Maybe I'm wrong here, but I don't believe that KeePass allows any sort of organizational sharing.
Yes, as can paid Bitwarden -- the OP was talking about KeePass as a replacement and I was responding with why that doesn't work for me.
Vaultwarden will continue to work until Bitwarden changes the APIs. At that point the official apps / browser extensions will diverge and it will be more difficult to use.
How so? Vaultwarden has been rock solid for me. KeePassXC was great but I would run into issues where my database would get out of sync on multiple devices and a recent change or entry would be lost. Using it on just a single device is fine. The Vaultwarden database is just a SQLite database file (encrypted) so it's easy to keep a backup of as well.
Vaultwarden is a self-hosted backend that is compatible with the Bitwarden API. It works out of the box with the official Bitwarden extension and clients.
I was always paying for Bitwarden, so their change to the "always free" tier thing never affected me.
But now, just in case, I'll start keeping backups of my passwords on my PC in case I want to move it all.
The subtext here is that people are using online password managers in part to avoid having to manage their own files and make backups. I occasionally see people show up in /r/keepass that don't fully understand the idea that the database is a file on their hard drive that they have to manage themselves. They think they are creating an "account" that just happens to be local to their machine.
Create a password and a key file. Copy the key file to each device using physical means (USB, cable transfer etc.), avoid copying it to any online service.
Then just toss the .kdbx into Dropbox or Google Drive. It's encrypted, so it's fine.
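As an added illustration of the "password + key file kept off the cloud" advice above (example code written for this thread, not KeePass's own code): a simplified model of the two-factor composite key. To my knowledge KeePass 2.x reduces each key component to 32 bytes (password: SHA-256 of its UTF-8 bytes; key file: its raw 32 bytes, its 64 hex characters decoded, or otherwise SHA-256 of the file), concatenates them and hashes once more with SHA-256; that composite key is what feeds the slow KDF, so a .kdbx synced to Dropbox is useless to anyone who has the password but not the key file. The `vault_verifier` function is a constructed stand-in for the real header check, and the sample password is made up.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _hash_key_file(data: bytes) -> bytes:
    """Reduce a key file to 32 bytes the way KeePass 2.x does (to my knowledge):
    a raw 32-byte file is used as-is, a 64-character hex file is decoded,
    anything else is hashed with SHA-256."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated 32-byte component hashes (password first,
    then key file). Leaving out the key file yields a completely different key."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += _hash_key_file(key_file)
    return hashlib.sha256(parts).digest()


def generate_key_file() -> bytes:
    # 32 random bytes; this is the file to copy by USB/cable only, never via cloud sync
    return secrets.token_bytes(32)


def vault_verifier(key: bytes) -> bytes:
    # Constructed stand-in: real KeePass checks the key through the header HMAC after
    # the KDF. Here a keyed hash of the composite key plays the role of the header check.
    return hashlib.sha256(b"demo-verifier:" + key).digest()


def can_unlock(verifier: bytes, password: str, key_file: Optional[bytes]) -> bool:
    candidate = vault_verifier(composite_key(password, key_file))
    return hmac.compare_digest(verifier, candidate)


def demo() -> dict:
    """Owner with both factors opens the vault; a cloud copy plus the password alone,
    or plus a different key file, does not."""
    password = "correct horse battery staple"   # constructed sample password
    key_file = generate_key_file()
    verifier = vault_verifier(composite_key(password, key_file))
    return {
        "owner_with_key_file": can_unlock(verifier, password, key_file),
        "password_only": can_unlock(verifier, password, None),
        "wrong_key_file": can_unlock(verifier, password, generate_key_file()),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'unlocked' if result else 'locked out'}")
```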
Realistically how often do you create new accounts? Syncing is
"I'll start keeping backups of my passwords on my PC just" Seriously, it doesn't matter how much you trust your password app, everyone should always keep backups of passwords. There's no such thing as enough backups.
While that's true, it doesn't mean you should intentionally serve yourself up on a silver platter.
Don't go crazy with security, but at least try. I assume you still lock your doors when you leave your house even though almost anyone can break in with just a $15 hammer and some time.
Depends what "offline" means. Your PC ain't exactly a fortress, and someone having access to it does not mean they have the ability to physically threaten you.
I thought the price had gone up as I got a notification that it was renewing for me. I didn't remember it being that expensive; it's close to the top of what I would pay for a service without looking at an option I manage myself.
Still. It's not there yet and works just as well now as it did before. Personally I am a bit tired of keeping ahead of the drama when you could have in most cases ignored it and never known it happened.
That's not the purpose of the free tier. You get people to use it and like it and then they bring it along into other aspects of their life both personal and professional.
The conversion rate to paid SKUs and enterprise because someone has used something before would surprise you. Many companies operate this method, such as Dropbox.
The advantage to using Bitwarden-type software over the KeePass approach is that it has a server-client model, whereas the KeePass-style approach depends on a file-based encrypted vault.
This solves the synchronization issue. With the KeePass-style approach you need another service like Syncthing or Google Drive to sync the file between devices. Which means that it is hard to use with sandboxed software that normally can't access your files. It also means that when you have devices that are offline but are being used at the same time they can get out of sync.
When that happens with KeePass you have to do a manual intervention and use a special synchronization tool to combine the different copies of the vault. Which is a risk of data loss.
It also removes the advantage KeePass has in not involving network protocols.
Pass (passwordstore) is arguably superior in this regard because it depends on a directory structure with gpg2-encrypted secrets which is then (optionally) combined with git to keep things versioned and in sync. Which means that it is very easy to keep things in sync on multiple devices if you don't mind using the command line.
The downside being that tools that interact with pass need to either be aware of how to use gpg and git or they are required to use the pass command line tool to do it for them. This causes problems with sandboxed software and you are also dependent on a git server somewhere (or SSH) to keep them in sync.
Whereas the server-client approach with Bitwarden effectively solves the synchronization issue, works with sandboxes, and allows for offline use because each client caches the encrypted version of the credentials locally. This makes it relatively easy to do things like properly integrate with browsers.
It is also client-side encrypted, so the server itself is never able to see the secrets' contents.
That being said, I don't think Bitwarden is the end all and be all. The command line client sucks, for example.
But a secrets service is definitely a superior approach to file-based synchronization.
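The "special synchronization tool" step and its data-loss risk, as an added example written for this thread (not KeePass's or Bitwarden's code): a three-way merge of two vault copies that diverged from the last synced state. Entries are keyed by a UUID and carry a last-modified time; a change on one side only is taken as-is, a change on both sides is reported as a conflict and the newer version wins while the losing version is kept as history instead of being silently dropped. The entry format, timestamps and sample vaults are constructed for the demo.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    uuid: str
    title: str
    password: str
    modified: int                                   # last-modified time, seconds since epoch (constructed)
    history: List[Tuple[int, str]] = field(default_factory=list)  # superseded (modified, password)

    def content(self) -> Tuple[str, str, int]:
        return (self.title, self.password, self.modified)


Vault = Dict[str, Entry]


def _content(e: Optional[Entry]) -> Optional[Tuple[str, str, int]]:
    return None if e is None else e.content()


def merge_vaults(base: Vault, local: Vault, remote: Vault) -> Tuple[Vault, List[str]]:
    """Three-way merge of two copies that diverged from a common last-synced 'base'.
    Returns the merged vault and human-readable notes for every real conflict."""
    merged: Vault = {}
    conflicts: List[str] = []
    for uuid in sorted(set(base) | set(local) | set(remote)):
        b, l, r = base.get(uuid), local.get(uuid), remote.get(uuid)
        local_changed = _content(l) != _content(b)
        remote_changed = _content(r) != _content(b)
        if not local_changed and not remote_changed:
            if b is not None:
                merged[uuid] = b
        elif local_changed and not remote_changed:
            if l is not None:                       # l is None means "deleted on local": propagate
                merged[uuid] = l
        elif remote_changed and not local_changed:
            if r is not None:
                merged[uuid] = r
        else:
            # Both sides changed since the last sync. A naive "copy the newest file over"
            # would throw away one device's edit here; this is the data-loss risk.
            if l is None and r is None:
                continue                            # deleted on both devices
            if l is None or r is None:
                survivor = l if l is not None else r
                merged[uuid] = survivor
                conflicts.append(f"{uuid}: deleted on one device, edited on the other; kept the edit")
                continue
            newer, older = (l, r) if l.modified >= r.modified else (r, l)
            hist = sorted(set(newer.history) | set(older.history) | {(older.modified, older.password)})
            merged[uuid] = replace(newer, history=hist)
            conflicts.append(
                f"{uuid}: edited on both devices; kept version from t={newer.modified}, "
                f"moved t={older.modified} to history"
            )
    return merged, conflicts


def demo() -> Tuple[Vault, List[str]]:
    """Constructed scenario: laptop and phone both edited the mail entry while offline,
    the laptop deleted the shop entry, and the phone added a wifi entry."""
    base = {
        "a": Entry("a", "mail", "old-pw", 100),
        "b": Entry("b", "bank", "bank1", 100),
        "c": Entry("c", "shop", "shop1", 100),
    }
    laptop = {
        "a": Entry("a", "mail", "laptop-pw", 200),
        "b": Entry("b", "bank", "bank1", 100),
    }
    phone = {
        "a": Entry("a", "mail", "phone-pw", 250),
        "b": Entry("b", "bank", "bank1", 100),
        "c": Entry("c", "shop", "shop1", 100),
        "d": Entry("d", "wifi", "wifi1", 300),
    }
    return merge_vaults(base, laptop, phone)


if __name__ == "__main__":
    merged, conflicts = demo()
    for e in merged.values():
        print(e.uuid, e.title, e.password, e.history)
    for note in conflicts:
        print("CONFLICT:", note)
```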
And was recently compromised, which doesn't give me a lot of faith in their threat model.
It uses client side encryption so for most people it doesn't really matter.
The vault is always encrypted on the server with no ability to decrypt it, so the "threat model" is exactly the same as KeePass if you are using some sort of file sync service.
It is when you get into more "enterprise" features where you want shared secrets between multiple people in groups or to have their "cloud" manage rotation and such things... that is where you can get into trouble.
Not sure exactly how all that stuff works or even how much of that bitwarden offers. Never really cared. I use vaultwarden.
I have a feeling that in the future we will see more alternatives to Bitwarden, but I think that depending on file syncing is a step backwards. Being able to support multiple software, sandboxing properly, and devices is a key part of what makes a "password manager" useful nowadays.
I use both - Keepass2Android has a worse UI, but supports syncing with cloud providers for the DB file. KeePassDX has significantly better UI and supports TOTP far better.
So I use the latter for TOTP codes specifically with a DB that doesn't leave the phone except for cold backup.
I use KeePassDX with the database stored in Nextcloud. Using the Nextcloud app, KeePassDX can open it directly from it and thus has effective cloud sync working.
Well, no. Because KeepassDX doesn't realize it's being cloud-synced, it just gets passed a "regular" file. So if you need that, you'll need Keepass2Android.
I've been using the paid version of Proton Pass for ~2.5 years now, along with the rest of the Proton Suite, and it's a very solid option. However, you will come across some sites and login flows where auto-fill won't pick up the fields, but it's not the end of the world to copy-paste. They're also pretty actively improving it and adding new features as the company grows, particularly to the native Linux apps, which I believe they have for every product now if you don't want to use web apps/extensions.
It's a little concerning reading the /r/bitwarden subreddit where a lot of comments summarize to "well, it's not a problem yet so no biggie." This isn't your cooking recipes app, this is where you're storing your most critical information.
Trust matters and waiting until there's a problem from a private equity firm is just asking for serious trouble. Private equity will never be on your side. They're run by trash people for trash people. You wouldn't even be an afterthought to them, let alone a priority.
100%. Worse, having bulletproof security is a requirement for a password manager, but it costs money to maintain. Know what equity firms hate? Things that cost money.
The only thing keeping them from laying off half their security and admin teams at this point is that they have to keep their customer base on board to keep the revenue balanced. But it quickly becomes a game of “how much can we get away with and not lose customers”, which leads to cutting corners — not something you want in security software.
There's also the fact that the free tier is a loss leader though.
They wouldn't have that much brand penetration without it, and it being that critical means that everybody would leave the instant it becomes a problem.
It's not the average enshittification of an app in which most would stay out of inertia.
The typography and spacing honestly look clean already, but the giant white card makes the page feel a bit empty on desktop. I'd tighten the vertical spacing and reduce the headline width slightly so it feels more intentional. The mint green accent works nicely though, gives it a modern editorial/blog vibe.
See the post from Plex today too? Shiiiiet even all the self hosting kings are bending to the almighty $. Better to cut the cord now and go fully independent
Meanwhile the memory card in my decade-old Mooltipass mini may be peeled and scratched, but works the same as it did when I bought it. A small dedicated device that emulates a keyboard to type in passwords for me; it does not even have networking capabilities at all.
I think the old school "unix way" of doing one thing and one thing only and doing it well is applicable to devices too.
Some of that reads like AI (though could just be me being paranoid)
But I’m keeping an eye on things too atm, however as acting IT guy for the family — I don’t have the infrastructure or knowledge to have guaranteed uptime using self-hosted in a homelab
I’d almost rather just a new startup built off the backbone of Vaultwarden
I’m not watching this because I’m worried about my own passwords. I’m watching it because this is what I document.
This is not . This is .
... And it never comes in a single dramatic a. It comes in layers. A feature post with a price change inside it. A LinkedIn update nobody made a press release about. A values page that says something slightly different than it did last week.
The real safety net is that Bitwarden’s clients are Apache 2.0 licensed. A fork would need a rebrand to stay clear of the trademark — different name, tweaked UI, same engine — but that’s a speed bump, not a wall. The web vault works through any browser regardless of what happens to the apps, so worst case you’d lose autofill temporarily while a fork caught up. Inconvenient, not catastrophic. Vaultwarden itself is already proof the model works.
Watch the clients. If they go closed, the community will notice fast, and the fork will follow.
This is the most LLM written paragraph that could ever be crafted.
I had the same impression, but only in the last paragraph, where it says:
The web vault works through any browser regardless of what happens to the apps, so worst case you’d lose autofill temporarily while a fork caught up. Inconvenient, not catastrophic. Vaultwarden itself is already proof the model works.
The "Inconvenient, not catastrophic" part inside makes that paragraph read like something AI would write. :) But probably it's my reaction because of the general state of things nowadays. The whole blog post otherwise is ok.
Glad I dropped them late last year. I guess it'll become a game of whack-a-mole now...always taking backups to whomever is the latest to promise things we need.
I guess this would be a case of "don't trust a software company with your most sensitive assets" or something like that?
Ever since I started managing my passwords through software the only one I used was KeePassXC. The day I learned about Syncthing was the day "the cloud" was over for me.
Not to mention cloud-based password managers are a very big target for hackers. Even less of a reason to trust passwords on someone else's computer
I think it's not smart to put password managers in the cloud (that is just other people's computers) because you don't know if they get DDoSed, go out of business, get blocked for some reason, or get hacked, and you lose access to a very precious and sensitive asset.
Not questioning the encryption of any of those services, I'll believe they have good faith and the vaults are safe. But your access to them isn't guaranteed at all times.
fellipec@reddit
Another day, another confirmation that the decision to self-host with FOSS was one of the best of my life.
And, sincerely, trusting password vaults to cloud services never sounded that smart to me.
IntingForMarks@reddit
The issue with self-hosting is that you have to either use a VPN every time you want to access your passwords, plus your server doesn't have the uptime of a cloud server.
Original-Guarantee23@reddit
You're on /r/linux; our servers have the same uptime as or better than a cloud server.
IntingForMarks@reddit
It's not about Linux. I have a home server, but sometimes my ISP fails or my electricity goes off. Nothing I can do to prevent that.
Original-Guarantee23@reddit
Sure it’s called a UPS and a cellular fallback modem. My network has never seen an outage.
IntingForMarks@reddit
Yeah and that's an amount of work and setup way higher than just setting up a server
Cold_Soft_4823@reddit
Non-issue, my phone is always connected to my server's DNS.
99.99% uptime across 658 days
fellipec@reddit
People underestimate having your own server so much.
IntingForMarks@reddit
I do have my own server with Tailscale. My uptime is bounded by my ISP and my energy provider; it is not something I can control.
fellipec@reddit
I live in a 3rd world country and can count on the fingers of one hand the times I've been without power, and none was longer than a handful of hours.
Can't be worse in richer countries
fellipec@reddit
No. You don't need a VPN every time.
And yes, my server has the uptime of a cloud server.
IntingForMarks@reddit
So you expose your server to the internet? Doesn't seem smart.
fellipec@reddit
No darling, I just need the VPN when I need to sync the file, not all the time.
Equivalent-Costumes@reddit
The issue with self-hosting passwords is that your entire digital life has you/your environment as the point of failure.
And I would always trust a serious team with real sysadmins with servers in a proper data center over myself. Even ignoring skill issues on my part, there are tons of problems: devices get confiscated by police, homes get flooded, homes get burned down, etc. You can rent a server, but then you are just using a cloud service in a different way, and pay way more for it. This can be mitigated with a backup schedule, but then you're back to playing sysadmin. What if you're sick, or get in a car crash? It really only works well if you have a stable home and some free time, which is a luxury few can afford.
That's why I don't self-host email or a password manager.
fellipec@reddit
A file on my computer with a proper backup scheme is orders of magnitude more reliable than any cloud service.
Doesn't matter how good the cloud service is, they can't account for the entire range of problems internet connectivity can have. A local file trumps that any day.
Equivalent-Costumes@reddit
Where are you backing up to? The cloud? You're back to cloud service.
Another drive in your home? A single flood can destroy it all.
fellipec@reddit
Multiple drives in multiple locations fam.
Since the 90s I haven't lost a file.
But I'm a guy of the old age before clouds; I know my ways in clear skies.
Equivalent-Costumes@reddit
And where are these multiple locations? Multiple homes? Paying for a separate storage unit? Having multiple relatives that let you store your stuff?
And that goes back to what I said: you have a luxury few can afford. It's about you having a material advantage in life.
fellipec@reddit
We are talking about a file less than 10 MB for most people, which is trivial to copy to every USB drive, phone, tablet, etc. you own and every free hosting that exists, and you still have the reliability of daily driving a file on your computer you always have access to.
You don't need the luxury of my mini personal datacentre to self-host a password vault.
Equivalent-Costumes@reddit
If you're using free hosting, you're going back to cloud LOL.
It doesn't matter how many copies you have locally, a flood can hit all of them at the same time. That's why it's important to have some stuff on the cloud, even if it's just a backup.
Nothing wrong with having both local and cloud copy. But if you're already going back to cloud, then what's the difference between their server and yours?
fellipec@reddit
The point is, if you use BitSomething, LastThing, OneOtherthing and tomorrow you open the app and it doesn't work and you go to their website and you have a message saying they are out of business, that the FBI seized the domain, that your country decided they should be blocked, any of those and you are cooked.
The difference with using a local file is that if Syncthing, Dropbox, Mega, Google Drive, OneDrive, Proton Drive or any others you use to sync or backup goes away, your local file is still there; you just shrug and use another software to sync, if you want, later.
In one scenario you are in the cloud service's hands, your passwords held hostage; in the other scenario you are using them as a disposable service just for a mild convenience, that almost doesn't affect your life if they, for some reason, cease to work.
Equivalent-Costumes@reddit
You should always back up your stuff, cloud or not. I was just pushing back on you for being against cloud services. You can use both cloud and local. And if you already have good backup practice amongst multiple cloud services, there is literally nothing special about self-hosting a password manager; local is just one more site for backup and is not any more special. If anything, the local site is one of the weakest sites in your backup strategy because it's much more vulnerable to random catastrophe than cloud services. It's like one of those driving vs flying risk assessments: driving is way more dangerous in actuality, but you're in control so it feels safer.
And I'm speaking as a self-hoster myself. Some stuff is just too critical to rely on yourself.
Literallyapig@reddit
If we're talking local databases with proper backup practices, I think we have to account for how likely a doomsday scenario is. Let's say you have two storage drives, and one of them isn't connected to your computer at all times. You also sync your database to your phone because you use it there, and you're also backing it up to two different (free tier) cloud storages (say, Google Drive and OneDrive).
Now, the possibility that both drives go to shit AND your phone also dies AND Google fucks with your files AND Microsoft also fucks with your files, all at the same time such that you suddenly don't have any backups you can restore, does exist but it's very very minuscule, especially if you consider two massive cloud providers destroying their users' data would affect not only you but millions of people.
Now sure, some people just don't want to deal with that, and I think this is really fair. If you're a paying customer the company has a financial incentive to keep your data safe. I just don't think storing password DBs locally is dangerous if you take proper care of them.
Now, if we're talking about things like Vaultwarden or email where you're hosting these on your own server, yeah, I don't think I'd trust myself enough to maintain such important things which I rely upon on a server exposed to the internet lol. Too much of a hassle and I'd rather just use KeePass.
Equivalent-Costumes@reddit
Nothing wrong with having both local stuff and cloud stuff. More backup is better. I just want to push back on OP's point of being against cloud services. Everything local means a single point of failure, and even if you have multiple sites, if they're close to each other a single flood can wipe it all out easily. And if you're already okay with putting your stuff on the cloud, the difference between their servers and yours is that theirs are free (for normal people), have extremely high uptime and better backup practice. Literally no downsides whatsoever.
RoomyRoots@reddit
Just use VaultWarden. All SaaS will enshitify with time.
JockstrapCummies@reddit (OP)
Vaultwarden is just the backend server though, you're still beholden to the client staying compatible.
Plus Vaultwarden's dev now works at Bitwarden, and is allowed to work on Vaultwarden in his spare time. The moment it's deemed to eat into their profits it's a very easy target.
Original-Guarantee23@reddit
So? If the clients decided to drive, the devs behind Vaultwarden would just build their own. The clients are the easy part. You can also just use the web UI from Vaultwarden to access your passwords. Vaultwarden's existence makes this whole thing a non-issue.
DrFossil@reddit
The clients are absolutely not the easy part.
The integration with every platform they have clients for (all of them) alone is a huge undertaking.
Fortunately the clients are open source so even if they break the API, the community can just fork the latest compatible version.
Original-Guarantee23@reddit
You have a browser extension and phone apps. Both fairly trivial. They are very simple CRUD apps.
DrFossil@reddit
Look, I mean this in the kindest way: you have no idea what you're talking about.
yzoug@reddit
No, Vaultwarden isn't just one dev that is also a Bitwarden employee, they already addressed this in the past. That dev is part of a broader team of volunteers, he's one of many. If he left tomorrow the project wouldn't just die.
You're right though in saying that Vaultwarden is only used because they follow the Bitwarden API, and hence it is compatible with all Bitwarden clients. As explained in the blog post, what would really break Vaultwarden is if Bitwarden decides to stop openly publishing its API. A lot would still be possible by reversing the API changes, but that will quickly turn into a mess. If or when that time comes, I hope the community will fork the project.
RoomyRoots@reddit
People have done more complex forks. I myself prefer KeePass but I do understand why people would prefer this model.
T8ert0t@reddit
So, we're back to KeePass, again. Great.
chic_luke@reddit
Really wish that was not the case. I just think client-server architectures are the best approach to this problem if you want reliable sync across different clients and devices, but then again we don't know how long the Bitwarden public API will be public.
But at the end of the day, we realistically have two options: good ol' KeePass, and hard-forking the clients and leaving the Bitwarden development direction entirely. :/
SunlightScribe@reddit
The problem is that online password managers which act as a centralized storage service are too expensive and too juicy of a target. It's only a matter of time that something goes sideways.
ungoogleable@reddit
Vaultwarden + existing clients are open source. Bitwarden the company can decide not to support the API for new clients but they can't remove the already-working code from the Internet.
chic_luke@reddit
Yup, that is the reassuring part. What makes me a little uneasy is the fact that the presence of this code does not imply that an alternative version of it will be actively maintained by the community. Hopefully it will, that tends to happen when projects fuck up really hard, and they blow up the ground underneath themselves (see Emby with Jellyfin, or Owncloud with Nextcloud, etc.).
What I really hope doesn't happen is that Bitwarden ends up being smart enough to realize going all-in is a suicidal mission, so they make the disruption very gradual and very subtle in an effort to avoid the hard fork and mass migration, and we collectively fall for it.
T8ert0t@reddit
To be honest, I can live with a little discomfort at this point. I pulled my stuff from BW. Converted it into an acceptable CSV format for KeePassXC. Have that database on my phone and laptop, and will just update the DB per device with any additions.
It sucks, but enshitificators gonna enshitificate. Better to leave the party on a high note before they upperdeck us.
thrakkerzog@reddit
I share credentials with Bitwarden -- some with my wife, and others with my kids. I don't think that this is possible with KeePass. If it was just me, it'd be great, but it's not just me and won't be until my kids are much older.
T8ert0t@reddit
I think.... You can do a DIY server and then just give them their own accounts.
But yeah, little odd.
thrakkerzog@reddit
Bitwarden allows them to manage their own set of credentials, but I can share select records from my set. They can also choose to share records with me -- it goes both ways. It's convenient for things like streaming services and local tax filing credentials. I file taxes for them, but once they're done with college they're on their own in that department.
Maybe I'm wrong here, but I don't believe that KeePass allows any sort of organizational sharing.
JimmyRecard@reddit
Vaultwarden can do all that.
thrakkerzog@reddit
Yes, as can paid Bitwarden -- the OP was talking about KeePass as a replacement and I was responding with why that doesn't work for me.
Vaultwarden will continue to work until Bitwarden changes the APIs. At that point the official apps / browser extensions will diverge and it will be more difficult to use.
ungoogleable@reddit
The clients are open source too. If Bitwarden the company tries that, client forks for Vaultwarden will pop up immediately.
thrakkerzog@reddit
I thought of that. I can see it happening for Android, but I'm less sure of iOS.
My mother in law uses Safari, and safari extensions need to be installed from the mac app store. The barrier to entry is pretty high.
Sarke1@reddit
Well at least the article let me know Vaultwarden is a thing.
arahman81@reddit
Too finicky, KeepassXC still better for local.
Ingenium13@reddit
How so? Vaultwarden has been rock solid for me. KeepassXC was great but I would run into issues where my database would get out of sync on multiple devices and a recent change or entry would be lost. Using it on just a single device is fine. The vaultwarden database is just a sqlite database file (encrypted) so it's easy to keep a backup of as well.
lmpcpedz@reddit
The KeePassXC Firefox extension was making Reddit, of all the websites, render slowly at every page load. Is the Vaultwarden extension lighter?
ungoogleable@reddit
Vaultwarden is a self-hosted backend that is compatible with the Bitwarden API. It works out of the box with the official Bitwarden extension and clients.
mlk@reddit
keepassxc + sync via dropbox
stormdelta@reddit
Same, especially since there are android/ios keepass-compatible apps that have native dropbox sync support.
T8ert0t@reddit
Yeah, although API spiking seems to be the hot new thing. (see: Reddit)
asm_lover@reddit
I was always paying for Bitwarden so their change to the always-free tier thing never affected me. But now, just in case, I'll start keeping backups of my passwords on my PC in case I want to move it all.
Spankey_@reddit
You should be doing that anyways.
SunlightScribe@reddit
The subtext here is that people are using online password managers in part to avoid having to manage their own files and make backups. I occasionally see people show up in /r/keepass that don't fully understand the idea that the database is a file on their hard drive that they have to manage themselves. They think they are creating an "account" that just happens to be local to their machine.
asm_lover@reddit
I would actually use KeePass if I had a way to sync the changes between devices.
SunlightScribe@reddit
Create a password and a key file. Copy the key file to each device using physical means (USB, cable transfer etc.); avoid copying it to any online service.
Then just toss the .kdbx into Dropbox or Google Drive. It's encrypted, so it's fine. Realistically how often do you create new accounts? Syncing is
fellipec@reddit
This. Several times I saw people recommending those products like a set up and forget thing, that you don't back up because they already do.
LOL
black_at_heart@reddit
Keep them in a physical notebook. Bruce Schneier does: https://www.schneier.com/news/archives/2010/11/bruce_schneier_write.html
Stilgar314@reddit
"I'll start keeping backups of my passwords on my PC just" Seriously, it doesn't matter how much you trust your password app, everyone should always keep backups of passwords. There's no such thing as enough backups.
SanityInAnarchy@reddit
But do keep the backups encrypted. Something like keepass maybe?
Stilgar314@reddit
If someone has access to your local copy, you're already cooked: https://xkcd.com/538
SunlightScribe@reddit
While that's true, it doesn't mean you should intentionally serve yourself up on a silver platter.
Don't go crazy with security, but at least try. I assume you still lock your doors when you leave your house even though almost anyone can break in with just a $15 hammer and some time.
SanityInAnarchy@reddit
Depends what "offline" means. Your PC ain't exactly a fortress, and someone having access to it does not mean they have the ability to physically threaten you.
fellipec@reddit
Should be common sense, but of course, isn't
panickingkernel@reddit
the nice thing about bitwarden is each device authenticated to your vault can export the vaults contents.
so technically each device has a backup. even if your account on bitwarden cloud gets nuked, you can still log into the app(s) and export everything.
amberoze@reddit
Yup, time to switch to self hosted vaultwarden.
librepotato@reddit
The article is pretty convincing. The statement written by the CEO is an attempt to prevent losing the faith of the open source community.
It seems that it is becoming a money making tool. It's been funded by venture capital. It's time they made money for their investors.
I'm tired of VC money ruining everything.
quadpent@reddit
Did they publicly say that “free” was going to go away? And what will this mean for those of us that use vaultwarden going forward?
kxra@reddit
Please can Mozilla revive Firefox Lockwise?
mtlnwood@reddit
I thought the price had gone up as I got a notification that it was renewing for me. I didn't remember it being that expensive; it's close to the top of what I would pay for a service without looking at an option I manage myself.
Still. It's not there yet and works just as well now as it did before. Personally I am a bit tired of keeping ahead of the drama when you could have in most cases ignored it and never known it happened.
teerre@reddit
It's silly for their service to be free anyway. Good thing they will start to charge something.
mediumwetsock@reddit
I see you just met boot
Leliana403@reddit
So how would you prefer they continue to keep the lights on? Ads in your bitwarden client? Data harvesting?
It's very easy to demand something be free with no strings forever when you're not the one paying for it.
MethylRed@reddit
That's not the purpose of the free tier. You get people to use it and like it and then they bring it along into other aspects of their life both personal and professional.
The conversion rate to paid SKUs and enterprise because someone has used something before would surprise you. Many companies operate this way, such as Dropbox.
AtlasCarry87@reddit
Ah, time to move away. Glad I started keeping local backups years ago
PlasticRemarkable917@reddit
What are good alternatives for mobile (android)?
ButterscotchSalty905@reddit
KeePassDX
natermer@reddit
The advantage to using bitwarden-type software over the keepass approach is that it has a server-client model, whereas the keepass-style approach depends on a file-based encrypted vault.
This solves the synchronization issue. With the keepass-style approach you need another service like Syncthing or Google Drive to sync the file between devices. Which means that it is hard to use with sandboxed software that normally can't access your files. It also means that when you have devices that are offline but are being used at the same time they can get out of sync.
When that happens with keepass you have to do a manual intervention and use a special synchronization tool to combine the different copies of the vault. Which is a risk of data loss.
It also removes the advantage keepass has in not involving network protocols.
Pass (passwordstore) is arguably superior in this regards because it depends on a directory structure with gpg2 encrypted secrets which is then (optionally) combined with git to keep things versioned and in sync. Which means that is very easy to keep things in sync on multiple devices if you don't mind using the command line.
The downside being that tools that interact with pass need to either be aware of how to use gpg and git or they are required to use the pass command line tool to do it for them. This causes problems with sandboxed software and you are also dependent on a git server somewhere (or SSH) to keep them in sync.
Whereas the server-client approach with bitwarden effectively solves the synchronization issue, works with sandboxes, and allows for offline use because each client caches the encrypted version of the credentials locally. This makes it relatively easy to do things like properly integrate with browsers.
It also is client encrypted so the server itself never is able to see the secrets contents.
That being said I don't think the bitwarden is the end all and be all. The command line client sucks, for example.
But a secrets service is definitely a superior approach to file-based synchronization.
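The out-of-sync situation described above (two offline devices editing the same vault file) is exactly what a KeePass-style synchronize tool has to untangle. As an added illustration that is not part of the original post and not KeePass's own code, the following Python models a last-writer-wins merge of two divergent vault copies, with deletion tombstones so a stale copy cannot resurrect a deleted entry; Entry, Vault and merge_vaults are made-up names and all timestamps and records are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str
    modified: int  # edit time (seconds since epoch) set by the editing device


@dataclass
class Vault:
    # Constructed model of a vault file: live entries plus deletion tombstones.
    entries: dict = field(default_factory=dict)  # uuid -> Entry
    deleted: dict = field(default_factory=dict)  # uuid -> deletion time


def merge_vaults(local: Vault, remote: Vault):
    """Combine two divergent copies of the same vault.

    For every uuid the most recent event wins, whether that is an edit on
    either side or a deletion on either side (a deletion wins ties). Entries
    that lose a conflict are returned so the user can review them rather than
    losing them silently, which is the data-loss risk a manual merge carries.
    """
    merged = Vault()
    superseded = []
    sides = (local, remote)
    uuids = set().union(*(s.entries for s in sides), *(s.deleted for s in sides))
    for uuid in uuids:
        versions = [s.entries[uuid] for s in sides if uuid in s.entries]
        tombstone = max((s.deleted[uuid] for s in sides if uuid in s.deleted), default=None)
        newest = max(versions, key=lambda e: e.modified, default=None)
        if tombstone is not None and (newest is None or tombstone >= newest.modified):
            # Deletion is the latest event: keep the tombstone so a later merge
            # with another stale copy does not bring the entry back.
            merged.deleted[uuid] = tombstone
            losers = versions
        else:
            merged.entries[uuid] = newest
            losers = [e for e in versions if e != newest]
        for e in losers:
            if e not in superseded:
                superseded.append(e)
    return merged, superseded


if __name__ == "__main__":
    # Constructed scenario: phone and laptop both edited the vault while offline.
    shared = Entry("streaming", "Streaming", "s3cret", 10)
    phone = Vault(
        entries={"mail": Entry("mail", "Mail", "new-pass", 200),
                 "bank": Entry("bank", "Bank", "b4nk", 300), "streaming": shared},
        deleted={"old-forum": 150},  # phone deleted this entry at t=150
    )
    laptop = Vault(
        entries={"mail": Entry("mail", "Mail", "old-pass", 100),
                 "old-forum": Entry("old-forum", "Old forum", "f0rum", 50),
                 "streaming": shared},
    )
    merged, lost = merge_vaults(phone, laptop)
    print(sorted(merged.entries))          # ['bank', 'mail', 'streaming']
    print([e.uuid for e in lost])          # entries the user should review
```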
stormdelta@reddit
And was recently compromised, which doesn't give me a lot of faith in their threat model.
I'm still considering setting up Vaultwarden though, especially if I can find an alternative CLI
natermer@reddit
It uses client side encryption so for most people it doesn't really matter.
The vault is always encrypted on the server with no ability to decrypt it, so the "threat model" is exactly the same as Keepass if you are using some sort of file sync service.
It is when you get into more "enterprise" features where you want shared secrets between multiple people in groups or to have their "cloud" manage rotation and such things... that is where you can get into trouble.
Not sure exactly how all that stuff works or even how much of that bitwarden offers. Never really cared. I use vaultwarden.
I have a feeling that in the future we will see more alternatives to bitwarden, but I think that depending on file syncing is a step backwards. Being able to support multiple software, sandboxing properly, and devices is a key part of what makes a "password manager" useful nowadays.
stormdelta@reddit
I quoted the part about the CLI because it was specifically the command-line client that was compromised, not the server.
natermer@reddit
oh. Didn't know that one.
I guess it sucked more than I realized.
stormdelta@reddit
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
Good news is that the compromised release was quickly found and pulled, but supply chain attacks like this are increasingly serious / common.
7lhz9x6k8emmd7c8@reddit
I'm on Keepass2Android. Is KeePassDX better?
stormdelta@reddit
I use both - Keepass2Android has a worse UI, but supports syncing with cloud providers for the DB file. KeePassDX has significantly better UI and supports TOTP far better.
So I use the latter for TOTP codes specifically with a DB that doesn't leave the phone except for cold backup.
PureTryOut@reddit
I use KeepassDX with the database stored in Nextcloud. Using the Nextcloud app, KeepassDX can open it directly from it and thus has effective cloud sync working.
stormdelta@reddit
Does it support merging from the file being changed elsewhere though?
PureTryOut@reddit
Well, no. Because KeepassDX doesn't realize it's being cloud-synced, it just gets passed a "regular" file. So if you need that, you'll need Keepass2Android.
JockstrapCummies@reddit (OP)
Keepass2Android: handles syncing for you
KeepassDX: you handle your own syncing
neoneat@reddit
On iporn, use Strongbox
Stilgar314@reddit
If you happen to trust Proton (the people from ProtonVPN), they run a password manager app.
ottocorrekt@reddit
I've been using the paid version of Proton Pass for ~2.5 years now, along with the rest of the Proton Suite, and it's a very solid option. However, you will come across some sites and login flows where auto-fill won't pick up the fields, but it's not the end of the world to copy-paste. They're also pretty actively improving it and adding new features as the company grows, particularly to the native Linux apps, which I believe they have for every product now if you don't want to use web apps/extensions.
SmellyOldGit@reddit
Just made the switch. The export - import process to move data is quick and painless.
junpei@reddit
Good tip, I just made the switch. Thanks for bringing this up.
FortuneIIIPick@reddit
I don't use it, never used it, no plans to use it so don't really care about it.
mayoforbutter@reddit
Wow, so interesting! Tell us more! What else do you not care about? You're the most interesting person I've ever met!
Sirusho_Yunyan@reddit
Shifted last week and cancelled my sub. The way this was communicated out, and the direction headed, yeah, I'm out.
BigBad0@reddit
Found better alternative please ?
Sirusho_Yunyan@reddit
I just use KeepassXC and Keepassium with a synced vault.
koenada@reddit
It's a little concerning reading the /r/bitwarden subreddit where a lot of comments summarize to "well, it's not a problem yet so no biggie." This isn't your cooking recipes app, this is where you're storing your most critical information.
Trust matters and waiting until there's a problem from a private equity firm is just asking for serious trouble. Private equity will never be on your side. They're run by trash people for trash people. You wouldn't even be an afterthought to them, let alone a priority.
axonxorz@reddit
Shouldn't be overly surprising, 8/10 of the top mods are employed by Bitwarden and PE never ever ever uses bots to sway opinion.
castillar@reddit
100%. Worse, having bulletproof security is a requirement for a password manager, but it costs money to maintain. Know what equity firms hate? Things that cost money.
The only thing keeping them from laying off half their security and admin teams at this point is that they have to keep their customer base on board to keep the revenue balanced. But it quickly becomes a game of “how much can we get away with and not lose customers”, which leads to cutting corners — not something you want in security software.
Zeikos@reddit
There's also the fact that the free tier is a loss leader though.
They wouldn't have that much brand penetration without it, and it being that critical means that everybody would leave the instant it becomes a problem.
It's not the average enshittification of an app in which most would stay out of inertia.
Leliana403@reddit
So how would you prefer they continue to keep the lights on? Ads in your bitwarden client? Data harvesting?
It's very easy to demand something be free with no strings forever when you're not the one paying for it.
Middle-Sand-5222@reddit
The typography and spacing honestly look clean already, but the giant white card makes the page feel a bit empty on desktop. I'd tighten the vertical spacing and reduce the headline width slightly so it feels more intentional. The mint green accent works nicely though, gives it a modern editorial/blog vibe.
The_Real_Kingpurest@reddit
See the post from Plex today too? Shiiiiet even all the self hosting kings are bending to the almighty $. Better to cut the cord now and go fully independent
voronaam@reddit
Meanwhile the memory card in my decade old Mooltipass mini may be peeled and scratched, but works the same it did when I bought it. A small dedicated device that emulates keyboard to type in passwords for me - does not even have networking capabilities at all.
I think the old school "unix way" of doing one thing and one thing only and doing it well is applicable to devices too.
aj0413@reddit
Some of that reads like AI (though could just be me being paranoid)
But I’m keeping an eye on things too atm, however as acting IT guy for the family — I don’t have the infrastructure or knowledge to have guaranteed uptime using self-hosted in a homelab
I’d almost rather just a new startup built off the backbone of Vaultwarden
AllCowsAreBurgers@reddit
Really? I can't tell, my AI detectors didn't tingle and it reads quite nicely.
requef@reddit
Even if we don't take into account dashes:
This is not. This is .
A... A... A... (single dramatic a...?)
I mean, I'm no expert, but these sentences smell.
Cold_Soft_4823@reddit
This is the most LLM written paragraph that could ever be crafted.
aj0413@reddit
Hey, totally could be wrong. Using Opus for a bunch of doc generation has kinda poisoned the well so to speak lol
steel_for_humans@reddit
I had the same impression, but only in the last paragraph, where it says:
The "Inconvenient, not catastrophic" part inside makes that paragraph read like something AI would write. :) But probably it's my reaction because of the general state of things nowadays. The whole blog post otherwise is ok.
aj0413@reddit
Yeah it was only towards the end. I couldn't quite put my finger on it, but it was that and the "I looked hard." bit
Which reads kinda like Opus; I use that model a lot for doc generation
levir@reddit
Everything that's posted these days has someone in the comments saying the article reads like AI. Without fail.
fellipec@reddit
This comment sounds too much like generated by an LLM.
loozerr@reddit
Correct grammar cannot be human produced nowadays.
Sarke1@reddit
You're absolutely right! Good catch—it's not just AI detectors that have to get better, but us normal humans as well.
(how did I do?)
loozerr@reddit
You need spaces around the em dash!
Sarke1@reddit
Let me go unplug myself.
Clean_Experience1394@reddit
It's true for me, if you ever see me doing it right I've been replaced by a clanker :0
StankyBassFace@reddit
Glad I dropped them late last year. I guess it'll become a game of whack-a-mole now...always taking backups to whomever is the latest to promise things we need.
Interesting_Bet_6324@reddit
I guess this would be a case of "don't trust a software company with your most sensitive assets" or something like that?
Ever since I started managing my passwords through software the only one I used was KeePassXC. The day I learned about Syncthing was the day "the cloud" was over for me.
Not to mention cloud-based password managers are a very big target for hackers. Even less of a reason to trust passwords on someone else's computer
fellipec@reddit
I think it's not smart to put password managers in the cloud (that is just other people's computers) because you don't know if they get DDoSed, go out of business, get blocked for some reason, or get hacked, and you lose access to a very precious and sensitive asset.
Not questioning the encryption of any of those services, I'll believe they have good faith and the vaults are safe. But your access to them isn't guaranteed at all times.
Natjoe64@reddit
Been using bitwarden for a long time now, had no idea. This blows.
dwbitw@reddit
Here's a link to the Bitwarden blog post on the commitment to open source and a free plan if anyone is interested.
saltyjohnson@reddit
Capitalists just can't let a good thing be good. Any product that customers enjoy is ripe for enshittification and value extraction.