A
© BITWARDEN
A COMPATIBLE WEB BROWSER
Administrative rights to set up the password manager
IN LATE 2023, cybersecurity blogger Brian Krebs reported on the November 2022 breach of LastPass’ database, wherein the password vaults of 25 million users were stolen. Citing a recent spate of cr yptocurrency thefts to the value of $35 million from security-conscious people in the tech industry, Krebs speculated that at least some of LastPass’ vaults were cracked.
It’s hard to tell if this is true, as like many password management platforms, LastPass isn’t fully open-source. Proprietar y software can’t be subjected to public scrutiny, so it’s difficult to verify claims like ‘zero knowledge encryption' ser ver-side. Open-source software is built on the philosophy that ‘many eyes make bugs shallow’, making it the gold standard for privacy.
In this guide, we’ve focused on three of the very best open-source password managers. By making the source code freely available, the developers are providing the best assurance that the software lives up to its claims. We’ll also focus on what KDFs (key derivation functions) are used, along with which encr yption algorithms are deployed for savings sensitive data.
You’ll also glean tips on creating a strong, memorable master passphrase, and learn why you really can’t rely on your browser’s built-in password manager.
–NATHAN JORDAN
1 BITWARDEN
First release: 2016 Suppor ted OS: Linux, macOS, Windows Browser extension: Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Arc, Brave, Tor Mobile version: Yes (Android & iOS)
Available in Microsoft Store: Yes Bitwarden uses an open-source codebase, and all core functions are available for up to two users free of charge. The developers actually take their open-source credentials seriously, making all code available via GitHub. They also submit to regular security audits and offer a bug bounty program.
» This means that when Bitwarden claims that all user credentials are protected by zero-knowledge end-to-end encr yption, it’s easy to take these claims at face value. Upon first registration, users are asked to create a ‘Master Password’ of at least 12 characters [Image A]. Bitwarden then works client-side with PBKDF2 or Argon2 to stretch the master password using the user’s email as a salt to create a 256-Bit master key.
» Neither this master key nor the original password are ever stored on Bitwarden’s ser vers, meaning that even if a hacker were to breach them, they’d still have to crack your data, which is secured with AES-CBC 256 bit encr yption.