There's compatible Bitwarden server written in Rust called bitwarden_rs[0] for those who don't want to run the official Docker image with the requirement of Microsoft SQL Server and the demand for 2GiB of RAM.
For reference, my single-user bitwarden_rs deployment, in use for about a year and with twenty days of uptime since I last updated, is currently idling at 14MB of resident memory and 1m46s of CPU time (read: basically nothing, average of 0.006%). 14MB is also its installed disk footprint, plus less than half a megabyte of data.
Haven't used the official server, but I've been using the official clients with bitwarden_rs without issues for the past week. So I'd guess its a complete reimplementation.
I'm not talking about API compatibility so much, but I think I read somewhere that you need to get a license even if you use a custom server. So all the custom server gives you is it decouples you from the main service.
Do you get TOTP support and Organizations on your custom server for free?
EDIT: I just tried it, and yes, you do get (at least) TOTP support for free. Haven't tried orgs, but I'm going to convert it for Dokku now and host it somewhere as a backup plan.
I think you still need to pay. Data is brokered through the official bitwarden servers (I think), so things like teams will still require payment to use. I'm not 100% sure though, so I could be wrong.
No, bitwarden_rs has nothing to do with the official servers; it’s a full backend, using a database of its own, SQLite by default. As regards normally paid features, it essentially just tells any frontend “yes, the user has paid” and proceeds to implement the feature itself.
Decent for development, not great for production. My experience has been that the things you would pay the license fee for ( e.g. transactional replication) aren't there yet.
I just set up my own Bitwarden server the other day using bitwarden_rs, a third-party implementation written in Rust.
It basically gives you all of the premium features for free, as opposed to the official server which requires a license.
I really wanted to run the official server, but they offered no option of a lifetime license (only a yearly license). For what it's worth, I would have been willing to pay a lot more for a license that never expired.
The whole reason I'm hosting the server myself in the first place is because I want _full_ control, so a subscription based license doesn't really fit well there.
Given that the project is licensed under the GPL, the license is effectively a donation anyway, so I hope they consider offering a lifetime license for those who want to self-host.
We've been using Bitwarden at work, the Teams plant, paying $15 per month, or $180 per year for 10 users. The only reason for why I picked it is its open source nature, otherwise I would have gone for 1Password Teams.
The pricing is odd. For example you can't self host it yourself without paying for a license. The code is AFAIK open source, so you could maintain your own fork with the required code branches removed, if you wanted to. I do hope the author doesn't pull a bait and switch, after enough users go down this route. Don't get me wrong, I'm actually not looking into hosting it myself, I'm glad to pay for a hosted service, but with open source I want that possibility to be there and I don't want licensing per user for self-hosting either.
And currently I like what the author has been doing. Adding some code in there that makes it require a license, but that you can remove, is totally fine. But I'm seeing more and more open source apps turning proprietary nowadays and I don't look kindly to such bait and switches, because I end up using those apps because they are open source. Like it is the case for Bitwarden, otherwise there are often better proprietary options available.
From a usability standpoint, Bitwarden is unfortunately inferior to 1Password in every way. But it works fine for our purposes, for now. And Bitwarden is better than LastPass in case you're wondering, even if it has some missing features.
The official servers are slow. I just had multiple login failures. I'm assuming that it's experiencing issues due to being featured on HN right now, but this isn't the first time that it's happening.
But as long as it is _open source_ and as long as it does a reasonable job, then I'll keep supporting it. Because I'd rather pay for open source solutions.
If that guy gets hit by a bus and if the app is useful enough (and it is), then a fork will happen. And I can always do some contributions myself. And if I'm wrong and that fork doesn't happen, then nobody (with resources) wants it, in which case might as well let it die.
The bus factor for open source stuff is great, even with zero contributors at any point in time.
In contrast when a proprietary app gets killed (either due to acquisition or b/c it's not profitable) then it's gone for good. If a proprietary app changes, to include ads or anything that you don't like, there's absolutely nothing you can do but switch to something else or bend over.
I've switched from KeePassXC, stored on my Google Drive with an offline key file, to BitWarden last month. I previously was a customer of LastPass and switched to KeePassXC after being tired of LastPass' UI mess.
Anyways, BitWarden works absolutely flawlessly. There are a few things here and there that I'd wish it had, like the ability to create templates for custom categories, but apart from that, it does an amazing job. The websites autocomplete works really well, and I was pleased to see that I can unlock my vault on my phone with my fingerprint reader.
Migrating data from KeePassXC to BitWarden went smoothly. I took a moment to clean my database and reorganize a few stuff. The database takes a bit of time to load, but nothing that's a real bother.
The only thing I don't store in BitWarden is the 2FA TOTP I use (mainly Google Authenticator) as I feel it breaks the entire concept for 2FA. I've seen people on HN do it, but to me it just feels wrong.
I currently use KeePassXC and think it's great. What made you switch? BitWarden seems interesting but it's not completely free and you'll need their servers (or you can set one up yourself). Granted I also use Google Drive to sync my KeePass db so I'm also using someone else's servers but
I've been considering changing that to syncthing to cut out the server.
I'm also curious about the same thing. Ever since I started using KeePassXC's autotype feature, I haven't been able to go to any other password manager. Even with the degraded mobile options and having to build my own syncing with things like rclone.
Does Bitwarden have that autotype option? If not, I'm wondering how difficult it would be to build it myself, if only for the desktop clients.
I reviewed Bitwarden for use in my company a few months ago. I discovered that there was no way for an admin to allow the recovery of an account (i.e. allowing a master password reset). This is a non-starter in my organization since some small percentage of the users will forget their master password.
Has anyone else been successfully using Bitwarden in a team setting? If so, how do you work around the limitation I mentioned and other such things?
With Bitwarden the personal account is separate from the shared Organization account.
If a user forgets his/her password, then you can always create a new account. All the collections belonging to the organizations will be there. The personal stuff is lost, but you can argue that the personal items don't belong to the organization.
Also the same user account can belong to multiple organizations. The model is different from say 1Password, where the app can login into multiple accounts.
I suppose it's for the same reason as why you cannot reset your forgotten private SSH key.
Secrets are only stored encrypted, and the key is derived from the master password, not known to any admins. Cracking the admin account or the entire server gives the intruder very little.
So, it's a feature. You may not want this feature, though.
> you cannot reset your forgotten private SSH key.
You can though. If you lose your private SSH key, you regenerate it, and the server admin resets your public key. Zero data loss.
I think the better analogy would have have been a disk encryption key. But note that consumer facing encryption tech (Mac, Windows) generally doesn't stick to "user forgot key = user lost data".
> So, it's a feature. You may not want this feature, though.
Yeah, I must agree I do not want this.
I understand it is more secure but it is also more user hostile.
I'll take the risk of a compromised admin (assuming strong password and TFA of course) over "sorry you lost all your data."
Data integrity is just as much a part of security as data privacy.
> If you lose your private SSH key, you regenerate it, and the server admin resets your public key. Zero data loss.
This is exactly the same data loss as when you lose your master password.
Just like you store multiple passwords in your password vault, your SSH key can give you access to multiple servers.
If you lose it, you have to "reset" your public key on _every_ server, just like you have to reset _every_ password that you stored in your password vault.
Though whatever data is "lost" in a password manager is usually recoverable; each password could be individually reset in each website. True though that it's a pain.
Unless the admin has access to all the places where your public SSH key was used, and reinstate the access for you, it's not going to help.
By the same token, if the admin did not have access to all the sites and your passwords, the admin can set a new master password, but cannot restore the access to the sites.
One of my previous companies required everyone to share their TrueCrypt keys with the IT dep. for this same reason (smallish company so it was manageable from their end).
The rationale for it not being a privacy violation, which was a concern that came up a couple of times, was that the machines were company property anyway.
The physical machine is company property. But some of the data may not be. Healthcare information for example, even though they pay for it it's still not their data.
Our company has to be very careful about that kind of stuff. Because once you have it you own it and you're responsible for it. Our ATP system, for example, scans for credit cards and SSNs in user and shared directories, sends us an alert and we ask the employee to remove it.
We use 1Password for all work related passwords because we can recover personal passwords. I use Bitwarden for my personal passwords because it is not related to work and cannot be recovered.
I'd still much rather stick with https://www.passwordstore.org/. It's encrypted with your keys (which I didn't see on Bitwarden's site) and has plugins for Chrome/Firefox (you can setup keyboard shortcuts to fill in your info automatically as well) and works with Git.
Although it is a bit of a hassle to setup on mobile devices (I use Pass for iOS), the security and functionality it provides is worth it.
I would argue that pass isn't that secure other than when your computer is off.
Namely that it requires copy and pasting. Any program on your computer can read your clipboard.
And for a normal user who are more vulnerable to phishing, there isn't automatic domain checking. It would be their normal work flow to copy a password into a malicious site.
If you install Browserpass for Chrome (there's an alternate for Firefox as well) all you need to do is type in your keyboard command and it'll automatically fill out your info for you on the website.
Meaning:
Suppose you go to gooogle.com instead of google.com, the extension won't fill out info because it doesn't recognize you having an user/pass for gooogle.com
Dude if your clipboard is untrusted in your threat model then you have bigger problems. Any program that is reading your clipboard could also be logging your keys, watching your webcam, recording your screen, or exfiltrating your files.
The clipboard is extra vulnerable. It requires no privileges at all to read. Up until very recently, JavaScript in your browser could pull content directly out of your clipboard.
Even beyond that, copy and pasting is training users to copy and paste. This is an even bigger threat imho. There is no layer of extra validation.
Can't any program on your computer also just keylog your master password and get your whole database? That's worse than getting individual passwords from the clipboard.
Hmm, what if a malicious program modifies your PATH (or creates a bash alias) so that whatever command you use before you enter your master password is now replaced with a backdoored one?
You should specify the full path to the real "pass" when you configure the browser extension. This is a very common problem—with a known solution—in shell scripts since forever.
In this case, Pass is probably not the right solution for you. It's a bit hard to setup keys and then share them over Git... which is most likely a bit too complicated. This being said, QtPass is a GUI for Pass, but not the best when compared to stuff like Bitwarden (presumably, haven't used it) or Lastpass.
I’m a little put off by the login and service. It’s just one more thing that can be shut down. Especially since iOS and android allow syncing on remote services such as dropbox and iCloud (how it works in 1Password ver 6 and below). There’s really no necessary need for a centralize service.
Create the encrypted vault in your preferred cloud storage service and locally and sync across all devices.
You are right. Yet hosting an encrypted 10kb for each user means that even if Bitwarden had a million free users it'd need no more than 10GB of cloud space to store all data. Consider syncing at startup or on adding new entries and the number of requests is also negligible. Not really a service that the company would ever had to cut to save money.
What makes you so sure that dropbox and icloud will never be shut down?
I use codebook which allows syncing directly between devices, to a local folder, to Google Drive, or to Dropbox. It doesn’t have Linux support though.
I’ve been really happy with it, and it’s a one-time cost (per device though). The company who makes it also makes an open source encryption layer for SQLite.
Given the requirements of self hosting, ill just stick with keepass. The desktop and mobile clients are great and I can host them on my nextcloud and grab them over WebDAV.
I should've been more clear. I don't host the clients; rather, I host the databases. That's why I prefer keepass - it's just an encrypted db which is lightweight and the clients tend to be lightweight as well.
I'm using Bitwarden and 1Password at the same time (private and company use).
1Password pros:
* very polished UI, pleasure to use
* good UX in general
1Password cons:
* I have constant issues with it loosing connection with browser. Extension just randomly stops working for few days. Tried to fix it multiple times, never succeeded
* Price (too expensive for my private use)
Bitwarden pros:
* Free
* Very simple app, easy to use
* More reliable than 1Password for me
* Fills login pages quicker than 1Password
* Feels quicker and more snappy than 1Password
Bitwarden cons:
* Lacks 1Password polish, generally UX and UI needs some work
* Can't login using fingerprint on Mac
* Crashes on my iPad when trying to save new credentials (need to report it as a bug, but I didn't go around to it yet)
* Slow on Android
All in all, I'm very satisfied with Bitwarden and use it daily.
I have the same situation, Bitwarden for personal use and 1pass at my job.
1pass does a few things better (2FA, background agent so I don't have to log into the browser and desktop app separately, general level of polish), but apart from that they're largely interchangeable for me.
If everyone took your advice and used 1pass, then I doubt 1pass would be able to defend itself against the coming hack attacks. I do say this in a bit of ignorance, but they don't imho possess the resources to defend against the complete list of cybercriminals out there.
Very interesting. Has anyone been using it as a daily driver and could comment of safety, reliability and browser integration? How well do they behave compared to e.g. 1Password?
I’m a very happy user (Firefox and iOS). Switched from LastPass about a year ago (found it on hacker news back then) and never looked back. I can’t compare it to 1Password, since I never used it.
I switched from 1Password to bitwarden. I feel like the browser plugin is a better experience for me. At work I set it to require 2factor to authenticate to use and at home only require my password. On my iPhone it uses faceid or thumb depending on phone model.
Switched to it after the most recent data problems with LastPass. It’s pretty good for me overall. The app and browser plugins are very similar but you do drop the icon on the right of text fields you can click to auto fill (There is an auto fill option but it’s in beta and slightly buggy). Overall though, I’m happy with it especially since it’s open sourced.
Me too. Also, there are some sites where LastPass could never manage to find the login fields and didn't fill them correctly or at all. I've yet to see Bitwarden screw this up.
I use it daily on Linux, Android, and OS X (Firefox on both desktop platforms). It works great for me. My wife and I share an "organization" that holds credentials we both need (banking, etc).
> The bitwarden_rs server does not support multiple users
I'm confused by this. I'm running bitwarden_rs and I have two users? Perhaps they just recently added support for multiple users? I've only been running it for a few weeks.
Nope, not recent. I’ve been using it for about nearly a year and it’s supported multiple users the whole time. Not sure what OP is referring to.
Edit: I should note, I’m talking about Bitwarden_rs. Maybe the official one doesn’t? That’s be strange though given it supposedly the same one the hosted version is running with a license lock on some features.
Browser integration is great. There a a few sites in which it can't autocomplete, and I wish I had the ability to "program" it like you can do on KeePassXC. In KeePassXC, you can specify a chain of commands in a string, with hardcoded elements, like "{USERNAME}{TAB}1979-05-22{TAB}{PASSWORD}", and it's really good. The Android app work really well too.
Apart from that, it's been audited, and praised on HN multiple times.
100% my favorite function of KeePassXC right there. It's unfortunately not very well highlighted in their docs even though it's the killer feature which keeps me with KeePass databases.
Love it. By far the best fully cross-platform experience (including Linux) of any alternative, with great independent self-hosted server implementations.
They've done an external audit, and I've studied the architecture, but other than that I can't speak for it's safety. But it seems legit in all ways I can imagine.
As for reliability and browser integration it's much better than anything I've tested prior. Works great on all platforms I use.
I use on Mac (Firefox & Safari) and iPhone, wife uses on Mac (chrome) and Android. Neither has had any issues in the past year and a half outside of mild confusion about the new Safari extension after Apple removed support for the old extension format.
I'm a moderately happy user, no issues here. I switched from KeePass because the latter didn't have good browser integration, but if that got better since I last saw it, I wouldn't switch now.
Bitwarden has changed my life: it's the first password manager I can get my family to use. The commercial ones all had ads or upsells that interfered with the experience, while Bitwarden just worked. Props to this creation.
I find it ironic that they claim "[s]ource code transparency is an absolute requirement for software solutions like Bitwarden" on their website yet they require SQL Server 2017, a completely proprietary RDMBS.
All of the software written by "Bitwarden" is open source. The fact that it uses some pre-existing propriety software doesn't change that. If it did, then that logic could really be extended to any piece of software written for Windows.
It's ironic b/c they claim source code transparency is an absolute requirement yet they rely on something that is not source code transparent to store the data.
You can write open source code for Windows all day long and it doesn't change the fact the your code is open source.
However, to claim that you need transparency for your security product and then build it on top of a proprietary storage engine is incongruent.
Security requirements all apply to the client side. The storage on the server doesn't matter. You could upload directly to the NSA and it will still be fine.
Also, there are many server implementations other than the official one.
> they rely on something that is not source code transparent to store the data.
They rely on it to store encrypted data.
If I recall correctly they use an authenticated aes cipher - and the Free software part can verify that correct data is read back (ie: it decrypts and authenticates).
For people who don't want to go through the trouble of self-hosting and also don't want to pay for a subscription I have had pretty good luck with Enpass.
* It stores an encrypted file on a cloud storage platform of your choice (gdrive/dropbox etc) and syncs across devices.
* No subscription fees
I used Enpass for a little while a couple years ago.
It was ok but not great. Eventually I decided to migrate off it and was not impressed by their export functionality. I had to literally go through every entry to make sure it made sense, check against the GUI to make corrections, and even then reimporting into either LastPass or 1Password was another full round of checking item per item.
I hope it got better but if you're on it I'd advise you look into that as soon as possible as your database only tends to grow and with it the difficulty of migrating off when the time comes.
I found the pricing to be a bit confusing. I'm self-hosting it now and been happy with it, but when installing for the first time I couldn't find how to share some of the passwords with another user. Well it turned out that in self-hosted instance you don't have that possibility to share to another user without a paid license. Ok, fine by me so I bought the one year premium for the self-hosted instance as from one of the tables in their website it said that would be needed. So now I had the one year premium with all the nice features but still I couldn't share passwords. Importing the license key to create an organization (for sharing) failed every time. I contacted their support and found out I had just misunderstood the pricing. To create an organization you need an organization license, which was another roughly ten euros a year. After bying that I had it working as I wanted. Their support also gave the possibility to get money back from the unneeded personal premium license as it wasn't needed for my usecase, but I kept it as I found the price to be quite ok.
So that might have sounded like a rant, but my only issue was that I didn't understand the pricing for self-hosted. My one year is up soon and I will be renewing my license as we've (as in me and my wife) been happy with Bitwarden.
Its good for personal use, but enterprise features are weak/missing and the layout isnt very enterprise ready. I tried their "Organizations" feature out to see if I could deploy it at work instead of teampass, and it wasn't comparable. They are still fixing and developing, so it might be enterprise ready someday. It really is a nice with all the addons.
I use the bitwardern docker version for people to use, I have it installed, but for my own use, sticking with keepass.
I have been using Bitwarden because its free for about 1.5 years. The UX experience is so bad on both mobile and extensions. If the extensions closes, like when you copy the password and paste it into the box, it looses its location, so you have to re-find the account, click on it, and then copy the username. You get what you pay for.
https://recordit.co/jrvUFWCPkS
Here, I go to add an account. I generate a new password and then I try to paste it into the text box to verify it meets the website's password rules. I then go back to hit save, confirming that it worked and it loses the entry.
oo that is a cool trick! but it doesn't work if you're looking for an account that doesn't match the current URL (like if you created the account on the mobile app)
In that case it's simpler to find the right password entry, click edit on it and add the current domain to the list of domains it keeps for the entry. That way you won't need to mess with the copy/paste button.
I use Bitwarden myself and I only need the copy/paste button for stuff like email and WiFi passwords. If you're manually copying and pasting data, you're probably overlooking one of the many (sometimes not clearly indicated) features Bitwarden has.
Don't forget about the Alt-Shift-U keyboard shortcut to open Bitwarden in a Firefox sidebar. Using that, the extension doesn't close when you click elsewhere in the page.
I tried it back in May this year - I was looking for alternatives having just moved f/t onto Linux given 1Password doesn't have a proper Linux app. Though Bitwarden seemed fundamentally sound, I was pretty unimpressed by the client. It wasn't then in 1Password's class. I don't remember which part of my informal Electron app screening it failed on (ctrl-a perhaps), but I do remember I couldn't live with it then. I can live with poor affordances for occasional apps, but not for something used as frequently in a typical day as a password manager.
The Bitwarden apps (native and web) aren’t as polished but they function well. I would recommend Bitwarden to anyone except the most handholding-needing of users.
I used (paid for across Windows/macOS/iOS) 1Password for years but switched to Bitwarden because AgileBits kept openly making progressively more hostile moves against customers like me, and weren’t remotely apologetic about it. I would strongly advise anyone considering use of their products against it. Capturing and controlling use is more important to them now than serving users.
I changed from LastPass to Bitwarden. Have been quite satisfied with it so far. The save suggestion was annoying sometimes but overall everything works pretty fine.
Would recommend it to everyone in need of a password manager now.
You can probably install and run it under a different "user". If you're using Android, Shelter [0] and Island [1] can provide isolation, depending how your device is configured.
Hmm. That’s a good point. Do other apps do this? I had already left LastPass for KeePassXC by the time my company adopted LastPass, so I’m not sure how other apps handle this.
Is it possible to migrate (export then import) data from bitwarden? I'd like to sign up for a free account, and I'm wondering if I'd be able to move my data to a private (bitwarden_rs) instance later.
Big fan of Bitwarden! I have tried almost all the password managers over the last few years, and this is the one I finally settled on. Every previous one had some element that bothered me or was principally wrong.
Yes, that feature is called "Collections". An item (login, card, secure note, etc.) can be shared into multiple collections (only within one organization). For each collection per user permissions (none, read, write) can be set.
my only gripe with Bitwarden is that it only allows one login per website that I've seen. At work we use DashLane cause you can have multiple saved logins per website, which is a God send when dealing with multiple clients.
Bitwarden is great for personal use, but I can't use it at work cause of this one missing feature. If anyone knows of a way to make it have multiple logins per site, I'm all ears as I would love to get rid of DashLane and it's horrible Chrome Extension.
I’m not sure what OP is on about, but I’ve got plenty of sites with multiple logins just fine...
I’m using Bitwarden_rs as a server, but the official Apps all support it great, so it would strike me as a surprise if the official server didn’t have this ability too.
He's wrong. I have nine Twitter accounts saved on my Bitwarden. I don't use more than 2 currently, but I've played with different ways to differentiate my interests/follows over the years, and have never had any issues with multiple logins. In fact, Bitwarden moves your most recently used login to the top of the list so you don't have to hunt for it.
I just had a thought. What I would like is password protected, "password notepad". When activated, it remembers the text of passwords, shows it to you in text when you go to a website and then you type it into the site. (people looking over your shoulder is a way overestimated danger, the password-hiding thing dates to shared terminals).
The thing I hate about password managers is I am afraid I would stop knowing my passwords. This would allow me to remember my passwords since I would type them each time.
I've only seen Firefox and Chrome's built-in password managers so maybe this exists already. But it seems a decent way to do it.
> The thing I hate about password managers is I am afraid I would stop knowing my passwords.
That is a feature. The handful of passwords I know are mostly long passphrases. The rest are long random strings, generally up in the 30-something character range.
In fact, I don't even know some of my logins anymore: I will use or at least append random characters to most accounts that don't have any 'social' functions (that I care about). I also use a unique email per site.
If an account is compromised, it's got a very low chance it'll even connect to another account I own (at least not without human interpretation), and zero chance of helping with cracking any of my other passwords (other than hinting you can skip guessing anything <30 characters).
I have backups of my password file, I have email recovery (to a domain I own) - knowing individual accounts is just unnecessary.
I use a catch-all subdomain (like *@something.mydomain.com) that simply forwards to my main account. I then sign up on sites using something like news.ycombinator.com@something.mydomain.com or hackernews@something.mydomain.com.
I've been doing it since ~2001. The only downside is long e-mail addresses, but my password manager deals with that for the most part.
Subdomain is important, otherwise you get dictionary-style spam email attacks (as well as everything coming to whoever owned the domain before you, if anyone). I've never noticed that style of attack to the sub-domain.
I've also got very little actual spam to this. A handful of e-mail addresses were obviously leaked/sold but by far the bulk of the spam I get comes to my primary e-mail address which I never use to sign up for anything.
I've been doing that for over a decade. It's great. If I get a phishing email about my iCloud account, but it's sent to my yahoo@mydomain.com then it's obviously a phishing attempt, not need to check for other markers.
You can also see who has sold/leaked your email address for marketing purposes.
Not OP, but just a guess: you can use tags in your email (add `normal-email+tag-here@domain.org`) and it should go to the same location. If you host your own mail or have your own domain with an… M record? I don’t know—then you can easily create as many emails as you want and forward them to other accounts.
Some overly strict checks on some websites don't allow tags, but if you host yourself there's also the possibility to use `normal-email@whatever.domain.org`. Pretty convenient for filtering.
I have a domain just for emails, so any mail sent to the domain goes to me, so I can just sign up for a site as hackernews@mydomain.tld or whatever system i want for naming stuff. I still get every mail to the same mailbox, but if I start getting spam, I know which site sold my email, or got hacked.
* Encourages bad (easy to type, and potentially memorable) passwords and password reuse (probably the single best way to get compromised). (I have several hundreds of unique passwords.)
* Makes phishing easier. (People are bad at consistently checking the URL bar correctly char for char and every time.)
* Is inconvenient.
* Can be done with any existing password manager.
* About shoulder looking... I don't know about you, but I frequently need my passwords at work when colleagues are watching, or when I'm sharing my screen in a (often recorded) conference call.
If you can remember your passwords, they're likely not great passwords to begin with. I've got hundreds of logins and remember only 2 - the password manager one and gmail which a lot of important things hang off of.
The big issue these days is users sharing a password between sites, so having them unique/random is the game.
It’s an interesting tradeoff. In the one hand you have a single, low entropy, shared secret you give out to any stranger offering you an account. On the other hand you have only a single stranger to trust who can keep track of unique high entropy secrets for all those other strangers. But it’s a very well known entity that many malicious actors are circling attempting to find a weakness, and it’s not only keeping your shared secret(s) it’s also keeping a record of every service you have an account with.
You don't realize how often in public places there are cameras recording you. Whether it's the password they see in the clear on your screen or you physically typing, it's a risk that you don't have when you use a copy/paste password manager.
> people looking over your shoulder is a way overestimated danger
Depends on your environment. I personally have learnt at least two people's email passwords just from watching them type (not to use, just to see how easy it was), and I've seen an instance of a Windows Domain admin password being shoulder-surfed. Making it easier seems questionable.
[0] https://github.com/dani-garcia/bitwarden_rs