Bitwarden Premium

I’ve got hundreds of accounts and passwords, and I need a good password manager with good integration with my web browsers. My brain would explode if I had to remember all the individual accounts and password details I need to log in to every week.

I’ve been using LastPass despite never having liked or fully trusted them. Then LastPass began stripping away platform support and I started looking for an alternate password manager.

I’ll go through a few points that I feel were important to me when deciding on a password manager, and compare how Bitwarden vs LastPass lives up to my expectations.

Platform availability

Bitwarden and LastPass both offer free hosted password management services with clients available for multiple popular platforms.

LastPass have been pretty good about being available in every web browser and on every platform. However, they left the LastPass extension for Firefox for Android to rot for over a year before abandoning it. They were slow to migrate their extension to WebExtensions, the new Chromium-inspired extension API used since Firefox Quantum. They’ve also got a long history of shipping outdated versions of their extensions to Firefox users over several years.

In my experience, the LastPass extension for Firefox has only been getting more and more buggy with time. My browser of choice, Firefox, clearly hasn’t been a priority for LastPass.

Bitwarden have desktop apps for Linux, macOS, and Windows; as well as mobile apps for Android and iOS and browser extensions for just about all web browsers — including the underdogs like Vivaldi and Brave with their tiny market shares. Bitwarden is everywhere I am and everywhere I can foresee finding myself — whereas LastPass suggest you switch your browser to continue using their service.

LastPass’ toolbar icon in my browsers used a glaring red color; a color normally reserved to indicate that something is broken or requires your attention. Bitwarden’s calm blue icon is less alarming and I subjectively strongly prefer it over LastPass’ icon. I’ve also found that Bitwarden displays error messages in situations where LastPass would just silently fail to perform the requested operation.

Open-source and self-hosting

LastPass is a proprietary software and service. You have to rely on their infrastructure and will to continue operating the service without interference.

Bitwarden on the other hand is open-source from top to bottom. Their apps, extension, and online services are all open-source. If Bitwarden.com were to announce they were shutting down tomorrow, you could grab the source from their servers and host it yourself to ensure continued service.

Self-hosted instances of Bitwarden aren’t an afterthought either, as the company behind it considered self-hosting a “first-class feature”. I’ve yet to dig into this in more detail, but I expect that I’ll look into hosting it for myself with time.

As a developer, I also value the ability to inspect their code and suggest changes when I encounter bugs. I haven’t run into anything that has needed my attention in Bitwarden, but I like knowing that I have the option to fix it myself. I’ve submitted quite a few concrete bugs and even suggested patches to LastPass through their support form, but they’ve always preferred to leave the bug unresolved in their browser extensions for years instead.

Security

I don’t have the time nor ability to evaluate exactly how secure or insecure any password manager is compared to another. However, I’ve noted a few things of interest.

There hasn’t been a full independent security review of Bitwarden yet. The code is open and anyone can look at it, and hopefully it will be “the good guys” who’ll find any potential security vulnerabilities and report the issues to Bitwarden. The probability of that happening is much greater than with a proprietary product; seeing how everyone has access to Bitwarden’s source code.

I was positively surprised to learn that Bitwarden’s browser extension doesn’t auto-fill login information on pages as soon as they’ve loaded. The user has to interact with the extension to cause it to fill in stored usernames and passwords.

While this is a slight inconvenience, it also effectively stops auto-fill theft as some advertisement networks were caught doing in . This issue has been known to browser vendors for over a decade already, yet the built-in password manager in most web browsers and most third-party password managers have all ignored it.

I’ve also got some concerns regarding Bitwarden’s use of third-party script resources which I’ll go into greater detail in the next section.

Security concerns over third-party resources

In my opinion, no external resources should be loaded from any third-party domains inside a high-risk high-security environment like a password manager.

LastPass hosts everything under their own domains and thereby can ensure that as long as they’ve control over their servers, they maintain control over everything that loads inside the password manager.

Update (): The rest of the information in this section is outdated. Please see the 3-months with Bitwarden update for newer information.

Bitwarden loads scripts and styles from Bootstrap CDN as well as Google Fonts and Google Hosted Libraries. These resources are loaded with Subresource Integrity enforcement, meaning that modern browsers will refuse to load them if the external resource doesn’t match a predetermined checksum. In other words, Bitwarden have a fairly good confidence that they don’t load anything malicious or unexpected by including these remotely hosted resources.

However, Bitwarden also loads JavaScript from the two payment service providers Braintree (PayPal) and Stripe, as well as Google Analytics and the two-factor login services provider Duo Security. All these third parties are included when you log in to the web vault, and are loaded without Subresource Integrity enforcement. Subresource Integrity enforcement isn’t supported by these third-party vendors.

Including any third-party content is a potential avenue for malicious actors to get into the password vault. I can’t see any strong reason why any of these companies should be able to execute code inside the password vault. They’re all well-established service providers and it’s not very likely that they’ll lose control over their domains. However, it’s an unnecessary risk factor and frankly their inclusion also seems entirely unnecessary.
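
An added example (not part of the original article and not Bitwarden's code) that audits a page for the situation described above: third-party scripts and styles loaded with or without Subresource Integrity. The hostnames, sample markup and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # hash functions SRI defines


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity value a page author would pin for `body`."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()


def verify_sri(body: bytes, integrity: str) -> bool:
    """Browser-style check: only the strongest listed algorithm counts."""
    parsed = []
    for token in integrity.split():
        alg, _, value = token.partition("-")
        if alg in STRENGTH:
            parsed.append((alg, value.split("?")[0]))  # drop ?options
    if not parsed:
        return True  # no usable metadata: the browser enforces nothing
    best = max(STRENGTH[alg] for alg, _ in parsed)
    return any(sri_digest(body, alg) == f"{alg}-{value}"
               for alg, value in parsed if STRENGTH[alg] == best)


class _Collector(HTMLParser):
    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        else:
            return
        host = urlparse(url or "").hostname
        if not host or host == self.first_party:
            return  # inline, relative or first-party: same trust as the page
        if not (a.get("integrity") or "").strip():
            status = "unpinned"  # the third party can change this code at will
        elif "crossorigin" not in a:
            # Without CORS the response is opaque and cannot be integrity-checked,
            # so the browser blocks the resource instead of loading it.
            status = "pinned-but-no-cors"
        else:
            status = "pinned"
        self.findings.append((host, status))


def audit(html: str, first_party: str):
    """List (host, status) for every third-party script or stylesheet."""
    collector = _Collector(first_party)
    collector.feed(html)
    return collector.findings


LIB = b"console.log('ui library v1');"  # constructed stand-in for a CDN file
PIN = sri_digest(LIB)

# Constructed markup; every hostname is a placeholder.
SAMPLE_PAGE = """
<script src="/app.js"></script>
<script src="https://cdn.example/ui.js" integrity="%s" crossorigin="anonymous"></script>
<script src="https://fonts.example/loader.js" integrity="%s"></script>
<script src="https://payments.example/v3/"></script>
<script src="https://analytics.example/a.js"></script>
""" % (PIN, PIN)

if __name__ == "__main__":
    for host, status in audit(SAMPLE_PAGE, "vault.example"):
        print(f"{status:20} {host}")
    print("tampered file accepted:", verify_sri(LIB + b"//evil", PIN))
```

Every `unpinned` entry is a host whose operator can change what runs inside the page; an `integrity` value that names only an unsupported algorithm is treated by browsers as no pin at all.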

Third-party analytics

The Bitwarden mobile apps, desktop apps, extensions, and web vault all integrate Google Analytics for tracking behavioral data from users. Users can opt out by disabling the Analytics option by going to Settings: Other: Options.

Update (): Bitwarden no longer includes Google Analytics scripts directly. Please see the 3-months with Bitwarden update for newer information.

This is another example of an unconstrained third-party script that doesn’t belong in a secure environment such as a password manager. Users should opt-in to tracking in this instance rather than having to opt-out.

It’s not enough to opt-out once in the web vault or in one of the apps or extensions. Users have to opt-out again in every client they use as the opt-out preference isn’t being synchronized between clients.

I completely understand the need and desire for tracking some behavioral analytics. However, what is good enough for a normal website isn’t necessarily good enough for a security critical environment like a password manager. In my opinion, there’s no good reason for using Google Analytics — or any third-party analytics — in the way Bitwarden uncritically uses it.

Data portability

Bitwarden and LastPass can export and import passwords, secure notes, and other secure data to a comma-separated value (CSV) format with headers denoting each value. Many password managers support importing from CSV files, but some manual shuffling of the data columns may be required (as with anything else that uses CSV in lieu of a formally standardized interchange format).

Bitwarden, being the underdog, can import data from LastPass. However, if you want to go the other way around, you’ll need to reformat the CSV export file for LastPass to accept it. CSVs are easy enough to work with, and the important point to note is that all data appears to be present when exporting from both password managers.

LastPass incorrectly encoded a few (but not all) UTF-8 characters when I exported data to be imported in Bitwarden. I had to manually correct these in the comma-separated export format before Bitwarden could import the file. (This is a bug in LastPass and not Bitwarden.) Having just run into an export issue, I also tested and made sure that Bitwarden didn’t make the same mistake when exporting.

Both Bitwarden and LastPass can store other types of information including secure notes and credit card information. These types of data are also part of the password database dump.

Conclusions

I choose to use Bitwarden over LastPass despite being more skeptical about their security practices when it comes to inclusion of third-party executable scripts inside the password manager. I hope we’ll see Bitwarden make changes to limit the number of possible attack vectors in the future.

Bitwarden doesn’t have a proven record of maintaining strict operational security for a decade like LastPass. However, my personal values, beliefs, and preferences lean heavily towards Bitwarden over LastPass as an optionally self-hosted open-source application with clients for every platform.

I’ve no strong reason to trust LastPass over Bitwarden. I find that I like using Bitwarden whereas I never liked using LastPass. Bitwarden seemed to me like the best LastPass alternative out there.

If you require absolute security, you should probably stick with LastPass as they’ve got a decade of experience in offering hosted password management services. You could opt to self-host Bitwarden in an environment that isn’t exposed to the internet as an alternative. However, for most folks — the current level of security offered by Bitwarden is probably good enough. Hopefully, we’ll see Bitwarden undergo a full security audit soon.

Update (): German security agency Cure53 have now completed an independent security audit of Bitwarden. All noted issues have been patched.

Bitwarden Review

Usability - 95%
Support - 89%

Bitwarden have produced an excellent password manager backed up by a great range of apps and browser extensions. At only $10 / year the premium upgrade includes 1GB of cloud storage, priority support and additional 2FA security options.

In recent years Bitwarden has firmly established itself as a safe, secure and easy to use password manager and a great alternative to the industry’s big names such as 1Password and LastPass.

One of the most notable features of Bitwarden is that the software they produce is free and open source (including the server software should you want to run the synchronisation yourself). This means not only is Bitwarden software subject to the highest security standards but also a great choice for those who are looking for a low cost way to manage their own passwords or those of a small business.

In fact, even if you don’t host the server software yourself, Bitwarden offer a very generous free account which allows an unlimited number of passwords to be saved, use of all available Bitwarden apps and automatic synchronisation via the Bitwarden secure servers. The Premium account is priced very fairly at $10 / year and in addition to the free tier also offers users 1GB of secure cloud storage and priority technical support!

Device support is also taken very seriously by Bitwarden and they offer client software for PC, Mac and Linux in addition to apps for iOS and Android along with plug-ins for all popular web browsers.

This all sounds very promising so far, time to have a look at the Bitwarden Password Manager.

Features

  • Well designed and very easy to use
  • Open source software ensures maximum security
  • Plugins available for all major browsers
  • Applications for Windows, Mac and Linux
  • iOS and Android apps available
  • Cloud synchronisation (included on free account)
  • Supports 2FA (multi-factor authentication)
  • Automatic password generator
  • Automatic website logins
  • No password sharing implemented
  • Generous free account
  • Premium account with 1GB cloud storage for only $10/yr

Usability

Installing Bitwarden

To begin with I will be installing the Bitwarden Windows 10 desktop client. This is free to download from the Bitwarden website and at only 720KB can be downloaded almost instantaneously.

Once downloaded the installation takes only a couple of minutes to complete whilst some other components are being downloaded and with only a couple of clicks everything is ready to go, great work so far!

Upon opening the desktop client for the first time we will be asked to log in or create an account if we don’t yet have one. Bitwarden require only an email address and a master password which is great to see as this helps keep users’ data as private as possible.

Finally, once logged in with our new account we will be greeted by the main Bitwarden application home screen, from here we have full access to the free version of the service and any other devices using this account will be automatically synchronised.

In addition to the desktop client software, Bitwarden also offer smartphone apps and browser extensions for all major web browsers. I will have a look at the smartphone app a little later on but for now I will have a look at the Firefox browser extension, which can be installed directly via the Firefox add-on store.

As with most Firefox extensions the installation here is quick and easy, taking only a few moments to complete. Once installed we can log in with the Bitwarden account we created a little earlier on.

Once installed and logged in we will have full access to our account via the browser window, this includes tools such as the automatic password generator and all passwords already synchronised via our Bitwarden account. I will have a look at using the Bitwarden browser plugin in more depth a little later on.

Finally, should you need to access your Bitwarden vault without the desktop client, browser apps or smartphone apps there is the option of using a web-based console. This web-based console can be logged into using your usual Bitwarden credentials and can also be used for importing / exporting accounts from other password managers.

Types of Data Stored by Bitwarden

As with most password managers not only do they store simple passwords but also other useful information such as credit card numbers, PIN codes, tax numbers and any other secure personal notes you might want to keep safe.

As such Bitwarden will not only store the logins for any websites and apps you might use but also allows credit card, PIN numbers and secure personal notes to be stored alongside them and synchronised across all devices automatically.

Should you take out the Bitwarden premium subscription at $10 / year you will also be able to upload and synchronise files and photographs across all of your devices thanks to the 1GB of secure cloud storage included with this premium option. This is a very useful way to keep copies of bank cards, personal IDs and other important documents which you might need to securely access whilst on the go!

Adding a new Site to Bitwarden

Once Bitwarden is up and running one of the easiest ways of adding a new login is via the web browser plugins. Of course, any app can be used for adding a new login but the browser extensions will automatically recognise a new website and offer to add the login to your Bitwarden account automatically whenever necessary, excellent!

Regardless of which method you choose adding new logins to Bitwarden is a fairly straightforward process, however, the browser plugins will be essential for many as they will (in almost all cases) make this process completely automatic when using a new site for the first time.

Can Bitwarden Generate Passwords

Yes, Bitwarden has a great password generator which can be used to generate strong and unique passwords automatically every time a new login is added to your account.

This is a very important feature in a password manager as it makes the process of utilising strong, unique and secure passwords for each and every website you use very easy to manage. This is helpful because in the event that a password is ever compromised and exposed to the world along with your login details (e.g. email address) then only a single website will be affected. In such cases it is fairly easy to then change the password for that single site knowing all other sites are still 100% safe thanks to them having different passwords (even if the login email is the same).

Imagine if your username and password (as per above) had been leaked and it turned out the username (email) and password were regularly used across many different websites! In this case it would take much longer to change them all (you might even miss some) and it is much more likely that one or many accounts would be compromised, not a good situation!

Signing in to Websites and Apps with Bitwarden

Signing into websites is one of the most common tasks a password manager will be used for. Because of this any password manager which incorporates a web browser plugin which will automatically fill out login forms is at a big advantage versus those which don’t (yes, some still don’t have browser plugins!).

Thankfully, Bitwarden has a very good selection of web browser plugins covering widely used browsers such as Chrome, Safari and Firefox as well as lesser used ones including Brave, Opera and Vivaldi.

When signing into a website the Bitwarden browser plugin will do one of two things depending upon whether you already have an account saved for the website in use. If a login is already stored, Bitwarden will recognise this and can (via the plugin menu) be used to fill in the login automatically. If the account is not stored in Bitwarden then this will be recognised and a new login can (optionally) be stored in the password vault automatically.

Bitwarden also provide apps for iOS and Android which can be used to log in to websites and apps on a smartphone device. I will be looking at the Android app in this review, which can be installed via the Google Play store.

Once installed, as with the Windows desktop client and the browser extensions the Bitwarden username and password must be entered in order to sign-in and synchronise the app with the main Bitwarden account.

The Bitwarden smartphone app can also be used to automatically fill in app based logins. In Android this can be achieved by configuring the auto-fill service.

How Secure and Reliable is Bitwarden

Bitwarden make use of very secure AES 256-bit encryption to ensure all user data is encrypted both whilst it is being stored on user devices and whilst being synchronised via the Bitwarden synchronisation service. Bitwarden also make use of extended, salted hashing on passwords adding even more security to accounts and ensuring the master passwords of account holders are even more protected.

Multi-factor authentication is also available on both free and premium accounts which adds a further layer of security to an already safe service in addition to “new device” warning emails which will alert users every time a new device is used to access the account.

Another very important part of Bitwarden’s approach to security comes from making all of their software open source. Such a move is still not common amongst many password managers yet helps prove Bitwarden’s commitment to security and transparency by allowing the open source community to review and verify the code is working as it should. Open sourcing their software is also a great way to ensure any bugs and security issues have been dealt with in a correct and effective way as all work will be publicly available.

Can Bitwarden Import from Other Password Managers?

Yes, Bitwarden provides a specialist import tool making the importing of passwords from other password managers quick and easy. The tool is pre-configured to work with all of the main password managers in use today and can be found via the Bitwarden web vault.

This same tool can be used for easily exporting Bitwarden passwords should you wish to move elsewhere in the future.

Whilst import and export functionality is fully covered it is slightly disappointing to see this is (currently) only available via the web console and not in the desktop client applications. Not a big deal but it would be nice to have this functionality available locally on a device.

Bitwarden Free vs Premium

Bitwarden offer, by default, a completely free service allowing use of all applications, multi-factor authentication and an unlimited number of logins to be added and synchronised via the service.

Bitwarden also offer an upgraded premium account which also includes 1GB of secure cloud storage, premium support, additional multi-factor authentication options and data breach reports to alert you if your passwords have been involved in a breach.

The premium account also offers several security related reports which make it easy to see which (if any) of your passwords might have been involved in data breaches, might have been re-used across multiple accounts or might be considered weak and insecure passwords based on their complexity and length.

Security

Bitwarden uses AES 256-bit end-to-end encryption to ensure all user data is encrypted locally on the device before any synchronization takes place. In addition to strong encryption Bitwarden also offer the ability to use multi-factor authentication on both free and premium accounts.

Another important aspect to the security of Bitwarden software is that it is fully open source and available for anyone to review. This means the workings of the software are transparent and that security researchers can easily verify that the software is as secure as the company producing it (Bitwarden) says it is.

Support

Bitwarden have a very useful knowledge base and Q&A section on their website which should have the answers to common questions which might arise whilst using the service. Should you require any more support Bitwarden provide 24/7 online messaging support in addition to priority support for premium members.

Pricing

Bitwarden have both a free account and a premium account priced at $10 / year for individuals. Business and team accounts are also available.

Summary

Bitwarden is a solid password manager which features everything you could ever need from such a tool. This is especially impressive given that the free account is one of the best I have ever come across and if you don’t need the 1GB of cloud storage will most likely be ideal for many individual users.

The premium account is also excellent value at only $10 / year providing everything in the free account along with 1GB of cloud storage, use of advanced 2FA options (YubiKey, U2F and Duo), premium security reports and TOTP authenticator features.

The range of applications provided by Bitwarden is also noteworthy with iOS and Android smartphone apps, plugins for all major browsers and Windows, Linux and Mac operating systems supported via open source software.

Overall this is a very impressive password manager and comes very close to LastPass in being one of the best free options I have so far tested. An excellent job Bitwarden!