News

What's Really Changing at Bitwarden (and What's Exaggerated)

For several months now, articles have been piling up about a Bitwarden that's changing quietly. Before panicking and migrating, I verified each piece of information one by one. Here's what's solid, what deflated, and the only question that really matters.

Valentin
Valentin Goudet
Shelly Ambassador France
Published on May 19, 2026
9 min read
100% independent review Affiliate links
What's Really Changing at Bitwarden (and What's Exaggerated)
Share X Facebook WhatsApp
0 comments
Contents

Introduction: your password vault is changing hands in silence

Many of you have taken similar paths: leaving LastPass or Dashlane for Bitwarden. And precisely because it was the open source outsider and transparent one that promised free forever. So you entrusted it with the most sensitive thing in your digital life, namely the key that opens absolutely everything else.

Now, since the beginning of 2026, a series of very discreet changes has been accumulating at the publisher, without the slightest press release or blog post, just modifications buried that you only notice if you dig. It actually took a Fast Company journalist to pull the thread for the entire picture to finally become visible.

We're going to look at all of this with a clear head, at the time of writing this article (May 2026), and without giving in to ambient panic. First the verified facts, then what Bitwarden responded with, then why the new CEO's profile raises serious concerns, and above all that question which is the only one that really matters: who really owns your vault?

What's really happening at Bitwarden: the facts

A leadership change kept under wraps

In February 2026, Michael Crandell, who had led Bitwarden since 2019, quietly moved to a simple advisor role, without the slightest announcement from the company, to the point where you wouldn't have known about it unless you dug into his LinkedIn profile. His replacement, Michael Sullivan, is the former CEO of Acquia and Insightsoftware, and that's precisely where the detail changes everything. On his own LinkedIn page he highlights his experience with every aspect of mergers and acquisitions, including work with major private equity funds.

And this isn't an argument pulled out of thin air, because Sullivan orchestrated Acquia's acquisition by Vista Equity Partners for 1 billion dollars in 2019, then a billion-dollar investment from the Hg fund in Insightsoftware in 2021. So we're not talking about a product-focused executive who happened to raise funds on the side, but rather someone whose job is to prepare a company for resale to the highest bidder.

In the wake of that, CFO Stephen Morrison also left in April 2026, replaced by the former CEO of InVision. In the end, only Kyle Spearrin remains in his position. And he had launched Bitwarden back in 2015, precisely because he was worried about what would happen to LastPass under a new owner. The irony is almost too perfect!

The website is also quietly getting a makeover

The mention of « Always free » disappeared from the personal password manager page in mid-April, even though it had been sitting right under the plan selector. The free plan still exists, but the written commitment simply vanished.

And then there's the rewriting of values, which says a lot. Bitwarden defined its culture up until now with the acronym GRIT, for Gratitude, Responsibility, Inclusion, Transparency, except that after May 4 it now means Gratitude, Responsibility, Innovation, Trust. Inclusion and Transparency are out, Innovation and Trust are in, and all of this without any post announcing the pivot. An old 2022 article signed by Crandell was simply edited quietly, and the result is amusing, because the list of values displays the new ones while the explanatory paragraph at the bottom of the same article still cites the old ones, so the post contradicts itself without anyone having written a new one.

grit-bitwarden  What Bitwarden responded with

And here, I want to be perfectly honest, because it's important for what follows. The mention of « Always free » did disappear in the course of April, both from the pricing page and from the product page of the personal manager. But after the publication of the Fast Company investigation, a Bitwarden employee indicated on Reddit that it was an oversight by the marketing team, and the mention was put back in place. And it's verifiable on your end: at the time I'm writing these lines, « Always free » appears again both on the pricing page and on the product page.

So the U-turn is real and complete on this specific point. What remains awkward, on the other hand, is that no official communication explained either the disappearance or the restoration. The customer relationship director, Gary Orenstein, did reaffirm by email the company's commitment to a free plan that he describes as robust.

So let's be clear: to date, there is no confirmed catastrophe, the free plan is still there with no limit whatsoever on the number of passwords or devices, clients remain open source, and no one has taken anything away from you today. What we're observing are weak signals, not execution.

Why this CEO profile is raising concerns

Let's do a little decoding, because jargon tends to hide what's essential. M&A is quite simply the business of buying and selling companies, and a private equity fund buys a company, optimizes its costs, inflates its revenue, then resells it with a nice gain. These funds aren't there to run a software company for fifteen years, they pilot an investment toward an exit, and you never recruit this type of executive by accident but precisely because he knows exactly how this process unfolds.

It's a bit like hiring, to manage the house where you live daily, a property dealer whose entire career consists of quickly flipping before reselling. He can do the job just fine, that's not the question, but his logic is simply not yours. Of course at the present time, all of this remains just a reading, an interpretation of a bundle of clues, and in no way a certainty, since no one has announced the slightest sale.

Except the pattern really doesn't come out of nowhere, because in January 2026, Bitwarden already carried out its first price increase in ten years, Premium going from $9.99 to $19.80 per year (quite a jump!). Again, the news was buried in a blog post about new features, communicated to existing customers only fifteen days before their renewal, and displayed as a monthly price even though the subscription has always been billed only once a year.

Plans bitwarden

Burying the bad news, not drawing attention, betting on the friction of change: that's exactly the same tune as the silent disappearance of « Always free », and the pattern repeats invariably, you build trust, you install dependence, then you slowly renegotiate the terms.

The real question: who owns your vault?

We're getting to the heart of the matter, and it's the entire DNA of what we're defending here. Because for a password manager the threat model is truly unique in its kind: it's not an app among others, it's the master key to your entire digital life.

The good technical news is that client-side encryption means Bitwarden never sees your passwords in plain text. A sale of the company wouldn't give your decrypted vault to an acquirer. The real risk is elsewhere. It hinges on your dependence on an infrastructure and the goodwill of a future owner. The price can climb, the free plan can be trimmed, conditions can change by small increments. The only true safety net, ultimately, is that official clients are open source, so forkable by the community if things went south. And the living proof that this model is already standing on its own without Bitwarden Inc. has a name: Vaultwarden.

Vaultwarden: proof that the model works

What exactly is Vaultwarden?

Vaultwarden is an unofficial reimplementation of the Bitwarden server, written in Rust and maintained by the community. Its brilliant idea can be summed up in one sentence: it speaks exactly the same language as the official server, so all official Bitwarden clients, whether they're browser extensions, mobile apps, desktop application or command line, connect to it without even noticing the difference. All Premium features, from TOTP codes to Bitwarden Send including emergency access, attachments and organizations, are unlocked for free there.

What self-hosting really entails

Taking back control of your vault is an excellent thing, but let's be honest all the way through, because it also means accepting the responsibility that comes with it: you're now the one holding the backups, and losing your vault remains an irreversible disaster. If you don't feel ready to maintain a serious backup routine, stay comfortably on Bitwarden cloud. At $19.80 per year, Premium remains reasonable compared to the competition for fully managed infrastructure and peace of mind, even after the increase. And a botched self-hosting will always be worse than the problem we were trying to solve.

On the other hand, if you already have a Docker stack running on your NAS or on your Home Assistant server, setup won't take you more than an evening. I'm not going to detail it here, simply because I've already devoted a complete step-by-step guide to it that you'll find in my complete tutorial for self-hosting Vaultwarden. Everything's there, all you'll have to do is follow the steps.

Conclusion: no need to panic, but take back control

Let's get to the verdict. If you're on the free plan and have no personal infrastructure, there's honestly no reason to flee today, because the free plan is still there and Bitwarden backtracked on the worst, so just keep an eye on what comes next. And if you still want to move on principle, it's Proton Pass, which is free, credible, Swiss and open source, that constitutes the closest alternative to what you already know.

But for those of you who already have Home Assistant, a NAS and a Docker stack running, my preference goes very clearly to Vaultwarden, because you already have all the infrastructure on hand and it would really be a shame not to use it to take full ownership of the most sensitive data you possess.

The real warning sign to watch for will be the day official clients go closed source, because that day it's no longer about caution but about urgency. Until then, just keep in mind that digital sovereignty isn't some paranoid fad, it's just the smart reflex to take back control while it's still simple to do.

Valentin
Valentin GoudetShelly Ambassador France

Founder of Howmation. I have been coding since age 9, with a background in development and cybersecurity on government missions. I have seen too much tech made complex and hostile, and too much divisive tone on social media. Howmation is my answer: test things and explain them simply, with no jargon and no ego wars.

Visit the channel
NEWSLETTER
Don't miss a single test

The weekly roundup of tests, guides and deals.

Sign me up →
32 800 subscribers
YouTube · @Howmation
Watch the video →

Read next

Did this test help you? Share it.
One share means one less person getting ripped off. Thanks.

Comments 0

Join the conversation

Log in to share your opinion and ask your questions

No comments yet

Log in to be the first to comment