Passwords are hard work. We can’t use simple passwords, because they’ll be easy to guess or brute force. We can’t reuse passwords, because when a random Internet forum’s database is compromised, we don’t want anyone to use that data to steal our Slashdot, Reddit, or bank account. What should we do?
I’ll be surprised if you’re not already using a password manager. You’re probably using something like 1Password or LastPass to store your passwords. Maybe you’re an old man like me, and you’re still using KeePass. It almost doesn’t matter what you use. You need to be using something, right?
- One Month with Bitwarden at patshead.com
My life up until today
I’ve been using KeePass for a long, long time. I couldn’t even take an educated guess about when I started using it. The only change I made was to upgrade to KeePass2 at some point. Even that was a long time ago!
KeePass is an encrypted password database. Your password database is stored locally, and KeePass has a crufty but usable interface that lets you keep track of usernames, passwords, and URLs. There are plugins to integrate KeePass2 with various web browsers, and it has the ability to automatically type your username and password into various dialog boxes.
Syncing your database between your devices is a problem you have to solve on your own. I store my KeePass database file in an encrypted Seafile library. That keeps the database in sync on my desktop, laptop, and tablet. The Android Seafile client doesn’t actually sync files, so I use SyncThing to keep the database on my phone up to date.
The storage devices on my desktop, laptop, tablet, and phone are all encrypted. The KeePass database is encrypted. My Seafile library is encrypted. There’s encryption all over the place, and for the most part, the database doesn’t leave my control. I don’t own my Seafile server, though.
- Outsourcing My Self-Hosted Cloud Storage at patshead.com
What’s the problem?
All this stuff works fine. All these layers of encryption are nice. KeePass’s integration with Chrome and Firefox works just fine. Getting sync going was easy, but required a bit of effort syncing to Android. Once I had it set up, it worked just fine. Why not keep using KeePass?
To tell you the truth, I probably would have kept using KeePass for years. Last week, I saw Bitwarden mentioned in a comment thread somewhere. I didn’t think much of it. I just assumed it was another attempt at a KeePass replacement.
Then I saw it mentioned again a few days ago, and I realized that Bitwarden is attempting to be a replacement for LastPass or 1Password. That piqued my interest. An open source LastPass equivalent that I could host myself sounds awesome!
1Password and LastPass have one particular feature that KeePass will never be able to have. They allow you to share passwords with your friends and family. This wasn’t a deal breaker for me, but I imagine it will come in handy. With Bitwarden, our Netflix and Hulu passwords won’t get out of sync between my KeePass database and my wife’s!
I’m using Bitwarden, but I’m not hosting my own server
A few nights ago, I did a bit of research on Bitwarden. I’ll tell you some of the details of my findings soon, but I didn’t find anything that scared me away. I signed up for an account, upgraded to a premium account for $10 per year, and I imported my KeePass2 database.
The process was painless, and I haven’t had any problems signing into anything yet. I’ll keep you updated over the next few months.
You can host your own Bitwarden service, and it looks easy enough to set up. If you already have a server out there somewhere, they offer a Docker image that you should be able to have up and running in no time.
When I had a server colocated downtown, I would most definitely have set this up. I’ve been trying to offload most of that work to other companies, though, and this is definitely inexpensive enough to outsource.
The free Bitwarden account would meet my needs, but the premium account was inexpensive enough.
Password hygiene and vault health reports
These services are available with a premium Bitwarden account, but what on Earth does that mean?! Bitwarden will correlate information in your password vault with leaked password databases. Have your email addresses been compromised in a password leak? Are you using passwords that are commonly found in those leaked databases? Are you still using weak passwords anywhere?
Bitwarden can give you this information. I have a lot of old cruft in my KeePass database. Ancient websites that I will probably never log into again. Websites that are long gone. Old garbage. Bitwarden’s health service threw up a lot of red flags on that old junk!
KeePass is better in many important ways
Bitwarden will always be a little scary. Just like 1Password and LastPass, the Bitwarden browser extension has full access to your password vault. Once you enter your passphrase, all of that important information sits in memory in decrypted form. Not only that, but that decrypted data lives inside your Chrome or Firefox browser process.
You’re relying on Firefox or Chrome to keep malicious web pages or extensions out of your password vault. You could be one compromise away from your password database being gobbled up.
KeePass is always a separate process. The browser extensions for KeePass don’t store your data. They communicate with a KeePass process to request a particular username and password. When the request is made, the KeePass desktop app will ask you for confirmation.
If you’re logging into Reddit, you might check the button to remember this decision. Next time you log in, KeePass will hand that password over to the browser without prompting. Maybe you would want to be more careful with your bank password, so you might require confirmation each time.
I know I’m oversimplifying things when I say this, but I’m trying to keep this post under 2,000 words. Bitwarden, 1Password, and LastPass may have your bank password in memory in the browser process whenever the vault is unlocked.
KeePass may have the password in memory, but it is further protected from the browser by your operating system’s kernel’s memory protections. That’s a much bigger wall to break down or climb over, and just having an additional wall is nice.
Does this really matter?
It depends who you ask. Security and ease of use are almost always at odds. It would be simplest to just use ‘password’ everywhere for your password, but that wouldn’t be safe. It would be extremely safe if you could memorize a different 128-character password for every single service that you use, and type it in manually each time, but that’s never going to happen.
I’ve thought about this problem for years. I’ve done my research. I’ve decided that the level of protection and convenience provided by Bitwarden, LastPass, or 1Password is the right compromise for me.
Yes. I most definitely gave up some amount of security for the sake of convenience when I switched from KeePass to Bitwarden. I’m pleased with this compromise.
Bitwarden’s pricing structure is weird
I was confused when I looked at their pricing charts. I quickly zeroed in on the $1/month family plan listed under organization accounts. It says it includes 5 users, and that’s only $2 more per year than the premium plan. Seems like a no-brainer, right?
That’s not how it works. Organization accounts are something completely different. Each user has to have either a free or a premium account. The organization accounts are where the shared password vaults live.
I have a premium account. My wife has a free account. I believe you could say we’re using a separate organizational account for the passwords we share with our family. It is just the two of us, so our organizational account is free as well. We will likely be setting up an organizational account for Butter, What?! to make it easier to share important passwords with Brian.
Is Bitwarden safe?
I suppose it depends on what you’re trying to protect yourself from and your definition of safe, but I believe it is more than safe enough for my use. I did some research. I tried to find as much terrifying information about Bitwarden as I could. The scariest stuff isn’t that scary.
I found this short security review of Bitwarden. He found that the password to log into the service and the password used to encrypt your database are the same. He has a heading that says your password is sent to the server, but it appears that some sort of salted hash is actually sent to the server.
That’s not too terrible. It would be nice if two different passwords could be used, but I understand the design choice. A single password is much more convenient for the user!
He also noted that Bitwarden loads quite a bit of JavaScript from third-party sources. It seems that this has been addressed to some extent by the Bitwarden developer in recent months.
Bitwarden was audited by a third-party security company last year. There were definitely some problems. The major ones seem to have been addressed quite quickly.
- Results of Bitwarden security audit at Reddit
- A short security review of Bitwarden at electricmonk.nl
Conclusion
I’ve only been using Bitwarden for a few days. I’ve been holding off on migrating from KeePass to something like LastPass, because I prefer to use open-source software. I especially prefer to use open source software for my most important infrastructure. My virtualization, my web servers, my file sync server, and all my computers run on open-source software.
Bitwarden has been a welcome surprise, and I look forward to giving you an update in a few months. I expect that there won’t be much to tell you about. If it is working fine today, I expect it to continue to do so in three months!
What do you think? Are you a KeePass holdout like me, or have you already moved on to something like LastPass or 1Password? Did you already discover Bitwarden long before I heard of it? Tell me about your experiences in the comments, or stop by the Butter, What?! Discord server to chat with us about it!
Bitwarden Pricing
Bitwarden is free and open-source software, but unlike community-developed alternatives such as KeePass, it is a commercial venture.
The core product is free, and Bitwarden says it will stay that way, but you can support the developer by paying a very reasonable $10 per year subscription fee for a premium personal account. Premium users get some cool (non-core) additional features, as outlined below.
In addition to a premium personal plan, Bitwarden offers family plans and a couple of enterprise plans aimed at businesses.
In this review, we will focus on personal plans.
What features does Bitwarden offer?
The following features are available to free users:
- End-to-end encryption (e2ee) of passwords
- 100% open source
- Cross-platform apps for all major platforms
- Browser add-ons for all major browsers
- Web browser access from anywhere
- Command-line tools (CLI) to write and execute scripts on your Bitwarden vault
- Can self-host
- Two-factor authentication (2FA)
Paying $10 a year adds:
- 1GB encrypted file storage
- Additional 2FA options
- Priority customer support
Importantly, there is no account recovery feature: the vault is end-to-end encrypted, so a forgotten master password means the data in it is gone.
How easy is Bitwarden to use?
To start using Bitwarden, just download the app for your platform and sign up in-app. You are asked for a master password, but its strength is not checked, so you’ll need to think of a strong one yourself. You can also set a hint to help you remember it.
And that’s it! Just don’t forget your master password!
The desktop clients
The Bitwarden desktop clients are basically identical in Windows, macOS, and Linux. Most versions of Linux are supported thanks to the app being packaged in the AppImage format. It is also available through the Ubuntu Software Center and, of course, you can compile the open-source code yourself.
We find the interface to be smart looking and very easy to use. Four “Types” of data entry are supported: login, card, identity, and secure note.
Each entry Type is formatted in a way suitable to entering data of that kind, which the app can use to auto-fill passwords, web forms, and card details through the browser add-ons.
An interesting new feature is a button in the password field which checks whether the password you have entered appears in known breaches. It queries the Have I Been Pwned “Pwned Passwords” corpus using a k-anonymity range lookup: only the first five characters of the password’s SHA-1 hash are sent, the matching hash suffixes come back, and the comparison is made on your device, so neither the password nor your username ever leaves it.
A more secure option than thinking up your own all-too-fallible passwords is to let the Bitwarden app generate secure passwords for you. These passwords can be tailored to conform with any specific requirements a website insists on.
You can also create folders and add items to them. What more do you want? If you need group password management and sharing features then these are provided by Bitwarden’s organization accounts.
Autofill functionality on the desktop is provided by browser add-ons for Firefox and Chrome.
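The vault health reports from the blog post above and the exposed-password button described here both boil down to the same checks. The following is an added example (not Bitwarden’s code) that runs them over a constructed vault: the entries, the breach counts and the stand-in range-query server are all made up for the example, but the lookup has the shape of the Pwned Passwords k-anonymity API, so you can see exactly what does and does not leave the device.

```python
"""Vault-health checks over a constructed vault: exposed, reused and weak passwords.

Added example, not Bitwarden's code. The vault entries, breach counts and the
fake range-query server are all constructed for the example; the lookup shape
mirrors the Have I Been Pwned "Pwned Passwords" k-anonymity API.
"""
import hashlib
import string
from collections import Counter

# Constructed vault entries (not real credentials).
VAULT = [
    {"name": "reddit.com",       "username": "pat",    "password": "password"},
    {"name": "oldforum.example", "username": "pat",    "password": "password"},
    {"name": "bank.example",     "username": "pat",    "password": "T7#kq9!vLm2p$Rzw"},
    {"name": "hulu.com",         "username": "family", "password": "Sunshine2019"},
]

# Constructed stand-in for the breach corpus: password -> times seen in breaches.
# The counts are made up; a real corpus holds hundreds of millions of hashes.
_LEAKED = {"password": 3861493, "123456": 37359195, "Sunshine2019": 2}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_query(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The server receives only the first five hex characters of the hash and
    answers with every "SUFFIX:COUNT" it knows under that prefix. It never
    sees the password, the full hash, or the username.
    """
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hash prefix")
    lines = []
    for pw, count in _LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Constructed decoy so every response carries at least one non-matching
    # suffix, as real responses do; the client must filter locally.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)


def exposed_count(password: str, range_query=fake_range_query) -> int:
    """Return how often the password appears in the corpus (0 if never).

    Only the prefix leaves the device; the suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def is_weak(password: str) -> bool:
    """Crude strength rule: under 12 characters or fewer than three character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    used = sum(1 for cls in classes if any(ch in cls for ch in password))
    return len(password) < 12 or used < 3


def vault_health(vault=VAULT, range_query=fake_range_query) -> dict:
    """Build the three lists a health report shows: exposed, reused and weak entries."""
    uses = Counter(entry["password"] for entry in vault)
    report = {"exposed": [], "reused": [], "weak": []}
    for entry in vault:
        pw = entry["password"]
        count = exposed_count(pw, range_query)
        if count:
            report["exposed"].append((entry["name"], count))
        if uses[pw] > 1:
            report["reused"].append(entry["name"])
        if is_weak(pw):
            report["weak"].append(entry["name"])
    return report


if __name__ == "__main__":
    for category, items in vault_health().items():
        print(f"{category}: {items}")
```

To run it against the real API, replace `fake_range_query` with a function that performs the HTTPS GET for the prefix and returns the response body; nothing else changes, which is the point of the k-anonymity design.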
The Mobile Apps
The mobile Android and iOS apps are very similar, and share the same attractive and intuitive design philosophy as their desktop siblings.
Both apps do everything their desktop siblings can including generate secure random passwords. They also both support fingerprint unlocking on devices which have fingerprint sensors.
The Android app uses the Autofill Framework on Android 8+ devices and the accessibility service on older Android versions to auto-fill forms in any browser window or app. In addition to this, the browser add-ons work with the mobile versions of Firefox and Chrome.
In iOS 12+ the Bitwarden app integrates with Apple’s AuthenticationServices framework (Password AutoFill) to provide instant autofill in most browsers and apps.
Web Vault
In addition to using the apps, you can access your passwords via the “Web Vault” from any browser. This is handy, but the cryptography then runs in JavaScript that the server delivers on every page load, so a compromised server could push malicious code straight into your browser window. Browser-based e2ee will therefore never be quite as secure as performing the cryptography in a stand-alone client that you install once.
Interestingly, the only way to import data is via the Web Vault, which accepts files exported from a huge range of password managers.
Command-line interface CLI
In addition to graphical user interfaces (GUIs) for all major platforms, Bitwarden provides a powerful CLI client for Windows, macOS, and Linux.
It doesn’t really do anything the GUI clients don’t, but it is very lightweight and geeks will love it!
Browser add-ons
Browser add-ons are available for Chrome, Firefox, Vivaldi, Opera, Brave, and Microsoft Edge. A Firefox link is provided for the Tor Browser, but we do not recommend this: installing any add-on in Tor Browser makes it stand out from other Tor Browser users and so more susceptible to browser fingerprinting.
The add-ons look like the Bitwarden apps and provide the same core functionality.
They also make auto-filling logins, forms, and suchlike a breeze.
Bitwarden customer support
An extensive help section provides detailed documentation on most aspects of Bitwarden. If you have any additional questions you can email them in.
Bitwarden is basically a one-man show, so all responses we received were from its developer Kyle Spearrin himself. Responses typically arrived on the same day. Alternatively, the Bitwarden website hosts an active forum in which Kyle is an enthusiastic participant.
Privacy and security
Bitwarden is a US company and is therefore subject to FISA, the Patriot Act, and very likely surveillance by the NSA. That shouldn’t matter, because…
Bitwarden uses open-source, independently audited end-to-end encryption (e2ee), which is about as strong a guarantee of security and privacy as a hosted service can offer. The only way to decrypt your data is with the correct master password, which cannot be recovered if you forget it. So don’t.
Because e2ee is used, it shouldn’t matter that Bitwarden hosts accounts on Microsoft Azure cloud servers. If this really bugs you, you can self-host on a home or rented server of your choice using the official open-source Docker images.
Audit
In November 2018 a crowdfunded independent security audit by Cure53 found no major issues with the software. Some non-critical issues were discovered, the most important of which were patched immediately. We can only presume that developer Kyle has been working hard this last year to fix any additional issues raised by the audit.
Technical security
Vault data at rest is encrypted with AES-256 in CBC mode, and each ciphertext carries an HMAC-SHA256 tag so that tampered data is rejected before it is decrypted. The key is derived on your device from your master password with PBKDF2-SHA256, salted with your email address; a further PBKDF2 round over that key (salted with the master password) produces the hash that is sent to the server for authentication, so the encryption key itself never leaves your device. These are standard, well-studied primitives rather than anything home-grown.
Data in transit is protected by regular TLS - which is fine. Even if your data was somehow intercepted in transit (via a MitM attack using fake SSL certificates) it could not be accessed because it is encrypted with AES-256 before leaving your device.
In 2018 a flaw was found in the Chrome add-on’s cryptography. This was largely fixed immediately, although you should never use the ‘never forget’ option of Bitwarden if you do not want your encryption key to exist on disk.
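The electricmonk review quoted in the blog post above worried that one master password both logs you in and encrypts the vault, and this section lists the primitives involved. The following added example (modelled on Bitwarden’s documented design, but not Bitwarden’s code) shows how those fit together and why the server never learns the key: the master key is derived from the password and email, a one-way hash of that key is what gets sent at login, and the vault ciphertext is checked with HMAC before anything is decrypted. The iteration counts, HKDF info labels and `FakeServer` are illustrative, and because the standard library has no AES, a constructed byte string stands in for the AES-256-CBC ciphertext.

```python
"""Master-password key hierarchy and encrypt-then-MAC check.

Added example modelled on Bitwarden's documented design (PBKDF2-SHA256 master
key salted with the email address, a one-round PBKDF2 hash of that key sent to
the server, AES-256-CBC ciphertext authenticated with HMAC-SHA256). Not
Bitwarden's code: iteration counts, HKDF info labels and FakeServer are
illustrative, and the AES step is omitted (no AES in the standard library), so
a constructed byte string stands in for the ciphertext.
"""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000   # illustrative; the real client default has changed over time
SERVER_ITERATIONS = 100_000   # illustrative server-side re-hashing of the received login hash


def master_key(password: str, email: str) -> bytes:
    """Derive the 256-bit master key on the device; the salt is the normalised email address."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, CLIENT_ITERATIONS, 32)


def master_password_hash(mkey: bytes, password: str) -> bytes:
    """One more PBKDF2 round over the key, salted with the password: the login credential.

    It is one-way, so the server cannot recover the master key from it, and the
    master key (which protects the vault) never leaves the device.
    """
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode("utf-8"), 1, 32)


def stretch(mkey: bytes) -> tuple:
    """HKDF-Expand (RFC 5869, one block each) into separate encryption and MAC keys.

    The info labels "enc" and "mac" are illustrative. Separate keys let the MAC
    key authenticate ciphertext without also being the decryption key.
    """
    enc_key = hmac.new(mkey, b"enc" + b"\x01", "sha256").digest()
    mac_key = hmac.new(mkey, b"mac" + b"\x01", "sha256").digest()
    return enc_key, mac_key


class FakeServer:
    """Constructed server: stores a further-hashed copy of the login hash, compares in constant time."""

    def __init__(self):
        self.records = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS, 32)
        self.records[email.strip().lower()] = (salt, stored)

    def login(self, email: str, login_hash: bytes) -> bool:
        record = self.records.get(email.strip().lower())
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS, 32)
        return hmac.compare_digest(stored, candidate)


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Tag = HMAC-SHA256(mac_key, iv || ciphertext); `ciphertext` would come from AES-256-CBC under enc_key."""
    return hmac.new(mac_key, iv + ciphertext, "sha256").digest()


def verify(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Check the tag before any decryption is attempted; a single flipped byte must fail."""
    return hmac.compare_digest(seal(mac_key, iv, ciphertext), tag)


if __name__ == "__main__":
    email, password = "pat@example.com", "correct horse battery staple"   # constructed
    mkey = master_key(password, email)
    login_hash = master_password_hash(mkey, password)
    server = FakeServer()
    server.register(email, login_hash)
    print("login ok:", server.login(email, login_hash))
    enc_key, mac_key = stretch(mkey)
    iv, ciphertext = b"\x00" * 16, b"constructed-ciphertext-bytes...."   # stand-ins, see docstring
    tag = seal(mac_key, iv, ciphertext)
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    print("intact verifies:", verify(mac_key, iv, ciphertext, tag))
    print("tampered verifies:", verify(mac_key, iv, tampered, tag))
```

The thing to notice is that `FakeServer` only ever sees `login_hash`, and even that is re-hashed before storage, so a dump of the server’s database yields neither the master password nor the key that decrypts the vault.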
Two-factor authentication (2FA)
Free users can secure their Bitwarden Vaults using a Time-based One-Time Password (TOTP) or email verification for two-factor authentication. Premium users can also use 2FA methods such as Duo, YubiKeys, and other FIDO U2F-compatible USB or NFC devices.
Check out our 'what is 2FA' page if you are new to this.
Final thoughts
Bitwarden is a free and open-source password manager that can go head-to-head with any of its closed-source subscription-based rivals. It is powerful, looks good, is intuitive to use, and syncs seamlessly across all your devices.
In our view, Bitwarden’s only real rival is the similarly open-source KeePass and its various forks. Bitwarden looks prettier than KeePass and is easier to set up and use, but thanks to the huge number of add-ons available for KeePass, it is nowhere near as powerful or flexible.
KeePass is also true community-developed software rather than a one-man for-profit product (albeit one which is open-source). Bottom line: Bitwarden is the ideal password manager for the less technically minded.