Tom here from Lawrence Systems, and Bitwarden completed another security audit, found some minor issues, and they were fixed. Now, this is a combination video of me talking about the security audit and talking about why I still use Bitwarden. I've been using it now for about seven months, so right now it's July of 2020, and I am still really happy with my self-hosted install of Bitwarden. But I wanted to talk about these security changes and the overall usage of Bitwarden. I'm not going to say it's a hundred percent perfect, as no product is perfect, but their continued improvement to the product has been really good, and their focus on security has made me really happy. So I'm talking about some of those details, and I'm not big on clickbait, so if you don't want to watch this whole video: yes, I'm still using it. Yes, I still like it. Yes, I still recommend it.

But before we jump into those details of why, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel.

Now back to our content, and we'll start right here: "Bitwarden 2020 security audit is complete. We take the security of Bitwarden seriously." Now they have, and over here on HackerOne,
they have a bug bounty program, which is awesome, but bug bounty programs are not the same as paying a pen tester, a company that does penetration testing, that does security auditing, to really test your product. So in addition to them having a bug bounty program, in addition to their 2018 audit of their code and cryptography, they also once again here in 2020 hired a company called Insight Risk Consulting and made public all the findings they had of their security audit, which is some minor issues, nothing major found, no, you know, huge holes found in their security: some potential issues with cross-site scripting, some potential CORS tightening up that they needed to do. So nothing was terrible that they found, and of course it was fixed.

And bringing up the fix is the updating. I want to bring this part up because of course the evaluation of this product and me using it for this long means, when these updates come, if you're using Bitwarden's site now, letting them host it and getting the service directly through them, awesome, it works great, and you don't need to update anything. And that's probably a great idea for the majority of people. For me, I chose to go the self-hosted route. The self-hosted route is a little bit more challenging because there are things you have to do to configure this. It's not like you just drop it in and load it. You do have to configure a mail server to work properly with it, you have to configure proper certificates or it will not work right, and you have to make sure that you have your domain and everything configured properly. There are steps involved in that. Of course, then you have to update it yourself. The good news is the updates have gone great over the last seven months of use, and their update script is really this simple, and I have not had any problems at all with their updates on there. Also, by the way, if you self-host it, you have to make sure you're backing it up. These are things that people ask me a lot when we talk about the self-hosted version.
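The backup point above is the one self-hosting caveat worth turning into a routine, and the routine is only real once a restore has been tested. What follows is an added example, not Bitwarden's own tooling and not code from the video: a Python script that archives a data directory, records a SHA-256 manifest alongside it, and proves the archive restores by extracting it into scratch space and re-hashing every file. It assumes the official self-host install's single `bwdata` directory (`BWDATA_NAME` is that assumption; substitute your own path), and the directory contents it creates are constructed stand-ins so the script runs offline.

```python
"""Archive a self-hosted Bitwarden data directory and verify the archive restores.

Added example, not Bitwarden's own tooling. BWDATA_NAME assumes the official
self-host layout (one ./bwdata directory); the files created below are
constructed stand-ins so the script runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

BWDATA_NAME = "bwdata"  # assumption: default directory created by the official install script
CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database files do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(root: Path, archive: Path) -> dict:
    """Write root into a gzip tarball plus a sibling JSON manifest; return the manifest."""
    expected = manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=root.name)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(expected, indent=2))
    return expected


def verify_backup(archive: Path, root_name: str, expected: dict) -> bool:
    """Restore into scratch space and compare hashes: an untested backup is only a hope."""
    # The 'data' filter (Python 3.12+, backported to older patch releases) rejects
    # absolute paths, '..' components and device files inside the archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        return manifest(Path(scratch) / root_name) == expected


def build_demo_bwdata(parent: Path) -> Path:
    """Constructed stand-in for ./bwdata with a few files in installer-style subfolders."""
    root = parent / BWDATA_NAME
    samples = {
        "env/global.override.env": "globalSettings__installation__id=PLACEHOLDER-INSTALL-ID\n",
        "mssql/data/vault.mdf": "constructed database bytes\n",
        "core/attachments/example.bin": "constructed attachment\n",
    }
    for rel, text in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return root


def demo(tamper: bool = False) -> bool:
    """Back up the constructed directory and verify; tamper=True simulates a drifted manifest."""
    with tempfile.TemporaryDirectory() as work:
        root = build_demo_bwdata(Path(work))
        archive = Path(work) / "bwdata-backup.tar.gz"
        expected = backup(root, archive)
        if tamper:
            expected["mssql/data/vault.mdf"] = "0" * 64  # no longer what the archive holds
        return verify_backup(archive, BWDATA_NAME, expected)


if __name__ == "__main__":
    print("backup verified:", demo())
    print("tampered manifest detected:", not demo(tamper=True))
```

On a live server, snapshot the directory with the stack stopped (or use the database's own dump) so the database file is not captured mid-write; the hash manifest then tells you, at restore time, whether what came off the backup medium is what went onto it. The vault contents stay encrypted inside the archive, which is exactly why a lost or corrupt copy cannot be reconstructed from anything else.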
It's like, yeah, great, but are you willing to put all these steps in place and make sure you back all this up? Because the encrypted data, there's no way to get it all back if you lose it. But here, like I said, I'll leave a link to their entire details on what was found; they made all the findings public and everything else, and this is great.

And I will bring up again that we are using it self-hosted, but we do pay for it. We are using the official Bitwarden software, and we really enjoy the Teams feature and Enterprise features that you can get on here. So this allows you to have the different vault health reports, unlimited shared items, unlimited collections, with a few dollars per user per month. Now, to me it's important that I pay these fees, and I bring that up also because those penetration tests and paying HackerOne bug bounties, those cost money. Their monetization model is, you know, buying their services, and even if you self-host it, yes, you need to buy these. So I get these questions all the time, so make sure people are very clear that, just because it's open source and because you could re-edit the code and recompile it yourself to remove licenses if that's what you wanted to do, it's pretty inexpensive, especially for me as a business running this, to use it. So it's not been a problem to me.

As far as how it works, the way it handles the shared items, the collections as they're called, for storage has been really, really great. Now, the one thing I like about this compared to using LastPass, where I came from (and no, I don't have time to exhaustively review every other password manager out there), I went with Bitwarden because it was open source. It did have the ability to self-host, which I thought was really cool, and this adds another layer, in my opinion, of security. So being that I have a server stack to host this on, and being that it requires a VPN in order to access this server, if there were something in the wild for Bitwarden, there has not been any, there's not predicted to be any, but just in case, on that off, crazy chance that there is something in the wild out there for Bitwarden, it can only be accessed behind a VPN by my staff. So it adds one more layer of protection. That's the thing I like about the self-hosted instance of this.

And my overall, compared to LastPass on this, the way it does collections, and what a collection is, essentially, is a shared collection of passwords that I need to share between my team, and as a business this is something you run into all the time. They made this really easy because if I add something to the share, no one has to accept that share, no one has to add it to their pool of things like you do in LastPass. This has the advantage from a business standpoint of making it really, really easy and fluid to be able to add things to that vault, essentially, of shared resources. The downside is if I want to share a one-off password. Of course, this is the challenge: if I have a one-off password I want to share with one individual, well, that's a little bit more challenging; they need to be part of that collection, and it gets a little bit... it's a lot different of a concept compared to, hey, I just have this one person I want to share one password with. LastPass did make that a little bit easier compared to the way Bitwarden does it, but it's kind of a minor thing to me and not something that I was really using in LastPass. I just know, as a feature set, if you have just that one password you want to share, you'd have to create a collection and make the person part of that collection. So it's a few more steps from the design standpoint of the way Bitwarden handles it versus the way LastPass does, but that's not really been a big deal to me. Now, the only quirkiness that I've run into is on occasion, but of course without having used LastPass in the last seven months, maybe this issue still persists in both.
I do know occasionally, and this was a problem, even sometimes, like I said, with both and other password managers; I do know from talking to friends that use other ones that suffer from this sometimes: when you change a password, it will not realize you're changing a password, and you have to copy and paste it essentially manually into Bitwarden. I seem to see this, I think, a little bit more often with Bitwarden, a lot less often when I was using LastPass, but it's also the nature of some of these sites: if they have a different domain, a different methodology that doesn't match the URL exactly the same, sometimes it won't realize you're changing a password on that. But it's kind of a minor complaint, but it's there.

Now, the good news is Bitwarden, you kind of can easily work around this, and if I have a site that I'm going to change passwords on, not a lot, and it has that problem, it's really easy in Bitwarden to list out, for a particular site, multiple instances where you can adjust that, essentially the URI, and I'll show you how that works real quick. So if you have a specific item that you want, and this is just an internal server, so it's got an IP address instead of a name, you can put whatever you want in here, but for the URI, if there was something, for example, it was admin dot, you know, whatever it is, dot com, you can add each additional one really easy, so you can get that matching. So I guess it's kind of a minor issue on there.

It is also interesting, too, they do have the authenticator key, TOTP. I don't have this filled in, and one of the reasons why is having the authenticator in there kind of, to me, defeats two-factor, because if you got into Bitwarden and I have the rolling numbers in here in addition to the password on here, that feels like I've now put all my eggs in one basket. So once you have access to this, there's not that two factors.
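The URI fix described above (one vault item, several URIs, so the password manager recognises each login page, including the admin subdomain) comes down to how each stored URI is matched against the page's URL. The following is an added example, not Bitwarden's code: a small Python model of the per-URI match modes Bitwarden's clients offer (base domain, host, starts with, exact, regular expression, never), run over a constructed vault that includes an IP-addressed internal server like the one in the video. The base-domain rule here simply takes the last two host labels, which a real client handles with a public-suffix list, so treat it as an illustration of why adding a second URI makes an item match, not as Bitwarden's exact behaviour. All item names, URIs and page URLs are constructed.

```python
"""Toy model of per-URI match detection in a password manager vault.

Added example, not Bitwarden's code. Match mode names mirror the options the
Bitwarden clients expose per URI, but the logic is a simplified re-implementation
(assumption: base domain = last two host labels). Vault items and page URLs below
are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class VaultUri:
    uri: str
    match: str = "domain"  # domain | host | startsWith | exact | regex | never


@dataclass
class VaultItem:
    name: str
    uris: list = field(default_factory=list)


def base_domain(host: str) -> str:
    """Registrable domain, naively: IP literals compare whole, names keep their last two labels."""
    if re.fullmatch(r"[\d.]+", host) or ":" in host:
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def uri_matches(entry: VaultUri, page_url: str) -> bool:
    """Decide whether one stored URI should offer its item on page_url."""
    if entry.match == "never":
        return False
    if entry.match == "regex":
        return re.search(entry.uri, page_url) is not None
    if entry.match == "exact":
        return entry.uri == page_url
    if entry.match == "startsWith":
        return page_url.startswith(entry.uri)
    page = urlsplit(page_url)
    stored = urlsplit(entry.uri if "://" in entry.uri else "https://" + entry.uri)
    if not page.hostname or not stored.hostname:
        return False
    if entry.match == "host":
        # host mode is strict: hostname and port must both agree.
        return (page.hostname, page.port) == (stored.hostname, stored.port)
    if entry.match == "domain":
        return base_domain(page.hostname) == base_domain(stored.hostname)
    raise ValueError(f"unknown match mode {entry.match!r}")


def matching_items(vault: list, page_url: str) -> list:
    """Names of vault items with at least one URI matching the page, in vault order."""
    return [item.name for item in vault if any(uri_matches(u, page_url) for u in item.uris)]


# Constructed vault: an IP-addressed internal box, a default-matched portal,
# an admin entry deliberately restricted to host matching, and a regex entry.
VAULT = [
    VaultItem("internal switch", [VaultUri("https://192.0.2.10", match="host")]),
    VaultItem("example portal", [VaultUri("https://example.com")]),
    VaultItem("example admin (host only)", [VaultUri("https://example.com", match="host")]),
    VaultItem("internal wiki", [VaultUri(r"^https://[a-z]+\.internal\.example\.net/", match="regex")]),
]

ADMIN_LOGIN = "https://admin.example.com/login"  # constructed page URL


def before_adding_uri() -> list:
    """The host-only admin item is not offered on the admin subdomain."""
    return matching_items(VAULT, ADMIN_LOGIN)


def after_adding_uri() -> list:
    """Same vault after the fix from the video: a second URI for the admin host."""
    fixed = [VaultItem(item.name, list(item.uris)) for item in VAULT]
    fixed[2].uris.append(VaultUri("https://admin.example.com", match="host"))
    return matching_items(fixed, ADMIN_LOGIN)


if __name__ == "__main__":
    print("before:", before_adding_uri())
    print("after: ", after_adding_uri())
    print("wiki:  ", matching_items(VAULT, "https://wiki.internal.example.net/"))
```

The strict modes (host, exact, regex) are what keep an internal item from being offered on a look-alike host, and they are also why a site that logs you in on a different hostname than the one you stored will not be recognised until that second URI is added; base-domain matching is the forgiving default, at the cost of treating every subdomain of a shared domain as the same site.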
So I like keeping everything separate on there, so that's something of note in there. Now, the other things: if I want to create this into a shared item, I could just click this, like I'd said before, making it real easy, or not having to notify anyone; anyone else that's part of that collection instantly gets access to that resource. And I do find myself using quite a bit the hidden field options, so if I wanted to add some custom thing, I have a name and a value and then make that hidden, so some other key, some other key value, and you can keep that value hidden. And then when we hit save, it will save it, and then I can copy this without seeing it, or hit the eye to see it. And of course, once this is edited in this item, and if it was added to a collection where my staff could see it, it's pretty easy. So if you wanted to add those little extra features, it's not been a big deal, and of course adding some notes to any of them is pretty straightforward, the way it edits.

Now, things I'm not using: I do not use this on my phone, and the reason why is, once again, my two-factor codes. No surprise, right? They're on my phone, rolling TOTP numbers. If I had my password manager on my phone with my TOTP numbers, now you'd have it all on one device. Now granted, I do lock that device to keep it secured, but having both things in one place seems like it's generally a bad idea. So I, painstakingly, if I have to have a password input on my phone, I will painstakingly get that password through the web browser version of Bitwarden. I don't... I mean, it has a desktop app; I don't really use it. I've tested it, it works. But I'll get the password there, put that tedious password into my phone, and now I feel confident that I have not shared that in some way on there. So those are some minor things, but I did that even with LastPass.
It's not really a Bitwarden thing. It does have a phone app. It does have the ability to do those other things I said, where you can have it all integrated. You can have an app on your desktop if you want; they have that, including a Linux one, by the way, which is cool, but they're not really things I use.

Now, my overall, like I said, I'm really happy with it, and other than the minor occasional password change issues, which are rare but something to keep in mind, keep your mind on, because, well, if you change a password and, crap, I didn't save it, or it didn't ask me to update it and I still have the old one in there, just make sure you copy and paste in there and watch for that. It's a minor problem. It's not like you're changing passwords all the time, and on, you know, more commercial sites, let's say like Amazon, eBay, your more popular sites, it doesn't seem to do that. It's only on some of the one-off, unusual sites, but I know some of them just have different, weird authentication methods and non-standard URLs for things; therefore, that's probably what causes that problem, and you can add the new URI, like I said.

Now, the final thing I'll mention is I am aware of but not interested in using Bitwarden Rust. There is another implementation of Bitwarden that is pulled from the same source code and redone in Rust. I'm not intimately familiar with the project, but it's something I don't have an interest in. I like to keep everything for my business officially using all the proper Bitwarden sources, because, well, they just went through a security audit. My contributions to buying those licenses helps with that security audit and the cost of it. So I'm perfectly fine paying for this service even though I self-host it. It's not something I see an issue with at all. So my thoughts on Bitwarden: hey, I'd still give it two thumbs up. It's been a great product. I plan to continue using it. I don't have any changes in mind in sight. It's open source. It allows me self-hosting.
It's been really very reliable. We haven't lost any passwords. We haven't had any weird corruption or strange issues with it. No quirkiness to report, which is important. The updates have all gone smooth and not lost any data either, which is also really important. And for the most part, you know, they've been really straightforward to do: updating the base server, which, you know, it's Debian, so apt-get update, and updating the Bitwarden with their little update tool. That's all gone really well. That's just a Docker, so pulling that has been really straightforward and easy. If you have any thoughts, comments, concerns, head over to the forums. We'll also be posting this if you want to have a more in-depth discussion, so it's much appreciated. But that's it.

Thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.