I Do Not Recommend Bitwarden

24 points by raymii


LesleyLai

That "turn off JavaScript" flash message after switching tabs is annoying, and so are the altered tab titles. No, I won't turn off JavaScript by default as it just breaks too many sites. My AdBlocker is enough to block most of the stuff on the sites I normally visit, and I only use NoScript for a few naughty sites. Looks like this one just made that list.

madrilenyo

I have misgivings about KeePassXC, too.

I'm worried the use of AI tooling is going to accelerate their adding of features I don't want or need in a password manager. It seems mostly used now for bugfixes, but if they fix most fixes, you know what will be next. It's too tempting.

They recently added (I believe without AI) "support for more file types in the inline attachment viewer (images, HTML, and Markdown), the ability to edit text file attachments". Yeah, I don't want that code in my password manager. I have a text editor and I have apps to view files.

They just need to focus on having the best possible UX, because they are in heavy competition with 1Password.

And I'm not ready to trust the devs of KeePassX? KeePassChi? ChiPass? yet.

kraxen72

I generally agree with the arguments presented against Bitwarden, but many of the issues he presented are kinda not that big of a deal, and some/many are likely caused by them using Vaultwarden or an otherwise custom setup, e.g. GrapheneOS and all that.

I've been using Bitwarden for like 5-6 years now, and the only "issue" I've had with it was that when they UI-refreshed their browser extension, it was laggy for a while, which I solved by downgrading the extension to an older version from GitHub releases and using that for a couple of months.

I would also appreciate it if the author actually mentioned the SaaS alternatives he's switching to, after such a long blog, instead of just leaving the reader to do their own research (which might yield a better result after all, since you can pick the SaaS pw. manager which is best for you, but is nevertheless annoying).

If anyone here is using another password manager, preferably open-source, but most importantly one that provides free hosting, offline support, auto-sync to cloud, a browser extension with an autofill hotkey and a mobile app, I'm all ears, so I can at least try it out.

mtlynch

Is there another open-source solution that supports credential sharing like Bitwarden?

I've been a KeePass/KeePassXC user for 15+ years, but in situations where I need to share a set of credentials with non-developers (teammates, family members), I haven't found a better solution than Bitwarden. I've never loved Bitwarden, but I've always found it the least bad option in terms of credential vault + sharing/sync.

koala

I'm currently running Vaultwarden and I'm a little bit nervous, so I think discussion around this helps.

At work I've been enjoying SOPS for automated purposes. It's pleasant in all the ways, so I have a few uses of the Bitwarden CLI that I could replace with SOPS (or maybe Ansible vaults, which I'm already using in other places).

But I'd really like to have good password sync to my phone without relying on third-party services, and I'm not a huge fan of syncthing (because I'm weird). I have Nextcloud so I could use WebDAV...

msangi

The idea of using different software for different categories of secrets is good. The reason I reached for Vaultwarden was cross-platform support (Linux and macOS), but I see a couple of places where I am using rbw on my server when something simpler would be enough.

creesch

I have recently moved back to a KeePass vault for most things and canceled my Bitwarden account. To me the deal breaker was the CLI security breach which, aside from a community forum response, got no acknowledgement from them. I expected companies in this line of work to be open and communicate. Not only about the current impact but also future steps to avoid similar incidents, etc. If they don't have all that yet, that is also okay; they should then communicate that and follow up later.

The minimal communication I saw from them here left a sour taste.

aae

Another product that has caught my eye somewhat recently is https://fnox.jdx.dev/

Haven't taken it for a serious spin yet, but it looks pretty good.