Digital security remains a core concern for businesses, as the scary headlines continue to shriek of stolen and encrypted data, phishing, breaches, and intrusions. One company in the vanguard of defensive solutions against these menaces is Bitwarden, with its flagship password manager. Here, CEO Michael Crandell discusses this and other leading-edge initiatives from the company.
- Passwords alone are not enough to secure our digital lives. Passwordless authentication methods like biometrics and hardware tokens are becoming more popular.
- To improve cybersecurity, organizations need to adopt a zero-trust approach, where access is granted only after verifying user identity and ensuring device security.
- Password managers can help users create and manage strong passwords, and are an essential tool for protecting online accounts from cyber threats.
It’s great having you around again, Mr Crandell! In our last interview, you mentioned that a common challenge for teams and enterprises is also a great opportunity – to empower employees to improve their personal security practices. What has Bitwarden done in 2023 to achieve this?
It’s wonderful to speak with you again as well. We’ve focused on two areas: ubiquity and convenience.
- Ubiquity: Digital security, for most of us, spans both our professional and personal lives. We’ve addressed this for a long time at Bitwarden by providing everything from a fully featured free version of our password manager for individuals up through an enterprise version for large organisations that includes, as a perk, a free family plan for every employee. We also keep adding to the platform support we offer – most recently adding an Apple Watch app that’s super handy. Our users need to be able to access Bitwarden regardless of the OS or device they’re using.
- Convenience: We were one of the first to offer integration with enterprise SSO systems, and we continue to innovate in the area by adding biometric capabilities into Bitwarden, as well as a variety of password-less options. Just recently, we announced that we acquired Passwordless.dev, which allows developers to incorporate the latest password-less authentication technology – called FIDO2 and WebAuthn – into their applications in minutes.
What are the company’s chief aims and missions this year?
Our mission is to empower individuals, teams, and organisations to safely manage their sensitive information online. This year, we’ll continue to innovate as a leader in the password management space and will expand our product offerings to include the password-less technology I just mentioned plus our Secrets Manager product – designed to help developers manage all the secrets that are used day to day in their coding, with the same level of protection we offer for password management.
Bitwarden is one of the biggest password managers in the world. I’m sure that makes you a target for hackers. How do you balance the security you need in order to keep businesses safe, while also making it easy for people to use?
Our first step from day one was to make Bitwarden open source. In our view, there is no more secure way to develop software than to allow the full security community to review and improve your work. We have contributors from all over the world, including security researchers, constantly reviewing our code, as well as regular audits, penetration tests, and compliance efforts run by third-party security professionals. All of this is documented in our security white paper (https://bitwarden.com/help/bitwarden-security-white-paper).
People should not be worried about using Bitwarden; they should be worried about not using Bitwarden.
When people think about storing their passwords inside of a browser add-on, they might have reservations through fear of the browser or computer getting hacked. Is this a misconception? How is Bitwarden safer than other options out there?
Well, for starters, everyone should always be aware of the fact that we are all targets of a variety of malicious attacks, from phishing and smishing to social engineering to malware and viruses. We all see the reports on the ever-increasing rate of breaches and intrusions. But one of the best ways to protect yourself is by using a password manager to create and store strong, unique passwords for each website you use, and to turn on 2FA wherever you can. That, along with a healthy sense of awareness and vigilance, is the first and most important level of protection available.
Verizon’s 2022 Data Breach Investigations Report attributed 82 per cent of breaches to leveraged credentials. How can you encourage companies to prioritise password security as one of their main cybersecurity initiatives?
I think you just did with that statistic! Actually, we’ve seen very strong growth since our founding, based on the growing awareness of the risk of not using a password manager. So it’s a pretty well-known solution for a well-known risk.
One area we’ve invested in is helping companies with employee training and rollout assistance. Basically, we make it easier for IT teams to integrate Bitwarden with their existing systems, like SSO and employee directories, and then provide self-service training and education materials to help people get up to speed fast.
With billions of stolen passwords on the dark web, companies need to be mindful of the risks. How can you figure out what’s behind these dangers? What mistakes do organisations make when it comes to IT security?
To your first point, we have a handy report in Bitwarden that will compare your list of usernames and passwords in a secure way with what’s on the dark web and flag any credentials you’re currently using that have already been breached, so you can update them.
Hackers are very sophisticated and well funded, so the biggest mistake people make is underestimating the risk or falling victim to inertia in mitigating it. The cost of a password manager for all your employees is a tiny fraction of the average cost of a breach in ransomware – not to mention the damage to your brand. Plus, when you can offer the perk of protecting your employees at home with the same investment, it’s hard to argue why companies should not do it!
Bitwarden was recently awarded a Gold Medal in the 2022 Password Management Data Quadrant Report and was a recipient of the CNET Editors’ Choice Awards: The Best Products and Services for 2023. What do you attribute this success to?
By being an open source product, we have always naturally put our community and our customers first. That is deeply ingrained in our DNA at Bitwarden, and impacts how we do our work and what we’re trying to contribute to make a difference in the world.
You also recently acquired Passwordless.dev, an API that uses cutting-edge FIDO2 WebAuthn standards. What can we expect out of this partnership?
For starters, Passwordless.dev is available now for anyone to try out. We will continue to add functionality that enables developers to incorporate password-less authentication into their apps and websites in minutes, to enable users to wield it more easily, and to also enable IT teams to better monitor and track the usage of password-less technology. Over time, we will continue to incorporate password-less technology into everything we do.
The company operates on the belief that protecting organisations’ data requires human behavioural change through a strong security culture. What steps are you taking to make sure your systems are robust enough to deal with this level of server load in the future?
Our founder Kyle Spearrin was a cloud systems architect when he started Bitwarden, so he’s built scalability and resiliency into the system from the start. We are well prepared for orders of magnitude more load than what we see today.
History is littered with supposedly unbreakable products that were eventually hacked; the Enigma machine during the Second World War is a classic example. If that happens to Bitwarden, what will your response be as CEO?
The ultimate answer here is that we have architected Bitwarden so that even if a bad actor were to gain access to our systems, it’s impossible for them to get user data. This is called zero-knowledge architecture, which we implement using end-to-end encryption. User login credentials – like usernames, passwords, the URLs that they visit – are all encrypted locally on user devices. We simply don’t have access to them. And then we add additional layers of encryption on the system side to the already-encrypted vaults, which we call multi-factor encryption.
Why do you think companies are now recognising the importance of password management for their employees?
As we continue to see breaches occur, we further see that a frequent cause is weak or reused passwords. Over the last decade or so, companies focused on SaaS apps, and login use proliferated. While some companies can implement single sign-on, many small companies do not have it yet. And even when companies do have SSO, it rarely provides 100 per cent coverage.
So companies realise that they need to empower employees from the start with the ability to create and manage strong and unique passwords. It has become an imperative for corporate safety.
How do you see companies deploying password management and what are some of the best practices?
We see a range of deployment options, but the ones that have the most impact are those where companies empower every employee to stay secure. This guarantees that the full value of Bitwarden, and the use of password management, permeates throughout the organisation.
We see some companies start with an executive rollout, since those individuals can be high-value targets. Others begin with knowledge workers who have a range of devices. Departmental rollouts are popular, as well as focusing on front-line service or operational technicians to enable field productivity and security.
By far, we see the most important attributes of a rollout being the buy-in from employees and management to make security a priority. With so many Bitwarden users already benefiting from password management individually, bringing these options to work is often seen as a huge benefit.
What is your favourite way to use Bitwarden?
Oh, I have a few! First, I love using FaceID on my mobile device. It makes logging in and unlocking my vault a breeze.
I also like using the Bitwarden Send feature, which allows me to transmit a file or text with end-to-end encryption to anyone, regardless of whether they are a Bitwarden user.
At work, I like how we have implemented Bitwarden Groups and collections to segment system access. We use a least-privilege access mechanism at Bitwarden, and implementing this with our password manager gives us solid security and controls.
What is your vision for Bitwarden in the long term?
At Bitwarden, we imagine a world where no one gets hacked. That’s a pretty big vision, and one that will keep us busy for a long time.
And lastly, how would you define success?
We receive customer emails all the time thanking us for our products and the security and convenience they provide. Each and every time we help someone breathe easier because their sensitive information is kept safe, that’s success for me.
Michael Crandell is the chief executive officer at Bitwarden. Before Bitwarden, Michael was the CEO and co-founder of RightScale, where he led the cloud management platform during the first decade of cloud computing. Michael received his bachelor’s degree from Stanford University and completed graduate studies at Harvard University. He began his career as a software engineer, self-taught, coding in assembly language.