- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
You must log in or # to comment.
giggles in proton pass
Don’t assume that proton won’t eventually want to sell up.
Yeah I’m done with cloud providers for this shit, I’m going all in for Keepass
I just migrated to keepassxc last night!
God, capitalism sucks
I still wish there was something where it had better syncing conflict management than KeePass but wouldn’t make you unable to do anything or randomly make your passwords completely inaccessible if you or your server went offline like Bitwarden.
I run vaultwarden at home without access to it from the outside world and once the sync is done I can be offline without issue.
For me it gives me read-only access most of the time, but sometimes something happens and then it becomes completely inaccessible. Which is why due to being in the middle of a move right now I exported the entire database to my laptop so that if this happens I don’t lose access to all my accounts for the two weeks my server is in transit.
How will this affect vaultwarden? I’ve been using it for 5 years and absolutely love it. I’m worried that I’ll need to switch to something else though?
The Article says:
A Note for Vaultwarden Users
Whether self-hosting stays viable long-term is the real question worth sitting with.
Right now it works because Bitwarden’s clients are open source and the server API is public. Vaultwarden implements that API, and the official apps can’t tell the difference. That depends on Bitwarden continuing to publish open source clients and not restricting which servers they’ll talk to — neither of which is guaranteed under new management.
The brake on the worst case: self-hosting is a listed Enterprise feature that generates real revenue. Killing it upsets paying business customers. That matters.
The catch: what Bitwarden sells to enterprises is their own official server stack, not Vaultwarden. Vaultwarden exists in a space they’ve tolerated but never endorsed. If the calculus shifts, the tolerance ends without any announcement. Just let the API drift until compatibility breaks on its own.
I don’t think that’s imminent. But I also thought the free tier commitment was ironclad, and “Always free” isn’t on the page anymore.The real safety net is that Bitwarden’s clients are Apache 2.0 licensed. A fork would need a rebrand to stay clear of the trademark — different name, tweaked UI, same engine — but that’s a speed bump, not a wall. The web vault works through any browser regardless of what happens to the apps, so worst case you’d lose autofill temporarily while a fork caught up. Inconvenient, not catastrophic. Vaultwarden itself is already proof the model works.
Watch the clients. If they go closed, the community will notice fast, and the fork will follow.
It shouldn’t in theory. Worst case is if bitwarden closes source, just fork the latest current open version and use it.
Ideally, a group, either independent or joining with vaultwarden devs, can build/maintain the frontend for vaultwarden that is bitwarden.
He completely misunderstands the product. Transparency is paramount. Not trust.
Not very trust inspiring. There’s a lot of flowery words encircling enshittification.
It does claim to want to always offer a free tier, but all the new values and buzzwords are funneled towards the paid versions.
if you were looking for an excuse to torpedo this abomination, here it is. hosting this gargantuan stack just for an encrypted csv file? at least the client (electron) gobbles up RAM like it’s free while being bug-compatible with whatever chrome version was current half a year ago.
sadly, news ain’t great on the other side of the fence - keepassXC dev is all-in on vibeshitting; latest non-polluted version is 2.7.9.; works fine and the stuff they’re working on is pretty far from essential. some unknown folks forked it but who’s to say what their expertise is.
never thought I’d disable my autoupdate timers but here we are. keep your eyes open.
What do you mean by “gargantuan” stack? I have a single docker container for vaultwarden that was very easy to set up and it uses less than 100mb of ram. Not sure about the client claims though. I haven’t really looked into it that much. Are you saying all versions of the client and extensions of BitWarden have issues?
Can you explain the issues with KeePass? Or is there another thread?
the dev vibecodes; I make a distinction between using the crap as a boilerplate helper and a full-blown agentic “hey computer, do this but do it super-good!”. not only that, they got a super-asshole vibe as they removed claude traces from the repo and then flaunted that it’s so people won’t know what parts were vibeshat. “good luck finding the cutoff point”, I’m paraphrasing here.
to each their own, but that’s a hard pass for that fork from me.
A password manager is literally the poster child for “I would rather it lack features, but be built carefully by an expert.”
This is my unverified understanding of the situation.
KeepassXC team added Copilot to their workflow to manage PRs and code some basic (according to KeepassXC) stuff.
Is is time block headlines with “quiet”? Its like AI decided that word gets the most clicks and its showing up everywhere.
Yeah its like those sports headlines where they try vibe you up for some trash talk
“Player A had a perfectly blunt statement about Player B”
Only to read & find out they said Player B was great, such drama lol
All just rage bait everywhere, AI or human that’s the clicks plan
OOP is AI writing about AI
This is really disappointing… I figured the open source nature of Bitwarden would save it from enshittification but as the author says, in the end, the company doesn’t need to keep it open source.
That’s the difference between libre software and merely open source software.
Libre licenses make it hard or impractical to close the source at a later date.
Open source licenses are much more permissive and allow any entity to produce a closed source derivation at any time.
Libre licenses are all about strategically protecting the software commons from privatization.
As soon as VC money comes in, the founders cash out and the enshittification begins as the VC will be expecting returns on their money.
Vaultwarden will survive. Since the client is open source, once they close the API and break compatibility of the clients with Vaultwarden, the old version of the app can simply be forked and rebranded. I also do hope that the KeyGuard app will continue to support vaultwarden as well since if bitwarden closes the API and makes a breaking change, as is likely to happen, it will break KeyGuard as well, but it will still work with VaultWarden for some time.
The real issue is that many people who are using Bitwarden aren’t savvy enough to host Vaultwarden in a secure way. Many people are careless with things like secret keys and such and dont know how to properly secure a web facing app or a VPN into their local network. But anyone who self hosts should result learn those things anyway. This one just happens to be a particularly high risk since it contains all of your passwords for everything else.
This is why despite me self hosting some things I don’t rely on vaultwarden. I’m a flawed person and my family has no idea about anything. I don’t need to stretch my imagination very far to think of a handful of reasons why it would fail my situation. I’ll gladly pay for a password manager to not have to deal with that.
Same! I self host a number of things, but I just didn’t trust myself with something as important as this. I had been paying for bitwarden even though the free plan was sufficient, just to show support. But obviously not if they go this route. I will also gladly pay for a password manager to not have to deal with that.
That’s where I was for years until I got that surprise $80CAD credit card charge a few weeks ago. Now I have 11 months to either go with someone else or figure out a self-hosted solution I can trust. It will need several layers of backups the family can actually access in an emergency.
Just learned about KeyGuard. But I dislike their LICENSE:
All Rights Reserved
Yeah, not the best. But at least there is an alternative.
We really need a VaultWarden paid service, if there isn’t anything against doing so in the license.
I don’t know why the server needs any specialized software at all though. In the end, if it’s just some password history, why not just have a client that allows generic storage backends and you can upload to Filen or S3 or whatever else you use?
It uses a database and it’s totally possible to use SQLite as the database and sync that elsewhere. You could then find or make a small client that just accesses that db directly rather than a web service, I suppose. Though there are already several apps out there that store passwords locally and their data files can be synced, if that’s what you want.
But if you’re doing that then you may not be using this in the most common way or may not understand the risk involved. This is likely to have every one of your logins, not just a single login that may or may not be used on other sites, but the specific username and password and which site it’s associated with. On addition to access to those accounts, this links all of your accounts to a single identity which companies spend billions to do with advertising IDs, cookies, embedded scripts, and lots of other, usually shady, practices. This is a gold mine, though usually only for one or a few users, so generally not a major target unless you’re being targeted personally for some reason. So, even if they don’t get the passwords, they’ve now linked every account you have on every site to your identity.
If you are allowing the database to be relatively easily obtained by syncing it to a central location accessible over the internet, a bad actor who gets it can even take their time brute forcing any encryption that may be present in the database, but if you don’t keep encryption keys only on your local device because you want to be able to use it elsewhere, then you probably stored the keys along with the db and they dont even have to bother with that, or if it uses password based encryption, they just have to guess or brute-force a single password.
If it’s behind a properly secured web service, then even if they find an exploit in the server software, they likely have to do many queries over time to get much data and the server can mitigate that risk and/or alert the owner about new logins and such. A database in the hands of the bad actor can’t complain about too many attempts to access it or notify anyone that it’s been copied.
So, IMHO, it’s a bad idea to use synced local password managers unless you have a very robustly secure way of storing the database and the encryption keys.
Yeah I was imagining a system more like Password Store - use Git to version control secrets which are encrypted using some form of asymmetric encryption.
You store the private key somewhere you control, like a USB drive or something. Same as Bitwarden’s master password.
Good to know KeyGuard is an alternative. My main worry was with the extension no longer being compatible as, like you said, I doubt they’ll continue to keep the client and API open.
Yeah, fortunately Vaultwarden has enough users that probably someone will eventually create an extension for it. And in the mean time you just have to make sure to use an old version of the existing extension until that happens. It’s not like the changes in Bitwarden will affect Vaultwarden directly. The old client versions will still work until Vaultwarden changes something.
damn I just migrated to bitwarden a few months back :(
I’ve been using it for years. But I have been waiting for this day to come. Because it always comes at some point without fail.
It always comes right after I migrate my family members. Same thing with lastpass and I’m still trying to get people off that.
faaaaaaa
You still have some time to decide which route to go. If you’re on the free version, stay there, but start looking for alternatives.
Proton Pass is an option. KeePass with Syncthing works great, but it is a dramatically different and more involved workflow.
I am using both, and deleted my Bitwarden account yesterday the moment I heard about this.
Also, I can’t suggest enough that you export all your credentials to an encrypted json file every now and then, and store it on an offline storage device. This is important.
thanks for all the suggestions - i’ve since moved to proton pass, not sure if I want to self host this aspect of my security stack - but will be watching closely
It’s a very easy migration from Bitwarden to a self-hosted and OSS Vaultwarden, if you have means to self-host. Appreciably, many don’t want to self-host their own apps and I’m not defending Bitwarden’s enshittification at all. It comes for all tech at some point :(
I would say that Vaultwarden might not be the best introduction to self hosting given the critical nature and sensitivity of the data. And if you do maybe block the admin page from external sources.
It comes for all tech at some point :(
Not sure if all tech, but definitely the ones that just want to grow grow grow. A counterexample (so far) is the Obsidian team.
TLDR: Self-host Vaultwarden
Time to recommend alternatives?!
Nothing has beaten KeePass for me so far. It takes a bit of setting up if you want your database to sync among all your devices, but in other aspects it’s perfect for me
EDIT: In case you’re curious, I use KeePassXC on PC, KeePassDX on Android, and Syncthing to sync the database.
What drove me (and my family) from KeePass to Bitwarden was the family sharing and survivor access.
Until KeePass supports these it’s not really up to par with Bitwarden.
Especially digital legacy management is a must have for a well rounded password manager.
keepassXC supports passkeys though.
That’s cool. Bitwarden also has a blue icon if we’re talking about other unrelated features.
Don’t know if it has changed but there was a reason I went to vaultwarden. Syncing was a pain it is probably better now but not looking to go back.
I use both same products, just manually copy to phone periodic as my vault is pretty static
Made the move from bitwarden not that long ago, actually a bit before their price increase (just timing not because of it). Nothing bad about BW to say, it worked great for me for years.
My motivation was wanting my password manager fully offline.
Keepass are fantastic programs, and actually now more pleased with my move after seeing some negative moves from BW I needn’t be concerned with
+1 for Keepass!
Same setup here, can recommend.
Proton Pass is a valid option.
The author wrote a guide to self-hosting VaultWarden
How vulnerable is a VaultWarden setup to splash damage from BitWarden enshittery? I would go absolutely ham on VaultWarden if it’s independant enough from this kind of move.
I’m already hosting VaultWarden locally and would also like to know. It seems like a project that could continue independently but I’d love to hear from someone with more information.
I mean, if you read the OP, it says at the end. The clients are Apache2 and can just be formed if the API starts drifiting.
I guess I need to go back to a handy notebook.
Amen!
