"Password managers" by Tavis Ormandy

Tavis Ormandy just published "Password Managers." on his blog with this conclusion:

If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

No doubt there will be many people reading this who don’t like this advice. All I can say is I’ve heard all the arguments, and stand by my conclusions.

And I would like to know how Bitwarden addresses, or tries to address, the issues mentioned in it.


I’m no expert, but I would never go back to storing my passwords in a browser without support for 2FA and TOTP code generation.

Also, most browsers won’t tell you how they implement security of your master password or of the information that is stored on their servers. Bitwarden is audited and open source, so anyone can see for themselves what is done: entirely transparent.


I would also add the obvious downside, which is you are locked into using a particular browser. Using a third-party password manager like BW, you’re free to use whatever browser you like at home and at work, on your PC and your laptop, as well as on your mobile phone and tablet. All your passwords will be available everywhere.


There was a long discussion about this topic on Reddit before. Summary: if you care about security, Bitwarden is the clear winner.

Here’s some of our thinking on the matter:

Pinned so it doesn’t get lost in a sea of comments :slight_smile: