From Panic to Peace of Mind: Choose Bitwarden to protect against online threats
They almost set the hook.
Sitting down to write this post, thinking about composing my thoughts into an organized, cohesive story, I checked the inbox and found a note which looked much like this:
It goes on, and includes a demand for about $2,000 to be sent to a Bitcoin wallet address. Oh, and the sender promises everything will end well provided I pay.
Although I admit my heart leapt into my throat, I didn’t pay.
Why? Because:
- an online search of “Cobalt Strike Email Scam” turned up several posts with letters which looked exactly like the one I got
- two-factor authentication is set up on my email account, so this kind of thing can’t happen; and,
- I’ve used the open-source Bitwarden password manager, with end-to-end, on-device, industry-leading encryption, for years and trust it to keep my private information safe.
I think you should use Bitwarden, too. Its free basic plan is fully featured. It provides emergency access so that, should catastrophe strike, a trusted contact can get to your secure information. Plus it is open source, has been independently audited, and has never been breached.
Why a password manager?
Because you could receive an email exactly like the one I got. If you don’t protect your online data, if you take no steps to keep banking and medical and other personal details private, you may be tempted to pay.
Too many don’t use a password manager. As I noted in an earlier post, “two-thirds of us refuse to use a simple piece of technology designed to foil [hackers] and keep our bank accounts and personal information safe.”
I hope pointing out how important this is will persuade you to start using a password manager. If it has, but you don’t want to go through the setup yourself, let me know. We’ll schedule time to connect, talk through your options, select one, then get it set up. I’ll even check back with you afterward to answer questions and make sure you’ve worked the tool into your online life.
Which password manager?
In an earlier post, I ran down the pros and cons of Google Password Manager. It’s okay, but there are some glaring gaps which led me not to recommend it. From needing to enable on-device encryption yourself to a limited feature set, you can do much better.
I also mentioned that Apple Keychain isn’t an option for many because it can’t be used day to day outside Apple’s own devices. If you only use Apple devices, maybe it’s a viable option, but there are better choices.
Three top options in a two-way race
In a 2024 online survey, Security.org found that, after Google Password Manager and Apple Keychain, the password managers most used by American adults were LastPass, Bitwarden, and 1Password.
I’ve used all three, and am a committed Bitwarden user today. You should be too.
LastPass has suffered major security incidents in the last several years, which is reflected in how its user base plummeted from 2021 to 2022 in the chart above. Attackers breached it multiple times, and the ripples from those events continue today.
Despite that, some of its users remain committed to it. Switching costs can be a real deterrent, and maybe that’s enough to keep you in the fold. For me, though, LastPass is a hard pass.
Feature set comparison
In an attempt to simplify the choice, here’s a comparison of some of the key features of the tools you may consider:
Feature | Bitwarden | 1Password | Google Password Manager |
---|---|---|---|
Cost | Free | Paid | Free |
Open Source | Yes | No | No |
Multiple Operating Systems | Yes | Yes | Yes |
Secure Password Sharing | Yes, with anyone | Yes, with anyone | Yes, but only with Family Group |
Organization Tools (folders) | Yes | Yes | No |
Autofill in Advanced Scenarios | Yes | Yes | Yes. Requires set up on Apple devices |
Secure File Storage | Yes, text only for free users | Yes | No |
Emergency Access | Yes, automated | Yes, manual | No |
Family Plans | Yes, paid feature | Yes | Yes |
Password History | Yes | No | No |
Password Recovery | Yes | No | No |
Security Audits, Insights | Yes | Yes | Yes |
Advanced Authentication | Yes | Yes | No |
Two-factor Authentication | Yes | Yes | No |
On-device Encryption | Yes | Yes | Not on by default, available |
1Password: good, and you can do better
1Password offers an impressive array of features and functionality. Here’s how it stacks up in several key areas:
- Price: All plans are paid, although you get full access to the basic paid version for 14 days. Personal plans start at $2.99 per month.
- Open Source: No.
- Secure Password Sharing: Passwords can be shared with anyone, even if they don’t have a 1Password account, and shares can be time limited.
- Organization Folders: 1Password calls its folders “vaults” and allows you to organize and categorize stored items multiple ways. You can create multiple vaults to manage different types of information, such as personal and work-related passwords. Vaults can be shared with specific individuals or groups.
- Secure File Storage: Users can securely store documents and other sensitive files alongside their passwords and login credentials.
- Emergency Access: 1Password provides an Emergency Kit, a printable document with your account details that you keep somewhere physically safe. There is no built-in way to grant a trusted contact digital access to your vault.
- Family Plans: 1Password offers family plans that support up to five users and allow for shared vaults.
- Password History: Not available.
- Password Recovery: 1Password does not store the user’s master password and does not provide a way to recover the master password. If a user forgets their master password, they will not be able to access their account. Account recovery, available for Family plans and above, relies on a user securely storing an Emergency Kit.
- Security Audits and Insights: 1Password has several features that relate to security audits and insights: it undergoes independent audits and runs a bug bounty program.
- Advanced Authentication: 1Password supports advanced authentication methods. Biometric authentication lets a user unlock the app with a fingerprint or facial recognition, and the app can hold two-factor authentication (2FA) codes for the sites you log in to.
- Two-Factor Authentication (2FA): As mentioned above, 1Password supports two-factor authentication. It can act as an authenticator for sites that support two-factor authentication, and the codes can be synced across devices.
- On-Device Encryption: 1Password uses a zero-knowledge architecture, which means data is encrypted and decrypted only on the user’s device, using 256-bit AES encryption. (See the explainer at the end of this post.)
1Password is a solid choice. It has never been breached, and provides a robust feature set, but I think Bitwarden leads the pack.
Bitwarden: my choice
Bitwarden stands out for a few key reasons, including its robust free plan, its open-source code, and how it handles emergency access.
- Price: Basic, full-featured plan is free. A premium plan for $10 per year is required to use emergency access.
- Open Source: Yes.
- Secure Password Sharing: Bitwarden allows you to share a login with anyone whether they have a Bitwarden account or not.
- Organization Folders: Bitwarden offers folders for your own vault and “collections” for items shared through an organization, so you can organize and categorize stored items multiple ways, such as separating personal and work-related passwords. Collections can be shared with specific individuals or groups.
- Secure File Storage: Free users can securely store text, while paid users can store multiple filetypes.
- Emergency Access: Bitwarden’s Emergency Access allows a trusted contact to request access to a user’s vault in the event of an emergency. It is only available for Bitwarden Premium users, but the trusted contact need not be a paid user.
- Family Plans: Bitwarden offers family plans that support up to six users and allow for unlimited collections.
- Password History: Bitwarden allows a user to see up to the last five passwords used for any saved login item.
- Password Recovery: Bitwarden does not store your master password either, but it gives you more ways out of a lockout: a master password hint that can be emailed to you, and emergency access, which lets a trusted contact recover the vault.
- Security Audits and Insights: Bitwarden undergoes regular security audits by third-parties. The vault health reports feature allows premium users to monitor the security of their stored data.
- Advanced Authentication: Bitwarden Premium includes advanced two-factor authentication options. It also supports biometric authentication – fingerprint or face recognition – to unlock vaults.
- Two-Factor Authentication (2FA): Bitwarden offers 2FA for all users using authenticator apps or email verification codes. Premium users have access to additional options.
- On-Device Encryption: Bitwarden encrypts all data with 256-bit AES encryption on the user’s device before it’s transmitted or stored.
From my perspective, Bitwarden leads the pack.
It’s an excellent entry-level password manager with a full feature set available for free. The way it handles emergency access offers peace of mind in case of a calamity. And password history and its approach to recovery make sense.
Bitwarden can meet the needs of almost every user including somebody who has never used a password manager and a seasoned cyber security professional.
What will you decide?
Which manager will you choose? Have you heard enough to consider switching to Bitwarden, or are you content with what you have?
As I said before, you don’t have to go through this alone. Reach out now and let me know how I can help. We can talk through your options, select the right password manager for you, then set it up. I’ll check back with you later to answer questions and make sure you stay on the right track.
The last thing I want is for you to pay an extortion demand like the one I received. Work with me to safeguard your data now.
What is 256-bit AES encryption?
I asked ChatGPT to explain 256-bit AES encryption to me as if I was a sixth grader. It produced this story:
“AES 256-bit encryption is like locking your treasure (data) in a chest with an incredibly secure key that’s so long and complex it’s practically impossible to guess. The algorithm scrambles your data into a jumbled mess that looks like gibberish, and only someone with the secret key can turn it back into the original message. With 256 bits, the number of possible keys is so enormous it would take millions of years for even the fastest computers to crack. This makes AES one of the safest ways to protect sensitive information, like passwords and online communications.”
Both 1Password and Bitwarden use the same 256-bit AES encryption method.