1Password 8 will be subscription only and won’t support local vaults (1password.community)
We'll scan your passwords so we know you're not a terrorist
wink wink
They just committed suicide.
A good open-source alternative; I've been running it for a few years after I grew tired of 1Password's shenanigans.
https://www.passwordwallet.com/
I've been using this for probably a decade now. The UI is ugly as sin, but it works well. I use the Apple Keychain for almost everything, but for my critical passwords, I have copies in PasswordWallet.
PasswordWallet has one feature on macOS that I've not seen in any other app: auto-type, for those times you can't paste into a password field. I use it rarely, but it's nice to have when I need it.
(I have no idea if the Android or Windows clients are any good. I use it only on macOS and iOS.)
That's what the folks at 1P told us all too..
The current app is already bloated by features I don’t use, so I hoped for another evolution of this software.
(I also don’t like the web platform with all those emoji and cheesy design.)
That said, I'm sure a lot of people value their current offering for a variety of reasons, and it obviously makes good business sense. I've been burned by subscriptions in the past though, and I don't want to deal with that again if it can be avoided.
I am being intentionally outrageous but do genuinely feel that a good password manager is foundational to good digital security and I find it baffling that it does not come bundled with operating systems or in some other way offered for free. It's such a basic thing that could be done to increase collective resilience to digital attacks.
(And if 1password doesn't want to sell there should be funding for an open source equivalent with a default server hosted by either the government or a trusted nonprofit.)
bitwarden is free (and open source) and it has just about every feature that the paid ones have. Sync across devices, desktop and mobile clients, notes etc. One of the best pieces of open source software of the last few years and I have no idea why people are paying subscription fees.
Sad to see 1Password use dark patterns to push people towards subscriptions, then twisting that into a claim that people don't want licenses. At least be honest about it.
+1 customer lost.
How do they plan to stay in business? "We have your passwords now! You would not want to lose them unless you agree to our new pricing policy now, would you?"
I would be on-board with implementing the write side to opvault if they'd accept the PR, and would also implement the browser extension protocol server if 1Password would specify it, since as others have pointed out the KeePassXC browser extension is suboptimal
Then again, with all the massive outpouring of Bitwarden support in every single one of these threads ever, I am pretty sure the real solution is just to bite the bullet and jump ship to Bitwarden/vaultwarden like everyone else seems to be doing
I'm willing to stick around long enough to see if AgileBits makes good on their local vault something something, but given the past few years of activity, I'm going with "they're bluffing" or "it'll be a horribly hobbled implementation"
To follow myself up, I seem to have found another "those people don't know what they're missing" situation because I actually did try Bitwarden (Premium) this weekend and what a dumpster fire compared to 1P
I thought about writing up all the shitshow, but ultimately it just boils down to them not caring about their product or users
For some of the platforms, I would actually be on-board with jumping in to fix the innumerable bugs, but with them being a mixed setup (open and "premium" features), the fact that so much fundamental behavior has been broken for so long with no obvious mitigation strategy makes me question whether this is something I would want to invest in
A dead simple (in the good sense!) CLI program that lets GPG deal with encryption and git deal with synchronization and distribution. It's perfect. And FOSS, of course.
You don't even have to run your own internet-facing git repo for synchronization across devices. You can just put it all on GitHub or whatever.
I think 1Password made a smart business decision. By cutting loose the need to support local vaults, they can focus more development energy on other things that 97% of their users will appreciate. It's a numbers game.
That said...Electron? Ugh. I already spend half my day grumbling about the Slack app.
It is quite obvious from the response here that 97% of their users who are actually paying attention to these issues are not on the bandwagon. They should rephrase it as "we could fool 97% of our customers into switching after years of misdirection and misinformation".
Edit: if it's an electron app, my comment does not make sense, sorry, I'd never buy it anyway.
Well, that's the end of my interest then. I had some curiosity after seeing the Rust integration, but I'm not going to pay a subscription fee to sync the smallest part of my day-to-day life. The convenience really just isn't there for me in a subscription. And no local vaults? Double no, please.
It's not like maintaining standalone licenses and local vault storage is hard, it's already there. Just maintain it.
To be honest, I didn't know it supported local vaults.
No you don't. When you have an awesome product that people love, you just fucking leave it alone. These "rebuilds" always make things worse. See also: Spotify.
I was just disappointed that I would have to buy the app again in order to upgrade, because I just couldn’t see why it wasn’t a free update.
The cloud storage, compute, and egress for a password manager is fractions of a penny per year per user.
Yes, engineering and upkeep and new features cost money. If those features are truly valuable, then the market would bear paying an additional one-time fee, just as Photoshop 8 had to be better than Photoshop 7 in some way to justify the purchase.*
But what new features could a mature password manager possibly have? Support for newer versions of iOS and Android is the only must-have that comes to mind.
* File format changes notwithstanding.
Now OSes evolve continuously. Semantic versioning be damned!
I am currently still using them, but once my current apps are no longer supported, whenever that might happen, I will move to another solution rather than paying a subscription for the privilege of storing my data with them.
Uh, I guess I’ll use KeePassXC then.
Trying to buy 1password 7 with a local vault was literally the most miserable software experience I've ever had in decades, so I'm not surprised not many people were using it.
Okay. Then do it.
Make your own password manager. Make your own browser and iOS/Android keyboard extensions for it. Make your own cloud backup/sync of your encrypted passwords.
Do it.
[1] https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...
Have a TON of respect for the man, just a little surprised/disappointed these recent moves happened under his watch and would love to hear his unedited take on it all.
[1] https://www.troyhunt.com/ive-joined-the-1password-board-of-a...
I believe in buying my software once. Not monthly.
Imagine emojis in IETF RFCs. No thanks.
Admittedly, there is a similar problem with words, but there are at least dictionaries for them. :>
They have an established reputation.
Like, imagine it's only Gen X that complains about this, and they are the equally out-of-touch BlackBerry user whose device renders all the emojis in some messed up but hilarious way; then it's a great way to make fun of them without saying anything and just keep bombarding them with an incommunicable internet, while the rest of us don't mind and some of us are also in on the joke.
This is also a consumer product, not enterprise.
Subscriptions for expensive products that rely heavily on deals, licensing and huge cloud infrastructure like Netflix, Spotify, etc.? Yeah, it's not rent-seeking.
Now, for an app that stores your passwords, maybe some attachments and, since forever, allowed local vaults. Nowadays being intentionally crippled unless you adhere to this, comparatively, expensive annual subscription?
Yeah, that's totally textbook definition of rent-seeking behavior.
They’ve gone over and beyond to support old licences far longer than could be expected, and a password manager is the kind of sensitive and ubiquitous product for which SaaS actually makes sense.
Anyone remotely involved in anything similar knows it’s a PITA to keep up to date while keeping device compatibility, and the folks at 1P have been doing great work.
Subscription services to me are only justified if they are providing a SERVICE which they are with the web version and ability to sync through their own servers, however, using a local version with your own vault can be done without any service at all.
So to me this looks like them intentionally crippling their own software in order to force people into paying a subscription fee that is not necessary. They already hide the ability to purchase a standalone license for 1Password 7 trying to get people to pay the subscriptions so this is the next logical step.
The idea that anyone except a tiny infinitesimal minority of all people should self host is ridiculous.
Even a lot of people with IT jobs don't have enough time or knowledge to keep services like this working securely in a way that’s competitive with SaaS (i.e. these people are better served by paying others to do the job).
If you need any proof, just wander around any company that works in IT and do a simple check, see who has the latest OS version and who doesn’t.
SaaS is familiar to consumers and ultimately a nicer business model for most products. If you support SaaS for new customers, maintaining the old product / pricing model indefinitely eventually stops making sense. At some point you have to make a move like this.
It is probably particularly timely to do this because Lastpass recently changed their pricing model (whether deliberately aligned or not). It's no longer possible to use the free plan of Lastpass and use it on both desktop and mobile: you have to pick one or the other. For many use cases this is effectively a requirement to use the paid plan. So now 1password has the opportunity to push legacy users to a paid monthly subscription knowing that some portion who may have switched to Lastpass to avoid a monthly fee now won't be able to do so, and will probably just pay the monthly fee to 1password instead.
Check out Chase's privacy policy as an example:
https://www.chase.com/digital/resources/privacy-security/pri...
A number of information sharing activities cannot be limited. This is typical of any bank or financial institution. Your bank has its own vendors, many of them are themselves SaaS and cloud hosted!
Even large, sophisticated banks can be hacked:
https://www.nytimes.com/2019/07/30/business/bank-hacks-capit...
My point isn't to say "Why care at all? Just open the floodgates!" Instead, my point here is that trust and security in our society is only as good as the people and institutions that back them up. We don't use bank vault doors for our front doors just because we have the knowledge that anyone with simple tools can defeat a home lock.
Therefore, I think that the choice of more inconvenient solutions made just to avoid some nebulous what-if scenarios involving privacy is often (but not always) the wrong way to go.
I personally use KeePassXC (Linux/Android). It's shared via cloud, and I have a keyfile off device, so I'm satisfied it's pretty much completely locked down.
Is it browser integration? Genuinely have no idea why I'd pay for this, or why I'd trust a company with my passwords especially when it's not local.
Personally I don't think Dropbox/Google drive is rolling your own and works for me.
Are there advantages of using it over Apple's built in keychain?
Would appreciate if someone who has used/uses 1Password could comment on this.
1) It is very cross-platform. It works on iOS, Android, macOS, and Windows. I believe that it is also Linux-ready.
2) It has the ability to sequester groups of passwords into "vaults," that can then be assigned in different configurations, for different accounts. This way, the Treasurer gets the banking login, and whatnot, but the Webmaster never sees them, and Treasurer never sees the CP login.
3) It seems to support a whole bunch of TFA.
4) It syncs over everything, and helps to enforce password hygiene.
It supports many more kinds of secure data than passwords and credit cards. It has specific entry types for bank accounts, passports, reward programs, software licenses, and so on.
It also has lots of built-in analysis tools for determining:
- which of your passwords are reused, weak, or present in online password dumps
- what websites can have 2FA enabled on them
As well as the ability to store entire documents in vaults.
Been using 1Password since 2008 and it's the only software of its kind I recommend to anyone on any platform.
-Password sharing
There’s some nice “sanity checks” on all passwords, manual or generated, like reused password warnings and by default it checks your logins at haveibeenpwned, which is a nice to have.
If it were just me, the iCloud stuff would probably be enough.
It has a field for user name and password, both mandatory.
A password manager offers a lot more, including a field for notes or credit card numbers.
I don't think Keychain (up to but not including iOS 15 beta) supports OTP.
On macOS, not much other than Safari seems to use it, I think?
Last github update 657 days ago.
Maybe it's done.
I'd rather use a standalone extension as a password manager than use a heavy Electron app that will run my Macbook to the ground.
It is either Bitwarden or Dashlane at this point.
I still use 1P 6 on macOS even though the missing support for Safari sucks (that actually made me switch to Firefox!)
My point is, there is literally zero added value with the subscription, it’s like buying cars with loans, in fact by buying full licenses I saved money.
I hope that 1P 6 and 7 will last me as long as possible, I don’t see any alternative at the moment. IMHO all other options are less secure and/or less convenient.
Hard disagree. Any security-focused software will have plenty to keep up with between OS changes, browser changes, site changes, new UI patterns, and even simple bug-fixes that you don't get from single purchases.
The fact that you pay a monthly fee doesn’t guarantee you anything you described. In fact there are plenty of feature requests that 1P team has just ignored over the years.
Not only is there no upside, but the missing local vault is actually a horrendous downside.
Self hosting would be nice to keep though. Been thinking about setting up a server to hold all that stuff
This is both upsetting and disturbing.
Being forced into a 1P subscription feels like a downgrade to me. I've been a faithful customer for years, and have used iCloud synchronization for years as well. My entire household uses the app (through family sharing).
Self hosting it is not an option for me (I know how to, and that's why it's off the table), and purchasing a $5/month subscription feels like it's overpriced for what it delivers. I can get 10 months' worth of Family365 subscription for what 1P is asking for a year, and that gives me 6 accounts with 1TB storage each and the entire Office suite.
The thing that seems to annoy people the most doesn't bother me one bit though. If it works, I don't care if it's Electron or not.
I'm instead evaluating Secrets[1] as a replacement. It requires a $20 in-app purchase to unlock full functionality, but even with 4 people buying it, it's still only 1.5 years of 1P service. For now I will try to get the kids to use iCloud Keychain instead.
As for "what's the rush": 1P7 will receive updates for now, until it doesn't, and at some point an update to macOS or iOS will make it stop working, at which point I will have lost access to my passwords. I much prefer to be in control of when that happens :)
I feel more and more uncomfortable in the Apple / iOS ecosystem. It’s getting closed down and commodified. Even when there is something cool in terms of tech, they know how to spoil it.
Instead of dealing with Pegasus head on and starting to fix the security culture of iOS/Mac, they make our systems less secure (less open and less hackable).
I find it sad that there are no viable alternatives for non-tech users. I switched last week to a Librem 14 with Arch Linux, KeePassXC and a Pixel 5 running GrapheneOS, a Mi Band 6 with Gadgetbridge, and a System76 for work. I honestly love it; there are some hiccups, yet it feels exciting, similar to switching from Microsoft to Apple 20 years ago.
Also moved from programming Objective-C / Swift to Rust, Elixir and Flutter/React. That seems to be where the innovation happens today for me. As I work in research I have the privilege to switch easily … we need better alternatives, and I feel even stronger about supporting open source and projects and companies that care about it (Pine, Purism, System76, Mozilla, …).
I'm also not worried about the Mac app moving to electron - I interact with 1password via my mobile or browser plugin 99% of the time anyway, so I just don't really care.
The main "customer benefit" claim for the Electron switch (as opposed to the "developer benefit") they are pushing is "consistent UI across platforms", so your view exemplifies that, at best, there is really no customer benefit to the switch.
The chrome extensions stopped working a few years ago so I got into the habit of just manually searching, cutting and pasting my passwords, and saving new ones. I don’t even think about it and it’s very easy. Paying $3/month to have it automatically populate the user name and password fields isn’t worth it for me, especially when the browser does this pretty well once you input it the first time.
I use it dozens of times a day and it works great. It's not as nice as the modern one that works with the subscription/hosted service but it'll certainly be better than what you're currently doing to muddle through.
But I don't want or need my passwords in the cloud. I don't want or need it to be an electron app. I want a simple, lightweight, highly secure, with good UX password manager. 1Password used to fit that bill. With each successive change it moves away from that.
I still use it because I'd rather pay $10/yr instead of $36/yr. But I wish Bitwarden would take some time to actually make the app not awful in the UI/UX department.
It accepts Yubikey, is open source, has good reputation and is free.
But please donate. Developers spend a lot of work on FOSS of all kind.
I've been using this product since 3.x. I chose it because I could use a wide variety of syncing solutions. It did what it said on the tin. Gave me a place to store my passwords that was secure.
I was a happy user buying upgrades whenever they came out until 7.x where it took me over an hour to figure out how to buy the non-subscription/cloud version and instead find the link for the standalone version.
I paid for versions that I honestly didn't have any features I cared about simply because it kept doing what I wanted it to do.
Gone are the days when you can buy a hammer, and use it to hammer just as many nails as you like until it breaks. Now we have to rent a goddamned hammer apparently. Even that wouldn't be so bad if I could still keep my passwords out of their cloud provider.
They've fucked up; they don't think they have.
So what are the options for someone who just wants a simple place to store a bunch of passwords encrypted in a secure way? With decent clients for iOS/Mac/Windows/Linux that lets me be the only person who has their hands on those encrypted bits?
Damn it. It's only $10 a year but i'd rather buy it outright the way 1P allowed me to in the past.
It runs well. However, I do not trust their cloud (or any cloud) completely. I still have a local vault, which is synced locally over WiFi, with passwords to my router, NAS, bank cards and accounts, and mail accounts. The idea is that should there be a breach at 1password.com, the critical accounts do not leak and the damage is limited.
Edit: Local vaults are not available anymore: https://1password.community/discussion/121638/what-is-the-fu...
I have to look for another solution, then. The all-in-cloud bullshit is not acceptable.
I am happy paying upgrade price for each new version of 1Password but I hate the idea of a subscription.
Dropbox syncing works well for me.
1Password has done almost everything they can to stop people from using the standalone version. I am disappointed and angry.
I understand that my data is safe with you guys at rest. I'm sure your security protocols are top notch. But it's all about attack surface. Things can and do go wrong on the internet all the time. Bits get flipped, certs expire, DNS cache gets poisoned, employees get phished, and MITM is an omnipresent threat. I'd just rather avoid all of that.
Would you mind elaborating on this?
Compromised algorithms are unlikely. But not impossible. Quantum computing enabling brute force attacks is unlikely in the immediate future, but not impossible. Certificate pinning compromise during transport is not implausible for state actors.
And in those scenarios and others, having the vault stored remotely on someone else's machines is inherently less secure than not.
The assumptions made in the paper are clumsy.
A) They will have all of your financial information, as opposed to banks that will each get a slice. So the data they have is much more sensitive.
B) YNAB has around 100 employees in total. They do not have the resources to secure their data the way big banks do. We all have our doubts about security at big banks, but I am sure small startups are way worse.
C) It was all unnecessary for YNAB to go online. The decision, much like 1Password's was about money, not clients. I cannot live in this day and age without a bank account. I can live with an old version of YNAB. Heck, I can live even without YNAB. If banks are necessary evil, YNAB is an unnecessary one. Why increase your attack surface with unnecessary stuff, just because there is some necessary attack surface remaining?
The mobile app is a really key use case for me, and even as a technical person I just can't be bothered to set up hacky sync via dropbox or expect my family to know how to do that. Even if I could be bothered, now I'm just kicking the responsibility to dropbox + myself with all the same problems. I'd rather have the app developers manage that responsibility.
Not trying to change your usage or habits, just wanted to clarify.
It does honestly strike me as the best approach given the constraints, but here in Canada almost none of my banks are supported with OAuth flow last time I checked so giving the 3rd party providers my credentials and having them log into the bank both violates the TOS of my bank and is also far less secure than I'm comfortable with. Storing my financial details in YNAB / their partners is one thing, storing credentials that can be used to actually move or spend my money is another.
It's honestly not a huge deal for me personally. Entering the transactions manually is a good habit as I can see the balances update and mobile app is easy to use right on the spot.
Recent and related: 1password is considering a self-hosted option to store vaults - https://news.ycombinator.com/item?id=28104134 - Aug 2021 (215 comments)
The switch to a subscription service is a forced downgrade for me; it's putting functionality I already have behind a subscription.
This is particularly an issue since the old versions (versions I paid for, mind you) are slowly going away (typically as a recompilation and submission is required to keep them available on iOS devices).
We now pay the subscription, a tad begrudgingly, but I have to admit 1Password overall does a great job.
It allows me to use the vault on all of my iOS devices and that’s sufficient.
What I'm not happy with is the possibility of password access being limited or sync breaking if 1Password servers go down. At least with Dropbox (iCloud, wifi) sync, I have full control over the local vault file.
Ultimately, it might be mostly about ownership and choice for me.
I’m glad you find it affordable, but these nickel-and-dime things add up. Especially when the product fits into $0 software, so $4.99 is infinitely higher than $0.
I feel like these small, “affordable,” services are just whittling away the Unix philosophy of do one small thing well. Layering on unnecessary crap just to charge a fee eventually comes home to roost.
Also, passwords are a lifetime need. So 80 years x 12 months = $4,790.4, and that seems like a cost that should be reduced out of one’s lifetime.
Do I want to go to Tahiti once in my life, or pay for password convenience?
Again, glad you’re happy, but I don’t want to live in a world where I pay $5/month for commercial versions that crowd out what should be community, OSS tools. I love curl and it’s awesome, but I don’t want to pay $5/month/forever.
We forget that taxes are inefficient and should be minimized where possible. A login tax for all eternity sucks.
Your vault is local, and synced to/from the cloud.
Basically just like Dropbox. If your internet is down and you cannot reach Dropbox, all files synced to your computer are still there, on your computer. It's just that any changes you make locally or changes made on dropbox.com cannot be synced until your connection is back.
What I have zero interest in is increasing my attack surface solely for their bottom line.
I'm also increasingly uncomfortable with the company handling my passwords engaging in the sort of spin and dark patterns we've seen from AgileBits in the past few years.
However the differential factor of 1Password, which was that it _didn't_ provide the storage if you didn't want it, has now gone away. Precisely why I chose 1Password when I started using it. I don't see the difference between this and any other password manager now.
There might be security or technical reasons for removing this option, but looking at how hard they've been trying to get me into a subscription during the last couple of years I just think we're on a bad case of subscription-all-the-things here.
Also I see your reply has been downvoted enough to become grey. (EDIT: Looks like between starting writing this and submitting it, you're no longer in the gray from downvotes!) I imagine it's because you made a blanket claim about spin and dark patterns without any supporting evidence. I'd be curious to know what you're referring to since I don't really keep an eagle eye on this stuff, I just use their product.
The one thing I do remember in the vein of "dark patterns" is how they effectively hid the method of doing a one-time payment for 1Password where you have to manage syncing and backing up the password file yourself. Seeing as I have no reason currently to do anything but make a charitable read of that situation which has been decried more than once on HN, I'd be willing to bet they did so for the following reason: They have had many problems in the past where a customer has lost a password file because they were not a power user and did something such as keep it on one hard drive in their only computer. (reinstalled windows, hard drive died, etc.) So they wanted to make something that would prevent that from happening for the vast majority of their customers that don't really understand stuff like backups, or don't have Dropbox, or who aren't part of Apple's ecosystem and have iCloud, etc. so that their passwords will remain safe and secure. So they made their own sync service and hid the version that would do local-only files so that only the dedicated users who really want to do that would find it and use it.
OR alternatively they're a bunch of greedy people that just want to hoover up dollars from our wallets, as people love to accuse them of here. Maybe a little of column A and column B, honestly. Something something needing to ensure they have a company that stays in the black without wanting to absolutely bloat up their own software so it becomes another useless Enterprise(TM) application with each passing paid version.
Also the only affiliation I have with 1Password is I have a friend I recently learned works for them, otherwise I'm just a customer. I just got into one of my little ADHD focuses where I really wanted to reply with something long and detailed, so please don't assume I work for them or something and am defending them because of that :)
Can you point me to where this gets set up? I'd love to do this.
I saw something mentioned about self-hosted vaults. That is something I might consider for my family.
I advocated for the use of 1pass at work precisely because we can share strong passwords with the team. Otherwise, people would just use the same, well-known weak passwords for everything, including business critical ones like domain registrar or Gsuite admin or the root AWS account.
I am not as happy about having another Electron app running on my local box. I hope they spent time locking things down. On the other hand, if it means my wife (on Windows) gets feature parity with my macOS client, that would be good. Even better if the Linux desktop gets feature parity and no longer have to rely on the web or browser plugin.
It saves me so much time compared to how I used to have to do it — pull out phone, unlock, open Authy, wait forever for it to load, type in code, put phone away…
It’s the little things that all add up. I’m very happy with 1Password — been using it for 10 years, and happy to subscribe, considering it’s probably my most-used utility app.
Until your vault is somehow compromised and your second factor is no longer distinct from the first one...
At the end of the day if you want a password vault that is sync'd across devices, you're trusting someone...somewhere. Be that 1password, dropbox, or even that Linode you manually rsync your data to. You've got to decide what is the biggest risk for your own personal use cases.
For me, I'd rather store my sensitive data with a company that has demonstrated a repeated push to keep my data as secure as possible, even from itself. It's their core business, all they focus on.
edit: I misread and was looking at the business page. $4.99/month for family and $2.99/month for user is entirely reasonable!
We have me, my wife, my eldest, and my mum on it - and it is indeed super simple to be able to share things around.
I used to have KeePass/LastPass/Dashlane, but 1Password is the only one I've managed to convince family members to use as well.
Personally, the problem of managing reliable persistence of my password database just isn't something I want to spend time on, and the incremental difference in security posture is uninteresting to me given that it's encrypted at rest anyway. In terms of waking hours spent worrying about the security of my household IT, the security and persistence of sensitive documents (mainly vs. ransomware) is a bigger problem and I like that my passwords aren't tied up in that mess.
And that's why I only use community maintained software with no telemetry or "data driven decisions."
I suppose they could do something like JetBrains where you get updates while subscribed, but realistically login breaks for users would be a mess to support and a standalone text editor is a different service.
This move makes sense to me given their market. Those that want to run a vault can use an alternative that's more of a hassle to deal with.
And also from a user security standpoint, I don't think we can keep making enhancements to users' security habits if we gatekeep good password habits behind paywalls.
But saying that "customers voted with their wallet" and chose subscriptions is disingenuous.
Ever since they've had subscriptions they've made the standalone license page extremely difficult to find on their site. They really didn't give regular users a "choice" - they dark-patterned them into thinking subscriptions were the only option.
As forthcoming / down-to-earth as these posts from the company seem - they are full of spin. Their impossible-to-find standalone license page is a topic they seem to be avoiding.
Edit to add this small addendum: It just really bothers me on an emotional level to constantly run into this juxtaposition as a user of software/hardware: liking a product but being extremely disappointed in the company offering it.
Subscription business models and non-native apps are hallmarks of rot by VCs. Dump them!
I'm increasingly sick of good standalone software suddenly moving to this model. They are a business, I get it.
However how many subscriptions are we going to have to end up with?
I get it with Slack, Dropbox, Github, etc as they all started with infrastructure to run. But 1Password (and Adobe and others) are pushing profits far far above their users. It's a shame.
Granted, the chance of attack is small but the consequences are extreme. There's no single file more valuable on my computer than my password vault.
I preferred buying the license compared to the subscription but I don't particularly mind a subscription for a service I use regularly. I mind the risk to my privacy.
Is it? I would be surprised if attacking 1Password wasn’t a priority for governments and hackers. If the encryption used on vaults is ever broken, compromised, or buggy, users are screwed.
The mass migration of apps to the subscription model has killed this sort of exploration and discovery of new apps. As one example, I recently looked for a flight tracker and many wanted more than $30/yr for a tool that is (to me) an occasional convenience.
I worry less about how much I pay to use an app than how much I'm paying when I'm not using the app. It sucks when I'm too busy to use my language learning app and yet somehow I still end up owing the app developer every month. By the time I end up canceling I might have wasted $60 or more, which certainly doesn't motivate me to install the next app that prompts me to subscribe.
I don't know the solution to adequately compensate developers for their work but I hope the subscription mania goes away.
https://www.passwordstore.org/
The format is plain text. You can git control your password repo. You can organize into directories, etc.
It has an extension architecture; you can have it generate otps, for example. You can have specific passwords unlock with more than 1 key, if you want to do eg. family or business sharing.
There are mobile apps, browser plugins. None as smoothly polished as 1pw, but good ENOUGH. There are (imperfect) tools for migrating, but you can write your own scripts.
So far (using it for 48 hours) the worst part was setting up a gpg key.
[1] https://techcrunch.com/2019/11/14/fourteen-years-after-launc...
I don’t mind paying a subscription fee if that’s what makes the business work and allows continuous updates.
But either they give us a self-hosted option or I’m done with 1password. Keeping my passwords in someone else’s cloud is a red line for me.
https://survey.1password.com/self-host/
Hopefully they will get the picture.
With that said, they've lost a customer here. I would prefer not to pay a subscription, but I might have (though if you do the math, I've had paid upgrades frequently enough I'm not sure they'd have made more money off me with a subscription).
The sticking point is the lack of local vaults and removing the native app. Very disappointing.
The reason I used 1Password to start with and not KeePass was because it was Mac native. It is so deeply depressing to have faster and more efficient computers year-on-year and have all that efficiency wasted by moving to Electron apps. It sounds absurd to say, but there's a real ecological cost to less efficient apps too; it really does add up in aggregate.
The lack of local vault is the ultimate deal breaker, not because I think 1Password are untrustworthy, but because I'm reassured that I don't _need_ to trust them in the same way with a local vault as I need to if they're hosting the vault themselves.
I think what's most disheartening about this is that the customers who dislike this the most are also likely the customers who've been with them the longest and helped them build their business. I know I've been using 1Password since v2.
Given that password management is so central to our daily productivity, jobs, personal lives, I'm not surprised people have some very strong opinions about this. I hope the 1Password management read these threads, but I doubt it.
I will stick with 1Password 7 for as long as I'm able.
Maybe I'll try bitwarden.
You may not like the subscription business model, but it isn't rent seeking. Monthly payment != rent seeking.
> Rent-seeking implies extraction of uncompensated value from others without making any contribution to productivity.
I think the rent seeking comment was about removing the option for (free) Dropbox sync and only supporting the subscription-based plan. They are asking for more money for less product.
I did so after reviewing their audit results, what they documented about their architecture, and after they added great support for Linux. At the end of the day, not everything is a conspiracy - and their model appears to be incredibly secure.
I would like the self-hosting option (that like Bitwarden, will still require a subscription), but a big part of what I am doing is sharing credentials with family. 1Password does a great job there.
Honestly at the end of the day, everything else is about your value proposition. I didn't know or realize that 1Password had shifted to electron as asserted elsewhere. I guessed that there was a new version given that linux was supported but it made no difference for me. Great for them. Likewise, they are far more secure than me editing a password file. Eventually the market will decide here. If people really care about swift versus javascript, then it will penalize them eventually.
That said, people arguing that dashlane and others are better than 1password, given that dashlane has access to your passwords, I can't imagine that this is a choice that makes any sense given the basic requirement of a password manager (keep my passwords safe).
-- edited correction - dashlane, not lastpass.
Custody of your secrets is something a password manager should move away from, not toward.
I moved my data to Bitwarden this morning.
That being said, the thing that got me to change was when I tried out 1Password for a month and ran into a few minor accessibility issues on their web frontend. I sent a support ticket and very quickly got a response back, was told those issues would be fixed, and they then notified me several days later when they were. Like I'm paying 2.99 a month and still received some amazing support. I use a lot of open source projects, and if I have an issue then I try to upstream a fix because the maintainers are usually volunteers, but I've spread myself thin. 1Password gave me the impression that it's in good shape and has great support which was a burden off my mind.
I've recently been using keychain for new accounts, but not sure I wanna bite the bullet and go all in - just need a nudge.
Bitwarden is fantastic. I pay for the OTP features, though I feel keeping the codes alongside my passwords weakens my security posture. That's my choice, though.
I’ve been doing that for more than a decade (more like 2 actually) without a hiccup.
Nobody who values security enough to use a password manager would leave their passwords at the mercy of the next corporate turnabout, when said corporation is evidently untrustworthy.
This is the same lizard-brain self-interest unleavened by any shred of higher brain functions that people like Shkreli exhibit: `the suckers have switching costs so let's jack up the price obscenely while reducing the actual customer benefits.` Some people should be kept away from MBA programs.
This is not to take away from all the technical details of 1P's approach to this, but (once again) in light of what we have seen from the "Trillion $ darling of privacy" enabling scanning of personal content, one has to wonder how long before the same is applied by 1P. Remember your vault can store just about anything. I am sure it is only a matter of time before the case is made that we must think of the children.
Irony of all this, I'm someone who is paid to migrate customer security to the cloud. Runs counter to my thoughts on the matter, but not those making the financial decisions on all sides. I certainly don't fault 1P for making the prudent financial decision that 95% of their customers have made. As part of the 5% I shall wring as much out of 1P7 as possible and eventually move elsewhere.
However, given they have all the passwords for many people, how are they not one of the biggest targets in the world? In their old Dropbox model, I understood the security model. In the service model it's moved to "Just Trust Us".
Is there anyone who can help me understand how this model is secure?
It's basically E2EE (where the encryption key is your master password + secret key, which looks similar to a guid), with the caveat being that 1password is still accessible via the browser so you do have to trust they're not compromising you by saving your secret key + master password separately (that is, unless you're auditing the login page every time you open it).
https://support.1password.com/security-assessments/
They've gone pretty far above and beyond what we're used to seeing wrt sharing security details, audit results, and architecture information.
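As an added illustration of the "master password + secret key" point made above, here is a Python two-secret key derivation; it is example code, not 1Password's own scheme or parameters, and the `SK-` secret key format, the `enrol`/`unlock` names and the work factors are hypothetical.

```python
"""Illustrative two-secret key derivation (added example, not 1Password's code).

The vault key depends on BOTH a human-memorised master password and a
high-entropy secret key that stays on the user's devices. The sync server
only ever sees the salt, the work factor and a keyed check value, so a
stolen server-side record cannot be turned into the vault key without the
device-held secret key.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for the example; real deployments pick their own.
KEY_LEN = 32
SALT_LEN = 16


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> str:
    """Device-held secret in a hypothetical 'SK-<32 hex>' format (128 bits of entropy)."""
    return "SK-" + secrets.token_hex(16)


def derive_vault_key(master_password: str, secret_key: str, salt: bytes, iterations: int) -> bytes:
    """Combine both secrets into one vault key.

    The password goes through slow, salted PBKDF2 so that guessing it is
    expensive; the secret key is already high-entropy, so HKDF is enough.
    XOR-ing the two halves means guessing the password alone (e.g. from a
    leaked server record) is useless without the secret key.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )
    sk_part = hkdf_sha256(secret_key.encode("utf-8"), salt, b"example-vault-key", KEY_LEN)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _key_check(vault_key: bytes) -> str:
    """Keyed check value the server stores so a client can verify its derived key."""
    return hmac.new(vault_key, b"key-check", hashlib.sha256).hexdigest()


def enrol(master_password: str, secret_key: str, iterations: int = 100_000) -> dict:
    """What the sync server keeps for this example: no password, no secret key, no vault key."""
    salt = secrets.token_bytes(SALT_LEN)
    vault_key = derive_vault_key(master_password, secret_key, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "key_check": _key_check(vault_key)}


def unlock(record: dict, master_password: str, secret_key: str) -> Optional[bytes]:
    """Client-side unlock: re-derive the key and compare against the stored check value.
    Returns the vault key on success, None if either secret is wrong."""
    salt = bytes.fromhex(record["salt"])
    vault_key = derive_vault_key(master_password, secret_key, salt, record["iterations"])
    if not hmac.compare_digest(_key_check(vault_key), record["key_check"]):
        return None
    return vault_key


if __name__ == "__main__":
    sk = generate_secret_key()
    rec = enrol("correct horse battery staple", sk)
    print("server record:", rec)
    print("right password + right secret key:", unlock(rec, "correct horse battery staple", sk) is not None)
    print("right password, secret key missing:", unlock(rec, "correct horse battery staple", "") is not None)
```

The caveat in the comment above still applies: a web client means the derivation runs in code the service serves you, so the scheme protects against a stolen record, not against a modified login page.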
I think they are being fairly transparent. Starting in 2013 their old business model stopped making sense. They were selling individual products for each platform, while trying to integrate all platforms at the same time. The natural solution was to move to a subscription model for a unified service. This provides a multi-platform solution and generates a continuous stream of income.
As a consumer, I actually prefer this model for a security app since it means that it will continue to receive regular updates. There is lots of competition in the space of password managers so I am not worried about them increasing the cost of the service to more than a few dollars a month (if they did this I would just switch to another service).
Even with me knowing it exists, I wasn’t able to find it on their site to send him. (Hint: you have to upgrade within the app, but only if you downloaded from their website, and only if no 1p account or trial is present)
Add other dark patterns like the extension being 1PX only by default, which doesn't work with standalone. You have to cram through their website to find the legacy extension and even that isn't straightforward. They tried very hard to hide all info of a standalone existing.
(Personal annoyance: locking new features like the redesigned autofill overlay to the subscription-only version even though the Safari extension fully supports it for standalone, but not the others.)
Honestly, I wouldn't mind paying a reasonable price for the 1Password service if it wasn't a step down in value from what I had before.
I have a slightly older version of 1Password and it works fine for my purposes. I've been holding off on the subscription transition because I would derive zero value from switching to subscription but I'd gain a monthly payment I didn't have before.
But the thing that irks me is the PR speak that is trying to spin the subscription change as something we, the customer voted for, when they've gone out of their way to force everyone into subscriptions and hide the standalone version. I know the standalone version of 1Password 7 exists, but I tried to find the price yesterday and gave up after a few minutes of poking around.
"We didn't choose this, you chose this!" is so distastefully dishonest that I have zero desire to engage with this company any more. Once my standalone license of 1Password 6 stops working, I'm upgrading to a competing product.
0: https://com-agilebits-users.s3.amazonaws.com/dave/1password7...
Ever since they released the subscription option my upgrades have been very smooth and the features and improvements keep coming and I don't have to actively go and upgrade/purchase a license for a new version.
I don't know how to feel about switching to electron. I have many applications that are electron based and the quality is generally high but some do cause significant memory pressure on my macbook air.
Starting with 1Password 7's beta, they "hid" the standalone option on the site and then removed it completely and only allowed for purchasing standalone versions through the app itself but that was announced prior to them doing it.
The only way I even know a standalone option existed at the time that I moved to 1PW was because of reviews/comments on other sites that then led me to support pages that said "oh yeah, if you still want that version, smirk smirk, then use this special link"
The chrome extension leaves a tiny bit to be desired, but definitely still usable:
* Not as good about determining correct sign-in URL and lots of times will send me through the auth redirect from registration
* Launching sites without mouse isn't possible (shortcut exists to open extension but can't select site to launch it using arrow keys, for instance)
* Button locations aren't consistent between search view and opening it on a site you have a password on
Definitely still the best for me though. It's frustrating, though, that I don't feel like the paid plans really give me anything useful, so I'd be paying basically just to support the product (which I'm happy to do!). It's a weird spot for sure, I feel like table-stakes for a free password product is infinite devices + usable browser extension + phone apps + password generation. But figuring out what to add on top of that is always either directed at businesses or families, or things I don't care about like 2FA or an authenticator. I want to support you, damnit!
Bitwarden runs so much faster than 1password despite being a browser extension.
The CLI is great too. I pretty much use it like a cheap version of Vault to feed secrets into K8S.
I had bought several versions and both the Mac and Windows editions of 1Password over time, none of which were what I would consider inexpensive for a password manager. I consider their treatment of me as a customer to have been terrible.
I wouldn't be so pissed off about it if they had just dropped the product and started a new one, but slowly turning something paid for, used regularly, and liked into something different that I didn't want at all tells me that they are absolutely not worth doing business with again. They're not trustworthy.
For my personal passwords, I prefer keeping a local KeePass vault (I access over a local network drive, VPN in elsewhere).
I totally agree that primitives are some of the least important parts of choosing password managers, but what I like about KeePass is that you can use Argon2 as the password derivation function and specify your hardness factors. Because my laptop and desktop have a strong-enough CPU and I don't mind waiting 20-or-so seconds before the first unlock, I can set quite high values for this.
For example, if you're logging into your credit card provider from Mint.com, you have to search your card and copy the username. When you paste the result on Mint, you lose the window, and you have to re-search for your card to get the password. Very frustrating.
This was a discovery in a security review they did and chose not to change.
This was some time ago so things may have changed. But, that red flag kept me away.
I used to use Enpass and never had an issue but it's not open-source and you have to pay for the mobile client.
It's honestly fantastic to see how they have adapted to password managers.
Lastpass frequently messed up the autologin and injected a lot of ugly css/html in the forms which Bitwarden doesn't.
Also it works really well as a chrome extension with Kiwi browser on Android.
- conflict-less sync; with KeepassXC, I learned to live with keepass-diff, once the inevitable sync conflict happens
- no need to have entire app running, or even installed; in browser, the extension is enough. KeepassXC was kind of annoying to launch.
- password sharing
Advantages of KeepassXC:
- can autofill http auth dialogs; bitwarden still cannot do this
- can serve as ssh agent, so synced database takes care of your ssh keys too
I convinced my wife to pick it up and we now share a bunch of stuff and she loves it. And she's low tolerance for UX issues.
The official command line tool is way too clumsy. I've tried rbw and rbw-fzf which are ok. rbw doesn't let me view all properties of an entry (attachments, notes), and rbw-fzf has issues if things have spaces in them and is limited to only passwords, not other info.
I would still be using it myself, but I also wanted to log in to desktop applications, so I've been using KeePassXC since.
KeePass's auto-type feature is also a great way of autofilling passwords without having to give your browser access to your password vault.
I recently visited my friend from our programming club who saved these letters and was reminded a couple people wrote additional angry letters years after paying for the shareware. They demanded support in return for their one payment. (Of course, not only had I moved on to other projects, but I had long sold the type of computer the shareware was created for!)
So I learned early on that people unreasonably expect support for no additional cost. Or they believe the amount they paid is for support in the future, not work done in the past. It doesn't work that way economically. A constant flow of additional money has to come in the door to pay a team to do the actual support.
AFAICT, the only feasible models for supported software seem to be subscription, microtransaction or advertising. Any one-time-up-front price means it's abandonware. Which is fine for some types of software, of course, but probably not as often as users expect support.
A better solution honestly is just to accept some percentage of people will be little assholes but hopefully, as you remembered before your friend brought it up, that most people are gracious and kind. Focus on those people.
If I buy a piece of software, it's not unreasonable to expect it to work for some period of time after the purchase. This is especially true on the Windows side, where Microsoft has gone to great lengths to keep old APIs around and support most (but not all) old software within reason. I have engineering software programs that are a decade old that still run fine on my Windows 10 machine.
macOS has been less shy about deprecating old APIs and forcing software updates. I probably spend $500-1000 every year just upgrading a certain few software packages that charge for a new version every time a new macOS comes out, and I hate it. I don't mind paying for new versions of software, but it's becoming saddening to watch all of my macOS software rapidly decay away with each macOS upgrade unless I buy the newest version.
One could argue that.... but one would be silly to do so.
Why does a password manager need a subscription? My password should never touch a 3rd party’s server, I don’t need extra features, I don’t need a login, I don’t need long-term or even short-term support.
What ongoing development does a password manager have? Is it that buggy from the get-go to need constant updates?
I've been using 1Password since 2008 and I'll be doing the same thing. I have tolerated the UI regressions and even subscription with version 7, but Electron is just unacceptable for what was once an amazing Mac app that put Apple's apps to shame.
I got rid of two of them — Evernote for exactly the same reason.
1pwd going the Electron route would have put me close, but not over the edge — but the fact that they seem to have willy-nilly removed local vaults does.
These days it sometimes feels like one has to write all essential software oneself. Or go back to DOS and plain text files.
The only wish I had over the years (and I would have gladly paid for an additional license): a linux client, even CLI would have been fine. I'm not sure which year they started, but what they pushed instead was the announcement of online sync and other things I did not care about; at some point it became hard to even find the regular version on their website.
This was when I slowly started moving to alternatives. With the move to electron and this announcement here I'm happy that I moved away a few years ago, and their clear signal that I am not the kind of customer they have any interest in anymore.
The costs of developing and maintaining software are recurring -- especially for security-critical software. Subscription business models align incentives towards ongoing maintenance.
If an app has ongoing development that you benefit from, it seems entirely fair to pay a subscription. The fair alternative is a one time payment for a lifetime license with few patches priced in. I would probably prefer the latter for something like a word processor, but would you really want to use the same version of a security-critical program like a password manager for the rest of your life? If not, how do you expect them to fund development/maintenance indefinitely?
That last bit I don't believe applies to 1Password, because there are certain things you can't do without some kind of centralization, and the article makes that case.
...but look at something like Adobe CC, what exactly does moving from a purchase to a subscription benefit me? And let's not forget about the more subtle effects, like losing the right of first sale, silent T&C changes, mandatory updates, etc - things that are only to the vendor's benefit.
Agreed. Though, this latest development – the move to Electron – is a negative for me, so it leaves a part of me wondering what kind of development I have been paying for. I imagine I am not alone with such a sense of disappointment.
I don't _want_ the ongoing development. Photoshop from 5 years ago is perfectly fine for me. Same with Lightroom, etc. I mean, I've only paid Apple _once_ for Logic Pro and have been getting upgrade after upgrade for no cost -- a nice bonus, but I'd be perfectly happy if logic's code had been set in stone at the moment of purchase, too.
The consumer-friendly option is to let the consumer decide if they want upgrades. Or for a security-focused app like 1password I'd have believed something like "we don't want to be responsible for security problems if you decide not to upgrade, thus you must buy a yearly license" but that wasn't the message at all.
The old business model works but you have to keep innovating and diversify your product line. Microsoft was the best example with things like Encarta, Age of Empires and other tools like Project.
This new trend of doing these apps once, with far easier programming languages in a connected environment with plenty of docs, crash report data and things like stack overflow really makes it look that we are talking about cheap people trying to make a quick profit not unlike those free to play games.
My take on the hatred boils down to these things:
Utility type applications built as a service offer an inexpensive purchase of some kind, or are AD driven, etc... Then, features are changed, roadblocks added, user experience degraded to create problems that subscriptions pay to remedy, often poorly.
Noisy subscriptions. It's not enough to send a few bucks a month. ADS, various pitches, in app sales happening, all contribute to what might otherwise be a simple, worthy experience and solution.
It can be hard to cancel. --> If this happens to someone even once, the hate can be visceral afterward. Everyone else, no matter how well they do business, is impacted to a degree.
Subscription apps / services going away on short notice. What were people paying for?
This has nothing to do with VC and everything with trying to build a better product for users that is easier to work on for developers.
As a long-time 1password shill I have hit my limit and will slowly start migrating to BitWarden and iCloud Keychain.
Over the past few years, we've been working on consolidating 1Password's business logic into a single Rust-powered core that could be shared across all our apps. This has many advantages: feature consistency across platforms, faster development cycles, and better security. When building the front-end for the desktop platforms that would take advantage of this new core, Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac. We actually did build a native Mac app initially alongside the cross-platform Electron app, but we eventually decided that having two separate versions of the macOS app (one in Electron, one in SwiftUI) would cause a lot of needless development churn and hassle for both customers and our support team.
I can understand your frustrations about Electron and our subscription-based model, but I hope you find my explanation reasonable. Please stop spreading misinformation.
Can you quantify the "needless development churn and hassle for both customers and our support team" in some way? Presumably, 1Password 7 and its ancestors used native macOS APIs, which meant some degree of that given you had to do something different on Windows and/or Linux. I don't know what your support team has had to endure, but as a long-time sample size of 1, I've been incredibly satisfied with the way you've designed and engineered the macOS application (and the iOS app too!) to date; I'd be hopeful that whatever tradeoffs y'all will be making moving to Electron, the "native" feel of the macOS client wouldn't be sacrificed. Is there anything you can speak to there that I should prepare for with 1Password 8?
That's worse, not better.
At least being forced to by investors makes sense. The current direction of travel being voluntary means you've just got a bad nose for building security.
The hassle of doing what your users are paying you to do? Any child can hack a UI together in HTML but there's a reason no one (usually) pays for that.
I think a subscription business model is the only honest way to sell software that will require ongoing support. If you're comfortable with a snapshot w/o updates, then by all means buy once, but I think coming to terms with the demands of ongoing support also means coming to terms with continuing to support the product in some way.
That said, I wish there were more variations in the way to pay - a long term license with a high upfront fee and a low monthly, an immediate access option with a high monthly and no up-front fee, etc.
BTW, I think they do have an option that you pay for 3 years upfront. At least, that was one of the options they mentioned when I complained about the lack of the option to buy a license. To me that did not seem an acceptable solution because you pay upfront and still have all the drawbacks of the subscription model such as being dependent on the trustworthiness of a quite obviously untrustworthy company. Add to that the removal of local vault option, and it becomes even less acceptable.
Done.
edit: apparently 8 will be electron-based. So... no standalone subscriptions AND they've moved from native to electron :/
Can you go more into how non-native apps are a "hallmarks of rot by VCs"?
I hate them too, but my impulse is to blame MBA thinking (build once, less investment, who cares if it sucks) than VCs specifically.
They just like to say that they use Rust for the backend code. Rust for the backend of the client apps, React for the UI, wrapped in Electron.
Electron apps typically don’t work for me because they don’t integrate with the rest of the system cleanly, and so once you stray off the designers’ happy path it becomes clumsy to use the app. This isn’t an esthetic or ideological argument; simply for my usage an electron app can rarely be as convenient as a native app on the Mac. Things like input integration, system service integration, selection, and responsiveness are much harder to do when you are fighting the electron abstraction, so no wonder devs leave those things out.
> The overwhelming majority of people (97% in fact) choose to subscribe to our new service and many of those who initially purchased a license later changed their mind and traded it in for a membership.
With each of the last two versions, they hid the standalone version more. I'd hardly characterize all 97% of those users as voluntary.
Their PR doublespeak isn't helping either: https://news.ycombinator.com/item?id=28143821
I don't think I can trust this new AgileBits.
They were also giving away subscriptions for free for quite a while to get people to move.
So yes, I'm with you in questioning the number.
0: https://com-agilebits-users.s3.amazonaws.com/dave/1password7...
I started making a list to answer that question myself. So far, I'm up to SEVENTEEN, but I'm sure I'm still overlooking a few.
Haven't paid for this software in the past 365 days? Go to the community forum. You can pay 60% of the license charge for another year of updates and support.
Adobe were the last to annoy me; previously I am sure I had paid up for a few months and then unsubscribed. Now it's a 12-month commitment when you take out a subscription.
Off topic; but if you want a flight tracker, and like to tinker, try feeding flightradar24 (or any of the others); while you feed them you get their full membership. A pi and a usb tv card are all you need to get started!
There are ways, but nobody seems to bother to provide a usage-based model. Similar to how cloud providers figured out multiple usage plans. I have a feeling that many apps live off people paying but using the service really little, so there is no incentive. What's stopping them from offering a different price for 1h - 5h monthly access? They could upgrade to a flat fee automatically if you start using their app every day.
I highly recommend pass.
My set up is as follows:
- set up the key, share the private key to other devices that are going to use the same pass store;
- use syncthing to sync my passwords between devices (you can use github - but I just find it works nicely with syncthing);
- all passwords and other content are just gpg encrypted text files;
- use the pass cli utility to read the passwords;
- first line of the text file is the password so the apps and cli will read that into the clipboard (with a time limit to expire if you are on your phone);
- for android phones/tablets I use 'openkeychain' to manage the key and 'password store' as the app to read the encrypted text files and copy the passwords.
There are other browser extensions etc. I just don't find a need to use them though.
It has worked well for me over the years while I have seen the passwords market go more towards a subscription model over time.
My wife uses the same system, I just set it up for her and then it is seamless for her as well.
And technically, Syncthing doesn’t really seem viable on mobile last time I looked (and also has the problem of 3rd party apps instead of official ones).
Note that the private git repo can be uploaded to the cloud, which allows one to access passwords on multiple computers as well as on my phone.
Also I would like to highlight qtpass client for a very user-friendly GUI interface to quickly access passwords.
In my opinion, anyone that has basic knowledge of the terminal should be able to set up passwordstore no problem. Once it is set up, one can use qtpass or other GUI clients.
This is the source of your mistake. Users don't desire to have the same UI across different OS environments, it's only an app's developers that care about that. Cross-platform UIs are inarguably a worse user experience than UIs tailored to the conventions and designs of each OS.
A Mac app that doesn't actually feel or behave like a Mac app is not a good Mac app. The same is true with tvOS apps like YouTube and Prime Video that don't actually feel or act like good tvOS apps.
Why would anyone think for a second that it would be a good idea to force people to store every password for everything in their life in your cloud without an opt out?
That, even more than Electron and the subscription model (both which do bother me), is an absolutely deal breaker. I've paid for every version of 1Password since v3 in 2009, but I'm done with it now.
Parent makes a lot of sense, actually, in context of the submission headline. There was no misinformation here at all.
Lastpass is a bucket of ass.
They've had security bugs in their browser extension before, but it is almost required to use it - the webapp works horribly without it. My least-used browser gets that extension, so it isn't running most of the time, at least. And with it, the UI is still terrible. The app is just awkward and poorly done.
The one good thing I can say is the user/group model is reasonably implemented.
I switched to KeePassXC a while ago due to the increasing hostility over local stores. Looks like I was right on the money.
KeePass has served me pretty well - it's not as polished, but it works absolutely everywhere due to the numerous client apps on many OSes, and it syncs normally. Toss on something like Dropsync for mobile, and it's pretty streamlined: https://play.google.com/store/apps/details?id=com.ttxapps.dr...
I'd only recommend LastPass if you're a fan of LogMeIn, Ltd. and only being able to see your passwords either on Desktop or Mobile (on the free version).
Don’t get me wrong, I hate Lastpass with an unprecedented rage for something that should be a simple utility (I’m forced to use it at work and it’s a time sink), but I don’t know where you get that and would like a source.
Source: I work there :)
In fact, if you're okay with only editing/creating password entries on your phone, you don't even need to pay for the desktop app, because you can use it in read-only mode. The Android app has no limitation to editing local vaults, and it's pretty rare for me to actually have to set up new accounts these days, so I'm fine doing it on my phone. I considered paying for 1Password X (their online offering), but it's simply not worth $45 per year for that minor convenience. I can't complain at all, because I use 1Password completely for free.
It's possible that it was hidden because I had previously signed in to my work's 1PW account, maybe, or that it's hidden too well for me to find. I don't know, and would be happy to learn either way.
https://pwsafe.info/ for Mac and iOS https://pwsafe.org/ for Windows
The underlying file format is opensource and developed by Bruce Schneier.
I use it to securely store notes and important files.
I have no particular qualms with paying for software whether as a one-time purchase or a subscription.
I just don't want all my stuff syncing to and reliant on 1Password's infra.
I'll pay them $5/mo to self-host my own passwords. But they won't let me. So I switched to KeepassXC.
No, it's still misleading. People like me, who already had a working version at the time the subscription was rolled out, simply chose to do nothing or switch to a competing service. People who didn't want subscriptions saw the writing on the wall and started migrating to other products.
To suggest that their userbase wanted to voluntarily give up their paid-for software that was working just fine and swap it out for a subscription service just to get feature parity is silly. As you said, they made it clear that subscription was the way of the future and that anyone who didn't want a subscription product should look elsewhere, so we did. Let's not act surprised when their only remaining customers were those who wanted a subscription version.
> It's in the release notes, it was on the site, and it was in the forums. I think they may have even emailed it to people at one point (I've been a user since v3)
I don't see where anyone was claiming it was done in secret. It has been discussed at every step of the way on social sites like HN for years.
The secret part is that they've gone to great lengths to bury the standalone version 7 link on their website, and now they're claiming that not many people buy it. Of course they don't, because it's virtually impossible to find or even know that it exists unless someone passes you the link.
Though one more point that’s more than just "ease of use" is probably shared access. AFAIK Keepass has issues there while bitwarden (IIRC) supports it completely.
I have my OTP codes on yubikey for daily use. (works great, and breaking a yubikey is a lot harder than destroying your phone and losing all your OTP).
> What gives me pause is how I write regularly asking for separate vaults for trivial passwords and passwords that could lead to financial ruin.
Just to clarify, what solution are you asking for? Do you want a local vault option to store sensitive passwords? Or something else?
And let's not forget that you're basically running a completely separate browser that can't re-use any memory from the other 5 separate browsers (=Electron apps) you need to run for work all day.
Could you elaborate on this?
What's your experience building security systems? Do you have a LinkedIn profile or a CV we could review?
It seems like you'd be happier with a community product that has less support, but is available for free - and thankfully you have that option.
I much prefer KeePassXC. I find KeepassXC substantially easier to use than 1Password on macOS. I strongly dislike 1Password's UX. It feels very cumbersome to use.
I have a shared family KeePass database as well. Works great.
I know that it's very common for subscription models to coincide with forced upgrades (as this one does), but that seems like a choice on the part of the company as opposed to something inherent to the revenue model. I'd be quite happy to pay a developer to continue to maintain an older version of their software.
Like you pointed out, I think a fee structure where you pay for major updates and otherwise pay a maintenance / hosting subscription fee makes the most sense.
I think that you see open source projects that struggle along all of the time because their developers cannot afford to work on them enough. Not every project, but enough of them. I try to support projects like that too.
https://support.logmeininc.com/lastpass/help/what-can-i-expe...
They have been talking about this for years. It was not done willy-nilly. There are limits to local vaults.
They're a business, and 97% of their users were already on the subscription model. If you were running a business, and 97% of your users had abandoned a feature that was a headache for you to maintain, would you stubbornly keep wasting time and money on it?
Bitwarden is right there waiting for you.
"it works" and "the developer gives me support" are two different things. In this case, I'm sure the shareware he wrote still "worked," but clearly they thought they were entitled to perpetual updates or the ability to chat to the developer any time they like.
As far as I'm concerned, the SLA of $10 shareware I volunteered to pay for is "whatever the developer is willing and able to provide." It's $10. ¯\_(ツ)_/¯
Fwiw, 1Password isn't nuking 1P7 or existing local vaults. Those users are free to keep using v7 for as long as Apple or Microsoft allow the app to be installed on the OS. (And I do agree, macOS and iOS are both quite abrupt about cutting off support and I commend Windows for going to great lengths to avoid it)
>by manipulating the social or political environment in which economic activities occur, rather than by creating new wealth.
Otherwise simply raising the price on something would be rent seeking.
Raising the price of something certainly can be considered rent seeking.
For example: https://pnhp.org/news/rent-seeking-by-drug-barons/
I've found just opening the main app to be a better solution in these cases, but it sure is annoying.
Make sure you have your browser 1Password plugin updated to the latest version.
When you click on the locked 1Password icon in the browser, you get the "Double click to approve" alert on your Apple Watch. You double click the side button on your watch and 1Password in your browser is now unlocked. This also works the same way with Touch ID. Hope that helps. Cheers.
edit: Provided clarity regarding the Mac App
I did (incorrectly) assume that the parent was talking about Electron, so that's my bad. That being said, our decision to move away from licensing is absolutely not being driven by VC funding, so the parent comment is also spreading misinformation. We were building a subscription-based model all the way back in 2014, and we're phasing out licenses for the host of reasons that were mentioned in the original article.
The goal of a VC company is to either grow big or die. That's it. Risky bets at the expense of existing users are expected if current growth does not meet expectations. Worst case everyone quits the app and you go bankrupt. VCs expect that 9 times out of 10, so no big deal as long as the 10th makes it big.
But I'd rather use a backend that doesn't require as... weird... integration into the OS as GPG does. Between pinentry and having to store the passphrase, gpg just doesn't offer the same sort of out-of-the-box functionality as something less... heavy.
> In this paper, we seek to fill in the gaps by gathering and analyzing a large collection of leaked password datasets across multiple years and various online services
It looks like they just used already leaked passwords.
I’ve gone so far as to test this.
In my opinion this is the right security model
Not sure where the signup link is, sorry.
Why did 97% buy the subscription? Because they hid the other version in a locked filing cabinet in a basement with a broken staircase.
I too would trust the core of e.g. Syncthing or pass.
Making it all work on mobile is a completely different story though. I myself can’t do without mobile access to my passwords.
The mobile platform is one I ignore. The only thing I know with any certainty about my phone is that it's running a bunch of closed source spyware, so I'm not entrusting it with anything much - and certainly not my passwords.
Whom would you rely on to handle something that matters to you:
A. Someone who refuses to eat until they start collapsing from hunger?
B. Someone who eats regular meals?
Our Electron app is really only a thin client over a Rust-driven backend that handles all our business logic. We only invoke Typescript when we need to render the UI; everything else goes through Rust. We even run some Swift code too, for deep integration with the operating system.
Memory is still an issue with Electron, but we're getting better at reducing the footprint. We've put a lot of work into optimizing this app, so I recommend you give it a shot; I think you'll be pleasantly surprised by how performant and responsive it is.
> Memory is still an issue with Electron
Sounds like their conceptions are correct.
My work Slack dies at least once every day, and makes my laptop scream if I have VS Code on. I don't want to know what adding 1Pw will do.
_If_ they obtain a copy of my password file.
"My email is nucleardog@nucleardog.example, my password is abcdef12345."
If I'm using 1Password's cloud service I'm... screwed? You now have literally my entire digital life.
If I'm syncing anywhere else, you've got a much bigger task ahead of you. First you have to _find_ where my vault is stored, then you need to gain access to it.
There's an extra layer of security to the way I want to do this. An extra factor of authentication. I don't want the only thing between you and my entire life to be one set of credentials.
When I keep it on an airgapped machine that's a lot harder than when it sits on 1password's internet facing servers.
Someone above outlined it nicely: If you let 1Password take care of encrypting the vault, and iCloud (for example) of storing the vault securely, then a malicious actor would have to compromise both products to get your secrets.
It's why we have a pilot and copilot on planes.
Except that they control the client that I'm entering the master password into. So either the password is sent to their servers anyway or a malicious actor could simply update the client to do so.
Ps. They can delete accounts too: https://support.1password.com/add-remove-family-members/
This makes losing local vault support an even bigger cause for alarm:
> After you remove a family member’s account, they can’t sign in to 1Password, which means:
> They lose all the items in their Private vault. Because the items weren’t shared with any other family members, no one will be able to access them.
Imagine: the administrator's access credentials get compromised, and the entire family's digital life, stored on 1Password, gets wiped by the malicious actor.
The attack surface would be limited if instead, the removed user's license turns into a read-only one, like how 1Password currently deals with people using local vaults, and are not on a subscription.
Big, big nope right there, thanks.
Sounds like a great improvement to me. You also do not have to pay for 2 to 5 streaming services. You can choose 1, or 2, or however many you want.
That way you could also "choose" not to pay for cable. But the reality is that if you want to watch all the latest popular shows and movies you have to pay for 4-5 streaming services.
Not having to pay for ESPN if you do not care about ESPN is an improvement though.
It keeps the vendor financially healthy, stable and willing to keep developing the stuff you use.
Would you want to dedicate your work into a product for meagre & sporadic standalone payments pressuring you to endlessly churn out marketable feature upgrades with little time for maintenance work just to barely make ends meet? No? Then why on earth do you expect other software vendors to do that?
Even Bitwarden pushes subscriptions.
I'd love to see how many developers who complain on HN about subscriptions actually make a living primarily from selling standalone software to consumers.
This model is simply more lucrative and strips customers of a number of their rights which are inconvenient for corporations.
Trust that the company which provides something you need is far more likely to continue to be around. Suppose you tell your employer that you're taking a 1-week vacation. How does it benefit them for you to do that?
Woah, really? Would you mind linking some threads for the benefit of everyone else skimming through this?
(I'm still on 1Password 6, and the experience is mostly smooth-sailing except for browser extensions.)
I can't link to that interaction in particular, because it was over email, but you can see some of this behavior in their public forums:
- A more benign (but still important) syncing bug, where the team indicated it wasn't a priority to fix. Even though they say the bug is 'visual', it shows a lack of commitment to maintaining sync as a core feature [0]
- A public example of the sort of "bug to upsell" experience I had with support [1]
[0]: https://1password.community/discussion/comment/535160#Commen...
[1]: https://1password.community/discussion/comment/526068#Commen...
[1] shows the level of support you’ll receive for the feature. They will not actively investigate issues or release fixes, AFAICT. I’ve had my own issues with it.
If you link through to the troubleshooting doc [2] from that page, you’ll see this message:
> We’re unable to troubleshoot issues with the WLAN server beyond the scope of this article. If you’ve tried everything in the article and are still unable to connect, a 1Password membership is a more reliable sync method.
I, too, took the 1PW membership route years ago for exactly this reason.
[0]: https://1password.community/discussion/87524/on-wlan-sync-in...
[1]: https://1password.community/discussion/116400/1passowrd-on-i...
[2]: https://support.1password.com/cs/wlan-server-troubleshooting...
That being said, we are looking into gauging user interest in self-hosting. Please take a look at our survey [1] if you want to share your thoughts. Hope that helps!
1Password 6 is great, and I'll keep using it until it quits working on my devices, but no more after that! I used to recommend 1Password so much to people it was borderline evangelizing, but I quit recommending it once the subscription was pushed over the other options, and now that local vaults are going away I'm actively recommending against it to anyone that asks.
Guess I'll be moving to Bitwarden or Keepass myself; time to research!
Yes, because the implementation decision has implications for both performance and UX. I’ve used 1Password since version 3 (2013!) and gotten friends and family to do the same, but I think I’m done when 7 stops working.
It's absolutely incredible to me that people ignore one of the biggest sides of the argument for pre-baked, user friendly products like 1Password: usability for as many people as possible.
I have never even _heard_ of someone having their 1P master password compromised and the vault(s) exfiltrated (although I grant you it could be just because the NSA doesn't write blog posts about their pwn2own victories)
It's my recollection AgileBits is also running (that is: currently) a CTF with a publicly exposed vault, so folks can test the resilience against attack for themselves
Absolutely. But also, in such a setup, the security benefit of 2FA/OTP codes is negligible at best since there are no conditions under which only one factor could be compromised without also having the other factor leaked (assuming you're using unique passwords for each identity, which is the entire point of a password manager).
However, I suppose it could be used for bypassing the inconvenience of mandated 2FA scenarios (to the dismay of your company's security team).
Man in the middle attack, Phishing attack, Over the shoulder attack, Brute force attack, Keylogger, Http (not https) traffic sniffing, 'Breech' of the site and realisation they host their passwords in clear text on an unsecured db online.
Then there is human error; typing password into wrong site, giving your password to the tech support cold caller, telling someone your supersecret password ...
If you're doing this there's a very limited benefit to TOTP anyways.
Phishing and good ole fashioned human error are two methods by which a password can be leaked without exposing the 2FA token.
The point of using 2FA for me is to protect me against my password being compromised since it's a long_lived access key.
> If my password vault is compromised it's game over anyway.
There are ways you could make a vault compromise not mean a complete/irreversible takeover, but that would either give up breakglass access as you say or add complexity and reduce availability.
> The point of using 2FA for me is to protect me against my password being compromised since it's a long_lived access key.
In which situations on your setup would a unique password compromise not imply there's also been a TOTP token/seed compromise?
Sure, happy to elaborate on that! Since we were rebuilding our app from the ground up, it was a significant slow-down on development to create a user interface for both Electron and SwiftUI, requiring two separate teams of platform developers for every feature we needed to implement. There were also concerns by the documentation and support teams that we would need two separate sets of instructions for many common tasks, due to small differences in layout and look between the applications. Eventually, we had to make the tough decision to focus on a single common framework for desktop. This will allow us to ship features across every single platform far quicker than we could before.
> I'd be hopeful that whatever tradeoffs y'all will be making moving to Electron, the "native" feel of the macOS client wouldn't be sacrificed.
We've tried our very best to keep the experience the same so that the transition from 7 to 8 is smooth, and from my point of view 1Password 8 feels right at home on macOS - I especially love our new translucent sidebar. That being said, this is still in an early access stage, so there are bound to be hiccups and UI issues that need to be resolved. Please let us know if you run into any problems or have suggestions on how we can improve. And thank you for being a long-time user!
Absolutely nothing about any decision AgileBits has made in the last 4 years has had anything to do with what customers (that's us, the people that used to give you money) want, and everything to do with nickel and diming the suckers dry.
UI consistency between different operating systems is NOT a user-focussed feature. When I'm on a Mac, I want my apps to behave like a Mac app. When I'm on Linux, I want my apps to behave like a Linux app. If you _actually_ believed that all apps should look and behave the same on any OS, why does the Android version look and behave nothing like the Mac app?
You've removed features with every major release, and this is just smashing the final nail into 1Password's coffin. You've ruined what used to be the best password manager on any platform.
So your margins are more important than your users’ native experiences. Got it.
I'm sorry for not being more clear earlier as to why we couldn't support two separate teams for the same platform. Hopefully this clears up any confusion.
Okay, I have a suggestion: drop Electron and keep supporting the native app you have.
However, in the case of 1Password it's not just about being a password manager; it's also about syncing passwords between devices, staying on top of (sometimes rapidly!) changing standards between devices and browser extensions, and being aware of the evolving landscape of best security practices.
This worked perfectly fine until they “fixed” it by removing Dropbox support, and now are apparently removing iCloud sync too
Way too often, automatic upgrades silently break my existing software, take away functionality or introduce new bugs.
Anyway thanks for showing me KeePassXC, looks like something I’ll be very interested in
I shudder to think about just trying to keep the status quo across all those platforms, devices, browser extensions. How often do we have new versions of iOS or macOS? What about Windows, Android, Linux, Chrome OS?
I can think of a TON of work without adding a single feature.
And the fact that we need to constantly change stuff just for the sake of change is the problem.
To add to this: I’m perfectly happy to pay a premium price for software when I need a new version. I did this with Photoshop for years, $399 per copy was perfectly fine for me because I spent that money every 3 or 4 years.
But you take all those platforms and all those extensions and the result is maintenance by itself is constant work. I'm not talking about change for the sake of change. I'm talking about the work just to keep the features that you have.
I have personal projects I'm working on where it feels like all I have time for is just keeping up with security updates, Ubuntu versions, DB version upgrades. Work projects are even worse with SOC2 requirements and the endless stream of CVEs.
There's no way a password manager can do nothing for 3-4 years ignoring security vulnerabilities in their dependencies that need to be patched.
It does not, that is why there is KeePassXC and other alternatives.
I think it might be the only "better than perfect" import story I've ever experienced, and I can't rightly expect it to happen again, but it happened once and that's something.
Thank you!
I just tried to do this after comparing the features that I use and what I'm paying 1p vs. the bw rate.
There seems to be no export mechanism from web access.
I tried installing the (Linux) desktop client, which exports to a different file format from the one, single 1p format listed as supported by bw.
Bw did not like it.
I also could not get it to digest the json-like data in the alternative paste import box.
If anyone knows how I can migrate without manually entering hundreds of logins by hand, that'd be super swell.
Most record types (software license, wireless router, documents, drivers licenses, email accounts, membership, passports, maybe more) don’t exist in Bitwarden. I’m not sure what happens with all of those, maybe transformed into secure note, but again with all of the attachments removed. The lack of categories is also a nuisance for organization, you can create folders but have to manage it manually.
I’m still glad I switched, having bought 1Password on a bunch of platforms and a bunch of paid upgrades before it turned into a subscription. It probably would have been less money if it had been a subscription from the start with all the times I bought it. Maybe it’s irrational, I just don’t like being so dependent on a subscription service, and having a local network sync between my devices was just fine. Same reason Lightroom can pound sand with their $120/year licensing, I’m not going to keep my photo library in something that I just have to keep paying for the rest of my life.
Bitwarden is good enough for me, with 1Password as a subscription you can look at it and realize “this is going to be $36/year forever.” If I spent any time in it, might be worth the expense. I’ve bought a lot of software and I don’t mind paying for good software. But I’ve moved the things that were attachments to an encrypted disk image, and 99% of my password manager interaction is via auto fill so I don’t actually care how polished the UI is.
Family sharing would be a more compelling reason to stick with it if you’re using that.
Kinda a random thought, but is it at all possible to build a native 1Password app using their API [1]? I haven't read Agile Bits' ToS, but I would be interested in working on / following a Mac-centric client.
Um, speak for yourself. I personally don't like having the docs showcase completely different UIs to the one I'm using. I also like having an app i can run on Linux, which has been happening a lot more since Electron became a thing (no sane company wants to write apps in GTK, and much as Qt is a great toolkit it requires expertise most SaaS vendors don't have).
You're speaking as if it's fait accompli that 1password made a mistake picking electron. It is not, and I am fairly certain they did not.
Maybe if you choose to use multiple platforms you should just deal with the multiple approaches to UI? Why should the single platform citizens suffer from a UI that's inconsistent with the rest of the platform?
To stretch it to an absurd case:
Imagine Slack decided that the shortcut to copy text will be Ctrl+C on all platforms. And Windows users who occasionally use a mac would rejoice because it would save them from having to think which button to press.
I guess we'll have to agree to disagree on that. I personally enjoy having consistent user interfaces across the apps that I use, and there are many other people that would say the same, so I would avoid making broad assumptions. From our perspective, consistent user interfaces are a win-win for both the development team and the majority of end users. That being said, I'll take your feedback into account.
I don't know if your reasoning is that looking like a web app means it is consistent with those apps, or that the apps look the same across platforms, but neither of those arguments are compelling to me. I chose the platform I am on because I think the interface is a good one that makes me more productive.
And I have never found an Electron app (or web app in general) that is as high quality as good native apps (on any platform). There are just so many compromises, and I am not even considering resource usage here. Everything just feels a little slip-shod.
https://daringfireball.net/2018/12/electron_and_the_decline_...
This is such a bizarre claim. I know Agilebits understands Mac users.
To be brutally honest, I've heard this line from a lot of software shops after they decide tailoring their apps to the native platform is too expensive or inconvenient for them. Suddenly they all find that their users don't care about their native platform - I suspect if I went looking for the discussion from back when Adobe did this, I'd see the same phrasing.
I canceled my subscription today.
Let's be clear about this: you are the seller, we are the customer. You can't `agree to disagree` with your customers.
If you don't agree with what some of your customers are telling you, then they won't be your customers, and you won't lose just these customers but also all the others who observe your behavior. It is a modified case of repeated prisoner's dilemma. If I observe that you tend to defect on other instances, I will have less inclination to cooperate. In other words, your reputation will suffer.
On the consistent user interfaces, the consistency of an app with other apps on the same platform is much more important than the consistency of that app across platforms. Even if you use multiple platforms, you switch much more frequently between apps on the same platform than between different instances of one app across platforms.
If you can see the password, you can also see the time-based OTP, and you can use those to gain access.
> Phishing attack > Over the shoulder attack
If you can convince someone to provide you their password, it's highly likely you'll also be able to convince them to also provide you their time-based OTP.
> Brute force attack
A successful brute-force attack on the vault (unlikely) means you've lost both your password and your OTP secret. A successful brute-force attack against a remote account using a safe password (re: password managers) is very unlikely!
> 'Breech' of the site and realisation they host their passwords in clear text on an unsecured db online
The password and the OTP secret themselves have no value (given that you're using unique passwords for each account). If the attacker has breached the service back-end then it's gameover anyways, regardless of 2FA for user accounts.
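As an added example (not from any commenter in this thread), here is a small Python script that ties together the `pass` setup described earlier (first line of the decrypted file is the password, later lines are free-form `key: value` metadata) with the 2FA point made in the replies above: if an `otpauth://` seed is stored in the same entry, whoever can read the entry can compute the TOTP code as well. The sample entry is constructed; the base32 seed is the RFC 6238 test secret, so the codes can be checked against the RFC's own test vectors. The layout follows the common `pass` / `pass-otp` convention; the function and dataclass names are this example's own.

```python
"""Parse a pass(1)-style entry and derive the TOTP code from a seed stored in it.

Added example, not code from the thread.  The entry layout (first line = password,
then "key: value" lines, optionally an otpauth:// URI as pass-otp stores it)
follows the convention described in the thread.  SAMPLE_ENTRY is constructed.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what `pass show example.com/alice` would print after
# gpg decryption.  The seed is the RFC 6238 test secret "12345678901234567890"
# in base32, so the derived codes match the RFC's published vectors.
SAMPLE_ENTRY = """correct-horse-battery-staple
login: alice
url: https://example.com/login
otpauth://totp/example.com:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.com&digits=6&period=30
"""


@dataclass
class PassEntry:
    password: str
    fields: Dict[str, str] = field(default_factory=dict)
    otp_uri: Optional[str] = None


def parse_pass_entry(text: str) -> PassEntry:
    """First line is the password; remaining lines are metadata."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty entry")
    entry = PassEntry(password=lines[0])
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("otpauth://"):
            entry.otp_uri = line
        elif ": " in line:
            key, value = line.split(": ", 1)
            entry.fields[key.strip().lower()] = value.strip()
        # any other line is free-form notes and is ignored here
    return entry


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // period, digits)


def totp_from_entry(entry: PassEntry, unix_time: int) -> str:
    """Derive the code from the otpauth:// seed stored alongside the password."""
    if entry.otp_uri is None:
        raise ValueError("entry has no otpauth:// seed")
    params = parse_qs(urlsplit(entry.otp_uri).query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding if the URI stripped it
    secret = base64.b32decode(b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return totp(secret, unix_time, period, digits)


if __name__ == "__main__":
    e = parse_pass_entry(SAMPLE_ENTRY)
    print("password:", e.password)
    print("fields:", e.fields)
    # Same file, same decryption key: the second factor falls out of the same read.
    print("TOTP at t=59:", totp_from_entry(e, 59))
```

Running it shows both the password and a valid code coming out of a single decrypted file, which is the situation the replies above describe: keeping the seed in the vault is a convenience trade-off, not a second independent factor. Keeping the seed on a separate device (a phone authenticator or a hardware token, as another commenter mentions) is what restores that independence.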
It's not quite a silent dropping -- 1Password warns you with a popup during the export that it doesn't include them in the export file. BitWarden won't warn you, but in its defense the files aren't even present for it to skip...
You take money to provide software. But then you become lazy and greedy and want 1 size fits all. End result is your users having clunky, high latency experience.
Unfortunately, it’s normal in software development for multiple platforms to increase development complexity when feature and UX parity is prioritized.
It comes down to what value it provides to me for what I need it to do, which is store and retrieve passwords for me, and sync via wlan. That’s it. Why should I continually pay for Android, Ubuntu or Windows development when I don’t use their app on either of these platforms?
And additionally, as a consumer it’s not my responsibility to find a way for a company to fund its product. Saying “development goes on even without you upgrading, so you have to pay a subscription to support that” is kind of a weird argument, isn’t it. Imagine if you had to pay a subscription for using a car because next year a new model will require development and therefore you need to pay for it.
Bitwarden's desktop app is built on Electron..
Our decision to build the macOS app in Electron was absolutely not driven by VC money. For the past few years, we've been working on consolidating 1Password's business logic into a single Rust-powered core that could be shared across all our apps. This has many advantages: feature consistency across platforms, faster development cycles, and better security. When building the front-end for the desktop platforms that would take advantage of this new core, Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac. We actually did build a native Mac app initially alongside the cross-platform Electron app, but we eventually decided that having two separate versions of the macOS app (one in Electron, one in SwiftUI) would cause a lot of needless development churn and hassle for both customers and our support team.
I can understand your frustration about Electron, but I hope you find my explanation reasonable. Please stop spreading misinformation.
I can absolutely attest to that with a relatively underpowered computer (4 GB of RAM). I can barely use 2 Electron apps, after which my computer grinds to a crawl (I’m running VSCode and Slack mostly). I have stopped using the Discord desktop app and exclusively use the website now.
That AgileBits has been doing everything it can to force people to the subscription model and that this push to subscriptions very coincidentally lines up with two rounds of VC investment for over $300M over the past couple of years? No, that is not misinformation.
While it may have been easier for the dev team to use Electron as their cross-platform toolkit, it is not easier for the users to put up with the attendant bloat and reduced performance.
The ones who should stop spreading misinformation regarding the forced subscription all seem to be working for AgileBits.
There's a reason people prefer one over the others. You can't have one front-end for all these different platforms. Well, you can, but then it's a compromise for at least 2 out of these 3 platforms.
Even Microsoft has "Office 365 for Mac".
That doesn't make the macOS experience better, it makes it worse.
You can create a shortcut in the iOS shortcuts app to open the Passwords area of Settings via an icon on your Home Screen. Just open the following URL in the shortcut:
prefs:root=PASSWORDS
Best tip I have for you around iCloud Keychain right there.
For anyone who doesn't use Shortcuts often, what you need to do in Shortcuts is:
1. Make a ‘URL’ action to prefs:root=PASSWORDS
2. Hit the ‘+’ and make an ‘Open URL’ action from Safari.
Save, add to Home Screen, and you’re done.
But that doesn’t make VS Code “shit”. It’s pretty much the shining star of Electron done right.
> Hello, dear sir, this is the USA IRS and we are going to send the FBI because your TOTP code is expired and are going to put you in jail if you don... hello? hello?!
> Click this link and paste in your TOTP secret because we need to verify your identity: https://1passsword.com/2fa-verify/
> if you think some rando can _phish_ a TOTP secret
Given the context this discussion is about (someone with a 1Password vault, storing unique passwords and TOTP secrets for each account they have) do you see any scenario in which a user gets his password stolen but not the token (or the OTP secret seed altogether)?
> Hello, dear sir, this is the USA IRS
If an attacker via a phone call is able to get the victim to (a) unlock their 1Password vault, (b) spell out their password for account X, what makes you think they couldn't get them to also (c) open their 2FA app and spell out their TOTP token?
> I previously thought that we were just having a difference of risk tolerance
The point I was making is that there are no security advantages to setting up a time-based OTP as a second factor for authentication if the secret seed is going to be stored in the same vault where the passwords are: might as well just forgo this TOTP setup altogether and save the extra hassle. Or get a hardware second factor (TPM, Google Titan, Yubikey, ...)
[1]: https://www.zdnet.com/article/new-tool-automates-phishing-at...
While I understand subscriptions can add value, I don't understand the forced model. Clearly 1Password has a subset of customers that don't want what they're forcing on customers. Maybe it's that they're positioning to sell the company and moving to 100% subscription boosts the bottom line valuation. But in the majority of cases the customer is not always delighted by this move. Sales organizations love to claim "it's what the customer wants", "it's more affordable", among other half-truths - when the reality is it's a much more consistent revenue stream that disconnects customers voting with dollars from continual enhancement of the product such that the customer is incented to upgrade.
I previously used LastPass but heard about Bw on HN. Saw it had Yubikey support for just $10 per year. Tried Bw. Have never regretted that decision.
What is the competition that costs $0? Bitwarden is $3.33/mo for equivalent functionality to the $4.99/mo plan from 1Password.
Let's Encrypt SSL/TLS certificates are free, as is Apache/Nginx/Caddy to reverse proxy Nextcloud or any other solution (if a web based interface is needed). You might also need something like ngrok ( https://ngrok.com/ ) for publicly accessing the instance if you're behind NAT and are hosting it on a homelab, or alternatively just put it on one of the VPSes that you're using, if you have any.
Personally I'm using a similar setup (a WireGuard VPN tunnel or two in there as well) on my pre-existing VPSes, so the effective costs are $0 for me. And the file based approach is actually superior to any (possibly) dubious browser plugins in my eyes.
The $0 competition for hackers is https://github.com/dani-garcia/vaultwarden
I think about sustainability quite a bit and if everyone who needs password management spends what you’re comfortable spending, that’s a waste I think. And when tech stops making things cheaper and faster it’s a bit sad.
Yes, but like in many other cases, an efficient market would mean that they will always need to be better in most aspects than whatever free, open source, or simply lower cost competitor pops up.
Unless they decide to prevent people from exporting their passwords, of course — and that's a big enough dealbreaker for me that I'd move away anyway, not caring how fancy or advanced the rest of their UX is.
After setup I rarely have to think about it, maybe manually sync a conflict between the DBs every 3 months or so.
Overall, _very_ happy with the setup.
We're not the primary target audience for 1Password, we just happen to fit under the umbrella anyway.
It does seem like an interesting and useful project, though there are also other more popular alternatives like Caddy: https://caddyserver.com/ (even though their V2 not being backwards compatible was a tad annoying)
Oh, and some people also have pretty good luck with software like Traefik: https://traefik.io/traefik/
Apart from that, just wanted to say that WireGuard is absolutely lovely! Pretty simple to set up, works well and uses way less resources than something like OpenVPN.
You have apps on every device to access your password database and do autofill. I stored everything in KeePass, recovery keys, TOTP seeds, sensitive documents and notes. I get the password sharing thing for families but for a single user they have the same featureset. The only thing missing is browser access but even though I now have browser access to Bitwarden I think I’ve used it like twice. I think I used Keyweb maybe once.
Your choice of solution isn't the same thing.
That is a very low bar. VS Code is still slow and eats up a ton of resources. Not to mention I don't trust anything from Microsoft. OP said Electron = bad and you should be ashamed of using it because it's helping propagate its usage when it's a cancer.
But now Electron, which I don't like for the same reasons, has, as a friend once told me, allowed me to have some of my favorite apps running on Windows, Linux and Mac almost flawlessly with a good interface, so that finally the promise of Java was fully realized.
So while I would like people to follow the Sublime Text approach more, there is value in these JavaScript based apps that lower the barrier of entry, provide widespread availability and are definitely easier to debug. Also sometimes I don't get to decide, since my org for instance makes it extremely convenient to stick with JetBrains stuff.
But hey, I'm the type of person that considered a Gentoo machine running Fluxbox far more useful than the very polished macOS.
Electron is a tool. It can be used well. It can be used poorly. Any tool shares the same issues. I can write a shit native app and I can write a shit Electron app.
All Electron does is lower the barrier of entry to making an app and making it work cross-platform.
VS Code is an example of Electron being "used well". I still find myself using other apps because they're more responsive. That tells me that Electron is inherently making the app experience worse, despite being used well.
I understand the 'why' of Electron, I am just not happy with the results at all.
Though maybe the world is better if that barrier of entry isn't lowered; I'm not sure what's better: a shitty app available everywhere or a good app available only on a couple of platforms...
Their client used to support this and they stopped. Because their current way makes them more money.
Their old client was super easy for non-technical users and groups (just enter Dropbox credentials, etc).
And specifically you only need the DB free tier to store a 1PW vault, so the only cost was paying for the 1PW client (which I am more than happy to pay for on major version updates, as long as it is not a subscription).
1PW removed functionality that existed, with the goal (or at the very least the effect) of locking users into their own cloud platform with a new monthly bill.
My time probably isn't as valuable as that of the many people here (about 5x less earnings on average in Latvia when compared to places like US), therefore it definitely makes sense for me to upskill myself in any way possible, especially if I get usable software out of it.
But if you take the container based approach, there is almost no administration to be done:
First, install Docker: https://docs.docker.com/engine/install/ubuntu/#installation-methods (about 10 minutes, varies by distro)
Personally, I use Docker Swarm, but that's just a few more init commands and Docker Compose works as well: https://docs.docker.com/compose/install/ (about 5 minutes)
Then, set up something like Caddy for a reverse proxy: https://hub.docker.com/_/caddy (probably 20 minutes)
And then, set up Nextcloud: https://hub.docker.com/_/nextcloud (probably 20 minutes)
Lastly, install KeePass from the previously mentioned links and put the password DB in the synced folder (probably 10 minutes)
Ngrok, DNS challenges etc. might be necessary depending on the setup, but are not usually required for most regular VPSes.
Backups and updates should also be taken care of, but full VPS backups are mostly standard and you can just bump the container tag every month.
As for the UI, I agree in principle, but not in this case. KeePass has a good UI and I'd argue that you don't need a team of UI and UX developers to keep track of some usernames and passwords (and maybe certificate files). Furthermore, I'd argue that most of the cloud offerings are actually problematic because not all of them let you download the data as files. In contrast, KeePass works with files (much like SQLite) and therefore, if you'd prefer to use SD cards or Samba or NFS or whatever instead of VPSes to somewhat decrease the attack surface, or simply use tools that you know, then you can do that. Want Syncthing instead of Nextcloud? Go ahead!
I'm putting emphasis on this because the line of thinking that we need web SaaS platforms for everything is dangerous - it makes you think that the problem is more complicated than it actually is. Whereas in reality some people probably get away with using password protected spreadsheets (don't do this). The problem is complicated only from a security perspective. That's it.
The cloud solutions excel at convenience and things like browser plugins and it's good that they're offering options for the less technically inclined folk, but they're far from the only option.
I've got a lab for stuff I want to tinker with, but a password manager is seen as an "essential service" to me like e-mail and music. I'd much prefer to pay a bit per month and have a team of professionals deal with it if the servers go down.
If at the end of the day my home server breaks and I want to get on and watch Amazon Prime/Netflix/whatever I still can with a hosted password manager. I value my time and sanity a lot more than £2 a month.
Currently doing just that; if any of my servers go down, I can still access all of my passwords on my desktop, on my laptop, on my tablet, on my phone or on my backup servers. Of course, provided that I have KeePass or a mobile app installed and know the master password.
Oh and I do manual backups to SD cards just to be sure every month. I'm not sure how I'd do that with a cloud service where in a sense their entire company (and my network connection to it) is a single point of failure. If my internet connection goes down, how would I log in to my selfhosted software in my homelab over LAN, without being able to access the passwords?
Potentially. Are you looking to make a prototype, or are you trying to go to prod with mission critical data?
Most people here could trivially roll a prototype grade password manager in pretty limited time. Getting something hardened and reliable is a different story.
Someone wants to build a 5 minute app for themselves and Electron happens to be the easiest way to do it? Go for it, there's nothing stopping them. If that app happens to be useful enough for others to use it, even better, that person just solved what could have potentially been a big deal for that user.
If the people using the app are content with the features/quality and the resources it uses, why does it matter so much, especially to a third party like armchair engineers on HN, if it was built natively, on Electron, or CrappierFrameworkThatWillEventuallyReplaceElectron?
If the app isn't usable by you (and this is a general you, not specifically directed at you), then the answer is simple: don't use it. Nobody is forcing you to use Electron or any app built with it if you don't want to.
If as a user your needs are not met, whether that's due to sluggishness from Electron, incompatibility from having a native-only solution, whathaveyou, then all you really have to do is wait. A competitor will come and take its place eventually; that's what the market is there for.
So far, it seems like VS Code is more than meeting its users' needs, but like I said above, other alternatives exist and will continue to exist, and they're all great if VS Code doesn't work for your particular use.
> If as a user your needs are not met, whether that's due to sluggishness from Electron, incompatibility from having a native-only solution, whathaveyou, then all you really have to do is wait. A competitor will come and take its place eventually; that's what the market is there for.
Not the first time we've heard this argument used in different industries. I'm old enough to remember this argument about DLCs, DRM and games being released before they are finished, with customers charged for DLC packs to finish them. This argument falls apart when everyone starts doing it due to economic factors and complacent users/customers who blindly use what everyone else is using.
Businesses aren't stupid, if a decision were to actively lose them more customers than it'd gain, they wouldn't do it. If every single business and OSS alternative suddenly switched to Electron and you had no other choice, then maybe it's you that is wrong about the value of Electron.
But, of course, that's a ridiculous hypothetical not really grounded in reality. In the real world, plenty of alternatives exist for practically every Electron app out there so if you don't want to use it, you don't have to.
And for every one of you, there's hundreds of people that think their Electron apps are fine and appreciate that they can use the exact same interface regardless of which computer they're using.
I see you're moving the goalposts.
Once you have a monopoly you can do whatever you want, which is why everyone keeps talking about EEE. Look at what Apple is doing now with photo scanning. What they are doing is inherently bad, but they are able to ignore everyone and go ahead with it because their "target audience" doesn't care about this kinda stuff. Doesn't mean the rest of us shouldn't actively fight against it. Your argument basically boils down to: let the market and customers decide for themselves. Over here there are some of us trying to tell people not to support Electron because of the potential consequences, and the downward trend of the web as we see it.
There's choice with password managers. But look at music. You have Deezer and Spotify. The only two free services that I'm aware of that only have Electron apps on desktop. (YT Music doesn't have an app on desktop). Spotify has exclusive content. You don't have choice when apps are the same as services. Hate the Hulu interface? You can't watch The Handmaid's Tale on Netflix. It's that kind of thing.