Bitwarden scrubs 'Always free' and 'Inclusion' values from its site
fastcompany.com
253 points by gpi a day ago
Actually, the part of the article that made me prick my ears up was this paragraph:
In February, longtime CEO Michael Crandell moved to an advisory role, according to LinkedIn, with no announcement from the company. His replacement, Michael Sullivan, former CEO of both Acquia and Insightsoftware, touts his experience with “all facets of mergers and acquisitions” on his own LinkedIn page, including experience working with leading private equity firms.
In combination with downplaying the free plan and removing any hint of now politically unfashionable DEI-like language, what this screams to me is: Bitwarden is being prepped for a sale.
This feels like deja-vu with Lastpass.
LogMeIn buys Lastpass, multiple massive breaches occur[, people move to Bitwarden].
Did Lastpass have a project like Vaultwarden behind it at the time? I'm hoping against hope that that will keep us with an open vault.
Vaultwarden is great, but password managers are security-critical software that need consistent maintenance and constant updates.
If Bitwarden is acquired and the new owner decides an open-source version of their product is not a business necessity, then without someone actively paying the salaries of engineers it’s unlikely to continue to be secure for much longer.
> vaultwarden is great, but password managers are security critical software that need consistent maintenance and constant updates.
You’re acting like this isn’t the case already with vaultwarden? (and it’s easier to host as well, making for easier updates) https://github.com/dani-garcia/vaultwarden/releases
Is it possible that you are assuming they are referring only to Vaultwarden itself? Half of the equation is a server component compatible with every app produced by a company, the other is every app that is produced by a company. If the company decides to stop being compatible (by changing their own communication), what are you left with besides the built-in web interface and a handful of “maybe-compatible, maybe-secure” apps?
Security updates aren’t just about the vault. What does having a fancy locking system mean if the moment you open the door everyone can just walk in?
Most people just want a product to do what it says from all their devices, and don’t care about any of this stuff. As such, they are more inclined to simply move to yet another least-friction mature ecosystem.
Vaultwarden as an alternative is a bit like suggesting a third-cousin who homebrews beer in a trash can knows a viable alternative as a nationwide replacement for Budweiser, because they both happen to use the same shape of bottles. I’m sure some family and friends might go along, but everyone else is just going to pick a new common brand that is similar to what they had, not start brewing their own beer. Some will…for a while.
The best thing about self-hosting your password vault is that you can be naive about how many times it has been compromised without detection.
(I’m not against self-hosting things — I’m against acting like it is a realistic alternative for average people who almost never have the skills to implement it securely.)
The issue is that a huge amount of value is tied up in the client applications, which do not have community-maintained equivalents.
Well, it was nice while it lasted.
I use bitwarden, but it not being able to share a single secret is becoming an issue.
In my search for alternatives I stumbled across https://passbolt.com/. It's AGPLv3 and does support sharing single secrets, but there's no free hosted version. Free if you self-host, of course.
I guess it's a Vaultwarden without "the man in Nebraska" problem.
Looks promising. But no hosted offers for individuals as far as I can see.
This is what made me and others nervous when they announced a huge investment into the company a few years ago. It was already a good and self-sustaining product, and taking on that investment was just going to create an expectation of returns later down the line, something that was more likely to result in enshittification.
When did they remove DEI language?
And how is that relevant, either way?
It's relevant because it was ostensibly a value of Bitwarden's at some point, but they've thrown it under the bus now that they're looking for a buyer.
As the other person implied: if they're throwing out some values now, which other values will they throw out in the future?
To get approval for a merger under the current US admin, a company needs to show ideological purity.
Yay for kowtowing to fascism to make a quick buck. The capitalist machine continues to show indifference to our suffering.
Well that's a shame. I've been paying for years now, very happy in general.
What do people recommend? I'm on Linux/Firefox/android and don't want to self host.
I knew something was wrong when they started showing a popup on the web vault asking you to subscribe, every time you open it.
Enshittification incoming.
The price doesn't seem bad, though this case smells of some sort of greater internal shift that's, at least for me, indicative that Bitwarden is being turned into a profit-machine-at-any-cost rather than providing a good service for money.
This new CEO is a massive red flag. Literally nothing about anything relevant to the product or industry, though he's apparently good at private equity and selling orgs.
Probably worth jumping ship now before it mutates into another shitty corporate org, except this one is keeping your passwords.
Thoughts and reviews about Passbolt? TOTP handling seems a bit off, extensions are not mostly read-only (OK for me). But the "share a single secret" access control seems nice:
https://www.passbolt.com/pricing/pro
https://www.passbolt.com/vs/bitwarden/overview
https://www.passbolt.com/docs/hosting/install/
PHP backend (IMHO a downside): https://github.com/passbolt/passbolt_api. But there appears to be a significant amount of auditing behind Passbolt's security claims, assuming the information on https://www.passbolt.com/security is accurate.
I stopped endorsing closed-source software to friends and family years ago, because you can't trust the companies behind them not to quietly change directions.
Years ago I used a free workout app that I really liked. After a few months of using it I recommended it to friends. I only much later found out that I was on a grandfathered version of the free plan without ads or restrictions. The company had made changes to the free plan since I joined, and all new accounts (like my friends) were subject to ads and restrictions.
It was embarrassing to have unknowingly recommended something like that.
Bitwarden is open-source though? This is about the hosted version of it, which has a free tier. But you can run the same software on your server at home if you want, for free.
(That said, I am also concerned about the direction Bitwarden is taking. I just think this shows that even OSS projects can have direction/rugpull issues.)
> But you can run the same software on your server at home if you want, for free.
What's to say this will still be true if the company gets sold?
The fact that Vaultwarden exists?
How long after a public sale will Bitwarden clients remain compatible with Vaultwarden? The new owners could put a check in all clients on the first day of ownership if they wanted, and Vaultwarden would immediately be obsolete and useless.
I wonder if Bitwarden shit on everyone, how long it would take for Vaultwarden specific clients to appear. A browser extension would be pretty simple, app store apps are a bit more complicated because of the pay-to-play aspects.
The problem is once Vaultwarden clients appear, then Vaultwarden becomes its own complete system and is no longer able to rely on the good reputation of Bitwarden. Plus developing clients for multiple browsers and OSes is a lot more difficult than just keeping a back end up to date.
If they went this path I think I would jump ship to a paid service.
As soon as they break compatibility with the official clients, it becomes much tougher. Even though the current versions can be forked, the whole system is set up to work against any kind of grassroots effort to maintain an open source version.
Apple and Google being the gatekeepers for all mobile app distribution is a real pain point. Without the clout of a big brand name the risk of being unable to distribute apps goes up.
Except that we do have Vaultwarden, so those who haven't already switched still have an option.
Vaultwarden relies on the goodwill of Bitwarden to allow it to use its clients for compatibility. I would wager a new owner looking for money would block that pretty soon after buying the company.
The clients are open source. If Bitwarden removes the ability to select the server, people will just fork the clients.
Again, for how long? The answers to all the questions seem to be the same. If Bitwarden was sold, they could remove all of this free functionality and interoperability with 3rd-party clients immediately.
Then you could say, well, Vaultwarden will work with these forked clients, but then you are placing your security in the hands of multiple different open-source maintainers, and Vaultwarden then has nothing to do with Bitwarden and becomes some random back end + some random 3rd-party clients.
Sure, but vaultwarden as a system would be entirely usable, I don't think a lot of it is really relying on the bitwarden compatibility for much more than a little convenience.
Usable, yes, but trustable? Not without some serious backing and regular auditing from some public security experts.
IMO the fact that the existing Vaultwarden system relies on Bitwarden clients and therefore carries Bitwarden's secure reputation is its main selling point. Take that away and Vaultwarden is nothing more than some random back-end software that cannot really be trusted.