Introduction to Bitwarden Password Management Software

Bitwarden Password Manager

When you have hundreds or thousands of online account passwords, managing them becomes a pressing problem. Web, app, and other accounts add up to more passwords than anyone can remember, so you need a tool for unified, synchronized management. An ideal tool should be cross-platform, support various operating systems, and be accessible anytime and anywhere. Here we’ll talk about the open-source software Bitwarden.

Security Warning for Password Managers

There is no absolute security, nor absolute convenience. It’s a balancing act between the two. Try not to store important credentials such as bank card and ID details on Bitwarden or other password management platforms, to prevent security incidents. You can store web accounts, intranet app accounts, and so on. Strengthen server security measures. Keep passwords both locally and on the server to reduce risk.

Introduction to Bitwarden

Bitwarden is a secure open-source password manager with a lot of additional features. I have tested the security and usability of all of Bitwarden’s features, and it performs very well. It is actually one of the best choices for advanced users on the market, competing closely with well-known password managers like 1Password.

Bitwarden has all the security tools I expect from a high-end password manager, including strong encryption, two-factor authentication (2FA), password security auditing, password leak monitoring, and cloud or local hosting options. It allows you to safely send sensitive information and files to non-Bitwarden users.

Bitwarden’s drawbacks:

  • The user experience is slightly inferior. Importing passwords from a browser or other password manager can be a bit tricky, sharing and syncing password databases with other users is very complicated, and automatic saving and filling may be clumsy.
  • The UI is not particularly intuitive.
  • The server web end is exposed on the public network and cannot hide the server home address.

For tech-savvy and budget-limited users, Bitwarden is a good low-cost choice: it is highly secure, can handle basic password management well, has several very useful additional features, and has low deployment costs. Users with some technical skills are advised to set it up on their own servers.

 

Bitwarden Security Discussion

Bitwarden’s website states clearly that whether it’s official or self-hosted, the data stored in the database will be encrypted using the “Master Password” field of that account. This means that as long as your master password is not leaked, neither the server owner nor a third party who obtains the database can obtain the plaintext information you have saved in the database.

The second question is: if a man-in-the-middle attack occurs, intercepting the traffic and breaking the SSL/TLS encryption, will the passwords being uploaded to the Bitwarden server be exposed as plaintext?

No, it won’t. If you’ve used the Bitwarden web or client-side, you may have noticed the “Passphrase” setting in the options. This is an encrypted string used for exchanging information between the client and the server, which is essentially end-to-end encryption. When the local client uploads a new password to the server, it encrypts the information using the passphrase locally, and the server decrypts it using the same passphrase upon receipt. Therefore, even if the traffic transmission is intercepted and decrypted, the obtained information is still encrypted by the passphrase, and plaintext password leakage won’t occur.

Bitwarden uses 256-bit AES encryption (the same encryption used by banks and governments worldwide) to ensure the security of user data, so you can safely store information on Bitwarden’s cloud servers. However, if you are concerned about your data being damaged in the cloud, Bitwarden also offers the option of local data storage (self-hosted). For tech-savvy and security-conscious users, this is a good option, but in fact, Bitwarden’s server is more secure than most users’ local networks, so local storage is not something most users need to worry about.

Bitwarden is also a zero-knowledge password manager, meaning that no one in the company can access or view the data in your Bitwarden vault—you are the only one who knows your master password, and therefore the only one who can decrypt your Bitwarden vault. From a security standpoint, this is a good thing, but it does mean that if you forget your master password, you won’t be able to access all your passwords—unlike some competitors (such as LastPass), Bitwarden doesn’t offer any account recovery service options. That said, if you set up biometric login or enable emergency access on another device, you can still access your vault, and there is also an option to set a master password hint for this situation.

Bitwarden also has all the security tools and features that other advanced password managers have, including:

  • Multiple two-factor authentication (2FA) options.
  • Password generator.
  • Password sharing.
  • Password auditing and breach monitoring.
  • Emergency access.

Analysis of Bitwarden’s Features

Password Vault

Bitwarden has a practical vault that allows you to store passwords and a lot of other information. However, it is not as intuitive as many other password managers, and some of its organizational features are quite clumsy. Bitwarden’s vault allows you to store four main types of data:

  • Logins.
  • Identities.
  • Credit cards.
  • Secure notes.

Each of these items has a form with a fair amount of fields—all the standard fields you’d want, plus some custom options. There is also an option to create folders, so you can keep your vault organized, which is a nice feature. However, I did not find Bitwarden’s vault particularly intuitive or easy to use. I prefer the vaults of other password managers, such as RoboForm, which has one of the most detailed vaults on the market, with templates that cover almost every piece of data you can imagine, or 1Password, which has one of my favorite usability and

 

Password Generator

The password generator in Bitwarden is simple and effective. It allows users to generate random strings of numbers, letters, and symbols, or create easy-to-remember passphrases such as “correct-horse-battery-staple”. It can also generate a username, which can include a part of your email address or other defined options. Not all password generators have as many options as Bitwarden. Dashlane only generates random passwords, so I like these additional features in Bitwarden.

I also like that Bitwarden can generate passwords that are 5 to 128 characters long. The default password length is 14, which is fine, but I recommend that your password be at least a few characters longer. I also think it’s cool that you can choose to exclude ambiguous characters from your password, although this is not too important as you don’t actually have to remember the password (but it’s still a good practice!).
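The options described above (length bounds of 5 to 128, a default of 14, excluding ambiguous characters, and passphrases) can be sketched as follows. This is an added example, not Bitwarden's code; the ambiguous-character set, the symbol set, and the tiny word list are assumptions made for illustration.

```python
import math
import secrets
import string

AMBIGUOUS = set("Il1O0")  # assumed set of look-alike characters
MIN_LEN, MAX_LEN, DEFAULT_LEN = 5, 128, 14  # bounds and default quoted in the text

# Constructed mini word list; a real generator draws from thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "cactus", "lantern"]


def build_classes(avoid_ambiguous=False):
    """Return the character classes to draw from, optionally minus look-alikes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*"]
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes


def generate_password(length=DEFAULT_LEN, avoid_ambiguous=False):
    """Random password from a CSPRNG with at least one character per class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    classes = build_classes(avoid_ambiguous)
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]  # one from each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide the class order
    return "".join(chars)


def generate_passphrase(num_words=4, separator="-", words=WORDS):
    """Passphrase of independently chosen words joined by a separator."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


def entropy_bits(length, avoid_ambiguous=False):
    """Upper-bound entropy: length * log2(alphabet size)."""
    alphabet_size = sum(len(cls) for cls in build_classes(avoid_ambiguous))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(), generate_password(20, avoid_ambiguous=True))
    print(generate_passphrase())
    for n in (14, 20):
        print(n, round(entropy_bits(n), 1), round(entropy_bits(n, True), 1))
```

Comparing `entropy_bits(14)` with `entropy_bits(20)` shows why a few extra characters matter far more than whether ambiguous characters are excluded.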

Using Bitwarden to generate passwords and copy and paste them is easy, but I had some trouble getting Bitwarden to automatically save these new logins. During my testing, Bitwarden didn’t automatically save several passwords I had just generated, so I had to manually copy and paste the new login name into my vault. This isn’t too time-consuming, but considering that competitors like 1Password and Dashlane can automatically save passwords quickly and easily, this is definitely something I would like Bitwarden to do better. However, Bitwarden also allows you to view the history of generated passwords, which will be very useful if automatic saving doesn’t work or you forget to save the password. Dashlane also has this feature, but many password managers do not.

Overall, Bitwarden makes creating super-strong passwords or password phrases very easy. I think the many custom options in Bitwarden’s password manager are great, and I especially like that it can generate passwords up to 128 characters long.

 

Sharing Sensitive Information – Send

Bitwarden has a fantastic (and unique) feature that allows for easy and secure sharing of sensitive information with any recipient, called “Send”. The Send feature is built into Bitwarden’s web dashboard, browser extensions, mobile apps, and desktop applications, and allows you to quickly share files (up to 500 MB on desktop, 100 MB on mobile) and text information, which may include passwords, notes, or other sensitive data.

One major advantage of this feature is that the recipient does not need a Bitwarden account. Most top password managers, like Dashlane and 1Password, offer secure sharing features – but the recipient needs an account to access them. Send is completely different in this regard.

You can create and store Sends in a specific section of your Bitwarden vault. When creating a new Send, you give it a name, write the text you want the recipient to see and/or attach the files you want them to be able to access, select from a range of access-related options, and then click Save. Bitwarden then generates a unique URL for that particular Send, hosted on their secure servers, which anyone you share the link with can access.

This feature is a great way to send sensitive information to a company or other third party, as it means it won’t be indefinitely retained in their email account. When creating your Send, you can limit how long it can be accessed for and how many times it can be accessed. You can also password-protect it, meaning only the recipient who has both the URL and the password (which you will send separately) can access it.

I really like this feature, but it only provides access to a single, static item of data. If you want to share and sync entire folders or vaults with other users, or share passwords that your friends can automatically use to log into accounts, you’ll need to use Bitwarden’s organizational features, which are more like traditional password manager sharing features.

Bitwarden also has a more traditional password sharing feature, similar to what Dashlane and LastPass offer. This feature allows you to share login information and other details from your vault with friends and family, but they need a Bitwarden account to view, access, and use all the data.

Bitwarden’s sharing feature works through Organizations, which is essentially a shared vault. You first create an organization and add all the passwords and other data that you want to share. Then, you send invitations to your chosen recipients and select their access level – including whether they can access and modify the entire vault or if they only have read-only access. There is also an option to hide passwords, which means they can use them to log in but cannot read them.

You can also create collections within your organization, making it easy to organize your logins and who has access to what. For example, if you are sharing passwords with your family through the organization, you can group items that everyone can access into one collection and create another collection for sensitive information that you only want to share with your partner, not your children.

Both the free and premium plans of Bitwarden include one free organization where you can store an unlimited number of items. However, you can only create two collections and share them with one other user. If you want to share with more users, you can upgrade to the Family plan, which allows you to create an unlimited number of organizations and collections and share with up to six different people. Users who want to share passwords with more than six people will need to upgrade to one of Bitwarden’s business plans. Teams and Enterprise plans offer organizations that can include an unlimited number of Bitwarden users.

While I like the convenience of sharing vaults, setting up organizations and collections between users is a bit cumbersome and the options it offers are somewhat limited. Other top password managers, like Dashlane, provide a more intuitive and flexible sharing experience. Additionally, if you want to share login information with multiple users, you have to upgrade to the Family plan. On the other hand, Bitwarden Families allows for comprehensive shared vault management among up to six users and is much cheaper than competitors.

 

Bitwarden offers various password auditing tools to ensure the security of your vault. These “reports” provide valuable information that can help you analyze different aspects of your password vault. Here are the password auditing checks offered by Bitwarden:

  • Exposed passwords: checks if any saved passwords are in breach databases.
  • Reused passwords: scans your vault for duplicate passwords.
  • Weak passwords: flags simple and weak passwords in your vault.
  • Insecure websites: warns you if you have accounts on sites using the insecure HTTP protocol instead of the more secure HTTPS protocol.
  • Inactive 2FA: highlights accounts in your vault that support 2FA logins, which you can set up using Bitwarden’s TOTP authenticator for added security.
  • Data breaches: checks whether your email addresses or usernames appear in any data breaches.
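Three of the checks listed above (reused passwords, weak passwords, insecure websites) can be sketched as a small offline audit. This is an added example, not Bitwarden's implementation; the vault entries are constructed, and the 60-bit threshold and the character-class strength estimate are assumptions (real checkers use pattern-aware estimators).

```python
import hashlib
import math
import string
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample vault; names, URIs and passwords are made up for this example.
VAULT = [
    {"name": "forum",    "uri": "http://forum.example.org/login", "password": "summer2020"},
    {"name": "webmail",  "uri": "https://mail.example.com",       "password": "summer2020"},
    {"name": "intranet", "uri": "https://wiki.example.net",       "password": "k9#Vq2!mZr7$Lp4x"},
    {"name": "router",   "uri": "http://192.0.2.1/admin",         "password": "admin"},
]


def reused_passwords(vault):
    """Group item names by password digest; return groups with more than one item."""
    groups = defaultdict(list)
    for item in vault:
        digest = hashlib.sha256(item["password"].encode()).hexdigest()
        groups[digest].append(item["name"])
    return sorted(names for names in groups.values() if len(names) > 1)


def estimated_bits(password):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            pool += len(cls)
    return len(password) * math.log2(pool) if pool else 0.0


def weak_passwords(vault, min_bits=60):
    """Items whose estimated strength falls below the (assumed) threshold."""
    return [i["name"] for i in vault if estimated_bits(i["password"]) < min_bits]


def insecure_sites(vault):
    """Items whose login URI uses plain HTTP rather than HTTPS."""
    return [i["name"] for i in vault if urlparse(i["uri"]).scheme == "http"]


if __name__ == "__main__":
    print("reused:", reused_passwords(VAULT))
    print("weak:", weak_passwords(VAULT))
    print("insecure:", insecure_sites(VAULT))
```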

Data breach monitoring is included in Bitwarden’s free plan, but you need to upgrade to the premium plan to access all other reports. This is a shame as competitors like Dashlane include this feature for free. That being said, other companies like Password Boss also charge for their password auditing tools, and Bitwarden’s plans are at least priced reasonably.

Bitwarden’s password auditing feature works well – it found all weak and duplicate passwords, insecure sites, inactive 2FA, and breached logins in my testing, so it was easy to see which passwords I should change.

My only complaint is that Bitwarden doesn’t have real-time breach monitoring – competitors like Dashlane and Keeper automatically notify users when their sensitive information appears on the dark web, while Bitwarden only checks when you manually search. However, if you regularly check the security of your online accounts, this shouldn’t be an issue.

Overall, Bitwarden’s vault health report makes it easy to monitor login strength and change weak or compromised passwords.

 

Bitwarden offers an emergency access feature for its premium users. This is an important feature that allows your trusted contacts, such as family members, to access your passwords in case of an emergency. I’m glad to see that Bitwarden provides this feature.

Setting up and using Bitwarden’s emergency access is easy. From your main account settings in the Emergency Access tab, simply click +Add Emergency Contact, enter the email address of the contact you choose, and define their waiting period and access level. They will receive an email notification and need to create a Bitwarden account if they haven’t already done so – a free account is sufficient. Once both parties accept and re-confirm trusted contact, an encrypted key (linked to your emergency contact’s email address and Bitwarden account) is created and stored, allowing your vault to be decrypted in an emergency.

If/when your contact needs access, they simply request it from their Bitwarden account, and if you do not manually accept or decline the request, they will automatically be granted access after the specified waiting period (which you set up when first establishing trusted contacts). You also specify the vault access level your contact will be granted: View (they can read/view all items in your vault) or Takeover (they create a new master password and gain complete control of your vault).

Overall, this is a great feature that is easy to set up and works perfectly, providing peace of mind. Most password managers have similar features, although Password Boss allows you to choose specific passwords to share with specific contacts instead of automatically sharing your entire vault, which is a nice customization level that I would like to see more password managers offer.

 

 
