Bitwarden SDK relicensed from proprietary to GPLv3

(github.com)

1005 points | by ferbivore 5 days ago

35 comments

  • solarkraft 4 days ago
    I’m relieved. Maybe the company would have survived this somehow, but they sure wouldn’t have been the techies’ darling anymore and that was going to be expensive.

    I hope they realized that being FOSS is their moat and it nets them a lot of goodwill (it’s the whole reason I bother with their not-quite-the-best product in the first place). The bold claim „the most trusted password manager“ was kind of justifiable while it was FOSS (if we don’t count keepass), without it not at all.

    I’m still not sure how I feel about them now. I can now somewhat trust that the applications will remain free software, but trust in the company has eroded a bit. I still haven’t seen official communication about this.

    • apitman 4 days ago
      I'm cautiously optimistic, but still concerned about the long term.

      * I just don't see how taking $100 million can be good for users in the long run. By far the most likely outcomes are bloat or enshittification.

      * bitwarden does not appear to be very forkable, i.e. it's a complex system written in C#. The existence of Vaultwarden helps a lot with this, but what about the client apps? Forkability is the second most important protection against user-hostile action, behind being open source in the first place.

      I hope it works out. I'm a recent adopter of bitwarden, and so far the UX has blown keepass out of the water.

      • _bin_ 4 days ago
        The client apps can pretty easily be forked and maintained. We probably wouldn't see much feature growth but I also don't think we need that so much. Lots of OSS projects have been messed up by fundraising and communities often just fork them and keep them around so I'm not too worried. Besides, garbage features could probably just be unsupported by Vaultwarden, which has worked extremely well for me and been nothing but stable.
        • EasyMark 4 days ago
          I hope that they keep it a password manager and don’t try to turn it into a “security multitool” or something. I like it how it is. They’ve been careful about adding things and I appreciate that. If they wanted to, say, move from an Electron app to a Qt or Tauri app, I could appreciate that as well.
      • retrochameleon 3 days ago
        The UX of Bitwarden is pretty lacking compared to 1Password. I finally made the switch after years of Bitwarden because of the vast UX improvements.

        For one, it's much easier and natural to add additional pieces of information on entries in 1Password. Bitwarden's implementation of this always feels like a poorly integrated afterthought.

        • cryptos 2 days ago
          The UX is exactly the reason why I stayed away from Bitwarden.
    • EasyMark 4 days ago
      Eh, it’s not as good as never having the OSS-ness of it challenged, but it also shows they’re open to feedback and willing to reassess when customers get out the pitchforks and torches. It’s a story as old as time.
    • whimsicalism 4 days ago
      The gh or had official communication. It was obviously a dep issue blown out of proportion.
  • blendergeek 5 days ago
    Thank you to Bitwarden for relicensing a thing to a Free/Open license! Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good. But for anyone with more advanced needs (or who doesn't trust a password manager built into a web browser), I always recommend Bitwarden because KeepassXC + syncing is way too difficult for normal people.
    • jasode 4 days ago
      > I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

      But a lot of "normal people" actually need a secrets manager which is larger in scope than just a "websites urls passwords manager". This means a password manager with extra metadata fields for users to add notes, associated email aliases, etc. E.g. if a website has an extra step of "Confirm your identity by answering this question: What was your childhood pet's name?", users want a place to save the answer ("BugsBunny") in the "notes" field of a password manager. Another example would be the secret PIN unlock code for the spouse's phone. That's not a website url, it's just a "secret" that needs to be stored in an encrypted file.

      Firefox password manager is too bare-bones with the only 2 fields being "Username" & "Password".

      The better UI/UX for normal people is to have a unified app to store all their secrets instead of having some secrets in the Firefox password manager and other non-web-url secrets saved separately in yet another app.

      • cryptos 4 days ago
        I completely agree with you! Almost everyone needs to store more than only usernames and passwords for websites. Think of PINs for credit cards and the like.
      • berkes 1 day ago
        AFAIK Firefox also doesn't store bank-account or credit card details.

        Here's why I recommend bitwarden to "my mom":

        - It stores and fills in all your website passwords on your phone and on your laptop

        - It makes it easy to generate new passwords for all these places

        - It stores your PIN for your bank accounts (in many EU countries payments with PIN are the default)

        - It stores your credit card info and 3D passwords or other extra secrets it requires.

        - It's the perfect place to store SSN, Tax IDs, "what was the name of your first pet?" and so on.

        I've never understood the rigid structure of e.g. Firefox or even lastpass, where they e.g. insist on having a URL or even insist on a username/password. I want secret notes with optional metadata - metadata that may follow a predefined structure (username, OTP secret, url, etc) but not always. Bitwarden does this much better IMO.

      • qwertyuiop_ 4 days ago
        This ^. Passwords just don’t live in Firefox when you are using apps that need passwords across platforms (Mac, iOS, Windows) and apps. This is where Bitwarden shines.
        • jvdvegt 4 days ago
          I don't know about iOS, but Firefox syncs my passwords between my Linux machine and Android phone just fine.
      • PawgerZ 4 days ago
        Bitwarden also stores authenticator keys for MFA and passkeys. The custom fields, notes section, and attachments are invaluable to me as well.
      • socratics 4 days ago
        Absolutely, everyone I recommend BW to appreciates the notes feature as well - it's handy to have a place to jot down important things that aren't log-ins!
    • danpalmer 5 days ago
      > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good

      Interesting, I've always felt that browser-based password managers provided remarkably little value for most people. Using them on mobile is tricky and platform dependent, it's easy to have local-only, non-synced data and then lose it, and being multi-device is trickier, especially in a work context.

      On the other hand, people generally understand installing an app on each device they own and that app doing it for them.

      • simfree 5 days ago
        Firefox password sync just works. It's one of those things I never think about.

        Watching friends and family struggle with bespoke, poorly integrated password managers makes me cringe and is one of the big reasons I enjoy the seamless experience of the built-in Firefox password manager.

        • danpalmer 5 days ago
          Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox? This is the sort of failure I've seen, where people think their passwords are synced but because they didn't sign in years ago it's actually not backed up at all. At least on Chrome you get reminded of that all the time on YouTube/Google search, etc.

          I know for Safari all the sync is via iCloud meaning if you're not signed in it's locally stored and vulnerable in that way. Especially as many people can't/don't sign in to their own iCloud on work computers, or don't have a Mac.

          • neobrain 4 days ago
            > Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox?

            The passwords are available offline, so they are stored locally.

          • notpushkin 5 days ago
            Firefox reminds you a bunch of times, too. Would be nice if you could just link a new device via QR code (creating an account for you in the background).
            • codys 5 days ago
              The original Firefox sync worked like this (with a unique code and pairing instead of an explicit account) (this is so on the nose I suspect you may know this).

              This blog post goes over some of that history: https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...

              • callahad 5 days ago
                Didn't expect to click on that link and end up on a blog post I wrote 10 years ago! The old Firefox Sync / PAKE stuff was fantastic for getting sync going between devices... but people wanted backup, not sync. I wonder if we'd do anything differently confronted with the same challenge today.
                • g8oz 4 days ago
                  Hey I love the syncing
        • nox101 5 days ago
          It just works for websites. It does not "just work" for apps, whereas the platform ones do or have a chance to work with apps.

          Kind of hope regulation will force Apple/Google/MS to allow iterations for 3rd parties to integrate with the OS, but on the other hand that will open a host of issues.

          • joshvm 5 days ago
            It does on iOS, but I believe the onus is on the app developer to enable the autofill feature in the form, or at least make sure that the app hints to iOS that it can be filled with a password. I'm making that assumption because there are lots of apps which don't trigger the native Apple password manager either (which is a lousy user experience). However, if one works then both do. The UI offers a choice of password manager and Face ID works to unlock it.

            I use both. Apple's manager supports OTP generation which is nice, but on desktop websites, Firefox is often more convenient.

            • phs318u 5 days ago
              I use the Strongbox app on iOS [0] and the KeepassXC app on my Linux laptop. The passwords.kdbx file sits on my Onedrive, which the Strongbox app can access. On Linux I use a Onedrive client [1] that I use to sync several folders within my home folder. Strongbox supports both Keepass and pwSafe database formats. It also integrates well with iOS, with autofill supported (also supports Yubikey unlock and Apple Watch unlock).

              [0] https://apps.apple.com/app/strongbox-password-manager/id8972...

              [1] https://abraunegg.github.io/

              • BodyCulture 4 days ago
                This discussion is about an open source password manager. I wonder why you are recommending a closed source software? Are you aware that many people prefer open source for security software for a reason?
                • KeePassium 2 days ago
                  I think most Strongbox users did not notice it turned proprietary. It's not like Strongbox advertised the change :)

                  Context: https://github.com/strongbox-password-safe/Strongbox/issues/...

                  • phs318u 1 day ago
                    Correct. I did not realise this and am disappointed, having paid a pretty penny for the lifetime license. Reading the github thread, the surreptitious way they changed things is a bit of a dick move.
            • delfinom 4 days ago
              Yep, it's the same problem on Android. Some app developers go full asshole with the password text boxes. There was one electric utility here that I lambasted hard and they finally fixed their form which not only didn't trigger the password manager, it literally blocked all pasting.
          • monocularvision 4 days ago
            iOS already has all of the API required to integrate a password manager with the OS. Third party password managers can already integrate with both browsers and apps to provide passwords and password generation.
        • mikae1 5 days ago
          But does it work for non-website passwords like the PIN for the door at your workplace or the usernames and passwords for your computers?
          • archermarks 5 days ago
            Yes. You can add whatever passwords. It asks you for a URL but you can put anything in.
            • gouggoug 5 days ago
              > It asks you for a URL but you can put anything in.

              Well, that’s kind of the problem isn’t it?

              Yes, you can put bogus URLs, but it’s far from a great user experience.

              • RamRodification 5 days ago
                door://businesstreet/23/A/front
              • INTPenis 5 days ago
                Technically maybe someone could make you navigate to that URL in the future, through MITM or some sort of DNS poisoning, and autofill a form with your password and then auto-submit it.
        • ClassyJacket 5 days ago
          Can Firefox password manager work in other apps on Android?
        • Nathanba 5 days ago
          That's not my experience; I've lost bookmarks due to Firefox sync multiple times.
        • _fs 5 days ago
          Does it have the ability to unlock with Face ID on iOS?
        • jorvi 4 days ago
          That is such a laughable statement. 1Password has incredible UI/UX. It even has e-mail masking with Fastmail. And it auto-enters TOTPs, for the less important ones you feel comfortable saving in your password manager.
        • miki123211 5 days ago
          Firefox sync made the criminal sin of implementing end-to-end encryption, enabling it by default, and being insufficiently clear to people that their passwords are lost forever when they forget the master password.

          This provides a really terrible UX to "normal" users. I wouldn't recommend that option to anybody who doesn't already know what E2E is and what tradeoffs it has.

          Google's implementation is a lot better in that regard, at least they offer plenty of avenues for account recovery.

          • KPGv2 4 days ago
            Can you identify the password managers that do not implement end-to-end encryption so I can avoid them forever?
          • bandrami 5 days ago
            Presumably the passwords themselves have recovery/reset procedures? I can't think of a good reason to add another risk surface to a password manager given that.
      • mrwm 5 days ago
        I'm not sure how it is on iOS, but I've been using Firefox as my password manager on Android. It's a trivial change in the settings and works across all apps as well.

        I also recommend it to my friend group, as they can use firefox with uBlock Origin, and also have their passwords synced.

        • tetris11 4 days ago
          Yep, since Android 12 I think you can set Firefox as your main password manager.

          It's genuinely delicious

      • lrem 5 days ago
        All serious browser vendors offer sync to logged in users. That’s multi-device, cross platform and pretty foolproof. I still prefer Bitwarden because of self-hosting and integrating nicely with the iOS ecosystem. But there’s not much wrong with the browser approach.
        • usrusr 5 days ago
          Multi device is all nice and well, but what if you use products from more than one browser vendor?
          • lrem 4 days ago
            Then you’re a rare corner case that’s served by something third party.
      • CJefferson 5 days ago
        I have the opposite problem. If I forget to log into bitwarden, passwords just get saved into firefox / chrome, so now I've got some passwords in bitwarden, some in chrome, some in firefox, and worst of all bitwarden doesn't seem to have an easy way to unify these databases.
        • trinsic2 4 days ago
          That's a bit much to put on a 3rd party password manager.
          • CJefferson 4 days ago
            I have the plugin installed in my browser, why does it wait for me to log in to come to life?
      • floydnoel 5 days ago
        > people generally understand installing an app on each device they own and that app doing it for them.

        an app like Firefox or Chrome, perhaps?

        • danpalmer 5 days ago
          This is obviously true for the HN crowd, but for normal people I think there's a distinction. Don't underestimate the value of centering a brand and an icon on a home screen around a single function.
      • JoshTriplett 5 days ago
        > Interesting, I've always felt that browser-based password managers provided remarkably little value for most people.

        They provide the value of "you should, by design, have no idea what most of your passwords are; if you know any significant number of your passwords you probably have bad passwords".

        And both Firefox and Chrome sync passwords between devices.

        • wruza 5 days ago
          This is the value of any password manager, not a browser-based one.
          • JoshTriplett 4 days ago
            The comment I was replying to said "browser-based password managers provided remarkably little value"; it didn't say "little value relative to other password managers".

            Much as with cell phone cameras, "the best camera is the one you have with you"; the best password manager is the one you have with you.

    • wrasee 5 days ago
      If Mozilla released a separate passwords app so you could manage and access your passwords outside of Firefox I think the two would be more comparable. That would promote your passwords as part of your Mozilla account, not just Firefox.

      Bitwarden excels here, and I think is the model to beat. However, Mozilla would have the advantage since their browser integration would essentially be built-in and first class.

      Otherwise, unless you use Firefox exclusively for everything I just don't think a single browser is the right place to manage passwords. I would say that's true even for a broad audience, given the importance of passwords and security in the modern age.

      Bitwarden is also nice in that you can "lock" access to your passwords while keeping the browser open. That way, for the 99% of the time you're just browsing the internet you essentially don't have access to all your passwords "open". The last time I looked at this I had to enter my master password on opening Firefox, even if I didn't need access to my passwords. That meant that "unlocking your vault" is essentially tied to opening the browser. That alone was enough for me to bail on it.

      • openopenopen 5 days ago
        > If Mozilla released a separate passwords app so you could manage and access your passwords outside of Firefox I think the two would be more comparable

        They used to have one called LockWise https://support.mozilla.org/en-US/kb/end-of-support-firefox-...

      • greensh 5 days ago
        There used to be an Android/iOS app by Mozilla called Lockwise which did exactly that, IIRC. https://support.mozilla.org/en-US/kb/end-of-support-firefox-...
        • wrasee 4 days ago
          Ah yes I remember that now, I had forgotten about that!

          Funny, especially now that I see Apple are now going the other way with a dedicated "Passwords" app on iOS 18 and macOS 15. And for Apple to do this - against their instinct for featureless simplicity and implicit integration - to give passwords their own "shop front" as a dedicated app I think really does acknowledge the first-class importance that passwords now have, even for a broad audience.

          It's a shame as I think Mozilla could really compete well in this space. They are both cross-platform, have their own browser and have a good reputation on privacy. It's a killer combo. Bitwarden is evidence you can make it work and you don't need massive big-tech budgets to make a difference.

    • techwizrd 5 days ago
      I'm glad that Bitwarden moved quickly to resolve this. At least for me, Firefox's password manager isn't really a replacement. Bitwarden is approved by my employer, self-hostable, and supports logins for the litany of apps across my browsers and mobile devices. Whether it's the mobile app, mobile website, or site in my browser, Bitwarden just works for the most part. It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.
      • ValentineC 5 days ago
        > It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

        +1. I use my password manager (currently 1Password, but I have been looking at self-hosting Bitwarden/Vaultwarden) more for storing credit card information and security questions.

        Most built-in password managers don't cut it on that front.

      • psd1 5 days ago
        It's more than self-hostable!

        There's at least one API-compatible alternative (vaultwarden) which works with the official client.

        Yay to breaking down walls.

        • seabrookmx 4 days ago
          Vaultwarden is great! I've been running it for years (since it was bitwarden-rs) on a free-tier GCP VM. I use a cronjob to back up the DB to Backblaze B2 with rclone.
      • trinsic2 4 days ago
        Is Bitwarden only for personal use? Do they have a solution for multi-user password sharing?
        • bloopernova 4 days ago
          Yes, my wife and I each have our own bitwarden account, and an "organization" where shared passwords go. It's worked great for quite a few years now.
        • leshenka 4 days ago
          In Vaultwarden you can have "organizations" that are like groups of people, and you can have passwords there that are accessible by members.

          No idea how this maps into Bitwarden's own offerings though but all clients support this kind of thing

          • spiffytech 4 days ago
            The downside is you can only share to other users on your Vaultwarden instance. You can't e.g., set up emergency sharing to family members who use cloud Bitwarden.
            • leshenka 4 days ago
              Well, this is true the other way around.

              BW clients support having several accounts at once so you're not forced to choose. Your family can have a regular bitwarden.com account and your vw.example.com account just for emergency access

    • ahiknsr 5 days ago
      > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

      I use both Bitwarden and Firefox and I would strongly encourage everyone to not use the password manager in Firefox. Do you know the tab sync across devices is broken in Firefox? It has been broken since Aug 24 and it is still not fixed (https://bugzilla.mozilla.org/show_bug.cgi?id=1913795). If they can't sync tabs across devices, I wouldn't trust them to sync my passwords.

      • digital_voodoo 5 days ago
        Interestingly, password syncing is one of the most reliable things I've seen Firefox doing during the last years. If you don't even have to think about it, that means it "just works"
    • gertop 5 days ago
      Firefox's password manager stores passwords in clear text unless you use a master password (very few people do).

      This means that any process on the computer can read them.

      It also means that, unless you also use full disk encryption, a stolen device means you're fucked.

      Chrome and Safari use the OS's keychain at least, so there is some level of security.

      And a standalone password manager has its own encryption.

    • alerighi 5 days ago
      I think that the Firefox password manager is good, however, relying on the browser is a terrible form of vendor lock-in. You need to use another browser (for any reason), you also need to switch password manager. Also, Firefox on Android is not great, and Bitwarden has a better integration.

      Finally, Bitwarden (the paid version) also manages passkeys and OTP codes; the Firefox password manager does not.

      • klabb3 4 days ago
        I use both, and I agree, even if I’m very happy with Firefox. There are lots of apps outside of browsers that need passwords. It’s very common these days. Besides, does it support passkeys? That’s getting increasingly common as well.
    • bigfatfrock 5 days ago
      > because KeepassXC + syncing is way too difficult for normal people

      I've been debating for ages if this is a hurdle that can be overcome by packaging or even hand-holding support. When I show "normal people" my pass+sync setup they beg me to implement it for them. Once it's running it's near-zero maintenance.

      • dcow 5 days ago
        Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.
        • tjoff 5 days ago
          It's fine, even bad password management is better than passkeys.

          Thankfully the incredible hype for passkeys has been dead for years now and people are starting to question it.

          • runiq 5 days ago
            Is this... is this sarcasm? I honestly can't tell anymore.
            • tjoff 5 days ago
              It is not.
              • archi42 5 days ago
                Would you care to elaborate? It also matters what counts as "bad password manager" to you - Poor crypto? Poor UX? A reddit post ;-)? LastPass?

                With passkeys, both the website and the user can be pretty sure that the "password" is secure. The website knows that it's based on enough entropy, and the user knows that the website cannot lose it.

                Of course if I use a randomly generated 80 char password I only mildly care if the website stores it plain text or not.

                But if I was a site operator, I could additionally trust that the users are using secure passwords. Without insane strength requirements (which people only work around anyway, e.g. Passw0rd!123 is usually accepted, but thisisasuperlongpassphrase often is not).

                I'm in the business of testing security, which means I sometimes crack passwords. No matter how much training you put your employees through: somebody gonna use ${some name}${0 or 1 special char}${some birthday} - whether it's the spouse, kids or affairs data, your guess is as good as mine.

                • tjoff 4 days ago
                  Management, not password manager.

                  I'm not talking about technical merits, we all know passkeys are so complex they might work decently as obfuscation alone ;)

                  No, all that crap is meaningless when you give all your keys to an entity that simultaneously locks you in and couldn't give a fuck about you.

      • cryptos 4 days ago
        I did that for quite some time, but I had severe issues with multiple editing users and with Android apps. All the tricks I tried, like nested vaults, didn't fully work in the end. So I ended up with 1Password.
      • przmk 5 days ago
        Where did you manage to find "normal people" that begged you to install a password manager for them? I have yet to come across one person who wanted one.
        • archi42 5 days ago
          There are normal people out there who have been hacked, or knew someone who was.

          Also, some normal people are computer-smart enough to understand problems like credential-stuffing, if someone explains it to them.

      • lie07 5 days ago
        Would love to know how you have it setup.
      • peterpans01 5 days ago
        Can you share how you set this up?
        • freeone3000 5 days ago
          I store the password vault in dropbox. Done.
          • dcow 5 days ago
            100% serious question: how is using dropbox (one cloud) to sync passwords any better or more secure than using a password manager that syncs your vault for you (another cloud)? I see so many "I don't trust <insert pw manager> so I use dropbox" comments around these parts and I just don't understand what real or perceived threat is being mitigated.
            • Brian_K_White 5 days ago
              It's valuable that the syncing mechanism is separate because that makes it agnostic. Parent comment uses Dropbox, I use Google Drive, someone else uses OneDrive, someone else uses iCloud, someone else uses Syncthing or Nextcloud, etc.

              You don't have to trust the single cloud provider to encrypt and not be able to spy. The vault is encrypted on your own device using fully open software, and the cloud only ever sees a blob they have no keys to, directly or indirectly. The encrypting/decrypting software was not written by the cloud provider.

              You don't have to trust any single cloud provider to stay up, be available in your country, stay friendly to you. If Dropbox goes down or kills your account, you just flip to any of 20 other options.

              You say you don't understand why someone prefers Dropbox over the special custom syncing, but I don't understand what the excuse is for a special vendor-specific implementation of something that is already generic and agnostic. It's like using a browser that uses its own version of HTTP to download files and only works with one web site that has the matching special server.

              It's not a remotely equivalent comparison between "one cloud" and "another cloud". One is a single vendor-specific, custom purpose, single-provider thing, the other is agnostic and infinite, use any method you want from any provider you want any time you want.

              For me it's not about "mitigating a real or perceived threat". It's just basic system resilience and principle to avoid special things and prefer generic/agnostic things, and keep concerns separated. But it is also more secure not to trust any integrated cloud provider, vs having the cloud be just storage that doesn't know anything about the blob being stored, and can't even if they turn bad, or are pressured by a government, or get hacked, etc.

            • chpatrick 5 days ago
              I guess the idea is that you trust open source software to encrypt the vault, so Dropbox couldn't do anything with it even if they wanted to. That's also true for the open source Bitwarden clients though.
            • freeone3000 5 days ago
              It’s small enough for dropbox’s free tier so it saves me a subscription.
              • dcow 5 days ago
                Ah! Threat to the wallet I see. That Dropbox referral credit must still be paying dividends.
          • teo_zero 5 days ago
            > store the password vault in dropbox

            No local backup? Do you rely on the network working all the time?

            I do something similar on the mobile phone (the reasoning is, if there's no network, there's nothing I need to log in to) but I also keep a local copy on my laptop (that I sometimes operate with limited connectivity). Without any automatic syncing, one of the two copies will be stale.

            • anilakar 5 days ago
              Back in the day we tried to sync KeePass vaults at work and ended up with a conflict about once a week, which is way too often. Not sure if other password managers have solved this.
            • Dylan16807 4 days ago
              > No local backup? Do you rely on the network working all the time?

              Normal dropbox behavior keeps a copy on every computer.

              • teo_zero 4 days ago
                > Normal dropbox behavior

                Ah, you mean by using some app or daemon. I excluded that possibility because on at least one of my laptops I'm not allowed to install anything, so for me "normal" behavior is using Dropbox as a container for files to download when needed.

                • Dylan168074 days ago
                  Well if you do that then you get plenty of copies; just restrain your delete key finger a bit. It does risk some staleness, but only rarely.

                  And maybe you could write a small shell script to keep that particular file up to date?

                  Also the one program I've used that opens keepass files directly from dropbox servers keeps a local copy.

          • gregwebs5 days ago
            I did this a long time ago but eventually ended up with conflicts. Password managers write new entries in a file and easily avoid conflicts whereas agnostic file managers will immediately conflict if sync wasn’t working for a while on a device
            • sublimefire4 days ago
              I've used it (KeePass) for a while and never got the conflict on the desktop client (OS X), nor on Firefox. But the iOS app does not like the file on Google Drive and occasionally it needs to be reloaded.
          • ekianjo5 days ago
            You can use syncthing too. Works just as well.
            • dwightgunning5 days ago
              Is there a robust Syncthing app for iOS? Last time I checked there was only an affiliate project and their story wasn't convincing.
              • subarctic5 days ago
                I use mobius sync and I'd say the app itself is fine, you just have to open it whenever you want things to sync. That's one of the things I miss from Android. Also you can't sync your camera folder
              • jcotton424 days ago
                Mobius Sync works really well, the only caveat is that it's not completely free (you're limited in the sync size unless you pay $5, but that's a one-time thing), and that while it can background sync, it's not continuous, and you'll want to open the app if you need to make sure something's synced.
              • dsp_person5 days ago
                it was just discontinued for android :(
              • conradev5 days ago
                Nope. I have a cloud Syncthing box that is accessible over SSH, and I use ShellFish to read/write my synced folders. It works okay, especially for lazily sending stuff from my phone to my laptop.
          • SkiFire135 days ago
            Instructions unclear, I have no password vault.
            • kcmastrpc4 days ago
              Right, doesn't everybody just use the same password everywhere? I don't see the point of these things.
              • KPGv24 days ago
                You laugh, but that's apparently what I did a decade and a half ago.

                I recently mounted a HDD that was at my parents' house. Most files are from 2009-2012ish. I was there one summer between undergrad and grad school and used it for a couple months.

                I found an Opera password list that I'd exported, presumably to copy over to my new laptop. It was fun last night skimming the list, seeing which websites I'd completely forgotten about that I used to have accounts for. Almost none of them even exist anymore besides the big players (Slashdot, Apple, etc.), but the point is *almost all of them had the same password*. o.O

      • sigzero4 days ago
        KeepassXC also doesn't have templates for things. It's in the works. When it comes out I might take another look at it.
    • Ayesh5 days ago
      I used Firefox password manager for years, and moved to Bitwarden for:

      - Passkey syncing

      - Bitwarden on Android works properly, compared to Firefox's dedicated password app that's abandoned.

      - TOTP support (to use with some apps I don't want the strongest security)

      But you are maybe right, if the only browsers you use are Firefox desktop/mobile.

    • elric5 days ago
      I recommend Bitwarden family plans to non-technical people. It's pretty user friendly, and you can give people emergency access. A couple of recent deaths in my life have made me painfully aware that this is something that many people really need.
      • bloopernova4 days ago
        Gen X and boomer techies are getting older.

        It's kind of funny to see how gen x in particular deals with aging. For example, menopause memes as gen x women hit perimenopause. We're supposed to be all nonchalant and cynical, and it's interesting to see those attitudes hit the immovable object of aging.

    • ants_everywhere4 days ago
      Given that Mozilla just acquihired a bunch of Meta advertising execs, I think the prudent plan would be to cautiously diversify away from putting sole trust in Firefox.
    • lxgr5 days ago
      Can it store TOTPs and passkeys as well? These are two things encountered even by "regular people" more and more.

      Especially keeping passkeys platform-independent is a huge advantage, in my view.

      • freedomben5 days ago
        There will always be different opinions, but my opinion is that storing your TOTPs in your password manager is at best a reduction in security because you're reducing your 2 factors down to 1 factor. If the password manager gets compromised (even phished! It needn't involve the password manager's servers getting hacked), then you gain nothing by having 2FA enabled.

        I would strongly advise using something like Aegis on Android, or Gnome Authenticator on desktop (or both). I like to duplicate/backup my seeds so that I'm not SOL if my phone breaks, but I do it by having them on my laptop, desktop, and phone. That way as long as I have one of the three devices, I can always get in, and then they're not "in the cloud." Though, "in the cloud" is still better than "in the cloud alongside all my passwords."

        • dcow5 days ago
          The only true 2nd factor is a setup where your totp codes live on a separate piece of physical hardware. If your totp codes are in an app on your phone, and your password is in a different app on your phone, you're not pure 2nd factor despite convincing yourself that you are. Anything that is convenient is not real 2FA. Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

          I'm not saying I think everyone needs real 2FA. I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer. 2FA is a hack put in place to mitigate passwords being relatively insecure and phishable. It's supplanted by Passkeys.

          • freedomben4 days ago
            I think you're letting perfect be the enemy of good. It doesn't have to be pure 2FA to be better than 1FA. Being in separate apps does give some benefits. It's always going to be harder to compromise two apps than it is to compromise just one of them (even if the difficulty increase is marginal, it's non-zero). Often simply not being low-hanging fruit is enough to save you from an attack.

             There are plenty of things for which a 2FA in PW manager is fine, but for the most important things I think it's an unnecessary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV

            • dcow4 days ago
              No I’m specifically not. Did you read my 2nd paragraph? It’s essentially your argument here.

              The person I was responding to was arguing that totp in pw manager is no good. Maybe you meant to reply to them and not me?

              • freedomben4 days ago
                I did read your second paragraph. There is some ambiguity, but I ultimately decided you weren't agreeing with me because you said (emphasis added):

                > I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer.

                If you're storing your 2FA codes in your PW manager, then you're NOT using separate apps. You're using the same app (your PW manager). My argument is that you should use separate apps for the things that matter, like your email (which can be used to get access to almost every other account), and since you're already using separate apps for those things, you might as well just be consistent so you don't have to remember where each TOTP token is stored.

                I see three levels we've discussed:

                1. Pure 2FA using hardware token or equivalent (which I agree is rarely needed)

                2. Impure 2FA but separate app for storing passwords and TOTP tokens (which I'm advocating for)

                3. Storing TOTP tokens in PW manager (which you appear to be arguing for in 99.999% of cases, which is basically all of them)

                If you are actually advocating for level 2, then we agree, but from reading your 2nd paragraph it seems pretty clearly to be arguing for level 3.

                • dcow4 days ago
                  I may be arguing for (3) but then I’m not letting the perfect be the enemy of the good. I don’t fancy the security types that do that.
          • KPGv24 days ago
            > Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

            My thumbprint isn't stored on my phone, so I have two factors.

            From the PCI Security Standards supplement on MFA,

            > The issue with authentication credentials embedded into the device is a potential loss of independence between factors—i.e., physical possession of the device can grant access to a secret (something you know) as well as a token (something you have) such as the device itself, or a certificate or software token stored or generated on the device. As such, independence of authentication factors is often accomplished through physical separation of the factors; however, highly robust and isolated execution environments (such as a Trusted Execution Environment [TEE], Secure Element [SE], and Trusted Platform Module [TPM]) may also be able to meet the independence requirements.

            So your phone can constitute a token, while the biometric constitutes the second factor. I don't know about Apple phones, but Google's requirements for biometrics are:

            > Capturing and recognizing your fingerprint must happen in a secure part of the hardware known as a Trusted Execution Environment (TEE).

            > Hardware access must be limited to the TEE and protected by an SELinux policy.

            > Fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint aren't accessible.

            • dcow4 days ago
              I think you misunderstood me. I agree that biometric plus password or device key would constitute two factors. I perhaps believe that you can’t really trust the device to have performed biometric verification without some sort of software attestation. So if the security of your protocol depends on two factors, you’d need to, yes, have a biometric signature or remote attestation that a biometric check has been performed.
          • lxgr4 days ago
            > Anything that is convenient is not real 2FA.

            That's a pretty user-hostile attitude. Sure, some combinations of factors are pretty unergonomic, but I'd call that a bug, not a feature.

            It's also incorrectly suggesting that somehow complexity/painful usability automatically yields security, while usually the opposite is true:

            An effective secure authentication solution absolutely must consider usability, or it's doomed to be circumvented by users in one way or another (either via some insecure practice, or by your users simply ceasing to be your users).

            • dcow4 days ago
              I’m speaking to how things are practically implemented, not making a statement about ideals.
        • czarit5 days ago
          This depends on the threat model. Having 2FA in the PW manager defends against someone phishing the password and database leaks on the server side, which are the most common in my threat model. But note that if they can phish your pw, they can probably phish your 2FA as well.

          It obviously does not protect against the scenario where someone is breaking into your password vault.

          I tend to enable 2FA but conveniently save the token in the PW manager for relatively low equity stuff, just to make it less enticing for an attacker, but use hardware FIDO for everything actually important.

          • guerby5 days ago
            Same here.

            TOTP is trivially phishable via evil nginx just like your password, and via social engineering.

            FIDO2 is not phishable and you have no secret to give out to social engineering attacks.

            • KPGv24 days ago
              > TOTP is trivially phishable . . . via social engineering

              Is it? I've been on the Internet since the 80s and haven't been phished a single time (despite being the recipient of many obvious attempts). Maybe I could be phished, but I think that's evidence it's not trivial.

              I have to wonder how many people sophisticated enough to use and pay for a password manager like Bitwarden could be "trivially" phished.

              • lxgr4 days ago
                That's great for you, but also a sample size of one (probably technically sophisticated) user, i.e. irrelevant to the bigger picture.

                The phishability of TOTP really is exactly as bad as that of passwords, except that a once-phished TOTP isn't reusable by the attacker(s), unlike a phished password.

                But even one-time access is often catastrophic, especially if it allows the attacker to rotate credentials.

        • AyyEye5 days ago
          Sometimes the TOTP is forced on me for a service I really don't care about. That's most of mine, actually.
          • freedomben4 days ago
            Indeed, when that's the case I think the PW manager is fine.

            Though, if you already have to have an app for the important stuff like your email, then IMHO it's actually simpler to just keep them all in one place even if you don't care too much about some of the tokens. Just one less thing you have to remember (i.e. where did I put service X's token again? was that in bitwarden or Aegis? etc).

        • saint_yossarian5 days ago
          It's still 2 factors though, if someone discovers your password they don't automatically know the TOTP key. So I use TOTP in my password manager for sites where I wouldn't use 2FA otherwise (because using my phone would be inconvenient), so it's still a security improvement for me. And for critical accounts I do use Aegis on my phone.
          • hsdropout5 days ago
            That's not 2FA, that's two of the same factor.

            The factors are:

            - Something you know

            - Something you have

            - Something you are (biometrics)

            • lucideer5 days ago
              That list makes for a nice slidedeck but the separation (like many things in tech) isn't as clear cut as the metaphor.

              "Something you know" (password) becomes "something you have" as soon as you store/autogenerate/rotate those passwords in a manager (which is highly recommended).

              "Something you have" in the form of a hw key is still that device generating a key (password) that device/browser APIs convey to the service in the same way as any other password.

              "Something you are" is a bit different due to the algorithms used to match biometric IDs but given that matching is less secure than cryptographic hash functions - this factor is only included in the list for convenience reasons.

              The breakdown of this metaphor is one of the reasons passkeys are seen as a good thing.

            • saint_yossarian5 days ago
              Not sure what you mean, it's still a second unique token that an attacker would need to know to access my account, so it's improving my security even when stored in my password manager. This was in response to grandparent's opinion that it's "at best a reduction in security".

              I'm not talking about my password vault getting breached, in that case I'd be fucked either way.

              • freedomben4 days ago
                > I'm not talking about my password vault getting breached, in that case I'd be fucked either way.

                But that's the whole point. If your password vault is breached, the second factor is what prevents you from being fucked. That's why putting your seeds in the vault is a reduction in security. It may be a reduction/risk that you're willing to take for convenience, but it's still a reduction.

        • lucideer5 days ago
          Aegis is no more secure than storing your TOTPs in your password manager - 2 factors primarily protect against remote attacks, which don't have direct access, in which case the app your 2nd factor lives in is moot. If your threat model involves direct access you need dedicated hardware for your 2nd factor. Most people are fine with TOTP in pw manager.

          (I do use Aegis as I like the UX but that's a separate topic)

        • magackame5 days ago
          Doesn't having the seeds available on all of the devices make it not 2FA? You now need only one device to log in at any given time.
          • mason555 days ago
            The second factor isn’t a second device, it’s the TOTP code.
            • AStonesThrow5 days ago
              No, factors are supposed to have different qualities, such as:

              "Something you know"; "something you have"; "something you do"; "something you are [biometrics]"; "somewhere you are [geolocation]".

              Passwords are in your head - "something you know".

              TOTP codes are generated by a hardware token - "something you have".

              If the TOTP codes are crammed into your password manager, then the factors are no longer distinguished by these qualities, but they're now the same factor, and it's not true MFA anymore, whether or not they're split up across devices, or apps.

              • akho5 days ago
                2FA via TOTP implies two things: 1) you know a password; 2) you know the seed. This is why people criticize that approach. In practice, knowing a password and having a file (seed) seem different enough, and work against some phishing threats.

                Logging in through a password manager requires that you know a password (your master password), and have a file (your vault).

                • KPGv24 days ago
                  Or alternatively something you are (fingerprint) alongside something you have.
        • odo12425 days ago
          I mean, if you're using a password manager, you're already protecting against 99% of the things that 2FA is designed to protect against. If you really wanted to, it would probably make the most sense to enable 2FA on your password manager?
      • odo12425 days ago
        Yes, though TOTPs will run you a (worth it imo) $10/year subscription. Passkeys have been supported for a while (free) on all major platforms, and I haven't seen any issues with it.
      • Uvix5 days ago
        Yes, Bitwarden can store both.
        • lxgr5 days ago
          I was referring to Firefox with that question.
          • odo12425 days ago
            It can't, you need a browser extension for that.
          • Uvix4 days ago
            Ah, sorry for misunderstanding.
    • vitro5 days ago
      > because the built-in password manager in Firefox is too good

      If only they could add labels to the name/password combination. I have several accounts stored for a website, with generated gibberish logins that I cannot change and sometimes it takes me multiple tries to get to the correct account.

      Also, sometimes a site has two password fields - two secret codes - and for this usecase the password manager doesn't work very well either and remembers only one field.

      Other than that, I love how it just works, you add a password on one device and have it seamlessly available on the other with a very little setup. It's a nice experience.

      • vitro5 days ago
        > have several accounts stored for a website

        Another usecase for named logins are those multiple routers that you administer for your friends and family that all have http://192.168.1.1

    • sph5 days ago
      > the built-in password manager in Firefox is too good

      Too good in what way that according to you "normal" people shouldn't be using Bitwarden? Or do you just like the Firefox one but are overselling it a bit too much?

      I use Firefox, but I do not trust the Mozilla products. Bitwarden costs me $10/year so I wonder what is so amazing and groundbreaking about Firefox password sync, and does it work across browsers?

    • pmontra4 days ago
      What if you want to use a password where you don't have Firefox installed or from somebody's else computer?

      The same applies to the password manager any other browser.

      I carry with me my keepass db inside my phone and I can use it anywhere at any time.

    • angra_mainyu4 days ago
      For me, the reason bitwarden is excellent is sharing account login data with my family (I have an org account w a few members) for next to no money / year.

      Also, I regularly hop between 3 machines + a personal phone and a work phone, and I love being able to have access to my logins + secure notes across all 5 devices.

      All for the cost of a coffee/month.

    • t0bia_s5 days ago
      Syncthing android app is not developed anymore. Hopefully syncthing-fork will be.

      https://old.reddit.com/r/Syncthing/comments/1g7zpvm/syncthin...

    • SPBS5 days ago
      Built-in password managers don’t work across apps. They only work for the browsers they’re built into.
    • ezst5 days ago
      What finally brought me to using BW was that I simultaneously needed to backup/sync my TOTPs across mobile/desktop devices, and came to have the need for sharing an increasing number of passwords with my SO. It delivered beautifully on all of that.
      • CaptainNegative5 days ago
        This isn't an area I know much about, but wouldn't there be a security risk involved with storing the TOTP seeds alongside the passwords? Or is that not a real concern?
        • ezst4 days ago
          Totally correct, the lame excuse being that it didn't make the situation worse for the reason that those factors were anyway authenticated using the same device previously already. But at least I am now in much less trouble in case this device gets lost/broken/stolen/…
        • 3np5 days ago
          It's a valid concern. Especially if you use the same BW for password and TOTP for the same service, you've effectively reduced 2 factors to 1. If you really must sync both your TOTP secrets and your passwords, those should be completely separate systems.
    • Shorel5 days ago
      > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

      I don't doubt the quality of Firefox's password manager, or your honesty.

      But normal people just don't use Firefox.

      • blendergeek4 days ago
        Normal people don't use Bitwarden either. And I suppose I don't know any normal people which isn't too surprising.

        Normal people use Apple's built-in password manager.

    • slightwinder5 days ago
      > I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good

      I wouldn't say it's good, but it does its job, if you can live with the insecurity and limitations. It's very comfortable, which is the only reason I'm still using it over KeePass and Bitwarden. KeePass has no reliable browser integration, and Bitwarden is hard to self-host. Firefox's password manager is just there, always works, syncs without hassle, usability at its peak (for this job).

      • seabrookmx4 days ago
        Have you tried vaultwarden (formerly bitwarden-rs)?

        It's trivial to self host. I've been running it in a GCP free tier VM for years.

        • slightwinder1 day ago
          Yes, I know vaultwarden. And it's indeed simple to start the docker container. But not every use case can be satisfied with docker.
    • xnzakg5 days ago
      I actually switched from Firefox's password manager to Bitwarden. There used to be a bug on Android where the autofill button sometimes would stop doing anything.
    • Thaxll5 days ago
      Keepass file on Google drive is kind of trivial though.
      • throwuxiytayq5 days ago
        Never store anything remotely important on a Google service.
        • arnavpraneet5 days ago
          I know we are kidding, but damn, the news that Google Drive is being sunsetted by December would ruin a lot of people's days
          • ClassyJacket5 days ago
            At this rate they'll sunset google search and their advertising business just because.
        • teo_zero5 days ago
          Never store the only copy of anything remotely important on any online service.

          Storing copies is ok, though, provided that sensitive information is encrypted.

    • Anunayj5 days ago
      Can someone also comment on how secure the built-in password manager in Firefox is against unsophisticated malware attacks that simply copy your browser extension data and such? Compared to Bitwarden, which requires a password to unlock it, and as I understand stores everything encrypted on disk.
    • BrandoElFollito4 days ago
      > because the built-in password manager in Firefox is too good

      I just checked it and it looks really basic, right? No OTP, no multiple URLs, no special URL matching?

      Where is its "goodness" (I may have missed something entirely)

    • throwuxiytayq5 days ago
      Does the FF password manager still irrecoverably nuke your password with no versioning/undo when you accidentally or intentionally use the „forget this website” option in the history panel?
    • kwanbix5 days ago
      The problem with the Firefox (or Chrome) password managers is that they only work on their browsers. Bitwarden works on any browser, on windows, macos, linux, ios, android.
    • conradev5 days ago
      It’s also the only browser that doesn’t support Passkeys yet :(
    • frenkel5 days ago
      Does it support sharing passwords with family members?
      • Yodel09145 days ago
        This (along with syncing on iOS) is what made me switch from `pass` to Bitwarden. Password sharing (and self-hosting sync with vaultwarden) are killer features for me.
    • twilo5 days ago
      Is the Firefox one better than the one Edge has? I've been using that for a while and it seems quite good overall.
      • odo12425 days ago
        It's not end-to-end encrypted (if you enable account sync), so Microsoft can technically see your passwords. Feel free to switch or not switch based on that information.
    • rnewme4 days ago
      I enjoy an encrypted Fossil SCM instance (encryption over sqlite extension)
    • Klaphark4 days ago
      All the browser password managers are not really secure enough and give a false sense of security.
    • SV_BubbleTime4 days ago
      > built-in password manager in Firefox is too good.

      lol, sorry but this is a ridiculously narrow opinion and wouldn’t even apply to my SO and me as a two person team.

      Hmm, maybe I want my passwords on my phone?

  • itfossil4 days ago
    Nice to see Bitwarden make a course correction here. I wasn't looking forward to switching to another password manager, so I'm quite happy.
    • ryukafalz4 days ago
      Yeah, likewise. I'm a Bitwarden subscriber but I'd been looking into alternatives recently because of the licensing kerfuffle. But switching password managers is a pain, so I'm glad to not feel like I have to now.
      • spl7574 days ago
        KeePassXC (and I assume the other versions) can import an encrypted JSON Password Protected (NOT Account Restricted) export from Bitwarden.

        I use them both. I have KeePassXC for my local machine, and Bitwarden for things I may need out and about.

        With the browser plugins for both it's not that hard to manage them both, at least in my opinion.

        I was hoping to see some course correction on this from Bitwarden, even if the over-stated impact was really just to the SDK. They appear to understand the look of their licensing move was going to cost them more than it probably should have. Most companies refuse to change course at all, so I at least see it as encouraging.

        edit to fix a typo

        • EasyMark4 days ago
          There is little chance I’ll ever move to keepassxc as that requires me to maintain it myself and take the chance on deleting something very precious. I’ll stick with the cloud solutions for now.
          • alwayslikethis4 days ago
            Synchronizing is not too difficult. You can use syncthing or any cloud-based storage solutions you are already using. You can also back stuff up. Given it has a recycle bin I wouldn't think accidentally deleting stuff is any more likely than a cloud solution. It's probably harder to back up a cloud solution as you don't have direct access to the file.
            • xigoi4 days ago
              How does Syncthing handle concurrent writes?
        • SirGiggles4 days ago
          A caveat that bears mentioning is that an export of a Bitwarden vault does not contain attachments.
      • creesch4 days ago
        Are there other alternatives that are 1) open source 2) offer the same integration to begin with and finally 3) have been audited or are popular enough to be under constant scrutiny?

        There is of course the KeePass ecosystem, but that is why I included my second point, as with KeePass you are responsible for vault syncing, having clients for all platforms, etc.

        I suppose that it is good to be aware of other options. At the same time, jumping ship so easily also doesn't seem realistic or ideal behavior to me.

        • zie4 days ago
          I have no affiliation, just found them this week, but https://psono.com/ exists. So 1 and 2 are met and 3 is half-way there maybe? It's a self-audit but they have been around a while. Apache2 licensed.

          Again, I literally found them the other day, and other than a cursory check to make sure the UI/UX is friendly enough to compete with BW or 1P, I haven't had a chance to look through their code at all yet. I have no idea if the promises they document are met.

          • chickahoona4 days ago
            Hi, Sascha here, the main developer behind Psono. Psono has been audited multiple times so far, usually on a yearly bases. The last one here https://psono.com/blog/security-audit-2024 (you will also find a link to the audit itself)
            • zie4 days ago
              Thanks! I missed that!
        • KPGv24 days ago
          The audited part is going to be tough to meet because it's a very niche skill people generally won't do constantly for free.
        • hedora4 days ago
          I decided that vaultwarden should not have an internet accessible port. Are there any that meet those requirements and also let you (reliably!) edit/create passwords when offline?

          Also, sometimes the bitwarden client decides to blow away my local copy of the password database. I'd like it to store it persistently on all machines so I have to lose my phone, my laptop, my vaultwarden server and its two backups before I get locked out of everything.

          Currently, the phone + laptop don't count as backup copies.

          • BrandoElFollito4 days ago
            > I decided that vaultwarden should not have an internet accessible port

            So how does your browser extension work when outside your LAN? via Tailscale or similar VPN mesh? And for people who use it outside of the LAN entirely?

            • hedora4 days ago
              The app (and iOS keyboard integration) degrades to read only mode. It works about 95% of the time. I'd rather it work 100% of the time, and be read-write.

              I don't run the browser extension. (There have been too many other password managers with exploitable password bugs.)

        • g19fanatic4 days ago
          I use the keepass ecosystem with app.keeweb.info. It's an open source webclient that can directly pull from your google drive (and other places!). I use a google drive through keeweb for syncing, 2 clicks and it's synced. Auto pulls when past pw.

          keepass works in browser (how I use it on a computer), can work offline (which is good in air-gapped instances, one of my reqs) and works directly on my android phone without issue.

          • creesch4 days ago
            It is actually sort of how I used it as well, though through nextcloud. It did still remain a hassle. It also requires all different apps to be maintained and equally safe.

            Keeweb for example has not had an active maintainer since 2022 https://github.com/keeweb/keeweb/issues/2022

        • Glazui4 days ago
          I’ve recently learned about PassBolt, but it doesn’t meet criterion 3 I’m afraid.
      • sirdvd4 days ago
        Switching is decisively a pain. But apparently this episode was what I needed to start looking seriously into VaultWarden.
        • horsawlarway4 days ago
          Huge VaultWarden fan here. It's been running absolutely unattended for about 3 years from a machine in my basement now, and it's great.

          I back things up fairly often, but otherwise I would have no idea I'm not just using the enterprise grade Bitwarden license. Things just work, features are there.

          Side-note - VaultWarden is incredibly reliable for a self-hosted free solution (I have 1 pod restart 27 days ago due to a power outage, but otherwise it basically does not fall over. No memory leaks, no high cpu consumption, no reliability problems)

          • idonttalkenough4 days ago
            Tacking onto this comment as another thumbs up for vaultwarden. "Incredibly reliable" is exactly the way to describe it. In the world of tech headaches, the password manager is the last thing you want to be worrying about, and I can say with confidence that vaultwarden is a reliable, well-oiled machine.

            Backups are also fairly easy, so if need be a DR can be done (and automated) with very little hassle. The vaultwarden backend does depend upon the bitwarden apps for client devices but also features its own web UI.

            • cmeacham984 days ago
              Your comment was marked dead FYI, I vouched for it.

              Normally this would mean you are shadow banned, but I don't see any other comments in your history getting this treatment - perhaps this comment caught the ire of some anti-spam algorithm.

              • xelamonster4 days ago
                I mean it reads like ad copy, and the entire first paragraph takes so many words to say nothing more than "I agree." As comments go, I have to say I've seen better.
            • hedora4 days ago
              Old versions of vaultwarden broke recently (for just about everyone?) due to incompatible changes on the iOS client.

              Breakage is not ideal, but here's how they handled the second, more subtle compatibility break:

              https://github.com/dani-garcia/vaultwarden/issues/5069

              I haven't worked up the courage / time to back up my database and upgrade the docker container; will probably get to it this weekend. However, I can't imagine using bitwarden with the official server (too bloated to be trustworthy), or with their cloud thing. I got burnt by lastpass. I'm not putting my passwords in a giant high-value target again.

          • BrandoElFollito4 days ago
            Same here - I just see that versions change from time to time (yeah I know I should do that manually but there we are).

            One thing I do not like (or, say, "miss") in Bitwarden/Vaultwarden is the ability to make decrypted backups. I run the service for my immediate family and would like to have access to some people's passwords (of course with their agreement) to make sure they are fine.

            A solution is to use Organizations, but you cannot have an "organization-only account": an account that would exclusively save to an organization without a private vault.

            The "solution" is to tell people to move what they save to such and such Org but this works fine with me, recently with my wife but somehow my father does not do it and we sometimes end up with tense moments when it is time to get to some accounts :)

          • apitman4 days ago
            Vaultwarden is great, but it's only half the equation. If bitwarden does go user-hostile eventually, who's going to fork all the client apps and extensions?
        • AzzyHN4 days ago
          VaultWarden is great. But I don't use it, because I trust Bitwarden's infrastructure more than my own, for now at least.
      • slenk4 days ago
        I found psono and spun up a self-hosted instance. I may just try to keep them in sync for a while while this business fully settles
  • jdlyga5 days ago
    Bitwarden is still excellent, but keep an eye on them over the next few years. Remember that Bitwarden was originally a LastPass alternative without the fuckery.
    • prophesi5 days ago
      The LastPass fuckery was long and frankly egregious.

      Though I don't understand why this git commit is what's linked here. I'd rather hear the discussions on it. https://github.com/bitwarden/clients/issues/11611

      • hnbad5 days ago
        After reading through the issue thread and the final reply by Bitwarden, I think the only context this provides is that the headline should rather be something like "Bitwarden SDK fixes dependency licensing issue".

        The opening comment and the final reply are the only valuable contributions in that issue. Everything in between is random people jumping in to feign outrage or telling people to use Vaultwarden (which btw recently was in the news for more significant negative reasons). If anything it's a perfect example of the sad state of online discourse.

        • ferbivore5 days ago
          This wasn't an "issue", it was working as intended. The GPLv3 client intentionally depended on proprietary code. The CTO's comments on bitwarden/clients#11611, bitwarden/sdk#898 and fdroid/fdroiddata!15353 make it clear this was deliberate. They've now changed their stance because of the backlash.

          It looks to me like people expressed genuine concerns about being lied to by a company, one they'd trusted with their passwords no less. Calling it "feigned outrage" is a bit rude.

        • SirGiggles5 days ago
          > (which btw recently was in the news for more significant negative reasons)

          Do you by chance mean CVE-2024-{39924, 39925, 39926}?

          • hedora4 days ago
            Interestingly, none of those impact me, since they involve an authenticated attacker. I trust all the users that can log into my vaultwarden instance.

            Were there any other recent issues?

    • odo12425 days ago
      I mean, it still is. It’s honestly gotten better too - for evidence, it’s the one password manager that never gets recommended by sponsored YouTubers but always gets recommended by non-sponsored YouTubers.
      • afavour4 days ago
        It depresses me that Bitwarden has also taken VC funding, just like 1Password. It’s still a great product but as with any VC product I’m just waiting for the other shoe to drop when it’s revenue generation time.
        • KPGv24 days ago
          I honestly don't think the password manager market could bear more than $3–5/mo for an individual user or family.

          I used 1Password for years until they went from one-time payment to monthly sub and removed local sync so you could only use multiple devices by paying them. I think a big decision there was that they wanted $10/mo or something. I can't remember, but at the time it seemed ludicrous.

          Years later, when my new laptop couldn't run the final local-sync version of 1Password, I finally decided to look into password managers again, and lo and behold, $3/mo. I signed up immediately.

    • throwaway9182994 days ago
      Despite being proprietary, 1Password still hasn’t had any fuckery that I am aware of. I have been tempted to switch to an open source solution many times but I think I’ll be parking right here for a few more years yet.
  • petterroea5 days ago
    Thank you Bitwarden for listening. This kind of stuff gives me hope for the business model of Open Source.
    • chx5 days ago
      [flagged]
      • petterroea5 days ago
        They still handled the situation in a serious and responsible manner, clearly communicating what had happened and why. They then followed up later when the problem was fixed. To me it seems clear that they understood the seriousness of the situation, and why people were initially pissed.

        I think this is the correct way of handling a rugpull scare, bug or not.

  • Scipio_Afri5 days ago
    Well that’s one way to handle that effectively and in what seems to be open source way without fuckery; glad to hear it cause that was going to be a bit annoying migrating away from them.
    • teach4 days ago
      Thank you. I had missed this story and was struggling to piece things together from the varied comments.
  • amszmidt5 days ago
    Not entirely there yet ... Some parts have been re-licensed, some have been licensed under the old non-free software SDK license. E.g.,

    https://github.com/bitwarden/sdk-internal/commit/db648d7ea85...

    • ferbivore5 days ago
      The non-GPLv3 bits are for their separate Secrets Manager product. It doesn't look like that's advertised as open-source. Bitwarden has always been open-core and not fully GPLv3, and that seems understandable; they need something to sell after all.
  • weikju5 days ago
    Props to them for stepping in the right direction; it wasn’t obvious at all for a few days what they would do.
    • chx5 days ago
      Repeatedly: when people post shit like this they more or less guarantee the next company won't even try. People! this is one of the few companies which open sources their product. The time to doubt and preach is not here yet... by far.
      • AdmiralAsshat4 days ago
        Not really. It was keeping them honest. This wasn't like the Winamp thing. Bitwarden has proudly proclaimed itself as "Open Source" from day one. It's right on their front page. It's in their marketing materials. It's in their podcast advertisements.

        I pay for Bitwarden based on the premise that it is open source. If it tries to pull a Meta and decide that "open source" suddenly means whatever they want it to mean in defiance of the commonly-understood meaning, I want to know about it.

        I'm glad they righted the ship on this.

  • powersnail5 days ago
    It's a welcome change. It still feels like they are trying to be too smart on licensing, especially how to combine GPL and proprietary licensed code, which I think is the root cause of the whole drama. The open core model works better as a hosted service, where you are not distributing the amalgamation of GPL and proprietary. Open core in client code seems a bit too rife for potential misunderstandings and confusions.

    Hope it works out for them, though. It's a good product.

  • threatofrain5 days ago
    GPLv3 is interesting because it means to use their code in a commercial setting, then you must also have the guts to open source too.
    • odo12425 days ago
      Not necessarily. You can run a “Bitwarden hosting service” or something like that without violating GPL. You’d only have to make your changes available on request if you changed the actual Bitwarden source code or linked some other library into it and shared that modified version with someone else (just running it on a server doesn’t mean you need to open source changes, for example)
      • hedora4 days ago
        Yeah; GPLv3 seems designed to give pure *aaS companies an unfair advantage over people that want to give users the option to buy commercially supported hardware that runs the company's software.

        For instance, Google can use bash in their backend infrastructure, but Apple cannot ship it on MacBooks or iOS anymore.

        • jcotton424 days ago
          > Yeah; GPLv3 seems designed to give pure *aaS companies an unfair advantage over people that want to give users the option to buy commercially supported hardware that runs the company's software.

          SaaS didn't exist when the GPL was drafted. If that's an issue for you, there's the AGPL.

          • alwayslikethis4 days ago
            > SaaS didn't exist when the GPL was drafted

            If you mean v3, this isn't true. AGPLv3 was written at the same time as GPLv3, and they reference each other to maintain compatibility (a special provision that lets you use code in the other license provided you follow the other license for that component).

    • npteljes5 days ago
      Not if offered as a service. That's why they introduced the AGPL, that one has the service restriction too. In terms of a service offering, GPL software is free for the taking, and the restrictions don't apply as the distribution clause doesn't trigger.
    • sublimefire4 days ago
      The context is inaccurate because it is actually dual licensed so thinking about GPLv3 alone is not painting the whole picture.

      > The default license throughout the repository is your choice of GPL v3.0 OR BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE unless the header specifies another license. Anything contained within a directory named bitwarden_license is covered solely by the BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE.

    • hk13375 days ago
      I don’t believe that is entirely accurate. I believe it depends on the application and what you’re doing with it whether or not you would be required to open source it. Like, if you’re distributing the application as a product, not necessarily saas application?
      • nine_k5 days ago
        Yes, GPL3 only works for directly distributed software. But an important part of BitWarden is exactly such software, in the form of a browser extension.
      • HeatrayEnjoyer5 days ago
        Yes, this is why AGPL is superior.
  • rochak5 days ago
    No good thing ever lasts, especially in the world of tech. So, I'll be sticking with Bitwarden until they somehow eventually fuck it up and something else takes its place.
    • crossroadsguy5 days ago
      What will be ideal is a FOSS competitor. At least in the personal usage segment. Until they also start looking at big money and enterprise/professional (which is fine), then another competitor will come in. As long as the chain of export-import-export doesn’t break.
  • MisterKent5 days ago
    People here are incredibly hard to please. Very clearly a packaging issue that got blown out of proportion.

    They've done largely the right things for _years_ in terms of security. They've operated pretty transparently in terms of open sourcing. They've allowed vaultwarden to exist, and eventually created a self hostable version as well.

    But one bad release with a license screw up and nobody is willing to give them an inch?

    I will continue to use bitwarden, and am willing to give them the benefit of the doubt. Especially considering this action above. They are a company that is perfectly toeing the free/oss and commercial line.

    • hiatus4 days ago
      > Very clearly a packaging issue that got blown out of proportion.

      CTO:

      > There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

      https://github.com/bitwarden/sdk/issues/898

      Doesn't seem like a mistake or unintentional action.

    • j_crick5 days ago
      You build a hundred solid bridges and you get called John the Good Bridge Builder. But lest you once screw up your software licensing and people notice and it blows up, you'll end up as John the Software Screwer in the annals of history... until next week.
      • WesolyKubeczek5 days ago
        It seems though, that in the world of software, you can unfuck a sheep.

        What worries me, though, is that people who should have known better commit such oopsie daisies more and more (across many projects, I don’t mean this one only), almost as if they are testing the waters to see what they can get away with.

        • j_crick4 days ago
          > almost as if they are testing the waters to see what they can get away with.

          I think if it's a pattern then it's no accident. Of course people will test things. Kids, dogs, it's all the same: if you can get away with something, why not do it?

      • gitaarik5 days ago
        Well it is kinda blasphemy to swear with evil proprietaryness in a loving FOSS community
        • ValentineC5 days ago
          And then we have WordPress, former champion of open source and GPL, with all their soap opera drama.
    • froggerexpert5 days ago
      > But one bad release with a license screw up and nobody is willing to give them an inch?

      I don't have a lot of context on the issue.

      Is it clear it was just a packaging bug, rather than a move towards partially proprietary?

      • ferbivore5 days ago
        The idea that this was "just a packaging bug" is damage control by Bitwarden. It was a deliberate change, per the CTO's comment on https://github.com/bitwarden/sdk/issues/898 and elsewhere. They slowly worked their way towards adding this SDK dependency to every client, and the SDK was intentionally not open-source. The public outrage is the only reason Bitwarden is GPLv3 again.
      • odo12425 days ago
        Yeah - they've always used an open-core licensing model with like a few features (used only by business users/applications) behind a proprietary license. They just ended up mixing the code in a way such that the (theoretically open-source) app ended up having some utility functions for the business version mixed in. Since the client apps don't use that functionality, they split the repository so that you can build the app without using any proprietary code.
        • froggerexpert5 days ago
          Fair. I didn't know Bitwarden was open-core. In light of this, accidental packaging mixup sounds plausible.
    • the_duke5 days ago
      Minor correction: the official self-hosted version existed BEFORE vaultwarden!
    • sneak5 days ago
      For a long time their KDF was bad and the iteration count was low. When I reported it to them they got really hostile and evasive about it.

      Years later they switched to Argon, somehow solving all of the blocking problems they had repeatedly claimed they couldn’t fix.

      I don’t trust the org at all. The software is ok but I only use it because it sucks marginally less than all my other options.

      People who care about software freedoms don’t release proprietary software. Organizations like this or Microsoft are just engaging in open source cosplay.

      • gertop5 days ago
        > When I reported it to them they got really hostile

        You're not the one who first reported it, but I did see your comments at the time. Calling them hostile is really the pot calling the kettle black, uh?

        • gitaarik5 days ago
          To me the story also sounds a bit like GP was a bit impatient and felt a bit ignored while the company was already working on the issue but just didn't respond promptly to them personally.
  • AzzyHN5 days ago
    I don't know why people are saying this is a bad thing.
    • crossroadsguy5 days ago
      Similarity to past experiences of start of the declines of service/apps.
      • Capricorn24815 days ago
        What app got worse after going open source that you're thinking of?
        • alt2274 days ago
          It's not 'going open source' as they were always open source; it's a change of license.

          Plenty of other products started slipping downhill after management saw a need to change the license. Why else would you change your license terms if it's not to then be able to change your business practices down the road?

          • Capricorn24814 days ago
            I was posing a hypothetical for people that seem to think they were never open source. They packaged a proprietary part of Bitwarden into the app and quickly relicensed it to GPL.

            I don't see how you think introducing a GPL license is gonna lead to worse business practices? Unless you don't know what the license is.

        • crossroadsguy5 days ago
          > after going open source

          I wasn't thinking that at all. BW started as open source afaik.

    • 3np5 days ago
      Choosing GPL over AGPL for this kind of project combined with the previous recent CTO messaging is very telling if you consider the architecture of the software(s).
      • wmf5 days ago
        Telling what?
  • nocoder5 days ago
    What would be a good way to backup the passwords stored in Bitwarden? I am worried that someday suddenly bitwarden could stop working and I will lose access to all the stored passwords? Should I have a physical copy of all the passwords stored in a vault at home?
    • Happily20205 days ago
      The simplest way of doing this would be to export your bitwarden vault in plaintext (as a json or csv) and then store it as a password protected zip file.

      This should be easy to encrypt and decrypt on all operating systems, and would make it easy to move your vault to a new password manager.

    • Saris23 hours ago
      Use the export feature and just save the file somewhere safe, mine is in a Cryptomator vault. You could also import to Keepass and then delete the file.
    • fy205 days ago
      If you have some sort of home server, I'd recommend hosting vaultwarden (an open-source implementation of the BitWarden server). It works fine with the official apps. Their enterprise model requires a standard API, so it's not going to break anytime soon.
      • beAbU5 days ago
        This does not take the need for separate backups away though. In fact, I'd argue it makes it even more important to maintain a 3-2-1 backup of your vault.

        Running vaultwarden on a home server is one small disaster away from losing everything. Homelabs typically don't enjoy the same level of protections and redundancies compared to a commercial DC.

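The 3-2-1 point above is easy to get wrong in practice: a plain file copy of a live SQLite database can tear a page mid-write, and an archive that was never restore-tested is not a backup. The following is an added example, not code from the thread, from Bitwarden or from the Vaultwarden project. It assumes a Vaultwarden data directory laid out as db.sqlite3 plus attachments/, sends/, rsa_key*.pem and config.json (my assumption about the project's data directory, not something the thread states), uses SQLite's online backup API for a consistent snapshot, writes a SHA-256 manifest, and then restore-tests the archive. The sample vault data is constructed and contains no real secrets.

```python
"""Snapshot, archive and restore-test a self-hosted Vaultwarden data directory.

Added example (not Vaultwarden project code). The layout below is an
assumption about Vaultwarden's /data directory; adjust EXTRA_PATHS if yours differs.
"""
import hashlib
import json
import sqlite3
import tarfile
import tempfile
import time
from pathlib import Path

DB_FILE = "db.sqlite3"  # assumed: the vault database (the part you cannot live without)
# assumed: attachment/send blobs, the JWT signing keys (loss only logs users out), admin config
EXTRA_PATHS = ["attachments", "sends", "rsa_key.pem", "rsa_key.pub.pem", "config.json"]


def make_sample_data_dir(root: Path) -> Path:
    """Constructed stand-in for a Vaultwarden data dir so the example runs offline."""
    data = root / "data"
    (data / "attachments" / "cipher-1").mkdir(parents=True)
    (data / "attachments" / "cipher-1" / "note.txt").write_text("constructed attachment\n")
    (data / "rsa_key.pem").write_text("-----CONSTRUCTED KEY, NOT REAL-----\n")
    con = sqlite3.connect(data / DB_FILE)
    try:
        con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        con.executemany("INSERT INTO ciphers VALUES (?, ?)",
                        [(f"uuid-{i}", f"constructed-ciphertext-{i}") for i in range(3)])
        con.commit()
    finally:
        con.close()
    return data


def snapshot_sqlite(src_db: Path, dst_db: Path) -> None:
    """Copy a possibly live SQLite database with the online backup API.
    A plain cp can tear a page mid-write or miss the -wal file; this does not."""
    src = sqlite3.connect(f"file:{src_db}?mode=ro", uri=True)
    dst = sqlite3.connect(dst_db)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_vaultwarden(data_dir: Path, dest_dir: Path) -> Path:
    """Write dest_dir/vaultwarden-<utc stamp>.tar.gz with a consistent DB snapshot,
    the extra files, and a MANIFEST.json of SHA-256 digests. Shipping the archive
    off-site (the "1" in 3-2-1) is a separate step."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"vaultwarden-{time.strftime('%Y%m%dT%H%M%SZ', time.gmtime())}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        stage = Path(tmp)
        snapshot_sqlite(data_dir / DB_FILE, stage / DB_FILE)
        manifest = {DB_FILE: sha256_of(stage / DB_FILE)}
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(stage / DB_FILE, arcname=DB_FILE)
            for rel in EXTRA_PATHS:
                p = data_dir / rel
                if not p.exists():
                    continue  # e.g. no sends/ or config.json on this instance
                tar.add(p, arcname=rel)
                for f in ([p] if p.is_file() else sorted(p.rglob("*"))):
                    if f.is_file():
                        manifest[str(f.relative_to(data_dir))] = sha256_of(f)
            (stage / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
            tar.add(stage / "MANIFEST.json", arcname="MANIFEST.json")
    return archive


def verify_backup(archive: Path) -> dict:
    """Restore-test: extract to a scratch dir, re-hash every manifest entry and open
    the DB snapshot. Run this before rotating an older copy out."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # 'data' filter blocks path traversal on extraction where the interpreter supports it
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(out, **kwargs)
        manifest = json.loads((out / "MANIFEST.json").read_text())
        mismatched = [rel for rel, digest in manifest.items() if sha256_of(out / rel) != digest]
        con = sqlite3.connect(out / DB_FILE)
        try:
            integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
            tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        finally:
            con.close()
    return {"files": len(manifest), "mismatched": mismatched, "integrity": integrity, "tables": tables}


def run_demo() -> dict:
    """Build the constructed data dir, back it up, then restore-test the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        data = make_sample_data_dir(Path(tmp))
        return verify_backup(backup_vaultwarden(data, Path(tmp) / "backups"))


if __name__ == "__main__":
    print(run_demo())
```

Point `backup_vaultwarden` at the real data directory (with the service running is fine, since the snapshot goes through SQLite rather than the filesystem) and keep `verify_backup` in the same cron job; a failed restore-test is the signal you want before, not after, the home server dies.
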
    • nichos5 days ago
      Export your BW vault and import it into KeePass. Then store that file somewhere safe.
    • palata5 days ago
      I personally went (a year ago) to pass: https://www.passwordstore.org/.

      It just creates a git repository that I can back up wherever I want.

    • s2l5 days ago
      Desktop: keepass variants.

      Android: Keepass2 android.

      Use syncthing to stay in sync.

      • cja5 days ago
        How to use Syncthing on Android now that the app has gone?
        • s2l4 days ago
          For this type of data, preference could be toward fully open source stack (i.e. fdroid, etc).

          Another thing I recommend is to enable versioning on syncthing for the database. This way accidental changes can be reverted easily.

    • jannes4 days ago
      You can do JSON exports within the apps. But careful, all your passwords are unencrypted in the JSON.
    • hexfish5 days ago
      Frankly I would worry about that with any third party that holds my data. There are a few Bitwarden exporters on Github that also account for attachments (something the builtin exporter doesn't for some reason).
      • aae424 days ago
        BW synchronizes all your data on each client... if you logged in before, and your server goes down, you can still log in to a recent client, it just won't be able to update

        you could recover from that

        • Saris23 hours ago
          No way to export from the client though, so you would have to recover the server unless you previously made backups with the export feature.
  • sneak5 days ago
    Doesn’t GPL mean that it can’t be forked and published into the Apple iOS app store?

    Presumably they are able to do it because they own the rights and can grant a non-GPL license to Apple for distribution.

    This seems to me to still be a “nobody can fork this [and still have a viable iOS app] but us”.

    • cxr5 days ago
      The last time anyone did a serious published review of the App Store terms for GPL compatibility was probably 10+ years ago.

      I remember pre-COVID trying to validate the popular claim that the App Store terms were incompatible with GPLv3 but being unable to do so. None of the provisions that were originally called out by the FSF were in the App Store terms anymore at that point. Certainly nothing I found in the terms at the time indicated any incompatibility.

    • FateOfNations5 days ago
      Whenever I've heard about someone having problems publishing a fork on the App Store, it was a trademark rather than a copyright issue. If you fork it, you must completely re-brand it to publish it on the App Store.
      • throwaway2905 days ago
        Don't forget disclosing the source to users!
    • master-lincoln4 days ago
      Everybody can fork this and build an iOS app. You just can't distribute through the app store as far as I understand. Would be good now if there were other means to install an app on iOS for non-devs, but users chose to ignore that issue when they joined the walled garden that is Apple Inc

      Maybe the European Union comes to the rescue... (for Europeans)

  • funvill4 days ago
    As an exercise I created my own password manager in response to the license issues with BitWarden last week.

    It's rough, but functional; an exercise, not a real product, never expected to be a real product. https://github.com/funvill/FancyGorillaPasswordManager

    The tech is easy. Website, browser extension, iOS, Android, Windows, Linux, MacOS apps done in less than a day.

    Gaining trust is hard; who is going to trust a random guy on the internet?

  • Thoreandan4 days ago
    The summary says "SDK relicensed from proprietary to GPLv3", the linked commit puts the Bitwarden license into LICENSE_SDK.txt, not GPLv3. Am I missing something?
  • jgauth5 days ago
    This update is great news. I was disappointed to see the issue that got raised last week, and I had started to consider looking for alternatives. I’m going to assume an honest mistake on their end and keep recommending their product. However, if they make a similar move again, I will assume the worst and move on.
    • ValentineC5 days ago
      To be fair, Bitwarden clients are mostly GPL and can be forked, and there's Vaultwarden for self-hosting.

      We just need to rally together a community that would maintain such a fork.

      • ferbivore5 days ago
        The iOS client can never be meaningfully forked, ironically due to the GPL. If Bitwarden goes fully hostile that's lost forever.
        • ValentineC4 days ago
          I don't understand; isn't the repo licensed under GPLv3?

          https://github.com/bitwarden/ios?tab=GPL-3.0-1-ov-file

          Is proprietary config required to build the IPA file?

          • ferbivore4 days ago
            I was under the impression that Apple requires apps to be distributed under terms which conflict with the GPLv3, so the copyright holders effectively need to dual-license an app for it to be suitable for the App Store. Uploading your own version of bitwarden/ios would then open you up to a takedown notice from Bitwarden Inc. since they didn't consent to this.

            Looking into it again, it seems like the Apple Media Services T&C now has provisions for distributing apps under a "Custom EULA", but it still has weird clauses like the one saying you can't "scrape, copy, or perform measurement, analysis, or monitoring of, any portion of the Content", which their definition of includes apps. (Ridiculous clause since it prohibits so much as looking at an app with Activity Monitor, but whatever.) The GPLv3 has a provision saying users can ignore additional restrictions, but you as an App Store uploader aren't in a position to grant that right, so... the situation still seems legally iffy enough that I'm not sure you could win against Bitwarden if they objected to a fork.

  • ok_dad5 days ago
    Luckily if they die another will rise up. At this point I’m thinking I’ll just use the Apple Keychain if Bitwarden gets up to no good again.
    • freedomben5 days ago
      It probably doesn't matter for you if you'll never be leaving Apple's ecosystem, but for anyone else, I think that's something to keep in mind before moving to a non-portable solution like Apple keychain.
      • accrual5 days ago
        I would love to use Apple keychain but you're right - as a mixed OS user, it's a tough sell.
      • crossroadsguy5 days ago
        > non-portable solution like Apple keychain

        Yes, non-portable across different OEMs. But Apple Passwords app lets you export your passwords in a nice little simple csv file. It was a suspicion-filled (because it's Apple) pleasant surprise to find that out.

        • rqtwteye4 days ago
          In the old Apple passwords thing, they used to have that export feature but they took it away at some point. Learned this the hard way when I switched to Linux for a while.
    • lxgr5 days ago
      Two things are preventing me from doing that: I occasionally want to access my passwords in a browser (and I do not want to log in to iCloud on that machine), and I'd feel really bad about having my passkeys stored in an Apple service with absolutely no way of exporting them in case I ever do switch platforms. (Bitwarden at least includes passkeys in their JSON export format, as far as I know.)
      • ValentineC5 days ago
        As another commenter has mentioned, Apple Passwords allows export to simple CSV:

        https://support.apple.com/en-us/guide/passwords/mchl35b12625...

        What I dislike about Apple Passwords is how tightly coupled everything is.

        I just tried to set it up on my Windows 10 machine with a local account, but it requires Windows Hello to be turned on, which can't be done except with a Microsoft account.

        Kinda ridiculous of them to force arbitrary restrictions on us.

        • lxgr5 days ago
          > Apple Passwords allows export to simple CSV

          Not of passkeys, to my knowledge.

          > What I dislike about Apple Passwords is how tightly coupled everything is.

          That’s definitely also discouraging me as well.

    • rascul5 days ago
      What was the no good that Bitwarden got up to?
      • Capricorn24815 days ago
        Sounds like this is what they open sourced? So I don't really see the issue.
        • ValentineC5 days ago
          It was "source available", but licensed under their proprietary Bitwarden licence and not GPLv3.
          • Capricorn24814 days ago
            What I mean is the problem is remedied now and was likely not the big deal people thought it was. Sounds like they packaged something into the software forgetting it was under a different license and quickly relicensed it. But this thread is framing it like they burned a bridge.
    • chillfox5 days ago
      If I wasn't busy playing with AI stuff then I would be very tempted to build my own password manager cloud service, it feels like a chance to shine shows up at least once every two years in that space.

      I don't know what it is, but password managers just love the high-speed enshittification train.

      • TechDebtDevin5 days ago
        It's not very easy and you shouldn't do it unless your domain is cryptography. This is something I've tried to do myself as well and realized it's better off left to the pros.
  • mbix775 days ago
    Such a pity they are starting to try to move to a proprietary model. I have been using them for years. I thought they were different from other "open-source" companies (e.g. Redis).

    What are the alternatives for an open-source cross-platform password manager? Has anybody used Vaultwarden already?

    • tmpfs5 days ago
      We have been working on an open-source, cross-platform alternative called SOS[1]. The source code is on GitHub[2] and includes a self-hostable server for syncing. It is well documented[3] for those that want to go build on top of it.

      Would love your feedback if you can take it for a spin!

      [1] https://saveoursecrets.com/ [2] https://github.com/saveoursecrets/sdk [3] https://docs.rs/sos-sdk/latest/sos_sdk/

    • chx5 days ago
      No, they are not. They have a separate product which is closed source and there was an accidental mixup between the dependencies of the two. They fixed it quickly. As I posted repeatedly in this issue: we need to be much, much more lenient and supportive of one of the very few companies which still try. If this is the support they get, why would anyone else even bother?
      • ferbivore5 days ago
        This was not an accidental mixup. Have you actually read the previous issue threads? Their stance was that "there are no plans to adjust the SDK license" before the backlash.
    • NicuCalcea5 days ago
      I've been using KeePass (mostly through third-party clients) for years and never saw a reason to switch to anything else.

      It doesn't sync between devices by default, but I see that as an advantage, you can use a cloud provider like Dropbox, your own server, FTP, Syncthing, whatever you're comfortable with.

  • Always425 days ago
    I have been using bitwarden for some time, and actually pay for it because I like it so much. Should I switch?
  • aiono4 days ago
    Good to see this. Bitwarden is one of the few companies that I actually like. And even they can disappoint when profitability requires it, it seems.
  • RyeCombinator5 days ago
    Can somebody ELI5?
    • chx5 days ago
      People are dicks to one of the last companies which operate in a transparent manner and open source their product.

      There was a bug, it got fixed. Nothing to see here, move along.

    • wmf5 days ago
      AFAIK they went closed source the other day which triggered backlash and now they're opening back up.
      • jth15 days ago
        My understanding is they were never closed source. Some of their code is GPL and some is proprietary, but all is source-available on GitHub. There was a bug where you couldn't build their client without a proprietary dependency, but they have fixed that so you can now build their client with only GPL code again.
        • palata5 days ago
          I don't think it was a bug. They dismissed it and clearly said that they had no intention to adjust the license: https://github.com/bitwarden/sdk/issues/898.
          • renewiltord4 days ago
            To be honest, it looks like he just had an internal model of “internal code no gpl”, “external code gpl” and mindlessly answered based on that. The fact that it made the latter impossible seems to have been successfully impressed on him.

            Overall, I’ll stay a Bitwarden customer. People fuck up and I’m a tit-for-tat-with-random-forgiveness tactic user, not grim-trigger.

            • palata4 days ago
              I could accept that he doesn't understand how open source licenses work, or doesn't care, and that it was not meant as a shady move. But still I wouldn't call it a bug, and it does not inspire confidence. Still it's not LastPass-bad.

              This said, I still recommend Bitwarden to my family. I moved to pass (https://www.passwordstore.org/) a while ago just because it corresponds better to my needs and I have more control.

  • reptation4 days ago
    I looked into Bitwarden but hard to see what it offers over Psono and the pricing is significantly steeper.
  • aussieguy12345 days ago
    I started using BitWarden as my main password manager after the LastPass security breaches.
  • PaulKeeble5 days ago
    Once an organisation has tried once they invariably do it again and again until they find a way to get what they want. The customers tire of complaining over and over about little enshittifications and eventually the company wins. Once they start it always goes the same way; it just often takes a few goes before most give in.

    It will be years until it becomes awful but the process has started. It's really a shame every company has to do this with otherwise good products.

    • gitaarik5 days ago
      If that were the case, I wouldn't have expected them to change it back. I don't think it was that bad of an impact for them; they are already big enough in non-hardcore-open-source communities that they could pull it off and afford to lose some customers to go proprietary. I'm actually really positively surprised by them that they actually picked up on this issue raised by the community and that they fixed it very promptly.

      Yes the trust was seriously damaged, but this move does restore it largely for me.

  • la_fayette4 days ago
    We moved to passbolt and we are happy with it.
  • Beijinger4 days ago
    I may check it out again. But I love the commercial product enpass.io (I use the free version, don't need it on my cell phone).
  • imaginebit4 days ago
    does it potentially compromise the data security?
  • AdmiralAsshat4 days ago
    So, crisis averted?
  • minebreaker5 days ago
    https://github.com/bitwarden/clients/issues/11611#issuecomme...

    > We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

  • shelled5 days ago
    BitWarden has lost the trust. Besides, recently there was a blocker bug on iOS and on Reddit I found out it happened earlier as well. They didn't even want to debug it, and when I suggested this and asked whether they have any issue logged on GitHub where I could provide logs, they went radio silent. Follow-ups went completely unanswered. And yeah, before that they had given a solution (because reinstall/re-login, nothing had worked): export your data, delete your account, create the account again, and re-import your data; that "should" work. Honestly it was worse than "restart your computer".

    I guess it's time for another FOSS player here. It's fine, such things are cyclical I guess. Happened to Lastpass and Authy and someday it will happen to Ente and 2FAS and so on.

    • Capricorn24815 days ago
      > BitWarden has lost the trust. Besides...

      I'm confused what you're responding to. You're making it sound like this was a bad decision and your anecdote was another thing for the pile, but this is a good decision.

      • hnbad5 days ago
        Someone else linked the GitHub issue that triggered this change and most of the replies are in the same tone as the comment you're responding to.

        Which is all the more ridiculous as this looks like it wasn't really a big license change decision but more of a "forgot to change the license on a component from our internal default". Assuming malice seems like the most boneheaded reaction to this given that there are no other indications Bitwarden was trying to do anything nefarious and the previous license state would have made every single library or tool depending on it non-free.

        This is different from criticisms of Mozilla for example which often boil down to "Mozilla positioned itself as privacy-focused but adds a privacy-violating feature you have to opt out of while claiming it's actually fine". Bitwarden never was 100% FLOSS to begin with but introducing downstream license problems is clearly against their own interest. Unless you believe Bitwarden is run by evil idiots who do evil things for no good reason (business or otherwise) whatsoever and then quickly cover their tracks only when called out, "oops" is the only explanation that passes the sniff test.

        Here's what someone from Bitwarden said in that issue:

        https://github.com/bitwarden/clients/issues/11611#issuecomme...

        I think the submission should be rephrased as "Bitwarden SDK fixed license of sub-component" or something. Which of course sounds less bold and interesting and newsworthy because it really isn't.

        • kuschku5 days ago
          > forgot to change the license on a component from our internal default".

          https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...

          > Additionally, one thought that came to mind in evaluating this that might make this not possible is that our rust SDK, a dependency, is not published under an OSS license. See https://github.com/bitwarden/sdk . I assume that is a problem that might disqualify us from the main [fdroid] repo still.

          https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...

          > At the moment, there are no plans to adjust the SDK license.

          Doesn't sound like a mistake:

          https://github.com/bitwarden/sdk/issues/898#issuecomment-222...

          > There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

          • hnbad4 days ago
            > [O]ur goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

            This does, though:

            https://github.com/bitwarden/sdk/issues/898#issuecomment-242...

            It seems they reconsidered after the change impacted their F-Droid release. They've always been Open Core not fully Open Source so the SDK not being OSS isn't surprising. It just seems like they didn't think about the consequences of integrating a non-OSS SDK into their OSS clients.

            Your first quote actually explicitly says that this incompatibility only became apparent after the fact:

            > one thought that came to mind in evaluating this

            So, yeah, a mistake although it's not so much they "forgot to change the license" but didn't consider which license it should use and stuck with the default.

            > There are no plans to adjust the SDK license at this time

            This doesn't mean it was an intentional choice or well thought out. It would have been pretty stupid to say "yeah, we actually just went with proprietary because it's the internal default and didn't think about the pros and cons of keeping it that way" so in lieu of wanting to make a decision then and there or signaling radio silence, that's just a standard corporate non-answer.

    • chx5 days ago
      [flagged]
      • shelled5 days ago
        [flagged]
        • chx5 days ago
          Observe how I posted about content while you posted about ... me.

          There's a difference.