ES version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
63% Positive
Analyzed from 9212 words in the discussion.
Trending Topics
#bitwarden#password#passwords#don#more#free#vaultwarden#self#always#https
Discussion (313 Comments)Read Original on HackerNews
I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just selfhost it, at least for yourself. You'll probably be able to manage it when something happen.
The API for managing secrets automatically is gated behind `bitwarden-cli serve` which is surprising for me that I can't call the API directly using urllib or requests directly. I have to pass it through the bitwarden-cli.
I've been using bitwarden for a while, but your comment prompted me to investigate how I could backup my secrets, and this is a surprise. I am considering moving to my own infrastructure, because I dread having to depend on this tool to automate regular backups for me. Better to do that at the service layer. Problem is just how to expose it. There is always tailscale but that's just shifting the problem around.
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
Reimplementing the server side is the easy part.
But a commercial offer will need rebranding the client, and maintaining forks is much more involved. As long as Bit warden publishes the sources ...
It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
I'm trying to work out why it feels bad to trust a private company with this kind of information, whereas "we" are happy to trust AWS with our servers, Hashicorp with our Vaults, etc.
But these businesses seem to rely on some amount of scale for their trustworthiness. Password managers seem like a cottage industry in comparison, especially as lots of their users will just be "normies" and even ones on a free tier, because ~nobody thinks they should pay for a password manager?
> I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords.
I agree, but you have credible exit. As annoying as it is, it seems quite feasible to continuously migrate to the next provider who is currently in their "don't be evil" phase.
Someone on lobste.rs suggested there should be a worker-owned co-op for password managers. This fits my personal bias, but I wonder if it would be any more resistant to this failure mode? Co-ops can be bought out also, and depend on strong leadership to prevent this.
Maybe a customer-owned co-op instead of a worker-owned one could make it more impractical to buy out. Or a foundation model like Signal, Wikipedia etc.
EDIT: I'm reminded of https://fleetdm.com/ business model, which is heavily open source yet paid. That seems like essentially what Bitwarden was? And presumably Fleet is not protected from the same outcome, no matter how inspiring their example is right now.
[1]: https://keepassxc.org [2]: https://www.keepassdx.com
As side note, Syncthing is an amazing piece of software. I sync everything for my other devices into a central PC and from there I do the backups.
- [0]: https://syncthing.net/
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
just to mention an alternative method for anyone that doesnt know: keepass also has a feature called 'autotype' where the desktop program can send keystrokes to fill in password fields
the benefit of this over the browser extension is that there is no connection between your browser and your keepass vault.
its also handy for filling in passwords in desktop programs or even a terminal
one downside is that you wont be able to have passwords automatically filled in as youre browsing. you need to press a hotkey, but i would consider this to be more of a good security feature to cut out any chance of your browser autofilling any hidden password fields
there is still a browser extension that i use that adds the url to the titlebar of the browser, which makes it easier for the autotype dialog to show the correct logins from your vault
https://addons.mozilla.org/en-GB/firefox/addon/add-url-to-wi...
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a selfhosted keepass server, with the rugpulls, incidents, and whatnot, it is becoming too high of a risk.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
For non technical people, I just recommend to use the browser built in password managers. traviso has a good writeup why: https://lock.cmpxchg8b.com/passmgrs.html
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=973759
I left LastPass because of UX paper-cuts, but I've never lost passwords on either of them.
Honestly, it's something I don't want to think about and just need it to work on mobile and desktop, so the switching friction is very high for me. I'm not going to shop around and try different password managers.
Is "rug pull" a cost thing? I'm generally frugal, but pay for a family plan and don't think twice.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
The enterprise version never went beyond password management so I'm not sure how this could have generated a viable ROI.
Don’t see too much of this talk around the comments, anymore!
If you’re seeing this comment: Are lifestyle businesses on your radar?
Please do share.
See this thread from a few days ago: https://news.ycombinator.com/item?id=48118727
The economics of software creation is changing, so it stands to reason how people engage with software will change too. Finding a niche may be a game of luck more than observation/perspiration at this stage, similar to discovering oil on your "barren" property rather than building a farm. As someone who's generally independent, though: I'd love to be wrong here!
Your accountant will be configuring their own work software.
Your project manager will be developing their own work software.
Custodians will not necessarily be developing work software.
Most non-tech desk-staff start to lose focus after the fifth reply on a social media thread…
I do not believe they’re going to be able to perform the three required steps for building software solutions:
1. Know what you need (vs want).
2. Know how to ask for it.
3. Have a process for validating it.
I also don’t think it gets too much simpler than Docker et al for self-hosting, yet those concepts are genuinely a foreign language to even “tech-savvy” consumers.
I think we’re in a bubble, here,
and I am personally betting on one niche (of many) where value ($$$$) is still placed upon having another team to outsource responsibility to.
Responsibility for keeping an important tool up-to-date, keeping it able to capture data,
and most importantly: rigorously tested to ensure it’ll perform calculations correctly.
Responsibility for peak tooling, so a busy end-user can stay responsible for their craft without taking a sabbatical to build software is not going anywhere.
Whether these “peak tools” will be (validated, packaged, delivered to the user, maintained) by me,
or OpenAI/Anthropic instant-agents in 10 years,
is what I believe we should be watching.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
I'd really, really like them to not to ruin it or make it massively more expensive.
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically...nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their hn password. That's if you can even get to it - selfhosted password managers are usually on LAN/behind vpn.
Risk profile wise the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on it's back.
The crypto part barely moves the needles here
Especially if the concerns around Mythos are well founded.
The mythical Mythos can't even find Claude code bugs before releases.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.
[0] https://github.com/pixelspark/sushitrain
as long as the house doesn't catch fire, or as long i run outside with 1 of my syncthing devices (have several), local cloud is the best.
Holy smokes has that's not just -> THAT IS become one of my trigger words.
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
And you can also see how brainrotten someone's gotten when they start accidentally sneaking in these tells into their normal communication.
As a matter of fact, after a full workday in which I'm essentially forced to read LLM garbage for 9h a day... I sadly notice myself adding the same fluff pointlessness to how I express myself. like I caught a viral contagion that's actively siphoning my humanity away.
And expectedly, when coming back to those opinions with a less infected mindset, I frequently have to reevaluate these thoughts later on
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
I realise that this is moving even more of my eggs into Apple's basket, and even further from self-reliance towards convenience, but today it doesn't seem significantly worse to just trust Apple with this, than Bitwarden.
But isn't it a pain to use those passwords on any other non-Apple device? Am I missing something, or is that just not an issue for your use-case? Ah! I've just learned/relearned about iCloud Passwords through iCloud for Windows, but nothing for Linux?
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
Definitely not the most secure option, as it breaks 3-2-1 backup rule.
Too bad, because it's one of those things that could be great but just isn't in its current form.
https://github.com/dani-garcia/vaultwarden
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
I am a paid subscriber. I am kind of ok with the price increase.
The "coincident" with change of CEO and remove of "always free" tag worries me though.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now., I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshitification knows no bounds?
Circle of live, I guess.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
[0]https://en.wikipedia.org/wiki/Digital_Radio_Mondiale
1: https://support.apple.com/guide/icloud-windows/set-up-icloud...
(DISCLAIMER: I am on 1Password which I've been using for long long time - way before password management in Chrome became a real thing. But let's just say, GPM is becoming more and more compelling proposition).
And then you will be screwed very hard with not recourse...
So much of our lives is now digital. Important accounts of all kinds, banking, etc.
Waiting on several giant corps to grant your loved ones access after they go through the bureaucratic hole of documentation is... rough.
Putting my master password in my will feels the same as just writing it on a note on my desk. Putting it in a note in a safety deposit box is high effort and cost.
Anyone got a better alternative way to set this up if self-hosting and not going with Vaultwarden?
You can assume incompetence for some things ("gosh I really didn't know I should communicate organizational changes more clearly!"), but re-writing history is a deliberate and conscious act of deception.
Can't most of the many KeePass variants do that?
[1]: https://www.passwordstore.org/
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
It's still on the pricing page, albeit not as prominently. "Just getting started? Get basic password management today. Always free."
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
Time to act accordingly.
(Well, technically, you can, but then don't complain about getting called out)
Edit: “always free” was hidden under a collapsed section
"They put some of the rug back!" isn't enough to restore goodwill in my case.
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
[1]: https://proton.me/blog/pass-roadmap-spring-summer-2026
Worked well for me, I use it for non-critical web accounts and such. KeePass for the few core accounts etc.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
[1]: https://www.aliasvault.net/
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
Both re pointing to the same file using SFTP (using key based auth).
I’ve also got an additional key file on each client which isn’t on the SSH server.
It’s working pretty nicely.
Bye bye Bitwarden.
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
Waiting for everyone to understand this.
I’ve self-hosted Vaultwarden in the past and I’m planning to do it again. The lack of an iOS client is the only thing making me explore alternative solutions altogether.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
edit: s/of/and
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.