Opposite experience here! Requested $100, got back $60 with two of them folded over on the corners. $100 debited from bank account, filed a complaint with the bank. The temporary refunded the money, did an investigation, then said that the ATM actually settled at the correct number, and took the money back from me. Not cool
It’s not a wild generalization; I’m not sure why readers understood it that way.
My logic is, if people are living paycheck to paycheck and don’t have an extra $300 for a gas limit; why would you think that their available credit is any different.
I hope by that you mean "basically nobody with less than $600 in the bank", because according to the fed's survey of consumer finances, the median household has $2000 in their checking account.
This is an unreasonable assessment. I did it in a couple weeks. Maybe not guaranteed, or for everyone. But if you’re fairly athletic is it a fair goal.
I drove a rental recently that had a “check back seat” message and a chime when you turned off the car and it detected something in the back seat. I seemed to quickly learn to ignore the chime as it becomes the noise the car makes every time you turn it off. I would be surprised if they had any effect.
I love this project, but something has always bothered me about it. For something as critical as your entire set of passwords, aren’t you essentially trusting this person you’ve never met to not just take all of them when you use the server?
For example, one day a malicious maintainer could flip a switch that simply updates the docker image to send thousands of peoples’ entire vault somewhere and then disappear, no?
If I'm not mistaken it should be mostly fine as long as you trust the desktop/phone versions of Bitwarden not to send off the (unhashed) key to the server
The few tickets I've been interested in, their answers have been along those lines. I've mentioned this before, but Bitwarden has been broken in Firefox's private mode, and to this day they're just blaming it Mozilla for deprecating some APIs due to privacy concerns. Mozilla has given a safer alternative, but they're refusing to fix it. Someone even raised a PR to fix it, but they had some feedback. The PR has since gone stale.
Note also that the bitwarden desktop app has a remote code execution vulnerability that the developers refuse to fix, which means that the developers can, at any time, replace your local copy of the bitwarden desktop app with a different version that could steal all your passwords in exactly the manner you describe.
You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.
Do you have more information on this? A link maybe?
EDIT: Never mind, found it - https://github.com/bitwarden/desktop/issues/552. This isn't exactly an RCE. You can say the same about anything. By your logic Microsoft auto-updates are RCE. Same with pacman/apt-get/yum package managers. Same with pretty much anything else.
I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.
You are in control here. It's like every other bit of software you run yourself: it's your problem to do it properly.
1) if you worry about people replacing the docker image you are using, build your own. It's not hard. Alternatively, use a specific version of the docker image by specifying the version or the hash (if you are really paranoid). Of course after you review the Dockerfile. Minimum at least glance through the Dockerfile.
2) bitwarden has import/export functionality (client side) so if your server disappears for whatever reason, you can still export your passwords from the client side.
3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS. Build it from source if you must. File bugs. Look at the issue tracker. You can choose not to but if something happens it's your problem; not somebody else's problem.
4) The vault is encrypted and the server never handles or sees the decrypted content (see 3 to verify this). Other people's ability to break that encryption depends on you using a secure master password.
5) Or just pay Bitwarden to host passwords for you and rely on their terms of use, SLAs, support, good reputation, and what not. That's probably the best option if you want ass coverage for professional usage. Their pricing is very reasonable for small setups. And probably sharing passwords with a large group of users is just a spectacularly bad idea to begin with. A couple of key users, should cost you max 20/month. Not really worth dedicating devops time for self hosting unless you have a really good reason to. If you do, see 1-4.
"3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS."
Thats an outright fantasy, every day I rely on like 50 pieces of software written in 20 different languages and frameworks. They are updated multiple times a month. How many man hours would it take? 1000 a week?
Proffesional developers couldn't find heartbleed for years, you really think anyone would notice a hidden backdoor in software like this withing a year?
The keyword in that sentence is trust. Either trust or check. Your choice.
Most people choose to trust certain software providers based on their reputation. But if you have serious doubts and you don't check, that would be your problem.
Whining about an open source project maybe being insecure basically means either check it or don't use it. Nobody is twisting your arm to risk your passwords on some wonky self hosted setup. Your problem if it blows up in your face. That's also what it spells out in a typical OSS license (that would be the section talking about limited liability). That's another thing people tend to not check that they probably should pay some attention to. Using the software means accepting that it's your responsibility.
If like most you are unable to make a sound judgment on this front; consider paying a service provider providing you a service. That would be Bitwarden in this case. They kindly provide a free version even. Easy choice IMHO.
Heart-bleed slipped through the cracks for a while and then certain software providers lived up to their reputation by providing fixes in a timely fashion. And certain others messed up by not doing that. I care more about how developers act when something like this happens than the fact that it happens.
OSS software providers are no different than other providers when it comes to trust. Except you have the option of looking at their code. Lots of people doing that builds trust. I tend to look at things like number of stars, commit frequency, and other things when deciding to use a random Github thing. When it comes to software that is safety critical, I prefer the scrutiny of an active community of developers. That just increases my level of trust.
IMHO Bitwarden's trustworthiness just went up by virtue of there being multiple implementations of the thing and apparently a growing community of users and developers depending on these things. I'm already using it and vastly prefer this over some closed source solution with opaque development processes. I probably would not self host but it is nice to have that option available.
I am not taking a stab at bitwarden or OSS, but this talking point about trust is total tripe.
It is a choice to obey the law of gravity? Because Its physically impossible for one person to check all security critical code they come in contact with even if they know every single programming language and have a Phd in cryptography. So stop with the accusatory language about 'whining' and pontification about choice.
With the official Bitwarden repos, this is solved by having reputable teams periodically run security audits. Sadly, it's unlikely this Rust implementation will be audited any time soon.
Bitwarden server phones home every install. In order to remove the phoning home bit, you must recompile the entire codebase. I wonder if this rust alternative makes that easier to remove...
4) this not 100% true. To get someone’s passwords you just have to compromise their bitwarden_rs to include a malicious web client that sends the master password to the attacker if the user logs in. This is a different story of course when the web client is never used. Then it is impossible to get the passwords because it’s encrypted at client side.
Isn't this true for any service? We're just trusting that the bitwarden/server image or bitwarden.com won't do the same?
Also this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you as the server doesn't control code those clients run and the API only provides it data in encrypted format.
Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version
Yes, but if a company does this, they are essentially killing themselves. They have presumably spent a lot of time creating a company, gain customers etc, whereas a single(?) maybe anonymous open source developer does not have that much to lose.
> if a company does this, they are essentially killing themselves
...or they have to do it because of the NSA and weirdly 99% of users don't care or don't have the means to do anything about it.
Companies aren't trustworthy, they are bigger targets but also targets with thicker armor.
I just go with the offline route, KeepassXC runs well enough for me and is compatible with phones. I need to handle data sync myself but it's not like I change or add new passwords every day.
The single dev has their reputation and professional career to lose whereas companies can and regularly engage in all kinds of legal and or judo to avoid any responsibility towards users.
A single dev is an exploitation sitting duck. They can get hacked, they can be stoled from, they can be targeted by the NSA (or FSA, ...), they can make a small but fatal mistakes, and I doubt they conform to the level of policies that companies like FAANG impose on their security-critical teams.
And all of the above are very good plausible deniability excuses, such that this single developer could, after all, be malicious and still not loose his reputation simply by claiming he got targeted by a 3rd party.
Let that sink in: a single developer and their PC is a gatekeeper of everyone's safety.
Isn't the same thing true for every password manager? What's stopping LastPass from pushing an update that steals all my passwords? What's stopping Chrome from auto-updating to a version that sends every password I enter to Google?
Because of the way bitwarden works, I think as long as the client is secure, compromise of the server is not a major concern except for data loss. Your vault is encrypted client-side.
The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
> The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
That's why I don't use any KeePass extensions. I just don't trust browser enough to be able to get any of my passwords.
I'm thinking about writing my own extension which will communicate with KeePass in a way that suits me (basically: when I'm pressing button in browser, it'll popup KeePass window with search field filled with server domain. Then I can either auto-type password from KeePass or copy it to clipboard, either way I'm only using KeePass and browser extension have no way to get any information.
I think there's a relevant xkcd about this, though technically it's about standards.
I'd absolutely use KeePass for a long term storage password vault (with appropriately obscure reminders so I could recall the password), but the ecosystem of many unofficial free implementations for integration into browsers, phones (IIRC), etc. makes me twitch.
That's actually a cool idea for a password manager in general. After logging in, you input a "salt" value that is appended to the end of all your passwords. That value is never sent to the password server, so even if the server is compromised your associated accounts aren't.
Instead of a salt, which is random for each entry and has to be stored along the hash, one single pepper is added to each password before hashing and kept secret.
With any password manager, encryption happens client-side. A malicious or compromised host could make off with your encrypted vault, but that would not by itself compromise passwords.
OP is arguing that the software could be changed to upload your encrypted version as usual, but also silently upload your unencrypted version. Either unintentionally (bug) or intentionally (tin foil hat saying NSA)
That would require changes to the client as well, however, and as I understand it bitwarden_rs still uses the standard client-side Bitwarden addon/applications/apps.
I had the same concern. There's also the matter of supporting upstream development, which the maintainer does address in his readme. I ended up paying for a premium subscription of vanilla Bitwarden, which I self host. Sure it's overkill on resources and number of containers, but it's still insignificant. It seems slightly more safe to trust a company that depends on the software for revenue, if I'm going to use it without auditing the source. I've also e-mailed their support quite a few times, and they're great. It just doesn't feel right to me to do that while using a free custom backend to avoid the cost...
This is the use case that something like sandstorm.io tries to solve, by locking down system calls on the backend and (slowly but surely) CSP on the frontend. I don’t think BitWarden has been ported yet, though.
Is sandstorm active again? A few years ago there was some news about the company behind it running out of money and abandoning the project if I remember correctly.
The greatest thing about this implementation is its simplicity. I actually deployed this server for my personal use because everything lives in one Docker image and not a lot of them like the official implementation. I do understand that the official implementation helps with scalability and more, I just don't need it.
