I have been reviewing Bitwarden about once a year for the past few years, along with other top and emerging password managers. I always stayed with LastPass, where I’ve been a customer for over a decade. I am now a recent LastPass emigrant as a result of (1) its poor handling of its latest data breach, 2) Bitwarden being open source 3) this community and its active developer involvement, and 4) feature parity.
When I last tried Bitwarden it just didn’t have the LastPass feature set that created an ease of workflow that I was accustomed to. Now, it’s almost there (it still needs some work on the Chrome extension auto site creation and auto password update notifications/workflow and I will personally miss the paper grid 2FA that LastPass has but it’s a ‘want’ not a ‘need’).
LastPass outgrew itself. It was a victim of its own success. Why? Because it was initially a good product that filled a gap in the market. And it still has many great features that other products don’t have. In this latest breach, I am not actually worried anyone will be able to brute force my encrypted vault (that fear is overblown if you take good security precautions); I just haven’t liked the LastPass communications approach, lack of clarity, apparent internal chaos resulting in mixed or opaque messaging, coupled with a closed source product. LP is just too much of a black box. I can imagine the influx of new LP customers is both exciting and annoying to the developers and this community. When I look through the road map and feature requests I am struck with one concern: can the developer community and Bitwarden engineers sustain the breadth of planned features I see here. Or, will Bitwarden also eventually become a victim of its own success.
So, my feature request is simply: stick to your knitting. Tight, transparent security which is subject to regular, published audits. A company where engineers rule, not the marketing department. User-friendly workflows that mitigate security risk of unforced user error, especially for people who don’t care about strong passwords, aren’t technical, and just want a product that works and then gets out of the way. Rock solid products that just work because developers are constantly quashing bugs and rolling out updates instead of getting pulled into that fancy new product idea.
This is a great product. It has grown a lot in recent years. Congratulations!
I am also a LP migrant. I stayed with them due to inertia but can no longer.
You still seem to have some confidence in LP, which I don’t. A strong password alone is not enough, the quality of their source code matters too. If it is the group is who we think it is, these guys are very talented. They have the LP source and will find any weaknesses. We will have to see.
I am expecting some LP vaults to be decrypted, maybe only the ones with a weak password but some will be decrypted and it will be interesting to see the reaction of the industry when that happens. Apparently LP had 30 million users before this episode.
I don’t think we have heard the last of this LastPass breach
Agreed re: source code, hence the value proposition of Bitwarden’s open source vs. LP black box. I have been reviewing Bitwarden’s third party audits:
Security assessments in 2018, 2020, 2021, when vulnerabilities are being found is perhaps sufficient. NB. There are also yearly network security audits listed at that link which seems like a slightly better frequency. I would have assumed yearly product security assessments would have been more the standard course. In an IT environment I oversaw I introduced third party audits (penetration testing, policy review, etc.) every six months given the risk profile. Freaked the IT folks out but they remediated, it enhanced their hardware and software budget, and gave everyone confidence. After their initial cardiac arrest, they were grateful we instituted it and it had the additional benefit of shifting our IT security culture to a more forward-leaning posture. It was money well spent. My commitment was when the six month audits started becoming pro forma we would move to yearly. But, we kept identifying enough issues every six month cycle that it taught us we needed to exercise humility and keep doing them. This was a sector that was highly targeted for ransomware, etc, and we fortunately never got hit.
Now, on the Lastpass third party audits, there is lots of material on their site but I couldn’t find any third party audits. Can anyone else? Already, this tells you that Bitwarden is miles ahead, at least in communication and transparency. As far as I’m concerned, if a black box product also keeps its audits in a black box, that tells you everything you need to know.
Would be good to see Bitwarden publish an audit schedule in advance. Would create lots of confidence that the exercise is planful, routine, and proactive.
Thanks! The SOC reports appear to focus on policy and governance, which is incredibly important and often overlooked. But, this has to be coupled with routine, third party, published penetration testing. You have to kick the tires of these environments… hard and repeatedly.
Hey @222 thanks for the support and feedback! I’ve converted this into a community discussion as it is a broad subject and not a specific actionable request
A strong password alone is not enough, the quality of their source code matters too. If it is the group is who we think it is, these guys are very talented. They have the LP source and will find any weaknesses. We will have to see.
I’ve converted this into a community discussion as it is a broad subject and not a specific actionable request 