Yea KeePass (any flavour generally) + any of the sync tools works super well. Plus you do not need to trust the sync tool company to also be your password manager company :-)
If you self host, your server could still be compromised. I think the primary thing making that unlikely to happen with a self-hosted instance is being a very small target.
You might not, but the vast majority of people unfortunately already trust companies like Google with their passwords.
Likely though they will be stored and kept properly, and there won't be leaks. I only said 'unfortunately' because it hands dependence over to Google. Loss of access is the main concern.
I use Vaultwarden (formerly bitwarden_rs) just for myself.
I still use the Bitwarden extension in Firefox, which is a similar attack surface to what you describe, though probably a shade less vulnerable in practice. I’d like to replace it with something leaner and functionally superior (it’s pretty heavy, and has the major problem of mostly not working in Private Browsing windows, and some other timing/focus issues that I suspect stem from the same bad design), but I have too much other stuff I want to use.
I don’t serve the Bitwarden web interface on my server at all, but I could.
Wouldn’t Firefox’ or chrome’s built-in password manager (with a master password set) be a better way of bringing a few frequently-used low-impact passwords closer to the internet, than a plug-in written by some developer?
An interesting perspective. From that of an attacker, the random plug-in might be a much lower hanging fruit, but also a much smaller one. Obscurity is not completely without merit.
Most of them do it by encrypting the passwords with your master password so techncially you only have to trust the client on that one. But yeah, browser can get hacked, malicious client code can be pushed, lastly client bugs
Do you trust yourself to do a good job though? It's a big responsibility. I know plenty of developers that would probably mess that job up one way or another. Certainly in a corporate situation, I'd not want to take that responsibility. Because now the company suffers if I mess up. That, in a nut shell is why companies like Bitwarden exist and why many companies choose to pay them rather than people like you and me to manage their passwords.
I have bad news: it's not only true for the password manager. You have to trust the OS and every single apps you install on your computer because any of them could install a malicious update and steal all your passwords whenever you use them.
I moved from LastPass to Bitwarden a few years ago because of the nimbleness and simplicity of it, it felt so refreshing.
How much time do we have left before Bitwarden gradually becomes as bad as LastPass for the sake of high growth? 2-3 years? I’m not passing any judgement on this raise, entrepreneurs do what they gotta do.
>How much time do we have left before Bitwarden gradually becomes as bad as LastPass? 2-3 years? I’m not passing any judgement on this raise, entrepreneur do what they gotta do.
Bitwarden though actually has an API, and in turn interesting community implementation potential such as the Rust-based Vaultwarden [0]. While I agree seeing them get a huge round does raise some concern in terms of the revenue generation pressure (1Password sticks in my mind as a worse example though with their switch to forced subs-only, no local/non-1P vaults, abandonment of native apps etc), to me the real sign would be if they broke self-hosting. But even so, of course with self-hosting one could simply stop there. Doesn't feel like quite the same situation as 1P or LastPass where one was really in a fully vs partially proprietary system.
I'd be OK with paying for updates to quality clients though so long as it was a regular payment system (not paying means staying on that version vs having it stop working).
Well that’s annoying. I guess the clock is ticking on Bitwarden becoming user hostile. I can’t see how they’ll be able to produce a return on that investment at their current price points.
Having said that, I do think there is an opportunity for Bitwarden to expand into application secret management, and that could be a lucrative market with big enterprise customers if they get it right.
The announcement seems to be a generic “nothing will change” announcement though, which doesn’t inspire confidence as:
- These are almost always reneged on later
- Clearly something has changed (or why bother getting investment), they’re just not telling us what “we can deliver on our roadmap more quickly” could not possibly be more vague.
How much they chase growth and how much further investment there is will probably be one of the big concerns. Also how much ROI the investors expect.
The market does seem to have space, 1password has an estimated ~235m revenue, and lastpass and dashlane ~70m. And all of them are quite a bit larger than the latest headcount I saw for bitwarden (reap. 800, 400, and 400, versus <100 for BW).
But it is worrying, especially with bitwarden having low TCOs currently, especially for the free-er side of the offering.
It's a hilariously oversaturating market though with everyone and their mom rushing into that space with VC and non-VC funded products for the past 2 years.
In many ways it's a shame when a useful tool turns into a high growth startup. They're going to hire a bunch of developers who will need to justify their existence by adding features, they'll probably eventually either fail or get purchased and shut down. And then all the overly complex applications will start to rot.
What's wrong with saying "this is a useful tool" and leaving it at that?
Particularly if it's a trust-centric product like this. Sure, I wouldn't expect outright secret exfiltration no matter how bad it gets, but switching password management providers isn't exactly what you want to happen on a regular basis. (yes, this form of lock-in has most likely been a big factor in the investment decision)
I wonder what their costs are like? I'm not familiar with all the features of Bitwarden in particular, but a password management service is basically E2EE cloud storage for very tiny files, a simple account system, and then a bunch of clients.
Building and maintaining clients for all operating systems and browsers probably costs the most, but it can likely be done by 1 or 2 full time engineers.
Or am I completely underestimating the complexity of something like this?
Bitwarden already does one thing well. It's everything I'm looking for - open source, costs money but not much ($10/yr), 2FA, clean interface. I'm happy for the new investment, but I hope they don't start adding new things just for the sake of growing.
Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?
How did I have to scroll this far down to find someone who's actually read the post? Everybody seems to think the money is purely for expanding the password manager, while in the post they call out adjacent markets they want to expand to.
I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.
It's not that people didn't read the statement, it's that people have learned not to trust statements like this. Ask all Heroku's customers who were just fired by Salesforce to focus on their enterprise offering for example.
If you're new to 1Password, you may enjoy their service because you won't have the memory/experience of the things that were taken away or "how it used to be."
Now, as for whether one should worry because the company screwed their existing customers once already ... that's personal risk tolerance, I guess
My opinion is that 1Password is the best product out there for the majority of users, because they're pretty good about documenting their formats, have a very good export story, their customer service is mostly good, it's a reasonable price, and their UX absolutely spanks Bitwarden up one side and down the other
But, if a few years from now they rip the ssh-agent out of their Electron apps citing some "well, we decided" reason, or they ban 3rd party clients from using their API because "of sekurity," then no one should be surprised that the scorpion stung them
Welcome to HN/Reddit. Most threads have people commenting without reading the article at all (or very briefly skimming). More or less just reacting to the headline.
And according to HN guidelines, we aren't supposed to comment on if someone has read the article or not. Stellar.
Given apple's push for passwordless web in collaboration w/ Google and M$ [1], I was worried that BW will go out of business, but they have plans for this and I hope they succeed.
I would love for Bitwarden to use this money to make SSO available to all pricing levels. Currently, in order to use SSO with Bitwarden you have to be on their "Enterprise" plan. I think SSO is too important to gate behind a paywall, especially for a company whose main product is security.
A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.
$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.
I don't really want them to grow. Growing usually means overinflated expectations and when they aren't met by the new products they will try to retrieve the shortfall from their existing customer base with additional monetisation, driving them away in the process.
I hope it won't go this way here but such a cash buyin is usually the start of a difficult time.
> $10/year customers are completely irrelevant to a company at this stage.
Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(
When 10/year is often less than .01% of even a junior developer's salary with benefits, then yea, that does kinda mean we can't have nice things, if nice things require a few devs to implement. We've all gotten so used to getting things where the VC discount was already fully priced in over the last decade that we're deeply conditioned to expect everything to be sold at VC subsidized prices, which it turns out isn't really economical for most non-VC backed businesses to sell at.
I'm sure someone will, like clockwork, reply to me that that could be done by one developer in C, sold for $0.50 and then never patched again because UI designers just mess everything up and no one should have a smartphone anyway. If that's your idea of "nice" then you're likely living a happy life, but if you expect a UI and reliability like even oldschool 1Password or Lastpass, then $10/year isn't buying you that level of development and support.
Well, the thing is, we have nice things now. I don't think most bitwarden users are screaming for new features. Simply continuing as they are with current staffing would be preferable to risking the farm with a big new product.
And the kind of user that picks bitwarden over LastPass or 1Password is not the kind that needs a ton of support.
I guess the question is if they felt like they could continue with their current staffing. Obviously this is a really big funding round, so they clearly decided to aim for more than the status quo, but I've seen plenty of projects where it was many dev's side project, or it was a small number of full-time dev's work, but they were getting burned out and overworked trying to provide the service.
It just always feels too easy to assume that it was sustainable to run/maintain some minimally priced service. Perhaps they realized they needed more developers to have a healthy relationship with their job, and instead of raising the price to $30/year or more to match the new costs, they decided to shoot for the moon.
I'm certainly not trying to say that it's obvious that they're making the right call by taking this investment, or that this won't all fall apart. It's just also important to not assume that the status quo for them was something they could keep going on for the next 3 years.
> Why would a password manager need so much money?
The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.
I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.
It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.
And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.
Yes, and what is that one like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations which then get spun into a new standard they all "agree" to before.......
Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.
Given the number of businesses out there doing it I would venture to guess you are wrong.
Also Bitwarden and other password managers are not just about storing the passwords. For example on a personal level I use bitwarden family to manage my Parents passwords and to assist them with issue on various service, this gives me away to setup accounts and securely share passwords with them for the services, and vice versa
For business we use the Enterprise products to share passwords for everything...
None of which is a "solved problem" at the OS or Browser level
> Why are large businesses “sharing passwords” between users? What happens when one user leaves?
Because not all products businesses use have fine grain authentication and authorization. For example, their registar for their domain names. And differing employees need access to it at different times.
> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?
What do you think Bitwarden does? It's fine grain authorization over shared resources (passwords) that control who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.
Now I’m curious and this comes from my job history is working at mostly small disorganized companies and then moving to one very large company where I work with other very large enterprises so I have no experience with mid size companies.
Say I work for a large company where everything is gated via an SSO - email, Slack, internal apps, ADP for payroll, my brokerage account containing my 401K information (of course I do have a separate non SSO password for this since it is my account), and Bitwarden (I see it does support SAML).
If I leave my very large organization, it’s easy enough for a manager to disable my SSO and be mostly assured that I don’t have access to anything I shouldn’t. Because “security is job 0” (How do you say where you work without saying where you work /s).
Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?
> Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?
To reframe this: Companies use both SSO and BitWarden, but because a typical company utilizes so many differing services with differing auth coverage (supports SSO? supports roles, permissions, etc.?) BitWarden fills the gap. BitWarden wouldn't be used for your ADP, and 401K. It may be used for your company's payment processor under one main username / password. It may be used for your root AWS account username and password. It may be used for your DNS management. Production API keys for Stripe may be stored there in plain text, but encrypted in your secret store of choice. Those are the typical use cases I see. The list of things you keep in BitWarden are small(er), but they're business critical. Whereas before they were held by the CTO of the early stage startup, now they're centralized, secured, have an audit trail, can be easily shared with others, etc. etc.
In the company I used BitWarden with, these passwords were rotated manually when an employee who had access to that password left and the new value updated in BitWarden. Maybe that's easier now?
It's also useful for things like secure temporary password delivery. I set up your account for the first time with a new service, generate a temp password you have to reset on first login, and then share it to your Password Manager space.
Also just useful for things like API keys - my team just has all of our team's allocated API keys for various services in our password manager so we don't have to go look them up in all of the various service's sites if we need them.
We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.
Notice that Square for instance strongly discourages API Keys for production.
On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.
Realistically? Many services charge by the seat, so for a service that doesn't get used to often, a lot of places will use a shared account as a cost-cutting measure. Subscriptions add up.
Lots of things would not have individual passwords,
Including
1. Hardware Passwords
2. BreakGlass Accounts (used if SSO Fails)
3. Vendor Passwords
4. Recovery Passwords
5. Local Admin Passwords for Servers
We also use it to store Backup Encryption Keys, VPN Tunnel Keys, SSL Cert Passwords, File Encryption Passwords, License Keys, etc etc etc
We also have our own Personal Vaults that are indivualized, so we can access both our Personal Passwords and Company passwords in one interface, that is Cross OS, Cross Browser, and has API for programming interfaces.
none of which is possible with BrowserBased or OS Based Password Storage.
Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also DropBox.
1Password’s desktop app is much worse than it use to be all while each platforms built in capabilities are getting better.
>1Password’s desktop app is much worse than it use to be all while each platforms built in capabilities are getting better.
I keep reading this but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on because these re-writes haven't done much but in terms of functionality, I think it's best in class.
A full rewrite takes a lot of time. We did this twice in the past and it is always painful. We had to do it again this time because the discrepancies between the platforms became ridiculous and we had to fix this. For example, the same search would produce different results on Mac and Windows and Android.
We also took time to address some of the pain points that existed in 1Password 7. For example, it was technically possible to have a different Master Password on your Mac and iPhone, etc.
The local database was rewritten and we made sure that everything that is possible is fully encrypted. For example, all rich icons are now stored encrypted. We also changed the logging system to make sure no personal information is ever logged. At the same time, we had to make sure the data format is backwards compatible with the old version so that both 1Password 8 and 1Password 7 can be used during the transition.
We ran over 100 studies with both existing users and people who never tried 1Password before to make sure the apps are more usable by everyone.
For new users we added New Item experience that made it easier to navigate through templates and understand how to use 1Password. For developers, we added CLI integration, support for SSH keys, and a built-in SSH agent that secures your ssh private keys.
Brand new Linux app, more than 100 new features and improvements overall, on top of the full rewrite.
I'm a fan (been using it for 10yrs I think?) and think the HN sentiment around it is not representative (it's the only app I'd actually recommend to people and that I trust my family can use).
The family vault features are really great and I was glad to see the browser dropped (I didn't really get why it existed).
I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.
> I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.
You are not the only who missed this feature and it is coming back soon. It wasn't available in SwiftUI and we had to go back to UIKit to implement it.
from the founder of 1Password: would love to learn where you think it is worse.
1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.
I see it from a different perspective. There are not that many real native Mac apps that both look and feel great. You could probably count them all on your hands.
Also, I certainly understand being the long time Mac expect. However, when we tested 1Password with new customers we found a ton of usability issues and many of these problems are solved in 1Password 8. One example, most new users couldn't even figure out how to create new items right away because of the look and the location of "New Item" button in the old app.
Not the person you commented to, but I think the only real loss was 1Password Mini. There is the alternate ‘search bar’ mini app which is a decent replacement, I wish that was the one that pops up by default (like used to be with Mini).
You guys make a great product otherwise. It’s the only one where I strongly recommend it over the open source alternative (Bitwarden) even though I have a strong open source bias. There’s just a 1000 things in UI and UX that you guys do slightly better than the competition, sort of an inverse death by a thousand cuts.
Sure, a standard exists, but that by itself isn't a great user experience. If you actually try to use something like a YubiKey you end up having to register multiple keys with each site to deal with lost key (assuming the site allows that in the first place). The you have to remember which keys correspond to which sites, and remember to get your backup key out each time you sign up somewhere new , etc.
Google, Apple, etc are building on WebAuthN in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.
I find that the essayist way to handle backup keys is with a printout of 10-20 pre-generated auth codes, which go in my safe. Much easier than having a backup hardware key I have to remove and then replace from my safe, each time I need to add a new service service.
Which is great if you have a printer (and are near it when you're signing up for the account, and remember to do it, and remember to put it in your safe, etc...). Just because it's the easiest way currently doesn't mean there isn't substantial room for improvement in the usability of passwordless systems. Most users aren't going to go to the trouble of printing something out like that.
I'm probably more excited about passkeys than most, but I don't see why you need $100M to add support for that. It's a pretty straightforward addition to existing password managers. Might even be easier to support than it is to build a user-friendly password autofill, all things considered.
1Password, a competitor, raised ~$650m earlier in the year off the back of exceptional growth. The investment case is likely: Bitwarden are doing well, 1Password are doing very well, maybe Bitwarden can do very well too with some additional capital. Password management is rapidly growing in mindshare, there's a big market and great room for growth, the amounts involved are commensurate with the opportunity -- every single enterprise will have a robust password management setup soon enough.
I would think so, on the business side of things. I'm not entirely sure what we pay for 1Password because we pay it without question tbh. We have a fair few subscriptions but 1Password would be up there with the indispensable ones.
The browser is the obvious option. Firefox and Chrome both implement ways to save passwords in the browsers. I believe Firefox has a service to sync them, Chrome may too (I don't use them, so I don't know).
They could reasonably tie in to whatever Office-suite you use (GSuite, Office 365).
In the enterprise, it could be part of a larger "credential management suite" product managed by security. Allow syncing and auditing of credentials, like "when was the last time this cred was changed?" with some kind of automation to generate and push a new credential when need be.
From the outside looking in, a basic credential manager doesn't seem complex enough to be a standalone product.
1Password is 4x the price and is not open source. Doesn't 1Password's stronger backing provide more risk for Bitwarden investors too (chasing the same customers but with less to spend on acquisition)?
Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?
Venture investments don't typically work that way: the goal isn't incremental returns YoY but rather major returns in the long term. Raise a fund, make a bunch of investments, report growth in valuation YoY (based on increasing valuations of portfolio) and then deliver returns once portfolio companies start to exit.
If BitWarden can use that $100m to 10x their valuation and then exit (whether that's an acquisition, going public etc.) the investors will have secured a win: if BitWarden's valuation stays where it is and returns ~$10m/year to the investor(s) over the next decade, that's not a great outcome considering the opportunity cost of capital.
Debt equity is the type of financing you're describing: lower risk, lower returns, not particularly exciting and not particularly attractive to investors if they believe the company has substantial upside potential.
Yes, I'm not familiar with expected returns for investments so my back-of-napkin maths was based on approximate housing inflation in the UK. I figured they'd want more than that as a minimum.
Clearly Bitwarden isn't a unicorn, being a smaller entity in a growing market; do VCs really expect a 10x (in couple of years?) from that sort of investment?
So, do you agree with my basic premise that they'll need a whole heap of customers, that they don't seem likely to get, in order to make any dent in the investors hoped for returns?
I’d suggest with almost absolute confidence that they are betting on unicorn status for BitWarden. I’d be surprised if they expect anything less than a >$2.5bn exit.
With smartphones leading the push towards digital everything, passwords (auth / authz) have become the most important asset, even for consumers.
Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz
Which has also become a single point of failure, and a target for social engineering since "lost device" or "stolen device" etc becomes to new defacto backdoor
I just hope we won't get repeat of LastPass - some company buys it then just keeps on life support while raising prices.
Also "OSS" version is not really open source, it's just core and all the features you really want from password manager are behind the paid license anyway
Like what? All the features that password manager needs to have (and features that 99% of people need) OSS version have it. SSO, organization management etc. is not something that "password manager" needs to have.
Like TOTP, which is part of payed variant and I consider that an essential feature of a password manager in 2022. Don't get me wrong, I am not complaining about that business decision, just answering since you asked.
I totally agree, however there are some low-criticality services where 2FA is a burden and having it in your main password manager app is a tradeoff worth consideration. Definitely NOT your primary email address.
> Why would a password manager need so much money?
A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.
Not saying that's what happened here but I've seen it happen this way.
They'll probably aim for competing with the likes of Okta in delegated authentication and identity management, which is a huge market which need some more competition. I'm in favor, and it really doesn't need to have any negative impact on their existing user base, at least so long as they can manage their growth and don't become a dysfunctional org because of it.
One should exercise caution about their on-premises installer, as they play fast and loose with version pinning. It's like many things in life: it works fine until it doesn't, and then debugging it will be some "oh no"
Not sure why dwbit's comment got killed, they furthered the conversation and sourced information well by, inter alia, linking to "What third-party services, libraries or identifiers are used in my Bitwarden account?" on Bitwarden's FAQ (https://bitwarden.com/help/security-faqs/#q-what-third-party...).
"For those who prefer to exclude all 3rd party communication, Firebase and Microsoft Visual Studio App Center are removed completely from the F-Droid build. Additionally, Turning off push notifications on a self-hosted Bitwarden server will disable using the push relay server."
It's ridiculously easy, especially if you use SQLite. The only downside IMO is that they take the Bitwarden frontend as is which expects the full feature set to be available. For instance, if you disable email 2fa via the admin interface (the only component vaultwarden add to the frontend), trying to set it up in the app fails silently.
Right - the benefit of FOSS is that we can keep using it as-is if we need to. I think that leads to excellent business incentives from the user’s standpoint. I’m currently a paying Bitwarden customer for convenience’s sake, but if they start messing it up I’ll just go host it myself.
bitwarden server is mostly written by bitwarden's CTO. [1]
If tomorrow bitwarden decides to do "a mongodb" (= violating the AGPL, and make it closed-source), you would have to spin up a new community to maintain the AGPL fork.
Yup:
Section 2.1: "By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution.
It’s a fascinating situation, really: this kind of asymmetry (AGPL for you, but not for us, even if you contribute) is antithetical to the purpose of the AGPL, but desirable for the leaders of quite a large fraction of projects that choose the license (to the point that they might either not use the AGPL or not accept contributions if they couldn’t do it).
I think a CLA that says "You provide us with an additional license to re-publish your code under any license we choose" with modifications to limit attribution, might work. That way the code is perpetually AGPL, but the company is free to offer derivative works under other licenses. Hence you can always use your code, you can fork, you can do all you want, and the company cannot take the code, as it stands at that point, away from the public.
Isn't a CLA just a standard CYA move from more established open source projects? I had to sign one to contribute to Django as well and I don't see them "pulling a MongoDB" any time soon.
My assumption is this is so that they're legally protected from contributors revoking the right to use their contribution at some later point or other obnoxious legal shenanigans.
It depends on the CLA. Some just require you to affirm that you have the rights to license your contribution, and that you license it under the license of the project, which is indeed mostly just a CYA. It doesn't allow the project to unilaterally change the license of your contribution, and I haven't seen much people have a problem with this kind of CLA.
The other common form of CLA is a copyright assignment (or something equivalent) to a foundation or company representing the project, which is much more troublesome. This allows them to basically do whatever they want with your contribution, including charging for it, or closing the source all together.
How exactly is it violating the AGPL for the author to change licenses? They require contributors to assign copyright so... BitWarden belongs entirely to BitWarden.
Right, but if you had signed a CLA then it's absolutely not violating the AGPL if the host decides to close the source. Since these organisations require that, they're not violating the AGPL.
That's not to say I agree with them and it's obviously shitty behaviour – but license violation is a specific act that they aren't guilty of.
There is the option that they are profitable, but need the investment to expand the business somehow. There is some indication of that in the press release, but it does seem a little fluffy, and a $100M is a pretty big sum of money.
I can see what you mean, but another way of looking at it is: Most investments are done with the expectation of it being worth more down the line, so someone(s) thinks there are a hundred million reasons why it is a profitable business. :-)
But maybe "are they profitable" is the wrong question. I remember 5 years ago my brother in law said "Tesla isn't profitable" and I countered with "They don't want to be profitable right now, they are growing an inventory and investing heavily in that. Showing a profit is the last thing they want to do." He seemed to be accept that answer, I mean now he has 2 Teslas. :-)
The way I read it is that they already have one minority investor, Battery Ventures and they are now adding another, PSG. PSG will get a seat on the board of directors, it's unclear if Battery Ventures have a seat. It is also unclear if the two minority investors combined holds a majority.
I hope things goes well for Bitwarden, but I'm also expecting an amazing journey in their future. I really doubt that there's enough money to be made as is to yield an acceptable return on investments for the $100M, plus whatever Battery Ventures have already put forward.
I doubt the company will just disappear. They will probably get acquired. But what it morphs into is probably not something consumers who like it now will want.
The only company that I can think of that has managed the transition well and gone public is BackBlaze.
When I ask “how can you trust the company”, I don’t mean to imply that the founders have less than good intentions. But once you take VC money, the founders intentions don’t mean much.
I’m sure the founders of both Instagram and WhatsApp - just two companies that come to mind where the founders were idealistic and they were hit hard with the reality stick once they got acquired - really believed that their company wouldn’t change for the worse once they were acquired.
Keybase was providing a solution to something most normal people did not even realize could be a problem. It was a great idea, solving a really big problem. But the awareness of that problem was very small. Hence the ability to monetize a solution aimed at the general public was also very low.
I still love the idea, but I don't see how it is a business.
How is that realistic? If they expect to get 10 billion in 10 years, they need to have 100 million paying users (if they charge $10 per user per year), which is like the entire active users count of StackOverflow - https://en.wikipedia.org/wiki/List_of_social_platforms_with_...
Or they launch entirely new products, in the same general space, with new pricing structures that aren't tied to their current offerings. They're Okta + 1Password + ...
To clarify: I'm not sure I buy the above thesis, but VCs don't expect 2x returns at this stage was my general point. They're aiming for higher.
For sure. The way I sum it up: VCs are looking for 10-to-1 odds on 100-to-1 gains. It depends on the stage, of course. This is listed as a series B, but feels kinda C-ish to me. Later stage rounds like that are unlikely to be 100-to-1, but I agree the goal is still well over 2-to-1.
Getting money back has nothing to do with revenue.
It just means the VC was able to sell their shares for that 10 billion -a price which may or may not be related to the company’s actual fiscal performance
I love that they offer a free version and are committed to it. But I depend on it for password management so much so that even if they didn't just raise 100M I'd pay for it in hopes that they stayed around. I think everyone who can, should.
It doesn't say they won't have ads or sell your data. Hint: their privacy policy is already terrible. No mention of GDPR or of them complying with any privacy laws. Their privacy policy mentions "EU-U.S. Privacy Shield Frameworks" for exporting user data to the US, a framework which has been declared bogus by the EU courts years ago.
> An open source architecture
There's no many examples of "open core" calling itself "open source" that if they decide to switch to open core they'll just be another drop in the bucket.
They also require contributors to sign a CLA, which is always a huge red flag.
> Advanced business features
What happened to "fully featured free version" above? Are the business ones separate?
Why? What is a promise like that supposed to be worth? Even if the people making it are completely honest when saying this (which I now doubt), once leadership changes this will go out the window quick.
This is in line with "Keeping our users happy is our main priority" and other quotes from the infinite pool of empty PR speak.
I used to do this. I finally had to switch off of it because the Syncthing Android experience is so bad (necessarily, because Android is bad).
I had many instances of not noticing Android had killed the Syncthing backend again despite being explicitly told not to, and then I had two out-of-sync password databases and would have to go merge them again.
I'm still bitter about it, because Syncthing as a syncing layer is so much more elegant than everyone implementing their own server and sync protocol.
I’ve been using Vaultwarden for just myself for at least a couple of years now, and it’s at 32MB of disk space (<3MB of icon_cache, <1MB of database, the rest app). The current server process, at six weeks of uptime, is at just under five minutes of CPU time (average usage 0.01% of a core), and just under 24MB of memory used (RSS).
That’s feature.
(As a matter of fact, it’s grown quite a bit since I started using it; it used to be under 20MB of disk space and 10–15MB of RSS.)
Well, you can opt into using PostgreSQL, but by default it’ll use SQLite, and that’s how I use it. More convenient and probably more efficient in general too.
I really miss seeing numbers like that. I'm in something like my 5th week of a Dropbox support ticket where they seem to think it reasonable that the headless client uses an extra 100MB of RAM every hour, eventually using 20-30GB of RAM, at which point I restart it and watch it start climbing again.
I always enjoyed the value that Bitwarden provides: free to use, password generator, and a vault to keep other texts. But somehow I never got the TOTP working.
Once I locked out of Bitwarden because of Cloudflare blocking my IP address for some unknown reason. I restarted my router and the problem got fixed.
Not everything, on their wiki page (1) they have a list of missing features. They alao state that some of them probably are not going to be implemented. At least unless someone contributed any of them.
[1] https://github.com/dani-garcia/vaultwarden/wiki#wiki-pages-b...
I would love to hear the battle stories from a helpdesk from a 20K+ rollout of bitwarden.
The UX might be a bit uphill for non-techies. (Example: Tab, Vault, Send, Generator, Settings are what is displayed for the main browser interface. Can you guess what they do? Selecting a Keyboard icon is "view account".)
Glad for them and I really hope them to succeed in the long run, engrosing the list of successful bussiness based on OS.
As a side note, I've been tempted so many times at this point on getting a payed subscription and getting rid of my "keepass+keepassdb sync via Google drive+keepass keyfile local copy on each device" for the sake of making things simpler. I've read how the internals work, checked the auditories, read forums etc. Everything looks great, but I am always paranoid of some security issue arising and my passwords being leaked. I have my entire life pretty much on my password manager and that being exposed would be disatrous at so many levels. Probably just me being irrational.
Maybe some sort of self hosting arrangement would work for you? I self-host Bitwarden behind a Wireguard VPN so it's only visible to devices I've authorised. Self-hosting comes with it's own risks of course but you would at least be in control of your data.
I agree. I've been using Vaultwarden on ARM for over a year and it's been flawless. Just excellent execution and seamless integration with the iOS App Store version of the Bitwarden client.
I do the same. I run bitwarden_rs as a docker container on a raspberry pi on my home network. Then use wireguard so I am always connected to my home network.
This works great for my family. Simple set up, and I've done 0 maintenance on it.
Have you set your family up with Wireguard as well? Did you do the setup manually or do something else clever to get their devices in your network? I've been spending a lot of time thinking about this, and always end back up at MDM, which is not a terribly desirable ending, but can't necessarily put hands on a device readily for some of them.
My biggest issue is that I have wireguard automatically enable itself when not on my home network. But there are some other networks that need to be excluded, like most airline wifis, as they don't have internet access when just trying to watch a movie.
iCloud private relay does a good job of detecting these types of networks and correctly disabling itself. I wish there was something in the wireguard client to do this, rather than just retrying over and over again...
And since wireguard sets the DNS to use the pihole on my home network, this becomes problematic if they connect to a network that has a captive portal, and needs the wifi's DNS to accept the agreement and get access to the internet before switching over to wireguard and my home DNS.
I mean if your current setup works, why change it? I just hope you aren't too reliant in GDrive if your account ends up getting nuked as I've read so many times.
While I recommend Bitwarden to my not-so-technical friends, I don't think I'm ever going to move away from my Keepass/Nextcloud setup, it just works for me.
We use BitWarden at work, we use their business/hosted offering.
We pay them $3600 per year.
Why is everyone so concerned? They’re popular enough in businesses. Their product is great for teams, hence why we pay for it. I’ve found it much better than alternatives. The killer feature for me has been safer account sharing, including 2FA (and I know it makes it somewhat redundant, but it’s safer than turning it off completely)
Indeed, they already have a business model, they won't need to cannibalize their open source password manager to make money here. They just need to grow the business side + offer new auth related services as they mention in the article.
LastPass tried to grow the B2C business which put more stress on the consumer product.
That's where Vaultwarden (https://github.com/dani-garcia/vaultwarden) comes in. You can use the official Bitwarden clients and fully host the backend by yourself. You don't need to trust Bitwarden with your data and can probably upgrade only when you need to, as the clients surely have some sort of backward compatibility.
521 comments
[ 3.3 ms ] story [ 338 ms ] threadYou have to trust the server. It could serve the user with malicious JS code or an app update at any time.
You can self host it though.
Likely though they will be stored and kept properly, and there won't be leaks. I only said 'unfortunately' because it hands dependence over to Google. Loss of access is the main concern.
I still use the Bitwarden extension in Firefox, which is a similar attack surface to what you describe, though probably a shade less vulnerable in practice. I’d like to replace it with something leaner and functionally superior (it’s pretty heavy, and has the major problem of mostly not working in Private Browsing windows, and some other timing/focus issues that I suspect stem from the same bad design), but I have too much other stuff I want to use.
I don’t serve the Bitwarden web interface on my server at all, but I could.
How much time do we have left before Bitwarden gradually becomes as bad as LastPass for the sake of high growth? 2-3 years? I’m not passing any judgement on this raise, entrepreneurs do what they gotta do.
Bitwarden though actually has an API, and in turn interesting community implementation potential such as the Rust-based Vaultwarden [0]. While I agree seeing them get a huge round does raise some concern in terms of the revenue generation pressure (1Password sticks in my mind as a worse example though with their switch to forced subs-only, no local/non-1P vaults, abandonment of native apps etc), to me the real sign would be if they broke self-hosting. But even so, of course with self-hosting one could simply stop there. Doesn't feel like quite the same situation as 1P or LastPass where one was really in a fully vs partially proprietary system.
I'd be OK with paying for updates to quality clients though so long as it was a regular payment system (not paying means staying on that version vs having it stop working).
----
0: https://github.com/dani-garcia/vaultwarden
Having said that, I do think there is an opportunity for Bitwarden to expand into application secret management, and that could be a lucrative market with big enterprise customers if they get it right.
The announcement seems to be a generic “nothing will change” announcement though, which doesn’t inspire confidence as:
- These are almost always reneged on later
- Clearly something has changed (or why bother getting investment), they’re just not telling us what “we can deliver on our roadmap more quickly” could not possibly be more vague.
I expect to see a rapid push to enterprise with individual users left behind and a lot of broken stuff along the way :/
The market does seem to have space, 1password has an estimated ~235m revenue, and lastpass and dashlane ~70m. And all of them are quite a bit larger than the latest headcount I saw for bitwarden (reap. 800, 400, and 400, versus <100 for BW).
But it is worrying, especially with bitwarden having low TCOs currently, especially for the free-er side of the offering.
You mean like they mention in the announcement that they will be doing?
What's wrong with saying "this is a useful tool" and leaving it at that?
Building and maintaining clients for all operating systems and browsers probably costs the most, but it can likely be done by 1 or 2 full time engineers.
Or am I completely underestimating the complexity of something like this?
Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?
The announcement suggests they are looking to also launch their own authentication service and tools for managing application secrets.
I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.
Welcome to Hacker News
Now, as for whether one should worry because the company screwed their existing customers once already ... that's personal risk tolerance, I guess
My opinion is that 1Password is the best product out there for the majority of users, because they're pretty good about documenting their formats, have a very good export story, their customer service is mostly good, it's a reasonable price, and their UX absolutely spanks Bitwarden up one side and down the other
But, if a few years from now they rip the ssh-agent out of their Electron apps citing some "well, we decided" reason, or they ban 3rd party clients from using their API because "of sekurity," then no one should be surprised that the scorpion stung them
And according to HN guidelines, we aren't supposed to comment on if someone has read the article or not. Stellar.
[1] https://www.apple.com/newsroom/2022/05/apple-google-and-micr...
A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.
$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.
I hope it won't go this way here but such a cash buyin is usually the start of a difficult time.
> $10/year customers are completely irrelevant to a company at this stage.
Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(
I'm sure someone will, like clockwork, reply to me that that could be done by one developer in C, sold for $0.50 and then never patched again because UI designers just mess everything up and no one should have a smartphone anyway. If that's your idea of "nice" then you're likely living a happy life, but if you expect a UI and reliability like even oldschool 1Password or Lastpass, then $10/year isn't buying you that level of development and support.
And the kind of user that picks bitwarden over LastPass or 1Password is not the kind that needs a ton of support.
It just always feels too easy to assume that it was sustainable to run/maintain some minimally priced service. Perhaps they realized they needed more developers to have a healthy relationship with their job, and instead of raising the price to $30/year or more to match the new costs, they decided to shoot for the moon.
I'm certainly not trying to say that it's obvious that they're making the right call by taking this investment, or that this won't all fall apart. It's just also important to not assume that the status quo for them was something they could keep going on for the next 3 years.
The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.
I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.
It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.
“It’s a feature not a product”
Also Bitwarden and other password managers are not just about storing the passwords. For example on a personal level I use bitwarden family to manage my Parents passwords and to assist them with issue on various service, this gives me away to setup accounts and securely share passwords with them for the services, and vice versa
For business we use the Enterprise products to share passwords for everything...
None of which is a "solved problem" at the OS or Browser level
Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?
Because not all products businesses use have fine grain authentication and authorization. For example, their registar for their domain names. And differing employees need access to it at different times.
> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?
What do you think Bitwarden does? It's fine grain authorization over shared resources (passwords) that control who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.
Say I work for a large company where everything is gated via an SSO - email, Slack, internal apps, ADP for payroll, my brokerage account containing my 401K information (of course I do have a separate non SSO password for this since it is my account), and Bitwarden (I see it does support SAML).
If I leave my very large organization, it’s easy enough for a manager to disable my SSO and be mostly assured that I don’t have access to anything I shouldn’t. Because “security is job 0” (How do you say where you work without saying where you work /s).
Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?
To reframe this: Companies use both SSO and BitWarden, but because a typical company utilizes so many differing services with differing auth coverage (supports SSO? supports roles, permissions, etc.?) BitWarden fills the gap. BitWarden wouldn't be used for your ADP, and 401K. It may be used for your company's payment processor under one main username / password. It may be used for your root AWS account username and password. It may be used for your DNS management. Production API keys for Stripe may be stored there in plain text, but encrypted in your secret store of choice. Those are the typical use cases I see. The list of things you keep in BitWarden are small(er), but they're business critical. Whereas before they were held by the CTO of the early stage startup, now they're centralized, secured, have an audit trail, can be easily shared with others, etc. etc.
In the company I used BitWarden with, these passwords were rotated manually when an employee who had access to that password left and the new value updated in BitWarden. Maybe that's easier now?
Also just useful for things like API keys - my team just has all of our team's allocated API keys for various services in our password manager so we don't have to go look them up in all of the various service's sites if we need them.
https://zapier.com/engineering/apikey-oauth-jwt/
https://cloud.google.com/endpoints/docs/openapi/when-why-api...
We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.
Notice that Square for instance strongly discourages API Keys for production.
https://developer.squareup.com/docs/build-basics/access-toke...
On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.
Including
1. Hardware Passwords
2. BreakGlass Accounts (used if SSO Fails)
3. Vendor Passwords
4. Recovery Passwords
5. Local Admin Passwords for Servers
We also use it to store Backup Encryption Keys, VPN Tunnel Keys, SSL Cert Passwords, File Encryption Passwords, License Keys, etc etc etc
We also have our own Personal Vaults that are indivualized, so we can access both our Personal Passwords and Company passwords in one interface, that is Cross OS, Cross Browser, and has API for programming interfaces.
none of which is possible with BrowserBased or OS Based Password Storage.
1Password is doing just fine..
1Password’s desktop app is much worse than it use to be all while each platforms built in capabilities are getting better.
I keep reading this but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on because these re-writes haven't done much but in terms of functionality, I think it's best in class.
What am I missing?
A full rewrite takes a lot of time. We did this twice in the past and it is always painful. We had to do it again this time because the discrepancies between the platforms became ridiculous and we had to fix this. For example, the same search would produce different results on Mac and Windows and Android.
We also took time to address some of the pain points that existed in 1Password 7. For example, it was technically possible to have a different Master Password on your Mac and iPhone, etc.
The local database was rewritten and we made sure that everything that is possible is fully encrypted. For example, all rich icons are now stored encrypted. We also changed the logging system to make sure no personal information is ever logged. At the same time, we had to make sure the data format is backwards compatible with the old version so that both 1Password 8 and 1Password 7 can be used during the transition.
We ran over 100 studies with both existing users and people who never tried 1Password before to make sure the apps are more usable by everyone.
For new users we added New Item experience that made it easier to navigate through templates and understand how to use 1Password. For developers, we added CLI integration, support for SSH keys, and a built-in SSH agent that secures your ssh private keys.
Brand new Linux app, more than 100 new features and improvements overall, on top of the full rewrite.
I'm a fan (been using it for 10yrs I think?) and think the HN sentiment around it is not representative (it's the only app I'd actually recommend to people and that I trust my family can use).
The family vault features are really great and I was glad to see the browser dropped (I didn't really get why it existed).
I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.
Thanks!
> I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.
You are not the only who missed this feature and it is coming back soon. It wasn't available in SwiftUI and we had to go back to UIKit to implement it.
Why does 1Password not support Duo Push 2FA for personal accounts? I shouldn't need to pay for a business account to get that.
Common rust library code with platform specific UI code.
Native UI code for Android, macOS and iOS. The app is Electron based on Windows and Linux for the reasons they give in the article.
Article from a year ago, so maybe outdated.
1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.
More on features here: https://1password.com/products/features/
a more visual description of what's new is here: https://1password.com/mac/
Also, I certainly understand being the long time Mac expect. However, when we tested 1Password with new customers we found a ton of usability issues and many of these problems are solved in 1Password 8. One example, most new users couldn't even figure out how to create new items right away because of the look and the location of "New Item" button in the old app.
You guys make a great product otherwise. It’s the only one where I strongly recommend it over the open source alternative (Bitwarden) even though I have a strong open source bias. There’s just a 1000 things in UI and UX that you guys do slightly better than the competition, sort of an inverse death by a thousand cuts.
Hasn't really caught on, despite being several years in the making already
Google, Apple, etc are building on WebAuthN in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.
https://www.imperialviolet.org/2022/07/04/passkeys.html
Every company’s answer to that is also the same “we will target the enterprise”.
They aren’t “doing well” if they still require outside funding.
The OS? iCloud keychain does this, it's not a compelling offering though if you need to use any other OS.
Something like Google? Not sure I'd want to risk my Google account ever getting locked and loosing access to all my other accounts.
I'm not sure what that leaves.
They could reasonably tie in to whatever Office-suite you use (GSuite, Office 365).
In the enterprise, it could be part of a larger "credential management suite" product managed by security. Allow syncing and auditing of credentials, like "when was the last time this cred was changed?" with some kind of automation to generate and push a new credential when need be.
From the outside looking in, a basic credential manager doesn't seem complex enough to be a standalone product.
Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?
If BitWarden can use that $100m to 10x their valuation and then exit (whether that's an acquisition, going public etc.) the investors will have secured a win: if BitWarden's valuation stays where it is and returns ~$10m/year to the investor(s) over the next decade, that's not a great outcome considering the opportunity cost of capital.
Debt equity is the type of financing you're describing: lower risk, lower returns, not particularly exciting and not particularly attractive to investors if they believe the company has substantial upside potential.
Clearly Bitwarden isn't a unicorn, being a smaller entity in a growing market; do VCs really expect a 10x (in couple of years?) from that sort of investment?
So, do you agree with my basic premise that they'll need a whole heap of customers, that they don't seem likely to get, in order to make any dent in the investors hoped for returns?
Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz
Also "OSS" version is not really open source, it's just core and all the features you really want from password manager are behind the paid license anyway
A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.
Not saying that's what happened here but I've seen it happen this way.
More often than not these corporate open source projects include spyware features (Bitwarden included) that phone home without user consent.
They claim selfhosting is a goal, yet their published client will report on your activity to Microsoft without your consent.
More info here: https://bitwarden.com/help/security-faqs/#q-what-third-party...
F-Droid: https://mobileapp.bitwarden.com/fdroid/
Self-hosting: https://bitwarden.com/help/install-on-premise-linux/
At least vaultwarden is independent and someone can fork the clients when needed.
If tomorrow bitwarden decides to do "a mongodb" (= violating the AGPL, and make it closed-source), you would have to spin up a new community to maintain the AGPL fork.
[1] https://github.com/bitwarden/server/graphs/contributors
My assumption is this is so that they're legally protected from contributors revoking the right to use their contribution at some later point or other obnoxious legal shenanigans.
The other common form of CLA is a copyright assignment (or something equivalent) to a foundation or company representing the project, which is much more troublesome. This allows them to basically do whatever they want with your contribution, including charging for it, or closing the source all together.
This is why I never sign CLA. Since I'm basically signing my rights away.
That's not to say I agree with them and it's obviously shitty behaviour – but license violation is a specific act that they aren't guilty of.
Plus it is AGPL + CLA so bitwarden themselves can do what they want
But I agree it's a great thing to strive for.
Just wait for the inevitable “Our Amazing Journey” post on their website.
But maybe "are they profitable" is the wrong question. I remember 5 years ago my brother in law said "Tesla isn't profitable" and I countered with "They don't want to be profitable right now, they are growing an inventory and investing heavily in that. Showing a profit is the last thing they want to do." He seemed to be accept that answer, I mean now he has 2 Teslas. :-)
I hope things goes well for Bitwarden, but I'm also expecting an amazing journey in their future. I really doubt that there's enough money to be made as is to yield an acceptable return on investments for the $100M, plus whatever Battery Ventures have already put forward.
The only company that I can think of that has managed the transition well and gone public is BackBlaze.
When I ask “how can you trust the company”, I don’t mean to imply that the founders have less than good intentions. But once you take VC money, the founders intentions don’t mean much.
I’m sure the founders of both Instagram and WhatsApp - just two companies that come to mind where the founders were idealistic and they were hit hard with the reality stick once they got acquired - really believed that their company wouldn’t change for the worse once they were acquired.
Keybase said the same thing.
I still love the idea, but I don't see how it is a business.
To clarify: I'm not sure I buy the above thesis, but VCs don't expect 2x returns at this stage was my general point. They're aiming for higher.
It just means the VC was able to sell their shares for that 10 billion -a price which may or may not be related to the company’s actual fiscal performance
"Open source architecture" doesn't mean all the parts you need to self host it is open.
Their "ability to self-host" already includes having to buy a license to even get 2FA
It doesn't say they won't have ads or sell your data. Hint: their privacy policy is already terrible. No mention of GDPR or of them complying with any privacy laws. Their privacy policy mentions "EU-U.S. Privacy Shield Frameworks" for exporting user data to the US, a framework which has been declared bogus by the EU courts years ago.
> An open source architecture
There's no many examples of "open core" calling itself "open source" that if they decide to switch to open core they'll just be another drop in the bucket.
They also require contributors to sign a CLA, which is always a huge red flag.
> Advanced business features
What happened to "fully featured free version" above? Are the business ones separate?
Why? What is a promise like that supposed to be worth? Even if the people making it are completely honest when saying this (which I now doubt), once leadership changes this will go out the window quick.
This is in line with "Keeping our users happy is our main priority" and other quotes from the infinite pool of empty PR speak.
I had many instances of not noticing Android had killed the Syncthing backend again despite being explicitly told not to, and then I had two out-of-sync password databases and would have to go merge them again.
I'm still bitter about it, because Syncthing as a syncing layer is so much more elegant than everyone implementing their own server and sync protocol.
- I selfhost it on my NAS so I don't have to depend on a 3rd party to sync all of my password (even though they are encrypted).
- If I need to access my passwords from a new/temp machine, there's a web UI I can access very quickly
- The client is much prettier and nicer to use. The KeyPass clients all felt very dated and clunky.
I've been using vaultwarden purely because I wanted to play around with rust and it turned into my favourite manager of all time.
10/10 would recommend!
That’s feature.
(As a matter of fact, it’s grown quite a bit since I started using it; it used to be under 20MB of disk space and 10–15MB of RSS.)
Once I locked out of Bitwarden because of Cloudflare blocking my IP address for some unknown reason. I restarted my router and the problem got fixed.
I think bitwarden's TOTP generation is a paid feature, but it still provides the option to store the secrets in the free version
Bitwarden will now be pressured to try to grow and monetize to make a return on that investment.
The UX might be a bit uphill for non-techies. (Example: Tab, Vault, Send, Generator, Settings are what is displayed for the main browser interface. Can you guess what they do? Selecting a Keyboard icon is "view account".)
As a side note, I've been tempted so many times at this point on getting a payed subscription and getting rid of my "keepass+keepassdb sync via Google drive+keepass keyfile local copy on each device" for the sake of making things simpler. I've read how the internals work, checked the auditories, read forums etc. Everything looks great, but I am always paranoid of some security issue arising and my passwords being leaked. I have my entire life pretty much on my password manager and that being exposed would be disatrous at so many levels. Probably just me being irrational.
I am also looking to self-host Bitwarden.
It has worked for me great without any issues for over a year now.
As for Wireguard, this looks pretty comprehensive: https://dev.to/tangramvision/what-they-don-t-tell-you-about-...
There are nice mobile clients available for both BW and WG.
This works great for my family. Simple set up, and I've done 0 maintenance on it.
My biggest issue is that I have wireguard automatically enable itself when not on my home network. But there are some other networks that need to be excluded, like most airline wifis, as they don't have internet access when just trying to watch a movie.
iCloud private relay does a good job of detecting these types of networks and correctly disabling itself. I wish there was something in the wireguard client to do this, rather than just retrying over and over again...
And since wireguard sets the DNS to use the pihole on my home network, this becomes problematic if they connect to a network that has a captive portal, and needs the wifi's DNS to accept the agreement and get access to the internet before switching over to wireguard and my home DNS.
While I recommend Bitwarden to my not-so-technical friends, I don't think I'm ever going to move away from my Keepass/Nextcloud setup, it just works for me.
We pay them $3600 per year.
Why is everyone so concerned? They’re popular enough in businesses. Their product is great for teams, hence why we pay for it. I’ve found it much better than alternatives. The killer feature for me has been safer account sharing, including 2FA (and I know it makes it somewhat redundant, but it’s safer than turning it off completely)
LastPass tried to grow the B2C business which put more stress on the consumer product.
https://community.bitwarden.com/t/linux-fingerprint-and-or-b...
Can you even imagine what kind of stuff they had to tell their investors in order to get 100m?