Windows Help & Advice - UK (2020-03)

TYPES
You can store more than just passwords
  • Payment cards, identities and secure notes can all be stored here.


an encrypted file (or vault) that’s locked behind a ‘master
password’ – the only password you’ll have to remember going
forward. This should be lengthy but memorable (to you), and
can be further protected using secondary layers such as
two-factor authentication.
Password managers come in all shapes and sizes, but to be
truly effective they need to be cross-platform, work in any
browser and simplify the act of entering passwords through
autofill and paste features. Plenty of proprietary solutions offer
these, but few are open source, which raises questions about
transparency.
Cross-platform means apps for all major platforms: Linux,
Windows, Mac, Android, Apple and web browsers (Chrome
and Firefox, but preferably more). Your vault is kept synced
between your devices via the cloud. The cloud might mean
storing your vault on one of your cloud services, or relying
on the password manager’s own server. If you’re lucky, you’ll
even get the option of setting up your own self-hosted server.
Using the cloud throws up security considerations of its own,
so the vault needs to use keys that aren’t accessible to your
password manager.
We’ve narrowed our choice of recommended password
managers to two. The first option is the least flexible, but is a
good choice if you’re already using KeePass to store sensitive
information on your PC. That option is KeePassXC
(https://keepassxc.org). It’s optimised for multi-platform use but has no
built-in support for cloud providers (you’ll need to set this up).


One password manager to rule them all
If you’re currently using one of the well-known password
managers like LastPass, then you’ll want something
capable of going toe to toe with it. The open-source
alternative we recommend is Bitwarden (https://bitwarden.com),
which has been our password manager of choice for several
years. It has pretty much all the functionality found in
commercial offerings like LastPass and 1Password, but it’s
open source and all core functionality is free (although we
recommend the $10 (about £7.75) per year Premium tier to
support the project).
Like these proprietary solutions, Bitwarden stores your
passwords on its own cloud servers by default. All data is
encrypted both in transit and at rest, and your all-important
encryption keys remain in your possession, out of
Bitwarden’s reach. You may, however, be put off by the fact
its servers are hosted in the US, while its growing popularity
may see it become an increasingly tempting target for
hackers. But no matter, because Bitwarden has a not-so-hidden
secret: you can run your own Bitwarden server to
keep tight control over your passwords. The full-blown
version offered on the main website is fiddly and more suited
to organisations, but there’s a lightweight alternative that’s
perfect for individuals or small groups – Bitwarden_rs (‘rs’
refers to the fact it was built using Rust, a lightweight and
efficient programming language).

Install the apps
Log out of your web vault and visit https://bitwarden.com to
download the desktop and mobile apps or install the browser
plugins. If you’re primarily using Bitwarden to securely store
online passwords, you can get by with the browser plugins and
mobile apps.
After installing, click the Bitwarden icon in your browser
toolbar or open the mobile app to log in. Those with self-hosted
servers should first click the settings button and enter your
server’s URL (such as https://bw.domain.com – don’t forget the
‘https’ this time) before clicking Save. Click Log In, enter your
username and password and off you go. The step-by-step guide
reveals how to use Bitwarden to manage and generate strong
passwords in your web browser.
The mobile app works in a similar way to the browser add-on
but comes into its own when linked to your mobile OS’s
password auto-fill feature – in Android Oreo (released 2017) or
later, for example, search for Autofill under Settings and tap
Autofill Service. Bitwarden should be in this list, so tap it. In the
future, whenever prompted to enter login details in apps or

You can store more than one login for each website – which is
useful when accessing multiple services on the same server.
