Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.

https://github.com/dani-garcia/vaultwarden

+1

I am a paid subscriber. I am kind of ok with the price increase.

The "coincident" with change of CEO and remove of "always free" tag worries me though.

Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.

I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)

I jumped to Bitwarden because of 1P's new pricing doing exactly that.

Circle of live, I guess.

PE? Private Equity is the slippery slope to Public Enshitification.

Yes, but vaultwarden isn't something you can casually run by yourself without some careful thinking. You are hosting secrets whose longevity is important, so if deploying yourself, take good care of backups and do regular drills, so you validate that the backups work, that they aren't corrupted and that you keep a copy off-site.

I'm running Vaultwarden because while on the one hand I'd like to just pay a company to make my password problem go away, I don't know who I can actually trust to not try to take advantage of the fact they have all the keys to all my kingdoms at some point. I see some people complaining about "Private Equity", with justification, and before that it was the "Harvard MBA" mindset, where businesses are encouraged to think of their customers as a resource to be stripmined rather than relationships to cultivate.

I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.

I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.

So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?

I am very happy self-hosting Vaultwarden. I got really tired of being a refugee of one password manager or the next. Either the price goes up, or the service goes away. I am looking at YOU - Dropbox.

I don't think the clients are open source?

Recently moved to a KeePass setup after 1Password raised their prices. Feels good to be in complete control.

This is my exact plan too, if I ever have to leave the Apple ecosystem.

KeePass is such a backwards step in usability and features that I don’t even consider it a competitor. The whole reason I moved to 1Password was to get away from how easy it was to accidentally lose data with the KeePass clients.

For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.

I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.

I really don’t think a UI redesign is the intended meaning of enshittification. BW has had by far the best free option for password management since I started using them 8 years ago.

Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.

Password App surely is a good alternative, however i don’t think there are clients for Linux or Windows? …and that is where Bit/Vaultwarden comes into play.

Does Proton Pass use a wireguard tunnel? Or does Bitwarden? TLS should suffice.

Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.

I was using this but when I switched to iOS I switched to Bitwarden.

What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.

I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.

Which variant of keepass tho?

It’s a “always a free option” which doesn’t clarify what you get with the free version.

IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.

Out of interest, where are you moving?

> It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.

Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.

What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".

To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.

The lack of transparency and quietly changing things around makes me wary.

They mentioned in an update that they accidentally removed “always free” text during a website update and put it back quickly. Seems the article was written in the intervening period

Passwords in a notebook are arguably the most secure option. The notebook exists in exactly one place, behind locked doors, and cannot be leaked or hacked externally.

Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.

(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)

KeepassXC is much better than older keepass clients. Syncthing runs quietly in the background. It's really not much harder to use that other password managers once you set it up

I switched from KeepassXC and KeepassDX to Vaultwarden, primarily to make it easier to get family members to transition to using password managers.

Literally nothing has been taken away from BW yet, it’s all just speculative for now

Vibecoding a password manager might be the worst idea ever. You'd be better off with an encrypted Excel sheet. But otherwise, 1Password is great imo and there are other free open source password managers.

The LLMs also help a script kiddie become a highly skilled crypto adversary though.

Especially if the concerns around Mythos are well founded.

It's almost certainly ai written though. All the regular tells are there... Though he likely edited some out, like that "just"

Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff

I've had similar issues, it's ridiculous!

I'd definitely give a Bitwarden client alternative a try, but I really hope this isn't the start of client fragmentation like it happened for Keepass, especially given that a server is involved here.

> Anyone know of a password manager that can encrypte and live in say Google drive?

Can't most of the many KeePass variants do that?

If you have Bitwarden installed on an iPhone, you can export directly to Apple Passwords with no intermediate steps or trying to figure out where to save the unencrypted CSV file. I just did this and it looks pretty good so far.

I believe they added it back after people noticed, archive.org has versions where its gone

Passbolt https://www.passbolt.com/

I went with the classic: KeepassXC + Syncthing

All locally synced

There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords

Keepass or one of its variants are great. Pair it with a shared folder via SyncThing/GDrive/Dropbox/whatever and you'll be set.

I've been keeping my eye on AliasVault[1]. Open-source, self-hostable or pay for cloud hosting, handles both email aliases and passwords.

I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.

[1]: https://www.aliasvault.net/

Kinda funny. I helped get passit.io off the ground YEARS ago but we pivoted away from it because Bitwarden more or less ate our lunch. They just moved way faster.

Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.

Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...

Proton Pass. Not ideal but actively developing and IMO its UX is way better than what I had with Bitwarden.

For the closest experience, self-host Vaultwarden and keep using the bitwarden clients you're used to. They're GPL-3.0 and aren't going anywhere (and could be forked if there was ever drama).

If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.

Depends on what you are looking for. I use keepass to store my password + syncthing to sync across devices

I left for Apples Passwords.app and never looked back. Of course, that has its own limitations if you are not bought into Apple's ecosystem.

I’m fine with paying a bit more. I honestly don’t think I even use any of the premium features. I started paying because their founder answered some question I sent years ago and I figured that kinds of support deserved my support. I could still be on the free tier if cost were a concern.

With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.

I am fine with the price increase, for me its how sneaky they're being about everything. If they sent a few emails about the recent changes I wouldn't care, but it feels like they do not want customers to know which is the last thing I want from a password manager.

The problem is the rug-pull. You can't go and proudly state "free forever", and then silently back down on that commitment. That is a textbook example for the enshittification cycle... lure users in with grand promises, sell out once you got enough of a following.

(Well, technically, you can, but then don't complain about getting called out)

> Do they just get paid out with restrictive NDAs?

Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.

There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.

A password management system is one thing I definitely don’t want vibe coded.