MostlyStable 2 days ago [-]
While I'm not _happy_ about the messaging changes, those alone are not enough to do more than start paying closer attention. I highly, highly doubt that vault export would be the first meaningful feature change, and so I think there will be stronger signals of actual issues before then.
As I understand it, so far the only actual change is an announced increase in prices. Obviously, from the consumer perspective, cheaper is better, but this is a product where I think that a subscription plan makes sense (and the free tier, for now, still exists), and so I'm not going to get mad about price changes. Competitors exist, and if one doesn't think the new price is worth it, then switch to one of them (using the very-much-still-available vault export).
I don't think the warning is crazy or anything, but in my personal opinion it's a little stronger/earlier than is warranted and the current appropriate response is careful watching.
torben-friis 2 days ago [-]
The counterpoint would be that, if you feel like you need to carefully watch something that's supposed to take things off your mind, that's an issue.
ktm5j 2 days ago [-]
I hear you, but I feel like it's a better safe than sorry situation. Exporting your passwords takes two seconds. I think you can export to an encrypted file, but I just did a plain-text json file and gpg'd it. Can't hurt to play it safe.
throawayonthe 2 days ago [-]
if you have to do the 'encrypt single plaintext file' dance at least use age[0] in 2026
Well it did happen - and then unhappened when people noticed.
mort96 2 days ago [-]
There have been plenty of cases like this over time too. Company makes controversial change. Company rolls it back after outrage. Company slowly shifts over time until they've restored what's essentially the original controversial change.
When a company tells you their intention by announcing a change, it's often a good idea to listen. Even if their PR department does some good cleanup work in the aftermath.
IshKebab 2 days ago [-]
Yeah exactly. When a company announces some money making scheme and it gets backlash they don't think "oops that was a mistake we won't do that"; they think "oops that was a mistake - we'll have to do it in a way that gets less backlash".
Another recent example is GitHub charging for self-hosted CI. They backtracked, but they're still going to end up doing something. They kind of have to because of all the "get 10x cheaper actions runners by changing one line" people.
cortesoft 2 days ago [-]
So what does it matter?
If they are going to make it not free, they can just remove it right before they make it not free.
If it was somehow a binding promise, then it doesn’t matter if they remove it or not, the promise was already made.
If it isn’t a binding promise, then it doesn’t matter if they remove it or not, the promise was not binding anyway.
craigmart 2 days ago [-]
I had checked as soon as I found out about the news the other day and it was there. I just checked on wayback machine and you're right, it was removed for some time.
However, if they're willing to put back that claim immediately, I doubt that their intention was to drop the free plan anytime soon, but probably it was to incentivize people to use the paid plans. Enshittification must happen sooner or later after all, but fortunately vaultwarden exists and the export feature is highly unlikely to be removed immediately as the free plan disappears, so people could just switch to a third-party or self-hosted backend as soon as that happens.
esseph 2 days ago [-]
> Enshittification must happen sooner or later after all
There are a fair amount of multi-hundred year old companies out there.
lazide 2 days ago [-]
Any out there still doing what they originally were?
Meph504 2 days ago [-]
most of them seem to be falling into the "or later part"
ozlikethewizard 2 days ago [-]
Companies can enshittify without dying, ahem microslop. Bitwarden likely isn't large enough to survive though.
jjulius 2 days ago [-]
> Enshittification must happen sooner or later after all...
No it absolutely must not.
craigmart 2 days ago [-]
You're right, pardon my cynical remark. I'm just disillusioned by the promises of most tech companies
jjulius 2 days ago [-]
Pardon my tone, as well - the enshittification is exhausting.
halJordan 2 days ago [-]
I don't think it's an overreaction. It's pretty common to lock in users by removing or imposing a cost on exports. Having an export from today is a lot better than having nothing in 5 years when bitwarden disables exports.
Esophagus4 2 days ago [-]
> in 5 years when bitwarden disables exports
I think this is the overreaction - getting worked up about these sorts of risks in general isn't worth your time.
Otherwise you’d end up self-hosting everything strictly on OSS from maintainers you personally know and trust.
This is like someone saying, “don’t use AWS because they might raise prices some day”
lazide 2 days ago [-]
With the escalating abusive practices on display, going towards ‘self hosting everything strictly on OSS’ at least is exactly where this is all going.
Esophagus4 2 days ago [-]
This is like the tech version of being a prepper
PaulHoule 2 days ago [-]
I've had the argument so many times with eng managers about how this password manager or that password manager will get hacked or get enshittified and I've been right 100% of the time.
Meph504 2 days ago [-]
Can you name a single password vault that has removed the ability to export, I would say it is a bit of wild speculation to assume this would happen. Even more so as there seems to only be anecdotal and speculative evidence this would happen.
Between the lawsuits and the brand damage, there is likely very little upside for a company entertaining this idea.
daveguy 2 days ago [-]
I'm not seeing "Always free" on that page browsing from mobile. Also, it breaks my back button. Yeah... I'm going to need to switch.
mrkeen 2 days ago [-]
My last job was for a product which launched with a promise of a free tier forever, which they removed a year or two ago.
anonymousab 2 days ago [-]
It is not an overreaction at all to them replacing the principled leader who promised things with the vulture leader whose job and job history is primarily to enshittify things and sell them off.
wat10000 2 days ago [-]
How is it an incredible overreaction? It's not like switching password managers is particularly arduous or expensive.
KetoManx64 16 hours ago [-]
I need to:
- Replace the extension and login on all of my browsers on all my devices
- replace the desktop application/app on all my devices
- go through and rework all the scripts that I use to automatically pull passwords from Bitwarden using the API and hope that the replacement has a good API
Nah, I think I'll stick with and keep paying/supporting Bitwarden.
tfarias 2 days ago [-]
I've been recommending Bitwarden for a few years now and have also been paying a yearly sub since 2022, as I always thought $10 was a really good value.
But with all this stuff coming out, I'm holding off on recommending it anymore; at least until everything calms down and the new value proposition is fully laid out.
Like other folks have said, I don't think it's yet time to migrate. That being said, it doesn't hurt to do an encrypted export for backup purposes, start looking at alternatives, and reach out to people I know use Bitwarden to do the same.
Keeping an eye out on how this develops.
fnordian 1 days ago [-]
$10 was in a magical "don't even think about it" zone. When they increased the price I started thinking about it and switched to keepassxc.
solarkraft 2 days ago [-]
Agreed. I will continue using it as it currently fulfills my needs. But I’m not going to shout it at everybody I catch not using a password manager anymore. I’m just not willing to take responsibility for the changes they may make in the near future.
As an aside, since it seems like they’re trying to make money: The aforementioned enthusiasm has gotten it adopted at a workplace of mine. The experience hasn’t been good, so no recommendation here either.
Their moat was being a trusted name in FOSS and it’s a bit sad to see them going in the direction of abandoning it.
But somebody else will probably step up and build on the ruins, like vaultwarden already has. That’s the beauty of choosing FOSS in the first place.
scrollop 2 days ago [-]
You should try hosting it yourself in docker. Absurdly easy to do if you get an LLM to do it and it works very, very well.
Hope they don't alter self hosting it.
BrandoElFollito 2 days ago [-]
It is absurdly easy to fire off the docker container you mean.
Because you need to back up, verify backups, monitor availability, manage updates, manage MFA, and a zillion things.
Don't get me wrong, I have worked in hardcore, high-tech IT for 30 years and I self-host two dozen or so services. It is far, very far from "absurdly easy" when you start.
Sure you can run a container on your pc, and hope for the best
Esophagus4 2 days ago [-]
Exactly.
I’ve seen this idea so many times on HN. “Just stand up a docker container and self-host”. Or even worse: “why does anyone need GitHub - just host Bitbucket yourself”
Ok, then what?
mvdtnz 2 days ago [-]
This seems crazy to me. I have a home server and host lots of my own stuff. But a password manager is tier-0, it cannot fail me.
I need to access my accounts while I'm overseas - in fact I'm prompted for passwords far more often when I cross borders. I need my passwords at urgent moments like when I need to make a large bank transfer. I need passwords unexpectedly at all times when sessions expire or I need a new session for a device I've never logged in with.
If my home server went down for any reason at these critical moments it could be extremely bad. There are some kinds of outages I can't recover from without physically attending my server. And if I'm not very very careful there are some kinds of failures I cannot recover from at all - I have a working backup solution but so did every company that lost customer data before.
And this doesn't even touch on the security risk of hosting a database of credentials on a publicly available endpoint.
I need a trusted hosted solution.
arikrahman 2 days ago [-]
You can get rid of the element of hope by using KeepassXC and syncthing. Bonus is you can use this FOSS stack completely offline.
omnimus 2 days ago [-]
And not be able to use it on your phone or share it with people you work with.
Vaultwarden is the way. Easy to host docker. Solid. And if bitwarden blocks the clients there will be a fork.
It's leading to it anyway.
xstr305 2 days ago [-]
Syncthing works on Android just fine, though I'm not familiar with iOS. There are also several KeePass-compatible clients, some of which support sync via cloud storage. No need to host anything. But I admit, for corporate shared secrets storage it is not the right tool.
rirze 2 days ago [-]
I really hope the community gets together and creates a better browser extension. Vaultwarden + that would be perfect.
arikrahman 2 days ago [-]
KeepassDX works great on my phone. I use LocalSend to move around keyfiles fully offline as well.
yinksta 2 days ago [-]
You can use it on your phone what are you talking about?
arikrahman 2 days ago [-]
That's what I'm saying, a lot of people are coping with a product they admit will need a fork.
Not only is it incurring the cost of project fragmentation, but also incurring an always online cost with overly-complicated docker solutions, when a fully offline and airgapped solution already exists.
Furthermore, staying with the same ecosystem invokes the sunk cost fallacy. But the migration from Bitwarden couldn't be simpler (just export the Bitwarden json file). It's almost a form of battered woman syndrome people are inflicting on themselves when quite simply they can hop onto an already proven ecosystem that doesn't bait and switch.
omnimus 1 days ago [-]
I was on keepass before bitwarden. Bitwarden just solves more things for me. I am sure the keepass ecosystem has improved a lot over the years, but fundamentally I find vaultwarden docker to be far easier. Especially for my work and family members that I convinced to use bitwarden. If they were also in charge of the sync it wouldn't be possible.
Afaik vaultwarden and bitwarden clients are as proven as keepass.
arikrahman 15 hours ago [-]
Proven to bait and switch as it turns out much unlike keepass.
ndsipa_pomu 1 days ago [-]
I self-host Vaultwarden and it's great, but I'm not so sure that we can rely on trustworthy forks of the phone app and browser extensions.
horsawlarway 2 days ago [-]
If you're going to the trouble of self-hosting, I'd suggest just running vaultwarden.
It's entirely compatible with the clients. It also removes a lot of "rug-pull" potential, and gives you the ability to access all the nice features (ex - multi-org, multi-user, shared vaults, totp, etc...)
Honestly - part of the reason I like Bitwarden is that if they ever go full "enshittification", it's going to be relatively easy and straight-forward to just move entirely off their projects and onto open-source forks.
prism56 2 days ago [-]
Can't tell if this is satire. But I'm not self hosting my passwords unless I fully understand exactly what's happening. Trusting that to an LLM without really understanding what's happening seems very risky to me.
9x39 2 days ago [-]
Serious question - how come free is a requirement for a password manager? Everyone's gotta eat, including the maintainers of password managers.
Tech has generous TC, lots of high-end laptops and phones worth thousands, AI & cloud spend, and yet the only acceptable price for secrets management is $0 it seems at times.
culi 2 days ago [-]
They promised an "always free" option. People committed to the service based on that.
Many companies offer a free tier and a paid tier and are willing to incur the cost of users who will never convert. If a company doesn't actually intend to keep it "always free" they shouldn't make the promise in the first place
gregoriol 2 days ago [-]
I think a company has to be able to change its commitment, but should not screw users at the same time. For example, if they want to remove the free plan, why not? Strategy can change with context, the world is moving around the company, so remove it for new users, not existing ones, and it's all good.
culi 2 days ago [-]
Maybe that's fair but that's not what's happening here.
hnarn 2 days ago [-]
It’s about the backpedaling. No one says it has to be free, they said that. They just have to keep their promise.
RHSeeger 2 days ago [-]
And, honestly, if they came out with a statement that said (effectively), "Look, we're losing money here... we just _can't_ support free going forward. Here's our plan" that would be understandable. Sometimes you have a plan/goal, and you realize later that you were wrong and things need to change. But that's not what they did.
hnarn 2 days ago [-]
I disagree, there is always a way to keep it free, if you care about keeping your promises. Especially in this case where the service is essentially locally encrypted json blob storage. There’s already plenty of premium functionality not included. If you have runaway costs due to abuse, just make up new limits to solve it.
fontain 2 days ago [-]
Passwords are critical, losing them because you forget to pay or run out of money would be a disaster. I suspect they would still provide access in read only mode to non-paying users so it wouldn’t be a disaster if they didn’t offer a free version but I think it’s pretty easy to see why someone thinks it should always have a free offering.
eviks 2 days ago [-]
That's what the backups are for, and also local password copies remain even without internet/subscription?
donmcronald 2 days ago [-]
It doesn’t have to be free, but it can’t be set up so they can take it away from me. I self-host Vaultwarden to get that right now. Even if they break client compatibility, I still have the web vault with access to my passwords.
As soon as a company positions themselves to hold your data hostage, assume they will. I have no problem paying, but I’m not going to pay anyone trying to trap me. That’s the goal of most of these tech companies now.
My opinion and stubbornness doesn’t matter though. Identity control is getting lobbied into government legislation everywhere. Everyone’s going to pay no matter what, probably twice; once directly, once via taxes.
AlexandrB 2 days ago [-]
For me it's not that it has to be free, but that it can't be a subscription service or cloud-hosted-only. It's why I left 1Password. I don't like trusting my password management to the whims of mercurial business decisions. It's only a matter of time until private equity smells blood in the water with this product category and starts "extracting value" through acquisitions and arbitrary price increases.
Esophagus4 2 days ago [-]
> It's only a matter of time until private equity smells blood in the water with this product category and starts "extracting value" through acquisitions and arbitrary price increases.
My advice would be… If that happens, you can worry about it then.
It seems you could lose a lot of time and sleep protecting yourself against a doomsday scenario that will probably never happen.
nekzn 2 days ago [-]
If I had to pay for everything I use.
sph 2 days ago [-]
I pay for my email and the vault that contains all my passwords. Be smart with your money, not stingy. $10 (is it still? No idea) a year is an absolute nonfactor for most of the world.
cocoa19 2 days ago [-]
I’ve been a paying user for years, but the free tier change announcement is a sign of the enshittification to come.
It means the old guard is moving away and potentially starting initiatives not in the best interest of the user. In the worst case scenario they will sell my data or introduce stupid changes that risk security.
It's a shell script that stores passwords in a git repository, containing one file per entry. The files are encrypted using a GPG key. Because it's just a git repository, you can synchronise it between devices using whatever infrastructure you want. I use a FOSS client for it on iOS, and there was one for Android before I got an iPhone.
n0ot 2 days ago [-]
I tried using pass once. I like that it follows the Unix philosophy, and I want to like it, but the fact that all of your account names are visible in the clear is a deal breaker for me.
ab71e5 2 days ago [-]
I'm interested in this, what do you use to host the git repo? Just a private repo on something like github or your own server? How do you backup your private key?
wfleming 2 days ago [-]
I also use pass. Any forge you feel like is fine (I use gitlab). I back up my gpg key with `gpg --export-ownertrust` and store that backup elsewhere.
Pass has a pretty good ecosystem of plugins/other clients, as well. There are open source iOS/Android clients and browser extensions so once you’re setup the day-to-day experience is not far off from any of the popular hosted password managers.
My only real issue is the dependency on gpg, as it's pretty long in the tooth and a hassle to operate. (If you are not comfortable using gpg, spend some time learning that before you go all-in on pass!) There's a fork[1] which swaps gpg for age, but it hasn't attracted enough attention to get a similar ecosystem of mobile clients/browser extensions, so it's not a very practical choice IMHO.
It's next-to-impossible to implement pass on every device everywhere and have all the same features on each client without reimplementing all of GnuPG. It pushes a lot on to GnuPG.
God help you if you want to use the PGP applet on a Yubikey or smartcard. The pieces all exist, but wiring them all up in a mobile app is hard and the result is janky.
eikenberry 2 days ago [-]
I don't think Age will catch on as a replacement until it has a gpg-agent equivalent to facilitate access.
cjs_ac 2 days ago [-]
I run Gitea on my own server. (I didn't switch to Forgejo because it's not in the Debian repositories.) I don't have a backup of my private key... I should do that.
marssaxman 2 days ago [-]
Thanks for the pointer. I use a similar system, but hadn't thought to put the password directory into a git repo.
Depraved4482 2 days ago [-]
+1 for pass! I use this on my VPS to store secrets. I love that it syncs with Git. Good stuff
jmcphers 2 days ago [-]
I have used this for almost 10 years now. It's pretty barebones but it seems like the usable lifetime of commercial password managers is 4-5 years before they get enshittified, bought, discontinued, price-jacked, or otherwise made unsuitable for use. "pass" just keeps working.
Someone1234 2 days ago [-]
I think the caution around Bitwarden is justified; and I think it is good that the message is getting out there. I will say "while you still can" is hyperbole, and will do more to distract from the larger (correct) point about Private Equity.
Terr_ 2 days ago [-]
So I have an admission here: I keep seeing HN stuff about these networked password managers and I don't quite understand the appeal.
Is it because everybody else is swapping between several different computers, and you need the synchronization?
I just have everything in KeepassXC, and the ciphertext is subject to the same kind of backup regime I use for other files, [edit: and also additionally] a copy kept on a USB stick in my pocket.
kqp 2 days ago [-]
It’s phones, mainly. People do also have multiple other devices, yes. For me another big pro is having a realtime offsite backup and being able to survive simultaneous loss of all my devices, which is plausible in correlated scenarios like a burglary, fire, mugging, car crash, etc, but I don’t know how much others think of that one.
The people I know who use KeePass live like they’re disabled. You ask them to sign up for something and they need to schedule a half hour for it two weeks out. Ask them to use a website and they need to wait until they’re home because their biweekly manual data transfer was put off because of whatever. And if they ever drop their phone, it’s this totally unforeseeable panic they’re still recovering from two months later. I’m far from convinced it must be like this, but I’m also far from convinced that most KeePass people—or people using any other strategy—have really thought this through.
NoGravitas 2 days ago [-]
Weird. I keep my KeePass database on NextCloud, and the only difference between home and phone is that on a bad network I may need a few seconds for KeePassDX on the phone to decide to use its cached copy of the database rather than the latest one. It would probably be even smoother if I used Syncthing. I assume non-technical people ought at least be able to put their KeePass files on DropBox?
Esophagus4 2 days ago [-]
> I assume non-technical people ought at least be able to put their KeePass files on DropBox?
Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.
Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.
Ukv 2 days ago [-]
> > I assume non-technical people ought at least be able to put their KeePass files on DropBox?
> Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.
Google Drive/iCloud/OneDrive/Dropbox are already used by non-technical users - moreso than SaaS password managers.
> Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.
What do you do for when you want to access some other type of file across devices, like notes or photos? If you have notes.txt on an FTP server, just put passwords.kdbx alongside it. If you're subscribing to some new service for each individual filetype you want to sync, with nothing for arbitrary files, that seems like considerably more hassle overall to me.
Esophagus4 2 days ago [-]
For other types of files, I have different apps: Obsidian Vaults with Syncthing, but that’s not accessible from the internet. And I like having my passwords across all my devices, updating anywhere I am.
And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.
Ukv 2 days ago [-]
> For other types of files, I have different apps
How many separate services do you have for accessing files across devices, and what do you do for filetypes outside of what they cover?
> And I like having my passwords across all my devices, updating anywhere I am.
That's how it works for me with a passwords.kdbx file on my FTP server (but any cloud storage works). Same for any filetype.
> And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.
What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).
You don't need to host anything for KeePass - just plop the file next to your notes/etc.
Headache seems greater overall if you're juggling a large number of subscriptions, particularly when they start ramping up payment or moving features you rely on to higher tiers.
Esophagus4 2 days ago [-]
> What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).
Talk to your local security engineer :)
On a venting note, this mentality is a frustration I have with SV, because I see it a lot. They don’t know what they don’t know, and think they can just stand up businesses without understanding the domain.
Ukv 2 days ago [-]
> Talk to your local security engineer :)
You made the claim - I'm interested to hear why you believe it, because I suspect it's based on a misunderstanding of how KeePass works.
> and think they can just stand up businesses without understanding the domain
Using KeePass is not analogous to standing up a business.
Esophagus4 2 days ago [-]
Ok - I made the assumption that your (s)FTP was publicly available over the internet. (It’s safer if not, but then you don’t get the benefits of syncing from anywhere that I get.)
If your FTP is open to the internet, you are now responsible for alerting / monitoring, IPS/IDS, proper config management, routine automated patching, IP allow/blocklisting… all of these things require regular maintenance. Even if you stick it behind a VPN, you will need to patch, alert on, and configure the VPN and everything behind it as well, as VPNs can be compromised.
That’s why, unless I really wanted to spend time hardening the spit out of it, there’s no way I’m self hosting my passwords. I’m happy to just pay a password manager to handle all of that.
Ukv 2 days ago [-]
> you are now responsible for [...] there’s no way I’m self hosting my passwords
You don't need to host anything new or take on any patching responsibilities for anything you weren't before. I already had an FTP server, so put it on there. Wherever you already access arbitrary files across devices (you didn't answer what you do for files outside of your filetype-specific subscriptions, but I'd assume you just have iCloud or something) should work fine.
Not that there are zero reasons to use a SaaS password manager, just that I disagree Keepass is somehow insecure or prohibitively technical for regular users. The solution a lot of people already seem to gravitate towards (if not just password reuse) is "passwords.txt on Google Drive".
microtonal 2 days ago [-]
Multiple devices and family sharing. My wife and I share several accounts, so it's really nice that we can move them between private and shared vaults on 1Password.
vablings 2 days ago [-]
I swap between my phone and my computer. Sometimes I need to get an account password on a workstation, and I can just login online rather than typing several lengthy generated passwords.
Most of the workstations I use completely block USB storage devices (but not fido2 keys!)
What would be super nice is to have USB wedge that I can just send my passwords from my phone to any computer like this https://www.inputstick.com/ (Expensive, sold out and also doesn't ship to the USA)
mystifyingpoi 2 days ago [-]
> I just have everything in KeepassXC
Me too, but I rarely add/edit anything in .kdbx file, it rarely changes. So I just keep a copy on my phone and use KeePassDroid to open it sometimes.
If you change/edit your passwords all the time, and you like autofill and I assume other features, networked solutions are much better.
cortesoft 2 days ago [-]
Who doesn’t like autofill? It makes everything SO MUCH easier.
And it isn’t about changing/editing passwords all the time, it is about all the new passwords that are constantly being added.
parliament32 2 days ago [-]
My KeePassXC database auto-syncs to my Nextcloud instance. Nextcloud client on PCs, Keepass2Android on my phone, and it's the same end result as Bitwarden but without the shenanigans.
webstrand 2 days ago [-]
Do you have a solution for auto-merging conflicting changes? Because I think that's the real difference, editing on a laptop and on a desktop before the sync can occur, can cause data-loss (for my potentially naive use of keepassxc anyway).
parliament32 2 days ago [-]
I've never seen this happen, because (as far as I can tell) all KeePassXC clients auto-save the file any time a change is made, and all the Nextcloud clients auto-sync as soon as the file changes. Keepass is also resilient to the underlying file changing while you have, say, the edit password dialog open.
If a conflict did happen though, newer versions of Nextcloud just keep both copies and alert you to resolve it. If I had to resolve this I'd probably try the built-in database merger first: https://keepassxc.org/docs/KeePassXC_UserGuide#_merging_data...
lexlambda 2 days ago [-]
I second what the other commenters have said.
There are several factors at play making conflicts almost impossible:
- A central device can be immediately synced to. For Nextcloud, it could be a server, for direct synchronization that I use (Syncthing), my phone (almost always online) is the intermediate device for all.
- You are usually online when creating accounts/passwords, so a sync can happen directly after a change
- And finally: How often do you actually _create_ accounts rather than just read the database? And how often do you do it on two devices in quick succession?
NoGravitas 2 days ago [-]
Merge conflicts on NextCloud are terrible, but for a KeePass file, I don't think this comes up very much. My laptop syncs from Nextcloud whenever it's online, and my phone syncs whenever it opens or modifies the file. Nobody else is using my laptop or phone, and certainly not my keepass vault. I would probably have to go out of my way to use both my laptop and my phone offline and add/change passwords during that time in order to get a merge conflict.
yinksta 2 days ago [-]
How do you get data loss? KeePassXC/DX saves a conflict copy and warns you. Anytime I've seen the warning over ~10 years it's been a non-issue. Like I add an entry on PC, walk away from the 'save db' prompt for a day and then update something on my phone so I have 1 new account on both. I see the warning and so I have to hit one button to do the basic merge or whatever and it's done.
What are you guys doing to get real issues?
9x39 2 days ago [-]
Having a password manager synced to phone, desktop, laptop, browsers is handy. I used Keepass 10 years ago but I prefer integrated experiences now, particularly since I often pull them up on mobile.
Also consider teams or multiple teams across an org sharing secrets. Flat files are a tough sell, so these apps eliminate almost all the hassle. We pay for a lot of 1Password accounts, and I couldn’t imagine rolling our own solution.
markdown 2 days ago [-]
The Apple Passwords app does all this just fine. The only thing it's missing is secure notes to store my 2FA recovery codes in.
benhurmarcel 2 days ago [-]
Can it store multiple urls for the same password now?
cortesoft 2 days ago [-]
That works if all your devices are Apple devices.
markdown 2 days ago [-]
Yes
cortesoft 2 days ago [-]
I use vaultwarden hosted on my own server.
I use it to sync between my phone, tablet, laptop, and two desktops.
I want to be able to add a login from any of those, and have it be updated on all of them.
I might have more machines than most, but everyone has at least a computer and a phone, seems reasonable to want to link those two.
teach 2 days ago [-]
In my case it's exactly that. I have a Linux gaming workstation, a work-issued (and managed) MacOS laptop and a Google-branded (Pixel) Android phone.
Bitwarden just works in all those places and the tech was, by all accounts, rock solid. AND I can pay for it instead of trying to leech off some privacy-ambiguous free tier.
culi 2 days ago [-]
USB stick in your pocket sounds nice but what happens when you drop your keys and it cracks or you get caught in a rain storm and it gets soaked?
dpoloncsak 2 days ago [-]
Then the copies that exist on the USB are fried but the originals that live at home on your desktop/laptop are fine?
Terr_ 2 days ago [-]
Someone else made a similar comment, so I clarified the phrasing of my original post. The main backup of allll my decades of digital junk is independent and happens elsewhere.
Even if I had a USB-stick of magical capacity and reliability, I wouldn't want to have to remember to connect and disconnect it constantly.
pavon 2 days ago [-]
Syncing is a huge part, UX is another. I was using KeePass on my desktop for several years before I met my wife, and having her use it was a complete failure. She did not like the workflow. Having to open another tool, log in, search for the correct site, and copy/paste the password was too much friction. And that was when things worked.
Syncing was an utter disaster. Inevitably something would cause syncs to be delayed, and then there would be a conflict and one of our changes would be silently lost. We were constantly going to look up a password we entered, and finding it was not there anymore, at which point I would have to dig through sync conflict backup files and manually reenter the passwords that were lost, or go through the password reset flow for the sites. It was a giant mess, and that was just with two desktops and a laptop. I was using btsync at the time but all the issues I encountered apply to any file-based synchronization, like syncthing, nextcloud or dropbox. Performing whole database file synchronization is simply not the right approach for a password safe.
I eventually switched over to self-hosted BitWarden with the browser plugin and it has been much smoother.
smw 2 days ago [-]
USB sticks are infamously unreliable, not a great backup plan
Terr_ 2 days ago [-]
I realize the wording in my comment was a little ambiguous, but don't worry, that's in addition to my files in general. (Restic, Backblaze B2, memorized passwords/keys, regular integrity checks of remote data.)
After all, even with godlike storage-media on my keychain, it would still be susceptible to a mugger or falling down a deep hole. Until that happens, it provides redundancy and convenience, provided I can bring it to a trustworthy computer.
marcosdumay 2 days ago [-]
I used to use syncthing to solve that problem, until the developer dropped the distribution because of Google's anti-social behavior.
But the interface of every software on a phone is so atrocious that I have never actually seen any benefit from having a password manager there that I could copy stuff from. So now I just don't have it, and haven't seen any loss yet.
That said, I store way more low-value passwords on the Firefox manager (that is synchronized) than high-value ones on the offline manager.
Angostura 2 days ago [-]
Is it because everybody else is swapping between several different computers, and you need the synchronization?
.. and phones, and tablets. Yes
eviks 2 days ago [-]
> everybody else is swapping between several different computers, and you need the synchronization?
So you do understand it!
blablabla123 2 days ago [-]
The last months didn't make Bitwarden look very good. On the other hand, what about the competition? Sure there's KeePassXC but that's essentially local. Bitwarden even has Send to quickly share with anyone.
I might self-host something at some point. But even choosing something seems a menial task, not to speak of actually setting it up...
aryan14 2 days ago [-]
You can host your keepass db file anywhere you like, whether that’s google drive or on a hard drive.
Bitwarden/Vaultwarden had a good run but if someone's going to self-host Vaultwarden, I would encourage people to look into AliasVault instead. It's a complete opensource ecosystem.
Humorist2290 2 days ago [-]
I'm taking a "wait and see" approach with Bitwarden. I've been a paying customer for a while, happy with it, and hoping the leadership changes won't be too user hostile. Still, a major reason I chose Bitwarden to begin with is they have a decent "Export" button, and all of this news reminded me that my offline backup of the vault was a few months old. Regardless of their product roadmap, they could have an incident tomorrow that keeps users away from their passwords -- offline backups are a good idea.
And Vaultwarden is nice. I've used it at work, hosted it myself, and as a user of the password manager I can say it's basically indistinguishable. But I don't really pay Bitwarden for a password manager -- I pay them for a secure sync of a password manager I can share with family members who can't figure out a VPN.
bitlevel 2 days ago [-]
I have been paying for Bitwarden (BW) premium since 2019 and earlier this year decided to move away from BW due to the password filling becoming somewhat hit-and-miss (even on a fresh install), along with taking its time to do so.
Had previously used Enpass in the past and was pleased to see how much it had improved since then. Also allows me several choices when it comes to where I store my vaults. And fills passwords quickly and efficiently in comparison to BW.
So I've migrated fully to Enpass - clients everywhere, browser plugins available, and it just works.
With this news, it now looks as though my migration was somewhat prescient.
I also use KeePassXC as a backup on USB should it ever be needed.
bitlevel 2 days ago [-]
Just to add - in my experience, exporting from Bitwarden loses a bunch of things - attachments, passkeys and a few obtuse items.
This isn't good - particularly as passkeys are effectively just certs - migrators should be aware of those caveats.
donmcronald 2 days ago [-]
> I'm taking a "wait and see" approach with Bitwarden.
I won’t. The optics look bad and that alone is enough to show the leadership is either hostile to users or too inept to understand why their recent actions signal a change away from what people value in their product. If they don’t understand or care about the same things as the community / customers, there’s no reason to think they’ll make choices that continue to be a good value proposition for their customers.
The only thing that’s going to stop tech companies from pulling this crap is if a hint of private money coming in to ruin everything ends up ruining things before everyone gets to cash in. Basically, a mass exodus and bankruptcy would be the only outcome that makes the next company think twice about using the enshittification playbook.
We need some companies built around fair value instead of extortion and they need to be run like Steam. Steam has an unbreakable hold on gaming because they’ve never screwed their users.
stormed 2 days ago [-]
I only use Vaultwarden, which to my understanding is an open source reimplementation of Bitwarden's API. I personally haven't had any issues with it, not sure if it'll eventually stop being compatible with Bitwarden's official applications however.
arikrahman 2 days ago [-]
Just switched to KeePassXC and syncthing. Transferring keyfiles over LocalSend. This has been a great local FOSS way to keep autonomy over secrets, without even needing internet.
fpauser 2 days ago [-]
That's why I use vaultwarden. I also like the fact that vaultwarden is written in rust and does not consume a lot of resources, which is great for selfhosting.
TN1ck 2 days ago [-]
I switched to Apple Passwords this week. Really good passkey support, 2FA support, best iOS integration. You can even share passwords with others. Sadly no first party cli support. If you only use Apple devices, it’s really solid.
fidotron 2 days ago [-]
Surely they have their reasons, but if they made Linux support work I suspect a lot of the dev community would jump. This household certainly would.
chuckadams 2 days ago [-]
I only use Apple devices myself normally, but if I'm stranded out in the middle of nowhere and have to borrow someone's Android phone or Windows box in order to connect to important stuff like my bank, I'd really rather not be out of luck. Same reason I don't self-host my vault.
markdown 2 days ago [-]
The only thing it's missing for me is secure notes for me to store my 2FA recovery codes in. So I mainly use Apple Passwords now, but still keep Bitwarden going for secure notes.
WolfeReader 2 days ago [-]
"If you only use Apple devices, it’s really solid."
It's not a good idea to become dependent on a single corporation's products.
You can leave via Strongbox (a KeePassXC client), which supports the new export system that includes Passkeys.
randyrand 2 days ago [-]
Same here! Switched over for the passkey support.
cjwoodall 2 days ago [-]
I wish companies that offer such a core technology and what not were at times entered into a public trust, similar to how some public lands are managed, that would protect them from private equity takeovers; I know it defeats the purpose of the companies in the first place (making money), and it probably would backfire in myriad worse ways than the problems it might solve... But I do think there are many options for how products, services and what not can be structured that give the people who maintain them what they need to thrive; without mining the users for money.
Overly idealistic thinking, maybe... but still thinking.
throwaway85825 2 days ago [-]
Public management exists for natural monopolies where no market competition is feasible. The role of the public entities is to protect competition. In this case that would be mandating import/export interoperability.
jrm4 2 days ago [-]
Third-party password management as an isolated paid service (i.e. you don't get password management unless you pay specifically for the password management) is just a terribly bad idea all around.
Waiting for people to get this.
e40 2 days ago [-]
A bad idea for you. My non-technical family members can barely use 1Password and it is the easiest of the lot. The idea you promote is just not realistic.
donmcronald 2 days ago [-]
Losing control and ownership of technology isn’t a prerequisite for ease of use. That’s just the narrative big tech has been selling for 20 years.
e40 1 day ago [-]
I didn't say it was. I'm saying that is the current state.
baal80spam 2 days ago [-]
Not really. That something is convenient doesn't mean that it's a good idea. It's always a matter of convenience vs security.
9x39 2 days ago [-]
The inverse also doesn’t mean convenience is a bad idea, just happens 1Password has a strong security model and is convenient.
I end up helping a lot of older people for a variety of reasons with tech - 60s to 90s, family, neighbors, coworkers.
They’re not invalids and have a right to participate in the digital world, even if security requirements have exploded.
Anchoring the trust in stuff like 1Password where we set up domains, their account info, their OTP codes means they get to go to their bookmarked site, FaceID to unlock the PW manager, get automatically logged in, and do what they need.
Being able to let them navigate this world without always having to hand over the paper secrets notebook to random helpers, or lose sheets of paper with passwords, or get caught up in tracking down an SMS code is better for them. Their password manager with the autofill helps somewhat deter phishing links since relying on autofill usually signals something is off, and they call someone they trust.
My point, I guess, was that convenience is basic access for some subset of vulnerable groups of people.
tensor 2 days ago [-]
When people had to rotate passwords every month and choose a new one according to insane complex rules and dictionary tests, well, that was not convenient. You would probably say it's good.
Reality: people started writing their passwords on sticky notes by their computer. Possibly the worst outcome.
Convenience is part of good security.
jrm4 2 days ago [-]
Why the worst outcome, though? "Sticky notes" are absolutely superior to third-party password managers in regard to "attackers."
Third-party password managers INCREASE your threat surface by orders of magnitude more than sticky notes, period. They change the number of holders of secrets from two to three, and that third one is now a juicy target. This is not theory, this has happened frequently.
Sticky notes (even better, a little private physical notebook) keep this limited to your physical location which is much easier to secure; the grandmas and grandpas I know who do this (I do similar) have a far better track record than anything else.
sandeepkd 2 days ago [-]
It's a catch-22, with password requirements getting crazy it's hard to remember them. At the same time storing the passwords with a password manager means you are entrusting them with your identity. For the first-party sites the passwords are hashed, however for these password manager sites they are at most encrypted with encryption keys that the third party already has. This essentially means a rogue password manager or rogue individual in the password manager service can run away with your plaintext passwords at scale.
starkparker 2 days ago [-]
This frames the only options as mediocre and better, when the reality is likely the third, most common, and worst option: nothing.
gaws 1 day ago [-]
The great thing about Bitwarden is its ability to sync passwords between multiple devices seamlessly. KeePassXC is the next move here, and I'd like to know how people made syncing work, especially for iPhone users.
Clients are OSS, I wonder why nobody did a Vaultwarden-style fork of them yet that would watch over upstream changes.
subhobroto 2 days ago [-]
Vaultwarden is a very lean implementation of Bitwarden but if you want to look into an alternative to the Bitwarden ecosystem, I recommend - AliasVault https://github.com/aliasvault/aliasvault - check it out!
jerf 2 days ago [-]
Until Bitwarden screws up it's going to be difficult for any fork to get much attention. If they do, that will be the moment to launch a fork.
It's Bitwarden's game to lose. Forking is easy enough that there's no great need to pre-emptively fork.
cortesoft 2 days ago [-]
Probably because there is no need to fork until you have to. Why do it prematurely and have to keep it up to date when you can just do it when it is needed?
PaulHoule 2 days ago [-]
Sometimes I think when a startup announces that they are being acquired their competitors have a meeting that morning and announce that they're going to start dialing for dollars. Since acquisitions almost always hurt customers I wonder if we can start creating "poison pills" that deter them.
oliculipolicula 2 days ago [-]
A successful sequel or reboot is its own poison pill
Honestly after years of resistance I've finally partially embraced Apple's solution and have to admit it works great. I love that Hide My Email is integrated into it so well too
Vaultwarden looks neat:
> Lightweight, self-hosted server written in Rust, fully compatible with Bitwarden clients, implements the Bitwarden server API, supports organizations, attachments, web interface, website icon API, YubiKey, Duo, and multiple two-factor authentication options.
skarz 2 days ago [-]
ProtonPass
parliament32 2 days ago [-]
KeePassXC has always been the one true path.
culi 2 days ago [-]
What is the option for people who want access to their passwords on their phones and don't wanna set up a complex or fragile sync regime
(I do use KeePassXC btw. I just think this is what GP's real question was)
parliament32 2 days ago [-]
Ultimately, you have to store the file somewhere and sync it to all the places you want it. The magic here is that it decouples the "password manager" and the "file syncer" so you can (and should) use whatever you're already using. Greenfield, Nextcloud is the cleanest if you want FOSS and self-hosting (and they have clients for basically every platform under the sun), otherwise pick your poison between google drive, dropbox, icloud, onedrive, etc.
undeveloper 2 days ago [-]
vaultwarden (self hosted)
ranger207 2 days ago [-]
My company just finished switching from LastPass to Bitwarden. Just in time for that to become terrible too it looks like lol
culi 2 days ago [-]
My old company switched through 4 different managers in the span of 3 months. They switched to LastPass just before all the seemingly endless breaches started. I think they were willing to weather it at first but things just got worse and worse. I think they also ended up with Bitwarden
abfan1127 2 days ago [-]
I've been using LastPass for years. I really like it. Why did you switch away?
nacs 2 days ago [-]
Lastpass has had multiple large breaches, especially after LogMeIn bought them out
nullbyte 2 days ago [-]
Since Bitwarden is open source, can't somebody create a community-driven fork? Maybe a self hosted option?
vim has an encryption feature (:help encryption). With some AutoCommands, keeping your own encrypted password list becomes painless. On other platforms (phone), enter your 12 or so passwords once and let them store them.
SilverElfin 2 days ago [-]
All these companies are being bought by PE right? So what's a safe vendor to use?
colordrops 2 days ago [-]
I knew when I started hearing ads for BitWarden on NPR that the good times were over.
sys32768 2 days ago [-]
We were just about to go to BitWarden from KeePass.
VLM 2 days ago [-]
"This way your passwords are truly yours"
They were never yours, and zillions of people you don't know have access to them.
HeartStrings 2 days ago [-]
KeepassXC
pattilupone 2 days ago [-]
WOW. Quietly editing the 4-year-old blog post is super slimy, holy crap. Also seems like since this story was published, they edited the 4-year-old blog post again. The story points out
>But the explanatory paragraph at the bottom of the same post still says the old ones: Inclusion and Transparency. Crandell’s name is still on it. The post now contradicts itself, and nobody wrote a new one.
Looking at the post right now, they've corrected it to Innovation and Trust.
chuckadams 2 days ago [-]
Nothing says Trust like quietly and retroactively editing old blog posts. We have always been at war with EastAsia.
AdmiralAsshat 2 days ago [-]
The original creator of Bitwarden still works there as a CTO. I am curious whether he has any failsafes/poison pills in his contract when he took VC money that allows him to fork the product and start over in the event that they decide they want to lock everything down.
Or did he sign all of those rights away when he took the $100M "fuck you" VC funding in 2022.
cortesoft 2 days ago [-]
Do you need a contract like that when the product is open source? The only thing he couldn’t keep would be the name.
AdmiralAsshat 2 days ago [-]
There would be nothing preventing him in the source license, but I'm saying he may be prevented as part of the contract he signed when he sold the company.
steviedotboston 2 days ago [-]
This is a whole lot of FUD.
avgDev 2 days ago [-]
A tale as old as time, enshittification.
eleventen 2 days ago [-]
I think this is a little hyperbolic. The product may drop features, increase prices, and squeeze its free tier users. Everything enshittifies. But the idea that password export might disappear or be degraded? Nah. You'll be able to jump ship any time you want.
vallassy 2 days ago [-]
>You'll be able to jump ship any time you want.
Famous last words...
AdmiralAsshat 2 days ago [-]
I mean, LastPass was a train wreck after their breach, but they didn't go as far as trying to stop me from exporting my vault when I switched to BW.
The idea of BW doing a rug pull and suddenly removing the ability to export your vault I think would trigger a class-action lawsuit.
e40 2 days ago [-]
I don't know why this is framed as "jumping ship" ... of course you can stop using it any time (and use your periodic export to go elsewhere).
The real issue is potential data loss. Remember LastPass? Bought by someone and downhill it went, with multiple security incidents.
tremarley 2 days ago [-]
Never underestimate the lengths companies will go to, to enshittify their product to squeeze customers for money.
eleventen 2 days ago [-]
Name one major password manager that blocks or paywalls export.
gruez 2 days ago [-]
The iOS "passwords" app didn't support exporting for a while, though they eventually added it.
ptrl600 2 days ago [-]
Usually when this type of thing happens, all the major players decide to do it at the same time.
kpozin 2 days ago [-]
- Authy
- Google Authenticator
eleventen 2 days ago [-]
Not password managers of course, but thanks for reminding me that I should figure out how to ditch Authy.
I had to migrate from Authy because it doesn't work on Graphene OS. Migrated to Ente Auth and couldn't be happier.
Ringz 2 days ago [-]
Ente Auth is a good alternative. Works perfectly for me.
MostlyStable 2 days ago [-]
Google Authenticator has an export-as-QR-code function that several other authenticator apps can parse. Is it the best/most convenient implementation? Obviously not, but you can absolutely export the codes.
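The export mentioned above is a QR code whose contents are an `otpauth-migration://offline?data=...` URI; the `data` value is a URL-encoded, base64-encoded protobuf message carrying one sub-message per account. The following is an added example, not code from the commenter or from Google: a dependency-free decoder for that payload, so a reader can verify what an export actually contains before trusting it as a backup. The field numbers follow the publicly documented wire format used by community export tools (payload field 1 = repeated account parameters; inside each: 1 secret bytes, 2 name, 3 issuer, 4 algorithm, 5 digits, 6 type, 7 counter). `build_migration_uri` exists only to construct the sample input inline; the secrets in `SAMPLE_ACCOUNTS` are the RFC 4648 test strings, not real credentials.

```python
import base64
from urllib.parse import quote, unquote

PREFIX = "otpauth-migration://offline?data="

# Enum values inside each account sub-message (community-documented wire format).
ALGORITHMS = {0: "unspecified", 1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {0: "unspecified", 1: 6, 2: 8}
OTP_TYPES = {0: "unspecified", 1: "hotp", 2: "totp"}


def _read_varint(buf, pos):
    """Decode one protobuf base-128 varint starting at buf[pos]."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _parse_message(buf):
    """Generic schema-less decode into {field_number: [values]} (varint and bytes fields only)."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:                       # varint: enums, counters
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:                     # length-delimited: bytes, strings, sub-messages
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.setdefault(field_no, []).append(value)
    return fields


def decode_migration_uri(uri):
    """Return a list of account dicts from an otpauth-migration URI."""
    if not uri.startswith(PREFIX):
        raise ValueError("not an otpauth-migration URI")
    payload = _parse_message(base64.b64decode(unquote(uri[len(PREFIX):])))
    accounts = []
    for raw in payload.get(1, []):               # field 1: repeated OtpParameters
        p = _parse_message(raw)
        accounts.append({
            # secret is stored as raw bytes; other apps expect it base32-encoded, unpadded
            "secret": base64.b32encode(p[1][0]).decode().rstrip("="),
            "name": p.get(2, [b""])[0].decode(),
            "issuer": p.get(3, [b""])[0].decode(),
            "algorithm": ALGORITHMS.get(p.get(4, [0])[0], "unknown"),
            "digits": DIGITS.get(p.get(5, [0])[0], "unknown"),
            "type": OTP_TYPES.get(p.get(6, [0])[0], "unknown"),
            "counter": p.get(7, [0])[0],
        })
    return accounts


# --- helpers used only to fabricate a sample export offline (constructed, not real) ---
def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _field(no, value):
    if isinstance(value, int):
        return _varint(no << 3) + _varint(value)
    return _varint((no << 3) | 2) + _varint(len(value)) + value


def build_migration_uri(accounts):
    body = b""
    for a in accounts:
        params = (_field(1, a["secret"]) + _field(2, a["name"].encode()) + _field(3, a["issuer"].encode())
                  + _field(4, a["algorithm"]) + _field(5, a["digits"]) + _field(6, a["type"])
                  + _field(7, a["counter"]))
        body += _field(1, params)
    body += _field(2, 1) + _field(3, 1) + _field(4, 0)   # version, batch_size, batch_index
    return PREFIX + quote(base64.b64encode(body).decode(), safe="")


SAMPLE_ACCOUNTS = [  # constructed sample; secrets are RFC 4648 test strings, not real keys
    {"secret": b"foobar", "name": "alice@example.com", "issuer": "Example", "algorithm": 1, "digits": 1, "type": 2, "counter": 0},
    {"secret": b"fooba", "name": "bob@example.com", "issuer": "Example", "algorithm": 2, "digits": 2, "type": 1, "counter": 5},
]
SAMPLE_URI = build_migration_uri(SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    for acct in decode_migration_uri(SAMPLE_URI):
        print(acct)
```

Decoding your own export this way is a useful check before deleting anything: it shows whether every account made it into the batch (large exports are split across several QR codes, with batch index and size in payload fields 4 and 3) and whether the algorithm and digit count survived, since an importer that silently defaults those to SHA1/6 will produce codes that never match.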
Itoldmyselfso 1 day ago [-]
The comment you're replying to should've specified that afterwards. A feature that was never there is very different from paywalling such an essential feature.
Someone1234 2 days ago [-]
Notably not password managers.
SubiculumCode 2 days ago [-]
Yes, there are signs of an oncoming enshittification, and these types of articles gaining traction is good because it sends a signal to the company of potential consequences....but at the same time, the evidence supporting Bitwarden enshittification is pretty weak at this point. There are degrees here, not just either/or, on/off, good/shit.
nickburns 2 days ago [-]
Anyone not already using KeePass (or KeePassXC) has been doing it wrong for at least a decade.
KeePass2Android Offline and KeePassium on mobile.
normalaccess 2 days ago [-]
For TRUE offline password storage use "Off The Grid". A cryptographically secure paper-based password generator created by Steve Gibson from the Security Now podcast.
[0] https://age-encryption.org/
Edit: it actually disappeared for some time but they put it back on May 18
snapshot from May 15: https://web.archive.org/web/20260515190646/https://bitwarden...
snapshot from May 18: https://web.archive.org/web/20260518183728/https://bitwarden...
> The “Always free” motto quietly reappeared on the site after its removal was uncovered and went viral on Fedi.
(And the linked article gives evidence: <https://blog.ppb1701.com/the-quiet-renovation-at-bitwarden#:...>.)
Another recent example is GitHub charging for self-hosted CI. They backtracked, but they're still going to end up doing something. They kind of have to because of all the "get 10x cheaper actions runners by changing one line" people.
If they are going to make it not free, they can just remove it right before they make it not free.
If it was somehow a binding promise, then it doesn’t matter if they remove it or not, the promise was already made.
If it isn’t a binding promise, then it doesn’t matter if they remove it or not, the promise was not binding anyway.
There are a fair number of multi-hundred-year-old companies out there.
No it absolutely must not.
i think this is the overreaction - getting worked up about these sorts of risks in general isn’t worth your time.
Otherwise you’d end up self-hosting everything strictly on OSS from maintainers you personally know and trust.
This is like someone saying, “don’t use AWS because they might raise prices some day”
Between the lawsuits, and the brand damage, there is likely very little upside for a company entertaining this idea.
Nah, I think I'll stick with and keep paying/supporting Bitwarden.
But with all this stuff coming out, I'm holding off on recommending it anymore; at least until everything calms down and the new value proposition is fully laid out.
Like other folks have said, I don't think it's yet time to migrate. That being said, it doesn't hurt to do an encrypted export for backup purposes, start looking at alternatives, and reach out to people I know use Bitwarden to do the same.
Keeping an eye out on how this develops.
As an aside, since it seems like they’re trying to make money: The aforementioned enthusiasm has gotten it adopted at a workplace of mine. The experience hasn’t been good, so no recommendation here either.
Their moat was being a trusted name in FOSS and it’s a bit sad to see them going in the direction of abandoning it.
But somebody else will probably step up and build on the ruins, like vaultwarden already has. That’s the beauty of choosing FOSS in the first place.
Hope they don't alter self hosting it.
Because you need to back up, verify backups, monitor availability, manage updates, manage MFA, and a zillion things.
Don't get me wrong, I have worked in hardcore, high-tech IT for 30 years and I self-host two dozen or so services. It is far, very far from "absurdly easy" when you start.
Sure you can run a container on your pc, and hope for the best
I’ve seen this idea so many times on HN. “Just stand up a docker container and self-host”. Or even worse: “why does anyone need GitHub - just host Bitbucket yourself”
Ok, then what?
I need to access my accounts while I'm overseas - in fact I'm prompted for passwords far more often when I cross borders. I need my passwords at urgent moments like when I need to make a large bank transfer. I need passwords unexpectedly at all times when sessions expire or I need a new session for a device I've never logged in with.
If my home server went down for any reason at these critical moments it could be extremely bad. There are some kinds of outages I can't recover from without physically attending my server. And if I'm not very very careful there are some kinds of failures I cannot recover from at all - I have a working backup solution but so did every company that lost customer data before.
And this doesn't even touch on the security risk of hosting a database of credentials on a publicly available endpoint.
I need a trusted hosted solution.
Vaultwarden is the way. Easy to host docker. Solid. And if bitwarden blocks the clients there will be a fork.
It's leading to it anyway.
Not only is it incurring the cost of project fragmentation, but also incurring an always online cost with overly-complicated docker solutions, when a fully offline and airgapped solution already exists.
Furthermore, staying with the same ecosystem invokes the sunk cost fallacy. But the migration from Bitwarden couldn't be simpler (just export the Bitwarden json file). It's almost a form of battered woman syndrome people are inflicting on themselves when quite simply they can hop onto an already proven ecosystem that doesn't bait and switch.
Afaik vaultwarden and bitwarden clients are as proven as keepass.
https://github.com/dani-garcia/vaultwarden
It's entirely compatible with the clients. It also removes a lot of "rug-pull" potential, and gives you the ability to access all the nice features (ex - multi-org, multi-user, shared vaults, totp, etc...)
Honestly - part of the reason I like Bitwarden is that if they ever go full "enshittification", it's going to be relatively easy and straight-forward to just move entirely off their projects and onto open-source forks.
Tech has generous TC, lots of high-end laptops and phones worth thousands, AI & cloud spend, and yet the only acceptable price for secrets management is $0 it seems at times.
Many companies offer a free tier and a paid tier and are willing to incur the cost of users who will never convert. If a company doesn't actually intend to keep it "always free" they shouldn't make the promise in the first place
As soon as a company positions themselves to hold your data hostage, assume they will. I have no problem paying, but I’m not going to pay anyone trying to trap me. That’s the goal of most of these tech companies now.
My opinion and stubbornness doesn’t matter though. Identity control is getting lobbied into government legislation everywhere. Everyone’s going to pay no matter what, probably twice; once directly, once via taxes.
My advice would be… If that happens, you can worry about it then.
It seems you could lose a lot of time and sleep protecting yourself against a doomsday scenario that will probably never happen.
It means the old guard is moving away and potentially starting initiatives not in the best interest of the user. In the worst case scenario they will sell my data or introduce stupid changes that risk security.
It's a shell script that stores passwords in a git repository, containing one file per entry. The files are encrypted using a GPG key. Because it's just a git repository, you can synchronise it between devices using whatever infrastructure you want. I use a FOSS client for it on iOS, and there was one for Android before I got an iPhone.
Pass has a pretty good ecosystem of plugins/other clients, as well. There are open source iOS/Android clients and browser extensions so once you’re set up the day-to-day experience is not far off from any of the popular hosted password managers.
My only real issue is the dependency on gpg, as it’s pretty long in the tooth and a hassle to operate. (If you are not comfortable using gpg, spend some time learning that before you go all-in on pass!) There’s a fork[1] which swaps gpg for age, but it hasn’t attracted enough attention to get a similar ecosystem of mobile clients/browser extensions, so it’s not a very practical choice IMHO.
[1]: https://github.com/FiloSottile/passage
God help you if you want to use the PGP applet on a Yubikey or smartcard. The pieces all exist, but wiring them all up in a mobile app is hard and the result is janky.
Is it because everybody else is swapping between several different computers, and you need the synchronization?
I just have everything in KeepassXC, and the ciphertext is subject to the same kind of backup regime I use for other files, [edit: and also additionally] a copy kept on a USB stick in my pocket.
The people I know who use KeePass live like they’re disabled. You ask them to sign up for something and they need to schedule a half hour for it two weeks out. Ask them to use a website and they need to wait until they’re home because their biweekly manual data transfer was put off because of whatever. And if they ever drop their phone, it’s this totally unforeseeable panic they’re still recovering from two months later. I’m far from convinced it must be like this, but I’m also far from convinced that most KeePass people—or people using any other strategy—have really thought this through.
Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.
Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.
> Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.
Google Drive/iCloud/OneDrive/Dropbox are already used by non-technical users - moreso than SaaS password managers.
> Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.
What do you do for when you want to access some other type of file across devices, like notes or photos? If you have notes.txt on an FTP server, just put passwords.kdbx alongside it. If you're subscribing to some new service for each individual filetype you want to sync, with nothing for arbitrary files, that seems like considerably more hassle overall to me.
And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.
How many separate services do you have for accessing files across devices, and what do you do for filetypes outside of what they cover?
> And I like having my passwords across all my devices, updating anywhere I am.
That's how it works for me with a passwords.kdbx file on my FTP server (but any cloud storage works). Same for any filetype.
> And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.
What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).
You don't need to host anything for KeePass - just plop the file next to your notes/etc.
Headache seems greater overall if you're juggling a large number of subscriptions, particularly when they start ramping up payment or moving features you rely on to higher tiers.
Talk to your local security engineer :)
On a venting note, this mentality is a frustration I have with SV, because I see it a lot. They don’t know what they don’t know, and think they can just stand up businesses without understanding the domain.
You made the claim - I'm interested to hear why you believe it, because I suspect it's based on a misunderstanding of how KeePass works.
> and think they can just stand up businesses without understanding the domain
Using KeePass is not analogous to standing up a business.
If your FTP is open to the internet, you are now responsible for alerting / monitoring, IPS/IDS, proper config management, routine automated patching, IP allow/blocklisting… all of these things require regular maintenance. Even if you stick it behind a VPN, you will need to patch, alert on, and configure the VPN and everything behind it as well, as VPNs can be compromised.
That’s why, unless I really wanted to spend time hardening the spit out of it, there’s no way I’m self hosting my passwords. I’m happy to just pay a password manager to handle all of that.
You don't need to host anything new or take on any patching responsibilities for anything you weren't before. I already had an FTP server, so put it on there. Wherever you already access arbitrary files across devices (you didn't answer what you do for files outside of your filetype-specific subscriptions, but I'd assume you just have iCloud or something) should work fine.
Not that there are zero reasons to use a SaaS password manager, just that I disagree Keepass is somehow insecure or prohibitively technical for regular users. The solution a lot of people already seem to gravitate towards (if not just password reuse) is "passwords.txt on Google Drive".
Most of the workstations I use completely block USB storage devices (but not fido2 keys!)
What would be super nice is to have USB wedge that I can just send my passwords from my phone to any computer like this https://www.inputstick.com/ (Expensive, sold out and also doesn't ship to the USA)
Me too, but I rarely add/edit anything in .kdbx file, it rarely changes. So I just keep a copy on my phone and use KeePassDroid to open it sometimes.
If you change/edit your passwords all the time, and you like autofill and I assume other features, networked solutions are much better.
And it isn’t about changing/editing passwords all the time, it is about all the new passwords that are constantly being added.
If a conflict did happen though, newer versions of Nextcloud just keep both copies and alert you to resolve it. If I had to resolve this I'd probably try the built-in database merger first: https://keepassxc.org/docs/KeePassXC_UserGuide#_merging_data...
There are several factors at play making conflicts almost impossible:
- A central device can be immediately synced to. For Nextcloud, it could be a server, for direct synchronization that I use (Syncthing), my phone (almost always online) is the intermediate device for all.
- You are usually online when creating accounts/passwords, so a sync can happen directly after a change
- And finally: How often do you actually _create_ accounts rather than just read the database? And how often do you do it on two devices in quick succession?
What are you guys doing to get real issues?
Also consider teams or multiple teams across an org sharing secrets. Flat files are a tough sell, so these apps eliminate almost all the hassle. We pay for a lot of 1Password accounts, and I couldn’t imagine rolling our own solution.
I use it to sync between my phone, tablet, laptop, and two desktops.
I want to be able to add a login from any of those, and have it be updated on all of them.
I might have more machines than most, but everyone has at least a computer and a phone, seems reasonable to want to link those two.
Bitwarden just works in all those places and the tech was, by all accounts, rock solid. AND I can pay for it instead of trying to leech off some privacy-ambiguous free tier.
Even if I had a USB-stick of magical capacity and reliability, I wouldn't want to have to remember to connect and disconnect it constantly.
Syncing was an utter disaster. Inevitably something would cause syncs to be delayed, and then there would be a conflict and one of our changes would be silently lost. We were constantly going to look up a password we entered, and finding it was not there anymore, at which point I would have to dig through sync conflict backup files and manually re-enter the passwords that were lost, or go through the password reset flow for the sites. It was a giant mess, and that was just with two desktops and a laptop. I was using btsync at the time but all the issues I encountered apply to any file based synchronization, like syncthing, nextcloud or dropbox. Performing whole database file synchronization is simply not the right approach for a password safe.
I eventually switched over to self-hosted BitWarden with the browser plugin and it has been much smoother.
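The two failure modes argued over above (a whole-file sync that silently drops one side's edits, versus the per-entry merge that the KeePassXC user guide linked earlier offers for resolving conflicts) can be shown with a small model. This is an added example, not code from the thread, from KeePassXC or from any sync tool: the database is a plain dict of entry id to fields plus a modification time, the KDBX format and real file syncing are out of scope, and the "newest file replaces the other" behaviour is an assumed simplification of what a file sync tool does with two diverged copies.

```python
"""Whole-file sync vs per-entry merge of a diverged password database.

Added example, not from the thread or from KeePassXC. Entries are modelled
as {uuid: {"title", "password", "mtime", "history"}}; mtimes are integers.
"""
from copy import deepcopy

# Constructed sample: the snapshot both devices last synced from.
BASE = {
    "a1": {"title": "bank", "password": "hunter2", "mtime": 100, "history": []},
    "b2": {"title": "mail", "password": "letmein", "mtime": 100, "history": []},
}


def with_entry(db, uuid, title, password, mtime):
    """Return a copy of db with one entry added or updated and stamped mtime.
    The previous version, if any, is pushed onto the entry's history."""
    out = deepcopy(db)
    old = out.get(uuid)
    history = [] if old is None else old["history"] + [
        {k: old[k] for k in ("title", "password", "mtime")}]
    out[uuid] = {"title": title, "password": password,
                 "mtime": mtime, "history": history}
    return out


def newest_mtime(db):
    return max((e["mtime"] for e in db.values()), default=0)


def file_level_sync(local, remote):
    """Assumed model of a file sync tool with two diverged copies of one
    .kdbx: the copy saved most recently replaces the other wholesale, so
    anything only present in the older copy is gone."""
    return deepcopy(local if newest_mtime(local) >= newest_mtime(remote) else remote)


def merge_entries(local, remote):
    """Per-entry merge: union of entries; where an entry exists on both
    sides the newer version wins and the losing version is kept in the
    winner's history rather than discarded. Symmetric in its arguments."""
    merged = {}
    for uuid in set(local) | set(remote):
        a, b = local.get(uuid), remote.get(uuid)
        if a is None or b is None:
            merged[uuid] = deepcopy(a if b is None else b)
            continue
        if a["mtime"] == b["mtime"]:
            merged[uuid] = deepcopy(a)
            continue
        winner, loser = (a, b) if a["mtime"] > b["mtime"] else (b, a)
        entry = deepcopy(winner)
        snapshot = {k: loser[k] for k in ("title", "password", "mtime")}
        combined = list(winner["history"])
        for h in loser["history"] + [snapshot]:
            if h not in combined:
                combined.append(h)
        entry["history"] = sorted(combined, key=lambda h: h["mtime"])
        merged[uuid] = entry
    return merged


def scenario():
    """Constructed divergence: the laptop adds a new login, then the desktop
    changes an existing password a little later, before either copy syncs."""
    laptop = with_entry(BASE, "c3", "forum", "p@ss-laptop", mtime=200)
    desktop = with_entry(BASE, "a1", "bank", "hunter3", mtime=210)
    return laptop, desktop


if __name__ == "__main__":
    laptop, desktop = scenario()
    print("file sync keeps:", sorted(file_level_sync(laptop, desktop)))
    print("entry merge keeps:", sorted(merge_entries(laptop, desktop)))
```

The file-level result keeps the desktop's copy because it was saved last, and the forum login the laptop added simply vanishes, which is the "we entered it and it's not there anymore" symptom. The entry-level merge keeps both edits, and when both devices changed the same entry the older value lands in that entry's history instead of in a conflict file.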
After all, even with godlike storage-media on my keychain, it would still be susceptible to a mugger or falling down a deep hole. Until that happens, it provides redundancy and convenience, provided I can bring it to a trustworthy computer.
But the interface of every software on a phone is so atrocious that I have never actually seen any benefit from having a password manager there that I could copy stuff from. So now I just don't have it, and haven't seen any loss yet.
That said, I store way more low-value passwords on the Firefox manager (that is synchronized) than high-value ones on the offline manager.
.. and phones, and tablets. Yes
So you do understand it!
I might self-host something at some point. But even choosing something seems a menial task, not to speak of setting it actually up...
Bitwarden/Vaultwarden had a good run but if someone's going to self-host Vaultwarden, I would encourage people to look into AliasVault instead. It's a complete opensource ecosystem.
And Vaultwarden is nice. I've used it at work, hosted it myself, and as a user of the password manager I can say it's basically indistinguishable. But I don't really pay Bitwarden for a password manager -- I pay them for a secure sync of a password manager I can share with family members who can't figure out a VPN.
Had previously used Enpass in the past and was pleased to see how much it had improved since then. Also allows me several choices when it comes to where I store my vaults. And fills passwords quickly and efficiently in comparison to BW.
So I've migrated fully to Enpass - clients everywhere, browser plugins available, and it just works.
With this news, it now looks as though my migration was somewhat prescient.
I also use KeePassXC as a backup on USB should it ever be needed.
This isn't a good - particularly as passkeys are effectively just certs - migrators should be aware of those caveats.
I won’t. The optics look bad and that alone is enough to show the leadership is either hostile to users or too inept to understand why their recent actions signal a change away from what people value in their product. If they don’t understand or care about the same things as the community / customers, there’s no reason to think they’ll make choices that continue to be a good value proposition for their customers.
The only thing that's going to stop tech companies from pulling this crap is if a hint of private money coming in to ruin everything ends up ruining things before everyone gets to cash in. Basically, a mass exodus and bankruptcy would be the only outcome that makes the next company think twice about using the enshittification playbook.
We need some companies built around fair value instead of extortion and they need to be run like Steam. Steam has an unbreakable hold on gaming because they’ve never screwed their users.
It's not a good idea to become dependent on a single corporation's products.
Passkeys too: https://sixcolors.com/post/2025/09/export-keys-securely-from...
Overly idealistic thinking, maybe... but still thinking.
Waiting for people to get this.
I end up helping a lot of older people for a variety of reasons with tech - 60s to 90s, family, neighbors, coworkers.
They’re not invalids and have a right to participate in the digital world, even if security requirements have exploded.
Anchoring the trust in stuff like 1Password where we setup domains, their account info, their OTP codes means they get to go to their bookmarked site, FaceID to unlock the PW manager, get automatically logged in, and do what they need.
Being able to let them navigate this world without always having to hand over the paper secrets notebook to random helpers, or lose sheets of paper with passwords, or get caught up in tracking down an SMS code is better for them. Their password manager with the autofill helps somewhat deter phishing links since relying on autofill usually signals something is off, and they call someone they trust.
My point, I guess, was that convenience is basic access for some subset of vulnerable groups of people.
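The phishing signal described above (autofill stays quiet on a lookalike site, so the user notices something is off) comes from the manager matching the page's origin against the one the login was saved on. The following is an added example, not code from the thread or from any real password manager, of that matching rule: it fills only over https, compares the registrable domain of the page host with the saved one (as several managers do by default), and so refuses subdomain-prefixed, typo-squatted and userinfo-tricked hosts. The vault contents and the tiny two-label suffix table are constructed assumptions; a real implementation consults the full Public Suffix List.

```python
"""Origin matching for password autofill.

Added example, not from the thread or any real password manager.
"""
from urllib.parse import urlsplit

# Constructed vault: the origin each login was saved on -> username.
VAULT = {
    "https://bank.example.com": "alice",
    "https://mail.example.org": "alice@example.org",
}

# Assumed simplification of the Public Suffix List: these suffixes take
# two labels, everything else one.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def logins_for(page_url, vault=VAULT):
    """Return the usernames eligible for autofill on page_url.

    Nothing is offered over plain http, and the saved scheme and the
    registrable domain must both match. urlsplit().hostname strips any
    userinfo, so "https://bank.example.com@evil.net/" resolves to evil.net.
    """
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return []
    page_domain = registrable_domain(page.hostname)
    matches = []
    for origin, user in vault.items():
        saved = urlsplit(origin)
        if (saved.scheme == page.scheme
                and registrable_domain(saved.hostname) == page_domain):
            matches.append(user)
    return matches


if __name__ == "__main__":
    for url in ("https://bank.example.com/login",
                "https://bank.example.com.evil.net/login",
                "https://bank.examp1e.com/login",
                "https://bank.example.com@evil.net/login",
                "http://bank.example.com/login"):
        print(url, "->", logins_for(url))
```

Only the first of the five URLs in the usage block gets a login offered; the silence on the other four is exactly the cue the comment above relies on, which is why "the manager didn't fill it in" is worth teaching as a reason to stop and call someone.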
Reality: people started writing their passwords on sticky notes by their computer. Possibly the worst outcome.
Convenience is part of good security.
Third-party password managers INCREASE your threat surface by orders of magnitude more than sticky notes, period. They change the number of holders of secrets from two to three, and that third one is now a juicy target. This is not theory, this has happened frequently.
Sticky notes (even better, a little private physical notebook) keep this limited to your physical location which is much easier to secure; the grandmas and grandpas I know who do this (I do similar) have a far better track record than anything else.
The quiet renovation at Bitwarden
https://news.ycombinator.com/item?id=48163389
It's Bitwarden's game to lose. Forking is easy enough that there's no great need to pre-emptively fork.
https://automaton-media.com/en/news/kadokawa-reports-sharp-d...
Paying means they have revenue, an interest to keep it secure and innovate more.
I recall LastPass and the LastPass breach and the class action from that but that resulted from improper crypto rollout.
Would the same risk happen with Bitwarden?
Honestly after years of resistance I've finally partially embraced Apple's solution and have to admit it works great. I love that Hide My Email is integrated into it so well too
Vaultwarden looks neat:
> Lightweight, self-hosted server written in Rust, fully compatible with Bitwarden clients, implements the Bitwarden server API, supports organizations, attachments, web interface, website icon API, YubiKey, Duo, and multiple two-factor authentication options.
(I do use KeePassXC btw. I just think this is what GP's real question was)
They were never yours, and zillions of people you don't know have access to them.
>But the explanatory paragraph at the bottom of the same post still says the old ones: Inclusion and Transparency. Crandell’s name is still on it. The post now contradicts itself, and nobody wrote a new one.
Looking at the post right now, they've corrected it to Innovation and Trust.
Or did he sign all of those rights away when he took the $100M "fuck you" VC funding in 2022.
Famous last words...
The idea of BW doing a rug pull and suddenly removing the ability to export your vault I think would trigger a class-action lawsuit.
The real issue is potential data loss. Remember LastPass? Bought by someone and downhill it went, with multiple security incidents.
- Google Authenticator
https://github.com/BrenoFariasdaSilva/Authy-iOS-MiTM is going to be my project for the afternoon.
is a good alter. Works perfect for me.
KeePass2Android Offline and KeePassium on mobile.
https://www.grc.com/offthegrid.htm