For most people, a password manager is a vault with a browser extension. For developers, it's also an SSH agent, a CLI you script against, and a way to keep secrets out of .env files committed by accident. We spent a week running both 1Password and Bitwarden through a developer's daily workflow — git commit signing, pulling secrets into a CI job, and unlocking a vault from a terminal — to see where the two actually diverge in 2026.
The short version: both are good. The decision comes down to whether you want a polished closed-source product with the deepest dev tooling, or an open-source vault you can self-host and audit yourself.
The developer features that actually differ
The browser-extension experience between these two is close enough that it won't decide anything. The terminal is where they separate.
SSH and git signing. 1Password ships an SSH agent that stores your private keys in the vault and signs git commits with biometric approval — you git commit, Touch ID prompts, the key never touches disk in plaintext. It's the single feature most developers switch for. Bitwarden added an SSH agent more recently, and it works, but 1Password's is more mature: it has been the default recommendation for key-in-vault workflows for longer and integrates cleanly with ~/.ssh/config via a single IdentityAgent line.
CLI and CI secrets. Both ship a CLI. 1Password's op lets you reference secrets inline (op://vault/item/field) and inject them at runtime with op run -- ./deploy.sh, so nothing lands in your shell history or a file. For automation it uses service accounts and the 1Password Connect server. Bitwarden splits this: the bw CLI handles the personal vault, while Bitwarden Secrets Manager (with the bws CLI and machine accounts) is the dedicated path for CI/CD and infrastructure secrets. If your goal is replacing .env files in a pipeline, both get you there — 1Password with fewer moving parts, Bitwarden with a cleaner separation between human and machine secrets.
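As an added example (not from the original article or from 1Password), this lint flags secret-looking variables in an env file whose values are literals rather than complete op://vault/item/field references. The function names, the name heuristic and the sample file are assumptions constructed for illustration.

```shell
# Added example: catch literal secrets in an env file that should only carry
# op://vault/item/field references. Names and sample data are hypothetical.
lint_env_refs() {
  awk -v q="'" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      eq = index($0, "=")
      if (eq == 0) { print "malformed line " NR; bad = 1; next }
      name = substr($0, 1, eq - 1)
      val  = substr($0, eq + 1)
      sub(/^[ \t]*export[ \t]+/, "", name)
      first = substr(val, 1, 1)
      if (first == "\"" || first == q) val = substr(val, 2, length(val) - 2)
      # Heuristic (assumption): only names that look like secrets are checked.
      if (toupper(name) !~ /SECRET|TOKEN|PASSWORD|PASSWD|KEY|CREDENTIAL/) next
      # A usable reference needs vault, item and field segments.
      if (val !~ "^op://[^/]+/[^/]+/[^/]+") { print name; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample: one good reference, one literal, one non-secret,
# and one reference that is missing its field segment.
write_sample_env() {
  cat > "$1" <<'EOF'
# deploy.env (constructed sample)
DB_PASSWORD=op://prod/database/password
export API_TOKEN="EXAMPLE-literal-value"
LOG_LEVEL=debug
SIGNING_KEY=op://prod/signing
EOF
}

# Demo run: prints the offending variable names, one per line.
tmp=$(mktemp)
write_sample_env "$tmp"
lint_env_refs "$tmp" || echo "literal or incomplete secret values found"
rm -f "$tmp"
```

Run as a pre-commit or CI step, the non-zero exit status blocks the change before a literal value reaches the repository.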
Passkeys and TOTP. Both store passkeys and generate TOTP codes inline, so you can drop a separate authenticator app. No meaningful gap here.
If SSH commit signing is the feature you care about, test it before you commit to a yearly plan. Set up one repo, sign a commit, and confirm your forge (GitHub, GitLab, Gitea) shows it as Verified. Both tools support it, but the unlock-prompt frequency and agent behavior feel different enough that you'll have a preference within ten minutes.
Self-hosting, source code, and trust
This is the philosophical split, and for a lot of developers it's the whole decision.
Bitwarden's clients and server are open source. You can read the code, and you can run the server yourself — either Bitwarden's official self-host stack or the community-built, Rust-based Vaultwarden, which is far lighter to run on a small VPS. If your threat model says "I don't want my password vault sitting on a vendor's cloud," Bitwarden is the only one of the two that answers it.
1Password is closed source. It compensates with regular third-party security audits and a published security model, and its end-to-end encryption design (the Secret Key in addition to your master password) is well-regarded. But you are trusting a vendor, not reading the source. There is no self-host option.
Vaultwarden is a community reimplementation, not an official Bitwarden product. It's widely used and actively maintained, but you own the consequences: backups, TLS, updates, and the security of the host are all on you. A misconfigured self-hosted vault is more dangerous than a managed one. If you self-host, treat the backup-and-recovery plan as part of the setup, not an afterthought.
What they cost
| | 1Password | Bitwarden |
|---|---|---|
| Free tier | None (14-day trial) | Yes — unlimited passwords, unlimited devices |
| Individual paid | $2.99/mo, billed annually | Premium $10/year |
| Family plan | ~$60/year (5 people) | $40/year (6 people) |
| Self-host | No | Yes (official or Vaultwarden) |
| Source | Closed, audited | Open source |
Bitwarden's free tier is genuinely usable for one person — the $10/year Premium mainly adds TOTP storage, encrypted file attachments, and security reports. 1Password has no free tier, but its individual plan at roughly $36/year buys the more refined product and the stronger dev tooling. For teams, both have business plans priced per seat where the gap narrows and the decision shifts to which admin console and provisioning flow your org prefers.
Secrets management is priced separately on both sides — neither bundles unlimited CI secret automation into the base consumer plan, so factor that in if a pipeline is your real use case.
Which one to pick
Pick 1Password if you want the most polished SSH-agent and git-signing experience, you live in op run, and you're fine paying for a closed-source product with a strong audit track record. Pick Bitwarden if open source matters to you, you want a free tier or self-hosting, or you want human and machine secrets cleanly separated via Secrets Manager. Most developers will be well-served by either; the tie-breaker is usually self-hosting (Bitwarden) versus SSH-agent polish (1Password).
Whatever you choose, the win is the same: stop reusing passwords, get your SSH keys out of plaintext, and keep secrets out of your repos.
Originally published at pickuma.com.