They made the standalone license almost impossible to find and get, forced a subscription on users, and made the password vault storage online for the subscriptions. Now this self-hosting survey comes as a surprise, and it would be of some relief if/when it’s implemented.
I do wonder how the licensing and pricing will be handled though.
Bitwarden officially allows self-hosting for the personal use tiers, but it seems to have some license purchase requirements even for the self-hosted options (other than the free tier).
Is there any password management application out there that makes sharing passwords or password vaults easy but is also free? I’ve looked at KeePassXC and Bitwarden. The former isn’t easy to use for sharing and sharing permissions. The latter doesn’t offer sharing among more than two people in the free tier.
> Is there any password management application out there that makes sharing passwords or password vaults easy but is also free?
For members of a relatively well-paid profession earning good wages from creating software, I wonder if the reluctance to support others earning money for quality work isn’t some form of cognitive dissonance.
// Pre-emptive “edit” before this comment has replies: Folks post a lot of arguments for “free” software any time there’s a comment such as mine — but justifications largely feel like post-hoc rationalizations conflating freedom of information and ideas with freedom from paying for value, ret-con’d stories we tell ourselves. I call BS — unless one is independently wealthy, to spend maker time on art or craft requires one to either earn money or enjoy patronage. Tools for work are more craft than art, and deserve to earn, especially as patronage or maker communes are in short supply. Not to mention the exercise of ethnocentric privilege implicit in demanding something of quality in exchange for nothing assured.
I agree to the payment. I disagree to the subscription model.
I absolutely would try to hook users on any SaaS. However, I go out of my way to avoid such products. If I can pay for them once, I much prefer it. (For something like jetbrains, I'm okay with a renewal fee because if I choose not to pay it, I can still use the older version.)
I make an exception for Bitwarden because I like the idea of my password manager having continual security updates. However, it's one of the most frustrating parts of the webification of services - I want to pay for things once, and choose if I want the expanded features at any given time.
You know, I bought a 1Password version 3 licence. There’s the support. Fast forward some time and the software started recommending that I upgrade to version 4. After installing it, the software told me that it requires a subscription from here on. It was almost impossible to roll back to version 3. I ended up switching to Unix pass.
Similar story here. Slowly moved over to Bitwarden. UX almost as good and works well enough on all platforms. Chose Bitwarden for the company afterwards as well, only positive feedback.
I would have moved from 1Password to Bitwarden as well, but I stayed on the 1Password ship for its native app. May reconsider now, as they are moving to electron.
But in cyber security based software wouldn't you need constant updates against new exploits? In something like Fusion 360 or Matlab or Office I agree: if you don't need new features you shouldn't pay for updates.
> For something like jetbrains, I'm okay with a renewal fee because if I choose not to pay it, I can still use the older version.
110% agreement.
Further, the only thing I like less than subscriptions is IAP not of new feature sets but ‘pay-to-play’ where the mechanics of use are negatively distorted to gamify purchase impulse.
I’ve argued — here, since inception of IAP on Apple’s app store — that the worst thing Apple has done to consumers was normalize removing the ability to show only single purchase paid apps in the app store. A vast class of less fortunate consumers either resigns to less utility or wastes time on an artificial “grind”, to encourage another class of “whale” to drive corporate revenues.
I don’t mind extracting cash from whales who can afford it. I do have a problem inflicting artificial digital scarcity of utility or enjoyment on the masses to create the ‘hook’ for whales.
As for subscriptions, it’s not clear to me that the treadmill of software/hardware upgrades is benefiting core use cases.
I like paying for generational or disruptive change, “voting with my wallet” on what’s of worth to me, but after a couple decades of purchasing generations of Adobe software only when the features mattered to my work, I moved from Adobe to e.g. Affinity and feature sets I own instead of rent when these recurring subscriptions don’t appear to meaningfully benefit my productivity or output.
For instance, it’s remarkable to me how similar the principles are between today’s (re-)emergence of Markdown for document composition and the early WordStar / WordPerfect / AppleWriter tools of the 80’s. I also like the experimentation by these Makers in ability to purchase a ‘pinned’ feature set, or support ongoing refinement. (Editors whether text or code, like JetBrains mentioned, seem to have a jump on this clever — and rare positive — use of IAP.) It’s difficult to show what increased utility of word processing has come from the most recent 20 years of paying for word processing upgrades. Today’s dev efforts suggest the sweet spot may be 30 years back.
The flip side of this, economic models are still dissatisfying for affordability of basic bricks and mortar world rights such as housing. The least worst answer appears to be rent (with a dystopian jag into ad-supported!), and it may be the least worst for software is rent as well.
Except when the ongoing annual software rents have risen to the same cost as one-time purchase (again, Adobe!), contrary to bricks and mortar where the over under is often 7 years of possession and use.
Back to artificial digital scarcity — I’m concerned that advertiser funded access to quality writing is losing ground to monthly subscriptions for content. Are less fortunate kids going to be able to subscribe to NY Times, WaPo, Atlantic, Guardian, National Review, American Spectator, and so on, for $5 a month each? (News aggregations such as Next Issue could resolve this, but even as Apple’s “News+” this struggles.) Even more dissatisfying when a print publication goes down the same path as cable, first charging for something that was free, then eventually layering in the same ad content as when it was free.
Artificial scarcity based IAP, data-broker supported (ad supported is fine, individual data for content is not), and the descent into the ironic sounding “gacha” model for software or content happy meals (utilities, clickers, news, etc.) — something thoughtful has to shift before we’re living in a future less Roddenberry than Idiocracy.
With applications however you are using your resources only. If you use a web app you are using their resources which they have to pay for continuously in perpetuity. To expect a one time fee for that and forever updates just isn't feasible. There is software out there for free that does what bitwarden does. KeePassX for example, so it's not like there aren't options.
> I wonder if the reluctance to support others earning money for quality work isn’t some form of cognitive dissonance.
It's about freedom, not about price.
I will not shape my life and habits around software that can be discontinued, or suddenly changed so much that it breaks my workflows. I will not use software with proprietary formats or which has dependencies on external "cloud" services that can go away at any moment. I don't need that kind of aggravation.
Happy to pay any reasonable (or even slightly unreasonable) money for software, not an issue. Sell me each version as a stand-alone application that I can run forever without any external dependencies and I'll pay for it.
Try to lock me into a subscription model and/or make the functionality dependent on an external server, that'll be a hard No. Even if free.
With 1Password, the subscription is really expensive, and I’m afraid that the bloat the company is stuffing into the product is weakening the security. Frankly, they make too much money.
I’ve found enough bugs in the Mac product that I assume there are security issues I’m not aware of.
A 1Password subscription costs $36 a year. Their previous standalone product cost $50 per desktop OS you wanted to use it on and had a major version upgrade you needed to buy again about every two years.
If you needed it on both Mac and Windows, the subscription was cheaper.
For me it’s the feature tiering and price discrimination that turns me off. I end up paying too much (total cost over 5 years) for too little. If you look at the business pricing it’s even dumber.
The $2 billion valuation of 1password tells the entire story. They’re overcharging for what they’re providing and I think tech people can “feel” that which is why tech communities hate the subscription BS.
I don’t really think $8/user/mo for Business is overcharging compared to Slack which quickly gets into $30+ per user per month in larger shops where Enterprise Grid is required for its features.
By your argument why can’t I buy that and self-host it too, decide if I want to upgrade for more features myself?
I also think $5/mo for 1Password for Families is incredible value. Zero regrets on paying for this because it meaningfully enhances my families personal security posture through elimination of reused credentials and enabling TOTP (sharing of code generation) on many sites we use, that it is cross-platform so no excuses for everyone to not use it, and the UX is so simple you don’t need to be “tech people” to succeed.
How much you charge and how you charge is definitely divisive, but 1Password feels very much on the cheaper end of the spectrum, not “overcharging”, heck Discord Nitro is $5 (Classic) or $10 and gets you very little by comparison IMO.
> enabling TOTP (sharing of code generation) on many sites we use

Are you generating TOTP codes via 1Password or something? That seems like a degradation of security. I did a cursory search and didn't find mention of 1Password providing such a "service".
It isn’t a degradation of security, in my opinion, it’s an upgrade, when certain accounts are involved.
For these shared accounts, such as those used by my family, and on services which don’t support account-per-person in an “organization” or “household” sense, this still provides for TOTP in a way my spouse and I can both login. Ensuring just the loss of the password isn’t enough to compromise the account is an upgrade vs. not having TOTP enabled.
Where we can both have our own accounts and use U2F tokens that’s a better story, clearly, but 1Password having this functionality is great!
I don't understand how it's not a security degradation. The point of TOTP is to make access to the service dependent on something you must have physically (and isolated from the internet) on you. An attacker that manages to exfiltrate 1Password data has everything they need to access the service if TOTP is part of their offering. Whereas all users with TOTP on their phone would have an additional layer of protection.
Even by that blog post, they have to go out of their way and clarify that using this feature means you are no longer using two-factor authentication.
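The property the two comments above are arguing about is easy to see in code: a TOTP code is a deterministic function of the shared seed and the clock, so whoever holds the seed can produce the same codes as the phone. The following is an added illustration, not code from the thread or from 1Password; it implements RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second step) with a constructed seed and shows that a "phone" holder and a "vault" holder compute identical codes, plus a verifier with a small clock-skew window. Every name in it is hypothetical.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check; accepts codes from +/- `skew` time steps to tolerate clock drift.
    Uses a constant-time comparison so the check itself leaks nothing about the code."""
    counter = unix_time // 30
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(seed, c), candidate):
            return True
    return False


def same_seed_same_codes(seed: bytes, unix_time: int) -> bool:
    """Models the thread's point: an authenticator app and a vault export that both
    hold `seed` are indistinguishable to the server; the seed *is* the second factor."""
    phone_code = totp(seed, unix_time)        # code shown on the phone
    vault_code = totp(seed, unix_time)        # code computed from the exported vault
    return phone_code == vault_code


# Constructed seed; this is the RFC 6238 reference seed, not a real account secret.
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("current code:", code)
    print("verifier accepts it:", verify_totp(DEMO_SEED, code, now))
    print("vault holder gets the same code:", same_seed_same_codes(DEMO_SEED, now))
```

Against the reference seed, the 6-digit codes at t = 59 and t = 1234567890 are 287082 and 005924 (the last six digits of the RFC 6238 SHA-1 test vectors). The practical consequence is the one the comment draws: the secret to protect is the seed, and keeping it on a device separate from the password vault is what makes a stolen vault export insufficient on its own.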
> For members of a relatively well-paid profession earning good wages from creating software, I wonder if the reluctance to support others earning money for quality work isn’t some form of cognitive dissonance.
Yep! People see open source as a goal, rather than a sustainable product being a goal.
> For members of a relatively well-paid profession earning good wages from creating software, I wonder if the reluctance to support others earning money for quality work isn’t some form of cognitive dissonance.
GP here. I agree that all software developers and maintainers need to earn an income for their work. It's just that you don't know my circumstances, my geographic location, and the constraints I have to deal with when posing such a question. Believe me when I say that I have some real constraints that cannot be surmounted on this particular front. I don't like my circumstances, but that's just how things are right now and there's nothing I can do about it.
My guess is it's over confidence, at least in my case. Often I feel like "I could do that!" Now having tried a few times I'm more willing to pay for tools, especially non-subscription ones.
There is a lot of merit to free software and open source software, but in this or other cyber security cases I would prefer a paid option that makes it clear where the devs are getting their money from. If it is free, then the user is the product.
Nope. "Password Storage" should not be a business that exists in the form of "if you don't pay for good password storage, you're not allowed to have it." Especially if it involves storing your password with a third party.
The technology to store passwords safely has a marginal cost of zero (it's software). People storing passwords in third party places increases the threat surface, always. Finally, it's "ecological" in that safety/security of this sort needs to be evenly distributed to work its best.
I'm not saying we shouldn't pay people to make things safer, we absolutely should. But this is a bad model for it.
It's not really different or separate from the whole "Free Software/Open source" thing; there's no easy answer.
Though there's enough potential public harm such that looking at "public health" models is not a bad idea. Most places you don't have to pull out your wallet to get a Covid vaccine, you shouldn't have to pull out your wallet to get good password safety, for roughly the same reasons -- the harm from one "infection" can spread quickly.
I'm surprised by these sweeping assumptions of what the HN audience is.
> relatively well-paid profession earning good wages from creating software
AFAIK 1password doesn't practice location-based pricing, so how can you assume that "relatively well paid" people from different geographies of the world can all find it affordable?
> Not to mention the exercise of ethnocentric privilege implicit in demanding something of quality in exchange for nothing assured.
Whoa! Knowing nothing about the OP you assume that he is a member of the oppressing class clamoring for the output of his slaves? And, since you're writing this in English, I think it's safe to guess you're assuming the person you're attacking is white, so you're basically accusing this guy of being an entitled white who can't give up his slave labor.
I was with you on the rest of the post, but charges of "ethnocentric privilege" are a weird, racist escalation hiding in academic terminology there, bud.
Occam's Razor applies here: everybody likes free shit. This isn't a property unique to the evil whites.
> In common usage, it can also simply mean any culturally biased judgment.
Also relating to the "Global North" (who it's very likely that any given poster here belongs to) and "Global South", which don't have anything to do with skin color.
Given you've created a throw-away to comment this, I suspect you know you're actually the one making a "weird escalation" and are aware that you're race-baiting in a non-genuine manner.
> They made the standalone license almost impossible to find and get, forced a subscription on users, and made the password vault storage online for the subscriptions.
1Password recently raised $100 million at a $2 billion valuation.
Looks like they're going down the Dropbox path. Shame as 1Password used to be one of my favorite apps.
You can indeed, but only if you accept what follows. You will be in charge of maintaining critical infrastructure, as well as keeping it safe from attackers.
My biggest complaint about the 1Password 8 situation is that I've been "self hosting" version 7 for years using iCloud sync, and it has worked perfectly. I have my 1Password vault on every device for "free". With family sharing in iTunes, I had it for every family member for "free" as well.
With version 8 they're taking that away, and instead trying to push me to a $5/month subscription that essentially does the same thing.
I have faithfully purchased every version up until now, and had they kept local vaults/iCloud sync I would have purchased the next one as well. As it is now, self-hosted or not, I will be looking for something else. After all, all I really need is an encrypted file on a cloud share.
Unix Pass would be great if it didn't leak information about which sites you have logins for. "Easily" fixable by using Pass Tomb, but sadly that's not available on iOS.
Totally agree, and I notice a lot of people just blindly go down the hosting Vaultwarden route. There's a trade-off that everyone needs to consider, and much of it depends entirely on their skill level.
Having said that, I'm all for self-hosting and I hope it continues to become prevalent.
I'm also all for self-hosting, but there's a difference between hosting things for your LAN, and hosting things available on the internet.
Most people have no clue about the amount of work required to run things in a secure, redundant and resilient way. And no, a Raspberry Pi in the corner, running on your LAN, probably won't cut it. At least not for me.
I do this, works perfectly for sharing common passwords among my family (streaming services and utilities mainly).
I moved from 1Password, and my main gripe with Bitwarden is that the apps aren't as polished. If it's not too expensive I'd consider switching back (1Password family is $60 per year, so I assume this will be less).
I'm paying for a Bitwarden subscription because I want to support their product and their vision. But I don't know, time passes and some much needed improvements don't seem to arrive.
The most glaring issue (for me, anyway; I fully understand I'm just a sample size of 1!) they have is relying on the pop-up UI of the browser, which I guess is stateless (state is lost when the popup closes, it seems?). The decision of using this UI was already wrong from its inception, IMHO; not sure why they thought it would be a good idea. But more surprising is that they haven't yet moved to the much more reliable and user friendly method of opening their UI in a new tab, which was a no-brainer when using LastPass. Oh well. They said they have this in the backlog, so hopefully it gets some attention sooner than later... but in the meantime the end users are faced with silly issues like this. Software that loses user data should not be a concern in the first place, and for sure they won't care about some technical explanation about how the browser handles pop-up windows.
Tavis Ormandy (of Google Project Zero) has a pretty convincing post arguing that relying on browser extensions that modify the DOM (which includes [almost?] all password managers) is a bad idea: https://lock.cmpxchg8b.com/passmgrs.html
(he recommends using your browser's built-in password manager, which isn't as convenient but is much more secure)
It'd be ideal if browsers offered standard hooks into their password-filling mechanisms. Let the password managers volunteer "I know a password for this site!" and fill it through the browser's standard UI.
Basically, I want the browsers to implement something close to what Apple has for password management on iOS. Ideally go a bit further and expose hooks for creating/saving a new login, too.
Unless they already do this, and nobody has actually taken them up on using it?
That's an amazing idea! Do you know if any browser vendor has this concept even in the radar? It would be very cool that password managers were able to do that: manage passwords, and not have to deal with each browser's idiosyncrasies which if you think about it, is just a distraction from their actual mission of being a password storage.
iPhone does this already. You can choose from different password managers (I use built in and an old version of 1P). So it works on Safari, but also other apps that I assume use some standard password field.
Now that you mention it, that would be a fantastic idea; create an extension that exposes some sort of API that the browser can tap into to load suggested credentials for the current domain.
I guess it makes sense, but it's a very very unhelpful suggestion... we're painfully and slowly moving in the direction of teaching users how passwords are less and less useful as long as they are not random, so the ideal alternative is having all random passwords and using a vault that remembers them for us.
But this whole proposition totally breaks if I store my Amazon password in Chrome at work, and then later I cannot access it in Firefox at home, or the native app in my Android phone.
The clipboard is not exactly a secure channel. Browsers need to catch up to mobile and provide dedicated APIs for password managers to hook into so they don’t have to interact with the DOM.
It gets worse. Their browser extension doesn't work when using a private window in Firefox. The GitHub issue[0] around it was raised in 2017. They've been blaming Mozilla for deprecating and subsequently removing an API. It's pretty ridiculous.
Good idea! I'm however limited here by the fact that (Firefox at least) only one sidebar can be open at the same time. And for me that's occupied full-time by the fantastic Tree Style Tab extension. I would definitely find it useful if more sidebars could be open at the same time.
I had the exact same experience. I don’t want to care about the app UI etc but when you use a password manager as often as you do it really matters. Not to mention selling the idea to less tech-savvy family members, it really does have to be as simple as can be.
I self-host Bitwarden_rs and use the client apps on Windows, Linux, and MacOS. To me, the UI seems very usable, polished and attractive. It doesn’t seem that different from 1Password, which I switched from a few years ago. What exactly about the UI needs improvement?
I'm a 1Password user right now, but I've tried self-hosting Bitwarden_rs and like it very much.
The one killer feature which is preventing me from switching is the ability to use multiple self-hosted servers at once (so I can separate family vaults from business) [1], but "client profiles" are likely to be implemented some time soon [2].
Now that I've learnt that local vaults are going away in 1Password 8 [3], I'll probably make a move to Bitwarden sooner rather than later.
I thought there were some features missing from vaultwarden compared to bitwarden. I think the one that stuck out to me was lack of AD integration. Any chance you’ve seen a list of what is and isn’t in vaultwarden? My search hasn’t turned anything up. Maybe they’re at feature parity now?
Good to know, extensions always feel like the weak link in password manager security (again, not a developer so happy to be proven wrong here) so I don't use them. I always just copy out of the desktop app (Ctrl + P), still a really fast keyboard-only workflow once you get used to it.
The mobile apps were the primary problem for me. Regrettably it was long enough ago that I can’t remember all the details but I’m pretty sure at the time it didn’t support TouchID for one.
I'd say give it another try sometime! The mobile app (I've only used the iOS version) is very usable and has FaceID support for those that want it. Also, safari can work with the app to pull passwords quickly.
I'm just really grateful this project exists. I've tried most of the major password managers out there and I feel like BW/VW is the clear winner, especially if you're willing to host your own server. If not, their pricing for an annual personal account is incredibly reasonable.
I find this surprising. I’ve been using Bitwarden for a few years now… the mobile app is easy to use. They even make MFA painless by automatically copying the code after the password is entered. The browser extensions seem to work fine too. Perhaps the web app is not as clean, but I rarely use it.
That lack of polish and lack of improvement over the couple years I used Bitwarden are why I switched back to 1Password. Being open-source is not a free pass to ignore issues like that.
When looking into KeePassXC, did you specifically look into the KeeShare[1] feature? As long as you have some common place to read/write a file, you can share a subset of your credentials. I agree this is not as easy as hosted solution like Bitwarden, but KeePass was always designed to be a non-hosted solution, so I think this is about as good as they can do.
GP here. Yes, I did look at the KeeShare feature, and that's what I had in mind when I said it seemed not as easy to use. I'll have to read more and try it out practically.
I don't want to self-host anything. I've spent enough years doing that. All I really need is an encrypted file that can be synchronized using a cloud of my choice.
For me it's the opposite: having Bitwarden separate (self-hosted or even their hosting) lets me drop even more iCloud services to become less reliant on Apple.
I've used pwsafe[1] for years, maybe over a decade. Multiple platforms supported, although macOS and iOS versions are paid (one time payment, no subscription). Store your vault anywhere you want.
> I’ve looked at KeePassXC and Bitwarden. The former isn’t easy to use for sharing and sharing permissions.
For a while, I used KeePassXC with my encrypted database file checked into my Dropbox storage. That allowed me to sync my passwords between devices but not give the cloud provider any way of knowing the passwords (since my KeePassXC master password was not stored anywhere besides in my brain). Unfortunately, Dropbox eventually changed their Android app so that synced files no longer were stored on the local filesystem, so adding a new password from Android or getting the new passwords from other devices would require manually uploading/downloading the file through the Dropbox app. I somewhat suspect this change was due to Dropbox eventually adding their own password management functionality to the app, but I didn't consider that until later, so I'm not sure how the timings lined up. In any case, after weighing my options I ended up deciding to just switch over to Bitwarden. (The migration was extremely easy; I was able to export the KeePassXC database locally to an XML file and then import that into my newly-created Bitwarden account without any issues.)
Personally I don't recommend Enpass. They switched to a subscription model like every other password manager.
They don't host your data so have no recurring expense, I don't understand how they can justify the subscription model. They have no real innovation, they added an "Audit Feature" for an additional €26.49 per year.
Sorry; I didn't know. I got the "pro" version long ago for iOS and they have basically retained that (kinda upgraded for free as now I can use on all devices). I think it cost me $10 or something. So amazing for me.
Now the same deal is $80 which I think is still ok but on the high side.
I like their hands off approach. Password autofill/save etc are also far better than most other password managers (esp bitwarden).
I use it with a vault synced via Dropbox. I'd never given their subscription service a second thought. Didn't realize it was so hard to buy that option.
GP here. Yes, there is a standalone version, but you'd have to know specific incantations and rituals to find out how and where to get it. It's purposely hidden away from the homepage and other pages about the product and pricing.
Bitwarden is OSS and if you want to really not pay for such a feature, you can strip out the license check code fairly trivially. I think it's a good balance.