I make it a goal of mine to research different software solutions every so often for applications and services I use on a daily basis. My wife and I were just discussing password managers as we currently use Bitwarden. We’ve been using it together for at least two years, and I’ve been using it for around four (maybe 5) myself. However, 1Password is what we use at work, and I’m interested in switching over to it. (I know there’s a free trial, but I trust the community to share their good and bad experiences)
What originally won me over to Bitwarden was their encouragement of open source (which I know is a double-edged sword) and that you could locally host it or have it on their servers. I also loved their free account tier, but would like to start putting some money into it because I have gotten a TON of use out of it.
I have a few questions for the community to see what everyone’s thoughts are, and to gauge what you use and why. I do want to note that I am NOT looking at being super secured and locked down with a KeePass file on Google Drive or the like. I used to do that prior to being married with both Enpass and KeePass, but I want to make sure my vault is accessible to my wife if need be. (She’s technical but I don’t want to make things even more difficult)
So… my questions…
What password manager do you use?
How much do you pay for said password manager?
Have you used either Bitwarden or 1Password?
Do you trust a company such as Bitwarden?
Is there another paid manager that’s better?
I really like the idea of TOTP being built into the manager, although I understand the caution to have with combining such services.
Thank you all in advance for your responses and I hope to spark some interesting conversations!
Both my wife and I use Bitwarden on all of our devices.
The yearly price is $10 per premium account, with a family plan available.
Though we’ll switch to self-hosting soon.
I have never used 1Password; I don’t trust them. I use Bitwarden daily.
Never would I trust a company. In the end, behind the company there are only individual humans, who are prone to making errors, biased and easily manipulated.
But I do trust Bitwarden’s product due to their open source code and security audits, which indicate they keep their promise of end-to-end encryption.
Not to my knowledge.
Just a quick note:
Bitwarden in itself might be considered secure, but in the end it all depends on how you use it. Get yourself a method of 2FA that’s not on the same device as Bitwarden and make sure the devices are secure. Don’t set your vault to stay unlocked indefinitely.
If an attacker wants to steal your password, they won’t do it through Bitwarden’s service, but through your devices.
I use Bitwarden and am working on YubiKey implementation for my TFA. From what I have seen here and elsewhere, Bitwarden seems like the best password manager on the market. Using a YubiKey or some other form of TFA is highly recommended regardless of the password manager service you use. The self-hosting and open source of Bitwarden are major advantages. Even if you don’t self-host it right now, you might want to in the future.
If you follow this a bit @The_DM_Barlow makes some good arguments about password managers and talks about Bitwarden specifically.
That’s about the price I thought, which isn’t bad for all that’s included.
That seems pretty broad, can you tell me why you don’t trust them?
I saw that 1Password also has security audits that they’ve had run. Is there any reason why you wouldn’t put theirs on the same level as the one from Bitwarden?
Completely agree, and we certainly do take all the regular precautions with that.
I do also want to state again, that I am not concerned about a company having my vault on their servers. I understand the risk, but the likelihood of my own hardware or setup running into issues is too great for that type of data to disappear and be non-recoverable. I’m fine with paying for a setup from Bitwarden or 1Password. I just wanted to gauge the community to see what is preferred and if there were any huge red flags for either company at this time. Thanks for all the input thus far and I have appreciated the interaction!
Nothing, although I’ve been thinking about paying for the paid Bitwarden subscription just to help make sure they keep developing the clients.
To some extent, but I only need to trust them to the extent that they don’t put anything bad in the source code of the clients, and that the compiled client apps/extensions are not different from the public source code.
Given that I want something self hostable and open source, then no.
I have a couple of nitpicks with Bitwarden, no dealbreakers though:
Their self-hosted server is just an awful experience to deal with. Hard dependency on closed source MS SQL that needs 2 GB of RAM to start, requires a (free) license key from them (even though the server is open source), and the default install script uses docker compose under the hood, but is not nice enough to let you use docker-compose directly. Though I run the third-party Vaultwarden server that does everything I need it to.
Their browser extension does not work in Firefox private windows and if I understand correctly will soon stop working in Chromium incognito windows as well. They may or may not fix it, no comment from the developers on a timeline.
No switch in the options to disable auto updates on their desktop app.
Their desktop app installer is just a shim installer, and so cannot be run offline without extra files. (And I don’t think that is documented anywhere)
They showed themselves as a young but reputable company by not keeping their software ultra-secret and choosing fair prices for premium plans. This, for now, is a good sign for me. If they ever switched it up I’ll be the first to hop out of it.
What makes a password manager better than the others? Is it something objective like cryptographic algorithms or subjective like ease of use and integration with other software?
Bitwarden has that integrated in the manager. If you were talking about Bitwarden, I know you knew.
Nothing that useful to add here other than I also use Bitwarden and am pretty happy with it.
I use the extension in Brave browser, and have the app on my phone (Android). Same for both my kids.
I have it autofill passwords for sites in the browser, which is nice. I haven’t looked to see if there’s a mobile browser extension, but I just have the app on there and it works well enough - a little more cumbersome since I have to go open the app and copy the password, but not that bad. Way more convenient than trying to manually type it in given that most of my passwords are a lengthy garbled mess of characters.
I had planned to run a local server, but never got around to it. Currently happy with the premium hosted plan.
I’ve used KeePassX as well for several years, but I was too lazy to keep the DB updated between all the machines. Otherwise no complaints with it either.
I’ve used Bitwarden, Dashlane, and LastPass, but not 1Password.
As far as I know all of the big-name password managers have good security and they can tick all the boxes for the audits, so you’re safe as far as you can tell.
As far as trust goes, Bitwarden gets bonus points for being open source.
There are certain features that other managers may have that Bitwarden doesn’t. For example, Dashlane can automatically change passwords for you (for some sites) which is actually really useful because when there are data breaches you can just change all your passwords with the press of a button. But they also have an annoying tiered pricing model where you can get it as low as $36 a year for “Essentials” but then you can only use it on two devices. The actual useful tier (Premium) is $60 a year. Also Dashlane feels pretty slow compared to Bitwarden.
Is it worth 6X the price though? I don’t think so. If it were double I’d say it might be but their prices are really steep IMO. Personally, I just want something to store passwords and auto-fill that works on all platforms. And most of the big-names do AFAIK. So I don’t want to pay the extra for Dashlane. Bitwarden is affordable and open source so that’s what I go with.
I use the KeePassXC desktop client on Windows 10 and Arch Linux.
Both have the Firefox plugin installed, and synchronization of the password database is done via Syncthing to all my machines (Android, Windows, *nix) except iOS 12 (which will probably never run anything that syncs with Syncthing or OneDrive).
Syncthing is not the safest option, though every now and then I make a separate copy of my passwords.
Even to a corporate managed laptop, where I use the company OneDrive to back it up, just in case.
It’s just smarter password keeping; why should one pay for this?
I initially thought this was very cool, then I realized in horror what it meant. To my limited understanding, Dashlane has access and visibility to your plaintext password, which enables them to change it for you.
I’ve switched to KeePassXC for my Linux machine and KeePassDX for my Android. Since I switched to the iOS ecosystem, I was forced to use Bitwarden because it’s a true cross-platform solution. Previously I used to sync the password database with Syncthing on my old Android - I can’t do the exact same thing on iOS. Now it’s just more sane to use Bitwarden for all devices.
A lot of replies since I last checked, and first of all thank you very much for your input!
I think we’ll stick with Bitwarden for the time being, with upgraded plans, and then maybe check out 1Password if we feel there’s a need for a change. I really do appreciate everyone’s responses and it has made our choices way easier.
Please feel free to continue the conversation and discussion!