As seen in December I talked about the importance of using a password manager. So I take up the topic by focusing on one manager in particular: Bitwarden.

After the policy change made by LastPass, many users who use the free service have looked for an alternative and Bitwarden is the solution.
I really appreciate the philosophy proposed by Bitwarden and below is a list of those, at least for me, are the pros and cons.

Index

Pro

• Open source

  This feature would already be enough to abound any other password manager. Being an open project, the entire infrastructure adopted by Bitwarden can be inspected step by step evaluating the actual safety and efficiency.
  
  

• Multiplatform

  Available in desktop, mobile, and extensions for most browsers used.
  
  

• Free

  You have all the features to manage passwords on each device in a totally free way.
  
  

• Premium

  Adding useful features at a very low price.
  
  

• Custom field

  Bitwarden allows you to add custom fields. This feature can be very useful because you can create and refine the information to be saved. Many other password managers don’t allow custom fields, so you are forced to save all information or parts of it in the notes field. This makes everything messier and less precise.
  
  

• Development

  New features are always introduced, some even interesting like Bitwarden send.
  
  

• Communication

  Developers are always ready to listen to users’ opinions on how to improve the product. This’s one of the most beautiful features that should make anyone prefer the use and development of open-source projects because the project takes shape from the needs of those who use the product and not on a single thought of those who develop it.
  
  

• Self-host

  Exactly, you can host your Bitwarden server wherever you want. Of course, you will have to manage everything, but you really have full control of every single feature.

Con

• Development

  Required features not implemented in a very long time. For example, adding new tags in addition to those present was proposed in 2018 but has not yet been implemented today.
  
  

• Offline management

  It’s not allowed to edit items if you are offline. This is a serious shortcoming despite being proposed in 2018 because you can find yourself in environments and places where there is no signal, or the signal is weak, and therefore you cannot add, modify and delete the elements of your vault.
  
  

• Discrepancy

  There’re some strange cases of people who’re no longer able to access their vault despite having entered their master password correctly.
  
  

  There is a lot of discussion on Reddit about it:
  
  

  • Ditching Bitwarden: master password is suddenly incorrect (post deleted by the author)
  • Cannot log into account
  • Master Password Incorrect
  • Lost my Master Password?

  
  Obviously problems of this type, hopefully, are mainly due to errors on the part of the user and not of the system.
  
  

• Non-native code

  Without going into details, Bitwarden’s applications are developed with multi-platform languages and not in native code according to the system used. On the one hand, this choice makes it easier to develop an application because with a single development, it can be used universally for multiple systems and therefore the same application doesn’t have to be developed for each system. On the other hand, it involves having a product with lower performance and efficiency than other products.
  
  

• Interface

  Too dated. For when this parameter can be completely subjective if you put the Bitwarden interface (web, mobile app, desktop) with respect to that of other operators, Bitwarden turns out to be completely anachronistic and in some ways engineering, that is, inconsistent with the set of novice users who are starting to use the product. In particular, the discourse of the UI is very important for this type of product. Unfortunately, let us return to the first problem highlighted: development.

Premium

With Bitwarden premium you have the following features:

1. Encrypted file attachments
2. Two-step login with 2FA, YubiKey, U2F, Duo
3. Vault health reports
   • Exposed Passwords
   • Reused Passwords
   • Weak Passwords
   • Unsecured Website
   • Inactive 2FA
4. Emergency Access
5. TOTP verification code (2FA) generator

All at a price, in my opinion, too low. Searching on the internet seems that most of Bitwarden’s income comes from corporate and enterprise plans. Since the free plan includes all the features required by a “basic” user, it’s clear that Bitwarden will undergo an increase in the catchment area without getting any revenue back. The continuous increase of users without an economic return will first then lead Bitwarden to find a way to be able to pay the management costs such as servers and salaries.

The idea also proposed, is to increase the price of the premium plan, efficiently. That is, don’t propose a single price for anyone but establish different prices depending on the location in which the user is located. Practically, what many companies already do like Spotify ($9.99 Canada and ₹129 India - ₹129≃$2,17)

Conclusion

Each product has its pros and cons, but Bitwarden is a great choice for those who want to start with a password manager or those looking for an alternative. It’s always one of those products that I recommend to anyone and I’m very pushing to subscribe to the premium subscription to help developers, even if the additional features aren’t used.

Ehm

On the final notes of the December post, some may wonder why you recommend Bitwarden when I don’t use it but prefer 1Password. The answer always comes from the usability of a product. In my case, 1Password is the best choice in terms of user interface and user experience. Plus, for those using Apple products, 1P exhibits better and more consistent management capabilities than Bitwarden. Obviously, I will continue to keep myself updated on Bitwarden and I’ll be ready to use it when is more mature.

For the keen eye, I used the old Bitwarden color palette as the cover and not the new one. I think the blue of the new color is too “strong” and less delicate than the old one. 😕

Update Apr 19, 2021

Searching the internet, I saw how many people continue to defend LastPass, considering it a great product built on solid foundations. In reality, the company had several problems:

• 2011

  LastPass discovered an anomaly in their incoming network traffic, then a similar anomaly in their outgoing traffic. Given the size of the anomalies, it was theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass took the “breached” servers offline so they could be rebuilt and, on May 4, 2011, requested all users change their master passwords.
  
  

• 2015

  LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server-per-user salts, and authentication hashes were compromised.
  
  

• 2016

  A blog post published by an independent online security firm detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious website. This vulnerability was made possible by poorly written URL parsing code in the LastPass extension.
  
  

• 2017

  Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The exploit applied to all LastPass clients, including Chrome, Firefox, and Edge

  After, the same, discovered an additional security flaw allowing remote code execution based on the user navigating to a malicious website.
  
  

• 2019

  Tavis Ormandy reported a vulnerability in the LastPass browser extension in which Web sites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site.
  
  

• 2021

  It was discovered that the Android app contained third-party trackers.

More information on Wikipedia.

Security problems are present in every company, but if we put LastPass on the same level as other companies that produce password management software, LastPass is certainly one of the worst.

My advice, therefore, is always to: research, inquire, and meticulously evaluate any software product you are going to use, especially when it comes to keeping your most important information. Many times you are influenced by other people, or by blogs that have been paid by the company itself to advertise their product well. The trump card is to concentrate and analyze the facts, to know the path of a company and how it has evolved, and how it has faced problems.

Update May 08, 2021

Returning to the issue of incongruity, there seem to be some quirks between inserting and using special characters for fields like email and password and rotating the encryption key. On Reddit, Mihai-MCW (Update 2022: posts deleted by the author) was no longer able to log into his account, despite entering his password correctly. I recommend reading all his comments to understand what happened.

As already mentioned, many of the problems can be on the user side but must be considered that those who develop software, in many cases, don’t take into account all the possible combinations of interactions that a user can do, coming to create a sequence of steps entirely unexpected events that lead to problems in the software itself.

Update Jan 19, 2023

Latest update on the inconsistency issue.
The Bitwarden team commented on Reddit that these problems, i.e. users entering their vault password correctly but being unable to log in, are due to the self-hosted versions of Bitwarden. The particular problem is due to deprecated APIs and is solved simply by updating the server containing the Biwarden instance.

Update Jan 27, 2024

What I considered to be the cons of Bitwarden at the time, were seen from another point of view in the blog post about LastPass, where Bitwarden represents the best choice for a password manager.