One Month with Bitwarden


It almost feels too soon to be handing in a report on how well Bitwarden is working out after only a month of use. I’ve learned something important since migrating from Keepass. Something that I managed to completely gloss over when making my decision to migrate. It may have made me change my mind, so I think it is important to tell you about it!

Hosting your own Bitwarden server has a weird caveat

Bitwarden is open source, and you can host your own Bitwarden server. I’m excited about having the ability to host my own server, but I didn’t want to go down this road. My initial investigation didn’t go terribly deep. Once I saw that the documentation looked good, and the process was pretty simple, I put a check in the “ability to host your own server” box on my list.

I’ve since noticed that you can’t just host your own Bitwarden server. Your server needs a key that is provided by bitwarden.com. At a glance, this feels sketchy to me. This is what the Bitwarden documentation has to say about server keys:

Each Bitwarden installation requires a unique installation id and installation key. The installation id and key is used to:

  1. Register your installation and contact email so that we can contact you in case of important security updates.

  2. Validate licensing of paid features.

  3. Authenticate to push relay servers for push notifications to Bitwarden client applications.

You should not share your installation id or installation key across multiple Bitwarden installations. They should be treated as secrets.

They want to protect their revenue stream, and they’re allowing you to use their push notification infrastructure so that your server can communicate with the Android and iOS clients.

There is an alternative to the official Bitwarden server

There is an unofficial Bitwarden-compatible server written in Rust. If you feel that having to obtain a key to host your own server is weird or creepy, Dani Garcia’s Rust server looks like a fantastic option.


This isn’t the only reason to look at Dani’s Bitwarden server implementation. The official Bitwarden server is rather heavy. It requires 2 GB of RAM and quite a bit of storage. You probably won’t be able to just throw an official Bitwarden server up on a random VPS that you already have. You’ll probably need a RAM upgrade.

The unofficial Bitwarden Rust server only requires 10 or 20 megabytes of RAM. You can squeeze that in just about anywhere, and it even runs on a Raspberry Pi!

Everything else has been fantastic

I’m impressed with Bitwarden so far. I haven’t had any problems. Once I learned the control-shift-L hotkey to automatically fill in passwords, it has been smooth sailing.

The Firefox extension works great. All my passwords were imported from Keepass without any issues. After an initial hiccup, the Android app has been doing a fantastic job of populating username and password fields.

My cheap Blu phone’s battery-saving nonsense was goobering things up at first. It was killing the Bitwarden app, and when it did, the app would lose its accessibility status. It wasn’t obvious right away why this was happening, but once I dug into my Android system settings to disable battery-saving features for the Bitwarden app, everything has been working perfectly.

Conclusion

Within a few days of posting about my migration to Bitwarden, three comments showed up recommending three more open-source password managers that I never heard of. This space seems to be crowded, and I plan to do more research in the near future. It might be time for a password-management version of my old cloud storage comparison blog!

Bitwarden has all the features I was looking for, but what pushed me into the migration was when I learned about the third-party audit of Bitwarden that was conducted late last year. It didn’t get a perfect score, but they quickly addressed the serious issues, and they put plans in place to address everything else.

What do you think? Did I make a good move when I migrated to Bitwarden? Do you prefer Lastpass or 1Password? Do you use an open-source password manager? Let me know in the comments, or stop by the Butter, What?! Discord server to chat with me about it!
