My problems with Bitwarden’s lax security measures

Imagine this – you got all your secrets stashed in a box, that requires a key. This box is sitting in a very public place, say your city’s park. Also, a LOT of copies of the keys lie hidden away, somewhere – if you really know how to look, they’re there. You’re just trusting that people don’t know how to look for these keys, and it helps you sleep soundly at night.This, well, the above, is Bitwarden. What’s Bitwarden? Bitwarden is probably the most commonly used Password Manager, after LastPass decided to slash the free tier. Bitwarden stores all your secrets, all username, passwords, maybe some secure notes, some credit card details. All of your digital life is there.

Here’s the problem though, the key to access all this data might already exist on the internet. Actually, scratch that, it PROBABLY does exist on the internet! Can you verify this? Yes, but you have to pay unfortunately. So, now, there is a price tag against your online security. What do I mean? Bitwarden does offer some kind of audit, like LastPass did. But this is locked for premium users only, listed under Vault Health Reports. Actually, I have no idea whether they check your username and master password – and I don’t want to compromise my account to verify whether this exists.

On the same subject, I bet that most of the users who use Bitwarden re-use passwords for their Master Password, probably passwords that got compromised in the past and tempted them to start using Bitwarden in the first place? Am I speaking from experience? I’ll let you answer that one yourself. There is no need to try it on my account though, promise!

Also, it gets worse. If your details do INDEED exist and someone compromises them, you’re done. By default (or, at least for me) – 2FA is not turned on by default. So if someone does get hold of your details – you’re toast. Why isn’t 2FA enforced by default? My McDonalds app requires 2FA in order for my (initial) login to get some free fries! Why doesn’t my literal secret chest enforce 2FA? Not to mention, that I don’t really like the 2FA that is offered with the free version – for this kind of 2FA I prefer SMS – but that’s just my opinion.

Sorry – but another thing. I think that having your username as your email is quite silly as well. I’d prefer to pick a username which might be arbitrary and exist only in Bitwarden’s universe. But by having the email as the username prevents me from doing so. That means, by simply signing up to the services, my account is automatically searchable against billions of compromised passwords, such as I’d prefer if the username was some actual free-text field. Gmail users MIGHT be able to get away task-specific emails.

Here’s a take-away of all my woes:

  • The free account does not come strong auditing capabilities, such as re-used passwords.
  • Master passwords probably use reused passwords
  • 2FA is not on by default
  • Username must be your email address

Of course, I understand that Bitwarden, as a company, is there to make money at the end of the day, but I feel that profits are coming in at the expense of giving people a proper secure platform to trust literally all their online (and offline) secrets, which is a bit of a shame! In all fairness, the subscription for a year is very low at only $10 which solves the auditing issue and better 2FA capabilities.

Fortunately, this is all hypothetically, but this kept me up all night, literally. Onto the next one!