What I learned about it is that they can remotely disable your browser extension, which is assumed to work in offline mode. So, as soon as you have an internet connection — you get blocked. This is what happened to me like 30 minutes ago or so. Just cannot log into my account and verify a transaction because I'm stupid enough to trust them with my TOTPs and storing temp verification passwords.
The funniest stuff, though, is that the company's damage control is to remove the comments and suspend feedback from its community forum. Given that I'm a paying customer, I'm a little bit offended by it. For a secret management company that secured $100 mil recently, it's a clear mark that the enterprise service train is on the way.
I'm lucky enough to have offline access to the storage. But my trust in Bitwarden as a reliable service is completely ruined. Having this in mind, is there a viable alternative?
PS. Expect Spearrin to appear on HN and bring a "personal" apology for the hiccup. But I won't buy it. Password manager services are almost like bank storages but on the internet. Apologizing won't fix the fact you can get remotely locked out from the passwords and TOTPs at a pressing moment.
Similarly to this API compatibility there's KeePassDX [2] for mobile phones which is compatible with the KeePass database format. There's also KeePass [3] which is the original built with .NET.
I personally use Bitwarden though because maintaining sync of databases on mobile phones is painful. Also keeping backups up to date is hard and time consuming, I do export my encrypted database once in a while though.
[0]: https://www.passwordstore.org/
A touch on Yubikey will give you one password out (as opposed to unlocking the whole database). As secure as it gets!
Also very convenient to use, since the password is a short pin.
You can use CLI in scripts and handle tokens.
Good code written by a good guy!
On my Android phone I use Keepass2Android and its built-in SFTP support to open the remote database (and also keep a local offline copy). When saving, it seems to synchronize with the remote file first before uploading the file, so even if I change entries on both devices the copy on my server shouldn't lose any entries. But I haven't really tried to break it yet.
Strongbox for iPhone/iPad: https://strongboxsafe.com/
There are plenty of Android Keepass apps too, I don't have any experience with these though.
>And how do people choose
FWIW, KeePassXC is the best (most widely adopted) one for Desktop.
[1] https://github.com/dani-garcia/vaultwarden, note that it's different from Bitwarden's official server (https://bitwarden.com/help/install-on-premise-linux/), uses less CPU/memory, and enables premium features like TOTP for free.
Just do it once a month - mount the volume, export the database in plaintext directly to the volume, then unmount it.
If your password manager locks you out because of a bad software update, service outage, or you hold the wrong passport and got sanctioned, or whatever, at least you will still be able to access the vast majority of your credentials. Special password databases are nice and convenient, but plaintext is usable forever.
Wife had an issue with the bank and wanted to flush all browser caches, but didn't notice that for some reason the passwords checkbox was preselected. It deletes all saved passwords stored in the cloud without a way to recover (unless you have some offline device that hasn't synced yet).
Literally running around the house trying to shut off other PCs before Chrome could sync on them... unsuccessful. What a disaster!
Hello,
Thank you for contacting Bitwarden.
If you are receiving this message, you have contacted us about errors accessing your Bitwarden account. We would like to first apologize for any inconvenience.
Access should no longer be impeded when authenticating.
In our mission to continually strengthen services and protect Bitwarden users, we have employed many protections to that end. These are ever evolving and constantly being tuned. With these in place, there is potential for temporary false positives. The team is committed to refining and improving these protections.
We thank you for bringing this to our attention, and for your understanding. If you have any further questions, please let us know.
-The Bitwarden Team
What do people expect? All the wrong management are attracted to security products for exactly the reasons you suspected all along. Lock-in is profits!
- Everything is open source
- You get to self host
- You get to export your database at any time
- You don't even need to pay to use it if you don't want to
Are local password managers objectively more secure and reliable? Yes. Does that mean that Bitwarden is just an awful product by a money-seething corporation that wants to lock you into their product and dime you till your last cent? Not so sure about that.
I do both, self-host vaultwarden for a non-profit and have Bitwarden premium for personal use. A short while ago our server got nearly nuked and our Vaultwarden was down for several days; everyone in the org could still access all of our personal and shared passwords just fine, the extension and the clients stored all the necessary data offline and let us work uninterrupted until we restored the service (ironically, it held the server's cloud provider credentials too).
I suspect that in case of a complete outage or while not connected to the internet the client will work just fine, but in this instance something got messed up on the authentication/authorization side, so your client tried to authenticate to their server to sync up/do whatever it needs; since the server was not down but experiencing problems, it received an error and logged you out.
I would argue this is by design. If the server returns an error while logging in there's probably a good reason, and especially in the case of an organization account, you shouldn't have access to the passwords anymore.
You seem to have had major problems, but I assume it's likely your fault. You should not store all the means of accessing an account in a single place. I too store TOTPs on Bitwarden, but that's just for convenience, I have them on my phone Authenticator app too. But most importantly, as the name suggests, recovery codes (which is what I assume your "temp verification passwords" are) should be kept safe and in a separate place altogether, preferably printed even.
What you're describing here looks like nothing more than an outage, a thing that literally everyone and their dog experiences, from the non-profit like us to AWS, Microsoft, Google and Cloudflare.
Surely nothing to scream "Avoid at all costs" about.
Same for me.
>I suspect that in case of a complete outage or while not connected to the internet the client will work just fine, but in this instance something got messed up on the authentication/authorization side, so your client tried to authenticate to their server to sync up/do whatever it needs; since the server was not down but experiencing problems, it received an error and logged you out.
If you're familiar with Bitwarden you're aware there is a Vault lock. When the laptop started and FF was launched, the extension got greyed out immediately. This means there's some sort of preflight init right after browser starts.
This behavior is not documented anywhere on their website in the troubleshooting section. And that was my first attempt to figure out the cause. Next thing was to reinstall the application and check if the problem goes away. And only after that the email to support was dispatched. So, enough effort was put before contacting BW staff. The error message is misleading[0]. So I went on to support forum[1] to learn this problem is recurring. And while I was typing my message, I have seen several messages deleted by the staff. Same happened with mine.
Given all that, where is my fault exactly?
>What you're describing here looks like nothing more than an outage, a thing that literally everyone and their dog experiences, from the non-profit like us to AWS, Microsoft, Google and Cloudflare.
It's an outage that indicated that you can lose access to the BW Vault anytime they have an outage, meaning you can lose offline access even if the docs say otherwise[2]. To me it's false advertising at best, given the iPhone's vault was in a locked state as well but did not show any operational errors. Current BW users got aware of the incident and can draw conclusions and mitigate risks. I'm speaking from my experience and it's avoid at all costs now.
[0] https://imgur.com/a/y4qYcFL
[1] https://community.bitwarden.com/t/an-error-has-occured-acces...
Your devices were online and their server reachable but returning erroneous messages; if we have to go based on their forum response ("in most cases, your IP is most likely getting flagged by cloud protection services as malicious activity"), maybe even because of a third party provider.
> So I went on to support forum[1] to learn this problem is recurring. And while I was typing my message, I have seen several messages deleted by the staff. Same happened with mine.
While I can't speak for this problem, I understand this is frustrating and agree that the staff could have managed the situation differently, but they possibly knew about the outage and were simply de-cluttering the forum from what I imagine were dozens of messages about the same problem popping in at the same time.
> It's an outage that indicated that you can lose access to the BW Vault anytime they have an outage, meaning you can lose offline access even if the docs say otherwise[2].
By definition, during an outage you lose access to the service, whatever it may be. Their docs say nothing about them, they state that while your devices are offline the clients can still be unlocked and used in read-only mode. While this means that in theory the apps could work while their services are not reachable for whatever reason, be it the device being offline or their server being completely down, this was not the case. I agree that they could improve the experience, so that if their services are not working as expected the clients revert to offline mode until the issue is resolved. This however is not an easy problem to manage and could only be an extra bonus feature to their service.
> Given all that, where is my fault exactly?
Sorry, maybe I didn't use the correct language. When I said you were at fault I wasn't of course talking about the outage, but about you having issues logging into your accounts because everything is saved in Bitwarden. My point was that while their software is extremely convenient, it should not be the only place that stores all the means of accessing a service. Reading your post at first glance made me think that because of this outage you could not access credentials + TOTPs + recovery codes, but seeing "I'm lucky enough to have offline access to the storage", I don't know about that anymore.
> ...the iPhone's vault was in locked state as well but did not show any operational errors.
Does this mean that the iPhone app was still working or was it locked like the rest?
The entire point of these hosted password services is that they are a turnkey solution - I could give them to my mom, who knows nothing about technology, and trust that they work. I like using a turnkey solution myself even though I could self-host because I don't want to spend brain cycles on solving the "syncing passwords across multiple devices" issue.
I don't quite understand why Bitwarden even needs to have you login in order to access the passwords. Surely you could just have the salted+hashed passwords on device, and Bitwarden just syncs that data from device to device. If you work in an organization and need to revoke access, just change the password. No need to manage whether or not someone is logged in to Bitwarden.
I’ve happily used BW for years without problems. My experience is so far removed from what’s been posted here that I find it hard to take seriously at all. What an incredibly low quality post that does not live up to the standards of quality I expect on HN. There’s a proper way to voice concern and criticism, and this post is simply not that.
I’d like to hear dang’s thoughts. I believe the title should be edited and the OP text should probably be as well. To the OP, you missed the mark here, but I believe you can do better on your next post. Hopefully my criticism isn’t received too harshly as it’s intended to be helpful.
How do the KeePass' compare?
P.S. I do use a KeePassXC vault for a small amount of stuff. Discovered KeePassDX for Android this week from a recent HN comment. It is very good. After playing with it for ten minutes I deleted the other two Keepass apps I had on my phone.
What were the issues with keepassxc integration? I have been using it and it generally works flawlessly integrating with Firefox; the only thing is that you sometimes have to press "reconnect to keepass" in the extension if you shut down keepass while Firefox was running.
Keepassxc also provides an ssh agent and works as my secret provider; that would also work without problems if it weren't for gnome keyring, which decides that it will stick around after you log into gnome (which I rarely do). Does BW provide secret integration?
Annoying, but I think I see the benefit (kill it if it might be tampered with etc)
- Local-first so you own your data
- Open about technical documentation and assisted in providing encryption scheme info to an open-source vault reader (so you own your data...) https://github.com/hazcod/enpass-cli
- Works with lots of cloud/sync providers
- Cross-platform (Windows, macOS, Linux, iOS, Android)
- Browser integration (Safari, Firefox, Chrome, Edge, Opera, Vivaldi)
- Lifetime license for $79.99
I used Google Drive/OneDrive in the past but a few times vaults would get into a broken state where they couldn't connect to the provider anymore and I had to manually re-connect. It was always able to smoothly recover and sync, but I had no confidence I was synced at any given moment.
I jumped on Wifi Sync as soon as they launched it and haven't looked back—as long as I'm on the same network once in a while, everything is in sync.
Sometimes I get an itch to try the open-source/Keepass route again, especially since it seems to be much improved, but Enpass is convenient for now.
Why have I never heard of Enpass before? Anyone have any reason to not switch from Bitwarden to Enpass right now?
I do not.
Moving to self hosted vaultwarden from keepassxc-in-syncthing was a big leap. A closed source client is a leap too far.
Probably not going to find it anywhere for $10/yr
1) I want sane error messages on the client side.
2) I want my feedback on community forums not to be shushed. You screwed up — own it. Community mods aren't janitors to wipe out user feedback.
3) I want the extension to be working no matter what kind of server-side problems you have. Let me know about a sync problem but don't terminate my access.
But if you do think that for $12 I get to be treated like a dog, too bad, there are enough options for me to take my business elsewhere.
I am surprised that they are not more popular than "fan-favorites" like LastPass, which I absolutely can't stand (it's like from the dark ages UX-wise), or 1Password, or, for that matter, Bitwarden. Bitwarden in particular experiences degradation of service like every month or so, maybe due to their popularity.
If you don't want to rely on a free cloud product, go to lowendtalk and find an offer for a minimal VPS, which can regularly be found for around $10/year.
This seems incorrect.
I experienced this issue while I was working on 1 computer which I infrequently use so I was logged out of BitWarden. Trying to login gave me that oblique error message.
I was on a conference call (and presenting of course) so I needed the password Right Now so I pulled out my laptop, which was still logged in, and was able to access the password without issues.
I'm not sure exactly when this issue started/stopped, but, I probably use my phone vault 20x a day and I never saw the issue there either, only with the one computer which was logged out.
I really don't get all of the hate on here for BW. Are people annoyed or jealous because they just got funding? I understand people suggesting alternatives (and that's great -- monocultures are bad) but some of the comments on here (including, frankly, the OP's topic and message) are just rude.
I'm a user of both the hosted BitWarden and multiple VaultWarden_rs instances and it works well for me and meets my needs. It's been very reliable to the point where if I didn't see this post, I would have just assumed the earlier issue was some fluke and moved on without a 2nd thought.
I'll probably be accused of being a shill for them and legitimate criticism is warranted, but, too much of this seems like bad faith.
You attack Bitwarden but how would this be any different with the other hosted password services?
And this is all free service. Customer expectations have skyrocketed.
You own your data, get great UX thanks to their mobile clients/extensions.
Or… grab a Precursor[0] and import your bitwarden JSON export into its vault app :-)
I'm sorry, but isn't the highlight of your problem that you did not separate TOTP from any service that depends on it, including BW?
Yes, Syncthing doesn't work on iPhone. Buy your mother an Android, or buy yourself a tie machine and write apps for Windows Phone.
Took me too long to realize you probably meant ti[m]e machine, but I still don't see how that would fix getting a non-techy off their iPhone.
TIME TRAVEL!
When do we want it?
THAT'S IRRELEVANT!