Bitwarden is an open-source password manager that stores all your credentials in an encrypted vault, protected by a master password. It offers easy to use apps for desktop and mobile, including web and command-line interfaces. You can use it cloud-hosted on their Microsoft Azure servers or stored within your network.
In my Bitwarden review, I’ll go through each feature that they offer to test whether this open-source tool is a valid replacement for other competing password management solutions.
| Rating: | 4.1 |
| Price: | from $0.83/month |
| Free version: | Yes |
| Platforms: | Windows, macOS, Linux, Android, iOS |
Bitwarden features overview
Bitwarden review – main pros & cons
Pros
- Very secure password manager
- Superb free version
- Highly customizable
- Can be self-hosted
- User-friendly
- Cheap premium subscription
Cons
- User interface isn’t an eye candy
- Data is stored in 5 Eyes country
Visit Bitwarden to learn more about these features
Vault Health Reports
Premium Bitwarden users’ vaults have a variety of built-in monitoring tools. The tools range from generated reports to up-to-date information about the latest data breaches. The reports are always generated locally, so this is not a privacy threat.
Here are the types of reports that you could expect.
Password reusing report
If you use the same password/email combination on many accounts, you’re digging yourself a hole. In cases of data breaches, such data can easily leak online. Hackers, using your trusty combination, could even get into the sites that have pretty solid security measures in place. So, it takes one site to become compromised to allow the hackers access to all your other accounts. This report will help you to identify cases of the same password reuse to avoid such cybersecurity catastrophes.
Password strength report
With the increasing processing power of computers, your weak passwords are a real security threat. Almost any modern device has enough force to brute force the weakest of them. Instances like “123456” and “password” are too common. They are among the most popular passwords. Pretty much all automated tools for password guessing will try to run the most popular passwords before generating all possible combinations. With Bitwarden’s weak password reports, you’ll be able to isolate all such examples in your vault.
Unsecure websites report
Although it’s rare, there are still sites that are using HTTP instead of HTTPS. It’s an older Hypertext Transfer Protocol used for transmitting data over a network. However, it’s unencrypted, and if you’re visiting such sites, this raises the risk that your connection might be intercepted or monitored by malicious individuals. Bitwarden’s report will indicate whether you’re using a safer protocol.
Breached databases report
The dark web is full of shady individuals selling and sharing accounts compromised during the data breaches. The goods news, these dealings are not above monitoring. This means that if one of the hacker forums would fill up with an offer to sell compromised accounts, you will be notified about the data breach before it gets on the news. You’ll know as soon as the information gets out, that something isn’t right. It allows you to take immediate action and change your password.
Bitwarden auto-fill
You can use Bitwarden to auto-fill your vault logins on the web or other apps. It will help to share your password across devices and will save you a lot of typing if you want to use unique and complex passwords.
If you’re using browser extensions, the Bitwarden icon in the toolbar will display the count of login entries that match the site. It isn’t limited to passwords. It can also include your ID, addresses, and other information that you could want to be filled in automatically.
Fingerprint phrases
Bitwarden uses accounts that are identified with uniquely generated five words string. This assists in securely identifying other users for sharing vault entries. When adding a new user, you can always verify them via their fingerprint phrase rather than some additional arbitrary information. It dramatically reduces the risk that your connections will be tampered and helps to reveal impersonators.
Password sharing
If you run a small organization, there could be thousands of accounts that you’d like to share among your teammates. Google sheets aren’t the safest nor the most efficient way to do it. Bitwarden could allow you to share the credentials among users discreetly and using autofill form. It could significantly save your time.
Bitwarden security and privacy
Bitwarden is a perfectly secure password manager. The service uses an encrypted vault to store all your passwords, protected by a single long master password. Bitwarden also uses zero-knowledge architecture. It means that your email and master password are generated into a string of random numbers and letters (hashed) on your device before being sent anywhere. Bitwarden’s servers only receive already hashed versions of your email and password, which are hashed again when the data is transmitted and only then stored on their databases. The process is repeated every time you’re logging in.
The hash functions are one-way only, meaning no one at Bitwarden could reverse-engineer them into your actual master password. These data pieces would also be useless to hackers should anyone breach Microsoft Azure servers.
Bitwarden’s source code is available online, which means it gets reviewed by lots of developers. The scrutiny helps Bitwarden patch security holes, making this one of the safest password managers. For example, their open-source nature helped Bitwarden remove unconstrained third-party JavaScripts that were a serious vulnerability.
Bitwarden encryption
Your other passwords stored in the vault are encrypted on the device with the military-grade AES-256 cipher. The encryption key is derived from your master password, which is held on Bitwarden’s servers in a (heavily) hashed form. Encrypted data in the vault includes login, card, identity information, and more. Even folder names are encrypted.
Because the data is end-to-end encrypted, it is incomprehensible even to Bitwarden employees. In the unlikely event of a data breach, the information would also be useless to hackers because it would be impossible to reverse-engineer stored passwords from the cryptographic hashes.
When you’re authenticating with the Bitwarden cloud (or your self-hosted server), a copy of the encrypted data is downloaded and stored on your device. The data is only decrypted when in use and stored in RAM only. Bitwarden never stores any plaintext data on their servers or even on your local devices.
Only certain bits of your information aren’t encrypted. This includes your name (if you provided it), organization, billing email, and the like.
Have a look at our guide on how do password managers work to learn about other password encryption methods that are being employed by other password managers.
Bitwarden third-party security audits
In November 2018, Bitwarden passed a thorough third-party security audit and cryptographic analysis by Cure53. All findings were carefully considered and Bitwarden officially listed the actions they had taken or were planning to take to solve any identified security vulnerabilities. The assessment included not only Bitwarden applications but also their backend server systems.
Bitwarden also completed a security assessment and penetration test by the Insight Risk Consulting auditing firm. The audit identified no major security issues. There were some moderate issues, but they were also patched out in one of the Bitwarden server security updates.
Aside from established agencies, Bitwarden is constantly audited by willing developers, because their software is open-source and available for everyone to inspect on GitHub. As a matter of fact, the company has a public bug bounty profile on HackerOne.
Adding all these things together, I can say that Bitwarden is one of the most transparent cybersecurity companies out there. They have a great business privacy and security approach. An open-source password manager with a couple of known issues is certainly much better than a closed-source one with loads of problems, just waiting for some hacker to find them before everyone else does.
Data compliance
As stated in their Terms of Service page, Bitwarden Inc. is located in the United States of America – not a privacy friendly jurisdiction. The recent changes to the Patriot Act don’t bode well either.
However, as we’ve established, even if Bitwarden handed over the data stored on their servers, no one could decrypt it. There’s no meaningful data they hold on you. Plus, most password managers are located in the US, with only a few exception, such as Enpass or NordPass.
On their product page, Bitwarden also states that they meet GDPR, Privacy Shield, and CCPA regulations. This means that they assure you they’re handling your data in compliance with these regulations.
Can Bitwarden be hacked?
Even if someone hacks Bitwarden, your data will still be secure and useless to the hacker. Because of the one-way salted hashing and other cryptographic measures, your data would remain safely encrypted even if a hacker seized their server.
Of course, it’s always possible to initiate a social engineering attack or install a keylogger to your PC through malware – no system is completely safe from human error. However, should a hacker attempt to find out your master password, if you have 2FA enabled, he would also need your 2FA code.
In short, there are too many hoops the attacker would have to jump through to make a successful attack on Bitwarden. As long as your master password is unique and strong enough, you can be calm about your passwords ending up in the wrong hands. It would be much more useful to attack services with worse security credentials.
Plans and pricing
| Version | Features | Price |
|---|---|---|
| Free Accout | Free forever | $0/month |
| Premium Features | Premium password security and management features | less than $1/month |
| Family Sharing | Premium features individually or as a group (up to 5 users) | $1/month |
Bitwarden Premium will cost you just $10 per year, and should you choose to opt-in for the Family Sharing package, it would only cost you $1/month for up to 5 users. Considering that other password managers like Dashlane will charge you $59.99 per year, this is a great deal.
Premium features include:
- Added 2FA options – YubiKey, U2F, and Duo
- Increased vault storage to 1 GB
- Vault health reports
- TOTP (time-based one-time password) authenticator and generator
- Priority customer support
Premium edition isn’t noticeably different from the free version. It installs the same native apps on Windows, macOS, iOS, Android, and Linux, unblocking the features that were locked out in the Free version.
A family plan will only be useful if you want to share entries with more than one person. I.e., you both need some passwords that you want to keep private from the other parties, and you also need a shared library with more than two shared folders.
Bitwarden password manager setup
Most users will be installing a native Bitwarden app that’s available on Windows, macOS, iOS, Android, and Linux. There are also browser extensions for Chrome, Firefox, Edge (currently broken), Opera, and some less popular picks. This means you get a wide selection of how you can access your stored credentials.
Aside from the easy-to-install applications, it’s also possible to install Bitwarden on your server. Whether it makes sense from a security standpoint, it’s for you to decide. Still, it’s doable on Linux, macOS, and Windows machines via an array of Docker containers.
Password importing
What if you’re already using some other password manager and want to switch it out for Bitwarden? Does it mean that you’ll manually have to reenter all your passwords? Nope, there’s no need for that. Bitwarden has an import function from plenty of other services.
Depending on which password manager you’re using, your route might be different. Still, generally speaking, you’ll have to export files from your current provider and upload it to Bitwarden, which will then encrypt and instantly add them to a vault.
For personal accounts:
Log into your web vault and navigate to Tools > Import Data. Detailed instructions for importing files from each source will be displayed after choosing the particular file format from the dropdown menu.
For organization accounts:
Managing organization accounts works the same way. You’ll need to log into the vault and enter the organization admin area and then go to Tools > Import Data. More detailed information will also be shown after choosing a particular format.
Even when importing large volumes of data, the import procedure is relatively quick (just don’t forget to delete all the unencrypted password exports). If recovered by hackers, these files can compromise all your accounts.
Platforms and extensions
You can’t always expect when you’ll need your password manager or what device you’ll have with yourself at that moment. It’s excellent that Bitwarden developers thought of this in advance and didn’t lock any platform out.
Here’s a full list of the platforms that support Bitwarden:
- Web interface that’s accessible from any browser
- Browser extensions available for Chrome, Firefox, Edge, Brave, Opera, and more
- Desktop apps for Windows, macOS, and Linux
- Mobile apps for iOS and Android
- Command-line interface
Each option dramatically expands the usability options and adapts to the way you use password managers. Here’s what they offer.
Bitwarden mobile apps
If you’re on the go, nothing beats having all of your passwords on a mobile app. Chances are, even if you’re away from your desktop, you’ll still have your phone nearby. Apps are available on the Apple App Store and Google Play. They have and have slick mobile themes and you’ll be able to customize the user interface the way you like it.
Web app
The web application is accessible through the Bitwarden website. It provides the most comprehensible management option for Bitwarden vault administration. You can manage your personal vault, organization vaults where you’re added, and other account information settings. It’s also possible to manage bulk operations via checkboxes.
From there, you’re able to create Folders for your personal vault, and Collections within organization vaults. Folders are intended for the management of your own personal items, while Collections let you arrange and share items.
Bitwarden for desktop
The desktop application can be useful when web browsing isn’t an option or it’s just more convenient through the app. It’s also perfect for storing particularly sensitive information like bank account numbers and credit cards.
Visually, the apps look identical on Windows, macOS, and Linux. Each of them has the same features and design, so if you’re using the Windows version and decide to move to macOS, you’ll scarcely notice a difference.
Browser extensions
A browser extension for password managers makes a lot of sense because most of our accounts are online. Bitwarden’s add-ons for browsers have a lot more differences from one to the other. They cover even some of the least supported browsers. Your experience will be significantly dependent on your browser and the support it receives from the developer team.
For example, the Firefox add-on has a persistent sidebar, but Chrome does not. This might translate into different user interface decisions down the line. If you’re switching browsers, do not expect that the add-ons you were using before will look or feel the same way.
More importantly, this could translate to safety issues associated with your browser, rather than the safety of the add-on. For example, after the most recent Microsoft Edge update, its Bitwarden extension works with hiccups.
No matter which one you pick, all of the add-ons will allow you to do essentially the same things that are possible on apps – generate passwords and autofill credentials. The customization options will largely depend on the browser you pick.
Command-line interface
For the true DIY-spirited, Bitwarden offers a full-featured command-line interface (CLI) that you can access your vault through. Every feature that you can use on the web, apps, and extensions, you can also use through CLI. It’s not chained to any particular platform – you can use it on Windows, macOS, and Linux distributions.
While it may not be handy for the more common users, administrators will love the possible integration between Bitwarden and other identity management systems. This means that if your IT personnel is tech-savvy enough, you could probably integrate Bitwarden’s password manager vault within your organization’s internal infrastructure. Plus, it allows you to tweak the UI, adding custom interfaces. If there’s one thing that you’ll remember, know that with CLI, the sky’s the limit.
Customer support
How you find Bitwarden’s customer support largely depends on your account type. If you’re a free user, you might expect some frustration, but if you have a Premium plan, you can expect priority queues. Even then, Bitwarden doesn’t shine.
The only option to contact support is via email. It’s nice to see that the responses are from real human beings and not automated. You could contact support via Bitwarden’s social media sites – they have a subreddit and a Twitter page. However, replying to user queries, they mostly direct users to the help page or ask to contact via email.
In many cases, Bitwarden’s community forum is your best bet to get help in a timely fashion. There are plenty of users to share their workarounds and solutions, with developers sometimes joining in to give a tip. It’s also a place to request features that you’d like to see implemented in Bitwarden. All in all, Bitwarden’s customer support could be improved, but it’s not a dealbreaker, either.
Alternatives to Bitwarden
If you’re interested in the other open-source password managers, you could look into KeePass, KeeWeb, and Keychain. Keep in mind that each of them has its quirks.
KeePass. This service was primarily developed for Windows, which is still the platform that receives the most attention from developers. Linux and macOS support is only introduced through the use of Mono. If you want to use mobile apps, there are only unofficial community-made ports for Windows Phone, iOS, and Android. It stores the password only on the device as opposed to Bitwarden’s cloud-based approach.
KeeWeb. Available via apps for Windows, macOS, Linux, iOS, Android, and via the web. KeeWeb is written in JavaScript and fills the passwords directly without uploading to their servers.
Keychain. Initially introduced in Mac OS 8.6 and released under Apple Public Source License and accessible through the Keychain Access app. Naturally, it’s available only for macOS and iOS devices. iCloud sync is possible, sharing stored passwords between your devices.
Other popular options include NordPass, Dashlane, 1Password, Enpass, and LastPass. However, these are proprietary, which often means that they also ramp up the price a bit to cover development costs. For more good alternatives, check out our best password managers article.
Bottom line
There’s only a handful of trustworthy open-source password managers, making Bitwarden a truly unique service. It’s quite straightforward for personal use and even for organizations. It takes practically no time to set up and import passwords. There are ways to tweak the tool in line with the way you’re accustomed to using mobile apps and browser extensions.
Essentially, you’ll get the same functions no matter which way you decide to access your Bitwarden vault. Plus, you get all the basics you may need for your everyday browsing experience for free. The Premium plan is well worth it, considering it’s only $10 a year, so ~0.83 cents a month. This is almost four times cheaper than Dashlane’s annual premium offering. There are no strings attached, and you can try out this service for free and later decide if you need more features.
From our Bitwarden Review it’s clear that it does a lot of things right, and when it doesn’t, it has a crowd of independent developers not only asking for fixes but offering possible solutions. That’s a selling point that’s hard to beat.
To learn more about this great password manager or give it a shot, visit the Bitwarden website.
Read other password manager reviews
Dashlane review: password manager #1 in 2021
NordPass review: features, pricing and why we recommend it
Enpass review: safe and minimalistic password management solution
LastPass review: still among the most popular password managers
FAQ
Bitwarden is one of the safest password managers around. Its source code is freely available online to anyone, and such public scrutiny helps Bitwarden to quickly fix any security issues. Moreover, Bitwarden is frequently audited by third-party digital security auditors as well as independent researchers.
Finally, this password manager encrypts your data end-to-end using the AES 256-bit cipher. It means that a brute-force attack (trying all possible combinations) would take so long that only the grandchildren of the hacker have a remote chance of cracking your master password.
Comparing LastPass and Bitwarden is hard because the former is cloud-based, and the latter can work as an offline password manager. If you believe that online password managers are inherently less secure, stick with Bitwarden. If not, then give LastPass a try – it has a huge set of features, even if you use a free version. After all, there’s a reason why this product is found in most lists of the best premium and free password managers.
Bitwarden is available on Windows, macOS, and Linux. It also offers mobile apps for Android and iOS users. When it comes to browser extensions, you can install Bitwarden add-ons for Chrome, Firefox, Edge, Opera, Vivaldi, Brave, and Tor Browser.
All information stored in your vault, including credit cards, secure notes, IDs, folders, and attached files, is protected by end-to-end encryption. The only information about you that’s not encrypted is your billing email, name, and organization.
Using Bitwarden password manager is easy. It has apps for all popular desktop and mobile platforms, including Linux, as well as Chrome, Firefox, and Opera. You can even access your vault straight from the Bitwarden’s website.
After installation, you can import your existing data from other password managers or browsers. Alternatively, you can start adding logins, credit cards, IDs, and secure notes from scratch. And the best part – Bitwarden has a great free version, meaning you don’t have to spend a dime to protect your information.
Just like any zero-knowledge password manager, Bitwarden can’t see your passwords or anything else that’s in your vault. It receives already hashed account name and password without the means to reverse-engineer them. What’s more, all of your data is encrypted using military-grade cipher and brute-forcing it would take a lifetime of a Greenland shark, or even more. Finally, Bitwarden is used to third-party audits that check for security vulnerabilities and embraces open-source technology model that leaves no secrets behind the doors.
Hi,
How secure is the import process? Your article suggests that the logins and passwords exported from another program are uploaded to Bitwarden servers and ONLY THEN encrypted and stored to the vault. This looks to me as a major security issue, especially because the import can only be done through their website, i.e., there is no control over what it does with the data.
How secure are attached files in Bitwarden?
There is an ongoing debate whether Bitwarden is safe for file storage. Especially due to threads like this. I’d wait for an official response that the potential vulnerabilities are fixed before uploading sensitive data.
Looks to me like their pricing is now $40/yr for the family plan. Getting close to 1Password territory now.
As far as the Safari extension. I’m not sure what’s stopping from releasing it through the Mac App Store. That’s standard procedure for most Safari extensions. All it takes an Apple Developer account and the cost is not prohibitive.
I’m a new premium Bitwarden user as of 2/18/21 and am very disappointed to find Bitwarden has not once prompted for new or changed passwords on Firefox. If I forget to enter passwords manually through the Firefox extension’s cumbersome process, they are gone forever. For me, this is a major shortcoming. Lastpass, which I was considering ditching, has no such problems.
BW has not supported Safari extensions for over a year. The dev abandoned safari saying it accounted for less than 2 percent of his users and was basically not important enough to learn how to code for apples new requirements. Very sad.
This should be more upfront in this review as it is a deal breaker for many people.
Hi, thanks for the heads up! I’ve updated the article.
That is not true – Bitwarden was and still supported on Safari. It is supported on both Intel and M1 (Apple) devices, Catalina and Big Sur. Posting this message in Safari from Mac mini (M1, 2020) with Bitwarden active in here.
It may work now, but it’s temporary. Here’s a quote from their page:
“Safari now limits Safari App Extension use to only those obtained through Mac App Store downloads. As of Q1 2021, users will not be able to use a Bitwarden Safari App Extension obtained through a .dmg installation from bitwarden.com/download or any other non-App Store source.”
So, eventually, you will have to use their app instead of an extension.
So according to your review, the biggest problem with Bitwarden is it’s not “pretty”. I’ve used it for a long time and would agree with that. But is this enough to give it only 4.1 stars? Perhaps you could explain the rationale behind the decreased rating? Many thanks.
Due to the service being open-source, there are numerous issues that we know of. One of the key ones being attachments and secure code delivery. So, it all adds up when ranking the password managers.
Great review. I have been using pass managers quite a while. It started with CIL tools on linux keep going on macos. I am a cross platform user with different OSs. Works great, support all most t all my devices. Overall no need to deal with encrypt decrypt text files to store and arrange passwords.
We’ve been using Bitwarden at our organization for quite a while now and we are very satisfied with the product. Times have changed though and we are in a need of a rebranding. It’s not a huge deal but I wanted to know can organization names be changed on bitwarden?
Hi, yes organization names can be changed.
I got the free version of bitwarden a few weeks ago and so far it seems pretty good. But I’d like to know how can i add a favorite to bitwarden because I noticed that I use some passwords way more often than others and it would be convenient to organize them somehow.
You can create folders inside your vault, so basically create a folder with frequently used passwords and that’ll work.
Why doesn’t Bitwarden use the more secure Argon2 KDF instead of the crappy PBKDF2? Dashlane seems to be the only password manager using Argon2.
Hello. How to use bitwarden without singing in everytime? It is getting very annoying. I always use bitwarden on the same device. It’s still me, please stop asking. I already have a password on my computer so it’s pretty secure already.
Hi, you may try adjusting a time until the vault locks or switch out the master password to a fingerprint reader. This should help to speed up things a little.
good and detailed review as always. but i still dont quite understand what are the requimenets to host bitwarden.
Hi, thank you for your question!
you can deploy Bitwarden on Windows, macOS, and Linux machines. You’ll need Docker and Docker Compose (it might come with your default Docker installation, so double-check that you have it). You can get the installation id and key from here.
Then, there’s also the recommended minimum system requirements for the server:
Processor: 2 GHz dual-core
Memory: 4 GB RAM
Storage: 25 GB
Docker: Engine 19+ and Compose 1.24+
I like free and quality products as much as the next guy but is bitwarden cloud safe? Because i’ve heard that free cloud products aren’t always fully secure or private for example dropbox and google drive. Because of that I dont post any sensitve information on those services. now i have similar concerns about bitwarden. should i just opt for something paid if i want some guarantees?
Hi Ashton, in this case, your password vault is uploaded to the cloud in an encrypted format. There’s no risk about the cloud servers being unsafe because the used encryption measures are uncrackable without your master password.
do y’all know will bitwarden always be free? It’s a good product but i sure as hell don’t want to get scammed into thinking it’s going to be free forever and then suddenly get locked out of my passwords. Maybe there’s something in the terms of service? but i don’t understand the weird jargon people use when writing those
Bitwarden is open source meaning that the source code is available – someone will always be able to compile and run the software. https://github.com/bitwarden
You can also self-host although that takes a little work to setup.
i’ve been using lastpass for a while and lately i had the thought that perhaps it’s not worth the price for what I’m getting. anyway do you know if i can export from lastpass to bitwarden? it’s a lot of work to transfer everything manually and I’m looking for a convenient way out of this mess, any advice is welcome.
Yes you can export and import. Its very easy.
Hey guys, great review! Though of course I’m biased because I love Bitwarden. And it’s not like it is completely flawless, I’ve had issues with Bitwarden not showing autofill on android, maybe you know what could be causing that? Other than that it’s great, free and open-source. I’ll stick with their service for a long time for sure.
Hi, this is a known issue. There are a few fixes for it, but you’ll have to check it on their customer support website because the solution will depend on the Android version that you have.