
Bitwarden

Open-source password manager with zero-knowledge encryption. Free tier with no meaningful limits. Self-hostable. Passkey support across all plans.

Strong
Website: https://bitwarden.com
Reviewed: 2026-04-02
Editorial assessment by Mike Schneider, based on public security research and audits

What should journalists know about Bitwarden?

Bitwarden is the strongest free password manager available and one of the most trustworthy tools we evaluate. It is open-source under GPL 3.0, independently audited annually by Cure53 and Insight Risk Consulting, and uses zero-knowledge encryption (AES-256 + Argon2id by default). The company cannot access your vault even under legal compulsion. The free tier has no meaningful limitations. Self-hosting is available for full data sovereignty. The January 2026 price hike (Premium nearly doubled to $19.80/year) stung longtime users, but it is still half the cost of 1Password ($35.88/year). Bitwarden now stores and syncs passkeys across all plans, including free, which is a genuine differentiator. The main tradeoff vs. 1Password: Bitwarden's UI is more utilitarian, and it lacks 1Password's Travel Mode for border crossings. But the code is public, the audits are public, and the free tier is real.

Best for

Password management, passkey storage, 2FA code storage, secure credential sharing. Anyone who wants open-source transparency and a free tier that actually works.

Not for

If you want the most polished UI and Travel Mode for border crossings, 1Password is better. If your newsroom already has 1Password through 1Password's journalist program, switching may not be worth the friction.

Security & Privacy

Encryption in transit: Yes
Data is scrambled while being sent to their servers

Encryption at rest: Yes
Data is scrambled when stored on their servers

Data jurisdiction: United States (Bitwarden, Inc. based in Santa Barbara, CA). Cloud-hosted on Microsoft Azure. Self-hosting option available for full jurisdiction control; this is the single best mitigation for jurisdiction concerns.
Where servers are located, which affects which governments can request your data

Security rating: Strong

Privacy policy summary

Zero-knowledge architecture. Bitwarden cannot access, read, or decrypt your vault data. Master password and encryption key never leave your device. Vault data is encrypted locally before transmission. Compliant with SOC 2 Type 2, SOC 3, HIPAA, and GDPR. Annual third-party audits published publicly.

How to protect yourself:

- Use a strong, unique master password (16+ characters).
- Enable 2FA on your Bitwarden account: hardware keys (YubiKey, etc.) are strongest; TOTP is adequate.
- Use the password generator for all new accounts.
- Set up passkey login for your vault if your browser supports it.
- Self-host if you need full control over your data.
- Review the Vault Health Report regularly to find weak or reused passwords.
- On Premium, you can store up to 10 security keys for 2FA.

Open-source (GPL 3.0), independently audited annually (Cure53, Insight Risk Consulting, Fracture Labs), zero-knowledge encryption, SOC 2 Type 2 certified. Self-hostable for full data control. Passkey support across all plans. The May 2024 metadata exposure was limited in scope and did not compromise encrypted vaults. One of the most trustworthy tools in our evaluation set.

Who Owns This

Owner: Bitwarden, Inc.
Funding: Growth equity. $100M Series B from PSG Equity in September 2022, with participation from Battery Ventures. No additional rounds disclosed since. Estimated revenue $5M–$25M annually (private company, not confirmed).
Business model: Freemium. Revenue from Premium, Families, Teams, and Enterprise subscriptions. Free tier is fully functional for individual use. Enterprise tier adds SSO, SCIM provisioning, directory sync, and Access Intelligence.

Known issues

In May 2024, an unauthorized third party accessed a Bitwarden production environment via a compromised employee credential. Customer metadata (email addresses, display names) was exposed, but encrypted vaults were not accessed. CVE-2025-5138 allowed XSS via malicious PDF uploads (patched — PDFs now force-download instead of rendering in-browser). In late 2024, community backlash over a proprietary SDK license led Bitwarden to re-license the SDK under GPL 3.0 — the resolution was commendable, but the initial move raised trust questions. The January 2026 Premium price hike (98% increase) drew criticism for how it was communicated, though the price remains competitive.

Pricing

Free for individuals (unlimited passwords, unlimited devices). Premium: $19.80/year (raised from $10 in January 2026 — first price increase in 10 years). Families: $47.88/year (6 users). Teams: $4/user/month. Enterprise: $6/user/month. Enterprise includes a complimentary Families plan for every employee.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
