Open-source software review: Bitwarden
As more of everyday life moves online, staying secure gets harder. Every website wants its own password that meets its own rules, and remembering all of them is not realistic. That is why demand for secure password managers keeps growing, and with it the number of products on the market.
However, one particular password manager has emerged, rising in popularity over the past couple of years due to its open-source nature, functionalities and performance - Bitwarden. In this article, we are going to meticulously review every aspect of Bitwarden and put it to the test in order to answer one simple question - does Bitwarden live up to the hype?
Bitwarden Overview
Bitwarden was founded by Kyle Spearrin in 2016 as an open-source alternative to the popular password managers of the time. It has since grown well beyond a simple password store into a broader toolkit for protecting credentials and sensitive data, which is why it ranks as the 4th most popular password manager for 2024.
Unlike many competitors, Bitwarden has stood the test of time while staying committed to transparency: the clients and the server are open source, and the company publishes its third-party security audits. Combined with clients for every major browser and operating system, that makes the software both trustworthy and accessible, since it runs on practically any device.
Bitwarden comes with both a free and a paid version, however, the free plan offers a wide variety of features that are not blocked behind a paywall unlike some of its competitors. This makes it very easy for utilization, allowing newcomers and those without prior knowledge about password managers to quickly get things set up and going. As for the premium version, it’s designed to build upon the free plan, offering extra quality of life features at an affordable price.
Plans
Let’s start our review at the beginning. When you first go over to Bitwarden you will notice that there are 2 main options in terms of plans - Personal and Business.
Bitwarden clearly tries to accommodate every kind of user: everyday people get a personal plan with everything they need, while those who want advanced password management and administration tools get a more customizable business alternative.
With the Free plan you get unlimited devices, passkey management and all of Bitwarden's core functions. For under $1 per month (Premium is billed at $10 per year) you can upgrade to the Premium tier, which adds the integrated TOTP authenticator, file attachments, emergency access and vault health reports on top of the free plan.
Then there is the Families plan, which is ideal for households that want to share passwords. It covers up to 6 accounts, each with the Premium features, and allows unlimited sharing and collections.
The business plans - Teams and Enterprise, on the other hand, offer all of the administrative and tinkering features that a potential big company would ever need from their password management software.
This tiering lets you pick the plan that matches your needs without paying for features you would not use. As mentioned above, the core functionality comes with the free plan; each higher tier builds on it, adding what a family that shares credentials or an organization that needs user management is actually going to use.
Features
When it comes to features, there are some that make Bitwarden stand out from its competitors, allowing you to get access to more options with the free plan rather than locking everything behind a paywall.
Password Vault
Let’s start at the most important feature that practically defines Bitwarden - the password vault. Essential for every password manager, the vault is the place that will keep your information secure.
The thing that sets Bitwarden apart, however, when it comes to its vault, in comparison to other solutions, is the fact that you have a large variety of organizational tools at your disposal.
Users can group credentials into folders for easier management and discovery, and the search is good enough to find an item with a single query, which matters once you have hundreds or thousands of entries. Bitwarden places no limit on the number of vault items, even on the free plan; the 1 GB of encrypted file storage for attachments is a Premium feature.
(Image source: Bitwarden)
Additionally, there is a Favorites section that keeps the items you use most at your fingertips, at the top of the vault on every client.
Bitwarden also supports secure notes (free) and file attachments on vault items (Premium and above). For sharing outside the vault there is Bitwarden Send: text Sends on the free plan and file Sends on Premium, which hand over a secret or a document through an end-to-end encrypted link. A Send can be protected with an additional password, limited to a maximum number of accesses and given a deletion date, after which the content is destroyed on the server.
Finally, Bitwarden ships Vault Health Reports (Premium) that analyze your stored credentials and flag weak, reused or exposed passwords, unsecured (HTTP) sites and logins for which two-factor authentication is available but not enabled, so you know what to change first.
Password Generator
Speaking of weak passwords, report after report over the years has attributed a large share of breaches to compromised or guessable credentials. To counter this, Bitwarden includes a password generator that draws from a cryptographically secure random source and mixes letters, numbers and symbols, making its output impractical to guess or brute-force.
The generator is also flexible: you can set the length (up to 128 characters, more than many competitors allow), toggle each character class, require a minimum number of digits and symbols, and exclude ambiguous characters such as l, 1, O and 0. That means a legacy system that only accepts alphanumeric passwords can still get one that fits. A passphrase mode (random dictionary words with a configurable separator, optional capitalization and an optional digit) is available for passwords you actually have to type.
There is also a fully free online version that you can use, that is very customizable.
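To make the parameters above concrete, here is an added example written for this review (it is not Bitwarden's generator code): a generator with the same knobs, built on the operating system's CSPRNG via Python's `secrets` module, plus the entropy calculation that tells you what a given length and alphabet actually buy. The symbol set and the ambiguous-character list are assumptions chosen for the example.

```python
"""Password generation with per-class minimums and an entropy estimate.

Added example written for this review; it is not Bitwarden's generator
code. It reproduces the knobs a vault generator exposes (length, which
character classes to use, minimum counts of digits and symbols, and an
"avoid ambiguous characters" switch) and shows that the size of the
candidate alphabet, not how random the output looks, decides how hard
the password is to guess. The symbol set and the ambiguous-character
list are assumptions chosen for the example.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*"          # assumed symbol set
AMBIGUOUS = set("Il1O0|")     # assumed list of characters that are easy to misread


def build_alphabet(lower=True, upper=True, digits=True, symbols=True, avoid_ambiguous=False):
    """Return the enabled character classes as a dict, optionally minus ambiguous glyphs."""
    classes = {}
    if lower:
        classes["lower"] = string.ascii_lowercase
    if upper:
        classes["upper"] = string.ascii_uppercase
    if digits:
        classes["digits"] = string.digits
    if symbols:
        classes["symbols"] = SYMBOLS
    if avoid_ambiguous:
        classes = {name: "".join(c for c in chars if c not in AMBIGUOUS)
                   for name, chars in classes.items()}
    if not classes:
        raise ValueError("at least one character class must be enabled")
    return classes


def generate(length=16, min_digits=1, min_symbols=1, **class_flags):
    """Draw a password from the OS CSPRNG, honouring the minimum digit/symbol counts."""
    classes = build_alphabet(**class_flags)
    required = []
    for count, name in ((min_digits, "digits"), (min_symbols, "symbols")):
        if count and name not in classes:
            raise ValueError(f"minimum for {name} requested but the class is disabled")
        required += [secrets.choice(classes[name]) for _ in range(count)]
    if len(required) > length:
        raise ValueError("minimum counts exceed the requested length")
    pool = "".join(classes.values())
    chars = required + [secrets.choice(pool) for _ in range(length - len(required))]
    # Shuffle with OS randomness so the forced characters do not land in fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def pool_size(**class_flags):
    """Number of distinct characters the generator can pick from with these flags."""
    return sum(len(chars) for chars in build_alphabet(**class_flags).values())


def entropy_bits(length, alphabet_size):
    """Entropy of `length` independent uniform picks; the minimum-count rule only lowers it slightly."""
    return length * math.log2(alphabet_size)


def meets_policy(password, min_digits=1, min_symbols=1):
    """Check a password against the same minimum-count rule the generator enforces."""
    return (sum(c.isdigit() for c in password) >= min_digits
            and sum(c in SYMBOLS for c in password) >= min_symbols)


if __name__ == "__main__":
    for label, flags in (("default", {}),
                         ("alphanumeric only (legacy system)", {"symbols": False}),
                         ("no ambiguous glyphs", {"avoid_ambiguous": True})):
        pw = generate(20, min_symbols=0 if flags.get("symbols") is False else 1, **flags)
        print(f"{label:35s} {pw}  ~{entropy_bits(20, pool_size(**flags)):.0f} bits")
```

The entropy figure is the part worth internalising: 20 characters from a 70-symbol alphabet is about 123 bits, while dropping to the 62 alphanumerics costs only about 4 bits, so length matters far more than exotic symbols. The forced-minimum rule is what lets the same generator satisfy a site policy without the user retrying.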
Secure Sharing
A common issue for both families and businesses is the fact that you do sometimes have to share passwords. In order to tackle this, Bitwarden utilizes Organizations, which enables you to group credentials and share them with other people without exposing plaintext data.
On top of that, Bitwarden has fine-grained permission controls, so you can decide per collection who can view, edit or manage items. On the Teams and Enterprise plans this is backed by event logs, giving administrators an audit trail of who did what and when.
Bitwarden also makes it easy to import from other managers and to export your own vault as a backup. The export can be an encrypted JSON file in two flavours: account-restricted, encrypted with your account's key and therefore only importable into the same account, and password-protected, encrypted under a password you choose. For an offline backup the password-protected form is the one to keep, since it remains usable if the account is lost or reset. Note that exports do not include file attachments, items in the trash or Sends, and items owned by an organization are only included in the organization's own export.
Self-Hosted Option
Another privacy-oriented option is self-hosting, which is available on every plan, including the free one; paid features are unlocked on a self-hosted instance by uploading a license file. It suits those who want their vault data to stay on infrastructure they control, which makes Bitwarden attractive in finance, healthcare and government, where regulations such as HIPAA or GDPR constrain where data may live.
Setting up a self-hosted instance sounds daunting for anyone without system administration experience, but it is a fairly simple process. Bitwarden provides an installer script (bitwarden.sh) that pulls the official images and runs them as a Docker Compose stack (web vault, API, identity, database, nginx and the supporting services), so a basic deployment can be up within an hour, and the documentation is detailed if you get stuck.
One final point: Bitwarden's encryption is end-to-end, so even if your self-hosted server is compromised the vault contents remain encrypted. What a server compromise does expose is metadata (accounts, item counts, sync times) and, more seriously, the web vault itself, since the server serves the client code that does the decryption. A malicious server could ship a tampered web client to capture master passwords, which is why the host has to be treated as trusted. If you self-host, choose a provider that offers not only capable servers but also takes privacy and security seriously, which is exactly what we at VPSBG do.
Security and Privacy
Staying with security, let's look at what makes Bitwarden safe. Vault data is encrypted with AES-256 in CBC mode and authenticated with HMAC-SHA256, and the keys never leave your device. The master password goes through PBKDF2-SHA256 (600,000 iterations by default, with Argon2id available as an alternative) to derive a master key; only a further hash of that key is ever sent to the server for login, and the server hashes it again before storing it. This is what "zero-knowledge" means in practice: Bitwarden cannot decrypt your vault even if its servers are compromised, because it never holds the password or the key.
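The following added example (not Bitwarden's code) walks through that key hierarchy with the standard library so you can see which values cross the wire and which never do. The shape, a PBKDF2-SHA256 master key salted with the e-mail address, HKDF-Expand into separate encryption and MAC keys, and a distinct authentication hash, follows Bitwarden's published security whitepaper as I read it; the iteration counts, the server salt and the sample credentials are assumptions, and the AES-256-CBC/HMAC wrapping of the vault key is left out to keep it dependency-free.

```python
"""Client-side key derivation in the style of Bitwarden's published design.

Added example, not Bitwarden's code. The shape (PBKDF2-SHA256 master key
salted with the e-mail, HKDF-Expand into separate encryption and MAC
keys, and a distinct authentication hash that is the only thing the
server ever receives) follows Bitwarden's security whitepaper as I read
it; the iteration counts, the server salt and the sample credentials are
assumptions for illustration, and the AES-256-CBC/HMAC wrapping of the
vault key is left out to keep this to the standard library.
"""
import hashlib
import hmac

KDF_ITERATIONS = 600_000        # assumed client-side PBKDF2 default
SERVER_ITERATIONS = 600_000     # assumed server-side re-hash cost


def master_key(email: str, password: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """32-byte master key: PBKDF2-SHA256 over the password, salted with the normalised e-mail."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; only used here to check the implementation against a known answer."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (the standard library has no HKDF helper)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stretched_key(mk: bytes):
    """Expand the master key into a 32-byte encryption key and a 32-byte MAC key.

    These two protect the randomly generated vault key; they exist only on the client.
    """
    return hkdf_expand(mk, b"enc"), hkdf_expand(mk, b"mac")


def master_password_hash(mk: bytes, password: str) -> bytes:
    """Login credential sent to the server: one PBKDF2 round of the master key, salted with the password."""
    return hashlib.pbkdf2_hmac("sha256", mk, password.encode(), 1, dklen=32)


def server_store(mph: bytes, server_salt: bytes, iterations: int = SERVER_ITERATIONS) -> bytes:
    """What the server persists: the received hash stretched again, so a database leak is not a login."""
    return hashlib.pbkdf2_hmac("sha256", mph, server_salt, iterations, dklen=32)


def server_verify(mph: bytes, stored: bytes, server_salt: bytes, iterations: int = SERVER_ITERATIONS) -> bool:
    """Constant-time comparison of a presented login hash against the stored value."""
    return hmac.compare_digest(server_store(mph, server_salt, iterations), stored)


def hkdf_known_answer() -> bool:
    """Check the HKDF code against RFC 5869 test case 1 before trusting it with real keys."""
    prk = hkdf_extract(bytes.fromhex("000102030405060708090a0b0c"), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    # Constructed sample credentials; a small iteration count keeps the demo fast.
    email, password, iters = "Alice@Example.com", "correct horse battery staple", 10_000
    mk = master_key(email, password, iters)
    enc_key, mac_key = stretched_key(mk)
    mph = master_password_hash(mk, password)
    salt = b"per-user-random-salt"          # assumed: the server generates this per account
    stored = server_store(mph, salt, iters)
    print("sent to server     :", mph.hex())
    print("server stores      :", stored.hex())
    print("never leaves client:", mk.hex()[:16] + "...", enc_key.hex()[:16] + "...")
    print("login ok           :", server_verify(mph, stored, salt, iters))
    print("HKDF known answer  :", hkdf_known_answer())
```

Two things to notice. The server only ever sees `master_password_hash`, which is itself derived from the master key rather than the password, and it stretches that value again before storing it, so neither a sniffed login nor a dumped database hands an attacker the encryption key. And the e-mail address is the salt, which is why Bitwarden normalises it: a capitalised e-mail would otherwise derive a different key and fail to decrypt the vault.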
Because it is open source, Bitwarden's code is reviewed far more widely than a closed product's, and the company also commissions regular third-party audits and runs a public bug bounty programme. No audit proves the absence of vulnerabilities, and findings have been reported and fixed over the years; what matters is that the reports and the fixes are published rather than hidden, which is the realistic standard for a password manager.
Should a breach ever occur, Bitwarden's transparency commitments mean users would be notified promptly and given concrete steps to protect their credentials.
Bitwarden supports several second factors for login: any TOTP authenticator app (Google Authenticator, Authy and the like), e-mail codes and FIDO2 WebAuthn security keys on the free plan, plus Duo and YubiKey OTP on Premium. Biometric unlock on the mobile and desktop apps (fingerprint or face) is a convenience for unlocking a vault that is already on the device; it is not a second factor for logging in, so enable one of the options above as well.
Premium also includes emergency access: you designate a trusted contact who can request access to your vault in an emergency, and you set a waiting period during which you can reject the request before it is granted. The grant works by encrypting your key to the contact's public key, so Bitwarden itself still cannot read the vault.
Bitwarden also integrates with Have I Been Pwned: the free data breach report checks your e-mail addresses against known breaches, and the Premium exposed passwords report checks each stored password against the Pwned Passwords corpus using its k-anonymity range query, so the full password hash is never sent.
Finally, Bitwarden keeps a password history of up to five previous values for each item, so you can recover an older password if a change did not go through on the website.
User Experience and Interface
When it comes to the design, Bitwarden’s UI might seem a little too minimalistic for some users. However, its focus falls on prioritizing functionality over sophisticated looks, which is why the user interface utilizes high-contrast colours and a simple layout, allowing users to always know where they are and what they are looking at. Bitwarden even carried out their own case study and research on its UI with the results showing that a vast majority of both users and non-users stated that the interface was in fact ‘clean’, ‘modern’ and ‘professional’.
(Image source: Bitwarden)
This also ensures readability and great navigation. Bitwarden also supports dark mode, enabling users to change the theme to a darker, softer hue when used. Speaking of navigation and changes, the layout stays consistent regardless of the device that you are using, making it simple to learn and start using on a regular basis on different devices.
Accessibility is clearly a priority, so that the software can be used by everyone. This is backed up by the stated compliance with WCAG AAA standards, which lets those who rely on screen readers use all of its features, and by multilingual support with translations in over 40 languages.
Putting Bitwarden to the test
Now that we’ve gone over the principles behind Bitwarden, it’s time to see if the software can live up to the hype. In this section, we are going to gauge its performance by running multiple tests on different browsers, devices and operating systems in order to see what the results are going to show.
Performance
Let's start with Bitwarden's performance and load times. You can access your vault through a browser extension, the desktop app, the web app, the mobile apps and even a command-line interface. All of them work the same way: they connect to the same server, and each keeps an encrypted local copy of the vault so reads do not depend on the network after the first sync.
From our experience, the browser extension feels the fastest, because it has less to load than the full web vault or the desktop app. In reality, load times depend mostly on your network connection, but we consistently saw times comparable to ordinary websites (2-3 seconds or less) across Chrome, Firefox and Safari.
After logging in, there is a slight delay as the encrypted vault data is synced and decrypted, but subsequent searches and password retrieval are near-instantaneous.
Responsiveness
When it comes to responsiveness, we wanted to test out whether the autofill option can instantly fill the fields that you are typing into. In general, the tests showed that the feature is super fast, popping up instantly as you begin to type with the time being under a second.
Additionally, when registering on a new website Bitwarden automatically suggests a "Securely Generated Password" and upon successful registration and redirection, prompts you to save the credentials, making the process very smooth.
Next up, we wanted to check how Bitwarden would perform with websites that don’t use standard form fields. After some unexpected issues initially, we noticed the ‘Linked custom fields’ feature, which allowed us to manually map a custom field to the website’s unusual field name. This ultimately resolved the issue, proving that such situations were already accounted for.
Autofill on mobile is also good, with a convenient keyboard overlay on Android 11+ and Share Sheet integration on iOS.
Autofill speed
Next, we decided to test how fast Bitwarden can autofill passwords. Once you are logged in and your vault is unlocked, the autofill process happens incredibly fast on both desktop and mobile, inserting passwords without any noticeable delay.
If you store the site's TOTP secret in the item (the integrated authenticator is a Premium feature), the current 2FA code is copied to your clipboard after autofill, ready to paste. The clipboard is readable by other applications, so set the "clear clipboard" timer in the settings. If a login needs a PIN or a security question, you can store those in custom fields and they autofill together with the username and password.
Reliability
In general, Bitwarden has remained stable throughout our experience and tests, rarely showing unavailability issues.
Bitwarden publishes its own status page and performs maintenance every few weeks; we did not experience disruptions outside those windows, and even during the announced maintenance we saw no downtime. That said, there are users online who report short periods of unavailability and slow-loading pages.
For those running the self-hosted version, reliability depends entirely on your own infrastructure. The Docker-based deployment makes it simple to set up on a range of platforms, which is what we used on our end, and we found no faults in the containers we ran for our installation.
Can it run offline?
Offline, Bitwarden works in a read-only mode: every client caches your entire encrypted vault locally after the first login, so if your vault locks or the session times out you can still unlock it with your master password, PIN or biometrics and read your data without a connection.
That is possible because, in a zero-knowledge design, decryption has to happen on your device rather than on the servers. The one constraint is that the first login on a new device must be online to download the encrypted vault, which can be a pain when you have no Internet access.
Integrations and Compatibility
When it comes to integration, Bitwarden has an extension for the most popular browsers including Chrome, Firefox, Edge and Safari. When it comes to browser support and compatibility, the official documentation states that extensions are supported for the most recent versions of the most popular browsers, whereas for other browsers like Brave, Tor and Vivaldi, only the latest version is supported.
There is also a disclaimer that not all features are supported across all browsers. As an example, the documentation states that the biometric unlock feature only works on Chromium-based browsers and Firefox version 87 and above.
Software and tools
For integration with other tooling, it is important to know that Bitwarden's automation integrations are built on Bitwarden Secrets Manager, a separate product for machine credentials, rather than on the password vault itself; they authenticate with a machine-account access token, not with a user's master password. With that in mind, there is an Ansible collection (bitwarden.secrets) whose lookup plugin fetches secrets for use in playbooks, automating the whole process.
There is also a dedicated GitHub Action (bitwarden/sm-action) that fetches secrets and injects them into the job as masked environment variables, which makes securing a CI/CD pipeline straightforward. GitLab users can call the Secrets Manager CLI (bws) from their pipelines instead.
Finally, Bitwarden offers a Kubernetes operator (sm-operator) that syncs Secrets Manager secrets into Kubernetes Secret objects in your cluster.
Direct integrations with specific applications are not a Bitwarden focus, but you can wire the password vault into your own scripts through the Bitwarden CLI and its APIs.
The Bitwarden APIs
When it comes to using the Bitwarden API, there are 2 main options available - the Vault Management API and the Public API. The Vault Management API is used for interacting with items within your vault like adding, retrieving and editing credentials. The Public API, on the other hand, is designed for managing users, groups and other organization-level settings.
The Public API requires an organization API key, generated from the web client. During our testing with a free account on the bitwarden.com server we could not find the option to generate one. Organization API keys are only offered on the Teams and Enterprise plans, which explains why a free account never sees the option; the documentation could say so more prominently. We were only able to generate user-level API keys, which cannot be used for organization purposes.
As for the Vault Management API, it is essentially a wrapper around the `bw` CLI tool. To use it, you first download `bw`, configure it and authenticate with your master password, then start a local server that listens for HTTP requests and translates them into `bw` commands. During our testing we found the download process for the Linux version of `bw` a bit awkward. The URL in the documentation is not a direct link to the resource, which complicates scripted downloads, and the tool ships as a zip archive, so the unzip utility has to be installed. Experienced Linux users will hardly notice, but it is an extra step that could have been skipped; `npm install -g @bitwarden/cli` installs the same tool without the zip detour.
Once `bw` is downloaded, you have to configure it with your server details using:
bw config server https://<your-bitwarden-server.tld>
Then, you need to log in with:
bw login
After that, you need to run:
bw serve
This starts the API server, which in our testing listened only on the IPv6 localhost address by default, so we forced it onto IPv4 with:
bw serve --hostname 127.0.0.1
Finally, you can use the Vault Management API, but first you must unlock the vault through the local server (127.0.0.1:8087) by POSTing your master password to /unlock in the request body. Keep in mind that this server is plain, unauthenticated HTTP: any process running as your user, and on a multi-user host any local user who can reach the loopback interface, can read your vault for as long as it stays unlocked. Never bind it to a non-loopback address, and POST to /lock as soon as you are done.
The whole `bw serve` approach feels heavier than it needs to be, and it is fair to ask why there is no server-side API. The answer is the zero-knowledge model: the vault can only be decrypted on a client that holds the key, so any API that returns plaintext has to run next to that client, which is exactly what `bw serve` does. The design is sound, but the experience could definitely be smoother.
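Here is the unlock, lookup and lock sequence from above as an added example (my code for this review, not Bitwarden's). The endpoint paths and the {"success": ..., "data": ...} envelope are those documented for `bw serve`; the base URL assumes the server was started with `bw serve --hostname 127.0.0.1 --port 8087`, and the sample vault at the bottom is constructed data that stands in for a real server so the script also runs offline.

```python
"""Minimal client for the local Vault Management API exposed by `bw serve`.

Added example, not Bitwarden's code. The endpoint paths (/unlock, /lock,
/list/object/items) and the {"success": ..., "data": ...} envelope are
those documented for `bw serve`; the base URL assumes the server was
started with `bw serve --hostname 127.0.0.1 --port 8087`. Every function
takes a `transport` so it can run against the constructed stand-in at the
bottom without a real vault; by default it talks HTTP over loopback.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:8087"      # assumed: loopback only, never a routable address


def http_transport(method, path, body=None):
    """Send one request to the local bw serve instance and return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _call(method, path, body=None, transport=http_transport):
    """Issue a request and unwrap the bw serve envelope, failing loudly on success=false."""
    reply = transport(method, path, body)
    if not reply.get("success"):
        raise RuntimeError(f"{method} {path} failed: {reply.get('message')}")
    return reply.get("data")


def unlock(master_password, transport=http_transport):
    """POST /unlock: the master password crosses only the loopback interface, never the network."""
    return _call("POST", "/unlock", {"password": master_password}, transport)


def lock(transport=http_transport):
    """POST /lock: do this as soon as the script is done; an unlocked bw serve is readable by any local process."""
    return _call("POST", "/lock", transport=transport)


def find_logins(search, transport=http_transport):
    """GET /list/object/items?search=...; keep only login items (type 1), dropping notes, cards and identities."""
    query = urllib.parse.urlencode({"search": search})
    data = _call("GET", f"/list/object/items?{query}", transport=transport)
    return [item for item in data["data"] if item.get("type") == 1]


def credential_for(search, transport=http_transport):
    """Return (username, password) for exactly one matching login; ambiguity is an error, not a guess."""
    matches = find_logins(search, transport)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} items match {search!r}; refine the search")
    login = matches[0]["login"]
    return login["username"], login["password"]


# Constructed sample vault used by the stand-in below; these are not real credentials.
SAMPLE_ITEMS = [
    {"id": "a1", "type": 1, "name": "GitLab", "login": {"username": "deploy", "password": "s3cr3t"}},
    {"id": "a2", "type": 2, "name": "GitLab runbook", "notes": "rotate quarterly"},
    {"id": "a3", "type": 1, "name": "GitHub", "login": {"username": "ci", "password": "t0k3n"}},
]


def stub_transport(items, master_password="correct horse"):
    """Stand-in for bw serve with the same envelope and lock semantics, for offline use."""
    state = {"unlocked": False}

    def transport(method, path, body=None):
        url = urllib.parse.urlsplit(path)
        if method == "POST" and url.path == "/unlock":
            state["unlocked"] = (body or {}).get("password") == master_password
            return {"success": state["unlocked"],
                    "message": None if state["unlocked"] else "Invalid master password."}
        if method == "POST" and url.path == "/lock":
            state["unlocked"] = False
            return {"success": True, "data": {"object": "message", "title": "Your vault is locked."}}
        if method == "GET" and url.path == "/list/object/items":
            if not state["unlocked"]:
                return {"success": False, "message": "Vault is locked."}
            needle = urllib.parse.parse_qs(url.query).get("search", [""])[0].lower()
            hits = [i for i in items if needle in i["name"].lower()]
            return {"success": True, "data": {"object": "list", "data": hits}}
        return {"success": False, "message": f"unhandled {method} {path}"}

    return transport


if __name__ == "__main__":
    t = stub_transport(SAMPLE_ITEMS)        # swap for http_transport against a real bw serve
    unlock("correct horse", transport=t)
    print("GitLab deploy credential:", credential_for("gitlab", transport=t))
    print("logins matching 'git':", [i["name"] for i in find_logins("git", transport=t)])
    lock(transport=t)
```

Against a real instance, pass `http_transport` (the default) and feed the master password from a prompt or an environment variable rather than a command-line argument, which would land in shell history and the process list. The `lock` call at the end is the part people forget: the server keeps serving plaintext until you lock it or stop `bw serve`.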
Community and Support
Bitwarden has a large, active community on its official forums and on GitHub. The forums are a good place to find answers to common questions or get help from other users, and the GitHub repositories show consistent activity, with regular commits and a development team that responds to issues. At the time of writing the main Bitwarden server repository has 15.8k stars and 1.3k forks. Having everything in the open on GitHub is a real plus: bug reports, feature requests and releases are all easy to track.
Bitwarden also comes with a very detailed and well-organized documentation. It covers nearly every aspect of the software, from basic usage to advanced features and self-hosting. For instance, there are detailed guides for setting up single sign-on (SSO), configuring two-factor authentication (2FA) and virtually everything you need to know about managing your vault and organizations.
In terms of support, Bitwarden offers a variety of channels that you can easily utilize such as emails, a ticketing system and a community forum. The community forum is a great resource for quick answers, as there are often other users who have experienced the same issue.
Comparison with others
The next thing that we wanted to do is to make a detailed comparison between Bitwarden and other password managers on the market, both open-source and premium ones. Here are the results:
| Password Manager | Security | Storage & Accessibility | Notable Features | Ease of Use | Unique Considerations |
| --- | --- | --- | --- | --- | --- |
| Bitwarden | Open-source, AES-256, zero-knowledge | Unlimited passwords | Password generator, 2FA, browser extensions | User-friendly, mildly technical | Full transparency due to open-source development |
| Dashlane | AES-256, 2FA | May have storage limitations | Secure sharing, autofill | Highly user-friendly | Limited features in free version |
| RoboForm | AES-256 | May have storage limitations | Form filling, password monitoring | Easy to use, needs exploration | Strong form-filling capabilities |
| NordPass | AES-256 | Limited storage in free plan | Beginner tutorial, password manager basics | Exceptionally easy to navigate | Ideal for beginners |
| Keeper | AES-256, zero-knowledge | May have storage limitations | Data breach notifications, secure messaging | User-friendly, feature-dense | Advanced features only in paid tiers |
| Norton Password Manager | AES-256 | Limited free version storage | Seamless Norton integration | User-friendly | Best for existing Norton users |
| LastPass | AES-256, zero-knowledge | Unlimited passwords (single device only) | Autofill, password sharing | Easy to use | Limited device syncing in free version |
| Avira Password Manager | AES-256 | Limited free version storage | Cross-platform compatibility | Beginner-friendly design | Works well with Avira antivirus |
| Sticky Password | AES-256 | Limited free version storage | Offline portable USB storage | Generally intuitive | Strong for offline storage preferences |
| 1Password | AES-256 | Limited free version storage | Document storage, breach monitoring | Balanced design | Features like Travel Mode limited in free version |
Key takeaways
- All password managers utilize AES-256 encryption, but Bitwarden stands out as fully open-source, offering unparalleled transparency and community-driven development.
- Keeper and LastPass also implement zero-knowledge architecture, aligning with Bitwarden on privacy prioritization.
- Bitwarden and LastPass provide unlimited password storage in their free plans. Other providers, such as Dashlane, Avira and Sticky Password, have limitations in the free versions.
- Bitwarden includes a secure password generator, 2FA and browser integration, combining core essentials with advanced capabilities.
- Bitwarden is beginner-friendly but might feel technical for some users compared to NordPass, which is explicitly tailored for ease of use.
- Bitwarden's open-source model is a rarity.
Use Cases
As we have said throughout this review, Bitwarden suits both personal and business use. Its pricing and plans point to a few natural use cases.
Personal Storage
The free plan already offers everything most people need from a password manager: safe storage, no limit on the number of items and solid security with optional two-factor authentication, which makes Bitwarden the obvious choice for anyone who wants to store credentials securely at no cost.
Family or Small Business
The Families plan, with its six accounts, is the right choice for households that want to share credentials. Small businesses, organizations and startups are better served by the Teams plan, which is the entry point to the business tiers and brings the access controls, administrative rights and event logs that shared company credentials require.
Businesses and Enterprise
While Bitwarden fits the bill for both individual and small group usage, it is also very capable of handling larger businesses and enterprises as well. With its more refined, advanced and custom plans, the password manager is a very lucrative option for those businesses and corporations that need to manage a lot of accounts and the access to them.
Overall, Bitwarden emerges as a robust and versatile password manager, appealing to a broad audience with its open-source transparency, security features and affordability. With strong encryption, cost-effective plans and a feature-rich tool suite, it makes storing credentials a quick and easy task. It is a solution that just works, and a compelling choice for anyone seeking a reliable password manager, from individuals to large organizations.