The most accessible full-featured password manager — open source, cross-platform, and cloud-synced with a free tier that covers most users' needs.
This toolkit is for informational purposes. Security needs vary by situation. No tool guarantees complete privacy or anonymity.
AES-256 encryption with PBKDF2/Argon2 key derivation; zero-knowledge architecture means Bitwarden cannot access vault contents.
Requires an email address to create an account, linking the vault to an identity unless an anonymous email is used.
Client and server code are fully open source; regular third-party security audits by Cure53 and others.
US-based company (8bit Solutions LLC); zero-knowledge design limits what could be compelled, but US jurisdiction applies.
Operating since 2016 with no known breaches of encrypted vault data; strong community trust and transparent incident handling.
Best-in-class cross-platform experience with browser extensions, autofill, and seamless sync that rivals commercial competitors.
Web, iOS, Android, Windows, Mac, Linux, browser extensions for every major browser, and a CLI — the widest platform coverage available.
Free tier covers core features; premium requires payment via card or PayPal with no anonymous payment option.
Bitwarden is an open-source password manager that stores all your credentials in an end-to-end encrypted vault synchronized across your devices. In a crisis scenario, your digital identity is only as secure as your weakest password — and if you're reusing passwords (which most people do), a single breach can cascade across every account you have. Bitwarden solves this by generating and storing unique, complex passwords for every account, locked behind a single master password that only you know. The vault is encrypted on your device before it's uploaded to Bitwarden's servers, meaning Bitwarden cannot read your passwords even if their servers are breached.
For exit preparedness, a password manager is critical infrastructure. You'll be creating new accounts across multiple privacy tools — ProtonMail, Mullvad VPN, Signal — and each one needs a strong, unique password. You'll also need to manage recovery codes, encryption keys, 2FA backup codes, and account numbers. Bitwarden provides a single, encrypted container for all of this information that's accessible from any device with your master password. If your phone is lost or seized, you can restore your entire digital identity by logging into Bitwarden on any new device.
Bitwarden's advantage over KeePassXC (the other top-ranked password manager) is cloud sync. Your vault is available on every device automatically, and you can access it through a web browser in emergencies. The trade-off is that your encrypted vault sits on Bitwarden's servers, which introduces a dependency on their infrastructure. For most users, the convenience of cloud sync outweighs this risk, especially given the zero-knowledge encryption model.
Bitwarden uses AES-256-CBC for vault encryption, HMAC-SHA256 for data integrity, and PBKDF2-SHA256 with 600,000 iterations (configurable to higher values) or Argon2id for deriving the encryption key from your master password. The encryption key is derived entirely on your device — your master password is never sent to Bitwarden's servers in any form. Instead, the derived key encrypts your vault locally, and only the encrypted blob is synced. Bitwarden's servers store only encrypted data that is computationally infeasible to decrypt without the master password.
Each item in your vault (passwords, notes, cards, identities) is individually encrypted, not just the vault as a whole. This means the encryption is granular, and sharing individual items (a Bitwarden Organizations feature) can be done without exposing the rest of your vault. The vault is encrypted at rest on Bitwarden's servers and encrypted in transit via TLS. Even the folder names and organization structure of your vault are encrypted. Bitwarden has published detailed documentation of their encryption model, and it has been validated through independent security audits.
Bitwarden allows account creation with only an email address — no phone number, no real name, no payment. You can sign up with an anonymous ProtonMail address, creating no link between your Bitwarden account and your real identity. Bitwarden does not require email verification to use the vault (though it's recommended for account recovery). The service can be accessed through Tor Browser without blocks or additional verification.
Bitwarden logs minimal metadata: your account email, the date of account creation, and the date of last login. They do not log IP addresses in normal operation. If you access Bitwarden only through a VPN or Tor, the email address is the only identifier — and if that email is anonymous, your Bitwarden account is effectively anonymous. For maximum isolation, you can self-host Bitwarden (using Vaultwarden, a compatible open-source implementation) on your own server, eliminating even the encrypted vault from Bitwarden's infrastructure.
Bitwarden's client applications (desktop, mobile, browser extensions, CLI), the web vault, and the server-side code are all open source, available on GitHub under the GPLv3 and AGPLv3 licenses. This is a significant differentiator — most commercial password managers (1Password, Dashlane, LastPass) are closed source, requiring you to trust their encryption claims without verification. With Bitwarden, you can read the encryption implementation, verify the key derivation, and confirm that your master password never leaves your device.
Independent security audits have been conducted by Cure53 (2018, 2022), Insight Risk Consulting (2020), and Acrosec (2023). All audit reports are published on Bitwarden's website. The audits have confirmed that the zero-knowledge architecture works as claimed and have found no critical vulnerabilities in the encryption implementation. Bitwarden also runs a bug bounty program through HackerOne. The open-source Vaultwarden project (a community implementation of the Bitwarden server API) provides an additional option for self-hosting that has been independently reviewed by the open-source community.
Bitwarden, Inc. is incorporated in the United States (Santa Barbara, California). U.S. jurisdiction means the company is subject to U.S. law enforcement requests, including potential National Security Letters and FISA orders. However, Bitwarden's zero-knowledge architecture means they cannot comply with requests for vault contents — they physically do not have the encryption keys. A legal request to Bitwarden would yield encrypted data that is useless without your master password.
Bitwarden publishes a transparency report and has stated that they would challenge any request that exceeded the scope of applicable law. The company's privacy policy explicitly states that they cannot access vault data. For users who want to eliminate U.S. jurisdiction entirely, self-hosting Bitwarden on a server in a privacy-friendly country (Switzerland, Iceland, Romania) is a supported option using the official server code or Vaultwarden.
Bitwarden launched in 2016 and has grown to over 17 million users without a security breach that exposed vault data. In contrast, LastPass (the former market leader) suffered breaches in 2022 that resulted in encrypted vault data being stolen — and subsequently, some vaults were cracked due to weak master passwords and outdated encryption parameters. Bitwarden's higher default PBKDF2 iterations and support for Argon2id provide stronger protection against this class of attack. The Bitwarden team responded to the LastPass incident by increasing their default PBKDF2 iterations and encouraging users to switch to Argon2id.
The company is led by Kyle Spearrin, who founded the project as an open-source alternative to closed-source password managers. The decision to keep the project open source, even as it grew commercially, has maintained community trust. Bitwarden is recommended by Privacy Guides, the EFF, and numerous security professionals. The product has maintained a clean security record while growing rapidly, which is a strong indicator of sound engineering practices.
Bitwarden is straightforward to use. After creating an account, you install the browser extension, which automatically detects login forms and offers to save new credentials. When you revisit a site, Bitwarden auto-fills your username and password. The desktop app and mobile apps provide the same vault access with biometric unlock (fingerprint or Face ID) for convenience. The interface is clean and functional — less polished than 1Password's but entirely adequate.
Migrating from another password manager or from browser-saved passwords is simple: Bitwarden supports importing from Chrome, Firefox, 1Password, LastPass, KeePassXC, and over 40 other sources. The import process takes minutes. For non-technical users, the browser extension provides the most frictionless experience — install it, create an account, and Bitwarden handles password generation, storage, and autofill automatically. The password generator creates strong random passwords (configurable length, character types, or passphrases) so you never need to invent a password again.
Bitwarden has apps for every platform: Windows, macOS, Linux (AppImage, deb, rpm, snap), iOS, Android, and browser extensions for Chrome, Firefox, Safari, Edge, Brave, Vivaldi, and Opera. There is also a web vault accessible from any browser and a command-line interface for advanced users. All platforms sync through Bitwarden's cloud servers (or your self-hosted server) with the same encrypted vault. Feature parity is excellent across all platforms.
The mobile apps support biometric unlock, auto-fill for apps and browsers, and the same vault management as desktop. The browser extension is the primary interface for most users and integrates directly with web forms. The CLI tool enables scripting and automation for power users. Offline access is supported on all platforms — the vault is cached locally in encrypted form and accessible even without an internet connection, syncing changes when connectivity is restored.
Bitwarden's free tier is exceptionally generous and sufficient for crisis use: unlimited passwords, unlimited devices, a password generator, secure note storage, and Bitwarden Send (encrypted file sharing). No payment is required for these features. The free tier has no time limit and no artificial restrictions designed to push you toward paying.
Premium plans ($10/year for individuals, $40/year for families) add advanced 2FA options (YubiKey, FIDO2), 1 GB encrypted file storage, emergency access, and vault health reports. Bitwarden accepts credit cards and PayPal for premium plans. They do not currently accept cryptocurrency directly, though you can purchase Bitwarden gift cards or use privacy.com virtual cards to pay without revealing your real payment information. For crisis privacy, the free tier provides everything you need — premium is a nice-to-have, not a necessity.
Create a Bitwarden account at vault.bitwarden.com using an anonymous email address (your ProtonMail account created earlier in the privacy setup process). Choose a strong master password — this is the most important password in your life. Use a passphrase of at least 5 random words (e.g., "correct horse battery staple" style) that you can memorize. This password cannot be recovered if lost — Bitwarden's zero-knowledge design means they cannot reset it. Write it down on paper, store it in a physically secure location, and memorize it as soon as possible. Then destroy the paper.
Install the Bitwarden browser extension from your browser's extension store (on Brave, use the Chrome Web Store). Log in with your account. The extension will now detect login forms and offer to save credentials. When you create a new account on any service, use Bitwarden's password generator (click the Bitwarden icon > Generator) to create a random password of at least 20 characters. Save it in your vault. Install the Bitwarden app on your phone from the App Store, Google Play, or F-Droid and enable biometric unlock for convenience.
For crisis preparedness, store your critical recovery information in Bitwarden's secure notes: your Signal PIN, your Session recovery phrase, your Mullvad account number, your ProtonMail recovery information, and any 2FA backup codes. These notes are encrypted with the same AES-256 as your passwords. If you have a trusted person who should be able to access your vault in an emergency, set up Emergency Access (a premium feature) — this allows a designated contact to request access to your vault with a configurable waiting period (1-90 days) during which you can reject the request. Export your vault regularly (Settings > Export Vault > Encrypted JSON) and store the encrypted backup on an encrypted USB drive as a safeguard against service disruption.