New Password Manager: Bitwarden

Currently for my password manager I'm using KeePass by LuckyRat on my UNIX laptop. I want to considerably expand the scope of my password manager. Will KeePass support what I want to do, or will I need a new product?

A password manager has a database containing a map from URIs (or other IDs of password consumers) to loginIDs and passwords that will let the user authenticate and get service from that consumer. The usual mode is for a browser plugin, or an app running in the background, to monitor web pages, or other apps' authentication windows, and to fill in the loginID and password. Thus the user does not have to remember the password and is willing to make it long and random, resisting nefarious attempts to crack it.

Table of Contents

• Glossary
• Goals and Issues
• Searching For a New Password Manager
• The Selection: Bitwarden
• Installing Bitwarden
• Web Resources
• Testing Bitwarden
• Bitwarden in Operation

Glossary

These acronyms and jargon words are often used:

• PW = Password
• PM = Password manager
• BW = Bitwarden
• MSRP = Manufacturer's suggested retail price
• 2FA = Two factor authentication
• TOTP = Timed One Time Password, a very commonly used 2FA method
• Consumer = A program, website, etc. that requires the user to give it a user ID and a password (which it consumes), to induce it to provide service.
• WAF = Wife Acceptance Factor

Goals and Issues

Issues for the password manager. Obviously some of these goals conflict.

• I want to add or change the password for a particular consumer on one of my various client devices, and then to use it for authentication on any of them.
• My devices run these operating systems (so the new PM has to run on them): Android, iOS, desktop Linux, and Microsoft Windows. On the desktop I have OpenSuSE Tumbleweed and the packages have to be installable there.
• I want to share the database with my wife. Complex organization of the passwords is not needed, and neither is negative sharing (a password that she or I are excluded from). I also want our son to have access in case we shuffle off this mortal coil.
• My wife is not a geek, and the WAF (Wife Acceptance Factor) of the software has to be good enough that she will use it consistently.
• I want to use the password manager when away from home (as well as at home).
• I would much prefer if the database server could run on premises, versus being under the administrative control of an unknown and untrusted third party. For me, access to the home server from off site is a solved problem.
• I would much prefer an open source solution.
• I would prefer a package with active maintenance (security patches) that does what I want with minimal hacking, and that uses standard system libraries for security such as OpenSSL or GnuTLS, which have their own active issue tracking and patching.
• Many of the PMs have a zero knowledge design, which I insist on: when adding or changing an item the app on the client encrypts it and the database in the cloud stores ciphertext, sending it back for the client to decrypt when the loginID and password are to be filled into a login form. The key never leaves the client. In case of a subpoena or hacking, the crypto strength is typically set so the Black Hat will have to spend at least a billion USD and work for at least a year to crack the private key, which is feasible, but is only justified for the most important national security issues.

Searching For a New Password Manager

The first step is to search on Google for password manager. I found quite a number of digest reviews and 10 best lists; I concentrated on recent ones in mainstream media. But PMs are fairly similar and so are the articles rating them; I'm showing details mostly for the first 10 best review.

PCMag: The Best Password Managers

On PC Magazine by Neil J. Rubenking & Ben Moore, 2021-02-17. They reviewed quite a number of products, which were also reviewed in other similar articles. While each author had his or her own opinions on which aspect of the product would drive the ranking, the information I was getting from all the reviews was generally similar. Here are four selected products from the PCMag review, products which seemed relevant to my needs.

Keeper: cross-platform; 4.5*; top of their list.

MSRP $21/yr for 1 user, $45/yr for family of up to 5. Does 2 factor auth. Keeps a password history. Free trial limited to one client. Windows, Android, iOS, Linux, Firefox, MSIE, Safari, others that we don't have. Zero knowledge: they store ciphertext; you encrypt and decrypt it on the client device using your master PW. Has password inheritance (your executor can extract your PWs if you die). Has password capture. Can recognize password change pages; can generate a random PW here and save it in the DB. It fills in app passwords. Can share PWs (individually) with other users. Or you can create one or more shared folders. Editor's choice. Comment: watch out for auto renewing the subscription; it's hard to unsubscribe.

Dashlane: 4*

MSRP $60/yr (highest in this set?), $120/yr for premium pro. Free trial. Handles Windows, MacOS, Android, iOS. Where's desktop Linux? Use via web browser extension. In functions it's very similar to Keeper. Includes a VPN service (to which the extra price is attributed). Dashlane recently made some kind of change to the terms of service (I had trouble to understand the issue but I think it involves secure storage for attachments), which pissed off a lot of users and led them to read this article to find a different password manager. Editor's choice.

1Password: 3.5* ; our son uses this.

MSRP $60/yr for family plan, 5 users ($1/mo per user for more), 1Gb secure storage; single user plan costs $36/yr. Covers Windows, MacOS, Android, iOS, Firefox (+others) browser extension, no native desktop Linux. PC Mag's complaints: UI of apps and browser are different leading to confusion. Prefer the X extension style vs. the regular extensions. No dedicated inheritance feature (but in the family account you can designate multiple people as administrators, which should be enough). Sharing is limited to within the family. Setup: to add another device or browser, you need to type in the 34 byte random symmetric key (obviously base64 encoded, about 204 bits). Or there are various maneuvers to pass a picture of a QR code to the new client. It does 2FA, both via an auth app and U2F keys. Don't try to get 1Password to do 2FA for 1Password, it's a chicken and egg issue. Our son uses this product.

Bitwarden: 4*

Open source! The free version offers most of the features. Premium is $10/yr (only!) plus $1/yr to share passwords. OS support: Windows, macOS, iOS, Android, Linux; Firefox, Safari, etc. Also many activites are available from a plain web UI. Breaking news, it now has emergency access, which is equivalent to legacy inheritance. The paid version has these features: Authenticate with YubyKey or FIDO U2F key. Attach files to items (1Gb max). Get a report of PWs stolen in data breaches.

Jimc's Summary

All the reviewed products have generally similar features and functions, although there are significant differences in price, in the slickness of the user interface, in flexibility, and in meeting non-core goals from jimc's list.

One question that often comes up is, can you use it without an Internet connection? It's my impression that most/all of these apps store the database (containing ciphertext) on each client device and sync to/from the cloud instance. So you can read and alter your items without a connection; alterations will be synced when the net returns. However, web pages in which you would fill passwords come in from the Internet, and password protected mobile apps almost but not quite invariably perform their service (e.g. controlling your thermostat) by an Internet connection from your phone and from the thermostat to the mother ship, so you will (almost) never have an opportunity to use your password manager when the Internet is down.

YubiKey 5Ci Review

YubiKey 5Ci by Yubico is a dongle with USB-C (type C) and Lightning connectors. It does smart card things, specifically FIDO2 U2F (WebAUTHN) for authentication. MSRP $70. There's a version with USB type A plus NFC; MSRP $45 street $27.

Google Has the Key to Keeping You Secure But You Don't Need It

Since Google required 2FA hardware keys internally, phishing successes dropped to zero. But their security guru says it's useless to deploy this to most users, who will just get frustrated with the extra steps. 2FA is really useful for people subject to targeted attacks, like politicians…

Wikipedia article about Password Manager

It discusses aspects and vulnerabilities of PW managers in general, but does not compare specific products.

Old review of KeePass

KeePass: 3* (dated 2016-06-27, 5 years old). For me, this review was not useful because of improvements to KeePass in the last 5 years.

CNET: Best Password Manager

By Clifford Colby & Rae Hodge, 2021-03-17. Their #1 is/was LastPass because the free version includes most of the features. However, they've changed terms of service, and someone discovered 7 web trackers in the Android app, so the authors are re-evaluating their rankings. #2 is 1Password.

They also have a short review of KeePassXC. They say, It's really for advanced users only: Its user interface takes a bit of fiddling to get all the independently built versions of KeePass to work together.

On SuSE Build Service, Bitwarden is not apparent, but there are packages for keepass (v2.47, in Mono) and KeePassXC (keepassxc) (v2.6.4, uses Qt5).

KeepassXC Project Website

• This is a fork of KeePassX to get slow development progress moving.
• The DB is encrypted with AES-256. Backward compatible with old KeePass formats (not too old). The local DB contains the whole corpus; no internet connection needed.
• Uniform UI across Windows, MacOS, desktop Linux.
• Open source, GPL, on GitHub.
• Active development, 3 releases since 2020-10-22.
• The DB could be shared by a public or private cloud solution (and jimc actually does it) but there is no such service included with the package itself.
• Feature summary: Auto-fills forms; grouped entries; searcher; PW generator; import+export CSV (encrypt it yourself for backup); PW health report; TOTP management; custom fields in entries; file attachments; has a CLI; can share database.
• Keeps a history of modifications to an entry, so you can revert to an old password or other field values.
• Acts as a hardware key proxy for TOTP.
• SSH key agent integration: add keys from KP to SSH Agent, remove them when the DB is re-locked.
• Browser integration with Chrome, Firefox, etc.
• Requirements: These are already installed on Xena: libQt5, libgcrypt, libargon2, libqrencode, libsodium, libxi, libxtst, These are available on SBS: zlib (source pkg; several product pkgs are installed), zlib1g (not found, wrong name?), libquazip5 (libquazip1-qt5 is probably the right package on SuSE), qtx11extras (libqt5-qtx11extras is the SuSE package), libyubikey (on SBS), libykpers-1 (libykpers-1-1 is the SuSE package).
• From the FAQ: On Android, they recommend KeePassDX and KeePass2Android; On iOS, Strongbox or KeePassium

Techradar: Best Password Manager

(2021-03-16) Their #1 is Dashlane. Keeper at #6. Bitwarden #7.

Wired.com: Best Password Managers

(2021-03-12) Their #1 is 1Password; #1 in free category is Bitwarden.

New York Times Wirecutter: Best Password Managers

(2021-02-05) Their #1 is 1Password; #1 in free category is Bitwarden.

Reddit forum for 1Password

OP _usererror_ about 2020-06-xx. He currently uses LastPass and is considering switching to Bitwarden or 1Password. His goals: Features (report of weak/duplicate PWs; sharing PWS); security particularly with cloud sync; privacy particularly with browser extensions. Main questions: What are the main benefits of the 3 products? Which is considered the best for security and privacy? 1Password being closed source, can it really be trusted? Why has the 1Password Firefox extension not received Mozilla Recommended status?

Snips of discussion posts:

ArchmageJesus says:

I tried BitWarden out and it is absolutely a great product, but I think the BW vs 1P debate comes down to what you value…for me, I value your design and ease of use above all else, because the nicer it looks and easier it is to use, the more likely it is I can get my wife to use it, and that's why I'm still on 1P…if it were just me, I'd honestly probably be on BW because I can handle it being a little rougher around the edges.

sonsofrusticus says:

When you change a PW, 1Password recognizes it and saves it in the database; Bitwarden doesn't. He's using Safari exclusively and Safari support is poor, so he says.

Jimc's summary of several postings:

Several users point out that 1Password started as an Apple app and its Apple incarnation is better than for Windows. Jimc is not sure whether the iOS app is closer to the macOS or the Windows desktop app. And what about Android?

Safety Detectives: Lastpass vs. Bitwarden: Is an Open Source Password Manager Better?

By Bjorn Johansson, date 2021-xx-xx. LastPass: winner in basic and extra features, ease of use, and customer support. Bitwarden: winner in security and pricing, but only recommended for advanced users.

Bitwarden integrates with TOTP generators (Google Authenticator etc). and biometric ID if the OS has it. USB tokens and the builtin TOTP generator require the premium product. Useability: with Bitwarden you have to copy and paste the TOTP, whereas LastPass can auto-fill the form. (Jimc says: in 2021-04-xx on Firefox for desktop Linux, it offered to fill a TOTP form.)

Basic features of both products:

• Unlimited storage capacity
• Sync to multiple client devices
• Auto-fill, auto-save (capture previously unseen credentials). The reviewer found that LastPass usually auto-filled with no user interaction, while with Bitwarden you have to right click in the field and then click on the entry: an advantage if you have multiple logins at the same service, but otherwise it's an annoying extra step. Jimc discovered that there's a setting to turn on aggressive auto-fill (if only one password applies to the account), and it works, but it's off by default.
• PW generator
• Digital wallet (credit card auto fill)
• Identity storage (auto fill additional fields beyond UID and PW)
• Secure notes

Sharing: LastPass is much more slick, and you can share in the free tier. With Bitwarden, the premium users can share with one partner, while you can share a whole vault with multiple users if you have the family plan (up to 6 partners) or business plans.

Summary of the various review articles: All of the PW manager packages have a lot of similarity. Common features, starting with the most common:

• It stores a mapping between a server/consumer identifier (URL, etc.) and a loginID and password that you can use to get service on that server.

• Most packages offer database hosting in the cloud (not free) so you can use the PW manager on multiple client devices when at or away from home. A few, specifically KeePass and friends, tell you to use your favorite file sharing solution, like Dropbox or ownCloud, to host the database. Of course you can omit this feature if you have only one device. A few, specifically Bitwarden, can use either their cloud hosting or your own.

• All PW managers have browser integration so you visit a login page and the manager will recognize it and (offer to) fill in the appropriate loginID and password. Some (including BW) but not all can handle servers like Google that put the loginID and password on separate pages.

• PW managers for mobile devices usually can recognize and fill in apps' own login pages.

• Most PW managers can copy your loginID and password to the clipboard, one at a time, for use on a login page that it fails to recognize. Beware: if you do this on an iDevice, the clipboard is shared among all of them, and while the PW manager clears the clipboard after the PW is used, this clearance is (or used to be) ineffective on remote iDevices.

• Some but not all PW managers can recognize a password changing form and (in the better cases) can capture the new password and update the database entry. Many can recognize a login page for which it has no entry, and can create one on the spot with varying completeness and convenience.

• Some packages keep a history of modifications, specifically historic passwords, so a botched PW change can be reverted easily in the database.

• Many packages say they have a zero knowledge design, meaning that the database stores ciphertext, and the client device encrypts it when creating the entry, and decrypts it when filling in a login form. So in case of a subpoena or an illegal hack on the cloud host, the booty is useless.

• A few packages, specifically KeePass and Bitwarden, are open source. Bitwarden gets a professional security audit every 2 years (expensive).

• The database entries can contain other information, like notes, credit card numbers, etc., and the packages are more or less agile at filling these into appropriate fields. (KeePass is in the less category.) Some packages let you attach files (of modest size) to entries.

• Facilities for sharing passwords vary in convenience, agility and scope. The sharing feature seems to be a profit center for many packages.

• All (?) packages can organize entries in groups, generally called folders,with varying convenience and effectiveness.

• Operating systems covered are (in order of commonness): Windows, MacOS, iOS, Android, desktop Linux.

The Selection: Bitwarden

KeePass is the devil I know. However, it's a fringe operation with only one developer, and it doesn't have some of the modern features. I'm seriously considering switching to Bitwarden. It has these advantages over other commercial competitors:

• Open source
• Hosting on their server or ours.
• Least expensive of the paid plans, and the free tier has the most capabilities of all packages. Sharing seems to be the main thing that you really want and have to pay for.
• New feature: you could always export your content (for backup) and encrypt it yourself. Now, you can export the cyphertext, if you're not too skilled in crypto. But you have to restore to a vault with the same session key, which basically means if your account gets deleted you're screwed.
• They have newly added legacy takeover, called emergency access.

Bitwarden components: If you're installing Bitwarden you will want these web links:

Bitwarden download page

This page has the current links for the apps listed below. It's probably better to refer to the download page, rather than following my links which are possibly outdated.

Firefox browser integration

Use this on both Firefox for desktop Linux and for Androoid (and presumably for iOS.) Current version in 2021-03-xx: 1.49.1 Biometric auth if supported by the OS. The download page has extensions for eight different browsers.

Bitwarden for Android.

4.7*. Snips from reviews: No auto fill (with which browser and version?) but their UI for cut and paste is good. Another user says auto fill doesn't always work. Jimc says, auto-fill works for me. Current version in 2021-03-xx: 2.9.2

Bitwarden for iOS (iPhone and iPad).

4.7*; not much info on this page.

Desktop app for Linux

The main useful feature is a command line interface so you can possibly automate backups. On the desktop you will mostly need passwords for web pages, for which you will use your browser extension. Maintenance operations, like adding or editing items, can be done from the app but (in jimc's opinion) are better done from the web GUI; see the next item.

Web GUI

The web GUI has most of the features of the native apps (but not auto-fill). It can be used from any web browser (whether or not you have the browser extension installed). Major activities are adding, editing and deleting items (loginID-password pairs), organizing items in folders, sharing, importing and exporting (downloading) items (e.g. for backup).

Installing Bitwarden

The first step when instailing bitwarden is to select a service plan. These are the personal plans (there are also business plans).

Some (but not all) Bitwarden features. -F marks features not available in the free plan; all are in the Premium and Family plans.

• Works with all Bitwarden mobile apps
• Unlimited number of storable items (PW entries etc)
• Sync with arbitrariiy many client devices
• Secure password generator
• Encrypted export (for backup); also unencrypted export
• (-F) TOTP authenticator
• (-F) Vault Health Reports (recognize weak, duplicated or compromised PWs)
• (-F) Emergency access (equivalent to legacy access)
• (-F) Priority support
• Host on their cloud server or your own.
• You can upgrade (or downgrade) your account later.

Which paid features do we really want?

• It is feasible during setup and evaluation for us to all be one user. But likely we will want to have separate logins, meaning family plan.
• Bitwarden Send (file sharing): I doubt we're going to use this. We have S/MIME already set up.
• Unlimited shared items (e.g. accounts and PWs). we want this; many of our accounts are per family.
• Encrypted file attachments: we already have a solution for sharing text and images.
• TOTP authenticator: we'd have to learn to make this work. Could be useful but few PW consumers let users configure your own TOTP auth.
• 2FA with Yubikey or U2F: Intriguing but are we paranoid enough?
• Health reports: probably not a big deal for us; we know our status.
• Emergency access: other products call this legacy access but the grantor doesn't have to actually die to activate it. We definitely need this.
• Priority support: :-)

Creating a free account. Pick a password first. You will need to remember it to open the service; you can't store it in the PM if you're going to use it to open the PM.

Terms of Service (Jimc's summary; IANAL),

• 8Bit Solutions LLC is the legal entity that provides Bitwarden. It is wholly owned by Bitwarden Inc, a Delaware corporation.
• Acceptable use: Similar terms to other services. Inciting riots is forbidden. No spam. You may not sublicense the service.
• 30 day refund policy.
• You can cancel your account. Your data will be shredded. Bitwarden may terminate your account with or without cause.
• Customer support is via e-mail, No phone support.
• No warranty.
• No liability.

Privacy policy (Jimc's summary)

• They comply with Privacy Shield for US entities operating in the EU or Switzerland.
• Vault data is encrypted with (a hash of) the password that the user enters on his own device, which Bitwarden does not know, so they cannot reveal vault data. (And they're unable to recover your vault if you forget your password.)
• Administrative data is used to provide the service. It is not shared with outside weasels. (Doesn't say anything about a subpoena.) Similarly for webserver data (but they mention complying with laws).
• They use Google Analytics to optimize product design. Google Analytics combines data from a lot of sites for their own purposes.
• Bitwarden uses outside vendors for e.g. database hosting. Bitwarden's contracts with those vendors require them to use personal information only to provide services to Bitwarden,
• Bitwarden may disclose personal information in response to a subpoena, national security request, etc.
• Cookies are required for the web interface to work right. They use Cloudflare for DDoS protection, and Cloudflare requires cookies.

The account creation form requires these items:

• E-mail address (used as loginID)
• Human readable name
• Your new password (twice)
• Master password hint (optional, useless for random PW)
• Checkbox for agreeing to the terms of service and the privacy policy
• The timeout on the account creation form is long enough that you can actually read the terms of service and the privacy policy.
• After you log in for the first time, you need to hit Send in the Verify Email box, for domain validation, to unlock features where they need to rely on the e-mail address being real.

Tidbits and web resources from the welcome e-mail message:

• Don't lose your password, or you're screwed. Bitwarden does not know the key by which the vault data is encrypted; it's derived from your password.
• https://vault.bitwarden.com/ -- Web GUI to see/modify secret data
• http://www.bitwarden.com/download -- Download the software, including for mobile devices.
• http://www.bitwarden.com/help -- Online help
• http://www.bitwarden.com/contact -- Customer support
• https://community.bitwarden.com/ -- Community forum
• https://www.reddit.com/r/Bitwarden/ -- Bitwarden Sub-Reddit

If we're going to convert to a paid family plan, we really want to start out with a CFT organization (sharable collection). The free tier still can create an organization. (Actually it's a little less confusing to create the organization after you've upgraded your account.) Steps to create one:

• Hit New Organization on the main page, right sidebar, bottom.
• Organization Name -- CFT Secure Password Storage
• Billing Email -- jimc@jfcarter.net
• Choose your plan: Free.
• Now here's a question: with plan selection, they show prices, which match the per-user plan prices. Is it implying that you pay for each Organization? (They didn't charge me.) Are name collisions possible, e.g. user A creates organization Z, and user B also creates organization Z; are these organizations different?
• You end up on a page that looks identical to a user's front page (vault display) except no right sidebar.
• Under Manage/People the creator is prefilled as the owner.
• What's the right way to get back to the user's own page?
• Back on the user's front page, the organization(s) he is a member of are now listed; click on the link to open the organization's vault.

Testing Bitwarden

I worked out a test plan in advance:

• As the test user, on desktop Linux, start Firefox and log in to my Bitwarden vault (as jimc). [Done]
• Create (by hand) PW entries for Ring and MyUCLAHealth. (Called a login.) [Done]
• On desktop Linux, install the Bitwarden web extension on the browser. The procedure would be identical for Microsoft Windows or MacOS (Apple) or mobile OS's, but probably differs among browsers. See http://www.bitwarden.com/download; look for the Web Browser section. Click on Mozilla Firefox (or whatever your browser is). It opens a new window/tab in the Firefox extensions store. Review what you're installing, then hit Add to Firefox. A box pops up: yes allow this extension to run in private windows (unless you're too paranoid). (But this is ignored; make this settings under Manage Add-ons - Plugins.)
• Testing the browser extension: For both accounts, log in on the service's website using Bitwarden. To do this you need to give your BW loginID and password to the add-on; click on its icon in the tool area and it will prompt you. (Having the web vault open doesn't count.) (Your tool area may not be big enough for all the icons to show; click on >> for a dropdown list. One of its choices is Customize Toolbar which would let you change the order of the icons.)
• How to launch the page from Bitwarden and auto-fill it:
  • Left click on the BW icon.
  • If your session has timed out, it will ask for your BW password.
  • Type a search string in the searcher. When your item appears, click on the launch icon (left one in a row of 4 icons, a rectangle with an arrow pointing out). The page will be shown in a new tab/window. (Or you can navigate any other way, e.g. a bookmark or a link, but the point here is to test BW's launcher.)
  • Right click on the BW icon. Hover over Bitwarden. Hover over Auto-Fill. Click on the desired login title (not always unique, e.g. work and home e-mail on the same service). The page gets auto-filled. In these tests the loginID and PW were on the same page, but later I tried Google (Gmail), with the PW on a separate page, and it worked.
  • Alternate procedure: left click on the BW icon. It will show a list of relevant logins. Click on one (in the name area) and pick Auto-Fill in the resulting menu.
  • Both accounts: login succeeded. Ring has 2FA which BW doesn't know about. And (as of 2021-04-xx) Ring does not make the TOTP seed visible for authenticator apps like Bitwarden.
• On my cellphone's browser (Firefox for Android), install the Bitwarden web extension; similar procedure to desktop Firefox. [Done.]
• For each test account, use the mobile browser's BW to launch the login page, similar to the desktop test. You can also use the native BW app as a bookmark launcher, or you can navigate to the site another way. With the login page open, click in the password field (not the loginID field), and a tag should pop up saying Auto-fill with Bitwarden, go to my vault. Click on it. If your session has timed out it will ask for uour BW password. A list of login entries will appear (usually unique). Click on it. The login form will be filled in.
• Successful login for both accounts, except the Ring app went around in circles offering to make a lock screen shortcut and various similar stuff one at a time (declined), and each time I had to auto-fill again. It didn't do that before, and I hope it doesn't go through this performance on every BW login.
• On my Android cellphone, install the Bitwarden app, and set it up. I followed the link to the Play Store on the Bitwarden download page. (vs. launching the Play Store app and searching, which would have been better). It made me log in twice to my Google account. Eventually the Play Store web UI got the browser to download the APK and pass it to the installer.
• Setting up the Android native app:
  • Click on the BW app's icon.
  • Log in to BW. (Is it going to save the credential? Yes the loginID, but not the password.)
  • Hit Settings. These need fiddling:
    • Auto-Fill is disabled. Click on it. Turn on Auto-fill Service (select BW in the pop-up), Use Accessibility (allow full control), and Use Draw-over (which for me was already on).
    • Auto-Fill on Page Load: It's off by default. If you want it, turn this on. But explaining when and why this works or doesn't is too complicated, and you may want to advise your users (wife) to just click on the BW icon every time.
    • Security/Vault Timeout: the default is 15min, but I found while writing these notes that I usually went over that time. I changed to 1 hour. It is possible to keep the session forever (equivalent to saving the password), but this is a really bad move for security.
    • Defaults are OK for all the rest.
  • Under Settings/Tools are an item to log out, and to launch the BW web GUI.
  • To cue the BW app to auto-fill other apps' login forms, edit the relevant login entries adding a second URI like androidapp://epic.mychart.android or androidapp://com.ringapp . To find the name of the app, long press on its icon, hit App Info (or the i icon if there's an active icon menu), click on Advanced (at the bottom), scroll to the new bottom, and the version and the name are shown there.
  • If you're editing on the web GUI, you'll need to sync the DB: in the BW app click on Settings/Sync. If you edit in the Android app you can use the URI immediately; and it will be sent promptly to the mother ship.
  • Iconify (close) the app.
• To launch a web page from the Bitwarden app:
  • Open the app; My Vault should be showing.
  • Click on Logins. A list of item titles will appear; there's also a search icon in the top title row.
  • Find your item and click on the traffic light icon at the right edge (3 vertical dots). Click on Launch.
  • The service's native app will be launched, or a web page will be opened by your default browser in a new tab/window. Proceed to auto-fill as described in the previous section.
• Now testing app login (vs. web page login): Start the Ring and MyUCLAHealth apps and authenticate with Bitwarden. If you're persistently logged in to the app already, to do the test you'll need to log out, or force-stop it (from App Info). MyUCLAHealth: successful login. It automatically popped a little tag saying Auto-fill, go to vault. Click on it, it auto-fills. Ring: For the test, if you're already logged in, do hamburger/Account/Logout (at bottom). Re-launch the app. You get the splash screen, hit Login. Click in E-mail (other apps/pages may need you to click first in Password). It pops a tag saying Auto-Fill with BW. Click on it. It shows a list of 1 matching item. Click on it. Ring wants a 2FA code sent by SMS (and they won't divulge the TOTP seed, otherwise BW could take care of this). It let me on.
• Export (unencrypted) the vault content. I'm doing this on desktop Linux with test data in the vault.
  • https://bitwarden.com/help/article/export-your-data/
  • Log in to your vault. Gotcha: if you've created an Organization, its items are visible on your main page, but you won't be able to export them; it will export just the ones (if any) in your personal vault, with no error message. Switch to the vault containing the items you intend to export.
  • Switch to Tools tab. Hit Export Vault.
  • Pick your file format: JSON, CSV, encrypted JSON. Give your BW password. For backups you want unencrypted JSON (the default) which you will encrypt yourself. Encrypted JSON is encrypted with your session key, and if your vault gets trashed and you have to re-create it, the session key will change and you can't read the backup. CSV represents almost all of the vault data but loses certain arcane features.
  • Your web browser will download the backup, world readable. Make it readable by you only, encrypt it with output in your backup directory, and shred the plaintext. I've got to automate this, with sanitary file permissions and with pipes used wherever possible, because shred is ineffective on a solid state disc.
  • Inspect the plaintext. Both CSV and JSON look correct as to form, they're complete, and both test and production data are identical to what I put into the vault.
• Importing a file.
  • I got a positive statement from BW help pages: when you import, every object in the file is added to the database, producing duplicates. It's recommended to either purge (empty) the vault before importing, or make sure that none of the objects to be imported are already in the database, by getting them out of the file, or out of the database if you intend to replace.
  • So I couldn't really do the import test I had planned. On the test data, having the exported CSV, I purged the vault and re-imported it, with no errors and equal comparison with the original.
  • Procedure to import (after purging, if needed): In the Tools tab, click on Import Data. Set the file format. Use the file browser to find your backup. Hit Import Data. A toast pops out saying the data has been imported.
  • Suggestion to Bitwarden: handle an import like a sync.

My existing password manager is a flat file (encrypted) with a fairly consistent format. I wrote a script to convert it to JSON, and when I botched the format and couldn't find what was wrong, I changed to convert to CSV. That took some work, but less work and less errors than cutting and pasting 127 items from the flat file to Bitwarden's item form. For checking that my JSON is correct as to form, I used https://jsononline.net/json-checker. Of course the attribute names have to be what Bitwarden expects; https://bitwarden.com/help/article/condition-bitwarden-import/ will get you started creating the JSON or CSV file but for gory details you will need to export and inspect a backup of test data.

Bitwarden in Operation

I now have all our passwords in Bitwarden. Both my wife and I agree that this is a low friction way to get passwords onto login forms, much less hassle than copying by hand from the flat file or the paper copy. The workflow in Bitwarden has to be learned, but it's pretty simple and convenient, particularly if you go through the settings and turn things on or off according to your preferences, and adjust the timeout to balance security and useability. Comparing BW's user interface with competitors that I didn't install, some promise a slicker experience and/or more focus on useability (vs. security) in the out-of-the-box setting defaults, but the PMs that lost this competition didn't match BW in other important core criteria.

These jobs still need to be done:

• Automate the process of backing up the Bitwarden vault.
• Continue to work with Customer Support to find out what's going on with the bug Jimc screwup that prevents importing a JSON backup. [Done.]
• Write the report generator that turns a vault backup into a useable paper document. (Do we really want to continue doing this?)
• Investigate on-premises hosting. Seriously evaluate the pro and con for on-premises vs. commercial hosting.
• Get our son set up with Emergency Access.
• Identify all our accounts that require TOTP-type 2FA and that tell users the TOTP seed, and configure that in Bitwarden so it can generate the codes. (Very few reveal the seed.) Think really carefully about the security implications of having the second factor accessible through the same service as the first factor. Also think about the weaknesses of SMS as the medium for 2FA.
• Think about a hardware 2FA key; are we paranoid enough to require this to get at our Bitwarden vault?