Update: 3 months with Bitwarden

Apps and platform experiences

LastPass only has an app for macOS and a few failed attempts at a few different Windows apps over the years. The Bitwarden desktop apps — available for Linux, macOS, and Windows — are pretty great by comparison. I’ve taken to using the Bitwarden desktop client on macOS and Windows, but I prefer to use the Bitwarden Web Vault installed as a GNOME Web app under Linux. Bitwarden’s Linux app works as well as its macOS and Windows brethren, but it’s harder to install than a web app and doesn’t auto-update.

I’m not as happy with the experience on Android, however. Bitwarden integrates with the platform-provided auto-fill service, a system that is unreliable at the best of times. I can have Bitwarden auto-fill my login details into an app or webpage one day and then have it not work on the same app or webpage the next day. My login flow thus involves first attempting to use auto-fill, sighing, switching to the Bitwarden app and copying my login details, switching back to the app I want to log in to, and praying that the app hasn’t dismissed the login prompt while I was away. It’s less than ideal, but from my experience the same thing also happens with LastPass and other password managers on Android.

On a more positive note, Bitwarden’s extension for Firefox for Android works great and I don’t have to skip back and forth between apps to log in to websites. Unfortunately, Firefox for Android doesn’t support physical security keys, so I can’t properly secure my Bitwarden account and get a decent user experience on Android at the same time.

I’ve also not yet had the time to look into self-hosting Bitwarden services myself. However, this is on my to-do list for the coming months, so expect another update on that at a later time.

Third-party scripts are mostly gone from the web vault

In my last article on Bitwarden, I raised some concerns over the inclusion of untrusted third-party JavaScript inside the password manager vault. These scripts could theoretically make a copy of your login credentials and run off with your entire unencrypted password vault.

The updated Bitwarden 2.0 web vault has reduced the risk by significantly reducing its reliance on third-party scripts. The only third-party script that now runs inside the web vault is Stripe by PayPal, Bitwarden’s payment processor. You now also have to open the payments page before you’re exposed to any risk.

If a malicious third party were to somehow get control over Stripe’s domains or scripts, they’d be more likely to focus on stealing credit card information that passes through the payment service than on hijacking passwords. However, a password manager should be as securely engineered as it’s possible to make it, and risks that are acceptable on less critical websites are unacceptable in the context of a password manager.

Bitwarden could eliminate the risk entirely by moving the payment processing to a separate page outside of the vault to isolate the payment service provider from the sensitive data in the password vault. I’ve discussed this issue briefly with Kyle Spearrin, founder and lead developer at Bitwarden, who says he is hopeful that this will be improved one day.
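One way to express the separation described above in a web server configuration, as an added example that is not Bitwarden’s own configuration: a hypothetical self-hosted vault where the vault origin permits no third-party script at all and the payment page lives on its own origin. The hostnames and certificate paths are placeholders, and the Stripe script and API hosts are assumptions to be checked against the payment processor’s current CSP guidance.

```nginx
# Added example, not Bitwarden's configuration. Hostnames/paths are placeholders.
# Vault origin: Content-Security-Policy allows first-party script only, so a
# third-party script cannot be loaded here even by mistake.
server {
    listen 443 ssl;
    server_name vault.example.com;                         # placeholder
    ssl_certificate     /etc/ssl/vault.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/vault.example.com.key;    # placeholder

    # connect-src 'self' assumes the vault API is served from the same origin.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'" always;

    location / {
        root /var/www/vault;
        try_files $uri /index.html;
    }

    # The vault only links out to billing; nothing from billing is loaded here.
    location /billing {
        return 302 https://billing.example.com/;
    }
}

# Billing origin: the only place the payment processor's script may run.
# A separate origin (not merely a separate path) matters: pages on one origin
# share localStorage/IndexedDB and cookies, so a path-only split would still
# leave any vault state stored in the browser reachable from the payment page.
server {
    listen 443 ssl;
    server_name billing.example.com;                       # placeholder
    ssl_certificate     /etc/ssl/billing.example.com.pem;  # placeholder
    ssl_certificate_key /etc/ssl/billing.example.com.key;  # placeholder

    # js.stripe.com / api.stripe.com are assumed processor hosts; verify them.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com; connect-src 'self' https://api.stripe.com; object-src 'none'; base-uri 'self'" always;

    location / {
        root /var/www/billing;
        try_files $uri /index.html;
    }
}
```

Browsers report CSP violations in the developer console, so loading the vault origin and confirming that no script from a third-party host is requested is a quick check that the policy is doing what the comments claim.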

Two features that I miss from LastPass

For most users, Bitwarden and LastPass have a mostly identical feature set. There are, however, two features in LastPass that I’ve missed since I switched to Bitwarden.

LastPass keeps track of your old passwords and not only your current password. This is actually quite handy in case you accidentally overwrite your password, or for websites where you change your password on the main website but, e.g., the support page hasn’t updated and still requires your old password so you can log in and complain about the support section having a separate password system that isn’t in sync with the main website. (Real story.) Bitwarden only stores the current password.

LastPass can automatically open web pages in your browser and simulate user actions to automatically log in to a supported website and change the user’s password. The auto-password-changer feature is limited to only 80 supported websites, and it has failed on at least some of the supported websites every time I’ve tried to use it.

Bitwarden has nothing similar, and I have to log in and change my passwords manually every time I want to update them. In practice this experience is no different from LastPass, as I still had to log in and change a ton of passwords manually because most of my passwords were with unsupported websites. Since LastPass keeps track of past passwords, it is also easy to recover the previous password if something went wrong. However, I want to believe that it is a feature that will eventually work with every website out there, and I feel like I’m missing out even though this feature isn’t super useful.