Tom here from Lawrence Systems, and we're gonna talk about Bitwarden, the open source security password manager. But I know some people think open source, they think it might be insecure, etc. They've gone through audits. They've gone through all this. We're gonna cover a couple of those details. But managing passwords is very challenging. I will mention that we've been using Bitwarden now for just about seven or eight months. We moved over from LastPass. I still think LastPass is a good product, so if you want to use LastPass, I have no reason not to use it other than it's not open source and it doesn't have a self-hosted version. Those two checkboxes Bitwarden has, and I thought that was great.

Now, before you think I'm a paid shill from Bitwarden, which someone will accuse me of anyways: no, Bitwarden did not influence this video in any way. Matter of fact, I pay for licenses for Bitwarden. So take that for what you will. There's still someone who that will not satisfy, but hey, at least I disclosed it and follow my ethics policy, if you want to understand better about how I do disclosures on this channel. This channel is about products we use and why we use them, in my essentially biased opinion, because I like the product. So I will say I'm biased towards liking Bitwarden, but I'm not biased because money was thrown at me for my bias.

So I want to talk about why you might want to consider using Bitwarden, some of the ins and outs of password managers, and reducing your threat level, because that's what all this is about when it comes to security. You never get your threat to zero, but you can do things to help mitigate and reduce your threat surface. Bitwarden is one of those tools in my toolbox.

Before we dive into that, let's first, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a hire us button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a join
button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

And we'll start right here at the Bitwarden page: open source password management for you and your business. And just because it's open source doesn't mean it's secure. That is something where people conflate that, and they think because the source code is available that, oh, that means it's been audited and people went through it and there's no holes in it. No, that costs money, to actually have proper security auditing. They have gone through security auditing. They paid not once but twice to have companies audit their code. So they have gone through security auditing. So one, the source code is available; two, it has been vetted. It's not just a pile of code that's just available to the internet but people haven't really taken the time to audit and poke at it. Yes, it's been audited and poked at. And if you're worrying about the infrastructure by which they host it on, they have completed a SOC Type 2 and SOC 3 audit, and they've got the details on here.

Let's talk about Bitwarden.
Now, as the company, Bitwarden started as an open source password manager. A lot of people asked me about using it, and I said not until it was audited. It went through some audits, and then I got around to moving from LastPass over to Bitwarden earlier this year. In January of 2020, I think, is when I first started using it, and somewhere not long after is when we actually switched to it. Now here we are in October of 2020, and I'm really happy with it. We've watched it go through a few updates. We've seen bugs get fixed and we've seen features get added, and we're self-hosting it. This is why I mentioned the updates, because the updates come via Docker images. We do a docker pull and get the updates, and so far it's migrated all the data. They did a nice job the way they containerize it with Docker, keeping all the different services separate and the data separate. So it's easy to understand if you're familiar with how Docker architecture works, of keeping your data separate from the application layers, and that way the components can be all updated, and that's all worked really well.

Now, using it as an IT business: I know someone's going to say, what about KeePass or any of these other ones? And I never found them quite as scalable, because one of the challenges is we have hundreds of clients. That challenge means having those clients having to have unique passwords, not a stupid password scheme that you thought no one would guess. That's one of those roll-my-eyes. We've done IT takeovers where we see people come up with a scheme by trying to add some common digits to a common password, like relating it to their address or something like that, of the physical address of the client. Don't do that. You need unique passwords. If you have some type of admin account you need to create on clients, and frequently as an IT provider this is something you need to do, then you have the next problem: you have a team of people and they need to be able to get to these passwords or they can't service the client.
So you have to have a way to manage all of this. Bitwarden gives you that granular password options. It allows you to share it with your teams, and for those wondering, yes, there's directory synchronization with Active Directory, etc. It's not a feature we're using, but it is something they do offer on Bitwarden, so you can synchronize things to it.

Now, one of the problems I have with some of these solutions that are out there that exist now, and no, I don't have an exhaustive list of all of them, or I don't know what's going to be coming out in the future from the time I make this video to the time you may be watching it, but a lot of these other companies, my first fatal flaw with any of them: can the back-end people, whoever runs those companies, see my password? This is something that LastPass and Bitwarden solve by simply not having your password. They handle all the encryption in the browser or in the application. So when you type in your master password, hashes are compared, is the simplest way. There's a lot more complexity to it than that, but they make sure that the decryption layers that are occurring happen on your client, not at their end. That way you're not passing a password; even though you type it in the browser, you are not passing the password over to them. They don't have access to the password. That password decrypts the blob, as it's referred to, the encrypted blob. Like I said, this is still describing both how LastPass and Bitwarden work. And then the decrypted blob decrypts and opens up in the application, and now there's all your passwords. So if there was an insider threat at one of these back ends of the company, Bitwarden or LastPass can't read your password. That's an important aspect, and that helps reduce threat surface, because insider threat is very real here in 2020.

So I thought I'd get that out of the way, that that is the functionality by which these work, and companies that don't work that way are immediately off my list. And as I said, I don't have an
exhaustive list, but that's a question you can ask any sales rep: hey, who in the back end can see my passwords? All right, I'm not using you, is kind of how that conversation goes with me, because, well, it's just kind of scary to me that we have a lot of passwords and someone might be able to see them.

Now let's talk about some functional features that I really like about Bitwarden. A lot of this video was prompted by this blog post, and I thought it's a good write-up, that's just from October 7th: Bitwarden for MSPs. And they kind of addressed some of the complaints I've heard, and some of them are kind of annoying, but I'll address this one right up front: reseller program. They do allow you to resell it, but I've seen some companies just be upset because there's not like a commission channel-partner-only program, and I've seen people say, well, it's a great solution, but if I can't make money selling that solution to my clients I can't recommend it. And that's not the way I start with a product. I start with: will the product provide the best-in-class service for my client? And cool if it has a resale program. If it doesn't, if it's the best in class for my clients, then it's something we're gonna look at us using.

Vaults for every client organization, easy management for dozens of clients, streamlined user provisioning and deprovisioning for clients. This is some of the things I talked about, like the Directory Connector, which they have right here, syncing users with different things like Active Directory, LDAP, Azure, G Suite, OneLogin, etc. So there's a lot of different options on there. Organizational vault health reports. Cloud or on-premises or self-hosting options.

Now, this is where maybe I'm a little bit overly cautious, because we choose to self-host Bitwarden, and it's gone really well self-hosting it. The cloud version, they've gone through a SOC on it.
So we know they've got solid infrastructure, but also being able to self-host this internally and adding that extra layer of confidence and protecting it behind a VPN. So even though I'm self-hosting it and keeping it up to date, which their auto updater, well, updating tools I should say, not auto, but updating tools they have, worked really well and have gone very smooth. Also, being behind a VPN means if there was some type of flaw, that buys you essentially kind of extra time. Someone has to be within my network to exploit said flaw in between the time a flaw may have been discovered or an update been applied. Having this behind a VPN, just, well, is one more security layer that I feel comfortable with, and it's worked out really, really well using this all this year so far, for about, what, about six or seven months now, I think, we've been using Bitwarden.

Cross-platform compatibility, and this is something that's really important, because obviously for those of you that follow this channel, you know I'm a Linux user, and Linux, no problem; Windows, no problem; if you want to use the phone app, which we don't use because that's where we keep all of our 2FA stuff, so I do keep it off of the phone. That's just me being a little bit, you know, tinfoil hat maybe, but hey, it's got compatibility for all those options. And as I mentioned, Bitwarden for value-added retailers: in addition, partners can resell Bitwarden product as is and let Bitwarden handle customer technical support. So for those of you that are looking for an option to sell Bitwarden, it does have that option.
I will mention, too, their pricing is right up front and on here. So if you want to go with the self-hosted, that would be the enterprise version right here. You go through setup, create the organizational steps, and then you have the self-hosted option right here, or you can just play with the free version, set up a demo, etc. And I have no offer codes or if that goes; like I said, I'm not reselling Bitwarden to you, as in people watching here on YouTube, but I am mentioning it is something that they do have, the option and offerings, so you can resell it.

So this is my endorsement of Bitwarden. I do like it as a product. It does help reduce threat surface by not having people on the back end who can see it. It does let me keep my tinfoil hat nice and tight when it comes to security, the fact that I can self-host it. It does make it easy for me to manage my staff and have granular levels of permission so I can practice principles of least privilege properly and understand what people have access to, and share and sync all those passwords. And the directory sync is something we're looking at too, as we look into different organizations and being able to synchronize it. I think it's an overall great solution.

Now, we moved from LastPass, and for those of you that may be considering moving off another password manager, they do have import and export options. So if you import into Bitwarden from one of those other options, that was actually pretty pain-free. And I like the fact that they have an export option, so if you decide, I don't like this tool, I want to move away from it, they don't lock your data up in some weird format. You can get the data back out and then move it into the next platform that you need to move it into, whatever makes you happy. These are things that I think are really important for when you're choosing a password manager and a password management system. And this helps bring up that level of security, because it easily lets you have very unique, very high entropy passwords for all
of your clients, which I'm hoping all of you do. I'll leave a link as well to my Bitwarden review and something that was mentioned when I did a video about MSPs getting breached. I've dealt with, I did a video with Huntress Labs. We talked about this, and one of the things that really accelerates these breaches is the fact that common passwords are frequently used at managed service providers, because they don't want to use some of these different type of password managers, or they do use them and just keep using common passwords across a lot of clients. So in a breach-type situation, having the same password everywhere makes it easier for that type of lateral movement. This is why it's so important to have a good password manager.

I still am using Bitwarden, and if that ever changes, I'll do a video on it, or, you know, tag me on Twitter if you're curious, if you're watching some time in the future: hey, Tom, are you still using Bitwarden? But as of October of 2020, I am completely impressed by the product. The updates have gone well, the whole system I'm excited about and really happy with, and just wanted to share my thoughts on it as a good solution for password management. All right, thanks.

And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot
of great tech offers for you. And once again, thanks for watching, and see you next time.