The Quiet Renovation at Bitwarden


Back in March, I wrote about Bitwarden doubling their Premium price — and specifically how they did it. Buried in a feature announcement. Priced in fake monthly increments for a product that has never once offered monthly billing. Communicated to existing customers fifteen days before their renewal, not before.
Bitwarden responded on Mastodon. They confirmed everything in my post while apparently thinking they were defending themselves. I noted at the time that the response was its own data point.
Well. There’s more data now.

The Changing of the Guard

In February, as Fast Company reported, longtime CEO Michael Crandell quietly transitioned to an advisory role. No announcement from the company. You’d only know it happened if you went looking on LinkedIn. Crandell had been with Bitwarden since 2019 — back when they were still the scrappy underdog that everyone flocked to when LastPass started pulling the rug.
His replacement is Michael Sullivan, former CEO of Acquia and Insightsoftware. Sullivan’s LinkedIn page leads with his experience in “all facets of mergers and acquisitions, including direct experience with leading PE firms.”
In plain English: M&A is the business of buying and selling companies. Private equity firms buy businesses, cut costs, grow revenue, and sell them at a profit. They’re not there to run a software company long-term — they’re managing an investment toward an exit. The people hired to run those companies are hired specifically because they know how that process works.
That’s the new CEO of your password manager. That’s what he leads with.
For context: Sullivan oversaw a $1 billion acquisition of Acquia by Vista Equity Partners in 2019, and a $1 billion investment from Hg into Insightsoftware in 2021. That’s not a software guy who happened to raise some money. That’s someone whose stated specialty is the PE integration and exit process.
CFO Stephen Morrison also departed in April, replaced by former InVision CEO Michael Shenkman. Kyle Spearrin — who started building Bitwarden as a hobby project in 2015 because he was worried about what would happen to LastPass under new ownership — remains as CTO.
The irony is almost too much to type.

The Website Is Remodeling Too

The phrase “Always free” disappeared from the personal password manager page in mid-April. It used to sit prominently under the plan selector. The free plan still exists — for now — but the commitment language is gone.
And then there’s the values rewrite.
Bitwarden used to define its culture with the acronym GRIT: Gratitude, Responsibility, Inclusion, and Transparency. After May 4th, that changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.
Inclusion and Transparency are out. Innovation and Trust are in.

Did They Announce Any of This?

I looked hard.
Their blog has nothing about the new CEO. No press release about the values change. No dedicated post about “Always free” being retired as a promise. The press room is silent on all of it.
There is one thing. A 2022 blog post by Crandell — “Defining and sustaining value for Bitwarden users” — was quietly edited. The GRIT list in the body now shows the new values: Innovation and Trust. But the explanatory paragraph at the bottom of the same post still says the old ones: Inclusion and Transparency. Crandell’s name is still on it. The post now contradicts itself, and nobody wrote a new one.
That’s their announcement. A half-scrubbed edit of a four-year-old post they didn’t even finish updating. Same playbook as the price hike — bury it in existing content, don’t draw attention, hope nobody reads closely enough to notice.
Somebody always does.
And since we’re here — in a 2024 interview, Crandell told Fast Company the free tier was “a firm commitment from the company. Fully featured, free forever.”
He’s in an advisory role now. “Always free” isn’t on the page.

I’ve Already Moved On

My Vaultwarden instance has been running since January. The Bitwarden cloud account is closed — I shut it down around the time that last post went live. I’m not watching this because I’m worried about my own passwords. I’m watching it because this is what I document.
The pattern is always the same: build trust, establish dependency, then quietly renegotiate the terms. And it never comes in a single dramatic announcement. It comes in layers. A feature post with a price change inside it. A LinkedIn update nobody made a press release about. A values page that says something slightly different than it did last week.
If you’re still on Bitwarden cloud and this is giving you pause — it should. I wrote about the GitHub version of this story in March — trusted open source platform, promises of independence, years of quiet erosion, then Phase 3. The parallel is close enough to make you nervous. And if you want to actually own your vault rather than wait and see: here’s how I did it.
My read on where this is going: Sullivan’s entire career is taking companies to an exit. Maximize revenue, clean up the balance sheet, make the numbers attractive, find a buyer — a big tech company, a rival like 1Password, someone who wants the user base or the enterprise contracts. That’s what you hire this profile of CEO to do. And if that happens, the hard forks won’t be a question. The price hike got grumbling. Watching your password manager get swallowed by a company you switched away from would kick them off properly.

A Note for Vaultwarden Users

Whether self-hosting stays viable long-term is the real question worth sitting with.
Right now it works because Bitwarden’s clients are open source and the server API is public. Vaultwarden implements that API, and the official apps can’t tell the difference. That depends on Bitwarden continuing to publish open source clients and not restricting which servers they’ll talk to — neither of which is guaranteed under new management.
The brake on the worst case: self-hosting is a listed Enterprise feature that generates real revenue. Killing it upsets paying business customers. That matters.
The catch: what Bitwarden sells to enterprises is their own official server stack, not Vaultwarden. Vaultwarden exists in a space they’ve tolerated but never endorsed. If the calculus shifts, the tolerance ends without any announcement. Just let the API drift until compatibility breaks on its own.
I don’t think that’s imminent. But I also thought the free tier commitment was ironclad, and “Always free” isn’t on the page anymore.
The real safety net is that Bitwarden’s clients are Apache 2.0 licensed. A fork would need a rebrand to stay clear of the trademark — different name, tweaked UI, same engine — but that’s a speed bump, not a wall. The web vault works through any browser regardless of what happens to the apps, so worst case you’d lose autofill temporarily while a fork caught up. Inconvenient, not catastrophic. Vaultwarden itself is already proof the model works.
Watch the clients. If they go closed, the community will notice fast, and the fork will follow.