MaKleSoft's comments

You're absolutely right. Of course there is no guarantee that whatever alternative you seek won't turn out the exact same way. But unfortunately all you can do to punish that kind of behaviour is to vote with your wallet and move somewhere else. And hope it'll turn out better this time... There ARE people out there who are trying to build a profitable, ethical business instead of chasing unsustainable growth. Unfortunately the only way to find out who they are is by giving them a chance...


If you're a Bitwarden user and this doesn't worry you, you haven't been paying attention to the history of almost every company that has accepted VC funds.

It doesn't matter how well intentioned the founders are - once you accept that kind of money, it's not your product anymore. You are now in the business of making money, nothing else, and those skewed incentives will start bleeding into their product and business practices sooner or later.

As a company, Bitwarden has been a huge role model for me, and I hope they'll be the exception to the rule. But $100M is a lot of money, and I simply can't imagine it having a net-positive effect on the company and product. But we'll see...

For anyone looking for a bootstrapped, open source alternative to Bitwarden, check out Padloc:

https://padloc.app/ https://github.com/padloc/padloc

(Disclaimer: I'm the founder)


That’s a hell of a disclaimer after a decently alarmist comment. You may be correct, but I’m not sure it’s appropriate for you to raise that point given the conflict of interest.


Seriously, talk about burying the lede.


I would have simply reversed the order of the post.

"We're building padloc because we see no way to avoid X Y Z"


I fear for this world if one cannot responsibly process the data they're given after all the cards are put on the table.


The only conflict of interest here is the VC looking for a quick exit as rates are rising and your comment shooting down what appears to be a bootstrapped alternative/competition.

Although I wonder how much it will take for this padloc fellow to turn around and announce that he decided to accept VC or, even worse, issue tokens on Ethereum.

We are almost at the Minsky moment and a lot of founders are going to realize they no longer own the companies built.


disclaimer is good tho.


Isn't bitwarden[0] already open source and aren't you just asking people to trust you till you take VC money?

[0] - https://github.com/bitwarden/server


Not only that but even the clients are open source ( https://github.com/bitwarden/clients ).

There's even an unofficial Rust reimplementation of the server which is even better.

Parent post is spreading FUD on this one.


The product being open source doesn't prevent the situation the OP mentions. It just provides a mitigation or a workaround by forking.

I also hope it won't happen but many good projects have gone this way before.

In this case the investment is not for the password manager but for a new identity service. However if that doesn't end up providing the promised results, the shareholders will start looking at the existing successful product to extract more value. After all they own part of that now and they want their returns. It's just what they do. This will clash with the users' best interests sooner rather than later.

Then it becomes forking time but can they find a good maintainer? Open source is not always a guarantee for continuity.

Of course if the new project pans out this won't happen but it's a gamble, and one the existing userbase never asked for.


There is already a well-maintained third party implementation of the server.


The server and client are open-source, and independently audited regularly since 2018

https://bitwarden.com/blog/bitwarden-network-security-assess...


Yeah the Rust version works well. I had an issue with it when importing passwords from a file exported from Dashlane, but other than that no issues. And I run it on a bottom tier Digital Ocean vm.


Lots of people can't set up their own bitwarden servers on a slow weekend. Yeah I can, but I venture 98% of people can't. Sorry, you're assuming everyone (including every HN audience member) can do that. Are we supposed to just keep quiet? I think we all know what happens when the VC folks come in. If you haven't lived through it (I have a few times now) you've at least heard about it if you read tech news at all. As long as the comments are respectful I don't see any reason to gatekeep them.


That's how it looks to me as well. OP's claim borders on FUD and comes across a bit disingenuous while shilling their project. Bitwarden is open source as well and there's also this independent popular 3rd party project that uses the bitwarden protocol that is much loved by the community.[1]

1: https://github.com/dani-garcia/vaultwarden


When the person declares it's their project, it's not disingenuous.


Paying Bitwarden user here.

This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?

I'm interested in your alternative. I hadn't heard of it, went on your site and it looked decent, I think if I had seen this before going with Bitwarden I'd have seriously considered it, BUT now that I'm a keen BW user, it doesn't seem as if there is enough for me to switch.

Are you also definitely never going to take VC money? Or an acquisition, say, by Bitwarden? Why should I trust you (and a product I've only just learned about)?


> This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?

This is easily said, but remember you're talking about a security-sensitive application. Do you really trust yourself to keep your fork secure? I know it doesn't look like it on the surface, but password managers have become wickedly complex, especially if you require things such as shared vaults, audit logs, a zero-knowledge architecture etc. The reality is maintaining your own fork won't be feasible for the vast majority of users, even those with a technical background.

> Why should I trust you (and a product I've only just learned about)?

The simple answer is that you shouldn't. You should ALWAYS be sceptical, and look for possible indicators of a company heading down the path to the dark side. Like taking a 9-figure sum of VC money for example ;)


> Do you really trust yourself to keep your fork secure?

No, but I don't need to. Considering how many people are already contributing to Bitwarden's Github in the form of PRs and such, if worst comes to worst, there should be plenty of people who can maintain it.


So just to be clear, "bootstrapped" means that you won't accept an offer of $100m, so we should trust you rather than bitwarden?


Well, yes. But to be fair, I bet there is a 5-year-old HN comment of a Bitwarden founder somewhere saying the same thing...


Bitwarden probably isn't worth 100M in its current shape, and investors will want their money back (plus profits!). This means things have to change.

Change how exactly? More money needs to flow.

VC investments: a mechanism where the rich invest their spare money on other in order to extract more wealth for themselves.


Bitwarden is also open source and self hosted. If they should ever make their product not free, I can just keep running the last version and fork it to further improve it together with other people, can't I?


You can, but will you?


The points I was trying to make are that...

1. sure, it's great that it is open source and that I could self host, but honestly, it's just not worth the trouble for me and I'd rather pay 10-20 euros for someone to take care of that for me. Self hosting my password manager would take a significant time investment and constant worry whether I'm doing it right. It might be because I'm primarily an app developer now and not a backend expert anymore.

2. Most big projects like Bitwarden are alive because there is a company and many full time employees behind it. Once that's gone, relying on a couple of passionate volunteers might not be enough to keep the project alive.

All in all, I've been using Bitwarden since the LastPass fiasco, I'm very happy with it, paid user with my family, but if I had to self host or volunteer, I'd not have the bandwidth to do so and I'd rather switch to another solution, even if it would mean I need to pay.

I think that people who say "it's open source, I could just self host and maintain the project" often underestimate how much effort that really is. Sure, it's possible, but will you actually do it?


I'm already self hosting it, took 3 minutes to set up a self updating docker container.


Then I must have overestimated the effort needed for an experienced dev to set things up. I assume I would need a day to figure out how to best self host. Thanks for the info, I'll give it a try this weekend.


I just looked at your CI. Very very few automated tests. It isn't a deal breaker (Bitwarden honestly isn't much better), but it doesn't instill much confidence in your application either.

https://github.com/padloc/padloc/runs/8205722258?check_suite...


I think your conflict of interest / disclaimer should be stated at the beginning of your post


You're right. It's too late to edit it now but I'll keep it in mind for next time.


They're right you know. This happened to Keybase a while back and some nasty stuff happened to it and it is now in someone else's hands.

Hope this won't happen to Bitwarden but we'll see. But anything is still possible.


Keybase was an entirely different case... first of all, they didn't just take VC funding, they were bought outright ("acqui-hired" by Zoom for their skillset). Secondly, they didn't have any significant income, whereas Bitwarden has been a profitable business all along.


I don't have a well-formed opinion one way or the other, but it is interesting to me that this comment made it to the top of HN. By contrast, a submission about Tailscale raising the same amount of money had comments that simply sounded exuberant about the implications (https://news.ycombinator.com/item?id=31259950).

Is it just that our anticipation (or foreboding) of the effects of capital infusion is biased by our priors about the company? Or, some other reason?


Have you undergone a security audit like Bitwarden? Why would I trust you instead?

I'm (casually) looking to move off LastPass. Padloc looks pretty good, but I'm hesitant to go with an 'unproven' solution.


Yes. We've been around for quite a while actually, and have completed three independent audits. One just recently by Radically Open Security [0].

[0] https://padloc.app/blog/security-audit-ros/


Thanks, I’ll take a look.


Questions:

* What makes you invincible to investment?

* What makes you different from BitWarden? (They are also open source, might have been bootstrapped too, and also claim to be audited.) You seem to only really be "an alternative", which is great, but you kind of oversell it I think.

* "I simply can't imagine it having a net-positive effect" --> or do you mean on "your" company? Because you seem to also sell a product: access to the hosted solution of your open source product.

* Open source BitWarden server-side API implementations exist... Even in Rust (not that that matters that much given the nature of e2e encryption).

* Are you not interested in one day providing an enterprise tier over your family tier?

Disclaimer: I'm a satisfied user of BitWarden's free tier for some years.

So here are my main gripes with BitWarden:

* There is an option to send them your password file for them to import it. This goes against their e2e philosophy so much that I believe it should have huuuuuge red tape around it, and it does not. They should deliver this type of functionality in a manner that I can run it on my local machine.

* Horrible UX. I've often been searching where they hide the save or edit button this time. Your product looks nicer in this department.

Good luck with your product! I'm a little busy, but I may give it a try some day. To me there is a safety in BitWarden not going belly up, and alternatives (self-hosting and your product) existing.


Not gonna lie, I'm having a hard time justifying the 3-4x increase in cost for Padloc vs. Bitwarden. The pricing is only rivaled by 1Password, which makes it a hard sell to me...


Well, there is the problem, isn't it? If people aren't willing to pay what amounts to a cup of coffee a month for a service they rely on daily, how are companies supposed to build a sustainable business without raising money?


Now that every single damn service out there is costing me a cup of coffee every month, I end up paying a couple of coffee jugs a month. Are we seriously going to shame customers for trying to cut some costs in this economic context?

As a customer, what I can do is compare with the competition. Padloc is more expensive than basically every other option out there. And as far as we can tell, Bitwarden was already running privately before this VC round (which seems aimed at expanding their offerings past password management) which doesn't seem to point to it being unprofitable at its current price point.


> Are we seriously going to shame customers for trying to cut some costs in this economic context?

That all depends on the margins of what is being offered. If you are proposing they sell a dime's worth of product for a nickel, then I would see the above post as a much more polite version of the correct response, which is "get lost."


I have no idea of the margins, and expecting customers to know about your operating costs without either disclosing them outright or asking the question is an... interesting take. All I can realistically do is compare with the competition, and the competition is cheaper across the board. Therefore my initial comment.

I'd have no problem paying more for a good product if it brings me something. In the meantime, I'm still left pondering. "Get lost" would be a rather crappy way to treat customers simply asking questions, wouldn't it?


I wish we’d stop with the cup of coffee comparison. Not everyone lives in the USA and drinks Starbucks. A cup of coffee costs 0.70€ where I live¹, cheaper than the cheapest (non-free) App Store app. Furthermore, I don’t drink coffee.

For me it’s not about the price but the recurring cost and the lock in. I’d rather pay a larger sum upfront when I’m sure I can afford it and reevaluate when it’s time to upgrade than be sucked dry bit by bit and have to drop everything to scramble to find an alternative when the developer decides to remove features and jack up the price overnight as they keep the data hostage.

¹ Smaller than a Starbucks coffee, but also higher quality.


Totally agree. Every single new subscription product someone buys that can't be run independently or avoid updates adds tech debt to their personal life. At some point that product will be killed, degraded, or made much more expensive. Software that can be purchased once and run indefinitely is all upside on the long tail.

I wish more companies followed the Jetbrains model where a subscription buys lasting access to the current version and recurring payments gets you continuous updates. It's easy to see why companies mostly avoid this model though; it's easier to squeeze users for money when you have them held captive.


I watch Netflix daily, and the content costs much more to create, maintain and serve. It costs less than a cup of coffee per month.


This.


FFS, changing password manager is a pain in the ass. I've already migrated from 1Password, now I have to do it again?

Argh. If only there was a decent cloud-based open source alternative that worked on Windows, Linux, iOS, macOS, Firefox and Chrome.


Vaultwarden is an open-source password management server option that implements the Bitwarden server API which makes it compatible with all the existing client applications and browser plugins.

Since the Bitwarden feature-set is pretty darn good my hope is that some foss "bitwarden-api" client applications come along and that'll offer a more independent solution.


A dedicated import feature for Bitwarden is coming in v4.1 later this week: https://github.com/padloc/padloc/issues/561


Yeah, that's why I have just stuck with Apple's keychain.


This is the real answer for most people - especially if they've drunk the Kool-Aid, as it were.

Keychain will continue to get better and better for those in the Apple ecosystem, and for much of those outside it, Chrome provides enough.


But only if you are deeply in, like using Safari on OS X instead of, say, Firefox.

Having a Windows box as well as all my Macs makes it less nice.


Thanks for the recommendation of padloc. I will be checking it out tonight. I really enjoyed my time with Bitwarden, it was quiet and calm and no sudden surprises.


Now that you have criticized Bitwarden for accepting the funding, please explain how your approach is different. Are you really not interested in monetizing your own product, and developing it only for the benefit of your users, without any economic incentive on your side?


https://padloc.app (currently in beta. shoot me an email if you want to try it: martin@padloc.app)


Allow me to plug my own product: https://padloc.app The new version (currently in beta) has a "Family" plan which is perfect for this. We're also planning to introduce a "dead man's switch" feature that will grant access to selected family members or friends if you haven't logged into your account for a while. Shoot me an email at martin@padloc.app if you're interested in signing up for the beta!


> Don't suppose there's anything out there that can import the lastpass db?

Padlock does: https://padlock.io/howto/lastpass/

Disclaimer: I'm the developer


I don't understand why so many password managers go through so much trouble to implement auto-fill. This one has an interesting approach that seems to be slightly less intrusive than what, say, Lastpass is doing but I still don't really see the value outweighing the cost.

Yes, auto-fill - if implemented well - can add some convenience for the user but it usually adds a significant amount of complexity to the codebase and comes with some challenges regarding security. In fact, LastPass' autofill feature is/was the root cause of some very scary vulnerabilities[1].

Copy&paste is simple, broadly understood and supported in much the same way on every single platform. And in my experience, it's really not that much slower than auto-fill.

It seems to me that most password managers these days are trying to tick off a list of features rather than focussing on security and usability. Mind you, Secret 2 is definitely not the best example of this - I actually quite like the clean look and simple user interface. Still, it seems like most people nowadays are judging the value of a password manager by the number of features rather than, say, security.

<shameless-plug>Padlock[2] is a minimalist, open source password manager without auto-fill, browser-integration or any other 'advanced' features. We believe that when it comes to features, less is often more, and it seems there are plenty of people who agree with us.</shameless-plug>

[1]http://www.martinvigo.com/even-the-lastpass-will-be-stolen-d...

[2]https://padlock.io


Came here to point out the same concerns, basically. I'll add this:

5. It seems like there is no user-specific secret in addition to the master password. If two users happen to use the same master password (which is definitely a possibility, especially with weak or easily memorizable passwords) they will basically have all the same passwords for every site!

6. Rotating your passwords regularly, at least for your highly sensitive accounts, is very important. With this approach, you can't change any one of your passwords without changing the whole lot (i.e. changing your master password) which simply isn't practical.

7. They serve the whole thing over the web, which, as has been pointed out many times over the web[1], is a bad idea.

Overall, it seems like they are looking for an overly simplistic solution to a complicated problem.

<shameless plug>Padlock[2] is a penetration-tested, open source password manager that, while using a battle-tested, 'conventional' encryption scheme for securing data, still tries to be forward thinking and to improve on the overall user experience of other password managers.</shameless plug>

[1]https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

[2]https://padlock.io


For reference, I am the author of the Easy Passwords extension which uses a similar concept.

5. The user-specific part is the user name. As long as these two users don't use the same user names they won't have the same passwords.

6. Password generators typically solve this by implementing a revision counter that you can increase in order to generate a new password. LessPass has this functionality, can be seen in screenshots.

7. What is served over the web? LessPass is a browser extension, the page you see in screenshots is contained in the extension.

I obviously disagree with your conclusion. Password generators are a very nice tool, and LessPass isn't currently using the full potential of the idea. For example, Easy Passwords allows you to create a "paper backup" of your passwords - all the password metadata (website, user name, password length) is safe to be printed, yet as long as you remember your master password it is sufficient to recreate your passwords. Of course, occasionally you simply cannot change a password which is why Easy Passwords has a hybrid concept and allows storing some passwords in encrypted form (no paper backup there).


Thanks for adding some clarity here. Apparently I missed some of the finer details.

> What is served over the web?

There is a form for generating passwords right on the front page and it states nowhere that the browser extensions are the more secure / recommended way of using the tool.


Ah, I see. Yes, I have a similar one for Easy Passwords under https://palant.github.io/easypasswords/online.html - but it has a huge warning on it. This is not secure indeed and the recommended way of using that page if you absolutely have to is downloading it to your hard drive.


>they will basically have all the same passwords for every site!

Not if the generated password also depends on your username.


What alarms me much more than the appearance of bad code quality is the fact that we have no direct way of checking what's actually going on under the hood and what impact it has on security. If there is one axiomatic requirement for the trustworthiness of a password manager, it's that it must be open source. That way people don't have to guess at the code quality from their use of file extensions. Lots of people seem to have a huge phobia of storing their passwords in the cloud and I have the feeling that the provenly poor security of Lastpass [1] has contributed significantly to this.

<shameless plug>Padlock[2] is a penetration-tested, open source alternative that also has a (open source!) cloud storage solution[3] that you can even deploy to your own server if you don't trust the official one. All of this based on zero-knowledge (the server has no way of acquiring your master password or reading any of your clear-text data). Disclaimer: I'm the main contributor.</shameless plug>

[1]: http://www.martinvigo.com/even-the-lastpass-will-be-stolen-d...

[2]: https://padlock.io

[3]: https://github.com/maklesoft/padlock-cloud


That's exactly what I was trying to say with the article :)

Serving .php files directly is not a security issue, but as you said nobody knows what's going on under the hood.


Padlock doesn't work in Firefox?


Yeah, currently the only way to run it on desktop is through the Chrome app. A native, standalone desktop app for all major platforms will be released very soon, though.


> You have copied LastPass, however LastPass isn't a good design to copy.

> I never liked LastPass because it's rigid on how you can store data. Surely username+password+ website is common enough, but give the user the opportunity to add custom fields. This is how KeePass and 1Password work, it's a proved design

I agree 100%. For an open source alternative that offers the same flexibility while still trying to be as easy to use as possible, check out https://padlock.io! (Disclaimer: I'm the author)


Author of Padlock here. Thanks for mentioning! Happy to answer any questions as to how Padlock compares to Bitwarden!


Thanks! Well, since I've got your attention, how does Padlock compare to Bitwarden? Maybe you could point out some major differences in what works better in Padlock than in Bitwarden? What does Bitwarden do better and how does Padlock plan to improve? (Although, this may not be the right forum for this...).


Yeah, maybe not the right forum to cover all of your questions in detail but here are a few bullet points (note: I just came across bitwarden, too, so this is just from what I gathered from the website and the little time I've spent playing around with it):

Similarities:

- Open Source

- Cross Platform

- It appears to be possible to host your own server

Differences:

- As pointed out somewhere else, Bitwarden is very limited in what you can store. It seems to be primarily for storing website logins and does not offer any customisation options for storing other kinds of data. Padlock is much more flexible in that it allows you to add any number of fields to any given record.

- Apart from the mobile apps, the primary way to access your data seems to be the website served over https. This is a terrible idea for a ton of reasons and I could spend all day going into all of them but let's just say that there is simply no way to handle your data in a secure and private manner this way (either you have to do crypto client-side which is inherently insecure for a website served over the net or you have to do it server-side which means you have to send your master password to the server). By contrast the Padlock app, although based on web technologies (it's built with Polymer), is only available as a packaged (and code signed!) app for all platforms. This means that you can safely do client-side encryption without having to worry about the integrity of the source code. Padlock Cloud on the other hand is built on the principle of Zero-Knowledge, meaning no unencrypted sensitive data is ever sent to the server.

I could go on forever, but this will have to do for now. If you have any specific questions, let me know!

