I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I am a paid subscriber. I am kind of ok with the price increase.
The "coincidence" with the change of CEO and removal of the "always free" tag worries me though.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
Exactly what value do they think they have left to extract from me? I'm a paying customer for a product that essentially just stores an indexed list of strings with at-rest encryption.
Their official App's autofill on my phone hasn't worked for several months now. I literally have to login to it once every couple hours just to manually copy and paste my usernames and passwords separately. I guess enshittification knows no bounds?
Circle of life, I guess.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
No, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There are so many off-the-shelf open source solutions now to just throw on a 5-buck VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
All locally synced
There are sharing options but they are not really convenient, not a problem for me since I mostly don't share passwords
I'll probably switch for password management once it has a proper security audit, and for email aliases once (if) they implement IMAP/SMTP or similar so reading emails isn't restricted to in-app.
Passit still works! Just as a webapp + chrome and FF extensions. I think we had an Android app too, dunno if that's still a thing.
Maybe if the best open source option is a less viable option, I should poke at its creator to revive it...
If you want to fully disassociate from bitwarden, there are vaultwarden compatible 3rd party clients. I like Keyguard.
I like 1password, it is by far the highest quality product I've used in this category. I moved from BitWarden back then because their browser integration was quite poor.
I think I'll move to something custom, or a self-hosted KeePass server. With the rug pulls, incidents, and whatnot, it is becoming too high of a risk.
Depending on your threat model, you can even just keep the .kdbx in cloud storage somewhere and point your keepass client to that. I'd recommend using a keyfile in addition to your master password though so that if anyone does happen to get a hold of the database they can't just make brute force attempts against it.
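As an added illustration of the key-file point in the comment above (not part of the original comment or of KeePass's own code): how KeePass combines the master password and a key file into the composite key, using only hashlib. The wordlist and the key-file bytes are constructed for the demo; the XML .keyx format and the later Argon2/AES-KDF stage are left out.

```python
import hashlib
from typing import Optional

def keyfile_component(data: bytes) -> bytes:
    """Map a KeePass key file's bytes to its 32-byte key component.

    KeePass rules (XML .keyx files are not handled in this demo):
    exactly 32 bytes -> used raw; 64 hex characters -> hex-decoded;
    anything else -> SHA-256 of the whole file.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()

def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components, in KeePass's fixed order:
    SHA-256(password) first, then the key-file component."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_component(keyfile)
    return hashlib.sha256(parts).digest()

def guess_password(target: bytes, wordlist, keyfile: Optional[bytes] = None) -> Optional[str]:
    """Dictionary check against a composite key; returns the matching word or None.
    Shows why the key file matters: without it a guess cannot even be tested."""
    for word in wordlist:
        if composite_key(word, keyfile) == target:
            return word
    return None

# Constructed demo data: a tiny wordlist and a 32-byte "key file".
WORDLIST = ["password", "hunter2", "letmein", "correct horse"]
KEYFILE = bytes(range(32))  # stand-in for a randomly generated key file

def demo() -> dict:
    """A password-only vault falls to the wordlist; with the key file it does
    not, and only someone who also holds the key file can check guesses."""
    return {
        "password_only": guess_password(composite_key("hunter2", None), WORDLIST),
        "with_keyfile_no_file": guess_password(composite_key("hunter2", KEYFILE), WORDLIST),
        "with_keyfile_and_file": guess_password(composite_key("hunter2", KEYFILE), WORDLIST, KEYFILE),
    }

if __name__ == "__main__":
    print(demo())
```

In a real .kdbx the composite key is further stretched by the configured KDF, which slows every guess equally; the key file is what removes the password-only guessing path altogether.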
For non-technical people, I just recommend using the browser's built-in password managers. taviso has a good writeup why: https://lock.cmpxchg8b.com/passmgrs.html
I'm not particularly worried about Bitwarden going belly up because it already has such a well-established open-source replacement. The worst-case scenario is that Bitwarden makes the clients incompatible with Vaultwarden, and like how OP already mentioned in the post, somebody in the community will fork them as soon as this happens.
It is surprisingly very durable and maintenance-free even for a script kiddie like me to maintain. My advice is (at least when it comes to Vaultwarden) don't think too much about this, just self-host it, at least for yourself. You'll probably be able to manage it when something happens.
Theft is also usually obvious.
If self-hosting, keep it at a separate location from your hard drives.
It was audited in 2024: https://www.heise.de/en/news/Password-manager-BSI-reports-cr...
I don't like being considered a resource to be stripmined by any company, but some are worse than others by the nature of our relationship. I do not need a company greedily looking at my bank password, my Google password, my brokerage account password, and even having them be tempted to look at my set of passwords with them and start valuating which password they can "intermediate" and charge me more for using. I don't even want them pondering the question of how they can break exports ("oops, sorry, passkeys can't be exported because $SECURITY_BLATHER, guess you won't be migrating" - to be fair, while I think Bitwarden had that for a bit I believe it's no longer true, but AFAIK it is true of other things that will hold passkeys for you) so that they can extract the value of my passwords to me.
I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords. I don't trust any company holding passwords to not eventually be acquired by PE/HMBA types looking to stripmine my passwords. I don't trust any company that is, once you trace the entire value chain down, basically taking out real debt with my passwords as collateral. They get the money, I get the risk. Hard pass.
So I'm not happy about self-hosting my password vault in some sense... but who else can I trust?
I'm trying to work out why it feels bad to trust a private company with this kind of information, whereas "we" are happy to trust AWS with our servers, Hashicorp with our Vaults, etc.
But these businesses seem to rely on some amount of scale for their trustworthiness. Password managers seem like a cottage industry in comparison, especially as lots of their users will just be "normies" and even ones on a free tier, because ~nobody thinks they should pay for a password manager?
> I don't trust Private Equity or the Harvard MBA mindset to be allowed to hold on to my passwords.
I agree, but you have a credible exit. As annoying as it is, it seems quite feasible to continuously migrate to the next provider who is currently in their "don't be evil" phase.
Someone on lobste.rs suggested there should be a worker-owned co-op for password managers. This fits my personal bias, but I wonder if it would be any more resistant to this failure mode? Co-ops can be bought out also, and depend on strong leadership to prevent this.
Maybe a customer-owned co-op instead of a worker-owned one could make it more impractical to buy out. Or a foundation model like Signal, Wikipedia etc.
EDIT: I'm reminded of https://fleetdm.com/ business model, which is heavily open source yet paid. That seems like essentially what Bitwarden was? And presumably Fleet is not protected from the same outcome, no matter how inspiring their example is right now.
As a side note, Syncthing is an amazing piece of software. I sync everything from my other devices into a central PC and from there I do the backups.
- [0]: https://syncthing.net/
For example, one client I used had a temporary bug that just lost the notes field entirely. It was quickly fixed but it still affected me.
I’m currently using 1Password, which I still think is the best product overall as I’ve tried just about all the rest. For this product category I’m happy to pay the highest price to get the best product.
Just to mention an alternative method for anyone that doesn't know: KeePass also has a feature called 'autotype' where the desktop program can send keystrokes to fill in password fields.
The benefit of this over the browser extension is that there is no connection between your browser and your KeePass vault.
It's also handy for filling in passwords in desktop programs or even a terminal.
One downside is that you won't be able to have passwords automatically filled in as you're browsing. You need to press a hotkey, but I would consider this to be more of a good security feature to cut out any chance of your browser autofilling any hidden password fields.
There is still a browser extension that I use that adds the URL to the title bar of the browser, which makes it easier for the autotype dialog to show the correct logins from your vault:
https://addons.mozilla.org/en-GB/firefox/addon/add-url-to-wi...
Rapidly starting to think even a vibecoded solution may be a better plan than relying on commercial options. High risk of "don't roll your own crypto" mistakes, but realistically that's not the threat model here anymore for the random individual. It's online breaches or perhaps a wrench attack, not a highly skilled crypto adversary. Plus there are probably ready-made crypto modules, so it wouldn't be a true hand-roll.
I mean I'm just spitballing here, but not convinced this is true.
From a formal security theory perspective certainly, but practically... nobody with half an ounce of skill is going to spend their time breaking one individual's custom solution that almost certainly just contains their HN password. That's if you can even get to it; self-hosted password managers are usually on LAN/behind VPN.
Risk-profile-wise the thing could be a god damn plain text .txt on a LAN network drive and still outperform a Lastpass.com that by definition has a giant hack-me sign on its back.
The crypto part barely moves the needle here.
So while Bitwarden is more secure than modern Excel out of the box, neither one is a slouch. You'll definitely spend a lot of compute cracking either one. The weakest part, as always, is the user's password.
Especially if the concerns around Mythos are well founded.
The mythical Mythos can't even find Claude code bugs before releases.
But Keepass is a bridge too far for them. I'm not that enthusiastic about it myself to be honest. The UX is a bit meh (for the clients/extensions I've tried) and file syncing and handling is not something I can in good conscience push to a non technical user. It's just too many moving parts and you just have to do this, that, and the other thing. It's not really fit for purpose with normal users as far as I can see. Like much OSS stuff, UX for normal people seems to be a bit of an afterthought with Keepass.
The key selling point of Bitwarden was that it is free-ish and it is easy enough to work with for somebody that is not too technical. My father is an Android user and my mother has an iPhone and iPad. They need access to each other's passwords so they share the same password manager. They are both in their seventies and I need something that is similarly useful and ideally without me self-hosting a lot of stuff on their behalf. I don't want to be their system administrator. And I don't want to have to sit them down to migrate their passwords every few years either.
Right now the best move to me seems to be to stick with Bitwarden. I don't really gain anything from moving them over to some other solution and there isn't really anything out there that is materially better as far as I can see.
Notionally a password manager is more secure, but is there anything stopping Bitwarden from updating the app to silently send your master password up to the mothership and selling your unencrypted vault? Even supposing they stay open source and get caught, they will still have thousands of users' data ready to sell before the rug is pulled and the game collapses.
(And besides, where do you keep your recovery codes? If some cabinet or drawer in your house is safe enough for that, it's safe enough for your book of passwords.)
Definitely not the most secure option, as it breaks 3-2-1 backup rule.
Too bad, because it's one of those things that could be great but just isn't in its current form.
With that said, I do find the direction here concerning. Quietly rewriting values, removing the promise of a free tier, hiking prices with almost no notice. I'm concerned that this feels sudden and sneaky. Sneaky behavior erodes trust.
Time to act accordingly.
(Well, technically, you can, but then don't complain about getting called out)
1: https://support.apple.com/guide/icloud-windows/set-up-icloud...
And then you will be screwed very hard with no recourse...
Holy smokes, has "that's not just -> THAT IS" become one of my trigger words.
Also, if it were handwritten, it'd have been a third of the length; the rest was LLM fluff.
If the content is also nonsense then that's worth talking about, but otherwise comments about LLM style are about as interesting as remarks about typos.
Do I like the UI changes? Eh, it's not my favorite, but I don't use it often enough to care.
What are you using for Syncthing on Android? There used to be an official Syncthing app for Android but then they stopped maintaining it. There was a popular fork but then that person stopped as well.
I looked into using Syncthing on iOS but there was only Möbius Sync and it didn't run in the background. This is what made me finally switch to Bitwarden. But of course now I need to figure out what to do next.
I do share the concerns though. The change in leadership, the poor transparency, 100% price increase and the quiet change in core values.
I was happy paying $10 yearly for Bitwarden. I'm still okay with $20 but there's a seed of doubt.
Just went to the website directly: says "Get Started Free". "Always Free" is only present at the bottom of the pricing page for personal customers.
What concerns me more is that they've started using the same language that Adobe had been panned for: "$price a month, billed yearly".
To me, that's weird language for a product that (now) costs $20.00 a year. Not hundreds or thousands. Twenty dollars. For non-enterprise users.
The lack of transparency and quietly changing things around makes me wary.
They did raise the price to $20 (but the free version is still amazing). But that's still really cheap and pretty much all services have gone up in price in the past 10 years (inflation).
Can't most of the many KeePass variants do that?
IIRC LastPass did this by slowly reducing how many devices and what kinds you could sync. They made the free option increasingly painful.
The enterprise version never went beyond password management so I'm not sure how this could have generated a viable ROI.
Don’t see too much of this talk around the comments, anymore!
If you’re seeing this comment: Are lifestyle businesses on your radar?
Please do share.
See this thread from a few days ago: https://news.ycombinator.com/item?id=48118727
The economics of software creation is changing, so it stands to reason how people engage with software will change too. Finding a niche may be a game of luck more than observation/perspiration at this stage, similar to discovering oil on your "barren" property rather than building a farm. As someone who's generally independent, though: I'd love to be wrong here!
I just don’t want to self-host if I can avoid it.
Staying on top of managing the application and the environment is a whole different level of diligence when the thing I'm self-hosting is the keys to my life. At a minimum it would have to be behind something like a WireGuard tunnel to a trusted machine, and that's an added headache for daily use.
Yes, you want to guard the machine that hosts your passwords. You can even physically keep it at home, and only proxy its port 443 wherever you have a presence in the public Internet.
That’s not to say anything is bulletproof… nothing useful is… just that I don’t entirely trust myself to be 100% on top of something like that as a hobby hosting endeavor.
Both are pointing to the same file using SFTP (using key-based auth).
I’ve also got an additional key file on each client which isn’t on the SSH server.
It’s working pretty nicely.
Bye bye Bitwarden.
So much of our lives is now digital. Important accounts of all kinds, banking, etc.
Waiting on several giant corps to grant your loved ones access after they go through the bureaucratic hole of documentation is... rough.
Putting my master password in my will feels the same as just writing it on a note on my desk. Putting it in a note in a safety deposit box is high effort and cost.
Anyone got a better alternative way to set this up if self-hosting and not going with Vaultwarden?
I'm not too worried, if Bitwarden changes their price somebody is going to vibecode a decent enough solution for pennies on the dollar, or there's always Apple's built-in product.
One of the only exceptions to this I can remember is the founder of WhatsApp, who gave an interview pretty critical of Meta some years back after it acquired WhatsApp.
[0] https://www.fastcompany.com/91542655/bitwarden-scrubs-always...
Yes, that's a very common part of an exit package for executives. Speaking from some first- and second-hand experience, you can get paid a hefty sum (6-12mo of salary worth of cash) for signing an agreement that has some amount of limits on what you can say, to whom.
There's also some kind of what I think of as a LinkedIn effect - there's a disincentive to talk trash about any organization publicly, since that's now attached to your name and might make future employers/organizations leery of hiring someone who might air their dirty laundry.
Overall it's not a problem for me if Bitwarden wants more money, but I have to draw the line at replacing top leadership with randoms from private equity and secret price hikes. I'm glad this is being highlighted and it's motivating me even more to find a suitable FOSS-friendly alternative.
I'd really, really like them to not ruin it or make it massively more expensive.
You can assume incompetence for some things ("gosh I really didn't know I should communicate organizational changes more clearly!"), but re-writing history is a deliberate and conscious act of deception.
The web interface I'd never use: I have no guarantee that my passphrase does not leave my computer. Same for the import feature: this also requires the passphrase to be sent to their servers.
Needless to say, I'll move to the next ethical E2EE password manager if BitWarden turns its back on open source.
It's still on the pricing page, albeit not as prominently. "Just getting started? Get basic password management today. Always free."
I think this is tentatively good for bitwarden - making money means you can more easily invest in the team and product. Counter to the prevailing notion in comments here, I much prefer a vc/paid product for security-critical tools.
Hope they didn't wait too long before deciding to kill the free tier.
I'm sure if BitWarden ever went closed source, it would be forked and maintained by the community and that most would migrate to the open source solution.
BitWarden being open source and auditable is one of the main reasons I use it, no hidden backdoors from them or three letter government agencies.
Waiting for everyone to understand this.
I’ve self-hosted Vaultwarden in the past and I’m planning to do it again. The lack of an iOS client is the only thing making me explore alternative solutions altogether.
Want to raise the price? Fine, be honest about it and make sure it stays sustainably stable for a long while.
I am not leaving because of the price, but because of the dishonest behaviour around something so central and vital to my daily life.
edit: s/of/and