I switched to Bitwarden when LastPass started using silly tactics to make customers pay. I didn't switch because of the price - the service pricing of Bitwarden was a pleasant surprise.
I switched because I lost all trust in LastPass.
Managing credentials and sensitive information is all about trust. The second I lose trust in that kind of service, I don't just stop using it, I will most likely never even consider coming back as a customer and I will warn people against them. I don't give second chances to services that are trust based.
I'm pretty happy with Bitwarden so far. But if they betray my trust I'll be out of there in a day, never to return. I switched from LastPass to Bitwarden in a day. LastPass never gets a second chance.
What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.
> I don't give second chances to services that are trust based.
You might run out of services then at some point.
Human beings are fallible, full stop. Also, a company isn't an individual -- management teams change, corporate priorities change, security practices improve. Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.
Refusing to give any company a second chance ever is pretty extreme. Each individual case needs to be handled on its merits -- what happened, why did it happen, do you think the company learned and implemented new policies, how many other undiscovered vulnerabilities do you think are still there? But also, how many other undiscovered vulnerabilities do you think are still there for competitors as well? Just because a competitor hasn't had a breach doesn't necessarily mean it's better, it might just be lucky so far.
2001-2007, I had multiple bad experiences with Compaq, Lexmark and HP. These were so bad in terms of cost and frustration I vowed I would never buy their products or services again. It's been... 15+ years. The tech world of today is not quite the tech world of 2003. Should I ever bother with a Compaq or HP again? I probably won't, but the 'avoid at all costs' just isn't there with me any more. Perhaps I've mellowed slightly in the past 15-20 years.
I am still firmly in never-again-Hewlett-Packard camp after almost 20 years.
The final straw for me was purchasing an HP laser printer (probably the 6th or 7th one I ever bought) and it shockingly had the same extreme-low-quality level that I had experienced with HP laptops, CD ROM drives and other peripherals.
It is probably not fair but I blame Carly Fiorina for this degradation of once reliable hardware manufacturer.
Compaq hasn't existed in any meaningful sense in 10-15 years. HP formally retired the brand in the early 2010s, although it had all but faded away several years prior to that.
> Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.
Not the OP but I have a similar stance. However, a mistake from an individual employee doesn't mean that I instantly lose trust. It's the handling of the mistake that matters to me. Sweeping it under the carpet, denying their mistakes or outright lying about mistakes is what results in me losing trust.
> You might run out of services then at some point
I prefer using services for my password management (I'm a bitwarden user who's currently happy as well), but I would jump back to some sort of self-hosted or even offline/manual sync solution if I thought that was the only way to keep my passwords safe. I like the convenience of a service, but I would sacrifice it over my security if it got to the point where I had to choose between the two.
I actually used to use KeePassXC and have my (encrypted) password file sync'd through Dropbox, but their Android client changed to not support a way to have the file stored offline but also automatically sync changes, so I ended up swapping to Bitwarden. In the past I had used Nextcloud instead of Dropbox, so that would probably be one of my first ideas if I did end up deciding to stop using Bitwarden.
Any reason not to use Password Safe[1]? It seems to do it all and doesn't require you to trust some Move Fast And Break Things startup's online service.
BitWarden is based almost entirely on open source so it's possible to branch the project. Given some of the language on their website and their more recent attitude towards OS licenses, my prediction is that they will use the new funding to build as many closed source modules as possible to increase user switching costs, similar to what Google is trying to do with Chrome on top of Chromium. But that is a slow process that takes years, and a lot can happen between now and then.
I don't think Dell or HP make their own computers anymore - consumer stuff is all outsourced to Taiwanese/Chinese OEMs (Quanta, Wistron, etc.) - they probably still only make servers in house.
Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it.
I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?
> What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.
They don't care as long as they can extract their profit before that happens. This is VC, they will prioritize medium term gains over long term stability.
On HN, VCs are either ruthless short-term profit extracting machines or overly optimistic clowns investing in hopelessly unprofitable companies on the promise of future growth, depending entirely on the point currently being made.
tbf both may very well be true at the same time. There's certainly a larger number of both AI powered juice makers as well as "freeze your head" longevity startups than anywhere else
I bailed on lastpass when they doubled the annual price for the second year in a row. They had also just been acquired by LogMeIn, who didn’t have a great reputation.
I don’t know if I can manage another service switch. I can do it just fine, but my wife is more resistant to these kinds of changes and we need to be on the same page on this.
LastPass pricing model is what turned me off. I am happy to pay for services I use regularly, but I remember the pricing model didn't seem appropriate for what they were offering. The short cutoff period added insult to injury.
I checked out Bitwarden and it seemed like a better version of LastPass that just happened to be free. Their paid model doesn't appeal to me so I don't subscribe, but I would enjoy paying if they offered something that did.
(Off-topic: Bitwarden seems like an exact LastPass clone all the way down to the UI. Do they share a similar codebase or something? Like was one forked from an OSS version of the other?)
Same, I even remember paying for LastPass for a bit. It was more that I wanted to support a service I liked (same reason I pay for other services). Though I find BW's paid model a bit surprising. I know it is only $10/yr, but the only real value here is 1GB storage and yubi/fido keys. I don't have yubi keys (they seem cool but also a pain in the ass) and 1GB seems rather small.
Looking at Google, Dropbox, and Apple, storage pricing ranges from 4GB/$ (Apple) to 20GB/$ (Google's 5+TB plans). I'm willing to bet that offering 5GB would make it more worthwhile and a very small fraction of your users would actually use it. What are you going to store? Your passport photo and driver's license? I wonder if there would be a psychological effect here because it is really hard to tell if 1GB is enough or not. At least your average person has no idea.
One paid feature that can be very important is designating emergency access contacts. A family member had a stroke last year (doing much better now) and one thing that made life much easier was having access to his passwords - in this case because I'd set him up with Keepass years ago and still had the password saved.
Ugh, I'm paying for LastPass because I haven't gotten around to switching to Bitwarden yet. They list a monthly price, but they actually charge you annually, so you're essentially locked in for a year (if you want to make the most of your money).
I didn't mind paying for Lastpass, but I started planning to move away when they were bought by LogMeIn because I've seen that company's acquisitions before.
Jumped from a paid LP plan to a Bitwarden family plan with sharing and emergency access and quite happy.
I mean, it's not as if these companies care for customers like you anyway. What they want is someone who is willing to purchase their product w/o making a fuss about the negative parts of their business. In fact, I bet LastPass is happy you left.
Doesn’t really matter what Lastpass did wrong, does it? The point is that trustworthiness is the single most important value for someone who wants users to entrust them with their credentials. Another point is how easily they can lose users. The poster lost trust in them, and was able to swap them out in a day.
Bitwarden already does one thing well. It's everything I'm looking for - open source, costs money but not much ($10/yr), 2FA, clean interface. I'm happy for the new investment, but I hope they don't start adding new things just for the sake of growing.
Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?
How did I have to scroll this far down to find someone who's actually read the post? Everybody seems to think the money is purely for expanding the password manager, while in the post they call out adjacent markets they want to expand to.
I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.
It's not that people didn't read the statement, it's that people have learned not to trust statements like this. Ask all Heroku's customers who were just fired by Salesforce to focus on their enterprise offering for example.
If you're new to 1Password, you may enjoy their service because you won't have the memory/experience of the things that were taken away or "how it used to be."
Now, as for whether one should worry because the company screwed their existing customers once already ... that's personal risk tolerance, I guess
My opinion is that 1Password is the best product out there for the majority of users, because they're pretty good about documenting their formats, have a very good export story, their customer service is mostly good, it's a reasonable price, and their UX absolutely spanks Bitwarden up one side and down the other
But, if a few years from now they rip the ssh-agent out of their Electron apps citing some "well, we decided" reason, or they ban 3rd party clients from using their API because "of sekurity," then no one should be surprised that the scorpion stung them
Welcome to HN/Reddit. Most threads have people commenting without reading the article at all (or very briefly skimming). More or less just reacting to the headline.
And according to HN guidelines, we aren't supposed to comment on if someone has read the article or not. Stellar.
Given Apple's push for a passwordless web in collaboration w/ Google and M$ [1], I was worried that BW will go out of business, but they have plans for this and I hope they succeed.
I would love for Bitwarden to use this money to make SSO available to all pricing levels. Currently, in order to use SSO with Bitwarden you have to be on their "Enterprise" plan. I think SSO is too important to gate behind a paywall, especially for a company whose main product is security.
> Why would a password manager need so much money?
The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.
I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.
It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.
Sure, a standard exists, but that by itself isn't a great user experience. If you actually try to use something like a YubiKey you end up having to register multiple keys with each site to deal with a lost key (assuming the site allows that in the first place). Then you have to remember which keys correspond to which sites, and remember to get your backup key out each time you sign up somewhere new, etc.
Google, Apple, etc are building on WebAuthN in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.
I'm probably more excited about passkeys than most, but I don't see why you need $100M to add support for that. It's a pretty straightforward addition to existing password managers. Might even be easier to support than it is to build a user-friendly password autofill, all things considered.
I find that the easiest way to handle backup keys is with a printout of 10-20 pre-generated auth codes, which go in my safe. Much easier than having a backup hardware key I have to remove and then replace from my safe, each time I need to add a new service.
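The printed-codes approach in the comment above works because the service only needs to keep hashes of the codes and burn each one on use. The following is an added example, not code from Bitwarden, 1Password or any project mentioned in this thread; the alphabet, code length, batch size and the `BackupCodeStore` structure are assumptions chosen for illustration. It shows generation of a one-time printout, storage of salted hashes only, tolerant parsing of codes retyped from paper, constant-time matching, and rejection of a replayed code.

```python
"""Printable single-use backup codes: generate once, store only hashes, burn on use."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without 0/O and 1/I so codes survive being retyped from paper (assumption).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN = 10          # 32**10 ~= 2**50 possibilities per code
BATCH_SIZE = 10        # how many codes go on one printout


@dataclass
class BackupCodeStore:
    """What the service persists: a per-user salt and the hashes of unused codes."""
    salt: bytes
    hashes: list = field(default_factory=list)


def normalize(code: str) -> str:
    """Tolerate the ways people retype a printed code: case, spaces, hyphens."""
    return code.strip().replace("-", "").replace(" ", "").upper()


def _digest(code: str, salt: bytes) -> bytes:
    # Codes carry ~50 bits of entropy, so unlike passwords a single salted
    # SHA-256 is adequate; brute force is bounded by rate limiting, not the hash.
    return hashlib.sha256(salt + normalize(code).encode("ascii")).digest()


def generate_backup_codes(count: int = BATCH_SIZE):
    """Return (plaintext codes for the printout, store for the database).

    The plaintext list is shown to the user exactly once and never persisted.
    """
    salt = secrets.token_bytes(16)
    plain = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        plain.append(raw[:5] + "-" + raw[5:])      # XXXXX-XXXXX is easier to copy from paper
    store = BackupCodeStore(salt=salt, hashes=[_digest(c, salt) for c in plain])
    return plain, store


def redeem(store: BackupCodeStore, submitted: str) -> bool:
    """Accept a code once: compare in constant time against every stored hash,
    delete the match so it cannot be replayed, reject everything else."""
    candidate = _digest(submitted, store.salt)
    match_index = -1
    for i, h in enumerate(store.hashes):
        # Scan the whole list instead of breaking early so response time does
        # not reveal the position of a match.
        if hmac.compare_digest(candidate, h):
            match_index = i
    if match_index < 0:
        return False
    del store.hashes[match_index]
    return True


def remaining(store: BackupCodeStore) -> int:
    """How many unused codes the user still has (warn them when this gets low)."""
    return len(store.hashes)


if __name__ == "__main__":
    codes, db = generate_backup_codes()
    print("Print these and put them in the safe:\n" + "\n".join(codes))
    print("first use:", redeem(db, codes[0].lower()))
    print("replay:", redeem(db, codes[0]))
    print("left:", remaining(db))
```

Each redemption removes the matching hash, so the same printed line can never be replayed; the caller is expected to rate-limit `redeem` like any other second-factor check.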
Which is great if you have a printer (and are near it when you're signing up for the account, and remember to do it, and remember to put it in your safe, etc...). Just because it's the easiest way currently doesn't mean there isn't substantial room for improvement in the usability of passwordless systems. Most users aren't going to go to the trouble of printing something out like that.
And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.
Yes, and what is that one like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations which then get spun into a new standard they all "agree" to before.......
Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.
Given the number of businesses out there doing it I would venture to guess you are wrong.
Also Bitwarden and other password managers are not just about storing the passwords. For example on a personal level I use Bitwarden family to manage my parents' passwords and to assist them with issues on various services; this gives me a way to set up accounts and securely share passwords with them for the services, and vice versa.
For business we use the Enterprise products to share passwords for everything...
None of which is a "solved problem" at the OS or Browser level
> Why are large businesses “sharing passwords” between users? What happens when one user leaves?
Because not all products businesses use have fine grain authentication and authorization. For example, their registrar for their domain names. And differing employees need access to it at different times.
> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?
What do you think Bitwarden does? It's fine grain authorization over shared resources (passwords) that control who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.
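The offboarding step described in the comment above (revoke the person's access, then rotate every shared secret they could see) is easy to get wrong if you only rotate what the audit log shows they opened. Below is an added example, not Bitwarden's code or API; the `Org`/`Item` structures, group and collection names, and the sample vault contents are constructed for illustration. It computes the rotation list from what was visible to the departing user through group membership, uses the access log only to order the work, and then removes the user from every group.

```python
"""Offboarding check for a shared-credential vault: every secret a departing user
could read must be rotated; the access log only says which ones to do first."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    collection: str          # the collection (folder) that gates who may read it


@dataclass
class Org:
    group_members: dict      # group -> set of user ids
    group_collections: dict  # group -> set of collections that group can read
    items: list              # all Items in the organisation vault
    access_log: list         # (user, item name) read events, oldest first


def collections_for(org: Org, user: str) -> set:
    """Union of collections reachable through every group the user belongs to."""
    return {
        c
        for group, members in org.group_members.items()
        if user in members
        for c in org.group_collections.get(group, ())
    }


def items_visible_to(org: Org, user: str) -> list:
    cols = collections_for(org, user)
    return [it for it in org.items if it.collection in cols]


def rotation_plan(org: Org, departing: str) -> list:
    """Return (item name, was_read) pairs, secrets the user actually retrieved first.

    Everything visible is rotated regardless of the log: the vault cannot prove
    a secret was never copied out of it while the user had access."""
    read = {item for user, item in org.access_log if user == departing}
    plan = [(it.name, it.name in read) for it in items_visible_to(org, departing)]
    return sorted(plan, key=lambda p: (not p[1], p[0]))


def offboard(org: Org, departing: str) -> list:
    """Compute the plan before removing access (afterwards nothing is visible),
    then drop the user from every group."""
    plan = rotation_plan(org, departing)
    for members in org.group_members.values():
        members.discard(departing)
    return plan


def sample_org() -> Org:
    """Constructed sample vault; all names are invented for this example."""
    return Org(
        group_members={"ops": {"alice", "carol"}, "dev": {"alice", "bob"}},
        group_collections={"ops": {"infra"}, "dev": {"saas"}},
        items=[
            Item("registrar admin", "infra"),
            Item("aws root", "infra"),
            Item("stripe live key", "saas"),
            Item("ci deploy token", "saas"),
            Item("payroll portal", "finance"),   # never visible to alice
        ],
        access_log=[
            ("alice", "aws root"),
            ("bob", "ci deploy token"),
            ("alice", "stripe live key"),
        ],
    )


if __name__ == "__main__":
    org = sample_org()
    for name, was_read in offboard(org, "alice"):
        print(("ROTATE NOW  " if was_read else "rotate      ") + name)
```

The two-tier output matters in practice: the credentials in the log are the ones to rotate before the person is out of the building, but the rest still go on the list, because a "was never opened" entry only means the vault never served it, not that it was never seen on a colleague's screen or pasted into a ticket.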
It's also useful for things like secure temporary password delivery. I set up your account for the first time with a new service, generate a temp password you have to reset on first login, and then share it to your Password Manager space.
Also just useful for things like API keys - my team just has all of our team's allocated API keys for various services in our password manager so we don't have to go look them up in all of the various service's sites if we need them.
We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.
Notice that Square for instance strongly discourages API Keys for production.
On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.
Now I’m curious and this comes from my job history is working at mostly small disorganized companies and then moving to one very large company where I work with other very large enterprises so I have no experience with mid size companies.
Say I work for a large company where everything is gated via an SSO - email, Slack, internal apps, ADP for payroll, my brokerage account containing my 401K information (of course I do have a separate non SSO password for this since it is my account), and Bitwarden (I see it does support SAML).
If I leave my very large organization, it’s easy enough for a manager to disable my SSO and be mostly assured that I don’t have access to anything I shouldn’t. Because “security is job 0” (How do you say where you work without saying where you work /s).
Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?
> Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?
To reframe this: Companies use both SSO and BitWarden, but because a typical company utilizes so many differing services with differing auth coverage (supports SSO? supports roles, permissions, etc.?) BitWarden fills the gap. BitWarden wouldn't be used for your ADP and 401K. It may be used for your company's payment processor under one main username / password. It may be used for your root AWS account username and password. It may be used for your DNS management. Production API keys for Stripe may be stored there in plain text, but encrypted in your secret store of choice. Those are the typical use cases I see. The list of things you keep in BitWarden is small(er), but they're business critical. Whereas before they were held by the CTO of the early stage startup, now they're centralized, secured, have an audit trail, can be easily shared with others, etc. etc.
In the company I used BitWarden with, these passwords were rotated manually when an employee who had access to that password left and the new value updated in BitWarden. Maybe that's easier now?
Lots of things would not have individual passwords, including:
1. Hardware Passwords
2. BreakGlass Accounts (used if SSO Fails)
3. Vendor Passwords
4. Recovery Passwords
5. Local Admin Passwords for Servers
We also use it to store Backup Encryption Keys, VPN Tunnel Keys, SSL Cert Passwords, File Encryption Passwords, License Keys, etc etc etc
We also have our own Personal Vaults that are individualized, so we can access both our personal passwords and company passwords in one interface that is cross-OS, cross-browser, and has an API for programming interfaces.
none of which is possible with BrowserBased or OS Based Password Storage.
Realistically? Many services charge by the seat, so for a service that doesn't get used too often, a lot of places will use a shared account as a cost-cutting measure. Subscriptions add up.
Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also DropBox.
1Password’s desktop app is much worse than it used to be all while each platform's built-in capabilities are getting better.
>1Password’s desktop app is much worse than it used to be all while each platform's built-in capabilities are getting better.
I keep reading this but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on because these re-writes haven't done much but in terms of functionality, I think it's best in class.
A full rewrite takes a lot of time. We did this twice in the past and it is always painful. We had to do it again this time because the discrepancies between the platforms became ridiculous and we had to fix this. For example, the same search would produce different results on Mac and Windows and Android.
We also took time to address some of the pain points that existed in 1Password 7. For example, it was technically possible to have a different Master Password on your Mac and iPhone, etc.
The local database was rewritten and we made sure that everything that is possible is fully encrypted. For example, all rich icons are now stored encrypted. We also changed the logging system to make sure no personal information is ever logged. At the same time, we had to make sure the data format is backwards compatible with the old version so that both 1Password 8 and 1Password 7 can be used during the transition.
We ran over 100 studies with both existing users and people who never tried 1Password before to make sure the apps are more usable by everyone.
For new users we added New Item experience that made it easier to navigate through templates and understand how to use 1Password. For developers, we added CLI integration, support for SSH keys, and a built-in SSH agent that secures your ssh private keys.
Brand new Linux app, more than 100 new features and improvements overall, on top of the full rewrite.
I'm a fan (been using it for 10yrs I think?) and think the HN sentiment around it is not representative (it's the only app I'd actually recommend to people and that I trust my family can use).
The family vault features are really great and I was glad to see the browser dropped (I didn't really get why it existed).
I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.
> I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.
You are not the only one who missed this feature and it is coming back soon. It wasn't available in SwiftUI and we had to go back to UIKit to implement it.
from the founder of 1Password: would love to learn where you think it is worse.
1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.
Not the person you commented to, but I think the only real loss was 1Password Mini. There is the alternate ‘search bar’ mini app which is a decent replacement, I wish that was the one that pops up by default (like used to be with Mini).
You guys make a great product otherwise. It’s the only one where I strongly recommend it over the open source alternative (Bitwarden) even though I have a strong open source bias. There’s just a 1000 things in UI and UX that you guys do slightly better than the competition, sort of an inverse death by a thousand cuts.
I see it from a different perspective. There are not that many real native Mac apps that both look and feel great. You could probably count them all on your hands.
Also, I certainly understand being a long-time Mac expert. However, when we tested 1Password with new customers we found a ton of usability issues and many of these problems are solved in 1Password 8. One example, most new users couldn't even figure out how to create new items right away because of the look and the location of the "New Item" button in the old app.
1Password, a competitor, raised ~$650m earlier in the year off the back of exceptional growth. The investment case is likely: Bitwarden are doing well, 1Password are doing very well, maybe Bitwarden can do very well too with some additional capital. Password management is rapidly growing in mindshare, there's a big market and great room for growth, the amounts involved are commensurate with the opportunity -- every single enterprise will have a robust password management setup soon enough.
1Password is 4x the price and is not open source. Doesn't 1Password's stronger backing provide more risk for Bitwarden investors too (chasing the same customers but with less to spend on acquisition)?
Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?
Venture investments don't typically work that way: the goal isn't incremental returns YoY but rather major returns in the long term. Raise a fund, make a bunch of investments, report growth in valuation YoY (based on increasing valuations of portfolio) and then deliver returns once portfolio companies start to exit.
If BitWarden can use that $100m to 10x their valuation and then exit (whether that's an acquisition, going public etc.) the investors will have secured a win: if BitWarden's valuation stays where it is and returns ~$10m/year to the investor(s) over the next decade, that's not a great outcome considering the opportunity cost of capital.
Debt equity is the type of financing you're describing: lower risk, lower returns, not particularly exciting and not particularly attractive to investors if they believe the company has substantial upside potential.
Yes, I'm not familiar with expected returns for investments so my back-of-napkin maths was based on approximate housing inflation in the UK. I figured they'd want more than that as a minimum.
Clearly Bitwarden isn't a unicorn, being a smaller entity in a growing market; do VCs really expect a 10x (in a couple of years?) from that sort of investment?
So, do you agree with my basic premise that they'll need a whole heap of customers, that they don't seem likely to get, in order to make any dent in the investors hoped for returns?
I’d suggest with almost absolute confidence that they are betting on unicorn status for BitWarden. I’d be surprised if they expect anything less than a >$2.5bn exit.
The browser is the obvious option. Firefox and Chrome both implement ways to save passwords in the browsers. I believe Firefox has a service to sync them, Chrome may too (I don't use them, so I don't know).
They could reasonably tie in to whatever Office-suite you use (GSuite, Office 365).
In the enterprise, it could be part of a larger "credential management suite" product managed by security. Allow syncing and auditing of credentials, like "when was the last time this cred was changed?" with some kind of automation to generate and push a new credential when need be.
From the outside looking in, a basic credential manager doesn't seem complex enough to be a standalone product.
I would think so, on the business side of things. I'm not entirely sure what we pay for 1Password because we pay it without question tbh. We have a fair few subscriptions but 1Password would be up there with the indispensable ones.
They'll probably aim for competing with the likes of Okta in delegated authentication and identity management, which is a huge market which needs some more competition. I'm in favor, and it really doesn't need to have any negative impact on their existing user base, at least so long as they can manage their growth and don't become a dysfunctional org because of it.
I just hope we won't get repeat of LastPass - some company buys it then just keeps on life support while raising prices.
Also "OSS" version is not really open source, it's just core and all the features you really want from password manager are behind the paid license anyway
Like what? All the features that a password manager needs to have (and features that 99% of people need) the OSS version has. SSO, organization management etc. is not something that a "password manager" needs to have.
Like TOTP, which is part of the paid variant and I consider that an essential feature of a password manager in 2022. Don't get me wrong, I am not complaining about that business decision, just answering since you asked.
I totally agree, however there are some low-criticality services where 2FA is a burden and having it in your main password manager app is a tradeoff worth consideration. Definitely NOT your primary email address.
A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.
$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.
I don't really want them to grow. Growing usually means overinflated expectations and when they aren't met by the new products they will try to retrieve the shortfall from their existing customer base with additional monetisation, driving them away in the process.
I hope it won't go this way here but such a cash buyin is usually the start of a difficult time.
> $10/year customers are completely irrelevant to a company at this stage.
Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(
When $10/year is often less than .01% of even a junior developer's salary with benefits, then yea, that does kinda mean we can't have nice things, if nice things require a few devs to implement. We've all gotten so used to getting things where the VC discount was already fully priced in over the last decade that we're deeply conditioned to expect everything to be sold at VC subsidized prices, which it turns out isn't really economical for most non-VC backed businesses to sell at.
I'm sure someone will, like clockwork, reply to me that that could be done by one developer in C, sold for $0.50 and then never patched again because UI designers just mess everything up and no one should have a smartphone anyway. If that's your idea of "nice" then you're likely living a happy life, but if you expect a UI and reliability like even oldschool 1Password or Lastpass, then $10/year isn't buying you that level of development and support.
Well, the thing is, we have nice things now. I don't think most bitwarden users are screaming for new features. Simply continuing as they are with current staffing would be preferable to risking the farm with a big new product.
And the kind of user that picks bitwarden over LastPass or 1Password is not the kind that needs a ton of support.
I guess the question is if they felt like they could continue with their current staffing. Obviously this is a really big funding round, so they clearly decided to aim for more than the status quo, but I've seen plenty of projects where it was many dev's side project, or it was a small number of full-time dev's work, but they were getting burned out and overworked trying to provide the service.
It just always feels too easy to assume that it was sustainable to run/maintain some minimally priced service. Perhaps they realized they needed more developers to have a healthy relationship with their job, and instead of raising the price to $30/year or more to match the new costs, they decided to shoot for the moon.
I'm certainly not trying to say that it's obvious that they're making the right call by taking this investment, or that this won't all fall apart. It's just also important to not assume that the status quo for them was something they could keep going on for the next 3 years.
> Why would a password manager need so much money?
A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.
Not saying that's what happened here but I've seen it happen this way.
With smartphones leading the push towards digital everything, passwords (auth / authz) have become the most important asset, even for consumers.
Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz
Which has also become a single point of failure, and a target for social engineering since "lost device" or "stolen device" etc. becomes the new de facto backdoor
These are all copyleft... with a CLA (contributor license agreement). It's the CLA that allows them the ability to dual-license for the server.
The VCs must really believe the company can produce a product based on Enterprise sales which would deliver a value north of $1B. And perhaps they can, as Bitwarden as we know it could be considered a strong beachhead to allow them to expand into other auth markets that have high value (hello Okta, Auth0, etc).
But this doesn't seem that scary for Bitwarden users at this point.
Oh dear, this isn't good news at all. Now they're going to be under pressure to produce excessive returns to fatten the company up for an IPO or sale. Having seen what happened to Lastpass when it was passed around from pillar to post this saddens me deeply. Let's see what anti consumer measures they start introducing to force us to pay more. Limitations on the free tier look likely and price rises as well.
It's weird seeing people downplay this exact scenario. They raised $100M, can they hit sales in a recession? Rates are rising for VCs, they need to generate a winner quickly more than ever. Just in time before the expected 75bps rate increase
For sure. Taking venture capital increases the odds of a large success, but also increases the odds of total failure. VCs are perfectly willing to blow up a modestly successful business if it means a chance at a giant success.
And from my perspective as a BitWarden customer, both of those outcomes could be worse for me. Obviously for failure, but many companies in their rush for new pots of money can do things that aren't great for existing customers. And then if those rushes don't work out, things like layoffs, reorgs, and other chaos can diminish customer focus, leading to long-term product decline.
Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it.
I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?
> I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?
they're probably over-represented given that this is an incubator-adjacent forum but startups are vastly outnumbered by both mature businesses as well as bog-standard privately owned businesses so probably not.
Most firms don't get a hundred million dollars up front, they grow products and revenue just like everyone else, with significantly fewer distortions to users or business models.
I guess I might be now that the directors of our little company have sold it, but I assure you I am substantially more mad about that sale than I am about the Bitwarden one.
We use BitWarden at work, we use their business/hosted offering.
We pay them $3600 per year.
Why is everyone so concerned? They’re popular enough in businesses. Their product is great for teams, hence why we pay for it. I’ve found it much better than alternatives. The killer feature for me has been safer account sharing, including 2FA (and I know it makes it somewhat redundant, but it’s safer than turning it off completely)
Indeed, they already have a business model, they won't need to cannibalize their open source password manager to make money here. They just need to grow the business side + offer new auth related services as they mention in the article.
LastPass tried to grow the B2C business which put more stress on the consumer product.
C# is a rarity in SV and startups in general. There's a resourcing constraint for a team hiring only geographically in SV.
SV and startups are dominated by JavaScript/TypeScript and Python. It makes the parts of the team a bit more plug-n-play and in some calculus, makes it easier to grow the team as the company grows.
There's also a bit of cultural asymmetry that may make it harder to hire experienced senior C# engineers. C# tends to be heavily used in enterprise so a startup competing for those resources may have a hard time because of that asymmetry with such engineers seeking more stability (both in terms of employment and codebase). Startups are built to go fast and break things which is the cultural opposite of enterprise where you plod carefully, plan, test, document, release, repeat.
There's always some consideration that C# may be a liability at due diligence. I can understand to some extent since it's much easier to hire for JS/TS or Python in SV than it is to hire for C#. Not that it can't be done and C# as a language is close enough to TS that a strong TS backend engineer can easily be trained to C#.
I get the idea that most developers in SV don't know C#/.Net, that happens everywhere. Some areas are java, some .net, some Ruby/Python.
What I was surprised about was this weird rationalization that C#/.Net was somehow dangerous to a startup. Not only is that not true, C#/.Net is going to be better for a startup long term due to the stability that comes with that ecosystem that you flat don't get in ruby, python, js, etc.
There is absolutely nothing outside of the hiring difficulty that would ever cause problems for a startup wrt C#/.Net.
> What I was surprised about was this weird rationalization that C#/.Net was somehow dangerous to a startup. Not only is that not true, C#/.Net is going to be better for a startup long term due to the stability that comes with that ecosystem that you flat don't get in ruby, python, js, etc.
It's "dangerous" in some scenarios for sure.
1) You want to hire locally in SV; there just isn't a concentration of developers there.
2) You want to hire senior resources for your *startup*; I emphasize startup because you're comparing apples to oranges when comparing startup to enterprise. C# is heavily used in enterprise so a startup competing for senior resources might be fighting an uphill battle
3) You want to make sure your team is plug-n-play; there's an abundance of JavaScript, TypeScript, and Python developers. For this reason, it's probably not a great idea to choose Go or Rust because now you're competing against Google and low number of senior Rust developers in general.
4) You want a full stack team; if you hire C# backend, you'll need to train your JS/TS front-end folks to be full stack. If you're full stack C#, well, you're not going to have a good time unless your app is desktop.
----
I'm a big time advocate for C# and part of the reason I joined my current startup was to see what sort of crazy team would pick C# for a SV backed startup, but I can also see the flip side of the coin.
My issue is with the idea that startups are harmed by using C#/.net.
The C#/.Net ecosystem is a batteries included ecosystem, we're not talking about trying to use C++ to implement a website.
Functionally the major difference between C#/.Net and things like node, et al, is that the C#/.Net framework will be supported far longer than the other and the upgrade path will be a lot smoother. That's not opinion, it's objective fact. I've made a lot of money supporting companies that paid for the flavor-of-the-day du jour and didn't realize they needed to stay on the rat wheel that is major upgrades. There's literally a company dedicated to support out-of-date RoR frameworks, including older versions of popular gems with security updates they maintain themselves because of this phenomenon.
My point here is this.
There is nothing inherent in C# or .Net that is dangerous to startups, that's a bubble you seem to exist in. Not choosing C# because the area is mostly Python and JS is a legitimate decision. What isn't legitimate is rationalizing that into C#/.Net itself being inappropriate for startups in general, rather than being inappropriate for that area (for ALL companies, not just startups).
This whole thing about enterprise is a red herring. Enterprise companies use Python and Ruby as well. It smacks of a community trying to rationalize something that has no true rationalization.
Glad for them and I really hope them to succeed in the long run, enlarging the list of successful businesses based on OS.
As a side note, I've been tempted so many times at this point on getting a paid subscription and getting rid of my "keepass+keepassdb sync via Google drive+keepass keyfile local copy on each device" for the sake of making things simpler. I've read how the internals work, checked the audits, read forums etc. Everything looks great, but I am always paranoid of some security issue arising and my passwords being leaked. I have my entire life pretty much on my password manager and that being exposed would be disastrous at so many levels. Probably just me being irrational.
Maybe some sort of self hosting arrangement would work for you? I self-host Bitwarden behind a Wireguard VPN so it's only visible to devices I've authorised. Self-hosting comes with its own risks of course but you would at least be in control of your data.
I do the same. I run bitwarden_rs as a docker container on a raspberry pi on my home network. Then use wireguard so I am always connected to my home network.
This works great for my family. Simple set up, and I've done 0 maintenance on it.
Have you set your family up with Wireguard as well? Did you do the setup manually or do something else clever to get their devices in your network? I've been spending a lot of time thinking about this, and always end back up at MDM, which is not a terribly desirable ending, but can't necessarily put hands on a device readily for some of them.
My biggest issue is that I have wireguard automatically enable itself when not on my home network. But there are some other networks that need to be excluded, like most airline wifis, as they don't have internet access when just trying to watch a movie.
iCloud private relay does a good job of detecting these types of networks and correctly disabling itself. I wish there was something in the wireguard client to do this, rather than just retrying over and over again...
And since wireguard sets the DNS to use the pihole on my home network, this becomes problematic if they connect to a network that has a captive portal, and needs the wifi's DNS to accept the agreement and get access to the internet before switching over to wireguard and my home DNS.
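For the family set-up asked about above, here is an added example in Go (not code from this thread, from Bitwarden or from Vaultwarden) that provisions the tunnel without MDM: each device gets its own X25519 key pair and tunnel address, a wg-quick client file, and a matching [Peer] stanza for the server, so the vault stays reachable only from enrolled devices. The endpoint home.example.net:51820, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 home LAN, the Pi-hole at 192.168.1.2 and the device names are all assumptions, and the server's own key pair is assumed to exist already.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/netip"
	"strings"
)

// keyPair is a WireGuard key pair in the base64 form wg(8) expects.
type keyPair struct{ Private, Public string }

// newKeyPair mints an X25519 key. WireGuard keys are raw Curve25519 keys, so
// crypto/ecdh from the standard library is enough; no wg binary is needed.
func newKeyPair() (keyPair, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return keyPair{}, err
	}
	return keyPair{
		Private: base64.StdEncoding.EncodeToString(priv.Bytes()),
		Public:  base64.StdEncoding.EncodeToString(priv.PublicKey().Bytes()),
	}, nil
}

// server describes the home end of the tunnel. All values are assumptions.
type server struct {
	Endpoint string       // public host:port the family devices dial
	Public   string       // the server's WireGuard public key
	Subnet   netip.Prefix // tunnel subnet; the server takes the first host address
	HomeLAN  netip.Prefix // home network where the vault and the Pi-hole live
	DNS      netip.Addr   // Pi-hole address handed to clients
}

// newServer parses the textual settings; it panics on malformed input, which is
// acceptable for a provisioning script run by hand.
func newServer(endpoint, public, subnet, lan, dns string) server {
	return server{Endpoint: endpoint, Public: public, Subnet: netip.MustParsePrefix(subnet),
		HomeLAN: netip.MustParsePrefix(lan), DNS: netip.MustParseAddr(dns)}
}

// clientConfig renders a wg-quick config for one device. With splitTunnel set,
// only the tunnel subnet and the home LAN are routed through WireGuard and all
// other traffic stays on the local network; otherwise everything goes home.
func clientConfig(s server, kp keyPair, addr netip.Addr, splitTunnel bool) string {
	allowed := "0.0.0.0/0"
	if splitTunnel {
		allowed = s.Subnet.Masked().String() + ", " + s.HomeLAN.Masked().String()
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n", kp.Private, addr, s.DNS)
	fmt.Fprintf(&b, "[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n",
		s.Public, s.Endpoint, allowed)
	return b.String()
}

// serverPeer renders the [Peer] stanza to append to the server's wg0.conf.
// Only the public key crosses to this side, and AllowedIPs pins the device to
// its single tunnel address so enrolled peers cannot impersonate each other.
func serverPeer(name, public string, addr netip.Addr) string {
	return fmt.Sprintf("# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n", name, public, addr)
}

// provisionFamily gives every named device its own key pair and address and
// returns the per-device client configs plus the matching server stanzas.
func provisionFamily(s server, names []string, splitTunnel bool) (map[string]string, []string, error) {
	next := s.Subnet.Masked().Addr().Next().Next() // .0 is the network, .1 the server
	clients := make(map[string]string, len(names))
	var peers []string
	for _, name := range names {
		if !s.Subnet.Contains(next) {
			return nil, nil, fmt.Errorf("subnet %s exhausted before %s", s.Subnet, name)
		}
		kp, err := newKeyPair()
		if err != nil {
			return nil, nil, err
		}
		clients[name] = clientConfig(s, kp, next, splitTunnel)
		peers = append(peers, serverPeer(name, kp.Public, next))
		next = next.Next()
	}
	return clients, peers, nil
}

func main() {
	// Assumed values: DDNS name of the home router, tunnel subnet, LAN and Pi-hole.
	s := newServer("home.example.net:51820", "<server public key>", "10.8.0.0/24", "192.168.1.0/24", "192.168.1.2")
	clients, peers, err := provisionFamily(s, []string{"alice-phone", "bob-laptop"}, true)
	if err != nil {
		panic(err)
	}
	for name, conf := range clients {
		fmt.Printf("=== %s.conf ===\n%s\n", name, conf)
	}
	fmt.Println("=== append to wg0.conf ===\n" + strings.Join(peers, "\n"))
}
```

Hand each device its own .conf (a QR code of it for phones) and append the printed stanzas to the server's wg0.conf before restarting the interface; the private key appears only in that device's file. Split tunnelling keeps non-home traffic on the local network, but the DNS = line still sends every lookup to the Pi-hole through the tunnel, so the captive-portal problem described above is not solved by AllowedIPs alone.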
I agree. I've been using Vaultwarden on ARM for over a year and it's been flawless. Just excellent execution and seamless integration with the iOS App Store version of the Bitwarden client.
I mean if your current setup works, why change it? I just hope you aren't too reliant on GDrive if your account ends up getting nuked as I've read so many times.
While I recommend Bitwarden to my not-so-technical friends, I don't think I'm ever going to move away from my Keepass/Nextcloud setup, it just works for me.
In the next couple of years, I expect FIDO2 Passwordless Auth to be ubiquitous, natively supported by all OS platforms. Built-in authentication credentials managers within Apple and Google/Android platforms will get more focused attention to improve them significantly. I suspect this should basically render the consumer market not monetizable. So, their free forever strategy here is aligned.
In corporate market, I would expect more ubiquitous integration of cloud hosted identity providers and separate SSO auth providers (which will do MFA with device bound certs, biometric auth and FIDO2 auth) with all the services and they would all be protected behind BeyondCorp style VPN solutions (think Cloudflare, Tailscale etc). In this market, I wonder how they will continue to grow.
Why is it impossible to find out what the typical user experience of FIDO2 Passwordless Auth is? Every time I try and learn it's just a sea of acronyms I've never heard of before.
How do I explain FIDO2 Passwordless Auth to my mother?
Most general case consumer explanation is likely this:
No more passwords. Your biometric authentication along with your Apple/Google account on your iPhone/Android phone is all you need.
A more detailed blurb would be:
You sign-up and sign-in to websites/apps simply by responding to a biometric unlock prompt of your phone (same as unlocking your phone with DoubleClick side button + FaceID etc). Your sign-in details are saved to your iCloud / Google account. You can sign-in to the same website/app on another device (iPhone/Mac; or Android/Chrome device) by signing into your cloud account.
For Pro users, there may be more advanced flow:
Instead of using built-in phone authenticators, you may use a reputed third party secure authentication app paired with an external FIDO key (like yubikey) to do the same thing. In its most secure configuration, it may combine device binding secret unlocked with biometric auth, a physical FIDO key you possess, and a cloud hosted MPC key that is used based on fuzzy signals like your device location and other fingerprint data etc.
All this gives you secure multi-factor authentication that is safe against phishing, theft, loss etc.
Let's take the case of regular consumer with just one smart phone (let's say iPhone) as their only digital device and they don't have another phone/laptop etc. In this case, if the user lost their phone, then recovering access to their digital identity is going to be several steps:
0. First, immediately after they lost their phone, they should call the customer care number and report loss of their phone and get their sim blocked. This is critical to avoid SMS OTP based account hijacking.
1. They will buy a new iPhone and sim and recover their phone number first. (security of this step is a function of how well telcos operate this process. In my country you have to physically go to a telco authorised dealer shop, verify your identity with a government id proof – this is the weakest step and then initiate a lost sim replacement flow. You have to get a new physical sim and then you can change that to an esim if you wish. To avoid rampant hijacking, there is a mandatory waiting/cool-off period with multiple notifications being sent to old sim if it is still active).
2. They will have to recover their iCloud account on to this new phone. This involves the iCloud password, a verification code sent via SMS to your phone and your old device passcode. This will restore your iCloud account and escrowed keychain on the new phone. For this to work, you should have opted into iCloud Keychain backup.
Obviously, the biggest problem here is if you forgot either of the two passwords (iCloud account password and iPhone screen lock passcode). This is quite likely if you have been using FaceID to unlock all the time.
When you sign up for an online account, instead of inputting a password, your login is synced via your browser profile, or more likely, an account / app on your phone. To log in, you'll always either need to be signed-in on your browser, or scan a QR code on a computer to sign in to your account (WebAuthn over BLE, or cloud-assisted Bluetooth Low Energy (caBLE)).
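The sign-in ceremony described above, seen from the website's side, as an added example that is not part of any post here and uses only the Go standard library: the phone signs authenticatorData || sha256(clientDataJSON) with the P-256 key it minted at sign-up, and the site checks the challenge, origin, rpId hash, user-presence flag, signature counter and signature before accepting. The origin is written by the browser, so a response produced on a look-alike domain fails, which is the phishing resistance mentioned above. The rpId example.com, the origins, the counter values and the look-alike domain examp1e.com are constructed for the example; key storage, attestation and the caBLE transport are out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn clientDataJSON a relying party checks. The
// browser, not the web page, fills in Origin; that is what defeats look-alike sites.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns after the user passes the biometric prompt.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// credential is the server-side record from sign-up: the public key and the
// last signature counter seen. The private key never leaves the phone.
type credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// newCredential is the sign-up step: mint a P-256 key pair, store the public half.
func newCredential() (*ecdsa.PrivateKey, *credential) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &credential{PubKey: &priv.PublicKey}
}

// newChallenge returns a fresh random challenge, base64url as WebAuthn encodes it.
func newChallenge() string {
	var b [32]byte
	rand.Read(b[:])
	return base64.RawURLEncoding.EncodeToString(b[:])
}

// authenticatorData is sha256(rpId) || flags || 32-bit big-endian counter.
// Flag 0x01 = user present, 0x04 = user verified (the biometric check).
func authenticatorData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(append(append([]byte{}, h[:]...), flags), c[:]...)
}

// signedMessage is sha256(authData || sha256(clientDataJSON)), the digest ES256 signs.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// simulateAuthenticator plays the phone's part of the sign-in ceremony.
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	ad := authenticatorData(rpID, 0x05, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	return assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion is the relying-party side. The stored counter is advanced only
// after every check passes; a counter of 0 means the authenticator does not
// count, and then only the one-time challenge protects against replay.
func verifyAssertion(cred *credential, a assertion, rpID, expectedOrigin, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || len(a.AuthData) < 37 {
		return errors.New("malformed assertion")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge:
		return errors.New("wrong ceremony type or challenge: stale or replayed response")
	case cd.Origin != expectedOrigin:
		return errors.New("origin mismatch: response was produced on another site")
	case string(a.AuthData[:32]) != string(rpHash[:]) || a.AuthData[32]&0x01 == 0:
		return errors.New("rpIdHash mismatch or user-presence flag not set")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= cred.Counter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	cred.Counter = counter
	return nil
}

func main() {
	priv, cred := newCredential()
	ch := newChallenge()
	a, _ := simulateAuthenticator(priv, "example.com", "https://example.com", ch, 1)
	fmt.Println("genuine:", verifyAssertion(cred, a, "example.com", "https://example.com", ch))
	fmt.Println("replay:", verifyAssertion(cred, a, "example.com", "https://example.com", ch))
	p, _ := simulateAuthenticator(priv, "example.com", "https://examp1e.com", ch, 2) // look-alike site relaying the real challenge
	fmt.Println("phished:", verifyAssertion(cred, p, "example.com", "https://example.com", ch))
}
```

A real deployment also binds the challenge to a session and expires it after one use; synced passkeys commonly report a counter of 0, in which case the fresh challenge is the only replay protection, as the code's comment notes.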
Right - the benefit of FOSS is that we can keep using it as-is if we need to. I think that leads to excellent business incentives from the user’s standpoint. I’m currently a paying Bitwarden customer for convenience’s sake, but if they start messing it up I’ll just go host it myself.
bitwarden server is mostly written by bitwarden's CTO. [1]
If tomorrow bitwarden decides to do "a mongodb" (= violating the AGPL, and make it closed-source), you would have to spin up a new community to maintain the AGPL fork.
How exactly is it violating the AGPL for the author to change licenses? They require contributors to assign copyright so... BitWarden belongs entirely to BitWarden.
Right, but if you had signed a CLA then it's absolutely not violating the AGPL if the host decides to close the source. Since these organisations require that, they're not violating the AGPL.
That's not to say I agree with them and it's obviously shitty behaviour – but license violation is a specific act that they aren't guilty of.
Isn't a CLA just a standard CYA move from more established open source projects? I had to sign one to contribute to Django as well and I don't see them "pulling a MongoDB" any time soon.
My assumption is this is so that they're legally protected from contributors revoking the right to use their contribution at some later point or other obnoxious legal shenanigans.
It depends on the CLA. Some just require you to affirm that you have the rights to license your contribution, and that you license it under the license of the project, which is indeed mostly just a CYA. It doesn't allow the project to unilaterally change the license of your contribution, and I haven't seen much people have a problem with this kind of CLA.
The other common form of CLA is a copyright assignment (or something equivalent) to a foundation or company representing the project, which is much more troublesome. This allows them to basically do whatever they want with your contribution, including charging for it, or closing the source altogether.
Yup:
Section 2.1: "By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution."
It’s a fascinating situation, really: this kind of asymmetry (AGPL for you, but not for us, even if you contribute) is antithetical to the purpose of the AGPL, but desirable for the leaders of quite a large fraction of projects that choose the license (to the point that they might either not use the AGPL or not accept contributions if they couldn’t do it).
I think a CLA that says "You provide us with an additional license to re-publish your code under any license we choose" with modifications to limit attribution, might work. That way the code is perpetually AGPL, but the company is free to offer derivative works under other licenses. Hence you can always use your code, you can fork, you can do all you want, and the company cannot take the code, as it stands at that point, away from the public.
How is that realistic? If they expect to get 10 billion in 10 years, they need to have 100 million paying users (if they charge $10 per user per year), which is like the entire active users count of StackOverflow - https://en.wikipedia.org/wiki/List_of_social_platforms_with_...
Getting money back has nothing to do with revenue.
It just means the VC was able to sell their shares for that 10 billion - a price which may or may not be related to the company’s actual fiscal performance
Or they launch entirely new products, in the same general space, with new pricing structures that aren't tied to their current offerings. They're Okta + 1Password + ...
To clarify: I'm not sure I buy the above thesis, but VCs don't expect 2x returns at this stage was my general point. They're aiming for higher.
For sure. The way I sum it up: VCs are looking for 10-to-1 odds on 100-to-1 gains. It depends on the stage, of course. This is listed as a series B, but feels kinda C-ish to me. Later stage rounds like that are unlikely to be 100-to-1, but I agree the goal is still well over 2-to-1.
The way I read it is that they already have one minority investor, Battery Ventures, and they are now adding another, PSG. PSG will get a seat on the board of directors; it's unclear if Battery Ventures has a seat. It is also unclear if the two minority investors combined hold a majority.
I hope things go well for Bitwarden, but I'm also expecting an amazing journey in their future. I really doubt that there's enough money to be made as is to yield an acceptable return on investments for the $100M, plus whatever Battery Ventures have already put forward.
When I ask “how can you trust the company”, I don’t mean to imply that the founders have less than good intentions. But once you take VC money, the founders intentions don’t mean much.
I’m sure the founders of both Instagram and WhatsApp - just two companies that come to mind where the founders were idealistic and they were hit hard with the reality stick once they got acquired - really believed that their company wouldn’t change for the worse once they were acquired.
I doubt the company will just disappear. They will probably get acquired. But what it morphs into is probably not something consumers who like it now will want.
The only company that I can think of that has managed the transition well and gone public is BackBlaze.
There is the option that they are profitable, but need the investment to expand the business somehow. There is some indication of that in the press release, but it does seem a little fluffy, and a $100M is a pretty big sum of money.
I can see what you mean, but another way of looking at it is: Most investments are done with the expectation of it being worth more down the line, so someone(s) thinks there are a hundred million reasons why it is a profitable business. :-)
But maybe "are they profitable" is the wrong question. I remember 5 years ago my brother in law said "Tesla isn't profitable" and I countered with "They don't want to be profitable right now, they are growing an inventory and investing heavily in that. Showing a profit is the last thing they want to do." He seemed to accept that answer, I mean now he has 2 Teslas. :-)
I love that they offer a free version and are committed to it. But I depend on it for password management so much so that even if they didn't just raise 100M I'd pay for it in hopes that they stayed around. I think everyone who can, should.
Why? What is a promise like that supposed to be worth? Even if the people making it are completely honest when saying this (which I now doubt), once leadership changes this will go out the window quick.
This is in line with "Keeping our users happy is our main priority" and other quotes from the infinite pool of empty PR speak.
It doesn't say they won't have ads or sell your data. Hint: their privacy policy is already terrible. No mention of GDPR or of them complying with any privacy laws. Their privacy policy mentions "EU-U.S. Privacy Shield Frameworks" for exporting user data to the US, a framework which has been declared bogus by the EU courts years ago.
> An open source architecture
There are so many examples of "open core" calling itself "open source" that if they decide to switch to open core they'll just be another drop in the bucket.
They also require contributors to sign a CLA, which is always a huge red flag.
> Advanced business features
What happened to "fully featured free version" above? Are the business ones separate?
Keybase was providing a solution to something most normal people did not even realize could be a problem. It was a great idea, solving a really big problem. But the awareness of that problem was very small. Hence the ability to monetize a solution aimed at the general public was also very low.
I still love the idea, but I don't see how it is a business.
I shared an office and an apartment with Kyle in 2010 and I have vivid memories of him routinely talking how bad the state of password managers was at that time. I've been a happy customer since 2017. It's been surreal watching the BitWarden team do what they have over the years. Congratulations!
I’ve been using Vaultwarden for just myself for at least a couple of years now, and it’s at 32MB of disk space (<3MB of icon_cache, <1MB of database, the rest app). The current server process, at six weeks of uptime, is at just under five minutes of CPU time (average usage 0.01% of a core), and just under 24MB of memory used (RSS).
That’s feature.
(As a matter of fact, it’s grown quite a bit since I started using it; it used to be under 20MB of disk space and 10–15MB of RSS.)
I really miss seeing numbers like that. I'm in something like my 5th week of a Dropbox support ticket where they seem to think it reasonable that the headless client uses an extra 100MB of RAM every hour, eventually using 20-30GB of RAM, at which point I restart it and watch it start climbing again.
Well, you can opt into using PostgreSQL, but by default it’ll use SQLite, and that’s how I use it. More convenient and probably more efficient in general too.
I'm not referring to Bitwarden here but isn't this the standard M.O. of any SV startup?
1. Release great product for free
2. Attract as many free users as possible to signal growth to investors
3. Keep running the unprofitable free tier at a loss as long as possible using your massive VC war chest, while locking in your users with various gotchas
4. Once you reach critical scale and gained mass user adoption and you've obliterated your competition with your bigger war chest, start monetizing and rentseeking your locked in userbase and squeezing them so the VC investors can start getting their money back or cross your fingers for an exit from a FAANG with big pockets
5. Gain a lot of negative publicity, so now a lot of startups pop up like mushrooms after rain, to poach your disgruntled users and compete with you using the exact same M.O. you did. Rinse and repeat.
The people at Bitwarden and their supporters are familiar with countless examples of this playbook. Those tricks are not as easy to pull anymore. I have seen Bitwarden be very ethical in their business so far. I recommend it to my friends and family and to my company to pay for the service. It is a similar model to Nextcloud who successfully funds their business from governments and companies and provides it free to individuals. This model can and does work well.
The people at Bitwarden and their supporters need to answer 1 simple question.
How do they increase their valuation 10+x without pulling those tricks.
Because that's what the VC funding demands. No VC is giving out $100mm for a 20% or even 100% return, which could possibly be achieved by simple growth. They're giving that money because they're expecting exponential return.
Maybe there is an enterprise play somewhere here which justifies this, while maintaining the core product in its current form. I guess we will see, but I'm not holding my breath.
The post mentions the plan to implement advanced business features, and also "Business users deserve consumer ease-of-use along with advanced integration and deployment features."
That just makes it worse. I'm a paying customer right now. VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company. Bitwarden will not be the first to get VC to change its operating principles.
Yeah I think it means "we're going enterprise, at-home users enjoy your coming time with bitwarden as it may end abruptly" . That's a bit superlative, but I suspect people should be looking for alternatives. Anything has to be better than my old way of adding my own password layer on top of an excel spreadsheet that I came up with while in college a long time ago. Bitwarden syncing was pretty nice and it not trying to turn into some kind of swiss army knife app.
Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it. Then another alternative (KeePass) appears on HN's frontpage. It's like companies are right: You can't target the niche market of programmers because their expectations are through the roof.
I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?
> VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company.
At the end of the day, engineers/programmers are the ones who implement these changes. I find it unacceptable that lots of HNers get so high minded about these issues but then go on to contribute to the problem by working at for-profit companies. Nothing wrong with either one, just choose one.
One benefit of providing a great free service to individuals is that they become champions and help sell the product. Case in point, I work in IT at a large company that currently does not have an official password manager, and I am recommending it here.
"advanced business features" can also translate as "we don't know how we're going to monetize this but we'll hopefully figure out how to make companies pay for the service"
I think that's a pretty disingenuous translation. The post describes some ideas and I'd imagine that the VCs who invested were provided with a more detailed plan.
I mean in theory it doesn't have to. Someone can run a business privately and run it the way they want and enjoy it. Make great profits, but probably not become a billionaire. VC vultures however will not allow that and they have their own pump and dump agenda.
Any company that promises a service for life is just lying - cost/benefit five years on will always fail, and new managers won't feel bound by the promise
I switched to Bitwarden after using Lastpass for years and it's pretty feature-complete for me -- it has feature parity with LP and there's a bunch of features that I don't even use.
Even the unofficial Rust-based server looks to have more features than I need:
Yup, I switched to Bitwarden and self host my own instance of it using that container. It works great. I was previously using Keepass (and later keepassxc), but it became a hassle to keep the database file in sync between all of my devices (I lost passwords at times as a result). Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.
Self hosted was a nice middle ground. No one else has a copy of my password database, and it's always in sync between devices. Stick nginx as a proxy in front of it for https and easy Let's Encrypt certificate management. The downside is that Keepass by default allowed me to have copies in multiple locations. Bitwarden is only on the server, but since the database is encrypted it's easy enough to have regularly scheduled backups of it. It just is an added step to find another docker host for it if my home server goes down, during which time I may not have access to my passwords.
> Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.
What were your issues? For the browser, I have some extremely minor complaints (not always detecting the correct subdomain for my selfhosted servers mainly), none for Android with Keepass2Android.
Also, no sync issues at all, but that might be related to having only 2 devices ;)
I self-host the vaultwarden server on my homelab for my family. I love being able to use collections to share passwords with my spouse and the same for each of my kids.
I got tired of Lastpass's janky clients, UI, and data breaches. Now I control the security of my passwords.
The nice thing is that it's so easy to set up a company these days that it can just take the last FOSS copy, fork it and go. It'd be a particularly good deal for BW devs, who would've got paid to R&D their own product.
Arguably, they did with Bitwarden already, no? I.e. even if they don't do anything bad - they still executed steps of free users and large VC checks.
Which is to say, does it not seem like they've already executed the "trick"? Users are already there, they have cash in hand. Their motivations don't matter much here, we as users can only see their actions.
But I don't follow Bitwarden at all. I avoid free products for this "trick" reason. If I'm not paying or self hosting, I'm not interested heh. Am I reading Bitwarden wrong?
The company is providing a service of vault hosting around the free software they maintain. Hosting and maintenance has many costs that need to be covered somehow, and we want them to improve the service. The hosting costs of individual users with a free though generous account is supplemented by paying companies and governments. Users are not locked in, as they can easily download their vaults and move to another solution or self host it themselves. Some free password managers such as KeePassXC require users to properly manage backups or host their vault somehow. This is too complex for most users and where Bitwarden fits well. Of course the company could go astray, but so far so good.
Password vaults are trivially small to host. The marginal costs for these individual users are small. The bigger concern is if they try to monetize these users in some way that harms them. If they ever pulled something like that, many of us would quickly switch from being proponents to vociferous enemies of the company.
I think for BW this kind of falls apart at #3. The main draw of this product for me and many others is that it's actually pretty no-frills. It's also broadly compatible with importing and exporting between dozens of other password managers.
That said, this could be a blind spot for me. Let me know if there's any gotchas I should know about here.
If we take them at their word that they're committed to keeping a fully-featured free version, what options do they have to make back a multiple of that $100 million for their investors? What many other companies have done in the past is to add a lot of new features. There are many examples of a simple, no-frills application turning into a bloated, complicated one, with a tiered subscription system. Ultimately a less streamlined, more expensive version of what it was before the funding.
Enterprise sales - that is a hugely untapped market for password managers (and a huge gap for a lot of companies where people keep their various passwords that are left after massive SSO implementations when they try to SAML everything). CyberArk plays in that space, but Bitwarden with the thoughtful way they have built this product can give them a run for their money.
I think the gotchas aren't for the early adopters and power users. It's for the people who will eventually make up the larger, more lucrative percentage of their user base starting with the friends and family of early adopters who are recommended to it.
Once they're set up with it, the idea of "importing and exporting between dozens of password managers" is meaningless. And gotchas aren't always limitations but can be "positive" like well meaning features, integrations, your company using it (so you too), etc. Lock-in comes in many forms.
Out of curiosity, why so many rotations away (and back to) BW? Most people I know stick with a single password manager almost permanently, or at least unless their manager has some kind of earth-shattering vuln announced that just shakes their trust enough to move.
I'll pass it on to the team! The designers and product people put a ton of work into making both RB and Tunnelbear delightful, and I'm glad it's making a difference :)
- They have a hosted/managed version with a free tier and a paid tier. Paid adds things like MFA and support for orgs. The more you pay, the enterprisey-er the org support gets.
- There's also a self-hosted version which follows a very similar scheme. You can start out for free, but if you want things like MFA or a self-hosted org, you're paying the Warden.
I agree. I'm not sure what they've got in store next. I imagine they might leverage the VC connections rather than the money to try and get a bigger foothold in the enterprise space, for one, but $100M is $100M and I've got no idea where that can go given the current state of things.
The amount of data in a typical password vault is insignificantly small, measured in kilobytes. Bitwarden's cost structure is mostly fixed costs for the infrastructure with small variable costs. If a company was providing hosting of large data stores, supporting many free users would be more difficult.
I haven't used it, and last time I heard of it, it was still called bitwarden_rs. I like the project in principle since it capitalizes on BW's open API, and that's really good work in the spirit of open-source software.
Having said that: I haven't dug into it much. I don't know what the current state of auditing on it is, or how widespread adoption is relative to the mainline BW backend. I hope they use a database backend other than BW's default MSSQL, which has always seemed like a weird choice to me coming from mostly Linux, and so mostly Postgres and Maria/MySQL, though I skew heavily developer over DBA, and that distinction may as well be personal preference (as in, I don't have an intelligent reason to dislike MSSQL beyond my habit of using other things).
Ah, the lifecycle of a company. I think of the first rounds of funding as a sort of puberty. Going public is the mid-life crisis, signaling the downward spiral towards inevitable death. Of course, being bought out is like God taking Enoch directly to heaven, where who knows what happens. Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).
>Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts)
Or, you're Apple, and your cloud hosts the digital lives of all your users from teenage years to adulthood, so they're not gonna switch to any competitor no matter what.
Yeah, this happens with Google too. I have a friend who has so many business/personal docs (she's a writer) on Google as well as gigabytes upon gigabytes of photos both for professional and her family. I have tried many times to go over on a weekend and help them degoogle at least their stuff after having seen reports on here of Google just locking down accounts or deleting them wholesale (can't say I've seen that with Apple? but it has to happen there as well).
Sure, good on you, but once you got that position, what's stopping you from monetizing your users by selling their personal data to advertisers?
I don't understand why anyone would celebrate and worship monopolies? Publicly listed companies are not your friends. You're just a dollar sign for them.
The same thing that stops anything: terms of service.
Also: no one is worshipping, and no monopoly has been mentioned. Nor has companies being anyone's friend. There is more non sequitur than content here :)
Selling some thing would be nice, but most of what Apple sells me is a license to my own stuff, sold in perpetuity. They don't want you to own anything. They want to own it all and have you pay them for the privilege of using their stuff. With their documented planned obsolescence, they don't even want us owning what little bit we do have for any extended duration of time.
(Above statement applies to most consumer technology and "digital media" companies, social networks, etc)
My point was "buying" typically implies ownership in conversations like these, when these corporations are actively resisting you actually completely owning their products. We are more like temporary renters. And this has unfortunate consequences for the rest of the goods economy. Won't be long, as an example, before Samsung doesn't want you to actually own your refrigerator, TV, or washer, or Tesla and GM not wanting you to own your vehicle, and instead, pay them a monthly service fee for the pleasure of using your own car you "bought" (spoiler alert).
The whole idea is the thing you "buy" is really just an ephemeral vehicle of consumption and steady revenue stream for the corporation. Good for them, bad for you.
> Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).
Or they are simply in businesses with enormous barriers to entry such as designing some of the most complex microchips, writing some of the most complex software, building huge facilities all over the world, and, of course, being prepared to take advantage of a new opportunity at the right place at the right time.
This is bad but how else do you fund a serious software project? Polished well tested and supported software is massively expensive to produce yet we've conditioned the market to believe it should be "free," which means the only way to really do it is to do something like the above.
If everyone expected a car to be free cars would be loaded with all kinds of convoluted bolted-on features to extract money from you: ads, special fuels that can only be produced by the maker, special licenses to drive on roads, special deals with repair shops, and so on.
What you describe is actually one of the less shady ways of funding software. The more common, successful, and shady methods are surveillance capitalism, addictionware (most of mobile gaming), and cryptocurrency scams.
If you structure the market such that honest business is difficult to impossible, things don't stop costing money. They just find less honest ways to make it.
JetBrains has already done it for years. [0] Hundreds of millions in revenue. Profitable. Zero VC capital raised. [0] Supports, sells and develops open-source software used by millions of developers worldwide.
When I see capital raised, the treadmill for an expected return starts running and it is not for everyone.
JetBrains was also founded in Eastern Europe which probably helped a lot in getting off the ground with little money as there your dollars used to go way, way further than in the west and the local job opportunities were scarce.
In the early 2000's an experienced SW dev in my corner of Eastern Europe was lucky to take home 300 USD and would not shy away from overtime as needed. Replicating the same thing in present day would be impossible as now no self respecting experienced dev here would get out of bed for less than 2k EUR take home pay and would absolutely do the bare minimum with zero overtime, or even work way less than the contracted working time.
The 90's to early 2000's was a wild west in Eastern Europe. Few job opportunities, low wages and low CoL, plus fast internet in every home, meant that everyone was hustling hard in their free time to make a great SW product using no money at all to sell on the international market and get rich.
Now things are different here. Plenty of great paying jobs at established western companies or startups means that the people here are more likely to just want to work at random big corp or new startup for good pay and WLB rather than put 50h+ workweeks in building their own product at home like their predecessors did.
My point is that JetBrains was more of an exception by catching a great wave in time and space that can't be replicated today.
You're absolutely right. Of course there is no guarantee that whatever alternative you seek won't turn out the exact same way. But unfortunately all you can do to punish that kind of behaviour is to vote with your wallet and move somewhere else. And hope it'll turn out better this time... There ARE people out there who are trying to build a profitable, ethical business instead of chasing unsustainable growth. Unfortunately the only way to find out who they are is by giving them a chance...
4 also could add “try to avoid 5. by drawing up the regulatory ladder (such as YouTube becoming a bastion of large scale copyright enforcement)… so that it’s virtually impossible for startups to join the space.”
Bitwarden replaced LastPass for me and really I'd never go back.
My only gripe is filling in card details, there is never a floating icon to click to do it automatically, you need to go to the menu bar and select the card.
"My only gripe is filling in card details, there is never a floating icon to click to do it automatically, you need to go to the menu bar and select the card."
At one point I became convinced that this is actually a security feature. If I recall, an article demonstrated tricking users into entering their master password using those "in-browser" decorations. I could write some html/js to build your password manager icon/etc and trick you into thinking I'm your password manager? I now accept it as a necessary UX chore to leave the browser page, but would be interested in being wrong.
The only thing I miss from LastPass is the ability to store different types of credentials. Bitwarden offers a couple of basic things (login, credit card, identity, secure note) but LastPass allowed you to create new, custom credentials.
One of the things I used to store in LP was AWS IAM creds. Sure, you can store it in a Bitwarden "secure note" but it sure was convenient to have a defined format for it.
Same - between the great product, open source, and Vaultwarden for self hosting, I have no issues giving them 10 bucks a year for them to host for me.
Not related to the fundraising, but a more general question I've had about password managers for a while: Why does anyone pay a subscription for their password manager when all you need is a client that talks to any old free cloud storage service (Dropbox, iCloud, Google Drive, etc)?
I feel like I might be grandfathered in and they switched to a new model now, but I got Enpass years ago and haven't paid since. I sync my password archive through iCloud so I don't have to trust a random company to store my password archive safely. If anything, by doing that you're centralizing a ton of user logins in a single place that would be a great target if you found a way to hack in and read them.
Why would you need to run the Dropbox client to sync your passwords? Shouldn't the password manager client be able to talk to the service directly?
I don't have an iCloud client installed on my devices (well, other than whatever is built into Apple devices) but Enpass just uses their APIs to sync passwords. Occasionally I have to reauthenticate on one of my machines but it tells me as soon as it loses access. Previously I synced it over Google Drive and I never installed a Google Drive client either.
It's totally possible, but that sounds like it would cost a lot of development time. The KeePassXC project in particular decided not to implement cloud connectors due to a lack of resources.
I'm not sure why you think this is that difficult of a task. This is standard fare for how clients integrate with a service. There's how many third party Twitter and Reddit clients out there, plenty made by a single person that just communicates with a public API made for integration. You can spin up a Discord bot in a few minutes. Why is this any different for syncing a file over an API?
In my experience, sync conflicts are pretty common on Syncthing, too, which is often how I hear this paired ("use KeePassXC on Syncthing for the win" type deal).
I think it's an impedance mismatch trying to take a single-user database format and trying to use it from multiple devices.
I used to do this. I finally had to switch off of it because the Syncthing Android experience is so bad (necessarily, because Android is bad).
I had many instances of not noticing Android had killed the Syncthing backend again despite being explicitly told not to, and then I had two out-of-sync password databases and would have to go merge them again.
I'm still bitter about it, because Syncthing as a syncing layer is so much more elegant than everyone implementing their own server and sync protocol.
This is a smart play. They are one of the very rare consumer security products in the market and they have a lot of enterprise traction. Their average user lifetime will probably average a decade, and identity is an immensely sticky tech. Just as a channel to those users, they would be an asset to some megalithic platform (the way whatsapp was to facebook) who wanted to acquire users to sell other products into. I could see a defensive acquisition by one of them in the near term while it's still cheap.
I was lucky enough to have a brief exchange with their CEO on his recent customer interview tour, and my impression was his product view was enterprise focused, which made sense in the context of this raise now. My relatively cold read was he seemed laser focused on a kind of "do what we do really well," philosophical vision on their current product, which I think is a strong asset to secure their LTCV with current customers, and that will drive their valuation.
However, I get overexcited at the growth prospect because security products are never what anyone but security people actually want, and all the products in the identity space suffer from the same problem of being top down management frameworks with integration and federation as just something you say but never do. A consumer security product people actually choose for themselves and want their employers and services to integrate with because they already like the experience of it, is just infinite level growth potential in a market of slow moving dinosaurs. Okta's massive expansion in just the last decade established that the gerontocracy of enterprise behemoths was too slow footed to respond to an incursion into the very foundation of their market (user identity), and what impressed me about this raise is that I think a well capitalized startup with traction could absolutely sack it.
That is a LOT of money. $100M. That's enough money for ~50 people to live on $100k/year for the rest of their lives. You could pick 50 thinkers, scientists, artists and say "hey you never have to work again, just do your thing". But instead you invest it in a startup that will almost certainly burn it up in a couple of years of 7 figure salaries for execs and fail.
Assuming you are using recent interest rates. If you mix in recent inflation rates too it doesn't work out in inflation-adjusted dollars like that, though hopefully a lot of that is transitory from covid (or maybe we have something worse than covid in the future).
You could always get your own $100M and spend it however you like. Incidentally I have worked at more than one startup that had a burn rate of about $100M/year, and most of it went to engineering and sales salaries. The execs tended to take little to no cash comp.
I am afraid that my free tier plan data will go away. As for the self-hosting option, I am concerned that I don't have enough infrastructure to ensure the safety of my data. I wish their backend supported a cheaper static store like object storage instead of a full-featured database.
It's ridiculously easy, especially if you use SQLite. The only downside IMO is that they take the Bitwarden frontend as is, which expects the full feature set to be available. For instance, if you disable email 2FA via the admin interface (the only component vaultwarden adds to the frontend), trying to set it up in the app fails silently.
So many people here praising Bitwarden. I was using multiple password managers, but stuck with 1Password. Their last update is atrocious. I tried switching to Bitwarden and forced myself to live with it for 3 months. I gave up when it lost a generated password. Apparently it is quite common with Bitwarden and bad connections, which I have a lot travelling to remote locations where I actually need to generate passwords.
Both app and server need so much polish. Like this is literally like touching something from the 00s and everyone seems to be content with it.
I truly hope Bitwarden would put money to better their app and technology, focusing on User Experience, not on feature checklist.
Good. Maybe now they can finally get around to fixing some of the rough edges for enterprisey customers. Onboarding new users is a pain. The audit UI is a pain. There is (still!) no way to share a password with another user within the same organization (except by creating a Collection and granting access to that, that's not what you want when you're creating an email account for a user and want to give them their initial password).
That, and their UI is pretty cluttered and ugly, though the latter is subjective.
This worries me as a Bitwarden customer of several years. The bigger a company gets the worse its treatment of customers gets. It's not 100% true but in my experience it happens most times. I guess I should just write my own probably much less secure password keeping database just for fun as a backup and export my passwords often and keep them more local and unsecured than if it were just in the cloud. I suspect they will end free tier service in the next couple of years as well.
I wonder what their costs are like? I'm not familiar with all the features of Bitwarden in particular, but a password management service is basically E2EE cloud storage for very tiny files, a simple account system, and then a bunch of clients.
Building and maintaining clients for all operating systems and browsers probably costs the most, but it can likely be done by 1 or 2 full time engineers.
Or am I completely underestimating the complexity of something like this?
After posting a simple comment, now I'm getting emails from Bitwarden...
"Additional security has been placed on your Bitwarden account. We've detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha."
How is the user experience of bitwarden vs lastpass?
I find LastPass clunky... the iPad app is flaky (or is it the iOS integration layer itself?)
Integrating with chrome, iOS, etc, I assume is a difficult problem so I've assumed most password managers have the same issues. But it drives me crazy they haven't innovated much either, e.g., searching for specific passwords in my vault. I have to export it to excel and then look for them, then make sure / hope that the excel file didn't drop any temporary file copies anywhere.
I just logged in via Bitwarden on Safari to reply here. My vault is self-hosted via the Vaultwarden project, which is a lighter-weight implementation written in Rust. It is hosted on the free tier of GCP, which is proving more than enough for personal use. The self-hosted server interoperates flawlessly with the official Bitwarden clients. I have no complaints regarding the user experience on macOS/iOS/iPadOS. However, I was not a fan of the user experience on Android. I recently set up Bitwarden for a couple family members who use Android and it definitely didn't feel as frictionless as it does on my Apple devices. Not sure if that's because of how Android implements password managers or how the Bitwarden app for Android is implemented.
As folks talk about migrating, largely to yet another (insert another startup-themed password manager), I can't help but wonder.
Which has taken more time? Learning how to use gopass and a yubikey, or migrating password services every few years and paying hundreds for arbitrarily pay-walled features?
Edit: idk, maybe there's some UX aspects of the password sharing features that are more important to other folks, otherwise, the diy option is not that hard, or a UX sacrifice.
Excited to hear this. The most important use case for me that is unmet with Bitwarden is a shared vault in a company that has some permissioning etc.
It would be cool if there were a Bitwarden "extension vault" that is only accessible so long as you are employed somewhere and which suggests rotation as part of offboarding etc. Anyway, congratulations and good luck.
How much would I pay for that? Perhaps with ACLs and stuff I think $10 / user-month
I think this has been factored into their plans [1] of bringing "consumer ease-of-use to Business users" which reads like they are moving away from the consumer market where widespread adoption of passkey will materially affect the revenues of all password management vendors.
They are betting their future on the enterprise market and the announcement blog post links to their Partner [2] page—a central part of their strategy to gain a foot-hold in that market.
In the enterprise market, inertia and regulations cause user habits to change much more slowly relative to the consumer market that Bitwarden is most familiar with, plus enterprises are not price sensitive, so they can get away with charging really high prices, to justify their huge capital raise.
This makes me very glad that I switched my self-hosted password manager from Bitwarden to Vaultwarden. It implements the Bitwarden Server API so I can still use the same client applications.
I strongly suspect that this new VC-funded Bitwarden will eventually close off their applications API and client applications, but with an open-source server API provided by Vaultwarden it should be possible to create new, open-source clients, too.
I moved from LastPass to Bitwarden a few years ago because of the nimbleness and simplicity of it, it felt so refreshing.
How much time do we have left before Bitwarden gradually becomes as bad as LastPass for the sake of high growth? 2-3 years? I’m not passing any judgement on this raise, entrepreneurs do what they gotta do.
> How much time do we have left before Bitwarden gradually becomes as bad as LastPass? 2-3 years? I'm not passing any judgement on this raise, entrepreneurs do what they gotta do.
Bitwarden though actually has an API, and in turn interesting community implementation potential such as the Rust-based Vaultwarden [0]. While I agree seeing them get a huge round does raise some concern in terms of the revenue generation pressure (1Password sticks in my mind as a worse example though with their switch to forced subs-only, no local/non-1P vaults, abandonment of native apps etc), to me the real sign would be if they broke self-hosting. But even so, of course with self-hosting one could simply stop there. Doesn't feel like quite the same situation as 1P or LastPass where one was really in a fully vs partially proprietary system.
I'd be OK with paying for updates to quality clients though so long as it was a regular payment system (not paying means staying on that version vs having it stop working).
Question: all users of the free plan just don't use 2FA or Yubikey? I am amazed how that would be good policy in 2022.
Nothing wrong with charging for a premium version, just curious how users handle things and why there seem to be so many users on the free plan. They all just don't know or care about 2FA?
You can use other free apps for 2FA, e.g. Authy. That might even be better for security because even if your password manager account is hacked/leaked, you would still have the 2FA setup in a separate app/platform. That being said, it’s of course more convenient to have passwords and 2FA tokens in the same app.
I always enjoyed the value that Bitwarden provides: free to use, password generator, and a vault to keep other texts. But somehow I never got the TOTP working.
Once I got locked out of Bitwarden because of Cloudflare blocking my IP address for some unknown reason. I restarted my router and the problem got fixed.
I really like bitwarden, but I do wish their internal API was more clear/open so 3rd party clients were easier to write. There have been a few times where I've been on an obscure OS on a device too slow to run a modern web browser, but wanted to use Bitwarden.
As another perspective, by documenting that API, they're promising to retain backward compat and the documentation burden that comes with it. As long as it remains an internal API, they can fiddle with it as fast as they can get their old codebase off of it.
Since their codebase is in the open, and there's already at least one other Open Source implementation, that's likely about as "clear/open" as its going to get unless this newfound $100M spawns an API team or something
I think the biggest is simply having access to your data on non-apple devices and non-apple browsers. I.e. using it in Chrome or Firefox or whatever browser you want, as long as there's an extension that supports the browser it's likely available.
You can store a lot more data in Bitwarden as well, including custom fields, so you aren't stuck with just a username and password and optional 2FA. With Bitwarden you can do security questions, a notes field, etc.
Sharing with family is another big feature. Sharing your cable login, wifi password, streaming services, etc.
There's a whole list of them, but I think those are sort of the top 3 for me.
Right, but I often leave notes in my login items themselves. If the account doesn't use an email address to authenticate I might just put the email address in so if that email ever gets shut down I know which accounts need to be migrated, as an example of why I might do that.
I tried Bitwarden, and went back to 1Password. My ecosystem needs to be a bit independent of Apple, just in case Apple starts acting like Google, and locking users out of their accounts forever. The Apple keychain has a really awful interface (surprising for Apple) and family management is poor.
Oh, ok I misread the original post. Yeah I have had trouble with the browser extensions for 1Password for the last few years, will probably switch to self hosting bitwarden soon.
It's nice to have something that's OS independent. Maybe you have no plans on leaving Apple now, but surely you wouldn't want to rule it out ever happening in the future. Using an external password manager just means one less pain point for migrating. It's the same with any OS, or any technology for that matter.
The Apple built-in password manager is worse than the Chrome built-in password manager because the Apple built-in password manager is not cross platform. The Chrome built-in password manager is worse than the Bitwarden password manager because it doesn't support credential sharing.
Been strongly considering switching from Dashlane (no idea why I chose it originally, but here we are) to Bitwarden for a while now. Despite some of the comments I don't think this changes anything, though I might just wait a little longer.
In a world where the average hardware cycle is 1-2 years, the software cycle before obsoletion is 3-5, perpetual subscription is the only way. Software written today for consumer devices like iPhones and Android devices will break in 2-3 years if not maintained, and often much sooner than that.
It sucks. Gone are the days where you could buy Microsoft Office and run it for 10-15 years.
Even better!
Kudos to the team. A viable alternative to 1Password and others. I agree there are open source alternatives available, but I prefer to pay for the premium version, which works across all devices. Good stuff.
Lots of people worried about Bitwarden. Where are the people worried about PSG? As passkeys gain adoption, fewer people will need a password manager, and PSG is going to have a hard time getting their money back.
Why should anyone be worried about PSG? Deals of this magnitude take months to close, especially considering the amount of money involved, so there's no point worrying about an entity whose raison d'etre is to earn a return from the management of other people's money.
Because they look like the biggest loser in this deal. Everybody else comes out ahead. In the short term, while password managers are useful, users get a better product, and Bitwarden's employees get paid. In the long term, users don't need this product, Bitwarden's employees find other jobs, and the investors have lost their money.
This is fantastic. Bitwarden is a great service and them having more resources to do yet another thing The Right Way is only a good thing in my books. Really keen to see what they produce.
Happy user here. Congratulations to the company. Would be cool if they invested some into autofill functionality for their Android app because that doesn't seem to work as it should.
My experience with the app's autofill using both the Android Autofill Framework and the Quick-Action Tile has been great. Can you talk more about what doesn't work well for you?
I'm not the op but I find the Android experience to be pretty terrible. It almost never gives me the option to auto-fill my passwords and when it does it's usually because I already went out of my way to open Bitwarden. It's very inconsistent and frustrating. I'm not running any weird Android version either. Pixel 5, stock OS, always up-to-date.
The thing is, I've never used any other password manager on Android so I can't tell if the problem is Bitwarden or if the problem is Android.
Have you checked if it's enabled in your accessibility settings? It needs to overlay itself over other apps. After having enabled it, it started working fine.
As far as I can tell it's enabled. The only other option I see is an option to turn on an overlay button but I definitely do not want ANY app drawing a button on my screen 100% of the time.
Not everything, on their wiki page (1) they have a list of missing features. They also state that some of them probably are not going to be implemented. At least unless someone contributes any of them.
[1] https://github.com/dani-garcia/vaultwarden/wiki#wiki-pages-b...
Being able to have strong passwords without manually writing them down somewhere. All of my passwords are now at or near the maximum allowed character limits/complexity.
A lot of password managers have some simple UI to show you your weak passwords, and it's a bit of a fun game when you first import all of your passwords. Take a few days and browse all of your accounts and either delete the account or beef up the password!
Serious question: is there any benefit to a password manager if you are using the Apple ecosystem via your Keychain across devices for password management with PIN and Face ID?
Oh the sweet irony of people praising them over 1Password not two weeks ago. Cue the typical HN "I switched from Bitwarden to X" in a couple of weeks.
It's interesting to see the tone change. Some similar points being raised, but without the "1Password is the anti-christ" tone of previous discussions.
After lastpass, I am a little wary about password managers. Not sure when they plan to "monetize" me.
Been using Google password since LastPass turned on the paywall. What's your opinion of Bitwarden? Reasons to give it a try? Having all passwords locked up is no fun.
Unlike both Google password and Lastpass, Bitwarden is open source on server and client side.
This means if worst comes to worst, the community will fork the code and set up a new server or 2.
I switched to it after the Lastpass changes and BW literally has everything LP had plus more. It even imported my thousands of LP entries on first try with no issues.
I would love to hear the battle stories from a helpdesk from a 20K+ rollout of bitwarden.
The UX might be a bit uphill for non-techies. (Example: Tab, Vault, Send, Generator, Settings are what is displayed for the main browser interface. Can you guess what they do? Selecting a Keyboard icon is "view account".)
Well that’s annoying. I guess the clock is ticking on Bitwarden becoming user hostile. I can’t see how they’ll be able to produce a return on that investment at their current price points.
Having said that, I do think there is an opportunity for Bitwarden to expand into application secret management, and that could be a lucrative market with big enterprise customers if they get it right.
The announcement seems to be a generic “nothing will change” announcement though, which doesn’t inspire confidence as:
- These are almost always reneged on later
- Clearly something has changed (or why bother getting investment); they're just not telling us what. "We can deliver on our roadmap more quickly" could not possibly be more vague.
How much they chase growth and how much further investment there is will probably be one of the big concerns. Also how much ROI the investors expect.
The market does seem to have space: 1Password has an estimated ~235m revenue, and LastPass and Dashlane ~70m. And all of them are quite a bit larger than the latest headcount I saw for Bitwarden (resp. 800, 400, and 400, versus <100 for BW).
But it is worrying, especially with bitwarden having low TCOs currently, especially for the free-er side of the offering.
It's a hilariously oversaturating market though with everyone and their mom rushing into that space with VC and non-VC funded products for the past 2 years.
In many ways it's a shame when a useful tool turns into a high growth startup. They're going to hire a bunch of developers who will need to justify their existence by adding features, they'll probably eventually either fail or get purchased and shut down. And then all the overly complex applications will start to rot.
What's wrong with saying "this is a useful tool" and leaving it at that?
Particularly if it's a trust-centric product like this. Sure, I wouldn't expect outright secret exfiltration no matter how bad it gets, but switching password management providers isn't exactly what you want to happen on a regular basis. (yes, this form of lock-in has most likely been a big factor in the investment decision)
If you're a Bitwarden user and this doesn't worry you, you haven't been paying attention to the history of almost every company that has accepted VC funds.
It doesn't matter how well intentioned the founders are - once you accept that kind of money, it's not your product anymore. You are now in the business of making money, nothing else, and those skewed incentives will start bleeding into their product and business practices sooner or later.
As a company, Bitwarden has been a huge role model for me, and I hope they'll be the exception to the rule. But $100M is a lot of money, and I simply can't imagine it having a net-positive effect on the company and product. But we'll see...
For anyone looking for a bootstrapped, open source alternative to Bitwarden, check out Padloc:
That’s a hell of a disclaimer after a decently alarmist comment. You may be correct, but I’m not sure it’s appropriate for you to raise that point given the conflict of interest.
The only conflict of interest here is the VC looking for a quick exit as rates are rising and your comment shooting down what appears to be a bootstrapped alternative/competition.
Although I wonder how much it will take for this Padloc fellow to turn around and announce that he decided to accept VC or, even worse, issue tokens on Ethereum.
We are almost at the Minsky moment and a lot of founders are going to realize they no longer own the companies they built.
The product being open source doesn't prevent the situation the OP mentions. It just provides a mitigation or a workaround by forking.
I also hope it won't happen but many good projects have gone this way before.
In this case the investment is not for the password manager but for a new identity service. However if that doesn't end up providing the promised results, the shareholders will start looking at the existing successful product to extract more value. After all they own part of that now and they want their returns. It's just what they do. This will clash with the users' best interests sooner rather than later.
Then it becomes forking time but can they find a good maintainer? Open source is not always a guarantee for continuity.
Of course if the new project pans out this won't happen but it's a gamble, and one the existing userbase never asked for.
Yeah the Rust version works well. I had an issue with it when importing passwords from a file exported from Dashlane, but other than that no issues. And I run it on a bottom tier Digital Ocean vm.
Lots of people can't set up their own bitwarden servers on a slow weekend. Yeah I can, but I venture 98% of people can't. Sorry, you're assuming everyone (including every HN audience) member can do that. Are we supposed to just keep quiet? I think we all know what happens when the VC folks come in. If you haven't lived through it (I have a few times now) you've at least heard about it if you read tech news at all. As long as the comments are respectful I don't see any reason to gatekeep them
That's how it looks to me as well. OP's claim borders on FUD and comes across as a bit disingenuous while shilling their project. Bitwarden is open source as well, and there's also this independent popular 3rd party project that uses the Bitwarden protocol that is much loved by the community.[1]
This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?
I'm interested in your alternative. I hadn't heard of it, went on your site and it looked decent, I think if I had seen this before going with Bitwarden I'd have seriously considered it, BUT now that I'm a keen BW user, it doesn't seem as if there is enough for me to switch.
Are you also definitely never going to take VC money? Or an acquisition, say, by Bitwarden? Why should I trust you (and a product I've only just learned about)?
> This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?
This is easily said, but remember you're talking about a security-sensitive application. Do you really trust yourself to keep your fork secure? I know it doesn't look like it on the surface, but password managers have become wickedly complex, especially if you require things such as shared vaults, audit logs, a zero-knowledge architecture etc. The reality is maintaining your own fork won't be feasible for the vast majority of users, even those with a technical background.
> Why should I trust you (and a product I've only just learned about)?
The simple answer is that you shouldn't. You should ALWAYS be sceptical, and look for possible indicators of a company heading down the path to the dark side. Like taking a 9-figure sum of VC money for example ;)
> Do you really trust yourself to keep your fork secure?
No, but I don't need to. Considering how many people are already contributing to Bitwarden's GitHub in the form of PRs and such, if worst comes to worst, there should be plenty of people who can maintain it.
Bitwarden is also open source and self hosted. If they should ever make their product not free, I can just keep running the last version and fork it to further improve it together with other people, can't I?
1. sure, it's great that it is open source and that I could self host, but honestly, it's just not worth the trouble for me and I'd rather pay 10-20 euros for someone to take care of that for me. Self hosting my password manager would take a significant time investment and constant worry whether I'm doing it right. It might be because I'm primarily an app developer now and not a backend expert anymore.
2. Most big projects like Bitwarden are alive because there is a company and many full time employees behind it. Once that's gone, relying on a couple of passionate volunteers might not be enough to keep the project alive.
All in all, I've been using Bitwarden since the LastPass fiasco, I'm very happy with it, paid user with my family, but if I had to self host or volunteer, I'd not have the bandwidth to do so and I'd rather switch to another solution, even if it would mean I need to pay.
I think that people who say "it's open source, I could just self host and maintain the project" often underestimate how much effort that really is. Sure, it's possible, but will you actually do it?
Then I must have overestimated the effort needed for an experienced dev to set things up. I assume I would need a day to figure out how to best self host. Thanks for the info, I'll give it a try this weekend.
I just looked at your CI. Very very few automated tests. It isn't a deal breaker (Bitwarden honestly isn't much better), but it doesn't instill much confidence in your application either.
Keybase was an entirely different case... first of all, they didn't just take VC funding, they were bought outright ("acqui-hired" by Zoom for their skillset). Secondly, they didn't have any significant income, whereas Bitwarden has been a profitable business all along.
I don't have a well-formed opinion one way or the other, but it is interesting to me that this comment made it to the top of HN. By contrast, a submission about Tailscale raising the same amount of money had comments that simply sounded exuberant about the implications (https://news.ycombinator.com/item?id=31259950).
Is it just that our anticipation (or foreboding) of the effects of capital infusion is biased by our priors about the company? Or, some other reason?
* What makes you invincible to investment?
* What makes you different from BitWarden? (They are also open source, might have been bootstrapped too, and also claim to be audited.) You seem to only really be "an alternative", which is great, but you kind of oversell it I think.
* "I simply can't imagine it having a net-positive effect" --> or do you mean on "your" company? Because you seem to also sell a product: access to the hosted solution of your open source product.
* Open source BitWarden server-side API implementations exist... Even in Rust (not that that matters that much given the nature of e2e encryption).
* Are you not interested in one day providing an enterprise tier over your family tier?
Disclaimer, I'm a satisfied user of BitWarden's free tier for some years.
So here are my main gripes with BitWarden:
* There is an option to send them your password file for them to import it. This goes against their e2e philosophy; I believe it should have huuuuuge red tape, and it does not. They should deliver this type of functionality in a manner that I can run it on my local machine.
* Horrible UX. I've often been searching where they hide the save or edit button this time. Your product looks nicer in this department.
Good luck with your product! I'm a little busy, but I may give it a try some day. To me there is a safety in BitWarden not going belly up, and alternatives (self-hosting and your product) existing.
Not gonna lie, I'm having a hard time justifying the 3-4x increase in cost for Padloc vs. Bitwarden. The pricing is only rivaled by 1Password, which makes it a hard sell to me...
Well, there is the problem, isn't it? If people aren't willing to pay what amounts to a cup of coffee a month for a service they rely on daily, how are companies supposed to build a sustainable business without raising money?
Now that every single damn service out there is costing me a cup of coffee every month, I end up paying a couple of coffee jugs a month. Are we seriously going to shame customers for trying to cut some costs in this economic context?
As a customer, what I can do is compare with the competition. Padloc is more expensive than basically every other option out there. And as far as we can tell, Bitwarden was already running privately before this VC round (which seems aimed at expanding their offerings past password management) which doesn't seem to point to it being unprofitable at its current price point.
> Are we seriously going to shame customers for trying to cut some costs in this economic context?
That all depends on the margins of what is being offered. If you are proposing they sell a dime's worth of product for a nickel, then I would see the above post as a much more polite version of the correct response, which is "get lost."
I have no idea of the margins, and expecting customers to know about your operating costs without either disclosing them outright or asking the question is an... interesting take. All I can realistically do is compare with the competition, and the competition is cheaper across the board. Therefore my initial comment.
I'd have no problem paying more for a good product if it brings me something. In the meantime, I'm still left pondering. "Get lost" would be a rather crappy way to treat customers simply asking questions, wouldn't it?
I wish we’d stop with the cup of coffee comparison. Not everyone lives in the USA and drinks Starbucks. A cup of coffee costs 0.70€ where I live¹, cheaper than the cheapest (non-free) App Store app. Furthermore, I don’t drink coffee.
For me it’s not about the price but the recurring cost and the lock in. I’d rather pay a larger sum upfront when I’m sure I can afford it and reevaluate when it’s time to upgrade than be sucked dry bit by bit and have to drop everything to scramble to find an alternative when the developer decides to remove features and jack up the price overnight as they keep the data hostage.
¹ Smaller than a Starbucks coffee, but also higher quality.
Totally agree. Every single new subscription product someone buys that can't be run independently or avoid updates adds tech debt to their personal life. At some point that product will be killed, degraded, or made much more expensive. Software that can be purchased once and run indefinitely is all upside on the long tail.
I wish more companies followed the Jetbrains model where a subscription buys lasting access to the current version and recurring payments gets you continuous updates. It's easy to see why companies mostly avoid this model though; it's easier to squeeze users for money when you have them held captive.
Vaultwarden is an open-source password management server option that implements the Bitwarden server API which makes it compatible with all the existing client applications and browser plugins.
Since the Bitwarden feature-set is pretty darn good my hope is that some foss "bitwarden-api" client applications come along and that'll offer a more independent solution.
Thanks for the recommendation of padloc. I will be checking it out tonight. I really enjoyed my time with Bitwarden, it was quiet and calm and no sudden surprises.
Now that you criticized Bitwarden for accepting the funding, please explain how is your approach different. Are you really not interested in monetization of your own product, and developing it only for the benefit of your users, without any economic incentive from your side?
That's where Vaultwarden (https://github.com/dani-garcia/vaultwarden) comes in. You can use the official Bitwarden clients and fully host the backend by yourself. You don't need to trust Bitwarden with your data and can probably upgrade only when you need to, as the clients surely have some sort of backward compatibility.
You might not, but the vast majority of people unfortunately already trust companies like Google with their passwords.
Likely though they will be stored and kept properly, and there won't be leaks. I only said 'unfortunately' because it hands dependence over to Google. Loss of access is the main concern.
I use Vaultwarden (formerly bitwarden_rs) just for myself.
I still use the Bitwarden extension in Firefox, which is a similar attack surface to what you describe, though probably a shade less vulnerable in practice. I’d like to replace it with something leaner and functionally superior (it’s pretty heavy, and has the major problem of mostly not working in Private Browsing windows, and some other timing/focus issues that I suspect stem from the same bad design), but I have too much other stuff I want to use.
I don’t serve the Bitwarden web interface on my server at all, but I could.
Wouldn’t Firefox’s or Chrome’s built-in password manager (with a master password set) be a better way of bringing a few frequently-used low-impact passwords closer to the internet than a plug-in written by some developer?
An interesting perspective. From that of an attacker, the random plug-in might be a much lower hanging fruit, but also a much smaller one. Obscurity is not completely without merit.
Do you trust yourself to do a good job though? It's a big responsibility. I know plenty of developers that would probably mess that job up one way or another. Certainly in a corporate situation, I'd not want to take that responsibility. Because now the company suffers if I mess up. That, in a nut shell is why companies like Bitwarden exist and why many companies choose to pay them rather than people like you and me to manage their passwords.
I have bad news: it's not only true for the password manager. You have to trust the OS and every single app you install on your computer, because any of them could install a malicious update and steal all your passwords whenever you use them.
If you self host, your server could still be compromised. I think the primary thing making that unlikely to happen with a self-hosted instance is being a very small target.
Most of them do it by encrypting the passwords with your master password, so technically you only have to trust the client on that one. But yeah, the browser can get hacked, malicious client code can be pushed, and lastly there are client bugs.
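As an added illustration of the point above, here is a small client-side vault in Python. It is not Bitwarden's code, and its key-derivation parameters and HMAC-based toy cipher are assumptions chosen so it runs with only the standard library (a real client would use an AEAD such as AES-GCM from a vetted library). What it shows is the trust boundary: the master password is stretched into keys on the client, the server only ever stores the opaque blob, a wrong master password fails before any plaintext is produced, and a blob modified server-side is rejected by the MAC check.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed parameters for this illustration; not Bitwarden's actual KDF
# settings, storage format or cipher.
KDF_ITERATIONS = 100_000
KEY_LEN = 64  # 32 bytes keystream key + 32 bytes MAC key
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    PBKDF2-HMAC-SHA256 runs only on the client; the server never sees the
    master password or either derived key.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_LEN
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt_entry(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob leaves the client."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_entry(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None if the keys (i.e. the
    master password) are wrong or the stored blob was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def roundtrip(master_password: str, attempt: str, entry: bytes) -> Optional[bytes]:
    """One client encrypts an entry; another client (or the same one on a new
    device) tries to open the server-held blob using `attempt` as master password."""
    salt = os.urandom(16)  # constructed per-user salt, stored next to the blob
    enc_key, mac_key = derive_keys(master_password, salt)
    stored_blob = encrypt_entry(enc_key, mac_key, entry)  # all the server holds
    enc2, mac2 = derive_keys(attempt, salt)
    return decrypt_entry(enc2, mac2, stored_blob)


def tamper_detected(master_password: str, entry: bytes) -> bool:
    """Flip one ciphertext bit "server-side" and confirm the client rejects it."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    blob = bytearray(encrypt_entry(enc_key, mac_key, entry))
    blob[NONCE_LEN + 2] ^= 0x01  # entry must be longer than 2 bytes
    return decrypt_entry(enc_key, mac_key, bytes(blob)) is None


if __name__ == "__main__":
    secret = b"example.com:hunter2"  # constructed sample vault entry
    print(roundtrip("correct horse battery staple", "correct horse battery staple", secret))
    print(roundtrip("correct horse battery staple", "wrong password", secret))
    print(tamper_detected("correct horse battery staple", secret))
```

The two failure modes the comment lists that this does not cover are exactly the ones outside the blob: a compromised browser or a malicious client update sees the master password and the plaintext before encryption, so the server-side design cannot help there.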
Yea KeePass (any flavour generally) + any of the sync tools works super well. Plus you do not need to trust the sync tool company to also be your password manager company :-)
One should exercise caution about their on-premises installer, as they play fast and loose with version pinning. It's like many things in life: it works fine until it doesn't, and then debugging it will be some "oh no"
Not sure why dwbit's comment got killed, they furthered the conversation and sourced information well by, inter alia, linking to "What third-party services, libraries or identifiers are used in my Bitwarden account?" on Bitwarden's FAQ (https://bitwarden.com/help/security-faqs/#q-what-third-party...).
"For those who prefer to exclude all 3rd party communication, Firebase and Microsoft Visual Studio App Center are removed completely from the F-Droid build. Additionally, Turning off push notifications on a self-hosted Bitwarden server will disable using the push relay server."