Great video, thanks! I really should have thought of doing this myself! Switching from Password Safe to Bitwarden and was nervous about using the 'bulk import' function - the one where you upload a file exported from your old password manager containing every entry. Ended up here, and although that's not shown in this video, I just tried it with a dummy pwsafe3 db and can confirm that it still locally encrypts each and every entry in the file before transmitting over HTTPS POST. At least using the 'Password Safe XML' format. Pretty cool!
That was an excellent, interesting video, thank you for explaining so clearly.
Thanks for taking the time and effort to make this video and explain this potentially complex topic so clearly and succinctly.
Kudos
Best regards
My concern about the information being stored in the cloud is at some time in the future they decide to charge for it and if you don't want to pay you're screwed.
You could always create a backup of your vault. ua-cam.com/video/kXkP7oBX0Lc/v-deo.html
With Bitwarden, you can have your vault on your own server, under your full control. All for free.
Even though it could be kind of cumbersome, I would say it's mandatory to keep backups of any data in a different place. For example, I use Bitwarden, but I have a backup of all my passwords in a OneDrive Personal Vault folder which is encrypted using Cryptomator. It depends how many security layers you want to add; commonly, more security layers means more steps required by the user.
Export your passwords and import them into a new password manager in 5 minutes.
WOW !! Very informative video !! FANTASTIC !!
I find it extremely shady that I can't change my master password in the application. I *HAVE* to do it on the website. Would you please explain that?
In any case, you can do a double blinded password... That means that one part of the password is in the vault and the other part is a keyword that you can remember. Every time you enter a password you need to complete the last 3 or 4 letters... Not the safest way, but better than nothing.
@@edrumsense What a genius, thank you so much edrum :) i will definitely try your method
@@edrumsense - Thanks. Will definitely start doing it.
@@edrumsense example.pls edrum
@@ankylosis751 say Bitwarden gives you a password of "MyB@dPassw0rd"
You will then come up with a secondary phrase you always add into your passwords, possibly before or after, something you know but hopefully that isn't easy to guess etc.
Let's say for simplicity my extra phrase is Christmas.
I will always add this to the end of my passwords provided by Bitwarden, and thus passwords will always be unique but also still require some knowledge of my own in the case someone can get the passwords stored in Bitwarden.
So Bitwarden says my password for ABC site is "MyB@dPassw0rd" and my password for that site is actually "MyB@dPassw0rdChristmas"
Hope that explains it.
So from what I understood, the encryption is done client side, which means anyone can figure out how it is done and undo it? Or am I missing something?
Because sending plain text over HTTPS is also "safe", no?
You can't undo the encryption without having the key. Your key is your master password, this is why it's important you use a long master password that is only used for your password manager.
@@passwordbits hmm! Does this mean the key is stored client side?
Wait, Bitwarden is open source! Lol
I will take a look at how it's done.
Thanks for the answer anyway
What I don't understand is: if the hash of your password is visible, why can't a malicious actor copy that hash and submit it along with your username to access your account?
It's not possible for a malicious actor to see it, that's how HTTPS works, and how the internet is secured. Not so easily at least. The video was done to show that Bitwarden doesn't know or store your passwords in plaintext on their servers, because they're hashed from the beginning.
Please raise microphone volume for next video. Thank you!
These are my volume levels: Ext speakers 25%, PC Main 50%, Browser 25%, YT 25%, and it's 3:30 in the morning so I can't hear loud, but I hear the video excellently. To anyone with the same issues, try checking your volume settings to see if everything is well leveled.
What about iCloud Keychain? Is that any safer than Bitwarden?
How do you know Bitwarden is not recording your master password when logging into their site to access your password database?
One way is to check the source code at GitHub, since Bitwarden is open source anyone can check the code and many do to make sure they're not doing anything wrong. github.com/bitwarden
Another way is to look at the source code of the actual page and then open the JS file and see for yourself what the code is actually doing.
This is the great thing about being open sourced, others can check your code and if something is not right you bet people will make a stink of it. Other paid password managers are not open sourced so you have to trust they don't do anything wrong but at least we can confirm with Bitwarden.
If you still don't trust them you can always salt your passwords passwordbits.com/salting-passwords/.
Password Bits ok this is beyond my technical knowledge. I have been thinking that with KeePass for example, you download the software and cross check the md5 sum or even compile it yourself. This verified software then encrypts the database that you can then upload to a cloud provider that is independent of the guys who wrote the KeePass software. With Bitwarden they might have legitimate open source code to download but that doesn't mean that is the actual code they run on their site. But you are saying that you can in fact verify that they didn't do a bait and switch with their code by inspecting the code being run in the browser. I could imagine the NSA etc. would love to have a widely deployed open source password manager where they have user identifying email address and master password logged for millions of people plus the underlying databases.
@@henrylawson430 This is why I bring up salting passwords ( passwordbits.com/salting-passwords/ ) even if someone got in your database of passwords they would not have the real passwords. Even with KeePass you still need to trust they're not doing anything bad either. At least with salting you don't have to trust anyone 100%.
Password Bits yes good point I will start doing that. Thanks for your insights.
@@passwordbits just wow
Thx! I use it today and like it!
You are the hero. More such videos
Not true, some of us do understand what's going on but prefer not to store something as important as our password database on someone else's computer. The file is encrypted, but there are a couple of caveats to storing it on someone else's computer, too long to go into.
Amazing video, thanks a lot! 🤩
What happens if they go out of business tho? How would we get our passwords?
Every so often you can export your password database to a CSV file. Now keep in mind that this file is going to have all of your passwords and login information in a plaintext file so you should secure it in a password protected format. Many people recommend compressing this CSV file into an encrypted 7-zip file that you store on your computer or you can use something like veracrypt to create an encrypted folder.
Basically yes you can backup your passwords on your own computer just in case you're worried that Bitwarden falls apart one day. When you open the CSV file it's very easy to read and you can usually import it into any other password manager.
@@johnbod Oh thanks you should make a video on this and how to do it I'll be ur 1st sub lol
How do you know that what you see is what's actually going on? And not just a program that makes you think it is encrypted?
Which one is better, Bitwarden or KeePass?
Both are good, but in terms of use I prefer Bitwarden.
I host my own Bitwarden server and I am pleased with it.
Please edit and turn up the volume...it is barely audible. Could also go slower.