[HN Gopher] Bitwarden Acquires Passwordless.dev | Author : xxkylexx | Score : 392 points | Date : 2023-01-18 15:11 UTC | Link : bitwarden.com | ohCh6zos wrote: | I'm highly skeptical of Passkeys/Webauthn as it would seem to not | have the same legal protections that a password has in the US. | Maybe this is me becoming a conspiracy theorist. | qzx_pierri wrote: | I'm in the same boat. Using Passkeys gives the user less | control. The last thing I need is another layer of complexity | when dealing with credentials. This seems like a solution | created for people too lazy to generate and track secure | secrets (using a password manager). | | It also seems like a way companies like Google would lock | people into their browser. | 9dev wrote: | Well, passkeys come with another very interesting property: | they make it entirely useless to obtain the database of user | credentials from services. It only contains public keys | specific to a single service, so you cannot use them anywhere | else. Additionally, private keys are stored on secure storage | in client devices (or need to be decrypted themselves using a | second factor), so there's pretty much 0% risk of mass | credential leakage. | secabeen wrote: | > they make it entirely useless to obtain the database of | user credentials from services. It only contains public | keys specific to a single service, so you cannot use them | anywhere else. | | This is also the case for anyone using unique passwords per | site, which is the standard for password vault users. Not | much of a win there. | | > Additionally, private keys are stored on secure storage | in client devices (or need to be decrypted themselves using | a second factor) | | Also exactly the same as password vaults, but we still | stress about Lastpass losing their encrypted vault DB. 
| | I agree that Passkeys appear to bring the benefits of | Password Vaults to people not currently using them in a | fairly easy way. However, I worry about access to those | passkeys when access to the Passkey provider is | lost/revoked. | 9dev wrote: | No, you misunderstood me. Passkeys remove the _incentive_ | to attack auth infrastructure in the first place, because | a database of WebAuthn credentials isn't useful _to | criminals_ compared to a database full of password | hashes. This isn't about the handful of tech-savvy users | who know how to protect their privacy anyway, but all the | others which constantly reuse their insecure passwords | and won't use password managers. | tmerc wrote: | This is conspiracy theorist talk until it isn't and that date | will be not long after this is more commonly used. (I think | this is a rational concern, btw) | | The current legal climate is mixed but we have court cases that | claim biometrics are not covered by the 4th and 5th. We also | have the opposite. The reasoning being that producing | biometrics is not testimonial. Until decided by the Supreme | Court, I'll assume that anything that can be produced without | my mind is not covered and that includes this. | | I am not a lawyer and this is not legal advice. | tr33house wrote: | I like where passwordless.dev is going. However, I don't think | I'd like to build a business on top of that. Is there a similar | implementation that's open-source that doesn't depend on a third | party? | jlundberg wrote: | The core technology behind passwordless.dev is actually open | source. | | https://github.com/passwordless-lib/fido2-net-lib | jaywalk wrote: | You can do all of it yourself, it's all based on open | standards. Their value proposition is that by paying them, you | don't have to DIY. | judge2020 wrote: | This seems a bit odd to me - is setting up WebAuthn in your main | backend so hard that an external service like this for validating | credentials is required? 
| 9dev wrote: | I recently implemented WebAuthn for a toy project, and while it | took a bit to wrap my head around the details, it's fairly | straightforward if you know the problem domain a bit. | | I'd say we're going to see polished libraries soon that will | abstract all the details away, but services like this may help | less experienced developers to quickly get secure auth working. | cormacrelf wrote: | Quoting the docs: it's "WebAuthn - without reading the w3c | spec". So apparently yes. It does seem very silly that this has | to be a third party service instead of open source code you | just plug in to Rails or whatever. I guess they had to find | some way to get paid for all the expertise they accumulated. | Stuff running on external servers is the way tech companies as | a whole have decided to remunerate work like that, and now | everything looks like a nail. I note that since logging in is | such a crucial part of online business, running consulting | around open source software would appear to be a good model. | That's what the people behind the C# OAuth2/OpenID code known | as IdentityServer do. | Jerrrry wrote: | Your passwords shouldn't leave your device. | | Chrome's password manager is pushing it. | | Everything else should be considered malware. | | I don't understand how such a 'techy' crowd here on HN can be so | belligerent with this security vs convenience trade off. | | KeePass locally, gmail yourself an encrypted backup. That's it. | FFS. | eli wrote: | How is "gmail yourself an encrypted backup" fine but "store a | copy of the encrypted vault in a cloud service designed for | this purpose" not? | Accacin wrote: | I'm surprised someone as techy as the parent even uses Google | if I'm honest. | ffstroll wrote: | One is an encrypted blob in the cloud, the other is an | encrypted file in your email in the cloud. That's it. FFS. | RockRobotRock wrote: | You don't know what you're talking about. 
| thesh4d0w wrote: | If the key to decrypt the vault never leaves your device, then | the security implications are minimal. Well worth the | convenience in my eyes, and many others apparently. | advisedwang wrote: | This push is because there's a lot of people using weak, reused | passwords out there, who are not willing (or capable in cases) | of self-managing a password manager. For the people in my | life in this position, I would much rather them use lastpass or | bitwarden or _anything_ over continuing their current practice. | The risk of a lost password from one of those services is much | lower than of them getting hit by password stuffing or getting | a password brute-forced. | | For a technical person I would advise a better solution, but | the reason these solutions are being pushed is for widespread | adoption of better password practices. | probabletrain wrote: | Keeping your passwords on your device (and also in Gmail?) | might work for you, but a password store that I can't | conveniently access from both my computer and phone isn't | useful to me, and I suspect, many others. | xwowsersx wrote: | Could someone clarify what the relationship between passkeys and | WebAuthn is? Is it that Passkey is the Apple, Google, Microsoft | _implementation_ (commercialization?) of WebAuthn? If so, does it | add anything on top of WebAuthn that makes it differ in some | fundamental way? Also, are passkeys how WebAuthn is most commonly | actually used in practice? Apologies for the noob questions. | arianvanp wrote: | it's just WebAuthn with an easier to understand name. | | However passkeys depends on a yet to be published standard for | QR codes + bluetooth + websockets for doing WebAuthn from a | second device. But that is planned to be published soon. | candiddevmike wrote: | Just recently tried to add WebAuthn to an app and was shocked | at how complicated the spec is and how quirky the | implementation ends up being. 
The biggest thing I couldn't | easily figure out is how to use it properly. It seems like | hybrid auth with your phone or FIDO gives you sign in, and | local could be used for sessions? It's hard to make heads or | tails from it. | | The developer UX was also pretty bad, ArrayBuffers were a poor | design choice for passing around what ultimately becomes | JSON. | arianvanp wrote: | Webauthn L4 standardises on JSON serialisation luckily. | | Yes the spec is horribly complex unfortunately. | | In my own project I send the assertion and attestation as | multipart/form-data. Which means I can just directly send | the ArrayBuffers over the wire. |
|     // Declaration merge so TypeScript knows about the added method.
|     interface PublicKeyCredential {
|       toFormData(): FormData
|     }
|
|     // Serialise a PublicKeyCredential as multipart/form-data so the raw
|     // ArrayBuffers travel as binary parts instead of being base64-encoded.
|     // Note: PublicKeyCredential.type is always 'public-key'; the ceremony is
|     // told apart by the response class, not by the 'webauthn.get' /
|     // 'webauthn.create' strings (those live inside clientDataJSON).
|     PublicKeyCredential.prototype.toFormData = function (this: PublicKeyCredential): FormData {
|       const formData = new FormData()
|       formData.append('type', this.type)
|       formData.append('id', this.id)
|       formData.append('rawId', new Blob([this.rawId]))
|       // clientDataJSON is present for both ceremonies
|       formData.append('response.clientDataJSON', new Blob([this.response.clientDataJSON]))
|       if (this.response instanceof AuthenticatorAssertionResponse) {
|         // navigator.credentials.get(): authentication ceremony
|         formData.append('response.authenticatorData', new Blob([this.response.authenticatorData]))
|         formData.append('response.signature', new Blob([this.response.signature]))
|         if (this.response.userHandle) {
|           formData.append('response.userHandle', new Blob([this.response.userHandle]))
|         }
|       } else if (this.response instanceof AuthenticatorAttestationResponse) {
|         // navigator.credentials.create(): registration ceremony
|         formData.append('response.attestationObject', new Blob([this.response.attestationObject]))
|       } else {
|         throw new Error('Unknown response type')
|       }
|       return formData
|     }
|
|     // Shape of the challenge object assumed from the usage in this snippet.
|     interface Challenge {
|       location: string
|     }
|
|     async function solveChallenge(challenge: Challenge, credential: PublicKeyCredential): Promise<void> {
|       const formData = credential.toFormData()
|       // Do not set Content-Type by hand: the browser adds it, including the
|       // multipart boundary, when the body is a FormData.
|       await fetch(challenge.location, { method: 'POST', body: formData })
|     }
| PassageNick wrote: | Yeah, it is non-trivial to implement, but not impossible. | Some folks go that route. | | There are SaaS solutions that implement it for you and make | it easy to include in your app. | 0xCMP wrote: | Passkeys is the "normal" name for a FIDO2/WebAuthn credential | that basically lives within a phone or password manager. It | does add a few things. Namely the ability to store many | passkeys per device per app/site, the ability to sync those | passkeys (e.g. via iCloud or similar), and the ability to use | QR codes and Bluetooth to do a local-only authentication on a | device which doesn't have the passkey (which is what often | requires some proprietary implementation). | | [Edit]: An important feature of "Passkeys" is that browsers and | operating systems have a special API that allows an app to pre- | start a sign in with a known user/email/etc. which if there is | a passkey for that user it'll automatically start the FaceID or | similar confirmation process. Which Passkeys are checked is | controlled by the OS/Password Manager which checks which | website is asking and what username it's checking. This is just | to make it so it seamlessly logs you in. It does a fall-back to | just asking what your user is which is the initial workflow. | | This[0] is a good podcast to listen to with Adam Langley from | Google about how Chrome supports Passkeys and why they're a | good thing. It includes the details of how/where/why there are | some proprietary bits needed to implement "Passkeys". | | [0]: | https://securitycryptographywhatever.buzzsprout.com/1822302/... | | FIDO Alliance Press Release https://fidoalliance.org/apple- | google-and-microsoft-commit-t... | | Chromium Blog on Passkey support (Dec 8, 22) | https://blog.chromium.org/2022/12/introducing-passkeys-in-ch... | xwowsersx wrote: | Thanks for the info and for the podcast link. Going to give | that a listen. 
| PassageNick wrote: | (Full disclosure: I work at https://passage.id) | | WebAuthn is the short name for the "FIDO Alliance Web | Authentication Protocol". | | "Passkey" is the trade name (that Apple tries to own) for the | "stuff" that results from using the WebAuthn protocol. At its | root, a passkey is really the private key portion of that | "stuff" that is kept. So yes, in practice, a passkey is the | result of a WebAuthn implementation. | | MS, Apple, and Google don't implement WebAuthn. Companies like | mine do. Each website out there that wants to use passkeys | needs to employ WebAuthn, whether via build or buy. What the | "Big Three" do is leverage their OS's and platforms to enable | the storage and migration of passkeys within their eco-system. | WebAuthn is implemented in their browsers, and they enable the | use of passkeys (which websites make happen via implementing | WebAuthn). | | One thing to note is that the Big Three also make a small | adjustment to the WebAuthn protocol to allow passkeys to be shared | inside their cloud infrastructure. This ever so slightly | reduces the security of passkeys (which start out as very, very | many orders of magnitude more secure than passwords). | | You can read about Passkeys here: | https://passage.id/post/a-look-at-passkeys | | More on WebAuthn: https://passage.id/post/what-is-webauth | xwowsersx wrote: | Thanks. | | > What the "Big Three" do is leverage their OS's and | platforms to enable the storage and migration of passkeys | within their eco-system. WebAuthn is implemented in their | browsers, and they enable the use of passkeys (which websites | make happen via implementing WebAuthn). | | That was really helpful, I think that was the bit I was | missing. | TacticalCoder wrote: | Do old Yubikeys and similar U2F devices, which do still work | for webauthn, still work for sites that are going to require a | "passkey"? | | Or are MS+Google+Apple doing an "embrace, extend and | extinguish" on webauthn? 
| | Are the "small adjustments that ever so slightly reduce the | security" sufficient to effectively kick security key | hardware vendors out of the game? | PassageNick wrote: | Re: Yubikey -- I confess I don't know. The folks in | r/yubikey definitely will, though. | | The "Big Three" are on the FIDO board, along with | 1Password. They can't really do the extinguish thing, and | it really isn't in their interest to do so. | | And no, the small tweaks don't kick anyone out of the game. | | There will be other, perhaps more trusted, companies that | you can use to move your passkeys around between eco- | systems. | secabeen wrote: | Are Passkeys exportable and re-importable by another service, | site, or system? | | I am strongly opposed to any authentication system that makes | my authorization workflow for unrelated third-party sites | dependent on any company whose terms of service allow them to | suspend or terminate my use without reasonable recourse or | recovery. | | Passwords have problems, but I can print them out on a piece | of paper in a fire safe. | PassageNick wrote: | You own your own passkeys on your own device, ultimately. | Google/Apple/MS have no ownership or knowledge of the | actual keys. | secabeen wrote: | Okay, can they block access to those keys and/or the | backups of them? Assume that my account is terminated or | that it's compromised to the degree that I cannot re- | claim access to it. Can I move those keys to my new | device/system without the cooperation of Google/Apple/MS? | echeese wrote: | I don't think Apple is trying to own the name passkey. Quote | from this video: | https://developer.apple.com/videos/play/wwdc2022/10092/ | | > Here are some guidelines for how to refer to passkeys in | your apps and websites. "Passkey" is a generic, user-visible | term. This video focuses on Apple's implementation, but as | I've just shown you, other major platforms have already | started building their own support for passkeys. 
"Passkey" is | also a common noun, like "password." In English, this means | it's lowercase and gets pluralized like "password" would. I | have a passkey for my account, and I can go to Settings to | view all of my accounts with passkeys. | PassageNick wrote: | Fair enough. | jlundberg wrote: | Passkeys is what Apple decided to call their implementation and | the benefits are within their ecosystem, such as storing these | in your Keychain to be used on multiple devices. | | This page is a good starter: | | https://developer.apple.com/passkeys/ | xwowsersx wrote: | Ah thanks, I kept ending up on Google's pages. I don't search | good:P | TacticalCoder wrote: | Can't help much but originally webauthn came from Fido2 and old | Fido devices, like old yubikeys, which only supported U2F, were | de facto compatible with webauthn (as in: webauthn was only an | upgrade server side). | | Now Google killed U2F in Chrome (and hence Chromium etc.) but | you can migrate your webserver to use webauthn instead of U2F | and your users' old U2F keys shall keep working. | | For the "new" webauthn, called passkeys, which is a modified | webauthn: I've got no clue. | | It's not clear to me if old hardware security keys shall keep | working or if we'll all be forced to use software keys | protected by Google/Apple/Microsoft. | judge2020 wrote: | Passkeys are effectively software security keys, stored in | whatever keychain you're using (Chrome or iCloud Keychain or | otherwise); for the major implementations you're hearing about, | the goal of their implementation is improving the UX by syncing | your passkeys between devices, so as long as you can access | your passkey keychain, you won't have to worry about losing | your security key for that website. 
| | As for how "passwordless" plays into this, Passkeys are | _generally_ better than passwords simply because it's PGP | instead of a shared secret you send to the website, so even if | a website is compromised, there's effectively 0 way the | compromised database will enable password stuffing attacks on | other websites. | | Another cool thing is QR codes via caBLE (cloud assisted BLE), | you can scan a QR code on a browser (on a bluetooth-enabled | computer) to have your phone connect to that computer and | present its passkey to the computer, without needing to | actually plug in your device to the computer. This is not | strictly a passkey thing, it just aids in making them usable. | antihero wrote: | It's cool but until Apple lets Firefox use said keychain I'm | not going to use it. | toomuchtodo wrote: | Most people will though, because they're either in the | Android or Apple ecosystems. | Ajedi32 wrote: | Not sure if this is new information or not, but this post | mentions that Bitwarden is planning to support passkeys starting | in 2023. | | That's great, since AFAIK all existing passkey implementations | are tied to a specific browser or OS, and have no way to export | the keys, which isn't great for a program designed to own the | keys to your digital life. I'm hopeful Bitwarden will solve that | problem, and that their example will encourage other popular | password managers to do the same. | | (...or at least, I _think_ "passkey support" means they plan to | support storing passkeys in Bitwarden itself. I hope it doesn't | just mean they want to let you use a passkey to log in to | Bitwarden. That'd be really disappointing, and probably a poor | choice strategically given that passkeys aim to eventually render | traditional password managers obsolete.) 
| cmdli wrote: | Shameless plug to my own passkey manager, which is 100% open | source: https://bulwark.id | | One of the big challenges to passkeys right now is that they | aren't as versatile as passwords, but this doesn't have to be | the case. Passkeys should be able to be exported and stored | anywhere you want (ideally in an open source solution). Bulwark | Passkey supports that right now, but I'm glad that other | products are also providing solutions to users for the same | problem. | noahtallen wrote: | 1Password is also working on it: | https://www.future.1password.com/passkeys/ | | It's shaping up to be a cool year for password management! | badrabbit wrote: | Passwordless as a concept needs to die along with biometric auth. | | You have really good newer methods of auth. Instead of selling | them as good MFA alternatives security vendors decided to replace | passwords because that differentiates them more. But in reality, | the layer of defense "what you know" should be complemented not | replaced. A reduction in security being sold as a feature is | dishonest and harmful. | jaywalk wrote: | Please explain how this is a reduction in security. | hsdropout wrote: | They are pointing out that while the "something you have" | factor may be stronger than "something you know", multi | factor is still better. I agree. Also, passwords are | decentralized, whereas passwordless puts the power into fewer | hands, so this too reduces complexity for attackers. | | 2FA>1FA | PassageNick wrote: | The threat surface of a password based system is like Lake | Superior. | | The threat surface of a passkey based solution is like a small | puddle after a rain. | | How is there a "reduction" in security here? | badrabbit wrote: | Doesn't work that way. Passwords are inferior but still a | strong layer of defense. You are putting all your eggs in one | basket again. 
The lesson from passwords is that a single | factor of authentication is inherently inferior to multiple | factors of authentication. From a threat actor's perspective, | even a yubikey is a matter of one well planned attack | (physical, compromised host, etc.) and by nature newer factors | of auth don't get treated with hostility like with passwords. | They are better than passwords but what I see is people | moving away from MFA to only a yubikey for example. Like you | are now one lost yubikey away from your whole company getting | owned lol. | jacooper wrote: | I still don't understand how it works. I went into the website | under authenticated using my phones API, where is my account now? | There is nothing in my Bitwarden vault. | g_p wrote: | Passkeys are stored on your platform keychain. In time, | Bitwarden will offer this interface up, so you can sync them | through your Bitwarden vault. | | Currently, if you use an iPhone, you will have the passkey | stored in iCloud keychain. Your "account" is a private key held | within iCloud keychain, along with some metadata mapping that | private key to the site you visited. | jacooper wrote: | Well I use GrapheneOS without a Google Account. It's not | listed under secure keys in the settings or in the browser. | | Anyway this really needs to be exportable, otherwise it's in | the ultimate platform lock. | moneywoes wrote: | Any idea on the multiple? | boringg wrote: | Is this the password wars heating up? I.e. Bitwarden vs | 1Password? | zackify wrote: | I own passwordless.app. I wonder if they will want to buy it from | me now. | temptemptemp111 wrote: | [dead] | ubermonkey wrote: | Yeah, this is not a good sign IMO. | velhartice wrote: | I've been using the keepass ecosystem for years after switching | from 1password. It's open source, highly portable, and you don't | need a degree to set it up. | wurstehans wrote: | Sounds a bit worrisome to me... 
Maybe I'm just overly cautious, | but I guess it's time to look around again. Has anybody checked | out APass yet? https://github.com/balu-/a-pass | seanw444 wrote: | For my personal passwords and general secure info (it can store | notes, files, and TOTP as well), KeePass(XC/DX) has been my | password manager of choice. Nothing leaves your device. If you | want it to, that's considered out-of-scope, and you have to | handle syncing yourself. Whether that be something like | Nextcloud, or my personal favorite: Syncthing. | coffeeri wrote: | Without looking closely at your suggestion, you might want to | look at passage [0] by the creator of age. It's a fork of pass | [1] using age as the backend. | | [0] https://github.com/FiloSottile/passage [1] | https://passwordstore.org | mtgx wrote: | [dead] | AdmiralAsshat wrote: | As a recent convert to Bitwarden from LastPass, I start to get a | bit nervous when I see acquisitions happening. LastPass getting | acquired was the beginning of the end for it, IMO, before | stagnating into criminal negligence. | | Granted this is Bitwarden _acquiring_ rather than being acquired, | but I still worry it leads to a trend of building "portfolio | value" rather than focusing on the product. I sincerely hope I'm | wrong. | gagabity wrote: | Also Bitwarden recently raised 100M from VC so yeah, the clock | is ticking now. | zucked wrote: | I'm happy for the one dev who's been lone rangering as I hope | it means he's finally getting paid, but the pressure is going | to be on to get an ROI. | sph wrote: | It is possible to build a profitable business without | investors or venture capitals, you know. | dahfizz wrote: | Insane radical idea: Businesses can actually make a profit | by having income higher than expenses. You can pay yourself | that way. | sirsinsalot wrote: | What does "make a profit" mean? Is that the money from | IPO? Or money laundering? Idgi | alex_suzuki wrote: | Heresy! 
| mfer wrote: | If he was not being paid before it means he had not built a | sustainable business. That means changes will need to come | in the future to do that. | | If he had a sustainable business and took the VC funding it | means he has grander ambitions. That will mean change as | well. | | No matter how you look at it there will be change coming. | Fueled by people who want a return on their investment. | agrippanux wrote: | Doesn't necessarily mean change will come to the current | offering; acquisitions can happen because new or | enhancing existing product lines (like enterprise) are in | the future. | sngz wrote: | was considering switching, guess I'll stick to keepass | cpsns wrote: | > Bitwarden recently raised 100M from VC | | I wasn't aware of this, but I'm glad I am now. If that's the | case it's time to look elsewhere or self host, VC funds and | acquisitions are rarely good for users so I'll assume the | worst. | ssgodderidge wrote: | My guess is they will follow 1Password and have more | strategies to monetize users. I wonder what the difference | between the two services will be at the end of the day. | princevegeta89 wrote: | 1Password in my experience was the biggest scum of bait | and switch I ever faced. They used to do "lifetime" | licenses which I bought into, but wouldn't support it | beyond one year of release and stop giving me updates. | Later, they invested heavily into the cloud side of | things, and brought in confusing subscription-based | pricing which made it expensive and difficult to | understand. All they're doing as of now is trying to | increase prices and tear into your pockets. | | With BW I have never expected the same and I am still | hopeful on giving them the benefit of doubt. | roustem wrote: | 1Password NEVER had lifetime licenses. We made this | decision since day one because we had a product before | that died because it was a "lifetime" purchase. 
The | 1Password license is valid for the major version of the | app. The license purchased would still work with that | version today. If you look at the release history of | 1Password apps -- every version had a ton of updates made | long after the app was no longer on sale. For example, | 1Password 7 was updated just a month ago: https://app- | updates.agilebits.com/product_history/OPM7 | | The licenses are also confusing -- people had to purchase | apps separately for every platform: macOS, Windows, iOS, | Android. And then they had to purchase upgrades | separately as well. | mbesto wrote: | > VC funds and acquisitions are rarely good for users | | Where does this sentiment come from? I know very few | applications I use that are VC funded or haven't gone | through acquisitions... | Dalewyn wrote: | The notion that all software must be provided free of | charge and that making any profit is a cardinal sin. | lotsofpulp wrote: | Or it could be that the probability of having to do anti | user things to earn an ROI for a $100M investment into a | password manager is too high. | | $100M to develop a new processor or phone or vaccine or | search engine or social network that delivers video to | everyone worldwide is different than $100M to a password | manager or other "simpler" project. | wvenable wrote: | No, it's just that growth necessary to satisfy VC | investment is unobtainable so solid products eat | themselves attempting to achieve that growth. | [deleted] | hn_throwaway_99 wrote: | The issue is that there are a large number of | products/companies (I think the vast, vast majority) | whose addressable market size isn't that big, but when | they take VC money they do all types of unnatural things | to try to grow instead of focusing on the couple things | they were really good at. Couple cases in point: | | 1. Totally agree with the comments that VC funding | absolutely killed LastPass. | | 2. Twitter is probably another good example. 
Twitter was | a really large business, but they were constantly | wringing their hands about what they could do to get as | big as Facebook or Instagram. What if the answer was | always just "No, you'll never be that big, just don't | even try". So instead of improving their core bread-and- | butter (and fine, easy to argue they didn't even do that | super well), they wasted a ton trying to get users who | were never going to use Twitter in the first place. | | 3. Very closely related to this idea about "When large | sums of money become toxic", the private equity | consolidation in US health care is another ongoing | disaster. PE comes in with the promise of "streamlining | operations", but instead they are just vampires, cutting | stuff to the bone so that the health care system isn't | able to respond to spikes in demand (e.g. Covid): | https://www.statnews.com/2022/12/14/moodys-private- | equity-he... | mbesto wrote: | Ya, but can you name any products where this is the | opposite? Meaning, how many products do you use that | _aren't_ VC backed? | hn_throwaway_99 wrote: | craigslist famously rejected taking outside money for | years. | | But more importantly, I don't think VC or VC money is | always bad, but I get _extremely_ wary when a relatively | small company gets a shitload of money that they'll then | be forced to grow into a way that means they'll lose | focus on their core product. | | I remember when I told a friend of mine that Postman | raised nearly _half a billion dollars_ in total funding, | and his jaw dropped "You mean that browser plugin that | allows you to make REST calls???" And sure enough, | postman got filled with more and more "enterprise-y | uselessness" to the point that I just stopped using it. | mbesto wrote: | > but I get extremely wary when a relatively small | company gets a shitload of money that they'll then be | forced to grow into a way that means they'll lose focus | on their core product. | | Irrationally so. 
That's my point. There isn't a strong | indicator that correlates to a company being a craigslist | vs a company being a Postman. The median is somewhere in | between and it's not as dire as you pose it to be. | bsg75 wrote: | It comes from a concern that VC backed investments demand | a constant level of revenue growth, causing a company to | add features or integrations that do not improve the base | product. Organic growth is usually insufficient for | stockholders, whose demands become a priority over | stakeholders. | | If the user base does not increase at some rate | determined by the investor, then growth comes in the form | of advertising, partnerships, or similar that negatively | affect the _product_ existing customers signed up for. | orhmeh09 wrote: | This does not stem from VC but from the "C" itself - | capital. In order to function in capitalism, production | must facilitate the creation of surplus value that can | then be appropriated. Over time, with the tendency of the | rate of profit to fall and with inflation of prices, you | will see a race to the bottom. | afavour wrote: | They did? Oh JFC I just switched from 1Password to avoid | using a VC backed service. At least there's always | Vaultwarden, now all I need is a service I can pay to host an | instance for me. ...and to not take VC funding. | | https://github.com/dani-garcia/vaultwarden | | Though I fear it's only a matter of time before the VC gods | demand the client apps remove compatibility and they have to | be forked too. | mfer wrote: | Not to totally burst your bubble but 1Password took funding | a few years ago [1]. I say this as a 1Password user. | | [1] https://www.wsj.com/articles/password- | manager-1password-rais... | afavour wrote: | Oh I know, I switched _from_ 1Password to Bitwarden for | exactly that reason. | jorvi wrote: | I switched from 1Password to Bitwarden, imported my vault, | and then realized that their client doesn't even support | drag 'n drop. 
|
| I've been wanting to switch from 1Password to Bitwarden for
| years, but each year I try it I'm just flummoxed by how
| atrociously behind the UX / UI still is.
|
| Unless you (or whoever you're getting to switch) are an
| absolute open source absolutist: do yourself a favor and go
| for 1Password.
| afavour wrote:
| I did try to switch a year or so ago and got really
| frustrated. Tried again a week ago and Bitwarden does
| seem a little better. It helps that it feels like
| 1Password's app has been getting more bloated over time
| (though I have no data to support that assertion).
| roustem wrote:
| 1Password certainly added a ton of new features recently
| :)
|
| Did you check 1Password developer tools, like SSH-agent
| server, git commit signing, and CLI?
| https://developer.1password.com/
|
| Or the new item and file sharing.
| https://support.1password.com/share-items/
| miked85 wrote:
| I refuse to use a cloud-based password manager, they will
| all be hacked eventually. I will continue to use and pay
| for the standalone 1Password as long as possible, and
| then be forced to self-host vaultwarden.
| afavour wrote:
| I have no interest in those things, they're good examples
| of what I _don't_ want in my password manager.
|
| Sorry, I don't mean to sound like an ass, they look like
| very well put together features. They just remind me of
| when Dropbox decided to start offering document editing.
| Not what I go there for.
| roustem wrote:
| Fair enough, everyone has their own requirements. I'd
| argue that all modern operating systems have password
| management already built-in.
|
| We have a lot of 1Password customers with families and
| team members that require more than a single vault, need
| an option to recover team/family member access and often
| have to securely share data with other people,
| accountants and lawyers. Also, many developers and
| admins that want to keep their SSH keys safe.
| panzi wrote:
| Bitwarden is the first password manager I ever used.
| Where would it use drag and drop and for what? I wish it
| would be better controllable via keyboard only. That is,
| when you use the Firefox add-on and tab out of the
| Bitwarden popup and tab back in again it remembers the
| focus on e.g. the copy password button, you just have to
| hit space again and tab back to the terminal window where
| you need to use the password. But Brave doesn't remember
| the focus so annoyingly I have to grab the mouse.
| selykg wrote:
| In 1Password there's at least a half dozen ways that drag
| and drop could be used:
|
| - Drag a password into a password field
|
| - Drag an attachment from Finder/Explorer into an item
|
| - Drag an item from vault to vault (or collection in
| Bitwarden parlance)
|
| - Drag an item into a tag or folder to add that item to
| the folder, or add that tag to the item
|
| - Drag an app to the 1Password icon to create a software
| license item with the icon of the app as well as name
|
| There are also drag and drop functions, some similar to
| above, on iOS as well.
|
| Bitwarden is... and I agree with the grandparent here,
| awful from a UX angle, compared to 1Password. It's
| certainly functional, but that's about where it ends for
| me.
| dddw wrote:
| You must be on Mac, because my 1PW experience is horrible
| on Linux. Editing a password in the browser extension opens
| a new tab in which I have to log in all over again. Ugh.
| Bitwarden at least doesn't do that. Drag and drop? Nope.
| selykg wrote:
| Technically it does the same thing on Mac, it opens the
| Mac app. But on a Mac there's universal unlock, so if you
| have the extension unlocked, the app will unlock, so it
| opens the item you want to edit in edit mode.
|
| If you don't have the app installed it opens the website
| in a tab to sign in and edit.
| sph wrote:
| Ah for fuck's sake. It keeps happening to all the software I
| love.
| I guess I'll have to stop relying on convenience (I was
| a 1Password user years ago) and go 100% open-source. None of
| the libre offerings seem to be as convenient and polished,
| but at least they're not in some VC's pocket ready to
| squeeze as much profit as possible out of my paid membership.
|
| What's a good OSS alternative that works with iOS and Linux?
| Anything that's audited? (perhaps that's asking for too much)
| kdmccormick wrote:
| If a simple git-based CLI solution is appealing to you,
| then try https://www.passwordstore.org/. I wouldn't
| recommend it to someone non-technical, but personally, I've
| never looked back.
|
| There are iOS and Android clients, too. Not especially
| polished, but they do the job.
| jmcphers wrote:
| Love passwordstore, been using it for almost 6 years with
| zero issues while watching my friends run frantically
| from one compromised or greedy password manager to
| another.
| Y_Y wrote:
| I haven't seen, but would love to, a tech startup that is
| guaranteed not to sell out. I don't mean a promise from the
| founder on a blog, but a legal structure. I'm not sure
| what form this would take or if it's such anathema that it
| could never be but it would be great to see.
|
| I'm sure I'm not the only one who's tired of the bait-and-switch
| of companies who are all about freedom until they
| get acquired by a giant and then start hastily walling
| their garden.
| aaronax wrote:
| Cooperative
|
| Customers are members/owners.
|
| Examples: Tessitura, NISC
| Y_Y wrote:
| Someone posted this list of such co-ops recently:
| https://tech-coops.xyz/
|
| Is it true that they couldn't sell out though? I imagine
| if the buyer offered a pile of money then the majority of
| the owner-workers would go for it, even at the expense of
| the users.
| lumb63 wrote:
| I use KeePass. It's up to you to sync passwords and they're
| stored locally. I see those as features despite that
| they're inconvenient.
| noirscape wrote:
| Another advantage to KeePass is that there's about half a
| million clients and most are actually written to be used
| for their platforms.
|
| Lots of more "modern" password managers (as well as
| generally other software) kinda suffer from having this
| weird mixed mobile and desktop interface, inheriting all
| the downsides of each interface while gaining the
| advantages of neither. (Not to mention all the issues
| with porting stuff between two different OSes; Mac and
| Windows have completely different ideas on what an
| interface should look like.)
|
| KeePass's official client being Windows-only is a
| blessing in disguise since it means that each client
| developer can specifically focus on making it look good
| on whatever specific platform they're targeting.
| qwerpy wrote:
| I use cloud storage to store the kdbx file and sync it
| across a PC and my phone. It's pretty awesome 99% of the
| time and just works. Once in a while you get a merge
| conflict and it's not so good.
| lcnPylGDnU4H9OF wrote:
| Even merge conflicts have been a lot better for me in
| recent years. My only worry with KeePass is that I have
| to rely on potentially sketchy client applications but
| I'm also fortunate enough to have the skills to make my
| own if I really felt the need. It's one of the few "not-my-solution"
| pieces of software which continually gives
| me a sense of data ownership.
| lumb63 wrote:
| I run an SSH server on my laptop and SFTP it to my phone
| via Strongbox when I'm local.
| jimt1234 wrote:
| I love Bitwarden. I've been a customer for years. Great
| product. Great team. However, I recently quit for this
| exact reason (evil VC influence), and migrated all of my
| secrets to KeePass. Yes, a slight inconvenience to
| manually sync across devices, but I sleep better at night
| knowing my secrets are no longer in the hands of some VC
| suit.
| trinsic2 wrote:
| Yeah, the very reason I'll stick with keepass.
| worble wrote:
| KeepassXC has served me well for many years, synced via my
| Nextcloud but could just as easily use dropbox or icloud,
| or even syncthing.
| lotsofpulp wrote:
| I use KeepassXC and Strongbox.
| forsakenharmony wrote:
| syncthing works really well imo, can also tell it to keep
| 3 versions as a backup
| vetinari wrote:
| I had conflicts that needed manual intervention too
| often. It is not something that most users would put up
| with.
| kornhole wrote:
| Yes KeepassXC is great. Nextcloud passwords is actively
| developed and looking good except for the Linux app
| failing on Arch.
| 5e92cb50239222b wrote:
| Upvote for keepassxc. I've been using it and its
| predecessor with the same database file for something
| like 15 years and have seen many of these services come
| and go in the meantime. It will outlive Bitwarden for
| sure.
| weaksauce wrote:
| bitwarden is open source. you can self host. the apps in the
| store are compatible with the self hosted options, just
| change the url to your server. you can also fork any of the
| projects and build it yourself if you don't trust them.
| yoavm wrote:
| As mentioned in other comments, BitWarden has both OSS
| client and server implementations. You can keep using it
| and if something goes wrong (or earlier, if you wish) you
| can always run it yourself.
| dcow wrote:
| In your opinion, what would the ideal password management
| business model be? A non-profit like Signal? (Not
| rhetorical, actually curious what people want here.)
|
| As a thought experiment, let's say there are 1000 people
| who get annoyed when a software product they use takes VC
| funding. For those 1000 people to sustain a software
| product with a team of 5 for 10 years at 150k average per
| head, you'd need 7.5MM dollars just to break even. That's
| $7,500 per user, or $750 per year. I doubt many people
| would be willing to pay that just to have a product that
| never takes VC funding.
|
| And note that's just to cover labor costs. If you want it
| audited, that's a solid 25k per audit. Operating costs for
| website and infrastructure, etc. Now if the product was
| exceptional and beat out other products in the space and
| generally had a slice of the pie, the number of users would
| increase and per user cost would decrease. But also doing
| as much with a team of 5 is no small feat.
| aceazzameen wrote:
| I'm not sure if there is a good business model in
| password management. I can't answer that question. What I
| do know is, a good password manager is the type of
| software that should strive to be feature complete. And
| at that point resources should be used for maintenance,
| security, and software/OS compatibility updates. In other
| words, a low-if-any growth, but profitable business
| assuming the software is good.
|
| But once you get into VC funding or acquisitions,
| businesses tend to want to grow and bloat their products
| by adding features no one asked for to increase their
| perceived value. I know I'm tired of seeing this happen
| to beloved software time and time again.
| dcow wrote:
| Perhaps then software utilities are better suited for a
| crowdfunding model?
| vanilla_nut wrote:
| Non-profit like Signal that sells cloud hosting to pay
| the bills, standard protocol with self-hosting option for
| the server like email/browsers agreed upon decades ago,
| anyone can create an interoperable desktop/browser/mobile
| client. Fully encrypted such that even the non-profit
| doesn't have the decryption keys.
|
| That being said: it's unclear if _anyone_ really
| understands how to build an open source product with
| cloud hosting covering the bills. Almost everyone either
| makes a deal with the devil (VC funding) or upsells too
| aggressively anyway.
|
| Cloud storage and CPU usage is basically negligible per-user
| for a password manager.
| I imagine you could service
| hundreds of millions of users on just a couple of capable
| machines, similar to HN's setup. Even with hundreds of
| passwords, most users total mere MBs of usage -- it's
| even simpler than email! I think this is one of the rare
| cases where corporate users can pay for big accounts with
| special sharing features and completely subsidize a free
| product for individual users. Or you could charge
| individual users $5 a year to cover cloud costs (more
| than enough), with self-hosting as an option for highly
| technical users to save a buck.
| franga2000 wrote:
| > sells cloud hosting to pay the bills, standard protocol
| with self-hosting option for the server like
| email/browsers agreed upon decades ago, anyone can create
| an interoperable desktop/browser/mobile client. Fully
| encrypted such that even the non-profit doesn't have the
| decryption keys
|
| All of those are true of Bitwarden, except for the non-profit
| part...
|
| > Or you could charge individual users $5 a year to cover
| cloud costs
|
| And who pays for the development?? Bitwarden already
| charges only 10EUR/year, so they're basically doing
| exactly what you're proposing, but paying for development
| with VC money.
|
| Even if servers were literally free (they're far from
| it!), do you have any idea how many users they'd need to
| cover just the minimal amount of developers, one business
| person and either an in-house or external security
| auditor? And who would pay for all of that during the
| time it took them to build up that user base??
|
| I hate the VC culture as much as the next guy, but unless
| the founder is already crazy rich, you need external
| capital to start up any decently large company - or even
| a non-profit.
| crossroadsguy wrote:
| I have accepted that one has to keep moving around.
| Password manager, backup software, it goes on.
|
| Right now I am hunting for a non-subscription note taking
| setup that will replace SimpleNote.
|
| So I'll move to the next option from BW, just like I moved
| to it from LP.
| ok_dad wrote:
| > Ah for fuck's sake.
|
| I agree, and I wish we had more power in these things than
| just forking. Now that I know Bitwarden took VC money, I'm
| also fucking out of this mess, and here I was about to
| renew for the 5th year in a row.
|
| Fuck VCs, they ruin everything good. Can I say that here?
| It's true.
| karaterobot wrote:
| You can definitely say that here. To me the problem isn't
| exactly VCs, it's the expectation of rapid, open-ended
| growth that ruins good products and companies. Of course,
| the driver for that is often VCs, but it can come from
| other places too.
| secabeen wrote:
| The entire finance industry has a disdain for "lifestyle
| businesses", that just generate enough profits for the
| founders and employees to live on, but will never
| generate an exit beyond that. I get why, but for utility
| products, a solid lifestyle for the employees and a
| useful product for users is enough, and should be enough.
| tunesmith wrote:
| Lifestyle businesses have a big flaw in American culture
| though; our safety net is not enough to make "meets
| expenses" a tenable long-term approach. We basically have
| to aim for a big wad of savings for later in life, which
| incentivizes going for exits and cash-outs.
| TedDoesntTalk wrote:
| VueScan (hamrick.com) is a very good example of a
| successful lifestyle business (first release in 1998).
| The founder and his son work on the product full-time. I
| don't think they have any other staff, but I could be
| wrong.
| nightski wrote:
| Seeing as only a few % of Americans achieve what you are
| saying I don't think it's strictly true. Maybe if you
| want to fatfire or something
| secabeen wrote:
| Perhaps, I would hope that a sustainable lifestyle
| business would be able to pay employees and founders
| enough to build a comfortable retirement nest egg through
| savings, investments, and compound interest.
| fortuna86 wrote:
| This also means creation of billion dollar global
| platforms that Europe and other parts of the world have
| never accomplished. Trade offs.
| ok_dad wrote:
| I feel so happy that we have created "billion dollar
| global platforms" instead of universal healthcare or
| ensuring everyone was sleeping indoors. Woo-hoo!
| jrochkind1 wrote:
| And can be enough if you don't need large quantities of
| investment capital. If you don't _need_ it, but _want_ it
| to get fabulously wealthy... well, "lifestyle business"
| is not the path to that, by definition.
|
| It's almost like the interests of those who want to get
| fabulously wealthy -- whether founders or investors --
| become misaligned with the interests of the users, even
| steeper/faster than when you "just" have a "lifestyle
| business".
| jjeaff wrote:
| The thing is, founders can get fabulously wealthy with a
| lifestyle business or at least very wealthy, but it might
| take longer. But all the established money seeking rent
| parked at VC firms can't get a cut if you don't play ball
| with them.
| jrochkind1 wrote:
| Yeah, wealthy enough if not billionaire, true.
|
| > But all the established money seeking rent parked at VC
| firms can't get a cut if you don't play ball with them.
|
| OK, but why does a founder care about that? Either they
| think their business model can't get them to a
| sustainable lifestyle business without external capital
| investment... or they want to get more-than-lifestyle-business
| wealthy, right?
| sirsinsalot wrote:
| Millions, even tens of millions, for founders isn't
| unheard of at all for small "lifestyle" businesses.
|
| Not VC billions, but fuck you money is certainly doable.
| jrochkind1 wrote:
| I don't know if a couple million is "fuck you" money in
| 2023 (enough to never work again and eventually retire
| while living a fairly luxurious lifestyle?), but point
| taken.
| Liquidor wrote:
| I'm of the opposite opinion in this case.
|
| If someone creates new tech and it fits with Bitwarden then I'm
| more than happy to see what they can do together.
| sschueller wrote:
| Like docker? They made huge profits but docker itself has
| made practically no improvements. It's still using iptables
| when many distros switched to nftables, causing a huge mess,
| and the documentation is still really poor.
| dcow wrote:
| Seems like Bitwarden is successful enough to have the cash to
| make a strategic acquisition. That seems like a good thing for
| users.
| paulryanrogers wrote:
| BitWarden is open source on both ends. So worst case one can
| self host then fork clients. (Server has already been
| reimplemented independently.)
| Macha wrote:
| So too have some clients (e.g. rbw CLI). So just need an
| independent browser extension and then my use of Bitwarden
| does not need Bitwarden LLC (and the browser extension is not
| great, so that's not a high bar)
| cdev_gl wrote:
| This is true, but LastPass proved that by the time the worst
| case occurs it's already too late. A security breach means,
| at minimum, redoing all your passwords, and these sites are a
| very compelling target.
|
| OTOH I wouldn't want to self-host because I know I'm not
| going to spend the same amount of time and effort a full
| security staff would, even if my self-hosted box would make a
| much less attractive target.
|
| It's quite a pickle.
| phyphy wrote:
| I thought a security breach wasn't possible due to zero
| knowledge encryption.
| vorpalhex wrote:
| You have security options self hosting that a big host does
| not.
|
| Want to just encrypt everything on a node with no network
| access? Sure. That doesn't work for a "real" host but that
| is fine if you mostly use your phone and need to just
| occasionally sync your passwords back at home.
|
| You don't need the things that make hosting hard. You can
| have a few hours of downtime. Your password vault is
| gigabytes, not hundreds of terabytes.
| You don't need to arm-guard your backups, just pass them
| (encrypted) to a friend with a safe.
| lewantmontreal wrote:
| Does bitwarden work if the server is offline? I know the
| client works without an internet connection but a server
| outage had an issue earlier last year
| https://news.ycombinator.com/item?id=32782386
| hn_throwaway_99 wrote:
| > A security breach means, at minimum, redoing all your
| passwords
|
| Not necessarily. I wouldn't have felt compelled to redo all
| my passwords if 1Password's encrypted vaults were stolen
| the way LastPass's were, given that 1P's vaults are
| uncrackable with brute force but LastPass's critically
| depend on the entropy of the master password. This was
| discussed recently:
|
| https://news.ycombinator.com/item?id=34359251
| chriscjcj wrote:
| I self-host Vaultwarden. I'm sure someone will be happy to
| explain to me how foolish my implementation is, but I'm
| comfortable with it from a security perspective.
|
| I run it as a Docker instance on my home Synology NAS. This
| turned out to be pretty easy to do. The only part that was
| a slight hassle was buying a cert, creating an FQDN and
| making the DNS entries to get an SSL connection to the NAS.
| Also, I wish updating to a new version of Vaultwarden was a
| little more straightforward.
|
| When I am at home, my devices with Bitwarden all sync to
| the Vaultwarden instance on the NAS without issue.
|
| My router is a Ubiquiti UDMPro. I have an L2TP VPN
| configured with a shared secret and user passwords that are
| ridiculously long and complex. When I'm out and about and
| need to sync with the NAS from my laptop or mobile device,
| I activate the VPN and do the sync.
|
| My Ubiquiti account does have 2FA.
|
| I implemented all this when 1Password informed me that in
| order to continue using their service, my vault would have
| to be hosted on their server and I would have to pay them
| every month for the privilege. That was a nonstarter.
|
| I'm sure my router and NAS are not impenetrable, but I
| don't feel like I'm low-hanging fruit either. And if
| someone went to the trouble of breaking in, their reward
| would be one guy's vault and not the vaults of millions of
| customers. I'm hoping that makes me a less attractive
| target. Of course the vault itself has a very long and
| complex password as well.
|
| This is working out quite well for me so far, knock on
| wood.
| sampling wrote:
| I have a very similar self-hosted Vaultwarden setup, for
| the same reasons.
|
| My other concern, which may be unfounded, is that
| Vaultwarden [1], which is an unofficial Rust rewrite, may
| also be developed to different, or lesser, security
| standards than the official client. However I don't have
| any real reasons to suspect this.
|
| [1] https://github.com/dani-garcia/vaultwarden
| chriscjcj wrote:
| Agreed. I know I'm taking it on faith that this
| implementation is robust and secure when it might not be.
| However, I feel okay about it knowing that it would be
| very difficult for anyone other than me to access this
| Docker instance in the first place. And if I'm outside my
| home network, I'm interacting with it via the VPN.
| moogly wrote:
| > The only part that was a slight hassle was buying a
| cert, creating an FQDN and making the DNS entries to get
| an SSL connection to the NAS
|
| Note that Synology DSM has built-in Let's Encrypt support
| chriscjcj wrote:
| > Note that Synology DSM has built-in Let's Encrypt
| support
|
| Yes... I tried going down that route. In my scenario, I'm
| accessing the NAS via its internal IP which is in an
| RFC1918 subnet. Let's Encrypt insists that you use a
| globally routable IP. If I used the public IP issued to me
| by my ISP, then I would have to map a port on my router
| and expose the NAS directly to the Internet. No way am I
| doing that.
|
| I bought a cert through Namecheap and got 5 years for
| $29.95. That seemed quite reasonable to me.
| There was no
| problem getting it to work when I mapped the hostname to
| the NAS's internal IP. The only downside is that I have
| to go through a renewal process every year and install
| the updated cert on the NAS. Not a huge deal; just one more
| thing I have to do.
| moogly wrote:
| That all makes sense. Wanted to point out to others that
| there's potentially less of a hassle to set this up (if
| you're fine with opening port 80, as has been pointed out
| to me).
| vetinari wrote:
| Unfortunately, HTTP challenge only. I.e. you have to open
| port 80 to your Synology, which is handled by the same
| nginx instance as all the other services on the device.
| KyeRussell wrote:
| I've never used Bitwarden, but I've used LastPass in the past,
| and I've used 1Password for ages. AgileBits took on a big chunk
| of VC some time ago. This upset a bunch of people, too.
| Slightly different circumstances due to the different user base
| and source availability, but whatever.
|
| I can say with certainty that I've continued to get value out
| of 1Password both personally and professionally. I can even say
| with a degree of certainty that I've gotten value out of the
| changes that have come post-acquisition. Were I starting from
| scratch, I'd still probably pick 1Password. This isn't me
| arguing that 1Password is better. More saying that it's been
| a... little bit of time now, and I'm still happy with the
| product and how it's improved.
|
| I appreciate that acquisitions or taking on funding feels like
| more of a kick in the teeth because it's a distinct event, is
| publicised, and even publicised as a good thing. Having just
| gone through my first acquisition (as an employee in an
| entirely bootstrapped small business) I've realised that this
| has to be weighed up against the risks associated with whatever
| was in the no-funding no-acquisition future, i.e. the thing
| just going away entirely, which happens slowly (and then all at
| once) and mostly in private.
|
| I've little doubt that over time 1Password will get
| comparatively worse than whatever else is around. Either
| because it's neglected or because it gets juiced and dark
| patterned by VC incentives. Ignoring the VC bit, I'm just as
| sure the same will still happen to Bitwarden obviously. But
| this shifting playing field just feels like an inevitability
| regardless of which path any product takes.
| bluSCALE4 wrote:
| The concern with Bitwarden started a few months back when they
| did a round of venture capital funding. Now, they have to turn
| profits instead of just being great.
| sirsinsalot wrote:
| Not being a non-profit or charity, I'm fairly sure profit was
| a need for sustaining the business before investment.
| sngz wrote:
| not just turn profit. But ridiculous unsustainable amounts of
| profit at the expense of the users until it's bled dry, then it
| will be sold off
| rvz wrote:
| I'd like to remind you that Bitwarden is becoming completely VC
| backed with the way it is going [0] and there is always a
| possibility that it _can_ be acquired to give investors a
| return. The same happened with Keybase as soon as they took VC
| cash.
|
| It is now growth at all costs until an eventual acquisition of
| Bitwarden. So I won't be surprised to see price increases on
| some plans soon.
|
| [0] https://bitwarden.com/blog/accelerating-value-for-bitwarden-...
| sirsinsalot wrote:
| The Keybase pivot was so ugly and sad. Their pre-VC product
| was really nice.
| babypuncher wrote:
| I know this dead horse has probably been beaten beyond
| recognition, but I think the safest option that still preserves
| some convenience for password management is to stick a keepass
| database in your cloud storage provider
| (icloud/dropbox/whatever).
|
| Some keepass compatible apps even offer full iOS integration
| (FaceTime unlock, Password AutoFill), so you don't lose these
| features you're used to with LastPass.
| WheatMillington wrote:
| Criminal negligence?
| Explain?
| AdmiralAsshat wrote:
| https://www.grc.com/sn/sn-905-notes.pdf
|
| There are multiple users who, post-breach, are checking the
| iteration count (the number of PBKDF2 iterations) for their
| vault, and discovering that even though LastPass had been
| slowly increasing the number of iterations for _new_
| customers in line with industry best practices, they were
| never going back and upgrading the old users. So if you
| created a LastPass account in the past few years, your
| iteration count was 100,000. But if you were an older user,
| it may have only been 5,000. Or 500. Or, in the case of many
| _old_ users: 1. One iteration. That's all that was
| protecting their encrypted vault--now in the hands of
| attackers--from brute forcing.
| allochthon wrote:
| I had a similar reaction. Acquisitions can be a signal that
| there's a go-to-market strategy being pursued.
| tiffanyh wrote:
| Given that Bitwarden, Inc. is a _for_-profit company, isn't
| it expected they would have a GTM strategy?
| fpoling wrote:
| Well, when the interest rates were zero, profit was an
| afterthought and many still do not grasp what a rate like 4%
| implies.
| kjfarm wrote:
| A good note for bitwarden is that it has a self hosting open
| source version, vaultwarden, that is easy to switch to:
| https://github.com/dani-garcia/vaultwarden I see this as
| downside protection, as I can quickly migrate if I disagree
| with bitwarden's direction with minimal changes to my clients.
|
| I do worry about VC pressure on Bitwarden for hypergrowth.
| However in my personal opinion, the benefits outweigh the cons
| (for now).
| omnicognate wrote:
| Vaultwarden's great. I use it. I use the Bitwarden Android
| client, though. Not sure what there is to replace that.
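The PBKDF2 iteration-count point in AdmiralAsshat's comment above, worked through as an added example (not from the thread and not any password manager's code). It uses the iteration counts the comment mentions (1, 500, 5,000, 100,000); the 600,000 baseline, the account records, salts and master password are constructed assumptions for the example, and the rekey function shows why a server cannot raise an old account's count on its own.

```python
"""Why a low PBKDF2 iteration count matters once an encrypted vault is stolen.

Added example, not from the thread or from any vendor's code. Account
records, salts and the master password are constructed sample data; the
600,000 baseline is an assumed modern setting for PBKDF2-HMAC-SHA256.
"""
import hashlib
import math
from dataclasses import dataclass, replace

# Assumed modern baseline for PBKDF2-HMAC-SHA256 (assumption for this example).
MODERN_ITERATIONS = 600_000


@dataclass(frozen=True)
class VaultRecord:
    """KDF metadata a server stores next to an encrypted vault (constructed)."""
    user: str
    salt: bytes
    iterations: int


# Constructed sample records using the counts the comment mentions, plus a
# modern one. The older accounts never had their count raised.
SAMPLE_RECORDS = [
    VaultRecord("user-2009@example.com", b"constructed-salt-1", 1),
    VaultRecord("user-2012@example.com", b"constructed-salt-2", 500),
    VaultRecord("user-2015@example.com", b"constructed-salt-3", 5_000),
    VaultRecord("user-2020@example.com", b"constructed-salt-4", 100_000),
    VaultRecord("user-2023@example.com", b"constructed-salt-5", MODERN_ITERATIONS),
]


def derive_vault_key(master_password: str, record: VaultRecord) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password, as a vault client computes
    it before unwrapping the vault encryption key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), record.salt,
        record.iterations, dklen=32,
    )


def guess_cost_factor(iterations: int, baseline: int = MODERN_ITERATIONS) -> float:
    """How many times cheaper one offline guess of the master password is at
    `iterations` than at `baseline`. Every guess must run the whole KDF, so
    the cost per guess is linear in the iteration count."""
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return baseline / iterations


def effective_entropy_loss_bits(iterations: int, baseline: int = MODERN_ITERATIONS) -> float:
    """A guess that is N times cheaper is worth log2(N) bits of master-password
    entropy to whoever holds the stolen vault: 1 iteration vs 600k is ~19 bits."""
    return math.log2(guess_cost_factor(iterations, baseline))


def audit_iteration_counts(records, minimum: int = MODERN_ITERATIONS):
    """Flag every record below the required count, i.e. the check users in the
    comment were doing by hand post-breach. Returns (user, iterations,
    'ok'|'weak', bits of entropy effectively lost against `minimum`)."""
    findings = []
    for rec in records:
        status = "ok" if rec.iterations >= minimum else "weak"
        lost = round(effective_entropy_loss_bits(rec.iterations, minimum), 1)
        findings.append((rec.user, rec.iterations, status, lost))
    return findings


def rekey_on_login(record: VaultRecord, master_password: str, new_iterations: int):
    """Raising the count changes the derived key, so the vault key has to be
    re-wrapped with a key only the client can derive (it needs the master
    password). The server never sees that password, which is why old
    accounts cannot be upgraded server-side; it has to happen at a login."""
    old_key = derive_vault_key(master_password, record)
    new_record = replace(record, iterations=new_iterations)
    new_key = derive_vault_key(master_password, new_record)
    return new_record, old_key, new_key


if __name__ == "__main__":
    for user, iters, status, bits in audit_iteration_counts(SAMPLE_RECORDS):
        print(f"{user:24} {iters:>8} {status:5} ~{bits} bits cheaper to guess")
    rec, old, new = rekey_on_login(SAMPLE_RECORDS[2], "constructed master pw", MODERN_ITERATIONS)
    print("derived key changed on rekey:", old != new)
```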
| johnmaguire wrote:
| It's open source and can be forked if necessary:
| https://github.com/bitwarden/mobile
| jacoblambda wrote:
| To add onto this, if you care about supply chain attacks,
| bitwarden mobile supports F-Droid builds (albeit not part
| of the main repo because they rely on Xamarin) so you can
| host your own F-Droid repo and run your own builds if so
| desired.
| jjeaff wrote:
| If you are making your own build, is there a benefit to
| using F-Droid? Why not just install the APK?
| notpushkin wrote:
| Update notifications?
| weaksauce wrote:
| you don't need to fork it... just add an account at the
| main screen and set the backend url to whatever your
| server resolves to.
| tazard wrote:
| I think they meant if they don't like the direction that
| the Android client takes, i.e. they stop allowing you to
| change the backend url for example, in which case, yes, you
| would need to fork or rewrite it
| princevegeta89 wrote:
| Is it not possible to point BW Android to your Vaultwarden
| instance?
| cube00 wrote:
| It's fragile if you do that. Bitwarden updated their API
| last month on the clients so you couldn't connect to
| Vaultwarden at all until the Vaultwarden team could
| reverse engineer the change and produce a new release.
| BrandoElFollito wrote:
| This is interesting. I use BW daily (many times) on
| Android against my self-updating VW instance.
|
| I did not notice anything, maybe the break happened
| during the night in Europe. Or the Android app did not
| warn about problems.
| kioleanu wrote:
| Note that Vaultwarden is the unofficial server, there is also
| an official one that you can self host.
|
| Vaultwarden is much easier to set up and manage, I use it
| myself, and I heard that the official build is a little bit
| more tedious to go with.
| Spivak wrote:
| The official one used to only support MS SQL and other DBs
| are still "mileage may vary" so people were uhh pretty
| motivated to make something else.
| nightski wrote:
| Interesting, I use MS SQL a lot so that's actually a plus
| for me.
| cube00 wrote:
| It's easier to manage until it breaks, as in the recent example
| last month when Bitwarden updated their client and
| Vaultwarden had to play catch up and reverse engineer the
| changes.
|
| That experience sent me back to just letting Bitwarden host
| for me. I know it's all free and I can't expect anything,
| which is fine, but I can't be without my passwords either.
| pavon wrote:
| The official server is distributed as docker containers,
| with a shell script to manage them, and is quite simple to
| set up and maintain. I could see how trying to deploy it
| yourself outside of docker could be an undertaking though.
|
| The MSSQL database seems a bit heavyweight (RAM wise) given
| the tiny amount of data it needs to host for a handful of
| users, and isn't acceptable to some people on principle,
| since it isn't open source.
| simooooo wrote:
| Waiting for Bitwarden Unified to come out of beta before I
| self host
| szundi wrote:
| If dev support from the company fades, the UI will start to
| deteriorate - and whether you are hosting or not, that is also
| a thing that matters. Like mobile apps, browser plugins, form
| filling logic and specific site behaviours etc.
| switch007 wrote:
| I'd bet on KeePass 2 longer term. KeePassXC has been around 10
| years (forked from a project started 8 years before that).
| Actively developed, cross platform.
|
| There are decent apps for Android and iOS (eg Strongbox)
|
| I'm going to migrate off 1Password to it soon
| princevegeta89 wrote:
| What is the best client for KeePass on Android? How is the
| autofill functionality?
| ESchack wrote:
| I did this some time ago when 1Password announced switching
| from having native apps to being containerized web apps. Have
| not regretted it one bit.
| roustem wrote:
| The "containerized web app" is not a correct description
| here.
1Password 8 on macOS, Windows, and Linux is a full-fledged desktop app. It is built in Rust with | Electron/React providing the UI. It can work completely | offline and does not require a network connection. | | 1Password 8 has greatly improved security architecture | compared to the previous versions. Just one example of | many: when rendering the item details, the Rust core would | not send the password value to the UI layer until the user | clicks "Copy" or "Reveal" password. | | In addition to that, 1Password 8 has better integration | with the operating system than any other version in the | past -- Touch ID, Windows Hello, Secure Enclave, macOS | Accessibility services, etc, etc. | velhartice wrote: | Bingo, me too. I like that keepass is file based so I can | use any storage medium to make multiple layers of security | to access the vault. Even if cloud providers have access to | the file or my cloud storage account gets hacked they still | have to crack the file to get the passwords. Also I have | been using strongbox pro for a few years now and been very | happy, in fact I like it better than what 1password used to | be. Worth every penny. KeepassXC has also been great. | aheckler wrote: | I've been considering a switch from 1Password to | KeepassXC myself, but the last time I tried it, I | couldn't find if KeepassXC has some equivalent to the | "quick access" feature of 1Password.[0] In short, a way | to open a small window, search for a service name or URL, | and then quickly copy username, password, or a TOTP code. | As far as I could tell, I had to open the entire | KeepassXC app every time to find something. Has this | changed, or did I miss something somehow? | | [0] https://support.1password.com/quick-access/ | Jack5500 wrote: | Slightly offtopic, but I really find the Bitwarden Clients to be | lacking in the feature department. I switched to Bitwarden a few | months ago and the client has evolved (for me) ever since. 
| | There are a few basic features missing, such as that if I search | for something I wrote in the notes of password, that the client | shows the according password. I get that the open-source model | implies that everyone can contribute and fix this issue, but if I | look at the repo and see 108 open PRs, I don't even bother to | check if that's a feature that would be easy to add. | sigzero wrote: | Bitwarden (for me) is still a little clunkier in how it does | things compared to 1Password. I find 1Password a much smoother | experience. | velhartice wrote: | KeepassXC and/or strongbox have a very similar workflow to | the older file based 1password one. I switched from 1password | once they went to the centralized subscription model and I | have been very happy with it for years now. | mimimi31 wrote: | I agree, it's a little weird that some very basic quality of | life features are missing from such a popular and relatively | mature product. | | Folder management in particular seems to have been an | afterthought. You create a subfolder by setting its name to its | full path in the hierarchy, including all its parents. And | thus, in order to rename a folder you have to manually go | through every single subfolder and rename the particular parent | in its name. | | Other annoyances off the top of my head are things like the | inability to change the type of a custom field from e.g. text | to hidden without deleting it and creating a new field. Or the | browser extension forgetting everything you just typed into the | new item form (unless you remember to pop out the window) when | pasting a generated password on the site you're trying to | register to. | | After switching from KeepassXC to Bitwarden for its better | auto-fill detection and convenient synchronization, I can't | help but feel that it's also been a downgrade in more ways than | expected. 
| yshavit wrote: | I just switched password managers from LastPass, and | Bitwarden's lack of multiple accounts on their browser plugin | was a dealbreaker for me. Such a basic feature, especially if | they want to get widespread adoption. Otherwise, anyone whose | work uses Bitwarden basically can't also use it for their | personal stuff without jumping through hoops. | tapland wrote: | Aren't you supposed to have your personal Bitwarden account | and get work passwords shared to your account? I thought | that's how Bitwarden for organisations worked. | jeroenhd wrote: | Bitwarden's mobile app allows you to log in with multiple | accounts. I think the desktop client does as well. | | Not sure why the web extension doesn't. Might have | something to do with autofilling or adding credentials to | HTTP Basic Auth? | yshavit wrote: | Ideally I'd want to keep my _personal_ personal stuff | separate from my "work personal" (ie my personal logins, | but the one for work accounts) separate from my shared work | stuff. So I'd want two accounts, one for my truly personal | accounts, and then one for my work-personal and have the | work-shared connected to that. | jeroenhd wrote: | I don't know how well this works across business and | personal accounts, but you can use "collections" to share | passwords between accounts. | | I'm using that on my VaultWarden server to share data | between different accounts and it works well for me. This | may not work in your specific situation if your company | manages your Bitwarden account, though. | tapland wrote: | There doesn't seem to be a security benefit of doing this | if you encounter having to swap between personal-personal | and work-personal. | | It doesn't take me many seconds to swap accounts. | LastPass allows you to be signed into two accounts at the | same time in the same browser? 
| secabeen wrote: | Lastpass allows you to link your personal-personal | account into your work account, so that you can access | your personal-personal data while logged into a work | account. Work-personal accounts should be stored in a | personal folder in your work account, then work-work | accounts are in shared folders that cross multiple users. | yshavit wrote: | I forget if LastPass does -- 1Password does (though I | haven't actually used it in practice, because my work | doesn't use 1Password). Idk, maybe it's not actually a | problem, but it's how I like to organize things. | ::shrug:: | obblekk wrote: | I really dislike the idea of giving complete access to my digital | life to any company, particularly one that needs to grow quickly. | | The tech for password vaults is so simple, I use keepass + icloud | syncing and get free end-to-end encrypted password syncing, | without sharing any data with anyone. | | Outlined in more detail here: https://magoop.substack.com/p/how- | to-manage-500-passwords-se... | thefz wrote: | Bitwarden is built as a zero knowledge platform and they can't | access the contents of your Vault. | mort96 wrote: | Only if you never use the web interface. | RadiozRadioz wrote: | So is LastPass, but we users changed our passwords in | December anyway as a precaution. Bitwarden is still a central | entity that needs to be trusted to manage the zero knowledge | platform with competence, e.g. not storing unencrypted | metadata in a backup. 
| panarky wrote: | Because LastPass is a bad actor that falsely claimed to | have a "zero knowledge architecture" that couldn't be | compromised if they were hacked, and kept their code secret | so nobody could independently assess their implementation, | and then proceeded to store critical user data unencrypted, | which was promptly hacked and leaked, that means the risks | must be identical with Bitwarden, which publishes client | and server code in public, so anyone can inspect their | implementation. | stavros wrote: | I kind of want to point out the discrepancy in saying "I get | syncing without sharing my data with anyone by sending my | password database to Apple". If your argument is that the | database is encrypted, how is Bitwarden different? | dcow wrote: | What this highlights in my humble opinion is that many users | seek security signals and are less concerned with the actual | security implementation. In the password management space, | the signals are "local vault", and "not VC backed", at least | on HN. It's quite odd since you'd think people would be more | concerned with the application architecture, key derivation, | key transport backup and recovery, etc. But it seems security | is more synonymous with "company doesn't store my vault on | their servers" than it is with "company helps me securely | encrypt my passwords". | advisedwang wrote: | I do this, but have started using Syncthing [1] for sync | instead of a cloud service. | | [1] https://syncthing.net/ | TillE wrote: | BitWarden doesn't get "complete access to your digital life", | they get an encrypted blob. | | It's not materially different than storing your KeePass vault | in the cloud. | mort96 wrote: | There's still trust there. You're writing the key to decrypt | everything into their web interface if you ever use it | (vault.bitwarden.com). If they wanted, they could really get | access to everything in your bitwarden vault. | dcow wrote: | That's why open source is important. 
You can audit them and | verify that they are behaving in a trustworthy manner. | Kimcha wrote: | Not if you are using their cloud version instead of the | open source self hosted server. | | The code they are running does have to be the code they | are publishing. | | And if someone compromises their cloud servers, they | could also modify it to log the passwords entered. | dcow wrote: | Yes we can degenerate into inordinate amounts of rabbit | holes. For 1, you can audit the JS that runs on your | browser, it's not hiding (so it's not strictly fair to | say that just because you loaded a webpage in your | browser from their server it can't be trusted). And | anyway, generally, your argument holds for any software | interaction ever. GH doesn't have to ship you the repo | that you browsed on the web client. A malicious actor | could have compromised their infra and be serving fake | code in the web UI but have added all sorts of malware to | the stuff you download. Apple app store doesn't even ship | you the exact binary the developer uploaded. Scary. At | some point you have to decide which threat vectors you | actually care about. Give me a scenario and I can tell | you how someone can theoretically attack it and why | you're not safe. The only thing you can be 100% sure | about is manually auditing every single release at the | source level and building it yourself. | getcrunk wrote: | Well even then you have to make sure your compiler isn't | playing tricks on you. So compile your compiler from | source ... oh wait. Then you have your cpu microcode, | firmware, security coprocessors. | | Trusting trust | mort96 wrote: | I can't audit their server-side code. 
Even if it's open | source, it's impossible to verify that the software which | the server is running is identical to the open source | version, or that there's no proxy in between you and the | server which logs the passwords, or some debugger attached | which inspects the passwords in memory as people log in. | manmal wrote: | Services like 1Password are often more secure than your | solution because they need to harden vaults against full leaks. | In the case of 1Password, a secret key in addition to the | password ensures that brute forcing is (at the moment) not | feasible, even if your password is really crappy. | DavideNL wrote: | Note that 1Password copies the "Secret Key" to iCloud... | without asking. | princevegeta89 wrote: | Same was said about LastPass many times and look at what | happened, everything turns out to be a false promise. | hn_throwaway_99 wrote: | That's not a fair comparison. The differences in LP and 1P | encryption approaches have been well known for years, and | they are fundamentally different. | | Now, while 1P encrypted vaults are not brute-forceable the | way LP's are, that doesn't mean it's impossible to hack 1P | (e.g. malicious code injection in any of their apps or | plugins), but I don't like the "everything turns out to be | a false promise" broad-brushing when there are real and | verifiable differences in how these companies secure your | data. | notesinthefield wrote: | Keepass has Key Files as a part of the spec | https://keepass.info/help/base/keys.html | | On my devices, keyfiles and a KP client are stored locally. | The DB rests in the cloud. | phonebucket wrote: | But in the context of a strong master password, the | additional benefit of the secret key is of negligible benefit, | while the hassle and dangers of having to synchronise the | secret key remain. | | I'd rather use an extremely high entropy master password by | itself. 
| brandon272 wrote: | LastPass would have also led their customers to believe that | "brute forcing was not possible" and that they were taking | extraordinary measures to keep vaults and data safe. | | I think one distinction between services like KeePass and | 1Password is end user perception of how easy it is for an | attacker to acquire an encrypted vault to begin with. For | many, they consider a KDBX database sitting in their Dropbox | account to be less likely to be stolen than an encrypted | vault being held by a company like 1Password, a high value | target to the most sophisticated attackers including state | actors. | hn_throwaway_99 wrote: | Doesn't necessarily matter what LastPass "would have also | led their customers to believe", the mathematical reality | is still that LastPass vaults _are_ crackable in a way that | 1P vaults fundamentally are not. | brandon272 wrote: | Yes, according to what 1Password is telling us. But as | we've seen, what these companies say and what they | actually do in practice are not always aligned. And | oftentimes customers are inserting a _lot_ of their own | assumptions into the mix, not only with respect to vault | encryption but vault storage and operational security. | hn_throwaway_99 wrote: | > Yes, according to what 1Password is telling us. But as | we've seen, what these companies say and what they | actually do in practice are not always aligned. | | That's just not accurate: | | 1. First off, all the encryption happens client-side. It | is possible for anyone so inclined to validate how 1P and | LP are doing their encryption. | | 2. The deficiencies in LP's encryption approach were well | known for years. | | My point is, yes, companies will spin things however | they want, which is why you should _completely ignore | what they say_ and only evaluate _what is verifiable_. | And 1P's and LP's approaches are verifiably different. 
| brandon272 wrote: | 1Password's client side encryption is occurring within | its proprietary, closed-source product, so I'm not sure | how the end to end process can be completely validated. | | With respect to your confidence in 1Password's code and | encryption methodology, would you be willing to send me | your 1Password vault so that I can have a look at it? | hn_throwaway_99 wrote: | > 1Password's client side encryption is occurring within | its proprietary, closed-source product | | It's Javascript running in a browser. | | > With respect to your confidence in 1Password's code and | encryption methodology, would you be willing to send me | your 1Password vault so that I can have a look at it? | | Yes, absolutely (note I don't actually know how to get | the encrypted version of the vault standalone). Are you | willing to send banking information over HTTPS? It's the | same level of security. | brandon272 wrote: | > Yes, absolutely (note I don't actually know how to get | the encrypted version of the vault standalone). | | I believe that, given that it's just JavaScript in the | browser, that the encrypted vault should be available as | a blob in one of the network requests when you are making | a change to the vault. | | > Are you willing to send banking information over HTTPS? | It's the same level of security. | | Maybe I'm being irrational, but I just think there is a | fundamental difference in the risk profile between a | breach of my banking credentials and having every stored | set of credentials across my entire digital life exposed | through a password vault breach. | | If my banking details were compromised somehow, I at | least have a bank I can work with and real people I can | talk to. Both the bank and myself have a strong mutual | interest in addressing the acute security issue. | Government banking regulations come into play. Insurance | comes into play. 
| | If my password vault is compromised and credentials for | every service and website are exposed, I would argue that | is a far graver matter. And who do I turn to in that | case? I have to imagine that any of these password | management companies would just point to me being somehow | negligent with my master key and tell me to pound sand. | zmxz wrote: | Bitwarden can be self-hosted, it's fully open source so you can | be safe that way, never giving a single byte to the company. | | Do you have a browser extension that offers username/password | autofill using keepass as datasource or do you alttab copypaste | / rely on a program made by someone else to clear your | clipboard? | d1lanka wrote: | Same here. | | KeepassXC to be specific: https://keepassxc.org/ | sakopov wrote: | Agreed. I use keepass + dropbox secured with yubikey. You can | even go a step further and configure yubikey with keepass as | well. | anonkogudhyfhhf wrote: | Where about on mobile? | sakopov wrote: | I believe KeePassDX on android supports yubikey via NFC. | velhartice wrote: | Strongbox for iOS. | waymon wrote: | I used to do this. Now I self-host vaultwarden since it allows | me to use that database with faceID. Can keepass do that? | hoboris wrote: | I use the Strongbox iOS client. It reads .kdbx files, | integrates with apple sign-in features, and supports faceID. | | https://apps.apple.com/us/app/strongbox-password- | manager/id8... | dicknuckle wrote: | I use the Keepass2Android and it integrates with the OS | fingerprint reader, so it's likely the same for faceunlock | but I don't use that. | IronWolve wrote: | I like keypass, but merging my android and pc versions every | so often is a task I'd like to automate. I don't do | google/apple cloud so avoiding that. | ithkuil wrote: | The demo on the homepage is available only on chrome. I tried | both safari and firefox on macos and I can't see the " Experience | Passwordless.dev in action" link there. 
| jlundberg wrote: | Worked for me in Safari on macOS if you have iCloud keychain | activated. | | Or more correctly: I got so far but stopped because I prefer to | have my keychain locally :) | StreamBright wrote: | I am not sure how much is this better than magic link logins. | 8organicbits wrote: | Magic links via email? Email isn't a secure transport, or | storage. I think that's only viable for low risk systems. Even | software like Slack, which supports magic links via email, will | also support username/password/MFA as an option for folks who | need better security. | 9dev wrote: | It's about a bazillion times less annoying? | heresjohnny wrote: | Interesting demo. What happens though if the device holding the | private key is lost? Or Apple decides to shut down your iCloud? | Is there a backup option, similar to backup codes for OTP? | smileybarry wrote: | I wonder how iCloud shutdown would affect this route, but: your | Passkeys are synced to your devices locally, and the whole | "scan QR code on another device with your phone to | authenticate" flow is fully local, utilizing key authentication | over BLE. | | Theoretically, your Passkeys _should_ still be on your iPhone | /iPad/Mac/iThing, and QR authentication will work. (And then | you provision another key on another device, since Passkeys' | intention is like SSH keys, allowing multiple on a single | account) | WorldMaker wrote: | Just like TOTP (used for most 2FA) the best practice for | websites accepting passkeys will be to support as many passkeys | as you wish to enroll. So you could enroll into your account | some device associated with your Apple ID and some device | associated with your Microsoft Account and some device | associated with your Google Account and some browser associated | with your Firefox Account and use any of those for recovery. 
| | Unlike TOTP, the _base case_ for passkeys is multiple key | enrollment so websites are more likely to support it well | whereas with TOTP so many implement it as having one-and-only-one TOTP configured. Even when enrolling just a single device | that device generally enrolls a small key-chain, not just a | single key, because that's how recovery systems work even for | using just a single "owner" account. Plus most people use 2 or | more devices regularly and Passkey has to work with that. So | many more websites in practice should actually support N | passkeys where N > 1 (versus half-baked single-option-only TOTP | implementations). | | At least in theory, in practice we'll see how well Passkey gets | implemented at large, there's always lots of ways for companies | to get practice wrong. | secabeen wrote: | Best practice is unlikely to help here, as people just aren't | going to register passkeys from multiple services unless it | happens automatically. I might bother to enroll multiple | passkeys for my bank, but I'm unlikely to do it often. | | Are Passkeys exportable and re-importable by another service, | site, or system? As described above, if my Google Account is | terminated by Google without recourse (which absolutely | happens), do I lose access to all sites that I used solely a | Google Account Passkey for once my phone stops working? | WorldMaker wrote: | It _should_ start to happen automatically. Apple, Google, | and Microsoft have all stated the goal that they are hoping | for deep inter-operation across all of a user's devices, | regardless of ecosystem. 
| | If you are truly paranoid that your major device accounts | are subject to termination without recourse (which if that | happens you generally have lots of other problems and | should maybe cause you to rethink your other trust | relationships with such vendors and which devices you are | buying), you can build your own Passkeys with WebAuthn | standards and roll your own recovery/backup strategy. (Most | FIDO compatible WebAuthn keys already work today anywhere | Passkeys are supported, Passkey is just the "brand name" | for those standards plus a soon-to-be-standard Bluetooth | LTE handshake plus Vendor-guided backup and recovery plus | whatever cross-device ecosystem "interop" standards the Big | 3 eventually settle on.) | secabeen wrote: | > It should start to happen automatically. Apple, Google, | and Microsoft have all stated the goal that they are | hoping for deep inter-operation across all of a user's | devices, regardless of ecosystem. | | If this is the case, then maybe there will be some | solution through Google Takeout. Apple and MS seem less | interested in this, but if one of them can generate an | export, I can see services appearing that can work with | that exported data. | | > you can build your own Passkeys with WebAuthn standards | and roll your own recovery/backup strategy. | | This....or I can stick with passwords, print them out | annually and put them in my fire safe. The KISS principle | works here, and I can't imagine a non-techie person who | works in a socially-risky field being able to do so. | | > If you are truly paranoid that your major device | accounts are subject to termination without recourse | (which if that happens you generally have lots of other | problems and should maybe cause you to rethink your other | trust relationships with such vendors and which devices | you are buying) | | Complaints by users who have Big 3 cloud accounts closed | for unspecified "violations" are common enough to make it | a concern. 
I take other protections against something | like this, but I absolutely do consider it a risk, and | would generally advise people not to keep all their | digital services under one roof. If you use Gmail for | email, then use Microsoft or Apple for Passkey, Bitwarden | or 1Password for Password Vaults, etc., etc. | WorldMaker wrote: | > If this is the case, then maybe there will be some | solution through Google Takeout. Apple and MS seem less | interested in this, but if one of them can generate an | export, I can see services appearing that can work with | that exported data. | | So far as I'm aware none of them are planning key exports | any time soon. Keeping keys to the various secure | enclaves of user's devices is a key part of the security | footprint they are trying to establish. That's why multi-key enrollment is the _base case_ in all Passkey systems: | recovery, multi-device support, etc all hinge on | continuously expiring old keys and auto-enrolling new | ones. There's no export, and cloud backups aren't | "backups" but different, Vendor _escrowed_ keys (often | themselves in hardware cloud secure enclaves that cannot | be exported, only new keys added to keychains) and ways | to attest for (sign) new keys in recovery situations. | | As I said way above, the _theory_ is that enrolling all | of your devices and all of your top-level recovery | accounts will be easy and convenient enough on _every_ | website, not just your bank (given how many banks still | don't even support proper TOTP, hopefully _better_ than | some banks today), and enough so that _everyone_ does it | by habit. I agree, there's huge practical risks that | someone gets it wrong and there's all sorts of ways what | should be easy turns into complicated soup that never | works right. That's the brief glimmer of hope here | offered by the Big 3 alliance on this and making it a | major marketing endeavor. They've put a lot on the line | for this. 
| | > This....or I can stick with passwords, print them out | annually and put them in my fire safe. The KISS principle | works here, and I can't imagine a non-techie person who | works in a socially-risky field being able to do so. | | The _hope_ is that with the Big 3 all in agreement here | on passwords needing to be entirely replaced and the only | way that happens is if what replaces them is as easy and | uncomplicated as possible for non-technical users to use every | day, Passkeys will see strong implementations everywhere | and that cross-vendor multi-device interop will be strong | enough for _everyone_ to rely on (even if you distrust | one or all three of the Big 3). | | > Complaints by users who have Big 3 cloud accounts | closed for unspecified "violations" are common enough to | make it a concern. I take other protections against | something like this, but I absolutely do consider it a | risk | | I consider it a risk too, but as with all things security | every risk needs to be evaluated within the template of a | larger threat model. Email is already the de facto | chokepoint for recovery of almost any account (and | passkeys don't necessarily change that, "Forgot Password" | flows still probably exist in passkey worlds, just | differently). You have a ton of eggs in whatever basket | is your email provider (and for the majority of people | often one of the Big 3). Phones are already the de facto | chokepoint for account access (whether because of TOTP or | single ecosystem "apps" or all sorts of other lock in | mechanics). Passkeys don't substantially change these | existing deep trust relationships (and weren't really | designed to), most people in most threat models the | amount they are trusting their various relationships with | the Big 3 doesn't substantially shift with a switch to | Passkeys. (For good and bad. 
Absolutely some people are | underestimating exactly how much they trust one vendor or | another and how much they have to lose if their account | is suspended for any reason without warning or easy | recourse.) (Your threat model is your own and will vary, | of course.) | | On top of that, other vendors _will_ be playing ball in | this space. Mozilla isn't a direct part of the "Passkey | Alliance" but has stated their interest in Passkeys and | cross-platform/cross-device interoperability. There will | be more, too, over time. Possibly _enough_ paranoid | people will roll their own that good self-hosting and | open source options will roll out eventually, even if | most people won't use them and most people won't need | them in their personal threat models, having more options | is always a good thing (and Plan B if your threat model | changes for any reason). All of this is in a cloud of | enough open standards that vendor lock-in, while maybe | not impossible, should be unlikely. | | You are right to be worried. You are right to be | questioning all of this. I appreciate your concerns here | (I know I have an uneasy relationship at best with at | least one of the Big 3 myself). I hope I've offered at | least some reasoning on where some of your concerns may | be mitigated by the ecosystem as a whole. | secabeen wrote: | Thanks for your comments, and I think I see the ambition | of the project. We'll see how far it goes. I hope that | the powers that be in this space see the risks they're | creating, recognize that they are increasing the blast | radius of account loss, and take some efforts to mitigate | them. | | Honestly, if they don't, they may find themselves under | significant government regulation. The DMV in most states | is hard to work with, but they work with everyone, | regardless of disability, felony record, reprehensible | views, everyone. 
If we're going to allow these companies | to take this authoritative role in our systems, they | should necessarily lose the right to refuse service. If | they don't want that trade-off, then they should hand the | whole thing to login.gov and other Government Identity | schemes. | | The best hinge point I would use in conversation with | these players is to plan for third-party access from the | beginning. Systems like Lastpass and Bitwarden have built | robust systems for emergency access in the event of | hospitalization or death. They've done so because it's | needed, often. If the Big 3 commit to allowing some | access-for-transfer-out when accounts are closed or | access is lost, even in non-ideal situations, that would | go a long way. | secabeen wrote: | This is an unrelated question, so I'm putting it in a | different thread. | | How will Passkeys work for users who don't have or want a | smartphone? There are plenty of people who carry no | electronic devices on their person, and who primarily | access the Internet through library access stations, | other public Internet services, or multiple desktops. | Will they be unable to use a site that is passkey-auth-only until they get such a device? | WorldMaker wrote: | Very good questions and I've been wondering that some | myself. I imagine of the Big 3 Microsoft is likely the | one to have been thinking about this the most. With | Microsoft no longer having a smartphone ecosystem of | their own, they will likely have to support both Apple | and Android devices and they probably also need to have | more answers for the "neither" scenarios as well (de-Googled Android users still sometimes have Windows PCs, | for instance; Windows users are said to include a larger | share of older "dumb phone" generations; etc). Also, most | of those access stations themselves are generally Windows | PCs for the intersection of cheapest available hardware | and lowest common denominator software. 
(Though I've | heard Chrome OS is shifting that in some places.) | | I think the immediate answer is that something like a | Microsoft Account-based login system and Cloud-based key | escrow becomes more unavoidable in situations like that. | But I'm not sure and hopefully there are smart minds | exploring some of these scenarios in the long term. | Relatedly, I know there are some long-term creatives | trying to figure out if "smartphone" is becoming a | required utility for the modern world (TOTP has already | made that a recently strong requirement in plenty of | areas; soon you may not be able to bank without a mobile | device, for instance) and the "phoneless" may be its own | evolving economic crisis on top of homelessness to deal | with in the long term. "Give everyone phones" may sound | like a curt, dumb answer, but it may end up being | something close to the answer; go to your local DMV and | get a secure phone as your digital ID to go with your | physical ID. I don't know if that is the plan, I just | know it is a plan I've heard we need to consider, that | "baseline personal hardware" may be an ever-increasing | need. | selykg wrote: | > Or Apple decides to shut down your iCloud? | | This is probably testable as it is. They sync to iCloud | Keychain, as is my understanding anyway. | | How are the rest of your passwords stored in iCloud Keychain | when your account is hosed? Do you lose those or does it just | turn off syncing? I'd imagine it turns off syncing but keeps | the keychain around unless you delete the iCloud Account from | the device. That's a whole different ballgame of potential bad | decisions though. | echeese wrote: | Probably the same thing that happens when you forget your | password. Hit the "forgot your password" link, get a | confirmation email, create a new passkey | penciltwirler wrote: | One can easily self host a bitwarden server on digitalocean. 
| https://bitwarden.com/blog/digitalocean-marketplace/ | | However, I'm curious what y'all think about the cost. A | digitalocean droplet for the recommended specs (4 GiB memory) is | $24/month. This is hard to stomach when you compare with | Bitwarden Premium which is <$1/month. I guess it depends on how | much you value your own data. | jslql wrote: | 4 gb of memory for something like this? Absolutely deranged. | How can they not see that? | ramsj wrote: | I run Vaultwarden on the free VPS from Google Cloud and it | works great. | jeroenhd wrote: | You can run the open source VaultWarden server | (https://github.com/dani-garcia/vaultwarden) on way slower | hardware. It takes a while for the project to catch up in terms | of API support compared to the official server, but it's great | for self hosting. | sodality2 wrote: | Highly recommend using Vaultwarden, API compatible OSS server. | It even provides premium features like TOTP for saved sites. I | could host it on a small $12/yr VPS but currently host it on a | home server. Minimum specs are very low for it as it's written | in Rust. | | DO inflates prices for their systems, sometimes I guess it's | worth it but you can get a great dedi with FAR better | performance from Hetzner auctions for $32/mo. 64GB RAM, proper | CPU, large HDD, could probably host a thousand Vaultwarden | instances. Definitely don't use that for just Vaultwarden, it's | just an example, but yeah. | wallmountedtv wrote: | You can use vaultwarden, which is a re-implementation in Rust | that is much more lightweight than the official .NET version. | metaltyphoon wrote: | I wish they would drop SQL for the self hosting and just use | SQLite instead. That's what eats the most RAM on self hosting | in .NET version. | jeroenhd wrote: | Based on their current docker-compose file, it seems like | they did away with the MS SQL server, at least: | https://github.com/bitwarden/server/blob/master/docker- | unifi... 
| | [This issue](https://github.com/bitwarden/server/pull/2487) | also suggests SQLite was added as a database driver last | December. | fullstop wrote: | Vaultwarden can run on their $5 droplet. | mdaniel wrote: | Aside from the highly relevant cost observations of the sibling | comments, one will want to be cognizant of the ... very strange | ... opsec that installer uses. It's a lot of curl into bash, | self-updating things, URL shorteners, and :latest tags | | discussed when it was announced: | https://news.ycombinator.com/item?id=31098608 | rqtwteye wrote: | If you self host, why would you need such specs? You would | access your server a few times a day at best. Otherwise it just | sits there. | kevwil wrote: | It makes me think (dangerous, I know) ... I find it odd to use | the term "self host" when referring to a third-party cloud. | It's someone else's servers and network and electric bill, | after all. | | Pedantry aside, yeah that seems expensive given the amount of | convenience offered. But much more convenient than setting up a | server in your basement with a UPS and external backup drives | and such. | selykg wrote: | Self hosting is a scale. But the point is you have the | ability to host it how you want. Whether that be on a cloud | service that you just throw a docker container at, to a VPS | with root, to a bare metal machine co-hosted, to in your | basement, the choice is yours. | recuter wrote: | Why does it need to run 24/7? | jedahan wrote: | They are working on reducing the requirements - see | https://bitwarden.com/help/install-and-deploy-unified-beta/ | which claims 200 MB RAM and 1GB storage requirements. | DangitBobby wrote: | Anyone know how Bitwarden fits into the "passwordless" equation | here? I tried to log in to Dogwarden (shown in the video demo on | passwordless.dev), but the Bitwarden extension/app doesn't seem | to do anything during sign-up.
| | Also wondering if anyone knows why this device [1] doesn't work | during the "passwordless" sign-up/sign-in process on | dogwarden1.passwordless.dev. Am I going to have to buy yet | another hardware key if I want passwordless logins? | | 1. https://www.amazon.com/gp/product/B0773YLSY5/ | jeroenhd wrote: | My current setup uses Krypt.co (deprecated) to forward most | U2F/FIDO2 requests to an app on my phone. The app has some keys | stored in my phone's secure secret storage and verifies/signs | the request (after unlocking my phone with biometrics or my | phone's PIN). This signed response is then used to log into the | website. | | I believe the goal for Bitwarden would be the same, to allow | for seamless login through a secondary device using WebAuthn | and friends. Apple and Google are already working on cross- | device FIDO2 login support, but for Firefox I haven't seen much | announced as of yet. Bitwarden filling in for Apple's/Google's | proprietary services would be a way to log in securely without | giving up even more security features to browser companies. | ajcoll5 wrote: | Would have preferred to see the cash used for this to be used for | things like app QoL improvements, an actual code audit (not just | the basic network security assessments they list), or offer | actual bounties for their bug 'bounty' program. | Reptur wrote: | I'd like to see a video on how losing your device and recovery of | the account works with Passwordless. | jlundberg wrote: | And here is a link to the web site of this startup: | | https://www.passwordless.dev/ | | Anders Aberg (@andersaberg) who is the founder behind this is a | really enthusiastic and inspiring coder. I've always enjoyed his | mashup hackathon ideas and meetup presentations. 
:-) | jlundberg wrote: | For those curious, here is another fun project Anders has built | in which he mixes ambient music with live radio broadcasts from | airports :) | | https://listentothe.cloud/ | fantalamera wrote: | Anders is amazing! | Jsharm wrote: | Wow this is really cool. I just tried the example on the | homepage, that's magic! No email, username or password. Can | someone explain what is happening? | antihero wrote: | On iOS this seems to use the iCloud Keychain which is slick but | how would I then login to sites using Firefox or any computer | that doesn't have access to my keychain? The reason I use a 3rd | party manager is precisely this reason. | WorldMaker wrote: | Sites should likely let you enroll multiple such passkeys | from different vendors (add a Microsoft Account passkey from | your PC, a Google one from your Chromebook, etc). | | Apple already supports Keychain sync with Edge on Windows and | I believe that already supports Passkey access. | | Also, I believe I heard rumor that "Sign in with Apple" | (their existing OpenID Connect account system) will also | eventually support helping you enroll non-Apple devices to | Passkeys in apps that support both Passkeys and "Sign in with | Apple", though I don't know if there is yet a timeframe on | that sort of support. | medstrom wrote: | From my loose skim, this seems to be more for UX than anything | else: no-clicks account creation and no-clicks login, but | there's still account creation and login happening, presumably | with a key provided by BitWarden. But websites can start | removing the login prompt as an entity to be interacted with. | rgrmrts wrote: | A new private-public key pair is generated, the public key is | your user identifier (sort of), and the private key is stored | on your device (browser or phone). You're logging in by proving | you have the private key for the associated public key. I think | the device may also be storing a mapping from key to service or | something?
Not sure. | | Please correct me if I'm wrong on any of this.
___________________________________________________________________
(page generated 2023-01-18 23:00 UTC)