Bitwarden's new CEO has a Private Equity background, removed 'Inclusion' and 'Always Free' from their website -- because of course he did
In the latest episode of "they will always sell you out" - they sold you out! Who would've thought.
Hoping for a good alternative client to appear, the writing is on the wall. Vaultwarden can't exist without "leeching" off of Bitwarden.
1000
Comments231
Jesus, I'm tired of switching password managers.
KeePassXC + KeePassDX is probably the best option, with the downside of no way to sync easily (syncthing is probably the best option there)
I might switch back at some point, been getting frustrated with the bitwarden extension performance always being so poor.
Sync however you want. Syncthing, Nextcloud, Dropbox, Gdrive etc.
Syncthing is the way to leave Google Drive, etc.
I use Nextcloud myself, but if people don't want to host a server or fuck with syncthing, they can sync it however they want as long as they use a strong enough master password/phrase (which they should be anyway.).
Oh, well, I'm talking about not having to password-lock and unlock your stuff constantly. For long-term storage, sure, that's fine; anything else would be way too tedious, though, no? I guess it depends on your use case and if you could locally automate the locking and unlocking or something.
I'm not sure what you mean. On my computer, I have to unlock the database every so often (you can set how long) with my master password. On my phone I unlock it with my fingerprint. The method of syncing the database is irrelevant.
Oops, I thought you were talking about long-term storage of files in general, like videos and docs or something, not a password database! Never mind.
Is there a proper syncthing android client now, after the official android client was discontinued?
Solid question; there are only third-party apps. A recent discussion in ![email protected] led me to most recently adopt BasicSync, which is incredibly low-profile and is probably the closest thing we can get to it.
However... if you want to get as pure as possible, you can apparently run Syncthing's Linux version directly in Termux on Android without the need for a dedicated Android app. There are also entire alternatives to Syncthing like syncspirit (which can also be run through Termux and which I'm considering trying as well).
Syncthing Fork works well for Android
Merge conflicts are a concern for KeePass, especially for those that don’t want to resolve them. Sync is difficult. AFAIK this is a very common issue with Syncthing setups.
Also, the portability from Bitwarden to KP leaves a bit to be desired, though that’s probably 90% on BW.
I've been using KeePass with Syncthing for 5+ years now and I think I've only had a sync issue once in all this time.
Granted I do make sure I only use the database on one device at a time (so not making edits on desktop and my phone at the same time) and I'm using XC and DX clients not the OG KeePass program.
I'm curious what is causing sync issues to make it "common", I use my db every day.
Yeah, it’s not an uncommon use case to accidentally or even intentionally edit the database on two online devices - I do it all the time when I want a new login to be used on my laptop right after I signed up for some new website on my PC, and the laptop just happens to have an “unpushed” change from last evening, or I edit the new login’s metadata, or whatever.
With this, I’d have to keep a mental model of the versioning of each database and avoid even touching my phone like the plague if KeePass is open on my computer.
It’s not that big of a deal, it’ll probably be a problem once every few months, but it’s annoying to keep track of and worth talking about.
Hmm, I'll have to play around with it a bit more then to see if I can trigger it.
My only gripe is the browser autofill. Sometimes it triggers correctly and sometimes it doesn't. I've noticed if I let KeePass add in a new login itself after I've manually entered it then it's much more receptive to suggesting that login correctly going forward. So I'm tempted to create a brand new database and login everything manually so KeePass will create the database entries itself to fix my gripe.
I switched over to keepass yesterday, and surprisingly the import from BW was perfect (as far as I can tell), even passkeys came over just fine.
I'm using Keepass2Android (and KeepassXC). It can copy the database from/to an sftp server, so it can easily merge the entries. I don't have the sftp server exposed to the Internet, because when I'm not home, nobody will change the database at home.
It's really not that much of an issue. I sync my database between several devices, some of which are only used occasionally. Rarely do I ever have a merge conflict.
If you're editing the database on multiple devices before they have a chance to sync with each other, maybe stop doing that. That's what causes merge issues.
I'm using KeeWeb on Mac and Windows and Keepass2Android on my Android device and I don't have any issues at all. I'm storing in OneDrive though, this is the one thing I'm using it for still.
My first password manager was KeePassXC.
Hooked it up with Syncthing, and I've never had issues aside from the occasion database duplicate.
Right, and it has a neat merge-database feature anyway, so no excuses for those holding back!
Rclone with any cloud provider is another great option that's seldom mentioned. I posted my setup as a comment on another post. You may find it here - https://programming.dev/comment/23849767
I use KeePass with KeeAnywhere. KeePass can natively sync over network share, FTP, or WebDav. With plugins, it can sync over SSH, FTPS, Amazon S3 compatible buckets (including open source compatible versions you host yourself), Azure, Box, Dropbox, Google Drive, OneDrive, and more.
That's a neat one, although it doesn't look like KeePass supports passkeys yet, at least I don't see it in the feature list.
Are you trying to use a passkey to unlock the database or for authenticating with other websites? KeePass can natively do TOTP. There's also plugins to do that. Including one that allows KeePass to be a native Windows 11 PassKey Provider.
For other websites, if I search for 'passkey' on the KeePass website feature list nothing comes up. Plugins in a password manager sketch me out a bit tbh lol
See here: https://keepass.info/help/base/placeholders.html#otp Also worth pointing out that most plugins are open source. You can read the source and compile them yourself, if you'd like.
This is for OTP not Passkeys it seems?
How do you go about loading plugins on the Android version for sync with your setup?
Yeah the performance is what made me install the desktop app, but then it's 1gb in size
XC is really nice, but the devs are kinda dicks about not integrating some sort of syncing option, instead telling everyone who asks to "just point it to a local folder and use <insert sync tool of your choice> to keep that folder updated." Which isn't terrible advice, but some of us don't have that option on managed devices.
I ended up using Keepass2Android and just pointing it at my webdav server, it seems to work pretty well!
On desktop it's already taken care of since I put the DB in my folders that already sync via Syncthing.
I love K2A, been using it for well over a decade now. I really should toss the dev some cash... They've kept the UI consistent for years.
KeePass isn't going anywhere. They're also dragging their feet on passkey support, so you might go with KeepassXC.
@slate
Wasn't there some commotion a few weeks about KeepassXC and vibe coding?
@RonnyZittledong
Yeah, there was. It was forked because of that, actually: https://codeberg.org/ChiPass
Link gives 404
https://chipass.org/
I edited the comment. It ended with a period before, I assume your client thought it was a part of the link. Does it work now?
404
I edited the comment, see my reply to @[email protected].
Yep works now.
Their AI policy looks very reasonable, and they certainly aren't vibe coding. Everything is rigorously reviewed and tested by a handful of experienced, competent humans.
They also don't effectively allow collaboration though, which is my cheif reason for using a cloud hosted password manager.
What is "collaboration" in this context?
Sharing passwords between groups of people so everyone always has the up to date version. Not breaking the world if two people try to modify the same entry as some file syncing solutions do.
Hmm, interesting, though isn't that a fault of the organization not having an account-linking system so that each person could have their own credentials but can still access the unified content? This workaround seems... flimsy, unless I'm not picturing a legit scenario in which no other method is as good, or something.
Sometimes it just makes sense to have a single team login.
Licensing for instance where each user costs money and not all users need a dedicated account to look at something of which only 1% is of importance to them.
Fair. I've clearly not worked at a place like this before!
It's the fault of my family organization or every company we use that my parent's bank, Google, phone, laptop, etc don't allow more than one set of credentials to access the same thing?
It's not just that we need to be able to share credentials the once a blue moon I need to help them by logging into their account?
Wait, I don't understand. Why do you need to do so much account-sharing? I never had half of that... and if connecting is just once in a blue moon, then it shouldn't need something like group creds anyway, right?
You know why most cloud based services charge money? For stuff like this, because it’s not free to implement and maintain.
Easy and fault-proof password sharing and syncing needs software and hardware to do. You either set it up and maintain it yourself, or pay for a product that does it - like Bitwarden.
But your argument falls apart against something like Syncthing's discovery networks combined with send-/receive-only folder types, which use no cloud yet allow the automatic, passive propagation of file updates to different users' devices... right? No cloud, no self-hosting, yet automatic syncing across multiple devices...
Parallel creating, reading, updating, deleting password entries by multiple users.
Whoa, thanks. I had no idea this was a thing...
KeePass isn't meant to be used that way. It's a personal password manager. Always has been.
Valid. But it's also valid that it now doesn't work for me or anyone who also helps manage other people's lives or works on a team ¯_(ツ)_/¯
Gotta use the right tool for the job. Sorry KeePass doesn't work for you. It really is a fantastic piece of software.
Yeah I really wish there was a usable workflow to collaborate with it.
Sure they do. Multiple people can have a file open at the same time. I use it for exactly this every day at work.
With KeePassXC, that is. I don't know if other flavors have different support. I use XC primarily for the browser extension.
And you can both modify the same things without causing horrible conflict issues? And you can share only parts of your vault with someone rather than having entirely different vaults you have to switch between? I'm assuming you mean putting the file somewhere like Google Drive, and you can access it offline even if you can't edit it offline? For feature parity with Bitwarden, obviously ideally one could edit any time and it would resolve problems when it came back online if there were any but Bitwarden doesn't allow this.
Yes, no conflicts. I don't know if you can only share part of vault; I just created a separate one for a separate team.
I wouldn't put it in Google Drive or anything like that. The separate sync logic will definitely cause conflicts.
I'm not worried about having access if I'm offline, because if I'm offline I'm not going to be able to log into anything anyway.
I guess a laptop, server, IoT device, or WiFi connection when your main device doesn't have internet is out of scope for you?
Like fixing my laptop and not wanting to type the new password into my phone instead of copy/paste, sync when online?
And how are you sharing a file, to multiple people anywhere in the world realtime ish, without a cloud service you or someone else hosts? Doesn't that necessitate some syncronization logic?
It's hosted on a local network share, so we don't need Internet access.
If can't copy paste, I just type it out.
We use a VPN to the office.
As... they... should, forever.
Two articles behind a paywall, one that won’t load, and another article that says the big problem with passkeys is…people are unfamiliar with them.
If anyone tells you that Passkeys are bad, they’re a liar. Way more safe than passwords, full stop.
Just don’t let Microsoft or Apple tie them to your device. You don’t have to do that.
Are you calling me a liar? That's pretty weird; it's not like I'm telling you to stick to passwords while I move to passkeys. With that said, though, get Bypass Paywalls Clean (Mozilla-only, as far as I know) and you'll never see another paywall again. I forgot about having that.
The problem is that this is where it's eventually going to lead to.
Not really, Vaultwarden/bitwa4den offer passkey support. When I log into a service a popup shows on my extension, I click it and I'm in. It's not gonna lead to device locking if you don't want to...
except when the wide populace starts accepting it being device locked, and your opinion does not matter anymore to those making the decisions
No one of the people I know that use passkeys use it from the phone, either they use a password manager, they have passwords on a physical note, on an excel file in the desktop, a physical yubikey, or bitwarden like me. That's everyone I physically know including every family member, friends and work people.
I know it's anecdotal, but you present your "wide populace" fact without giving sources too, and since I know no one that uses phone based passkeys, even if my experience is anecdotal, I say sus. Check your bias.
At the very least you're misguided or don't know what you're talking about. Passkeys are not vendor locked in and of themselves.
You can make the same argument against password managers because most iPhone users that use them, use Apple's one.
They will almost certainly lead to vendor lock in. Why do you think they won't? Apple's password manager is definitely an example of vendor lock in. Many others have a simple to use export feature to CSV or something that others can understand
Edit: it could be that you don't know what the WebAuthn/FIDO2 specification says or we understand it differently? Do you know how the attestation mechanism works? That ties the key to a device or software authenticator (the software authenticator is likely going to tie it to the device somehow, possibly even via a TEE).
There is no full stop there... A password that is sufficiently long will never be cracked no matter the hashing algorithm in use. Passwords are easily transferrable and can be communicated to a third party in the event of an emergency. They also provide tunable security, where you can trade off security for convenience if you want.
Some (not all, I know) passkeys are tied to a device. Stolen device means stolen passkey, and it's potentially very difficult to recover from that. Passkeys are also locked to a certain standard, passwords have no such restrictions.
Tbh I don't understand the move for passkeys replacing passwords. They should become the second factor when a user wants additional security. They're perfect for that niche.
Passkeys provide a secure way to authenticate while also being convenient. With the tradeoffs you mentioned.
I don’t like the push for only allowing some vendors to issue keys and to not allowing exporting and backups. And password should still be an option.
Password can also very easily be stolen during phishing, while passkeys are phishing resistant.
And while a hardware passkeys can be stole and used, those who steal them will still need the pin to use them, and the two major hardware passkeys options now (Yubico and Token2) both have some pin brute force protection in their firmware to slow someone down long enough for an account to be secured another way.
As for passkeys on phones, they require the pin or biometric used to unlock the phones to be used.
"Difficult to recover from" was referencing setting all of your accounts back up. I should have also included "lost" and "broken" to make that more obvious. Many hardware (most? all?) passkeys do not allow for backup and restore.
But I do see an issue with stolen hardware passkeys being used for access too if they're a primary factor. With the mitigations you mentioned hopefully holding up.
I just got Bit warden this year! Gah. Where are we jumping?
Full circle to sticky notes on monitor.
Vaultwarden
Vaultwarden relies on Bitwarden existing.
Not really. Convenience relies on the app and browser plugin, but they could be recreated like the server was.
That would be quite nice to see.
KeePass
Took me like 5 minutes to move back to KeepassXC.
i want to switch back to KeepassXC, but I very heavily use aliases in Proton Pass and can't figure out a good way to still create those on the fly AND use Keepass as my default pass provider
Keepassdx supports creating aliases via addy.io I think
Password Store is the answer, if you don’t need passkey support. You can be sure it can’t be sold. It’s the golden middle: not self hosted, but not owned by anyone.
Maybe pay for one then?
I pay for bitwarden for the yubi key support and I'm also tired of switching.
That’s troubling, I don’t like what this portends.
The new CEOs background especially suggests they’re spiffing up the company for a later sellout, why else would they pick a merger specialist for the role?
I think the original title was more helpful because it shows that this is a recent development. Maybe you can add "new CEO"?
You're right, changed
Ah shit. Here we go again!
Can anyone say “Enshittification”!
Enshitification coming right up!
Well, poop.
Every company is basically evil at this point.
There is no ethical consumption under capitalism.
I think the rope they're selling us might, one day soon, have a net positive impact.
Since Dodge v. Ford Motor Co (1919), if not earlier.
See also: https://reclaimdemocracy.org/corporate-accountability-history-corporations-us/
Yep. Thanks, Dodge brothers, for setting that precedent. Pig fuckers.
This is why corporate promises can never be trusted, because a new CEO can change those promises on a whim.
It's part of why despite being interested in Beeper, I never signed up for it because I had questions about if those privacy promises they made would be kept if they sold to a bigger company... which they eventually did.
On the plus side Bitwarden already made an official open source self-hosted version, which can be forked and/or return to the community developed Vaultwarden roots.
Meanwhile KeepassXC keeps on chugging along.
FYI beeper is really just matrix with bridges. Once I realized that I set up my own and now I have the same functionalities as beeper, self hosted, with a choice of clients.
With one difference. After merging with text.com they switched to a model with on-device bridges so that the decryption on their servers is no longer needed. Ofc it’s similar if the matrix instance and the bridges run on the own server.
Oh I was well aware at the time, but I had a lot of friends who still struggled with trying to use Matrix/Element so at the time I was seeking a simpler solution for them.
How fucking stupid do you need to be to struggle with element do they struggle to use cups are they trying to do weird advanced features on an architecture I've never heard of with a compiler built themselves wtf
element was very buggy a few years ago. the new clients are just now starting to get feature parity, and in my experience calls are still quite unstable, requiring your server to have some specific additional setup (which most public registration instances don't have), besides that not a lot of clients have implemented yet MatrixRTC calls. even the client list on matrix.org is only showing whether a client supports the former calling system.
so for the layman it's definitely not production ready yet. and even for new tech literate users some of the things are still challenging to figure out.
Nothing has fully working phone calls anymore my phone doesn't
Wow, usually people lose their shit and complain that Element is too complex and that me and the devs are being assholes asking them to use it... You know kind of like all the people here on the Fediverse who think we need to make it bigger and bring in everyone from everywhere and that the devs and users who defend them are awful for not focusing on user interface first and making it less confusing to choose a server...
Anyway, thanks for being on team reasonable, because I'm with you on this 100%, but I can't change how little people want to learn anything sadly so I make compromises with people who cant or wont learn how to do things. It sucks, people really don't seem to understand that security and convenience are a balance, and every time people argue for shit to be easier they're actually arguing for everything to be less secure. You sacrifice security for convenience, every time, and the opposite happens because you can sacrifice convenience for increased security measures. Security has to be complex by nature to be effective, and the core of Matrix is being a secure, encrypted protocol, which they have already actually put a ton of work into making easier for fucking normies. Yet, it's never enough for people. Always screams of "It's too complex! I hate thinking!"
The buttons are in a different place oh god so much blood yes I resized the window what's your point
lmao God I can feel the frustration rising in me just thinking about it. I know these are digital rather than physical objects... but do these people fail to have object permanence?
Not everyone is a tech nerd some of us just want our stuff to work stop asking us to be nerds too this is why everyone hates you fix it fix it fix it
I feel like there's a very real rejection of consciousness and self reflection I feel that as a strange person who doesn't always accommodate defaults too its really depressing in a very real sense they're rejecting personhood based on protest and and silicon valley propaganda of normalcy and frictionlessness
Has Vaultwarden said anything yet? I imagine that, if necessary, given that bitwarden's client is still open, at the point they choose to try and close it, we, the users, can fork it and establish it for vaultwarden, correct? Or, maybe even the vaultwarden team will think about forking it themselves and making a light client as well to pair with the current server.
But Vaultwarden can exist without "leeching" they just haven't needed to yet. That's more symbiotic than parasitic. The parasite class just took over Bitwarden after all.
Not to my knowledge. As far as forks go, that’s true. However, Vaultwarden would need to become an independent team, and even if they don’t take over maintaining the client, someone else would need to become independent. While it can work, it can also lead to very nasty, longstanding bugs or security issues due to scale, budget, and effort. I see this a lot with Apple apps for example - smaller developers understandably don’t want to deal with Apple’s crap and costs, and everyone suffers in the end.
If you look at the current state of the cybersecurity world, it’s not kind to open-source developers. AI-generated BS is dredging up vulnerabilities on all sides. So security is also a big concern. Someone like Bitwarden has a lot of budget to swing.
Vaultwarden itself is incredibly good, but not perfect:
https://nvd.nist.gov/vuln/detail/CVE-2026-26012.Edit: Bad example, point is security is a concern with a smaller team.
You're right. And that's why more of us need to contribute and spread the word of projects to support them.
Honestly, FOSS is our last bastion against this consumerist hellscape. I'm working on learning to build my own discord-like front end on matrix specifically for gaming. But I'm just one guy. We've all gotta pick where we place our effort and support those around us similarly.
Vaultwarden taking over bitwarden, should they shut doen as open source, I think would be entirely worthy. But it might need more people to either help vaultwarden or maintain it on their own, you're right.
To me, seeing and learning about all of these projects gives me hope. All of these people and communities working to build things out of passion and dedication, because they care and want to provide value to others. No profit motive necessary. We just need to be there to support them as we've tied capital to our survival currently.
True dat. The more people know every corporation, even the most “wholesome chungus Reddit karma 100” ones ONLY care about squeezing profits out of you, the better off we’re going to be in the future.
Check out and contribute to gomuks. It’s the go-to power user Matrix client as I’ve learned. I recently developed a theme for it to make it look more like Cinny, which itself is a bit of a Discord UI Clone. I don’t actually use gomuks, but it really needed a nice theme.
Anyone that doesn’t understand that companies exist to make profit needs to be studied at this point. You have to wonder how they even function in the world.
People don’t go work 9-5 for the fun of it and for free, do they? No, a company and/or customers pay them. Without that payment step there’s no job and there’s no product/service.
If you don’t think the company deserves your money, find another free service and use that until they start charging. Rinse and repeat - or just be an adult and pay for services and work that you like and use.
Are you genuinely unable to comprehend the concept of a company not doing evil things to make profit? You do realise I paid for it up until this point right? Thanks captain obvious for telling me I can stop paying for things.
I was fine with a price hike, I realise that paid users are subsidizing free ones and everything is getting more expensive. What I’m not fine with is the deception, shitty marketing, removal of “DEI-like” language, and a sudden clear lack of morality in the company. They lost my trust, anyone with a brain shouldn’t trust them either with their most precious online secrets.
And you call yourself a freedom advocate, then advocate for textbook enshittification which always leads to the removal of freedom lol, what a shill
You think that people are going to lose “freedom” with Bitwarden making changes? Are you serious?
They’re not doing anything “evil” lol. Inclusivity should not be a main focus of a password storage company lol. That makes no sense.
You shouldn’t have had “trust” in a company to begin with. That’s on you.
What is your matrix front end called?
It doesn't exist yet 😅 as I said, still learning and trying to avoid using AI as a lot of vibe coded discord clones popped up. I did compile a list (which probably needs updating)
https://github.com/DukePantarei/discord-alternatives-wishlist
Goddammit. Why can't we have nice things?
All hail the new Chief Enshittification Officer!
They responded on reddit and walked some of it back as an "oversight": https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/. Allegedly, I'm too lazy to verify.
A change that would require intent to make is not a mistake or oversight.
This sucks. I committed to Bitwarden years ago and now am going to have to switch before they lock me in the garden.
They also haven’t addressed the removal of inclusion and transparency from their goals.
My solution:
https://keepass.info/donate.html
(& yes, I'm linking to their donate page first)
Keep ass what though? /s
why this over keepassxc?
When someone says "use KeePass", we generally mean ”use an app based on KeePass".
Personally, I use the OG KeePass (work laptop), KeePass XC (all personal machines), Keepass2Android (personal Pixel), and Keepassium (work iPhone).
Whichever one you use is entirely subjective. Also, XC wouldn't exist without the OG KeePass, so maybe don't be a tribal weird-ass over it.
I've been wanting to move to KeePass from my current vaultwarden. What's the most seamless way to synchronize the DB across GrapheneOS and Arch?
I trust Syncthing for syncing files, but it kind of feels insufficient for an actual encrypted database.
What works for you for syncing?
The encrypted database is a file. Syncthing handles it perfectly fine. KeePass' protocol has versioning and merge support built right in, so all of the KeePass variants work great with each other without issues over Syncthing.
Just make sure you're not editing the database on multiple machines at the same time - that'll cause merge conflicts.
Thanks, that was exactly what was happening, at least in some cases. I was modifying icons on my laptop while messing with the templates on my phone.
Personally, I use a plugin for passphrases and - last time I looked - the other forks didn't handle them.
Does keepassxc support plugins now?
On my phone, I use KeePassDX from F-Droid and KeePassDroid (Not sure if that's being maintained at the moment?)
The main point is; we need to support open source developers, so pick an open-source solution and contribute, donate, etc.
KeePassXC has passphrase generation built in
i was just thinking this week with the passphrase addition how good bitwarden is and when will the other shoe drop. There it is.
Keepass (all variants and forks) has a passphrase generator, been built-in for years.
The writing is on the wall for BW, and has been for quite some time now.
Move to KeePassXC or its recent LLM-free fork while you still can, because at some point Bitwarden is going to try to go closed-source again.
Oh crap, how's KeePass got an LLM involved‽ Time to look into this now...
I did find https://codeberg.org/ChiPass/ChiPass , but it looks like a very new project.
This blog post goes over it.
...actually seems quite reasonable.
very much so.
Yeah, I'm no fan of slopcoding either, but this policy addresses those who contribute AI-generated code; it is most certainly not "our devs are shipping AI slopcode".
Seems a lot here missed this part:
Linus Torvalds does the same thing with the Linux kernel. He gets AI-generated slopcode submissions all the time. They're reviewed by real people, and like most submissions Linus gets, sloppy work is rejected, AI and human alike.
but it's so much easier to grab torches and pitchforks than to read an announcement
For once ADHD preventing me from completing a migration is a boon, I guess I'll move back to keepass
I'm going to have to just write my own one of these fucking things aren't I?
KeePassXC and Vaultwarden exist
And Strongbox for iOS. They communicate with KeepassXC to keep the vaults compatible with both software.
@captcha_incorrect is there any way to disable the TRY STRONGBOX PRO button?
Not that I know of. I bought pro.
Clue me in on why vaultwarden can’t exist without it?
It can, but vaultwarden, as it currently is, is an implementation of the server only. So if bitwarden decides to go closed source all the way, they'd haver to start either creating their own clients or fork the current bitwarden clients.
That's fine. We just treat it as a fork from this point onwards.
Okay. You first.
Sad. Replaced everything with keepassxc + syncthing
Vaultwarden here I come
No, KeePass. Fully open source, no cloud involved in any way, unless you want something to sync your data (the server only ever sees your encrypted database - all encryption and decryption is done locally). You can also host your own sync server using any of a variety of different protocols.
@[email protected]
Yep. Seconding this!
KeePass + Syncthing is the best.
Back up the database(s) regularly. (Syncthing can also retain
xnumber of versions and things like that, but also do your own 3-2-1 backups.)You can use something as simple as a Pi, or an old laptop, or even an old phone if you get creative, as an always-on syncthing server to keep them synchronized. KeePassXC even has a fancy integration with Firefox, so all you gotta do is unlock your database and click autofill on websites.
Edit: lmao seriously, not like I care but what's there to downvote about this? 😂
I use KeePass + KeeAnywhere. KeeAnywhere will sync with a wide variety of cloud storage providers. Or your own S3 data bucket server (can be self hosted or on Amazon), if you prefer. Does pretty much the same thing though with versioning. Auto filling in Firefox is done with KeePassHttp-connector on the Firefox side and the KeePassHTTP plugin in KeePass. Similar to what you describe.
Yup, been doing this combo for 5-6 years now.
I use KeePassXC on desktop and KeePassDX on Android. No issues whatsoever.
I do have a NAS so that's my "always on" device for Syncthing. Everything syncs up within like 10-15 seconds when a device connects.
I also use a key file as a pseudo 2FA that I keep on a flash drive, so you'd need my master password and my key file to unlock the database.
Going to need to work on migrating
Ok thanks for the heads up
BW news dropped, so you're going to move to something that still requires the BW app?
Circular logic, friend. Ditch everything related to BW. Move to a truly open password manager like KeePass (including its various forks).
I hate to break the news but the issue with Bitwarden is that the client sucks total ass, and there are no drop in 3rd party replacements for the browser plugin.
Been running Vaultwarden for a while now and even though the sync implementation is nice and clean, it's just not worth the end user experience.
This is really dumb when compared to literally every other password manager, open source and enterprise which does a much better job of actually being a password manager and not a glorified encrypted text file.
I'm eventually going to switch back to KeePassXC and just suggest setting a master password with Firefox's builtin password manager for everyone else who just wants a painless user experience and not have to deal with syncing vaults.
what were the questions to which they gave those responses? It's really not clear. link the source.
Once again, enshittification by the fucking suits.
Early on I decided to use only KeePass for full personal control instead of an online service. Didn't regret making that decision.
Hoping for another Moonlight/Sunshine moment! Already running Vaultwarden, rbw, and Keyguard. Just need a simple FOSS browser extension for autofill and editing entries.
For context, Moonlight was created first as a FOSS Nvidea gamestream client. Then Sunshine was created as a FOSS server implementation. Later, Nvidia dropped "official" support, now the two projects are a FOSS stack built atop a formerly proprietary protocol.
Fuck
Oh no, and I just setup Vaultwarden
Why not? No reason mobile apps and browser extensions can't be forked.
https://pawb.social/comment/22239133
The linked vulnerability has been fixed a day prior of being reported by the dev themself and it's not an issue since then, it even sais so in the cve description.
Well, yes, Vaultwarden would need more support, but that happens pretty frequently when a major provider enshitifies. Look at Godot, Lemmy, etc.
As for the CVE linked, BitWarden itself has many more: https://app.opencve.io/cve/?vendor=bitwarden
CVEs aren't an indication of poor quality. Speed to resolution is. It's not often devs themselves are finding CVEs, it's the community.
At the core, regardless of what a C suiter does to the marketing, the state of the FOSS repos is what matters. Since they already walked back the "always free" comment this whole debate may be moot, so time will tell. Hopefully the rest of the company and the public sway them to continue to support it properly themselves.
I suppose so. Maybe the corporate propaganda got to me about the security of smaller projects.
wait, did Godot enshittify?
No, hah, the opposite. Others enshitified, Godot grew because of it.
I am confused. Aren’t their clients open source? How many milliseconds will take till 100s folks will fork it?
Their server is useless and Vaultwarden is already a superior option
While I agree that they are a “at risk” company, I don’t think the software itself is at risk
I could care less that he removed inclusion, if that was all it was. But it got replaced by "innovation", which coming from a guy who proudly lists his private capital ventures sounds like a dog whistle for figuring out how to fuck over customers.
Bad portents all around.
I fucking knew this would happen years ago. Something always smelled "off" about BW.
namely the VC funding and the huge resource hungry clients to me
you saw that something on the internet will go to shit in a couple of years? speak to us, oracle! :)
Right? Lmao who would've thought??
Glad I started using Vaultwarden a while back. Just need to find better apps for android and Firefox I guess because I'm guessing they're going to try to break compatibility.
vauktwarden needs bitwarden though
I mean at this point in its evolution, what parts does vaultwarden rely on from bitwarden? The clients, but there are alternatives like keyguard for Android devices. What other layers does it rely on, I actually have been trying to figure this out myself.
Well fuck this
The year of keepass and syncthing!.
Damn I guess I’m going back to keepass again since I am not really interested in hosting a vault
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.
[Thread #295 for this comm, first seen 16th May 2026, 03:30] [FAQ] [Full list] [Contact] [Source code]
Keepassxc and whatever I'm using off f droid for Android. Then is sync with proton drive. Works well for me. I do the same for my one time password backups. You don't even need to pay for a subscription to proton. These are small files. Free version is good enough
Yes, I use KeePassDX as well.
That's not good enough. Stay entirely offline. Keep your own stuff in sync via Syncthing and Syncthing-Fork daisy chains, especially if they're small files.
Has the sketchiness around the Syncthing fork hand-off get sorted?
I don't know if their behavior over the transition was ever explained but at least it was legit, last I read.
Yes, the previous maintainer of Syncthing-Fork gave it the green light. Honestly, from the explanation they gave, it sounds like they just have major social anxiety. But it's all settled. Even the maintainer for the Google Play version is good with it.
Right but fdroid is just about dead
Motherfuck!
rbw is an unofficial CLI client which works with vault warden.
They all want all of the poor people dead. They are wagging war on us.
We really need a VaultWarden service run by a non-profit.
I guess that explains the transition to AI coding as well
No one is being “sold out” lol. Anyone using the free tier has had a great run with an amazing service without paying a cent. Can’t complain about that.
I already pay for Bitwarden as it’s a great service that brings a lot of value. I’m happy to pay for it, and have zero anger at a company wanting to make money from their product.
Others might disagree, but companies can’t exist without making money. It’s insane that there are somehow still people that don’t understand how business works.
My work just started giving out 6 sponsored family licenses per employee which is awesome, so I’ll actually get to stop paying for it for a while.
Buddy, I don't know if you've been living under a rock but everything a venture capitalist touches is enshittifying. You think any of these companies you're reading headlines about are suffering to keep their doors open? When google locks down android or X starts including ads in Grok they're doing it to keep the lights on? You think if Bitwarden started cutting free services and charging more the average employee is going to get a proportional raise to the new profits?
No. We're not upset because we dont understand that a company needs to make money. We're upset because we have basic pattern recognition skills and we understand the nature of late stage capitalism on wealth inequality (at least intuitively). This (likely) isn't some smart business person coming in to balance the books, this is (likely) some rich asshole whose job is to kill the golden goose and sell it for parts before anyone catches on that you need it alive to produce eggs.
You only have the world you live in thanks to capitalism. Without calitalism things like Bitwarden wouldn’t even exist.
Companies exist to make profit. Investors want profit, that’s why they invest. That’s why these products exist in the first place.
There’s no better system than capitalism, and complaining about “late stage capitalism” and blaming everything on it is dumb.
There are profits that grow over time, keeping their promises, without harming customers, and with values at the core of the company.
Then there are profits gained immediately by cutting corners in many places, ignoring damage to reputation, and driven by greed.
These kind of news point to the second case and we all thought bitwarden was the first kind.
https://bitwarden.com/pricing/
I kind of find the headline a bit disingenuous. However, if they do move to a non-free model, I'd still pay for it. I mean $1.65/Month USD. Sure, I don't even have to think about it.
yeah fuck that... fuck subscriptions ALL OF THEM. fucn these companies, ALL OF THEM.
stop giving any of these pricks any slack. none of them deserve it, nor money.
today it's 1.65... tomorrow it's 4.99... next week it's 12.99.. stop being a mindless sheep giving them any sort of leeway. you're enabling the scammers to literally scam you more, and more and more.
I'm relocating all my shit right now because we'll.. fuck em. I am loyal to NO COMPANY. none of them deserve anything but bankruptcy at a minimum.
I've cut down my subscriptions by a lot over the past few years, and I've gotten very close to what I consider a minimum. Whenever possible, I like to buy outright.
However, surely you can understand how not every product can function as a one time purchase. For something like a password manager, they are providing an ongoing service. They are storing and serving your data.
You can self host, sure, and I'm doing a lot of that lately. But not everyone has the capacity or desire to.
All that said, this leadership shakeup is concerning and I think I'll be migrating to Proton, since I already have a Duo plan.
You don't need to self-host at all! Daisy-chain your needed files via Syncthing and Syncthing-Fork. That's literally what I do with KeePassXC and KeePassDX, keeping everything offline.
I am totally in line with not agreeing with everything being a subscription. And I absolutely dont agree with subscription creep.
So I minimize what I pay for. And let me say, in no means am I defending the change in Bitwarden here. I would never.
It isn't a realistic expectation to expect any hosted service to be free. Especially in capitalism. Someone will come along and fuck with pricing.
Not everyone has the time, knowledge, or finances to fund self hosting everything.
But to automatically assume everyone is a sheep for using a service that benefits them is a bit of a jump.
Yes, I myself value privacy, security, and the merits of self hosting as much as I can with my resources. And I have had conversations with people on these topics, and there are the folk that lack the understanding of the importance of the hill many of the folk like me stand on. So I have seen the wide spectrum of people who pay for services.
Wild take dude.
yAlL aRe ShEeP blah blah blah...
'Mindless sheep'. That's hilarious. But I get it. Nobody likes to pay for shit.
It's not 'out of touch'. It's paying for (if it comes to that) a service that houses all of my business accounts, investment accounts, personal accounts, etc, and all with a pretty damn good track record. As with any technology, you must constantly evaluate it to see if what you are spending is justified for the service you are receiving. If at such time I feel the service isn't worth the price, then sure. As of now, it's not really an issue to me.
I assure you, I am fully cognizant of what for-profit corporations do. It's one of the reasons I turned off the TV over two decades ago. There just wasn't any ROI for me.
Hmm nice profile pic
Baaaaaaa.
Man, I tell you, I wish I could live in a fantasy world where everything is free.
Not sure about “everything”, but plenty of password managers are.
There are a handful of things I do not self host.
Funny thing is I clicked the link and "Always free." was gone. Refreshed the page and it was back. Definitely something going on.
It was there when I went and took a screen shot without refreshing.
It’s so deceptive, and clearly designed to be so. They saw the backlash and added two words, real backhanded vibes.
Yeah it's not about not paying for me, it's about being able to host my own with my protections and controls
That is totally awesome and cool bro. You'll never hear me throw shade on someone for charting their own course in life or choosing a different path. In fact, to drop a little relevant Hendrix up in here:
"I'm the one who has to die when it's time for me to die. So, let me live my life the way I want."
As long as my life doesn't interfere with your life, we'll be just jippity jippity. Rock on! Git sum! It's a big world. We can all coexist.
Everyone who used and shilled them deserves thus lol
Many of us already pay for it because it’s an amazing service that we appreciate and are happy to pay for.
Not everyone is a cheapskate who thinks they deserve other people’s hard work to not be rewarded.