I wanted to like Bitwarden, due to its “open source” nature. But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
I tried teaching my father to use Bitwarden for the sole reason that it seemed to be translated into my native tongue. In his use, Bitwarden turned out to be completely unreliable. As techies, we stop noticing the little glitches, the times when Bitwarden is unable to auto-complete, or to detect a login that needs to be saved. Or the times Bitwarden logs you out of the account, or fails to use your biometrics in the browser because the app is no longer running in the background. Or the management UX of the app that's terrible. For us, these are little annoyances, but for my father it was the difference between usable and unusable.
The individual plan is very cheap, but the family plan is costly. And you can self-host, sure, but it's expensive to self-host.
When talking of self-hosting, people actually mean the alternative built from scratch in Rust (vaultwarden). Well, that project was never audited to my knowledge. Open source or not, it may have security vulnerabilities that could be exploited remotely, and I don't understand how people can trust it.
Bitwarden also took VC investments. Which is fine, I guess they need to grow, but I'm longing for projects that are owned by sustainable businesses that don't need to grow. Why does everything need freaking VC investments? The problem being that startups that took such investments are not trustworthy to be around in another year from now, sorry. Although this is true of 1Password as well.
> I wanted to like Bitwarden, due to its “open source” nature. But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
Exactly my experience. When 1Password announced the shift to a crummy Electron app, I evaluated all of the major password managers, plus some less major ones, such as Strongbox. Even with the UX degradation of 1PW 8, it's still clearly superior to the others, to the point it's really not a contest.
I stuck with V7 until just a few weeks ago, when other circumstances necessitated an "upgrade". I once again evaluated the others, including Bitwarden, to see if they were "good enough". Bitwarden's UX hasn't improved as far as I can tell; more importantly, it refused to import my secrets because I had a secure note that was too big for it. Not "refused to import that note"; refused to import anything—there's no skip option. I had to do a bunch of manual nonsense, which still left me in an incomplete state because I both need that note and want it in my vault (splitting it into multiple notes is an option but also an ugly kludge).
I'm a paying user because 1€/month is the perfect price for what I'd like a password manager to cost. But you're right and the flaws are there.
Before, I used LastPass, and for me, the form field detection was miles ahead. Not a tiny bit, but _a lot_ better. And the UI built on the ephemeral pop-up was a very bad idea that after years and years they haven't decided to ditch and do it the proper way on a new tab, like LastPass, uBlock Origin, or TreeStyleTabs do.
When was the last time you used it? They just had a UI change here recently and it's better than the original. It's cheaper for personal and family accounts compared to 1password. I've been a paying customer of Bitwarden for a long time now and have never experienced any of these issues.
FYI, 1password has taken almost 1 billion dollars in vc investment. They have an obscene amount of pressure to grow.
Cloud password manager functionality can be accomplished in 6U of server space. Vault files are measured in kilobytes or megabytes; millions of customers could be handled by a single SSD RAID and a fast Xeon. Infrastructure and software to make it secure, reliable, and user friendly add expense, but not 9 digits of it.
I do realize that Bitwarden has also taken funding, but nowhere near this much. That being said I'm always baffled by some talking heads in the security space who continuously hawk 1Password. I'm sorry, but when you've taken that amount of funding - the customer is no longer the customer, the investors are and that is who is being catered to. Does the industry as a whole not remember LastPass and the garbage it has become to cater to "Enterprise"? I would bet good money that I can come back to this post in less than 10 years and highlight the downfall of how 1Password has changed hands, changed direction and the product has become less than ideal or a leader in their space. The upside with Bitwarden is it can be forked and kept true to its roots. I get it, 1Password has a few things that work slightly better - but I'm forced to use it for work and despise its bloated feel compared to Bitwarden.
They are moving into enterprise (or trying to anyway), see things like passage[0], etc. They are trying to grow their brand and reach beyond just a simple (but nice) password manager.
Because storage, even globally replicated, isn't the core cost or the core function of a security company.
Your app, the detection of forms (when total idiots try to prevent password managers being used), the security audits, active intrusion detection, etc... those are yet to be handled by an AI, so these cost a lot.
"Bitwarden also took VC investments. Which is fine."
Nope. With that, you've quite literally convinced me to not just avoid it forever, but to also recommend others do the same.
VC investments means "they're gonna want money back at some point," and the service they provide is too important to have that hanging in the air, especially given how badly MANY other VC backed things have screwed things up.
You've effectively told me there's a serious, if not likely, chance that they will at some point screw me and my passwords over if I don't pay them ransom (or engage in some other similarly drastic behavior that I haven't even considered yet).
There is a difference and that is the Bitwarden bits are open source. If the masses decide to change direction and leave Bitwarden as a paid for service - they can. That can't be said about 1Password. IMO this counterbalance of OSS and VC investment can help to keep things in line - look at how this exact situation is playing out for Hashicorp. When you're $1B deep with no way for your customers to push back - you, as an end user, are no longer the customer. I still recommend Bitwarden over 1Password because of this.
Do you have any examples of startups that went to shit due to VC funding? I have a feeling you're completely right, and I want to recommend others to avoid it. I might need some examples to back this up though:)
Pebble. They had a great niche product that was growing organically and sustainably. VCs thought the smartwatch could be the next smartphone, and dumped a truckload of cash on them. Next minute they were burning all that cash pumping out too many new models.
Meanwhile everyone stopped wearing wristwatches except as a fashion statement. The original company would have survived this easily but the VCs wanted the next Apple or bust.
Hosting at data centers is expensive, hosting at home is not expensive. You probably already pay for internet, why not use it?
My home server costs me about 3 euro per month in electricity (and it is quite beefy for a home server) and it runs many services, not just Vaultwarden. Add homeassistant for smart home, nextcloud for document cloud, jellyfin for media, immich for photo backups, etc. Maintenance using docker and compose is also a trivial task.
On top of that, it runs in a private network and has limited exposure to the outside world through VPN in case you need to access it away from home.
Yes, hosting a single service is more expensive, but hosting a bunch is much much cheaper.
What is this nonsense?
If you own a car and know how to drive, do you always call a taxi?
And if you drive your own car, do you pay yourself a salary for being a driver? Including all the taxes?
> Why does everything need freaking VC investments?
I share this frustration. Putting aside the ambitions of founders and initial investors in order to address your question about "everything"...
I think it comes down to tech being perennially talent constrained. It might not feel like that right now after a year or two of big layoffs, but every time that has happened, another long hiring boom has started within a couple of years.
If there were enough competent engineers (in this case, ones that aren't going to get the company in the news for things like cryptography mistakes or sloppy data handling), then that would change all of this. But there aren't, so these companies are left competing for the scarce talent.
You need a large pool of resources for that competition. VC money (eventually replaced by liquid stock grants) is often the easiest source of that. So, VCs can help a company keep and add talent, but in return they want hypergrowth.
It's interesting to see some comments here suggesting that people should just export their bitwarden db to keepassxc (due to the VC backing), & then the other side suggesting a closed-source alternative due to better UX. Two distant sides of a spectrum.
FWIW I switched just fine. The apps definitely don’t have the fit and finish of 1Password but I was up and running pretty fast and haven’t looked back.
> But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
I use BW for my personal use with my SO and 1P at work. I hit some errors in 1P that were cryptic, stuff like "Failed to add this record" with no details, no help button, I had to fire up the chrome console for the extension to find out it was a 401 to our 1P portal. Very poor experience, probably related to our SSO setup but still.
Never had any weird issue like this with BW and I love the autofill shortcut and the absence of a popup when I access a password field like 1P.
So yea, YMMV as usual but definitely not miles ahead.
If 1password keeps applying their current development standards, I'm pretty sure Bitwarden will overtake them soon simply by virtue of not getting worse.
Kind of apples to oranges with 1Password not being open source or having a free tier.
There are small issues with autocomplete on mobile here and there, which I have never seen a password manager do a perfect job at. Otherwise I have never had any issues with BW and the 2fa on the paid tier is great.
Have you ever tried Psono? (I am the main developer behind it.) It's open source, client-side encryption, offers free versions for individuals, is regularly audited, and is bootstrapped / no VC money. Would be happy to hear your opinion on how it compares to 1Password.
I just had a look at whether Psono would be for me. One thing that I discover all too often (and that is also the case here) is that SSO (OpenID, SAML...) is considered enterprise (sorry for calling you out here right now, this is a general frustration).
If I self-host I want to not have to manage all my services with individual logins. Self-hosting with e.g. Authentik to provide SSO and identity management is really a perfect solution, but alas so many projects lock SSO away in their enterprise edition (good on Psono to not make it ridiculously expensive like is often the case).
SSO is the same login/password authentication flow, isn't it? Just its session is shared between services. Any password manager can handle that password-based authentication just fine.
I was on Bitwarden for a bit. I really really like the secure notes feature, it's great for storing secrets like keys that aren't used in a browser or android app.
But Google is so much more convenient.
I still wonder why there's no completely P2P password manager using SyncThing plus a layer of encryption. We have this near perfect tool for making multidevice apps but we don't use it for much!
I mean, you could use pass, which stores all your passwords in a gpg encrypted file. It works very well out of the box with syncthing, or anything else that can move around files, like git-annex.
The Android app for pass seems to be 2 years old, not the worst, not the best.
I've heard KeePassX can have sync conflicts if you edit on multiple devices with the wrong timing.
I think for a real conflict-free experience you'd need to put each password in its own file, or give each device a logfile to publish CRDT updates with cr-sqlite (looking into adding that to a Baserow-style app).
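To make the "one logfile per device" idea from the comment above concrete, here is an added example (not code from pass, Syncthing, cr-sqlite or any project in the thread): each device appends updates to its own log, a file sync tool can move the logs around without ever seeing a conflict because no two devices write the same file, and the vault state is rebuilt by folding every log through a last-writer-wins register per (entry, field). Device names, timestamps and entry contents are constructed sample data.

```python
"""Conflict-free vault sync with per-device append-only logs (added example).

Each device only ever appends to its own log, so a file-level sync tool never
sees two writers on one file. The merged state is a last-writer-wins (LWW) map:
for every (entry, field) the update with the greatest (timestamp, device) pair
wins, which makes the merge order-independent and idempotent.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

TOMBSTONE = None  # a None value records deletion of a field


@dataclass(frozen=True)
class Update:
    ts: int            # timestamp assigned by the writing device
    device: str        # device id; also the tie-breaker for equal timestamps
    entry: str         # vault entry id (a UUID in practice)
    field: str         # "username", "password", "url", ...
    value: Optional[str]


def merge_logs(*logs: Iterable[Update]) -> Dict[str, Dict[str, str]]:
    """Fold any number of device logs into one vault state.

    Replaying a log twice, or in a different order, yields the same state,
    which is the property a conflict-free replicated data type has to give.
    """
    winners: Dict[Tuple[str, str], Update] = {}
    for log in logs:
        for u in log:
            key = (u.entry, u.field)
            cur = winners.get(key)
            if cur is None or (u.ts, u.device) > (cur.ts, cur.device):
                winners[key] = u
    vault: Dict[str, Dict[str, str]] = {}
    for (entry, field), u in winners.items():
        if u.value is TOMBSTONE:
            continue  # deleted field: kept in the log, absent from the state
        vault.setdefault(entry, {})[field] = u.value
    return vault


# Constructed sample logs: both devices rotate the same password at ts=5
# (a real conflict), and the phone later deletes the url field.
LAPTOP_LOG = [
    Update(1, "laptop", "e1", "url", "https://example.com"),
    Update(1, "laptop", "e1", "username", "alice"),
    Update(2, "laptop", "e1", "password", "old-pw"),
    Update(5, "laptop", "e1", "password", "laptop-rotated"),
]
PHONE_LOG = [
    Update(5, "phone", "e1", "password", "phone-rotated"),
    Update(6, "phone", "e1", "url", TOMBSTONE),
]


def demo() -> Tuple[Dict[str, Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Merge in both orders; the results are identical."""
    return merge_logs(LAPTOP_LOG, PHONE_LOG), merge_logs(PHONE_LOG, LAPTOP_LOG)


if __name__ == "__main__":
    a, b = demo()
    print(a == b, a)
```

The tie at ts=5 is settled by the device id, so both devices end up with the phone's password, deterministically, instead of one of them silently keeping a stale value or the sync tool producing a `.sync-conflict` copy. The caveat is that LWW with wall-clock timestamps lets a device with a badly skewed clock overwrite newer edits; a production design would use Lamport or hybrid logical clocks and encrypt the log entries before they leave the device.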
AFAIK Vaultwarden is just easier to set up for self-hosting. You can self-host the same server Bitwarden uses, but it's a lot more effort (unless they have stopped developing this recently).
Have you considered just merging it into your own fork? I guess it depends on what their specific concerns are, but if it's political and not technical, I'd for sure just keep rebasing that change on top of releases and let them do as they see fit
Using Vaultwarden for my team passwords (for personal ones I have Password Store). Zero problems except when I had to migrate to another server and it didn't pick up the database from the Docker volume I restored the first time (although it's equally likely a Docker problem or me doing something wrong).
I went away from keepassxc after too many sync conflicts. Perhaps it was my own Nextcloud that was the cause, but now with passwords sharing between me and spouse and no more sync issues (on Vaultwarden) I’m very happy I switched.
Huh, more negative than I expected. For some reason I had Bitwarden as an HN darling in my head. Not sure where I got that from. I pay for premium for $10 a year. Not sure what I actually take advantage of with that honestly but I just really like the product. That said, it's not based on a lot of competition searching. Am I missing out on some big benefits in other managers?
So many comments are of the generic nature, "<COMPETING PRODUCT> is miles ahead", without any specifics on what that's supposed to mean. My last few employers have used LastPass and 1Password, while I use Bitwarden for my personal stuff, and I prefer the latter by far.
The browser plugin is more reliable about recognizing when I'm entering or updating a password, and offering to store or update it. The iOS version has smoother integration with password autocomplete in other native apps. It MAY be that Bitwarden lags behind in "team" sharing features, I don't know. For personal use, that class of use cases is irrelevant to me.
As near as I can tell, there seems to be a lot of HN rage that "most" of Bitwarden is open source, but there are still some proprietary bits that keep it from 100%. I never understand this mentality, that software should fall from the sky like manna from heaven and not support a business. I also don't understand why these resentments never seem to stick to products like VS Code, that are the exact same way. Maybe Bitwarden should just try a sexier-looking dark mode UI?
I’m with you on this. I tried every popular option a few years ago and found all of them to be rather atrocious, but settled on self-hosting VW, and found its mobile integration (using BW clients/apps) to be as close to native as anything, and its 2FA (for TOTP anyway) is superb. Nothing else thus far allows me to launch a website or app and login with 2FA faster than Bitwarden. I operate under the assumption that everything has a weak spot, at least Vaultwarden isn’t hiding the source code and if BW’s VC backers dictate some kind of rule-breaking change to the service, it won’t affect my data and forks/OSS alternatives will be easily readied to interface with it.
There is a weird phenomenon in software where the open source solution is held to a higher standard than other software in the space. I also have premium Bitwarden and I love it. My org uses a different "Enterprise" grade password manager and it's way more complicated to use and the interface is slower.
I just have a rule that if I can get 80% of the same features with an open source solution I'll use it, even if it's not "the best."
Feels like an orchestrated attempt at taking down a competitor to be honest. HN has had nothing but praise about Bitwarden before this. I use it and have had nearly none of the issues people are complaining about here; the one complaint I have would be the biometrics login with the desktop app being clunky - not a show stopper.
FYI - Your two primary alternatives are LastPass and 1Password. The former of which is melting down due to security flaws, and the latter has raised roughly $1B in VC money:
At a certain point, you just have to live your life. To accept that products you use might change in the future, and you might need to migrate to something else down the road.
The alternative is just keep something like KeePass around on a thumb drive, and forgo all the cloud sync, and browser and native app autocomplete integration. But those things are really the main point to all these products. Without that, I would argue that you're better off with a pad of paper in your desk drawer.
If you look at the total financial means Proton has spent to develop and grow, >98% came from the community, making VC funding less than 2%. In fact, the total amount of VC money is actually even less than the money we have given away in various donations (you can learn more about those here: https://proton.me/blog/2022-lifetime-fundraiser-results).
Holy crap! Never been so excited at a corporate account reply! Love your products. Love your philosophy. Great to know about limited VC funding! Thanks for the info. Now I can add Non Vc Funded TM to my list of endorsements for your services.
The new CEO concerns me. I didn't know who the founder was but I always had the impression it was a lone hacker. They passed the baton. Now it's some old Web 1.0 guy who was the CEO of eFax in the 90's.
That's not the type of service I thought I was using.
I looked up their headquarters in Santa Barbara and it's a co-working space. That doesn't sound very secure. Though that could be their corp address and they're hiding where they work.
Bitwarden has had VC investors for years, long before the mentioned 2022 funding. I think our track record to date shows how we operate in this relationship. We specifically choose partners that align with our vision, not just anyone that comes off the street wanting to throw money at us (though there are many). Our health as a company affords us this luxury.
Bitwarden is and has been monetized since the beginning. There are no plans to change how we monetize our products. It's working well for us.
No company will ever say that there are plans for aggressive monetization. They will always say everything stays the same - open-source mindset etc.
Until 2 years later there is a license and pricing change. One that will make it 10 times more expensive - or the free/open-source version will be crippled.
The clients are fully FOSS, and there is a FOSS server reference application, too. What could go wrong? (Famous last words Inc.)
FWIW: I've been using this application for the past years. I pay 12 USD or so a year, though I self-host. I just pay as a thank you since I still use the FOSS client, and the price is very reasonable.
1Password is hardly even a competitor as it is a completely different price range, and different product. It isn't FOSS at all, there's a vendor lock-in (in contrast to Bitwarden), and it is 3x as expensive at the very least. They're miles apart.
And 1Password does not offer self-hosting anymore, which is why I am stuck on version 7 for my personal vault. At work, we use Bitwarden's self-hosted solution. I could even use an encrypted text file to store my passwords if there were no self-hosting solution anywhere. It gives you an idea of how much I do not want my info to be on the Internet somewhere.
I'm just a normal tech-lover guy who works in the marketing field. I have made my family & 2 agencies switch to Bitwarden and they all love it.
I have stored more than 400 passwords and more than 30 debit + credit cards in it. Though I don't need a paid plan, I'm paying $10 per year just to support the developers.
Just want to echo other comments: thanks so much for Bitwarden. I've been using it for years and it has changed my family's life. Even managed to get my aging parents to use it instead of their paper notebook.
> The new CEO concerns me. I didn't know who the founder was but I always had the impression it was a lone hacker. They passed the baton. Now it's some old Web 1.0 guy who was the CEO of eFax in the 90's.
This sounds like ageism to me. I don't know if this guy is any good or not, but calling out someone as a 'concern' just because they were successful in the past isn't a good look. Is there anything more substantive behind your concern?
I've never heard "web 1.0 guy" as a pejorative, on top of what you said. For the curious, Michael Crandell is the CEO and he founded RightScale in 2007 which exited in 2018 with 250 employees. He was EVP at eFax in the early aughts, which would have been somewhere in his twenties. He's a Stanford and Harvard graduate as well as a self-taught programmer in assembly. Here's an interview with him: https://medium.com/authority-magazine/michael-crandell-of-bi...
Kyle Spearrin is still at Bitwarden and is listed as the Founder & CTO: https://bitwarden.com/about/ It looks like he lives in Jacksonville, FL and has a lot of hobbies.
Maybe this is some internalization, but thinking about another engineer referring to me, pejoratively, as a "web 1.0 engineer" would probably leave me confused. Am I supposed to be ashamed I played in the early days of the web?
I’m with you on all that. Web 1.0… so he has a fundamental understanding of how the Internet works? And was successful before blockchain nonsense came around? Sounds like good qualifications to me.
> he founded RightScale in 2007 which exited in 2018 with 250 employees.
A strong negative signal as far as I am concerned.
For a consumer-oriented software startup, an “exit” is most of the time a polite euphemism for selling the userbase to a juicing machine of some sort; the second place is taken by selling the product to an enterprise-oriented business which doesn’t want the userbase and eventually will, with more or less grace, show them the door.
Therefore, when I see a consumer-oriented, VC-funded startup, I don’t see why I should consider trusting them for even a second. Dine on the free lunch while it lasts, yes; squirrel away every bit of software they’re willing to release, yes; trust, depend on, or invest even a tiniest bit of my time, no.
Based on the interview I linked, Bitwarden is going down a venture of trying to offer vault-like enterprise secrets management on top of Bitwarden's tech, which could mean they're trying to monetize the more enterprise side of their business.
Web 2.0 replaced Web 1.0, right? Is that because Web 1.0 was better or just as good? Or was that because Web 2.0 was an improvement? And we're a good decade or so beyond Web 2.0 now. Surely you're familiar with the term dinosaur in this context. Web 1.0 are the dinosaurs.
If you still think web 1.0 doesn't have any negative connotations there is nothing I can say to change your mind. But I strongly disagree.
You do realize that Web 1.0 and Web 2.0 aren't that far apart in time, right?
Tim Berners-Lee invented the web 1.0 when he was in his thirties in 1989.
Tim O'Reilly and Dale Dougherty, both in their 40s, coined the concept of Web 2.0 in 2004.
Tim Berners-Lee, then in his 50s, coined the semantic or executable web aka Web 3.0 in 2006.
Web 4.0 has no known origin, but the chase for artificial intelligence and machine learning was led by many of the same people from Web 1.0 from engineers to thought leaders. Many of the people who were building back then are only now beginning to peak in their careers. Not to mention, the guy you're talking about would be "Web 3.0" because the company he founded was in 2007 - pretty much the year cloud computing started.
I think, sadly, you're incredibly far down the rabbit hole of ageism.
> I think, sadly, you're incredibly far down the rabbit hole of ageism.
That doesn't make me wrong.
Is it ageism to say I'd rather have a 23 year old baseball player than a 60 year old one? What about a 23 year old model instead of a 60 year old model? Ageism? Ok. Then I'm an ageist. I'll take the 23 year olds.
'But being a model or a baseball player and working at a tech company are not the same thing'
Ya, I know. But the point stands. Crying ageism doesn't make you right or the person appealing to age wrong.
Yeah, it does. Just like racism and sexism, being ageist is wrong. You should really re-assess how you look at the world, because your current view stinks.
> Is it ageism to say I'd rather have a 23 year old baseball player than a 60 year old one? What about a 23 year old model instead of a 60 year old model? Ageism? Ok. Then I'm an ageist. I'll take the 23 year olds.
There are 60 year old models, what is wrong with that? Only somebody who is ageist thinks somebody can't be a model at 60. As for the baseball player, they are not discriminated by age, but by physical condition. If a 60 year old player could have the same physical impact as a 23 year old, then why not?
When it comes to the industry we're in, physical condition is not a discriminator. We are knowledge workers. Older workers tend to (not always) have much more knowledge and experience. Which is why they are paid more and end up in leadership positions (as in this case).
Your comments assume that the guy stopped learning in 1989. How do you know that he's not keeping up with the times? How do you know that he can't understand the modern world, as you imply? And do you even know what it means to be an executive? It doesn't mean knowing all the latest features of React. It means setting a strategy (with fellow executives) for successful growth of the business. These things are as old as time (well, as old as capitalism). Having a talented CTO paired with a shrewd/experienced CEO is a good setup. It doesn't guarantee success, but it's more likely to succeed than with inexperienced executives.
Here's another way of looking at it. Replace "old" in your original sentence with "black", "woman", or "gay":
- Now it's some black Web 1.0 guy who was the CEO of eFax in the 90's.
- Now it's some Web 1.0 woman who was the CEO of eFax in the 90's.
- Now it's some gay Web 1.0 guy who was the CEO of eFax in the 90's.
How do those sentences make you feel?
Your comments are ageist and you should realise that discrimination is unacceptable. It would be wise to stop digging.
Hacker News is essentially a marketing and legitimization arm of a VC firm. The community around it is the value. They know what happens if they try to change it.
Fairly sure that was meant tongue in cheek, as HN is literally run by a VC firm for all intents and purposes. Moderators seem to do a pretty good job of making it impartial, but worth keeping in mind that Y Combinator ultimately runs this website.
What could a password managing service possibly need this amount of money for - or worse - what could they possibly plan to be doing with it to convince the VC that they will get even more money back from this deal?
As someone who much prefers bootstrapping businesses, this seems like just an insane amount of money to raise.
If you had a growing popular product like this, why on earth would you raise that amount of money? This isn't a rhetorical question btw! I would honestly like to know the rationale here?!
It depends. If the point of the VC money is to go after enterprise customers and to expand into other enterprisey software security products, then $100M seems reasonable to me, especially for the time when the investment happened. The VC market seems to have cooled quite a bit from when Bitwarden took that investment, so times change and maybe they were just striking while the iron was hot?
The $10/year individual plan wouldn't warrant $100M investment. But going after big companies who are going to commit to $X/year/employee or similar kinds of pricing packages might, especially if Bitwarden integrates with existing corporate directory systems and such for delegating and managing accounts.
Maybe. Vaultwarden is just a compatible server. All the clients (web, browser extension, desktop, cli and mobile apps) are still maintained by Bitwarden.
Please note that bitwarden server is floss too - vaultwarden is just a simpler backend to self-host (and without a dependency on Microsoft SQL server):
The potential enshittification from this worries me. What crazy stroke will they feel they have to pull on users to satisfy the VCs' need for a quick cash out?
I can understand your position, but there's more than a few of us that have watched some of our favorite products pursue new verticals for the sake of making more money, losing focus on what made them great in the first place, and ultimately dying, forcing us to pivot to some replacement that is better not because its made some revolutionary improvement to the problem space, but because it's less distracted.
All that to say, every time you hear someone talking about this, it's not because they want to talk crap about Bitwarden, it's because they are afraid of getting too sucked into yet another product that works well, only to have to leave when the company's leadership loses focus. Largely because they received pressure from investors trying to 10x their investment in the short term when they could have received sustainable dividends over time.
That's a slippery slope argument though. I am happy for the people you describe that they found a support group in HN comments for the impending demise of bitwarden but it's still just noise and doesn't nurture interesting conversations. Like the recurring "this webapp requires javascript", "signal is centralized", etc. It's becoming memes.
For now. It would be great if the client part would have a fork with an OS maintainer as well, who merges upstream changes but would also add features the corporate entity wouldn't want to do. Vaultwarden is much much easier to self-host, for example.
The typical trajectory of VC-backed companies is one of the things that led us to develop Backbone[1]. We've opted to forego VC funding and the short-term benefits it entails to build the long-term foundational infrastructure for end-to-end encryption.
Another concerning realization is how sparingly encryption is used in (many) modern password managers. Sure, it makes search easier but it also leaks secrets stored in metadata fields without any disclosure to the user. And this is in the single-user setting! There are vastly more security considerations as soon as a common "workspace" is involved.
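The metadata point in the comment above is easy to see with an added example (not Backbone's, Bitwarden's or any other vendor's code): the same vault entry is written to disk two ways, once with only the password field encrypted and once as a whole encrypted record behind an opaque id, and a helper lists which fields someone holding the file but not the key can still read. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, chosen only so the example runs on the Python standard library; a real vault would use an AEAD such as AES-GCM or XChaCha20-Poly1305. The key and entry contents are constructed.

```python
"""What a vault file leaks when only the password field is encrypted (added example).

serialize_password_only() mirrors a design that encrypts the secret but keeps
name, url, username and notes searchable in plaintext; serialize_full() encrypts
the whole record. leaked_fields() shows the difference an offline attacker sees.
The cipher below is a standard-library stand-in for a real AEAD, not for production.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the vault key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher for this example."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> str:
    """Return hex(nonce || ciphertext || tag); a fresh nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt(key: bytes, blob_hex: str) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def serialize_password_only(entry: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Encrypt just the password; every other field stays readable on disk."""
    record = dict(entry)
    record["password"] = encrypt(key, entry["password"].encode())
    return record


def serialize_full(entry: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Encrypt the whole record; only an opaque id is left in the clear."""
    return {"id": entry["id"], "blob": encrypt(key, json.dumps(entry).encode())}


def leaked_fields(record: Dict[str, str], entry: Dict[str, str]) -> Set[str]:
    """Fields whose original value is present verbatim in the stored record."""
    return {k for k, v in record.items() if k != "id" and entry.get(k) == v}


def demo() -> Tuple[Set[str], Set[str], bool]:
    key = secrets.token_bytes(32)  # constructed; normally derived from the master password
    entry = {                       # constructed sample entry
        "id": "3f2c",
        "name": "Example Bank",
        "url": "https://bank.example",
        "username": "alice@example.com",
        "password": "correct horse battery staple",
        "notes": "security question answer: Fluffy",  # a secret hiding in "metadata"
    }
    weak = serialize_password_only(entry, key)
    strong = serialize_full(entry, key)
    roundtrip = json.loads(decrypt(key, strong["blob"]).decode()) == entry
    return leaked_fields(weak, entry), leaked_fields(strong, entry), roundtrip


if __name__ == "__main__":
    print(demo())
```

With the password-only layout the notes field, the username and the full list of sites a user has accounts on are readable by anyone who obtains the file or a server backup; with the full-record layout only the entry id is. The trade-off the comment hints at is real: search and sorting then have to happen client-side after decryption, which is more work for the app but is the only way the server never learns the metadata.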
Well.. Crap. And I just moved off LastPass within the past year :|
I even pay for Bitwarden and it's been great with its back-to-basics UI that just works, and not crushing page load performance with the Chrome plugin.. But 100M is a huge sum and we saw how this turns out.
Wow, I wasn't aware of this. With such amount of money raised, I would expect a more polished app/frontend. Their core open-source product as a password manager is solid, but the UX/UI could definitely use some improvement.
Bitwarden is great. I use it everywhere and it manages passwords well. The key feature for me is the ease of use of "organizations", which allows me to share passwords with my wife easily. A lot of accounts regarding our financials or children are shared, so we both need the password. Bitwarden makes this trivial.
I also use the sharing feature (aka organizations) and maybe I am too dumb but it seems that you can't see or copy the password anymore once you have shared it (even the one you yourself shared with somebody else). Which is fine for when you can use the auto-fill but that just doesn't always work or isn't always feasible.
The title is misleading. This is not fully "free and open-source". I'm actually puzzled by the licensing structure.
Bitwarden server is dual-licensed [1]
- part of it is licensed with AGPL (Open Source)
- some features are licensed with a source available Bitwarden license
Now, even the Open Source core requires you to register if you want to self host. This is to provide you with complementary services like security updates, push relay servers (?), and licensing checks. [2] Although not stated in the docs, I guess this also improves their telemetry data, as they suggest to never share the license keys between installations.
I completely understand the need to use source available licenses instead of open source. What I don't understand is why even license parts of your app as Open Source? The resulting product is not free. Neither as in beer, nor as in speech. Does anyone know good reasons for doing that? I'm asking seriously. I'd like to better understand how companies benefit by marketing their products as Open Source, even if they are barely open source.
"Commercial.Core and SSO integration: Code for certain new modules that are designed and developed for use by larger organizations and enterprise environments is released under the Bitwarden License, a "source available" license."
The rest of Bitwarden is free both as in beer and as in speech. Dunno why you think otherwise. Vaultwarden exists, and Bitwarden clients are compatible with it.
Thank you, and other people, for mentioning Vaultwarden. I’ll check that out. This is, however, a separate software package, coming from different people, so not related to my question.
Bitwarden is not free as in speech, as it requires me to register with Bitwarden, Inc and get a license key to be able to self host. Also, then it uses some closed cloud services.
As for the free as in beer - this is more nuanced, but I still think it is far from free. For individuals - hosting something that requires 2-4 GB of RAM [1] is definitely not free. For companies - hosting something that doesn’t include SSO is pointless. The Bitwarden source available license, that includes SSO, does not allow production use [2], and requires a paid subscription instead.
BTW I completely understand the reasons to not open source everything. What I don’t understand is: why not use the source available Bitwarden license for the entire server codebase?
> Bitwarden is not free as in speech, as it requires me to register with Bitwarden, Inc and get a license key to be able to self host.
That is not the right understanding of the term "free" because the code is completely open-source and you can remove the parts that have to do with registration and enterprise features yourself without breaking the license agreement. You would have to maintain such a fork on your own though. It would be easier if Bitwarden Inc. themselves would maintain a completely open-sourced version and an open core version with non-free parts and registration, but they are not obligated to do so.
Why does everyone assume that if something is open source it must also be free and licensed under permissive license allowing you whatever? Briefly looking at their website I got the impression that it was meant for transparency reasons rather than in the spirit of free and open-source.
Yesterday I was listening to The Changelog podcast with Steve O'Grady called "Open Source is at a Crossroads". In it he says something along the lines of: We have companies come to us saying they want to release their source under an encumbered license and we tell them that they can definitely do that but they can't call it open source, because open source means something fairly specific to developers. We work with them on getting their specific license terms set up but they come back saying "We really want to call it open source, because developers find open source cool, and we want to attract developers." Developers like it because of what open source means.
Thank you, I found the answer to my question posted above in this podcast and the article linked there [1].
So, the argument is simply that Open Source is a branding that attracts developers as a target group.
I wonder when we will start seeing commercial, source available projects posted to GitHub with a single file like stringutils.[ts|go|java|etc] MIT-licensed for the single purpose of calling the entire project "Open Source".
I don't think anyone really cares, but from the wording in the license FAQ, it sounds like you can host the server as FOSS-only?
> ... api includes... Commercial Core which is under the Bitwarden License, however this can be disabled by using /p:DefineConstants="OSS" as an argument to dotnet while building the module.
I'm surprised no one's mentioned Padloc [1] yet. It's end-to-end encrypted, open source, easy to self host, and with a really nice UI + UX. I got all my family to use it and used it for over a year, before eventually contributing actively to it.
There's even a Tauri-based desktop app!
Full disclosure: I have "contributing power" but do not make money from its sales or anything like it.
Sorry, I install from the APK directly, available in the GitHub repo. I see someone already created an issue for it at https://github.com/padloc/padloc/issues/725 so thanks for bringing it up!
Well, it couldn't be farther away from the truth. It's a very profitable business (I tried to buy it, but I don't have nearly enough money). So I just contribute to improve things because I like it. I do get the design isn't for everyone, though, so thanks for sharing!
Does it have WiFi sync? Seems like all the big players are committed to removing that, and that’s like the one single thing I want from a password manager: don’t store all my passwords in the cloud.
Check out CodeBook, it’s not open source but it’s a 1-time fee per device type (Windows, Mac, iPhone, Android), up to five installs. I’ve purchased for phone, MacBook, and Windows PC and have been using it for the past 5+ years and am satisfied with it. The product itself isn’t open source but the company which makes it does develop an open source module/extension of SQLite for encrypted databases. All syncing is manually done, across Wi-Fi or it can use Dropbox or Google Drive.
Nope. It stores the data end-to-end encrypted in the devices locally and synchronizes that to the cloud. I personally liked the wi-fi sync a long time ago with 1Password (before it was a subscription-based business), but since this is e2ee and open source, I'm fine with the cloud storage.
Bitwarden is not perfect, but calling `pass` "easy" is comical - especially for those of us sharing passwords with far less technical family members - and 1Password has a very opinionated UI that seems to get more in the way than anything. I find Bitwarden to strike a good balance between security, price, and design.
That said, I do share in the concern about the funding and exec changes.
I am a happy user and find it very convenient, but how safe is it really to have all your jewels centralized in the cloud, including 2FA? It seems such a worthwhile target.
On the other hand keeping everything in sync manually seems a hassle and in the end you just encrypt on your machine and the syncing goes through the cloud anyway, so where's the difference? I'd be happy to hear thoughts on this.
You absolutely must be able to create unique and reasonably strong passwords for each of the services you use. This is the absolute most critical first step in account management.
From here, we can have a discussion about broad behavior and individual behavior. We observe that at scale people reuse passwords if they are not using a password manager. End of story. Getting people to use a password manager at scale is the single largest practical improvement in account security for the general population that we have available to us right now. This is even true with the risk of a vault being stolen and unlocked. I've never seen any data that even remotely challenges this point.
Cloud management of passwords is basically non-negotiable for most people. "Oh fuck, my vault was on my computer and I dropped it on the floor and the disk broke" will be a constant occurrence. Getting everybody to properly back up their vaults is not feasible at scale.
You can separately talk about specific people if you want. If you are capable of creating unique and sufficiently strong passwords for all of your accounts, then go ahead and avoid a password manager. This will mitigate a marginal risk for you.
Yeah that's a good point. I have pretty much all my passwords on BitWarden but no 2FA tokens to avoid "putting all my eggs in one basket". If you centralize both secrets, you don't really have two factors of authentication anymore. I use Aegis on mobile and pass (with otp extension) on the computer, with completely different passwords from bitwarden.
If you're worried about using Bitwarden's cloud vault, you can always spin up an instance of vaultwarden (FOSS server impl in Rust) and point your clients to it. I haven't done it myself yet (though I will likely do it) but I've heard it works really well.
For me it was more a matter of convenience than security. I didn’t mind using “sameish” passwords for 90% of my accounts. Good enough not to be auto-broken on one leak, really bad if someone actually targeted me. But what eventually drove me to Bitwarden was that I needed more and more different 2FA methods which were all somehow linked to my phone. Many of which weren’t actually backed up. My first idea was to just use Authy, but apparently my phone number is linked to an account that isn’t mine, and their support has been unable to do anything about it, so that’s not exactly possible. So I went with Bitwarden.
I’m not too worried about the eggs in one basket. My digital national ID and my email credentials aren’t saved on my Bitwarden, so while I obviously don’t want to lose it, it also wouldn’t be the end of the world for me.
I'm using keepass, and the sync does not seem to be hassle - my file lives in dropbox, and it's always been synced before I open the app on another device. Bonus - backing up the database is as easy as copy-pasting a file.
I'm glad to read this, as I hit upon a similar solution for my own password store. My Keepass DB lives in Dropbox, but my key file does not. If I want to open it (along with password) on a device, I manually install the key.
I'm sure I forgo some convenience by not having field auto-populate all of the time (Keepass can do some of this, but I haven't had it work reliably), but I relax knowing I need not worry about a third-party service being hacked or my credentials being behind a paywall.
For this I self-host vaultwarden (https://github.com/dani-garcia/vaultwarden), an implementation of the bitwarden server, on my raspberry pi at home (and back up the DB frequently). It works well enough for me, and doesn't have my stuff stored in a single company's cloud.
Always have backups... but in the bitwarden/vaultwarden case (just like with git), every client has a full copy which can be synced back to a new server, so even if you lose a server, you still have all passwords on (every) client.
In my case, that is multiple browser instances on multiple laptops and the bitwarden client on android.
Storing OTPs in your password manager is like 1.5FA. It still provides protection against phishing, brute-forcing, socially engineered password resets, so it isn’t totally useless. But it doesn’t protect against your vault getting compromised.
I keep super important 2FA codes (email, github etc) elsewhere, and for less important services, I store the OTP in my password manager.
OTPs don't protect against phishing. You still type the TOTP in a browser window that sends it off to the attacker. Phishing SDKs automatically handle proxying the password over and then proxying the TOTP over.
Depends how sophisticated the attack is. Plenty of attacks aren’t. I could have been clearer in my comment, but what I meant was “can protect” not “guaranteed protection”, I apologise if it was taken that way.
On the topic of phishing and OTPs, storing the OTP in your password manager could actually help with phishing (opposed to storing it in an authenticator), because it will only autofill on the correct domain. This can be the difference between compromising a password or the whole account.
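As an added example (not Bitwarden's or any other manager's code), here is the domain-scoped autofill decision the comment above relies on: a stored login, and the TOTP secret attached to it, is only offered when the page's registrable domain matches. The suffix list, the match rules and the sample vault are constructed stand-ins.

```javascript
// Added example, not Bitwarden's or any other manager's code: the autofill
// decision that makes a vault-stored TOTP/password phishing-resistant. A
// credential saved for example.com is offered only on pages whose registrable
// domain is example.com, so a lookalike host never sees it.

// Constructed stand-in for the Public Suffix List (assumption: a real client
// would ship the full list rather than these four entries).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable ("base") domain: the public suffix plus exactly one more label.
// Returns null when no known suffix is found, so callers refuse to guess.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Match rules are a hypothetical stand-in for a manager's "match detection"
// setting: "base" (registrable domain), "host" (full hostname), "exact" (origin).
function uriMatches(storedUri, pageUrl, rule = "base") {
  let stored, page;
  try {
    stored = new URL(storedUri);
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable input is never a match
  }
  // Never hand credentials to a page loaded over plaintext HTTP. WHATWG URL
  // parsing has already converted any IDN hostname to punycode, so a Unicode
  // lookalike compares as a different ASCII string below.
  if (page.protocol !== "https:") return false;
  switch (rule) {
    case "exact":
      return stored.origin === page.origin;
    case "host":
      return stored.hostname === page.hostname;
    case "base": {
      const a = baseDomain(stored.hostname);
      const b = baseDomain(page.hostname);
      return a !== null && a === b;
    }
    default:
      return false; // unknown rule: fail closed
  }
}

// Constructed sample vault: each item carries its own match rule per URI.
// The TOTP seed is the well-known RFC sample value, not a real secret.
const SAMPLE_VAULT = [
  { name: "Example shop", totp: "JBSWY3DPEHPK3PXP",
    uris: [{ uri: "https://example.com/login", rule: "base" }] },
  { name: "Admin console", totp: null,
    uris: [{ uri: "https://admin.example.org", rule: "host" }] },
];

// Logins (and therefore TOTP secrets) the extension may offer on pageUrl.
function loginsToOffer(vault, pageUrl) {
  return vault.filter((item) =>
    item.uris.some((u) => uriMatches(u.uri, pageUrl, u.rule))
  );
}

function offeredNames(vault, pageUrl) {
  return loginsToOffer(vault, pageUrl).map((item) => item.name);
}

// Stand-alone demo: the lookalike hosts get nothing, the real one gets the login.
for (const url of [
  "https://login.example.com/auth",
  "https://example.com.evil.net/login",
  "https://examp1e.com/login",
  "http://example.com/login",
]) {
  console.log(url, "->", offeredNames(SAMPLE_VAULT, url));
}
```

An authenticator app has no notion of the page it is being used on, which is exactly the check this code performs before releasing the secret.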
The difference is that Bitwarden is a webapp, thus serves you code in real time. The server could serve bad JavaScript to a particular user. You have to trust the server.
Also, there is a chance of data breach. The 2FA and hardware keys are bypassed in this case. It’s all your master password.
>The 2FA and hardware keys are bypassed in this case. It’s all your master password.
Not sure I follow. When my master password is breached, attackers would still need to have my hardware key (which I obviously don't keep in the cloud), right?
In case of a password breach, yes, but the comment you are responding to refers to a data breach, where somehow the attacker dumps raw database data, which is still encrypted but only by your master password, afaik.
Assuming the cryptography is solid (big if), you primarily have to worry about end-device compromise or a supply chain attack. Is it the latter you're worried about?
This is a bit different. It's not a password manager app, it's more a standard for storing passwords encrypted with GPG in ~/.password-store and a reference CLI implementation. Several GUI clients exist to interact with the passwords, as well as tools to import from other password managers etc.
It sounds like a good idea, but I'm worried that a client could be at risk of a software supply chain attack - I don't think I will have the expertise to evaluate each new version.
Easy to use...for computer professionals. Try introducing pass to your family, even 1Password is not easy to set up for regular people. We have a long way to go before everyone is using password managers. The more realistic alternative is probably passkeys.
Note that pass by design leaks both the websites you have set up and the metadata of the history of each record. This might suit your threat model, or it might not.
That means I have access to your local machine if I can view your ~/.password-store directory. I might not be able to view or decrypt the contents of every entry, but I still have access to your machine.
I’ve been using Bitwarden more as a backup since it lags in more ways than one. With iOS 17 bringing password sharing, I may be able to rely on that and switch to KeePass (and its derivatives) as a cross platform backup where needed.
Products like 1Password and Dropbox first made a good consumer product before pivoting to enterprise and making the products worse. Even before the VC funding of $100 million, Bitwarden started pivoting to cater to enterprise features and neglected the consumer side. This has resulted in Bitwarden doing a minimum set of things in a very mediocre way.
Its desktop clients are based on Electron and suffer with the common issues related to that (don’t behave like native apps for keyboard shortcuts or navigation, sluggish, etc.). Its mobile app, at least on iOS, is also sluggish and has poor UX.
People have asked for additional predefined item types (like WiFi passwords, software licenses, etc.) and that’s been on the roadmap for more than five and a half years [1] with no timeframe for release in sight. It just recently changed the timeframe for this from the first half of 2023 back to “Under Research”. [2] In all likelihood, it’ll be six and a half to seven years by the time that’s done, if at all.
One positive about Bitwarden is that its free tier offers something that’s somewhat good (ProtonPass is nowhere close to this as of yet). But I don’t see anything in the password management market that’s cheap enough (like Bitwarden’s personal plan), has good features (including browser extensions) and stability, and is managed by courteous and helpful people (1Password fails on some of these).
We added a steering exception to our Netskope setup for 1Password. All the traffic going there is encrypted twice anyway, once by the app and again by TLS, so inspection doesn’t show you anything interesting.
Ironically, I tried to fill out that form, and I receive a 429 when trying to submit. I guess they aren't going to get a lot of requests to make this product a reality if they can't get feedback that folks want it.
I started with keepass, and switched to Bitwarden for personal use, and LastPass for work (before LastPass imploded). I now use 1password everywhere. I've got complaints, sure, but Bitwarden regularly fails at input field detection on mobile and web, regularly fails at login (particularly with biometric). If a tool can't reliably do its core functionality, it's not fit for purpose.
Unsure what it’s like on android but it never fails on iOS. I think both 1Password and bitwarden are great on iOS. My issue is with the chrome and Firefox plugins for 1Password. I never have issues with bitwarden but 1Password I often need to refresh after logging in.
1password started on iOS and for a long time it was Apple-only. I've not checked it in ages, and when I went on the homepage today I probably got confused by their copy in the Products menu, which says "Go passwordless today and start using passkeys with 1Password in the browser and 1Password for iOS". I guess it's some specific feature only available in those versions, but I read it as them still having only iOS and web. Even if that's not the case, having features limited to the Apple world shows that Android support continues to be an afterthought.
Their Android client has been maintained for over a decade, from what I can see. It’s not something even remotely recent as you’re implying. I’ve used the Android client and it works great.
Passkeys aren’t supported in 1Password on Android because Google has not released APIs to allow that. Not because Android support is an afterthought. Which you would know if you had researched this: https://blog.1password.com/save-use-passkeys-web-ios/
Your comments on this topic are woefully out of date and wrong.
Since nobody has mentioned: iOS 17 and macOS Sonoma bring family sharing to the password manager. Sonoma also brings support for using the native password manager in Chrome using a Chrome extension developed by Apple.
For families who are hooked into Apple's ecosystem, this can provide a much better password management than third party tools.
Note: This is sort of true but is highly misleading.
CSV export is only possible on a Mac (https://discussions.apple.com/thread/251108577). So, iPhone/iPad/PC users are pretty much out of luck. Additionally, I don’t believe passkeys are exportable at all.
Lack of actual functioning backup options is the primary reason I’m not using iCloud Keychain, so I would love to have these issues fixed.
I have been looking to move away from 1Password and did look into this. The thing that prevented me from doing so is that if someone got access to your Apple ID (through phishing or social engineering), it allows them to essentially take control of your entire online presence. Right now, I try to keep the single points of failure to a minimum (i.e. don't keep the Apple ID in the password manager). Is this a concern that's worth thinking about or am I just shifting the problem from one place to another?
For what it’s worth I was a longtime KeepassXC user. Switched to Bitwarden to have easier shared passwords between myself and partner/family however I’m now moving back to KeepassXC. I support Bitwarden fully however the app itself is just so badly designed. The UI is dreadful (both the website and desktop app) and I find it very frustrating to use. The whole layered concept of folders and inability to have tags is a nightmare when you have a large collection of passwords. The iOS app seems to quit unexpectedly after opening as well. I’m just very underwhelmed with what I was hoping would be a nice alternative to having to sync my Keepass database everywhere.
On the KeepassXC side of things I’ve had zero issues with the app itself (using it on Linux, OSX and Windows) and I use Strongbox on iOS which is one of the very few apps I’m happy to pay for to support the developer, it’s so much more polished than Bitwarden.
I did the same for years: KeepassXC + database being synced through Google Drive + keyfile stored only locally on each device (Linux personal laptop, Windows work laptop + Android personal phone) + safe strong password that was only in my head. The main reason I decided to switch to Bitwarden is because the Google Drive client I used on Linux (GVFS in Gnome) gave me a few good headaches. Basically, every time I made a modification to the database, it changed the name of the file, therefore, when opening the database later from another device, I had to be listing files by modification date to try to guess the most recent one and open it. Also, sometimes from Linux, I got errors from KeepassXC saying that the database was not writable, so I had to save it in a different location that wasn't the Google Drive FS and then move it manually to it. Perhaps not a big deal for some people but after years of this I just got tired of shenanigans on something I consider too critical.
The reasons for me for switching specifically to Bitwarden were:
- Price.
- Open source.
- Multiplatform client.
- Simple and straightforward to import stuff from KeepassXC.
- MFA.
- Possibility of self hosting. (Although I'm using the saas version for now)
As a long-time user of KeePassXC, I switched because of the difficulty of syncing databases. Basically, I used the sneakernet and a thumb drive whenever I thought I needed to for five or six devices - it became wearing. At first after the change I kept the critical accounts - banks, email, and the like - solely on KeePassXC. As I began to trust Bitwarden I began to slowly add those accounts, too.
Also, while I trust Bitwarden sync, I'm not quite as sure of the various apps that implement the KeePassXC on iOS. I'm still not aware that any have been audited, so to my mind Bitwarden is more secure.
Still, the possibility of a change of management philosophy at Bitwarden also wore on me, so not wishing to be solely dependent on an app that I might no longer trust, I continued to maintain my KeePassXC vault, duplicating any new Bitwarden entries. It's a simple way to backup Bitwarden, though a bit time-consuming.
Syncing KeePassXC is simpler now than before I migrated; sneakernet is no longer required, having been replaced by Signal and "Note to Self." It's still not as simple as Bitwarden's sync, so I'll maintain that unless I have a trust reason to change. FWIW
If you don't want to pay $10/year for Premium, you can still host Vaultwarden instead and get the features for free.
> self-hosting is deliberately difficult so you'll be using the cloud
[citation needed] in my opinion. Yes, the current self-hosting method is rather complex, but still not that difficult to set up. Just follow their guide.
They are even working on a new "unified" deployment method [1] where you can choose your own DB and all the Bitwarden containers are merged into one. The resulting docker-compose.yml looks as simple as any other service I self-host. Why would they do this if what you said were true?
From what I can see, the major feature would be that it stores the password database on their premises and then lets you access it through multiple devices.
Whereas in the case of KeepassXC, you have to have your own place where to store the password database and set it up on you different devices. So Bitwarden offers more convenience.
I also use KeePassXC and commit my DB to git. On PCs I just clone the repo and am ready to go. On mobile I download the DB via a web interface. No fancy automatic sync, but my DB doesn't change that often, so the manual effort is still small.
Same boat. I'm also curious how does device sync happen with bitwarden - from a cursory glance it seems to rely on their cloud. Can you manually manage the database file, like with keepass?
You can use their cloud, but if you're technical you can also self-host a server instance. In that case, it's usually recommended to stay away from the complicated official implementation and instead pick vaultwarden, like another commenter said.
If I create a new login on mobile it never syncs to the vault/desktop correctly. I have so many empty vault items that then sync back to mobile. Nothing seems to fix it.
I've been self-hosting it for years and I love it.
I mean, being an MSSQL + .NET app it's quite an exotic beast in my self-hosting garden, but it definitely does its job without skipping a beat.
I'm also happy to support them with a modest $10/month contribution - for that price you get a few extra perks on your instance, but most importantly for me you get to store OTP codes / support for MFA, so I don't have to use a separate app for that.
I feel like it's important to keep financially supporting projects like these, even if we host them ourselves, even if we only get one or two extra perks for the extra bucks.
External pressures towards enshittification are inversely proportional to profitability.
If a company can make money out of a business model where 80% is free to self-host and 20% is additional subscribe-only stuff, then things can remain like they are. If it doesn't, then we're all going to lose also the remaining 80%.
I don't agree with the self hosted Bitwarden philosophy.
Having a "server" to manage passwords is overkill for most people. The best is to use an encrypted keepass file stored on your cloud storage (Google drive, Dropbox etc).
It is portable and easy to access from anywhere ( don't need to VPN to your local network). Not a fan of the self hosted server password management model. Doesn't make any sense unless managing multiple users.
Don't get me wrong, I don't use a password manager either. Not a single one of them is truly portable, safe or secure. What if you lose all your electronics? All your belongings? Your house burns down in a fire? The cloud gets hacked? You have conflicting interests with US government and they kindly request your passwords from Apple? You have conflicting interests with any other country and they find and use the backdoors installed in US companies by US agencies?
I use an algorithmic password which is:
* Trivial to run in my head (I got used to it)
* Compliant with all silly password character requirements
* Has password rotation built in for apps/websites which require you to change your password every X months
* Has a shorter version for apps/websites which have a password length limit of 20 chars
* Has a third easier-to-spell version for passwords I need to share with family and friends
* Completely ASCII
* Impossible to tell with bare eyes it's the password for amazon.com from the resulting password. It looks like randomly generated gibberish.
* Leaves the Caps Lock off (so that you won't try again and fail again when you fail once and the Caps Lock is on)
I only have an algorithm in my head. The downsides? It's a bit slower to enter a password if I haven't entered it in a while. Still doesn't take more than 30 secs. And it can only be brute forced in a million years instead of a billion.
And yes, you need these features in your algorithmic password. It took me about a year of trial and error to get to this point.
No. Not without a proper examination by someone who knows historical cryptography techniques, those used before computers. I'd expect the only real threat to be an automated transformer AI solution actively looking for these types of algorithmic passwords, and one which already has access to a few of my passwords. Which is extremely unlikely given that no one uses algorithmic passwords. I was using a separate algorithm for more critical things, like my Google account but I deemed it unnecessary after some time because there is virtually no chance someone will crack it.
Though I should admit I still didn't migrate all my passwords to the latest and safest specification of the algorithm.
Only using digits limits the probability space drastically.
I won't come at you, for lack of time and expertise. I'm genuinely interested in that approach, but I'm probably too afraid to design an algorithm that would be vulnerable for reasons I couldn't imagine.
For digit-only, I meant platforms that force that requirement on you - my bank does.
Currently I use custom passwords which I write down in a single file for digit-only passwords. But while I was writing my top comment, an idea about converting letters in app/website name to digits and scrambling them came to me.
Take a look for the algorithms: https://www.google.com/search?q=historical+cryptography+tech... Choose one which you can run in your head, don't use it as-is, insert random chars at certain places, substitute some letters in the app name for others, make sure it looks like randomly generated, and you will be fine.
I still use 2FA with Authenticator (on iPhone), fallback set as SMS. Only thing I need is my government issued ID to get a new SIM card if the current one burns.
The difference is that the one password for the manager is kept in a location very difficult to attack, whereas various services are inevitably prone to be pwned.
Still, the algorithm method requires 3 services to be breached. Those services must be storing the passwords in plaintext or an otherwise retrievable method. The bad actor must put together the fact that your account is the same across all 3 services. Then they must analyze your password and reverse engineer your algorithm.
That seems a lot less likely than your master password getting nabbed.
The attack vector for a PW manager is a lot easier. They're obvious targets for both breaches and social hacks. One person looking over your shoulder at the coffee shop is as or more likely than anything else. They can even swipe your phone in that scenario to beat MFA.
I'm not advocating an algorithmic approach. The average person isn't going to understand this (heck, they don't understand PW managers either). And if they did, most algos would be something like ServiceName! anyway.
On the whole a password manager is a better solution, but it's not without its own trade offs, which don't get nearly enough discussion.
Is there a desktop client for Bitwarden that isn't Electron-based yet?
I tried this years ago and didn't like it. Not only because Electron, but I thought it was missing a lot of basic features (folders/organizing passwords was sorely lacking).
I'm not looking to try it again, to be clear, just curious. KeepassXC won my heart.
Depends on if you count a command line tool as a desktop client or not [0]. I personally just use the browser extension instead of the desktop client (the GUI one) since it was a bit slow and the extension is fine.
I’ve been a happy user of Pass (https://www.passwordstore.org/) for a few years now. Can’t see it being monetized any time soon, which is a Good Thing. So is its strict adherence to the Unix philosophy.
I really wanted to try switching to pass, but I use my password manager on my phone too much, and I dual-boot on my desktop besides. WSL solves the desktop issue, but I'm not sure what the best option is for syncing Linux, Windows, and an Android phone. Heck, I don't even know how `pass` stores the db so I don't know if it can be synced.
Do any companies use Bitwarden? Are they satisfied with it?
We tried using Keepass but people were resistant to using it. The UI is not very user-friendly for non-technical people.
Keepass also lacks some of the features we would like to have, for example: We would like to push a new user/password to a person's vault (for example let's say IT creates a printer account for a person, we would like to put the account information to the relevant person's vault), or we would like to share a common password among a group of people.
But I am not sure if Bitwarden is a good choice in practice for this kind of thing.
Oh, how much I enjoy those infinite discussions about password management software, looking from my pass¹ side. I cannot imagine migrating from pass anywhere, I have almost a thousand entries there (mine and my family’s plus some friends'). The funniest part is that those discussions will never cease to appear. And they are so much alike, again and again!
To anyone wondering whether I would recommend pass for family and non-techy friends: no, I wouldn’t. I just recommend them to use whatever is built into their smartphones (usually Apple’s or Google’s). Those integrated tools are plenty for their 15 entries. And I may back up the crucial ones to my pass vault, just in case of a smartphone loss or anything that may never happen, just to keep my peace of mind. That works for me and my close ones quite well.
I try to use open-source wherever I can, but Bitwarden's UX just can't compete with 1Password or even LastPass. The Firefox extension in particular is pretty wonky.
This is incredibly superficial, but I wish Bitwarden used the system font stack for its apps instead of forcing Open Sans on everyone. I found that it helped make Bitwarden slightly nicer to use for me and some others I provided a one-time fork of the Mac app to try.
If I could figure out how to sign and ship Mac and iOS apps, I'd ship a fork that continually pulled from upstream, with just the two `variables.scss` files patched.
I was about to try this out a while ago, but I installed Syncthing on my machines at around the same time. Keepass db + syncthing works astonishingly well, and the Android keepass client works great for me. I prefer the simplicity of this setup to yet another web service, especially if I'm going to self-host.
I wish our industry would adopt the custom that to pitch your product you need to compare yourself to the best competitor, or no one will even look at you.
There's only one thing I wanna hear from Bitwarden: What do you do that KeePassXC doesn't, and what are the trade-offs?
I want to like Bitwarden, but my 1-year subscription ended without notification. Then they disabled 2FA, a no-go. Now I use KeepassXC; better to have full control over sensitive data.
Am I stupid for feeling that Google Chrome and my iPhone keychain is all the password management I need? What am I missing out on with solutions like Bitwarden or 1Password?
My main concern is that the password is the only key that is needed to both log into the server and to decrypt the vault. There is no additional key that is completely offline, like 1password Secret Key (that is presumably stored in Keychain / Secure Enclave at rest). A password seems somewhat more easily stealable (with keyloggers or clipboard loggers etc).
I am not a security expert, but I know enough to be concerned :). I wish there was more discussion on the implications of this difference on security models.
2. Offline access.
Bitwarden does not like to work offline.
You can unlock and view the vault, but you cannot make any changes without an active connection to the internet! And Bitwarden will show you a very generic error ("failed to fetch") if you try editing while offline; it won't give you any suggestion on what to do.
Moreover, apparently they will delete the local copy of the vault if internet connection is missing for 30 days: https://www.reddit.com/r/Bitwarden/comments/vtaqi0/comment/i.... That's just nuts if true. I should not rely on the Cloud to have access to the vault as stored locally as long as I have the password.
While there is a general fear about trusting The Cloud as the source of truth for accessing the passwords, this caused very tangible practical issues. I have actually run into needing Bitwarden while on the go. Also the CloudFlare IP that Bitwarden uses was somehow blocked by my provider for some time, and that broke Bitwarden completely (both the provider and Bitwarden neglected to do anything about the problem when contacted).
3. UX.
You get used to it, but it's simply not great.
Worst of all, the UI of the browser extension is prone to data loss. The Bitwarden popup resets the state every time it is unfocused. So imagine the scenario:
* I start creating a new entry and generate a password.
* I briefly dismiss the Bitwarden popup to paste the password into the website.
* I open the Bitwarden popup again hoping to finish entering the data and save. But the entry is gone. I just need to hope that the generated password is still on the clipboard.
1password in contrast keeps full UI state and partially entered data even if the vault is locked in the interim.
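An added illustration of the two key models contrasted in point 1 above; this is not code from Bitwarden, 1Password or anyone in this thread, and the PBKDF2/HMAC construction and sample values are simplified stand-ins, not the real products' derivation:

```python
import hashlib
import hmac
import os

# Constructed sample values, not real credentials.
MASTER_PASSWORD = "correct horse battery staple"
EMAIL = "user@example.invalid"   # used as the KDF salt in this toy model
SECRET_KEY = os.urandom(32)      # stands in for an offline, device-held secret
ITERATIONS = 50_000              # kept low so the example runs quickly


def derive_keys_password_only(password: str, salt: str) -> tuple[bytes, bytes]:
    """Model 1: one master password yields both the vault encryption key and
    the credential sent to the server for login (domain-separated)."""
    vault_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, b"auth", 1)
    return vault_key, auth_hash


def derive_keys_with_secret(password: str, salt: str, secret: bytes) -> tuple[bytes, bytes]:
    """Model 2: an additional offline secret is mixed into the vault key, so the
    password alone (e.g. captured by a keylogger) is not enough to decrypt."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    vault_key = hmac.new(secret, pw_key, hashlib.sha256).digest()
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, b"auth", 1)
    return vault_key, auth_hash


def stolen_password_recovers_vault_key(use_secret_key: bool) -> bool:
    """Simulate an attacker who holds the master password but not the offline
    secret. Returns True if they end up with the genuine vault key."""
    if not use_secret_key:
        real, _ = derive_keys_password_only(MASTER_PASSWORD, EMAIL)
        guess, _ = derive_keys_password_only(MASTER_PASSWORD, EMAIL)
    else:
        real, _ = derive_keys_with_secret(MASTER_PASSWORD, EMAIL, SECRET_KEY)
        # The attacker never saw SECRET_KEY, so the best they can do is guess one.
        guess, _ = derive_keys_with_secret(MASTER_PASSWORD, EMAIL, os.urandom(32))
    return hmac.compare_digest(real, guess)


if __name__ == "__main__":
    print("password-only model, password stolen:", stolen_password_recovers_vault_key(False))
    print("password+secret model, password stolen:", stolen_password_recovers_vault_key(True))
```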
The fact that you can't access your passwords when offline really blew my mind.
Also that one time when they randomly blocked my IP and won't do anything about it, wtf?! From then on I've started occasionally exporting the JSON file and keeping it somewhere safe, just in case. Like... I'm the person behind this account, I own the email.. I don't even ask you for a password or whatever! I'm asking you to unblock my IP. This shouldn't take more than 5 minutes!
I also want BitWarden to succeed, but does it want itself to succeed?
Yeah, the extension data loss issue is especially bad, I save often to avoid it (it's also a bit weird to create a profile for a new site instead of saving entered data)
For anyone that's interested in self-hosting Bitwarden on your server, I would highly recommend checking out the Rust implementation, Vaultwarden. It takes less resources to run, doesn't paywall certain features (i.e. MFA logins), and (in my experience) has been a lot easier to work with compared to the official client.