I wanted to like Bitwarden, due to its “open source” nature. But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
I tried teaching my father to use Bitwarden for the sole reason that it seemed to be translated into my native tongue. In his use, Bitwarden turned out to be completely unreliable. As techies, we stop noticing the little glitches, the times when Bitwarden is unable to auto-complete, or to detect a login that needs to be saved. Or the times Bitwarden logs you out of the account, or fails to use your biometrics in the browser because the app is no longer running in the background. Or the management UX of the app that's terrible. For us, these are little annoyances, but for my father it was the difference between usable and unusable.
The individual plan is very cheap, but the family plan is costly. And you can self-host, sure, but it's expensive to self-host.
When talking of self-hosting, people actually mean the alternative built from scratch in Rust (vaultwarden). Well, that project was never audited to my knowledge. Open source or not, it may have security vulnerabilities that could be exploited remotely, and I don't understand how people can trust it.
Bitwarden also took VC investments. Which is fine, I guess they need to grow, but I'm longing for projects that are owned by sustainable businesses that don't need to grow. Why does everything need freaking VC investments? The problem being that startups that took such investments are not trustworthy to be around in another year from now, sorry. Although this is true of 1Password as well.
> I wanted to like Bitwarden, due to its “open source” nature. But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
Exactly my experience. When 1Password announced the shift to a crummy Electron app, I evaluated all of the major password managers, plus some less major ones, such as Strongbox. Even with the UX degradation of 1PW 8, it's still clearly superior to the others, to the point it's really not a contest.
I stuck with V7 until just a few weeks ago, when other circumstances necessitated an "upgrade". I once again evaluated the others, including Bitwarden, to see if they were "good enough". Bitwarden's UX hasn't improved as far as I can tell; more importantly, it refused to import my secrets because I had a secure note that was too big for it. Not "refused to import that note"; refused to import anything—there's no skip option. I had to do a bunch of manual nonsense, which still left me in an incomplete state because I both need that note and want it in my vault (splitting it into multiple notes is an option but also an ugly kludge).
I'm a paying user because 1€/month is the perfect price for what I'd like a password manager to cost. But you're right and the flaws are there.
Before, I used LastPass, and for me, the form field detection was miles ahead. Not a tiny bit, but _a lot_ better. And the UI built on the ephemeral pop-up was a very bad idea that after years and years they haven't decided to ditch and do it the proper way on a new tab, like LastPass, uBlock Origin, or TreeStyleTabs do.
When was the last time you used it? They just had a UI change here recently and it's better than the original. It's cheaper for personal and family accounts compared to 1password. I've been a paying customer of Bitwarden for a long time now and have never experienced any of these issues.
FYI, 1password has taken almost 1 billion dollars in VC investment. They have an obscene amount of pressure to grow.
Cloud password manager functionality can be accomplished in 6U of server space. Vault files are measured in kilobytes or megabytes, millions of customers could be handled by a single SSD RAID and a fast Xeon. Infrastructure and software to make it secure, reliable, and user friendly, add expense but not 9 digits of it.
I do realize that Bitwarden has also taken funding, but nowhere near this much. That being said I'm always baffled by some talking heads in the security space who continuously hawk 1Password. I'm sorry, but when you've taken that amount of funding - the customer is no longer the customer, the investors are and that is who is being catered to. Does the industry as a whole not remember LastPass and the garbage it has become to cater to "Enterprise"? I would bet good money that I can come back to this post in less than 10 years and highlight the downfall of how 1Password has changed hands, changed direction and the product has become less than ideal or a leader in their space. The upside with Bitwarden is it can be forked and kept true to its roots. I get it, 1Password has a few things that work slightly better - but I'm forced to use it for work and despise its bloated feel comparative to Bitwarden.
They are moving into enterprise (or trying to anyway), see things like passage[0], etc. They are trying to grow their brand and reach beyond just a simple (but nice) password manager.
Because storage, even globally replicated, isn't the core cost or the core function of a security company.
Your app, the detection of forms (when total idiots try to prevent password managers being used), the security audits, active intrusion detection, etc... those are yet to be handled by an AI, so these cost a lot.
"Bitwarden also took VC investments. Which is fine."
Nope. With that, you've quite literally convinced me to not just avoid it forever, but to also recommend others do the same.
VC investments means "they're gonna want money back at some point," and the service they provide is too important to have that hanging in the air, especially given how badly MANY other VC backed things have screwed things up.
You've effectively told me there's a serious, if not likely, chance that they will at some point screw me and my passwords over if I don't pay them ransom (or engage in some other similarly drastic behavior that I haven't even considered yet).
There is a difference and that is the Bitwarden bits are open source. If the masses decide to change direction and leave Bitwarden as a paid for service - they can. That can't be said about 1Password. IMO this counterbalance of OSS and VC investment can help to keep things in line - look at how this exact situation is playing out for Hashicorp. When you're $1B deep with no way for your customers to push back - you, as an end user, are no longer the customer. I still recommend Bitwarden over 1Password because of this.
Do you have any examples of startups that went to shit due to VC funding? I have a feeling you're completely right, and I want to recommend others to avoid it. I might need some examples to back this up though :)
Pebble. They had a great niche product that was growing organically and sustainably. VCs thought the smartwatch could be the next smartphone, and dumped a truckload of cash on them. Next minute they were burning all that cash pumping out too many new models.
Meanwhile everyone stopped wearing wristwatches except as a fashion statement. The original company would have survived this easily but the VCs wanted the next Apple or bust.
Hosting at data centers is expensive, hosting at home is not expensive. You probably already pay for internet, why not use it.
My home server costs me about 3 euro per month in electricity (and it is quite beefy for a home server) and it runs many services, not just Vaultwarden. Add homeassistant for smart home, nextcloud for document cloud, jellyfin for media, immich for photo backups, etc. Maintenance using docker and compose is also a trivial task.
On top of that, it runs in a private network and has limited exposure to the outside world through VPN in case you need to access it away from home.
Yes, hosting a single service is more expensive, but hosting a bunch is much much cheaper.
What is this nonsense?
If you own a car and know how to drive, do you always call a taxi?
And if you drive your own car, do you pay yourself a salary for being a driver? Including all the taxes?
> Why does everything need freaking VC investments?
I share this frustration. Putting aside the ambitions of founders and initial investors in order to address your question about "everything"...
I think it comes down to tech being perennially talent constrained. It might not feel like that right now after a year or two of big layoffs, but every time that has happened, another long hiring boom has started within a couple of years.
If there were enough competent engineers (in this case, ones that aren't going to get the company in the news for things like cryptography mistakes or sloppy data handling), then that would change all of this. But there aren't, so these companies are left competing for the scarce talent.
You need a large pool of resources for that competition. VC money (eventually replaced by liquid stock grants) is often the easiest source of that. So, VCs can help a company keep and add talent, but in return they want hypergrowth.
It's interesting to see some comments here suggesting that people should just export their bitwarden db to keepassxc (due to the VC backing), & then the other side suggesting a closed-source alternative due to better UX. Two distant sides of a spectrum.
FWIW I switched just fine. The apps definitely don’t have the fit and finish of 1Password but I was up and running pretty fast and haven’t looked back.
> But 1Password is really miles ahead, and it's a little ironic, as 1Password 8 went through a major refactoring to a Node-enabled UI, which many people disliked, and it's still miles and miles ahead.
I use BW for my personal use with my SO and 1P at work. I hit some errors in 1P that were cryptic, stuff like "Failed to add this record" with no details, no help button, I had to fire up the chrome console for the extension to find out it was a 401 to our 1P portal. Very poor experience, probably related to our SSO setup but still.
Never had any weird issue like this with BW and I love the autofill shortcut and the absence of a popup when I access a password field like 1P.
So yeah, YMMV as usual but definitely not miles ahead.
If 1password keeps applying their current development standards, I'm pretty sure Bitwarden will overtake them soon simply by virtue of not getting worse.
Kind of apples to oranges with 1Password not being open source or having a free tier.
There are small issues with autocomplete on mobile here and there, which I have never seen a password manager do a perfect job at. Otherwise I have never had any issues with BW and the 2fa on the paid tier is great.
Have you ever tried Psono? (I am the main developer behind it). It's open source, client side encryption, offers free versions for individuals, regularly audited and bootstrapped / no VC money. Would be happy to hear your opinion on how it compares to 1password.
I just had a look to see if Psono would be for me. One thing that I discover all too often (and that is also the case here) is that SSO (OpenID, SAML...) is considered enterprise (sorry for calling you out here right now, this is a general frustration).
If I self-host I want to not have to manage all my services with individual logins. Self-hosting with e.g. Authentik to provide SSO and identity management is really a perfect solution, but alas so many projects lock SSO away in their enterprise edition (good on Psono to not make it ridiculously expensive like is often the case).
SSO is the same login/password authentication flow, isn't it? Just its session is shared between services. Any password manager can handle that password-based authentication just fine.
I was on Bitwarden for a bit. I really really like the secure notes feature, it's great for storing secrets like keys that aren't used in a browser or android app.
But Google is so much more convenient.
I still wonder why there's no completely P2P password manager using SyncThing plus a layer of encryption. We have this near perfect tool for making multidevice apps but we don't use it for much!
I mean, you could use pass, which stores all your passwords in a gpg encrypted file. It works very well out of the box with syncthing, or anything else that can move around files, like git-annex.
The Android app for pass seems to be 2yrs old, not the worst, not the best.
I've heard KeePassX can have sync conflicts if you edit on multiple devices with the wrong timing.
I think for a real conflict-free experience you'd need to put each password in its own file, or give each device a logfile to publish CRDT updates with cr-sqlite (looking into adding that to a baserow style app).
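As an added illustration of the sync-conflict point made in this sub-thread (this is example code written for this page, not code from pass, KeePassX, SyncThing or cr-sqlite): the block below simulates two devices syncing a password store through a plain file syncer. A one-file vault can only be resolved whole-file, so whichever copy is newer wins and the other device's additions are lost; a per-entry layout lets disjoint edits merge by union, with a per-entry timestamp deciding the rare case where both devices touched the same entry. Each entry file also carries an HMAC tag so that a file arriving from a peer is checked before it is merged. The key, entry names, secrets and timestamps are all constructed for the demo, and the HMAC stands in for the "layer of encryption" the comment asks for; a real design would derive the key from the vault passphrase and encrypt the entry body as well as authenticate it.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real vault would derive this from the user's
# passphrase with a KDF and would encrypt entries, not only authenticate them.
DEMO_KEY = b"demo-vault-key-not-a-real-secret"


def seal_entry(name, secret, updated_at, key=DEMO_KEY):
    """Serialize one entry as its own file, with an HMAC tag over the payload.

    The entry carries its own updated_at so merging can be decided per entry
    rather than per vault file.
    """
    payload = json.dumps(
        {"name": name, "secret": secret, "updated_at": updated_at}, sort_keys=True
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "tag": tag}).encode()


def open_entry(blob, key=DEMO_KEY):
    """Verify the tag and return the entry dict; raise if it was altered."""
    wrapper = json.loads(blob)
    payload = wrapper["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["tag"]):
        raise ValueError("entry failed integrity check")
    return json.loads(payload)


def sync_single_file(local, remote):
    """Model a file syncer on a one-file vault: whole-file last-writer-wins.

    local and remote are (mtime, {name: secret}). Only one copy survives.
    """
    return remote[1] if remote[0] > local[0] else local[1]


def sync_per_entry(local_files, remote_files, key=DEMO_KEY):
    """Merge two per-entry directories: union of entries, and when the same
    entry exists on both sides the newer updated_at wins. Entries from the
    peer that fail the integrity check are dropped instead of merged."""
    merged = dict(local_files)
    for fname, blob in remote_files.items():
        try:
            remote_entry = open_entry(blob, key)
        except ValueError:
            continue  # tampered or corrupted file from the peer: ignore it
        if fname not in merged:
            merged[fname] = blob
            continue
        local_entry = open_entry(merged[fname], key)
        if remote_entry["updated_at"] > local_entry["updated_at"]:
            merged[fname] = blob
    return merged


def demo():
    """Same edits on both layouts: laptop adds 'github', phone adds 'bank'."""
    # One-file vault: the phone's copy is newer, so the laptop's addition is lost.
    base = {"mail": "old"}
    laptop = (100, {**base, "github": "gh-secret"})
    phone = (101, {**base, "bank": "bank-secret"})
    single = sync_single_file(laptop, phone)

    # Per-entry layout: each device's addition is its own file.
    laptop_dir = {
        "mail": seal_entry("mail", "old", 50),
        "github": seal_entry("github", "gh-secret", 100),
    }
    phone_dir = {
        "mail": seal_entry("mail", "rogue", 999, key=b"wrong-key"),  # bad tag
        "bank": seal_entry("bank", "bank-secret", 101),
    }
    per_entry = sync_per_entry(laptop_dir, phone_dir)
    return single, {n: open_entry(b)["secret"] for n, b in per_entry.items()}


if __name__ == "__main__":
    single, per_entry = demo()
    print("single-file result:", single)   # 'github' is gone
    print("per-entry result:  ", per_entry)  # both additions survive, rogue file dropped
```

Per-entry last-writer-wins resolves the common case (different entries edited on different devices) without any conflict files, which is the property the comment above is after. It does not help when the same entry is edited concurrently on two devices; one edit still loses, and that is the case where an append-only per-device log or a CRDT, as the comment suggests, is needed.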
AFAIK the vaultwarden is just easier to set up for self-hosting. You can self-host the same server bitwarden use, but it's a lot more effort (unless they have stopped developing this recently).