antran22 1 days ago [-]
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN, it will probably be fine.
I'm not particularly worried about Bitwarden going belly up because it already has such a well-established open-source replacement. The worst-case scenario is that Bitwarden makes the clients incompatible with Vaultwarden, and as OP already mentioned in the post, somebody in the community will fork them as soon as this happens.
gchamonlive 1 days ago [-]
Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
antran22 16 hours ago [-]
Actually, I didn't have any careful planning when I started out self-hosting Vaultwarden. I didn't even have a system backup (was just a script kiddie back then, didn't even know about 1-2-3). I had to migrate my instance 3-4 times. But because I'm just hosting Vaultwarden for myself, I can export the whole account from one of the Bitwarden clients (either the extension or mobile app) and reimport it in the new instance. Because I always have at least three devices with active use connected to my Vaultwarden instance, for me this also counts as 3 off-site backups that can be used to re-instate the whole setup.
It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just self-host it, at least for yourself. You'll probably be able to manage it when something happens.
inexcf 1 days ago [-]
Some friends and I have each been hosting Vaultwarden casually for years now. What problem do you see? I mean, if the server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has its own backup of the vault.
gchamonlive 1 days ago [-]
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
inexcf 1 days ago [-]
Thanks for making me check. Did not know this:
"Offline Vault sessions will expire after 30 days.
Except for mobile client applications, which will expire after 90 days."
But for me that is enough time to feel safe, still will do backups regularly.
DANmode 20 hours ago [-]
If you’re self-hosting,
and not using their official clients,
your database stays functional in perpetuity.
gchamonlive 20 hours ago [-]
Which client? Is there an unofficial client for Android that doesn't expire?
venusenvy47 22 hours ago [-]
You need a VPS, correct? Are there any concerns about hardening your VPS from attackers? I worry about my ability to harden a public-facing service that is handling something so critical for myself.
noAnswer 21 hours ago [-]
Don't make it public facing! Put it behind a VPN!!
porshia 8 hours ago [-]
Firewall*
DANmode 20 hours ago [-]
Use a host that takes care of this for you.
My host has prebuilds for Vaultwarden.
borg16 4 hours ago [-]
Can you recommend what host you use? Noob here, and looking for something like this.
hypeatei 1 days ago [-]
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
gchamonlive 4 hours ago [-]
Easier said than done. If done manually you will eventually forget, and to automate you have to wrap around a call to the bitwarden cli, which, as we've seen, already suffered a supply chain breach: https://news.ycombinator.com/item?id=47876043
The API for managing secrets automatically is gated behind `bitwarden-cli serve`, which is surprising to me: I can't call the API directly using urllib or requests. I have to pass it through the bitwarden-cli.
I've been using bitwarden for a while, but your comment prompted me to investigate how I could back up my secrets, and this is a surprise. I am considering moving to my own infrastructure, because I dread having to depend on this tool to automate regular backups for me. Better to do that at the service layer. Problem is just how to expose it. There is always tailscale but that's just shifting the problem around.
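The backup drills recommended earlier in the thread, and the service-layer backup this comment wishes for, as an added example that is not Vaultwarden's or Bitwarden's own tooling: it snapshots a Vaultwarden data directory with SQLite's online backup API, writes a SHA-256 manifest, then restores the copy into scratch space and checks `PRAGMA integrity_check` and per-table row counts, once against a healthy copy and once against a deliberately corrupted one. It assumes Vaultwarden's default SQLite layout (db.sqlite3, rsa_key*.pem, config.json, attachments/, sends/) and builds a constructed sample data directory rather than touching a real vault.

```python
import hashlib
import json
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Vaultwarden's default on-disk layout with the SQLite backend.
DB_FILE = "db.sqlite3"
EXTRA_FILES = ("rsa_key.pem", "rsa_key.pub.pem", "config.json")
EXTRA_DIRS = ("attachments", "sends")

def snapshot_database(src_db: Path, dest_db: Path) -> None:
    # The online backup API yields a consistent copy even mid-write (a plain cp does not).
    src, dst = sqlite3.connect(src_db), sqlite3.connect(dest_db)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()

def backup_data_dir(data_dir: Path, backup_root: Path) -> Path:
    """Write a full backup plus a SHA-256 manifest; returns the backup dir."""
    backup_root.mkdir(parents=True, exist_ok=True)
    dest = Path(tempfile.mkdtemp(prefix="vaultwarden-", dir=backup_root))
    snapshot_database(data_dir / DB_FILE, dest / DB_FILE)
    for name in EXTRA_FILES:
        if (data_dir / name).is_file():
            shutil.copy2(data_dir / name, dest / name)
    for name in EXTRA_DIRS:
        if (data_dir / name).is_dir():
            shutil.copytree(data_dir / name, dest / name)
    manifest = {p.relative_to(dest).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
                for p in sorted(dest.rglob("*")) if p.is_file()}
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    return dest

def row_counts(db: Path) -> dict:
    con = sqlite3.connect(db)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables}
    finally:
        con.close()

def restore_drill(backup_dir: Path, live_counts: dict) -> dict:
    """Restore into scratch space and verify; report['ok'] is the verdict."""
    report = {"manifest_ok": False, "integrity": None, "counts_match": False}
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    report["manifest_ok"] = all(
        hashlib.sha256((backup_dir / rel).read_bytes()).hexdigest() == digest
        for rel, digest in manifest.items())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / DB_FILE
        shutil.copy2(backup_dir / DB_FILE, restored)
        con = sqlite3.connect(restored)
        try:
            report["integrity"] = con.execute("PRAGMA integrity_check").fetchone()[0]
            report["counts_match"] = row_counts(restored) == live_counts
        except sqlite3.DatabaseError as exc:  # e.g. "file is not a database"
            report["integrity"] = f"error: {exc}"
        finally:
            con.close()
    report["ok"] = (report["manifest_ok"] and report["integrity"] == "ok"
                    and report["counts_match"])
    return report

def make_sample_data_dir(root: Path) -> Path:
    """Constructed stand-in for a Vaultwarden data dir; holds no real vault."""
    data = root / "data"
    (data / "attachments").mkdir(parents=True)
    (data / "attachments" / "0001").write_bytes(b"constructed attachment")
    (data / "rsa_key.pem").write_text("constructed placeholder, not a key\n")
    con = sqlite3.connect(data / DB_FILE)
    con.executescript("""
        CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT);
        CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, user_uuid TEXT, data TEXT);
        INSERT INTO users VALUES ('u1', 'alice@example.test');
        INSERT INTO ciphers VALUES ('c1', 'u1', '<client-encrypted blob>');
    """)
    con.commit()
    con.close()
    return data

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = make_sample_data_dir(root)
        live = row_counts(data / DB_FILE)
        backup = backup_data_dir(data, root / "backups")
        healthy = restore_drill(backup, live)
        # Simulate silent corruption by zeroing the stored copy's SQLite header.
        stored = backup / DB_FILE
        stored.write_bytes(b"\x00" * 16 + stored.read_bytes()[16:])
        damaged = restore_drill(backup, live)
    return healthy, damaged
```

Point `backup_data_dir` at the real data directory (and stop or quiesce nothing; the online backup handles live writes) and run `restore_drill` on a schedule so a bad backup is noticed before it is needed.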
armchairhacker 1 days ago [-]
Is there anything stopping a commercial Vaultwarden host?
seanclayton 1 days ago [-]
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
dolmen 23 hours ago [-]
That already somewhat exists.
Reimplementing the server side is the easy part.
But a commercial offer will need to rebrand the client, and maintaining forks is much more involved. As long as Bitwarden publishes the sources ...
unethical_ban 1 days ago [-]
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
MaKey 19 hours ago [-]
> If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase [...]
I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
dolmen 23 hours ago [-]
As long as you continue to use (and upgrade) the Bitwarden client apps, you should consider that BW could have the keys of your garden: they have control of decryption and encryption code, so that code could leak the key, whatever the server.
renegade-otter 1 days ago [-]
I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.
buggeryorkshire 1 days ago [-]
I don't think the clients are open source?
zeroonetwothree 1 days ago [-]
I don’t understand why people post incorrect statements that are trivial to check
mctt 1 days ago [-]
From the article:
"The real safety net is that Bitwarden’s clients are Apache 2.0 licensed."
Thank you for this post/link. I have been side eyeing Bitwarden since they started ensh*ttifying the desktop UX last year to make it more like everything else and take up too much space. It had been working perfectly well for browser autofill - super fast and staying out of the way. Now it is bloated white space, slow, standardized UX elements like any SaaS built by AI. Will check out Vaultwarden, Proton Pass, Keepass, I guess. But sadly - yet another tool that worked perfectly well that was ruined in contempt of its own users (LastPass, Authy, Google Reader, etc - the list goes on)
Refreeze5224 22 hours ago [-]
As mentioned, enshittifying doesn't mean "make shitty" or "make worse". It's a specific exploitative company MO, like taking a product like Bitwarden and the goodwill it's generated with open source contributions, free plans, etc., and exploiting that trust by selling it to private equity, unbeknownst to the users, in order to squeeze the most out of it they can and then scrap it.
avhception 14 hours ago [-]
I agree with you that "enshittification" has a more specific meaning than just "make worse". Yet, the enshittification of Windows doesn't really follow the mold you described, even though I'd also call it enshittification.
modriano 7 hours ago [-]
MSFT is the GOAT of enshittification, and Windows is a pretty fine example of that. The OS literally comes showing you ads by default.
radley 13 hours ago [-]
I'm pretty sure enshittification applies to other methods. Adding ads to smart devices after purchase is a very common example.
zeroonetwothree 1 days ago [-]
I really don’t think a UI redesign is the intended meaning of enshittification. BW has had by far the best free option for password management since I started using them 8 years ago.
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
varbhat 1 days ago [-]
I have moved to KeepassXC[1] on my desktop from Bitwarden. On phone, I use KeepassDX[2], which is an Android client compatible with KeepassXC. On browser, I use the KeepassXC Browser extension which connects with the desktop client. Since KeepassXC operates on a single file, you can use any filesystem syncing tool to sync that file between devices or to store it in the cloud. I am really happy with the move.
The file syncing, particularly between Android phone and multiple desktop machines, is my biggest worry with this workflow. Will the synced Keepass file get corrupted if I add a new password on the phone and also on desktop, and then later try to merge them?
rmadriz 21 hours ago [-]
Been using this setup for many years and never had any problem at all. I sync between desktop and mobile with Syncthing[0]. You can configure Syncthing to do file versioning, it has many options (Trash Can, Simple, Staggered or External file versioning) so if some weird conflict happens you'll never lose data. But honestly, I have never had any issues, and I have been running this setup for many years. So I'm sure I have run into all kind of edge cases and it just works.
As a side note, Syncthing is an amazing piece of software. I sync everything from my other devices into a central PC and from there I do the backups.
No, KeepassXC has an option to merge databases, it never caused me any trouble. I have a similar setup to parent commenter.
4k93n2 13 hours ago [-]
I'm using pretty much the same setup myself.
Just to mention an alternative method for anyone that doesn't know: KeePass also has a feature called 'autotype' where the desktop program can send keystrokes to fill in password fields.
The benefit of this over the browser extension is that there is no connection between your browser and your KeePass vault.
It's also handy for filling in passwords in desktop programs or even a terminal.
One downside is that you won't be able to have passwords automatically filled in as you're browsing. You need to press a hotkey, but I would consider this to be more of a good security feature to cut out any chance of your browser autofilling any hidden password fields.
There is still a browser extension that I use that adds the URL to the titlebar of the browser, which makes it easier for the autotype dialog to show the correct logins from your vault.
That's how I use it. The less browser extensions, the better.
brownpapercat 1 days ago [-]
Recently moved to a KeePass setup after 1Password raised their prices. Feels good to be in complete control.
plutokras 1 days ago [-]
This is my exact plan too, if I ever have to leave the Apple ecosystem.
Suffocate5100 23 hours ago [-]
KeePassXC is cross-platform FYI
dangus 1 days ago [-]
KeePass is such a backwards step in usability and features that I don’t even consider it a competitor. The whole reason I moved to 1Password was to get away from how easy it was to accidentally lose data with the KeePass clients.
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
baal80spam 12 hours ago [-]
You are right that 1Password is probably the best overall product in this space. It's non-free though, which for me is a deal breaker.
kjuulh 22 hours ago [-]
At this point it is too high of a risk to store my password elsewhere. I've been screwed over by dashlane, lastpass, potentially bitwarden now, I am with 1password now, but I've had my passwords in all these places, and I've had to change them each time, probably missing a few.
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a selfhosted keepass server, with the rugpulls, incidents, and whatnot, it is becoming too high of a risk.
thewebguyd 22 hours ago [-]
Keepass has been my go to since forever, highly recommend. I never jumped on the SaaS password manager train when they started coming out, always just kept it local. There were times I thought I was missing out on some convenience but I'm glad I never moved.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
l72 20 hours ago [-]
I’ve found being able to share passwords with my spouse very valuable which we couldn’t easily do with keepass. Also the syncing strategy on iOS is a disaster and corrupted my wife’s keepass db causing her to lose everything.
lanfeust6 18 hours ago [-]
Is there reasonably priced cloud storage for this use-case? Their offerings are usually for several gigs of data, a kdbx is minuscule
baal80spam 12 hours ago [-]
In theory, you can just use a public (free) github repo for this.
advisedwang 22 hours ago [-]
keepass files + syncthing works very nicely for me.
For non-technical people, I just recommend using the browser's built-in password manager. taviso has a good writeup on why: https://lock.cmpxchg8b.com/passmgrs.html
hannofcart 16 hours ago [-]
I was doing this too until recently.
The problem with this setup is more at Syncthing.
More specifically, Syncthing Android app has seen some troubling changes in maintainers.
The latest maintainer has a very sparse Github profile and an AI generated avatar, so I noped out of installing it right then.
advisedwang 6 hours ago [-]
Previously I used keepass + drive. That also works well (I just wanted to avoid storing my password db in the cloud for multiple reasons).
ngruhn 17 hours ago [-]
Serious question: what's wrong with just using Firefox's built-in password manager?
cryptos 13 hours ago [-]
It is limited to ... well ... Firefox! Sometimes you need passwords elsewhere. Besides that, Firefox (or other browser password managers) doesn't support more advanced use cases like shared vaults.
radley 13 hours ago [-]
If you only need to manage online passwords, only use Firefox, and aren't using an iOS device, then it's probably fine. But most people may also need to use native apps, other browsers, and iOS devices.
ngruhn 3 hours ago [-]
You can absolutely access firefox passwords from any iOS app. You can even configure it as the default password app.
dpacmittal 13 hours ago [-]
For the same reasons, I imported all my passwords to Firefox and I'm satisfied with it. I have the option to self host if I don't trust Mozilla
_karie_ 11 hours ago [-]
Any malware or LLM with user-level filesystem access can attack the outdated KDF [1] and/or wait for Firefox to be running with an unlocked credential store and read the decrypted passwords from Firefox's process memory.
Isn't it game over anyway once you have an adversary on your system capable of reading process memory?
ozten 22 hours ago [-]
How were you screwed over by these products?
kjuulh 22 hours ago [-]
Rug-pulls, security incidents, lost passwords, I also don't know if they've kept my passwords behind when I deleted my accounts. The risk of them having them is too high, so I had to swap all of them.
ozten 20 hours ago [-]
Interesting! I've been a LastPass and then 1Password user since 2009ish.
I left LastPass because of UX paper-cuts, but I've never lost passwords on either of them.
Honestly, it's something I don't want to think about and just need it to work on mobile and desktop, so the switching friction is very high for me. I'm not going to shop around and try different password managers.
Is "rug pull" a cost thing? I'm generally frugal, but pay for a family plan and don't think twice.
cheriot 20 hours ago [-]
Wild to me that Bitwarden raised > $100m from VC. Seems like the kind of thing that would make a nice lifestyle business.
The enterprise version never went beyond password management so I'm not sure how this could have generated a viable ROI.
DANmode 15 hours ago [-]
> Seems like the kind of thing that would make a nice lifestyle business.
Don’t see too much of this talk around the comments, anymore!
If you’re seeing this comment:
Are lifestyle businesses on your radar?
Please do share.
rafterydj 4 hours ago [-]
Maybe this is me being a little wet behind the ears, but I don't know if lifestyle businesses are really possible to start at the moment, given the uncertainty of the current software sector.
The economics of software creation is changing, so it stands to reason how people engage with software will change too. Finding a niche may be a game of luck more than observation/perspiration at this stage, similar to discovering oil on your "barren" property rather than building a farm. As someone who's generally independent, though: I'd love to be wrong here!
DANmode 2 hours ago [-]
I’m betting the farm that you are =]
Your accountant will be configuring their own work software.
Your project manager will be developing their own work software.
Custodians will not necessarily be developing work software.
Most non-tech desk-staff start to lose focus after the fifth reply on a social media thread…
I do not believe they’re going to be able to perform the three required steps for building software solutions:
1. Know what you need (vs want).
2. Know how to ask for it.
3. Have a process for validating it.
I also don’t think it gets too much simpler than Docker et al for self-hosting, yet those concepts are genuinely a foreign language to even “tech-savvy” consumers.
I think we’re in a bubble, here,
and I am personally betting on one niche (of many) where value ($$$$) is still placed upon having another team to outsource responsibility to.
Responsibility for keeping an important tool up-to-date, keeping it able to capture data,
and most importantly: rigorously tested to ensure it’ll perform calculations correctly.
Responsibility for peak tooling, so a busy end-user can stay responsible for their craft without taking a sabbatical to build software is not going anywhere.
Whether these “peak tools” will be (validated, packaged, delivered to the user, maintained) by me,
or OpenAI/Anthropic instant-agents in 10 years,
is what I believe we should be watching.
evanjrowley 1 days ago [-]
Lately I've been scrutinizing Bitwarden after discovering a long history of memory leak problems in the GitHub issue tracker. It's an extension I use with all of my browsers. It seems to use an unusually high amount of RAM on Safari and I suspect it's why RAM just never stops growing in MS Edge.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find a suitable FOSS-friendly alternative.
Centigonal 19 hours ago [-]
Thankful for people like the author who surveil tech companies that take this well-worn path toward greater monetization
waysa 1 days ago [-]
It still says "Always free" on the website for me. It's both on the billing page and on the page linked in the article.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
misswaterfairy 1 days ago [-]
> It still says "Always free" on the website for me. It's both on the billing page and on the page linked in the article.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, that's weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
zeroonetwothree 1 days ago [-]
The placement at the bottom of pricing is always where it was. Nothing has changed
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
zeroonetwothree 1 days ago [-]
They mentioned in an update that they accidentally removed “always free” text during a website update and put it back quickly. Seems the article was written in the intervening period
dust-jacket 1 days ago [-]
Ah damn. I've only recently moved in to Bitwarden - paid - largely on the basis of a multiple-user shared vault and emergency grants to personal vaults.
I'd really, really like them to not ruin it or make it massively more expensive.
Havoc 1 days ago [-]
After the LastPass fiasco I switched to selfhosting a password manager (bw).
Rapidly starting to think even a vibecoded solution may be a better plan than relying on commercial options. High risk of "don't roll your own crypto" mistakes, but realistically that's not the threat model here anymore for the random individual. It's online breaches or perhaps a wrench attack, not a highly skilled crypto adversary. Plus there are probably ready-made crypto modules so it wouldn't be a true handroll.
LetsGetTechnicl 1 days ago [-]
Vibecoding a password manager might be the worst idea ever. You'd be better off with an encrypted Excel sheet. But otherwise, 1Password is great imo and there are other free open source password managers.
Someone1234 1 days ago [-]
People mock Excel's encryption, mostly based on the outdated binary format's "encryption" (which admittedly was a joke). Modern Excel is actually legitimately secure, it uses PBKDF2 (5K rounds) to hash the user's password then AES-256 for the actual encryption.
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
manwe150 1 days ago [-]
Actual password managers (eg not my old excel sheet) protect you against url doppelgänger and related phishing attacks, as well as incidentally discourage password reuse. 1Password can even now warn you if you try to paste into the wrong website (https://support.1password.com/browser-autofill-security/)
Havoc 21 hours ago [-]
>Vibecoding a password manager might be the worst idea ever.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically...nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their hn password. That's if you can even get to it - selfhosted password managers are usually on LAN/behind vpn.
Risk-profile-wise the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on its back.
The crypto part barely moves the needle here.
LetsGetTechnicl 4 hours ago [-]
Part of it being a bad idea imo is just that it's wasteful to vibe code something that already exists and works well. But I guess that's my attitude to a lot of this AI hype.
bronlund 15 hours ago [-]
Yeah, I'm thinking the same thing - wondering if security-by-obscurity may compensate for some lack of quality.
schnitzelstoat 1 days ago [-]
The LLMs also help a script kiddie become a highly skilled crypto adversary though.
Especially if the concerns around Mythos are well founded.
ptdorf 1 days ago [-]
I wouldn't worry.
The mythical Mythos can't even find Claude code bugs before releases.
Havoc 1 days ago [-]
True. No chance of me putting a DIY password manager on the open internet though. Would be behind WireGuard etc
ViAchKoN 1 days ago [-]
I don't think concerns around Mythos are well founded. Highly doubt it will happen.
krupan 1 days ago [-]
The concerns around Mythos are not well founded
Cyan488 4 hours ago [-]
> A 2022 blog post by Crandell — “Defining and sustaining value for Bitwarden users” — was quietly edited. The GRIT list in the body now shows the new values: Innovation and Trust.
You can assume incompetence for some things ("gosh I really didn't know I should communicate organizational changes more clearly!"), but re-writing history is a deliberate and conscious act of deception.
bergheim 1 days ago [-]
> That’s not a software guy who happened to raise some money. That’s someone whose stated specialty is the PE integration and exit process.
Holy smokes, has "that's not just -> THAT IS" become one of my trigger words.
ffsm8 1 days ago [-]
It's almost certainly ai written though. All the regular tells are there... Though he likely edited some out, like that "just"
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
bergheim 1 days ago [-]
Correct, that was my point
ffsm8 15 hours ago [-]
I see, I actually like these tells. It lets us easily distinguish garbage from someone's thoughts.
And you can also see how brainrotten someone's gotten when they start accidentally sneaking in these tells into their normal communication.
As a matter of fact, after a full workday in which I'm essentially forced to read LLM garbage for 9h a day... I sadly notice myself adding the same fluff pointlessness to how I express myself.
like I caught a viral contagion that's actively siphoning my humanity away.
And expectedly, when coming back to those opinions with a less infected mindset, I frequently have to reevaluate these thoughts later on
danparsonson 22 hours ago [-]
Do we need to keep pointing this out though? LLMs are not going anywhere any time soon and people will keep using them to generate articles.
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
novok 15 hours ago [-]
Yes we do, continue keeping it a faux pas to reduce the over verbose LLM speak put elsewhere and ask people to just share the original prompt and save us all time. Label your LLM usage to respect other people's time.
HomeDeLaPot 16 hours ago [-]
I guess for me, blatant LLM style reminds me of LinkedIn-speak. Both are distracting and come across as fake. Somehow it's more interesting to read something in another human's unique style than to read something that's obviously been passed through a filter.
kn100 1 days ago [-]
Good post. I switched from Bitwarden to KeepassXC / KeepassDX / Syncthing across my Android phone, Linux PC, and Windows PC. This was the setup I had prior to using Bitwarden for the first time. The Keepass experience is significantly better these days! Importing from Bitwarden is trivial too. Recommended!
flanbiscuit 1 days ago [-]
I was using this but when I switched to iOS I switched to Bitwarden.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn't run in the background. This is what made me finally switch to Bitwarden. But of course now I need to figure out what to do next.
Keeblo 1 days ago [-]
I have had an excellent experience with Sushitrain/Synctrain on iOS [0]. It's honestly the nicest Syncthing client I've used, although to be fair desktop-oriented clients have different design goals than mobile clients.
As long as the house doesn't catch fire, or as long as I run outside with 1 of my Syncthing devices (have several), local cloud is the best.
red369 13 hours ago [-]
Can I ask questions about your setup? I don't intend to grill you on it or pick it apart - I would like to go down this route further, but find myself gradually moving away from it. I switched from Keepass to Bitwarden in 2020, knowing it was just a move towards convenience.
I suppose you realised you could protect against the scenario where you run outside without any devices, by just having a copy of the encrypted data sent to some cloud service, e.g. iCloud/OneDrive/Google Drive, but decided you couldn't trust any?
I know everyone's threat models are different, but I'm still curious to know your thoughts. There's no one you would trust with an encrypted copy?
Do you have any automated backup of your phone to a cloud service, or only local? If a cloud service, do you make sure it excludes your password manager? If no cloud backup, then do you make sure you have a copy of your data outside the house?
I have incomplete thoughts about the robustness of my password/OTP code backups. It is the 2-factor codes, which one day in the distant future, when I am overseas holding a new replacement for a lost phone, looking at the text "Enter the 6‑digit verification code", I will wish I'd thought about more carefully.
kennywinker 1 days ago [-]
Which variant of keepass tho?
bodge5000 23 hours ago [-]
I could quite easily ignore all this in the interest of not going through the pain of finding yet another password manager, but having your new CEO specialise in M&A is really hard to ignore.
dd8601fn 1 days ago [-]
It does seem like most password managers have no moat for import/export, so I’m kinda banking on the idea that I can quickly migrate to Proton Pass or vaultwarden if things get ugly.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
nine_k 1 days ago [-]
Does Proton Pass use a wireguard tunnel? Or does Bitwarden? TLS should suffice.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
dd8601fn 1 days ago [-]
Those at least have people whose literal jobs are to protect that stuff. The service, the clients, the transport, the environments, etc. That’s what I don’t have if I self host.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
RyJones 1 days ago [-]
Thank you for pushing me to migrate away from Bitwarden. I've used them for years but I was moving away slowly; now I've moved.
nemomarx 1 days ago [-]
Out of interest, where are you moving?
RyJones 1 days ago [-]
Apple's passwords app. It's what I use almost everywhere. I use 1password for work but I'd prefer not to mix work and personal life.
oarsinsync 1 days ago [-]
1Password for Business accounts all get an additional 1Password for Families license (5 seats), so you can absolutely keep your work and personal life separate.
Goofy_Coyote 23 hours ago [-]
What happens when you leave that business account? (e.g. change jobs, leave the company, get acquired and consolidate etc)
1123581321 14 hours ago [-]
You keep your personal account, but it goes into either a read-only or trial mode until you subscribe or connect another free account source. You can export everything out if you want to switch to a different tool.
red369 13 hours ago [-]
I have been considering this since Apple Passwords implemented a way to export. I've just seen that the iPhone Passwords app has an export to another app you have installed on your phone, but I previously tested the export from Safari method.
I realise that this is moving even more of my eggs into Apple's basket, and even further from self-reliance towards convenience, but today it doesn't seem significantly worse to just trust Apple with this, than Bitwarden.
But isn't it a pain to use those passwords on any other non-Apple device? Am I missing something, or is that just not an issue for your use-case? Ah! I've just learned/relearned about iCloud Passwords through iCloud for Windows, but nothing for Linux?
RyJones 11 hours ago [-]
For my Linux machines, I'm almost always coming to them via SSH or proxmox console. I started with Unix in like 85 or 86 and live on the command line when I can.
jillesvangurp 1 days ago [-]
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iPhone and iPad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
vitally3643 1 days ago [-]
Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of users' data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
andrewaylett 10 hours ago [-]
This does depend somewhat on your risk profile. For many folk it's pretty decent: you need to guard against online attacks, so keeping your passwords offline gives them excellent security. If you need to protect yourself against family members, it's not so good — and it also doesn't provide the level of phishing protection that an online password manager offers.
pocksuppet 1 days ago [-]
How did we as an industry go from "Passwords in notebooks are insecure, use a password manager" full circle back to "Password managers are insecure, write your passwords in notebooks"?
6AA4FD 23 hours ago [-]
There has always been more nuance. The notebook is basically air gapped, but since using it is painful, most will rely on shorter, simpler, passwords and reuse them. That practice is highly insecure and was even more problematic in the days before widespread 2FA on the more crucial online services. As a teen I could have had for instance blizzard get breached and collaterally lose all of my csgo skins.
baal80spam 12 hours ago [-]
> Passwords in a notebook are arguably the most secure option.
Definitely not the most secure option, as it breaks 3-2-1 backup rule.
krupan 1 days ago [-]
KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use than other password managers once you set it up
jillesvangurp 13 hours ago [-]
Syncthing is pretty much a non starter in its current form. I use it myself. But it's one of those things that is too hard to figure out for normal users. And with the discontinued/half-assed support for mobile, it's just not great.
Too bad, because it's one of those things that could be great but just isn't in its current form.
kreyenborgi 1 days ago [-]
Ehh.. much as I love syncthing, I wouldn't recommend it to nontechnical people. I mean, here the dad has Android, the mom iPhone, and they want to sync a keepass file? Maybe with a browser addon on a desktop as well? And the most popular third party Android app is discontinued (I use the nerdily named syncthing-fork) and the iOS apps I never managed to get to work for my family (maybe sushitrain works now?). But if you live close to parents I guess it can work. This kind of software can be good for social cohesion and less isolation =P
mianos 21 hours ago [-]
I use keepass and have for years and I wanted to switch from using google drive to something more self hosted so I tried sync-thing. I have been a C and C++ developer for over 40 years and I found it one of the most obtuse things I have ever tried. I'll have to get back to it. :) It's still running but somehow never syncs a single file between the desktop and the linux server. I don't think the android client can run on a modern pixel phone anyway anymore due to security constraints.
krupan 20 hours ago [-]
Syncthing-fork is running perfectly fine on my Pixel 9. The web interface is definitely better than the default app interface, it's a shame they even bothered with that app interface.
All you have to do is exchange "keys" with the two machines you want to sync and then it's mostly set and forget
jp191919 1 days ago [-]
I switched from KeepassXC and KeepassDX to Vaultwarden, primarily to make it easier to get family members to transition to using password managers.
TheCapeGreek 13 hours ago [-]
There is one underrated feature that I switched to Bitwarden for, away from KeePass: the emergency contact access. You can designate contacts that can request access to your account. If you don't deny the request within a time frame, they are granted access.
So much of our lives is now digital. Important accounts of all kinds, banking, etc.
Waiting on several giant corps to grant your loved ones access after they go through the bureaucratic hole of documentation is... rough.
Putting my master password in my will feels the same as just writing it on a note on my desk. Putting it in a note in a safety deposit box is high effort and cost.
Anyone got a better alternative way to set this up if self-hosting and not going with Vaultwarden?
306bobby 7 hours ago [-]
Any reason not to go with vaultwarden? It is pretty feature-parity with normal Bitwarden, up to and including the emergency access stuff
welder 1 days ago [-]
I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
giancarlostoro 1 days ago [-]
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe it's been around a while, and is still maintained.
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
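One thing a daily borg job on the data directory can miss: Vaultwarden's default store is a SQLite file, and archiving db.sqlite3 while the server is writing can capture a half-written page that only shows up as corruption when you restore. The script below is an added example, not Vaultwarden's own tooling and not the guide discussed elsewhere in this thread. It takes the database through SQLite's online backup API, copies the rest of the data directory, writes a hash manifest, and then does the restore drill the thread keeps recommending: restore to scratch, re-hash, and run integrity_check. The snapshot directory is what you point borg at. It assumes the default layout (db.sqlite3, rsa_key.pem, config.json, attachments/, sends/); the demo data is constructed and contains no real vault content.

```python
"""Consistent backup plus restore drill for a self-hosted Vaultwarden data directory.

Added example; it is not Vaultwarden's own tooling or the guide discussed in
the thread. It assumes the default data layout: DATA_DIR/db.sqlite3 (the
SQLite database), rsa_key.pem, config.json, and the attachments/ and sends/
subdirectories. Copying db.sqlite3 while the server is running can capture a
half-written page, so the database is copied through SQLite's online backup
API instead; the snapshot directory is what you hand to borg (or any other
archiver). The demo data is constructed and contains no real vault content.
"""
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

EXTRA_FILES = ("rsa_key.pem", "config.json")
EXTRA_DIRS = ("attachments", "sends")
MANIFEST = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(data_dir: Path, dest: Path) -> dict:
    """Copy data_dir into dest with a consistent DB image; return {relative path: sha256}."""
    dest.mkdir(parents=True, exist_ok=True)
    src = sqlite3.connect(data_dir / "db.sqlite3")
    dst = sqlite3.connect(dest / "db.sqlite3")
    src.backup(dst)  # page-by-page copy taken under SQLite's own locking
    dst.close()
    src.close()
    for name in EXTRA_FILES:
        if (data_dir / name).is_file():
            shutil.copy2(data_dir / name, dest / name)
    for name in EXTRA_DIRS:
        if (data_dir / name).is_dir():
            shutil.copytree(data_dir / name, dest / name, dirs_exist_ok=True)
    # A hash manifest lets the restore drill prove nothing rotted or was altered in storage.
    manifest = {p.relative_to(dest).as_posix(): sha256_file(p) for p in dest.rglob("*") if p.is_file()}
    (dest / MANIFEST).write_text("".join(f"{d}  {n}\n" for n, d in sorted(manifest.items())))
    return manifest


def restore_drill(backup_dir: Path) -> dict:
    """Restore into a scratch dir, re-hash every file, and run SQLite's integrity_check."""
    expected = {}
    for line in (backup_dir / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    scratch = Path(tempfile.mkdtemp(prefix="vw-restore-"))
    try:
        shutil.copytree(backup_dir, scratch, dirs_exist_ok=True)
        mismatched = sorted(n for n, d in expected.items() if sha256_file(scratch / n) != d)
        conn = sqlite3.connect(scratch / "db.sqlite3")
        integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        conn.close()
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return {"ok": integrity == "ok" and not mismatched,
            "integrity": integrity, "mismatched": mismatched, "tables": tables}


def demo() -> dict:
    """Round trip on a constructed data dir, then tamper with the stored copy to show detection."""
    root = Path(tempfile.mkdtemp(prefix="vw-demo-"))
    data, backup = root / "data", root / "backup"
    (data / "attachments").mkdir(parents=True)
    conn = sqlite3.connect(data / "db.sqlite3")
    conn.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('u1', 'alice@example.com')")
    conn.commit()
    conn.close()
    (data / "rsa_key.pem").write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    (data / "attachments" / "a1.bin").write_bytes(b"\x00" * 64)
    manifest = snapshot(data, backup)
    clean = restore_drill(backup)
    (backup / "attachments" / "a1.bin").write_bytes(b"\x00" * 63 + b"\x01")
    tampered = restore_drill(backup)
    shutil.rmtree(root, ignore_errors=True)
    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Run the drill from cron on the most recent archive, not just once after setup; a backup you have not restored this month is a hypothesis. Note that rsa_key.pem is part of the set: it signs the login tokens, and a restore without it logs every client out.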
JimBlackwood 1 days ago [-]
I’ve used Vaultwarden for at least 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security.
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
tacticalturtle 18 hours ago [-]
I’m not an expert with web sockets or web development - but re: Get Params, Vaultwarden has to follow the API of the upstream Bitwarden implementation:
Requiring a reverse proxy for TLS is pretty standard, but the rest of those findings are egregious (if they haven't been addressed yet.)
akerl_ 9 hours ago [-]
The part I found jarring was that it will totally do TLS for you but using a TLS stack they don’t recommend, and if you put it behind a reverse proxy you also need to know to do custom log redaction to avoid logging tokens.
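Putting a number on the log-redaction point: a proxy that logs the full request line will write any token carried in a query string to disk, and those lines then travel into whatever ships or searches the logs. The script below is an added example, not from the thread and not part of Vaultwarden. It strips the values of secret-named query parameters from combined-format access-log lines and flags lines that still carry one. The parameter list and the sample lines are constructed for the example; the notifications-hub path is used because that is where Bitwarden clients pass the session token as a query parameter.

```python
"""Redact credential-bearing query strings from reverse-proxy access logs.

Added example, not from the thread and not part of Vaultwarden. Some
Bitwarden API calls pass the session's bearer token as a URL query parameter
(the notifications hub is the usual case), so a proxy that logs the whole
request line writes vault-session tokens to disk. This strips those values
before the line is stored or shipped, and flags lines that still carry one.
The log format is nginx/Apache combined; the parameter list and the sample
lines are constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as secrets (assumed list; extend for your deployment).
SECRET_PARAMS = {"access_token", "token", "code", "key", "id_token", "refresh_token"}

# The request-line field of a combined-format log entry: "GET /path?x=y HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')


def redact_target(target: str) -> str:
    """Replace the value of every secret-named query parameter with [REDACTED]."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    cleaned = [(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def redact_line(line: str) -> str:
    """Rewrite one access-log line; lines without a request-line field pass through unchanged."""
    return REQUEST_LINE.sub(
        lambda m: f'"{m["method"]} {redact_target(m["target"])} {m["proto"]}"', line)


def contains_secret(line: str) -> bool:
    """Detection side: True if the line still carries a secret-named parameter with a live value."""
    m = REQUEST_LINE.search(line)
    if not m:
        return False
    return any(k.lower() in SECRET_PARAMS and v not in ("", "[REDACTED]")
               for k, v in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True))


def redact_log(lines):
    """Redact a whole log and report how many lines were changed."""
    out = [redact_line(l) for l in lines]
    return out, sum(1 for a, b in zip(lines, out) if a != b)


# Constructed sample lines (not captured from a real server). The token is a dummy.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /notifications/hub?access_token=eyJhbGciOi.ZHVtbXk.c2ln HTTP/1.1" 101 0',
    '10.0.0.5 - - [01/Jan/2025:12:00:01 +0000] "POST /identity/connect/token HTTP/1.1" 200 1342',
    '10.0.0.5 - - [01/Jan/2025:12:00:02 +0000] "GET /api/sync?excludeDomains=true HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG)[0]:
        print(line)
```

This is the after-the-fact fix. The better one is to not log the query string at all: in nginx, a log_format built on `$uri` rather than `$request` omits the arguments, and the contains_secret check then becomes the detection you run over whatever logs were written before the change.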
harrall 17 hours ago [-]
Those problems are endemic to all web apps.
e.g. You can’t just provide software to people that obtains TLS certs on their behalf: you have no idea how their infra is setup.
Hosting any app on your own infra is a serious skill set.
akerl_ 9 hours ago [-]
> Those problems are endemic to all web apps.
No, they’re not.
They’re design choices where the default that has been chosen is dangerous for somebody deploying the software. Plenty of web apps do not have those pitfalls.
zx8080 19 hours ago [-]
Since it's authored by the vaultwarden collaborators, I would not trust the project any bit of my passwords.
EvanAnderson 1 days ago [-]
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
void-star 21 hours ago [-]
I have my vaultwarden running on a container on my home-lab server accessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this)
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
msdz 5 hours ago [-]
What would happen if you lost access to phone and laptop? Is there another "backup" device, or a mechanism to register a new device to your Tailscale network that doesn't require vaultwarden?
rpcope1 16 hours ago [-]
I've got it running in an LXC container. Other than occasionally updating it, it's been entirely trouble free (I did need to work to get it out of the Docker container but that's a problem most won't have). Honestly one of the most useful and low trouble self-hosted apps I've used next to Dokuwiki. As far as hardening, I have not done a huge amount, but it lives on my LAN and is only reachable via VPN from the outside, which again works surprisingly well even with my Android phone.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
cobertos 1 days ago [-]
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
xienze 23 hours ago [-]
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
ibizaman 22 hours ago [-]
When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden.
danparsonson 22 hours ago [-]
Mobile wireguard clients are very good as a solution to the access problem.
hypeatei 1 days ago [-]
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
Snow_Falls 1 days ago [-]
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
l72 21 hours ago [-]
It’s a bad strategy. I am capable so I host an instance of vaultwarden for myself and spouse (only available via our vpn)
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
giancarlostoro 1 days ago [-]
Kind of makes a lot of sense that they wound up working there too.
akerl_ 21 hours ago [-]
The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating.
wolvoleo 17 hours ago [-]
I think that term refers more to the conflict of interest that now exists.
PunchyHamster 22 hours ago [-]
I touched it never aside from updates and it never failed. I compiled it from sources tho
thesuitonym 1 days ago [-]
It's as reliable as you make it.
vovavili 17 hours ago [-]
No matter where Bitwarden ends up, passwords are one of these few things I am very hesitant to self-host. The stakes are just too high, and my knowledge of security has too many unknown unknowns to take that risk.
afavour 22 hours ago [-]
Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming.
danielmeskin 22 hours ago [-]
It is still maintained, but I believe the maintainer is employed by Bitwarden now, and is working on projects in addition to Vaultwarden.
pocksuppet 1 days ago [-]
Is there an alternative frontend as well, or are you still locked in?
void-star 21 hours ago [-]
https://github.com/doy/rbw Is an alternative Bitwarden cli front end. Probably has plenty of scaffolding to build a GUI frontend based on it.
Edit: Just a bit of googling turned up these as well.
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
fluidcruft 19 hours ago [-]
Better question is how difficult would it be to have keypass use vaultwarden for sync.
backscratches 24 hours ago [-]
Their android app at least is open source and available on their own f-droid repo
SilverElfin 19 hours ago [-]
How do you trust that it will be kept maintained and secure?
WesolyKubeczek 22 hours ago [-]
Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling taking custom server address away with important security fixes, in a way that you are damned if you do and damned if you don't.
PunchyHamster 22 hours ago [-]
Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it.
j16sdiz 1 days ago [-]
+1
I am a paid subscriber. I am kind of ok with the price increase.
The "coincidence" with the change of CEO and removal of the "always free" tag worries me though.
jnovek 1 days ago [-]
I just sent them a message along these lines.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
bglusman 1 days ago [-]
It is really easy to self-host, and do so securely...
jnovek 1 days ago [-]
I’m not buying hosting from a password manager, I’m buying security. I don’t have complete confidence that I can secure a self-hosted password manager and it’s not an area where I want to take risks.
xienze 23 hours ago [-]
It's very simple, just don't make it accessible outside your home network. Clients sync when the server is accessible and use last synced data otherwise.
gherkinnn 22 hours ago [-]
The effort required to set this up far outweighs the price to pay someone to do it for me.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
rmunn 17 hours ago [-]
Tailscale for your laptop, phone, etc. to be able to talk to the other computers when away from your home WiFi. (Optional, but makes syncing easier).
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
It's really not much effort.
l72 21 hours ago [-]
I mean does it? I have set it up before but I just set it up for my new small office team. I already had an internal server and WireGuard vpn in our office and it took 2 minutes to create a quadlet to run vaultwarden and a few more to configure it. The “hardest” part was training the team on how to use collections.
chatmasta 23 hours ago [-]
Give it less than one financial quarter and I guarantee the website will be about “identity for AI agents.”
chancek 24 hours ago [-]
Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.
drzaiusx11 17 hours ago [-]
I'm so fucking tired of jumping ship with these password vault providers. This will be my third jump in as many years.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now. I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshittification knows no bounds?
jamiek88 22 hours ago [-]
Can anyone name a PE purchase that made a company better?
IG_Semmelweiss 18 hours ago [-]
in my humble opinion, Dominos ?
0x262d 1 days ago [-]
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
Barrin92 23 hours ago [-]
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
zeroonetwothree 1 days ago [-]
Bitwarden hasn’t “enshittified” anything. It’s all entirely speculative
degamad 17 hours ago [-]
Red flags are always speculative.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
overgard 18 hours ago [-]
PE's entire modus operandi is enshittification. If there's no enshittification to be done there would be no point in purchasing the company
jnovek 1 days ago [-]
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
zzleeper 23 hours ago [-]
Same. Whenever I see a PE acquisition, I immediately shift my purchases (eg namecheap last year)
evolve2k 24 hours ago [-]
It has already enshittified. These changes are text book.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
trinsic2 24 hours ago [-]
Looks pretty bad regardless of speculation. There are enough red flags to warrant actions and to consider this another enshittification.
mixologic 1 days ago [-]
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you cant just burn up VC money forever.
smallmancontrov 1 days ago [-]
Does a bear shit in the woods?
wafflemaker 23 hours ago [-]
Interesting, where are you from? Where does this proverb come from?
I know this proverb as (translating from Polish):
You're asking the boar if he's shitting in the forest.
chuckadams 20 hours ago [-]
It's an extremely common phrase in the US, along with "Is the Pope Catholic?" Sometimes the two phrases are humorously mixed together.
alluro2 18 hours ago [-]
I've never heard it mixed (not from US)...
"Is bear a Catholic?" doesn't seem very funny.
But a notion that everyone knows how Pope is regularly shitting in the woods absolutely is :)
Jailbird 17 hours ago [-]
We say "are bears Catholic?" when in more polite company and we can't get away with asking if the Pope shits in the woods :)
smallmancontrov 6 hours ago [-]
I don't know if it is exactly the same proverb -- it isn't about objecting to the bear (or boar) shitting in the woods, it is about our ability to infer that the bear shits in the woods even if we have never seen it happen. We know the bear shits, we know the bear lives in the woods, even people who have lived in the city their entire life and have never seen bear shit can infer that the bear shits in the woods.
In context, my intended meaning was that software enshittification works the same way: we don't have to see a particular private equity firm enshittify a particular piece of software to know that they do enshittify software, just as we do not have to see a bear shit in the woods to know that the bear does shit in the woods.
hobonation 1 days ago [-]
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turnips.
throawayonthe 1 days ago [-]
uh, by DRM you mean Digital Radio Mondiale[0], an open digital radio broadcasting standard? sure analog receivers won't work, but hardly a rugpull lol
Yeah? That has to be the worst possible acronym for an open thing.
pessimizer 1 days ago [-]
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger examples to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
throwawayq3423 1 days ago [-]
I jumped to Bitwarden because of 1P's new pricing doing exactly that.
Circle of life, I guess.
void-star 20 hours ago [-]
Me too precisely. But after getting acclimated to a self hosted vaultwarden for the backend and beginning to explore some of the 3rd party Bitwarden frontends that implement its API, I’d recommend hanging in there a bit longer. I think there may be a moat around BW already for self-hosting.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
adfm 1 days ago [-]
PE? Private Equity is the slippery slope to Public Enshittification.
baggachipz 24 hours ago [-]
Say what you will, but the Apple ecosystem's Passwords app and integration works great. It locks me into their services (iCloud), but I don't see them ever charging for it or sunsetting it. (watch me eat my words in the near future)
moepstar 23 hours ago [-]
Password App surely is a good alternative, however i don’t think there are clients for Linux or Windows? …and that is where Bit/Vaultwarden comes into play.
ZekeSulastin 16 hours ago [-]
I can't speak for Linux, but it's now part of their iCloud for Windows suite with browser access via extension[1]. Exporting from Bitwarden to Passwords (on an iPhone at least) is (as of this post) a simple Export Vault operation, but non-passwords/passkeys are not supported.
Google's is even better, as it is cross-platform (although same caveat of having even more dependency on your account is still true). Plus (not sure about Apple) but Google also does (portable) passkeys and OTP.
baggachipz 22 hours ago [-]
Apple does portable passkeys and OTP as well. I know you're going to laugh at me since I'm using Apple, but I don't trust Google with anything. Apple at least pretends to care about keeping my information in-house.
Postosuchus 19 hours ago [-]
I'm not gonna laugh but I can tell you quite authoritatively that Google will not abuse your passwords and passkeys. But more importantly (which is the main decision factor for me personally) - given the current state of software (in)security, I trust Google more than anyone else to build it right and to avoid attack vectors less sophisticated companies might expose.
(DISCLAIMER: I am on 1Password which I've been using for long long time - way before password management in Chrome became a real thing. But let's just say, GPM is becoming more and more compelling proposition).
greatgib 20 hours ago [-]
One day they could decide to suddenly block your account for no reason they would like to communicate to you or just you lose your password.
And then you will be screwed very hard with no recourse...
kennywinker 1 days ago [-]
It seems like it’s probably time for a bitwarden client alternative. I’m already running vaultwarden, it’d be nice to have a community-run client. The bitwarden client apps are so mid already - it seems like it couldn’t be that hard to out do them.
lxgr 1 days ago [-]
I'd definitely give a Bitwarden client alternative a try, but I really hope this isn't the start of client fragmentation like it happened for Keepass, especially given that a server is involved here.
holysoles 21 hours ago [-]
While I agree with the concerns raised in this article, I did not enjoy the writing style of it. Almost all of it feels AI generated, and is written in a very combative tone.
HomeDeLaPot 16 hours ago [-]
You start reading. Then it hits you. The short, choppy sentences. The stock phrases. This wasn't written by a human — this was generated by AI.
cwoolfe 1 days ago [-]
The Bitwarden chrome extension just randomly stopped working for me the other day. This is after years of working flawlessly. I had to remove the extension and add it back to get it working...What a shame. Hosting a password manager isn't a game; these are people's real lives and businesses at stake.
tskj 1 days ago [-]
I've had similar issues, it's ridiculous!
Balvarez 1 days ago [-]
Omg, do we really need to make another app suck? I left last pass years ago, I'll leave again but wow I'm tired of this cycle. Private equity is truly the destroyer of value. The next time will be self hosted. Anyone know of a password manager that can encrypt and live in say Google drive?
lillesvin 23 hours ago [-]
> Anyone know of a password manager that can encrypt and live in, say, Google Drive?
Can't most of the many KeePass variants do that?
worksonmine 23 hours ago [-]
How portable do you need it to be? I use pass[1] and it is good. Just a shell script wrapper around gpg, and the passwords are encrypted files you can back up and sync any way you want.
Another vote for pass. I've been using it for ten years with a git repository. I sync to all my machines and use https://github.com/agrahn/Android-Password-Store on Android. Not a solution for non-technical people though...
nout 20 hours ago [-]
This will probably finally push me to migrate away from Bitwarden. Somehow over the years the UI was getting worse and worse too. It takes more steps to add custom hidden fields than it used to, etc.
yoyohello13 1 days ago [-]
What a shame. I've been a paying Bitwarden customer since 2018. I really don't have time to move off yet, but I'll need to keep an eye out for where to jump. It sucks that this seems to just be the logical conclusion of all great projects.
zeroonetwothree 1 days ago [-]
Literally nothing has been taken away from BW yet, it’s all just speculative for now
grougnax 1 days ago [-]
We all know where it's going
yoyohello13 23 hours ago [-]
Better to look for exit strategies before the need arises.
gverrilla 1 days ago [-]
Yes, speculative, for sure.
In the same way if I hold a rock in my hand and let it go, it's speculative that it will fall to the ground.
kmoser 24 hours ago [-]
IANAL but if a company advertises "always free" and then starts charging, how is that not either false advertising and/or a breach of contract?
It’s “always a free option”, which doesn’t clarify what you get with the free version.
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
reassess_blind 16 hours ago [-]
"The phrase “Always free” disappeared from the personal password manager page in mid-April."
It's still on the pricing page, albeit not as prominently. "Just getting started?
Get basic password management today. Always free."
flossly 1 days ago [-]
I use BitWarden because I'd never trust a password manager with closed-source clients. Before BitWarden I used a local manager; BitWarden made my life easier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say, I'll move to the next ethical e2ee password manager if BitWarden turns its back on open source.
deanc 1 days ago [-]
I don't see the problem here. It's a great product and if they want to make money then I don't mind. If it's too expensive, and they hike the price to something ridiculous then I'll vote with my wallet.
dpark 1 days ago [-]
I’m fine with paying a bit more. I honestly don’t think I even use any of the premium features. I started paying because their founder answered some question I sent years ago and I figured that kind of support deserved my support. I could still be on the free tier if cost were a concern.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
JALTU 1 days ago [-]
Management and leadership values, character, and integrity matter because it's unwise to assume there is some homogenous allegiance to customers behind the propaganda of putting the customer first. PE will and must squeeze for their margins as is their wont. They have learned it's unwise to draw attention to this.
Time to act accordingly.
mhitza 23 hours ago [-]
I'm in the same boat, became a premium member to support Bitwarden and use the built-in authenticator. The subscription price is now a negative proposition, alongside the silent rollout and the other red flags raised in the post. I'll probably move to self-hosted, since I have spare compute on my VPS.
notsylver 1 days ago [-]
I am fine with the price increase, for me its how sneaky they're being about everything. If they sent a few emails about the recent changes I wouldn't care, but it feels like they do not want customers to know which is the last thing I want from a password manager.
accrual 1 days ago [-]
Indeed. As I'm sure the new PE-focused CEO knows, the sale of a company includes not just the typical balance sheet items but also intangible assets such as goodwill. Being sneaky about it is an attempt to minimize the loss of such intangibles ahead of a sale.
mschuster91 1 days ago [-]
The problem is the rug-pull. You can't go and proudly state "free forever", and then silently back down on that commitment. That is a textbook example of the enshittification cycle... lure users in with grand promises, sell out once you've got enough of a following.
(Well, technically, you can, but then don't complain about getting called out)
You must be getting a different version of that page than me. The free tier is there but there’s no “always free” verbiage. There is “start free” verbiage.
Edit: “always free” was hidden under a collapsed section
darkwater 1 days ago [-]
It's not super big but it is there in the comparison list.
Pricing: Always free
Ctrl+f for "Always"
dpark 1 days ago [-]
I searched for the word “always”. It was not (and is not; I just checked again) there on the version of the page I was served.
Edit: Actually, it is there, hidden from search under the collapsed pricing section.
davoneus 1 days ago [-]
LOL.. you are correct. Funny thing though... the 'Always Free' text is linked to a "/start-free/" action/page. One could argue that they are hedging their bets.
darkwater 1 days ago [-]
Some other commenter says there are Archive.org cached versions with "Start free" instead of "Always free", so they must have backpedaled on this. Maybe they realized they turned the knob a bit too much towards "hot", increasing the temperature of the proverbial water too noticeably.
dpark 1 days ago [-]
I’m not willing to check all the pages on archive.org but for sure a month ago they had a big “Basic Free” tile in the plan comparison. Now it’s just Premium and Family. They are definitely downplaying the ability to use it for free.
Seems like they want to downplay the mentality that you would never benefit from an upsell to the paid plans, even if the free plan itself stays always free.
basch 1 days ago [-]
as long as the people who signed up when it said it are grandfathered, is it ok then?
corncob0067 1 days ago [-]
Maybe okay on a personal level, but the PE maw eating another great option is just depressing in a more general sense.
SV_BubbleTime 1 days ago [-]
[flagged]
mmonaghan 20 hours ago [-]
Tried everything and love 1pass. Don't want to have to think about it too much.
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
gerty 1 days ago [-]
Not disputing the overall feeling about the changes at Bitwarden but "Always free" phrase is still actually there if you're creating a personal Free account.
notsylver 1 days ago [-]
I believe they added it back after people noticed; archive.org has versions where it's gone.
accrual 1 days ago [-]
Yeah, to me this isn't about whether or not it's "always free". It's about the rug pull.
"They put some of the rug back!" isn't enough to restore goodwill in my case.
zeroonetwothree 1 days ago [-]
What did they pull exactly? Nothing has changed about the product except for a small price increase (but free version is still great)
dlev_pika 1 days ago [-]
Yeah, I don’t trust their path anymore
megamike 3 days ago [-]
what are some bitwarden alternatives?
dabber21 1 days ago [-]
I went with the classic: KeepassXC + Syncthing
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
arbitrarian 1 days ago [-]
Keepass or one of its variants are great. Pair it with a shared folder via SyncThing/GDrive/Dropbox/whatever and you'll be set.
Brendinooo 1 days ago [-]
Kinda funny. I helped get passit.io off the ground YEARS ago but we pivoted away from it because Bitwarden more or less ate our lunch. They just moved way faster.
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
RockstarSprain 1 days ago [-]
Proton Pass. Not ideal but actively developing and IMO its UX is way better than what I had with Bitwarden.
stock_toaster 1 days ago [-]
I think once url matching is added (which is now on their roadmap[1]), I'll try making the switch from my current password manager.
Personal anecdote --- Proton Pass very quickly went from worse than Bitwarden to better with more reliable auto-fill.
zeroonetwothree 1 days ago [-]
Doesn’t it cost much more than BW? I don’t really understand if the main complaint is people worrying about losing the free option (which hasn’t even happened)
magicalhippo 21 hours ago [-]
Not sure it makes sense on its own at $5 a month (currently discounted so $3), but as part of the Proton Ultimate package which gives you mail, VPN etc in addition it's not bad in my view. YMMV.
Worked well for me, I use it for non-critical web accounts and such. KeePass for the few core accounts etc.
paulrudy 1 days ago [-]
I've been keeping my eye on AliasVault[1]. Open-source, self-hostable or pay for cloud hosting, handles both email aliases and passwords.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
No they aren't. They have a minimum of 10 users on their cloud plans and no offers at all for individuals, except self hosting - and you can just use vaultwarden at that point anyway...
hamdingers 1 days ago [-]
For the closest experience, self-host Vaultwarden and keep using the bitwarden clients you're used to. They're GPL-3.0 and aren't going anywhere (and could be forked if there was ever drama).
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
gonzalohm 1 days ago [-]
Depends on what you are looking for. I use keepass to store my password + syncthing to sync across devices
hirvi74 1 days ago [-]
I left for Apple's Passwords.app and never looked back. Of course, that has its own limitations if you are not bought into Apple's ecosystem.
dpark 1 days ago [-]
Apple apparently has an iCloud app for Windows that syncs passwords and provides extensions for major browsers. I had no idea.
dannyphantom 1 days ago [-]
The Windows app for iCloud Passwords works fairly well, no real complaints about it to share. It can sometimes be a bit clunky and slow, though that's likely related to my environment rather than the app itself.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
porshia 8 hours ago [-]
Well that explains a lot, saw their stall at a conference a few weeks ago. And was intrigued as I always thought they were purely FOSS software. I just self-host it...
jeromechoo 1 days ago [-]
Even if the clients go closed source and forked, there's still the very serious issue of closed app ecosystems on iOS and Android. It's one thing to self-host a Vaultwarden instance, it's another entirely to pay Google and Apple $100 a year to publish your own app.
fridder 1 days ago [-]
I started looking for a replacement when I noticed how much RAM the extension was using. >1GB for a password manager seems ridiculous. I'm currently debating between Keepassium and Strongbox but I wonder if there is something better.
havaloc 20 hours ago [-]
Strongbox already got bought out, but it's still very good and you can store the file wherever you want.
websap 1 days ago [-]
How hard is it to fully migrate from Bitwarden to Apple Passwords / Google Passwords? I guess I'm going to have to spend 2 hours on this next weekend.
saila 1 days ago [-]
If you have Bitwarden installed on an iPhone, you can export directly to Apple Passwords with no intermediate steps or trying to figure out where to save the unencrypted CSV file. I just did this and it looks pretty good so far.
2dvisio 23 hours ago [-]
What about TOTP tokens?
zug_zug 1 days ago [-]
funny, I just changed to Bitwarden from 1Password after they had a big price increase (I probably otherwise would have been a lifetime customer if it could have been a leave-it-and-never-think-about-it-again-for-the-next-40-years deal).
I'm not too worried; if Bitwarden changes their price, somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always Apple's built-in product.
dpark 1 days ago [-]
A password management system is one thing I definitely don’t want vibe coded.
asmodeuslucifer 20 hours ago [-]
I believed Steve Gibson about lastpass, then about bitwarden.
studentdriver 24 hours ago [-]
Wonder if Sullivan is the same Sullivan involved in the Autonomy lawsuit
nodeflare 1 days ago [-]
This feels more like an expectation management problem than a product problem.
cglan 1 days ago [-]
I don't think these companies are obligated to run a free tier. Someone has to pay the infra. It's a little shady that they didn't announce any of this though. But bitwarden is open source and you can host it all yourself
borborigmus 11 hours ago [-]
There seems to be a gap in the market for a Vaultwarden-compatible iOS client, if this is the start of enshittification.
I’ve self-hosted Vaultwarden in the past and I’m planning to do it again. The lack of an iOS client is the only thing making me explore alternative solutions altogether.
curious whether "always free" is only marketing or actually has some legal implications
jiveturkey 1 days ago [-]
Ah! Curse your sudden but inevitable betrayal!
quantumwoke 1 days ago [-]
This is terrifying, but I couldn't help myself from frustration at the LLM writing that only worsened over the course of the post. Bloggers, it's not subtle. Please, stop, or at least disclose it.
faccacta 1 days ago [-]
Enshittification is properly viewed as a cybersecurity risk, a category of insider threat. You defend against it, when possible, by using open source software and open, documented file formats. That way, if open source enshittifies, the community can defend by forking. I’m so grateful for KeepassXC.
tamimio 20 hours ago [-]
Besides vaultwarden, I have been testing both AliasVault and peerpass, there’s also passbolt for self hosting. That being said, keep a copy of your vault in keepassXC, and better, don’t put your eggs in one basket so 2FA in keepassXC and passwords in one of the above.
aussieguy1234 20 hours ago [-]
If the price ever became unreasonable I'd host my own VaultWarden instance.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
DANmode 20 hours ago [-]
I started getting banner ads for them, as well.
grougnax 1 days ago [-]
This is terrible news. Jump off the ship while it's still possible!
carabiner 23 hours ago [-]
We've got to remove "quiet" as a GPTism. It's a renovation. That's it.
0x262d 1 days ago [-]
I just read the linked Fast Company article [0]. One question that particularly frustrates me about this process is: why are the former leadership of companies that become enshittified so quiet about it? Do they just get paid out with restrictive NDAs?
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
> Do they just get paid out with restrictive NDAs?
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
class3shock 20 hours ago [-]
For people looking for an alternative, Proton Pass is one, Keepass + Syncthing is another.
ltr_ 1 days ago [-]
is there an enshittification watch site? or something to track acquisition and red flags in products/oss projects?
itsenshittifiedyet.info
if not, what would it take to do that? i think it can be vibed in a weekend.
edit: s/of/and
jrm4 1 days ago [-]
Password protection by a for-profit (where the password protection is the product that you can't have unless you pay for it) is a fundamentally stupid and dangerous business model.
Waiting for everyone to understand this.
karel-3d 23 hours ago [-]
Crap. I just switched to Bitwarden as it was the only password manager that Just Worked and didn't seem scammy. Oh well
grim_io 1 days ago [-]
I am tired of this bullshit.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.
colordrops 1 days ago [-]
Can someone just fork BitWarden into another open source project already? Maybe MorselGuardian lol
and not using their official clients,
your database stays functional in perpetuity.
My host has prebuilds for Vaultwarden.
The API for managing secrets automatically is gated behind `bitwarden-cli serve`, which is surprising to me: I can't call the API directly using urllib or requests. I have to go through the bitwarden-cli.
I've been using bitwarden for a while, but your comment prompted me to investigate how I could backup my secrets, and this is a surprise. I am considering moving to my own infrastructure, because I dread having to depend on this tool to automate regular backups for me. Better to do that at the service layer. Problem is just how to expose it. There is always tailscale but that's just shifting the problem around.
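One way to do the backup part of this at the service layer with nothing but the official `bw` CLI, as an added example (not code from the page or from Bitwarden): export the vault as a password-protected encrypted JSON, refuse to keep a plaintext export on disk, and record a hash beside each export so a later restore drill can tell bit rot from a good file. It assumes `bw` is installed and unlocked (BW_SESSION set), and that an encrypted export carries the top-level keys `encrypted`, `passwordProtected` and `data` while a plaintext one carries `items`; those key names are what I have observed in `bw export --format encrypted_json` output and are treated as assumptions here. The sample files are constructed.

```python
"""Back up a Bitwarden/Vaultwarden vault with the official `bw` CLI and verify it later.
Added example, not code from the page or from Bitwarden. Assumptions: `bw` is
installed and unlocked (BW_SESSION set); an encrypted export has the top-level keys
"encrypted", "passwordProtected" and "data"; a plaintext export has "items".
"""
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

PLAINTEXT_MARKERS = ("items", "folders")  # top-level keys of a *plaintext* JSON export


def sha256_hex(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


def classify_export(raw: bytes) -> str:
    """Return "encrypted", "plaintext" or "invalid" for the bytes of an export file."""
    try:
        doc = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return "invalid"
    if not isinstance(doc, dict):
        return "invalid"
    if any(key in doc for key in PLAINTEXT_MARKERS):
        return "plaintext"
    if doc.get("encrypted") is True and isinstance(doc.get("data"), str) and doc["data"]:
        return "encrypted"
    return "invalid"


def check_export_bytes(raw: bytes) -> dict:
    """Describe an export, raising rather than letting plaintext secrets sit on disk."""
    kind = classify_export(raw)
    if kind != "encrypted":
        raise ValueError(f"refusing to keep a {kind} export")
    return {
        "sha256": sha256_hex(raw),
        "bytes": len(raw),
        "password_protected": json.loads(raw).get("passwordProtected") is True,
    }


def export_vault(out_dir: Path, export_password: str) -> Path:
    """Run `bw export --format encrypted_json` into out_dir, record its hash, return it."""
    out_dir.mkdir(parents=True, exist_ok=True)
    out = out_dir / f"bw-export-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}.json"
    # --password makes the file restorable into *any* account (an account-key-only
    # export re-imports only into the account that made it). Caveat: the password is
    # visible to other local users in the process list while bw runs.
    subprocess.run(["bw", "export", "--format", "encrypted_json", "--password",
                    export_password, "--output", str(out)], check=True)
    write_manifest(out)
    return out


def write_manifest(path: Path) -> Path:
    """Store the export's sha256 beside it, in `sha256sum -c` format."""
    report = check_export_bytes(path.read_bytes())  # also rejects plaintext exports
    manifest = path.with_suffix(".sha256")
    manifest.write_text(f"{report['sha256']}  {path.name}\n")
    return manifest


def verify_manifest(path: Path) -> bool:
    """Restore-drill step one: does the file still match the hash recorded at export time?"""
    expected = path.with_suffix(".sha256").read_text().split()[0]
    return sha256_hex(path.read_bytes()) == expected


# Constructed samples (not real exports): one encrypted-shaped, one plaintext-shaped.
SAMPLE_ENCRYPTED = json.dumps({"encrypted": True, "passwordProtected": True, "salt": "c2FsdA==",
                               "kdfType": 0, "kdfIterations": 600000,
                               "data": "2.ZmFrZQ==|ZmFrZQ==|ZmFrZQ=="}).encode()
SAMPLE_PLAINTEXT = json.dumps({"encrypted": False,
                               "items": [{"name": "example", "login": {"password": "hunter2"}}]}).encode()


def drill() -> dict:
    """Offline rehearsal of the manifest/verify flow on the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "bw-export-20240101T000000Z.json"
        path.write_bytes(SAMPLE_ENCRYPTED)
        write_manifest(path)
        intact = verify_manifest(path)
        path.write_bytes(SAMPLE_ENCRYPTED + b"\n")  # simulate silent corruption
        return {"intact": intact, "tampered_detected": not verify_manifest(path)}


if __name__ == "__main__":
    print(drill())
```

Run `export_vault(Path("~/vault-backups").expanduser(), export_password)` from a cron job after `export BW_SESSION=$(bw unlock --raw)`; the hash file is only half of a drill, so periodically also import the export into a throwaway client to confirm the password still opens it. Copying the export and its `.sha256` off-site is left to whatever sync you already trust, since the file is encrypted under the export password.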
Reimplementing the server side is the easy part.
But a commercial offer will need rebranding of the client, and maintaining forks is much more involved. As long as Bitwarden publishes the sources ...
Theft is also usually obvious.
If self-hosting, keep it at a separate location from your hard drives.
It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
[1]: https://keepassxc.org
[2]: https://www.keepassdx.com
As side note, Syncthing is an amazing piece of software. I sync everything for my other devices into a central PC and from there I do the backups.
[0]: https://syncthing.net/
just to mention an alternative method for anyone that doesn't know: keepass also has a feature called 'autotype' where the desktop program can send keystrokes to fill in password fields
the benefit of this over the browser extension is that there is no connection between your browser and your keepass vault.
it's also handy for filling in passwords in desktop programs or even a terminal
one downside is that you won't be able to have passwords automatically filled in as you're browsing. you need to press a hotkey, but i would consider this to be more of a good security feature to cut out any chance of your browser autofilling any hidden password fields
there is still a browser extension that i use that adds the url to the titlebar of the browser, which makes it easier for the autotype dialog to show the correct logins from your vault
https://addons.mozilla.org/en-GB/firefox/addon/add-url-to-wi...
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a selfhosted keepass server, with the rugpulls, incidents, and whatnot, it is becoming too high of a risk.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
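What the key file buys you, as an added example (not code from the page or from KeePass/KeePassXC): the KDBX composite key is, as I understand the format, SHA-256(SHA-256(password) || keyfile_key), where keyfile_key is a 32-byte file used raw, a 64-hex-character file decoded, or otherwise SHA-256 of the file's contents (XML-format key files are not handled here). The slow Argon2 or AES-KDF transform that the real format applies afterwards is omitted, because the point is that anyone holding only the .kdbx is missing 256 bits of key material, not just a password. The password and key files below are constructed.

```python
"""How a key file strengthens a KeePass (.kdbx) database: the composite key.
Added example, not code from the page or from KeePass/KeePassXC. It follows the
KDBX composite-key rule as I understand it; the Argon2/AES-KDF transform that the
real format applies afterwards is omitted. Sample inputs are constructed.
"""
import hashlib
import os
from pathlib import Path
from typing import Optional


def keyfile_key(contents: bytes) -> bytes:
    """32 bytes derived from a key file's contents under the three legacy rules."""
    if len(contents) == 32:
        return contents  # raw binary key file, e.g. 32 bytes from a CSPRNG
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))  # 64 hex characters
        except (ValueError, UnicodeDecodeError):
            pass  # 64 bytes that are not hex fall through to hashing
    return hashlib.sha256(contents).digest()  # any other file: hash of its contents


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Combine the password (and key file, if any) into the 32-byte composite key."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    return hashlib.sha256(material).digest()


def generate_keyfile(path: Path) -> bytes:
    """Write a fresh 32-byte random key file (raw format) with owner-only permissions."""
    contents = os.urandom(32)
    path.touch(mode=0o600, exist_ok=False)  # refuse to overwrite a key file in use
    path.write_bytes(contents)
    return contents


def unlock_check(password: str, keyfile: Optional[bytes], expected_key: bytes) -> bool:
    """What a client effectively does: recompute the composite key and compare."""
    return composite_key(password, keyfile) == expected_key


if __name__ == "__main__":
    # Same weak password, with and without a key file: different keys, and the
    # database cannot be opened by someone who copied only the .kdbx.
    kf = os.urandom(32)
    vault_key = composite_key("correct horse", kf)
    print("password alone opens it:", unlock_check("correct horse", None, vault_key))
    print("password + key file opens it:", unlock_check("correct horse", kf, vault_key))
```

Keep the key file out of the same cloud folder as the .kdbx (that is the whole point: the two should not travel together), and back it up separately, since losing it is as final as losing the master password.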
For non-technical people, I just recommend using the browsers' built-in password managers. taviso has a good writeup on why: https://lock.cmpxchg8b.com/passmgrs.html
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=973759
I left LastPass because of UX paper-cuts, but I've never lost passwords on either of them.
Honestly, it's something I don't want to think about and just need it to work on mobile and desktop, so the switching friction is very high for me. I'm not going to shop around and try different password managers.
Is "rug pull" a cost thing? I'm generally frugal, but pay for a family plan and don't think twice.
The enterprise version never went beyond password management so I'm not sure how this could have generated a viable ROI.
Don’t see too much of this talk around the comments, anymore!
If you’re seeing this comment: Are lifestyle businesses on your radar?
Please do share.
See this thread from a few days ago: https://news.ycombinator.com/item?id=48118727
The economics of software creation is changing, so it stands to reason how people engage with software will change too. Finding a niche may be a game of luck more than observation/perspiration at this stage, similar to discovering oil on your "barren" property rather than building a farm. As someone who's generally independent, though: I'd love to be wrong here!
Your accountant will be configuring their own work software.
Your project manager will be developing their own work software.
Custodians will not necessarily be developing work software.
Most non-tech desk-staff start to lose focus after the fifth reply on a social media thread…
I do not believe they’re going to be able to perform the three required steps for building software solutions:
1. Know what you need (vs want).
2. Know how to ask for it.
3. Have a process for validating it.
I also don’t think it gets too much simpler than Docker et al for self-hosting, yet those concepts are genuinely a foreign language to even “tech-savvy” consumers.
I think we’re in a bubble, here,
and I am personally betting on one niche (of many) where value ($$$$) is still placed upon having another team to outsource responsibility to.
Responsibility for keeping an important tool up-to-date, keeping it able to capture data,
and most importantly: rigorously tested to ensure it’ll perform calculations correctly.
Responsibility for peak tooling, so a busy end-user can stay responsible for their craft without taking a sabbatical to build software is not going anywhere.
Whether these “peak tools” will be (validated, packaged, delivered to the user, maintained) by me,
or OpenAI/Anthropic instant-agents in 10 years,
is what I believe we should be watching.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
I'd really, really like them to not to ruin it or make it massively more expensive.
Rapidly starting to think even a vibecoded solution may be a better plan than relying on commercial options. High risk of "don't roll your own crypto" mistakes, but realistically that's not the threat model here anymore for the random individual. It's online breaches or perhaps a wrench attack, not a highly skilled crypto adversary. Plus there are probably ready-made crypto modules, so it wouldn't be a true hand-roll.
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically...nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their hn password. That's if you can even get to it - selfhosted password managers are usually on LAN/behind vpn.
Risk profile wise, the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on its back.
The crypto part barely moves the needle here.
Especially if the concerns around Mythos are well founded.
The mythical Mythos can't even find Claude code bugs before releases.
You can assume incompetence for some things ("gosh I really didn't know I should communicate organizational changes more clearly!"), but re-writing history is a deliberate and conscious act of deception.
Holy smokes, has "that's not just X -> THAT IS Y" become one of my trigger words.
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
And you can also see how brainrotten someone's gotten when they start accidentally sneaking in these tells into their normal communication.
As a matter of fact, after a full workday in which I'm essentially forced to read LLM garbage for 9h a day... I sadly notice myself adding the same pointless fluff to how I express myself. Like I caught a viral contagion that's actively siphoning my humanity away.
And expectedly, when coming back to those opinions with a less infected mindset, I frequently have to reevaluate these thoughts later on
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is what made me finally switch to Bitwarden. But of course now I need to figure out what to do next.
[0] https://github.com/pixelspark/sushitrain
as long as the house doesn't catch fire, or as long as I run outside with 1 of my syncthing devices (have several), local cloud is the best.
I suppose you realised you could protect against the scenario where you run outside without any devices, by just having a copy of the encrypted data sent to some cloud service, e.g. iCloud/OneDrive/Google Drive, but decided you couldn't trust any?
I know everyone's threat models are different, but I'm still curious to know your thoughts. There's no one you would trust with an encrypted copy?
Do you have any automated backup of your phone to a cloud service, or only local? If a cloud service, do you make sure it excludes your password manager? If no cloud backup, then do you make sure you have a copy of your data outside the house?
I have incomplete thoughts about the robustness of my password/OTP code backups. It is the 2-factor codes, which one day in the distant future, when I am overseas holding a new replacement for a lost phone, looking at the text "Enter the 6‑digit verification code", I will wish I'd thought about more carefully.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
I realise that this is moving even more of my eggs into Apple's basket, and even further from self-reliance towards convenience, but today it doesn't seem significantly worse to just trust Apple with this, than Bitwarden.
But isn't it a pain to use those passwords on any other non-Apple device? Am I missing something, or is that just not an issue for your use-case? Ah! I've just learned/relearned about iCloud Passwords through iCloud for Windows, but nothing for Linux?
But KeePass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non-technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with KeePass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of users' data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
Definitely not the most secure option, as it breaks 3-2-1 backup rule.
Too bad, because it's one of those things that could be great but just isn't in its current form.
All you have to do is exchange "keys" with the two machines you want to sync and then it's mostly set and forget
So much of our lives is now digital. Important accounts of all kinds, banking, etc.
Waiting on several giant corps to grant your loved ones access after they go through the bureaucratic hole of documentation is... rough.
Putting my master password in my will feels the same as just writing it on a note on my desk. Putting it in a note in a safety deposit box is high effort and cost.
Anyone got a better alternative way to set this up if self-hosting and not going with Vaultwarden?
https://github.com/dani-garcia/vaultwarden
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
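As an added example (not the commenter's own setup, and not files shipped by the Vaultwarden project), here is what a "Podman Quadlet behind a VPN with daily borg backups" deployment can look like as systemd units. Assumptions, all mine: persistent data lives in /srv/vaultwarden owned by the user running the rootless container, the WireGuard-side address of the host is 10.8.0.1, the vault is reached as https://vault.example.internal through a TLS-terminating reverse proxy on the VPN, the borg repository is at /srv/backups/vaultwarden.borg, and /srv/vaultwarden/admin.env exists (empty if you do not want the /admin page). The environment variable names (DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, ROCKET_PORT, ADMIN_TOKEN) are Vaultwarden's documented settings; everything else is illustrative.

```ini
# --- ~/.config/containers/systemd/vaultwarden.container (added example) ---
[Unit]
Description=Vaultwarden password manager (rootless Podman Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
Image=docker.io/vaultwarden/server:latest
ContainerName=vaultwarden
# Opt in to podman-auto-update.timer; alternatively pin a tag and update by hand.
AutoUpdate=registry
# All persistent state: SQLite db, attachments, sends, rsa_key.* used to sign JWTs.
Volume=/srv/vaultwarden/data:/data:Z
# Bind only on the VPN address (assumption: 10.8.0.1) so LAN/WAN never see the port.
PublishPort=10.8.0.1:8080:8080
# Listen on an unprivileged port inside the container so all capabilities can be dropped.
Environment=ROCKET_PORT=8080
Environment=DOMAIN=https://vault.example.internal
# Nobody but existing users (or their invites) can create accounts.
Environment=SIGNUPS_ALLOWED=false
Environment=INVITATIONS_ALLOWED=true
Environment=SHOW_PASSWORD_HINT=false
# Put ADMIN_TOKEN=<argon2 hash> in this mode-0600 file; leave it empty to keep /admin off.
EnvironmentFile=/srv/vaultwarden/admin.env
NoNewPrivileges=true
DropCapability=ALL
# Root filesystem read-only; /data is the only writable mount.
ReadOnly=true

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target

# --- ~/.config/systemd/user/vaultwarden-backup.service (added example) ---
[Unit]
Description=Consistent Vaultwarden backup into a borg repository
After=vaultwarden.service

[Service]
Type=oneshot
Environment=BORG_REPO=/srv/backups/vaultwarden.borg
# Passphrase for an encrypted repo, read from a mode-0600 file (assumption).
Environment=BORG_PASSCOMMAND=cat /srv/vaultwarden/borg-passphrase
# 1. Vaultwarden runs SQLite in WAL mode; a plain cp of db.sqlite3 can be torn.
#    Use the online backup API to get a consistent snapshot file.
ExecStart=/usr/bin/sqlite3 /srv/vaultwarden/data/db.sqlite3 ".backup /srv/vaultwarden/data/db.sqlite3.bak"
# 2. Archive the data directory, excluding the live database and its WAL/SHM files.
ExecStart=/usr/bin/borg create --stats --compression zstd ::vaultwarden-{now} /srv/vaultwarden/data --exclude /srv/vaultwarden/data/db.sqlite3 --exclude /srv/vaultwarden/data/db.sqlite3-wal --exclude /srv/vaultwarden/data/db.sqlite3-shm
# 3. Rotate old archives and verify the repository, so a rotted repo fails loudly.
ExecStart=/usr/bin/borg prune --keep-daily 14 --keep-weekly 8 --keep-monthly 12
ExecStart=/usr/bin/borg check --verify-data

# --- ~/.config/systemd/user/vaultwarden-backup.timer (added example) ---
[Unit]
Description=Daily Vaultwarden backup

[Timer]
OnCalendar=daily
RandomizedDelaySec=15m
Persistent=true

[Install]
WantedBy=timers.target
```

After `systemctl --user daemon-reload`, `systemctl --user start vaultwarden` and `systemctl --user enable --now vaultwarden-backup.timer` bring it up; `loginctl enable-linger` keeps the user units running without a login session. A restore drill is `borg extract ::vaultwarden-<archive>` into a scratch directory, renaming db.sqlite3.bak back to db.sqlite3 and starting a throwaway container against that directory; the rsa_key.* files must be part of the archive, otherwise every client session is invalidated on restore.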
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardening, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
https://github.com/dani-garcia/vaultwarden/discussions/1549#...
The upstream also had this issue, which appeared to be closed without a PR:
https://github.com/bitwarden/server/issues/3650
e.g. You can’t just provide software to people that obtains TLS certs on their behalf: you have no idea how their infra is setup.
Hosting any app on your own infra is a serious skill set.
No, they’re not.
They’re design choices where the default that has been chosen is dangerous for somebody deploying the software. Plenty of web apps do not have those pitfalls.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
I am a paid subscriber. I am kind of ok with the price increase.
The "coincidence" with the change of CEO and the removal of the "always free" tag worries me though.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
It's really not much effort.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official app's autofill on my phone hasn't worked for several months now. I literally have to log in to it once every couple of hours just to manually copy and paste my usernames and passwords separately. I guess enshittification knows no bounds?
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
I know this proverb as (translating from Polish): You're asking the boar if he's shitting in the forest.
"Is bear a Catholic?" doesn't seem very funny.
But a notion that everyone knows how the Pope is regularly shitting in the woods absolutely is :)
In context, my intended meaning was that software enshittification works the same way: we don't have to see a particular private equity firm enshittify a particular piece of software to know that they do enshittify software, just as we do not have to see a bear shit in the woods to know that the bear does shit in the woods.
[0] https://en.wikipedia.org/wiki/Digital_Radio_Mondiale
The larger example to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
Circle of life, I guess.
What’s next in the circle is KeePass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family, who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
1: https://support.apple.com/guide/icloud-windows/set-up-icloud...
(DISCLAIMER: I am on 1Password which I've been using for long long time - way before password management in Chrome became a real thing. But let's just say, GPM is becoming more and more compelling proposition).
And then you will be screwed very hard with no recourse...
Can't most of the many KeePass variants do that?
[1]: https://www.passwordstore.org/
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
It's still on the pricing page, albeit not as prominently. "Just getting started? Get basic password management today. Always free."
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I'll move to the next ethical e2ee password manager if BitWarden turns its back on open source.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
Time to act accordingly.
(Well, technically, you can, but then don't complain about getting called out)
Edit: “always free” was hidden under a collapsed section
Pricing: Always free
Ctrl+f for "Always"
Edit: Actually, it is there, hidden from search under the collapsed pricing section.
https://web.archive.org/web/20260414143334/https://bitwarden...
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
"They put some of the rug back!" isn't enough to restore goodwill in my case.
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
[1]: https://proton.me/blog/pass-roadmap-spring-summer-2026
Worked well for me, I use it for non-critical web accounts and such. KeePass for the few core accounts etc.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
[1]: https://www.aliasvault.net/
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
I’ve self-hosted Vaultwarden in the past and I’m planning to do it again. The lack of an iOS client is the only thing making me explore alternative solutions altogether.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
edit: s/of/and
Waiting for everyone to understand this.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.