Software:Bitwarden

Bitwarden
Bitwarden Desktop Client 2025.7.0
Original author(s): Kyle Spearrin
Developer(s): Bitwarden Inc.
Initial release: 10 August 2016
Stable release(s):
  Android: 2023.7.0 / July 13, 2023[1]
  iOS: 2023.8.0 / August 28, 2023[2]
  Desktop: 2023.8.2 / August 25, 2023[3]
  Command-Line Interface: 2023.7.0 / July 13, 2023[4]
  Browser: 2023.8.2 / August 24, 2023[5]
  Server: 2023.7.2 / August 1, 2023[6]
Repository: github.com/bitwarden
Written in: TypeScript, C#, and Rust
Operating system: Linux, macOS, Windows, Android, iOS, iPadOS, WatchOS
Available in: Multilingual
Type: Password manager
License:
  Server: AGPL-3.0-only[7]
  Clients: GPL-3.0-only[7]
  Some modules: Proprietary[7][8]
Website: bitwarden.com

Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. It is owned and developed by Bitwarden, Inc.[9]

Functionalities

Bitwarden uses zero-knowledge encryption, meaning the company cannot see its users' data. This is achieved by end-to-end encrypting data with AES-CBC 256-bit and by using PBKDF2 SHA-256/Argon2id to derive the encryption key.[10][11]

To log in, a user can use an email-address and password combination, biometric authentication, two-factor authentication (2FA), passkey, single sign-on, or passwordless login via notification approval on a mobile/desktop device.[12][13][14]

Additional client functionality includes: import of data from more than 50 password managers (such as LastPass, 1Password, and Keeper); passkey management; export to JSON, encrypted JSON, and CSV formats;[15] a random password generator; autofill of login and other forms; integration with email alias services; ability to sync across unlimited platforms and devices; storage of an unlimited number of items; and storing a variety of information beyond username-and-password pairs, including passkeys, TOTP seeds, debit and credit card numbers, billing data and other identity information, and secure notes (free-form text). Each item type can be extended by custom fields and file attachments, though these are restricted by file size depending on the subscription plan.[12][16] A feature called "Send" allows sharing of end-to-end encrypted text messages (free version) and files (paid versions). Any sent item can optionally be set with an expiration date, a maximum access limit, and a password.[17][18][19][20] The Password Checkup tool uses zxcvbn to assess password strength.[21] It detects credential breaches by querying the Have I Been Pwned? database.[21]

Bitwarden implements credential sharing through collections within an organization. As of 2024, collections in a given organization are encrypted using the same organizational secret key, meaning that privilege separation is enforced at the authorization layer rather than through distinct encryption keys for each collection.[22]
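
The key-derivation and collection-sharing paragraphs in this section, modelled as an added Node.js sketch; it is not Bitwarden's code or wire format. The iteration count, the salt, the HKDF split into encryption and MAC keys, the HMAC tag and the per-collection sub-key design (design B) are assumptions of this example, and all secrets are constructed sample data.

```javascript
const crypto = require("crypto");

// Assumed for this sketch: the page names the algorithms, not the iteration count or salt.
const KDF_ITERATIONS = 600000;

// Split a 32-byte secret into separate AES-256-CBC and HMAC-SHA256 keys.
function expand(secret, label) {
  const okm = Buffer.from(crypto.hkdfSync("sha256", secret, Buffer.alloc(0), label, 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// Runs on the client only: the server never receives the master password or these keys.
function keysFromPassword(masterPassword, salt) {
  const master = crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, "sha256");
  return expand(master, "vault");
}

// Encrypt-then-MAC; CBC on its own would not detect tampering or a wrong key.
function seal(keys, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-256-cbc", keys.encKey, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  const mac = crypto.createHmac("sha256", keys.macKey).update(iv).update(ct).digest();
  return { iv, ct, mac };
}

function open(keys, blob) {
  const mac = crypto.createHmac("sha256", keys.macKey).update(blob.iv).update(blob.ct).digest();
  if (!crypto.timingSafeEqual(mac, blob.mac)) throw new Error("MAC check failed");
  const d = crypto.createDecipheriv("aes-256-cbc", keys.encKey, blob.iv);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString("utf8");
}

// Returns the plaintext, or null when the holder of `keys` cannot decrypt `blob`.
function tryOpen(keys, blob) {
  try { return open(keys, blob); } catch { return null; }
}

// Constructed organisation with two collections, "eng" and "finance".
function demo() {
  const orgSecret = crypto.randomBytes(32);
  const orgKeys = expand(orgSecret, "org");

  // Design A: one organisational key protects every collection.
  const financeShared = seal(orgKeys, "bank-portal: s3cr3t");

  // Design B (hypothetical): one sub-key per collection, derived from the org secret.
  const engKeys = expand(orgSecret, "collection:eng");
  const financeKeys = expand(orgSecret, "collection:finance");
  const financeSplit = seal(financeKeys, "bank-portal: s3cr3t");

  return {
    // A member of "eng" holds orgKeys in design A, so only the server's
    // access check keeps the finance ciphertext away from that member.
    sharedKeyReadsFinance: tryOpen(orgKeys, financeShared),
    // In design B the same member holds engKeys only.
    splitKeyReadsFinance: tryOpen(engKeys, financeSplit),
  };
}
```
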

Availability

The platform hosts multiple client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface.[23] Bitwarden can be operated on web interfaces, desktop applications (Windows, macOS, and Linux), browser extensions (Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Arc, Brave and Tor), or mobile apps (Android, iOS, iPadOS and watchOS).[12] 50 languages and dialects are supported, although not all of them are available on all clients.[24]

The platform also offers a free US or European cloud-hosted synchronisation service, as well as the ability to self-host.[25][26][27][28]

Compliance

Bitwarden's codebases of the computer clients, the mobile apps, and the server are open-source.[29] In August 2020, Bitwarden achieved SOC 2 Type 2 and SOC 3 certification.[30][31] Bitwarden is compliant with HIPAA,[32] GDPR, CCPA, SOC 2, SOC 3, and the EU-US and Swiss–US Privacy Shield[33] frameworks.[34][35]

Security audits

Third-party security audits are conducted annually and a vulnerability disclosure program is also established.[36][34]

In June 2018, Cliqz performed a privacy and security review of the Bitwarden for Firefox browser extension and concluded that it would not negatively impact their users.[37] In October of that year, Bitwarden completed a security assessment, code audit, and cryptographic analysis from third-party security auditing firm Cure53.[38][39][40][41]

In July 2020, Bitwarden completed another security audit from security firm Insight Risk Consulting to evaluate the security of the Bitwarden network perimeter as well as penetration testing and vulnerability assessments against Bitwarden web services and applications. In August 2021, Bitwarden announced that network assessment (security assessment and penetration testing) for 2021 had been completed again by Insight Risk Consulting.[15][42]

In February 2023, Bitwarden released network security assessment and security assessment reports that were conducted by Cure53 again in May and October 2022 respectively.[43] The first related to penetration testing and security assessment across Bitwarden IPs, servers, and web applications.[44] The second related to penetration testing and source code audit against all Bitwarden password manager software components, including the core application, browser extension, desktop application, web application, and TypeScript library.[45] Ghacks reported that:[46]

No critical issues were discovered during the two audits. Two security issues that Cure53 rated high were discovered during the source code audit and penetration testing. These were fixed quickly by Bitwarden and the third-party HubSpot. All other issues were either rated low or informational only.

Reception

In January 2021, in its first password-protection program comparison, U.S. News & World Report selected Bitwarden as "Best Password Manager".[47] A month later, with Bitwarden competitor LastPass about to remove a feature from its free version, CNet recommended Bitwarden as the best free app for password synchronization across multiple devices,[48] while Lifehacker recommended it as "the best password manager for most people".[49]

Reviewers have praised the features offered in the software's free version, and (mostly) the low price of the premium tier compared to other managers.[48][50][51][52] The product was named the best "budget pick" in a Wirecutter password manager comparison.[53] Bitwarden's secure open-source implementation was also praised by reviewers.[50][52]

Nevertheless, Tom's Guide found some features to be less intuitive than they could be,[50] while PC Magazine criticized the price of the business tier as too high.[54]

Bitwarden was highlighted by Süddeutsche Zeitung in its 2025 overview of leading self-hosted password managers as a solution that offers users increased security and full control by allowing the entire vault to be operated on their own server.[55]

History

2016–2017

Bitwarden debuted in August 2016 with an initial release of mobile applications for iOS and Android, browser extensions for Chrome and Opera, and a Web-based "vault" (encrypted database). The browser extension for Firefox was later launched in February 2017.[56] The same month, the Brave web browser began including the Bitwarden extension as an optional replacement password manager.[57] In September 2017, Bitwarden launched a bug bounty program at HackerOne.[36][34]

2018

In January 2018, the Bitwarden browser extension was adapted to and released for Apple's Safari browser through the Safari Extensions Gallery.[58] In February, Bitwarden debuted as a stand-alone desktop application for macOS, Linux, and Windows. It was developed as a web app variant of the browser extension, built with the Electron framework.[59] The Windows app was released alongside the Bitwarden extension for Microsoft Edge in the Microsoft Store a month later.[60][61] In May, Bitwarden released a command-line application enabling users to write scripted applications using data from their Bitwarden vaults.[23][62][63] In June 2018, following a review, Bitwarden was made available as an optional password manager in the Cliqz browser[37] (discontinued in 2020).

2022

In September 2022, the company announced $100M series B financing; the lead investor was PSG, with the existing investor Battery Ventures participating.[64][65] The investment would be used to accelerate product development and company growth to support its users and customers worldwide.[64][65]

2023

Figure: Example of passwordless authentication with Bitwarden

In January, Bitwarden announced the acquisition of Swedish startup Passwordless.dev for an undisclosed amount.[66] Passwordless.dev provided an open-source solution allowing developers to easily implement passwordless authentication based on the standards WebAuthn and FIDO2.[66][67]

Bitwarden also launched a beta software service allowing third-party developers the use of biometric sign-in technologies – including Apple's Touch ID and Face ID, and Microsoft's Windows Hello – in their apps.[66]

2024

On 1 May, Bitwarden launched its own multi-factor authentication app, Bitwarden Authenticator.[68] In October of that year, Bitwarden introduced changes to the dependencies of its desktop application to include a restricted-use SDK that may prevent some members of the public from compiling the application from source code, provoking concerns that Bitwarden is moving away from open-source principles. Bitwarden CTO Kyle Spearrin stated in response that it is an issue they plan to resolve, and is "merely a bug".[69]

Security Criticism

2024 Evaluation of Password Checkup Tools

A 2024 study by Hutchinson et al. examined the “password checkup” features of 14 password managers, including Bitwarden, using weak, breached, and randomly generated passwords. The authors found that the evaluated products reported weak and compromised passwords inconsistently and sometimes incompletely. No manager successfully flagged all known breached passwords. The study concludes that such inconsistencies may give users a false sense of security.[21]

2025 DOM-based Extension Clickjacking

Security researcher Marek Tóth presented a vulnerability in browser extensions of several password managers (including Bitwarden) at DEF CON 33 on August 9, 2025. In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click.[70] The affected password manager vendors were notified in April 2025. According to Tóth, Bitwarden version 2025.8.2 (August 31, 2025) addressed the issue.[71]

References

  1. "Bitwarden Password Manager - Apps on Google Play" (in en). https://play.google.com/store/apps/details?id=com.x8bit.bitwarden&hl=en_US. 
  2. "Bitwarden Password Manager" (in en-us). https://apps.apple.com/app/id1137397744. 
  3. Releases · bitwarden/desktop · GitHub, Bitwarden, https://github.com/bitwarden/clients/releases 
  4. Releases · bitwarden/cli · GitHub, Bitwarden, https://github.com/bitwarden/cli/releases 
  5. (in en) Releases · bitwarden/browser · GitHub, Bitwarden, https://github.com/bitwarden/browser/releases 
  6. (in en) Releases · bitwarden/server · GitHub, Bitwarden, https://github.com/bitwarden/server/releases 
  7. "LICENSE_FAQ.md". GitHub. 22 November 2021. https://github.com/bitwarden/server/blob/master/LICENSE_FAQ.md. 
  8. "Bitwarden License Agreement". GitHub. 22 November 2021. https://github.com/bitwarden/server/blob/master/LICENSE_BITWARDEN.txt. 
  9. "About Us | Bitwarden, Inc.". https://bitwarden.com/about/. 
  10. "Encryption | Bitwarden Help & Support". Bitwarden.com. https://bitwarden.com/help/what-encryption-is-used/. 
  11. "How End-to-End Encryption Paves the Way for Zero Knowledge". Bitwarden.com. https://bitwarden.com/blog/end-to-end-encryption-and-zero-knowledge/. 
  12. "Bitwarden Review: The Best Free Password Manager for 2022". CNet. 1 May 2022. https://www.cnet.com/tech/services-and-software/bitwarden-review-the-best-free-password-manager-for-2022/. 
  13. "Bitwarden launches SSO authentication to integrate password security with identity providers". Bitwarden Blog. 30 September 2020. https://bitwarden.com/blog/post/bitwarden-launches-sso-authentication/. 
  14. "Access Your Bitwarden Vault Without a Password". The Bitwarden Blog. 23 February 2023. https://bitwarden.com/blog/access-your-bitwarden-vault-without-a-password/. 
  15. "Bitwarden Review". PCMag. 15 March 2022. https://www.pcmag.com/reviews/bitwarden. 
  16. "Store Secure Notes, Credit Cards, & Identities In Your Bitwarden Vault | Bitwarden". Bitwarden Blog. https://bitwarden.com/blog/notes-cards-identities-released. 
  17. "Password Strength Testing Tool". Bitwarden. https://bitwarden.com/password-generator/. 
  18. "Username & Password Generator | Bitwarden Help & Support". Bitwarden. https://bitwarden.com/help/generator/#generate-a-username. 
  19. "Add Privacy and Security Using Email Aliases With Bitwarden". The Bitwarden Blog. 18 October 2022. https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/. 
  20. "About Send". Bitwarden.com. https://bitwarden.com/help/about-send/. 
  21. Hutchinson, Adryana; Munyendo, Collins W.; Aviv, Adam J; Mayer, Peter (2024-05-11). "An Analysis of Password Managers' Password Checkup Tools". Extended Abstracts of the CHI Conference on Human Factors in Computing Systems. CHI EA '24. New York, NY, USA: Association for Computing Machinery. pp. 1–7. doi:10.1145/3613905.3650741. ISBN 979-8-4007-0331-7. 
  22. Fábrega, Andrés; Namavari, Armin; Agarwal, Rachit; Nassi, Ben; Ristenpart, Thomas (2024). "Exploiting Leakage in Password Managers via Injection Attacks". arXiv:2408.07054v1 [cs.CR].
  23. Wallen, Jack (31 May 2018). "How to install and use the Bitwarden command line password manager". TechRepublic. https://www.techrepublic.com/article/how-to-install-and-use-the-bitwarden-command-line-password-manager/. 
  24. "Localization". Bitwarden.com. https://bitwarden.com/help/localization/. 
  25. "Bitwarden password manager review". TechRadar. 2 November 2022. https://www.techradar.com/reviews/bitwarden. 
  26. Brinkmann, Martin (27 July 2023). "How to migrate your Bitwarden vaults from US to EU storage". Ghacks Technology News. https://www.ghacks.net/2023/07/27/how-to-migrate-your-bitwarden-vaults-from-us-to-eu-storage/. 
  27. "Server Geographies". Bitwarden.com. https://bitwarden.com/help/server-geographies/. 
  28. "Self-hosting Bitwarden on DigitalOcean". The Bitwarden Blog. 19 April 2022. https://bitwarden.com/blog/digitalocean-marketplace/. 
  29. "Bitwarden on GitHub". Bitwarden.com. https://github.com/bitwarden. 
  30. "System and Organization Controls 3 (SOC 3) Report on the Bitwarden Inc. Password Management System Relevant to Security and Confidentiality for the Period January 1, 2020 – June 30, 2020". AuditOne. 21 August 2020. https://cdn.bitwarden.com/misc/Bitwarden%202020%20SOC%203%20Report.pdf. 
  31. "Bitwarden achieves SOC 2 certification". The Bitwarden Blog. 25 August 2020. https://bitwarden.com/blog/post/bitwarden-achieves-soc-2-certification/. 
  32. "Why use a HIPAA-compliant password manager". Bitwarden Blog. 7 December 2020. https://bitwarden.com/blog/post/why-use-a-hipaa-compliant-password-manager/. 
  33. "Privacy Shield: Bitwarden Inc.". Privacy Shield Network. 5 December 2020. https://www.privacyshield.gov/participant?id=a2zt0000000CoURAA0&status=Active. 
  34. "Compliance, Audits, and Certifications". Bitwarden.com. https://bitwarden.com/help/is-bitwarden-audited/. 
  35. "Privacy Policy". Bitwarden.com. https://bitwarden.com/privacy/. 
  36. "Bitwarden". HackerOne.com. https://hackerone.com/bitwarden/?type=team. 
  37. Greif, Björn (6 June 2018). "Password manager Bitwarden now available in Cliqz Browser". Cliqz Blog. https://cliqz.com/en/magazine/password-manager-bitwarden-now-available-in-cliqz-browser. 
  38. "Bitwarden Completes Third-party Security Audit". The Bitwarden Blog. 12 November 2018. https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33. 
  39. Brinkmann, Martin (13 November 2018). "Results of Bitwarden security audit published". Ghacks Technology News. https://www.ghacks.net/2018/11/13/results-of-bitwarden-security-audit-published/. 
  40. "Bitwarden Passes Third Party Security Audit". The Mac Observer. 12 November 2018. https://www.macobserver.com/news/bitwarden-security-audit/. 
  41. Heiderich, Mario; Inführ, Alex; Kobeissi, Nadim; Hippert, Norman; Kinugawa, Masato (8 November 2018). "Pentest-Report: Bitwarden Password Manager 11.2018". Cure53.com. https://cure53.de/pentest-report_bitwarden.pdf. 
  42. "Bitwarden 2020 and 2021 Security Audits are Complete". The Bitwarden Blog. 2 August 2021. https://bitwarden.com/blog/bitwarden-network-security-assessment-2020/. 
  43. Spearrin, Kyle (28 February 2023). "Bitwarden Upholds High Security Standards with Annual Third-Party Audits". The Bitwarden Blog. https://bitwarden.com/blog/third-party-security-audit/. 
  44. "Bitwarden Network Security Assessment Report". Cure53. 12 May 2022. https://bitwarden.com/_gatsby/file/405465c5c37e30375973c5e7f736d4b0/2022%20Bitwarden%20Network%20Security%20Assessment%20Report.pdf. 
  45. "Bitwarden Security Assessment Report". Cure53. 17 November 2022. https://bitwarden.com/_gatsby/file/587f36548f06fac33536c4808b79802f/2022%20Bitwarden%20Security%20Assessment%20Report.pdf. 
  46. "Bitwarden passes annual security audit with flying colors". Ghacks Technology News. 1 March 2023. https://www.ghacks.net/2023/03/01/bitwarden-passes-third-annual-security-audit-with-flying-colors/. 
  47. Kinney, Jeff (12 January 2021). "Best Password Managers of 2021". U.S. News & World Report. https://www.usnews.com/360-reviews/password-managers. 
  48. Broida, Rick. "This is the best free password manager alternative to LastPass". CNet. https://www.cnet.com/news/this-is-the-best-free-password-manager-alternative-to-lastpass/. 
  49. Murphy, David (18 February 2021). "Bitwarden Is Now the Best Free Alternative to LastPass". Lifehacker. https://lifehacker.com/bitwarden-is-now-the-best-free-alternative-to-lastpass-1846289833. 
  50. Long, Emily (22 April 2021). "Bitwarden password manager review". Tom's Guide. https://www.tomsguide.com/reviews/bitwarden. 
  51. Lamont, Jonathan (2 August 2020). "Bitwarden offers excellent password management tools with great value". MobileSyrup. https://mobilesyrup.com/2020/08/02/bitwarden-password-manager-review/. 
  52. Pathak, Khamosh (27 February 2021). "Bitwarden Is the Best Free Alternative to LastPass". How-to Geek. https://www.howtogeek.com/715490/bitwarden-is-the-best-free-alternative-to-lastpass/. 
  53. "The Best Password Managers". The New York Times. 5 February 2021. https://www.nytimes.com/wirecutter/reviews/best-password-managers/. 
  54. Rubenking, Neil J. (19 June 2019). "Bitwarden Review". PCMag. https://www.pcmag.com/reviews/bitwarden. 
  55. "Bester Self-Hosted Passwort-Manager 2025" (in de). 2024-08-09. https://www.sueddeutsche.de/erfahrungen/passwort-manager/self-hosted/. 
  56. "Bitwarden: Add-ons for Firefox". Addons.Mozilla.org. https://addons.mozilla.org/en-US/firefox/addon/bitwarden-password-manager/versions/1.9.8. 
  57. "Brave Features". Brave.com. https://brave.com/features/. 
  58. Brinkmann, Martin (1 March 2018). "Bitwarden Desktop App released". Ghacks Technology News. https://www.ghacks.net/2018/03/01/bitwarden-desktop-app-released/. 
  59. Stephenson, Brad (26 April 2018). "Password manager Bitwarden launches in the Microsoft Store". OnMsft.com. https://www.onmsft.com/news/password-manager-bitwarden-launches-in-the-microsoft-store. 
  60. Thorp-Lancaster, Dan (11 September 2017). "Bitwarden password manager extension comes to Microsoft Edge". Windows Central. https://www.windowscentral.com/bitwarden-password-manager-extension-comes-microsoft-edge. 
  61. "Bitwarden/cli v1.0.0". GitHub. 23 May 2013. https://github.com/bitwarden/cli/releases/tag/v1.0.0. 
  62. "The Bitwarden Command-line Tool". The Bitwarden Blog. 12 November 2018. https://blog.bitwarden.com/bitwarden-command-line-tool-now-available-e6184407b719. 
  64. "Bitwarden Announces $100 Million Growth Investment Led by PSG to Further its Mission to Empower Businesses and Individuals to Stay Safe Online" (Press release). Bitwarden. Business Wire. 6 September 2022. Archived from the original on 8 September 2022.
  65. Crandell, Michael (6 September 2022). "Bitwarden announces $100 million financing". https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/. 
  66. "Bitwarden acquires Passwordless.dev to help companies authenticate users without passwords". TechCrunch. 18 January 2023. https://techcrunch.com/2023/01/18/bitwarden-acquires-passwordless-dev-to-help-companies-authenticate-users-without-passwords/. 
  67. "Bitwarden extends passwordless leadership with acquisition". Bitwarden.com. 18 January 2023. https://bitwarden.com/blog/bitwarden-extends-passwordless-leadership-with-acquisition/. 
  68. "Bitwarden launches its own free and open-source Authenticator app". Android Authority. 2 May 2024. https://www.androidauthority.com/bitwarden-authenticator-app-free-open-source-3439120/. 
  69. Proven, Liam (24 October 2024). "Bitwarden's FOSS halo slips as new SDK requirement locks down freedoms". The Register. https://www.theregister.com/2024/10/24/bitwarden_foss_doubts/. 
  70. "Multiple top password managers vulnerable to password stealing clickjacking attacks - here's what we know" (in en). 2025-08-22. https://www.techradar.com/pro/security/multiple-top-password-managers-vulnerable-to-password-stealing-clickjacking-attacks-heres-what-we-know. 
  71. Tóth, Marek (2025-08-09). "DOM-based Extension Clickjacking: Your Password Manager Data at Risk" (in en). https://marektoth.com/blog/dom-based-extension-clickjacking/. 