Bitwarden raises $100M (bitwarden.com)
967 points by deanmoriarty on Sept 6, 2022 | 497 comments



I switched to Bitwarden when LastPass started using silly tactics to make customers pay. I didn't switch because of the price - the service pricing of Bitwarden was a pleasant surprise.

I switched because I lost all trust in LastPass.

Managing credentials and sensitive information is all about trust. The second I lose trust in that kind of service, I don't just stop using it, I will most likely never even consider coming back as a customer and I will warn people against them. I don't give second chances to services that are trust based.

I'm pretty happy with Bitwarden so far. But if they betray my trust I'll be out of there in a day, never to return. I switched from LastPass to Bitwarden in a day. LastPass never gets a second chance.

What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.


> I don't give second chances to services that are trust based.

You might run out of services then at some point.

Human beings are fallible, full stop. Also, a company isn't an individual -- management teams change, corporate priorities change, security practices improve. Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.

Refusing to give any company a second chance ever is pretty extreme. Each individual case needs to be handled on its merits -- what happened, why did it happen, do you think the company learned and implemented new policies, how many other undiscovered vulnerabilities do you think are still there? But also, how many other undiscovered vulnerabilities do you think are still there for competitors as well? Just because a competitor hasn't had a breach doesn't necessarily mean it's better; it might just be lucky so far.


2001-2007, I had multiple bad experiences with Compaq, Lexmark and HP. These were so bad in terms of cost and frustration I vowed I would never buy their products or services again. It's been... 15+ years. The tech world of today is not quite the tech world of 2003. Should I ever bother with a Compaq or HP again? I probably won't, but the 'avoid at all costs' just isn't there with me any more. Perhaps I've mellowed slightly in the past 15-20 years.


I am still firmly in never-again-Hewlett-Packard camp after almost 20 years.

The final straw for me was purchasing an HP laser printer (probably the 6th or 7th one I ever bought) and it shockingly had the same extreme-low-quality level that I had experienced with HP laptops, CD ROM drives and other peripherals.

It is probably not fair, but I blame Carly Fiorina for this degradation of a once-reliable hardware manufacturer.


My problem isn’t with quality. Their firmware makes you buy new LaserJet cartridges like it was an inkjet. Stay far away.


> Should I ever bother with a Compaq..

I don’t know guys, should we tell him?


Acquired by HP?

I've been out of that world for a while, and I still see the Compaq name now and then, but it looks like it's more of just a name licensing deal now?


Compaq hasn't existed in any meaningful sense in 10-15 years. HP formally retired the brand in the early 2010s, although it had all but faded away several years prior to that.


> Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.

Not the OP, but I have a similar stance. However, a mistake from an individual employee doesn't mean that I instantly lose trust. It's the handling of the mistake that matters to me. Sweeping it under the carpet, denying their mistakes or outright lying about mistakes is what results in me losing trust.


> You might run out of services then at some point

I prefer using services for my password management (I'm a bitwarden user who's currently happy as well), but I would jump back to some sort of self-hosted or even offline/manual sync solution if I thought that was the only way to keep my passwords safe. I like the convenience of a service, but I would sacrifice it over my security if it got to the point where I had to choose between the two.


KeePass on a Google Drive or iCloud setup is pretty easy.


KeePassXC & KeePassDX + Syncthing is also pretty simple.


I actually used to use KeePassXC and have my (encrypted) password file synced through Dropbox, but their Android client changed to not support a way to have the file stored offline but also automatically sync changes, so I ended up swapping to Bitwarden. In the past I had used Nextcloud instead of Dropbox, so that would probably be one of my first ideas if I did end up deciding to stop using Bitwarden.


Any reason not to use Password Safe[1]? It seems to do it all and doesn't require you to trust some Move Fast And Break Things startup's online service.

1: https://pwsafe.org


BitWarden is based almost entirely on open source so it's possible to branch the project. Given some of the language on their website and their more recent attitude towards OS licenses, my prediction is that they will use the new funding to build as many closed source modules as possible to increase user switching costs, similar to what Google is trying to do with Chrome on top of Chromium. But that is a slow process that takes years, and a lot can happen between now and then.


> You might run out of services then at some point.

This. Every SW creator (OS, framework, app) manages the risk of security vulnerabilities. It's not black and white or simple and easy.


I might, but I haven't so far. And if I do run out of password manager apps, then it is probably time to make my own.


I don't think Dell or HP make their own computers anymore - consumer stuff is all outsourced to Taiwanese/Chinese OEMs (Quanta, Wistron, etc.) - they probably still only make servers in house.

HP and Dell are just marketing companies now.


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it. I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


> What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.

They don't care as long as they can extract their profit before that happens. This is VC, they will prioritize medium term gains over long term stability.


On HN, VCs are either ruthless short-term profit extracting machines or overly optimistic clowns investing in hopelessly unprofitable companies on the promise of future growth, depending entirely on the point currently being made.


tbf both may very well be true at the same time. There's certainly a larger number of both AI-powered juice makers as well as "freeze your head" longevity startups than anywhere else.


I bailed on lastpass when they doubled the annual price for the second year in a row. They had also just been acquired by LogMeIn, who didn’t have a great reputation.

I don’t know if I can manage another service switch. I can do it just fine, but my wife is more resistant to these kinds of changes and we need to be on the same page on this.


I just started using Dropbox Password Manager, it's a nice value-add if you are already a customer.

With the base service, Vault, and this, it's a nice overall package.


LastPass pricing model is what turned me off. I am happy to pay for services I use regularly, but I remember the pricing model didn't seem appropriate for what they were offering. The short cutoff period added insult to injury.

I checked out Bitwarden and it seemed like a better version of LastPass that just happened to be free. Their paid model doesn't appeal to me so I don't subscribe, but I would enjoy paying if they offered something that did.

(Off-topic: Bitwarden seems like an exact LastPass clone all the way down to the UI. Do they share a similar codebase or something? Like was one forked from an OSS version of the other?)


Same, I even remember paying for LastPass for a bit. It was more that I wanted to support a service I liked (same reason I pay for other services). Though I find BW's paid model a bit surprising. I know it is only $10/yr, but the only real value here is 1GB storage and yubi/fido keys. I don't have yubi keys (they seem cool but also a pain in the ass) and 1GB seems rather small.

Looking at Google, Dropbox, and Apple, storage pricings range from 4GB/$ (Apple) to 20GB/$ (Google's 5+TB plans). I'm willing to bet that offering 5GB would make it more worthwhile and a very small fraction of your users would actually use it. What are you going to store? Your passport photo and driver's license? I wonder if there would be a psychological effect here because it is really hard to tell if 1GB is enough or not. At least your average person has no idea.


One paid feature that can be very important is designating emergency access contacts. A family member had a stroke last year (doing much better now) and one thing that made life much easier was having access to his passwords - in this case because I'd set him up with Keepass years ago and still had the password saved.


Ugh, I'm paying for LastPass because I haven't gotten around to switching to Bitwarden yet. They list a monthly price, but they actually charge you annually, so you're essentially locked in for a year (if you want to make the most of your money).


Pay the monthly fee for 2 months, then if you like it go annual. Assuming you like it, you are going to be using it for a year anyway.


I mean that LastPass charges you annually, not Bitwarden.


Dang, changing a password manager seems like a nightmare. I use pen and paper which, given the trade-offs, makes the most sense for me.


I thought it would be bad, but it didn't take long when I switched to BW from LP. Half an hour maybe?

And that includes setting up Duo for push notification 2FA.


There is one thing you lose when doing this, pretty sure password history is still not a part of the export.


Oh that’s good to hear, glad it was straightforward


Last I looked, Bitwarden data is a single JSON thingy (details are hazy now).

I exported my existing passwords, converted the result to the JSON format using vim or something, and imported it. Job done.


I didn't mind paying for Lastpass, but I started planning to move away when they were bought by LogMeIn because I've seen that company's acquisitions before.

Jumped from a paid LP plan to a Bitwarden family plan with sharing and emergency access and quite happy.


I mean, it's not as if these companies care for customers like you anyway. What they want is someone who is willing to purchase their product w/o making a fuss about the negative parts of their business. In fact, I bet LastPass is happy you left.


What specifically did they do to trick you into paying?


Doesn’t really matter what Lastpass did wrong, does it? The point is that trustworthiness is the single most important value for someone who wants users to entrust them with their credentials. Another point is how easily they can lose users. The poster lost trust in them, and was able to swap them out in a day.


https://en.m.wikipedia.org/wiki/LastPass

Read the "reception" section.


If it were an individual experience, I would agree with you, but it is public knowledge.

There were press releases and emails and stuff.

I also switched away from last pass then.


It's very easy to overestimate what "everyone knows".


Public knowledge is not the same as common knowledge, I agree.


Bitwarden already does one thing well. It's everything I'm looking for - open source, costs money but not much ($10/yr), 2FA, clean interface. I'm happy for the new investment, but I hope they don't start adding new things just for the sake of growing.

Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?


> Why would a password manager need so much money?

The announcement suggests they are looking to also launch their own authentication service and tools for managing application secrets.


How did I have to scroll this far down to find someone who's actually read the post? Everybody seems to think the money is purely for expanding the password manager, while in the post they call out adjacent markets they want to expand to.

I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.


It's not that people didn't read the statement, it's that people have learned not to trust statements like this. Ask all Heroku's customers who were just fired by Salesforce to focus on their enterprise offering for example.


I’m pretty sure it’s still because people didn’t read the statement, lol


Why not both?


It's because we're all still in the middle of getting burned by 1Password spending millions to make our app run worse and do less.


That perfectly describes the 1password situation.


Wait, I'm just about to switch my entire family from LastPass to 1Password because of the latest LastPass hack. Should I be wary?


If you're new to 1Password, you may enjoy their service because you won't have the memory/experience of the things that were taken away or "how it used to be."

Now, as for whether one should worry because the company screwed their existing customers once already ... that's personal risk tolerance, I guess

My opinion is that 1Password is the best product out there for the majority of users, because they're pretty good about documenting their formats, have a very good export story, their customer service is mostly good, it's a reasonable price, and their UX absolutely spanks Bitwarden up one side and down the other

But, if a few years from now they rip the ssh-agent out of their Electron apps citing some "well, we decided" reason, or they ban 3rd party clients from using their API because "of sekurity," then no one should be surprised that the scorpion stung them


I almost switched to bitwarden last week, now glad I didn't, but the problem still remains of wanting to find a password manager that isn't crap.


The road to terrible software is paved with companies trying to expand to “adjacent markets”.


Not limited to software even, plenty of examples of companies chasing larger valuations by taking on stuff outside their core competency


Can I interest you in a Metaverse?


Greed kills like speed kills. It’s all very fun and exciting until you crash.


>How did I have to scroll this far down to find someone who's actually read the post?

Welcome to Hacker News


Welcome to the internet at large.


And by extension the world. For every person who reads a story, 10 more just look at the headline and absorb it subconsciously.


Now one hour later, the post is at the top! It probably just needed time : )


Welcome to HN/Reddit. Most threads have people commenting without reading the article at all (or very briefly skimming). More or less just reacting to the headline.

And according to HN guidelines, we aren't supposed to comment on if someone has read the article or not. Stellar.


Given Apple's push for a passwordless web in collaboration with Google and M$ [1], I was worried that BW would go out of business, but they have plans for this and I hope they succeed.

[1] https://www.apple.com/newsroom/2022/05/apple-google-and-micr...


Compete with Okta, essentially


I would love for Bitwarden to use this money to make SSO available to all pricing levels. Currently, in order to use SSO with Bitwarden you have to be on their "Enterprise" plan. I think SSO is too important to gate behind a paywall, especially for a company whose main product is security.


> Why would a password manager need so much money?

The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.

I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.

It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.


Isn't there already a standard for that: WebAuthn?

Hasn't really caught on, despite being several years in the making already


Sure, a standard exists, but that by itself isn't a great user experience. If you actually try to use something like a YubiKey you end up having to register multiple keys with each site to deal with a lost key (assuming the site allows that in the first place). Then you have to remember which keys correspond to which sites, and remember to get your backup key out each time you sign up somewhere new, etc.

Google, Apple, etc are building on WebAuthN in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.

https://www.imperialviolet.org/2022/07/04/passkeys.html


I'm probably more excited about passkeys than most, but I don't see why you need $100M to add support for that. It's a pretty straightforward addition to existing password managers. Might even be easier to support than it is to build a user-friendly password autofill, all things considered.


I find that the easiest way to handle backup keys is with a printout of 10-20 pre-generated auth codes, which go in my safe. Much easier than having a backup hardware key I have to remove and then replace from my safe each time I need to add a new service.


Which is great if you have a printer (and are near it when you're signing up for the account, and remember to do it, and remember to put it in your safe, etc...). Just because it's the easiest way currently doesn't mean there isn't substantial room for improvement in the usability of passwordless systems. Most users aren't going to go to the trouble of printing something out like that.


You can also use a pen, though your point on ease stands.


And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.


Yes, and what is that one like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations which then get spun into a new standard they all "agree" to before.......


Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.

“It’s a feature not a product”


Given the number of businesses out there doing it I would venture to guess you are wrong.

Also, Bitwarden and other password managers are not just about storing the passwords. For example, on a personal level I use Bitwarden Family to manage my parents' passwords and to assist them with issues on various services; this gives me a way to set up accounts and securely share passwords with them for the services, and vice versa.

For business we use the Enterprise products to share passwords for everything...

None of which is a "solved problem" at the OS or Browser level


Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?


> Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Because not all products businesses use have fine-grained authentication and authorization. For example, the registrar for their domain names. And differing employees need access to it at different times.

> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?

What do you think Bitwarden does? It's fine-grained authorization over shared resources (passwords) that controls who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.


It's also useful for things like secure temporary password delivery. I set up your account for the first time with a new service, generate a temp password you have to reset on first login, and then share it to your Password Manager space.

Also just useful for things like API keys - my team just has all of our team's allocated API keys for various services in our password manager so we don't have to go look them up on all of the various services' sites if we need them.


I understand the temporary password use case. But what do you do when an employee leaves? Do you change all of the API keys?


Aren't we supposed to be rotating our keys when someone leaves no matter what technical solution to this problem we're using?


Well, I was trying to avoid the entire rant about using API Keys for security in the first place.

https://zapier.com/engineering/apikey-oauth-jwt/

https://cloud.google.com/endpoints/docs/openapi/when-why-api...

We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.

Notice that Square for instance strongly discourages API Keys for production.

https://developer.squareup.com/docs/build-basics/access-toke...

On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.


Now I’m curious, and this comes from my job history: working at mostly small, disorganized companies and then moving to one very large company where I work with other very large enterprises, so I have no experience with mid-size companies.

Say I work for a large company where everything is gated via an SSO - email, Slack, internal apps, ADP for payroll, my brokerage account containing my 401K information (of course I do have a separate non SSO password for this since it is my account), and Bitwarden (I see it does support SAML).

If I leave my very large organization, it’s easy enough for a manager to disable my SSO and be mostly assured that I don’t have access to anything I shouldn’t. Because “security is job 0” (How do you say where you work without saying where you work /s).

Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?


> Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?

To reframe this: Companies use both SSO and BitWarden, but because a typical company utilizes so many differing services with differing auth coverage (supports SSO? supports roles, permissions, etc.?) BitWarden fills the gap. BitWarden wouldn't be used for your ADP, and 401K. It may be used for your company's payment processor under one main username / password. It may be used for your root AWS account username and password. It may be used for your DNS management. Production API keys for Stripe may be stored there in plain text, but encrypted in your secret store of choice. Those are the typical use cases I see. The list of things you keep in BitWarden are small(er), but they're business critical. Whereas before they were held by the CTO of the early stage startup, now they're centralized, secured, have an audit trail, can be easily shared with others, etc. etc.

In the company I used BitWarden with, these passwords were rotated manually when an employee who had access to that password left, and the new value was updated in BitWarden. Maybe that's easier now?
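The two comments above describe the same offboarding routine: a shared vault records every access, and when someone leaves, the credentials they could see get rotated by hand. The script below is an added example, not Bitwarden's code or any commenter's, that shows how the audit trail turns that manual step into a checklist. It assumes a constructed log format (timestamp, action, user, item name) and a hypothetical `rotate` event that the vault writes when a secret is changed; the item names are made up. The point it makes beyond the comments is the ordering check: an item that was already rotated after the departing user's last view does not need rotating again.

```python
"""Added example (not Bitwarden's code): derive the list of shared
credentials to rotate when an employee leaves, from a constructed
vault access-audit log."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (hypothetical format):
# <ISO-8601 timestamp> <action: view|rotate> <user> <vault item>
AUDIT_LOG = """\
2022-09-01T09:12:03Z view alice registrar-admin
2022-09-01T10:40:11Z view bob aws-root
2022-09-02T14:05:27Z view alice payments-portal
2022-09-03T08:22:45Z rotate carol registrar-admin
2022-09-03T16:51:09Z view alice registrar-admin
2022-09-04T11:03:50Z view dave dns-management
2022-09-05T09:00:00Z rotate carol aws-root
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    action: str
    user: str
    item: str


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the constructed log format into timestamped events."""
    events: list[AuditEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, action, user, item = line.split()
        # fromisoformat does not accept a trailing 'Z', so spell out UTC.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuditEvent(stamp, action, user, item))
    return events


def rotation_list(events: list[AuditEvent], departing_user: str) -> dict[str, datetime]:
    """Return the vault items the departing user viewed after the item's
    most recent rotation, mapped to the time of that last view.

    An item rotated after the user's last view is already safe and is
    left out, so the result is exactly the offboarding to-do list."""
    last_rotation: dict[str, datetime] = {}
    last_view: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "rotate":
            last_rotation[ev.item] = ev.ts
        elif ev.action == "view" and ev.user == departing_user:
            last_view[ev.item] = ev.ts
    return {
        item: seen
        for item, seen in last_view.items()
        if item not in last_rotation or last_rotation[item] < seen
    }


if __name__ == "__main__":
    log = parse_audit_log(AUDIT_LOG)
    for user in ("alice", "bob", "carol", "dave"):
        todo = rotation_list(log, user)
        print(f"{user}: rotate {sorted(todo) if todo else 'nothing'}")
```

Run against the sample log, alice's departure requires rotating `registrar-admin` (she viewed it again after carol's rotation) and `payments-portal`, while bob's requires nothing because `aws-root` was rotated after his only view. A real vault export will have more fields, but the last-view-versus-last-rotation comparison is the part worth keeping.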


Lots of things would not have individual passwords, including:

1. Hardware Passwords

2. BreakGlass Accounts (used if SSO Fails)

3. Vendor Passwords

4. Recovery Passwords

5. Local Admin Passwords for Servers

We also use it to store Backup Encryption Keys, VPN Tunnel Keys, SSL Cert Passwords, File Encryption Passwords, License Keys, etc etc etc

We also have our own Personal Vaults that are individualized, so we can access both our Personal Passwords and Company passwords in one interface that is Cross OS, Cross Browser, and has an API for programming interfaces.

None of which is possible with Browser-Based or OS-Based Password Storage.


Realistically? Many services charge by the seat, so for a service that doesn't get used too often, a lot of places will use a shared account as a cost-cutting measure. Subscriptions add up.


> and not enough people are willing to pay for it to be a profitable business.

1Password is doing just fine..


Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also DropBox.

1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.


>1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.

I keep reading this but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on because these re-writes haven't done much but in terms of functionality, I think it's best in class.

What am I missing?


Thank you for using 1Password!

A full rewrite takes a lot of time. We did this twice in the past and it is always painful. We had to do it again this time because the discrepancies between the platforms became ridiculous and we had to fix this. For example, the same search would produce different results on Mac and Windows and Android.

We also took time to address some of the pain points that existed in 1Password 7. For example, it was technically possible to have a different Master Password on your Mac and iPhone, etc.

The local database was rewritten and we made sure that everything that is possible is fully encrypted. For example, all rich icons are now stored encrypted. We also changed the logging system to make sure no personal information is ever logged. At the same time, we had to make sure the data format is backwards compatible with the old version so that both 1Password 8 and 1Password 7 can be used during the transition.

We ran over 100 studies with both existing users and people who never tried 1Password before to make sure the apps are more usable by everyone.

For new users we added a New Item experience that made it easier to navigate through templates and understand how to use 1Password. For developers, we added CLI integration, support for SSH keys, and a built-in SSH agent that secures your SSH private keys.

Brand new Linux app, more than 100 new features and improvements overall, on top of the full rewrite.


Thanks for sharing some extra context.

I'm a fan (been using it for 10yrs I think?) and think the HN sentiment around it is not representative (it's the only app I'd actually recommend to people and that I trust my family can use).

The family vault features are really great and I was glad to see the browser dropped (I didn't really get why it existed).

I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.

Thanks!


Thank you so much!

> I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.

You are not the only one who missed this feature, and it is coming back soon. It wasn't available in SwiftUI and we had to go back to UIKit to implement it.


I really want to purchase 1Password Family right away, but one thing is holding me back.

Why does 1Password not support Duo Push 2FA for personal accounts? I shouldn't need to pay for a business account to get that.


While I don’t have any opinion about the features, they did have a native app and now the app is Electron based.


https://blog.1password.com/1password-8-the-story-so-far/

Common Rust library code with platform-specific UI code.

Native UI code for Android, macOS and iOS. The app is Electron based on Windows and Linux for the reasons they give in the article.

Article from a year ago, so maybe outdated.


I use Bitwarden and almost never use the app. Most of my interaction comes from the browser plug-in and Bitwarden.com.


From the founder of 1Password: would love to learn where you think it is worse.

1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.

More on features here: https://1password.com/products/features/

A more visual description of what's new is here: https://1password.com/mac/


Not the person you commented to, but I think the only real loss was 1Password Mini. There is the alternate ‘search bar’ mini app which is a decent replacement, I wish that was the one that pops up by default (like used to be with Mini).

You guys make a great product otherwise. It’s the only one where I strongly recommend it over the open source alternative (Bitwarden) even though I have a strong open source bias. There are just a thousand things in UI and UX that you guys do slightly better than the competition, sort of an inverse death by a thousand cuts.


It’s more of a preference for a “real native Mac app” instead of an Electron app. Long time Mac users can feel the difference.


I see it from a different perspective. There are not that many real native Mac apps that both look and feel great. You could probably count them all on your hands.

Also, I certainly understand being the long-time Mac expert. However, when we tested 1Password with new customers we found a ton of usability issues, and many of these problems are solved in 1Password 8. One example: most new users couldn't even figure out how to create new items right away because of the look and the location of the "New Item" button in the old app.


Please stop telling users their preferences are incorrect.


That's because they did a complete rewrite of it, something they talked about on a couple podcasts before they took on funding.


1Password, a competitor, raised ~$650m earlier in the year off the back of exceptional growth. The investment case is likely: Bitwarden are doing well, 1Password are doing very well, maybe Bitwarden can do very well too with some additional capital. Password management is rapidly growing in mindshare, there's a big market and great room for growth, the amounts involved are commensurate with the opportunity -- every single enterprise will have a robust password management setup soon enough.


1Password is 4x the price and is not open source. Doesn't 1Password's stronger backing provide more risk for Bitwarden investors too (chasing the same customers but with less to spend on acquisition)?

Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?


Venture investments don't typically work that way: the goal isn't incremental returns YoY but rather major returns in the long term. Raise a fund, make a bunch of investments, report growth in valuation YoY (based on increasing valuations of portfolio) and then deliver returns once portfolio companies start to exit.

If BitWarden can use that $100m to 10x their valuation and then exit (whether that's an acquisition, going public etc.) the investors will have secured a win: if BitWarden's valuation stays where it is and returns ~$10m/year to the investor(s) over the next decade, that's not a great outcome considering the opportunity cost of capital.

Debt equity is the type of financing you're describing: lower risk, lower returns, not particularly exciting and not particularly attractive to investors if they believe the company has substantial upside potential.


Yes, I'm not familiar with expected returns for investments so my back-of-napkin maths was based on approximate housing inflation in the UK. I figured they'd want more than that as a minimum.

Clearly Bitwarden isn't a unicorn, being a smaller entity in a growing market; do VCs really expect a 10x (in a couple of years?) from that sort of investment?

So, do you agree with my basic premise that they'll need a whole heap of customers, that they don't seem likely to get, in order to make any dent in the investors hoped for returns?


I’d suggest with almost absolute confidence that they are betting on unicorn status for BitWarden. I’d be surprised if they expect anything less than a >$2.5bn exit.


Or 1Password could just suffer from the DropBox problem - it’s a feature not a product.

Every company’s answer to that is also the same “we will target the enterprise”.

They aren’t “doing well” if they still require outside funding.


A feature of what service though?

The OS? iCloud keychain does this, it's not a compelling offering though if you need to use any other OS.

Something like Google? Not sure I'd want to risk my Google account ever getting locked and losing access to all my other accounts.

I'm not sure what that leaves.


The browser is the obvious option. Firefox and Chrome both implement ways to save passwords in the browsers. I believe Firefox has a service to sync them, Chrome may too (I don't use them, so I don't know).

They could reasonably tie in to whatever Office-suite you use (GSuite, Office 365).

In the enterprise, it could be part of a larger "credential management suite" product managed by security. Allow syncing and auditing of credentials, like "when was the last time this cred was changed?" with some kind of automation to generate and push a new credential when need be.

From the outside looking in, a basic credential manager doesn't seem complex enough to be a standalone product.


Is that a large enough market to be a sustainable, profitable business?


I would think so, on the business side of things. I'm not entirely sure what we pay for 1Password because we pay it without question tbh. We have a fair few subscriptions but 1Password would be up there with the indispensable ones.


They'll probably aim for competing with the likes of Okta in delegated authentication and identity management, which is a huge market which need some more competition. I'm in favor, and it really doesn't need to have any negative impact on their existing user base, at least so long as they can manage their growth and don't become a dysfunctional org because of it.


I just hope we won't get repeat of LastPass - some company buys it then just keeps on life support while raising prices.

Also "OSS" version is not really open source, it's just core and all the features you really want from password manager are behind the paid license anyway


Like what? All the features that a password manager needs to have (and features that 99% of people need), the OSS version has. SSO, organization management etc. is not something that a "password manager" needs to have.


Like TOTP, which is part of the paid variant and I consider that an essential feature of a password manager in 2022. Don't get me wrong, I am not complaining about that business decision, just answering since you asked.


To be fair, TOTP should be a separate device to fulfil the criteria of actually being 2FA.


I totally agree, however there are some low-criticality services where 2FA is a burden and having it in your main password manager app is a tradeoff worth consideration. Definitely NOT your primary email address.


TOTP should be on a separate device.


Enterprise sales presumably?

A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.

$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.


I don't really want them to grow. Growing usually means overinflated expectations and when they aren't met by the new products they will try to retrieve the shortfall from their existing customer base with additional monetisation, driving them away in the process.

I hope it won't go this way here but such a cash buyin is usually the start of a difficult time.

> $10/year customers are completely irrelevant to a company at this stage.

Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(


When 10/year is often less than .01% of even a junior developer's salary with benefits, then yea, that does kinda mean we can't have nice things, if nice things require a few devs to implement. We've all gotten so used to getting things where the VC discount was already fully priced in over the last decade that we're deeply conditioned to expect everything to be sold at VC subsidized prices, which it turns out isn't really economical for most non-VC backed businesses to sell at.

I'm sure someone will, like clockwork, reply to me that that could be done by one developer in C, sold for $0.50 and then never patched again because UI designers just mess everything up and no one should have a smartphone anyway. If that's your idea of "nice" then you're likely living a happy life, but if you expect a UI and reliability like even oldschool 1Password or Lastpass, then $10/year isn't buying you that level of development and support.


Well, the thing is, we have nice things now. I don't think most bitwarden users are screaming for new features. Simply continuing as they are with current staffing would be preferable to risking the farm with a big new product.

And the kind of user that picks bitwarden over LastPass or 1Password is not the kind that needs a ton of support.


I guess the question is if they felt like they could continue with their current staffing. Obviously this is a really big funding round, so they clearly decided to aim for more than the status quo, but I've seen plenty of projects where it was many dev's side project, or it was a small number of full-time dev's work, but they were getting burned out and overworked trying to provide the service.

It just always feels too easy to assume that it was sustainable to run/maintain some minimally priced service. Perhaps they realized they needed more developers to have a healthy relationship with their job, and instead of raising the price to $30/year or more to match the new costs, they decided to shoot for the moon.

I'm certainly not trying to say that it's obvious that they're making the right call by taking this investment, or that this won't all fall apart. It's just also important to not assume that the status quo for them was something they could keep going on for the next 3 years.


> Why would a password manager need so much money?

A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.

Not saying that's what happened here but I've seen it happen this way.


With smartphones leading the push towards digital everything, passwords (auth / authz) have become the most important asset, even for consumers.

Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz


Which has also become a single point of failure, and a target for social engineering since "lost device" or "stolen device" etc. becomes the new de facto backdoor


The interface could use a lot of work: ie search for cards and logins should not be separate. It also visually doesn’t look great.


Marketing


The code for the server is AGPLv3 https://github.com/bitwarden/server , with only things in the /bitwarden_license/ directory being proprietary.

The code for the mobile apps is GPLv3 https://github.com/bitwarden/mobile/blob/master/LICENSE.txt

The code for the clients is GPLv3 https://github.com/bitwarden/clients

These are all copyleft... with a CLA (contributor license agreement). It's the CLA that allows them the ability to dual-license for the server.

The VCs must really believe the company can produce a product based on Enterprise sales which would deliver a value North of $1B. And perhaps they can, as Bitwarden as we know it could be considered a strong beachhead to allow them to expand into other auth markets that have high value (hello Okta, Auth0, etc).

But this doesn't seem that scary for Bitwarden users at this point.


> hello Okta, Auth0, etc

YSK they are one and the same. Okta bought Auth0 in 2021[0]

[0]: https://www.okta.com/press-room/press-releases/okta-complete...


What's in the bitwarden_license folder btw?


Looks like some code regarding Bitwarden Enterprise


Oh dear, this isn't good news at all. Now they're going to be under pressure to produce excessive returns to fatten the company up for an IPO or sale. Having seen what happened to Lastpass when it was passed around from pillar to post this saddens me deeply. Let's see what anti consumer measures they start introducing to force us to pay more. Limitations on the free tier look likely and price rises as well.


It's weird seeing people downplay this exact scenario. They raised $100M, can they hit sales in a recession? Rates are rising for VCs, they need to generate a winner quickly more than ever. Just in time before the expected 75bps rate increase


For sure. Taking venture capital increases the odds of a large success, but also increases the odds of total failure. VCs are perfectly willing to blow up a modestly successful business if it means a chance at a giant success.

And from my perspective as a BitWarden customer, both of those outcomes could be worse for me. Obviously for failure, but many companies in their rush for new pots of money can do things that aren't great for existing customers. And then if those rushes don't work out, things like layoffs, reorgs, and other chaos can diminish customer focus, leading to long-term product decline.


Look for vaultwarden


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And Hn goes brrr over it. I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


> I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

they're probably over-represented given that this is an incubator-adjacent forum but startups are vastly outnumbered by both mature businesses as well as bog-standard privately owned businesses so probably not.

Most firms don't get a hundred million dollars up front, they grow products and revenue just like everyone else, with significantly fewer distortions to users or business models.


I guess I might be now that the directors of our little company have sold it, but I assure you I am substantially more mad about that sale than I am about the Bitwarden one.


We use BitWarden at work, we use their business/hosted offering.

We pay them $3600 per year.

Why is everyone so concerned? They’re popular enough in businesses. Their product is great for teams, hence why we pay for it. I’ve found it much better than alternatives. The killer feature for me has been safer account sharing, including 2FA (and I know it makes it somewhat redundant, but it’s safer than turning it off completely)


Indeed, they already have a business model, they won't need to cannibalize their open source password manager to make money here. They just need to grow the business side + offer new auth related services as they mention in the article.

LastPass tried to grow the B2C business which put more stress on the consumer product.


Congrats to the Bitwarden team. Also wanted to mention it's a c# (dotnet) project for those who say dotnet isn't for startups.


Why would .net/C# have anything to do with the success or failure of a startup?

Is this some weird SV bubble thing I'm seeing?


C# is a rarity in SV and startups in general. There's a resourcing constraint for a team hiring only geographically in SV.

SV and startups are dominated by JavaScript/TypeScript and Python. It makes the parts of the team a bit more plug-n-play and in some calculus, makes it easier to grow the team as the company grows.

There's also a bit of cultural asymmetry that may make it harder to hire experienced senior C# engineers. C# tends to be heavily used in enterprise so a startup competing for those resources may have a hard time because of that asymmetry with such engineers seeking more stability (both in terms of employment and codebase). Startups are built to go fast and break things which is the cultural opposite of enterprise where you plod carefully, plan, test, document, release, repeat.

There's always some consideration that C# may be a liability at due diligence. I can understand to some extent since it's much easier to hire for JS/TS or Python in SV than it is to hire for C#. Not that it can't be done and C# as a language is close enough to TS that a strong TS backend engineer can easily be trained to C#.


IOW, it's a weird SV bubble thing.

I get the idea that most developers in SV don't know C#/.Net, that happens everywhere. Some areas are java, some .net, some Ruby/Python.

What I was surprised about was this weird rationalization that C#/.Net was somehow dangerous to a startup. Not only is that not true, C#/.Net is going to be better for a startup long term due to the stability that comes with that ecosystem that you flat don't get in ruby, python, js, etc.

There is absolutely nothing outside of the hiring difficulty that would ever cause problems for a startup wrt to C#/.Net.


> What I was surprised about was this weird rationalization that C#/.Net was somehow dangerous to a startup. Not only is that not true, C#/.Net is going to be better for a startup long term due to the stability that comes with that ecosystem that you flat don't get in ruby, python, js, etc.

It's "dangerous" in some scenarios for sure.

1) You want to hire locally in SV; there just isn't a concentration of developers there.

2) You want to hire senior resources for your *startup*; I emphasize startup because you're comparing apples to oranges when comparing startup to enterprise. C# is heavily used in enterprise so a startup competing for senior resources might be fighting an uphill battle.

3) You want to make sure your team is plug-n-play; there's an abundance of JavaScript, TypeScript, and Python developers. For this reason, it's probably not a great idea to choose Go or Rust because now you're competing against Google and low number of senior Rust developers in general.

4) You want a full stack team; if you hire C# backend, you'll need to train your JS/TS front-end folks to be full stack. If you're full stack C#, well, you're not going to have a good time unless your app is desktop.

----

I'm a big time advocate for C# and part of the reason I joined my current startup was to see what sort of crazy team would pick C# for a SV backed startup, but I can also see the flip side of the coin.


My issue is with the idea that startups are harmed by using C#/.net.

The C#/.Net ecosystem is a batteries included ecosystem, we're not talking about trying to use C++ to implement a website.

Functionally the major difference between C#/.Net and things like node, et al, is that the C#/.Net framework will be supported far longer than the other and the upgrade path will be a lot smoother. That's not opinion, it's objective fact. I've made a lot of money supporting companies that paid for the flavor-of-the-day du jour and didn't realize they needed to stay on the rat wheel that is major upgrades. There's literally a company dedicated to support out-of-date RoR frameworks, including older versions of popular gems with security updates they maintain themselves because of this phenomenon.

My point here is this.

There is nothing inherent in C# or .Net that is dangerous to startups, that's a bubble you seem to exist in. Not choosing C# because the area is mostly Python and JS is a legitimate decision. What isn't legitimate is rationalizing that into C#/.Net itself being inappropriate for startups in general, rather than being inappropriate for that area (for ALL companies, not just startups).

This whole thing about enterprise is a red herring. Enterprise companies use Python and Ruby as well. It smacks of a community trying to rationalize something that has no true rationalization.


Kind of? It's been labeled enterprise in the past and comments here suggest it's frowned upon. It still ranks high in StackOverflow's survey too.


.NET/C# SV startup here.

Very encouraging to see the stack getting a big funding round.

.NET/C# is a very underrated backend stack for startups. Stable, mature, secure, supported by one of the tech behemoths.


I was also amazed at how easy it is to self host, manage and update a bitwarden installation, they truly made it as easy as possible.


Glad for them and I really hope they succeed in the long run, growing the list of successful businesses based on OSS.

As a side note, I've been tempted so many times at this point on getting a paid subscription and getting rid of my "keepass+keepassdb sync via Google drive+keepass keyfile local copy on each device" for the sake of making things simpler. I've read how the internals work, checked the audits, read forums etc. Everything looks great, but I am always paranoid of some security issue arising and my passwords being leaked. I have my entire life pretty much on my password manager and that being exposed would be disastrous at so many levels. Probably just me being irrational.


Maybe some sort of self hosting arrangement would work for you? I self-host Bitwarden behind a Wireguard VPN so it's only visible to devices I've authorised. Self-hosting comes with its own risks of course but you would at least be in control of your data.


I do the same. I run bitwarden_rs as a docker container on a raspberry pi on my home network. Then use wireguard so I am always connected to my home network.

This works great for my family. Simple set up, and I've done 0 maintenance on it.


Have you set your family up with Wireguard as well? Did you do the setup manually or do something else clever to get their devices in your network? I've been spending a lot of time thinking about this, and always end back up at MDM, which is not a terribly desirable ending, but can't necessarily put hands on a device readily for some of them.


I set it up manually for my family members.

My biggest issue is that I have wireguard automatically enable itself when not on my home network. But there are some other networks that need to be excluded, like most airline wifis, as they don't have internet access when just trying to watch a movie.

iCloud private relay does a good job of detecting these types of networks and correctly disabling itself. I wish there was something in the wireguard client to do this, rather than just retrying over and over again...

And since wireguard sets the DNS to use the pihole on my home network, this becomes problematic if they connect to a network that has a captive portal, and needs the wifi's DNS to accept the agreement and get access to the internet before switching over to wireguard and my home DNS.


tailscale


Interesting approach. Any blogs you could point me to?

I am also looking to self-host Bitwarden.


I don't think you need anything other than the README of vaultwarden. https://github.com/dani-garcia/vaultwarden

It has worked for me great without any issues for over a year now.


I agree. I've been using Vaultwarden on ARM for over a year and it's been flawless. Just excellent execution and seamless integration with the iOS App Store version of the Bitwarden client.


Long time Vaultwarden user as well. The VW docker image works wonders for me.


For myself, I just followed Bitwarden's own instructions to get the server set up: https://bitwarden.com/help/install-on-premise-linux/

As for Wireguard, this looks pretty comprehensive: https://dev.to/tangramvision/what-they-don-t-tell-you-about-...

There are nice mobile clients available for both BW and WG.



this is brilliant


I mean if your current setup works, why change it? I just hope you aren't too reliant in GDrive if your account ends up getting nuked as I've read so many times.

While I recommend Bitwarden to my not-so-technical friends, I don't think I'm ever going to move away from my Keepass/Nextcloud setup, it just works for me.


Only irrational thing there was your last sentence.


In the next couple of years, I expect FIDO2 Passwordless Auth to be ubiquitous, natively supported by all OS platforms. Built-in authentication credentials managers within Apple and Google/Android platforms will get more focused attention to improve them significantly. I suspect this should basically render the consumer market not monetizable. So, their free forever strategy here is aligned.

In corporate market, I would expect more ubiquitous integration of cloud hosted identity providers and separate SSO auth providers (which will do MFA with device bound certs, biometric auth and FIDO2 auth) with all the services and they would all be protected behind BeyondCorp style VPN solutions (think Cloudflare, Tailscale etc). In this market, I wonder how they will continue to grow.


Why is it impossible to find out what the typical user experience of FIDO2 Passwordless Auth is? Every time I try and learn it's just a sea of acronyms I've never heard of before.

How do I explain FIDO2 Passwordless Auth to my mother?


Most general case consumer explanation is likely this:

No more passwords. Your biometric authentication along with your Apple/Google account on your iPhone/Android phone is all you need.

A more detailed blurb would be:

You sign-up and sign-in to websites/apps simply by responding to a biometric unlock prompt of your phone (same as unlocking your phone with DoubleClick side button + FaceID etc). Your sign-in details are saved to your iCloud / Google account. You can sign-in to the same website/app on another device (iPhone/Mac; or Android/Chrome device) by signing into your cloud account.

For Pro users, there may be more advanced flow:

Instead of using built-in phone authenticators, you may use a reputed third party secure authentication app paired with an external FIDO key (like yubikey) to do the same thing. In its most secure configuration, it may combine a device binding secret unlocked with biometric auth, a physical FIDO key you possess, and a cloud hosted MPC key that is used based on fuzzy signals like your device location and other fingerprint data etc. All this gives you secure multi-factor authentication that is safe against phishing, theft, loss etc.


Stupid question:

How to mitigate loss of phone, lets say on holidays?


Let's take the case of regular consumer with just one smart phone (let's say iPhone) as their only digital device and they don't have another phone/laptop etc. In this case, if the user lost their phone, then recovering access to their digital identity is going to be several steps:

0. First, immediately after they lost their phone, they should call the customer care number and report loss of their phone and get their sim blocked. This is critical to avoid SMS OTP based account hijacking.

1. They will buy a new iPhone and sim and recover their phone number first. (security of this step is a function of how well telcos operate this process. In my country you have to physically go to a telco authorised dealer shop, verify your identity with a government id proof – this is the weakest step and then initiate a lost sim replacement flow. You have to get a new physical sim and then you can change that to an esim if you wish. To avoid rampant hijacking, there is a mandatory waiting/cooloff period with multiple notifications being sent to old sim if it is still active).

2. They will have to recover their iCloud account on to this new phone. This involves the iCloud password, a verification code sent via SMS to your phone and your old device passcode. This will restore your iCloud account and escrowed keychain on the new phone. For this to work, you should have opted into iCloud Keychain backup.

Obviously, the biggest problem here is if you forgot either of the two passwords (iCloud account password and iPhone screen lock passcode). This is quite likely if you have been using FaceID to unlock all the time.


When you sign up for an online account, instead of inputting a password, your login is synced via your browser profile, or more likely, an account / app on your phone. To log in, you'll always either need to be signed-in on your browser, or scan a QR code on a computer to sign in to your account (WebAuthn over BLE, or cloud-assisted Bluetooth Low Energy (caBLE)).


> The Bitwarden business model will not change

  Bitwarden remains committed to
   A fully featured free version, forever
   An open source architecture
   The ability to self-host
   Advanced business features

This is great!


If you can trust that will stay at the end of the honeymoon, which is very much not a given in these cases.

At least vaultwarden is independent and someone can fork the clients when needed.


Right - the benefit of FOSS is that we can keep using it as-is if we need to. I think that leads to excellent business incentives from the user’s standpoint. I’m currently a paying Bitwarden customer for convenience’s sake, but if they start messing it up I’ll just go host it myself.


How is vaultwarden more independent than bitwarden? Aren't they both FOSS and can be forked?


bitwarden server is mostly written by bitwarden's CTO. [1]

If tomorrow bitwarden decides to do "a mongodb" (= violating the AGPL, and make it closed-source), you would have to spin up a new community to maintain the AGPL fork.

[1] https://github.com/bitwarden/server/graphs/contributors


How exactly is it violating the AGPL for the author to change licenses? They require contributors to assign copyright so... BitWarden belongs entirely to BitWarden.


Because if you've accepted patches you're not the author of the entire code base anymore. So it's not your own work, but a collaboration.

This is why I never sign CLA. Since I'm basically signing my rights away.


Right, but if you had signed a CLA then it's absolutely not violating the AGPL if the host decides to close the source. Since these organisations require that, they're not violating the AGPL.

That's not to say I agree with them and it's obviously shitty behaviour – but license violation is a specific act that they aren't guilty of.


That's only possible if Bitwarden requires a CLA, do they require a CLA for commits/PRs?


Isn't a CLA just a standard CYA move from more established open source projects? I had to sign one to contribute to Django as well and I don't see them "pulling a MongoDB" any time soon.

My assumption is this is so that they're legally protected from contributors revoking the right to use their contribution at some later point or other obnoxious legal shenanigans.


It depends on the CLA. Some just require you to affirm that you have the rights to license your contribution, and that you license it under the license of the project, which is indeed mostly just a CYA. It doesn't allow the project to unilaterally change the license of your contribution, and I haven't seen much people have a problem with this kind of CLA.

The other common form of CLA is a copyright assignment (or something equivalent) to a foundation or company representing the project, which is much more troublesome. This allows them to basically do whatever they want with your contribution, including charging for it, or closing the source all together.


Linux Kernel doesn't require attributing the code to the linux kernel for example



Yup: Section 2.1: "By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution."


It’s a fascinating situation, really: this kind of asymmetry (AGPL for you, but not for us, even if you contribute) is antithetical to the purpose of the AGPL, but desirable for the leaders of quite a large fraction of projects that choose the license (to the point that they might either not use the AGPL or not accept contributions if they couldn’t do it).


I think a CLA that says "You provide us with an additional license to re-publish your code under any license we choose" with modifications to limit attribution, might work. That way the code is perpetually AGPL, but the company is free to offer derivative works under other licenses. Hence you can always use your code, you can fork, you can do all you want, and the company cannot take the code, as it stands at that point, away from the public.


Bitwarden/server has some proprietary components: https://github.com/bitwarden/server/tree/master/bitwarden_li...

Plus it is AGPL + CLA so bitwarden themselves can do what they want


"I promise I will never die." - Gary Johnston, Team America: World Police

But I agree it's a great thing to strive for.


Why has someone put 100m in? Because they expect 200m back.


*10 billion back.


How is that realistic? If they expect to get 10 billion in 10 years, they need to have 100 million paying users (if they charge $10 per user per year), which is like the entire active users count of StackOverflow - https://en.wikipedia.org/wiki/List_of_social_platforms_with_...


Getting money back has nothing to do with revenue.

It just means the VC was able to sell their shares for that 10 billion - a price which may or may not be related to the company's actual fiscal performance


$10B back in equity, not in profits. Depending on government policy and market sentiments, then it may only require keeping a promising trajectory.


Or they launch entirely new products, in the same general space, with new pricing structures that aren't tied to their current offerings. They're Okta + 1Password + ...

To clarify: I'm not sure I buy the above thesis, but VCs don't expect 2x returns at this stage was my general point. They're aiming for higher.


For sure. The way I sum it up: VCs are looking for 10-to-1 odds on 100-to-1 gains. It depends on the stage, of course. This is listed as a series B, but feels kinda C-ish to me. Later stage rounds like that are unlikely to be 100-to-1, but I agree the goal is still well over 2-to-1.


"Fully featured" does not mean "all features"

"Open source architecture" doesn't mean all the parts you need to self host it are open.

Their "ability to self-host" already includes having to buy a license to even get 2FA


How do you trust the word of a company that doesn’t have a profitable business model?

Just wait for the inevitable “Our Amazing Journey” post on their website.


The way I read it is that they already have one minority investor, Battery Ventures, and they are now adding another, PSG. PSG will get a seat on the board of directors; it's unclear if Battery Ventures has a seat. It is also unclear if the two minority investors combined hold a majority.

I hope things go well for Bitwarden, but I'm also expecting an amazing journey in their future. I really doubt that there's enough money to be made as is to yield an acceptable return on investments for the $100M, plus whatever Battery Ventures has already put forward.


(I’m outside of the edit window)

When I ask “how can you trust the company”, I don’t mean to imply that the founders have less than good intentions. But once you take VC money, the founders' intentions don’t mean much.

I’m sure the founders of both Instagram and WhatsApp - just two companies that come to mind where the founders were idealistic and they were hit hard with the reality stick once they got acquired - really believed that their company wouldn’t change for the worse once they were acquired.


I doubt the company will just disappear. They will probably get acquired. But what it morphs into is probably not something consumers who like it now will want.

The only company that I can think of that has managed the transition well and gone public is BackBlaze.


I don't understand, how is their business model not profitable? Their business model is, as I understand it, paid subscriptions.


Their business model is not profitable by definition if they are spending more money than they are bringing in, requiring outside funding.


There is the option that they are profitable, but need the investment to expand the business somehow. There is some indication of that in the press release, but it does seem a little fluffy, and a $100M is a pretty big sum of money.


I can see what you mean, but another way of looking at it is: Most investments are done with the expectation of it being worth more down the line, so someone(s) thinks there are a hundred million reasons why it is a profitable business. :-)

But maybe "are they profitable" is the wrong question. I remember 5 years ago my brother in law said "Tesla isn't profitable" and I countered with "They don't want to be profitable right now, they are growing an inventory and investing heavily in that. Showing a profit is the last thing they want to do." He seemed to accept that answer, I mean now he has 2 Teslas. :-)


I love that they offer a free version and are committed to it. But I depend on it for password management so much so that even if they didn't just raise 100M I'd pay for it in hopes that they stayed around. I think everyone who can, should.


> This is great!

Why? What is a promise like that supposed to be worth? Even if the people making it are completely honest when saying this (which I now doubt), once leadership changes this will go out the window quick.

This is in line with "Keeping our users happy is our main priority" and other quotes from the infinite pool of empty PR speak.


> A fully featured free version, forever

It doesn't say they won't have ads or sell your data. Hint: their privacy policy is already terrible. No mention of GDPR or of them complying with any privacy laws. Their privacy policy mentions "EU-U.S. Privacy Shield Frameworks" for exporting user data to the US, a framework which has been declared bogus by the EU courts years ago.

> An open source architecture

There are so many examples of "open core" calling itself "open source" that if they decide to switch to open core they'll just be another drop in the bucket.

They also require contributors to sign a CLA, which is always a huge red flag.

> Advanced business features

What happened to "fully featured free version" above? Are the business ones separate?


> This is great!

Keybase said the same thing.


Keybase was providing a solution to something most normal people did not even realize could be a problem. It was a great idea, solving a really big problem. But the awareness of that problem was very small. Hence the ability to monetize a solution aimed at the general public was also very low.

I still love the idea, but I don't see how it is a business.


Remind me when they are on their 3rd CEO, 5th product head, and brand new funding sources.


I shared an office and an apartment with Kyle in 2010 and I have vivid memories of him routinely talking about how bad the state of password managers was at that time. I've been a happy customer since 2017. It's been surreal watching the BitWarden team do what they have over the years. Congratulations!


This is interesting I guess. But can't say it's something to be excited about.

I've been using vaultwarden purely because I wanted to play around with rust and it turned into my favourite manager of all time.

10/10 would recommend!


But isn't it just a clone of the Bitwarden server without any extra feature?


I’ve been using Vaultwarden for just myself for at least a couple of years now, and it’s at 32MB of disk space (<3MB of icon_cache, <1MB of database, the rest app). The current server process, at six weeks of uptime, is at just under five minutes of CPU time (average usage 0.01% of a core), and just under 24MB of memory used (RSS).

That’s a feature.

(As a matter of fact, it’s grown quite a bit since I started using it; it used to be under 20MB of disk space and 10–15MB of RSS.)


I really miss seeing numbers like that. I'm in something like my 5th week of a Dropbox support ticket where they seem to think it reasonable that the headless client uses an extra 100MB of RAM every hour, eventually using 20-30GB of RAM, at which point I restart it and watch it start climbing again.


Also running on PostgreSQL, not having to spin up an MSSQL instance


Well, you can opt into using PostgreSQL, but by default it’ll use SQLite, and that’s how I use it. More convenient and probably more efficient in general too.


Not 'just a clone'. vaultwarden is based on a totally different platform, and is less resource hungry. In particular, it consumes much less RAM.


What's your point?


I'm not referring to Bitwarden here but isn't this the standard M.O. of any SV startup?

1. Release great product for free

2. Attract as many free users as possible to signal growth to investors

3. Keep running the unprofitable free tier at a loss as long as possible using your massive VC war chest, while locking in your users with various gotchas

4. Once you reach critical scale and have gained mass user adoption and you've obliterated your competition with your bigger war chest, start monetizing and rent-seeking your locked-in user base and squeezing them so the VC investors can start getting their money back, or cross your fingers for an exit from a FAANG with big pockets

5. Gain a lot of negative publicity, so now a lot of startups pop up like mushrooms after rain, to poach your disgruntled users and compete with you using the exact same M.O. you did. Rinse and repeat.

Did I miss anything?


The people at Bitwarden and their supporters are familiar with countless examples of this playbook. Those tricks are not as easy to pull anymore. I have seen Bitwarden be very ethical in their business so far. I recommend it to my friends and family and to my company to pay for the service. It is a similar model to Nextcloud who successfully funds their business from governments and companies and provides it free to individuals. This model can and does work well.


The people at Bitwarden and their supporters need to answer 1 simple question.

How do they increase their valuation 10+x without pulling those tricks?

Because that's what the VC funding demands. No VC is giving out $100mm for a 20% or even 100% return, which could possibly be achieved by simple growth. They're giving that money because they're expecting exponential return.

Maybe there is an enterprise play somewhere here which justifies this, while maintaining the core product in its current form. I guess we will see, but I'm not holding my breath.


> Maybe there is an enterprise play somewhere

The post mentions the plan to implement advanced business features, and also "Business users deserve consumer ease-of-use along with advanced integration and deployment features."


That just makes it worse. I'm a paying customer right now. VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company. Bitwarden will not be the first to get VC to change its operating principles.


Yeah I think it means "we're going enterprise, at-home users enjoy your coming time with bitwarden as it may end abruptly". That's a bit superlative, but I suspect people should be looking for alternatives. Anything has to be better than my old way of adding my own password layer on top of an excel spreadsheet that I came up with while in college a long time ago. Bitwarden syncing was pretty nice and it isn't trying to turn into some kind of swiss army knife app.


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And Hn goes brrr over it. Then another alternative (KeePass) appears on HN's frontpage. It's like companies are right: You can't target the niche market of programmers because their expectations are through the roof.

I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


I usually just ignore comments like this, but I'm honestly curious. What part of my comment are you replying to?


> VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company.

At the end of the day, engineers/programmers are the ones who implement these changes. I find it unacceptable that lots of HNers get so high minded about these issues but then go on to contribute to the problem by working at for-profit companies. Nothing wrong with either one, just choose one.


One benefit of providing a great free service to individuals is that they become champions and help sell the product. Case in point, I work in IT at a large company that currently does not have an official password manager, and I am recommending it here.


"advanced business features" can also translate as "we don't know how we're going to monetize this but we'll hopefully figure out how to make companies pay for the service"


I think that's a pretty disingenuous translation. The post describes some ideas and I'd imagine that the VCs who invested were provided with a more detailed plan.


This is the only way it works out, and even those are susceptible to falling years later (Google's "free domain email for life" as an example).

The way it works is if the free/small customer cost to maintain is just absolutely minuscule compared to the total costs/revenue.


I mean in theory it doesn't have to. Someone can run a business privately and run it the way they want and enjoy it. Make great profits, but probably not become a billionaire. VC vultures however will not allow that and they have their own pump and dump agenda.


Any company that promises a service for life is just lying: cost/benefit five years on will always fail, and new managers won't feel bound by the promise


Doubling money isn't good enough? Is the business plan that risky?


The server and client-side apps/extensions for Bitwarden are open source unlike Lastpass too.

At worst, we'll have to fork a current release if BW does stupid things in the future.


until they aren't open source anymore and once the FOSS forks are many features behind the product, then they adjust pricing


I switched to Bitwarden after using Lastpass for years and it's pretty feature-complete for me -- it has feature parity with LP and there's a bunch of features that I don't even use.

Even the unofficial Rust-based server looks to have more features than I need:

https://github.com/dani-garcia/vaultwarden/wiki


Yup, I switched to Bitwarden and self host my own instance of it using that container. It works great. I was previously using Keepass (and later keepassxc), but it became a hassle to keep the database file in sync between all of my devices (I lost passwords at times as a result). Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

Self hosted was a nice middle ground. No one else has a copy of my password database, and it's always in sync between devices. Stick nginx as a proxy in front of it for https and easy Let's Encrypt certificate management. The downside is that Keepass by default allowed me to have copies in multiple locations. Bitwarden is only on the server, but since the database is encrypted it's easy enough to have regularly scheduled backups of it. It just is an added step to find another docker host for it if my home server goes down, during which time I may not have access to my passwords.
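An added example of the "regularly scheduled backups" step for a self-hosted, SQLite-backed vault like the one described above. This is my illustration, not the commenter's setup and not vaultwarden's or Bitwarden's own tooling. The point it makes is that copying the live database file with cp can capture a torn page or miss rows still sitting in the write-ahead log, so the snapshot goes through SQLite's online backup API and is then verified before it is trusted. The file and directory names (db.sqlite3, config.json, rsa_key*, attachments/, sends/) are assumptions modelled on a typical vaultwarden data directory, and the sample schema in make_demo_data_dir is constructed, not the real one.

```python
"""Consistent backup of a self-hosted, SQLite-backed vault directory.

Added illustration, not vaultwarden's own tooling. File and directory names
are assumptions modelled on a typical vaultwarden data directory; adjust
them to your install.
"""
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path

DB_NAME = "db.sqlite3"
EXTRA_FILES = ("config.json",)
EXTRA_GLOBS = ("rsa_key*",)  # assumed: key that signs client session tokens
EXTRA_DIRS = ("attachments", "sends")


def backup_vault(data_dir, dest_root):
    """Write a timestamped snapshot of data_dir under dest_root; return its path."""
    data_dir = Path(data_dir)
    dest = Path(dest_root) / time.strftime("%Y%m%d-%H%M%S")
    dest.mkdir(parents=True, exist_ok=False)

    src = sqlite3.connect(data_dir / DB_NAME)
    dst = sqlite3.connect(dest / DB_NAME)
    try:
        # The backup API copies every page inside one read transaction, so a
        # write happening on the server at the same time cannot tear the copy.
        src.backup(dst)
        # Fold the snapshot into a single self-contained file (no -wal sidecar).
        dst.execute("PRAGMA journal_mode=DELETE")
    finally:
        dst.close()
        src.close()

    for name in EXTRA_FILES:
        if (data_dir / name).is_file():
            shutil.copy2(data_dir / name, dest / name)
    for pattern in EXTRA_GLOBS:
        for path in data_dir.glob(pattern):
            if path.is_file():
                shutil.copy2(path, dest / path.name)
    for name in EXTRA_DIRS:
        if (data_dir / name).is_dir():
            shutil.copytree(data_dir / name, dest / name)
    return dest


def verify_backup(backup_dir):
    """Open the snapshot read-only and report integrity and row counts."""
    backup_dir = Path(backup_dir)
    uri = f"file:{(backup_dir / DB_NAME).as_posix()}?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                  for t in tables}
    finally:
        con.close()
    return {
        "integrity_ok": integrity == "ok",
        "row_counts": counts,
        "has_signing_key": any(backup_dir.glob("rsa_key*")),
    }


def make_demo_data_dir(root):
    """Constructed sample data directory with a stand-in schema (the real
    vaultwarden tables are not reproduced here)."""
    data_dir = Path(root) / "data"
    (data_dir / "attachments").mkdir(parents=True)
    (data_dir / "rsa_key.pem").write_text("-----BEGIN RSA PRIVATE KEY-----\n(demo)\n")
    con = sqlite3.connect(data_dir / DB_NAME)
    con.execute("PRAGMA journal_mode=WAL")  # the mode where a plain cp is riskiest
    with con:
        con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        con.executemany("INSERT INTO ciphers VALUES (?, ?)",
                        [(f"uuid-{i}", f"encrypted-blob-{i}") for i in range(3)])
    con.close()
    return data_dir


def demo():
    """Back up the constructed directory and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = make_demo_data_dir(tmp)
        snapshot = backup_vault(data_dir, Path(tmp) / "backups")
        return verify_backup(snapshot)


if __name__ == "__main__":
    print(demo())
```

Run it from cron against the real data directory, and keep the rsa_key files with the database: the vault contents stay encrypted client-side, but a restore without the signing key forces every client to log in again. Backing up the ciphertext alone is not a restore test, which is why verify_backup opens the copy and counts rows.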


> Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

What were your issues? For the browser, I have some extremely minor complaints (not always detecting the correct subdomain for my selfhosted servers mainly), none for Android with Keepass2Android.

Also, no sync issues at all, but that might be related to having only 2 devices ;)


I self-host the vaultwarden server on my homelab for my family. I love being able to use collections to share passwords with my spouse and the same for each of my kids.

I got tired of Lastpass's janky clients, UI, and data breaches. Now I control the security of my passwords.


The nice thing is that it's so easy to set up a company these days that it can just take the last FOSS copy, fork it and go. It'd be a particularly good deal for BW devs, who would've got paid to R&D their own product.


> Those tricks are not as easy to pull anymore.

Arguably, they did with Bitwarden already, no? I.e. even if they don't do anything bad, they still executed steps of free users and large VC checks.

Which is to say, does it not seem like they've already executed the "trick"? Users are already there, they have cash in hand. Their motivations don't matter much here, we as users can only see their actions.

But i don't follow bitwarden at all. I avoid free products for this "trick" reason. If i'm not paying or self hosting, i'm not interested heh. Am i reading Bitwarden wrong?


The company is providing a service of vault hosting around the free software they maintain. Hosting and maintenance has many costs that need to be covered somehow, and we want them to improve the service. The hosting costs of individual users with a free though generous account is supplemented by paying companies and governments. Users are not locked in, as they can easily download their vaults and move to another solution or self host it themselves. Some free password managers such as KeePassXC require users to properly manage backups or host their vault somehow. This is too complex for most users and where Bitwarden fits well. Of course the company could go astray, but so far so good.


> The hosting costs of individual users with a free though generous account is supplemented by paying companies and governments.

I can think of a way to lower costs... :-/


Password vaults are trivially small to host. The marginal costs for these individual users are small. The bigger concern is if they try to monetize these users in some way that harms them. If they ever pulled something like that, many of us would quickly switch from being proponents to vociferous enemies of the company.


... this just happened to 1password less than a year ago... what 'anymore' are you talking about?


Full disclosure, I'm a paying user of Bitwarden.

I think for BW this kind of falls apart at #3. The main draw of this product for me and many others is that it's actually pretty no-frills. It's also broadly compatible with importing and exporting between dozens of other password managers.

That said, this could be a blind spot for me. Let me know if there's any gotchas I should know about here.


If we take them at their word that they're committed to keeping a fully-featured free version, what options do they have to make back a multiple of that $100 million for their investors? What many other companies have done in the past is to add a lot of new features. There are many examples of a simple, no-frills application turning into a bloated, complicated one, with a tiered subscription system. Ultimately a less streamlined, more expensive version of what it was before the funding.


Enterprise sales - that is a hugely untapped market for password managers (and a huge gap for a lot of companies where people keep their various passwords that are left after massive SSO implementations when they try to SAML everything). CyberArk plays in that space, but Bitwarden with the thoughtful way they have built this product can give them a run for their money.


I think the gotchas aren't for the early adopters and power users. It's for the people who will eventually make up the larger, more lucrative percentage of their user base starting with the friends and family of early adopters who are recommended to it.

Once they're set up with it, the idea of "importing and exporting between dozens of password managers" is meaningless. And gotchas aren't always limitations but can be "positive" like well meaning features, integrations, your company using it (so you too), etc. Lock-in comes in many forms.


I have rotated out and back in to BW at least 3 times.

Hardly locked in.


Out of curiosity, why so many rotations away (and back to) BW? Most people I know stick with a single password manager almost permanently, or at least unless their manager has some kind of earth-shattering vuln announced that just shakes their trust enough to move.


I moved to RememBear, they recently went EoL. Others were trying KeePass and Password safe as local options.

Basically chasing the new shiny.


Gotcha. And small world, until recently I worked at the company behind Remembear. Shame it had to be sunset.


I loved that software more than any on my Mac. It just made me happy, the thought that went into the small stuff tickled me.


I'll pass it on to the team! The designers and product people put a ton of work into making both RB and Tunnelbear delightful, and I'm glad it's making a difference :)


That's a good point. I figure lock-in might hit the enterprise users hardest down the line.


It is fairly no frills. But they're gonna have to add some frills if they want to use up that $100M


They could try and replicate most of the keybase features. Use FOSS to market it and sell a hosted version.

That is the only direction which I think could charitably use this $100m productively.


This is actually roughly what they're doing:

- They have a hosted/managed version with a free tier and a paid tier. Paid adds things like MFA and support for orgs. The more you pay, the enterprisey-er the org support gets.

- There's also a self-hosted version which follows a very similar scheme. You can start out for free, but if you want things like MFA or a self-hosted org, you're paying the Warden.


They could do all of that without VC. To justify 100 mil of VC they'd have to expand far beyond just being a password manager.


I agree. I'm not sure what they've got in store next. I imagine they might leverage the VC connections rather than the money to try and get a bigger foothold in the enterprise space, for one, but $100M is $100M and I've got no idea where that can go given the current state of things.


The amount of data in a typical password vault is insignificantly small measured in kilobytes. Bitwarden cost structure is mostly fixed costs for the infrastructure with small variable costs. If a company was providing hosting of large data stores, supporting many free users would be more difficult.


Out of curiosity, what are your thoughts on Vaultwarden?


I haven't used it, and last time I heard of it, it was still called bitwarden_rs. I like the project in principle since it capitalizes on BW's open API, and that's really good work in the spirit of open-source software.

Having said that: I haven't dug into it much. I don't know what the current state of auditing on it is, or how widespread adoption is relative to the mainline BW backend. I hope they use a database backend other than BW's default MSSQL, which has always seemed like a weird choice to me coming from mostly Linux, and so mostly Postgres and Maria/MySQL, though I skew heavily developer over DBA, and that distinction may as well be personal preference (as in, I don't have an intelligent reason to dislike MSSQL beyond my habit of using other things).


Ah, the lifecycle of a company. I think of the first rounds of funding as a sort of puberty. Going public is the mid-life crisis, signaling the downward spiral towards inevitable death. Of course, being bought out is like God taking Enoch directly to heaven, where who knows what happens. Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).


>Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts)

Or, you're Apple, and your cloud hosts the digital lives of all your users from teenage years to adulthood, so they're not gonna switch to any competitor no matter what.


Yeah, this happens with Google too. I have a friend who has so many business/personal docs (she's a writer) on Google as well as gigabytes upon gigabytes of photos both for professional and her family. I have tried many times to go over on a weekend and help them degoogle at least their stuff after having seen reports on here of Google just locking down accounts or deleting them wholesale (can't say I've seen that with Apple? but it has to happen there as well).


Akin to vampirism, I suppose.


If you got to that position by just selling something customers want, then good on you.


Sure, good on you, but once you got that position, what's stopping you from monetizing your users by selling their personal data to advertisers?

I don't understand why anyone would celebrate and worship monopolies? Publicly listed companies are not your friends. You're just a dollar sign for them.


The same thing that stops anything: terms of service.

Also: no one is worshipping, and no monopoly has been mentioned. Nor has companies being anyone's friend. There is more non sequitur than content here :)


>The same thing that stops anything: terms of service.

That made me chuckle.


Selling some thing would be nice, but most of what Apple sells me is a license to my own stuff, sold in perpetuity. They don't want you to own anything. They want to own it all and have you pay them for the privilege of using their stuff. With their documented planned obsolescence, they don't even want us owning what little bit we do have for any extended duration of time.

(Above statement applies to most consumer technology and "digital media" companies, social networks, etc)


I mean if they're making money from things people are freely choosing to buy, that's about as close to good as I can imagine for a large organisation.


My point was "buying" typically implies ownership in conversations like these, when these corporations are actively resisting you actually completely owning their products. We are more like temporary renters. And this has unfortunate consequences for the rest of the goods economy. Won't be long, as an example, before Samsung doesn't want you to actually own your refrigerator, TV, or washer, or Tesla and GM not wanting you to own your vehicle, and instead, pay them a monthly service fee for the pleasure of using your own car you "bought" (spoiler alert).

The whole idea is the thing you "buy" is really just an ephemeral vehicle of consumption and steady revenue stream for the corporation. Good for them, bad for you.


If any of that ever happens then at that point then there's something to talk about. And the answer will be: freely choose to buy something else.

But my overall point is that getting rich from making something high quality that lots of people want is about as honest a way as there is.


> Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).

Or they are simply in businesses with enormous barriers to entry such as designing some of the most complex microchips, writing some of the most complex software, building huge facilities all over the world, and, of course, being prepared to take advantage of a new opportunity at the right place at the right time.


This is bad but how else do you fund a serious software project? Polished well tested and supported software is massively expensive to produce yet we've conditioned the market to believe it should be "free," which means the only way to really do it is to do something like the above.

If everyone expected a car to be free cars would be loaded with all kinds of convoluted bolted-on features to extract money from you: ads, special fuels that can only be produced by the maker, special licenses to drive on roads, special deals with repair shops, and so on.

What you describe is actually one of the less shady ways of funding software. The more common, successful, and shady methods are surveillance capitalism, addictionware (most of mobile gaming), and cryptocurrency scams.

If you structure the market such that honest business is difficult to impossible, things don't stop costing money. They just find less honest ways to make it.


JetBrains has already done it for years. [0] Hundreds of millions in revenue. Profitable. Zero VC capital raised. [0] Supports, sells and develops open-source software used by millions of developers worldwide.

When I see capital raised, the treadmill for an expected return starts running and it is not for everyone.

[0] https://twitter.com/chetanp/status/1205907182396395525


>JetBrains has already done it for years.

JetBrains was also founded in Eastern Europe which probably helped a lot in getting off the ground with little money as there your dollars used to go way, way further than in the west and the local job opportunities were scarce.

In the early 2000's an experienced SW dev in my corner of Eastern Europe was lucky to take home 300 USD and would not shy away from overtime as needed. Replicating the same thing in present day would be impossible as now no self respecting experienced dev here would get out of bed for less than 2k EUR take home pay and would absolutely do the bare minimum with zero overtime, or even work way less than the contracted working time.

The 90's to early 2000's was a wild west in Eastern Europe. Few job opportunities, low wages and low CoL, plus fast internet in every home, meant that everyone was hustling hard in their free time to make a great SW product using no money at all to sell on the international market and get rich.

Now things are different here. Plenty of great paying jobs at established western companies or startups means that the people here are more likely to just want to work at random big corp or new startup for good pay and WLB rather than put 50h+ workweeks in building their own product at home like their predecessors did.

My point is that JetBrains was more of an exception by catching a great wave in time and space that can't be replicated today.


You're absolutely right. Of course there is no guarantee that whatever alternative you seek won't turn out the exact same way. But unfortunately all you can do to punish that kind of behaviour is to vote with your wallet and move somewhere else. And hope it'll turn out better this time... There ARE people out there who are trying to build a profitable, ethical business instead of chasing unsustainable growth. Unfortunately the only way to find out who they are is by giving them a chance...


This is frighteningly specific.


4 also could add “try to avoid 5. by drawing up the regulatory ladder (such as YouTube becoming a bastion of large scale copyright enforcement)… so that it’s virtually impossible for startups to join the space.”


Easiest way to do video copyright detection as a new video platform is to upload every video to Youtube and watch what it does.


Bitwarden replaced lastpass for me and really I'd never go back.

My only gripe is filling in card details, there is never a floating icon to click to do it automatically, you need to go to the menu bar and select the card.

Apart from that all perfect!


"My only gripe is filling in card details, there is never a floating icon to click to do it automatically, you need to go to the menu bar and select the card."

At one point I became convinced that this is actually a security feature. If I recall, an article demonstrated tricking users into entering their master password using those "in-browser" decorations. I could write some html/js to build your password manager icon/etc and trick you into thinking I'm your password manager? I now accept it as a necessary UX chore to leave the browser page, but would be interested in being wrong.


The only thing I miss from LastPass is the ability to store different types of credentials. Bitwarden offers a couple of basic things (login, credit card, identity, secure note) but LastPass allowed you to create new, custom credentials.

One of the things I used to store in LP was AWS IAM creds. Sure, you can store it in a Bitwarden "secure note" but it sure was convenient to have a defined format for it.


Same - between the great product, open source, and Vaultwarden for self hosting, I have no issues giving them 10 bucks a year for them to host for me.


After lastpass announced you could only have 1 device in the free tier, I was gone too.


Not related to the fundraising, but a more general question I've had about password managers for a while: Why does anyone pay a subscription for their password manager when all you need is a client that talks to any old free cloud storage service (Dropbox, iCloud, Google Drive, etc)?

I feel like I might be grandfathered in and they switched to a new model now, but I got Enpass years ago and haven't paid since. I sync my password archive through iCloud so I don't have to trust a random company to store my password archive safely. If anything, by doing that you're centralizing a ton of user logins in a single place that would be a great target if you found a way to hack in and read them.


Sync conflicts are pretty common with KeePassXC on Dropbox (iCloud, Google Drive are not viable options on Linux).

I also didn't want to run the Dropbox client just to sync passwords. Paying Bitwarden $10/year made sense to me.


Why would you need to run the Dropbox client to sync your passwords? Shouldn't the password manager client be able to talk to the service directly?

I don't have an iCloud client installed on my devices (well, other than whatever is built into Apple devices) but Enpass just uses their APIs to sync passwords. Occasionally I have to reauthenticate on one of my machines but it tells me as soon as it loses access. Previously I synced it over Google Drive and I never installed a Google Drive client either.


It's totally possible, but that sounds like it would cost a lot of development time. The KeePassXC project in particular decided not to implement cloud connectors due to a lack of resources.


I'm not sure why you think this is that difficult of a task. This is standard fare for how clients integrate with a service. There's how many third party Twitter and Reddit clients out there, plenty made by a single person that just communicates with a public API made for integration. You can spin up a Discord bot in a few minutes. Why is this any different for syncing a file over an API?


In my experience, sync conflicts are pretty common on SyncThing, too, which is often how I hear this paired ("use KeePassXC on Syncthing for the win" type deal)

I think it's an impedance mismatch trying to take a single-user database format and trying to use it from multiple devices


KeePassXC, KeePassXC browser plug-in, Strongbox app for iPhone. Cloud drive of your choice for syncing. Works well


This is the stack I used before switching to bitwarden/vaultwarden. Couple of reasons why I switched:

- I selfhost it on my NAS so I don't have to depend on a 3rd party to sync all of my password (even though they are encrypted).

- If I need to access my passwords from a new/temp machine, there's a web UI I can access very quickly

- The client is much prettier and nicer to use. The KeePass clients all felt very dated and clunky.


I've been on KeePass + Dropbox since Dropbox first became a thing and I have yet to find a reason to do it any other way.


Or SyncThing. This setup works and more people aren't considering it. The UI is great and the desktop app is not Electron based.


I used to do this. I finally had to switch off of it because the Syncthing Android experience is so bad (necessarily, because Android is bad).

I had many instances of not noticing Android had killed the Syncthing backend again despite being explicitly told not to, and then I had two out-of-sync password databases and would have to go merge them again.

I'm still bitter about it, because Syncthing as a syncing layer is so much more elegant than everyone implementing their own server and sync protocol.


This is a smart play. They are one of the very rare consumer security products in the market and they have a lot of enterprise traction. Their average user lifetime will probably average a decade, and identity is an immensely sticky tech. Just as a channel to those users, they would be an asset to some megalithic platform (the way whatsapp was to facebook) who wanted to acquire users to sell other products into. I could see a defensive acquisition by one of them in the near term while it's still cheap.

I was lucky enough to have a brief exchange with their CEO on his recent customer interview tour, and my impression was his product view was enterprise focused, which made sense in the context of this raise now. My relatively cold read was he seemed laser focused on a kind of "do what we do really well," philosophical vision on their current product, which I think is a strong asset to secure their LTCV with current customers, and that will drive their valuation.

However, I get overexcited at the growth prospect because security products are never what anyone but security people actually want, and all the products in the identity space suffer from the same problem of being top down management frameworks with integration and federation as just something you say but never do. A consumer security product people actually choose for themselves and want their employers and services to integrate with because they already like the experience of it, is just infinite level growth potential in a market of slow moving dinosaurs. Okta's massive expansion in just the last decade established that the gerontocracy of enterprise behemoths was too slow footed to respond to an incursion into the very foundation of their market (user identity), and what impressed me about this raise is that I think a well capitalized startup with traction could absolutely sack it.


That is a LOT of money. $100M. That's enough money for ~50 people to live on $100k/year for the rest of their lives. You could pick 50 thinkers, scientists, artists and say "hey you never have to work again, just do your thing". But instead you invest it in a startup that will almost certainly burn it up in a couple of years of 7 figure salaries for execs and fail.

What a waste.


It's not giving away money. There is a clear goal of getting more money back than they gave.


Not for the rest of their lives. 50 people can live on $100k/year for 20 years.


If you assume typical stock market returns, ~$2M is enough to retire on and live on $100k a year of interest gained alone.


Assuming you are using recent interest rates. If you mix in recent inflation rates too it doesn't work out in inflation-adjusted dollars like that, though hopefully a lot of that is transitory from covid (or maybe we have something worse than covid in the future).


You could always get your own $100M and spend it however you like. Incidentally I have worked at more than one startup that had a burn rate of about $100M/year, and most of it went to engineering and sales salaries. The execs tended to take little to no cash comp.


I am afraid that my free tier plan data will go away. As for the self-hosting option, I am concerned that I don't have enough infrastructure to ensure the safety of my data. I wish their backend supported a cheaper static store like object storage instead of a full-featured database.


This actually worries me.

Bitwarden will now be pressured to try to grow and monetize to make a return on that investment.


Ok I have been putting this off for some time now, but looks like it's time to learn to host Vaultwarden


It's ridiculously easy, especially if you use SQLite. The only downside IMO is that they take the Bitwarden frontend as is, which expects the full feature set to be available. For instance, if you disable email 2FA via the admin interface (the only component Vaultwarden adds to the frontend), trying to set it up in the app fails silently.


So many people here praising Bitwarden. I was using multiple password managers, but stuck with 1Password. Their last update is atrocious. I tried switching to Bitwarden and forced myself to live with it for 3 months. I gave up when it lost a generated password. Apparently it is quite common with Bitwarden and bad connections, which I have a lot of, travelling to remote locations where I actually need to generate passwords.

Both app and server need so much polish. This is literally like touching something from the 00s and everyone seems to be content with it.

I truly hope Bitwarden will put money into bettering their app and technology, focusing on user experience, not on a feature checklist.


Bitwarden is just great! One of the few pieces of software I am really happy to pay for.


Whatever the fuck do they need this for? I just cannot see any good reason to raise $100M. Hell, $10M might be too much.


I have exactly the same question.

I can’t imagine needing $100M for developing this kind of product. Anyone has a guess?


Good. Maybe now they can finally get around to fixing some of the rough edges for enterprisey customers. Onboarding new users is a pain. The audit UI is a pain. There is (still!) no way to share a password with another user within the same organization (except by creating a Collection and granting access to that, that's not what you want when you're creating an email account for a user and want to give them their initial password).

That, and their UI is pretty cluttered and ugly, though the latter is subjective.


This worries me as a Bitwarden customer of several years. The bigger a company gets, the worse its treatment of customers gets. It's not 100% true, but in my experience it happens most times. I guess I should just write my own, probably much less secure, password keeping database just for fun as a backup, and export my passwords often and keep them more local and unsecured than if they were just in the cloud. I suspect they will end free tier service in the next couple of years as well.


It’s the password manager of my choice. I hope they manage to survive. Maybe they should try increasing their annual fee. At $10/year it’s a steal


I wonder what their costs are like? I'm not familiar with all the features of Bitwarden in particular, but a password management service is basically E2EE cloud storage for very tiny files, a simple account system, and then a bunch of clients.

Building and maintaining clients for all operating systems and browsers probably costs the most, but it can likely be done by 1 or 2 full time engineers.

Or am I completely underestimating the complexity of something like this?


After posting a simple comment, now I'm getting emails from Bitwarden...

"Additional security has been placed on your Bitwarden account. We've detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha."

Thanks HN! =)


Well, if Bitwarden becomes the new LastPass, there's always room for another Bitwarden.


How is the user experience of bitwarden vs lastpass?

I find lastpass clunky.. ipad app is flakey (or is it the iOS integration layer itself?)

Integrating with chrome, iOS, etc, I assume is a difficult problem so I've assumed most password managers have the same issues. But it drives me crazy they haven't innovated much either, e.g., searching for specific passwords in my vault. I have to export it to excel and then look for them, then make sure / hope that the excel file didn't drop any temporary file copies anywhere.


I just logged in via Bitwarden on Safari to reply here. My vault is self-hosted via the Vaultwarden project, which is a lighter-weight implementation written in Rust. It is hosted on the free tier of GCP, which is proving more than enough for personal use. The self-hosted server interoperates flawlessly with the official Bitwarden clients. I have no complaints regarding the user experience on macOS/iOS/iPadOS. However, I was not a fan of the user experience on Android. I recently set up Bitwarden for a couple of family members who use Android and it definitely didn't feel as frictionless as it does on my Apple devices. Not sure if that's because of how Android implements password managers or how the Bitwarden app for Android is implemented.


As folks talk about migrating, largely to yet another (insert another startup-themed password manager), I can't help but wonder.

Which has taken more time? Learning how to use gopass and a yubikey, or migrating password services every few years and paying hundreds for arbitrarily pay-walled features?

Edit: idk, maybe there's some UX aspects of the password sharing features that are more important to other folks, otherwise, the diy option is not that hard, or a UX sacrifice.


Excited to hear this. The most important use case for me that is unmet with Bitwarden is a shared vault in a company that has some permissioning etc.

It would be cool if there were a Bitwarden "extension vault" that is only accessible so long as you are employed somewhere and which suggests rotation as part of offboarding etc. Anyway, congratulations and good luck.

How much would I pay for that? Perhaps with ACLs and stuff I think $10 / user-month


I'd be really curious to know how much the move to passkeys has factored into this. I imagine it's an immediate threat to existing password managers.


I think this has been factored into their plans [1] of bringing "consumer ease-of-use to Business users" which reads like they are moving away from the consumer market where widespread adoption of passkey will materially affect the revenues of all password management vendors.

They are betting their future on the enterprise market and the announcement blog post links to their Partner [2] page—a central part of their strategy to gain a foot-hold in that market.

In the enterprise market, inertia and regulations cause user habits to change much more slowly relative to the consumer market that Bitwarden is most familiar with, plus enterprises are not price sensitive, so they can get away with charging really high prices to justify their huge capital raise.

1: https://bitwarden.com/blog/accelerating-value-for-bitwarden-...

2: https://bitwarden.com/partners/


This makes me very glad that I switched my self-hosted password manager from Bitwarden to Vaultwarden. It implements the Bitwarden Server API so I can still use the same client applications.

I strongly suspect that this new VC-funded Bitwarden will eventually close off their applications API and client applications, but with an open-source server API provided by Vaultwarden it should be possible to create new, open-source clients, too.


So, the price for 3 million active users is around $100M. Or 3 dollars per user vault. OK. Noted. It's time to switch then.


do you mean $30/user?


With extra funding, hopefully soon their search results will show folder names so that organizing by folder makes sense in a search context.


I moved to pass cli (on i3 with a simple rofi selector) and the FOSS Android app https://github.com/android-password-store/Android-Password-S... synced over Syncthing and I never looked back


I moved from LastPass to Bitwarden a few years ago because of the nimbleness and simplicity of it, it felt so refreshing.

How much time do we have left before Bitwarden gradually becomes as bad as LastPass for the sake of high growth? 2-3 years? I’m not passing any judgement on this raise, entrepreneurs do what they gotta do.


> How much time do we have left before Bitwarden gradually becomes as bad as LastPass? 2-3 years? I’m not passing any judgement on this raise, entrepreneurs do what they gotta do.

Bitwarden though actually has an API, and in turn interesting community implementation potential such as the Rust-based Vaultwarden [0]. While I agree seeing them get a huge round does raise some concern in terms of the revenue generation pressure (1Password sticks in my mind as a worse example though with their switch to forced subs-only, no local/non-1P vaults, abandonment of native apps etc), to me the real sign would be if they broke self-hosting. But even so, of course with self-hosting one could simply stop there. Doesn't feel like quite the same situation as 1P or LastPass where one was really in a fully vs partially proprietary system.

I'd be OK with paying for updates to quality clients though so long as it was a regular payment system (not paying means staying on that version vs having it stop working).

----

0: https://github.com/dani-garcia/vaultwarden


Question: all users of the free plan just don't use 2FA or Yubikey? I am amazed how that would be good policy in 2022.

Nothing wrong with charging for a premium version, just curious how users handle things and why there seem to be so many users on the free plan. They all just don't know or care about 2FA?


You can use other free apps for 2FA, e.g. Authy. That might even be better for security because even if your password manager account is hacked/leaked, you would still have the 2FA setup in a separate app/platform. That being said, it’s of course more convenient to have passwords and 2FA tokens in the same app.


I just moved off Authy to Raivo. Authy traps you into their product... not something that you want.


Maybe with this new money they can fix the only bug stopping me from ditching LastPass https://github.com/bitwarden/clients/issues/2304


I always enjoyed the value that Bitwarden provides: free to use, password generator, and a vault to keep other texts. But somehow I never got the TOTP working.

Once I was locked out of Bitwarden because of Cloudflare blocking my IP address for some unknown reason. I restarted my router and the problem got fixed.


> But somehow I never got the TOTP working.

I think bitwarden's TOTP generation is a paid feature, but it still provides the option to store the secrets in the free version


Yeah it's nice and all but I wish they brought fingerprint auth to Linux already:

https://community.bitwarden.com/t/linux-fingerprint-and-or-b...


I really like bitwarden, but I do wish their internal API was more clear/open so 3rd party clients were easier to write. There have been a few times where I've been on an obscure OS on a device too slow to run a modern web browser, but wanted to use Bitwarden.


As another perspective, by documenting that API, they're promising to retain backward compat and the documentation burden that comes with it. As long as it remains an internal API, they can fiddle with it as fast as they can get their old codebase off of it

Since their codebase is in the open, and there's already at least one other open source implementation, that's likely about as "clear/open" as it's going to get unless this newfound $100M spawns an API team or something


Any Apple-devices users here? Why would I use this instead of Apple built-in password manager?


I think the biggest is simply having access to your data on non-apple devices and non-apple browsers. I.e. using it in Chrome or Firefox or whatever browser you want, as long as there's an extension that supports the browser it's likely available.

You can store a lot more data in Bitwarden as well, including custom fields, so you aren't stuck with just a username and password and optional 2FA. With Bitwarden you can do security questions, a notes field, etc.

Sharing with family is another big feature. Sharing your cable login, wifi password, streaming services, etc.

There's a whole list of them, but I think those are sort of the top 3 for me.


Keychain supports a 'secure note' type item which is just a blob you could drop some structured data into, but no way to specify a custom fancy form.


Right, but I often leave notes in my login items themselves. If the account doesn't use an email address to authenticate I might just put the email address in so if that email ever gets shut down I know which accounts need to be migrated, as an example of why I might do that.


Apple released a Windows app that lets you access your keychain passwords. There's also a chrome extension.


Neither of which help me on my android phone or my Linux machine...


I tried bitwarden, and went back to 1Password. My ecosystem needs to be a bit independent for apple, just in case Apple starts acting like google, and locking users out of their accounts forever. The apple keychain has a really awful interface (surprising for apple) and family management is poor.


Not sure I understand, why did you switch back?


Ahh. Didn't tackle that - integration and user interface primarily.


Oh, ok I misread the original post. Yeah I have had trouble with the browser extensions for 1Password for the last few years, will probably switch to self hosting bitwarden soon.


heh, if you think the 1P browser extensions are rough, you're going to really get a kick out of the tire-fire that the BW ones are


well i'm not using them anyway, so maybe i can save some money and not have to trust a 3rd party


I use Bitwarden mainly because I can self host the server (vaultwarden).

And even though I don’t use Windows much, it’s nice that I can use the win client there.


It's nice to have something that's OS independent. Maybe you have no plans on leaving Apple now, but surely you wouldn't want to rule it out ever happening in the future. Using an external password manager just means one less pain point for migrating. It's the same with any OS, or any technology for that matter.


> Why would I use this instead of Apple built-in password manager?

Because Bitwarden works on more devices than what Apple supports.


The Apple built-in password manager is worse than the Chrome built-in password manager because the Apple built-in password manager is not cross platform. The Chrome built-in password manager is worse than the Bitwarden password manager because it doesn't support credential sharing.


other than getting out of icloud passchain jail, none.

Personally I use bitwarden so I can have unified access to passwords on my windows laptop, iphone and android phones.


Been strongly considering switching from Dashlane (no idea why I chose it originally, but here we are) to Bitwarden for a while now. Despite some of the comments I don't think this changes anything, though I might just wait a little longer.


Here comes price hikes. This is why I kept asking these guys if they had a lifetime sub.


In a world where the average hardware cycle is 1-2 years and the software cycle before obsolescence is 3-5, a perpetual subscription is the only way. Software written today for consumer devices like iPhones and Android devices will break in 2-3 years if not maintained, and often much sooner than that.

It sucks. Gone are the days where you could buy Microsoft Office and run it for 10-15 years.


Even better! Kudos to the team. A viable alternative to 1Password and others. I agree there are open source alternatives available, but I prefer to pay for the premium version, which works across all devices. Good stuff.


Lots of people worried about Bitwarden. Where are the people worried about PSG? As passkeys gain adoption, fewer people will need a password manager, and PSG is going to have a hard time getting their money back.


Why should anyone be worried about PSG? Deals of this magnitude take months to close, especially considering the amount of money involved, so there's no point worrying about an entity whose raison d'être is to earn a return from the management of other people's money.


Because they look like the biggest loser in this deal. Everybody else comes out ahead. In the short term, while password managers are useful, users get a better product, and Bitwarden's employees get paid. In the long term, users don't need this product, Bitwarden's employees find other jobs, and the investors have lost their money.


This is fantastic. Bitwarden is a great service and them having more resources to do yet another thing The Right Way is only a good thing in my books. Really keen to see what they produce.


Happy user here. Congratulations to the company. Would be cool if they invested some into autofill functionality for their Android app because that doesn't seem to work as it should.


My experience with the app's autofill using both the Android Autofill Framework and the Quick-Action Tile has been great. Can you talk more about what doesn't work well for you?


I'm not the op but I find the Android experience to be pretty terrible. It almost never gives me the option to auto-fill my passwords and when it does it's usually because I already went out of my way to open Bitwarden. It's very inconsistent and frustrating. I'm not running any weird Android version either. Pixel 5, stock OS, always up-to-date.

The thing is, I've never used any other password manager on Android so I can't tell if the problem is Bitwarden or if the problem is Android.


Have you checked if it's enabled in your accessibility settings? It needs to overlay itself over other apps. After having enabled it, it started working fine.


As far as I can tell it's enabled. The only other option I see is an option to turn on an overlay button but I definitely do not want ANY app drawing a button on my screen 100% of the time.


I love Bitwarden. Super happy about this. Congrats to everyone!


What does a password manager company need $100M for? Aren’t they doing just fine without VC money? Wouldn’t $1M be largely enough?


Well, guess it's time to cancel my subscription and start preparing my departure from Bitwarden...sad to hear this.


Is this PSG related to Paris Saint-Germain?


Nope. They are part of Providence Equity

https://en.m.wikipedia.org/wiki/Providence_Equity


I'm quite happy with the premium service, and I see myself staying there for the foreseeable future.


Well I supposed authn landing in Safari this fall is good timing (for us) as a backup option


Does Vaultwarden have plans to reimplement everything Bitwarden does so that we have another option?


Not everything; on their wiki page [1] they have a list of missing features. They also state that some of them probably are not going to be implemented, at least unless someone contributes any of them. [1] https://github.com/dani-garcia/vaultwarden/wiki#wiki-pages-b...


Oh $100m VC injection, exactly how 1Password started going to garbage..


Wonder if they could have raised the yearly sub or added a tier to make that instead?


Honest question: what's the main benefit to using a password manager?


Being able to have strong passwords without manually writing them down somewhere. All of my passwords are now at or near the maximum allowed character limits/complexity.

A lot of password managers have some simple UI to show you your weak passwords and it's a bit of a fun game when you first import all of your passwords. Take a few days and browse all of your accounts and either delete the account or beef up the password!


Imo: Effortlessly different passwords everywhere. So if one of your passwords is leaked, you don't have to change passwords for all accounts.


serious question, is there any benefit to a password manager if you are using the Apple ecosystem via your Keychain across devices for password management with pin and faceID?


As a current 1Password (10+ years in LastPass, 3 years in Bitwarden) user in the Apple ecosystem, here are the value adds for me:

- Ecosystem agnostic, from before I was all in on Apple

- Ties into other services I use seamlessly

   * Fastmail masked emails for signups

   * Privacy.com one time use cards/vendor locked cards for signups

Other add on I'm more dubious about:

- 1Password supposedly alters password suggestions based on the domain, adjusting password length requirements, special symbols, etc


Not really, unless you're uncomfortable using Safari and Keychain Access.


More competition in this space is good for users.


Oh the sweet irony of people praising them over 1Password not two weeks ago. Cue the typical HN "I switched from Bitwarden to X" in a couple of weeks.


The difference is that Bitwarden is 100% open source (clients and server).

If they do something stupid, I'll run one of 2 OSS servers available and it's done (or have someone else host it for me).


It's interesting to see the tone change. Some similar points being raised, but without the "1Password is the anti-christ" tone of previous discussions.


But why? I don't see the main core having any bigger value at all (a few millions yes, but not more)


Looking forward to autotype


After lastpass, I am a little wary about password managers. Not sure when they plan to "monetize" me.

Been using Google Password Manager since LastPass turned on its paywall. What's your opinion of Bitwarden? Reasons to give it a try? Having all passwords locked up is no fun.


Unlike both Google password and Lastpass, Bitwarden is open source on server and client side.

This means if worst comes to worst, the community will fork the code and set up a new server or 2.

I switched to it after the Lastpass changes and BW literally has everything LP had plus more. It even imported my thousands of LP entries on first try with no issues.


They charge for a premium plan, as per the article. We pay for a premium plan at our company.


does bitwarden scale up to 20-30-50 thousand users?


I would love to hear the battle stories from a helpdesk from a 20K+ rollout of bitwarden.

The UX might be a bit uphill for non-techies. (Example: Tab, Vault, Send, Generator, Settings are what is displayed for the main browser interface. Can you guess what they do? Selecting a Keyboard icon is "view account".)


Why would you share passwords with that many users?


that’s a lot of money for a password store


How does Bitwarden compare to 1Password?


Well that’s annoying. I guess the clock is ticking on Bitwarden becoming user hostile. I can’t see how they’ll be able to produce a return on that investment at their current price points.

Having said that, I do think there is an opportunity for Bitwarden to expand into application secret management, and that could be a lucrative market with big enterprise customers if they get it right.

The announcement seems to be a generic “nothing will change” announcement though, which doesn’t inspire confidence as:

- These are almost always reneged on later

- Clearly something has changed (or why bother getting investment), they’re just not telling us what. “We can deliver on our roadmap more quickly” could not possibly be more vague.


I agree. That’s a huge investment for a product with a currently very low individual user price.

I expect to see a rapid push to enterprise with individual users left behind and a lot of broken stuff along the way :/


How much they chase growth and how much further investment there is will probably be one of the big concerns. Also how much ROI the investors expect.

The market does seem to have space: 1Password has an estimated ~$235M revenue, and LastPass and Dashlane ~$70M. And all of them are quite a bit larger than the latest headcount I saw for Bitwarden (resp. 800, 400, and 400, versus <100 for BW).

But it is worrying, especially with bitwarden having low TCOs currently, especially for the free-er side of the offering.


> I do think there is an opportunity for Bitwarden to expand into application secret management

You mean like they mention in the announcement that they will be doing?


It's a hilariously oversaturating market though with everyone and their mom rushing into that space with VC and non-VC funded products for the past 2 years.


Ah, I missed that bit


In many ways it's a shame when a useful tool turns into a high growth startup. They're going to hire a bunch of developers who will need to justify their existence by adding features, they'll probably eventually either fail or get purchased and shut down. And then all the overly complex applications will start to rot.

What's wrong with saying "this is a useful tool" and leaving it at that?


"A million dollars isn't cool. You know what's cool? A billion dollars."


Particularly if it's a trust-centric product like this. Sure, I wouldn't expect outright secret exfiltration no matter how bad it gets, but switching password management providers isn't exactly what you want to happen on a regular basis. (yes, this form of lock-in has most likely been a big factor in the investment decision)


If you're a Bitwarden user and this doesn't worry you, you haven't been paying attention to the history of almost every company that has accepted VC funds.

It doesn't matter how well intentioned the founders are - once you accept that kind of money, it's not your product anymore. You are now in the business of making money, nothing else, and those skewed incentives will start bleeding into their product and business practices sooner or later.

As a company, Bitwarden has been a huge role model for me, and I hope they'll be the exception to the rule. But $100M is a lot of money, and I simply can't imagine it having a net-positive effect on the company and product. But we'll see...

For anyone looking for a bootstrapped, open source alternative to Bitwarden, check out Padloc:

https://padloc.app/ https://github.com/padloc/padloc

(Disclaimer: I'm the founder)


That’s a hell of a disclaimer after a decently alarmist comment. You may be correct, but I’m not sure it’s appropriate for you to raise that point given the conflict of interest.


Seriously, talk about burying the lede.


I would have simply reversed the order of the post.

"We're building padloc because we see no way to avoid X Y Z"


I fear for this world if one cannot responsibly process the data they're given after all the cards are put on the table.


The only conflict of interest here is the VC looking for a quick exit as rates are rising and your comment shooting down what appears to be a bootstrapped alternative/competition.

Although I wonder how much it will take for this padloc fellow to turn around and announce that he decided to accept VC or, even worse, to issue tokens on Ethereum.

We are almost at the Minsky moment and a lot of founders are going to realize they no longer own the companies they built.


disclaimer is good tho.


Isn't bitwarden[0] already open source and aren't you just asking people to trust you till you take VC money?

[0] - https://github.com/bitwarden/server


Not only that but even the clients are open source ( https://github.com/bitwarden/clients ).

There's even an unofficial Rust reimplementation of the server which is even better.

Parent post is spreading FUD on this one.


The product being open source doesn't prevent the situation the OP mentions. It just provides a mitigation or a workaround by forking.

I also hope it won't happen but many good projects have gone this way before.

In this case the investment is not for the password manager but for a new identity service. However if that doesn't end up providing the promised results, the shareholders will start looking at the existing successful product to extract more value. After all they own part of that now and they want their returns. It's just what they do. This will clash with the users' best interests sooner rather than later.

Then it becomes forking time but can they find a good maintainer? Open source is not always a guarantee for continuity.

Of course if the new project pans out this won't happen but it's a gamble, and one the existing userbase never asked for.


There is already a well-maintained third party implementation of the server.


The server and client are open-source, and independently audited regularly since 2018

https://bitwarden.com/blog/bitwarden-network-security-assess...


Yeah the Rust version works well. I had an issue with it when importing passwords from a file exported from Dashlane, but other than that no issues. And I run it on a bottom tier Digital Ocean vm.


Lots of people can't set up their own bitwarden servers on a slow weekend. Yeah I can, but I venture 98% of people can't. Sorry, you're assuming everyone (including every HN audience member) can do that. Are we supposed to just keep quiet? I think we all know what happens when the VC folks come in. If you haven't lived through it (I have a few times now) you've at least heard about it if you read tech news at all. As long as the comments are respectful I don't see any reason to gatekeep them.


That's how it looks to me as well. OP's claim borders on FUD and comes across as a bit disingenuous while shilling their project. Bitwarden is open source as well, and there's also this independent, popular 3rd party project that uses the bitwarden protocol and is much loved by the community.[1]

1: https://github.com/dani-garcia/vaultwarden


When the person declares it's their project, it's not disingenuous.


Paying Bitwarden user here.

This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?

I'm interested in your alternative. I hadn't heard of it, went on your site and it looked decent, I think if I had seen this before going with Bitwarden I'd have seriously considered it, BUT now that I'm a keen BW user, it doesn't seem as if there is enough for me to switch.

Are you also definitely never going to take VC money? Or an acquisition, say, by Bitwarden? Why should I trust you (and a product I've only just learned about)?


> This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?

This is easily said, but remember you're talking about a security-sensitive application. Do you really trust yourself to keep your fork secure? I know it doesn't look like it on the surface, but password managers have become wickedly complex, especially if you require things such as shared vaults, audit logs, a zero-knowledge architecture etc. The reality is maintaining your own fork won't be feasible for the vast majority of users, even those with a technical background.

> Why should I trust you (and a product I've only just learned about)?

The simple answer is that you shouldn't. You should ALWAYS be sceptical, and look for possible indicators of a company heading down the path to the dark side. Like taking a 9-figure sum of VC money for example ;)


> Do you really trust yourself to keep your fork secure?

No, but I don't need to. Considering how many people are already contributing to Bitwarden's Github in the form of PRs and such, if worst comes to worst, there should be plenty of people who can maintain it.


So just to be clear, "bootstrapped" means that you won't accept an offer of $100m, so we should trust you rather than bitwarden?


Well, yes. But to be fair, I bet there is a 5-year-old HN comment of a Bitwarden founder somewhere saying the same thing...


Bitwarden probably isn't worth 100M in its current shape, and investors will want their money back (plus profits!). This means things have to change.

Change how exactly? More money needs to flow.

VC investments: a mechanism where the rich invest their spare money in others in order to extract more wealth for themselves.


Bitwarden is also open source and self hosted. If they should ever make their product not free, I can just keep running the last version and fork it to further improve it together with other people, can't I?


You can, but will you?


The points I was trying to make is that...

1. sure, it's great that it is open source and that I could self host, but honestly, it's just not worth the trouble for me and I'd rather pay 10-20 euros for someone to take care of that for me. Self hosting my password manager would take a significant time investment and constant worry whether I'm doing it right. It might be because I'm primarily an app developer now and not a backend expert anymore.

2. Most big projects like Bitwarden are alive because there is a company and many full time employees behind it. Once that's gone, relying on a couple of passionate volunteers might not be enough to keep the project alive.

All in all, I've been using Bitwarden since the LastPass fiasco, I'm very happy with it, paid user with my family, but if I had to self host or volunteer, I'd not have the bandwidth to do so and I'd rather switch to another solution, even if it would mean I need to pay.

I think that people who say "it's open source, I could just self host and maintain the project" often underestimate how much effort that really is. Sure, it's possible, but will you actually do it?


I'm already self hosting it, took 3 minutes to set up a self updating docker container.


Then I must have overestimated the effort needed for an experienced dev to set things up. I assume I would need a day to figure out how to best self host. Thanks for the info, I'll give it a try this weekend.


I just looked at your CI. Very very few automated tests. It isn't a deal breaker (Bitwarden honestly isn't much better), but it doesn't instill much confidence in your application either.

https://github.com/padloc/padloc/runs/8205722258?check_suite...


I think your conflict of interest / disclaimer should be stated at the beginning of your post


You're right. It's too late to edit it now but I'll keep it in mind for next time.


They're right you know. This happened to Keybase a while back and some nasty stuff happened to it and it is now in someone else's hands.

Hope this won't happen to Bitwarden but we'll see. But anything is still possible.


Keybase was an entirely different case... first of all, they didn't just take VC funding, they were bought outright ("acqui-hired" by Zoom for their skillset). Secondly, they didn't have any significant income, whereas Bitwarden has been a profitable business all along.


I don't have a well-formed opinion one way or the other, but it is interesting to me that this comment made it to the top of HN. By contrast, a submission about Tailscale raising the same amount of money had comments that simply sounded exuberant about the implications (https://news.ycombinator.com/item?id=31259950).

Is it just that our anticipation (or foreboding) of the effects of capital infusion is biased by our priors about the company? Or, some other reason?


Have you undergone a security audit like Bitwarden? Why would I trust you instead?

I'm (casually) looking to move off LastPass. Padloc looks pretty good, but I'm hesitant to go with an 'unproven' solution.


Yes. We've been around for quite a while actually, and have completed three independent audits. One just recently by Radically Open Security [0].

[0] https://padloc.app/blog/security-audit-ros/


Thanks, I’ll take a look.


Questions:

* What makes you invincible to investment?

* What makes you different from BitWarden? (they are also open source, might have been bootstrapped too, also claim to be audited) You seem to only really be "an alternative", which is great, but you kind of oversell it I think.

* "I simply can't imagine it having a net-positive effect" --> or do you mean on "your" company? Because you seem to also sell a product: access to the hosted solution of your open source product.

* Open source BitWarden server-side API implementations exist... Even in Rust (not that that matters that much given the nature of e2e encryption).

* Are you not interested in one day providing an enterprise tier over your family tier?

Disclaimer, I'm a satisfied user of BitWarden's free tier for some years.

So here my main gripes with BitWarden:

* There is an option to send them your password file for them to import it. This goes against their e2e philosophy; I believe it should have huuuuuge red tape, and it does not. They should deliver this type of functionality in a manner that I can run it on my local machine.

* Horrible UX. I've often been searching where they hide the save or edit button this time. Your product looks nicer in this department.

Good luck with your product! I'm a little busy, but I may give it a try some day. To me there is a safety in BitWarden not going belly up, and alternatives (self-hosting and your product) existing.


Not gonna lie, I'm having a hard time justifying the 3-4x increase in cost for Padloc vs. Bitwarden. The pricing is only rivaled by 1Password, which makes it a hard sell to me...


Well, there is the problem, isn't it? If people aren't willing to pay what amounts to a cup of coffee a month for a service they rely on daily, how are companies supposed to build a sustainable business without raising money?


Now that every single damn service out there is costing me a cup of coffee every month, I end up paying a couple of coffee jugs a month. Are we seriously going to shame customers for trying to cut some costs in this economic context?

As a customer, what I can do is compare with the competition. Padloc is more expensive than basically every other option out there. And as far as we can tell, Bitwarden was already running privately before this VC round (which seems aimed at expanding their offerings past password management) which doesn't seem to point to it being unprofitable at its current price point.


> Are we seriously going to shame customers for trying to cut some costs in this economic context?

That all depends on the margins of what is being offered. If you are proposing they sell a dime's worth of product for a nickel, then I would see the above post as a much more polite version of the correct response, which is "get lost."


I have no idea of the margins, and expecting customers to know about your operating costs without either disclosing them outright or asking the question is an... interesting take. All I can realistically do is compare with the competition, and the competition is cheaper across the board. Therefore my initial comment.

I'd have no problem paying more for a good product if it brings me something. In the meantime, I'm still left pondering. "Get lost" would be a rather crappy way to treat customers simply asking questions, wouldn't it?


I wish we’d stop with the cup of coffee comparison. Not everyone lives in the USA and drinks Starbucks. A cup of coffee costs 0.70€ where I live¹, cheaper than the cheapest (non-free) App Store app. Furthermore, I don’t drink coffee.

For me it’s not about the price but the recurring cost and the lock in. I’d rather pay a larger sum upfront when I’m sure I can afford it and reevaluate when it’s time to upgrade than be sucked dry bit by bit and have to drop everything to scramble to find an alternative when the developer decides to remove features and jack up the price overnight as they keep the data hostage.

¹ Smaller than a Starbucks coffee, but also higher quality.


Totally agree. Every single new subscription product someone buys that can't be run independently or avoid updates adds tech debt to their personal life. At some point that product will be killed, degraded, or made much more expensive. Software that can be purchased once and run indefinitely is all upside on the long tail.

I wish more companies followed the Jetbrains model where a subscription buys lasting access to the current version and recurring payments gets you continuous updates. It's easy to see why companies mostly avoid this model though; it's easier to squeeze users for money when you have them held captive.


I watch Netflix daily and the content costs much more to create, maintain and serve. It costs less than a cup of coffee per month.


This.


FFS, changing password manager is a pain in the ass. I've already migrated from 1Password, now I have to do it again?

Argh. If only there was a decent cloud-based open source alternative that worked on Windows, Linux, iOS, macOS, Firefox and Chrome.


Vaultwarden is an open-source password management server option that implements the Bitwarden server API which makes it compatible with all the existing client applications and browser plugins.

Since the Bitwarden feature-set is pretty darn good my hope is that some foss "bitwarden-api" client applications come along and that'll offer a more independent solution.


A dedicated import feature for Bitwarden is coming in v4.1 later this week: https://github.com/padloc/padloc/issues/561


Yeah, that's why I have just stuck with Apple's keychain.


This is the real answer for most people - especially if they've drunk the Kool-Aid as it were.

Keychain will continue to get better and better for those in the Apple ecosystem, and for much of those outside it, Chrome provides enough.


But only if you are deeply in, like using Safari on OS X instead of, say, Firefox.

Having a Windows box as well as all my Macs makes it less nice.


Thanks for the recommendation of padloc. I will be checking it out tonight. I really enjoyed my time with Bitwarden, it was quiet and calm and no sudden surprises.


Now that you have criticized Bitwarden for accepting the funding, please explain how your approach is different. Are you really not interested in monetizing your own product, and developing it only for the benefit of your users, without any economic incentive on your side?


I don't like that Bitwarden needs an external server so I use KeepassXC but for the people that do, I guess it is always time to fork it.


What's wrong with KeePassXC?


Much more difficult syncing between desktop and mobile. Similarly, sharing a vault between multiple users is also quite a bit more involved.


Sounds tempting, but my experience has been that when these nice companies raise a lot of money they go to shit. Dropbox comes to mind.

Can you even imagine what kind of stuff they had to tell their investors in order to get 100m?


That's where Vaultwarden (https://github.com/dani-garcia/vaultwarden) comes in. You can use the official Bitwarden clients and fully host the backend by yourself. You don't need to trust Bitwarden with your data and can probably upgrade only when you need to, as the clients surely have some sort of backward compatibility.


I would never have someone else manage my passwords for me.

You have to trust the server. It could serve the user with malicious JS code or an app update at any time.

You can self host it though.


You might not, but the vast majority of people unfortunately already trust companies like Google with their passwords.

Likely though they will be stored and kept properly, and there won't be leaks. I only said 'unfortunately' because it hands dependence over to Google. Loss of access is the main concern.


I use Vaultwarden (formerly bitwarden_rs) just for myself.

I still use the Bitwarden extension in Firefox, which is a similar attack surface to what you describe, though probably a shade less vulnerable in practice. I’d like to replace it with something leaner and functionally superior (it’s pretty heavy, and has the major problem of mostly not working in Private Browsing windows, and some other timing/focus issues that I suspect stem from the same bad design), but I have too much other stuff I want to use.

I don’t serve the Bitwarden web interface on my server at all, but I could.


Wouldn’t Firefox’ or chrome’s built-in password manager (with a master password set) be a better way of bringing a few frequently-used low-impact passwords closer to the internet, than a plug-in written by some developer?


An interesting perspective. From that of an attacker, the random plug-in might be a much lower hanging fruit, but also a much smaller one. Obscurity is not completely without merit.


Do you trust yourself to do a good job though? It's a big responsibility. I know plenty of developers that would probably mess that job up one way or another. Certainly in a corporate situation, I'd not want to take that responsibility, because now the company suffers if I mess up. That, in a nutshell, is why companies like Bitwarden exist and why many companies choose to pay them rather than people like you and me to manage their passwords.


I have bad news: it's not only true for the password manager. You have to trust the OS and every single app you install on your computer, because any of them could install a malicious update and steal all your passwords whenever you use them.


Not to mention all the code running at Ring -50 or whatever they're down to now (at least -3 iirc).


If you self host, your server could still be compromised. I think the primary thing making that unlikely to happen with a self-hosted instance is being a very small target.


Most of them do it by encrypting the passwords with your master password, so technically you only have to trust the client on that one. But yeah, the browser can get hacked, malicious client code can be pushed, and lastly there are client bugs.
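The key-separation idea behind "you only have to trust the client" can be shown in a few lines. The following is an added illustration written for this thread, not code from Bitwarden, Vaultwarden or any other project: the client stretches the master password into a vault key that never leaves the device, and derives a separate one-way login credential from it for the server. The iteration counts, the use of the e-mail address as salt and the `Server` class are assumptions made for the example; the point is that nothing the server stores lets it recover the vault key, so a malicious or compromised server can only withhold data or push bad client code, as the comment above says.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; real products choose their own.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password with PBKDF2-HMAC-SHA256.
    This key encrypts the vault locally and is never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        KDF_ITERATIONS, dklen=32)


def derive_login_credential(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step produces the value sent to the
    server for authentication. Recovering vault_key from it would require
    inverting PBKDF2, so the server learns nothing useful about the vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=32)


class Server:
    """Hypothetical sync server: holds a salted hash of the login credential
    and an opaque ciphertext blob per account, nothing else."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    @staticmethod
    def _hash_credential(credential: bytes, salt: bytes) -> bytes:
        # Hash again server side so a database leak does not yield a
        # replayable login credential.
        return hashlib.pbkdf2_hmac("sha256", credential, salt, KDF_ITERATIONS, dklen=32)

    def register(self, email: str, login_credential: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt,
            "hash": self._hash_credential(login_credential, salt),
            "vault": b"",  # ciphertext produced on the client, opaque here
        }

    def login(self, email: str, login_credential: bytes) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        candidate = self._hash_credential(login_credential, acct["salt"])
        return hmac.compare_digest(candidate, acct["hash"])

    def store_vault(self, email: str, login_credential: bytes, blob: bytes) -> None:
        if not self.login(email, login_credential):
            raise PermissionError("bad credential")
        self.accounts[email]["vault"] = blob

    def knows(self, secret: bytes) -> bool:
        """True if the secret appears anywhere in server-side state."""
        return any(secret in (a["salt"], a["hash"], a["vault"]) for a in self.accounts.values())


def demo() -> dict:
    """Run the exchange with constructed sample values and report the outcome."""
    email, password = "user@example.test", "correct horse battery staple"
    vault_key = derive_vault_key(password, email)
    credential = derive_login_credential(vault_key, password)

    server = Server()
    server.register(email, credential)
    # Stand-in for a vault encrypted with vault_key on the client (constructed bytes).
    server.store_vault(email, credential, b"<ciphertext blob>")

    wrong_key = derive_vault_key("wrong password", email)
    wrong_credential = derive_login_credential(wrong_key, "wrong password")
    return {
        "login_ok": server.login(email, credential),
        "wrong_password_rejected": not server.login(email, wrong_credential),
        "server_holds_vault_key": server.knows(vault_key),
        "server_holds_login_credential": server.knows(credential),
    }


if __name__ == "__main__":
    print(demo())
```

Two separate derivations are what make this work: a server that stored the vault key (or anything the vault key could be computed from) would be a single point of compromise, whereas here a stolen database yields only salted hashes and ciphertext. The remaining trust in the client is exactly the residual risk the comment lists: a tampered client could simply upload the vault key.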


Host your own bitwarden instance then.


I'd rather use KeepassXC with Syncthing


Yea KeePass (any flavour generally) + any of the sync tools works super well. Plus you do not need to trust the sync tool company to also be your password manager company :-)


Shit.


The trend of open source spyware is really worrisome to me.

More often than not these corporate open source projects include spyware features (Bitwarden included) that phone home without user consent.

They claim selfhosting is a goal, yet their published client will report on your activity to Microsoft without your consent.


Citation (code snippet(s)?) please.


Bitwarden only uses Visual Studio for crash reporting, but you can skip this altogether by grabbing the F-Droid build or self-hosting.

More info here: https://bitwarden.com/help/security-faqs/#q-what-third-party...

F-Droid: https://mobileapp.bitwarden.com/fdroid/

Self-hosting: https://bitwarden.com/help/install-on-premise-linux/


One should exercise caution about their on-premises installer, as they play fast and loose with version pinning. It's like many things in life: it works fine until it doesn't, and then debugging it will be some "oh no"


Not sure why dwbit's comment got killed, they furthered the conversation and sourced information well by, inter alia, linking to "What third-party services, libraries or identifiers are used in my Bitwarden account?" on Bitwarden's FAQ (https://bitwarden.com/help/security-faqs/#q-what-third-party...).


"For those who prefer to exclude all 3rd party communication, Firebase and Microsoft Visual Studio App Center are removed completely from the F-Droid build. Additionally, Turning off push notifications on a self-hosted Bitwarden server will disable using the push relay server."

