, I wanted to move away from LastPass — who’ve lately have been dropping support for Firefox and other platforms — to an open-source password manager.
I chose to migrate to Bitwarden. I’ve been happy with the decision overall. Here are my thoughts and impressions after three months with Bitwarden.
Apps and platform experiences
LastPass only has an app for MacOS and a few failed attempts at different Windows apps over the years. The Bitwarden desktop apps — available for Linux, MacOS, and Windows — are pretty great by comparison.
I use the Bitwarden desktop client on MacOS and Windows, but I prefer to use the Bitwarden Web Vault installed as a GNOME Web app under Linux. Bitwarden’s Linux app works as great as its MacOS and Windows brethren but it’s harder to install than a web app and doesn’t auto-update.
I’m not as happy with the experience on Android, however. Bitwarden integrates with the platform provided auto-fill service; a system that’s unreliable at the best of times. I can have Bitwarden auto-fill in my login details into an app or webpage one day and then have it not work on the same app or webpage the next day.
My login flow thus involves first attempting to use auto-fill, sighing, switching to the Bitwarden app and copy my login details, switch back to the app I want to login to, and pray that the app hasn’t dismissed the login prompt while I was away. It’s less than ideal but from my experience, the same thing also happens with LastPass and other password managers on Android.
On a more positive note, Bitwarden’s extension for Firefox for Android works great and I don’t have to skip back and forth between apps to login to websites.
Unfortunately, Firefox for Android doesn’t support physical security keys so I can’t properly secure my Bitwarden account and get a decent user experience on Android at the same time.
I’ve also not yet had the time to look into self-hosting Bitwarden services myself. However, this is on my to-do list for the coming months so expect another update on that at a later time.
Third-party scripts are mostly gone from the web vault
In my last article on Bitwarden, I raised some concerns over the inclusion of untrusted third-party JavaScript inside the password manager vault. These scripts could theoretically make a copy of your login credentials and run off with your entire unencrypted password vault.
The updated Bitwarden 2.0 web vault has reduced the risk by significantly reducing its reliance on third-party scripts. The only third-party scripts that run inside the web vault now is Stripe, Bitwarden’s payment processor. You now also have to open the payments page before you’re exposed to any risk.
If a malicious third-party were to somehow get control over Stripe’s domains or scripts, they’d be more likely to focus on stealing credit card information that passes through the payment service than in hijacking passwords
However, a password manager should be as securely engineered as its possible to make it. Risks that may be acceptable on less critical websites are unacceptable in the context of a password manager.
Bitwarden could eliminate the risk entirely by moving the payment processing to a separate page outside of the vault to isolate the payment service provider from the sensitive data in the password vault. I’ve discussed this issue briefly with Kyle Spearrin, founder and lead developer at Bitwarden, who says he is hopeful that this will be improved one day.
Two features that I miss from LastPass
For most users, Bitwarden and LastPass have a mostly identical feature set. There are, however, two features in LastPass that I’ve missed since I switched to Bitwarden.
LastPass keeps track of your old passwords and not only your current password. This is quite handy in cause you accidentally override your password, or for websites where you change your password on the main website.
In some situations, the support page hasn’t updated and require you to still use your old password so you can login. It will complain about the support section having a separate password system that isn’t in sync with the main website. (Real story.) Bitwarden only stores the current password.
Update (): Bitwarden has now added a password history list of old passwords associated with each password vault entry. You can only access the password history from their web vault, but history is preserved even when updating a saved password from one of their browser extensions or apps.
LastPass can automatically open a webpage in your browser and simulate user-actions to automatically log in to a supported website and change the user’s password. The auto-password changer feature limited to only 80 supported websites and it has failed on at least some of the supported websites every time I’ve tried to use it.
Bitwarden has nothing similar and I’ve to login and change my passwords manually every time I like to update them. This experience is in practice no different from LastPass as I in practice still had to login and change a ton of passwords manually as most of my passwords were with unsupported websites.
Since LastPass keeps track of past passwords, it also easy to recover the previous password if something went wrong. However, I want to believe that it’s a feature that will eventually work with every website out there and I feel like I’m missing out even though this feature isn’t super useful.