Bitwarden Review

Bitwarden is an open-source password manager that stores all your credentials in an encrypted vault, protected by a master password. It offers easy to use apps for desktop and mobile, including web and command-line interfaces. You can use it cloud-hosted on their Microsoft Azure servers or stored within your network.

In my Bitwarden review, I’ll go through each feature that they offer to test whether this open-source tool is a valid replacement for other competing password management solutions.

Bitwarden review – main pros & cons

+ Pros

• Very secure password manager
• Superb free version
• Highly customizable
• Can be self-hosted
• User-friendly
• Cheap premium subscription

− Cons

• User interface isn’t an eye candy
• Data is stored in 5 Eyes country

Bitwarden features overview

Vault Health Reports

Premium Bitwarden users’ vaults have a variety of built-in monitoring tools. The tools range from generated reports to up-to-date information about the latest data breaches. The reports are always generated locally, so this is not a privacy threat.

Here are the types of reports that you could expect.

Password reusing report

If you use the same password/email combination on many accounts, you’re digging yourself a hole. In cases of data breaches, such data can easily leak online. Hackers, using your trusty combination, could even get into the sites that have pretty solid security measures in place. So, it takes one site to become compromised to allow the hackers access to all your other accounts. This report will help you to identify cases of the same password reuse to avoid such cybersecurity catastrophes.

Password strength report

With the increasing processing power of computers, your weak passwords are a real security threat. Almost any modern device has enough force to brute force the weakest of them. Instances like “123456” and “password” are too common. They are among the most popular passwords. Pretty much all automated tools for password guessing will try to run the most popular passwords before generating all possible combinations. With Bitwarden’s weak password reports, you’ll be able to isolate all such examples in your vault.

Unsecure websites report

Although it’s rare, there are still sites that are using HTTP instead of HTTPS. It’s an older Hypertext Transfer Protocol used for transmitting data over a network. However, it’s unencrypted, and if you’re visiting such sites, this raises the risk that your connection might be intercepted or monitored by malicious individuals. Bitwarden’s report will indicate whether you’re using a safer protocol.

Breached databases report

The dark web is full of shady individuals selling and sharing accounts compromised during the data breaches. The goods news, these dealings are not above monitoring. This means that if one of the hacker forums would fill up with an offer to sell compromised accounts, you will be notified about the data breach before it gets on the news. You’ll know as soon as the information gets out, that something isn’t right. It allows you to take immediate action and change your password.

Auto-fill logins

You can use Bitwarden to auto-fill your vault logins on the web or other apps. It will help to share your password across devices and will save you a lot of typing if you want to use unique and complex passwords.

If you’re using browser extensions, the Bitwarden icon in the toolbar will display the count of login entries that match the site. It isn’t limited to passwords. It can also include your ID, addresses, and other information that you could want to be filled in automatically.

Fingerprint phrases

Bitwarden uses accounts that are identified with uniquely generated five words string. This assists in securely identifying other users for sharing vault entries. When adding a new user, you can always verify them via their fingerprint phrase rather than some additional arbitrary information. It dramatically reduces the risk that your connections will be tampered and helps to reveal impersonators.

Password sharing

If you run a small organization, there could be thousands of accounts that you’d like to share among your teammates. Google sheets aren’t the safest nor the most efficient way to do it. Bitwarden could allow you to share the credentials among users discreetly and using autofill form. It could significantly save your time.

Bitwarden security and privacy

Bitwarden is an example of how a secure password manager should be made. Bitwarden’s source code is available online, which means it gets reviewed by lots of developers. The scrutiny helps Bitwarden patch security holes, making this one of the safest password managers. For example, their open-source nature helped Bitwarden remove unconstrained third-party JavaScripts that were a serious vulnerability.

The service uses an encrypted vault to store all your passwords, protected by a single long master password. Like all reliable password managers, Bitwarden uses zero-knowledge architecture. It means that your email and master password are generated into a string of random numbers and letters (hashed) on your device before being sent anywhere. Bitwarden’s servers only receive already hashed versions of your email and password, which are hashed again when the data is transmitted and only then stored on their databases. The process is repeated every time you’re logging in.

The hash functions are one-way only, meaning no one at Bitwarden could reverse-engineer them into your actual master password. These data pieces would also be useless to hackers should anyone breach Microsoft Azure servers.

Bitwarden encryption

Your other passwords stored in the vault are encrypted on the device with the military-grade AES-256 cipher. The ecnryption key is derived from your master password, which is held on Bitwarden’s servers in a (heavily) hashed form. Encrypted data in the vault includes login, card, identity information, and more. Even folder names are encrypted.

Because the data is end-to-end encrypted, it is incomprehensible even to Bitwarden employees. In the unlikely event of a data breach, the information would also be useless to hackers because it would be impossible to reverse-engineer stored passwords from the cryptographic hashes.

When you’re authenticating with the Bitwarden cloud (or your self-hosted server), a copy of the encrypted data is downloaded and stored on your device. The data is only decrypted when in use and stored in RAM only. Bitwarden never stores any plaintext data on their servers or even on your local devices.

Only certain bits of your information aren’t encrypted. This includes your name (if you provided it), organization, billing email, and the like.

Have a look at our guide on how do password managers work to learn about other password encryption methods that are being employed by other password managers.

Bitwarden third-party security audits

In November 2018, Bitwarden passed a thorough third-party security audit and cryptographic analysis by Cure53. All findings were carefully considered and Bitwarden officially listed the actions they had taken or were planning to take to solve any identified security vulnerabilities. The assessment included not only Bitwarden applications but also their backend server systems.

Bitwarden also completed a security assessment and penetration test by the Insight Risk Consulting auditing firm. The audit identified no major security issues. There were some moderate issues, but they were also patched out in one of the Bitwarden server security updates.

Aside from established agencies, Bitwarden is constantly audited by willing developers, because their software is open-source and available for everyone to inspect on GitHub. As a matter of fact, the company has a public bug bounty profile on HackerOne.

Adding all these things together, I can say that Bitwarden is one of the most transparent cybersecurity companies out there. They have a great business privacy and security approach. An open-source password manager with a couple of known issues is certainly much better than a closed-source one with loads of problems, just waiting for some hacker to find them before everyone else does.

Data compliance

As stated in their Terms of Service page, Bitwarden Inc. is located in the United States of America – not a privacy friendly jurisdiction. The recent changes to the Patriot Act don’t bode well either.

However, as we’ve established, even if Bitwarden handed over the data stored on their servers, no one could decrypt it. There’s no meaningful data they hold on you. Plus, most password managers are located in the US, with only a few exception, such as Enpass or NordPass.

On their product page, Bitwarden also states that they meet GDPR, Privacy Shield, and CCPA regulations. This means that they assure you they’re handling your data in compliance with these regulations.

Can Bitwarden be hacked?

Even if someone hacks Bitwarden, your data will still be secure and useless to the hacker. Because of the one-way salted hashing and other cryptographic measures, your data would remain safely encrypted even if a hacker seized their server.

Of course, it’s always possible to initiate a social engineering attack or install a keylogger to your PC through malware – no system is completely safe from human error. However, should a hacker attempt to find out your master password, if you have 2FA enabled, he would also need your 2FA code.

In short, there are too many hoops the attacker would have to jump through to make a successful attack on Bitwarden. As long as your master password is unique and strong enough, you can be calm about your passwords ending up in the wrong hands. It would be much more useful to attack services with worse security credentials.

Bitwarden Premium will cost you just $10 per year, and should you choose to opt-in for the Family Sharing package, it would only cost you $1/month for up to 5 users. Considering that other password managers like Dashlane will charge you $59.99 per year, this is a great deal.

Premium features include:

• Added 2FA options – YubiKey, U2F, and Duo
• Increased vault storage to 1 GB
• Vault health reports
• TOTP (time-based one-time password) authenticator and generator
• Priority customer support

Premium edition isn’t noticeably different from the free version. It installs the same native apps on Windows, macOS, iOS, Android, and Linux, unblocking the features that were locked out in the Free version.

A family plan will only be useful if you want to share entries with more than one person. I.e., you both need some passwords that you want to keep private from the other parties, and you also need a shared library with more than two shared folders.

Bitwarden password manager setup

Most users will be installing a native Bitwarden app that’s available on Windows, macOS, iOS, Android, and Linux. There are also browser extensions for Chrome, Firefox, Edge (currently broken), Opera, Safari, and some less popular picks. This means you get a wide selection of how you can access your stored credentials.

Aside from the easy-to-install applications, it’s also possible to install Bitwarden on your server. Whether it makes sense from a security standpoint, it’s for you to decide. Still, it’s doable on Linux, macOS, and Windows machines via an array of Docker containers.

Password importing

What if you’re already using some other password manager and want to switch it out for Bitwarden? Does it mean that you’ll manually have to reenter all your passwords? Nope, there’s no need for that. Bitwarden has an import function from plenty of other services.

Depending on which password manager you’re using, your route might be different. Still, generally speaking, you’ll have to export files from your current provider and upload it to Bitwarden, which will then encrypt and instantly add them to a vault.

For personal accounts:

Log into your web vault and navigate to Tools > Import Data. Detailed instructions for importing files from each source will be displayed after choosing the particular file format from the dropdown menu.

For organization accounts:

Managing organization accounts works the same way. You’ll need to log into the vault and enter the organization admin area and then go to Tools > Import Data. More detailed information will also be shown after choosing a particular format.

Even when importing large volumes of data, the import procedure is relatively quick (just don’t forget to delete all the unencrypted password exports). If recovered by hackers, these files can compromise all your accounts.

Platforms and extensions

You can’t always expect when you’ll need your password manager or what device you’ll have with yourself at that moment. It’s excellent that Bitwarden developers thought of this in advance and didn’t lock any platform out.

Here’s a full list of the platforms that support Bitwarden:

• Web interface that’s accessible from any browser
• Browser extensions available for Chrome, Safari, Firefox, Edge, Brave, Opera, and more
• Desktop apps for Windows, macOS, and Linux
• Mobile apps for iOS and Android
• Command-line interface

Each option dramatically expands the usability options and adapts to the way you use password managers. Here’s what they offer.

Bitwarden mobile apps

If you’re on the go, nothing beats having all of your passwords on a mobile app. Chances are, even if you’re away from your desktop, you’ll still have your phone nearby. Apps are available on the Apple App Store and Google Play. They have and have slick mobile themes and you’ll be able to customize the user interface the way you like it.

Web app

The web application is accessible through the Bitwarden website. It provides the most comprehensible management option for Bitwarden vault administration. You can manage your personal vault, organization vaults where you’re added, and other account information settings. It’s also possible to manage bulk operations via checkboxes.

From there, you’re able to create Folders for your personal vault, and Collections within organization vaults. Folders are intended for the management of your own personal items, while Collections let you arrange and share items.

Bitwarden for desktop

The desktop application can be useful when web browsing isn’t an option or it’s just more convenient through the app. It’s also perfect for storing particularly sensitive information like bank account numbers and credit cards.

Visually, the apps look identical on Windows, macOS, and Linux. Each of them has the same features and design, so if you’re using the Windows version and decide to move to macOS, you’ll scarcely notice a difference.

Browser extensions

A browser extension for password managers makes a lot of sense because most of our accounts are online. Bitwarden’s add-ons for browsers have a lot more differences from one to the other. They cover even some of the least supported browsers. Your experience will be significantly dependt on your browser and the support it receives from the developer team.

For example, the Firefox add-on has a persistent sidebar, but Chrome does not. This might translate into different user interface decisions down the line. If you’re switching browsers, do not expect that the add-ons you were using before will look or feel the same way.

More importantly, this could translate to safety issues associated with your browser, rather than the safety of the add-on. For example, after the most recent Microsoft Edge update, its Bitwarden extension works with hiccups.

No matter which one you pick, all of the add-ons will allow you to do essentially the same things that are possible on apps – generate passwords and autofill credentials. The customization options will largely depend on the browser you pick.

Command-line interface

For the true DIY-spirited, Bitwarden offers a full-featured command-line interface (CLI) that you can access your vault through. Every feature that you can use on the web, apps, and extensions, you can also use through CLI. It’s not chained to any particular platform – you can use it on Windows, macOS, and Linux distributions.

While it may not be handy for the more common users, administrators will love the possible integration between Bitwarden and other identity management systems. This means that if your IT personnel is tech-savvy enough, you could probably integrate Bitwarden’s password manager vault within your organization’s internal infrastructure. Plus, it allows you to tweak the UI, adding custom interfaces. If there’s one thing that you’ll remember, know that with CLI, the sky’s the limit.

Customer support

How you find Bitwarden’s customer support largely depends on your account type. If you’re a free user, you might expect some frustration, but if you have a Premium plan, you can expect priority queues. Even then, Bitwarden doesn’t shine.

The only option to contact support is via email. It’s nice to see that the responses are from real human beings and not automated. You could contact support via Bitwarden’s social media sites – they have a subreddit and a Twitter page. However, replying to user queries, they mostly direct users to the help page or ask to contact via email.

In many cases, Bitwarden’s community forum is your best bet to get help in a timely fashion. There are plenty of users to share their workarounds and solutions, with developers sometimes joining in to give a tip. It’s also a place to request features that you’d like to see implemented in Bitwarden. All in all, Bitwarden’s customer support could be improved, but it’s not a dealbreaker, either.

Alternatives to Bitwarden

If you’re interested in the other open-source password managers, you could look into KeePass, KeeWeb, and Keychain. Keep in mind that each of them has its quirks.

KeePass. This service was primarily developed for Windows, which is still the platform that receives the most attention from developers. Linux and macOS support is only introduced through the use of Mono. If you want to use mobile apps, there are only unofficial community-made ports for Windows Phone, iOS, and Android. It stores the password only on the device as opposed to Bitwarden’s cloud-based approach.

KeeWeb. Available via apps for Windows, macOS, Linux, iOS, Android, and via the web. KeeWeb is written in JavaScript and fills the passwords directly without uploading to their servers.

Keychain. Initially introduced in Mac OS 8.6 and released under Apple Public Source License and accessible through the Keychain Access app. Naturally, it’s available only for macOS and iOS devices. iCloud sync is possible, sharing stored passwords between your devices.

Other popular options include 1Password, Dashlane, Enpass, and LastPass. However, these are proprietary, which often means that they also ramp up the price a bit to cover development costs. For more good alternatives, check out our best password managers article.

Bottom line

There’s only a handful of trustworthy open-source password managers, making Bitwarden a truly unique service. It’s quite straightforward for personal use and even for organizations. It takes practically no time to set up and import passwords. There are ways to tweak the tool in line with the way you’re accustomed to using mobile apps and browser extensions.

Essentially, you’ll get the same functions no matter which way you decide to access your Bitwarden vault. Plus, you get all the basics you may need for your everyday browsing experience for free. The Premium plan is well worth it, considering it’s only $10 a year, so ~0.83 cents a month. This is almost four times cheaper than Dashlane’s annual premium offering. There are no strings attached, and you can try out this service for free and later decide if you need more features.

From our Bitwarden Review it’s clear that it does a lot of things right, and when it doesn’t, it has a crowd of independent developers not only asking for fixes but offering possible solutions. That’s a selling point that’s hard to beat.

To learn more about this great password manager or give it a shot, visit the Bitwarden website.

FAQ