If you’re on the lookout for a trustworthy, open-source password manager that comes stuffed with security features yet costs less than most of its competitors – Bitwarden might be worth a look.
It includes all of the standard security tools you would expect to see with similar solutions such as strong AES-CBC 256-bit encryption, two-factor authentication (2FA), a “zero-knowledge” policy, third-party audits, and breached password detection.
It stores all your credentials in an encrypted vault, safeguarded by a master password, and gives you a choice between cloud and local hosting – yes, you can use a self-hosted server. Also, its freemium edition isn’t as restricted as with most of its competitors.
However, unlike most popular password managers, Bitwarden isn’t particularly beginner-friendly and would greatly benefit from being polished up a bit. That said, Bitwarden is a capable, low-cost solution geared towards somewhat tech-savvy users – particularly those working on a tight budget.
| Website | Bitwarden.com |
| Platforms | Windows, macOS, Linux, Android, iOS |
| Browser extensions | Chrome, Firefox, Edge, Opera |
| Free version | Yes |
| Encryption | 256-bit AES |
| Support | Forum; email |
| Price | From $0.83/mo. |
So, if you think this might be the right password manager for you, keep reading this Bitwarden review.
+ Pros
- Ability to use self-hosted server
- A free, open-source solution
- Excellent free forever edition
- Provides apps for all popular platforms
- Pocket-friendly pricing
- Securely syncs passwords between all your devices
- Solid password generator
– Cons
- Based in the USA (privacy issues)
- Customer support needs improvement
Bitwarden feature summary
Here’s a quick summary of the full set of Bitwarden features, some of which are only available with paid versions of the product:
- 1GB encrypted file storage
- 2FA and TOTP Support
- AES-256, PBKDF2 Encryption on your device
- Optional self-hosting of your data
- Form Filling
- Password Import/Export
- Reports and analysis
- Secure Password Generator
- Secure Password Sharing
- Supported platforms include Windows, macOS, Linux, Android, iOS, command line, web, and all major browsers
- Synchronizes across all your devices and browsers
Bitwarden core features
Here are the core features of Bitwarden, the ones that you have access to in the free versions of the product. You have the ability to:
- Auto-fill forms
- Auto-fill passwords on mobile apps
- Group items into Collections
- Import and export passwords
- Use two-factor authentication (2FA)
- Securely generate passwords
- Securely share passwords
- Securely sync passwords between all your devices
- Store logins, secure notes, credit card info, and multiple identities
- Store an unlimited number of items in your vault
Note: I’ll cover the other versions of Bitwarden and their additional features a bit later in this review. But first, let’s go into some background information that will help you decide if you should read further.
Company information
8bit Solutions LLC, DBA Bitwarden, is incorporated in the state of Florida in the United States of America. According to their LinkedIn profile, the company is small and privately held. This should not be a problem unless you are looking for enterprise-level support, which might be difficult for a small organization like this.
Terms of Service
I reviewed the Bitwarden Terms of Service (TOS) and didn’t find anything objectionable. The company does include a bandwidth limitation of unspecified size:
“If we determine your bandwidth usage to be significantly excessive in relation to other Bitwarden customers, we reserve the right to suspend your account or throttle your file hosting until you can reduce your bandwidth consumption.”
It is hard to imagine any kind of issue with this unless you are doing some weird stuff with the 1GB of file storage that the paid version of Bitwarden gives you. In other words, don’t be using that space to stream music or videos and you should be fine.
If you want to check out the TOS for yourself, click right here.
Privacy Policy
The Bitwarden Privacy Policy is presented in a clear and simple-to-understand way. The general gist is that it complies with GDPR and tries to collect the minimum amount of User Personal Information (Personally Identifiable Information or PII).
There are a few negatives in here as well. Because the company is based in the United States, it is subject to US law, which is less privacy-friendly than some other countries (see Five Eyes alliances). This means that it can be compelled to give up whatever information it has on you in various ways, and it will voluntarily share such information under certain circumstances. There have been a few cases where VPN services and email providers were forced to log user data and turn this over to US authorities.
The Privacy Policy states that Bitwarden may include a pixel tag (tracking pixel) in emails it sends to you. As we saw with the Superhuman scandal a few months ago, many people consider including such a pixel tag in email messages to be an invasion of privacy.
If any of these negatives concerns you, you can get all the details in the Bitwarden Privacy Policy.
Third-party audits
At the end of 2018, Bitwarden published the results of a complete white box penetration testing, source code audit, and cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries. The audit covered Bitwarden client applications and backend server systems (including the APIs, database, and hosting platform).
The audit was conducted by Cure53, a penetration testing firm that has also audited ExpressVPN and other privacy-related products. The testing revealed five vulnerabilities, of which only one required immediate action. According to Cure53:
“Despite a small array of discoveries ranked as “Critical” and the general presence of certain vulnerabilities, the results of this Cure53 assessment of the Bitwarden scope are rather positive.”
You can see the full results of this audit, along with the Bitwarden team’s response and action plans here.
Two years later, in July 2020, Bitwarden would complete another security audit supported by Insight Risk Consulting. The main mission was to evaluate the security of the Bitwarden network perimeter as well as penetration testing and vulnerability assessments against Bitwarden’s web-based services and apps.
In August of that same year, Bitwarden obtained SOC 2 Type 2 and SOC 3 certifications, and in December it announced that it was HIPAA compliant as well.
To find out more about this, go right here.
Bitwarden apps (clients)
Bitwarden offers an absolutely huge range of clients. We’re talking about clients for:
- Windows, Mac OS, and Linux desktops
- Android and iOS mobile devices
- All major Web browsers
- Command-line tools (CLI) for Windows, Mac OS, and Linux
- A Web Vault for when nothing else is available
And everything can stay in sync thanks to your encrypted password data residing on the Bitwarden servers (or your own private server).
Bitwarden hands-on testing
For this review I’ve concentrated on the free version of Bitwarden, as this version should cover the needs of most people. We’ll start by looking at the Bitwarden browser extension for Brave.
Installing Bitwarden
You can install the Bitwarden browser extension through the relevant app store the way you would any other extension. Once that is done, you can create a new Bitwarden account right in the extension.
You’ll need to enter a username, password, and a valid email address to complete the account creation process. Bitwarden will send a confirmation message to that address, and once you reply to that you will be ready to go.
Note: You can still use a temporary disposable email address for this purpose. You could also create a new secure email address that is not linked to your identity.
Adding login credentials to Bitwarden
Once you create your account, you are faced with the task of adding login credentials. There are several ways to do this, the easiest being to import your stuff from the password manager you have been using. Assuming you were using a password manager, you can find instructions for how to import your data on this page.
Note: As of December 2019, you need to import login credentials using the Bitwarden Web Vault. The instructions linked above will guide you there.
If you are going to enter login credentials manually, you can click the plus sign ( + ) in the top-right of the extension window to do so. That opens the Add Item page:
Enter the credentials and click Save to add them to the vault.
The final way to add credentials is to log into a page with the browser. Once you enter the username and password and log into the site, Bitwarden will recognize what you are doing, and offer to add that information to the vault, something like this:
With one click you can save the credentials for the website you’re visiting.
Working with your passwords
Once you add some credentials to the vault, it should look something like this:
As you can see, Bitwarden can handle more than just login credentials. By default, it supports four types of data:
- Login – Login credentials
- Card – Credit and Debit card info that Bitwarden can automatically fill into the checkout pages at websites
- Identity – Identifying information (contact information, your address, etc.) that Bitwarden can auto-fill into website signup and checkout forms
- Secure Note – Encrypted note storage
While Bitwarden can enter this kind of information into mobile apps as well as web pages, the browser extension and other flavors of Bitwarden cannot enter this information into desktop apps. Instead, it will instruct you to copy and paste the data manually.
Now let’s take a look at each of the options that appear at the bottom of the window.
The tab option
The Tab option is where information about the current web page or mobile app will appear. If no information appears, Bitwarden will give you the options to create and populate a relevant item.
Bitwarden’s secure password generator
Bitwarden provides a powerful and flexible password generator. It can create both passwords and passphrases of various lengths. As you can see in the image below, you can control the types of characters that appear in these, as well as the number of numerals and special characters they will include.
The settings
Selecting Settings gives you a ton of controls and options you can adjust. I won’t go into all of them here, but this is where to go if you want to do things like:
- Add or remove folders you can use to organize your passwords
- Adjust when and how Bitwarden locks to prevent unauthorized use
- Change your master password
- Enable and configure Two-Factor Authentication
This is also where you’ll go to control features of the paid versions of Bitwarden, things like vault sharing and TOTP.
Editing your data
Bitwarden has an interesting way of storing your credentials. The live version of all your data is encrypted on your device and stored in the cloud (on Bitwarden’s servers). This makes it easy to keep everything synchronized across devices. Just log into your account on whatever device you want, and everything will synchronize automatically.
However, this could lead to problems if the copy of Bitwarden on your device cannot connect to the servers holding your data. To address this problem, Bitwarden keeps a read-only copy of the data on each device. You can use that data locally, say to log onto another device on your home network. But you can’t change any of your data unless you are online and connected to the Bitwarden servers.
If you don’t want to depend on the Bitwarden servers, you can host your own instance of Bitwarden on your own hardware, as explained here.
Bitwarden in action
Once you’ve saved the credentials for a login page, revisiting that page causes a number to appear on the Bitwarden icon at the top of the browser window. That number represents the number of different items you have associated with this page. Click the icon to see a list of all the items. Select one and Bitwarden will fill the appropriate fields on the page.
Like any other password manager, some login pages can confuse Bitwarden. If Bitwarden can’t fill in everything automatically, you can copy and paste the data you need from the Tab page.
Note: To accelerate entering your login credentials, some products such as LastPass put an icon in the fields that it can fill. Clicking this icon will enter your data into the page, or display a list of all the logins you have stored for this page. Using this approach could save you a little bit of time and effort, but the Bitwarden approach works just fine.
If you want to increase the security of your passwords, you can enable basic 2FA on your account. The Premium version of Bitwarden gives you additional 2FA options.
Additional Bitwarden features
If your needs extend beyond basic, single-user password management, you may be interested in some of the following features. Some of them are available for free, while some of them are only available in paid versions of Bitwarden.
To make this easier for you, I’ve put together short descriptions of the coolest features, and listed in which versions of Bitwarden you can find them.
Secure password sharing (all business accounts)
Sometimes you want or need to share passwords with someone else. For example, one big reason why I use Bitwarden is the need to share certain login credentials and bank information with my wife. Another common place to share passwords would be in a business, where several people might need to be able to log into a server or otherwise securely share data.
To share passwords and other data, you first create an Organization, which will hold the data to be shared, and invite Bitwarden users to join the Organization. You can further control access to data in the Organization by putting it into one or more Collections. As the Administrator of the Organization, you control who has access to the Organization and any Collections within it.
For more information on sharing passwords, check out this blog post.
1 GB encrypted file storage (all paid versions)
All paid versions of Bitwarden will give you 1GB of encrypted file storage. But this isn’t a mini version of Dropbox or anything like that. Instead, you attach the files to items in your Bitwarden vault.
You could do something like create a secure note, then attach related photos, documents, or other files to that note. Any attachments you create are encrypted and synced across devices along with the vault item they are attached to.
Vault health reports (all paid versions)
The paid Accounts all give you a set of reports on the health of your vault. That includes topics like exposed and weak passwords, unused 2FA opportunities, and reports on data breaches.
To learn more about the available reports, check this entry from Bitwarden’s knowledgebase.
With free version you will get username data breach report, and that’s about it.
TOTP verification code support (Premium and Families plans)
These premium versions of Bitwarden can replace TOTP applications like Authy and Google Authenticator. If you choose to set this up, you can configure web pages that need TOTP authentication to work with Bitwarden instead of those other applications.
This isn’t a feature I use myself, but could definitely be valuable under the right circumstances.
Bitwarden support
Bitwarden provides a range of online support options but does not offer telephone support. You can connect with them via email (hello@bitwarden.com) or social media (Twitter, Reddit, and Github). It also has an active set of community forums.
I find Bitwarden’s Help Center to be one of its highlights when it comes to customer self-service. It’s well-supplied with simple-to-understand how-tos and most of them are backed by suitable screenshots.
The feedback I’ve seen from other users on Bitwarden’s support is positive. I hit them with two questions myself. The first was answered quickly and clearly in less than an hour. I submitted the second in the evening and was impressed to see an answer in my Inbox when I woke up the next morning.
How secure and private is Bitwarden?
Now that you’ve seen what Bitwarden can do, we need to talk about how well Bitwarden protects your security and privacy. Let’s start with security.
Bitwarden provides excellent security. Your data is encrypted using AES 256 before leaving your device, encrypted in transit between your device and the Bitwarden servers, and encrypted while at rest on their servers. Given that AES 256 encryption is used by the US Government to protect Top Secret data, your data is secure.
The Bitwarden privacy picture is a little murkier. As I showed you earlier, the company does collect some personal data that it may share with third parties. And becauseit is based in the United States, it could potentially be forced by the US Government to try to gather and share additional personal data.
On the other hand, all your data is encrypted on your device and remains encrypted when it is on Bitwarden servers. This would make it hard to gather additional personal data unless it was to hack its own apps and extensions to do so. While this seems unlikely, the fact that the Bitwarden code is Open Source increases the chances that someone would notice any such hacking before it caused too much trouble.
All in all, the privacy risk seems small. If you are really concerned, you can self-host Bitwarden on your own secure hardware to make it even harder for anyone to get their hands on your private data.
How much does Bitwarden cost?
The free version should provide ample features and functionality for most users, but you can also upgrade to several paid plans.
Bitwarden offers three personal accounts: Free, Premium, and Families.
The Free account is, well, free. The Premium will cost you a mere $10 for a year, which is less than $1 per month. The Families plan supports up to 6 users and will set you back $3.33 per month which is $40 for a whole year – pretty reasonable if you ask me.
While there are some definite advantages to choosing the Premium plan, most people will probably be just fine with a FREE account. In a sense, Bitwarden is offering a freemium service. This is similar to free trial VPN providers that give you a baseline of data, but reserve premium features for paid plans.
Bitwarden also offers two business-focused plans: Teams Organization and Enterprise Organization, both of which are billed per user.
In addition to this, if you’re running an enterprise with hundreds to thousands of users, you can get in touch with the sales staff and see if a custom plan can be tailored to suit your organization’s needs.
There are 7-day free trials for Families, Teams Organization, and Enterprise Organization plans.
Bitwarden alternatives
What if you don’t like Bitwarden for some reason? In that case, you might want to investigate LessPass or KeePass. Both have free versions like Bitwarden does, and both are open source.
LastPass is another popular option, but it is not open source and has suffered from some security issues over the years. We’ll be testing and reviewing more password managers, so stay tuned.
Bitwarden FAQ
There are a couple of things that make Bitwarden trustworthy. First, it’s open-source software that’s routinely audited by some of the top third-party security companies. It also utilizes end-to-end 256-bit encryption, two-factor authentication, and “zero-knowledge” architecture – so, not even Bitwarden knows your passwords.
No, Bitwarden has never been hacked. However, even if it does get hacked, since your data is fully encrypted and hashed before leaving your local device no one from Bitwarden’s staff can access your data, and nor can hackers.
No, since your data is fully encrypted (and/or hashed) before ever leaving your local device, no one from Bitwarden’s staff can ever see your data for what it is. Also, we should note that Bitwarden’s servers store encrypted and hashed data only.
There are several types of data Bitwarden support and they include: login credentials, credit/debit card details, identifying information, and secure notes – and all of these are safeguarded by end-to-end encryption. The only information that’s not encrypted is your billing email address, user name, and the name of your organization.
Bitwarden review conclusion
All in all, Bitwarden manages to stay strong on security without breaking the bank, which can’t be said for some of its competitors.
Users working on a shoestring budget will appreciate Bitwarden’s fully-featured freemium edition, while those who are focused on security will value its open-source nature, as well as its full set of security features every password manager should possess.
Even those looking for an enterprise-level solution with heavy-duty reporting and lots of technical support time can find something to satisfy their needs.
On the downside, Bitwarden’s user interface is not as intuitive as some of its competitors, which might confuse less tech-savvy users. However, this can be overcome with a couple of step-by-step how-tos and Bitwarden has plenty of them to offer.
Also, the fact that Bitwarden is based in the United States, the home of Five Eyes and other international intelligence organizations, will probably put off super security-conscious users – and understandably so.
Nevertheless, Bitwarden is still one of the best password managers available today, with a robust, feature-rich free edition everyone should try out.
To check it out, click right here.
And here are our additional reviews and guides:
This Bitwarden review was last updated on September 23, 2022.
I have been using Bitwarden for about 2.5 years and have _never_ had a problem with them. I almost locked myself out once! I knew I had hidden what would basically amount to a type of decipher key that only I knew, but the tough part, aside from finding the hints and key, of course, is that my Master Password is 17 characters that are a Bitwarden-created password with a few slight tweaks (I also like that even with the free version, you can run your password against a database of recently-used and compromised passwords), but keeping it still looking like gibberish to anyone else. As long as you have a key, you can flip numbers and Aa-Ff to Hex, or punctuation/grammar characters and letters and numbers can be flipped to/from ASCII to Hex, Octal, Dec, Binary, etc., all while keeping meticulous hints as to why 594541 is a funny secret and then when you put each of the 3 pairs of numbers back through what only you know (by some other hint to tell you how to decipher them) each fit in between &# and a ; which is a funny secret because it makes up the ; eyes/”top”/left-most pair of numbers of the put back together 😉 winking smiley face. It seems like a lot but if you have a few things telling you how to read each part, or exactly what consists of a part of the 17 or however many characters make up your password. The 3 numbers 4, 7, and 6 could easily be a part of your girlfriend’s address, the first 3 numbers of your phone number, etc. But using it instead to tell you to break the password’s characters into 3 groups of 4 & 7 & 6 and then using the previous example of the 3 pairs as the last part–you get my point. Because, after all, it does not matter how good Bitwarden or any other similar password keeper is, if I know your Master Password, well: game over. It’s the keys to the kingdom. But obviously, Bitwarden can make its own Master Password, but if it is really a completely random/arbitrarily-chosen password, you are NOT getting in. And you can have 75 forms of ID but all are no good because Bitwarden protects itself against even itself. And all the people within the company could believe you really are John W. Smith but not even the CEO, COO, CFO, or LMNOP are any good to you. That is, after all, one of their selling points.
I like Bitwarden on Windows and IOS. However, I don’t use it as a primary password manager. With iOS, everything is almost instant. On Android it’s painfully slow and it just can’t autofill. I’ve contacted the company. They’re fantastic in regards to Windows and feedback. This quickly changes when you bring up issues. With iOS you have many password managers to choose from but for auto-filling nothing beats Apple’s own which allows you to use more than one password manager. You can’t say that on Android. You’re really stuck on having to use Google or you can use nothing. Just copy and paste from another manager you have like the free version of 1Password which isn’t slow. .
Well that also means Apple has access to your personal information. Bitwarden is open source and encrypted making it nearly impossible for anyone to be able peer into your passwords. While Apple’s efforts regarding privacy are notable, but when critically examining their business practices, in reality, the company still benefits from mining their user’s personal information but goes about it differently.
https://www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/
I use Bitwarden (for Windows). It’s a great [free] alternative to Google Chrome in many ways, but privacy might be an issue. However, if you’re using an Android device, I find it’s frustrating to use Bitwarden. Perhaps it’s the way the Android OS is but even the reviews on the Google Play store give Bitwarden and most Password managers a poor rating.
@Archie Your experience using Bitwarden for free is unfortunate. A possible solution is to contact the company directly and see if they can help or become a paid subscriber. It only costs $10US a year and my understanding is that there are more features with a Bitwarden subscription. Doing so might alleviate some of the problems you are experiencing.
Paper can’t be hacked.
Keep both your passwords and your vote secure.
If you must fiddle with software lockers ALSO have a paper copy
Randomness does not a good password make. A complex LONG password can and ought be constructed memorably
Never reuse a password
STOP using one email account for everything. Notice account. I’m not suggesting aliases for one account.
Never use the same password for multiple sites
Use an algorithm
In my next life, I shall try to be a bot or a Linux user that follow your recommendations, lol.
Halatinous, what has your comment to do with the review of Bitwarden?
Use an algorithm? Are you still in Algebra class? Paper can’t be hacked? Wanna bet? It can be stolen especially from your home or office.
Hello,
Congratulations for the site, it is of very good quality.
I have a question regarding Cons: Must provide a valid email address.
Sven Taylor, do you create an anonymous/burner email for this purpose? Only with Bitguarden and nothing more in this email ? if is your procedure, what email ?
Thank you for your helping.
Regards.
Hello H.B. Yes, we have reviewed some different burner email services here.
You can also set up a free secure email account with Mailfence, ProtonMail, or Tutanota, for example, which have free plans with a smaller storage limit.
Buy $0.85 domain for a year
Install your own disposable web app
Solved
@Halatinous, perhaps you can pass on your “knowledge” to the rest of us especially (Windows users) how to do such a thing, why we would want to, and the steps needed to install a disposable web app that is completely private, untraceable to you, and secure?
Think that need update for the Review
Dear Sven,
Thank you very much for the review.
Is there any way to block pixel tracking?
Best
I don’t know much about pixel tracking, but I’m sure a Pi-hole would block it.
Do not auto load images in email or at least not for unknown senders
NextDNS. DoH for phone. Enable lists: OISD, No facebook, No google. Block newly registered domains.
you can very easily self-host your own Bitwarden server, with the docker container “bitwarden_rs”.
Many of the cons here are then obsolete.
Nice benefit is it also has all paid features for free.
https://github.com/dani-garcia/bitwarden_rs
A great article, well balanced, explains features without getting bogged down in detail. Bitwarden is my first 3rd party password manger – I used Apple’e KeyChain but it’s too locked into Apple’s eco system – and I love its simplicity. Bitwarden’s not perfect, but nothing is, I can live with some of its quirks. I don’t need the Premium features but I paid up anyway to support the project, it costs nothing and it’s well worth it.
Why did you add “No account recovery feature” as a con? As far as I know, you can’t have such a feature assuming end-to-end-encryption!? Also, storing the data in the US would be a con if it wasn’t for E2E-encryption? And if it’s about the meta-data you can host Bitwarden yourself.
You make a valid point, but I’ve observed that geeks like myself can get far too obsessed with key derivation when all they need is a stronger password.
*Any* key derivation that uses a secure algorithm is better than none and standard PBKFD2 is perfectly secure so long as users aren’t idiotic enough to use 8-character master passwords. If your master password is truly random and contains more than 15 lowercase, uppercase, and ASCII symbol characters, it will be simply impractical to guess the password via brute-force. By my estimate, which assumes ASIC-level efficiencies even better than today’s best BitCoin miner, electricity costs *alone* would likely be over a hundred of billions of US dollars even with only *1* iteration of SHA-256. Go to 10 iterations and we’re already talking trillion dollar budgets and decades of computation.
I’m all in favor of switching to Argon2 wherever practical, but I don’t think it’s fair to tell potential users that this is a security “risk” when we should instead tell them to use a strong master password. Key derivation is a linear function, while password complexity is exponential. In my research, I’ve estimated that adding just 1 ASCII character to a password is equivalent to 95X more key derivation work.
In other words, a 15-character ASCII password with 95 seconds of traditional key derivation (i.e. PBKDF2) is just as resistant to brute force guessing as a 16-character ASCII password with *1* second of the same derivation.
I do use Argon2 with my KeePass database, but I now recommend BitWarden to friends and family rather than LastPass as I believe BitWarden has matured enough to replace LastPass for most people. I don’t fret about key derivation when my time would be better spent teaching people to make their master password stronger.
Can you please explain how you would recommend making stronger master passwords? Thanks.
This is discussed in the main password managers guide.
But that’s what he just did, no?
“In other words, a 15-character ASCII password with 95 seconds of traditional key derivation (i.e. PBKDF2) is just as resistant to brute force guessing as a 16-character ASCII password with *1* second of the same derivation.”
All encryption is done locally and this has been proven by 3rd-party audit, so even if a 5 Eyes agency gets your password database, they can’t see your passwords. While I disagree with unwarranted government surveillance, I don’t understand why so many people prioritize it as a threat when, in fact, the only people likely to be affected are terrorists and traffickers. I don’t want Big Brother watching me, either, but even if they are they can’t open my BitWarden database without my master password. Your *phones* are a much bigger threat than *any* Cloud storage of locally-encrypted data; pretty much any government in the world can get malware onto your phone that reads your data *after* decryption. Is this likely in the U.S. for law-abiding citizens? No, but it’s a far greater risk than BitWarden responding to secret warrants.