Start here: https://bitwarden.com/blog/beyond-your-browser/

> is it safe

There is no certainty in life, but Bitwarden is about as good as you will get. If you are thoughtful about how you use it (good master password, strong 2FA, good opsec, and only operate on trusted devices), you will be in good shape.

> Can my passwords be compromised

Yes and no. The LP gaffe was the exposure of their backups to attackers. That can happen with Bitwarden. What is different is that LP has bad encryption. Couple that with choosing a bad master password and you could have a problem.

Answer from djasonpenney on reddit.com
r/Bitwarden on Reddit: Is Bitwarden safe?
October 15, 2023

I am a new user and want to switch from the default Google password manager to Bitwarden so that I can use my passwords seamlessly. But I am concerned about whether it is safe to use, and can my passwords be compromised like when LastPass was hacked?

Top answer
1 of 16
16
Start here: https://bitwarden.com/blog/beyond-your-browser/

> is it safe

There is no certainty in life, but Bitwarden is about as good as you will get. If you are thoughtful about how you use it (good master password, strong 2FA, good opsec, and only operate on trusted devices), you will be in good shape.

> Can my passwords be compromised

Yes and no. The LP gaffe was the exposure of their backups to attackers. That can happen with Bitwarden. What is different is that LP has bad encryption. Couple that with choosing a bad master password and you could have a problem.
2 of 16
14
In my opinion, it's safer than Google in the following ways.

  • The Bitwarden account is separate from your Google account, so if someone compromises your Google account it won't expose your password.
  • The vault is safer on Windows. Any process that runs as the user can read the password.
  • Bitwarden is a security company and is probably more security conscious than Google, who wants to serve you ads.
  • Your vault is probably readable by Google. Bitwarden vaults are not readable by Bitwarden.

Ways that Bitwarden is better than LastPass.

  • They seemed to be more security conscious than LastPass.
  • Bitwarden encrypts more of their fields.
  • Bitwarden source code is open so that security firms can audit the code for security. The code cannot be stolen like they did with LastPass.
  • Bitwarden uses existing open source encryption algorithms instead of coming up with their own. The reason coming up with your own is bad is because the algorithm is quite complicated and you should stick with one that's being used and audited by everyone else.
  • You can use U2F as a 2FA. LastPass seems to be using OTP, which is not phishing-resistant.
r/PrivacyGuides on Reddit: Bitwarden... Is it really %100 safe?
December 8, 2022

Compared to like Keepass, which is offline.

Idk but I feel like the risks are higher with Bitwarden since it's online and there is a risk of my data being compromised by whoever has access to where it's stored. Whereas KeePass is essentially a cold storage and the only way to get access to my data starts at getting the .kdbx file from where I store it, locally.

What am I missing?

EDIT: Asking for when on an Android OS.

Top answer
1 of 14
61
No such thing as "%100 safe". But Bitwarden is among the safest options (in my opinion at least).

> Whereas KeePass is essentially a cold storage and the only way to get access to my data starts at getting the .kdbx file from where I store it, locally.

Yes, you can also keep your passwords in encrypted text on a laminated page stored in a bank deposit. That will be a lot safer than storing a KeePass DB file in your computer, as it can be compromised in case a virus is installed on your computer (it can send the database file, and keylog the password to decrypt it).

My point is - convenience also matters. There's a point of security where you're already pretty secure, and adding more layers of security gives you very little benefit security-wise, but makes it a pain in the ass to use. In 2022, where most people usually have more than a single smart device, and a lot of accounts for different services, I feel like KeePass is a lot of a hassle as you have to sync the db file across your devices, and back up the local database file yourself.

Bitwarden is open-source and audited, has good customer service, a transparent business model, and handles backups, syncing, and security for you.
2 of 14
55
No, it isn't, because as others have pointed out - "100% safe" doesn't exist. Deciding whether or not using something like Bitwarden is appropriate for you is a personal decision that should be informed by your individual threat model and specific use case.

> compromised by whoever has access to where it's stored

> What am I missing?

You may be missing that it's an open source project that encrypts everything client-side, which you can additionally protect further using a hardware security key so that your vault cannot be unlocked without it - even with your master password. And you can optionally self-host if you decide that you trust your capability to do so securely more than theirs. You can also do this without directly exposing your Bitwarden instance to the internet (access from outside only via a VPN). There are lots of options.

In the event that there is some sort of data breach on Bitwarden's server, they still can't get your passwords. Bitwarden server administrators can't get your passwords.

It might help to elucidate in more depth what specific attack vectors you have in mind that need to be better mitigated.
r/Bitwarden on Reddit: How safe is Bitwarden?
January 14, 2024

In a future unfortunate event when (or if) the Bitwarden servers suffer a malicious attack at the hands of expert hackers, with resulting breach of user data, what would be the options for the regular users?

I mean this could be serious and so I want to understand the security architecture of BW. How do they plan to avoid such mishaps and what would be their mitigation strategy (in case such event does happen), and how us, the users, would cope with it?

I know it’s not just about BW but for all other web-based services. However BW is the place where the most sensitive data are stored. So the concern.

I may be paranoid but I guess there has to be a back door to escape. What am I missing?

Thanks in advance.

EDIT: Thank you everyone for addressing my concerns. Have a great day.

r/Bitwarden on Reddit: Would you bet your life on Bitwarden's security?
March 30, 2022

I am a long time user of both Bitwarden and KeePassXC (I love both). Bitwarden is convenient for auto-fills, but somehow I feel more secure with an offline database which KeePass offers (old school). I have ended up saving my high-stakes passwords with KeePass.

Is my apprehension unfounded?

Top answer
1 of 8
20
If you're not paranoid, you're not paying attention. :-) But that having been said, what exactly are you worried about? Nothing is perfect. I gather you're worried about what happens if a malefactor gets his hands on a hard disk that has your passwords on it, but why are you worried about that? Of course you should have a long, strong, unique password — the longer the better — but if you do, then it won't matter much whether they get access to Bitwarden's cloud servers or whether a thief or burglar carries off your laptop. Encrypted is encrypted is encrypted.

The Bitwarden servers are a more attractive target I suppose. But they're also surely much better protected than your personal computers, even if you take them to bed with you at night.

Everything is a compromise, and in the world of digital security you're always compromising between security and convenience. The more secure we make things, the less convenient they become, and at some point that inconvenience itself becomes a sort of security risk, because it causes us to start taking shortcuts.

Bitwarden's solid. So's 1Password, NordPass and many others. I don't know KeePass but it's probably solid, too. Pick the one you like and then use it with appropriate carefulness.
2 of 8
12
If you are happy with what you are doing, you should keep doing it. Everyone has a different threat profile and everyone has different risk tolerances. So where you should be on the security-convenience spectrum is a personal decision that only you can make. Usually it’s less about trust and more about compartmentalization, just in case.
r/Bitwarden on Reddit: Bitwarden vs. the good old paper & pen
May 23, 2024

Back in the early 90s, when I started with my computer journey, it was always a mantra to never ever write down passwords and credentials, since they will be found by burglars or will be lost in case of fire etc. ... in short: you are dumb if you write down credentials

Honestly, I never was convinced by this theory, at least for some points: Which burglar, intruding in my house, is primarily interested in a sheet of paper? Also, back in these days, alternatives were very limited. Usually the alternative was to just memorize them, which might be manageable if there were just a few passwords, but it's impossible today.

So someday I started to write down any of my important(!) passwords/credentials in a book and stored it somewhere where it's not very obvious (but not in a safe or so, since it always attracts thieves first).

Since the internet grew, the amount of credentials exploded and I decided to separate credentials into "important" and "not important"

In the "important" group:

  • email access

  • everything related to public authority/official stuff (for example access to ID/ passport, taxes etc.)

  • anything that involves money (bank account, paypal etc.)

The "not important" group:

  • anything else like access to communities, boards, social media etc.

Any of the first group is written down in my book.
Whenever I use some of the second group, I log in once and when I was logged out, I just reset the password, so it has a new one every time.

That's why it is important to be very very secure on the email access.

That's also why I think the email access is the most valuable credential that one might have, since any reset will be done using the configured email.

These days, I wanna clean up my messed up written down credentials and would like to switch to a modern solution like Bitwarden.

At the moment I am at the setup, but now I am at a point where I feel very very uncomfortable entrusting my accesses to a password manager (that has its data stored in the generally exposed internet). It feels like being very vulnerable and losing control over everything despite the fact that I know how everything works and where the flaws are.

There are two big feelings about it.

On the one hand, bits and bytes are not tangible like a piece of paper. If the vault is deleted somehow, they are lost forever.

On the other hand, how does one know if (however it was possible) the data is not already known to someone else? A piece of paper physically is there ... or somebody stole it and it's gone, but you see the result immediately and can take action ...

But also, if I am honest: in the meantime it's a pain in the ass to not have access to a bank account's online platform when you are on the move, so I really would like to profit from a modern solution ...

So my question to you:

Do you still work with paper & pen especially when it comes to critical accesses? Or how do you manage it? Do you actually throw in bank account access or even private notes like bank balances in your (online) vault? Do you stake everything on one card, or do you spread the risk over different solutions? What is your emergency strategy in case the vault was stolen?

Or do I worry too much about it?

Best regards

Top answer
1 of 5
13
So long story short, yeah paper would be the most secure because that’s the only way to access your passwords. Just have it somewhere that’s not accessible to everyone. Maybe keep a copy in a safe deposit box or something like that. Now if you want to modernize but don’t want your passwords on someone’s server (like Bitwarden, 1Password, etc) you can use a localized password manager like KeePass or KeePassXC and make copies of the database on external hard drives or thumb drives. This would keep it safe from internet breach attacks that you’re concerned with and is less cumbersome than pen and paper. Just my suggestion based on what you’ve said.
2 of 5
8
There are TWO risks to a password. The first is unauthorized access—that someone will discover your password and use it. Paper handles this pretty well.

The second risk is loss of access. You could lose the piece of paper. You could have a house fire. You could be stuck far from home and need the password. Paper is less convenient here. You have to worry about destroying and replacing the paper when the password changes. There are a number of sites that do require I update my password regularly.

Phishing is another risk. There are Trojan Horse URLs that are literally invisible to the human eye. Or more simply, you might accidentally misspell the site name or recall it incorrectly. Paper will not help you here.

Another distinction you made was important/unimportant passwords. I strongly dispute that. Even a stupid social media login can be leveraged by crooks. For instance, an IG account can and has been used to publish links to child porn hosted on the Dark Web.

What this all boils down to is, there’s gotta be a better way. If you followed me this far, you are already partway toward designing a password manager. Sure, a PM is not perfect, but neither is paper. At the end of the day your decision will come from your threat model and your risk tolerance.

For me, having a piece of paper is too much risk. I could lose it entirely. Or I could forget to update my offsite backup copy. Or a thief might break into my fireproof lockbox and exfiltrate my secrets. With good encryption (and a high entropy master password), I do not worry about someone reading my password. They will NOT guess my password. And with cloud storage, I do not have to worry about losing the password either. Even if an assailant were to acquire a copy of my vault, they will be stymied by the encryption. Sure, we take steps to prevent someone getting that encrypted vault, just like you keep your piece of paper safe. But encryption gives me an additional layer of protection.

I too started with a piece of paper. It was in my wallet. There was no username, and I had to be onsite at my place of employment to use it. If I lost the paper, I would just have the site admin reset my password. As the Internet has become more pervasive, this approach has become unwieldy. The list of passwords is longer. Just remembering the list of sites is impractical. And recovery/reset options are not always possible. Some sites will be lost forever if a password is lost.

No, I am not going to paper. I continually look for ways to manage my credential storage better, but paper is no longer adequate for my needs.
r/Bitwarden on Reddit: Is It Safe to Use Bitwarden on a Public Computer with Extra Caution?
March 11, 2025

Hello! I’m a new user of Bitwarden and have a couple of questions about security.

Is it safe to log into Bitwarden from a public computer's web browser (not as a plugin, but through the official website in incognito mode)? For extra caution, I plan to log in using my mobile device instead of typing my master password. I also have 2-factor authentication enabled.

r/Bitwarden on Reddit: Why do you trust Bitwarden?
November 4, 2022 - 23 votes, 49 comments.
Is a password manager like Bitwarden 100% secure? : r/InternetBrasil
April 19, 2025 - That said, I've used Bitwarden a lot and I really like it. Today I'm using Proton Pass and I like it too. ... Nothing is 100% safe.
r/Bitwarden on Reddit: Reasons for and against using Bitwarden as both a credentials manager and authenticator?
January 11, 2025

It's my understanding that using Bitwarden as an authenticator means if one or more of your clients are ever compromised, your strongest second layer of defense is also compromised. There seems to be much debate around this.

Bitwarden doesn't recommend against it in any way, and it's obviously designed to be used for both purposes at once. The reasons I can think of for doing so are ease of access, trust, and security. There have never been any concerns I've seen for using their service, largely due to no reported breaches of Bitwarden's servers. There's certainly the possibility of another Raivo-like situation with a third party authenticator, which I'm confident would never happen with Bitwarden.

I still pay for Bitwarden to support them, but when I did try using their 2FA, I could never get Kraken to accept Bitwarden's 2FA code for it, and I can't recall if I had this problem with other services, which is another reason I've stuck to 2FAS.

Top answer
1 of 17
21
It boils down to two stances:

  • Do you want to trade some extra security for convenience?
  • Do you want to have extra security along with some inconvenience?

I personally consider my security strong enough that if someone manages to break into my vault I would have to admire them for being able to. At the end of the day, all the other ways they could get their hands on my credentials would lead them to get my 2FA codes as well, like gaining physical unrestricted access to my devices, or gaining my backups and being able to crack their encryption. The other ways would be with spyware and other tactics that would put those things at risk even when used separately.

I don't use separate devices regardless, since I can't just carry around two phones with me for example, and the most important accounts have a physical hardware key associated to them along with a salt, which makes it pointless to get the password and gives me enough time to change them in the event something goes down. In 99% of the situations I would know I have been compromised, which would allow me to react to an incident happening before any sort of damage would be done.

I would advise you to devise a plan for yourself on how you would deal with those things as well. Don't expect to never be compromised, but rather think what you would do in case of it happening and how you can react. If you think you can't react in time if your 2FA are in the same vault, then consider splitting them up. Personally, I am comfortable keeping those things together.

The only two reasons why I would think your 2FA code didn't work with Kraken: the first is your system's time not being synced. From time to time you have to do it manually on some systems as it can get out of sync with the global time server. The other reason is that Kraken may be using a different 2FA algorithm, but I don't have the details on that.
2 of 17
20
Reason for: It's all in one place
Reason against: It's all in one place
r/Bitwarden on Reddit: Is it safer to use Bitwarden on my web browser or the application? (On Linux PC)
October 26, 2022

I have a couple concerns with both approaches.

First with the browser: I have a very long randomly generated password for my master password, therefore it’s impossible to remember and a HUGE pain in the ass to type out manually, so on my PC I just end up leaving the password on my clipboard. I of course wanna change this habit as anyone who catches my PC (or laptops) on and unlocked can steal my master password.

So I was thinking of using the desktop application since I know it lets set a PIN rather than having to type out the entire master password every time.

My concern with this though is whether or not the locally saved vault is encrypted or not? Secondly, if it IS encrypted, would the PIN also decrypt my vault as my master password would? I’ve also heard some very bad things about Electron, how the app is built, does it have any inherent vulnerabilities I should be aware of?

If anyone has any recommendations on a potentially alternative approach I could take that is safer and also convenient I’m open to suggestions!

Top answer
1 of 5
25
> I have a very long randomly generated password for my master password

Let's start there. Switch to using a passphrase. It might end up being longer, but it will be easier to remember and easier to correctly type. Something like Weekday35-RejudgeLoopySaucepan is going to serve you much better than what you have now.

> leaving the password on my clipboard.

It also means you can't use your clipboard? 🙂

> set a PIN

That can work. I regard a PIN like the privacy lock on a guest bathroom. It is to keep people honest, not to repel intruders. It can be a part of a reasonable security stack, but it shouldn't replace -- for instance -- locking your desktop.

> Is it safer to use Bitwarden on my web browser or the application? (On Linux PC)

Not sure why you make this an either-or. The browser is going to offer superior security recognizing phishing attempts that are invisible to the human eye. The desktop app is still superior for certain things, but you need to find a way to keep using the browser extension.

> using the desktop application since I know it lets set a PIN

This is where I really got lost. The browser extension for Firefox allows you to set a PIN as well. No need to use the desktop app.

> whether or not the locally saved vault is encrypted or not?

Your decrypted vault is never written to persistent storage. AFAIK the entire vault except for attachments is held in volatile memory while the app is running and the vault is either unlocked or locked. Everything, including the copy of the encrypted vault on your disk, is discarded when you log out.

> would the PIN also decrypt my vault as my master password would?

The PIN is used by the running app to let you use that decrypted copy in memory.

> does it have any inherent vulnerabilities I should be aware of?

Well, there may be a few minor nits, but there is not much that I know of for you to be concerned about at this level.

> potentially alternative approach

  • Change your master password to a passphrase.
  • Enable a PIN for both the desktop and the browser extension, if you wish.
  • Use the browser extension when possible.
  • Practice good opsec on your device, including desktop automatically locking, device physically secure, no other user accounts on the box, malware detection, etc.
2 of 5
3
I want to give a big thumbs up to everything said in this thread by u/djasonpenney. Me, I use both extension and desktop, for the same reasons as Jason Penney but also because I use biometric authentication on all the various computers I work on during the day and in order to log into the browser extension this way, I have to have the desktop app open. And don't forget there is a third form of the app: the website. And that's required for certain things like managing your account.
r/Bitwarden on Reddit: Key guard for bitwarden, how safe it is?
August 9, 2024

I stumbled upon what seems to be a more refined Bitwarden app with watch tower and more notifications?

Security-wise, I personally don't think it should be good.

Feature wise well it's pretty neat.

https://play.google.com/store/apps/details?id=com.artemchep.keyguard

Anyone using it?

r/Bitwarden on Reddit: How safe is the extension?
December 24, 2023

I have been using the Bitwarden app on Windows, and I mostly store (write) passwords in Notes. I was thinking about adding the extension to my browser but I have doubts.

So generally speaking, how safe can an extension be? What if the browser gets infected and data breached by extension? In an infected browser, can someone read data from the extension? Also how safe are the cookies?

r/Bitwarden on Reddit: How do i properly start securing my accounts using Bitwarden
October 29, 2023

Hey guys! So, I’ve actually lost my account yesterday. The one that I use for my games, social media and other stuff that I use it on. All the grind I did on my games, all the friends that I had on my social media are gone. This actually happened twice to me, although the first one was an account I just use for whatever I want. Still, it was useful and convenient, and had some important stuff on it just before I lost it too. So now I want to keep things serious and secure my remaining accounts properly.

But as you know, Bitwarden isn’t a 100% safe app. None of the password managers are, but I guess it’s less risky compared to memorizing your passwords, so I want to know how to be more secure while using Bitwarden, keeping my accounts and password inside the app SAFE. Any kind of tips or things I should do that you highly suggest for me to do? Do you guys also use a notebook at home just in case something happens? I really want to know more about this stuff. I’d really appreciate any help/tips. Thank you 😊

Top answer
1 of 13
45
It is your responsibility to safeguard your vault in the following ways:

  • Set up a unique, confidential, randomly regenerated master password that provides for at least 50 bits of entropy (e.g., a randomly generated passphrase, which should contain four or more words drawn at random from a list of at least 6000 words), and do not allow others to observe you typing your master password.
  • Enable the strongest form of 2FA that you are able to use (FIDO2/Webauthn if possible).
  • Make sure that your devices are secure (e.g., do not allow others to access your devices, practice good internet hygiene, and ensure that you are using up-to-date malware defenses), and do not use Bitwarden on other people's devices.
  • Always lock your Bitwarden vault when not in use (e.g., using the vault time-out function).

If you're still nervous about committing your most valuable secrets to your Bitwarden vault, you can use one or both of the following methods to reduce the likelihood that an attacker who has gained access to your vault data will be able to take over your online accounts:

  • Add a password pepper to your most valuable accounts.
  • Set up 2FA for all stored accounts that support it, using a hardware key (if possible) or a TOTP authenticator app installed on a device that is different from the device on which you use Bitwarden.

Here is my Guide for Getting Started on the Right Foot in Bitwarden™:

  1. Get a piece of paper and write "Emergency Sheet" at the top. Then write down the Bitwarden cloud server that you plan to use (bitwarden.com or bitwarden.eu), as well as the email address that you will use for your Bitwarden login. If you're paranoid or like to play secret agent, make sure that you write with the paper placed on a hard surface (not a notepad or magazine), and that you are alone in a closed room with all curtains drawn.
  2. Click this link once, and copy down the displayed phrase on your piece of paper. This will be your master password. Unless you have a medical condition, you will be able to memorize it with some practice (you were able to memorize your mailing address, telephone number, names of friends and relatives, and similar information, and memorizing your master password is not much harder — but accept that it will take a bit of practice).
  3. Create your Bitwarden account either on the .com server or on the .eu server. Use a fake name if you wish, and leave the Password Hint blank for now.
  4. When you first log in upon account registration, there is an option to Verify Email, which you should use.
  5. Optionally, upgrade your subscription to Premium if you wish to use Premium features.
  6. Go to the "Two-Step Login" section of your Account Settings, and get your 2FA Recovery Code. Accurately transcribe this code onto your "Emergency Sheet" paper.
  7. In the "Two-Step Login" section, enable a 2FA method for your Bitwarden account. I recommend purchasing one or more Yubikey Security Keys for the purpose of securing your Bitwarden account. To set this up in Bitwarden, click "Manage" for the WebAuthn provider, and register your Yubikeys there. Personally, I have 3 security keys; I keep one on my person, one at home, and one at work.
  8. In the Account Settings, change your KDF algorithm to Argon2id. Keep the default settings unless you use iOS devices, in which case you should decrease the "memory" setting to 48 MB and increase "iterations" to 4.
  9. Populate your vault by importing passwords that had been stored elsewhere, or by creating new vault items from scratch.
  10. Download and install the Bitwarden client apps that you wish to use, and configure the settings in each. It is recommended to set the vault Timeout Action to "Lock" instead of "Log out", and to use a relatively short Timeout Period. Also enable the option that clears the system clipboard after a short delay.
  11. Create your first backup, by logging in to the Web Vault and creating a vault export, being sure to select the encrypted .json format with the "Password Protected" option. Use the same method as before to create a strong password for your backup file, and write down the backup file password on your "Emergency Sheet" paper. In addition, create an entry in your Bitwarden vault to save the backup file password (which will make it easier to use the password when you create future backups).
  12. Use your Emergency Sheet as a "cheat sheet" for typing in your master password when logging in or unlocking your vault, until you have acquired the muscle memory to type it by heart (approximately one week, give or take).
  13. Seal your Emergency Sheet in a security envelope (which you can purchase or make yourself), and store it in a secure location. Optionally, make one or more redundant copies of the Emergency Sheet, to store in different locations.
  14. Optionally, update your Password Hint to contain a clue about where your Emergency Sheet is hidden. To change your Password Hint, log in to the Web Vault and use the password change form, but type in your existing master password into the new password field (so that the master password is not changed), and do not check the option for rotating your account encryption key.

That's it! Update your backup export on a regular basis using the method from Step 11. Don't use your master password or backup password anywhere else, and do not let anyone know what these passwords are. Keep your devices secure, and malware free, and you should be good to go.
2 of 13
30
  • Use a unique email that you will check for Bitwarden login.
  • Make your main password a 4+ word passphrase using Bitwarden generator: https://bitwarden.com/password-generator/
  • Change your KDF to Argon2 with default settings: https://bitwarden.com/help/kdf-algorithms/#changing-kdf-algorithm
  • Enable 2fa on your Bitwarden account. Use totp or security key, no email: https://bitwarden.com/help/setup-two-step-login/
  • Create an emergency kit with your main password and 2fa recovery phrase at minimum: https://bitwarden.com/help/two-step-recovery-code/ // https://passwordbits.com/password-manager-emergency-sheet/
  • When creating passwords for websites, use Bitwarden generator for each website with 16+ character password. Include all options (upper/lower, special, number).
  • Consider using aliases or plussed addresses for your logins.
  • Use 2fa on all accounts where applicable. No sms or email, totp or security key only unless it's a bank that only supports sms. Store the backup codes in your vault or on your emergency sheet.
  • Once this is all done, back up your vault using password protected export: https://bitwarden.com/help/export-your-data/#export-an-individual-vault Don't use unencrypted unless you know how to manage it.
  • Add the password for your export to your emergency sheet.
  • Use Bitwarden to autofill your credentials through the browser extension.
  • Keep the default timeout timer and action unless you want it more strict.
r/Bitwarden on Reddit: Do you actually put in ALL your passwords ?
June 8, 2023

Newbie here, have been in the background just seeing posts here and there. Not really replying but I think I am ready to start using Bitwarden BUT I’m not sure if I trust it enough to input my information for financial stuff, 401k login, bank etc.

Is anyone using this for that? I get it if you don’t want to answer (I get it, OPSEC)... but also when do you know if and when to trust it?

Other programs which have had breaches just make me so hesitant