I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
It's as reliable as you make it.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
Kind of makes a lot of sense that they wound up working there too.
Is there an alternative frontend as well, or are you still locked in?
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Their android app at least is open source and on available on their own f-droid repo
+1
I am a paid subscriber. I am kind of ok with the price increase.
The "coincident" with change of CEO and remove of "always free" tag worries me though.
I just sent them a message along these lines.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
It is really easy to self-host, and do so securely...
I’m not buying hosting from a password manager, I’m buying security. I don’t have complete confidence that I can secure a self-hosted password manager and it’s not an area where I want to take risks.
It's very simple, just don't make it accessible outside your home network. Clients sync when the server is accessible and use last synced data otherwise.
Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
Bitwarden hasn’t “enshittified” anything. It’s all entirely speculative
It has already enshitified. These changes are text book.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
Same. Whenever I see a PE acquisition, I immediately shift my purchases (eg namecheap last year)
Looks pretty bad regardless of speculation. There are enough red flags to warrant actions and to consider this another enshitification.
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you cant just burn up VC money forever.
Does a bear shit in the woods?
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turmips.
uh, by DRM you mean Digital Radio Mondiale[0], an open digital radio broadcasting standard? sure analog receivers won't work, but hardly a rugpull lol
Yeah? That has to be the worst possible acronym for an open thing.
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
I jumped to Bitwarden because of 1P's new pricing doing exactly that.
Circle of live, I guess.
PE? Private Equity is the slippery slope to Public Enshitification.
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN, it will probably be fine.
I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
Me and some friends have each been hosting vaultwarden casually for years now. What problem do you see? I mean if the Server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has it's own backup of the vault.
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
Thanks for making me check. Did not know this:
"Offline Vault sessions will expire after 30 days.
Except for mobile client applications, which will expire after 90 days."
But for me that is enough time to feel safe, still will do backups regularly.
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
Is there anything stopping a commercial Vaultwarden host?
That already somewhat exists.
Reimplementing the server side is the easy part.
But a commercial offer will need rebranding the client, and maintaining forks is much more involved. As long as Bit warden publishes the sources ...
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
[deleted]
I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
As long as you continue to use (and upgrade) the Biwarden client apps, you should consider that BW could have the keys of your garden: they have control of decryption and encryption code, so that code could leak the key, whatever the server.
I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.
I don't think the clients are open source?
I don’t understand why people post incorrect statements that are trivial to check
Form the article;
"The real safety net is that Bitwarden’s clients are Apache 2.0 licensed."
I have moved to KeepassXC[1] on my desktop from Bitwarden. On phone, I use KeepassDX[2] which is Android client compatible with KeepassXC. On browser, I use KeepassXC Browser extension which connects with the desktop client. Since KeepassXC operates on a single file, you can use any Filesystem syncing tool to sync that file between devices or to store it in the cloud. I am really happy with the move.
Recently moved to a KeePass setup after 1Password raised their prices. Feels good to be in complete control.
This is my exact plan too, if I ever have to leave the Apple ecosystem.
KeePass is such a backwards step in usability and features that I don’t even consider it a competitor. The whole reason I moved to 1Password was to get away from how easy it was to accidentally lose data with the KeePass clients.
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
Thank you for this post/link. I have been side eyeing Bitwarden since they started ensh*ttifying the desktop UX last year to make it more like everything else and take up too much space. It had been working perfectly well for browser autofill - super fast and staying out of the way. Now it is bloated white space, slow, standardized UX elements like any SaaS built by AI. Will check out Vaultwarden, Proton Pass, Keepass, I guess. But sadly - yet another tool that worked perfectly well that was ruined in contempt of its own users (LastPass, Authy, Google Reader, etc - the list goes on)
I really don’t think a UI redesign is the intended meaning of enshittification. BW has had by far the best free option for password management since I started using them 8 years ago.
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
I could quite easily ignore all this in the interest of not going through the pain of finding yet another password manager, but having your new CEO specialise in M&A is really hard to ignore.
Say what you will, but the Apple ecosystem's Passwords app and integration works great. It locks me into their services (iCloud), but I don't see them ever charging for it or sunsetting it. (watch me eat my words in the near future)
Password App surely is a good alternative, however i don’t think there are clients for Linux or Windows? …and that is where Bit/Vaultwarden comes into play.
Lately I've been scrutinizing Bitwarden after discovering a long history of memory leak problems in the GitHub issue tracker. It's an extention I use with all of my browsers. It seems to use an unusually high amount of RAM on Safari and I suspect it's why RAM just never stops growing in MS Edge.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
Ah damn. I've only recently moved in to Bitwarden - paid - largely on the basis of a multiple-user shared vault and emergency grants to personal vaults.
I'd really, really like them to not to ruin it or make it massively more expensive.
It does seem like most password managers have no moat for import/export, so I’m kinda banking on the idea that I can quickly migrate to Proton Pass or vaultwarden if things get ugly.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Does Proton Pass use a wireguard tunnel? Or does Bitwarden? TLS should suffice.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
Those at least have people whose literal jobs are to protect that stuff. The service, the clients, the transport, the environments, etc. That’s what I don’t have if I self host.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
Good post. I switched from Bitwarden to KeepassXC / KeepassDX / Syncthing across my Android phone, Linux PC, and Windows PC. This was the setup I had prior to using Bitwarden for the first time. The Keepass experience is significantly better these days! Importing from Bitwarden is trivial too. Recommended!
I was using this but when I switched to iOS I switched to Bitwarden.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.
I have had an excellent experience with Sushitrain/Synctrain on iOS [0]. It’s honestly the nicest Syncthing client I’ve used, although to be fair desktop-oriented clients have different design goals than mobile clientsm
IANAL but if a company advertises "always free" and then starts charging, how is that not either false advertising and/or a breach of contract?
It’s a “always a free option” which doesn’t clarify what you get with the free version.
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
Thank you for pushing me to migrate away from Bitwarden. I've used them for years but I was moving away slowly; now I've moved.
Out of interest, where are you moving?
Apple's passwords app. It's what I use almost everywhere. I use 1password for work but I'd prefer not to mix work and personal life.
1Password for Business accounts all get an additional 1Password for Families license (5 seats), so you can absolutely keep your work and personal life separate.
What happens when you leave that business account? (e.g. change jobs, leave the company, get acquired and consolidate etc)
[deleted]
It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
> It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
The placement at the bottom of pricing is always where it was. Nothing has changed
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
They mentioned in an update that they accidentally removed “always free” text during a website update and put it back quickly. Seems the article was written in the intervening period
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
How did we as an industry go from "Passwords in notebooks are insecure, use a password manager" full circle back to "Password managers are insecure, write your passwords in notebooks"?
KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use that other password managers once you set it up
Ehh.. much as I love syncthing, I wouldn't recommend it to nontechnical people. I mean, here the dad has android the mom iphone amd they want to sync a keepass file? Maybe with a browser addon on a desktop as well? And the most popular third party android app is discontinued (I use the nerdily named syncthing-fork) and the ios apps i never managed to get to work for my family (maybe sushitrain works now?). But if you live close to parents I guess it can work. This kind of software can be good for social cohesion and less isolation =P
I switched from KeepassXC and KeepassDX to Vaultwarden, primarily to make it easier to get family members to transition to using password managers.
What a shame. I've been a paying Bitwarden customer since 2018. I really don't have time to move off yet, but I'll need to keep an eye out for where to jump. It sucks that this seems to just be the logical conclusion of all great projects.
Literally nothing has been taken away from BW yet, it’s all just speculative for now
Better to look for exit strategies before the need arises.
We all know where it's going
Yes, speculative, for sure.
In the same way if I hold a rock in my hand and let it go, it's speculative that it will fall to the ground.
After the LastPass fiasco I switched to selfhosting a password manager (bw).
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
Vibecoding a password manager might be the worst idea ever. You'd be better off with an encrypted Excel sheet. But otherwise, 1Password is great imo and there are other free open source password managers.
Actual password managers (eg not my old excel sheet) protect you against url doppelgänger and related phishing attacks, as well as incidentally discourage password reuse. 1Password can even now warn you if you try to paste into the wrong website (https://support.1password.com/browser-autofill-security/)
[dead]
The LLMs also help a script kiddie become a highly skilled crypto adversary though.
Especially if the concerns around Mythos are well founded.
I don't think concerns around Mythos are well founded. Highly doubt it will happen.
I wouldn't worry.
The mythical Mythos can't even find Claude code bugs before releases.
True. No chance of me putting a DIY password manager on the open internet though. Would be behind WireGuard etc
The concerns around Mythos are not well founded
> That’s not a software guy who happened to raise some money. That’s someone whose stated specialty is the PE integration and exit process.
Holy smokes has that's not just -> THAT IS become one of my trigger words.
It's almost certainly ai written though. All the regular tells are there... Though he likely edited some out, like that "just"
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
Correct, that was my point
The Bitwarden chrome extension just randomly stopped working for me the other day. This is after years of working flawlessly. I had to remove the extension and add it back to get it working...What a shame. Hosting a password manager isn't a game; these are people's real lives and businesses at stake.
I've had similar issues, it's ridiculous!
Wonder if Sullivan is the same Sullivan involved in the Autonomy lawsuit
I use BitWarden because I'd never trust a password manager with close source clients. Before BitWarden I used a local manager: BitWarden made my life easier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
It seems like it’s probably time for a bitwarden client alternative. I’m already running vaultwarden, it’d be nice to have a community-run client. The bitwarden client apps are so mid already - it seems like it couldn’t be that hard to out do them.
I'd definitely give a Bitwarden client alternative a try, but I really hope this isn't the start of client fragmentation like it happened for Keepass, especially given that a server is involved here.
Omg, do we really need to make another app suck? I left last pass years ago, I'll leave again but wow I'm tired of this cycle. Private equity is truly the destroyer of value. The next time will be self hosted. Anyone know of a password manager that can encrypte and live in say Google drive?
> Anyone know of a password manager that can encrypte and live in say Google drive?
Can't most of the many KeePass variants do that?
How hard is it to fully migrate from Bitwarden to Apple Passwords / Google Passwords? I guess I'm going to have to spend 2 hours on this next weekend.
If you have Bitwarden installed on an iPhone, you can export directly to Apple Passwords with no intermediate steps or trying to figure out where to save the unencrypted CSV file. I just did this and it looks pretty good so far.
I don't think these companies are obligated to run a free tier. Someone has to pay the infra. It's a little shady that they didn't announce any of this though. But bitwarden is open source and you can host it all yourself
Even if the clients go closed source and forked, there's still the very serious issue of closed app ecosystems on iOS and Android. It's one thing to self-host a Vaultwarden instance, it's another entirely to pay Google and Apple $100 a year to publish your own app.
Not disputing the overall feeling about the changes at Bitwarden but "Always free" phrase is still actually there if you're creating a personal Free account.
I believe they added it back after people noticed, archive.org has versions where its gone
Yeah, to me this isn't about whether or not it's "always free". It's about the rug pull.
"They put some of the rug back!" isn't enough to restore goodwill in my case.
What did they pull exactly? Nothing has changed about the product except for a small price increase (but free version is still great)
Yeah, I don’t trust their path anymore
[deleted]
I started looking for a replacement when I noticed how much RAM the extension was using. >1GB for a password manager seems ridiculous. I'm currently debating between Keepassium and Strongbox but I wonder if there is something better.
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
Keepass or one of its variants are great. Pair it with a shared folder via SyncThing/GDrive/Dropbox/whatever and you'll be set.
I've been keeping my eye on AliasVault[1]. Open-source, self-hostable or pay for cloud hosting, handles both email aliases and passwords.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
Kinda funny. I helped get passit.io off the ground YEARS ago but we pivoted away from it because Bitwarden more or less ate our lunch. They just moved way faster.
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
Proton Pass. Not ideal but actively developing and IMO its UX is way better than what I had with Bitwarden.
I think once url matching is added (which is now on their roadmap[1]), I'll try making the switch from my current password manager.
Doesn’t it cost much more than BW? I don’t really understand if the main complaint is people worrying about losing the free option (which hasn’t even happened)
Personal anecdote --- Proton Pass very quickly went from worse than Bitwarden to better with more reliable auto-fill.
For the closest experience, self-host Vaultwarden and keep using the bitwarden clients you're used to. They're GPL-3.0 and aren't going anywhere (and could be forked if there was ever drama).
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
Depends on what you are looking for. I use keepass to store my password + syncthing to sync across devices
I left for Apples Passwords.app and never looked back. Of course, that has its own limitations if you are not bought into Apple's ecosystem.
Apple apparently has an iCloud app for Windows that syncs passwords and provides extensions for major browsers. I had no idea.
The Windows app for iCloud Passwords works fairly well, no real complaints about it to share. It can sometimes be a bit clunky and slow, though that's likely related to my environment rather than the app itself.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
I don't see the problem here. It's a great product and if they want to make money then I don't mind. If it's too expensive, and they hike the price to something ridiculous then I'll vote with my wallet.
I’m fine with paying a bit more. I honestly don’t think I even use any of the premium features. I started paying because their founder answered some question I sent years ago and I figured that kinds of support deserved my support. I could still be on the free tier if cost were a concern.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
I'm in the same boat, became a premium member to support Bitwarden and use the built-in authenticator. The subscription price is now a negative proposition, alongside the silent rollout and the other red flags raised in the post. I'll probably move to self-hosted, since I have spare compute on my VPS.
Management and leadership values, character, and integrity matter because it's unwise to assume there is some homogenous allegiance to customers behind the propaganda of putting the customer first. PE will and must squeeze for their margins as is their wont. They have learned it's unwise to draw attention to this.
Time to act accordingly.
I am fine with the price increase, for me its how sneaky they're being about everything. If they sent a few emails about the recent changes I wouldn't care, but it feels like they do not want customers to know which is the last thing I want from a password manager.
Indeed. As I'm sure the new PE-focused CEO knows, the sale of a company includes not just the typical balance sheet items but also intangible assets such as goodwill. Being sneaky about is an attempt to minimize the loss of such intangibles ahead of a sale.
The problem is the rug-pull. You can't go and proudly state "free forever", and then silently back down on that commitment. That is a textbook example for the enshittification cycle... lure users in with grand promises, sell out once you got enough of a following.
(Well, technically, you can, but then don't complain about getting called out)
You must be getting a different version of that page than me. The free tier is there but there’s no “always free” verbiage. There is “start free” verbiage.
Edit: “always free” was hidden under a collapsed section
It's not super big but it is there in the comparison list.
Pricing: Always free
Ctrl+f for "Always"
I searched for the word “always”. It was not (and is not; I just checked again) there on the version of the page I was served.
Edit: Actually, it is there, hidden from search under the collapsed pricing section.
LOL.. you are correct. Funny thing though... the 'Always Free' text is linked to a "/start-free/" action\page. One could argue that they are hedging their bets.
Some other commenter says there are Archive.org cached versions with "Start free" instead of "Always free", so they must have backpedaled on this. Maybe they realized they turned the knob a bit too much towards "hot", increasing the temperature of the proverbial water too noticeably.
I’m not willing to check all the pages on archive.org but for sure a month ago they had a big “Basic Free” tile in the plan comparison. Now it’s just Premium and Family. They are definitely downplaying the ability to use it for free.
Seems like they want to downplay the mentally that you would never benefit from an upsell to the paid plans, even if the free plan itself stays always free
as long as the people who signed up when it said it are granfathered, is it ok then?
Maybe okay on a personal level, but the PE maw eating another great option is just depressing in a more general sense.
[flagged]
I just read the linked Fast Company article [0]. One question that particularly frustrates me about this process is: why are the former leadership of companies that become enshittified so quiet about it? Do they just get paid out with restrictive NDAs?
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
> Do they just get paid out with restrictive NDAs?
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
funny, I just changed to bitwarden from 1-password after they had a big price increase (I probably otherwise would have been a lifetime customer if it could have been a leave it and never think about it again for the next 40 years deal).
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
A password management system is one thing I definitely don’t want vibe coded.
This feels more like an expectation management problem than a product problem.
[deleted]
Ah! Curse your sudden but inevitable betrayal!
Enshittification is properly viewed as a cybersecurity risk, a category of insider threat. You defend against it, when possible, by using open source software and open, documented file formats. That way, if open source enshittifies, the community can defend by forking. I’m so grateful for KeepassXC.
curious whether "always free" is only marketing or actually has some legal implications
This is terrible news. Jump off the ship while it's still possible!
This is terrifying, but I couldn't help myself from frustration at the LLM writing that only worsened over the course of the post. Bloggers, it's not subtle. Please, stop, or at least disclose it.
is there an enshittification watch site? or something to track acquisition and red flags in products/oss projects?
itsenshittifiedyet.info
if not, what would it take to do that? i think it can be vibed in a weekend.
edit: s/of/and
Password protection by a for-profit (where the password protection is the product that you can't have unless you pay for it) is a fundamentally stupid and dangerous business model.
Waiting for everyone to understand this.
I am tired of this bullshit.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.
Can someone just fork BitWarden into another open source project already? Maybe MorselGuardian lol
I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
https://github.com/dani-garcia/vaultwarden
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
It's as reliable as you make it.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
Kind of makes a lot of sense that they wound up working there too.
Is there an alternative frontend as well, or are you still locked in?
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Their android app at least is open source and on available on their own f-droid repo
+1
I am a paid subscriber. I am kind of ok with the price increase.
The "coincident" with change of CEO and remove of "always free" tag worries me though.
I just sent them a message along these lines.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
It is really easy to self-host, and do so securely...
I’m not buying hosting from a password manager, I’m buying security. I don’t have complete confidence that I can secure a self-hosted password manager and it’s not an area where I want to take risks.
It's very simple, just don't make it accessible outside your home network. Clients sync when the server is accessible and use last synced data otherwise.
Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
Bitwarden hasn’t “enshittified” anything. It’s all entirely speculative
It has already enshitified. These changes are text book.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
Same. Whenever I see a PE acquisition, I immediately shift my purchases (eg namecheap last year)
Looks pretty bad regardless of speculation. There are enough red flags to warrant actions and to consider this another enshitification.
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you cant just burn up VC money forever.
Does a bear shit in the woods?
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turmips.
uh, by DRM you mean Digital Radio Mondiale[0], an open digital radio broadcasting standard? sure analog receivers won't work, but hardly a rugpull lol
[0]https://en.wikipedia.org/wiki/Digital_Radio_Mondiale
Yeah? That has to be the worst possible acronym for an open thing.
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
I jumped to Bitwarden because of 1P's new pricing doing exactly that.
Circle of live, I guess.
PE? Private Equity is the slippery slope to Public Enshitification.
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN, it will probably be fine.
I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.
Me and some friends have each been hosting vaultwarden casually for years now. What problem do you see? I mean if the Server goes down and gets completely corrupted, worst case, all my devices still have the version of the vault they recently used. Technically every device has it's own backup of the vault.
If I stay offline for more than 30 days, can I still access my local passwords? Honest question, because if that's the case it's nice, but I think you'd need to somehow authenticate before accessing your local vault.
Thanks for making me check. Did not know this: "Offline Vault sessions will expire after 30 days. Except for mobile client applications, which will expire after 90 days." But for me that is enough time to feel safe, still will do backups regularly.
You should be doing regular exports/backups of your vault regardless of how it's hosted. Bitwarden could go belly up tomorrow and lose all their stored vault data.
Is there anything stopping a commercial Vaultwarden host?
That already somewhat exists.
Reimplementing the server side is the easy part.
But a commercial offer will need rebranding the client, and maintaining forks is much more involved. As long as Bit warden publishes the sources ...
Competing with the authority bitwarden the company has over the bitwarden open source project. That's just the first thing off the top of my head. Very few people go to the competitor offering the exact same thing but with less say on the popular codebase.
IMO a paper print-out of all passwords and backup codes is the most reliable backup. No bit-rot, no third party, and "degradation" is obvious - fire, flood, etc.
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
As long as you continue to use (and upgrade) the Biwarden client apps, you should consider that BW could have the keys of your garden: they have control of decryption and encryption code, so that code could leak the key, whatever the server.
I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.
I don't think the clients are open source?
I don’t understand why people post incorrect statements that are trivial to check
https://github.com/bitwarden/android
Form the article; "The real safety net is that Bitwarden’s clients are Apache 2.0 licensed."
I have moved to KeepassXC[1] on my desktop from Bitwarden. On phone, I use KeepassDX[2] which is Android client compatible with KeepassXC. On browser, I use KeepassXC Browser extension which connects with the desktop client. Since KeepassXC operates on a single file, you can use any Filesystem syncing tool to sync that file between devices or to store it in the cloud. I am really happy with the move.
[1]: https://keepassxc.org [2]: https://www.keepassdx.com
Recently moved to a KeePass setup after 1Password raised their prices. Feels good to be in complete control.
This is my exact plan too, if I ever have to leave the Apple ecosystem.
KeePass is such a backwards step in usability and features that I don’t even consider it a competitor. The whole reason I moved to 1Password was to get away from how easy it was to accidentally lose data with the KeePass clients.
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
Thank you for this post/link. I have been side eyeing Bitwarden since they started ensh*ttifying the desktop UX last year to make it more like everything else and take up too much space. It had been working perfectly well for browser autofill - super fast and staying out of the way. Now it is bloated white space, slow, standardized UX elements like any SaaS built by AI. Will check out Vaultwarden, Proton Pass, Keepass, I guess. But sadly - yet another tool that worked perfectly well that was ruined in contempt of its own users (LastPass, Authy, Google Reader, etc - the list goes on)
I really don’t think a UI redesign is the intended meaning of enshittification. BW has had by far the best free option for password management since I started using them 8 years ago.
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
I could quite easily ignore all this in the interest of not going through the pain of finding yet another password manager, but having your new CEO specialise in M&A is really hard to ignore.
Say what you will, but the Apple ecosystem's Passwords app and integration works great. It locks me into their services (iCloud), but I don't see them ever charging for it or sunsetting it. (watch me eat my words in the near future)
Password App surely is a good alternative, however i don’t think there are clients for Linux or Windows? …and that is where Bit/Vaultwarden comes into play.
Lately I've been scrutinizing Bitwarden after discovering a long history of memory leak problems in the GitHub issue tracker. It's an extention I use with all of my browsers. It seems to use an unusually high amount of RAM on Safari and I suspect it's why RAM just never stops growing in MS Edge.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
Ah damn. I've only recently moved in to Bitwarden - paid - largely on the basis of a multiple-user shared vault and emergency grants to personal vaults.
I'd really, really like them to not to ruin it or make it massively more expensive.
It does seem like most password managers have no moat for import/export, so I’m kinda banking on the idea that I can quickly migrate to Proton Pass or vaultwarden if things get ugly.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Does Proton Pass use a wireguard tunnel? Or does Bitwarden? TLS should suffice.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
Those at least have people whose literal jobs are to protect that stuff. The service, the clients, the transport, the environments, etc. That’s what I don’t have if I self host.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
Good post. I switched from Bitwarden to KeepassXC / KeepassDX / Syncthing across my Android phone, Linux PC, and Windows PC. This was the setup I had prior to using Bitwarden for the first time. The Keepass experience is significantly better these days! Importing from Bitwarden is trivial too. Recommended!
I was using this but when I switched to iOS I switched to Bitwarden.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.
I have had an excellent experience with Sushitrain/Synctrain on iOS [0]. It’s honestly the nicest Syncthing client I’ve used, although to be fair desktop-oriented clients have different design goals than mobile clientsm
[0] https://github.com/pixelspark/sushitrain
I use syncthing-fork from fdroid, works great
Which variant of keepass tho?
IANAL but if a company advertises "always free" and then starts charging, how is that not either false advertising and/or a breach of contract?
It’s a “always a free option” which doesn’t clarify what you get with the free version.
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
Thank you for pushing me to migrate away from Bitwarden. I've used them for years but I was moving away slowly; now I've moved.
Out of interest, where are you moving?
Apple's passwords app. It's what I use almost everywhere. I use 1password for work but I'd prefer not to mix work and personal life.
1Password for Business accounts all get an additional 1Password for Families license (5 seats), so you can absolutely keep your work and personal life separate.
What happens when you leave that business account? (e.g. change jobs, leave the company, get acquired and consolidate etc)
It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
> It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
The placement at the bottom of pricing is always where it was. Nothing has changed
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
They mentioned in an update that they accidentally removed “always free” text during a website update and put it back quickly. Seems the article was written in the intervening period
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
How did we as an industry go from "Passwords in notebooks are insecure, use a password manager" full circle back to "Password managers are insecure, write your passwords in notebooks"?
KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use that other password managers once you set it up
Ehh.. much as I love syncthing, I wouldn't recommend it to nontechnical people. I mean, here the dad has android the mom iphone amd they want to sync a keepass file? Maybe with a browser addon on a desktop as well? And the most popular third party android app is discontinued (I use the nerdily named syncthing-fork) and the ios apps i never managed to get to work for my family (maybe sushitrain works now?). But if you live close to parents I guess it can work. This kind of software can be good for social cohesion and less isolation =P
I switched from KeepassXC and KeepassDX to Vaultwarden, primarily to make it easier to get family members to transition to using password managers.
What a shame. I've been a paying Bitwarden customer since 2018. I really don't have time to move off yet, but I'll need to keep an eye out for where to jump. It sucks that this seems to just be the logical conclusion of all great projects.
Literally nothing has been taken away from BW yet, it’s all just speculative for now
Better to look for exit strategies before the need arises.
We all know where it's going
Yes, speculative, for sure. In the same way if I hold a rock in my hand and let it go, it's speculative that it will fall to the ground.
After the LastPass fiasco I switched to selfhosting a password manager (bw).
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
Vibecoding a password manager might be the worst idea ever. You'd be better off with an encrypted Excel sheet. But otherwise, 1Password is great imo and there are other free open source password managers.
Actual password managers (eg not my old excel sheet) protect you against url doppelgänger and related phishing attacks, as well as incidentally discourage password reuse. 1Password can even now warn you if you try to paste into the wrong website (https://support.1password.com/browser-autofill-security/)
[dead]
The LLMs also help a script kiddie become a highly skilled crypto adversary though.
Especially if the concerns around Mythos are well founded.
I don't think concerns around Mythos are well founded. Highly doubt it will happen.
I wouldn't worry.
The mythical Mythos can't even find Claude code bugs before releases.
True. No chance of me putting a DIY password manager on the open internet though. Would be behind WireGuard etc
The concerns around Mythos are not well founded
> That’s not a software guy who happened to raise some money. That’s someone whose stated specialty is the PE integration and exit process.
Holy smokes has that's not just -> THAT IS become one of my trigger words.
It's almost certainly ai written though. All the regular tells are there... Though he likely edited some out, like that "just"
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
Correct, that was my point
The Bitwarden chrome extension just randomly stopped working for me the other day. This is after years of working flawlessly. I had to remove the extension and add it back to get it working...What a shame. Hosting a password manager isn't a game; these are people's real lives and businesses at stake.
I've had similar issues, it's ridiculous!
Wonder if Sullivan is the same Sullivan involved in the Autonomy lawsuit
I use BitWarden because I'd never trust a password manager with close source clients. Before BitWarden I used a local manager: BitWarden made my life easier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
It seems like it’s probably time for a bitwarden client alternative. I’m already running vaultwarden, it’d be nice to have a community-run client. The bitwarden client apps are so mid already - it seems like it couldn’t be that hard to out do them.
I'd definitely give a Bitwarden client alternative a try, but I really hope this isn't the start of client fragmentation like it happened for Keepass, especially given that a server is involved here.
Omg, do we really need to make another app suck? I left last pass years ago, I'll leave again but wow I'm tired of this cycle. Private equity is truly the destroyer of value. The next time will be self hosted. Anyone know of a password manager that can encrypte and live in say Google drive?
> Anyone know of a password manager that can encrypte and live in say Google drive?
Can't most of the many KeePass variants do that?
How hard is it to fully migrate from Bitwarden to Apple Passwords / Google Passwords? I guess I'm going to have to spend 2 hours on this next weekend.
If you have Bitwarden installed on an iPhone, you can export directly to Apple Passwords with no intermediate steps or trying to figure out where to save the unencrypted CSV file. I just did this and it looks pretty good so far.
I don't think these companies are obligated to run a free tier. Someone has to pay the infra. It's a little shady that they didn't announce any of this though. But bitwarden is open source and you can host it all yourself
Even if the clients go closed source and forked, there's still the very serious issue of closed app ecosystems on iOS and Android. It's one thing to self-host a Vaultwarden instance, it's another entirely to pay Google and Apple $100 a year to publish your own app.
Not disputing the overall feeling about the changes at Bitwarden but "Always free" phrase is still actually there if you're creating a personal Free account.
I believe they added it back after people noticed, archive.org has versions where its gone
Yeah, to me this isn't about whether or not it's "always free". It's about the rug pull.
"They put some of the rug back!" isn't enough to restore goodwill in my case.
What did they pull exactly? Nothing has changed about the product except for a small price increase (but free version is still great)
Yeah, I don’t trust their path anymore
I started looking for a replacement when I noticed how much RAM the extension was using. >1GB for a password manager seems ridiculous. I'm currently debating between Keepassium and Strongbox but I wonder if there is something better.
Dupe https://news.ycombinator.com/item?id=48157588
what are some bitwarden alternatives?
Passbolt https://www.passbolt.com/
I went with the classic: KeepassXC + Syncthing
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
Keepass or one of its variants are great. Pair it with a shared folder via SyncThing/GDrive/Dropbox/whatever and you'll be set.
I've been keeping my eye on AliasVault[1]. Open-source, self-hostable or pay for cloud hosting, handles both email aliases and passwords.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
[1]: https://www.aliasvault.net/
Kinda funny. I helped get passit.io off the ground YEARS ago but we pivoted away from it because Bitwarden more or less ate our lunch. They just moved way faster.
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
Proton Pass. Not ideal but actively developing and IMO its UX is way better than what I had with Bitwarden.
I think once url matching is added (which is now on their roadmap[1]), I'll try making the switch from my current password manager.
[1]: https://proton.me/blog/pass-roadmap-spring-summer-2026
Doesn’t it cost much more than BW? I don’t really understand if the main complaint is people worrying about losing the free option (which hasn’t even happened)
Personal anecdote --- Proton Pass very quickly went from worse than Bitwarden to better with more reliable auto-fill.
For the closest experience, self-host Vaultwarden and keep using the bitwarden clients you're used to. They're GPL-3.0 and aren't going anywhere (and could be forked if there was ever drama).
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
Depends on what you are looking for. I use keepass to store my password + syncthing to sync across devices
I left for Apples Passwords.app and never looked back. Of course, that has its own limitations if you are not bought into Apple's ecosystem.
Apple apparently has an iCloud app for Windows that syncs passwords and provides extensions for major browsers. I had no idea.
The Windows app for iCloud Passwords works fairly well, no real complaints about it to share. It can sometimes be a bit clunky and slow, though that's likely related to my environment rather than the app itself.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
I don't see the problem here. It's a great product and if they want to make money then I don't mind. If it's too expensive, and they hike the price to something ridiculous then I'll vote with my wallet.
I’m fine with paying a bit more. I honestly don’t think I even use any of the premium features. I started paying because their founder answered some question I sent years ago and I figured that kinds of support deserved my support. I could still be on the free tier if cost were a concern.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
I'm in the same boat, became a premium member to support Bitwarden and use the built-in authenticator. The subscription price is now a negative proposition, alongside the silent rollout and the other red flags raised in the post. I'll probably move to self-hosted, since I have spare compute on my VPS.
Management and leadership values, character, and integrity matter because it's unwise to assume there is some homogenous allegiance to customers behind the propaganda of putting the customer first. PE will and must squeeze for their margins as is their wont. They have learned it's unwise to draw attention to this.
Time to act accordingly.
I am fine with the price increase, for me its how sneaky they're being about everything. If they sent a few emails about the recent changes I wouldn't care, but it feels like they do not want customers to know which is the last thing I want from a password manager.
Indeed. As I'm sure the new PE-focused CEO knows, the sale of a company includes not just the typical balance sheet items but also intangible assets such as goodwill. Being sneaky about is an attempt to minimize the loss of such intangibles ahead of a sale.
The problem is the rug-pull. You can't go and proudly state "free forever", and then silently back down on that commitment. That is a textbook example for the enshittification cycle... lure users in with grand promises, sell out once you got enough of a following.
(Well, technically, you can, but then don't complain about getting called out)
they haven't backed down, you find the "Always free" claim in the very same webpage OP linked https://bitwarden.com/products/personal/#whats-the-differenc...
You must be getting a different version of that page than me. The free tier is there but there’s no “always free” verbiage. There is “start free” verbiage.
Edit: “always free” was hidden under a collapsed section
It's not super big but it is there in the comparison list.
Pricing: Always free
Ctrl+f for "Always"
I searched for the word “always”. It was not (and is not; I just checked again) there on the version of the page I was served.
Edit: Actually, it is there, hidden from search under the collapsed pricing section.
LOL.. you are correct. Funny thing though... the 'Always Free' text is linked to a "/start-free/" action\page. One could argue that they are hedging their bets.
Some other commenter says there are Archive.org cached versions with "Start free" instead of "Always free", so they must have backpedaled on this. Maybe they realized they turned the knob a bit too much towards "hot", increasing the temperature of the proverbial water too noticeably.
I’m not willing to check all the pages on archive.org but for sure a month ago they had a big “Basic Free” tile in the plan comparison. Now it’s just Premium and Family. They are definitely downplaying the ability to use it for free.
https://web.archive.org/web/20260414143334/https://bitwarden...
Seems like they want to downplay the mentally that you would never benefit from an upsell to the paid plans, even if the free plan itself stays always free
as long as the people who signed up when it said it are granfathered, is it ok then?
Maybe okay on a personal level, but the PE maw eating another great option is just depressing in a more general sense.
[flagged]
I just read the linked Fast Company article [0]. One question that particularly frustrates me about this process is: why are the former leadership of companies that become enshittified so quiet about it? Do they just get paid out with restrictive NDAs?
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
> Do they just get paid out with restrictive NDAs?
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
funny, I just changed to bitwarden from 1-password after they had a big price increase (I probably otherwise would have been a lifetime customer if it could have been a leave it and never think about it again for the next 40 years deal).
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
A password management system is one thing I definitely don’t want vibe coded.
This feels more like an expectation management problem than a product problem.
Ah! Curse your sudden but inevitable betrayal!
Enshittification is properly viewed as a cybersecurity risk, a category of insider threat. You defend against it, when possible, by using open source software and open, documented file formats. That way, if open source enshittifies, the community can defend by forking. I’m so grateful for KeepassXC.
curious whether "always free" is only marketing or actually has some legal implications
This is terrible news. Jump off the ship while it's still possible!
This is terrifying, but I couldn't help myself from frustration at the LLM writing that only worsened over the course of the post. Bloggers, it's not subtle. Please, stop, or at least disclose it.
is there an enshittification watch site? or something to track acquisition and red flags in products/oss projects? itsenshittifiedyet.info if not, what would it take to do that? i think it can be vibed in a weekend.
edit: s/of/and
Password protection by a for-profit (where the password protection is the product that you can't have unless you pay for it) is a fundamentally stupid and dangerous business model.
Waiting for everyone to understand this.
I am tired of this bullshit.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.
Can someone just fork BitWarden into another open source project already? Maybe MorselGuardian lol
[flagged]
[flagged]
The "First time?" meme would be appropriate here. Companies change their policies all the time. Most recent example: https://cal.com/blog/cal-com-goes-closed-source-why
[flagged]
It has a very “AI-written”-ish feel to it, FWIW.