Bitwarden is a great looking and easy to use password manager with fantastic cross-platform support. As such, it can compete with industry heavyweights such as LastPass and 1Password.
Unlike these services, however, Bitwarden is (mainly) free to use and 100% open source. It also uses strong end-to-end encryption, so your logins are safe from hackers and the NSA.
Pricing and plans
Although open source, Bitwarden is a commercial enterprise that offers both free and premium personal accounts.
All the core features of Bitwarden are available to free users, but the USD $10 per year premium plan offers some juicy extras, one of which is 1 GB of encrypted file storage (expandable at a cost of $4 per GB per year).
In addition to personal accounts, Bitwarden offers “organization accounts” that allow sharing of logins and keys, plus various other handy features. A simple two-user family organization account is free, while business accounts can cost up to USD $3 per user per month if paid annually. A free trial is available for all premium organization accounts.
Payment is via credit card or PayPal, so anonymous payment is not an option. Of course, free users do not need to provide any payment details anyway.
We will look at the organization features later in this article. Free personal account users enjoy the following features:
- End-to-end encrypted password storage
- 100% open source
- Cross-platform apps for all major platforms
- Browser add-ons for all major browsers
- Web browser access from anywhere
- Command-line tools (CLI) to write and execute scripts on your Bitwarden vault
- Self-hosting (optional)
- Two-factor authentication (2FA)
For less than a buck a month, premium users also enjoy:
- 1GB encrypted file storage
- Additional 2FA options
- Priority customer support.
Bitwarden allows you to manage your Bitwarden vault using some powerful cross-platform command-line tools.
Most of the commands can be duplicated in the GUI, but tech-heads may appreciate the more hands-on feel of using a CLI.
Free users can protect their vaults using two-factor authentication. Bitwarden supports the Time-based One-Time Password (TOTP) algorithm and can be used with any app that supports this standard. This includes Authy, Google Authenticator, and open source andOTP. Free users can also opt for email 2FA verification.
If you are not happy with your data being stored on third-party servers (even though it is end-to-end encrypted), you can host Bitwarden's entire infrastructure stack on the platform of your choice (Linux, Windows, and macOS) using the Docker virtualization platform.
Logs and tracking
The only personal information required is a valid email address which is used to identify your account. You may choose to give Bitwarden additional “User Personal Information,” which it may keep indefinitely unless you request to delete your account.
“We collect only the minimum amount of personal data necessary for our purposes, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing.”
Of course, all vaults are secured using end-to-end encryption, so Bitwarden simply cannot access any information stored in them.
User Personal Information is never shared with third parties for commercial purposes, although “aggregated, non-personally identifying information” may be shared under certain non-commercial circumstances.
Emails sent by Bitwarden may also contain a tracking pixel that tells Bitwarden whether or not you have opened the email and what your IP address is. Analytics data is also collected through the software, although you can (at least partially) opt out of it.
Overall, we would say there is much less tracking than with a full-on commercial service such as LastPass, but much more than with true community-developed FOSS software such as KeePass (which basically has none).
Bitwarden operates under the “exclusive jurisdiction and venue of the courts located in the City and County of Jacksonville, Florida.” As a US company, it is subject to FISA and the Patriot Act, and as Edward Snowden demonstrated, can be assumed to be monitored by the NSA and/or other government agencies.
But… it uses strong end-to-end encryption, so even the NSA should not be able to access your data.
By default, your data is stored on Microsoft Azure cloud servers managed by Microsoft. This should not be a threat to your privacy, however, as all data is encrypted and hashed before it leaves your computer. It can only be decrypted using the correct master passphrase, which only you should know.
In other words, Bitwarden uses end-to-end encryption (e2ee). This is great, but does mean there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t.
It does mean that it is vital to use a strong master passphrase, but one which you will not forget. Accounts can be secured further using 2FA.
As noted earlier, if being hosted on Microsoft servers bugs you, you can host Bitwarden on a personal server instead.
Data is protected using AES-256. PBKDF2 is used to derive the encryption key from your master password, and that key is then salted and hashed using HMAC-SHA256. All three are well-established, widely vetted cryptographic algorithms.
Data is transmitted to the cloud servers via regular TLS - which is fine. Even if your data was somehow intercepted in transit (via a MitM attack using fake SSL certificates) it could not be accessed because it is encrypted before leaving your device.
If accessing your Bitwarden vault via a browser (using either the browser add-ons or directly using the browser interface) you should be aware that all browser-based encryption is inherently insecure. How big is this danger? Well… it depends on your threat model, but it exists. The issue does not threaten users of the dedicated desktop clients or mobile apps, however, and so is easily avoided.
It is also worth noting that Bitwarden uses Microsoft SQL Server (MSSQL). This shouldn’t be a privacy problem as all data is securely e2e encrypted using AES-256. But Bitwarden’s reliance on Microsoft products does not sit well with its privacy ambitions.
Earlier this year, a flaw was found in the Chrome add-on’s cryptography, but this has been largely fixed as long as you “never, ever use the ‘never forget’ option of Bitwarden”. Bitwarden's developer, Kyle Spearrin, confirmed to us that “yes, if you do not want your encryption key persisted on disk, you should not use the ‘Never’ lock option.”
As discussed above, though, for maximum security you should probably avoid using the browser add-ons anyway.
This brings us to the issue that Bitwarden has a single developer: Kyle. This means that when vulnerabilities are found it can take a while for Kyle to fix them.
Arguably the biggest issue, however, is that Bitwarden’s open source code has not been audited. As with most open source software, the fact that anyone who is qualified to do so can audit it does provide a fair degree of confidence in its integrity. But no-one has. In fairness to Bitwarden, it was planning to pay for a formal security audit, but as a small company simply could not afford the $30,000 or so that reputable auditing firms were asking for. There is talk among the Bitwarden community of crowdfunding an audit, so it may yet happen at some point.
Update 11/2018: Bitwarden has now been independently audited by security firm Cure53. No major issues were identified during this audit, and all issues that had an immediate impact have been resolved in recent Bitwarden application updates. The report does make clear, however, that further work needs to be done, especially on the cryptographic scheme. Regardless of any outstanding issues discovered, which will no doubt be addressed in time, we agree with Bitwarden that the audit "reiterates our commitment to the security and integrity of the entire Bitwarden platform."
In addition to an extensive and useful Help Center/FAQ, you can email the Bitwarden team for support. I have read that thanks to having a single developer it can take a while to receive an answer, but I received a knowledgeable response from Kyle within half an hour of sending him some questions.
Alternatively, you can post a question on social media or the Bitwarden community forums where Kyle is an active participant.
You can download the desktop clients, mobile apps and browser add-ons for free from the Bitwarden website. You can sign-up for a new account either on the website or when you first run the software.
A valid email address is required, although I can see no reason why a disposable one will not work just fine. Don’t forget your master password (or better yet, passphrase), as Bitwarden cannot recover it for you.
The Bitwarden Desktop Clients
The clients are pretty much identical across all desktop platforms. I’ll just note that I found it much easier to install Bitwarden in Ubuntu from the Software Center, rather than the Linux .AppImage from the website.
The client’s interface is clean looking and intuitive to use. The four different “types” of entry – login, card, identity, and secure note – are formatted for easy entry of the different kinds of information that you might want to keep secure.
Bitwarden can generate secure passwords. Being able to customize this process is very handy for websites that insist on specific requirements for passwords.
Other than being able to create folders and add items to them, that’s about it. But what more do most people want? Those who do want increased functionality might be interested in an organization account, which we will look at a little later in this review.
The Bitwarden Mobile Apps
The Android and iOS versions of the app are similar in layout and functionality.
The apps have the same look and feel as the desktop client and include all of its functionality, so you can do everything on the mobile app that you can on its desktop sibling. Note that on high-end phones Bitwarden also supports fingerprint unlocking.
On Android devices, the Bitwarden accessibility service allows you to autofill both app and web logins.
In iOS, “the Bitwarden app extension allows you to quickly log into any website through Safari or Chrome and is supported by hundreds of other popular apps.”
The Bitwarden Browser add-ons
Browser add-ons are available for Chrome, Firefox, Safari, Vivaldi, Opera, Brave, Microsoft Edge and Tor browser. For the ones we tested (Firefox and Chrome), the add-ons worked for the mobile as well as the desktop versions of the browsers.
Again, the add-ons use the same design language as their desktop and mobile app siblings and provide full access to all of Bitwarden’s features. This does mean that encryption and decryption of logins occur inside the browser, so please bear in mind our earlier comments about the insecurity of browser-based cryptography.
The browser add-ons make auto-filling logins very easy. Just right-click and follow the menus.
We have already mentioned that there is an issue you should be aware of with the Chrome add-on. It is also worth noting that Tor browser users should think twice before installing the add-on.
One of the best features of Tor browser is that one unmodified Tor browser looks just like every other unmodified Tor browser. This makes using it one of the best defenses against browser fingerprinting. Installing any add-on, though, makes Tor browser more unique and thus more vulnerable to fingerprint tracking.
In addition to support for all major platforms, plus support for almost every browser available, you can access your Bitwarden vault via a web interface. This is particularly useful when you want to access logins and suchlike from a device that is not yours. The usual warnings about browser-based cryptography apply.
Users can upgrade to organization accounts, which add some additional features. A simple organization is even free!
Key features on offer to those who upgrade include:
- Securely share and manage logins, secret keys, and suchlike
- Implement fine-grained access control policies and organize vaults with collections
- Enforce multi-factor login policies for users by integrating with Duo Security
- Secure file storage (expandable)
- On-premise hosting with no dependency on external cloud services.
We like:
- Open source
- Free (with very reasonably-priced bonus features)
- Strong end-to-end encryption
- Very easy to use
- Looks great
- Ability to self-host
- Great cross-platform support
- Now independently audited (although non-critical issues were discovered)
Not so sure about:
- A moderate amount of tracking
- Based in the US (not a major issue thanks to e2ee)
- Open source code had not been audited when this review was first written (see the 11/2018 update above)
- Only one dev
Bitwarden is a very slick and user-friendly password manager that saves passwords on a centralized server and has fantastic cross-platform support. As such, it makes a great drop-in replacement for the likes of LastPass.
Except that it’s basically free, is 100% open source, and thanks to end-to-end encryption, is much more secure and private. LastPass can and will hand over your passwords to the Feds. Bitwarden simply can’t.
Nor is your data vulnerable to hacking, which is not something that can be said for LastPass. This should make choosing Bitwarden something of a no-brainer for most mainstream users.
For tech-heads and open source fanatics, the situation is not so clear-cut. Bitwarden looks better and is easier to use than KeePass and its derivatives (such as the excellent KeePass XC). It also has more functionality “out-of-the-box” (for example browser integration), although KeePass users can access similar features via a wide selection of plugins.
Open source fans, however, are likely to be sniffy about the commercial aspects of Bitwarden. On a philosophical level, it is not the kind of community-developed FOSS project that KeePass is. On a more practical level, Bitwarden performs much less tracking than most commercial password manager platforms, but this is still a hell of a lot more than KeePass does.
Another issue is Bitwarden’s use of browser-based cryptography. Almost all commercial services use it because doing so provides a seamless and convenient user cross-platform experience for users. And in truth, for most people, the small theoretical risk it presents is easily outweighed by convenience.
But there is a risk. You can, of course, simply use the stand-alone clients, but losing auto-fill in your browser is a major pain.
KeePass manages to avoid this issue with browser plugins such as KeePassHttp, which acts as a bridge between KeePass and your browser. The actual cryptography is performed in the KeePass app, not the browser. But configuring KeePassHttp (instructions available in our KeePass Review) is not a task for casual internet users.
So let’s put it this way - this reviewer has no intention of ditching KeePass, but will recommend Bitwarden to his non-techy partner who has so far resisted all efforts to convince her to use a password manager…