Bitwarden SDK relicensed from proprietary to GPLv3

(github.com)

369 points | by ferbivore 8 hours ago

128 comments

  • minebreaker 6 hours ago

    https://github.com/bitwarden/clients/issues/11611#issuecomme...

    > We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

  • blendergeek 5 hours ago

    Thank you to Bitwarden for relicensing a thing to Free/Open License! Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good. But for anyone with more advanced needs (or who doesn't trust a password manager built into a web browser), I always recommend Bitwarden because KeepassXC + syncing is way too difficult for normal people.

    • techwizrd 15 minutes ago

      I'm glad that Bitwarden moved quickly to resolve this. At least for me, Firefox's password manager isn't really a replacement. Bitwarden is approved by my employer, self-hostable, and supports logins for the litany of apps across my browsers and mobile devices. Whether it's the mobile app, mobile website, or site in my browser, Bitwarden just works for the most part. It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

      • ValentineC 2 minutes ago

        > It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

        +1. I use my password manager (currently 1Password, but I have been looking at self-hosting Bitwarden/Vaultwarden) more for storing credit card information and security questions.

        Most built-in password managers don't cut it on that front.

    • danpalmer 4 hours ago

      > Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good

      Interesting, I've always felt that browser-based password managers provided remarkably little value for most people. Using them on mobile is tricky and platform dependent, it's easy to have local-only, non-synced data and then lose it, and being multi-device is trickier, especially in a work context.

      On the other hand, people generally understand installing an app on each device they own and that app doing it for them.

      • simfree 3 hours ago

        Firefox password sync just works. It's one of those things I never think about.

        Watching friends and family struggle with bespoke, poorly integrated password managers makes me cringe and is one of the big reasons I enjoy the seamless experience of the built-in Firefox password manager.

        • danpalmer 2 hours ago

          Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox? This is the sort of failure I've seen, where people think their passwords are synced but because they didn't sign in years ago it's actually not backed up at all. At least on Chrome you get reminded of that all the time on YouTube/Google search, etc.

          I know for Safari all the sync is via iCloud meaning if you're not signed in it's locally stored and vulnerable in that way. Especially as many people can't/don't sign in to their own iCloud on work computers, or don't have a Mac.

          • notpushkin 2 hours ago

            Firefox reminds you a bunch of times, too. Would be nice if you could just link a new device via QR code (creating an account for you in the background).

            • codys an hour ago

              The original Firefox sync worked like this (with a unique code and pairing instead of an explicit account) (this is so on the nose I suspect you may know this).

              This blog post goes over some of that history: https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...

              • callahad 24 minutes ago

                Didn't expect to click on that link and end up on a blog post I wrote 10 years ago! The old Firefox Sync / PAKE stuff was fantastic for getting sync going between devices... but people wanted backup, not sync. I wonder if we'd do anything differently confronted with the same challenge today.

        • mikae1 2 hours ago

          But does it work for non-website passwords like the PIN for the door at your workplace or the usernames and passwords for your computers?

          • archermarks 2 hours ago

            Yes. You can add whatever passwords. It asks you for a URL but you can put anything in.

            • gouggoug 2 hours ago

              > It asks you for a URL but you can put anything in.

              Well, that’s kind of the problem isn’t it?

              Yes, you can put bogus URLs, but it’s far from a great user experience

        • nox101 40 minutes ago

          It just works for websites. It does not "just work" for apps, whereas the platform ones do or have a chance to work with apps.

          Kind of hope regulation will force apple/google/ms to allow iterations for 3rd parties to integrate with the os but on the other hand that will open a host of issues

        • ClassyJacket 34 minutes ago

          Can Firefox password manager work in other apps on Android?

        • _fs 2 hours ago

          Does it have the ability to unlock with faceID on ios?

      • mrwm 3 hours ago

        I'm not sure how it is on iOS, but I've been using Firefox as my password manager on Android. It's a trivial change in the settings and works across all apps as well.

        I also recommend it to my friend group, as they can use firefox with uBlock Origin, and also have their passwords synced.

      • JoshTriplett an hour ago

        > Interesting, I've always felt that browser-based password managers provided remarkably little value for most people.

        They provide the value of "you should, by design, have no idea what most of your passwords are; if you know any significant number of your passwords you probably have bad passwords".

        And both Firefox and Chrome sync passwords between devices.

      • floydnoel 2 hours ago

        > people generally understand installing an app on each device they own and that app doing it for them.

        an app like Firefox or Chrome, perhaps?

    • Ayesh an hour ago

      I used Firefox password manager for years, and moved to Bitwarden for:

      - Passkey syncing
      - Bitwarden on Android works properly, compared to Firefox's dedicated password app that's abandoned.
      - TOTP support (to use with some apps I don't want the strongest security)

      But you are maybe right, if the only browsers you use are Firefox desktop/mobile.

    • bigfatfrock 4 hours ago

      > because KeepassXC + syncing is way too difficult for normal people

      I've been debating for ages if this is a hurdle that can be overcome by packaging or even hand-holding support. When I show "normal people" my pass+sync setup they beg me to implement it for them. Once it's running it's near-zero maintenance.

      • dcow 3 hours ago

        Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.

        • tjoff an hour ago

          It's fine, even bad password management is better than passkeys.

          Thankfully the incredible hype for passkeys has been dead for years now and people are starting to question it.

          • runiq 8 minutes ago

            Is this... is this sarcasm? I honestly can't tell anymore.

            • tjoff 6 minutes ago

              It is not.

      • peterpans01 3 hours ago

        Can you share how you set this up?

        • freeone3000 3 hours ago

          I store the password vault in dropbox. Done.

          • dcow 3 hours ago

            100% serious question: how is using dropbox (one cloud) to sync passwords any better or more secure than using a password manager that syncs your vault for you (another cloud)? I see so many "I don't trust <insert pw manager> so I use dropbox" comments around these parts and I just don't understand what real or perceived threat is being mitigated.

            • chpatrick 2 hours ago

              I guess the idea is that you trust open source software to encrypt the vault, so Dropbox couldn't do anything with it even if they wanted to. That's also true for the open source Bitwarden clients though.

            • freeone3000 2 hours ago

              It’s small enough for dropbox’s free tier so it saves me a subscription.

              • dcow 2 hours ago

                Ah! Threat to the wallet I see. That Dropbox referral credit must still be paying dividends.

          • teo_zero an hour ago

            > store the password vault in dropbox

            No local backup? Do you rely on the network working all the time?

            I do something similar on the mobile phone (the reasoning is, if there's no network, there's nothing I need to login to) but I also keep a local copy on my laptop (that I sometimes operate with limited connectivity). Without any automatic syncing, one of the two copies will be stale.

          • ekianjo 3 hours ago

            You can use syncthing too. Works just as well.

            • dwightgunning 2 hours ago

              Is there a robust Syncthing app for iOS? Last time I checked there was only an affiliate project and their story wasn't convincing.

              • subarctic 29 minutes ago

                I use mobius sync and I'd say the app itself is fine, you just have to open it whenever you want things to sync. That's one of the things I miss from Android. Also you can't sync your camera folder

              • conradev 23 minutes ago

                Nope. I have a cloud Syncthing box that is accessible over SSH, and I use ShellFish to read/write my synced folders. It works okay, especially for lazily sending stuff from my phone to my laptop.

      • lie07 3 hours ago

        Would love to know how you have it setup.

    • SPBS 34 minutes ago

      Built-in password managers don’t work across apps. They only work for the browsers they’re built into.

    • ezst an hour ago

      What finally brought me to using BW was that I simultaneously needed to backup/sync my TOTPs across mobile/desktop devices, and came to have the need for sharing an increasing number of passwords with my SO. It delivered beautifully on all of that.

      • CaptainNegative an hour ago

        This isn't an area I know much about, but wouldn't there be a security risk involved with storing the TOTP seeds alongside the passwords? Or is that not a real concern?

        • 3np 33 minutes ago

          It's a valid concern. Especially if you use the same BW for password and TOTP for the same service, you've effectively reduced 2 factors to 1. If you really must sync both your TOTP secrets and your passwords, those should be completely separate systems.

    • conradev 29 minutes ago

      It’s also the only browser that doesn’t support Passkeys yet :(

    • frenkel 18 minutes ago

      Does it support sharing passwords with family members?

      • Yodel0914 2 minutes ago

        This (along with syncing on iOS) is what made me switch from `pass` to Bitwarden. Password sharing (and self-hosting sync with vaultwarden) are killer features for me.

    • lxgr 4 hours ago

      Can it store TOTPs and passkeys as well? These are two things encountered even by "regular people" more and more.

      Especially keeping passkeys platform-independent is a huge advantage, in my view.

      • freedomben 4 hours ago

        There will always be different opinions, but my opinion is that storing your TOTPs in your password manager is at best a reduction in security because you're reducing your 2 factors down to 1 factor. If the password manager gets compromised (even phished! It needn't involve the password manager's servers getting hacked), then you gain nothing by having 2FA enabled.

        I would strongly advise using something like Aegis on Android, or Gnome Authenticator on desktop (or both). I like to duplicate/backup my seeds so that I'm not SOL if my phone breaks, but I do it by having them on my laptop, desktop, and phone. That way as long as I have one of the three devices, I can always get in, and then they're not "in the cloud." Though, "in the cloud" is still better than "in the cloud alongside all my passwords."

        • czarit 2 minutes ago

          This depends on the threat model. Having 2FA in the PW manager defends against someone phishing the password and database leaks on the server side, which are the most common in my threat model. But note that if they can phish your pw, they can probably phish your 2FA as well.

          It does obviously not protect against the scenario where someone is breaking into your password vault.

          I tend to enable 2FA but conveniently save the token in the PW manager for relatively low equity stuff, just to make it less enticing for an attacker, but use hardware FIDO for everything actually important.

        • dcow 2 hours ago

          The only true 2nd factor is a setup where your totp codes live on a separate piece of physical hardware. If your totp codes are in an app on your phone, and your password is in a different app on your phone, you're not pure 2nd factor despite convincing yourself that you are. Anything that is convenient is not real 2FA. Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.

          I'm not saying I think everyone needs real 2FA. I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer. 2FA is a hack put in place to mitigate passwords being relatively insecure and phishable. It's supplanted by Passkeys.

        • AyyEye 3 hours ago

          Sometimes the TOTP is forced on me for a service I really don't care about. That's most of mine, actually.

        • saint_yossarian 3 hours ago

          It's still 2 factors though, if someone discovers your password they don't automatically know the TOTP key. So I use TOTP in my password manager for sites where I wouldn't use 2FA otherwise (because using my phone would be inconvenient), so it's still a security improvement for me. And for critical accounts I do use Aegis on my phone.

        • magackame 3 hours ago

          Doesn't having the seeds available on all of the devices make it not 2FA? You now need only one device to login at any given time.

          • mason55 3 hours ago

            The second factor isn’t a second device, it’s the TOTP code.

            • AStonesThrow an hour ago

              No, factors are supposed to have different qualities, such as:

              "Something you know"; "something you have"; "something you do"; "something you are [biometrics]"; "somewhere you are [geolocation]".

              Passwords are in your head - "something you know".

              TOTP codes are generated by a hardware token - "something you have".

              If the TOTP codes are crammed into your password manager, then the factors are no longer distinguished by these qualities, but they're now the same factor, and it's not true MFA anymore, whether or not they're split up across devices, or apps.

        • odo1242 2 hours ago

          I mean, if you're using a password manager, you're already protecting against 99% of the things that 2FA is designed to protect against. If you really wanted to, it would probably make the most sense to enable 2FA on your password manager?

      • odo1242 2 hours ago

        Yes, though TOTPs will run you a (worth it imo) $10/year subscription. Passkeys have been supported for a while (free) on all major platforms, and I haven't seen any issues with it.

      • Uvix 4 hours ago

        Yes, Bitwarden can store both.

        • lxgr 4 hours ago

          I was referring to Firefox with that question.

          • odo1242 2 hours ago

            It can't, you need a browser extension for that.

    • Thaxll 3 hours ago

      Keepass file on Google drive is kind of trivial though.

      • throwuxiytayq 2 hours ago

        Never store anything remotely important on a Google service.

        • arnavpraneet an hour ago

          I know we are kidding but damn the news Google Drive is being sunsetted by December would ruin a lot of people's days

          • ClassyJacket 32 minutes ago

            At this rate they'll sunset google search and their advertising business just because.

        • teo_zero 43 minutes ago

          Never store the only copy of anything remotely important on any online service.

          Storing copies is ok, though, provided that sensitive information is encrypted.

    • gertop 3 hours ago

      Firefox's password manager stores passwords in clear text unless you use a master password (very few people do).

      This means that any process on the computer can read them.

      It also means that, unless you also use full disk encryption, a stolen device means you're fucked.

      Chrome and Safari use the OS's keychain at least, so there is some level of security.

      And a standalone password manager has its own encryption.

    • twilo 2 hours ago

      Is the Firefox one better than the one Edge has? I've been using that for a while and it seems quite good overall.

      • odo1242 2 hours ago

        It's not end-to-end encrypted (if you enable account sync), so Microsoft can technically see your passwords. Feel free to switch or not switch based on that information.

    • throwuxiytayq 2 hours ago

      Does the FF password manager still irrecoverably nuke your password with no versioning/undo when you accidentally or intentionally use the „forget this website” option in the history panel?

  • powersnail 23 minutes ago

    It's a welcome change. It still feels like they are trying to be too smart on licensing, especially how to combine GPL and proprietary licensed code, which I think is the root cause of the whole drama. The open core model works better as a hosted service, where you are not distributing the amalgamation of GPL and proprietary. Open core in client code seems a bit too rife for potential misunderstandings and confusions.

    Hope it works out for them, though. It's a good product.

  • jdlyga 5 hours ago

    Bitwarden is still excellent, but keep an eye on them over the next few years. Remember that Bitwarden was originally a LastPass alternative without the fuckery.

    • prophesi 5 hours ago

      The LastPass fuckery was long and frankly egregious.

      Though I don't understand why this git commit is what's linked here. I'd rather hear the discussions on it. https://github.com/bitwarden/clients/issues/11611

    • odo1242 5 hours ago

      I mean, it still is. It’s honestly gotten better too - for evidence, it’s the one password manager that never gets recommended by sponsored YouTubers but always gets recommended by non-sponsored YouTubers.

  • Scipio_Afri 6 hours ago

    Well that’s one way to handle that effectively and in what seems to be an open source way without fuckery; glad to hear it 'cause that was going to be a bit annoying migrating away from them.

  • weikju 6 hours ago

    Props for them to step in the right direction, it wasn’t obvious at all for a few days what they would do.

  • threatofrain 6 hours ago

    GPLv3 is interesting because it means to use their code in a commercial setting, then you must also have the guts to open source too.

    • odo1242 5 hours ago

      Not necessarily. You can run a “Bitwarden hosting service” or something like that without violating GPL. You’d only have to make your changes available on request if you changed the actual Bitwarden source code or linked some other library into it and shared that modified version with someone else (just running it on a server doesn’t mean you need to open source changes, for example)

    • hk1337 5 hours ago

      I don’t believe that is entirely accurate. I believe it depends on the application and what you’re doing with it whether or not you would be required to open source it. Like, if you’re distributing the application as a product, not necessarily saas application?

      • nine_k 5 hours ago

        Yes, GPL3 only works for directly distributed software. But an important part of BitWarden is exactly such software, in the form of a browser extension.

      • HeatrayEnjoyer 5 hours ago

        Yes, this is why AGPL is superior.

  • AzzyHN 4 hours ago

    I don't know why people are saying this is a bad thing.

    • 3np 2 hours ago

      Choosing GPL over AGPL for this kind of project combined with the previous recent CTO messaging is very telling if you consider the architecture of the software(s).

      • wmf an hour ago

        Telling what?

    • crossroadsguy 3 hours ago

      Similarity to past experiences of start of the declines of service/apps.

      • Capricorn2481 2 hours ago

        What app got worse after going open source that you're thinking of?

        • crossroadsguy 7 minutes ago

          > after going open source

          I wasn't thinking that at all. BW started as open source afaik.

  • nocoder 2 hours ago

    What would be a good way to backup the passwords stored in Bitwarden? I am worried that someday suddenly bitwarden could stop working and I will lose access to all the stored passwords? Should I have a physical copy of all the passwords stored in a vault at home?

    • fy20 14 minutes ago

      If you have some sort of home server, I'd recommend hosting vaultwarden (an open-source implementation of the BitWarden server). It works fine with the official apps. Their enterprise model requires a standard API, so it's not going to break anytime soon.

    • nichos 2 hours ago

      Export your BE vault and import it into key pass. Then store that file somewhere safe.

    • s2l 2 hours ago

      Desktop: keepass variants.

      Android: Keepass2 android.

      Use syncthing to stay in sync.

  • MisterKent 5 hours ago

    People here are incredibly hard to please. Very clearly a packaging issue that got blown out of proportion.

    They've done largely the right things for _years_ in terms of security. They've operated pretty transparently in terms of open sourcing. They've allowed vaultwarden to exist, and eventually created a self hostable version as well.

    But one bad release with a license screw up and nobody is willing to give them an inch?

    I will continue to use bitwarden, and am willing to give them the benefit of the doubt. Especially considering this action above. They are a company that is perfectly toeing the free/oss and commercial line.

    • j_crick 4 hours ago

      You build a hundred solid bridges and you get called John the Good Bridge Builder. But lest you once screw up your software licensing and people notice and it blows up, you'll end up as John the Software Screwer in the annals of history... until next week.

      • WesolyKubeczek a minute ago

        It seems though, that in the world of software, you can unfuck a sheep.

        What worries me, though, is that people who should have known better commit such oopsie daisies more and more (across many projects, I don’t mean this one only), almost as if they are testing the waters to see what they can get away with.

      • gitaarik an hour ago

        Well it is kinda blasphemy to swear with evil proprietaryness in a loving FOSS community

    • froggerexpert 3 hours ago

      > But one bad release with a license screw up and nobody is willing to give them an inch?

      I don't have a lot of context on the issue.

      Is it clear it was just a packaging bug, rather than a move towards partially proprietary?

      • odo1242 2 hours ago

        Yeah - they've always used an open-core licensing model with like a few features (used only by business users/applications) behind a proprietary license. They just ended up mixing the code in a way such that the (theoretically open-source) app ended up having some utility functions for the business version mixed in. Since the client apps don't use that functionality, they split the repository so that you can build the app without using any proprietary code.

    • the_duke 2 hours ago

      Minor correction: the official self-hosted version existed BEFORE vaultwarden!

    • sneak 5 hours ago

      For a long time their KDF was bad and the iteration count was low. When I reported it to them they got really hostile and evasive about it.

      Years later they switched to Argon, somehow solving all of the blocking problems they had repeatedly claimed they couldn’t fix.

      I don’t trust the org at all. The software is ok but I only use it because it sucks marginally less than all my other options.

      People who care about software freedoms don’t release proprietary software. Organizations like this or Microsoft are just engaging in open source cosplay.

      • gertop 3 hours ago

        > When I reported it to them they got really hostile

        You're not the one who first reported it, but I did see your comments at the time. Calling them hostile is really the pot calling the kettle black, uh?

        • gitaarik an hour ago

          To me the story also sounds a bit like GP was a bit impatient and felt a bit ignored while the company was already working on the issue but just didn't respond promptly to per personally.

  • ok_dad 5 hours ago

    Luckily if they die another will rise up. At this point I’m thinking I’ll just use the Apple Keychain if Bitwarden gets up to no good again.

    • freedomben 3 hours ago

      It probably doesn't matter for you if you'll never be leaving Apple's ecosystem, but for anyone else, I think that's something to keep in mind before moving to a non-portable solution like Apple keychain.

      • crossroadsguy 2 hours ago

        > non-portable solution like Apple keychain

        Yes, non-portable across different OEMs. But Apple Passwords app lets you export your passwords in a nice little simple csv file. It was a suspicion-filled (because it's Apple) pleasant surprise to find that out.

      • accrual 3 hours ago

        I would love to use Apple keychain but you're right - as a mixed OS user, it's a tough sell.

    • lxgr 4 hours ago

      Two things are preventing me from doing that: I occasionally want to access my passwords in a browser (and I do not want to log in to iCloud on that machine), and I'd feel really bad about having my passkeys stored in an Apple service with absolutely no way of exporting them in case I ever do switch platforms. (Bitwarden at least includes passkeys in their JSON export format, as far as I know.)

    • rascul 4 hours ago

      What was the no good that Bitwarden got up to?

    • chillfox 2 hours ago

      If I wasn't busy playing with AI stuff then I would be very tempted to build my own password manager cloud service, it feels like a chance to shine shows up at least once every two years in that space.

      I don't know what it is, but password managers just love the high-speed enshittification train.

      • TechDebtDevin an hour ago

        It's not very easy and you shouldn't do it unless your domain is cryptography. This is something I've tried to do myself as well and realized it's better off left to the pros.

  • Always42 2 hours ago

    I have been using Bitwarden for some time, and actually pay for it because I like it so much. Should I switch?

  • jgauth 3 hours ago

    This update is great news. I was disappointed to see the issue that got raised last week, and I had started to consider looking for alternatives. I’m going to assume an honest mistake on their end and keep recommending their product. However, if they make a similar move again, I will assume the worst and move on.

  • RyeCombinator 2 hours ago

    Can somebody ELI5?

    • wmf an hour ago

      AFAIK they went closed source the other day which triggered backlash and now they're opening back up.

      • jth1 3 minutes ago

        My understanding is they were never closed source. Some of their code is GPL and some is proprietary, but all is source-available on GitHub. There was a bug where you couldn't build their client without a proprietary dependency, but they have fixed that so you can now build their client with only GPL code again.

  • aussieguy1234 an hour ago

    I started using BitWarden as my main password manager after the LastPass security breaches.

  • PaulKeeble 5 hours ago

    Once an organisation has tried once they invariably do it again and again until they find a way to get what they want. The customers tire of complaining over and over about little enshittifications and eventually the company wins. Once they start it always goes the same way; it just often takes a few goes before most give in.

    It will take years until it becomes awful but the process has started. It's really a shame every company has to do this with otherwise good products.

    • gitaarik an hour ago

      If that would be the case, I wouldn't have expected them to change it back. I don't think it was that bad of an impact for them, they are already big enough in non-hardcore-open-source communities that they could pull it off and afford to lose some customers to go proprietary. I'm actually really positively surprised by them that they actually picked up on this issue raised by the community and that they fixed it very promptly.

      Yes the trust was seriously damaged, but this move does restore it largely for me.

  • sneak 5 hours ago

    Doesn’t GPL mean that it can’t be forked and published into the Apple iOS app store?

    Presumably they are able to do it because they own the rights and can grant a non-GPL license to Apple for distribution.

    This seems to me to still be a “nobody can fork this [and still have a viable iOS app] but us”.

    • FateOfNations 2 hours ago

      Whenever I've heard about someone having problems publishing a fork on the App Store, it was a trademark rather than a copyright issue. If you fork it, you must completely re-brand it to publish it on the App Store.

    • cxr 4 hours ago

      The last time anyone did a serious published review of the App Store terms for GPL compatibility was probably 10+ years ago.

      I remember pre-COVID trying to validate the popular claim that the App Store terms were incompatible with GPLv3 but being unable to do so. None of the provisions that were originally called out by the FSF were in the App Store terms anymore at that point. Certainly nothing I found in the terms at the time indicated any incompatibility.

  • shelled 3 hours ago

    BitWarden has lost the trust. Besides recently there was a blocker bug on iOS and on Reddit I found out it happened earlier as well. They didn't even want to debug it and when I suggested this and asked whether they have any issue logged on Github where I could provide logs they went radio silent. Follow ups went completely unanswered. And yeah before that they had given a solution (because reinstall/re-login nothing had worked) - export your data, delete your account, create the account again, and re-import your data - that "should" work. Honestly it was worse than "restart your computer".

    I guess it's time for another FOSS player here. It's fine, such things are cyclical I guess. Happened to Lastpass and Authy and someday it will happen to Ente and 2FAS and so on.

    • Capricorn2481 2 hours ago

      > BitWarden has lost the trust. Besides...

      I'm confused what you're responding to. You're making it sound like this was a bad decision and your anecdote was another thing for the pile, but this is a good decision.

    • chx 2 hours ago

      When you post shit like this how they lost the trust because of a simple bug by one of the very few companies which still try and it got rectified in a few days then you will guarantee no one else will even try in the future. Isn't mullenweg damage enough to open source, was it really necessary for everyone to pigpile on Bitwarden and post some philosophy shit. You people, it's incredible. Meanwhile, despite the Stallman report being published, he is still not ousted, guess what damages open source more? And yes this is relevant if people spent half the effort they spent on dissing Bitwarden for this accident then he would be done for which actually would tremendously help open source.