New User, I want to believe but I have concerns

Hello All,

I am totally new to password managers and it is something that has been nagging at me for some time. I looked at several of them and I have selected Bitwarden due to positive reviews, support for hardware security keys, open source and of course its very reasonable pricing.

I have some questions and concerns I would like to clarify before I go all in. I have set up one test login for my web hosting service, so I put something rather critical into the hat. I have tossed out the old password and had BW create a strong 14-character password in its place.

I currently am using the vault.bitwarden web interface and that works pleasantly with a nice dark theme and seems to be somewhat intuitive once you get the hang of things. I have used it to log into an account by clicking on the account, copying the password to the clipboard and pasting it into the password field; this works. This brings me to my first question…

When copying a password to the clipboard, is it encrypted or plain text?

Next up I have the Google Chrome browser extension installed, so far just not feeling it. Seems redundant on the desktop as it is just another interface and another login… Which leads into my next question…

On my desktop PC I can download the desktop app, I can use the web interface, and/or the browser extension; again it all seems redundant. Is this a case of pick the interface you like best and stick with it? Is there an advantage of the desktop app over the web interface, such as if there is a service disruption with BW as I read about recently, would your passwords still be available?

In regards to a service disruption with Bitwarden it seems all users lose access to their accounts. This seems like a fatal flaw in that all password vaults are stored on Bitwarden servers that are all beholden to one service provider (Cloudflare). So what happens then, I am just screwed because I can’t log into any of my sites? This reminds me of the recent AWS outage that affected millions of people; it's bad practice to be reliant on one service provider.

Have not installed the Android app as of yet as I am not committed just yet, but I will assume it carries all the same functionality as all other applications. In addition I already use a YubiKey and the Yubico Authenticator app, so honestly it kinda feels overkill to even have a password manager; I feel like this might be overkill. If I give you the password to my bank account and you try to log in, it's going to ask you to insert a security key which you don’t have, so honestly that kinda makes the password manager redundant.

So recap, here are my questions…

  1. When copying a password to the clipboard, is it encrypted or plain text?
  2. I can download the desktop app, I can use the web interface, or the browser extension; again it all seems redundant. Is this a case of pick the interface you like best and stick with it?
  3. Is there an advantage of the desktop app over the web interface, such as if there is a service disruption with BW as I read about recently, would your passwords still be available?
  4. If I already use a hardware security key and an authentication app is there really a compelling use case for a password manager?

As a closing thought, I had mentioned above about having all accounts susceptible to outages by using one network provider. Would it not be possible to have multiple data instances located around the world that are all mirrors of each other?

Example: Servers in Los Angeles, Toronto, Singapore, Buenos Aires, etc… All redundant mirrors of each other's data, similar to a RAID array, so that if any one data center went offline due to a provider there is no hard service disruption to any end users. For instance my hosting company uses data centers in 21 locations throughout the globe; I could host my server(s) in any one of those locations.

I also have questions regarding the CLI interface and SSH sessions to outside servers, but let's get through the basics first, lol

Anyways, that is all I got. I look forward to hearing back from some long-time users and/or company reps.

Thanks,
Robert Calhoun


Hi,

The clipboard stores information in plain text - it’s just how copy and paste works. If it was encrypted, the website or program you paste the password into wouldn’t be able to decrypt it.

Pretty much. There are various ways to access your vault, use whichever works best for you. Some methods provide additional features, such as biometric integration via the desktop app. Personally, I use the browser extension and the Android app most of the time.

You can access the last synced version of your vault in read-only mode offline.

It’s great that you’re using 2FA, but not every service supports that. For those sites and programs that don’t support 2FA, you’re going to want a strong, unique password. Actually, you want strong, unique passwords for everything, including those services where you use your Yubikey. If you don’t, you’re almost reducing your strong, multi-factor authentication back down to a single factor. Using a password manager is definitely not redundant.

Bitwarden’s cloud storage option uses Microsoft Azure. Just like Google Cloud or AWS, this is highly scalable and reliable. However, things can occasionally go wrong - just look at Amazon’s AWS outages recently, or when Facebook disappeared for about a day earlier this year. You do have the option to self-host if you prefer.

I’m a big fan of Bitwarden and I recommend it to all my family, friends and colleagues. Whether it’s right for you will depend on your particular needs, but I’d urge you to read through the help section on the website - there’s lots of useful information there and it might answer any other questions that come up as you try out the product.

Cheers,
Dan


You don’t have to manually copy. If you have an extension you can just click on it and Bitwarden will automatically autofill login and password.

I recommend installing it, autofill there works great. I used three popular password managers and autofill there worked poorly, was not always showing up and I had to manually copy. However in Bitwarden it always works.

When you use a password manager you can more easily manage your accounts, and some password managers offer additional services like checking for leaked passwords or emails.
I imported my accounts from multiple Google accounts and it turned out that I have over 200 accounts.

Just to add to what danmullen said, there is another aspect to consider: 2FA stands for Two-Factor Authentication. It is meant as a complementary system.

Take, as an example, a situation where a bad actor obtains your security key, what then? A simple password might be more easily guessable. Or if someone was able to find a bug that allowed them to remove or bypass 2FA for your account, what then? If they were to breach the website’s server and obtain a copy of their user database it is a proven fact that shorter, simpler passwords are cracked faster than strong, random, long passwords.

There is nothing redundant about having strong passwords because they are just one line of defense in a multi-part system to prevent anyone other than you from accessing something. 2FA is great and should always be used when available, but it should not be relied upon as the sole means of protecting your account or even as a reason to reduce your security in other ways simply because you use 2FA.

Humans are notoriously bad at creating good passwords and the bad guys have become quite good at figuring out and incorporating the patterns that most people use when creating their own passwords.

You can always use a randomly generated pass-phrase if you need something that is more easily memorized.
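Dan's point that every account still needs a strong, unique password even behind a YubiKey, and Ayitaka's point that short, simple passwords fall to offline cracking far faster than long random ones, both come down to entropy. The script below is an added illustration, not code from the thread or from Bitwarden: it generates a random passphrase and a random character password with Python's `secrets` module (a CSPRNG, unlike `random`), and estimates the expected brute-force effort for each. The word list is a small constructed sample, and the guess rate of 10^10 per second is an assumed figure standing in for a fast-hash cracking rig.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. A real passphrase generator
# would use a large published list (thousands of words); with only 26 words
# each word contributes just log2(26) ~ 4.7 bits, so the list size matters.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier",
    "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "raven", "saffron", "tundra", "umber",
    "velvet", "walnut", "xenon", "yarrow", "zephyr",
]

# Printable ASCII minus whitespace: 94 symbols, the usual generator alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed offline guess rate for a fast, unsalted hash (illustrative only).
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose `length` symbols are each drawn uniformly
    and independently from `alphabet_size` choices: length * log2(size).
    This holds only for random selection; human-chosen passwords have far
    less entropy than their length suggests."""
    return length * math.log2(alphabet_size)


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick n_words words with secrets.choice; the separator keeps word
    boundaries unambiguous so the entropy estimate above applies."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Random character password, e.g. the 14-character one BW generated."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average an attacker who knows the
    generation scheme must try half of the 2**bits possibilities."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def describe(label: str, secret: str, alphabet_size: int, length: int) -> str:
    bits = entropy_bits(alphabet_size, length)
    secs = expected_guess_seconds(bits, ASSUMED_GUESSES_PER_SECOND)
    years = secs / (365.25 * 24 * 3600)
    return f"{label:<28} {secret!r:<40} {bits:6.1f} bits  ~{years:.3g} years"


if __name__ == "__main__":
    print(describe("8 chars, lowercase only",
                   generate_password(8, string.ascii_lowercase), 26, 8))
    print(describe("14 chars, 94-symbol set", generate_password(14), 94, 14))
    print(describe("6 words, 26-word sample list",
                   generate_passphrase(6), len(SAMPLE_WORDS), 6))
    # Same 6 words drawn from a 7776-word diceware-style list (not included
    # here); shown to make the point that list size, not word length, counts.
    print(describe("6 words, 7776-word list", "<from large list>", 7776, 6))
```

The comparison makes the forum argument concrete: a random 14-character password from the 94-symbol alphabet is about 92 bits, while an 8-character lowercase password is under 38 bits and falls in seconds at the assumed rate. A passphrase is only as strong as the list it is drawn from and the number of words, which is why generators use lists of thousands of words.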

Thank You everyone who has responded, you did the trick and pulled me in :slightly_smiling_face:

First of all I really enjoy the fact that these forums are so responsive and with intelligent replies, so just that alone is a winning element.

Dan: I had a duh moment after I posted about the copy and paste. I will have to get things better set up to take advantage of the autofill features as Kuba had mentioned below. It gives me relief to know that I can access the last synced version of the vault in the event of a network outage; that adds some comfort knowing I would not be simply unable to access passwords. Self-hosting is an intriguing option to look into as well. Thank you for your quick and thoughtful responses!

Kuba: Thank you for the positive position on the Android app, that gives me more confidence in using it. I am very diligent in the apps and websites I expose my phone to. I will also have to research this import feature you mentioned regarding the Google accounts. Good to know, thanks again for the informative responses!

Ayitaka: Thank you for the informative food for thought regarding 2FA and redundancy. I appreciate your input and I can agree with everything you put forward, Thank You!

Alright so moving forward I am first going to go through all my main day-to-day websites and update the passwords, as I have needed to do that for some time now, and start integrating them into the vault. In the meantime I will get that premium membership locked in and download the Linux desktop app and start testing with that to get a sense of how my password management flow will flesh out in daily usage. After I get comfortable with all of that I will get the Android app up and going on the phone.

Then from there we will take a look at the CLI option and integrating into SSH sessions for administration logins on my remote server. Then perhaps self-hosting… alright, looks like I am moving forward to full-time Bitwarden user.

Thanks again for the quick and intelligent community responses, that is a huge plus in my decision to move forward.

Robert Calhoun


You can also export your passwords to a .csv or .json file and back up this file to a pendrive or SD card, so even if Bitwarden was shut down you can just import them into another password manager.