"The Quiet Renovation at Bitwarden" (it isn't good)
(blog.ppb1701.com)
from RotatingParts@lemmy.ml to privacy@lemmy.ml on 18 May 21:24
https://lemmy.ml/post/47528153
from RotatingParts@lemmy.ml to privacy@lemmy.ml on 18 May 21:24
https://lemmy.ml/post/47528153
If you are interested in privacy you are probably interested in password storage … plus I wanted everyone to know about the inevitable future enshitification of this product. Spread the word and replacement recommendations are welcome too.
threaded - newest
This is really disappointing… I figured the open source nature of Bitwarden would save it from enshittification but as the author says, in the end, the company doesn’t need to keep it open source.
As soon as VC money comes in, the founders cash out and the enshittification begins as the VC will be expecting returns on their money.
That’s the difference between libre software and merely open source software.
Libre licenses make it hard or impractical to close the source at a later date.
Open source licenses are much more permissive and allow any entity to produce a closed source derivation at any time.
Libre licenses are all about strategically protecting the software commons from privatization.
Time to recommend alternatives?!
Nothing has beaten KeePass for me so far. It takes a bit of setting up if you want your database to sync among all your devices, but in other aspects it’s perfect for me
EDIT: In case you’re curious, I use KeePassXC on PC, KeePassDX on Android, and Syncthing to sync the database.
What drove me (and my family) from KeePass to Bitwarden was the family sharing and survivor access.
Until KeePass supports these it’s not really up to par with Bitwarden.
Especially digital legacy management is a must have for a well rounded password manager.
keepassXC supports passkeys though.
That’s cool. Bitwarden also has a blue icon if we’re talking about other unrelated features.
Same setup here, can recommend.
Don’t know if it has changed but there was a reason I went to vaultwarden. Syncing was a pain it is probably better now but not looking to go back.
I use both same products, just manually copy to phone periodic as my vault is pretty static
Made the move from bitwarden not that long ago, actually a bit before their price increase (just timing not because of it). Nothing bad about BW to say, it worked great for me for years.
My motivation was wanting my password manager fully offline.
Keepass are fantastic programs, and actually now more pleased with my move after seeing some negative moves from BW I needn’t be concerned with
+1 for Keepass!
The author wrote a guide to self-hosting VaultWarden
blog.ppb1701.com/self-hosting-vaultwarden-taking-…
How vulnerable is a VaultWarden setup to splash damage from BitWarden enshittery? I would go absolutely ham on VaultWarden if it’s independant enough from this kind of move.
I’m already hosting VaultWarden locally and would also like to know. It seems like a project that could continue independently but I’d love to hear from someone with more information.
I mean, if you read the OP, it says at the end. The clients are Apache2 and can just be formed if the API starts drifiting.
Proton Pass is a valid option.
psono.com
www.privacyguides.org/en/passwords/?h=psono#psono
How is psono? I’ve been looking to do secrets correctly in my lab for a while and its name has popped up a few times.
www.passbolt.com
Cloud version is for businesses not people, for some reason. But selfhosted is free of course.
Do I understand correctly that there is no way to implement SSO on the self-hosted version?
TLDR: Self-host Vaultwarden
Privacy oriented self-hosting survival guide, where can I find one?
Need a remind me bot rn
Privacy Guides has some recs but have some arguably bad takes sometimes. Their Self-hosting page seems reasonable though.
Vaultwarden will survive. Since the client is open source, once they close the API and break compatibility of the clients with Vaultwarden, the old version of the app can simply be forked and rebranded. I also do hope that the KeyGuard app will continue to support vaultwarden as well since if bitwarden closes the API and makes a breaking change, as is likely to happen, it will break KeyGuard as well, but it will still work with VaultWarden for some time.
The real issue is that many people who are using Bitwarden aren’t savvy enough to host Vaultwarden in a secure way. Many people are careless with things like secret keys and such and dont know how to properly secure a web facing app or a VPN into their local network. But anyone who self hosts should result learn those things anyway. This one just happens to be a particularly high risk since it contains all of your passwords for everything else.
This is why despite me self hosting some things I don’t rely on vaultwarden. I’m a flawed person and my family has no idea about anything. I don’t need to stretch my imagination very far to think of a handful of reasons why it would fail my situation. I’ll gladly pay for a password manager to not have to deal with that.
Same! I self host a number of things, but I just didn’t trust myself with something as important as this. I had been paying for bitwarden even though the free plan was sufficient, just to show support. But obviously not if they go this route. I will also gladly pay for a password manager to not have to deal with that.
That’s where I was for years until I got that surprise $80CAD credit card charge a few weeks ago. Now I have 11 months to either go with someone else or figure out a self-hosted solution I can trust. It will need several layers of backups the family can actually access in an emergency.
Just learned about KeyGuard. But I dislike their LICENSE:
All Rights Reserved
Yeah, not the best. But at least there is an alternative.
We really need a VaultWarden paid service, if there isn’t anything against doing so in the license.
I don’t know why the server needs any specialized software at all though. In the end, if it’s just some password history, why not just have a client that allows generic storage backends and you can upload to Filen or S3 or whatever else you use?
It uses a database and it’s totally possible to use SQLite as the database and sync that elsewhere. You could then find or make a small client that just accesses that db directly rather than a web service, I suppose. Though there are already several apps out there that store passwords locally and their data files can be synced, if that’s what you want.
But if you’re doing that then you may not be using this in the most common way or may not understand the risk involved. This is likely to have every one of your logins, not just a single login that may or may not be used on other sites, but the specific username and password and which site it’s associated with. On addition to access to those accounts, this links all of your accounts to a single identity which companies spend billions to do with advertising IDs, cookies, embedded scripts, and lots of other, usually shady, practices. This is a gold mine, though usually only for one or a few users, so generally not a major target unless you’re being targeted personally for some reason. So, even if they don’t get the passwords, they’ve now linked every account you have on every site to your identity.
If you are allowing the database to be relatively easily obtained by syncing it to a central location accessible over the internet, a bad actor who gets it can even take their time brute forcing any encryption that may be present in the database, but if you don’t keep encryption keys only on your local device because you want to be able to use it elsewhere, then you probably stored the keys along with the db and they dont even have to bother with that, or if it uses password based encryption, they just have to guess or brute-force a single password.
If it’s behind a properly secured web service, then even if they find an exploit in the server software, they likely have to do many queries over time to get much data and the server can mitigate that risk and/or alert the owner about new logins and such. A database in the hands of the bad actor can’t complain about too many attempts to access it or notify anyone that it’s been copied.
So, IMHO, it’s a bad idea to use synced local password managers unless you have a very robustly secure way of storing the database and the encryption keys.
Yeah I was imagining a system more like Password Store - use Git to version control secrets which are encrypted using some form of asymmetric encryption.
You store the private key somewhere you control, like a USB drive or something. Same as Bitwarden’s master password.
Yeah, there’s still a risk if you’re exposing the encrypted passwords. For example there is still some risk that governments have backdoors in some kinds of encryption, which of course means other malicious actors do as well. And there’s still brute forcing which is mitigated with a webserver layer in front of the raw data.
But there are lots of existing applications for that like keypass and its forks. Vaultwarden is more about the web services front end to the data than the data storage itself. And a web service benefits from a relational database over a flat file.
afaik everything is encrypted. not like a big blob, but the properties of items are encrypted separately, if the encrypted export format has anything to do with the database structure
That’s positive at least. I hadn’t looked at that part. Still having the whole dump of data and attacking it locally vs having to query a web server repeatedly for each attempt is a major advantage. This is why I significantly prefer Vaultwarden over a synchronized database, especially if it’s publicly synchronized in a publicly accessible git server or something making it relatively trivial to copy.
Good to know KeyGuard is an alternative. My main worry was with the extension no longer being compatible as, like you said, I doubt they’ll continue to keep the client and API open.
Yeah, fortunately Vaultwarden has enough users that probably someone will eventually create an extension for it. And in the mean time you just have to make sure to use an old version of the existing extension until that happens. It’s not like the changes in Bitwarden will affect Vaultwarden directly. The old client versions will still work until Vaultwarden changes something.
I have nothing but good things to say about Proton Pass. Syncs across iOS, macos, PC & Linux, stores not just usernames & passwords, but short notes, product keys, & can generate temporary email addresses that can be disabled when they start receiving spam
Nothing is stopping Proton from doing the same thing next week. And seeing how many people lock themselves in to Proton (by using all their services, Apple style), they have a strong incentive to also do some “restructuring” and spike prices.
Howdy, I work at Proton, this is incorrect: proton.me/blog/proton-non-profit-foundation
A nonprofit is the largest voting shareholder of Proton.
Okay, so? OpenAI is also controlled by a Non-Profit (Similar Structure to Proton, I suppose). That doesn’t stop them from being scummy. Please explain your point.
Keepassxc (linux, winblows, crapple) Keepassdx (AOSP, spydroid) Keepassium (SpIOS)
The best answer, as long as you never need to use your passwords in more than one device. Syncing a Keepass vault between PC and mobile is still tricky for some reason.
I do it all the time and it works fine. I designate my phone as my primary computing device and I always update my password database on that device and then synchronize it across to my computer using these things called USB flash drives
yeah no thanks, hard pass
There's the problem - not everyone is able or willing to physically connect a separate device to manually transfer the password vault file (for example, on partially airgapped systems or corporate environments). I personally use a self-hosted Vaultwarden for that reason - I'd rather have my main password storage device be one that is safer from being stolen (my home server)
I just tested aliasvault and its pretty good. You can even just import your pre-enshitification Vaultwarden export file.
One thing I noticed though is that your entries must have a collection or else they don’t export. But close to easy as pie to leave vaultwarden behind with their Nazi CEO.
VaultWarden != BitWarden!
I know. Either way I’m out unless they fork.
VaultWarden literally is a fork, what are you on about?
Fork means they don’t share. But its not like that.
Are you a bot? It doesn’t seem like you understand what you’re talking about.
They website says they are not but there’s is an employee of bitwarden who is allowed to contributed.
I don’t know. I will be on my toes at any notion of Nazi CEO contribution or attribution.
Again, vaultwarden is not bitwarden, I think I’m having a stroke reading this
VaiultWarden is a new implementation of the Bitwarden API. It started from scratch, never was a fork. It’s possible they (or other people) will fork the Bitwarden client.
damn I just migrated to bitwarden a few months back :(
You still have some time to decide which route to go. If you’re on the free version, stay there, but start looking for alternatives.
Proton Pass is an option. KeePass with Syncthing works great, but it is a dramatically different and more involved workflow.
I am using both, and deleted my Bitwarden account yesterday the moment I heard about this.
Also, I can’t suggest enough that you export all your credentials to an encrypted json file every now and then, and store it on an offline storage device. This is important.
I’ve been using it for years. But I have been waiting for this day to come. Because it always comes at some point without fail.
It always comes right after I migrate my family members. Same thing with lastpass and I’m still trying to get people off that.
faaaaaaa
It’s a very easy migration from Bitwarden to a self-hosted and OSS Vaultwarden, if you have means to self-host. Appreciably, many don’t want to self-host their own apps and I’m not defending Bitwarden’s enshittification at all. It comes for all tech at some point :(
I would say that Vaultwarden might not be the best introduction to self hosting given the critical nature and sensitivity of the data. And if you do maybe block the admin page from external sources.
Not sure if all tech, but definitely the ones that just want to grow grow grow. A counterexample (so far) is the Obsidian team.
thanks for all the suggestions - i’ve since moved to proton pass, not sure if I want to self host this aspect of my security stack - but will be watching closely
Why the hell is anyone using anything other than KeePass?
Doesn’t keepass only work on a single device? Meaning that you have to handle syncing the database file yourself. I prefer selfhosting vaultwarden. Maybe these changes will make me migrate to something else but for now I’m very satisfied with vaultwarden and the bitwarden client.
Yeah, I just leave the file in a NextCloud sync directory. All my desktops and laptops download it automatically, and it’s trivial to download to my phone. As an added bonus, my fucking password manager isn’t exposed to the open internet where every hacker who finds it is gonna wonder what’s inside.
WireGuard 🥹
At that point, is it really easier than NextCloud? I don’t have to worry about forgetting to disconnect and wasting my VPS’s bandwidth or ruining my ping for games. On PCs and laptops, the file is immediately local, and on mobile, it’s easier to download an updated version of the database than it is to mess with the VPN.
Yup, it is. On one hand, I would have wireguard configured regardless beacause I don’t like publicly exposing my server. On the other, if you had to do it just for this and don’t want to configure wireguard manually, just use zerotier, tailscale or netbird. They can be set up in like 15 minutes and after you get it working you don’t need to touch it again.
Eh, not worth it to me. Some of what I host is occasionally really handy to be able to access from a random machine, and I don’t want to have to deal with barriers to entry when I need in. I can appreciate the security benefits, but I’ll take my chances. Even if they break into my NextCloud, they’d have to crack an unreasonable password to break the password database open.
There’s this wild technology called a hotspot. You can use your already authenticated device to give another device access to your services indirectly.
That level of security is exactly the same as exposing your password manager to the “fucking” internet. Not sure why you criticized it before when you (incorrectly) assumed that I was doing that.
There’s also this dated technology called a wired connection that some other dated technologies require. Since I don’t get to choose every device I interact with or depend on, that’s not always available.
I would disagree. A Bitwarden instance identifies itself as such to every visitor that comes by. It advertises itself as a particularly high value target. By contrast, a lot of what a NextCloud instance hosts is often personal and more valuable to the user than a hacker, so it does not become clear if there’s anything of value inside.
It also decreases the attack surface of my password manager itself because there are fewer features in it that may have a potential exploit. Even if an attacker compromises the NextCloud instance, that may grant access to the file itself, but they still have to contend with the entire security of the password manager. No device will ever make any contact with the server for password purposes other than to sync the database file, and there’s no web interface to inject a password stealing JavaScript file.
EDIT: Forgot to mention the worst part about KeePassXC. It’s vibecoded crap.
Hotspot does not imply that it needs to be wifi. You can share your internet connection via usb tethering too. (also a wild new technology, I know)
This ignores how modern internet attacks work. Hackers don’t sit around manually browsing websites. Automated botnets scan the entire IPv4 address space 24/7 looking for specific software signatures or known unpatched vulnerabilities. If a Nextcloud exploit drops today, a bot will breach the server before the hacker even knows what is stored inside.
Also, advertises itself to whom? I’m not exposing it to the internet. How many reports can you find of people getting their Vaultwarden instance hacked? This is a lot of assumptions that don’t track with reality.
You’re putting your database file in nextcloud. That increases the attack surface of your solution, a lot.
That’s *exactly *what a client for vaultwarden does…
Vaultwarden has a web interface, true. It’s also true that I’ve literally never used it for anythin other than creating the users. I haven’t opened it in years.
You’re choosing a very petty and small hill to die on, dude. Just admit that you prefer doing it your way even if there are better alternatives.
Some environments restrict USB access for security reasons. Some environments don’t have extra ports to spare. Sometimes, I just don’t have the right cable on hand even if the environment is otherwise fine.
No, I’m well aware of that. I mean that when the inevitable scans come, the Vaultwarden instance will freely identify itself as such. An attacker would automate the breach if they detected my NextCloud instance and had an exploit ready, but then what? The contents are too unpredictable to have a one size fits all approach from there. Even if they scan all the servers they breach for password databases, they have to contend with the fact that they still have no means to try to intercept the password. They may have a slightly easier time obtaining the database, but cracking a huge pile of password databases is an infeasible task.
Yes, if I did it the way you want, I could avoid exposing it and allowing it to advertise itself, but then I would be unable to access it without a VPN or other networking tool.
I never said that Vaultwarden had been hacked. I said essentially that Vaultwarden is a single point of failure that I do not want to risk exposing to the wider internet, and I don’t want to hide the services behind a VPN because that can complicate access. It’s a little less secure, but what’s the point of security if I can’t actually use it myself?
Of the overall system, yes. Of the password database itself, not really. Slightly less potential security through lack of access, but with a sufficiently secure password, cracking it isn’t realistic. That becomes exponentially more true if you’ve got a huge pile of password databases you need to crack, as would most likely be the case for anyone who breached my server.
Yes, and you’re just about get to the problem I have with the client if you’d finish my sentence before you got smug with me.
And it’s great that for your personal use case, that works our for you. But before you decide to act like a smug asshole, maybe consider that not every situation can resolve as cleanly as yours. There are a lot of reasons that restricting access to a VPN can at times be limiting. Sure, at home on your own hardware, not really, but some people need the same tools for different purposes in different environments.
Just think beyond your own experiences and accept that other people have different needs than you for a variety of reasons that they can’t always control.
Where are you even trying to use your password manager??? You’re absolutely batshit dude. I’m not reading this wall of text.
Corporate environments don’t like you tampering with how their networks are set up. You might be able to get your hands on a portable copy of your password manager or even get installation authorized, but you might not be able to force a hotspot VPN onto the machine, and you’ll have a WAY harder time getting a VPN cleared than you will getting a password manager to work.
You should also not be ysing a corporate laptop for your private stuff. If you do need to use it, you can do use the password manager the old way, just read from your phone and manually type it in.
Lastly, since you’re proposing a corporate scenario, you wouldn’t be able to install a random program on your laptop. IT would either block the installation or you’d have to explain why you’re installing random programs on your work computer.
This is getting pathetic dude, just move on.
Yeah, but some stuff kinda blurs the line, and some stuff is just useful both places. It’s not ideal, but I can maintain some separation with different NextCloud users and different database files.
Portable versions of password managers work sometimes. There are browser extensions you might be able to use. Most notably, both of these are more likely to be authorized than a VPN tunnel into my personal machines if I even need authorization for them. In some places and jobs, you might get a little influence over what gets installed, within reason, and an open source, strictly offline password manager is less of a threat than a VPN connection to an uncontrolled endpoint. I might be able to get a Vaultwarden client, but then I’m back to exposing Vaultwarden to the open internet, which was what I didn’t want to do.
You are choosing more convenience over security, which is fine, BUT it’s good to know that syncing your passwords with NextCloud over the internet is not any more secure than syncing it over the internet any other way (that uses any encrypted transport method).
Not necessarily. Compromising Vaultwarden would allow you to inject malicious JavaScript into the login page to steal passwords. NextCloud in no way interacts with the password database, so it provides no attack surface to the password database itself. Compromising the client for my password manager would require a supply chain attack on a Linux distribution’s package repository or theft of the package signing keys for the Linux distro or the Android app
What do you mean by comprimising VaultWarden? Someone hacking into your server and changing the login page to include extra javascript? Because if they are gaining code execution on your system, then you might already be done for. I can see your point, but I’m not personally going to be worried about it specifically.
By compromising Vaultwarden, I mean exploiting some flaw in it to gain extra access that may facilitate further attacks. If they have code execution on my server, they can’t really do anything because the server never provides an interface to unlock the password database. They could attempt a more complicated malware attack on my clients, but that’s WAY more effort than an automated attack on Vaultwarden instances, probably by several orders of magnitude.
That’s a fair point, I was mostly pointing out in the original comment that VPNs are an option that stops your password manager being exposed to the internet (though if their NextCloud IS exposed to the internet and is syncing their password db, then there is not much difference).
Plus you can tunnel traffic that needs to go to your VPS through the VPN, leaving all other traffic untouched (ie not tunneled), if you are worried about leaving it connected by accident. This would be max convenience.
Compromising Vaultwarden provides an opportunity to inject malicious JavaScript and steal the database password when it’s opened. NextCloud can never leak any info about how I open my password database.
Any password manager could be comprimised. A bug could even be installed on your system or malware. What’s the difference?
NextCloud doesn’t know how you open the password db, but KeePass (for example) does, so the master pass comprimise would be with that.
Specifically the syncing part being done with any tool, doesn’t matter.
Who or how are you thinking Vaulwarden is being comprimised?
Sure, any manager could be compromised, but no client that handles my password database in any way connects to the internet, and all of them come from either signed Linux packages or signed Android apps. If Vaultwarden has a security vulnerability, you can steal the key and the database. If NextCloud is compromised, you can steal the database but not the key. To compromise the password manager client would require either stealing the publishing keys or getting the original author to publish a malicious version.
I see your point, but if your server can only be accessed through a VPN, I think the risk is mitigated. Maybe I’m being naive.
Yeah, that would largely mitigate the risk, but this whole discussion started because I personally didn’t want to do that.
You need two apps though and I personally have more faith in vaultwarden being stable than nextcloud.
Glad your “fucking” password manager isn’t exposed to the internet. Mine isn’t exposed either since I use tailscale to access it. Your comment leads me to believe that your NextCloud instance IS exposed to the internet. Wouldn’t that mean that if a hacker gets access to your account they could also get your keepass file as well?
I just typed out a response to most of this, and rather than repeat all that, I’ll copy a link here lemmy.zip/comment/26557132
A lot of it can be summed up in that compromising Vaultwarden means everything is screwed while compromising NextCloud is mainly a minor inconvenience. It provides neither information about the database’s password nor any avenue to attempt to intercept the password.
EDIT: Forgot to mention the worst part about KeePassXC. It’s vibecoded crap.
I replied to that comment. You’re assuming that compromising vaultwarden is somehow easier than compromising nextcloud. No idea why. Intercept the password where? I’m using a local client and only syncing the vault. You seem to be pretty unfamiliar with how vaultwarden works.
No, I’m assuming that compromising NextCloud is less devastating than compromising Vaultwarden, so I’m taking a calculated risk that my database’s password is secure enough to offset the slightly increased risk of access to the encrypted database because I don’t always get to choose all the software I get to use in every environment I work with, so I might have to use the web client if I can’t get the local client.
As for you only using the local client, congrats, we don’t always get to choose what we use outside the home.
Is RiiR still all the rage? Perhaps it’s time to oxidize KeePass. There are a few libraries for kdbx files and at least one ready-made CLI.
I use vaultwarden in my company - need to share some passwords/group with specific other users etc.
The one that has had multiple hacks. I’m good mate.
Do you have a source on these hacks for KeePass?
cyberpress.org/hackers-exploit-keepass-password-m…
thehackernews.com/…/keepass-exploit-allows-attack…
thanks!
edit: oh it’s phishing via ads, you could say OBS Studio has been ‘hacked’ in the same way
the second case assumes your computer is already compromised, I think at that point a RAM dump with my master password would be the last of my problems
Way too complicated for average user.
KeePass is just an app that opens files, so yeah, you can access it on as many devices that you want yo setup file syncing with. Syncthing seems to be a popular choice.
You can setup vaults to be accessible with multiple passwords, if that fits your criteria. Me, I already share the vault with my wife, so that mostly covers the need for emergency access by someone else. If I ever wanted more, I’d probably just put some basic info into my will about how to access the file.
if you were looking for an excuse to torpedo this abomination, here it is. hosting this gargantuan stack just for an encrypted csv file? at least the client (electron) gobbles up RAM like it’s free while being bug-compatible with whatever chrome version was current half a year ago.
sadly, news ain’t great on the other side of the fence - keepassXC dev is all-in on vibeshitting; latest non-polluted version is 2.7.9.; works fine and the stuff they’re working on is pretty far from essential. some unknown folks forked it but who’s to say what their expertise is.
never thought I’d disable my autoupdate timers but here we are. keep your eyes open.
Can you explain the issues with KeePass? Or is there another thread?
This is my unverified understanding of the situation.
KeepassXC team added Copilot to their workflow to manage PRs and code some basic (according to KeepassXC) stuff.
the dev vibecodes; I make a distinction between using the crap as a boilerplate helper and a full-blown agentic “hey computer, do this but do it super-good!”. not only that, they got a super-asshole vibe as they removed claude traces from the repo and then flaunted that it’s so people won’t know what parts were vibeshat. “good luck finding the cutoff point”, I’m paraphrasing here.
to each their own, but that’s a hard pass for that fork from me.
A password manager is literally the poster child for “I would rather it lack features, but be built carefully by an expert.”
What do you mean by “gargantuan” stack? I have a single docker container for vaultwarden that was very easy to set up and it uses less than 100mb of ram. Not sure about the client claims though. I haven’t really looked into it that much. Are you saying all versions of the client and extensions of BitWarden have issues?
Hey Login seems promising Free for private users, hosted in germany and end2end
www.heylogin.com/en
I guess I need to go back to a handy notebook.
Amen!
<img alt="Amen!" src="https://lemmy.world/pictrs/image/2dc7d05b-68ab-4217-bf76-08ad5e36d7f8.jpeg">
Is is time block headlines with “quiet”? Its like AI decided that word gets the most clicks and its showing up everywhere.
Yeah its like those sports headlines where they try vibe you up for some trash talk
“Player A had a perfectly blunt statement about Player B”
Only to read & find out they said Player B was great, such drama lol
All just rage bait everywhere, AI or human that’s the clicks plan
OOP is AI writing about AI
“My first 100 days at Bitwarden”
He completely misunderstands the product. Transparency is paramount. Not trust.
Not very trust inspiring. There’s a lot of flowery words encircling enshittification.
It does claim to want to always offer a free tier, but all the new values and buzzwords are funneled towards the paid versions.
How will this affect vaultwarden? I’ve been using it for 5 years and absolutely love it. I’m worried that I’ll need to switch to something else though?
The Article says:
It shouldn’t in theory. Worst case is if bitwarden closes source, just fork the latest current open version and use it.
Ideally, a group, either independent or joining with vaultwarden devs, can build/maintain the frontend for vaultwarden that is bitwarden.
God, capitalism sucks
Yeah I’m done with cloud providers for this shit, I’m going all in for Keepass
I just migrated to keepassxc last night!
I still wish there was something where it had better syncing conflict management than KeePass but wouldn’t make you unable to do anything or randomly make your passwords completely inaccessible if you or your server went offline like Bitwarden.
I run vaultwarden at home without access to it from the outside world and once the sync is done I can be offline without issue.
For me it gives me read-only access most of the time, but sometimes something happens and then it becomes completely inaccessible. Which is why due to being in the middle of a move right now I exported the entire database to my laptop so that if this happens I don’t lose access to all my accounts for the two weeks my server is in transit.
giggles in proton pass
Don’t assume that proton won’t eventually want to sell up.
It is owned by a nonprofit foundation making that unlikely
Been self-hosting Vaultwarden for a while. The backend is going nowhere, but I fear for the Android and Firefox clients in particular, unless the Vaultwarden dev bothers to maintain those too.