I Do Not Recommend Bitwarden
6 hours ago
- #security
- #password-manager
- #self-hosting
- Bitwarden's self-hosted deployment is complex and heavyweight, with many users opting for the unofficial lightweight Rust-based server Vaultwarden, which is more popular on GitHub.
- Bitwarden's open-source stance is questionable after it introduced a restrictive license for a new SDK, later relicensing it as GPLv3 following community backlash, indicating a shift toward prioritizing its SaaS subscription model.
- The client applications suffer from poor UI/UX, including non-intuitive workflows such as having to click a small 'Fill' button rather than the list item itself, a lack of offline-first design, and slow sync delays.
- Critical features are missing or broken: the vault migration tooling loses data during exports, there is no feature to move items between vaults, and client updates can break access without warning.
- Bitwarden has a concerning security track record, with incidents like KDF iterations not applying to vault encryption (2023), Windows Hello bypass, cross-origin autofill vulnerabilities, DOM-based clickjacking (2025), and a compromised CLI in a supply chain attack (2026).
- The author recommends compartmentalizing credentials across multiple tools based on use case: SaaS for professional sharing, another cloud manager for PII accounts, KeePass with Syncthing for non-PII accounts, HashiCorp Vault for infrastructure, and GPG-encrypted files with pass for one-off credentials.
- The bottom line is that Bitwarden has drifted from its open-source roots, with enterprise-focused complexity, slow feature development, and recurring security issues, leading the author to advocate for splitting trust across specialized tools rather than relying on a single password manager.