
Bitwarden Review

Bitwarden is a great looking and easy to use password manager with fantastic cross-platform support. As such, it can compete with industry heavyweights such as LastPass and 1Password.

Unlike these services, however, Bitwarden is (mainly) free to use and 100% open source. It also uses strong end-to-end encryption, so your logins are safe from hackers and the NSA.

Pricing and plans

Although open source, Bitwarden is a commercial enterprise that offers both free and premium personal accounts.

All the core features of Bitwarden are available to free users, but the USD $10 per year premium plan offers some juicy extras, one of which is 1 GB of encrypted file storage that can be expanded at a cost of $4 per GB per year.

In addition to personal accounts, Bitwarden offers “organization accounts” that allow sharing of logins and keys, plus various other handy features. A simple two-user family organization account is free, while business accounts can cost up to USD $3 per user per month if paid annually. A free trial is available for all premium organization accounts.

Payment is via credit card or PayPal, so anonymous payment is not an option. Of course, free users do not need to provide any payment details anyway.

Features (Personal)

We will look at the organization features later in this article. Free personal account users enjoy the following features:

  • End-to-end encrypted password storage
  • 100% open source
  • Cross-platform apps for all major platforms
  • Browser add-ons for all major browsers
  • Web browser access from anywhere
  • Command-line tools (CLI) to write and execute scripts on your Bitwarden vault
  • Self-hosting (optional)
  • Two-factor authentication (2FA)

For less than a buck a month, premium users also enjoy:

  • 1GB encrypted file storage
  • Additional 2FA options
  • Priority customer support.

Command-line tools

Bitwarden allows you to manage your Bitwarden vault using some powerful cross-platform command-line tools.


Most of the commands can be duplicated in the GUI, but tech-heads may appreciate the more hands-on feel of using a CLI.

2FA Support

Free users can protect their vaults using two-factor authentication. Bitwarden supports the Time-based One-Time Password (TOTP) algorithm and can be used with any app that supports this standard. This includes Authy, Google Authenticator, and open source andOTP. Free users can also opt for email 2FA verification.


Premium users have access to additional 2FA methods. The YubiKey and other FIDO U2F-compatible USB or NFC devices are supported, as is authentication using Duo.

Self-hosting

If you are not happy with your data being stored on third-party servers (even though it is end-to-end encrypted), you can host Bitwarden's entire infrastructure stack on the platform of your choice (Linux, Windows, and macOS) using the Docker container platform.

Privacy

Logs and tracking

The only personal information required is a valid email address which is used to identify your account. You may choose to give Bitwarden additional “User Personal Information,” which it may keep indefinitely unless you request to delete your account.

We collect only the minimum amount of personal data necessary for our purposes, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing.

Of course, all vaults are secured using end-to-end encryption, so Bitwarden simply cannot access any information stored in them.

User Personal Information is never shared with third parties for commercial purposes, although “aggregated, non-personally identifying information” may be shared under certain non-commercial circumstances.

There is also some quite extensive website tracking, which includes the use of cookies, HTML5 localstorage, and Google Analytics.


Similarly, emails may contain a pixel that tells Bitwarden whether or not you have opened an email and what your IP address is. Analytics data is also collected through the software, although you can (at least partially) opt out of it.


As you can see, the logging and tracking situation is quite complex. It is therefore very much worth reading through Bitwarden’s privacy policy in detail for yourself.

Overall, we would say there is much less tracking than with a full-on commercial service such as LastPass, but much more than with true community-developed FOSS software such as KeePass (which basically has none).

Jurisdiction

Bitwarden operates under the “exclusive jurisdiction and venue of the courts located in the City and County of Jacksonville, Florida.” As a US company, it is subject to FISA and the Patriot Act, and as Edward Snowden demonstrated, can be assumed to be monitored by the NSA and/or other government agencies.

But… it uses strong end-to-end encryption, so even the NSA should not be able to access your data.

Security

By default, your data is stored on Microsoft Azure cloud servers managed by Microsoft. This should not be a threat to your privacy, however, as all data is encrypted and hashed before it leaves your computer. It can only be decrypted using the correct master passphrase, which only you should know.

In other words, Bitwarden uses end-to-end encryption (e2ee). This is great, but does mean there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t.

It does mean that it is vital to use a strong master passphrase, but one which you will not forget. Accounts can be secured further using 2FA.

As noted earlier, if being hosted on Microsoft servers bugs you, you can host Bitwarden on a personal server instead.

Technical security

Data is protected using an AES-256 cipher. PBKDF2 is used to derive the encryption key from your master password, which is then salted and hashed using HMAC SHA256. These are all respected, widely used cryptographic standards.

Data is transmitted to the cloud servers via regular TLS - which is fine. Even if your data was somehow intercepted in transit (via a MitM attack using fake SSL certificates) it could not be accessed because it is encrypted before leaving your device.

If accessing your Bitwarden vault via a browser (using either the browser add-ons or directly using the browser interface) you should be aware that all browser-based encryption is inherently insecure. How big is this danger? Well… it depends on your threat model, but it exists. The issue does not threaten users of the dedicated desktop clients or mobile apps, however, and so is easily avoided.

It is also worth noting that Bitwarden uses Microsoft SQL Server (MSSQL). This shouldn’t be a privacy problem as all data is securely e2e encrypted using AES-256. But Bitwarden’s reliance on Microsoft products does not sit well with its privacy ambitions.

Earlier this year, a flaw was found in the Chrome add-on’s cryptography, but this has been largely fixed as long as you “never, ever use the ‘never forget’ option of Bitwarden”. Bitwarden's developer, Kyle Spearrin, confirmed to us that “yes, if you do not want your encryption key persisted on disk, you should not use the ‘Never’ lock option.”

As discussed above, though, for maximum security you should probably avoid using the browser add-ons anyway.

This brings us to the issue that Bitwarden has a single developer: Kyle. This means that when vulnerabilities are found it can take a while for Kyle to fix them.

Arguably the biggest issue, however, is that Bitwarden’s open source code has not been audited. As with most open source software, the fact that anyone who is qualified to do so can audit it does provide a fair degree of confidence in its integrity. But no-one has.

In fairness to Bitwarden, it was planning to pay for a formal security audit, but as a small company simply could not afford the $30,000 or so that reputable auditing firms were asking for. There is talk among the Bitwarden community of crowdfunding an audit, so it may yet happen at some point.

Update 11/2018: Bitwarden has now been independently audited by security firm Cure53. No major issues were identified during this audit and all issues that had an immediate impact have been resolved in recent Bitwarden application updates. The report does make clear, however, that further work needs to be done - especially on the cryptographic scheme. Regardless of any outstanding issues discovered, which will no doubt be addressed in time, we agree with Bitwarden that the audit "reiterates our commitment to the security and integrity of the entire Bitwarden platform."

In addition to an extensive and useful Help Center/FAQ, you can email the Bitwarden team for support. I have read that thanks to having a single developer it can take a while to receive an answer, but I received a knowledgeable response from Kyle within half an hour of sending him some questions.

Alternatively, you can post a question on social media or the Bitwarden community forums where Kyle is an active participant.

The Process

You can download the desktop clients, mobile apps and browser add-ons for free from the Bitwarden website. You can sign-up for a new account either on the website or when you first run the software.


A valid email address is required, although I can see no reason why a disposable one would not work just fine. Don’t forget your master password (or better yet, passphrase), as Bitwarden cannot recover it for you.

The Bitwarden Desktop Clients

The clients are pretty much identical across all desktop platforms. I’ll just note that I found it much easier to install Bitwarden in Ubuntu from the Software Center, rather than the Linux .AppImage from the website.


The client’s interface is clean looking and intuitive to use. The four different “types” of entry (login, card, identity, and secure note) are formatted for easy entry of different kinds of information that you might want to keep secure.


Bitwarden can generate secure passwords. Being able to customize this process is very handy for websites that insist on specific requirements for passwords.


Other than being able to create folders and add items to them, that’s about it. But what more do most people want? Those who do want increased functionality might be interested in an organization account, which we will look at a little later in this review.

The Bitwarden Mobile Apps

The Android and iOS versions of the app are similar in layout and functionality.


The apps have the same look and feel as the desktop client, and also include all of its functionality.


You can do everything on the mobile app that you can on its desktop sibling. Note that on high-end phones Bitwarden also supports fingerprint unlocking.


On Android devices, the Bitwarden accessibility service allows you to autofill both app and web logins.


In iOS, “the Bitwarden app extension allows you to quickly log into any website through Safari or Chrome and is supported by hundreds of other popular apps.”

The Bitwarden Browser add-ons

Browser add-ons are available for Chrome, Firefox, Safari, Vivaldi, Opera, Brave, Microsoft Edge and Tor browser. For the ones we tested (Firefox and Chrome), the add-ons worked for the mobile as well as the desktop versions of the browsers.

Again, the add-ons use the same design language as their desktop and mobile app siblings and provide full access to all of Bitwarden’s features. This does mean that encryption and decryption of logins occur inside the browser, so please bear in mind our earlier comments about the insecurity of browser-based cryptography.


The browser add-ons make auto-filling logins very easy. Just right-click and follow the menus.


We have already mentioned that there is an issue you should be aware of with the Chrome add-on. It is also worth noting that Tor browser users should think twice before installing the add-on.

One of the best features of Tor browser is that one unmodified Tor browser looks just like every other unmodified Tor browser. This makes using it one of the best defenses against browser fingerprinting. Installing any add-on, though, makes Tor browser more unique and thus more vulnerable to fingerprint tracking.

Other platforms

In addition to support for all major platforms, plus support for almost every browser available, you can access your Bitwarden vault via a web interface. This is particularly useful when you want to access logins and suchlike from a device that is not yours. The usual warnings about browser-based cryptography apply.

Organization Accounts

Users can upgrade to organization accounts, which add some additional features. A simple organization is even free!


Key features on offer to those who upgrade include:

  • Securely share and manage logins, secret keys, and suchlike
  • Implement fine-grained access control policies and organize vaults with collections
  • Enforce multi-factor login policies for users by integrating with Duo Security
  • Secure file storage (expandable)
  • On-premise hosting with no dependency on external cloud services.

Conclusion

We liked:

  • Open source
  • Free (with very reasonably-priced bonus features)
  • Strong end-to-end encryption
  • Very easy to use
  • Looks great
  • Ability to self-host
  • Great cross-platform support
  • Now independently audited (although non-critical issues were discovered)

Not so sure about:

  • A moderate amount of tracking
  • Based in the US (not a major issue thanks to e2ee)
  • Open source code has not been audited
  • Only one dev

We hated:

  • Nothing

Bitwarden is a very slick and user-friendly password manager that saves passwords on a centralized server and has fantastic cross-platform support. As such, it makes a great drop-in replacement for the likes of LastPass.

Except that it’s basically free, is 100% open source, and thanks to end-to-end encryption, is much more secure and private. LastPass can and will hand over your passwords to the Feds. Bitwarden simply can’t.

And nor is your data vulnerable to hacking, which is not something that can be said for LastPass. This should make choosing Bitwarden something of a no-brainer for most mainstream users.

For tech-heads and open source fanatics, the situation is not so clear-cut. Bitwarden looks better and is easier to use than KeePass and its derivatives (such as the excellent KeePass XC). It also has more functionality “out-of-the-box” (for example browser integration), although KeePass users can access similar features via a wide selection of plugins.

Open source fans, however, are likely to be sniffy about the commercial aspects of Bitwarden. On a philosophical level, it is not the kind of community-developed FOSS project that KeePass is. On a more practical level, Bitwarden performs much less tracking than most commercial password manager platforms, but this is still a hell of a lot more than KeePass does.

Another issue is Bitwarden’s use of browser-based cryptography. Almost all commercial services use it because doing so provides a seamless and convenient user cross-platform experience for users. And in truth, for most people, the small theoretical risk it presents is easily outweighed by convenience.

But there is a risk. You can, of course, simply use the stand-alone clients, but losing auto-fill in your browser is a major pain.

KeePass manages to avoid this issue with browser plugins such as KeePassHttp, which acts as a bridge between KeePass and your browser. The actual cryptography is performed in the KeePass app, not the browser. But configuring KeePassHttp (instructions available in our KeePass Review) is not a task for casual internet users.

So let’s put it this way - this reviewer has no intention of ditching KeePass, but will recommend Bitwarden to his non-techy partner who has so far resisted all efforts to convince her to use a password manager…

Written by: Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

4 Comments

  1. uRwhatUr
    on November 13, 2018
    Reply

    Would you please update the review taking in account of the recent security audit. Thanks

    1. douglas replied to uRwhatUr
      on November 14, 2018
      Reply

      Hi uRwhatUr, Thanks for letting me know. I have added an update to the review.

  2. ARegularGuy
    on June 29, 2018
    Reply

    1. We must stop dealing with any US technology companies. They are no longer credible for hosting our data even if they are encrypted. I no longer believe in end-to-end encryption. All we can do is attempting to fly under the radar as often as possible and reduce our exposure to hacking teams around the world. Thousands of mathematicians work every day around the world for the sole purpose of uncovering zero-day vulnerabilities. Also, with the CLOUD Act in mind, sure enough we must absolutely avoid US companies or EU companies hosting in the US. 2. All US commercial companies still can't prevent themselves from tracking us. Thus, still the case with BitWarden. Their business model is flawed right from the beginning! The moment we read terms such as “tracking pixel”, “logged IP”, “analytics” and “HTML5 local storage” are enough for me to reject outright such a company. Of course, it is, as they say, for our own good, to improve our experience and, of course, like at Equifax, BitWarden takes very seriously our privacy! Bullshit!!! Not a single company takes seriously your privacy. 3. The fact we must take the precaution to opt-out (because it is “opt-in” by default). By the way, is BitWarden GDPR compliant? If not, I'd understand them. Asking us to “opt-in” would make us suspicious and hence, we would not “opt-in”! 4. “Open source” is now the pretty cute misused marketing locution to reassure the eco-conscious online shopper. The true questions are: has the code been audited? By who? Did BitWarden pay a group of experts to audit the code? If it hasn't been audited or if we do not see the result of that audit, then saying something is “open source” means nothing to me. 5. Poor consumers that have no choice but forced to trust companies such as BitWarden, because most of them would not be able to implement for themselves, for example, a low-cost cloud storage solution combining both Sia and Nextcloud.
    None of them would not even think about using rclone with a non US-cloud storage. I'm not saying it's better, I simply said it's far better than resorting to companies that can do nothing to resist against the feds feeling the need to inspect your cloud data. Thanks for the article.

    1. Douglas Crawford replied to ARegularGuy
      on July 2, 2018
      Reply

      Hi ARegularGuy, 1. Data encrypted by yourself using AES-256 should be secure no matter where it is hosted. As renowned cryptographer Bruce Schneier once said, "trust the math." If this is still not good enough for you, you can always self-host. 2. This is why I would prefer to use a genuine community-based product such as KeePass. But KeePass is not as easy to use as its commercial rivals, so I think BitWarden makes a good compromise. 3. Hmm. Good point. I'll ask and the response to this review. I agree data collection should be opt-out. 4. As I discuss in the review, Bitwarden could not afford to pay for an audit. There is talk among its fans of crowdsourcing an audit, though. I would still say, though, that the fact the code _can_ be audited improves the trustability of the product. 5. Bitwarden is a long way from perfect, and those serious about privacy should use something like KeePass or Password Safe (by Bruce Schneier). It is, however, a much better option for those who would otherwise choose a fully commercial password manager such as LastPass or 1Password...
