February 18, 2021

Password manager comparison: LastPass vs. Bitwarden

The March 16, 2021 severe change to LastPass Free (see here) shakes up the password manager choices a bit.

Both LastPass and Bitwarden have multiple tiers, and, of course, the functionality doesn't exactly line up between the similarly-named tiers.  The table below should help you decide which tier of which password manager meets your needs.   I haven't shown LastPass Free because the new limitation makes the Free tier essentially unusable for the vast majority of users.

Unless you badly want a free service and think you'll stay there a long time, I suggest looking only at the Premium and Family(ies) tiers.  The main deciding factor between the two Premium tiers is probably the differences in the sharing features.


Feature/Area            | LastPass Premium | LastPass Families | Bitwarden Free | Bitwarden Premium | Bitwarden Family
------------------------|------------------|-------------------|----------------|-------------------|-----------------
Cost                    | USD $36 | USD $48 | $0 | USD $10 | USD $40
Ease of use             | Good | Good | Not as good | Not as good | Not as good
File attachments        | 1 GB | 1 GB | 0 GB | 1 GB | 1 GB
Sharing                 | Individual items: unlimited sharing with any number of users; Folders: 1, with any number of users | Individual items: unlimited sharing with any number of users; Folders: 1, with any number of users; unlimited within family | Folders: 1, with only 1 other user | Folders: 1, with only 1 other user | Folders: unlimited within family
Vault security check-up | Yes | Yes | No | Yes | Yes
2FA for itself          | Yes | Yes | Yes | Yes | Yes
Authenticator feature   | Yes | Yes | No | No | Yes
Emergency Access        | Yes | Yes | No | Yes | Yes
Account recovery        | Powerful (e.g., locally-stored OTPs) | Powerful (e.g., locally-stored OTPs) | Weaker | Weaker | Weaker

Replacement for LastPass Free password manager

Starting March 16, LastPass's Free plan password manager will be essentially unusable; see here for more details.  Only users that don't have a computer (i.e., have only phones and/or tablets) will find this new limitation of LastPass Free acceptable; everyone else will need to move to something else.

I have recommended LastPass Free for years but that's not going to work now.  If you're looking for a free replacement for LastPass Free, and you care about security and privacy, Bitwarden Free looks like the best bet.  If you search you'll find a huge number of glowing reviews on the web.  It's not too hard to export your vault from LastPass and import it to Bitwarden.

However, if you're happy with LastPass, consider staying with it and upgrading to LastPass Premium, for USD $36 a year.  In addition to more powerful sharing, 1 GB of file storage (instead of 50 MB), more 2FA options, and tech support, you'll get the feature that I recommend everyone make use of: Emergency Access.

Bitwarden Premium, USD $10/year, also has an Emergency Access feature.

It doesn't matter which you use -- LastPass or Bitwarden or something else -- but it's essential that you use a password manager, and use it properly.  See my blog post on this


February 15, 2021

Winter hiking equipment

If you're going to be hiking in the winter -- in a place with snow like British Columbia -- you really need good traction devices.  For general-purpose hiking, microspikes are definitely the way to go.

You can't go wrong with these two models, both of which I use all the time:

1. Hillsound Trail Crampon

https://www.hillsound.ca/collections/traction-devices/products/trail-crampon

REI has them but also check out https://www.google.com/shopping

2. Kahtoola MICROspikes Footwear Traction

https://kahtoola.com/product/microspikes/

MEC has them

The Hillsound have 1/2" spikes while the Kahtoola have 3/8" spikes.  If I had to pick one, it would be the Hillsound.

In the Okanagan winter hiking is usually on a mixture of snow, ice, and dirt and rocks.  I happily used Yaktrax Pro in Vancouver for years but as soon as I moved to the Okanagan they failed, because the rubber was quickly ground down by the dirt and rocks.  In retrospect, microspikes would have been better than Yaktrax in Vancouver too.

February 3, 2021

Local backup for professionals and organizations

My previous post talked about backup in general and cloud backup in particular.  I promised that my next post would finish by covering local backup.  Here it is.

First, the "why".  Recall that my previous post recommended you start by backing up your data files to the cloud.  Assuming that you're doing this, why would you also want to back up locally, that is to an external drive of some kind in the same room or building as your computer?

There are several excellent reasons:

  1. You need a second backup because one is not enough.  As mentioned in my previous post, a key tenet of information security is defense in depth. When applied to backup, this means having at least two backups of your data, in case something goes wrong with one of them.  You should start with a cloud backup, so your second backup should be a local backup.
  2. With a local backup you have the flexibility to set your own retention policy.  Your cloud backup may keep deleted files and old file versions for, say, only six months or a year, but with a local backup you can easily keep them for several years or even forever if you have a large enough external drive.
  3. Your local backup could be an external drive sitting by your desk, but you have other options too.  You could use a small portable drive or a flash drive and store it most of the time in your fire safe, or you could have two drives and swap them weekly or monthly between being attached to your computer and being in the fire safe, hidden in your home, or in a safety deposit box.  The sky's the limit on the possibilities.
  4. A very secure cloud backup is at least $100 a month -- every month, forever -- but a nice external drive can be purchased for $200 and will last for many years.  You can't dispense entirely with the cloud backup, but if you're price conscious you can use a less expensive (and less secure) cloud backup if you also have a local backup that you take care of well.
  5. If you need to restore a lot of data from your backup – perhaps your entire computer's worth – a local restore will likely be a lot faster than a cloud restore.  And a large cloud restore might use up enough of your monthly ISP data budget to cost you money, whereas a local restore is always going to be free.
  6. Finally, backing up locally offers a type of backup that is usually not done for a cloud backup: a system image backup.  A data backup, or files backup, includes just a user's files, but a system image backup is a backup of a computer's entire main drive, including the user's files, application software and settings, and the operating system.  Due to its size, it's usually not practical to transfer a system image backup to the cloud – but it's very easy to store it on a local drive.  Having a system image backup is not essential, but it's a much faster way to recover from a major computer failure.  Without a system image backup, recovery means reinstalling the OS and all applications, configuring (including hardening) the OS, configuring all applications, and restoring the user's data; whereas with a system image backup, it's a single restore operation that does everything in one step.

Encryption

In my previous post I listed three backup-specific requirements: sufficient confidentiality, sufficiently long retention, and support for point-in-time restore.  These of course apply to local backups too, and you may want to reread that part of my previous post before continuing on here.  Local backup software typically provides sufficient retention and a point-in-time restore, but confidentiality needs more discussion.

For a local backup, confidentiality means encrypting the external drive, and this can be done by the backup software and/or the operating system.  All backup software provides encryption, but encryption in the backup software that comes with many backup drives may not be sufficiently well implemented and secure.  If your computer's OS has the ability to encrypt external drives, use it; in this case you don't need to use the encryption feature of the backup software.  

If your OS can't encrypt external drives, you're probably on Windows 10 Home, in which case your computer's main drive is not encrypted either.  This is a bad situation and you should upgrade to Windows 10 Pro, which will give you the BitLocker feature.  BitLocker gives you the ability to encrypt not only your computer's main drive but also any external drive, such as the one you're going to use for backup.  

If for some reason you decide not to use the OS to encrypt your backup drive, you have four choices:

  1. don't encrypt the backup drive – not a good idea unless the data is not sensitive
  2. use the encryption built into the backup software that came with your backup drive – easy but not recommended, as discussed above
  3. use the encryption built into third-party backup software – a good choice, see below
  4. use quality third-party encryption software like VeraCrypt to encrypt the backup drive – a great choice

Whether you're using the OS, third-party software, or your backup software to encrypt the drive, make sure you store the encryption password in your password manager.

Backup software

What backup software to use?  Let's talk about data backup first.  You can use the backup feature built into your computer's OS or you can use third-party software.  Here are some good choices:

  • Windows 10 File History – Don't use the older "Backup and Restore (Windows 7)" feature
  • macOS Time Machine – If you have a Mac
  • CrashPlan – It's a (great) cloud backup service, but it also allows backing up to a local drive.
  • Macrium Reflect Home Edition – It's primarily (great) system image backup software, but it also supports backing up just data files.
  • SyncBackSE – It's pure backup software that works very nicely.  You need the SE version (not the Free version) in order to get the critical Versioning feature.

CrashPlan, Reflect, and SyncBackSE will all do a good job of encrypting your backup, if you so configure them.

You could also use the backup software, if any, that comes with your external drive to perform your backup.  It's generally best, though, as discussed above, if you don't use the software's encryption capabilities.

For system image backup, here are some good choices:

  • On Windows, there is no good system image backup feature built in. (Don't use "Backup and Restore (Windows 7)": it's old and crotchety and even Microsoft recommends using third-party system image backup software instead.  Definitely don't try it if you use BitLocker.)
  • macOS Time Machine – If you have a Mac
  • Macrium Reflect Home Edition – Very nice software that supports BitLocker well
  • Acronis True Image – People seem to like it, but I recommend you stay away from it if you use BitLocker.

Backup drives

Finally, we get to the bottom level of the stack: the backup drive hardware.  You have many choices, including desktop backup drives, portable backup drives, and flash drives.  Desktop and portable drives used to always be hard disk drives (HDDs) but solid-state drives (SSDs) are now starting to appear at reasonable prices.  Flash drives, which are essentially small and slow SSDs, are now available for reasonable prices up to 512 GB, and would be useful if you want to hide your backup drive.

You should obviously buy a drive that has an interface that your computer supports.  USB is the most common, but pay attention to the physical connector and the USB version number.

Speed is not that important for a backup drive but size does matter.  You can never have enough backup storage, and right now the sweet spot seems to be about 8 TB for HDDs, which are currently the best choice for most people.

WD (Western Digital) and Seagate are respected brand names in HDDs.

Parting words

As mentioned above you absolutely should have more than one backup because things always go wrong.  My last post suggested that you add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup.  How far down the list you go depends on how important your data is and how paranoid you are.

A final recommendation: make sure you occasionally do a test restore of all your backups, both local and cloud.  Otherwise you might discover – just when you need it the most -- that your fail-safe has failed and can't be restored from.


November 14, 2020

Cloud backup for professionals and organizations

One of the highest priorities for securing any organization, big or small, is data backup. Most organizations could not survive the loss of their data, and hardware failure, software failure, ransomware, other malware, human error, etc., can all completely or partially destroy that data in an instant.

Protection against those threats comes as two types of security controls: prevention and recovery. You implement security controls to try to prevent the threats from materializing, and you also implement security controls that should help your operations recover if they do.

Here or there?

The recovery security control for loss of data is data backup, and there are two broad categories: cloud and local. Because local backup -- such as external drives, flash drives, or network-attached storage -- is in the same building as – and often right beside – the computer that it is backing up, it is subject to many of the same physical risks as the source computer. If the building is damaged by a fire, hurricane, or flood, or a thief breaks in and steals electronic equipment, both the original data and the local backup could be lost at the same time, negating the benefit of the backup. Cloud backup is therefore usually a higher priority than local backup.

I'll talk first about cloud backup for a professional with a single computer, then I'll extend this to a multi-computer organization.

The usual suspects 

Most people immediately think of the "cloud big four" when they think of cloud storage or sync: Apple iCloud Drive, Dropbox, Google Drive, and Microsoft OneDrive. People gravitate to them because they are large, reputable companies (with excellent security, by the way) and they offer free storage for a certain amount of data. You can also pay a subscription fee to get storage beyond the free limit.

So you could back up all your data in one of the big four, but should you? The answer is usually "no".

What you need

Let's back up a bit.  What should you be looking for in a data backup offering, whether cloud or local, to help you choose the best offering for you? These are the backup-specific requirements that apply to most situations:

  1. sufficient confidentiality;
  2. sufficiently long retention for deleted files and old file versions; and
  3. the ability to restore data – one file or the entire backup set -- not only from the most recent backup but from any chosen point in time (called a point-in-time restore).

I'll show you why there's a really good chance that the big four won't meet your needs in those three areas.

Confidentiality

"Sufficient confidentiality" means sufficient with respect to the level of confidentiality required for the data you are backing up. This is not black and white, rather it's a spectrum.

At one end of the spectrum, for data already in the public domain – say, cat videos that you've collected from the Internet – you don't need to be too concerned about theft or release of the data. But at the other end, for sensitive data -- tax records (which contain your SIN or SSN), a personal journal (your darkest secrets), a list of account userids and passwords (the keys to your kingdom), sensitive personal information of your customers (privacy and data protection laws), etc. – you want high confidentiality. Every other type of data -- your photos, for instance – falls somewhere in the middle, depending on how sensitive it is.

So you first need to look at your data to identify and classify the different confidentiality requirements – sensitivity -- of the various types of data present. Then you can determine what cloud services meet the needs of your data.

End-to-end encryption

If your data to back up contains some sensitive data – and almost everyone's does – the big four don't provide sufficient confidentiality, because they don't support end-to-end encryption (E2EE).

E2EE means, literally, that your data is encrypted from one end to the other. This term was originally applied to communications that are encrypted from one end – one user – to the other end – the other user – in such a way that no one in the middle can decrypt the messages being exchanged between the two users.

By extension, the term has come to be applied to cloud storage (including backup) as well, with the same user – the one with the data -- being at both conceptual ends: one end for encryption on the user's device, going across the network to the cloud server for storage, then back across the network to the user's device for decryption. With E2EE cloud storage, no one in the middle – including, most notably, the cloud service – is able to decrypt the user's data. You can read more on Wikipedia. You might also see E2EE referred to as "zero knowledge", because the cloud service has no knowledge of the contents of the data.

The big four may have excellent security, but they don't provide E2EE. If an attacker manages to break into a cloud service provider's servers, they may be able to extricate your data. For low and medium sensitivity data, "excellent security" as provided by the big four is usually sufficient, but that may not be good enough for sensitive data, for which you should probably be using E2EE.

Retention

"Sufficiently long retention for deleted files and old file versions" refers to how long the cloud service will save files you've backed up and then deleted, and files you've backed up and then edited or replaced with different contents. If you delete a file from your computer by mistake, delete a file and later realize you need it, overwrite a file by mistake, or make edits that you later want to back out – you'll be depending on your backup provider's retention of deleted files and old file versions.

The big four cloud storage providers provide only a minimal 30-day retention for both deleted files and old file versions. So, for example, if you delete a file on your computer by mistake and only notice this two months later, it's too late to restore the file from your backup, because it will have been automatically purged by the provider. For most of your data, 30 days is not nearly long enough.

There's one exception to the 30-day retention for the big four: if you buy one of Dropbox's (expensive) business plans, you'll get 180-day retention.

Point-in-time restore

When you need to retrieve a file or files from your backup, that's called a restore. There are broadly two types of restores you can do:

  1. restore an individual file as it was just before it was changed or deleted – a file restore; and
  2. restore a folder/directory – which could also be the entire set of backed-up data – as it was at a particular point in time – a point-in-time restore.

If you want to get back a file or a few files that you deleted or changed, you would use a file restore. But if your computer was lost or stolen, suffered a serious failure, or got infected with malware (including ransomware), you would need to do a point-in-time restore of your entire backup, to the date and time just before the problem occurred.

The big four offer file restores to all plans but offer point-in-time restores only to paid customers. Naturally the restores are possible only within the retention period.
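To make the retention and point-in-time discussion concrete, here is an added example (my own illustration, not code from the original post or from any provider): a small in-memory model of a versioned backup service with a retention window, showing a file restore and a point-in-time restore, and why a mistaken deletion noticed two months later is gone under 30-day retention but still recoverable under 365-day retention. Day numbers, file names and contents are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Version:
    day: int                # day number on which this version was backed up
    content: Optional[str]  # None marks a deletion recorded by a backup run


@dataclass
class BackupService:
    retention_days: int
    history: Dict[str, List[Version]] = field(default_factory=dict)

    def backup(self, day: int, files: Dict[str, str]) -> None:
        """Record a backup run: changed content gets a new version, missing files a deletion."""
        for path, content in files.items():
            versions = self.history.setdefault(path, [])
            if not versions or versions[-1].content != content:
                versions.append(Version(day, content))
        for path, versions in self.history.items():
            if path not in files and versions[-1].content is not None:
                versions.append(Version(day, None))

    def purge(self, today: int) -> None:
        """Apply retention: drop versions superseded, and deletions recorded, more than retention_days ago."""
        for path in list(self.history):
            versions, kept = self.history[path], []
            for i, v in enumerate(versions):
                if i + 1 == len(versions):
                    # The live current version is always kept; a deletion marker expires.
                    if v.content is not None or today - v.day <= self.retention_days:
                        kept.append(v)
                elif today - versions[i + 1].day <= self.retention_days:
                    kept.append(v)
            if kept:
                self.history[path] = kept
            else:
                del self.history[path]

    def restore_file(self, path: str) -> Optional[str]:
        """File restore: the newest surviving non-deleted content of one file."""
        for v in reversed(self.history.get(path, [])):
            if v.content is not None:
                return v.content
        return None

    def restore_point_in_time(self, day: int) -> Dict[str, str]:
        """Point-in-time restore: the whole file set as it stood at the end of `day`."""
        result = {}
        for path, versions in self.history.items():
            as_of = [v for v in versions if v.day <= day]
            if as_of and as_of[-1].content is not None:
                result[path] = as_of[-1].content
        return result


def deletion_noticed_later(retention_days: int) -> Optional[str]:
    """The post's scenario: a file deleted by mistake on day 10, noticed on day 71."""
    svc = BackupService(retention_days)
    svc.backup(day=1, files={"Documents/Tax/2019.pdf": "tax data", "notes.txt": "v1"})
    svc.backup(day=10, files={"notes.txt": "v2"})  # the tax file is gone from the computer
    svc.purge(today=71)                             # two months pass before anyone notices
    return svc.restore_file("Documents/Tax/2019.pdf")


def rollback_before_ransomware(retention_days: int) -> Dict[str, str]:
    """Point-in-time restore to day 19, just before every file was overwritten on day 20."""
    svc = BackupService(retention_days)
    svc.backup(day=1, files={"a.txt": "plain a", "b.txt": "plain b"})
    svc.backup(day=20, files={"a.txt": "ENCRYPTED", "b.txt": "ENCRYPTED"})
    svc.purge(today=25)
    return svc.restore_point_in_time(day=19)
```

With 30-day retention `deletion_noticed_later` returns nothing, while 365-day retention still hands back the file; `rollback_before_ransomware` only succeeds while the pre-attack versions are inside the retention window.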

Cloud storage

If you used one of the big four for your backup, you might very well need to buy a paid plan in order to get enough storage capacity to back up all your data. That would give you point-in-time restore capability, but you'd still have only 30-day retention, which is not enough. The big four are actually storage or sync services with a little bit of backup, as opposed to being true backup services. And because they are not E2EE, you'd only be able to store low sensitivity data, not all your data. What to do?

Luckily there's a nice alternative to the big four: true backup services with full confidentiality via E2EE, long retention times, and point-in-time restore.

True backup

I'll present three such providers that are excellent choices for your backup: CrashPlan, Backblaze, and Sync.com. You can use the information below to select the best provider for you as a function of your needs: price sensitivity, retention, confidentiality, and features (e.g., selecting vs. excluding vs. moving, pure backup vs. combined backup and sync, etc.). You might even care about data residency – where the servers, and therefore your data, are located -- although technically it doesn’t matter for an E2EE provider.

CrashPlan

  • USD $120 (CAD $160) for retention forever and unlimited storage
  • Full E2EE implementation
  • The UI allows you to select the folders/files you want to back up
  • The UI allows you to request a point-in-time restore
  • U.S. company (Code42) and servers

Backblaze

  • USD $84 (CAD $110) for 365-day retention and unlimited storage
  • USD $84 (CAD $110) plus a USD $0.005 (CAD $0.007) per GB monthly charge for retention forever
  • Partially E2EE: your data is stored in an E2EE manner, but any restore of your data is not E2EE, as your decryption key must be sent to the server temporarily so that it can decrypt your data to send to you
  • The UI does not allow you to select the folders/files you want to back up – instead, everything on the selected drive is backed up but you can exclude any folders you want
  • The UI allows you to request a point-in-time restore
  • U.S. company and servers

Sync.com

  • CAD $96 for 180-day retention and 2 TB of storage
  • CAD $120 for 365-day retention and 3 TB of storage
  • Full E2EE implementation
  • The UI does not allow you to select the folders/files you want to back up – instead you have to move all folders/files you want to back up into the "Sync" virtual folder. This can be an inconvenience, but using junction points is a possible alternative.
  • For the folders/files in the Sync folder, Sync.com additionally provides real-time syncing between multiple devices, a great feature for some use cases
  • The UI does not allow you to request a point-in-time restore, but you can request it by contacting customer support
  • (The Sync.com Vault feature is an alternative to the standard "Sync" folder sync: you manually upload files to the Vault using the Sync.com web interface whenever you want; this is useful when you need to move files to the cloud to free up storage on your main drive)
  • Canadian company and servers

Mix and match?

Of course you could choose to divide up your data: back up your less sensitive data to one or more of the big four – say, to take advantage of their free plans -- and back up your more sensitive data to an E2EE backup provider -- maybe the 5GB of free storage from Sync.com.

If you do this, though, you have to be careful in two ways: (1) to keep your data well-segregated so that high sensitivity data doesn't get backed up by mistake to a non-E2EE provider, and (2) to ensure that all of your data is backed up to at least one service and no data is missed. 

This may sound simple but it's prone to mistakes happening over time. It's obviously much simpler to ensure that all your data is backed up, and with the proper confidentiality, if you choose a single E2EE provider for everything -- so which path you choose depends on how price sensitive you are.
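The two mistakes just described can be checked mechanically. The following is an added example (my own, not from the original post): given each data folder's sensitivity and the folders each provider backs up, it reports folders that no backup covers and high-sensitivity folders that land with a provider that is not fully E2EE. The folder list and plan are constructed; the E2EE flags follow the provider descriptions in this post, with Backblaze's partial E2EE treated as not sufficient for high-sensitivity data.

```python
from typing import Dict, List, Tuple

# Full end-to-end encryption per this post; anything not listed is treated as non-E2EE.
E2EE_PROVIDERS = {
    "CrashPlan": True, "Sync.com": True, "Backblaze": False,  # Backblaze: E2EE at rest only
    "Dropbox": False, "Google Drive": False, "OneDrive": False, "iCloud Drive": False,
}


def covers(prefix: str, folder: str) -> bool:
    """True if backing up `prefix` includes `folder` (the same path or a parent of it)."""
    prefix = prefix.rstrip("/")
    return folder == prefix or folder.startswith(prefix + "/")


def check_plan(folders: Dict[str, str], plan: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (folders missed by every provider, 'folder -> provider' pairs where
    high-sensitivity data goes to a provider without full E2EE)."""
    missed, leaked = [], []
    for folder, sensitivity in sorted(folders.items()):
        providers = [p for p, prefixes in plan.items() if any(covers(x, folder) for x in prefixes)]
        if not providers:
            missed.append(folder)
        if sensitivity == "high":
            leaked.extend(f"{folder} -> {p}" for p in providers if not E2EE_PROVIDERS.get(p, False))
    return missed, leaked


# Constructed sample: sensitivity classification of the data, then the split plan.
SAMPLE_FOLDERS = {
    "/home/me/Pictures": "medium",
    "/home/me/Documents/Tax": "high",
    "/home/me/Documents/Journal": "high",
    "/home/me/Documents/Clients": "high",
    "/home/me/Videos/Cats": "low",
}
SAMPLE_PLAN = {
    "Google Drive": ["/home/me/Pictures", "/home/me/Documents"],  # Documents drags Tax/Journal/Clients along
    "Sync.com": ["/home/me/Documents/Tax", "/home/me/Documents/Journal"],
}


def sample_report() -> Tuple[List[str], List[str]]:
    return check_plan(SAMPLE_FOLDERS, SAMPLE_PLAN)


if __name__ == "__main__":
    missed, leaked = sample_report()
    print("Not backed up anywhere:", missed)
    print("High-sensitivity data at a non-E2EE provider:", leaked)
```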

Scaling away

If you're an organization with more than one computer to back up, all three E2EE backup providers will accommodate that. Organizations need, among other enterprise features, an organization-wide account and an administration console for the service, and all three have that. CrashPlan's base plan is already a business offering so includes the admin console, while with Backblaze and Sync.com you'll get an admin console if you choose a (more expensive) business plan.

Do you want more?

A key tenet of information security is defense in depth. When applied to backup, this means having more than one backup of your data, in case something goes wrong with the first backup. As described above a cloud backup is the first priority, so you should generally add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup. How far down the list you go depends on how important your data is and how paranoid you are.

One last thing, that will be obvious if you've read my previous posts: use a strong and unique password for your cloud storage/backup account, store the password in your password manager, and turn on two-factor authentication (2FA) for your cloud account.

That's it for the cloud! My next post will cover local backups.

For further reading

Here are a few good sources for more learning on backup services:

Note: Wirecutter – which I highly respect – recommends IDrive in their review. I last tried IDrive in early 2020 and was not impressed with its reliability and abilities. Of note was that it did not properly support BitLocker, which is very important for Windows machines. If you try IDrive, do let me know what you think.