Comment by welder
7 hours ago
I don't care about raising prices, I'm worried about the new CEO having a PE mindset. That means Bitwarden will now focus on extracting value while the product stagnates and degrades in quality. Time to jump ship before their security and quality goes down the drain.
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
https://github.com/dani-garcia/vaultwarden
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I have my vaultwarden running on a container on my home-lab server acessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this)
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
2 replies →
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
2 replies →
I touched it never aside from updates and it never failed. I compiled it from sources tho
It's as reliable as you make it.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
3 replies →
Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming.
It is still maintained, but I believe the maintainer is employed by Bitwarden now, and is working on projects in addition to Vaultwarden.
Is there an alternative frontend as well, or are you still locked in?
https://github.com/doy/rbw Is an alternative Bitwarden cli front end. Probably has plenty of scaffolding to build a GUI frontend based on it.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Their android app at least is open source and on available on their own f-droid repo
Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling taking custom server address away with important security fixes, in a way that you are damned if you do and damned if you don't.
Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it.
+1
I am a paid subscriber. I am kind of ok with the price increase.
The "coincident" with change of CEO and remove of "always free" tag worries me though.
I just sent them a message along these lines.
I’m happy to pay for good services, but M&A means cost-cutting measures to make the company look good for acquisition and that makes me uncomfortable with letting them store secure data for me.
Switching is going to be a pain.
It is really easy to self-host, and do so securely...
3 replies →
Yep! Feels like a hard truth about the product life-cycle. It may be time to find an alternative to what was a great alternative.
Give it less than one financial quarter and I guarantee the website will be about “identity for AI agents.”
Can anyone name a PE purchase that made a company better?
I jumped to Bitwarden because of 1P's new pricing doing exactly that.
Circle of live, I guess.
I'm getting really tired of the enshittification cycle. Learning about android verification and captcha changes recently has been another big frustration point. I moved to android as a more open alternative to apple just a few years ago, and to bitwarden from lastpass around the same time. I would like to just have these infrastructural services work well and quietly without thinking about them for many years. Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
>Do I really have to put up with this happening faster and faster for the rest of capitalism? (I think so)
no, if you relax the qualifier "without thinking" slightly and are okay with thinking for a few hours. There's so many off-the-shelf open source solutions now to just throw on a 5 bucks VPS, it costs you less time and money than switching or the premium plan of most of these individual services.
Bitwarden hasn’t “enshittified” anything. It’s all entirely speculative
Looks pretty bad regardless of speculation. There are enough red flags to warrant actions and to consider this another enshitification.
It has already enshitified. These changes are text book.
- Inclusion and Transparency values made more shitty
- Always free commitment removed. What? It’s right there “always”.
- Shittily hacking old blog post to become nonsensical
- Loss of confidence
- Stalling improvement cycle, no more repairs, just things quietly breaking and going bad.
I don’t wait for companies to enshittify anymore. When they start making decisions that look like they’re heading in that direction, I start looking for alternatives.
1 reply →
yet. The hallmarks of enshittification are there. We've all been through the cycle of "this product is too good to be true, and provides considerably more value than it costs" "Customer Acquisition/Market Capture" phase. And we know what has to come next. They have to make the product profitable, because you cant just burn up VC money forever.
Does a bear shit in the woods?
1 reply →
Vendors doing a rug-pull isn't just capitalism. China is adding DRM to AM radio: old receivers won't work. Heck, Soviet WWII ration cards no longer give turmips.
uh, by DRM you mean Digital Radio Mondiale[0], an open digital radio broadcasting standard? sure analog receivers won't work, but hardly a rugpull lol
[0]https://en.wikipedia.org/wiki/Digital_Radio_Mondiale
1 reply →
They're not doing it to increase margin. "Enshittification" or "rug-pulls" aren't when things get worse or things change, they're when the conditions that were used to attract an audience are changed in order to extract more margin after that audience is captured.
The larger exampls to compare them to would be "dumping." Dump subsidized, tariff-free corn in Mexico to make it unprofitable to farm corn in Mexico, and after all of the Mexican farmers go bust, buy their land and raise the price of corn to infinity while cheaping out on the quality of seed and handling. Enshittification. Rug-pull.
PE? Private Equity is the slippery slope to Public Enshitification.