How can I use Bitwarden best?

Initial considerations

  • Is there any guide or post on best practices for using the Bitwarden software?
  • I see these tips on many sites:
    • Not using public computers.
    • Avoiding passwords shorter than 8 characters.

Other considerations

But, can you tell what is effective and real to avoid getting hacked?

  • How to ensure more security when using Bitwarden?
  • As a user like me, am I protected from hacking by Bitwarden?

Initial objective

Opening this topic to discuss what is feasible for end users and how to be safe when using Bitwarden.

1 Like

As far as guides go, not so much, as each and every aspect can be different depending on your situation. The Bitwarden documentation is fairly extensive, though, and covers many topics with many helpful hints.

As a practice, I would make that recommendation closer to 12 or so at a minimum for most sites nowadays.
For your master passphrase I would say more along the lines of 20 or more; more is generally better.
Bitwarden also accepts spaces within the master password, and they count as special characters.

Could you elaborate on this a bit further?

This portion is a bit confusing as well, as when you say "hacking by Bitwarden" there are several things you can do to ensure safety.
Namely, just by using Bitwarden you are far safer than most users online without a good password manager.

Bitwarden is open-source and zero-trust: all information is encrypted prior to being sent from your device out to their cloud.
Even in the event Bitwarden was hacked and the database breached, all an attacker would see is encrypted information, which, without your master password, cannot be reversed. The same also holds true for Bitwarden as a company. Even their admins with direct access to their software would not be able to access your information, whether they wanted to or were court-ordered for any reason.

Bitwarden by design is extremely secure. Though there are other password managers that also encrypt prior to sending, Bitwarden is one of the only few I have found that are open source. I personally would never use a password manager that didn't encrypt locally first; secondly, who holds the keys to decrypt this information: is it me or the company?
Bitwarden has had several security audits and reviews, is reviewed regularly, and stays fairly transparent.

Now you may ask how you could verify that the code being run on Bitwarden's SaaS cloud is the same open-source code that has been reviewed. I guess in theory Bitwarden could be running a different code-base, but that is very unlikely, as Bitwarden is in the business to do what they do: create and provide an excellent security tool.
Though there is always the option to self-host for the truly dedicated, or those who may have data compliance requirements.

None of these factors help to protect you in the event you yourself get hacked, though: if you click a phishy email link or download some malware or a keylogger to your computer, all bets are off.
If someone gets your master passphrase they could easily gain access to your Bitwarden vault. For this, 2FA is an obvious choice, using Yubikey → TOTP → email, with the general consensus being that Yubikey is best, TOTP is good, and email can be considered less secure but depends on your email setup as well.

Another option that would protect you against both an external and a possible "inside" attacker would be what is considered "peppering" your passwords. This would be a word or phrase added to the passwords generated and saved by Bitwarden.
So, for example, if your pepper phrase was "Christmas", you would have a login saved in Bitwarden with something like "ikig*J#6#5!yP5U8", but the true password used to sign in may be something similar to

ikig*J#6#5!yP5U8Christmas

These are just a few ideas, and again, security and practices are pretty subjective depending on the situation.
As many know, security is a tipping scale of safety and convenience. Someone who only uses Bitwarden to manage online accounts may have a lower issue in the event a breach happened vs. a corporate executive or someone who works with highly sensitive information.
It all depends on your personal risk factor: how much security do you get vs. how much of an inconvenience will something be?
MFA or 2FA is a great example because this is something that adds a notable security benefit for a trade of a few extra simple steps and a few additional seconds of your time.
Another example, and a hotly debated item in these forums and many others, is the thought of saving TOTP 2FA codes in your password manager. Bitwarden has the ability to save these TOTP seeds and generate the codes needed for your 2FA login with a premium account.
This may be less secure, however, as it tends to defeat the purpose of 2FA by having all your eggs in one basket. But again, if you already have strong security on your password vault, and additionally pepper them, the risk would be minimal.
Still, one may choose to keep TOTP codes in Bitwarden for convenience in some cases. I personally enable 2FA anywhere possible and will allow Bitwarden to save these for things such as personal homelab projects, online game accounts, or other misc. logins that do not otherwise matter as much in terms of security. My main Bitwarden account, however, as well as any possible financial or higher-valued logins, are protected with 2FA saved to a separate authenticator app on the phone.

3 Likes
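The "encrypted before it leaves your device" point in the answer above, as an added illustration that is not Bitwarden's code or the poster's: the master key is stretched from the master password on the client, the server only ever receives a further one-way hash of it plus ciphertext, and a breached copy of that record cannot be turned back into the vault contents without the master password. The PBKDF2-with-email-salt and "hash the key once more for login" steps loosely follow Bitwarden's published design; the HMAC-SHA256 counter-mode keystream stands in for Bitwarden's AES-256-CBC, the iteration count is reduced for speed, and all account values are constructed samples.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Reduced iteration count so the example runs quickly; real clients use a far higher default.
ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str) -> bytes:
    # Done on the user's device: stretch the master password with the account email as salt.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    # The only password-derived value sent to the server: one more one-way hash of the key.
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def _subkeys(master_key: bytes):
    # Independent encryption and MAC keys (a simplified stand-in for Bitwarden's HKDF stretch).
    return (hmac.new(master_key, b"enc", "sha256").digest(),
            hmac.new(master_key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_item(master_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC on the client; this blob is all that gets uploaded.
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_item(master_key: bytes, blob: bytes) -> Optional[bytes]:
    # Returns None for a wrong master password or a tampered blob.
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def server_record(email: str, master_password: str, secret: bytes) -> dict:
    # Everything the cloud, and therefore a breach or an insider, gets to see for this account.
    key = derive_master_key(master_password, email)
    return {"email": email, "auth_hash": auth_hash(key, master_password), "vault": encrypt_item(key, secret)}
```

The record contains neither the master password nor the master key, so an attacker holding it is left guessing the passphrase offline, which is exactly why its length matters.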
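The peppering scheme from the post above, as an added example that is not the poster's code: the vault holds only the generated part, the site's stored hash covers the generated part plus the memorised pepper, and a copy of the vault entry alone does not pass the site's check. The site-side PBKDF2 storage, the iteration count and the account values are constructed for the example; the vault entry and pepper are the ones quoted in the post.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed value for the example's stand-in website


def site_register(full_password: str) -> dict:
    # What a well-behaved website stores for an account: a salted one-way hash, not the password.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def site_login(record: dict, attempt: str) -> bool:
    # The site's check at login time.
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def login_password(vault_entry: str, pepper: str) -> str:
    # The pepper is typed from memory after the vault autofills the generated part.
    return vault_entry + pepper


VAULT_ENTRY = "ikig*J#6#5!yP5U8"  # the only thing saved in Bitwarden (value from the post)
PEPPER = "Christmas"              # the post's example pepper; never written into the vault


def demo() -> dict:
    record = site_register(login_password(VAULT_ENTRY, PEPPER))
    return {
        "user_can_log_in": site_login(record, login_password(VAULT_ENTRY, PEPPER)),
        "vault_dump_alone_works": site_login(record, VAULT_ENTRY),
    }
```

Because the same pepper is appended to every entry, one site that leaks your full password in plaintext reveals the pepper for all the others, so it complements a strong master passphrase and 2FA rather than replacing them.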

There was a good blog post about this recently.

2 Likes