• fuckingkangaroos@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      I don’t understand.

      Are you saying it’s a bait and switch like Google, where they suck people in with a good product then enshittify it once they’re hooked?

      • ArkyonVeil@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I’m not thoroughly aware of their dealings, but these amounts of private investment aren’t going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.

        From the looks of it, Bitwarden might’ve tried to go with the Open Source model to get free development resources, trust (because it’s an open source PASSWORD manager), and general goodwill. But now that they’ve deemed that got enough of a market share (or investors are starting to breathe down their necks), it’s time to start raising the walled garden.

        Even if they claim after the fact that it was a “Bug” that the client couldn’t be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.

        VC is a devil’s bargain. Raising VC money is NEVER a good sign.

      • Liz@midwest.social
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I switched from keepass to Bitwarden because individual entries started randomly disappearing. I’m still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn’t touched since before the entry disappeared.

        • Serinus@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          Sound like something you did with replacing files. Bitwarden is dead simple, and that’s why it’s great.

      • solsangraal@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        so the “no longer open source” means they’ll be moving to a saas model or something? i’m not super cybersecurity savvy but bitwarden is what i use

        • winterayars@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          No, technically they already are SaaS company. That’s mostly how they make their money.

          Also it should be noted “no longer open source” doesn’t mean they’ve done a “our code is now closed and all your passwords are ours” rug pull like some other corporations. This is a technical concern with the license and it no longer meets proper FOSS standards (in other words, it has a restriction on it now that you wouldn’t see in, for example, the GPL).

          So by and large the change is very minimal, the code is still available, it’s still the best option. However, this does matter. It may be a sign of the company changing directions. It’s something they should get pushback about.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            From the update, it looks like they consider it a bug, which they’re working to resolve. Let’s see how they resolve it before jumping to conclusions.

          • dustyData@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            9 months ago

            The SDK was never FOSS, and was never under the GPL. Hence why they can add the text mentioned in the article. You don’t get to change the text of a FOSS license to begin with. It isn’t unheard of for text like this to be part of proprietary software that integrates with and uses FOSS that are under different licenses.

            That said, this is concerning, but whether it changes BW’s FOSS state is a matter of legal bickering that has been going on for decades.

            • KairuByte@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              You can’t retroactively change FOSS licensing, but oft times you can alter the licensing moving forward. Not always the case, of course. But in no way are all FOSS licenses set in stone.

    • oaklandnative@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Proton Pass is open source and the company that runs it recently reincorporated as a Swiss non-profit to ensure their privacy mission can’t be bought out by venture capitalists etc.

      https://www.reddit.com/r/ProtonPass/comments/153t85q/proton_pass_is_open_source_and_has_now_passed_an/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

      https://proton.me/blog/proton-non-profit-foundation

      • ilmagico@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        +1 For KeePassXC and the KeePass ecosystem. Yes, you need to sync the database yourself, but you can use any file sharing service you like, e.g. google drive, dropbox… or selfhost something like nextcloud (like I do), which for me is actually a point in its favor.

        Based on this news, I think I made the right choice back then when I decided to go with KeePass.

        • kill_dash_nine@lemm.ee
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          As someone who used to use KeePass, went to LastPass, and then Bitwarden (Vaultwarden), I finally got my non-tech literate wife to use Bitwarden. I’m concerned that KeePass might end up being more difficult if it comes down to it. I believe that KeePass had some sort of browser integration but it really has been a long time since I used it so who knows the current state. Curious how browser integration is today.

          • GHiLA@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            9 months ago

            The big issue isn’t using it, it’s syncing it.

            User A used KeePass to order pizza and changed the Papa John’s(heaven forbid) password while they were at it, on their desktop.

            syncing: “oh! This file changed! Neat!”

            User B picks up their phone and wants to order Papa John’s at work. They try, but the password isn’t right. Huh. They check KeePass. No issues. They go to change the password because they think something is wrong.

            (All the while, they never thought to see if syncthing had been woken up in the background lately)

            They change the password, update KeePass,

            syncthing opens later, goes: "Oh, hi, User B’s phone! I have a ne- Oh! You have a new password file too!!? Small world! I’ll take both!

            Now there’s two files, two users who think they both made corrections to a password, syncthing thinking nothing is wrong, and someone has to now merge the newer KeePass file over the old ones by hand and realize what happened, but the bigger problem is, no one knows anything is wrong yet and it doesn’t even take two users. This can just be you ordering on your phone after modifying on your desktop.

            well, it’s just pizza.

            As an example. Imagine an insurance app, or a banking app, or the DMV… And you won’t know for months down the line. It gets old.

            • kill_dash_nine@lemm.ee
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              Ah yeah, the fun of how that works. I recall that I had previously set up WebDAV to try to simplify my source of truth but I think that was just with the original KeePass app, not KeePassXC. I also wasn’t trying to share passwords among multiple people but I do recall having issues when I was using Dropbox to sync to my phone since I would have to actually make sure Dropbox had updated the copy of the file which required me opening the app at the time.

          • ilmagico@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            I use KeePassXC’s browser integration daily and it works pretty well with Firefox (linux), well enough that I’m not complaining, but I cannot compare it with Bitwarden cause I never used it. On Android I use Keepass2Android and works well with autofill, but again, I can’t really compare it.

            Something tells me Bitwarden works better, just by virtue of being a commercially supported product, but I have no complaints with KeePassXC & Keepass2Android (KeePassDX works well on android too). Original KeePass desktop client was never great though.

    • ChillPill@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Keepass? No cross device support, you need to manage that yourself through something like Google Drive…

      • solsangraal@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        lol that’s what i used before i switched to bitwarden-- didn’t have any complaints, but the database key file thing was kind of a pain

      • ilmagico@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        What do you mean “no cross device support”? KeePassXC supports Win, Mac, Linux and there are iOS and Android apps available…

        As for the lack of cloud and requirement to provide your own synchronization, for some (like me) that’s a feature, not a limitation :)

        • hedgehog@ttrpg.network
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          Do any of the iOS or Android apps support passkeys? I looked into this a couple days ago and didn’t find any that did. (KeePassXC does.)

          • ilmagico@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            9 months ago

            I don’t use passkeys so I don’t know. Maybe I should research into passkeys, what’s the benefit over plain old (long, randomly generated) passwords?

            • ilmagico@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              9 months ago

              Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, …) to authenticate you, so, yeah, I’m not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.

              I’ll stick to old-fashioned, long, secure, randomly generated passwords, thanks.

              • deejay4am@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                9 months ago

                Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.

                This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.

                Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.

                • ilmagico@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  9 months ago

                  I see, that makes sense and should be more secure, in theory. Thanks for the explanation.

                  The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it’s different, but that’s not my only OS).

                  Also if the private key does get compromised (e.g. local malware steals it), hopefully there’s an easy way to revoke it.

            • jqubed@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.

  • Boozilla@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Goddammit. It’s getting to the point I’m going to have to figure out how to write my own app for this.

    • Humanius@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      It shouldn’t even be that complex…

      I might be mistaken, but ultimately a password manager is basically nothing more than a database of passwords in an encrypted zip file. That could entirely be self-hosted with off the shelf open source applications stringed together.
      All you’d need is a nice UI stringing it all together.

      • xthexder@l.sw0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I’ve done basically this in the past by encrypting a text file with GPG. But a real password manager will integrate with your browser and helps prevent getting phished by verifying the domain before entering a password. It also syncs across all my devices, which my GPG file only worked well on my desktop.

      • LedgeDrop@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        It’s the “stringing it all together” that could be problematic.

        If you have multiple clients (desktop/cellphone) modifying the same entry (or even different entries in the same “database” ). You need something smart enough to gracefully handle this or atleast tell you about it.

        I did the whole “syncing” KeePass and it was functional, but it also meant I needed to handle conflicts - which was annoying. I switched and really appreciate the whole “it just works” with self-hosted bitwarden.

      • HereIAm@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I see it as it’s easy to self host. But I’m not skilled nor rich enough to guarantee the availability of it. I don’t want to be stuck on a holiday without my passwords because my server back home died from black out or what have you.

        I pay for bitwarden and the proton mail package to keep the password management market a bit more competitive and it actually works out cheaper. It would be nice to have protons anonymous emails built in, but I can live with it.

        But I might have to reconsider if Bitwarden is going a different direction that what I’m paying for.

      • wintermute@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        Keepass is exactly that. Basically all the client side parts, and the database is a single encrypted file that you can sync however you want.

      • Boozilla@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        Thank you for the update! I would like to keep using it. I’ve been very happy with Bitwarden both as a password manager and a TOTP authenticator. I have even recommended it to my boss as an enterprise solution for us to use at work, and so far we are planning on replacing our current password database solution with Bitwarden.

        Unfortunately, with “enshittification” being so common these days, it was very easy to believe they were also going to the dark side. I will remain cautiously optimistic after learning it was a packaging bug.

        Here’s a link to the post on X (yes, I hate X, too) in case anyone else is doubtful:

        https://x.com/Bitwarden/status/1848135725663076446

        • ArxCyberwolf@lemmy.ca
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          Yeah, I was worried about it too. I’ve become pretty cynical when it comes to everything becoming enshittified, but I’m hoping they stick to their word.

  • ShittyBeatlesFCPres@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.

    • asap@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      9 months ago

      Nothing in the article or in the Bitwarden repo suggests that it’s moving away from open source

      • coolmojo@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          From the article, it’s a packaging bug, not a change in direction.

          Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              Here is the code in question. Basically, it’s a source-available, but not FOSS internal SDK, with the following language:

              The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.

              So I think the “bug” here is in not linking the original repo in the NPM package, and there’s a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it’s currently not FOSS, but it’s too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they’re just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.

              Given their past, I’m willing to give them the benefit of the doubt, but I’ll be making sure I have regular backups in case things change.

          • pmc@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            They now require a non-free Bitwarden SDK component. That’s what this whole conversation is about.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              And the whole conversation is about a bug, not a change in direction…

              Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

            • fmstrat@lemmy.nowsci.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              Only the desktop client. And the response is that not being able to compile sans SDK is an issue they will resolve.

              I still think this is bad directionally, but we need to see what happens.

        • Bilb!@lem.monster
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          This need not be the case, though! There’s an open source client on Android called Keyguard. I don’t think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

        I’m not going to jump ship just yet, though I may get around to updating my backup.

        There are plenty of alternatives, so feel free to shop around. But don’t jump the gun just because of a random Phoronix article with an update that says basically the opposite of what the article claims. Wait some time to see if there are actual changes coming.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            Maybe. Here’s what they say in the readme of the project people are complaining about:

            The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.

            There are two ways to take this:

            • this is temporary as they’re refactoring code to reduce duplication across clients
            • refactoring is an excuse to create fully proprietary clients going forward

            Until I see evidence of the latter, I’ll stick with the project, but I’ll be more consistent about creating backups so I can switch easily if I need to.

    • asudox@programming.devOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      The server is not open source and I wouldn’t trust a business that is not just working on password managers.

      • DarkThoughts@fedia.io
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        and I wouldn’t trust a business that is not just working on password managers.

        Because…? They’re a privacy tool oriented company, no?

        • asudox@programming.devOP
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          Because they aren’t focused on just one single service. Bitwarden is a single business only focusing on their password manager, whereas proton has a suite of tools. Passwords need to be stored absolutely in a robust and safe way. I don’t trust proton with anything at all, and the proton pass is no exception. The client might be open source, but the backend is not. It’s also not as mature as bitwarden.

          • Broken@lemmy.ml
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            These are valid points. There are many password managers, most of which it wouldn’t take much to poke holes in, especially if open source is a main criteria.

            What are some that you would consider with Bitwarden now being off the table?

      • Cris@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        Its worth noting I don’t think they’re actually a company anymore, I think they’re now a non-profit (I may be mistaken, but that’s my present understanding)

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      If they’re moving away from open source/more monetisation then they’re going to do one of two things.

      1: Make the client incompatible (e.g you’ll need to get hold of and prevent updating of a current client).
      2: DMCA the vaultwarden repo

      If they’re going all-in on a cash grab, they’re not going to make it easy for you to get a free version.

      • potustheplant@feddit.nl
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        You can’t “dmca” the fork that was created while it was still open source. They could only prevent it from getting future updates (directly from them).

        • r00ty@kbin.life
          link
          fedilink
          arrow-up
          0
          ·
          9 months ago

          If you mean they shouldn’t. I’d agree. But, as has been seen a lot on youtube. “They” can DMCA anything they want, and the only route out is usually to take them to court.

          I mean I’d hope if they’re going in this direction they will be decent about it. But, it’s not the way things seem to be lately.

        • irotsoma@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          DMCA is a tool for suppression of free information. It doesn’t require evidence that you’ve made a good faith effort to consider fair use or other legal complexity as it’s meant to take down the information before that is settled in court, but most commonly used to suppress information from a person or group who can’t afford to fight it in court. Microsoft’s Github has a history of delete first without risking their own necks to stand up for obviously fraudulent takedowns much less ones with unsettled law like APIs/SDKs.

      • schizo@forum.uncomfortable.business
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        Don’t forget option 3: someone writes a vaultwarden client independent of the closed-source crap.

        If you can write a server that fully supports the client via the documented API, then you know everything you’d need to do to make a client as well.

        • humorlessrepost@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          That’s not a third option in the same list (things they are going to do), it’s an item in an entirely different list (foss responses to their actions).

  • mli@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

    According to Bitwardens post here, this is a “packaging bug” and will be resolved.

  • Routhinator@startrek.website
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.

    I hate this. Bitwarden has been a good app.

    • GHiLA@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Nextcloud passwords is just a client for a KeePass vault.

      I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.

      • Wispy2891@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        Are you sure?

        Because last time I tried that it was THE worst password manager that i ever tried in my life. I’d feel safer with the ie6 password manager

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Bitwarden has been a good app.

      And it still is. There’s no reason to stop using Bitwarden, and I will continue my plans to switch to Vaultwarden.

      As @Krzd@lemmy.world said, it’s a packaging bug, not an actual change in license. If you read the article, it says as much in the update.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.

      • Magnus Åhall@lemmy.ahall.se
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.

        The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          And I am an ardent optimist, hence why I see it as a good thing.

          But yes, worst case someone will fork it, and I’ll probably use that fork.

        • Magnus Åhall@lemmy.ahall.se
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          Phew, looks good on the news with the packaging bug (if they didn’t just got cold feet for worse PR/backlash than they expected and this is a backtracking).

          In this case, hopefully Garcia is employed for his expertise and can be deployed to further open source relations :)