22. Michael Crandell, CEO at Bitwarden Inc., on Open Source Security

Welcome, everyone, to another show. I'm here today with a very special guest, Michael Crandell, the CEO of Bitwarden. And for those of you who are less familiar with Bitwarden, Bitwarden is an open source password management solution for individuals, teams, and business organizations. Michael was named Entrepreneur of the Year at the South Coast Business and Technology Awards.

It's great to have you on the show, Michael. Thanks. It's a pleasure to be here, John. So a lot of times, the guests on this show will have some sort of a story or a connection with their childhood, maybe something that really happened or brought about a formative moment way back in the day, something that really happened that makes you or led to sort of an interest in security.

I'm curious, do you have any stories like that? That's a great question. I think back, when I was a kid, my mom let me take apart a bicycle, 100% take it apart to every single piece, and then put it back together, you know, kind of clean the pieces, oil them, etc. It really gave me an understanding of how component parts go together to create a whole.

And also, maybe more importantly, how paying attention to the quality at the detail level ends up producing a much better product as a finished product. You know, I think that applies to many product-focused businesses, but certainly software development. So I see a big relevance there. Yeah, absolutely.

Especially connecting the details to a user experience or how something might work. Yeah, I mean, sometimes we forget about how important quality is in the user experience with software, and it's something we try to pay a lot of attention to with Bitwarden. And so, speaking of Bitwarden, I like to think we've all heard about password management systems, but maybe you can share from your point of view, what's the core of password management? So what is that problem?

What are we solving, really, when we get right down to it? At a high level, it's about making security easy. We know that to be secure, a password needs to be unique and complex. So it needs to be unique so that should it somehow be breached, it doesn't compromise any other accounts that a user has.

And it needs to be complex so that it can't be easily guessed or cracked by a computer. By the way, a sweet spot for uncrackable passwords or very long time to crack a password is about 14 characters long. But those two qualities make it hard to remember for almost everyone. So a password manager creates unique, complex passwords for you, and it stores them in relation to the websites and accounts that you use, and then it pulls them up and automatically enters them for you.

So at the end of the day, it's a double win. It's both more secure and easier to use, which is something that you don't often get in the security world. That's right. You know, oftentimes I find that when you bump into a problem in security, you find that you have a little knob, and you can turn that knob one way and it increases your security, and if you turn it the other way, it's actually increasing your user performance and it almost feels like a compromise.

And whenever I bump into a problem like that in the security space, I think of it as a cop-out. You know, we're just not being creative enough. We're not thinking about the problem the right way to have both, because I want both security and usability. It's a nasty trade-off.

It's almost omnipresent in security. That means normally more secure means less convenient. So it's a tightrope that every security product has to walk, and it was one of the things that really attracted me to password management and Bitwarden in particular, was the combination of secure and easy to use. And you've been with Bitwarden for almost three years now, right?

Almost three years, that's right. That's a pretty good chunk of time. It seems to have gone by fast. We've been growing super fast and a lot has been accomplished.

By the way, I joined a company that was already founded by our founder and CTO, Kyle Spearrin. And he's an amazing guy with an amazing story. He basically built it single-handedly by himself based on the principle that he could do something better than the competition and, in a key insight, make it open source. Wow, so he really had that entrepreneurial drive and spirit, a strong sense of ownership.

Absolutely. As the story goes, when you start a company, often you're leaving another job. So it's the old story, quit the job, start a new company. There's risk associated with that.

I thought he was brilliant. Apparently, he popped that question to his wife while they were both on a 5K run, which pretty much guarantees that you're not going to have a long conversation about it anyway. And she said yes, and the rest is history. That's amazing.

Yeah, 5K is about what, 15 minutes or so? Yeah. So coming in as CEO and working with a founder or CTO, what was that experience like? It's been wonderful.

One of my mantras when I joined Bitwarden was not to screw up anything that's already working. And what was already in place, what Kyle had built, was a system that was simple. It does what you need and doesn't do more and doesn't get in your way. It was open source and it was very community-based.

So Kyle did a great job, and I think we've continued that work in fostering a strong global community around the product. And of course, being open source helps a lot with that because anyone can participate. Anyone can look at what we've done. They can review the code.

They can vet it. And many people do. And they can also contribute to make it better. Yeah, that's spectacular.

That's how you build community. Enable people, and then participation really becomes power in that sense. Exactly. Exactly.

I think one of your questions for me was, what's the best day I've had on my journey at Bitwarden? Yes, it's just on the tip of my tongue. So what is your best day? You know, it's a little corny, but I would say every day.

Every day is. But seriously, it's probably the first day that I saw a customer support email that came in thanking Bitwarden for building such a great product and cheering us on. And I'm not kidding. As you know, most customer support communications are about problems and complaints.

But we get a ton that are just about Bitwarden love, and we get them just about every day, which is why I say every day. And they come from the fact that we have a full-featured free version that's free forever. That kind of goes with the ethos of being open source. And so people appreciate that.

And many people actually write in and sign up for the paid version because they want a way to support what we're doing, which is helping people stay safe online. And it's a core belief of ours that everybody has the right to be safe online. Everybody should have that right. And that's why we do provide a basic full-featured version for free that anybody can use.

That's very generous of you guys. So there's backend components that are required to run. If you're going to run Bitwarden entirely yourself, I'm sure you could because everything's open source, right? But having a SaaS already set up and ready to go is quite convenient.

And the fact that you provide that for free is in line with the community. Participation is power, right? Yeah, it's part of our core, the significance of what we're trying to do to make a difference in the world, to make the world a better place. We imagine a world where nobody gets hacked.

Very aspirational, but it's a great thing that people can believe in both in our community, but also everybody on the team who works at Bitwarden. It's something you can get up in the morning and believe in. And just a word, I think some people go, oh, if it's free, it must be somewhere there's a catch, right? Either the users are the product and we're somehow using advertising to them or using their information.

We don't do that absolutely at all. We don't track users. We don't capture any information. The way it works is pretty simple.

Free users love the product and they talk about it. If they want to, if they love the product, they're welcome to tell others about it. And so many of them bring Bitwarden to work. And when they do, that's where we make money as a successful company.

It's mostly with our business versions. We have an enterprise, a full enterprise version for very large companies and a team's version that serves smaller businesses. And that's how it works. And so no pressure on anyone.

And the free users don't need to be worried about being misused in any way. No, that's amazing. And I'm sorry that we live in a world where we have to say things like that, even though it's a SaaS and we provide this great service for free. It's not used for marketing.

And so you guys pivoted. Did you help the business pivot from a B2C play into a combined B2C and B2B play? I helped the emphasis there. Kyle had already created the teams and enterprise versions, but I do have experience in selling into enterprises and what they need and want.

And so when I joined, one of the first things we did is really beef up our security and compliance profile. And we went out and got a SOC 2, SOC 3 audit and went through, you know, the rigor of disciplining ourselves to those practices so that customers could trust us. We complemented that with a HIPAA audit. We started increasing the cadence of penetration tests and source code audits.

We became GDPR and CCPA compliant from a privacy point of view. So we put a bunch of things together. We created an SLA for larger customers. That's something they expect.

This is not a brand new playbook, but it's one that I had been through. So I helped us go through that process. And now at bitwarden.com/compliance, you can see all the wonderful certifications and compliance and security measures we take just to help increase the validation of the trust that people have in us.

No, that sounds like quite the journey. And under your leadership and guidance, it sounds quite successful. I've been in many B2B plays myself, and I know security is a big role. And you just rattled off all of the major players, all of the important, I don't want to call them checkboxes, but there's real and serious contributions towards the security of a product through the certifications.

Yes. One of the things I learned along the way, one of the things I learned is that for larger companies that are making acquisitions, they have different teams that analyze things. And there's usually a security team as well as the business folks, the procurement folks, the IT team. And with security teams, you either kind of lean in and get a sense of trust early on, or you don't.

And if you lean in, then the path tends to be smoother and you can create that trust early on. Or else you're just fighting a losing battle because you haven't done the things that they are used to requiring as policies in their companies. And it's understandable, right? They all have policies they need to follow.

Yeah, exactly. They have a tough job as well. And they're in the same community as we all are in the security space. And so it's easy to empathize with the asks that they have.

And they're just trying to protect their business as well. Makes perfect sense. So tell me, has there been a worst day for you yet in Bitwarden? Yes, there is a kind of a worst day.

There's a template. Oh, there's a whole template for a worst day. It's the same day over and over. It's that we get contacted sometimes by government agencies, whether in the U.S. or overseas, to notify us of data breaches that have occurred that are being exposed on the dark web, etc. And in addition, you know, you can hardly pick up the news anymore without reading about the latest data breach of this or that company or ransomware. And what's rotten for me is when I read about or hear about these things that hit companies and people because of insecure password practices that could have been so easily avoided.

So it's just more pressure. I wish we could all get the word out faster because it is such a simple thing to roll out password management if you're in a company or to sign up and use it yourself. And the protection is so much greater through that. That's really my worst day, when I keep seeing this bad pattern repeat over and over.

Yeah, I have exactly the same sentiment, especially, you know, when you're talking about password-related breaches. We have the technology to solve basically all of the types of breaches out there. It just takes a certain amount of effort to go in and pull the trigger and commit to raising that security bar, right? Exactly.

And Bitwarden, it sounds like there is plenty of space available. It doesn't even cost anything and it's available to both consumers and to businesses. I could imagine that's quite frustrating. It is.

It's frustrating to hear, but it's motivation to keep getting up every day and getting more and more people onto the platform. So share with me, there are a couple of different players out there in terms of password managers. Can you share with our listeners what makes Bitwarden special? Absolutely.

Number one, we're open source. And that makes a difference because the security of the product is vetted by lots of developers and security professionals around the world. Everybody can look at every line of code, how we do things, etc. and validate it.

We also offer versions for the largest enterprises with features around, typically around integration, integration with single sign-on systems or SSO systems, directory services. We offer self-hosting. The other leaders don't for those companies that want to do that. And we have those versions for big companies all the way down to individual users.

So that span is a differentiator for us. As I've mentioned, in keeping with the open source ethos, we believe strongly that the security of a password manager should be available to everybody worldwide. So we do have that full-featured free version, free forever, no strings attached. And it's helped us create what I think is the most vibrant community around a password manager across the globe.

We have over 5 million users of the product who help spread the word, and the product has been translated into almost 50 languages. So it's a very global base, and that's another distinguishing feature of Bitwarden. Wow, that's incredible. Over 50 languages.

Yes. Was that a community effort? It's largely driven by the community, yes. It makes me wonder why anyone would use anything else.

We wonder that sometimes too, John. Okay, so you mentioned a couple of times Bitwarden is open source, and you share that it means that anyone can audit it, that anyone can go and look at the code. And because of your B2B efforts, those are being rolled into the open source version as well, I'm assuming. Yes?

Yes. So really, anyone can take advantage of the world-class security that's being poured into the B2B product that's being sold to large institutions, large corporations. Correct. And so what is it about being open source?

Why does that matter? Like, is it, couldn't it be hurtful for your business? You know, just to ask the naive question, couldn't someone come along and copy the entire Bitwarden business with your open source product? So in a way, they could.

Remember that open source licenses require that whoever copies it open sources what they do also. And, you know, when, and that hasn't happened a lot, but when that happens, we try to remember that imitation is the sincerest form of flattery. But nobody's done that in any way that infringes on our business. Really, how it works for us is, as I mentioned, it's more transparent.

So you've, anybody can look at how we're handling their sensitive data. Let's face it, it's about as sensitive as you can get, all your login credentials. How we do encryption, what's the level of encryption, where and how we use it. They can validate that all their data is end-to-end encrypted so Bitwarden cannot touch it.

And all of that's open to the world. We do get researchers looking at it, et cetera. And of course, it's open not just for revealing, but for people to contribute or build upon or add modules. And finally, one of the advantages is that larger companies these days have come to prioritize using open source products whenever they can.

It's actually been a movement, as I'm sure you know, for quite a while. And the reason is it reduces their risk and it reduces their cost. You know, if they're worried about what happens if the provider of this product goes away, well, they have access to the source code. And open source, of course, tends to be more efficient, more economical from a cost point of view.

As to how, what the danger is to our business, the reality is that very few people build Bitwarden from scratch in order to use it. That's a difference with Bitwarden, which is really an app and a set of clients from traditional open source, which is more around infrastructure. So in the days of MySQL, people would download it, build it, and run it as a database, essentially a developer product. But as an end user app with admin features for larger companies and, you know, eight or 10 different clients for Bitwarden.

So you're running, some people run Bitwarden on iPhones, iOS, on Android phones, on Windows, on Mac, on Linux, on five or six different browsers, command line interface. When you add up all those clients, it's just not worth it against our license cost and support to go out and try and build all that and run it. And finally, if you think about it, anybody who would propose that, if you're inside a company and you say, hey, we could save a few bucks if I kind of build Bitwarden myself, I think the IT managers and directors would say, you know, just manage password management.

Let's not do that. Let's just license it. Right. Right.

Let the folks who wrote the software originally run the software. They know it best. They know how to configure it. It's more efficient if it's multi-tenant, and you can pass on the savings and the expertise to all the customers, right?

Yes. So it's the best of both worlds. We get the benefit of open source, but we don't really have to compete against ourselves. So a quick question for you.

You mentioned that everything is end-to-end encrypted, and so Bitwarden itself as a product or even as a company does not have any access to any of that encrypted data, which I think is beautiful and wonderful. That's exactly how it should work. But you also mentioned, and maybe some of our listeners caught it as well, that you have a version of Bitwarden that's available for on-prem deployment, if I understood correctly. Correct.

That's right. Don't those two product features bring you into the same level of security or a very similar level of security? And I'm curious who would drive a business to run that whole stack on-prem versus just take advantage of your fully end-to-end encrypted, already managed for you SaaS? Right.

The answer to that is really that if we start with what does the end-to-end encryption buy you as a user or customer, with any product out there, it buys you the fact that nobody in between during transmission or storage or the company providing the product, in this case Bitwarden, can ever see your sensitive data. We just do not have access to it because it's encrypted. So that's classically what's become popular in the last half dozen years, a zero-knowledge approach to security, which is, of course, a really strong one. Despite that fact, there are companies that just have an orientation toward wanting to self-host something.

Sometimes that can also be in relation to regulatory reasons versus security reasons. What do I mean by that? Maybe you're a company in Switzerland and the law says that you need to locate all the data for your company within the Swiss borders. So geolocation or data residency.

In that case, great. Run the server there and you meet that criterion. And we found that it's productive not to get into arguments with customers about which way they want to do it, but just to provide both and let customers choose. No, that makes perfect sense.

That's amazing. It's a pattern or a theme that I'm seeing crop up over and over again. It's the data governance and the data residency. And it's not the first time I've heard of this problem.

So it'll be interesting to see if we can wrap all of our storage around some abstraction layer that lets us continue down that path of multi-tenancy and hit all of the important requirements that are bubbling up out of geolocation and their data. It's going to be an interesting journey, John. It's not going away anytime soon. We see more and more, for example, recently from the EU around privacy requirements.

So it's not getting any easier. So how about Bitwarden as a company? What's your culture like? If I were to join there as a new employee, what would that feel like?

Sure. We'd love to have you, by the way. First off, we are a fully remote company. So we have people in somewhere around 22 states in the U.S., I think around 20 or more countries in the world, six continents. We're in Europe, Africa, Middle East, South America, North America, Australia, Asia-Pacific, etc. So what that means is we're really able to hire the best people because we can choose from almost anywhere in the world.

That's been a real eye-opener for me, the first time I've been in a fully remote company. One of the reasons I joined. That's also allowed us to lean into diversity on our team, which is a real strength. Our customer base is global, so it's important that our team members be global also.

You know, our company values, every company has values. Ours are the four. Gratitude, responsibility, inclusion, and transparency. And I think, look, all of these are pretty self-evident to people.

They certainly seem to appeal to the candidates we end up attracting. But together, they spell the word grit, which I think is really necessary. Yeah, it's really important for building a long-lasting company that continues to innovate over time because not all of that journey is easy. You need to have stick-to-itiveness.

Yeah, you need to have grit. You need to be prepared to face grit. Yes. Yeah, I like that word.

That's a good word. It brings with a very odd... entrepreneurial mindset and spirit. Along with those four values, speaking of hiring folks, do you have a favorite interview question? I do. And that is, when I'm interviewing somebody, and by the way, I still interview everybody who joins Bitwarden.

I just think it's super important. I learned long ago, even in technology companies, where sometimes outsiders think, oh, it's all about the technical wizardry of this or that product. At the end of the day, it's all about people in technology companies. People are what build the technology, right?

So I still interview everyone. My question is, what did you like to do when you were 16 years old? Okay, that's a great question. So you can, it's almost like that first question I asked you.

About childhood. Yep. You tend to get authentic answers because it's not a question that anyone rehearses for in a job interview. So it's new.

It's not all that tough. Hopefully most people remember when they were 16. They think about it for a minute and it just helps share something about them as a person. That's really amazing.

I love that. It really has nothing to do with like the technical pieces. And it's an opportunity for a candidate, perhaps, to share a passion that was there when they were 16. It's still there when, you know, wherever their life has taken them.

So in the news, if you look at the news, there's a lot of chatter about going passwordless and this, that, and the other thing, like replacing passwords. What do you make of all of that? And how do you see that dialogue kind of fitting into Bitwarden as a company and your position in the market? First, passwords are not going away.

They're embedded in so much of what we do on computers that it's going to take a long time for all those systems to evolve and change. At the same time, passwordless technologies are already here and they're super useful. Things like biometrics that we use, Touch ID, Face ID, Android biometrics, et cetera, security keys. So there are a variety of passwordless technologies already in use and have been for a while.

And Bitwarden already supports all the common passwordless technologies and will continue to do that as passwordless evolves, which of course it will. So we look at it really as an and, not an or. People will use passwords and passwordless approaches to authentication and they'll want tools that let them use the best method in each situation. So that's what we're shooting for.

There's a saying that our founder Kyle uses, which is, there is a reason that the word pass or password is not in the company name Bitwarden. It's because we're really focused on a larger goal, which is helping people authenticate safely online, whether through a password or through a passwordless technology. So you're adapting and changing with the environment and actually incorporating those new technologies into your ecosystem. Yes.

I mean, one of my favorite features, I happen to be an iPhone user, and as you know, there's a password autofill feature kind of built into the iPhone or capability that different password managers can plug into. So when I'm going to a site and it asks for a password, I click the password button. It brings up Bitwarden and I authenticate into Bitwarden with Face ID and that automatically fills the password. So even though it's a password-based site, the experience is pretty much passwordless because all I'm doing is opening the phone up to my face and I end up logging into any password-based site.

So that's an example of how we've already incorporated passwordless technology into the flow. No, that's spectacular. And this is how all of these different technology stacks can work together to bring a better user experience because at the end of the day, it is all about people. And I think when security is done right, it is seamless and it does not interrupt the flow of your day, but at the same time, it is also very strong.

And I know that the Face ID that you just mentioned behind the scenes, underneath the hood, if you were to peek into iOS, it's using secure enclaves and protected memory and all of those great features that we don't even need to think about as users when we use that. Sure. And of course, at the bottom of it all is a secret. You could think of it as something like a password that gets transferred in order to authenticate you.

So even they're passwordless from a user perspective. But under the covers, there's still a certificate or a secret that does get passed. And I think it's important to recognize that end users, most people are not opinionated about technology. They just want to get their work done in the quickest, easiest, best way.

So it depends whatever you need to do. If you're on a password-based site, make that easy. If it's passwordless, make that easy. Next question.

Next question. Yeah. No, I couldn't agree more. One of the things that still drives me crazy is when there are all of those restrictions on what a password should look like.

And they only go up to like 32 characters and you kind of have to figure it out and you have to play games with like the password length and the types of characters in the password and hit reset a couple of times until you get one that has all of the right types of characters and your new random password for your password manager. But that stuff is super frustrating. There's a comic who did a whole comedy routine on the evolution of that. I think I've seen this.

Yeah. In the beginning was the password and we all had our password and we used it everywhere. And then some sites said, stop, that's not secure enough. I need a capital letter.

So we all, as a group, we all jointly decided to capitalize the first letter in our password. Of course, everybody's laughing because he was so right on. It's what everybody did. And then he does the special character and the number and all the other requirements.

Yes. That's funny because it's true. Yes. It wasn't George Carlin, but it's just like George Carlin.

It's funny because it's true. We'll have to put a link to that in the notes. All right. So when we look into the future, you look into the future, I'll let you decide how far you want to look into the future.

But when we look into that future and you see Bitwarden as an amazing smashing success, what does that look like? What does the success look like? Starting from today, in the last couple of years, we've been growing really fast in the password management space. So we're not going to let up the pace of innovation there.

That's a major focus and emphasis for us and a lot more growth in our future. But we'll also expand, John, by offering more tools and products for developers, first off, and then also more capabilities that incorporate passwordless authentication approaches. So both of those are going to be emphasis points. And then there are also other adjacencies.

For example, we have a feature in Bitwarden called Bitwarden Send. And it allows you to send a piece of text or a file, also end-to-end encrypted, to anyone, whether they're a Bitwarden user or not, with that same zero-knowledge trust and sense of security that we have in the rest of the product. And also one of the nice features about that is you can set a specific expiration date for that message. Companies in particular like that because they don't want to be building up data that gets exposed during a deposition or some other legal proceeding.

They want to know that things are temporary. And you want to know that it's not living around in your sent folder or somebody else's inbox forever. So I think of it as, I go back to the Mission Impossible TV series where they had that tape recording that self-destructed after 15 seconds. So this is similar to that.

Your message can be transmitted and then it goes away. And we get a lot of requests around enhancing that functionality for larger companies. So that's another area. All of it's going to come under the umbrella of helping people stay safe online and doing business faster, safely.

And it all starts with simple, secure, and convenient authentication. No, that sounds amazing. I would use that feature all of the time, you know, when someone comes over and they're like, hey, what's the Wi-Fi password? And do they have Bitwarden?

I don't know, maybe. Oh, you can send them the secret. You can send them the password. I mean, you can send it, share it just for the day, you know.

It doesn't need to be forever. So when they get a new phone or they lose their phone, your password's not just dangling in someone else's device that's now in the hands of who knows who, right? Well, check it out. I will definitely be checking it out.

Michael, this has been amazing. Thank you so much for joining me. Would you like to leave our listeners with any parting words of wisdom? Absolutely.

Please come have a look at Bitwarden. It's free. Don't be one of those folks who gets caught with your pants down because of a password mishap. Once you get into it, you're going to have an aha moment of where security and ease of use come together and you'll never go back.

I'm going to go check it out myself right now. Well, I want to thank Michael again. And thank all of our listeners for joining for this episode, and just stay tuned for the next episode of the Security Bonicast in Silicon Valley. Thank you, John.

It's great to be on the show.