Tuesday, May 1st, 2018

Update 2021-02-25: (Disclaimer: I’m not a cryptographer, and not affiliated with or sponsored by Passbolt in any way, shape or form). I’ve reviewed another Open Source personal and team password manager called Passbolt. Without going into a full review, its security looks impressive. Passbolt uses plain, old, trusted GPG with asymmetric public / private key encryption to encrypt and share secrets. Secrets are end-to-end encrypted, and a separate browser plugin is used for the client-side encryption. This (apparently) makes the crypto safer than plain Javascript client-side encryption. (yada, yada, CPRNG) This architecture is also more resilient against server-side breaches, as an attacker that gains access to the server cannot inject code into the javascript, given that it’s a separate plugin. The private key never leaves your client, as far as I can tell. The Open Source version does not support 2FA, however it already requires the private key and a password (with which the private key is encrypted). So basically it’s already 2FA by design. Passbolt is slightly less easy to use, but for team-based password sharing, I highly recommend it.

Update: Kyle Spearrin, the lead developer of Bitwarden, contacted me regarding this blog post. Some issues (unnecessary loading of resources from CDNs and disclosure of my email address to a third party without confirmation) have already been resolved. Mitigations for other issues were already in place, although I haven’t had time to confirm this yet. I’ll update this post with more details as soon as possible.

Keeping your online accounts secured and managing your passwords is no easy task. Thankfully, Bitwarden is here to help simplify securing your most sensitive data. That, as Bitwarden founder and chief technology officer Kyle Spearrin admits, is “better than not using anything”: people using browser password managers is preferable to the alternative.


Bitwarden is an open source online password manager:

The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data.

Bitwarden offers both a cloud hosted and on-premise version. Some notes on the scope of this blog post and disclaimers:

  • I only looked at the cloud hosted version.
  • This security review is not exhaustive; I only took a few minutes to review various things.
  • I’m not a security researcher, just a paranoid enthusiast. If you find anything wrong with this blog post, please contact me at ferry DOT boender (AT) gmaildotcom.

Here are my findings:

Encryption password sent over the wire

There appears to be no distinction between the authentication password and encryption password.


When logging in, the following HTTP POST is made to Bitwarden’s server:

That’s a base64 encoded password. (Don’t worry, I anonymized all secrets in this post; besides, it’s all throw-away passwords anyway). Let’s see what it contains:


Okay, at least that’s not my plain text password. It is encoded, hashed or encrypted somehow, but I’m not sure how. Still, it makes me nervous that my password is being sent over the wire. The master password used for encryption should never leave a device, in any form. I would perhaps have expected two passwords here: one for authentication and one for encryption.

The reason it was implemented this way is probably because of the “Organizations” feature, which lets you share passwords with other people. Sharing secrets among people is probably hard to do in a secure way. I’m no cryptography expert, but there are probably ways to do this more securely using asymmetric encryption (public and private keys), which Bitwarden doesn’t appear to be using.

Bitwarden has a FAQ entry about its use of encryption, which claims that passwords are never sent over the wire unencrypted or unhashed:

Bitwarden always encrypts and/or hashes your data on your local device before it is ever sent to the cloud servers for syncing. The Bitwarden servers are only used for storing encrypted data. It is not possible to get your unencrypted data from the Bitwarden cloud servers.

The FAQ entry on hashing is also relevant:

Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.

The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have no value to the hacker.

However, there’s a major caveat here which they don’t mention. All of the encryption is done client-side by Javascript loaded from various servers and CDNs. This means that an attacker who gains control over any of these servers (or man-in-the-middles them somehow) can inject any javascript they like, and obtain your password that way.
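The scheme the FAQ describes, as an added example that is not Bitwarden’s own code (iteration counts, key lengths, the domain label and the `authHash` field name are assumptions), and which also illustrates the PBKDF2 / HMAC-SHA256 description further down this page: the client derives a master key from the password with the email as salt, sends only a value derived from that key, and the server re-hashes that value with its own random salt. It shows why a single master password does not have to mean the encryption key travels over the wire, which is the distinction the paragraphs above are asking for.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Assumed parameters for this illustration; Bitwarden's real values may differ.
CLIENT_ITERATIONS = 5_000
SERVER_ITERATIONS = 100_000
KEY_LEN = 32


def derive_master_key(password: str, email: str) -> bytes:
    """Client side: PBKDF2-HMAC-SHA256 over the master password, salted with
    the normalised email address. This value never leaves the device."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               CLIENT_ITERATIONS, KEY_LEN)


def derive_encryption_key(master_key: bytes) -> bytes:
    """Client side: the key used to encrypt vault items, separated from the
    authentication value by a fixed domain label (the label is an assumption)."""
    return hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Client side: the only secret-derived value that is sent on login.
    One further PBKDF2 round keyed with the master key and salted with the
    password, so it is neither the password nor the encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"),
                               1, KEY_LEN)


def client_login_payload(password: str, email: str) -> dict[str, str]:
    """What goes over the wire: the email and the base64 auth hash
    ("authHash" is a constructed field name, not Bitwarden's API)."""
    master_key = derive_master_key(password, email)
    auth_hash = derive_auth_hash(master_key, password)
    return {"email": email, "authHash": base64.b64encode(auth_hash).decode("ascii")}


def server_register(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: salt the received hash with a fresh random value and
    hash it again before storing; the client-sent value itself is not kept."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt,
                                 SERVER_ITERATIONS, KEY_LEN)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt,
                                    SERVER_ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, stored)


def demo() -> bool:
    """Walk through registration and login; True when everything is consistent."""
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    payload = client_login_payload(password, email)
    sent = base64.b64decode(payload["authHash"])
    salt, stored = server_register(sent)
    master_key = derive_master_key(password, email)
    ok = server_verify(sent, salt, stored)
    wrong = client_login_payload("wrong password", email)
    ok_wrong = server_verify(base64.b64decode(wrong["authHash"]), salt, stored)
    # The value on the wire is distinct from both keys kept on the client.
    distinct = sent not in (master_key, derive_encryption_key(master_key))
    return ok and not ok_wrong and distinct


if __name__ == "__main__":
    print("consistent:", demo())
```

The caveat in the text still applies: every function on the client side here runs in whatever code the browser loaded, so this separation protects against a server breach, not against injected client-side script.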

Indiscriminate allowance / loading of external resources

The good news is that Bitwarden uses Content-Security-Policy. The bad news is that it allows the loading of resources from a variety of untrusted sources. uMatrix shows the type of resources it’s trying to load from various sources:

Here’s what the Content-Security-Policy looks like:

Roughly translated, it allows indiscriminate loading and executing of scripts, css, web workers (background threads) and inclusion of framed content from a wide variety of untrusted sources such as CDNs, Paypal, Duosecurity, Braintreegateway, Google, etc. Some of these I know, some I don’t. Trust I have in none of them.

It would take too long to explain why this is a bad idea, but the gist of it is that the more resources you load and allow from different sources, the bigger the attack surface becomes. Perhaps these are perfectly secure (right now…), but an important part of security is the developers’ security mindset. Some of these resources could have easily been hosted on the same origin servers. Some of these resources should only be allowed to run from payment pages. It shows sloppy configuration of the Content-Security-Policy, namely site-wide configuration in the web server (probably) rather than being determined on a URL-by-URL basis.

The actual client-side encryption library is loaded from vault.bitwarden.com, which is good. However, the (possibility of) inclusion of scripts from other sources negates any security benefits of doing so.

The inclusion of Google analytics in a password manager is, in my opinion, inexcusable. It’s not required functionality for the application, so it shouldn’t be in there.
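To make the attack-surface point concrete, here is an added example that is not the post’s own CSP (which was shown as an image): it parses a Content-Security-Policy header and reports, for the directives that can execute or frame content, every source other than the site’s own origin. The two policies are constructed for illustration, a permissive one naming the kinds of vendors the post lists beside a tightened same-origin one; the hostnames in them are assumptions.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Directives whose sources can run code or render third-party content inside
# the page; these deserve the strictest allow-lists.
CODE_DIRECTIVES = ("script-src", "style-src", "worker-src", "frame-src")

# Constructed for illustration, in the spirit of the policy the post describes.
PERMISSIVE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com "
    "https://www.google-analytics.com https://js.braintreegateway.com "
    "https://www.paypalobjects.com; "
    "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; "
    "worker-src 'self' https://cdnjs.cloudflare.com; "
    "frame-src 'self' https://*.paypal.com https://*.duosecurity.com"
)

# Same site, everything served from its own origin; payment-page exceptions
# would be added per URL rather than site-wide.
TIGHTENED_CSP = (
    "default-src 'none'; script-src 'self'; style-src 'self'; "
    "worker-src 'self'; connect-src 'self'; img-src 'self'; "
    "font-src 'self'; frame-src 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Fetch directives fall back to default-src when not set explicitly."""
    return policy.get(directive, policy.get("default-src", []))


def third_party_origins(policy: dict[str, list[str]],
                        site_origin: str) -> dict[str, list[str]]:
    """For each code-bearing directive, list the sources that are not the site
    itself: external hosts, scheme wildcards such as https:, and the unsafe-*
    keywords, which also widen what may execute."""
    site_host = urlsplit(site_origin).hostname
    findings: dict[str, list[str]] = {}
    for directive in CODE_DIRECTIVES:
        external: list[str] = []
        for src in effective_sources(policy, directive):
            if src.startswith("'"):
                # 'self', 'none', nonces and hashes are fine; unsafe-* is not
                if src in ("'unsafe-inline'", "'unsafe-eval'"):
                    external.append(src)
            elif src.endswith(":") or src == "*":
                external.append(src)  # any host of that scheme, or any host
            else:
                host = urlsplit(src if "//" in src else "//" + src).hostname
                if host != site_host:
                    external.append(src)
        if external:
            findings[directive] = external
    return findings


if __name__ == "__main__":
    for name, csp in (("permissive", PERMISSIVE_CSP), ("tightened", TIGHTENED_CSP)):
        print(name, third_party_origins(parse_csp(csp), "https://vault.bitwarden.com"))
```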

New password entry is sent securely

When adding a new authentication entry, the entry appears to be client-side encrypted in some way before sending it to the server:

It’s base64 again, and decodes into the same obscure binary string as the password when logging in. I have not spent time looking at how exactly the encoding / encryption is happening, so I cannot claim that this is actually secure. So keep that in mind. It does give credence to Bitwarden’s claims that all sensitive data is encrypted client-side before sending it to the server.

Disclosure of my email address to a third party without my consent

I clicked on the “Data breach report” link on the left, and Bitwarden immediately sent my email address to https://haveibeenpwned.com. No confirmation, no nothing; it was disclosed to a third party immediately. Well, actually, since I use uMatrix to firewall my browser, it wasn’t and I had to explicitly allow it to do so, but even most security nerds don’t use uMatrix.

That’s not cool. Don’t disclose my info to third parties without my consent.

Developer mindset

One of, if not the, most important aspects is the developer mindset. That is, do they care about security and are they knowledgeable in the field?

Bitwarden appears to know what they’re doing. They have a security policy and run a bug bounty program. Security incidents appear to be solved quickly. I’d like to see more documentation on how the encryption, transfer and storage of secrets works. Right now, there are some FAQ entries, but it’s all promises that give me no insight into where and how the applied security might break down.

One thing that bothers me is that they do not disclose any of the security trade-offs they made and how they impact the security of your secrets. I’m always wary when claims of perfect security are made, whether explicitly or by omission of information. There are obvious problems with client-side javascript encryption, which every developer and user with a reasonable understanding of web development recognises. No mention of this is made. Instead, security concerns are waved away with “everything is encrypted on your device!”. That’s nice, but if attackers can control the code that does the encryption, all is lost.

Please note that I’m not saying that client-side javascript encryption is a bad decision! It’s a perfectly reasonable trade-off between the convenience of being able to access your secrets on all your devices and a more secure way of managing your passwords. However, this trade-off should be disclosed prominently to users.

Conclusion

So, is Bitwarden (Cloud) secure and should you use it? Unfortunately, I can’t give you any advice. It all depends on your requirements. All security is a tradeoff between usability, convenience and security.

I did this review because my organisation is looking into a self-hosted Open Source password manager to manage our organisation’s secrets. Would I use this to keep my personal passwords in? The answer is: no. I use an offline KeePass, which I manually sync from my laptop to my phone every now and then. This is still the most secure way of managing passwords that I do not need to share with anyone. However, that’s not the use-case that I reviewed Bitwarden for. So would I use it to manage our organisation’s secrets? Perhaps; the jury is still out on that. I’ll need to look at the self-hosted version to see if it also includes Javascript from unreliable sources. If so, I’d have to say that, no, I would not recommend Bitwarden.

Perhaps you are a very busy person, and you need someone or something to help you keep track of your passwords. Or you are someone who has a lot of accounts that have password access.

You find it hard to keep your passwords in your password – for fear that you may lose your phones. Or you fear keeping your passwords in a notebook or a piece of paper, fearing how you may lose it and fall into the wrong set of hands.

To keep all your password together, try having Bitwarden to keep it safe and secure.

Bitwarden may purportedly be the best free password manager around, according to some user suggestions and feedback. It has great usability and decent features. Unfortunately, we were also told that paying users can do better elsewhere.


Company Background

Bitwarden was founded in August 2016 and was originally made for iOS and Android – mobile devices in general. It later expanded into desktop use, where you can install it as a browser extension for Chrome and Opera, and a web vault. The browser extension for Firefox was launched later, in February 2017.

Criteria

Before moving on to the main review for Bitwarden, let us enlighten you on which areas we are going to review the software.

The Features

We are obviously going to have a look at the features that are available with Bitwarden. Some features are its strong points, whereas some other features, less so.

Every piece of software has its own strong points and weak points. That includes Bitwarden too.

In this part, we will also include the user friendliness of the software or product. This part is crucial in a sense that not everyone is tech savvy. Some software was built for advanced users, whereas there are some that are made for entry-level users.

You may be someone who is looking for a password security software that is easy to use, but safe and secure. Or you may be an advanced user who is looking for a password security software that is loaded with advanced safety features.

Find out here if Bitwarden is the right package for you.

Security

After covering the features and user friendliness of the password software, we will touch on the security aspects of Bitwarden. You will be very surprised that not every password security software is made to be as safe and secure as you thought it to be.

Sometimes what was advertised on the official websites can be considered as inaccurate or falsely advertised. You won’t know until you have either tested it out yourself, or have read or heard from your peers how safe some password security features are.

Ease of Use and Support

It may be a simple password management software but not everyone knows how to use it. As mentioned previously, not everyone is tech savvy. Hence, we have included a quick and summarised section on how to use Bitwarden.

At the same time, we will look at how easy it is to reach Bitwarden’s support team if you need any assistance. A password security software’s support is important in a sense that it’s important to not have your passwords (and other private information) leaked and compromised.

You will have to see how easy it is to reach the support team, usually via the software’s official website. Look into the reply and problem resolve turnaround time. See if it is accurate and properly resolved.

Plans and Pricing

Plans and pricing is just what it says – the plans and prices available from Bitwarden. You’ll see whether its packages are within your budget, or whether you have the kind of money to spend on what Bitwarden has to offer.

We’d advise that if you have more money to spend, and are willing to do so, then you can do so at your own discretion. At the same time, remember that you get what you pay for when choosing certain packages or software.

It’s all your choice and in your discretion.

Bitwarden: Our Review

In quick summary, Bitwarden offers the following features. Free users are able to access the following features:

  • End to end encryption (e2ee) of passwords
  • 100% open source
  • Cross-platform apps for all major platforms
  • Browser add-ons for all major browsers
  • Web browser access from anywhere
  • Command-line tools (CLI) to write and execute scripts on your Bitwarden vault
  • Can self-host
  • 2 factor authentication (2FA)

Paying packages get you slightly more features than non-paying packages. Which are:

  • 1GB encrypted file storage
  • Additional 2FA options
  • Priority customer support

However, it depends on which (paid) package you choose. Nevertheless, each paid package has slightly different features from the others. They still cover more or less the same things at slightly different price points.

The Features

Bitwarden has quite a few features to offer for something that offers mostly free services.

Open Source Software

Bitwarden is an entirely open source software. Its source code is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.

Bitwarden believes that being open source is an important feature. Source code transparency is an absolute requirement for software solutions like Bitwarden.

Docker Feature – Host It Yourself

If you are someone who does not like using the Bitwarden cloud, that’s all right, as you do not have to. You can easily host its entire infrastructure stack on the platform of your choice.

Join Their Active Community Online

Bitwarden has an active community online, which you are more than welcome to join. Join its Gitter chat channel to talk directly to its developers. Or you can swing by its community forums to ask questions and discuss product features.

Free Features

Yes, Bitwarden is largely a free software to use. Their CSR is that they believe security is important for everyone. The core features of Bitwarden are entirely free. No payment needed. Forever.

The free features include:

  • Access and install Bitwarden apps
  • Sync all your devices, no limits
  • Store unlimited items in your vault
  • Logins, secure notes, cards, and identities
  • Two-step authentication (2FA)
  • Secure password generator
  • Self-host on your own server (optional)

The premium features include:

  • Everything from the free account
  • 1GB encrypted file storage
  • Two step login with YubiKey, U2F, and Duo
  • Password hygiene and vault health reports
  • TOTP authenticator key storage and code gen
  • Priority customer support

Organization Accounts

If you are looking for account features for organizations, Bitwarden has that covered too. Its organization accounts have powerful sharing features for families, teams, and business organizations.

Personal Use

The personal account is free. You can share it with a spouse or friend, and it is upgradeable at any time. It includes the basic features and the following:

  • Sharing for 2 users
  • Limit 2 collections
  • Unlimited shared items

Family Accounts

The family account covers up to 5 users and is a shared account for family and friends. It starts from US$1 a month. It includes the following:

  • Share with 5 users
  • Unlimited collections
  • Unlimited shared items
  • Vault health reports
  • 1GB encrypted file storage
  • Self-hosting (optional)

Business Use Accounts

Business use accounts cover up to 5 users in one account. It costs US$5. Every additional user is charged at US$2 per user. It covers the following in this package:

  • Unlimited users
  • Unlimited collections
  • Unlimited shared items
  • Vault health reports
  • 1GB encrypted file storage
  • Priority tech support

Enterprise Package

This package is for bigger businesses and enterprises. This package charges US$3 per user. It includes all teams’ features and the following:

  • User groups
  • Directory sync
  • On-premises hosting
  • Event/audit logs
  • API access
  • MFA with Duo Security
  • Users get premium

The prices are charged annually, although monthly options are also available.

Securely share and manage logins, secret keys, and more with other users across your organisations. At the same time, implement fine-grained access control policies and organise your vault with collections.

Store sensitive files such as private keys, certificates, documents, photos, and more. Keep your vault health reports in stellar mode by practising hygiene. All you need to do is to audit your vault with insightful reports.

Utilise its user groups for easier user management and greater control across departments and teams. Make use of its directory sync by syncing groups and users from Active Directory (and other LDAP), Azure, G Suite, and Okta.

Keep an event log. Review an audit trail of actions and changes performed by your organisation’s users. At the same time, its RESTful and flexible API access allows you to integrate your organisation with other tools and systems. Its on-premise hosting lets you easily deploy and host Bitwarden with no dependency on external cloud services.

Its multi-factor authentication enforces multi-factor login policies for your users by integrating with Duo Security. Last but not least, having a problem? Having questions and doubts? Get the help you need when you need it – fast – with Bitwarden’s priority support!

Security

As Bitwarden is a US company, it is therefore subject to FISA and the Patriot Act, and is quite likely to be under surveillance by the NSA.

It should not be a big issue, as Bitwarden uses fully audited open source end to end encryption (e2ee). In other words, it is as good a guarantee that it is secure and private as it is possible to get.

The only way to decrypt your data is to use the correct master password. You should know that the master password is not recoverable if you forget it. So it’s best if you do not forget it.

As e2ee is used, it does not matter that Bitwarden uses Microsoft Azure cloud servers to host accounts. However, if you are bothered by this, you can self-host on a home or rented server of your choice using the open source Docker framework.

Audited for Safety

Back in November 2018, a crowdfunded independent security audit by Cure53 found no big problems with Bitwarden. There were some non-critical issues discovered, but the most important parts were patched and fixed immediately.

It is only presumable that its developer has been working hard to fix any additional issues raised by the auditors.

Technical Security

Bitwarden is purportedly protected by some of the best security systems in the world. It is protected using the AES-256 cipher. It also uses PBKDF2 to derive the encryption key from your master password, which in turn is then salted and hashed using HMAC-SHA256.

To put it simply – the above paragraph basically described how Bitwarden uses well-respected and advanced 3rd party cryptographic libraries.

Your data in transit is protected by regular TLS. Even if your data were somehow intercepted in transit, it cannot be accessed. That is because it is encrypted with AES-256 before leaving your device.

However, in 2018 a problem was found in the Chrome add-on’s cryptography. It was fixed immediately, although it is advisable that you should never use the “never forget” option available with Bitwarden.

To be fair, the general caution is that you should never choose the “never forget” option on any website or software, if you really do not want any of your encryption keys to exist on disk.

Two Factor Authentication (2FA)

Free users are able to secure their Bitwarden Vaults using a time-based one-time password (TOTP) or an email verification for 2 factor authentication.

Premium users can also use 2FA methods such as Duo, YubiKeys, and other FIDO U2F-compatible USB or NFC devices.

Ease of Use and Support

Bitwarden is relatively easy to use, according to most users.

  • Step 1 – To start using Bitwarden, download the app for your platform. Then sign up for an account in its application.
  • Step 2 – A password is then requested, but it is not verified. You will need to have a very strong master password. You can even choose a hint to help you remember it. Just do not forget your master password.

Desktop Client

Bitwarden’s desktop clients are identical across all operating systems – Windows, macOS, and Linux. Apparently most versions of Linux are supported, as the app is packaged in the AppImage format. It is also available in the Ubuntu Software Center, or you can compile the open source code yourself.

Users who have used this software, previously and currently, say they find the interface to be smart looking and easy to use. They mention that 4 types of data entry are supported: login, card, identity, and secure note.

Each entry type is formatted in ways suitable to entering data of each kind. Something which the app can use to autofill passwords, web forms, and card detail forms. All using browser add-ons.

You can even check if the password you input has been exposed. It works like your own data breach tool and compares the username and password you enter with a database of known password breaches.

If you feel you are not creative enough, or simply cannot be bothered entirely to come up with a really strong password – leave it to Bitwarden. Let the Bitwarden app generate a really secure password for you.

These passwords can be tailored to conform with any specific requirements a website insisted on.

Create folders and add items to them. You can actually do this on the desktop version of Bitwarden. Need group password management and sharing features, then these are provided by Bitwarden’s organisation accounts.

Autofill functionality on the desktop is provided by browser add-ons. That is only applicable for Firefox and Chrome browsers.

Browser Add-Ons

You can find that browser add-ons are available on Chrome, Firefox, Vivaldi, Opera, Brave, and Microsoft Edge. We were told that a Firefox link is provided for the Tor Browser, but it is not recommended. This is not recommended as using any browser add-on with Tor Browser makes it more susceptible to browser fingerprinting.

The add-ons look like the Bitwarden apps and are said to provide the same core functionality.

Mobile Apps

The Android and iOS Bitwarden apps work very similarly, according to users. They share the same attractive and intuitive design philosophy as the desktop versions.

Basically, the Bitwarden phone apps can do everything the desktop versions can do, including generating secure random passwords. Both also support fingerprint unlocking on devices which have fingerprint sensors.

However, there is a small difference between the Android app and the iOS app.

The Android app uses the Autofill Framework Service on all Android 8+ devices to autofill any forms in any browser window or app. Older Android devices use the Autofill Accessibility Service instead. On top of that, users also mention that the browser add-ons work with the mobile versions of Firefox and Chrome.

On iOS 12+, on the other hand, the Bitwarden app integrates with Apple’s new Authentication Services framework to provide instant autofill functionality in most browsers and apps.

Customer Support

If you ever need help from Bitwarden, an extensive help section provides a very detailed and well documented section on most aspects of Bitwarden. If you feel the need to reach out to them, you can always email them.

Bitwarden is said to be a 1-man show, basically. All responses received from Bitwarden are said to be sent from the developer, Kyle Spearrin, himself. Users said responses are usually received on the same day you send an email query.

Your other way of getting app support is to join its Bitwarden forum. In the Bitwarden-hosted active forum, you can also find Kyle there as an enthusiastic participant.

Plans and Pricing

We have previously touched on Bitwarden pricings before. Here’s a quick run-down of their plans and pricing:

i. Personal Packages

  • Covers 2 users
  • Free

ii. Family Account


  • Covers 5 users
  • US$1 a month

iii. Business Account

  • Covers 5 users – US$1 a month
  • Charges US$2 for every additional user

iv. Enterprise Account

  • Covers unlimited users
  • Charges US$3 per user

Prices can be charged annually. Alternatively, monthly pricings are also available.

Our Verdict


Bitwarden is generally an all right password security software for the average household or business. If you have intermediate data and information to keep, then this software will be a good choice for you.

However, if you have many advanced data and information to keep, then you will need to get yourself a password security software that fits that mould.

We have come to a conclusion that Bitwarden’s basic and free package works very well for the general population. As the basic package covers a lot of pretty good features, it is a pretty good software for the average person with intermediate needs.


If you are looking for premium password security and safety with Bitwarden and don’t mind paying the money, then you will be better off looking for better ones elsewhere. Somehow Bitwarden is not able to provide advanced security if you have rather advanced needs.

Frequently Asked Questions (FAQ)

Here are some frequently asked questions (FAQ).

Q: Is Bitwarden safe?

Bitwarden is said to be a top notch and equally secure software. However, it has a potential risk because of its web vault website. That means if you need to change your password or other settings (that are not in the app), you will need to log in to the web vault, where you do not have control of your client-side code.

Q: How good is Bitwarden?

For the majority of users, Bitwarden is one of the very best password managers you can ever get. It is a great program, as it is very inexpensive. As it is open sourced and audited, it is one of the most secure pieces of software – far more secure than closed-source password managers.

Q: How is Bitwarden free?

Bitwarden is a free and open source software. Unlike community-developed alternatives such as KeePass, Bitwarden has a commercial venture. The core product itself is free, and will stay free forever. You can always support the developer by paying a really reasonable US$10/year subscription fee for a premium personal account.

Q: Can Bitwarden be hacked?

If Bitwarden were to get hacked at any day and any time and your data were exposed, your information would still be protected. That is because Bitwarden uses strong encryption and one-way salted hashing. As long as you have a very strong master password, your data will stay safe no matter who gets hold of it.


As a Master Degree graduate in the Internet Technology field, Stefan is highly dedicated towards improving the overall web security so internet users can browse freely without having to be afraid of technical loopholes. With over 15 years in the internet security industry, you should definitely take his advice seriously.