© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Bitwarden review: how good & safe is it?

35

If you're looking for a truly secure solution to store all your passwords, you could certainly do worse than Bitwarden. This open-source password manager keeps all your credentials in an encrypted vault, protected by a master password. It offers easy-to-use apps for desktop and mobile, including web and command-line interfaces. Not only that, you can use it cloud-hosted on their Microsoft Azure servers or stored within your network.

So, is Bitwarden a valid replacement for the best password managers out there?

In this Bitwarden review, I’ll go through its features to reveal the good and point out areas this tool could improve to come closer to the competition.

Rating:
4.1
Price:Free (paid options available)
Free version:Yes
Platforms:Windows, macOS, Linux, Android, iOS

Bitwarden features, pros & cons

Visit Bitwarden to learn more about these features

Vault Health Reports

Premium Bitwarden users' vaults have a variety of built-in monitoring tools. The tools range from generated reports to up-to-date information about the latest data breaches. The reports are always generated locally, so this is not a privacy threat.

Here are the types of reports that you could expect.

Password reusing report

If you use the same password/email combination on many accounts, you're digging yourself a hole. In cases of data breaches, such data can easily leak online. Hackers, using your trusty combination, could even get into the sites that have pretty solid security measures in place. So, it takes one site to become compromised to allow the hackers access to all your other accounts. This report will help you to identify cases of the same password reuse to avoid such cybersecurity catastrophes.

Password strength report

With the increasing processing power of computers, your weak passwords are a real security threat. Almost any modern device has enough force to brute force the weakest of them. Instances like "123456" and "password" are too common. They are among the most popular passwords. Pretty much all automated tools for password guessing will try to run the most popular passwords before generating all possible combinations. With Bitwarden's weak password reports, you'll be able to isolate all such examples in your vault.

Unsecure websites report

Although it's rare, there are still sites that are using HTTP instead of HTTPS. It's an older Hypertext Transfer Protocol used for transmitting data over a network. However, it's unencrypted, and if you're visiting such sites, this raises the risk that your connection might be intercepted or monitored by malicious individuals. Bitwarden's report will indicate whether you're using a safer protocol.

Breached databases report

The dark web is full of shady individuals selling and sharing accounts compromised during the data breaches. The goods news, these dealings are not above monitoring. This means that if one of the hacker forums would fill up with an offer to sell compromised accounts, you will be notified about the data breach before it gets on the news. You'll know as soon as the information gets out, that something isn't right. It allows you to take immediate action and change your password.

Bitwarden auto-fill

You can use Bitwarden to auto-fill your vault logins on the web or other apps. It will help to share your password across devices and will save you a lot of typing if you want to use unique and complex passwords.

If you're using browser extensions, the Bitwarden icon in the toolbar will display the count of login entries that match the site. It isn't limited to passwords. It can also include your ID, addresses, and other information that you could want to be filled in automatically.

Fingerprint phrases

Bitwarden uses accounts that are identified with uniquely generated five words string. This assists in securely identifying other users for sharing vault entries. When adding a new user, you can always verify them via their fingerprint phrase rather than some additional arbitrary information. It dramatically reduces the risk that your connections will be tampered and helps to reveal impersonators.

Password sharing

If you run a small organization, there could be thousands of accounts that you'd like to share among your teammates. Google sheets aren't the safest nor the most efficient way to do it. Bitwarden could allow you to share the credentials among users discreetly and using autofill form. It could significantly save your time.

Bitwarden security and privacy

Bitwarden is a perfectly secure password manager. The service uses an encrypted vault (that uses AES-256 encryption) to store all your passwords, protected by a single long master password. Bitwarden also uses zero-knowledge architecture. It means that your email and master password are generated into a string of random numbers and letters (hashed) on your device before being sent anywhere.

Bitwarden’s servers only receive already hashed versions of your email and password, which are hashed again when the data is transmitted and only then stored on their safe databases. The process is repeated every time you’re logging in.

The hash functions are one-way only, meaning no one at Bitwarden could reverse-engineer them into your actual master password. These data pieces would also be virtually useless to hackers should anyone breach Microsoft Azure servers.

Bitwarden’s source code is available online, which means it gets reviewed by lots of developers. The scrutiny helps Bitwarden patch security holes, making this one of the safest password managers. For example, their open-source nature helped Bitwarden remove unconstrained third-party JavaScripts that were a serious vulnerability.

Bitwarden encryption

Your other passwords stored in the vault are encrypted on the device with the military-grade AES-256 cipher. The encryption key is derived from your master password, which is held on Bitwarden's servers in a (heavily) hashed form. Encrypted data in the vault includes login, card, identity information, and more. Even folder names are encrypted.

Because the data is end-to-end encrypted, it is incomprehensible even to Bitwarden employees. In the unlikely event of a data breach, the information would also be useless to hackers because it would be impossible to reverse-engineer stored passwords from the cryptographic hashes.

When you're authenticating with the Bitwarden cloud (or your self-hosted server), a copy of the encrypted data is downloaded and stored on your device. The data is only decrypted when in use and stored in RAM only. Bitwarden never stores any plaintext data on their servers or even on your local devices.

Only certain bits of your information aren't encrypted. This includes your name (if you provided it), organization, billing email, and the like.

Have a look at our guide on how do password managers work to learn about other password encryption methods that are being employed by other password managers.

Bitwarden third-party security audits

In November 2018, Bitwarden passed a thorough third-party security audit and cryptographic analysis by Cure53. All findings were carefully considered and Bitwarden officially listed the actions they had taken or were planning to take to solve any identified security vulnerabilities. The assessment included not only Bitwarden applications but also their backend server systems.

Bitwarden also completed a security assessment and penetration test by the Insight Risk Consulting auditing firm. The audit identified no major security issues. There were some moderate issues, but they were also patched out in one of the Bitwarden server security updates.

Aside from established agencies, Bitwarden is constantly audited by willing developers, because their software is open-source and available for everyone to inspect on GitHub. As a matter of fact, the company has a public bug bounty profile on HackerOne.

Adding all these things together, I can say that Bitwarden is one of the most transparent cybersecurity companies out there. They have a great business privacy and security approach. An open-source password manager with a couple of known issues is certainly much better than a closed-source one with loads of problems, just waiting for some hacker to find them before everyone else does.

Data compliance

As stated in their Terms of Service page, Bitwarden Inc. is located in the United States of America - not a privacy friendly jurisdiction. The recent changes to the Patriot Act don't bode well either.

However, as we've established, even if Bitwarden handed over the data stored on their servers, no one could decrypt it. There's no meaningful data they hold on you. Plus, most password managers are located in the US, with only a few exception, such as Enpass or NordPass.

On their product page, Bitwarden also states that they meet GDPR, Privacy Shield, and CCPA regulations. This means that they assure you they're handling your data in compliance with these regulations.

Can Bitwarden be hacked?

Even if someone hacks Bitwarden, your data will still be secure and useless to the hacker. Because of the one-way salted hashing and other cryptographic measures, your data would remain safely encrypted even if a hacker seized their server.

Of course, it's always possible to initiate a social engineering attack or install a keylogger to your PC through malware - no system is completely safe from human error. However, should a hacker attempt to find out your master password, if you have 2FA enabled, he would also need your 2FA code.

In short, there are too many hoops the attacker would have to jump through to make a successful attack on Bitwarden. As long as your master password is unique and strong enough, you can be calm about your passwords ending up in the wrong hands. It would be much more useful to attack services with worse security credentials.

Plans and pricing

VersionFeaturesPrice
Free AccountFree forever$0/month
Premium FeaturesPremium password security and management featuresless than $1/month
Family SharingPremium features individually or as a group (up to 5 users)$1/month

Bitwarden Premium will cost you just $10 per year, and should you choose to opt-in for the Family Sharing package, it would only cost you $1/month for up to 5 users. Considering that other password managers like Dashlane will charge you $59.99 per year, this is a great deal.

Premium features include:

  • Added 2FA options - YubiKey, U2F, and Duo
  • Increased vault storage to 1 GB
  • Vault health reports
  • TOTP (time-based one-time password) authenticator and generator
  • Priority customer support

Premium edition isn't noticeably different from the free version. It installs the same native apps on Windows, macOS, iOS, Android, and Linux, unblocking the features that were locked out in the Free version.

A family plan will only be useful if you want to share entries with more than one person. I.e., you both need some passwords that you want to keep private from the other parties, and you also need a shared library with more than two shared folders.

Bitwarden password manager setup

Most users will be installing a native Bitwarden app that's available on Windows, macOS, iOS, Android, and Linux. There are also browser extensions for Chrome, Firefox, Edge, Opera, and some less popular picks. This means you get a wide selection of how you can access your stored credentials.

bitwarden dashboard

Aside from the easy-to-install applications, it's also possible to install Bitwarden on your server. Whether it makes sense from a security standpoint, it's for you to decide. Still, it's doable on Linux, macOS, and Windows machines via an array of Docker containers.

Password importing

What if you're already using some other password manager and want to switch it out for Bitwarden? Does it mean that you'll manually have to reenter all your passwords? Nope, there's no need for that. Bitwarden has an import function from plenty of other services.

import data window

Depending on which password manager you're using, your route might be different. Still, generally speaking, you'll have to export files from your current provider and upload it to Bitwarden, which will then encrypt and instantly add them to a vault.

For personal accounts:

Log into your web vault and navigate to Tools > Import Data. Detailed instructions for importing files from each source will be displayed after choosing the particular file format from the dropdown menu.

For organization accounts:

Managing organization accounts works the same way. You'll need to log into the vault and enter the organization admin area and then go to Tools > Import Data. More detailed information will also be shown after choosing a particular format.

Even when importing large volumes of data, the import procedure is relatively quick (just don't forget to delete all the unencrypted password exports). If recovered by hackers, these files can compromise all your accounts.

Platforms and extensions

You can't always expect when you'll need your password manager or what device you'll have with you at that moment. It's excellent that Bitwarden developers thought of this in advance and didn't lock any platform out.

Here's a full list of the platforms that support Bitwarden:

  • Web interface that's accessible from any browser
  • Browser extensions available for Chrome, Firefox, Edge, Brave, Opera, and more
  • Desktop apps for Windows, macOS, and Linux
  • Mobile apps for iOS and Android
  • Command-line interface (Windows, macOS, Linux)

Each option dramatically expands the usability options and adapts to the way you use password managers. Here's what they offer.

Bitwarden mobile apps

If you're on the go, nothing beats having all of your passwords on a mobile app. Chances are, even if you're away from your desktop, you'll still have your phone nearby. Apps are available on the Apple App Store and Google Play. They have and have slick mobile themes and you'll be able to customize the user interface the way you like it.

Web app

The web application is accessible through the Bitwarden website. It provides the most comprehensible management option for Bitwarden vault administration. You can manage your personal vault, organization vaults where you're added, and other account information settings. It's also possible to manage bulk operations via checkboxes.

Bitwarden screen showing adding image screen

From there, you're able to create Folders for your personal vault, and Collections within organization vaults. Folders are intended for the management of your own personal items, while Collections let you arrange and share items.

Bitwarden for desktop

The desktop application can be useful when web browsing isn't an option or it's just more convenient through the app. It's also perfect for storing particularly sensitive information like bank account numbers and credit cards.

bitwarden screen

Visually, the apps look identical on Windows, macOS, and Linux. Each of them has the same features and design, so if you're using the Windows version and decide to move to macOS, you'll scarcely notice a difference.

Browser extensions

A browser extension for password managers makes a lot of sense because most of our accounts are online. Bitwarden's add-ons for browsers have a lot more differences from one to the other. They cover even some of the least supported browsers. Your experience will be significantly dependent on your browser and the support it receives from the developer team.

For example, the Firefox add-on has a persistent sidebar, but Chrome does not. This might translate into different user interface decisions down the line. If you're switching browsers, do not expect that the add-ons you were using before will look or feel the same way.

Bitwarden Chrome extension

More importantly, this could translate to safety issues associated with your browser, rather than the safety of the add-on. For example, after the most recent Microsoft Edge update, its Bitwarden extension works with hiccups.

No matter which one you pick, all of the add-ons will allow you to do essentially the same things that are possible on apps – generate passwords and autofill credentials. The customization options will largely depend on the browser you pick.

Command-line interface

For the true DIY-spirited, Bitwarden offers a full-featured command-line interface (CLI) that you can access your vault through. Every feature that you can use on the web, apps, and extensions, you can also use through CLI. It's not chained to any particular platform - you can use it on Windows, macOS, and Linux distributions.

While it may not be handy for the more common users, administrators will love the possible integration between Bitwarden and other identity management systems. This means that if your IT personnel is tech-savvy enough, you could probably integrate Bitwarden's password manager vault within your organization's internal infrastructure. Plus, it allows you to tweak the UI, adding custom interfaces. If there's one thing that you'll remember, know that with CLI, the sky's the limit.

Customer support

How you find Bitwarden's customer support largely depends on your account type. If you're a free user, you might expect some frustration, but if you have a Premium plan, you can expect priority queues. Even then, Bitwarden doesn't shine.

The only option to contact support is via email. It's nice to see that the responses are from real human beings and not automated. You could contact support via Bitwarden's social media sites - they have a subreddit and a Twitter page. However, replying to user queries, they mostly direct users to the help page or ask to contact via email.

bitwarden forum screenshot

In many cases, Bitwarden's community forum is your best bet to get help in a timely fashion. There are plenty of users to share their workarounds and solutions, with developers sometimes joining in to give a tip. It's also a place to request features that you'd like to see implemented in Bitwarden. All in all, Bitwarden's customer support could be improved, but it's not a dealbreaker, either.

Alternatives to Bitwarden

If you're not intimidated by the proprietary software, there are some good options among these providers, too.

NordPass

Nordpass interface in smart devices
Cloud storage:3 GB (with NordLocker app)
Free version:Yes
Browser plugins:Chrome, Firefox, Safari, Opera, Brave, Vivaldi, and Edge
Current deal:Get NordPass, now 70% OFF!

NordPass is a very streamlined password manager. But its pretty UI isn't the only thing that might be appealing to you. It uses more modern XChaCha20 encryption, which is even harder to crack than AES-256. Plus, their apps were independently audited, which adds transparency even if the software is proprietary.

Still, you'll be able to automatically save and autofill passwords. Not only that, your vault is accessible from any device that you're using. So, even if you have iPhone but using a PC, you will have your credentials at hand at all times.

Read more: NordPass review

Dashlane

Dashlane interface in smart devices
Cloud storage:1–5 GB
Free version:Yes
Browser plugins:Chrome, Firefox, Safari, Internet Explorer, Edge
Current deal:Get Dashlane, now 20% OFF!

Dashlane is one of the safest proprietary password managers out there. They combine two-factor authentication, military-grade encryption, and zero-knowledge policy. Your privacy is a priority, and they have the means to guarantee it.

You can update outdated and unsafe passwords at once with a password changer. It will automatically replace them with safer alternatives. Then, there are functions like login capturing whenever you log in to some service. This password manager can seamlessly integrate into your everyday life and make it more secure.

Read more: Dashlane review

Bottom line

Bitwarden video review

There’s only a handful of trustworthy open-source password managers, making Bitwarden a truly unique service. It’s quite straightforward for personal use and great for organizations. It takes practically no time to set up and import passwords. There are ways to tweak the tool in line with the way you’re accustomed to using mobile apps and browser extensions.

The Premium plan is well worth it, considering it’s only $10 a year, so ~0.83 cents a month. This is almost four times cheaper than Dashlane’s annual premium offering. There are no strings attached, and you can try out this service for free and later decide if you need more features.

From our Bitwarden review, it’s clear that it does a lot of things right, and when it doesn’t, it has a crowd of independent developers not only asking for fixes but offering possible solutions. That’s a selling point that’s hard to beat.


Other password manager reviews from CyberNews

Dashlane review: password manager #1 in 2021

NordPass review: features, pricing and why we recommend it

Enpass review: safe and minimalistic password management solution

LastPass review: still among the most popular password managers


FAQ

Comments
delsin
delsin
prefix 2 months ago
What is “5 Eyes country”?
Justinas Mazūra
Justinas Mazūra
prefix 2 months ago
Luckily for you, we have an in-depth guide where we explain what it is and how this relates to your privacy.
Colin
Colin
prefix 5 months ago
Lost all access to vault – login attempt state login details incorrect, but both email and password are very much correct. Are my logins compromised!
Justinas Mazūra
Justinas Mazūra
prefix 5 months ago
It’s hard to say. You could try contacting customer support and find some solution with their help.
Stanislav
Stanislav
prefix 5 months ago
Hi,

How secure is the import process? Your article suggests that the logins and passwords exported from another program are uploaded to Bitwarden servers and ONLY THEN encrypted and stored to the vault. This looks to me as a major security issue, especially because the import can only be done through their website, i.e., there is no control over what it does with the data.
Justinas Mazūra
Justinas Mazūra
prefix 5 months ago
No, I mentioned that files are uploaded only in encrypted forms. This means that they first are encrypted locally, meaning, on your device and only then sent to their servers.
Ken
Ken
prefix 6 months ago
How secure are attached files in Bitwarden?
Justinas Mazūra
Justinas Mazūra
prefix 6 months ago
There is an ongoing debate whether Bitwarden is safe for file storage. Especially due to threads like this. I’d wait for an official response that the potential vulnerabilities are fixed before uploading sensitive data.
David
David
prefix 2 months ago
It appears from the Github page that this security issue has been fixed.
MK
MK
prefix 7 months ago
Looks to me like their pricing is now $40/yr for the family plan. Getting close to 1Password territory now.

As far as the Safari extension. I’m not sure what’s stopping from releasing it through the Mac App Store. That’s standard procedure for most Safari extensions. All it takes an Apple Developer account and the cost is not prohibitive.
Dennis
Dennis
prefix 7 months ago
I’m a new premium Bitwarden user as of 2/18/21 and am very disappointed to find Bitwarden has not once prompted for new or changed passwords on Firefox. If I forget to enter passwords manually through the Firefox extension’s cumbersome process, they are gone forever. For me, this is a major shortcoming. Lastpass, which I was considering ditching, has no such problems.
no bitwarden on safari
no bitwarden on safari
prefix 9 months ago
BW has not supported Safari extensions for over a year. The dev abandoned safari saying it accounted for less than 2 percent of his users and was basically not important enough to learn how to code for apples new requirements. Very sad.

This should be more upfront in this review as it is a deal breaker for many people.
Justinas Mazūra
Justinas Mazūra
prefix 9 months ago
Hi, thanks for the heads up! I’ve updated the article.
Alex C
Alex C
prefix 8 months ago
That is not true – Bitwarden was and still supported on Safari. It is supported on both Intel and M1 (Apple) devices, Catalina and Big Sur. Posting this message in Safari from Mac mini (M1, 2020) with Bitwarden active in here.
Justinas Mazūra
Justinas Mazūra
prefix 8 months ago
It may work now, but it’s temporary. Here’s a quote from their page:
“Safari now limits Safari App Extension use to only those obtained through Mac App Store downloads. As of Q1 2021, users will not be able to use a Bitwarden Safari App Extension obtained through a .dmg installation from bitwarden.com/download or any other non-App Store source.”
So, eventually, you will have to use their app instead of an extension.
larrymcj
larrymcj
prefix 10 months ago
So according to your review, the biggest problem with Bitwarden is it’s not “pretty”. I’ve used it for a long time and would agree with that. But is this enough to give it only 4.1 stars? Perhaps you could explain the rationale behind the decreased rating? Many thanks.
Justinas Mazūra
Justinas Mazūra
prefix 6 months ago
Due to the service being open-source, there are numerous issues that we know of. One of the key ones being attachments and secure code delivery. So, it all adds up when ranking the password managers.
Alp
Alp
prefix 10 months ago
Great review. I have been using pass managers quite a while. It started with CIL tools on linux keep going on macos. I am a cross platform user with different OSs. Works great, support all most t all my devices. Overall no need to deal with encrypt decrypt text files to store and arrange passwords.
Pastique19
Pastique19
prefix 10 months ago
We’ve been using Bitwarden at our organization for quite a while now and we are very satisfied with the product. Times have changed though and we are in a need of a rebranding. It’s not a huge deal but I wanted to know can organization names be changed on bitwarden?
Justinas Mazūra
Justinas Mazūra
prefix 10 months ago
Hi, yes organization names can be changed.
Dianna Walters
Dianna Walters
prefix 10 months ago
I got the free version of bitwarden a few weeks ago and so far it seems pretty good. But I’d like to know how can i add a favorite to bitwarden because I noticed that I use some passwords way more often than others and it would be convenient to organize them somehow.
Caio Fonseca
Caio Fonseca
prefix 10 months ago
You can create folders inside your vault, so basically create a folder with frequently used passwords and that’ll work.
Jonathan
Jonathan
prefix 10 months ago
Why doesn’t Bitwarden use the more secure Argon2 KDF instead of the crappy PBKDF2? Dashlane seems to be the only password manager using Argon2.
GallantGentleman
GallantGentleman
prefix 10 months ago
Hello. How to use bitwarden without singing in everytime? It is getting very annoying. I always use bitwarden on the same device. It’s still me, please stop asking. I already have a password on my computer so it’s pretty secure already.
Justinas Mazūra
Justinas Mazūra
prefix 10 months ago
Hi, you may try adjusting a time until the vault locks or switch out the master password to a fingerprint reader. This should help to speed up things a little.
Douresse
Douresse
prefix 10 months ago
good and detailed review as always. but i still dont quite understand what are the requimenets to host bitwarden.
Justinas Mazūra
Justinas Mazūra
prefix 10 months ago
Hi, thank you for your question!
you can deploy Bitwarden on Windows, macOS, and Linux machines. You’ll need Docker and Docker Compose (it might come with your default Docker installation, so double-check that you have it). You can get the installation id and key from here.
Then, there’s also the recommended minimum system requirements for the server:
Processor: 2 GHz dual-core
Memory: 4 GB RAM
Storage: 25 GB
Docker: Engine 19+ and Compose 1.24+
Ashton Hicks
Ashton Hicks
prefix 11 months ago
I like free and quality products as much as the next guy but is bitwarden cloud safe? Because i’ve heard that free cloud products aren’t always fully secure or private for example dropbox and google drive. Because of that I dont post any sensitve information on those services. now i have similar concerns about bitwarden. should i just opt for something paid if i want some guarantees?
Justinas Mazūra
Justinas Mazūra
prefix 10 months ago
Hi Ashton, in this case, your password vault is uploaded to the cloud in an encrypted format. There’s no risk about the cloud servers being unsafe because the used encryption measures are uncrackable without your master password.
Dumpayer
Dumpayer
prefix 11 months ago
do y’all know will bitwarden always be free? It’s a good product but i sure as hell don’t want to get scammed into thinking it’s going to be free forever and then suddenly get locked out of my passwords. Maybe there’s something in the terms of service? but i don’t understand the weird jargon people use when writing those
Jon
Jon
prefix 10 months ago
Bitwarden is open source meaning that the source code is available – someone will always be able to compile and run the software. https://github.com/bitwarden

You can also self-host although that takes a little work to setup.
Kirk H.
Kirk H.
prefix 11 months ago
i’ve been using lastpass for a while and lately i had the thought that perhaps it’s not worth the price for what I’m getting. anyway do you know if i can export from lastpass to bitwarden? it’s a lot of work to transfer everything manually and I’m looking for a convenient way out of this mess, any advice is welcome.
Dave
Dave
prefix 11 months ago
Yes you can export and import. Its very easy.
Bradlega
Bradlega
prefix 11 months ago
Hey guys, great review! Though of course I’m biased because I love Bitwarden. And it’s not like it is completely flawless, I’ve had issues with Bitwarden not showing autofill on android, maybe you know what could be causing that? Other than that it’s great, free and open-source. I’ll stick with their service for a long time for sure.
Justinas Mazūra
Justinas Mazūra
prefix 10 months ago
Hi, this is a known issue. There are a few fixes for it, but you’ll have to check it on their customer support website because the solution will depend on the Android version that you have.
Leave a Reply

Your email address will not be published. Required fields are marked