When choosing a password manager, we want to choose the best possible software with no compromises. After all, this program is going to be storing your login credentials to every website, which is arguably the most sensitive data you have. Luckily, there are some great options available. In this article, we’re going to talk about the two most recommended password managers for privacy and security, Bitwarden and KeePassXC, and help you to decide which one you should use.
Bitwarden is the best open source, cloud-based password manager that allows for effortless syncing between devices and has the most feature-packed free tier among the competition. KeePassXC is the best open source password manager where all your passwords are saved locally on your device and never touch the cloud. Plus, KeePassXC is completely free with no account needed.
In the rest of this article, I give a detailed comparison of both Bitwarden and KeePassXC that I spent days researching. I break down the features, cost, browser integration, syncing, security, and more. Lastly, I touch on why you should choose these two password managers over any others.
Why Everyone Should Use A Password Manager
You may be thinking it sounds crazy to put all your important passwords in one place. I definitely don’t want to discount the catastrophe that it would be to have this data stolen.
By using a password manager you have a single point of failure, which may be hard to swallow. However, the alternative of memorizing your passwords is to have many points of failure that are much more likely to fail in comparison.
The average person has to keep track of so many accounts these days that if you’re memorizing your passwords you either have bad passwords or you’re reusing your passwords. And in the landscape of daily data breaches that we find ourselves in, reusing passwords is an even bigger threat than having poor passwords.
I get it, I’m guilty of adding an asterisk instead of an exclamation point at the end of my passwords, too. But when one of those suckers inevitably gets breached in the coming years, suddenly all of your passwords become extremely predictable.
This is why I recommend that everyone use a password manager and have randomly generated, unique passwords for every account. Bitwarden and KeePassXC are both excellent password managers to accomplish this goal in a safe and secure manner. Read on to find out which is right for you.
Bitwarden vs. KeePassXC: Convenience & Features
Cost (KeePassXC Wins)
As far as price goes, KeePassXC is the clear winner since it is entirely free. This is feasible because it is an open-source project with many passionate developers. However, when compared to other password managers, Bitwarden has one of the best free tiers, and most people find the free account totally sufficient.
The most notable premium features of Bitwarden include:
- encrypted file attachments,
- hardware token 2FA for your database,
- saving TOTP codes for your logins,
- emergency access, and
- priority support.
Bitwarden also offers family and business plans. Below are the prices at the time of writing, but keep in mind these are subject to change.
Ease-Of-Use And Design (Bitwarden Wins)
Bitwarden works very similarly to the way other password managers like LastPass and 1Password work. You will sign up for an account and log in on any of your devices to access your vault. If you’re switching from another password manager, you will probably find Bitwarden more intuitive than KeePassXC.
KeePassXC, on the other hand, works by saving your password database locally as a file on your computer, so there is no account to log in. You’ll open the program on your desktop and enter your master password to decrypt your database file.
KeePassXC often gets a bad reputation because it gets conflated with the other, older KeePass projects. While KeePassXC uses the open-source code base of the original KeePass project, the developers gave the program a major modern face-lift and greatly improved usability, even for non-technical users.
Browser Integration (Tie)
Bitwarden and KeePassXC both have browser extensions to make automatically filling in your login credentials into your favorite websites a piece of cake. Plus, when you enter your credentials on a new website, a banner appears allowing you to save these details automatically.
Using these extensions rather than manually copying and pasting your passwords also provides phishing protection, since your credentials will only be filled on the exact matching URL.
Here is a list of the browsers supported by each password manager’s browser extension:
Syncing Your Passwords Between Devices (Bitwarden Wins)
Where Bitwarden really shines above KeePassXC is cross-platform compatibility and automatic syncing across all devices. Bitwarden has official applications for desktop and mobile platforms, in addition to a convenient browser extension, which all connect to your online vault and sync seamlessly.
In the case of KeePass, different forks of the original project are focused on different platforms. KeePassXC is compatible with Windows, macOS, and Linux desktops. For Android, there is KeePassDX and AuthPass, both available on F-Droid, or KeePass2Android on Google Play. For iOS, look into Strongbox or KeePassium. The downside of the KeePass set-up is that different developers maintain each of these variants, so the experience is not going to be as streamlined as it is with Bitwarden.
KeePassXC takes a do-it-yourself approach to syncing between devices, so there are several options to choose from in order to sync your database file:
- Manually transfer via USB drive
- Any mainstream cloud services like DropBox, OneDrive, Google Drive, etc.
- Self-host your own Bitwarden server
If you’re considering using a mainstream cloud provider like those mentioned above to host your KeePassXC database, I would recommend just going with Bitwarden instead. Otherwise, start with manually transferring your database between devices until you get used to the software.
Random Password Generator (Tie)
Both Bitwarden and KeePassXC have great password generators that will work fine. KeePassXC’s implementation is more secure overall since it offers 32 special characters, as opposed to Bitwarden’s 8 special characters. Extrapolating to the number of possible passwords, these extra characters exponentially increase the time it would take to brute-force the password. However, a lot of websites only support certain special characters, so you may not be able to take advantage of these extra characters anyway.
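To put numbers on the 8-versus-32 special-character claim, here is an added example (written for this article, not code from either project) that computes the entropy and keyspace ratio for a given length, estimates worst-case offline cracking time, and generates passwords with a CSPRNG restricted to whatever specials a site accepts. The exact 8-character set attributed to Bitwarden and the 1e10 guesses/second attacker rate are this example's assumptions.

```python
import math
import secrets
import string

# Alphabets used for the comparison. The article gives only the counts (8 vs 32 specials);
# the exact 8-character set for Bitwarden is this example's assumption.
LETTERS_DIGITS = string.ascii_letters + string.digits   # 62 characters
SPECIALS_8 = "!@#$%^&*"                                  # assumed Bitwarden set
SPECIALS_32 = string.punctuation                         # 32 ASCII specials, KeePassXC-sized

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def keyspace_ratio(length, small=8, large=32):
    """How many times more candidate passwords the larger special set gives at this length."""
    return ((62 + large) / (62 + small)) ** length

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an offline attacker to try every password of this entropy."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def generate_password(length, specials=SPECIALS_32, require_each_class=True):
    """CSPRNG password over letters, digits and the specials a given site accepts.
    With require_each_class, resample until each (non-empty) class appears; rejection
    sampling keeps the accepted passwords uniformly distributed."""
    alphabet = LETTERS_DIGITS + specials
    classes = [c for c in (string.ascii_lowercase, string.ascii_uppercase,
                           string.digits, specials) if c]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or all(any(ch in cls for ch in pw) for cls in classes):
            return pw

def compare(length=20, guesses_per_second=1e10):
    """Summarise the 8-vs-32 special-character claim for one password length."""
    bits_8, bits_32 = entropy_bits(62 + 8, length), entropy_bits(62 + 32, length)
    return {"bits_8_specials": round(bits_8, 1),
            "bits_32_specials": round(bits_32, 1),
            "extra_bits": round(bits_32 - bits_8, 1),
            "keyspace_ratio": round(keyspace_ratio(length)),
            "years_8_specials": years_to_exhaust(bits_8, guesses_per_second),
            "years_32_specials": years_to_exhaust(bits_32, guesses_per_second)}

if __name__ == "__main__":
    print(compare())
    # A site that only allows a few specials: pass its set in and the rest is excluded.
    print(generate_password(20, specials="!@#"))
```

At 20 characters the larger set adds about 8.5 bits, roughly 360 times more candidates, which is real but far less than what adding a few more characters of length buys.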
The most important thing is that you use some type of random password generator and replace any of your reused or poor passwords with unique passwords that don’t use any dictionary words or names.
Both password generators will also display a strength rating. I used to always overthink my passwords and second guess if they were random enough when I created them myself. With these tools, I love that I can quickly generate a password and know that it is strong.
Extra Features (KeePassXC Wins)
Now, what if you have an extended use case and need a specific feature that the main developer hasn’t added? With KeePass and all its variants it is much more likely that your need will be met by one of them, or that your voice will be heard if you request this feature in the relevant forums.
More importantly, KeePass has built-in support for plugins, where additional functionality can be added to the main project by an independent developer without having to maintain an entire new fork. KeePassXC does not yet support plugins like the original project does, but has plans to add this utility in the future.
Getting Support If Something Goes Wrong (Bitwarden Wins)
As with anything in life, there can be times when using a password manager that something unexpected happens and you’d like to be able to ask someone for help. Perhaps after a software update the auto-fill no longer works in your browser. Maybe you just have a question about how a certain part of the software is implemented. Who can you go to?
With Bitwarden, you get the advantages that come with having a central entity to go to for support. There are employees that are paid to answer your questions in a timely manner until the issue is resolved. If you pay for one of their monthly plans and rely on Bitwarden to run your business, this can be a huge relief knowing that there is someone that will give you assistance when you need it most.
With KeePassXC, there is no dedicated support to contact and get help with your issue. That doesn’t necessarily mean you are left out to dry, however. You can try creating an issue on GitHub, and one of the developers or someone in the community will likely respond to you. This is a great place to report bugs, request a new feature, or discuss the direction of the project in general.
There are also subreddits dedicated to discussing both Bitwarden and KeePass. This can be a great place to go for forum-style support from the community and potentially from the official developers who may browse these forums from time to time.
Bitwarden vs. KeePassXC: Security & Privacy
Is My Database Vulnerable To Hacking? (KeePassXC Wins)
Both Bitwarden and KeePassXC are open source (meaning anyone can look at the code) and actively developed. While only Bitwarden has been audited at the time of writing, KeePassXC’s offline password storage makes it more secure for those who don’t want to take any chances.
As long as you manage your KeePass database files and backups properly, having only a local database and no cloud server means that an adversary would have to physically invade your home or steal your computer (or wherever you keep your database). This drastically reduces your attack surface, given that most people interested in your passwords aren’t willing to go to those lengths.
While having Bitwarden as a central entity to turn to for support can be helpful, it can also be a drawback under the lens of security. The support team is potentially an added attack vector if you have an extreme threat model. (Check out my article here on threat modeling.) Hackers often use social engineering and impersonate their victims to get information out of the unwitting support team who are just trying to be helpful.
This “central entity” is also the same entity that law enforcement will subpoena for information relating to a suspect. If you’re a journalist, activist, whistleblower, abuse victim, celebrity, or otherwise need to protect yourself from extreme threats, I would recommend that you go with KeePassXC and make sure to use two-factor authentication on your accounts.
A great solution to most targeted attacks is to always use two-factor authentication (2FA) on your important accounts, and especially on your password manager. Luckily, both Bitwarden and KeePassXC offer 2FA for free, although hardware token support is a premium feature on Bitwarden.
Backing Up Your Password Database (Tie)
No matter which password manager you choose to use, it is critical to have your password database backed up. Go by the old adage “two is one, and one is none” when it comes to having backups of your passwords. Don’t let a software glitch or a hard drive failure lead to the nightmare scenario of losing all your precious passwords. And if you use a cloud-based password manager, don’t trust that the service will have made a backup in the event that something goes wrong.
WARNING: None of these backup methods will help you if you’ve forgotten your master password!
With KeePassXC, making a backup of your password database is as straightforward as it gets since the database is already saved as a single “.kdbx” file on your hard drive. Simply copy the file onto a thumb drive or whatever your preferred storage medium is and keep that backup in a safe location.
Your password database backup should be completely encrypted so that it is protected in case anyone gets their hands on this file. However, if a bad actor with a little programming knowledge found your password database, they would be able to brute-force it in an offline environment, meaning there is no webpage to limit the rate at which guesses at your master password are made. Make sure you use a strong, long master password to mitigate this risk.
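The part of a .kdbx file that an offline attacker sees first is its unencrypted outer header, which names the cipher and the key-derivation settings that slow down guessing. As an added example (written for this article, not KeePassXC's own code), the script below parses a KDBX 4 outer header following the published format so you can confirm a backup really is a KDBX 4 file and see whether its KDF is cheap to brute-force; the sample header, the KDF threshold of 64 MiB and the `weak_kdf` flag are constructed here for the demo.

```python
import struct
SIG = (0x9AA2D903, 0xB54BFB67)                      # KDBX file signature
CIPHERS = {bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256",
           bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20"}
KDFS = {bytes.fromhex("c9d9f39a28a44f83a78b8ae82c1e5b6c"): "AES-KDF",
        bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c"): "Argon2d",
        bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"): "Argon2id"}
INT_FMT = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary int types

def parse_variant_dict(buf):
    """Decode the VariantDictionary that carries the KDF parameters (header field 11)."""
    pos, out = 2, {}                                # skip the 2-byte dictionary version
    while buf[pos] != 0:                            # a zero type byte ends the dictionary
        vtype, nlen = buf[pos], struct.unpack_from("<i", buf, pos + 1)[0]
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        vlen = struct.unpack_from("<i", buf, pos)[0]
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        # integers are decoded; byte arrays (type 0x42, e.g. $UUID and salt) are kept raw
        out[name] = struct.unpack(INT_FMT[vtype], raw)[0] if vtype in INT_FMT else bytes(raw)
    return out

def inspect_kdbx_header(data, min_mib=64):
    """Read cipher/KDF from the unencrypted outer header. min_mib is this example's own bar."""
    sig1, sig2, ver = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != SIG or ver >> 16 != 4:
        raise ValueError("not a KDBX 4 file")
    pos, fields = 12, {}
    while True:                                     # field = 1-byte id, 4-byte LE length, payload
        fid, size = struct.unpack_from("<BI", data, pos)
        fields[fid] = data[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == 0:                                # end-of-header marker
            break
    kdf = parse_variant_dict(fields[11])
    info = {"cipher": CIPHERS.get(bytes(fields[2]), "unknown"),
            "kdf": KDFS.get(kdf.get("$UUID"), "unknown"),
            "memory_mib": kdf.get("M", 0) // 2**20,          # Argon2 only; AES-KDF has none
            "iterations": kdf.get("I", kdf.get("R", 0))}     # Argon2 "I" or AES-KDF rounds "R"
    # AES-KDF is not memory-hard, and small Argon2 memory makes offline guessing cheap
    info["weak_kdf"] = info["kdf"] == "AES-KDF" or info["memory_mib"] < min_mib
    return info

def _vd(vtype, name, raw):                          # build one VariantDictionary entry
    return bytes([vtype]) + struct.pack("<i", len(name)) + name.encode() + struct.pack("<i", len(raw)) + raw
def _field(fid, payload):                           # build one outer-header field
    return struct.pack("<BI", fid, len(payload)) + payload

# Constructed sample header (no encrypted body): AES-256 with Argon2id, 64 MiB, 20 iterations.
SAMPLE_HEADER = (struct.pack("<III", *SIG, 0x00040001)
    + _field(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))
    + _field(4, b"\x11" * 32) + _field(7, b"\x22" * 16)          # master seed, IV
    + _field(11, struct.pack("<H", 0x0100)
             + _vd(0x42, "$UUID", bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"))
             + _vd(0x42, "S", b"\x33" * 32) + _vd(0x04, "P", struct.pack("<I", 2))
             + _vd(0x05, "M", struct.pack("<Q", 64 * 2**20))
             + _vd(0x05, "I", struct.pack("<Q", 20)) + b"\x00")
    + _field(0, b"\r\n\r\n"))
```

Run `inspect_kdbx_header(open("backup.kdbx", "rb").read())` on a real backup to see its settings; a KDBX 3 file (2-byte field lengths) is rejected rather than misread.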
With Bitwarden, making a backup of your vault is almost as easy. You will have to go into the settings and select “Export Vault”. Here you can export your passwords into an encrypted JSON file (make sure you select the encrypted option!) and store this file directly on your thumb drive or other backup medium. Your passwords are encrypted with an encryption key that is tied to your Bitwarden account, rather than with your master password, so you can’t import this database into any other account but your own.
Alternatively, you could export your passwords into a CSV file, import them into KeePassXC, and then store the KeePass database file as your backup. I have personally used this method, however some of the special fields and data types may not be transferred completely so double check that everything important to you is copied over if you go this route.
Database Longevity (KeePassXC Wins)
Have you ever had the unfortunate experience of investing time and energy into a piece of software, only to see the project abandoned by the developers? Sometimes, support for transitioning to another program is nonexistent and your hard work is left to rot. We never want that to happen to something as important as our password manager, so let’s compare the track records and history of Bitwarden and KeePassXC.
Bitwarden was first released in August of 2016. While it doesn’t have as long a history as KeePass, there are no signs that the business is struggling or will go away any time soon. Even if it did, it is relatively easy to quickly export your vault data in the event that Bitwarden closed up shop.
With KeePass, it’s important to understand that this is an open-source project with a long history of community development. In fact, there are over 20 independent KeePass-related forks (where the base code is expanded on by a different developer) taking the project in various directions. The original KeePass project has been around since November of 2003, practically an eternity in internet-time. The KeePassXC fork of this project, on the other hand, had its first release in December of 2015.
Because all the KeePass variants use the “.kdbx” database format, you can open the same database file in any of these fork projects so that you will never be left out to dry if one of them stops being developed. This ensures there will be great longevity in a KeePass password database. Given the popularity of the project and the community supporting it, I think it’s safe to say you will be able to use some variation of this software for a long time to come.
Why Bitwarden and KeePassXC Are Better Than The Alternatives
Complete Transparency With Open Source Code
One of the biggest things I look for when determining the trustworthiness of a critical piece of software like your password manager is open-source code. This means that the program’s code is freely available on the internet (see Bitwarden and KeePassXC on GitHub) for anyone to audit and verify that the application is secure and is doing what the developers claim.
Bitwarden and KeePassXC are the only stand-out, open source password managers with a sizable community of users. The rest of the competition, like LastPass, 1Password, and Keeper, are all proprietary.
Proprietary software means that the code base is protected intellectual property, and you will have to trust their word (or, ideally, independent audits) that their program does what they say it does and maintains proper security. Remember, with most password managers (except KeePass), you’re saving your passwords on their server, so make sure that you trust them.
A common criticism of the security of open source software is that just because the code is available, doesn’t mean that anyone is looking for vulnerabilities in the code. This is why I hesitate to recommend any open source software that does not have a substantial community of users. Both Bitwarden and KeePassXC meet this requirement.
Ideally, open source software should also be independently audited. Bitwarden has been audited, however KeePassXC has not yet been able to secure the funds for an audit since they rely only on donations to keep the project going.
You Don’t Have To Pay For Dark Web/Breach Monitoring
Recently, many of the big name password managers have been advertising “dark web monitoring” services to set their product above the competition. This feature is often added to higher-tier pricing schemes in order to justify the recurring cost, however, the same type of monitoring services are available for free at the website Have I Been Pwned.
Let’s clarify what exactly is meant by “dark web monitoring”. Every time a data breach is discovered, the stolen data is sought after by those that maintain enormous databases of stolen emails, usernames, passwords, phone numbers, etc. The monitoring service simply alerts you if your information is found in this database.
Editor’s Note: It’s clever of marketing teams to include the buzzword “dark web”. A more appropriate name would be “data breach monitoring,” since lots of stolen data is shared on the clear net as well.
You may notice that this entire scheme depends upon the integrity and scope of the database. Just because the monitoring service says your passwords haven’t been stolen does not definitively tell you that they have not been breached. To know for certain that your data has not been compromised you would have to assume both that the hacker publicly released the stolen data online and that the team maintaining the database actually finds that data, either of which may not happen.
So who maintains the databases for all of these data breach monitoring services?
- LastPass uses a proprietary third-party service called Enzoic,
- Dashlane uses the proprietary third-party SpyCloud,
- Keeper maintains their own proprietary database,
- 1Password uses the freely available Have I Been Pwned service.
I haven’t yet done the research to properly compare each of these separate breach databases, but until there is a conclusive comparison, I don’t think dark web monitoring should be a big deciding factor in which password manager you choose. Just use the free service Have I Been Pwned, where you can either directly search for breaches involving your email or phone number or set up email alerts to let you know right away if they show up in the future.
I trust Have I Been Pwned over the alternative data breach monitoring services because of the complete transparency in their processes and monetization. Like most of these services, it is funded by API access subscriptions (to programmatically search the database) which are primarily sold to businesses and governments. However, the creator Troy Hunt is committed to offering the database as a free public service and has extensively documented the methods used and decisions made by Have I Been Pwned in his personal blog.
I hope this article has helped you decide between Bitwarden and KeePassXC for your password manager and cleared up the differences between each of these password solutions. Both of these programs are excellent solutions for managing your passwords in a convenient, safe, and private way. Remember, any password manager (yes, even just a notebook) is better than none.
If you’re switching from a different password manager or using one for the first time, make sure to give yourself enough time to adjust to using the software before relying on it. It can take practice to learn how to use a password manager, so don’t lose your credentials by making a silly mistake. Always have a backup.
To learn more tips on how to protect yourself from hackers, identity thieves, or other fraudsters, check out my list of 25 low-effort tips here.