Bitwarden Review and Testing – Most Secure Password Manager?
Choosing a password manager is a somewhat personal decision. With multiple quality products out there, picking the single best one is hard. That said, after thoroughly reviewing and testing Bitwarden for this review, it is now my favorite password manager. Why? For starters, it is completely open source, has been through a third-party audit, and offers some great apps and browser extensions. Bitwarden provides all the basic password manager features most people would want, for free. The business model is to offer the core product for free and make money from the people who want or need advanced features (paid upgrades). If this is a password manager you are interested in using, keep reading this Bitwarden review for all the important details.
Pros
- Passwords encrypted locally
- Passwords stored in the cloud or on your own server
- Completely open source code
- Third-party audit conducted
- Complies with GDPR
- Data encrypted in transit and at rest
- Single and multi-user accounts
- 1 GB encrypted file storage for paid accounts
- Supports 2FA
- Read-only offline access to last-synced vault
Cons
- Must provide a valid email address
- No telephone support
- Cannot create or modify records offline
- Bandwidth usage limits (unspecified)
- Based in, and data stored in, United States
- Collects and shares some user data
- Can be compelled to disclose user data
- May include a tracking pixel in email messages
- No account recovery feature
Bitwarden feature summary
Here's a quick summary of the full set of Bitwarden features, some of which are only available on one of the paid versions of the product:
- Supported platforms include Windows, Mac OS, Linux, Android, iOS, command line, web, and major browsers
- Secure Password Generator
- Secure Password Sharing
- Reports & Analysis
- Form Filling
- 2FA and TOTP Support
- Password Import/Export
- AES-256 encryption on your device, with the key derived from your master password using PBKDF2
- 1GB encrypted file storage
- Synchronizes across all your devices and browsers
- Optional self-hosting of your data
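To make the "encrypted on your device" claim concrete, here is a simplified model of the key-derivation half of that design. This is an added example written for this review, not Bitwarden's own code. It follows the scheme described in Bitwarden's published security whitepaper, in which the client stretches the master password into a master key with PBKDF2-SHA256 and sends the server only a separately derived authentication hash, which the server re-hashes with its own salt before storing. The email, password and iteration counts are constructed for the example, and the AES-256 encryption of vault items under the derived key is not shown.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample credentials for this illustration (not a real account).
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

# Iteration counts are assumptions for this example, not a statement of
# Bitwarden's current defaults, which have been raised over time.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side. Stretch the master password into a 256-bit master key.

    The salt is the normalised email address, so every device of the same
    user derives the same key without the server handing one out. This key
    never leaves the device: it is what protects the vault contents.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side. Derive the value that is sent to the server at login.

    One further PBKDF2 round, keyed on the master key with the password as
    salt, so the server learns neither the password nor the master key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def server_store(auth_hash: bytes, salt: Optional[bytes] = None,
                 iterations: int = SERVER_ITERATIONS) -> Tuple[bytes, bytes]:
    """Server side. Re-hash the received auth hash with a per-user random
    salt before storing it, so a database leak does not yield reusable
    login tokens."""
    if salt is None:
        salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, iterations, dklen=32)
    return salt, stored


def server_verify(record: Tuple[bytes, bytes], auth_hash: bytes,
                  iterations: int = SERVER_ITERATIONS) -> bool:
    """Server side. Recompute the stored value and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, stored)


def login(email: str, master_password: str,
          record: Tuple[bytes, bytes]) -> Tuple[bytes, bool]:
    """Whole flow from the client's point of view. Only auth_hash crosses
    the wire; the returned master_key stays local to unlock the vault."""
    master_key = derive_master_key(master_password, email)
    auth_hash = derive_auth_hash(master_key, master_password)
    return master_key, server_verify(record, auth_hash)


if __name__ == "__main__":
    # Registration: the client derives, the server stores only the re-hashed auth hash.
    key = derive_master_key(SAMPLE_PASSWORD, SAMPLE_EMAIL)
    record = server_store(derive_auth_hash(key, SAMPLE_PASSWORD))
    print("server holds:", record[1].hex())
    print("login with correct password:", login(SAMPLE_EMAIL, SAMPLE_PASSWORD, record)[1])
    print("login with wrong password:", login(SAMPLE_EMAIL, "hunter2", record)[1])
```

The point to take from the split is that a compromise of the server database hands an attacker only salted, stretched hashes of a value that was itself derived from the master key; recovering the master key means brute-forcing the master password through both PBKDF2 stages. That is also why there is no account recovery: nobody but the client ever holds the key.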
Bitwarden core features
Here are the core features of Bitwarden, the ones you have access to in the free version of the product. You have the ability to:
- Store logins, secure notes, credit card info, and multiple identities
- Group items into Collections
- Securely sync passwords between all your devices
- Store an unlimited number of items in your vault
- Use Two Factor Authentication (2FA)
- Securely generate passwords
- Securely share passwords
- Import and export passwords
- Auto-fill forms
- Auto-fill passwords on mobile apps
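The "TOTP support" and 2FA items rest on the same algorithm, RFC 6238 TOTP: Bitwarden can store a site's TOTP seed and display the current code, and a TOTP app can in turn protect your Bitwarden login. The following is an added example written for this review, not Bitwarden's code. It parses the otpauth:// URI form in which TOTP seeds are exchanged between sites, authenticator apps and password managers, generates codes, and verifies a submitted code on the server side with a small drift window. The URI is constructed around the RFC 6238 reference seed, so its outputs can be checked against the RFC's published test vectors; the issuer and account name are invented.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 reference seed "12345678901234567890",
# base32-encoded and wrapped in an otpauth:// URI. Issuer and account are made up.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI into the parameters the generator needs."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    raw_secret = query["secret"][0].strip().replace(" ", "")
    raw_secret += "=" * (-len(raw_secret) % 8)  # restore base32 padding if it was stripped
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": base64.b32decode(raw_secret, casefold=True),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate, keep `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP over the number of whole periods since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: float = None, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Verifier side. Accept the current step and `window` steps either side to
    tolerate clock drift; check every candidate in constant time without
    short-circuiting, and reject anything outside the window."""
    if at is None:
        at = time.time()
    counter = int(at) // period
    ok = False
    for step in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + step, digits, algorithm), code)
    return ok


def current_code(uri: str, at: float = None) -> str:
    """What a vault does when it shows a stored TOTP entry."""
    entry = parse_otpauth(uri)
    return totp(entry["secret"], at, entry["period"], entry["digits"], entry["algorithm"])


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["issuer"], entry["label"])
    print("code at T=59:", current_code(SAMPLE_URI, 59))  # RFC 6238 vector: 94287082
    print("code now:", current_code(SAMPLE_URI))
```

One caveat worth keeping in mind when storing TOTP seeds in the same vault as the passwords they protect: the second factor is then only as independent as the vault itself, which is a convenience trade-off rather than true two-device separation.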
Company information
8bit Solutions LLC, DBA Bitwarden, is incorporated in the state of Florida in the United States of America. According to their LinkedIn profile, the company is small and privately held. This should not be a problem unless you are looking for enterprise-level support, which a small organization like this might struggle to provide.
Bitwarden Terms of Service
I reviewed the Bitwarden Terms of Service (TOS) and didn't find anything objectionable. They do include a bandwidth limitation of unspecified size:
4. Excessive Bandwidth Use
If we determine your bandwidth usage to be significantly excessive in relation to other Bitwarden customers, we reserve the right to suspend your account or throttle your file hosting until you can reduce your bandwidth consumption.
It is hard to imagine any kind of issue with this unless you are doing some weird stuff with the 1GB of file storage that the paid version of Bitwarden gives you. In other words, don't use that space to stream music or videos and you should be fine.
Third-party audits
At the end of 2018, Bitwarden published the results of a white-box penetration test, source code audit, and cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries. The audit covered the Bitwarden client applications and backend server systems (including the APIs, database, and hosting platform). It was conducted by Cure53, a penetration testing firm that has also audited ExpressVPN and other privacy-related products. The testing revealed five vulnerabilities, of which only one required immediate action. According to Cure53,
Despite a small array of discoveries ranked as "Critical" and the general presence of certain vulnerabilities, the results of this Cure53 assessment of the Bitwarden scope are rather positive.
Bitwarden published the full report together with the team's response and remediation plans.
Bitwarden apps (clients)
Bitwarden offers an absolutely huge range of clients. We're talking about clients for:
- Windows, Mac OS, and Linux desktops
- Android and iOS mobile devices
- All major Web browsers
- Command-line tools (CLI) for Windows, Mac OS, and Linux
- A Web Vault for when nothing else is available
Bitwarden hands-on testing
For this review I've concentrated on the free version of Bitwarden, as this version should cover the needs of most people. We'll start by looking at the Bitwarden browser extension for Brave.
Installing Bitwarden
You install the Bitwarden browser extension through the relevant extension store the way you would any other extension. Once that is done, you can create a new Bitwarden account right in the extension. You'll need to enter a valid email address and a master password to complete the account creation process. The master password is the one secret that protects everything else, and since Bitwarden has no account recovery feature it cannot reset it for you, so choose it carefully. Bitwarden will send a verification message to that address; follow the link in it and you are ready to go.
Adding login credentials to Bitwarden
Once you create your account, you are faced with the task of adding login credentials. There are several ways to do this, the easiest being to import your existing vault from the password manager you have been using. Bitwarden publishes import instructions for each supported source format. Note: as of December 2019, you need to import login credentials through the Bitwarden Web Vault, and the instructions will guide you there. Export files from other password managers are typically plaintext, so delete the file securely once the import has succeeded.
If you are going to enter login credentials manually, click the plus sign ( + ) in the top-right of the extension window. That opens the Add Item page; enter the credentials and click Save to add them to the vault.
The final way to add credentials is to log into a site in the browser. Once you enter the username and password and log in, Bitwarden recognizes what you are doing and offers to add that information to the vault, so you can save the credentials for the website you're visiting with one click.
Working with your passwords
Once you add some credentials, the vault lists them grouped by type. Bitwarden can handle more than just login credentials; by default, it supports four types of item:
- Login – Login credentials
- Card – Credit and Debit card info that Bitwarden can automatically fill into the checkout pages at websites
- Identity – Identifying information (contact information, your address, etc.) that Bitwarden can auto-fill into website signup and checkout forms
- Secure Note – Encrypted note storage
The tab option
The Tab option shows the vault items that match the current web page or mobile app. If nothing matches, Bitwarden gives you the option to create a new item populated with the details of the site you are on.
The generator option
Bitwarden includes a powerful and flexible password generator. It can create both passwords and passphrases of various lengths. You can control which character classes appear in a password (upper case, lower case, numerals, special characters), as well as the minimum number of numerals and special characters it must include.
The settings option
Selecting Settings gives you a long list of controls and options you can adjust. I won't go into all of them here, but this is where to go if you want to do things like:
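Here is what a generator with those controls looks like in code. This is an added example written for this review, not Bitwarden's own implementation. Every choice is drawn from the operating system's CSPRNG through Python's secrets module; the minimum counts of numerals and special characters are satisfied first and the result is then shuffled so the forced characters do not sit at a predictable position; passphrases are built from a word list. The special-character set, the small word list, the ambiguous-character set and the include-a-number behaviour are assumptions made for the example.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*"      # special set assumed for this example
AMBIGUOUS = "Il1O0"       # glyphs that are easy to confuse when read or typed (assumption)

# Constructed word list for the passphrase demo; a real generator ships a far
# larger curated list, and the entropy numbers below scale with its size.
WORDS = ["anvil", "basket", "cobalt", "drizzle", "ember", "falcon", "granite",
         "harbor", "iodine", "jigsaw", "kestrel", "lantern", "meadow", "nickel",
         "orchid", "pumice", "quartz", "ripple", "saffron", "thistle", "umber",
         "velvet", "walnut", "yonder", "zephyr"]

_rng = secrets.SystemRandom()  # CSPRNG-backed; never use random.random() for secrets


def generate_password(length=16, use_lower=True, use_upper=True, use_digits=True,
                      use_special=True, min_digits=1, min_special=1,
                      avoid_ambiguous=False) -> str:
    """Random password honouring the enabled classes and minimum counts."""
    classes = []
    if use_lower:
        classes.append(LOWER)
    if use_upper:
        classes.append(UPPER)
    if use_digits:
        classes.append(DIGITS)
    if use_special:
        classes.append(SPECIAL)
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    # A disabled class cannot carry a minimum.
    min_digits = min_digits if use_digits else 0
    min_special = min_special if use_special else 0
    if min_digits + min_special > length:
        raise ValueError("minimum counts exceed the requested length")
    alphabet = "".join(classes)
    digit_pool = "".join(c for c in DIGITS if not (avoid_ambiguous and c in AMBIGUOUS))
    # Satisfy the minimums first, then fill the remainder from the whole alphabet.
    chars = [secrets.choice(digit_pool) for _ in range(min_digits)]
    chars += [secrets.choice(SPECIAL) for _ in range(min_special)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so forced characters are not at a fixed position.
    _rng.shuffle(chars)
    return "".join(chars)


def generate_passphrase(words=4, separator="-", capitalize=False,
                        include_number=False, wordlist=WORDS) -> str:
    """Random passphrase of `words` words from `wordlist`."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    if include_number:
        # Append one digit to a randomly chosen word (behaviour assumed for the example).
        chosen[secrets.randbelow(words)] += secrets.choice(DIGITS)
    return separator.join(chosen)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on guessing entropy for a uniformly random string of this
    length; the forced minimum counts above reduce it slightly."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` uniform picks from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(generate_password(20, min_digits=3, min_special=2))
    print(generate_password(14, use_special=False, avoid_ambiguous=True))
    print(generate_passphrase(5, capitalize=True, include_number=True))
    print("16 chars over 80 symbols:", round(password_entropy_bits(16, 80), 1), "bits")
    print("4 words from 25:", round(passphrase_entropy_bits(4, len(WORDS)), 1), "bits")
```

The entropy helpers make the trade-off behind the "passwords vs. passphrases" choice visible: with this 25-word list a four-word passphrase carries under 19 bits, whereas a real list of several thousand words puts the same four words well above 40 bits, and a 16-character random password over the full alphabet is above 100 bits.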
- Add or remove folders you can use to organize your passwords
- Adjust when and how Bitwarden locks to prevent unauthorized use
- Change your master password
- Enable and configure Two-Factor Authentication