Bitwarden Vs Vaultwarden: Review & Comparison


A password manager is an essential tool to keep you safe online, and Bitwarden is a popular choice that offers incredibly good value. For those who are more technically inclined, Vaultwarden is an alternative implementation of Bitwarden that can provide a number of additional benefits.
In this video I will introduce both Bitwarden and Vaultwarden, take a look at their security, and compare them for both personal and business use, giving my personal recommendations for different use cases.
Note: Vaultwarden was previously known as Bitwarden_RS
🌐 Bitwarden Website
bitwarden.com/
🌐 Vaultwarden Wiki
github.com/dani-garcia/vaultw...
🔧 Features Missing from Vaultwarden
github.com/dani-garcia/vaultw...
Video timestamps:
0:00 - Introduction
0:26 - Why You Need a Password Manager
1:40 - Bitwarden Overview & Pricing
2:59 - Bitwarden Security
5:38 - Bitwarden for Business
9:36 - Vaultwarden Overview & Comparison
13:31 - Vaultwarden Security
14:45 - Which Should You Use?
The Pro Tech Show provides tech, tips, and advice for IT Pros and decision-makers.

Comments: 45

  • @ProTechShow
    @ProTechShow 6 months ago

    I've uploaded a dedicated video with my thoughts on storing 2FA tokens in Bitwarden: kzread.info/dash/bejne/aGhqxs6qlMbIfc4.html

  • @hugbearsx4
    @hugbearsx4 1 year ago

    What I appreciate the most is that you don't just give a verdict or rating, instead you go into a fair amount of meaningful detail justifying your view. Thanks a lot for your effort, it's ACTUALLY helpful!

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks! Glad to hear it's useful 🙂

  • @davelloyd-
    @davelloyd- 1 year ago

    I've been a longtime user of keepassxc with nextcloud as the sync. It works, but there's a few utility accounts that need to be shared with my better half and this is difficult - so was literally about to spin up a bitwarden to have a look at and came across your vid. Thank you for saving the time of discovering bitwarden self host doesn't have password sharing - being the raison d'etre that would have been a pain. So I'm spinning up my VaultWarden instead :)

  • @ProTechShow

    @ProTechShow

    1 year ago

    That was exactly my reason for looking at it, too. KeePass + Nextcloud was my solution for a very long time as well. It works well for a single user, but beyond that it gets messy quickly.

  • @manfredbirkholz3832

    @manfredbirkholz3832

    4 months ago

    Well. I did set up Bitwarden (Families) selfhosted and I can share passwords with my wife. Not sure why this should not work?

  • @FusslDerEchte

    @FusslDerEchte

    3 months ago

    Also used keepass, but it's slow and some login forms aren't recognized within the keepassdx app, so I came to bitwarden and it's so much better!

  • @anthonyf.2072
    @anthonyf.2072 1 year ago

    Great video. Subscribed. Curious, what Enterprise password manager do you recommend?

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks! I'm going to give the stereotypical consultant's answer of "it depends". In terms of capabilities and granularity, Delinea (formerly Thycotic) Secret Server is the best I've seen, but you do pay a premium for it. I can recommend it as a good enterprise solution but it's one of those where you can probably get 80% of the capabilities for 25% of the price with another solution, and if the extras don't matter for your use case then you might be better saving the money. Hence, "it depends"...

  • @anthonyf.2072

    @anthonyf.2072

    1 year ago

    @@ProTechShow Gotcha. Much appreciated!

  • @MsTHEDARKK
    @MsTHEDARKK 1 year ago

    Thank you from France for your video.

  • @ProTechShow

    @ProTechShow

    1 year ago

    You're welcome 🙂

  • @franktorres6666
    @franktorres6666 1 year ago

    I appreciate the video! I'm going to look if you've done nginx vs traefik!

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks! I haven't, but that's a good idea for a future video.

  • @TechFromYorkshire
    @TechFromYorkshire 1 year ago

    Good video. Our LastPass Enterprise subscription is due for renewal and we’re exploring the market again - especially after their data leak announcements! What password management solution are you recommending to your clients? We’re a 300 user business with 3 IT staff members.

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks. We've just been through a selection process for our own use, but I probably can't talk about it online. I can say we wrote off a number of otherwise good tools because our needs are quite different to a typical business. Most password managers that target MSPs are really just platforms for reselling the tool by letting the MSP create lots of instances for their customers to use. We don't tend to resell it, and having lots of instances would slow down our staff and hinder automation. We usually work collaboratively with in-house IT teams rather than full outsourcing, so we have a single platform that we add the IT teams of our customers to so we can share access directly with them. That makes our requirements pretty complex, because we need to share access with third parties but keep them completely isolated from each other without putting them on a separate instance. It goes beyond keeping them away from each other's passwords - if they click the share button they need to be able to see a list of their staff, and any of our staff they work with, but under no circumstances can they see the names of staff at other customers. It also means that where we deploy on-site components to support automation we need to essentially treat them as hostile, so if one customer were breached and their on-site components compromised there's no way to move laterally to anything that could affect another customer. Suffice to say, it narrowed the list of potential vendors pretty drastically!

  • @alphaneo9198

    @alphaneo9198

    1 year ago

    Honestly, onepassword is probably best for simplicity and security.

  • @RexMk1

    @RexMk1

    1 year ago

    Could you post said list of vendors? And if not, why so?

  • @ProTechShow

    @ProTechShow

    1 year ago

    @@RexMk1 probably not. It was an exercise carried out on behalf of my employer so it isn't my information to share. I would need permission from them to do so.

  • @wildmanofborneo
    @wildmanofborneo 24 days ago

    Hello, Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.

  • @benf101
    @benf101 1 year ago

    In the US we don't use the phrase "muck about". It strikes me as pretty funny so I'm going to use it whenever possible. Like maybe: muck about, find out. (Instead of FAFO)

  • @ProTechShow

    @ProTechShow

    1 year ago

    As a bonus: you can safely say it in front of the kids as well! 😄

  • @drew8704
    @drew8704 1 year ago

    I would love to see the explanation on how integration of TOTP doesn't defeat the purpose.

  • @ProTechShow

    @ProTechShow

    6 months ago

    I've just made a video about it: kzread.info/dash/bejne/aGhqxs6qlMbIfc4.html

  • @notreallyme425
    @notreallyme425 1 year ago

    Yes, I would like to hear what you have to say about storing 2FA codes in Bitwarden. For my threat model, I think it’s ok. But I’d like a 2nd opinion.

  • @ProTechShow

    @ProTechShow

    1 year ago

    I might get around to making that video, but in the meantime my short version is that I think it's OK as long as you're protecting Bitwarden itself with multifactor authentication. In this case I view you logging into Bitwarden as the "real" authentication and Bitwarden is acting as something of an identity broker. It's a little analogous to logging in to KZread - you don't actually log in to KZread, you log in with 2FA to Google and then Google acts as a broker providing a single token to KZread with your identity.

  • @notreallyme425

    @notreallyme425

    1 year ago

    @@ProTechShow I agree, it’s just weird to have an OTP app to get a code to log into Bitwarden to get your OTP codes. I used LastPass as my OTP authenticator, and backed up to my account. So either way my eggs were in the same basket. That’s the reason I ask, because if someone cracks my Vault they have my passwords and OTP codes. I had a good password so I’m not too worried (I’m changing my codes anyway).

  • @ProTechShow

    @ProTechShow

    1 year ago

    Yeah, I'd need to make a full video on it to explain my logic properly. Having it in a separate app could be considered more secure on the basis it's one more hurdle to slow an attacker down, but if that app is on the same phone as the Bitwarden app (which is usually the case) then it's a false sense of security because they're both using exactly the same authentication factor, regardless. My personal TOTP codes are currently separate, but that's mostly for historical reasons. If it's an account shared between multiple people, though; keeping it in Bitwarden is much more secure than skipping the MFA to let your colleague or partner access it - something people often do!

  • @notreallyme425

    @notreallyme425

    1 year ago

    @@ProTechShow in the case of the LastPass breach the hackers have my encrypted vault which includes my OTP seed codes. So they don’t need my phone to get both the OTP and the passwords (assuming they can crack my master password). If someone steals my phone and can get past FaceID, then they have access to my OTP codes and my passwords either way, because I use FaceID for my OTP app and Bitwarden. So, in that case I don’t think it matters if I put both in Bitwarden. Either way, I’m not a high profile person, so I’m not too worried.

  • @ProTechShow

    @ProTechShow

    1 year ago

    The design of both LastPass and Bitwarden is such that stealing your vault shouldn't actually matter - stealing access to it does (so you should be fine). Or to think about it in MFA terms - your passwords are always protected by MFA: something you know (master password) plus something you have (either the physical database file, or a device generating TOTP codes to access the database remotely). Looked at that way; by breaching LastPass, they've only attained one factor. The biggest risk would be if the device (or software) you're using was compromised because that could potentially let a bad actor read the unlocked vault. In this case, having MFA separate would help; but again, if it's on the same compromised device, it may not help much. The best way to mitigate that risk is using strong authentication like a YubiKey that can't simply be copied (I have a video on that and use it for my important accounts). I wouldn't be too worried about your LastPass vault as long as the master password is good. I'd change the passwords stored in it as a precaution, but in theory we'd all be long dead anyway by the time someone could crack it.

  • @ursochurrasqueira
    @ursochurrasqueira 1 year ago

    nice video

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks!

  • @Tetrodatoxin
    @Tetrodatoxin 1 month ago

    They are absolutely shipping windows apps on linux to solve the "it works on my pc problem" nothing to troubleshoot if you ship the user the whole desktop to run in a container. Like you said they need it to be as dummy simple as to keep the support costs simple.

  • @ProTechShow

    @ProTechShow

    22 days ago

    As a user of software I don't like being forced to use a container because I don't trust devs to build it properly. I have seen (not talking about Bitwarden) too many containers with vulnerable libraries stuffed into them by devs who didn't want to update their code. That said, if the shoe was on the other foot I wouldn't trust the end-user to install it correctly so I'd be quite happy to give them a pre-validated container! It does make sense from their perspective.

  • @CrynogarTM
    @CrynogarTM 6 months ago

    We removed Passwords from Company. We use certificates and secure tokens. No user needs a password anymore.

  • @ProTechShow

    @ProTechShow

    6 months ago

    This is the future... I hope. Old habits can be hard to break!

  • @fram1111
    @fram1111 9 months ago

    Make a video on 2FA Bitwarden, you forget Passbolt.

  • @ProTechShow

    @ProTechShow

    9 months ago

    Bitwarden and Vaultwarden are alternative implementations of the same service. Passbolt works completely differently and doesn't fit into this video. I do have a video on Passbolt, though: kzread.info/dash/bejne/eqhnx62lh7i6mqg.html

  • @ProTechShow

    @ProTechShow

    6 months ago

    I've uploaded a dedicated video about the 2FA aspect: kzread.info/dash/bejne/aGhqxs6qlMbIfc4.html
