by NickHoff 1375 days ago
Bitwarden already does one thing well. It's everything I'm looking for - open source, costs money but not much ($10/yr), 2FA, clean interface. I'm happy for the new investment, but I hope they don't start adding new things just for the sake of growing.

Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?

10 comments

> Why would a password manager need so much money?

The announcement suggests they are looking to also launch their own authentication service and tools for managing application secrets.

How did I have to scroll this far down to find someone who's actually read the post? Everybody seems to think the money is purely for expanding the password manager, while in the post they call out adjacent markets they want to expand to.

I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.

It's not that people didn't read the statement, it's that people have learned not to trust statements like this. Ask all Heroku's customers who were just fired by Salesforce to focus on their enterprise offering for example.
I’m pretty sure it’s still because people didn’t read the statement, lol
Why not both?
It's because we're all still in the middle of getting burned by 1Password spending millions to make our app run worse and do less.
That perfectly describes the 1password situation.
Wait, I'm just about to switch my entire family from LastPass to 1Password because of the latest LastPass hack. Should I be wary?
If you're new to 1Password, you may enjoy their service because you won't have the memory/experience of the things that were taken away or "how it used to be."

Now, as for whether one should worry because the company screwed their existing customers once already ... that's personal risk tolerance, I guess

My opinion is that 1Password is the best product out there for the majority of users, because they're pretty good about documenting their formats, have a very good export story, their customer service is mostly good, it's a reasonable price, and their UX absolutely spanks Bitwarden up one side and down the other

But, if a few years from now they rip the ssh-agent out of their Electron apps citing some "well, we decided" reason, or they ban 3rd party clients from using their API because "of sekurity," then no one should be surprised that the scorpion stung them

I almost switched to bitwarden last week, now glad I didn't, but the problem still remains of wanting to find a password manager that isn't crap.
The road to terrible software is paved with companies trying to expand to “adjacent markets”.
Not limited to software even, plenty of examples of companies chasing larger valuations by taking on stuff outside their core competency
Can I interest you in a Metaverse?
Greed kills like speed kills. It’s all very fun and exciting until you crash.
> How did I have to scroll this far down to find someone who's actually read the post?

Welcome to Hacker News

Welcome to the internet at large.
And by extension the world. For every person who reads a story, 10 more just look at the headline and absorb it subconsciously.
Now one hour later, the post is at the top! It probably just needed time : )
Welcome to HN/Reddit. Most threads have people commenting without reading the article at all (or very briefly skimming). More or less just reacting to the headline.

And according to HN guidelines, we aren't supposed to comment on if someone has read the article or not. Stellar.

Given Apple's push for a passwordless web in collaboration w/ Google and M$ [1], I was worried that BW would go out of business, but they have plans for this and I hope they succeed.

[1] https://www.apple.com/newsroom/2022/05/apple-google-and-micr...

Compete with Okta, essentially
I would love for Bitwarden to use this money to make SSO available to all pricing levels. Currently, in order to use SSO with Bitwarden you have to be on their "Enterprise" plan. I think SSO is too important to gate behind a paywall, especially for a company whose main product is security.
> Why would a password manager need so much money?

The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.

I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.

It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.

Isn't there already a standard for that: WebAuthn?

Hasn't really caught on, despite being several years in the making already

Sure, a standard exists, but that by itself isn't a great user experience. If you actually try to use something like a YubiKey you end up having to register multiple keys with each site to deal with a lost key (assuming the site allows that in the first place). Then you have to remember which keys correspond to which sites, and remember to get your backup key out each time you sign up somewhere new, etc.

Google, Apple, etc. are building on WebAuthn in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.

https://www.imperialviolet.org/2022/07/04/passkeys.html

I'm probably more excited about passkeys than most, but I don't see why you need $100M to add support for that. It's a pretty straightforward addition to existing password managers. Might even be easier to support than it is to build a user-friendly password autofill, all things considered.
I find that the easiest way to handle backup keys is with a printout of 10-20 pre-generated auth codes, which go in my safe. Much easier than having a backup hardware key I have to remove and then replace from my safe each time I need to add a new service.
Which is great if you have a printer (and are near it when you're signing up for the account, and remember to do it, and remember to put it in your safe, etc...). Just because it's the easiest way currently doesn't mean there isn't substantial room for improvement in the usability of passwordless systems. Most users aren't going to go to the trouble of printing something out like that.
You can also use a pen, though your point on ease stands.
And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.
Yes, and what is that one like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations which then get spun into a new standard they all "agree" to before.......
Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.

“It’s a feature not a product”

Given the number of businesses out there doing it I would venture to guess you are wrong.

Also, Bitwarden and other password managers are not just about storing the passwords. For example, on a personal level I use Bitwarden Family to manage my parents' passwords and to assist them with issues on various services; this gives me a way to set up accounts and securely share passwords with them for the services, and vice versa.

For business we use the Enterprise products to share passwords for everything...

None of which is a "solved problem" at the OS or Browser level

Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?

> and not enough people are willing to pay for it to be a profitable business.

1Password is doing just fine..

Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also DropBox.

1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.

1Password, a competitor, raised ~$650m earlier in the year off the back of exceptional growth. The investment case is likely: Bitwarden are doing well, 1Password are doing very well, maybe Bitwarden can do very well too with some additional capital. Password management is rapidly growing in mindshare, there's a big market and great room for growth, the amounts involved are commensurate with the opportunity -- every single enterprise will have a robust password management setup soon enough.
1Password is 4x the price and is not open source. Doesn't 1Password's stronger backing provide more risk for Bitwarden investors too (chasing the same customers but with less to spend on acquisition)?

Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?

Venture investments don't typically work that way: the goal isn't incremental returns YoY but rather major returns in the long term. Raise a fund, make a bunch of investments, report growth in valuation YoY (based on increasing valuations of portfolio) and then deliver returns once portfolio companies start to exit.

If BitWarden can use that $100m to 10x their valuation and then exit (whether that's an acquisition, going public etc.) the investors will have secured a win: if BitWarden's valuation stays where it is and returns ~$10m/year to the investor(s) over the next decade, that's not a great outcome considering the opportunity cost of capital.

Debt equity is the type of financing you're describing: lower risk, lower returns, not particularly exciting and not particularly attractive to investors if they believe the company has substantial upside potential.

Yes, I'm not familiar with expected returns for investments so my back-of-napkin maths was based on approximate housing inflation in the UK. I figured they'd want more than that as a minimum.

Clearly Bitwarden isn't a unicorn, being a smaller entity in a growing market; do VCs really expect a 10x (in couple of years?) from that sort of investment?

So, do you agree with my basic premise that they'll need a whole heap of customers, that they don't seem likely to get, in order to make any dent in the investors hoped for returns?

I’d suggest with almost absolute confidence that they are betting on unicorn status for BitWarden. I’d be surprised if they expect anything less than a >$2.5bn exit.
Or 1Password could just suffer from the DropBox problem - it’s a feature not a product.

Every company’s answer to that is also the same “we will target the enterprise”.

They aren’t “doing well” if they still require outside funding.

A feature of what service though?

The OS? iCloud keychain does this, it's not a compelling offering though if you need to use any other OS.

Something like Google? Not sure I'd want to risk my Google account ever getting locked and losing access to all my other accounts.

I'm not sure what that leaves.

The browser is the obvious option. Firefox and Chrome both implement ways to save passwords in the browsers. I believe Firefox has a service to sync them, Chrome may too (I don't use them, so I don't know).

They could reasonably tie in to whatever Office-suite you use (GSuite, Office 365).

In the enterprise, it could be part of a larger "credential management suite" product managed by security. Allow syncing and auditing of credentials, like "when was the last time this cred was changed?" with some kind of automation to generate and push a new credential when need be.

From the outside looking in, a basic credential manager doesn't seem complex enough to be a standalone product.

Is that a large enough market to be a sustainable, profitable business?
I would think so, on the business side of things. I'm not entirely sure what we pay for 1Password because we pay it without question tbh. We have a fair few subscriptions but 1Password would be up there with the indispensable ones.
They'll probably aim for competing with the likes of Okta in delegated authentication and identity management, which is a huge market that needs some more competition. I'm in favor, and it really doesn't need to have any negative impact on their existing user base, at least so long as they can manage their growth and don't become a dysfunctional org because of it.
I just hope we won't get a repeat of LastPass - some company buys it, then just keeps it on life support while raising prices.

Also, the "OSS" version is not really open source; it's just the core, and all the features you really want from a password manager are behind the paid license anyway.

Like what? All the features that a password manager needs to have (and the features that 99% of people need), the OSS version has. SSO, organization management etc. is not something that a "password manager" needs to have.
Like TOTP, which is part of the paid variant, and I consider that an essential feature of a password manager in 2022. Don't get me wrong, I am not complaining about that business decision, just answering since you asked.
To be fair, TOTP should be a separate device to fulfil the criteria of actually being 2FA.
I totally agree, however there are some low-criticality services where 2FA is a burden and having it in your main password manager app is a tradeoff worth consideration. Definitely NOT your primary email address.
TOTP should be on a separate device.
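Added example (not from any commenter in this thread, nor Bitwarden's or 1Password's code): a self-contained RFC 4226 / RFC 6238 implementation showing how TOTP codes are derived from the shared seed. It makes the sub-thread's point concrete: the seed is the only secret, so whoever holds it (including anyone who has obtained a vault that stores seed and password side by side) can compute every future code, which is why the "separate device" argument is about where the seed lives, not where the code is typed. The seed value below is the published reference seed from those RFCs, used only for verifiable test vectors; the base32 helper reflects how authenticator apps store seeds in otpauth:// URIs.

```python
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    # 31-bit value taken at the offset chosen by the digest's last nibble
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and
    +/- `window` neighbouring steps to absorb clock drift.
    Constant-time comparison avoids leaking which digit mismatched."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(seed, counter, digits), code):
            return True
    return False


def seed_from_base32(encoded: str) -> bytes:
    """Decode a base32 seed as found in otpauth:// URIs; spaces and missing
    padding are tolerated because apps display seeds in grouped form."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Reference seed published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# a test-vector value, not a real credential.
RFC_SEED = b"12345678901234567890"


def demo() -> dict:
    """Return the reference codes so the derivation can be checked offline."""
    return {
        "hotp_counter_0": hotp(RFC_SEED, 0),
        "totp_t59_6": totp(RFC_SEED, 59),
        "totp_t59_8": totp(RFC_SEED, 59, digits=8),
        "round_trip_seed": seed_from_base32(base64.b32encode(RFC_SEED).decode()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Usage note: anyone with `RFC_SEED` reproduces every value `demo()` prints, which is the whole reason a seed kept in the same encrypted vault as the password is best thought of as a convenience feature rather than an independent second factor.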
Enterprise sales presumably?

A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.

$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.

I don't really want them to grow. Growing usually means overinflated expectations and when they aren't met by the new products they will try to retrieve the shortfall from their existing customer base with additional monetisation, driving them away in the process.

I hope it won't go this way here, but such a cash buy-in is usually the start of a difficult time.

> $10/year customers are completely irrelevant to a company at this stage.

Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(

When $10/year is often less than .01% of even a junior developer's salary with benefits, then yeah, that does kinda mean we can't have nice things, if nice things require a few devs to implement. We've all gotten so used to getting things where the VC discount was already fully priced in over the last decade that we're deeply conditioned to expect everything to be sold at VC-subsidized prices, which it turns out isn't really economical for most non-VC-backed businesses to sell at.

I'm sure someone will, like clockwork, reply to me that that could be done by one developer in C, sold for $0.50 and then never patched again because UI designers just mess everything up and no one should have a smartphone anyway. If that's your idea of "nice" then you're likely living a happy life, but if you expect a UI and reliability like even oldschool 1Password or Lastpass, then $10/year isn't buying you that level of development and support.

Well, the thing is, we have nice things now. I don't think most bitwarden users are screaming for new features. Simply continuing as they are with current staffing would be preferable to risking the farm with a big new product.

And the kind of user that picks bitwarden over LastPass or 1Password is not the kind that needs a ton of support.

I guess the question is if they felt like they could continue with their current staffing. Obviously this is a really big funding round, so they clearly decided to aim for more than the status quo, but I've seen plenty of projects where it was many dev's side project, or it was a small number of full-time dev's work, but they were getting burned out and overworked trying to provide the service.

It just always feels too easy to assume that it was sustainable to run/maintain some minimally priced service. Perhaps they realized they needed more developers to have a healthy relationship with their job, and instead of raising the price to $30/year or more to match the new costs, they decided to shoot for the moon.

I'm certainly not trying to say that it's obvious that they're making the right call by taking this investment, or that this won't all fall apart. It's just also important to not assume that the status quo for them was something they could keep going on for the next 3 years.

> Why would a password manager need so much money?

A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.

Not saying that's what happened here but I've seen it happen this way.

With smartphones leading the push towards digital everything, passwords (auth / authz) have become the most important asset, even for consumers.

Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz

Which has also become a single point of failure, and a target for social engineering, since "lost device" or "stolen device" etc. becomes the new de facto backdoor.
The interface could use a lot of work: i.e. search for cards and logins should not be separate. It also visually doesn’t look great.
Marketing