[HN Gopher] Passwordless Authentication - Access Your Bitwarden ...
___________________________________________________________________
Passwordless Authentication - Access Your Bitwarden Web Vault
Without a Password
Author : jacooper
Score : 63 points
Date : 2022-12-05 17:08 UTC (5 hours ago)
| yasp wrote:
| How does Bitwarden protect against a malicious mobile app update?
| oddeyed wrote:
| I had no idea this was a new feature but used this today. It was
| extremely convenient!
| ghostly_s wrote:
| Waaay at the bottom: Note: Logging in with a
| device is currently only available on the Bitwarden cloud server
| (https://vault.bitwarden.com).
|
| And even there, I followed all the directions and don't have the
| 'Log in with device' button. Waste of time.
| imwillofficial wrote:
| Bitwarden is such an amazing value. $10 a year, constant
| progress, secure, quality product
| teruakohatu wrote:
| Is 2FA still hidden behind the paywall? While bitwarden does this
| they are doing a major disservice to the average (unpaid) user.
|
| Edit: thanks, sounds like 2fa is now free.
| castrodd wrote:
| Isn't it like $10 per year for a premium account?
| Alupis wrote:
| Yes, and worth every penny in my experience. It's really a
| great app, and a great service.
|
| Happily paid my $10 after using it around the office for a
| few months (paid Teams account).
|
| We came from KeePass, so the whole cloud thing was new. But
| it's "just worked" remarkably well.
|
| The multiple-profiles feature was a game changer: being able to
| access both my work credentials and personal credentials from the
| same app, while keeping them entirely separate, is really nice.
| y0ssr3n wrote:
| The free plan supports the following types of 2FA: "Email,
| Authentication App"
|
| Upgrading to the Premium Account ($10/yr) gets you additional
| options: "YubiKey, FIDO2, Duo, Email, Authentication app"
|
| Source: https://bitwarden.com/pricing/
| llampx wrote:
| I use 2FA with a free account.
| OJFord wrote:
| Unfortunately no plans to offer it for third-party stored
| credentials though - this is just for 'unlocking' Bitwarden
| itself.
|
| 'Passwordless' badly needs 'password manager' support, or other
| cross-platform implementation, IMO.
| sakisv wrote:
| That's very nice, well done!
|
| For a moment there I had hoped that maybe it would solve the
| problem in the opposite direction: I'm typing the master password
| so mechanically when I'm on my laptop, that I really struggle to
| remember it when I have to type it on a screen - to the point
| that I must go sit at a computer open a notepad, let muscle
| memory take over and then look at the screen to see what I typed
| /facepalm
|
| Anyway, in all seriousness, while this is a scenario that happens
| very rarely, it still makes me wonder if it would be possible to
| do the passwordless login the other way, i.e. authenticate the
| phone using a trusted laptop (maybe a fingerprint enabled one)?
| Fervicus wrote:
| Ha! I can definitely relate. Takes me 3-4 tries to get the
| password correct on mobile, and not so rarely I have to type it
| on the computer first.
| sschueller wrote:
| I just looked at the requirements to host your own Bitwarden
| server. Why does a password manager need 2GB of ram (4GB
| recommended) and 25GB[1] of storage? That seems quite excessive,
| how much data and traffic does this thing need to handle for me
| plus family members?
|
| [1] https://bitwarden.com/help/install-on-premise-linux/
| Someone1234 wrote:
| Because it uses Docker and that is what Docker requires.
| turmeric_root wrote:
| Vaultwarden's Docker images are much smaller:
| https://hub.docker.com/r/vaultwarden/server
| x3n0ph3n3 wrote:
| No, it's because it uses _several_ docker containers and runs
| mssql.
| Someone1234 wrote:
| "No", then goes on to reinforce my explanation.
|
| Those minimums are taken from Docker. The person above
| asked why they were what they were, I answered. You're just
| further reinforcing what I explained.
| cweagans wrote:
| Running something in a Docker container adds very very
| little overhead - to the point that it's almost
| immeasurable. The resource utilization is specifically
| because of the services that have been packaged in the
| containers.
|
| If you were running the Bitwarden server on bare metal
| (which you can definitely do), the requirements would
| still be the same.
| alyandon wrote:
| Check out Vaultwarden instead -
| https://github.com/dani-garcia/vaultwarden.
|
| It is written in Rust and is much lighter on resource
| requirements.
|
|     CONTAINER ID   NAME        CPU %   MEM USAGE / LIMIT     MEM %   NET I/O           BLOCK I/O         PIDS
|     ecce485b8b3a   bitwarden   0.06%   46.58MiB / 1.937GiB   2.35%   1.63MB / 28.1MB   17.5MB / 81.9kB   11
| thewataccount wrote:
| I've been considering vaultwarden, question though.
|
| I assume bitwarden's implementation has been more thoroughly
| reviewed.
|
| Assuming there is a critical bug in vaultwarden, what is the
| severity/what information is exposed? Is it relatively safe
| even then because of the E2E?
| xoa wrote:
| As well as what sibling said about it being E2EE and just
| using a standard API for storage, there are awesome tools
| these days so you can (and I think should) lock down your
| instance fairly well. Now when I run services like that I
| access them exclusively via WireGuard or Nebula, no
| exposure to the public internet at all. It's reliable,
| dependable and performant enough to pretty much put
| everything inside of by default. And for something as
| lightweight as this it should be fine running it at home
| off of most connections, if you don't have a fixed IP can
| bounce through even the cheapest VPS instance and still
| store nothing in the cloud (or run something like Nebula
| and automate that bit so that it's an encrypted mesh and
| only a minimal Lighthouse node need be 3rd party). If your
| instance is just for yourself then even the server can
| still be another of your devices. Selfhosting absolutely
| has its challenges and costs but the surface area for
| exploiting bugs drops a lot when there is no 3rd party or
| shared environment involved.
| thewataccount wrote:
| Thanks for the explanation!
|
| > if you don't have a fixed IP can bounce through even
| the cheapest VPS instance and still store nothing in the
| cloud
|
| I've been meaning to look into this with wireguard, but
| I'm having trouble searching for/finding how to do this.
| Is "bastion host" what I'd want? Also is there a way to
| ensure the VPS cannot access the network as well, and
| just tunnels it essentially?
| xoa wrote:
| > _I've been meaning to look into this with wireguard,
| but I'm having trouble searching for/finding how to do
| this. Is "bastion host" what I'd want? Also is there a
| way to ensure the VPS cannot access the network as well,
| and just tunnels it essentially?_
|
| First, yes, a search phrase like that should get you the
| right terms, though there isn't anything inherently
| special about it. If multiple systems are connected to
| one system with wireguard, giving them all access to a
| given subnet is straightforward. As far as the VPS, it
| can indeed access that subnet too, since it's acting as
| part of the subnet, but you can use normal firewall rules
| on the far side internally to control what can talk to
| what and how. And in this kind of specific instance the
| WG is more about controlling public-facing surface area;
| the Bitwarden/Vaultwarden traffic in flight is itself
| encrypted.
|
| Second though, having said all that, I think if you're
| worried about the VPS bit (or even if not) you should
| take a look at the Nebula SDN [0, 1] instead. It's built
| on the Noise encryption framework as well. There, the
| fixed IP node (the "Lighthouse") primarily acts to let
| other nodes know their mutual addresses, and they then
| attempt to form a direct link with no bouncing through a
| bastion, it's a real mesh. This generally works even if
| both are NAT'd, and if not it's transparent fallback and
| still encrypted between them. Depending on distance
| between nodes this can be a lot lower latency as well.
| With Nebula you establish an internal CA (super easy
| built-in tool for it) and that doesn't (and absolutely
| shouldn't) live on the lighthouse.
|
| I'm fortunate enough to have fixed IPs available to me at
| home and office and have tended to use WG a lot just
| because it's had more advanced support and performance in
| constrained environments for me (kernel support in Linux
| and now BSDs). Nebula has been super slick though and
| I've been using it more and more. It makes all this
| really easy.
|
| Anyway, hope this helps a bit. It's really exciting to me
| how much open source networking power is now available to
| everyone. It's a bit of a counter-decentralization force
| IMO to the last few decades' push towards central service
| providers.
|
| ----
|
| 0: https://github.com/slackhq/nebula
|
| 1: https://arstechnica.com/gadgets/2019/12/how-to-set-up-
| your-o... _(note 3 years old, there are now Android /iOS
| clients as well and things are further refined)_
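As an added illustration of the WireGuard "bounce through a cheap VPS" topology xoa describes above (example configuration written for this page, not from the thread or from the Bitwarden/Vaultwarden projects): the VPS only relays between the home server and a phone and is firewalled from originating traffic into the tunnel, while the home end accepts only the Vaultwarden HTTPS port over the tunnel. All keys, the 10.8.0.0/24 addresses and the hostname vps.example.net are placeholders; the phone's config mirrors the home server's with Address = 10.8.0.3/24.

```ini
# --- File 1: /etc/wireguard/wg0.conf on the VPS (hub / "bounce" host) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Relay packets between spokes, but drop anything the VPS itself tries to
# send into the tunnel. Assumes a dedicated bounce host with no other forwarding.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = nft add table inet wgbounce
PostUp = nft add chain inet wgbounce forward_wg '{ type filter hook forward priority 0; policy drop; }'
PostUp = nft add rule inet wgbounce forward_wg iifname "%i" oifname "%i" accept
PostUp = nft add chain inet wgbounce output_wg '{ type filter hook output priority 0; policy accept; }'
PostUp = nft add rule inet wgbounce output_wg oifname "%i" drop
PostDown = nft delete table inet wgbounce

# Home server running Vaultwarden (dynamic IP, behind NAT)
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# Phone / laptop
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# --- File 2: /etc/wireguard/wg0.conf on the home server ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# Over the tunnel, accept only HTTPS to Vaultwarden, and never anything
# sourced from the hub's own tunnel address.
PostUp = nft add table inet wghome
PostUp = nft add chain inet wghome input_wg '{ type filter hook input priority 0; policy accept; }'
PostUp = nft add rule inet wghome input_wg iifname "%i" ip saddr 10.8.0.1 drop
PostUp = nft add rule inet wghome input_wg iifname "%i" tcp dport 443 accept
PostUp = nft add rule inet wghome input_wg iifname "%i" drop
PostDown = nft delete table inet wghome

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
# Route the whole tunnel subnet via the hub so the phone (10.8.0.3) is reachable.
AllowedIPs = 10.8.0.0/24
# Keep the NAT mapping alive so the hub can always reach this end.
PersistentKeepalive = 25
```

These rules stop the VPS from originating traffic into either end, but a hub decrypts and re-encrypts every packet it relays, so a compromised hub could still forward packets with a spoofed tunnel source; that is why the TLS on the Vaultwarden connection itself still matters, as xoa notes.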
| OJFord wrote:
| Aiui, the server's really just a storage backend
| implementing the correct API - vaultwarden can't really do
| any harm, it just stores what the client (encrypts and)
| tells it to. Worst case it doesn't store, and you still
| (but only) have a copy on the client.
| gpm wrote:
| Eh, worst case you access it via the web-ui, it has been
| taken over, and it serves a malicious copy of the front-
| end that steals your password.
|
| But... that seems reasonably unlikely.
| suumcuique wrote:
| It includes a MS SQL server among other things, so for serving
| single digit users it's gonna be heavy. Check out Vaultwarden as
| an alternative for small scale self-hosting.
| heresjohnny wrote:
| Honest question: do you believe that you'll be able to
| guarantee the same/better uptime, performance, and security
| compared to the SaaS version? Hosting your own password manager
| seems like something you really shouldn't do, just like hosting
| your own e-mail. This stuff is critical to your life.
| sam_goody wrote:
| Sure.
|
| Hosting your own is a twenty minute setup, more or less, and
| $5/mo on Hetzner. Uptime, in my experience, is 5 nines.
|
| With SaaS, I am losing the main reason that I am using
| Bitwarden - that I don't want the X agency to force Bitwarden
| to give them my passwords.
|
| And while I know that said agency (it varies by country and
| target) could definitely hack the VPS if I were important
| enough, that is not part of my threat profile. Self hosted is
| far less likely to get auto vacuumed than SaaS data.
| idiotsecant wrote:
| I think if X agency wants your information the $5 wrench
| attack will probably bypass your self-hosted server
| infrastructure.
| iso1631 wrote:
| Yup, it's not rocket science if you already run your own
| services. An entire generation of techies seem to be
| completely scared of running their own machine and think it's
| some kind of massively difficult task.
| zikduruqe wrote:
| Just use passwordstore.org and stand up a bare git repo. It
| really doesn't need to be terribly complicated.
| koevet wrote:
| I have been running Vaultwarden (formerly known as
| bitwarden_rs) for years in a docker container and I don't
| remember a single time that it went down.
| Yujf wrote:
| Better security for sure. Bitwarden is a massive target while
| I am not. The chance that bitwarden has a data breach is way
| bigger than the chance that my server gets hacked. No one
| cares about my server; I am nobody, not worth attacking. As
| long as I don't leave any big holes that can be found by an
| untargeted attack (which I won't, I run everything behind a
| personal VPN) it is safer.
___________________________________________________________________
(page generated 2022-12-05 23:01 UTC)