Back in December I wrote about the importance of using a password manager. Here I return to the topic by focusing on one manager in particular: Bitwarden.
After the policy change made by LastPass, many users of its free service have looked for an alternative, and Bitwarden is the solution.
I really appreciate the philosophy proposed by Bitwarden, and below is a list of what are, at least for me, its pros and cons.
Open source. This feature alone would be enough to put it ahead of any other password manager. Being an open project, the entire infrastructure adopted by Bitwarden can be inspected step by step, evaluating its actual security and efficiency.
Multi-platform. Available as a desktop app, a mobile app, and as an extension for the most widely used browsers.
Free. You have all the features needed to manage passwords on every device at no cost.
Premium. Adds useful features at a very low price.
Custom fields. Bitwarden allows you to add custom fields. This feature can be very useful because you can create and refine the information to be saved. Many other password managers don’t allow custom fields, so you are forced to save all that information, or part of it, in the notes field, which makes everything messier and less precise.
Continuous development. New features are introduced all the time, some of them quite interesting, like Bitwarden Send.
Community-driven. The developers are always ready to listen to users’ opinions on how to improve the product. This is one of the most beautiful traits that should make anyone prefer using and developing open-source projects, because the project takes shape from the needs of those who use it and not from the single viewpoint of those who develop it.
Self-hosting. Exactly: you can host your Bitwarden server wherever you want. Of course, you will have to manage everything yourself, but you really do have full control over every single feature.
Slow development. Requested features go unimplemented for a very long time. For example, adding new tags in addition to the existing ones was proposed in 2018 but has still not been implemented today.
No offline editing. You are not allowed to edit items while offline. This is a serious shortcoming, despite having been raised in 2018, because you can find yourself in environments and places where there is no signal, or the signal is weak, and therefore you cannot add, modify or delete the items in your vault.
Login inconsistencies. There are some strange cases of people who are no longer able to access their vault despite having entered their master password correctly.
There is a lot of discussion on Reddit about it:
Obviously, problems of this type are hopefully due mainly to errors on the part of the user and not of the system.
Development. Without going into details, Bitwarden’s applications are developed with multi-platform languages rather than in native code for each system. On the one hand, this choice makes development easier, because a single code base can be used on multiple systems and the same application doesn’t have to be rewritten for each one. On the other hand, it results in a product with lower performance and efficiency than other products.
UI too dated. Even though this parameter can be completely subjective, if you put the Bitwarden interface (web, mobile app, desktop) next to that of other providers, Bitwarden turns out to be completely anachronistic and in some ways too engineer-oriented, that is, at odds with the novice users who are starting to use the product. For this type of product the UI matters a great deal. Unfortunately, this brings us back to the first problem highlighted: development.
With Bitwarden premium you have the following features:
All this at a price that, in my opinion, is too low. Searching the internet, it seems that most of Bitwarden’s income comes from corporate and enterprise plans. Since the free plan includes all the features a “basic” user needs, it’s clear that Bitwarden’s user base will keep growing without bringing in any revenue. The continuous growth in users without an economic return will sooner or later force Bitwarden to find a way to pay its running costs, such as servers and salaries.
The idea I would also propose is to raise the price of the premium plan, but efficiently: that is, not a single price for everyone, but different prices depending on the location of the user. Practically, what many companies like Spotify already do ($9.99 in Canada and ₹129 in India; ₹129 ≃ $2.17).
Each product has its pros and cons, but Bitwarden is a great choice for those who want to start using a password manager or who are looking for an alternative. It’s one of those products I always recommend to anyone, and I strongly push people to take out the premium subscription to support the developers, even if the additional features go unused.
For the keen eye: I used the old Bitwarden color palette for the cover and not the new one. I think the blue of the new palette is too “strong” and less delicate than the old one. 😕
Searching the internet, I saw how many people continue to defend LastPass, considering it a great product built on solid foundations. In reality, the company has had several problems:
LastPass discovered an anomaly in its incoming network traffic, then a similar anomaly in its outgoing traffic. Given the size of the anomalies, it was theoretically possible that data such as email addresses, the server salt, and the salted password hashes had been copied from the LastPass database. To address the situation, LastPass took the “breached” servers offline so they could be rebuilt and, on May 4, 2011, asked all users to change their master passwords.
The LastPass team had discovered and halted suspicious activity on its network the previous Friday. Its investigation revealed that LastPass account email addresses, password reminders, server-per-user salts, and authentication hashes had been compromised.
A blog post published by the independent online security firm Detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious website. This vulnerability was made possible by poorly written URL parsing code in the LastPass extension.
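To make the class of mistake mentioned above concrete (loose URL handling in an autofill decision), here is an added illustration in Python. It is not LastPass’s or Detectify’s code and does not reproduce the actual bug: it pairs a constructed naive matcher, which looks for the saved site’s name anywhere in the page URL, with a strict matcher that parses the URL with the standard library and compares hosts label by label. All URLs in it are constructed examples.

```python
"""Added illustration: strict vs. loose origin matching for autofill.

`naive_matches` is a constructed example of the kind of loose check that
lets an unrelated page pass as the saved site. `strict_matches` is the
defensive form a password-manager extension should use.
"""
from typing import Optional
from urllib.parse import urlsplit


def naive_matches(saved_url: str, page_url: str) -> bool:
    """Loose check: does the saved host appear anywhere in the page URL?

    Constructed anti-pattern: it ignores URL structure, so the saved host
    can be matched inside a query string, userinfo, or a longer hostname.
    """
    saved_host = urlsplit(saved_url).hostname or ""
    return saved_host in page_url


def page_host(url: str) -> Optional[str]:
    """Return the normalized hostname of a web URL, or None if unusable.

    Only http(s) pages may be autofilled; other schemes are rejected.
    urlsplit already lowercases the hostname and strips any userinfo.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").rstrip(".")
    return host or None


def strict_matches(saved_url: str, page_url: str) -> bool:
    """Strict check: page host equals the saved host or is a label-aligned
    subdomain of it (e.g. login.example.com for example.com)."""
    saved_host = page_host(saved_url)
    current = page_host(page_url)
    if saved_host is None or current is None:
        return False
    return current == saved_host or current.endswith("." + saved_host)


if __name__ == "__main__":
    saved = "https://example.com/login"
    for page in (
        "https://login.example.com/",
        "https://example.com.evil.test/",
        "https://evil.test/?next=example.com",
        "https://user:pw@example.com@evil.test/",
        "javascript:void(0)",
    ):
        print(f"{page:45} naive={naive_matches(saved, page)!s:5} "
              f"strict={strict_matches(saved, page)}")
```

Whether to accept subdomains at all is a policy choice: on shared hosting platforms, where unrelated users own sibling subdomains, a real extension would also need a public-suffix list, so exact host comparison is the safer default.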
Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The exploit applied to all LastPass clients, including Chrome, Firefox, and Edge.
Later, the same researcher discovered an additional security flaw allowing remote code execution when the user navigated to a malicious website.
It was discovered that the Android app contained third-party trackers.
More information on Wikipedia.
Security problems exist at every company, but if we put LastPass alongside other companies that produce password management software, LastPass is certainly one of the worst.
My advice, therefore, is always to research, inquire, and meticulously evaluate any software product you are going to use, especially when it comes to keeping your most important information. Many times you are influenced by other people, or by blogs that have been paid by the company itself to advertise its product favorably. The trump card is to focus on and analyze the facts: to know the path a company has taken, how it has evolved, and how it has faced its problems.
Returning to the issue of inconsistency, there seem to be some quirks involving the entry and use of special characters in fields like email and password, and the rotation of the encryption key. On Reddit, Mihai-MCW (update 2022: posts deleted by the author) was no longer able to log into his account despite entering his password correctly. I recommend reading all his comments to understand what happened.
As already mentioned, many of these problems may be on the user’s side, but it must be considered that those who develop software, in many cases, don’t take into account all the possible combinations of interactions a user can perform, ending up with a sequence of entirely unexpected steps that leads to problems in the software itself.
Latest update on the inconsistency issue.
The Bitwarden team commented on Reddit that these problems, i.e. users entering their vault password correctly but being unable to log in, affect self-hosted Bitwarden instances. The specific cause is deprecated APIs, and it is solved simply by updating the server hosting the Bitwarden instance.