I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
No matter where Bitwarden ends up, passwords are one of these few things I am very hesitant to self-host. The stakes are just too high, and my knowledge of security has too many unknown unknowns to take that risk.
I've got it running in an LXC container. Other than occasionally updating it, it's been entirely trouble free (I did need to work to get it out of the Docker container but that's a problem most won't have). Honestly one of the most useful and low trouble self-hosted apps I've used next to Dokuwiki. As far as hardening, I have not done a huge amount, but it lives on my LAN and is only reachable via VPN from the outside, which again works surprisingly well even with my Android phone.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security.
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
I’m not an expert with web sockets or web development - but re: Get Params, Vaultwarden has to follow the API of the upstream Bitwarden implementation:
I have my vaultwarden running on a container on my home-lab server acessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this)
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden.
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
It’s a bad strategy. I am capable so I host an instance of vaultwarden for myself and spouse (only available via our vpn)
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating.
Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming.
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling taking custom server address away with important security fixes, in a way that you are damned if you do and damned if you don't.
Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
I’m not buying hosting from a password manager, I’m buying security. I don’t have complete confidence that I can secure a self-hosted password manager and it’s not an area where I want to take risks.
It's very simple, just don't make it accessible outside your home network. Clients sync when the server is accessible and use last synced data otherwise.
The effort required to set this up far outweighs the price to pay someone to do it for me.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
Tailscale for your laptop, phone, etc. to be able to talk to the other computers when away from your home WiFi. (Optional, but makes syncing easier).
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
I mean does it? I have set it up before but I just set it up for my new small office team. I already had an internal server and WireGuard vpn in our office and it took 2 minutes to create a quadlet to run vaultwarden and a few more to configure it. The “hardest” part was training the team on how to use collections.
I'm so fucking tired of jumping ship with these password vault providers. This will be my third jump in so many years.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now., I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshitification knows no bounds?
Me too precisely. But after getting acclimated to a self hosted vaultwarden for the backend and beginning to explore some of the 3rd party Bitwarden frontends that implement its API, I’d recommend hanging in there a bit longer. I think there may be a moat around BW already for self-hosting.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you cant just burn up VC money forever.
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turmips.
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN, it will probably be fine.
I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
Actually, I didn't have any careful planning when I started out self-hosting Vaultwarden. I didn't even have system backup (was just a script kiddie back then, didn't even know about 1-2-3). I have to migrate my instance 3-4 times. But because I'm just hosting Vaultwarden for myself, I can export the whole account from one of the Bitwarden clients (either the extension or mobile app) and reimport it in the new instance. Because I always have at least three devices with active use connected to my Vaultwarden instance, for me this also counts as 3 off-site backup that can be used to re-instate the whole setup.
It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just selfhost it, at least for yourself. You'll probably be able to manage it when something happen.
Me and some friends have each been hosting vaultwarden casually for years now. What problem do you see? I mean if the Server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has it's own backup of the vault.
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
Thanks for making me check. Did not know this:
"Offline Vault sessions will expire after 30 days.
Except for mobile client applications, which will expire after 90 days."
But for me that is enough time to feel safe, still will do backups regularly.
You need a VPS, correct? Are there any concerns about hardening your VPS from attackers? I worry about my ability to harden a public - facing service that is handling something so critical for myself.
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
As long as you continue to use (and upgrade) the Biwarden client apps, you should consider that BW could have the keys of your garden: they have control of decryption and encryption code, so that code could leak the key, whatever the server.
I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.
At this point it is too high of a risk to store my password elsewhere. I've been screwed over by dashlane, lastpass, potentially bitwarden now, I am with 1password now, but I've had my passwords in all these places, and I've had to change them each time, probably missing a few.
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a selfhosted keepass server, with the rugpulls, incidents, and whatnot, it is becoming too high of a risk.
Keepass has been my go to since forever, highly recommend. I never jumped on the SaaS password manager train when they started coming out, always just kept it local. There were times I thought I was missing out on some convenience but I'm glad I never moved.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
I’ve found being able to share passwords with my spouse very valuable which we couldn’t easily do with keepass. Also the syncing strategy on iOS is a disaster and corrupted my wife’s keepass db causing her to lose everything.
keepass files + syncthing works very nicely for me.
For non technical people, I just recommend to use the browser built in password managers. traviso has a good writeup why: https://lock.cmpxchg8b.com/passmgrs.html
I was doing this too until recently.
The problem with this setup is more at Syncthing.
More specifically, Syncthing Android app has seen some troubling changes in maintainers.
The latest maintainer has a very sparse Github profile and an AI generated avatar, so I noped out of installing it right then.
Rug-pulls, security incidents, lost passwords, I also don't know if they've kept my passwords behind when i deleted my accounts. The risk of them having them is too high, so i had to swap all of them.
Interesting! I've been a LastPass and then 1Password user since 2009ish.
I left LastPass because of UX paper-cuts, but I've never lost passwords on either of them.
Honestly, it's something I don't want to think about and just need it to work on mobile and desktop, so the switching friction is very high for me. I'm not going to shop around and try different password managers.
Is "rug pull" a cost thing? I'm generally frugal, but pay for a family plan and don't think twice.
Thank you for this post/link. I have been side eyeing Bitwarden since they started ensh*ttifying the desktop UX last year to make it more like everything else and take up too much space. It had been working perfectly well for browser autofill - super fast and staying out of the way. Now it is bloated white space, slow, standardized UX elements like any SaaS built by AI. Will check out Vaultwarden, Proton Pass, Keepass, I guess. But sadly - yet another tool that worked perfectly well that was ruined in contempt of its own users (LastPass, Authy, Google Reader, etc - the list goes on)
As mentioned, enshittifying doesn't mean "make shitty" or "make worse". It's a specific exploitative company MO, like taking a product like Bitwarden and the goodwill it's generated with open source contributions, free plans, etc., and exploiting that trust by selling it to private equity, unbeknownst to the users, in order to squeeze the most out of it they can and then scrap it.
I really don’t think a UI redesign is the intended meaning of enshittification. BW has had by far the best free option for password management since I started using them 8 years ago.
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
I have moved to KeepassXC[1] on my desktop from Bitwarden. On phone, I use KeepassDX[2] which is Android client compatible with KeepassXC. On browser, I use KeepassXC Browser extension which connects with the desktop client. Since KeepassXC operates on a single file, you can use any Filesystem syncing tool to sync that file between devices or to store it in the cloud. I am really happy with the move.
The file syncing, particularly between Android phone and multiple desktop machines, is my biggest worry with this workflow. Will the synced Keepass file get corrupted if I add a new password on the phone and also on desktop, and then later try to merge them?
Been using this setup for many years and never had any problem at all. I sync between desktop and mobile with Syncthing[0]. You can configure Syncthing to do file versioning, it has many options (Trash Can, Simple, Staggered or External file versioning) so if some weird conflict happens you'll never lose data. But honestly, I have never had any issues, and I have been running this setup for many years. So I'm sure I have run into all kind of edge cases and it just works.
As side note, Syncthing is an amazing piece of software. I sync everything for my other devices into a central PC and from there I do the backups.
KeePass is such a backwards step in usability and features that I don’t even consider it a competitor. The whole reason I moved to 1Password was to get away from how easy it was to accidentally lose data with the KeePass clients.
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
Lately I've been scrutinizing Bitwarden after discovering a long history of memory leak problems in the GitHub issue tracker. It's an extention I use with all of my browsers. It seems to use an unusually high amount of RAM on Safari and I suspect it's why RAM just never stops growing in MS Edge.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
Ah damn. I've only recently moved in to Bitwarden - paid - largely on the basis of a multiple-user shared vault and emergency grants to personal vaults.
I'd really, really like them to not to ruin it or make it massively more expensive.
Good post. I switched from Bitwarden to KeepassXC / KeepassDX / Syncthing across my Android phone, Linux PC, and Windows PC. This was the setup I had prior to using Bitwarden for the first time. The Keepass experience is significantly better these days! Importing from Bitwarden is trivial too. Recommended!
I was using this but when I switched to iOS I switched to Bitwarden.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.
I have had an excellent experience with Sushitrain/Synctrain on iOS [0]. It’s honestly the nicest Syncthing client I’ve used, although to be fair desktop-oriented clients have different design goals than mobile clientsm
The placement at the bottom of pricing is always where it was. Nothing has changed
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
They mentioned in an update that they accidentally removed “always free” text during a website update and put it back quickly. Seems the article was written in the intervening period
It does seem like most password managers have no moat for import/export, so I’m kinda banking on the idea that I can quickly migrate to Proton Pass or vaultwarden if things get ugly.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Does Proton Pass use a wireguard tunnel? Or does Bitwarden? TLS should suffice.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
Those at least have people whose literal jobs are to protect that stuff. The service, the clients, the transport, the environments, etc. That’s what I don’t have if I self host.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
I could quite easily ignore all this in the interest of not going through the pain of finding yet another password manager, but having your new CEO specialise in M&A is really hard to ignore.
After the LastPass fiasco I switched to selfhosting a password manager (bw).
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
Vibecoding a password manager might be the worst idea ever. You'd be better off with an encrypted Excel sheet. But otherwise, 1Password is great imo and there are other free open source password managers.
Actual password managers (eg not my old excel sheet) protect you against url doppelgänger and related phishing attacks, as well as incidentally discourage password reuse. 1Password can even now warn you if you try to paste into the wrong website (https://support.1password.com/browser-autofill-security/)
People mock Excel's encryption, mostly based on the outdated binary format's "encryption" (which admittedly was a joke). Modern Excel is actually legitimately secure, it uses PBKDF2 (5K rounds) to hash the user's password then AES-256 for the actual encryption.
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
>Vibecoding a password manager might be the worst idea ever.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically...nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their hn password. That's if you can even get to it - selfhosted password managers are usually on LAN/behind vpn.
Risk profile wise the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on it's back.
Do we need to keep pointing this out though? LLMs are not going anywhere any time soon and people will keep using them to generate articles.
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
I guess for me, blatant LLM style reminds me of LinkedIn-speak. Both are distracting and come across as fake. Somehow it's more interesting to read something in another human's unique style than to read something that's obviously been passed through a filter.
1Password for Business accounts all get an additional 1Password for Families license (5 seats), so you can absolutely keep your work and personal life separate.
While I agree with the concerns raised in this article, I did not enjoy the writing style of it. Almost all of it feels AI generated, and is written in a very combative tone.
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
How did we as an industry go from "Passwords in notebooks are insecure, use a password manager" full circle back to "Password managers are insecure, write your passwords in notebooks"?
There has always been more nuance. The notebook is basically air gapped, but since using it is painful, most will rely on shorter, simpler, passwords and reuse them. That practice is highly insecure and was even more problematic in the days before widespread 2FA on the more crucial online services. As a teen I could have had for instance blizzard get breached and collaterally lose all of my csgo skins.
KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use that other password managers once you set it up
Ehh.. much as I love syncthing, I wouldn't recommend it to nontechnical people. I mean, here the dad has android the mom iphone amd they want to sync a keepass file? Maybe with a browser addon on a desktop as well? And the most popular third party android app is discontinued (I use the nerdily named syncthing-fork) and the ios apps i never managed to get to work for my family (maybe sushitrain works now?). But if you live close to parents I guess it can work. This kind of software can be good for social cohesion and less isolation =P
I use keepass and have for years and I wanted to switch from using google drive to something more self hosted so I tried sync-thing. I have been a C and C++ developer for over 40 years and I found it one of the most obtuse things I have ever tried. I'll have to get back to it. :) It's still running but somehow never syncs a single file between the desktop and the linux server. I don't think the android client can run on a modern pixel phone anyway anymore due to security constraints.
Syncthing-fork is running perfectly fine on my Pixel 9. The web interface is definitely better than the default app interface, it's a shame they even bothered with that app interface.
All you have to do is exchange "keys" with the two machines you want to sync and then it's mostly set and forget
Say what you will, but the Apple ecosystem's Passwords app and integration works great. It locks me into their services (iCloud), but I don't see them ever charging for it or sunsetting it. (watch me eat my words in the near future)
Password App surely is a good alternative, however i don’t think there are clients for Linux or Windows? …and that is where Bit/Vaultwarden comes into play.
I can't speak for Linux, but it's now part of their iCloud for Windows suite with browser access via extension[1]. Exporting from Bitwarden to Passwords (on an iPhone at least) is (as of this post) a simple Export Vault operation, but non-passwords/passkeys are not supported.
Google's is even better, as it is cross-platform (although same caveat of having even more dependency on your account is still true). Plus (not sure about Apple) but Google also does (portable) passkeys and OTP.
Apple does portable passkeys and OTP as well. I know you're going to laugh at me since I'm using Apple, but I don't trust Google with anything. Apple at least pretends to care about keeping my information in-house.
I'm not gonna laugh but I can tell you quite authoritatively that Google will not abuse your passwords and passkeys. But more importantly (which is the main decision factor for me personally) - given the current state of software (in)security, I trust Google more than anyone else to build it right and to avoid attack vectors less sophisticated companies might expose.
(DISCLAIMER: I am on 1Password which I've been using for long long time - way before password management in Chrome became a real thing. But let's just say, GPM is becoming more and more compelling proposition).
This will probably finally push me to migrate away from Bitwarden. Somehow over the years the UI was getting worse and worse too. It's more steps to add custom hidden fields than it used to, etc.
It seems like it’s probably time for a bitwarden client alternative. I’m already running vaultwarden, it’d be nice to have a community-run client. The bitwarden client apps are so mid already - it seems like it couldn’t be that hard to out do them.
I'd definitely give a Bitwarden client alternative a try, but I really hope this isn't the start of client fragmentation like it happened for Keepass, especially given that a server is involved here.
The Bitwarden chrome extension just randomly stopped working for me the other day. This is after years of working flawlessly. I had to remove the extension and add it back to get it working...What a shame. Hosting a password manager isn't a game; these are people's real lives and businesses at stake.
Omg, do we really need to make another app suck? I left last pass years ago, I'll leave again but wow I'm tired of this cycle. Private equity is truly the destroyer of value. The next time will be self hosted. Anyone know of a password manager that can encrypte and live in say Google drive?
How portable do you need it to be? I use pass[1] and it is good. Just a shell script wrapper to gpg and the passwords are encrypted files you can backup and sync anyway you want.
What a shame. I've been a paying Bitwarden customer since 2018. I really don't have time to move off yet, but I'll need to keep an eye out for where to jump. It sucks that this seems to just be the logical conclusion of all great projects.
Tried everything and love 1pass. Dont want to have to think about it too much.
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
I use BitWarden because I'd never trust a password manager with close source clients. Before BitWarden I used a local manager: BitWarden made my life easier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
I don't see the problem here. It's a great product and if they want to make money then I don't mind. If it's too expensive, and they hike the price to something ridiculous then I'll vote with my wallet.
I’m fine with paying a bit more. I honestly don’t think I even use any of the premium features. I started paying because their founder answered some question I sent years ago and I figured that kinds of support deserved my support. I could still be on the free tier if cost were a concern.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
Management and leadership values, character, and integrity matter because it's unwise to assume there is some homogenous allegiance to customers behind the propaganda of putting the customer first. PE will and must squeeze for their margins as is their wont. They have learned it's unwise to draw attention to this.
I'm in the same boat, became a premium member to support Bitwarden and use the built-in authenticator. The subscription price is now a negative proposition, alongside the silent rollout and the other red flags raised in the post. I'll probably move to self-hosted, since I have spare compute on my VPS.
I am fine with the price increase, for me its how sneaky they're being about everything. If they sent a few emails about the recent changes I wouldn't care, but it feels like they do not want customers to know which is the last thing I want from a password manager.
Indeed. As I'm sure the new PE-focused CEO knows, the sale of a company includes not just the typical balance sheet items but also intangible assets such as goodwill. Being sneaky about is an attempt to minimize the loss of such intangibles ahead of a sale.
The problem is the rug-pull. You can't go and proudly state "free forever", and then silently back down on that commitment. That is a textbook example for the enshittification cycle... lure users in with grand promises, sell out once you got enough of a following.
(Well, technically, you can, but then don't complain about getting called out)
You must be getting a different version of that page than me. The free tier is there but there’s no “always free” verbiage. There is “start free” verbiage.
Edit: “always free” was hidden under a collapsed section
LOL.. you are correct. Funny thing though... the 'Always Free' text is linked to a "/start-free/" action\page. One could argue that they are hedging their bets.
Some other commenter says there are Archive.org cached versions with "Start free" instead of "Always free", so they must have backpedaled on this. Maybe they realized they turned the knob a bit too much towards "hot", increasing the temperature of the proverbial water too noticeably.
I’m not willing to check all the pages on archive.org but for sure a month ago they had a big “Basic Free” tile in the plan comparison. Now it’s just Premium and Family. They are definitely downplaying the ability to use it for free.
Seems like they want to downplay the mentally that you would never benefit from an upsell to the paid plans, even if the free plan itself stays always free
Not disputing the overall feeling about the changes at Bitwarden but "Always free" phrase is still actually there if you're creating a personal Free account.
Kinda funny. I helped get passit.io off the ground YEARS ago but we pivoted away from it because Bitwarden more or less ate our lunch. They just moved way faster.
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
Doesn’t it cost much more than BW? I don’t really understand if the main complaint is people worrying about losing the free option (which hasn’t even happened)
Not sure it makes sense on its own at $5 a month (currently discounted so $3), but as part of the Proton Ultimate package which gives you mail, VPN etc in addition it's not bad in my view. YMMV.
Worked well for me, I use it for non-critical web accounts and such. KeePass for the few core accounts etc.
I've been keeping my eye on AliasVault[1]. Open-source, self-hostable or pay for cloud hosting, handles both email aliases and passwords.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
No they aren't. They have a minimum of 10 users on their cloud plans and no offers at all for individuals, except self hosting - and you can just use vaultwarden at that point anyway...
For the closest experience, self-host Vaultwarden and keep using the bitwarden clients you're used to. They're GPL-3.0 and aren't going anywhere (and could be forked if there was ever drama).
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
The Windows app for iCloud Passwords works fairly well, no real complaints about it to share. It can sometimes be a bit clunky and slow, though that's likely related to my environment rather than the app itself.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
Even if the clients go closed source and forked, there's still the very serious issue of closed app ecosystems on iOS and Android. It's one thing to self-host a Vaultwarden instance, it's another entirely to pay Google and Apple $100 a year to publish your own app.
I started looking for a replacement when I noticed how much RAM the extension was using. >1GB for a password manager seems ridiculous. I'm currently debating between Keepassium and Strongbox but I wonder if there is something better.
If you have Bitwarden installed on an iPhone, you can export directly to Apple Passwords with no intermediate steps or trying to figure out where to save the unencrypted CSV file. I just did this and it looks pretty good so far.
funny, I just changed to bitwarden from 1-password after they had a big price increase (I probably otherwise would have been a lifetime customer if it could have been a leave it and never think about it again for the next 40 years deal).
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
This is terrifying, but I couldn't help myself from frustration at the LLM writing that only worsened over the course of the post. Bloggers, it's not subtle. Please, stop, or at least disclose it.
I don't think these companies are obligated to run a free tier. Someone has to pay the infra. It's a little shady that they didn't announce any of this though. But bitwarden is open source and you can host it all yourself
Besides vaultwarden, I have been testing both AliasVault and peerpass, there’s also passbolt for self hosting. That being said, keep a copy of your vault in keepassXC, and better, don’t put your eggs in one basket so 2FA in keepassXC and passwords in one of the above.
If the price ever became unresaonable i'd host my own VaultWarden instance.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
Password protection by a for-profit (where the password protection is the product that you can't have unless you pay for it) is a fundamentally stupid and dangerous business model.
Enshittification is properly viewed as a cybersecurity risk, a category of insider threat. You defend against it, when possible, by using open source software and open, documented file formats. That way, if open source enshittifies, the community can defend by forking. I’m so grateful for KeepassXC.
I just read the linked Fast Company article [0]. One question that particularly frustrates me about this process is: why are the former leadership of companies that become enshittified so quiet about it? Do they just get paid out with restrictive NDAs?
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
> Do they just get paid out with restrictive NDAs?
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
is there an enshittification watch site? or something to track acquisition and red flags in products/oss projects?
itsenshittifiedyet.info
if not, what would it take to do that? i think it can be vibed in a weekend.
I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
https://github.com/dani-garcia/vaultwarden
No matter where Bitwarden ends up, passwords are one of these few things I am very hesitant to self-host. The stakes are just too high, and my knowledge of security has too many unknown unknowns to take that risk.
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I've got it running in an LXC container. Other than occasionally updating it, it's been entirely trouble free (I did need to work to get it out of the Docker container but that's a problem most won't have). Honestly one of the most useful and low trouble self-hosted apps I've used next to Dokuwiki. As far as hardening, I have not done a huge amount, but it lives on my LAN and is only reachable via VPN from the outside, which again works surprisingly well even with my Android phone.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security.
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
I’m not an expert with web sockets or web development - but re: Get Params, Vaultwarden has to follow the API of the upstream Bitwarden implementation:
https://github.com/dani-garcia/vaultwarden/discussions/1549#...
The upstream also had this issue, which appeared to be closed without a PR:
https://github.com/bitwarden/server/issues/3650
Requiring a reverse proxy for TLS is pretty standard, but the rest of those findings are egregious (if they haven't been addressed yet.)
Those problems are endemic to all web apps.
e.g. You can’t just provide software to people that obtains TLS certs on their behalf: you have no idea how their infra is setup.
Hosting any app on your own infra is a serious skill set.
Since it's authored by the vaultwarden collaborators, I would not trust the project any bit of my passwords.
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I have my vaultwarden running on a container on my home-lab server acessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this)
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden.
Mobile wireguard clients are very good as a solution to the access problem.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
It’s a bad strategy. I am capable so I host an instance of vaultwarden for myself and spouse (only available via our vpn)
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating.
I think that term refers more to the conflict of interest that now exists.
Kind of makes a lot of sense that they wound up working there too.
I touched it never aside from updates and it never failed. I compiled it from sources tho
It's as reliable as you make it.
Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming.
It is still maintained, but I believe the maintainer is employed by Bitwarden now, and is working on projects in addition to Vaultwarden.
Is there an alternative frontend as well, or are you still locked in?
https://github.com/doy/rbw Is an alternative Bitwarden cli front end. Probably has plenty of scaffolding to build a GUI frontend based on it.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Better question is how difficult would it be to have keypass use vaultwarden for sync.
Their android app at least is open source and on available on their own f-droid repo
How do you trust that it will be kept maintained and secure?
Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling taking custom server address away with important security fixes, in a way that you are damned if you do and damned if you don't.
Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it.
+1
I am a paid subscriber. I am kind of ok with the price increase.
The "coincident" with change of CEO and remove of "always free" tag worries me though.
I just sent them a message along these lines.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
It is really easy to self-host, and do so securely...
I’m not buying hosting from a password manager, I’m buying security. I don’t have complete confidence that I can secure a self-hosted password manager and it’s not an area where I want to take risks.
It's very simple, just don't make it accessible outside your home network. Clients sync when the server is accessible and use last synced data otherwise.
The effort required to set this up far outweighs the price to pay someone to do it for me.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
Tailscale for your laptop, phone, etc. to be able to talk to the other computers when away from your home WiFi. (Optional, but makes syncing easier).
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
It's really not much effort.
I mean does it? I have set it up before but I just set it up for my new small office team. I already had an internal server and WireGuard vpn in our office and it took 2 minutes to create a quadlet to run vaultwarden and a few more to configure it. The “hardest” part was training the team on how to use collections.
Give it less than one financial quarter and I guarantee the website will be about “identity for AI agents.”
I'm so fucking tired of jumping ship with these password vault providers. This will be my third jump in so many years.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now., I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshitification knows no bounds?
Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.
Can anyone name a PE purchase that made a company better?
in my humble opinion, Dominos ?
I jumped to Bitwarden because of 1P's new pricing doing exactly that.
Circle of live, I guess.
Me too precisely. But after getting acclimated to a self hosted vaultwarden for the backend and beginning to explore some of the 3rd party Bitwarden frontends that implement its API, I’d recommend hanging in there a bit longer. I think there may be a moat around BW already for self-hosting.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
Bitwarden hasn’t “enshittified” anything. It’s all entirely speculative
Red flags are always speculative.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
PE's entire modus operandi is enshittification. If there's no enshittification to be done there would be no point in purchasing the company
It has already enshitified. These changes are text book.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
Looks pretty bad regardless of speculation. There are enough red flags to warrant actions and to consider this another enshitification.
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
Same. Whenever I see a PE acquisition, I immediately shift my purchases (eg namecheap last year)
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you cant just burn up VC money forever.
Does a bear shit in the woods?
Interesting, where are you from? Where does this proverb come from?
I know this proverb as (translating from Polish): You're asking the boar if he's shitting in the forest.
It's an extremely common phrase in the US, along with "Is the Pope Catholic?" Sometimes the two phrases are humorously mixed together.
I've never heard it mixed (not from US)...
"Is bear a Catholic?" doesn't seem very funny.
But a notion that everyone knows how Pope is regularly shitting in the woods absolutely is :)
We say "are bears Catholic?" when in more polite company and we can't get away with asking if the Pope shits in the woods :)
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turmips.
uh, by DRM you mean Digital Radio Mondiale[0], an open digital radio broadcasting standard? sure analog receivers won't work, but hardly a rugpull lol
[0]https://en.wikipedia.org/wiki/Digital_Radio_Mondiale
Yeah? That has to be the worst possible acronym for an open thing.
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
PE? Private Equity is the slippery slope to Public Enshitification.
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN, it will probably be fine.
I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
Actually, I didn't have any careful planning when I started out self-hosting Vaultwarden. I didn't even have system backup (was just a script kiddie back then, didn't even know about 1-2-3). I have to migrate my instance 3-4 times. But because I'm just hosting Vaultwarden for myself, I can export the whole account from one of the Bitwarden clients (either the extension or mobile app) and reimport it in the new instance. Because I always have at least three devices with active use connected to my Vaultwarden instance, for me this also counts as 3 off-site backup that can be used to re-instate the whole setup.
It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just selfhost it, at least for yourself. You'll probably be able to manage it when something happen.
Me and some friends have each been hosting vaultwarden casually for years now. What problem do you see? I mean if the Server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has it's own backup of the vault.
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
Thanks for making me check. Did not know this: "Offline Vault sessions will expire after 30 days. Except for mobile client applications, which will expire after 90 days." But for me that is enough time to feel safe, still will do backups regularly.
If you’re self-hosting,
and not using their official clients,
your database stays functional in perpetuity.
Which client? Is there a unofficial client for android that doesn't expire?
You need a VPS, correct? Are there any concerns about hardening your VPS from attackers? I worry about my ability to harden a public - facing service that is handling something so critical for myself.
Don't make it public facing! Put it behind a VPN!!
Use a host that takes care of this for you.
My host has prebuilds for Vaultwarden.
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
Is there anything stopping a commercial Vaultwarden host?
That already somewhat exists.
Reimplementing the server side is the easy part.
But a commercial offer will need rebranding the client, and maintaining forks is much more involved. As long as Bit warden publishes the sources ...
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
> If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase [...]
It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...
I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
As long as you continue to use (and upgrade) the Biwarden client apps, you should consider that BW could have the keys of your garden: they have control of decryption and encryption code, so that code could leak the key, whatever the server.
I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.
I don't think the clients are open source?
I don’t understand why people post incorrect statements that are trivial to check
https://github.com/bitwarden/android
Form the article; "The real safety net is that Bitwarden’s clients are Apache 2.0 licensed."
At this point it is too high of a risk to store my password elsewhere. I've been screwed over by dashlane, lastpass, potentially bitwarden now, I am with 1password now, but I've had my passwords in all these places, and I've had to change them each time, probably missing a few.
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a selfhosted keepass server, with the rugpulls, incidents, and whatnot, it is becoming too high of a risk.
Keepass has been my go to since forever, highly recommend. I never jumped on the SaaS password manager train when they started coming out, always just kept it local. There were times I thought I was missing out on some convenience but I'm glad I never moved.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
I’ve found being able to share passwords with my spouse very valuable which we couldn’t easily do with keepass. Also the syncing strategy on iOS is a disaster and corrupted my wife’s keepass db causing her to lose everything.
Is there reasonably priced cloud storage for this use-case? Their offerings are usually for several gigs of data, a kdbx is minuscule
Serious questions: what's wrong with just using Firefox built in password manager?
keepass files + syncthing works very nicely for me.
For non technical people, I just recommend to use the browser built in password managers. traviso has a good writeup why: https://lock.cmpxchg8b.com/passmgrs.html
I was doing this too until recently. The problem with this setup is more at Syncthing. More specifically, Syncthing Android app has seen some troubling changes in maintainers. The latest maintainer has a very sparse Github profile and an AI generated avatar, so I noped out of installing it right then.
How were you screwed over by these products?
Rug-pulls, security incidents, lost passwords, I also don't know if they've kept my passwords behind when i deleted my accounts. The risk of them having them is too high, so i had to swap all of them.
Interesting! I've been a LastPass and then 1Password user since 2009ish.
I left LastPass because of UX paper-cuts, but I've never lost passwords on either of them.
Honestly, it's something I don't want to think about and just need it to work on mobile and desktop, so the switching friction is very high for me. I'm not going to shop around and try different password managers.
Is "rug pull" a cost thing? I'm generally frugal, but pay for a family plan and don't think twice.
Thankful for people like the author who surveil tech companies that take this well-worn path toward greater monetization
Thank you for this post/link. I have been side eyeing Bitwarden since they started ensh*ttifying the desktop UX last year to make it more like everything else and take up too much space. It had been working perfectly well for browser autofill - super fast and staying out of the way. Now it is bloated white space, slow, standardized UX elements like any SaaS built by AI. Will check out Vaultwarden, Proton Pass, Keepass, I guess. But sadly - yet another tool that worked perfectly well that was ruined in contempt of its own users (LastPass, Authy, Google Reader, etc - the list goes on)
As mentioned, enshittifying doesn't mean "make shitty" or "make worse". It's a specific exploitative company MO, like taking a product like Bitwarden and the goodwill it's generated with open source contributions, free plans, etc., and exploiting that trust by selling it to private equity, unbeknownst to the users, in order to squeeze the most out of it they can and then scrap it.
I really don’t think a UI redesign is the intended meaning of enshittification. BW has had by far the best free option for password management since I started using them 8 years ago.
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
I have moved to KeepassXC[1] on my desktop from Bitwarden. On phone, I use KeepassDX[2] which is Android client compatible with KeepassXC. On browser, I use KeepassXC Browser extension which connects with the desktop client. Since KeepassXC operates on a single file, you can use any Filesystem syncing tool to sync that file between devices or to store it in the cloud. I am really happy with the move.
[1]: https://keepassxc.org [2]: https://www.keepassdx.com
The file syncing, particularly between Android phone and multiple desktop machines, is my biggest worry with this workflow. Will the synced Keepass file get corrupted if I add a new password on the phone and also on desktop, and then later try to merge them?
Been using this setup for many years and never had any problem at all. I sync between desktop and mobile with Syncthing[0]. You can configure Syncthing to do file versioning, it has many options (Trash Can, Simple, Staggered or External file versioning) so if some weird conflict happens you'll never lose data. But honestly, I have never had any issues, and I have been running this setup for many years. So I'm sure I have run into all kind of edge cases and it just works.
As side note, Syncthing is an amazing piece of software. I sync everything for my other devices into a central PC and from there I do the backups.
- [0]: https://syncthing.net/
No, KeepassXC has an option to merge databases, it never caused me any trouble. I have a similar setup to parent commenter.
Recently moved to a KeePass setup after 1Password raised their prices. Feels good to be in complete control.
This is my exact plan too, if I ever have to leave the Apple ecosystem.
KeePassXC is cross-platform FYI
KeePass is such a backwards step in usability and features that I don’t even consider it a competitor. The whole reason I moved to 1Password was to get away from how easy it was to accidentally lose data with the KeePass clients.
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
Wild to me that Bitwarden raised > $100m from VC. Seems like the kind of thing that would make a nice lifestyle business.
The enterprise version never went beyond password management so I'm not sure how this could have generated a viable ROI.
Lately I've been scrutinizing Bitwarden after discovering a long history of memory leak problems in the GitHub issue tracker. It's an extention I use with all of my browsers. It seems to use an unusually high amount of RAM on Safari and I suspect it's why RAM just never stops growing in MS Edge.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
Ah damn. I've only recently moved in to Bitwarden - paid - largely on the basis of a multiple-user shared vault and emergency grants to personal vaults.
I'd really, really like them to not to ruin it or make it massively more expensive.
Good post. I switched from Bitwarden to KeepassXC / KeepassDX / Syncthing across my Android phone, Linux PC, and Windows PC. This was the setup I had prior to using Bitwarden for the first time. The Keepass experience is significantly better these days! Importing from Bitwarden is trivial too. Recommended!
I was using this but when I switched to iOS I switched to Bitwarden.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.
I have had an excellent experience with Sushitrain/Synctrain on iOS [0]. It’s honestly the nicest Syncthing client I’ve used, although to be fair desktop-oriented clients have different design goals than mobile clientsm
[0] https://github.com/pixelspark/sushitrain
I use syncthing-fork from fdroid, works great
same. Recommend
as long as the house doesn't catch fire, or as long i run outside with 1 of my syncthing devices (have several), local cloud is the best.
Which variant of keepass tho?
It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
> It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
The placement at the bottom of pricing is always where it was. Nothing has changed
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
They mentioned in an update that they accidentally removed “always free” text during a website update and put it back quickly. Seems the article was written in the intervening period
It does seem like most password managers have no moat for import/export, so I’m kinda banking on the idea that I can quickly migrate to Proton Pass or vaultwarden if things get ugly.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Does Proton Pass use a wireguard tunnel? Or does Bitwarden? TLS should suffice.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
Those at least have people whose literal jobs are to protect that stuff. The service, the clients, the transport, the environments, etc. That’s what I don’t have if I self host.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
I could quite easily ignore all this in the interest of not going through the pain of finding yet another password manager, but having your new CEO specialise in M&A is really hard to ignore.
After the LastPass fiasco I switched to selfhosting a password manager (bw).
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
Vibecoding a password manager might be the worst idea ever. You'd be better off with an encrypted Excel sheet. But otherwise, 1Password is great imo and there are other free open source password managers.
Actual password managers (eg not my old excel sheet) protect you against url doppelgänger and related phishing attacks, as well as incidentally discourage password reuse. 1Password can even now warn you if you try to paste into the wrong website (https://support.1password.com/browser-autofill-security/)
People mock Excel's encryption, mostly based on the outdated binary format's "encryption" (which admittedly was a joke). Modern Excel is actually legitimately secure, it uses PBKDF2 (5K rounds) to hash the user's password then AES-256 for the actual encryption.
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
>Vibecoding a password manager might be the worst idea ever.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically...nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their hn password. That's if you can even get to it - selfhosted password managers are usually on LAN/behind vpn.
Risk profile wise the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on it's back.
The crypto part barely moves the needles here
The LLMs also help a script kiddie become a highly skilled crypto adversary though.
Especially if the concerns around Mythos are well founded.
I wouldn't worry.
The mythical Mythos can't even find Claude code bugs before releases.
True. No chance of me putting a DIY password manager on the open internet though. Would be behind WireGuard etc
I don't think concerns around Mythos are well founded. Highly doubt it will happen.
The concerns around Mythos are not well founded
> That’s not a software guy who happened to raise some money. That’s someone whose stated specialty is the PE integration and exit process.
Holy smokes has that's not just -> THAT IS become one of my trigger words.
Do we need to keep pointing this out though? LLMs are not going anywhere any time soon and people will keep using them to generate articles.
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
I guess for me, blatant LLM style reminds me of LinkedIn-speak. Both are distracting and come across as fake. Somehow it's more interesting to read something in another human's unique style than to read something that's obviously been passed through a filter.
It's almost certainly ai written though. All the regular tells are there... Though he likely edited some out, like that "just"
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
Correct, that was my point
Thank you for pushing me to migrate away from Bitwarden. I've used them for years but I was moving away slowly; now I've moved.
Out of interest, where are you moving?
Apple's passwords app. It's what I use almost everywhere. I use 1password for work but I'd prefer not to mix work and personal life.
1Password for Business accounts all get an additional 1Password for Families license (5 seats), so you can absolutely keep your work and personal life separate.
What happens when you leave that business account? (e.g. change jobs, leave the company, get acquired and consolidate etc)
While I agree with the concerns raised in this article, I did not enjoy the writing style of it. Almost all of it feels AI generated, and is written in a very combative tone.
You start reading. Then it hits you. The short, choppy sentences. The stock phrases. This wasn't written by a human — this was generated by AI.
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
How did we as an industry go from "Passwords in notebooks are insecure, use a password manager" full circle back to "Password managers are insecure, write your passwords in notebooks"?
There has always been more nuance. The notebook is basically air gapped, but since using it is painful, most will rely on shorter, simpler, passwords and reuse them. That practice is highly insecure and was even more problematic in the days before widespread 2FA on the more crucial online services. As a teen I could have had for instance blizzard get breached and collaterally lose all of my csgo skins.
KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use that other password managers once you set it up
Ehh.. much as I love syncthing, I wouldn't recommend it to nontechnical people. I mean, here the dad has android the mom iphone amd they want to sync a keepass file? Maybe with a browser addon on a desktop as well? And the most popular third party android app is discontinued (I use the nerdily named syncthing-fork) and the ios apps i never managed to get to work for my family (maybe sushitrain works now?). But if you live close to parents I guess it can work. This kind of software can be good for social cohesion and less isolation =P
I use keepass and have for years and I wanted to switch from using google drive to something more self hosted so I tried sync-thing. I have been a C and C++ developer for over 40 years and I found it one of the most obtuse things I have ever tried. I'll have to get back to it. :) It's still running but somehow never syncs a single file between the desktop and the linux server. I don't think the android client can run on a modern pixel phone anyway anymore due to security constraints.
Syncthing-fork is running perfectly fine on my Pixel 9. The web interface is definitely better than the default app interface, it's a shame they even bothered with that app interface.
All you have to do is exchange "keys" with the two machines you want to sync and then it's mostly set and forget
I switched from KeepassXC and KeepassDX to Vaultwarden, primarily to make it easier to get family members to transition to using password managers.
Say what you will, but the Apple ecosystem's Passwords app and integration works great. It locks me into their services (iCloud), but I don't see them ever charging for it or sunsetting it. (watch me eat my words in the near future)
Password App surely is a good alternative, however i don’t think there are clients for Linux or Windows? …and that is where Bit/Vaultwarden comes into play.
I can't speak for Linux, but it's now part of their iCloud for Windows suite with browser access via extension[1]. Exporting from Bitwarden to Passwords (on an iPhone at least) is (as of this post) a simple Export Vault operation, but non-passwords/passkeys are not supported.
1: https://support.apple.com/guide/icloud-windows/set-up-icloud...
That's correct; I only use MacOS and iOS.
Google's is even better, as it is cross-platform (although same caveat of having even more dependency on your account is still true). Plus (not sure about Apple) but Google also does (portable) passkeys and OTP.
Apple does portable passkeys and OTP as well. I know you're going to laugh at me since I'm using Apple, but I don't trust Google with anything. Apple at least pretends to care about keeping my information in-house.
I'm not gonna laugh but I can tell you quite authoritatively that Google will not abuse your passwords and passkeys. But more importantly (which is the main decision factor for me personally) - given the current state of software (in)security, I trust Google more than anyone else to build it right and to avoid attack vectors less sophisticated companies might expose.
(DISCLAIMER: I am on 1Password which I've been using for long long time - way before password management in Chrome became a real thing. But let's just say, GPM is becoming more and more compelling proposition).
One day they could decide to suddenly block your account for no reason they would like to communicate to you or just you lose your password.
And then you will be screwed very hard with not recourse...
This will probably finally push me to migrate away from Bitwarden. Somehow over the years the UI was getting worse and worse too. It's more steps to add custom hidden fields than it used to, etc.
It seems like it’s probably time for a bitwarden client alternative. I’m already running vaultwarden, it’d be nice to have a community-run client. The bitwarden client apps are so mid already - it seems like it couldn’t be that hard to out do them.
I'd definitely give a Bitwarden client alternative a try, but I really hope this isn't the start of client fragmentation like it happened for Keepass, especially given that a server is involved here.
The Bitwarden chrome extension just randomly stopped working for me the other day. This is after years of working flawlessly. I had to remove the extension and add it back to get it working...What a shame. Hosting a password manager isn't a game; these are people's real lives and businesses at stake.
I've had similar issues, it's ridiculous!
Omg, do we really need to make another app suck? I left last pass years ago, I'll leave again but wow I'm tired of this cycle. Private equity is truly the destroyer of value. The next time will be self hosted. Anyone know of a password manager that can encrypte and live in say Google drive?
> Anyone know of a password manager that can encrypte and live in say Google drive?
Can't most of the many KeePass variants do that?
How portable do you need it to be? I use pass[1] and it is good. Just a shell script wrapper to gpg and the passwords are encrypted files you can backup and sync anyway you want.
[1]: https://www.passwordstore.org/
What a shame. I've been a paying Bitwarden customer since 2018. I really don't have time to move off yet, but I'll need to keep an eye out for where to jump. It sucks that this seems to just be the logical conclusion of all great projects.
Literally nothing has been taken away from BW yet, it’s all just speculative for now
We all know where it's going
Better to look for exit strategies before the need arises.
Yes, speculative, for sure. In the same way if I hold a rock in my hand and let it go, it's speculative that it will fall to the ground.
IANAL but if a company advertises "always free" and then starts charging, how is that not either false advertising and/or a breach of contract?
IAANAL, but always free sounds like it could fall under puffery: https://uslawexplained.com/puffery
It’s a “always a free option” which doesn’t clarify what you get with the free version.
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
Tried everything and love 1pass. Dont want to have to think about it too much.
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
I use BitWarden because I'd never trust a password manager with close source clients. Before BitWarden I used a local manager: BitWarden made my life easier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
I don't see the problem here. It's a great product and if they want to make money then I don't mind. If it's too expensive, and they hike the price to something ridiculous then I'll vote with my wallet.
I’m fine with paying a bit more. I honestly don’t think I even use any of the premium features. I started paying because their founder answered some question I sent years ago and I figured that kinds of support deserved my support. I could still be on the free tier if cost were a concern.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
Management and leadership values, character, and integrity matter because it's unwise to assume there is some homogenous allegiance to customers behind the propaganda of putting the customer first. PE will and must squeeze for their margins as is their wont. They have learned it's unwise to draw attention to this.
Time to act accordingly.
I'm in the same boat, became a premium member to support Bitwarden and use the built-in authenticator. The subscription price is now a negative proposition, alongside the silent rollout and the other red flags raised in the post. I'll probably move to self-hosted, since I have spare compute on my VPS.
I am fine with the price increase, for me its how sneaky they're being about everything. If they sent a few emails about the recent changes I wouldn't care, but it feels like they do not want customers to know which is the last thing I want from a password manager.
Indeed. As I'm sure the new PE-focused CEO knows, the sale of a company includes not just the typical balance sheet items but also intangible assets such as goodwill. Being sneaky about is an attempt to minimize the loss of such intangibles ahead of a sale.
The problem is the rug-pull. You can't go and proudly state "free forever", and then silently back down on that commitment. That is a textbook example for the enshittification cycle... lure users in with grand promises, sell out once you got enough of a following.
(Well, technically, you can, but then don't complain about getting called out)
they haven't backed down, you find the "Always free" claim in the very same webpage OP linked https://bitwarden.com/products/personal/#whats-the-differenc...
You must be getting a different version of that page than me. The free tier is there but there’s no “always free” verbiage. There is “start free” verbiage.
Edit: “always free” was hidden under a collapsed section
It's not super big but it is there in the comparison list.
Pricing: Always free
Ctrl+f for "Always"
I searched for the word “always”. It was not (and is not; I just checked again) there on the version of the page I was served.
Edit: Actually, it is there, hidden from search under the collapsed pricing section.
LOL.. you are correct. Funny thing though... the 'Always Free' text is linked to a "/start-free/" action\page. One could argue that they are hedging their bets.
Some other commenter says there are Archive.org cached versions with "Start free" instead of "Always free", so they must have backpedaled on this. Maybe they realized they turned the knob a bit too much towards "hot", increasing the temperature of the proverbial water too noticeably.
I’m not willing to check all the pages on archive.org but for sure a month ago they had a big “Basic Free” tile in the plan comparison. Now it’s just Premium and Family. They are definitely downplaying the ability to use it for free.
https://web.archive.org/web/20260414143334/https://bitwarden...
Seems like they want to downplay the mentally that you would never benefit from an upsell to the paid plans, even if the free plan itself stays always free
as long as the people who signed up when it said it are granfathered, is it ok then?
Maybe okay on a personal level, but the PE maw eating another great option is just depressing in a more general sense.
Not disputing the overall feeling about the changes at Bitwarden but "Always free" phrase is still actually there if you're creating a personal Free account.
I believe they added it back after people noticed, archive.org has versions where its gone
Yeah, to me this isn't about whether or not it's "always free". It's about the rug pull.
"They put some of the rug back!" isn't enough to restore goodwill in my case.
What did they pull exactly? Nothing has changed about the product except for a small price increase (but free version is still great)
Yeah, I don’t trust their path anymore
what are some bitwarden alternatives?
I went with the classic: KeepassXC + Syncthing
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
Keepass or one of its variants are great. Pair it with a shared folder via SyncThing/GDrive/Dropbox/whatever and you'll be set.
Kinda funny. I helped get passit.io off the ground YEARS ago but we pivoted away from it because Bitwarden more or less ate our lunch. They just moved way faster.
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
Proton Pass. Not ideal but actively developing and IMO its UX is way better than what I had with Bitwarden.
I think once url matching is added (which is now on their roadmap[1]), I'll try making the switch from my current password manager.
[1]: https://proton.me/blog/pass-roadmap-spring-summer-2026
Personal anecdote --- Proton Pass very quickly went from worse than Bitwarden to better with more reliable auto-fill.
Doesn’t it cost much more than BW? I don’t really understand if the main complaint is people worrying about losing the free option (which hasn’t even happened)
Not sure it makes sense on its own at $5 a month (currently discounted so $3), but as part of the Proton Ultimate package which gives you mail, VPN etc in addition it's not bad in my view. YMMV.
Worked well for me, I use it for non-critical web accounts and such. KeePass for the few core accounts etc.
I've been keeping my eye on AliasVault[1]. Open-source, self-hostable or pay for cloud hosting, handles both email aliases and passwords.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
[1]: https://www.aliasvault.net/
Passbolt https://www.passbolt.com/
No they aren't. They have a minimum of 10 users on their cloud plans and no offers at all for individuals, except self hosting - and you can just use vaultwarden at that point anyway...
For the closest experience, self-host Vaultwarden and keep using the bitwarden clients you're used to. They're GPL-3.0 and aren't going anywhere (and could be forked if there was ever drama).
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
Depends on what you are looking for. I use keepass to store my password + syncthing to sync across devices
I left for Apples Passwords.app and never looked back. Of course, that has its own limitations if you are not bought into Apple's ecosystem.
Apple apparently has an iCloud app for Windows that syncs passwords and provides extensions for major browsers. I had no idea.
The Windows app for iCloud Passwords works fairly well, no real complaints about it to share. It can sometimes be a bit clunky and slow, though that's likely related to my environment rather than the app itself.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
Even if the clients go closed source and forked, there's still the very serious issue of closed app ecosystems on iOS and Android. It's one thing to self-host a Vaultwarden instance, it's another entirely to pay Google and Apple $100 a year to publish your own app.
I believed Steve Gibson about lastpass, then about bitwarden.
I started looking for a replacement when I noticed how much RAM the extension was using. >1GB for a password manager seems ridiculous. I'm currently debating between Keepassium and Strongbox but I wonder if there is something better.
Strongbox already got bought out, but it's still very good and you can store the file wherever you want.
How hard is it to fully migrate from Bitwarden to Apple Passwords / Google Passwords? I guess I'm going to have to spend 2 hours on this next weekend.
If you have Bitwarden installed on an iPhone, you can export directly to Apple Passwords with no intermediate steps or trying to figure out where to save the unencrypted CSV file. I just did this and it looks pretty good so far.
What about TOTP tokens?
Dupe https://news.ycombinator.com/item?id=48157588
funny, I just changed to bitwarden from 1-password after they had a big price increase (I probably otherwise would have been a lifetime customer if it could have been a leave it and never think about it again for the next 40 years deal).
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
A password management system is one thing I definitely don’t want vibe coded.
Wonder if Sullivan is the same Sullivan involved in the Autonomy lawsuit
This feels more like an expectation management problem than a product problem.
This is terrifying, but I couldn't help myself from frustration at the LLM writing that only worsened over the course of the post. Bloggers, it's not subtle. Please, stop, or at least disclose it.
I don't think these companies are obligated to run a free tier. Someone has to pay the infra. It's a little shady that they didn't announce any of this though. But bitwarden is open source and you can host it all yourself
Besides vaultwarden, I have been testing both AliasVault and peerpass, there’s also passbolt for self hosting. That being said, keep a copy of your vault in keepassXC, and better, don’t put your eggs in one basket so 2FA in keepassXC and passwords in one of the above.
If the price ever became unresaonable i'd host my own VaultWarden instance.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
I started getting banner ads for them, as well.
Ah! Curse your sudden but inevitable betrayal!
curious whether "always free" is only marketing or actually has some legal implications
Password protection by a for-profit (where the password protection is the product that you can't have unless you pay for it) is a fundamentally stupid and dangerous business model.
Waiting for everyone to understand this.
We've got to remove "quiet" as GPTism. It's a renovation. That's it.
For people looking for an alternative, Proton Pass is one, Keepass + Syncthing is another.
Enshittification is properly viewed as a cybersecurity risk, a category of insider threat. You defend against it, when possible, by using open source software and open, documented file formats. That way, if open source enshittifies, the community can defend by forking. I’m so grateful for KeepassXC.
This is terrible news. Jump off the ship while it's still possible!
I just read the linked Fast Company article [0]. One question that particularly frustrates me about this process is: why are the former leadership of companies that become enshittified so quiet about it? Do they just get paid out with restrictive NDAs?
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
> Do they just get paid out with restrictive NDAs?
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
is there an enshittification watch site? or something to track acquisition and red flags in products/oss projects? itsenshittifiedyet.info if not, what would it take to do that? i think it can be vibed in a weekend.
edit: s/of/and
Crap. I just switched to Bitwarden as it was the only password manager that Just Worked and didn't seem scammy. Oh well
I am tired of this bullshit.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.
Can someone just fork BitWarden into another open source project already? Maybe MorselGuardian lol