I'm not referring to Bitwarden here but isn't this the standard M.O. of any SV startup?

1. Release great product for free

2. Attract as many free users as possible to signal growth to investors

3. Keep running the unprofitable free tier at a loss as long as possible using your massive VC war chest, while locking in your users with various gotchas

4. Once you've reached critical scale and gained mass user adoption and you've obliterated your competition with your bigger war chest, start monetizing and rent-seeking your locked-in user base and squeezing them so the VC investors can start getting their money back, or cross your fingers for an exit from a FAANG with big pockets

5. Gain a lot of negative publicity, so now a lot of startups pop up like mushrooms after rain, to poach your disgruntled users and compete with you using the exact same M.O. you did. Rinse and repeat.

Did I miss anything?


The people at Bitwarden and their supporters are familiar with countless examples of this playbook. Those tricks are not as easy to pull anymore. I have seen Bitwarden be very ethical in their business so far. I recommend it to my friends and family and to my company to pay for the service. It is a similar model to Nextcloud who successfully funds their business from governments and companies and provides it free to individuals. This model can and does work well.


The people at Bitwarden and their supporters need to answer 1 simple question.

How do they increase their valuation 10+x without pulling those tricks?

Because that's what the VC funding demands. No VC is giving out $100mm for a 20% or even 100% return, which could possibly be achieved by simple growth. They're giving that money because they're expecting exponential return.

Maybe there is an enterprise play somewhere here which justifies this, while maintaining the core product in its current form. I guess we will see, but I'm not holding my breath.


> Maybe there is an enterprise play somewhere

The post mentions the plan to implement advanced business features, and also "Business users deserve consumer ease-of-use along with advanced integration and deployment features."


That just makes it worse. I'm a paying customer right now. VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company. Bitwarden will not be the first to get VC to change its operating principles.


Yeah, I think it means "we're going enterprise, at-home users enjoy your coming time with Bitwarden as it may end abruptly". That's a bit superlative, but I suspect people should be looking for alternatives. Anything has to be better than my old way of adding my own password layer on top of an Excel spreadsheet that I came up with while in college a long time ago. Bitwarden syncing was pretty nice, and it wasn't trying to turn into some kind of Swiss army knife app.


Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it. Then another alternative (KeePass) appears on HN's frontpage. It's like companies are right: You can't target the niche market of programmers because their expectations are through the roof.

I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?

The hypocrisy is just intolerable at this point.


I usually just ignore comments like this, but I'm honestly curious. What part of my comment are you replying to?


> VC + focus on business means the consumer stuff dies or gets neglected to the point that it should die. All resources get moved to the high-growth parts of the business once VC enters a company.

At the end of the day, engineers/programmers are the ones who implement these changes. I find it unacceptable that lots of HNers get so high minded about these issues but then go on to contribute to the problem by working at for-profit companies. Nothing wrong with either one, just choose one.


One benefit of providing a great free service to individuals is that they become champions and help sell the product. Case in point, I work in IT at a large company that currently does not have an official password manager, and I am recommending it here.


"advanced business features" can also translate as "we don't know how we're going to monetize this but we'll hopefully figure out how to make companies pay for the service"


I think that's a pretty disingenuous translation. The post describes some ideas and I'd imagine that the VCs who invested were provided with a more detailed plan.


This is the only way it works out, and even those are susceptible to falling years later (Google's "free domain email for life" as an example).

The way it works is if the free/small customer cost to maintain is just absolutely minuscule compared to the total costs/revenue.


I mean in theory it doesn't have to. Someone can run a business privately and run it the way they want and enjoy it. Make great profits, but probably not become a billionaire. VC vultures however will not allow that and they have their own pump and dump agenda.


Any company that promises a service for life is just lying; cost/benefit five years on will always fail, and new managers won't feel bound by the promise.


Doubling money isn't good enough? Is the business plan that risky?


The server and client-side apps/extensions for Bitwarden are open source unlike Lastpass too.

At worst, we'll have to fork a current release if BW does stupid things in the future.


Until they aren't open source anymore, and once the FOSS forks are many features behind the product, then they adjust pricing.


I switched to Bitwarden after using Lastpass for years and it's pretty feature-complete for me -- it has feature parity with LP and there's a bunch of features that I don't even use.

Even the unofficial Rust-based server looks to have more features than I need:

https://github.com/dani-garcia/vaultwarden/wiki


Yup, I switched to Bitwarden and self host my own instance of it using that container. It works great. I was previously using Keepass (and later keepassxc), but it became a hassle to keep the database file in sync between all of my devices (I lost passwords at times as a result). Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

Self-hosted was a nice middle ground. No one else has a copy of my password database, and it's always in sync between devices. Stick nginx as a proxy in front of it for HTTPS and easy Let's Encrypt certificate management. The downside is that KeePass by default allowed me to have copies in multiple locations. Bitwarden is only on the server, but since the database is encrypted it's easy enough to have regularly scheduled backups of it. It just is an added step to find another Docker host for it if my home server goes down, during which time I may not have access to my passwords.


> Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

What were your issues? For the browser, I have some extremely minor complaints (not always detecting the correct subdomain for my selfhosted servers mainly), none for Android with Keepass2Android.

Also, no sync issues at all, but that might be related to having only 2 devices ;)


I self-host the vaultwarden server on my homelab for my family. I love being able to use collections to share passwords with my spouse and the same for each of my kids.

I got tired of Lastpass's janky clients, UI, and data breaches. Now I control the security of my passwords.


The nice thing is that it's so easy to set up a company these days that it can just take the last FOSS copy, fork it and go. It'd be a particularly good deal for BW devs, who would've got paid to R&D their own product.


> Those tricks are not as easy to pull anymore.

Arguably, they did with Bitwarden already, no? I.e., even if they don't do anything bad, they still executed the steps of free users and large VC checks.

Which is to say, does it not seem like they've already executed the "trick"? Users are already there, they have cash in hand. Their motivations don't matter much here, we as users can only see their actions.

But I don't follow Bitwarden at all. I avoid free products for this "trick" reason. If I'm not paying or self-hosting, I'm not interested, heh. Am I reading Bitwarden wrong?


The company is providing a service of vault hosting around the free software they maintain. Hosting and maintenance have many costs that need to be covered somehow, and we want them to improve the service. The hosting costs of individual users with a free though generous account are supplemented by paying companies and governments. Users are not locked in, as they can easily download their vaults and move to another solution or self-host it themselves. Some free password managers such as KeePassXC require users to properly manage backups or host their vault somehow. This is too complex for most users and where Bitwarden fits well. Of course the company could go astray, but so far so good.


> The hosting costs of individual users with a free though generous account are supplemented by paying companies and governments.

I can think of a way to lower costs... :-/


Password vaults are trivially small to host. The marginal costs for these individual users is small. The bigger concern is if they try to monetize these users in some way that harms them. If they ever pulled something like that, many of us would quickly switch from being proponents to vociferous enemies of the company.


... this just happened to 1password less than a year ago... what 'anymore' are you talking about?


Full disclosure, I'm a paying user of Bitwarden.

I think for BW this kind of falls apart at #3. The main draw of this product for me and many others is that it's actually pretty no-frills. It's also broadly compatible with importing and exporting between dozens of other password managers.

That said, this could be a blind spot for me. Let me know if there's any gotchas I should know about here.


If we take them at their word that they're committed to keeping a fully-featured free version, what options do they have to make back a multiple of that $100 million for their investors? What many other companies have done in the past is to add a lot of new features. There are many examples of a simple, no-frills application turning into a bloated, complicated one, with a tiered subscription system. Ultimately a less streamlined, more expensive version of what it was before the funding.


Enterprise sales - that is a hugely untapped market for password managers (and a huge gap for a lot of companies where people keep their various passwords that are left after massive SSO implementations when they try to SAML everything). CyberArk plays in that space, but Bitwarden with the thoughtful way they have built this product can give them a run for their money.


I think the gotchas aren't for the early adopters and power users. It's for the people who will eventually make up the larger, more lucrative percentage of their user base starting with the friends and family of early adopters who are recommended to it.

Once they're set up with it, the idea of "importing and exporting between dozens of password managers" is meaningless. And gotchas aren't always limitations but can be "positive" like well meaning features, integrations, your company using it (so you too), etc. Lock-in comes in many forms.


I have rotated out and back in to BW at least 3 times.

Hardly locked in.


Out of curiosity, why so many rotations away (and back to) BW? Most people I know stick with a single password manager almost permanently, or at least unless their manager has some kind of earth-shattering vuln announced that just shakes their trust enough to move.


I moved to RememBear, they recently went EoL. Others were trying KeePass and Password Safe as local options.

Basically chasing the new shiny.


Gotcha. And small world, until recently I worked at the company behind RememBear. Shame it had to be sunset.


I loved that software more than any on my Mac. It just made me happy, the thought that went into the small stuff tickled me.


I'll pass it on to the team! The designers and product people put a ton of work into making both RB and Tunnelbear delightful, and I'm glad it's making a difference :)


That's a good point. I figure lock-in might hit the enterprise users hardest down the line.


It is fairly no frills. But they're gonna have to add some frills if they want to use up that $100M


They could try and replicate most of the keybase features. Use FOSS to market it and sell a hosted version.

That is the only direction which I think could charitably use this $100m productively.


This is actually roughly what they're doing:

- They have a hosted/managed version with a free tier and a paid tier. Paid adds things like MFA and support for orgs. The more you pay, the enterprisey-er the org support gets.

- There's also a self-hosted version which follows a very similar scheme. You can start out for free, but if you want things like MFA or a self-hosted org, you're paying the Warden.


They could do all of that without VC. To justify 100 mil of VC they'd have to expand far beyond just being a password manager.


I agree. I'm not sure what they've got in store next. I imagine they might leverage the VC connections rather than the money to try and get a bigger foothold in the enterprise space, for one, but $100M is $100M and I've got no idea where that can go given the current state of things.


The amount of data in a typical password vault is insignificantly small, measured in kilobytes. Bitwarden's cost structure is mostly fixed costs for the infrastructure with small variable costs. If a company was providing hosting of large data stores, supporting many free users would be more difficult.


Out of curiosity, what are your thoughts on Vaultwarden?


I haven't used it, and last time I heard of it, it was still called bitwarden_rs. I like the project in principle since it capitalizes on BW's open API, and that's really good work in the spirit of open-source software.

Having said that: I haven't dug into it much. I don't know what the current state of auditing on it is, or how widespread adoption is relative to the mainline BW backend. I hope they use a database backend other than BW's default MSSQL, which has always seemed like a weird choice to me coming from mostly Linux, and so mostly Postgres and Maria/MySQL, though I skew heavily developer over DBA, and that distinction may as well be personal preference (as in, I don't have an intelligent reason to dislike MSSQL beyond my habit of using other things).


Ah, the lifecycle of a company. I think of the first rounds of funding as a sort of puberty. Going public is the mid-life crisis, signaling the downward spiral towards inevitable death. Of course, being bought out is like God taking Enoch directly to heaven, where who knows what happens. Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).


>Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts)

Or, you're Apple, and your cloud hosts the digital lives of all your users from teenage years to adulthood, so they're not gonna switch to any competitor no matter what.


Yeah, this happens with Google too. I have a friend who has so many business/personal docs (she's a writer) on Google as well as gigabytes upon gigabytes of photos, both professional and for her family. I have tried many times to go over on a weekend and help them de-Google at least their stuff after having seen reports on here of Google just locking down accounts or deleting them wholesale (can't say I've seen that with Apple? But it has to happen there as well).


Akin to vampirism, I suppose.


If you got to that position by just selling something customers want, then good on you.


Sure, good on you, but once you got that position, what's stopping you from monetizing your users by selling their personal data to advertisers?

I don't understand why anyone would celebrate and worship monopolies? Publicly listed companies are not your friends. You're just a dollar sign for them.


The same thing that stops anything: terms of service.

Also: no one is worshipping, and no monopoly has been mentioned. Nor have companies being anyone's friend. There is more non sequitur than content here :)


>The same thing that stops anything: terms of service.

That made me chuckle.


Selling something would be nice, but most of what Apple sells me is a license to my own stuff, sold in perpetuity. They don't want you to own anything. They want to own it all and have you pay them for the privilege of using their stuff. With their documented planned obsolescence, they don't even want us owning what little bit we do have for any extended duration of time.

(Above statement applies to most consumer technology and "digital media" companies, social networks, etc)


I mean if they're making money from things people are freely choosing to buy, that's about as close to good as I can imagine for a large organisation.


My point was "buying" typically implies ownership in conversations like these, when these corporations are actively resisting you actually completely owning their products. We are more like temporary renters. And this has unfortunate consequences for the rest of the goods economy. Won't be long, as an example, before Samsung doesn't want you to actually own your refrigerator, TV, or washer, or Tesla and GM not wanting you to own your vehicle, and instead, pay them a monthly service fee for the pleasure of using your own car you "bought" (spoiler alert).

The whole idea is the thing you "buy" is really just an ephemeral vehicle of consumption and steady revenue stream for the corporation. Good for them, bad for you.


If any of that ever happens, then at that point there's something to talk about. And the answer will be: freely choose to buy something else.

But my overall point is that getting rich from making something high quality that lots of people want is about as honest a way as there is.


> Those large companies with unnatural lifespans have somehow tapped into the deep, dark magic of the Elder Ones (usually government contracts).

Or they are simply in businesses with enormous barriers to entry such as designing some of the most complex microchips, writing some of the most complex software, building huge facilities all over the world, and, of course, being prepared to take advantage of a new opportunity at the right place at the right time.


This is bad but how else do you fund a serious software project? Polished well tested and supported software is massively expensive to produce yet we've conditioned the market to believe it should be "free," which means the only way to really do it is to do something like the above.

If everyone expected a car to be free cars would be loaded with all kinds of convoluted bolted-on features to extract money from you: ads, special fuels that can only be produced by the maker, special licenses to drive on roads, special deals with repair shops, and so on.

What you describe is actually one of the less shady ways of funding software. The more common, successful, and shady methods are surveillance capitalism, addictionware (most of mobile gaming), and cryptocurrency scams.

If you structure the market such that honest business is difficult to impossible, things don't stop costing money. They just find less honest ways to make it.


JetBrains has already done it for years. [0] Hundreds of millions in revenue. Profitable. Zero VC capital raised. [0] Supporting, sells and develops open-source software used by millions of developers worldwide.

When I see capital raised, the treadmill for an expected return starts running and it is not for everyone.

[0] https://twitter.com/chetanp/status/1205907182396395525


>JetBrains has already done it for years.

JetBrains was also founded in Eastern Europe which probably helped a lot in getting off the ground with little money as there your dollars used to go way, way further than in the west and the local job opportunities were scarce.

In the early 2000's an experienced SW dev in my corner of Eastern Europe was lucky to take home 300 USD and would not shy away from overtime as needed. Replicating the same thing in the present day would be impossible, as now no self-respecting experienced dev here would get out of bed for less than 2k EUR take-home pay and would absolutely do the bare minimum with zero overtime, or even work way less than the contracted working time.

The 90's to early 2000's was a wild west in Eastern Europe. Few job opportunities, low wages and low CoL, plus fast internet in every home, meant that everyone was hustling hard in their free time to make a great SW product using no money at all to sell on the international market and get rich.

Now things are different here. Plenty of great paying jobs at established western companies or startups means that the people here are more likely to just want to work at random big corp or new startup for good pay and WLB rather than put 50h+ workweeks in building their own product at home like their predecessors did.

My point is that JetBrains was more of an exception by catching a great wave in time and space that can't be replicated today.


You're absolutely right. Of course there is no guarantee that whatever alternative you seek won't turn out the exact same way. But unfortunately all you can do to punish that kind of behaviour is to vote with your wallet and move somewhere else. And hope it'll turn out better this time... There ARE people out there who are trying to build a profitable, ethical business instead of chasing unsustainable growth. Unfortunately the only way to find out who they are is by giving them a chance...


This is frighteningly specific.


4 also could add “try to avoid 5. by drawing up the regulatory ladder (such as YouTube becoming a bastion of large scale copyright enforcement)… so that it’s virtually impossible for startups to join the space.”


Easiest way to do video copyright detection as a new video platform is to upload every video to Youtube and watch what it does.
