
Technology

I am a software engineer that created a free, open source password manager to keep you safe online. AMA!

Nov 21st 2016 by xxkylexx • 23 Questions • 140 Points

Hey reddit. We all use the internet, so we need to be taking the proper steps to stay safe. Password re-use is a huge problem and with large data breaches becoming more and more common these days, we need to protect ourselves. Nearly 4 million data records (that we know of) are stolen online every day and chances are you've been in one of them. Using a password manager is one of the easiest things you can do to stay safe.

I'm a software architect and have worked in the credit card payment processing industry for quite some time dealing with your sensitive credit card data. Security is something I think about and work with on a daily basis. Last year I decided that there was something missing from the internet: a simple, free, open source password manager that was available on all of your devices. Sure, there are many password management applications out there, but none of them seemed to fit the bill.

After one full year of development, bitwarden has been released for free on several platforms including iOS, Android, Chrome, Firefox, Opera, and the web. You can read more about bitwarden on our website, https://bitwarden.com/.

I'll be here for the rest of the day to answer your questions about bitwarden, your password practices, online security, software development, open source, or whatever. AMA!

Proof: https://bitwarden.com/reddit-ama

Q:

What makes your password manager better than a community open-source project (like KeePass) ?

A:

KeePass is a great piece of software and is indeed open source as well, however, ask your non-technically inclined friend or family member to try and use it and you will quickly find that it seems to fall short. At least that has been my experience.


Q:

Not OP, but you very well could. Any meaningful premium features would probably be attached to an account and their access would depend on an external server.

A:

This is correct.


Q:

Would I be able to host my own server instance of Bitwarden?

A:

Since the product is open source, you certainly can do this, though there is no "happy path" documented at this time. This is something we plan to introduce as a first-class experience further down the road with enterprise support/licensing.


Q:

First of all, I've been an early user, love the platform. Just deleted my old Lastpass account. One quick question: Do the free features become premium later on?

A:

Thanks for using bitwarden! The plan is to offer a freemium model that will keep the current features free. Premium features will be in addition to what we offer today. Check out our Kickstarter for a better breakdown and comparison: http://kck.st/2gCsTUL


Q:

Your Kickstarter reward descriptions detail premium features including "unlimited device syncing" and "unlimited stored logins." If you're keeping current features free, what's up with those? I didn't realize there was a limit on logins or devices with the current version of Bitwarden.

Don't get me wrong, I love your software, but the reason I chose it over something like Lastpass is that it offered free syncing and didn't mention any limits.

A:

There is currently no limit on logins or devices with the current version of bitwarden. This is just part of the Kickstarter marketing to show exactly what you get with premium as well.


Q:

That's a relief. So to be clear, which features are not offered now but will be included with premium accounts?

A:

Currently the roadmap calls for the following premium features:

  • Password sharing
  • Two-factor storage for logins (TOTP)
  • Additional two-factor authentication options like YubiKey

Our Kickstarter will help fund a lot of other new free features too though, like:

  • Safari browser extension for Mac
  • Auto-fill for Android
  • Native desktop applications
  • International languages
  • Better documentation

Q:

So if someone gets my bitwarden password, I'm fucked?

A:

Yes, which is why it is important to create a strong master password. This shouldn't be an issue since you only have one password to remember now.


Q:

A data security breach on your end is a larger concern for me than someone making a bruteforce attack on my particular account. Why not just use that one strong password for all accounts if using bitwarden offers essentially the same level of protection? If I used one strong password for all my accounts, an intruder would only need that one password to access all of my accounts. If I use bitwarden, the intruder would need the same information to obtain the same level of access.

A:

A valid concern, however, the way we handle your master password renders it useless by the time it reaches our servers. Your master password is one-way hashed multiple times before it leaves your device and ultimately ends up on our server. You can read more about how we handle this data by checking out our help site Security topic: https://help.bitwarden.com/security/
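
As an added illustration of the scheme described in this answer and of the "strong master password" point made earlier in the thread (example code written for this page, not bitwarden's own code; the iteration counts, the use of the e-mail address as salt, and the function names are assumptions chosen for the example), the following shows the master password being stretched on the device, a second one-way hash being the only value sent to the server, the server hashing that value again with its own random salt, and finally what an attacker who steals the server-side record can still do: nothing directly, but every candidate password can be tested offline by redoing all three steps, which is why the master password's strength still matters.

```python
"""Client-side key stretching for a password-manager login (added example).

Assumptions, not the project's actual parameters: PBKDF2-HMAC-SHA256 at
100,000 rounds on the device, 100,000 more rounds on the server, and the
lower-cased e-mail address as the client-side salt.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

CLIENT_ITERATIONS = 100_000   # assumption: stretching rounds done on the device
SERVER_ITERATIONS = 100_000   # assumption: extra rounds applied by the server


def derive_master_key(master_password: str, email: str) -> bytes:
    """Device-side stretch. This key protects the vault and never leaves the device."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, CLIENT_ITERATIONS, dklen=32)


def derive_login_hash(master_key: bytes, master_password: str) -> bytes:
    """Second one-way step: the only password-derived value the client transmits.
    It cannot be turned back into the master key, so the server never learns it."""
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def client_login(master_password: str, email: str) -> Tuple[bytes, bytes]:
    """What a client computes at login: (master key kept locally, hash sent to server)."""
    master_key = derive_master_key(master_password, email)
    return master_key, derive_login_hash(master_key, master_password)


def server_enroll(login_hash: bytes) -> Dict[str, bytes]:
    """What the server stores: the received hash stretched again with a random salt."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: Dict[str, bytes], login_hash: bytes) -> bool:
    """Constant-time comparison against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"],
                                    SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: Dict[str, bytes], email: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    """Attacker model after a server breach: the stolen record reveals neither the
    master key nor the login hash, but each guess costs the attacker every stretch
    step (CLIENT_ITERATIONS + 1 + SERVER_ITERATIONS rounds) and a weak password
    in the wordlist is still found."""
    for guess in wordlist:
        _, login_hash = client_login(guess, email)
        if server_verify(record, login_hash):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    email = "alice@example.com"
    master_key, login_hash = client_login("correct horse battery staple", email)
    record = server_enroll(login_hash)
    print("server accepts real login:", server_verify(record, login_hash))
    print("stolen record leaks master key:", master_key in record.values())
    print("offline guess from wordlist:",
          offline_guess(record, email, ["password", "letmein", "correct horse battery staple"]))
```

The point to take away is that the server's record is one more one-way step removed from anything that decrypts the vault, yet a breach still turns into an offline guessing attack whose cost per guess is fixed by the iteration counts; the only input the user controls is how many guesses that attack needs.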


Q:

You've said master password twice. You should be insisting on a master passphrase.

A:

Correct! A more complex phrase is always better than a word.


Q:

First I will say... I love what you've done and strongly support this direction of development. I honestly think this market would be at a far better state if this was the norm for business models. With that said in regards to the above statement.... This is no different than how you would hack any front end auth API once you're inside the infrastructure though. Throw some sneaky logging at the place where the hash ingresses and then obviously you know how to use it once you have said hash since the code is available. Maybe you'd need some automation code to do in realtime if the hash is timebased or session based but still feasible once you have access to said systems handling the endpoints for auth... the scariest thing for security minded users in password storage IMO is trusting others to secure their infrastructure properly and go through pen tests and meet some level of best practices compliance framework for that infrastructure. People need to trust you more than LastPass/onepassword in that respect honestly for you to stand out as a viable competitor to the close sourcers I think.

A:

Thanks for your feedback.

One of the great things about our infrastructure security is that we do not manage any infrastructure at all. bitwarden processes and stores all data securely in the Microsoft Azure cloud using services that are managed by the team at Microsoft. Since bitwarden only uses service offerings provided by Azure, there is no server infrastructure to manage and maintain. All uptime, scalability, and security updates and guarantees are backed by Microsoft and their cloud infrastructure.


Q:

if you're only using application platform services and not managing OS' directly that definitely significantly reduces your footprint on this front. Thanks for the clarity :)

A:

Indeed. We don't have an infrastructure team so this is really the only way to go, though, it does cost more to operate this way.


Q:

Seems pretty insecure for phishing/keylogging, any preventative measures such as an authenticator to prevent logging in from strange ip addresses/mac addresses?

A:

Two-factor authentication is available for your account as well. This can be activated from our web vault: https://vault.bitwarden.com/#/login


Q:

ok, good for you

A:

Username checks out.


Q:

Yes, but that's no different than 1password, lastpass, keepass, etc.

Strong master password and lots of encryption for the data.

A:

The main difference is that bitwarden aims to be simple to use, available on all platforms, offer a free tier that will allow you to actually use the product without being crippled, and is an open source project that is available on GitHub.


Q:

Sounds great! Another question if you don't mind and if it hasn't been asked/answered already, wouldn't transparency by publishing all of the source code make it easier for hackers to hack and access the passwords and sensitive data that is supposed to be protected?

A:

No, since that would be security through obscurity, which is not really security at all.


Q:

Masterlock Vault would be of interest to me.

A:

> Masterlock Vault

Can you email me via the contact form on our website? We'll discuss getting this added.


Q:

I see. Do you have any requirements on the master passphrase that would reduce entropy (min or max characters)? Or make it more difficult to remember (capital letters and or special characters)?

A:

We do not enforce any rules on your master password other than it must be at least 8 characters. There was a discussion about this a while back here: https://github.com/bitwarden/web/issues/3


Q:

Do you see yourself in the foreseeable future introducing a two factor authentication method, the function of which is arbitrary, but where its name involves an elaborate pun that refers to Master Blaster from Mad Max 3? Possibly in the most obscure way possible and preferably used as a double entendre for both that and your system.

A:

Two-factor authentication is already available and can be activated on your account from your web vault. https://vault.bitwarden.com/#/login

A successful Kickstarter campaign will bring additional 2FA methods to the system like email and YubiKey. Check it out @ http://kck.st/2gCsTUL


Q:

I currently use Keepass for Android and PC

What features does your app offer over keepass (other than a more simplistic design)? Does your app have auto-fill capabilities?

A:

We offer first-class applications on all your devices so you don't have to depend on third-party implementations like KeePass does. Also, in my biased opinion, bitwarden is much easier to use.

We plan to bring auto-fill to Android with the successful completion of our Kickstarter campaign: http://kck.st/2gCsTUL


Q:

Any plans for native pc/mac clients? This is currently one of my favorite parts of lastpass, I can keep passwords separately from browsers. which I know is not a normal use case, but is helpful to me for work/personal account separation.

A:

Yes. We are currently running a Kickstarter campaign in which we hope to fund native desktop applications on Windows, macOS, and Linux. Check it out: http://kck.st/2gCsTUL


Q:

Is there any possibility of introducing nested folders in future releases? What about custom forms?

A:

Nested folders (proper) are not on the roadmap at the moment, but we may introduce some simple design tweaks if you use a special character in your folder name. For example, we could indent a folder structure based on the > character. So you could have a folder named Emails > Work, and Emails > Home and give some appearance of hierarchy.


Q:

How was your experience in university/college as being a software engineer? Were there any completely irrelevant subjects/ do you use much of these skills now?

A:

I attended the University of Florida for a B.S. in Computer Science. Overall it was a great experience but you really only get out of it what you put into it. The track calls for lots of higher level maths and all-around general education courses in addition to your core CS classes. Two classes that I wish I could go back and re-take again are discrete mathematics and data structures. These courses are extremely helpful to your life as a software engineer.

One class that I felt like I never really got a whole lot of practical application from was Numerical Analysis. Maybe the professor was just bad or maybe I just wasn't interested, but that course went way over my head and I just BS'ed my way through it.


Q:

Is Google's password manager a better option than not having a password manager at all? On the same vein, is it also much more inferior to managers like yours?

A:

It is if you use it to save unique passwords for each service. Google's password manager used to be a nightmare for security (they just stored your password in plain text) but they have made it better recently. The benefit to bitwarden is that it is cross platform and not just available on Google products. bitwarden will also assist you with generating secure passwords during site registrations. bitwarden is also entirely open source.