Bitwarden raises $100M (bitwarden.com)
967 points by deanmoriarty on Sept 6, 2022 | 497 comments



I switched to Bitwarden when LastPass started using silly tactics to make customers pay. I didn't switch because of the price - the service pricing of Bitwarden was a pleasant surprise.

I switched because I lost all trust in LastPass.

Managing credentials and sensitive information is all about trust. The second I lose trust in that kind of service, I don't just stop using it, I will most likely never even consider coming back as a customer and I will warn people against them. I don't give second chances to services that are trust based.

I'm pretty happy with Bitwarden so far. But if they betray my trust I'll be out of there in a day, never to return. I switched from LastPass to Bitwarden in a day. LastPass never gets a second chance.

What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.


> I don't give second chances to services that are trust based.

You might run out of services then at some point.

Human beings are fallible, full stop. Also, a company isn't an individual -- management teams change, corporate priorities change, security practices improve. Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.

Refusing to give any company a second chance ever is pretty extreme. Each individual case needs to be handled on its merits -- what happened, why did it happen, do you think the company learned and implemented new policies, how many other undiscovered vulnerabilities do you think are still there? But also, how many other undiscovered vulnerabilities do you think are still there for competitors as well? Just because a competitor hasn't had a breach doesn't necessarily mean it's better, it might just be lucky so far.


2001-2007, I had multiple bad experiences with Compaq, Lexmark and HP. These were so bad in terms of cost and frustration I vowed I would never buy their products or services again. It's been... 15+ years. The tech world of today is not quite the tech world of 2003. Should I ever bother with a Compaq or HP again? I probably won't, but the 'avoid at all costs' just isn't there with me any more. Perhaps I've mellowed slightly in the past 15-20 years.


I am still firmly in the never-again-Hewlett-Packard camp after almost 20 years.

The final straw for me was purchasing an HP laser printer (probably the 6th or 7th one I ever bought) and it shockingly had the same extreme-low-quality level that I had experienced with HP laptops, CD ROM drives and other peripherals.

It is probably not fair but I blame Carly Fiorina for this degradation of a once reliable hardware manufacturer.


My problem isn’t with quality. Their firmware makes you buy new LaserJet cartridges like it was an inkjet. Stay far away.


> Should I ever bother with a Compaq..

I don’t know guys, should we tell him?


Acquired by HP?

I've been out of that world for a while, and I still see the compaq name now and then, but it looks like it's more of just a name licensing deal now?


Compaq hasn't existed in any meaningful sense in 10-15 years. HP formally retired the brand in the early 2010s, although it had all but faded away several years prior to that.


> Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.

Not the OP but I have a similar stance. However, a mistake from an individual employee doesn't mean that I instantly lose trust. It's the handling of the mistake that matters to me. Sweeping it under the carpet, denying their mistakes or outright lying about mistakes is what results in me losing trust.


> You might run out of services then at some point

I prefer using services for my password management (I'm a bitwarden user who's currently happy as well), but I would jump back to some sort of self-hosted or even offline/manual sync solution if I thought that was the only way to keep my passwords safe. I like the convenience of a service, but I would sacrifice it over my security if it got to the point where I had to choose between the two.


KeePass on a Google Drive or iCloud setup is pretty easy.


KeePassXC & KeePassDX + Syncthing is also pretty simple.


I actually used to use KeePassXC and have my (encrypted) password file sync'd through Dropbox, but their Android client changed to not support a way to have the file stored offline but also automatically sync changes, so I ended up swapping to Bitwarden. In the past I had used Nextcloud instead of Dropbox, so that would probably be one of my first ideas if I did end up deciding to stop using Bitwarden.


Any reason not to use Password Safe[1]? It seems to do it all and doesn't require you to trust some Move Fast And Break Things startup's online service.

1: https://pwsafe.org


BitWarden is based almost entirely on open source so it's possible to branch the project. Given some of the language on their website and their more recent attitude towards OS licenses, my prediction is that they will use the new funding to build as many closed source modules as possible to increase user switching costs, similar to what Google is trying to do with Chrome on top of Chromium. But that is a slow process that takes years, and a lot can happen between now and then.


> You might run out of services then at some point.

This. Every SW creator (OS, framework, app) manages the risk of security vulnerabilities. It's not black and white or simple and easy.


I might, but I haven't so far. And if I do run out of password manager apps, then it is probably time to make my own.


I don't think Dell or HP make their own computers anymore - consumer stuff is all outsourced to Taiwanese/Chinese OEMs (Quanta, Wistron etc.) - they probably still only make servers in house.

HP and Dell are just marketing companies now.


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it. I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


> What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.

They don't care as long as they can extract their profit before that happens. This is VC, they will prioritize medium term gains over long term stability.


On HN, VCs are either ruthless short-term profit extracting machines or overly optimistic clowns investing in hopelessly unprofitable companies on the promise of future growth, depending entirely on the point currently being made.


tbf both may very well be true at the same time. There's certainly a larger number of both AI powered juice makers as well as "freeze your head" longevity startups than anywhere else


I bailed on lastpass when they doubled the annual price for the second year in a row. They had also just been acquired by LogMeIn, who didn’t have a great reputation.

I don’t know if I can manage another service switch. I can do it just fine, but my wife is more resistant to these kinds of changes and we need to be on the same page on this.


I just started using Dropbox Password Manager, it's a nice value-add if you are already a customer.

With the base service, Vault, and this, it's a nice overall package.


LastPass pricing model is what turned me off. I am happy to pay for services I use regularly, but I remember the pricing model didn't seem appropriate for what they were offering. The short cutoff period added insult to injury.

I checked out Bitwarden and it seemed like a better version of LastPass that just happened to be free. Their paid model doesn't appeal to me so I don't subscribe, but I would enjoy paying if they offered something that did.

(Off-topic: Bitwarden seems like an exact LastPass clone all the way down to the UI. Do they share a similar codebase or something? Like was one forked from an OSS version of the other?)


Same, I even remember paying for LastPass for a bit. It was more that I wanted to support a service I liked (same reason I pay for other services). Though I find BW's paid model a bit surprising. I know it is only $10/yr, but the only real value here is 1GB storage and yubi/fido keys. I don't have yubi keys (they seem cool but also a pain in the ass) and 1GB seems rather small.

Looking at Google, Dropbox, and Apple, storage pricings range from 4GB/$ (Apple) to 20GB/$ (Google's 5+TB plans). I'm willing to bet that offering 5GB would make it more worthwhile and a very small fraction of your users would actually use it. What are you going to store? Your passport photo and driver's license? I wonder if there would be a psychological effect here because it is really hard to tell if 1GB is enough or not. At least your average person has no idea.


One paid feature that can be very important is designating emergency access contacts. A family member had a stroke last year (doing much better now) and one thing that made life much easier was having access to his passwords - in this case because I'd set him up with Keepass years ago and still had the password saved.


Ugh, I'm paying for LastPass because I haven't gotten around to switching to Bitwarden yet. They list a monthly price, but they actually charge you annually, so you're essentially locked in for a year (if you want to make the most of your money).


Pay the monthly fee for 2 months, then if you like it go annual. Assume you like it, you are going to be using it for a year anyway.


I mean that LastPass charges you annually, not Bitwarden.


Dang, changing a password manager seems like a nightmare. I use pen and paper which, given the trade-offs, makes the most sense for me.


I thought it would be bad, but it didn't take long when I switched to BW from LP. Half an hour maybe?

And that includes setting up Duo for push notification 2FA.


There is one thing you lose when doing this, pretty sure password history is still not a part of the export.


Oh that’s good to hear, glad it was straightforward


Last I looked, Bitwarden data is a single JSON thingy (details are hazy now).

I exported my existing passwords, converted the result to the JSON format using vim or something, and imported it. Job done.


I didn't mind paying for Lastpass, but I started planning to move away when they were bought by LogMeIn because I've seen that company's acquisitions before.

Jumped from a paid LP plan to a Bitwarden family plan with sharing and emergency access and quite happy.


I mean, it's not as if these companies care for customers like you anyway. What they want is someone who is willing to purchase their product w/o making a fuss about the negative parts of their business. In fact, I bet LastPass is happy you left.


What specifically did they do to trick you into paying?


Doesn’t really matter what Lastpass did wrong, does it? The point is that trustworthiness is the single most important value for someone who wants users to entrust them with their credentials. Another point is how easily they can lose users. The poster lost trust in them, and was able to swap them out in a day.


https://en.m.wikipedia.org/wiki/LastPass

Read the "reception" section.


If it were an individual experience, I would agree with you, but it is public knowledge.

There were press releases and emails and stuff.

I also switched away from last pass then.


It's very easy to overestimate what "everyone knows".


Public knowledge is not the same as common knowledge, I agree.


Bitwarden already does one thing well. It's everything I'm looking for - open source, costs money but not much ($10/yr), 2FA, clean interface. I'm happy for the new investment, but I hope they don't start adding new things just for the sake of growing.

Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?


> Why would a password manager need so much money?

The announcement suggests they are looking to also launch their own authentication service and tools for managing application secrets.


How did I have to scroll this far down to find someone who's actually read the post? Everybody seems to think the money is purely for expanding the password manager, while in the post they call out adjacent markets they want to expand to.

I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.


It's not that people didn't read the statement, it's that people have learned not to trust statements like this. Ask all of Heroku's customers who were just fired by Salesforce to focus on their enterprise offering, for example.


I’m pretty sure it’s still because people didn’t read the statement, lol


¿Por qué no los dos?


It's because we're all still in the middle of getting burned by 1Password spending millions to make our app run worse and do less.


That perfectly describes the 1password situation.


Wait, I'm just about to switch my entire family from LastPass to 1Password because of the latest LastPass hack. Should I be wary?


If you're new to 1Password, you may enjoy their service because you won't have the memory/experience of the things that were taken away or "how it used to be."

Now, as for whether one should worry because the company screwed their existing customers once already ... that's personal risk tolerance, I guess

My opinion is that 1Password is the best product out there for the majority of users, because they're pretty good about documenting their formats, have a very good export story, their customer service is mostly good, it's a reasonable price, and their UX absolutely spanks Bitwarden up one side and down the other

But, if a few years from now they rip the ssh-agent out of their Electron apps citing some "well, we decided" reason, or they ban 3rd party clients from using their API because "of sekurity," then no one should be surprised that the scorpion stung them


I almost switched to bitwarden last week, now glad I didn't, but the problem still remains of wanting to find a password manager that isn't crap.


The road to terrible software is paved with companies trying to expand to “adjacent markets”.


Not limited to software even, plenty of examples of companies chasing larger valuations by taking on stuff outside their core competency


Can I interest you in a Metaverse?


Greed kills like speed kills. It’s all very fun and exciting until you crash.


>How did I have to scroll this far down to find someone who's actually read the post?

Welcome to Hacker News


Welcome to the internet at large.


And by extension the world. For every person who reads a story, 10 more just look at the headline and absorb it subconsciously.


Now one hour later, the post is at the top! It probably just needed time : )


Welcome to HN/Reddit. Most threads have people commenting without reading the article at all (or very briefly skimming). More or less just reacting to the headline.

And according to HN guidelines, we aren't supposed to comment on if someone has read the article or not. Stellar.


Given Apple's push for a passwordless web in collaboration with Google and M$ [1], I was worried that BW would go out of business, but they have plans for this and I hope they succeed.

[1] https://www.apple.com/newsroom/2022/05/apple-google-and-micr...


Compete with Okta, essentially


I would love for Bitwarden to use this money to make SSO available to all pricing levels. Currently, in order to use SSO with Bitwarden you have to be on their "Enterprise" plan. I think SSO is too important to gate behind a paywall, especially for a company whose main product is security.


> Why would a password manager need so much money?

The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.

I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.

It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.


Isn't there already a standard for that: WebAuthn?

Hasn't really caught on, despite being several years in the making already


Sure, a standard exists, but that by itself isn't a great user experience. If you actually try to use something like a YubiKey you end up having to register multiple keys with each site to deal with a lost key (assuming the site allows that in the first place). Then you have to remember which keys correspond to which sites, and remember to get your backup key out each time you sign up somewhere new, etc.

Google, Apple, etc are building on WebAuthn in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.

https://www.imperialviolet.org/2022/07/04/passkeys.html
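The "several keys per site" bookkeeping the comment above describes lives on the relying-party side. The following is an added example, not code from Bitwarden, 1Password or any of the platforms mentioned: a minimal credential store that lets one user hold a daily key, a backup key and a synced passkey, applies the WebAuthn signature-counter rule (spec section 7.2) that flags a cloned authenticator, and refuses to strip the last remaining credential. It assumes the cryptographic check of the assertion signature has already been done elsewhere; the credential IDs, key bytes and scenario in `demo()` are constructed.

```python
"""Relying-party credential bookkeeping for WebAuthn (illustrative model).

Added example; not any vendor's code. Assumes the signature over
authenticatorData || SHA-256(clientDataJSON) was already verified.
Shows only the part the thread is about: multiple registered keys per
user and the signature-counter clone check. Synced passkeys report a
counter of 0, which the spec treats as "no counter", so they must not
be rejected by that check.
"""
from dataclasses import dataclass, field


@dataclass
class Credential:
    credential_id: bytes
    public_key: bytes   # COSE-encoded key, treated as opaque here
    sign_count: int = 0
    nickname: str = ""


@dataclass
class User:
    name: str
    credentials: dict = field(default_factory=dict)  # credential_id -> Credential


class CloneDetected(Exception):
    pass


class UnknownCredential(Exception):
    pass


def register(user: User, credential_id: bytes, public_key: bytes,
             sign_count: int, nickname: str) -> None:
    """Add one more credential; a site that allows only one forces users to skip a backup."""
    if credential_id in user.credentials:
        raise ValueError("credential already registered")
    user.credentials[credential_id] = Credential(credential_id, public_key, sign_count, nickname)


def authenticate(user: User, credential_id: bytes, asserted_count: int) -> Credential:
    """Apply the WebAuthn counter rule after a verified assertion.

    If either counter is non-zero and the asserted value is not greater than
    the stored one, the private key may have been copied: fail closed.
    If both are zero the authenticator (e.g. a synced passkey) does not
    implement a counter and the check is skipped.
    """
    cred = user.credentials.get(credential_id)
    if cred is None:
        raise UnknownCredential(credential_id.hex())
    if asserted_count != 0 or cred.sign_count != 0:
        if asserted_count <= cred.sign_count:
            raise CloneDetected(f"counter went from {cred.sign_count} to {asserted_count}")
    cred.sign_count = asserted_count
    return cred


def revoke(user: User, credential_id: bytes) -> None:
    """Remove a lost key, but never the only one, so the account stays reachable."""
    if credential_id not in user.credentials:
        raise UnknownCredential(credential_id.hex())
    if len(user.credentials) == 1:
        raise ValueError("refusing to remove the only registered credential")
    del user.credentials[credential_id]


def demo() -> dict:
    """Constructed scenario: daily YubiKey, backup key in a drawer, synced passkey."""
    alice = User("alice")
    register(alice, b"\x01" * 16, b"cose-key-A", sign_count=5, nickname="yubikey-daily")
    register(alice, b"\x02" * 16, b"cose-key-B", sign_count=1, nickname="yubikey-backup")
    register(alice, b"\x03" * 16, b"cose-key-C", sign_count=0, nickname="synced-passkey")

    authenticate(alice, b"\x01" * 16, 6)   # normal use: counter advanced 5 -> 6
    authenticate(alice, b"\x03" * 16, 0)   # passkey: counters stay 0, still accepted
    clone_flagged = False
    try:
        authenticate(alice, b"\x01" * 16, 6)   # counter did not advance: possible clone
    except CloneDetected:
        clone_flagged = True

    revoke(alice, b"\x01" * 16)   # daily key lost; backup and passkey remain
    return {
        "remaining": sorted(c.nickname for c in alice.credentials.values()),
        "clone_flagged": clone_flagged,
        "backup_count": alice.credentials[b"\x02" * 16].sign_count,
    }


if __name__ == "__main__":
    print(demo())
```

The counter check is the one thing a site gains from hardware keys that synced passkeys give up, and a relying party that rejects a zero counter outright will lock out every passkey user.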


I'm probably more excited about passkeys than most, but I don't see why you need $100M to add support for that. It's a pretty straightforward addition to existing password managers. Might even be easier to support than it is to build a user-friendly password autofill, all things considered.


I find that the easiest way to handle backup keys is with a printout of 10-20 pre-generated auth codes, which go in my safe. Much easier than having a backup hardware key I have to remove and then replace from my safe, each time I need to add a new service.
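The printed recovery codes described above only hold up if the server side treats them like passwords rather than like a list of strings. Added example (not any product's code): the server shows the codes once, stores only a salted slow hash of each, and burns a code on first use so a database leak or a shoulder-surfed photo of the sheet gives an attacker at most one shot per code. The alphabet, code length and PBKDF2 parameters are assumptions chosen for readability on paper and for cost to brute force, not values any vendor documents.

```python
"""Pre-generated one-time backup codes, server side. Added example, not
from any vendor. Codes are shown once; only salted hashes are stored."""
import hashlib
import hmac
import secrets

# No 0/O, 1/l/i: these codes get read back from a sheet of paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # 31 symbols
CODE_LENGTH = 10                                      # 31**10 ~ 2**49.5
PBKDF2_ROUNDS = 100_000                               # assumption: tuned per deployment


def generate_codes(n: int = 10) -> list[str]:
    """Return n codes like 'q4fs7-n8kzw' drawn from the OS CSPRNG."""
    codes = []
    for _ in range(n):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code: str) -> str:
    """Accept what a human will actually type: dashes, spaces, any case."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    # The code space is small (~49 bits), so a slow hash matters more than for a real password.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS, dklen=32)


class BackupCodeStore:
    """Per-user store of unredeemed code hashes. Redeeming a code deletes it."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: list[bytes] = []

    def issue(self, n: int = 10) -> list[str]:
        """Generate a fresh set; any previously issued set is invalidated."""
        codes = generate_codes(n)
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes   # the only time plaintext codes exist on the server

    def redeem(self, code: str) -> bool:
        """Constant-time compare against every unused hash; consume on match."""
        candidate = hash_code(code, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    sheet = store.issue()
    print("print and file these:", *sheet, sep="\n  ")
    print("first use:", store.redeem(sheet[0]), "second use:", store.redeem(sheet[0]))
```

Rate-limit `redeem` per account as you would a password login; with ~49 bits per code and a slow hash the online guessing budget is what keeps a stolen sheet of nine used codes from helping with the tenth.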


Which is great if you have a printer (and are near it when you're signing up for the account, and remember to do it, and remember to put it in your safe, etc...). Just because it's the easiest way currently doesn't mean there isn't substantial room for improvement in the usability of passwordless systems. Most users aren't going to go to the trouble of printing something out like that.


You can also use a pen though your point on ease stands.


And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.


Yes, and what is that one like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations which then get spun into a new standard they all "agree" to before.......


Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.

“It’s a feature not a product”


Given the number of businesses out there doing it I would venture to guess you are wrong.

Also Bitwarden and other password managers are not just about storing the passwords. For example on a personal level I use Bitwarden Family to manage my parents' passwords and to assist them with issues on various services; this gives me a way to set up accounts and securely share passwords with them for the services, and vice versa.

For business we use the Enterprise products to share passwords for everything...

None of which is a "solved problem" at the OS or browser level.


Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?


> Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Because not all products businesses use have fine-grained authentication and authorization. For example, their registrar for their domain names. And differing employees need access to it at different times.

> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?

What do you think Bitwarden does? It's fine-grained authorization over shared resources (passwords) that controls who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.


It's also useful for things like secure temporary password delivery. I set up your account for the first time with a new service, generate a temp password you have to reset on first login, and then share it to your Password Manager space.

Also just useful for things like API keys - my team just has all of our team's allocated API keys for various services in our password manager so we don't have to go look them up in all of the various service's sites if we need them.


I understand the temporary password use case. But what do you do when an employee leaves? Do you change all of the API keys?


Aren't we supposed to be rotating our keys when someone leaves no matter what technical solution to this problem we're using?


Well, I was trying to avoid the entire rant about using API Keys for security in the first place.

https://zapier.com/engineering/apikey-oauth-jwt/

https://cloud.google.com/endpoints/docs/openapi/when-why-api...

We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.

Notice that Square for instance strongly discourages API Keys for production.

https://developer.squareup.com/docs/build-basics/access-toke...

On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.


Now I’m curious, and this comes from my job history: working at mostly small disorganized companies and then moving to one very large company where I work with other very large enterprises, so I have no experience with mid-size companies.

Say I work for a large company where everything is gated via an SSO - email, Slack, internal apps, ADP for payroll, my brokerage account containing my 401K information (of course I do have a separate non SSO password for this since it is my account), and Bitwarden (I see it does support SAML).

If I leave my very large organization, it’s easy enough for a manager to disable my SSO and be mostly assured that I don’t have access to anything I shouldn’t. Because “security is job 0” (How do you say where you work without saying where you work /s).

Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?


> Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?

To reframe this: Companies use both SSO and BitWarden, but because a typical company utilizes so many differing services with differing auth coverage (supports SSO? supports roles, permissions, etc.?) BitWarden fills the gap. BitWarden wouldn't be used for your ADP, and 401K. It may be used for your company's payment processor under one main username / password. It may be used for your root AWS account username and password. It may be used for your DNS management. Production API keys for Stripe may be stored there in plain text, but encrypted in your secret store of choice. Those are the typical use cases I see. The list of things you keep in BitWarden are small(er), but they're business critical. Whereas before they were held by the CTO of the early stage startup, now they're centralized, secured, have an audit trail, can be easily shared with others, etc. etc.

In the company I used BitWarden with, these passwords were rotated manually when an employee who had access to that password left and the new value updated in BitWarden. Maybe that's easier now?
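The offboarding question above ("does someone go in and manually change passwords to those 10 services?") reduces to a query over the vault's access structure and its access log. Added example, not Bitwarden's data model or API: collections, groups and direct grants are modelled generically, and `offboard()` first revokes the leaver's access, then splits everything they could see into items they are recorded as having opened since the last rotation (rotate now), items they could see but never opened according to the log (still rotate, since a log cannot prove non-exposure), and items already rotated after their last recorded access. All names, groups, dates and log lines are constructed.

```python
"""Offboarding rotation plan from a shared-vault access model.
Added example; the structure is generic, not Bitwarden's schema."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Item:
    name: str
    collection: str
    last_rotated: date


@dataclass
class Vault:
    items: dict = field(default_factory=dict)              # name -> Item
    group_members: dict = field(default_factory=dict)      # group -> set of users
    group_collections: dict = field(default_factory=dict)  # group -> set of collections
    user_collections: dict = field(default_factory=dict)   # user -> directly granted collections
    access_log: list = field(default_factory=list)         # (date, user, item name, event)

    def collections_for(self, user: str) -> set:
        cols = set(self.user_collections.get(user, ()))
        for group, members in self.group_members.items():
            if user in members:
                cols |= self.group_collections.get(group, set())
        return cols

    def items_visible_to(self, user: str) -> set:
        cols = self.collections_for(user)
        return {name for name, item in self.items.items() if item.collection in cols}

    def revoke_user(self, user: str) -> None:
        """Pull the user out of every group and direct grant."""
        for members in self.group_members.values():
            members.discard(user)
        self.user_collections.pop(user, None)

    def offboard(self, user: str) -> dict:
        """Revoke first, then classify every secret the leaver could read."""
        visible = self.items_visible_to(user)   # snapshot before access is gone
        self.revoke_user(user)
        last_seen = {}
        for when, who, name, _event in self.access_log:
            if who == user and name in visible:
                last_seen[name] = max(last_seen.get(name, when), when)
        plan = {"rotate_now": [], "rotate_unlogged": [], "already_fresh": []}
        for name in sorted(visible):
            seen = last_seen.get(name)
            if seen is None:
                plan["rotate_unlogged"].append(name)      # visible, no recorded access
            elif seen < self.items[name].last_rotated:
                plan["already_fresh"].append(name)        # rotated after their last access
            else:
                plan["rotate_now"].append(name)           # opened since last rotation
        return plan


def build_demo_vault() -> Vault:
    """Constructed data: two groups, four shared secrets, a handful of log lines."""
    v = Vault()
    for item in [
        Item("aws-root", "infra", date(2022, 1, 1)),
        Item("registrar", "vendors", date(2022, 8, 1)),
        Item("stripe-live-key", "api-keys", date(2022, 6, 1)),
        Item("github-bot-token", "api-keys", date(2022, 3, 1)),
    ]:
        v.items[item.name] = item
    v.group_members = {"ops": {"alice"}, "devs": {"alice", "bob"}}
    v.group_collections = {"ops": {"infra", "vendors"}, "devs": {"api-keys"}}
    v.access_log = [
        (date(2022, 5, 1), "alice", "aws-root", "reveal"),
        (date(2022, 7, 15), "alice", "registrar", "reveal"),
        (date(2022, 7, 1), "bob", "stripe-live-key", "reveal"),
        (date(2022, 7, 20), "alice", "github-bot-token", "autofill"),
    ]
    return v


if __name__ == "__main__":
    vault = build_demo_vault()
    for bucket, names in vault.offboard("alice").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Two things the split buys you: the leaver's access is cut before anyone starts rotating, so nothing new can be read mid-process, and the "already fresh" bucket is only trustworthy if every reveal and autofill actually lands in the log, which is why the unlogged bucket still says rotate.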


Lots of things would not have individual passwords, including:

1. Hardware passwords

2. Break-glass accounts (used if SSO fails)

3. Vendor passwords

4. Recovery passwords

5. Local admin passwords for servers

We also use it to store backup encryption keys, VPN tunnel keys, SSL cert passwords, file encryption passwords, license keys, etc.

We also have our own personal vaults that are individualized, so we can access both our personal passwords and company passwords in one interface that is cross-OS, cross-browser, and has an API for programming interfaces.

None of which is possible with browser-based or OS-based password storage.


Realistically? Many services charge by the seat, so for a service that doesn't get used too often, a lot of places will use a shared account as a cost-cutting measure. Subscriptions add up.


> and not enough people are willing to pay for it to be a profitable business.

1Password is doing just fine..


Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also Dropbox.

1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.


> 1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.

I keep reading this but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on because these re-writes haven't done much but in terms of functionality, I think it's best in class.

What am I missing?


Thank you for using 1Password!

A full rewrite takes a lot of time. We did this twice in the past and it is always painful. We had to do it again this time because the discrepancies between the platforms became ridiculous and we had to fix this. For example, the same search would produce different results on Mac and Windows and Android.

We also took time to address some of the pain points that existed in 1Password 7. For example, it was technically possible to have a different Master Password on your Mac and iPhone, etc.

The local database was rewritten and we made sure that everything that is possible is fully encrypted. For example, all rich icons are now stored encrypted. We also changed the logging system to make sure no personal information is ever logged. At the same time, we had to make sure the data format is backwards compatible with the old version so that both 1Password 8 and 1Password 7 can be used during the transition.

We ran over 100 studies with both existing users and people who never tried 1Password before to make sure the apps are more usable by everyone.

For new users we added New Item experience that made it easier to navigate through templates and understand how to use 1Password. For developers, we added CLI integration, support for SSH keys, and a built-in SSH agent that secures your ssh private keys.

Brand new Linux app, more than 100 new features and improvements overall, on top of the full rewrite.


Thanks for sharing some extra context.

I'm a fan (been using it for 10yrs I think?) and think the HN sentiment around it is not representative (it's the only app I'd actually recommend to people and that I trust my family can use).

The family vault features are really great and I was glad to see the browser dropped (I didn't really get why it existed).

I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.

Thanks!


Thank you so much!

> I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.

You are not the only one who missed this feature and it is coming back soon. It wasn't available in SwiftUI and we had to go back to UIKit to implement it.


I really want to purchase 1Password Family right away, but one thing is holding me back.

Why does 1Password not support Duo Push 2FA for personal accounts? I shouldn't need to pay for a business account to get that.


While I don’t have any opinion about the features, they did have native app and now the app is Electron based.


https://blog.1password.com/1password-8-the-story-so-far/

Common rust library code with platform specific UI code.

Native UI code for Android, macOS and iOS. The app is Electron based on Windows and Linux for the reasons they give in the article.

Article from a year ago, so maybe outdated.


I use Bitwarden and almost never use the app. Most of my interaction comes from the browser plug-in and Bitwarden.com.


From the founder of 1Password: would love to learn where you think it is worse.

1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.

More on features here: https://1password.com/products/features/

a more visual description of what's new is here: https://1password.com/mac/


Not the person you commented to, but I think the only real loss was 1Password Mini. There is the alternate ‘search bar’ mini app which is a decent replacement, I wish that was the one that pops up by default (like used to be with Mini).

You guys make a great product otherwise. It’s the only one where I strongly recommend it over the open source alternative (Bitwarden) even though I have a strong open source bias. There’s just a 1000 things in UI and UX that you guys do slightly better than the competition, sort of an inverse death by a thousand cuts.


It’s more of a preference for a “real native Mac app” instead of an Electron app. Long time Mac users can feel the difference.


I see it from a different perspective. There are not that many real native Mac apps that both look and feel great. You could probably count them all on your hands.

Also, I certainly understand being the long-time Mac expert. However, when we tested 1Password with new customers we found a ton of usability issues and many of these problems are solved in 1Password 8. One example: most new users couldn't even figure out how to create new items right away because of the look and the location of the "New Item" button in the old app.


Please stop telling users their preferences are incorrect.


That's because they did a complete rewrite of it, something they talked about on a couple podcasts before they took on funding.


1Password, a competitor, raised ~$650m earlier in the year off the back of exceptional growth. The investment case is likely: Bitwarden are doing well, 1Password are doing very well, maybe Bitwarden can do very well too with some additional capital. Password management is rapidly growing in mindshare, there's a big market and great room for growth, the amounts involved are commensurate with the opportunity -- every single enterprise will have a robust password management setup soon enough.


1Password is 4x the price and is not open source. Doesn't 1Password's stronger backing provide more risk for Bitwarden investors too (chasing the same customers but with less to spend on acquisition)?

Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?


Venture investments don't typically work that way: the goal isn't incremental returns YoY but rather major returns in the long term. Raise a fund, make a bunch of investments, report growth in valuation YoY (based on increasing valuations of portfolio) and then deliver returns once portfolio companies start to exit.

If BitWarden can use that $100m to 10x their valuation and then exit (whether that's an acquisition, going public etc.) the investors will have secured a win: if BitWarden's valuation stays where it is and returns ~$10m/year to the investor(s) over the next decade, that's not a great outcome considering the opportunity cost of capital.

Debt equity is the type of financing you're describing: lower risk, lower returns, not particularly exciting and not particularly attractive to investors if they believe the company has substantial upside potential.


Yes, I'm not familiar with expected returns for investments so my back-of-napkin maths was based on approximate housing inflation in the UK. I figured they'd want more than that as a minimum.

Clearly Bitwarden isn't a unicorn, being a smaller entity in a growing market; do VCs really expect a 10x (in a couple of years?) from that sort of investment?

So, do you agree with my basic premise that they'll need a whole heap of customers, which they don't seem likely to get, in order to make any dent in the investors' hoped-for returns?


I’d suggest with almost absolute confidence that they are betting on unicorn status for BitWarden. I’d be surprised if they expect anything less than a >$2.5bn exit.


Or 1Password could just suffer from the DropBox problem - it’s a feature not a product.

Every company’s answer to that is also the same “we will target the enterprise”.

They aren’t “doing well” if they still require outside funding.


A feature of what service though?

The OS? iCloud keychain does this, it's not a compelling offering though if you need to use any other OS.

Something like Google? Not sure I'd want to risk my Google account ever getting locked and losing access to all my other accounts.

I'm not sure what that leaves.


The browser is the obvious option. Firefox and Chrome both implement ways to save passwords in the browsers. I believe Firefox has a service to sync them, Chrome may too (I don't use them, so I don't know).

They could reasonably tie in to whatever Office-suite you use (GSuite, Office 365).

In the enterprise, it could be part of a larger "credential management suite" product managed by security. Allow syncing and auditing of credentials, like "when was the last time this cred was changed?" with some kind of automation to generate and push a new credential when need be.

From the outside looking in, a basic credential manager doesn't seem complex enough to be a standalone product.


Is that a large enough market to be a sustainable, profitable business?


I would think so, on the business side of things. I'm not entirely sure what we pay for 1Password because we pay it without question tbh. We have a fair few subscriptions but 1Password would be up there with the indispensable ones.


They'll probably aim for competing with the likes of Okta in delegated authentication and identity management, which is a huge market that needs some more competition. I'm in favor, and it really doesn't need to have any negative impact on their existing user base, at least so long as they can manage their growth and don't become a dysfunctional org because of it.


I just hope we won't get a repeat of LastPass: some company buys it, then just keeps it on life support while raising prices.

Also, the "OSS" version is not really open source; it's just the core, and all the features you really want from a password manager are behind the paid license anyway.


Like what? All the features that a password manager needs to have (and that 99% of people need), the OSS version has. SSO, organization management etc. is not something that a "password manager" needs to have.


Like TOTP, which is part of the paid variant, and I consider that an essential feature of a password manager in 2022. Don't get me wrong, I am not complaining about that business decision, just answering since you asked.


To be fair, TOTP should be a separate device to fulfil the criteria of actually being 2FA.


I totally agree, however there are some low-criticality services where 2FA is a burden and having it in your main password manager app is a tradeoff worth consideration. Definitely NOT your primary email address.


TOTP should be on a separate device.


Enterprise sales presumably?

A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.

$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.


I don't really want them to grow. Growing usually means overinflated expectations and when they aren't met by the new products they will try to retrieve the shortfall from their existing customer base with additional monetisation, driving them away in the process.

I hope it won't go this way here but such a cash buyin is usually the start of a difficult time.

> $10/year customers are completely irrelevant to a company at this stage.

Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(


When 10/year is often less than .01% of even a junior developer's salary with benefits, then yea, that does kinda mean we can't have nice things, if nice things require a few devs to implement. We've all gotten so used to getting things where the VC discount was already fully priced in over the last decade that we're deeply conditioned to expect everything to be sold at VC subsidized prices, which it turns out isn't really economical for most non-VC backed businesses to sell at.

I'm sure someone will, like clockwork, reply to me that that could be done by one developer in C, sold for $0.50 and then never patched again because UI designers just mess everything up and no one should have a smartphone anyway. If that's your idea of "nice" then you're likely living a happy life, but if you expect a UI and reliability like even oldschool 1Password or Lastpass, then $10/year isn't buying you that level of development and support.


Well, the thing is, we have nice things now. I don't think most bitwarden users are screaming for new features. Simply continuing as they are with current staffing would be preferable to risking the farm with a big new product.

And the kind of user that picks bitwarden over LastPass or 1Password is not the kind that needs a ton of support.


I guess the question is if they felt like they could continue with their current staffing. Obviously this is a really big funding round, so they clearly decided to aim for more than the status quo, but I've seen plenty of projects where it was many dev's side project, or it was a small number of full-time dev's work, but they were getting burned out and overworked trying to provide the service.

It just always feels too easy to assume that it was sustainable to run/maintain some minimally priced service. Perhaps they realized they needed more developers to have a healthy relationship with their job, and instead of raising the price to $30/year or more to match the new costs, they decided to shoot for the moon.

I'm certainly not trying to say that it's obvious that they're making the right call by taking this investment, or that this won't all fall apart. It's just also important to not assume that the status quo for them was something they could keep going on for the next 3 years.


> Why would a password manager need so much money?

A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.

Not saying that's what happened here but I've seen it happen this way.


With smartphones leading the push towards digital everything, passwords (auth / authz) have become the most important asset, even for consumers.

Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz


Which has also become a single point of failure, and a target for social engineering, since "lost device" or "stolen device" etc. becomes the new de facto backdoor.


The interface could use a lot of work: ie search for cards and logins should not be separate. It also visually doesn’t look great.


Marketing


The code for the server is AGPLv3 https://github.com/bitwarden/server , with only things in the /bitwarden_license/ directory being proprietary.

The code for the mobile apps is GPLv3 https://github.com/bitwarden/mobile/blob/master/LICENSE.txt

The code for the clients is GPLv3 https://github.com/bitwarden/clients

These are all copyleft... with a CLA (contributor license agreement). It's the CLA that allows them the ability to dual-license for the server.

The VCs must really believe the company can produce a product based on Enterprise sales which would deliver a value North of $1B. And perhaps they can, as Bitwarden as we know it could be considered a strong beachhead to allow them to expand into other auth markets that have high value (hello Okta, Auth0, etc).

But this doesn't seem that scary for Bitwarden users at this point.


> hello Okta, Auth0, etc

YSK they are one and the same. Okta bought Auth0 in 2021[0]

[0]: https://www.okta.com/press-room/press-releases/okta-complete...


What's in the bitwarden_license folder btw?


Looks like some code regarding Bitwarden Enterprise


Oh dear, this isn't good news at all. Now they're going to be under pressure to produce excessive returns to fatten the company up for an IPO or sale. Having seen what happened to LastPass when it was passed around from pillar to post, this saddens me deeply. Let's see what anti-consumer measures they start introducing to force us to pay more. Limitations on the free tier look likely, and price rises as well.


It's weird seeing ppl downplay this exact scenario. They raised $100M, can they hit sales in a recession? Rates are rising for VCs, they need to generate a winner quickly more than ever. Just in time before the expected 75bps rate increase


For sure. Taking venture capital increases the odds of a large success, but also increases the odds of total failure. VCs are perfectly willing to blow up a modestly successful business if it means a chance at a giant success.

And from my perspective as a BitWarden customer, both of those outcomes could be worse for me. Obviously for failure, but many companies in their rush for new pots of money can do things that aren't great for existing customers. And then if those rushes don't work out, things like layoffs, reorgs, and other chaos can diminish customer focus, leading to long-term product decline.


Look for vaultwarden


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And Hn goes brrr over it. I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


> I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

They're probably over-represented given that this is an incubator-adjacent forum, but startups are vastly outnumbered by both mature businesses and bog-standard privately owned businesses, so probably not.

Most firms don't get a hundred million dollars up front, they grow products and revenue just like everyone else, with significantly fewer distortions to users or business models.


I guess I might be now that the directors of our little company have sold it, but I assure you I am substantially more mad about that sale than I am about the Bitwarden one.


We use BitWarden at work, we use their business/hosted offering.

We pay them $3600 per year.

Why is everyone so concerned? They’re popular enough in businesses. Their product is great for teams, hence why we pay for it. I’ve found it much better than alternatives. The killer feature for me has been safer account sharing, including 2FA (and I know it makes it somewhat redundant, but it’s safer than turning it off completely)


Indeed, they already have a business model, they won't need to cannibalize their open source password manager to make money here. They just need to grow the business side + offer new auth related services as they mention in the article.

LastPass tried to grow the B2C business which put more stress on the consumer product.


Congrats to the Bitwarden team. Also wanted to mention it's a c# (dotnet) project for those who say dotnet isn't for startups.


Why would .net/C# have anything to do with the success or failure of a startup?

Is this some weird SV bubble thing I'm seeing?


C# is a rarity in SV and startups in general. There's a resourcing constraint for a team hiring only geographically in SV.

SV and startups are dominated by JavaScript/TypeScript and Python. It makes the parts of the team a bit more plug-n-play and in some calculus, makes it easier to grow the team as the company grows.

There's also a bit of cultural asymmetry that may make it harder to hire experienced senior C# engineers. C# tends to be heavily used in enterprise so a startup competing for those resources may have a hard time because of that asymmetry with such engineers seeking more stability (both in terms of employment and codebase). Startups are built to go fast and break things which is the cultural opposite of enterprise where you plod carefully, plan, test, document, release, repeat.

There's always some consideration that C# may be a liability at due diligence. I can understand to some extent since it's much easier to hire for JS/TS or Python in SV than it is to hire for C#. Not that it can't be done and C# as a language is close enough to TS that a strong TS backend engineer can easily be trained to C#.


IOW, it's a weird SV bubble thing.

I get the idea that most developers in SV don't know C#/.Net, that happens everywhere. Some areas are java, some .net, some Ruby/Python.

What I was surprised about was this weird rationalization that C#/.Net was somehow dangerous to a startup. Not only is that not true, C#/.Net is going to be better for a startup long term due to the stability that comes with that ecosystem that you flat don't get in ruby, python, js, etc.

There is absolutely nothing outside of the hiring difficulty that would ever cause problems for a startup wrt to C#/.Net.


> What I was surprised about was this weird rationalization that C#/.Net was somehow dangerous to a startup. Not only is that not true, C#/.Net is going to be better for a startup long term due to the stability that comes with that ecosystem that you flat don't get in ruby, python, js, etc.

It's "dangerous" in some scenarios for sure.

1) You want to hire locally in SV; there just isn't a concentration of developers there.

2) You want to hire senior resources for your *startup*; I emphasize startup because you're comparing apples to oranges when comparing startup to enterprise. C# is heavily used in enterprise so a startup competing for senior resources might be fighting an uphill battle

3) You want to make sure your team is plug-n-play; there's an abundance of JavaScript, TypeScript, and Python developers. For this reason, it's probably not a great idea to choose Go or Rust because now you're competing against Google and a low number of senior Rust developers in general.

4) You want a full stack team; if you hire C# backend, you'll need to train your JS/TS front-end folks to be full stack. If you're full stack C#, well, you're not going to have a good time unless your app is desktop.

----

I'm a big time advocate for C# and part of the reason I joined my current startup was to see what sort of crazy team would pick C# for a SV backed startup, but I can also see the flip side of the coin.


My issue is with the idea that startups are harmed by using C#/.net.

The C#/.Net ecosystem is a batteries included ecosystem, we're not talking about trying to use C++ to implement a website.

Functionally the major difference between C#/.Net and things like node, et al, is that the C#/.Net framework will be supported far longer than the other and the upgrade path will be a lot smoother. That's not opinion, it's objective fact. I've made a lot of money supporting companies that paid for the flavor-of-the-day du jour and didn't realize they needed to stay on the rat wheel that is major upgrades. There's literally a company dedicated to support out-of-date RoR frameworks, including older versions of popular gems with security updates they maintain themselves because of this phenomenon.

My point here is this.

There is nothing inherent in C# or .Net that is dangerous to startups, that's a bubble you seem to exist in. Not choosing C# because the area is mostly Python and JS is a legitimate decision. What isn't legitimate is rationalizing that into C#/.Net itself being inappropriate for startups in general, rather than being inappropriate for that area (for ALL companies, not just startups).

This whole thing about enterprise is a red herring. Enterprise companies use Python and Ruby as well. It smacks of a community trying to rationalize something that has no true rationalization.


Kind of? It's been labeled enterprise in the past and comments here suggest it's frowned upon. It still ranks high in StackOverflow's survey too.


.NET/C# SV startup here.

Very encouraging to see the stack getting a big funding round.

.NET/C# is a very underrated backend stack for startups. Stable, mature, secure, supported by one of the tech behemoths.


I was also amazed at how easy it is to self host, manage and update a bitwarden installation, they truly made it as easy as possible.


Glad for them, and I really hope they succeed in the long run, enlarging the list of successful businesses based on OS.

As a side note, I've been tempted so many times at this point to get a paid subscription and get rid of my "keepass + keepassdb sync via Google Drive + keepass keyfile local copy on each device" for the sake of making things simpler. I've read how the internals work, checked the audits, read forums etc. Everything looks great, but I am always paranoid of some security issue arising and my passwords being leaked. I have my entire life pretty much on my password manager and that being exposed would be disastrous at so many levels. Probably just me being irrational.


Maybe some sort of self hosting arrangement would work for you? I self-host Bitwarden behind a Wireguard VPN so it's only visible to devices I've authorised. Self-hosting comes with its own risks of course, but you would at least be in control of your data.


I do the same. I run bitwarden_rs as a docker container on a raspberry pi on my home network. Then use wireguard so I am always connected to my home network.

This works great for my family. Simple set up, and I've done 0 maintenance on it.


Have you set your family up with Wireguard as well? Did you do the setup manually or do something else clever to get their devices in your network? I've been spending a lot of time thinking about this, and always end back up at MDM, which is not a terribly desirable ending, but can't necessarily put hands on a device readily for some of them.


I set it up manually for my family members.

My biggest issue is that I have wireguard automatically enable itself when not on my home network. But there are some other networks that need to be excluded, like most airline wifis, as they don't have internet access when just trying to watch a movie.

iCloud private relay does a good job of detecting these types of networks and correctly disabling itself. I wish there was something in the wireguard client to do this, rather than just retrying over and over again...

And since wireguard sets the DNS to use the pihole on my home network, this becomes problematic if they connect to a network that has a captive portal, and needs the wifi's DNS to accept the agreement and get access to the internet before switching over to wireguard and my home DNS.


tailscale


Interesting approach. Any blogs you could point me to?

I am also looking to self-host Bitwarden.


I think you don't need anything else beyond the README of vaultwarden. https://github.com/dani-garcia/vaultwarden

It has worked great for me without any issues for over a year now.


I agree. I've been using Vaultwarden on ARM for over a year and it's been flawless. Just excellent execution and seamless integration with the iOS App Store version of the Bitwarden client.


Long time Vaultwarden user as well. The VW docker image works wonders for me.


For myself, I just followed Bitwarden's own instructions to get the server set up: https://bitwarden.com/help/install-on-premise-linux/

As for Wireguard, this looks pretty comprehensive: https://dev.to/tangramvision/what-they-don-t-tell-you-about-...

There are nice mobile clients available for both BW and WG.



this is brilliant


I mean, if your current setup works, why change it? I just hope you aren't too reliant on GDrive, in case your account ends up getting nuked as I've read so many times.

While I recommend Bitwarden to my not-so-technical friends, I don't think I'm ever going to move away from my Keepass/Nextcloud setup, it just works for me.


Only irrational thing there was your last sentence.


In the next couple of years, I expect FIDO2 Passwordless Auth to be ubiquitous, natively supported by all OS platforms. Built-in authentication credentials managers within Apple and Google/Android platforms will get more focused attention to improve them significantly. I suspect this should basically render the consumer market not monetizable. So, their free forever strategy here is aligned.

In the corporate market, I would expect more ubiquitous integration of cloud hosted identity providers and separate SSO auth providers (which will do MFA with device bound certs, biometric auth and FIDO2 auth) with all the services, and they would all be protected behind BeyondCorp style VPN solutions (think Cloudflare, Tailscale etc). In this market, I wonder how they will continue to grow.


Why is it impossible to find out what the typical user experience of FIDO2 Passwordless Auth is? Every time I try and learn it's just a sea of acronyms I've never heard of before.

How do I explain FIDO2 Passwordless Auth to my mother?


Most general case consumer explanation is likely this:

No more passwords. Your biometric authentication along with your Apple/Google account on your iPhone/Android phone is all you need.

A more detailed blurb would be:

You sign-up and sign-in to websites/apps simply by responding to a biometric unlock prompt of your phone (same as unlocking your phone with DoubleClick side button + FaceID etc). Your sign-in details are saved to your iCloud / Google account. You can sign-in to the same website/app on another device (iPhone/Mac; or Android/Chrome device) by signing into your cloud account.

For Pro users, there may be more advanced flow:

Instead of using built-in phone authenticators, you may use a reputed third party secure authentication app paired with an external FIDO key (like a YubiKey) to do the same thing. In its most secure configuration, it may combine a device binding secret unlocked with biometric auth, a physical FIDO key you possess, and a cloud hosted MPC key that is used based on fuzzy signals like your device location and other fingerprint data etc. All this gives you secure multi-factor authentication that is safe against phishing, theft, loss etc.


Stupid question:

How do you mitigate loss of a phone, let's say on holidays?


Let's take the case of a regular consumer with just one smart phone (let's say an iPhone) as their only digital device, and they don't have another phone/laptop etc. In this case, if the user lost their phone, then recovering access to their digital identity is going to take several steps:

0. First, immediately after they lost their phone, they should call the customer care number and report loss of their phone and get their sim blocked. This is critical to avoid SMS OTP based account hijacking.

1. They will buy a new iPhone and sim and recover their phone number first. (security of this step is a function of how well telcos operate this process. In my country you have to physically go to a telco authorised dealer shop, verify your identity with a government id proof – this is the weakest step and then initiate a lost sim replacement flow. You have to get a new physical sim and then you can change that to an esim if you wish. To avoid rampant hijacking, there is a mandatory waiting/cooloff period with multiple notifications being sent to old sim if it is still active).

2. They will have to recover their iCloud account on to this new phone. This involves the iCloud password, a verification code sent via SMS to your phone and your old device passcode. This will restore your iCloud account and escrowed keychain on the new phone. For this to work, you should have opted into iCloud Keychain backup.

Obviously, the biggest problem here is if you forgot either of the two passwords (iCloud account password and iPhone screen lock passcode). This is quite likely if you have been using FaceID to unlock all the time.


When you sign up for an online account, instead of inputting a password, your login is synced via your browser profile, or more likely, an account / app on your phone. To log in, you'll always either need to be signed-in on your browser, or scan a QR code on a computer to sign in to your account (WebAuthn over BLE, or cloud-assisted Bluetooth Low Energy (caBLE)).


> The Bitwarden business model will not change

  Bitwarden remains committed to
   A fully featured free version, forever
   An open source architecture
   The ability to self-host
   Advanced business features

This is great!


If you can trust that will stay at the end of the honeymoon, which is very much not a given in these cases.

At least vaultwarden is independent and someone can fork the clients when needed.


Right - the benefit of FOSS is that we can keep using it as-is if we need to. I think that leads to excellent business incentives from the user’s standpoint. I’m currently a paying Bitwarden customer for convenience’s sake, but if they start messing it up I’ll just go host it myself.


How is vaultwarden more independent than bitwarden? Aren't they both FOSS and can be forked?


bitwarden server is mostly written by bitwarden's CTO. [1]

If tomorrow bitwarden decides to do "a mongodb" (= violating the AGPL, and make it closed-source), you would have to spin up a new community to maintain the AGPL fork.

[1] https://github.com/bitwarden/server/graphs/contributors


How exactly is it violating the AGPL for the author to change licenses? They require contributors to assign copyright so... BitWarden belongs entirely to BitWarden.


Because if you've accepted patches you're not the author of the entire code base anymore. So it's not your own work, but a collaboration.

This is why I never sign CLA. Since I'm basically signing my rights away.


Right, but if you had signed a CLA then it's absolutely not violating the AGPL if the host decides to close the source. Since these organisations require that, they're not violating the AGPL.

That's not to say I agree with them and it's obviously shitty behaviour – but license violation is a specific act that they aren't guilty of.


That's only possible if Bitwarden requires a CLA, do they require a CLA for commits/PRs?


Isn't a CLA just a standard CYA move from more established open source projects? I had to sign one to contribute to Django as well and I don't see them "pulling a MongoDB" any time soon.

My assumption is this is so that they're legally protected from contributors revoking the right to use their contribution at some later point or other obnoxious legal shenanigans.


It depends on the CLA. Some just require you to affirm that you have the rights to license your contribution, and that you license it under the license of the project, which is indeed mostly just a CYA. It doesn't allow the project to unilaterally change the license of your contribution, and I haven't seen many people have a problem with this kind of CLA.

The other common form of CLA is a copyright assignment (or something equivalent) to a foundation or company representing the project, which is much more troublesome. This allows them to basically do whatever they want with your contribution, including charging for it, or closing the source all together.


The Linux kernel doesn't require assigning the code to the Linux kernel, for example.



Yup: Section 2.1: "By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution."


It’s a fascinating situation, really: this kind of asymmetry (AGPL for you, but not for us, even if you contribute) is antithetical to the purpose of the AGPL, but desirable for the leaders of quite a large fraction of projects that choose the license (to the point that they might either not use the AGPL or not accept contributions if they couldn’t do it).


I think a CLA that says "You provide us with an additional license to re-publish your code under any license we choose" with modifications to limit attribution, might work. That way the code is perpetually AGPL, but the company is free to offer derivative works under other licenses. Hence you can always use your code, you can fork, you can do all you want, and the company cannot take the code, as it stands at that point, away from the public.


Bitwarden/server has some proprietary components: https://github.com/bitwarden/server/tree/master/bitwarden_li...

Plus it is AGPL + CLA so bitwarden themselves can do what they want


"I promise I will never die." - Gary Johnston, Team America: World Police

But I agree it's a great thing to strive for.


Why has someone put 100m in? Because they expect 200m back.


*10 billion back.


How is that realistic? If they expect to get 10 billion in 10 years, they need to have 100 million paying users (if they charge $10 per user per year), which is like the entire active users count of StackOverflow - https://en.wikipedia.org/wiki/List_of_social_platforms_with_...


Getting money back has nothing to do with revenue.

It just means the VC was able to sell their shares for that 10 billion, a price which may or may not be related to the company’s actual fiscal performance.


$10B back in equity, not in profits. Depending on government policy and market sentiments, then it may only require keeping a promising trajectory.


Or they launch entirely new products, in the same general space, with new pricing structures that aren't tied to their current offerings. They're Okta + 1Password + ...

To clarify: I'm not sure I buy the above thesis, but VCs don't expect 2x returns at this stage was my general point. They're aiming for higher.


For sure. The way I sum it up: VCs are looking for 10-to-1 odds on 100-to-1 gains. It depends on the stage, of course. This is listed as a series B, but feels kinda C-ish to me. Later stage rounds like that are unlikely to be 100-to-1, but I agree the goal is still well over 2-to-1.


"Fully featured" does not mean "all features"

"Open source architecture" doesn't mean all the parts you need to self-host it are open.

Their "ability to self-host" already includes having to buy a license to even get 2FA


How do you trust the word of a company that doesn’t have a profitable business model?

Just wait for the inevitable “Our Amazing Journey” post on their website.


The way I read it is that they already have one minority investor, Battery Ventures, and they are now adding another, PSG. PSG will get a seat on the board of directors; it's unclear if Battery Ventures has a seat. It is also unclear if the two minority investors combined hold a majority.

I hope things go well for Bitwarden, but I'm also expecting an amazing journey in their future. I really doubt that there's enough money to be made as is to yield an acceptable return on investments for the $100M, plus whatever Battery Ventures has already put forward.


(I’m outside of the edit window)

When I ask "how can you trust the company", I don't mean to imply that the founders have less than good intentions. But once you take VC money, the founders' intentions don't mean much.

I’m sure the founders of both Instagram and WhatsApp - just two companies that come to mind where the founders were idealistic and they were hit hard with the reality stick once they got acquired - really believed that their company wouldn’t change for the worse once they were acquired.


I doubt the company will just disappear. They will probably get acquired. But what it morphs into is probably not something consumers who like it now will want.

The only company that I can think of that has managed the transition well and gone public is BackBlaze.


I don't understand, how is their business model not profitable? Their business model is, as I understand it, paid subscriptions.


Their business model is not profitable by definition if they are spending more money than they are bringing in, requiring outside funding.


There is the option that they are profitable, but need the investment to expand the business somehow. There is some indication of that in the press release, but it does seem a little fluffy, and $100M is a pretty big sum of money.


I can see what you mean, but another way of looking at it is: Most investments are done with the expectation of it being worth more down the line, so someone(s) thinks there are a hundred million reasons why it is a profitable business. :-)

But maybe "are they profitable" is the wrong question. I remember 5 years ago my brother-in-law said "Tesla isn't profitable" and I countered with "They don't want to be profitable right now, they are growing an inventory and investing heavily in that. Showing a profit is the last thing they want to do." He seemed to accept that answer, I mean now he has 2 Teslas. :-)


I love that they offer a free version and are committed to it. But I depend on it for password management so much so that even if they didn't just raise 100M I'd pay for it in hopes that they stayed around. I think everyone who can, should.


> This is great!

Why? What is a promise like that supposed to be worth? Even if the people making it are completely honest when saying this (which I now doubt), once leadership changes this will go out the window quick.

This is in line with "Keeping our users happy is our main priority" and other quotes from the infinite pool of empty PR speak.


> A fully featured free version, forever

It doesn't say they won't have ads or sell your data. Hint: their privacy policy is already terrible. No mention of GDPR or of them complying with any privacy laws. Their privacy policy mentions "EU-U.S. Privacy Shield Frameworks" for exporting user data to the US, a framework which has been declared bogus by the EU courts years ago.

> An open source architecture

There are so many examples of "open core" calling itself "open source" that if they decide to switch to open core they'll just be another drop in the bucket.

They also require contributors to sign a CLA, which is always a huge red flag.

> Advanced business features

What happened to "fully featured free version" above? Are the business ones separate?


> This is great!

Keybase said the same thing.


Keybase was providing a solution to something most normal people did not even realize could be a problem. It was a great idea, solving a really big problem. But the awareness of that problem was very small. Hence the ability to monetize a solution aimed at the general public was also very low.

I still love the idea, but I don't see how it is a business.


Remind me when they are on their 3rd CEO, 5th product head, and brand new funding sources.


I shared an office and an apartment with Kyle in 2010 and I have vivid memories of him routinely talking how bad the state of password managers was at that time. I've been a happy customer since 2017. It's been surreal watching the BitWarden team do what they have over the years. Congratulations!


This is interesting I guess. But can't say it's something to be excited about.

I've been using vaultwarden purely because I wanted to play around with rust and it turned into my favourite manager of all time.

10/10 would recommend!


But isn't it just a clone of the Bitwarden server without any extra feature?


I’ve been using Vaultwarden for just myself for at least a couple of years now, and it’s at 32MB of disk space (<3MB of icon_cache, <1MB of database, the rest app). The current server process, at six weeks of uptime, is at just under five minutes of CPU time (average usage 0.01% of a core), and just under 24MB of memory used (RSS).

That's a feature.

(As a matter of fact, it’s grown quite a bit since I started using it; it used to be under 20MB of disk space and 10–15MB of RSS.)


I really miss seeing numbers like that. I'm in something like my 5th week of a Dropbox support ticket where they seem to think it reasonable that the headless client uses an extra 100MB of RAM every hour, eventually using 20-30GB of RAM, at which point I restart it and watch it start climbing again.


Also running on PostgreSQL, not having to spin up an MSSQL instance.


Well, you can opt into using PostgreSQL, but by default it’ll use SQLite, and that’s how I use it. More convenient and probably more efficient in general too.


Not 'just a clone'. vaultwarden is based on a totally different platform, and is less resource hungry. In particular, it consumes much less RAM.


What's your point?


I'm not referring to Bitwarden here but isn't this the standard M.O. of any SV startup?

1. Release great product for free

2. Attract as many free users as possible to signal growth to investors

3. Keep running the unprofitable free tier at a loss as long as possible using your massive VC war chest, while locking in your users with various gotchas

4. Once you reach critical scale and gain mass user adoption and you've obliterated your competition with your bigger war chest, start monetizing and rent-seeking your locked-in user base and squeezing them so the VC investors can start getting their money back, or cross your fingers for an exit from a FAANG with big pockets

5. Gain a lot of negative publicity, so now a lot of startups pop up like mushrooms after rain, to poach your disgruntled users and compete with you using the exact same M.O. you did. Rinse and repeat.

Did I miss anything?


The people at Bitwarden and their supporters are familiar with countless examples of this playbook. Those tricks are not as easy to pull anymore. I have seen Bitwarden be very ethical in their business so far. I recommend it to my friends and family and to my company to pay for the service. It is a similar model to Nextcloud who successfully funds their business from governments and companies and provides it free to individuals. This model can and does work well.


The people at Bitwarden and their supporters need to answer 1 simple question.

How do they increase their valuation 10+x without pulling those tricks?

Because that's what the VC funding demands. No VC is giving out $100mm for a 20% or even 100% return, which could possibly be achieved by simple growth. They're giving that money because they're expecting exponential return.

Maybe there is an enterprise play somewhere here which justifies this, while maintaining the core product in its current form. I guess we will see, but I'm not holding my breath.


> Maybe there is an enterprise play somewhere

The post mentions the plan to implement advanced business features, and also "Business users deserve consumer ease-of-use along with advanced integration and deployment features."


That just makes it worse. I'm a paying customer right now. VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company. Bitwarden will not be the first to get VC to change its operating principles.


Yeah I think it means "we're going enterprise, at-home users enjoy your coming time with bitwarden as it may end abruptly". That's a bit superlative, but I suspect people should be looking for alternatives. Anything has to be better than my old way of adding my own password layer on top of an excel spreadsheet that I came up with while in college a long time ago. Bitwarden syncing was pretty nice and it wasn't trying to turn into some kind of swiss army knife app.


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And Hn goes brrr over it. Then another alternative (KeePass) appears on HN's frontpage. It's like companies are right: You can't target the niche market of programmers because their expectations are through the roof.

I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


I usually just ignore comments like this, but I'm honestly curious. What part of my comment are you replying to?


> VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company.

At the end of the day, engineers/programmers are the ones who implement these changes. I find it unacceptable that lots of HNers get so high minded about these issues but then go on to contribute to the problem by working at for-profit companies. Nothing wrong with either one, just choose one.


One benefit of providing a great free service to individuals is that they become champions and help sell the product. Case in point, I work in IT at a large company that currently does not have an official password manager, and I am recommending it here.


"advanced business features" can also translate as "we don't know how we're going to monetize this but we'll hopefully figure out how to make companies pay for the service"


I think that's a pretty disingenuous translation. The post describes some ideas and I'd imagine that the VCs who invested were provided with a more detailed plan.


This is the only way it works out, and even those are susceptible to falling years later (Google's "free domain email for life" as an example).

The way it works is if the free/small customer cost to maintain is just absolutely minuscule compared to the total costs/revenue.


I mean in theory it doesn't have to. Someone can run a business privately and run it the way they want and enjoy it. Make great profits, but probably not become a billionaire. VC vultures however will not allow that and they have their own pump and dump agenda.


Any company that promises a service for life is just lying - cost/benefit five years on will always fail, and new managers won't feel bound by the promise.


Doubling money isn't good enough? Is the business plan that risky?


The server and client-side apps/extensions for Bitwarden are open source unlike Lastpass too.

At worst, we'll have to fork a current release if BW does stupid things in the future.


Until they aren't open source anymore, and once the FOSS forks are many features behind the product, then they adjust pricing.


I switched to Bitwarden after using Lastpass for years and it's pretty feature-complete for me -- it has feature parity with LP and there's a bunch of features that I don't even use.

Even the unofficial Rust-based server looks to have more features than I need:

https://github.com/dani-garcia/vaultwarden/wiki


Yup, I switched to Bitwarden and self host my own instance of it using that container. It works great. I was previously using Keepass (and later keepassxc), but it became a hassle to keep the database file in sync between all of my devices (I lost passwords at times as a result). Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

Self hosted was a nice middle ground. No one else has a copy of my password database, and it's always in sync between devices. Stick nginx as a proxy in front of it for https and easy Let's Encrypt certificate management. The downside is that Keepass by default allowed me to have copies in multiple locations. Bitwarden is only on the server, but since the database is encrypted it's easy enough to have regularly scheduled backups of it. It just is an added step to find another docker host for it if my home server goes down, during which time I may not have access to my passwords.
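The scheduled-backup step above is the one that decides whether a home server outage costs you your passwords. As an added example that is not from this thread or the Vaultwarden project, here is a backup routine for a self-hosted vault: it snapshots the SQLite file with SQLite's online backup API (consistent even while the server is writing, unlike a plain cp), verifies the copy with integrity_check, copies the token-signing key alongside it, and keeps only the newest N snapshots. The file names db.sqlite3 and rsa_key.pem are assumed defaults, and the sample vault is constructed inline.

```python
"""Consistent, rotated backups of a self-hosted Vaultwarden SQLite vault.

Added example, not code from the forum thread or the Vaultwarden project.
Assumptions: the data directory holds db.sqlite3 (SQLite is the default
backend) and rsa_key.pem (assumed to sign login tokens, so it belongs in
the backup); the server may be running while the backup is taken.
"""
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path
from typing import List, Optional

KEEP = 7  # number of timestamped snapshots to retain in the backup directory


def snapshot_sqlite(src: Path, dst: Path) -> None:
    """Copy a live SQLite database with the online backup API.

    A plain file copy of a database that is being written can be torn and
    misses pages still sitting in the WAL; the backup API copies a single
    consistent view of the database.
    """
    conn = sqlite3.connect(src)
    bak = sqlite3.connect(dst)
    try:
        conn.backup(bak)
    finally:
        bak.close()
        conn.close()


def verify_copy(db: Path) -> bool:
    """Run SQLite's integrity check on the copy; a corrupt backup is worthless."""
    conn = sqlite3.connect(db)
    try:
        (status,) = conn.execute("PRAGMA integrity_check").fetchone()
        return status == "ok"
    finally:
        conn.close()


def row_count(db: Path, table: str) -> int:
    """Count rows in one table, used to confirm the copy carries the data."""
    conn = sqlite3.connect(db)
    try:
        return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    finally:
        conn.close()


def rotate(dest_dir: Path, keep: int = KEEP) -> List[Path]:
    """Delete the oldest vault-* snapshots so that at most `keep` remain."""
    snaps = sorted(p for p in dest_dir.glob("vault-*") if p.is_dir())
    for old in snaps[: max(0, len(snaps) - keep)]:
        shutil.rmtree(old)
    return snaps[-keep:]


def backup_vault(data_dir: Path, dest_dir: Path, now: Optional[float] = None,
                 keep: int = KEEP) -> Path:
    """Snapshot db.sqlite3 and rsa_key.pem into dest_dir/vault-<UTC stamp>."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    out = dest_dir / f"vault-{stamp}"
    out.mkdir(parents=True, exist_ok=True)
    snapshot_sqlite(data_dir / "db.sqlite3", out / "db.sqlite3")
    if not verify_copy(out / "db.sqlite3"):
        shutil.rmtree(out)  # never keep a snapshot that fails the check
        raise RuntimeError("backup failed integrity_check, not kept")
    key = data_dir / "rsa_key.pem"  # assumed default name of the signing key
    if key.exists():
        shutil.copy2(key, out / "rsa_key.pem")
    rotate(dest_dir, keep)
    return out


def make_sample_vault(data_dir: Path) -> None:
    """Constructed stand-in for a real data directory (not real vault data)."""
    data_dir.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(data_dir / "db.sqlite3")
    try:
        conn.execute("PRAGMA journal_mode=WAL")  # servers typically run in WAL mode
        conn.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        conn.executemany("INSERT INTO ciphers VALUES (?, ?)",
                         [(f"id-{i}", f"2.encrypted-blob-{i}") for i in range(25)])
        conn.commit()
    finally:
        conn.close()
    (data_dir / "rsa_key.pem").write_text("-----BEGIN PLACEHOLDER KEY-----\n")


def demo() -> dict:
    """Take three hourly backups of the sample vault, keeping only the last two."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir, dest = Path(tmp) / "data", Path(tmp) / "backups"
        make_sample_vault(data_dir)
        base = 1_700_000_000  # fixed epoch so snapshot names are deterministic
        outs = [backup_vault(data_dir, dest, now=base + 3600 * i, keep=2)
                for i in range(3)]
        return {
            "last": outs[-1].name,
            "remaining": sorted(p.name for p in dest.iterdir()),
            "rows": row_count(outs[-1] / "db.sqlite3", "ciphers"),
            "key_copied": (outs[-1] / "rsa_key.pem").exists(),
            "intact": verify_copy(outs[-1] / "db.sqlite3"),
        }


if __name__ == "__main__":
    print(demo())
```

Run it from cron or a systemd timer against the real data directory and copy the resulting snapshot directory off the host; the vault contents stay encrypted with the master password, so the backup only needs to be complete, not secret at the file level.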


> Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

What were your issues? For the browser, I have some extremely minor complaints (not always detecting the correct subdomain for my selfhosted servers mainly), none for Android with Keepass2Android.

Also, no sync issues at all, but that might be related to having only 2 devices ;)


I self-host the vaultwarden server on my homelab for my family. I love being able to use collections to share passwords with my spouse and the same for each of my kids.

I got tired of Lastpass's janky clients, UI, and data breaches. Now I control the security of my passwords.


The nice thing is that it's so easy to set up a company these days that it can just take the last FOSS copy, fork it and go. It'd be a particularly good deal for BW devs, who would've got paid to R&D their own product.


> Those tricks are not as easy to pull anymore.

Arguably, they did with Bitwarden already, no? I.e. even if they don't do anything bad - they still executed steps of free users and large VC checks.

Which is to say, does it not seem like they've already executed the "trick"? Users are already there, they have cash in hand. Their motivations don't matter much here, we as users can only see their actions.

But I don't follow bitwarden at all. I avoid free products for this "trick" reason. If I'm not paying or self hosting, I'm not interested heh. Am I reading Bitwarden wrong?


The company is providing a service of vault hosting around the free software they maintain. Hosting and maintenance has many costs that need to be covered somehow, and we want them to improve the service. The hosting costs of individual users with a free though generous account is supplemented by paying companies and governments. Users are not locked in, as they can easily download their vaults and move to another solution or self host it themselves. Some free password managers such as KeePassXC require users to properly manage backups or host their vault somehow. This is too complex for most users and where Bitwarden fits well. Of course the company could go astray, but so far so good.


> The hosting costs of individual users with a free though generous account is supplemented by paying companies and governments.

I can think of a way to lower costs... :-/


Password vaults are trivially small to host. The marginal costs for these individual users are small. The bigger concern is if they try to monetize these users in some way that harms them. If they ever pulled something like that, many of us would quickly switch from being proponents to vociferous enemies of the company.


... this just happened to 1password less than a year ago... what 'anymore' are you talking about?


Full disclosure, I'm a paying user of Bitwarden.

I think for BW this kind of falls apart at #3. The main draw of this product for me and many others is that it's actually pretty no-frills. It's also broadly compatible with importing and exporting between dozens of other password managers.

That said, this could be a blind spot for me. Let me know if there's any gotchas I should know about here.


If we take them at their word that they're committed to keeping a fully-featured free version, what options do they have to make back a multiple of that $100 million for their investors? What many other companies have done in the past is to add a lot of new features. There are many examples of a simple, no-frills application turning into a bloated, complicated one, with a tiered subscription system. Ultimately a less streamlined, more expensive version of what it was before the funding.


Enterprise sales - that is a hugely untapped market for password managers (and a huge gap for a lot of companies where people keep their various passwords that are left after massive SSO implementations when they try to SAML everything). CyberArk plays in that space, but Bitwarden with the thoughtful way they have built this product can give them a run for their money.


I think the gotchas aren't for the early adopters and power users. It's for the people who will eventually make up the larger, more lucrative percentage of their user base starting with the friends and family of early adopters who are recommended to it.

Once they're set up with it, the idea of "importing and exporting between dozens of password managers" is meaningless. And gotchas aren't always limitations but can be "positive" like well meaning features, integrations, your company using it (so you too), etc. Lock-in comes in many forms.


I have rotated out and back in to BW at least 3 times.

Hardly locked in.


Out of curiosity, why so many rotations away (and back to) BW? Most people I know stick with a single password manager almost permanently, or at least unless their manager has some kind of earth-shattering vuln announced that just shakes their trust enough to move.


I moved to RememBear, they recently went EoL. Others were trying KeePass and Password Safe as local options.

Basically chasing the new shiny.


Gotcha. And small world, until recently I worked at the company behind Remembear. Shame it had to be sunset.


I loved that software more than any on my Mac. It just made me happy, the thought that went into the small stuff tickled me.


I'll pass it on to the team! The designers and product people put a ton of work into making both RB and Tunnelbear delightful, and I'm glad it's making a difference :)


That's a good point. I figure lock-in might hit the enterprise users hardest down the line.


It is fairly no frills. But they're gonna have to add some frills if they want to use up that $100M


They could try and replicate most of the keybase features. Use FOSS to market it and sell a hosted version.

That is the only direction which I think could charitably use this $100m productively.


This is actually roughly what they're doing:

- They have a hosted/managed version with a free tier and a paid tier. Paid adds things like MFA and support for orgs. The more you pay, the enterprisey-er the org support gets.

- There's also a self-hosted version which follows a very similar scheme. You can start out for free, but if you want things like MFA or a self-hosted org, you're paying the Warden.


They could do all of that without VC. To justify 100 mil of VC they'd have to expand far beyond just being a password manager.


I agree. I'm not sure what they've got in store next. I imagine they might leverage the VC connections rather than the money to try and get a bigger foothold in the enterprise space, for one, but $100M is $100M and I've got no idea where that can go given the current state of things.


The amount of data in a typical password vault is insignificantly small measured in kilobytes. Bitwarden cost structure is mostly fixed costs for the infrastructure with small variable costs. If a company was providing hosting of large data stores, supporting many free users would be more difficult.


Out of curiosity, what are your thoughts on Vaultwarden?


I haven't used it, and last time I heard of it, it was still called bitwarden_rs. I like the project in principle since it capitalizes on BW's open API, and that's really good work in the spirit of open-source software.

Having said that: I haven't dug into it much. I don't know what the current state of auditing on it is, or how widespread adoption is relative to the mainline BW backend. I hope they use a database backend other than BW's default MSSQL, which has always seemed like a weird choice to me coming from mostly Linux, and so mostly Postgres and Maria/MySQL, though I skew heavily developer over DBA, and that distinction may as well be personal preference (as in, I don't have an intelligent reason to dislike MSSQL beyond my habit of using other things).


Ah, the lifecycle of a company. I think of the first rounds of funding as a sort of puberty. Going public is the mid-life crisis, signaling the downward spiral towards inevitable death. Of course, being bought out is like God taking Enoch directly to heaven, where who knows what happens. Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).


>Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts)

Or, you're Apple, and your cloud hosts the digital lives of all your users from teenage years to adulthood, so they're not gonna switch to any competitor no matter what.


Yeah, this happens with google too. I have a friend who has so many business/personal docs (she's a writer) on google as well as gigabytes upon gigabytes of photos both for professional and her family. I have tried many times to go over on a weekend and help them degoogle at least their stuff after having seen reports on here of google just locking down accounts or deleting them wholesale (can't say I've seen that with apple? but it has to happen there as well).


Akin to vampirism, I suppose.


If you got to that position by just selling something customers want, then good on you.


Sure, good on you, but once you got that position, what's stopping you from monetizing your users by selling their personal data to advertisers?

I don't understand why anyone would celebrate and worship monopolies? Publicly listed companies are not your friends. You're just a dollar sign for them.


The same thing that stops anything: terms of service.

Also: no one is worshipping, and no monopoly has been mentioned. Nor has companies being anyone's friend. There is more non sequitur than content here :)


>The same thing that stops anything: terms of service.

That made me chuckle.


Selling something would be nice, but most of what Apple sells me is a license to my own stuff, sold in perpetuity. They don't want you to own anything. They want to own it all and have you pay them for the privilege of using their stuff. With their documented planned obsolescence, they don't even want us owning what little bit we do have for any extended duration of time.

(Above statement applies to most consumer technology and "digital media" companies, social networks, etc)


I mean if they're making money from things people are freely choosing to buy, that's about as close to good as I can imagine for a large organisation.


My point was "buying" typically implies ownership in conversations like these, when these corporations are actively resisting you actually completely owning their products. We are more like temporary renters. And this has unfortunate consequences for the rest of the goods economy. Won't be long, as an example, before Samsung doesn't want you to actually own your refrigerator, TV, or washer, or Tesla and GM not wanting you to own your vehicle, and instead, pay them a monthly service fee for the pleasure of using your own car you "bought" (spoiler alert).

The whole idea is the thing you "buy" is really just an ephemeral vehicle of consumption and steady revenue stream for the corporation. Good for them, bad for you.


If any of that ever happens then at that point then there's something to talk about. And the answer will be: freely choose to buy something else.

But my overall point is that getting rich from making something high quality that lots of people want is about as honest a way as there is.


> Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).

Or they are simply in businesses with enormous barriers to entry such as designing some of the most complex microchips, writing some of the most complex software, building huge facilities all over the world, and, of course, being prepared to take advantage of a new opportunity at the right place at the right time.


This is bad but how else do you fund a serious software project? Polished well tested and supported software is massively expensive to produce yet we've conditioned the market to believe it should be "free," which means the only way to really do it is to do something like the above.

If everyone expected a car to be free cars would be loaded with all kinds of convoluted bolted-on features to extract money from you: ads, special fuels that can only be produced by the maker, special licenses to drive on roads, special deals with repair shops, and so on.

What you describe is actually one of the less shady ways of funding software. The more common, successful, and shady methods are surveillance capitalism, addictionware (most of mobile gaming), and cryptocurrency scams.

If you structure the market such that honest business is difficult to impossible, things don't stop costing money. They just find less honest ways to make it.


JetBrains has already done it for years. [0] Hundreds of millions in revenue. Profitable. Zero VC capital raised. [0] Supporting, sells and develops open-source software used by millions of developers worldwide.

When I see capital raised, the treadmill for an expected return starts running and it is not for everyone.

[0] https://twitter.com/chetanp/status/1205907182396395525


>JetBrains has already done it for years.

JetBrains was also founded in Eastern Europe which probably helped a lot in getting off the ground with little money as there your dollars used to go way, way further than in the west and the local job opportunities were scarce.

In the early 2000's an experienced SW dev in my corner of Eastern Europe was lucky to take home 300 USD and would not shy away from overtime as needed. Replicating the same thing in present day would be impossible as now no self respecting experienced dev here would get out of bed for less than 2k EUR take home pay and would absolutely do the bare minimum with zero overtime, or even work way less than the contracted working time.

The 90's to early 2000's was a wild west in Eastern Europe. Few job opportunities, low wages and low CoL, plus fast internet in every home, meant that everyone was hustling hard in their free time to make a great SW product using no money at all to sell on the international market and get rich.

Now things are different here. Plenty of great paying jobs at established western companies or startups means that the people here are more likely to just want to work at random big corp or new startup for good pay and WLB rather than put 50h+ workweeks in building their own product at home like their predecessors did.

My point is that JetBrains was more of an exception by catching a great wave in time and space that can't be replicated today.


You're absolutely right. Of course there is no guarantee that whatever alternative you seek won't turn out the exact same way. But unfortunately all you can do to punish that kind of behaviour is to vote with your wallet and move somewhere else. And hope it'll turn out better this time... There ARE people out there who are trying to build a profitable, ethical business instead of chasing unsustainable growth. Unfortunately the only way to find out who they are is by giving them a chance...


This is frighteningly specific.


4 also could add “try to avoid 5. by drawing up the regulatory ladder (such as YouTube becoming a bastion of large scale copyright enforcement)… so that it’s virtually impossible for startups to join the space.”


Easiest way to do video copyright detection as a new video platform is to upload every video to Youtube and watch what it does.

