Practical privacy and simple cybersecurity.
TheNewOil.org

2022 Review: Bitwarden & KeePass

In this review, I’ve decided to lump both Bitwarden and KeePass into the same review because of their vast similarities. However, there are some key differences that I will outline below. I don’t think of this blog as “Bitwarden vs KeePass.” In fact, I use both myself for different purposes. I hope that discussing this below will help you decide which is right for you, or if both are – like in my case – how to use them to their maximum potential.

A quick note, in this review I am using “KeePass” as a general term to refer to any KeePass client. Personally I use KeePassXC and therefore will base all my information on that experience, but the same general trends should hold true for other forks as well.

The Products

Bitwarden and KeePass are both password managers. A password manager is a critical piece of technology that I would argue is mandatory in today’s world, as it gives you a secure place to store your login (and other) information. This serves several purposes. The first and most obvious is account security. Modern cybersecurity advice says that passwords should be at least 8 characters (more, depending on whose advice you listen to); contain a mix of uppercase and lowercase letters, numbers, and special characters; and should not be reused anywhere. This makes the idea of remembering your passwords laughable – even those with the best memory would struggle after a few accounts, and less-used accounts would be quickly forgotten. A good password manager will help you adhere to best password practices and keep track of all your accounts with zero effort on your end. It is a commonly held piece of wisdom that if you know your passwords, they aren’t strong enough (with the exception of passphrases used to log into your password manager and devices). Password managers can also serve numerous other purposes like helping prevent phishing and keeping track of other critical information like 2FA seeds, security answers, and more.
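To make the “if you can remember it, it isn’t strong enough” rule concrete, here is an added example (mine, not code from Bitwarden or KeePass) that does what a manager’s generator does: draws passwords and passphrases from the operating system’s CSPRNG and compares their entropy. The word list is a constructed stand-in, and the 7776-word figure is the size of a standard diceware list.

```python
import math
import secrets
import string

# The four character classes the policy above asks for.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)          # 94 printable ASCII characters

# Constructed stand-in for a diceware-style word list; a real list has 7776
# entries, which is what the entropy estimate below assumes.
SAMPLE_WORDS = ("anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "hollow")
DICEWARE_SIZE = 7776


def meets_policy(pw, min_len=8):
    """True if pw satisfies the length and mixed-class rule described above."""
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in CLASSES)


def random_password(length=16):
    """Draw from the CSPRNG until the candidate contains every class.

    Rejection sampling keeps the result uniform over the set of qualifying
    strings, so the entropy is only marginally below length * log2(94)."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


def random_passphrase(words=SAMPLE_WORDS, n_words=5, sep="-"):
    """Pick n_words uniformly with replacement: memorable, and long."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent uniform choices from `pool_size`."""
    return length * math.log2(pool_size)


def compare():
    """Entropy of the 8-character policy minimum vs a 16-character password vs a
    five-word diceware passphrase, rounded to one decimal place."""
    return {
        "8-char mixed": round(entropy_bits(len(ALPHABET), 8), 1),
        "16-char mixed": round(entropy_bits(len(ALPHABET), 16), 1),
        "5-word diceware": round(entropy_bits(DICEWARE_SIZE, 5), 1),
    }


if __name__ == "__main__":
    print(random_password(16), random_passphrase(), compare())
```

The numbers are the point: an 8-character “complex” password is about 52 bits, a 5-word passphrase about 65 bits, and a 16-character generated password about 105 bits. The passphrase is the one shape you can actually memorize, which is why it is the right choice for the vault itself while everything inside the vault gets the long generated kind.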

The Good

Bitwarden and KeePass both start off with a lot of positives in common, like being open source and free. Bitwarden has a premium tier we’ll get to later, but even their free tier should offer all the functionality an average user would need. Both allow unlimited entries, multiple devices, folders, and much more. Both also feature browser plugins, which can help prevent you from falling prey to a phishing attack. (This works because the plugin only offers to auto-fill when the site you’re on matches the URL saved with the entry; if a link has taken you to a lookalike domain, no auto-fill prompt appears, tipping you off that something’s not right.) Bitwarden can also be self-hosted if you like the product itself but want a little more control over your data.
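Here is what that auto-fill check looks like in practice, as an added example of my own rather than either project’s code. It implements the “base domain” rule (the default in Bitwarden’s browser extension: the registrable domain of the page must equal the entry’s) and shows the lookalikes it refuses. The handful of multi-label suffixes is an assumed stand-in for the Public Suffix List a real client ships.

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List. Assumption: real clients ship the
# full list; these entries are just enough to show why the check needs one.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "github.io"}


def registrable_domain(host):
    """Return the 'base domain' (public suffix plus one label) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _parse(url):
    """Return (scheme, hostname) or None for anything that is not a web URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.scheme, parts.hostname   # hostname drops userinfo, port and case


def should_autofill(entry_url, page_url):
    """Offer the saved login only if the page's base domain equals the entry's.

    The rule refuses lookalikes (example.com.evil.test, examp1e.com), the
    user@host trick, and an https->http downgrade of the saved site."""
    entry, page = _parse(entry_url), _parse(page_url)
    if entry is None or page is None:
        return False
    if entry[0] == "https" and page[0] != "https":
        return False
    return registrable_domain(entry[1]) == registrable_domain(page[1])


if __name__ == "__main__":
    saved = "https://example.com/login"
    for url in ("https://accounts.example.com/signin",
                "https://example.com.evil.test/login",
                "https://example.com@evil.test/",
                "http://example.com/login"):
        print(url, should_autofill(saved, url))
```

Only the first of those four URLs gets an auto-fill prompt. The phishing page can look pixel-perfect; the plugin never looks at the page, it compares hostnames, which is exactly the comparison a human under pressure skips.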

In terms of functionality, KeePass is the clear winner. Because KeePass is fully free in every sense of the word, there is no functionality hidden behind a paywall. You can add your 2FA seeds, unlock your password vault with a hardware token, and more.

In terms of look, Bitwarden outdoes KeePass by a long shot. KeePass works, but it’s not the prettiest program ever. Bitwarden, meanwhile, looks much more modern and sleek, and even has different entry types so you can easily store common information like names, credit cards, and notes. KeePass can technically be made to do all this stuff, but you’re really using a password entry while Bitwarden has these entries already modified to look right. For example, I store my emergency credit card information in Bitwarden in case I ever need it while I’m not home. In KeePass, this would require me to enter the credit card number in a field normally used for logins, like “Password,” “Username,” or maybe the “Notes” field if I want. While there’s no real issue with this, it does bug my perfectionist nature a little bit. In Bitwarden, there’s an actual credit card entry that has fields like “Cardholder Name” and “Number” and “Expiration.” Same with Notes, and Identity. (Pro Tip: you can use the “Identity” entries to keep track of your various disinformation identities, like how Nathan Bartram lives at 350 West Wolf Point Plaza in Chicago.) Bitwarden also automatically pulls login icons for websites, while KeePass must be made to do this. Admittedly, this is either a pro or a con depending on your threat model and preferences, which brings me to my next point.

Let’s get to the elephant in the room: cloud syncing. Depending on your threat model and/or level of caution, cloud syncing is either a pro or a con for you. If you have a low threat model and value convenience, Bitwarden is the clear winner here. They are cloud based, with apps on Android and iOS, as well as Mac, Windows, Linux, and the aforementioned browser extension. Bitwarden is password security on easy mode. If you don’t trust the cloud – or you don’t trust Bitwarden for whatever reason – KeePass is going to be the best choice for you. You can manually sync your vault between devices by either plugging them in and uploading them, or by using a cloud service like Nextcloud or Filen.

The Bad

Let’s start with KeePass’s drawbacks because I think there are fewer of them. The most obvious, I already noted, is the UI. However, there’s also the cloud sync and plethora of forks. Because KeePass is not cloud-based, it’s up to you to make sure that you’re keeping good backups in case your device ever dies, becomes corrupted, gets stolen, etc. I discuss this on the site, but it can never be overstated. Losing your passwords is hard to bounce back from. It can also be tedious syncing your database, even if you have a good system in place. At one point, I was keeping my database in a cloud folder so it would always sync up automatically, then using Strongbox/KeePassDX on my mobile devices. Even with this near-realtime cloud setup, I would still have to routinely import the newest version of my vault into the mobile apps to ensure I had the latest entries, and I would also have to be careful not to save over them. And on that note, KeePass is mostly a community-driven project in the sense that there is no universal KeePass client that works everywhere. KeePassXC is the closest you’ll get, as it works on Linux, Mac, and Windows, but for mobile you’ll need to find another client such as Strongbox for iOS or KeePassDX for Android. It’s definitely not as smooth and seamless of an experience. KeePass also doesn’t come with any sort of automatic sharing features like Bitwarden does. If I wanted to share a login with someone, I’d have to export it somehow and send it to them over a secure channel.

Now let’s talk about Bitwarden. I’ll start by addressing the cloud part, since that’s a double-edged sword. Bitwarden is cloud-based. If you value convenience, this is great. But it also comes with some risks. For example, since Bitwarden is centralized, that means if they ever suffer a data breach, your vault could be at risk since they store it for you. Now just to be clear, if Bitwarden is encrypting your vault properly – and I personally believe they are – then a stolen copy of your vault is just ciphertext: the only way in is to guess your master password, and every guess has to be run through the key-derivation function, so a long master passphrase keeps that attack impractical. Still, it’s a very unsettling thought. Your vault has the keys to your entire digital life – which could include things like bank logins, logins for sensitive accounts and communications, and more. Even if it is practically unhackable, I still wouldn’t exactly be comfortable handing out a copy of that to just anyone. And of course, again, this is predicated on the assumption that they’ve implemented their encryption correctly. Bitwarden is very popular, meaning a lot of experts have no doubt laid eyes on the code, and they’ve even been audited, but all it takes is one slip up to create a vulnerability. It’s a lot of trust you’re placing in someone.
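To put a number on what “just ciphertext” buys you, here is an added example of my own (not Bitwarden’s code, and the iteration count, salt and speed-up factor are assumed for illustration). It stretches a master password with PBKDF2-HMAC-SHA256 the way a vault does, measures how many guesses per second one CPU core manages, and then estimates how long an attacker holding a breached vault would need for the three password shapes from earlier.

```python
import hashlib
import math
import time

# Assumed parameters for the illustration; not Bitwarden's code or exact settings.
KDF_ITERATIONS = 100_000
SALT = b"user@example.com"       # constructed; a real client uses a per-user salt


def derive_vault_key(master_password, iterations=KDF_ITERATIONS, salt=SALT):
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    Anyone holding the vault file (say, from a breach) pays this cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def guesses_per_second(iterations=KDF_ITERATIONS, samples=3):
    """Single-core guess rate on this machine; a GPU rig is far faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", iterations=iterations)
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(entropy_bits, rate, attacker_speedup=1.0):
    """Expected seconds to find the password: on average half the keyspace is
    searched at `rate` guesses/s, scaled by the attacker's hardware advantage."""
    return (2.0 ** entropy_bits) / 2.0 / (rate * attacker_speedup)


def crack_time_table(rate, attacker_speedup=1_000_000):
    """Years to crack three password shapes at a base rate and an assumed
    speed-up: 8 or 16 chars from 94 symbols, and a 5-word diceware phrase."""
    year = 365.25 * 24 * 3600
    shapes = {"8-char mixed": 8 * math.log2(94),
              "16-char mixed": 16 * math.log2(94),
              "5-word diceware": 5 * math.log2(7776)}
    return {name: expected_crack_seconds(bits, rate, attacker_speedup) / year
            for name, bits in shapes.items()}


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"{rate:.1f} guesses/s on one core")
    for name, years in crack_time_table(rate).items():
        print(f"{name:16s} {years:.3g} years")
```

The takeaway is that the KDF multiplies the attacker’s work by the iteration count, but it cannot rescue a weak master password: at an assumed million-fold attacker advantage the 8-character password falls in days while the 5-word passphrase takes decades. That is the whole argument for a long vault passphrase, and it applies just as much to a KeePass database file that walks off on a stolen laptop.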

On that note, let me address a complaint I’ve seen float around a few times: there are allegations that Bitwarden’s website is not properly protected against a possible malicious JavaScript hijacking, which could allow an attacker to steal your login credentials. This is concerning, for sure, because as the end user you’d really have no way of knowing. However, in my experience, people love apps. I suspect that most people who use Bitwarden won’t be using the website except to make serious changes to their account like buying a premium plan or changing their password. I know that’s my use case. This seriously reduces the risk of this attack, and between that fact and my belief that the gains from using a password manager outweigh the risks in this usage model, I would still strongly encourage people who are considering Bitwarden to go ahead and use it. I preach Bitwarden to everyone I know without reservation, and as far as I know nobody I’ve convinced to use it uses the website. They all download the app and the browser plugin. Having said that, if you’re reading this and you work for Bitwarden, I strongly urge you to consider addressing this attack. It’s only a matter of time before it gets abused, and when it does you guys are gonna look pretty stupid for brushing it off all these years. Surely you can afford it now.

Finally, I should address that some of Bitwarden’s features are premium only. As I said earlier, the core functionality of Bitwarden is free – unlimited entries, unlimited devices, etc – and there’s really no reason that this shouldn’t work just fine for the vast majority of people. However, there are some paid features that would either increase user security or make life a lot easier for users. For example, being able to lock your vault with a hardware token is a paid feature. Such a feature substantially increases your vault security. Another paid feature is having Bitwarden generate your 2FA codes from a seed stored in the entry, so the code is right there next to the password. While this is potentially risky as it creates a single point of failure, it also makes using 2FA nearly effortless, and it’s something I would encourage if it’ll make the user more likely to use 2FA (assuming they also have a strong vault passphrase and 2FA enabled on the vault, too, for maximum protection). It’s a bummer to see such powerful features locked behind a paywall, but I suppose it’s somewhat fair. TOTP 2FA (the kind where you get a new code every thirty seconds) is still supported for logging into a free account, Bitwarden has to make money somehow, and you could always just self-host it if you really want those features for “free” (in quotations because we’re not counting the cost of the server/VPS, time spent, etc). Again, the important functionalities are free, and that’s what matters.
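To see why the “single point of failure” worry is real, here is an added example of my own (not Bitwarden’s or KeePass’s code) that does what the in-vault authenticator does: it turns a stored base32 seed into the current six-digit code per RFC 6238. The seed used is the RFC’s own test key, labelled as such, so the outputs can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 6238 test key "12345678901234567890" in base32,
# the form authenticator apps and vaults store it in.
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32):
    """Accept the seed as users paste it: spaces, lower case, missing padding."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(seed_b32, at=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HMAC the time-step counter with the seed, then dynamically truncate."""
    at = time.time() if at is None else at
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(decode_seed(seed_b32), counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed_b32, code, at=None, window=1, **kw):
    """Server-side check tolerating clock skew of `window` steps either way,
    comparing in constant time."""
    at = time.time() if at is None else at
    step = kw.get("step", 30)
    return any(hmac.compare_digest(totp(seed_b32, at + k * step, **kw), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    print(totp(DEMO_SEED))  # the code a vault holding this seed would show right now
```

Notice that the seed is the only secret involved: whoever has it can produce every future code. If it sits in the same entry as the password, the vault passphrase is now the one thing protecting both factors, which is fine as long as that passphrase is strong and the vault itself has 2FA, and not fine otherwise.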

As a last note, it should be noted that Bitwarden offers an emergency access feature. I can set another Bitwarden user – like my spouse – to be the emergency contact. If she requests access and I don’t respond within the waiting period I chose when I set her up (I think mine is 7 days), she’ll automatically be given access to my vault. This is to ensure that if anything happens to me, she’ll be able to log in to stuff like the bank, my email, and whatever other accounts she needs to handle our affairs. KeePass, being offline, does not offer such a feature. In either case, I encourage you to think about this kind of stuff and have a plan in place should the worst happen. I discussed this more in my blog post here.

Final Verdict

As I said above, I use both password managers. For those curious, here’s a quick explanation of how I do it (quick piece of context: I dualboot both Linux and Windows. I use Windows for gaming and for producing videos and music): I use KeePassXC for all of my passwords, even the ones I also have in Bitwarden. This is the vault I export regularly as part of my routine backup schedule. Anything that I need to access on a different device – like Windows or mobile – or anything that I need to share with my wife, I put in Bitwarden. So for example, my Discord and Matrix logins are saved in both KeePassXC and Bitwarden, because I like staying logged into my communities so that I can keep an eye on them and respond if necessary even when I’m doing stuff on Windows. I also have things like Proton in there so I can access Drive or my email when on Windows to transfer files between my two OS’s easily. Then there’s the stuff I share with my wife, like the electric company login, the emergency credit card, and Netflix. Bitwarden makes it easy to sync logins between operating systems and to share them, but for the extra sensitive stuff like bank logins or accounts I don’t need immediate 24/7 access to, there’s always KeePass, where I can ensure more control over my vault and more easily integrate the backups into my workflow (for the record, Bitwarden does backups just as easily as KeePass, KeePass just works better for my personal workflow). I trust Bitwarden, but personally I also err on the side of “why take unnecessary risks?” If I don’t need regular, sudden access to the account, then I prefer to keep it offline just in case. But that’s just me.

In the end, I believe that both password managers are excellent choices, and really the deciding factor is your preferences. If you prefer not to trust the cloud, you have good backup procedures in place, and you don’t mind some inconvenience when it comes to syncing your passwords across devices or sharing them with others, KeePass is the clear winner for you. If you want something easy that looks sharp and syncs across devices with no effort on your end but also has a strong reputation and good security, Bitwarden is the right choice. Regardless of which one you pick, I hope I’ve helped lay out the differences between them and made the choice a little bit easier for you. Remember to keep your vault secure. Password managers are game changers in making your digital life safer and more convenient, but they’re also putting all your eggs in one basket if you don’t take securing them seriously. With that said, be sure to check out these two password managers if you still haven’t adopted one yet.

You can check out Bitwarden here and KeePass here.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...