Bitwarden is just fantastic. It's open source, the interface is clean, works fine on all platforms for me and pretty much everything is free. If the devs browse here, thanks for making it.
I'm really happy to see this come to BitWarden. I switched from LastPass to BitWarden and this Dead Man's switch was the only thing I found missing. I actually kept my LastPass active just to provide instructions on how to get into my BitWarden in case of an emergency. I'm still not clear if both the granter and grantee need to be premium/paid subscribers or not. Hopefully I can grant emergency access to someone without a paid subscription... I guess I'll find out when I dig into it over the weekend.
Nice! I was already satisfied using Bitwarden, and now I will no longer have to manually manage my ICE backup.
In the past I've kept an offline copy of my 'vault' on a few USB keys in a safe deposit, for my family in case of death or similar. I'm curious how others have solved this problem.
Here's the details on how it works:
Am I reading it right that this allows people to designate access to their password manager via email? I feel like I have to be missing something, like a previous step that fingerprints the emergency contact's key or something.
(I get that we rely on email for stuff like this all the time, but your password manager is part of what protects your email account, which is why we rely on email as much as we do for resets).
> On confirmation, the grantor’s Master Key is encrypted using the grantee’s public key and stored once encrypted. Grantee is notified of confirmation.
> When the request is approved or the wait time lapses, the public-key-encrypted Master Key is delivered to grantee for decryption with grantee’s private key.
I'm not quite sure how I feel about the way they're doing this. Whilst this is a feature a lot of people desire, the way that they're doing it makes it feel like it would be impossible to verify that they're not storing your Master Key, or transmitting it to someone else - i.e. backdoor.
At least, not with the level of detail I can find. [0]
I use Lastpass, but I'm no longer a fan. So I am considering Bitwarden, but was wondering: What does this afford me that the built in Firefox password manager does not? Firefox now provides a method to generate passwords. Is there something else I am missing?
This represents a dramatic escalation of side-channel attack vectors and surface area. It’s an unfortunate inevitability that this will not end well. Secure platforms never provide affordances for backdoors, especially backdoors tightly coupled to externalities. Bitwarden is further attracting unnecessary attention to itself from actors who have an interest in the collection of the volunteered emergency-trust relationships. Bitwarden would be well-advised to reconsider this feature.
Unless I'm reading this wrong, this lacks a lot of granularity. I'd like to be able to only give access to a subset of my vault, not all of it. I'm of the opinion that my accounts should just disappear with me, apart from some things related to real life like utilities and the like. Come to think of it, my GitHub account could be worth preserving too but right now I can't think of much else being worth it.
Just a friendly reminder that DMS is an excellent service as well. Just PGP encrypt a message and it'll get emailed out if you don't click a link on a set period. It is a painfully simple and inexpensive service.
Just a thought after having read through the comments, not all emergencies are the result of death, and, since pretty much any textual information can be stored in a Bitwarden vault, the kinds of emergencies could vary widely. A well-thought out use of the share/collection features might mitigate a lot of "emergency" situations though.
I do, however, look forward to the clichéd "you had her change the will just days before her death" in murder mysteries being replaced with "you signed her up for Bitwarden's emergency access just days before her death"…
My dad set me up with the equivalent feature to this on Dashlane. But it involved downloading their desktop app, which has all the usual anti-user behaviour - automatically adding to startup list, minimising to taskbar on quit, self updating without request, etc. So I ended up uninstalling it.
I hope that I get an email notification, or I find out through other offline means, if the feature ever gets activated. I hate that something which could have a significant impact on my life, potentially at a difficult time, appears to require running crapware on my own computer.
An alternative way to restore access to an E2EE app account could involve Shamir's Secret Sharing. I wrote some ideas about how it would work:
https://francoisbest.com/posts/2020/password-reset-for-e2ee-...
This is timely considering Vitalik’s vocal support for Social Account Recovery: https://vitalik.ca/general/2021/01/11/recovery.html
It’s personally something I love to see.
LastPass has had a similar feature for some time now.
https://support.logmeininc.com/lastpass/help/set-up-and-mana...
It's a good application and service that offers much on free accounts "but":
* there's still no way to keep fetching icons disabled across all devices and instances of bitwarden - each time I have to disable it; I just simply don't like such a feature anywhere it's present
* there's no emptying the trash on desktop client and neither in browser addon
* logging in generates email on which your account is registered, which is a good security feature but sometimes it's just... annoying
* import exists only in the web vault interface, while export is present on desktop application and web vault
* despite having vault unlocking set to use a PIN, I have to provide the password
Still, it's my secondary choice for less important passwords for sites and apps since it works nicely on mobile and isn't limiting features like Enpass which is my main password manager.
And you still can't use Bitwarden in Firefox's private mode.
So useful. I have been wanting this feature.
I am not so sure about this. I think they should certainly allow emergency access to shut down all access but not necessarily give access to a trusted party. Life can change quite unexpectedly.
The pandemic has made me (re)evaluate how my family can get to my finances and online services. Such solutions can solve issues related to bank/trading account access and key documents but what about subscription services? All my subscription services from Netflix/Plex (less important) to VPN/Backblaze (more important) are tied to my credit cards, which upon my untimely demise will be deactivated. My family will surely get locked out if I don't leave clear instructions on each of the services and how they can access them, etc. Then there is a technical aspect of taking over these services.
I'm curious on how others have planned around this?
edit: typo