Categories
Personal Computing

A Tale of Two Password Managers

Dismal Manor uses unique passwords for all log-ins, keeps passwords in an independent password manager, and uses 2 factor authentication, preferably a physical key where we can. This article describes the Dismal Manor practices.

Dismal Manor tries to be somewhat security conscious. We try to use unique passwords for all log-ins, keep passwords in an independent password manager, and to use 2 factor authentication, preferably a physical key where we can. In this article, we look at BitWarden and explore the possibility of migrating from 1Password to BitWarden.

Revision History

  1. 2022-02-27 Original draft

References

  1. https://1password.com
  2. https://bitwarden.com/
  3. https://www.yubico.com
  4. Add codes to a YubiKey
  5. Diceware password creation
  6. https://www.rust-lang.org/

Why use a password manager

Security experts recommend that each user account we have be secured by a good password. Typically, providers require that we use our Email address to identify the account. The E-mail provider enforces uniqueness and the account would require E-mail for administrative contact to reset passwords, etc.

Accounts need to have unique passwords to prevent compromise of one account from facilitating compromise of others. Use of unique passwords also protects important accounts related to banking, investment accounts, E-mail, health care, health insurance, utilities, communications services, etc. from being compromised when an entertainment account is compromised. Many consultants recommend use of a personal-business E-mail address with business contacts and a recreational E-mail address for entertainment and news sites. Here we use our Apple ID address for important services and a Proton Mail address for recreational accounts.

Over the years, it is easily possible to accumulate a hundred or more accounts. It quickly becomes impossible to remember all of them or their passwords. The wide variety of password formation rules makes it impossible to use a simple password plus an algorithmic transformation to make unique yet memorable passwords. The only workable approach is to use a random password, preferably one that is long enough to be difficult to brute force yet easy enough to remember when you must type it by hand. Password managers let us form such passwords, record them in a secure manner, and easily retrieve them for use.

Making a Good but Memorable Password

Here at Dismal Manor, we use the Diceware [5] algorithm to generate strong but memorable passwords. We generally use the dice to select 3 words, connect them with hyphens, and add a number at the end, also selected by rolling the dice.

The Diceware algorithm is used to pick words from the Diceware Word List. Roll the dice, form a 5 digit number, find the number in the list, and note the word. Do this two more times. Order the words to make a phrase you can remember long enough to type. Roll again to generate the tail end number.

Rolling dice picks 5 numbers from 1 to 6 with replacement, so the number of outcomes is 6**5 or 7776 outcomes per roll. But we’re making 4 independent picks, so the total number of outcomes is 7776**4 or about 3.6*10**15. That’s a lot, and each of those outcomes is mapped to one of 7776 words chosen from a palette of, say, a million English words. The search problem quickly becomes intractable.
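The recipe above (three Diceware words joined by hyphens plus a dice-rolled number) and the outcome count that follows it, worked through in code. This is an added example, not code from the article, 1Password or BitWarden. The real Diceware word list is not embedded here, so `synthetic_wordlist()` builds a constructed stand-in of 7776 placeholder words keyed exactly like the real list; `load_wordlist()` parses the real list’s `<five dice digits> <word>` line format if you have a copy. `FixedRolls` is a constructed helper that replays chosen dice rolls so a lookup can be followed by hand.

```python
"""Diceware passphrase generation and the entropy count from the article.

Added example, not code from the article, 1Password or BitWarden.
"""
import itertools
import math
import secrets

DICE_KEY_LEN = 5                 # five d6 rolls per pick
LIST_SIZE = 6 ** DICE_KEY_LEN    # 7776 words in a Diceware list


def load_wordlist(text):
    """Parse Diceware-format text: one '<key> <word>' per line, keys of five digits 1-6."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip blank lines and any header text
        key, word = parts
        if len(key) == DICE_KEY_LEN and set(key) <= set("123456"):
            words[key] = word
    return words


def synthetic_wordlist():
    """Constructed stand-in for the real list: keys '11111'..'66666' -> 'w0'..'w7775'."""
    keys = ("".join(k) for k in itertools.product("123456", repeat=DICE_KEY_LEN))
    return {key: f"w{i}" for i, key in enumerate(keys)}


class FixedRolls:
    """Constructed deterministic die: replays a string of digits 1-6 (demo only)."""

    def __init__(self, digits):
        self._it = iter(digits)

    def choice(self, faces):
        return next(self._it)


def roll_key(rng=secrets):
    """Roll five dice and return the 5-digit lookup key, e.g. '36251'."""
    return "".join(rng.choice("123456") for _ in range(DICE_KEY_LEN))


def diceware_passphrase(wordlist, n_words=3, separator="-", rng=secrets):
    """The article's recipe: n_words dice-picked words joined by separator, plus a dice-rolled number."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("wordlist must have exactly 7776 entries")
    words = [wordlist[roll_key(rng)] for _ in range(n_words)]
    tail = roll_key(rng)            # the trailing number is itself a five-dice roll
    return separator.join(words) + separator + tail


def entropy_bits(n_picks, list_size=LIST_SIZE):
    """Bits of entropy for n_picks independent uniform picks from a list_size list."""
    return n_picks * math.log2(list_size)


if __name__ == "__main__":
    wl = synthetic_wordlist()
    print(diceware_passphrase(wl))                       # secrets-backed, e.g. w1234-w77-w4010-25316
    print(f"{entropy_bits(4):.1f} bits, {LIST_SIZE ** 4:.2e} outcomes")
```

Three words plus the number are four picks of 7776, about 51.7 bits; `secrets.choice` is used for real generation so the picks come from the OS random source, which is the property the article says the words must have.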

Both 1Password and BitWarden have implementations of the Diceware algorithm. The BitWarden version is a bit more flexible as you can tell it to throw in a number, which separator to use, and how many words to use. But either one creates tough passwords. The beauty of building Diceware in is that there can be more dice with 10 or more sides (hex dice anyone?) and a much bigger word list.

The catch is that most sites have stupid password complexity rules featuring a too-short length and character constraints you must satisfy. It is better just to take what is sent, hash it with salt, and run with it. If it is long enough, it is good enough unless people are picking from Bartlett’s Quotations or something equally lame. The words must be random picks.

Use the Built-In Password Manager?

In 2022, all major operating systems and web browsers offer a built in password manager of some sort. Some of the common ones include

  • Windows-11 password manager
  • Apple MacOS/iCloud password manager
  • Firefox password manager

Most of these have the problem of being restricted in their domain of application or integration. I’m a Mac so I’m unfamiliar with the Windows password manager. In the old days, such things were used as velvet chains to keep you a Microsoft hostage. Today, Microsoft is more enlightened and plays better with others than in the past. Note their embrace of Linux for cloud development and provision of Linux APIs to use important Microsoft capabilities like .NET, Active Data Objects, and such.

Early password managers, like the MacOS Keychain, were developed primarily to meet the needs of the OS but less so for interactive use with large credential sets. Over the years, my Keychain has remembered every typo I’ve ever made. My Keychain is a mess and in severe need of a clean-up.

Apple later added password suggestion to Safari. Early versions would make up mush with newer versions able to make up a phrase depending on settings.

Apple still has a velvet chains mentality where things (like Apple Messages) work swimmingly well within the Apple ecosystem but are unavailable outside Apple World. Apple makes it easy to escape the Android and Microsoft worlds but not so easy to escape from Apple World.

Passwords are just too important to be restricted to a single user or application environment. We really need to be able to use our password collections from any device we have, either directly or via a browser plug-in. Third Party password managers offer this capability.

Third Party Password Managers

There are a number of commercial products including 1 Password, BitKeeper, BitWarden, DashLane, LastPass, etc. I’ve used two, 1Password and BitWarden. The others I’m aware of because I’ve seen articles reviewing them or they have been the subject of vulnerability exploitation articles in the past. That a password manager is not in the news is a very good thing.

Password managers need to be affordable, easy to use, permit sharing of family passwords, provide password recovery for estates in probate, and other things you’ve probably not thought of including off-site and off-device backup and recovery that permits continued use during a natural disaster or, heaven forbid, bugging out of a war zone.

Emigration folk recommend keeping secure cloud copies of important credentials and identifications for use in an emergency. Consider a trip abroad. Your passport goes missing. Wouldn’t it be nice to have a secure copy accessible from abroad to reestablish your credentials?

If the password manager hosts its data in a place with tough privacy laws, that’s a big plus. The EU and Switzerland have strong data privacy laws with the Swiss law being the toughest. The Swiss will tell intelligence agencies to pound sand when they show up looking for your data. Privacy is serious business for the Swiss. Swiss Proton Mail has a notes folder which is a good place to stash documents secured by AES-256 encryption.

What’s up with 1Password?

1Password is one of the better widely available commercial password managers on the market. It has been available for about 20 years beginning as a MacOS product and later broadening to serve Windows and to provide browser plugins for Safari, Firefox, and Chrome. 1Password featured excellent security hygiene, good ease of use, and cloud storage of your password trove for travel use and disaster recovery. I remain a satisfied 1Password user but changes are afoot at AgileBits and to the product to pitch it to the corporate market.

1Password appears to have had a change in direction and possibly ownership. AgileBits recently received venture capital to expand the product’s presence and utility in the corporate market. Work environments require access to increasing numbers of service accounts and need to recover passwords associated with departed employees. Administrators could reset internal accounts but recovering an external account required following procedures mandated by the provider. 1Password’s recent moves appear aimed at development to support corporate use cases in addition to personal use cases.

Anyway, with the changes afoot at 1Password, it seemed prudent to more seriously examine migration from 1Password to another product while 1Password remained available, affordable for dual operation, and export formats supported data migration.

Introducing the Contender, BitWarden

BitWarden is a commercial product having an open source software development model for the core code and capabilities yet offering a commercial service that provides cloud storage of passwords, travel access to passwords, and disaster recovery of passwords. A strong design team understanding cryptographic system design has developed BitWarden. Like 1Password, they are careful not to expose plaintext and ciphertext together, which would permit known-plaintext attacks against your keys, and to independently audit cryptographic and coding practices to prevent, discover, and remove vulnerabilities.

BitWarden does support organizations or groups and sharing of passwords by members of a group. The intent is to permit role based sharing of credentials access by small business team members while protecting a team’s credentials from access by other teams.

Web App First, Native App Second

1Password started out as a MacOS app. I met 1Password after the move to OS X and Cocoa but it may have started before the move in the aughts. The original worked as a desktop application with a menu bar widget following, and more recently, browser plugins once the interface for writing them settled.

BitWarden started as a web application and browser plugin with a native app following. BitWarden is young enough that it makes extensive use of JavaScript, JavaScript Object Notation (JSON), and modern web frameworks like Electron. 1Password 8 is moving to the Electron framework and the Rust programming language [6]. Electron is a toolkit for writing platform independent web applications with support for common operating systems and browsers. Rust is a recent systems programming language designed to generate compact, fast, secure code.

Getting Started with BitWarden

So BitWarden migration begins with account setup and vault setup at https://bitwarden.com/. Then you export your existing password trove and import it into BitWarden. BitWarden supports several common password manager export formats and makes manual duplicate removal easy.

BitWarden maps fields where it can. When it can’t, it creates a custom text field to hold the data. When even that is not possible, it converts the item to a note item; it does this with license items, for example.

Once all troves have been loaded, it is time to paw through them to cull duplicates and check that a proper URL root is present to allow the plugin to retrieve candidate records based on the content of the browser address bar. This process can take several hours.

Begin using the new password manager

Begin using the new password manager immediately. This consists primarily of installing the browser plugin, disabling the incumbent’s plugin, and going about your daily business for a couple of months to discover which retained entries need correcting and to identify missing records to recreate by hand.

Safari with BitWarden Plugin

As you enter an address, BitWarden will search for matching records. The BitWarden badge to the right of the address bar will indicate the number of matches found. Clicking the badge opens a record selector showing a row for each match and icons to copy the user name, password, and 2FA token to the clipboard. These are pasted to the proper fields in the sign-in form. 1Password will usually automatically make this transfer but not always. This is a key difference between the two products. 1Password is a bit more convenient when it works automatically and a bit clunkier when it doesn’t. BitWarden is consistent from site to site and account to account.

BitWarden appears to be a bit more capable regarding URI parsing and matching. 1Password attempts to do everything for you. BitWarden lets you choose the match algorithm and set a match regular expression where needed. Exposing this is a bit geekier and may help with collections of similar URIs. One of the thornier cases is website development where you have user passwords and developer passwords and the URI may differ between the development environment and the production environment. Pantheon.io is a good example of a family of development URIs. With 1Password, I needed a record for each. With BitWarden, I can set up a match expression for the site’s development URI family.
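To make the difference between the match strategies concrete, here is an added example (not BitWarden’s or 1Password’s code) of the kind of matching a browser plugin runs against the address bar: a host match for an ordinary site, a prefix match for one path of a site, and an anchored regular expression covering a whole development URI family. The vault entries, the `example-bank.test` host and the `*-mysite.pantheonsite.io` hostnames are constructed for the example.

```python
"""Credential-to-site matching of the kind a password manager plugin performs.

Added example, not BitWarden's or 1Password's code. Match modes are an
illustration of the choices described in the article (host, URI prefix, regex).
"""
import re
from urllib.parse import urlparse

# Constructed sample vault: each entry carries one or more (mode, pattern) rules.
VAULT = [
    {"name": "bank",
     "rules": [("host", "https://online.example-bank.test")]},
    {"name": "site-dev",
     # one anchored regex covers the dev/test/live members of the URI family
     "rules": [("regex", r"^https://(dev|test|live)-mysite\.pantheonsite\.io/")]},
    {"name": "site-admin",
     "rules": [("starts_with", "https://live-mysite.pantheonsite.io/wp-admin")]},
]


def matches(rule, page_url):
    """Return True when one rule matches the URL in the address bar."""
    mode, pattern = rule
    if mode == "host":
        # compare hostnames only, so paths and query strings do not matter
        return urlparse(page_url).hostname == urlparse(pattern).hostname
    if mode == "starts_with":
        return page_url.startswith(pattern)
    if mode == "regex":
        # regexes should be anchored with ^ so 'evil-example.test' does not match 'example.test'
        return re.search(pattern, page_url) is not None
    raise ValueError(f"unknown match mode: {mode}")


def candidates(vault, page_url):
    """Names of entries offered for this page; the badge count is the length of this list."""
    return [e["name"] for e in vault if any(matches(r, page_url) for r in e["rules"])]


if __name__ == "__main__":
    for url in ("https://dev-mysite.pantheonsite.io/user/login",
                "https://live-mysite.pantheonsite.io/wp-admin/",
                "https://online.example-bank.test/login?next=/accounts",
                "https://evil.example-bank.test/"):
        print(url, "->", candidates(VAULT, url))
```

A host or regex rule is only as safe as its anchoring: an unanchored pattern such as `example-bank.test` would also match a look-alike host, which is exactly the situation autofill is supposed to protect against.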

2FA Authentication

Both products support 2 factor authentication. They allow you to record the authenticator specification and will generate the one-time code from it. Both will accept hex or URI formats and both support several common standards. Both require you to keep backup codes in a note or a custom field. Entry of the configuration data is easy in either product.

Either application will compute the time dependent one time code. 1Password generally fills it automatically. BitWarden requires you to copy and paste it. Either product’s native application and browser plugins compute the code and are generally within a second of each other when changing time slices. Both applications show time to live and allow you to wait for the value to refresh.
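What the two products do with a recorded authenticator, as an added example that is not code from 1Password, BitWarden or Yubico: decode the secret (base32 as found in QR codes, or hex), parse an `otpauth://totp/...` URI, derive the RFC 6238 time-based code, and compute the time-to-live countdown the apps display. The secret used here is the published RFC 6238 test key, so the expected codes are known; the URI label and issuer are constructed.

```python
"""RFC 6238 TOTP derivation and otpauth URI parsing.

Added example, not code from 1Password, BitWarden or Yubico.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def decode_secret(secret, fmt="base32"):
    """Return raw key bytes from a base32 (QR code style) or hex secret string."""
    s = "".join(secret.split())
    if fmt == "hex":
        return bytes.fromhex(s)
    if fmt == "base32":
        # otpauth secrets usually omit '=' padding; restore it before decoding
        return base64.b32decode(s.upper() + "=" * (-len(s) % 8))
    raise ValueError(f"unknown secret format: {fmt}")


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // period), digits, algorithm)


def seconds_remaining(for_time=None, period=30):
    """Seconds until the current code rolls over: the countdown both apps show."""
    if for_time is None:
        for_time = time.time()
    return period - int(for_time) % period


def parse_otpauth(uri):
    """Parse otpauth://totp/<label>?secret=...&issuer=...&digits=...&period=...&algorithm=..."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": decode_secret(params["secret"]),
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    # Constructed URI; the secret is the RFC 6238 test key "12345678901234567890" in base32.
    cfg = parse_otpauth("otpauth://totp/Example:alice%40example.com"
                        "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    now = time.time()
    print(cfg["label"], totp(cfg["key"], now, cfg["period"], cfg["digits"], cfg["algorithm"]),
          f"valid for {seconds_remaining(now)} s")
```

Because the code depends only on the shared secret and the clock, two devices holding the same record agree to within their clock skew, which is why the native app and the plugin produce the same value and only disagree for a moment at the time-slice boundary.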

YubiKey

These codes can also be stored in YubiKey devices for automatic insertion by serial port or NFC communication. I personally prefer storage in the password manager as security keys are only a trip through the dryer away from death. That said, I’ve yet to kill pocket devices made in the new century by laundering and drying them.

Both 1Password and BitWarden can require 2FA to log in or to open your vault. This is a good place to use YubiKeys as keys can be included with a will for transmittal to the estate executor. Clearly master keys to your financial kingdom have to be kept with parties trusted to control them properly until they are needed.

Actual YubiKeys

YubiKeys have several roles. Often, they can be used with systems and websites to enter authentication tokens. Google, Twitter, and several others support them.

Actual keys are most useful under the following conditions.

  • The device has a port that can query the key.
  • The device has an NFC radio that can query the key.
  • The device may be difficult to use with your password manager.

1Password makes it possible in the web app to search for records having 2FA codes. BitWarden does not currently offer this search.

Both applications check to determine if sites support 2FA and can prompt you to add 2FA.

Reference [4] gives the procedures for using YubiKey Authenticator Application to maintain 2FA keys in a device.

Maintain Duplicate YubiKeys

How do you back up a YubiKey? You don’t. Rather, you have to maintain a duplicate or several as systems are changing from USB-A to USB-C ports. In Reference [4] Yubico writes the following.

If you have one or more backup YubiKeys, unplug the YubiKey that is currently plugged in, insert one of your backup keys, and follow through steps 4-6 again. Consider saving a copy of the QR code (or secret key) somewhere safe so you have the ability to program the credential into future backup YubiKeys, etc.

Reference [4], step 7.

YubiKey Authenticator App

The YubiKey Authenticator App allows you to store 2FA keys and will compute values for entry into applications without using the physical device. I’ve not found it convenient to use as it is not integrated with the browser. But you can use it to keep all your 2FA codes in the device. Once in, however, they can’t be extracted. Yubico recommends saving codes separately.

Yubikey with Your Password Manager

I’ve found it more convenient to keep this information in 1Password or BitWarden as it is also held by a trusted third party. I keep the 2FA keys in the applications but also in a YubiKey and in an Apple Note saved in iCloud. My iCloud account has 2FA implemented with the one time code sent via iPhone.

By davehamby

A modern Merlin, hell bent for glory, he shot the works and nothing worked.