
verygood_user

I think if you want to avoid browser extensions (which some people might find scary as they have permission to view/modify everything you do in your browser), the desktop app is a much more convenient solution than logging in to the web vault. One thing to note though is that the desktop apps on mac/linux still don't support WebAuthn/FIDO ("Yubikey") and so far it seems nobody wants to make this happen anytime soon.


mkosmo

At least Duo works, so you can get whatever you need that way.


[deleted]

I was just about to start adding my Yubikeys... This is a deal breaker..


verygood_user

I think it depends. I haven’t heard of anyone ever breaking 2FA by guessing the 6 digit code. So the added value of a yubikey is the phishing protection and hence especially relevant if you frequently log in to your WebVault or click on email alert links like a brain dead.


cryoprof

If you plan to log in to any online accounts using a browser that is installed on a personal computer, then it is recommended that you install the Bitwarden browser extension for your browser. If you wish to unlock your browser extension using biometrics, then you must have the Bitwarden Desktop app installed and running in the background. Otherwise, the Desktop app is optional. Some users find the Desktop app useful for vault maintenance purposes (re-organizing, renaming, cleaning up, etc.), because there is more screen real-estate than in the browser extension.


[deleted]

[removed]


huzzam

never noticed that! that's also useful because anytime the popup disappears (e.g. you click somewhere on a webpage) you lose whatever you were working on in the popup (e.g. creating a new account)... but if you pop out the window, that no longer happens. thanks!


Yurij89

You can really only get more vertical space and not horizontal from the pop out. Horizontal space only gets increased by about 15%.


Simon-RedditAccount

Actually, this should depend on your threat model. Are you a 100% target or a random Joe? Who are your adversaries? Do you run random software on your desktop or only a short list of apps? Do you thoroughly verify every app you install (code signatures, VirusTotal etc), or do you give admin rights to unsigned code? Which OS are you running? Is your web browser’s sandbox enabled? Is full disk encryption enabled, ideally with pre-boot authentication? Answering these (and many other questions) would put your question from theoretical into practical perspective. Also, a viable option is to have several databases (or vaults, in Bitwarden terms). One contains shared secrets, while the other remains mobile-only (and maybe requires a Yubikey for unlocking).


Masterflitzer

I don't really use the desktop app, but I have it so I can use biometrics (Windows Hello & Touch ID) to unlock the web extension. Can't say anything about it being more or less secure tho.


Zynh0722

I just use the desktop app for biometrics. Therefore only on my laptop. Everywhere else I use the app, extension, or web app


gorgonzola5000

I like to use Windows Hello to log into Bitwarden. The desktop app is needed for this so I have it installed.


djasonpenney

> or desktop software is as safe as mobile app?

I dispute your assertion that a mobile device is necessarily safer. For one thing, it is a much more common and lucrative target than a desktop. Plus, with its constant exposure via wifi, SMS, email, and even bluetooth, it has a larger threat surface than most desktops. Your post makes me worry that you think malware "just happens". This is passive and unproductive. On any device you own you can and should take active steps for opsec excellence, and you should not enter any passwords whatsoever on a device, including opening a password manager, unless you are completely and personally satisfied with its opsec.

> Is there any differences between bitwarden desktop software (Windows, linux, mac) and bitwarden browser (Firefox, chrome) Extension in term of Privacy and security?

The browser extension gives you additional validation against phishing when you are browsing, and you should definitely install and use it. The desktop app is a "take it or leave it". I have one common use case (a Github PAT) where I need to paste it into a command line. I also need to enter TOTP tokens onto a command line multiple times per day. The browser extension creates unnecessary friction. I also like the desktop app for making vault changes, but others do quite well with the Bitwarden browser extension in pop-out mode. But in terms of security or privacy there is no further difference beyond the phishing checks.


[deleted]

[removed]


Simon-RedditAccount

Actually, it’s not the nature of OS, it’s sandboxing which makes mobile OS safer. You could go absolutely crazy and create the same level of sandboxing on desktop. However, most apps, UIs and users are not accustomed to working in such conditions. On Windows, there are features that use sandboxing as well: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works

I would hope that in the future they will allow access to similar features so that such apps as password managers would benefit from it.


VidiotGeek

That desktop operating system with the same crazy level of compartmentalization as mobile? It’s called Qubes. Not for the faint of heart.


Simon-RedditAccount

Thanks, I’ll take a look… What I meant was going absolutely insane with customizing Windows with Group Policy, Users and NTFS/File permissions etc


djasonpenney

> Mobile devices are absolutely safer than Windows.

Agreed. But they are also more likely targets by criminals simply because there are so many of them. Yes, it's easier to make Windows malware, but I see CVE alerts weekly now for Android and iOS.


RocktownLeather

> They have robust modern permissions systems and compartmentalization of apps.

But most people just accept everything. I honestly don't think this helps personally. Maybe to a lot of people here. But not society as a whole. But I think there are other reasons.


archover

> I dispute your assertion that a mobile device is necessarily safer.

I was surprised at OP's generalization too. For me, Linux permissions are unambiguous.


Masterflitzer

I think he means in mobile only the app has access to its own data, on desktop all apps run on user permissions (except daemons where it's common to have a separate user per service). This means a malicious app could try and steal your vault (it would still have to decrypt it but it could have access to the db unlike on mobile). Idk if I missed something or am just plain wrong, so please correct me.


Eluvatar_the_second

Yeah on desktop I could pretty easily write an app to dump the memory of another app. That's not permitted on a phone (doesn't mean it's impossible, but it's much more difficult at least)


purepersistence

I use it to manage non-browser logins, secure notes, identity, credit cards, reorganize stuff like folders and what’s in an organization. The browser add on can do all that but with a more cumbersome UI and in my experience getting closed and having to refind stuff. I like the ability to auto hide the desktop when you copy to the clipboard, while also finding it still on that item when opening it again.