
Bitwarden – Open Source Password Manager - GutenYe
https://bitwarden.com/
======
ohthehugemanate
I switched from LastPass to bitwarden in November, and I love it.

\- it's FOSS, and audited, so it's software I can trust

\- great UX on Firefox, chrome, and even Edge. I had my issues, but the
project improved them away very quickly.

\- sharing support for families or organizations.

\- convenient standalone clients for win/Mac/Linux... And even the CLI.

\- built in 2FA code generation for each entry, so I don't need a separate app
for that.

\- the best autofill I've experienced, on desktop browser and even on
mobile(!)

\- open API so there are third party clients available

\- the lead developer is super responsive on GH, so I've been able to
contribute.

\- cheaper than the alternatives (at least at the time), and I feel good about
where my money is going.

I can't recommend it strongly enough. It's one of the OSS applications that
has a permanent place on all my devices, right up there with Firefox quantum
in my "great examples of OSS" list.

~~~
giggsey
Is storing the 2FA codes alongside your password a wise idea?

~~~
Borealid
Yes, if the attack vector you're trying to close is a compromised
keyboard/network/terminal and not a stolen-while-unlocked device.

"Catching" one 2FA code doesn't let you compromise someone's account.

Losing (or having compromised) the hardware running your password manager
while that password manager is unlocked is a totally different thing from
logging into a web site once from a library computer.

~~~
pilif
_> Yes, if the attack vector you're trying to close is a compromised
keyboard/network/terminal and not a stolen-while-unlocked device._

however, not having the TOTP key in your password manager would also protect
against malware on your machine running the password manager from gaining
access to your account.

------
keehun
I really, really want to be a big fan of Bitwarden. I even used it for the
past year and a half. However, the last time HN talked about Bitwarden 7
months ago, I listed some reasons[0] why Bitwarden still fell massively short
of 1Password, and I feel that those three points have not been addressed
(which I believe impacts the friction/convenience of using Bitwarden).

My three points then were:

1\. A stand-alone desktop app. Quite annoying to have to open up a browser
every time I want to access a password. Basically, it's as inconvenient as
Keychain on OSX if you're not using a browser when you need a login info. This
could be solved if the browser plugin popup could be persisted as its own
window.

2\. iOS app is not polished. Not sure about Android app as I've not used it.
(* biggest problem then was how slow search was. It has been improved although
nowhere as fast as 1Password's—still)

3\. In the Safari extension, I would love to be able to search and use item
entries that are not specific to the domain. Sometimes, I have other info in
secured notes or password entries without a domain that I want to get to from
the extension. In these cases, I've had to leave the browser and open the
actual app to get access to them.

I just migrated from Bitwarden to 1Password a few days ago and have been much
happier since—especially with 1Password's ability to generate 2 factor tokens
and put them in your pasteboard automatically so you don't ever have to pull
up an Authenticator app!

[0]:
[https://news.ycombinator.com/item?id=15734260](https://news.ycombinator.com/item?id=15734260)

~~~
lhl
I've been a 1Password user for about 10 years, but I never moved to 1Password
6, as I didn't want to sync my vault to their servers (even if it's E2E
encrypted). I've moved from being primarily an OSX user to Linux, and as a
result, my experience has progressively gotten worse enough on 1PW (broken FF
extension, general jankiness running on Wine) that I'm finally looking to switch
off, either to KeePassXC or to Bitwarden.

As far as a desktop app, it's electron-based, but there is a cross-platform
Bitwarden app that seems to work well enough (responsive, minimizes to tray,
etc).

I've yet to import all my passwords into Bitwarden (still comparing the Ruby,
Go, and Rust standalone server implementations), so I guess we'll see where
the experience is after I fully switch.

Regarding 2FA, while it doesn't totally expose you, if you put your token in
your PW manager, you've definitely significantly weakened your security.

~~~
hisyam
You don't have to sync your vault in 1Password 6.

~~~
xoa
Nor in 1Password 7 (the latest version). They do push it pretty hard, and
given their evasiveness/dishonesty about the business implications of
subscriptions and the push I wouldn't blame anyone for being concerned that
stand alone license+vault support might be removed in a future version (they
have said there will be no more free version updates IIRC though). However,
for the time being subscriptions and 1P's cloud service remain optional and
possibly disappointing only in terms of eliminating what might have been, not
anything that already existed.

------
m_sahaf
There are also two Bitwarden-compatible API implementations in Rust[0] and
Ruby[1]. Their main advantage, IMO, is them doing away with the requirement of
Microsoft SQL Server.

[0] [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)

[1] [https://github.com/jcs/bitwarden-ruby](https://github.com/jcs/bitwarden-ruby)

~~~
hashkb
This is great ammo for answering when anyone asks why Bitwarden (or OSS in
general) is better than LastPass or 1Password...

~~~
satysin
I thought it was very cool of Kyle, the Bitwarden dev, to give Joshua, the
Ruby dev, a heads up about breaking API changes ahead of time.

[https://github.com/jcs/bitwarden-ruby/issues/32](https://github.com/jcs/bitwarden-ruby/issues/32)

------
nickjj
If anyone wants an open source command line driven password manager that
doesn't require signing up or hosting anything, I recommend checking out
"Pass". It piggybacks off GPG encryption.

[https://www.passwordstore.org/](https://www.passwordstore.org/)

I use it to manage over 300 passwords and other sensitive blobs of text (it
lets you save arbitrary text snippets) and also has some nifty quality of life
features like auto-copying a password to your clipboard for 30 seconds when
you want to access a specific password.

~~~
chme
I like and use pass regularly, but it has some inconveniences.

\- It doesn't encrypt the paths to the passwords

\- It doesn't use a structural language for the password files, so additional
information like username has to be stored in the path of the password

\- It doesn't work with (Update: X.509) smartcards/gpgsm

\- It's written in bash. That has pros and cons...

~~~
phaer
> \- It doesn't use a structural language for the password files, so
> additional information like username has to be stored in the path of the
> password

only the first line of an encrypted file is considered to be the password. So
you can just put your username or any other account-related information on the
following lines.

> \- It doesn't encrypt the paths to the passwords

To elaborate: One of the problems with this approach is that it may leak
websites where you have accounts to people who gain access to your pass
repo/directory even without gaining control of your gpg key.

> \- It doesn't work with smartcards/gpgsm

What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?

~~~
chme
>> \- It doesn't use a structural language for the password files, so
additional information like username has to be stored in the path of the
password

> only the first line of an encrypted file is considered to be the password.
> So you can just but your username or any other account-related information
> on the following lines.

I didn't know that. But what I would have preferred was copying the username
with one command and copying the password with another.

>> \- It doesn't work with smartcards/gpgsm

> What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?

I haven't tried that with a yubi key, but with a corporate X.509 id card. And
that needed gpgsm. I had to patch pass in order for it to work, because gpgsm
uses different parameters than gpg.
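
As an added illustration of the two points exchanged above (this is not code from pass itself): the first line of a decrypted entry is the password and everything after it is free-form metadata, so a small parser can hand out the username and the password separately, and pass-otp's convention of putting an `otpauth://` URI on its own line fits the same layout. The last function shows what a directory listing of the store reveals to someone who has the repository but not the GPG key. The sample entry and file listing are constructed; the `login:`/`user:` field names are one common convention, not something pass enforces.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed decrypted entry, i.e. what `pass show Web/example.com` would print.
SAMPLE_ENTRY = """correct horse battery staple
login: alice
url: https://example.com/login
otpauth://totp/example.com:alice?secret=JBSWY3DPEHPK3PXP&issuer=example.com&digits=6
recovery codes are in the safe
"""

# Constructed `find ~/.password-store -type f` output: readable without any key.
SAMPLE_LISTING = [
    ".gpg-id",
    ".git/HEAD",
    "Banking/chase.com.gpg",
    "Email/gmail.com/alice.gpg",
    "Work/vpn.gpg",
]

USERNAME_KEYS = ("login", "user", "username")  # assumed convention


def parse_entry(text: str) -> dict:
    """First line = password (the only thing pass itself defines). Remaining
    lines are `key: value` pairs, an otpauth:// URI, or free-form notes."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("entry has no password line")
    entry = {"password": lines[0], "fields": {}, "otpauth": None, "notes": []}
    for line in lines[1:]:
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("otpauth://"):
            entry["otpauth"] = stripped
        elif ":" in stripped and not stripped.startswith("http"):
            key, value = stripped.split(":", 1)
            entry["fields"][key.strip().lower()] = value.strip()
        else:
            entry["notes"].append(stripped)
    return entry


def username(entry: dict):
    """Separate lookup so a front end can copy the login without the password."""
    for key in USERNAME_KEYS:
        if key in entry["fields"]:
            return entry["fields"][key]
    return None


def otp_params(uri: str) -> dict:
    """Pick the pieces a TOTP generator needs out of an otpauth:// URI."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    return {
        "type": parts.netloc,                       # "totp" or "hotp"
        "label": unquote(parts.path.lstrip("/")),   # "issuer:account"
        "secret": query.get("secret", [None])[0],
        "issuer": query.get("issuer", [None])[0],
        "digits": int(query.get("digits", ["6"])[0]),
    }


def entries_visible_without_key(listing) -> list:
    """Entry names an attacker reads straight off the file names of a copied
    store or git remote: which sites you have accounts at, no decryption needed."""
    return sorted(
        path[:-len(".gpg")] for path in listing
        if path.endswith(".gpg") and not path.startswith(".")
    )


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print("username :", username(entry))
    print("password :", entry["password"])
    print("otp      :", otp_params(entry["otpauth"]))
    print("leaked   :", entries_visible_without_key(SAMPLE_LISTING))
```

The leak function is the practical answer to the "paths are not encrypted" objection: if the store is pushed to a git remote or copied from a backup, the names under `Banking/` and `Email/` are visible to anyone holding the files, even though every password inside them stays encrypted.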

------
pmontra
[https://github.com/bitwarden/core/blob/master/README.md](https://github.com/bitwarden/core/blob/master/README.md)

SQL Server 2017, really? Interesting choice. Open source but we have to pay
licenses for the database if we want to self host. I wonder what was wrong
with PostgreSQL or MySQL even if they're using .NET Core as a language.

Edit: there is an issue for that
[https://github.com/bitwarden/core/issues/10](https://github.com/bitwarden/core/issues/10)

~~~
LyndsySimon
Having worked with many RDBMSs in the past, MSSQL is one of the very few that
I would recommend for new installations.

Basically, my flow chart for DB selection:

Do you have an enterprise worth of money to burn on the deployment and
maintenance? Oracle.

Are you deploying to Windows? MSSQL.

Else: Postgres.

~~~
eitland
> Do you have an enterprise worth of money to burn on the deployment and
> maintenance? Oracle.

Even then I'd actively try to avoid it.

Source: three years installing, configuring and supporting it.

~~~
LyndsySimon
I don't disagree - but with an "enterprise worth"† of money to burn, you can
hire someone like you to suffer through it!

†: Now that I've used it twice, I move that we make an "enterprise worth" a
unit of measurement of money, like a "Library of Congress" is a unit of
measurement of storage.

------
jhabdas
For years I've discouraged use of clouds for storing passwords. But because
Bitwarden is FOSS software, encrypts data on the client, has good cross-
platform support, and can operate if the company goes out of business they
have won me over for the storage of secrets I'm not reserving for the
sneakernet.

~~~
bad_user
Last time I checked Bitwarden was not encrypting data on the client. Did that
change?

Also, OSS does not mean secure. Without audits from security experts, I can’t
trust it.

Bitwarden is objectively less secure than 1Password or Keepass actually, at
the very least because it doesn’t have a desktop application.

~~~
number6
Bitwarden has a desktop client.

If you are hosting it on your private server does it change your outlook on
its security?

~~~
bad_user
No, it’s worse.

~~~
zouhair
Very thorough argument.

~~~
bad_user
Matches the question, but should be obvious why.

I do not have the inclination or resources to secure and keep my server up to
date, unless we are talking about a periodic "apt upgrade" that I could
configure to run automatically, but no more than that. And at the very least I
know how to reasonably secure a Linux server, at least initially.

If running your own server gives you peace of mind in terms of security, then
read more about how security works and the threat model you'll face. Just to
give an obvious example ... running your own Wordpress is one of the worst
things you can do on your own server, putting your whole server at risk, not
just your website.

~~~
LyndsySimon
> running your own Wordpress is one of the worst thing you can do on your own
> server, putting your whole server at risk, not just your website.

My personal experience says this is 100% true.

Even when I've managed to stay on top of WP updates my server is invariably
targeted by automated attacks more often than others that are hosting static
sites and other frameworks. I strongly suspect that attackers maintain lists of
server addresses that host WordPress sites and use that to make assumptions
about their running services. If they know that it's a "self-hosted" webserver,
even if they can't break WordPress there's a very good chance that some other
unpatched vulnerability exists.

------
ramses0
[https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
hashkb
Can I take advantage of this on my mobile device or browser? Can I share with
my team? It's not really apples to apples.

~~~
shakna
Yes. You can. [0]

I run passff [1], to get Firefox to use it, and Android-Password-Store [2] on
my phone.

[0]
[https://www.passwordstore.org/#extensions](https://www.passwordstore.org/#extensions)

[1]
[https://github.com/jvenant/passff#readme](https://github.com/jvenant/passff#readme)

[2] [https://github.com/zeapo/Android-Password-Store#readme](https://github.com/zeapo/Android-Password-Store#readme)

~~~
etu
Theres also browserpass [0], it works great in firefox and chrome as well.

A great great plugin is pass-otp [1], using this I have migrated the storage
of all OTP secrets from my phone to pass. And then I export it from pass to my
phone. That way I still have my OTP secrets if I lose my phone and don't have
to hassle with recovery of accounts just because of losing the phone. For
sure the OTP needs to be changed at that point but still worth it.

It's also worth to mention that browserpass [0] integrates pass-otp [1] so
whenever I log in to a page (that has an OTP secret) using browserpass it
shows a little box in the top right corner with the current OTP code that I can
copy-paste to the site.

[0]:
[https://github.com/browserpass/browserpass](https://github.com/browserpass/browserpass)

[1]: [https://github.com/tadfisher/pass-otp](https://github.com/tadfisher/pass-otp)

------
albertop
First paragraph on their page disqualifies it completely. I do not want my
passwords on anybody’s servers.

> Our secure cloud syncing features allow you to access your data from anywhere,
> on any device! Your vault is conveniently optimized for use on desktop,
> laptop, tablet, and phone devices.

~~~
ReverseCold
> I do not want my passwords on anybody’s servers.

What about your own server?

[https://help.bitwarden.com/article/install-on-premise/](https://help.bitwarden.com/article/install-on-premise/)

~~~
techsupporter
To me, this disqualifies it:

> Each Bitwarden installation requires a unique installation id and
> installation key.

If I’m self hosting, I want it to be independent of the code provider. It is
bad enough, to me, that I have to pay a subscription fee to self-host
“advanced” features like Yubikey auth. That’s the same kind of annoying that
my own install still must link to their server that can die at any moment.

Let me buy the software to self-host with all of the features. The
“subscription” and “integrated” mindset has no place in “I’m doing it myself”
installs.

~~~
jchw
>That’s the same kind of annoying that my own install still must link to their
server that can die at any moment.

With software like a password manager, if it's not actively maintained you're
not going to want it anyway. So the same risk of the developers either
discontinuing the product OR changing the pricing model applies just about
evenly.

Being open source, at least the community can fork and maintain the software
if the developers ever did throw in the towel, similar to TrueCrypt's forks.

------
widerporst
I'm using KeepassXC on desktop, Keepass2Android on mobile and Dropbox for
syncing the database and I'm quite happy with it. Bitwarden looks a bit more
polished, but are there any other advantages over Keepass?

~~~
timendum
Check also KeePass Dx for Android, it has some nice features like Fingerprint
for fast unlocking, AutoFill and a nicer Material Theme.

~~~
mrrsm
Other than the design being a tiny bit different I can't see what KeePass Dx
offers that differentiates itself from Keepass2Android?

------
ron22
I love Bitwarden. I signed up when it first launched and happy to see it
continue to add features. One of the only projects I pay to support the
project rather than to get access to the additional premium features.

------
anotherevan
I recently switched to BitWarden from Lastpass after trying a few different
options including pass, Enpass and KeePass options.

95% of my usage is in the desktop browser, and the UI of their add-on is
great, IMO.

Lastpass had been getting worse for some time, and their shuttering of Xmarks
finally left me with no good reason to stay.

Using the add-on with Firefox on my phone is reasonable, although could be a
bit better. Phone experience in general I'd say is also quite reasonable - not
used it that much yet, but I think it is quite comparable to other offerings.

~~~
rosege
Was the data transfer easy between the 2? I'm thinking of doing the same.

~~~
anotherevan
Yes, it was very easy. Just follow the instructions from here:
[https://help.bitwarden.com/article/import-from-lastpass/](https://help.bitwarden.com/article/import-from-lastpass/)

~~~
jumbopapa
Do pay attention to the HTML encoded characters mentioned on that page because
I was going crazy trying to figure out why some passwords didn't work after I
imported them.

------
czei002
One problem with password managers (that are using web authentication to
create/manage an account for backing up the password manager in the cloud) is
that the authentication password can be leaked during the authentication
process. For example, the storage provider for password manager backup can
simply read the password from the authentication web page since this web page
is hosted at the provider. This is problematic if the authentication password
is also used to encrypt the password manager, i.e. the provider could decrypt
the password manager with the authentication password. You would actually need
two passwords; one for authentication and one for encryption. Unfortunately,
you usually don't even have the option to choose two passwords.

To solve this problem I'm working on FejoaAuth
([https://fejoa.org/fejoapage/auth.html](https://fejoa.org/fejoapage/auth.html)).
FejoaAuth uses an authentication protocol that does not leak the user password
to the provider who is going to store the password manager. This protocol is
run in a trusted browser plugin in order to ensure the correct execution of
the protocol. Thus you can use a single password for authentication and
password manager encryption.
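
The split this comment asks for can also be made on the client from a single master password, which is how most zero-knowledge managers approach it. Below is an added example (not FejoaAuth's protocol and not Bitwarden's code) using only Python's standard library: PBKDF2 stretches the password into a master key, HKDF-Expand derives two independent keys from it, the server only ever sees the authentication key (and stores only a salted hash of it), and the encryption key never leaves the client. It addresses the "one password decrypts the vault" problem, but not the other half of the comment: if the login page itself is served by the provider, the provider's JavaScript could still ship the raw password, which is why the comment wants the protocol in a trusted plugin. The `seal`/`open_sealed` pair is a keystream-plus-HMAC stand-in for a real AEAD (assume AES-GCM or XChaCha20-Poly1305 in practice); the iteration counts and the `b"enc"`/`b"auth"` labels are assumptions.

```python
import hashlib
import hmac
import os


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256. The PBKDF2 output already serves as
    the pseudorandom key, so the extract step is skipped (assumption)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(password: str, email: str, iterations: int = 100_000):
    """Client side only: one password in, two unrelated 256-bit keys out.
    The e-mail is the salt (lower-cased so case differences do not fork keys)."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 email.lower().encode(), iterations, 32)
    enc_key = hkdf_expand(master, b"enc")    # never transmitted
    auth_key = hkdf_expand(master, b"auth")  # sent to the server at login
    return enc_key, auth_key


def keys_independent(password: str, email: str) -> bool:
    enc_key, auth_key = derive_keys(password, email)
    return enc_key != auth_key


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: HKDF-derived keystream XOR plaintext, then an HMAC tag
    over nonce||ciphertext. Replace with a real AEAD in production."""
    nonce = os.urandom(16)
    stream = hkdf_expand(key, b"stream" + nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(hkdf_expand(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hkdf_expand(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob tampered with or wrong key")
    stream = hkdf_expand(key, b"stream" + nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and confirm open_sealed refuses the blob."""
    flipped = bytearray(blob)
    flipped[16] ^= 0x01
    try:
        open_sealed(key, bytes(flipped))
    except ValueError:
        return True
    return False


class Server:
    """Holds a salted hash of auth_key plus an opaque blob. Nothing stored
    here can produce enc_key, so a server-side breach yields ciphertext only."""
    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(auth_key: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000, 32)

    def register(self, email: str, auth_key: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, self._hash(auth_key, salt), blob)

    def login(self, email: str, auth_key: bytes):
        record = self.users.get(email)
        if record is None:
            return None
        salt, stored, blob = record
        return blob if hmac.compare_digest(stored, self._hash(auth_key, salt)) else None


def round_trip(password: str, email: str, vault: bytes, server: Server) -> bytes:
    """Register, then log in as if from a fresh device and decrypt the result."""
    enc_key, auth_key = derive_keys(password, email)
    server.register(email, auth_key, seal(enc_key, vault))
    enc_key2, auth_key2 = derive_keys(password, email)
    return open_sealed(enc_key2, server.login(email, auth_key2))


if __name__ == "__main__":
    srv = Server()
    print(round_trip("hunter2", "alice@example.com", b"example.com: alice / s3cret", srv))
    print("keys independent:", keys_independent("hunter2", "alice@example.com"))
```

The property worth checking against any hosted manager is the one `Server` makes explicit: everything it stores must be derivable without `enc_key`, and `auth_key` must be a one-way derivation from the password so that the server cannot run PBKDF2 backwards to reach `enc_key`.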

------
commanderkeen08
Here’s why I switched from 1Password—

I recently picked up a Pixelbook and have gone all in on ChromeOS. It's
replaced my MBP. But unfortunately, that meant parting ways with 1Password.

I needed a new password manager with the following: self-hosted, TOTP support
(have since decided not to use this), a web UI, and an iOS app with Face/Touch ID.

I tried the 1Password subscription but 1Password X just felt too clunky and I
wasn’t in love with storing on their server.

Keepass/XC/whatever was a hot mess for me. I really wanted to use it and the
idea of keeping and syncing a single db file still really appeals to me, but
the ecosystem is such a mess. I tried running a self hosted container for
Keepass Web but I kept having to enter a Dropbox API key on every client. I
also couldn’t find an iOS app that supported Face ID or the option for storing
TOTP. Maybe it’s a better experience on Android. On top of that, the UI was
pretty jarring all around.

Bitwarden still has some work in the UI department. The lack of keyboard
shortcuts and a native app adds some resistance but it’s manageable for me.

------
duxup
I've been a Keepass user for so long I just haven't wanted to switch. I just
don't want to use someone else's server... or setup my own. Even so best of
luck to them.

~~~
negus
Yeah. You may sync your keepass db using Google Drive-like services -- I do
this

------
fluxsauce
If you were curious about the Open Source part (I was) -
[https://github.com/bitwarden/](https://github.com/bitwarden/)

------
amanzi
I've been using this for the last few months and couldn't be happier. I use
the browser extensions in Firefox, Chrome and Edge, as well as the desktop,
Android and web apps.

~~~
toomuchtodo
How does it compare to KeePassXC and 1Password?

~~~
amanzi
I found KeePassXC to be fairly clunky and didn't work well on Android with
regards to autofilling forms, but that was a while back and it may have
improved since then. Also with Bitwarden I've elected to have them host my
encrypted passwords so I don't need to worry about setting up my own sync
provider. I don't know much about 1Password but I didn't trust them to put too
much effort into their Android app since they were predominantly an Apple
shop.

~~~
Semaphor
> didn't work well on Android with regards to autofilling forms

Works pretty well, I use "Keepass2Android Password Safe" and it supports the
newest APIs to enable fully automatic filling once you tell it which app
belongs to which account. For syncing I use my own nextcloud server.

------
amaccuish
I like Enpass. Syncs to my own nextcloud. What other password managers can do
that out of interest?

~~~
justtoast
I also use Enpass. It needs more of a mention in these threads.

~~~
npongratz
I suspect Enpass doesn't get much mention on HN threads because it is not (or
at least, does not obviously appear to be) open source, which I've observed is
of paramount interest to a large number of HN readers -- full disclosure:
including me.

Because it is not open source [0], we must take statements like the following
purely on faith in their PR department, rather than being able to
independently verify:

[https://www.enpass.io/kb/if-enpass-is-an-offline-password-manager-then-why-does-it-connects-to-internet-and-shows-network-activity/](https://www.enpass.io/kb/if-enpass-is-an-offline-password-manager-then-why-does-it-connects-to-internet-and-shows-network-activity/)

"Indeed Enpass is an offline password manager and saves your data locally on
your device and in any case, we do not (and we can not) access any of your
data. But yes, Enpass does connect to the internet with the sole purpose to
give best user experience."

I'm sure they're really nice people, and do their best, etc, etc, but
passwords are the linchpin crown jewels. Enpass could secretly and
instantaneously become bad actors or incompetent stewards of said crown
jewels, and we wouldn't know, since we cannot see what they are doing. One of
many risks I would not take.

[0] Please correct me if my search-engine-fu is weak today, but I can find no
official Enpass open source repos or code anywhere.

------
Mefis
Any reason not to use Firefox's own password sync? It's been working fine for
me so far.

------
pvg
Has come up a fair bit before.

[https://hn.algolia.com/?query=bitwarden&sort=byPopularity&pr...](https://hn.algolia.com/?query=bitwarden&sort=byPopularity&prefix&page=0&dateRange=all&type=story)

~~~
nepeckman
It was probably posted in response to the firefox lockbox announcement.

------
untitled_bob
1Password works great on iOS and macOS but it's not open source... and there's
the subscription they try to impose... and their servers... So I was looking
to replace it. Bitwarden could be the one in the near future as Keepass is a
real pain on iOS and mac for a non-techie. The problem I still have with
bitwarden is that the app won't work unless connected to the internet. If the
connection is missing you can't add or edit anything, store on your device and
sync later :-(

------
ericseppanen
"Each Bitwarden installation requires a unique installation id and
installation key."

Sorry, it doesn't count as open source if everyone needs your permission to
run it.

~~~
mcfedr
It's open source, not too hard to remove this requirement

~~~
ericseppanen
The time investment to prove or disprove this statement is more than I'm
willing to give. I'd prefer to spend my time working with projects whose
maintainers aren't hostile to my privacy.

~~~
tylerhou
> whose maintainers aren't hostile to my privacy

How are they violating your privacy?

------
alexeymetz
This is a nice product, but the server requirement completely eliminates it as a
candidate instead of 1Password for me. I still can't find a better open-source
solution which works completely offline on desktop, browsers and mobile
devices with the possibility of synchronization using 3rd-party services,
decent UI and at least the ability to store TOTP passwords.

Enpass is good, but it's proprietary too.

------
logix
It's full of shills every time there's an article about password managers. I
wonder if they come from LastPass or 1Password.

------
Solar19
This looks like it could be better than LastPass. Bitwarden is the only
password manager that I've seen that officially supports Opera, Vivaldi, and
Brave. I wonder what the browser support on Android is like. LastPass seems to
work only on Chrome on Android, but I like to use Firefox, Opera, and
Samsung's optimized browser.

~~~
jillesvangurp
Firefox mobile can use the extension and the native android app is fully
supported by Android's password completion support as well.

------
geberl
If you're searching for an open-source self-hosted alternative that offers
corporate features like LDAP integration take a look at SysPass
([https://github.com/nuxsmin/sysPass](https://github.com/nuxsmin/sysPass)).
Doesn't look as nice as Bitwarden though.

------
rohan404
We evaluated Bitwarden to use as our company vault for shared accesses,
however found OneLogin to have a better UI, additional functionality
(especially when it came to syncing with our Google directory) and the price
(for enterprise) wasn't too much less than OneLogin (which is negotiable
anyways).

~~~
jhickmanit
I personally would be a little wary of OneLogin, they suffered a breach in the
past[1]. I know a lot of services are breached but one keeping my secrets I
want rock solid.

[https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/](https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/)

~~~
crypt1d
to be fair, many of them could be breached already, you just don't know about it
yet. At least with OneLogin there was a disclosure and pressure from the
public to improve their opsec.

------
ggm
If somebody wrote code to let me send the second factor from a nominated
device as my bank's use of Symantec technology does... it would be cool: I keep
meaning to remind myself having the second factor inside 1password is not a
second independent factor.

------
tehabe
What I really like about Bitwarden is, that you can define several URLs for
one entry, I have some services which can be accessed from several addresses
(same account) though.

It is also possible to define how a URL is matched which is a nice feature
too.
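
An added example (my own, not Bitwarden's code) of how multi-URI entries and per-URI match rules fit together, using the match modes the client exposes (base domain, host, starts with, exact, regular expression, never). The security-relevant detail is the default: base-domain matching has to know public suffixes, otherwise `evil.co.uk` would match an entry saved for `bank.co.uk`, and `starts_with`/`regex` rules are only safe when they are anchored at the scheme. The suffix table below is a five-entry placeholder for the Public Suffix List, the vault is constructed, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Placeholder for the Public Suffix List (assumption: real code loads the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "github.io", "herokuapp.com"}


def host_and_port(url: str):
    """Lower-cased hostname (IPv6 brackets stripped) and explicit port, if any."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower(), parts.port


def base_domain(host: str) -> str:
    """Registrable domain: IP literals as-is, otherwise public suffix + one label."""
    if re.fullmatch(r"[\d.]+", host) or ":" in host:
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def uri_matches(entry_uri: str, page_url: str, mode: str = "base_domain") -> bool:
    if mode == "never":
        return False
    if mode == "exact":
        return entry_uri == page_url
    if mode == "starts_with":
        return page_url.startswith(entry_uri)
    if mode == "regex":
        # fullmatch: the pattern must describe the whole URL, scheme included
        return re.fullmatch(entry_uri, page_url) is not None
    entry_host, entry_port = host_and_port(entry_uri)
    page_host, page_port = host_and_port(page_url)
    if mode == "host":
        return (entry_host, entry_port) == (page_host, page_port)
    if mode == "base_domain":
        return bool(entry_host) and base_domain(entry_host) == base_domain(page_host)
    raise ValueError(f"unknown match mode {mode!r}")


# Constructed vault: one entry may list several URIs, each with its own rule.
VAULT = [
    {"name": "Example SSO",
     "uris": [("https://example.com", "base_domain"),
              ("https://example.co.uk", "base_domain")]},
    {"name": "Intranet wiki",
     "uris": [("https://wiki.corp.example", "host"),
              ("https://10.0.0.5", "host")]},
    {"name": "Dev/prod console",
     "uris": [(r"https://(dev|prod)\.console\.example\.com/.*", "regex")]},
    {"name": "Admin panel (never autofill)",
     "uris": [("https://admin.example.com", "never")]},
]


def matching_entries(vault, page_url: str) -> list:
    """Names of the entries an extension would offer to fill on this page."""
    return [e["name"] for e in vault
            if any(uri_matches(u, page_url, m) for u, m in e["uris"])]


if __name__ == "__main__":
    for url in ("https://login.example.com/auth", "https://example.com.evil.net/",
                "https://evil.co.uk/", "https://10.0.0.5/login",
                "https://prod.console.example.com/overview"):
        print(f"{url:45} -> {matching_entries(VAULT, url)}")
```

Note what the last sample URL shows: with base-domain matching as the default, the broad "Example SSO" entry is offered on every `*.example.com` host alongside the narrower regex entry, so the "never" rule on one entry does not stop another entry for the same domain from filling. Tightening the rule on the entry that carries the sensitive credential is the lever, not adding a "never" entry elsewhere.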

------
solidrake
I love the Linux app, and the integration on browser extensions and Android
app, but the Android app is very limited on features. I love projects like
this, and support them as a paid member, just like ProtonMail.

------
cipherzero
I love bitwarden, and have converted to it. However i just learned about
[https://passman.cc/](https://passman.cc/) Has anyone used that?

~~~
guroot
Yes, I'm using it currently and have for over a year. It works well enough.
However, the mobile apps haven't shown progress in over a year. Development on
the main app is very slow. The browser extensions work, but do have minor
quirks.

Honestly it feels like a dead project. It's not, but it's lacking in resources
and the devs are lacking in time from what I've been able to gather from the
issue tracker.
[https://github.com/nextcloud/passman/issues](https://github.com/nextcloud/passman/issues)
I do sometimes worry I'm one nextcloud update away from losing access to my
passwords as a recent one did mess with the interface a bit, it's still
functional but some ui elements are mis-aligned.

I've been considering switching to bitwarden for a while. Its interface is
much nicer, and more polished. I've mostly been waiting for one of the
alternative API implementations to mature a bit, because I don't want to have
to run a big honking MS-SQL container on my little VPS. I'm also going to have
to write my own importer, or mangle the data a bit because the CSV format for
passman isn't compatible with any of the import formats for bitwarden.

Or maybe I'll just give up and migrate to pass or
gopass ([https://www.gopass.pw/](https://www.gopass.pw/), worth looking at if
you like pass). I think I want too much from my password manager =/

------
dorfsmay
Can you keep the database on a local disk, Dropbox etc?

~~~
tylerhou
[https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)
is an api-compatible backend and uses SQLite as a database engine. You can also
build it outside of Docker. I'm not sure how well SQLite binary files sync to
Dropbox, but definitely you can run on local disk.

source:
[https://news.ycombinator.com/item?id=17504187](https://news.ycombinator.com/item?id=17504187)

------
xtf
Seriously? A password manager where the desktop app is built on top of insecure
Electron.

~~~
Starz0r
I get that Electron is undesirable, but what do you mean by unsecure? Also,
can you list some alternatives if you don't want them building a desktop app
in Electron?

~~~
self_awareness
Malware can sweep through the memory to find passwords by reading memory
directly from another process' address space.

~~~
smw
This is a risk in desktop software written in other languages and with other
gui frameworks as well, no?

------
vasili111
What are the advantages and disadvantages of Bitwarden over KeePassXC?

~~~
commanderkeen08
A web UI and iOS app that supports Face ID and TOTP codes.

