Tom here from Lawrence Systems, and we're going to talk about Bitwarden, part two. I wanted to follow up and address any questions that some people had on the first video and talk about some of the technical details. If you want to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button at the top. If you'd like to support the channel in other ways, there are affiliate links below that get you discounts and deals on products and services that we talk about here.

Bitwarden. So I did a nice video going in depth about a lot of the features it has and things like that. But of course, there are always unanswered questions. And I know I did gloss over it, but it is in there, so I'll show you that, yes, it does have form fill and credit card fill. I'll show you that one real quick here. So if I wanted to, we'll actually open up my vault here and look at the vault itself. I have an identity set up. It's my office ID. It's got Mr. Tom Lawrence, Lawrence Systems, and all of our relevant company information. I'll move myself out of the way here so we can see that better. So we have everything here. Actually, if you want to see it in the vault itself, it makes it easier. Here's the identity. Here's a demo Visa card, so you can see this card. You can look these up; these are fake numbers that you can use for validation testing. Then we have the office ID here. And then we have a website over here that is actually somewhere we belong to, the Southern Wayne County Regional Chamber. If I wanted to fill this in, I can go up here and fill in the office ID, and it fills it in. Down at the bottom, they have the credit card information. If we click on the credit card, you notice it filled that in down here. This is a problem that was in many password managers: sometimes they don't like these pull-downs. So they'll fill in the month and year when they're a type-in.
They'll fill in the security code, but they have trouble when these are pull-downs. They don't always select the right dates on there. But you get the idea that it does have form fill that does work.

The other security question that has come up a few times with people, and this is relevant, is how do you have it set to log out? Well, you set your logout options. The default is on browser restart. So on browser restart, it logs you out. But similar to, and I'll compare it to LastPass, that's what I was using, that's what I'm most familiar with, you can set the log-in time. So every minute, five minutes, 15 minutes, 30 minutes, one hour, four hours. So once you log in, after so many hours it logs out. And most websites keep me logged in anyway. So when it comes to security, I'm less worried about it being on browser restart; as soon as I get up from my computer, I lock my workstation. Because like I said, many websites, once you log in, unless you implicitly tell them to log you out or clear it each time, will generally keep you logged in, and they don't prompt you each time, with the exception of some sites like banking and things like that.

Now someone asked if it had a feature as well. And this is not a feature: whether or not you can select certain prompts. For example, this one here, this is not real. I just set this up, so I put Tom and I think I put, yeah, Thomas, not my real login for this website at all. There's not an option to set this implicitly, that every time I open this, re-prompt me for the password. That is not a feature in here. So I'm just throwing that out there. So those are some of the security things.

And the last one I'll talk about is the settings and how it does the unlock with PIN. So you can actually say, go ahead and lock it every minute, and then set a PIN. So you don't have to type in your master password until then.
So if we go to setting the PIN: set your PIN for unlocking Bitwarden, and your PIN setting will be reset if you ever fully log out of the application; lock with master password on browser restart. And then you can put a PIN in, so you can just have some shorter PIN that you may want to do. It depends on how you want to do things. It's an option. Just throwing it out there.

Other people had asked about the Android application, and I don't use it. This included LastPass, the same thing. I don't want my password manager on the same device where I have my TOTP, my rolling authentication. I just feel those things shouldn't be on the same device. So no, I don't use this at all on there. So I can't really help with any problems people said they had with running it on their phone. It's just not something I use.

Next part of the security: what nefarious connections does this thing make? Well, let's talk about that. So here is the Bitwarden application up and running. It's logged into the same account here, and, you know, same things in here. And then let's pull up what it's connected to. Just this one server, and we're gonna sync the account. So what we've got here is netstat -np --inet | grep bitward. So I'm tracing the process running locally on my computer and what connection this particular process is establishing. So it has a 443. It's using a secure connection to one of four, two, six, one, one, one, one, 53. That's the Bitwarden server, because this is me demoing completely using their servers, not my own, for this part of the demo. And if I go over here and I say, let's sync the vault. Well, syncing the vault established another connection to something in the same IP space. So it keeps one persistent connection and did another when I synced, probably part of the way their server is set up for redundancy. So it doesn't make a lot of connections. I was kind of curious about that.
But the reason I bring this up is one thing I did notice is when it syncs in my main account, which I'm not going to show you, there are too many logins in there, and I have about, I don't know, 700 or so logins, it will go out and pull all the icon information. So when it first updated this item right here to get the site icons, it does reach out to those servers and fill in the icons. That is an option that can be turned off as well. You can go into the settings and you can tell it to disable website icons, and it won't pull any of the site icons, and away you go.

A couple of other minor things that are in here too. I like this feature, because if you're just copying and pasting passwords into other things, you can say, hey, just kick off a clear, that way it's not accidentally pasted in again, and you can clear the clipboard after 10 seconds. That's a nice security feature you may want to turn on if you do a lot of copying and pasting into the clipboard for certain things.

All right, so let's close the app, and now let's talk about the security of this system here. So I want to show you that we can ping 192.168.2.2, which is on the same network; this has an IP address of 2.4. So yes, we can ping out there. We're moving laterally in the network. Ping 192.168, well, even 3.9. I have blocked it from reaching out even to me. My computer's 192.168.3.9. And the reason I'm showing this is because someone asked, well, does the self-hosted instance reach out anywhere? The answer is no. It does the same thing. It does not reach out to any servers. The only servers it does reach out to are for the icons. And right now, if I'm logged in in Chrome here, and if I actually go in detail and pull up things inside of Chrome and pull up those icons, they'll all die, because I currently have access blocked. I did this on purpose to confirm, one, if you block access, it works.
Two, if you are wondering what other connections this makes, it's only making the connections that I've been able to find at all. And I've even played with Wireshark and dove deep into this. I don't find anything to figure out what it's doing. But this is obviously people's concern about this. Now, it is open source, and the source code can be audited. And, you know, this has all been vetted, but still people ask the question, and hey, why not check and validate to see if it's making some weird connection? And it doesn't die or anything when you block internet access. Like I said, I did this just so I could demo it, but I do leave internet access because I do like the site icons on there. I don't see them as a security risk. That part of the code has been vetted, but obviously there is some concern, because if you were to find some way to buffer overrun a site icon in there, it's an edge case, but yeah, it is potential that someone could find a way to, you know, pack a payload into a site icon. It's obscure, it's been vetted, it's been looked at in the code, but, you know, if you want to get fully secure you can completely block access to your self-hosted instance and it'll continue working. The downside is when you need updates, you're gonna have to unblock the access when you wanna pull a new Docker image or pull an update for it. So keep that in mind. But for the purposes of demo, like I said, it's got a connection to me, and because it can't talk to me but I established a connection to Bitwarden, it works perfectly fine.

Now on the open source topic and on the weight topic. So I'm gonna show you what it looks like running first, and then we're gonna dive into a couple things about this. One of them is, yes, that says SQL Server, like Microsoft SQL Server. I didn't cover this, but yes, it does have a dependency on that. And what I'm gonna do right now in another window, so you don't get to see my vault, sorry, I'm going to find something in my vault and manipulate it.
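The netstat check and the blocked-access test above, turned into a repeatable audit as an added example (not from the video or the Bitwarden project): it lists the remote endpoints a named process holds open and flags any port outside an allowlist, running here on constructed sample netstat output in the net-tools column layout.

```shell
#!/bin/sh
# Added example, not from the video or the Bitwarden project: turn the
# manual "netstat -np --inet | grep bitward" check into a repeatable audit
# of which remote endpoints a process holds open, with an allowlist of
# expected ports. Runs here on constructed sample output (documentation
# range addresses, made-up PIDs); on a real host feed it live output:
#   netstat -np --inet 2>/dev/null | remote_endpoints bitwarden

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 192.0.2.10:51234   198.51.100.5:443    ESTABLISHED 4242/bitwarden
tcp        0      0 192.0.2.10:51240   198.51.100.9:443    ESTABLISHED 4242/bitwarden
tcp        0      0 192.0.2.10:51301   203.0.113.7:80      ESTABLISHED 4242/bitwarden
tcp        0      0 192.0.2.10:51299   198.51.100.5:443    TIME_WAIT   -
tcp        0      0 192.0.2.10:22      192.0.2.20:50123    ESTABLISHED 911/sshd'

# remote_endpoints PROGRAM
# Reads netstat output on stdin; prints each distinct foreign ip:port that
# an ESTABLISHED TCP socket of PROGRAM (matched in the PID/Program column)
# is connected to, one per line, sorted.
remote_endpoints() {
    awk -v prog="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ ("/" prog) { print $5 }
    ' | sort -u
}

# unexpected_endpoints PROGRAM "PORT PORT ..."
# Prints the endpoints of PROGRAM whose port is not in the allowlist and
# exits 1 if there were any, so the check can run from cron and alert only
# when something new shows up (for Bitwarden that should be only 443).
unexpected_endpoints() {
    remote_endpoints "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { port = $0; sub(/.*:/, "", port); if (!(port in ok)) { print; bad = 1 } }
        END { if (bad) exit 1 }
    '
}

# Stand-alone demo on the constructed sample: the port-80 connection is
# flagged, the two port-443 connections are not.
printf '%s\n' "$SAMPLE" | unexpected_endpoints bitwarden 443 \
    && echo "no unexpected endpoints" || echo "review the endpoints above"
```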
See, let's go ahead and, I don't know what this is, and let's make it go away. So we're gonna go and delete something out of the vault. I'm doing this so I can enact a database. All right. So it does have, on this particular server, which is nothing impressive as far as processing power, but yeah, you can see it's using currently 2.5 gigs of RAM, and with eight cores you can see not a huge but a little bit of workload. This server just isn't that intense, and actually let's pull it up specifically inside the virtual machine that it runs in, and you can see that little bit of changes we did and some of the disk that's put in; it actually has a little bit of processor usage. Like I said, it's not that intense, and if we look over at the host that it's running on, this is an older R710. Yes, I do run my company still on R710s; ain't broke, don't fix it. And you can see we're barely using any real processing power on this.

So it is a little bit heavier, and I'm bringing all this up because there is another project that doesn't depend on Microsoft SQL. It got brought up in the Level One forums over here, and I got tagged in it, and yes, I do participate in these forums from time to time. And the official Bitwarden does have a dependency on Microsoft SQL Server 2017. Now, SQL Server 2017 does come with a free license. The version they're using is free, so there aren't any extra licenses going out there, but yes, that particular component that it has a dependency on is not open source. And for those of you that may be confused now, "I thought it was an open source product," yes, but it has a dependency on a closed source component. So all the source code that runs Bitwarden is open source, but they did write a dependency on MS SQL, and MS SQL gets pulled into the Docker image. It's the free version, and it does not have source code with it, so this happens a lot.
This happens sometimes when you load drivers for things where you can run an open source operating system, but then, yes, the driver for some particular device was not open source. Because of that, there is another project, and this is, Microsoft SQL Server is heavy-handed. It does use more resources. So for those of you that want it lighter weight, there is bitwarden_rs. This isn't our project. Now, why am I not running this? Well, a couple of issues here. I really like Bitwarden, and I like the fact that they have a business model behind it, which means I go with their paid support, and I bought the premium membership and the enterprise features so I can have the sharing between my staff. I get extra support, and I trust them to be up to date. When you look at this particular project here, well, this is great and it's popular, but it's not maintained specifically by the Bitwarden company, 8bit. I think it's 8bit Solutions, the name of the company. Because it's not specifically maintained by them, well, this is some of the things that happen. So basically they've provided all this, but they do have some missing features. They also have changed what database it uses, et cetera. So they're doing different things inside of here, and it's cool, but when it comes to some of these features, this is the official list of what's missing from it. Send the email to check correct mail for config. Easy migration from SQLite. They are missing some third-party connectors. So there are a couple of little things that they don't have: the management support. They don't have log rotation support. So as I'm using this bigger, so to speak, and with an enterprise purchase, it's going to not have all the features that I want if I run it. So it's cool that they have this. I'm not downplaying at all that this isn't great, but for me I don't mind the fact that it has SQL in it; that's life. It has all the features I want.
It's open source, so the code itself that's in there is being vetted. And by the way, because they're using a free version of SQL, also you notice that's why the importance of me talking about the fact that it's not calling out and doing anything with it. So you're not worried about the Microsoft SQL going out and doing something either. Yes, it's closed source, but it's not accessing the internet, because it doesn't need to. It's not the full paid enterprise version of Microsoft SQL. So at least I wanted to mention them. It also is missing, one of the things here that I thought was interesting that they don't have, is the audit log. That's another feature you get if you buy the enterprise version of it, so you can have a full audit of what's being done in there. But nonetheless, I really like the product. I wanted to cover these couple little things in there from the self-hosted side. If you're doing this and you want it to run lighter weight, you want to run this on a very small virtual machine that is lighter weight than the whole thing, bitwarden_rs is probably not a bad choice. If you're running it as an individual, it's probably not a bad choice. It is done in Rust. If you're not familiar with Rust, it's a solid programming language you build things in, and of course it's not as resource heavy. So this is one of the reasons that they do this. I think it's great that they're maintaining this. It also means that you have an active group of people that maintain this project that are constantly looking at the source code. And if for some reason Bitwarden themselves have decided to do something with the code, they want to stop updating it, whatever, we've got all the source code that's been forked. It's over here. It's being maintained by this particular person right here, Daniel García, and any other people that are involved in this project. So hopefully this clears up some of those questions that people had.
I'm still, you know, it's not really a follow-up as much as just trying to cover all those details. If you have questions, feel free to head over to the forums. I have a discussion; there's already a thread going on this. And here it is in our forums. I'll link to this as I post this video at the bottom of this right here. So yeah, this is all the stuff about the whole Bitwarden. So like other people who have been happy with it, I'm always welcome to discussion and other things; maybe I'm wrong about stuff. Those are my thoughts on this. If you have other thoughts, feel free to share them. Feel free to discuss here. If you have any other questions or debate about this, or if I should do another video on a specific topic, but I don't know if I'm going to, because someone did message me directly, which, please post in the forum, not direct, asking if I would do a video on how to set up self-hosted. Their instructions are super thorough, so I didn't really see any need to do that. Maybe I'll do a future video on it if there are some more questions, but their instructions are top notch on how to self-host this. Like I said before about this company, they really went out of their way to let you self-host this. They didn't just throw the source code up on GitHub and go figure it out. They made an entire installer for the self-hosted version, so their documentation works. It's easy to set up and everything else.

All right, and thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on.
If you wanna carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.