Bitwarden Vs Vaultwarden: Review & Comparison

Views: 49,167

Pro Tech Show


Comments: 64
@ProTechShow 1 year ago
I've uploaded a dedicated video with my thoughts on storing 2FA tokens in Bitwarden: kzbin.info/www/bejne/bGWZlZ-nmciVg80
@hugbearsx4 2 years ago
What I appreciate the most is that you don't just give a verdict or rating, instead you go into a fair amount of meaningful detail justifying your view. Thanks a lot for your effort, it's ACTUALLY helpful!
@ProTechShow 2 years ago
Thanks! Glad to hear it's useful 🙂
@DavidLindes 7 months ago
@ProTechShow it really is. I was going to leave a top-level comment, but this pretty well sums it up. Thanks!
@ProTechShow 7 months ago
@DavidLindes thanks!
@TheLucario4ever 4 months ago
Incredible comparison, thank you so much for being so thorough and not making it so technical that regular people won't understand it nor dumbing it down so much to the point it isn't useful. Awesome video, thank you so much
@ProTechShow 4 months ago
Thanks!
@davelloyd- 2 years ago
I've been a longtime user of keepassxc with nextcloud as the sync. It works, but there's a few utility accounts that need to be shared with my better half and this is difficult - so was literally about to spin up a bitwarden to have a look at and came across your vid. Thank you for saving the time of discovering bitwarden self host doesn't have password sharing - being the raison d'etre that would have been a pain. So I'm spinning up my VaultWarden instead :)
@ProTechShow 2 years ago
That was exactly my reason for looking at it, too. KeePass + Nextcloud was my solution for a very long time as well. It works well for a single user, but beyond that it gets messy quickly.
@manfredbirkholz3832 1 year ago
Well. I did set up Bitwarden (Families) selfhosted and I can share passwords with my wife. Not sure why this should not work?
@FusslDerEchte 1 year ago
Also used keepass, but it's slow and some login forms aren't recognized within the keepassdx app, so I came to bitwarden and it's so much better!
@MsTHEDARKK 2 years ago
Thank you from France for your video.
@ProTechShow 2 years ago
You're welcome 🙂
@wildmanofborneo 10 months ago
Hello, Bitwarden won't recognize a login page that only asks for the username (once the username is entered, the NEXT page asks for the password). How to get Bitwarden to recognize this situation? It works ok if the page asks for both the username and password.
@azmo_ 5 months ago
This was a great video!
@ProTechShow 5 months ago
Thanks 🙂
@benf101 2 years ago
In the US we don't use the phrase "muck about". It strikes me as pretty funny so I'm going to use it whenever possible. Like maybe: muck about, find out. (Instead of FAFO)
@ProTechShow 2 years ago
As a bonus: you can safely say it in front of the kids as well! 😄
@notreallyme425 2 years ago
Yes, I would like to hear what you have to say about storing 2FA codes in Bitwarden. For my threat model, I think it’s ok. But I’d like a 2nd opinion.
@ProTechShow 2 years ago
I might get around to making that video, but in the meantime my short version is that I think it's OK as long as you're protecting Bitwarden itself with multifactor authentication. In this case I view you logging into Bitwarden as the "real" authentication and Bitwarden is acting as something of an identity broker. It's a little analogous to logging in to KZbin - you don't actually log in to KZbin, you log in with 2FA to Google and then Google acts as a broker providing a single token to KZbin with your identity.
@notreallyme425 2 years ago
@ProTechShow I agree, it’s just weird to have an OTP app to get a code to log into Bitwarden to get your OTP codes. I used LastPass as my OTP authenticator, and backed up to my account. So either way my eggs were in the same basket. That’s the reason I ask, because if someone cracks my Vault they have my passwords and OTP codes. I had a good password so I’m not too worried (I’m changing my codes anyway).
@ProTechShow 2 years ago
Yeah, I'd need to make a full video on it to explain my logic properly. Having it in a separate app could be considered more secure on the basis it's one more hurdle to slow an attacker down, but if that app is on the same phone as the Bitwarden app (which is usually the case) then it's a false sense of security because they're both using exactly the same authentication factor, regardless. My personal TOTP codes are currently separate, but that's mostly for historical reasons. If it's an account shared between multiple people, though; keeping it in Bitwarden is much more secure than skipping the MFA to let your colleague or partner access it - something people often do!
@notreallyme425 2 years ago
@ProTechShow in the case of the LastPass breach the hackers have my encrypted vault which includes my OTP seed codes. So they don’t need my phone to get both the OTP and the passwords (assuming they can crack my master password). If someone steals my phone and can get past FaceID, then they have access to my OTP codes and my passwords either way, because I use FaceID for my OTP app and Bitwarden. So, in that case I don’t think it matters if I put both in Bitwarden. Either way, I’m not a high profile person, so I’m not too worried.
@ProTechShow 2 years ago
The design of both LastPass and Bitwarden is such that stealing your vault shouldn't actually matter - stealing access to it does (so you should be fine). Or to think about it in MFA terms - your passwords are always protected by MFA: something you know (master password) plus something you have (either the physical database file, or a device generating TOTP codes to access the database remotely). Looked at that way; by breaching LastPass, they've only attained one factor. The biggest risk would be if the device (or software) you're using was compromised because that could potentially let a bad actor read the unlocked vault. In this case, having MFA separate would help; but again, if it's on the same compromised device, it may not help much. The best way to mitigate that risk is using strong authentication like a YubiKey that can't simply be copied (I have a video on that and use it for my important accounts). I wouldn't be too worried about your LastPass vault as long as the master password is good. I'd change the passwords stored in it as a precaution, but in theory we'd all be long dead anyway by the time someone could crack it.
@franktowers3 1 year ago
I appreciate the video! I'm going to look if you've done nginx vs traefik!
@ProTechShow 1 year ago
Thanks! I haven't, but that's a good idea for a future video.
@drew8704 1 year ago
I would love to see the explanation on how integration of TOTP doesn't defeat the purpose.
@ProTechShow 1 year ago
I've just made a video about it: kzbin.info/www/bejne/bGWZlZ-nmciVg80
@anthonyf.2072 2 years ago
Great video. Subscribed. Curious, what Enterprise password manager do you recommend?
@ProTechShow 2 years ago
Thanks! I'm going to give the stereotypical consultant's answer of "it depends". In terms of capabilities and granularity, Delinea (formerly Thycotic) Secret Server is the best I've seen, but you do pay a premium for it. I can recommend it as a good enterprise solution but it's one of those where you can probably get 80% of the capabilities for 25% of the price with another solution, and if the extras don't matter for your use case then you might be better saving the money. Hence, "it depends"...
@anthonyf.2072 2 years ago
@ProTechShow Gotcha. Much appreciated!
@TechFromYorkshire 2 years ago
Good video. Our LastPass Enterprise subscription is due for renewal and we’re exploring the market again - especially after their data leak announcements! What password management solution are you recommending to your clients? We’re a 300 user business with 3 IT staff members.
@ProTechShow 2 years ago
Thanks. We've just been through a selection process for our own use, but I probably can't talk about it online. I can say we wrote off a number of otherwise good tools because our needs are quite different to a typical business. Most password managers that target MSPs are really just platforms for reselling the tool by letting the MSP create lots of instances for their customers to use. We don't tend to resell it, and having lots of instances would slow down our staff and hinder automation. We usually work collaboratively with in-house IT teams rather than full outsourcing, so we have a single platform that we add the IT teams of our customers to so we can share access directly with them. That makes our requirements pretty complex, because we need to share access with third parties but keep them completely isolated from each other without putting them on a separate instance. It goes beyond keeping them away from each other's passwords - if they click the share button they need to be able to see a list of their staff, and any of our staff they work with, but under no circumstances can they see the names of staff at other customers. It also means that where we deploy on-site components to support automation we need to essentially treat them as hostile, so if one customer were breached and their on-site components compromised there's no way to move laterally to anything that could affect another customer. Suffice to say, it narrowed the list of potential vendors pretty drastically!
@alphaneo9198 2 years ago
Honestly, onepassword is probably best for simplicity and security.
@RexMk1 2 years ago
Could you post said list of vendors? And if not, why so?
@ProTechShow 2 years ago
@RexMk1 probably not. It was an exercise carried out on behalf of my employer so it isn't my information to share. I would need permission from them to do so.
@Tetrodatoxin 10 months ago
They are absolutely shipping Windows apps on Linux to solve the "it works on my pc" problem: nothing to troubleshoot if you ship the user the whole desktop to run in a container. Like you said they need it to be as dummy simple as to keep the support costs simple.
@ProTechShow 10 months ago
As a user of software I don't like being forced to use a container because I don't trust devs to build it properly. I have seen (not talking about Bitwarden) too many containers with vulnerable libraries stuffed into them by devs who didn't want to update their code. That said, if the shoe was on the other foot I wouldn't trust the end-user to install it correctly so I'd be quite happy to give them a pre-validated container! It does make sense from their perspective.
@DanialKazemii 17 days ago
Nice!
@ProTechShow 16 days ago
Thanks
@MarkSpasov 29 days ago
What password manager do you use as a business admin?
@ProTechShow 24 days ago
At work we use Delinea Secret Server. It's the most comprehensive solution I've tested in terms of its automation capabilities, but you do pay a premium for it. For our use case the ability to automatically verify and change passwords across hundreds of client sites is a major benefit, but for less complex scenarios it might be overkill. It is a good fit for us, but cheaper options exist if automation isn't a big driver.
@CrynogarTM 1 year ago
We removed Passwords from Company. We use certificates and secure tokens. No user needs a password anymore.
@ProTechShow 1 year ago
This is the future... I hope. Old habits can be hard to break!
@awesomecronk7183 8 months ago
Well would you look at that, an actual review about a thing that provides good info on the thing it's about. Thank you!
@ProTechShow 8 months ago
Thanks! Glad it was useful.
@FireWyvern870 3 months ago
Is passbolt better than vaultwarden?
@ProTechShow 3 months ago
I wouldn't say one is better than the other, they're just different. Passbolt has more of a focus on security, Bit/Vaultwarden has more of a focus on usability. That's not to say Passbolt is hard to use or Bit/Vaultwarden is insecure - these are just areas of relative strength for them. Passbolt can be used as an individual but it is more aimed at team use. I wouldn't recommend deploying the community version to other people unless your users are technically-inclined. It could work for passwords within an IT department, but with "normal" end-users it's only a matter of time before they somehow lose their key, at which point if there isn't an admin somewhere with the escrow feature set up they're going to lose access to their passwords. The use of private keys makes it very secure, but as the escrow feature isn't available in the community version, users really need to look after those keys.
@FireWyvern870 3 months ago
@ProTechShow thank you for the input. My team is not that big (below 10 people). I'm searching for a password manager solution that supports multiple users, offline, on premise, secure, can remove all access for a user at will, easy to migrate if I change the PM server, integrates seamlessly with browser integration (I can't install an app on the client device), easy sharing between users. Would you recommend vaultwarden? Personally I use bitwarden, but sharing passwords is a little bit of a hassle. Do you think passbolt is the way to go?
@ProTechShow 3 months ago
Passbolt's sharing might be a bit more intuitive for you. You can test both for free, so I'd suggest giving them a spin to see which you prefer.
@bertivogts9368 1 year ago
@ursochurrasqueira 2 years ago
nice video
@ProTechShow 2 years ago
Thanks!
@fram1111 1 year ago
Make a video on 2FA Bitwarden, you forget Passbolt.
@ProTechShow 1 year ago
Bitwarden and Vaultwarden are alternative implementations of the same service. Passbolt works completely differently and doesn't fit into this video. I do have a video on Passbolt, though: kzbin.info/www/bejne/fqWWln6ijLqHoKc
@ProTechShow 1 year ago
I've uploaded a dedicated video about the 2FA aspect: kzbin.info/www/bejne/bGWZlZ-nmciVg80
@senpaisylnsr5253 2 months ago
Bitwarden's zero knowledge model was a bit of a lie the last time I checked.
@ProTechShow 2 months ago
How so? The data is encrypted and decrypted on your device so Bitwarden themselves have no visibility of it.