Disclosure: We earn a commission when you buy through links on this page. This doesn't change our rankings — we test everything ourselves.
Verdict
Bitwarden is the password manager I recommend to my security-conscious friends and my non-technical aunt, and it works adequately for both — but it’s the better fit for the friend. The security architecture is sound, the audit history is the most transparent in the field, and the free tier is genuinely unlimited. The £8/year Premium tier is half the price of the cheapest credible alternative (NordPass at £15-30/year) and a quarter the price of 1Password Individual.
The caveats are real: the iOS autofill UX is 6 points behind 1Password (88% vs 94% on our 50-site test), the desktop app is spartan, and — the critical one — if you’re migrating from LastPass with TOTP seeds, you will lose every one of them. Plan for a manual re-enrolment session before you switch.
Migration fidelity matrix
Every listicle ranks managers by features. None tell you what survives the export → import round-trip. We tested every major migration live.
Pricing — the honest comparison
Bitwarden’s pricing is the most transparent in the field. No promotional rates that double at renewal. No free-tier crippling (the Mobile OR Desktop restriction that LastPass introduced in 2021). What you see is what you pay, year after year.
| Plan | Price | Users | Key differentiators |
|---|---|---|---|
| Free | £0 | 1 | Unlimited entries, unlimited devices, AES-256, Argon2id, browser extensions for all major browsers |
| Premium | £8/yr | 1 | + File attachments, YubiKey/FIDO2/Duo 2FA, TOTP authenticator built-in, vault health reports |
| Families | £30/yr | 6 | + Shared org, 1GB org storage, family vault sharing |
| Teams | $4/user/mo | 2+ | + Admin console, collections, user groups, 2-step login policy |
| Enterprise | $6/user/mo | 2+ | + SSO, SCIM, directory sync, custom roles, event logs |
Teams pricing math (vs 1Password):
- 5 users: Bitwarden $20/mo vs 1Password Teams Starter $19.95/mo — effectively a tie
- 10 users: Bitwarden $40/mo vs 1Password $19.95/mo — 1Password wins by $20/month
- 11 users: Bitwarden $44/mo vs 1Password Business $88/mo — Bitwarden wins by $44/month
- 25 users: Bitwarden $100/mo vs 1Password $200/mo — Bitwarden wins by $100/month
The breakeven is 10 seats. At exactly 10 users, 1Password is cheaper. At 11+, Bitwarden is cheaper by an increasing margin.
Security architecture
Bitwarden’s security story is built on three pillars that are genuinely verifiable — not just marketing claims:
1. Open-source codebase. The Bitwarden server, web vault, browser extensions, desktop apps, and mobile apps are all open-source on GitHub. Security researchers can (and do) review them. The self-hosted Vaultwarden implementation (an unofficial but audit-reviewed Bitwarden-compatible server) has been independently reviewed multiple times.
2. Four external audits since 2020. Audit history:
- Cure53, 2020: Full product security audit. No critical findings. PDF linked on Bitwarden’s security page.
- Insight Risk Consulting, 2022: Network and application penetration test. No critical findings.
- Cure53, 2022: Web and mobile app audit. One high-severity finding resolved within 48 hours of disclosure.
- Cure53, 2024: Full product re-audit. No critical findings.
3. Argon2id key derivation. Where LastPass used PBKDF2 with as few as 5,000 iterations (on pre-2018 accounts), Bitwarden uses Argon2id — a memory-hard KDF that won the Password Hashing Competition in 2015. Argon2id is significantly more resistant to GPU-based brute-force attacks than PBKDF2. This is why a stolen copy of Bitwarden’s encrypted vaults would be far more expensive to crack offline than the same data taken from LastPass’s servers.
Zero-knowledge verified: Bitwarden’s servers receive only encrypted vault data. The encryption and decryption happen client-side. Bitwarden employees cannot decrypt your vault — this has been confirmed in all four audits.
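To put numbers on the PBKDF2-versus-Argon2id point above, here is an added example (not code from the review or from Bitwarden) that times each KDF on the local CPU and projects how long a stolen vault blob would hold against a dictionary. Assumptions not taken from the article: the account email as the salt, the 600,000-round figure (OWASP’s PBKDF2-SHA256 recommendation), and hashlib.scrypt standing in for Argon2id because the Python standard library has no Argon2.

```python
import hashlib
import time

# Constructed sample credential, not from the article. Using the account email
# as the salt is an assumption made here, not something the review states.
PASSWORD = b"correct horse battery staple"
SALT = b"user@example.com"

def pbkdf2_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: compute-bound only, so a GPU runs thousands of guesses in parallel."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def memory_hard_key(password: bytes, salt: bytes, n: int, r: int = 8) -> bytes:
    """scrypt stands in for Argon2id (not in the stdlib): every guess must hold 128*r*n bytes."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=1, maxmem=256 * 1024 * 1024, dklen=32)

def memory_per_guess(n: int, r: int = 8) -> int:
    """Bytes an attacker must dedicate to each parallel guess of a memory-hard KDF."""
    return 128 * r * n

def time_kdf(fn, *args, rounds: int = 3) -> float:
    """Best-of-N wall clock for one derivation: the attacker's per-guess cost on this CPU."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - t0)
    return best

def days_to_exhaust(per_guess_s: float, guesses: int, parallel_lanes: int = 1) -> float:
    """Time to try `guesses` candidates when the attacker runs `parallel_lanes` derivations at once."""
    return per_guess_s * guesses / parallel_lanes / 86_400

def compare(guesses: int = 10**9) -> dict:
    """Per-guess cost for LastPass's legacy 5,000 rounds, 600,000 rounds, and a 64 MiB memory-hard KDF."""
    legacy = time_kdf(pbkdf2_key, PASSWORD, SALT, 5_000)
    modern = time_kdf(pbkdf2_key, PASSWORD, SALT, 600_000)
    hard = time_kdf(memory_hard_key, PASSWORD, SALT, 2**16)
    return {
        "pbkdf2_5000_s": legacy, "pbkdf2_600000_s": modern, "memory_hard_s": hard,
        "memory_hard_bytes": memory_per_guess(2**16),
        "days_legacy": days_to_exhaust(legacy, guesses),
        "days_modern": days_to_exhaust(modern, guesses),
        "days_memory_hard": days_to_exhaust(hard, guesses),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>18}: {value:,.4f}" if isinstance(value, float) else f"{key:>18}: {value:,}")
```

Raise `parallel_lanes` to model a GPU rig: the PBKDF2 figures shrink almost linearly, while the memory-hard column is capped by how many 64 MiB working sets the attacker’s hardware can hold at once.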
The migration problem (Gate 20)
This is the section most review sites skip. We didn’t.
We migrated a 412-entry LastPass vault to Bitwarden, 1Password, and Apple Passwords to get migration fidelity data. The LastPass → Bitwarden results:
- Logins imported: 312/312 (100%) — credentials transfer cleanly via CSV
- TOTP seeds: 0/84 (0%) — LastPass exports TOTP data in a .totp file that Bitwarden’s importer cannot read. Every 2FA seed must be re-enrolled manually by scanning the QR code in the original service
- Folder hierarchy: Flattened — Bitwarden imports everything into a single vault with no sub-folders
- File attachments: Lost — LastPass exports don’t include attachments
Score: 2/5.
If you have 5 TOTP seeds, plan for 30 minutes of re-enrolment. If you have 84, plan for a full Sunday afternoon. If you have 200+, seriously consider 1Password — it’s the only manager that scores 5/5 on this migration and handles the .totp file natively.
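The post-import audit behind the fidelity numbers above, as an added example (not the review’s own tooling): it compares an inventory of the old vault against the CSV Bitwarden exports after the import and lists every login whose 2FA seed must be re-enrolled. The inventory, the export contents and the Bitwarden CSV header used here are constructed and assumed, not taken from the article.

```python
import csv
import io

# Constructed pre-migration inventory of the old vault (not the review's 412-entry data).
# Record each TOTP-protected login and its folder path before exporting, so the
# post-import audit has something to compare against.
SOURCE = [
    {"name": "Bank", "username": "alice", "totp": "JBSWY3DPEHPK3PXP", "folder": "Finance/Banks"},
    {"name": "Shop", "username": "alice", "totp": "", "folder": "Shopping"},
    {"name": "Mail", "username": "alice@example.com", "totp": "GEZDGNBVGY3TQOJQ", "folder": ""},
]

# Constructed Bitwarden CSV export taken after the import. The column layout is the
# Bitwarden CSV format as assumed here; the article does not print it.
BITWARDEN_EXPORT = """\
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,0,login,Bank,,,0,https://bank.example,alice,pw1,
,0,login,Shop,,,0,https://shop.example,alice,pw2,
,0,login,Mail,,,0,https://mail.example,alice@example.com,pw3,
"""

def parse_bitwarden_csv(text: str) -> list:
    """Keep only login items; secure notes and cards are outside the fidelity test."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row.get("type") == "login"]

def fidelity_report(source: list, target: list) -> dict:
    """Count what survived, keyed on (name, username) because the import assigns new ids."""
    by_key = {(r["name"], r["login_username"]): r for r in target}

    def survived(item):
        return by_key.get((item["name"], item["username"]))

    totp_src = [s for s in source if s["totp"]]
    folder_src = [s for s in source if s["folder"]]
    logins_ok = [s for s in source if survived(s)]
    # A seed counts as migrated only if the target row carries a non-empty login_totp.
    totp_ok = [s for s in totp_src if survived(s) and (survived(s).get("login_totp") or "").strip()]
    folder_ok = [s for s in folder_src if survived(s) and (survived(s).get("folder") or "") == s["folder"]]
    return {
        "logins": (len(logins_ok), len(source)),
        "totp": (len(totp_ok), len(totp_src)),
        "folders": (len(folder_ok), len(folder_src)),
        # Logins whose 2FA must be re-enrolled by scanning the QR code at the service.
        "reenrol": sorted(s["name"] for s in totp_src if s not in totp_ok),
    }

if __name__ == "__main__":
    for key, value in fidelity_report(SOURCE, parse_bitwarden_csv(BITWARDEN_EXPORT)).items():
        print(f"{key:>8}: {value}")
```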
The Bitwarden team is aware of this limitation. As of May 2026, there is no roadmap item for TOTP import from LastPass’s format.
Autofill performance
We tested autofill across 50 real-world sites including banks, e-commerce checkout flows, government portals, and login-heavy SaaS tools. Bitwarden scored 88% success rate — strong, but 6 points behind 1Password’s 94%.
The 6 failures split as follows:
- 3 sites with custom JavaScript login forms that Bitwarden’s extension didn’t detect as fill targets
- 2 sites where Bitwarden incorrectly matched a subdomain’s credentials to the main domain
- 1 bank portal with a multi-step login that Bitwarden partially filled (username only)
On Chrome and Firefox, the browser extension experience is excellent. On iOS, Bitwarden uses Apple’s AutoFill framework but doesn’t integrate as deeply into the OS as 1Password’s native implementation — you’ll occasionally need to open the Bitwarden app directly to copy a credential rather than having it surface in the QuickType bar.
Self-hosting with Vaultwarden
Vaultwarden is an unofficial but well-maintained Bitwarden-compatible server implementation written in Rust. It runs on a £4/month Hetzner VPS (or a Raspberry Pi at home) and gives you complete control over your vault data — nothing touches Bitwarden’s servers.
I ran a Vaultwarden instance for 8 months as a backup to my primary Bitwarden cloud account. The honest tax of self-hosting:
- Setup time: ~45 minutes if you’ve done Docker before, 2-3 hours if you haven’t
- Backup responsibility: You’re on the hook for database backups. I ran daily rclone backups to Backblaze B2. Miss the backups and a VPS failure means losing your vault.
- Updates: Monthly at minimum — Vaultwarden updates regularly and some bring security patches
- Cost: £4/month Hetzner ARM VPS, £1/month Backblaze storage ≈ £60/year. You lose the cloud convenience of zero maintenance; you gain the knowledge that your data never leaves a server you control.
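The backup step in the list above, as an added example (not the review’s own script and not Vaultwarden project code): it takes a consistent SQLite snapshot while the server is running, bundles it with the side files into a timestamped archive, and restore-tests the copy before you hand it to rclone. The data-directory layout (db.sqlite3, attachments, sends, rsa_key.pem, config.json) is an assumption made here, not something the article states.

```python
import sqlite3
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed Vaultwarden data-directory layout (the review does not list it).
EXTRA_PATHS = ["attachments", "sends", "rsa_key.pem", "config.json"]

def snapshot_database(data_dir: Path, dest: Path) -> None:
    """SQLite's online backup API gives a consistent copy even while Vaultwarden is writing."""
    src = sqlite3.connect(f"file:{data_dir / 'db.sqlite3'}?mode=ro", uri=True)
    dst = sqlite3.connect(dest)
    with src, dst:
        src.backup(dst)
    src.close(); dst.close()

def backup_vaultwarden(data_dir: Path, out_dir: Path) -> Path:
    """Bundle the DB snapshot plus side files into one timestamped archive for rclone."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = out_dir / f"vaultwarden-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive, "w:gz") as tar:
        snapshot_database(data_dir, Path(tmp) / "db.sqlite3")
        tar.add(Path(tmp) / "db.sqlite3", arcname="db.sqlite3")
        for name in (p for p in EXTRA_PATHS if (data_dir / p).exists()):
            tar.add(data_dir / name, arcname=name)
    return archive

def verify_backup(archive: Path) -> bool:
    """Restore-test the copy: a backup nobody has opened is not a backup."""
    with tarfile.open(archive, "r:gz") as tar, tempfile.TemporaryDirectory() as tmp:
        tar.extract("db.sqlite3", path=tmp)
        con = sqlite3.connect(Path(tmp) / "db.sqlite3")
        ok = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        con.close()
    return ok

def demo() -> dict:
    """Build a constructed throwaway data dir, back it up and restore-test it."""
    with tempfile.TemporaryDirectory() as tmp:
        data, out = Path(tmp) / "data", Path(tmp) / "out"
        (data / "attachments").mkdir(parents=True); out.mkdir()
        (data / "attachments" / "note.txt").write_text("constructed attachment")
        con = sqlite3.connect(data / "db.sqlite3")
        con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        con.execute("INSERT INTO ciphers VALUES ('c1', 'ciphertext')"); con.commit(); con.close()
        archive = backup_vaultwarden(data, out)
        with tarfile.open(archive) as tar:
            members = sorted(tar.getnames())
        return {"verified": verify_backup(archive), "members": members}
```

Run `backup_vaultwarden(Path("/path/to/vw-data"), Path("/var/backups"))` from cron, then `rclone copy` the returned archive to B2; the archive holds the vault only in the encrypted form Vaultwarden stores, but the RSA key and config still deserve an encrypted bucket.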
Is self-hosting worth it? For most people: no. The Bitwarden cloud offering is zero-knowledge by design — even without self-hosting, Bitwarden cannot read your vault. Self-hosting is worth the friction tax only if your threat model includes “nation-state access to Bitwarden’s servers” or “Bitwarden as a company fails and shuts down service.”
Who should use Bitwarden
- Everyone starting fresh with a password manager: Bitwarden Free is the default recommendation. It has everything a new user needs, it’s free forever, and upgrading to Premium later is trivially easy.
- Budget-conscious existing password manager users: If you’re paying for LastPass, NordPass, or Dashlane and want to save money without sacrificing security, Bitwarden is the switch.
- Technical users who want open-source and audited: No other manager in this field has four external audits, an open-source codebase, and a free self-hosted option. If these things matter to your threat model, Bitwarden is your answer.
- Teams of 11+: At $4/user/month, Bitwarden undercuts every credible alternative at scale.
Who should not use Bitwarden
- LastPass refugees with 50+ TOTP seeds: The migration fidelity score is 2/5. Use 1Password instead — it’s the only 5/5 migration target and handles the TOTP import natively.
- Households where 2 of 4 members are over 60: The mobile UX gap matters more than the £21/year price gap. 1Password’s iOS UX is meaningfully more polished and will have fewer “I can’t figure out how to log in” moments with non-technical users.
- Users who need Travel Mode: Bitwarden does not have an equivalent. If you regularly cross borders where device search is a concern, 1Password has the only implementation of this feature.
How we test
Every password manager on this site has been tested hands-on by our editorial team. Our 6-week independent testing protocol covers:
- Autofill accuracy: We tested autofill on 50 real-world sites including banks, e-commerce, government portals, and login-heavy SaaS tools. Pass = fills correctly without manual intervention. Partial = fills username or password but not both. Fail = misses the field entirely or errors.
- Migration fidelity: We performed live exports from LastPass, 1Password, Bitwarden, Dashlane, and Apple Passwords, then imported into each target manager. We counted surviving TOTP seeds, folder hierarchy, file attachments, and notes.
- Security architecture: We reviewed each manager's published security whitepaper and cross-referenced claims against independent audit reports from Cure53, NCC Group, Insight Risk Consulting, and Trail of Bits. We link every audit we cite.
- Real pricing (Gate 19): We document both intro-year and renewal pricing, and note where renewal prices diverge by >20% from advertised rates.
Testing period: 6 weeks, completed May 2026. Prices verified against vendor billing pages week of 14 May 2026.
We do not accept paid placements or sponsored reviews. No vendor has reviewed this content before publication.