Bitwarden — Awesome Open Source
Bitwarden is a decent modern password manager. While it is available as a cheap hosted service like many other password managers, the awesome thing about Bitwarden is it is commercially developed as open source software that optionally can be self-hosted. The perfect combination. Hurray!
My aim in embracing Bitwarden is to use a Freedom Software solution (open-source, and self-hosted or really I mean self-owned), and one that I can recommend to ordinary people who are not techies.
Now, the very idea of a cloud-hosted password store should make us suspicious at first, so let's briefly discuss how the concept works. The client program encrypts your secrets before sending them to the server, and decrypts them when it reads them back, and the server doesn't know the decryption key. This is an example of end-to-end encryption, a phrase currently becoming mainstream in relation to chat messaging. Both in messaging and in password management it refers to your data remaining encrypted from the point of entry to the point of exit of the system.
That means the IT personnel who have full access to the server can only see the encrypted data and cannot decrypt your secrets. Security is multi-faceted, but from this perspective at least, security on the server side is assured in this way. Taking a gross simplification, all we need to trust now is the client software. The client programs we use must not disclose our secret data, nor our encryption keys. To be able to establish such trust, the first essential ingredient is to use open source software: then we do not need to rely on claims made by its creators, as it can be openly audited. “Not claimed security but verifiable security.”
The second ingredient in client-side integrity is to assure that the software we are running really corresponds to that source code that has been published. This is a tricky and interesting topic, but not so relevant here as it is common to lots of the client-side software that we use.
How is Bitwarden Better?
Firstly, we can compare Bitwarden to other web-based password managers. For me there is no contest: an open-source and self-hostable solution wins hands down; I simply do not consider the proprietary ones as something I would use. It does not matter which service has slightly different or better features. It is about being locked in. I hate being locked in and occupying my brain space with knowledge about how a vendor's proprietary product works.
And it is not about the monetary cost. I am supportive of paying someone else to host and run services for me, if they charge reasonably for a service. I do pay for some services that are based on open-source software and that I could potentially run myself if I chose.
Bitwarden offers a pretty low cost service which I would recommend you consider using if you can't comfortably self-host or don't want to. I would urge you to support a company that supports open-source and self-hosting like Bitwarden rather than a proprietary service that locks in its customers.
Secondly we can compare Bitwarden to password managers that work with a local password file.
I have been happily using KeePassX (Keepass2Android Offline, KeepassXC) for years, for my personal use. This stores the password database in a file local to the client program. To synchronise the database between devices we can use any independent file synchronisation solution; I have been using Syncthing.
There are distinct advantages to this approach. It rules out a whole class of security issues. If we are using a password manager app that hasn't been granted network access permission, then any rogue or virus-infected version of the app will be unable to send our secrets to a third party. Meanwhile, if we ever run a malicious version of our file synchronisation software, that might be able to send our file to a third party but it would not be able to gain access to our decryption key or password so the file would be useless.
In comparison to KeePassX, Bitwarden shines in being generally easier to use, less “technical” looking with a more familiar modern design, and more widely and uniformly supported across modern devices and web browsers, making it more approachable for less technical users. In comparison to all local-file password managers, Bitwarden offers the ability to log in and access our passwords from anywhere, and organisational features useful for sharing passwords in family groups (and indeed for business and other organisations).
Bitwarden stores its password database on a server, which it accesses over the internet. The client program (Android, Linux desktop, or browser plugin) needs access to the server to log in for the first time and to add and modify passwords. Once logged in, it then caches the passwords locally so you can still read and use passwords while you or the server are temporarily offline.
Someone else has already echoed many of my own thoughts in their blog about Switching from KeePass to Bitwarden, so you could read more there if you like. I self-host in a different way but the essential ideas are there.
Bitwarden's Support for Self-Hosting
Bitwarden (the company) supports self-hosting the server component. In practice that means that the client apps and web-client that they publish have a supported and accessible way to enter our self-hosted server address. It isn't quite in-your-face obvious, but the welcome screen of these apps has a gears icon in the top-left corner for settings, where we can enter our server URL.
Self-Hosting a Bitwarden Server
I am self-hosting VaultWarden as my Bitwarden server. Vaultwarden is an alternative, compatible, self-hosted server for Bitwarden clients. It has most of the functionality of the official server, without some features that are mostly of use to larger organizations. Its primary benefit is that it is easier to deploy in a self-hosting environment.
Migrating from KeePassX
I migrated slowly from KeePassX to Bitwarden. Last year I set up my Bitwarden server and clients, did a basic export/import to transfer the data, and ran both sets of clients and browser plug-ins in parallel. I frequently compared the usability of both. On Android we can select Bitwarden as the “autofill service” in the system settings: see the help page. I switched that over from KP to BW after a while.
The basic import/export that is available in Bitwarden is good enough if you just need to migrate the basic fields (title, username, password, notes, and one URL). I used that for my shared “family” KeepassX database.
For my personal password database, which includes more complex kinds of entry such as ways to access my self-hosted services, I used the third-party conversion script by 'jampe' as it performs a more complete migration. In particular it migrates the additional attribute fields, some of which I had added manually, and some of which contained attributes such as 'KP2AURL2: androidapp://com.example.appname' which Keepass2Android had added to enable password filling in the associated apps.
I made some modifications to that script, fixing some issues and adding more processing of my own:
- convert KP attributes like 'URL2', 'URI 2', 'KPURL2' as additional URIs
- fix error handling: don't fall over when an entry's notes mention 'error'
- exclude KeepassX/KP2A folders 'Recycle Bin', 'Templates', 'AutoOpen'
- include/exclude chosen folders
- report more accurately the number of entries processed
- convert KP attributes with values like 'androidapp://x.y' as additional URIs
- convert TOTP
(I should publish these modifications. I haven't at the time of writing.)
How Good is Bitwarden?
This is going to be short. Basically, Bitwarden does what it needs to do. It helps fill passwords automatically in web pages and (some) apps, it works similarly across most devices and operating systems and web browsers, and it is accessible to ordinary non-techie users. It can be used in a browser anywhere, or as an app without much installation effort.
Bitwarden has enough capabilities for a large organization. One of its shortfalls for a personal or small family usage is that some of the features are visible when they are not needed. For example, having both 'folders' and also the 'collections' within a shared Organization makes more complexity than I would ideally like to see in this scenario. For another example, the screen for adding a new password shows all the possible options, not just the ones a normal user would understand.
In some cases I find Bitwarden slow compared with a local-file password manager, especially the web interface which often pauses for too long. However, the browser plugin and the integration on Android seem to be working fast enough to not get in the way, and these are the most frequent ways of using it.
My aim in embracing Bitwarden, as I said at the beginning, was to use a Freedom Software solution that I can recommend to ordinary people. I am very happy to find that this is what Bitwarden provides.