The Bitwarden Blog

How Bitwarden protects cloud users

Authored by: Micah Edelblut

More than 10 million users in over 180 countries use Bitwarden cloud to store their important information. These users trust Bitwarden to keep their accounts safe, and that responsibility is taken seriously.


Letting users in and keeping bad guys out

Bitwarden has two goals when protecting users of the Bitwarden cloud service: 

  1. Users should have easy access to their data

  2. Bad actors should have insurmountable barriers to accessing users’ data

These two goals pull against each other, so there is always a balance to strike. Making it simple for users to log in can inadvertently open paths for bad actors. Similarly, anything that inhibits bad actors can add a little friction for end users. Every new enhancement goes through significant consideration, research, and planning to uphold each goal without negatively impacting the other.

Strong authentication as a first defense

The initial line of protection is making sure that the user attempting to log in is legitimate. In recent years, Bitwarden developed and released new features that improve the security of logging in while also improving convenience. Login with Device, Login with Passkey, and, for enterprise users, SSO with trusted devices allow you to authenticate to your Bitwarden apps without entering a master password.

Other security measures improving authentication strength include increasing the minimum length of a master password and also making the most secure two-step login option free for every Bitwarden plan, allowing any user to set up a passkey or hardware security key for the best protection.

Deterring attackers with roadblocks

Additional security comes from making it harder for attackers to even launch an attack. Bitwarden requires a valid email address when registering to ensure that users receive important security alerts, such as notifications for new devices logging in. Similarly, accounts without two-step login (2FA) enabled will have to verify new devices during the login process. These changes make it harder for bad actors to attempt to gain access to users’ accounts and make it impossible for attacks such as credential stuffing (automated password guessing) to succeed.


Protection of data in the cloud

Encryption

End-to-end encryption
Your data is end-to-end encrypted, which is a fundamental aspect of data security. The only time that your data is unencrypted is when you’re viewing it, and it never leaves your device in an unencrypted state. This is why your master password is so important. In simple terms, it’s the key that is used to unlock your vault. Before your vault is synced to the Bitwarden cloud, it’s encrypted, so only the scrambled data is ever stored on Bitwarden (or self-hosted) servers.

Zero-knowledge encryption
Unlike most online services, Bitwarden uses zero-knowledge encryption, meaning that only you have the keys to your encrypted vault data. Bitwarden doesn’t know your master password; it never leaves the device you type it in on. This means that neither Bitwarden nor anyone else can see the contents of your vault. This also means Bitwarden cannot reset a forgotten master password, so take care to fill out a security readiness kit!

Encryption in transit
On top of the encryption already applied at the vault level, your data is transmitted to the Bitwarden cloud over secure channels using the tried-and-true Transport Layer Security (TLS) that most websites use today (think https://). This way someone snooping on your network traffic never gets access to your vault data.
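To make the end-to-end and zero-knowledge points above concrete, here is an added Python model that is not Bitwarden's own code: the KDF setting and the HMAC-based toy cipher are stand-ins chosen for this illustration, and the key/login-hash split is modelled loosely on the derivation described in the Bitwarden Security Whitepaper. It shows that the device derives both the vault key and a separate login hash from the master password, and that the cloud only ever receives the login hash and ciphertext.

```python
import hashlib
import hmac
import secrets

# Constructed KDF setting for this illustration; real clients use PBKDF2-SHA256 or Argon2id with their own, user-configurable parameters.
KDF_ITERATIONS = 100_000

def derive_master_key(master_password: str, email: str) -> bytes:
    """Runs on the device only: stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), KDF_ITERATIONS)

def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """One-way value sent to the server for login; it reveals neither the key nor the password."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream standing in for AES; illustration only.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def _subkeys(master_key: bytes):
    # Separate encryption and MAC keys derived from the master key.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())

def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device; only the returned blob is synced to the cloud."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_vault(master_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def server_store(auth_hash: bytes, blob: bytes) -> dict:
    """Everything the cloud holds for one account: a re-hashed login value and ciphertext."""
    return {"auth_hash": hashlib.sha256(auth_hash).digest(), "vault": blob}

def server_login(record: dict, auth_hash: bytes):
    """Server checks the login hash without ever learning the master password or vault key."""
    ok = hmac.compare_digest(record["auth_hash"], hashlib.sha256(auth_hash).digest())
    return record["vault"] if ok else None
```

Nothing in the server record can be turned back into the master password or the vault key, which is why a forgotten master password cannot be reset by the service.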

Review the Bitwarden Security Whitepaper for a deeper dive on Bitwarden encryption.

Multifactor encryption in the Bitwarden cloud

Covered more deeply in this blog on Bitwarden multifactor encryption, Bitwarden takes additional security measures on the Microsoft Azure cloud servers that store users’ encrypted data. Bitwarden performs column-level encryption on the database itself, protecting important authentication hashes and user keys. On top of that, Microsoft Azure also places a level of Transparent Data Encryption on the stored data, with encryption keys managed by the Azure process itself. These protections make accessing vault data without a master password virtually impossible.


Defending the perimeter

As the Bitwarden community grows, the Bitwarden service becomes a more appealing target for bad actors. Developments in AI have also increased the threat by enabling sophisticated credential-stuffing attacks that continuously try to breach the defensive perimeter. Implementing robust cloud security solutions counters these sophisticated threats.

Bitwarden has leveled up against these automated attacks with new, state-of-the-art tools to keep the infrastructure edge secure. Bitwarden has also increased the ranks of the cloud security team, which stays ever vigilant for the signs of new attacks while maintaining the Bitwarden cloud service.

You, the user, have a role to play as well. Always use your best judgment when receiving emails from Bitwarden or when searching online. Bitwarden lists the types of communications from the company and around the product in this help article: Emails from Bitwarden. When on the web, be sure that you are accessing the official URLs of bitwarden.com and bitwarden.eu, with vault.bitwarden.com and vault.bitwarden.eu being the corresponding URLs for the web app.

The Bitwarden cloud is secure

All these measures (strengthened authentication, vault-level encryption, additional layers of encryption, and a dedicated cloud security team) show the Bitwarden commitment to securing your password vault in the cloud. In addition, Bitwarden is compliant with all major industry security standards and serves thousands of businesses worldwide, including governments and agencies, who have full trust in Bitwarden security and operations. And, for those who still prefer something beyond cloud solutions, Bitwarden offers a fully functional self-host deployment to run on your own servers behind whatever layers of security you prefer.

Interested in securing yourself or your business with Bitwarden? Try a 7-day free trial for a business account, or create a free individual account today!

Get started with Bitwarden today.