Tuesday, May 1st, 2018
Update 2021-02-25: (Disclaimer: I’m not a cryptographer, and I’m not affiliated with or sponsored by Passbolt in any way, shape or form). I’ve reviewed another Open Source personal and team password manager called Passbolt. Without going into a full review, its security looks impressive. Passbolt uses plain, old, trusted GPG with asymmetric public / private key encryption to encrypt and share secrets. Secrets are end-to-end encrypted, and a separate browser plugin is used for the client-side encryption. This (apparently) makes the crypto safer than plain Javascript client-side encryption. (yada, yada, CPRNG) This architecture is also more resilient against server-side breaches, as an attacker that gains access to the server cannot inject code into the javascript, given that it’s a separate plugin. The private key never leaves your client, as far as I can tell. The Open Source version does not support 2FA, however it already requires the private key and a password (with which the private key is encrypted). So basically it’s already 2FA by design. Passbolt is slightly less easy to use, but for team-based password sharing, I highly recommend it.
Update: Kyle Spearrin, the lead developer of Bitwarden, contacted me regarding this blog post. Some issues (unnecessary loading of resources from CDNs and disclosure of my email address to a third party without confirmation) have already been resolved. Mitigations for other issues were already in place, although I haven’t had time to confirm this yet. I’ll update this post with more details as soon as possible.
Keeping your online accounts secured and managing your passwords is no easy task. Thankfully, Bitwarden is here to help simplify securing your most sensitive data. That, as Bitwarden founder and chief technology officer Kyle Spearrin admits, is “better than not using anything”: people using browser password managers is preferable to the alternative.
Bitwarden is an open source online password manager:
The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data.
Bitwarden offers both a cloud hosted and on-premise version. Some notes on the scope of this blog post and disclaimers:
Here are my findings:
There appears to be no distinction between the authentication password and encryption password.
When logging in, the following HTTP POST is made to Bitwarden’s server:
That’s a base64 encoded password. (Don’t worry, I anonymized all secrets in this post; besides, they’re all throw-away passwords anyway). Let’s see what it contains:
Okay, at least that’s not my plain text password. It is encoded, hashed or encrypted somehow, but I’m not sure how. Still, it makes me nervous that my password is being sent over the wire. The master password used for encryption should never leave a device, in any form. I would have expected two passwords here perhaps: one for authentication and one for encryption.
The reason it was implemented this way is probably because of the “Organizations” feature, which lets you share passwords with other people. Sharing secrets among people is probably hard to do in a secure way. I’m no cryptography expert, but there are probably ways to do this more securely using asymmetric encryption (public and private keys), which Bitwarden doesn’t appear to be using.
Bitwarden has a FAQ entry about its use of encryption, which claims that passwords are never sent over the wire unencrypted or unhashed:
Bitwarden always encrypts and/or hashes your data on your local device before it is ever sent to the cloud servers for syncing. The Bitwarden servers are only used for storing encrypted data. It is not possible to get your unencrypted data from the Bitwarden cloud servers.
The FAQ entry on hashing is also relevant:
Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.
The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have no value to the hacker.
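To make the FAQ’s two-stage description concrete, here is an added illustration (my own sketch, not Bitwarden’s code; the iteration count, the HMAC label and the sample credentials are constructed) of how a client can salt-and-hash the master password with the e-mail, send only a one-way derived token, and let the server re-salt and re-hash that token, while the encryption key itself never appears on the wire:

```python
import base64
import hashlib
import hmac
import secrets

# Illustrative work factor; the real client's iteration count is not stated on the page.
ITERATIONS = 100_000


def derive_master_key(password: str, email: str) -> bytes:
    """Client side: stretch the master password with the normalised e-mail as salt.

    This key protects the vault entries. It is derived on the device and must
    never be sent to the server in any form.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def derive_auth_token(password: str, email: str) -> bytes:
    """Client side: a one-way, domain-separated derivation of the master key.

    Only this value crosses the wire. HMAC-SHA256 cannot be inverted to recover
    the key, so a captured login body does not unlock the vault.
    (Hypothetical construction; the page does not describe the real derivation.)
    """
    master_key = derive_master_key(password, email)
    return hmac.new(master_key, b"authentication", hashlib.sha256).digest()


def login_body(password: str, email: str) -> str:
    """What a client would POST: base64 of the auth token, not the password or key."""
    return base64.b64encode(derive_auth_token(password, email)).decode("ascii")


def server_enroll(auth_token: bytes) -> dict:
    """Server side: salt the received token with a fresh random value and hash it
    again before storing, so a database leak yields neither the token nor the key."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Server side: recompute the stored hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"], ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


def wire_value_reveals_key(password: str, email: str) -> bool:
    """True only if the transmitted body contains the master key or password verbatim."""
    body = base64.b64decode(login_body(password, email))
    return derive_master_key(password, email) in body or password.encode("utf-8") in body


if __name__ == "__main__":
    # Constructed throw-away credentials, as in the post.
    email, password = "user@example.com", "correct horse battery staple"
    record = server_enroll(derive_auth_token(password, email))
    print("login ok:", server_verify(record, derive_auth_token(password, email)))
    print("wrong password:", server_verify(record, derive_auth_token("wrong", email)))
    print("wire value leaks key:", wire_value_reveals_key(password, email))
```

The server never holds anything that decrypts the vault, which is the property the FAQ claims; whether the real client achieves the same separation is exactly the question the post raises.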
However, there’s a major caveat here which they don’t mention. All of the encryption is done client-side by Javascript loaded from various servers and CDNs. This means that an attacker who gains control over any of these servers (or man-in-the-middle’s them somehow) can inject any javascript they like, and obtain your password that way.
The good news is that Bitwarden uses Content-Security-Policy. The bad news is that it allows the loading of resources from a variety of untrusted sources. uMatrix shows the type of resources it’s trying to load from various sources:
Here’s what the Content-Security-Policy looks like:
Roughly translated, it allows indiscriminate loading and executing of scripts, css, web workers (background threads) and inclusion of framed content from a wide variety of untrusted sources such as CDNs, Paypal, Duosecurity, Braintreegateway, Google, etc. Some of these I know, some I don’t. Trust I have in none of them.
It would take too long to explain why this is a bad idea, but the gist of it is that the more resources you load and allow from different sources, the bigger the attack surface becomes. Perhaps these are perfectly secure (right now…), but an important part of security is the developers’ security mindset. Some of these resources could easily have been hosted on the same origin servers. Some of these resources should only be allowed to run from payment pages. It shows sloppy configuration of the Content-Security-Policy, namely site-wide configuration in the web server (probably) rather than being determined on a URL-by-URL basis.
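The check I would run against such a header, as an added example that is not part of the original post: a small CSP parser that flags every script, style, worker or frame source extending trust beyond the first party, and a per-page rewrite that keeps a third party only where that page needs it. The policy and origins below are constructed placeholders, not the real vault policy (which the post does not reproduce).

```python
from typing import Dict, List, Optional

# Constructed sample policy with placeholder origins.
LOOSE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://vault.example.com https://cdn.example.net "
    "https://js.payments.example https://analytics.example 'unsafe-inline'; "
    "style-src 'self' https://cdn.example.net 'unsafe-inline'; "
    "worker-src 'self' https://cdn.example.net; "
    "frame-src 'self' https://js.payments.example https://2fa.example; "
    "img-src 'self' data: https:; "
    "connect-src 'self'"
)

# Directives whose sources can execute code, inject styles or frame content.
CODE_DIRECTIVES = ("script-src", "style-src", "worker-src", "frame-src")

# Source expressions that do not widen trust to another origin.
SAFE_KEYWORDS = {"'self'", "'none'", "'strict-dynamic'"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy header into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def _is_trusted(source: str, first_party: str) -> bool:
    # Nonces and hashes pin one specific script; anything else that is not the
    # app's own origin (a CDN, a wildcard, a bare scheme, 'unsafe-*') widens trust.
    return (source in SAFE_KEYWORDS or source == first_party
            or source.startswith("'nonce-") or source.startswith("'sha"))


def audit_csp(policy: str, first_party: str) -> Dict[str, List[str]]:
    """Per code-bearing directive, list the sources that extend trust beyond the
    first party. A directive absent from the policy inherits default-src."""
    directives = parse_csp(policy)
    fallback = directives.get("default-src", [])
    findings: Dict[str, List[str]] = {}
    for name in CODE_DIRECTIVES:
        risky = [s for s in directives.get(name, fallback) if not _is_trusted(s, first_party)]
        if risky:
            findings[name] = risky
    return findings


def tighten_csp(policy: str, first_party: str,
                page_allowances: Optional[Dict[str, List[str]]] = None) -> str:
    """Rewrite the policy for one page: keep only first-party sources for the
    code-bearing directives, plus the third parties this page actually needs
    (e.g. a payment iframe on the checkout page), rather than one site-wide
    allow-list that every page inherits."""
    directives = parse_csp(policy)
    fallback = directives.get("default-src", [])
    allowances = page_allowances or {}
    for name in CODE_DIRECTIVES:
        kept = [s for s in directives.get(name, fallback) if _is_trusted(s, first_party)]
        kept += [s for s in allowances.get(name, []) if s not in kept]
        directives[name] = kept or ["'none'"]
    return serialize_csp(directives)


if __name__ == "__main__":
    origin = "https://vault.example.com"
    for directive, sources in audit_csp(LOOSE_CSP, origin).items():
        print(f"{directive}: trusts {sources}")
    print("vault page:   ", tighten_csp(LOOSE_CSP, origin))
    print("checkout page:", tighten_csp(LOOSE_CSP, origin,
                                        {"frame-src": ["https://js.payments.example"]}))
```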
The actual client-side encryption library is loaded from vault.bitwarden.com, which is good. However, the (possibility of) inclusion of scripts from other sources negates any security benefits of doing so.
The inclusion of Google analytics in a password manager is, in my opinion, inexcusable. It’s not required functionality for the application, so it shouldn’t be in there.
When adding a new authentication entry, the entry appears to be client-side encrypted in some way before sending it to the server:
It’s base64 again, and decodes into the same obscure binary string as the password when logging in. I have not spent time looking at how exactly the encoding / encryption is happening, so I cannot claim that this is actually secure. So keep that in mind. It does give credence to Bitwarden’s claims that all sensitive data is encrypted client-side before sending it to the server.
I clicked on the “Data breach report” link on the left, and Bitwarden immediately sent my email address to https://haveibeenpwned.com. No confirmation, no nothing; it was disclosed to a third party immediately. Well, actually, since I use uMatrix to firewall my browser, it wasn’t and I had to explicitly allow it to do so, but even most security nerds don’t use uMatrix.
That’s not cool. Don’t disclose my info to third parties without my consent.
One of, if not the, most important aspects is the developer mindset. That is, do they care about security and are they knowledgeable in the field?
Bitwarden appears to know what they’re doing. They have a security policy and run a bug bounty program. Security incidents appear to be solved quickly. I’d like to see more documentation on how the encryption, transfer and storage of secrets works. Right now, there are some FAQ entries, but it’s all promises that give me no insight into where and how the applied security might break down.
One thing that bothers me is that they do not disclose any of the security trade-offs they made and how it impacts the security of your secrets. I’m always wary when claims of perfect security are made, whether explicitly, or by omission of information. There are obvious problems with client-side javascript encryption, which every developer and user with a reasonable understanding of web development recognises. No mention of this is made. Instead, security concerns are waved away with “everything is encrypted on your device!”. That’s nice, but if attackers can control the code that does the encryption, all is lost.
Please note that I’m not saying that client-side javascript encryption is a bad decision! It’s a perfectly reasonable trade-off between the convenience of being able to access your secrets on all your devices and a more secure way of managing your passwords. However, this trade-off should be disclosed prominently to users.
So, is Bitwarden (Cloud) secure and should you use it? Unfortunately, I can’t give you any advice. It all depends on your requirements. All security is a tradeoff between usability, convenience and security.
I did this review because my organisation is looking into a self-hosted Open Source password manager to manage our organisation’s secrets. Would I use this to keep my personal passwords in? The answer is: no. I use an offline Keepass, which I manually sync from my laptop to my phone every now and then. This is still the most secure way of managing passwords that I do not need to share with anyone. However, that’s not the use-case that I reviewed Bitwarden for. So would I use it to manage our organisation’s secrets? Perhaps, the jury is still out on that. I’ll need to look at the self-hosted version to see if it also includes Javascript from unreliable sources. If so, I’d have to say that, no, I would not recommend Bitwarden.
Perhaps you are a very busy person, and you need someone or something to help you keep track of your passwords. Or you are someone who has a lot of accounts that have password access.
You find it hard to keep your passwords on your phone, for fear that you may lose it. Or you fear keeping your passwords in a notebook or on a piece of paper, fearing that you may lose it and it may fall into the wrong hands.
To keep all your passwords together, try Bitwarden to keep them safe and secure.
Bitwarden is purportedly the best free password manager around, according to some user suggestions and feedback. It has great usability and decent features. Unfortunately, we were also told that paying users can do better elsewhere.
Bitwarden was founded in August 2016, which originally was made for iOS and Android – mobile devices in general. It later on expanded into desktop use where you can install it as a browser extension for Chrome and Opera, and a web vault. The browser extension for Firefox was launched later in February 2017.
Before moving on to the main review for Bitwarden, let us enlighten you on which areas we are going to review the software.
We are obviously going to have a look at the features that are available with Bitwarden. Some features are its strong points, whereas other features are less so.
Every piece of software has its own strong points and weak points. That includes Bitwarden too.
In this part, we will also include the user friendliness of the software or product. This part is crucial in a sense that not everyone is tech savvy. Some software was built for advanced users, whereas there are some that are made for entry-level users.
You may be someone who is looking for a password security software that is easy to use, but safe and secure. Or you may be an advanced user who is looking for a password security software that is loaded with advanced safety features.
Find out here if Bitwarden is the right package for you.
After covering the features and user friendliness of the password software, we will touch on the security aspects of Bitwarden. You may be very surprised that not every password security software is made to be as safe and secure as you thought.
Sometimes what was advertised on the official websites can be considered as inaccurate or falsely advertised. You won’t know until you have either tested it out yourself, or have read or heard from your peers how safe some password security features are.
It may be a simple password management software but not everyone knows how to use it. As mentioned previously, not everyone is tech savvy. Hence, we have included a quick and summarised section on how to use Bitwarden.
At the same time, we will look at how easy it is to reach Bitwarden’s support team if you need any assistance. Support matters for a password security software because it is important that your passwords (and other private information) are not leaked or compromised.
You will have to see how easy it is to reach the support team, usually via the software’s official website. Look into the reply and problem-resolution turnaround time. See if issues are accurately and properly resolved.
Plans and pricing is just what it is: the plans and pricing available from Bitwarden. You’ll see whether its packages are within your budget, or whether you have the kind of money to spend on what Bitwarden has to offer.
We’d advise that if you have more money to spend, and are willing to do so, then you can do so at your own discretion. At the same time, remember that you get what you pay for when choosing certain packages or software.
It’s all your choice and in your discretion.
In quick summary, Bitwarden offers the following features. Free users are able to access the following features:
Paying packages get you slightly more features than non-paying packages. Which are:
However, it depends on which (paid) packages you choose. Nevertheless, each paid package has a slightly different feature to each other. It still covers more or less the same thing for a slightly different price point.
Bitwarden has quite a bit of features to offer for something that offers mostly free services.
Bitwarden is an entirely open source software. Its source code is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.
Bitwarden believes that being open source is an important feature. Source code transparency is an absolute requirement for software solutions like Bitwarden.
If you are someone who does not like using the Bitwarden cloud, that’s all right, as you do not have to. You can easily host its entire infrastructure stack on the platform of your choice.
Bitwarden has an active community online, which you are more than welcomed to join. Join its Gitter chat channel to talk directly to its developers. Or you can swing by its community forums to ask questions and discuss product features.
Yes, Bitwarden is largely a free software to use. Their CSR is that they believe security is important for everyone. The core features of Bitwarden are entirely free. No payment needed. Forever.
The free features include:
The premium features include:
If you are looking for account features for organizations, Bitwarden has that covered too. Its organization accounts have powerful sharing features for families, teams, and business organizations.
The personal account is free. You can share it with a spouse or friend, and is upgradeable at any time. It includes the basic features and the following:
The family account covers up to 5 users and is an account sharing for family and friends. It starts from US$1 a month. It includes the following:
Business use accounts cover up to 5 users in one account. It costs US$5, and every additional user is charged US$2 per user. It covers the following in this package:
This package is for bigger businesses and enterprises. This package charges US$3 per user. It includes all teams’ features and the following:
The prices are charged annually, although monthly options are also available.
Securely share and manage logins, secret keys, and more with other users across your organisations. At the same time, implement fine-grained access control policies and organise your vault with collections.
Store sensitive files such as private keys, certificates, documents, photos, and more. Keep your vault health reports in stellar mode by practising hygiene. All you need to do is to audit your vault with insightful reports.
Utilise its user groups for easier user management and greater control across departments and teams. Make use of its directory sync by syncing groups and users from Active Directory (and other LDAP), Azure, G Suite, and Okta.
Keep an event log: review an audit trail of actions and changes performed by your organisation’s users. At the same time, its RESTful and flexible API access allows you to integrate your organisation with other tools and systems. Its on-premise option is easily deployed and lets you host Bitwarden with no dependency on external cloud services.
Its multi-factor authentication enforces multi-factor login policies for your users by integrating with Duo Security. Last but not least, having a problem? Having questions and doubts? Get the help you need when you need it – fast – with Bitwarden’s priority support!
As Bitwarden is a US company, it is therefore subject to FISA and the Patriot Act, and is quite likely to be under surveillance by the NSA.
It should not be a big issue, as Bitwarden uses fully audited open source end-to-end encryption (e2ee). In other words, it is as good a guarantee that it is secure and private as it is possible to get.
The only way to decrypt your data is to use the correct master password. You should know that the master password is not recoverable if you forget it. So it’s best if you do not forget it.
As e2ee is used, it does not matter that Bitwarden uses Microsoft Azure cloud servers to host accounts. However, if you are bothered by this, you can self-host on a home or rented server of your choice using the open source Docker framework.
Back in November 2018, a crowdfunded independent security audit by Cure53 found no big problems with Bitwarden. There were some non-critical issues discovered, but the most important parts were patched and fixed immediately.
It is reasonable to presume that its developer has been working hard to fix any additional issues raised by the auditors.
Bitwarden is purportedly protected by some of the best security systems in the world. It is protected using the AES-256 cipher. It also uses PBKDF2 to derive the encryption key from your master password, which in turn is then salted and hashed using HMAC-SHA256.
To put it simply – the above paragraph basically described how Bitwarden uses well-respected and advanced 3rd party cryptographic libraries.
Your data in transit is protected by regular TLS. Let’s say your data was, in some ways, intercepted in transit, it cannot be accessed. That is because it is encrypted with AES-256 before leaving your device.
However, in 2018 a problem was found in the Chrome add-on’s cryptography. It was fixed immediately, although it is advisable never to use the “never forget” option available in Bitwarden.
To be fair, as a precaution you should never choose a “never forget” option on any website or software, if you really do not want any of your encryption key to exist on disk, that is.
Free users are able to secure their Bitwarden Vaults using a time-based one-time password (TOTP) or an email verification for 2 factor authentication.
Premium users can also use 2FA methods such as Duo, YubiKeys, and other FIDO U2F-compatible USB or NFC devices.
Bitwarden is relatively easy to use, according to most users.
Bitwarden’s desktop clients are identical across all operating systems: Windows, macOS, and Linux. Apparently most versions of Linux are supported, as the app is packaged in the AppImage format. It is also available in the Ubuntu Software Center, or you can compile the open source code yourself.
Users who have used this software, previously or currently, said they find the interface smart looking and easy to use. They mentioned that 4 types of data entry are supported: login, card, identity, and secure note.
Each entry type is formatted in ways suitable to entering data of each kind. Something which the app can use to autofill passwords, web forms, and card detail forms. All using browser add-ons.
You can even check if the password you input has been exposed. It works like your own data breach tool and compares the username and password you enter with a database of known password breaches.
If you feel you are not creative enough, or simply cannot be bothered entirely to come up with a really strong password – leave it to Bitwarden. Let the Bitwarden app generate a really secure password for you.
These passwords can be tailored to conform with any specific requirements a website insisted on.
Create folders and add items to them. You can actually do this on the desktop version of Bitwarden. Need group password management and sharing features, then these are provided by Bitwarden’s organisation accounts.
Autofill functionality on the desktop is provided by browser add-ons. That is only applicable for Firefox and Chrome browsers.
You can find that browser add-ons are available for Chrome, Firefox, Vivaldi, Opera, Brave, and Microsoft Edge. We were told that a Firefox link is provided for the Tor Browser, but it is not recommended, as using any browser add-on with Tor Browser makes it more susceptible to browser fingerprinting.
The add-ons look like the Bitwarden apps and are said to provide the same core functionality.
The Android and iOS Bitwarden apps work very similarly, according to users. They share the same attractive and intuitive design philosophy as the desktop versions.
Basically, the Bitwarden phone apps can do everything the desktop versions can do, including generating secure random passwords. Both also support fingerprint unlocking on devices which have fingerprint sensors.
However, there is a small difference between the Android app and the iOS app.
The Android app uses the Autofill Framework Service on all Android 8+ devices to autofill any forms in any browser window or app. On older Android devices it uses the Autofill Accessibility Service instead. On top of that, users also mention that the browser add-ons work with the mobile versions of Firefox and Chrome.
On iOS 12+, on the other hand, the Bitwarden app integrates with Apple’s new Authentication Services framework to provide instant autofill functionality in most browsers and apps.
If you ever need help from Bitwarden, an extensive help section provides a very detailed and well documented section on most aspects of Bitwarden. If you feel the need to reach out to them, you can always email them.
Bitwarden is said to be basically a one-man show. All responses received from Bitwarden are said to be sent by the developer, Kyle Spearrin, himself. Users said responses are usually received on the same day you send an email query.
Your other way of getting app support is to join its Bitwarden forum. In the Bitwarden-hosted active forum, you can also find Kyle there as an enthusiastic participant.
We have previously touched on Bitwarden pricings before. Here’s a quick run-down of their plans and pricing:
i. Personal Packages
ii. Family Account
iii. Business Account
iv. Enterprise Account
Prices can be charged annually. Alternatively, monthly pricings are also available.
Bitwarden is generally an all right password security software for the average household or business. If you have intermediate data and information to keep, then this software will be a good choice for you.
However, if you have many advanced data and information to keep, then you will need to get yourself a password security software that fits that mould.
We have come to a conclusion that Bitwarden’s basic and free package works very well for the general population. As the basic package covers a lot of pretty good features, it is a pretty good software for the average person with intermediate needs.
If you are looking for premium password security and safety with Bitwarden and don’t mind paying the money, then you will be better off looking elsewhere. Somehow Bitwarden is not able to provide advanced security if you have rather advanced needs.
Here are some frequently asked questions (FAQ).
Bitwarden is said to be a top notch and equally secure software. However, it has a potential risk because of its web vault website. That means if you need to change your password or other settings (that are not in the app), you will need to log in to the web vault, where you do not have control of your client-side code.
For the majority of users, Bitwarden is one of the very best password managers you can ever get. It is a great program, as it is very inexpensive. As it is open sourced and audited, it is one of the most secure pieces of software, far more secure than closed-source password managers.
Bitwarden is a free and open source software. Unlike community-developed alternatives such as KeePass, Bitwarden is backed by a commercial venture. The core product itself is free, and will stay free forever. You can always support the developer by paying a really reasonable US$10/year subscription fee for a premium personal account.
If Bitwarden were to get hacked at any day and any time and your data is exposed, your information will still be protected. That is because Bitwarden uses strong encryption and one-way salted hashing. As long as you have a very strong master password, your data will stay safe no matter who gets hold of it.
As a Master’s Degree graduate in the Internet Technology field, Stefan is highly dedicated towards improving overall web security so internet users can browse freely without having to be afraid of technical loopholes. With over 15 years in the internet security industry, you should definitely take his advice seriously.