- Google Authenticator
https://github.com/BrenoFariasdaSilva/Authy-iOS-MiTM is going to be my project for the afternoon.
is a good alter. Works perfectly for me.
Famous last words...
The idea of BW doing a rug pull and suddenly removing the ability to export your vault I think would trigger a class-action lawsuit.
The real issue is potential data loss. Remember LastPass? Bought by someone and downhill it went, with multiple security incidents.
https://automaton-media.com/en/news/kadokawa-reports-sharp-d...
As I understand it, so far the only actual change is an announced increase in prices. Obviously, from the consumer perspective, cheaper is better, but this is a product where I think that a subscription plan makes sense (and the free tier, for now, still exists), and so I'm not going to get mad about price changes. Competitors exist, and if one doesn't think the new price is worth it, then switch to one of them (using the very-much-still-available vault export).
I don't think the warning is crazy or anything, but in my personal opinion it's a little stronger/earlier than is warranted and the current appropriate response is careful watching.
It's Bitwarden's game to lose. Forking is easy enough that there's no great need to pre-emptively fork.
>But the explanatory paragraph at the bottom of the same post still says the old ones: Inclusion and Transparency. Crandell’s name is still on it. The post now contradicts itself, and nobody wrote a new one.
Looking at the post right now, they've corrected it to Innovation and Trust.
Overly idealistic thinking, maybe... but still thinking.
Bitwarden/Vaultwarden had a good run, but if someone's going to self-host Vaultwarden, I would encourage people to look into AliasVault instead. It's a complete open-source ecosystem.
It's a shell script that stores passwords in a git repository, containing one file per entry. The files are encrypted using a GPG key. Because it's just a git repository, you can synchronise it between devices using whatever infrastructure you want. I use a FOSS client for it on iOS, and there was one for Android before I got an iPhone.
Pass has a pretty good ecosystem of plugins/other clients, as well. There are open source iOS/Android clients and browser extensions, so once you’re set up the day-to-day experience is not far off from any of the popular hosted password managers.
My only real issue is the dependency on gpg, as it’s pretty long in the tooth and a hassle to operate. (If you are not comfortable using gpg, spend some time learning that before you go all-in on pass!) There’s a fork[1] which swaps gpg for age, but it hasn’t attracted enough attention to get a similar ecosystem of mobile clients/browser extensions, so it’s not a very practical choice IMHO.
God help you if you want to use the PGP applet on a Yubikey or smartcard. The pieces all exist, but wiring them all up in a mobile app is hard and the result is janky.
Waiting for people to get this.
I end up helping a lot of older people for a variety of reasons with tech - 60s to 90s, family, neighbors, coworkers.
They’re not invalids and have a right to participate in the digital world, even if security requirements have exploded.
Anchoring the trust in stuff like 1Password, where we set up domains, their account info, their OTP codes, means they get to go to their bookmarked site, FaceID to unlock the PW manager, get automatically logged in, and do what they need.
Being able to let them navigate this world without always having to hand over the paper secrets notebook to random helpers, or lose sheets of paper with passwords, or get caught up in tracking down an SMS code is better for them. Their password manager with the autofill helps somewhat deter phishing links since relying on autofill usually signals something is off, and they call someone they trust.
My point, I guess, was that convenience is basic access for some subset of vulnerable groups of people.
Reality: people started writing their passwords on sticky notes by their computer. Possibly the worst outcome.
Convenience is part of good security.
Third-party password managers INCREASE your threat surface by orders of magnitude more than sticky notes, period. They change the number of holders of secrets from two to three, and that third one is now a juicy target. This is not theory, this has happened frequently.
Sticky notes (even better, a little private physical notebook) keep this limited to your physical location which is much easier to secure; the grandmas and grandpas I know who do this (I do similar) have a far better track record than anything else.
(I do use KeePassXC btw. I just think this is what GP's real question was)
Honestly, after years of resistance I've finally partially embraced Apple's solution and have to admit it works great. I love that Hide My Email is integrated into it so well too.
Vaultwarden looks neat:
> Lightweight, self-hosted server written in Rust, fully compatible with Bitwarden clients, implements the Bitwarden server API, supports organizations, attachments, web interface, website icon API, YubiKey, Duo, and multiple two-factor authentication options.
But with all this stuff coming out, I'm holding off on recommending it anymore; at least until everything calms down and the new value proposition is fully laid out.
Like other folks have said, I don't think it's yet time to migrate. That being said, it doesn't hurt to do an encrypted export for backup purposes, start looking at alternatives, and reach out to people I know use Bitwarden to do the same.
Keeping an eye out on how this develops.
As an aside, since it seems like they’re trying to make money: The aforementioned enthusiasm has gotten it adopted at a workplace of mine. The experience hasn’t been good, so no recommendation here either.
Their moat was being a trusted name in FOSS and it’s a bit sad to see them going in the direction of abandoning it.
But somebody else will probably step up and build on the ruins, like vaultwarden already has. That’s the beauty of choosing FOSS in the first place.
Hope they don't alter self hosting it.
https://github.com/dani-garcia/vaultwarden
It's entirely compatible with the clients. It also removes a lot of "rug-pull" potential, and gives you the ability to access all the nice features (ex - multi-org, multi-user, shared vaults, totp, etc...)
Honestly - part of the reason I like Bitwarden is that if they ever go full "enshittification", it's going to be relatively easy and straight-forward to just move entirely off their projects and onto open-source forks.
Because you need to back up, verify backups, monitor availability, manage updates, manage MFA, and a zillion things.
Don't get me wrong, I've worked in hardcore, high-tech IT for 30 years and I self-host two dozen or so services. It is far, very far from "absurdly easy" when you start.
Sure, you can run a container on your PC and hope for the best.
I’ve seen this idea so many times on HN. “Just stand up a docker container and self-host”. Or even worse: “why does anyone need GitHub - just host Bitbucket yourself”
Ok, then what?
Vaultwarden is the way. Easy to host with Docker. Solid. And if Bitwarden blocks the clients, there will be a fork.
It's leading to it anyway.
Not only is it incurring the cost of project fragmentation, but also incurring an always-online cost with overly complicated Docker solutions, when a fully offline and air-gapped solution already exists.
Furthermore, staying with the same ecosystem invokes the sunk cost fallacy. But the migration from Bitwarden couldn't be simpler (just export the Bitwarden JSON file). It's almost a form of battered woman syndrome people are inflicting on themselves when quite simply they can hop onto an already proven ecosystem that doesn't bait and switch.
AFAIK, Vaultwarden and Bitwarden clients are as proven as KeePass.
I need to access my accounts while I'm overseas - in fact I'm prompted for passwords far more often when I cross borders. I need my passwords at urgent moments like when I need to make a large bank transfer. I need passwords unexpectedly at all times when sessions expire or I need a new session for a device I've never logged in with.
If my home server went down for any reason at these critical moments it could be extremely bad. There are some kinds of outages I can't recover from without physically attending my server. And if I'm not very very careful there are some kinds of failures I cannot recover from at all - I have a working backup solution but so did every company that lost customer data before.
And this doesn't even touch on the security risk of hosting a database of credentials on a publicly available endpoint.
I need a trusted hosted solution.
The quiet renovation at Bitwarden
And Vaultwarden is nice. I've used it at work, hosted it myself, and as a user of the password manager I can say it's basically indistinguishable. But I don't really pay Bitwarden for a password manager -- I pay them for a secure sync of a password manager I can share with family members who can't figure out a VPN.
Had previously used Enpass in the past and was pleased to see how much it had improved since then. Also allows me several choices when it comes to where I store my vaults. And fills passwords quickly and efficiently in comparison to BW.
So I've migrated fully to Enpass - clients everywhere, browser plugins available, and it just works.
With this news, it now looks as though my migration was somewhat prescient.
I also use KeePassXC as a backup on USB should it ever be needed.
This isn't a good - particularly as passkeys are effectively just certs - migrators should be aware of those caveats.
I won’t. The optics look bad and that alone is enough to show the leadership is either hostile to users or too inept to understand why their recent actions signal a change away from what people value in their product. If they don’t understand or care about the same things as the community / customers, there’s no reason to think they’ll make choices that continue to be a good value proposition for their customers.
The only thing that’s going to stop tech companies from pulling this crap is if a hint of private money coming in to ruin everything ends up ruining things before everyone gets to cash in. Basically, a mass exodus and bankruptcy would be the only outcome that makes the next company think twice about using the enshittification playbook.
We need some companies built around fair value instead of extortion and they need to be run like Steam. Steam has an unbreakable hold on gaming because they’ve never screwed their users.
Or did he sign all of those rights away when he took the $100M "fuck you" VC funding in 2022.
Is it because everybody else is swapping between several different computers, and you need the synchronization?
I just have everything in KeepassXC, and the ciphertext is subject to the same kind of backup regime I use for other files, [edit: and also additionally] a copy kept on a USB stick in my pocket.
... and phones, and tablets. Yes.
Also consider teams or multiple teams across an org sharing secrets. Flat files are a tough sell, so these apps eliminate almost all the hassle. We pay for a lot of 1Password accounts, and I couldn’t imagine rolling our own solution.
Bitwarden just works in all those places and the tech was, by all accounts, rock solid. AND I can pay for it instead of trying to leech off some privacy-ambiguous free tier.
Me too, but I rarely add/edit anything in .kdbx file, it rarely changes. So I just keep a copy on my phone and use KeePassDroid to open it sometimes.
If you change/edit your passwords all the time, and you like autofill and I assume other features, networked solutions are much better.
And it isn’t about changing/editing passwords all the time, it is about all the new passwords that are constantly being added.
After all, even with godlike storage-media on my keychain, it would still be susceptible to a mugger or falling down a deep hole. Until that happens, it provides redundancy and convenience, provided I can bring it to a trustworthy computer.
The people I know who use KeePass live like they’re disabled. You ask them to sign up for something and they need to schedule a half hour for it two weeks out. Ask them to use a website and they need to wait until they’re home because their biweekly manual data transfer was put off because of whatever. And if they ever drop their phone, it’s this totally unforeseeable panic they’re still recovering from two months later. I’m far from convinced it must be like this, but I’m also far from convinced that most KeePass people—or people using any other strategy—have really thought this through.
Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.
Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.
> Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.
Google Drive/iCloud/OneDrive/Dropbox are already used by non-technical users - moreso than SaaS password managers.
> Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.
What do you do for when you want to access some other type of file across devices, like notes or photos? If you have notes.txt on an FTP server, just put passwords.kdbx alongside it. If you're subscribing to some new service for each individual filetype you want to sync, with nothing for arbitrary files, that seems like considerably more hassle overall to me.
And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.
How many separate services do you have for accessing files across devices, and what do you do for filetypes outside of what they cover?
> And I like having my passwords across all my devices, updating anywhere I am.
That's how it works for me with a passwords.kdbx file on my FTP server (but any cloud storage works). Same for any filetype.
> And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.
What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).
You don't need to host anything for KeePass - just plop the file next to your notes/etc.
Headache seems greater overall if you're juggling a large number of subscriptions, particularly when they start ramping up payment or moving features you rely on to higher tiers.
Talk to your local security engineer :)
On a venting note, this mentality is a frustration I have with SV, because I see it a lot. They don’t know what they don’t know, and think they can just stand up businesses without understanding the domain.
You made the claim - I'm interested to hear why you believe it, because I suspect it's based on a misunderstanding of how KeePass works.
> and think they can just stand up businesses without understanding the domain
Using KeePass is not analogous to standing up a business.
If your FTP is open to the internet, you are now responsible for alerting / monitoring, IPS/IDS, proper config management, routine automated patching, IP allow/blocklisting… all of these things require regular maintenance. Even if you stick it behind a VPN, you will need to patch, alert on, and configure the VPN and everything behind it as well, as VPNs can be compromised.
That’s why, unless I really wanted to spend time hardening the spit out of it, there’s no way I’m self hosting my passwords. I’m happy to just pay a password manager to handle all of that.
You don't need to host anything new or take on any patching responsibilities for anything you weren't before. I already had an FTP server, so put it on there. Wherever you already access arbitrary files across devices (you didn't answer what you do for files outside of your filetype-specific subscriptions, but I'd assume you just have iCloud or something) should work fine.
Not that there are zero reasons to use a SaaS password manager, just that I disagree Keepass is somehow insecure or prohibitively technical for regular users. The solution a lot of people already seem to gravitate towards (if not just password reuse) is "passwords.txt on Google Drive".
If a conflict did happen though, newer versions of Nextcloud just keep both copies and alert you to resolve it. If I had to resolve this I'd probably try the built-in database merger first: https://keepassxc.org/docs/KeePassXC_UserGuide#_merging_data...
There are several factors at play making conflicts almost impossible:
- A central device can be immediately synced to. For Nextcloud it could be a server; for the direct synchronization I use (Syncthing), my phone (almost always online) is the intermediate device for all.
- You are usually online when creating accounts/passwords, so a sync can happen directly after a change.
- And finally: How often do you actually _create_ accounts rather than just read the database? And how often do you do it on two devices in quick succession?
What are you guys doing to get real issues?
Even if I had a USB-stick of magical capacity and reliability, I wouldn't want to have to remember to connect and disconnect it constantly.
Most of the workstations I use completely block USB storage devices (but not FIDO2 keys!).
What would be super nice is to have a USB wedge that I can just use to send my passwords from my phone to any computer, like this: https://www.inputstick.com/ (Expensive, sold out, and also doesn't ship to the USA.)
Syncing was an utter disaster. Inevitably something would cause syncs to be delayed, and then there would be a conflict and one of our changes would be silently lost. We were constantly going to look up a password we had entered, and finding it was not there anymore, at which point I would have to dig through sync conflict backup files and manually re-enter the passwords that were lost, or go through the password reset flow for the sites. It was a giant mess, and that was just with two desktops and a laptop. I was using btsync at the time, but all the issues I encountered apply to any file-based synchronization, like Syncthing, Nextcloud or Dropbox. Performing whole-database file synchronization is simply not the right approach for a password safe.
I eventually switched over to self-hosted Bitwarden with the browser plugin and it has been much smoother.
But the interface of every software on a phone is so atrocious that I have never actually seen any benefit from having a password manager there that I could copy stuff from. So now I just don't have it, and haven't seen any loss yet.
That said, I store way more low-value passwords on the Firefox manager (that is synchronized) than high-value ones on the offline manager.
I use it to sync between my phone, tablet, laptop, and two desktops.
I want to be able to add a login from any of those, and have it be updated on all of them.
I might have more machines than most, but everyone has at least a computer and a phone, seems reasonable to want to link those two.
So you do understand it!
It's not a good idea to become dependent on a single corporation's products.
Passkeys too: https://sixcolors.com/post/2025/09/export-keys-securely-from...
Edit: it actually disappeared for some time but they put it back on May 18
snapshot from May 15: https://web.archive.org/web/20260515190646/https://bitwarden...
snapshot from May 18: https://web.archive.org/web/20260518183728/https://bitwarden...
There are a fair number of multi-hundred-year-old companies out there.
No it absolutely must not.
When a company tells you their intention by announcing a change, it's often a good idea to listen. Even if their PR department does some good cleanup work in the aftermath.
Another recent example is GitHub charging for self-hosted CI. They backtracked, but they're still going to end up doing something. They kind of have to because of all the "get 10x cheaper actions runners by changing one line" people.
If they are going to make it not free, they can just remove it right before they make it not free.
If it was somehow a binding promise, then it doesn’t matter if they remove it or not, the promise was already made.
If it isn’t a binding promise, then it doesn’t matter if they remove it or not, the promise was not binding anyway.
> The “Always free” motto quietly reappeared on the site after its removal was uncovered and went viral on Fedi.
(And the linked article gives evidence: <https://blog.ppb1701.com/the-quiet-renovation-at-bitwarden#:...>.)
I think this is the overreaction - getting worked up about these sorts of risks in general isn’t worth your time.
Otherwise you’d end up self-hosting everything strictly on OSS from maintainers you personally know and trust.
This is like someone saying, “don’t use AWS because they might raise prices some day”
Between the lawsuits and the brand damage, there is likely very little upside for a company entertaining this idea.
They were never yours, and zillions of people you don't know have access to them.
KeePass2Android Offline and KeePassium on mobile.
Tech has generous TC, lots of high-end laptops and phones worth thousands, AI & cloud spend, and yet the only acceptable price for secrets management is $0 it seems at times.
Many companies offer a free tier and a paid tier and are willing to incur the cost of users who will never convert. If a company doesn't actually intend to keep it "always free", they shouldn't make the promise in the first place.
It means the old guard is moving away and potentially starting initiatives not in the best interest of the user. In the worst case scenario they will sell my data or introduce stupid changes that risk security.
My advice would be… If that happens, you can worry about it then.
It seems you could lose a lot of time and sleep protecting yourself against a doomsday scenario that will probably never happen.
As soon as a company positions themselves to hold your data hostage, assume they will. I have no problem paying, but I’m not going to pay anyone trying to trap me. That’s the goal of most of these tech companies now.
My opinion and stubbornness doesn’t matter though. Identity control is getting lobbied into government legislation everywhere. Everyone’s going to pay no matter what, probably twice; once directly, once via taxes.
I might self-host something at some point. But even choosing something seems a menial task, not to speak of setting it actually up...
Paying means they have revenue, an interest to keep it secure and innovate more.
I recall LastPass and the LastPass breach and the class action from that, but that resulted from an improper crypto rollout.
Would the same risk happen with Bitwarden?