- it's FOSS, and audited, so it's software I can trust
- great UX on Firefox, Chrome, and even Edge. I had my issues, but the project improved them away very quickly.
- sharing support for families or organizations.
- convenient standalone clients for win/Mac/Linux... And even the CLI.
- built in 2FA code generation for each entry, so I don't need a separate app for that.
- the best autofill I've experienced, on desktop browser and even on mobile(!)
- open API so there are third party clients available
- the lead developer is super responsive on GH, so I've been able to contribute.
- cheaper than the alternatives (at least at the time), and I feel good about where my money is going.
I can't recommend it strongly enough. It's one of the OSS applications that has a permanent place on all my devices, right up there with Firefox Quantum in my "great examples of OSS" list.
"Catching" one 2FA code doesn't let you compromise someone's account.
Losing (or having compromised) the hardware running your password manager while that password manager is unlocked is a totally different thing from logging into a web site once from a library computer.
However, not having the TOTP key in your password manager would also protect against malware on your machine running the password manager from gaining access to your account.
It's less secure than a dedicated device for storage of the 2FA secrets and code generation, sure, but I don't see how it's any less secure than using a service like Duo to manage and sync your secrets.
Furthermore, I'd argue it's substantially more secure than the recovery process for almost all of the services I use, most of which offer an option to reset by SMS.
Finally, keeping your 2FA secrets in your password manager is very likely not to change the attack surface for most people anyhow, as most people keep their recovery codes in their password managers as well.
My three points then were:
1. A stand-alone desktop app. Quite annoying to have to open up a browser every time I want to access a password. Basically, it's as inconvenient as Keychain on OSX if you're not using a browser when you need login info. This could be solved if the browser plugin popup could be persisted as its own window.
2. iOS app is not polished. Not sure about Android app as I've not used it. (* biggest problem then was how slow search was. It has been improved, although it's still nowhere near as fast as 1Password's.)
3. In the Safari extension, I would love to be able to search and use item entries that are not specific to the domain. Sometimes, I have other info in secured notes or password entries without a domain that I want to get to from the extension. In these cases, I've had to leave the browser and open the actual app to get access to them.
I just migrated from Bitwarden to 1Password a few days ago and have been much happier since—especially with 1Password's ability to generate 2 factor tokens and put them in your pasteboard automatically so you don't ever have to pull up an Authenticator app!
> Especially with 1Password's ability to generate 2 factor tokens and put them in your pasteboard automatically so you don't ever have to pull up an Authenticator app!
Bitwarden also does this.
I still felt its sluggish performance on launch/search/sync was slowing me down a lot throughout the day.
I recently switched (maybe 5 weeks or so ago) from 1Password to Bitwarden, after finding out about it on HN. I imported ~400-odd logins from 1Password, and I honestly don't find it any slower than 1Password.
I did notice that with Discord, both 1Password and Bitwarden now integrate with the new iOS password APIs.
IIRC from their GitHub issue threads, Bitwarden is using Xamarin, and performant UI has been a consistent struggle with many login entries.
Bitwarden's support via IRC/gitter was exceptional when I was experiencing issues with it. Not only did they fix the problem, but they provided a custom build for me with more verbose logging enabled and worked with me directly to figure out what the issue was. It was fixed in a couple of hours and I was able to run the patched build without issue until the fix had been merged and released.
Also, having combed through my entire catalog by having to manually import Bitwarden to 1Password, I’ve realized all those random startups I’ve made a login for or various sites for applications (job/school/etc) really add up quickly!
I have over 1500 entries in my password manager. That's the result of using it for years and having every single account I signed up for registered in it. Including random forums I only ever posted once for support. So yes, people can have more than 100 entries in their password manager.
I switched from LP to Bitwarden because I didn't trust LP anymore. It's fine but I find the autofill very dumb (it will usually overwrite your password or random fields in various forms), and it doesn't do subdomain matching well. Search or just opening the extension (on Firefox) is sluggish, and the Android app is very slow (open and search). Automatically putting the 2FA in the clipboard has never worked for me either (Firefox on Linux). But I'll keep using it anyway because it's FOSS and not LP. You can even self-host your instance if you like.
As far as a desktop app, it's electron-based, but there is a cross-platform Bitwarden app that seems to work well enough (responsive, minimizes to tray, etc).
I've yet to import all my passwords into Bitwarden (still comparing the Ruby, Go, and Rust standalone server implementations), so I guess we'll see where the experience is after I fully switch.
Regarding 2FA, while it doesn't totally expose you, if you put your token in your PW manager, you've definitely significantly weakened your security.
...and it works great. Same as 1Password X for Chrome, it does not require a desktop app, and handles certain things like TOTP a bit more seamlessly.
I can't speak to the iOS or Safari versions, but it's just AngularJS underneath the FF extension, so I imagine it's quite similar to what I've used. And I quite like the UX.
And Bitwarden has included a 2FA generator for at least a year.
[ed: here it is
Seems a little more gnarly for scripting than pass (pass leverages gpg-agent for getting a passphrase/keeping a "session"), but it might work for my primary need: simplifying VPN logins.
It looks like they have a native desktop app for Win/Mac/Lin?
I use it to manage over 300 passwords and other sensitive blobs of text (it lets you save arbitrary text snippets) and also has some nifty quality of life features like auto-copying a password to your clipboard for 30 seconds when you want to access a specific password.
- It doesn't encrypt the paths to the passwords
- It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password
- It doesn't work with (Update: X.509) smartcards/gpgsm
- It's written in bash. That has pros and cons...
You can use multi-line passwords with the -m flag without leaking any information in the path.
You can put whatever you want in the password entry, in whatever text format you want.
So you can save an entry like this:
Secret API key: abc123
It's also really smart about what happens when you copy that entry to your clipboard. It will copy just the first line for easy password pasting.
There's a demo of me using it to store AWS credentials in this write up: https://nickjanetakis.com/blog/managing-your-passwords-on-th...
> - It doesn't encrypt the paths to the passwords
Yep, but the upside is you have tab complete in your terminal for accessing your passwords.
If you planned to put it up on github you could always encrypt the folder / file names using https://github.com/cryptomator/cryptomator or a comparable tool. I don't publish my pass fields on my public github account, so I never ran into this problem.
Only the first line of an encrypted file is considered to be the password. So you can just put your username or any other account-related information on the following lines.
To elaborate: One of the problems with this approach is that it may leak websites where you have accounts to people who gain access to your pass repo/directory even without gaining control of your gpg key.
> - It doesn't work with smartcards/gpgsm
What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?
> Only the first line of an encrypted file is considered to be the password. So you can just put your username or any other account-related information on the following lines.
I didn't know that. But what I would have preferred was copying the username with one command and copying the password with another.
>> - It doesn't work with smartcards/gpgsm
> What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?
I haven't tried that with a YubiKey, but with a corporate X.509 ID card. And that needed gpgsm. I had to patch pass in order for it to work, because gpgsm uses different parameters than gpg.
SQL Server 2017, really? Interesting choice. Open source but we have to pay licenses for the database if we want to self host. I wonder what was wrong with PostgreSQL or MySQL even if they're using .NET Core as a language.
Edit: there is an issue for that https://github.com/bitwarden/core/issues/10
As Bitwarden states in the core readme (https://github.com/bitwarden/core#requirements) "These dependencies are free to use."
And if you lookup the licensing on MSFTs website (https://www.microsoft.com/en-us/sql-server/sql-server-2017-p...) you can see that the SQL Server Express version is free.
Note: No, I'm not an MSFT employee and not related in any way to the mentioned company. I'm just a (not so regular) human being who first looks up information before posting statements.
The README requires SQL Server so I might be excused thinking that it would work only with that software. Nice to know that it does work on the free version too. I googled and looked on MS site and didn't find out if SQL Server Express exists for Linux too, but I'm on my phone right now. I only managed to involuntarily download a .exe :-)
There you go:
Basically, my flow chart for DB selection:
Do you have an enterprise worth of money to burn on the deployment and maintenance? Oracle.
Are you deploying to Windows? MSSQL.
Even then I'd actively try to avoid it.
Source: three years installing, configuring and supporting it.
†: Now that I've used it twice, I move that we make an "enterprise worth" a unit of measurement of money, like a "Library of Congress" is a unit of measurement of storage.
It all sounded really good until this point. I was even going to say you could add support for Postgres, but I don't know a lot of open source devs who are using .NET.
Yes. See the list of compatible clients on the page: https://www.passwordstore.org/#other
I personally use it on android happily.
> Can I share with my team?
Yes. Just encrypt to multiple gpg ids, which can be customized per folder as well with a simple list in the ".gpg-id" file.
I admit that you can only use it as such with tech-savvy team members. If you want usability such that non-technical people can work with it, you'll likely want something else, like 1password.
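Two pass conventions come up in this thread: the entry layout (first line is the password, everything after is free text) and per-folder sharing via `.gpg-id`. The block below is an added illustration, not pass's own code, and does no encryption; it parses an already-decrypted entry and reproduces the recipient lookup pass performs (nearest `.gpg-id` walking up from the entry's folder to the store root) on a constructed temporary store with placeholder key ids. Remember that the entry paths themselves stay in cleartext, which is the leak discussed above.

```python
import os
import tempfile


def parse_entry(decrypted: str):
    """pass convention: line 1 is the password; later lines are free text, often 'key: value'."""
    lines = decrypted.splitlines()
    password = lines[0] if lines else ""
    fields = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)  # split once so URLs keep their scheme
            fields[key.strip().lower()] = value.strip()
    return password, fields


def gpg_recipients(store: str, entry: str) -> list:
    """Mirror pass's lookup: nearest .gpg-id walking up from the entry's directory to the store root."""
    store = os.path.abspath(store)
    directory = os.path.dirname(os.path.join(store, entry))
    while True:
        gpg_id = os.path.join(directory, ".gpg-id")
        if os.path.isfile(gpg_id):
            with open(gpg_id) as fh:
                return [line.strip() for line in fh if line.strip()]
        if directory == store:
            raise FileNotFoundError("password store has no .gpg-id")
        directory = os.path.dirname(directory)


def demo_store() -> dict:
    """Constructed store: root encrypted to alice only, 'team/' to alice and bob (placeholder ids).
    Note the directory names (team/vpn, personal) are visible to anyone who can list the store."""
    store = tempfile.mkdtemp()
    os.makedirs(os.path.join(store, "team", "vpn"))
    os.makedirs(os.path.join(store, "personal"))
    with open(os.path.join(store, ".gpg-id"), "w") as fh:
        fh.write("alice@example.com\n")
    with open(os.path.join(store, "team", ".gpg-id"), "w") as fh:
        fh.write("alice@example.com\nbob@example.com\n")
    return {
        "personal/mail.gpg": gpg_recipients(store, "personal/mail.gpg"),
        "team/vpn/corp.gpg": gpg_recipients(store, "team/vpn/corp.gpg"),
    }
```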
I run passff to get Firefox to use it, and Android-Password-Store on my phone.
A great plugin is pass-otp; using this I have migrated the storage of all OTP secrets from my phone to pass. And then I export it from pass to my phone. That way I still have my OTP secrets if I lose my phone and don't have to hassle with recovery of accounts just because of losing the phone. For sure the OTP needs to be changed at that point, but still worth it.
It's also worth mentioning that browserpass integrates pass-otp, so whenever I log in to a page (that has an OTP secret) using browserpass it shows a little box in the top right corner with the current OTP code that I can copy-paste to the site.
Our secure cloud syncing features allow you to access your data from anywhere, on any device! Your vault is conveniently optimized for use on desktop, laptop, tablet, and phone devices.
What about your own server?
> Each Bitwarden installation requires a unique installation id and installation key.
If I’m self hosting, I want it to be independent of the code provider. It is bad enough, to me, that I have to pay a subscription fee to self-host “advanced” features like Yubikey auth. That’s the same kind of annoying that my own install still must link to their server that can die at any moment.
Let me buy the software to self-host with all of the features. The “subscription” and “integrated” mindset has no place in “I’m doing it myself” installs.
With software like a password manager, if it's not actively maintained you're not going to want it anyway. So the same risk of the developers either discontinuing the product OR changing the pricing model applies just about evenly.
Being open source, at least the community can fork and maintain the software if the developers ever did throw in the towel, similar to TrueCrypt's forks.
It's maybe not as feature rich as other password managers, but it is being actively developed and the few times I had questions I got a quick response from Kyle (the creator).
If you think it matters where the data is stored (which shouldn't matter because it should be client side encrypted), running your own server would also be a risk. Because you cannot possibly have the same resources to monitor your server/router for suspicious activity...
By separating the storage of passwords, we drive down the economic interest in breaking into any one of the individual baskets.
Since it's all my own equipment and I have a background in this sort of stuff, I know what I am looking for when it comes to intrusions.
What is essentially a small CRUD app with encryption requirements shouldn't need 2G just for a database app.
"HOST IT YOURSELF
Don't want to use the Bitwarden cloud? You don't have to. With Docker you can easily host Bitwarden's entire infrastructure stack on the platform of your choice."
95% of my usage is in the desktop browser, and the UI of their add-on is great, IMO.
LastPass had been getting worse for some time, and their shuttering of Xmarks finally left me with no good reason to stay.
Using the add-on with Firefox on my phone is reasonable, although could be a bit better. Phone experience in general I'd say is also quite reasonable - not used it that much yet, but I think it is quite comparable to other offerings.
To solve this problem I'm working on FejoaAuth (https://fejoa.org/fejoapage/auth.html). FejoaAuth uses an authentication protocol that does not leak the user password to the provider who is going to store the password manager. This protocol is run in a trusted browser plugin in order to ensure the correct execution of the protocol. Thus you can use a single password for authentication and password manager encryption.
I recently picked up a Pixelbook and have gone all in on ChromeOS. It's replaced my MBP. But unfortunately, that meant parting ways with 1Password.
I needed a new password manager with the following:
- TOTP support (have since decided not to use this)
- A web UI
- iOS app with Face/Touch ID.
I tried the 1Password subscription but 1Password X just felt too clunky and I wasn’t in love with storing on their server.
Keepass/XC/whatever was a hot mess for me. I really wanted to use it and the idea of keeping and syncing a single db file still really appeals to me, but the ecosystem is such a mess. I tried running a self hosted container for Keepass Web but I kept having to enter a Dropbox API key on every client. I also couldn’t find an iOS app that supported Face ID or the option for storing TOTP. Maybe it’s a better experience on Android. On top of that, the UI was pretty jarring all around.
Bitwarden still has some work in the UI department. The lack of keyboard shortcuts and a native app adds some resistance but it’s manageable for me.
Works pretty well, I use "Keepass2Android Password Safe" and it supports the newest APIs to enable fully automatic filling once you tell it which app belongs to which account. For syncing I use my own nextcloud server.
Because it is not open source, we must take statements like the following purely on faith in their PR department, rather than being able to independently verify:
"Indeed Enpass is an offline password manager and saves your data locally on your device and in any case, we do not (and we can not) access any of your data. But yes, Enpass does connect to the internet with the sole purpose to give best user experience."
I'm sure they're really nice people, and do their best, etc, etc, but passwords are the linchpin crown jewels. Enpass could secretly and instantaneously become bad actors or incompetent stewards of said crown jewels, and we wouldn't know, since we cannot see what they are doing. One of many risks I would not take.
Please correct me if my search-engine-fu is weak today, but I can find no official Enpass open source repos or code anywhere.
There are quite a few comments from paying customers, who were locked out of their data. According to timestamps, Enpass team successfully ignored these comments for months.
Perhaps this should be mentioned whenever Enpass surfaces as an option...
Sorry, it doesn't count as open source if everyone needs your permission to run it.
How are they violating your privacy?
Enpass is good, but it's proprietary too.
Brave bundles their extensions, and have gone months between updates in the past. Be aware of that if you use it, as it's a potential security issue with a password manager.
> I wonder what the browser support on Android is like.
Android support is excellent. The only nagging issue I had was that the "URL" for an app is usually something like "com.github", while the URL stored in the login is "github.com". Bitwarden is good about partial matches, so it's rare that I had to search for the login I wanted.
> LastPass seems to work only on Chrome on Android, but I like to use Firefox, Opera, and Samsung's optimized browser.
I moved off Android a few months ago, but I was using Brave and Bitwarden integrated seamlessly. It ties in to the "accessibility" framework I think, and offers an option in the system dropdown menu when a login is detected.
It is also possible to define how a URL is matched which is a nice feature too.
Honestly it feels like a dead project. It's not, but it's lacking in resources and the devs are lacking in time from what I've been able to gather from the issue tracker.
I do sometimes worry I'm one Nextcloud update away from losing access to my passwords, as a recent one did mess with the interface a bit; it's still functional but some UI elements are misaligned.
I've been considering switching to Bitwarden for a while. Its interface is much nicer, and more polished.
I've mostly been waiting for one of the alternative API implementations to mature a bit, because I don't want to have to run a big honking MS-SQL container on my little VPS.
I'm also going to have to write my own importer, or mangle the data a bit, because the CSV format for Passman isn't compatible with any of the import formats for Bitwarden.
Or maybe I'll just give up and migrate to pass or gopass (https://www.gopass.pw/, worth looking at if you like pass). I think I want too much from my password manager =/
Also, OSS does not mean secure. Without audits from security experts, I can’t trust it.
Bitwarden is objectively less secure than 1Password or KeePass actually, at the very least because it doesn't have a desktop application.
From the linked page (https://bitwarden.com/)
If you are hosting it on your private server does it change your outlook on its security?
I do not have the inclination or resources to secure and keep my server up to date, unless we are talking about a periodic "apt upgrade" that I could configure to run automatically, but no more than that. And at the very least I know how to reasonably secure a Linux server, at least initially.
If running your own server gives you peace of mind in terms of security, then read more about how security works and the threat model you'll face. Just to give an obvious example ... running your own WordPress is one of the worst things you can do on your own server, putting your whole server at risk, not just your website.
My personal experience says this is 100% true.
Even when I've managed to stay on top of WP updates, my server is invariably targeted by automated attacks more often than others that are hosting static sites and other frameworks. I strongly suspect that attackers maintain lists of server addresses that host WordPress sites and use that to make assumptions about their running services. If they know that it's a "self-hosted" webserver, even if they can't break WordPress there's a very good chance that some other unpatched vulnerability exists.
I don't know about this argument. On the one hand you can configure something as secure as you like/can, on the other hand you have to trust other people to do their best. If you don't trust them with your passwords, you would also not trust them to do their best.
If you host yourself a paranoid me would host their instance accessible only inside a stable VPN xor by tunneling a port via SSH.
OSS can often mean less secure. Unless you have the capabilities to fully audit the software you shouldn't fully trust OSS... unless it has an external audit.