Bitwarden Open Source

So, here is our comparison of Bitwarden and LastPass, and which of these is the best open source password manager in 2021. The winner takes it all (and hides it) in the battle of the password managers.

Password managers are, we think, generally a good thing. Remembering adsofpjdp is one thing, but also committing 4256p4m2glm! and paLsdKfnk26& to memory is quite another. Keeping your passwords strong and changing them regularly is important these days, when you can check on a website whether or not you’ve been “pwned,” and Chrome harasses you about your unfeasibly large number of compromised passwords.

Web browsers, the front line in the war between password and jailbird, have been able to remember your passwords for a while now, and can generate strong passwords that you’ll never be expected to remember. This is fine until you try to log in on a different system, or using your cell phone, and have to dig in the browser settings to view the password that it recorded for you.

Benefits of Password Managers

There’s another benefit of password managers: they tend to come bundled with some sort of internet security suite or browser plugin. They also make it easy to manage your passwords, syncing across devices, generating new ones, and hiding everything behind a master password—which is the only one you need to remember. You can also use them to store encrypted notes.

Disadvantages of Password Managers

Of course, the downside of this is that they’re massive targets for password thieves. Once they’ve compromised your master password, your entire digital life is laid open. It’s worth, therefore, making that master password as complex as you can possibly cope with, changing it regularly, and never reusing passwords. There are also services, such as some banks, that don’t support their use, and if you’re caught with your banking details in one you may not get a refund if you’re a victim of cyber crime.

Two of the market leaders in password-management software are LastPass and Bitwarden. Both are available for free, though they maintain premium subscription tiers if you need the additional features they can bring. The free apps, however, contain all the functionality you’ll need as a one-person user, and only become limiting if you want to roll them out across entire organizations.

You can store an unlimited number of passwords in both, and sync them across devices. They both generate random passwords when you sign up for a new service or want to change an existing password, and you can use them to encrypt information, such as bank details or credit card numbers.

Bitwarden VS LastPass

Bitwarden is open source, which means it has faced external scrutiny from security experts, while LastPass is not. This doesn’t mean there’s anything wrong with LastPass’s security, of course—it takes part in security audits—and neither app has reported a full data breach, though LastPass has been the target of some minor ones. LastPass offers a hint for your master password, which can save you if you’ve forgotten it. Bitwarden does not.

Both apps offer plugins for major browsers—Chrome, Edge, Firefox, Opera, and Safari. Bitwarden goes one further and plugs into the, ahem, “privacy-focused” browser Tor, while LastPass works nicely with Internet Explorer. These plugins can be used to auto-fill identity fields within webpages, as well as manage your password database via the web interface.

Both services also come with desktop apps, although it’s notable that Bitwarden’s doesn’t support two-factor authentication, and doesn’t have the random-password generator or password-sharing abilities of the LastPass app. Both services use separate authenticator apps, however.

Usage

The award for user-friendliness has to go to LastPass, as its app and web interface are virtually identical, meaning you only have to learn how to use it once. Both managers use AES-256—the only public security standard approved by the NSA—against which there is no known practical attack strategy that doesn’t use a side-channel or some additional knowledge of the key.

Settings

Setting the apps up is a simple process. If you’ve got passwords stored somewhere, such as in Chrome, they will import them for you. LastPass’s Security Challenge feature regularly reminds you to change passwords that are overdue or weak, and there’s an auto-change feature that can rattle through multiple password updates quickly—an extremely popular feature with users.

LastPass also has recovery options if you lose your master password, sending one-time passwords to trusted email addresses. Bitwarden doesn’t offer this—any passwords you store on its servers are accessible to you alone through the master password, so if you lose it or it becomes compromised, then you’ll need to rebuild your entire password database.

The Difference

Bitwarden free

Bitwarden has one feature you won’t find in many other places: your password vault doesn’t have to be stored on its servers. This is likely to be of more interest to corporate users (it’s only available through the Enterprise subscription tier), but the ability to keep your passwords under your control on your own server can be an attractive feature. Both apps offer secure password-sharing between two users as part of their free tier, which scales up through their Premium and Enterprise tiers, and both offer a small amount of encrypted file storage too, as long as you’re a subscriber.

It’s worth pointing out again that both apps have a free tier, so it’s perfectly possible to download them both, get them set up, and choose which one suits you best with no cost other than a little bit of your time. We’re big fans of Bitwarden, but using either app is still better than using neither and trying to remember all your passwords, which inevitably leads to reused, weak passwords, or other security flaws. Password managers are also more secure and flexible than getting your browser to remember them.

The Cost

Pricing is very close, with LastPass’s tiers being slightly more expensive each month by a buck or so. You may find, though, that you get more for your money with LastPass if you’re going to go for one of the business-oriented tiers.

Either way, a password manager is a valuable addition to your enterprise, and anyone who uses passwords online can benefit from one. These apps are so similar that it will come down to which has a feature you like, or just personal preference as to which one you ultimately choose.

We all know that password managers are worth their weight in gold, and the most popular of these, by a large margin, is LastPass. LastPass is great, I used it myself for a number of years, but it is fairly expensive since doubling their prices in 2017. So are there any decent, open source alternatives to LastPass?

In short, yes. Enter Bitwarden (my current password manager). It is very similar to LastPass in functionality, but it’s completely open source. You can even host it yourself if you’re so inclined.

Pricing

Both LastPass and Bitwarden offer a free account that does not include any time restrictions for usage. However, the free account for Bitwarden has one big advantage over LastPass’ free offering – mobile sync.

The free tier for LastPass does not allow users to make use of the platform’s various mobile apps. Bitwarden, on the other hand, doesn’t limit its users in such a way. All of the core functionality of Bitwarden is also offered on its free tier.

Premium Pricing

If you decide you want to use LastPass’ mobile apps, and upgrade to their premium tier, it will set you back $2/month ($24 billed annually). However, Bitwarden’s premium offering will cost just $10/year.

If you decide to hand over 10 of your hard earned dollars to Bitwarden, you will receive 1GB of encrypted file storage, additional Two Factor Authentication (2FA) methods and use of their embedded TOTP generator. So if you use 2FA with any of your accounts, you can configure the tokens within Bitwarden, so that your codes can be pasted automatically, along with your username and password. You will also get priority support, as you would with LastPass Premium.

Family Account

Both LastPass and Bitwarden offer family accounts, where multiple accounts can be combined together under one umbrella account. These have a number of advantages, including cheaper overall costs and the ability to easily share logins if you’re that way inclined.

LastPass offers 6 licenses at a cost of $4/month ($48 billed annually), whereas Bitwarden’s offering is just $1/month ($12 billed annually) for 5 licenses. The two packages are pretty much identical when it comes to features, so the fact that Bitwarden is 75% cheaper than the LastPass equivalent really is great value for money.

If you want to read more about pricing, here are some useful links:

  • LastPass pricing table: https://www.lastpass.com/pricing
  • LastPass free features: https://lastpass.com/features_free.php
  • Bitwarden pricing details: https://bitwarden.com

Security

Ok, this is the important bit. What is the point in trusting your most secretive of data – your passwords – with a 3rd party, if their security is shoddy?

LastPass are a big target, and have been compromised in the past. However, their security stood up to the attack, and even if a threat actor managed to get hold of an encrypted version of your password vault, they couldn’t really do anything with it.

Having said that, Bitwarden has very similar security to LastPass: your vault is encrypted locally before being uploaded to Bitwarden’s servers, so they couldn’t access your vault even if they wanted to. Your master password then goes through numerous rounds of hashing and salting to further protect it from prying eyes.

If for some reason Bitwarden were to get hacked and your data was exposed, your information is still protected. This is because Bitwarden uses strong encryption and one-way salted hashing. As long as you use a strong master password, your data is safe no matter who gets hold of it.
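As an added illustration of the design the two paragraphs above describe (this is example code written for this page, not Bitwarden’s own implementation), the sketch below separates the key that is derived locally and never leaves the device from the salted, re-hashed authentication value that is all the server ever stores. The iteration counts and the use of the account e-mail as the client-side salt are assumptions for the example.

```python
import hashlib
import hmac
import os

# Parameters assumed for this illustration; they are not Bitwarden's own values.
CLIENT_ITERATIONS = 100_000   # key stretching performed in the client
SERVER_ITERATIONS = 100_000   # extra stretching of the stored auth value


def derive_master_key(password: str, email: str) -> bytes:
    """Client side: stretch the master password, salted with the account e-mail.

    This key (or one derived from it) encrypts the vault and never leaves
    the device, so a server breach cannot expose it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Client side: a separate one-way derivation used only to prove identity.

    Only this value is transmitted; it cannot be reversed into master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def register(email: str, password: str) -> dict:
    """Client derives the auth value; server salts and re-hashes it before storing."""
    auth_hash = derive_auth_hash(derive_master_key(password, email), password)
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    # This record is everything a database leak would expose for this user.
    return {"email": email, "salt": salt, "hash": stored}


def login(email: str, password: str, record: dict) -> bool:
    """Client recomputes the auth value; server compares in constant time."""
    auth_hash = derive_auth_hash(derive_master_key(password, email), password)
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    rec = register("alice@example.com", "correct horse battery")
    print("login ok:", login("alice@example.com", "correct horse battery", rec))
    print("wrong pw:", login("alice@example.com", "wrong password", rec))
```

Because the stored value is derived from the auth hash rather than from the master key, even an attacker holding the server record still has to guess the master password itself, which is why the strength of that one password matters so much.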

To add to this, Bitwarden is encouraging security researchers to responsibly report vulnerabilities that are found, via HackerOne. Having said that, to my knowledge, there have not been any independent security audits of Bitwarden yet.

One of the things I think Bitwarden does right over LastPass is the lack of auto-fill. On LastPass, if there is a match, your username and password are filled automatically without any user interaction. Bitwarden, on the other hand, requires its users to select the account to auto-fill, which is then pasted in.

Now, you may be thinking that this is a bonus point for LastPass, however, adding this deliberate step mitigates against theft of credentials via auto-fill.

Room For Improvement

Although good, I think Bitwarden’s security could do with some improvement to bring it in line with LastPass. These are small items, and don’t actually stop me using the product, but they are worthy of improvement in my opinion. These are:

  • Geolocation – LastPass allows its users to limit logins to certain countries only. It would be great if Bitwarden also had this feature.
  • 3rd parties – Bitwarden uses 3rd party tools for payments. Although not a major issue, any 3rd party utilities that are in use can technically increase the attack surface.
  • Analytics – Within the app, there is an option for disabling analytics, stating that “We use analytics to better learn how the app is being used so that we can make it better. All data collected is completely anonymous”. Analytics are enabled by default. I would prefer this was disabled by default, or an option to choose when the app is first run.

Two Factor Authentication (2FA)

Both LastPass and Bitwarden offer a range of 2FA options. Everything from Google Authenticator, to Yubikeys, to plain old email. The fact of the matter is, both LastPass and Bitwarden offer a number of 2FA options, which is extremely important in order to add additional layers of security to such important data.

Arguably one of the biggest advantages that Bitwarden has over LastPass, is that if you don’t trust them for whatever reason, you don’t have to. Since Bitwarden is open source, you can host your own instance, on your hardware, at your own site. That way, you really do keep full control of the entire application stack.

Integration

Personally, I use a wide variety of devices and operating systems. I have both Windows and Linux based machines, I use Android on my mobile phone, my tablet is an iPad, and I also have a Chromebook. So for me, broad integration is key for tools like LastPass and Bitwarden. Luckily, both password managers support pretty much every operating system and browser you can think of.

By using one of the browser addons, users can enter their credentials for sites they have stored within their password manager automatically. This is common in many password managers. However, Bitwarden takes things one step further over LastPass, as it allows users to also store 2FA tokens within Bitwarden itself, so if you don’t have your phone to hand, you can log in using 2FA, right from the app.

LastPass vs Bitwarden Compared

The table below shows a direct comparison of some of the features LastPass and BitWarden offer:

Conclusion

Overall, both LastPass and Bitwarden are comparable products in terms of their functionality and usability. However, if you’re really paranoid and want to go with the product that has a proven track record, choose LastPass. Having said that, Bitwarden’s security (in my opinion) is more than capable of securing my passwords to such a degree that I’m happy to use it. Hopefully, a security audit in the near future will bolster that belief.

I personally moved over to Bitwarden around 6 months ago, following the price rises by LastPass, as well as the fact that they had been purchased by LogMeIn – who have a proven track record of not treating their users very well.

I wanted something open source, but also as functional as LastPass. I have most definitely found that in Bitwarden. My partner is still using LastPass, as her account hasn’t expired yet. However, when it does, I will definitely be moving her over to Bitwarden also.

Are you using a different password manager? Or have you tried Bitwarden and found it not to be an appropriate LastPass alternative? If so, feel free to tell me more in the comments…

Update Nov 2018

The Bitwarden team have now completed a 3rd party security audit and the results were positive. You can read the full report here.