Kyle Spearrin, Bitwarden: “complex security systems alone cannot safeguard businesses”
The widespread belief that investing in different security systems alone will protect companies from data breaches might be faulty, according to the Chief Technology Officer at Bitwarden, Kyle Spearrin.
While investing in complex cybersecurity is certainly valuable, it may add little on its own if it is not backed by basic measures such as hard-to-guess passwords and multi-factor authentication.
Remembering strong, distinct login credentials for every site and app is, of course, challenging. One solution is a password manager, which works as an additional security layer and lets you store passwords and other sensitive data.
To address the challenges of protecting data for individuals and companies, we had a talk with Kyle Spearrin, the Founder and Chief Technology Officer at Bitwarden, which offers a safe way to store and share sensitive data from any device.
Can you tell us a little bit about what you do?
Having been a user of password managers for many years, I noticed that the current solutions on the market leave room for improvement. I recognized the need for a more comprehensive password management product, including one that could meet the needs of end users and businesses alike. This led me to start Bitwarden back in 2016, which aims to put the product first by delivering immediate value to users. I wanted to improve password management and secure handling of credit cards, notes for individuals and companies, and other sensitive information people use and share across the internet.
The Bitwarden vision is a world where no one gets hacked. This includes passwords and extends to make everyone’s online experiences more secure. Unlike other products of this type, the Bitwarden name does not include the word “password.” This was purposeful and meant to reflect a broader approach that goes beyond login credentials and covers all types of sensitive information.
The Bitwarden model is end-to-end and zero-knowledge encryption. This means that user data and passwords are encrypted the moment they are added to any Bitwarden application client. No one can see passwords or anything stored within the user’s Vault, not even Bitwarden.
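An added illustration of the end-to-end, zero-knowledge model described above (example code written for this page, not Bitwarden's code and not a reproduction of its exact protocol): the client derives an encryption key and a separate login hash from the master password, encrypts the vault item locally, and the server stores only a re-hashed login value plus opaque ciphertext. The account names, the iteration count, the key-splitting scheme and the HMAC-based toy cipher are assumptions of the example; a production client would use an AEAD such as AES-GCM instead of the toy cipher.

```python
import hashlib
import hmac
import secrets

# Constructed model of a zero-knowledge vault: not Bitwarden's code or exact protocol.
KDF_ITERATIONS = 100_000  # illustrative work factor, an assumption of this example


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 32-byte key, salted with the account email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), KDF_ITERATIONS, dklen=32)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: the only secret-derived value ever sent to the server. It is a one-way
    function of the key, so the server can verify a login without learning the password or key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1, dklen=32)


def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Split the master key into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) so the example needs no third-party library."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_item(master_key: bytes, plaintext: bytes) -> dict:
    """Client side: encrypt-then-MAC a vault item. Only the returned blob leaves the device."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ciphertext, "tag": tag}


def decrypt_item(master_key: bytes, blob: dict) -> bytes:
    """Client side: verify the MAC first; a wrong key or tampered ciphertext is rejected."""
    enc_key, mac_key = _subkeys(master_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


class VaultServer:
    """What the service holds per account: a re-hashed auth value and opaque blobs, nothing else."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, email: str, auth_hash: bytes, blob: dict) -> None:
        salt = secrets.token_bytes(16)
        # Hash the client's auth hash again so a database leak does not yield a usable login value.
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, KDF_ITERATIONS, dklen=32)
        self.accounts[email] = {"salt": salt, "auth": stored, "blob": blob}

    def login(self, email: str, auth_hash: bytes) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["salt"], KDF_ITERATIONS, dklen=32)
        return hmac.compare_digest(candidate, acct["auth"])

    def stored_bytes(self, email: str) -> bytes:
        """Everything the server could expose for this account, concatenated."""
        a = self.accounts[email]
        return a["salt"] + a["auth"] + a["blob"]["nonce"] + a["blob"]["ct"] + a["blob"]["tag"]


def demo() -> dict:
    """Enrol, log in, and read back a constructed item; returns the facts worth checking."""
    email, password = "alice@example.com", "correct horse battery staple"  # constructed sample
    secret = b"site=bank.example user=alice pw=Tr0ub4dor&3"  # constructed vault item
    key = derive_master_key(password, email)
    server = VaultServer()
    server.register(email, derive_auth_hash(key, password), encrypt_item(key, secret))
    wrong_key = derive_master_key("wrong password", email)
    return {
        "login_ok": server.login(email, derive_auth_hash(key, password)),
        "login_wrong": server.login(email, derive_auth_hash(wrong_key, "wrong password")),
        "server_sees_plaintext": secret in server.stored_bytes(email),
        "server_sees_password": password.encode("utf-8") in server.stored_bytes(email),
        "roundtrip": decrypt_item(key, server.accounts[email]["blob"]) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: the server can authenticate the user and store the vault, yet never holds the master password, the vault key, or any plaintext, so a compromise of the server alone yields only ciphertext and a salted, stretched hash of the login value.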
What was the vision behind making Bitwarden open source?
Transparency is an important part of the Bitwarden security model. We host our source code publicly on GitHub, and everyone is free to review, audit, and contribute to the codebase. Open source gives us the opportunity to build trust among our users, which otherwise would be hard to do in the security market. Open source keeps Bitwarden accountable and the quality of our code in check. It also enables more technical users the freedom to do things they couldn’t do otherwise.
Of course, open source is just one differentiator. Here’s how Bitwarden stands out among competitors:
- A highly engaged global community, active translations into more than 40 languages, and millions of end users – source code, features, and infrastructure security are vetted and improved by key members of this global community.
- Third-party security audits that are open to the public – we hire experts to rigorously test and examine Bitwarden’s systems and policies with respect to security and data protection.
- Easy for everyday users – the product is easy to use and adopt by everyone.
- A fully featured free version for individuals – it offers unlimited passwords across unlimited devices.
- A highly scalable solution with multiple deployment options, including on-premises, to fit the needs of small and large businesses alike.
Some experts say that we are currently moving towards a passwordless future. Can you tell us more about this development?
Our vision of creating a more secure world includes passwordless authentication. Bitwarden embraces minimizing the use of passwords, ultimately removing them as a potential opportunity for cybercriminals. The approach to passwordless authentication is grounded in the following goals:
- Biometrics – Bitwarden currently offers fast and secure biometric unlocking across multiple clients. Customers enhance both the security and ease of use of their Bitwarden authentication through TouchID, FaceID, Windows Hello, or Android Login with Biometrics.
- SSO for enterprises – enterprise customers can integrate Bitwarden with their single sign-on (SSO) systems and identity provider based on passwords, tokens, or other passwordless entry points.
- Security keys – our customers can set up a two-step login for their Bitwarden Vault with authenticator applications and email. Paid customers can add security keys, Duo Security, Yubico, and FIDO2 solutions.
Have you noticed any new cybersecurity threats arise since the beginning of the COVID-19 pandemic?
Data breaches have been happening at an increasing rate even before the pandemic. Malicious actors were always seeking to exploit vulnerabilities. What the pandemic revealed was our reliance on the internet, so in that sense, yes, it had a profound impact on the security challenges companies face.
Ransomware doubled, and data breaches involving phishing attacks also spiked during the pandemic. With a remote and distributed workforce, companies now have to work much harder to maintain security and business continuity at scale. The rapid adoption of work-from-home tools and cloud applications has put a big strain on security teams.
In your opinion, what are the biggest mistakes organizations make when it comes to data security?
The biggest mistake an organization can make is thinking that complex security systems alone can safeguard businesses, when one of the easiest ways to protect ourselves is to use different passwords across different sites and turn on multi-factor authentication. The largest ransomware attacks of 2021 were related to stolen or compromised passwords: SolarWinds encountered a devastating nation-state attack that compromised up to 18,000 businesses. The password criminals used to get into their network? Solarwinds123, which took hackers mere minutes to crack. A couple of months later, hackers took down the largest fuel pipeline in the U.S. through a single compromised password.
In case of a security breach, what should be the first steps for a business to protect its workload as well as its customers?
There is no one-size-fits-all security response. It should be customized to the organization’s size, strategies, structure, existing tools, and available skills. General recommendations would be:
- Be honest with your customers, especially if the breach compromised their data in any way.
- Determine the cause of the breach – was it through an outside hacker? A negligent employee? Find the source of the problem.
- Review event logs, which give clues for post-incident analysis. Bitwarden, for example, maintains timestamped event logs for 40 different types of events that can be exported for analysis.
- Reset and choose strong and unique passwords for all your accounts and applications. Never use the same password across multiple accounts. Then, make sure multi-factor authentication is turned on across your entire company.
How can one find out if their password has been compromised? Are there any warning signs that can often be overlooked?
If you’re a Bitwarden customer, Vault Health reports help uncover passwords that are compromised, reused, weak, and more. Bitwarden also integrates with a service called “Have I Been Pwned” to identify compromised data (email addresses, passwords, credit cards, date of birth, and more) in known breaches.
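An added example, not code from Bitwarden, that implements the kind of checks described above and also covers the "reset to strong, unique passwords" advice in the breach-response list: a vault health pass over a constructed vault that flags reused and weak passwords, generates strong replacements, and looks up compromised passwords with the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service (only the first five SHA-1 hex characters leave the client; the suffix is matched locally). The vault contents, the range response text and its breach counts are constructed for the example; `fetch_range_live` shows the real endpoint shape but is not called. The entropy estimate is a crude charset-size heuristic and is an assumption of this example, not Bitwarden's scoring.

```python
import hashlib
import math
import secrets
import string
import urllib.request
from collections import defaultdict

# Added example, not Bitwarden's code. Vault and range response are constructed so it runs offline.
CONSTRUCTED_VAULT = [
    {"name": "bank", "password": "password"},
    {"name": "webmail", "password": "Tr0ub4dor&3"},
    {"name": "forum", "password": "Tr0ub4dor&3"},
    {"name": "vpn", "password": "7Bqv#k2Lm9$pXz4wR!eN"},
]

# SHA-1("password") is the well-known 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
# The counts and the second suffix below are constructed, not real API output.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "00000000000000000000000000000000000:2\r\n",
}
WEAK_BITS = 50.0  # threshold for the heuristic below; an assumption of this example


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-hex-char prefix is sent; the 35-char suffix never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for the API, backed by the constructed table above."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """The real range endpoint, shown for reference; not called in this example."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_constructed) -> int:
    """How many times the password appears in known breaches (0 if not listed)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def estimate_entropy_bits(password: str) -> float:
    """Charset-size heuristic: length * log2(pool). It ignores dictionary words and patterns,
    so a low score proves weakness but a high score does not prove strength."""
    pool = 0
    pool += 26 if any(c.islower() for c in password) else 0
    pool += 26 if any(c.isupper() for c in password) else 0
    pool += 10 if any(c.isdigit() for c in password) else 0
    pool += len(string.punctuation) if any(c in string.punctuation for c in password) else 0
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """CSPRNG-based generator guaranteeing at least one character from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def vault_health_report(vault: list[dict], fetch_range=fetch_range_constructed) -> dict:
    """Flag reused, weak and breached passwords across the vault items."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for item in vault:
        by_password[item["password"]].append(item["name"])
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    weak = [item["name"] for item in vault if estimate_entropy_bits(item["password"]) < WEAK_BITS]
    compromised: dict[str, int] = {}
    for pw, names in by_password.items():  # one range query per distinct password
        count = breach_count(pw, fetch_range)
        if count:
            for name in names:
                compromised[name] = count
    return {"reused": reused, "weak": weak, "compromised": compromised}


if __name__ == "__main__":
    print(vault_health_report(CONSTRUCTED_VAULT))
    print("replacement for the bank item:", generate_password())
```

Passing `fetch_range_live` as the `fetch_range` argument turns the same report into a real lookup; the privacy property is unchanged because `breach_count` only ever hands the five-character prefix to whichever fetcher it is given.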
What are some of the security tools you believe everyone should use nowadays?
For individuals, a password manager that generates, stores, and autofills passwords, provides personal online security, and makes your digital life much more convenient and organized. Consider a password manager that also offers the ability to transmit encrypted files and text for when you need to share sensitive information with others.
For companies, this is a little more complex – how enterprises architect their security infrastructure depends on many factors such as size, industry, resources, risk tolerance, and more. Bitwarden recommends starting with the fundamentals of online defense. This includes using a password manager so employees can easily create and store complex passwords for all their work-related accounts.
From there, implementing two-factor authentication across the organization adds another layer of security in the form of another login step, in addition to a password. Companies can then layer in “Single Sign-On” (SSO), which enables employees to securely authenticate to multiple applications and websites with one set of credentials.
Share with us, what’s next for Bitwarden?
Bitwarden is growing and continues the mission to help everyone secure and safely share sensitive information. While our business and user base expands, we still have many more people to help around the world. This includes assisting every individual in adopting password management, which is why we have our fully featured basic free account.
Businesses of all sizes also need to ensure secure credential management that integrates with identity access management and advanced forms of authentication directly to their workforce. From this perspective, the business plans help the world’s leading companies set a secure foundation across their entire organizations. Bitwarden makes password management achievable for employees and admins. Being easy to deploy, simple to use by everyone, and effective in protecting sensitive online information continue to be our goals today and in the future.