In March 2022 I received a very well-intentioned message from MYKI Security, the company behind the MYKI password manager. Underneath all the corporate speech their plight was simple: it is very hard to turn a profit for our company so we are deciding to move to other venues.
If you haven't used or heard of MYKI, here's what it offered in its free tier:
- Unlimited passwords
- Unlimited devices
- Unlimited 2FA keys
- Unlimited secure notes
- Unlimited credit cards
A very appealing offer for most users. Their intended customers were teams and businesses but turn out there are not that many of them. Most teams either don't want a password manager ("not a problem" scenario) or they are already using a different one (LastPass etc.).
The problem with MYKI was simple: they didn't want to charge the majority of their users to encourage higher signups, more growth, etc. I was also one of their free users who refused to upgrade because I never felt any need to. I could store unlimited passwords & unlimited 2FA keys, and have them synced across unlimited devices. Why would I upgrade when there were 0 extra features I needed? That was also one of the reasons it was so hard to migrate when they did eventually kill off MYKI — no other password manager, including Bitwarden, offered the breadth of features MYKI did in their free tier.
Note:
If you are a privacy-minded individual who also takes notes, Notesnook recently open sourced all their clients with plans to open source a self-hostable sync server soon.
I'd appreciate that a lot if you can help us by starring the GitHub repo and/or trying out Notesnook.
What does this have to do with Bitwarden?
Let me explain.
Until now the only source of revenue behind Bitwarden were their users (or teams/businesses). Unlike MYKI they do not include 2FA in the free tier but everything else was free (very appealing for new users). What did they charge though? $10/yr:
That is not a boatload of money. Why? Because they know that no one would pay otherwise. Password managers don't have a lot of innovation left in them and the only saving grace behind Bitwarden is its open-source nature. Password managers are a fire-and-forget kind of software. You never even open a password manager except to unlock it. The only real use case of a password manager is to, well, manage your passwords. That's it.
Bitwarden is the only password manager recommended by the majority of the security community to layman users due to its simplicity & security. A wonderful product, to be sure.
But the problem with their approach would be apparent to any business-minded person: there is not a lot of selling potential in a password manager. After a point, you are forced to look towards the B2B market (via MYKI Teams or Bitwarden Business plans) but that is clearly not enough.
The evidence lies in the recent move by Bitwarden to raise a $100M seed fund to shift their focus towards other opportunities (authentication). Bitwarden succeeded. It got popular and hit its peak potential (aside from acquiring more users).
What does the $100M seed funding mean for Bitwarden?
Any kind of seed funding is focused on 2 primary things:
- The potential in the team/product to succeed.
- The need to generate a lot of revenue.
VC-backed startups are intensely revenue-focused. They no longer have the option to say no to business propositions that'd be harmful to the freeloaders at the cost of paywall-ing content, cutting features from the free plan, etc. This makes perfect business sense. You can't make money by selling free food.
Why would Bitwarden be any different? $100M is a lot of money. The first thing that'll happen is either the team's focus will move towards a lot of different things or they'll build things around Bitwarden turning it into a complicated mess no one wants to use (unlikely).
As with any VC-backed startup, Bitwarden will have a limited time to turn a significant profit by whatever means possible. Investors don't like to lose money. And let me tell you one thing. $100M is a lot of money and once you see & handle that kind of money, it's hard to look back. I wouldn't be surprised if after the first few years of trying, Bitwarden the password manager gets discontinued.
The impact of this decision will reverberate over a few months. If the core team starts a different project, you'll see reduced activity in their GitHub repository — the death of Bitwarden is near.
But Bitwarden is open source!
It won't become another MYKI, for sure (unless they close source their code (highly unlikely)) but won't it impact you, as a user, when suddenly the perfect product becomes buggy due to negligence? I am not sure what'll happen here. Maybe the community will take up the project, maybe another company will acquire Bitwarden. In any case, Bitwarden's future is quite shaky.
You can always stay on a certain version, never upgrade, self host and live off of that but how feasible is that for the average Joe? The open source nature of Bitwarden makes this sort of thing more bearable but it'll still be a huge hit.
What can you do?
When MYKI got acquired moving my passwords was extremely hard. There are not many open source (or closed source) alternatives that offer the same set of features as Bitwarden. I eventually settled with Keepass which isn't ideal either (manual sync, old UI, broken clients) but I am quite sure it isn't going anywhere (it's community-run, multiple clients, no centralization, no servers, just a DB version that can't be killed off).
Does this recent news mean Bitwarden is dying off? No. All this is conjecture but based on a lot of previous evidence. Seed funding is extremely bad for the consumer market (unless you are Netflix). Should you migrate to another password manager? Too soon to say anything. You're probably safe for a few years. It is only wise to prepare beforehand, however, in case something of this kind does happen. This includes researching & trying out alternatives or,if you are like me, building your own.
Closing thoughts
I honestly hope this doesn't happen and that Bitwarden stays true to their original purpose but it appears highly unlikely. Moves like these should make you cautious of what can happen (exactly what this blog aims to do).
