Hello, this is my first look at password management. I’ve been watching a few videos, so get the basic idea of things, but was hoping to get some simple tips for beginners from some experts here. Also, I’m wondering how usernames get handled with Bitwarden? Do you use the same username for all your sites that require one? And do you use passkeys when you can, and if so, how does that fit in with using Bitwarden? I’d appreciate any help for getting started, and for becoming more knowledgeable. Thanks in advance!
Hello, CaptW, and Welcome to the community!
“Simple” first tips for maintaining BW security are:
- use randomly generated passphrases of sufficient length, i.e., 4 words when the KDF algorithm (in the web vault) is set to Argon2
- Use 2FA, with FIDO2 WebAuthn as the best, and TOTP (Authenticator app) as the next
- Avoid (by getting rid of habits and increasing knowledge) malware being downloaded or being phished
“Simple” first tips for maintaining access are:
- Write down your BW master password and 2FA recovery code
- Make encrypted backups
For emails/usernames that can be used in BW, you can increase privacy by:
- BW integrates with email aliasing services. You can use this for unique email addresses everywhere, including for BW itself, to reduce spam / detect email leaks.
- Use randomly generated usernames everywhere so your information can’t be easily correlated across the web. BW can produce random words for you, or you can use other reputable random username generators
Passkeys stored in BW right now will allow you to use the stored passkeys on the supported desktop+browser platforms. It’s not supported on mobile yet.
I use passkeys, albeit stored on my Windows computer and not BW, everywhere I can because from a “replacing a password” standpoint, it is very safe and convenient, and on my PC, I don’t care about the 2FA as much because the passkeys currently don’t sync to other machines. If I use passkeys on my PC, and I don’t need the username/email/password for other machines including my mobiles, then I don’t really need to store the entry in BW. I do use an offline password manager concurrently with BW, although I don’t recommend it because of the increased complexity.
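The first two tips above (random passphrases of about 4 words, random usernames that carry no personal information) rest on the same idea: pick from a wordlist using a cryptographically secure random source and count the entropy. The example below is added here to illustrate that; it is not code from the post, nor Bitwarden's own generator. The wordlist is a small constructed sample, and the 7776-word figure is the size of the EFF large wordlist, used only for the entropy comparison.

```python
import math
import secrets
import string

# Constructed sample wordlist (an assumption for this example). A real
# generator should load a published diceware-style list; the entropy figures
# below use the size of the EFF large wordlist (7776 words) for comparison.
SAMPLE_WORDLIST = [
    "anchor", "basil", "candle", "dune", "ember", "fable", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yarn", "zephyr", "acorn", "bramble", "cobalt", "drift", "falcon", "granite",
]
EFF_LARGE_WORDLIST_SIZE = 7776


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy in bits of a passphrase made of `word_count` uniformly random
    picks (with replacement) from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def minimum_words_for(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDLIST,
                        separator: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets); never use the `random` module
    for anything that protects an account."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_username(word_count: int = 2, digit_count: int = 3,
                      wordlist=SAMPLE_WORDLIST) -> str:
    """Word-based username with a numeric suffix, so the handle itself carries
    no personal information and cannot be correlated across sites."""
    words = "".join(secrets.choice(wordlist).capitalize() for _ in range(word_count))
    digits = "".join(secrets.choice(string.digits) for _ in range(digit_count))
    return words + digits


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("username:  ", generate_username())
    for n in (3, 4, 5, 6):
        bits = passphrase_entropy_bits(n, EFF_LARGE_WORDLIST_SIZE)
        print(f"{n} words from a {EFF_LARGE_WORDLIST_SIZE}-word list: {bits:.1f} bits")
    print("words needed for 64 bits:", minimum_words_for(64, EFF_LARGE_WORDLIST_SIZE))
    # The tiny sample list gives only 20 bits for 4 words: list size matters.
    print("4 words from the sample list:",
          passphrase_entropy_bits(4, len(SAMPLE_WORDLIST)), "bits")
```

The entropy only counts the words, not the separator or capitalisation, which an attacker is assumed to know; a slow KDF such as Argon2 multiplies the cost of each guess, which is why a 4-word passphrase from a large list is considered adequate when that KDF is in use.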
Welcome!
A couple of other tips: I find it best to create a new username and password within the BW vault before going to the website to update them there. That way, you don’t have to bounce back and forth so much between the browser and the vault.
I would focus on your most valuable accounts first, when upgrading your passwords. I.e. banking, that type of thing. Things like community forums you can do later on but get your key accounts, the ones that would hurt you the most if hacked, done first.
Probably best for you to set your vault timeout requirements to Lock rather than Log Out, at least as you get used to using a good password manager. As long as your home PC is set to lock itself, then having the BW browser extension lock the vault should be sufficient. However, if you are using a work or public PC then always log out of the vault.
Passkeys are great and I am upgrading to them wherever possible. But they are a work in progress and besides the fact that organizations using them today are quite limited, the implementation isn’t the same across them. Probably the easiest to use Passkeys for as a start is Google (if you have an Android phone with a google account on it) because Google will have already created a passcode on your phone to log into your account. Maybe get used to how it works there.
Last, as already mentioned, enable 2FA for every critical account that supports it. You can use a Yubikey, a software authenticator, etc. Just get something in place now.
Thank you kindly! I will need to sort through all this as I apply it, but for now could use some clarification regarding my usernames vs. email addresses:
Some companies require a username, email address, and password. Does BW supply all three to a given company when needed? The email must remain the same as the one I used when I signed up with the company, yes? (Unless I edit my account.) And if there’s no email required to log in, you are indicating that BW provides a username as well as a password? And that I provide the username at some point when I set up the account? I don’t think I saw that in the videos I watched (but I’ll be watching more).
Don’t know if that all makes sense, so feel free to ask me for clarification.
Thanks again!
Yes, BW can store all 3 (UN, Email, PW) and supply them to the requesting website when logging in. Yes, the email stored in BW should be what the website has for you in its records.
You’ll find (or probably already know of course) that websites will vary in how they ask for this. Some want UN, some want Email, some want one or the other and the PW on the same page, some you enter either Email or UN and the website takes you to another page for the PW. You’ll just have to get used to how different sites do that but generally BW does a superb job of filling in the right info in the right fields. If not, you can make adjustments for that specific website (I’ve not had to do that ever but the ability is there).
Wonderful, thanks again.
One of the challenges I’m facing is that I have multiple family members, with multiple devices, with whom I share and use accounts, e.g. Disney+, Apple Store, etc. I don’t like the idea of so many people accessing my BW account. Not because I don’t trust them, but it feels like doing that would be me losing more control, not tightening my security. We’re already sharing passwords for those accounts, of course, but BW would mean access to all the accounts.
In any case, I’m going to experiment for a while on accounts only I use, just to get familiar with BW’s potential. Then address any big questions which remain.
Best wishes!
It’s good that you don’t like it, because Bitwarden doesn’t like it either. Per the Terms of Service:
B.2. Your login may only be used by one person — i.e., a single login may not be shared by multiple people.
If you want to share login credentials that are stored in Bitwarden, you need to set up an “Organization”. And if you want to share login credentials with more than one other person, you’ll need to sign up for a paid Organization Plan (e.g., Family Plan, Teams Plan, or Enterprise Plan).
Organizations allow you to control who can see/use (and modify/add/delete) credentials for shared accounts.
Wow, thank you for this information. I had no idea, as this is new to me. Just to clarify, BW is saying that if my wife and I have an account with Amazon, she and I cannot use the same BW account for it unless we set up an Organization? And how would they know who was logging in? Couldn’t she just login to BW from any device with the master password, and access the vault to login on Amazon? I feel like I must be missing something. I mean everyone in the world has shared accounts for things like Amazon, and other retailers, right?
Thanks again!
Bitwarden doesn’t care about whether you are sharing your Amazon account with others. If you and your wife each had your own Bitwarden account, then you could each (separately) store a vault item containing an identical set of credentials for accessing your joint Amazon account — no problem. She would use the Amazon login stored in her vault to access the joint Amazon account, and you would use the Amazon login stored in your own vault to access the joint Amazon account — no problem.
The violation of Bitwarden’s Account Terms only occurs if more than one person is using your email address and your master password to log in to the same Bitwarden account.
Are you asking me if it is possible to circumvent the Terms of Service without getting caught?
Many services impose restrictions on account sharing. For example, Netflix will allow you to share an account between members of the same household, but not with individuals outside the household.
Again, Bitwarden doesn’t care if there are two, ten, or a thousand Bitwarden users who use your Netflix or Amazon account. What they do restrict is the use of each Bitwarden account to a single person.
To be clear, you are not permitted to use the same Bitwarden account even if you set up an Organization.
So, what you need to do, regardless, is to set up a separate Bitwarden account for your wife to use. In principle, you could each store a separate copy of the shared Amazon account login details in your two vaults, but the problem with this is that everything has to be set up twice, and if you ever change your Amazon password, then you will have to update the information in both your vault and in your wife’s vault.
This is where Organizations come in. You (or your wife) can set up an Organization and invite the other spouse to join the Organization as a member. You would now be able to store the login credentials for the joint Amazon account in one place (in the Organization’s vault), in such a way that both you and your wife can view the login information for your joint Amazon account. If you ever have to update the Amazon login details, then the change can be made in a single location.