Choosing a password manager is a somewhat personal decision. With multiple quality products out there, picking a single best one is a tough job. That said, after thoroughly reviewing and testing Bitwarden for this review, it is now my favorite password manager. Why?
For starters, it is completely open source, has been through a third-party audit, and offers some great apps and browser extensions.
Bitwarden provides all the basic password manager features most people would want, for free. The business model here is to offer the core product for free, and make money from the people who want or need advanced features (paid upgrades).
If this is a password manager you are interested in using, then keep reading this Bitwarden review for all the important details.
+ Pros
- Passwords encrypted locally
- Passwords stored in the cloud or on your own server
- Completely open source code
- Third-party audit conducted
- Complies with GDPR
- Data encrypted in transit and at rest
- Single and multi-user accounts
- 1 GB encrypted file storage for paid accounts
- Supports 2FA
- Read-only offline access to last-synced vault
- Cons
- Must provide a valid email address
- No telephone support
- Cannot create or modify records offline
- Bandwidth usage limits (unspecified)
- Based in, and data stored in, United States
- Collects and shares some user data
- Can be compelled to disclose user data
- May include a tracking pixel in email messages
- No account recovery feature
Bitwarden feature summary
Here’s a quick summary of the full set of Bitwarden features, some of which are only available on one or the other of the paid versions of the product:
- Supported platforms include Windows, Mac OS, Linux, Android, iOS, command line, web, and major browsers
- Secure Password Generator
- Secure Password Sharing
- Reports & Analysis
- Form Filling
- 2FA and TOTP Support
- Password Import/Export
- AES-256 encryption on your device, with PBKDF2 key derivation from your master password
- 1GB encrypted file storage
- Synchronizes across all your devices and browsers
- Optional self-hosting of your data
Bitwarden core features
Here are the core features of Bitwarden, the ones that you have access to in the free versions of the product. You have the ability to:
- Store logins, secure notes, credit card info, and multiple identities
- Group items into Collections
- Securely sync passwords between all your devices
- Store an unlimited number of items in your vault
- Use Two Factor Authentication (2FA)
- Securely generate passwords
- Securely share passwords
- Import and export passwords
- Auto-fill forms
- Auto-fill passwords on mobile apps
Note: I’ll cover the other versions of Bitwarden and their additional features a bit later in this review. But first, let’s talk about some background information that will help you decide if you should read further.
Company information
8bit Solutions LLC, DBA Bitwarden, is incorporated in the state of Florida in the United States of America. According to their LinkedIn profile, the company is small and privately held. This should not be a problem unless you are looking for enterprise-level support, which might be difficult for a small organization like this to provide.
Bitwarden Terms of Service
I reviewed the Bitwarden Terms of Service (TOS) and didn’t find anything objectionable. They do include a bandwidth limitation of unspecified size:
4. Excessive Bandwidth Use
If we determine your bandwidth usage to be significantly excessive in relation to other Bitwarden customers, we reserve the right to suspend your account or throttle your file hosting until you can reduce your bandwidth consumption.
It is hard to imagine any kind of issue with this unless you are doing some weird stuff with the 1GB of file storage that the paid version of Bitwarden gives you. In other words, don’t use that space to stream music or videos and you should be fine.
Privacy Policy
The Bitwarden Privacy Policy is clear and understandable. The general gist is that they comply with GDPR and try to collect the minimum amount of User Personal Information (Personally Identifiable Information or PII).
There are a few negatives in here. Because the company is based in the United States, they are subject to US law, which is less privacy-friendly than some other countries (see Five Eyes alliances). They can be compelled to give up whatever information they have on you in various ways, and they will voluntarily share such information under certain circumstances. There have been a few cases where VPN services and email providers were forced to log user data and turn this over to US authorities.
The Privacy Policy states that Bitwarden may include a pixel tag (tracking pixel) in emails they send to you. As we saw with the Superhuman scandal a few months ago, many people consider including such a pixel tag in email messages to be an invasion of privacy.
If any of these negatives concerns you, you can get all the details in the Bitwarden Privacy Policy.
Third-party audits
At the end of 2018, Bitwarden published the results of a complete white-box penetration test, source code audit, and cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries. The audit covered Bitwarden client applications and backend server systems (including the APIs, database, and hosting platform).
The audit was conducted by Cure53, a penetration testing firm that has also audited ExpressVPN and other privacy-related products. The testing revealed five vulnerabilities, of which only one required immediate action. According to Cure53,
Despite a small array of discoveries ranked as “Critical” and the general presence of certain vulnerabilities, the results of this Cure53 assessment of the Bitwarden scope are rather positive.
You can see the full results of this audit, along with the Bitwarden team’s response and action plans here.
Bitwarden apps (clients)
Bitwarden offers an absolutely huge range of clients. We’re talking about clients for:
- Windows, Mac OS, and Linux desktops
- Android and iOS mobile devices
- All major Web browsers
- Command-line tools (CLI) for Windows, Mac OS, and Linux
- A Web Vault for when nothing else is available
And everything can stay in sync thanks to your encrypted password data residing on the Bitwarden servers (or your own private server).
Bitwarden hands-on testing
For this review I’ve concentrated on the free version of Bitwarden, as this version should cover the needs of most people. We’ll start by looking at the Bitwarden browser extension for Brave.
Installing Bitwarden
You install the Bitwarden browser extension through the relevant app store the way you would any other extension. Once that is done, you can create a new Bitwarden account right in the extension.
You’ll need to enter a username, password, and a valid email address to complete the account creation process. Bitwarden will send a confirmation message to that address, and once you reply to that you will be ready to go.
Note: You can still use a temporary disposable email address for this purpose. You could also create a new secure email address that is not linked to your identity.
Adding login credentials to Bitwarden
Once you create your account, you are faced with the task of adding login credentials. There are several ways to do this, the easiest being to import your stuff from the password manager you have been using. Assuming you were using a password manager, you can find instructions for how to import your data on this page.
Note: As of December 2019, you need to import login credentials using the Bitwarden Web Vault. The instructions linked above will guide you there.
If you are going to enter login credentials manually, you can click the plus sign ( + ) in the top-right of the extension window to do so. That opens the Add Item page:
Enter the credentials and click Save to add them to the vault.
The final way to add credentials is to log into a page with the browser. Once you enter the username and password, and log into the site, Bitwarden will recognize what you are doing, and offer to add that information to the vault, like this:
With one click you can save the credentials for the website you’re visiting.
Working with your passwords
Once you add some credentials to the vault, it will look something like this:
As you can see, Bitwarden can handle more than just login credentials. By default, it supports four types of data:
- Login – Login credentials
- Card – Credit and Debit card info that Bitwarden can automatically fill into the checkout pages at websites
- Identity – Identifying information (contact information, your address, etc.) that Bitwarden can auto-fill into website signup and checkout forms
- Secure Note – Encrypted note storage
While Bitwarden can enter this kind of information into mobile apps as well as web pages, the browser extension and other flavors of Bitwarden cannot enter this information into desktop apps. Instead, it will instruct you to copy and paste the data manually.
Now let’s take a look at each of the options that appear at the bottom of the window.
The tab option
The Tab option is where information about the current web page or mobile app will appear. If no information appears, Bitwarden will give you the option to create and populate a relevant item.
Bitwarden’s password generator
Bitwarden includes a powerful and flexible password generator. It can create both passwords and passphrases of various lengths. As you can see in the image below, you can control the types of characters that appear in these, as well as the number of numerals and special characters they will include.
The settings option
Selecting Settings gives you a ton of controls and options you can adjust. I won’t go into all of them here, but this is where to go if you want to do things like:
- Add or remove folders you can use to organize your passwords
- Adjust when and how Bitwarden locks to prevent unauthorized use
- Change your master password
- Enable and configure Two-Factor Authentication
This is also where you’ll go to control features of the paid versions of Bitwarden, things like vault sharing and TOTP.
Editing your data
Bitwarden has an interesting way of storing your credentials. The live version of all your data is encrypted on your device, and stored in the cloud (on Bitwarden’s servers). This makes it easy to keep everything synchronized across devices. Just log into your account on whatever device you want, and everything will synchronize automatically.
However, this could lead to problems if the copy of Bitwarden on your device cannot connect to the servers holding your data. To address this problem, Bitwarden keeps a read-only copy of the data on each device. You can use that data locally, say to log onto another device on your home network. But you can’t change any of your data unless you are online and connected to the Bitwarden servers.
If you don’t want to depend on the Bitwarden servers, you can host your own instance of Bitwarden on your own hardware, as explained here.
Bitwarden in action
Once you’ve saved the credentials for a login page, revisiting that page causes a number to appear on the Bitwarden icon at the top of the browser window. That number represents the number of different items you have associated with this page. Click the icon to see a list of all the items. Select one and Bitwarden will fill the appropriate fields on the page.
Like any other password manager, some login pages can confuse Bitwarden. If Bitwarden can’t fill in everything automatically, you can copy and paste the data you need from the Tab page.
Note: To accelerate entering your login credentials, some products such as LastPass put an icon in the fields they can fill. Clicking this icon will enter your data into the page, or display a list of all the logins you have stored for this page. Using this approach could save you a little bit of time and effort, but the Bitwarden approach works just fine.
If you want to increase the security of your passwords, you can enable basic 2FA on your account. The Premium version of Bitwarden gives you additional 2FA options.
Additional Bitwarden features
If your needs extend beyond basic, single-user password management, you may be interested in some of the following features. Some of them are available for free, while some of them are only available in paid versions of Bitwarden.
To make this easier for you, I’ve put together short descriptions of the coolest features, and listed in which versions of Bitwarden you can find them.
Sharing passwords: All organizational accounts
Sometimes you want or need to share passwords with someone else. For example, one big reason why I use Bitwarden is the need to share certain login credentials and bank information with my wife. Another common place to share passwords would be in a business, where several people might need to be able to log into a server or otherwise securely share data.
To share passwords and other data, you first create an Organization, which will hold the data to be shared, and invite Bitwarden users to join the Organization. You can further control access to data in the Organization by putting it into one or more Collections. As the Administrator of the Organization, you control who has access to the Organization and any Collections within it.
For more information on sharing passwords, check out this blog post.
1 GB encrypted file storage (all paid versions)
Paid versions of Bitwarden give you 1GB of encrypted file storage. But this isn’t a mini version of Dropbox or anything like that. Instead, you attach the files to items in your Bitwarden vault.
You could do something like create a secure note, then attach related photos, documents, or other files to that note. Any attachments you create are encrypted and synced across devices along with the vault item they are attached to.
Vault health reports (all paid versions)
The paid Accounts all give you a set of reports on the health of your vault. That includes topics like exposed and weak passwords, unused 2FA opportunities, and reports on data breaches.
To learn more about the available reports, read this blog post.
TOTP Verification code support (premium version)
The Premium version of Bitwarden can replace TOTP applications like Authy and Google Authenticator. If you choose to set this up, you can configure web pages that need TOTP authentication to work with Bitwarden instead of those other applications.
This isn’t a feature I use myself, but could definitely be valuable under the right circumstances.
Bitwarden support
Bitwarden provides a range of online support options, but does not offer telephone support. You can connect with them via email (hello@bitwarden.com) or social media (Twitter, Facebook, Github). They also have an active set of community forums.
The feedback I’ve seen from other users on Bitwarden’s support is positive. I hit them with two questions myself. The first was answered quickly and clearly in less than an hour. I submitted the second in the evening, and was impressed to see an answer in my Inbox when I woke up the next morning.
How secure and private is Bitwarden?
Now that you’ve seen what Bitwarden can do, we need to talk about how well Bitwarden protects your security and privacy. Let’s start with security.
Bitwarden provides excellent security. Your data is encrypted using AES-256 before leaving your device, encrypted in transit between your device and the Bitwarden servers, and encrypted while at rest on their servers. Given that AES-256 encryption is used by the US Government to protect Top Secret data, your data is secure.
The Bitwarden privacy picture is a little murkier. As I showed you earlier, the company does collect some personal data that it may share with third parties. And because they are based in the United States, they could potentially be forced by the US Government to try to gather and share additional personal data.
On the other hand, all your data is encrypted on your device, and remains encrypted when it is on Bitwarden servers. This would make it hard to gather additional personal data, unless they were to hack their own apps and extensions to do so. While this seems unlikely, the fact that the Bitwarden code is Open Source increases the chances that someone would notice any such hacking before it caused too much trouble.
All in all, the privacy risk seems small. If you are really concerned, you can self-host Bitwarden on your own secure hardware to make it even harder for anyone to get their hands on your private data.
Bitwarden prices
The free version should provide ample features and functionality for most users, but you can also upgrade to different paid plans. There are two personal accounts, Free and Premium. The FREE account is, well, free. The Premium account has some additional features and a nominal $10 per year subscription fee:
While there are some definite advantages to choosing the Premium plan, most people will probably be just fine with a FREE account. In a sense, Bitwarden is offering a freemium service. This is similar to free trial VPN providers that give you a baseline of data, but reserve premium features for paid plans.
Bitwarden also offers a series of multi-user accounts (they call them Organizational Accounts) for both Personal and Business use. The details can be found here.
Bitwarden alternatives
What if you don’t like Bitwarden for some reason? In that case, you might want to investigate LessPass or KeePass. Both have free versions like Bitwarden does, and both are open source.
LastPass is another popular option, but it is not open source and has suffered from some security issues over the years. We’ll be testing and reviewing more password managers, so stay tuned.
Bitwarden review conclusion
Bitwarden has many great characteristics. It is hard to beat a good-looking, secure, Open Source password manager that you can own for free. I think Bitwarden is a winner for individuals, families, and small businesses. However…
If you are an Enterprise customer, looking for heavy duty reporting and lots of Technical Support time, this might not be for you.
If you are super security conscious, you might not like the idea that Bitwarden is based in the United States, the home of Five Eyes and other international intelligence organizations.
Bitwarden is one of the best password managers available, with the free version being surprisingly robust and fully-featured. It is currently my favorite, and is quickly gaining a large and loyal following. Check it out here.
Our main password managers guide also has more info on this topic.
I like Bitwarden on Windows and iOS. However, I don’t use it as a primary password manager. With iOS, everything is almost instant. On Android it’s painfully slow and it just can’t autofill. I’ve contacted the company. They’re fantastic in regards to Windows and feedback. This quickly changes when you bring up issues. With iOS you have many password managers to choose from but for auto-filling nothing beats Apple’s own which allows you to use more than one password manager. You can’t say that on Android. You’re really stuck on having to use Google or you can use nothing. Just copy and paste from another manager you have like the free version of 1Password which isn’t slow.
Well that also means Apple has access to your personal information. Bitwarden is open source and encrypted making it nearly impossible for anyone to be able to peer into your passwords. While Apple’s efforts regarding privacy are notable, when critically examining their business practices, in reality, the company still benefits from mining their users’ personal information but goes about it differently.
https://www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/
I use Bitwarden (for Windows). It’s a great [free] alternative to Google Chrome in many ways, but privacy might be an issue. However, if you’re using an Android device, I find it’s frustrating to use Bitwarden. Perhaps it’s the way the Android OS is but even the reviews on the Google Play store give Bitwarden and most Password managers a poor rating.
@Archie Your experience using Bitwarden for free is unfortunate. A possible solution is to contact the company directly and see if they can help or become a paid subscriber. It only costs $10US a year and my understanding is that there are more features with a Bitwarden subscription. Doing so might alleviate some of the problems you are experiencing.
Paper can’t be hacked.
Keep both your passwords and your vote secure.
If you must fiddle with software lockers ALSO have a paper copy
Randomness does not a good password make. A complex LONG password can and ought be constructed memorably
Never reuse a password
STOP using one email account for everything. Notice account. I’m not suggesting aliases for one account.
Never use the same password for multiple sites
Use an algorithm
In my next life, I shall try to be a bot or a Linux user that follows your recommendations, lol.
Halatinous, what has your comment to do with the review of Bitwarden?
Use an algorithm? Are you still in Algebra class? Paper can’t be hacked? Wanna bet? It can be stolen especially from your home or office.
Hello,
Congratulations on the site, it is of very good quality.
I have a question regarding Cons: Must provide a valid email address.
Sven Taylor, do you create an anonymous/burner email for this purpose? Only with Bitwarden and nothing more in this email? If that is your procedure, which email?
Thank you for your help.
Regards.
Hello H.B. Yes, we have reviewed some different burner email services here.
You can also set up a free secure email account with Mailfence, ProtonMail, or Tutanota, for example, which have free plans with a smaller storage limit.
Buy $0.85 domain for a year
Install your own disposable web app
Solved
@Halatinous, perhaps you can pass on your “knowledge” to the rest of us especially (Windows users) how to do such a thing, why we would want to, and the steps needed to install a disposable web app that is completely private, untraceable to you, and secure?
I think that needs an update for the review.
Dear Sven,
Thank you very much for the review.
Is there any way to block pixel tracking?
Best
I don’t know much about pixel tracking, but I’m sure a Pi-hole would block it.
Do not auto load images in email or at least not for unknown senders
NextDNS. DoH for phone. Enable lists: OISD, No facebook, No google. Block newly registered domains.
You can very easily self-host your own Bitwarden server, with the docker container “bitwarden_rs”.
Many of the cons here are then obsolete.
Nice benefit is it also has all paid features for free.
https://github.com/dani-garcia/bitwarden_rs
A great article, well balanced, explains features without getting bogged down in detail. Bitwarden is my first 3rd party password manager – I used Apple’s KeyChain but it’s too locked into Apple’s eco system – and I love its simplicity. Bitwarden’s not perfect, but nothing is, I can live with some of its quirks. I don’t need the Premium features but I paid up anyway to support the project, it costs nothing and it’s well worth it.
Why did you add “No account recovery feature” as a con? As far as I know, you can’t have such a feature assuming end-to-end-encryption!? Also, storing the data in the US would be a con if it wasn’t for E2E-encryption? And if it’s about the meta-data you can host Bitwarden yourself.
You make a valid point, but I’ve observed that geeks like myself can get far too obsessed with key derivation when all they need is a stronger password.
*Any* key derivation that uses a secure algorithm is better than none and standard PBKDF2 is perfectly secure so long as users aren’t idiotic enough to use 8-character master passwords. If your master password is truly random and contains more than 15 lowercase, uppercase, and ASCII symbol characters, it will be simply impractical to guess the password via brute-force. By my estimate, which assumes ASIC-level efficiencies even better than today’s best BitCoin miner, electricity costs *alone* would likely be over a hundred billion US dollars even with only *1* iteration of SHA-256. Go to 10 iterations and we’re already talking trillion dollar budgets and decades of computation.
I’m all in favor of switching to Argon2 wherever practical, but I don’t think it’s fair to tell potential users that this is a security “risk” when we should instead tell them to use a strong master password. Key derivation is a linear function, while password complexity is exponential. In my research, I’ve estimated that adding just 1 ASCII character to a password is equivalent to 95X more key derivation work.
In other words, a 15-character ASCII password with 95 seconds of traditional key derivation (i.e. PBKDF2) is just as resistant to brute force guessing as a 16-character ASCII password with *1* second of the same derivation.
I do use Argon2 with my KeePass database, but I now recommend BitWarden to friends and family rather than LastPass as I believe BitWarden has matured enough to replace LastPass for most people. I don’t fret about key derivation when my time would be better spent teaching people to make their master password stronger.
Can you please explain how you would recommend making stronger master passwords? Thanks.
This is discussed in the main password managers guide.
But that’s what he just did, no?
“In other words, a 15-character ASCII password with 95 seconds of traditional key derivation (i.e. PBKDF2) is just as resistant to brute force guessing as a 16-character ASCII password with *1* second of the same derivation.”
All encryption is done locally and this has been proven by 3rd-party audit, so even if a 5 Eyes agency gets your password database, they can’t see your passwords. While I disagree with unwarranted government surveillance, I don’t understand why so many people prioritize it as a threat when, in fact, the only people likely to be affected are terrorists and traffickers. I don’t want Big Brother watching me, either, but even if they are they can’t open my BitWarden database without my master password. Your *phones* are a much bigger threat than *any* Cloud storage of locally-encrypted data; pretty much any government in the world can get malware onto your phone that reads your data *after* decryption. Is this likely in the U.S. for law-abiding citizens? No, but it’s a far greater risk than BitWarden responding to secret warrants.