Bitwarden review: how good & safe is it?
If you're looking for a truly secure solution to store all your passwords, you could certainly do worse than Bitwarden. This open-source password manager keeps all your credentials in an encrypted vault, protected by a master password. It offers easy-to-use apps for desktop and mobile, including web and command-line interfaces. Not only that, you can use it cloud-hosted on their Microsoft Azure servers or stored within your network.
So, is Bitwarden a valid replacement for the best password managers out there?
In this Bitwarden review, I’ll go through its features to reveal the good and point out areas this tool could improve to come closer to the competition.
|Price:||Free (paid options available)|
|Platforms:||Windows, macOS, Linux, Android, iOS|
Bitwarden features, pros & cons
- Very secure password manager
- Superb free version
- Highly customizable
- Can be self-hosted
- Cheap premium subscription
- User interface isn't an eye candy
- Data is stored in 5 Eyes country
Vault Health Reports
Premium Bitwarden users' vaults have a variety of built-in monitoring tools. The tools range from generated reports to up-to-date information about the latest data breaches. The reports are always generated locally, so this is not a privacy threat.
Here are the types of reports that you could expect.
Password reusing report
If you use the same password/email combination on many accounts, you're digging yourself a hole. In cases of data breaches, such data can easily leak online. Hackers, using your trusty combination, could even get into the sites that have pretty solid security measures in place. So, it takes one site to become compromised to allow the hackers access to all your other accounts. This report will help you to identify cases of the same password reuse to avoid such cybersecurity catastrophes.
Password strength report
With the increasing processing power of computers, your weak passwords are a real security threat. Almost any modern device has enough force to brute force the weakest of them. Instances like "123456" and "password" are too common. They are among the most popular passwords. Pretty much all automated tools for password guessing will try to run the most popular passwords before generating all possible combinations. With Bitwarden's weak password reports, you'll be able to isolate all such examples in your vault.
Unsecure websites report
Although it's rare, there are still sites that are using HTTP instead of HTTPS. It's an older Hypertext Transfer Protocol used for transmitting data over a network. However, it's unencrypted, and if you're visiting such sites, this raises the risk that your connection might be intercepted or monitored by malicious individuals. Bitwarden's report will indicate whether you're using a safer protocol.
Breached databases report
The dark web is full of shady individuals selling and sharing accounts compromised during the data breaches. The goods news, these dealings are not above monitoring. This means that if one of the hacker forums would fill up with an offer to sell compromised accounts, you will be notified about the data breach before it gets on the news. You'll know as soon as the information gets out, that something isn't right. It allows you to take immediate action and change your password.
You can use Bitwarden to auto-fill your vault logins on the web or other apps. It will help to share your password across devices and will save you a lot of typing if you want to use unique and complex passwords.
If you're using browser extensions, the Bitwarden icon in the toolbar will display the count of login entries that match the site. It isn't limited to passwords. It can also include your ID, addresses, and other information that you could want to be filled in automatically.
Bitwarden uses accounts that are identified with uniquely generated five words string. This assists in securely identifying other users for sharing vault entries. When adding a new user, you can always verify them via their fingerprint phrase rather than some additional arbitrary information. It dramatically reduces the risk that your connections will be tampered and helps to reveal impersonators.
If you run a small organization, there could be thousands of accounts that you'd like to share among your teammates. Google sheets aren't the safest nor the most efficient way to do it. Bitwarden could allow you to share the credentials among users discreetly and using autofill form. It could significantly save your time.
Bitwarden security and privacy
Bitwarden is a perfectly secure password manager. The service uses an encrypted vault (that uses AES-256 encryption) to store all your passwords, protected by a single long master password. Bitwarden also uses zero-knowledge architecture. It means that your email and master password are generated into a string of random numbers and letters (hashed) on your device before being sent anywhere.
Bitwarden’s servers only receive already hashed versions of your email and password, which are hashed again when the data is transmitted and only then stored on their safe databases. The process is repeated every time you’re logging in.
The hash functions are one-way only, meaning no one at Bitwarden could reverse-engineer them into your actual master password. These data pieces would also be virtually useless to hackers should anyone breach Microsoft Azure servers.
Your other passwords stored in the vault are encrypted on the device with the military-grade AES-256 cipher. The encryption key is derived from your master password, which is held on Bitwarden's servers in a (heavily) hashed form. Encrypted data in the vault includes login, card, identity information, and more. Even folder names are encrypted.
Because the data is end-to-end encrypted, it is incomprehensible even to Bitwarden employees. In the unlikely event of a data breach, the information would also be useless to hackers because it would be impossible to reverse-engineer stored passwords from the cryptographic hashes.
When you're authenticating with the Bitwarden cloud (or your self-hosted server), a copy of the encrypted data is downloaded and stored on your device. The data is only decrypted when in use and stored in RAM only. Bitwarden never stores any plaintext data on their servers or even on your local devices.
Only certain bits of your information aren't encrypted. This includes your name (if you provided it), organization, billing email, and the like.
Have a look at our guide on how do password managers work to learn about other password encryption methods that are being employed by other password managers.
Bitwarden third-party security audits
In November 2018, Bitwarden passed a thorough third-party security audit and cryptographic analysis by Cure53. All findings were carefully considered and Bitwarden officially listed the actions they had taken or were planning to take to solve any identified security vulnerabilities. The assessment included not only Bitwarden applications but also their backend server systems.
Bitwarden also completed a security assessment and penetration test by the Insight Risk Consulting auditing firm. The audit identified no major security issues. There were some moderate issues, but they were also patched out in one of the Bitwarden server security updates.
Aside from established agencies, Bitwarden is constantly audited by willing developers, because their software is open-source and available for everyone to inspect on GitHub. As a matter of fact, the company has a public bug bounty profile on HackerOne.
Adding all these things together, I can say that Bitwarden is one of the most transparent cybersecurity companies out there. They have a great business privacy and security approach. An open-source password manager with a couple of known issues is certainly much better than a closed-source one with loads of problems, just waiting for some hacker to find them before everyone else does.
As stated in their Terms of Service page, Bitwarden Inc. is located in the United States of America - not a privacy friendly jurisdiction. The recent changes to the Patriot Act don't bode well either.
However, as we've established, even if Bitwarden handed over the data stored on their servers, no one could decrypt it. There's no meaningful data they hold on you. Plus, most password managers are located in the US, with only a few exception, such as Enpass or NordPass.
On their product page, Bitwarden also states that they meet GDPR, Privacy Shield, and CCPA regulations. This means that they assure you they're handling your data in compliance with these regulations.
Can Bitwarden be hacked?
Even if someone hacks Bitwarden, your data will still be secure and useless to the hacker. Because of the one-way salted hashing and other cryptographic measures, your data would remain safely encrypted even if a hacker seized their server.
Of course, it's always possible to initiate a social engineering attack or install a keylogger to your PC through malware - no system is completely safe from human error. However, should a hacker attempt to find out your master password, if you have 2FA enabled, he would also need your 2FA code.
In short, there are too many hoops the attacker would have to jump through to make a successful attack on Bitwarden. As long as your master password is unique and strong enough, you can be calm about your passwords ending up in the wrong hands. It would be much more useful to attack services with worse security credentials.
Plans and pricing
|Free Account||Free forever||$0/month|
|Premium Features||Premium password security and management features||less than $1/month|
|Family Sharing||Premium features individually or as a group (up to 5 users)||$1/month|
Bitwarden Premium will cost you just $10 per year, and should you choose to opt-in for the Family Sharing package, it would only cost you $1/month for up to 5 users. Considering that other password managers like Dashlane will charge you $59.99 per year, this is a great deal.
Premium features include:
- Added 2FA options - YubiKey, U2F, and Duo
- Increased vault storage to 1 GB
- Vault health reports
- TOTP (time-based one-time password) authenticator and generator
- Priority customer support
Premium edition isn't noticeably different from the free version. It installs the same native apps on Windows, macOS, iOS, Android, and Linux, unblocking the features that were locked out in the Free version.
A family plan will only be useful if you want to share entries with more than one person. I.e., you both need some passwords that you want to keep private from the other parties, and you also need a shared library with more than two shared folders.
Bitwarden password manager setup
Most users will be installing a native Bitwarden app that's available on Windows, macOS, iOS, Android, and Linux. There are also browser extensions for Chrome, Firefox, Edge, Opera, and some less popular picks. This means you get a wide selection of how you can access your stored credentials.
Aside from the easy-to-install applications, it's also possible to install Bitwarden on your server. Whether it makes sense from a security standpoint, it's for you to decide. Still, it's doable on Linux, macOS, and Windows machines via an array of Docker containers.
What if you're already using some other password manager and want to switch it out for Bitwarden? Does it mean that you'll manually have to reenter all your passwords? Nope, there's no need for that. Bitwarden has an import function from plenty of other services.
Depending on which password manager you're using, your route might be different. Still, generally speaking, you'll have to export files from your current provider and upload it to Bitwarden, which will then encrypt and instantly add them to a vault.
For personal accounts:
Log into your web vault and navigate to Tools > Import Data. Detailed instructions for importing files from each source will be displayed after choosing the particular file format from the dropdown menu.
For organization accounts:
Managing organization accounts works the same way. You'll need to log into the vault and enter the organization admin area and then go to Tools > Import Data. More detailed information will also be shown after choosing a particular format.
Even when importing large volumes of data, the import procedure is relatively quick (just don't forget to delete all the unencrypted password exports). If recovered by hackers, these files can compromise all your accounts.
Platforms and extensions
You can't always expect when you'll need your password manager or what device you'll have with you at that moment. It's excellent that Bitwarden developers thought of this in advance and didn't lock any platform out.
Here's a full list of the platforms that support Bitwarden:
- Web interface that's accessible from any browser
- Browser extensions available for Chrome, Firefox, Edge, Brave, Opera, and more
- Desktop apps for Windows, macOS, and Linux
- Mobile apps for iOS and Android
- Command-line interface (Windows, macOS, Linux)
Each option dramatically expands the usability options and adapts to the way you use password managers. Here's what they offer.
Bitwarden mobile apps
If you're on the go, nothing beats having all of your passwords on a mobile app. Chances are, even if you're away from your desktop, you'll still have your phone nearby. Apps are available on the Apple App Store and Google Play. They have and have slick mobile themes and you'll be able to customize the user interface the way you like it.
The web application is accessible through the Bitwarden website. It provides the most comprehensible management option for Bitwarden vault administration. You can manage your personal vault, organization vaults where you're added, and other account information settings. It's also possible to manage bulk operations via checkboxes.
From there, you're able to create Folders for your personal vault, and Collections within organization vaults. Folders are intended for the management of your own personal items, while Collections let you arrange and share items.
Bitwarden for desktop
The desktop application can be useful when web browsing isn't an option or it's just more convenient through the app. It's also perfect for storing particularly sensitive information like bank account numbers and credit cards.
Visually, the apps look identical on Windows, macOS, and Linux. Each of them has the same features and design, so if you're using the Windows version and decide to move to macOS, you'll scarcely notice a difference.
A browser extension for password managers makes a lot of sense because most of our accounts are online. Bitwarden's add-ons for browsers have a lot more differences from one to the other. They cover even some of the least supported browsers. Your experience will be significantly dependent on your browser and the support it receives from the developer team.
For example, the Firefox add-on has a persistent sidebar, but Chrome does not. This might translate into different user interface decisions down the line. If you're switching browsers, do not expect that the add-ons you were using before will look or feel the same way.
More importantly, this could translate to safety issues associated with your browser, rather than the safety of the add-on. For example, after the most recent Microsoft Edge update, its Bitwarden extension works with hiccups.
No matter which one you pick, all of the add-ons will allow you to do essentially the same things that are possible on apps – generate passwords and autofill credentials. The customization options will largely depend on the browser you pick.
For the true DIY-spirited, Bitwarden offers a full-featured command-line interface (CLI) that you can access your vault through. Every feature that you can use on the web, apps, and extensions, you can also use through CLI. It's not chained to any particular platform - you can use it on Windows, macOS, and Linux distributions.
While it may not be handy for the more common users, administrators will love the possible integration between Bitwarden and other identity management systems. This means that if your IT personnel is tech-savvy enough, you could probably integrate Bitwarden's password manager vault within your organization's internal infrastructure. Plus, it allows you to tweak the UI, adding custom interfaces. If there's one thing that you'll remember, know that with CLI, the sky's the limit.
How you find Bitwarden's customer support largely depends on your account type. If you're a free user, you might expect some frustration, but if you have a Premium plan, you can expect priority queues. Even then, Bitwarden doesn't shine.
The only option to contact support is via email. It's nice to see that the responses are from real human beings and not automated. You could contact support via Bitwarden's social media sites - they have a subreddit and a Twitter page. However, replying to user queries, they mostly direct users to the help page or ask to contact via email.
In many cases, Bitwarden's community forum is your best bet to get help in a timely fashion. There are plenty of users to share their workarounds and solutions, with developers sometimes joining in to give a tip. It's also a place to request features that you'd like to see implemented in Bitwarden. All in all, Bitwarden's customer support could be improved, but it's not a dealbreaker, either.
Alternatives to Bitwarden
If you're not intimidated by the proprietary software, there are some good options among these providers, too.
|Cloud storage:||3 GB (with NordLocker app)|
|Browser plugins:||Chrome, Firefox, Safari, Opera, Brave, Vivaldi, and Edge|
|Current deal:||Get NordPass, now 70% OFF!|
NordPass is a very streamlined password manager. But its pretty UI isn't the only thing that might be appealing to you. It uses more modern XChaCha20 encryption, which is even harder to crack than AES-256. Plus, their apps were independently audited, which adds transparency even if the software is proprietary.
Still, you'll be able to automatically save and autofill passwords. Not only that, your vault is accessible from any device that you're using. So, even if you have iPhone but using a PC, you will have your credentials at hand at all times.
Read more: NordPass review
|Cloud storage:||1–5 GB|
|Browser plugins:||Chrome, Firefox, Safari, Internet Explorer, Edge|
|Current deal:||Get Dashlane, now 20% OFF!|
Dashlane is one of the safest proprietary password managers out there. They combine two-factor authentication, military-grade encryption, and zero-knowledge policy. Your privacy is a priority, and they have the means to guarantee it.
You can update outdated and unsafe passwords at once with a password changer. It will automatically replace them with safer alternatives. Then, there are functions like login capturing whenever you log in to some service. This password manager can seamlessly integrate into your everyday life and make it more secure.
Read more: Dashlane review
There’s only a handful of trustworthy open-source password managers, making Bitwarden a truly unique service. It’s quite straightforward for personal use and great for organizations. It takes practically no time to set up and import passwords. There are ways to tweak the tool in line with the way you’re accustomed to using mobile apps and browser extensions.
The Premium plan is well worth it, considering it’s only $10 a year, so ~0.83 cents a month. This is almost four times cheaper than Dashlane’s annual premium offering. There are no strings attached, and you can try out this service for free and later decide if you need more features.
From our Bitwarden review, it’s clear that it does a lot of things right, and when it doesn’t, it has a crowd of independent developers not only asking for fixes but offering possible solutions. That’s a selling point that’s hard to beat.
Other password manager reviews from CyberNews
Dashlane review: password manager #1 in 2021
NordPass review: features, pricing and why we recommend it
Enpass review: safe and minimalistic password management solution
LastPass review: still among the most popular password managers
Is Bitwarden safe?
Bitwarden is one of the safest password managers around. Its source code is freely available online to anyone, and such public scrutiny helps Bitwarden to quickly fix any security issues. Moreover, Bitwarden is frequently audited by third-party digital security auditors as well as independent researchers.
Finally, this password manager encrypts your data end-to-end using the AES 256-bit cipher. It means that a brute-force attack (trying all possible combinations) would take so long that only the grandchildren of the hacker have a remote chance of cracking your master password. Your Master password is even safer, as it is hashed using PBKDF2 SHA256.
Is Bitwarden better than LastPass?
Comparing LastPass and Bitwarden is hard because the former is entirely cloud-based. In any case, LastPass is definitely a good password manager – it has a huge set of features, even if you use a free version. After all, there's a reason why this product is found in most lists of the best premium and free password managers.
What platforms does Bitwarden support?
Bitwarden is available on Windows, macOS, and Linux. It also offers mobile apps for Android and iOS users. When it comes to browser extensions, you can install Bitwarden add-ons for Chrome, Firefox, Edge, Opera, Vivaldi, Brave, and Tor Browser.
What information does Bitwarden encrypt?
All information stored in your vault, including credit cards, secure notes, IDs, folders, and attached files, is protected by end-to-end encryption. The only information about you that's not encrypted is your billing email, name, and organization.
How to use Bitwarden?
Using Bitwarden password manager is easy. It has apps for all popular desktop and mobile platforms, including Linux, as well as Chrome, Firefox, and Opera. You can even access your vault straight from the Bitwarden's website.
After installation, you can import your existing data from other password managers or browsers. Alternatively, you can start adding logins, credit cards, IDs, and secure notes from scratch. And the best part – Bitwarden has a great free version, meaning you don't have to spend a dime to protect your information.
Can Bitwarden see my passwords?
Just like any zero-knowledge password manager, Bitwarden can't see your passwords or anything else that's in your vault. It receives already hashed account name and password without the means to reverse-engineer them. What's more, all of your data is encrypted using military-grade cipher and brute-forcing it would take a lifetime of a Greenland shark, or even more. Finally, Bitwarden is used to third-party audits that check for security vulnerabilities and embraces open-source technology model that leaves no secrets behind the doors.