bitwarden - Free Password Manager Reviews

A much better choice than Lastpass, but not the best choice overall

about bitwarden - Free Password Manager and 1Password, KeePassXC, LastPass · · Helpful Not helpful 7 Helpful

Password managers are essential and come in many different shapes and sizes. The best advice is to go with something that is open source, which the "big players" like LastPass, 1Password and Dashlane aren't. Open source software ensures a higher level of trust, and enables security flaws to be found much more quickly.

The Good:

BitWarden is open source, which is good for security and trustworthiness. However, like its closed-source competitors mentioned above, it syncs an encrypted version of your password library to a central server, so that your logins are available wherever you are. All you have to do is install a browser plugin or phone app. Additionally, it offers 2-factor authentication via mobile. One of the major advantages over BitWarden is that it encrypts your URLs (web addresses) whereas Lastpass does not (and I think 1Passwords doesn't either). This means they can read which websites you have accounts with, how often you visit them, and that means this data can be subpoenad and used to profile you, which would be a violation of your privacy.

The Bad.

Bitwarden does not give you access to your passwords if you don't have an internet connection active. That's bad news because if you store data there that might be of use even in an offline situation, you can't get to it. BitWarden is also based in Florida, which puts it under US legal jurisdiction, which is far from ideal. Although it's open source, the data - in it's unreadable, encrypted format - is stored on Microsoft's servers. That probably means the servers are well managed and secure, but if the data was asked for by federal agencies under National Security Letter or FISA laws, they would probably hand it over and tell you nothing about it. It would be encrypted, but they would still have a copy for future use if they wanted. The fact that Bitwarden (and Lastpass, etc) store your data on a central server (whoever it belongs to), means there is a high-value target servers somewhere for hackers to try to breach. This has been LastPass's perennial problem, and in the case of OneLogin, another related servers, an attack seems recently to have succeeded. Finally, Bitwarden is a young project and does not enable you to store other types of data than passwords (e.g. notes, credit card numbers) with the same ease as other projects.

My advice

Use a local database that you sync yourself (e.g. KeePassXC, which works with browser plugins on Windows, Mac and Linux). If you absolutely need something that syncs for you, go with Bitwarden (although there are others, like Encryptr, which are simpler and also open source). Avoid LastPass and 1Password like the plague. They will make your passwords more secure only up to a point, and your internet habits much less private.

Summary

KeepassXC (OSS, local) > BitWarden (OSS, synced) = Encryptr (OSS, synced) > Enpass (closed, local) >>> Lastpass = 1Password = Dashlane (closed, synced)


2017-06-25 update: I have been testing BitWarden for the past couple of weeks. I am impressed by how much of the functionality of LastPass it can offer for such a young project. The developer is also responsive and has fixed a GUI bug I reported. He predicts addtitional features in the summer of 2017, including Yubikey for paying customers (same price as LastPass: $1/month). I would like to see Bitcoin as a payment option, but about this he says he is undecided.

Reply