Ah for fuck's sake. It keeps happening to all the software I love. I guess I'll have to stop relying on convenience (I was a 1Password user years ago) and go 100% open-source. None of the libre offerings seem to be as convenient and polished, but at least they're not in some VC's pocket ready to squeeze as much profit as possible out of my paid membership.
What's a good OSS alternative that works with iOS and Linux? Anything that's audited? (perhaps that's asking for too much)
I agree, and I wish we had more power in these things than just forking. Now that I know Bitwarden took VC money, I'm also fucking out of this mess, and here I was about to renew for the 5th year in a row.
Fuck VCs, they ruin everything good. Can I say that here? It's true.
The entire finance industry has a disdain for "lifestyle businesses", that just generate enough profits for the founders and employees to live on, but will never generate an exit beyond that. I get why, but for utility products, a solid lifestyle for the employees and a useful product for users is enough, and should be enough.
And can be enough if you don't need large quantities of investment capital. If you don't _need_ it, but _want_ it to get fabulously wealthy... well, "lifestyle business" is not the path to that, by definition.
It's almost like the interests of those who want to get fabulously wealthy -- whether founders or investors -- become misaligned with the interests of the users, even steeper/faster than when you "just" have a "lifestyle business".
The thing is, founders can get fabulously wealthy with a lifestyle business or at least very wealthy, but it might take longer. But all the established money seeking rent parked at VC firms can't get a cut if you don't play ball with them.
> But all the established money seeking rent parked at VC firms can't get a cut if you don't play ball with them.
OK, but why does a founder care about that? Either they think their business model can't get them to a sustainable lifestyle business without external capital investment... or they want to get more-than-lifestyle-business wealthy, right?
Lifestyle businesses have a big flaw in American culture though; our safety net is not enough to make "meets expenses" a tenable long-term approach. We basically have to aim for a big wad of savings for later in life, which incentivizes going for exits and cash-outs.
VueScan (hamrick.com) is a very good example of a successful lifestyle business (first release in 1998). The founder and his son work on the product full-time. I don't think they have any other staff, but I could be wrong.
Perhaps, I would hope that a sustainable lifestyle business would be able to pay employees and founders enough to build a comfortable retirement nest egg through savings, investments, and compound interest.
I feel so happy that we have created "billion dollar global platforms" instead of universal healthcare or ensuring everyone was sleeping indoors. Woo-hoo!
You can definitely say that here. To me the problem isn't exactly VCs, it's the expectation of rapid, open-ended growth that ruins good products and companies. Of course, the driver for that is often VCs, but it can come from other places too.
Upvote for keepassxc. I've been using it and its predecessor with the same database file for something like 15 years and have seen many of these services come and go in the meantime. It will outlive Bitwarden for sure.
In your opinion, what would the ideal password management business model be? A non-profit like Signal? (Not rhetorical, actually curious what people want here.)
As a thought experiment, let's say there are 1000 people who get annoyed when a software product they use takes VC funding. For those 1000 people to sustain a software product with a team of 5 for 10 years at 150k average per head, you'd need 7.5MM dollars just to break even. That's $7,500 per user, or $750 per year. I doubt many people would be willing to pay that just to have a product that never takes VC funding.
And note that's just to cover labor costs. If you want it audited, that's a solid 25k per audit. Operating costs for website and infrastructure, etc. Now if the product was exceptional and beat out other products in the space and generally had a slice of the pie, the number of users would increase and per user cost would decrease. But also doing as much with a team of 5 is no small feat.
I'm not sure if there is a good business model in password management. I can't answer that question. What I do know is, a good password manager is the type of software that should strive to be feature complete. And at that point resources should be used for maintenance, security, and software/OS compatibility updates. In other words, a low-if-any growth, but profitable business assuming the software is good.
But once you get into VC funding or acquisitions, businesses tend to want to grow and bloat their products by adding features no one asked for to increase their perceived value. I know I'm tired of seeing this happen to beloved software time and time again.
Non-profit like Signal that sells cloud hosting to pay the bills, standard protocol with self-hosting option for the server like email/browsers agreed upon decades ago, anyone can create an interoperable desktop/browser/mobile client. Fully encrypted such that even the non-profit doesn't have the decryption keys.
That being said: it's unclear if anyone really understands how to build an open source product with cloud hosting covering the bills. Almost everyone either makes a deal with the devil (VC funding) or upsells too aggressively anyway.
Cloud storage and CPU usage is basically negligible per-user for a password manager. I imagine you could service hundreds of millions of users on just a couple of capable machines, similar to HN's setup. Even with hundreds of passwords, most users total mere MBs of usage -- it's even simpler than email!
I think this is one of the rare cases where corporate users can pay for big accounts with special sharing features and completely subsidize a free product for individual users. Or you could charge individual users $5 a year to cover cloud costs (more than enough), with self-hosting as an option for highly technical users to save a buck.
> sells cloud hosting to pay the bills, standard protocol with self-hosting option for the server like email/browsers agreed upon decades ago, anyone can create an interoperable desktop/browser/mobile client. Fully encrypted such that even the non-profit doesn't have the decryption keys
All of those are true of Bitwarden, except for the non-profit part...
> Or you could charge individual users $5 a year to cover cloud costs
And who pays for the development?? Bitwarden already charges only 10€/year, so they're basically doing exactly what you're proposing, but paying for development with VC money.
Even if servers were literally free (they're far from it!), do you have any idea how many users they'd need to cover just the minimal amount of developers, one business person and either an in-house or external security auditor? And who would pay for all of that during the time it took them to build up that user base??
I hate the VC culture as much as the next guy, but unless the founder is already crazy rich, you need external capital to start up any decently large company - or even a non-profit.
Another advantage to KeePass is that there's about half a million clients and most are actually written to be used for their platforms.
Lots of more "modern" password managers (as well as generally other software) kinda suffer from having this weird mixed mobile and desktop interface, inheriting all the downsides of each interface while gaining the advantages of neither. (Not to mention all the issues with porting stuff between two different OSes; Mac and Windows have completely different ideas on what an interface should look like.)
KeePass's official client being windows-only is a blessing in disguise since it means that each client developer can specifically focus on making it look good on whatever specific platform they're targeting.
I use cloud storage to store the kdbx file and sync it across a PC and my phone. It’s pretty awesome 99% of the time and just works. Once in a while you get a merge conflict and it’s not so good.
Even merge conflicts have been a lot better for me in recent years. My only worry with KeePass is that I have to rely on potentially sketchy client applications but I'm also fortunate enough to have the skills to make my own if I really felt the need. It's one of the few "not-my-solution" pieces of software which continually gives me a sense of data ownership.
I love Bitwarden. I've been a customer for years. Great product. Great team. However, I recently quit for this exact reason (evil VC influence), and migrated all of my secrets to KeePass. Yes, a slight inconvenience to manually sync across devices, but I sleep better at night knowing my secrets are no longer in the hands of some VC suit.
If a simple git-based CLI solution is appealing to you, then try https://www.passwordstore.org/. I wouldn't recommend it to someone non-technical, but personally, I've never looked back.
There are iOS and Android clients, too. Not especially polished, but they do the job.
Love passwordstore, been using it for almost 6 years with zero issues while watching my friends run frantically from one compromised or greedy password manager to another.
As mentioned in other comments, BitWarden has both OSS client and server implementations. You can keep using it and if something goes wrong (or earlier, if you wish) you can always run it yourself.
I haven't seen, but would love to, a tech startup that is guaranteed not to sell out. I don't mean a promise from the founder on a blog, but a legal structure. I'm not sure what form this would take or if it's such anathema that it could never be, but it would be great to see.
I'm sure I'm not the only one who's tired of the bait-and-switch of companies who are all about freedom until they get acquired by a giant and then start hastily walling their garden.
Is it true that they couldn't sell out though? I imagine if the buyer offered a pile of money then the majority of the owner-workers would go for it, even at the expense of the users.
Interesting how your list focuses on worker-owned cooperatives. I had mostly thought about customer-owned cooperatives up until this point. Most of my exposure is with customer-owned ones, perhaps due to living in an agricultural area (grain elevator co-ops, fuel co-ops, rural electric co-ops, rural broadband co-ops). And working for one!
I think that a worker-owned cooperative is not really in line with what I would consider to be the traditional cooperative spirit.
Customer-owned has a clear mission to deliver value to its owners. That value would be to provide various services essentially at cost. Workers are paid market rate to get the work done. Profits are given back to the owners (customers).
Worker-owned also has the mission to deliver value to the owners. The workers are going to value making as much money as possible, though being careful to not go past the point where they would find themselves without a job. So this type of co-op will be trying to extract maximum value out of the customer. This is a significantly different proposition. This type of co-op seems more like a company with an ESOP.
I could see either type choosing to sell out. I guess either the workers or customers would think they have better places to invest the capital. So I guess co-ops too have up and down lifecycles like a standard company. As the co-op becomes ineffective or no longer needed, the capital invested in it would be re-deployed.
Bitwarden is open source. You can self-host. The apps in the store are compatible with the self-hosted option; just change the URL to your server. You can also fork any of the projects and build it yourself if you don't trust them.
I wasn’t aware of this, but I’m glad I am now. If that’s the case it’s time to look elsewhere or self host, VC funds and acquisitions are rarely good for users so I’ll assume the worst.
It comes from a concern that VC backed investments demand a constant level of revenue growth, causing a company to add features or integrations that do not improve the base product. Organic growth is usually insufficient for stockholders, whose demands become a priority over stakeholders.
If the user base does not increase at some rate determined by the investor, then growth comes in the form of advertising, partnerships, or similar that negatively affect the _product_ existing customers signed up for.
This does not stem from VC but from the “C” itself - capital. In order to function in capitalism, production must facilitate the creation of surplus value that can then be appropriated. Over time, with the tendency of the rate of profit to fall and with inflation of prices, you will see a race to the bottom.
The issue is that there are a large number of products/companies (I think the vast, vast majority) whose addressable market size isn't that big, but when they take VC money they do all types of unnatural things to try to grow instead of focusing on the couple things they were really good at. Couple cases in point:
1. Totally agree with the comments that VC funding absolutely killed LastPass.
2. Twitter is probably another good example. Twitter was a really large business, but they were constantly wringing their hands about what they could do to get as big as Facebook or Instagram. What if the answer was always just "No, you'll never be that big, just don't even try". So instead of improving their core bread-and-butter (and fine, easy to argue they didn't even do that super well), they wasted a ton trying to get users who were never going to use Twitter in the first place.
3. Very closely related to this idea about "When large sums of money become toxic", the private equity consolidation in US health care is another ongoing disaster. PE comes in with the promise of "streamlining operations", but instead they are just vampires, cutting stuff to the bone so that the health care system isn't able to respond to spikes in demand (e.g. Covid): https://www.statnews.com/2022/12/14/moodys-private-equity-he...
craigslist famously rejected taking outside money for years.
But more importantly, I don't think VC or VC money is always bad, but I get extremely wary when a relatively small company gets a shitload of money that they'll then be forced to grow into a way that means they'll lose focus on their core product.
I remember when I told a friend of mine that Postman raised nearly half a billion dollars in total funding, and his jaw dropped "You mean that browser plugin that allows you to make REST calls???" And sure enough, postman got filled with more and more "enterprise-y uselessness" to the point that I just stopped using it.
> but I get extremely wary when a relatively small company gets a shitload of money that they'll then be forced to grow into a way that means they'll lose focus on their core product.
Irrationally so. That's my point. There isn't a strong indicator that correlates to a company being a craigslist vs a company being a Postman. The median is somewhere in between and it's not as dire as you pose it to be.
Or it could be that the probability of having to do anti user things to earn an ROI for a $100M investment into a password manager is too high.
$100M to develop a new processor or phone or vaccine or search engine or social network that delivers video to everyone worldwide is different than $100M to a password manager or other “simpler” project.
My guess is they will follow 1Password and have more strategies to monetize users. I wonder what the difference between the two services will be at the end of the day.
1Password in my experience was the biggest scum of bait and switch I ever faced.
They used to do "lifetime" licenses which I bought into, but wouldn't support it beyond one year of release and stop giving me updates.
Later, they invested heavily into the cloud side of things, and brought in confusing subscription-based pricing which made it expensive and difficult to understand. All they're doing as of now is trying to increase prices and tear into your pockets.
With BW I have never expected the same and I am still hopeful on giving them the benefit of doubt.
1Password NEVER had lifetime licenses. We made this decision since day one because we had a product before that died because it was a "lifetime" purchase. The 1Password license is valid for the major version of the app. The license purchased would still work with that version today. If you look at the release history of 1Password apps — every version had a ton of updates made long after the app was no longer on sale. For example, 1Password 7 was updated just a month ago: https://app-updates.agilebits.com/product_history/OPM7
The licenses are also confusing — people had to purchase apps separately for every platform: macOS, Windows, iOS, Android. And then they had to purchase upgrades separately as well.
They did? Oh JFC I just switched from 1Password to avoid using a VC backed service. At least there's always Vaultwarden, now all I need is a service I can pay to host an instance for me. ...and to not take VC funding.
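Since several comments above point at the self-hosting route (the store apps work against your own server once the URL is changed, and Vaultwarden is the lightweight server people reach for), here is a minimal deployment as an added example. It is not from the thread, from Bitwarden or from the Vaultwarden project; the hostname, the bind port, the data directory and the token value are placeholders, and it assumes a TLS-terminating reverse proxy (not shown) in front of the container, because the official clients and the web vault require HTTPS.

```yaml
# Added example: minimal Vaultwarden deployment. Assumes a TLS-terminating
# reverse proxy (not shown) forwards https://vault.example.invalid to the
# port bound below; hostname, port, directory and token are placeholders.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Must match the public HTTPS URL the clients will be pointed at;
      # the web vault's crypto APIs only work in a secure context.
      DOMAIN: "https://vault.example.invalid"
      # Close open registration once your own accounts exist; otherwise
      # anyone who can reach the server can create a vault on it.
      SIGNUPS_ALLOWED: "false"
      # Gates the /admin panel. Leave it unset to disable the panel
      # entirely; if set, generate a long random value (openssl rand -base64 48).
      ADMIN_TOKEN: "REPLACE_WITH_LONG_RANDOM_VALUE"
    volumes:
      # Encrypted vault data, attachments and the SQLite database live here;
      # back this directory up, since clients only hold a cache of it.
      - ./vw-data:/data
    ports:
      # Bind to loopback only, so the proxy is the sole public entry point.
      - "127.0.0.1:8080:80"
```

After `docker compose up -d`, set the self-hosted server URL in each Bitwarden app or browser extension (before logging in) to the same value as `DOMAIN`; the vault stays end-to-end encrypted with the master password, so the server sees only ciphertext, but that is exactly why backups of `/data` matter: nothing else holds the canonical copy.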
I switched from 1Password to Bitwarden, imported my vault, and then realized that their client doesn’t even support drag ‘n drop.
I’ve been wanting to switch from 1Password to Bitwarden for years, but each year I try it I’m just flummoxed by how atrociously behind the UX / UI still is.
Unless you (or whoever you’re getting to switch) are an absolute open source absolutist: do yourself a favor and go for 1Password.
Bitwarden is the first password manager I ever used. Where would it use drag and drop and for what? I wish it would be better controllable via keyboard only. That is, when you use the Firefox add-on and tab out of the Bitwarden popup and tab back in again it remembers the focus on e.g. the copy password button; you just have to hit space again and tab back to the terminal window where you need to use the password. But Brave doesn't remember the focus, so annoyingly I have to grab the mouse.
In 1Password there's at least a half dozen ways that drag and drop could be used:
- Drag a password into a password field
- Drag an attachment from Finder/Explorer into an item
- Drag an item from vault to vault (or collection in Bitwarden parlance)
- Drag an item into a tag or folder to add that item to the folder, or add that tag to the item
- Drag an app to the 1Password icon to create a software license item with the icon of the app as well as name
There are also drag and drop functions, some similar to above, on iOS as well.
Bitwarden is... and I agree with the grandparent here, awful from a UX angle, compared to 1Password. It's certainly functional, but that's about where it ends for me.
You must be on Mac, because my 1pw experience is horrible on Linux. Editing a password in the browser extension opens a new tab in which I have to log in all over again. Ugh. Bitwarden at least doesn't do that. Drag and drop? Nope.
I use 1Password on Linux and this isn't my experience.
Until recently I was using it for two different accounts in the same 1Password business account, one account enabled with integration to the desktop app and a second account on another browser profile (for admin purposes) with just the browser extension.
Neither of those necessitated logging in again in another tab.
Still using 1Password, but Firefox containers have removed the need for multiple Firefox profiles.
For a second business I use Bitwarden, and that works well, but I find 1Password superior in so many respects.
Technically it does the same thing on Mac, it opens the Mac app. But on a Mac there's universal unlock, so if you have the extension unlocked, the app will unlock, so it opens the item you want to edit in edit mode.
If you don't have the app installed it opens the website in a tab to sign in and edit.
I did try to switch a year or so ago and got really frustrated. Tried again a week ago and Bitwarden does seem a little better. It helps that it feels like 1Password's app has been getting more bloated over time (though I have no data to support that assertion).
I have no interest in those things, they're good examples of what I don't want in my password manager.
Sorry, I don't mean to sound like an ass, they look like very well put together features. They just remind me of when Dropbox decided to start offering document editing. Not what I go there for.
Fair enough, everyone has their own requirements. I'd argue that all modern operating systems have password management already built-in.
We have a lot of 1Password customers with families and team members that require more than a single vault, need an option to recover team/family member access and often have to securely share data with other people, accountants and lawyers. Also, many developers and admins that want to keep their SSH keys safe.
I refuse to use a cloud-based password manager, they will all be hacked eventually. I will continue to use and pay for the standalone 1Password as long as possible, and then be forced to self-host vaultwarden.
Doesn’t necessarily mean change will come to the current offering; acquisitions can happen because new or enhancing existing product lines (like enterprise) are in the future.