Bitwarden: Avoid at all costs (outage issue)
190 points by cabbagesauce on Sept 9, 2022 | hide | past | favorite | 129 comments
Bitwarden is experiencing an outage right now.

What I learned about it, is that they can remotely disable your browser extension which is assumed to work in offline mode. So, as soon as you have an internet connection — you get blocked. This is what happened to me like 30 minutes ago or so. Just cannot log into my account and verify a transaction because I'm stupid enough to trust them with my TOTPs and storing temp verification passwords.

The funniest stuff, though, is that the company's damage control is to remove the comments and suspend feedback from its community forum. Given that I'm a paying customer, I'm a little bit offended by it. For a secret management company that secured $100 mil recently, it's a clear mark that the enterprise service train is on the way.

I'm lucky enough to have the offline access to the storage. But my trust to Bitwarden as a reliable service is completely ruined. Having this in mind, is there a viable alternative?

PS. Expect Spearrin to appear on HN and bring "personal" apology for the hiccup. But I won't buy it. Password manager services are almost like bank storages but on the internet. Apologizing won't fix the fact you can get remotely locked from the passwords and TOTPs at a pressing moment.




I also got hit by this, with the message "Access denied, contact customer support" ... Access denied for MY personal password database! I get that Bitwarden uploads the DB file to their cloud for seamless sharing, but why the hell is my local login/decryption reliant on THEIR login service being up?? Not acceptable.


KeePassXC (https://keepassxc.org/) - open source, full featured, standard file format, bring your own cloud storage


Another option is pass [0], which uses GPG to encrypt your stuff. Everything happens through the CLI but there are also GUI frontends for it. There's also gopass [1] which is very similar and compatible but does some extra stuff such as versioning with git.

Similarly to this API compatibility there's KeePassDX [2] for mobile phones which is compatible with the KeePass database format. There's also KeePass [3] which is the original built with .NET.

I personally use Bitwarden though because maintaining sync of databases on mobile phones is painful. Also keeping backups up to date is hard and time consuming, I do export my encrypted database once in a while though.

[0]: https://www.passwordstore.org/

[1]: https://www.gopass.pw/

[2]: https://www.keepassdx.com/

[3]: https://keepass.info/


Not a solution. My passwords database needs to work seamlessly on my laptops and phones so I only use KeepassXC and KeepassDX synced with Syncthing. Free and super effective. I don't have to do any manual work for everything to be in sync always.


Seconding Keepass and many of the compatible software as excellent choices!

Use whatever you want for sharing your database across devices, like Syncthing or Nextcloud (or even USB thumb drives), as long as you have a strong password for it (or other means of unlocking it) and it should alleviate many of the availability related complaints about file based secret management.

It even allows storing files (like SSH keys) and on some platforms has the possibility of typing your credentials for you so they don't end up in the clipboard, even though when you use the clipboard functionality they get cleared out of it after a little bit.


The good thing about Pass is that, it’s just a small bash script. It’s amazing how much it does with that footprint. It even provides QR code for transfer to phone. It has multiuser capability with multiple public keys and sharing, sync and versioning via git. There is almost no way there can be a vulnerability in the script, as you can just check it.

A touch on Yubikey will give you one password out (as opposed to unlocking the whole database). As secure as it gets!

Also very convenient to use, since the password is a short pin.

You can use CLI in scripts and handle tokens.

Good code written by a good guy!


Personally I use the official KeePass 2 executable via Mono on my desktop. I would have given KeePassXC a chance but it lacks the trigger system or a simpler alternative. I use the trigger system to sync my local database with a copy on my server via the help of a shell script (because I couldn't get the SFTP / scp plugins to work properly). The trigger runs when the local database is being saved. As a first step it disables itself, as a last step it enables itself again. As a second step the trigger calls my script which downloads the database from my server. Then it runs the sync action against the freshly downloaded database and afterwards the trigger calls my script again and instructs it to upload the database to my server. I suppose this might be problematic if multiple devices try to change the remote file at the same time but that's nothing I have to worry about and other solutions like using Dropbox or other cloud storage solutions would run into some sort of problem as well (but at least you might be given the choice of which version to keep).

On my Android phone I use Keepass2Android and its built-in SFTP support to open the remote database (and also keep a local offline copy). When saving it seems to synchronize with the remote file first before uploading the file, so even if I change entries on both devices the copy on my server shouldn't lose any entries. But I haven't really tried to break it yet.
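The two comments above both rely on a "synchronize before upload" step so that edits made on two devices are not lost by a blind overwrite. The following is an added example (not code from KeePass, Keepass2Android or any other project) that models that reconciliation: entries are keyed by UUID, the most recently modified version of each entry wins, and deletions are tombstones that take part in the comparison. The database layout (a dict of UUID to entry with a `modified` timestamp and a `deleted` flag) is an assumption made for the example.

```python
"""Reconcile two copies of a password database before uploading the result.

Added example, not any project's code. Assumed layout (constructed for the
example): a database is a dict mapping entry UUID -> entry dict with keys
"title", "password", "modified" (comparable timestamp) and "deleted" (tombstone).
"""
from copy import deepcopy
from typing import Any, Dict

Entry = Dict[str, Any]
Database = Dict[str, Entry]


def merge_databases(local: Database, remote: Database) -> Database:
    """Per entry, the most recently modified version wins.

    Tombstones (deleted=True) are compared like any other edit, so a deletion
    on one device is not resurrected by an older copy from the other device,
    while an edit that is newer than the deletion brings the entry back.
    """
    merged: Database = {}
    for uuid in set(local) | set(remote):
        mine, theirs = local.get(uuid), remote.get(uuid)
        if mine is None:
            merged[uuid] = deepcopy(theirs)
        elif theirs is None:
            merged[uuid] = deepcopy(mine)
        else:
            # Ties go to the local copy: it is the one the user just saved.
            newest = mine if mine["modified"] >= theirs["modified"] else theirs
            merged[uuid] = deepcopy(newest)
    return merged


def live_entries(db: Database) -> Dict[str, str]:
    """Title -> password view of the entries that are not tombstoned."""
    return {e["title"]: e["password"] for e in db.values() if not e.get("deleted")}


# Constructed sample: both devices started from the same two entries ("mail",
# "bank"); the laptop then changed "mail", while the phone deleted "bank" and
# added "vpn". A blind upload from either side would lose the other's edits.
LAPTOP: Database = {
    "a1": {"title": "mail", "password": "new-on-laptop", "modified": 20, "deleted": False},
    "b2": {"title": "bank", "password": "orig", "modified": 10, "deleted": False},
}
PHONE: Database = {
    "a1": {"title": "mail", "password": "orig", "modified": 10, "deleted": False},
    "b2": {"title": "bank", "password": "orig", "modified": 30, "deleted": True},
    "c3": {"title": "vpn", "password": "added-on-phone", "modified": 25, "deleted": False},
}

if __name__ == "__main__":
    print(live_entries(merge_databases(LAPTOP, PHONE)))
    # {'mail': 'new-on-laptop', 'vpn': 'added-on-phone'}
```

The merge is symmetric apart from tie-breaking, which is what makes it safe to run on whichever device saves last; what it cannot do is resolve two different edits to the same entry in the same instant, which is the "multiple devices at the same time" case the comment above sets aside.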


I didn't find the sync that hard with pass and iOS (I'm sure Android has something equivalent): Set up a private git repo somewhere and configure passforios to pull from it. I have been running it for a few months now and it's smooth. This assumes you are on Linux or Mac.


That's FANTASTIC. THANK YOU SO MUCH. I really cannot thank you enough. Google and Brave Search failed me but I found with Startpage this pass-compatible password manager for Android with sync through Git [0]. Amazing solution. Will probably migrate my passwords to this solution soon, only need to see if I can get something similar for Aegis TOTP and life will be good.

[0]: https://passwordstore.app/


My pleasure! Ping me if you run into any issues. I also exported my TOTP keys from Authy and have them working from pass as well (using the pass otp plugin).


Have they fixed the app? It used to not work at all for me

https://github.com/mssun/passforios/issues/418


Sorry, I can't remember exactly how I imported the key, but what I did was generate new SSH ed25519 keypair, uploaded the public key as a deploy key to github, and then I think I copied the private key to iCloud and then accessed it that way.


I sync my database to my Android phone with Nextcloud, works great with KeePassDX


Nextcloud is amazing, I just don't have the resources or time to self host right now so I'm currently not using it. Big problem for me is that most cloud providers don't actually support syncing to the filesystem through Android's Storage Access Framework and instead keep all of the data in the app data, requiring me to manually export from the cloud application, and re-import into the password manager.


No need to self host nextcloud. There are many providers that give you a hosted solution. Ionos for example does 2 TB for 12 euros a month.


KeePassAndroid (not KeePassDX) has integration with the major cloud providers, I used to use it with Dropbox before I switched to self-hosting


That's amazing, I'm going to try it out since they added support for my current cloud provider at the start of this year. Another poster here has also talked about pass, which I'm going to try out too I knew it synced with Git, but I wasn't aware that the mobile applications available would do the sync through Git too.


How do people use KeePassXC? Do people not need access to their passwords when they're on their phones? And how do people choose between all the KeePass derivatives?


> on their phones?

Strongbox for iPhone/iPad: https://strongboxsafe.com/

There are plenty of Android Keepass apps too, I don't have any experience with these though.

>And how do people choose

FWIW, KeePassXC is the best (most widely adopted) one for Desktop.


I have my password file on Google Drive. Works seamlessly between all my devices.


I'm another very happy user of KeePassXC. Passwords are too vital to me to depend on the security and reliability of network services. They also have a browser extension, so I mostly don't experience a large usability difference.


I've been using Bitwarden's clients (browser extension, mobile apps, desktop apps) with a self-hosted vaultwarden [1] server. It's marginally free if you are already self-hosting other stuff. I'm hosting it on a raspberry pi 4b at home and exposing it to public Internet through Cloudflare zero trust (also free). Had no problems so far.

[1] https://github.com/dani-garcia/vaultwarden, note that it's different from Bitwarden's official server (https://bitwarden.com/help/install-on-premise-linux/), uses less CPU/memory, and enables premium features like TOTP for free.


Vaultwarden "is the way" if you need a polished iOS client, almost too good to be true now that VCs are involved.


Added bonus - even if the client extensions/app stopped working you can still log into the vaultwarden web UI to access your secrets.


vaultwarden is awesome, just make sure you have some reliable automated backup (preferably cloud) for disaster recovery.


I have a similar setup but using a $5/month VPS that I also host a few other personal/family apps on. It works really well but I’m wondering how long the api will stay open and accessible given their recent huge VC investment.


It's not going anywhere, that's part of what the investment is to further, per their post.


I am curious how you made the clients connect to the server behind CF Zero Trust. Have you whitelisted a path or so for them?


No matter what password manager you use, I highly recommend regularly exporting a plaintext copy of it to somewhere safe like an encrypted volume on one or more of your devices.

Just do it once a month - mount the volume, export the database in plaintext directly to the volume, then unmount it.

If your password manager locks you out because of a bad software update, service outage, or you hold the wrong passport and got sanctioned, or whatever, at least you will still be able to access the vast majority of your credentials. Special password databases are nice and convenient, but plaintext is usable forever.
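The procedure above (mount, export, unmount) is easy to get subtly wrong: the export can land on the bare mount directory instead of the volume, be left world-readable, be a truncated or empty file, or pile up forever. The following added example (not any password manager's code) wraps the export step with those checks; the actual export is a caller-supplied function, so the same helper works with any manager that can produce a plaintext dump, and the JSON list-of-entries format it validates is an assumption made for the example.

```python
"""Guarded plaintext export into an already-mounted encrypted volume.

Added example, not any project's code. The exporter callable is supplied by
the caller (for example a thin wrapper around a manager's CLI export). The
validated format (a JSON list of objects with at least a "name" key) is a
constructed assumption; adapt `_validate` to the real export format.
"""
import json
import os
import time
from pathlib import Path
from typing import Callable, List


def _validate(data: bytes) -> int:
    """Return the entry count, or raise if the export is not a usable dump."""
    entries = json.loads(data)
    if not isinstance(entries, list) or not entries:
        raise ValueError("export is empty or not a list of entries")
    if not all(isinstance(e, dict) and "name" in e for e in entries):
        raise ValueError("export contains malformed entries")
    return len(entries)


def export_backup(volume: Path, exporter: Callable[[], bytes], keep: int = 6,
                  require_mount: bool = True, stamp: str = None) -> Path:
    """Write one validated, owner-only export and prune older copies."""
    volume = Path(volume)
    # Writing to an unmounted mount point would leave plaintext on the host disk.
    if require_mount and not os.path.ismount(volume):
        raise RuntimeError(f"{volume} is not a mounted volume; refusing to export")
    data = exporter()
    _validate(data)  # Never keep (or prune around) a broken export.
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    target = volume / f"vault-{stamp}.json"
    # O_EXCL: never silently overwrite; 0o600: owner read/write only.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    for old in list_backups(volume)[:-keep]:
        old.unlink()
    return target


def list_backups(volume: Path) -> List[Path]:
    """Exports sorted oldest to newest (the stamp sorts lexically by time)."""
    return sorted(Path(volume).glob("vault-*.json"))


# Constructed sample exporter standing in for a real manager's export command.
def sample_exporter() -> bytes:
    return json.dumps([{"name": "mail", "login": "me", "password": "hunter2"}]).encode()


if __name__ == "__main__":
    # Usage: mount the encrypted volume first, then run with its mount point.
    print(export_backup(Path("/mnt/vaultbackup"), sample_exporter))
```

The `require_mount` check is the part people skip and regret: if the volume failed to mount, the export would otherwise be written in the clear to the directory underneath the mount point.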


Or just use KeePassXC+nextcloud/syncthing as others have suggested, it's just an encrypted database with no cloud bullshit.


Can you please explain why this is an improvement over the parent comment solution?


My interpretation is that it is already self hosted, with cloud-type features, but without having to do something different, occasionally, to keep a safety net. People tend to forget to do the non-habitual, slightly painful steps. Set up your self hosted infrastructure with all the automated redundancy you want ahead of time and let it roll.


Because KeePassXC (or any other offline password manager) cannot lock you out as long as you remember your password, and you can completely avoid storing your passwords in plaintext.


This. I have an automated backup to my home server to borgbase every night. Every few weeks I do a manual export of my vaultwarden to this server. Major peace of mind.


I believe I will take this advice. Thanks for saying it.


Especially when it's so easy to delete all your passwords when you use Google password manager with the clear browser data feature...

Wife had an issue with the bank and wanted to flush all browser caches, but didn't notice that for some reason the passwords checkbox was preselected. It deletes all saved passwords saved in the cloud without a way to recover (unless you have some offline device that hasn't synced yet).


I did this, didn't quite realize the implications when in a hurry trying to remove one password stored accidentally, or something.

Literally running around the house trying to shut off other PCs before Chrome could sync on them... unsuccessful. What a disaster!


This is great advice. The problem is that it is hard to have the discipline to do this month after month.


It doesn’t have to be every month. Just do it once for a start, you’ll be happier with an old backup than no backup. Then, you can just set a recurring reminder every n months on a Saturday or Sunday and do it at that time.


So, as expected this is the response from the BW people. No one got hurt, no one to be blamed. Grab a beer, turn on your Netflix and be happy.

Hello,

Thank you for contacting Bitwarden.

If you are receiving this message, you have contacted us about errors accessing your Bitwarden account. We would like to first apologize for any inconvenience.

Access should no longer be impeded when authenticating.

In our mission to continually strengthen services and protect Bitwarden users, we have employed many protections to that end. These are ever evolving and constantly being tuned. With these in place, there is potential for temporary false positives. The team is committed to refining and improving these protections.

We thank you for bringing this to our attention, and for your understanding. If you have any further questions, please let us know.

-The Bitwarden Team


In our mission to continually strengthen services and protect our brand, we have employed many protections for our remote monitoring, control and IP...

What do people expect? All the wrong management are attracted to security products for exactly the reasons you suspected all along.. Lock-in is profits!


There is no lock-in to Bitwarden, stop spreading FUD. I'm not really sure how long this is going to be like this with the VC money, but right now:

- Everything is open source

- You get to self host

- You get to export your database at any time

- You don't even need to pay to use it if you don't want to

Are local password managers objectively more secure and reliable? Yes. Does that mean that Bitwarden is just an awful product by a money seething corporation that wants to lock you into their product and dime you till your last cent? Not so sure about that.


Let me quote some excerpts from their license FAQ[0]:

> With respect to the server software available under the Bitwarden License, production use requires a separate commercial agreement with Bitwarden

> The right to use the software in a production environment, or environments directly supporting production, requires a paid Bitwarden subscription

> The Bitwarden License does not qualify as an open source license under the OSI definition

[0]: https://github.com/bitwarden/server/blob/master/LICENSE_FAQ.... (permalink → https://github.com/bitwarden/server/blob/f848eb247767fbba8a4...)


Vaultwarden [0] is under the GPL, which is probably the software you are going to run anyway since it's lighter. The server is basically only a dumb pipe since encryption is done client side so there's no need to use the official one.

Also Bitwarden's software has multiple licenses, one of them being AGPL for the server and one of them being GPL for the client. The part of the code that's under the Bitwarden license which you have to pay for is SSO, SCIM and I think FIDO2 authentication, as they use some Azure tools for all of these and as such they can't run on premises.

Quoting from their license FAQ [1]:

> "In your GitHub repositories, how can I determine what license applies to a given software program?"

> "Each Bitwarden repository contains a LICENSE.txt file that spells out which license applies to the code in that repository."

> "In the case of the Bitwarden server repository, the files are organized into various directories. These directories are not only used for logical code organization, but also to clearly distinguish the license that a given source file falls under. All source files under the /bitwarden_license directory at the root of the server repository are subject to the Bitwarden License. If a file is not organized under the /bitwarden_license directory, the AGPL 3.0 license applies."

Vaultwarden offers those for free if you so wish, but there are no restrictions to self hosting Bitwarden.

[0]: https://github.com/dani-garcia/vaultwarden

[1]: https://github.com/bitwarden/server/blob/master/LICENSE_FAQ....


...not yet. Just as Authy was a nice TOTP software. Until they introduced their vendor lock-in TOTP format.


Authy was never open source, nor self hostable, nor did it allow you to export TOTP tokens. You also don't have to use their own TOTP format if you don't want to, in fact I've yet to see any website that actually uses it. The equivalent to Bitwarden when it comes to managing 2FA would be something like Aegis, which is open source and has feature parity with Authy.

[0]: https://getaegis.app/


If the parent means the 7 digit style when referring to Authy's own TOTP format: Cloudflare and Humble Bundle use those. Thankfully Aegis also supports these.


This is absolute nonsense. Bitwarden has worked absolutely perfectly for me until now, their clients work just fine and it's the password manager I always suggest to people around me.

I do both, self-host vaultwarden for a non-profit and have Bitwarden premium for personal use. A short while ago our server got nearly nuked and our Vaultwarden was down for several days, everyone in the org still could access all of our personal and shared passwords just fine, the extension and the clients stored all the necessary data offline and let us work uninterrupted until we restored the service ( ironically, it held the server's cloud provider credentials too ).

I suspect that in case of a complete outage or while not connected to the internet the client will work just fine, but on this instance something got messed up on the authentication/authorization side, so your client tried to authenticate to their server to sync up/do whatever it needs, since the server was not down but experiencing problems it received an error and logged you out.

I would argue this is by design, If the server returns an error while logging in there's probably a good reason, and especially in case of an organization account, you shouldn't have access to the passwords anymore.

You seem to have had major problems, but I assume it's likely your fault. You should not store all the means of accessing an account in a single place, I too store TOTPs on Bitwarden, but that's just for convenience, I have them on my phone Authenticator app too. But most importantly, as the name suggests, recovery codes ( which is what I assume your "temp verification passwords" are ) should be kept safe and in a separate place altogether, preferably printed even.

What you're describing here looks like nothing more than an outage, a thing that literally everyone and their dog experiences, from the non-profit like us to AWS, Microsoft, Google and Cloudflare.

Surely nothing to scream "Avoid at all costs" about.


> This is absolute nonsense. Bitwarden has worked absolutely perfectly for me until now, their clients work just fine and it's the password manager I always suggest to people around me.

Same for me.

>I suspect that in case of a complete outage or while not connected to the internet the client will work just fine, but on this instance something got messed up on the authentication/authorization side, so your client tried to authenticate to their server to sync up/do whatever it needs, since the server was not down but experiencing problems it received an error and logged you out.

If you're familiar with Bitwarden you're aware there is a Vault lock. When the laptop started and FF was launched, the extension got greyed out immediately. This means there's some sort of preflight init right after browser starts.

This behavior is not documented anywhere on their website in the troubleshooting section. And that was my first attempt to figure out the cause. Next thing was to reinstall the application and check if the problem goes away. And only after that the email to support was dispatched. So, enough effort was put before contacting BW staff. The error message is misleading[0]. So I went on to support forum[1] to learn this problem is recurring. And while I was typing my message, I have seen several messages deleted by the staff. Same happened with mine.

Given all that, where is my fault exactly?

>What you're describing here looks like nothing more than an outage, a thing that literally everyone and their dog experiences, from the non-profit like us to AWS, Microsoft, Google and Cloudflare.

It's an outage that indicated that you can lose access to BW Vault anytime they have an outage, which means you can lose offline access even if the docs say otherwise[2]. To me it's false advertising at best given the iPhone's vault was in locked state as well but did not show any operational errors. Current BW users became aware of the incident and can draw conclusions and mitigate risks. I'm speaking from my experience and it's avoid at all costs now.

[0] https://imgur.com/a/y4qYcFL

[1] https://community.bitwarden.com/t/an-error-has-occured-acces...

[2] https://bitwarden.com/help/using-bitwarden-offline/


> If you're familiar with Bitwarden you're aware there is a Vault lock. When the laptop started and FF was launched, the extension got greyed out immediately. This means there's some sort of preflight init right after browser starts.

Your devices were online and their server reachable but returning erroneous messages, if we have to go based on their forum response "in most cases, your IP is most likely getting flagged by cloud protection services as malicious activity" maybe even because of a third party provider.

> So I went on to support forum[1] to learn this problem is recurring. And while I was typing my message, I have seen several messages deleted by the staff. Same happened with mine.

While I can't speak for this problem, I understand this is frustrating and agree that the staff could have managed the situation differently, but they possibly knew about the outage and were simply de-cluttering the forum from what I imagine were dozens of messages about the same problem popping in at the same time.

> It's an outage that indicated that you can lose access to BW Vault anytime they have an outage, which means you can lose offline access even if the docs say otherwise[2].

By definition, during an outage you lose access to the service, whatever it may be. Their docs say nothing about them, they state that while your devices are offline the clients can still be unlocked and used in read-only mode. While this means that in theory the apps could work while their services are not reachable for whatever reason, be it the device being offline or their server being completely down, this was not the case. I agree that they could improve the experience, so that if their services are not working as expected the clients revert to offline mode until the issue is resolved. This however is not an easy problem to manage and could only be an extra bonus feature to their service.

> Given all that, where is my fault exactly?

Sorry, maybe I didn't use the correct language, when I said you were at fault I wasn't of course talking about the outage, but about you having issues logging into your accounts because everything is saved in Bitwarden. My point was that while their software is extremely convenient, it should not be the only place that stores all the means of accessing a service. Reading your post at first glance made me think that because of this outage you could not access credentials + TOTPs + recovery codes, but seeing "I'm lucky enough to have the offline access to the storage", I don't know about that anymore.

> ...the iPhone's vault was in locked state as well but did not show any operational errors.

Does this mean that the iPhone app was still working or was it locked like the rest?


> This however is not an easy problem to manage and could only be an extra bonus feature to their service.

Extra bonus feature? For me it's pretty obvious it's a necessity. Failover needs to be, in ALL cases, offline access.

> My point was that while their software is extremely convenient, it should not be the only place that stores all the means of accessing a service

I can't have an automatic backup done over each new password stored on it. If I need to do it manually each time, it's no longer really a password manager.


> Extra bonus feature? For me it's pretty obvious it's a necessity. Failover need to be in ALL case offline access.

It sounds simple if put that way, but there's a myriad of things that can go wrong, again, we don't know exactly what was the problem on their end, but I guess it had to do with authentication/authorization/security. It could be difficult to differentiate between a disruption of the service or abuse.

> I can't have an automatic backup done over each new password stored on it. If I need to do it manually each time, it's no longer really a password manager.

I disagree, a password manager is mostly for convenience and added security, although that could be a possibility I'm not talking about storing all the passwords somewhere else ( and thus updating the list every time ). I'm referring to the TOTPs and Recovery codes.

> it should not be the only place that stores all the means of accessing a service

If I were to lose access to Bitwarden right now, sure, I would not be able to use randomly generated passwords stored there, but my 2FA codes would still be with me, same with recovery codes, so that in the event in which I really NEED to access an account I can still do it, with increased friction of course, but I'm not locked out.


Agreed. OP's language is disrespectful to say the least. If it wasn't for this post I wouldn't have known there was an "outage".


Lots of people are mentioning that you can host these types of things yourself, I want to say that that is not a solution at all.

The entire point of these hosted password services is that they are a turnkey solution - I could give them to my mom, who knows nothing about technology, and trust that they work. I like using a turnkey solution myself even though I could self-host because I don't want to spend brain cycles on solving the "syncing passwords across multiple devices" issue.

I don't quite understand why Bitwarden even needs to have you login in order to access the passwords. Surely you could just have the salted+hashed passwords on device, and Bitwarden just syncs that data from device to device. If you work in an organization and need to revoke access, just change the password. No need to manage whether or not someone is logged in to Bitwarden.


Also re: the comparisons to AWS or Google Cloud - it's still totally different. This is more like your car being unable to start because it can't connect to the cloud. I don't expect that driving my car needs internet access, and I wouldn't expect Bitwarden needs internet access to serve me my passwords that have already been synced.


You have to log in to the extension to unlock passwords every so often though right, more than once per browser session? Presumably that's server-authenticated, and what broke here.


There's no reason for that to involve a remote server.

You have the local encrypted database.

You have the key.

Opening your front door doesn't require a trip down to the hardware store where you bought it.
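The design the two comments above argue for ("salted+hashed passwords on device", "you have the local encrypted database, you have the key") can be shown concretely. The following is an added example, not Bitwarden's, Vaultwarden's or any other project's code: unlocking derives the key from the master password and decrypts the local blob with no network call at all, the server is only a sync peer for opaque ciphertext, and a failed sync (outage, auth error, flagged IP) degrades the client to read-only instead of evicting the vault. To stay on the Python standard library it uses PBKDF2-SHA256 for key derivation and an encrypt-then-MAC construction with HMAC-SHA256 as a counter-mode keystream and as the tag; that construction is a stand-in for a real AEAD (AES-GCM, XChaCha20-Poly1305), not a recommendation. The `LocalVault`/`SyncError` names and the 600,000 iteration count are choices made for the example.

```python
"""A vault client whose unlock never depends on a remote service.

Added example, not any project's code. Stand-in crypto: PBKDF2-SHA256 key
derivation plus HMAC-SHA256 used as a counter-mode keystream (encrypt) and as
an authentication tag (then-MAC); a real client would use an AEAD cipher.
"""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000  # chosen for the example; tune to current guidance
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password: str, salt: bytes):
    """Local key derivation: the only input is what the user knows."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong password or tampered blob
        raise ValueError("vault ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncError(Exception):
    """Raised by a sync peer for any non-success response (outage, auth error)."""


class LocalVault:
    def __init__(self, salt: bytes, blob: bytes):
        self.salt, self.blob = salt, blob
        self.entries = None      # decrypted view, present only while unlocked
        self.read_only = False   # set when the last sync attempt failed

    @classmethod
    def create(cls, master_password: str, entries: dict) -> "LocalVault":
        salt = secrets.token_bytes(16)
        enc_key, mac_key = derive_keys(master_password, salt)
        return cls(salt, seal(enc_key, mac_key, json.dumps(entries).encode()))

    def unlock(self, master_password: str) -> dict:
        """Purely local: no server, no network, nothing that can be 'denied'."""
        enc_key, mac_key = derive_keys(master_password, self.salt)
        self.entries = json.loads(open_sealed(enc_key, mac_key, self.blob))
        return self.entries

    def sync(self, push_remote) -> bool:
        """push_remote(blob) returns the server's accepted blob or raises SyncError.

        A failure never touches the unlocked data: the client just becomes
        read-only until a later sync succeeds.
        """
        try:
            self.blob = push_remote(self.blob)
            self.read_only = False
        except SyncError:
            self.read_only = True
        return not self.read_only


if __name__ == "__main__":
    vault = LocalVault.create("correct horse battery staple", {"mail": "hunter2"})
    print(vault.unlock("correct horse battery staple"))           # works offline
    def server_down(blob):  # constructed stand-in for an outage / denied auth
        raise SyncError("503 / access denied")
    print(vault.sync(server_down), vault.read_only, vault.entries)  # False True {...}
```

The property worth noting is that the server never sees the master password or the derived keys, so there is nothing it could "deny"; whether a client purges its local copy on a server error is a product decision, not a consequence of the cryptography.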


True, but if you go down that route there's no reason for a remote server at all. (Cf. pass.) I was just suggesting what seems to me a likely cause, since everyone was talking about 'phoning home' and 'remote disabling' as though it was intentional or more dodgy.


The remote server provides backup and sync in a convenient format which will lead to more people using password managers.

When it's down you only need to lose backup and sync.

Refusing to unlock your local database because it made some check on the backup and sync server is precisely remote disabling and is a great reason to transition off of Bitwarden as it is a pretty good sign of them testing the waters for vendor lock-in.


I think this is the flip-side. They want to support remote wipe, which means they can pull access.


I don't understand that argument. Using Dropbox or any other synchronisation service, KeePass (KeePassXC on desktop/laptop and Keepass2Android on phone) works completely seamlessly. I wouldn't even notice that I am not using an online service.


This post is so sensationalist and right on the heels of that other article about BW’s new funding that hit the front page. I have to question the motives of OP and some of the commenters.

I’ve happily used BW for years without problems. My experience is so far removed from what’s been posted here that I find it hard to take seriously at all. What an incredibly low quality post that does not live up to the standards of quality I expect on HN. There’s a proper way to voice concern and criticism, and this post is simply not that.

I’d like to hear dang’s thoughts. I believe the title should be edited and the OP text should probably be as well. To the OP, you missed the mark here, but I believe you can do better on your next post. Hopefully my criticism isn’t received too harshly as it’s intended to be helpful.


For those suggesting to "just" use KeePassXC and KeePassDX, the sticking point for me is that the UI experience with Bitwarden in my desktop browser and on Android is just so darn good.

How do the KeePass apps compare?

P.S. I do use a KeePassXC vault for a small amount of stuff. Discovered KeePassDX for Android this week from a recent HN comment. It is very good. After playing with it for ten minutes I deleted the other two Keepass apps I had on my phone.


I switched from KeePassXC to Bitwarden (self hosted with Vaultwarden) a couple years ago. The experience is considerably better, the BW iOS app is great, and the Firefox extension also works reasonably well. I could never get integration in either case to work as well with KeePassXC. I'm confident if BW pull any real nonsense, there will be a fork of the client, and there's no reason for Vaultwarden to go away...


> I switched from KeePassXC to Bitwarden (self hosted with Vaultwarden) a couple years ago. The experience is considerably better, the BW iOS app is great, and the Firefox extension also works reasonably well. I could never get integration in either case to work as well with KeePassXC. I'm confident if BW pull any real nonsense, there will be a fork of the client, and there's no reason for Vaultwarden to go away...

What were the issues with keepassxc integration? I have been using it and it generally works flawlessly integrating with firefox, the only thing is that you have to sometimes press the reconnect to keepass in the extension if you shut down keepass while Firefox was running.

Keepassxc also provides an ssh agent and works as my secret provider, that also works without problems if it wasn't for gnome keyrings which decides that it will stick around after you log into gnome (which I rarely do). Does BW provide secret integration?


I found it kind of a pain to keep the Firefox extension connected. Additionally, I never found a solution for sync I was happy with - I had settled on OneDrive and there is an open source OneDrive sync client for Linux, but I had a couple instances where I ended up with conflicts and having to copy new or modified entries over manually. I’m not sure that any sync client is great across all of Windows, macOS, Linux and iOS - but I use them all frequently.

I can’t really comment on secrets, I use a YubiKey for SSH and GPG for signing Git commits so I’ve never needed to look into it.


They don't disable it remotely, but their apps and browser plugins will log you out and destroy the local copy (I experienced the same when my Vaultwarden instance didn't return a response it liked due to MySQL breaking).

Annoying, but I think I see the benefit (kill it if it might be tampered with, etc.).


Enpass

- Local-first so you own your data

- Open about technical documentation and assisted in providing encryption scheme info to an open-source vault reader (so you own your data...) https://github.com/hazcod/enpass-cli

- Works with lots of cloud/sync providers

- Cross-platform (Windows, macOS, Linux, iOS, Android)

- Browser integration (Safari, Firefox, Chrome, Edge, Opera, Vivaldi)

- Lifetime license for $79.99


A feature that deserves its own bullet imo: Wifi sync. I suppose it's akin to Keepass+Syncthing but integrated into all clients.

I used Google Drive/OneDrive in the past but a few times vaults would get into a broken state where they couldn't connect to the provider anymore and I had to manually re-connect. It was always able to smoothly recover and sync, but I had no confidence I was synced at any given moment.

I jumped on Wifi Sync as soon as they launched it and haven't looked back—as long as I'm on the same network once in a while, everything is in sync.

Sometimes I get an itch to try the open-source/Keepass route again, especially since it seems to be much improved, but Enpass is convenient for now.


Wow, okay, yeah, I'm actually sold. There's a CLI for desktop, and it's on both ios and android. Damn. Will gleefully fork over $80 for a lifetime license if it's as good as it seems.

Why have I never heard of Enpass before? Anyone have any reason to not switch from Bitwarden to Enpass right now?


It depends if you feel happy entrusting your passwords to what is ultimately a closed source client.

I do not.

Moving to self hosted vaultwarden from keepassxc-in-syncthing was a big leap. A closed source client is a leap too far.


It's a closed-source UI on top of sqlite/SQLCipher. You'll be fine.


I mean sure... But why go out of my way to use closed source software when the open source options are right there?


For me it's the features I mentioned above - having a CLI on desktop, and both ios and android apps is so huge because I have devices in all three ecosystems! One password manager that works seamlessly across devices is very appealing to me. The Bitwarden mobile experience needs a lot of polish, if Enpass is better I would switch.


Bitwarden has a CLI also, both the official bw-cli and the nicer rbw. Can't speak for iOS but on Android bitwarden plugs into the OS password manager autofill API, same as everyone else, don't see why enpass would have a different experience.


Well, that's what I want to find out! Very rarely does autofill work for me on Bitwarden mobile - 80% of the time I have to open the app, copy, and paste my info. Not good password field recognition, and it's a regular friction point for me.


But keepass has the same thing and it is open source. That's why the OP was asking.


It is closed source and I am not sure that the code base was audited.


Closed source I can deal with, as long as a strong audit has been performed.

Found this: https://www.enpass.io/security-audit-report/

I'm not a security expert, so not sure if those audits are trustworthy.


That's the problem though isn't it? Unless you're an absolute expert in every aspect of a thing, you gotta trust someone who claims to be the expert, eventually. Or never trust it.

When it comes to security audits of software I often prefer to see that software failed at this or that, and was corrected, with a reasonable explanation of both the problem and the applied solution. To me, this shows that 1) the audit was actually performed and not just bought/pencil-whipped; and, 2) the developers acknowledge their [inevitable] mistakes and correct them. It also teaches me what to be aware of for other, similar software.

In other words, I would rather see a pimple once in a while than be convinced by makeup that everything is perfect.


Well said, this is a reasonable way of looking at the situation.


I appreciate this perspective.


Oh my gosh, this is crazy. They can remotely disable your browser extension? I had just recently convinced a few people to switch from LastPass to Bitwarden. Personally I use pass with git, but that solution is not for non-technical people! What are the alternatives for our non-technical family and friends? Should we be encouraging Firefox and Chrome's built-in password managers?


If you need "seven nines", your best bet might be to host it yourself.

Probably not going to find it anywhere for $10/yr


You're one of the anon-Bitwarden boys?

1) I want sane error messages on the client side.

2) I want my feedback on community forums not to be shushed. You screwed up — own it. Community mods aren't janitors to wipe out user feedback.

3) I want the extension to be working no matter what kind of server-side problems you have. Let me know about a sync problem but don't terminate my access.

But if you do think that for $12 I get to be treated like a dog, too bad; there are enough options for me to take my business elsewhere.


I can recommend Keeper (my current password manager of 2 years) or Passpack (previous password manager of 5 years). Never experienced any problems with either.

I am surprised that they are not more popular than "fan-favorites" like LastPass, which I absolutely can't stand (it's like from the dark ages UX-wise), or 1Password, or, for that matter, Bitwarden. Bitwarden in particular experiences degradation of service like every month or so, maybe due to their popularity.


Isn't Keeper the one that sues people who disclose security vulnerabilities? I'd stay as far away as I can from that one.


I don't know why you think you should be able to log in to a cloud SaaS product while it's down. From your comment here I highly, highly doubt you were at all even remotely civil in that forum post. $12 a month doesn't mean you get to be an asshole to people. Not all forms of auth can be done locally; for example, most 2FA requires server access.


I can feel uncalled-for hostility in your attitude, dictated by your conjecture, which isn't the right indicator to make a judgement about this specific incident. Ad hominem is irrelevant here since it's not about me but about service operations.

Anyway, I'll still respond.

>Idk why you think you should be able to login to a cloud SaaS product while its down

The application works without internet access.

> Not all forms of Auth can be done locally, for example most 2fa requires server access.

TOTP validation can be done offline. And the hardest proof of it is that the tokens themselves are generated offline. All that is required at the server side is the shared secret and a Unix time syscall. This gets done at the browser extension level[0], no network required.

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...


Not even 12/m, it's per year!!


When you are on some corp firewall or MITM, Bitwarden has a very strange error message about owning keys or something. Took me a while to figure out the problem.


What do you mean? Apart from the local solutions like pass or KeePass, hosting yourself for under $10/year is absolutely trivial. I mean, just spin up the smallest free instance on Oracle free cloud and run Vaultwarden there. If you want additional data safety, spin up another instance and synchronize your database, or synchronize to a free Dropbox drive.

If you don't want to rely on a free cloud product, go to LowEndTalk and find an offer for a minimal VPS, which can regularly be found for around $10/year.


Oh it's only been two days and my comment was right. And applies here again as yet more startup-esque pw manager alternatives are being suggested. https://news.ycombinator.com/item?id=32738675


I think maybe a good alternative type of solution would be, instead of a 'hosted' thing, something like Bitwarden where your data gets pushed to the devices it needs to be on, so it's always in a local database, and maybe you back it up to Drive/Dropbox easily, but the server just tracks when something changes/needs to be pushed and basically handles syncing; other than that it doesn't keep any password data, encrypted or otherwise, it's just a bridge.


That's possible with KeePassXC (desktop) [0], KeePassDX (mobile) [1] and Syncthing [2]. Best thing about it is that the bridge between devices is also end-to-end encrypted, which is a nice bonus if you want to sync something else. I wish there was an easier all-in-one application for this kind of stuff though, would be much easier to maintain and setup for family/friends.

[0]: https://keepassxc.org/

[1]: https://www.keepassdx.com/

[2]: https://syncthing.net/


> remotely disable your browser extension which is assumed to work in offline mode

This seems incorrect.

I experienced this issue while I was working on one computer which I infrequently use, so I was logged out of BitWarden. Trying to log in gave me that oblique error message.

I was on a conference call (and presenting of course) so I needed the password Right Now so I pulled out my laptop, which was still logged in, and was able to access the password without issues.

I'm not sure exactly when this issue started/stopped, but, I probably use my phone vault 20x a day and I never saw the issue there either, only with the one computer which was logged out.

I really don't get all of the hate on here for BW. Are people annoyed or jealous because they just got funding? I understand people suggesting alternatives (and that's great -- monocultures are bad) but some of the comments on here (including, frankly, the OP's topic and message) are just rude.

I'm a user of both the hosted BitWarden and multiple VaultWarden_rs instances and it works well for me and meets my needs. It's been very reliable to the point where if I didn't see this post, I would have just assumed the earlier issue was some fluke and moved on without a 2nd thought.

I'll probably be accused of being a shill for them and legitimate criticism is warranted, but, too much of this seems like bad faith.


It sounds as if you only were able to access the password because you had a second device that happened to already be logged in. My guess is that if BW's login servers were having a temporary outage, had you not been logged in you wouldn't have been able to login and therefore been unable to get the passwords.


I recommend hosting yourself if you are worried about a company on the internet controlling access to your passwords...

You attack Bitwarden but how would this be any different with the other hosted password services?


Even Google and AWS have outages. Bitwarden has rarely had issues.

And this is all free service. Customer expectations have skyrocketed.


Hello. I'm paying for the service. My expectation is as simple as being able to log into the password manager when the cloud has an outage and I don't experience any problems. When they did disable my login attempts, they showed the centralized, we-own-your-data type of issue.


did you use 2fa?


I’m curious why no one is recommending 1Password. I use it and it’s pretty nice. Closed source though. Is that the reason people don’t recommend it here?


Censoring the forum comments is definitely a very different kind of secret management!


I highly doubt this kid was civil in that forum post.


Just install yourself a Vaultwarden, migrate your data and reconfigure your client to your own Bitwarden server.


Damn, I literally just created my Bitwarden account today and then immediately experienced this problem. I thought I was doing good not getting LastPass, and needed the iOS app so that disqualified KeePassXC. What am I left with, 1Password?


Perhaps try KeePassXC on Desktop + Strongbox on iOS.


Strongbox looks amazing, thank you.


We ended up going with Team Password Manager. It's just shocking how bad multi user password management systems are. It was bad ten years ago and nothing's changed.


Ha, I switched to keepassxc this week because of the VC funds sketched me out. Makes me sad because I don't know what password manager to recommend for average users now.


Hosting a Vaultwarden instance on one of the free Oracle ARM VMs is a great alternative to their hosted service.

You own your data, get great UX thanks to their mobile clients/extensions.

Or… grab a Precursor[0] and import your bitwarden JSON export into its vault app :-)

[0]: https://betrusted.io/



The design flaws of these systems are that they are terrible at changing passwords, dealing with the arbitrary password requirements of many sites, and dealing with the fact that many sites require the storage of additional secrets for practical use that cannot be generated (e.g. secondary passwords or PIN codes for privileged operations within the application, mandatory security questions, etc.).


KeePassXC supports all of that?


I believe the comment you're replying to is referring to the weaknesses of deterministic password generators.


Bitwarden's apps are so poor compared to KeePass apps (KeePassXC and Strongbox), I still can't see any advantage in choosing Bitwarden (or even the self-hosted Vaultwarden) over KeePass.


>because I'm stupid enough to trust them with my TOTPs and storing temp verification passwords.

I'm sorry, but isn't the highlight of your problem that you did not separate TOTP from any service that depends on it, including BW?


Good point. At one moment, I switched to BW premium exactly for convenience purposes. Before that, it was Authy for TOTP handling and BW for password manager.


With the recent news of their 100 mil cash infusion, and now this, I'm not feeling great about Bitwarden ATM but none of the other options sound stellar either.


Bitwarden: so hot on HN right now. This is fresh on the heels of the article that was on the front page about their $100 million VC news.


No problem here. No drama. No sweat. No anxiety.


self-hosted bitwarden with vaultwarden is the best, you can use their iOS, linux, mac apps


Migrating to Bitwarden is on my roadmap. Guess I have to scrap it now.


In favor of what? I use BW, I think this is terrible news, but apart from self-hosting I don’t see any viable option.


Good to know. Thanks.


Guys, KeePassXC + KeePassDX + Syncthing work just fine. For $10 nobody will answer to you.

Yes, Syncthing doesn't work on iPhone; buy your mother an Android, or buy yourself a tie machine and write apps for Windows Phone


actually syncthing on iOS is pretty great using https://apps.apple.com/app/id1539203216. I'm nothing more than a very happy user.


> buy yourself a tie machine and write apps for windows Phone

Took me too long to realize you probably meant ti[m]e machine, but I still don't see how that would fix getting a non-techy off their iPhone.


What do we want?

TIME TRAVEL!

When do we want it?

THAT'S IRRELEVANT!



