It's 2023. I have a laptop. And an iPhone. And an iPad.
I want to shop for a book on my laptop.
I want to buy some shares on my iPhone.
I want to book flights on my iPad.
Each of these activities requires a different account for a different website or app.
Each of these accounts will have a different password because reusing the same, simple password is never a good idea.
I know none of these passwords. Why? Because why would I? I use a Password Manager. And I believe everyone else should too.
My first use of a password manager was the use of iCloud Keychain, a solution provided by Apple for their devices. It allowed for the creation of passwords for the use of the device, using (on my device) my fingerprint.
Prior to this, all of my passwords would have been the same, or some sort of iteration of a base-word. For example, the first password would have been tobybestdogever1. If a reset of a password was required due to being locked out or incase the account was compromised, I would have used another iteration of the password, such as tobybestdogever2. Obviously, looking back, this is not secure and very bad practice. Even if Toby is the best dog ever.
With the use of iCloud Keychain, I was able to let my phone generate a password that contained random alphanumerical characters. If a person was going to try and 'guess' my password, they would have an easier time guessing one that I created and iterated as opposed to one that has been generated by a password manager and has no relation to my life or pets.
Another useful feature that came with iCloud Keychain was that it conducts checks to see if any of my accounts or passwords were exposed on well known lists of exposed databases. This happens more than most people realise for a lot of well known companies, including Netflix and even Apple themselves.
Dropping the Keychain
2 years ago I found that iCloud Keychain just wasn't cutting it. Whilst it did a fantastic job on my iPhone and iPad, I'm not quite locked into the Apple ecosystem as others are, and I use an HP laptop. This renders iCloud Keychain fairly useless as it's not available for Windows.
When I was using iCloud Keychain to make all my passwords, if I needed to log on to a website or service on my laptop, which I did more so when working from home, I often had to type the password in manually. This was rather annoying as the password was not a word but an alphanumerical that is very difficult to remember even for a few seconds. This means it is very difficult for a malicious person to steal by glancing at my phone, but equally frustrating to copy across for legitimate purposes also.
So I decided to shop around and read quite a few reviews on different password managers, their benefits and their capabilities.
After some extensive readings, I decided to settle on Bitwarden for a few reasons.
- Open source
I love the idea of open source. I love the idea that the code is publicly available, can be evaluated by others, and that claims being made about it can be proven by an audience much smarter than myself. To this end I do use a few open source solutions in my life, including LibreOffice and Firefox. However, I am not a purest and have always insisted on IntelliJ over Eclipse for Java development.
2. Cross Platform
My main reason for seeking out an alternative to iCloud Keychain was that I wanted a solution that was cross platform. Bitwarden covered my bases, and went a step further by having a Firefox extension that makes it even easier to use with a nice autofill shortcut. It also integrated especially well with iOS and provided all of the autofill requirements there too, just like iCloud Keychain did.
3. It's Free
iCloud Keychain came bundled with iPhone as one of it's core features, Whilst it could be argued it's 'free', I was already paying for the phone, so I'm not sure if it was free. Bitwarden has pricing plans, and can be used personally for free. No free trial. Free, forever. No limit on number of passwords or number of devices. Free. Free. Free.
4. End-to-End encrypted
Being a password manager, being secure is obviously going to be one of the key selling points. And given it's open source development, and it's end to end encryption of passwords, this was a major selling point when it came to my migrating from iCloud Keychain to Bitwarden. It is worth noting at this point that when looking up alternatives to Bitwarden, the main rival LastPass was the target of major databreaches in the past. When letting an app generate your credentials for you, it is important to be aware of it's history at securing those of currents clients. Pretty websites are all well and good, but it's always worth doing a quick check for news stories about the company behind these solutions to see what is really going on that they aren't being up front about.
Bitwarden has been a wonderful experience thus far. The migration from iCloud Keychain to Bitwarden was a tad annoying and overly manual as Apple doesn't give you a way to export your credentials to be imported to another password manager. This is understandable as Apple is a for-profit company and wants to ensure that their customers are as locked in as possible. I had to manually add my current credentials to Bitwarden one at a time. Once this was done, however, I was ready to go.
Bitwarden has completely replaced iCloud Keychain on my iPhone and iPad. I have turned off iCloud Keychain in favour of Bitwarden, and it now fulfils all of the functionality of iCloud Keychain. I did, however, go one step further and purchase Bitwarden Premium. This costs $10 a year which is ridiculously cheap, and it allows for the comparing of my passwords against the reports detailing password leaks like iCloud Keychain does. I also wanted to pay the $10 as Bitwarden is such a fantastic tool that is created by amazing individuals supporting the open source cause.
Bitwarden on my PC has been a godsend too. No more manual typing of passwords. Using the Firefox extension, they are synced and ready to autofill. The amount of time that has been saved not having to type in secure-but-complicated alphanumeric passwords doesn't bare thinking about. I have never experienced any sync issues between making a password on my computer and accessing it on my phone or vice-versa, it has always been available to me instantly.
Is having a Password Manager really that important?
We have all said or heard the familiar 'What's my password?' In 2023, passwords are an unfortunate (and shit) reality of life. For those more well versed, the passwordless future is coming, but let's be frank, it'll be years because that is realised by the vast majority of people, websites and systems. In the meantime, the key is to maintain the security of our credentials using tools such as Password Managers that allow us not to have to remember tens of different passwords for everything we wish to log on to, whilst also allowing us the flexibility to use any device to get our intended task done as efficiently as possible. To compromise on this is to let a malicious person assume your identity and carry out actions in your name - and probably with your money.
A password manager should be easy to use and secure. Bitwarden passes those two tests.
The question I ask myself is 'Can this technical solution do a better job than me at protecting my credentials?' The answer for me is yes, and so I use the technical solution. I believe for the vast majority of people today the answer will be yes too.
If in doubt, please go read more on the subject, including from the UK National Cyber Security Centre. They are way smatrter than me. I'm just a fanboy!