I am totally new to password managers, and it is something that has been nagging at me for some time. I looked at several of them and selected Bitwarden due to positive reviews, support for hardware security keys, being open source and, of course, its very reasonable pricing.
I have some questions and concerns I would like to clarify before I go all in. I have set up one test login for my web hosting service, so I put something rather critical into the hat; I have tossed out the old password and had BW create a strong 14-character password in its place.
I am currently using the vault.bitwarden web interface, which works pleasantly with a nice dark theme and seems somewhat intuitive once you get the hang of things. I have used it to log into an account by clicking on the account, copying the password to the clipboard and pasting it into the password field; this works. This brings me to my first question…
When copying a password to the clipboard, is it encrypted or plain text?
Next up, I have the Google Chrome browser extension installed; so far I'm just not feeling it. It seems redundant on the desktop, as it is just another interface and another login… Which leads into my next question…
On my desktop PC I can download the desktop app, I can use the web interface, and/or the browser extension; again, it all seems redundant. Is this a case of pick the interface you like best and stick with it? Is there an advantage of the desktop app over the web interface, such as if there is a service disruption with BW, as I read about recently, would your passwords still be available?
In regards to a service disruption with Bitwarden, it seems all users lose access to their accounts. This seems like a fatal flaw, in that all password vaults are stored on Bitwarden servers that are all beholden to one service provider (Cloudflare). So what happens then? Am I just screwed because I can't log into any of my sites? This reminds me of the recent AWS outage that affected millions of people; it's bad practice to be reliant on one service provider.
I have not installed the Android app as of yet, as I am not committed just yet, but I will assume it carries all the same functionality as all the other applications. In addition, I already use a YubiKey and the Yubi Authentication app, so honestly it kinda feels like overkill to even have a password manager. If I give you the password to my bank account and you try to log in, it's going to ask you to insert a security key which you don't have, so honestly that kinda makes the password manager redundant.
So, to recap, here are my questions…
- When copying a password to the clipboard, is it encrypted or plain text?
- I can download the desktop app, I can use the web interface, or the browser extension; again, it all seems redundant. Is this a case of pick the interface you like best and stick with it?
- Is there an advantage of the desktop app over the web interface, such as if there is a service disruption with BW, as I read about recently, would your passwords still be available?
- If I already use a hardware security key and an authentication app is there really a compelling use case for a password manager?
As a closing thought, I mentioned above having all accounts susceptible to outages by using one network provider. Would it not be possible to have multiple data instances located around the world that are all mirrors of each other?
Example: servers in Los Angeles, Toronto, Singapore, Buenos Aires, etc., all redundant mirrors of each other's data, similar to a RAID array, so that if any one data center went offline due to a provider there would be no hard service disruption to any end users. For instance, my hosting company uses data centers in 21 locations throughout the globe, and I could host my server(s) in any one of those locations.
I also have questions regarding the CLI interface and SSH sessions to outside servers, but let's get through the basics first, lol
Anyway, that is all I've got. I look forward to hearing back from some long-time users and/or company reps.