Tell HN: Bitwarden does not export attachments in backups
I've been using Bitwarden for about 4 years now and cannot understand how a Password Manager does not export attachments when backing up your data. I understand this was the case when the only export format was a CSV file, but now with JSON files I can't get my head around the fact that I almost missed crucial SSH keys had I not checked the output. A simple solution would be to b64 encode each file and add it into an array!
It's even mentioned on their Help page - https://bitwarden.com/help/export-your-data/ but I still think it's a bit unacceptable that there isn't even a warning in the GUI about this.
And yes, I know there are ways to manually export the files, but I shouldn't have to do that.
127 comments
[ 406 ms ] story [ 977 ms ] threadThe project is open-source, maybe send them a pull request?
A contribution to Bitwarden would benefit the paid hosting, sure, but it'd also benefit folks who are self-hosting.
Just because a project is open-source doesn't mean they'll accept a pull request with your feature request in it.
Sometimes the biggest problem to getting new contributors is the current contributors. A great example of that is when Laravel asked the community on reddit why they didn't contribute or what was the biggest hurdle. Everyone responded with the guy who was triaging the tickets. Literally, he would act like a Reddit moderator. One line responses such as "Short answer is , no."
If it were to be something requiring more effort I'd suggest engaging with the project and asking if a PR would be welcome first.
can you elaborate?
[1] - https://bitwarden.com/help/custom-fields/#custom-fields-for-...
Seems it's impossible for people to run companies for the average consumer. Are their cash-flow really so bad they can't help themselves going into the enterprise market or is there something else going on?
Enterprises don’t blink at paying $50K/yr for something to improve security and save staff thousands of hours of time. Consumers are used to things being (or appearing to be) free. On a per-user basis, I’d expect consumers to ask more questions of support, while paying much less.
Enterprises are an 80/20 play. Keep your top clients happy and you’ll be fine. The first time you get a large order you realise that’s where your focus should be.
Isn't the bitwarden client opensource enough or the implementation free that someone could come in and modify the export functionality or add the functionality to the API ?
I just checked - it's using the same code and is missing attachments too.
I recognize that's not what you would use attachments for, but I'm offering that there are enterprises that get benefit from attachments, not just individual users
Our password manager is just a password manager, I suspect many other organizations are the same.
https://www.reddit.com/r/Dashlane/comments/gfwyvo/comment/fq...
This is the same thing again.
I switched to 1password before all the funding and feel like there arent any viable alternatives now.
Edit: to be clear this isnt me on reddit this thread is just what backed up bitwarden.
https://github.com/bitwarden/clients/issues/1620 (open since Feb 2021)
Aside from that, 1P has a ton more item types, which if one thinks about a password manager as a key-value store, maybe that's not interesting, but for me it's been really great having passport details in a specific spot, without having to invent my own taxonomy for squeezing passport details into key-value pairs
Speaking of taxonomy, BW's lack of tagging is a dealbreaker for me. Why in the world do I have to pick just one "folder" for an item to live in: it can be "work" *and* "aws" *and* "testing" allowing me to see all work, all aws, all testing items grouped together
I do hate the new 1P api-only approach, but I'm not going to jump ship just yet because the competition is not yet better for my needs
Their QR code scanner went poof, in favor of "take a screenshot to the clipboard," and it no longer is able to suggest based on the "bundle ID" of the native apps. I dunno if it ever did that for Windows, and of course Linux support is brand new, but annoying for my case nonetheless
Oh, try with something much worse, and open since Dec 2017 (no, migrating to a new place is no excuse at all to mark the issue as magically resolved)
https://github.com/bitwarden/clients/issues/443
Here I made a pretty clear video of the issue:
https://community.bitwarden.com/t/persistent-bitwarden-ui-an...
Did anyone care? Not that I know of. It's 2022, so that's been 5 years now.
I'll keep paying the pro account as long as it keeps working for me, but it saddens me that we still don't have a universally good and free service that can be recommended to lots of non-techies that are still stuck on the old customs of reusing passwords.
The entire export process seems to be client side. Altering the export to include files should be feasible though the Bitwarden devs might choose not to merge your code because allowing users to access all of those Azure buckets all at once must come at a significant cost.
My workaround for this is to stuff SSH keys and the like in secret fields rather than attachments. This doesn't work for larger files, but it works well enough for my use cases so far.
I'll just stick to stuffing files in notes for now, as I had been doing.
Understandable, since sibling comments are saying export happens on the client side, and Vaultwarden is merely a server-side replacement
Although also relevant is the sibling observation that if you're already running Vaultwarden isn't "backup" less "export from some faceless corporation" and more "take a backup of the vaultwanden database"?
[0] https://github.com/dani-garcia/vaultwarden
I actually wanted that functionality for my own installation but it was rejected.
So it makes a sacrifice on the attachments to make sure backup of the more important stuff keeps working even when there's no internet. Moreover downloading all the attachments takes a lot of time and doing it every day (or whatever interval) wouldn't be a good user experience.
I think the Notesnook guys were thinking of adding cloud-to-cloud backups for attachments to work around this reliably.
[0] https://notesnook.com
Because if not, then I don't understand this. If you can't back up attachments, they can't be used for anything important. If they can't be used for anything important, then what are they for?
It would be better to not have attachments at all than not let people back them up.
Why do people do this? The hands touch the hips, the call for a rage mob is made because the internet must have justice, and the kangaroo court begins.
Just use something else if it bothers you.
Okay, I guess you should ask for a refund, then.
Yes, that's a snarky response, but in all seriousness, the BW team is good at refunding, so if you're unsatisfied, ask for a refund and move on.
I wholeheartedly agree that these companies should have a warning that attachments won't export. Because I almost forgot about them.
I've been doing that in the notes section for LastPass. I think that I'm going to have to move to doing it in the Notes app since that works on all my Apple devices. And it looks like I can lock one Note without having to lock all of them.
They use the "battery horse stable" scheme so you don't have to read crazy ascii over the phone to customer support
I do believe you that it's possible to generate a password using battery-horse-stable but BW places the burden upon the user to create a "security questions" section, fill in the security question prompt, now save the item at this point because fuck the user, and then go to some other section to generate the battery-horse-staple password, copy it to the clipboard, go back into the item, edit it, go back to the section, paste the generated password, and now repeat that for the other 3 fucking required security questions
And people ask me why I pay for 1P ... I'll just link them to this process in the future, because it's a night-and-day difference how much BW hates its users
At that point you're just as secure inputting any random letters to effectively disable the security question unlock.
I store the questions and answers in the notes section because I am sure I will have the right answers to the right questions.
I also expect this to be at the same place where passwords are generated because, well, these are passwords.
My hope is that idiotic idea born in the head of a psychopath will die soon (this is just a hope, taken into account the horrible, horrible incompetence of people who design the security of sites, especially password contraints)
How did you do it?
1Password's extensions getting worse with every update gets me closer each day though.
I'm waiting for someone to point out that BW's extensions are open source and are still a dumpster fire, but for me the difference is that BW started as a dumpster fire, so I don't feel compelled to bring their extension up to sane operating levels, whereas 1P's are _mostly_ right, and just need a tune-up here and there
Some of the items you attempted to export were documents. There is currently no support for exporting Documents from 1Password.
So apparently, it exports pems. That's great. It doesn't export most attachments.
edit: This is apparently new behavior in 1password8. If you have upgraded to the very latest version, the .1PUX export does seem to finally solve this problem. But that's new - it was not true for any previous version.
This situation seems to contradict my previous assertion that AgileBits does a good job of documenting their file formats since I was unable to find the 1pif spec on their site
An individual file attachment can be as large as 500 MB[0]. It would make the JSON file too big to use.
Still, I do think that Bitwarden should warn users about it when exporting. Just mentioning it in the Help Center doesn't seem so helpful.
[0]: https://bitwarden.com/help/attachments/
I mean, I know "INSERT INTO files ('my-file.bin', X'CAFEBABE...')" gets it into sqlite, but how would a sane person get that content back out?
Not that performance or file size would matter in this case, BUT what using SQLite would allow is to use a single format for persisting all aspects of the password database, with immediate, programmatic, random access to all fields, including attachments.
But I also agree, that for this specific use-case, even SQLite is a bit of an overkill probably.
Finally, there is always https://www.passwordstore.org/ :)
The backup would be too big to use if it included all the data it's a backup of? What?
I use windows, Debian, iOS, and Firefox as the browser on desktop. Any recommendations?
So I was excited and went in with an open mind, and delighted to be supporting an open source company:
* The initial migration went off to a bad start as it didn't include everything from 1Password. Seemingly random data, and some attachments were missing. If I remember correctly, timestamps/creation dates didn't seem to migrate over, and some whole passwords weren't brought over, but no errors were reported from their migrator.
* When I went to setup my vault after the migration, I was disappointed to see that there was a distinct lack of password types. I have software licenses, credit cards, API keys, regular passwords, recovery tokens, (non-critical) GPG keys, SSH keys, etc etc that I store in my vault. BW only had/has 4 item types to choose from, which just isn't suitable if you want to correctly track the types of items for organization and filtering. There is support for custom fields, but it just isn't the same..
* No support for tagging. I tried to setup a nested folder structure alternatively, but the UX was not easy to use in the desktop application (I was assuming I could do something similar to a `mkdir -p path/to/nested/folder` but BW only allowed me to create a single folder item at a time. For 500 password items, and different "buckets" I keep to organize, I ended up abandoning folders and just kept everything in the root in a mish-mash setup.
I get that it's small and open source, and you have to temper expectations when comparing David (BW) vs Goliath (1P), but BW seems to have earned more community trust, and has an engaged community of fans. BW could absolutely provide a better experience than 1P both from a customer empathy standpoint, and from a product delivery perspective. But point 2 makes a failure (IMO) on point 1. Reading through their community forums, many of these (What I'd consider) table-stakes features have been left to rot on the tree of technical debt. Which makes me sad, because I'd pay a lot more than their current pricing model if they kept an open source attitude towards the product and could deliver more than just a "We're working on it! Stay tuned!" attitude after years of community comments. I'm gonna stick with 1P when the licenses come up for renewal, and use KeePass or Vault as an on-prem backup solution.
I truly, truly hope BW succeeds, because I'd love to move away from my current setup. But I'm not willing to capitulate my workflow because the company can't deliver on highly-requested/highly-coveted features.
I don't squarely put the blame on BW. This feels very common in the saas lifecycle: A feature has some sort of engagement/revenue metric attached to it, for growth tracking. Whether correlation is correct is a debate for another time, but many of these core features have an opaque effect on revenue or engagement (If you're a cynical product manager, an efficient tagging system correlates to less engagement, because I'm spending less time rooting around the user interface, which is less opportunity to use the application minute-by-minute), or it's considered plumbing-type work in which the revenue/engagement potential is spread out across the entire userbase, so the effect is less explosive (SSH key management[1], a niche feature requested by a loud subset of 1P users had huge awareness. But external sharing of items[2] was something I heard very little about, even though (objectively) external sharing casts a wider a shadow of net-new 1P users....
Once you actually try to use BW in earnest, you'll find it's noticeably worse than 1PW in most ways. The most glaring is that it is meh at detecting login forms and poor at detecting new account signup. These are the 2 primary flows for a pw manager! It's unforgivable. Other flaws aside, 1PW puts significant effort there and it shows.
> I truly, truly hope BW succeeds,
They've had quite long enough time already to do that. How long will you hold out hope?
I want to love BW so much. I never could get myself to look at KeePass. Anyway the primary use case I care about is sharing, not self-mgmt.
I distinctly remember, the very first new login I created after moving over to BW. Nothing happened and I just assumed BW was simply not that chatty about such things. BW fails to detect a significant number of signups for me. It's not a rare occurrence. I've had to train myself to create the login explicitly, rather than hope for auto detection.
1PW has taken a wrong direction, so I "suffer" with BW. However I don't recommend it to anyone. (no one asks, so it's not much of a concern)
100%
My rule-of-thumb is that onboarding has to be *incredibly* easy; it's the front door of an application, the user's first substantial interactions. If it's not easy or streamlined, I start wondering how the rest of the UX is. And in this case, the front door muddied the carpet inside the doors of the software, and I couldn't figure out how to make the process easy for myself, as BW is feature-gapped in many places.
>Once you actually try to use BW in earnest, you'll find it's noticeably worse than 1PW in most ways. The most glaring is that it is meh at detecting login forms and poor at detecting new account signup. These are the 2 primary flows for a pw manager!
Yes, exactly. I'd argue that login form management is the single most important selling point of a password manager. I can roll my eyes, but deal with new account signup forms. But login forms with stellar autofill is what separates the wheat from the chaff, IMO.
>They've had quite long enough time already to do that. How long will you hold out hope?
Competition makes better product for all of us, I don't want to go back to the days of LastPass, So I'll cross my fingers for them, but won't return as a customer after this initial billing cycle.
>Anyway the primary use case I care about is sharing, not self-mgmt.
I'm the inverse; self-management is more important. The only sharing I need is with my partner, which we don't do much of, considering most important shared stuff has accounts for each of us. KeePass is simply for backup purposes, but I haven't decided one way or another where I'll land between them and Vault. I lean towards Vault (Full disclosure: I work for Hashicorp) mostly because I'm more familiar with the APIs than I am with KeePass's plugin/extension frameworks.