Bitwarden
Bitwarden is an open-source password manager from the US company Bitwarden, Inc., headquartered in California. It encrypts your vault end-to-end with AES-256 on your own device (a zero-knowledge architecture), so Bitwarden itself cannot read your data. Its two standout traits are an unusually strong free tier and a fully open, independently audited codebase. The main caveat for a DACH audience is its US base, which brings the CLOUD Act into play.
What is Bitwarden?
Apps, browser extensions, and server code are released under open-source licenses (GPLv3 for the clients, AGPLv3 for the server). Only a handful of features aimed at large enterprises sit under a separate, paid Bitwarden license. This openness is Bitwarden’s strongest argument. The code can be independently reviewed, and technically savvy individuals or companies can self-host the service on their own infrastructure if they want (though they then also take on backups and operations). By its own account, more than 10 million people and over 50,000 organizations use it.
How secure is Bitwarden?
Bitwarden follows the zero-knowledge principle, a form of zero-access encryption. Your entries are encrypted on your device with AES-256 (in CBC mode, authenticated with HMAC-SHA256) before they ever reach the server. AES-256 is the established and most widely vetted encryption standard; some providers, such as NordPass, use the newer XChaCha20, and both are considered secure. The encryption key is derived on your device from your master password (by default with PBKDF2-SHA256 at 600,000 iterations, optionally Argon2id) and never leaves it. The server only receives a separate hash for logging you in, and the key cannot be recovered from that hash. As a result, Bitwarden itself cannot read your passwords, and neither can anyone who gets hold of its database.
This security is backed by external audits. Bitwarden has its code reviewed every year by independent firms such as Cure53. In 2025, a research group at ETH Zurich analyzed the encryption even under the assumption that Bitwarden’s own server is malicious, which is exactly the threat model a zero-knowledge service has to withstand. So you can rely on independent assessments rather than Bitwarden’s own word. Even the free plan offers two-step login via an authenticator app or a FIDO2/WebAuthn security key, and it can store and use passkeys. Like other password managers, Bitwarden generates strong passwords or memorable passphrases on demand.
What does Bitwarden’s US headquarters mean for the nDSG?
This is the most important point for businesses in Switzerland. Bitwarden does offer an EU region (bitwarden.eu), where data sits on European servers. As a US company, though, Bitwarden is subject to the US CLOUD Act, which lets US authorities access a US provider’s data under certain conditions, regardless of where the servers are located.
The key distinction is between content and metadata. Your passwords and notes are end-to-end encrypted and stay unreadable even in response to a government request, because the key never leaves your devices. Administrative data, on the other hand, such as your email address, subscription status, or (for Teams and Enterprise accounts) event logs that include IP addresses, is something a US provider can be compelled to hand over. For the transfer of personal data, Bitwarden is registered under both the EU-US and the Swiss-US Data Privacy Framework. For your nDSG assessment, this content-versus-metadata distinction is what matters most.
What does Bitwarden cost?
Bitwarden’s free plan is unusually generous. It allows unlimited entries across unlimited devices, including passkey management and 2FA. For most individuals, that is enough. Premium costs just under USD 20 per year (as of May 2026) and adds encrypted file attachments, TOTP codes right inside the vault, and advanced 2FA options. In early 2026, Bitwarden noticeably raised the prices for Premium and the Families plan and, in return, expanded storage and security features. Even after that, Bitwarden remains considerably cheaper than 1Password. For teams, there are plans from about USD 4 per user per month (Enterprise around USD 6) with user management, SSO, and directory integration, billed per user. You can find current prices on Bitwarden’s pricing page.
Where does Bitwarden reach its limits?
Bitwarden is capable and secure, but more utilitarian to use than some of its rivals. In comparison tests, 1Password and NordPass are seen as more approachable in setup and interface, especially for less technical team members. Its admin console and reporting are also leaner than those of these providers. German-language support runs mostly through tickets, and in practice the replies often come back in English.
In April 2026, there was a security incident involving the Bitwarden CLI, the command-line tool that lets you wire Bitwarden into scripts and build pipelines. For about an hour and a half, a tampered version of this CLI was available through the npm package registry before Bitwarden pulled it and followed up with a clean release (2026.4.1). The password manager itself was not affected: user data and the hosted service were untouched, and only the CLI’s npm package was compromised. The practical consequence falls on anyone whose machines or pipelines installed or updated the CLI from npm during that window. Such an install should be treated as untrusted until it has been replaced with the clean release (bw --version shows what is installed) and the credentials that machine could reach have been reviewed. You can read what happened and who needed to act in our analysis of the CLI incident.
Who is Bitwarden a good fit for?
For cost-conscious SMEs and technically savvy founders who value open source or want to self-host, Bitwarden is one of the strongest options on the market. For privacy-conscious individuals too, the free plan delivers solid security.
If server location and a Swiss connection are your priority, for example for clients in law, medicine, or the public sector, Proton Pass is the obvious alternative. Proton is headquartered in Switzerland and is not subject to the CLOUD Act. If, on the other hand, you want especially easy-to-use software and mature admin tools, 1Password or NordPass will serve you well. You will find a direct comparison in our password manager comparison for SMEs.
Frequently Asked Questions (FAQ) about Bitwarden
What happens if I forget my master password?
Bitwarden cannot reset your master password, because it follows the zero-knowledge principle and never holds the key. Without your master password, the vault stays locked. So keep your master password somewhere safe outside Bitwarden, store the recovery code for your 2FA, and, if your plan includes it, set up Emergency Access for a trusted contact.
Should I choose bitwarden.com or bitwarden.eu?
If you are in the DACH region, the EU region (bitwarden.eu) is usually the natural choice, because your data then sits on European servers. Note that you set the region when you create the account, and every app and browser extension has to be pointed at the same region when you log in; switching regions later is only possible through a manual export and re-import. So make a deliberate choice from the start.
How secure is Bitwarden compared with a browser’s password manager?
A dedicated password manager like Bitwarden offers more than the stores built into Chrome, Firefox, or Edge. You get sync across devices and browsers, independently audited end-to-end encryption, secure sharing (for example the Netflix password within the family), and features such as passkey management. The browser-based options are convenient, but tied to their respective ecosystem and considerably more limited in scope.
Should I store my 2FA codes in Bitwarden?
Bitwarden can also generate and store TOTP codes for two-factor authentication (a Premium feature). That is convenient and still safer than no 2FA at all, but it keeps your password and second factor in one place: whoever gets hold of your unlocked vault, a vault export, or your master password has both factors at once. For especially sensitive accounts such as email or banking, it therefore makes sense to keep the second factor in a separate app or on a hardware key (for example YubiKey or Nitrokey).
Should I self-host Bitwarden or Vaultwarden?
Bitwarden can be officially self-hosted via Docker. Vaultwarden is an unofficial, lightweight alternative written in Rust that is compatible with the Bitwarden apps and suits home servers or small setups. In both cases, responsibility for backups, updates, and securing the server is entirely yours. Vaultwarden is also not maintained by Bitwarden and sits outside its audits and certifications; for regulated environments, the official option is the safe choice.
Sources
- Bitwarden: Annual third-party security audits
- Bitwarden: Compliance (ISO 27001, SOC 2/3)
- Bitwarden Help: Server regions (US/EU)
- Bitwarden Help: Administrative data (what metadata is stored)
- Bitwarden Help: Emergency Access
- Bitwarden: Privacy Policy (EU-US & Swiss-US Data Privacy Framework)
- BusinessWire: Bitwarden enhances Premium and Families plans (January 2026)
- NordPass: Security (XChaCha20)
- Vaultwarden: GitHub repository