BitWarden: My New Password Manager

Good Morning from my Robotics Lab! This is Shadow_8472, and today, I am switching my password manager from LastPass to Bitwarden. Let’s get started!

Introduction: Password Strength

It’s almost comical when a digital security expert starts a talk in a packed auditorium and asks, “How many of you use the same password everywhere you go?” and half the people raise their hands. A facepalm or two later and the speaker may start comparing it to how that’s like a company keying all their locks to the same key, regardless of department or security level. It’s a stupid, stupid, stupid idea, and I am guilty of doing it up until two or three years ago.

The absolute worst password you can use is one someone else already has without your permission. The next worst is one someone else can quickly guess. The web comic XKCD’s strip Password Strength gives a concise explanation: long, simple passwords are easier to remember and harder to guess than short passwords butchered with special characters.

But you could have the strongest password in the world and still be vulnerable if you’re using that password for all your accounts. If just one of those sites is compromised, an attacker now holds a key ring that opens every other account you used it on, and can simply try it against all the popular sites; you will spend a long time cleaning up.
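The strip’s point is that strength comes from how many random choices go into a password, not from how ugly the result looks. The following Python is an added example, not part of this post, that puts numbers on that: it scores a password by the size of the pool each symbol was drawn from and how many symbols were drawn, then converts the bits into brute-force time. The guess rates at the top are constructed order-of-magnitude assumptions, and the word-list sizes are the common 2048-word and 7776-word lists.

```python
import math

# Constructed, order-of-magnitude guess rates used only to put the bit counts in perspective.
ONLINE_GUESSES_PER_SEC = 100          # a throttled login form
OFFLINE_GUESSES_PER_SEC = 10 ** 10    # a leaked fast hash attacked on a GPU rig

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent, uniformly random picks
    out of `alphabet_size` choices. A whole word counts as one pick if the word
    list is the alphabet, so a passphrase is just a password with a big alphabet.
    Note this only holds for picks that really are random: a single dictionary
    word with a capital and a '3' for an 'e' is one pick plus a few mangling
    choices, far fewer bits than its length in characters suggests."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Expected brute-force time: on average the attacker finds the secret after
    searching half the space."""
    return (2 ** bits) / 2 / guesses_per_sec / SECONDS_PER_YEAR


# Name -> (alphabet size, number of random picks)
SCHEMES = {
    "8 random printable ASCII chars":  (95, 8),
    "12 random lowercase letters":     (26, 12),
    "4 random words (2048-word list)": (2048, 4),
    "4 random words (7776-word list)": (7776, 4),
    "6 random words (7776-word list)": (7776, 6),
}


def report(schemes=SCHEMES):
    """Return (name, bits, online years, offline years) for each scheme."""
    rows = []
    for name, (alphabet, length) in schemes.items():
        bits = entropy_bits(alphabet, length)
        rows.append((name, round(bits, 1),
                     years_to_exhaust(bits, ONLINE_GUESSES_PER_SEC),
                     years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC)))
    return rows


if __name__ == "__main__":
    for name, bits, online, offline in report():
        print(f"{name:34s} {bits:5.1f} bits   online: {online:9.3g} y   offline: {offline:9.3g} y")
```

Running it shows that four random words from a 7776-word list land within a bit of eight random printable characters, and every extra word adds nearly thirteen bits; the offline column is the one that matters once a site leaks its password hashes, which is exactly the situation where reuse turns one breach into many.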

Password Managers

But then, convenience. The human mind would rather not remember tens or hundreds of passwords that may be up to date or replaced. That is where a password manager comes in. You log in with your one master password, and it automatically fills in passwords as you go. Set up properly, it’s even faster than entering your one password each time everywhere you go, and a basic setup isn’t all that hard to do.

At this point, a password manager should sound like a major security vulnerability, akin to a nicely organized key cabinet in the lobby, but a properly designed password manager never knows your passwords except when and where they’re needed. Your master password is used to help scramble and unscramble your passwords on your own computers. The rest of the time, it’s a bunch of otherwise meaningless garbage to anyone trying to poke at it.
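To make that “key cabinet” argument concrete, here is an added example (not code from this post or from Bitwarden) of how a client-side-encrypted vault is put together, using only Python’s standard library. The shape mirrors the design Bitwarden documents: PBKDF2 over the master password with the e-mail as salt gives a master key that never leaves the device, a second one-iteration derivation gives the server a login hash from which neither password nor key can be recovered, and the vault itself is encrypted under keys split off the master key. The iteration count is an assumption, and the HMAC-counter stream cipher with encrypt-then-MAC is a stand-in for the AES-256 a real manager uses; the `Server` class is a constructed stand-in for the hosted service.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; real products tune this


def derive_master_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side only. The e-mail is a public, per-user salt; the output never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(),
                               iterations, dklen=32)


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more one-way step, so the server
    can verify the user without ever holding the password or the master key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, dklen=32)


def split_keys(master_key: bytes):
    """Derive separate encryption and MAC keys from the master key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; stands in for AES here.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_vault(master_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob goes to the server."""
    enc, mac = split_keys(master_key)
    nonce = os.urandom(16)
    plaintext = json.dumps(vault).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    enc, mac = split_keys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
    return json.loads(pt)


def can_open(master_key: bytes, blob: bytes) -> bool:
    """True if this key opens the vault, False otherwise (no exception)."""
    try:
        decrypt_vault(master_key, blob)
        return True
    except ValueError:
        return False


class Server:
    """Constructed stand-in for the hosted service: it stores only what it is sent."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        self.users[email] = {"auth": login_hash, "vault": blob}

    def login(self, email: str, login_hash: bytes) -> bool:
        return hmac.compare_digest(self.users[email]["auth"], login_hash)

    def fetch(self, email: str) -> bytes:
        return self.users[email]["vault"]


if __name__ == "__main__":
    email, pw = "user@example.com", "correct horse battery staple"   # constructed sample
    mk = derive_master_key(pw, email)
    srv = Server()
    srv.register(email, auth_hash(mk, pw), encrypt_vault(mk, {"example.com": "s3cret"}))
    print("login ok:", srv.login(email, auth_hash(mk, pw)))
    print("vault:", decrypt_vault(mk, srv.fetch(email)))
    print("plaintext visible to server:", b"s3cret" in srv.fetch(email))
```

Everything the server holds is the login hash and the blob; even with both in hand and the code above, getting at a password means guessing the master password through the full PBKDF2 cost, which is why the iteration count and the master password’s length are the two knobs that matter.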

Furthermore: don’t “log in with <Platform X>”. Ever. Only if there’s no other way, and even then: take pause. Merged accounts are worse than using the same password because they are by definition using the same username as well. A break-in to one is a break-in to all linked accounts.

From LastPass to BitWarden

I am displeased to announce that LastPass today is chasing off a lot of their free users by making them choose between types of devices: desktop/laptop or mobile. I personally only use a tablet for one or two things, like reading my Bible or viewing PDFs. This won’t affect me but maybe once a month or two when I’m not bothering to walk to a desktop. Still, I don’t like it. It’s not like they’re getting any of my money anyway.

I chose BitWarden because it kept coming up as a good alternative. Not only is it open source, but its code has been audited, and I can self-host it as well: all highly desirable features, whereas LastPass is, at most, only audited.

The actual switch once I had my personal server up was easier than getting the dogs ready for a walk. All my passwords were moved in a single transaction, categories and all.

Personal BitWarden Server

First of all, IF YOU DON’T KNOW WHAT YOU’RE DOING, JUST SET UP A REGULAR ACCOUNT! That said, I want to challenge myself, and I believe this is reasonably within my grasp. I closely followed sensiCLICK’s Full Guide to Self-Hosting Password Manager Bitwarden on Raspberry Pi on my BlinkiePie, my Pi 3B+ using a fresh, minimal install of a Raspberry OS.

I don’t really have much to say here because I don’t understand a lot of the new stuff I did. Some instructions had changed in the months since the video was released, but there were notes in the chapter titles. The tutorial, ironically, didn’t tell its viewers to change the default password (‘raspberry’), which you should do. I changed the hostname, gave it a static IP, and not much else. I’ll need to save locking it down for another week when I have more time to propagate BitWarden across the rest of my devices that need it.

Takeaway

Passwords, like locks, are a balance between how badly people want in versus how badly you want to keep them out. Short passwords are easier to enter (if they can be remembered); long passwords keep attackers out longer.

Final Question

How many unique passwords do you use?
