Using A Password Manager Or Moving To A New One
An Ongoing Program
I have moved to Bitwarden and recommend you do the same.
A dedicated password manager is crucial for online security because it offers features beyond basic browser password storage, including strong encryption, automatic password generation, and secure sharing. These features help users avoid password reuse, improve organization, and alert them to potential breaches, ultimately reducing the risk of identity theft and data breaches.
Your Browser Password Manager Probably Isn’t Secure
While convenient, browser-based password managers often lack robust security features and can expose users to risks. Dedicated password managers offer better protection, especially when they utilize zero-knowledge architecture.
Browser password managers, built into browsers such as Chrome, Firefox, and Edge, provide a convenient way to store and manage passwords. However, they have several inherent limitations that make them less secure than dedicated password managers:
Lack of Zero-Knowledge Architecture:
Most browser password managers don’t operate on a zero-knowledge principle, meaning the browser vendor can potentially access your passwords. Dedicated password managers, on the other hand, often encrypt your data locally before syncing it, ensuring that even the provider cannot decrypt it without your master password.
Vulnerability to Browser Exploits:
Browser extensions, including password manager extensions, can be vulnerable to various types of attacks. Hackers can exploit vulnerabilities in the browser or its extensions to steal stored passwords.
Reliance on Browser Security:
Browser-based password managers rely on the overall security of the browser. If the browser is compromised, so are your passwords.
Limited Functionality:
Browser password managers often lack the advanced features of dedicated password managers, such as advanced password generation, security auditing, and the ability to store other sensitive information (e.g., credit card details, two-factor authentication codes).
“Walled Garden” Approach:
Browser password managers are often tied to the browser ecosystem, making it difficult to switch between different browsers or platforms.
Why Dedicated Password Managers are Recommended:
Dedicated password managers, like 1Password, LastPass, Bitwarden, and Keeper, offer several advantages:
Stronger Security:
They are built with security as a core focus, offering features such as end-to-end encryption, zero-knowledge architectures, and robust password generation capabilities.
Cross-Platform Compatibility:
They work seamlessly across different browsers, operating systems, and devices.
Advanced Features:
They offer a wide range of features, including password strength analysis, secure note storage, and the ability to share passwords with trusted individuals.
Independent of Browser Security:
They are not tied to the security of any particular browser, making them more resilient to browser-based attacks.
In conclusion, while browser password managers offer convenience, dedicated password managers provide superior security and functionality, making them the recommended choice for managing your online passwords.
- Don’t Let Google Manage Your Passwords – Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a terrible idea.
- Why your browser’s password manager isn’t good enough – Standalone password managers work better and extend beyond your browser.
- Browser password managers – flawed security, by design! – This article addresses a severe and pervasive business data risk.
Session One
Choose A Password Manager
Using a password manager is one of the most crucial steps you can take to enhance online security. There are some good ones to choose from: KeePass, Dashlane, 1Password, RoboForm, and Bitwarden. These are all well-vetted and safe to use.
I am now using and suggest Bitwarden. These sessions will focus on Bitwarden.
Creating One Strong, Easy-to-Remember Password for Use as a Master Password
However, to use a password manager, you still need one password to lock and unlock it. This password needs to be unique and follow all the rules for a strong password. It should have no relation to your life, family, anniversaries, hobbies, or travels. In other words, it must not be guessable by someone with knowledge of your life. At the same time, this master password must be easy to remember and type, especially on a phone keyboard.
Here is a simple online tool from Bitwarden. We will use it to generate pseudowords (nonsense words) to create our unique, unguessable master password.
Open the Bitwarden Password Generator
- Set the Username Length to 5 or 6 characters.
- Choose “easy to say” and check the Lowercase box.
- Now, click the circular arrow symbol to generate a word. Keep clicking the circular arrow until you find a pseudoword you can pronounce, and make a note of it.
- Repeat this process until you have 3 or 4 nonce words.
- Combine these non-words using numbers and symbols between them, and add some numbers to the beginning or end.
- How long does it take to crack a Password? See the chart or the Password Strength Testing Tool.
- After creating a new Master Password, print several copies to have one to store in your safe deposit box or fireproof safe, as well as a convenient location for reference while memorizing your new Master Password.
Caution: You do not want to enter the Master Password in any editor that might automatically save it to your hard drive or the cloud (like MS Word, Google Docs, or your email compose window). Windows Notepad (click Start or the Windows key, press “n”, choose Notepad from the list) is safe if you discard changes when closing the app. Alternatively, use the Chrome browser notepad.
- To open the Chrome browser notepad, type or copy and paste data:text/html, <html contenteditable> into your omnibar (address bar). That may seem daunting to remember every time you want to access the notepad, but you can add it to your bookmarks, making it easily accessible.
Tip: You can drag the URL directly from the omnibar to the bookmark bar. I edit the Name to make it shorter, allowing for more items on the bookmark bar.
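The master-password recipe above (3 or 4 lowercase pseudowords of 5 or 6 letters, joined with numbers and symbols, with numbers at the end) can be reproduced offline to see how much guessing resistance it gives. This is an added example, not code from Bitwarden or from this program: the consonant-vowel pattern, the character sets, and all function names are assumptions standing in for the online generator.

```python
import math
import secrets

# Constructed alphabets for this example (not Bitwarden's own character sets).
CONSONANTS = "bdfghjklmnprstvz"   # 16 consonants that are easy to say and type
VOWELS = "aeiou"
SYMBOLS = "!#$%&*-+"              # 8 symbols available on phone keyboards
DIGITS = "0123456789"


def pseudoword(length=5):
    """Return a pronounceable nonsense word: consonant, vowel, consonant, ..."""
    return "".join(
        secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
        for i in range(length)
    )


def word_entropy_bits(length=5):
    """Bits of entropy in one pseudoword drawn uniformly by pseudoword()."""
    n_consonants = (length + 1) // 2
    n_vowels = length // 2
    return (n_consonants * math.log2(len(CONSONANTS))
            + n_vowels * math.log2(len(VOWELS)))


def build_master_password(words=4, length=5):
    """Join pseudowords with a random digit+symbol pair and append two digits."""
    parts = [pseudoword(length)]
    for _ in range(words - 1):
        parts.append(secrets.choice(DIGITS) + secrets.choice(SYMBOLS))
        parts.append(pseudoword(length))
    parts.append(secrets.choice(DIGITS) + secrets.choice(DIGITS))
    return "".join(parts)


def password_entropy_bits(words=4, length=5):
    """Entropy of build_master_password(), assuming the attacker knows the recipe."""
    separator = math.log2(len(DIGITS)) + math.log2(len(SYMBOLS))
    suffix = 2 * math.log2(len(DIGITS))
    return words * word_entropy_bits(length) + (words - 1) * separator + suffix


if __name__ == "__main__":
    for words, length in ((3, 5), (3, 6), (4, 5), (4, 6)):
        print(f"{words} words x {length} letters: "
              f"{password_entropy_bits(words, length):5.1f} bits, "
              f"e.g. {build_master_password(words, length)}")
```

The figures are an upper bound: they hold when the first word generated is accepted, and re-rolling until a word sounds pleasant narrows the set of words actually in use.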
Bitwarden security and multifactor encryption
A strong master password provides the first and most crucial level of protection to safeguard your vault data. Beyond this, Bitwarden adds an extra layer of encryption and protection, known as multifactor encryption, when your vault syncs with the Bitwarden cloud. Learn how multifactor encryption works to reinforce security and protect your vault information.
To create a Bitwarden account, select the Get Started button on the Bitwarden homepage.
On the Create Account screen, fill out all fields (Master Password Hint is optional) and select Submit.
- Make sure you don’t forget your Master Password. Bitwarden’s zero-knowledge model means we can’t see or recover your Master Password.
Verify your email
Once you have created your account, prompt Bitwarden to send you a verification email by logging in to your web vault and selecting the Verify Email button.
Next steps
Now that you have created your account, these help pages will get you up and running.
Unlock with PIN or biometrics.
For fast access to your credentials, set up a PIN or biometrics to unlock your vault.
- Open the Settings tab.
- In the Security section, check the Unlock with PIN checkbox.
- Enter the desired PIN code in the input box. PIN codes can be any combination of characters (a-z, 0-9, $, #, etc.)
Pin the extension
Pinning the browser extension ensures that it remains easily accessible each time you open your browser. The procedure differs based on which browser you are using:
- In Chrome, select the Extensions icon next to the address bar and select the Pin icon next to Bitwarden:
Disable a built-in password manager
Most web browsers will automatically save your passwords by default, but experts generally agree that built-in password managers are more vulnerable than dedicated solutions such as Bitwarden:
- In the Chrome browser, navigate to the Passwords page. On this page, toggle off both the Offer to save passwords option and the Auto Sign-in option:
Import your data
Use one of Bitwarden’s import guides for help transferring your data from an existing vault to Bitwarden.
Import Data To Bitwarden
Data you download from your previous password manager will be imported into Bitwarden. Data is encrypted locally before being sent to the server for storage.
Upload data to your vault:
- Log in to the web vault at https://vault.bitwarden.com
- Select Tools from the top navigation bar.
- Select Import Data from the Tools menu.
- From the format dropdown, choose a file format.
- Select Choose File and add the file to import, or copy/paste the contents of your file into the input box.
- Select Import Data to trigger the import. If you are importing a password-protected JSON file, enter the password into the Confirm Vault Import window that appears.
- After successful import, delete the import source file from your computer. Deleting the file will protect you in the event your computer is compromised. The import file may not be encrypted.
File attachments, sends, trash, and past import files: these items must be manually downloaded from LastPass and uploaded to your Bitwarden vault.
- How to Create a New Web Login with Bitwarden by Password Bits YouTube
- How to Log into accounts with Bitwarden Password Manager by Password Bits
- Bitwarden Password Manager Beginners Guide – By Password Bits YouTube
- Bitwarden Beginners Guide [Updated] – By Password Bits
These are the best complete tutorial videos I’ve found.
- Bitwarden: How I Manage All My Passwords – by Tario Sultan
- The Complete Bitwarden: Setup and How-To For Beginners by PasswordBits
Advanced Topics
- Is BitWarden Paid Membership More Secure and Worth the Money? – By CyberMedics
- Bitwarden Two-Step Login (2FA) – How To Turn On & Use – By Password Bits YouTube
- BitWarden- Organizational Plan Explained! – By CyberMedics YouTube
- How to Secure Bitwarden with 2nd Factor Authentication – By CyberMedics YouTube
- Bitwarden Secured with Yubico Yubikey! – By CyberMedics YouTube
- How to Protect Your BitWarden Vault- Backup & Encrypt! -By CyberMedics YouTube
- * Get Started with the Web Vault – Add a new login item:
- * Get Started with Browser Extensions
- * Get Started with Mobile Apps
- Get Started with Desktop Apps
- Get Started with Organizations (including Family Plan)
- * Your Master Password
Account Protection and Avoiding Lockout
Bitwarden cannot reset user passwords, nor can Bitwarden disable two-step login if it has been enabled on your account.
Warning: Users who lose their Master Password or their two-step login recovery code will need to delete their account and start over.
To mitigate these potential issues, Bitwarden recommends the following for account protection and lockout avoidance.
Master Password – Identify a way for you to retain and be able to recover your Master Password should you forget it. This may include writing it down and placing it in a safe or secure place.
Two-step login recovery code – If you choose to set up a two-step login, be sure to access and retain your recovery code and store that in an equally safe place as your Master Password. Get your Recovery Code:
- Vault Items
- Account Switching the
- Log in with Device
- Sync your Vault
- * Search your Vault
- * Folders – Folders are a great way to make your vault items easy to find.
- * Favorites – Any item can be designated as a Favorite to allow quick access to your most frequently used items.
- * Username & Password Generator – Use the Bitwarden generator tool to create strong passwords and usernames easily.
- Custom Fields
- * Unlock with PIN – After five failed PIN attempts, the app will automatically log out of your account. Unlock with a PIN can be enabled for the Bitwarden browser extension, mobile app, and desktop app:
- * Unlock with Biometrics – Unlock with biometrics is supported for Android (via Google Play or F-Droid) using fingerprint unlock or face unlock, and for iOS using Touch ID and Face ID.
- Bitwarden Authenticator (TOTP) Note: I only use this for low-value accounts.
- * File Attachments Note: File attachments, sends, trash, and password history are not included in an import file. Additional items will need to be manually uploaded to your vault.
- * Vault Timeout Options – Vault timeout determines how long Bitwarden can be inactive before timing out. “Inactivity” is determined by time since interacting with Bitwarden, not system idle time.
- Keyboard Shortcuts
- Vault Health Reports
- General FAQs
- Auto-fill Logins in Browser Extensions – If your browser extension has issues auto-filling usernames and passwords for a particular site, using linked custom fields can force an auto-fill.
- Auto-fill Logins on Android
- Auto-fill Logins on iOS
- Field Guide to Two-Step Login – Authy is our recommended authenticator app because it includes backups for any device. Backups prevent you from losing access to your tokens, even if you lose the device on which Authy is installed. Flip the Authenticator Backups toggle on the Accounts screen of the Authy app to use this feature.
- Two-step Login Methods
- ** Two-step Login via Authenticator. I strongly recommend 2FA with Authenticator
WARNING
Setting up a two-step login can permanently lock you out of your Bitwarden account. A recovery code allows you to access your account if you can no longer use your normal two-step login provider (for example, if you lose your device). Unfortunately, Bitwarden support will not be able to assist you if you lose access to your account. We recommend that you write down or print the recovery code and keep it in a secure location. Get your Recovery Code:
- Two-step Login via Email
- Two-step Login via YubiKey
- Two-step Login via FIDO2 WebAuthn
- ** Lost Secondary Device. Be sure to store the two-step login recovery code safely.
TWO-STEP LOGIN Recovery code
Your Bitwarden two-step login recovery code:
XXXX 0C5H Y2ZJH XXXX 2 4GNP XXXX 2AMJ
- Two-Step Login FAQs
- Encryption
Changing KDF iterations – Bitwarden uses a secure default (100,001 iterations), as mentioned above. However, you can change the iteration count from the Account Settings → Security → Keys menu of the web vault.
Setting your KDF iterations too high could result in poor performance when logging into (and unlocking) Bitwarden on devices with slower CPUs. Therefore, we recommend increasing the value in increments of 50,000 and testing all your devices.
Note: I set my account to 1000101 iterations.
- Account Fingerprint Phrase
- Pin Bitwarden extension in Chrome
- Click the Extension icon > Click the Bitwarden Pin (turn it blue)
- Turn off LastPass Chrome
- Click the Extension icon > Choose Manage Extensions > Turn off LastPass
- In Chrome, turn off the Auto Sign-in
- Click the kebab menu (three-dot menu) > Choose Settings > Click Autofill > Password Manager > Turn off Auto Sign-in.
Sign up for a new account in the Browser Extension
- Create a folder
Folders are a great way to make sure you can always find vault items when you need to use them. To create a folder:
- Select the Settings tab and choose Folders from the settings list.
- Select the Add icon.
- Give your folder a name (for example, Social Media) and select Save.
- Add a login
- To create a new login item:
- Navigate to the Signup Page for the new service.
- Next, open the Bitwarden browser extension.
- Next, navigate to the My Vault tab and select the Add icon.
- Finally, choose which type of item to create (in this case, select Login).
- Enter the essential information for this Login. For now, give the item:
- Replace the prefilled Name with something you’ll quickly recognize (for example, your Twitter account).
- Your Username (this is often your email address).
- In the Password box, select Generate.
- The URI 1 field will automatically have the correct URI (for example, https://twitter.com/login).
- Select a folder from the Folder dropdown. Note: You can only choose previously created folders.
- Nice work! Select Save to continue.
- Test the Login
- After creating a new login, I recommend testing it to ensure it works as expected.
- Open the Bitwarden browser extension.
- In the Search Vault box, type a few letters (“walm” to find Walmart) for the site you want to log into.
- If more than one item shows, choose the desired one and click the Launch icon (first icon on the left)
- If the login page does not open, navigate to it manually.
Tip: To avoid having to manually navigate to the login page whenever you want to open the site, I recommend editing the saved web page (URI) so that it opens the correct page, the one that displays the login boxes. Here are the steps for changing the URI.
- Navigate to the page showing the login boxes.
- Check the address bar; it will display something like (thesite.com/login…), which may be quite long.
- Click the address bar text (it will turn blue, indicating it is selected) and copy it (Ctrl+C; on Mac, Cmd+C).
- Open the Bitwarden browser extension; the site should be listed. Click the View icon (left-most icon).
- Choose Edit at the top right. Replace the address in the URI 1 box with what you just copied from the address bar.
- Select Save to continue. Test again!
- How to Create a New Web Login with Bitwarden by Password Bits YouTube
Website Login
- Open the Bitwarden browser extension.
- In the Search Vault box, type a few letters (walm to find Walmart) for the site you want to log into.
- If more than one item shows, choose the desired one and click the Launch icon (first icon on the left)
- The login page should open; if it does not, navigate to it.
Note: If the site requires manually navigating to the login page, see Test the Login above.
- When the login page is displayed, reopen the Bitwarden browser extension.
- This time, click the site name to autofill the password if it is on a separate page.
- Tip: Auto-fill login with shortcuts (Ctrl + Shift + L; on Mac, Cmd + Shift + L).
- How to Log into accounts with Bitwarden Password Manager by Password Bits
Option Settings (my suggestions)
- Open the Bitwarden browser extension
- Select settings on the bottom row of icons.
- Security
- Vault timeout is 30 minutes or 1 hour.
- Vault timeout action Lock
- Click Unlock with PIN.
Note: If you quit your browser, you will be logged out of both your web vault and browser extension.
Tip – If you are using a browser extension, you can bypass this:
- Uncheck Lock with master password on browser restart.
- Enter a PIN. Your PIN can be any combination of characters (a-z, 0-9, $, #, etc.).
- I highly recommend you implement a Two-step login.
- Other
- Click Options to open the list.
- Clear the Clipboard > 2 or 5 minutes.
- Show card on Tab page > off
- Show identities on the Tab page > on
- Autofill (you decide) I chose > on
- How to Create a New Web Login with Bitwarden by Password Bits YouTube
- How to Log into accounts with Bitwarden Password Manager by Password Bits
- This comprehensive guide, accompanied by videos, will help you understand all Bitwarden functions.
- The Complete Bitwarden: Setup and How-To For Beginners by PasswordBits
- * Get Started with the Web Vault – Add a new login item:
- * Get Started with Browser Extensions
- * Get Started with Mobile Apps
- * Your Master Password
Account Protection and Avoiding Lockout
Bitwarden cannot reset user passwords, nor can Bitwarden disable two-step login if it has been enabled on your account.
Warning: Users who lose their Master Password or their two-step login recovery code will need to delete their account and start over.
To mitigate these potential issues, Bitwarden recommends the following for account protection and lockout avoidance.
Master Password – Identify a way for you to retain and be able to recover your Master Password should you forget it. This may include writing it down and placing it in a safe or secure place.
Two-step login recovery code – If you choose to set up a two-step login, be sure to access and retain your recovery code and store that in an equally safe place as your Master Password. Get your Recovery Code:
- * Search your Vault
- * Folders – Folders are a great way to make your vault items easy to find.
- Must-Have: Favorites – Any item can be designated as a Favorite to allow quick access to your most-used items.
- * Username & Password Generator – Use the Bitwarden generator tool to create strong passwords and usernames easily.
- Forwarded email alias – Use the integrated username generator with your external aliasing service. The mobile app supports integration with SimpleLogin, AnonAddy, and Firefox Relay.
- Must-Have: Unlock with PIN – After five failed PIN attempts, the app will automatically log out of your account. Unlock with a PIN can be enabled for the Bitwarden browser extension, mobile app, and desktop app:
- * Unlock with Biometrics – Unlock with biometrics is supported for Android (Google Play or F-Droid) via fingerprint unlock or face unlock and for iOS via Touch ID and Face ID.
- * File Attachments Note: File attachments, sends, trash, and password history are not included in an import file. Additional items will need to be manually uploaded to your vault.
- * Vault Timeout Options – Vault timeout determines how long Bitwarden can be inactive before timing out. “Inactivity” is determined by time since interacting with Bitwarden, not system idle time.
- Two-step Login Methods
- ** Two-step Login via Authenticator I strongly recommend 2FA with Authenticator
WARNING
Setting up a two-step login can permanently lock you out of your Bitwarden account. A recovery code allows you to access your account if you can no longer use your regular two-step login provider (for example, if you lose your device). Unfortunately, Bitwarden support will not be able to assist you if you lose access to your account. We recommend you write down or print the recovery code and keep it in a safe place. Get your Recovery Code:
- Two-step Login via Email
- Two-step Login via YubiKey
- Two-step Login via FIDO2 WebAuthn
- ** Lost Secondary Device. Be sure to store the two-step login recovery code safely.
TWO-STEP LOGIN Recovery code
Your Bitwarden two-step login recovery code:
XXXX 0C5H Y2ZJH XXXX 2 4GNP XXXX 2AMJ
Advanced Topic Videos
- Is BitWarden Paid Membership More Secure and Worth the Money? – By CyberMedics
- BitWarden- Organizational Plan Explained! – By CyberMedics YouTube
- Bitwarden – Family Sharing – By Tristan Bolton YouTube
- Bitwarden Two-Step Login (2FA) – How To Turn On & Use – By Password Bits YouTube
- How to Secure Bitwarden with 2nd Factor Authentication – By CyberMedics YouTube
- Bitwarden Secured with Yubico Yubikey! – By CyberMedics YouTube
- Everything to Know About Configuring & Purchasing the Yubikey – By CyberMedics YouTube
- Should You Store TOTP Authentication in Bitwarden? – By Lawrence Systems YouTube
- How to Protect Your BitWarden Vault- Backup & Encrypt! -By CyberMedics YouTube
- How to export your LastPass passwords & switch to an alternative – By Jim Martin techadvisor.com
- How to delete your LastPass account – By Tom Pritchard, Tom’s Guide
- Switch from LastPass to Bitwarden – HandsOn Tutorial – By SecureSimpleUK Canada YouTube
- Moving Your Passwords from LastPass – By TWiT Tech Podcast Network YouTube
- Steve’s Next Password Manager After the LastPass Hack – By TWiT Tech Podcast Network YouTube
- Bitwarden Premium Vs Free Account – By Tristan Bolton YouTube
Security
- Should You Store TOTP Authentication in Bitwarden? – By Lawrence Systems YouTube
- The 2023 Bitwarden PKDF2 Changes & Why Your Master Password Entropy Still Matters The Most – By Lawrence Systems YouTube
- Hackproof Financial Accounts- Google Voice Number! – By CyberMedics YouTube
- Hackproof Your Passwords- Simple Double-Blind Method – By CyberMedics YouTube
- Everything to Know About Configuring & Purchasing the Yubikey – By CyberMedics YouTube
- The Winner of Best 2FA Method for Online Account Security? – By CyberMedics YouTube
- How to Protect & Secure Online Accounts- Pick the Right Yubikey! – By CyberMedics YouTube
Password Strength Evaluation
While server-side iteration counts have some value, they are only required for those with weak passwords. The time to crack a weak password compared to a strong one ranges from 9 days to 91 trillion years.
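The trade-off described under "Changing KDF iterations" and in the paragraph above can be measured directly: time one key derivation at each iteration count on your own device, then compare what a higher count buys against what a longer master password buys. This is an added example, not Bitwarden's code; it assumes PBKDF2-HMAC-SHA256 salted with the account email, and the attacker speed, sample password, and function names are constructed for illustration.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed attacker speed in PBKDF2 inner iterations per second
# (an assumption for comparison, not a measurement of any real hardware).
ATTACKER_ITERATIONS_PER_SECOND = 1e10


def derive_key(master_password, email, iterations):
    """PBKDF2-HMAC-SHA256 with the lower-cased email as salt (assumed scheme)."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def unlock_seconds(iterations, runs=3):
    """Best-of-N wall-clock time for one key derivation on this machine."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        derive_key("constructed-sample-password", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def years_to_search(entropy_bits, iterations,
                    rate=ATTACKER_ITERATIONS_PER_SECOND):
    """Years to try every password of the given entropy at the assumed rate."""
    guesses_per_second = rate / iterations
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


def equivalent_bits(old_iterations, new_iterations):
    """Password-entropy bits that a change in iteration count is worth."""
    return math.log2(new_iterations / old_iterations)


if __name__ == "__main__":
    # Start at the default and step up by 50,000, timing each device you use.
    for n in (100_001, 150_001, 200_001, 250_001, 1_000_101):
        print(f"{n:>9,} iterations: {unlock_seconds(n) * 1000:7.1f} ms per unlock")
    print("100,001 -> 1,000,101 is worth "
          f"{equivalent_bits(100_001, 1_000_101):.2f} bits of password entropy")
    for bits in (30, 50, 70, 90):
        print(f"{bits} bits: {years_to_search(bits, 100_001):.3g} years at "
              f"100,001, {years_to_search(bits, 1_000_101):.3g} years at 1,000,101")
```

Raising the count tenfold adds about 3.3 bits of work for an attacker, which is less than a single extra random lowercase letter in the master password contributes.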

