bad_user
tiltowait
> I wanted to like Bitwarden, due to its “open source” nature. But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
Exactly my experience. When 1Password announced the shift to a crummy Electron app, I evaluated all of the major password managers, plus some less major ones, such as Strongbox. Even with the UX degradation of 1PW 8, it's still clearly superior to the others, to the point it's really not a contest.
I stuck with V7 until just a few weeks ago, when other circumstances necessitated an "upgrade". I once again evaluated the others, including Bitwarden, to see if they were "good enough". Bitwarden's UX hasn't improved as far as I can tell; more importantly, it refused to import my secrets because I had a secure note that was too big for it. Not "refused to import that note"; refused to import anything—there's no skip option. I had to do a bunch of manual nonsense, which still left me in an incomplete state because I both need that note and want it in my vault (splitting it into multiple notes is an option but also an ugly kludge).
j1elo
I'm a paying user because 1€/month is the perfect price for what I'd like a password manager to cost. But you're right and the flaws are there.
Before, I used LastPass, and for me, the form field detection was miles ahead. Not a tiny bit, but _a lot_ better. And the UI built on the ephemeral pop-up was a very bad idea that after years and years they haven't decided to ditch and do it the proper way on a new tab, like LastPass, uBlock Origin, or TreeStyleTabs do.
josephd79
When was the last time you used it? They just had a UI change here recently and it's better than the original. It's cheaper for personal and family accounts compared to 1password. I've been a paying customer of Bitwarden for a long time now and have never experienced any of these issues.
FYI, 1password has taken almost 1 billion dollars in vc investment. They have an obscene amount of pressure to grow.
flangola7
Why would a password manager need $1B?
Cloud password manager functionality can be accomplished in 6U of server space. Vault files are measured in kilobytes or megabytes, millions of customers could be handled by a single SSD RAID and a fast Xeon. Infrastructure and software to make it secure, reliable, and user friendly, add expense but not 9 digits of it.
windexh8er
I do realize that Bitwarden has also taken funding, but nowhere near this much. That being said I'm always baffled by some talking heads in the security space who continuously hawk 1Password. I'm sorry, but when you've taken that amount of funding - the customer is no longer the customer, the investors are and that is who is being catered to. Does the industry as a whole not remember LastPass and the garbage that has become to cater to "Enterprise"? I would bet good money that I can come back to this post in less than 10 years and highlight the downfall of how 1Password has changed hands, changed direction and the product has become less than ideal or a leader in their space. The upside with Bitwarden is it can be forked and kept true to its roots. I get it, 1Password has a few things that work slightly better - but I'm forced to use it for work and despise its bloated feel compared to Bitwarden.
zie
They are moving into enterprise(or trying to anyway), see things like passage[0], etc. They are trying to grow their brand and reach beyond just a simple(but nice) password manager.
JAlexoid
Because storage, even globally replicated, isn't the core cost or the core function of a security company.
Your app, the detection of forms (when total idiots try to prevent password managers being used), the security audits, active intrusion detection, etc... those are yet to be handled by an AI, so these cost a lot.
pacija
I would be more interested in knowing why would a password manager _get_ $1B.
jrm4
"Bitwarden also took VC investments. Which is fine."
Nope. With that, you've quite literally convinced me to not just avoid it forever, but to also recommend others do the same.
VC investments means "they're gonna want money back at some point," and the service they provide is too important to have that hanging in the air, especially given how badly MANY other VC backed things have screwed things up.
You've effectively told me, there's a serious, if not likely, chance that they will at some point screw me and my passwords over if I don't pay them ransom (or engage in some other similarly drastic behavior that I haven't even considered yet)
Kill this garbage now.
windexh8er
There is a difference and that is the Bitwarden bits are open source. If the masses decide to change direction and leave Bitwarden as a paid for service - they can. That can't be said about 1Password. IMO this counterbalance of OSS and VC investment can help to keep things in line - look at how this exact situation is playing out for Hashicorp. When you're $1B deep with no way for your customers to push back - you, as an end user, are no longer the customer. I still recommend Bitwarden over 1Password because of this.
bruh2
Do you have any examples of startups that went to shit due to VC funding? I have a feeling you're completely right, and I want to recommend others to avoid it. I might need some examples to back this up though:)
taneq
Pebble. They had a great niche product that was growing organically and sustainably. VCs thought the smartwatch could be the next smartphone, and dumped a truckload of cash on them. Next minute they were burning all that cash pumping out too many new models.
Meanwhile everyone stopped wearing wristwatches except as a fashion statement. The original company would have survived this easily but the VCs wanted the next Apple or bust.
Jnr
Hosting at data centers is expensive, hosting at home is not expensive. You probably already pay for internet, why not use it.
My home server costs me about 3 euro per month in electricity (and it is quite beefy for a home server) and it runs many services, not just Vaultwarden. Add homeassistant for smart home, nextcloud for document cloud, jellyfin for media, immich for photo backups, etc. Maintenance using docker and compose is also trivial task.
On top of that, it runs in a private network and has limited exposure to the outside world through VPN in case you need to access it away from home.
Yes, hosting a single service is more expensive, but hosting a bunch is much much cheaper.
nine_k
Do you pay yourself an SRE salary? Including all the taxes?
Infrastructure costs are not just AWS / DataDog / OpenAI bills.
Jnr
What is this nonsense? If you own a car and know how to drive, do you always call a taxi? And if you drive your own car, do you pay yourself a salary for being a driver? Including all the taxes?
rented_mule
> Why does everything need freaking VC investments?
I share this frustration. Putting aside the ambitions of founders and initial investors in order to address your question about "everything"...
I think it comes down to tech being perennially talent constrained. It might not feel like that right now after a year or two of big layoffs, but every time that has happened, another long hiring boom has started within a couple of years.
If there were enough competent engineers (in this case, ones that aren't going to get the company in the news for things like cryptography mistakes or sloppy data handling), then that would change all of this. But there aren't, so these companies are left competing for the scarce talent.
You need a large pool of resources for that competition. VC money (eventually replaced by liquid stock grants) is often the easiest source of that. So, VCs can help a company keep and add talent, but in return they want hypergrowth.
lucideer
It's interesting to see some comments here suggesting that people should just export their bitwarden db to keepassxc (due to the VC backing), & then the other side suggesting a closed-source alternative due to better UX. Two distant sides of a spectrum.
astromd
I’ve tried to switch from 1Password to BW and it didn’t work out. Despite its issues, 1Password is still the most capable and stable for me.
afavour
FWIW I switched just fine. The apps definitely don’t have the fit and finish of 1Password but I was up and running pretty fast and haven’t looked back.
woernsn
Here, I also want to mention vaultwarden which is an open-source Rust implementation of the server: https://github.com/dani-garcia/vaultwarden
e12e
Just a reminder that the official bitwarden server is also FOSS (AGPL):
cvalka
Written in .NET! What a disaster...
preya2k
Only thing missing from Vaultwarden is SSO/OAuth. There’s a PR for it that’s been open for years. I’ve lost hope that it’ll ever land.
mdaniel
Have you considered just merging it into your own fork? I guess it depends on what their specific concerns are, but if it's political and not technical, I'd for sure just keep rebasing that change on top of releases and let them do as they see fit
cvalka
This is the first feature they should have implemented.
notpushkin
Using Vaultwarden for my team passwords (for personal ones I have Password Store). Zero problems except when I had to migrate to another server and it didn't pick up the database from the Docker volume I restored the first time (although it's equally likely a Docker problem or me doing something wrong).
quaintdev
> it didn't pick up the database from the Docker volume I restored the first time
This happened to me too. Moved to KeePassXC with Syncthing and I haven't looked back
notpushkin
KeePass is nice from my experience, but how well does it perform in a multi-user environment?
mdhen
I use vaultwarden for my personal use. It's fantastic.
jjice
Huh, more negative than I expected. For some reason I had Bitwarden as an HN darling in my head. Not sure where I got that from. I pay for premium for $10 a year. Not sure what I actually take advantage of with that honestly but I just really like the product. That said, it's not based on a lot of competition searching. Am I missing out on some big benefits in other managers?
StevePerkins
Really surprised by this as well.
So many comments are of the generic nature, "<COMPETING PRODUCT> is miles ahead", without any specifics on what that's supposed to mean. My last few employers have used LastPass and 1Password, while I use Bitwarden for my personal stuff, and I prefer the latter by far.
The browser plugin is more reliable about recognizing when I'm entering or updating a password, and offering to store or update it. The iOS version has smoother integration with password autocomplete in other native apps. It MAY be that Bitwarden lags behind in "team" sharing features, I don't know. For personal use, that class of use cases is irrelevant to me.
As near as I can tell, there seems to be a lot of HN rage that "most" of Bitwarden is open source, but there are still some proprietary bits that keep it from 100%. I never understand this mentality, that software should fall from the sky like manna from heaven and not support a business. I also don't understand why these resentments never seem to stick to products like VS Code, that are the exact same way. Maybe Bitwarden should just try a sexier-looking dark mode UI?
nativeit
I’m with you on this. I tried every popular option a few years ago and found all of them to be rather atrocious, but settled on self-hosting VW, and found its mobile integration (using BW clients/apps) to be as close to native as anything, and its 2FA (for TOTP anyway) is superb. Nothing else thus far allows me to launch a website or app and login with 2FA faster than Bitwarden. I operate under the assumption that everything has a weak spot, at least Vaultwarden isn’t hiding the source code and if BW’s VC backers dictate some kind of rule-breaking change to the service, it won’t affect my data and forks/OSS alternatives will be easily readied to interface with it.
yoyohello13
There is a weird phenomenon in software where the open source solution is held to a higher standard than other software in the space. I also have premium Bitwarden and I love it. My org uses a different "Enterprise" grade password manager and it's way more complicated to use and the interface is slower.
I just have a rule that if I can get 80% of the same features with an open source solution I'll use it, even if it's not "the best."
Scipio_Afri
Feels like an orchestrated attempt at taking down a competitor to be honest. HN has had nothing but praise about Bitwarden before this. I use it and have had nearly none of the issues people are complaining about here; the one complaint I have would be the biometrics login with the desktop app being clunky - not a show stopper.
marisnom
I've also used Bitwarden for a while now, and it works perfectly for me I have no real complaints about it. It just works and does what it needs.
tiffanyh
FYI - Bitwarden took $100M in VC money last year.
At some point, the pressure to aggressively monetize will unfortunately happen.
https://techcrunch.com/2022/09/06/open-source-password-manag...
StevePerkins
FYI - Your two primary alternatives are LastPass and 1Password. The former of which is melting down due to security flaws, and the latter has raised roughly $1B in VC money:
https://techcrunch.com/2022/01/19/1password-series-c-funding...
At a certain point, you just have to live your life. To accept that products you use might change in the future, and you might need to migrate to something else down the road.
The alternative is just keep something like KeePass around on a thumb drive, and forgo all the cloud sync, and browser and native app autocomplete integration. But those things are really the main point to all these products. Without that, I would argue that you're better off with a pad of paper in your desk drawer.
mptest
I've found ProtonPass to be useful. Depending on how you feel about the proton ecosystem. I don't know how much VC money they've taken though.
tristan957
I use Proton for everything, but until they have a ProtonPass CLI, it is a non-starter for me. I want CLI access for my terminal email client.
protonmail
If you look at the total financial means Proton has spent to develop and grow, >98% came from the community, making VC funding less than 2%. In fact, the total amount of VC money is actually even less than the money we have given away in various donations (you can learn more about those here: https://proton.me/blog/2022-lifetime-fundraiser-results).
FirmwareBurner
My take in life: whenever VC or PE investors take over, start moving away from that product and pronto.
22289d
The new CEO concerns me. I didn't know who the founder was but I always had the impression it was a lone hacker. They passed the baton. Now it's some old Web 1.0 guy who was the CEO of eFax in the 90's.
That's not the type of service I thought I was using.
I looked up their headquarters in Santa Barbara and it's a co-working space. That doesn't sound very secure. Though that could be their corp address and they're hiding where they work.
xxkylexx
The "new" CEO has been at the helm since 2019. Long before the mentioned funding in 2022.
We don't really have a HQ since we are a 100% remote company.
Source: I am the Bitwarden founder.
louthy
> The new CEO concerns me. I didn't know who the founder was but I always had the impression it was a lone hacker. They passed the baton. Now it's some old Web 1.0 guy who was the CEO of eFax in the 90's.
This sounds like ageism to me. I don't know if this guy is any good or not, but calling out someone as a 'concern' just because they were successful in the past isn't a good look. Is there anything more substantive behind your concern?
monlockandkey
Hopefully VC never ever touch Hackernews...
:)
uoaei
Hacker News is essentially a marketing and legitimization arm of a VC firm. The community around it is the value. They know what happens if they try to change it.
rootsudo
:) :o :(
unixhero
Oh sure yes they are indeed here.
shanusmagnus
I used to think this kind of talk was bullshit grandpa paranoia. Sadly, I now agree with it 100%.
andersa
What could a password managing service possibly need this amount of money for - or worse - what could they possibly plan to be doing with it to convince the VC that they will get even more money back from this deal?
midnitewarrior
They are adding new products like an enterprise Secrets Manager for deployed applications.
vdfs
Security, They need a lot of security personnel to guard data
sleepybrett
1password is going enterprise.
dabeeeenster
As someone who much prefers bootstrapping businesses, this seems like a just insane amount of money to raise.
If you had a growing popular product like this, why on earth would you raise that amount of money? This isn't a rhetorical question btw! I would honestly like to know the rationale here?!
taneq
I guess a lot of people have a hard time saying no when offered a hundred million dollars.
tycho-newman
You mostly take VC money when you can’t get credit from ordinary lenders, and your product hasn’t generated a profit.
ploum
Wow, thanks for the info. This is indeed quite a huge sum of money for such a cheap service from which you can easily migrate.
That’s a bit worrying.
bradfa
It depends. If the point of the VC money is to go after enterprise customers and to expand into other enterprisey software security products, then $100M seems reasonable to me, especially for the time when the investment happened. The VC market seems to have cooled quite a bit from when Bitwarden took that investment, so times change and maybe they were just striking while the iron was hot?
The $10/year individual plan wouldn't warrant $100M investment. But going after big companies who are going to commit to $X/year/employee or similar kinds of pricing packages might, especially if Bitwarden integrates with existing corporate directory systems and such for delegating and managing accounts.
rmdes
should OSS users of Vaultwarden be worried?
1una
Maybe. Vaultwarden is just a compatible server. All the clients (web, browser extension, desktop, cli and mobile apps) are still maintained by Bitwarden.
e12e
Please note that bitwarden server is floss too - vaultwarden is just a simpler backend to self-host (and without a dependency on Microsoft SQL server):
drumhead
The potential enshittification from this worries me. What crazy stroke will they feel they have to pull on users to satisfy the VCs' need for a quick cash out.
johnchristopher
The flak Bitwarden takes in almost every submission about how they are tainted because of VC investments is getting boring.
belthesar
I can understand your position, but there's more than a few of us that have watched some of our favorite products pursue new verticals for the sake of making more money, losing focus on what made them great in the first place, and ultimately dying, forcing us to pivot to some replacement that is better not because its made some revolutionary improvement to the problem space, but because it's less distracted.
All that to say, every time you hear someone talking about this, it's not because they want to talk crap about Bitwarden, it's because they are afraid of getting too sucked into yet another product that works well, only to have to leave when the company's leadership loses focus. Largely because they received pressure from investors trying to 10x their investment in the short term when they could have received sustainable dividends over time.
johnchristopher
That's a slippery slope argument though. I am happy for the people you describe that they found a support group in HN comments for the impending demise of bitwarden but it's still just noise and doesn't nurture interesting conversations. Like the recurring "this webapp requires javascript", "signal is centralized", etc. It's becoming memes.
poisonborz
We would need a Vaultwarden-like project for the clients as well to have an OS fork. https://github.com/bitwarden/clients
e12e
I'm not sure I follow - both the server and clients (with the exception of one web app) are FOSS already? AGPL/GPL 3?
poisonborz
For now. It would be great if the client part would have a fork with an OS maintainer as well, who merges upstream changes but would also add features the corporate entity wouldn't want to do. Vaultwarden is much much easier to selfhost for example.
vincentkriek
Bitwarden is great. I use it everywhere and it manages passwords well. The key feature for me is the ease of use of "organizations", which allows me to share passwords with my wife easily. A lot of accounts regarding our financials or children are shared, so we both need the password. Bitwarden makes this trivial.
faitswulff
I used to do this until I realized that my wife and I could get away with just using a single Bitwarden account.
this_is_not_you
I also use the sharing feature (aka organizations) and maybe I am too dumb but it seems that you can't see or copy the password anymore once you have shared it (even the one you yourself shared with somebody else). Which is fine for when you can use the auto-fill but that just doesn't always work or isn't always feasible.
wmal
The title is misleading. This is not fully "free and open-source". I'm actually puzzled by the licensing structure.
Bitwarden server is dual-licensed [1]
- part of it is licensed with AGPL (Open Source)
- some features are licensed with a source available Bitwarden license
Now, even the Open Source core requires you to register if you want to self host. This is to provide you with complementary services like security updates, push relay servers (?), and licensing checks. [2] Although not stated in the docs, I guess this also improves their telemetry data, as they suggest to never share the license keys between installations.
I completely understand the need to use source available licenses instead of open source. What I don't understand is why to even license parts of your app as Open Source? The resulting product is not free. Neither as in beer, nor as in speech. Does anyone know good reasons for doing that? I'm asking seriously. I'd like to better understand how companies benefit by marketing their products as Open Source, even if they are barely open source.
[1]: https://github.com/bitwarden/server/blob/master/LICENSE_FAQ....
[2]: https://bitwarden.com/help/hosting-faqs/#q-what-are-my-insta...
skjoldr
"Commercial.Core and SSO integration: Code for certain new modules that are designed and developed for use by larger organizations and enterprise environments is released under the Bitwarden License, a "source available" license."
The rest of Bitwarden is free both as in beer and as in speech. Dunno why you think otherwise. Vaultwarden exists, and Bitwarden clients are compatible with it.
wmal
Thank you, and other people, for mentioning Vaultwarden. I’ll check that out. This is, however, a separate software package, coming from different people, so not related to my question.
Bitwarden is not free as in speech, as it requires me to register with Bitwarden, Inc and get a license key to be able to self host. Also, then it uses some closed cloud services.
As for the free as in beer - this is more nuanced, but I still think it is far from free. For individuals - hosting something that requires 2-4 GB of RAM [1] is definitely not free. For companies - hosting something that doesn’t include SSO is pointless. The Bitwarden source available license, that includes SSO, does not allow production use [2], and requires a paid subscription instead.
BTW I completely understand the reasons to not open source everything. What I don’t understand is: why not use the source available Bitwarden license for the entire server codebase?
[1]: https://bitwarden.com/help/install-on-premise-linux/
[2]: https://github.com/bitwarden/server/blob/master/LICENSE_FAQ....
skjoldr
> Bitwarden is not free as in speech, as it requires me to register with Bitwarden, Inc and get a license key to be able to self host.
That is not the right understanding of the term "free" because the code is completely open-source and you can remove the parts that have to do with registration and enterprise features yourself without breaking the license agreement. You would have to maintain such a fork on your own though. It would be easier if Bitwarden Inc. themselves would maintain a completely open-sourced version and an open core version with non-free parts and registration, but they are not obligated to do so.
tjomk
Why does everyone assume that if something is open source it must also be free and licensed under permissive license allowing you whatever? Briefly looking at their website I got the impression that it was meant for transparency reasons rather than in the spirit of free and open-source.
wmal
I didn't assume it must be free of charge. I only mentioned it isn't, to point that this is not a possible reason they chose AGPL.
I did, however, assume the Open Source <=> OSI approved license. How else to define Open Source?
Transparency alone could be achieved with their own Source Available license, so it doesn't seem like a reason for double licensing.
linsomniac
Yesterday I was listening to The Changelog podcast with Steve O'Grady called "Open Source is at a Crossroads". In it he says something along the lines of: We have companies come to us saying they want to release their source under an encumbered license and we tell them that they can definitely do that but they can't call it open source, because open source means something fairly specific to developers. We work with them on getting their specific license terms set up but they come back saying "We really want to call it open source, because developers find open source cool, and we want to attract developers." Developers like it because of what open source means.
wmal
Thank you, I found the answer to my question posted above in this podcast and the article linked there [1]
So, the argument is simply that Open Source is a branding that attracts developers as a target group.
I wonder when will we start seeing commercial, source available projects posted to GitHub with a single file like stringutils.[ts|go|java|etc] MIT-licensed for a single purpose of calling the entire project "Open Source"
[1]: https://redmonk.com/sogrady/2023/08/03/why-opensource-matter...
e12e
I don't think anyone really cares, but from the wording in the license faq, it sounds like you can host the server as FOSS -only?
> ... api includes... Commercial Core which is under the Bitwarden License, however this can be disabled by using /p:DefineConstants="OSS" as an argument to dotnet while building the module.
the_gipsy
You said it yourself, marketing.
BrunoBernardino
I'm surprised no one's mentioned Padloc [1] yet. It's end-to-end encrypted, open source, easy to self host, and with a really nice UI + UX. I got all my family to use it and used it for over a year, before eventually contributing actively to it.
There's even a Tauri-based desktop app!
Full disclosure: I have "contributing power" but do not make money from its sales or anything like it.
[1]: https://padloc.app
xd1936
"This app isn't available for your device because it was made for an older version of Android". Cannot install.
—Google Play on an Android 13 Pixel 7. That and the star rating are not confidence inspiring.
BrunoBernardino
Sorry, I install from the APK directly, available in the GitHub repo. I see someone already created an issue for it at https://github.com/padloc/padloc/issues/725 so thanks for bringing it up!
ax0ar
First time I’m seeing this and the branding/design shouts “stay away from me, I’m a student project!”
Not exactly the impression I’d like to see when using a password manager. And I’m a UI/UX designer in case you wonder…
BrunoBernardino
Well, it couldn't be farther away from the truth. It's a very profitable business (I tried to buy it, but I don't have nearly enough money). So I just contribute to improve things because I like it. I do get the design isn't for everyone, though, so thanks for sharing!
earthling8118
Do you care to elaborate on why you feel this way? Specifics would be appreciated. I'm not getting the same signal from it at all.
haizhung
Does it have WiFi sync? Seems like all the big players are committed to removing that, and that’s like the one single thing I want from a password manager: don’t store all my passwords in the cloud.
neandrake
Check out CodeBook, it’s not open source but it’s a 1-time fee per device type (windows, Mac, iPhone, android), up to five installs. I’ve purchased for phone, MacBook, and windows pc and been using for the past 5+ years and am satisfied with it. The product itself isn’t open source but the company which makes it does develop an open source module/extension of SQLite for encrypted database. All syncing is manually done, across Wi-Fi or it can use Dropbox or google drive.
nyolfen
wow, closed source, manual sync, and i get to pay for it?
BrunoBernardino
Nope. It stores the data end-to-end encrypted in the devices locally and synchronizes that to the cloud. I personally liked the wi-fi sync a long time ago with 1Password (before it was a subscription-based business), but since this is e2ee and open source, I'm fine with the cloud storage.
darrmit
Bitwarden is not perfect, but calling `pass` "easy" is comical - especially for those of us sharing passwords with far less technical family members - and 1Password has a very opinionated UI that seems to get more in the way than anything. I find Bitwarden to strike a good balance between security, price, and design.
That said, I do share in the concern about the funding and exec changes.
Try1275
I am a happy user and find it very convenient but how safe is it really to have all your jewels centralized in the cloud, including 2FA. It seems such a worthwhile target.
On the other hand keeping everything in sync manually seems a hassle and in the end you just encrypt on your machine and the syncing goes through the cloud anyway, so where's the difference? I'd be happy to hear thoughts on this.
UncleMeat
You absolutely must be able to create unique and reasonably strong passwords for each of the services you use. This is the absolute most critical first step in account management.
From here, we can have a discussion about broad behavior and individual behavior. We observe that at scale people reuse passwords if they are not using a password manager. End of story. Getting people to use a password manager at scale is the single largest practical improvement in account security for the general population that we have available to us right now. This is even true with the risk of a vault being stolen and unlocked. I've never seen any data that even remotely challenges this point.
Cloud management of passwords is basically non-negotiable for most people. "Oh fuck, my vault was on my computer and I dropped it on the floor and the disk broke" will be a constant occurrence. Getting everybody to properly back up their vaults is not feasible at scale.
You can separately talk about specific people if you want. If you are capable of creating unique and sufficiently strong passwords for all of your accounts, then go ahead and avoid a password manager. This will mitigate a marginal risk for you.
Tmpod
Yeah that's a good point. I have pretty much all my passwords on BitWarden but no 2FA tokens to avoid "putting all my eggs in one basket". If you centralize both secrets, you don't really have two factors of authentication anymore. I use Aegis on mobile and pass (with otp extension) on the computer, with completely different passwords from bitwarden.
If you're worried about using Bitwarden's cloud vault, you can always spin up an instance of vaultwarden (FOSS server impl in Rust) and point your clients to it. I haven't done it myself yet (though I will likely do it) but I've heard it works really well.
devjab
For me it was more a matter of convenience than security. I didn't mind using "sameish" passwords for 90% of my accounts. Good enough not to be auto-broken on one leak, really bad if someone actually targeted me. But what eventually drove me to Bitwarden was that I needed more and more different 2FA methods, which were all somehow linked to my phone. Many of which weren't actually backed up. My first idea was to just use Authy, but apparently my phone number is linked to an account that isn't mine, and their support has been unable to do anything about it, so that's not exactly possible. So I went with Bitwarden.
I’m not too worried about the eggs in one basket. My digital national ID and my email credentials aren’t saved on my Bitwarden, so while I obviously don’t want to lose it, it also wouldn’t be the end of the world for me.
silversmith
I'm using keepass, and the sync does not seem to be hassle - my file lives in dropbox, and it's always been synced before I open the app on another device. Bonus - backing up the database is as easy as copy-pasting a file.
kapep
For anyone who wants to avoid storing the Keepass database in the cloud store I can recommend Syncthing.
For extra security I use a key file in addition to a password which I manually transfer between devices.
ckozlowski
I'm glad to read this, as I hit upon a similar solution for my own password store. My Keepass DB lives in Dropbox, but my key file does not. If I want to open it (along with password) on a device, I manually install the key.
I'm sure I forgo some convenience by not having field auto-populate all of the time (Keepass can do some of this, but I haven't had it work reliably), but I relax knowing I need not worry about a third-party service being hacked or my credentials being behind a paywall.
hsbauauvhabzb
If your data is valuable enough, or you personally have the skills for something better, then yes, it's not the greatest solution.
For the average user, it is infinitely better to use a password manager than to use hunter42 on all their accounts.
checkyoursudo
Guess I had better go update all my passwords to hunter43 now.
autophagian
For this I self-host vaultwarden (https://github.com/dani-garcia/vaultwarden), an implementation of the bitwarden server, on my raspberry pi at home (and back up the DB frequently). It works well enough for me, and doesn't have my stuff stored in a single company's cloud.
hollander
So what if the disk crashes? Do you keep backups? In the cloud?
sigio
Always have backups... but in the Bitwarden/Vaultwarden case (just like with git), every client has a full copy which can be synced back to a new server, so even if you lose a server, you still have all passwords on (every) client. In my case, that is multiple browser instances on multiple laptops and the Bitwarden client on Android.
tuhriel
There are different places to keep backups.
My relevant data is synced regularly to my NAS (running a RAID-1) and I weekly back the whole thing up to an offsite disk at my parents' house.
Can someone who really, really wants it get to it? Sure, but how big of a target am I against a cloud provider?
hanniabu
Can't back up to USB?
shortcake27
Storing OTPs in your password manager is like 1.5FA. It still provides protection against phishing, brute-forcing, socially engineered password resets, so it isn’t totally useless. But it doesn’t protect against your vault getting compromised.
I keep super important 2FA codes (email, github etc) elsewhere, and for less important services, I store the OTP in my password manager.
UncleMeat
OTPs don't protect against phishing. You still type the TOTP in a browser window that sends it off to the attacker. Phishing SDKs automatically handle proxying the password over and then proxying the TOTP over.
shortcake27
Depends how sophisticated the attack is. Plenty of attacks aren’t. I could have been clearer in my comment, but what I meant was “can protect” not “guaranteed protection”, I apologise if it was taken that way.
On the topic of phishing and OTPs, storing the OTP in your password manager could actually help with phishing (as opposed to storing it in an authenticator), because it will only autofill on the correct domain. This can be the difference between compromising a password or the whole account.
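The domain-bound autofill check the comment above relies on, as an added example (not Bitwarden's or any other product's code): it compares the registrable domain (eTLD+1) of the saved login with the page the user is on, so a lookalike host that merely contains the real name does not get the credential, and neither does a plain-HTTP page. The public-suffix table is a constructed stand-in for the real Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix table for this example; a real
# client would load the full Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the eTLD+1 of a URL's host, e.g. 'vault.example.com' -> 'example.com'."""
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    # Scan from the longest candidate suffix downwards so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The host is itself a bare public suffix: nothing to match against.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # unknown TLD: refuse rather than guess


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Decide whether a credential saved for saved_url may be filled on current_url.

    Matching on the registrable domain is what makes a lookalike such as
    example.com.evil.net fail even though it contains the real name.
    Filling over plain HTTP is refused too, since the secret would leave
    the browser unencrypted.
    """
    if urlsplit(current_url).scheme != "https":
        return False
    saved, current = registrable_domain(saved_url), registrable_domain(current_url)
    return saved is not None and saved == current


if __name__ == "__main__":
    saved = "https://vault.example.com/login"
    for page in ("https://example.com/#/login",
                 "https://example.com.evil.net/login",
                 "https://examp1e.com/login",
                 "http://vault.example.com/login"):
        print(f"{page:45} fill={should_autofill(saved, page)}")
```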
LinAGKar
Bitwarden encrypts the data locally, so it's not readable on the server. Shouldn't be any less secure than syncing your KeePass DB to the cloud.
ta8645
Unless the client is compromised. The question becomes: do you trust Bitwarden and KeePass equally, to deliver an uncompromised client?
aborsy
The difference is that Bitwarden is a webapp, thus serves you code in real time. The server could serve bad JavaScript to a particular user. You have to trust the server.
Also, there is a chance of data breach. The 2FA and hardware keys are bypassed in this case. It’s all your master password.
vinckr
>The 2FA and hardware keys are bypassed in this case. It’s all your master password.
Not sure I follow. When my master password is breached, attackers would still need to have my hardware key (which I obviously don't keep in the cloud), right?
gchamonlive
In case of a password breach, yes, but the comment you are responding to refers to a data breach, where somehow the attacker dumps raw database data, which is still encrypted but only by your master password, afaik.
tkubacki
Open source and easy to use: https://www.passwordstore.org/
timvisee
I created `prs`, which solves a lot of pain points I had with pass and other clients.
It is compatible with pass and uses the very same store.
rjmunro
This is a bit different. It's not a password manager app, it's more a standard for storing passwords encrypted with GPG in ~/.password-store and a reference CLI implementation. Several GUI clients exist to interact with the passwords, as well as tools to import from other password managers etc.
It sounds like a good idea, but I'm worried that a client could be at risk of a software supply chain attack - I don't think I will have the expertise to evaluate each new version.
dewey
Easy to use... for computer professionals. Try introducing pass to your family; even 1Password is not easy to set up for regular people. We have a long way to go before everyone is using password managers. The more realistic alternative is probably passkeys.
proaralyst
Note that pass by design leaks both the websites you have set up and the metadata of the history of each record. This might suit your threat model, or it might not.
zikduruqe
If I'm looking in your ~/.password-store directory and see entries named Finance/, Travel/, Streaming/, Work/... you have bigger problems.
xcdzvyn
Could I ask why?
fryktelig
Wouldn't the attacker need to breach your git server first before that was leaked?
newscracker
I’ve been using Bitwarden more as a backup since it lags in more ways than one. With iOS 17 bringing password sharing, I may be able to rely on that and switch to KeePass (and its derivatives) as a cross platform backup where needed.
Products like 1Password and Dropbox first made a good consumer product before pivoting to enterprise and making the products worse. Even before the VC funding of $100 million, Bitwarden started pivoting to cater to enterprise features and neglected the consumer side. This has resulted in Bitwarden doing a minimum set of things in a very mediocre way.
Its desktop clients are based on Electron and suffer with the common issues related to that (don’t behave like native apps for keyboard shortcuts or navigation, sluggish, etc.). Its mobile app, at least on iOS, is also sluggish and has poor UX.
People have asked for additional predefined item types (like WiFi passwords, software licenses, etc.) and that’s been on the roadmap for more than five and a half years [1] with no timeframe for release in sight. It just recently changed the timeframe for this from the first half of 2023 back to “Under Research”. [2] In all likelihood, it’ll be six and a half to seven years by the time that’s done, if at all.
One positive about Bitwarden is that its free tier offers something that’s somewhat good (ProtonPass is nowhere close to this as of yet). But I don’t see anything in the password management market that’s cheap enough (like Bitwarden’s personal plan), has good features (including browser extensions) and stability, and is managed by courteous and helpful people (1Password fails on some of these).
[1]: https://community.bitwarden.com/t/additional-item-types-pre-...
[2]: https://community.bitwarden.com/t/bitwarden-roadmap/12865
luczsoma
1Password is miles ahead. Its UX is WAY better, as is its cryptography architecture and its security whitepaper (https://1passwordstatic.com/files/security/1password-white-p...). Bitwarden doesn’t even come close.
alt227
Unfortunately, 1Password doesn't have the main feature that most of us are probably using Bitwarden for: self-hosting.
EDIT: I have just noticed this. Everyone who's interested should submit!
throwawaaarrgh
And 1Password doesn't work from behind corp proxies with custom traffic inspection certs.
kstrauser
We added a steering exception to our Netskope setup for 1Password. All the traffic going there is encrypted twice anyway, once by the app and again by TLS, so inspection doesn't show you anything interesting.
somehnguy
It does fine here
belthesar
Ironically, I tried to fill out that form, and I receive a 429 when trying to submit. I guess they aren't going to get a lot of requests to make this product a reality if they can't get feedback that folks want it.
throwaway2990
No. The user experience of 1Password is just frustrating. I use it daily for work and don’t like it. I’ve used it longer than I’ve used bitwarden.
maccard
I started with KeePass, and switched to Bitwarden for personal use, and LastPass for work (before LastPass imploded). I now use 1Password everywhere. I've got complaints, sure, but Bitwarden regularly fails at input field detection on mobile and web, and regularly fails at login (particularly with biometrics). If a tool can't reliably do its core functionality, it's not fit for purpose.
throwaway2990
Unsure what it’s like on android but it never fails on iOS. I think both 1Password and bitwarden are great on iOS. My issue is with the chrome and Firefox plugins for 1Password. I never have issues with bitwarden but 1Password I often need to refresh after logging in.
hooverd
I've never had any issues with Bitwarden.
toyg
It lacks the one feature most of the world cares about, though: support for Android.
coder543
https://play.google.com/store/apps/details?id=com.onepasswor...
What are you talking about?
toyg
1password started on iOS and for a long time it was Apple-only. I've not checked it in ages, and when I went on the homepage today I probably got confused by their copy in the Products menu, which says "Go passwordless today and start using passkeys with 1Password in the browser and 1Password for iOS". I guess it's some specific feature only available in those versions, but I read it as them still having only iOS and web. Even if that's not the case, having features limited to the Apple world shows that Android support continues to be an afterthought.
I wanted to like Bitwarden, due to its “open source” nature. But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
I tried teaching my father to use Bitwarden for the sole reason that it seemed to be translated into my native tongue. In his use, Bitwarden turned out to be completely unreliable. As techies, we stop noticing the little glitches, the times when Bitwarden is unable to auto-complete, or to detect a login that needs to be saved. Or the times Bitwarden logs you out of the account, or fails to use your biometrics in the browser because the app is no longer running in the background. Or the management UX of the app that's terrible. For us, these are little annoyances, but for my father it was the difference between usable and unusable.
The individual plan is very cheap, but the family plan is costly. And you can self-host, sure, but it's expensive to self-host.
When talking of self-hosting, people actually mean the alternative built from scratch in Rust (vaultwarden). Well, that project was never audited to my knowledge. Open source or not, it may have security vulnerabilities that could be exploited remotely, and I don't understand how people can trust it.
Bitwarden also took VC investments. Which is fine, I guess they need to grow, but I'm longing for projects that are owned by sustainable businesses that don't need to grow. Why does everything need freaking VC investments? The problem being that startups that took such investments are not trustworthy to be around in another year from now, sorry. Although this is true of 1Password as well.