Imagine trusting Google with your passwords
Who do you trust with your passwords?
Proton. Bitwarden
I would understand self hosting but those are for-profit entities as well. They might be subject to less regulatory oversight because they’re smaller. They might not have as many resources to keep my data safe. They have benefits for sure but trust is not this easy to judge.
Between the for-profit businesses of Google and bitwarden, I’m going to trust bitwarden more.
Based on prcinpipes Bitwarden is an obvious choice. With things like passwords I’m leaning into giving my keys to a company that, if it comes to be, can pay gargantuan ransoms.
The difference is their business model is privacy. Google’s business model is advertising. I’m Proton’s customer, but advertisers are Google’s customers.
I don’t trust them in general but I’m certain Google doesn’t use my passwords for advertising.
The real issue is that Google stores your passwords in plaintext. That’s why they survive a password reset, or apparently now can be shared with others. Proton and Bitwarden encrypt your passwords so that nobody but you can access them, or at least in the case of Bitwarden, you can share with other users using pre-shared keys.
Why the hell would I do that?
We watched a show where there was a concept called a Dead man’s switch, and my wife asked me if I would ever do something similar, but include all my passwords, for everything.
“Absolutely not.” I told her.
No one can know about my smut logins.
Cool I guess?
Personally, I use Bitwarden with my wife. We pay $10/year, and we share a few things:
- streaming services
- online shopping services
- some bank accounts
Basically, if it’s something that doesn’t allow separate logins and both of us will need, we share them.
Everything else is not shared. $10/year is completely fair to me, and I’m probably going to upgrade to the family plan at some point. I plan to self-host soon, so I’ll have to see what plan we need to do that.
Bitwarden, DNS and email are the 3 services I pay for.
Passwords can’t be inaccessible, free DNS services never have an LE API, and email is extremely difficult to self host. The uptime and security I expect for these things means I’m happy paying someone else to take care of it.Bitwarden seem to be a great company and doing everything right (even though they are being annoyingly slow with passkeys on android, my only fault with their service).
Their subscription is extremely reasonable, so even if I figured I could self host it, I’d rather pay bitwardenWhat do you use for email?
I honestly don’t like passkeys, at least how they currently work. It seems the intent is to replace MFA with just one factor. I prefer 2FA with TOTP separate from my password manager, which means an attacker would need to exploit both to access my accounts.
That said, it’s a sticking point for many people, so I hope Bitwarden gets it soon. I just probably won’t use it.
From my understanding, passkeys is supposed to be something you have (phone) and something you know (pin) or something you are (biometrics)
I still use hardware keys like a yubikey (something I have) and my normal password via a password manager.