Tools used in this recipe
Despite its importance, cybersecurity is an often-overlooked aspect of running a business. Early-stage startups benefit from 'security through obscurity': because no one knows they exist, they don't experience hacking attempts or other cyber attacks. This can lead to a false sense of security as these companies enter the growth stage and suddenly find themselves targets for ransomware and other threats.
As illustrated in this excellent security checklist developed for CTOs of early-stage companies, implementing a central password manager, along with 2FA and whole-disk encryption for company laptops and computers, is a best practice you should adopt as early as possible. No cybersecurity configuration or tool can make a company completely safe, but implementing a central password manager and using it consistently is one of the cornerstones of an effective cybersecurity practice.
Implementing Centralized Password Management with Bitwarden
For this Recipe we're recommending Bitwarden because it has a free tier that includes two accounts, and many startups have only one or two founders. If you have a larger team, 1Password and LastPass are also excellent options and may actually be cheaper. Functionally all of these products are very similar, so you will be able to follow this Recipe with only minor modifications.
To get started visit the Bitwarden home page and click the Get Started link in the upper right. You'll be asked to create an account. The first two fields are email address and name:
The rest of the form involves selecting a master password. It is CRITICAL that you do not lose this: it is the equivalent of losing the combination to an unbreakable safe. Because it is so important, we also recommend making this password complex and not related to the company name, product name, or any information about the founders.
If you are comfortable generating a cryptographically strong password, feel free to make one up and enter it (the XKCD method shown below works well).
If you are not comfortable generating your own password you can use https://passwordsgenerator.net/ instead. Because this password may need to be typed rather than copied and pasted, set the password length to 24 and check only the following boxes on the site's password generation form:
- Include numbers
- Include uppercase characters
- Exclude similar characters
- Generate on your device
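To make the two options above concrete, here is an added example (not code from this Recipe, Bitwarden, or passwordsgenerator.net) that generates a 24-character password from the same character set the checkboxes select (uppercase, lowercase, digits, look-alike characters removed) and an XKCD-style passphrase, and reports the entropy of each. Both use Python's `secrets` module, i.e. the operating system's CSPRNG, which is what "Generate on your device" means in practice. The word list is a constructed 16-word stand-in; the entropy figures show why a real passphrase needs a list of thousands of words.

```python
import math
import secrets
import string

# Characters that are easy to confuse on a printout (the generator site's
# "Exclude similar characters" option); they are dropped from the alphabet.
SIMILAR = frozenset("il1LoO0")

# Uppercase + lowercase + digits minus look-alikes: 62 - 7 = 55 symbols.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in SIMILAR
)

# Constructed word list for the XKCD-style passphrase. It is deliberately
# tiny (16 words) to keep the example short; a real passphrase must draw
# from a list of several thousand words or its entropy is far too low.
WORDS = (
    "anchor", "bright", "cactus", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
)


def random_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Random password over `alphabet` using the OS CSPRNG (`secrets`)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def xkcd_passphrase(n_words: int = 4, words=WORDS, sep: str = "-") -> str:
    """XKCD-style passphrase: `n_words` words picked uniformly, with replacement."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices among `choices` options."""
    return picks * math.log2(choices)


def is_typable_password(pw: str, length: int = 24) -> bool:
    """Check a password against the form settings above: exact length and
    only characters from the reduced alphabet (so no look-alikes)."""
    return len(pw) == length and all(c in ALPHABET for c in pw)


def strength_report() -> dict:
    """Entropy of each method, so the trade-off between them is visible."""
    return {
        "random_24": round(entropy_bits(len(ALPHABET), 24), 1),
        "xkcd_4_from_16": round(entropy_bits(len(WORDS), 4), 1),
        "xkcd_4_from_7776": round(entropy_bits(7776, 4), 1),
    }


if __name__ == "__main__":
    print(random_password())
    print(xkcd_passphrase())
    print(strength_report())
```

The report shows that 24 characters from a 55-symbol alphabet give roughly 139 bits of entropy, while four words from a 7776-word list (the size of the common diceware lists) give about 52 bits; four words from the 16-word list here give only 16 bits, which is why the word list matters as much as the word count.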
Before continuing with the form, print this password and the email address you used. Put the printout in an envelope and store it in a fireproof safe.
After you submit the form, you'll need to have the password available to log in to Bitwarden.
The Bitwarden Dashboard
Once you have logged in and verified your email, you can get started using Bitwarden. The user dashboard looks like this:
Password managers call the collection of information they store a Vault. On the left you can see the types of items that Bitwarden can store. They are:
- Login. A username/password for a specific site. If you have the Bitwarden browser extension or app installed, when you visit that site you'll be able to automatically fill the credentials from your vault.
- Card. Credit card number, expiration date, and security code. With the browser extension installed you can automatically fill this information into checkout forms online.
- Identity. Name and address combinations. These entries are mostly for convenience, to save you from having to enter common information in web forms.
- Secure Note. These can be used to store cryptographic keys, Federal EINs, or any other information that you need to store safely but also access frequently.
Extending the Lock Period
By default Bitwarden re-locks your vault after 15 minutes of inactivity. This can make it difficult to work with, because having to re-enter your master password frequently is frustrating, and if you follow the best practice of locking your computer whenever you step away from it, you gain little additional security from having the vault lock after this short period of inactivity.
To change this, click the Settings tab at the top of the screen and click Options on the left. Change the Vault Timeout dropdown to On Browser Refresh and click Save.
Creating an Organization
Unless you are absolutely certain that you will never have more than one employee in your company, the first thing you'll want to do is create an organization. In Bitwarden this step is free for up to two people. You'll need to enter your organization name and a billing email (if you have an accountant or someone who manages your finances you can use their email, but if not you can just enter yours). Also check the box to indicate this is a business. If you have more than two people who will need to access the Vault select Teams; otherwise you can stay on the free plan for now.
Once you have created the organization you can start adding items to your vault. Adding them under the organization ensures that everyone in the organization will have access to them.
Installing the Bitwarden extensions
Bitwarden, like all centralized password managers, offers browser extensions for Chrome, Firefox, Microsoft Edge, Safari, and other popular browsers that support extensions. They also have apps for iOS (Apple) and Android. Using these extensions is the best way to get the most value out of Bitwarden so you should install them for every browser or mobile device you use to work on your startup. Unfortunately, tools that can help you automatically install these extensions and enforce their use are very expensive and probably out of reach for your early stage startup. You'll need to work with your staff to make sure they have everything set up correctly.
Configuring Bitwarden in the Chrome web browser
To set up Bitwarden in a Chrome web browser, navigate to the extension's install page and click Add to Chrome. You will see a popup that describes the permissions the extension will need to operate.
While this can look like a lot of access, it's safe to install. The extension needs to integrate with the login forms you visit, and it sends no information from your computer to Bitwarden except the passwords you choose to save.
Once you install the extension, Bitwarden will open a tab with a helpful video that walks you through logging in and using the extension. Feel free to watch it, and when ready click the extension icon in your browser (it looks like a grey shield near the address bar; if you don't see it, click the puzzle piece icon to select it from your extensions).
Clicking the Bitwarden extension will open a panel prompting you to log in. Click Log In, then enter your email address and the master password you entered above.
Once you have logged in the panel will tell you that there are no logins in your Vault. Let's go add one.
Adding a Login to Bitwarden
Since it's used in another Recipe we'll demonstrate capturing a login for PlaceIt (this process works similarly for most Websites). Navigate to their homepage and click Log In. Enter your email and password and click Log In on the modal. After you log in successfully, Bitwarden will display a small banner at the top of the website prompting you to save the credentials.
Click Yes, Save Now to save the password in your vault.
If you look at the Bitwarden extension icon it will now have a badge superimposed on it, indicating that this site has a credential saved in the vault.
Click the icon and your vault should show you the saved credential.
Now let's log out so we can test our saved credential. Find the Log out button (for PlaceIt, click the user icon in the top right, then click Log out). You'll be redirected to the home page. Now click Log in, but instead of entering your email and password click the Bitwarden icon. You'll see an entry for PlaceIt.
Click the entry to automatically fill credentials in the form. Now you can log in without ever having to type (or even memorize!) your password.
Configuring Bitwarden for Mobile Devices
A centralized password manager is only valuable if it can be easily accessed from all of your devices, and business is increasingly conducted on mobile devices. In this section we'll download and configure Bitwarden on an iOS device (the process is similar for Android), and show how to log in to sites using credentials from your Vault.
Start by installing Bitwarden from the App Store. Once it's loaded, tap the icon to open it.
Log in to the app using the credentials you set up earlier in the Recipe. After logging in you'll see your Vault, showing your saved login credential.
Before we start using Bitwarden we need to register it with Apple iOS as a Password Autofill extension. On your device, go to Settings → Passwords → AutoFill Passwords.
Select Bitwarden from the list. If you aren't using any of the other items you can disable them. You will be prompted to re-enter your master password. After you do, Bitwarden will be registered to automatically fill passwords in Safari or any other web browser you have installed.
Having to enter your master password to unlock your vault every time you want to log in to a site can quickly become a pain and discourage you from using the password manager. Bitwarden also supports unlocking your Vault with iOS's Face ID (if your phone has Touch ID you can use that instead). Let's enable that by opening Bitwarden and tapping the Settings menu item at the bottom of the screen.
Tap the entry marked Unlock with Face ID. iOS will perform its Face ID authentication process (you may also need to enter your Bitwarden Vault master password). Once it's complete your screen will show that Unlocking with Face ID is Enabled.
Let's test it out! Open Safari on your device and navigate to https://placeit.net. Tap the user icon in the upper right to access the login menu and tap Log In. Tap in the Email field and instead of the typical keyboard menu you'll see a special menu prompting you to log in with the saved credential from your Bitwarden Vault.
Tap the blue button with your saved email to automatically fill your credentials from Bitwarden. Your device will use Face ID to authenticate you (NOTE: The first time you use this feature you may be prompted to enter your master password, but after that you will only need Face ID). Once that process completes, your credentials will be entered in the form and you can log in as normal, without ever having to copy or even view your password for the site.
Sharing Items With Your Organization
When you save a login to your Vault through the browser plugin as we showed above it saves to your personal Vault. But if you're using Bitwarden to share passwords for your startup, you'll need to take an extra step to do so.
Log back in to Bitwarden and you should see the saved password in your Vault. Click on the Settings (gear) icon next to it and select Move to Organization.
Any organizations you created should be listed in the dropdown. You'll also need to add it to a specific Collection (a grouping mechanism for stored items), but if you aren't using Collections yet the default collection is fine.
Now any user in your organization can access the saved login. In your vault the Login item will have an icon next to it indicating it's in the collection.
Adding Others To Your Bitwarden Organization
You'll get the most value out of Bitwarden if everyone in your startup uses it. Since you created the Organization record in Bitwarden you can send invitations to everyone in your startup to become members and access the saved credentials. To do so, from your Vault navigate to the organization's page and click the Manage tab. Click the Invite button in the upper right.
Enter the email address(es) of the people you want to add to the organization. For co-founders you can set their permissions to be Owner so they can assist with managing the Organization and its members. Staff that should have access to credentials but not the ability to add other users or manage the Vault can be set to User.
Adding Logins by Hand
While it's easier to add Logins to Bitwarden through the plugin as you browse the web, you can also add them directly in the Vault. To add a login to Bitwarden click Add Item on the Organization screen. The modal interface you see has a number of fields to help you capture the information needed.
The Name field is used to identify this entry in Bitwarden; it's not used anywhere else. You can use the name of the website or its URL if you aren't sure what to enter. Bitwarden by default uses the domain, e.g. placeit.net.
The username field will be your email or whatever the website uses to identify you uniquely. The Password field is used to store your password for the site. If you are just setting up an account for the first time, the blue arrow icon above the password field can be used to automatically generate a secure password that you can use. We recommend always using this process where you can instead of trying to create a password by hand.
You can skip the Authenticator Key field since it's not available on a free plan. For the URI 1 field, copy the browser's address bar (such as https://www.example.com) and paste it in. By default this will tell Bitwarden to use these credentials whenever you have a login form anywhere in that domain.
Bitwarden can also handle situations where the same credential is used in multiple domains. A good example of this is how Google credentials can be used on youtube.com. If you have one of those cases, click the New URI link and it will add an additional entry to allow you to link the two domains with the same credential.
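The two paragraphs above describe domain-based matching: a saved login is offered on any page within the same domain, and extra URIs let one credential cover several domains. This added example (not Bitwarden's own code) implements a simplified version of that rule over a constructed sample vault, to show the security property it gives you: the credential is offered on accounts.google.com and m.youtube.com, but not on a look-alike host such as placeit.net.evil.example, because the manager compares the registrable domain rather than the visible text. The simplification is labelled in the code: it takes the last two host labels as the base domain, whereas a real implementation consults the Public Suffix List so that example.co.uk is handled correctly.

```python
from urllib.parse import urlsplit

# Constructed sample vault: the login items discussed in this Recipe, each
# with the URIs it should autofill on (the Google item has two, as above).
VAULT = [
    {"name": "PlaceIt", "uris": ["https://placeit.net"]},
    {"name": "Google", "uris": ["https://accounts.google.com",
                                "https://www.youtube.com"]},
]


def base_domain(uri: str) -> str:
    """Return the base domain of a URI: here, its last two host labels.

    Simplification: real password managers consult the Public Suffix List
    so that e.g. example.co.uk is one registrable domain; this toy version
    would wrongly reduce it to co.uk.
    """
    if "://" not in uri:
        uri = "https://" + uri  # urlsplit needs a scheme to find the host
    host = (urlsplit(uri).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matching_logins(vault, page_url: str) -> list:
    """Names of vault items with a URI whose base domain equals the page's."""
    target = base_domain(page_url)
    if not target:
        return []
    return [
        item["name"]
        for item in vault
        if any(base_domain(u) == target for u in item["uris"])
    ]


if __name__ == "__main__":
    for page in ("https://placeit.net/login",
                 "https://m.youtube.com/",
                 "https://placeit.net.evil.example/login"):
        print(page, "->", matching_logins(VAULT, page))
```

The last case in the usage block is the one that matters for phishing resistance: a page whose host merely contains "placeit.net" gets no credential offered, which is exactly the behaviour you rely on when you let the extension fill passwords instead of typing them.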
Adding Credit Cards And Other Information
Bitwarden can store credit cards securely so that multiple members of your organization can have access to the card info without needing access to the physical card. To add a credit card, click Add Item and change the dropdown at the top of the modal to Card.
The fields available on this form should be familiar to anyone who has used a credit card, but note that the Card field is used to identify the card in Bitwarden (such as 'Corporate Card'), while Cardholder Name should hold the name of the individual printed on the card.
If you are using a web browser with the Bitwarden extension installed, any time you encounter a form that prompts for credit card information you can autofill the data just as you would for logins. Note, however, that on mobile devices this functionality doesn't work; you'll need to open the Bitwarden app and manually copy/paste the information into the browser's mobile form.
To add an Identity, follow the same process of clicking Add Item, but select Identity from the dropdown. This will let you enter name, address, and other sensitive data for an individual. The only real benefit to doing this is for convenience. Using Autofill to add this information to a web form is a big time-saver.
Secure Notes are used for storing any other information that you need to make available to a group but would generally be considered sensitive. Startups building software products can store things like shared secrets and SSH keys here. Other useful items to store here are things like building alarm codes, PINs for bank accounts or debit cards, or your federal EIN.