Compromised password Bitwarden vs Google

Hello,
I’m just trying to move my passwords from Google to Bitwarden.
Some of my passwords on Google are reported as compromised; however, after copying the accounts to Bitwarden, Bitwarden doesn’t report them as compromised.
Which one do I trust, and how do I trust Bitwarden if they obviously don’t check against the same lists?

This is a major concern to me and should be to everyone, I think.

Does anyone have any insight into this issue?

Thank you,
L.


Google will have a different list than what Bitwarden uses. Bitwarden uses the https://haveibeenpwned.com/ list, along with 1Password and many other password managers and websites.

Ideally, both will be correct, and if one says the password is bad you need to change it. When in doubt, change the password.

2 Likes

Thank you. It’s a given that I need to change it. My concern is that I don’t want to change to Bitwarden if it doesn’t alert me in the future because it’s using subpar list(s).

I would say Bitwarden is using the better list because it uses HaveIBeenPwned. I doubt that Google is getting that much more breached data that HaveIBeenPwned did not hear about. I would not be surprised if Google gets most of its list from HaveIBeenPwned.

Also, Google may be showing it as “compromised” when it’s really a reused password, and that is why it seems like more. Bitwarden separates the reused passwords from the compromised passwords.

It’s a cool feature, but by the time you get these compromised alerts it’s usually months if not years later, so it’s not as groundbreaking as some think. What matters most is that you give every account its own random password, and if you ever feel like you should change the password, then do so. I would not rely on this feature to tell you to change a password.

3 Likes
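To make the two points above concrete (the HaveIBeenPwned list that Bitwarden checks against, and the separation of reused passwords from exposed ones), here is an added example that is not Bitwarden’s, Google’s or 1Password’s code. It performs the same kind of check that a HIBP-backed exposed-password report does: hash the password with SHA-1, send only the first 5 hex characters to the Pwned Passwords range endpoint (k-anonymity, so the full hash never leaves the machine), and compare the returned suffixes locally. The range response embedded below is constructed for the example; the suffix for “password” is its genuine SHA-1 suffix, but the counts and the other two suffixes are made up, so the numbers say nothing about the real corpus. A second function groups vault entries that share a password, which is a separate finding from exposure.

```python
"""Added example: HIBP-style exposed-password check plus a reused-password check.
Not the code of Bitwarden, Google or any other password manager."""
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample of a Pwned Passwords range response, keyed by the
# 5-hex-char SHA-1 prefix. The real endpoint
# https://api.pwnedpasswords.com/range/<prefix> returns one "SUFFIX:COUNT"
# line per hash in that range. The suffix for "password" is genuine
# (SHA-1 = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FF6C42E56DC3E0B5E45AC6B2B1E9CC8E2F0:0",
    ]),
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is ever sent to the server."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn "SUFFIX:COUNT" lines into a lookup table of suffix -> count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call so the example runs without network access."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def online_fetch(prefix: str) -> str:
    """Real range query against api.pwnedpasswords.com (requires a User-Agent).
    Not used by default; pass it as `fetch` to check against the live corpus."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    'Not found' is not proof of safety: the corpus only holds breaches HIBP has."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def reused_passwords(vault: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group vault items (name, password) that share a password. Reuse is
    reported separately from exposure: a reused password is a risk even when
    it appears in no breach list, and an exposed one is a risk even if unique."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, password in vault:
        groups[password].append(name)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed vault for the demo; one exposed and reused password, one unique.
    vault = [("forum", "password"), ("shop", "password"), ("bank", "Tq7!vR2#pL9w")]
    for name, pw in vault:
        n = breach_count(pw)
        print(f"{name}: {'exposed ' + str(n) + ' times' if n else 'not in sample corpus'}")
    print("reused:", reused_passwords(vault))
```

Swap `offline_fetch` for `online_fetch` to query the live service; the logic is otherwise unchanged, and a zero result should be read as “not in the list”, not “never leaked”.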

My personal views on the issue of trust:

  • Google has a long history of failing to protect people’s data including, supposedly in the past, spying on users in order to sell data about them

  • Bitwarden’s business is built on trust and would get dramatically smaller if it was shown to be doing the sort of thing Google has (supposedly in the past) done

1 Like

I have noticed that one of my accounts was compromised about one or two days before that article was published, and I assure you, it was impossible for it to be compromised on my side.
It was not possible to brute-force my credentials or use dictionary attacks on them. Keyloggers and any other sort of cyber attack are out of the question, as I only used the account on a secured Linux install whose sole purpose is to have a clean environment for any sort of task which requires security. If someone had access to that device, they would not need any of my Google accounts to begin with. Moreover, although the account was used there, that does not equate to actively logging myself in. It had been over 6 months before that incident since I had entered any sort of login information for that account on that system, and it was never used anywhere else.

The account was not using 2FA, and I kept getting logged out due to a suspicious login. Regardless of what I changed the password to, someone kept recovering my account with the previous password until I added 2FA. I never had any issues afterwards, and that was the only time my security was “compromised”. I’m not gonna lie, I suspected that the fault was with Google even before the incident, because just days before that it behaved oddly, and I was proven right a few days after the incident.

Google was hacked a while ago this year. Someone released an article about it, but it soon got buried in the search engine and I can’t seem to find it anymore… they did a good job of covering it up. There were no known leaks from that hack, and it’s unlikely that the sources which Bitwarden uses have any data on it, since Google did not release any data about the users affected or their credentials. Those credentials were not released on the black market either. It was deemed a governmental attack and it was not spoken about since.

A few other people I know had a similar issue to mine. It may have been an isolated event, although the article said otherwise and the people I know are from various places in the world, but whoever talked about it was clearly silenced, because I didn’t see people complaining about it.

Big companies like Google will often hide their data breaches to keep their image “clean”. There’s also the uncertainty of how many people were affected if you can’t find any sort of logs about what happened to help you with that. Also, not every hacker is looking to publicly share what they get from an attack. When those things go together, we as the clients of those services can end up in very difficult positions.

What you’re experiencing is very likely that Google flagged some passwords in their database as affected, but kept silent about it being their fault. It could also be that the agreement they have with Facebook includes sharing data about such things, which could give them access to a bigger database of flagged accounts, since Facebook was hacked quite often in the past years. Since they managed to get an agreement with Facebook, they likely have one with others as well, which is much more difficult to spot.

Just because Bitwarden uses a trusted source, it does not mean that it is complete. If your credentials are flagged, it’s likely because they have been compromised. If they are not flagged, it does not mean that they are not compromised.
To this day, I have not found any traces online of my account being compromised, but it was, and I was not the only one who had those issues at around the same time.

Now the question is… are you going to risk it and believe one service over another, or are you going to play it safe, as you should, and do what is logical in such a situation? Just change those credentials. It takes a minute and you’re on your way. If anything, you should be glad that one of them alerted you.

1 Like