
My Love-Hate Relationship With Bitwarden

And why I switched to Pass

2022-05-07

Digital security was my gateway into the world of FOSS. I wanted to use multi-factor authentication, and realized the value in using a Free program like andOTP[0] instead of Google Authenticator. From there my interest grew. I decided to transition away from Google Chrome's built-in passphrase manager to the Free passphrase manager Bitwarden.[1] I love Bitwarden, but at the same time I see things that can be improved. Certain missing features, and issues I ran into, encouraged me to switch from Bitwarden to another passphrase manager, and I'm ready to explain why.

The Bitwarden web vault login screen, shown through Qutebrowser on my PinePhone.

I Love Bitwarden

In case you have not yet heard of Bitwarden, it is a well-known passphrase manager that differs from its competitors in a few ways, most notably in that all of its client and server software is Free and Open Source. This allows the average user to take more control of their digital security by running their own Bitwarden server on their own hardware. It also gives people without the knowledge or expertise to do so peace of mind that their passphrases and personal information are not being logged or sold to the highest bidder. Bitwarden is accelerating in its reformation of passphrase managers, with nearly 100 contributors to their server software alone.[2] Their platforms are also very all-encompassing. Through the web UI you can generate and manage passphrases, credit/debit cards, identities, and notes; securely send and receive notes and files to and from other Bitwarden users; import and export vault items; and manage account settings. You can do all of these things from native programs on every major OS (including Linux!). If the desktop or server software is not yet supported on your platform, you can always tweak it as needed and build it from source.[3] To my knowledge, Bitwarden has a good history of being humane with users' digital rights and freedoms. I personally used Bitwarden full-time for almost 2 years, and still keep it as a backup while I transition away from it.

A list of Pass extensions, listed on passwordstore.org.

I Hate Bitwarden

Bitwarden works for many people, but the lack of love for CLI users has pushed me away. For starters, if you dislike bloated Electron apps[4] and the inconvenience of JavaScript-riddled web interfaces, Bitwarden might not be the best option for you. I totally acknowledge the fact that these options work for many people, and that's okay. I personally like the hackability of command-line utilities, which allows for custom menu interfaces and easy integration into your workflow through bash (or oil)[5] scripts and programs. Waiting for the Bitwarden CLI to respond was aggravating, not to mention that the tool is based on Node, adding to the maintenance headache.[6] My biggest gripe with the CLI is the lack of credential saving. Either you have to set a unique environment variable each and every time you open a shell, or type in your master passphrase for every username, passphrase, or note you want to view or edit. Combine this with long delays between commands, and it's a recipe for near unusability in practical use.

Pass CLI on my PinePhone.

A Challenger Approaches: Pass

My attention recently turned to Pass, the standard Unix passphrase manager.[7] Pass is a dead-simple, minimal, and hackable passphrase manager that strives to follow the Unix philosophy and is made for use in the terminal. Each value is stored in its own GPG-encrypted file in the special ~/.password-store directory. These can be organized however you wish, with the standard layout using the website address that the value applies to as the file path. There are tons of externally maintained graphical, menu-based, and text-based interfaces for Pass that serve as options for everyone. In true Unix fashion, there is a wide array of user-created plugins that let you extend the functionality of Pass. I currently use the plugin pass-otp[8] to manage one-time passphrases, taking the place of my former MFA solution cOTP.[9] The advantage of this modularity is the increased flexibility: if you want to integrate an external program or add a feature that you need, it's no problem. The script-friendly nature of Pass is easily seen in the Qutebrowser userscript called qute-pass, a bash script that automatically fills logins on applicable pages.[10] Multiple user-created import tools exist, allowing you to switch between passphrase management software without any headaches. One final feature of Pass is backup to external servers using git. Using the built-in option, you can make sure you never lose your passphrase vault by automatically pushing the encrypted files to a git repository. This serves a similar function to Bitwarden's automatic backup service, ensuring that you never lose important data. In all, I found Pass to be more than an adequate drop-in replacement for Bitwarden.
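As an added illustration (this is not code from Pass or pass-otp), the following Python walks through what `pass otp` does once gpg has decrypted an entry: locate the otpauth:// line in the entry, parse its parameters, and derive the current TOTP code. The entry text, account name and site are constructed sample data; the secret is the RFC 6238 test seed, so the codes can be checked against the RFC's table.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of a *decrypted* Pass entry (seed is the RFC 6238 test key, not a real account).
# In a store this text lives GPG-encrypted as ~/.password-store/<site>.gpg; line 1 is the passphrase.
SAMPLE_ENTRY = """correct-horse-battery-staple
username: alice
otpauth://totp/example.org:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.org&digits=8&period=30
"""


def extract_otpauth_uri(entry_text):
    """Return the first otpauth:// line of a decrypted entry (pass-otp accepts it on any line)."""
    uris = [line.strip() for line in entry_text.splitlines() if line.startswith("otpauth://")]
    if not uris:
        raise ValueError("entry carries no otpauth:// URI")
    return uris[0]


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into TOTP parameters, applying RFC 6238 defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = parse_qs(parsed.query)
    secret = query["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # many apps strip base32 padding; restore it
    return {
        "key": base64.b32decode(secret),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(params, at_time=None):
    """Compute the TOTP code (RFC 6238 on top of HOTP, RFC 4226) for a Unix timestamp."""
    at_time = int(time.time()) if at_time is None else int(at_time)
    counter = struct.pack(">Q", at_time // params["period"])
    mac = hmac.new(params["key"], counter, getattr(hashlib, params["algorithm"])).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])


def code_from_entry(entry_text, at_time=None):
    """Decrypted entry text -> one-time code, the step `pass otp` performs after gpg has run."""
    return totp(parse_otpauth(extract_otpauth_uri(entry_text)), at_time)
```

Calling `code_from_entry(SAMPLE_ENTRY)` gives the code for the current time; passing `at_time=59` reproduces the RFC 6238 reference value 94287082.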

Pass In Action

I managed to screen-record a demo of Pass usage on my PinePhone. I created a temporary passphrase store and directed Pass to look there for my passphrases, not in my real passphrase store directory.

Wrapping Up

While I still love many things about Bitwarden, Pass is a minimal alternative to mainstream passphrase managers. Pass is dead simple, extensible, and closely follows the Unix philosophy. I encourage you to give it a try. If it doesn't work for you, that's okay too. Using a Qutebrowser script, autofill is made easily possible through a simple keyboard shortcut. Through extensions, it can even take the place of multi-factor authentication solutions. Setup took only a few minutes, with import tools making it easy to switch. Pass was the solution to my problems with Bitwarden, and it might be your solution too.

Links/Notes

  0. github.com/andOTP
  1. bitwarden.com
  2. github.com/bitwarden/server
  3. github.com/bitwarden/clients/tree/master/apps/desktop
  4. drewdevault.com/2016/11/24/Electron-considered-harmful.html
  5. www.oilshell.org/
  6. drewdevault.com/2021/11/16/Cash-for-leftpad.html
  7. www.passwordstore.org/
  8. github.com/tadfisher/pass-otp
  9. github.com/replydev/cotp
  10. github.com/qutebrowser/qutebrowser/blob/master/misc/userscripts/qute-pass