The title was correct but they appear to have changed the policy since the post was made, likely as a response to feedback.
Notice that in the archive from earlier today the "Who is excluded from this account email-based new device verification?" section did not have the new fifth bullet point about being able to opt-out:
Thought it was worth pointing this out since I've already seen people reply to old comments thinking people didn't read the article without realizing it was later changed.
This is terrible, honestly. One of the reasons I use Bitwarden is to be able to not know all my passwords besides the Bitwarden one. I don't know my email password, so can't use that for 2FA. Same for using my phone number or an authenticator app, if I lose my phone, I would also be locked out of my account.
The risk of someone stealing my phone is much higher than someone stealing my main password where I live. I intentionally decided not to use 2FA, because that is what makes most sense for my context. I'm ready to take full responsibility for not using 2FA, but now I can't.
Agreed. There is no way to rely on the simple model of 'my master password is the single point of failure' now. With any form of 2FA, there is now lockout risk in a way that cannot be mitigated fully. Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe? Or if you're traveling and need emergency access to your accounts after your phone gets stolen?
On the reddit post announcing this, Bitwarden added a response saying they will provide an opt-out option. It's unclear if this opt-out is temporary or not. It would be a huge step back for their product if 2FA becomes mandatory.
That actually happened to me a couple years ago. I was in a foreign country, and lost my phone. All I had to do was buy a new cheap phone and login to Bitwarden again. If I had 2FA enabled, I'd be completely screwed.
> Bitwarden itself recommends printing out a recovery code and storing it in a safe, but what happens if you lose access to that safe?
I feel like your own creativity is limiting you here. There are lots of options to store those backup codes. Including giving them to multiple relatives to keep in a safe place so you can call and ask for it, creating a dedicated email account with no 2fa and email the code there, leave yourself a saved answerphone message with it on so you can dial in and listen, write it in the important info section of your passport so you always have it abroad etc etc...
I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.
When they lose it, they lose access to email, and there is no backup plan here. Using bitwarden is far far superior to them using the same password everywhere, but this will drive them back to the same behavior.
>I'm very frustrated about this because for a lot of my family members, their phone is the only computing device they have.
That's actually a really good point. My 1Password setup is resilient to device loss because I have multiple registered devices, any of which can spin up a new device with just my master password.
But if you're in a situation where you only ever have one device and lose it, then you can't bootstrap a new registration going from 0 devices to 1.
There's definitely a security/resiliency tension here. Is it desirable to have your password manager protected by just a user-specified password? That can allow you to go from 0 devices to 1, but it also greatly lowers defenses against account compromise. You can have a paper recovery kit, but people will misplace that, if they even create it in the first place. Social attestation could be a decent if imperfect mitigation: if everyone is on the same family group, then maybe the admin or the group can recover access for any one person.
Email is not a good second authentication factor anyway. I have 6 u2f tokens on my high priority digital accounts, as well as printed recovery codes in several places. Only 1-2 tokens ever actually travel with me, the others are kept safely in different locations.
Given that most people are cracked wide open if their password manager is compromised, I do feel it's sensible for a password manager to insist on 2FA, but the email chicken and egg problem is a concern for those migrating, and hopefully they backed up their recovery codes.
Email can be a perfectly good second authentication factor.
It depends on the asset you’re protecting and your threat model.
I have quite a few accounts whose value does not cross a threshold where I care about the risks of email… and my workflows would be enhanced dramatically if I could use it as a second factor.
The reason I can’t is not because of security or anything at all to benefit me, the user. It is because the services themselves need to throw sand in the gears of the bad actors abusing their services.
My email address can't be SIM swapped, my emails aren't transmitted using weak 90s encryption algorithms over the air (and via dubious, largely unauthenticated 80s protocols on the wire), and my mailbox is itself guarded by 2FA.
Same here. I'm very sad about this 2FA thing. Bitwarden was so easy to use, I could always get an access to my accounts with just my secure master password. Does anybody know good alternative?
I solved this issue using pass-otp on my computers in addition to my mobile authentication app. This way my desktop, laptop, and mobile device all have the ability to generate my Bitwarden OTP code.
In addition to your phone, you can also set up to 4 other Webauthn tokens, Yubikeys or FIDO2 devices as well as a printed recovery key. If none of those fall-backs work for you, perhaps switching to a different password manager is best.
I hear you, and I somewhat feel the same. However, a workaround would be to save the TOTP secret safely like a password. I have started treating all my TOTP secrets as my secondary passwords.
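As an added example (not code from the thread, from Bitwarden or from pass-otp), this shows why a saved TOTP secret is a usable backup, as the two comments above rely on: an RFC 6238 code is a pure function of the secret and the clock, so any device holding the secret produces the same code, and the server-side check accepts a little clock drift. The otpauth URI, issuer and account name are constructed.

```python
"""Regenerate and verify TOTP (RFC 6238) codes from a stored otpauth:// secret.

Added example, not code from the thread or from Bitwarden/pass-otp. The
base32 secret an authenticator app enrols is the only state a TOTP second
factor has, so a copy of it (kept as carefully as a password) lets any
device produce the same codes. The URI below is a constructed sample.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the format authenticator apps import from a QR code.
# JBSWY3DPEHPK3PXP is a common documentation secret ("Hello!" + DEADBEEF).
SAMPLE_URI = ("otpauth://totp/Example%20Vault:alice%40example.test"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Vault"
              "&algorithm=SHA1&digits=6&period=30")

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret and parameters from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def decode_secret(b32: str) -> bytes:
    """Base32-decode a secret; exported secrets usually omit '=' padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at // period, digits, algorithm)


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """The code a second device would display given only the saved secret."""
    p = parse_otpauth(uri)
    now = int(time.time()) if at is None else at
    return totp(decode_secret(p["secret"]), now, p["period"], p["digits"], p["algorithm"])


def verify(key: bytes, candidate: str, at: int, period: int = 30, skew: int = 1, **kw) -> bool:
    """Server-side check accepting +/- `skew` time steps of clock drift.

    Uses a constant-time comparison so the check does not leak how many
    digits of a wrong guess matched.
    """
    for step in range(-skew, skew + 1):
        if hmac.compare_digest(totp(key, at + step * period, period, **kw), candidate):
            return True
    return False


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], code_from_uri(SAMPLE_URI))
```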
I abandoned Bitwarden a while ago in favor of Enpass after the 2nd time in 3 weeks that Bitwarden refused to open my LOCAL vault because of a problem with BITWARDEN's servers.
Similar. I switched to Apple Passwords, and pretty much stopped using Chrome except for gmail. I use a multitude of browsers, but I am 99% safari for sites where I need the PWM.
I hate building a lock-in to the ecosystem though, and have been meaning to look at Enpass.
I can understand adding some friction to discourage using Bitwarden without 2FA, but making it mandatory seems very wrongheaded. I've been using 2FA on Bitwarden for a while and it adds a lot of friction and made me very nervous that if I lost my phone I'd be locked out of literally every account I have. I mentioned elsewhere (link below) that I have solved this issue for myself, but people shouldn't be required to jump through these hoops and introduce a greater opportunity to lose access to their accounts if they should lose their phone.
And even if 2FA wouldn't have ANY downsides, it's still not their fucking business if users want to use it or not. There are a million ways to leak your credentials to a service anyway, and I don't know anything more annoying than when a service tries to protect you from yourself (sometimes locking you out of your account while doing so). If a user wants to have no 2FA, no backup email, to use qwerty as a password and to write it on a sticky-note attached to a display, it's their right to do so. It's not Bitwarden's (or anyone else's) responsibility.
I agree, and when I first read the headline, my reaction was "Well, I guess it's time to start researching different password managers, because I obviously can't use Bitwarden anymore."
However, despite what the headline says, this 2FA does not appear to be mandatory.
Under the heading: "Who is excluded from this account email-based new device verification?"
> Users who opt-out from their account settings, to which an option will be added, are excluded.
To clarify, this was new information added to the release within the past hour or so, which seems like the company responding to criticism. The original article gave no indication 2FA was anything but mandatory.
Thank you. The title should be changed, really. Following an ancient HN custom I've chosen to get annoyed before reading the article, and the title simply isn't true. In fact, it's exactly what GP suggested, which is a perfectly nice way to implement that. (Unless, of course, one day they get rid of that option as well...)
It seems like the alternative is to allow anyone with just the master password to get access to your vault. That doesn't seem so great.
I'm on 1Password and it's basically a 2FA setup there too: to register a device, you need to have the master password (what you know) and the secret key (what you have, randomly generated at vault creation). Losing my phone isn't a big deal because I have 1Password on multiple devices, each with a copy of the secret key, so there's pretty good hedging there.
I also carry a physical Yubikey, which grants me passwordless access to my email account (assuming I know the PIN to unlock the hardware, which I do). That's probably overkill for most people, but that's another layer of hedging too.
It's, possibly, not good enough. In case of a fire, if you left all your phones at home, you are screwed.
Exactly because of the fire risk, I set a policy for myself that all passwords should be somehow recoverable only from something that I know. However, I don't meet this policy at the moment.
Aren't you screwed if you can't get access to your home for whatever reason?
That hopefully would only happen in extremely rare conditions, but that's not a risk everyone would take. Especially in areas where losing your home is a very real risk, and you'd be hanging on to your data by a string while facing an otherwise already challenging situation.
You certainly shouldn't rely on just your phone. If you store your 2FA token in Bitwarden, you can use any of your other devices that you have used Bitwarden with recently.
The 2nd factor is only needed when it's new or occasionally in other cases. I don't know why you say it adds lots of friction, unless you are frequently signing into new devices.
And as a failsafe a printed backup code is pretty important.
I understand that in theory storing the 2FA for Bitwarden in Bitwarden itself can work, but I don't know if I can ever bring myself to store the key to the car in the car, even if I pinky promise myself that I'll never lock all the car doors at once.
This is doubly true because Bitwarden has not been consistent at only asking for 2FA on brand new devices, so it's not even just me that I have to worry about locking the car doors.
I am not suggesting friction as security, I am suggesting it so that the average user is funneled towards the most secure option, i.e. using 2FA, while allowing experienced users to put in a small amount of effort to disable it.
There is still a ceiling to how secure a password can be which 2FA solutions will generally beat (mainly by the secret not being spread as far when used, such as keyloggers, window focus mishaps, or simply being sent to the server verifying it).
I like bitwarden, but there are a lot of weird things that make me want to move or find a self-hosted solution. This feature may actually cause me to leave. I actually ended up buying a subscription and then refunding it in less than an hour.
So what's going to happen? Are they going to cache my location? Or are they storing a cookie on my side? Neither sounds great. Ever hear of a VPN? That's going to make my life easier....
Some more general complaints:
The storage thing is really weird. Did you know it is just stored on their server? So you can't store locally. But the worst part, when you want to retrieve the item then you download it and it just appears in your download folder. This is TERRIBLE and both of these make it absolutely useless. I got to download it when I need it, hope I have internet in that situation, and then delete it after because I'm... storing sensitive information, right?
The new design is just terrible and could only be designed by someone who assumes you never open the panel to fill in the website. Yet... that's the *most common* reason I open that.
Things like this give me concern that those designing the tool aren't thinking about other things. When it comes to security, all the little things matter a lot.
Of course there's frustrating things that I know they have little to no control over, like all the dumb Microsoft logins I'm forced to have and then annotate because I keep logging into the wrong account. But I do like that it integrates with Firefox's relay. The only thing I wish is that it wouldn't name the mask "Generated by Bitwarden." but "the fucking website name" (sure, append "Generated by Bitwarden" but no one cares and this does nothing to help brand recognition, it just makes things confusing).
I looked into this a while back and it was quite complicated. If you're used to hosting your own infra, it may not be a big deal, but it's definitely not a simple task for even an advanced desktop user. I ended up choosing KeepassXC, which just uses a dumb file on disk that I sync with Git.
Sure, but then I need to spin up a server, lock everything down, pay money, deal with all that other stuff, and well... this isn't going to work for: my partner, my parents, my friends, my family, and so on.
If anyone works at bitwarden can you get your UI people to stop retheming for the umpteenth time and instead make the "detailed view" of any entry read-only by default? Every time I need to access my notes on an entry I'm scared that I'll accidentally typo a letter into my password or a 2FA code or something.
I get the desire to make the Bitwarden login more secure, but this is very likely to cause problems for users who don't have their email password memorized. 2FA already carries the burden of needing a backup if you lose your phone. This change means users will need to come up with an alternate way to log in to their email account. I'm not sure it's worth it.
I'm taking this opportunity to Ask HN: what do you think of the new Bitwarden browser extension?
Sure it looks more modern and a few things are better.
But personally I HATE the new "copy" button.
With the old version there was a button for each field: one to copy the login, one to copy the password, one to copy the TOTP.
Now there's just a single button that will display a list of options to choose from depending on what you want to copy.
So instead of copying a field with one click, now I need to do one click, go on the right option, and another click.
Even worse: if the account contains only one field, the copy button will still display the list of options, with just one option.
How could nobody think that when the user wants to copy something from a list, and this list contains only one item, the right thing to do is to copy this single thing, not ask them what they want to copy...
I don't mind the general visual update. But the change to the copy buttons was a step backwards.
To the bitwarden folks... if I'm opening up the extension 99% of the time it's one of these use cases:
1. I'm creating a login for a new site
2. I'm on a site that doesn't support autofill, and I'm manually copying user/pass/code
3. I'm filling credit card info, and want to select a specific card
Both #2 and #3 got worse with this change. Put the damn copy buttons in the huge amount of whitespace you have for the entry. Don't hide them in an overflow. Put each of the user/pass/2fa buttons in a fixed space, and don't move them.
To throw in a second viewpoint: 99% of the time I open the extension, it is to trigger auto-fill. I don't like having my credentials auto-fill on page load, I like to be the one to trigger it.
That being said, I also hated the change that hid the copy buttons, but they have a setting that brings them back.
I like it! With the width and quick copy options under appearance settings there are no glaring issues, but there are two big benefits:
1. It's much faster. This alone makes the refresh worth it imo.
2. The edit item / fill item UX is much more consistent than it was. Before, when you search for and click a card it opens the item, but if you click a card because it matches the current domain then it fills the item; to open it instead you have to click the little "open item" button. Even as a long time user I would often misclick because the context changes the behavior of clicking a card and my muscle memory would be the opposite of what I wanted. Now there's a "Fill" button when a card matches the current domain and clicking anywhere else always opens the item. My only critique is that the Fill button could be a bit bigger so it's easier to click.
You probably know this, but I'm just writing it here because it took me a while to figure it out — you can also use the keybinding (Ctrl+Shift+L) to fill in login forms. It works 90% of time, and you don't need to copy anything. It really reduced the number of times I'm interacting with the extension's panel.
I like how it's faster than before but the modern UI design trends are starting to wear on me. If you could have the old theme with the new features that would be good.
The two-click copy button is absolutely the worst new "feature" they added. That setting should be opt-in by default.
I hate how small the "Fill" button is, and how clicking on a card that represents saved credentials is no longer assumed as an intent to fill username/password on the page you're on.
In some cases, it just falls apart when displaying over a text box and doesn't know what to do with itself, and sometimes breaks the UI for me. I keep the desktop copy around for the cases where I don't want to fiddle with the extension.
100% this is one of those changes that makes me doubtful of Bitwarden being a well maintained service in perpetuity.
Like, if this change was an accident and slipped through that is bad. If it was approved, it's even worse because as you said, it shows that the person who is in charge of how we, the users, interact with the product day-to-day doesn't understand the product or doesn't take their role seriously.
My personal problem is that I self host and the updated extension just completely fails to connect to my vaultwarden instance. I probably just need to repull the updated docker container, but it's something I would have rather not thought about. But since the extension auto updated I'm forced to think about it.
Interesting - I'm also running self-hosted and didn't have this problem (I think my last image pull was about a month ago, though - so somewhat recent).
Alternatively, at least for chromium browsers - you can download the .crx directly, unzip it (p7zip will do it), and sideload it using the "Developer mode" checkbox on chrome://extensions. Firefox sadly doesn't support this - they'll remove any sideloaded extensions on browser close.
I mean, you're explicitly choosing to self-host an alternative backend server which isn't affiliated with Bitwarden. You could have used their SaaS, or self-hosted their official backend they provide on GitHub, for free, and which is almost entirely open source (AGPL, they have some small enterprise specific bits such as SSO which are under a commercial license which is still free, just not open source).
But you choose to self-host a random person's project that tries to keep track with Bitwarden APIs and various frontends, on a best effort basis. That's a ton of risk I really wouldn't take with something as sensitive as passwords to everything.
For me, it is the double scroll bars in the browser extension. One to scroll in the list of passwords and another to get to the bottom of the extension window. This is even in "compact" mode.
It's been much, much slower to load on click for me now. Surprised others haven't experienced that so wondering if it is some extension conflict. Consistently takes 2-3 seconds to load up after click whereas before was instant-ish.
This extension is the only thing on my computer that is slow. I have an M1 Pro and an M1 Max laptop and the new visual refresh has made the extension very slow and a lot less usable.
The old one was instant on clicking the shield icon. The new one is slow and flashes a few times before showing me the UI.
Also, the entire field used to be selectable to fill fields. Now I have to aim at the tiny Fill icon and it's even harder to get to the time-based 2FA code.
I get why they've done it but I have never seen any software this slow in my life. Even just displaying the boxes seems like it needs a progress bar.
Related question: is there any way to keep the Bitwarden window open when I’m unfocusing it without popping it out into a separate window? That workflow makes copying logins painfully slow for me.
It wouldn't be so bad if the window closed but at least remembered the entry. I often have the issue where I had to search up an entry (credit card info for example) and then when I reopen the extension window I have to start the search all over again.
I love the fact it remembers what page you were on and leaves it on that page.
In the previous version, you'd go Vault -> Search -> [Find Thing] -> Copy Username, but when you de-focused the extension it would return you to the vault home, so yet again you had to do Vault -> Search -> [Find Thing] -> Copy Password.
This one, when it loses focus, it stays exactly where you left it.
Hate it (using the Firefox one). The look is weird, seems to waste space. New copy button sucks. I spent 10 minutes one day not being able to login with a copied password, not realising it was because I was lacking the second click. Also the new suggested results (when searching) honestly just get in the way, since the order of the results is not always the same anymore.
The new extension is a lagfest. There's a noticeable 2s latency to every action now. I don't know how something like this makes it to GA. Long ticket: https://github.com/bitwarden/clients/issues/12286
seems there are reports of different sorts of delays in the comments.
w.r.t. a small, split-second one in initial rendering, i'd take it ten times out of ten over what it was for me all these years: immediate ability to key in input, but if you typed at the precisely (im)perfect moment, which was an extremely common occurrence, the extension would bug out and not perform the actual search.
so i'm sitting there for about a whole second wasted for having waited out the threshold to realize that it bugged out yet again and didn't perform my search. then, i would have to either backspace or type in the next character in the query in order to trigger the search; this was often an unpleasant added mental overhead when backspacing would repopulate results that you were trying to filter out.
i'd rather have the split-second delay for every initial render.
I'm not a fan of the copy button and design as well. Dark mode has huge contrast with outlines, and rounded corners are space inefficient. It's like a design for a small touch screen, not a desktop addon to a browser. Take inspiration from uBlock.
It's awful, it's slow, it's hard to use, confusing and they made editing even worse. The old UI also had its problems but they weren't this bad. I despise these constant UI changes that only make the product worse without any benefits.
I hated it so much I migrated to ProtonPass, deleted my data, and set my account to expire.
Then Proton CEO made some statements I found offensive, so I re-activated my Bitwarden account, migrated back, and am now learning to love the changes.
The best I've got for tips are:
1. Settings > Appearance > Quick Copy
2. Settings > Appearance > Compact Mode
3. Settings > Appearance > Extension Width > Wide
I still don't love it, but it remains the best of the bunch.
The day Bitwarden was VCed I knew there will be a time when I will be desperate to find alternatives. I guess that time is coming closer.
The thing I despise most among their UI “improvements” is entry click expands the entry now. To fill you have to find that tiny “fill” button and click that.
The new desktop browser plugin is disgusting even after I went through settings. Won’t reiterate here, one of the worst UIs I’ve ever seen and if I were to choose today, I would not choose bitwarden only because how ugly and unusable it is.
It took me a day to get used to the new UI but now I love it - just goes to show that you can only get UX wrong / UX is hard. It’s good to have both options configurable though!
This one is not too bad since it's only once per device, assuming they define a device by generating some unique value at first login so I really won't have to go through it again despite any updates, changes in network, etc.
In general though I have become incredibly sick of mandatory 2FA for every-goddamn-thing. I do use it very often, but it should be my choice and not forced on me. The usual retort is blah blah blah I might understand the trade-offs but normies don't and so forcing it is a net positive, but I'm me — not them, so that usual response is just to tell me that my feelings don't matter.
Since service providers are often legally and even more often practically required to cover losses resulting from account takeovers, it's really not your choice alone.
https://web.archive.org/web/20250128011007/https://bitwarden...
https://github.com/tadfisher/pass-otp
Uh, no.
You do have backups right?
https://news.ycombinator.com/item?id=42853696
Given that only I have my master password I don't see what's wrong with it.
I use Bitwarden 2FA with my phone, but I have backup codes stored in a fireproof safe with my other important documents.
Removing the friction of many passwords is the whole reason a password manager is good in the first place!
It seems like every IT person needs this lesson reiterated to them, at least once a year...
You can selfhost Bitwarden. There is also an alternative server named vaultwarden.
passwordstore.org and "git init --bare password-store.git" somewhere on your own network.
Deleted Comment
Any reverse proxy handles that by default, it's no longer a gotcha
Sure it looks more modern and a few things are better.
But personally I HATE the new "copy" button.
With the old version there was a button for each field: one to copy the login, one to copy the password, one to copy the TOTP.
Now there's just a single button that will display a list of options to choose from depending on what you want to copy.
So instead of copying a field with one click, now I need to do one click, go on the right option, and another click.
Even worse: if the account contains only one field, the copy button will still display the list of options, with just one option.
How could nobody think that when the user wants to copy something from a list, and this list contains only one item, the right thing to do is to copy this single thing, not ask them what they want to copy...
I don't mind the general visual update. But the change to the copy buttons was a step backwards.
To the bitwarden folks... if I'm opening up the extension 99% of the time it's one of these use cases:
1. I'm creating a login for a new site
2. I'm on a site that doesn't support autofill, and I'm manually copying user/pass/code
3. I'm filling credit card info, and want to select a specific card
Both #2 and #3 got worse with this change. Put the damn copy buttons in the huge amount of whitespace you have for the entry. Don't hide them in an overflow. Put each of the user/pass/2fa buttons in a fixed space, and don't move them.
That being said, I also hated the change that hid the copy buttons, but they have a setting that brings them back.
And search input until it's first rendered is lost now.
Context: I need to input a 2fa code every morning when I start working - previously this was click on Chrome extension, type work, move hand to mouse.
Now it is click, wait wait wait click again wait wait wait wait, click (menu opens finally), click on search input, type work, click on copy 2fa code
Funny how I didn't even think to look for appearance settings.
It looks like an afterthought from them because the label is the only one not translated on the extension.
Anyway, I'm more than happy to have the quick actions back!
1. It's much faster. This alone makes the refresh worth it imo.
2. The edit item / fill item UX is much more consistent than it was. Before, when you search for and click a card it opens the item, but if you click a card because it matches the current domain then it fills the item; to open it instead you have to click the little "open item" button. Even as a long time user I would often misclick because the context changes the behavior of clicking a card and my muscle memory would be the opposite of what I wanted. Now there's a "Fill" button when a card matches the current domain and clicking anywhere else always opens the item. My only critique is that the Fill button could be a bit bigger so it's easier to click.
I hate the title "Tips for long-time Bitwarden users" like they are seeing us as dumb but whatever.
If I can get my quick buttons back, I'm glad!
That change alone is pushing me to switch password managers.
The two-click copy button is absolutely the worst new "feature" they added. That setting should be opt-in by default.
Settings -> Autofill -> Click items to autofill in Vault view
Like, if this change was an accident and slipped through that is bad. If it was approved, it's even worse because as you said, it shows that the person who is in charge of how we, the users, interact with the product day-to-day doesn't understand the product or doesn't take their role seriously.
If you want, I believe you can override the update url in chrome to stop the auto-update process in the future: https://chromeenterprise.google/policies/?policy=ExtensionSe...
Alternatively, at least for chromium browsers - you can download the .crx directly, unzip it (p7zip will do it), and sideload it using the "Developer mode" checkbox on chrome://extensions. Firefox sadly doesn't support this - they'll remove any sideloaded extensions on browser close.
I mean, you're explicitly choosing to self-host an alternative backend server which isn't affiliated with Bitwarden. You could have used their SaaS, or self-hosted their official backend they provide on GitHub, for free, and which is almost entirely open source (AGPL, they have some small enterprise specific bits such as SSO which are under a commercial license which is still free, just not open source).
But you chose to self-host a random person's project that tries to keep up with Bitwarden APIs and various frontends, on a best effort basis. That's a ton of risk I really wouldn't take with something as sensitive as passwords to everything.
I lost a couple days of new accounts/passwords because this[1] probably happened.
[1] https://github.com/dani-garcia/vaultwarden/discussions/4921
Deleted Comment
The old one was instant on clicking the shield icon. The new one is slow and flashes a few times before showing me the UI.
Also, the entire field used to be selectable to fill fields. Now I have to aim at the tiny Fill icon and it's even harder to get to the time-based 2FA code.
I get why they've done it but I have never seen any software this slow in my life. Even just displaying the boxes seems like it needs a progress bar.
In the previous version, you'd go Vault -> Search -> [Find Thing] -> Copy Username, but when you de-focused the extension it would return you to the vault home, so yet again you had to do Vault -> Search -> [Find Thing] -> Copy Password.
This one, when it loses focus, it stays exactly where you left it.
w.r.t. a small, split-second one in initial rendering, I'd take it ten times out of ten over what it was for me all these years: immediate ability to key in input, but if you typed at the precisely (im)perfect moment, which was an extremely common occurrence, the extension would bug out and not perform the actual search.
So I'm sitting there for about a whole second wasted, having waited out the threshold to realize that it bugged out yet again and didn't perform my search. Then, I would have to either backspace or type in the next character in the query in order to trigger the search; this was often an unpleasant added mental overhead when backspacing would repopulate results that you were trying to filter out.
I'd rather have the split-second delay for every initial render.
At least on safari.
Then Proton's CEO made some statements I found offensive, so I re-activated my Bitwarden account, migrated back, and am now learning to love the changes.
The best I've got for tips are:
1. Settings > Appearance > Quick Copy
2. Settings > Appearance > Compact Mode
3. Settings > Appearance > Extension Width > Wide
I still don't love it, but it remains the best of the bunch.
Deleted Comment
Deleted Comment
Deleted Comment
actually pretty annoying.
The thing I despise most among their UI “improvements” is entry click expands the entry now. To fill you have to find that tiny “fill” button and click that.
Deleted Comment
Bitwarden, return the normal UI back!
In general though I have become incredibly sick of mandatory 2FA for every-goddamn-thing. I do use it very often, but it should be my choice and not forced on me. The usual retort is blah blah blah I might understand the trade-offs but normies don't and so forcing it is a net positive, but I'm me — not them, so that usual response is just to tell me that my feelings don't matter.
Since service providers are often legally and even more often practically required to cover losses resulting from account takeovers, it's really not your choice alone.