Bitwarden
this post was submitted on 11 Feb 2025
79 points (96.5% liked)
Privacy
36502 readers
390 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
Never looked back.
Have you tried syncthing? It works great with keepassxc.
Vaultwarden is pretty easy to self host.
+1 for Keepass + Syncthing. Free, no cloud, always synced.
Yeah this is me. It's been just perfect for many years now.
load more comments
(1 replies)
Bitwarden is excellent and the paid plan is very reasonable unlike with others.
Bitwarden.
My recommendation: Don't use Vaultwarden (self hostable server side of bitwarden. Really easy to run and use). Why? You're not a security personal, and securing your vault isn't your job. You might do a slight mistake that'll lead to the compromise of your vault.
The people at Bitwarden have their work dedicated to securing the vaults and all they do is security. And they'll probably do it better then you. When it comes to serious matter, I prefer to trust the professionals.
Doesn't the server just hold an encrypted vault? What could go wrong when the server is compromised? Just thinking out loud I don't know the answer
Security is also about backups. 3 Replicas 2 Formats 1 Offsite location
I just don't want any unauthorized persons anywhere near my vaults in general. I also see my vault as a critical service that requires high availability, and I know enough about system administration to know that my network and I are not qualified to provide that.
Yep, that's right. In theory you could share the encrypted DB with the public and not degrade security. (Still don't do that though...)
Let's say I have an unupdated patch and my server is now vulnerable.
This could really happen. I have work and life to worry about and I might not notice.
This vulnerability, could be in the BW instance itself (say the web server or the backend itself), or in the server itself (say an old OpenSSH version), or another service (NextCloud instance hosted in the same server under a different subdomain).
So, first we see it's a big attack surface. In any of those entrances an attacker could gain access to my server and with it the vault. It's a short way from there to install a keylogger on the website where BW is hosted, and get my master password ¯_(ツ)_/¯.
Now take into consideration that I just sat a couple of minutes to think about this, and I'm not a professional in cyber security or web security. Neither blue nor red team. A professional, with more knowledge, time, experience and resources, could probably bring up much more things.
I would just put a server on the internet with only the bitwarden ports open to the internet. And put the server in its own isolated environment. With automatic updates I would be comfortable with this. Even if for any reason the isolated server gets compromised, the server is mostly a glorified sync server.
Just to play devils advocate. Bitwarden.com is a much more valuable target. My instance is behind a VPN. I think its actually far more likely Bitwarden will have a breach similar to LastPass then I will. But I agree with you mostly.
The data stored on Bitwarden's servers is completely encrypted though, which means a breach will not yield useful data, unlike the plain text storage for LastPass.
I have the ability to selfhost BW so I am interested in counterpoints.
Yes I agree. I was just offering a counter to the statement that Vaultwarden isnt as safe as Bitwarden. They both are encrypted but my vaultwarden instance is a lot less likely to experience a breach than Bitwarden. The guys with real skill are going after Bitwarden not me.
load more comments
(1 replies)
Ignoring the security aspect of it Bitwarden is responsible for hosting a fault tolerant, highly available web app.
They have redundant networking, redundant servers, load balancers, redundant databases.
While you could host this yourself to these tolerances it's work and it's not free.
If you're using your password manager to the fullest you have a different password for every resource out there. It's more than a minor inconvenience if you get locked out of your passwords.
Their service is dirt cheap and it's absolutely worth every penny.
load more comments
(1 replies)
For native sync, the two good and reputable alternatives are Bitwarden and Proton Pass
2nding the Bitwarden, absolutely love it. I moved from LastPass years ago and never looked back.
3rded moving from LastPass to Bitwarden and never looking back. I got out when LogMeIn got in.
I use KeepassXC on desktop, KeepassDX on my phone and keep it all synced with Syncthing. Works great
load more comments
(1 replies)
Vaultwarden works really well for me.
KeePassXC. Despite a lot of room for improvement, overall it is pretty powerful & you don't have to host a server. You can also sync your password file to cloud storage. With VaultWarden, it will store a cache of your passwords on your phone but you wont' be able to update them away from home unless you also setup port forwarding, dynamic DNS, web server & all that.
I also use Unix pass and self host a git repo over Tailscale to keep it synced across devices. Works like a charm so long as I remember to push whenever I edit a password somewhere.
One of the big flaws of snapshot-based VCSs like get is the patch order mattering—which causes conflicts. I would love to see an alternative built on Darcs or Pijul with their Patch Theory-based VCS system that does not have the flaws Git does.
load more comments
(1 replies)
Big fan of Keeppass + syncing program of choice. It has served me well for years. If you don't like nextcloud pick a different syncing app.
I like to use SyncThing for my keepass vault. Imo it's about as simple and elegant as it can get without involving third party services.
I know you're asking for an integrated sync but this has been flawless for me and only rarely notice a delay between machines including android, linux, and windows (less that 30s in any case)
Good thing the KeepassXC can be used as a 2nd factor authenticator, though it has TOTP only, doesn't offer HOTP.
I haven't seen it mentioned here so I'll throw it out there - 1Password. It's just a very smooth experience that I really appreciate.
Got a free family subscription through my work. Before that I was paying for it.
1Password is just great. Wonderful Linux support (desktop app, cli client, identity agent for SSH).
The major update to version 8 was rolled out to Linux first, actually.
One of the few pieces of software where you feel that the developers care about their product.
Agreed. The experience is so easy and well integrated that it has been trivial to get my whole family on it. Being open source would be very nice though. That lack of transparency due to closed source is my only real gripe with it.
They are closed source, but their white papers are very good
load more comments
(1 replies)
There’s a lot of arguments for one solution or the other based on security or privacy, but let me present a different scenario:
Imagine you’re in a natural disaster. Your home based self hosted server is down because of a general rolling network outage or just irrecoverably destroyed. Your offsite on the other side of the county is in a similar state. Can your cloud hosted backup be accessed at generic, public computer in a shelter or public building?
Bitwarden can. It has specific instructions for doing so as safely as possible.
Keepass2android should be able to handle nextcloud sync from within the app so that might work better than on device sync. If your done with keepass bitwarden or proton pass are common alternatives
If you can't self host --> KeePass If you can self host --> Vaultwarden
Is VW audited in the same way that BW is?
I'm not completely sure, but doesn't Bitwarden encrypt all data before it reaches the server? That means the server implementation is a bit less important. I guess you probably don't want to be leaking even encrypted databases though since there is a chance they could be cracked.
load more comments
(1 replies)
I've been using Bitwarden for years now. Their free tier is amazing, they're rarely down, and it's open source with extensions and apps for every platform.
I tried Proton Pass for a minute while Bitwarden was offline, but quickly ran back to Bitwarden. Proton's extension kept logging out for some reason. I didn't care enough to troubleshoot it.
Most here won’t like this answer. 1Password.
I’ve used it for years and it just works well for me. Finally convinced my spouse to also use it a couple of years ago. Switching is not an option since it took years of convincing to make that happen.
Selfhosted VaultWarden with Bitwarden browser apps and KeyGuard on my phone, which I like better than the Bitwarden app.
load more comments
(7 replies)
view more: next ›