BitWarden review: is this the free password manager we’ve been waiting for?

I’ve never really got on with password managers. I’ve found them either to be clunky or expensive, sometimes both. And then I ran into BitWarden.

Well, I say ran into. It was more shoved in front of my windscreen by a brilliantly persistent Twitter correspondent Brian, who kept telling me to try BitWarden every time I moaned about remembering passwords.

Brian was right. BitWarden is free*, friendly, powerful, effective, works with almost any device or browser you can name, and it’s free. Did I mention you don’t have to pay for it? Here’s my review of BitWarden and why you should be more Brian.

(* There are paid-for features, but none of them is essential.)

BitWarden review: getting started

I’ve tried other password managers before, and getting started has been more painful than a stubbed toe. For starters, I want them to suck in all the passwords I’ve previously had stored in my browser – many make that awkward, some outright refuse. BitWarden’s well up for it.

First, of course, you must sign up, but this is the work of mere moments. You go to the website, enter your email address, name and master password and that’s it. You can set an optional password hint for the master password, but there are no other mandatory details required. No phone numbers, no date of birth, no inside leg measurements or anything of value to advertisers.

Don’t overlook the password hint, because if you forget your master password, you’ve had it. There is no means of recovery. Forget your password and you can forget getting back into BitWarden (although I’ll come to one possible failsafe later). For that reason, you might very well want to write down your master password and keep it somewhere secure: by which I mean a locked safe, not a Post-It Note on your computer screen.

Once you’re signed in, you can log into the web vault on the company’s website – the only place you can import passwords from another manager (the apps or browser extensions won’t do it). Click Tools, Import Data to start the process, and then select which browser or password manager you’re importing from from the drop-down menu. The only notable exceptions I can find are Internet Explorer/Edge. Apple’s Safari isn’t listed, but you can export from Apple’s Keychain and pop those passwords into BitWarden.

BitWarden: the browser extensions

BitWarden has the most comprehensive browser support of any password manager I can think of. Not only can you always access your passwords via the web browser, but it has a wide range of extensions that can auto-fill passwords on login pages, generate new passwords and much more.

BitWarden has extensions for the following browsers:

• Google Chrome
• Firefox
• Opera
• Microsoft Edge
• Safari
• Vivaldi
• Brave
• Tor Browser

On top of that, there are desktop applications for Windows (7, 8 and 10), macOS (Yosemite and later) and various Linux distros.

I’ve been testing the service with the Firefox and Chrome extensions, and they’ve both performed brilliantly – although there are a couple of key things to bear in mind.

First, if you want BitWarden to automatically fill usernames and passwords on website login pages you first have to disable any such feature in your web browser, and then secondly have to go to Settings > Options in the BitWarden extension and then select the option to auto-fill on page load.

BitWarden warns this is an experimental feature and it has struggled with usernames on one or two sites I’ve visited, but you can always just click into the extension and click on the login you wish to use on that page if the auto-filler fails. It’s nothing more than a couple of clicks of inconvenience on the rare occasion it goes wrong.

There’s not much point in using a password manager if you’re going to rely on the old, memorable passwords, which is where another key feature of the BitWarden extension comes into play – the password generator.

If you’re changing or setting up a new password on any site, you can use BitWarden’s generator to create your new super-strong password. By default, passwords are 14 characters in length, use a mix of upper and lower case letters and numbers, and avoid ambiguous, easily confused characters such as 1 and l. As you can see, however, all these settings are adjustable.

Once you’ve generated a new password and copied it into the New Password field on the relevant website, BitWarden offers to add it to its vault and that’s the last you’ll ever need see of it. You’re much more secure when even you don’t know your own passwords.

One thing to note with the browser extension: you’ll be logged out every time you close the session on your PC, so you’ll need to re-enter the master password every time you start your PC. That’s good practice, as it means you’re less likely to forget a master password that you only have to type, say, once a month. But, yes, it’s less convenient than having them saved in a browser, which may never demand a master password to autofill your logins. You don’t need me to tell you which is more secure, though.

BitWarden: mobile apps

BitWarden has mobile apps for Android and iOS, both of which were working flawlessly… until I came to take screengrabs for this review.

When it’s working, the Android experience looks like this:

As soon as you press into the login section of a website or app, a BitWarden pop-up appears offering to fill in the necessary credentials. Sometimes, because developers use different login URLs for apps and websites, BitWarden doesn’t recognise the login page for apps. But all you need do is search for the saved credentials and it fills them in for you. At the very worst, you can copy and paste them out of the app.

That was all working swimmingly until I went to take these screenshots, when the autofill suddenly stopped appearing in the Chrome browser. I’m not sure if an update to the browser has created a problem or if something else is afoot, but I’ll report back if it doesn’t right itself…

The iOS experience is similar. Apple doesn’t really do pop-ups, but if you’re logging into a website, you can press the passwords prompt at the top of the keyboard to enter your saved BitWarden logins, and if you’re entering details into an app then a little key symbol appears in the password field, which you can tap to get your saved logins.

Both Android and iOS apps let you log in with a fingerprint, once you’ve entered your master password for the first time. This is potentially the get-out-of-jail-free card I was talking about earlier, should you forget your master password. You still won’t be able to change that master password, but you will at least have access to your logins, letting you make note of any crucial passwords.

BitWarden: paid-for features

As I mentioned at the top, BitWarden does offer a smattering of paid-for features, although there’s no need to pay if you’re just looking for basic, single-user password management.

Premium features include:

• 1GB of encrypted file storage – handy for sharing sensitive files
• Support for two-factor login to the password vault, using devices such as the YubiKey
• A password hygeine service that scans to check if your credentials have been caught in any major breaches
• Priority tech support

The Premium features are only $10 a year if you do decide to go for them, which is ridiculously reasonable.

BitWarden: security

Finally, let’s deal with the security on offer from BitWarden. After all, if you’re going to entrust your passwords to a manager, you want to know they’re not going to leak.

BitWarden appears to do everything possible to ensure passwords aren’t compromised. Even though you can access them online, BitWarden doesn’t store your passwords in a readable format: everything is protected with strong encryption, both in storage and when it’s being transmitted. If you want to know more about the encryption used, there are full details here on BitWarden’s excellent support site.

Some people might be scared off by the fact BitWarden is open source, which means all the code for its apps and extensions are published online. But this is a GOOD THING. It doesn’t make the software any less secure. On the contrary, it means clever folk can see what’s going on in the code and alert BitWarden to any flaws. What’s more, the company submits it code for independent audit by a security consultancy, and you can read the entire auditor’s report here.

Nothing is bulletproof. But when a company is that transparent, it fills me with confidence.

BitWarden review: verdict

BitWarden is the most reliable, efficient and browser/operating system agnostic password manager I’ve come across – and I’ve tried a few. Only the glitch with Android I’ve encountered during testing rocks my confidence in this package a little.

You’ve absolutely nothing to lose by giving it a go, as it’s free and not hawking your personal data to all and sundry. Even the premium add-ons are reasonably priced. If you’ve decided it’s time to bolster your password security, then I wouldn’t look any further than BitWarden.

NOW READ THIS: Firefox Lockwise review