solarkraft 3 days ago

I’m relieved. Maybe the company would have survived this somehow, but they sure wouldn’t have been the techies’ darling anymore and that was going to be expensive.

I hope they realized that being FOSS is their moat and it nets them a lot of goodwill (it’s the whole reason I bother with their not-quite-the-best product in the first place). The bold claim "the most trusted password manager" was kind of justifiable while it was FOSS (if we don’t count keepass), without it not at all.

I’m still not sure how I feel about them now. I can now somewhat trust that the applications will remain free software, but trust in the company has eroded a bit. I still haven’t seen official communication about this.

  • apitman 3 days ago

    I'm cautiously optimistic, but still concerned about the long term.

    * I just don't see how taking $100 million can be good for users in the long run. By far the most likely outcomes are bloat or enshittification.

    * bitwarden does not appear to be very forkable, ie it's a complex system written in C#. The existence of Vaultwarden helps a lot with this, but what about the client apps? Forkability is the second most important protection against user-hostile action, behind being open source in the first place.

    I hope it works out. I'm a recent adopter of bitwarden, and so far the UX has blown keepass out of the water.

    • _bin_ 3 days ago

      The client apps can pretty easily be forked and maintained. We probably wouldn't see much feature growth but I also don't think we need that so much. Lots of OSS projects have been messed up by fundraising and communities often just fork them and keep them around so I'm not too worried. Besides, garbage features could probably just be unsupported by Vaultwarden, which has worked extremely well for me and been nothing but stable.

      • EasyMark 3 days ago

        I hope that they keep it a password manager and don’t try to turn it into a “security multitool” or something. I like it how it is. They’ve been careful about adding things and I appreciate that. If they wanted to say move from an electron app to a qt or tauri app I could appreciate that as well.

    • retrochameleon 2 days ago

      The UX of Bitwarden is pretty lacking compared to 1Password. I finally made the switch after years of Bitwarden because of the vast UX improvements.

      For one, it's much easier and natural to add additional pieces of information on entries in 1Password. Bitwarden's implementation of this always feels like a poorly integrated afterthought.

      • cryptos 12 hours ago

The UX is exactly the reason why I stayed away from Bitwarden.

  • EasyMark 3 days ago

    Eh it’s not as good as never having the OSS’ness of it challenged but it also shows they’re open to feedback and willing to reassess when customers get out the pitchforks and torches. It’s a story as old as time.

  • whimsicalism 3 days ago

    the gh or had official communication. it was obviously a dep issue blown out of proportion

blendergeek 4 days ago

Thank you to Bitwarden for relicensing a thing to Free/Open License! Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good. But for anyone with more advanced needs (or who doesn't trust a password manager built into a web browser), I always recommend Bitwarden because KeepassXC + syncing is way too difficult for normal people.

  • jasode 3 days ago

> I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

But a lot of "normal people" actually need a secrets manager which is larger in scope than just a "websites urls passwords manager". This means a password manager with extra metadata fields for users to add notes, associated email aliases, etc. E.g. if a website has an extra step of "Confirm your identity by answering this question: What was your childhood pet's name?", users want a place to save the answer ("BugsBunny") in the "notes" field of a password manager. Another example would be the secret PIN unlock code for the spouse's phone. That's not a website url, it's just a "secret" that needs to be stored in an encrypted file.

    Firefox password manager is too bare-bones with the only 2 fields being "Username" & "Password".

    The better UI/UX for normal people is to have a unified app to store all their secrets instead of having some secrets in the Firefox password manager and other non-web-url secrets saved separately in yet another app.

    • cryptos 3 days ago

      I completely agree with you! Almost everyone needs to store more than only usernames and passwords for websites. Think of PIN for credit cards and the like.

    • qwertyuiop_ 3 days ago

      This ^ passwords just don’t live in Firefox when you are using apps that need passwords across platforms (mac ios windows) and apps. This is where Bitwarden shines.

      • jvdvegt 3 days ago

        I don't know about iOS, but Firefox syncs my passwords between my Linux machine and Android phone just fine.

    • PawgerZ 3 days ago

      Bitwarden also stores authenticator keys for MFA and passkeys. The custom fields, notes section, and attachments are invaluable to me as well.

    • socratics 3 days ago

      Absolutely, everyone I recommend BW to appreciates the notes feature as well - it's handy to have a place to jot down important things that aren't log-ins!

  • danpalmer 4 days ago

    > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good

    Interesting, I've always felt that browser-based password managers provided remarkably little value for most people. Using them on mobile is tricky and platform dependent, it's easy to have local-only, non-synced data and then lose it, and being multi-device is trickier, especially in a work context.

    On the other hand, people generally understand installing an app on each device they own and that app doing it for them.

    • simfree 4 days ago

      Firefox password sync just works. It's one of those things I never think about.

      Watching friends and family struggle with bespoke, poorly integrated password managers makes me cringe and is one of the big reasons I enjoy the seamless experience of the built-in Firefox password manager.

      • danpalmer 4 days ago

        Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox? This is the sort of failure I've seen, where people think their passwords are synced but because they didn't sign in years ago it's actually not backed up at all. At least on Chrome you get reminded of that all the time on YouTube/Google search, etc.

        I know for Safari all the sync is via iCloud meaning if you're not signed in it's locally stored and vulnerable in that way. Especially as many people can't/don't sign in to their own iCloud on work computers, or don't have a Mac.

        • neobrain 3 days ago

          > Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox?

          The passwords are available offline, so they are stored locally.

        • notpushkin 4 days ago

          Firefox reminds you a bunch of times, too. Would be nice if you could just link a new device via QR code (creating an account for you in the background).

          • codys 4 days ago

            The original Firefox sync worked like this (with a unique code and pairing instead of an explicit account) (this is so on the nose I suspect you may know this).

            This blog post goes over some of that history: https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...

            • callahad 4 days ago

              Didn't expect to click on that link and end up on a blog post I wrote 10 years ago! The old Firefox Sync / PAKE stuff was fantastic for getting sync going between devices... but people wanted backup, not sync. I wonder if we'd do anything differently confronted with the same challenge today.

              • g8oz 3 days ago

                Hey I love the syncing

      • nox101 4 days ago

        it just works for websites. it does not "just work" for apps where as the platform ones do or have a chance to work with apps.

        Kind of hope regulation will force apple/google/ms to allow iterations for 3rd parties to integrate with the os but on the other hand that will open a host of issues

        • joshvm 4 days ago

          It does on iOS, but I believe the onus is on the app developer to enable the autofill feature in the form, or at least make sure that the app hints to iOS that it can be filled with a password. I'm making that assumption because there are lots of apps which don't trigger the native Apple password manager either (which is a lousy user experience). However, if one works then both do. The UI offers a choice of password manager and Face ID works to unlock it.

          I use both. Apple's manager supports OTP generation which is nice, but on desktop websites, Firefox is often more convenient.

          • phs318u 3 days ago

I use the Strongbox app on iOS [0] and the KeepassXC app on my Linux laptop. The passwords.kdbx file sits on my Onedrive, which the Strongbox app can access. On Linux I use a Onedrive client [1] that I use to sync several folders within my home folder. Strongbox supports both Keepass and pwSafe database formats. It also integrates well with iOS, with autofill supported (also supports Yubikey unlock and Apple Watch unlock).

            [0] https://apps.apple.com/app/strongbox-password-manager/id8972...

            [1] https://abraunegg.github.io/

            • BodyCulture 3 days ago

              This discussion is about an open source password manager. I wonder why you are recommending a closed source software? Are you aware that many people prefer open source for security software for a reason?

          • delfinom 3 days ago

            Yep, it's the same problem on Android. Some app developers go full asshole with the password text boxes. There was one electric utility here that I lambasted hard and they finally fixed their form which not only didn't trigger the password manager, it literally blocked all pasting.

        • monocularvision 3 days ago

          iOS already has all of the API required to integrate a password manager with the OS. Third party password managers can already integrate with both browsers and apps to provide passwords and password generation

      • mikae1 4 days ago

        But does it work for non-website passwords like the PIN for the door at your workplace or the usernames and passwords for your computers?

        • archermarks 4 days ago

          Yes. You can add whatever passwords. It asks you for a URL but you can put anything in.

          • gouggoug 4 days ago

            > It asks you for a URL but you can put anything in.

            Well, that’s kind of the problem isn’t it?

            Yes, you can put bogus URLs, but it’s far from a great user experience

            • RamRodification 4 days ago

              door://businesstreet/23/A/front

            • INTPenis 4 days ago

              Technically maybe someone could make you navigate to that url in the future, through mitm or some sort of DNS poisoning, and autofill a form with your password and then auto submit it.

      • Nathanba 3 days ago

        that's not my experience, I've lost bookmarks due to firefox sync multiple times.

      • _fs 4 days ago

        Does it have the ability to unlock with faceID on ios?

      • jorvi 3 days ago

That is such a laughable statement. 1Password has incredible UI/UX. Even has e-mail masking with Fastmail. And auto-enters TOTPs, for the less-important ones you feel comfortable saving in your password manager.

      • miki123211 4 days ago

        Firefox sync made the criminal sin of implementing end-to-end encryption, enabling it by default, and being insufficiently clear to people that their passwords are lost forever when they forget the master password.

This provides a really terrible UX to "normal" users. I wouldn't recommend that option to anybody who doesn't already know what E2E is and what tradeoffs it has.

        Google's implementation is a lot better in that regard, at least they offer plenty of avenues for account recovery.

        • KPGv2 3 days ago

          Can you identify the password managers that do not implement end-to-end encryption so I can avoid them forever?

        • bandrami 4 days ago

          Presumably the passwords themselves have recovery/reset procedures? I can't think of a good reason to add another risk surface to a password manager given that

    • mrwm 4 days ago

I'm not sure how it is on iOS, but I've been using firefox as my password manager on android. It's a trivial change in the settings and works across all apps as well.

      I also recommend it to my friend group, as they can use firefox with uBlock Origin, and also have their passwords synced.

      • tetris11 3 days ago

        Yep, since Android 12 I think you can set Firefox as your main password manager.

        It's genuinely delicious

    • lrem 4 days ago

      All serious browser vendors offer sync to logged in users. That’s multi-device, cross platform and pretty foolproof. I still prefer Bitwarden because of self-hosting and integrating nicely with the iOS ecosystem. But there’s not much wrong with the browser approach.

      • usrusr 4 days ago

        Multi device is all nice and well, but what if you use products from more than one browser vendor?

        • lrem 3 days ago

          Then you’re a rare corner case that’s served by something third party.

    • CJefferson 3 days ago

      I have the opposite problem. If I forget to log into bitwarden, passwords just get saved into firefox / chrome, so now I've got some passwords in bitwarden, some in chrome, some in firefox, and worst of all bitwarden doesn't seem to have an easy way to unify these databases.

      • trinsic2 3 days ago

        That's a bit much to put on a 3rd party password manager.

        • CJefferson 3 days ago

I have the plugin installed in my browser, why does it wait for me to log in to come to life?

    • floydnoel 4 days ago

      > people generally understand installing an app on each device they own and that app doing it for them.

      an app like Firefox or Chrome, perhaps?

      • danpalmer 4 days ago

        This is obviously true for the HN crowd, but for normal people I think there's a distinction. Don't underestimate the value of centering a brand and an icon on a home screen around a single function.

    • JoshTriplett 4 days ago

      > Interesting, I've always felt that browser-based password managers provided remarkably little value for most people.

      They provide the value of "you should, by design, have no idea what most of your passwords are; if you know any significant number of your passwords you probably have bad passwords".

      And both Firefox and Chrome sync passwords between devices.

      • wruza 3 days ago

        This is the value of any password manager, not a browser-based one.

        • JoshTriplett 3 days ago

          The comment I was replying to said "browser-based password managers provided remarkably little value"; it didn't say "little value relative to other password managers".

          Much as with cell phone cameras, "the best camera is the one you have with you"; the best password manager is the one you have with you.

  • wrasee 3 days ago

    If Mozilla released a separate passwords app so you could manage and access your passwords outside of Firefox I think the two would be more comparable. That would promote your passwords as part of your Mozilla account, not just Firefox.

    Bitwarden excels here, and i think is the model to beat. However, Mozilla would have the advantage since their browser integration would essentially be built-in and first class.

    Otherwise, unless you use Firefox exclusively for everything I just don't think a single browser is the right place to manage passwords. I would say that's true even for a broad audience, given the importance of passwords and security in the modern age.

    Bitwarden is also nice in that you can "lock" access to your passwords while keeping the browser open. That way, for the 99% of the time you're just browsing the internet you essentially don't have access to all your passwords "open". The last time I looked at this I had to enter my master password on opening Firefox, even if I didn't need access to my passwords. That meant that "unlocking your vault" is essentially tied to opening the browser. That alone was enough for me to bail on it.

    • greensh 3 days ago

      there used to be an android/ios app by mozilla called lockwise which did exactly that iirc. https://support.mozilla.org/en-US/kb/end-of-support-firefox-...

      • wrasee 3 days ago

        Ah yes I remember that now, I had forgotten about that!

        Funny, especially now that I see Apple are now going the other way with a dedicated "Passwords" app on iOS 18 and macOS 15. And for Apple to do this - against their instinct for featureless simplicity and implicit integration - to give passwords their own "shop front" as a dedicated app I think really does acknowledge the first-class importance that passwords now have, even for a broad audience.

        It's a shame as I think Mozilla could really compete well in this space. They are both cross-platform, have their their own browser and have a good reputation on privacy. It's a killer combo. Bitwarden is evidence you can make it work and you don't need massive big-tech budgets to make a difference.

  • techwizrd 4 days ago

    I'm glad that Bitwarden moved quickly to resolve this. At least for me, Firefox's password manager isn't really a replacement. Bitwarden is approved by my employer, self-hostable, and supports logins for the litany of apps across my browsers and mobile devices. Whether it's the mobile app, mobile website, or site in my browser, Bitwarden just works for the most part. It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

    • ValentineC 4 days ago

      > It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

      +1. I use my password manager (currently 1Password, but I have been looking at self-hosting Bitwarden/Vaultwarden) more for storing credit card information and security questions.

      Most built-in password managers don't cut it on that front.

    • psd1 3 days ago

      It's more than self-hostable!

      There's at least one API-compatible alternative (vaultwarden) which works with the official client.

      Yay to breaking down walls.

      • seabrookmx 3 days ago

        Vaultwarden is great! I've been running it for years (since it was bitwarden-rs) on a free-tier GCP VM. I use a cronjob to back up the DB to Backblaze B2 with rclone.

    • trinsic2 3 days ago

      Its Bitwarden only for personal use. Do they have a solution for Multi-use password sharing?

      • bloopernova 3 days ago

        Yes, my wife and I each have our own bitwarden account, and an "organization" where shared passwords go. It's worked great for quite a few years now.

      • leshenka 3 days ago

        in Vaultwarden you can have "organizations" that are like groups of people and you can have passwords there that are accessible by members

        No idea how this maps into Bitwarden's own offerings though but all clients support this kind of thing

        • spiffytech 3 days ago

          The downside is you can only share to other users on your Vaultwarden instance. You can't e.g., set up emergency sharing to family members who use cloud Bitwarden.

          • leshenka 3 days ago

            well this is true the other way around

            BW clients support having several accounts at once so you're not forced to choose. Your family can have a regular bitwarden.com account and your vw.example.com account just for emergency access

  • ahiknsr 3 days ago

    > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

    I use both Bitwarden and Firefox and I would strongly encourage everyone to not use the password manager in Firefox. Do you know the tab sync across devices is broken in firefox? It was broken since Aug 24 and it is still not fixed https://bugzilla.mozilla.org/show_bug.cgi?id=1913795 . If they can't sync tabs across devices, i wouldn't trust them to sync my passwords.

    • digital_voodoo 3 days ago

      Interestingly, password syncing is one of the most reliable things I've seen Firefox doing during the last years. If you don't even have to think about it, that means it "just works"

  • gertop 4 days ago

    Firefox's password manager stores passwords in clear text unless you use a master password (very few people do).

    This means that any process on the computer can read them.

    It also means that, unless you also use full disk encryption, a stolen device means you're fucked.

    Chrome and Safari use the OS's keychain at least, so there is some level of security.

    And a standalone password manager has its own encryption.

    • sublimefire 3 days ago

      Browser password managers and their related files are the usual targets of the sophisticated malware creators. Not many people use good master passwords either if any.

  • alerighi 3 days ago

    I think that the Firefox password manager is good, however, relying on the browser is a terrible form of vendor lock-in. You need to use another browser (for any reason), you also need to switch password manager. Also, Firefox on Android is not great, and Bitwarden has a better integration.

Finally, Bitwarden (the paid version) also manages passkeys and OTP codes; the Firefox password manager does not.

    • klabb3 3 days ago

      I use both, and I agree, even if I’m very happy with Firefox. There are lots of apps outside of browsers that need passwords. It’s very common these days. Besides, does it support passkeys? That’s getting increasingly common as well.

  • bigfatfrock 4 days ago

    > because KeepassXC + syncing is way too difficult for normal people

    I've been debating for ages if this is a hurdle that can be overcome by packaging or even hand-holding support. When I show "normal people" my pass+sync setup they beg me to implement it for them. Once it's running it's near-zero maintenance.

    • dcow 4 days ago

      Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.

      • tjoff 4 days ago

        It's fine, even bad password management is better than passkeys.

        Thankfully the incredible hype for passkeys has been dead for years now and people are starting to question it.

        • runiq 4 days ago

          Is this... is this sarcasm? I honestly can't tell anymore.

          • tjoff 4 days ago

            It is not.

            • archi42 3 days ago

              Would you care to elaborate? It also matters what counts as "bad password manager" to you - Poor crypto? Poor UX? A reddit post ;-)? LastPass?

With passkeys, both the website and the user can be pretty sure that the "password" is secure. The website knows that it's based on enough entropy, and the user knows that the website cannot lose it.

              Of course if I use a random generated 80 char password I only mildly care if the website stores it plain text or not.

              But if I was a site operator, I could additionally trust that the users are using secure passwords. Without insane strength requirements (which people only work around anyway, e.g. Passw0rd!123 is usually accepted, but thisisasuperlongpassphrase often is not).

I'm in the business of testing security, which means I sometimes crack passwords. No matter how much training you put your employees through: somebody is gonna use ${some name}${0 or 1 special char}${some birthday} - whether it's the spouse, kids or affairs data, your guess is as good as mine.

              • tjoff 3 days ago

                Management, not password manager.

                I'm not talking about technical merits, we all know passkeys are so complex they might work decently as obfuscation alone ;)

                No, all that crap is meaningless when you give all your keys to an entity that simultaneously locks you in and couldn't give a fuck about you.

    • cryptos 3 days ago

      I did that for quite some time, but I had severe issues with multiple editing users and with android apps. All the tricks I tried, like nested vaults didn't fully work in the end. So I ended up with 1Password.

    • przmk 4 days ago

      Where did you manage to find "normal people" that begged you to install a password manager for them? I have yet to come across one person who wanted one.

      • archi42 4 days ago

        There are normal people out there who have been hacked, or knew someone who was.

        Also, some normal people are computer-smart enough to understand problems like credential-stuffing, if someone explains it to them.

    • lie07 4 days ago

      Would love to know how you have it setup.

    • peterpans01 4 days ago

      can you share how do you set this up?

      • freeone3000 4 days ago

        I store the password vault in dropbox. Done.

        • dcow 4 days ago

          100% serious question: how is using dropbox (one cloud) to sync passwords any better or more secure than using a password manager that syncs your vault for you (another cloud)? I see so many "I don't trust <insert pw manager> so I use dropbox" comments around these parts and I just don't understand what real or perceived threat is being mitigated.

          • Brian_K_White 4 days ago

It's valuable that the syncing mechanism is separate because that makes it agnostic. Parent comment uses Dropbox, I use Google Drive, someone else uses OneDrive, someone else uses iCloud, someone else uses Syncthing or Nextcloud, etc.

            You don't have to trust the single cloud provider to encrypt and not be able to spy. The vault is encrypted on your own device using fully open software, and the cloud only ever sees a blob they have no keys to, directly or indirectly. The encrypting/decrypting software was not written by the cloud provider.

            You don't have to trust any single cloud provider to stay up, be available in your country, stay friendly to you. If Dropbox goes down or kills your account, you just flip to any of 20 other options.

You say you don't understand why someone prefers Dropbox over the special custom syncing, but I don't understand what the excuse is for a special vendor-specific implementation of something that is already generic and agnostic. It's like using a browser that uses its own version of http to download files and only works with one web site that has the matching special server.

            It's not a remotely equivalent comparison between "one cloud" and "another cloud". One is a single vendor-specific, custom purpose, single-provider thing, the other is agnostic and infinite, use any method you want from any provider you want any time you want.

For me it's not about "mitigating a real or perceived threat". It's just basic system resilience and principle to avoid special things and prefer generic/agnostic things, and keep concerns separated. But it is also more secure not to trust any integrated cloud provider, vs having the cloud be just storage that doesn't know anything about the blob being stored, and can't even if they turn bad, or are pressured by a government, or get hacked, etc.

          • chpatrick 4 days ago

            I guess the idea is that you trust open source software to encrypt the vault, so Dropbox couldn't do anything with it even if they wanted to. That's also true for the open source Bitwarden clients though.

          • freeone3000 4 days ago

            It’s small enough for dropbox’s free tier so it saves me a subscription.

            • dcow 4 days ago

              Ah! Threat to the wallet I see. That Dropbox referral credit must still be paying dividends.

        • teo_zero 4 days ago

          > store the password vault in dropbox

          No local backup? Do you rely on the network working all the time?

I do something similar on the mobile phone (the reasoning is, if there's no network, there's nothing I need to login to) but I also keep a local copy on my laptop (that I sometimes operate with limited connectivity). Without any automatic syncing, one of the two copies will be stale.

          • anilakar 4 days ago

            Back in the day we tried to sync KeePass vaults at work and ended up with a conflict about once a week, which is way too often. Not sure if other password managers have solved this.

          • Dylan16807 3 days ago

            > No local backup? Do you rely on the network working all the time?

            Normal dropbox behavior keeps a copy on every computer.

            • teo_zero 3 days ago

              > Normal dropbox behavior

              Ah, you mean by using some app or daemon. I excluded that possibility because on at least one of my laptops I'm not allowed to install anything, so for me "normal" behavior is using Dropbox as a container for files to download when needed.

              • Dylan16807 3 days ago

                Well if you do that then you get plenty of copies; just restrain your delete key finger a bit. It does risk some staleness, but only rarely.

                And maybe you could write a small shell script to keep that particular file up to date?

                Also the one program I've used that opens keepass files directly from dropbox servers keeps a local copy.

        • gregwebs 4 days ago

          I did this a long time ago but eventually ended up with conflicts. Password managers write new entries in a file and easily avoid conflicts whereas agnostic file managers will immediately conflict if sync wasn’t working for a while on a device

          • sublimefire 3 days ago

I used it (Keepass) for a while and never got a conflict on the desktop client (osx), nor on Firefox. But the iOS app does not like the file on the Google Drive and occasionally it needs to be reloaded.

        • ekianjo 4 days ago

          You can use syncthing too. Works just as well.

          • dwightgunning 4 days ago

            Is there a robust Syncthing app for iOS? Last time I checked there was only an affiliate project and their story wasn't convincing.

            • subarctic 4 days ago

              I use mobius sync and I'd say the app itself is fine, you just have to open it whenever you want things to sync. That's one of the things I miss from Android. Also you can't sync your camera folder

            • jcotton42 3 days ago

              Mobius Sync works really well, the only caveat is that it's not completely free (you're limited in the sync size unless you pay $5, but that's a one-time thing), and that while it can background sync, it's not continuous, and you'll want to open the app if you need to make sure something's synced.

            • dsp_person 3 days ago

              it was just discontinued for android :(

            • conradev 4 days ago

              Nope. I have a cloud Syncthing box that is accessible over SSH, and I use ShellFish to read/write my synced folders. It works okay, especially for lazily sending stuff from my phone to my laptop.

        • SkiFire13 3 days ago

          Instructions unclear, I have no password vault.

          • kcmastrpc 3 days ago

            Right, doesn't everybody just use the same password everywhere? I don't see the point of these things.

            • KPGv2 3 days ago

              You laugh, but that's apparently what I did a decade and a half ago.

              I recently mounted a HDD that was at my parents' house. Most files are from 2009-2012ish. I was there one summer between undergrad and grad school and used it for a couple months.

              I found an Opera password list that I'd exported, presumably to copy over to my new laptop. It was fun last night skimming the list, seeing which websites I'd completely forgotten about that I used to have accounts for. Almost none of them even exist anymore besides the big players (Slashdot, Apple, etc.), but the point is *almost all of them had the same password*. o.O

    • sigzero 3 days ago

      KeepassXC also doesn't have templates for things. It's in the works. When it comes out I might take another look at it.

  • Ayesh 4 days ago

    I used Firefox password manager for years, and moved to Bitwarden for:

    - Passkey syncing

    - Bitwarden on Android works properly, compared to Firefox's dedicated password app, which is abandoned.

    - TOTP support (to use with some apps where I don't want the strongest security)

    But you are maybe right, if the only browsers you use are Firefox desktop/mobile.

  • elric 4 days ago

    I recommend Bitwarden family plans to non-technical people. It's pretty user friendly, and you can give people emergency access. A couple of recent deaths in my life have made me painfully aware that this is something that many people really need.

    • bloopernova 3 days ago

      Gen X and boomer techies are getting older.

      It's kind of funny to see how gen x in particular deals with aging. For example, menopause memes as gen x women hit perimenopause. We're supposed to be all nonchalant and cynical, and it's interesting to see those attitudes hit the immovable object of aging.

  • ants_everywhere 3 days ago

    Given that Mozilla just acquihired a bunch of Meta advertising execs, I think the prudent plan would be to cautiously diversify away from putting sole trust in Firefox.

  • lxgr 4 days ago

    Can it store TOTPs and passkeys as well? These are two things encountered even by "regular people" more and more.

    Especially keeping passkeys platform-independent is a huge advantage, in my view.

    • freedomben 4 days ago

      There will always be different opinions, but my opinion is that storing your TOTPs in your password manager is at best a reduction in security because you're reducing your 2 factors down to 1 factor. If the password manager gets compromised (even phished! It needn't involve the password manager's servers getting hacked), then you gain nothing by having 2FA enabled.

      I would strongly advise using something like Aegis on Android, or Gnome Authenticator on desktop (or both). I like to duplicate/backup my seeds so that I'm not SOL if my phone breaks, but I do it by having them on my laptop, desktop, and phone. That way as long as I have one of the three devices, I can always get in, and then they're not "in the cloud." Though, "in the cloud" is still better than "in the cloud alongside all my passwords."

      • dcow 4 days ago

        The only true 2nd factor is a setup where your totp codes live on a separate piece of physical hardware. If your totp codes are in an app on your phone, and your password is in a different app on your phone, you're not pure 2nd factor despite convincing yourself that you are. Anything that is convenient is not real 2FA. Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

        I'm not saying I think everyone needs real 2FA. I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer. 2FA is a hack put in place to mitigate passwords being relatively insecure and phishable. It's supplanted by Passkeys.

        • freedomben 3 days ago

          I think you're letting perfect be the enemy of good. It doesn't have to be pure 2FA to be better than 1FA. Being in separate apps does give some benefits. It's always going to be harder to compromise two apps than it is to compromise just one of them (even if the difficulty increase is marginal, it's non-zero). Often simply not being low-hanging fruit is enough to save you from an attack.

          There are plenty of things for which 2FA in the PW manager is fine, but for the most important things I think it's an unnecessary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV

          • dcow 3 days ago

            No I’m specifically not. Did you read my 2nd paragraph? It’s essentially your argument here.

            The person I was responding to was arguing that totp in pw manager is no good. Maybe you meant to reply to them and not me?

            • freedomben 3 days ago

              I did read your second paragraph. There is some ambiguity, but I ultimately decided you weren't agreeing with me because you said (emphasis added):

              > I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer.

              If you're storing your 2FA codes in your PW manager, then you're NOT using separate apps. You're using the same app (your PW manager). My argument is that you should use separate apps for the things that matter, like your email (which can be used to get access to almost every other account), and since you're already using separate apps for those things, you might as well just be consistent so you don't have to remember where each TOTP token is stored.

              I see three levels we've discussed:

              1. Pure 2FA using hardware token or equivalent (which I agree is rarely needed)

              2. Impure 2FA but separate app for storing passwords and TOTP tokens (which I'm advocating for)

              3. Storing TOTP tokens in PW manager (which you appear to be arguing for in 99.999% of cases, which is basically all of them)

              If you are actually advocating for level 2, then we agree, but from reading your 2nd paragraph it seems pretty clearly to be arguing for level 3.

              • dcow 3 days ago

                I may be arguing for (3) but then I’m not letting the perfect be the enemy of the good. I don’t fancy the security types that do that.

        • KPGv2 3 days ago

          > Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

          My thumbprint isn't stored on my phone, so I have two factors.

          From the PCI Security Standards supplement on MFA,

          > The issue with authentication credentials embedded into the device is a potential loss of independence between factors—i.e., physical possession of the device can grant access to a secret (something you know) as well as a token (something you have) such as the device itself, or a certificate or software token stored or generated on the device. As such, independence of authentication factors is often accomplished through physical separation of the factors; however, highly robust and isolated execution environments (such as a Trusted Execution Environment [TEE], Secure Element [SE], and Trusted Platform Module [TPM]) may also be able to meet the independence requirements.

          So your phone can constitute a token, while the biometric constitutes the second factor. I don't know about Apple phones, but Google's requirements for biometrics are:

          > Capturing and recognizing your fingerprint must happen in a secure part of the hardware known as a Trusted Execution Environment (TEE).

          > Hardware access must be limited to the TEE and protected by an SELinux policy.

          > Fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint aren't accessible.

          • dcow 3 days ago

            I think you misunderstood me. I agree that biometric plus password or device key would constitute two factors. I perhaps believe that you can’t really trust the device to have performed biometric verification without some sort of software attestation. So if the security of your protocol depends on two factors, you’d need to, yes, have a biometric signature or remote attestation that a biometric check has been performed.

        • lxgr 3 days ago

          > Anything that is convenient is not real 2FA.

          That's a pretty user-hostile attitude. Sure, some combinations of factors are pretty unergonomic, but I'd call that a bug, not a feature.

          It's also incorrectly suggesting that somehow complexity/painful usability automatically yields security, while usually the opposite is true:

          An effective secure authentication solution absolutely must consider usability, or it's doomed to be circumvented by users in one way or another (either via some insecure practice, or by your users simply ceasing to be your users).

          • dcow 3 days ago

            I’m speaking to how things are practically implemented, not making a statement about ideals.

      • czarit 4 days ago

        This depends on the threat model. Having 2FA in the PW manager defends against someone phishing the password and database leaks on the server side, which are the most common in my threat model. But note that if they can phish your pw, they can probably phish your 2FA as well.

        It obviously does not protect against the scenario where someone is breaking into your password vault.

        I tend to enable 2FA but conveniently save the token in the PW manager for relatively low equity stuff, just to make it less enticing for an attacker, but use hardware FIDO for everything actually important.

        • guerby 4 days ago

          Same here.

          TOTP is trivially phishable via evil nginx just like your password, and via social engineering.

          FIDO2 is not phishable and you have no secret to give out to social engineering attacks.
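To make the "not phishable" claim above concrete, here is an added example (not part of the thread, and not Bitwarden's or any FIDO library's code) of the relying-party check that a WebAuthn/FIDO2 assertion has to pass. The relying party, origins, challenge and key pair are all constructed for the example; authenticatorData is reduced to rpIdHash plus a flags byte. In a real browser a relay fails even earlier, because a page may only use an RP ID that matches its own origin; this shows the server-side backstop that rejects the signature even if it were produced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// collectedClientData mirrors WebAuthn's CollectedClientData. The browser fills in Origin from the page it is
// really showing; page JavaScript cannot choose it.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds the key pair registered for one relying party (constructed here; a real authenticator
// keeps one pair per RP and never exports the private half).
type Authenticator struct {
	rpID string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthenticator(rpID string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{rpID: rpID, Pub: pub, priv: priv}
}

// Assertion is what navigator.credentials.get() returns: authenticatorData, clientDataJSON and a signature
// over authenticatorData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// Sign models browser plus authenticator. browserOrigin is the origin the user is really on. authenticatorData
// is simplified to rpIdHash plus a flags byte; a real one also carries a signature counter.
func (a *Authenticator) Sign(browserOrigin, challenge string) Assertion {
	cd, err := json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		panic(err)
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01) // 0x01 = user present
	cdHash := sha256.Sum256(cd)
	signed := append(append([]byte{}, authData...), cdHash[:]...)
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, signed)}
}

// VerifyAssertion is the relying party's check, reduced to the steps that defeat a relay: the challenge must
// be the one this RP issued, the origin must be the RP's own, rpIdHash must match, and the signature must
// verify under the public key stored at registration.
func VerifyAssertion(pub ed25519.PublicKey, rpID, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd collectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong type or challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("rpIdHash mismatch or user not present")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(pub, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario runs a genuine login and a relayed one through the same check. The lookalike site forwards the
// real challenge, but the browser records the lookalike's origin, so what the authenticator signs is rejected.
func Scenario() (legitOK, relayedOK bool) {
	const rpID, realOrigin = "example.com", "https://example.com" // constructed relying party
	const lookalike = "https://examp1e.com"                       // constructed lookalike origin
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"             // constructed; RPs draw a fresh random one per login
	auth := NewAuthenticator(rpID)
	legitOK = VerifyAssertion(auth.Pub, rpID, realOrigin, challenge, auth.Sign(realOrigin, challenge)) == nil
	relayedOK = VerifyAssertion(auth.Pub, rpID, realOrigin, challenge, auth.Sign(lookalike, challenge)) == nil
	return legitOK, relayedOK
}

func main() {
	legit, relayed := Scenario()
	fmt.Printf("genuine login accepted: %v, relayed login accepted: %v\n", legit, relayed)
}
```

The contrast with a TOTP code is that nothing the user hands over is a reusable secret: the signature is over the origin the browser saw and a challenge the real site issued, and a lookalike site can relay the challenge but cannot make the browser lie about the origin.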

          • KPGv2 3 days ago

            > TOTP is trivially phishable . . . via social engineering

            Is it? I've been on the Internet since the 80s and haven't been phished a single time (despite being the recipient of many obvious attempts). Maybe I could be phished, but I think that's evidence it's not trivial.

            I have to wonder how many people sophisticated enough to use and pay for a password manager like Bitwarden could be "trivially" phished.

            • lxgr 3 days ago

              That's great for you, but also a sample size of one (probably technically sophisticated) user, i.e. irrelevant to the bigger picture.

              The phishability of TOTP really is exactly as bad as that of passwords, except that a once-phished TOTP isn't reusable by the attacker(s), unlike a phished password.

              But even one-time access is often catastrophic, especially if it allows the attacker to rotate credentials.
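The two claims in this exchange, that a TOTP code relayed in real time works exactly like a relayed password and that a captured code is nonetheless not reusable, can both be seen in a small RFC 4226/6238 implementation. This is an added example, not code from the thread or from Bitwarden; the seed is the RFC 6238 test seed and the relying-party verifier, with its one-step skew window and last-accepted-step tracking, is the one the RFC recommends rather than any particular product's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const timeStep = 30 // RFC 6238 default time step, in seconds

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp is RFC 6238: HOTP with the counter taken from Unix time. Anyone holding the seed can compute the code,
// which is the sense in which a seed kept next to the password collapses two factors into one store.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/timeStep), digits)
}

// Verifier is the relying-party side: one step of clock skew either way, and (RFC 6238 section 5.2) never
// accept a time step at or below the last one already accepted, so a captured code cannot be used twice.
type Verifier struct {
	secret      []byte
	lastCounter int64 // highest counter accepted so far; -1 means none yet
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastCounter: -1}
}

func (v *Verifier) Verify(code string, now int64) bool {
	cur := now / timeStep
	for _, c := range []int64{cur, cur - 1, cur + 1} {
		if c <= v.lastCounter {
			continue // this step (or an older one) has already been used
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(c), 6)), []byte(code)) {
			v.lastCounter = c
			return true
		}
	}
	return false
}

// RelayResult records the relying party's decision for one code at three moments.
type RelayResult struct {
	RelayedWithinWindow bool // forwarded 5 s after the victim typed it
	ReplayedAtOnce      bool // the same code submitted a second time, a second later
	ReplayedTwoMinLater bool // the same code submitted again after 120 s
}

// RelayScenario plays out the thread's point: a code typed into a lookalike page and forwarded at once is
// accepted exactly as a password would be, but unlike a password it cannot be reused.
func RelayScenario(secret []byte, victimTime int64) RelayResult {
	v := NewVerifier(secret)
	code := totp(secret, victimTime, 6) // what the victim typed
	return RelayResult{
		RelayedWithinWindow: v.Verify(code, victimTime+5),
		ReplayedAtOnce:      v.Verify(code, victimTime+6),
		ReplayedTwoMinLater: v.Verify(code, victimTime+120),
	}
}

func main() {
	seed := []byte("12345678901234567890") // the RFC 6238 test seed, not a real secret
	fmt.Println("code right now:", totp(seed, time.Now().Unix(), 6))
	fmt.Printf("%+v\n", RelayScenario(seed, 1700000000))
}
```

The non-reusability only holds if the server does the last-accepted-step bookkeeping; a verifier that merely checks the current window will accept the same code again for up to a minute, which is the gap the "catastrophic one-time access" remark points at.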

      • AyyEye 4 days ago

        Sometimes the TOTP is forced on me for a service I really don't care about. That's most of mine, actually.

        • freedomben 3 days ago

          Indeed, when that's the case I think the PW manager is fine.

          Though, if you already have to have an app for the important stuff like your email, then IMHO it's actually simpler to just keep them all in one place even if you don't care too much about some of the tokens. Just one less thing you have to remember (i.e. where did I put service X's token again? was that in bitwarden or Aegis? etc).

      • saint_yossarian 4 days ago

        It's still 2 factors though, if someone discovers your password they don't automatically know the TOTP key. So I use TOTP in my password manager for sites where I wouldn't use 2FA otherwise (because using my phone would be inconvenient), so it's still a security improvement for me. And for critical accounts I do use Aegis on my phone.

        • hsdropout 4 days ago

          That's not 2FA, that's two of the same factor.

          The factors are:

          - Something you know

          - Something you have

          - Something you are (biometrics)

          • lucideer 3 days ago

            That list makes for a nice slide deck but the separation (like many things in tech) isn't as clear cut as the metaphor.

            "Something you know" (password) becomes "something you have" as soon as you store/autogenerate/rotate those passwords in a manager (which is highly recommended).

            "Something you have" in the form of a hw key is still that device generating a key (password) that device/browser APIs convey to the service in the same way as any other password.

            "Something you are" is a bit different due to the algorithms used to match biometric IDs but given that matching is less secure than cryptographic hash functions - this factor is only included in the list for convenience reasons.

            The breakdown of this metaphor is one of the reasons passkeys are seen as a good thing.

          • saint_yossarian 3 days ago

            Not sure what you mean, it's still a second unique token that an attacker would need to know to access my account, so it's improving my security even when stored in my password manager. This was in response to grandparent's opinion that it's "at best a reduction in security".

            I'm not talking about my password vault getting breached, in that case I'd be fucked either way.

            • freedomben 3 days ago

              > I'm not talking about my password vault getting breached, in that case I'd be fucked either way.

              But that's the whole point. If your password vault is breached, the second factor is what prevents you from being fucked. That's why putting your seeds in the vault is a reduction in security. It may be a reduction/risk that you're willing to take for convenience, but it's still a reduction.

      • lucideer 3 days ago

        Aegis is no more secure than storing your TOTPs in your password manager - 2 factors primarily protect against remote attacks, which don't have direct access, in which case the app your 2nd factor lives in is moot. If your threat model involves direct access you need dedicated hardware for your 2nd factor. Most people are fine with TOTP in pw manager.

        (I do use Aegis as I like the UX but that's a separate topic)

      • magackame 4 days ago

        Doesn't having the seeds available on all of the devices make it not 2FA? You now need only one device to login at any given time.

        • mason55 4 days ago

          The second factor isn’t a second device, it’s the TOTP code.

          • AStonesThrow 4 days ago

            No, factors are supposed to have different qualities, such as:

            "Something you know"; "something you have"; "something you do"; "something you are [biometrics]"; "somewhere you are [geolocation]".

            Passwords are in your head - "something you know".

            TOTP codes are generated by a hardware token - "something you have".

            If the TOTP codes are crammed into your password manager, then the factors are no longer distinguished by these qualities, but they're now the same factor, and it's not true MFA anymore, whether or not they're split up across devices, or apps.

            • akho 3 days ago

              2FA via TOTP implies two things: 1) you know a password; 2) you know the seed. This is why people criticize that approach. In practice, knowing a password and having a file (seed) seem different enough, and work against some phishing threats.

              Logging in through a password manager requires that you know a password (your master password), and have a file (your vault).

              • KPGv2 3 days ago

                Or alternatively something you are (fingerprint) alongside something you have.

      • odo1242 4 days ago

        I mean, if you're using a password manager, you're already protecting against 99% of the things that 2FA is designed to protect against. If you really wanted to, it would probably make the most sense to enable 2FA on your password manager?

    • odo1242 4 days ago

      Yes, though TOTPs will run you a (worth it imo) $10/year subscription. Passkeys have been supported for a while (free) on all major platforms, and I haven't seen any issues with it.

    • Uvix 4 days ago

      Yes, Bitwarden can store both.

      • lxgr 4 days ago

        I was referring to Firefox with that question.

        • odo1242 4 days ago

          It can't, you need a browser extension for that.

        • Uvix 3 days ago

          Ah, sorry for misunderstanding.

  • vitro 3 days ago

    > because the built-in password manager in Firefox is too good

    If only they could add labels to the name/password combination. I have several accounts stored for a website, with generated gibberish logins that I cannot change and sometimes it takes me multiple tries to get to the correct account.

    Also, sometimes a site has two password fields - two secret codes - and for this use case the password manager doesn't work very well either and remembers only one field.

    Other than that, I love how it just works, you add a password on one device and have it seamlessly available on the other with a very little setup. It's a nice experience.

    • vitro 3 days ago

      > have several accounts stored for a website

      Another use case for named logins is those multiple routers that you administer for your friends and family that all have http://192.168.1.1

  • sph 4 days ago

    > the built-in password manager in Firefox is too good

    Too good in what way that according to you "normal" people shouldn't be using Bitwarden? Or do you just like the Firefox one but are overselling it a bit too much?

    I use Firefox, but I do not trust the Mozilla products. Bitwarden costs me $10/year so I wonder what is so amazing and groundbreaking about Firefox password sync, and does it work across browsers?

  • pmontra 3 days ago

    What if you want to use a password where you don't have Firefox installed or from somebody else's computer?

    The same applies to the password manager of any other browser.

    I carry with me my keepass db inside my phone and I can use it anywhere at any time.

  • angra_mainyu 3 days ago

    For me, the reason bitwarden is excellent is sharing account login data with my family (I have an org account w a few members) for next to no money / year.

    Also, I regularly hop between 3 machines + a personal phone and a work phone, and I love being able to have access to my logins + secure notes across all 5 devices.

    All for the cost of a coffee/month.

  • SPBS 4 days ago

    Built-in password managers don’t work across apps. They only work for the browsers they’re built into.

  • ezst 4 days ago

    What finally brought me to using BW was that I simultaneously needed to backup/sync my TOTPs across mobile/desktop devices, and came to have the need for sharing an increasing number of passwords with my SO. It delivered beautifully on all of that.

    • CaptainNegative 4 days ago

      This isn't an area I know much about, but wouldn't there be a security risk involved with storing the TOTP seeds alongside the passwords? Or is that not a real concern?

      • ezst 3 days ago

        Totally correct, the lame excuse being that it didn't make the situation worse for the reason that those factors were anyway authenticated using the same device previously already. But at least I am now in much less trouble in case this device gets lost/broken/stolen/…

      • 3np 4 days ago

        It's a valid concern. Especially if you use the same BW for password and TOTP for the same service, you've effectively reduced 2 factors to 1. If you really must sync both your TOTP secrets and your passwords, those should be completely separate systems.

  • Shorel 3 days ago

    > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

    I don't doubt the quality of Firefox's password manager, or your honesty.

    But normal people just don't use Firefox.

    • blendergeek 3 days ago

      Normal people don't use Bitwarden either. And I suppose I don't know any normal people which isn't too surprising.

      Normal people use Apple's built-in password manager.

  • slightwinder 3 days ago

    > I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good

    I wouldn't say it's good, but it does its job, if you can live with the insecurity and limitations. It's very comfortable, which is the only reason I'm still using it over KeePass and Bitwarden. KeePass has no reliable browser integration, and Bitwarden is hard to self-host. Firefox's password manager is just there, always works, syncs without hassle, usability at its peak (for this job).

    • seabrookmx 3 days ago

      Have you tried vaultwarden (formerly bitwarden-rs)?

      It's trivial to self host. I've been running it in a GCP free tier VM for years.

      • slightwinder 4 hours ago

        Yes, I know vaultwarden. And it's indeed simple to start the docker container. But not every use case can be satisfied with docker.

  • xnzakg 4 days ago

    I actually switched from Firefox's password manager to Bitwarden. There used to be a bug on Android where the autofill button sometimes would stop doing anything.

  • Thaxll 4 days ago

    Keepass file on Google drive is kind of trivial though.

    • throwuxiytayq 4 days ago

      Never store anything remotely important on a Google service.

      • arnavpraneet 4 days ago

        I know we are kidding but damn the news Google Drive is being sunsetted by December would ruin a lot of people's days

        • ClassyJacket 4 days ago

          At this rate they'll sunset google search and their advertising business just because.

      • teo_zero 4 days ago

        Never store the only copy of anything remotely important on any online service.

        Storing copies is ok, though, provided that sensitive information is encrypted.

  • Anunayj 3 days ago

    Can someone also comment on how secure the built-in password manager in Firefox is against unsophisticated malware attacks that simply copy your browser extension data and such? Compared to Bitwarden, which requires a password to unlock it and, as I understand, stores everything encrypted on disk.

  • BrandoElFollito 3 days ago

    > because the built-in password manager in Firefox is too good

    I just checked it and it looks really basic, right? No OTP, no multiple URLs, no special URL matching?

    Where is its "goodness" (I may have missed something entirely)

  • throwuxiytayq 4 days ago

    Does the FF password manager still irrecoverably nuke your password with no versioning/undo when you accidentally or intentionally use the „forget this website” option in the history panel?

  • kwanbix 3 days ago

    The problem with the Firefox (or Chrome) password managers is that they only work on their browsers. Bitwarden works on any browser, on windows, macos, linux, ios, android.

  • conradev 4 days ago

    It’s also the only browser that doesn’t support Passkeys yet :(

  • frenkel 4 days ago

    Does it support sharing passwords with family members?

    • Yodel0914 4 days ago

      This (along with syncing on iOS) is what made me switch from `pass` to Bitwarden. Password sharing (and self-hosting sync with vaultwarden) are killer features for me.

  • twilo 4 days ago

    Is the Firefox one better than the one Edge has? I've been using that for a while and it seems quite good overall.

    • odo1242 4 days ago

      It's not end-to-end encrypted (if you enable account sync), so Microsoft can technically see your passwords. Feel free to switch or not switch based on that information.

  • rnewme 3 days ago

    I enjoy an encrypted Fossil SCM instance (encryption over sqlite extension)

  • Klaphark 3 days ago

    All the browser password managers are not really secure enough and give a false sense of security.

  • SV_BubbleTime 3 days ago

    > built-in password manager in Firefox is too good.

    lol, sorry but this is a ridiculously narrow opinion and wouldn’t even apply to my SO and me as a two person team.

    Hmm, maybe I want my passwords on my phone?

itfossil 3 days ago

Nice to see Bitwarden make a course correction here. I wasn't looking forward to switching to another password manager, so I'm quite happy.

  • ryukafalz 3 days ago

    Yeah, likewise. I'm a Bitwarden subscriber but I'd been looking into alternatives recently because of the licensing kerfuffle. But switching password managers is a pain, so I'm glad to not feel like I have to now.

    • spl757 3 days ago

      KeePassXC (and I assume the other versions) can import an encrypted JSON Password Protected (NOT Account Restricted) export from Bitwarden.

      I use them both. I have KeePassXC for my local machine, and Bitwarden for things I may need out and about.

      With the browser plugins for both it's not that hard to manage them both, at least in my opinion.

      I was hoping to see some course correction on this from Bitwarden, even if the over-stated impact was really just to the SDK. They appear to understand the look of their licensing move was going to cost them more than it probably should have. Most companies refuse to change course at all, so I at least see it as encouraging.

      edit to fix a typo

      • EasyMark 3 days ago

        There is little chance I’ll ever move to keepassxc as that requires me to maintain it myself and take the chance on deleting something very precious. I’ll stick with the cloud solutions for now.

        • alwayslikethis 3 days ago

          Synchronizing is not too difficult. You can use syncthing or any cloud-based storage solutions you are already using. You can also back stuff up. Given it has a recycle bin I wouldn't think accidentally deleting stuff is any more likely than a cloud solution. It's probably harder to back up a cloud solution as you don't have direct access to the file.

          • xigoi 2 days ago

            How does Syncthing handle concurrent writes?

      • SirGiggles 3 days ago

        A caveat that bears mentioning is that an export of a Bitwarden vault does not contain attachments.

    • creesch 3 days ago

      Are there other alternatives that are 1) open source 2) offer the same integration to begin with and finally 3) have been audited or are popular enough to be under constant scrutiny?

      There is of course the KeePass ecosystem, but that is why I included my second point, as with KeePass you are responsible for vault syncing, having clients for all platforms, etc.

      I suppose that it is good to be aware of other options. At the same time, jumping ship so easily also doesn't seem realistic or ideal behavior to me.

      • zie 3 days ago

        I have no affiliation, just found them this week, but https://psono.com/ exists. So 1 and 2 are met and 3 is half-way there maybe? It's a self-audit but they have been around a while. Apache2 licensed.

        Again, I literally found them the other day, and other than a cursory check to make sure the UI/UX is friendly enough to compete with BW or 1P, I haven't had a chance to look through their code at all yet. I have no idea if the promises they document are met.

        • chickahoona 3 days ago

          Hi, Sascha here, the main developer behind Psono. Psono has been audited multiple times so far, usually on a yearly basis. The last one is here: https://psono.com/blog/security-audit-2024 (you will also find a link to the audit itself).

          • zie 3 days ago

            Thanks! I missed that!

      • KPGv2 3 days ago

        The audited part is going to be tough to meet because it's a very niche skill people generally won't do constantly for free.

      • hedora 3 days ago

        I decided that vaultwarden should not have an internet accessible port. Are there any that meet those requirements and also let you (reliably!) edit/create passwords when offline?

          Also, sometimes the bitwarden client decides to blow away my local copy of the password database. I'd like it to store it persistently on all machines so I have to lose my phone, my laptop, my vaultwarden server and its two backups before I get locked out of everything.

        Currently, the phone + laptop don't count as backup copies.

        • BrandoElFollito 3 days ago

          > I decided that vaultwarden should not have an internet accessible port

          So how does your browser extension work when outside your LAN? via Tailscale or similar VPN mesh? And for people who use it outside of the LAN entirely?

          • hedora 3 days ago

            The app (and iOS keyboard integration) degrades to read only mode. It works about 95% of the time. I'd rather it work 100% of the time, and be read-write.

            I don't run the browser extension. (There have been too many other password managers with exploitable password bugs.)

      • g19fanatic 3 days ago

        I use the keepass ecosystem with app.keeweb.info. It's an open source web client that can directly pull from your Google Drive (and other places!). I use Google Drive through keeweb for syncing, 2 clicks and it's synced. Auto pulls when past pw.

        keepass works in browser (how I use it on a computer), can work offline (which is good in air-gapped instances, one of my reqs) and works directly on my android phone without issue.

        • creesch 3 days ago

          It is actually sort of how I used it as well, though through nextcloud. It did still remain a hassle. It also requires all different apps to be maintained and equally safe.

          Keeweb for example has not had an active maintainer since 2022 https://github.com/keeweb/keeweb/issues/2022

      • Glazui 3 days ago

        I’ve recently learned about PassBolt, but it doesn’t meet criterion 3 I’m afraid

    • sirdvd 3 days ago

      Switching is decisively a pain. But apparently this episode was what I needed to start looking seriously into VaultWarden.

      • horsawlarway 3 days ago

        Huge VaultWarden fan here. It's been running absolutely unattended for about 3 years from a machine in my basement now, and it's great.

        I back things up fairly often, but otherwise I would have no idea I'm not just using the enterprise grade Bitwarden license. Things just work, features are there.

        Side-note - VaultWarden is incredibly reliable for a self-hosted free solution (I have 1 pod restart 27 days ago due to a power outage, but otherwise it basically does not fall over. No memory leaks, no high cpu consumption, no reliability problems)

        • idonttalkenough 3 days ago

          Tacking onto this comment as another thumbs up for vaultwarden. "Incredibly reliable" is exactly the way to describe it. In the world of tech headaches, the password manager is the last thing you want to be worrying about, and I can say with confidence that vaultwarden is a reliable, well-oiled machine.

          Backups are also fairly easy, so if need be a DR can be done (and automated) with very little hassle. The vaultwarden backend does depend upon the bitwarden apps for client devices, but it also features its own web UI.

          • cmeacham98 3 days ago

            Your comment was marked dead FYI, I vouched for it.

            Normally this would mean you are shadow banned, but I don't see any other comments in your history getting this treatment - perhaps this comment caught the ire of some anti-spam algorithm.

            • xelamonster 3 days ago

              I mean it reads like ad copy, and the entire first paragraph takes so many words to say nothing more than "I agree." As comments go, I have to say I've seen better.

          • hedora 3 days ago

            Old versions of vaultwarden broke recently (for just about everyone?) due to incompatible changes on the iOS client.

            Breakage is not ideal, but here's how they handled the second, more subtle compatibility break:

            https://github.com/dani-garcia/vaultwarden/issues/5069

            I haven't worked up the courage / time to back up my database and upgrade the docker container; will probably get to it this weekend. However, I can't imagine using bitwarden with the official server (too bloated to be trustworthy), or with their cloud thing. I got burnt by lastpass. I'm not putting my passwords in a giant high-value target again.

        • BrandoElFollito 3 days ago

          Same here - I just see that versions change from time to time (yeah I know I should do that manually but there we are).

          One thing I do not like (or, say, "miss") in Bitwarden/Vaultwarden is the ability to make decrypted backups. I run the service for my immediate family and would like to have access to some people's passwords (of course with their agreement) to make sure they are fine.

          A solution is to use Organizations, but you cannot have an "organization-only account" - an account that would exclusively save to an organization without a private vault.

          The "solution" is to tell people to move what they save to such and such Org but this works fine with me, recently with my wife but somehow my father does not do it and we sometimes end up with tense moments when it is time to get to some accounts :)

        • apitman 3 days ago

          Vaultwarden is great, but it's only half the equation. If bitwarden does go user-hostile eventually, who's going to fork all the client apps and extensions?

      • AzzyHN 3 days ago

        VaultWarden is great. But I don't use it, because I trust Bitwarden's infrastructure more than my own, for now at least.

    • slenk 3 days ago

      I found psono and spun up a self-hosted instance. I may just try to keep them in sync for a while while this business fully settles

jdlyga 4 days ago

Bitwarden is still excellent, but keep an eye on them over the next few years. Remember that Bitwarden was originally a LastPass alternative without the fuckery.

  • prophesi 4 days ago

    The LastPass fuckery was long and frankly egregious.

    Though I don't understand why this git commit is what's linked here. I'd rather hear the discussions on it. https://github.com/bitwarden/clients/issues/11611

    • hnbad 4 days ago

      After reading through the issue thread and the final reply by Bitwarden, I think the only context this provides is that the headline should rather be something like "Bitwarden SDK fixes dependency licensing issue".

      The opening comment and the final reply are the only valuable contributions in that issue. Everything in between is random people jumping in to feign outrage or telling people to use Vaultwarden (which btw recently was in the news for more significant negative reasons). If anything it's a perfect example of the sad state of online discourse.

      • ferbivore 4 days ago

        This wasn't an "issue", it was working as intended. The GPLv3 client intentionally depended on proprietary code. The CTO's comments on bitwarden/clients#11611, bitwarden/sdk#898 and fdroid/fdroiddata!15353 make it clear this was deliberate. They've now changed their stance because of the backlash.

        It looks to me like people expressed genuine concerns about being lied to by a company, one they'd trusted with their passwords no less. Calling it "feigned outrage" is a bit rude.

      • SirGiggles 3 days ago

        > (which btw recently was in the news for more significant negative reasons)

        Do you by chance mean CVE-2024-{39924, 39925, 39926}?

        • hedora 3 days ago

          Interestingly, none of those impact me, since they involve an authenticated attacker. I trust all the users that can log into my vaultwarden instance.

          Were there any other recent issues?

  • odo1242 4 days ago

    I mean, it still is. It’s honestly gotten better too - for evidence, it’s the one password manager that never gets recommended by sponsored YouTubers but always gets recommended by non-sponsored YouTubers.

    • afavour 3 days ago

      It depresses me that Bitwarden has also taken VC funding, just like 1Password. It’s still a great product but as with any VC product I’m just waiting for the other shoe to drop when it’s revenue generation time.

      • KPGv2 3 days ago

        I honestly don't think the password manager market could bear more than $3–5/mo for an individual user or family.

        I used 1Password for years until they went from one-time payment to monthly sub and removed local sync so you could only use multiple devices by paying them. I think a big decision there was that they wanted $10/mo or something. I can't remember, but at the time it seemed ludicrous.

        Years later, when my new laptop couldn't run the final local-sync version of 1Password, I finally decided to look into password managers again, and lo and behold, $3/mo. I signed up immediately.

  • throwaway918299 3 days ago

    Despite being proprietary, 1Password still hasn’t had any fuckery that I am aware of. I have been tempted to switch to an open source solution many times but I think I’ll be parking right here for a few more years yet.

petterroea 4 days ago

Thank you Bitwarden for listening. This kind of stuff gives me hope for the business model of Open Source.

  • chx 3 days ago

    [flagged]

    • petterroea 3 days ago

      They still handled the situation in a serious and responsible manner, clearly communicating what had happened and why. They then followed up later when the problem was fixed. To me it seems clear that they understood the seriousness of the situation, and why people were initially pissed.

      I think this is the correct way of handling a rugpull scare, bug or not.

Scipio_Afri 4 days ago

Well that’s one way to handle that effectively and in what seems to be open source way without fuckery; glad to hear it cause that was going to be a bit annoying migrating away from them.

amszmidt 4 days ago

Not entirely there yet ... Some parts have been re-licensed, some have been licensed under the old non-free software SDK license. E.g.,

https://github.com/bitwarden/sdk-internal/commit/db648d7ea85...

  • ferbivore 4 days ago

    The non-GPLv3 bits are for their separate Secrets Manager product. It doesn't look like that's advertised as open-source. Bitwarden has always been open-core and not fully GPLv3, and that seems understandable; they need something to sell after all.

weikju 4 days ago

Props to them for stepping in the right direction; it wasn't obvious at all for a few days what they would do.

  • chx 3 days ago

    Repeatedly: when people post shit like this they more or less guarantee the next company won't even try. People! This is one of the few companies which open sources their product. The time to doubt and preach is not here yet... by far.

    • AdmiralAsshat 3 days ago

      Not really. It was keeping them honest. This wasn't like the Winamp thing. Bitwarden has proudly proclaimed itself as "Open Source" from day one. It's right on their front page. It's in their marketing materials. It's in their podcast advertisements.

      I pay for Bitwarden based on the premise that it is open source. If it tries to pull a Meta and decide that "open source" suddenly means whatever they want it to mean in defiance of the commonly-understood meaning, I want to know about it.

      I'm glad they righted the ship on this.

powersnail 4 days ago

It's a welcome change. It still feels like they are trying to be too smart on licensing, especially how to combine GPL and proprietary licensed code, which I think is the root cause of the whole drama. The open core model works better as a hosted service, where you are not distributing the amalgamation of GPL and proprietary. Open core in client code seems a bit too rife for potential misunderstandings and confusions.

Hope it works out for them, though. It's a good product.

threatofrain 4 days ago

GPLv3 is interesting because it means that to use their code in a commercial setting, you must also have the guts to open source too.

  • odo1242 4 days ago

    Not necessarily. You can run a "Bitwarden hosting service" or something like that without violating the GPL. You'd only have to make your changes available on request if you changed the actual Bitwarden source code or linked some other library into it and shared that modified version with someone else (just running it on a server doesn't mean you need to open source changes, for example).

    • hedora 3 days ago

      Yeah; GPLv3 seems designed to give pure *aaS companies an unfair advantage over people that want to give users the option to buy commercially supported hardware that runs the company's software.

      For instance, Google can use bash in their backend infrastructure, but Apple cannot ship it on MacBooks or iOS anymore.

      • jcotton42 3 days ago

        > Yeah; GPLv3 seems designed to give pure *aaS companies an unfair advantage over people that want to give users the option to buy commercially supported hardware that runs the company's software.

        SaaS didn't exist when the GPL was drafted. If that's an issue for you, there's the AGPL.

        • alwayslikethis 3 days ago

          > SaaS didn't exist when the GPL was drafted

          If you mean v3, this isn't true. AGPLv3 was written at the same time as GPLv3, and they reference each other to maintain compatibility (a special provision that lets you use code under the other license provided you follow the other license for that component).

  • npteljes 3 days ago

    Not if offered as a service. That's why they introduced the AGPL, that one has the service restriction too. In terms of a service offering, GPL software is free for the taking, and the restrictions don't apply as the distribution clause doesn't trigger.

  • sublimefire 3 days ago

    The context is inaccurate because it is actually dual licensed so thinking about GPLv3 alone is not painting the whole picture.

    > The default license throughout the repository is your choice of GPL v3.0 OR BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE unless the header specifies another license. Anything contained within a directory named bitwarden_license is covered solely by the BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE.

  • hk1337 4 days ago

    I don’t believe that is entirely accurate. I believe it depends on the application and what you’re doing with it whether or not you would be required to open source it. Like, if you’re distributing the application as a product, not necessarily saas application?

    • nine_k 4 days ago

      Yes, GPL3 only works for directly distributed software. But an important part of BitWarden is exactly such software, in the form of a browser extension.

rochak 4 days ago

No good thing ever lasts, especially in the world of tech. So, I'll be sticking with Bitwarden until they somehow eventually fuck it up and something else takes its place.

  • crossroadsguy 3 days ago

    What will be ideal is a FOSS competitor. At least in the personal usage segment. Until they also start looking at big money and enterprise/professional (which is fine), then another competitor will come in. As long as the chain of export-import-export doesn't break.

MisterKent 4 days ago

People here are incredibly hard to please. Very clearly a packaging issue that got blown out of proportion.

They've done largely the right things for _years_ in terms of security. They've operated pretty transparently in terms of open sourcing. They've allowed vaultwarden to exist, and eventually created a self hostable version as well.

But one bad release with a license screw up and nobody is willing to give them an inch?

I will continue to use bitwarden, and am willing to give them the benefit of the doubt. Especially considering this action above. They are a company that is perfectly toeing the free/oss and commercial line.

  • j_crick 4 days ago

    You build a hundred solid bridges and you get called John the Good Bridge Builder. But lest you once screw up your software licensing and people notice and it blows up, you'll end up as John the Software Screwer in the annals of history... until next week.

    • WesolyKubeczek 4 days ago

      It seems though, that in the world of software, you can unfuck a sheep.

      What worries me, though, is that people who should have known better commit such oopsie daisies more and more (across many projects, I don't mean this one only), almost as if they are testing the waters to see what they can get away with.

      • j_crick 3 days ago

        > almost as if they are testing the waters to see what they can get away with.

        I think if it's a pattern then it's no accident. Of course people will test things. Kids, dogs, it's all the same: if you can get away with something, why not do it?

    • gitaarik 4 days ago

      Well it is kinda blasphemy to swear with evil proprietaryness in a loving FOSS community

      • ValentineC 4 days ago

        And then we have WordPress, former champion of open source and GPL, with all their soap opera drama.

  • froggerexpert 4 days ago

    > But one bad release with a license screw up and nobody is willing to give them an inch?

    I don't have a lot of context on the issue.

    Is it clear it was just a packaging bug, rather than a move towards partially proprietary?

    • ferbivore 4 days ago

      The idea that this was "just a packaging bug" is damage control by Bitwarden. It was a deliberate change, per the CTO's comment on https://github.com/bitwarden/sdk/issues/898 and elsewhere. They slowly worked their way towards adding this SDK dependency to every client, and the SDK was intentionally not open-source. The public outrage is the only reason Bitwarden is GPLv3 again.

    • odo1242 4 days ago

      Yeah - they've always used an open-core licensing model with like a few features (used only by business users/applications) behind a proprietary license. They just ended up mixing the code in a way such that the (theoretically open-source) app ended up having some utility functions for the business version mixed in. Since the client apps don't use that functionality, they split the repository so that you can build the app without using any proprietary code.

      • froggerexpert 4 days ago

        Fair. I didn't know Bitwarden was open-core. In light of this, accidental packaging mixup sounds plausible.

  • the_duke 4 days ago

    Minor correction: the official self-hosted version existed BEFORE vaultwarden!

  • sneak 4 days ago

    For a long time their KDF was bad and the iteration count was low. When I reported it to them they got really hostile and evasive about it.

    Years later they switched to Argon, somehow solving all of the blocking problems they had repeatedly claimed they couldn’t fix.

    I don’t trust the org at all. The software is ok but I only use it because it sucks marginally less than all my other options.

    People who care about software freedoms don’t release proprietary software. Organizations like this or Microsoft are just engaging in open source cosplay.

    • gertop 4 days ago

      > When I reported it to them they got really hostile

      You're not the one who first reported it, but I did see your comments at the time. Calling them hostile is really the pot calling the kettle black, uh?

      • gitaarik 4 days ago

        To me the story also sounds a bit like GP was a bit impatient and felt a bit ignored while the company was already working on the issue but just didn't respond promptly to them personally.

AzzyHN 4 days ago

I don't know why people are saying this is a bad thing.

  • crossroadsguy 4 days ago

    Similarity to past experiences of the start of the decline of services/apps.

    • Capricorn2481 4 days ago

      What app got worse after going open source that you're thinking of?

      • alt227 3 days ago

        It's not 'going open source', as they were always open source; it's a change of license.

        Plenty of other products started slipping downhill after management saw a need to change the license. Why else would you change your license terms if it's not to then be able to change your business practices down the road?

        • Capricorn2481 3 days ago

          I was posing a hypothetical for people that seem to think they were never open source. They packaged a proprietary part of Bitwarden into the app and quickly relicensed it to GPL.

          I don't see how you think introducing a GPL license is gonna lead to worse business practices? Unless you don't know what the license is.

      • crossroadsguy 4 days ago

        > after going open source

        I wasn't thinking that at all. BW started as open source afaik.

  • 3np 4 days ago

    Choosing GPL over AGPL for this kind of project combined with the previous recent CTO messaging is very telling if you consider the architecture of the software(s).

    • wmf 4 days ago

      Telling what?

nocoder 4 days ago

What would be a good way to backup the passwords stored in Bitwarden? I am worried that someday suddenly Bitwarden could stop working and I will lose access to all the stored passwords. Should I have a physical copy of all the passwords stored in a vault at home?

  • Happily2020 4 days ago

    The simplest way of doing this would be to export your bitwarden vault in plaintext (as a json or csv) and then store it as a password protected zip file.

    This should be easy to encrypt and decrypt on all operating systems, and would make it easy to move your vault to a new password manager.

  • fy20 4 days ago

    If you have some sort of home server, I'd recommend hosting vaultwarden (an open-source implementation of the BitWarden server). It works fine with the official apps. Their enterprise model requires a standard API, so it's not going to break anytime soon.

    • beAbU 3 days ago

      This does not take the need for separate backups away though. In fact, I'd argue it makes it even more important to maintain a 3-2-1 backup of your vault.

      Running vaultwarden on a home server is one small disaster away from losing everything. Homelabs typically don't enjoy the same level of protections and redundancies compared to a commercial DC.

  • nichos 4 days ago

    Export your BW vault and import it into KeePass. Then store that file somewhere safe.

  • s2l 4 days ago

    Desktop: keepass variants.

    Android: Keepass2 android.

    Use syncthing to stay in sync.

    • cja 4 days ago

      How to use Syncthing on Android now that the app has gone?

      • s2l 3 days ago

        For this type of data, preference could be toward fully open source stack (i.e. fdroid, etc).

        Another thing I recommend is to enable versioning on syncthing for the database. This way accidental changes can be reverted easily.

  • jannes 3 days ago

    You can do JSON exports within the apps. But careful, all your passwords are unencrypted in the JSON.

  • hexfish 3 days ago

    Frankly I would worry about that with any third party that holds my data. There are a few Bitwarden exporters on Github that also account for attachments (something the builtin exporter doesn't for some reason).

    • aae42 3 days ago

      BW synchronizes all your data on each client... if you logged in before, and your server goes down, you can still log in to a recent client, it just won't be able to update

      you could recover from that

sneak 4 days ago

Doesn’t GPL mean that it can’t be forked and published into the Apple iOS app store?

Presumably they are able to do it because they own the rights and can grant a non-GPL license to Apple for distribution.

This seems to me to still be a “nobody can fork this [and still have a viable iOS app] but us”.

  • cxr 4 days ago

    The last time anyone did a serious published review of the App Store terms for GPL compatibility was probably 10+ years ago.

    I remember pre-COVID trying to validate the popular claim that the App Store terms were incompatible with GPLv3 but being unable to do so. None of the provisions that were originally called out by the FSF were in the App Store terms anymore at that point. Certainly nothing I found in the terms at the time indicated any incompatibility.

  • FateOfNations 4 days ago

    Whenever I've heard about someone having problems publishing a fork on the App Store, it was a trademark rather than a copyright issue. If you fork it, you must completely re-brand it to publish it on the App Store.

    • throwaway290 3 days ago

      Don't forget disclosing the source to users!

  • master-lincoln 3 days ago

    Everybody can fork this and build an iOS app. You just can't distribute through the app store as far as I understand. Would be good now if there were other means to install an app on iOS for non-devs, but users chose to ignore that issue when they joined the walled garden that is Apple Inc

    Maybe the European Union comes to the rescue... (for Europeans)

funvill 3 days ago

As an exercise I created my own password manager in response to the license issues with BitWarden last week.

It's rough, but functional; an exercise, not a real product, never expected to be a real product. https://github.com/funvill/FancyGorillaPasswordManager

The tech is easy. Website, browser extension, iOS, Android, Windows, Linux, MacOS apps done in less than a day.

Gaining trust is hard, who is going to trust a random guy on the internet.

jgauth 4 days ago

This update is great news. I was disappointed to see the issue that got raised last week, and I had started to consider looking for alternatives. I’m going to assume an honest mistake on their end and keep recommending their product. However, if they make a similar move again, I will assume the worst and move on.

  • ValentineC 4 days ago

    To be fair, Bitwarden clients are mostly GPL and can be forked, and there's Vaultwarden for self-hosting.

    We just need to rally together a community that would maintain such a fork.

    • ferbivore 4 days ago

      The iOS client can never be meaningfully forked, ironically due to the GPL. If Bitwarden goes fully hostile that's lost forever.

      • ValentineC 3 days ago

        I don't understand; isn't the repo licensed under GPLv3?

        https://github.com/bitwarden/ios?tab=GPL-3.0-1-ov-file

        Is proprietary config required to build the IPA file?

        • ferbivore 2 days ago

          I was under the impression that Apple requires apps to be distributed under terms which conflict with the GPLv3, so the copyright holders effectively need to dual-license an app for it to be suitable for the App Store. Uploading your own version of bitwarden/ios would then open you up to a takedown notice from Bitwarden Inc. since they didn't consent to this.

          Looking into it again, it seems like the Apple Media Services T&C now has provisions for distributing apps under a "Custom EULA", but it still has weird clauses like the one saying you can't "scrape, copy, or perform measurement, analysis, or monitoring of, any portion of the Content", which their definition of includes apps. (Ridiculous clause since it prohibits so much as looking at an app with Activity Monitor, but whatever.) The GPLv3 has a provision saying users can ignore additional restrictions, but you as an App Store uploader aren't in a position to grant that right, so... the situation still seems legally iffy enough that I'm not sure you could win against Bitwarden if they objected to a fork.

ok_dad 4 days ago

Luckily if they die another will rise up. At this point I’m thinking I’ll just use the Apple Keychain if Bitwarden gets up to no good again.

  • freedomben 4 days ago

    It probably doesn't matter for you if you'll never be leaving Apple's ecosystem, but for anyone else, I think that's something to keep in mind before moving to a non-portable solution like Apple keychain.

    • accrual 4 days ago

      I would love to use Apple keychain but you're right - as a mixed OS user, it's a tough sell.

    • crossroadsguy 4 days ago

      > non-portable solution like Apple keychain

      Yes, non-portable across different OEMs. But Apple Passwords app lets you export your passwords in a nice little simple csv file. It was a suspicion-filled (because it's Apple) pleasant surprise to find that out.

      • rqtwteye 3 days ago

        In the old Apple passwords thing, they used to have that export feature but they took it away at some point. Learned this the hard way when I switched to Linux for a while.

  • lxgr 4 days ago

    Two things are preventing me from doing that: I occasionally want to access my passwords in a browser (and I do not want to log in to iCloud on that machine), and I'd feel really bad about having my passkeys stored in an Apple service with absolutely no way of exporting them in case I ever do switch platforms. (Bitwarden at least includes passkeys in their JSON export format, as far as I know.)

    • ValentineC 4 days ago

      As another commenter has mentioned, Apple Passwords allows export to simple CSV:

      https://support.apple.com/en-us/guide/passwords/mchl35b12625...

      What I dislike about Apple Passwords is how tightly coupled everything is.

      I just tried to set it up on my Windows 10 machine with a local account, but it requires Windows Hello to be turned on, which can't be done except with a Microsoft account.

      Kinda ridiculous of them to force arbitrary restrictions on us.

      • lxgr 3 days ago

        > Apple Passwords allows export to simple CSV

        Not of passkeys, to my knowledge.

        > What I dislike about Apple Passwords is how tightly coupled everything is.

        That’s definitely also discouraging me as well.

  • rascul 4 days ago

    What was the no good that Bitwarden got up to?

    • abathur 4 days ago

      • Capricorn2481 4 days ago

        Sounds like this is what they open sourced? So I don't really see the issue.

        • ValentineC 4 days ago

          It was "source available", but licensed under their proprietary Bitwarden licence and not GPLv3.

          • Capricorn2481 3 days ago

            What I mean is the problem is remedied now and was likely not the big deal people thought it was. Sounds like they packaged something into the software forgetting it was under a different license and quickly relicensed it. But this thread is framing it like they burned a bridge.

  • chillfox 4 days ago

    If I wasn't busy playing with AI stuff then I would be very tempted to build my own password manager cloud service, it feels like a chance to shine shows up at least once every two years in that space.

    I don't know what it is, but password managers just love the high-speed enshittification train.

    • TechDebtDevin 4 days ago

      It's not very easy and you shouldn't do it unless your domain is cryptography. This is something I've tried to do myself as well and realized it's better off left to the pros.

mbix77 4 days ago

Such a pity they are starting to try to move to proprietary model. I have been using them for years. I thought they were different than other "open-source" companies (e.g. Redis).

What are the alternatives for an open-source cross-platform password manager? Has anybody used Vaultwarden already?

  • chx 3 days ago

    No, they are not. They have a separate product which is closed source and there was an accidental mixup between the dependencies of the two. They fixed it quickly. As I posted repeatedly in this issue: we need to be much, much more lenient and supportive of one of the very few companies which still try. If this is the support they get, why would anyone else even bother?

    • ferbivore 3 days ago

      This was not an accidental mixup. Have you actually read the previous issue threads? Their stance was that "there are no plans to adjust the SDK license" before the backlash.

  • NicuCalcea 3 days ago

    I've been using KeePass (mostly through third-party clients) for years and never saw a reason to switch to anything else.

    It doesn't sync between devices by default, but I see that as an advantage, you can use a cloud provider like Dropbox, your own server, FTP, Syncthing, whatever you're comfortable with.

Always42 4 days ago

I have been using Bitwarden for some time, and actually pay for it because I like it so much. Should I switch?

aiono 3 days ago

Good to see this. Bitwarden is one of the few companies that I actually like. And even they can disappoint when profitability requires it, it seems.

RyeCombinator 4 days ago

Can somebody ELI5?

  • chx 3 days ago

    People are dicks to one of the last companies which operate in a transparent manner and open source their product.

    There was a bug, it got fixed. Nothing to see here, move along.

  • wmf 4 days ago

    AFAIK they went closed source the other day which triggered backlash and now they're opening back up.

    • jth1 4 days ago

      My understanding is they were never closed source. Some of their code is GPL and some is proprietary, but all is source-available on GitHub. There was a bug where you couldn't build their client without a proprietary dependency, but they have fixed that so you can now build their client with only GPL code again.

      • palata 3 days ago

        I don't think it was a bug. They dismissed it and clearly said that they had no intention to adjust the license: https://github.com/bitwarden/sdk/issues/898.

        • renewiltord 3 days ago

          To be honest, it looks like he just had an internal model of “internal code no gpl”, “external code gpl” and mindlessly answered based on that. The fact that it made the latter impossible seems to have been successfully impressed on him.

          Overall, I’ll stay a Bitwarden customer. People fuck up and I’m a tit-for-tat-with-random-forgiveness tactic user, not grim-trigger.

          • palata 3 days ago

            I could accept that he doesn't understand how open source licenses work, or doesn't care, and that it was not meant as a shady move. But still I wouldn't call it a bug, and it does not inspire confidence. Still it's not LastPass-bad.

            This said, I still recommend Bitwarden to my family. I moved to pass (https://www.passwordstore.org/) a while ago just because it corresponds better to my needs and I have more control.

reptation 3 days ago

I looked into Bitwarden but hard to see what it offers over Psono and the pricing is significantly steeper.

aussieguy1234 4 days ago

I started using BitWarden as my main password manager after the LastPass security breaches.

PaulKeeble 4 days ago

Once an organisation has tried once they invariably do it again and again until they find a way of getting what they want. The customers tire of complaining over and over about little enshittifications and eventually the company wins. Once they start, it always goes the same way; it just often takes a few goes before most give in.

It will be years until it becomes awful, but the process has started. It's really a shame every company has to do this with otherwise good products.

  • gitaarik 4 days ago

    If that were the case, I wouldn't have expected them to change it back. I don't think it was that bad of an impact for them; they are already big enough in non-hardcore-open-source communities that they could pull it off and afford to lose some customers to go proprietary. I'm actually really positively surprised by them that they actually picked up on this issue raised by the community and that they fixed it very promptly.

    Yes the trust was seriously damaged, but this move does restore it largely for me.

la_fayette 3 days ago

We moved to passbolt and we are happy with it.

Beijinger 3 days ago

I may check it out again. But I love the commercial product enpass.io (I use the free version, don't need it on my cell phone).

imaginebit 3 days ago

Does it potentially compromise the data security?

minebreaker 4 days ago

https://github.com/bitwarden/clients/issues/11611#issuecomme...

> We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

shelled 4 days ago

BitWarden has lost the trust. Besides, recently there was a blocker bug on iOS, and on Reddit I found out it happened earlier as well. They didn't even want to debug it, and when I suggested this and asked whether they have any issue logged on GitHub where I could provide logs, they went radio silent. Follow-ups went completely unanswered. And yeah, before that they had given a solution (because reinstall/re-login, nothing had worked): export your data, delete your account, create the account again, and re-import your data; that "should" work. Honestly it was worse than "restart your computer".

I guess it's time for another FOSS player here. It's fine, such things are cyclical I guess. Happened to LastPass and Authy, and someday it will happen to Ente and 2FAS and so on.

  • Capricorn2481 4 days ago

    > BitWarden has lost the trust. Besides...

    I'm confused what you're responding to. You're making it sound like this was a bad decision and your anecdote was another thing for the pile, but this is a good decision.

    • hnbad 4 days ago

      Someone else linked the GitHub issue that triggered this change and most of the replies are in the same tone as the comment you're responding to.

      Which is all the more ridiculous as this looks like it wasn't really a big license change decision but more of a "forgot to change the license on a component from our internal default". Assuming malice seems like the most boneheaded reaction to this given that there are no other indications Bitwarden was trying to do anything nefarious and the previous license state would have made every single library or tool depending on it non-free.

      This is different from criticisms of Mozilla for example which often boil down to "Mozilla positioned itself as privacy-focused but adds a privacy-violating feature you have to opt out of while claiming it's actually fine". Bitwarden never was 100% FLOSS to begin with but introducing downstream license problems is clearly against their own interest. Unless you believe Bitwarden is run by evil idiots who do evil things for no good reason (business or otherwise) whatsoever and then quickly cover their tracks only when called out, "oops" is the only explanation that passes the sniff test.

      Here's what someone from Bitwarden said in that issue:

      https://github.com/bitwarden/clients/issues/11611#issuecomme...

      I think the submission should be rephrased as "Bitwarden SDK fixed license of sub-component" or something. Which of course sounds less bold and interesting and newsworthy because it really isn't.

      • kuschku 3 days ago

        > "forgot to change the license on a component from our internal default"

        https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...

        > Additionally, one thought that came to mind in evaluating this that might make this not possible is that our rust SDK, a dependency, is not published under an OSS license. See https://github.com/bitwarden/sdk . I assume that is a problem that might disqualify us from the main [fdroid] repo still.

        https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...

        > At the moment, there are no plans to adjust the SDK license.

        Doesn't sound like a mistake:

        https://github.com/bitwarden/sdk/issues/898#issuecomment-222...

        > There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

        • hnbad 3 days ago

          > [O]ur goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

          This does, though:

          https://github.com/bitwarden/sdk/issues/898#issuecomment-242...

          It seems they reconsidered after the change impacted their F-Droid release. They've always been Open Core not fully Open Source so the SDK not being OSS isn't surprising. It just seems like they didn't think about the consequences of integrating a non-OSS SDK into their OSS clients.

          Your first quote actually explicitly says that this incompatibility only became apparent after the fact:

          > one thought that came to mind in evaluating this

          So, yeah, a mistake although it's not so much they "forgot to change the license" but didn't consider which license it should use and stuck with the default.

          > There are no plans to adjust the SDK license at this time

          This doesn't mean it was an intentional choice or well thought out. It would have been pretty stupid to say "yeah, we actually just went with proprietary because it's the internal default and didn't think about the pros and cons of keeping it that way" so in lieu of wanting to make a decision then and there or signaling radio silence, that's just a standard corporate non-answer.

  • chx 4 days ago

    [flagged]

    • shelled 3 days ago

      [flagged]

      • chx 3 days ago

        Observe how I posted about content while you posted about ... me.

        There's a difference.