I'd strongly recommend bitwarden, having deployed and managed it. I would warn against lastpass, strongly, due to papercut level issues everywhere. I haven't used 1password in an appropriate scenario to comment on it.
I’m still suffering from this; somehow in this hack <<something>> happened to my LastPass account and login/unlocking it became impossible. LastPass support (rightly) can’t help, so 3 or so years later I’m still stumbling into sites that I can no longer access.
Many sites have forgotten password flows, they’re easy, but many other sites related to municipal services, etc, require hours on calls, often on hold, proving my identity and getting access reinstated.
The thing about the LastPass Wikipedia article is that someone keeps editing it to reduce the number of really bad security issues LastPass has had over the years. You can Google almost any year, along with "lastpass security incident" and get results.
Nobody with the goal of security should be using LastPass. Nobody.
We have SSO + 2FA in place, and would like to use Bitwarden for the rest of the password management. But for a company around ~50 people, the pricing feels too expensive, considering the only purpose is to manage a few passwords. So for now we are using Keepass which is kind of painful, but free. We would probably be willing to pay ~2$ per user per month, but instead it is 6$ if you want Bitwarden to work integrated with your SSO which means 3600$ per year.
Pricing is truly annoying with password managers. I know this is an edge case but I volunteered for my kid’s school PTA and discovered to my horror that all the passwords were stored in a single Google Sheet. But the pricing for the number of users we were looking at (a very small core number of staff but a large number of volunteer parents) made pretty much every password manager service unaffordable, even with non profit discounts. Per seat pricing doesn’t work out for everyone.
We ended up using Dashlane because its free tier allows sharing between users but the administration is so much more work than it needs to be.
Hi! could you please explain what is this admin work that is bothering you? Thanks! (working at Dashlane, and happy to forward feedback to product team. I'll already forward your comment on pricing)
It’s not really your fault, it’s us bending your free tier into something it isn’t intended to be. Maximum number of passwords shared, only logging in to one device at a time etc.
It’s a really weird edge case but eye opening for me as someone who is usually in a very well resourced tech environment. Google offers a great free tier for non profits and in the ideal world we’d have a password manager that plugs into our Google organization without a second thought. But that’s a premium tier feature and any money not spent on enriching the kids education has to be justified to the nth degree. We have people who are go-tos for a two factor auth code because their phone numbers are the ones attached to the accounts… people will go to surprising lengths!
There isn’t a good business case for it as such but volunteer organizations (as opposed to well resourced non profits) would make good use of a free tier and it would generate goodwill with people who are sometimes responsible for purchasing decisions in their day jobs.
You could self-host bitwarden on a $5 a month instance (or free-forever, if you choose to trust oracle or gcp), and then put TOTP 2fa into your bitwarden instance. Still requires a little maintenance on the instance, but this can be 99% automated.
Yeah, the thought has occurred to me. But I’m only going to be there for a few years, the responsible thing is to do something that’ll survive long after I’m gone.
I've volunteered for and served on the boards of several small, youth-oriented nonprofits. They all had this weird idea that you can't spend any money on operational stuff. Yeah I get that you want to minimize it, and you should. But payments for necessary services should just be part of the budget. There is overhead to running these orgs and not every penny can go straight through to the kids. If you make things a PITA for the volunteers, eventually you won't have any volunteers. People are giving their time freely to help, but most are busy and don't want to f*ck around with complicated solutions that waste that time.
A strength that is often overlooked at NGO's is their people power, so don't forget to leverage that. For instance, cctv, each unit, each chief and his 4 indians, could simply use wyze to monitor their immediate environment, worst case scenario, the chief leaves in a bad way and someone else has to reprogram the wyze cams to a new chief. Same with passwords, if you don't want to pay for centralized admin, then create multiple self-sufficient micro-environments with one central IT as tier 2 for advise and rescue. Think of it as vlans, but in admin terms. This method, opens up a lot of free tiers out there for each tribe/unit to leverage, as long as IT/CENTRAL, get's informed of the master-pwd (ex. bitwarden etc.).
Completely agree. The kind of people I've encountered in non-profits and charities as an IT Sales Professional over 20 years is that they expect great products and services should be as close to free as possible. They don't seem to understand that the tax breaks and incentives are there precisely to help soften the costs of running such an organisation. To expect even MORE than that from vendors is unrealistic. I watched an interview with Naveen Jain (Viome CEO) on a podcast once and he said that a non-profit entrepreneur or CEO is more often than not "just a sh*tty entrepreneur". I couldn't agree more based on my experience selling tech since 2001!
Immediate example that comes to mind: there’s a paid-for Canva account that multiple people need to use. Can’t use separate logins because then you’d need multiple subscriptions.
Moral argument is that a PTA are part time organizations and if canva doesn't cater to that business model, then shared credentials is fair use, commercial and for profit use is a horse of a different color.
Was going to suggest the same, of course you're taking matters into your own hands, so know what you are doing, but it's free, very light weight and supports "organizations" as a way of sharing passwords between people. I have hosted it for my family for years and was very happy with it (until I switched to Proton Family, now doing ProtonPass).
And you get all the excellent Bitwarden apps and extensions to go with it.
These is non-sense. They do not do anything more or less than any company does, they do not have access to decrypted data (so they cannot share it and havent done so obviously), and I bet in most of the discussion here interpol is not in people's threat models.
That is indeed bs. They gave up some IP addresses in accordance with local laws.
Why are you saying this? To justify your own use of free big tech services at the cost of all your data? Proton services have been audited, Proton staff cannot access your encrypted data. Whereas we know from Snowden et al that your data in most public clouds is readily available to the world police. Make a pic of your kid's private parts for medical reasons and people have found out the difference. My pictures are encrypt before they go to Proton Drive.
If Apple starts on-device scanning to see if I'm a criminal while I sleep, I'll be on GrapheneOS several days later, but still a happy Proton user.
I'm not making a claim that FAAANG is any better. I'm just saying that when FVEY wants your data and you've opted for convenience over security, you WILL be owned. It's not so much that Proton is untrustworthy, it's that they operate a business, and if the pigs tell them to make exceptions to their policy for your account, it's game over for you. Proton doesn't have the balls that Ladar Levison did with Lavabit. They won't shut down for you, they will hand you over on a silver platter for the pigs to pick away at your flesh.
Don't use any external service hosted in a country that complies with LEO or MLAT requests from the country of your residence. Actively seek out services hosted in countries that are hostile to the country of your residence.
Host your own infra, with your own authenticated FDE, reed switches and shock sensors for instant power-down on the cabinet, tamper-resistant and tamper-evident everything. Tor Hidden Services and i2p eepsites for any and all private correspondence if you really take this seriously.
Ever tried Psono? (I am Sascha, the main developer behind it)
It has SSO / encryption / self hosting / ... and even the enterprise version is free for up to 10 users and if you need more you only pay €2.5 / user / month.
Just checked, and its indeed doing this nonsense in the browser extension (on firefox). Its implemented sensibly in the Android app, and I haven't tested the website vault viewer or the desktop app.
I was first using 1Password and then I really tried to love Bitwarden for two entire years (paid user). But it was riddled with bugs and UX mishaps. I gave them detailed feedback by email, they acknowledged it, but nothing changed and my frustration grew over time. I eventually switched back to 1Password one year ago and I'm delighted.
For example here some issues I flagged to the team. Note that some of them may possibly have been resolved since then:
– The “incorrect ciphers” error that keeps happening where you have to restart Bitwarden and lose all your changes.
– Basic searches take multiple seconds if you have more than 400 entries.
– Editing items is awkward. Whenever I scroll down an item and want to edit a specific entry, I have to find the edit button and then WOOSH a new panel appears and I don’t know where the field I wanted to edit ended up in the new panel.
– Bitwarden doesn’t automatically categorize login items by type and it's not possible to exclude items from the “All Items” list. So it's a big mess and when you try to search a massive amount of irrelevant auto-generated entries pop up.
– Scrolling is super laggy on Android.
– Android logins don't have icons (they could very easily extract them when Bitwarden automatically creates an entry when logging on an Android app).
– Phone numbers are not formatted. Same for many other data types.
– Credit/debit cards show a generic icon rather than Mastercard, Visa, American Express, etc.
– The whole interface is marked as selectable in CSS and when you try to move the window around it keeps selecting irrelevant text from the UI such as “Search Vault” and “Item Information” instead of moving the window. Likewise, if I try to select actual text the selection isn't constrained to the field I'm selecting from so I often select a bunch of crap I didn't mean to select.
– Clicking on a password field doesn't offer the option to generate a password.
– Password generation settings don't synchronize between Bitwarden instances. Every time you install the app or the browser extension you have to reconfigure the length, symbols, letters, casing, etc. Again. By default it uses Bitwarden's default basic (and pretty insecure) criteria.
– Bitwarden frequently doesn't detect password fields, and frequently doesn't offer to automatically save the password.
– Can’t drag & drop an item from the list to a folder. I have to manually edit the item entry and select the folder from the dropdown. Every time.
– When editing an item, the ‶Attachments″ entry is a tiny line hidden below ‶Master password re-prompt″ so it's incredibly easy to miss and hard to find.
– Attachments don’t have previews and you can't rename them. You have to manually download a given item and open it in order to see what it's about.
– Can't copy attached images to the clipboard. Instead you have to press the download button, pick a folder, find it, copy the file (or possibly open it with an image editor when you need to copy the image itself), and then paste it where you want.
– Automatic entry names are dumb. For example for Android apps it just picks the package name (e.g. com.voyagerx.scanner) instead of the name of the app (in this example the corresponding app's name is vFlat, so not clear from the package name!).
And this is only the tip of the iceberg. I had many more issues than those with Bitwarden. None of these issues happen on 1Password.
Thanks for spending the time on that list. Hopefully Bitwarden will see this and reprioritize there game plan. You cant have a solid password manager without these things working. I have been using Keepass for years, but was thinking about switch to another product in the future, but I think I am going to stay with Keepass.
SSO, then password manager.
I'd strongly recommend bitwarden, having deployed and managed it. I would warn against lastpass, strongly, due to papercut level issues everywhere. I haven't used 1password in an appropriate scenario to comment on it.