
Bitwarden Password Manager

Some concerns
Bitwarden · 🇺🇸 United States
Technical details
App: com.x8bit.bitwarden
Manufacturer: Bitwarden Inc.

The bottom line

Most users never change defaults. Bitwarden's default key derivation function is PBKDF2-SHA256 at 600,000 iterations; Argon2id is offered but has to be selected by hand. PBKDF2 parallelises cheaply on GPUs, whereas Argon2id is memory-hard, so if Bitwarden's servers were breached and encrypted vaults stolen, accounts still on the default KDF would be the cheapest to crack offline. Separately, if you visit a page that embeds a malicious iframe, Bitwarden's browser extension may auto-fill the credentials saved for that page into the iframe, handing them to the attacker. Bitwarden says this behaviour is by design.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Because vault contents are end-to-end encrypted with a key derived from your master password, what Bitwarden can hand over under such a demand is encrypted vault data plus account metadata such as your email address and KDF settings, not plaintext passwords; how much that ciphertext is worth to the recipient then depends on your master password and KDF choice.
Scores
Spying: 0/4 (N/A). Is someone spying on me?
Data Sharing: 0/4 (N/A). Who gets my data?
Security: 3/4 (HIGH). Is it actually secure?
Honesty: 2/4 (MODERATE). Can I trust what they say?
Verdict: CONFIGURE. High-risk areas that can be partially mitigated with settings changes.
4 contradictions: 0 critical, 0 high, 3 medium, 1 low. 2 sources.
Findings by concern
Security: 3/4 (HIGH), 4 findings
[medium] firmware analysis vs app permissions
Most users never change defaults. PBKDF2-SHA256 is cheap to run on a GPU; Argon2id is memory-hard but is not the default. If Bitwarden's servers were breached, vaults protected with the default KDF would be the cheapest to crack offline.

What they claim: Bitwarden defaults to PBKDF2-SHA256 with 600,000 iterations for key derivation

What we found: Argon2id is available but is not the default; users must switch manually in the account's security settings, which ends all signed-in sessions. PBKDF2-SHA256 is GPU-friendly, so an attacker holding stolen encrypted vaults can test master-password guesses at whatever rate their hardware runs 600,000 HMAC-SHA256 iterations; Argon2id is memory-hard, so each guess also ties up memory (Bitwarden's Argon2id defaults are 64 MiB, 3 iterations, parallelism 4), which is what cuts GPU throughput. Most users will never change the default. Note that the KDF only slows guessing; a short or reused master password falls to either KDF.
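As an added example (not Bitwarden's code), the following Python script shows how the two settings differ in practice: it rates a KDF configuration in the JSON shape Bitwarden's unauthenticated prelogin endpoint (POST /api/accounts/prelogin with the account email) returns, and derives the PBKDF2 master key the way the default path does, with the lower-cased account email as salt. The three sample responses are constructed, the email addresses are placeholders, and the rating thresholds are this example's own policy; Argon2id derivation is omitted because it needs a third-party library.

```python
"""Rate a Bitwarden-style KDF configuration and derive the PBKDF2 master key.

Added example, not Bitwarden code. The dicts below model the shape of the
prelogin response (kdf, kdfIterations, kdfMemory, kdfParallelism); the
values and email addresses are constructed, not captured.
"""
import hashlib

# KDF identifiers used in the kdf field of the prelogin response
KDF_PBKDF2_SHA256 = 0
KDF_ARGON2ID = 1

# Current Bitwarden defaults, as described on this page
PBKDF2_DEFAULT_ITERATIONS = 600_000
ARGON2_DEFAULT_MEMORY_MIB = 64
ARGON2_DEFAULT_ITERATIONS = 3
ARGON2_DEFAULT_PARALLELISM = 4

# Constructed sample responses for three hypothetical accounts
SAMPLE_PRELOGIN = {
    "legacy@example.com":  {"kdf": 0, "kdfIterations": 100_000, "kdfMemory": None, "kdfParallelism": None},
    "default@example.com": {"kdf": 0, "kdfIterations": 600_000, "kdfMemory": None, "kdfParallelism": None},
    "argon@example.com":   {"kdf": 1, "kdfIterations": 3, "kdfMemory": 64, "kdfParallelism": 4},
}


def rate_kdf(prelogin: dict) -> tuple:
    """Return (rating, reason); rating is "weak", "default" or "ok".

    The thresholds are this example's own policy, not Bitwarden's.
    """
    kdf = prelogin.get("kdf")
    if kdf == KDF_PBKDF2_SHA256:
        iters = prelogin.get("kdfIterations") or 0
        if iters < PBKDF2_DEFAULT_ITERATIONS:
            return "weak", f"PBKDF2-SHA256 with {iters} iterations, below the {PBKDF2_DEFAULT_ITERATIONS} default"
        return "default", "PBKDF2-SHA256 at the default iteration count; GPU-friendly, switch to Argon2id"
    if kdf == KDF_ARGON2ID:
        mem = prelogin.get("kdfMemory") or 0
        iters = prelogin.get("kdfIterations") or 0
        if mem < ARGON2_DEFAULT_MEMORY_MIB or iters < ARGON2_DEFAULT_ITERATIONS:
            return "weak", f"Argon2id with {mem} MiB / {iters} iterations, below Bitwarden's defaults"
        return "ok", f"Argon2id, {mem} MiB memory, {iters} iterations, parallelism {prelogin.get('kdfParallelism')}"
    return "weak", f"unknown kdf value {kdf!r}"


def derive_master_key_pbkdf2(master_password: str, email: str, iterations: int) -> bytes:
    """256-bit master key on the PBKDF2 path: salt is the trimmed, lower-cased
    account email. This is the work an offline cracker repeats per guess."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def derive_master_password_hash(master_key: bytes, master_password: str) -> bytes:
    """Value sent to the server for authentication: one more PBKDF2 round with
    the master key as password and the master password as salt. The server
    never sees the master key or the master password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1, dklen=32)


def audit_accounts(responses: dict) -> dict:
    """Map each email to its KDF rating, e.g. to list who is still on the default."""
    return {email: rate_kdf(resp)[0] for email, resp in responses.items()}


if __name__ == "__main__":
    for email, resp in SAMPLE_PRELOGIN.items():
        rating, reason = rate_kdf(resp)
        print(f"{email:22s} {rating:8s} {reason}")
    key = derive_master_key_pbkdf2("correct horse battery staple", "default@example.com", PBKDF2_DEFAULT_ITERATIONS)
    print("master key:", key.hex())
    print("auth hash: ", derive_master_password_hash(key, "correct horse battery staple").hex())
```

The derivation functions make the threat concrete: an attacker holding the encrypted vault needs one `derive_master_key_pbkdf2` call per password guess, and nothing in that call is memory-bound, which is exactly what a GPU is good at.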

[medium] firmware analysis vs regulatory findings
If you visit a page that embeds a malicious iframe, Bitwarden's browser extension may auto-fill the credentials saved for that page into the iframe, sending them to the attacker. Bitwarden says this is by design.

What they claim: Bitwarden is fully open-source (client and server) under GPL licenses

What we found: CVE-2023-27706: the browser extension auto-filled credentials into iframes embedded in a page whose top-level URL matched a vault entry, including frames served from other origins, so third-party content on a legitimate page could receive the password. Bitwarden defended this as a design choice rather than a vulnerability, since some legitimate sites load their login form in a cross-origin iframe, prioritising convenience over security. Auto-fill on page load is off by default, so the exposure arises when the user triggers auto-fill on a page that contains a hostile frame; before filling on a sensitive site, check that the login form is not inside a frame from another domain.
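As an added example (not Bitwarden's code), this Python script lists the frames on a page whose origin differs from the top-level page, which is the check a user or a reviewer would want before triggering auto-fill: the extension matches the vault entry against the top-level URL, so a password filled into a cross-site frame leaves the site being logged in to. The page HTML and hostnames are constructed, and the base-domain helper is a deliberate approximation of the public suffix list.

```python
"""List iframes on a page whose origin differs from the top-level page.

Added example, not Bitwarden code. The sample page below is constructed:
a login page that embeds a first-party frame, a sibling-subdomain frame and
two third-party frames (an ad or a compromised widget).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_PAGE_URL = "https://www.example.com/account/login"
SAMPLE_HTML = """
<html><body>
  <form action="/login"><input type="password" name="pw"></form>
  <iframe src="/widgets/help"></iframe>
  <iframe src="https://auth.example.com/sso"></iframe>
  <iframe src="https://ads.attacker.test/promo"></iframe>
  <iframe src="//cdn.attacker.test/embed" sandbox></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> and <frame> element."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def origin(url: str) -> tuple:
    """(scheme, host, port) triple with default ports normalised, i.e. the
    browser's notion of origin."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def base_domain(host: str) -> str:
    """Crude registrable-domain approximation (last two labels). Enough for
    example.com vs attacker.test; real code needs the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_iframes(page_url: str, html: str) -> list:
    """Return [(absolute_src, verdict)] with verdict 'same-origin',
    'same-site' (same registrable domain, different origin) or 'cross-site'.
    Relative and scheme-relative src values are resolved against page_url."""
    collector = IframeCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    results = []
    for src in collector.srcs:
        abs_src = urljoin(page_url, src)
        frame_origin = origin(abs_src)
        if frame_origin == page_origin:
            verdict = "same-origin"
        elif base_domain(frame_origin[1]) == base_domain(page_origin[1]):
            verdict = "same-site"
        else:
            verdict = "cross-site"
        results.append((abs_src, verdict))
    return results


def cross_site_frames(page_url: str, html: str) -> list:
    """Only the frames into which an auto-fill would send credentials off-site."""
    return [src for src, verdict in classify_iframes(page_url, html) if verdict == "cross-site"]


if __name__ == "__main__":
    for src, verdict in classify_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:12s} {src}")
```

The same-site bucket is worth keeping separate: with Bitwarden's default base-domain URI matching, a frame on a sibling subdomain would also match the vault entry, so whether that is acceptable depends on whether you trust every host under the registrable domain.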

[medium] policy claims vs firmware analysis
Most users trust their vault to Microsoft Azure without realising it. An Azure outage makes the hosted service unavailable, and an Azure compromise exposes encrypted vault data, whose protection then rests entirely on your master password and KDF settings. Self-hosting avoids this dependency but requires sysadmin skills.

What they claim: Bitwarden offers self-hosting for complete data sovereignty

What we found: Cloud-hosted vaults (the default for most users) depend on Microsoft Azure infrastructure. Vault data is end-to-end encrypted, so a compromise of that infrastructure exposes ciphertext rather than plaintext, but where the data is stored and how available it is are controlled by Azure. Clients keep an encrypted local copy of the vault, so an outage blocks sync, new sign-ins and changes rather than access to already-synced entries. Self-hosting returns that control to the user but requires technical expertise most users don't have.

[low] firmware analysis vs app permissions
A security researcher reported a PDF export XSS vulnerability and initially got no response. For a product holding your passwords, slow response to security disclosures means real exposure time for users.

What they claim: Bitwarden's open-source model allows independent verification of security claims

What we found: CVE-2025-5138: a cross-site scripting vulnerability in PDF export; the initial disclosure went unanswered before the issue was fixed. Response time to security disclosures could be faster for a security-critical product.
