Get your passwords out of Bitwarden while you still can
I was a long-time Bitwarden user, until a year or so ago when I started migrating my passwords first to Firefox/LibreWolf, and recently from there to a KeePass database I can transfer and use with whatever password manager application is compatible with KeePass’ file format. It seems I was accidentally on time, as it’s come out over the last few days that Bitwarden is probably going down the drain soon. In February, the company got a new CEO, and in March, it doubled its Premium price, announcing the hike deep in a feature announcement.
The new CEO seems to be a bellwether for what’s to come for Bitwarden. He’s a mergers and acquisitions guy, with a history of gutting companies and selling them for parts, and changes to Bitwarden’s website also indicate where it’s headed.
The phrase “Always free” disappeared from the personal password manager page in mid-April. It used to sit prominently under the plan selector. The free plan still exists — for now — but the commitment language is gone.
And then there’s the values rewrite.
Bitwarden used to define its culture with the acronym GRIT: Gratitude, Responsibility, Inclusion, and Transparency. After May 4th, that changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.
Inclusion and Transparency are out. Innovation and Trust are in.
↫ Patrick Boyd
The “Always free” motto quietly reappeared on the site after its removal was uncovered and went viral on Fedi.
The change in CEO, the changes in values, and the removal (and reappearance) of Bitwarden’s well-known and oft-repeated commitment to its free plan have all been quiet. No announcements, no blog posts, no posts on social media – but they did edit a four-year-old blog post by Bitwarden’s former CEO to change that GRIT acronym. You don’t need to be an honors student to figure out where this is going, and what the new CEO’s plans are for Bitwarden.
Do as I did, and get your passwords out of Bitwarden. I strongly suggest using an open format that can be used by any compatible password manager, with KeePass’ formats being the obvious choice. This way your passwords are truly yours, and not dependent on someone’s continued commitment to free plans or proprietary services that can unexpectedly change hands. Bitwarden is licensed under the Apache 2.0 license, but with all of the above, one has to wonder how long that’s going to remain a thing.
About The Author
Thom Holwerda
9 Comments
I’m very happy with Vaultwarden, “An alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients.”
Hosted in my own infra and have done now for about 4 years. The Bitwarden clients cache for offline usage, but if I’m out and need to add or update an entry, I fire up a WireGuard session.
I should add that I do also use KeePass, where I store secrets for the infra needed to run Vaultwarden as well as Vaultwarden master secrets themselves.
Same, but I am beginning to wonder about the clients’ long-term ability to connect to self-hosted server implementations…
noberasco,
What do you mean? Aren’t the clients open source and couldn’t they be forked? It wouldn’t be the first time official antifeatures lead to FOSS projects being forked by a community that doesn’t like being bossed around.
But on the other hand there’s already a risk. Recent events at Bambu Labs highlight that people who publish their own forks can receive legal threats and be pressured to take them down.
https://www.pcgamer.com/hardware/bambu-labs-go-f-yourself-3d-printing-company-currently-under-fire-for-reportedly-blocking-3rd-parties-from-its-software-legal-threats-and-drama-aplenty/
Not sure if they’d actually do it but theoretically the same could happen with the Bitwarden client.
Thanks for this! Now I remember that, when I chose to go along with Bitwarden clients and self host them with Vaultwarden, I did indeed check that the clients were open source. I had forgotten, and with recent developments I just assumed that the clients were closed source. This makes it more future proof, even in case, like Thom predicts, that the company completes the enshittification process.
BTW, before going the Bitwarden route, I had tried with KeePass, but had issues making it work with my browser. I use an immutable flavor of Linux, so I normally install apps via flatpak, but the KeePass browser extension simply refused to talk with the KeePass application…
Not sure how many of you remember Neolander (IIRC he was temporarily OSNews staff). Well, interestingly, he wrote a password manager…
https://github.com/HadrienG2/Hashish
Fly-by-night online services. Corporate integrity at an all-time low. Don’t outsource anything for personal use. It’s not worth it. Everything out there exists only to “farm” you for cash.
As a paid user, I’m not moving yet, but I’d be interested in what’s a good alternative. What I like about Bitwarden:
– FOSS
– easy to use
– has built-in sync across all platforms
– support for TOTP and Passkeys
– Autofill in browsers and apps
– Password and username generation
– emergency contact feature with dead man’s switch
– Android app does not require Play Store or Play Services. (they have an F-Droid repo in fact)
1Password is pretty decent. Switched from Bitwarden couple years ago and never looked back. Pricey but worth it if you don’t want to think about your own infrastructure.
I think Chrome and iCloud’s password managers are now good enough for most people.
I am in the process of clearing all my passwords in Chrome, as I do not want Google to have my passwords on file. Another thing I will never do is record my credit card numbers in a “secure memo” text blob. I plan on running Vaultwarden on a dedicated Raspberry Pi at home, once I have properly configured my inbound connection with WireGuard.