Bitwarden New CEO has extensive M&A, Private equity experience, Removes Transparency from its Motto
1mon 3d ago by lemmy.today/u/iter_facio in technology from www.fastcompany.com
I find this move concerning, and wish that the Founder had looked for a new CEO that shared his values rather than a Private Equity and Mergers Expert.
Furthermore, the change to the GRIT motto is worrying. Trust is useless without Transparency when it comes to code and security.
Is it that time when I say "oh shit!" and starts to look at alternatives? I've seen this scenario a hundred times already and I'm tired.
I don't have the patience to switch to alternatives until they make a change that actually affects the usability of the tool.
This is absolutely a red flag though.
Just FYI, you can export your Bitwarden database to plain text and import that with KeePassXC
All the attachments, though... man this is going to be such a pain :/
It takes a full 3 minutes to try an alternative. Export, install new one, import. Install extensions where you need them and sync.
Same question here. What are the best alternatives?
KeePassXC is the best FOSS option, but you'll need to figure out self hosting if you want to sync the database between devices.
As the database is encrypted in your device, you dont really need to self host. A keepass database in the Google cloud is not really problematic, although you should still choose a more private cloud provider.
Syncthing is probably a simple fix.
Assuming you have a degoogle'd phone. The syncthing-fork devs announced that they aren't going to certify for Google Play when that's made a requirement in a few months
Ugh, I forgot about this. Aren't you still going to be able to install apps from third-party marketplaces? I thought the plan was just that the phone was going to hassle you and require multiple hoops.
Yes, that's the plan
I think other apps will require ADB to install
After initial wait period of 24 hours, which is intolerably dumb, you don't need ADB.
They should interview me when I make a purchase and determine the likelihood of me falling for a scam where a family member will save me if I just had an extra day
fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck fuck
I use both KeePassXC and Syncthing for passwords. Works fine.
And you can use a keyfile separate from the database for even more security. If the database is backed up on Google Drive and the keyfile is saved on a USB or in a (non-Google) email somewhere for the rare times you add a new device, your passwords should be safe even from keyloggers or Google themselves.
make sure to use post-quantum encryption algs
Which algs would that be? ed25519 okay? Is that even an encryption alg? I'm not too hot with encryption.
or use syncthing, no hosting experience required
Syncthing on the phone seems to use up a lot of battery, though.
If you don't need real time sync you can disable background use of the app. That's what I've done, and I just open the app when I need to update. Probably a smarter way to do it, but it works for me.
It doesn't need to be complicated. I use syncthing to synch them. It's pretty trivial. You just tell it what folders to synch, between which devices, and it'll synch whenever it's running.
I found the easiest way to sync is to use rclone. This way you can use any cloud provider like Google Drive or OneDrive or DropBox. First create the rclone remote for your cloud provider using rclone config. Second step is to create a second remote using the encryption option (menu item 16), choosing an appropriate path <first remote>:<path to directory>. Upload your KeepassXC database to this encrypted remote using rclone copy.
On Android you can use the RoundSync app from F-droid to configure the the same remotes, then create a task to copy or sync from that encrypted remote and a trigger to run that task on a schedule. Overall, this one-time setup works really well for me. This is my backup in addition to using Bitwarden for several years. Bitwarden is not going to get my money any more.
post-quantum encryption algs
I use the built in ftp sync option with any file explorer that makes an ftp server on my phone.
I use Vaultwarden
But you still use the official BW client apps, correct?
Unless you forego usage of the clients and access Vaultwarden through the browser (removing accessibility and convenience especially on mobile), it is not an e2e replacement solution.
Are there any alternative FOSS clients/apps that work with Vaultwarden?
Edit: I see further down that the official client is open source, and would get forked in the event of any fuckery. So I'm sticking with Vaultwarden + Official client app approach for now.
I just use the webapp UI and don't bother with the clients/extensions. Easy enough to just log in, copy/paste from there.
But yeah, the official client (and probably browser extension as well) would probably be forked if/when needed.
What about passkeys?
For now
Coincidentally, I moved to self-hosting Vaultwarden last night, which is open source but compatible with Bitwarden. If you want a simple transition and are capable of hosting it yourself, that would be my recommendation.
I've been hosting it for a couple years now and question why it took me so long.
Proton Pass.
I'm pretty sure that isn't self hostable.
That's true.
I use keepassxc. It does the job.
Alias vault seems the most feature complete and self hostable https://www.aliasvault.net/
KeePassXC + Syncthing to sync passwords across devices
Sigh. This will be a huge pita. I have probably over 100 things saved into bitwarden. Where's a good foss alternative.
GabeN, please don't die before me.
Cute. A hundred items :p /j
I’ve been pretty happy with Apple passwords
Oh great. Let's go from an open client to a vendor closed-source lock-in.
Sometimes I am baffled by the polarity of Lemmy.
From Tryhard-only-libre-software type of users over A-bit-of-each users (but tending to sway towards (F)OSS application) over to this opinion/suggestion.
Wild.
Vendor lock in is an issue, true, but it's a different issue than the enshittification we're starting to see from Bitwarden. Also, apple passwords isn't "locked in" per se, as passwords aren't difficult to export.
Lately, I'm starting to feel like finding good software (often FOSS but not exclusively) is increasingly a hook for later increased monetization. The 'agreement' I had with Bitwarden was they provide a solid service, and (while not required) I pay the $10/year honor system fee. That's been upped to $20 now, and now they're appearing to move away from their core principles. I won't be paying for another year.
With Apple, the unspoken agreement is I "overpay" for my hardware, and they don't have incentive to monetize me otherwise. I'll admit, there are cracks forming in that agreement, but that's my read on it currently anyway, and I think probably the person to which you are replying to as well.
Your decision are sound.
Not a fan of the usability of Apple devices (I have an iPad, so I am not talking ou of my butt) but I can't deny they reduced user hostility is attractive.
iPad usability is in a really weird place. It's definitely the least "usable" of Apple's platforms, and to be honest I probably wouldn't be an Apple user at all if all they had was iPadOS and iOS. macOS is still attractive to me (the Liquid Glass theme notwithstanding). For the record, I split my password manager use between Apple Passwords and [now] self-hosted Vaultwarden. Each has advantages, and while I'd like to just use one, having two is working okay for me for now.
What? Is it frowned upon here to just use what works?
A lot of people chose Bitwarden because it was open-source, so they don't see the very closed Apple Passwords as a suitable alternative.
Why the fuck does everything that's good turn to shit? This world sucks. This timeline sucks.
it's all motivated by the accumulation of wealth = capitalism
Accumulation of power is a common motive regardless of political system. Money is just one way power gets expressed.
Not claiming our system is perfect by any means. But this thought, to me, always felt like kicking the can down the road.
That might qualify as an argument but the enshittification of everything hasn't gained anyone power, only money. Cuba was curing cancer before we started more war crimes in order to prove socialism doesn't work, while we're financing fast food.
I think there's a difference though, in that capitalism rewards this kind of innate motive, while socialism doesn't, so I think it would be much easier to build a system based on that that's not fucked from the foundations like capitalism is. The societal benefits of capitalism always feel like an accidental side effect at most, when it should be at a heart of any economy system.
Also it definitely seems that holding power over others warps the human mind, so I would definitely advocate for distributing policy-making power as evenly across the population as possible.
Kicking the can down the road implies you have a better solution?
A solution that stops evil people from being greedy for all of future society, gaming whatever our system is to hoard resources? No, I don't.
Whether under capitalism or socialism, either system would need frequent attention and intervention by thoughtful, socially responsible people to watch for abusers of the system.
Right, but Capitalism incentivises this behaviour, thus making the checks and balances required both more robust and needing to be applied for regularly - while the powerful are capable of preventing this.
On the other hand, Socialism has incentives that are completely different - managing the abusers would be a much simpler task.
It's not a timeline. It's just the world we keep making. The only one.
VC ruins everything
This is literally a product where a hobbyist tried to fix a niche, and now the VCs arrive.
reading this as someone who migrated the rest of the household to Bitwarden literally yesterday: 😒
It took me years after the lastpass breach to get my wife and 1/3 of my kids to switch to Bitwarden. I am not looking to having to migrate again.
but exporting is easy with bitwarden. this is annoying. after the age check laws, i have been moving off big companies because it will be bad snd i know my migration will take a bit. i finalized bitwarden a couple weeks ago and was just about to assist my family.
i would not be as upset if ram and harddtives didnt cost a mortgage right now.
It does not matter how easy exporting is, the difficulty is going someone who really does not understand why they should be using a password locker to use one, much less change to a different one.
You won't have to. Bitwarden is FOSS. The server is able to be self hosted so "migration" will just be you moving their account to the self hosted one if things go south
Does this mean other companies are hosting compatible servers to switch to?
I mean some may be offering that but it means you can just rent a cheap. VPS and host your own
What do you use it for?
passwords and secure notes of recovery codes and the like
Luckily BW is open source, and VaultWarden exists. If they enshitify, all it takes is a fork of the browser extensions and apps with a rebrand.
This right here is the only answer
Companies can try to steal the app but they can only steal the name
Exactly, IMO Vaultwarden should just fork the clients and extensions and officially take the lead. Bitwarden can just go the way of OpenOffice for all I care.
I'm out of the loop, what happened to OpenOffice?
OpenOffice was maintained by sun Microsystems and they were bought by oricale. At the time it was seen so negatively that a fork called libreoffice was created and almost immediately became the default office suite for most people who were using OpenOffice.
Yeah, this here is exactly the reason why anytime I have to migrate from any piece of software I'm migrating to something open source and standards compliant.
How would network hosting work, though? Like... do I need to pull my passwords down now?
You can export from any of the BW clients. Then import into sepf-hosted BW or VW.
Short-term, yes. Maintaining the client integrations is a ton of work. If BW ever breaks selfhosted integrations, it's gonna be a shitshow.
1Password took investor funding, moved to subscription and focusing on corporate.
Bitwarden heading the same way. Great…
This is troubling and I am going to accelerate my migration to Vaultwarden. I'm not going to leave Bitwarden yet but I saw how this played out with LastPass, and I was a happy LastPass customer until I wasn't.
Docker and caddy make this pretty easy. Even easier if you have a static ip and go to porkbun for a domain.
And that’s only if you wanna access it outside your network. Mostly you can get away with syncing before you leave.
Or just use ZeroTier/Tailscale/NetBird/Wireguard and you can access your server from anywhere without exposing it to the imternet directly.
Yeah I know but I’d rather just expose the services I want.
And I'd rather not deal with extra, unnecessary security concerns.
Cool. You do you and I’ll do me.
I should get a cheap laptop and start self hosting...
The company has long defined its values with the acronym “GRIT,” which used to stand for “Gratitude, Responsibility, Inclusion, and Transparency.” After May 4, it changed the acronym to stand for “Gratitude, Responsibility, Innovation, and Trust.”
It's not as bad as the headline seems. Transparency is still in the motto. The actual change is:
But still. Why change it at all? Why replace "inclusion" with "innovation"?
It smells like Tech Bro.
There's just no way to spin that positively, even giving them the benefit of the doubt, especially since they aren't rolling it back. Someone spent effort to make that values change, so its not an accident nor a "nothingburger".
Well, trust is literally the oposite of transparency. So i would call it quite bad, especially if you consider that right now i trust these guys with my credit card details, my taxID, all my passwords.
Exactly. In cybersec, trust is someting you try to avoid or at least minimize. Trying to use it as a selling point is ridiculous.
Or it's something you earn through transparency.
That's what they are trying to communicate here, yes. But 8.5 million users didn't need to be told they need to trust the platform, they chose to. As did I with a premium plan to cover MFA and attachments.
Now with business types in charge and a hidden doubling of the fees, that's more than halfway out the window no matter what the website stands for. I'm guessing somebody decided it's time to cash in on the goodwill they built over the past decade.
That's a great point.
I don't want to trust them either. I don't want to have to.
The only "devil's advocate" argument I can think of is they're trying to appeal to enterprise clients (who would not know that and want to "trust" a security company). That would explain the "I" change: "inclusion" (sadly) sounds political, "innovation" is like corporate catnip. Bitwarden could be trying to attract big fish to fund development, having their cake an eating it.
Removing 'inclusion' smells like a pivot to the right, same way DEI is a target for maga
I don't need my password manager to innovate anything. I would very much like it to include support for all of my tools and machines though.
It's the change from "users" and "community members" to "customers" for me.
Because the "inclusive" part is already described by the first letter's "story"?
Ty. So many comments here didn't see your post and others did but didn't read it. My take is innovation is a greater priority, and trust protocols. I'll watch but I'll wait for it to be a something burger.
“You either die the hero, or you live long enough to become the villain”
Why does every good thing always have to go to shit. Sigh.
because capitalism
This
Nothing good ever lasts. Guess that's entropy for you.
From the article
Update: After publication, an employee on the Bitwarden subreddit said that “Always free” had been restored on its pricing page, calling it an “oversight” by the marketing team. The product page for Bitwarden’s personal password manager remains unchanged.
Don't care. Being owned by a private equity bro is enough for me ✌️
Sounds someone was caught doing silly stuff... it will be interesting how this will develop in the future.
i guess unregulated capitalism is inherently entropic.. since its utlimately a system that consumes itself until everything is gone and it dies and returns to background radiation.
It's the investor obsession with forever growth. It ruins everything.
hope this does not fuck up my vaultwarden hosting.
Narrator: ...but it did.
I'm amazed that vaultwarden has maintained such fantastic compatibility with bitwarden. ...but all it takes is one api with an obfuscated "signed request" to bring it all down.
No?
I get that clients might break, but the web portal running inside vaultwarden isn't gonna suddenly stop working.
Vaultwarden itself is self-contained. An API change won't do anything to it.
Then it creates the opportunity (need) for an open sourced client, if that ever happens, I'm confident the community will come together and make one using the currently known API calls.
The current (at least android) client for bitwarden is already open source (GPL 3).
I wasn't certain what the bitwarden clients were licensed under.
...but if they're all GPL, then yeah - it'll just get forked. Just like terraform vs opentufu. Just like MySQL vs MariaDB - it's a tale as old as time (unfortunately).
Vaultwarden has a backend encrypted db and web server, with it's own API. The bitwarden clients are currently opensource so there could be a fork for the browser extension, and desktop client. Unlike 1Password, there is a good opensource base.
Same
Ah shit, here we go again…
If you're looking for alternatives and you don't care about automatic device syncing, I have been enjoying using keepassxc
If you have a cloud storage provider, and you save your keepass database to it, then you also get automatic syncing for all devices that can connect to that cloud.
Sure, i'll put my password db somewere I have zero control over, just for convenience
You would’ve already been doing that with BitWarden.
Pretty sure I don't. I don't have bitwarden.
Just keepass. On two pc's and backup to my nas.
Its like you have your own cloud storage provider.
One device on the lan ....... would not call that cloud.
It does a similar function though. Your devices are able to connect to it and sync a keepass db between the two. You have a solid solution IMO.
my nas.
Wow, talk about missing the point.
your nas is your cold storage provider
Isn't the keepass db file encrypted?
Not everyone can self-host
I know. Keepass is a stand alone app. It does not need hosting.
You made me think about this a little bit, why couldn't someone self host?
They don't own the network, or don't even have a network to connect to. I probably vastly underestimate the people who do not control their internet connection, or simply use devices that are on cell networks.
There are quite a few people that have a phone and/or tablet, and no WiFi. Not many who would care about this situation, but still
https://keepassxc.org/docs/KeePassXC_UserGuide#_storing_your_database
You can keep it on a USB too
You can sync between devices securely with syncthing.
That being said, the syncthing-fork devs are refusing to get certified with Google Play (which I support) so by the end of the year you'll need a deGoogle'd phone
Keepassxc DB has strong encryption.
Nextcloud, syncthing, sftp can all be self hosted
I'm the weirdo with the tin foil hat, but thats how I feel about ALL of these services. I don't care how secure anyone says they are.
It's incredibly inconvenient, but I have all my passwords saved as documents written in a cryptic and incomplete way so that only I know what they mean on my pc. It sucks that if I don't remember one I have to wait until I get home, but I'll never trust any of these services. EVERYTHING gets hacked eventually.
If you are happy with cloud services, please, go ahead. But not for me .. True. I'm having close to zero trust however safe they say it is. My choice is to have my data on my hardware that i own and control and can access 24/7.
Ps: You can't hack me, i carry around my stack of post-it's on my skin and they have medic style hand written passwords /s
You can selfhost your cloud storage, for instance using Nextcloud, if you want to maintain complete control
I do care about automatic device syncing
They took the VC money
They all do, eventually.
Id take it, too.
People need to understand that if they wait for everyone to do the right thing we are all going to be fucked.
Run.
ProtonPass is run by a non-profit if you have to move to another hosted solution.
Otherwise there's multiple self-hostable options, including plain file sync options.
Use this example as learning experience that the type of the firm you're buying a service from is very important as it changes whose interests it puts first, second and last.
Non-profits do not always remain non-profits, and can become for-profit entities. Being a non-profit is not a reason to move to proton IMO, but Proton should be a decent temporary option if Bitwarden becomes aggressive to the open-source ecosystem.
My health insurer is a non-profit but they're still a bag of money hungry dicks.
Update: After publication, an employee on the Bitwarden subreddit said that “Always free” had been restored on its pricing page, calling it an “oversight” by the marketing team. The product page for Bitwarden’s personal password manager remains unchanged.
Oversight
They got community checked and backtracked hard... I have always endorsed bitwarden but that is becoming worrisome. :(
Yeah, you know those marketing team people. They totally went out of their way to make more work for themselves to change it with I'm sure zero instructions from higher up to do so.
Getting hard to endorse anyone you don't personally know at this point.
We're sorry we got caught
I wonder how much the new choice of CEO was up to the founder versus the venture capital investors. I’m assuming the investors had the main input.
And this is why every time a tech company raises venture capitalist funding, it's almost inevitably on the road to enshittification, as the ones holding the pursestrings only care about what profit they can extract from the company over the next few years.
It needs a conscious effort from companies that are small but successful to stay that way, to keep their size and business model sustainable, and their mission connected to the interests of their users. From the top of my head I know Obsidian does it this way (fully user-funded), but there are probably others too.
Enshitification marches on.
Well, it was fun while it lasted, lol.
I've long wondered when this was going to happen. Their investors must have been frustrated about the lack of revenue per user growth (eg, screwing us over with annual price hikes and removing features from free plan)
Ah for fuck's sake. Seems like every month I have to change something because some fucking company starts getting a taste for greed via data sucking. I'm goddamn sick of it.
Enshitification
That's why you use open source alternatives everywhere :) just replace one at a time when the company fails
Start using open source then
Unprompted snark from an .ml user, how surprising. I am a bigger cheerleader for open source than any of my friends or family. It's the only real path to stay free of corporate influence, greed, and spying (in regards to software). Live free or die.
Bitwarden is, by definition, open source. It has been since I started using it ~6 years ago. I'm tired of literally everything having the potential for enshittification. Nothing is safe in the long run, not even volunteer-run projects. If you think your favorite project is safe because of some "core ethos" or "guiding principles", you're just drinking the kool-aid. As long as we exist under capitalism, anything under the sun can be enshittified.
I will never give up, even if things seem even more dire than they are now. But I'm tired of having to maintain constant vigilance.
Troll better.
I feel like switching to self hosted vaultwarden was one of my best moves of the year
Been planning to do this just because; now it seems it's strictly necessary.
Gotta figure out how docker, containerization and all that jazz works. I have an account with hetzner but just web/sql hosting and a managed Nextcloud instance - no vps yet.
Seems like a Saturday project that I hope I can get round to.
I tried for it today on an LXC at home but its proving to be a pain in the ass due to my DNS provider, DreamHost. I'll figure it out later, but this isn't as turnkey as I had hoped.
For anyone else in the same boat as me, this is the official Hetzner tutorial on setting up vaultwarden. I'm going to try it at the weekend. I already have the prerequisites taken care of once I order my hetzner server:
- hetzner account and server
- resolvable domain name
- smtp server access
Good luck all, link is below.
https://community.hetzner.com/tutorials/how-to-set-up-vaultwarden
I just tried it and it took me 5 minutes, since I use yunohost Just add app, setup admin account, invite myself, then import my bitwarden.org vault (after password encrypting the json export, of course)
Same. But it’s an ugly UX. I liked keepassxc UX better.
Was good while it lasted. Thanks for getting me off LastPass. See ya
I guess it's time to move to vaultwarden sooner rather than later.... This wasn't supposed to be the weekend project, but fuck it; let's roll with it!
My question is move to vaultwarden, and trust they will still develop the open source client apps, or just preemptively move to another system. The UX isnt perfect, but it seems a lot easier to use than kerpassxc. Time to do some research.
Very easy to migrate to vaultwarden from bitwarden I think, so I'd probably do that and hope the clients are forked if ever needed. I'd probably just live with vaultwardens web ui before swapping completely to keepassxc (because setting up keepass db sync to all devices manually doesn't sound fun).
No personally using KeePass, but I've heard Syncthing is great to sync the database. Might wanna try to look into that.
ugh... This is worrying.
All good things come to an end at some point I guess.
I knew trouble was brewing when they started adding the little corporate cute waving graphics and stuff to the UI. Glad I already migrated away
What are u using? I just got onto Bitwarden and set up all my credentials there!
I was about to and also interested
I'm just using pass on Linux. Haven't figured out a good way to access my passwords through it on mobile yet, but I avoid using my smartphone when at all possible so I haven't been particularly motivated to find a solution to that
oh great, now I have to research what the next best alternative is
How long before they go full lastpass like in 2023 ?
#leakpass #lastpass #neverforget
is proton pass good?
Yes. If you’re looking for a cloud solution, Proton Pass is quite good. I switched from Bitwarden about 6 months ago. Works great.
Completely agree. I couldn’t be happier with Proton Pass.
I just tried it out and imported my Bitwarden vault. Does Proton Pass really not have folders? Or is that a paid feature?
They are called vaults but they are sort of a facsimile.
Yeah I assumed as much. But then it appears there's a limit of 3 vaults for free users. I get it, beggars can't be choosers, but man, a simple folder feature like Bitwarden has for free would be nice.
Self hosting is the new battefront for the individual's right to sovereign data
Proton pass has been fine for me. I don’t care that the one Proton guy said the one thing that time, I’m out of energy and it’s good enough.
Another happy proton pass user here, i do care about what that one guy said but not enough to switch to another service. Not foss, but it's definitely a good enough thing for me.
Yeah I think you said it better. If I boycotted every company that employs one person I disagree with I would be self hosting everything. Proton represents the best in privacy-focused non-Google/Microsoft hosted email and productivity services. There are numerous reasons that we should want to see them succeed if even just to take some market share from Google.
There's kind of a difference between an employee and a CEO.
Proton seems okay still at the moment, but with their growing in scope and success I imagine it's only a matter of time
It's just annoying on Android because it often struggles if there's a "remember me" checkbox. And there aren't separate fields for username and email.
Are they OSS?
What do they do differently than BW?
To me, they are just another vendor that seem very corpo
Googled it: Proton operates under a unique hybrid model. Its core services (such as Proton Mail and Proton VPN) are run by a for-profit Swiss corporation, Proton AG, but the primary voting shareholder is the non-profit Proton Foundation.
This structure was designed to permanently put people before profits and protect the company from hostile takeovers or venture capital control. While the foundation ensures the company never deviates from its privacy-first mission, Proton AG must remain profitable to be fully independent and self-sustaining without relying on subsidies.
why even have "Motto" if you are just going to renege on it.
In this case, not having a motto would have made them able to get further down the enshittification path before anyone noticed. They just warned us.
though this also points out why such things as companies having "values" is laughable and should be ridiculed if they arent clearly enforced. All they do is scam people into thinking they might not be explitative shits which shouldnt be allowed or looked kindly upon.
So many people have to switch services now and even more will just become victims of the company after it becomes more shitty. All those people could have used some other service that is less likely to go shitty, which in turn would have given it more resources to improve.
Experienced this with 1 Password. Experienced this with Enpass in another way. Really doesn't want to experience this with Bitwarden especially because of self-hosting. Let's hold thumbs but, apparently, it was fun while it lasted...
I'm curious what your problem with enpass was? I got lifetime cheap back when lastpass went to hell and as far as I can tell with Wifi sync they could go out of business entirely and I could still use it.
Where do I go if I want to move? Must have free tier and cloud sync (or when my devices are online they sync automatically). Suppose I'm gonna look into proton.
For the last 10 years I've been using KeepassXC file + nextcloud/cloud of your choice.
Desktop and mobile apps available. Browsers have extension for it for password fill.
It's just a password-locked file that's synced between devices. Simple, not dependant on any third party services.
I use Dashlane myself. It's free tier is 10 logins which is a bit of a joke.
I like Keepass and do use it for my non-critical stuff. I sync using syncthing
Edit: Dashlane no longer offers a free tier.
10 login entries or simultaneous user logins??
They no longer provide a free tier. It was 10 login entries and I think 5 simultaneous logins.
I'm happy with proton but can't tell you if the free tier is good enough for you. Worth taking into consideration for sure if you ask me.
"Equity" or "Capital" = the kiss of death
Fuuuuuuck
Anyone have any idea how this affects Vaultwarden, if at all?
I think the short answer is that it doesn't. VaultWarden is currently open source, and no private equity organization can put the genie back in the bottle. If things get really bad then someone would likely fork the open source bits and maintain a pure open source version, in which case there would likely be a procedure to migrate existing VaultWarden installs to the purely open source successor. I don't think VaultWarden users need to be overly concerned at this point.
It won't stop them from trying though. Just look at what Bambu is doing.
The fork would have to be a browser integration as the bitwarden extensions and desktop apps are the bitwarden part. Vaultwarden as the backend self-hosted db and webapp is opensource.
Edit: bitwarden clients are not yet closed source
Seems like the clients are at least source-available? https://github.com/bitwarden/clients
For now... That's what would be forked, thanks for the correction
I thought the same, just wanted some reassurance :))
Short-term, no change.
Medium- and long-term, Bitwarden could cut off access to their clients and go closed source.
Hopefully, Vaultwarden devs take advantage of the early warning and prepare contingencies for if when Bitwarden crosses the point of no return.
Aren't Bitwarden clients open-source?
If things turn for the worse, hopefully Vaultwarden can fork the client as well
Great I bought a paid subscription for it all this time for it to end up like this, I'm done with anything that is not self hosted now on, I'll just convert my old laptop into a home server
This. At this rate everything that has growth and not open source is just a resource to exploit.
Gr8. Yet another critical service soon to be gobbled up by PE. I guess I'm moving to Proton Pass.
Time for a dedicated vaultwarden client?
As long as they don't enshittify the mobile apps and browser extensions, I'm neither surprised nor concerned. Vaultwarden exists.
And if they do ruin the client end, I expect third-party alternative clients, or a wholly new alternative, will appear soon enough.
(Yes, yes, "b-but KeePass!" folks... I've been there.)
As long as they don’t enshittify
lol you don't know how this works yet
Its never an if, its a when. And that when is VERY soon.
I hate that I upvoted this, but it's the frustrating truth
Get out now
Try keepass on self hosted sandstorm
Can keepass do passkeys?
It does but some of my passkeys didn't work after migrating my bitwarden database
I don't think so, but sandstorm can as of a few weeks ago (might not be in main branch yet)
I just went all in to bitwarden 🙃. Not ready to change again just yet but will be ready probably once it starts going to shit.
I upgraded to premium last year. Never heard about the price increase until this article. But frankly the change in leadership is more concerning to me than that.
Well, it could be forked of course. The self-hosted version at least.
Why people bother with any corporate software when it really don't provide much more than completely FOSS alternatives
Bitwarden is completely FOSS, both client and server
Not if you are being strict with the definition of FOSS.
Free and open source
Is free? Yep
Is OSS? Yep
Is it full libre? I think not, right? And I assume that is your actual issue with it?
FOSS is a standardized term. As the Free Software Foundation defines it:
Free and open-source software (FOSS) is software available under a license that gives users the right to use, share, modify, and distribute the software – modified or not – to everyone and provides the means to exercise those rights using the software's source code.
You are not granted right to modify or distribute Bitwarden. You can inspect and use that to build your own. That is what Vaultwarden does.
Well, the client code is liensed GPL 3.0 and server code is licensed AGPL 3.0, and those are both FOSS licenses. There are some additional commercial components licensed under a non-FOSS source-available license, but those are not required for the basic service. I guess you can't use the Bitwarden trademark either. I would still consider Bitwarden FOSS, although with a slightly limited (but not crippling) scope of the term "Bitwarden".
So you wanna say it's Source-Available, yes?
All I say is that it's not FOSS in the strict sense.
Neither the OSI definition, nor the FSF definition require you to allow your trademark to be used freely, nor do they require you to only host FOSS software for your FOSS software to qualify as such. The client and server software published as GPL and APL qualify as FOSS by both orgs that define the term. Vaultwarden is better for self hosting specifically because it is superior software for self hosting.
It is FOSS.
And securely hosting a password manager that is accessible over WAN links is beyond the capability of most users.
- FOSS includes distributive right. Bitwarden is not.
- I agree self hosting maybe hard, but one could always go for KeepassXC with any generic cloud storage.
What generic cloud storage do you trust?
It is an encrypted file using AES-256 so unless your threat model is state actors dedicating a data center to brute forcing it, it's probably ok mostly anywhere.
Glad I didn't let myself get talked into switching to Bitwarden from my boring KeepassXC setup...
This was the headline that finally prompted me to figure out why KeePass wasn't working on Librewolf.
(KeePass doesn't work with the flatpak version of Librewolf, you need to install it through terminal.)
It does work with some effort, even the flatpak version. I recall finding a github issue about it and then with some trial and error, it works.
I figured you have to layer the browser on the system. The KeePassXC can stay flatpak. That's how it worked for me. You always want to have one browser layered, anyways.
I don't know what this means, "... one browser layered..." I suppose I can search it... sigh, something else to figure out.
That means you want one browser to be not flatpak, in most distros the default is Firefox, but it's up to you to change.
I use proton pass because I our a subscription to proton unlimited and proton pass lets me hide my emails by making a forwarded email which is helpful.
The standard unix password manager, people.
There's almost no password manager to it.
Mobile?
3 passwords. Optimistic
This is not great but the strength of vaultwarden on the back of the bitwarden brand will give us forked clients as soon as they stop allowing self-hosters to set their instance.
Goddammit.
Moved to proton pass a while ago. Bitwarden support is just shit.
I guess I won't be recommending Botwarden to normies anymore.
I use Pass, and I’m tired of laughing at all these posts. Now I’m just ‘oh, again, what a surprise!’
My passwords are gpg-encrypted and stored in a git repository. The only improvement I can do is to migrate to my own server instead of GitLab (which I setup like a decade ago), but there’s some inertia as GitLab just works for now. And I see no real point of doing so.
The structure is open, but you can encrypt it with the external tools if needed. I have zero understanding of the attack vector when my password file name is Gmail or Proton or Server/1. Good luck doing something with it.
I use Pass, and I'm tired of laughing at all these posts
Shut up, nerd
Yeah, I’m not that loud as the other guys who keep praising some obviously stupid solutions like 1Password or I don’t know, BitWarden. And then one day … surprise surprise!
Keepass’ derivatives may be worth a look, but I don’t like it either. For most people a built-in solution iPhones provide is actually better than all this shit. If you’re on Android, good luck. Write your own if you don’t like pass.
Is there an Android solution that works with Pass?
On fdroid there is, but this is a fork from some "random" person after the original dev abandoned the project.
Thanks
As the other reply goes. I am not sure I even care whether the app is updated, I believe some software can stay finished if it’s simple enough.
Let the enshittification begin.
So does this affect vaultwarden at all?
Vaultwarden benefits from the development ideas in Bitwarden server, and especially the client app ecosystem that I am sure costs a small fortune to maintain. To go alone, vaultwarden will have a lot of work ahead of them and need to maintain a development community capable of maintaining the whole thing.
It will as there is not an VW official OS client nor browser plugin. It is undoubtedly a fucked state of affairs.
Looks like I'm moving over to something else now.
Fucking shit it's time to migrate again isn't it?
There's vaultwarden, I don't think it's difficult to migrate to that.
Always happens eventually. You can run Vaultwarden yourself if you have a homelab you trust so passwords never disappears.
I learned about alias vault recently and it seems to check all the boxes i would need. Self hostable and automatic sync and maintained with apps on all platforms https://www.aliasvault.net/
I wonder if Vaultwarden is safe.
I'm also curious of this, but I also don't fully understand what everyone is assuming is going to happen next? I don't like this but why is everyone saying run now?
At a best guess it's because up until now Bitwarden was conducting public audits.
This meant people could check their work and also highlight problems if they were found.
That's part of being fully transparent.
Changing that language may mean changing that transparency and that's bad because it means the public will have a harder time holding the company accountable if something is wrong.
It's the first step in going closed source. Time to fork.
Basically nothing survives private equity. So a CEO who’s all about private equity is a dead canary in a coal mine.
WHERE is this CEO from?
Oracle?
Seriously? That would means potential ties to the genocidal creeps
That just remind me how good stuff can go horribly wrong in the hands of such great persons. Like Oracle’s CEO years ago.
I swear, equity is literaly just pure evil, allowed to thrive only due to lack of force opposing it.
Great. Now I have to move all of my password to another services because of a stupid decision made by a company.
How good or bad is a move to Proton Pass?
It's still glp though so how shitty can it be?
I have also been getting popup ads every time I login now. It started a few months ago. Annoying but I'm using their hosting service so I can't really complain.
I have been giving them $20 per year because nothing is free
Same, I have the yearly subscription not because I use the features but because I want to support the project.
I'll leave the subscription for now, but the second they start LastPassing things up I'm cancelling the subscription.
Also my start 9 has VaultWarden as an official app, I just haven't seen the need to get it setup, now I do. I guess I know what I'm doing this weekend....
It's not self-hosted but it does the trick; I use 1Password. Plus they're Canadian not American, so that's another benefit.
Canada is part of five eyes and is functionally a US vassal. There's little difference between a Canadian tech company and an American tech company.
This also goes for most NATO countries
I just installed Bitwarden because 979 2FA started refusing to show my codes unless I set up a password and fingerprint (and fails when I try anyway). Now to find something else I guess.
Edit: wrong comment section ¯\_(ツ)_/¯