As in multi-factor?
You can use it free of charge as well - recommend Authy as the app of choice for MFA.
M.
Password managers
- Thread starter SixTwoSix
- Start date
As in multi-factor?
You can use it free of charge as well - recommend Authy as the app of choice for MFA.
M.
For those turning to Bitwarden, don't forget if you're self-hosting use the bitwardenrs/server implementation (Docker) as it has all the premium, organisation and family features included for free, which includes 2FA/MFA.
It's a bit fiddly to set up at first (Yubikey, SMTP, etc) but well worth it. I think it took me about half an hour all in. Mine's been running from Docker on my NAS for a year or so now without missing a beat, and backs up the password database to encrypted offsite storage every 24h via CRON using bruceforce/bw_backup.
It's a bit fiddly to set up at first (Yubikey, SMTP, etc) but well worth it. I think it took me about half an hour all in. Mine's been running from Docker on my NAS for a year or so now without missing a beat, and backs up the password database to encrypted offsite storage every 24h via CRON using bruceforce/bw_backup.
Associate
Sorry I wasn't clear - Bitwarden Authenticator (TOTP) is listed as a premier feature.
@Rainmaker how do you access it remotely? Are you port forwarding, or protecting it with some sort of VPN?
I have all my Docker servers (and other servers) running locally on their usual ports. For access to BitWarden, you just use the official apps. Getting to the server from WAN is done in my case using a reverse proxy. My router is a self-built x86 OpenBSD router, running pf firewall (and dhcpd, unbound etc). Ports 80 and 443 on my WAN IP are open, which the OpenBSD router redirects (destination NAT) to my NAS. The reverse proxy on the NAS then bounces the various subdomains to the appropriate local service. For example:
https://router.mydomain.com > proxy redirects 'router' to 10.100.0.1:443
https://bitwarden.mydomain.com > proxy redirects 'bitwarden' to 10.100.0.5:1234
https://plex.mydomain.com > proxy redirects 'plex' to 10.100.0.5:32400
https://dns.mydomain.com > proxy redirects 'dns' to 10.100.0.5:444
etc etc. Only one or two ports need to be open publicly, and the proxy handles the grunt work. OpenBSD is extremely secure, and the NAS (which has the proxy) is also firewalled.
Soldato
I do the same as above. I use NGINX Proxy Manager in Docker. It's extremely handy 
Associate
I use Roboform myself, been using it for many years and it syncs seamlessly between my pc and phone, and it even has an apple watch app for quick pasword reminders.
Tried different managers over the years but I always come back to this one. Only $17.50 for the year at the moment as it was on offer when I last checked. Does have a free version to try out as well.
Tried different managers over the years but I always come back to this one. Only $17.50 for the year at the moment as it was on offer when I last checked. Does have a free version to try out as well.
Soldato
I use LastPass, it syncs across all my devices. I do find the app on Android a bit hit and miss though.
Another vote here for lastpass.. have used it for work stuff for a while, though recently their desktop app seemed to stop working on windows for a while. For other stuff i just use the chrome password manager... make of that what you will
The reason people stopped using Lastpass is because you can only use it on one device unless you pay for it.
Bitwarden now seems to be where everyone was moving to. Been using it for a couple of months on both the App and the Website and it's all good here.
M.
This, didn’t you not get the email?
I'm sure this has been asked a million times but..
How are password managers any more secure? Only one password is needed to gain access to all the other passwords inside the manager?
It's something that has bugged me for a while lol and just came across this thread.
Personally, all my stuff is saved inside chrome/google on PC/Phone. Is there any reason not just use google smartlock/chrome? I have done for about 5 years
How are password managers any more secure? Only one password is needed to gain access to all the other passwords inside the manager?
It's something that has bugged me for a while lol and just came across this thread.
Personally, all my stuff is saved inside chrome/google on PC/Phone. Is there any reason not just use google smartlock/chrome? I have done for about 5 years
Soldato
It's a matter of perspective. Consider two scenarios:
1) I use a password (or even a mix of different, but simple passwords) across various sites. "Passw0rd", "Pass123" etc. This makes them easy for me, the user, to remember. In time, a site or sites is breached, and its password database is downloaded. It will take an offline attacker a matter of a couple of seconds (using a GPU) to discover my password from the database through brute force alone. They can then sell the credentials, and/or test those credentials against many other websites and services. Most people reuse credentials, so this approach words.
2) Using a password manager, I only have to remember one single very secure pass phrase to protect the rest of my data For example, "My-Children-Are-Hyper-,-But-Not-As-Bad-As-I-Was-In-The-80's-LOL". That's an over the top example, but it's very easy to think of a unique phrase that you can easily remember and that is, or at least becomes, easy to type quickly the one time a day you need to unlock your vault for use. This guards the vault storing all your other credentials. Because you're using a manager, the rest of your (online) passwords can look like this:
aiDpbYCB6P*WcS!ihnagSUf@a%x2h4miy8a!pE$Kod*R7qsaUaAo59kB*Hjr#uYU%MC5BX$XtF#qq3&aNxXwZ*#h2#LRSYXw3UFb7byKW9X!$w$Ls#H6Ud*g6J2$WcyN
or this:
Wrongdoer-Statute-Mom-Gloss-Evade3-Vividness-Onstage-Acts-Quail-Washbowl
These take a split second to generate in the manager, and it'll remember that passphrase or password for the site forever more. Because your vault data is (or at least can be) stored locally, it's not going to fall into a random attacker's hands (i.e. your vault itself). If a site is breached, and a password file or database is recovered by bad actors, well... good luck cracking a password/phrase like those above. We're talking many centuries even at many guesses per second. Even if/when they did succeed, they have only the credentials for one single web service/forum/site, not the keys to your entire kingdom. If you're smart and use 2FA (YubiKey, OTP etc) then even that is useless to them.
Using a manager has enabled you to use secure passwords(phrases) that you would never be able to do yourself, because human brains aren't that great at information storage.
Using the browser's or phone's built in manager is a viable alternative, especially if it's end to end encrypted (Firefox, Apple Keychain).
Edit: Relevant XKDC. But keep in mind, attacker 'guesses' are no longer around 1,000 per second, they're into the trillions. The more secure your passphrase, the better.
Last edited:
Kind of to be expected from logmein. But yeah considering what resources it takes to run a password manager, they're clearly taking the ****.
Quite. The load average on my bitwardenrs_server in Podman is 0.0, 0.0, 0.0 and it's ridiculously small - a few KB. To be fair (and LogMeIn don't deserve much defending), once you scale that up to hundreds of thousands or even millions of users, a backend, site, support staff... The money has to come from somewhere. I'll just stick to my free BW premium with the data stored safely at home, encrypted at rest and in transit, and backed up automagically in triplicate, on and offsite.
Quite. The load average on my bitwardenrs_server in Podman is 0.0, 0.0, 0.0 and it's ridiculously small - a few KB. To be fair (and LogMeIn don't deserve much defending), once you scale that up to hundreds of thousands or even millions of users, a backend, site, support staff... The money has to come from somewhere. I'll just stick to my free BW premium with the data stored safely at home, encrypted at rest and in transit, and backed up automagically in triplicate, on and offsite.
Oh I completely accept that nothing is free. But there's a very big gap between free and £35-40 a year. As most people have said, $10/yr for BW is about what people are expecting to pay.
Definitely. bitwardenrs was a bit of a pain to set up for me (Yubikey auth, SMTP backend issues with iCloud that necessitated a change to Outlook) but now it's working it's flawless, reliable and best of all free. It's nice having all the pro features (OTP, Family etc) for free and I know the data is safe because I know I can trust myself... usually.
I guess it’s a base of time v money v effort. I’m really happy with 1Password but the annual subscription cost of £46 for a family account isn’t worth it. I’d like to try a home bitwarden setup but I don’t trust myself to set up it securely.