| ▲ | Bitwarden scrubs 'Always free' and 'Inclusion' values from its site(fastcompany.com) |
| 153 points by gpi 6 hours ago | 85 comments |
| |
|
| ▲ | chipotle_coyote 5 hours ago | parent | next [-] |
| Actually, the part of the article that made me prick my ears up was this paragraph: In February, longtime CEO Michael Crandell moved to an advisory role, according to LinkedIn, with no announcement from the company. His replacement, Michael Sullivan, former CEO of both Acquia and Insightsoftware, touts his experience with “all facets of mergers and acquisitions” on his own LinkedIn page, including experience working with leading private equity firms. In combination with downplaying the free plan and removing any hint of now politically unfashionable DEI-like language, what this screams to me is: Bitwarden is being prepped for a sale. |
| |
| ▲ | nacs 4 hours ago | parent | next [-] | | This feels like deja-vu with Lastpass. LogMeIn buys Lastpass, multiple massive breaches occur[, people move to Bitwarden]. | | |
| ▲ | troyvit 2 hours ago | parent [-] | | Did Lastpass have a project like Vaultwarden behind it at the time? I'm hoping against hope that that will keep us with an open vault. | | |
| ▲ | jmux an hour ago | parent [-] | | vaultwarden is great, but password managers are security critical software that need consistent maintenance and constant updates. if bitwarden is acquired and the new owner decides an open source version of their product is not a business necessity, without someone actively supporting the salaries of engineers it’s unlikely to continue to be secure for much longer. | | |
| ▲ | hgoel 5 minutes ago | parent [-] | | But since it's already open source and popular among tech savvy people, they have to weigh any attempts at increasing profits against the risk of losing customers to a fork. |
|
|
| |
| ▲ | fbd_0100 2 hours ago | parent | prev | next [-] | | Well, it was nice while it lasted. | |
| ▲ | rcxdude 3 hours ago | parent | prev | next [-] | | This is what made me and others nervous when they announced a huge investment into the company a few years ago. It was already a good and self-sustaining product, and taking on that investment was just going to create an expectation of returns later down the line, something that was more likely to result in enshittification. | |
| ▲ | persedes 4 hours ago | parent | prev | next [-] | | urgh of course it has to be private equity. Really liked the product and did not mind paying for it...but not ready for the PE enshittification. | |
| ▲ | beAbU 3 hours ago | parent | prev [-] | | womp womp |
|
|
| ▲ | Cyan488 5 hours ago | parent | prev | next [-] |
| I stopped endorsing closed-source software to friends and family years ago, because you can't trust the companies behind them not to quietly change directions. Years ago I used a free workout app that I really liked. After a few months of using it I recommended it to friends. I only much later found out that I was on a grandfathered version of the free plan without ads or restrictions. The company had made changes to the free plan since I joined, and all new accounts (like my friends) were subject to ads and restrictions. It was embarrassing to have unknowingly recommending something like that. |
| |
| ▲ | 542458 5 hours ago | parent | next [-] | | Bitwarden is open-source though? This is about the hosted version of it, which has a free tier. But you can run the same software on your server at home if you want, for free. (That said, I am also concerned about the direction Bitwarden is taking. I just think this shows that even OSS projects can have direction/rugpull issues.) | | |
| ▲ | Cyan488 5 hours ago | parent | next [-] | | You're right, though the friends and family that I would feel the need to recommend a password manager to aren't the type that would self-host their own servers. | | |
| ▲ | maineldc 4 hours ago | parent [-] | | So what would you recommend to your friends and family that need a password manager? Genuinely curious. I pay for a service for my family because I need reliable and easy for my wife and daughter to use it. | | |
| ▲ | stevesimmons 4 hours ago | parent | next [-] | | - KeePass files synced between laptop and phone on OneDrive, DropBox, etc
- KeePassXC on Windows and Mac
- Keepass2Android mobile client
- Browser integration on mobile.
- On laptop, I prefer no browser integration; Copy username and password with Ctrl+B and Ctrl+C
| |
| ▲ | drfloyd51 an hour ago | parent | prev | next [-] | | A small notebook. Unhackable. Yours forever. Use words based passwords to make entry easier. Suffers from physical presence security hacks. I argue those are far less frequent than online hacks. Wouldn’t recommend for people who are comfortable with Password managers. It is super easy to explain to people how to use it. And some security is better than none. | | | |
| ▲ | Cyan488 3 hours ago | parent | prev [-] | | I've paid for and recommended Bitwarden. For years it's operated along a stable trajectory. I was confident in its security record. Vaultwarden is an escape hatch I'm in a position to set up for my family as a last resort. Almost any reputable password manager is more secure than reusing the same passwords or storing everything in a note file. What I stopped doing so frequently could be described as "evangelizing" or "endorsing". I no longer actively tell people that I think they should use X, instead, if someone asks, I say "I use X, and it's worked for me so far". |
|
| |
| ▲ | alt227 4 hours ago | parent | prev | next [-] | | > But you can run the same software on your server at home if you want, for free. Whats to say this will still be true if the company gets sold? | | |
| ▲ | xienze 4 hours ago | parent | next [-] | | The fact that Vaultwarden exists? | | |
| ▲ | alt227 4 hours ago | parent [-] | | How long after a public sale will Bitwarden clients keep compatible with Vaultwarden? The new owners could put a check in all clients on the first day of ownership if they wanted, and Vaultwarden would immediately be obselete and useless. | | |
| ▲ | GCUMstlyHarmls 4 hours ago | parent [-] | | I wonder if Bitwarden shit on everyone, how long it would take for Vaultwarden specific clients to appear. A browser extension would be pretty simple, app store apps are a bit more complicated because of the pay-to-play aspects. | | |
| ▲ | alt227 4 hours ago | parent [-] | | The problem is once Vaultwarden clients appear, then Vaultwarden becomes its own complete system and is no longer able to rely on the good reputation of Bitwarden. Plus developing clients for multiple browsers and OSes is a lot more difficult than just keeping a back end up to date. If they went this path I think I would jump ship to a paid service. |
|
|
| |
| ▲ | happymellon 4 hours ago | parent | prev [-] | | Except that we do have Vaultwarden, so those who haven't already switched still have an option. | | |
| ▲ | alt227 4 hours ago | parent [-] | | Vaultwarden relies on the goodwill of Bitwarden to allow it to use its clients for compatibility. I would wager a new owner looking for money would block that pretty soon after buying the company. | | |
| ▲ | lern_too_spel 4 hours ago | parent [-] | | The clients are open source. If Bitwarden removes the ability to select the server, people will just fork the clients. | | |
| ▲ | alt227 4 hours ago | parent [-] | | Again, for how long? The answers to all the questions seems to be the same. If Bitwarden was sold they could remove all of this free functionality and interoperability with 3rd party clients immediately. Then you could say well Vaultwarden will work with these forked clients, but then you are placing your security into the hands of multiple different open source maintainers and vaultwarden then has nothing to do with Bitwarden and becomes some random back end + some random 3rds party clients. | | |
| ▲ | rcxdude 3 hours ago | parent [-] | | Sure, but vaultwarden as a system would be entirely usable, I don't think a lot of it is really relying on the bitwarden compatibility for much more than a little convenience. | | |
| ▲ | alt227 3 hours ago | parent [-] | | Useable yes, but trustable? Not without some serious backing and regular auditing from some public security experts. IMO that fact that the existing Vaultwarden system relies on Bitwarden clients and therefore caries Bitwardens secure reputation is its main selling point. Take that away and Vaultwarden is nothing more than some random back end software that can not really be trusted. | | |
| ▲ | rcxdude 7 minutes ago | parent | next [-] | | Maybe, I don't think that reputation really should transfer anyway, and it's not something I would consider necessary for using it. (I mean, some scrutiny is obviously good, but I don't think it needs to be as big as Bitwarden). | |
| ▲ | troyvit 2 hours ago | parent | prev [-] | | > the existing Vaultwarden system relies on Bitwarden clients and therefore caries Bitwardens secure reputation is its main selling point. I hope that this could be a starting point and not an end-point of Vaultwarden. It has gotten far on the shoulders of the Bitwarden giant. If it forked, would it have a large enough community to continue to carry that trust forward (including building new clients)? How much financial support would they need? Could they find a sponsor? It's a European project -- would the EU help fund it as a data sovereignty push? | | |
| ▲ | alt227 2 hours ago | parent [-] | | Agreed, it would be great to have a fully open source solution, however I would be wary of it until it was audited and backed by secuirty professionals in the field. |
|
|
|
|
|
|
|
| |
| ▲ | pigeons 3 hours ago | parent | prev [-] | | The server is only recently free, if indeed it is at all. I don't remember when or if that changed, because for most of its life it was definitely not free (open source). |
| |
| ▲ | mccolin 5 hours ago | parent | prev [-] | | I hear you, but the flip side is that it sounds like they did right by their early adopters in grandfathering you in. | | |
| ▲ | Cyan488 4 hours ago | parent [-] | | Early adopters are exactly the people that like to test and recommend things to the majority. Without being aware of it, I was recommending a different product than the one I was using. People stake their own personal reputations behind their recommendations. I don't think quietly changing the product without warning is doing right by their early adopters. |
|
|
|
| ▲ | Goofy_Coyote an hour ago | parent | prev | next [-] |
| This is very sad. I wasn’t paying for the code tbh, I could always self-host (VaultWarden) at home behind Tailscale, it was all about the management, uptime, and most importantly, supporting a good software I used and loved for years. Sad, really. I’ll either move to self-hosting it at home behind TS, or going back to keepass tbh, anyway, I’m not staying on a sinking ship. P.S: VaultWarden had a few bad CVEs this year (like an Auth Bypass), but when I looked deeper, it wouldn’t have much of a negative effect on me as a self-hosted home user that shares everything with family. |
|
| ▲ | nusl 4 hours ago | parent | prev | next [-] |
| The price doesn't seem bad, though this case smells of some sort of greater internal shift that's, at least for me, indicative the Bitwarden is being turned into a profit-machine-at-any-cost rather than providing a good service for money. This new CEO is a massive red flag. Literally nothing about anything relevant to the product or industry, though he's apparently good at private equity and selling orgs. Probably worth jumping ship now before it mutates into another shitty corporate org, except this one is keeping your passwords. |
|
| ▲ | kelvinjps10 12 minutes ago | parent | prev | next [-] |
| Why projects get destroyed just after I migrate to them?.
Guess I'll have to go back to kepass. |
|
| ▲ | gaiagraphia 3 hours ago | parent | prev | next [-] |
| The private equity virus has a biological imperative to spread. All those people who paid half a mil on education must appear useful at the expense of us all! |
|
| ▲ | summermusic 4 hours ago | parent | prev | next [-] |
| I've paid for Bitwarden for years, but I can come to no other conclusion from all this (CEO all about private equity, severe price hike, scrubbing of core values, hiding the free tier) that it will be sold soon. Time to jump ship! |
| |
|
| ▲ | mfro 4 hours ago | parent | prev | next [-] |
| Great heads up! I will work on self-hosting this month. |
| |
| ▲ | 6ak74rfy 19 minutes ago | parent | next [-] | | I have been self-hosting Vaultwarden for a few months and it has been great. But this news still worries me because Vaultwarden still relies on open-source Bitwarden clients and sounds like those could be on the chopping board anytime soon. Separately, I don't know if there is a self-hostable password manager which allows easy family sharing. (KeepassXC won't work, I believe, because the whole vault is a single file.) | |
| ▲ | OptionOfT 4 hours ago | parent | prev [-] | | There are 2 versions out there, the one from Bitwarden itself, and an open-source rewrite called Vaultwarden. But, the main developer of works at Bitwarden. Thankfully you can easily export your passwords and move to another system (unlike say Authy where we had to inject Javascript to extract the TOTP seeds). |
|
|
| ▲ | aneutron 5 hours ago | parent | prev | next [-] |
| Thank you so much for posting this. I have been paying the annual 10$ (which went up by 2$ this year), but now it looks like I have to pay a whopping 30$ a year (a 3x increase, with no increase in features or value at all). The cherry on the shit cake is that they did not give me any heads up at all. Quite sad. Bitwarden has been consistently one of the best pieces of softwares I have ever used. Simple, just does what it does and gets out of the way. Sad really ... |
| |
| ▲ | mlnj 5 hours ago | parent [-] | | Have been a customer for years, but if the core values are going away, so am I. It's not even about the money. |
|
|
| ▲ | milkglass 5 hours ago | parent | prev | next [-] |
| Just use vaultwarden https://github.com/dani-garcia/vaultwarden |
| |
| ▲ | esperent 5 hours ago | parent | next [-] | | Do you have to self host it? I'm moderately decent at self hosting. I'm fairly confident in my backups and security. But also, I am not a system backup nor security expert, and I don't want to become either. The one last thing that I really want to leave to the experts is my secrets management. | | |
| ▲ | cornell532 32 minutes ago | parent | next [-] | | I like Elestio for managing devops of self-hosting. I don't want to do backups, monitor and fork git repositories for updates, etc.
It's non-trivial. My time is scarce. However, I'm extremely reluctant to give my password database hosting to ANYONE. I feel like this is something I need to "own" myself. Perhaps on Coolify, Dokploy, or on a Raspberry Pi with regular backups hosted at my home or office.
This is extra work that I'm not eager to do; and frankly, it goes against my philosophy of outsourcing "commodity" work to which I'm ill-equipped to add substantial value. On the other hand,
password managers are the most sensitive software I can imagine. Lastly,
Sharing passwords with my wife, coworkers, etc is genuinely very valuable. Either of us can update, maintain etc our shared set of passwords. Last I looked, Keepass and its ilk cannot replace that functionality | |
| ▲ | nathanmills 4 hours ago | parent | prev [-] | | You don't need to be a system backup expert to take backups, and with that attitude you will never become a system backup novice either. There is no gaurentee paid services will keep your data available either. One company lost my data and I was very glad to have backups. |
| |
| ▲ | gigel82 2 hours ago | parent | prev | next [-] | | I do, but this still uses the Bitwarden app and browser extensions. I'm now worried that in pursuit of monetization they'll start screwing with those. After all, the code in the clients have access to all recorded secrets and there would be nothing stopping them from accessing that unencrypted data. | |
| ▲ | thunderbong 5 hours ago | parent | prev [-] | | This uses the Bitwarden client and extensions, which is it's main attraction (I use it too). My worry however is about the future - what if a core functionality goes behind a paywall. |
|
|
| ▲ | ktm5j 4 hours ago | parent | prev | next [-] |
| I'm already paying for the Protonmail suite so reading this was my cue to finally switch over to Proton Pass. Thanks for the heads up. |
| |
| ▲ | bakoo an hour ago | parent [-] | | Switched recently, and was positively surprised by the flexibility of the import process. |
|
|
| ▲ | AdmiralAsshat 4 hours ago | parent | prev | next [-] |
| sigh The writing on the wall seems to have been when they suddenly doubled the price of a yearly subscription without notifying anyone. That struck me as skeezy as **...looks like it may just be the beginning. I hope people are actively mirroring their GH repos, because I expect at some point they might suddenly decide to change the license to Proprietary and move to scrub the repos from the web. At which point, the community will then fork the last-free version and start to maintain a fork. Which I really don't want to see happen, because having to move all my shit for myself and my family again after the LastPass debacle is going to be an extraordinary headache. |
|
| ▲ | UnhappyMeaning 4 hours ago | parent | prev | next [-] |
| Private equity ruins housing. They also ruin software. |
|
| ▲ | AnonC 4 hours ago | parent | prev | next [-] |
| I feel glad that I never went paid (though I do pay for software and services). Bitwarden always seemed laggy: both the development pace and the iOS app (though the latter improved a bit only in the last two years). The moment Bitwarden took VC funding ($100 million?), it was clear that it would “pivot” to enterprise, raise prices for consumers and do other things that describe enshittification. It’s probably in the same league as 1Password (another scummy company with similar practices and deteriorating applications). On password managers, anyone using ProtonPass want to chime in on how it is? I’ve read online that Proton (as a company) has a tendency to start working on new things all the time and let the ones they created remain half baked and languishing (to some extent). I’m not into KeePass and other local password managers since I need a shared solution for multiple people using the same vault. |
|
| ▲ | deepriverfish 4 hours ago | parent | prev | next [-] |
| what's a good open source and secure alternative? even if payed? I've been using bitwarden for years but this change plus their new CEO gives me pause. |
| |
| ▲ | dandellion 4 hours ago | parent | next [-] | | I've been self-hosting Vaultwarden for some time, I'm pretty happy with it. | | | |
| ▲ | happymellon 4 hours ago | parent | prev [-] | | If you are using Bitwarden self hosted, you can switch it out for Vaultwarden. |
|
|
| ▲ | faangguyindia 5 hours ago | parent | prev | next [-] |
| i mostly moved out of all SaaS, today i've Go app with sqlite backing for everything! whenever i need any new feature, i just add it. |
|
| ▲ | microflash 30 minutes ago | parent | prev | next [-] |
| I guess it is time ... (sigh) |
|
| ▲ | elashri 5 hours ago | parent | prev | next [-] |
| Now I started to worry about their clients openness to work with valultwarden. They also said in the past they will not change the behavior to not accept third party servers. But who knows now. |
| |
| ▲ | 542458 4 hours ago | parent [-] | | As much as I hate the changes Bitwarden is making, I’m kinda with them on not adding official vaultwarden support. Having to support multiple backends (some of which you don’t control!) with your frontend makes everything massively more complicated. | | |
| ▲ | alt227 4 hours ago | parent [-] | | Its not about them having to support multiple 3rd party backends, its about them not making any hostile changes which actively block them. |
|
|
|
| ▲ | baal80spam 5 hours ago | parent | prev | next [-] |
| Ah, good old rugpull. Just use KeePass. |
| |
| ▲ | jarofgreen 4 hours ago | parent | next [-] | | Unfortunately that has no team features, and last time I checked they were quite pushy about not adding any - which is totally fair, they know what product they want to make and are sticking to it! But BitWarden has good team features. | | |
| ▲ | jabroni_salad 3 hours ago | parent [-] | | If you are referring to an organization rather than a family, have a look at Pleasant Password Server. |
| |
| ▲ | leosanchez 4 hours ago | parent | prev [-] | | How do you sync between devices? | | |
| ▲ | nvme0n1p1 4 hours ago | parent | next [-] | | https://syncthing.net/ | |
| ▲ | timw4mail 4 hours ago | parent | prev | next [-] | | Syncthing | | |
| ▲ | ilvez 2 hours ago | parent [-] | | Lived like this years, never going to look back. Add mobile to the mix and you're screwed with conflicts and manual resolution. |
| |
| ▲ | nathanaldensr 4 hours ago | parent | prev [-] | | Last time I looked into this, you really couldn't in a reasonably simple way. It was possible between two users, but more than two just caused issues with syncing. | | |
| ▲ | doubled112 4 hours ago | parent [-] | | Syncing between your own devices is still an easier problem to solve than syncing between different users. The database is just a file. I use a self hosted Nextcloud, but you don't have to. KeePassXC allows you to automate opening a database from the URL column. My family and I share a second database and open it from there, but it's super kludgy on any other device. |
|
|
|
|
| ▲ | rvz 5 hours ago | parent | prev [-] |
| "Always free" was never sustainable for a password manager that took VC money and now needs growth at all costs [0]. Obviously predictable. Bitwarden is now in the extraction phase and it is now time to pay an expensive... ...$1.65 a month. [0] https://news.ycombinator.com/item?id=34427981 |
| |
| ▲ | cicko 5 hours ago | parent | next [-] | | Compared with KeePassXC and Syncthing, it is infinitely more expensive! | | |
| ▲ | TurkTurkleton 5 hours ago | parent [-] | | Oh yeah, I love having to manage sync conflicts in my password database because I was dumb enough to edit it on two separate computers that weren't both online at the same time. | | |
| ▲ | sigio 4 hours ago | parent | next [-] | | Yeah, my main reason to stay away from Keepass, everything is in a single versioned binary file. I like 'passwordstore.org', where every secret is it's own gpg-encrypted textfile in a git repo. Every change is a commit, easy to see history, easy to revert or know which version is newest. And easy to selfhost, you just need a place to git push/pull from. | |
| ▲ | rpdillon 4 hours ago | parent | prev [-] | | Works best if you have an always on client. Easy if you have a VPS or a home lab, even a small one, a nuisance if you don't. | | |
|
| |
| ▲ | BoredPositron 4 hours ago | parent | prev [-] | | Look at the CEOs other "ventures" he is a private equity squeeze guy. |
|
