
Exploring the Weaknesses of Password Managers: Delve into KeepassXC and Bitwarden


Although there are several password management and secret vault solutions on the market, two stand out and are most often recommended by privacy advocates: KeepassXC and Bitwarden. Why? There are a couple of key reasons.


First, the price. KeepassXC is free because it ships only software, not a hosted service (a choice that brings certain limitations we will review later). Bitwarden is free for personal use and offers a premium plan that is among the most affordable on the market. Because Bitwarden's client and server code is open source, technically savvy individuals can also build and self-host the service from source at no cost.


Second, both KeepassXC and Bitwarden are open source. This transparency lets the security community review the code for hidden "back doors" that could leak customer information. For security software this matters: a user is entrusting the product with every credential they own, and public code makes it far harder for a vendor to quietly exfiltrate data or cooperate with intelligence agencies to intercept it without someone noticing. Open code enables review rather than guaranteeing it, but closed code rules review out entirely.


However, it is worth noting that not all of Bitwarden's code is open source in the traditional sense. The enterprise components are published under a separate source-available Bitwarden license that permits use for development and testing but not commercial use. This is understandable for two reasons. Commercial companies exist to bring value to their owners or shareholders, and they need to protect their intellectual property from competitors. Publishing source code under a permissive license works against that objective, which is why most commercial software vendors do not open their code at all.


The main reason for a security software company to open its source code is to earn customer trust by demonstrating that the product is reliable and does not spy on users. For that goal it is sufficient to make the code available for inspection, testing and personal use, without granting the right to modify and reuse it commercially.


So, how do KeepassXC and Bitwarden make money to develop and maintain their products? What is the catch, if any?


For KeepassXC, the model is straightforward: the software is free, but users must handle usability and data availability on their own. There is no hosted sync service, so features like keeping several devices up to date automatically are missing. If you use KeepassXC on your laptop and a compatible KeePass app on your phone, the two cannot update each other's data; you have to move the database file yourself and reconcile changes (KeepassXC can merge two database files, but you still drive that process). You can store the database in a shared or cloud-synced folder, but that approach suits only a limited number of tech-savvy users who understand the conflict and backup implications. Thus KeepassXC appeals primarily to a niche group of users who value its free, self-contained nature, while the majority of users may find it impractical.


Bitwarden, on the other hand, provides a highly available service with synchronization between devices and basic access for free. However, this comes with privacy limitations: registration requires an email address, creating a link between user identity and data.


Bitwarden describes its design as "zero-knowledge encryption": the vault is encrypted on your device with a key derived from your master password, and neither the master password nor that key is ever sent to the server, which stores only ciphertext and a hash it can use to authenticate you. This should not be confused with zero-knowledge identity. Client-side encryption of this kind, often marketed as end-to-end encryption (e2ee), is used by most hosted password managers. The term "zero knowledge" merely sounds more scientific and borrows its prestige from zero-knowledge proofs, a different cryptographic concept associated with privacy-centric cryptocurrencies.


Some might suggest using a temporary, anonymous email address for registration. However, this is not a long-term solution, as you will likely need to provide your real email address eventually for several reasons:


Account Identity and Recovery: your email address is your login identifier, and Bitwarden sends new-device verification prompts and email-based login codes to it. Note that Bitwarden cannot reset a forgotten master password, precisely because it never holds the key; the email is how you prove who you are, not a way to get the vault back. Losing access to that mailbox can still lock you out of your own account.

Security Notifications: Important security updates and alerts are sent to your registered email. Using a temporary email could mean missing critical notifications.

Two-Factor Authentication (2FA): email is itself one of Bitwarden's two-step login methods, and verification prompts for unrecognised devices go to the registered address. A temporary mailbox is not suitable for this purpose.

Subscription Management: For premium features or paid plans, Bitwarden uses your email for billing and subscription management.

Support and Communication: Bitwarden may need to communicate with you via the registered email for support queries. A temporary email could hinder effective communication.


Therefore, the requirement for email registration poses a privacy weakness in Bitwarden’s model.


Additionally, if Bitwarden is breached or subpoenaed, whoever obtains its database gets your email, your account metadata, your encrypted vault and a hash derived from your master password. Nothing in that dump decrypts the vault directly, but it enables offline guessing: an attacker runs candidate passwords through the same key derivation Bitwarden's client uses and compares the result with the stored hash, and no server-side rate limit slows them down. What bounds the attack is the cost of the key derivation (PBKDF2-SHA256 with a high iteration count, or Argon2id, both selectable in account settings) together with the strength of the master password. A strong KDF setting cuts an attacker's throughput from billions of raw hash computations per second to on the order of thousands of guesses per second per GPU, which is enough to protect a long random passphrase but not a short, common or reused master password. The master password is therefore the single point of failure in the model, and a weak one undermines everything else the system does. This is a notable security weakness of any hosted vault, Bitwarden included.
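The following Python is an added example, written for this page and not taken from the original post or from Bitwarden's code base. It models the client-side derivation Bitwarden documents (PBKDF2-HMAC-SHA256 over the master password, salted with the lower-cased email, followed by one more round to produce the login hash) to show two things from the paragraphs above: what the server actually holds (an identity, KDF parameters and a hash, never the key), and how an offline dictionary attack against a leaked record proceeds and how its speed depends on the iteration count. Assumptions: the leaked value is taken to be the client-side login hash (a real server re-hashes it once more, which only adds a fixed cost per guess); the email address and wordlist are constructed for the example; Argon2id is not modelled.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample data for this example (not a real account or leaked data).
EMAIL = "alice@example.com"
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "welcome1"]


def master_key(password: str, email: str, iterations: int) -> bytes:
    """Client-side master key, modelled on Bitwarden's documented scheme:
    PBKDF2-HMAC-SHA256 over the master password, salted with the trimmed,
    lower-cased email address. This value never leaves the client."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def master_password_hash(password: str, email: str, iterations: int) -> str:
    """What the client sends to log in: one extra PBKDF2 round over the master
    key, salted with the password itself, base64-encoded. Assumption for the
    example: a leaked database exposes this value directly."""
    key = master_key(password, email, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 1, dklen=32)
    return base64.b64encode(auth_hash).decode("ascii")


def server_view(password: str, email: str, iterations: int) -> dict:
    """The record a breach or subpoena would yield for one account: identity,
    KDF parameters and a hash. Note what is absent: the key and any plaintext."""
    return {
        "email": email.strip().lower(),
        "kdf": "PBKDF2-SHA256",
        "kdf_iterations": iterations,
        "master_password_hash": master_password_hash(password, email, iterations),
    }


def offline_dictionary_attack(record: dict, wordlist: list) -> tuple:
    """Offline guessing against a leaked record: re-derive the hash for every
    candidate and compare. No server is involved, so no rate limit applies;
    only the KDF cost bounds the attacker's throughput.
    Returns (password, guesses) on success or (None, len(wordlist))."""
    email = record["email"]
    iterations = record["kdf_iterations"]
    target = record["master_password_hash"]
    for tried, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(master_password_hash(candidate, email, iterations), target):
            return candidate, tried
    return None, len(wordlist)


def guesses_per_second(email: str, iterations: int, samples: int = 5) -> float:
    """Rough single-core throughput of the derivation at a given iteration
    count; a GPU cracker is faster by orders of magnitude but scales the same way."""
    start = time.perf_counter()
    for i in range(samples):
        master_password_hash(f"candidate-{i}", email, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # 600,000 is Bitwarden's current PBKDF2 default; 1 shows the cost of an unstretched hash.
    for iters in (1, 600_000):
        record = server_view("letmein", EMAIL, iters)
        assert "master_key" not in record  # the key is never part of what the server holds
        found, tried = offline_dictionary_attack(record, WORDLIST)
        print(f"iterations={iters:>7}: cracked {found!r} after {tried} guesses, "
              f"~{guesses_per_second(EMAIL, iters):,.0f} guesses/s on one CPU core")
    strong = server_view("correct horse battery staple", EMAIL, 600_000)
    print("strong passphrase against the same wordlist:", offline_dictionary_attack(strong, WORDLIST))
```

Run as a script it prints the cracked weak password under both settings, with the guess rate collapsing by several orders of magnitude at 600,000 iterations, and shows the long passphrase surviving the same wordlist. The iteration count only multiplies the attacker's cost; it is the entropy of the master password that decides whether that cost is ever high enough.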


KeepassXC and Bitwarden both offer valuable solutions for password management, but each comes with significant weaknesses. KeepassXC, while free and open source, lacks usability features like device synchronization, making it impractical for the average user. Bitwarden, though user-friendly and feature-rich, has privacy and security limitations: its email registration requirement ties your identity to your data, and a breach or legal subpoena of its servers exposes your master password to offline guessing. Users should weigh these trade-offs carefully before deciding which solution best meets their needs.

