alt Hacker NewsThe Quiet Renovation at Bitwarden
Comments
When I first learnt about Bitwarden about 3 years ago, I started hosting Vaultwarden right away. Right now I have one instance for myself and another for my friend's company. Everything runs as smooth as butter. If you can self-host something, do self-host a Vaultwarden instance. If you are (like me) somewhat paranoid about the fact that Vaultwarden hasn't got a proper security audit on its codebase, just run it behind a VPN, it will probably be fine.
I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
I have moved to KeepassXC[1] on my desktop from Bitwarden. On phone, I use KeepassDX[2] which is Android client compatible with KeepassXC. On browser, I use KeepassXC Browser extension which connects with the desktop client. Since KeepassXC operates on a single file, you can use any Filesystem syncing tool to sync that file between devices or to store it in the cloud. I am really happy with the move.
Thank you for this post/link. I have been side eyeing Bitwarden since they started ensh*ttifying the desktop UX last year to make it more like everything else and take up too much space. It had been working perfectly well for browser autofill - super fast and staying out of the way. Now it is bloated white space, slow, standardized UX elements like any SaaS built by AI. Will check out Vaultwarden, Proton Pass, Keepass, I guess. But sadly - yet another tool that worked perfectly well that was ruined in contempt of its own users (LastPass, Authy, Google Reader, etc - the list goes on)
It does seem like most password managers have no moat for import/export, so I’m kinda banking on the idea that I can quickly migrate to Proton Pass or vaultwarden if things get ugly.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
The Bitwarden chrome extension just randomly stopped working for me the other day. This is after years of working flawlessly. I had to remove the extension and add it back to get it working...What a shame. Hosting a password manager isn't a game; these are people's real lives and businesses at stake.
Lately I've been scrutinizing Bitwarden after discovering a long history of memory leak problems in the GitHub issue tracker. It's an extention I use with all of my browsers. It seems to use an unusually high amount of RAM on Safari and I suspect it's why RAM just never stops growing in MS Edge.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
Good post. I switched from Bitwarden to KeepassXC / KeepassDX / Syncthing across my Android phone, Linux PC, and Windows PC. This was the setup I had prior to using Bitwarden for the first time. The Keepass experience is significantly better these days! Importing from Bitwarden is trivial too. Recommended!
Ah damn. I've only recently moved in to Bitwarden - paid - largely on the basis of a multiple-user shared vault and emergency grants to personal vaults.
I'd really, really like them to not to ruin it or make it massively more expensive.
Thank you for pushing me to migrate away from Bitwarden. I've used them for years but I was moving away slowly; now I've moved.
It still says "Always free" on the website for me. It's both on the billing page on the page linked in the article.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
What a shame. I've been a paying Bitwarden customer since 2018. I really don't have time to move off yet, but I'll need to keep an eye out for where to jump. It sucks that this seems to just be the logical conclusion of all great projects.
I got my parents using bitwarden a few years ago. This was a massive improvement over them writing passwords in a little notebook in a drawer (yes, really!).
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
After the LastPass fiasco I switched to selfhosting a password manager (bw).
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
Omg, do we really need to make another app suck? I left last pass years ago, I'll leave again but wow I'm tired of this cycle. Private equity is truly the destroyer of value. The next time will be self hosted. Anyone know of a password manager that can encrypte and live in say Google drive?
Even if the clients go closed source and forked, there's still the very serious issue of closed app ecosystems on iOS and Android. It's one thing to self-host a Vaultwarden instance, it's another entirely to pay Google and Apple $100 a year to publish your own app.
> That’s not a software guy who happened to raise some money. That’s someone whose stated specialty is the PE integration and exit process.
Holy smokes has that's not just -> THAT IS become one of my trigger words.
Ah! Curse your sudden but inevitable betrayal!
I use BitWarden because I'd never trust a password manager with close source clients. Before BitWarden I used a local manager: BitWarden made my life easier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
I started looking for a replacement when I noticed how much RAM the extension was using. >1GB for a password manager seems ridiculous. I'm currently debating between Keepassium and Strongbox but I wonder if there is something better.
I don't see the problem here. It's a great product and if they want to make money then I don't mind. If it's too expensive, and they hike the price to something ridiculous then I'll vote with my wallet.
It seems like it’s probably time for a bitwarden client alternative. I’m already running vaultwarden, it’d be nice to have a community-run client. The bitwarden client apps are so mid already - it seems like it couldn’t be that hard to out do them.
I don't think these companies are obligated to run a free tier. Someone has to pay the infra. It's a little shady that they didn't announce any of this though. But bitwarden is open source and you can host it all yourself
Well the CEO has released a blog post about having an "always" free version. So the people crying here can stop, unless you want to whine/rant more.
Not disputing the overall feeling about the changes at Bitwarden but "Always free" phrase is still actually there if you're creating a personal Free account.
I just read the linked Fast Company article [0]. One question that particularly frustrates me about this process is: why are the former leadership of companies that become enshittified so quiet about it? Do they just get paid out with restrictive NDAs?
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
funny, I just changed to bitwarden from 1-password after they had a big price increase (I probably otherwise would have been a lifetime customer if it could have been a leave it and never think about it again for the next 40 years deal).
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
This feels more like an expectation management problem than a product problem.
curious whether "always free" is only marketing or actually has some legal implications
Password protection by a for-profit (where the password protection is the product that you can't have unless you pay for it) is a fundamentally stupid and dangerous business model.
Waiting for everyone to understand this.
Enshittification is properly viewed as a cybersecurity risk, a category of insider threat. You defend against it, when possible, by using open source software and open, documented file formats. That way, if open source enshittifies, the community can defend by forking. I’m so grateful for KeepassXC.
This is terrifying, but I couldn't help myself from frustration at the LLM writing that only worsened over the course of the post. Bloggers, it's not subtle. Please, stop, or at least disclose it.
I am tired of this bullshit.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.
Can someone just fork BitWarden into another open source project already? Maybe MorselGuardian lol
[flagged]
I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.