Last updated: May 2026 · Tested through: Jan 2026 +98% price hike, Feb 2026 ETH Zurich study, April 22 2026 CLI supply-chain incident · BuyerSprint Score: 8.5/10 (unsponsored, Bitwarden has no affiliate program)
⚡ Quick Verdict
This Bitwarden review tested the product through three discrete 2026 events: the January Premium price doubling, the February ETH Zurich study finding 12 attack vectors, and the April 22 CLI supply-chain compromise. Is Bitwarden worth it in 2026? Yes. The free tier remains the best in the category, the Premium price ($19.80/yr) is still 58.6% cheaper than 1Password, the ETH Zurich findings describe theoretical malicious-server scenarios with limited real-world impact, and the April CLI incident affected developer-tier users (NOT vault data). BuyerSprint Score: 8.5/10. Strong recommendation for free-tier users, cost-sensitive Premium buyers, and privacy-purists who value open-source. Look elsewhere if you want 1Password’s polish or Apple-only ecosystem fit.
Direct answer
Bitwarden in 2026 is still the best free password manager and still the cheapest paid tier in the major-vendor pool. The Jan 2026 Premium hike from $9.99 to $19.80 per year was Bitwarden’s first hike in a decade; the free tier was unchanged. The Feb 2026 ETH Zurich study found 12 attack vectors against Bitwarden encryption, all assuming a malicious-server scenario. The April 22, 2026 CLI npm supply-chain compromise (Checkmarx “Shai-Hulud” campaign) affected ~334 developer downloads in a 90-minute window; vault data was never affected. Bitwarden’s open-source incident response remains the strongest in the category. BuyerSprint Score: 8.5/10.
Affiliate Disclosure: BuyerSprint earns a commission from partner links on this page. We only recommend tools we’ve genuinely tested, at no additional cost to you. Editorial note: BuyerSprint earns no commission from this Bitwarden recommendation. Bitwarden is open-source and doesn’t offer an affiliate program. We recommend it anyway. The 1Password CTAs further down DO pay a commission.
Most online Bitwarden reviews were written before 2026 and miss the three events that defined the product’s year. This Bitwarden review tests the product after all three: the January Premium price hike, the February ETH Zurich study, and the April 22 CLI supply-chain incident. We score Bitwarden honestly (strong free tier, fair Premium pricing, real but bounded security questions) and surface the rough edges most reviews skip.
Quick framing for the rest of this Bitwarden password manager review: Bitwarden is the consensus best free password manager in 2026, with Reddit aggregations across r/cybersecurity, r/PasswordManagers, and r/privacy all converging on the same default pick (per Wizcase and SafetyDetectives 2026 syntheses). G2 holds Bitwarden at 4.4 stars across 2,225+ enterprise reviews, a rating that did NOT drop in response to the January price hike or the April CLI incident, which is the strongest practitioner signal that the events haven’t damaged real-world sentiment. Bitwarden is #1 on G2’s Enterprise Grid for Password Managers in 2026, the only open-source vendor in the top quartile.
BuyerSprint Score: 8.5/10 (six-axis breakdown)
| Category | Score |
|---|---|
| Security & architecture | 8.5 |
| Value (free + paid tiers) | 9.5 |
| Autofill quality | 7.5 |
| Cross-platform consistency | 9.0 |
| Support & transparency | 9.0 |
| Trust & reputation | 8.0 |
The BuyerSprint Score reflects our Bitwarden 2026 Threat-Tested rating across six axes weighted toward real-user impact. The 8.5/10 holds despite the 2026 turbulence because the free tier is unchanged, Premium is still cheapest in the category, and Bitwarden’s incident response transparency is the strongest in the category.
Bitwarden 2026 Threat-Tested Score: how we rated it
Our scoring framework, the Bitwarden 2026 Threat-Tested Score, weights three dimensions that 2026-era reviews need to honestly address. First, the ETH Zurich vector count (12 documented attack vectors, 7 resolved or in remediation, 3 accepted as architectural choices). Second, the April 22 CLI incident response (full transparency, same-day v2026.4.1 release, public IR statement, vault data unaffected). Third, the open-source verification advantage (GPLv3 codebase, Mandiant audit, Vaultwarden community fork as the self-host option). Each dimension was scored against the comparable competitor handling: 1Password reported no new vectors in the same ETH Zurich study, and NordPass has no comparable public IR pattern. Bitwarden’s transparency comes out ahead even where its threat model takes a real hit.
Who Bitwarden is for in 2026
Bitwarden fits five distinct user types in 2026:
- Free-tier users who want unlimited devices and items without paying. The free tier survived 2026 untouched and remains the best in the category.
- Cost-sensitive Premium buyers graduating from free who can’t justify 1Password’s $47.88/yr Individual. Bitwarden Premium at $19.80/yr is the cheapest credible paid tier and includes emergency access, 1GB encrypted file storage, TOTP code display, and advanced 2FA (YubiKey OTP, Duo, FIDO2).
- Privacy-purists and sysadmins who want open-source code with self-host options. Bitwarden + Vaultwarden gives you a fully self-controlled vault.
- LastPass refugees migrating after the 2022 breach class-action settlement (claim deadline July 2, 2026). Bitwarden has been the consensus migration target since 2023.
- Cross-platform users who need broader OS coverage than any other PM offers. Bitwarden ships native apps for Windows, Mac, Linux, iOS, Android, plus a web vault, the CLI, and browser extensions for every major browser.
Bitwarden pros: what we liked (the honest version)
✅ Bitwarden Pros
- Open-source GPLv3 (resolved Nov 2024 SDK scare)
- Free tier unchanged through 2026, unlimited devices + items
- Premium $19.80/yr is 58.6% cheaper than 1Password Individual
- Family $40/yr for 6 users, cheaper than 1Password Family at $71.88/yr for 5
- Self-host via Vaultwarden for high-trust users
- #1 G2 Enterprise Grid 2026
- Broadest cross-platform support of any PM in the category
- Transparent April 2026 CLI incident response (rare in the industry)
❌ Bitwarden Cons
- January 2026 Premium hike communicated poorly (Fast Company: “worst way possible”)
- ETH Zurich Feb 2026 found 12 theoretical attack vectors
- April 22, 2026 CLI npm supply-chain incident (devs only, not vaults)
- Mac autofill regressions after macOS 26 Tahoe
- UI feels dated next to 1Password and Proton Pass
- TOTP code display is Premium-only (storage is free)
- Nov 2024 SDK relicensing scare left lingering trust dents
What happened in 2026: three Bitwarden news events decoded
If you’re reading the headlines and wondering whether Bitwarden is in trouble, the chronological treatment matters more than the panic. Here’s the honest accounting of all three 2026 events.
Event 1, January 2026: Premium price doubled (the rollout failure)
Bitwarden Premium went from $9.99/yr to $19.80/yr in January 2026, its first hike in a decade. The free tier was explicitly unchanged. Families ($40/yr for 6 users) and Teams pricing were unaffected. Premium subscribers got a one-time 25% loyalty discount on the first renewal at the new price ($14.85/yr that year, then $19.80/yr after).
The communication was rough enough that Fast Company titled their coverage “Bitwarden announced a price hike in the worst way possible.” The specific problems: the news was buried inside a feature-announcement blog post (“January 2026 spotlight: enhanced Premium plan”) rather than a clear price-change communication, the renewal-notice email arrived 15 days before charge (less than the 30-day window most subscribers expect), and the announcement listed a monthly equivalent of $1.65/mo despite Bitwarden not offering monthly billing on Premium. Reddit threads in r/Bitwarden and r/cybersecurity criticized the rollout heavily.
The takeaway for users: if you’re on Bitwarden Free, nothing changed. If you’re on Premium, the new price is still 58.6% cheaper than 1Password Individual ($47.88/yr). Even with the doubling, Bitwarden Premium remains the cheapest credible paid tier in the major-vendor pool. The price is justified by a decade of underpricing relative to Bitwarden’s actual development burden; the communication failure is fair criticism without changing the value math.
Event 2, February 2026: ETH Zurich study finds 12 attack vectors
In February 2026, ETH Zurich researchers Backendal, Scarlata, Paterson, and Torrisi published “Zero Knowledge (About) Encryption,” accepted to USENIX Security ’26. The study documented 25 attack vectors total across the major password managers: 12 against Bitwarden, 7 against LastPass, 6 against Dashlane. 1Password reported no new vectors beyond known architectural limitations.
The “12 against Bitwarden” headline reads catastrophic. The technical reality is narrower. Every attack assumes a malicious-server scenario: the attacker has already compromised Bitwarden’s infrastructure and is trying to exfiltrate vault contents from there. None of the 12 vectors describe an attack against a Bitwarden client (browser extension, mobile app, desktop app) that an everyday user could trip into via phishing or weak credentials.
The researchers honored a 90-day responsible disclosure window before publishing. Bitwarden’s response (published in their “security through transparency” blog) acknowledged the findings, documented technical mitigations for 7 vectors (resolved or in remediation), and accepted 3 vectors as deliberate architectural choices with documented tradeoffs. The remaining 2 are in active engineering review per Bitwarden’s transparency thread.
Paterson’s published comment via the ETH Zurich announcement is the honest framing: “The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case.” The finding erodes the absolute “zero-knowledge” claim Bitwarden uses in marketing, which is fair criticism. For everyday users with a strong master password and 2FA enabled, the practical exploitability is limited. For high-threat-model users (journalists, activists, sysadmins guarding root credentials), the practical advice is self-hosting Bitwarden via Vaultwarden, which removes the malicious-server dependency entirely.
Event 3, April 22, 2026: the CLI supply-chain compromise
On April 22, 2026 between 5:57 PM and 7:30 PM ET, the npm package @bitwarden/cli@2026.4.0 was compromised in the Checkmarx “Shai-Hulud” supply-chain campaign. Malicious code was distributed during that 90-minute window. Approximately 334 downloads occurred, meaningful but bounded against the package’s 70K weekly download average. The malicious payload (named bw1.js in the Endor Labs technical writeup) harvested developer credentials from CI/CD pipelines: GitHub tokens, npm tokens, SSH keys, AWS / GCP / Azure credentials, environment variables.
Vault data was never affected. The compromise was in the npm distribution mechanism for the CLI tool, not in Bitwarden’s vault infrastructure. Free-tier consumer users using only the web app, browser extensions, desktop apps, or mobile apps were completely unaffected. The blast radius was limited to developers who happened to install or update @bitwarden/cli during the 90-minute compromise window AND who ran the CLI against secret-laden environments.
Bitwarden’s response set the standard for 2026 open-source IR. The company published a community forum statement (“Bitwarden statement on Checkmarx supply chain incident”) within hours of detection. Version 2026.4.1 of the CLI was released the same day with the malicious code removed. Bitwarden’s official confirmation: “no evidence that end user vault data was accessed or at risk.” Recommended remediation for affected CLI users: rotate exposed secrets, review GitHub activity, check CI/CD audit logs.
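A lockfile check for the release named above, as an added example (not Bitwarden’s or npm’s tooling): it reports where a parsed `package-lock.json` pins `@bitwarden/cli` at 2026.4.0. The function names and the sample lockfiles are constructed for illustration; only the package name and the two versions come from this review.

```javascript
// Added example. Package name and versions are the ones given in this review;
// everything else (function names, sample lockfiles) is constructed.
const BAD = { name: "@bitwarden/cli", version: "2026.4.0" };
const FIXED = "2026.4.1";

// Return every place a parsed package-lock.json resolves BAD.name.
function locateCli(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, so a nested copy
    // appears as "node_modules/<parent>/node_modules/@bitwarden/cli".
    const tail = "node_modules/" + BAD.name;
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === tail || path.endsWith("/" + tail)) {
        found.push({ where: path, version: meta.version });
      }
    }
    // v2 lockfiles also carry a legacy "dependencies" tree describing the
    // same install; skipping it avoids counting each copy twice.
    return found;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (name === BAD.name) {
        found.push({ where: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Classify a lockfile and attach the remediation steps quoted in the review.
function triage(lock) {
  const all = locateCli(lock);
  const hits = all.filter((e) => e.version === BAD.version);
  if (hits.length > 0) {
    return {
      status: "compromised",
      hits,
      actions: [
        "update " + BAD.name + " to " + FIXED,
        "rotate exposed secrets",
        "review GitHub activity",
        "check CI/CD audit logs",
      ],
    };
  }
  return { status: all.length ? "clean" : "not-installed", hits, actions: [] };
}

// Constructed sample lockfiles (in practice: JSON.parse of package-lock.json).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/ci-tools": { version: "3.2.1" },
    "node_modules/ci-tools/node_modules/@bitwarden/cli": { version: "2026.4.0" },
  },
};
const SAMPLE_V2 = {
  lockfileVersion: 2,
  packages: { "node_modules/@bitwarden/cli": { version: "2026.4.0" } },
  dependencies: { "@bitwarden/cli": { version: "2026.4.0" } },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "deploy-scripts": {
      version: "0.9.0",
      dependencies: { "@bitwarden/cli": { version: "2026.4.0" } },
    },
  },
};
const SAMPLE_FIXED = {
  lockfileVersion: 3,
  packages: { "node_modules/@bitwarden/cli": { version: "2026.4.1" } },
};

for (const [label, lock] of Object.entries({ SAMPLE_V3, SAMPLE_V2, SAMPLE_V1, SAMPLE_FIXED })) {
  const r = triage(lock);
  console.log(label, r.status, r.hits.map((h) => h.where).join(", "));
}
```

A lockfile shows only what is pinned now, so a "clean" result on a repository that installed or updated the CLI during the April 22 window still calls for checking the lockfile's commit history and CI install logs.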
If you’re searching “bitwarden hacked” or “bitwarden vulnerability”, the live April 2026 incident IS what the SERP is showing. The framing “Bitwarden was hacked” is misleading: Bitwarden’s infrastructure wasn’t breached, npm was. The framing “Bitwarden’s CLI distribution had a 90-minute compromise affecting ~334 developer downloads with no vault impact” is accurate. Headlines and reality differ here more than usual.
💡 Important disambiguation: CVE-2026-26012 affects Vaultwarden, NOT Bitwarden
Vaultwarden is a self-hosted Bitwarden-compatible fork written in Rust. CVE-2026-26012 describes an auth bypass prior to Vaultwarden v1.35.3 where org members could retrieve any cipher regardless of collection permissions. Bitwarden itself is not affected. Many search results for “bitwarden cve” conflate the two. If you self-host Vaultwarden, update to v1.35.3+. If you use Bitwarden’s hosted service, this CVE doesn’t apply to you.
Is Bitwarden safe in 2026? (the real answer)
Is Bitwarden safe, and how safe is Bitwarden, after a year of three discrete trust events? Yes, for everyday users with a strong master password and 2FA enabled. Is Bitwarden trustworthy in the broader sense? Yes, with the rough edges acknowledged. Is Bitwarden safer than LastPass after the 2022 LastPass breach? Yes, materially: LastPass has had a documented vault data breach; Bitwarden has not.
Here’s the layered version:
- Architecturally: AES-256 encryption + zero-knowledge design + open-source GPLv3 code + Mandiant audit + regular independent third-party audits + self-host option via Vaultwarden. This is the strongest baseline architecture in the category.
- Operationally: ZERO vault data breaches in Bitwarden’s operating history through May 2026. The April 22, 2026 CLI incident was a CLI-distribution compromise via npm, not a vault breach. Historical “Bitwarden hacked” community threads (e.g., 2022-era “hacked three times in one day” posts) trace to weak master passwords or phishing, not Bitwarden infrastructure.
- Theoretically: 12 ETH Zurich attack vectors documented, all malicious-server scenarios. 7 resolved or in remediation, 3 accepted as architectural choices, 2 in active engineering. The findings erode the absolute “zero-knowledge” marketing claim but don’t change everyday user risk meaningfully.
- Comparatively: ETH Zurich found 7 vectors against LastPass and 6 against Dashlane (vs Bitwarden’s 12). 1Password reported no new vectors. The “12” is the highest count in the study, but Bitwarden also had the most transparent vendor response. Open-source incident response is the strongest in the category.
- For high-threat-model users: self-host via Vaultwarden + Yubikey 2FA + a strong master password + regular vault audits.
For deeper safety-only coverage, we have a dedicated “Is Bitwarden Safe” guide that walks through each ETH Zurich vector individually. The short version for this review: yes, safely usable, with the 2026 caveats above.
Bitwarden Free vs Premium after the +98% hike
Now that Premium is $19.80/yr instead of $9.99/yr, the free-to-premium decision math has shifted. Here’s what each tier ships in 2026:
| Feature | Free | Premium ($19.80/yr) | Family ($40/yr, 6 users) |
|---|---|---|---|
| Vault items | Unlimited | Unlimited | Unlimited per user |
| Devices | Unlimited | Unlimited | Unlimited per user |
| Cross-platform apps | All (Win, Mac, Linux, iOS, Android, CLI) | All | All |
| Send (secure share) | ✅ Text + file | ✅ Text + file | ✅ |
| Self-host | ✅ Vaultwarden | ✅ | ✅ |
| Encrypted file storage | ❌ | 1GB | 1GB per user |
| TOTP code display in-app | ❌ (storage only) | ✅ | ✅ |
| Emergency access | ❌ | ✅ | ✅ |
| Advanced 2FA (YubiKey OTP, Duo, FIDO2) | TOTP + email + security keys | + YubiKey OTP, Duo, FIDO2 | + all advanced |
| Vault health alerts | ❌ | ✅ | ✅ |
| Priority customer support | ❌ (forum only) | ✅ | ✅ |
The graduation triggers from free to Premium in 2026: you need emergency access (so a family member can recover your vault if you’re incapacitated), you want TOTP codes displayed in-app instead of toggling between Bitwarden and Authy, you want 1GB of encrypted file storage for documents, or you want advanced 2FA methods. None of those are required for everyday use; Bitwarden Free remains the best free PM in the category. If you do need them, $19.80/yr is a low bar relative to alternatives.
For deeper pricing analysis including total-cost-of-ownership math across years, see our Bitwarden pricing 2026 guide.
Is Bitwarden still worth it? (the cost-math answer)
After the 2026 hikes, the cost comparison across the major PMs as of May 2026:
| Plan | Bitwarden | 1Password | Dashlane | Proton Pass |
|---|---|---|---|---|
| Free tier | ✅ Unlimited devices + items | ❌ (14-day trial only) | 25 passwords max | ✅ Unlimited items, 10 vaults |
| Individual / Premium | $19.80/yr | $47.88/yr | $59.88/yr | ~$35.88/yr |
| Family | $40/yr (6 users) | $71.88/yr (5 users) | $89.88/yr (5 users) | $59.88/yr (6 users) |
| Bitwarden’s cost advantage vs this column | — | 58.6% cheaper Individual / 44% cheaper Family | 67% cheaper Individual | 45% cheaper Individual |
The structural answer: Bitwarden Premium at $19.80/yr is still the cheapest credible paid tier. The hike preserved (in fact widened) Bitwarden’s relative cost advantage because 1Password and Dashlane raised prices more aggressively in 2026. Is Bitwarden worth it on cost? Yes, materially. On value? Yes. Bitwarden’s pros and cons need to be weighed against the alternatives, and on price alone, Bitwarden wins decisively. The honest 2026 verdict: Bitwarden’s cost is still its single strongest pillar, even after the +98% Premium hike.
Bitwarden vs 1Password (quick take, full comparison cross-linked)
The single most-asked comparison question in 2026, covered in depth in our dedicated 1Password vs Bitwarden guide. The TL;DR:
- Bitwarden = open-source, cheaper, cross-platform reach including Linux desktop and CLI, self-host option, broader 2FA support, less polished UI.
- 1Password = closed-source, more polished, Travel Mode (encrypts vaults during border crossings), Watchtower breach scanner, top Mac + iPhone UX, 2.4× the price.
For most users: pick Bitwarden if cost is a factor or open-source matters. Pick 1Password if you want the polished consumer-app experience and Travel Mode. Both are legitimate top-tier choices.
Bitwarden vs LastPass (for migrants)
If you’re a LastPass user reading this, Bitwarden has been the consensus migration target since the 2022 LastPass breach. The class-action settlement (claim deadline July 2, 2026) makes the breach financially concrete, up to $900,000 per claimant in documented losses. Three years after the breach, LastPass continues to face issues: a January 2026 phishing campaign with fake mail-lastpass.com domains, repeated trust dents.
Migrating to Bitwarden Free from LastPass takes about five minutes (CSV export from LastPass, CSV import to Bitwarden). Our dedicated LastPass alternatives guide covers the full migration paths including Bitwarden, Proton Pass, 1Password, and Dashlane.
Real user feedback: Reddit, G2, and Bitwarden Community
If you’re searching “bitwarden review reddit” for social-proof signal, here is the 2026 consensus across r/cybersecurity, r/PasswordManagers, r/Bitwarden, and r/privacy (aggregated via Wizcase and SafetyDetectives because raw Reddit blocks unauthenticated scraping):
- Bitwarden remains the default free pick, unchanged through 2026 events
- The January Premium hike drew vocal criticism on rollout (the “buried announcement” issue) but didn’t shift the consensus recommendation
- Some long-time free-tier users who’d been considering Premium at $9.99 reconsidered at $19.80; those users mostly stayed on free rather than switching to 1Password
- The April 22 CLI incident produced developer-focused community threads (rotation procedures, npm pin strategies); zero reports of vault-data exposure, consistent with Bitwarden’s confirmation
- G2: 4.4 stars across 2,225+ enterprise reviews. The 4.4 rating did NOT drop in response to the Jan 2026 price hike or April 2026 CLI incident, the strongest practitioner-validation signal that the events haven’t damaged real-world sentiment.
- Bitwarden Trustpilot: high marks for free-tier value and incident response transparency; complaints largely center on autofill quirks (especially Mac post-macOS-Tahoe) and the January price-hike communication.
For Bitwarden opinions from the perspective of users who left Bitwarden in 2026: a representative voice is ByteHaven’s “Bitwarden Doubled Their Price. I’d Already Left. Here’s What You Missed.”, a former Bitwarden user explaining the switch to Proton Pass before the hike. Specific complaints: UI staleness, free-tier-update fatigue. Worth surfacing as a credible counter-voice.
When Bitwarden is NOT the right choice
Honest reviews include the recommendations to look elsewhere. Bitwarden is not the right choice if:
- You want the polish of 1Password. The Mac + iPhone UX in 1Password is materially nicer; Travel Mode is unique to 1Password; Watchtower’s breach scanning has more depth. If you’re willing to pay $47.88/yr, 1Password is a legitimately better consumer experience.
- You’re an Apple-only household. Apple Passwords (free, native, brilliant on Apple devices) is the easiest free option if you accept the not-zero-knowledge tradeoff. Bitwarden is overkill in that scenario.
- You’re privacy-first and want 10 free email aliases. Proton Pass Free includes them; Bitwarden Free doesn’t. If aliases are the deciding factor, Proton Pass Free is the cleaner choice.
- You’re a developer doing CI/CD work and want maximum supply-chain caution after the April CLI incident. 1Password’s `op` CLI is currently the most-audited PM CLI in 2026. Alternatives include OS-level keyring scripts or KeePassXC CLI for self-hosted setups.
- You’re managing a Mac-heavy team that needs native autofill consistency. Bitwarden’s macOS autofill has documented regressions after macOS 26 Tahoe; 1Password’s Mac app handles autofill more reliably.
When You Want Polish, Try 1Password
1Password is the most-cited upgrade in 2026 reviews: Travel Mode, Watchtower, the best Mac and iPhone UX in the category. 14-day free trial then $47.88 per year Individual or $71.88 per year Family. If Bitwarden’s quirks push you toward more polish, 1Password is the answer.
Decision tree: should you use Bitwarden in 2026?
| Question | If YES → | If NO → |
|---|---|---|
| 1. You’re a current Bitwarden Free user and the Jan 2026 Premium hike didn’t affect you? | Stay, free tier is unchanged and remains best in category | Go to Q2 |
| 2. You want emergency access, TOTP display, advanced 2FA, or 1GB file storage? | Upgrade to Bitwarden Premium ($19.80/yr, cheapest in category) | Go to Q3 |
| 3. You have a family of 4+ and want shared vault access? | Bitwarden Family ($40/yr for 6 users, cheaper than 1Password Family) | Go to Q4 |
| 4. You’re a LastPass refugee looking for a migration target? | Bitwarden Free or Premium, consensus migration target since 2022 | Go to Q5 |
| 5. You want polish over open-source, or you’re Apple-only and accept Apple-holds-keys? | Look elsewhere, 1Password for polish, Apple Passwords for Apple-only | Bitwarden Free (the default for everything else) |
Use case map: who Bitwarden fits in 2026
| If you are… | Pick | Why |
|---|---|---|
| A free-tier user across multiple devices | Bitwarden Free | Unlimited devices + items, unchanged through 2026 |
| A cost-sensitive Premium buyer | Bitwarden Premium ($19.80/yr) | 58.6% cheaper than 1Password Individual |
| A family of 4+ sharing vaults | Bitwarden Family ($40/yr, 6 users) | 44% cheaper than 1Password Family |
| A team or business (5+ users) | Bitwarden Teams ($4/user/mo) or Enterprise | #1 on G2 Enterprise Grid 2026 |
| A LastPass refugee post-2022-breach | Bitwarden Free or Premium | Consensus migration target |
| A 1Password refugee post-March-2026-hike | Bitwarden Premium | Most similar paid feature set at <half the price |
| A privacy-purist who wants self-host | Bitwarden + Vaultwarden | Run your own server, full feature parity |
| A sysadmin guarding root credentials | Self-hosted Bitwarden + YubiKey 2FA | Removes malicious-server dependency entirely |
Frequently asked questions
Is Bitwarden worth it in 2026, after the Premium price doubling?
Yes. The Premium hike from $9.99 to $19.80 per year was Bitwarden’s first hike in a decade and left the free tier unchanged. Even at the new price, Bitwarden Premium is 58.6% cheaper than 1Password Individual ($47.88/yr). The free tier remains the best in the category. The hike’s communication was poor (Fast Company called it “the worst way possible”), but the value math hasn’t changed.
Is Bitwarden safe to use after the ETH Zurich study + April 2026 CLI incident?
Yes for everyday users with a strong master password and 2FA enabled. The ETH Zurich study found 12 attack vectors against Bitwarden’s encryption, all assuming a malicious-server scenario where Bitwarden’s infrastructure has already been compromised. Bitwarden resolved or has in remediation 7 of the 12 vectors. The April 22 CLI compromise affected ~334 developer downloads in a 90-minute window; vault data was never affected. Bitwarden’s incident response transparency is the strongest in the category.
What is the April 2026 Bitwarden CLI supply-chain attack and does it affect my vault?
On April 22, 2026 between 5:57 PM and 7:30 PM ET, the npm package @bitwarden/cli@2026.4.0 was compromised in the Checkmarx “Shai-Hulud” supply-chain campaign. Malicious code harvested developer credentials (GitHub tokens, npm tokens, SSH keys, cloud creds) from CI/CD pipelines. ~334 downloads occurred. Vault data was NEVER affected. If you only use the Bitwarden web app, browser extension, desktop app, or mobile app, you are completely unaffected. If you used the CLI in that 90-minute window, rotate exposed secrets and update to v2026.4.1.
Was Bitwarden hacked?
Bitwarden the service has had ZERO vault data breaches in its operating history through May 2026. The April 2026 CLI incident was a compromise of Bitwarden’s npm distribution mechanism (via the Checkmarx supply-chain attack), not Bitwarden’s vault infrastructure. Historical community threads from 2022 about user-account compromises trace to weak master passwords or phishing, not Bitwarden’s infrastructure. “Bitwarden hacked” headlines in April 2026 are misleading shorthand for the CLI-distribution incident.
Is Bitwarden’s free tier still trustworthy?
Yes. The free tier was explicitly unchanged through the January Premium hike. Free-tier features (unlimited devices, unlimited items, cross-platform apps, Send, browser extensions, mobile apps, password generator, breach monitoring) remain identical to pre-2026. None of the 2026 events affected free-tier security or functionality.
What are the pros and cons of Bitwarden vs 1Password?
Bitwarden pros: open-source, 58.6% cheaper, cross-platform including Linux + CLI, self-host option, broader 2FA support. Bitwarden cons: less polished UI, no Travel Mode, no Watchtower breach scanner, Mac autofill regressions. 1Password pros: polished UX, Travel Mode, best Mac+iPhone experience. 1Password cons: 2.4× the price, closed-source, no free tier. Both are top-tier; pick based on whether cost or polish matters more.
Bitwarden Premium vs Free: what changes at $19.80 per year?
Premium adds: 1GB encrypted file storage, in-app TOTP code display (free has storage only), emergency access (a designated person can recover your vault), advanced 2FA (YubiKey OTP, Duo, FIDO2), vault health alerts (weak/reused/exposed password warnings), priority customer support. Free remains: unlimited items, unlimited devices, cross-platform apps, Send, browser extensions, password generator, breach monitoring, TOTP storage.
Is Bitwarden safer than LastPass after the 2022 breach?
Yes, materially. LastPass has had a documented vault data breach (2022, $24.45M class-action settlement, claim deadline July 2, 2026). Bitwarden has not had a vault data breach. LastPass’s incident response has been criticized as opaque; Bitwarden’s response to its 2026 events has been the most transparent in the category. Reddit consensus across r/cybersecurity has treated Bitwarden as the default LastPass migration target since 2023.
What did the ETH Zurich study find in Bitwarden?
In February 2026, ETH Zurich + USI researchers published “Zero Knowledge (About) Encryption” with 25 total attack vectors: 12 against Bitwarden, 7 against LastPass, 6 against Dashlane. 1Password reported no new vectors. All 12 Bitwarden vectors assume a malicious-server scenario (Bitwarden’s infrastructure already compromised). Bitwarden has resolved or has in remediation 7 vectors; 3 are accepted as architectural choices; 2 are in active engineering review. The findings erode the absolute “zero-knowledge” marketing claim but don’t change everyday user risk meaningfully.
Should I leave Bitwarden after the price hike?
Probably not. Even at $19.80/yr, Bitwarden Premium remains the cheapest credible paid PM. The free tier was unchanged. Realistic alternatives (1Password at $47.88/yr, Dashlane at $59.88/yr) are materially more expensive. If you want privacy + aliases, Proton Pass Plus at ~$35.88/yr is reasonable. If you want polish, 1Password is the upgrade. For most users, staying on Bitwarden remains the rational choice.
Is Bitwarden open-source? Does that make it safer?
Yes, Bitwarden is open-source under GPLv3 (resolved in November 2024 after a brief SDK relicensing scare). Open-source means the code can be independently audited and self-hosted. It doesn’t guarantee bug-free code (open-source PMs still have vulnerabilities, as the ETH Zurich study showed), but it does materially improve transparency. Bitwarden’s April 2026 CLI incident response (full public disclosure, same-day patch, community statement) exemplifies the open-source incident-response advantage in practice.
Bitwarden vs one password, which should I pick?
Same answer as Bitwarden vs 1Password (the “one password” / “onepassword vs bitwarden” / “bitwarden vs 1password” SERPs converge): pick Bitwarden for cost + open-source + cross-platform reach; pick 1Password for polish + Travel Mode + Mac/iPhone UX. Both are top-tier. See our dedicated 1Password vs Bitwarden comparison for the full breakdown.