Logos of Bitwarden and UCS with a keyring in the middle

Apart from two-factor authentication (2FA), strong passwords are still your best protection against data theft. We already described how you can apply what are known as “password policies” in our article “Secure passwords for the UCS domain”.
In this article, we will go one step further. After a brief refresher on the topic of password managers in general, we will present a concrete software solution that offers a convenient way to store and manage passwords – so that none of your users have to rely on writing down their access data anywhere in plain text.

One password per service

A basic rule is: the longer a password, the more difficult it is to crack with a brute force attack. To illustrate the approximate time required to crack passwords, datenschutz.org has created an exciting widget that not only generates passwords, but also provides information about their security level. Naturally, these are only approximate values, since cracking passwords always depends on multiple factors. The following sample results were determined under the assumption that the passwords contain upper case letters, lower case letters, numbers and special characters:

Password length    Time required for decryption
4 characters       Two hours
8 characters       Two years
16 characters      139,563,251 years
32 characters      25,887,483,909 years

(Source)

When trying to crack a password, a special piece of software tries out as many different character combinations as possible until it finally “guesses” the password correctly. This process requires a lot of processing power, but since users tend to use short passwords that often only consist of letters, the procedure does not usually take very long overall. The longer and more complex a password is (for example using upper and lower case letters, special characters, and numbers), the more secure it is.

However: complexity is only one of several security factors that should be considered when using passwords. For example, it is also strongly discouraged to use a single password – no matter how complex it may be – for different (or even all) services and platforms. As a client, you usually don’t know how the operators of these services store their users’ passwords internally. Are they stored in plain text in a database? Or are they relying on hash values calculated by a procedure such as salted hashing or PBKDF2 SHA-256? News reports about services that have been infiltrated (resulting in the user’s passwords being made publicly available on the Net or being resold) have become quite normal. The logical conclusion should be: every service you use gets its own password.

In order to keep track, many users come up with a standard password that they integrate into individual passwords for different platforms. This method works in many cases, but certainly not all the time. One service defines at least two special characters as a guideline, another one wants only numbers or capital letters, and yet another one requires a mixture of the above, with the password being at least eight characters long. Since very few people can remember all this access data, an alternative to writing it down in a file or even on a piece of paper kept under the keyboard is needed. The more passwords you have to manage, the more frustrating it can become in the long run. Thus, a password manager can come in handy.

How do Password Managers work?

Screenshot of the UCS login window

Even though UCS provides a few shortcuts via Single Sign-on, Internet users accumulate a lot of access data over time.

Password managers are programs for managing user names and passwords. The access data is stored in encrypted form, and a master password provides access to the data when required. This way, users only have to remember one password instead of many different ones. In many cases, password managers also help users to create strong passwords, warn about possible phishing attacks and, if requested, synchronize the user’s passwords onto multiple devices. Some password managers use an external service provider’s cloud to synchronize the password database with the user’s log-in data, and some store their data locally. Thus, data synchronization across multiple devices and operating systems remains in the user’s hands.

Many modern web browsers offer a password management function which leaps into action whenever a website requests the user’s log-in data. But beware: what may seem convenient at first glance also has disadvantages: a web browser is first and foremost – well, a web browser. Integrated password managers are quite vulnerable to malware and attacks from outside. That is why anyone who wants to entrust their passwords to Firefox, Safari, Chrome, etc. for whatever reason should definitely set up a master password, make sure the browser is fully updated at all times and protect the computer or mobile device with an extra password.

Bitwarden: Password Management with Open Source Software

There are numerous password managers around which have been tested and evaluated by different entities. Even though the functionality is basically always the same, there are differences in terms of the user interface, the range of functions and the user-friendliness. And of course, one question always comes up: how much does a password manager cost? In many cases, the programs are actually free of charge, although a distinction is made between using them as an individual or as an organization.
Bitwarden offers an open source password manager that meets multiple application scenarios and is offered in the Univention App Center as an app for Univention Corporate Server (UCS) (more on this later). I would now like to introduce Bitwarden and its numerous functions in more detail.

What exactly is Bitwarden – and who’s behind it all?

Bitwarden is software for managing sensitive passwords securely. More precisely, it is a software package that consists of several individual components (a browser extension, mobile app, and server application). The software was developed by 8bit Solutions (now Bitwarden Inc.) in Florida, USA. Compared to similar services such as KeePass (2003) or Clipperz (2007), it is relatively new on the market: the Bitwarden password manager was first released on August 10, 2016, initially with mobile apps for iOS and Android and browser extensions for Chrome and Opera, followed by the Firefox extension in early 2017. Over the years, the software has been constantly developed further and gradually made available for additional browsers and operating systems (see the section “Bitwarden: list of compatible clients, browsers and apps”). Its range of services is relatively large; due to its cross-system and cross-device usability, the Bitwarden password manager is accessible to a large audience.

Bitwarden: List of compatible Clients, Browsers and Apps

We now list all the integration options which are currently available for the Bitwarden password manager. The topic “Bitwarden and UCS” will be discussed separately.

The software runs on the three major operating systems, each with different installation options:

Bitwarden for Windows

Bitwarden is available for Windows 7, Windows 8 and Windows 10 – in each case for the 64-bit (x64) and 32-bit (x86) variants. Bitwarden Inc also offers support for each of these operating systems. It can be installed in the following ways:

  • Standard Installer
  • App download from the Windows Store
  • Portable app for flash drives (there are no automatic updates in this version)
  • Chocolatey Package Manager

Bitwarden for MacOS

The software is available from OS X Mavericks onwards and can be installed in the following ways:

  • Standard installer
  • Mac App Store
  • Homebrew Package Manager

Bitwarden for Linux

Bitwarden’s password management software is usable for numerous Linux distributions. Users can obtain the software via a variety of options:

  • Standard installer
  • Bitwarden for Ubuntu, Debian, Linux Mint and others (no automatic updates available)
  • Bitwarden for Fedora, CentOS, openSUSE, RHEL and others (no automatic updates available)
  • Snap Package Manager

Screenshot of the Bitwarden app as a Linux download

Preview of the Bitwarden Linux Installation

Bitwarden for Web Browsers

As the password manager has developed, the list of web browsers offering it as a direct extension has also grown. Now, the service is available for no less than 8 different browsers:

  • Google Chrome
  • Mozilla Firefox
  • Safari
  • Opera
  • Vivaldi
  • Microsoft Edge
  • Brave
  • Tor Browser

Bitwarden as a Mobile App

Bitwarden offers its mobile app in the two major, well-known app stores. Note: UCS users can get the server app from Univention’s App Center.

In the Univention App Center: Bitwarden Password Manager

There is good news for UCS administrators who do not want to use the Bitwarden cloud service and instead want to host their password storage themselves: the Bitwarden password manager is available in the Univention App Center. The program is licensed under AGPLv3 and integrates easily into UCS environments.

Installing Bitwarden in UCS

As with all partner apps, we have tried to make installing Bitwarden user-friendly and simple. If you want to integrate Bitwarden into your UCS via the Univention App Center:

  • the ID and key must be requested from Bitwarden;
  • the configuration parameters for an email server have to be stored by the administrator during the installation so that the Bitwarden instance can send emails, e.g. when registering a new user;
  • the conditions shown in the price tables later in this article also apply to the Bitwarden App in the App Center: the password manager is free for up to two users; if additional users are to be added, an appropriate license is required.

Why use Bitwarden in UCS?

Bitwarden provides your UCS users with a reliable password manager that runs on your own server. Going via a cloud service may be convenient, but it also always means that you relinquish control and that sensitive passwords reside with an external service provider.
Further advantages:

  • Connection with identity management via Single Sign On (via SAML) has been added with the current version of Bitwarden (1.38.2), which is available in the App Center. This is much more convenient and valuable for the user. There is no integration with identity management in UCS yet, but it can be configured manually.
  • Furthermore, organizations that choose to use Bitwarden via UCS will of course get the extensive capabilities of UCS and the other apps available with it included automatically.

Bitwarden Web Vault

For those who travel without a laptop, cell phone or tablet and urgently need access to stored passwords while on the road, the Bitwarden Web Vault provides online access to the data from any Internet-enabled device.
As you can see, the Bitwarden password manager is available for use in so many different variants that testing it should be straightforward for most users. The utilization of Bitwarden in UCS will be discussed later in this article. However, a small hint won’t hurt. So, if you do not have UCS installed yet: our core edition is permanently available to you for free!




Bitwarden: Advantages of using the Password Manager

It should have already become clear at the very beginning of the article why it is advisable to employ a password manager for both professional and personal use. I will now summarize the advantages that Bitwarden brings to the table:

Favorable prices

Although the Bitwarden password manager can be used free of charge as open source software, it is a widespread myth that “open source” always equates to “completely free”. When it comes to Bitwarden, fees are charged for the use of certain premium features or for larger numbers of users, but these fees are very limited for a tool whose development is so far advanced. More information on prices is given later in this article in the section “Prices for various user groups”.

Ease of use

Nothing is more frustrating for new users than a program that, when installed, turns out to be incomprehensible and difficult to use. Quite often, when users are confronted with such a situation, the application is then deleted, with the manufacturer receiving a negative rating on the download platform. However, Bitwarden is characterized by a high degree of user-friendliness and is intuitive to use.

High level of security

Naturally, this is exactly what users would expect from a reliable password manager – and Bitwarden has been meticulously designed to meet this requirement to the fullest extent. Not only can open source enthusiasts contribute to the testing and improvement of security, but Bitwarden is also regularly audited by independent security firms. For example, the summary of the detailed analysis conducted by Cure53 states:

“During the tests performed by the Insight Risk Consulting team, no exploitable vulnerabilities were discovered and two issues of moderate severity were highlighted. These results are very positive, especially given the extensive size and complexity of Bitwarden’s overall infrastructure.” (Source)

More information about the software’s security aspects can be found in the section “Bitwarden: security aspects of the software”.

Testing Bitwarden: installation and taking the first steps

As part of testing out Bitwarden, I will now focus on getting the program up and running, providing an overview of the features (available in the free basic version), and saving the first passwords. [I will present the features of the premium version in a later article update].

Installing Bitwarden

Note: for my Bitwarden test, I am using the Linux operating system Ubuntu; the intricacies of the installation process may vary on other systems – even though the principle should stay the same.

To get the free version of Bitwarden, entering its name in the search box on the desktop usually directs you straight to the Bitwarden download. The result provides another short introduction and emphasizes the open source idea behind the application.
If you can’t or don’t want to go this route, you can of course also download the password manager directly from the provider’s site (for all the operating systems and web browsers described above).
After clicking on “Install”, things are underway; in my case, installing Bitwarden took about a minute. If you start the program after the installation, you will be asked to login or create an account.

The creation of a master password that is safe and easy to remember is essential for the creation of a Bitwarden account.

In order to create an account, Bitwarden requires a valid e-mail address; in addition, you also need to set the master password at this stage of the installation. And that brings us to the first challenge:
the Bitwarden master password should of course be as secure as possible, since that is what you use to gain access to the rest of the data that you stored “within” the password manager. So it seems to make sense to choose a password that is as long and complicated as possible. However, Bitwarden explicitly points out that there is no way to reset this password if you forget it. Thus, as a user, you should:

  • Either write the password down somewhere where it is safe and does not give a direct hint about what it is for
  • Choose a combination of letters, numbers and special characters with a logic behind it that is easy to remember
  • Choose a passphrase that is easy to remember and provides a crucial clue to the password, or
  • Use the option of the master password hint (this can be entered to aid your memory in case you do forget the password after all).

The decision to exclude the possibility of resetting the master password is, of course, understandable from the perspective of security; however, it means a drop in usability. One might think that a convenient solution would be to provide the option to have a TAN sent to a stored mobile phone number enabling users to reset their master password. However, that would contradict the security concept considerably – because if such a reset option were made available, Bitwarden would have to be in possession of a master key for the user’s passwords. This, in turn, would theoretically allow third parties (i.e. government agencies and other powerful institutions) to gain access to users’ passwords. Note: it is possible to change the master password in Bitwarden after the account has been created. The option to do so can be found via the path “Account” → Change master password. The change itself is only possible in the Bitwarden web vault, to which users are automatically redirected if they choose that option. The option to change the password can be found under “Settings”.

Screenshot of the changing option of the master password in Bitwarden

The master password can be changed in Bitwarden if you have forgotten the initial one.

After entering the master password and the hint, both the terms and conditions and the privacy policy have to be accepted. Clicking on “Submit” creates the account, which can then be accessed using the login details.
Note: in order to unlock all the Bitwarden functions, the user must confirm their e-mail address. The option “Verify Email” can be found in the password manager’s web vault on the “My vault” tab after the account has been created. The e-mail is sent immediately; after clicking on the blue verification button, the user is redirected to the Bitwarden web interface and must log in again with the master password to complete the verification.

Bitwarden: Overview of Functions

The following features are available to users of the free Bitwarden basic account:

Create Login

This classic function is the main reason why password managers are developed and used. In addition to the user’s password and the username whose login is to be stored, the tool also saves the login URL if desired. There are several URL recognition features which enable the tool to autofill the user data later (see also the section “Bitwarden Browser Plugin”):

  • Default match detection
  • Base domain
  • Host
  • Starts with
  • Regular expression
  • Exact
  • Never

Additionally, a TOTP authentication key can be assigned. Users can create and attach notes to their saved logins. Other useful features include the compromise check and optional automatic password generation by Bitwarden itself.
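To make the match types listed above concrete, here is an added Python model of URI match detection; it is example code, not Bitwarden's own implementation. It assumes that “Default” behaves like “Base domain”, that “Host” compares host and port, and it uses a tiny constructed stand-in for the public suffix list; the run shows why a lookalike domain is not offered for autofill.

```python
"""URI match detection for vault autofill (added example, not Bitwarden's own code).

Assumptions: "Default" behaves like "Base domain"; "Host" compares host and port;
the public-suffix handling is a tiny constructed subset of the real public suffix list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Tiny constructed subset of the public suffix list; real clients ship the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


@dataclass(frozen=True)
class StoredUri:
    uri: str    # the URL (or pattern) saved with the login item
    match: str  # default | base_domain | host | starts_with | regex | exact | never


def base_domain(host: str) -> str:
    """Registrable domain: public suffix plus one label (login.bank.example -> bank.example)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def uri_matches(stored: StoredUri, page_url: str) -> bool:
    """Decide whether a vault item may be offered for autofill on page_url."""
    kind = "base_domain" if stored.match == "default" else stored.match
    if kind == "never":
        return False
    if kind == "exact":
        return stored.uri == page_url
    if kind == "starts_with":
        return page_url.startswith(stored.uri)
    if kind == "regex":
        return re.search(stored.uri, page_url) is not None
    stored_netloc = urlsplit(stored.uri).netloc.lower()
    page_netloc = urlsplit(page_url).netloc.lower()
    if kind == "host":
        return stored_netloc == page_netloc  # host and port must both agree
    if kind == "base_domain":
        return base_domain(stored_netloc.split(":")[0]) == base_domain(page_netloc.split(":")[0])
    raise ValueError(f"unknown match type: {stored.match!r}")


def autofill_candidates(vault, page_url: str):
    """Names of vault items whose URI matches the page; lookalike domains must stay out."""
    return [name for name, stored in vault if uri_matches(stored, page_url)]


if __name__ == "__main__":
    vault = [  # constructed sample vault
        ("bank (default)", StoredUri("https://login.bank.example", "default")),
        ("bank admin (host)", StoredUri("https://admin.bank.example:8443", "host")),
        ("sso (starts with)", StoredUri("https://login.bank.example/auth", "starts_with")),
        ("shop (regex)", StoredUri(r"^https://(www|shop)\.example\.co\.uk/", "regex")),
    ]
    for url in ("https://www.bank.example/signin",
                "https://bank.example.attacker.test/signin",  # lookalike: no match expected
                "https://admin.bank.example:8443/",
                "https://shop.example.co.uk/checkout"):
        print(f"{url:48} -> {autofill_candidates(vault, url)}")
```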

Screenshot showing the Bitwarden Password Generator

Secure passwords can automatically be created in the Bitwarden Web Vault.

Create Cards

This Bitwarden function allows you to save credit card details in Bitwarden. The tool asks for the cardholder name, card number, brand, expiration month, expiration year and security code.

Create Identities

This feature allows you to create full personal records including sensitive data (social security number, passport number, driver’s license number, e-mail, address, etc.). This feature serves as a user management tool or as a storage option for the data needed for such management. Individuals who use Bitwarden primarily as a password manager probably won’t have much use for it, but small business owners or even club leaders get a nice additional feature in the form of identity management.

Create Secure Notes

This feature seems self-explanatory at first, but it goes beyond digital note-scribbling. Aside from the simple text field, the user can also add hidden fields or booleans.

Bitwarden Browser Plugin

In order to use Bitwarden in a meaningful way, a browser extension should be installed in addition to the desktop client; a list of all the browsers supported can be found above in the section “Bitwarden for web browsers”. You can select your preferred browser directly from the Bitwarden web vault.
The installation option has been placed a bit strangely in the program itself. You should be able to find it in the drop-down menu Help → Install Browser Extension. Once you are there, you can choose between Chrome, Firefox, Safari, Edge and Opera.

Installation in the browser requires nothing more than clicking on the installation button. Of course in order to be able to use the extension, the e-mail address and the master password have to be entered again when the installation has finished. After this step, the password manager opens directly as a sidebar (in my case, it is the Bitwarden Firefox extension). Alternatively, you can also open the Bitwarden vault as its own small window.
A great advantage is that this small window basically offers all the essential functions that you need as a user, so you no longer need to log in to the main program as well.
At this point, it is not necessary to go into the features again, which are not fundamentally different for the desktop, Vault/Web Vault and browser extension. However, since I am running a Bitwarden test in parallel for this article, I would like to take a look at the autofill function offered by the browser extension, especially since this feature has been criticized in other reviews in the past.

Bitwarden browser extension screenshot

The browser extension of Bitwarden can be used directly when accessing websites.

Testing the Bitwarden Autofill Function

The Bitwarden plugin for the browser can be used to access the entries or passwords stored via the “My Vault” tab. If a URL has been stored, the website on which the login is to take place can also be accessed directly from the vault. Once you have accessed the page, just click on the “Auto-fill” option in the Bitwarden Password Manager, and the program will automatically fill the login fields with the username and password! Alternatively, the username and/or password can be extracted and pasted via copy & paste; naturally, this option takes a little longer.

Conclusion: Our test of Bitwarden’s autofill function did not detect any problems. In this respect, not only the function, but also the usability and convenience of the application do not have much room for improvement.

Create and save passwords as you go

Once you have decided to use the password manager, the browser plugin really highlights the potential of Bitwarden: want to create a new login quickly while browsing the web? No problem at all! Just proceed as follows:

  • Visit the desired web page
  • Click on the login function of the website or go to the login subpage
  • Now open the Bitwarden extension
  • Click on the “plus” button in the upper right corner
  • A new entry appears; Bitwarden has already filled the name and URL of the website in automatically
  • Now you can assign your username and enter the password manually – or simply use the password generator to create a secure password
  • Click on “Save”
  • This creates the entry; the next time you visit, you can easily log in to the site using autofill.

Bitwarden: Security aspects of the Software

In this section, I will go into a bit more detail about the security of Bitwarden, since this is, as mentioned before, a central aspect of any password manager.

Two-factor authentication

First of all, two-factor authentication (2FA), which is already quite common for many web services, increases the general security of your Bitwarden account immensely. With this activated, you not only have to enter the master password, you also have to enter an additional security code. You can set up the system to send you this code in various ways. The following options are currently available:

  • E-mail
  • SMS
  • Phone call
  • Authentication app

Users of the basic version have access to authentication apps and email; YubiKey OTP security key, Duo and FIDO U2F security key methods are reserved for premium users.

While two-factor authentication for Bitwarden undeniably provides significantly increased security (hackers cannot access the account even if they have obtained the master password), it is not quite so convenient, as the authentication code must be entered each time the user logs in.

Bitwarden fingerprint phrase

Every Bitwarden account is automatically assigned a public “fingerprint phrase” by the provider. This verification key consists of five English words without semantic context that appear in a fixed order.
Said fingerprint phrase makes it possible to identify individual Bitwarden users without any doubt and is especially practical when it is not just a matter of a single Bitwarden login, but rather multiple users attached to a single account. This is the case in organizations, for example.

The fingerprint phrase can be found via the following paths:

  • Desktop app: Account → Fingerprint phrase
  • Web vault: Settings → Account
  • Browser plugin: Settings → Account → Fingerprint Phrase
  • Mobile app: Settings → Account → Fingerprint Phrase

Using a Verification Key to identify new Users

The following process uses the fingerprint phrase before adding new users to your organization:
show the user their fingerprint phrase and ask them, for example, to verify the third word in the chain via e-mail, by SMS, live on the phone or the like. This allows you to ensure that the encryption works and that the server on which Bitwarden is running has not been compromised.

Customize the Encryption Key Settings

You can also customize the encryption key settings in Bitwarden’s web vault, to best protect your account from brute force attacks. In order to do this, you need to go to the “Settings” menu and scroll down to the “Encryption key settings” item. Here, you have the option to increase the number of iterations of the KDF (key derivation function). This technique is known as key stretching: every guess an attacker makes has to run through the same number of iterations, so the cost of a brute force attack grows in proportion to the iteration count. Bitwarden recommends gradually approaching a suitable value, since a high number of KDF iterations may slow down the login process.
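As an added illustration of the key stretching described above (and of the password length versus keyspace relationship from the table at the start of the article), the following Python example is not Bitwarden's code. It assumes the master key is PBKDF2-HMAC-SHA256 over the master password with the lowercased e-mail address as salt, and that an attacker's guess rate drops in proportion to the iteration count; the iteration counts and the sample e-mail address are constructed values.

```python
"""Key stretching for a password-manager master key (added example, not Bitwarden's code).

Assumptions: the master key is PBKDF2-HMAC-SHA256 over the master password with the
lowercased e-mail address as salt and a 32-byte output, and a brute-force attacker's
guess rate falls in proportion to the iteration count. Iteration counts below are
sample values chosen for illustration, not Bitwarden's defaults.
"""
import hashlib
import math
import time

PRINTABLE_ALPHABET = 95  # upper, lower, digits and special characters, as in the table


def derive_master_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key; cost grows linearly with iterations."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_derivation(master_password: str, email: str, iterations: int, rounds: int = 3) -> float:
    """Median wall-clock time of one derivation on this machine (what the user waits at login)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive_master_key(master_password, email, iterations)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def keyspace_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, seconds_per_guess: float, alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Expected single-threaded time to hit a uniformly random password (half the keyspace).

    An attacker with many GPUs divides this figure by their parallelism; raising the KDF
    iterations raises seconds_per_guess for every one of those cores alike.
    """
    guesses = 2 ** keyspace_bits(length, alphabet_size) / 2
    return guesses * seconds_per_guess / (365.25 * 24 * 3600)


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """How much more work each guess costs an attacker after raising the KDF iterations."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    email, pw = "user@example.test", "correct horse battery staple"  # constructed sample values
    for iters in (5_000, 100_000, 600_000):  # sample iteration counts
        t = seconds_per_derivation(pw, email, iters)
        print(f"{iters:>8} iterations: {t * 1000:7.1f} ms per login; "
              f"random 8-char password ~{expected_crack_years(8, t):.2e} years single-threaded")
    print(f"raising 5,000 -> 100,000 makes each guess {cost_multiplier(5_000, 100_000):.0f}x more expensive")
```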

Prices for various User Groups

In addition to its functionality and user-friendliness, Bitwarden’s pricing is also a point in its favor. Individual users and “organizations” only incur costs if they want to use the premium features. The provider is currently quoting the following prices on its website (as of February 2020).

Prices for Single Users and Families

Basic Free
Free; includes all the basic features of the password manager:

  • Store an unlimited number of passwords / accounts in the web vault
  • Synchronize across all devices
  • Generate secure passwords
  • Self-hosting option

Premium
$10 per annum; also includes the following premium features:

  • 1 GB of encrypted file storage
  • Two-factor authentication with Yubikey, U2F or Duo
  • Security reports
  • TOTP authentication key
  • Emergency access

Family Organization
$40 per annum; the account can be accessed by up to 6 users and offers the following extra features:

  • Priority customer support
  • Unlimited password collections and shared items
  • Self-hosting function
  • TOTP authentication key

Prices for Companies

Organization (Free)
The account can be handled by two users who may share their passwords/access data with each other.

Teams
$3 per user per month; includes premium features for all members, can be upgraded to additional members at any time, and also includes the following team features:

  • User groups
  • Event logs
  • Directory Connector
  • API access

Enterprises
$5 per user per month; includes premium features and team features for all members, is expandable by additional members at any time, and comes with the following extras:

  • SSO – authentication via SAML 2.0 and OpenID Connect
  • Enterprise policies
  • Self-hosting option

For a detailed comparison of the features included in Bitwarden’s business packages, visit the vendor’s pricing page.

If you have any questions or suggestions, feel free to discuss them with us in the forum or leave a comment here on the blog.

Carsten Wurtmann

Carsten feels at home in Marketing and has already published for all kinds of online media on various topics. Concerning IT, he is particularly interested in data security and Digital Sovereignty.