Bitwarden
- Overview
- Initial Configuration
- Deployment Configuration
- Application Interface
- Everyday Usage
- User Management
- Advanced Customization
- Troubleshooting
- Upstream Project
Overview
Bitwarden helps you generate, save and manage your passwords safely and securely. Think of it like a book of passwords, locked by a key that only you know.
Why A Password Manager?
Password managers take the hassle out of creating and remembering strong passwords. Passwords are stolen all the time. They can help you with digital inheritance, and they can help to protect your identity. One of the easiest ways to encourage good password hygiene is to deploy a password management solution across your workplace.
Major Features and Benefits
- Securely Store Passwords
- Ability to Generate Random Passwords
- Secure Password Sharing within Organizations
- Cross Platform Accessibility
- Have I Been Pwned? integration
Application Range
- Web Application
- Browser Extension
- Desktop Client
- Mobile
- Command Line Interface
Links
- TechCrunch - Cybersecurity 101: Why you need to use a password manager
- Wikipedia - List of the Most Common Passwords
- Malwarebytes - What is a Password Manager
- Lastpass - 8 Truths of Password Managers
- NIST Rotating Passwords
- LastPass - 8 Truths about Passwords in the New Password Exposé
Initial Configuration
Instance Settings
Access the Admin Portal
The System Administrator Portal for your instance is available at https://your.domain.com/admin.
Settings to be aware about
If you are the main admin of the instance, it is good to be aware that there are a couple of settings that we do NOT set by default that you may wish to change. In order of appearance...
Allow new signups
Leaving signups open may seem counter-intuitive until you realize that we create the initial user through that open registration, and it also lets us easily onboard any additional users onto the instance. It is still worth considering as an option to set when creating the instance. On its own it is not a major attack vector, especially once the additional restrictions below are in place: an open signup leaks no vault data, since it only allows one more account to be created on the system.
Set attachment limits
Setting attachment limits closes the biggest risk of leaving account registrations open: anyone who creates an account could run the instance out of disk space by uploading very large attachments. The limits can be set during instance setup and from the admin page.
SMTP Email Settings
As with most of the services we offer, there is currently no bundled SMTP service, so this is left blank. It can be connected to any email service that you have set up.
Email signup limitations
Once SMTP is configured, the following limitations on signups become available:
You can require that signup emails be verified, and restrict signups to whitelisted domains. This works well if your organization uses its own domain addresses.
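As an added example, not taken from this page or from the upstream project's documentation, here are the instance settings discussed above expressed as an environment file for the upstream server (bitwarden_rs, since renamed vaultwarden), with the shipped default noted beside the hardened value. The variable names are the upstream project's configuration keys as I know them; every value is a constructed placeholder to replace. Values saved from the admin page are written to a config.json in the data folder and take precedence over the environment.

```shell
# Public URL of the instance; the admin portal lives under /admin
DOMAIN=https://your.domain.com

# Admin portal token. Use a long random value (for example: openssl rand -base64 48).
# Placeholder value, constructed for this example.
ADMIN_TOKEN=REPLACE_WITH_LONG_RANDOM_TOKEN

# Default as shipped: open registration (needed to create the first user).
# Hardened: close it once the initial admin exists and onboard users by invitation.
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=true
# Name shown in invitation emails
INVITATION_ORG_NAME="Compositional Enterprises"

# Attachment limits in kilobytes, per user and per organization.
# Unset by default; setting them closes the "fill the disk with uploads" risk.
USER_ATTACHMENT_LIMIT=102400
ORG_ATTACHMENT_LIMIT=512000

# SMTP: blank by default because no mail service is bundled.
# Host, sender and credentials are placeholders.
SMTP_HOST=smtp.example.com
SMTP_FROM=bitwarden@example.com
SMTP_PORT=587
# Older bitwarden_rs releases used SMTP_SSL=true instead of SMTP_SECURITY
SMTP_SECURITY=starttls
SMTP_USERNAME=REPLACE_ME
SMTP_PASSWORD=REPLACE_ME

# With SMTP working, require verified emails and restrict new accounts
# to the organization's own domain(s).
SIGNUPS_VERIFY=true
SIGNUPS_DOMAINS_WHITELIST=example.com,example.org
```

The order matters in practice: SIGNUPS_VERIFY and SIGNUPS_DOMAINS_WHITELIST only do anything once the SMTP block works, so test mail delivery from the admin page before relying on them.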
Client Settings
Common Settings
Vault Locking
There are two common settings - when to timeout, and what to do when it gets timed out. The above should be self-explanatory. The settings are different for the Browser Add-On which allows for the timeout to be the screenlock and/or a computer restart. The mobile app allows for an App Restart timeout.
Change Master Password
There are options on the other clients to do this, but they redirect to the web vault.
Web App
Display layout
This allows the web vault to display using the whole width of your screen. Just a nice quality-of-life improvement.
Browser Add-On & Mobile Client
Server URL
Your URL should include the `/bitwarden` path at the end of the domain.
Unlock with Biometrics/PIN Code
This allows you to log in using a PIN or biometrics (fingerprint reader on mobile, etc.). This is much more convenient after setting up a device than having to re-type your master password over and over again.
Dark Theme
The only sane choice.
Auto-Fill
The explanations are above, but I would suggest setting these the way that seems best to you.
Note that if you don't have the URI saved for a site but are using Bitwarden anyway, it will prompt you to add it to a new entry instead of the existing one.
Sync
This is to manually sync the clients. However, the clients sync any time there is a change as described in https://bitwarden.com/blog/post/live-sync/
Desktop Client
CLI
Deployment Configuration
Application Interface
How I access this tool, and how it is displayed to me.
Desktop
WebApp
https://bitwarden.com/help/article/getting-started-webvault/
In its most basic form, there is a web app that users can log into with their browser:
This is most handy as a bookmark in a web browser, or for accessing on public, or otherwise non-typical devices.
This is the best place to perform administrative functions, such as managing folders and organizing groups.
NOTE: While a compromised server cannot access your encrypted information, it is able to modify the webapp code that it serves to your browser, potentially injecting malicious code. It is recommended to use platform-native implementations, such as a browser addon, or a desktop or mobile client.
Browser Addon
https://bitwarden.com/help/article/getting-started-browserext/
This is where this application really shines. It brings together all of the aspects that you would want in a password manager, including auto-fill, new login creation, and of course random password generation.
- Chrome: Chrome Web Store
- Safari: Bitwarden Official Docs
- Edge: Edge Add-Ons
- Firefox: Firefox Browser Add-Ons
Clicking on that button will bring up a minimized version of the web app, which looks very similar to the mobile app, and allows you to perform almost all functions that you would need to consume the service. However, the web app is still the best place to access the more advanced functionality.
Auto-Fill
The auto-fill on the add-on is straightforward. For every login, there is a field named "URI" that accepts one or more entries. This allows the browser to determine which logins are for which site. Once that has been populated, the entry will show up in the "Tab" section of the popup.
NOTE: Don't worry if you don't want to add the URI in advance. You can always search for it, and add it as you are actually using the browser add-on.
Here is a look at what that looks like:
From here, I am able to select the login that I want. Note that I have several different options since I have several different logins for this same URL. Matching rules can be tweaked as appropriate in the Settings section.
Desktop Client
While all clients are enabled to work offline, the desktop client is especially well-suited, as it should be included in any desktop backups that are taken, while remaining fully encrypted at rest, with decryption done in memory.
Desktop clients also feature biometric unlocks that are able to be used as an alternative for re-entering your master password to unlock it after the initial login.
Command Line Interface
Yes, Bitwarden does have an official CLI client: https://bitwarden.com/help/article/cli/
There also exists an alternative implementation here: https://github.com/birlorg/bitwarden-cli
And of course the script that will create the params for a new user to be created written by Andrew: https://gitlab.com/compositionalenterprises/role-compositional/-/blob/master/roles/compositional/files/bitwarden_registration_params.py
Mobile
https://bitwarden.com/help/article/getting-started-mobile/
The mobile interface for this application is pretty much the same as the browser addon - it is meant to be used, and is not necessarily the best for performing administrative functions.
NOTE: For your own protection, mobile apps don't let you take screenshots.
Installs
The applications for Apple and Android are available in the App Store and Google Play respectively.
Note that for Android, the application is also available in the F-Droid repos: https://mobileapp.bitwarden.com/fdroid/
Unlock Options
For the initial login, your master password is of course required as it generates the data necessary to retrieve your passwords. However, after the initial login, you have the option of unlocking the application simply with your biometrics or your PIN.
It is recommended to set it to one of the above, since it would get extremely tedious to continuously be required to insert your master password every time that you want to auto-fill a login.
Auto-Fill
The auto-fill prompt will pop up once you enable it in the settings. The following prompt appears whenever you click on a password field. This is an example of logging into eBay on a mobile browser:
From there, it will switch apps to your Bitwarden app, where you can select the application to auto-fill it with. Keep in mind that the auto-fill follows all of the rules of the browser add-on.
Filters on the Home Page
Filters provide a way to look at different items in your vault based on different categorizations and tags. These tags can vary from favorites, to item types, to folders, and lastly to collections. At Compositional Enterprises I use collections on a daily basis to filter down to different passwords; clicking on a collection shows just the entries within that collection. At home I have everything in folders based on different categories (homelab, work, school, etc.).
Everyday Usage
Methods and Concepts for how I use this tool.
Vault Items
There are four different types of items that can be created in Bitwarden: Login, Card, Identity and Secure Note. They are somewhat self-explanatory, but I will cover them. Login is for a login (website). Card is for a credit card or debit card. Identity is for an identity; this may be good to use for kids or for identities such as business entities. Secure Note is very plain, in the sense that it has a name and a box for a note. Below are the four different types of items that can be added; note the different available text boxes for each type of item.
Adding a new Element (4 different kinds):
Adding a new Login:
Adding a new Card:
Adding a new Identity:
Adding a new Secure Note:
Editing an Item: the one thing to note when editing the item is to ensure you save it after you are done making changes. It is easy to get burned by clicking the X on the top right and then having to reset a password again.
Folders and Search
Folders are the essence of organization. They allow you to logically group items, which keeps the vault easy to navigate. See Bitwarden's documentation on folders here for more.
Adding a folder (relatively easy):
Organizations and Collections
Organizations:
Bitwarden Organizations add a layer of collaboration and sharing to password management for your family, team, or enterprise, allowing you to securely share common information like office wifi passwords, online credentials, or shared company credit cards. Secure sharing of Organization-owned credentials is safe and easy. For more information on organizations checkout the upstream documentation.
Viewing organizations can be found on the right hand of the page.
Within the Organization View:
Something to note is that all organization passwords in your view will show up with a "shared" Icon:
Collections:
Collections are similar to Folders in that they provide a way to logically group items for your organization. For more information on Collections, check out the upstream documentation.
Think of Collections as Organization-equivalents to the Folders used to organize a Personal Vault, with a few key differences:
- Organizations control access to Organization-owned items by assigning users or Groups to Collections.
- Organization-owned items must be included in at least one Collection.
Note in Compositional Enterprises Instances, the "Move to organization" button will show as "Share" as seen below:
Send
Bitwarden Send is a secure and ephemeral way to transmit sensitive information to anyone. Sends can include plaintext or file attachments up to 500 MB (100 MB if creating from Mobile). Every Send is assigned a randomly generated and secure link, which can be shared with anyone (including those who do not have Bitwarden accounts) via text, email, or whatever communication channel you prefer. Every Send is: End-to-End Encrypted, Dynamically Ephemeral, Customizably Private. Send documentation can be found here.
Below is an example of creating a send:
Our Test Send Link that was generated and able to be shared:
Tools
In the Bitwarden Tools section, features such as how your password gets generated, importing data, exporting your vault, and pulling reports are available for customizing your instance.
Password Generator
Password Generator does exactly as it says, it generates a password. It provides the ability to set length, minimum numbers and minimum special. It also provides the ability to generate passphrases with the options to set the number of words, setting a word separator, capitalizing the words, and the ability to add a number.
If you look closely, the clock icon at the bottom right of the page provides a password history of the most recently generated passwords from the password generator.
Adding an item from the plugin also provides the ability to generate a new password when signing up using the refresh button on the password field (right most button/link in the password field):
Import Data
An undervalued tool, only likely to be used one time, the Import Data functionality allows you to import from a host of providers including: Bitwarden (JSON, CSV), LastPass, Chrome, Firefox, KeePass 2, 1Password, Dashlane and many others.
Export Vault
What goes in may need to come out. Exporting a Bitwarden vault is as easy as setting the File Format, inputting your Master Password, and exporting your vault. This can be helpful for migrating to a new instance of Bitwarden. Note that at Compositional Enterprises we take care of your data and upgrades. Exports can be kept for offsite backups if needed, or used for migrating to a different provider.
Reports
Reports are helpful for changing up passwords, cycling passwords, and updating anything that may be stale or exposed. Reports can be found under the Tools section of Bitwarden. For information on the reports available, see Bitwarden Password Reports.
A quick note on the Exposed Passwords Report from Upstream Documentation:
This report uses a trusted web service to search the first 5 digits of the hash of all your passwords in a database of known leaked passwords. The returned matching list of hashes is then locally compared with the full hash of your passwords. That comparison is only done locally to preserve your k-anonymity.
Why use the first 5 digits of password hashes?
If the report was performed with your actual passwords, it doesn’t matter if they were exposed or not, you would be voluntarily leaking it to the service. This report’s result may not mean your individual account has been compromised, rather that you are using a password that has been found in these databases of exposed passwords, however you should avoid using leaked and non-unique passwords.
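As an added illustration of the k-anonymity check the quoted upstream note describes (example code written for this page, not Bitwarden's or vaultwarden's implementation), the script below hashes a password with SHA-1, sends only the first 5 hex characters (the "digits" above) to the range service, and compares the remaining 35 characters locally against the returned list. The range response is constructed inline so the script runs offline; the `lookup_range` function, the variable names and the breach counts are this example's own, and a real client would fetch the `range/<prefix>` endpoint of the service instead.

```shell
#!/bin/sh
# k-anonymity exposed-password check, done by hand.
# Only the 5-character hash prefix leaves the machine; the suffix match is local.

# Constructed stand-in for the remote "range" response for prefix 5BAA6.
# Each line is <hash suffix>:<breach count>. A real response has hundreds of
# lines; this one is made up for the example. The first suffix is the genuine
# SHA-1 remainder for the string "password"; the others are invented.
RANGE_RESPONSE_5BAA6='1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0E9D6D7E3C0F4D2B8A1C5F6E7A8B9C0D1E2:12
F6B7C8D9E0A1B2C3D4E5F6A7B8C9D0E1F2A:3'

# sha1_upper PASSWORD -> 40 uppercase hex characters
sha1_upper() {
    printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# hash_prefix PASSWORD -> the 5 characters that would be sent to the service
hash_prefix() {
    sha1_upper "$1" | cut -c1-5
}

# hash_suffix PASSWORD -> the 35 characters that never leave the machine
hash_suffix() {
    sha1_upper "$1" | cut -c6-40
}

# lookup_range PREFIX -> prints the range response for PREFIX.
# Only the constructed 5BAA6 bucket is known here; a real client would fetch
# https://api.pwnedpasswords.com/range/<PREFIX> and print the body instead.
lookup_range() {
    case "$1" in
        5BAA6) printf '%s\n' "$RANGE_RESPONSE_5BAA6" ;;
        *) : ;;   # empty bucket: nothing leaked with this prefix
    esac
}

# exposure_count PASSWORD -> how many times the password appears in the
# leaked set (0 if absent). The service only ever sees the prefix; the
# full-hash comparison is the local grep on the suffix.
exposure_count() {
    prefix=$(hash_prefix "$1")
    suffix=$(hash_suffix "$1")
    count=$(lookup_range "$prefix" | grep -i "^$suffix:" | cut -d: -f2)
    printf '%s\n' "${count:-0}"
}

# Usage: a known-leaked password beside a constructed strong one.
for pw in 'password' 'correct-horse-battery-staple-2ZqT'; do
    echo "prefix sent: $(hash_prefix "$pw")  exposed count: $(exposure_count "$pw")"
done
```

The point to notice is in `exposure_count`: the service learns only that one of roughly a million possible hashes is being checked, while the decision about your specific password is made by the local comparison, which is exactly why the report does not leak the passwords it checks.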
User Management
Inviting Users
Who can send invites?
There are two places where users can be invited:
- In the global admin "Users" page:
- An organization admin or owner in the "Manage" section of the Organization:
How do invited users sign up?
If an SMTP server is enabled for the server, the invited user's email address will receive a message inviting them to the instance.
If not, they are available to sign up on the regular "Create Account" screen.
What if registrations are disabled?
Even when registration is disabled, organization administrators or owners can invite users to join an organization. After they are invited, they can register with the invited email address.
https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
How do I change invites?
The invitation organization name can be changed, and invitations in general can be allowed/disallowed on the "Settings" admin page:
Administrative Management
Users
Users can be managed from the "Users" section of the administration page.
From here, we can see a couple of things, from left to right:
- Name and status
  - Names are redacted from the image above
  - Status can be one of:
    - Verified
    - Invited
- Created date
  - Year/Month is redacted from the image above
- Last active date
  - Year/Month is redacted from the image above
- Items
  - Can be one of:
    - Login
    - Card
    - Identity
    - Secure Note
  - Excludes all items shared with an Organization
- Organizations
  - Can change the role of the user within the organization by clicking on its logo
- Actions
  - Can be one of:
    - Deauthorize sessions
    - Delete User
    - Disable User
  - Will not prompt for a confirmation to deauthorize sessions
Organizations
Organizations can be managed from the next tab over:
Basically they can be displayed and deleted. The users and items are displayed in-line.
Advanced Customization
Troubleshooting
Upstream Project
Links
Official Site: https://github.com/dani-garcia/bitwarden_rs/wiki
Code: https://github.com/dani-garcia/bitwarden_rs
Documentation: https://github.com/dani-garcia/bitwarden_rs/wiki
Updates: https://github.com/dani-garcia/bitwarden_rs/releases
Community: https://bitwardenrs.discourse.group
Container Image: https://hub.docker.com/r/bitwardenrs/server