
If you're a Bitwarden user and this doesn't worry you, you haven't been paying attention to the history of almost every company that has accepted VC funds.

It doesn't matter how well intentioned the founders are - once you accept that kind of money, it's not your product anymore. You are now in the business of making money, nothing else, and those skewed incentives will start bleeding into their product and business practices sooner or later.

As a company, Bitwarden has been a huge role model for me, and I hope they'll be the exception to the rule. But $100M is a lot of money, and I simply can't imagine it having a net-positive effect on the company and product. But we'll see...

For anyone looking for a bootstrapped, open source alternative to Bitwarden, check out Padloc:

https://padloc.app/ https://github.com/padloc/padloc

(Disclaimer: I'm the founder)



That’s a hell of a disclaimer after a decently alarmist comment. You may be correct, but I’m not sure it’s appropriate for you to raise that point given the conflict of interest.


Seriously, talk about burying the lede.


I would have simply reversed the order of the post.

"We're building padloc because we see no way to avoid X Y Z"


I fear for this world if one cannot responsibly process the data they're given after all the cards are put on the table.


The only conflict of interest here is the VC looking for a quick exit as rates are rising and your comment shooting down what appears to be a bootstrapped alternative/competition.

Although I wonder how much it will take for this padloc fellow to turn around and announce that he decided to accept VC or, even worse, to issue tokens on Ethereum.

We are almost at the Minsky moment and a lot of founders are going to realize they no longer own the companies they built.


disclaimer is good tho.


Isn't bitwarden[0] already open source and aren't you just asking people to trust you till you take VC money?

[0] - https://github.com/bitwarden/server


Not only that but even the clients are open source ( https://github.com/bitwarden/clients ).

There's even an unofficial Rust reimplementation of the server which is even better.

Parent post is spreading FUD on this one.


The product being open source doesn't prevent the situation the OP mentions. It just provides a mitigation or a workaround by forking.

I also hope it won't happen but many good projects have gone this way before.

In this case the investment is not for the password manager but for a new identity service. However if that doesn't end up providing the promised results, the shareholders will start looking at the existing successful product to extract more value. After all they own part of that now and they want their returns. It's just what they do. This will clash with the users' best interests sooner rather than later.

Then it becomes forking time but can they find a good maintainer? Open source is not always a guarantee for continuity.

Of course if the new project pans out this won't happen but it's a gamble, and one the existing userbase never asked for.


There is already a well-maintained third party implementation of the server.


The server and client are open-source, and have been independently audited regularly since 2018.

https://bitwarden.com/blog/bitwarden-network-security-assess...


Yeah the Rust version works well. I had an issue with it when importing passwords from a file exported from Dashlane, but other than that no issues. And I run it on a bottom tier Digital Ocean vm.


Lots of people can't set up their own bitwarden servers on a slow weekend. Yeah I can, but I venture 98% of people can't. Sorry, you're assuming everyone (including every HN audience member) can do that. Are we supposed to just keep quiet? I think we all know what happens when the VC folks come in. If you haven't lived through it (I have a few times now) you've at least heard about it if you read tech news at all. As long as the comments are respectful I don't see any reason to gatekeep them.


That's how it looks to me as well. OP's claim borders on FUD and comes across as a bit disingenuous while shilling their project. Bitwarden is open source as well and there's also this independent, popular 3rd party project that uses the bitwarden protocol and is much loved by the community.[1]

1: https://github.com/dani-garcia/vaultwarden


When the person declares it's their project, it's not disingenuous.


Paying Bitwarden user here.

This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?

I'm interested in your alternative. I hadn't heard of it, went on your site and it looked decent, I think if I had seen this before going with Bitwarden I'd have seriously considered it, BUT now that I'm a keen BW user, it doesn't seem as if there is enough for me to switch.

Are you also definitely never going to take VC money? Or an acquisition, say, by Bitwarden? Why should I trust you (and a product I've only just learned about)?


> This doesn't worry me that much. In the event that incentives get skewed (which isn't certain), I guess I could just stop updating the app before that happens, or fork the last good version?

This is easily said, but remember you're talking about a security-sensitive application. Do you really trust yourself to keep your fork secure? I know it doesn't look like it on the surface, but password managers have become wickedly complex, especially if you require things such as shared vaults, audit logs, a zero-knowledge architecture etc. The reality is maintaining your own fork won't be feasible for the vast majority of users, even those with a technical background.

> Why should I trust you (and a product I've only just learned about)?

The simple answer is that you shouldn't. You should ALWAYS be sceptical, and look for possible indicators of a company heading down the path to the dark side. Like taking a 9-figure sum of VC money for example ;)


> Do you really trust yourself to keep your fork secure?

No, but I don't need to. Considering how many people are already contributing to Bitwarden's Github in the form of PRs and such, if worst comes to worst, there should be plenty of people who can maintain it.


So just to be clear, "bootstrapped" means that you won't accept an offer of $100m, so we should trust you rather than bitwarden?


Well, yes. But to be fair, I bet there is a 5-year-old HN comment of a Bitwarden founder somewhere saying the same thing...


Bitwarden probably isn't worth 100M in its current shape, and investors will want their money back (plus profits!). This means things have to change.

Change how exactly? More money needs to flow.

VC investments: a mechanism where the rich invest their spare money on other in order to extract more wealth for themselves.


Bitwarden is also open source and self hosted. If they should ever make their product not free, I can just keep running the last version and fork it to further improve it together with other people, can't I?


You can, but will you?


The points I was trying to make are that...

1. sure, it's great that it is open source and that I could self host, but honestly, it's just not worth the trouble for me and I'd rather pay 10-20 euros for someone to take care of that for me. Self hosting my password manager would take a significant time investment and constant worry whether I'm doing it right. It might be because I'm primarily an app developer now and not a backend expert anymore.

2. Most big projects like Bitwarden are alive because there is a company and many full time employees behind it. Once that's gone, relying on a couple of passionate volunteers might not be enough to keep the project alive.

All in all, I've been using Bitwarden since the LastPass fiasco, I'm very happy with it, paid user with my family, but if I had to self host or volunteer, I'd not have the bandwidth to do so and I'd rather switch to another solution, even if it would mean I need to pay.

I think that people who say "it's open source, I could just self host and maintain the project" often underestimate how much effort that really is. Sure, it's possible, but will you actually do it?


I'm already self hosting it, took 3 minutes to set up a self updating docker container.


Then I must have overestimated the effort needed for an experienced dev to set things up. I assume I would need a day to figure out how to best self host. Thanks for the info, I'll give it a try this weekend.


I just looked at your CI. Very very few automated tests. It isn't a deal breaker (Bitwarden honestly isn't much better), but it doesn't instill much confidence in your application either.

https://github.com/padloc/padloc/runs/8205722258?check_suite...


I think your conflict of interest / disclaimer should be stated at the beginning of your post


You're right. It's too late to edit it now but I'll keep it in mind for next time.


They're right you know. This happened to Keybase a while back and some nasty stuff happened to it and it is now in someone else's hands.

Hope this won't happen to Bitwarden but we'll see. But anything is still possible.


Keybase was an entirely different case... first of all, they didn't just take VC funding, they were bought outright ("acqui-hired" by Zoom for their skillset). Secondly, they didn't have any significant income, whereas Bitwarden has been a profitable business all along.


I don't have a well-formed opinion one way or the other, but it is interesting to me that this comment made it to the top of HN. By contrast, a submission about Tailscale raising the same amount of money had comments that simply sounded exuberant about the implications (https://news.ycombinator.com/item?id=31259950).

Is it just that our anticipation (or foreboding) of the effects of capital infusion is biased by our priors about the company? Or, some other reason?


Have you undergone a security audit like Bitwarden? Why would I trust you instead?

I'm (casually) looking to move off LastPass. Padloc looks pretty good, but I'm hesitant to go with an 'unproven' solution.


Yes. We've been around for quite a while actually, and have completed three independent audits. One just recently by Radically Open Security [0].

[0] https://padloc.app/blog/security-audit-ros/


Thanks, I’ll take a look.


Questions:

* What makes you invincible to investment?
* What makes you different from BitWarden? (They are also opensource, might have been bootstrapped too, and also claim to be audited.) You seem to only really be "an alternative", which is great, but you kind of oversell it I think.
* "I simply can't imagine it having a net-positive effect" --> or do you mean on "your" company? Because you seem to also sell a product: access to the hosted solution of your open source product.
* Open source BitWarden server-side API implementations exist... Even in Rust (not that that matters that much given the nature of e2e encryption).
* Are you not interested in one day providing an enterprise tier over your family tier?

Disclaimer, I'm a satisfied user of BitWarden's free tier for some years.

So here are my main gripes with BitWarden:

* There is an option to send them your password file for them to import it. This goes against their e2e philosophy; I believe it should have huuuuuge red tape, and it does not. They should deliver this type of functionality in a manner that I can run on my local machine.

* Horrible UX. I've often been searching for where they hid the save or edit button this time. Your product looks nicer in this department.

Good luck with your product! I'm a little busy, but I may give it a try some day. To me there is a safety in BitWarden not going belly up, and alternatives (self-hosting and your product) existing.


Not gonna lie, I'm having a hard time justifying the 3-4x increase in cost for Padloc vs. Bitwarden. The pricing is only rivaled by 1Password, which makes it a hard sell to me...


Well, there is the problem, isn't it? If people aren't willing to pay what amounts to a cup of coffee a month for a service they rely on daily, how are companies supposed to build a sustainable business without raising money?


Now that every single damn service out there is costing me a cup of coffee every month, I end up paying a couple of coffee jugs a month. Are we seriously going to shame customers for trying to cut some costs in this economic context?

As a customer, what I can do is compare with the competition. Padloc is more expensive than basically every other option out there. And as far as we can tell, Bitwarden was already running privately before this VC round (which seems aimed at expanding their offerings past password management) which doesn't seem to point to it being unprofitable at its current price point.


> Are we seriously going to shame customers for trying to cut some costs in this economic context?

That all depends on the margins of what is being offered. If you are proposing they sell a dime's worth of product for a nickel, then I would see the above post as a much more polite version of the correct response, which is "get lost."


I have no idea of the margins, and expecting customers to know about your operating costs without either disclosing them outright or asking the question is an... interesting take. All I can realistically do is compare with the competition, and the competition is cheaper across the board. Therefore my initial comment.

I'd have no problem paying more for a good product if it brings me something. In the meantime, I'm still left pondering. "Get lost" would be a rather crappy way to treat customers simply asking questions, wouldn't it?


I wish we’d stop with the cup of coffee comparison. Not everyone lives in the USA and drinks Starbucks. A cup of coffee costs 0.70€ where I live¹, cheaper than the cheapest (non-free) App Store app. Furthermore, I don’t drink coffee.

For me it’s not about the price but the recurring cost and the lock in. I’d rather pay a larger sum upfront when I’m sure I can afford it and reevaluate when it’s time to upgrade than be sucked dry bit by bit and have to drop everything to scramble to find an alternative when the developer decides to remove features and jack up the price overnight as they keep the data hostage.

¹ Smaller than a Starbucks coffee, but also higher quality.


Totally agree. Every single new subscription product someone buys that can't be run independently or avoid updates adds tech debt to their personal life. At some point that product will be killed, degraded, or made much more expensive. Software that can be purchased once and run indefinitely is all upside on the long tail.

I wish more companies followed the Jetbrains model where a subscription buys lasting access to the current version and recurring payments gets you continuous updates. It's easy to see why companies mostly avoid this model though; it's easier to squeeze users for money when you have them held captive.


I watch Netflix daily and the content costs much more to create, maintain and serve. It costs less than a cup of coffee per month.


This.


FFS, changing password manager is a pain in the ass. I've already migrated from 1Password, now I have to do it again?

Argh. If only there was a decent cloud-based open source alternative that worked on Windows, Linux, iOS, macOS, Firefox and Chrome.


Vaultwarden is an open-source password management server option that implements the Bitwarden server API which makes it compatible with all the existing client applications and browser plugins.

Since the Bitwarden feature-set is pretty darn good my hope is that some foss "bitwarden-api" client applications come along and that'll offer a more independent solution.


A dedicated import feature for Bitwarden is coming in v4.1 later this week: https://github.com/padloc/padloc/issues/561


Yeah, that's why I have just stuck with Apple's keychain.


This is the real answer for most people - especially if they've drunk the Kool-Aid, as it were.

Keychain will continue to get better and better for those in the Apple ecosystem, and for many of those outside it, Chrome provides enough.


But only if you are deeply in, like using Safari on OS X instead of, say, Firefox.

Having a Windows box as well as all my Macs makes it less nice.


Thanks for the recommendation of padloc. I will be checking it out tonight. I really enjoyed my time with Bitwarden, it was quiet and calm and no sudden surprises.


Now that you have criticized Bitwarden for accepting the funding, please explain how your approach is different. Are you really not interested in monetization of your own product, and developing it only for the benefit of your users, without any economic incentive on your side?



