The Slow Enshittification of Bitwarden (Or: Why We Can't Have Nice Things)
There’s a particular kind of dread that comes from watching a tool you actually trust start to show cracks. Not a dramatic collapse, just a quiet shifting of furniture. A page quietly updated. A couple of long-serving executives out the door. A new CEO whose LinkedIn profile prominently features “mergers and acquisitions” and experience with private equity firms.
That’s where Bitwarden is right now.
If you’re not across it: Bitwarden is a password manager with a genuinely good reputation. Open source, reasonably priced, a free tier that wasn’t insulting, and a self-hosted option that let the more technically minded run their own server. That last part spawned Vaultwarden, a community-built alternative server implementation that made self-hosting dramatically easier. The whole setup was, frankly, a model for how this stuff could work.
And now the “always free” language has disappeared from the website. Inclusion values, gone too. The new CEO’s background is in squeezing software companies for private equity returns. You don’t need a crystal ball for this one, though I’ll acknowledge I don’t know for certain what’s coming. Nobody does yet.
What I do know is that this pattern has a name, and we’ve all seen it before.
The comments flying around online are predictable in the best and worst ways. Some people are saying “just fork it.” Which is technically true; the clients are GPL-3.0 licensed (the server is AGPL-3.0, minus the bits under Bitwarden’s own licence), and someone will fork them if things go sideways. But the people saying “just fork it” and the people who understand what it actually takes to maintain a security-critical project long-term are not always the same people. Your password manager is not a recipe blog. A fork that three people are maintaining in their spare time and nobody has audited is a different proposition entirely.
The more grounded takes are pointing toward data portability as the real safety net. Whatever you use, make sure you can export it in a format something else can import, and that the export isn’t one only the original vendor can read back (Bitwarden’s password-protected encrypted export, for instance, can only be imported into Bitwarden). That’s genuinely good advice regardless of what Bitwarden does. No service lasts forever. The question is whether you can leave cleanly when it ends.
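To make “can leave cleanly” concrete, here is an added example of my own (not Bitwarden’s or KeePassXC’s code, and not a tool the post describes): it reads a Bitwarden unencrypted JSON export, refuses the encrypted variant, converts the login items into a CSV that KeePassXC’s CSV importer can be mapped onto, and reports what it dropped so you can check the migration is complete before deleting anything. The export shape it assumes (`encrypted`, `folders`, `items` with `type` 1 for logins and `login.username` / `password` / `totp` / `uris`) is the format as I understand it; check it against your own export. The sample export is constructed, and the CSV column layout is my own choice, since KeePassXC lets you map columns at import time.

```python
import csv
import io
import json

# Constructed sample in the shape of a Bitwarden unencrypted JSON export
# (assumed format; verify against a real export before relying on this).
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [{"id": "f1", "name": "Work"}],
    "items": [
        {"id": "i1", "folderId": "f1", "type": 1, "name": "Example Mail",
         "notes": "recovery codes in the safe",
         "login": {"username": "alice@example.com", "password": "correct horse",
                   "totp": "otpauth://totp/Example?secret=JBSWY3DPEHPK3PXP",
                   "uris": [{"uri": "https://mail.example.com"}]}},
        {"id": "i2", "folderId": None, "type": 2, "name": "Wifi note",
         "notes": "guest network password on the fridge", "secureNote": {"type": 0}},
        {"id": "i3", "folderId": None, "type": 1, "name": "Router",
         "login": {"username": "admin", "password": None, "uris": []}},
    ],
})

BITWARDEN_LOGIN = 1
TYPE_NAMES = {1: "login", 2: "secure note", 3: "card", 4: "identity"}
# Column layout chosen here; map it in KeePassXC's CSV import dialog.
CSV_HEADER = ["Group", "Title", "Username", "Password", "URL", "Notes", "TOTP"]


def load_export(text):
    """Parse the export and refuse the encrypted variant, which other tools cannot read."""
    data = json.loads(text)
    if data.get("encrypted"):
        raise ValueError("encrypted export: only Bitwarden can import this; "
                         "re-export as plain JSON for migration")
    return data


def convert(export):
    """Turn login items into CSV rows; count everything else so nothing vanishes silently."""
    folders = {f["id"]: f["name"] for f in export.get("folders", [])}
    rows = []
    report = {"converted": 0, "skipped": {}, "warnings": []}
    for item in export.get("items", []):
        kind = TYPE_NAMES.get(item.get("type"), "unknown")
        if item.get("type") != BITWARDEN_LOGIN:
            # Cards, identities and secure notes need a different target; report, don't drop.
            report["skipped"][kind] = report["skipped"].get(kind, 0) + 1
            continue
        login = item.get("login") or {}
        uris = [u.get("uri") for u in (login.get("uris") or []) if u.get("uri")]
        if not login.get("password"):
            report["warnings"].append(f"{item.get('name')!r}: no password")
        rows.append([
            folders.get(item.get("folderId"), ""),
            item.get("name", ""),
            login.get("username") or "",
            login.get("password") or "",
            uris[0] if uris else "",   # first URI only; KeePassXC has one URL field
            item.get("notes") or "",
            login.get("totp") or "",
        ])
        report["converted"] += 1
    return rows, report


def to_csv(rows):
    """Render rows with every field quoted, so commas and quotes in secrets survive."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def reconcile(export, report):
    """True only if every item in the export was either converted or explicitly skipped."""
    total = len(export.get("items", []))
    return report["converted"] + sum(report["skipped"].values()) == total


if __name__ == "__main__":
    export = load_export(SAMPLE_EXPORT)
    rows, report = convert(export)
    assert reconcile(export, report), "item count mismatch"
    print(to_csv(rows))          # pipe straight into an encrypted location, not ~/Downloads
    print(json.dumps(report, indent=2))
```

The plaintext export and the CSV are the crown jewels in the clear, so treat them as such: write them to an encrypted volume or pipe them directly into the importer, and securely delete them once the KeePassXC database opens and the item count matches the report. The report exists for exactly that check; the skipped cards, identities and notes still need migrating by hand.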
I’ve been a paying Bitwarden user for a while now, partly on principle. They offered something worth supporting. That calculus gets harder when the thing you were supporting quietly changes its values page and installs someone whose entire career is about financial extraction.
Private equity doesn’t buy software companies because they love software. They buy them because they see revenue that hasn’t been optimised yet. “Optimised” is doing a lot of heavy lifting in that sentence.
The response from a Bitwarden employee on Reddit was reassuring in the way these responses always are, which is to say: not very. I don’t think they’re lying. I think they’re probably telling the truth as they currently understand it. The problem is that the truth can change very quickly when someone higher up the chain decides it needs to. We have watched this exact movie with LastPass, with Authy, with about a dozen other tools that were once good and then quietly weren’t.
The alternatives aren’t bad. KeePassXC is solid and fully open source. Passbolt exists. The self-hosting community will land somewhere. The people who care enough to be reading about this are probably going to be fine.
My quiet concern is for everyone else. The non-technical users who set up Bitwarden because someone like me told them it was the responsible thing to do. Who are now using a thing I vouched for that might be about to get considerably worse. That’s the bit that sits uncomfortably.
I don’t think the alarm bells need to be deafening yet. But I’d be backing up that vault export right about now.