
I would like to throw Bitwarden out there. Cross-platform, works on everything and can be self-hosted if you so desire.



Agreed. I have been using Bitwarden for over 3 years now, paid premium user as well. No big issues, the odd bug a few times but all fixed promptly and didn't impact my ability to access my data.

While the Bitwarden apps are not as "pretty" as 1Password's I find them a little simpler to use. Obviously UI design is highly subjective though so your thoughts may be very different :)

Anyway yes I highly recommend Bitwarden. Kyle and the team have built and continue to run a top class product that costs 1/3 the price of 1Password.

Edit: To clarify I use Bitwarden solely for personal use. I cannot fairly compare Bitwarden and 1Password for multiuser/shared vault use.


While almost everything is great about Bitwarden, the 5-8 second delay when performing a search is ridiculous (considering I have about 100 records), and I'm considering paying for a better maintained alternative.


Where do you have such a delay? I just tested in my vault (via Chrome web extension and desktop app) with 377 items and search is instant.

I am on macOS Catalina although that shouldn't matter. I suggest you contact support https://bitwarden.com/contact/


It happens in the Android App. Desktop apps and extensions are OK.


Interesting. I just tested on a Pixel 2 XL running the latest public Android 11 OTA version and search doesn't lag at all. Same speed as on an iPhone 11 Pro Max.

Could it be a device issue? I highly recommend you report it to Bitwarden as Android can be a real pain in the ass to test with so many different devices out there with all kinds of strange OEM "optimisations" to the OS.


I think that is because their CPU is slow. I have the same issue on my Chromebook (5 years old) and Android (Pixel 2). All other devices are fine.


From the comments, I think this is an Android-specific issue. I use Bitwarden on Android and also find that searches inexplicably take several seconds, especially when you arrive at the search query from the autocomplete popover.


This is exactly where I'm getting the delays. Which is indicative of another problem: in several websites I have to search for the login manually because Bitwarden doesn't find the credentials (according to the Android Firefox/Chrome extensions). This never happened with 1Password.


I have over a thousand items (!) in my vault and never experience delays in iOS, Firefox or chrome.

Maybe it's a syncing-related issue; try contacting support.


This is very strange. I have over 480 and never experienced delays anywhere (macOS, Android, iOS). Searches only take a second or two once you've typed two characters in the search box.


I've seen other people complain about this but I have never experienced it myself. On Android and Windows.


Where do you see this delay? I have not had this experience, Bitwarden has always been perfectly snappy for me.


It happens in the Android App.


Bitwarden is great, but I'm getting frustrated at their ridiculous excuses for not implementing fixes.

For the longest time Bitwarden has been broken in Firefox's private browsing after Mozilla deprecated some APIs due to security concerns. They've given alternatives but they are just refusing to fix it, to the point of basically saying Mozilla needs to fix the issue. What's sad is a similar mechanism is used in their Chrome extension. Someone even raised a working PR that the CTO wasn't fully happy with, and asked for changes (which is fair), but the PR hasn't moved since, so I'd have expected the Bitwarden employees to take it and fix it up.

It's absolutely ridiculous to still not have this fixed years later.

By contrast, I was a 1Password customer at the time this change got introduced, and they'd pushed out a fix not long after.

I will be trying the Linux client, and if it's good enough, I'll certainly switch away.


+1 on 1Password's dedication to fixing issues. I had an obscure field selection issue on their web view and pinged the support email. It was fixed a few days later and they updated me on it.

I switched to 1Password from KeePass after 5 or so years because I just got tired of maintaining the data locally and keeping it in sync on my devices that I need the passwords on. I just backup the 1Password database locally now to calm some paranoia.


Is there any reason not to host a Keepass database on any generic cloud service? That's what I'm doing at the moment. I've never encountered any sync issues or conflicts, and take backups every now and then in case that happens.


No reason, yours is the best option IMO. You have a secure container, with a sync service of your choice. It's more transferable so you can easily migrate if you want to.


I’ve been a happy one-password customer for several years and I switched to the family subscription model to get my parents away from their little notebook of passwords. I had self-hosted a PHP based password manager for a handful of years, before switching to 1P because I wanted a “real app” with tighter OS integration. I’ve had 3 gripes and this solved one of them. The other 2 are

1) Their insistence on 1PasswordX- I want a desktop app, I want tight integration, the browser extensions work just fine if I need something quickly. 2) Poor/no support for key management- storing ssh keys as an encrypted notes is a bad work around.


As someone who can’t install 1Password many places where I have worked, 1Password X has been an amazing option.


1Password X is a sad excuse for a Linux client. Compared to the great experience one gets on MacOS (haven't used it on Windows), 1Password X is a child's toy, and a bad one at that. It did improve a bit not very long after I left 1Password, but Bitwarden hasn't been better.


I’m not saying it’s bad, it’s just grossly inferior to the native app on both macOS and Windows.


In defence of the notebook of passwords, there tends to be minimal overlap between opportunistic neighbourhood burglars and identity thieves.


Fair point- I guess digitization was somewhat selfish. A centralized DB makes it easier when I’m trying to help them with something remotely, and the “Shared Vault” facilitates easy communal logins (Netflix, Hulu, etc...)


100% agree and I did the same with my own parents.


Just so you're aware, it's a limitation within Firefox and Private mode - not Bitwarden.

```
The Bitwarden browser extension does not completely function in Firefox’s private browsing mode. This is a known issue specific only to Firefox. You will see a message indicating so when you try to open the Bitwarden popup window in a private window. We have discussed the problem with Mozilla, however, they seem unable to fix it so that extensions like Bitwarden can function entirely in private mode.
```
https://bitwarden.com/help/article/extension-wont-load-in-pr...


As I mentioned, this stopped working after Mozilla deprecated, and subsequently removed, an API due to security concerns. When viewing the docs for said API, they have clearly outlined an alternative mechanism. They have still stuck to blaming Mozilla.

An individual raised a working PR to fix this that got reviewed and some changes were requested. The individual must have abandoned the PR or something because it hasn't moved since. I would have expected Bitwarden devs to pick this up and get it merged, and address the PR changes themselves since OP isn't addressing the issues.


"By contrast, I was a 1Password customer at the time this change got introduced, and they'd pushed out a fix not long after."


Bitwarden works in private mode.

Right Click on the field > Bitwarden > Autofill


That only works if your vault is unlocked. Which is a pain, having to open a non private window, open the vault then go back to private.

Otherwise it pops up Bitwarden in the top right and says it isn't available in private mode for this browser.


Not knocking the project, which sounds cool, but the absolute last thing I want to self host is a password database exposed to the internet. Hard pass on that element.

1password used to have a peer to peer sync mode that I loved. No need for a server anywhere. You would open it on your Mac and then open it on your phone and if they were on the same network they would self discover. Too inconvenient, perhaps, for most users, but for the paranoid like me, it was ideal -- no servers involved at all.

(Technically, wifi sync I believe still exists IF you use 1password on Mac with an old-style local vault, but it's basically unsupported. Mine just stopped working and I switched to 1password.com.)


Bitwarden only ever decrypts the password database on the client, and the login credentials you send to the server are only a hash of your actual encryption key.

In principle, you could store your Bitwarden database on a public torrent at no risk to your security :)

So, if you do trust the Bitwarden software in the first place, self-hosting it shouldn't be any more dangerous than using the managed service, because the server security isn't really a critical part of the defence model. And self-hosting allows you to build from source, if you're inclined to paranoia (Even though the worst a malicious server could do is delete your database).

That said, I have still bothered to set up strict fail2ban rules on my BW instance, because why not.
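The split the comment above relies on (the client keeps the encryption key, the server only ever receives a derived hash of it and can verify a login without being able to recover the key) can be shown end to end. The following is an added example, not Bitwarden's code: it mirrors the shape of the documented scheme (a PBKDF2 master key from password plus email, a separate one-round hash sent for login, server-side re-hashing of what it receives), but the iteration count, salt handling and function names here are assumptions chosen for the demo rather than the product's exact parameters.

```python
"""Illustrative model of a "server never sees the encryption key" design.

Added example; the iteration count, salt sizes and function names are
assumptions for the demo, not Bitwarden's actual implementation.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # client-side PBKDF2 cost; assumed value for the demo


def derive_master_key(password: str, email: str) -> bytes:
    """Client only: the vault encryption key, salted with the (normalised) email.

    This value never leaves the device; it is what decrypts the vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Client: one extra PBKDF2 round keyed on the master key.

    This is the only secret sent to the server. PBKDF2 is one-way, so holding
    the auth hash does not let anyone compute master_key from it.
    """
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def server_enroll(auth_hash: bytes) -> dict:
    """Server: treat the received hash like a password and store only a
    freshly salted, stretched digest of it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Server: constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    """Run one enrolment and two logins with constructed credentials."""
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    key = derive_master_key(password, email)
    auth = derive_auth_hash(key, password)
    record = server_enroll(auth)

    wrong_auth = derive_auth_hash(derive_master_key("wrong", email), "wrong")
    return {
        "login_ok": server_verify(record, auth),
        "wrong_password_rejected": not server_verify(record, wrong_auth),
        # Nothing the server ever stored or received equals the encryption key.
        "server_holds_key": key in (auth, record["salt"], record["digest"]),
    }


if __name__ == "__main__":
    print(demo())  # expect login_ok True, rejection True, server_holds_key False
```

The practical consequence is the one the comment draws: a leaked server database yields salted digests of auth hashes, and even the raw auth hash would still need to be brute-forced back through the client's PBKDF2 to reach the vault key. What this model does not cover is the web client concern raised further down the thread, where the server also serves the JavaScript that performs these steps.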
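The "strict fail2ban rules" mentioned above boil down to a sliding-window count of failed logins per source address. This added example (not fail2ban itself and not bitwarden_rs code) implements that rule in Python over a few constructed log lines; the log format, the `maxretry`/`findtime` defaults and the addresses are all made up for the demo.

```python
"""Sliding-window failed-login detector, the core of a fail2ban-style jail.

Added example. The log line format below is constructed for the demo and is
not the real bitwarden_rs log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<date> <time> [LEVEL] login failed ip=<addr>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) \[WARN\] login failed ip=(?P<ip>[\d.]+)")

SAMPLE_LOG = """\
2020-11-02 10:00:01 [WARN] login failed ip=203.0.113.7
2020-11-02 10:00:05 [INFO] login ok ip=198.51.100.2
2020-11-02 10:00:09 [WARN] login failed ip=203.0.113.7
2020-11-02 10:00:12 [WARN] login failed ip=203.0.113.7
2020-11-02 10:00:15 [WARN] login failed ip=198.51.100.2
2020-11-02 10:00:20 [WARN] login failed ip=203.0.113.7
2020-11-02 10:00:21 [WARN] login failed ip=203.0.113.7
2020-11-02 10:30:00 [WARN] login failed ip=198.51.100.2
2020-11-02 10:31:00 [WARN] login failed ip=198.51.100.2
2020-11-02 10:32:00 [WARN] login failed ip=198.51.100.2
2020-11-02 10:33:00 [WARN] login failed ip=198.51.100.2
"""


def find_offenders(log_text: str, maxretry: int = 5,
                   findtime: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: timestamp string of the failure that triggered the ban}.

    An address is flagged when it accumulates `maxretry` failures whose
    timestamps all fall within one `findtime` window, mirroring the two
    fail2ban knobs of the same names.
    """
    windows = defaultdict(deque)  # per-IP timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # successful logins and other levels are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = m["ts"]
    return banned


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

With the defaults, 203.0.113.7 reaches five failures inside ten minutes and is flagged, while 198.51.100.2's early failure has aged out by the time its later burst arrives, so it stays under the threshold; lowering `maxretry` to 4 flags both, which is the tuning trade-off a real jail forces you to make.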


> (Even though the worst a malicious server could do is delete your database).

Unless you use the web client, and a lot of Bitwarden's functionality is only available via its web client (including critical functionality like changing your master password).


Well that’s the thing. If I’m content to trust the client side hashing or encryption on the secrets why bother setting up my own server? Conversely, if there are nefarious things that can happen on the server to compromise the data without me knowing about it, then I trust neither myself (because I’d be a bad sysadmin) nor a third party (not knowing what they’re up to). Or if I do trust a third party just use 1Password.

Reading between the lines it sounds like being able to build from source or see and install the source gives some assurance you can’t get via third party and the strong files give some assurance over me being a bad sysadmin. That’s either a sweet spot or uncanny valley depending on your perspective. :)


> If I’m content to trust the client side hashing or encryption on the secrets why bother setting up my own server?

Not that much, given that basic accounts are free. I guess that in addition to the building from source option, self-hosted Bitwarden (or at least Bitwarden-rs) includes all enterprise features for free.

The two most useful ones are probably sharing selected passwords with other users / groups, and attaching encrypted files to logins.

I wouldn't bother setting up a server and domain solely for it, but if you already have a personal webserver with a reliable backup strategy, since Bitwarden_rs barely uses any resources and is super easy to install, you might as well throw it in.

That's my case - I was already running a personal Nextcloud and Fediverse instance, so adding Bitwarden was like five lines of docker-compose and four of Caddyfile.


You don't have to have it exposed to the internet. Without an active connection, clients can't make new passwords/sync, but you can access previously saved passwords that are already synced.

It also doesn't have to be exposed to the internet. You can have it accessible behind wireguard for instance.

I have it, a DNS server, cloud storage, etc on my home lan, and use wireguard to access it on the go.


The switch from a paid for app to a renting app is my least favorite thing to come out of 1Password. I'm still on an older version that works on my laptop, desktop, iPhone, and iPad. I have a family license that allows up to 5 computers (I only use 2). My iDevice and laptop all sync via WiFi to the desktop. No iCloud, Dropbox, or whatever needed for syncing.


>no servers involved at all

Personally, I'd trust one of my servers far more than a client shouting "yo someone send me a file to overwrite my db with" over multicast on the local starbucks wifi...


> Not knocking the project, which sounds cool, but the absolute last thing I want to self host is a password database exposed to the internet. Hard pass on that element.

I have the exact opposite feeling. I would not self-host email but I would self-host a password manager and my files behind WireGuard, like many have said.

I have almost moved from cloud hosting to a home server. This is perfectly reasonable for non-critical services that don’t require more than 90% availability. The simplicity of such a setup nowadays is a breath of fresh air. Debian stable, WireGuard, syncthing, ssh, git, ... all are low maintenance and work fine with Linux and iOS clients.


I'm curious, how do syncthing and iOS work for you? What kind of apps/settings do you use on the clients?


There is no support for syncthing on iOS. I managed to get it halfway working on ish, but it’s just not there, so as of now I use the Shellfish ssh app, which allows syncing folders, through WireGuard also.

Note that I use syncthing for the casual read only "important documents", such as ID copies, tax documents, ebooks, etc. I don’t sync photos, movies and such. Most editable documents are in git repos.

I sometimes work on my iPad, and then I use a ssh client or the ish app (a shell, with vim, etc).

I have used this setup for years, and it’s just low friction, low maintenance for me. I have thought about using an ownCloud/Nextcloud setup, but it’s just too much work for little value. Like running GitLab instead of ssh and git.


I'm concerned about self-hosting a service like this as well, so I put mine behind an nginx reverse proxy that requires a client cert for auth. That way, an attacker won't even be able to reach the Bitwarden server to try to get in (unless there's a vulnerability in nginx).


You can host it all behind Wireguard. That way, an attacker doesn't have access to your Nginx proxy. After all, why would the whole internet need access to your Bitwarden server (or a reverse proxy serving it)?


They have a paid hosted option that I use; they just also allow you to self-host, which is great.


Enabling 2FA sounds like good enough security for most.

If you mean they may have a vulnerability, they've gone through a few security audits.

If you mean you can't adequately keep your own server secure, then pass it.


Requisite:

Use bitwarden-rs if you're planning on self-hosting.

https://github.com/dani-garcia/bitwarden_rs


Yes, this is a fantastic project. The official Bitwarden Docker image is kind of wonky, it needs some sort of license and you have to generate the docker-compose.yml, etc. It really doesn't make for a good automated process at all.

bitwarden_rs on the other hand, works just fine, never had an issue with it or incompatibility with the browser extensions or mobile apps.


The "rs" project is too good to be true.

The official one uses MS SQL Server and takes quite a bit of memory (which I call a hidden monthly cost, as I need to be using a bigger cloud instance), but this one only takes so little that you can host it on any cheap VPS, and it has been working just fine against official clients for years.


Seconded. I tried a lot of other ones before settling for Bitwarden about two years ago. It's easily the best and most hassle-free one that covers all of my use cases. (Tried LastPass, Keepass, 1password, and a couple others)


Bitwarden looks cool. What parts are open-source and what parts are closed? (Are all the premium features closed-source or are they just charging for that in the hosted-by-them version?)


In the past it was entirely open source, though the hosted version did check for a license key before enabling the premium features. That said, the code for the premium features and the license key check were themselves open source.

I see some of the newer premium features, particularly around SSO, are under a noncommercial visible-source license of their own devising though.


I went from LastPass to Bitwarden based on a HN thread a couple years ago. YubiKey support for what, a dollar a month?

I mention this because my work uses 1PW and I don't like it at all. Not the browser extension. Not the desktop app.

Bitwarden is well worth checking out.


And doesn’t force you into non-local sync. Passwords are one thing I’m not comfortable moving to the cloud. After using 1Password for about 9 years I switched to Bitwarden this year, just for this reason.


https://clipperz.is/

is a very worthwhile password manager. I like the UI.


Then you set the Bitwarden app as iOS's password manager and your general mobile UX is greatly improved.


I'm confused how the self hosting works. Doesn't it force you to give them an email address? Why is that necessary when self-hosting?


https://bitwarden.com/download/ Download does not ask for email


I'm talking about the program, not their website. It makes you enter an email before you can do anything. Says "Log in or create new account to access your vault", with a "Create account" button that asks for an email.


Click the settings "cog" and enter your self-hosted address. Of course you need to have set up your own self-hosted instance first :)


Oh I see, thanks!



