Bitwarden brings security to tens of thousands of businesses globally, providing them with a world-class product, enterprise-level service, and a trusted partnership. Companies considering Bitwarden may have questions about how Bitwarden operates, for their own department or for procurement requirements. This vendor report helps as an evaluation tool for those looking to bring valuable Bitwarden password security to their business.
Product Strategy
Overall quality, responsiveness, and professionalism
Bitwarden outscored competitors in the third-party Software Reviews Data Quadrant Report for Vendor Capability Satisfaction and Product Feature Satisfaction. Bitwarden receives high marks and reviews on G2.
Sustained product development and roadmap
Bitwarden has a track record of commercial success since 2016, a strong community following, and a history of delivering on password management and beyond.
A public roadmap is updated quarterly and details updates to the Bitwarden Password Manager product. New products coming in 2023 include Bitwarden Secrets Manager for developer secrets and Passwordless.dev, enabling any developer to easily add passwordless authentication to their application.
Product release process
Bitwarden adheres to a five-week product development and launch cycle, with launch windows published ahead of time. The launch team has strict controls on the process, with extensive QA and regression testing beforehand. All updates to the code are visible on GitHub, with major updates documented in the Help Centre release notes.
Company business model
Organisational structure
The Bitwarden organisation is headed by CEO Michael Crandell, supported by Founder and CTO Kyle Spearrin, CFO Stephen Morrison, and CCO Gary Orenstein. Mr Spearrin leads the engineering organisation, including QA and DevOps, and the product team. Mr Orenstein heads sales, marketing, and customer success. Bitwarden is a growing organisation and is actively adding top talent to the company.
Financial viability
Bitwarden has millions of users, tens of thousands of business customers, and recently received a $100m growth investment to further develop the strong and growing business.
Experience with many types of businesses
Bitwarden works with customers of all sizes, including some of the world’s largest businesses and organisations, across many industries. Public customer materials are posted on the reviews and success stories page.
Partnership experience
Bitwarden supports partnerships and integrations with channel and technology solutions. Bitwarden most recently partnered with DuckDuckGo to provide a password management solution for their new browser.
Read more
Learn about Bitwarden executives and cybersecurity experts Michael Crandell and Gary Orenstein.
Understanding of the market and customer needs
Bitwarden objectives and vision
Bitwarden envisages a world where nobody gets hacked, where everyone has access to the basic tools necessary to stay safe online. This includes both businesses and individuals. The Bitwarden business offering serves all employees, scales easily, encourages secure collaboration, and provides cross-platform availability. Enterprise users benefit from a complimentary Bitwarden Families account to help secure their loved ones.
Investigating company needs
The Bitwarden team meets with customers to gain a deep understanding of their needs and operating model, including discussions with support teams and integration engineers. Further escalation and tailored solutions are available.
Password Manager Security
Zero-knowledge architecture
Bitwarden delivers an end-to-end, zero-knowledge encryption architecture. This means that nobody at Bitwarden, or anyone else, can view any sensitive data in your vault, and all vault data is encrypted.
Encryption at rest
Two additional rounds of encryption are applied to stored data, securely hosted on Microsoft Azure servers.
High-trust encryption standards
Bitwarden employs AES-256 CBC for vault data and encryption keys.
High level of entropy for encryption
User-input master passwords are hashed and cryptographically stretched to a 256-bit master key.
High level of KDF iterations
By default, Bitwarden uses PBKDF2 for key derivation with 600,000 iterations which can be set higher by end users.
Code auditing and penetration testing
Bitwarden code is open source and audited by third parties, with report results published online.
Compliance
The Bitwarden Security and Compliance Programme is based on the ISO 27001 Information Security Management System (ISMS). The Bitwarden Security Whitepaper provides an in-depth view of Bitwarden compliance and security.
Bitwarden also completes a wide range of compliance certifications including SOC 2, GDPR, CCPA, HIPAA, as well as penetration testing, code testing, and other third-party audits.
Administrative capabilities
Users with administrative roles have a wide range of management tools available, showcased in the Proof-of-concept checklist, and include account creation, system-wide policy creation, Login with SSO, Admin Password Reset, group and user sync, event logs and vault health reporting.
Export logging for SIEM functionality
Bitwarden allows audit logs to be exported and multiple APIs to be used to pull data into SIEM tools, such as Splunk, for automated monitoring.
Detailed information on data security
The Bitwarden Security Whitepaper provides in-depth details of the security behind Bitwarden, including encryption, data flows, cloud security and more.
Backup longevity
Bitwarden maintains point-in-time restore (PITR) policies for disaster recovery. Data storage on Bitwarden servers is configured with a strict 7-day retention policy for PITR, with no long-term retention.
Stored PII data and maintenance
Administrative data allows for account maintenance and service.
Bitwarden compliance
Bitwarden complies with GDPR, the Data Privacy Framework (DPF), CCPA, HIPAA and TAA. SOC 2, SOC 3 and the results of third-party audits are published online.
User interface
Ease of use and autofill
Autofill functions in browser extensions and mobile apps. In browser extensions, a keyboard shortcut, context window or interaction with the extension triggers autofill. These methods do not interfere with the coding of the web page being viewed.
On mobile, Bitwarden acts as an autofill service provider and integrates into the mobile device's operating system.
Custom fields for autofill may also be created as part of a vault item.
Administrator policies
Enterprise policies allow Enterprise organisations to enforce security rules for all users. Additional policies can be utilised through Login with SSO, taking advantage of your existing IdP authentication functionality.
Control and audit data sharing
Share within an organisation via groups and collections. Bitwarden Send offers a way to transmit data securely to anyone and maintains zero-knowledge encryption. If desired, Send can be disabled via an organisation-wide Enterprise policy.
Permissions determine what actions a user can take with the items in a particular collection. User roles are set at an individual-member level, and permissions can be set either for an individual member or for a group as a whole.
Event logs record over 50 different types of events. The event logs screen captures a timestamp for the event, client app information including application type and IP, the user connected to the event, and an event description.
Dark web and breach reports
Reports provide details of data breaches and more for individual user vaults and for administrators of organisation vaults.
Ability to use one credential for multiple URLs
Credentials may have multiple URIs assigned for use on multiple sites.
Ability to use multiple credentials for one URL
The user interface for Bitwarden clients lists the available logins for a website. The autofill hotkey can also be used to cycle through credentials quickly.
Re-authentication timers
Turning on the Vault timeout policy will implement a maximum vault timeout duration and timeout action.
Random password generation
Bitwarden clients include a built-in password generator to easily create strong, unique passwords and save them to the vault. The web-based Bitwarden generator offers the same generation logic as a free utility for anyone.
Time-bound sharing capability
Bitwarden Send can be used to distribute one-off and time-bound files or attachments. Bitwarden Secrets Manager enables advanced lifecycle credential management.
Availability
Reliability of applications and service
Real-time system updates and historical uptime are posted on the Bitwarden Status page. Bitwarden is approved and recommended in major app stores, passing performance and reliability requirements for each marketplace.
Compatibility
Bitwarden is available on all modern devices and platforms, including desktop (Windows, macOS and Linux), browser extension (Google Chrome, Mozilla Firefox, Safari, Microsoft Edge, Brave, Safari, Vivaldi, Tor Browser and Opera), mobile (iOS and Android), Command Line Interface (CLI), and by using the web vault.
Global languages
Bitwarden is translated into more than 50 languages worldwide.
Deployment flexibility
Bitwarden provides cloud hosting that suits the majority of businesses served. Self-hosting is available for organisations that have the IT resources to maintain a server and manage regular backups and recovery.
Proof of concept (POC) and functional testing
Bitwarden has created a proof-of-concept checklist to help evaluation teams get started. Including resources on:
Policies
SSO
Migration
Managed Devices
Get started with Bitwarden
Start a 7-day trial of Bitwarden today to begin evaluating how Bitwarden can help secure your business. Representatives are available through the contact form to help with additional questions and more product documentation is available in the Help Centre.