbx files,
| integrates with apple sign-in features, and supports faceID.
|
| https://apps.apple.com/us/app/strongbox-password-
| manager/id8...
| dicknuckle wrote:
| I use the Keepass2Android and it integrates with the OS
| fingerprint reader, so it's likely the same for faceunlock
| but I don't use that.
| IronWolve wrote:
| I like keypass, but merging my android and pc versions every
| so often is a task I'd like to automate. I dont do
| google/apple cloud so avoiding that.
| ithkuil wrote:
| The demo on the homepage is available only on chrome. I tried
| both safari and firefox on macos and I can't see the "Experience
| Passwordless.dev in action" link there.
| jlundberg wrote:
| Worked for me in Safari on macOS if you have iCloud keychain
| activated.
|
| Or more correctly: I got so far but stopped because I prefer to
| have my keychain locally :)
| StreamBright wrote:
| I am not sure how much is this better than magic link logins.
| 8organicbits wrote:
| Magic links via email? Email isn't a secure transport, or
| storage. I think that's only viable for low risk systems. Even
| software like Slack, which supports magic links via email, will
| also support username/password/MFA as an option for folks who
| need better security.
| 9dev wrote:
| It's about a bazillion times less annoying?
| heresjohnny wrote:
| Interesting demo. What happens though if the device holding the
| private key is lost? Or Apple decides to shut down your iCloud?
| Is there a backup option, similar to backup codes for OTP?
| smileybarry wrote:
| I wonder how iCloud shutdown would affect this route, but: your
| Passkeys are synced to your devices locally, and the whole
| "scan QR code on another device with your phone to
| authenticate" flow is fully local, utilizing key authentication
| over BLE.
|
| Theoretically, your Passkeys _should_ still be on your iPhone
| /iPad/Mac/iThing, and QR authentication will work. (And then
| you provision another key on another device, since Passkeys'
| intention is like SSH keys, allowing multiple on a single
| account)
| WorldMaker wrote:
| Just like TOTP (used for most 2FA) the best practice for
| websites accepting passkeys will be to support as many passkeys
| as you wish to enroll. So you could enroll into your account
| some device associated with your Apple ID and some device
| associated with your Microsoft Account and some device
| associated with your Google Account and some browser associated
| with your Firefox Account and use any of those for recovery.
|
| Unlike TOTP, the _base case_ for passkeys is multiple key
| enrollment so websites are more likely to support it well
| whereas with TOTP so many implement it as having one-and-only-
| one TOTP configured. Even when enrolling just a single device
| that device generally enrolls a small key-chain, not just a
| single key, because that's how recovery systems work even for
| using just a single "owner" account. Plus most people use 2 or
| more devices regularly and Passkey has to work with that. So
| many more websites in practice should actually support N
| passkeys where N > 1 (versus half-baked single-option-only TOTP
| implementations).
|
| At least in theory, in practice we'll see how well Passkey gets
| implemented at large, there's always lots of ways for companies
| to get practice wrong.
| secabeen wrote:
| Best practice is unlikely to help here, as people just aren't
| going to register passkeys from multiple services unless it
| happens automatically. I might bother to enroll multiple
| passkeys for my bank, but I'm unlikely to do it often.
|
| Are Passkeys exportable and re-importable by another service,
| site, or system? As described above, if my Google Account is
| terminated by Google without recourse (which absolutely
| happens), do I lose access to all sites that I used solely a
| Google Account Passkey for once my phone stops working?
| WorldMaker wrote:
| It _should_ start to happen automatically. Apple, Google,
| and Microsoft have all stated the goal that they are hoping
| for deep inter-operation across all of a user's devices,
| regardless of ecosystem.
|
| If you are truly paranoid that your major device accounts
| are subject to termination without recourse (which if that
| happens you generally have lots of other problems and
| should maybe cause you to rethink your other trust
| relationships with such vendors and which devices you are
| buying), you can build your own Passkeys with WebAuthn
| standards and roll your own recovery/backup strategy. (Most
| FIDO compatible WebAuthn keys already work today anywhere
| Passkeys are supported, Passkey is just the "brand name"
| for those standards plus a soon-to-be-standard Bluetooth
| LTE handshake plus Vendor-guided backup and recovery plus
| whatever cross-device ecosystem "interop" standards the Big
| 3 eventually settle on.)
| secabeen wrote:
| > It should start to happen automatically. Apple, Google,
| and Microsoft have all stated the goal that they are
| hoping for deep inter-operation across all of a user's
| devices, regardless of ecosystem.
|
| If this is the case, then maybe there will be some
| solution through Google Takeout. Apple and MS seem less
| interested in this, but if one of them can generate an
| export, I can see services appearing that can work with
| that exported data.
|
| > you can build your own Passkeys with WebAuthn standards
| and roll your own recovery/backup strategy.
|
| This....or I can stick with passwords, print them out
| annually and put them in my fire safe. The KISS principle
| works here, and I can't imagine a non-techie person who
| works in a socially-risky field being able to do so.
|
| > If you are truly paranoid that your major device
| accounts are subject to termination without recourse
| (which if that happens you generally have lots of other
| problems and should maybe cause you to rethink your other
| trust relationships with such vendors and which devices
| you are buying)
|
| Complaints by users who have Big 3 cloud accounts closed
| for unspecified "violations" are common enough to make it
| a concern. I take other protections against something
| like this, but I absolutely do consider it a risk, and
| would generally advise people not to keep all their
| digital services under one roof. If you use Gmail for
| email, then use Microsoft or Apple for Passkey, Bitwarden
| or 1Password for Password Vaults, etc., etc.
| WorldMaker wrote:
| > If this is the case, then maybe there will be some
| solution through Google Takeout. Apple and MS seem less
| interested in this, but if one of them can generate an
| export, I can see services appearing that can work with
| that exported data.
|
| So far as I'm aware none of them are planning key exports
| any time soon. Keeping keys to the various secure
| enclaves of user's devices is a key part of the security
| footprint they are trying to establish. That's why multi-
| key enrollment is the _base case_ in all Passkey systems:
| recovery, multi-device support, etc all hinge on
| continuously expiring old keys and auto-enrolling new
| ones. There's no export, and cloud backups aren't
| "backups" but different, Vendor _escrowed_ keys (often
| themselves in hardware cloud secure enclaves that cannot
| be exported, only new keys added to keychains) and ways
| to attest for (sign) new keys in recovery situations.
|
| As I said way above, the _theory_ is that enrolling all
| of your devices and all of your top-level recovery
| accounts will be easy and convenient enough on _every_
| website, not just your bank (given how many banks still
| don't even support proper TOTP, hopefully _better_ than
| some banks today), and enough so that _everyone_ does it
| by habit. I agree, there are huge practical risks that
| someone gets it wrong and there's all sorts of ways what
| should be easy turns into complicated soup that never
| works right. That's the brief glimmer of hope here
| offered by the Big 3 alliance on this and making it a
| major marketing endeavor. They've put a lot on the line
| for this.
|
| > This....or I can stick with passwords, print them out
| annually and put them in my fire safe. The KISS principle
| works here, and I can't imagine a non-techie person who
| works in a socially-risky field being able to do so.
|
| The _hope_ is that with the Big 3 all in agreement here
| on passwords needing to be entirely replaced and the only
| way that happens is if what replaces them is as easy and
| uncomplicated as possible for non-technical to use every
| day, Passkeys will see strong implementations everywhere
| and that cross-vendor multi-device interop will be strong
| enough for _everyone_ to rely on (even if you distrust
| one or all three of the Big 3).
|
| > Complaints by users who have Big 3 cloud accounts
| closed for unspecified "violations" are common enough to
| make it a concern. I take other protections against
| something like this, but I absolutely do consider it a
| risk
|
| I consider it a risk too, but as with all things security
| every risk needs to be evaluated within the template of a
| larger threat model. Email is already the de facto
| chokepoint for recovery of almost any account (and
| passkeys don't necessarily change that, "Forgot Password"
| flows still probably exist in passkey worlds, just
| differently). You have a ton of eggs in whatever basket
| is your email provider (and for the majority of people
| often one of the Big 3). Phones are already the de facto
| chokepoint for account access (whether because of TOTP or
| single ecosystem "apps" or all sorts of other lock in
| mechanics). Passkeys don't substantially change these
| existing deep trust relationships (and weren't really
| designed to), most people in most threat models the
| amount they are trusting their various relationships with
| the Big 3 doesn't substantially shift with a switch to
| Passkeys. (For good and bad. Absolutely some people are
| underestimating exactly how much they trust one vendor or
| another and how much they have to lose if their account
| is suspended for any reason without warning or easy
| recourse.) (Your threat model is your own and will vary,
| of course.)
|
| On top of that, other vendors _will_ be playing ball in
| this space. Mozilla isn't a direct part of the "Passkey
| Alliance" but has stated their interest in Passkeys and
| cross-platform/cross-device interoperability. There will
| be more, too, over time. Possibly _enough_ paranoid
| people will roll their own that good self-hosting and
| open source options will roll out eventually, even if
| most people won't use them and most people won't need
| them in their personal threat models, having more options
| is always a good thing (and Plan B if your threat model
| changes for any reason). All of this is in a cloud of
| enough open standards that vendor lock-in, while maybe
| not impossible, should be unlikely.
|
| You are right to be worried. You are right to be
| questioning all of this. I appreciate your concerns here
| (I know I have an uneasy relationship at best with at
| least one of the Big 3 myself). I hope I've offered at
| least some reasoning on where some of your concerns may
| be mitigated by the ecosystem as a whole.
| secabeen wrote:
| Thanks for your comments, and I think I see the ambition
| of the project. We'll see how far it goes. I hope that
| the powers that be in this space see the risks they're
| creating, recognize that they are increasing the blast
| radius of account loss, and take some efforts to mitigate
| them.
|
| Honestly, if they don't, they may find themselves under
| significant government regulation. The DMV in most states
| is hard to work with, but they work with everyone,
| regardless of disability, felony record, reprehensible
| views, everyone. If we're going to allow these companies
| to take this authoritative role in our systems, they
| should necessarily lose the right to refuse service. If
| they don't want that trade-off, then they should hand the
| whole thing to login.gov and other Government Identity
| schemes.
|
| The best hinge point I would use in conversation with
| these players is to plan for third-party access from the
| beginning. Systems like Lastpass and Bitwarden have built
| robust systems for emergency access in the event of
| hospitalization or death. They've done so because it's
| needed, often. If the Big 3 commit to allowing some
| access-for-transfer-out when accounts are closed or
| access is lost, even in non-ideal situations, that would
| go a long way.
| secabeen wrote:
| This is an unrelated question, so I'm putting it in a
| different thread.
|
| How will Passkeys work for users who don't have or want a
| smartphone? There are plenty of people who carry no
| electronic devices on their person, and who primarily
| access the Internet through library access stations,
| other public Internet services, or multiple desktops.
| Will they be unable to use a site that is passkey-auth-
| only until they get such a device?
| WorldMaker wrote:
| Very good questions and I've been wondering that some
| myself. I imagine of the Big 3 Microsoft is likely the
| one to have been thinking about this the most. With
| Microsoft no longer having a smartphone ecosystem of
| their own, they will likely have to support both Apple
| and Android devices and they probably also need to have
| more answers for the "neither" scenarios as well (de-
| Googled Android users still sometimes have Windows PCs,
| for instance; Windows users are said to include a larger
| share of older "dumb phone" generations; etc). Also, most
| of those access stations themselves are generally Windows
| PCs for the intersection of cheapest available hardware
| and lowest common denominator software. (Though I've
| heard Chrome OS is shifting that in some places.)
|
| I think the immediate answer is that something like a
| Microsoft Account-based login system and Cloud-based key
| escrow becomes more unavoidable in situations like that.
| But I'm not sure and hopefully there are smart minds
| exploring some of these scenarios in the long term.
| Relatedly, I know there are some long-term creatives
| trying to figure out if "smartphone" is becoming a
| required utility for the modern world (TOTP has already
| made that a recently strong requirement in plenty of
| areas; soon you may not be able to bank without a mobile
| device, for instance) and the "phoneless" may be its own
| evolving economic crisis on top of homelessness to deal
| with in the long term. "Give everyone phones" may sound
| like a curt, dumb answer, but it may end up being
| something close to the answer; go to your local DMV and
| get a secure phone as your digital ID to go with your
| physical ID. I don't know if that is the plan, I just
| know it is a plan I've heard we need to consider, that
| "baseline personal hardware" may be an ever-increasing
| need.
| selykg wrote:
| > Or Apple decides to shut down your iCloud?
|
| This is probably testable as it is. They sync to iCloud
| Keychain, as is my understanding anyway.
|
| How are the rest of your passwords stored in iCloud Keychain
| when your account is hosed? Do you lose those or does it just
| turn off syncing? I'd imagine it turns off syncing but keeps
| the keychain around unless you delete the iCloud Account from
| the device. That's a whole different ballgame of potential bad
| decisions though.
| echeese wrote:
| Probably the same thing that happens when you forget your
| password. Hit the "forgot your password" link, get a
| confirmation email, create a new passkey
| penciltwirler wrote:
| One can easily self host a bitwarden server on digitalocean.
| https://bitwarden.com/blog/digitalocean-marketplace/
|
| However, I'm curious what y'all think about the cost. A
| digitalocean droplet for the recommended specs (4 GiB memory) is
| $24/month. This is hard to stomach when you compare with
| Bitwarden Premium which is <$1/month. I guess it depends on how
| much you value your own data.
| jslql wrote:
| 4 GB of memory for something like this? Absolutely deranged.
| How can they not see that?
| ramsj wrote:
| I run Vaultwarden on the free VPS from Google Cloud and it
| works great.
| jeroenhd wrote:
| You can run the open source VaultWarden server
| (https://github.com/dani-garcia/vaultwarden) on way slower
| hardware. It takes a while for the project to catch up in terms
| of API support compared to the official server, but it's great
| for self hosting.
| sodality2 wrote:
| Highly recommend using Vaultwarden, API compatible OSS server.
| It even provides premium features like TOTP for saved sites. I
| could host it on a small $12/yr VPS but currently host it on a
| home server. Minimum specs are very low for it as it's written
| in Rust.
|
| DO inflates prices for their systems, sometimes I guess it's
| worth it but you can get a great dedi with FAR better
| performance from Hetzner auctions for $32/mo. 64GB RAM, proper
| CPU, large HDD, could probably host a thousand Vaultwarden
| instances. Definitely don't use that for just Vaultwarden, it's
| just an example, but yeah.
| wallmountedtv wrote:
| You can use vaultwarden, which is a re-implementation in Rust
| that is much more lightweight than the official .NET version.
| metaltyphoon wrote:
| I wish they would drop SQL for the self hosting and just use
| SQLite instead. That's what eats the most RAM on self hosting
| in .NET version.
| jeroenhd wrote:
| Based on their current docker-compose file, it seems like
| they did away with the MS SQL server, at least:
| https://github.com/bitwarden/server/blob/master/docker-
| unifi...
|
| [This issue](https://github.com/bitwarden/server/pull/2487)
| also suggests SQLite was added as a database driver last
| December.
| fullstop wrote:
| Vaultwarden can run on their $5 droplet.
| mdaniel wrote:
| Aside from the highly relevant cost observations of the sibling
| comments, one will want to be cognizant of the ... very strange
| ... opsec that installer uses. It's a lot of curl into bash,
| self-updating things, url shorteners, and :latest tags
|
| discussed when it was announced:
| https://news.ycombinator.com/item?id=31098608
| rqtwteye wrote:
| If you self host, why would you need such specs? You would
| access your server a few times a day at best. Otherwise it just
| sits there.
| kevwil wrote:
| It makes me think (dangerous, I know) ... I find it odd to use
| the term "self host" when referring to a third-party cloud.
| It's someone else's servers and network and electric bill,
| after all.
|
| Pedantry aside, yeah that seems expensive given the amount of
| convenience offered. But much more convenient than setting up a
| server in your basement with a UPS and external backup drives
| and such.
| selykg wrote:
| Self hosting is a scale. But the point is you have the
| ability to host it how you want. Whether that be on a cloud
| service that you just throw a docker container at, to a VPS
| with root, to a bare metal machine co-hosted, to in your
| basement, the choice is yours.
| recuter wrote:
| Why does it need to run 24/7?
| jedahan wrote:
| They are working on reducing the requirements - see
| https://bitwarden.com/help/install-and-deploy-unified-beta/
| which claims 200 MB RAM and 1GB storage requirements.
| DangitBobby wrote:
| Anyone know how Bitwarden fits into the "passwordless" equation
| here? I tried to log in to Dogwarden (shown in the video demo on
| passwordless.dev), but the Bitwarden extension/app doesn't seem
| to do anything during sign-up.
|
| Also wondering if anyone knows why this device [1] doesn't work
| during the "passwordless" sign-up/sign-in process on
| dogwarden1.passwordless.dev. Am I going to have to buy yet
| another hardware key if I want passwordless logins?
|
| 1. https://www.amazon.com/gp/product/B0773YLSY5/
| jeroenhd wrote:
| My current setup uses Krypt.co (deprecated) to forward most
| U2F/FIDO2 requests to an app on my phone. The app has some keys
| stored in my phone's secure secret storage and verifies/signs
| the request (after unlocking my phone with biometrics or my
| phone's PIN). This signed response is then used to log into the
| website.
|
| I believe the goal for Bitwarden would be the same, to allow
| for seamless login through a secondary device using WebAuthn
| and friends. Apple and Google are already working on cross-
| device FIDO2 login support, but for Firefox I haven't seen much
| announced as of yet. Bitwarden filling in for Apple's/Google's
| proprietary services would be a way to log in securely without
| giving up even more security features to browser companies.
| ajcoll5 wrote:
| Would have preferred to see the cash used for this be used for
| things like app QoL improvements, an actual code audit (not just
| the basic network security assessments they list), or to offer
| actual bounties for their bug 'bounty' program.
| Reptur wrote:
| I'd like to see a video on how losing your device and recovery of
| the account works with Passwordless.
| jlundberg wrote:
| And here is a link to the web site of this startup:
|
| https://www.passwordless.dev/
|
| Anders Aberg (@andersaberg) who is the founder behind this is a
| really enthusiastic and inspiring coder. I've always enjoyed his
| mashup hackathon ideas and meetup presentations. :-)
| jlundberg wrote:
| For those curious, here is another fun project Anders has built
| in which he mixes ambient music with live radio broadcasts from
| airports :)
|
| https://listentothe.cloud/
| fantalamera wrote:
| Anders is amazing!
| Jsharm wrote:
| Wow this is really cool. I just tried the example on the
| homepage, that's magic! No email, username or password. Can
| someone explain what is happening?
| antihero wrote:
| On iOS this seems to use the iCloud Keychain which is slick but
| how would I then log in to sites using Firefox or any computer
| that doesn't have access to my keychain? The reason I use a 3rd
| party manager is precisely this reason.
| WorldMaker wrote:
| Sites should likely let you enroll multiple such passkeys
| from different vendors (add a Microsoft Account passkey from
| your PC, a Google one from your Chromebook, etc).
|
| Apple already supports Keychain sync with Edge on Windows and
| I believe that already supports Passkey access.
|
| Also, I believe I heard rumor that "Sign in with Apple"
| (their existing OpenID Connect account system) will also
| eventually support helping you enroll non-Apple devices to
| Passkeys in apps that support both Passkeys and "Sign in with
| Apple", though I don't know if there is yet a timeframe on
| that sort of support.
| medstrom wrote:
| From my loose skim, this seems to be more for UX than anything
| else: no-clicks account creation and no-clicks login, but
| there's still account creation and login happening, presumably
| with a key provided by Bitwarden. But websites can start
| removing the login prompt as an entity to be interacted with.
| rgrmrts wrote:
| A new private-public key pair is generated, the public key is
| your user identifier (sort of), and the private key is stored
| on your device (browser or phone). You're logging in by proving
| you have the private key for the associated public key. I think
| the device may also be storing a mapping from key to service or
| something? Not sure.
|
| Please correct me if I'm wrong on any of this.
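The flow rgrmrts describes above, sketched in Go as an added example that is not part of the thread or of Bitwarden's or Passwordless.dev's code: the site stores only a public key per user, the device keeps one private key per site, and a login is a signature over a fresh challenge. The type names, the `.invalid` domains and the simplified signed-data layout are assumptions; real WebAuthn also signs a client-data hash, flags and a counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty is the website. It keeps only public keys, one per user, so a
// leaked copy of this store cannot be used to log in anywhere.
type RelyingParty struct {
	ID    string                      // e.g. "example.invalid" (constructed)
	creds map[string]*ecdsa.PublicKey // user -> enrolled public key
}

// Authenticator is the device (phone, security key, or a password manager acting as one): one private key per site, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh P-256 key pair scoped to rp; the site gets only the public half.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	if rp.creds == nil {
		rp.creds = map[string]*ecdsa.PublicKey{}
	}
	a[rp.ID] = priv
	rp.creds[user] = &priv.PublicKey
	return nil
}

// signedData mirrors WebAuthn's shape (hash of rpID, then the server's
// challenge), binding an assertion to one site and one login attempt.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], challenge...))
	return d[:]
}

// Assert answers a login challenge; ok is false when nothing was ever enrolled for rpID, which is what a lookalike domain gets.
func (a Authenticator) Assert(rpID string, challenge []byte) (sig []byte, ok bool) {
	priv, enrolled := a[rpID]
	if !enrolled {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
	return sig, err == nil
}

// Verify proves possession of the private key; no reusable secret crosses the wire, and the challenge must be fresh per login.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, found := rp.creds[user]
	return found && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}
```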
___________________________________________________________________
(page generated 2023-01-18 23:00 UTC)