Apart from two-factor authentication (2FA), strong passwords are still your best protection against data theft. We already described how you can apply what are known as “password policies” in our article “Secure passwords for the UCS domain”.
In this article, we will go one step further. After a brief refresher on the topic of password managers in general, we will present a concrete software solution that offers a convenient way to store and manage passwords – so that none of your users have to rely on writing down their access data anywhere in plain text.
One password per service
A basic rule is: the longer a password, the more difficult it is to crack with a brute force attack. To illustrate the approximate time required to crack passwords, datenschutz.org has created an interesting widget that not only generates passwords, but also provides information about their security level. Naturally, these are only approximate values, since cracking passwords always depends on multiple factors. The following sample results were determined under the assumption that the passwords contain upper case letters, lower case letters, numbers and special characters:
| Password length | Time required to crack |
|---|---|
| 4 characters | Two hours |
| 8 characters | Two years |
| 16 characters | 139,563,251 years |
| 32 characters | 25,887,483,909 years |
When trying to crack a password, a special piece of software tries out as many different character combinations as possible until it finally “guesses” the password correctly. This process requires a lot of processing power, but since users tend to use short passwords that often only consist of letters, the procedure does not usually take very long overall. The longer and more complex a password is (for example using upper and lower case letters, special characters, and numbers), the more secure it is.
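The growth in the table follows directly from the size of the search space: with an alphabet of `c` characters and a length of `n`, there are `c^n` candidates, and an attacker who tries them in order finds the password after half of them on average. The following Python snippet is an added example (not from the original article or the datenschutz.org widget) that makes that calculation explicit for several alphabets and lengths; the guess rate of 10^10 per second is an assumed figure chosen only to make the exponential growth visible, and the resulting years will not match the widget's numbers exactly.

```python
import math

# Alphabet sizes used for the estimates (constructed for this example; the
# 95-character set is printable ASCII, matching the table's assumption of
# upper case, lower case, digits and special characters).
CHARSETS = {
    "lowercase only": 26,
    "lower + upper case": 52,
    "letters + digits": 62,
    "letters + digits + symbols": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Assumed attacker speed, a hypothetical figure for illustration only.
# Real rates depend heavily on how the service hashed the password.
GUESSES_PER_SECOND = 1e10


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Search-space size in bits: every extra bit doubles the attacker's work."""
    return length * math.log2(charset_size)


def expected_crack_years(charset_size: int, length: int,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    seconds = keyspace(charset_size, length) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def crack_time_table(lengths=(4, 8, 16, 32)):
    """Rows of (alphabet, length, bits, years) for every alphabet and length."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         expected_crack_years(size, n)))
    return rows


if __name__ == "__main__":
    for name, n, bits, years in crack_time_table():
        print(f"{name:28s} {n:3d} chars  {bits:6.1f} bits  ~{years:.3g} years")
```

Running it shows the two levers the paragraph above describes: a longer password multiplies the work by the alphabet size for every added character, while a larger alphabet raises the base of that exponent. An eight-character lowercase-only password falls in seconds at the assumed rate, whereas sixteen characters from the full alphabet already exceed any realistic attacker's lifetime.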
However, complexity is only one of several security factors that should be considered when using passwords. For example, it is also strongly discouraged to use a single password – no matter how complex it may be – for different (or even all) services and platforms. As a client, you usually don’t know how the operators of these services store their users’ passwords internally. Are they stored in plain text in a database? Or do they rely on hash values calculated by a procedure such as salted hashing or PBKDF2 with SHA-256? News reports about services that have been breached (resulting in their users’ passwords being published on the Net or resold) have become quite normal. The logical conclusion should be: every service you use gets its own password.
In order to keep track, many users come up with a standard password that they integrate into individual passwords for different platforms. This method works in many cases, but certainly not all the time. One service defines at least two special characters as a guideline, another one wants only numbers or capital letters, and yet another one requires a mixture of the above, with the password being at least eight characters long. Since very few people can remember all this access data, an alternative to writing it down in a file or even on a piece of paper kept under the keyboard is needed. The more passwords you have to manage, the more frustrating it can become in the long run. Thus, a password manager can come in handy.
How do Password Managers work?
Password managers are programs for managing user names and passwords. The access data is stored in encrypted form, and a master password provides access to the data when required. This way, users only have to remember one password instead of many different ones. In many cases, password managers also help users to create strong passwords, warn about possible phishing attacks and, if requested, synchronize the user’s passwords across multiple devices. Some password managers use an external service provider’s cloud to synchronize the password database containing the user’s log-in data, and some store their data locally. In the latter case, data synchronization across multiple devices and operating systems remains in the user’s hands.
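The password-generation feature mentioned above has to cope with exactly the inconsistent rules described two paragraphs earlier (at least two special characters here, digits only there, a mixed eight-character minimum elsewhere). The following Python example is added here and is not Bitwarden's or any other product's generator; it shows how such a generator can honour a per-service policy while still drawing from the operating system's cryptographic randomness. The class names, the symbol set and the policy format are assumptions of this example.

```python
import secrets
import string
from typing import Dict, Mapping, Optional, Sequence

# Character classes a service policy may demand (constructed for this example;
# the symbol set is a common safe subset, adjust it to what a site accepts).
CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


def meets_policy(password: str, required: Sequence[str],
                 min_counts: Optional[Mapping[str, int]] = None) -> bool:
    """True if every required class occurs at least min_counts[class] times
    (default 1) and no character falls outside the allowed classes."""
    min_counts = dict(min_counts or {})
    allowed = set("".join(CLASSES[c] for c in required))
    if any(ch not in allowed for ch in password):
        return False
    return all(sum(ch in CLASSES[c] for ch in password) >= min_counts.get(c, 1)
               for c in required)


def generate_password(length: int,
                      required: Sequence[str] = ("lower", "upper", "digit", "symbol"),
                      min_counts: Optional[Mapping[str, int]] = None) -> str:
    """Draw uniformly from the allowed alphabet with `secrets` and reject any
    candidate that misses the policy. Rejection sampling keeps every accepted
    password equally likely; the common shortcut of forcing one character per
    class into fixed positions and shuffling does not."""
    min_counts = dict(min_counts or {})
    if sum(min_counts.get(c, 1) for c in required) > length:
        raise ValueError("policy demands more characters than the length allows")
    alphabet = "".join(CLASSES[c] for c in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, required, min_counts):
            return candidate


if __name__ == "__main__":
    # Constructed policies mirroring the three rule sets from the text.
    print("two symbols, 20 chars:", generate_password(20, min_counts={"symbol": 2}))
    print("digits only, 6 chars: ", generate_password(6, ("digit",)))
    print("mixed, 8 chars:       ", generate_password(8))
```

The check in `meets_policy` is the same one a manager would run before offering the password to the user, so the generator cannot emit something the site would reject. Because the policy only constrains which characters may appear, not where, the length remains the main driver of strength, as the crack-time table above shows.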
Many modern web browsers offer a password management function which leaps into action whenever a website requests the user’s log-in data. But beware: what may seem convenient at first glance also has disadvantages: a web browser is first and foremost – well, a web browser. Integrated password managers are quite vulnerable to malware and attacks from outside. That is why anyone who wants to entrust their passwords to Firefox, Safari, Chrome, etc. for whatever reason should definitely set up a master password, make sure the browser is fully updated at all times and protect the computer or mobile device with an extra password.
Bitwarden: Password Management with Open Source Software
There are numerous password managers around which have been tested and evaluated by different entities. Even though the functionality is basically always the same, there are differences in terms of the user interface, the range of functions and the user-friendliness. And of course, one question always comes up: how much does a password manager cost? In many cases, the programs are actually free of charge, although a distinction is made between using them as an individual or as an organization.
Bitwarden offers an open source password manager that meets multiple application scenarios and is offered in the Univention App Center as an app for Univention Corporate Server (UCS) (more on this later). I would now like to introduce Bitwarden and its numerous functions in more detail.
What exactly is Bitwarden – and who’s behind it all?
Bitwarden is software for managing sensitive passwords securely. More precisely, it is a software package that consists of several individual components (a browser extension, mobile app, and server application). The software was developed by 8bit Solutions (now Bitwarden Inc.) in Florida, USA. Compared to similar services such as KeePass (2003) or Clipperz (2007), it is relatively new on the market: the Bitwarden password manager was first released on August 10, 2016, initially with mobile apps for iOS and Android and browser extensions for Chrome and Opera, followed by the Firefox extension in early 2017. Over the years, the software has been constantly developed further and gradually made available for additional browsers and operating systems (see the section “Bitwarden: List of compatible Clients, Browsers and Apps” below). Its range of services is relatively large; due to its cross-system and cross-device usability, the Bitwarden password manager is accessible to a large audience.
Bitwarden: List of compatible Clients, Browsers and Apps
We now list all the integration options which are currently available for the Bitwarden password manager. The topic “Bitwarden and UCS” will be discussed separately.
The software runs on the three major operating systems, each with different installation options:
Bitwarden for Windows
Bitwarden is available for Windows 7, Windows 8 and Windows 10 – in each case for the 64-bit (x64) and 32-bit (x86) variants. Bitwarden Inc. also offers support for each of these operating systems. It can be installed in the following ways:
- Standard Installer
- App download from the Windows Store
- Portable app for flash drives (there are no automatic updates in this version)
- Chocolatey Package Manager
Bitwarden for macOS
The software is available from OS X Mavericks onwards and can be installed in the following ways:
- Standard installer
- Mac App Store
- Homebrew Package Manager
Bitwarden for Linux
Bitwarden’s password management software is usable for numerous Linux distributions. Users can obtain the software via a variety of options:
- Standard installer
- Bitwarden for Ubuntu, Debian, Linux Mint and others (no automatic updates available)
- Bitwarden for Fedora, CentOS, openSUSE, RHEL and others (no automatic updates available)
- Snap Package Manager
Bitwarden for Web Browsers
As the password manager has developed, the list of web browsers offering it as a direct extension has also grown. Now, the service is available for no less than 8 different browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Tor Browser
Bitwarden as a Mobile App
Bitwarden offers its mobile app in the two major, well-known app stores. Note: UCS users can get the server app from Univention’s App Center.
In the Univention App Center: Bitwarden Password Manager
There is good news for UCS administrators who do not want to use the Bitwarden cloud service and instead want to host their password storage themselves: the Bitwarden password manager is available in the Univention App Center. The program is licensed under AGPLv3 and integrates easily into UCS environments.
Installing Bitwarden in UCS
As with all partner apps, we have tried to make installing Bitwarden user-friendly and simple. If you want to integrate Bitwarden into your UCS via the Univention App Center:
• the ID and key must be requested from Bitwarden;
• the configuration parameters for an email server have to be stored by the administrator during the installation so that the Bitwarden instance can send emails, e.g. when registering a new user;
• the conditions shown in the table above also apply to the Bitwarden App in the App Center: the password manager is free for up to two users; if additional users are to be added, an appropriate license is required.
Why use Bitwarden in UCS?
Bitwarden provides your UCS users with a reliable password manager that runs on your own server. Going via a cloud service may be convenient, but it also always means that you relinquish control and that sensitive passwords reside with an external service provider.
- Connection to identity management via Single Sign-On (SAML) has been added with the current version of Bitwarden (1.38.2), which is available in the App Center. This is much more convenient and valuable for the user. There is no ready-made integration with identity management in UCS yet, but it can be configured manually.
- Furthermore, organizations that choose to use Bitwarden via UCS will of course get the extensive capabilities of UCS and the other apps available with it included automatically.
Bitwarden Web Vault
For those who travel without a laptop, cell phone or tablet and urgently need access to stored passwords while on the road, the Bitwarden Web Vault provides online access to the data from any Internet-enabled device.
As you can see, the Bitwarden password manager is available for use in so many different variants that testing it should be straightforward for most users. The utilization of Bitwarden in UCS will be discussed later in this article. However, a small hint won’t hurt. So, if you do not have UCS installed yet: our core edition is permanently available to you for free!