Original author(s) | Kyle Spearrin
---|---
Developer(s) | Bitwarden Inc.
Initial release | August 10, 2016
Repository | github
Written in | TypeScript, C#, and Rust
Operating system | Linux, macOS, Windows, Android, iOS, iPadOS, watchOS
Available in | Multilingual
Type | Password manager
License | Server: AGPL-3.0-only [7] Clients: GPL-3.0-only [7] Some modules: Proprietary [7] [8]
Website | bitwarden

Bitwarden is a freemium open-source password management service that stores sensitive information, such as website credentials, in an encrypted vault. The platform offers a variety of client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. [9] Bitwarden offers a free US or European cloud-hosted service as well as the ability to self-host. [10] [11] [12]
Desktop applications are available for Windows, macOS, and Linux. [13] Browser extensions include Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Arc, Brave and Tor. [13] Mobile apps for Android, iPhone, and iPad are available. [13]
Client functionality includes 2FA login, passwordless login, biometric unlock, passkey management, a random password generator, a password strength testing tool, login/form/app autofill, syncing across unlimited platforms and devices, storage of an unlimited number of items, credential sharing, and storage of a variety of information, including credit cards.
In January 2021, in its first password-protection program comparison, U.S. News & World Report selected Bitwarden as "Best Password Manager". [58] In February, with competitor LastPass about to remove a feature from its free version, CNET recommended Bitwarden as the best free app for password synchronization across multiple devices, [59] while Lifehacker recommended it as "the best password manager for most people." [60]
Critics have praised the features offered in the software's free version, and the low price of the premium tier compared to other managers. [59] [61] [62] [63] The product was named the best "budget pick" in a Wirecutter password manager comparison. [45] Bitwarden's secure open-source implementation was also praised by reviewers. [61] [64]
Tom's Guide found some features to be less intuitive than they could be, [61] while PC Magazine criticized the high price of the business tier. [65] MobileSyrup was disappointed by the simplistic graphics of the user interface, and felt that it was missing a few features found in competitors' offerings. [62]
Bitwarden debuted in August 2016 with an initial release of mobile applications for iOS and Android, browser extensions for Chrome and Opera, and a web vault. The browser extension for Firefox was later launched in February 2017. [66] In February 2017, the Brave web browser began including the Bitwarden extension as an optional replacement password manager. [67]
In September 2017, Bitwarden launched a bug bounty program at HackerOne. [19] [15]
In January 2018, the Bitwarden browser extension was adapted to and released for Apple's Safari browser through the Safari Extensions Gallery. [68]
In February 2018, Bitwarden debuted as a stand-alone desktop application for macOS, Linux, and Windows. It was built as a web app variant of the browser extension and delivered on top of Electron. [69] The Windows app was released alongside the Bitwarden extension for Microsoft Edge in the Microsoft Store a month later. [70] [71]
In March 2018, Bitwarden's web vault was criticized for embedding unconstrained third-party JavaScript from BootstrapCDN, Braintree, Google, and Stripe. Because such scripts run with the same privileges as the vault page itself, they could serve as an attack vector for gaining unauthorized access to Bitwarden users' passwords. [72] The third-party scripts were removed as part of the Bitwarden 2.0 Web Vault update, released in July 2018. [73]
In May 2018, Bitwarden released a command-line application enabling users to write scripted applications using data from their Bitwarden vaults. [9] [74] [75]
In June 2018, Cliqz performed a privacy and security review of the Bitwarden for Firefox browser extension and concluded that it would not negatively impact their users. Following the review, Bitwarden was made available as an optional password manager in the Cliqz web browser. [76]
In October 2018, Bitwarden completed a security assessment, code audit, and cryptographic analysis from third-party security auditing firm Cure53. [77] [78] [79] [80]
In July 2020, Bitwarden completed another security audit from security firm Insight Risk Consulting to evaluate the security of the Bitwarden network perimeter as well as penetration testing and vulnerability assessments against Bitwarden web services and applications.
In August 2020, Bitwarden achieved SOC 2 Type 2 and SOC 3 certification. [81] [82]
In December 2020, Bitwarden announced that it was HIPAA compliant [83] in addition to already being GDPR, CCPA, and Privacy Shield [84] compliant. [85]
In August 2021, Bitwarden announced that network assessment (security assessment and penetration testing) for 2021 had been completed by the firm Insight Risk Consulting. [18] [86]
In September 2022, the company announced $100M series B financing; the lead investor was PSG, with the existing investor, Battery Ventures, participating. [87] [88] The investment would be used to accelerate product development and company growth to support its users and customers worldwide. [87] [88]
In January, Bitwarden announced the acquisition of Swedish startup Passwordless.dev for an undisclosed amount. [89] Passwordless.dev provided an open source solution allowing developers to easily implement passwordless authentication based on the standards WebAuthn and FIDO2. [89] [90] Bitwarden also launched a beta software service allowing third-party developers the use of biometric sign-in technologies including Touch ID, Face ID and Windows Hello in their apps. [89]
In February, Bitwarden published network security assessment and security assessment reports that were conducted by Cure53 in May and October 2022 respectively. [91] The first related to penetration testing and security assessment across Bitwarden IPs, servers, and web applications. [92] The second related to penetration testing and source code audit against all Bitwarden password manager software components, including the core application, browser extension, desktop application, web application, and TypeScript library. [93] Ghacks reported that "No critical issues were discovered during the two audits. Two security issues that Cure53 rated high were discovered during the source code audit and penetration testing. These were fixed quickly by Bitwarden and the third-party HubSpot. All other issues were either rated low or informational only." [94]
On May 1, Bitwarden launched its own multi-factor authentication app, Bitwarden Authenticator. [95]
A password manager is a computer program that allows users to store and manage their passwords for local applications or online services such as web applications, online shops or social media. A web browser generally has a built-in password manager. These have frequently been criticised because many stored passwords in plaintext, leaving them exposed to hacking attempts.
A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web pages.
LastPass is a password manager application. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.
Chromium is a free and open-source web browser project, primarily developed and maintained by Google. It is a widely used codebase, providing the vast majority of code for Google Chrome and many other browsers, including Microsoft Edge, Samsung Internet, and Opera. The code is also used by several app frameworks.
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.
Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password and HMAC-based one-time password, for authenticating users of software applications.
Waterfox is a free and open-source web browser and fork of Firefox. It claims to be ethical and user-centric, emphasizing performance and privacy. There are official Waterfox releases for Windows, macOS, Linux and Android. It was initially created to provide official 64-bit support, back when Firefox was only available for 32-bit systems.
Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.
1Password is a password manager developed by the Canadian software company AgileBits Inc. It supports multiple platforms such as iOS, Android, Windows, Linux, and macOS. It provides a place for users to store various passwords, software licenses, and other sensitive information in a virtual vault that is locked with a PBKDF2-guarded master password. By default, the user’s encrypted vault is hosted on AgileBits’ servers for a monthly fee.
Mozilla is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, publishes and supports Mozilla products, thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the non-profit Mozilla Foundation and its tax-paying subsidiary, the Mozilla Corporation.
SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.
HTTPS Everywhere is a discontinued free and open-source browser extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Vivaldi and Firefox for Android, which was developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. The option "Encrypt All Sites Eligible" makes it possible to block and unblock all non-HTTPS browser connections with one click. Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023.
Proton Mail is a Swiss end-to-end encrypted email service founded in 2013 and headquartered in Plan-les-Ouates, Switzerland. It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, Windows, macOS and Linux (beta) desktop apps, and iOS and Android apps.
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).
Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
KeePassXC is a free and open-source password manager. It started as a community fork of KeePassX.
Myki was a password manager and authenticator developed by Myki Security. Myki was available on iOS and Android, as browser extensions on Chrome, Firefox, Safari, Opera and Microsoft Edge, and as a standalone desktop app for Windows, macOS, Linux, Arch Linux, and Debian. It was available in English, Arabic, French, German, Italian, Portuguese and Spanish. On 24 March 2022, Myki announced JumpCloud's acquisition of Myki, and on 10 April 2022, Myki ceased to operate.
Firefox Lockwise is a deprecated password manager for the Firefox web browser, as well as the mobile operating systems iOS and Android. On desktop, Lockwise was simply part of Firefox, whereas on iOS and Android it was available as a standalone app.
NordPass is a proprietary password manager launched in 2019. It is meant to help its users to organise their passwords and secure notes, keeping them in a single encrypted password vault. This service comes in both free and premium versions, though the free version lacks much of the paid functionality like multi-device login. NordPass was developed by the same cybersecurity team that created NordVPN, a VPN service provider.
The following is a general comparison of OTP applications that are used to generate one-time passwords for two-factor authentication (2FA) systems using the time-based one-time password (TOTP) or the HMAC-based one-time password (HOTP) algorithms.