The Quiet Renovation at Bitwarden
121 points by UkiahSmith
Password managers seem like a mature enough product with (now) enough of a reputation for periodic enshittification that forming a software engineering co-op for paid seamless hosting of a FOSS password manager seems viable. A company limited by constitution to equity only being ownable by people actively working there. Absent that guard the external investors will come knocking eventually, with an offer too good to refuse.
Honestly, it would be easy to do that off the Bitwarden base, too. Vaultwarden exists (as the article mentions) to run your own server, and there's KeyGuard, which is a separate Android+desktop client for Bitwarden servers, too (although I haven't got around to testing it out).
So for those familiar with Bitwarden, it wouldn't necessitate rebuilding much from scratch whatsoever.
Agree. I was a long-time 1Password user and migrated to Apple Passwords.app for personal stuff. For work, I just use whatever they give me. Not my decision.
Vista Equity are the ones that bought Citrix in 2022, and ultimately the reason I stopped working there. Nothing good can come out of this, so I consider this a signal to start looking actively for alternatives to their cloud service.
I wonder... for those of us who cannot self-host their own credential manager (for whatever reason)... what open-source, cloud-synced options remain if we exclude Bitwarden?
If you have access to any kind of file syncing, then you can use a pass-compatible DB.
I used it until last year. Good one!
But the Firefox addon hasn't been updated for 2 years: https://github.com/passff/passff
And the Android app was archived 2 years ago: https://github.com/android-password-store/Android-Password-Store I think I have seen a fork of it though.
for those of us who cannot self-host their own credential manager
I mean, you can have PikaPods or similar host it for you. You just put money in the account, and fill in some details.
I use KeePassXC, with syncing via pCloud and Keepass2Android on Android, which plugs directly into pCloud. Works well. Before that I accessed my KeePass file through WebDAV in Keepass2Android; that was fine too. Could still do that now, but the pCloud integration was a few taps less to set up.
I wondered about using Firefox (with its Sync service which I already use) as my password manager. It can be used in Android as password manager. Does anyone use it?
As another Vaultwarden user here, I think I'd welcome a community fork. Already there have been cases where some of my official Bitwarden clients had compat issues with my Vaultwarden server because the release schedules didn't align well. In a community fork, these sorts of things might be addressed better, leading to more stability.
Of course, losing the sheer contribution power of all the paid engineers at bitwarden would mean development of new features could slow to a crawl. For something like a password manager, I think that's okay though.
As another vaultwarden user here, I think I'd welcome a community fork.
Same here. The tricky part, of course, is building the trust to converge on a good community fork that gets made available in the mobile and browser app stores. Getting things published in those places carries significant friction and modest expenses, and is honestly what's stopping me from "just" vendoring the current FOSS clients for my own (and family/friend) use.
I am half tempted to do something like that with the web client, throw Tauri around it to make it behave like a desktop app, and live with that (and copy/paste into browsers instead of using the extension) to see how it wears.
Without knowing all this, today I transitioned to 1Password, something I didn't do lightly. But the UX of Bitwarden has been a bit too annoying: out-of-sync vaults, super complicated secret management, very bad sharing experience, hit-and-miss extension. After reading this I'm even more convinced by my decision.
I hear this UX complaint a lot. I almost exclusively use bitwarden on mobile. I've never had anything bad to say about the mobile app's UX.
A very, very basic one: of the 3 icons on each password in the extension, instead of having copy password, copy user and copy TOTP separately as icons, so I can access the three most important actions with as few clicks as possible, they have "Open website" for some reason, a generic copy submenu and options. For the most basic operation I need to do, I need 6 clicks: open extension, click on Copy, click on User (then paste), open extension again, click on Copy, click on Password (then paste).
This is aggravated by the fact that for some reason in firefox half of the time it doesn't open the autofill drop down so I need to do this quite often.
Another very common operation, AutoFill, is behind viewing the item. So I need to click on the item and AutoFill. It is then hit or miss whether AutoFill works at all.
Another gripe of mine is that for some financial passwords I have them set to re-prompt for the master password. But if I have to copy user, password and TOTP, I need to re-type my very long master password each time, instead of having a small heuristic based on password entry and time so that I can re-type it once and copy all three within a minute or so for that same entry.
It's also very annoying to share passwords or other secrets with people; I cannot create a time-gated link to an entry, I need to create a separate shared secret as text, so I need to craft it each time.
The whole collection system is also very awkward to use; I cannot copy to collections, I need to move the item and create a new entry manually.
If I generate a password for a site from the form using Bitwarden's own generator, it would be nice if it saved it somewhere. It has happened to me more than once that I generate it in-line using the generate-password drop-down, then click Sign Up, and Bitwarden doesn't save the info for whatever reason; then I no longer know what the password was and I need to reset the password.
It's a bit inconsistent, why can't I change the collection an item is in from inside Edit for example? I constantly need to relearn where things are because there is no consistency in the UI. Why is the collection named Owner in the Edit view for example?
Maybe some of these exist, but the whole design is so badly done that I truly have a hard time navigating it.
The UI refresh is not great, but maybe this will help:
One case that bit me very often on mobile: have an entry for a service's website, then download the service's app. First of all, the suggestion doesn't seem to do any pattern matching on the name (so you can't rely on the empty state, you need to search yourself); secondly, if you found an entry, you could never associate it "from now on" with that entry, multiplying the annoyance. This was on iOS.
When you manually search an option, there are both auto fill, and "auto fill and save" options which will add the app to the list of allowed URLs.
I'm not sure I'd want my password manager to do overly fuzzy matching (and many app package names do not match their website domains) - seems it would increase phish risk.
No, the app was never added for me and any googling confirmed that this was an issue with tight controls on iOS ("you cannot know the ID of the app in this context", AFAICT). Did you get this to work on iOS or are you just guessing?
overly fuzzy matching
Sure, but what about a 1:1 string comparison of the hostname/app, or just defaulting to match on hostname rather than whatever mode was the default (usually path, I think), very often missing service.com/login vs service.com/something-else, until I picked the matching function myself (per entry; this is another papercut).
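The two comments above disagree about how strict autofill matching should be: too fuzzy and a lookalike host gets offered the real credentials, too strict and service.com/login and service.com/something-else look like different sites. The following is an added example, not code from any commenter or from Bitwarden; the mode names, the sample vault entries and the domains are all constructed for illustration. It shows what each matching mode does and does not offer, including why a substring-style "fuzzy" mode is the phishing-prone one.

```python
"""Illustrative URI match modes for a password manager's autofill (constructed
example; mode names and sample data are assumptions, not any product's code)."""
from urllib.parse import urlsplit

# Constructed sample vault: (entry name, stored login URI).
SAMPLE_VAULT = [
    ("Service - login", "https://service.com/login"),
    ("Service - app portal", "https://app.service.com/"),
]


def _host_and_path(url):
    """Lower-cased hostname and path ('/' if empty) of a URL."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def base_domain(host):
    """Naive registrable domain: last two labels. Real implementations use the
    public suffix list so that example.co.uk is not reduced to co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matches(stored_uri, current_url, mode):
    """Return True if a stored URI should be offered on the current page under
    the given match mode."""
    s_host, s_path = _host_and_path(stored_uri)
    c_host, c_path = _host_and_path(current_url)
    if mode == "exact":
        # Host and full path must agree: service.com/login != service.com/x.
        return (s_host, s_path.rstrip("/")) == (c_host, c_path.rstrip("/"))
    if mode == "host":
        # 1:1 hostname comparison; path differences are ignored.
        return s_host == c_host
    if mode == "base_domain":
        # Any subdomain of the same registrable domain matches.
        return base_domain(s_host) == base_domain(c_host)
    if mode == "fuzzy_substring":
        # Deliberately weak: stored host anywhere inside current host. This is
        # the kind of fuzziness that lets a lookalike host pull real logins.
        return s_host in c_host
    raise ValueError(f"unknown match mode: {mode}")


def autofill_candidates(vault, current_url, mode):
    """Names of vault entries that would be offered for current_url."""
    return [name for name, uri in vault if matches(uri, current_url, mode)]


if __name__ == "__main__":
    for url in ("https://service.com/something-else",
                "https://service.com.lookalike.example/login"):  # constructed
        for mode in ("exact", "host", "base_domain", "fuzzy_substring"):
            print(f"{url:45} {mode:16} -> "
                  f"{autofill_candidates(SAMPLE_VAULT, url, mode)}")
```

Under "host" the login entry is offered on every path of service.com (the behaviour the comment asks for), under "exact" it is not, and only the "fuzzy_substring" mode offers it on the constructed lookalike host, which is the risk the earlier comment points at.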
I put up with it for years, but it, plus other UX annoyances, plus work giving away 1Password for free, made me leave.
I was an early adopter because of the open-sourceness. I'm very happy to pay. I don't want to bother self-hosting. It's a real pity.
Still, I'll just keep my regular exports going, ready to abandon ship when it really gets crummy.
Bitwarden going to hell isn't a given, just a very loud assumption at this point. If we base our assumptions on similar circumstances at other companies / IP, then the worst case scenario is pretty dark, I'll admit. Maybe not even a risk I'm willing to take. But we're not there now. Ugh, famous last words, while I'm typing this it's hard not to fall into the doom trap.
I think the tell will be when they move the easy way to point to your own self-hosted instance out of the UI and into something that only comes from corporate configuration systems or MDMs.
That's probably when the musings around community forks will turn into action.
I see mentions of this in multiple comments. Isn't there already a community fork? Vaultwarden?
Like ~creesch said, Vaultwarden is only server-side. It's also not a fork. It's an independent reimplementation of those server interfaces that its developers consider important. It's really nice, almost comprehensive, and I use that exclusively.
But there's no community client that I'm aware of, fork or independent reimplementation. Right now, if you're using a Vaultwarden server, you're still using bitwarden's web client, desktop client, browser extensions and mobile clients.
I was suggesting that the day they make the official clients hard to use with the independent server, that is likely when you'll see movement toward community forks of those. (They're GPL3, though there was a feint toward making them depend on a proprietary SDK at one point. That'd probably inspire forks too if they went through with it.)
Thank you both.
Do you know if there's already something in the community with at least an elementary level of activity that one could try out? A Firefox extension and an Android client would be great.
I've been keeping half an eye on this Android + Desktop client but haven't tried it out. It's source-available, but proprietary, so it's not really in the spirit of what I want, at least while Bitwarden is still FOSS, but it's interesting to watch it develop.
That's for the server side afaik. Not clients like Android apps, iOS apps, the desktop clients and browser extensions for various browsers.
Whether self-hosting stays viable long-term is the real question worth sitting with.
The brake on the worst case: self-hosting is a listed Enterprise feature that generates real revenue. Killing it upsets paying business customers. That matters. The catch: …
… but that’s a speed bump, not a wall.
This is LLM slop.
That’s two poorly worded passages, I agree, but in an otherwise rather interesting and informative blog article. Calling the whole thing slop seems a bit unfair. Unless the blog post is factually incorrect, is there really a problem here?
The problem is the deception. If the author had disclosed that some of the article is machine generated, or said it was coauthored by Claude, I would not be upset (but I would also not bother reading it).
From what I have gathered in conversation on this website, for some people anything that even tangentially has LLM involvement automatically falls under "slop" and should be banned. I think it only makes conversations about this more confusing. Instead of re-purposing the word slop, I think it would be more straightforward for these people to just say they are fundamentally against LLM usage. Though that isn't likely to happen either. As the LLM usage genie will also be difficult to put back in its bottle (if that is even possible), we end up with this sort of confusion.
Relevant recent meta posts:
For what it’s worth I’m not fundamentally against LLM usage, I just have no tolerance for reading LLM output passed off as genuine human communication. Once I realize the author is playing this game, I have no interest in figuring out which parts are worth salvaging. Similar to how even one instance of plagiarism taints an entire work, but put it in quotation marks and you’re fine.
While this is valuable as argument and evidence, the prose absolutely reeks of having been written by an LLM.
I thought this was not tolerated here?
is the real question worth sitting with
A fork would need a rebrand to stay clear of the trademark — different name, tweaked UI, same engine — but that’s a speed bump, not a wall.
My man this is so sloppy.
Let me ask a question. I am using Bitwarden at the moment, but I’ve been long looking into migrating to Apple’s built-in password manager. No complaints about Bitwarden on my side, but Apple stuff is just better integrated with the OS. However, two things stop me:
I believe you can import and export passwords as csv on macOS
Yes, you can export the passwords as CSV. Ironically, I did so earlier this year to move from Passwords.app to Bitwarden when I switched away from iOS.
If you have Stolen Device Protection on (set to Always for locations), the Apple Passwords app will only open with Face ID (and will not ask for your phone PIN even when Face ID fails, as Face ID becomes mandatory for Passwords). To transfer from Bitwarden to Apple Passwords, you can do so securely without exporting in plaintext; Apple has built-in secure export/import, including passkeys. For saving a copy as backup, sure, you can export and save it on another device too. I highly recommend you use a strong phone PIN, however, as that phone is connected to the same iCloud account as your Mac, and someone with access to the phone can do other types of damage besides accessing your Passwords app.
Hm, this post made me back my things up locally and create a secondary vault on Proton Pass. Things I probably should have already done, but better late than never. Private equity appearing around any entity is a huge warning sign and cause for worry.
I'm following the same path, but now I worry about all my eggs in one basket. I use Proton Mail and Drive, sometimes the VPN, already. With everything trending toward enshittification as though it's the new entropy, I feel like it's only a matter of time before Proton does the same (if they haven't already and I missed it).
Ugh, I am also a Bitwarden user. The primary advantage for me is that I share accounts information with my sisters as we try to take care of our sick, aging parents while spread out across the world. Are there any other reasonable paid services with multiple shared accounts that I can use? So far Bitwarden has been a life saver for our coordination efforts. It would be really bad to lose it.
I mean, this isn't the end of Bitwarden. It's still there and it's still working and should keep working for the time being. There is a potential that it gets reshaped and then resold, but most companies could be. Or maybe it gets more expensive.
If it works for you though, don't change things immediately. We use closed source paid-for things all the time, this isn't new.
I briefly tried Bitwarden a while back, but it wasn’t for me. It lacked essential features, and its user interface fell short of the polished design I was accustomed to with 1Password.
After 1Password raised their prices a few months ago, I switched to Apple Passwords. Everything worked well until I needed to use a browser other than Safari (to create new passwords) or Linux, which is incompatible.
I’m back to 1Password. /shrug /sigh
I think Firefox has an extension for Apple Passwords now, although I've not yet tried it.
It does. Chrome does too. But it's read-only. That means if I'm signing up for a new account, I can't save it to Apple Passwords in the browser, which defeats the whole purpose.
Any new passwords you create in Chrome are saved to your iCloud Keychain so that they are also available across your Apple devices.
~ https://chromewebstore.google.com/detail/icloud-passw%C3%B6rter/pejdijmoenmkgeppbflobdenhhabjlaj
I don't use it, but that doesn't read as read-only to me.
After reading this and the previous post, I started to think that maybe it's time for me to switch too. Today I have a parallel WebDAV server in my Tailscale network serving a KeePassXC database, which is now synced to my laptop, workstation and phone. I have to say Keepass2Android is much better than the Android version of Bitwarden, and I also like how KeePassXC fits the KDE desktop better.
Before I switch fully, I want to get my Yubikey sticks delivered. But I think now is the time.
I have already switched to KeePassXC/DX to be honest. I shouldn't have had my passwords hosted anyway, even if my VPS was/is "secure".