Bitwarden Review

Choosing a password manager is a somewhat personal decision. With multiple quality products out there, choosing one best product is a tough job. That said, after thoroughly reviewing and testing Bitwarden for this review, it is now my favorite password manager. Why?

For starters, it is completely open source, has been through a third-party audit, and offers some great apps and browser extensions.

Bitwarden provides all the basic password manager features most people would want, for free. The business model here is to offer the core product for free, and make money from the people who want or need advanced features (paid upgrades).

If this is a password manager you are interested in using, then keep reading this Bitwarden review for all the important details.

Bitwarden feature summary

Here’s a quick summary of the full set of Bitwarden features, some of which are only available on one or the other of the paid versions of the product:

• Supported platforms include Windows, Mac OS, Linux, Android, iOS, command line, web, and major browsers
• Secure Password Generator
• Secure Password Sharing
• Reports & Analysis
• Form Filling
• 2FA and TOTP Support
• Password Import/Export
• AES-256, PBKDF2 Encryption on your device
• 1GB encrypted file storage
• Synchronizes across all your devices and browsers
• Optional self-hosting of your data

Bitwarden core features

Here are the core features of Bitwarden, the ones that you have access to in the free versions of the product. You have the ability to:

• Store logins, secure notes, credit card info, and multiple identities
• Group items into Collections
• Securely sync passwords between all your devices
• Store an unlimited number of items in your vault
• Use Two Factor Authentication (2FA)
• Securely generate passwords
• Securely share passwords
• Import and export passwords
• Auto-fill forms
• Auto-fill passwords on mobile apps

Note: I’ll cover the other versions of Bitwarden and their additional features a bit later in this review. But first, let’s talk about some background information that will help you decide if you should read further.

Company information

8bit Solutions LLC, DBA Bitwarden, is incorporated in the state of Florida in the United States of America. According to their LinkedIn profile, the company is small and privately held. This should not be a problem unless you are looking for enterprise level support, which might be difficult for a small organization like this.

Bitwarden Terms of Service

I reviewed the Bitwarden Terms of Service (TOS) and didn’t find anything objectionable. They do include a bandwidth limitation of unspecified size:

4. Excessive Bandwidth Use

If we determine your bandwidth usage to be significantly excessive in relation to other Bitwarden customers, we reserve the right to suspend your account or throttle your file hosting until you can reduce your bandwidth consumption.

It is hard to imagine any kind of issue with this unless you are doing some weird stuff with the 1GB of file storage that the paid version of Bitwarden gives you. In other words, don’t be using that space to stream music or videos and you should be fine.

Privacy Policy

The Bitwarden Privacy Policy is clear and understandable. The general gist is that they comply with GDPR and try to collect the minimum amount of User Personal Information (Personally Identifiable Information or PII).

There are a few negatives in here. Because the company is based in the United States, they are subject to US law, which is less privacy-friendly than some other countries (see Five Eyes alliances). They can be compelled to give up whatever information they have on you in various ways, and they will voluntarily share such information under certain circumstances. There have been a few cases where VPN services and email providers were forced to log user data and turn this over to US authorities.

The Privacy Policy states that Bitwarden may include a pixel tag (tracking pixel) in emails they send to you. As we saw with the Superhuman scandal a few months ago, many people consider including such a pixel tag in email messages to be an invasion of privacy.

If any of these negatives concerns you, you can get all the details in the Bitwarden Privacy Policy.

Third-party audits

At the end of 2018, Bitwarden published the results of a complete white box penetration testing, source code audit, and cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries. The audit covered Bitwarden client applications and backend server systems (including the APIs, database, and hosting platform).

The audit was conducted by Cure53, a penetration testing firm that has also audited ExpressVPN and other privacy-related products. The testing revealed five vulnerabilities, of which only one required immediate action. According to Cure53,

Despite a small array of discoveries ranked as “Critical” and the general presence of certain vulnerabilities, the results of this Cure53 assessment of the Bitwarden scope are rather positive.

You can see the full results of this audit, along with the Bitwarden team’s response and action plans here.

Bitwarden apps (clients)

Bitwarden offers an absolutely huge range of clients. We’re talking about clients for:

• Windows, Mac OS, and Linux desktops
• Android and iOS mobile devices
• All major Web browsers
• Command-line tools (CLI) for Windows, Mac OS, and Linux
• A Web Vault for when nothing else is available

And everything can stay in sync thanks to your encrypted password data residing on the Bitwarden servers (or your own private server).

Bitwarden hands-on testing

For this review I’ve concentrated on the free version of Bitwarden, as this version should cover the needs of most people. We’ll start by looking at the Bitwarden browser extension for Brave.

Installing Bitwarden

You install the Bitwarden browser extension through the relevant app store the way you would any other extension. Once that is done, you can create a new Bitwarden account right in the extension.

You’ll need to enter a username, password, and a valid email address to complete the account creation process. Bitwarden will send a confirmation message to that address, and once you reply to that you will be ready to go.

Adding login credentials to Bitwarden

Once you create your account, you are faced with the task of adding login credentials. There are several ways to do this, the easiest being to import your stuff from the password manager you have been using. Assuming you were using a password manager, you can find instructions for how to import your data on this page.

Note: As of December 2019, you need to import login credentials using the Bitwarden Web Vault. The instructions linked above will guide you there.

If you are going to enter login credentials manually, you can click the plus sign ( + ) in the top-right of the extension window to do so. That opens the Add Item page:

Enter the credentials and click Save to add them to the vault.

The final way to add credentials is to log into a page with the browser. Once you enter the username and password, and log into the site, Bitwarden will recognize what you are doing, and offer to add that information to the vault, like this:

With one click you can save the credentials for the website you’re visiting.

Working with your passwords

Once you add some credentials to the vault, it will look something like this:

As you can see, Bitwarden can handle more than just login credentials. By default, it supports four types of data:

• Login – Login credentials
• Card – Credit and Debit card info that Bitwarden can automatically fill into the checkout pages at websites
• Identity – Identifying information (contact information, your address, etc.) that Bitwarden can auto-fill into website signup and checkout forms
• Secure Note – Encrypted note storage

While Bitwarden can enter this kind of information into mobile apps as well as web pages, the browser extension and other flavors of Bitwarden cannot enter this information into desktop apps. Instead, it will instruct you to copy and paste the data manually.

Now let’s take a look at each of the options that appear at the bottom of the window.

The tab option

The Tab option is where information about the current web page or mobile app will appear. If no information appears, Bitwarden will give you the options to create and populate a relevant item.

The generator option

Bitwarden includes a powerful and flexible password generator. It can create both passwords and passphrases of various lengths. As you can see in the image below, you can control the types of characters that appear in these, as well as the number of numerals and special characters they will include.

The settings option

Selecting Settings gives you a ton of controls and options you can adjust. I won’t go into all of them here, but this is where to go if you want to do things like:

• Add or remove folders you can use to organize your passwords
• Adjust when and how Bitwarden locks to prevent unauthorized use
• Change your master password
• Enable and configure Two-Factor Authentication

This is also where you’ll go to control features of the paid versions of Bitwarden, things like vault sharing and TOTP.

Editing your data

Bitwarden has an interesting way of storing your credentials. The live version of all your data is encrypted on your device, and stored in the cloud (on Bitwarden’s servers). This makes it easy to keep everything synchronized across devices. Just log into your account on whatever device you want, and everything will synchronize automatically.

However, this could lead to problems if the copy of Bitwarden on your device cannot connect to the servers holding your data. To address this problem, Bitwarden keeps a read-only copy of the data on each device. You can use that data locally, say to log onto another device on your home network. But you can’t change any of your data unless you are online and connected to the Bitwarden servers.

If you don’t want to depend on the Bitwarden servers, you can host your own instance of Bitwarden on your own hardware, as explained here.

Bitwarden in action

Once you’ve saved the credentials for a login page, revisiting that page causes a number to appear on the Bitwarden icon at the top of the browser window. That number represents the number of different items you have associated with this page. Click the icon to see a list of all the items. Select one and Bitwarden will fill the appropriate fields on the page.

Like any other password manager, some login pages can confuse Bitwarden. If Bitwarden can’t fill in everything automatically, you can copy and paste the data you need from the Tab page.

Note: To accelerate entering your login credentials, some products such as LastPass put an icon in the fields that it can fill. Clicking this icon will enter your data into the page, or display a list of all the logins you have stored for this page. Using this approach could save you a little bit of time and effort, but the Bitwarden approach works just fine.

If you want to increase the security of your passwords, you can enable basic 2FA on your account. The Premium version of Bitwarden gives you additional 2FA options.

Additional Bitwarden features

If your needs extend beyond basic, single-user password management, you may be interested in some of the following features. Some of them are available for free, while some of them are only available in paid versions of Bitwarden.

To make this easier for you, I’ve put together short descriptions of the coolest features, and listed in which versions of Bitwarden you can find them.

Sharing passwords: All organizational accounts

Sometimes you want or need to share passwords with someone else. For example, one big reason why I use Bitwarden is the need to share certain login credentials and bank information with my wife. Another common place to share passwords would be in a business, where several people might need to be able to log into a server or otherwise securely share data.

To share passwords and other data, you first create an Organization, which will hold the data to be shared, and invite Bitwarden users to join the Organization. You can further control access to data in the Organization by putting it into one or more Collections. As the Administrator of the Organization, you control who has access to the Organization and any Collections within it.

For more information on sharing passwords, check out this blog post.

1 GB encrypted file storage (all paid versions)

Paid versions of Bitwarden give you 1GB of encrypted file storage. But this isn’t a mini version of Dropbox or anything like that. Instead, you attach the files to items in your Bitwarden vault.

You could do something like create a secure note, then attach related photos, documents, or other files to that note. Any attachments you create are encrypted and synced across devices along with the vault item they are attached to.

Vault health reports (all paid versions)

The paid Accounts all give you a set of reports on the health of your vault. That includes topics like exposed and weak passwords, unused 2FA opportunities, and reports on data breaches.

To learn more about the available reports, read this blog post.

TOTP Verification code support (premium version)

The Premium version of Bitwarden can replace TOTP applications like Authy and Google Authenticator. If you choose to set this up, you can configure web pages that need TOTP authentication to work with Bitwarden instead of those other applications.

This isn’t a feature I use myself, but could definitely be valuable under the right circumstances.

Bitwarden support

Bitwarden provides a range of online support options, but does not offer telephone support. You can connect with them via email (hello@bitwarden.com) or social media (Twitter, Facebook, Github). They also have an active set of community forums.

The feedback I’ve seen from other users on Bitwarden’s support is positive. I hit them with two questions myself. The first was answered quickly and clearly in less than an hour. I submitted the second in the evening, and was impressed to see an answer in my Inbox when I woke up the next morning.

How secure and private is Bitwarden?

Now that you’ve seen what Bitwarden can do, we need to talk about how well Bitwarden protects your security and privacy. Let’s start with security.

Bitwarden provides excellent security. Your data is encrypted using AES 256 before leaving your device, encrypted in transit between your device and the Bitwarden servers, and encrypted while at rest on their servers. Given that AES 256 encryption is used by the US Government to protect Top Secret data, your data is secure.

The Bitwarden privacy picture is a little murkier. As I showed you earlier, the company does collect some personal data that it may share with third parties. And because they are based in the United States, they could potentially be forced by the US Government to try to gather and share additional personal data.

On the other hand, all your data is encrypted on your device, and remains encrypted when it is on Bitwarden servers. This would make it hard to gather additional personal data, unless they were to hack their own apps and extensions to do so. While this seems unlikely, the fact that the Bitwarden code is Open Source increases the chances that someone would notice any such hacking before it caused too much trouble.

All in all, the privacy risk seems small. If you are really concerned, you can self-host Bitwarden on your own secure hardware to make it even harder for anyone to get their hands on your private data.

Bitwarden prices

The free version should provide ample features and functionality for most users, but you can also upgrade to different paid plans. There are two personal accounts, Free and Premium. The FREE account is, well, free. The Premium account has some additional features and a nominal $10 per year subscription fee:

While there are some definite advantages to choosing the Premium plan, most people will probably be just fine with a FREE account. In a sense, Bitwarden is offering a freemium service. This is similar to free trial VPN providers that give you a baseline of data, but reserve premium features for paid plans.

Bitwarden also offers a series of multi-user accounts (they call them Organizational Accounts) for both Personal and Business use. The details can be found here.

Bitwarden alternatives

What if you don’t like Bitwarden for some reason? In that case, you might want to investigate LessPass or KeePass. Both have free versions like Bitwarden does, and both are open source.

LastPass is another popular option, but it is not open source and has suffered from some security issues over the years. We’ll be testing and reviewing more password managers, so stay tuned.

Bitwarden review conclusion

Bitwarden has many great characteristics. It is hard to beat a good-looking, secure, Open Source password manager that you can own for free. I think Bitwarden is a winner for individuals, families, and small businesses. However…

If you are an Enterprise customer, looking for heavy duty reporting and lots of Technical Support time, this might not be for you.

If you are super security conscious, you might not like the idea that Bitwarden is based in the United States, the home of Five Eyes and other international intelligence organizations.

Bitwarden is one of the best password managers available, with the free version being surprisingly robust and fully-featured. It is currently my favorite, and is quickly gaining a large and loyal following. Check it out here.

Our main password managers guide also has more info on this topic.