Free password managers often have significant limitations that force you to upgrade to a paid tier. Bitwarden, by contrast, is an open-source password manager with a free plan that’s generous enough for most users. For no cost at all, it includes username data breach monitoring and advanced multi-factor authentication options in addition to more standard password manager duties. That said, in our latest round of testing, Bitwarden’s browser extension failed our website form-filling tests, and competing services have improved considerably, leading us to lower the perfect five-star score from our previous evaluation to a still-excellent four. Proton Pass edges past Bitwarden with smoother form filling and additional features like email alias creation to earn our Editors’ Choice award for free password managers.
How Much Does Bitwarden Cost?
Bitwarden’s free plan includes support for up to two people. This means that in addition to the core functions of a password manager, you also get passkey and password storage across unlimited devices on multiple platforms, username data breach scanning, and the option to run a Bitwarden server application on your network.
That said, Bitwarden’s once-stellar free tier is a little less impressive than some of the competition now, and that’s primarily because competitors stepped up to the challenge. For example, a free Proton Pass plan now includes helpful features such as in-app email alias creation, credential hygiene monitoring, and advanced multi-factor authentication options.
Shrinking free tiers appears to be an industry trend, as other password managers whittle away at their free service menus or eschew free services altogether in favor of lengthy free trials. Keeper is an example of the latter, as it gives you 30 days to try its robust collection of Premium services for free. NordPass now limits free customers to one account on a single device without data breach scanning or password hygiene alerts, making Bitwarden’s free tier seem generous.
Though the free account isn’t as attractive as it once was, a Bitwarden Premium plan is still an excellent value at $10 annually. Premium adds file storage (up to 1GB), emergency access, password hygiene reports, and expanded sharing options. A Family account costs $40 per year and includes all the Free and Premium features while adding support for up to six people. You can also create unlimited Organizations for easy data sharing between accounts.
Other password managers charge significantly more for their premium services than Bitwarden’s $10-per-year plan. For example, Keeper is $34.99 per year, and 1Password and Proton Pass are $35.88 per year.
Getting Started With Bitwarden
Bitwarden is available as Android and iOS apps, and there are desktop apps for Linux, macOS, and Windows. Bitwarden offers extensions for a wide variety of browsers: Brave, Chrome, DuckDuckGo, Edge, Firefox, Opera, Safari, Tor, and Vivaldi. It’s the longest list of supported browsers I’ve seen while testing password managers, which is impressive. None of the plans limit you to a certain number or type of platform.
You can sign up for an account by visiting the website, entering your email address, and creating a strong master password when prompted. After creating an account, I recommend downloading one of Bitwarden’s browser extensions because the landing page for each one includes a short tutorial to help you import your passwords and familiarize yourself with the password manager’s web vault.
After exploring the browser extension and web vault, you may want to tweak the browser extension’s auto-filling settings. Citing security concerns, Bitwarden does not autofill credentials on page load for every browser or every website. You’ll need to manually enable this kind of auto-filling by visiting the Settings menu in the browser extension. Depending on the browser, you may need to also visit the browser’s settings menu to turn off the built-in password manager so that it doesn’t override Bitwarden.
Once you’re done setting up your browser extension, it’s time to import passwords from your old password manager or browser to your new Bitwarden vault. Bitwarden imports files from many apps, but the very long list includes a lot of defunct apps. For example, Myki, a free password manager, shut down in March of 2022, yet it is still on Bitwarden’s importing list. If you can’t find your old password manager, upload your credentials as a .csv file.
Whenever it’s time to move on from Bitwarden, the app offers three options for exporting your vault: JSON, JSON (encrypted), and CSV. The encrypted option uses the same encryption as your vault, which means you need to use the same key to decrypt it when you import it again.
From your web vault, you can create Collections, which allow you to separate your credentials and other vault items. For example, if you want to keep your work and personal credentials separate, you would create a Collection just for your work-related logins and other data and give it a Work label.
Bitwarden on Data Privacy
Before I review and test a password manager, I send a list of questions to the company to inquire about its privacy and security practices. Consumers need to have plenty of information about the companies handling their data. I’ve included Bitwarden’s responses to my questions below.
Has your company ever had a security breach?
No, Bitwarden has not had a security breach.
What unencrypted information does the password manager store in customer vaults?
All information types within user vaults, including usernames, passwords, URLs, and secure notes, are encrypted. Bitwarden employs zero-knowledge end-to-end encryption, such that the company cannot see nor access any stored information within individual or business vaults. This ensures that all sensitive data is protected upon entry to any Bitwarden client. There is no unencrypted vault data.
What is the company’s policy regarding master passwords?
Users should choose a strong and unique main password and be sure it is memorable or stored in a safe place. Bitwarden cannot access customers’ vault data due to end-to-end encryption, nor can the company help an individual recover the contents of their vault if they lose their main password.
Enterprise administrators may turn on the main password requirements policy, which will enforce a configurable set of minimum requirements for users’ main password strength, such as complexity, length, and character types. Turning on the account recovery administration policy allows owners and admins to reset the main password of enrolled users.
For individual users, Bitwarden strongly urges that a main password be:
- Unique, meaning it is not used for any other account.
- Memorable or written down where it can be only found by the user.
- Using a passphrase is one common solution. Strong and complex, with 14+ random characters.
What is the company’s policy regarding user data collection and data sales?
Bitwarden minimizes the data required to run its service and does not sell users’ private information. Bitwarden focuses on security with a privacy-friendly approach and does not rely on users to be an audience for advertising. The Bitwarden business model focuses on paid Teams and Enterprise business plans.
How does your company protect customer data?
To protect user data, Bitwarden utilizes end-to-end AES-CBC 256 bit encryption, salted hashing, and zero-knowledge encryption, meaning Bitwarden cannot see users’ vault contents. Bitwarden utilizes two key-derivation functions, PBKDF2 SHA-256 as well as Argon2 for unlocking encrypted vaults. Bitwarden further protects all customer data in the cloud with multifactor encryption. Bitwarden also undergoes regular third-party audits and complies with AICPA SOC2 Type 2 / Privacy Shield, GDPR, and CCPA regulations.
How does your company respond to requests for user information from governments and law enforcement?
Bitwarden is unable to access users’ vaults in an unencrypted state.
What kind of customer support options does your company offer and how easy is it to cancel a subscription / delete a user account?
All paying Bitwarden customers receive priority support.
The Bitwarden app and website feature a robust Help Center with extensive documentation. Users may also submit questions to the customer success team via bitwarden.com/help or leverage the Bitwarden community forum. All MSPs receive priority support from the 24/7 customer support team.
Personal and organization subscriptions can be canceled in the web app at any time. Deleting a Bitwarden account or organization permanently deletes the account or organization and all data that is associated with it. Bitwarden does not “soft delete” any data.
After reviewing Bitwarden’s privacy policy, I didn’t find major inconsistencies with the answers provided above by the company. The privacy policy states that Bitwarden will comply with law enforcement requests for personal information because it’s information customers provide when they sign up for the service. The data classified as “personal information” differs from your vault data, which the company cannot access.
I encourage you to read the privacy policies before installing new apps to learn more about how companies collect, sell, or store their data. Only you can decide how comfortable you are with data collection and how companies use your data.
Bitwarden’s Authentication Options and Security Features
Next, let’s discuss your multi-factor authentication (MFA) method with Bitwarden. By enabling the passwordless login feature, you can log into your vault without a password. The feature, which was in beta at the time of review, requires using a hardware security key or biometrics instead of a username and password combination.
To set up MFA, visit the Two-Step Login section of your Bitwarden account settings menu and choose to authenticate your identity each time you log in using a trusted email address, an authenticator app, or your devices’ biometrics. Setting up Bitwarden’s MFA with an authenticator app is simple; just snap the QR code with your authenticator app of choice, and you’re ready to go. Premium accounts can authenticate using Duo Security or Yubikey hardware security keys.
Like Enpass, Bitwarden’s paid plans allow the password manager to serve as an authenticator, generating the necessary TOTP and automatically filling it in when needed. To set it up, paste the MFA authentication code into a password entry’s Authenticator Key (TOTP) section.
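What an authenticator does with the key pasted into that field, as an added example that is not Bitwarden's code: it parses either a bare base32 key or the otpauth:// URI that the setup QR code encodes, then derives the time-based code per RFC 6238. The sample key and URI are constructed from the RFC test secret, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test secret, base32-encoded the way a site
# displays it for manual entry. It is not a real account secret.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    f"?secret={SAMPLE_KEY}&issuer=Example&digits=6&period=30"
)
_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_authenticator_key(value):
    """Accept a bare base32 key or an otpauth:// URI; return TOTP parameters."""
    params = {"digits": 6, "period": 30, "algorithm": "SHA1"}
    value = value.strip()
    if value.lower().startswith("otpauth://"):
        uri = urlparse(value)
        if uri.netloc.lower() != "totp":
            raise ValueError("only TOTP URIs are supported")
        query = parse_qs(uri.query)
        if "secret" not in query:
            raise ValueError("URI has no secret parameter")
        value = query["secret"][0]
        params["digits"] = int(query.get("digits", ["6"])[0])
        params["period"] = int(query.get("period", ["30"])[0])
        params["algorithm"] = query.get("algorithm", ["SHA1"])[0].upper()
    if params["algorithm"] not in _HASHES:
        raise ValueError("unsupported hash algorithm")
    if not 6 <= params["digits"] <= 8 or params["period"] <= 0:
        raise ValueError("digits must be 6-8 and period positive")
    # Sites often show the key lowercase, in spaced groups, without padding.
    b32 = value.replace(" ", "").replace("-", "").upper()
    b32 += "=" * (-len(b32) % 8)
    params["secret"] = base64.b32decode(b32)
    return params


def totp(params, at=None):
    """Code for the time step containing `at` (seconds since the epoch)."""
    counter = int(time.time() if at is None else at) // params["period"]
    mac = hmac.new(params["secret"], struct.pack(">Q", counter),
                   _HASHES[params["algorithm"]]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])


def verify(params, submitted, at=None, window=1):
    """Server-side check that tolerates `window` steps of clock drift."""
    now = time.time() if at is None else at
    ok = False
    for step in range(-window, window + 1):
        candidate = totp(params, now + step * params["period"])
        ok |= hmac.compare_digest(candidate, submitted)  # constant-time compare
    return ok
```

Anyone holding the key can compute the same codes, so a vault entry that stores both the password and the Authenticator Key holds both factors for that account.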
Security Features
As mentioned above, you need a Premium account to check your vault’s password hygiene, which is not true for other free password managers. Avira Password Manager and Proton Pass allow free customers to access credential health information, while data breach alerts are limited to paying customers. Bitwarden is the opposite since you can check individual emails and usernames for data breach activity for free, which is helpful. Bitwarden’s breach monitor provides information about when the breach occurred and what data was compromised in each incident. Bitwarden Premium and Families accounts can check their credentials to find and change reused or weak passwords in vaults.
Bitwarden’s password hygiene monitoring feature can generate six reports: Exposed Passwords, Reused Passwords, Weak Passwords, Unsecured Websites, Inactive 2FA, and Data Breaches. Exposed passwords are those that have been uncovered in known data breaches. Reused and weak passwords are self-explanatory. Bitwarden treats any linked URLs in your vault that don’t use TLS/SSL encryption as unsecured. The Inactive 2FA report identifies sites in your vault that support multi-factor authentication but for which you haven’t linked a TOTP code in Bitwarden.
Hands On With Bitwarden
I tested Bitwarden using the Android app, Chrome and Edge browser extensions, web vault, and Windows app.
Web Vault and Windows App
Bitwarden’s client for Windows has a simple blue-and-white vault interface. Along the left rail, you can access four different data types: Login, Card, Identity, and Secure Note. Login is where your passwords live, credit cards are in the Card section, Identity is for addresses and phone numbers you commonly enter around the web, and Secure Note is for text files you want to keep private.
The Bitwarden web vault looks similar to the Windows client, but its left rail has many more options, including Bitwarden Send, password reports, and your account settings. To access a website with the credentials you imported to your vault, click on the item, choose Launch from the drop-down menu, and Bitwarden will take you to the website to log in.
Browser Extensions
The Bitwarden browser extensions recently received a welcome interface update, modernizing the graphics and making the layout more intuitive. In the Appearance section, you can modify the extension window further by enabling a compact version.
The extensions for Chrome and Edge worked as expected in testing. After tweaking the auto-fill settings and disabling Chrome’s built-in password manager, I could access my passwords and log in to the test accounts without any problems. Capturing existing logins I didn’t import into the vault also worked as expected.
You can use a generated email alias to sign into accounts. The setup process is a lot more complicated than the in-app email alias generator found in Proton Pass, and you’ll need to set up an account with an external provider like FastMail or SimpleLogin.
Password and Username Generators
By default, Bitwarden’s password generator creates passwords containing uppercase and lowercase letters and digits but not special characters. I strongly advise checking the box to add special characters since many sites require them.
The generator can generate passwords from five to 128 characters long, but it defaults to 14. I advise increasing the length to 20 characters or more. You can also create passphrases up to 20 words in length. You can view your entire password history by visiting the View menu at the top of the app window and clicking Password History.
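To put numbers on that advice, the following added example (not Bitwarden's generator code) samples passwords uniformly under a "one character from each selected class" rule and computes the exact entropy of the result by inclusion-exclusion. The special-character set and all function names are assumptions of this example; the length bounds and the 14-character default are the ones quoted above.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes. The special-character set is an assumption made for
# this example; check the generator you use for its actual set.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*",
}
DEFAULT = ("upper", "lower", "digits")            # defaults described above
ADVISED = ("upper", "lower", "digits", "special")  # with the box checked
MIN_LEN, MAX_LEN = 5, 128                          # bounds quoted above


def generate(length=14, classes=DEFAULT):
    """Uniformly sample a password with at least one character per class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # Rejection sampling: every password that satisfies the rule stays
        # equally likely, which per-position tricks do not guarantee.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length, classes):
    """Exact log2 of the number of passwords generate() can return."""
    sizes = [len(CLASSES[c]) for c in classes]
    total = sum(sizes)
    count = 0
    # Inclusion-exclusion over the sets of classes that are entirely missing.
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return math.log2(count)


def compare():
    """Entropy of the default settings versus the advised ones."""
    return {
        "default: 14 chars, no specials": round(entropy_bits(14, DEFAULT), 1),
        "advised: 20 chars, specials": round(entropy_bits(20, ADVISED), 1),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label}: {bits} bits")
    print(generate(20, ADVISED))
```

Most of the gain comes from the extra six characters rather than from the larger alphabet, which is why raising the length matters even on sites that reject special characters.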
You can also use the username generator to create new usernames for social platforms such as Reddit or X. When creating a new account, click the Bitwarden symbol in the username text box, then choose the option to generate a username.
Form-Filling Performance
Bitwarden stores three types of personal data items: Cards, Identities, and Secure Notes. For each credit card, you record the card number, cardholder name, expiration dates, and CCV. Each Identity is a collection of personal data, including your name, email, and phone number. It’s not the cornucopia of data stored by RoboForm, but you can create additional custom fields if you want to save more personal information in your vault. You can also save text in the Secure Note section of the vault. You give each note a name and then paste or type your notes in the text field.
If you want Bitwarden to fill out a form, you should be able to click the extension button and then choose the desired identity or credit card. While using the extensions for Google Chrome and Microsoft Edge, I attempted to fill in my Identity data on two of the sites I use to test other password managers. Bitwarden failed to fill in the appropriate data forms each time, which affected its score.
Credential Sharing Options
If you have to share credentials, you want the process to be simple and secure. Bitwarden offers two methods: Bitwarden Send and via Organizations. Of the available options, Bitwarden Send is much easier to set up and use.
With Bitwarden Send, you can pass along an encrypted link to anyone (even people who don’t use Bitwarden) using whatever communication method you prefer. During the setup for a Send, you can specify an expiration date, a deletion date, and a maximum access limit, plus set up a password. Bitwarden Premium subscribers can share files and texts using Bitwarden Send. Free customers can only share text.
Organizations work a little differently. You don’t use the Organization sharing options to share individual credentials or text with other customers directly. Instead, you create an Organization for your account, invite other people to that Organization, and share a Collection with them. Bitwarden Families account holders can share credentials with up to six other account members using Organizations.
Free and Premium account holders can create two Collections. If you subscribe to the Family plan, you can create unlimited Collections. The point of the Collection system is to let you share different passwords with different group members. This sharing setup is best for enterprise customers, and it’s organized in a very “corporate” manner. There are three other levels of access within an Organization: the Admin, Manager, and User, but those distinctions would matter more in a business setting. Suppose you’re using Organizations to share credentials with your family. In that case, all you need to know is that you can limit each person’s access to specific Collections or set the credential access to read-only. If you’re sharing with a partner, it makes sense to give them full access. If the share is more one-sided, perhaps with a child, User access in read-only mode is probably best.
Emergency Access Options
Bitwarden offers a way for paid account holders to hand over access to their vaults in an emergency. The owner can approve access manually or set a date for when the vault will be accessible by the emergency contact. Notably, only Premium customers and higher can send emergency access requests, but people on the free plan can be designated recipients. Upon gaining access to the vault, Emergency access contacts either get read-only access or full control of the vault, depending on the settings.
Passkey Support
Bitwarden can create and manage passkeys. If you set Bitwarden as your passkey provider in your device’s Settings menu, the app can generate and use passkeys. This function works on mobile devices and browsers.
Bitwarden Mobile App Experience
For mobile device testing, I used Bitwarden’s app on an Android device. The mobile app worked as expected and includes the functions found in the browser extensions.
You can use Bitwarden as an authenticator app to secure your online accounts with a second layer of protection. As with the browser extensions, you’ll need to fiddle with the auto-filling settings within the app and on your device to get the app to fill in your credentials automatically. It’s an issue I’ve encountered when testing other password manager apps, and it’s easy to fix. To get to Bitwarden’s platform settings tutorials, head to the Settings menu, choose ‘Auto-fill,’ then tap ‘Password auto-fill’ to find instructions for changing your device settings for optimal password manager performance.
Is Bitwarden Good for Business?
Bitwarden’s password managers for teams and enterprise organizations are options for small business owners looking for secure credential storage. The price is $48 per year per employee for a Teams subscription and $72 per year for each account for an Enterprise subscription. The business offerings are more expensive than NordPass’ similar Teams plan, which is $23.88 per employee each year, or the Business plan, which is $47.88 per account annually.
Single sign-on (SSO) is available and eliminates the need for multiple usernames and passwords, but it has risks. If an attacker gets SSO credentials, they can access all associated applications. Enterprise Bitwarden accounts include a passwordless login option to prevent these hacks. You can verify your identification using a passkey, the Duo Mobile app, SMS, a phone call, or a U2F security key. When an employee leaves the organization, Admin account holders can remove team members from the business vault.
Bitwarden makes it easy for employees to access business passwords by importing them into a business vault separate from their employee vault. In addition, you can create Collections of passwords to share with specific employee groups or the entire company. Enterprise accounts include unlimited sharing capabilities with the Collections feature.
Bitwarden’s Customer Service Options
Bitwarden does not offer live chat or phone support. Instead, the company provides troubleshooting assistance via the robust Help Center page. If you need help from a human, you can fill out the contact form. Paying customers get priority email support.
Is It Easy to Delete Your Bitwarden Account?
If you’re a paid subscriber and you want to downgrade to a free account, keep in mind that you’ll lose the ability to authenticate your identity using a hardware security key, Bitwarden’s 2FA code generator will stop working, you won’t be able to add file attachments (any previously stored files remain in your vault), and you can’t add any new emergency access contacts. Unlike Proton Pass, Bitwarden does not offer credit for unused subscription time.
In testing, I had no trouble deleting my Bitwarden account from the web app’s Settings menu. Uninstalling the apps and browser extensions from my devices was also easy.
Verdict: Bitwarden Is a Bargain
Bitwarden works across platforms, allows unlimited password storage, and offers passkey support, username data breach monitoring, and advanced multi-factor authentication. The open-source app is regularly audited by third-party security researchers, which should bring you peace of mind when trusting the company with your credentials. That said, we’ve dropped Bitwarden’s previously perfect five-star score to four. But instead of thinking of it as a drop, consider this score change a recalibration. Other companies stepped up their game, producing free and affordable credential management apps that operate more smoothly than Bitwarden. Proton Pass is our Editors’ Choice because it offers comprehensive free password management with flawless functionality and interesting features such as in-app email alias generation, alias inboxes, comprehensive dark web monitoring, and password hygiene reporting.