Bitwarden

With data breaches now a constant background hum, and the sacrosanct nature of your personal data long since ruined by all and sundry, using a password manager is just table stakes. You have to sign up for so many things online these days that the chance of at least one of them suffering a breach, and exposing your PII along with the password you used there, is a near cast-iron certainty.

Even if the password is just one of several factors you use to authenticate with something, and even if the service stored it properly at rest (a salted, slow hash rather than the password itself), you have to assume that the password is burned and can never be used anywhere else again. So you need a manager that generates a strong, unique password per service, so that the only things you really have to remember are the manager's master password and, ideally, whatever physically-present factors a service also asks for, be it a TOTP code or otherwise.

Put simply, if you don’t use one then who even are you anyway?

Now that you're terrified, AzureDiamond, at the thought of randominternetforum.com leaking your password and someone using it to steal all of your money from your bank, after buying things with your Amazon account and watching the 1998 Eddie Murphy Dr. Dolittle on your Disney+ subscription (all of which use that freshly-leaked hunter2), which one do you pick?

I’ve previously used LastPass, and then abandoned that particular ship there after they were acquired by LogMeIn. My personal policy for password management tools, given what they look after, is to only do business with companies where that’s their majority, and hopefully only, business. That means they’re incentivised correctly to do the right thing with the security of the system they sell you. Money is on the line if they fail, and ideally all of the money they need to survive as a company.

That led me to use 1password which I’ve blogged about before. 1password meets my standards for a password manager since that’s all the 1password folks are up to in their business (that I know of at least, of course!), and has a great combination of an iOS app that integrates with the system password management provider APIs to make itself available to all apps, a macOS standalone app, and great browser extensions that can either communicate with the standalone app or run as a standalone 1password client without needing it.

In regular use I’ve found 1password to be completely fine and had no real desire to look elsewhere, right up until I spotted some friends talking about Bitwarden.

Bitwarden is very 1password-esque in practice for me, now that I’ve given it a fair shake, both in parallel to 1password on my iPhone, iPad Pro and Mac, and most recently as the only password manager on those systems. The browser extension works almost identically, offering to fill credentials on websites (automatically, if you want it to) and to capture credentials from new signups on sites it doesn’t yet have details for, and the standalone Mac app is very similar to the 1password one.

The iOS and iPadOS apps have a clear lead over the 1password apps too, in that they have a pure FaceID unlock mode that is completely reliable. For reasons I’ve never been able to fathom, 1password on iOS and iPadOS will frequently sign me out and require my master password instead of FaceID.

Bitwarden has never suffered from that problem on my devices that have FaceID, which is fantastic for me because my master password is purposely long, draws from all corners of the ASCII character set, and is therefore very hard and annoying to type. That’s especially true on an iPhone or iPad soft keyboard.

Bitwarden is also much cheaper than 1password. It’s completely free in fact, if you don’t want any of the premium features that get unlocked if you buy a Bitwarden personal license, and I’d argue that none of those features are absolutely essential. The free variant supports cross-device sync, storage of all kinds of items in addition to credentialed logins, and supports 2FA login, something which I personally consider table stakes for the system I’m going to entrust with some of my most sensitive data.

That brings me nicely on to its killer feature for me: you can host the server component yourself. The server’s main job is device sync, but it also serves a web view of your vault for when you need it outside of the available apps. Why host the server yourself, you might ask? It puts one more step between anyone else and your vault, even though the vault only ever sits on the server in encrypted form.

The chances of your vault being readable in the clear are minimal even if someone breaks into 1password’s or Bitwarden’s or whoever’s infrastructure is storing it, because the vault is encrypted on your device with a key derived from your master password, and the server never holds that key. Hosting it yourself takes that particular risk off the table entirely. You obviously pay something for that by having to host it somewhere, which incurs a maintenance and upkeep cost, and the risk moves to your own box rather than vanishing, but at least the choice is there.

Bitwarden has made hosting the server component almost completely straightforward if you’re at all familiar with Docker and basic systems administration, and the source code is freely available if you’d rather examine it and build the images yourself than pull Bitwarden’s published ones from the Docker registry.

As for maintaining a self-hosted instance, the Bitwarden team have built a nice wrapper script that handles front-end updates, server updates, restarts (which I have plugged into my Let’s Encrypt certificate distributor after it deploys a fresh cert for the Bitwarden server instance), and certificate management if you want it to handle that for you, and there’s a strong set of documentation to go with it.
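The restart-after-renewal hook described above, written out as an added example. This is not the author's script and not anything shipped by Bitwarden: it is a certbot deploy hook that drops a renewed certificate into the bwdata/ssl/your.domain/ directory that Bitwarden's self-host setup uses for a custom certificate (certificate.crt and private.key), checks that the certificate and key actually belong together, and only then restarts the stack with bitwarden.sh. The /opt/bitwarden path, the BW_DIR and BW_DOMAIN variables, and the use of certbot (with its RENEWED_LINEAGE and RENEWED_DOMAINS hook environment variables) are assumptions to adjust to your own setup.

```shell
#!/bin/sh
# Added example (not Bitwarden's own tooling): certbot deploy hook that
# installs a renewed certificate into a self-hosted Bitwarden and restarts it.
# Assumptions: BW_DIR holds bitwarden.sh and bwdata; BW_DOMAIN is the vault
# hostname; certbot exports RENEWED_LINEAGE/RENEWED_DOMAINS to deploy hooks.
set -eu

BW_DIR="${BW_DIR:-/opt/bitwarden}"
BW_DOMAIN="${BW_DOMAIN:-vault.example.com}"

# install_cert SRC DEST: copy certbot's fullchain.pem/privkey.pem into the
# layout Bitwarden expects (certificate.crt, private.key), key readable by
# root only. Fails (non-zero) if either source file is missing.
install_cert() {
    src="$1"; dest="$2"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    mkdir -p "$dest"
    # write to temp names then rename, so a crash never leaves a half-written key
    cp "$src/fullchain.pem" "$dest/certificate.crt.tmp"
    cp "$src/privkey.pem" "$dest/private.key.tmp"
    chmod 0644 "$dest/certificate.crt.tmp"
    chmod 0600 "$dest/private.key.tmp"
    mv "$dest/certificate.crt.tmp" "$dest/certificate.crt"
    mv "$dest/private.key.tmp" "$dest/private.key"
}

# cert_matches_key CRT KEY: compare the SubjectPublicKeyInfo of the cert with
# the public half of the key, so a mismatched pair never gets deployed.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

restart_bitwarden() {
    "$BW_DIR/bitwarden.sh" restart
}

# Only act when certbot invoked us as a deploy hook for the vault's domain;
# sourcing or running this file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case " ${RENEWED_DOMAINS:-} " in
        *" $BW_DOMAIN "*)
            ssl_dir="$BW_DIR/bwdata/ssl/$BW_DOMAIN"
            install_cert "$RENEWED_LINEAGE" "$ssl_dir"
            cert_matches_key "$ssl_dir/certificate.crt" "$ssl_dir/private.key"
            restart_bitwarden
            ;;
    esac
fi
```

Install it with certbot's --deploy-hook option (or drop it in /etc/letsencrypt/renewal-hooks/deploy/); because the restart only happens after the cert/key check passes, a renewal that somehow produced a mismatched pair leaves the old, working certificate in place rather than taking the vault offline.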

The documentation is — at the time of writing, anyway — not without its small faults. In particular, it doesn’t document all of the global environment variables you can set to configure the email system, which is critical for the server to function correctly: without a way to send email to the users configured on the system, they can’t register and confirm their email addresses as part of the signup flow.

Still, the source code is available, so when I had problems getting it talking to my mailserver I was able to dive right in and figure out what was necessary. For those curious: if your mailserver uses STARTTLS for connection security like mine does, you might need to set globalSettings__mail__smtp__startTls and globalSettings__mail__smtp__trustServer both to true in your bwdata/env/global.override.env.
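The email configuration just described, as an added example that is neither the author's nor Bitwarden's own tooling: a small shell helper that sets the SMTP variables in bwdata/env/global.override.env idempotently (replacing a key that is already there instead of appending a duplicate, which is what a blind echo >> does), and a preflight check that tells you whether your mail server's STARTTLS certificate actually verifies. The startTls and trustServer keys are the two from the post; the host, port, ssl, username and password keys are assumed to be the ones from the stock global.override.env template, so check them against your own file. The example deliberately leaves trustServer at false: in Bitwarden's server code that setting makes the server accept the mail server's TLS certificate without validating it, so it belongs on only when the preflight fails and you can't fix the certificate. The mail.example.test host and the credentials are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bitwarden's own tooling: idempotently set the SMTP keys
# in bwdata/env/global.override.env and preflight the mail server's STARTTLS
# certificate so you know whether trustServer can stay false.
# Assumption: the globalSettings__mail__smtp__{host,port,ssl,username,password}
# keys match the stock global.override.env template; startTls and trustServer
# are the two settings from the post.
set -eu

# set_env_var FILE KEY VALUE: replace an existing KEY=... line, else append.
# Writes to a temp file and renames so the env file is never half-written.
set_env_var() {
    file="$1"; key="$2"; value="$3"
    touch "$file"
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# get_env_var FILE KEY: print the current value, or nothing if unset.
get_env_var() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# configure_smtp FILE HOST PORT USER PASSWORD [TRUST]
# STARTTLS on the submission port: ssl=false (no implicit TLS on connect),
# startTls=true. trustServer defaults to false; true disables certificate
# validation of the mail server, so only pass true when the preflight below
# fails and the certificate genuinely can't be fixed.
configure_smtp() {
    f="$1"; trust="${6:-false}"
    set_env_var "$f" globalSettings__mail__smtp__host "$2"
    set_env_var "$f" globalSettings__mail__smtp__port "$3"
    set_env_var "$f" globalSettings__mail__smtp__ssl false
    set_env_var "$f" globalSettings__mail__smtp__startTls true
    set_env_var "$f" globalSettings__mail__smtp__trustServer "$trust"
    set_env_var "$f" globalSettings__mail__smtp__username "$4"
    set_env_var "$f" globalSettings__mail__smtp__password "$5"
    chmod 0600 "$f"   # the file now holds a mail password
}

# smtp_starttls_check HOST PORT: succeeds only if the server offers STARTTLS
# and presents a certificate that verifies against the local trust store for
# that hostname (-verify_hostname needs OpenSSL 1.1.0+). Needs network access.
smtp_starttls_check() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
        -verify_return_error -verify_hostname "$1" </dev/null >/dev/null 2>&1
}

# Typical use (constructed values):
#   configure_smtp bwdata/env/global.override.env mail.example.test 587 bw@example.test 's3cret'
#   smtp_starttls_check mail.example.test 587 && echo "cert verifies: leave trustServer=false"
```

Run the preflight from the same host the containers run on, since that is the trust store that matters. If it fails, the usual fix is a certificate from a public CA or a ca.crt the container trusts; flipping trustServer to true makes the problem go away but also lets anyone who can intercept the SMTP connection read your users' signup and password-hint mail.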

The end result is that I won’t be renewing the 1password annual subscription that I have, and I’ve now emptied my vaults there. Bitwarden doesn’t do absolutely everything that 1password does, so I can’t claim it’s as good in every single way, but for my usage pattern it certainly is, and the self-hosted server component and lower price are a winner. Plus, if you buy the Premium license, it still activates those features on a self-hosted server instance too, which is great!

Bitwarden is now my favourite password manager, and any incumbent will need to meet the standards above if they want to dethrone it like it has with 1password for me. Bravo, Bitwarden Inc!