Ask HN: Alternatives to Bitwarden?

41 points by rossng 6 hours ago

I've been using (and paying for) Bitwarden for years now, but it appears they have recently chosen to abandon open source[1].

I'm not all too happy with having the rug pulled from under me. Is there an alternative that you would recommend? Preferably something that is open source, audited and has an Android client. Happy to pay a reasonable subscription.

[1] https://github.com/bitwarden/clients/issues/11611

snapsnail 5 hours ago

Is this really that dire? Comment from the GitHub issue:

"Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

the SDK and the client are two separate programs

code for each program is in separate repositories

the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug."

JAM1971 6 hours ago

Isn't VaultWarden what you want?

https://github.com/dani-garcia/vaultwarden

  • herrherrmann 6 hours ago

    VaultWarden is only the server so far. OP is probably looking for a more “complete” provider with clients for different platforms etc.

  • DrBenCarson 6 hours ago

    Vaultwarden is an open source implementation of the BitWarden backend. I don’t think OP is trying to run his own server.

AntonyGarand 6 hours ago

Per their response to this issue, seems like this is a bug: While they do have some non-FOSS code in their `sdk` package, the client should still be buildable without the SDK:

> Hi @brjsp,
> Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
>
> > the SDK and the client are two separate programs
> > code for each program is in separate repositories
> > the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
>
> Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

  • powersnail 5 hours ago

    The problem with that statement is what exactly "in a way that maintains GPL compatibility" means, especially since they plan on moving more functionalities into the proprietary code, so the two "separate" components will be increasingly coupled together.

    I'm not a lawyer, but I'm quite skeptical of the outcome. Is it really going to produce a valid GPLv3 licensed client? To me, it seems like the whole thing is just going to be a combined proprietary + GPLv3 license, which will contradict itself.

    But again, I'm not a lawyer, so my understanding of this might be way off.

gigatexal 6 hours ago

I drink enough of the foss koolaid to earn my community card but I’m also a nearly 40-year old realist. I just put everything in 1Password and pay them and forget about it.

If they do something heinous I’ll move to something else but this is not something I want to mess with.

  • rossng 4 hours ago

    That's a fair position - I'm also not insistent on using an open source product. I'd just prefer that the nature of the product isn't silently changed underneath me.

    If it's proprietary, and that's clear from the start, I don't think that's necessarily a problem.

solardev 5 hours ago

Not FOSS at all, but I've used 1password for years and love it. It's one of the few pieces of software that just works across my devices (Mac/iPad/Android phone), cloud sync is awesome, and built-in support for cloud-synced 2FA and Passkeys means I never have to worry about replacing devices.

I pay for a family plan and share it with family members. It's really wonderful and something I never have to worry about.

It's not the kind of thing worth wasting time self-building and hosting, IMO, especially the cloud component. I don't want to keep up with all the latest exploits and zero-days; much rather have a commercial company taking care of it with a vested interest in keeping your data safe.

There are FOSS things like Keepass XC. But the overall experience just sucks compared to 1password.

politelemon 5 hours ago

I would not recommend a password manager with a cloud component dependency, that is the means by which the proverbial rugs are pulled. It's important to be in control of the vault yourself. Any keepass variant should do such as keepass2 and keepassxc.

ww520 6 hours ago

Use KeePass and its variants, for storing the encrypted data in a local file. Use any of the file sync products to sync the file across devices, e.g. Dropbox, Syncthing, etc.

  • hurutparittya 2 hours ago

    Not having a built-in syncing mechanism is the #1 reason I'm looking to move away from KeepassXC as soon as possible. Making users kludge together their own makeshift sync methods using file shares and Dropbox is honestly comical when syncing is probably one of the main features people think of when talking about password managers.

    • ww520 an hour ago

      You give up control of your important file to a 3rd party who controls the encryption and the storage.

  • aborsy 4 hours ago

    Syncthing Android app has been discontinued too this week.

jsvcycling 6 hours ago

I'll likely be migrating over to Proton Pass[1] since I already have a Proton Mail subscription anyway. Seems like it meets all your criteria depending on what you consider to be a reasonable cost for a subscription.

[1] https://proton.me/pass

  • AJMaxwell 5 hours ago

    Made the switch from BitWarden to ProtonPass a few months ago. I'm very happy with the switch despite Proton Pass missing some android functionality BitWarden has.

chickahoona 6 hours ago

Take a look at Psono.

https://psono.com

It's quite similar to Bitwarden, open source, has support for all common browsers with browser extensions, autofill and apps for Android and iOS. You can host it yourself or use the free hosted version on https://psono.pw A nice goody: even the enterprise version with all the enterprise features like SAML and so on is free for up to 10 users.

DrBenCarson 5 hours ago

There are very few open source password managers that have cloud sync and modern clients on popular platforms (I honestly don’t know any that I can recommend).

The logic is making things open source can allow attackers to more easily identify vulnerabilities (flawed logic, but there’s some truth to it)

I would stick to BitWarden or consider 1Password if I were you

I did see https://passky.org/ sometime back, might work for you on Android

rspoerri 4 hours ago

In response to the topic of Bitwarden being VC funded I have started to migrate to KeePassXC. It works pretty fine, also export / import worked well, some minor issues with a too strict db-locking policy which I think I managed to fix in the settings. It's missing cloud sync, but I do my file sync over Syncthing anyway. But I'm on OS X and I haven't tested on Windows yet.

throwaway77385 6 hours ago

Hmmm, I'll be monitoring how this develops. I'm quite committed to Bitwarden. Let's see where this goes.

egamirorrim 5 hours ago

Enpass is pretty good, store your vault in your own <cloud storage>