In February, longtime CEO Michael Crandell moved to an advisory role, according to LinkedIn, with no announcement from the company. His replacement, Michael Sullivan, former CEO of both Acquia and Insightsoftware, touts his experience with “all facets of mergers and acquisitions” on his own LinkedIn page, including experience working with leading private equity firms.
In combination with downplaying the free plan and removing any hint of now politically unfashionable DEI-like language, what this screams to me is: Bitwarden is being prepped for a sale.
LogMeIn buys Lastpass, multiple massive breaches occur[, people move to Bitwarden].
if bitwarden is acquired and the new owner decides an open source version of their product is not a business necessity, without someone actively supporting the salaries of engineers it’s unlikely to continue to be secure for much longer.
In my search for alternatived I stumbled across https://passbolt.com/ AGPLv3 and does support sharing single secrets, but no free hosted version. Free if you self host of course.
It guess it's a vaultwarden without "the man in Nebraska" problem.
I wanted to like it, but didn’t.
And how is that relevant, either way?
What do people recommend? I'm on Linux/Firefox/android and don't want to self host.
This new CEO is a massive red flag. Literally nothing about anything relevant to the product or industry, though he's apparently good at private equity and selling orgs.
Probably worth jumping ship now before it mutates into another shitty corporate org, except this one is keeping your passwords.
Years ago I used a free workout app that I really liked. After a few months of using it I recommended it to friends. I only much later found out that I was on a grandfathered version of the free plan without ads or restrictions. The company had made changes to the free plan since I joined, and all new accounts (like my friends) were subject to ads and restrictions.
It was embarrassing to have unknowingly recommending something like that.
(That said, I am also concerned about the direction Bitwarden is taking. I just think this shows that even OSS projects can have direction/rugpull issues.)
Whats to say this will still be true if the company gets sold?
I pay for a service for my family because I need reliable and easy for my wife and daughter to use it.
People stake their own personal reputations behind their recommendations. I don't think quietly changing the product without warning is doing right by their early adopters.
I've tried many workout apps. Besides tying you to your phone (because their Watch apps aren't great), they ALL sell out eventually.
https://www.passbolt.com/pricing/pro
https://www.passbolt.com/vs/bitwarden/overview
https://www.passbolt.com/docs/hosting/install/
PHP backend (IMHO a downside): https://github.com/passbolt/passbolt_api. But There appears to be a significant amount of auditing behind Passbolt's security claims, assuming the information on https://www.passbolt.com/security is accurate.
All those people who paid half a mil on education must appear useful at the expense of us all!
Pour one out for another open source project "optimized" by VC
I'm moderately decent at self hosting. I'm fairly confident in my backups and security.
But also, I am not a system backup nor security expert, and I don't want to become either.
The one last thing that I really want to leave to the experts is my secrets management.
My worry however is about the future - what if a core functionality goes behind a paywall.
" Just getting started? Get basic password management today. Always free. Create Free Account "
See https://bitwarden.com/pricing/
EDIT: the article correctly mention that in an UPDATE
" Update: After publication, an employee on the Bitwarden subreddit said that “Always free” had been restored on its pricing page, calling it an “oversight” by the marketing team. The product page for Bitwarden’s personal password manager remains unchanged. "
I wasn’t paying for the code tbh, I could always self-host (VaultWarden) at home behind Tailscale, it was all about the management, uptime, and most importantly, supporting a good software I used and loved for years.
Sad, really.
I’ll either move to self-hosting it at home behind TS, or going back to keepass tbh, anyway, I’m not staying on a sinking ship.
P.S: VaultWarden had a few bad CVEs this year (like an Auth Bypass), but when I looked deeper, it wouldn’t have much of a negative effect on me as a self-hosted home user that shares everything with family.
They also ruin software.
The cherry on the shit cake is that they did not give me any heads up at all. Quite sad. Bitwarden has been consistently one of the best pieces of softwares I have ever used. Simple, just does what it does and gets out of the way.
Sad really ...
But, the main developer of works at Bitwarden.
Thankfully you can easily export your passwords and move to another system (unlike say Authy where we had to inject Javascript to extract the TOTP seeds).
Separately, I don't know if there is a self-hostable password manager which allows easy family sharing. (KeepassXC won't work, I believe, because the whole vault is a single file.)
But I’ll probably have to rethink recommending it to people, since any type of friction is seriously harmful here.
The writing on the wall seems to have been when they suddenly doubled the price of a yearly subscription without notifying anyone. That struck me as skeezy as **...looks like it may just be the beginning.
I hope people are actively mirroring their GH repos, because I expect at some point they might suddenly decide to change the license to Proprietary and move to scrub the repos from the web. At which point, the community will then fork the last-free version and start to maintain a fork.
Which I really don't want to see happen, because having to move all my shit for myself and my family again after the LastPass debacle is going to be an extraordinary headache.
I am locked in with paid annual until Next January, but if I have to change again do to enshittification or changes made to, what I felt was a good open-source product and company, I am not going to be happy, nor will my family.
I'm pretty sure I have never cared about what values a company listed on its careers page, unless I am considering working there.
whenever i need any new feature, i just add it.
On password managers, anyone using ProtonPass want to chime in on how it is? I’ve read online that Proton (as a company) has a tendency to start working on new things all the time and let the ones they created remain half baked and languishing (to some extent).
I’m not into KeePass and other local password managers since I need a shared solution for multiple people using the same vault.
Obviously predictable. Bitwarden is now in the extraction phase and it is now time to pay an expensive...
...$1.65 a month.
I use Vaultwarden right now. Part of the reason was that I wanted something where there was a minimum guarantee. In the case of Vaultwarden, I can always fall back to the web interface if needed. It wouldn't be convenient, but it guarantees no one can take away my password vault.
I really hate the per user per feature per byte per year pricing structure that everything has morphed into. I don't mind paying something for good software that I rely on, but having everything locked down and controlled by a 3rd party with continually increasing subscription fees is terrible.
I've worked in the small business space my whole life and it's being destroyed. Private investors are buying everything. I'm talking about owning all the small businesses of certain types; family doctors, dentists, optometrists, vets etc. seem to be the big target. It's terrifying and most people don't even realize it.
It's very sad to see core values that turn out to be lies. Always free is a tough spot to be in, but these companies could absolutely use a better business model that doesn't kill small businesses. And, based on what I see, increasing IT costs are killing small businesses.
What we need in the small business space is a tier of services where small businesses can self host using their own on-premise, vertically scalable infrastructure (ie: 1 server). In most cases they can tolerate some downtime and, even if they don't want to, a lack of resources usually means they don't have a choice (ex: they're not running HA network connections).
Businesses with <10-20 employees are often viewed as not being worth the effort of having as a customer, so they end up with self-serve, unsupported, non-discounted, over priced, trash subscriptions. By the time they grow enough to be a valuable customer their only experience with some products is misery.
I wish I could set up small businesses with self-hosted infrastructure that can't be rug pulled while they're still small with an easy upgrade path into a hosted service if/when they grow.
I think the same: Small service businesses care most about Time To Recovery (TTR) when doing services. As long as they communicate at least by phone and the website is up, they usually tolerate downtime when they know when their backoffice services are back online.
This is classic Business Continuity Management, 5-10 questions usually make clear what must work in every case when and what has to be available for supporting this process. Example: I got a customer which prints all logistics / distribution labels in batches. They can still work where money comes in (=shipping stuff) for quite a long time (4h min, 8h max) if the next batch of labels cannot be printed / some system is going down needed to support shipping. So no need for expensive HA around legacy software, but enough time for a good process to get back online with the latest backup on replacement hardware which is already there on-site.
The thing is: HA is FAR more expensive and complicated than e.g. getting another stand-by server as fast replacement, maintain the hypervisor on this second server e.g. every six month and test restoring backups on it once a month (best: automated: IMPI boot, restore without VM networks, testing, shutdown). Same with a firewall; two used Enterprise Servers + Proxmox VE Subscription, OPNSense + 2 x N150 Hardware and two consumer WANs (e.g. Cable and VDSL) is really not that expensive if only the WAN is a bit more complicated from the POV of a SME admin because of failover. Classi VLANs+ACL and services like surveillance as needed...
> Businesses with <10-20 employees are often viewed as not being worth the effort of having as a customer, so they end up with self-serve, unsupported, non-discounted, over priced, trash subscriptions. By the time they grow enough to be a valuable customer their only experience with some products is misery.
Exactly. This is why I do SME IT since ever, no matter for which $BigCorp I've done consulting and DevOps. I automate them. I consult them. My company (plug: https://foundata.com) does it for a few bugs per month (Hypervisor, Groupware (Calendar, Mail) Firewalling, VPN, Directory Services, Jitsi/OpenCloud/BBB) if they understand that they finance the high quality of the managed services ON THEIR HARDWARE with all other customers and we do not work per-hour but per-service + we run Open Source also for other reasons than "no or fewer licensing costs".
And I like it even this does not make you rich. Because I REALLY share your concerns ("owning all the small businesses of certain types; family doctors, dentists, optometrists, vets" -> I don't know where you are from, but it is the very same here in Germany... example: https://www.ndr.de/fernsehen/sendungen/panorama3/Spekulanten...)
Just use KeePass.
I use a self hosted Nextcloud, but you don't have to.
KeePassXC allows you to automate opening a database from the URL column. My family and I share a second database and open it from there, but it's super kludgy on any other device.
My annual renewed just a month before they did that.
