Who is hosting Bitwarden?


#1

Just wondering who is behind this project ?
Where is the data center ?

Maybe those question already were answered…

Thx


#2

If you don't use the self-hosted version of Bitwarden, the servers are in the Azure cloud:
https://help.bitwarden.com/article/where-is-data-stored-cloud/

The company behind this project is 8bit Solutions. The only person you can find there is Kyle.


#3

I use Keepass but love the idea behind bitwarden and may consider self-hosting, but for cloud one I’d need to have a little more confidence that my data is safe and private


#4

It is always the same with password safes. Either you trust the company (and developers) or not. If not, you can only use offline versions or maybe host it yourself (which is offered by Bitwarden).

For further security questions check this section:
https://help.bitwarden.com/security/


#5

Can we have an official response about this?
Is Bitwarden the only project for 8bit Solutions?

They don’t even have a company homepage and the only information is CEO name on LinkedIn and they use privacy guard on bitwarden.com domain WHOIS record…

The CEO seems to be identified as this user on GitHub.

Related thread on Reddit.


#6

His Twitter seems kind of active.

For an app that requires maximum security and even has paid plans, it's odd that this information isn't clearly stated.


#7

If you’re concerned about security, self-host it. I’ve had my instance self-hosted since the beginning of this year and have had nothing but a great experience with it.

Setup instructions here:

https://help.bitwarden.com/article/install-on-premise/


#8

I am already self-hosting it (though I'm having problems logging in with it after having created a user).

The point is, whether it's self-hosted or not, such a security-sensitive product should have the people behind it be a bit more open about who they are.

The installation is through their script, which I need to download at a certain time, and while it's open source, I don't really check every part of the code that gets downloaded at that moment. It would make people feel more comfortable to know that the people behind it are willing to put their names on it.

I have much less concern having my Skype chat leaked than my entire database of every account on the web leaked.


#9

I understand, but because it is open source, you do have the ability to read through the install scripts and all code that’s going to run. You’re not forced to update your existing installation, you could continue running one certain version forever until you audit what you’re concerned about.

I understand your issue and what you’re saying completely, 100%. But if I felt the same way you do, I’d just stay put with the version I have installed until I had the time to audit the parts of the new version that concerned me.
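One concrete way to act on the advice in the two posts above (read the install script once, then stay on the version you reviewed until you have audited the next one): record the SHA-256 digest of the script at review time and refuse to execute it if the downloaded bytes later differ. The following is an added example, not Bitwarden's installer or any tooling from the project; the file name, the pinned digest and the stand-in script content are constructed for the demonstration and stand in for whatever you actually reviewed.

```shell
#!/bin/sh
# Added example, not Bitwarden's own installer: pin a downloaded install
# script to the SHA-256 digest recorded when it was last reviewed, and
# refuse to execute it if the bytes have changed since then.
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if FILE's digest equals EXPECTED (lower-case hex).
verify_pinned() {
    file="$1"
    expected="$2"
    actual=$(digest "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "refusing to run $file: digest $actual != pinned $expected" >&2
    return 1
}

# Verify first, then execute with sh. Never pipe the live download into sh.
run_pinned() {
    verify_pinned "$1" "$2" && sh "$1"
}

# Intended workflow (file name and digest are placeholders):
#   1. after reviewing the script once:  PINNED=$(digest ./install.sh)
#   2. before every later run:           run_pinned ./install.sh "$PINNED"
# Re-pin only after reading the diff between the old and the new script.
#
# Offline demonstration with a constructed stand-in script:
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf 'echo reviewed-script-ran\n' > "$tmp"
    pinned=$(digest "$tmp")              # recorded at review time
    run_pinned "$tmp" "$pinned"          # digest matches: runs
    printf 'echo injected\n' >> "$tmp"   # simulate a changed download
    run_pinned "$tmp" "$pinned" || echo "blocked changed script"
    rm -f "$tmp"
fi
```

Run it as `sh pin.sh demo` to see the matching script execute and the altered one get blocked. The pinned digest is only as good as the review that produced it; it protects against the script changing underneath you, not against a flaw you missed the first time.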


#10

A security audit is not a venture for a single person. I'm more concerned about why '8bit Solutions' is almost non-existent except for being linked to this product as a name. While the dedication of the author to the project does make me somewhat comfortable trusting it, visibility could certainly be better now that this has become a commercial product.

I don't want to talk about extreme cases, nor do I want to accuse the Bitwarden author, but if a scam company pays someone $500k a year to develop a password manager that actually works great but injects a backdoor on random downloads every now and then that's never published on GitHub, maybe someone would continue to develop it but would likely keep a low profile for their real identity.

The size of the project is certainly different from others but for example, LastPass’ company has this.


#11

I’ve been testing various password managers lately, and concluded that Bitwarden does it best for my needs. I’m currently self-hosting it, though I’ve not really taken the final decision whether to continue self-hosting vs. keeping it on the BW cloud.
You're right in that 8bit Solutions is much smaller and less exposed than, say, LogMeIn, who own LastPass. On the other hand, if you search a bit more, you'll find that Kyle, the lead developer of BW, is very, very active on various forums answering the myriad questions that people ask, from posts like "thinking of switching to Bitwarden" to specific feature requests and of course bug reports or queries. He is certainly not invisible. He answers support queries very quickly and helpfully.

From the experience I’ve had so far, it appears to me that BW is Kyle’s main (if not only) project and he seems to put in a lot of effort and energy to it. I do my bit to support by buying the family and premium plans, I hope others do too.
At the same time, of course he wouldn’t want to be an “open book”, he will have a personal life that he wants to keep private!

With regards to open source, as you say, neither you nor I check every bit of code we download. I wouldn't be able to make sense of most of it anyway. But being open source, we can trust there are hundreds of people out there who have looked and are still looking through the code, and if they find anything worrying they will follow the standard disclosure procedures. This is impossible with the likes of LastPass as their code is closed-source; we only ever find out about breaches months or years after they've happened!

Having also looked at Lastpass extensively, I would say that it is indeed more visually refined and it has a few more options that I would perhaps like to see in BW. It also has some others that I wouldn’t (e.g. the OTP for account recovery). Overall, I think I trust my passwords more with an open-source program that is being reviewed by tons of people and whose developer seems to be putting a lot of energy into, rather than a closed-source program that belongs to a billion-dollar corporation that has been compromised repeatedly.


#12

If you can’t trust the company, you must:

  1. Review the source code.
  2. Self-host.
  3. Build all the apps you log in with yourself.

i.e. even if you review the source code, there is no guarantee that is what Bitwarden is running on their servers, and you have no guarantee that is the source code running in their Google Play app.

Same can be said for any password manager though.

Do I trust Kyle more than LogMeIn? Yes… yes I do.


#13

I may be a bit paranoid but doesn’t sound wrong when it comes to a security product.

billion-dollar corporation that has been compromised repeatedly

we can trust there’s hundreds of people out there who have and still are looking through the code and if they find anything worrying they will follow the standard disclosure procedures

This is just wishful thinking. Who are those hundreds of “nice” people? There may be hundreds who look at code for fun but are they going to spot corner case vulnerabilities?

Glad Bitwarden took a security audit, but random people aren't really fit for that role, and a corporation with serious money and more staff seems to have more eyes on security than a product with one man behind it who is usually focusing on the features and not the "boring" security part.

I'm not dismissing Bitwarden, but all I want to see is a clear display of what 8bit Solutions is, and I think that's the best Kyle can do.

Worst-case scenario: Kyle is hired by a large scam group and funded well, and he's tasked to make a trustworthy product for the first 5 years and then asked to plant a backdoor later on to steal millions of password combinations, and might blame it on getting "hacked" if it gets spotted. That's why having no good visibility on the company presence doesn't look good (to me at least), since one can hide away easily when things don't look good.


#14

So download the source as it exists as of the completion of the trusted security audit and self-host it.


#15

To be honest, though, the concerns of wws are not invalid, and "well, compile the source then!" is OK for individuals, but I highly doubt your everyday user, which we should all be recommending use Bitwarden, is going to have the skill to do such a thing.

That said:

  1. This risk still persists for any other password manager; 1Password and LastPass all have this problem. If you think "well, they're a company with lots more people keeping an eye on each other" then you're lying to yourself. It's highly likely one guy in their company has access to the Android app deploy keys and/or Apple App Store deploy keys etc., and it would be just as easy for a scam group to hire them as well.
  2. The option to fully run everything open-sourced and reviewed is not even available for the other options, so if you start to get a sense that Kyle is a bad hombre, you can just switch to using your own compiled apps and server and the problem is solved. With other sites, if they go rogue, you pretty much have no option.

In fact, the problem still persists for other options like KeePass unless you build it yourself, and all the mobile apps for KeePass also have the same problem.


#16

I think the risk analysis needed here is:

  1. Likelihood you are using the same weak password on every site with the same email as your username.
  2. Likelihood that Kyle is a secret agent spy with plans to steal all our secrets with malware someday once we’re all lulled into a sense of security.

I personally think 1 for me is fairly high if I couldn't use a password manager, though I'd hope the passwords weren't weak and I'd at least try to salt the password with some deterministic info from the website. But yeah, it'd prolly be weak sauce.

I personally think 2 is a fairly low probability. In general, I think that single devs who live, eat and breathe security software tend to be better at opsec than "Bob, who was hired at LogMeIn to man the mobile app deploy division of LastPass, fresh out of coding boot camp."

But hey, that’s just my assessment… I think 1 is 99.9999999% for most normal people, which is why I recommend Bitwarden even if there’s a 0.0000001% chance for 2 in my eyes.