I understand why they're doing this but if I was okay with Google being able to lock me out of my password manager then I would simply be using Google's password manager already
posted by mcc@mastodon.social
@mcc but what if I need that password in bitwarden to access my email? Hmmm....
posted by Walker@infosec.exchange
@Walker Right? It's just :|
posted by mcc@mastodon.social
@Walker @mcc Just use KeePassXC to save your email password.
posted by kaito02@mastodon.social
@kaito02 @mcc This could turn into a nesting doll's worth of password managers.
posted by Walker@infosec.exchange
@mcc I don't use a Gmail-domain email for Bitwarden, so I can host that email address elsewhere at some point... it sure is inconvenient and difficult to migrate away from all that Google & Android stuff though...
posted by johnefrancis@cosocial.ca
@johnefrancis Something has to be at the root. If I self-host a domain I have to worry what happens if that domain stops working and I need to use email 2FA to fix the domain.
posted by mcc@mastodon.social
@mcc I want 3-4 hardware keys as the roots. Keep one out for regular use, the rest distributed in safes. If I lose the safe combination, I can pay a locksmith to open it. I can put a hardware key in a safety deposit box.
posted by johnefrancis@cosocial.ca
@mcc also...I have a hardware key. BW has never been super good about letting me put the hardware key as the highest-priority auth method and demoting everything else to recovery (or oblivion)
posted by johnefrancis@cosocial.ca
@mcc
https://bitwarden.com/help/self-host-an-organization/
posted by dragonsidedd@sciencemastodon.com
@mcc New fear unlocked.
Gotta start making backups of my passwords now, I guess.
posted by slyecho@mdon.ee
@slyecho I haven't looked into what the emergency options are
posted by mcc@mastodon.social
@mcc Export .json, .csv, .json (encrypted)
But how to automate it...
Gotta hope that when I need my email password on a new device, I also have a device handy where I logged in before.
posted by slyecho@mdon.ee
@slyecho @mcc
https://bitwarden.com/help/cli/
bw login, export…
I use this now and then, similar to pass, which I use often.
I too am dismayed that additional “features” get added with a little “Surprise!” element to them 🫤
posted by danhugo@fosstodon.org
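slyecho asked how to automate the export and danhugo pointed at the CLI (`bw login, export…`). What that automation looks like as a script, as an added example that is not code from the thread or from Bitwarden: a scheduled, password-protected `encrypted_json` export that is checked before it is kept. It assumes the `bw` CLI is installed and `bw login` has already been run once on the machine, that the caller supplies BW_MASTER_PASSWORD and BW_EXPORT_PASSWORD in the environment, and that BACKUP_DIR is where the files go; the `"encrypted": true` / `"items"` markers it checks for are taken from the shape of Bitwarden's own export formats and should be confirmed against an export from your account.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Bitwarden: make a
# password-protected encrypted export of the vault on a schedule, so a
# lockout from the hosted account does not mean losing every credential.
# Assumptions: the `bw` CLI is installed and `bw login` has been run once
# on this machine; the caller sets BW_MASTER_PASSWORD (to unlock) and
# BW_EXPORT_PASSWORD (a separate passphrase for the export file) in the
# environment; BACKUP_DIR is where the exports land.
set -eu

BACKUP_DIR="${BACKUP_DIR:-${HOME:-.}/vault-backups}"

# Timestamped (UTC) file name so earlier exports are never overwritten.
export_name() {
    printf 'bitwarden-%s.encrypted.json' "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Refuse to keep a backup that is not what we asked for. An encrypted_json
# export carries a top-level "encrypted": true marker, while a plaintext
# export has a top-level "items" array with cleartext logins in it
# (format details assumed from Bitwarden exports; check against your own).
verify_export() {
    local file="$1"
    [ -s "$file" ] || return 1
    grep -q '"encrypted": *true' "$file" || return 1
    if grep -q '"items"' "$file"; then
        return 1
    fi
    return 0
}

backup_vault() {
    command -v bw >/dev/null 2>&1 || { echo "bw CLI not found" >&2; return 1; }
    : "${BW_MASTER_PASSWORD:?set BW_MASTER_PASSWORD}"
    : "${BW_EXPORT_PASSWORD:?set BW_EXPORT_PASSWORD}"

    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    local out="$BACKUP_DIR/$(export_name)"

    # Unlock without a prompt; the session key never touches shell history
    # or a file, and the vault is locked again when this shell exits.
    BW_SESSION="$(bw unlock --passwordenv BW_MASTER_PASSWORD --raw)"
    export BW_SESSION
    trap 'bw lock >/dev/null 2>&1 || true' EXIT

    bw sync >/dev/null

    # --password makes a "password protected" export: it imports into any
    # account given BW_EXPORT_PASSWORD. Without it the export is "account
    # restricted" and only re-imports into the same account, which is
    # exactly the account a lockout takes away from you.
    bw export --format encrypted_json \
        --password "$BW_EXPORT_PASSWORD" \
        --output "$out" >/dev/null
    chmod 600 "$out"

    if ! verify_export "$out"; then
        echo "export at $out failed verification, discarding" >&2
        rm -f "$out"
        return 1
    fi
    echo "$out"
}

# `./vault-backup.sh run` from cron; sourcing the file only defines the functions.
case "${1:-}" in
    run) backup_vault ;;
esac
```

Two caveats worth knowing before relying on this: the export passphrase is the nesting-doll root the thread is circling, so it has to live somewhere that is not the vault (paper in the safe, alongside the 2FA backup codes), and `bw export --password` puts that passphrase on the command line, where other local users can read it from the process list while the export runs; `bw unlock --passwordenv` avoids that for the master password, which is why the script reads it from the environment instead.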
@danhugo @slyecho They are at least giving ample advance warning on this one
posted by mcc@mastodon.social
@mcc @slyecho
Another blinking light to pay attention to…
I recently switched devices and encountered this, and I was just mentioning the encrypted-credentials problem for backups: when your credentials are encrypted in the backup, decrypting or accessing the backup…
As long as it keeps my SSN safe from hackers ;-)
posted by danhugo@fosstodon.org
@mcc @slyecho
Received email notification this morning from Bitwarden regarding new login procedure.
posted by danhugo@fosstodon.org
@mcc I did see this:
posted by gord@peoplemaking.games
@gord Thank you.
The problem is some form of 2FA does seem like a good idea. I wonder if there's a way to get some of the benefits without adding hard gmail failure points.
posted by mcc@mastodon.social
@gord I am considering suggesting as a third option offering a "reverse 2FA" option:
This could help with catastrophe scenarios while creating only limited risk of a Problem
posted by mcc@mastodon.social
@mcc @gord Isn't that how emergency access works for BW? When I set it up I'm pretty sure that's how it was set up, maybe minus the approve part before the end of the delay.
posted by Thibug@mastodon.social
@mcc That is a good idea.
Now that said, is there a reason you don't want to do regular 2FA through an authenticator app? That seems like a secure enough option. Print off the backup codes and keep them safe in case you lose your device.
posted by gord@peoplemaking.games
@gord Bitwarden is my authenticator app
posted by mcc@mastodon.social
@mcc Bitwarden Password Manager can be hooked up to Bitwarden Authenticator to do 2FA, in which case they do not do the email authentication part (if I'm reading all this correctly). The email part is only if you use the password manager without 2FA.
posted by gord@peoplemaking.games
@gord Okay, so I guess then the idea is I never get locked out as long as I still have one remaining device running Bitwarden?
posted by mcc@mastodon.social
@mcc When you hook the authenticator app up, you get a bunch of backup codes, you print those off and save them somewhere very safe. Those are your safety net. With those you can lose all your devices and still be OK.
posted by gord@peoplemaking.games
@mcc @gord I am concerned about a scenario: email doesn't get a reply because I don't notice it. Vacation, or just a ludicrous amount of spam in my inbox.
posted by cascheranno@hachyderm.io
@cascheranno @gord I am describing a hypothetical opt-in feature. One can set an email client to highlight certain things so they are not missed.
posted by mcc@mastodon.social
@mcc
Can't you use a physical token, like, say, a Yubikey instead? That'd be much more secure than a flippin' email.
posted by praxiscode@mastodon.online
@mcc I got this and had the same reaction... Wondering what is the 2 step login alternative they offer there... But it's definitely a weird loop to be in if your email password is in bitwarden in the first place
posted by LeoRJorge@mastodon.social
@mcc I feel very strongly that a credential manager, or really any sort of secure secret store, should not have a dependency on a third party, never mind a completely open-ended third party category like "any user's email provider"
posted by jcoglan@mastodon.social
@mcc to be more specific, a dependency the user did not actively opt into, by e.g. saying "I would like you to store my data in "
posted by jcoglan@mastodon.social
@mcc the whole point of the cryptography in these systems is that the mechanism for verifying the identity of the person trying to unlock the store is baked into the store itself
posted by jcoglan@mastodon.social
@mcc My Bitwarden points to Proton. Seems fine to me?
posted by cosmic_spinnerette@mastodon.social
@mcc This only happens if you don't already have 2FA enabled. Just enable a TOTP authenticator on your account and this behavior goes away. Should be the default anyway.
posted by jantzen@mas.to
@jantzen ? but isn't bitwarden my TOTP authenticator?
posted by mcc@mastodon.social
@jantzen Is your suggestion that I set up Bitwarden to only let me log in on a new device if I TOTP authenticate on a second, existing Bitwarden device?
posted by mcc@mastodon.social
@mcc @jantzen in principle, I think you’re supposed to have a separate password manager and TOTP authenticator, since otherwise you’re reducing your two factors to one. I don’t really know how much that matters, or what considerations your threat model makes about a breach of your password manager
posted by shadowfacts@social.shadowfacts.net
@shadowfacts @jantzen is it actually true that two programs on my phone is more secure than one program on my phone?
posted by mcc@mastodon.social
@mcc @jantzen it would shift the single point of failure to your device, away from a cloud-synced thing. How exactly that affects one's threat model, ¯\_(ツ)_/¯
posted by shadowfacts@social.shadowfacts.net
@mcc @shadowfacts @jantzen well, in the scenario under discussion (logging in to bitwarden on a new device) isn't their concern that it's currently 0 programs on my phone? All that's needed is my master password.
As I read their announcement, if one has some non-email 2FA set up already, then the new email based 2FA is not required, right?
posted by esnyder@mastodon.social
@mcc as much as I love my bitwarden I love even more that I bit the bullet and set it up to self-host so they can’t throw curveballs at me. we shouldn’t have to work so hard to stay in the “you can have a nice thing” zone really.
posted by djsundog@fedi.reclaim.technology
@mcc Yeah, I'm a paying Bitwarden customer & this'll be a deal-breaker for me.
posted by cascheranno@hachyderm.io
@cascheranno it can be turned off https://peoplemaking.games/@gord/113946747876533938
posted by mcc@mastodon.social