
Bitwarden Complete Guide — Setup, Features, and Security Tips


Why You Need a Password Manager

Most people juggle dozens of online accounts and reuse the same password across many of them. One data breach at one site, and every account sharing that password is compromised. A password manager solves this by generating a strong, unique password for every account and storing them all in an encrypted vault behind a single master password.

This guide walks you through Bitwarden — an open-source password manager — from initial setup to advanced features.

What Is Bitwarden

Bitwarden is an open-source, zero-knowledge password manager. Its source code is fully available on GitHub and undergoes regular third-party security audits. Vault data is encrypted with AES-256 under a key derived from your master password on your own device (PBKDF2-SHA256 or Argon2id); the server only ever stores ciphertext plus a separate authentication hash. That is what "zero-knowledge" means in practice: even Bitwarden employees cannot see your vault data, because the key that decrypts it never leaves your devices.

The free plan supports unlimited passwords across unlimited devices. The Premium plan costs $1.65/month ($19.80/year) and adds features like a built-in TOTP authenticator, vault health reports, and emergency access.

Pricing Overview

Personal plans: Free gives you unlimited items and devices with passkey management and basic 2FA. Premium ($19.80/year) adds TOTP, vault health reports, emergency access, file attachments (5GB), and a phishing blocker. Families ($47.88/year) covers up to six users, all with Premium features.

Business plans: Teams costs $4/user/month. Enterprise costs $6/user/month and includes SSO integration, self-hosting, policy management, and a complimentary Families plan for every employee.

Setup Guide

Step 1: Create Your Account and Master Password

Head to bitwarden.com and create an account. Your master password is the single most important decision you'll make here. Bitwarden uses zero-knowledge encryption, so if you lose your master password, nobody at Bitwarden can reset it for you. The only ways back in are ones you set up yourself in advance, such as an Emergency Access contact with Takeover rights (covered below).

Use a passphrase: four or five words picked at random from a large word list (like Maple-Thunder-Bicycle-Ocean) are far more resistant to brute force than a short "complex" string like P@ssw0rd123!, and much easier to remember. The arithmetic is what matters: four words from a 7776-word list give about 52 bits of entropy and five give about 65, whereas P@ssw0rd123! is a dictionary word with a predictable substitution pattern that cracking tools try first. The words must come from a generator or a published list, not from your head, and never from personal information such as birthdays, pet names, or anything else guessable.

Step 2: Enable 2FA Immediately

Right after creating your account, go to Settings → Security → Two-step login and enable two-factor authentication. Even if someone learns your master password, they won't get into your vault without the second factor.

Free accounts can use an authenticator app (Aegis, Authy, etc.), email codes, or a FIDO2 WebAuthn security key such as a YubiKey; WebAuthn is the one to prefer because it is phishing-resistant. Premium additionally unlocks YubiKey OTP and Duo. As of 2026, you can register up to 10 security keys.

Step 3: Install Clients

The browser extension is the workhorse — it suggests and autofills credentials on login pages. Available for Chrome, Firefox, Safari, and Edge.

The mobile app (iOS/Android) supports biometric unlock and OS-level autofill for app logins. The desktop app (Windows/macOS/Linux) provides a full vault management experience. The web vault is where you access admin-level features like vault health reports and emergency access settings.

For developers, the CLI (npm install -g @bitwarden/cli) is useful for scripting and DevOps automation.
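A minimal pattern for using the CLI from a script, as an added example rather than code from the page or from Bitwarden: the master password comes from an environment variable populated by your secret store, the session key returned by `bw unlock --raw` is passed to later calls through BW_SESSION instead of on the command line, and the vault is locked again even when something fails. The item name "prod-db" and the BW_PASSWORD variable are placeholders; it assumes `bw` is on PATH and `bw login` has already been run once on the machine.

```python
"""Added example (not Bitwarden's code): fetch one credential from the
Bitwarden CLI inside a script without exposing the master password or the
session key. Assumes `bw` is installed and already logged in."""
import json
import os
import subprocess
from typing import Optional


def bw_command(args, session: Optional[str] = None):
    """Build argv and environment for one `bw` invocation. The session key goes
    in BW_SESSION (environment), never in argv: command lines are visible to
    other users via `ps` and are recorded in shell history."""
    env = dict(os.environ)
    if session:
        env["BW_SESSION"] = session
    argv = ["bw", "--nointeraction", *args]
    return argv, env


def run_bw(args, session: Optional[str] = None) -> str:
    """Run `bw` and return stdout; raise on failure (bad password, locked vault, ...)."""
    argv, env = bw_command(args, session)
    result = subprocess.run(argv, env=env, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"bw {' '.join(args)} failed: {result.stderr.strip()}")
    return result.stdout.strip()


def extract_login(item: dict) -> dict:
    """Pull the login fields out of a `bw get item` JSON object (type 1 = login)."""
    if item.get("type") != 1 or "login" not in item:
        raise ValueError(f"item {item.get('name')!r} is not a login item")
    login = item["login"]
    return {
        "username": login.get("username"),
        "password": login.get("password"),
        "totp": login.get("totp"),
        "uris": [u["uri"] for u in (login.get("uris") or [])],
    }


def fetch_secret(item_name: str) -> dict:
    """Unlock with the master password read from BW_PASSWORD (set by the CI
    secret store, not typed on a command line), sync, read one item, and lock
    again in a finally block so the session key is not left usable."""
    session = run_bw(["unlock", "--raw", "--passwordenv", "BW_PASSWORD"])
    try:
        run_bw(["sync"], session)
        item = json.loads(run_bw(["get", "item", item_name], session))
        return extract_login(item)
    finally:
        run_bw(["lock"], session)


if __name__ == "__main__":
    creds = fetch_secret("prod-db")  # placeholder item name
    print("username:", creds["username"])  # keep creds["password"] in-process; never log it
```

The same idea applies to shell pipelines: `export BW_SESSION="$(bw unlock --raw)"` once, then `bw get password <item>` as needed, and `bw lock` when done.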

Step 4: Migrate Your Existing Passwords

Export your passwords from Chrome or your current password manager as a CSV file, then import into Bitwarden via the browser extension or web vault.

After importing, you must do three things. First, disable your browser's built-in password manager; it will conflict with Bitwarden's autofill. Second, delete the passwords stored in your browser. Having credentials in two places creates management overhead and security risk. Third, delete the exported CSV file (and empty the trash or recycle bin): it holds every password in plaintext.

Step 5: Organize Your Vault

Use Folders to categorize your entries: Financial, Work, Social, Shopping, Infrastructure, Entertainment, and so on. When you eventually have hundreds of items, this structure will save you time.

What You Can Store

Bitwarden vault items come in four main types (newer clients also have a dedicated SSH Key type, added in 2025). Login stores website credentials including URL, username, password, and TOTP seed. Card stores credit/debit card details. Identity stores personal info like name, address, and phone number for form filling. Secure Note is a freeform text field, useful for API keys, recovery codes, or license keys; any item can also carry custom fields, including hidden ones for secrets you don't want shown on screen.

Key Features in Detail

Autofill

With the browser extension installed, Bitwarden automatically suggests credentials on login pages via an inline menu. You can also trigger autofill with keyboard shortcuts or the right-click context menu. Suggestions are keyed on the saved URI, so the extension will not offer your bank credentials on a lookalike domain; if the menu stays empty on a page where you expected it, treat that as a phishing warning rather than copying the password across by hand. On mobile, enable the OS autofill framework to get credential suggestions in apps, not just browsers.

Password Generator

Never invent passwords yourself. Bitwarden's generator lets you configure length, character types, and complexity — or switch to passphrase mode for word-based passwords. There's also a username generator that creates random usernames or email aliases.
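The following is an added example, not code from the page or from Bitwarden: a generator of the kind described here, together with the entropy arithmetic behind the passphrase advice in Step 1. Randomness comes from Python's `secrets` module (a CSPRNG). The 16-word list is constructed for the example; a real passphrase list such as the EFF long list has 7776 entries, and the entropy figures are computed from the list length, so the toy list deliberately scores low.

```python
"""Added example (not Bitwarden's code): password/passphrase generation with
entropy accounting. Picks come from the `secrets` CSPRNG, never `random`."""
import math
import secrets
import string

# Constructed stand-in word list (16 entries). A real list has thousands.
SAMPLE_WORDS = [
    "maple", "thunder", "bicycle", "ocean", "copper", "lantern", "meadow",
    "pebble", "harbor", "saddle", "velvet", "window", "cactus", "falcon",
    "garnet", "hollow",
]

# Upper + lower + digits + punctuation = 94 printable ASCII characters.
CHARSET_FULL = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from a pool of `pool_size`.
    An attacker must search about 2**bits candidates; how "complex" each pick
    looks is irrelevant if the pick was not uniform in the first place."""
    return length * math.log2(pool_size)


def generate_password(length: int = 20, charset: str = CHARSET_FULL) -> str:
    """Uniform random password, regenerated until every character class present
    in the charset appears at least once (the "minimum of each class" option).
    Rejection sampling costs a fraction of a bit; forcing classes into fixed
    positions would instead make those positions predictable."""
    wanted = [cls for cls in CLASSES if any(c in charset for c in cls)]
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in wanted):
            return candidate


def generate_passphrase(words, count: int = 4, sep: str = "-",
                        capitalize: bool = True) -> str:
    """Words drawn uniformly from `words`. Capitalisation and the separator add
    memorability and satisfy silly site rules, not meaningful entropy."""
    picks = [secrets.choice(words) for _ in range(count)]
    if capitalize:
        picks = [w.capitalize() for w in picks]
    return sep.join(picks)


def passphrase_entropy(words, count: int) -> float:
    """Entropy of a `count`-word passphrase from this list."""
    return entropy_bits(len(words), count)


if __name__ == "__main__":
    print("4 words, 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("5 words, 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
    print("12 chars, 95 printable ASCII:", round(entropy_bits(95, 12), 1), "bits")
    print("20 chars, this generator:", round(entropy_bits(94, 20), 1), "bits")
    print("4 words, toy list above:", passphrase_entropy(SAMPLE_WORDS, 4), "bits")
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Note what the numbers do and do not say: a 12-character string drawn uniformly from printable ASCII is worth about 79 bits, but P@ssw0rd123! is not such a draw, so the charset arithmetic does not apply to it. The generator only ever produces uniform draws, which is the whole reason to use it instead of inventing passwords.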

Bitwarden Send

Send lets you securely transmit information to anyone, even people without a Bitwarden account. Text Send is free; File Send requires Premium.

You can set a deletion date, expiration date, maximum access count, and password protection. Once expired, the data is automatically deleted. Since March 2026, paid plans can also restrict access to specific email addresses with email verification.

Security tip: share the Send link and the access password through separate channels — for instance, send the link by email and communicate the password by phone.

Built-in TOTP Authenticator (Premium)

Instead of using a separate authenticator app, you can generate TOTP codes directly within Bitwarden. Edit a vault item and paste the secret key, or the full otpauth:// URI that the QR code encodes, into the Authenticator key field (the mobile app can scan the QR code directly), and you're set. When you autofill a login, the current TOTP code is automatically copied to your clipboard. The seed syncs across all devices, and because TOTP is computed from the seed and the current time, it works offline.
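What the authenticator actually computes, as an added example that is not Bitwarden's code: a parser for the otpauth:// URI behind the QR code, the RFC 4226 HOTP step, the RFC 6238 time step on top of it, and the drift-tolerant, constant-time check a server performs. The example URI is constructed; its secret is the RFC 6238 test key "12345678901234567890" in base32, so the output can be checked against the RFC's published vectors.

```python
"""Added example (not Bitwarden's code): RFC 6238 TOTP from an otpauth:// URI."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=...&issuer=...&digits=...&period=...
    Defaults (SHA1, 6 digits, 30 s) are what nearly every site uses."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def decode_secret(b32: str) -> bytes:
    """Sites hand out base32 secrets with spaces, lowercase and missing padding."""
    clean = b32.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). No network needed."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // period, digits, algorithm)


def verify_totp(code: str, key: bytes, at: Optional[float] = None, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check tolerating +/-`window` steps of clock drift, using a
    constant-time comparison so timing leaks nothing about the right code."""
    now = time.time() if at is None else at
    counter = int(now) // period
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed URI carrying the RFC 6238 test key in base32.
    uri = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    params = parse_otpauth(uri)
    key = decode_secret(params["secret"])
    print(params["label"], "->", totp(key, period=params["period"], digits=params["digits"]))
```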

One caveat: storing TOTP alongside your passwords means both factors are in the same vault. If your vault is compromised, your 2FA codes go with it. This is manageable if your master password is strong and your Bitwarden account itself is protected by 2FA, but for your most critical accounts (bank, primary email) consider keeping a separate authenticator app. And never store the TOTP seed for your Bitwarden account's own two-step login inside the vault: you would need to unlock the vault to read the code that unlocks the vault.

Vault Health Reports (Premium)

The web vault's Reports section runs six checks against your vault. Exposed Passwords flags credentials found in known data breaches. Reused Passwords catches identical passwords across sites. Weak Passwords ranks entries by vulnerability. Unsecured Websites identifies HTTP login URIs. Inactive 2FA shows sites that support 2FA but where you haven't set it up. Data Breach (powered by Have I Been Pwned) checks whether your email addresses have appeared in breaches — this report is free for all users.

All reports run client-side, so no plaintext data ever reaches Bitwarden's servers. The Exposed Passwords check goes one step further: it sends only the first five hex characters of each password's SHA-1 hash to Have I Been Pwned's range API (k-anonymity) and compares the returned list of hash suffixes locally, so neither Bitwarden nor HIBP learns the password or even its full hash. Since late 2025, Vault Health Alerts provide real-time warnings in the browser extension, and Password Coaching guides you through fixing weak credentials on the spot.
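An added example, not Bitwarden's code, that implements the reused, weak, unsecured-website and exposed-password checks described above over a constructed vault. Item shapes follow Bitwarden's JSON export (name, login.username, login.password, login.uris). The exposed-password check demonstrates the k-anonymity range query: only a 5-character hash prefix would go to the API, and matching happens locally. The range response used here is constructed (counts made up) so the example runs offline; `fetch_range_online` shows the real request against api.pwnedpasswords.com. The weak-password heuristic is a stand-in for the zxcvbn estimate Bitwarden uses.

```python
"""Added example (not Bitwarden's code): vault health checks incl. HIBP k-anonymity."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed vault: one strong entry, a reused password, a plain-http login, an offline entry.
VAULT = [
    {"name": "Bank", "login": {"username": "alice", "password": "Correct-Horse-Battery-Staple-9",
                               "uris": [{"uri": "https://bank.example"}]}},
    {"name": "Forum", "login": {"username": "alice", "password": "password",
                                "uris": [{"uri": "http://forum.example/login"}]}},
    {"name": "Shop", "login": {"username": "alice@example.com", "password": "password",
                               "uris": [{"uri": "https://shop.example"}]}},
    {"name": "Wifi", "login": {"username": "", "password": "hunter2", "uris": []}},
]


def reused_passwords(items) -> List[List[str]]:
    """Groups of item names sharing one password; keyed on a hash so the
    report itself never holds plaintext."""
    groups = defaultdict(list)
    for it in items:
        digest = hashlib.sha256(it["login"]["password"].encode()).hexdigest()
        groups[digest].append(it["name"])
    return [names for names in groups.values() if len(names) > 1]


def unsecured_websites(items) -> List[str]:
    """Logins with a plain-http URI: autofill would send the password in clear."""
    return [it["name"] for it in items
            if any(urlparse(u["uri"]).scheme == "http" for u in it["login"]["uris"])]


def weak_passwords(items, min_len: int = 12) -> List[str]:
    """Crude stand-in for zxcvbn: short, or short-ish with under three character
    classes. Long all-lowercase passphrases pass, so length outranks classes."""
    flagged = []
    for it in items:
        pw = it["login"]["password"]
        classes = sum(1 for test in (str.isupper, str.islower, str.isdigit)
                      if any(test(c) for c in pw))
        classes += any(not c.isalnum() for c in pw)
        if len(pw) < min_len or (len(pw) < 16 and classes < 3):
            flagged.append(it["name"])
    return flagged


def hibp_split(password: str):
    """k-anonymity: only the first 5 hex chars of SHA-1 leave the device; the
    server answers with every suffix in that bucket and we match locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse `SUFFIX:COUNT` lines of a range response; 0 means not found."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        sfx, count = line.strip().split(":", 1)
        if sfx.upper() == suffix:
            return int(count)
    return 0


def exposed_passwords(items, fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Item names whose password appears in HIBP, with the breach count.
    `fetch_range` is injected so the check runs offline here and online below."""
    report, cache = {}, {}
    for it in items:
        prefix, suffix = hibp_split(it["login"]["password"])
        if prefix not in cache:
            cache[prefix] = fetch_range(prefix)
        count = count_in_range(suffix, cache[prefix])
        if count:
            report[it["name"]] = count
    return report


def fetch_range_online(prefix: str) -> str:
    """Real lookup: https://api.pwnedpasswords.com/range/<prefix>. Add-Padding
    asks HIBP to pad the bucket so the response size leaks nothing either."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "vault-health-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed range response for bucket 5BAA6, which contains
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. Counts are made up.
FAKE_RANGE_5BAA6 = (
    "1E2FA4F6A60A2A4C6E1B6B4D3A7A1F0E2C1:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E5D0C1F7A2B3C4D5E6F708192A3B4C5D6E:1\r\n"
)


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for fetch_range_online."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("reused:   ", reused_passwords(VAULT))
    print("unsecured:", unsecured_websites(VAULT))
    print("weak:     ", weak_passwords(VAULT))
    print("exposed:  ", exposed_passwords(VAULT, fake_fetch_range))
```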

Emergency Access (Premium)

This feature lets you designate trusted contacts who can request access to your vault in an emergency: illness, accident, or death. You configure it in the web vault under Settings → Emergency access. Access types are View (read-only) and Takeover (reset master password and gain full control). You set a wait period (1–30 days) during which you can reject the request. The designated contact only needs a free Bitwarden account. Zero-knowledge still holds: when you confirm a contact, your vault key is encrypted to that contact's public key on your device, so Bitwarden never holds a copy it could read.

Passkey Support

Bitwarden stores and manages passkeys as vault items. In 2026, it became the first third-party password manager to support CXP (Credential Exchange Protocol), enabling passkey portability between password managers. Cross-platform passkey sync — create on iPhone, use on Windows — is fully supported.

Security Optimization

Vault Timeout: Go to Settings → Security → Vault Timeout and set it to "On System Idle" or 15 minutes. The default may be too permissive. Note the difference between Lock (quick unlock with master password or biometrics) and Log Out (full re-authentication required).

Clipboard Clear: Set a clipboard auto-clear timer so copied passwords don't linger.

Biometric Unlock: You can set up PIN or fingerprint/Face ID unlock for convenience, but configure it to require the master password on app restart. Without that option the vault key is kept on disk protected only by the PIN, which is short enough to brute-force offline if the device is stolen.

Important Caveats

Losing your master password means permanently losing your data. There is no recovery. Set a password hint, and fill out the Bitwarden Security Readiness Kit (available as a PDF from the official site): it records your master password, your two-step login recovery code, and your emergency contacts. Note that the recovery code only gets you past a lost second factor; it does nothing for a forgotten master password. Store the kit somewhere physically secure.

TOTP seeds may not survive a migration. Bitwarden's own CSV and JSON exports do include the seed (the login_totp column), but many other managers' importers silently drop it, and attachments and Sends are never exported. If you migrate to another password manager, verify every TOTP entry afterwards and be ready to re-register the ones that were lost. Plan for this before switching.

Disable your browser's built-in password manager. Running two password managers simultaneously causes autofill conflicts and splits your credential management.

2026 pricing changes. Premium went from $10/year to $19.80/year. The free plan saw some feature adjustments. Existing subscribers get a one-time 25% loyalty discount.

Self-hosting comes with responsibility. Running Vaultwarden (a third-party reimplementation of the server API, not a Bitwarden product) or Bitwarden's official self-hosted deployment gives you complete data sovereignty, but security updates, TLS, backups, and server maintenance are entirely on you. The zero-knowledge model still protects vault contents if the server is breached, but a lost server with no tested backup loses every vault on it.

Wrapping Up

Bitwarden combines open-source transparency, competitive pricing, and robust security. The free plan handles everyday password management, and Premium unlocks advanced features like TOTP, vault health reports, and emergency access. Get the initial setup right — strong master password, 2FA enabled, systematic migration — and from that point on, every account gets a unique, strong password managed automatically.