
Bitwarden: Free, open-source password manager - singingwolfboy
https://bitwarden.com/
======
m_sahaf
There's a compatible Bitwarden server written in Rust called bitwarden_rs[0] for
those who don't want to run the official Docker image with the requirement of
Microsoft SQL Server and the demand for 2GiB of RAM.

[0] [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)

~~~
StavrosK
Does that give you access to all the features, or do you still need to pay?

~~~
Karupan
Haven't used the official server, but I've been using the official clients
with bitwarden_rs without issues for the past week. So I'd guess it's a
complete reimplementation.

~~~
StavrosK
I'm not talking about API compatibility so much, but I think I read somewhere
that you need to get a license even if you use a custom server. So all the
custom server gives you is that it decouples you from the main service.

Do you get TOTP support and Organizations on your custom server for free?

EDIT: I just tried it, and yes, you do get (at least) TOTP support for free.
Haven't tried orgs, but I'm going to convert it for Dokku now and host it
somewhere as a backup plan.

~~~
Unklejoe
> I read somewhere that you need to get a license even if you use a custom
> server

I don't think this is the case. There's really no way to use the license with
a custom server anyway.

------
dang
Previous discussions:

2019
[https://news.ycombinator.com/item?id=18433144](https://news.ycombinator.com/item?id=18433144)

2018
[https://news.ycombinator.com/item?id=17503917](https://news.ycombinator.com/item?id=17503917)

2017
[https://news.ycombinator.com/item?id=15733540](https://news.ycombinator.com/item?id=15733540)

[https://news.ycombinator.com/item?id=14865932](https://news.ycombinator.com/item?id=14865932)

[https://news.ycombinator.com/item?id=14264117](https://news.ycombinator.com/item?id=14264117)

2016
[https://news.ycombinator.com/item?id=12676979](https://news.ycombinator.com/item?id=12676979)

------
Unklejoe
I just set up my own Bitwarden server the other day using bitwarden_rs, a
third-party implementation written in Rust.

It basically gives you all of the premium features for free, as opposed to the
official server which requires a license.

I really wanted to run the official server, but they offered no option of a
lifetime license (only a yearly license). For what it's worth, I would have
been willing to pay a lot more for a license that never expired.

The whole reason I'm hosting the server myself in the first place is because I
want _full_ control, so a subscription based license doesn't really fit well
there.

Given that the project is licensed under the GPL, the license is effectively a
donation anyway, so I hope they consider offering a lifetime license for those
who want to self-host.

~~~
m-p-3
Does the bitwarden_rs server work with the browser addons and the
desktop/mobile apps?

~~~
Unklejoe
Yeah, it works with the official Bitwarden clients. I'm using it with the iOS
client personally.

------
bad_user
We've been using Bitwarden at work, the Teams plan, paying $15 per month, or
$180 per year for 10 users. The only reason I picked it is its open
source nature, otherwise I would have gone for 1Password Teams.

The pricing is odd. For example you can't self-host it without paying
for a license. The code is AFAIK open source, so you could maintain your own
fork with the required code branches removed, if you wanted to. I do hope the
author doesn't pull a bait and switch, after enough users go down this route.
Don't get me wrong, I'm actually not looking into hosting it myself, I'm glad
to pay for a hosted service, but with open source I want that possibility to
be there and I don't want licensing per user for self-hosting either.

And currently I like what the author has been doing. Adding some code in there
that makes it require a license, but that you can remove, is totally fine. But
I'm seeing more and more open source apps turning proprietary nowadays and I
don't look kindly on such bait and switches, because I end up using those apps
because they are open source. Like it is the case for Bitwarden, otherwise
there are often better proprietary options available.

From a usability standpoint, Bitwarden is unfortunately inferior to 1Password
in every way. But it works fine for our purposes, for now. And Bitwarden is
better than LastPass in case you're wondering, even if it has some missing
features.

The official servers are slow. I just had multiple login failures. I'm
assuming that it's experiencing issues due to being featured on HN right now,
but this isn't the first time that it's happening.

But as long as it is _open source_ and as long as it does a reasonable job,
then I'll keep supporting it. Because I'd rather pay for open source
solutions.

~~~
thatsnotmepls
Doesn't it bother you that even though it is open source, it is essentially
maintained by one person [1]?

What happens to the SaaS offering if he gets run over by a car?

[1]
[https://github.com/bitwarden/server/graphs/contributors](https://github.com/bitwarden/server/graphs/contributors)

~~~
bad_user
Open Source means that it can be forked.

If that guy gets hit by a bus and if the app is useful enough (and it is),
then a fork will happen. And I can always do some contributions myself. And if
I'm wrong and that fork doesn't happen, then nobody (with resources) wants it,
in which case we might as well let it die.

The bus factor for open source stuff is great, even with zero contributors at
any point in time.

In contrast when a proprietary app gets killed (either due to acquisition or
b/c it's not profitable) then it's gone for good. If a proprietary app
changes, to include ads or anything that you don't like, there's absolutely
nothing you can do but switch to something else or bend over.

------
fbnlsr
I've switched from KeePassXC, stored on my Google Drive with an offline key
file, to BitWarden last month. I previously was a customer of LastPass and
switched to KeePassXC after being tired of LastPass' UI mess.

Anyways, BitWarden works absolutely flawlessly. There are a few things here
and there that I'd wish it had, like the ability to create templates for
custom categories, but apart from that, it does an amazing job. The websites
autocomplete works really well, and I was pleased to see that I can unlock my
vault on my phone with my fingerprint reader.

Migrating data from KeePassXC to BitWarden went smoothly. I took a moment to
clean my database and reorganize a few things. The database takes a bit of time
to load, but nothing that's a real bother.

The only thing I don't store in BitWarden is the 2FA TOTP I use (mainly Google
Authenticator) as I feel it breaks the entire concept for 2FA. I've seen
people on HN do it, but to me it just feels wrong.

~~~
flanbiscuit
I currently use KeePassXC and think it's great. What made you switch?
BitWarden seems interesting but it's not completely free and you'll need their
servers (or you can set one up yourself). Granted I also use Google Drive to
sync my KeePass db so I'm also using someone else's servers but I've been
considering changing that to syncthing to cut out the server.

~~~
DeadBabyOrgasm
I'm also curious about the same thing. Ever since I started using KeePassXC's
autotype feature, I haven't been able to go to any other password manager.
Even with the degraded mobile options and having to build my own syncing with
things like rclone.

Does Bitwarden have that autotype option? If not, I'm wondering how difficult
it would be to build it myself, if only for the desktop clients.

------
justin_oaks
I reviewed Bitwarden for use in my company a few months ago. I discovered that
there was no way for an admin to allow the recovery of an account (i.e.
allowing a master password reset). This is a non-starter in my organization
since some small percentage of the users _will_ forget their master password.

Has anyone else been successfully using Bitwarden in a team setting? If so,
how do you work around the limitation I mentioned and other such things?

~~~
nine_k
I suppose it's for the same reason why you cannot reset your forgotten
private SSH key.

Secrets are only stored encrypted, and the key is derived from the master
password, not known to any admins. Cracking the admin account or the entire
server gives the intruder very little.

So, it's a feature. You may not want this feature, though.

~~~
paulddraper
> you cannot reset your forgotten private SSH key.

You can though. If you lose your private SSH key, you regenerate it, and the
server admin resets your public key. Zero data loss.

I think the better analogy would have been a disk encryption key. But
note that consumer-facing encryption tech (Mac, Windows) generally doesn't
stick to "user forgot key = user lost data".

> So, it's a feature. You may not want this feature, though.

Yeah, I must agree I do not want this.

I understand it is more secure but it is also more user hostile.

I'll take the risk of a compromised admin (assuming strong password and TFA of
course) over "sorry you lost all your data."

Data integrity is just as much a part of security as data privacy.

~~~
Jasp3r
> If you lose your private SSH key, you regenerate it, and the server admin
> resets your public key. Zero data loss.

This is exactly the same data loss as when you lose your master password.

Just like you store multiple passwords in your password vault, your SSH key
can give you access to multiple servers.

If you lose it, you have to "reset" your public key on _every_ server, just
like you have to reset _every_ password that you stored in your password
vault.

~~~
paulddraper
That's true.

Though one of the purposes of having a password manager is managing large
numbers of disparate systems.

Whereas an SSH key is simply the authentication mechanism, and may or may not be
shared across large numbers of systems.

------
sdan
I'd still much rather stick with
[https://www.passwordstore.org/](https://www.passwordstore.org/). It's
encrypted with your keys (which I didn't see on Bitwarden's site) and has
plugins for Chrome/Firefox (you can set up keyboard shortcuts to fill in your
info automatically as well) and works with Git.

Although it is a bit of a hassle to set up on mobile devices (I use Pass for
iOS), the security and functionality it provides is worth it.

~~~
georgyo
I would argue that pass isn't that secure other than when your computer is
off.

Namely that it requires copy and pasting. Any program on your computer can
read your clipboard.

And for normal users, who are more vulnerable to phishing, there isn't
automatic domain checking. It would be their normal workflow to copy a
password into a malicious site.

~~~
sdan
If you install Browserpass for Chrome (there's an alternate for Firefox as
well) all you need to do is type in your keyboard command and it'll
automatically fill out your info for you on the website.

Meaning: suppose you go to gooogle.com instead of google.com; the extension
won't fill out info because it doesn't recognize you having a user/pass for
gooogle.com.
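
An added example (written for this page, not Browserpass's or Bitwarden's own code) of the check described above: an autofill decision that compares the hostname of the current page with the hosts saved on each vault entry. Matching is done on a label boundary, so a lookalike such as gooogle.com, or google.com as a subdomain of some other site, gets nothing offered. The vault entries and page URLs are constructed sample data; the registrable-domain shortcut is an assumption noted in the code.

```javascript
// Added example: how an autofill check decides whether a saved login may be
// offered on the current page. Constructed for illustration; not Browserpass's
// or Bitwarden's own code.

// Saved vault entries (constructed sample data). Each entry records the URIs it
// was created for; "match" selects how strictly the current page must agree:
// 'host' requires the exact hostname, 'domain' accepts any subdomain.
const SAMPLE_VAULT = [
  { name: 'Google', username: 'alice', uris: ['https://accounts.google.com/'], match: 'domain' },
  { name: 'Bank', username: 'alice', uris: ['https://online.examplebank.test/login'], match: 'host' },
];

// Extract the hostname from a saved or visited URL; returns null for anything
// that is not a parseable http(s) URL, so malformed input never matches.
function hostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.hostname.toLowerCase().replace(/\.$/, '');
  } catch (e) {
    return null;
  }
}

// Assumption: "registrable domain" here is the last two labels of the host.
// A real client should consult the Public Suffix List (e.g. for co.uk); this
// shortcut is enough to show the boundary check.
function registrableDomain(host) {
  const labels = host.split('.');
  return labels.length <= 2 ? host : labels.slice(-2).join('.');
}

// True only if pageHost equals domain or ends with "." + domain.
// The dot guarantees a label boundary: "notgoogle.com" and "gooogle.com" are
// not suffix matches of "google.com", while "accounts.google.com" is.
function sameDomain(pageHost, domain) {
  return pageHost === domain || pageHost.endsWith('.' + domain);
}

// Does one vault entry apply to the page being visited?
function entryMatches(entry, pageUrl) {
  const pageHost = hostOf(pageUrl);
  if (pageHost === null) return false;
  return entry.uris.some((saved) => {
    const savedHost = hostOf(saved);
    if (savedHost === null) return false;
    if (entry.match === 'host') return pageHost === savedHost;
    return sameDomain(pageHost, registrableDomain(savedHost));
  });
}

// The autofill decision: names of the saved logins that may be offered here.
function loginsFor(pageUrl, vault = SAMPLE_VAULT) {
  return vault.filter((e) => entryMatches(e, pageUrl)).map((e) => e.name);
}
```

The security-relevant behaviour is in `sameDomain`: a plain `includes` or a suffix check without the leading dot would let `gooogle.com`-style lookalikes or `google.com.attacker-controlled.test` match, which is precisely the phishing case the extension's domain check is meant to stop.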

~~~
judge2020
This is a basic feature of every password manager I've ever used.

~~~
lozf
Yes, he's just making the point to the GP that copy and paste is actually not
a requirement to use pass.

------
dev_dull
I’m a little put off by the login and service. It’s just one more thing that
can be shut down. Especially since iOS and Android allow syncing on remote
services such as Dropbox and iCloud (how it works in 1Password ver 6 and
below). There’s really no need for a centralized service.

Create the encrypted vault in your preferred cloud storage service and locally
and sync across all devices.

~~~
dangom
You are right. Yet hosting an encrypted 10kb for each user means that even if
Bitwarden had a million free users it'd need no more than 10GB of cloud space
to store all data. Consider syncing at startup or on adding new entries and
the number of requests is also negligible. Not really a service that the
company would ever have to cut to save money.

What makes you so sure that Dropbox and iCloud will never be shut down?

~~~
benhurmarcel
> What makes you so sure that Dropbox and iCloud will never be shut down?

They might, but then they’re trivial to replace and you have a backup.

------
alistproducer2
Given the requirements of self hosting, I'll just stick with KeePass. The
desktop and mobile clients are great and I can host them on my Nextcloud and
grab them over WebDAV.

~~~
christilut
You can self host Bitwarden or use the cloud version

~~~
alistproducer2
I should've been more clear. I don't host the clients; rather, I host the
databases. That's why I prefer KeePass - it's just an encrypted db which is
lightweight and the clients tend to be lightweight as well.

------
pkalinowski
I'm using Bitwarden and 1Password at the same time (private and company use).

1Password pros:

* very polished UI, pleasure to use

* good UX in general

1Password cons:

* I have constant issues with it losing connection with the browser. The extension just randomly stops working for a few days. Tried to fix it multiple times, never succeeded

* Price (too expensive for my private use)

Bitwarden pros:

* Free

* Very simple app, easy to use

* More reliable than 1Password for me

* Fills login pages quicker than 1Password

* Feels quicker and more snappy than 1Password

Bitwarden cons:

* Lacks 1Password polish, generally UX and UI needs some work

* Can't login using fingerprint on Mac

* Crashes on my iPad when trying to save new credentials (need to report it as a bug, but I didn't get around to it yet)

* Slow on Android

All in all, I'm very satisfied with Bitwarden and use it daily.

~~~
davefp
I have the same situation, Bitwarden for personal use and 1pass at my job.

1pass does a few things better (2FA, background agent so I don't have to log
into the browser and desktop app separately, general level of polish), but
apart from that they're largely interchangeable for me.

~~~
not_a_cop75
If everyone took your advice and used 1pass, then I doubt 1pass would be able
to defend itself against the coming hack attacks. I do say this in a bit of
ignorance, but they don't imho possess the resources to defend against the
complete list of cybercriminals out there.

~~~
amdavidson
Who do you suggest does have the resources?

Bitwarden is essentially the work of one person[0].

Are you suggesting that we only rely on Apple Keychain and Chrome password
sync due to their MegaCorp backing?

0:
[https://github.com/bitwarden/server/graphs/contributors](https://github.com/bitwarden/server/graphs/contributors)

------
dangom
Very interesting. Has anyone been using it as a daily driver and could comment
on safety, reliability and browser integration? How well do they behave
compared to e.g. 1Password?

~~~
dragosiulian
I’m a very happy user (Firefox and iOS). Switched from LastPass about a year
ago (found it on hacker news back then) and never looked back. I can’t compare
it to 1Password, since I never used it.

~~~
dorchadas
I switched from LastPass today, and already liking it a bit more. Not as slow
and doesn't slow down on forms, for one!

------
mwexler
Bitwarden has changed my life: it's the first password manager I can get my
family to use. The commercial ones all had ads or upsells that interfered with
the experience, while Bitwarden just worked. Props to this creation.

------
theta_d
I find it ironic that they claim "[s]ource code transparency is an absolute
requirement for software solutions like Bitwarden" on their website yet they
require SQL Server 2017, a completely proprietary RDBMS.

~~~
Unklejoe
I don't think it's that ironic.

All of the software written by "Bitwarden" is open source. The fact that it
uses some pre-existing proprietary software doesn't change that. If it did, then
that logic could really be extended to any piece of software written for
Windows.

~~~
theta_d
It's ironic b/c they claim source code transparency is an absolute requirement
yet they rely on something that is not source code transparent to store the
data.

You can write open source code for Windows all day long and it doesn't change
the fact that your code is open source.

However, to claim that you need transparency for your security product and
then build it on top of a proprietary storage engine is incongruent.

~~~
floatboth
Security requirements all apply to the client side. The storage on the server
doesn't matter. You could upload directly to the NSA and it will still be
fine.

Also, there are many server implementations other than the official one.

------
theferalrobot
For people who don't want to go through the trouble of self-hosting and also
don't want to pay for a subscription I have had pretty good luck with Enpass.

* It stores an encrypted file on a cloud storage platform of your choice (gdrive/dropbox etc) and syncs across devices.

* No subscription fees

~~~
itake
> Stores up to 20 items

How is this possibly a replacement for Bitwarden considering they don't have
any limits on the number of passwords for the free accounts?

~~~
theferalrobot
You pay once for cloud based sync instead of annually

------
strathos
I found the pricing to be a bit confusing. I'm self-hosting it now and have been
happy with it, but when installing for the first time I couldn't find how to
share some of the passwords with another user. Well it turned out that in
self-hosted instance you don't have that possibility to share to another user
without a paid license. Ok, fine by me so I bought the one year premium for
the self-hosted instance as from one of the tables in their website it said
that would be needed. So now I had the one year premium with all the nice
features but still I couldn't share passwords. Importing the license key to
create an organization (for sharing) failed every time. I contacted their
support and found out I had just misunderstood the pricing. To create an
organization you need an organization license, which was another roughly ten
euros a year. After buying that I had it working as I wanted. Their support
also gave the possibility to get money back from the unneeded personal premium
license as it wasn't needed for my use case, but I kept it as I found the price
to be quite ok.

So that might have sounded like a rant, but my only issue was that I didn't
understand the pricing for self-hosted. My one year is up soon and I will be
renewing my license as we've (as in me and my wife) been happy with Bitwarden.

~~~
chmars
In 1Password, you cannot share passwords at all …

(Sharing is useful if you set up new accounts for other users.)

~~~
sarb
Yes, you can. [https://support.1password.com/create-share-vaults-teams/](https://support.1password.com/create-share-vaults-teams/)

~~~
chmars
That’s vault sharing, not password sharing.

------
IronWolve
It's good for personal use, but enterprise features are weak/missing and the
layout isn't very enterprise ready. I tried their "Organizations" feature out
to see if I could deploy it at work instead of teampass, and it wasn't
comparable. They are still fixing and developing, so it might be enterprise
ready someday. It really is nice with all the addons.

I use the Bitwarden docker version for people to use, I have it installed,
but for my own use, sticking with KeePass.

------
jf
As someone who has used 1Password for many years, how does Bitwarden compare?

~~~
itake
I have been using Bitwarden because it's free for about 1.5 years. The UX
experience is so bad on both mobile and extensions. If the extension closes,
like when you copy the password and paste it into the box, it loses its
location, so you have to re-find the account, click on it, and then copy the
username. You get what you pay for.

~~~
viraptor
> If the extension closes, like when you copy the password and paste it into
> the box, it loses its location, so you have to re-find the account

That's not my experience. The account details stay open for me.

For me the UX is not amazing, but ok. A bit better than LastPass, a bit worse
than 1password.

~~~
itake
This happens to me on Firefox.

[https://recordit.co/QdK2FrRoYX](https://recordit.co/QdK2FrRoYX) I copy the
password, go to paste it in and it loses the selected account:

[https://recordit.co/jrvUFWCPkS](https://recordit.co/jrvUFWCPkS) Here, I go to
add an account. I generate a new password and then I try to paste it into the
text box to verify it meets the website's password rules. I then go back to
hit save, confirming that it worked and it loses the entry.

Sooo frustrating.

~~~
nightski
You can just right click on the text box and use the context menu to make this
task much easier.

~~~
itake
Ooh, that is a cool trick! But it doesn't work if you're looking for an account
that doesn't match the current URL (like if you created the account on the
mobile app).

~~~
jeroenhd
In that case it's simpler to find the right password entry, click edit on it
and add the current domain to the list of domains it keeps for the entry. That
way you won't need to mess with the copy/paste button.

I use Bitwarden myself and I only need the copy/paste button for stuff like
email and WiFi passwords. If you're manually copying and pasting data, you're
probably overlooking one of the many (sometimes not clearly indicated)
features Bitwarden has.

Hope this helps!

------
shelune
I changed from LastPass to Bitwarden. Have been quite satisfied with it so
far. The save suggestion was annoying sometimes but overall everything works
pretty fine.

Would recommend it to everyone in need of a password manager now.

------
brunoqc
I wish the Bitwarden mobile app would support multiple accounts so I could use
a server at work and another server for my personal stuff.

~~~
wideasleep1
I just sign in as another (email) user.

~~~
ViViDboarder
That would require logging out and back into the mobile client every time they
leave and start work... that’s pretty tedious.

~~~
wideasleep1
Not at all... a few clicks. Safer, as well... I use email addresses no one else
knows.

------
RHSeeger
Is it possible to migrate (export then import) data from bitwarden? I'd like
to sign up for a free account, and I'm wondering if I'd be able to move my
data to a private (bitwarden_rs) instance later.

------
rb666
Big fan of Bitwarden! I have tried almost all the password managers over the
last few years, and this is the one I finally settled on. Every previous one
had some element that bothered me or was principally wrong.

------
thatthatis
For business users, can a single password be stored in multiple “shared
folders” or groups?

For example, can I share a password with both “marketing” and “customer
support”

The lack of this is one of the biggest pains I have with LastPass

~~~
rolandboon
Yes, that feature is called "Collections". An item (login, card, secure note,
etc.) can be shared into multiple collections (only within one organization).
For each collection, per-user permissions (none, read, write) can be set.

------
thrownaway954
My only gripe with Bitwarden is that it only allows one login per website that
I've seen. At work we use DashLane cause you can have multiple saved logins
per website, which is a God send when dealing with multiple clients.

Bitwarden is great for personal use, but I can't use it at work cause of this
one missing feature. If anyone knows of a way to make it have multiple logins
per site, I'm all ears as I would love to get rid of DashLane and its
horrible Chrome extension.

~~~
thatsnotmepls
Are you saying that I can only have one saved account for say twitter.com?
That's definitely a killer for me.

~~~
ViViDboarder
I’m not sure what OP is on about, but I’ve got plenty of sites with multiple
logins just fine...

I’m using Bitwarden_rs as a server, but the official Apps all support it
great, so it would strike me as a surprise if the official server didn’t have
this ability too.

------
infinityplus1
There are no screenshots of the UI on the homepage. Adding them would be
helpful.

------
joe_the_user
You know,

I just had a thought. What I would like is a password-protected "password
notepad". When activated, it remembers the text of passwords, shows it to you
in text when you go to a website and then you type it into the site. (People
looking over your shoulder is a way overestimated danger; the password-hiding
thing dates to shared terminals.)

The thing I hate about password managers is I am afraid I would stop knowing
my passwords. This would allow me to remember my passwords since I would type
them each time.

I've only seen Firefox and Chrome's built-in password managers so maybe this
exists already. But it seems a decent way to do it.

~~~
gregmac
> The thing I hate about password managers is I am afraid I would stop knowing
> my passwords.

That is a feature. The handful of passwords I know are mostly long
passphrases. The rest are long random strings, generally up in the
30-something character range.

In fact, I don't even know some of my logins anymore: I will use or at least
append random characters to most accounts that don't have any 'social'
functions (that I care about). I also use a unique email per site.

If an account is compromised, it's got a very low chance it'll even connect to
another account I own (at least not without human interpretation), and zero
chance of helping with cracking any of my other passwords (other than hinting
you can skip guessing anything <30 characters).

I have backups of my password file, I have email recovery (to a domain I own)
- knowing individual accounts is just unnecessary.

~~~
snypox
How do you have unique emails per site?

~~~
ashton314
Not OP, but just a guess: you can use tags in your email (add
`normal-email+tag-here@domain.org`) and it should go to the same location. If
you host your own mail or have your own domain with an… M record? I don’t
know—then you can easily create as many emails as you want and forward them to
other accounts.

~~~
stinos
Some overly strict checks on some websites don't allow tags, but if you host
yourself there's also the possibility to use `normal-email@whatever.domain.org`.
Pretty convenient for filtering.

