Bitwarden – An Open-Source Alternative to LastPass for Business and Personal Use


I’ve been using Bitwarden for the last couple of years and in this overview, I’ll look at why you might consider Bitwarden as an alternative to proprietary solutions like LastPass and 1Password. And I’ll give an outline of the pricing, architecture, and features for business and personal use.

What is Bitwarden?

Bitwarden is an open-source password manager. Password managers let you easily create and securely store long and complex passwords for your websites and applications. It’s important that you use a unique password on each site you register for, and preferably one that is long and complex; think 16 characters or more with a mixture of upper and lower case, numbers, and special characters.

Using a different password for each site reduces your exposure should a password be compromised. And long, complex passwords are harder for hackers to guess in brute force attacks. It would be impossible to remember a different password for each site. That is why many people use the same password every time they register on a website.
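As an added example that is not part of the article, the Python below generates passwords that meet the policy described above (16 or more characters, all four character classes) using the operating system’s CSPRNG, and puts a number on why length matters by computing the brute-force search space. The special-character set and the 1e11 guesses-per-second attacker rate are assumptions, not figures from the article.

```python
import math
import secrets
import string

# Character classes from the article's recommendation: upper, lower,
# digits and special characters, 16 or more characters long.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"  # assumed set; managers let you tune this
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 87 distinct symbols


def meets_policy(pw: str) -> bool:
    """True if pw is at least 16 chars and mixes all four character classes."""
    return (len(pw) >= 16
            and any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SPECIAL for c in pw))


def generate_password(length: int = 16) -> str:
    """Return a random password containing every class, drawn with the
    OS CSPRNG (secrets), never with random.random()."""
    if length < 16:
        raise ValueError("the article recommends 16 characters or more")
    while True:  # rejection sampling keeps the distribution uniform per slot
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of candidates an exhaustive guesser must cover."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try every candidate at the given guess rate.
    1e11 guesses/s is an assumed figure for a well-resourced offline attacker."""
    candidates = alphabet_size ** length
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_password())
    # 8 lowercase letters vs. the article's 16-character mixed policy
    print(search_space_bits(8, 26), years_to_exhaust(8, 26))
    print(search_space_bits(16, len(ALPHABET)), years_to_exhaust(16, len(ALPHABET)))
```

Run it a few times: the 8-character lowercase space is exhausted in seconds at the assumed rate, while the 16-character mixed space runs to trillions of years.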

Is Bitwarden better than Google Chrome’s built-in password manager?

Most browsers have some kind of password management solution built-in. For example, Microsoft Edge uses an app called Authenticator, which gives you access to all your passwords on iOS and Android, and in the browser. Google Chrome also has a built-in password manager.

The primary advantage of using a third-party password manager like Bitwarden is that you don’t get locked into a particular browser. Password managers work with any browser or application. Third-party password managers usually have a bigger feature set than those built into browsers, which are primarily aimed at consumer use.

Password management in Microsoft Edge (Image Credit: Petri/Russell Smith)

And unlike popular solutions such as LastPass and 1Password, Bitwarden is open-source. You can review the code yourself and even modify it to suit your own needs.

Bitwarden cloud vs self-hosted model

One of the nice things about Bitwarden is that it is architected to allow for two different hosting models. You can choose to use Bitwarden’s cloud service, where the application is deployed for you in Bitwarden’s own cloud. All you need is to create an account and your password vault is securely stored by Bitwarden.

Alternatively, you can host Bitwarden’s software yourself:

  • locally, on your own hardware
  • in a public cloud like AWS or Azure
  • or in your own private cloud

Many organizations are sensitive to putting data in the public cloud, let alone all their passwords. Bitwarden provides the option to self-host a server instance and secure it yourself. Securing access to password vaults then becomes your responsibility.

Bitwarden pricing

Regardless of which hosting model you choose, there is a free version of Bitwarden. Pricing is split into two categories: personal and business. The free personal plan provides most of what you might expect from a password manager, including unlimited password storage, unlimited devices, and all the core features.

The Premium tier for personal use ($1/month) adds advanced two-factor authentication (2FA), emergency access, Bitwarden Authenticator, security reporting, and more. There’s also a family plan ($3.33/month) for those who want a more cost-effective way to use Premium accounts for the whole family.

                          Free    Premium
Unlimited passwords        x         x
Unlimited devices          x         x
Core features              x         x
Always free                x
Advanced 2FA                         x
Emergency access                     x
Bitwarden Authenticator              x
Security reports                     x

Table 1 – Bitwarden personal plans feature comparison

Enterprise features and pricing

Business plans are available in two flavors: Teams Organization ($3 per user/month) and Enterprise Organization ($5 per user/month). Teams provides all the features in Premium, plus the ability to securely share data and passwords stored in vaults with co-workers across departments or the whole organization. It also includes:

  • API access
  • Enhanced 2-step login (YubiKey, FIDO2, DUO)
  • Encrypted file attachments (1GB personal plus 1GB for organization items)
  • Priority support
  • Vault health reporting
  • Event and audit logs
  • User groups
  • Directory Connector

Enterprise brings the most advanced feature set, including everything in Premium and Teams, plus:

  • Policy support
  • Single sign-on (SSO) integration
  • System for Cross-domain Identity Management (SCIM) support
  • Free Family plan for users
  • Admin password reset
  • Self-host option

What is Bitwarden Authenticator?

Bitwarden Authenticator is an authenticator application that you can use as an alternative to apps like Microsoft Authenticator, Authy, and Google Authenticator. Authenticator apps give you access to the passwords stored in your vault and facilitate logging in to websites and apps by auto-filling fields like username and password. They also provide two-factor authentication, where you need to use a second factor, like a fingerprint or facial recognition, in addition to your password before you can log in.

Apps for iOS, Android, Windows, Linux, and macOS

Bitwarden vaults can be accessed in several ways:

  • Using a web browser like Google Chrome
  • Using the dedicated desktop app for Windows, Linux, or macOS
  • By downloading the Bitwarden app for iOS or Android
  • Using a browser plug-in
  • The command line

Getting started with Bitwarden

Most people should evaluate the free cloud-hosted version of Bitwarden initially to determine whether the basic functionality meets their needs. Go to the Bitwarden website and click Get Started in the top-right corner.

Getting started with Bitwarden (Image Credit: Petri/Russell Smith)

You’ll be prompted to enter some basic information about yourself so that you can create a vault. Follow the registration process and confirm your email address. Once that’s done, you can log in to Bitwarden. I recommend configuring two-step authentication for your vault to protect your master password from the get-go.

Create your first vault (Image Credit: Petri/Russell Smith)

When you log in to your vault for the first time, you can add entries by clicking + Add item. As you add entries, you can organize them into folders. And naturally, you can search your vault to quickly find the login information that you need.

Bitwarden vault (Image Credit: Petri/Russell Smith)

If you have the Bitwarden browser plug-in installed, it can auto-fill usernames and passwords so that you don’t need to log in and search your vault manually each time. The Bitwarden mobile app can perform the same function on your phone for logging in to sites and apps, provided you give the app permission to perform that task.

Bitwarden mobile app (Image Credit: Petri/Russell Smith)

Bitwarden vs LastPass

Bitwarden isn’t quite as user friendly as LastPass. As with most open-source software, it was designed by geeks for geeks. That’s not to say the basic features are difficult to use – they aren’t – but the user interface is not as well designed or as intuitive as LastPass.

Bitwarden is cheaper than LastPass.

Two-factor authentication can be used in the free Bitwarden tier, but you’ll need to pay to get text message or security key support. LastPass has more options when it comes to 2FA.

At the end of the day, it always depends on your organizational or personal needs which product is best and how much you are prepared to pay.

Can Bitwarden be trusted?

Bitwarden, like LastPass, uses military-grade AES-256 end-to-end encryption to secure your data at rest. The differences between the two solutions come down to privacy policy and trust.

LastPass has experienced several breaches over the years, with the latest exposing user vaults and the URLs stored within. And while passwords were not compromised, the encrypted versions of your passwords were leaked, leaving the potential for an attacker to brute-force ‘guess’ a password. Although LastPass points out that a successful attack would be unlikely, I’d recommend that LastPass users change all the passwords stored in their vaults.

More worrying is the way LastPass discloses these breaches. Paul Thurrott has more details about the latest LastPass incident.

Bitwarden has never been breached to my knowledge. But there’s a first time for everything. And what really matters is how Bitwarden deals with the aftermath. But because there’s never been an incident, we don’t know how they would react. Hopefully, more responsibly than LastPass. But at the time of writing, it’s clear that Bitwarden has a much better record of protecting your data in their cloud-hosted solution.

Give Bitwarden a try! Or if you are already a user, let me know what you think of it in the comments below.