Comments (155)

  • craigmart
    This is an incredible overreaction over a minor change that did not even happen. You can still find "Always free" in the pricing line of the very same page everyone keeps linking as proof https://bitwarden.com/products/personal/#whats-the-differenc...
    Edit: it actually disappeared for some time but they put it back on May 18
    snapshot from May 15: https://web.archive.org/web/20260515190646/https://bitwarden...
    snapshot from May 18: https://web.archive.org/web/20260518183728/https://bitwarden...
  • MostlyStable
    While I'm not _happy_ about the messaging changes, those alone are not enough to do more than start paying closer attention. I highly, highly doubt that vault export would be the first meaningful feature change, and so I think there will be stronger signals of actual issues before then.
    As I understand it, so far the only actual change is an announced increase in prices. Obviously, from the consumer perspective, cheaper is better, but this is a product where I think that a subscription plan makes sense (and the free tier, for now, still exists), and so I'm not going to get mad about price changes. Competitors exist and if one doesn't think the new price is worth it, then switch to one of them (using the very-much-still-available vault export).
    I don't think the warning is crazy or anything, but in my personal opinion it's a little stronger/earlier than is warranted and the current appropriate response is careful watching.
  • tfarias
    I've been recommending Bitwarden for a few years now and have also been paying a yearly sub since 2022, as I always thought 10$ was a really good value.
    But with all this stuff coming out, I'm holding off on recommending it anymore; at least until everything calms down and the new value proposition is fully laid out.
    Like other folks have said, I don't think it's yet time to migrate. That being said, it doesn't hurt to do an encrypted export for backup purposes, start looking at alternatives, and reach out to people I know use Bitwarden to do the same.
    Keeping an eye out on how this develops.
  • 9x39
    Serious question - how come free is a requirement for a password manager? Everyone's gotta eat, including the maintainers of password managers.
    Tech has generous TC, lots of high-end laptops and phones worth thousands, AI & cloud spend, and yet the only acceptable price for secrets management is $0 it seems at times.
  • cjs_ac
    I store my passwords using this: https://www.passwordstore.org/
    It's a shell script that stores passwords in a git repository, containing one file per entry. The files are encrypted using a GPG key. Because it's just a git repository, you can synchronise it between devices using whatever infrastructure you want. I use a FOSS client for it on iOS, and there was one for Android before I got an iPhone.
  • Someone1234
    I think the caution around Bitwarden is justified; and I think it is good that the message is getting out there. I will say "while you still can" is hyperbole, and will do more to distract from the larger (correct) point about Private Equity.
  • blablabla123
    The last months didn't make Bitwarden look very good. On the other hand, what about the competition? Sure there's KeePassXC but that's essentially local. Bitwarden even has Send to quickly share with anyone.
    I might self-host something at some point. But even choosing something seems a menial task, not to speak of setting it actually up...
  • Terr_
    So I have an admission here: I keep seeing HN stuff about these networked password managers and I don't quite understand the appeal.
    Is it because everybody else is swapping between several different computers, and you need the synchronization?
    I just have everything in KeepassXC, and the ciphertext is subject to the same kind of backup regime I use for other files, [edit: and also additionally] a copy kept on a USB stick in my pocket.
  • arikrahman
    Just switched to KeepassXC and syncthing. Transferring keyfiles over LocalSend. This has been a great local FOSS way to keep autonomy over secrets, without even needing internet.
  • Humorist2290
    I'm taking a "wait and see" approach with Bitwarden. I've been a paying customer for a while, happy with it, and hoping the leadership changes won't be too user hostile. Still, a major reason I chose Bitwarden to begin with is they have a decent "Export" button, and all of this news reminded me that my offline backup of the vault was a few months old. Regardless of their product roadmap, they could have an incident tomorrow that keeps users away from their passwords -- offline backups are a good idea.
    And Vaultwarden is nice. I've used it at work, hosted it myself, and as a user of the password manager I can say it's basically indistinguishable. But I don't really pay Bitwarden for a password manager -- I pay them for a secure sync of a password manager I can share with family members who can't figure out a VPN.
  • stormed
    I only use Vaultwarden, which to my understanding is an open source reimplementation of Bitwarden's API. I personally haven't had any issues with it, not sure if it'll eventually stop being compatible with Bitwarden's official applications however.
  • fpauser
    That's why I use vaultwarden. I also like the fact that vaultwarden is written in rust and does not consume a lot of resources, which is great for selfhosting.
  • rootsudo
    It’s good to review, but what is the risk if you do become a paying customer?
    Paying means they have revenue, an interest to keep it secure and innovate more.
    I recall LastPass and the LastPass breach and the class action from that but that resulted from improper crypto rollout.
    Would the same risk happen with Bitwarden?
  • TN1ck
    I switched to Apple Passwords this week. Really good passkey support, 2FA support, best iOS integration. You can even share passwords with others. Sadly no first party cli support. If you only use Apple devices, it’s really solid.
  • cjwoodall
    I wish companies that offer such a core technology and what not were at times entered into a public trust, similar to how some public lands are managed, that would protect them from private equity takeovers; I know it defeats the purpose of the companies in the first place (making money), and it probably would backfire in myriad worse ways than the problems it might solve... But I do think there are many options for how products, services and what not can be structured that give the people who maintain them what they need to thrive; without mining the users for money.
    Overly idealistic thinking, maybe... but still thinking.
  • nullbyte
    Since Bitwarden is open source, can't somebody create a community-driven fork? Maybe a self hosted option?
  • poisonborz
    Clients are OSS, I wonder why nobody did a Vaultwarden-style fork of them yet that would watch over upstream changes.
  • PaulHoule
    Sometimes I think when a startup announces that they are being acquired their competitors have a meeting that morning and announce that they're going to start dialing for dollars. Since acquisitions almost always hurt customers I wonder if we can start creating "poison pills" that deter them.
  • bilal4hmed
    This is getting so tiring. What are the other options out there now?
  • ranger207
    My company just finished switching from LastPass to Bitwarden. Just in time for that to become terrible too it looks like lol
  • subhobroto
    I'm a huge fan of AliasVault https://github.com/aliasvault/aliasvault - the author is responsive, receptive. The whole ecosystem is opensource.
    Bitwarden/Vaultwarden had a good run but if someone's going to self-host Vaultwarden, I would encourage people to look into AliasVault instead. It's a complete opensource ecosystem.
  • sys32768
    We were just about to go to BitWarden from KeePass.
  • HeartStrings
    KeepassXC
  • ChrisArchitect
    Related:
    The quiet renovation at Bitwarden
    https://news.ycombinator.com/item?id=48163389
  • SubiculumCode
    Yes, there are signs of an oncoming enshittification, and these types of articles gaining traction is good because it sends a signal to the company of potential consequences... but at the same time, the evidence supporting Bitwarden enshittification is pretty weak at this point. There are degrees here, not just either/or, on/off, good/shit.
  • AdmiralAsshat
    The original creator of Bitwarden still works there as a CTO. I am curious whether he has any failsafes/poison pills in his contract when he took VC money that allows him to fork the product and start over in the event that they decide they want to lock everything down.
    Or did he sign all of those rights away when he took the $100M "fuck you" VC funding in 2022?
  • pattilupone
    WOW. Quietly editing the 4-year-old blog post is super slimy, holy crap. Also seems like since this story was published, they edited the 4-year-old blog post again. The story points out
    > But the explanatory paragraph at the bottom of the same post still says the old ones: Inclusion and Transparency. Crandell’s name is still on it. The post now contradicts itself, and nobody wrote a new one.
    Looking at the post right now, they've corrected it to Innovation and Trust.
  • SilverElfin
    All these companies are being bought by PE right? So what's a safe vendor to use?
  • colordrops
    I knew when I started hearing ads for BitWarden on NPR that the good times were over.
  • jrm4
    Third-party password management as an isolated paid service (i.e. you don't get password management unless you pay specifically for the password management) is just a terribly bad idea all around.
    Waiting for people to get this.
  • VLM
    "This way your passwords are truly yours"
    They were never yours, and zillions of people you don't know have access to them.
  • steviedotboston
    This is a whole lot of FUD.
  • avgDev
    A tale as old as time, enshittification.
  • eleventen
    I think this is a little hyperbolic. The product may drop features, increase prices, and squeeze its free tier users. Everything enshittifies. But the idea that password export might disappear or be degraded? Nah. You'll be able to jump ship any time you want.
  • nickburns
    Anyone not already using KeePass (or KeePassXC) has been doing it wrong for at least a decade.
    KeePass2Android Offline and KeePassium on mobile.
  • normalaccess
    For TRUE offline password storage use "Off The Grid". A cryptographically secure paper based password generator created by Steve Gibson from the Security Now podcast.
    https://www.grc.com/offthegrid.htm