Bitwarden Review | PCMag

Many free password managers have annoying limitations that force most people to upgrade to a paid tier. Not Bitwarden. The free version of this open-source password manager does not restrict you to a certain number of entries or prevent you from syncing your vault across all your devices. Even the paid version, which adds several high-end security and sharing capabilities, is very affordable. Our main complaints with Bitwarden are that the Premium tier offers very little encrypted storage space by default, and that it had trouble automatically capturing and filling credentials on certain pages in our testing. Those issues notwithstanding, Bitwarden wins an Editors’ Choice award for the free password manager category, alongside Myki. However, if you want to pay for a password manager, other products offer a more seamless and sophisticated experience, albeit at an increased cost.


How Much Does Bitwarden Cost?

Bitwarden offers three plans at the consumer level: Free, Premium, and Family. The Free tier allows you to sync an unlimited number of vault items across an unlimited number of devices. Plus it includes a password generator, one-to-one text sharing (sharing text-based entries with a single person at a time), and the option to self-host. Not many other free password managers are as restriction-free. Myki Password Manager & Authenticator also doesn't have many limitations.

When you upgrade to Bitwarden’s $10-per-year Premium tier, you get support for enhanced two-factor authentication methods, password vault reporting and analysis, and the ability to automatically log in to sites that use time-based one-time password (TOTP) authentication. You also get 1GB of encrypted storage for files and file-sharing capabilities, as well as emergency access features. If you need more storage, each additional gigabyte costs $4 per year. The $40-per-year Family Organization tier gets you six Premium licenses, priority customer support, and the option to use the Organizations sharing tool.

Business customers can choose between three plans: Free Organization, Teams Organization ($3 per month per user), and Enterprise Organization ($5 per person per month).

Bitwarden offers native apps for Windows (including a Microsoft Store app), macOS, Linux, Android, and iOS. Its browser extension supports the expected Chrome, Edge, Firefox, Opera, and Safari, as well as the less-common Vivaldi, Brave, and Tor Browser. None of the plans limits you to a certain number or type of platforms.


Comparative Pricing

Several other password managers offer free and paid tiers, too. However, their free tiers tend to be more limited, and their paid tiers are usually more expensive.

LastPass, for example, also offers Free, Premium ($36 per year), and Families ($48 per year) tiers. LastPass Free is roughly comparable to Bitwarden’s free edition in that it does not place any limitations on the number of passwords you can store, but it makes users choose between using it on desktop computers and mobile phones, which severely limits its utility. A LastPass Premium plan removes that device-syncing limitation, plus adds one-to-many sharing, 1GB of cloud storage, account and password security monitoring, advanced multi-factor authentication options, and emergency access features. The Families subscription gets you six Premium licenses as well.

NordPass offers a similar lineup of plans with a different set of limitations for the free plan. Its free tier allows you to store an unlimited number of passwords, but prevents you from signing in to the same account on more than one device at a time. You need to pay for the Premium tier ($59.88 per year) for password health reports, sharing capabilities, and the data breach monitor. A NordPass Family account gets you five Premium accounts.

Dashlane offers a free tier too, but limits you to storing 30 total records, which is a dealbreaker. Dashlane’s cheapest paid plan starts at $35.88 per year, but this tier prevents you from syncing passwords across more than two devices at a time. To get rid of this limitation, you need to spring for Dashlane’s $59.99-per-year option.

Other premium password managers also charge more for their premium service than Bitwarden with its $10-per-year plan. For instance, Sticky Password costs $29.99 per year, Keeper Password is $34.99 per year, and 1Password charges $35.88 per year.


Getting Started With Bitwarden

As with most password managers, you start by setting up an account. Enter your email, create a strong master password, and you're done. Bitwarden rates your master password as weak, good, or strong as you type it, and it doesn't just look for a minimum length and use of different character sets. We found that it zinged simple-minded patterns as well. For example, the password 123Abc!123Abc!123Abc! is 21 characters long and uses all four character types, but Bitwarden still rates it as weak.
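The gap between a length-and-character-set rule and a pattern-aware rating can be shown with the review's own sample password. The sketch below is an added example, not Bitwarden's algorithm or code from the product; the function names and the bit costs assigned to sequences and repeats are illustrative assumptions.

```python
import math
import string

ALNUM = string.ascii_letters + string.digits

def policy_check(pw, min_len=12):
    """Naive rule: long enough and uses all four character types."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def pool_size(pw):
    """Size of the alphabet implied by the character types present."""
    size = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += len(string.punctuation) * any(c in string.punctuation for c in pw)
    return size

def naive_bits(pw):
    """Entropy if every character were chosen independently at random."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0

def shortest_repeating_unit(pw):
    """Return (unit, count) where unit * count == pw and unit is minimal."""
    n = len(pw)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and pw[:p] * (n // p) == pw:
            return pw[:p], n // p
    return pw, 1

def sequence_runs(s):
    """Split s into maximal runs of ascending characters ('123', 'Abc')."""
    runs, start = [], 0
    for i in range(1, len(s) + 1):
        ascending = (i < len(s) and s[i - 1] in ALNUM and s[i] in ALNUM
                     and ord(s[i].lower()) - ord(s[i - 1].lower()) == 1)
        if not ascending:
            runs.append(s[start:i])
            start = i
    return runs

def pattern_aware_bits(pw):
    """Heuristic estimate: a guesser only needs the unit and the repeat count.

    Assumed costs: a sequence of 3+ characters costs its start character plus
    its length (plus one bit per character if it has capitals); anything else
    costs a full random character; repetition costs log2(count).
    """
    if not pw:
        return 0.0
    unit, count = shortest_repeating_unit(pw)
    per_char = math.log2(pool_size(pw))
    bits = math.log2(count)
    for run in sequence_runs(unit):
        if len(run) >= 3:
            bits += math.log2(10 if run[0].isdigit() else 26) + math.log2(len(run))
            if any(c.isupper() for c in run):
                bits += len(run)
        else:
            bits += per_char * len(run)
    return bits

if __name__ == "__main__":
    sample = "123Abc!123Abc!123Abc!"  # the password quoted in the review
    print("passes naive policy:", policy_check(sample))
    print("naive bits:", round(naive_bits(sample), 1))
    print("pattern-aware bits:", round(pattern_aware_bits(sample), 1))
```

The sample passes the naive policy with a nominal entropy of well over 100 bits, while the pattern-aware estimate falls to roughly 22 bits because the string is a seven-character unit built from two sequences and repeated three times.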

Bitwarden Desktop App

If you're switching from another password manager, Bitwarden can help, but you must head to the web vault to do so. Here, you can import passwords exported from Dashlane, Keeper, RoboForm, or more than 50 other password managers. You can also import passwords stored in your browsers.

Bitwarden offers three options for exporting your vault: JSON, JSON (encrypted), and CSV. The encrypted option is new and uses the same encryption as your vault, which means you need to use the same key to decrypt it when you import it again.


Authentication Options

Multi-factor authentication (MFA) significantly enhances the security of your stored passwords. Without some form of MFA, anybody who guesses, steals, or hacks your master password can access your vault from anywhere. With MFA enabled, access requires another factor, something only you can provide. To set up MFA with Bitwarden, head to the Settings section in the web interface and then select the Two-step login option on the left-hand menu.

Bitwarden's free edition supports MFA via authenticator apps, which we prefer over less secure SMS-based methods. Most multi-factor systems require you to set up some kind of backup, such as a mobile number that can receive an unlock code via text, in case you ever lose your authentication device. When you go to enable MFA in Bitwarden, it shows a warning at the top of the page about how the company cannot help you regain access to your account if you lose your MFA device. It strongly advises you to copy down your account recovery code and store it in a safe place.

Setting up MFA with an authenticator app is simple; just snap the QR code with your authenticator app of choice and you're ready to go. There's also an option to receive MFA codes via email, but using an MFA app is a much smoother experience. Bitwarden premium subscribers get more MFA options, including authentication via a Yubikey, or any FIDO U2F-compatible security key.

One popular technique for using two-factor authentication with your other online accounts relies on TOTPs. Like Myki and Enpass, Bitwarden Premium can serve as an authenticator itself, both generating the necessary TOTP and automatically filling it in when needed. To set this up, you paste the MFA authentication code into the Authenticator Key (TOTP) section of a password entry.


Desktop, Web, and Browser Extension Experience

You can use Bitwarden’s web interface, desktop apps, or browser extension to create and edit entries in your vault, but some functionality is limited to the web interface. For instance, you must use the web app to set up multi-factor, run Bitwarden’s security reports, and import passwords. You can share items from any platform, but the desktop app limits you to Bitwarden’s new Send feature, rather than giving you full sharing capabilities.

If you want to host your passwords locally, Bitwarden allows you to do so on Windows, macOS, and Linux devices. Bitwarden's applications and code library were audited by Cure53 in 2018, while its network infrastructure was audited by Insight Risk Consulting in 2021. We appreciate Bitwarden's commitment to audits and hope it continues to do them at regular intervals.

Bitwarden Folder Organization

Bitwarden’s web and desktop apps have a similar layout. In the middle, you get a list of all the entries in the vault, while a left-hand menu allows you to filter by item type (login, card, identity, secure note) as well as view your favorites and deleted items. The browser extension’s design is more streamlined, but you can still filter by item type. We like that you can change the interface theme of the desktop app and browser extension. We didn’t experience any performance issues or crashes during testing on any of these three apps. For reference, we tested Bitwarden primarily on the Edge browser and a Windows 10 machine.

You can also organize your saved logins and items into folders. LastPass and LogMeOnce Password Management Suite Premium are among the products that let you do this at capture time. If you want to organize your Bitwarden logins, it's a little more work. You must create the folders you want first and then edit each item to put it in the desired folder. The desktop app does not support drag-and-drop capabilities. 1Password goes one step further with password organization because you can maintain several vaults per account and organize items in a nested structure.

As with most other password managers, Bitwarden allows you to add identities, credit cards, and notes to your vault. All of these items are pretty straightforward to set up and they support custom fields (text, hidden, or Boolean). Bitwarden can use identity and credit card items to fill web forms, a process we discuss later.

All of Bitwarden’s apps have an extensive set of features related to vault access. For example, you can configure how long it takes for access to time out and what happens at that point. The desktop apps and browser extensions even support biometric authentication unlocks.


Password Capture and Replay

On the desktop, we tested Bitwarden in Edge on a Windows 10 machine. To start, we simply logged in to 10 or so websites. In almost every case, Bitwarden slid in a banner at the top of the page offering to save the credentials. Bitwarden had trouble with a two-page login and a hybrid login page we tried, however. It didn’t offer to save our credentials for those sites.

We verified that Bitwarden captures credentials during account creation and that it handles some, but not all, password change events. Some password managers, among them Keeper, Password Boss, and Sticky Password, handle oddball pages by letting you fill in all fields and then capture everything on demand.

Myki, Norton, Enpass Password Manager, and many others let you give each entry a friendly, memorable name at the time of capture. With Bitwarden, capture is simpler because you just click a button, but adding a friendly name requires editing the entry after the fact. You might, for example, take two entries with the default name “login.yahoo.com” and rename them to Personal Email and Work Email.

Some password managers immediately fill in your credentials when you revisit a site. Others put an icon in the username field and fill in credentials only after you click, which avoids some possible security risks. Bitwarden can now automatically fill credentials, but you can disable this option if you prefer. In testing, this feature worked for standard sites we tried, but a few hybrid sign-on pages tripped it up.

If Bitwarden has credentials saved for the site you're on, it overlays the number of entries on its toolbar button. Click the button, click the desired entry, and it fills the data. Alternatively, you can right-click on a login field to fill in any saved credentials from a context menu.

You can also view your entire password collection by clicking the toolbar button and opening your vault. From here, you can easily search for items and launch the associated webpage by clicking on it.


After you add all your passwords to Bitwarden's vault, you should replace any weak or duplicate ones with strong and unique passwords. Free users have to scout out the bad ones themselves, as Bitwarden reserves most of its password security analysis tools for paying customers. These tools are available via Bitwarden’s web interface, but nowhere else.

Bitwarden can generate six reports: Exposed Passwords, Reused Passwords, Weak Passwords, Unsecured Websites, Inactive 2FA, and Data Breach. Exposed passwords are those that have been uncovered in known data breaches, while reused and weak passwords are self-explanatory. Bitwarden treats any linked URLs in your vault that don’t use TLS/SSL encryption as unsecured. The Inactive 2FA report identifies which sites in your vault support two-factor authentication, but for which you haven’t linked a TOTP code in Bitwarden. That last report could throw up some false positives, however, if you choose to use a different authenticator app.

Bitwarden Security Reports

The Data Breach report checks if any of your email addresses, passwords, and credit cards appear in any data breaches via the Have I Been Pwned site. Free users can check if any of their email addresses or usernames have been exposed in a breach.

Many other password managers, including LastPass, Keeper, 1Password, and NordPass include similar tools. Dashlane’s free version provides an actionable password strength report and active Dark Web monitoring for paid users.


Password Generator

When you do find a password that you've used multiple times or a weak one like “123456,” you don't have to think up the replacement yourself. Like almost every competing product, Bitwarden includes a random password generator.

By default, the password generator creates passwords containing upper- and lowercase letters and digits, but not special characters. We strongly advise checking the box to add special characters to the mix, since it's a requirement for many sites anyway.

Bitwarden Password Generator

The generator can crank out passwords from five to 128 characters long, but it defaults to 14 characters. We advise increasing the length to 20 characters or more. On Android, Bitwarden defaults to 15 characters and uses all character sets by default. Bitwarden should standardize these options and increase the default password length.

By contrast, Myki Password Manager & Authenticator defaults to passwords of more than 30 characters. Since you don't have to remember the saved passwords, you might as well make them long.

Bitwarden can also generate multi-word passphrases of the Correct-Horse-Battery-Staple type. There's no point in using this feature for a password managed by Bitwarden, but you might consider using it to create a memorable master password like “unstylish-slam-plywood-anvil.” Again, Bitwarden’s default word length is a bit low at three words. We recommend increasing that setting.


Filling Personal Data

It's just a short step from filling username and password fields to filling other personal data in web forms. Like LogMeOnce and many others, Bitwarden can store multiple sets of personal data and use them to help you when it's time to fill out a form.

Bitwarden stores two kinds of personal data items: Cards and Identities. For each credit card, you record details like the number, cardholder name, and CCV. It doesn't let you snap the card with a smartphone camera the way Dashlane and a few others do.

Each identity saves a simple collection of personal data, including name details, snail-mail address, email, and phone number. It's not nearly the huge cornucopia of data stored by RoboForm Everywhere, and you can't have multiple instances of a field the way you can with Dashlane and a few others. You don't even get separate lines for home, work, and mobile numbers. However, you can add custom fields to an identity entry: Text, Boolean (a checkbox), and Hidden (the entry is obscured by asterisks by default). Although other password managers are more comprehensive in this regard, every field that Bitwarden fills is one you don't have to type.

If you want Bitwarden to fill the form you're staring at, just click the extension button and then the desired identity or credit card. We tried a few sites as a simple sanity check and found that Bitwarden mostly did the job, despite missing a few fields.


Sharing and Emergency Access

We always advise against sharing your passwords with just anyone, but sometimes you really must. When you do have to share, you want the process to be both simple and secure. Bitwarden offers two methods for sharing logins: via a new feature called Send and, for families or teams, Organizations.

Bitwarden’s new Send feature simplifies sharing considerably. With this method, you can send an encrypted link to anyone (even people who don’t use Bitwarden) using whatever communication method you prefer. Sends can either include files (up to 500MB, or up to 100MB if uploading from mobile) or text notes. Free users can only share notes because those accounts do not include any encrypted file storage. During the setup for a Send, you can specify an expiration date, a deletion date, and a maximum access limit, plus set up a password.

For the second method, you don't share with other users directly. Instead, you create an organization, invite other users, and then share with the organization. Free and Premium personal users can't use this tool. It's only for subscribers of the Family Organization tier or any of the business plans. Subscribers to Bitwarden’s Free Organization and Family Organization tier can share items with a total of two and six people, respectively, while the Team and Enterprise plans don’t have any such limitations.

Bitwarden Send Feature

Within an organization, shared items fall into collections, and every item must be part of at least one collection. Collections are similar to shared folders in products such as LastPass and Keeper Password Manager & Digital Vault.

Free Organization users can create two collections. If you subscribe to the Family Organization plan or above, you can create an unlimited number of collections. The point with this system is to let you share different passwords with different members of a group. This sharing setup lends itself more to enterprise customers.

As the creator of the organization, you are the all-powerful Owner. There are three other levels of access, Admin, Manager, and User, but the distinctions really matter more to business installations. In addition, you can limit each user to specific collections, or make the share read-only. If you're sharing with a partner, it makes sense to give full Owner access. If the share is more one-sided, perhaps with a child, User access in read-only mode is probably best.

A few competing products, among them LastPass, LogMeOnce, and Dashlane, let you set up a different kind of sharing. With these products, you designate an heir to receive some or all of your passwords in the event of your untimely demise. Bitwarden offers this feature, too. In essence, the owner of a Bitwarden vault can invite an emergency contact to their vault who will only be able to access the contents of it after the original owner approves the request manually or a time limit set by the owner expires. Notably, only Premium users and higher can send out emergency access requests, but free users can be designated as those recipients. Emergency access contacts, upon gaining access to the vault, will either get read-only access or full control of the vault.


Bitwarden On Mobile

For mobile device testing, we used Bitwarden on an Android 11 device, although Bitwarden offers an iOS app too. Both apps look consistent and have the same features, among them biometric authentication and the ability to autofill credentials. Much like the desktop and web apps, the mobile versions support themes.

The Android app includes a bottom navigation bar with four items: My Vault, Send, Generator, and Settings. The My Vault section lists your item types, folders, and unorganized items; tap on any to view details or edit the entry. The Send tab lets you set up and manage shared items. The Generator section gives you access to Bitwarden’s password generator tool. In the Settings tab, you control autofill preferences, enable additional requirements to unlock the vault, and export your vault, as well as access other standard options.

In testing, Bitwarden successfully filled credentials within apps and in a browser. We didn’t experience any app crashes either.


Bitwarden for Business

Bitwarden's password manager for businesses and teams isn't as flashy as the competition, but it's an option for organizations looking for secure credential storage that won't break the bank.

Reporting features are a top attraction for many businesses seeking enterprise-level password protection. These features give administrators an idea of the overall password health of their teams. For example, if a team member isn't practicing diligent password hygiene, a manager could ask them about creating strong, unique credentials at work. Dashlane and Zoho Vault both offer extensive reporting graphs and charts for admin accounts. Bitwarden's Reports don't involve any graphical representations of poor password health. Instead, they are simple lists of Exposed Passwords, Reused Passwords, Weak Passwords, Unsecured Websites, and the Inactive 2FA list, which shows websites in the vault with inactive multi-factor authentication.

Bitwarden business reporting features

Single sign-on (SSO) is available for Bitwarden. SSO eliminates the need for multiple usernames and passwords, but it has its risks. If an attacker gets hold of SSO credentials, they have access to all the user's applications. Luckily, teams and business Bitwarden accounts include a multi-factor login for the organization's users. You can use Duo Security to verify user identification using the Duo Mobile app, SMS, a phone call, or a U2F security key. When an employee leaves the organization, Admin users can remove team members from the business vault.

Bitwarden makes it easy for users to access business passwords by importing their passwords into a business vault that's separate from their employee vault. In addition, users can create Collections of passwords to share with user groups or with the entire organization. Business accounts include unlimited sharing capabilities with the Collections feature.

In a move mirroring LastPass Business and Dashlane Business, Bitwarden's enterprise plans now include a free Families account for each employee. Encouraging employees to use password managers for their personal logins may help to establish vigilant password protection habits.


A Serious Contender

If you're searching for a free password manager, definitely look at the open-source Bitwarden. It does not limit the number of passwords you can store or prevent you from syncing your vault across devices, while many other free password managers do. The Premium tier is also inexpensive and includes excellent features such as an actionable password health report, emergency access options, the ability to generate TOTP codes, and support for enhanced two-factor authentication methods. Bitwarden had some trouble automatically capturing and filling credentials on some sites in our testing, but it is an Editors’ Choice winner for free users because of its notable lack of restrictions. If you want to pay for your password manager, other options are a bit slicker and offer more features.

Myki Password Manager & Authenticator keeps all your passwords in local storage and is another Editors’ Choice pick for free users. Our favorite paid password managers are Dashlane, LastPass, and Keeper, all of which offer an excellent, smooth password management experience with top security tools.
