this post was submitted on 02 May 2026
33 points (63.2% liked)

Technology


A review of my experience with Bitwarden after several years of self-hosting it, and why I decided to move away from the password manager.

Note: this is not my article.

top 27 comments
[–] punrca@piefed.world 14 points 11 hours ago (1 children)

I use KeepassXC on my laptop (completely offline), export the encrypted backup copy and store the backup copy offline and in the cloud. Also, I manually import the backup file into my Keepass2AndroidOffline Android app (it's a hassle, but I'm okay with it).

But for normies (non-technical folks), the benefits and convenience of using a cloud-based password manager are far outweighed by any security vulnerabilities in such password managers.

Also, Bitwarden's source code is open-source (unlike other closed-source password managers), so I trust it more.

[–] HubertManne@piefed.social 4 points 10 hours ago

I'm one of the folks that reserve important items for a local password manager and use Bitwarden for all the various sites that, if they got taken over, would be annoying but not the end of the world.

[–] eager_eagle@lemmy.world 13 points 13 hours ago* (last edited 12 hours ago)

Bitwarden’s npm distribution pipeline stayed compromised for approximately 19 hours and 334 developers had enough time to pull the malicious package before it was caught.

It was actually about 90 minutes

Everyone running bw in a CI pipeline just handed the attackers whatever else happened to live on that machine.

only if they installed bw in that time window

Otherwise yes, I agree it'd be better if the CLI was written in a non-JS/TS ecosystem. Perhaps Rust or Go. And the criticisms to list including secrets are super valid.

[–] A_norny_mousse@piefed.zip 27 points 20 hours ago (2 children)

What's with the downvotes? The article makes good points, and brings them across politely:

  • it's a $100M for-profit company
  • it's heavy (compared to Vaultwarden, a Bitwarden compatible Rust rewrite)
  • its code base requires proprietary MS libraries and other esoteric (seen from the POV of a *nix user) stuff. I might have summarized this one badly, just read the chapter, it's not long.

My guess is people are salty because

  • they use Bitwarden and don't like to see it criticized
  • they got upset by the javascript overlay which is hilarious imo. I certainly got rick-rolled for a hot second.

FWIW, I don't serve my password database on the www at all. It sits on my own server and I can access it with all my devices, but the software to do that is local only.

[–] femtek@lemmy.blahaj.zone 5 points 16 hours ago (1 children)

How does your phone and laptop outside of the network get to vault warden? Just using a VPN?

[–] robador51@lemmy.ml 4 points 9 hours ago (1 children)

Not OP, but I do that with wireguard.

[–] Mister_Hangman@lemmy.world 3 points 2 hours ago
[–] TerHu@lemmy.dbzer0.com 5 points 19 hours ago

i really don’t get it either. i feel like op tends to write well researched and thought out blogs, which are nice to read too.

@op: you do good stuff!

[–] turdas@suppo.fi 72 points 1 day ago (1 children)

My review of your post: you need to stop using so much emphasis on everything. Not every instance of the word Bitwarden needs to be italicized. Also five different ways of storing passwords sounds insane, and harping on for a dozen paragraphs about Bitwarden's security incidents only to settle on another SaaS password manager sure is a choice.

[–] A_norny_mousse@piefed.zip 9 points 20 hours ago (1 children)

The outward appearance might not be your style, but they make good points, provide facts to support them and most importantly, they remain polite about it.

I personally think the article is worth reading, at least until just before the last chapter, in which the author outlines their own convoluted ideas. And that's where such things belong: in the last chapter.

only to settle on another SaaS

Do you mean Vaultwarden? AFAICS they do not "settle" on it, but they do argue that it is much lighter in almost every respect. And since it is Bitwarden compatible the comparison is valid.


Frankly, I think most people just got salty because of the javascript overlay which I found pretty funny; a mild prank and a good demonstration of the power of javascript.

[–] turdas@suppo.fi 2 points 9 hours ago

Do you mean Vaultwarden? AFAICS they do not "settle" on it, but they do argue that it is much lighter in almost every respect. And since it is Bitwarden compatible the comparison is valid.

I don't know which one I mean, because OP never says which SaaS password manager they switch to, they simply say they switch to a proprietary SaaS password manager:

For group A I’m going with a SaaS password manager that offers proper vault sharing, integrates with the tools clients actually use (SSO, browser extensions on corporate machines, audit logs), and takes the hosting burden off my plate. The platform is proprietary, which I would normally not be thrilled about, but given that the scope of this group is client work only, I’m accepting the trade-off.

[–] ccunning@lemmy.world 25 points 1 day ago* (last edited 23 hours ago) (4 children)

What’s with the sketchy domain name? Doesn’t really instill trust enough for me to click on let alone listen to their opinion.

ETA: TIL about punycode. Thanks all 🙏

[–] elvith@feddit.org 45 points 23 hours ago (2 children)

If the domain starts with xn-- it's a telltale sign that it's a punycode domain name. Read: it does contain characters that are not ASCII characters. This is done as domains need to be ASCII only. The format of these domains is usually xn--allASCIIcharacters-allNonASCIIcharactersEncoded.tld. Example: täst.com is xn--tst-qla.com.

If you manually type such a domain (containing characters like äöüéèçč...), many browsers will still display what you entered, but convert the domain into punycode in the background before connecting.

You can decode the domain of this post and it results in マリウス.com.

[–] MonkderVierte@lemmy.zip 3 points 22 hours ago (1 children)

This is done as domains need to be ASCII only

They don't need to, but a punycode attack is done by using a letter of another language that looks almost identical. I think you still have to actively enable the defense against it (some about:config setting); the poster did.

[–] elvith@feddit.org 8 points 17 hours ago

DNS is ASCII only and so this conversion is done. It is not needed to display the "technical" domain name that results when you enter a domain name with non-ASCII chars in apps, but yes, this prevents character confusion.

https://en.wikipedia.org/wiki/Internationalized_domain_name

In the Domain Name System, these domains use an ASCII representation consisting of the prefix xn-- followed by the Punycode translation of the Unicode representation of the language-specific alphabet or script glyphs. For example, the Cyrillic name of Russia's IDN ccTLD is рф. In Punycode representation, this is p1ai, and its DNS name is xn--p1ai.
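As an added example (not code from any comment in this thread): a from-scratch RFC 3492 Punycode decoder for the xn-- labels described above, checked against the thread's own täst.com and рф examples, plus a mixed-script check for the lookalike-letter problem raised further up. The hostnames used are the thread's; the one mixed-script sample label is constructed for illustration.

```python
import unicodedata

# RFC 3492 parameters and the base-36 digit alphabet (a-z = 0..25, 0-9 = 26..35)
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128
DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"

def _adapt(delta, numpoints, first):  # bias adaptation, RFC 3492 section 6.1
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + ((BASE - TMIN + 1) * delta) // (delta + SKEW)

def punycode_decode(label):
    """Decode one label without its xn-- prefix, e.g. 'tst-qla' -> 'täst'."""
    pos = label.rfind("-")
    out = list(label[:pos]) if pos >= 0 else []   # ASCII code points come first
    rest = label[pos + 1:] if pos >= 0 else label
    n, i, bias, idx = INITIAL_N, 0, INITIAL_BIAS, 0
    while idx < len(rest):
        oldi, w, k = i, 1, BASE
        while True:  # read one variable-length integer (generalized base 36)
            digit = DIGITS.index(rest[idx].lower())
            idx += 1
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - oldi, len(out) + 1, oldi == 0)
        n += i // (len(out) + 1)          # next non-ASCII code point value
        i %= len(out) + 1                 # and the position it is inserted at
        out.insert(i, chr(n))
        i += 1
    return "".join(out)

def idn_to_unicode(host):
    """Decode every xn-- label of a hostname: 'xn--tst-qla.com' -> 'täst.com'."""
    return ".".join(punycode_decode(l[4:]) if l.lower().startswith("xn--") else l for l in host.split("."))

def label_scripts(label):
    """Scripts used by a label's letters, read from each character's Unicode name."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}

def is_mixed_script(host):
    """True when any label mixes scripts, the pattern lookalike domains rely on."""
    return any(len(label_scripts(l)) > 1 for l in idn_to_unicode(host).split("."))
```

A browser's "show Punycode" setting and this check address the same thing: a label whose letters come from more than one script deserves to be shown in its raw xn-- form rather than as the lookalike.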

[–] YoFrodo@lemmy.world 4 points 23 hours ago

That's interesting! And my translation addon says it translates to "Marius"

[–] Glitchvid@lemmy.world 26 points 23 hours ago* (last edited 23 hours ago)

It's just a punycode domain, it ought to be rendered in Japanese:

マリウス.com

Edit: I swear those replies weren't there when I typed mine.

[–] celia@lemmy.blahaj.zone 13 points 23 hours ago

This is Punycode, and allows for non-ASCII characters to be used as a domain name. Your Lemmy client probably does not convert it to Unicode and displays it as random-looking text https://en.wikipedia.org/wiki/Punycode

[–] TerHu@lemmy.dbzer0.com 4 points 19 hours ago

they even have a blog post telling you to never click domains that look like the domain of the blog :D

[–] deegeese@sopuli.xyz 3 points 15 hours ago (5 children)

But what if you don’t want to self host your password manager?

Any non terrible choices?

[–] Samskara@sh.itjust.works 1 points 7 hours ago

Enpass works well for me across platforms.

[–] A_norny_mousse@piefed.zip 8 points 13 hours ago (1 children)

I don't think Bitwarden is a terrible choice. That said, I share the author's concerns in general.

How much does a non-selfhosted password manager cost? Weigh that against the cost of remote-mountable server storage; you can simply put your database there.
(Both costs can be 0 btw)

[–] deegeese@sopuli.xyz 5 points 11 hours ago

The real cost is time and reliability, not money.

[–] muusemuuse@sh.itjust.works 1 points 10 hours ago

Use yubikeys

[–] KairuByte@lemmy.dbzer0.com 3 points 14 hours ago

I prefer 1Password. They use a secure encryption key together with your master password. If you lose the encryption key, your data can't be recovered. The key is only needed during the initial setup and after that you unlock the vault on your device with your master password.

This means if their database ever gets hacked, your data is encrypted in a way that not even you could get at unless you have that secure key.

[–] xnx@piefed.social -3 points 12 hours ago
[–] one_old_coder@piefed.social 0 points 23 hours ago

Your JS overlay is annoying and stupid.