Behind the scenes with the Bitwarden password manager

Developer Kyle Spearrin explains why he created Bitwarden and how it improves upon commercial password managers like LastPass and 1Password.

JanBaby, via Pixabay CC0.

We're human. We are inundated with technology and accounts day in and day out, and most people will choose a password that they can easily remember.
—Jonathan LeBlanc, formerly of PayPal

Having to remember passwords for web applications, email, banking, and more begat the password manager. And that begat such popular, proprietary services as LastPass and 1Password.

A little over two years ago, software developer Kyle Spearrin decided the open source world needed its own web-based password manager. His company, 8Bit Solutions, develops and markets an open source alternative to services like LastPass and 1Password called Bitwarden.

Recently I had the opportunity to ask Spearrin some questions about Bitwarden's origins, how it secures user information, where he sees Bitwarden going, and more.

Scott Nesbitt: Why did you develop Bitwarden?

Kyle Spearrin: I've used password management tools for years. I became frustrated by the complexity and barrier to entry many of the existing solutions offered. There was also a lack of quality, open source solutions available. I thought things could be done better and that there was great value in doing so.

SN: What advantages does Bitwarden have over, say, LastPass or 1Password?

KS: The main advantage we have over many of our top competitors is that we're focused on making our entire product line open source. Being open source offers numerous advantages such as helping us gain the trust of new users (something important and hard to do in the password management space), helping keep the quality of our code in check, and allowing us to offer important features like self-hosted Bitwarden, just to name a few.

Earlier this year, we saw a user rewrite a new core backend for Bitwarden in Ruby, which he then deployed to his own home server to use with our other client applications. He did this not because he needed to, but simply because he could. Open source offers the freedom for our users to do things that they couldn't do otherwise.

SN: Are there any areas where Bitwarden falls short?

KS: Sure. 8Bit Solutions is still a young, small company. That comes with its own set of challenges as we try to compete with the much larger, well-established players in the market. Resources are harder to come by, which makes development in certain areas slower than we would like. But that's changing every day as we continue to grow.

SN: Are there any features that you think are missing?

KS: While the product line we offer today is very feature rich and serves the needs of the vast majority of our user base, there's always a full backlog of good ideas and features that we want and need to build.

One feature we're focusing heavily on building is native desktop applications for our Windows, MacOS, and Linux users. The good news is that we're pretty close to finishing the 1.0 release of desktop on all platforms and we've launched a public beta for our cross-platform desktop apps.

SN: How do you respond to critics of password managers in light of some high-profile security breaches?

KS: Their criticism is not unfounded. Offline password managers will usually offer a smaller threat model for a user. And, of course, if we could all somehow remember all the secure passwords for every service we use in our heads we'd be doing even better.

The reality is that we can't. Our world is becoming more and more dependent on online services and technology in general, which creates the need for using multiple connected devices, having teams of users that need access to share and manage the same secrets, and more. Having a secure password management tool that solves these problems while still being convenient enough for a user to adopt and properly utilize is the challenge that Bitwarden is solving.

SN: Describe Bitwarden's security model.

KS: Our security model follows a few important policies and principles:

  • Everything must be open source. All code that we write must be open for audit and review.
  • End-to-end encryption is utilized. All sensitive information is encrypted locally on a user's device before ever being transmitted or stored elsewhere.
  • All Bitwarden server infrastructure uses managed cloud services. This not only helps us scale easily but protects us from having to manage servers, security patches, and guarding from malicious actors who target those systems.
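The second principle above, end-to-end encryption, is the one that decides what a server breach can and cannot expose. The following is an added example written for this article, not Bitwarden's own code, showing the shape of a client-side vault scheme: the master password is stretched into a key on the device, each vault item is encrypted and authenticated locally, and only an opaque blob reaches the server, which also receives a separately derived login token rather than the key. The cipher is a toy HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag so that it runs on the Python standard library alone; a production client would use AES-GCM or AES-CBC with HMAC. Iteration count, labels, function names and sample values are all constructed for illustration.

```python
"""Client-side (end-to-end) vault encryption, illustrated.

Added example, not Bitwarden's code. Demonstrates the principle that the
master password and vault key never leave the device: the server stores
ciphertext it cannot decrypt and authenticates the user with a token
derived separately from the key. Constructed names and values throughout.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed value for illustration only
NONCE_LEN = 16
TAG_LEN = 32


def derive_master_key(master_password: str, email: str) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256, salted with the
    account e-mail. Runs entirely on the client; the password is never sent."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), PBKDF2_ITERATIONS
    )


def subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive an independent 32-byte key per purpose (enc, mac, auth) so that
    compromising one use never reveals the others."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def server_auth_token(master_key: bytes) -> bytes:
    """What the client sends to log in. It is a one-way derivation from the
    key, so the server learns neither the password nor the vault key."""
    return subkey(master_key, b"auth")


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (stand-in for a real block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_item(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt one vault item locally. Returns nonce || ciphertext || tag;
    this blob is the only thing that is transmitted or stored remotely."""
    enc_key = subkey(master_key, b"enc")
    mac_key = subkey(master_key, b"mac")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_item(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob fails
    closed instead of yielding garbage."""
    enc_key = subkey(master_key, b"enc")
    mac_key = subkey(master_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample account and vault item.
    key = derive_master_key("correct horse battery staple", "user@example.com")
    blob = encrypt_item(key, b"netflix.com / family@example.com / hunter2")
    # The server only ever sees these two values:
    print("auth token:", server_auth_token(key).hex())
    print("stored blob:", blob.hex())
    print("decrypted locally:", decrypt_item(key, blob))
```

The point to take from the flow is where the boundary sits: everything up to `encrypt_item` happens on the device, and a database dump of the blobs plus the auth tokens gives an attacker nothing to decrypt without also guessing each user's master password offline, which is why the PBKDF2 iteration count (and a strong master password) matters so much in this model.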

SN: Has Bitwarden had a security audit? If so, what were the results?

KS: Bitwarden offers a bug bounty program on HackerOne, where security researchers review our products and source code for vulnerabilities daily. Being open source is a tremendous advantage for us here. Although we've not received reports of anything horrible, these researchers have reported some great things for us to fix and continue to help keep Bitwarden safe for our users and customers.

We also understand the need for a more formal security audit from a trusted third party. We're working towards having this done and hope to have something publicly available for our users and customers in the future.

SN: Who uses Bitwarden?

KS: Bitwarden is used by lots of people: individual users like you, me, and our families as well as teams and business organizations. Universities, hospitals, U.S. federal government agencies, tech companies, and more are all Bitwarden customers.

SN: Do you know approximately how many people use it?

KS: Due to our self-hosting features, it's impossible for us to know exactly how many people are using Bitwarden. However, we do know that over 100,000 users have registered with and use the public cloud version of Bitwarden.

SN: Bitwarden has paid accounts. How else do you fund its development?

KS: Bitwarden is entirely funded by our paid features. Premium memberships are available for individual users who want those extra features. Families, teams, and enterprise organization plans are available for those that need to share and manage passwords and other secrets across multiple users.

SN: What were the toughest parts of getting Bitwarden off the ground?

KS: Bitwarden has been around for over two years now. When people found out about it, they loved it. One of the toughest things about getting the product off the ground was just getting exposure.

I've always been a big believer in organic marketing. It's a slower process of gaining exposure, but the results are real. My philosophy has always been: If you build it great, they will come. And that's what we're seeing.

SN: Where do you see Bitwarden in the next year? Next two years? Five years?

KS: In the next year, we're focusing heavily on building great products. Features are evolving and products will keep getting better.

Beyond that, we will start to invest more in growing our sales and marketing efforts. Educating users on ways they can stay safe while online is a goal of ours.

In the next five years, we want Bitwarden to be the go-to password and secret management solution for individuals and enterprise customers. Open source will be the new standard for security-related solutions like Bitwarden.

SN: What do you consider Bitwarden's killer features?

KS: There are too many to list, so I encourage your readers to try us out. However, some of the best features Bitwarden offers are:

  • We have easy-to-use, feature-rich applications available across all of your devices: web, mobile, desktop, and browser. All applications are built to the same quality standards from the same organization.
  • It's free to use. While we do offer paid features, we are very careful not to cripple the free tier of our product. It's not a fake "free trial." You can use the core, necessary features of Bitwarden unhindered, for free, forever.
  • You can securely share secrets between multiple users. Whether it's the Netflix password with the family or database keys with a team at work, you can use Bitwarden to easily share passwords with other users. We even offer a free tier for these features as well.
  • Bitwarden is self-hostable. Although Bitwarden is an online password manager that's easy to get started with and syncs through our secure cloud servers, you don't have to use it that way. Many of our users and business customers deploy the entire Bitwarden backend to their own servers. You can control and protect your data with no external dependencies.
  • Everything is open source. Anyone can review, audit, and contribute to our products. Many features that we build are a community-driven effort.

SN: What advice can you give people wanting to get started using Bitwarden?

KS: Getting started using a password management application can be quite a change for people who are not used to using one. Maybe you've tried a password manager in the past and became discouraged by its complexity and gotchas. We've tried to make the experience the best we can.

You can get started by installing Bitwarden on any or all of your devices. Then, start logging into websites like you always have. Bitwarden will begin automatically remembering your passwords for you so that the next time you need access to that service, Bitwarden will be there to handle the login experience for you, all while keeping your passwords safe and synced between your different devices.

SN: What advice do you have for people wanting to migrate to Bitwarden from another password manager?

KS: We've gone to great lengths to make it as easy as possible for people to switch to Bitwarden. We offer simple, one-click import tools for nearly 30 different password management applications. You can read more about switching from another application in our help center.

SN: How can people support the project?

KS: Besides purchasing our product, the best thing people can do to help us is just to use our products and share Bitwarden with others.

As I mentioned earlier, exposure is one of our biggest challenges. Spreading the word with family, friends, coworkers and leaving us reviews in the various online stores where our products are listed are all a great help!

That idiot Scott Nesbitt ...
I'm a long-time user of free/open source software, and write various things for both fun and profit. I don't take myself all that seriously and I do all of my own stunts.

3 Comments

I have migrated from LastPass, which I used for the last 7 years. Tried a couple of other password managers, first 1Password, but their trial was heavily crippled (only 20 passwords), then Enpass, which I liked very much. Then I decided to try Bitwarden, which is kind of similar, because it is open source. The free version wasn't crippled so I could try it as one should try software, and I just loved it. After a week I paid for the premium just because I want to support it. Been using it for a couple of months now and it just works. I love that it can generate TOTP codes for all my sites.

“Everything must be open source.”

Then why does Bitwarden use Google Analytics instead of Matomo (Piwik) inside the password vault? Why are there any unnecessary scripts in the password vault at all?

I agree that it shouldn't be there in the first place, but you can easily disable this anti-feature by going to Settings > Options > Disable Analytics.

In reply to Dan_.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.