I think this is a little hyperbolic. The product may drop features, increase prices, and squeeze its free tier users. Everything enshittifies. But the idea that password export might disappear or be degraded? Nah. You'll be able to jump ship any time you want.
Google Authenticator has an export-as-QR-code function that several other authenticator apps can parse. Is it the best/most convenient implementation? Obviously not, but you can absolutely export the codes.
This is an incredible overreaction over a minor change that did not even happen. You can still find "Always free" in the pricing line of the very same page everyone keeps linking as proof https://bitwarden.com/products/personal/#whats-the-differenc...
Edit: it actually disappeared for some time but they put it back on May 18
snapshot from May 15: https://web.archive.org/web/20260515190646/https://bitwarden...
snapshot from May 18: https://web.archive.org/web/20260518183728/https://bitwarden...
The page addresses this:
> The "Always free" motto quietly reappeared on the site after its removal was uncovered and went viral on Fedi.
(And the linked article gives evidence: <https://blog.ppb1701.com/the-quiet-renovation-at-bitwarden#:...>.)
Well it did happen - and then unhappened when people noticed.
I had checked as soon as I found out about the news the other day and it was there. I just checked on wayback machine and you're right, it was removed for some time. However, if they're willing to put back that claim immediately, I doubt that their intention was to drop the free plan anytime soon, but probably it was to incentivize people to use the paid plans. Enshittification must happen sooner or later afterall, but fortunately vaultwarden exists and the export feature is highly unlikely gonna be removed immediately as the free plan disappears, so people could just switch to a third-party or self-hosted backend as soon as that happens.
I'm not seeing "Always free" on that page browsing from mobile. Also, it breaks my back button. Yeah... I'm going to need to switch.
While I'm not _happy_ about the messaging changes, those alone are not enough to do more than start paying closer attention. I highly, highly doubt that vault export would be the first meaningful feature change, and so I think there will be stronger signals of actual issues before then.
As I understand it, so far the only actual change is an announced increase in prices. Obviously, from the consumer perspective, cheaper is better, but this is a product where I think that a subscription plan makes sense (and the free tier, for now, still exists), and so I'm not going to get mad about price changes. Competitors exist, and if one doesn't think the new price is worth it, then switch to one of them (using the very-much-still-available vault export).
I don't think the warning is crazy or anything, but in my personal opinion it's a little stronger/earlier than is warranted and the current appropriate response is careful watching.
I hear you, but I feel like it's a better safe than sorry situation. Exporting your passwords takes two seconds. I think you can export to an encrypted file, but I just did a plain-text json file and gpg'd it. Can't hurt to play it safe.
Serious question - how come free is a requirement for a password manager? Everyone's gotta eat, including the maintainers of password managers.
Tech has generous TC, lots of high-end laptops and phones worth thousands, AI & cloud spend, and yet the only acceptable price for secrets management is $0 it seems at times.
I've been recommending Bitwarden for a few years now and have also been paying a yearly sub since 2022, as I always thought 10$ was a really good value.
But with all this stuff coming out, I'm holding off on recommending it anymore; at least until everything calms down and the new value proposition is fully laid out.
Like other folks have said, I don't think it's yet time to migrate. That being said, it doesn't hurt to do an encrypted export for backup purposes, start looking at alternatives, and reach out to people I know use Bitwarden to do the same.
Keeping an eye out on how this develops.
Agreed. I will continue using it as it currently fulfills my needs. But I'm not going to shout it at everybody I catch not using a password manager anymore. I'm just not willing to take responsibility for the changes they may make in the near future.
As an aside, since it seems like they're trying to make money: The aforementioned enthusiasm has gotten it adopted at a workplace of mine. The experience hasn't been good, so no recommendation here either.
Their moat was being a trusted name in FOSS and it's a bit sad to see them going in the direction of abandoning it.
But somebody else will probably step up and build on the ruins, like vaultwarden already has. That's the beauty of choosing FOSS in the first place.
You should try hosting it yourself in docker. Absurdly easy to do if you get an llm to do it and it works very, very well.
Hope they don't alter self hosting it.
If you're going to the trouble of self-hosting, I'd suggest just running vaultwarden.
https://github.com/dani-garcia/vaultwarden
It's entirely compatible with the clients. It also removes a lot of "rug-pull" potential, and gives you the ability to access all the nice features (ex - multi-org, multi-user, shared vaults, totp, etc...)
Honestly - part of the reason I like Bitwarden is that if they ever go full "enshittification", it's going to be relatively easy and straight-forward to just move entirely off their projects and onto open-source forks.
I store my passwords using this: https://www.passwordstore.org/
It's a shell script that stores passwords in a git repository, containing one file per entry. The files are encrypted using a GPG key. Because it's just a git repository, you can synchronise it between devices using whatever infrastructure you want. I use a FOSS client for it on iOS, and there was one for Android before I got an iPhone.
I tried using pass once. I like that it follows the Unix philosophy, and I want to like it, but the fact that all of your account names are visible in the clear is a deal breaker for me.
I'm interested in this, what do you use to host the git repo? Just a private repo on something like github or your own server? How do you backup your private key?
I also use pass. Any forge you feel like is fine (I use gitlab). I backup my gpg key with `gpg --export-ownertrust` and store that backup elsewhere.
Pass has a pretty good ecosystem of plugins/other clients, as well. There are open source iOS/Android clients and browser extensions so once you're set up the day-to-day experience is not far off from any of the popular hosted password managers.
My only real issue is the dependency on gpg, as it's pretty long in the tooth and a hassle to operate. (If you are not comfortable using gpg, spend some time learning that before you go all-in on pass!) There's a fork[1] which swaps gpg for age, but it hasn't attracted enough attention to get a similar ecosystem of mobile clients/browser extensions, so it's not a very practical choice IMHO.
[1]: https://github.com/FiloSottile/passage
I don't think Age will catch on as a replacement until it has a gpg-agent equivalent to facilitate access.
I run Gitea on my own server. (I didn't switch to Forgejo because it's not in the Debian repositories.) I don't have a backup of my private key... I should do that.
+1 for pass! I use this on my VPS to store secrets. I love that it syncs with GIT. Good stuff
I have used this for almost 10 years now. It's pretty barebones but it seems like the usable lifetime of commercial password managers is 4-5 years before they get enshittified, bought, discontinued, price-jacked, or otherwise made unsuitable for use. "pass" just keeps working.
So I have an admission here: I keep seeing HN stuff about these networked password managers and I don't quite understand the appeal.
Is it because everybody else is swapping between several different computers, and you need the synchronization?
I just have everything in KeepassXC, and the ciphertext is subject to the same kind of backup regime I use for other files, a copy kept on a USB stick in my pocket.
It's phones, mainly. People do also have multiple other devices, yes. For me another big pro is having a realtime offsite backup and being able to survive simultaneous loss of all my devices, which is plausible in correlated scenarios like a burglary, fire, mugging, car crash, etc, but I don't know how much others think of that one.
The people I know who use KeePass live like they're disabled. You ask them to sign up for something and they need to schedule a half hour for it two weeks out. Ask them to use a website and they need to wait until they're home because their biweekly manual data transfer was put off because of whatever. And if they ever drop their phone, it's this totally unforeseeable panic they're still recovering from two months later. I'm far from convinced it must be like this, but I'm also far from convinced that most KeePass people, or people using any other strategy, have really thought this through.
Multiple devices and family sharing. My wife and I share several accounts, so it's really nice that we can move them between private and shared vaults on 1Password.
> I just have everything in KeepassXC
Me too, but I rarely add/edit anything in .kdbx file, it rarely changes. So I just keep a copy on my phone and use KeePassDroid to open it sometimes.
If you change/edit your passwords all the time, and you like autofill and I assume other features, networked solutions are much better.
Having a password manager synced to phone, desktop, laptop, browsers is handy. I used Keepass 10 years ago but I prefer integrated experiences now, particularly since I often pull them up on mobile.
Also consider teams or multiple teams across an org sharing secrets. Flat files are a tough sell, so these apps eliminate almost all the hassle. We pay for a lot of 1Password accounts, and I couldn't imagine rolling our own solution.
In my case it's exactly that. I have a Linux gaming workstation, a work-issued (and managed) MacOS laptop and a Google-branded (Pixel) Android phone.
Bitwarden just works in all those places and the tech was, by all accounts, rock solid. AND I can pay for it instead of trying to leech off some privacy-ambiguous free tier.
USB sticks are infamously unreliable, not a great backup plan
Is it because everybody else is swapping between several different computers, and you need the synchronization?
.. and phones, and tablets. Yes
I think the caution around Bitwarden is justified; and I think it is good that the message is getting out there. I will say "while you still can" is hyperbole, and will do more to distract from the larger (correct) point about Private Equity.
That's why I use vaultwarden. I also like the fact that vaultwarden is written in Rust and does not consume a lot of resources, which is great for self-hosting.
I'm taking a "wait and see" approach with Bitwarden. I've been a paying customer for a while, happy with it, and hoping the leadership changes won't be too user hostile. Still, a major reason I chose Bitwarden to begin with is they have a decent "Export" button, and all of this news reminded me that my offline backup of the vault was a few months old. Regardless of their product roadmap, they could have an incident tomorrow that keeps users away from their passwords -- offline backups are a good idea.
And Vaultwarden is nice. I've used it at work, hosted it myself, and as a user of the password manager I can say it's basically indistinguishable. But I don't really pay Bitwarden for a password manager -- I pay them for a secure sync of a password manager I can share with family members who can't figure out a VPN.
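Two comments above describe the same habit from different angles: export the vault to a JSON file and gpg it, and notice when the offline copy has quietly gone stale. The script below is an added example, not code from Bitwarden, Vaultwarden or any commenter, that audits a backup directory for exactly those two problems: JSON exports still sitting on disk in plaintext, and a newest backup older than a threshold. It assumes backups are files in one directory, either a JSON export or that export wrapped with gpg, and that a JSON export carries a top-level boolean `encrypted` field as Bitwarden's JSON exports do; the sample files it builds are constructed and contain no real vault data.

```python
"""Hygiene check for offline password-vault backups.

Added example; not code from Bitwarden, Vaultwarden or any commenter.
Assumptions: backups live as files in one directory; each is either a JSON
export or that export wrapped with gpg. The JSON branch assumes a top-level
boolean "encrypted" field, which Bitwarden's JSON exports carry. All sample
files below are constructed and contain no real vault data.
"""
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def classify(blob: bytes) -> str:
    """Classify a backup by content rather than by file extension.

    Returns 'pgp-armored', 'pgp-binary', 'encrypted-json', 'plain-json' or
    'unknown'. Any JSON not explicitly marked encrypted is treated as
    plaintext, so an unfamiliar format fails towards "this needs attention".
    """
    if blob.lstrip().startswith(PGP_ARMOR_HEADER):
        return "pgp-armored"
    try:
        doc = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        # Binary OpenPGP data starts with a packet-tag byte whose high bit is
        # set (RFC 4880 section 4.2). This is a heuristic, not a parser.
        if blob and blob[0] & 0x80:
            return "pgp-binary"
        return "unknown"
    if isinstance(doc, dict) and doc.get("encrypted") is True:
        return "encrypted-json"
    return "plain-json"


def audit(backup_dir: str, max_age_days: float, now: Optional[float] = None) -> dict:
    """Report plaintext backups and whether the newest backup is stale.

    Staleness is judged on file mtime, which is all an offline copy offers;
    a directory with no backups at all counts as stale.
    """
    now = time.time() if now is None else now
    kinds, plaintext, ages = {}, [], []
    for path in sorted(Path(backup_dir).iterdir()):
        if not path.is_file():
            continue
        kind = classify(path.read_bytes())
        kinds[path.name] = kind
        if kind == "plain-json":
            plaintext.append(path.name)
        ages.append((now - path.stat().st_mtime) / 86400)
    newest = min(ages) if ages else None
    return {
        "kinds": kinds,
        "plaintext": plaintext,
        "newest_age_days": newest,
        "stale": newest is None or newest > max_age_days,
    }


def build_sample_dir() -> str:
    """Create a temp directory of constructed sample backups with backdated mtimes."""
    d = tempfile.mkdtemp(prefix="vault-backup-")
    now = time.time()
    samples = {
        # 120-day-old plaintext export left on disk: stale and unencrypted.
        "vault-old.json": (json.dumps({
            "encrypted": False,
            "items": [{"name": "example site", "login": {"username": "u", "password": "p"}}],
        }).encode(), 120),
        # 30-day-old password-protected export: still JSON, but marked encrypted.
        "vault-enc.json": (json.dumps({
            "encrypted": True, "passwordProtected": True,
            "data": "2.constructed|ciphertext|mac",
        }).encode(), 30),
        # 3-day-old plaintext export wrapped with gpg --armor (body is fake).
        "vault-recent.json.asc": (
            b"-----BEGIN PGP MESSAGE-----\n\nhQEMAconstructedbody\n=AbCd\n-----END PGP MESSAGE-----\n", 3),
    }
    for name, (blob, age_days) in samples.items():
        p = Path(d, name)
        p.write_bytes(blob)
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))
    return d


def run_demo(max_age_days: float = 90) -> dict:
    """Build the sample directory and audit it; returns the audit dict."""
    return audit(build_sample_dir(), max_age_days)


if __name__ == "__main__":
    report = run_demo()
    for name, kind in report["kinds"].items():
        print(f"{name:26} {kind}")
    print("plaintext backups:", report["plaintext"] or "none")
    print(f"newest backup is {report['newest_age_days']:.1f} days old; stale={report['stale']}")
```

Classification is done on content, not on the `.asc` or `.json` suffix, because a renamed file is the usual way a plaintext export ends up being mistaken for an encrypted one. Pointing `audit()` at a real backup directory with the threshold you consider acceptable is the whole usage.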
For TRUE offline password storage use "Off The Grid", a cryptographically secure paper-based password generator created by Steve Gibson from the Security Now podcast.
https://www.grc.com/offthegrid.htm
I switched to Apple Passwords this week. Really good passkey support, 2FA support, best iOS integration. You can even share passwords with others. Sadly no first party cli support. If you only use Apple devices, it's really solid.
I only use Apple devices myself normally, but if I'm stranded out in the middle of nowhere and have to borrow someone's Android phone or Windows box in order to connect to important stuff like my bank, I'd really rather not be out of luck. Same reason I don't self-host my vault.
Surely they have their reasons, but if they made Linux support work I suspect a lot of the dev community would jump. This household certainly would.
"If you only use Apple devices, it's really solid."
It's not a good idea to become dependent on a single corporation's products.
You can leave via Strongbox (a KeePassXC client), which supports the new export system that includes Passkeys.
Anyone not already using KeePass (or KeePassXC) has been doing it wrong for at least a decade.
KeePass2Android Offline and KeePassium on mobile.
My company just finished switching from LastPass to Bitwarden. Just in time for that to become terrible too it looks like lol
I've been using LastPass for years. I really like it. Why did you switch away?
Lastpass has had multiple large breaches, especially after LogMeIn bought them out
I only use Vaultwarden, which to my understanding is an open source reimplementation of Bitwarden's API. I personally haven't had any issues with it, not sure if it'll eventually stop being compatible with Bitwarden's official applications however.
I wish companies that offer such a core technology and what not were at times entered into a public trust, similar to how some public lands are managed, that would protect them from private equity takeovers; I know it defeats the purpose of the companies in the first place (making money), and it probably would backfire in myriad worse ways than the problems it might solve... But I do think there are many options for how products, services and what not can be structured that give the people who maintain them what they need to thrive; without mining the users for money.
Overly idealistic thinking, maybe... but still thinking.
Public management exists for natural monopolies where no market competition is feasible. The role of the public entities is to protect competition. In this case that would be mandating import/export interoperability.
Clients are OSS, I wonder why nobody did a Vaultwarden-style fork of them yet that would watch over upstream changes.
Until Bitwarden screws up it's going to be difficult for any fork to get much attention. If they do, that will be the moment to launch a fork.
It's Bitwarden's game to lose. Forking is easy enough that there's no great need to pre-emptively fork.
Vaultwarden is a very lean implementation of Bitwarden but if you want to look into an alternative to the Bitwarden ecosystem, I recommend - AliasVault https://github.com/aliasvault/aliasvault - check it out!
Sometimes I think when a startup announces that they are being acquired their competitors have a meeting that morning and announce that they're going to start dialing for dollars. Since acquisitions almost always hurt customers I wonder if we can start creating "poison pills" that deter them.
This is getting so tiring. What are the other options out there now?
ProtonPass
vaultwarden (self hosted)
We were just about to go to BitWarden from KeePass.
Yes, there are signs of an oncoming enshittification, and these types of articles gaining traction is good because it sends a signal to the company of potential consequences....but at the same time, the evidence supporting Bitwarden enshittification is pretty weak at this point. There are degrees here, not just either/or, on/off, good/shit.
I'm a huge fan of AliasVault https://github.com/aliasvault/aliasvault - the author is responsive, receptive. The whole ecosystem is opensource.
Bitwarden/Vaultwarden had a good run but if someone's going to self-host Vaultwarden, I would encourage people to look into AliasVault instead. It's a complete opensource ecosystem.
KeepassXC
"This way your passwords are truly yours"
They were never yours, and zillions of people you don't know have access to them.
The original creator of Bitwarden still works there as a CTO. I am curious whether he has any failsafes/poison pills in his contract when he took VC money that allows him to fork the product and start over in the event that they decide they want to lock everything down.
Or did he sign all of those rights away when he took the $100M "fuck you" VC funding in 2022.
Related:
The quiet renovation at Bitwarden
https://news.ycombinator.com/item?id=48163389
WOW. Quietly editing the 4-year-old blog post is super slimy, holy crap. Also seems like since this story was published, they edited the 4-year-old blog post again. The story points out
>But the explanatory paragraph at the bottom of the same post still says the old ones: Inclusion and Transparency. Crandell's name is still on it. The post now contradicts itself, and nobody wrote a new one.
Looking at the post right now, they've corrected it to Innovation and Trust.
Nothing says Trust like quietly and retroactively editing old blog posts. We have always been at war with EastAsia.
Third-party password management as an isolated paid service (i.e. you don't get password management unless you pay specifically for the password management) is just a terribly bad idea all around.
Waiting for people to get this.
A bad idea for you. My non-technical family members can barely use 1Password and it is the easiest of the lot. The idea you promote is just not realistic.
Not really. That something is convenient doesn't mean that it's a good idea. It's always a matter of convenience vs security.
The inverse also doesn't mean convenience is a bad idea, just happens 1Password has a strong security model and is convenient.
I end up helping a lot of older people for a variety of reasons with tech - 60s to 90s, family, neighbors, coworkers.
They're not invalids and have a right to participate in the digital world, even if security requirements have exploded.
Anchoring the trust in stuff like 1Password where we set up domains, their account info, their OTP codes means they get to go to their bookmarked site, FaceID to unlock the PW manager, get automatically logged in, and do what they need.
Being able to let them navigate this world without always having to hand over the paper secrets notebook to random helpers, or lose sheets of paper with passwords, or get caught up in tracking down an SMS code is better for them. Their password manager with the autofill helps somewhat deter phishing links since relying on autofill usually signals something is off, and they call someone they trust.
My point, I guess, was that convenience is basic access for some subset of vulnerable groups of people.
It's a catch-22: with password requirements getting crazy, it's hard to remember them. At the same time, storing the passwords with a password manager means you are entrusting them for your identity. For the first-party sites the passwords are hashed, however for these password manager sites they are at most encrypted with encryption keys that the third party already has. This essentially means a rogue password manager or rogue individual in the password manager service can run away with your plaintext passwords at scale.
This frames the only options as mediocre and better, when the reality is likely the third, most common, and worst option: nothing.
I think this is a little hyperbolic. The product may drop features, increase prices, and squeeze its free tier users. Everything enshittifies. But the idea that password export might disappear or be degraded? Nah. You'll be able to jump ship any time you want.
>You'll be able to jump ship any time you want.
Famous last words...
I mean, LastPass was a train wreck after their breach, but they didn't go as far as trying to stop me from exporting my vault when I switched to BW.
The idea of BW doing a rug pull and suddenly removing the ability to export your vault I think would trigger a class-action lawsuit.
I don't know why this is framed as "jumping ship" ... of course you can stop using it any time (and use your periodic export to go elsewhere).
The real issue is potential data loss. Remember LastPass? Bought by someone and downhill it went, with multiple security incidents.
Never underestimate the lengths companies will go to, to enshittify their product to squeeze customers for money.
Name one major password manager that blocks or paywalls export.
- Authy
- Google Authenticator
Not password managers of course, but thanks for reminding me that I should figure out how to ditch Authy.
https://github.com/BrenoFariasdaSilva/Authy-iOS-MiTM is going to be my project for the afternoon.
Ente Auth
is a good alter. Works perfect for me.
Google Authenticator has an export-as-QR-code function that several other authenticator apps can parse. Is it the best/most convenient implementation? Obviously not, but you can absolutely export the codes.
Notably not password managers.
This is a whole lot of FUD.
A tale as old as time, enshitification.