Bitwarden Open Source



Arguably one of the biggest advantages that Bitwarden has over LastPass, is that if you don’t trust them for whatever reason, you don’t have to. Since Bitwarden is open source, you can host your own instance, on your hardware, at your own site. That way, you really do keep full control of the entire application stack. Bitwarden is an open source password manager. The source code for Bitwarden is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase. We believe that being open source is one of the most important features of Bitwarden.

Both Bitwarden and Passbolt are open source password managers specifically built for teams. This article will help you decide which one suits you better.

When it comes to finding a password manager that not only works for individual use but allows teams and enterprises better manage and access sensitive information, finding the right password manager can help ease the work flow. Bitwarden and Passbolt are both open source password manager software, that have been specifically designed for teams and allows businesses to host the applications locally or on the cloud. We will cover following topics in this post in order to compare Bitwarden vs Passbolt:

What is Bitwarden?

Bitwarden is a promising open source password manager that has cross platform compatibility including a mobile and web application along with command line interface as well. You can also access Bitwarden on your desktop as it has compatibility with Windows, MacOS, and Linux. As an open source password manager, Bitwarden can be used for individual use as well as at enterprise level. Not only can you host Bitwarden on your servers but it has cloud hosting as well, and with cross device compatibility it can be accessed whenever you need.

What is Passbolt?

Passbolt is an open source password manager specifically developed for businesses. The interface has been designed keeping in mind the needs and requirements of small and large team, and it allows an easy and secure management of passwords and sensitive information that needs to be accessed by multiple employees regularly. Passbolt is only available to be used locally on your server and can be accessed through a web browser extension online. As an open source password manager, you can directly install the source code on your server, or host it on Ubuntu, CentOS 7, Digital Ocean and more.

Main Differences

Both Bitwarden and Passbolt provide many features and functionality as open source managers, however they differ in their encryption technique and different client side applications they offer. Here is a rundown:

  • Bitwarden provides mobile, web and desktop applications for their users to access passwords at any time. However, Passbolt only provides local hosting for client servers and web browser extensions in order to access passwords online.
  • Passbolt has been specifically designed for teams which means that the interface provides a better user experience and overall community benefits that come along with it. Bitwarden on the other hand can be used for both individual and team use.
  • When it comes to pricing both open source password managers provide free and premium packages. While Passbolt it free to use for unlimited users, Bitwarden only allows two users on their free plan.
  • Encryption is key difference when comparing Passbolt and Bitwarden as the former uses GnuPG algorithm to authenticate users and secure the password database. On the other hand, Bitwarden uses 256 bit AES encryption protocol. Both encryption technologies ensure maximum security and protection of information stored.
  • Only Passbolt provides users and group management feature on its free package which makes it easier for teams to categorize and provide a hierarchy to access passwords. Bitwarden has these features but you will have to purchase the plan for Team organization.
  • Passbolt has an open API that can be accessed for development purposes however, Bitwarden’s API can only be accessed in its premium package.

Conclusion

In this post, we tried to go over in detail comparison of Bitwarden vs Passbolt. We discussed the main differences between the two open source password managers and which one provides the most features as a free, easy to use, open source password manager for teams.

Explore

You may find following links relevant:

We all know that password managers are worth their weight in gold, and the most popular of these by a large margin, is LastPass. LastPass is great, I used it myself for a number of years, but it is fairly expensive since doubling their prices in 2017. So are there any decent, open source alternatives to LastPass?

In short, yes. Enter Bitwarden (my current password manager). It is very similar to LastPass in functionality, but it’s completely open source. You can even host it yourself if you’re so inclined.

Pricing

Both LastPass and Bitwarden offer a free account that does not include any time restrictions for usage. However, the free account for Bitwarden has one big advantage over LastPass’ free offering – mobile sync.

The free tier for LastPass does not allow users to make use of the platform’s various mobile apps. Bitwarden on the other hand don’t limit their users in such a way. All of the core functionality of Bitwarden is also offered on their free tier.

Premium Pricing

If you decide you want to use LastPass’ mobile apps, and upgrade to their premium tier, it will set you back $2/month ($24 billed annually). However, Bitwarden’s premium offering will cost just $10/year.

If you decide to hand over 10 of your hard earned dollars to Bitwarden, you will receive 1GB of encrypted file storage, additional Two Factor Authentication (2FA) methods and use of their embedded TOTP generator. So if you use 2FA with any of your accounts, you can configure the tokens within Bitwarden, so that your codes can be pasted automatically, along with your username and password. You will also get priority support, as you would with LastPass Premium.

Family Account

Both LastPass and Bitwarden offer family accounts, where multiple accounts can be combined together under one umbrella account. These have a number of advantages; including cheaper overall costs, and the ability to easily share logins if you’re that way inclined.

LastPass offers 6 licenses at a cost of $4/month ($48 billed annually), whereas Bitwarden’s offering is just $1/month ($12 billed annually) for 5 licenses. The two packages are pretty much identical when it comes to features, so the fact that Bitwarden is 75% cheaper than the LastPass equivalent really is great value for money.

If you want to read more bout pricing, here are some useful links:

Bitwarden Open Source

  • LastPass pricing table: https://www.lastpass.com/pricing
  • LastPass free features: https://lastpass.com/features_free.php
  • Bitwarden pricing details: https://bitwarden.com

Security

Ok, this is the important bit. What is the point in trusting your most secretive of data – your passwords – with a 3rd party, if their security is shoddy?

LastPass are a big target, and have been compromised in the past. However, their security stood up to the attack, and even if a threat actor managed to get hold of an encrypted version of your password vault, they couldn’t really do anything with it.

Having said that, Bitwarden has very similar security to LastPass; your vault is encrypted locally, before being uploaded to Bitwarden’s servers, so they couldn’t access your vault, even if they wanted to. Your encrypted vault then goes through numerous round of hashing and salting, to further protect it from prying eyes.

If for some reason Bitwarden were to get hacked and your data was exposed, your information is still protected. This is because Bitwarden uses strong encryption and one-way salted hashing. As long as you use a strong master password, your data is safe no matter who gets hold of it.

To add to this, Bitwarden are encouraging security researchers to responsibly report vulnerabilities that are found, via the use of HackerOne. Having said that, to my knowledge, there has not been any independent security audits of Bitwarden yet.

Bitwarden source code

One of the things I think Bitwarden does do right over LastPass, is the lack of auto-fill. On LastPass, if there is a match, your username and password are filled automatically without any user interaction. Bitwarden on the other hand required its users to select the account to auto-fill, which is then pasted in.

Now, you may be thinking that this is a bonus point for LastPass, however, adding this deliberate step mitigates against theft of credentials via auto-fill.

Room For Improvement

Although good, I think Bitwarden’s security could do with some improvement to bring it in line with with LastPass. These are small items, and don’t actually stop me using the product, but they are worthy of improvement in my opinion. These are:

  • Geolocation – LastPass allows its users to limit logins to certain countries only. It would be great if Bitwarden also had this feature.
  • 3rd parties – Bitwarden uses 3rd party tools for payments. Although not a major issue, any 3rd party utilities that are in use can technically increase the attack vector.
  • Analytics – Within the app, there is an option for disabling analytics, stating that “We use analytics to better learn how the app is being used so that we can make it better. All data collected is completely anonymous”. Analytics are enabled by default. I would prefer this was disabled by default, or an option to choose when the app is first run.

Two Factor Authentication (2FA)

Both LastPass and Bitwarden offer a range of 2FA options. Everything from Google Authenticator, to Yubikeys, to plain old email. The fact of the matter is, both LastPass and Bitwarden offer a number of 2FA options, which is extremely important in order to add additional layers of security to such important data.

Bitwarden Open Source Github

Arguably one of the biggest advantages that Bitwarden has over LastPass, is that if you don’t trust them for whatever reason, you don’t have to. Since Bitwarden is open source, you can host your own instance, on your hardware, at your own site. That way, you really do keep full control of the entire application stack.

Integration

Personally, I use a wide variety of devices and operating systems. I have both Windows and Linux based machines, I use Android on my mobile phone, my tablet is an iPad, and I also have a Chromebook. So for me, broad integration is key for tools like LastPass and Bitwarden. Luckily, both password managers support pretty much every operating system and browser you can think of.

By using one of the browser addons, users can enter their credentials for sites they have stored within their password manager automatically. This is common in many password managers. However, Bitwarden takes things one step further over LastPass, as it allows users to also store 2FA tokens within Bitwarden itself, so if you don’t have your phone to hand, you can log in using 2FA, right from the app.

LastPass vs Bitwarden Compared

The table below shows a direct comparison of some of the features LastPass and BitWarden offer:

Bitwarden Github

Conclusion

Over all, both LastPass and Bitwarden are comparable products in terms of their functionality and usability. However, if you’re really paranoid and want to go with the product that has a proven track record, choose LastPass. Having said that, Bitwarden’s security (in my opinion) is more than capable of securing my password to such as degree that I’m happy to use it. Hopefully, a security audit in the near future will bolster than belief.

I personally moved over to Bitwarden around 6 months ago, following the price rises by LastPass, as well as the fact that they had been purchased by LogMeIn – who have a proven track record of not treating their users very well.

I wanted something open source, but also as functional as LastPass. I have most definitely found that in Bitwarden. My partner is still using LastPass, as her account hasn’t expired yet. However, when it does, I will definitely be moving her over to Bitwarden also.

Bitwarden Open Source

Are you using a different password manager? Or have you tried Bitwarden and found it to not an appropriate LastPass alternative? If so, feel free to tell me more in the comments…

Update Nov 2018

Bitwarden Source Code

The Bitwarden team have now completed a 3rd party security audit and the results were positive. You can read the full report here.