Hello everyone, what is your go-to password manager? What would you suggest for friends and family that aren’t very tech savvy?
Hello everyone, what is your go-to password manager? What would you suggest for friends and family that aren’t very tech savvy?
As a general rule, browser based password storage is less secure than a standalone offering. While convenient, Firefox loads the cipher into memory. and stores passwords in a local file (logins.json) encrypted with 3DES (older versions) or AES (newer), using a key derived from an optional primary password. Without a primary password, Firefox uses a blank key, making it trivially decryptable. Even with one, decryption occurs locally but lacks the layered, zero-knowledge design of something like Bitwarden. This makes Firefox stored passwords more vulnerable to something like a virus outbreak on your computer, which can access your Firefox stored passwords.
This is how I understand it. If someone has better intel, or if I need schooled up, do share.
Thank you for taking the time to write this
You are welcome. Anytime. I’m not the sharpest knife in the drawer but I do like to help.
Even if all the rest were true, what virus outbreak would affect me on Linux?
I am basically relaying conventional wisdom I have gleaned over the years of ‘best practice’. I also forget that a lot of people in the privacy sphere run Linux solely, where as I run Windows, Linux, and Mac. I hold no high ground in privacy, security, or anonymity. You are certainly within spec to run your network as your requirements deem necessary. I’m just a lot more comfortable not using a browser to store my passwords. If you’ve got it all down to a note, then rock on my brother and don’t let them give you shit about your ponytail either.
You seem to be much more knowledgeable on the topic, and while I would call myself privacy conscious, I would hardly consider myself within the pricacy sphere. How would using something like bitwarden or keepassxc work with entering passwords on websites? Firefox just retrieves it from its vault (as bad as it may be from what I’m reading) and then inserts it into the u/p fields. I’ve seen LastPass in action plenty, because corporations seem to love it, and I find it anything but seemless. So how do those two aforementioned compare?
Well, the first thing you need to know about me is that I am an expert at nothing. I’ve just been screwing up enough computers since the mid 70s to learn a couple things. LOL
Some thoughts and opinions:
Firefox: As mentioned earlier, Firefox stores it’s logins in a file called logins.json, which is encrypted. It stores the encryption keys in a separate file called key4.db. They are encrypted with 3DES in CBC mode for the passwords themselves. When you save a password, Firefox encrypts it before writing it to disk. If you don’t create a master password in Firefox, the browser uses a basic form of encryption based on your operating system credentials or a default key. This allows Firefox to automatically decrypt your passwords for autofill purposes without requiring any extra authentication, as long as you’re logged into your device. The master password is key, because with the master password Firefox adds a stronger cipher in the form of PBKDF2-SHA256. Without the master password, anyone using your browser can fill in log information.
Bitwarden: Bitwarden is a dedicated, separate, password manager that stores your vault data in the cloud on Microsoft Azure in the US or EU regions iirc. Bitwarden has zero-knowledge of your passwords or encrypted data. You start with a master password, much like you would with Firefox. That master password is never sent to Bitwarden. Here’s where my eyes start to glaze over. LOL It undergoes key stretching using PBKDF2-SHA-256 with 600,000 iterations. This derives a 256-bit master key, which is then expanded via HKDF to a 512-bit stretched master key. A separate 512-bit symmetric key generated by CSPRNG, is encrypted with this stretched key and stored on the servers as your ‘protected symmetric key’. Your passwords are individually encrypted using AES-256-CBC with HMAC-SHA256 for integrity, each with its own unique cipher key that’s further protected by your symmetric key. When you log in, the master password re-derives the keys client-side to decrypt the protected symmetric key fetched from the server, and decryption happens only in memory and is never written to disk. I’m not going to even pretend to thoroughly understand the process. That’s going to take someone way more intelligent than I. LOL
Firefox password system is browser based. Firefox does not mandate a master password like Bitwarden, or at least in the past has not. Firefox stored passwords, as mentioned earlier, are susceptible to Firefox based exploits. Those exploits are not relegated to just Windows platforms, and can happen on Linux and Mac just by visiting a laced up website. Bitwarden is device agnostic and invokes more encrypted protections than it’s Firefox counterpart.
To boil the ox down to the bullion cube, Bitwarden, in my humble opinion, gives you more layers of protection than your standard Firefox browser. I like layers. They do add complexity to the situation, but at times, complex layers is just what is required. At the end of the day, it gets down to what you feel comfortable with based on your threat model. Both options offer encryption and security features. Both options are reasonably secure, with Bitwarden being, in my mind, far more secure because it offers more robust layers of complexity. Bitwarden has a fabulous track record of security, and tho there have been previous breaches, none to my knowledge ever revealed any user data.
It has been quite a while since I have used LastPass briefly, so I cannot speak with intelligence about it’s operation. I do know that Bitwarden is super easy (for me) to use and in the browser, works like any other password storage option. You can set it to automatically fill in passwords and user names which is a feature I think appeals to those who use Firefox or other browser based password storage systems. However, as I stated, at the end of the day, it all gets down to what aligns with your threat model, and how comfortable you feel using the options you have chosen. For me, Bitwarden offers more layers of protection, and I am a green ogre who likes layers.