If you’re on the lookout for a trustworthy, open-source password manager that comes stuffed with security features yet costs less than most of its competitors – Bitwarden might be worth a look.
It includes all of the standard security tools you would expect to see with similar solutions such as strong AES-CBC 256-bit encryption, two-factor authentication (2FA), a “zero-knowledge” policy, third-party audits, and breached password detection.
It stores all your credentials in an encrypted vault, safeguarded by a master password, and gives you a choice between cloud and local hosting – yes, you can use a self-hosted server. Also, its freemium edition isn’t as restricted as with most of its competitors.
However, unlike most popular password managers, Bitwarden isn’t particularly beginner-friendly and would greatly benefit from being polished up a bit. That said, Bitwarden is a capable, low-cost solution geared towards somewhat tech-savvy users – particularly those working on a tight budget.
- Platforms: Windows, macOS, Linux, Android, iOS
- Browser extensions: Chrome, Firefox, Edge, Opera
So, if you think this might be the right password manager for you, keep reading this Bitwarden review.
Pros
- Ability to use a self-hosted server
- A free, open-source solution
- Excellent free forever edition
- Provides apps for all popular platforms
- Pocket-friendly pricing
- Securely syncs passwords between all your devices
- Solid password generator
Cons
- Based in the USA (privacy issues)
- Customer support needs improvement
Bitwarden feature summary
Here’s a quick summary of the full set of Bitwarden features, some of which are only available with paid versions of the product:
- 1GB encrypted file storage
- 2FA and TOTP Support
- AES-256, PBKDF2 Encryption on your device
- Optional self-hosting of your data
- Form Filling
- Password Import/Export
- Reports and analysis
- Secure Password Generator
- Secure Password Sharing
- Supported platforms include Windows, macOS, Linux, Android, iOS, command line, web, and all major browsers
- Synchronizes across all your devices and browsers
Bitwarden core features
Here are the core features of Bitwarden, the ones that you have access to in the free versions of the product. You have the ability to:
- Auto-fill forms
- Auto-fill passwords on mobile apps
- Group items into Collections
- Import and export passwords
- Use two-factor authentication (2FA)
- Securely generate passwords
- Securely share passwords
- Securely sync passwords between all your devices
- Store logins, secure notes, credit card info, and multiple identities
- Store an unlimited number of items in your vault
Note: I’ll cover the other versions of Bitwarden and their additional features a bit later in this review. But first, let’s go into some background information that will help you decide if you should read further.
8bit Solutions LLC, DBA Bitwarden, is incorporated in the state of Florida in the United States of America. According to their LinkedIn profile, the company is small and privately held. This should not be a problem unless you are looking for enterprise-level support, which might be difficult for a small organization like this.
Terms of Service
I reviewed the Bitwarden Terms of Service (TOS) and didn’t find anything objectionable. The company does include a bandwidth limitation of unspecified size:
“If we determine your bandwidth usage to be significantly excessive in relation to other Bitwarden customers, we reserve the right to suspend your account or throttle your file hosting until you can reduce your bandwidth consumption.”
It is hard to imagine any kind of issue with this unless you are doing some weird stuff with the 1GB of file storage that the paid version of Bitwarden gives you. In other words, don’t be using that space to stream music or videos and you should be fine.
There are a few negatives in here as well. Because the company is based in the United States, it is subject to US law, which is less privacy-friendly than some other countries (see Five Eyes alliances). This means that it can be compelled to give up whatever information it has on you in various ways, and it will voluntarily share such information under certain circumstances. There have been a few cases where VPN services and email providers were forced to log user data and turn this over to US authorities.
At the end of 2018, Bitwarden published the results of a complete white-box penetration test, source code audit, and cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries. The audit covered Bitwarden client applications and backend server systems (including the APIs, database, and hosting platform).
The audit was conducted by Cure53, a penetration testing firm that has also audited ExpressVPN and other privacy-related products. The testing revealed five vulnerabilities, of which only one required immediate action. According to Cure53:
“Despite a small array of discoveries ranked as “Critical” and the general presence of certain vulnerabilities, the results of this Cure53 assessment of the Bitwarden scope are rather positive.”
You can see the full results of this audit, along with the Bitwarden team’s response and action plans here.
Two years later, in July 2020, Bitwarden completed another security audit, supported by Insight Risk Consulting. The main mission was to evaluate the security of the Bitwarden network perimeter, together with penetration testing and vulnerability assessments against Bitwarden’s web-based services and apps.
In August of that same year, Bitwarden obtained SOC 2 Type 2 and SOC 3 certifications, and in December it announced that it was HIPAA compliant as well.
Bitwarden apps (clients)
Bitwarden offers an absolutely huge range of clients. We’re talking about clients for:
- Windows, Mac OS, and Linux desktops
- Android and iOS mobile devices
- All major Web browsers
- Command-line tools (CLI) for Windows, Mac OS, and Linux
- A Web Vault for when nothing else is available
And everything can stay in sync thanks to your encrypted password data residing on the Bitwarden servers (or your own private server).
Bitwarden hands-on testing
For this review I’ve concentrated on the free version of Bitwarden, as this version should cover the needs of most people. We’ll start by looking at the Bitwarden browser extension for Brave.
You can install the Bitwarden browser extension through the relevant app store the way you would any other extension. Once that is done, you can create a new Bitwarden account right in the extension.
You’ll need to enter a username, password, and a valid email address to complete the account creation process. Bitwarden will send a confirmation message to that address, and once you reply to that you will be ready to go.
Adding login credentials to Bitwarden
Once you create your account, you are faced with the task of adding login credentials. There are several ways to do this, the easiest being to import your stuff from the password manager you have been using. Assuming you were using a password manager, you can find instructions for how to import your data on this page.
Note: As of December 2019, you need to import login credentials using the Bitwarden Web Vault. The instructions linked above will guide you there.
If you are going to enter login credentials manually, you can click the plus sign ( + ) in the top-right of the extension window to do so. That opens the Add Item page:
Enter the credentials and click Save to add them to the vault.
The final way to add credentials is to log into a page with the browser. Once you enter the username and password and log into the site, Bitwarden will recognize what you are doing, and offer to add that information to the vault, something like this:
With one click you can save the credentials for the website you’re visiting.
Working with your passwords
Once you add some credentials to the vault, it should look something like this:
As you can see, Bitwarden can handle more than just login credentials. By default, it supports four types of data:
- Login – Login credentials
- Card – Credit and Debit card info that Bitwarden can automatically fill into the checkout pages at websites
- Identity – Identifying information (contact information, your address, etc.) that Bitwarden can auto-fill into website signup and checkout forms
- Secure Note – Encrypted note storage
While Bitwarden can enter this kind of information into mobile apps as well as web pages, the browser extension and other flavors of Bitwarden cannot enter this information into desktop apps. Instead, it will instruct you to copy and paste the data manually.
Now let’s take a look at each of the options that appear at the bottom of the window.
The Tab option
The Tab option is where information about the current web page or mobile app will appear. If no information appears, Bitwarden will give you the options to create and populate a relevant item.
Bitwarden’s secure password generator
Bitwarden provides a powerful and flexible password generator. It can create both passwords and passphrases of various lengths. As you can see in the image below, you can control the types of characters that appear in these, as well as the number of numerals and special characters they will include.
Selecting Settings gives you a ton of controls and options you can adjust. I won’t go into all of them here, but this is where to go if you want to do things like:
- Add or remove folders you can use to organize your passwords
- Adjust when and how Bitwarden locks to prevent unauthorized use
- Change your master password
- Enable and configure Two-Factor Authentication
This is also where you’ll go to control features of the paid versions of Bitwarden, things like vault sharing and TOTP.
Editing your data
Bitwarden has an interesting way of storing your credentials. The live version of all your data is encrypted on your device and stored in the cloud (on Bitwarden’s servers). This makes it easy to keep everything synchronized across devices. Just log into your account on whatever device you want, and everything will synchronize automatically.
However, this could lead to problems if the copy of Bitwarden on your device cannot connect to the servers holding your data. To address this problem, Bitwarden keeps a read-only copy of the data on each device. You can use that data locally, say to log onto another device on your home network. But you can’t change any of your data unless you are online and connected to the Bitwarden servers.
If you don’t want to depend on the Bitwarden servers, you can host your own instance of Bitwarden on your own hardware, as explained here.
Bitwarden in action
Once you’ve saved the credentials for a login page, revisiting that page causes a number to appear on the Bitwarden icon at the top of the browser window. That number represents the number of different items you have associated with this page. Click the icon to see a list of all the items. Select one and Bitwarden will fill the appropriate fields on the page.
Like any other password manager, some login pages can confuse Bitwarden. If Bitwarden can’t fill in everything automatically, you can copy and paste the data you need from the Tab page.
Note: To speed up entering your login credentials, some products such as LastPass put an icon in the fields they can fill. Clicking this icon enters your data into the page, or displays a list of all the logins you have stored for this page. That approach could save you a little time and effort, but the Bitwarden approach works just fine.
If you want to increase the security of your passwords, you can enable basic 2FA on your account. The Premium version of Bitwarden gives you additional 2FA options.
Additional Bitwarden features
If your needs extend beyond basic, single-user password management, you may be interested in some of the following features. Some of them are available for free, while some of them are only available in paid versions of Bitwarden.
To make this easier for you, I’ve put together short descriptions of the coolest features, and listed in which versions of Bitwarden you can find them.
Secure password sharing (all business accounts)
Sometimes you want or need to share passwords with someone else. For example, one big reason why I use Bitwarden is the need to share certain login credentials and bank information with my wife. Another common place to share passwords would be in a business, where several people might need to be able to log into a server or otherwise securely share data.
To share passwords and other data, you first create an Organization, which will hold the data to be shared, and invite Bitwarden users to join the Organization. You can further control access to data in the Organization by putting it into one or more Collections. As the Administrator of the Organization, you control who has access to the Organization and any Collections within it.
For more information on sharing passwords, check out this blog post.
1 GB encrypted file storage (all paid versions)
All paid versions of Bitwarden will give you 1GB of encrypted file storage. But this isn’t a mini version of Dropbox or anything like that. Instead, you attach the files to items in your Bitwarden vault.
You could do something like create a secure note, then attach related photos, documents, or other files to that note. Any attachments you create are encrypted and synced across devices along with the vault item they are attached to.
Vault health reports (all paid versions)
The paid accounts all give you a set of reports on the health of your vault. That includes topics like exposed and weak passwords, unused 2FA opportunities, and reports on data breaches.
To learn more about the available reports, check this entry from Bitwarden’s knowledgebase.
With the free version you get the username data breach report, and that’s about it.
TOTP verification code support (Premium and Families plans)
These premium versions of Bitwarden can replace TOTP applications like Authy and Google Authenticator. If you choose to set this up, you can configure web pages that need TOTP authentication to work with Bitwarden instead of those other applications.
This isn’t a feature I use myself, but could definitely be valuable under the right circumstances.
Bitwarden provides a range of online support options but does not offer telephone support. You can connect with them via email or social media (Twitter, Reddit, and GitHub). It also has an active set of community forums.
I find Bitwarden’s Help Center to be one of its highlights when it comes to customer self-service. It’s well-supplied with simple-to-understand how-tos and most of them are backed by suitable screenshots.
The feedback I’ve seen from other users on Bitwarden’s support is positive. I hit them with two questions myself. The first was answered quickly and clearly in less than an hour. I submitted the second in the evening and was impressed to see an answer in my Inbox when I woke up the next morning.
How secure and private is Bitwarden?
Now that you’ve seen what Bitwarden can do, we need to talk about how well Bitwarden protects your security and privacy. Let’s start with security.
Bitwarden provides excellent security. Your data is encrypted using AES 256 before leaving your device, encrypted in transit between your device and the Bitwarden servers, and encrypted while at rest on their servers. Given that AES 256 encryption is used by the US Government to protect Top Secret data, your data is secure.
The Bitwarden privacy picture is a little murkier. As I showed you earlier, the company does collect some personal data that it may share with third parties. And because it is based in the United States, it could potentially be forced by the US Government to try to gather and share additional personal data.
On the other hand, all your data is encrypted on your device and remains encrypted when it is on Bitwarden servers. This would make it hard to gather additional personal data unless the company were to modify its own apps and extensions to do so. While this seems unlikely, the fact that the Bitwarden code is open source increases the chances that someone would notice such a change before it caused too much trouble.
All in all, the privacy risk seems small. If you are really concerned, you can self-host Bitwarden on your own secure hardware to make it even harder for anyone to get their hands on your private data.
How much does Bitwarden cost?
The free version should provide ample features and functionality for most users, but you can also upgrade to several paid plans.
Bitwarden offers three personal accounts: Free, Premium, and Families.
The Free account is, well, free. The Premium plan will cost you a mere $10 for a year, which is less than $1 per month. The Families plan supports up to 6 users and will set you back $3.33 per month, which is $40 for a whole year – pretty reasonable if you ask me.
While there are some definite advantages to choosing the Premium plan, most people will probably be just fine with a FREE account. In a sense, Bitwarden is offering a freemium service. This is similar to free trial VPN providers that give you a baseline of data, but reserve premium features for paid plans.
Bitwarden also offers two business-focused plans: Teams Organization and Enterprise Organization, both of which are billed per user.
In addition to this, if you’re running an enterprise with hundreds to thousands of users, you can get in touch with the sales staff and see if a custom plan can be tailored to suit your organization’s needs.
There are 7-day free trials for Families, Teams Organization, and Enterprise Organization plans.
What if you don’t like Bitwarden for some reason? In that case, you might want to investigate LessPass or KeePass. Both have free versions like Bitwarden does, and both are open source.
There are a couple of things that make Bitwarden trustworthy. First, it’s open-source software that’s routinely audited by some of the top third-party security companies. It also utilizes end-to-end 256-bit encryption, two-factor authentication, and “zero-knowledge” architecture – so, not even Bitwarden knows your passwords.
No, Bitwarden has never been hacked. However, even if it does get hacked, since your data is fully encrypted and hashed before leaving your local device, no one from Bitwarden’s staff can access your data, nor can hackers.
No, since your data is fully encrypted (and/or hashed) before ever leaving your local device, no one from Bitwarden’s staff can ever see your data for what it is. Also, we should note that Bitwarden’s servers store encrypted and hashed data only.
Bitwarden supports several types of data: login credentials, credit/debit card details, identifying information, and secure notes – and all of these are safeguarded by end-to-end encryption. The only information that’s not encrypted is your billing email address, user name, and the name of your organization.
Bitwarden review conclusion
All in all, Bitwarden manages to stay strong on security without breaking the bank, which can’t be said for some of its competitors.
Users working on a shoestring budget will appreciate Bitwarden’s fully-featured freemium edition, while those who are focused on security will value its open-source nature, as well as its full set of security features every password manager should possess.
Even those looking for an enterprise-level solution with heavy-duty reporting and lots of technical support time can find something to satisfy their needs.
On the downside, Bitwarden’s user interface is not as intuitive as some of its competitors, which might confuse less tech-savvy users. However, this can be overcome with a couple of step-by-step how-tos and Bitwarden has plenty of them to offer.
Also, the fact that Bitwarden is based in the United States, the home of Five Eyes and other international intelligence organizations, will probably put off super security-conscious users – and understandably so.
Nevertheless, Bitwarden is still one of the best password managers available today, with a robust, feature-rich free edition everyone should try out.
This Bitwarden review was last updated on September 23, 2022.