I'm not particularly worried about Bitwarden going belly up because it has already have such a well-established open-source replacement. The worst-case scenario is that Bitwarden make the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happen.
It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just selfhost it, at least for yourself. You'll probably be able to manage it when something happen.
and not using their official clients,
your database stays functional in perpetuity.
My host has prebuilds for Vaultwarden.
Reimplementing the server side is the easy part.
But a commercial offer will need rebranding the client, and maintaining forks is much more involved. As long as Bit warden publishes the sources ...
Theft is also usually obvious.
If self-hosting, keep at a separate location than your hard drives.
It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a selfhosted keepass server, with the rugpulls, incidents, and whatnot, it is becoming too high of a risk.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
For non technical people, I just recommend to use the browser built in password managers. traviso has a good writeup why: https://lock.cmpxchg8b.com/passmgrs.html
I left LastPass because of UX paper-cuts, but I've never lost passwords on either of them.
Honestly, it's something I don't want to think about and just need it to work on mobile and desktop, so the switching friction is very high for me. I'm not going to shop around and try different password managers.
Is "rug pull" a cost thing? I'm generally frugal, but pay for a family plan and don't think twice.
Do I like the UI changes? Eh it’s not my favorite but I don’t use it that often to care.
As side note, Syncthing is an amazing piece of software. I sync everything for my other devices into a central PC and from there I do the backups.
- [0]: https://syncthing.net/
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
The enterprise version never went beyond password management so I'm not sure how this could have generated a viable ROI.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find suitable FOSS-friendly alternative.
It's still on the pricing page, albeit not as prominently. "Just getting started? Get basic password management today. Always free."
I'd really, really like them to not to ruin it or make it massively more expensive.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn’t run in the background. This is was made me finally switch to Bitwarden. But of course now I need figure what to do next.
as long as the house doesn't catch fire, or as long i run outside with 1 of my syncthing devices (have several), local cloud is the best.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, thats weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
They did raise the price to $20 (but the free version is still amazing). But that’s still really cheap and pretty much all services have gone up in price in the past 10 years (inflation)
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I’m self hosting is the keys to my life. At a minimum it would have to be behind something like a wireguard tunnel to a trusted machine, and that’s an added headache for daily use.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
Rapidly starting to think even a vibecoded solution may be a better plan relying on commercial options. High risk of don’t roll your own crypto mistakes but realistically that’s not the threat model here anymore for the random individual. It’s online breaches or perhaps a wrench attack not highly skilled crypto adversary. Plus there are probably ready made crypto modules so wouldn’t be a true handroll
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically...nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their hn password. That's if you can even get to it - selfhosted password managers are usually on LAN/behind vpn.
Risk profile wise the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on it's back.
The crypto part barely moves the needles here
Especially if the concerns around Mythos are well founded.
The mythical Mythos can't even find Claude code bugs before releases.
Holy smokes has that's not just -> THAT IS become one of my trigger words.
Also if it was handwritten, it'd have been a third in length, the rest was LLM fluff
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iphone and ipad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of user's data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
All you have to do is exchange "keys" with the two machines you want to sync and then it's mostly set and forget
1: https://support.apple.com/guide/icloud-windows/set-up-icloud...
(DISCLAIMER: I am on 1Password which I've been using for long long time - way before password management in Chrome became a real thing. But let's just say, GPM is becoming more and more compelling proposition).
And then you will be screwed very hard with not recourse...
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
https://github.com/dani-garcia/vaultwarden/discussions/1549#...
The upstream also had this issue, which appeared to be closed without a PR:
e.g. You can’t just provide software to people that obtains TLS certs on their behalf: you have no idea how their infra is setup.
Hosting any app on your own infra is a serious skill set.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I just take ZFS snapshots. I've restored a couple of times that way just to test DR and it worked pretty well.
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service.
If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it.
I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
I am a paid subscriber. I am kind of ok with the price increase.
The "coincident" with change of CEO and remove of "always free" tag worries me though.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
I pay a cleaner, I have a dishwasher, I pay someone to do my taxes, I pay for companies to host software.
Then again, I never order food and almost never get takeaway, as cooking is nice and I value my food enough to care what goes in it. Cheaper too, easily offsetting what I pay for my password manager.
Syncthing, talking to your Tailscale IP addresses if you use it, or your private WiFi network addresses if you don't use Tailscale.
One folder synced, containing keyfile2.kdbx.
30 minutes to set up and then you almost never need to think about it again. If you don't trust Tailscale, you can run a Headscale server or just not use it. And the syncing is entirely run on your machines; your data never ends up written to someone else's SSD.
It's really not much effort.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now., I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshitification knows no bounds?
Circle of live, I guess.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
The point is that if there are only one or two red flags, you can risk assess them and continue as is if the risk is low. But if there are a large number of red flags, then you need to consider your exit strategy as well.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
I know this proverb as (translating from Polish): You're asking the boar if he's shitting in the forest.
"Is bear a Catholic?" doesn't seem very funny.
But a notion that everyone knows how Pope is regularly shitting in the woods absolutely is :)
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
Can't most of the many KeePass variants do that?
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say I move to the next ethical e2ee password manager if BitWarden turns it's back on open source.
With that said, I do find the direction here concerning. Quietly rewriting values, removing promise of free tier, hiking prices with almost no notice. I’m concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
Time to act accordingly.
(Well, technically, you can, but then don't complain about getting called out)
Edit: “always free” was hidden under a collapsed section
Pricing: Always free
Ctrl+f for "Always"
Edit: Actually, it is there, hidden from search under the collapsed pricing section.
https://web.archive.org/web/20260414143334/https://bitwarden...
"They put some of the rug back!" isn't enough to restore goodwill in my case.
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
Worked well for me, I use it for non-critical web accounts and such. KeePass for the few core accounts etc.
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
Would love it a ton more if it could offer an experience similar to BitWarden where you can view notes linked to logins or autofill credit card details with a single click from the browser extension. But overall it's really helpful.
I'm not too worried, if bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always apples built-in product.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
Waiting for everyone to understand this.
One of the only exceptions to this I can remember is the founder of Whatsapp, who gave an interview pretty critical of Meta some years back after it acquired Whatsapp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
edit: s/of/and
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.