In the old days, all we had to memorise was a birthday or two. Now, the internet and all its security ramifications oblige us to grapple with a seemingly infinite list of passwords, in both our professional and our private lives. But, as Michael Crandell, CEO of Bitwarden, tells us, it doesn’t have to be so hard.
Good day, Mr Crandell! Can we start with a few words on what made you want to work in cybersecurity?
My interest in security began with encryption, when I was implementing encryption technology as part of a document storage system. The idea that I could make a document inaccessible to anyone – including the system in which it was stored – and then return it to readable form for verified users, was exciting. I realised then the tremendous potential for achieving security through a multi-layered approach.
Was there something in particular about information security that drew you in?
As former New York Times cybersecurity reporter and author Nicole Perlroth said during the recent Bitwarden Open Source Security Summit, the fight against global cyberattacks isn’t just the responsibility of governments; businesses and individuals all play critical roles. What inspires me is the opportunity every day to help businesses solve their password security challenges, to help individuals stay safe online, and to work with a talented team that is passionate about those same goals.
Launched in 2015, Bitwarden has consistently provided the global community of online users with a way to securely manage their sensitive information and promote overall good credential hygiene. What moved you to finally establish your company?
The founder and CTO of Bitwarden is Kyle Spearrin. He recognised the need for a more comprehensive password management product that could meet the needs of end users and businesses. As an open source solution, Bitwarden views trust and transparency differently from competitors. We host our source code publicly on GitHub, which means anyone is free to audit and contribute to the codebase. Community, accountability, and code quality are key differentiators of the open source approach we take at Bitwarden.
For companies looking to establish a solid cybersecurity posture today, what common problems might they run into and how would you advise them to deal with them?
Our common challenge is also our great opportunity – namely, to empower employees to improve their personal security practices. Improving corporate security starts at the personal level, where employees are not only educated and aware of best practices, but also have the necessary tools to follow similar practices in their personal and home lives. When security tools are complex and difficult to use, adoption is going to be slow for your company. If you educate your employees about password management and multi-factor authentication and give them tools that improve their workflows and daily lives in and outside of work, you’ll see much less resistance. Think of it as helping people do business faster, safely.
In a survey conducted by your company, it was found that 92 percent of IT decision-makers reported reusing passwords across multiple sites. Aside from the tediousness of having to remember multiple passwords, why do you think even industry leaders struggle with implementing a password security scheme?
It’s simple. People hate passwords, but they love their password managers. Until you use a password manager daily, you don’t even realise how much time you have spent unnecessarily trying to keep track of everything. I think people have good intentions; it’s a case of “the spirit is willing, but the flesh is weak.” Once they’ve had the “Aha!” moment of using a password manager, they’re on board.
Unfortunately, not every company provides password managers to all of their employees. So employees revert to do-it-yourself practices, which involve reusing passwords and creating simple passwords.
However, things are changing as companies realise they can have happy and secure employees when they provide them with convenient tools for managing secure credentials.
You’re the CEO of Bitwarden, working in the realm of internet security. Have you ever fallen victim to an online scam?
Thankfully, I have not been scammed, but a few years ago I was notified that LinkedIn had been hacked and my email and password were exposed. My initial concern was not about my LinkedIn account being compromised, but whether this log-in and password that had been exposed were also used for any of my bank accounts. Since I was using a password manager at the time, I had strong and unique passwords set up for every site, and I realised the only thing I had to do to re-secure my account was update my LinkedIn password, and the problem was solved. I know at Bitwarden we provide that same protection for millions of users every day.
In your opinion, what exactly is so bad about passwords?
I wouldn’t claim that passwords are bad. Passwords have been around since ancient times and will continue to be a part of our daily lives both personally and professionally. Passwords are ingrained in all of us; people know how to use them and, as long as they are strong and unique, they do their job.
It’s how we interact with and manage passwords that needs improvement. Businesses and individuals today use hundreds of online accounts and applications that require passwords for access. To deal with this, people tend to use the same password for multiple accounts. When a weak password has been compromised, it compromises all other accounts that use the same password. For businesses, the ramifications of a leaked password are often disastrous. The SolarWinds and Colonial Pipeline incidents are a couple of examples out of many.
Passwords by themselves are not bad. When they are improperly managed – that’s what’s bad.
In what way can Bitwarden help with an organisation’s data protection and cybersecurity? What needs to be done by companies and organisations to avoid data breaches?
Every company is different and security systems should be tailored to the company’s size, structure, existing tools and resources. Cybercriminals can come through various vectors across the organisation. Just like you wouldn’t lock your windows but keep your front door open, companies need a multi-layered approach to security.
The easiest way to mitigate data breaches is to use strong and unique passwords for every account and service. What isn’t so easy is that, for most people, remembering these passwords is impossible. Enter Bitwarden. Most simply, Bitwarden provides a way for people to create, securely store and easily access their passwords anywhere they need them. But that’s just the beginning. For companies that are scaling, they need an easy way to manage secure password storage and sharing across multiple teams and functions.
So, the simplest first step toward cybersecurity and data protection is to start with the one thing every employee uses daily: their passwords. Giving employees a password management tool that simplifies their workflows is mutually beneficial for them and their companies. Employees will want to use Bitwarden, and IT teams will have better password security control.
Can you highlight a few core features of password management systems and their benefits to teams who mainly work remotely?
Password management systems should:
- Offer to store existing passwords in a secure vault automatically when a user is accessing a new website
- Generate strong passwords for new accounts when they are created by the user
- Autofill username and password credentials when the user visits a website already stored in their vault
- Allow users to work across multiple operating systems (Windows, Mac, Linux), mobile devices (Android, Apple iOS), browser extensions (Chrome, Firefox, Brave, Safari, Edge, Vivaldi, Opera), and a web vault.
For remote teams, a few of our top Enterprise features include:
- Organisations. Organisations allow teams to collaborate or share portions of a business vault. When you create an organisation within a vault, you can then associate users and vault items together to share log-ins, notes, cards and identities that are owned by the organisation, which can be a team, business, family or any group that needs to securely share data.
- SSO integration. Bitwarden offers multiple authentication options with zero-knowledge encryption and delivers the right configuration for each company’s SSO requirements.
- Event and audit logs. These provide a record of events, activities and changes that occur across your company’s system operations. It’s an incredibly valuable resource for IT teams, admins and auditors who want to examine potentially suspicious activities on a network, or troubleshoot issues.
- Free Families plan for employees. Bitwarden recently announced that customers on the Enterprise plan can offer their employees a personal Bitwarden Families plan, including five additional accounts for their loved ones.
A comprehensive list of Bitwarden Enterprise features can be found at bitwarden.com.
You’ve also mentioned that despite the common knowledge that using unsafe sharing methods can lead to a cyberattack, people still continue to engage in risky credential practices. How would you encourage them to be more security-conscious?
At Bitwarden, we recommend a simple concept called “the triangle of security success”. It’s three simple steps:
- Start using a password manager. Bitwarden offers a fully featured free version, so anyone should be able to get started with little fuss.
- Secure your email account. It’s more than a digital mailbox in which you receive messages. It’s often the way websites verify who you are by sending a confirmation email, so you’ll want to add some additional security measures, such as two-factor authentication.
- Keep going and implement two-factor authentication everywhere you can, starting with your password manager and email system. This adds another layer of security in the form of an additional log-in step, over and above your password.
On that same note, why do you think password security is such a polarising topic within the crypto community in particular?
Actually, it appears to us that there is a lot of communal rallying around increased attention to credentials within the crypto community. Most people recognise that it is nearly impossible to keep track of cryptocurrency credentials without the help of a password manager. And with cryptocurrency and web3 trends putting more responsibility and emphasis on decentralisation and end-user control, password security practices become even more important. There are always a few open debates as to whether you should store your seed phrases in a password manager, but that is really up to individuals and their unique security profiles. Overall, we see the push to cryptocurrency and the emphasis on end-user credential management as just another reason folks need a password manager.
How would you advise companies to promote a stronger security culture?
Build consistency. Education and awareness are key, but it’s not enough to offer one employee training session and think the lesson will sink in. Security is a process – we have to learn good security habits over time, just like we learn healthy habits over time, such as going to the gym or eating healthily. It doesn’t happen overnight. The threat landscape is always changing, and how you build a security-conscious culture will need to keep pace.
Establish open dialogue. In addition to regular security awareness training, make it OK for employees to ask questions or report security incidents. Sometimes, people are embarrassed if they accidentally clicked on a phishing email or downloaded a malicious link. Sometimes, they’re worried about repercussions. Sometimes, they simply don’t know. Give them a safe and open forum – we’re all in this together – and tell people: “If you see something, say something.”
Bestow responsibility on all. Online security isn’t merely IT’s job. Cybercriminals exploit human weaknesses and most attacks are said to rely in some part on human involvement. Giving your employees security tools is good, but giving them accessible tools that boost security without slowing down productivity – such as a password manager – is even better.
When do you think we’ll see a ‘password-less future’ and how much of a challenge will it be adapting to that future?
Unlike other password managers, the Bitwarden name intentionally does not include the word password in order to reflect the broader vision of creating more secure online experiences for everyone. Bitwarden currently integrates passwordless approaches, including biometrics, security keys, and single sign-on.
The passwordless future is here today. But the pace at which individuals and businesses adopt new forms of authentication will continue to evolve over time. Bitwarden enterprise customers deploy passwordless technologies in phases, based on various factors such as size, departmental needs, IT resources, employee personas, and more. These factors shape how quickly customers can transition into other forms of authentication. Many of our customers start the passwordless journey by integrating applications with single sign-on systems and identity providers, based on tokens or other passwordless entry points.
As Wired’s “best choice” password manager, how can Bitwarden secure the “virtual front door” for good?
Many data breaches start through the same attack vector: account compromise through weak passwords. This is true even for large enterprises with advanced security controls in place, simply because we’re human. We’re all susceptible to clicking on phishing links in emails, downloading malicious attachments, or unintentionally visiting malicious websites.
Bitwarden helps enterprises on several levels:
- For IT admins and anyone in charge of cybersecurity, Bitwarden provides them with granular access control and user management to configure and optimise overall security.
- For employees and end users, Bitwarden offers an easy way for them to generate, store and secure complex passwords. This can go a long way toward ensuring that all work-related accounts and services have strong passwords.
- For executive and leadership teams, Bitwarden takes you one step closer to building a security-conscious culture across your entire company, where everyone embraces the role they play in cybersecurity. When you give employees accessible security tools that make their lives easier, it’s that much easier to ingrain a sense of accountability and ownership.
Michael Crandell is the chief executive officer at Bitwarden. Before Bitwarden, Michael was the CEO and co-founder of RightScale, where he led the cloud management platform during the first decade of cloud computing. Michael received his bachelor’s degree from Stanford University and completed graduate studies at Harvard University. He began his career as a software engineer, self-taught, coding in assembly language.