
New Password Manager: Bitwarden

James F. Carter <jimc@jfcarter.net>, 2021-03-20

Currently for my password manager I'm using KeePass by LuckyRat on my UNIX laptop. I want to considerably expand the scope of my password manager. Will KeePass support what I want to do, or will I need a new product?

A password manager has a database containing a map from URIs (or other IDs of password consumers) to loginIDs and passwords that will let the user authenticate and get service from that consumer. The usual mode is for a browser plugin, or an app running in the background, to monitor web pages, or other apps' authentication windows, and to fill in the loginID and password. Thus the user does not have to remember the password and is willing to make it long and random, resisting nefarious attempts to crack it.


Glossary

These acronyms and jargon words are often used:

Goals and Issues

Issues for the password manager. Obviously some of these goals conflict.

Searching For a New Password Manager

The first step is to search on Google for "password manager". I found quite a number of digest reviews and "10 best" lists; I concentrated on recent ones in mainstream media. But PMs are fairly similar and so are the articles rating them, so I'm showing details mostly for the first "10 best" review.

PCMag: The Best Password Managers

On PC Magazine by Neil J. Rubenking & Ben Moore, 2021-02-17. They reviewed quite a number of products, which were also reviewed in other similar articles. While each author had his or her own opinions on which aspect of the product should drive the ranking, the information I was getting from all the reviews was generally similar. Here are four products from the PCMag review which seemed relevant to my needs.

Keeper: cross-platform; 4.5*; top of their list.

MSRP $21/yr for 1 user, $45/yr for family of up to 5. Does 2 factor auth. Keeps a password history. Free trial limited to one client. Windows, Android, iOS, Linux, Firefox, MSIE, Safari, others that we don't have. Zero knowledge: they store ciphertext; you encrypt and decrypt it on the client device using your master PW. Has password inheritance (your executor can extract your PWs if you die). Has password capture. Can recognize password change pages; can generate a random PW here and save it in the DB. It fills in app passwords. Can share PWs (individually) with other users. Or you can create one or more shared folders. Editor's choice. Comment: watch out for auto renewing the subscription; it's hard to unsubscribe.

Dashlane: 4*

MSRP $60/yr (highest in this set?), $120/yr for premium pro. Free trial. Handles Windows, MacOS, Android, iOS. Where's desktop Linux? Use via web browser extension. In functions it's very similar to Keeper. Includes a VPN service (to which the extra price is attributed). Dashlane recently made some kind of change to the terms of service (I had trouble understanding the issue but I think it involves secure storage for attachments), which pissed off a lot of users and led them to read this article to find a different password manager. Editor's choice.

1Password: 3.5* ; our son uses this.

MSRP $60/yr for family plan, 5 users ($1/mo per user for more), 1Gb secure storage; single user plan costs $36/yr. Covers Windows, MacOS, Android, iOS, Firefox (+others) browser extension, no native desktop Linux. PC Mag's complaints: the UI of the apps and the browser extension are different, leading to confusion. They prefer the X extension style over the regular extensions. No dedicated inheritance feature (but in the family account you can designate multiple people as administrators, which should be enough). Sharing is limited to within the family. Setup: to add another device or browser, you need to type in the 34 byte random symmetric key (obviously base64 encoded, about 204 bits). Or there are various maneuvers to pass a picture of a QR code to the new client. It does 2FA, both via an auth app and U2F keys. Don't try to get 1Password to do 2FA for 1Password; it's a chicken and egg issue. Our son uses this product.

Bitwarden: 4*

Open source! The free version offers most of the features. Premium is $10/yr (only!) plus $1/yr to share passwords. OS support: Windows, macOS, iOS, Android, Linux; Firefox, Safari, etc. Also many activities are available from a plain web UI. Breaking news: it now has emergency access, which is equivalent to legacy inheritance. The paid version has these features: authenticate with a YubiKey or FIDO U2F key; attach files to items (1Gb max); get a report of PWs stolen in data breaches.

Jimc's Summary

All the reviewed products have generally similar features and functions, although there are significant differences in price, in the slickness of the user interface, in flexibility, and in meeting non-core goals from jimc's list.

One question that often comes up is, can you use it without an Internet connection? It's my impression that most/all of these apps store the database (containing ciphertext) on each client device and sync to/from the cloud instance. So you can read and alter your items without a connection; alterations will be synced when the net returns. However, web pages in which you would fill passwords come in from the Internet, and password protected mobile apps almost but not quite invariably perform their service (e.g. controlling your thermostat) by an Internet connection from your phone and from the thermostat to the mother ship, so you will (almost) never have an opportunity to use your password manager when the Internet is down.

YubiKey 5Ci Review

YubiKey 5Ci by Yubico is a dongle with USB-C (type C) and Lightning connectors. It does smart card things, specifically FIDO2/U2F (WebAuthn) for authentication. MSRP $70. There's a version with USB type A plus NFC; MSRP $45, street $27.

Google Has the Key to Keeping You Secure But You Don't Need It

Since Google required 2FA hardware keys internally, phishing successes dropped to zero. But their security guru says it's useless to deploy this to most users, who will just get frustrated with the extra steps. 2FA is really useful for people subject to targeted attacks, like politicians…

Wikipedia article about Password Manager

It discusses aspects and vulnerabilities of PW managers in general, but does not compare specific products.

Old review of KeePass

KeePass: 3* (dated 2016-06-27, 5 years old). For me, this review was not useful because of improvements to KeePass in the last 5 years.

CNET: Best Password Manager

By Clifford Colby & Rae Hodge, 2021-03-17. Their #1 is/was LastPass because the free version includes most of the features. However, they've changed terms of service, and someone discovered 7 web trackers in the Android app, so the authors are re-evaluating their rankings. #2 is 1Password.

They also have a short review of KeePassXC. They say, "It's really for advanced users only: Its user interface takes a bit of fiddling to get all the independently built versions of KeePass to work together."

On SuSE Build Service, Bitwarden is not apparent, but there are packages for keepass (v2.47, in Mono) and KeePassXC (keepassxc) (v2.6.4, uses Qt5).

KeepassXC Project Website

Techradar: Best Password Manager

(2021-03-16) Their #1 is Dashlane. Keeper at #6. Bitwarden #7.

Wired.com: Best Password Managers

(2021-03-12) Their #1 is 1Password; #1 in free category is Bitwarden.

New York Times Wirecutter: Best Password Managers

(2021-02-05) Their #1 is 1Password; #1 in free category is Bitwarden.

Reddit forum for 1Password

OP _usererror_ about 2020-06-xx. He currently uses LastPass and is considering switching to Bitwarden or 1Password. His goals: features (report of weak/duplicate PWs; sharing PWs); security, particularly with cloud sync; privacy, particularly with browser extensions. Main questions: What are the main benefits of the 3 products? Which is considered the best for security and privacy? 1Password being closed source, can it really be trusted? Why has the 1Password Firefox extension not received Mozilla Recommended status?

Snips of discussion posts:

ArchmageJesus says:

I tried BitWarden out and it is absolutely a great product, but I think the BW vs 1P debate comes down to what you value…for me, I value your design and ease of use above all else, because the nicer it looks and easier it is to use, the more likely it is I can get my wife to use it, and that's why I'm still on 1P…if it were just me, I'd honestly probably be on BW because I can handle it being a little rougher around the edges.

sonsofrusticus says:

When you change a PW, 1Password recognizes it and saves it in the database; Bitwarden doesn't. He's using Safari exclusively and Safari support is poor, so he says.

Jimc's summary of several postings:

Several users point out that 1Password started as an Apple app and its Apple incarnation is better than for Windows. Jimc is not sure whether the iOS app is closer to the macOS or the Windows desktop app. And what about Android?

Safety Detectives: Lastpass vs. Bitwarden: Is an Open Source Password Manager Better?

By Bjorn Johansson, date 2021-xx-xx. LastPass: winner in basic and extra features, ease of use, and customer support. Bitwarden: winner in security and pricing, but only recommended for advanced users.

Bitwarden integrates with TOTP generators (Google Authenticator etc.) and biometric ID if the OS has it. USB tokens and the built-in TOTP generator require the premium product. Usability: with Bitwarden you have to copy and paste the TOTP, whereas LastPass can auto-fill the form. (Jimc says: in 2021-04-xx on Firefox for desktop Linux, it offered to fill a TOTP form.)

Basic features of both products:

Sharing: LastPass is much more slick, and you can share in the free tier. With Bitwarden, the premium users can share with one partner, while you can share a whole vault with multiple users if you have the family plan (up to 6 partners) or business plans.

Summary of the various review articles: All of the PW manager packages have a lot of similarity. Common features, starting with the most common:

The Selection: Bitwarden

KeePass is the devil I know. However, it's a fringe operation with only one developer, and it doesn't have some of the modern features. I'm seriously considering switching to Bitwarden. It has these advantages over other commercial competitors:

Bitwarden components: If you're installing Bitwarden you will want these web links:

Bitwarden download page

This page has the current links for the apps listed below. It's probably better to refer to the download page, rather than following my links which are possibly outdated.

Firefox browser integration

Use this on both Firefox for desktop Linux and for Android (and presumably for iOS). Current version in 2021-03-xx: 1.49.1. Biometric auth if supported by the OS. The download page has extensions for eight different browsers.

Bitwarden for Android.

4.7*. Snips from reviews: No auto-fill (with which browser and version?) but their UI for cut and paste is good. Another user says auto-fill doesn't always work. Jimc says, auto-fill works for me. Current version in 2021-03-xx: 2.9.2.

Bitwarden for iOS (iPhone and iPad).

4.7*; not much info on this page.

Desktop app for Linux

The main useful feature is a command line interface so you can possibly automate backups. On the desktop you will mostly need passwords for web pages, for which you will use your browser extension. Maintenance operations, like adding or editing items, can be done from the app but (in jimc's opinion) are better done from the web GUI; see the next item.

Web GUI

The web GUI has most of the features of the native apps (but not auto-fill). It can be used from any web browser (whether or not you have the browser extension installed). Major activities are adding, editing and deleting items (loginID-password pairs), organizing items in folders, sharing, importing and exporting (downloading) items (e.g. for backup).

Installing Bitwarden

The first step when installing Bitwarden is to select a service plan. These are the personal plans (there are also business plans).

                         Free        Premium       Family
Price/year               Free        $10/yr        $40/yr
Max users                1           1             6
Bitwarden Send           text only   text+file     text+file
Shared items             --          --            Unlimited
Encrypted attachments    --          1Gb           1Gb personal + 1Gb family
2 factor authentication  2FA         2FA + etc     2FA + etc
(+etc means YubiKey, U2F, and Duo)

Some (but not all) Bitwarden features. -F marks features not available in the free plan; all are in the Premium and Family plans.

Which paid features do we really want?

Creating a free account. Pick a password first. You will need to remember it to open the service; you can't store it in the PM if you're going to use it to open the PM.

Terms of Service (Jimc's summary; IANAL),

Privacy policy (Jimc's summary)

The account creation form requires these items:

Tidbits and web resources from the welcome e-mail message:

If we're going to convert to a paid family plan, we really want to start out with a CFT organization (sharable collection). The free tier still can create an organization. (Actually it's a little less confusing to create the organization after you've upgraded your account.) Steps to create one:

Testing Bitwarden

I worked out a test plan in advance:

My existing password manager is a flat file (encrypted) with a fairly consistent format. I wrote a script to convert it to JSON, and when I botched the format and couldn't find what was wrong, I changed it to convert to CSV. That took some work, but less work and fewer errors than cutting and pasting 127 items from the flat file into Bitwarden's item form. To check that my JSON was well formed, I used https://jsononline.net/json-checker. Of course the attribute names have to be what Bitwarden expects; https://bitwarden.com/help/article/condition-bitwarden-import/ will get you started creating the JSON or CSV file, but for the gory details you will need to export and inspect a backup of test data.
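As an added illustration of the conversion described above (my own example, not the script from this page), here is a converter from a constructed flat-file format to the CSV layout Bitwarden's individual-vault importer reads. It lets Python's csv module do the quoting, so a password containing a comma or a quote (the easiest way to botch a hand-built file) survives intact. The flat-file format is invented for the example, and the header row is my recollection of Bitwarden's documented CSV columns, to be verified against an exported backup of test data as the text advises.

```python
import csv
import io

# Column header I believe Bitwarden documents for individual-vault CSV import
# (assumption: verify it against an exported backup of test data first).
BITWARDEN_HEADER = ["folder", "favorite", "type", "name", "notes", "fields",
                    "reprompt", "login_uri", "login_username", "login_password",
                    "login_totp"]

# Constructed sample flat file: "key: value" lines, blank line between records.
FLAT_FILE = """\
site: https://example.com/login
user: jimc
pass: correct,horse"battery
note: thermostat cloud account

site: https://mail.example.org
user: jimc@example.org
pass: tr0ub4dor&3
"""

def parse_flat_file(text):
    """Return one dict per record from the flat file."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def to_bitwarden_csv(records, folder="Imported"):
    """Render records as Bitwarden CSV; csv.DictWriter handles the quoting."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=BITWARDEN_HEADER, lineterminator="\n")
    w.writeheader()
    for r in records:
        uri = r.get("site", "")
        w.writerow({"folder": folder, "favorite": "", "type": "login",
                    "name": uri.split("//")[-1].split("/")[0],  # host as name
                    "notes": r.get("note", ""), "fields": "", "reprompt": "0",
                    "login_uri": uri, "login_username": r.get("user", ""),
                    "login_password": r.get("pass", ""), "login_totp": ""})
    return buf.getvalue()
```

Write the returned string to a .csv file and import it with the web GUI's Bitwarden (csv) option; if the import rejects it, an exported backup of a hand-entered test item shows the exact columns your Bitwarden version expects.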

Bitwarden in Operation

I now have all our passwords in Bitwarden. Both my wife and I agree that this is a low friction way to get passwords onto login forms, much less hassle than copying by hand from the flat file or the paper copy. The workflow in Bitwarden has to be learned, but it's pretty simple and convenient, particularly if you go through the settings and turn things on or off according to your preferences, and adjust the timeout to balance security and usability. Comparing BW's user interface with competitors that I didn't install, some promise a slicker experience and/or more focus on usability (vs. security) in the out-of-the-box default settings, but the PMs that lost this competition didn't match BW in other important core criteria.

These jobs still need to be done: