1Password for SSH and Git (Beta) (developer.1password.com)
“Learn how to configure the 1Password SSH agent”
I've stopped using 1Password everywhere I can due to their product "focus", and am working my way through a set of alternatives (currently using Secrets on the Mac and looking at the KeePass ecosystem, which keeps improving monthly):
https://taoofmac.com/space/apps/1password
Edit: It's been fun watching this get upvoted and downvoted in successive waves - for those who are curious, I suggest you check previous posts on 1Password and see if you can spot patterns in their advocates, since they were publicly called out on this a few times already (especially on Twitter).
I still have 1password 4 on Windows PC and (apparently) version 7 on Mac; they still work together, but I'm afraid at some point they will decide to drop support for Dropbox and force you to use their subscription.
I'll stop paying for Dropbox and using 1password on that date.
(does Syncthing work on iOS devices? I'm not sure yet how to keep my passwords synced across devices)
I'm also worried about 1Password in the long-term with this recent VC investment which likely will create the same kind of pressures, but for now they still have the best product in the space by far and I'm in no hurry to switch to an inferior product in order to save $3/month.
On Android, you want KeePassDX which can be found on f-droid.
I have multiple keepass databases and keep them in sync with a self-hosted Nextcloud instance.
[0] https://news.ycombinator.com/newsguidelines.html#:~:text=Ple...
What do you mean by this?
If _those_ issues could be fixed, I’d probably use Secretive. Unfortunately, it broke almost all of my workflows when I installed it and it appears that the choice to use Secretive is all-or-nothing.
Is there a way I could use this on my devices with my own cloud setup (eg. dropbox/google drive/ etc.,)?
Open up my corporate laptop and login with my smart card and username/pass combo, then I can just log into any Linux machine I have authorization (group permissions) to. Been doing it this way for over a decade at this rate.
It's like all of these password manager tools were created by people who've never seen nor used these existing solutions.
Yes?
>Smart cards!?
Yes!? Or a YubiKey.
>What if I have less than a full team of full time employees able to be put aside to implement a solution?
This used to be something a middling UNIX sysadmin could configure and manage. You can also pay for someone to help you implement/manage a solution for this. Though I admit it may be overkill.
Maybe, but it sounds like your comment was written from a place where you've never had to actually implement one of those existing solutions.
Kerberos is great. It's also a holy terror to implement properly, especially cross-platform, and especially if you need to federate identity.
I've been down that path. While there are trade-offs with any decision, I wholly understand why so many organizations are going to solutions like Okta/Auth0 + Duo + password managers vs the "tried and true" methods of a directory server + Kerberos + SAML federation through Shibboleth
SCIM combined with modern cloud SSO makes life much easier than trying to support Kerberos.
I absolutely have implemented the aforementioned solution. Used to be a rite of passage for middling UNIX sysadmins.
>Kerberos is great. It's also a holy terror to implement properly, especially cross-platform, and especially if you need to federate identity.
Not really, especially not really if you use Active Directory.
>SCIM combined with modern cloud SSO makes life much easier than trying to support Kerberos.
SCIM with Active Directory (AKA Kerberos) works well.
I have no idea how companies managed to sell this security nightmare as a feature to actually serious people.
A single point of failure. Yeah, great idea!
https://www.troyhunt.com/password-managers-dont-have-to-be-p...
I hear a lot of "cloud password managers are bad!" but I rarely see someone follow up with a better approach. Even better to them.
I've been using a password manager for years and I've always thought I was making a good decision but then I see all these comments and I wonder if I'm missing something.
What you give:
- a single point of failure (one complex password you memorize that locally unlocks a DB of credentials that is stored encrypted in the cloud).
What you get:
- all passwords are unique and complex (assuming you use a password generator, which all these tools have built-in)
- the convenience of having all your passwords ready for use on any of your devices
- the convenience of auto-fill
- the convenience of being able to share logins e.g. a spouse or across your organization.
- the convenience of being able to also store, share, and auto-fill secrets besides logins (identities, credit cards, free-text notes).
Been using a password manager for 15+ years and I have never suffered fallout from the single-point of failure tradeoff, only benefits from the power and convenience I got as a result.
And why would I replace the openssh agent with 1password agent?
They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?
(the above logic is why I don't make any serious money)
Has it? Could you detail them, I'm OOTL.
https://www.cvedetails.com/vulnerability-list/vendor_id-1255...
I see only one CVE from 2018. But I am not an expert in these circles, so would also love to know more.
> They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?
In the case of browsers cat and copy/paste is often more risky than having code such as a password manager fill the fields. Password managers are less likely to be fooled by sites using tricks with their names to pose as other sites.
If you are sufficiently careful to be sure you will not be tricked by phishing attempts then cat and copy/paste should be fine.
Can you share some info on those serious vulnerabilities?
> They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?
So they don't offer any additional functionality except for the functionality that you don't think is worth it?
I will never use a 3rd party service to manage my passwords or key phrases. And why in God's name are people generating SSH keys in the browser?
The thought of using it for SSH or GitHub just sounds insane to me. And as you say it doesn't even really offer any benefit over cutting and pasting from the CLI.
> And as you say it doesn't even really offer any benefit over cutting and pasting from the CLI.
It saves you from the fact that every application on your system, and some browser extensions can read your clipboard silently with no way for you to know. It saves you from phishing attacks from gіthub.com (note the i is a cyrillic i), it saves you from misconfigured permissions on your ssh folder, and from any "nosey" pip/npm install scripts that you might run on your development machine. It also means you don't lose your ssh keys in the case of data failure.
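The homoglyph point in the comment above, as an added example that is not part of the original thread: a small Python check for a hostname whose label mixes scripts (the Latin letters around a Cyrillic i in the look-alike of github.com) and a comparison that goes through the IDNA form the resolver actually sees. The hostnames in it are constructed, and `analyze_hostname`, `same_host` and `to_ascii` are names chosen for this example.

```python
import unicodedata
from string import ascii_letters, digits


def char_script(ch):
    """Coarse script of one character: the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). ASCII letters are LATIN; digits and '-'
    are COMMON so they never count as a second script."""
    if ch in ascii_letters:
        return "LATIN"
    if ch in digits or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_ascii(host):
    """IDNA (punycode) form of a hostname: what DNS and the TLS certificate use.
    Raises UnicodeError for names that are not valid IDNA."""
    return host.rstrip(".").lower().encode("idna").decode("ascii")


def analyze_hostname(host):
    """Return (suspicious, reasons, ascii_form).

    A label is suspicious when it mixes scripts, e.g. Latin letters around a
    Cyrillic i, or contains code points with no Unicode name. A purely
    non-Latin label is a normal internationalised name and is not flagged.
    """
    reasons = []
    host = host.rstrip(".").lower()
    for label in host.split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            reasons.append("label %r mixes scripts %s" % (label, sorted(scripts)))
        if "UNKNOWN" in scripts:
            reasons.append("label %r contains unnamed code points" % label)
    try:
        ascii_form = to_ascii(host)
    except UnicodeError as exc:
        reasons.append("not a valid IDNA hostname: %s" % exc)
        ascii_form = ""
    return bool(reasons), reasons, ascii_form


def same_host(shown, expected):
    """True only when the displayed name resolves to the exact host you meant:
    both sides are compared in IDNA form, so look-alike glyphs cannot match."""
    try:
        return to_ascii(shown) == to_ascii(expected)
    except UnicodeError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the real host and the Cyrillic-i look-alike from the comment.
    for name in ("github.com", "g\u0456thub.com"):
        suspicious, reasons, ascii_form = analyze_hostname(name)
        print(name, "->", ascii_form, "SUSPICIOUS" if suspicious else "ok", reasons)
    print(same_host("g\u0456thub.com", "github.com"))  # False
```

The comparison deliberately goes through the `xn--` form rather than the rendered string: that is the name the certificate is issued for and the name a browser extension or password filler matches on, which is why a filler refuses to fill on the look-alike while eyes reading the address bar do not.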
[UPDATE] although reading the replies, it looks like that appears to work. Can’t confirm as don’t use Firefox on iOS.
I don't store my passwords anywhere. I don't need to remember my passwords, they're the results of functions based on logical deduction and observation within the context of the "thing" I need the password for.
And my passwords are all, without exception, beyond 10 characters.
But many of us already pay for cloud file syncing across our devices and 1Password's previous solution worked just fine. Having it removed so they can charge their SaaS fees feels like a blatant worsening of the product.
I understand how you could object to the pricing model. I understand if 1Password sync works worse than whatever file sync you have (in my experience it's been better than Dropbox but YMMV).
However I don't think a unified data sync that all your apps plug into is some kind of unassailable product high ground. The tradeoffs for this are numerous and not always good, starting with the basic limitation that you now have a single type of sync semantics that operates at file granularity and can not optimize for the domain. Personally I don't see the huge value of having an encrypted binary blob syncing through my one-true-sync-solution—what am I gonna do with that file outside of 1Password anyway? To take some other examples I am perfectly happy to let Apple sync my Contacts and Google sync my calendar and email, and I don't object to paying for those things if they bring me significant value. It's not like I have 100 SaaS subscriptions, but 10-20 sure, and I'm happy to pay a fraction of what I pay to heat my house or streaming subscriptions in order to support solid development and maintenance of a handful of critical apps and services I use.
I kind of agree that if it works and it's in place just leave it be, but if it needs maintenance time, support time, and even development time as the product evolves then I can see the "business folks" pushing for the removal of those features so the team can focus on what more people are using.
The items in its database let you define custom fields for them, but there is no literal multi line text field. There's a "File" type, but you can't simply define fields with multi-line text values. However, every item has exactly one built-in "notes" field, but that's actually styled markdown text. And you only get one. And its name is always "notes".
It would obviously be extremely useful to be able to define an arbitrary number of arbitrarily labeled multi line text fields that are not interpreted as markdown text.
It boggles my mind that 1Password doesn't support this. What were they thinking??? It makes it a real pain in the butt to store ssh keys and certificates and a lot of other types of information in 1Password.
A single markdown "notes" field just doesn't cut it. It's not as if it's technically challenging or a security risk. It already has a "notes" field, so just turn off the "rich text" feature and allow me to make my own! I would have thought it was a pretty obvious and often requested feature, but as far as I can tell, it's impossible!
I don't like putting the private key in the notes field, because its name is still "notes" (but I'd prefer the label be the key's file name), it's actually markdown formatted text, not literal text, and what if I still want to write a note, but I've already used the notes field for the key?
HTTPS certificates including multiple certificate chains, and private keys, and those are all multi line files. And each part should go into a separate clearly labeled multi line field. And I don't want to be forced to write a copy of my server's ssh key into a local file on my laptop in order to attach it to a 1Password file field, and remember to delete it quickly before Time Machine backs it up for posterity.
Right now I am forced to concatenate all my certificates and keys into the "notes" field, and write the file name before each part, and put blank lines between each file, which is terribly inconvenient and error prone.
I also put a multi-line list of all the user names and passwords that I set up on a server.
There are millions of other reasons why anyone might want to use a multi line text field beyond ssh keys and certificates, just use your imagination.
My question is why wasn't this obvious feature supported from day 1, like I fully expected it to be when I bought a 1Password license? Why did I have to find that out for myself the hard and disappointing way, because I never noticed a section in the 1Password manual or promotional advertisements about why 1Password made the decision not to support multi line text fields. I'd love to know the reasoning behind that decision.
[Edit in response to "Maybe I don’t understand, but couldn’t you use the notes section? Wrap whatever you need in triple backticks to create a code block?":]
I PAID for 1Password, and the company I work for standardized on it and requires we use it, so I kind of expect not to have to jump through those kinds of pointless hoops with a commercial product. I should be able to select-all/copy/paste without meticulously selecting just the right text character-by-character. The time I waste doing just that would pay for a yearly subscription to a better product.
Been a happy paying customer since 1Password v4, but I agree this seems like an easy win.
https://1password.com/downloads/command-line/
I am trying it out, and hope it will be as useful for cases like using the Google Cloud CLI's secrets command to retrieve secrets in automated scripts, like "gcloud secrets versions access latest --secret=wildcard_foo_com_pem".
https://support.1password.com/command-line-getting-started/
I've followed the installation and authentication instructions, and ran "op signin my.1password.com foo@bar.com", entered my account's secret key, my account's password, then it prompted for "Enter your six-digit authentication code:". But I didn't receive any text messages with authentication codes on my phone.
So now I am stuck. I don't have 2FA set up on my 1password account, apparently. Do I need to do that in order to use "op", and how do I do that?
More importantly, when I write a script that authenticates using the "op" command line utility, how can it accomplish the two-factor authentication step without me being present behind the keyboard and entering a response manually? And is there a better way to write a script that authenticates somehow without using my literal secret key and password and 2fa code?
This seems to be an open issue since at least March 2019. Has it been fixed yet, or is a fix planned? Should I just give up trying to use "op" to write automated unattended scripts, the way I use "gcloud secrets"?
https://1password.community/discussion/97138/cli-always-requ...
>CLI always requires authentication code
>I am using the op CLI and I also have two-factor authentication enabled. Every time I authenticate to op, it asks for the authentication code. This gets annoying quickly and does not help in my quest to automate CLI signin.
>$ op signin YYY
>Enter the password for XXX at YYY.1password.com:
>Enter your six-digit authentication code:
>Is there a way to convince op that it is running on the same host similar to the way the 1password application and browser extensions do?
>Reply:
>@razorsedge unfortunately the CLI has something of an "incomplete" implementation of 2FA, only in that it does not persist the 2FA secret after the first authentication. All the other apps persist this secret, allowing them to do 2FA "silently" in the background, but that has not yet been implemented on the CLI. It's something we look to do in the future, but I can't give a timeline on when it will be available.
>[...]
https://github.com/dcreemer/1pass/issues/17
>Support TFA for 1password accounts #17
>I have TFA enabled for my 1password account. Unfortunately, 1pass can't handle this and instead of letting me input the token, the TFA prompt instantly returns and fails.
>signing in to xxx.1password.com alpipego@xxx.com
>Enter your six-digit authentication code: [LOG] 2019/03/17 12:53:25 (ERROR) Incorrect One-Time Password length. Expected 6.
>1pass failed to signin to xxx.1password.com
>It'd be great if TFA support could be added.
These days I'm just delighted when 1password doesn't open a totally different browser when invoked from the active one.
And probably can't filter for them as easily too.
I put images of my health insurance card in 1pw.
Do this. Now, pretend you want to upload those images to a web portal that's asking for your insurance information. To pretend, just try and put the images of your insurance card into an email body to yourself.
See how many clicks it takes.
And in the common case that the text is only on my clipboard, for example if I copied it from a web page or shell, then I have to go to all the effort of first saving it locally into a file somewhere in the file system, before laboriously navigating to it again with 1Password (often having to wait for my USB hard drives to spin up again as my Mac is frozen for 50 seconds showing the file dialog that scans all the attached storage devices) and finally adding it as a file attachment.
And then after all that extra busy work, the plaintext secret file now is floating around unencrypted in my file system somewhere, which is exactly what I didn't need.
It's such an obvious feature that would be so easy for them to implement, it made me feel like it must be possible and super-obvious to most people, but I was just too dumb to figure out how to do it.
(No, pressing shift-return in a single line text field doesn't work. And pasting multi-line text into a text field replaces newlines by spaces, thank you.)
export SSH_AUTH_SOCK=~/.1password/agent.sock
So you would essentially replace Keychain, Gnome-keyring, or the vanilla SSH-agent with 1password. Very nice solution.
It's unfortunate, because there is some real innovation around the per-application usage permissions:
> 1Password will ask for your consent before an SSH client can use your SSH key. Because of this, there's no concept of adding or removing keys like with the OpenSSH agent.
If an organization wishes to solve the SSH pubkey distribution problem (the main reason one would copy a private key across machines), then they should use SSH certificate authorities like [1]. In fact, I think that would be a far more interesting 1Password product—HashiCorp Vault could use some competition for this kind of use-case.
[0]: https://security.stackexchange.com/a/40061
[1]: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...
While I agree with the first half of your statement (don't share SSH keys), I cannot agree with the second (don't put SSH keys in a password manager).
For my home use of 1Password, I absolutely want to keep backups of my SSH keys in 1Password. Because, in general, there's exactly 1 SSH key which can get into my cloud instances, and I've had enough laptops die suddenly that I'm not willing to risk getting locked out by not having a backup.
You could say "well, just have a second device with backup keys" but again for home use, why would I buy another laptop just for that? Or maybe just "well keep an offline backup of your keys". Sure. In 1Password. Where I keep pretty much all of my sensitive credentials and info.
> Using the 1Password SSH agent encourages people to have "one" SSH key across devices, which means that any leaks will disproportionately impact them.
Eh. IMO, people who are inclined to use 1 key across machines are going to do it, no matter the process. I doubt this feature is going to make that any worse. But I guess we shall see.
https://community.bitwarden.com/t/implement-ssh-agent-protoc...
That will be the Electron version. No thanks.
I haven't been able to see anything about how this handles agent forwarding over SSH. Does anyone know?
Additionally, now when I do generate a password, it saves that password in my shared vault for all the world to see instead of defaulting to a private vault where only I can see it. It doesn't appear to be possible to tell it where to save that password until it becomes a login, but by that point 1Password has already leaked the password I just generated. That seems like a really terrible default, and the only way I've found around this so far is to try to remember to open the main app, go into my shared vault and delete the password that I never wanted saved in there in the first place.
It’s very simple and works very well. Better than krypt.co did for me, actually — krypt.co would occasionally randomly break, but Secretive has been rock solid. Every time something tries to use your key you get a Touch ID prompt and a notification indicating what triggered it.
This 1Password feature looks nice, but I’m switching away when version 7 stops working. AgileBits just isn’t taking 1Password in a direction that’s appealing for me… they’re clearly more interested in corporate users than individuals, and in the pursuit of a one-size-fits-all-platforms UI they’re losing the attention to detail and polish that used to be a major selling point.
0: https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issu...
From doing some reading though it sounds like I might be wasting my time. Apparently it’s fine to have one key for an individual machine and to use that for everything.
What’s everyone else’s take on that? Are you reusing a single key or generating each time?
For some context on my bitterness: v6 stopped working with chrome based browsers a few years ago due to an issue with browser signatures, and the official guidance was to ( pay to ) upgrade to v7 rather than fixing the app, and so the software I had paid for was no longer usable in the way that it was when I purchased a license for it, effectively being downgraded through no fault of the end user ; Similarly, the Windows variant of 1pw has... kind of always just been a bad experience compared to the mac version, and while the controversial Electron-based unification for v8 promised to bring the experience in line with the Mac app ( not requiring purchase of another license type this time because I'd since bitten the bullet and paid for a subscription so I could actually use v7 ), it also required migration to the hosted vault system, as support for local vaults was completely dropped in the same version.
I would feel a lot more comfortable using this otherwise legitimately fantastic functionality if it didn't also require me to migrate from a local vault to the hosted version. I already didn't want my passwords hosted online; I definitely don't want my ssh agent and its private keys to be bound to said hosted service, and nothing has yet come out of 1Password's survey for self hosting the vault server in order to maintain a vault that works with 1PW 8 locally.
It's an unfortunate hill to die on, I realize; I just want to maintain control of my own stuff, using a tool that is actually nice to use ( 1Password is and has always been miles ahead of everything else in terms of the day to day user experience, otherwise I'd be able to justify looking at alternatives )
I've bought their license a couple times as the versions are updated, but they no longer support licenses and only monthly subscriptions. Fine.. I'm happy to pay that to get a great product, but as I was installing it on my new laptop they prompted me to move from my self-managed cloud sync to their hosted password management saying the cloud-sync will no longer be supported. I simply don't want to use the hosted solution, I'm not comfortable with the trust implied.
I imagine they're trying to cut down on the features that allowed someone to use it without paying a membership, but then why not just include cloud-sync in your paid features? Why remove a such a core feature that allows users to use your security product much more trustlessly?
Your vault is only ever decrypted on the client side, and the 1password service only ever stores/syncs the encrypted vault. This is why if you lose access to your secret key, your vault can never be decrypted, even by 1password - your secret key is only ever stored on your local device and never by 1password, not even a hash of it.
1password has a great white-paper on their security model if you're interested, and it's verified by 3rd party auditors.
It just requires absolute blind trust on their client apps...
> Your vault is only ever decrypted on the client side
Which is a closed source blob, so, again, requires absolute blind trust.
I would say in the past 2-3 years it has slowly become an absolute nightmare. I do not recommend it to anyone anymore. They have somehow screwed up the very basic functionality of filling in passwords on any browser I try. They continue to shift features around, break existing workflows, and even the basic tasks I rely on dozens of times a day seems to change with any significant release.
1Password got famous for building a great core product. It managed my logins I stored myself and autofilled them wherever I needed. It was clean and simple. Now they are so focused on growth and Product features like this that they have completely lost their way. As of this week I can no longer right click on a webpage and work with 1pass to find something. If the webpage attached to the original 'save login' prompt is not the one you are on - the auto popup underneath the login field has nothing to show and I cannot manually find and enter it. I have to go to the Desktop app, search, find, and copy. My team regularly wastes minutes on this each day.
Our company reevaluates platforms every couple years, in the next 12-24 months I will strongly advocate we find an alternative.
This seems like an excellent way to ensure that you reduce the security of your SSH login to either having a single-factor (password) or at best single-factor + TOTP, where you previously had a phishing-resistant cryptographic protocol.
Is this really an improvement for security, or is it just a usability improvement (i.e. sync of keys) intended to work around policies trying to improve security (i.e. required use of keys)?
(The other option is I skimmed the docs badly and maybe I've misunderstood something, it's possible.)
Edit: I did skim the docs badly, it is possible to use a FIDO2/WebAuthN key for 2FA. https://support.1password.com/security-key/
I use stow to install them on a computer when I'm setting one up.
Haven't run into any problems with this approach, my Keybase is protected with a Yubikey.
tl;dr: you can pin public keys to hosts
https://developer.1password.com/docs/ssh/agent/advanced#ssh-...
The 1Password 7 app on macOS is a beautiful native app. It "fits" in macOS, it follows macOS design paradigms.
1Password 8 does not. It is a weird self-designed UI toolkit that is well inside the uncanny valley scenario - it is a UI design that feels like it is trying to approximate all of the major platform desktop UIs without committing to actually feeling like any given platform - so it feels wrong everywhere. Honestly it would be better if it was totally different to any of the main platforms instead of vaguely approximating them. I don't care what devtools or toolkits they use to achieve what they do, I care about the end UI feel, and it's just awkward on all platforms to me.
Additionally, 1Password 8 removes the single most used feature for me - 1Password Mini - and replaces it with Quick Access. Quick Access is much more awkward to use, especially with a mouse. Everything with Quick Access involves more UI interactions than it was before. The reasoning for this is that it "feels weird" to implement parts of the app twice - but for me 1Password Mini is essentially a browser extension equivalent for every other app on your system. Quick Access is an awful replacement for that.
I really prefer 1Password 7 on macOS to 1Password 8, and I honestly prefer it on Windows too. The replacement of native apps with something that really feels like a web page in a window - with issues like context menus being stuck inside the window, or web-page style modals - is just not what I expected, and it's not what I want. Yes, it lets AgileBits bring updates to platforms more quickly because it's essentially the same backend & UI on every platform. However, as an individual user I don't need more from my password manager than 1P7 already does.
Sadly, it seems the target for AgileBits (especially with the influx of VC cash) from the outside at least is just growth and the big payouts that come from enterprise deals - individual user usecases don't matter any more. Just look at how much of a production they made out of restoring categories as an option to the sidebar. And their core featureset - form filling - is less reliable than ever for me.
I feel that there's absolutely a hole in the market here for a password manager product aimed at individuals or small families that works on at least macOS, Windows, iOS and Android - and feels native on each platform.
edit: oh, and I utterly abhor the 1Password PR style - trying to make things seem weirdly casual on serious topics, but especially the misdirection/redirection approach they always take to critiques or support queries. Just look at their support forums for any thread on purchasing standalone licenses - they always drive the discussion into "isn't our online product amazing?". Critique of features in 1P8 always becomes "but for me it's amazing" in some way. It's frustrating as hell to engage with as they never seem to actually accept criticism in any way without trying to redirect it to something somehow positive.
Can we use it on WSL?
Is there any advantage of using SSH keys to authenticate against GitHub?
A lot of long term 1Password users bought this and still use it, but the company no longer really do much to support it having pivoted to completely focus on their subscription offering. Many of their long time customers, many of which are HN users, feel they're getting shafted by the lack of updates etc to those older offerings. From what I understand a lot of the older clients and plugins that worked with the local versions don't get updated anymore. However, I'm only a customer of their subscription offering so someone else might be able to elaborate more.
No need for even more in-between software prompting for passwords.
I’m sticking with certificate+publickey SSH
Stick with the publickey and more so the SK certificates.
Each leg of the SSH hops should have their own set of SK certificates with their own distinctive SSH options.
> The standard OpenSSH agent (ssh-agent) that comes preinstalled on most systems requires you to add keys to the agent (ssh-add) every time it launches. After you've added your keys, any process can use any SSH key that the OpenSSH agent is managing. It is then up to you to remove those keys when they're not needed anymore.
> The 1Password SSH agent uses a different approach. 1Password will ask for your consent before an SSH client can use your SSH key. Because of this, there's no concept of adding or removing keys like with the OpenSSH agent.
> When you turn on the SSH agent from the 1Password preferences or settings, every eligible key is automatically available to use for SSH, but your private keys will never be used without your consent.
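The "pin public keys to hosts" advice earlier in the thread and the quoted point that every eligible key becomes available once the agent is on, as an added example that is not part of the original thread or of 1Password's documentation: an ssh_config audit written for this post. It parses a constructed `~/.ssh/config` (the `~/.1password/agent.sock` path is the one quoted above; the host aliases and key file names are made up) and reports, per Host, whether `IdentitiesOnly yes` together with an `IdentityFile` pointing at the public key restricts what the agent will offer. `Match` blocks are skipped, and `IdentityFile` is treated as cumulative across matching blocks, as OpenSSH does; `parse_ssh_config`, `effective_options` and `audit_pinning` are names chosen for this example.

```python
import re
from fnmatch import fnmatchcase

# Constructed ~/.ssh/config for this example. The agent path is the one quoted
# in the thread; the host aliases and key file names are made up.
SAMPLE_CONFIG = """\
Host *
    IdentityAgent ~/.1password/agent.sock

# Pinned: only the key whose public half is on disk is offered to GitHub.
Host github.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/github.pub

# IdentityFile alone does not restrict anything: every agent key is still offered.
Host prod-bastion
    HostName bastion.example.com
    IdentityFile ~/.ssh/bastion.pub

# IdentitiesOnly without an IdentityFile: only default ~/.ssh/id_* files, if any.
Host dev-box
    HostName dev.example.com
    IdentitiesOnly yes
"""


def parse_ssh_config(text):
    """Parse ssh_config text into ordered blocks of (kind, patterns, options).

    kind is 'host' or 'match'; options map lower-cased keyword -> list of
    values in file order. Directives before any Host line go into a
    synthetic 'Host *' block, as OpenSSH treats them as global.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            current = (keyword, value.split(), {})
            blocks.append(current)
            continue
        if current is None:
            current = ("host", ["*"], {})
            blocks.append(current)
        current[2].setdefault(keyword, []).append(value)
    return blocks


def _host_matches(host, patterns):
    """OpenSSH Host matching: any pattern may match, a '!' pattern vetoes."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(blocks, host):
    """Options OpenSSH would apply to `host`: first value wins for ordinary
    keywords, IdentityFile accumulates. Match blocks are skipped here."""
    first, identity_files = {}, []
    for kind, patterns, options in blocks:
        if kind != "host" or not _host_matches(host, patterns):
            continue
        for keyword, values in options.items():
            if keyword == "identityfile":
                identity_files.extend(values)
            else:
                first.setdefault(keyword, values[0])
    return first, identity_files


def audit_pinning(text):
    """For each concrete Host alias, say whether the agent's key offer is pinned."""
    blocks = parse_ssh_config(text)
    findings = {}
    for kind, patterns, _ in blocks:
        if kind != "host":
            continue
        for alias in patterns:
            if any(c in alias for c in "*?!") or alias in findings:
                continue
            first, files = effective_options(blocks, alias)
            only = first.get("identitiesonly", "no").lower() == "yes"
            if only and files:
                findings[alias] = "pinned to %s" % ", ".join(files)
            elif only:
                findings[alias] = "IdentitiesOnly set but no IdentityFile: only default ~/.ssh/id_* keys would be tried"
            elif files:
                findings[alias] = "IdentityFile without IdentitiesOnly: agent still offers every key"
            else:
                findings[alias] = "unpinned: agent offers every key to this host"
    return findings


if __name__ == "__main__":
    for alias, verdict in audit_pinning(SAMPLE_CONFIG).items():
        print("%-14s %s" % (alias, verdict))
```

With only the `.pub` file on disk, OpenSSH asks the agent for the matching private key, so this pinning works with any agent, 1Password's included. Without it, ssh offers every key the agent holds to every server, which both discloses your other public keys to that server and can exhaust the server's `MaxAuthTries` before the right key is reached.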
It's not like I'll ever need to manually interact with the socket, so keeping it out of the way would seem logical.
That's a general theme I see with all this SSO stuff. You have a few companies with root on the universe. Am I weird that this concerns me?
Unless their local client was compromised (not impossible - but if your local is compromised you're in trouble regardless), even if someone hacked them and stole their data, they would not have your clear-text info.
It's everyone's choice to make but I am personally OK with this security/convenience trade-off.. It's "good enough" for me - mostly because I trust them to know how to do this better than I could - if it means I can manage all my passwords in one place and access them from any device.
1Password also has useful (to me) quality-of-life features like integration with HaveIBeenPwned, it can also show you re-used passwords, and if you store credit cards or other info, it will also tell you when they're about to expire etc..
Plus you can store any arbitrary metadata with any record, so I even use it to store non-sensitive, but still private, info associated with logins, docs, ID, etc..
Obviously it's not ideal to share SSH keys, but lots of teams will share the default EC2 keypair for example. This makes it much easier to pop that key into 1Pass, share it with the team, and easily get everyone into the box.
And, frankly, 1Password gui is much more user-friendly than other SSH agents. Personally, I'll stick with the tried and true OpenSSH agent, but I know many will be attracted by this feature.
It does seem like a weirdly specific use-case. I wonder if they're trying to instead target people who need to use ssh keys but aren't comfortable generating or managing them on the command line. With Github requiring SSH keys for command-line pushes, this is probably a growing demographic.
Also, they have a nice CLI. I'm sure getting some of these features there is only a matter of time.
* Search is just plain broken. This was the number one reason I scrapped it.
* Managing multiple vaults (I have over a dozen) is unusable.
* The UI is terrible, it takes way more space to show less information than 7.
* The browser integration (FF) seemed to work poorly.
Basically, once 1Password stops supporting 7, they will have lost me and anyone I can influence as a customer.
Has it allowed simple XSS vulnerabilities to turn into full blown RCEs? Absolutely.
> This resultant application is hosted within Electron to ensure we have the exact same platform as our users.
https://www.reddit.com/r/1Password/comments/o0f9cl/were_the_...
Sprinkle in a passphrase and now you have good MFA: something you know (the passphrase) and something you have (the private key).
Personally, I don't see a problem with re-using a key pair across multiple servers. I like to do one key pair per client device. This lets you manage server access per device. You can single out and remove just the key from a lost or compromised device without affecting the others.
OTOH, one key pair for all devices fails at this, plus you also have to worry about protecting the private key during distribution to multiple devices. A private key is best left on the client that generated it. Of course, once you hit enterprise, all this goes out the window. As they will probably have systems in place and compliance rules to follow.
I have considered keeping encrypted keys in my password manager per-service, and decrypt+add them to my SSH agent when they're used to offer almost the same guarantees.
Er, what? The SSH keys are being generated the same way keys for web sites are under FIDO, which is to say they're random - your physical device has no idea how many keys you have, it couldn't mandate that there's only one key if it tried. It only knows how to tell if these are keys it made (otherwise presumably a different FIDO authenticator made them) and if so use them to sign you in once somebody touches the contact.
However sometimes it's practical to use the same (private) key in multiple places. I do this for access to low-risk stuff like ssh access to my raspberry pis. I wouldn't ever move a private key around for anything remotely dangerous though.
It’s really very minor and ssh itself should warn that the server's fingerprint changed.
If something more robust is needed, ssh certs and principals can be used.
Some use PAM modules to require a 2nd factor too.
Try thinking of SSH pub keys as identities or usernames and you are more on the right track.
I tend to have 1 pubkey per thing I care about, so 1 per github account, 1 per gitlab account, 1 for work, etc.
It's automatable and one less thing to worry about.
I also feel I should be realistic about the incentive structure. I want 1password to continually work on security, additional features, and quality of life stuff. That requires steady income.
As to your local vault concerns. I think you have a really valid point.
I don't disagree that they should be compensated for new versions; however, I think we have a difference of opinion on what qualifies as a patch. I'm not intrinsically against upgrading license types (though I don't like the move to subscriptions-only), but I also expect the software I've already paid for to be updated when a major selling point feature (browser integration) breaks, especially if it's only the previous version (in spirit or in practice).
To be honest, though, I don't really expect they'll have a similar situation in the future now that they're actively maintaining all platform versions (and with a unified core!), so I'm being bitter over the past and letting it seep into how I feel about v8, local vaults, and control of my data.
* to expand on this, the model used to be a desktop app where the magic happened, plus a thin browser extension that hooked into the app. Now, there seems to be a lot more happening in the browser extension, which seems to talk to the cloud service and not directly to the desktop app. (Totally possible this is completely wrong, just my WAG)
I'm sure it requires less work from the locally installed app (and lets them do away with it altogether, even), but it creates issues - it obscures UI elements in the page with a hard to dismiss overlay (no obvious clickable way to do it) that sits below webpage UI elements when its heuristics identify it as an appropriate field.
edit: plus I regularly find that when I try to fill form fields in Safari and Firefox that selecting the appropriate login and hitting autofill does absolutely nothing.
UGH YES. When I started using 1P (2015ish?) it was simple and reliable, and I feel like I fight it more than I use it these days.
Developers need to stop disabling the form buttons trying to be clever detecting if fields are dirty.
The issue is, the "core product" has been Sherlocked - i.e. is now an included feature on many operating systems and browsers. Apple's iCloud password manager is available on all Apple platforms plus on Windows. Android/Chrome and Windows are improving their in-built password managers as well.
So 1Password, as a business, has to pivot to selling to businesses, which is where they expect most of their revenue to come from. This has resulted in individual customers being sidelined, so perhaps you should switch to one of the free inbuilt alternatives.
What browser/sites are you having issues with? I've only been using 1Password since the Lastpass changes last year or 2 (I forget) but haven't run into a site I can't autofill. I actually found it works in places Lastpass used to let me down such as CapitalOne.
That shouldn't be a matter of opinion, yet it doesn't match my experience at all. 1Password 7's UI and workflow did not undergo a dramatic change in the past 2-3 years. Not even once. The UI and controls look and feel the same as they did back in 2018. I'm sure the periodic updates brought new features here and there, but none of those are even remotely close to being a disruptive change.
> If the webpage attached to the original 'save login' prompt is not the one you are on - the auto popup underneath the login field has nothing to show
That's a legitimate security measure. It's making sure that it's autofilling for the right domain. If you want working autofill, you just need to make sure that your password is associated with the right domain.
> I have to go to the Desktop app, search, find, and copy. My team regularly wastes minutes on this each day.
You only need to make an edit once to associate your password with the right domain. But if you can't be bothered, searching and copying the password is a "Cmd + \" away. It takes less than a second.
Edit: This was not an issue before 1-2 years ago when they pushed massive feature updates. It used to be Ctrl+\ or Cmd+\ to autofill and boom, the login was filled. But NOW they have decided to drop a "1Password X" browser extension that throws itself into every single login item on the web and constantly harasses the user any time they use keyboard shortcuts to navigate. Typing an email address and see your Firefox/Chrome/Safari autofill show up with a dropdown of emails to choose? You can't even use the arrow to go down and choose one; 1Password X will rear its ugly head the minute you hit the arrow down, and it'll either prompt you to autofill something or save what you just typed into 1P.
I actually think the product is well thought-out and designed. There are some website where it refuses to work, but these are in the minority, and I blame the websites for breaking 1Password, not 1Password.
Also "a nightmare" -> this feels like an unnecessary hyperbole
Is it the same URL as what was saved in the login? If not, then this is intended behaviour to stop phishing attacks and has saved my butt several times. If the autofill doesn't work, either the website has changed the base URL, I've misconfigured it, or it is a phishing site
> I have to go to the Desktop app, search, find, and copy
Use the browser extension?
I'm not sure what issues you're having. Personally, not only has the product improved every year, trying other password managers makes me realise what a hard problem autofilling is and how little I have to think about it with 1P. The new desktop app has some issues and some missing features, though it's pretty snappy.
Now if I open the browser extension in the top right, my Favorites are not my favorites...they're the favorites of my team and one of my shared vaults. My Suggestions tab is empty. And even better, when I search "ycombinator" or "hacker" or "hn" nothing comes up. "No results found in All Vaults" and if I click search everywhere I get "No results found"
Now when I go over to the Desktop app, I search any one of the above and I immediately find my credentials for HN. It's stupid simple just like it used to be in the browser.
This saves users from choosing their “Google” login to use with “G00gle” - why not take the minute or two to update the password entry once with the correct or additional hostnames/websites and be done with it rather than wasting time every time one logs in (as well as encouraging bad security hygiene)?
Agreed, the Chrome browser extension and the Safari inline menu are garbage. Fortunately the classic extension is still available and still works great for me, as well as Safari with the inline menu option disabled. Same for the iOS extension, garbage. But luckily the classic password autofill on iOS still does work great.
If you are using the classic autofill don't you have to maintain your password in keychain as well as 1Password?
Not to say that you’re “wrong”, but since we are sharing experiences…
I have found the user experience is much worse in windows than it is in macOS. Same browsers on both.
More modern SSH servers will let you use U2F security keys in the same way, which are cheaper than the full YubiKey.
I've learned recently that YubiKey has really good documentation for how to set up their tokens to achieve different goals, it would be worth reading their docs if you're considering getting a hardware token for your keys.
In short, I see no need for using a password manager for managing ssh keys. The public key is not something that needs protecting. The private key is something that you should not share between multiple devices or generally pass around.
But of course being able to paste your public key from some tool is nice if that is a regular thing in your life. And if you switch between multiple key pairs, it's probably nice to have something more user friendly than very fiddly command line tools. I guess the latter is what 1password is trying to solve here.
The keystore is stored on a nextcloud instance, which allows the key to be shared easily between multiple hosts. It works flawlessly with git and ssh; Windows tools like PuTTY will also pick it up.
I'm happy to use only a password for some sensitive things, because I can remember it.
Of course security is a spectrum and 2fa does help for a lot of stuff. Especially against websites that don't know how to hash your passwords properly (usually the ones from where passwords leak the most).
However, for those reading along, initially the 1Password web interface for my account only offered the choice of setting up a TOTP authenticator. I completed that, and still saw no option for enabling a FIDO/YubiKey device. I then went into the 2FA settings for my account, toggled the option for YubiKey support off and then on again, and returned to the 2FA settings page. Only then did I see the option to enable a YubiKey.
I was then able to add my YubiKey and I can confirm that it's working with my 1Password account as a 2FA source.
At that point though, you already have a hardware token capable of holding SSH keys, so I'm still not convinced of the benefit.
Did you have a chance to look at CLI 2.0 and 1Password 8 integration: https://developer.1password.com/docs/cli/use-biometric-unloc...
Or a special feature to transform a set of OTP recovery codes into separate password fields so I can easily copy just one and then remove it without having to edit a multiline field to remove the one I just used.
P.S: I'm not one to write "me too" comments, but there's no upvote count visibility for users. And since a designer working at 1p has eyes on the thread, it might make sense to add "me too" comments?
Having said that, I admit I generally haven't missed them for the use case of SSH keys, even though I do occasionally store those in 1Password -- I use the Secure Notes feature for that. Copy the key to the clipboard with "cat ssh.key | pbcopy", make a new Secure Note, paste. I suppose it hadn't occurred to me to do anything else in part because, well, I can't -- but also because I don't think of these as username/password combinations, I think of them as "SSH for server foobar," and the search feature works perfectly well for that.
This is arguably a workaround instead of the ideal, but I actually use Secure Notes pretty frequently. WiFi base station passwords, recovery keys, personal access tokens, stuff that in general doesn't fit the "web site with username and password and possibly 2FA key" model I'm fairly sure I started this before 1Password even had a "Notes" field.
When I do download the keys, it isn’t much of an everyday activity either
I do not need to keep transferring ssh keys regularly to my Mac- it is either a one time or a set up related activity.
1Password is just fine for storing ssh keys as attachments.
Have you considered writing to them to ask for what you need?
As someone who moved from LastPass to 1Password (after they aged off the lifetime license), though, I'm happy, and given their growth I'd imagine most of their customers are happy enough with it.
Unknown vulnerabilities won't need your consent.
* invoking the "Cmd + \" shortcut
* clicking on the browser extension button
* clicking on the icon in the system menu bar
None of those introduce meaningful speed bumps.
So this certainly seems quite a bit different from plain electron apps.
It still provides improved security in case of things like server-side credential breaches.
They discussed it on their blog here: https://blog.1password.com/totp-and-1password/#totp-isnt-the...
Comparing the two methods I've personally used to store my insurance card below. What are you comparing to?
1Password:
- Search
- Click on the relevant entry
- Click "Quick Look"
- Click down menu
- Click show in Finder
- Drag onto upload form field
Google Drive:
- Search
- Right click
- Download
- Right click on downloaded file button
- Show in finder
- Drag onto upload form field
- Right click on file
- Delete
Local Filesystem:
Not really worth comparing. Could be made much quicker than anything else.
It took me a while just to DISCOVER the steps to getting a file out of 1pw, which involved a lot of false starts into different menus/screens that allow you to view the file's metadata (or preview) without actually getting the file.
Considering "copy field" is THE main functionality of 1PW, it's absolutely insane you can't just copy a file field.
the comparison to me is having the file in my downloads/desktop, which is a very simple procedure to do, as many or fewer clicks, and is a well-worn path.
I'm guessing there's a mix of performance concern and privacy concern. They want to make sure you're intentionally revealing the secret (image) and they want to hold off on decrypting the file until needed. It feels like decrypting a file is a fairly slow operation (although I'm not really sure why).
I just don't think comparing to the file in your local files is quite the same, since it's not encrypted / behind password protection. If you did this sort of thing a lot, you'd probably have it optimized down to a very accessible shortcut, after all.
We spoke about it internally many times in the past but couldn't get the solution implemented because there was always something in the way. After reading your comments I talked to the team and we just merged a change that should appear in the nightly build and make the handling of the multi-line fields better. Having a single core in 1Password 8 makes things so much easier when it comes to implementing changes across all platforms.
Also, there is a new SSH Key item type that might help in this particular case.
-- Roustem 1Password Founder
1Password has literally blown me away every second that I've used it. And the ability to sync MFA between all your devices was the push that I needed to start using MFA.
I do have a feature request though - any chance we could lock our 1Password wallet using 2FA with SMS (like Office365 or banks) rather than a device authentication key? Main concern is that personal devices are breaking all the time ... SMS is "strong enough" and yet pretty much the only second factor that is convenient to recover in the event of a disaster.
So, if you have a .crt, .pfx, .txt or whatever, just attach it to the entry.
The 'only' downside is the comparatively high increase in database size for the hoster.
(Does the same feature exist on mobile? How are file attachments represented on mobile?)
You can't realistically MITM SSH because you will have a session mismatch. You may be able to convince a naive visitor (coming to some.machine.example with no prior contact, and not using either certificates, or secure DNS protected credentials to verify the identity of the machine) that you're some.machine.example but you can't successfully splice this to a connection with the real some.machine.example if they use public key login.
The reason is, during connection you persuaded the client that you are some.machine.example, but to do that you needed to make up keys since you don't know the real keys for some.machine.example. However the real some.machine.example does know its keys and they're different. The credentials the victim client gives you only work for your keys, they won't work for the real some.machine.example keys, and the client has no reason to present you with credentials that would work for the real some.machine.example, so you can't authenticate to the real some.machine.example as them.
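The argument above, as an added example (not 1Password's or OpenSSH's code): a simplified model of SSH "publickey" user authentication in which the client's signature covers the session identifier, and that identifier is derived from the server host key the client was shown. The session-id construction and the signed message layout are deliberately simplified stand-ins for the real exchange hash and RFC 4252 message.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Host models one SSH server identified by its host key.
type Host struct {
	Name    string
	HostKey ed25519.PublicKey
}

// NewHost generates a fresh host key; the impostor cannot know the real one.
func NewHost(name string) *Host {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	return &Host{Name: name, HostKey: pub}
}

// sessionID is a constructed stand-in for the SSH exchange hash H. Real SSH
// hashes the whole key exchange (which includes the server host key and the
// shared secret); here only the host key and a per-connection nonce go in,
// which is the part that matters for the argument.
func sessionID(hostKey ed25519.PublicKey, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("ssh-kex-model"))
	h.Write(hostKey)
	h.Write(nonce)
	return h.Sum(nil)
}

// authMessage is the data the client signs for publickey userauth (simplified):
// session_id || "ssh-userauth" || user || client public key.
func authMessage(sid []byte, user string, userPub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.Write(sid)
	b.WriteString("ssh-userauth")
	b.WriteString(user)
	b.Write(userPub)
	return b.Bytes()
}

// ClientSign: the client derives the session id from the host key it was
// shown (which may belong to an impostor) and signs the auth message.
func ClientSign(userPriv ed25519.PrivateKey, shownHostKey ed25519.PublicKey, nonce []byte, user string) []byte {
	sid := sessionID(shownHostKey, nonce)
	userPub := userPriv.Public().(ed25519.PublicKey)
	return ed25519.Sign(userPriv, authMessage(sid, user, userPub))
}

// Verify: a server recomputes the session id from ITS OWN host key before
// checking the client's signature.
func (s *Host) Verify(userPub ed25519.PublicKey, nonce []byte, user string, sig []byte) bool {
	sid := sessionID(s.HostKey, nonce)
	return ed25519.Verify(userPub, authMessage(sid, user, userPub), sig)
}

// Scenario returns (direct, impostorAccepts, relayed):
//   direct:          client talks to the real server, signature verifies
//   impostorAccepts: client is fooled into authenticating to the impostor
//   relayed:         impostor forwards that same signature to the real server
// The nonce is reused on purpose so that the host key is the only difference.
func Scenario() (bool, bool, bool) {
	genuine := NewHost("some.machine.example")
	impostor := NewHost("some.machine.example") // same name, different host key
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 16)
	rand.Read(nonce)

	direct := genuine.Verify(userPub, nonce, "alice",
		ClientSign(userPriv, genuine.HostKey, nonce, "alice"))

	sig := ClientSign(userPriv, impostor.HostKey, nonce, "alice")
	impostorAccepts := impostor.Verify(userPub, nonce, "alice", sig)
	relayed := genuine.Verify(userPub, nonce, "alice", sig)
	return direct, impostorAccepts, relayed
}

func main() {
	direct, fooled, relayed := Scenario()
	fmt.Printf("direct login verifies:            %v\n", direct)
	fmt.Printf("impostor accepts client signature: %v\n", fooled)
	fmt.Printf("relayed signature verifies at real host: %v\n", relayed)
}
```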
For now. What happens when they eat enough of the market and displace enough other tools that the government says "Ok, now MitM the encryption." All they would need to do is push an update and re-encrypt the first time you unlock it. Now, this has always been true, but it's not on your servers and source repos yet, right now it's sandboxed.
How about internet outages? Service outages? Sure, local cache, but that cache expires.
I love PW managers, even cloud ones, but I wouldn't tie one directly to my local login and auth infrastructure to the exclusion of other local options.
I have autofill turned off because it can fill into nefarious forms if you're not careful. And I copy and paste from my pw manager into my terminal when required, because again I don't want it automatically being helpful when I want to be careful.
I'll take that risk, given probability over possibility. But thank you for pointing out at least one scenario I hadn't thought of!
> How about internet outages? Service outages? Sure, local cache, but that cache expires.
Local cache doesn't expire, also the probability of me being offline for so long that this becomes a problem is close enough to zero for my comfort.
That said, I am guessing you might be responsible for some kind of critical (even just to you) infrastructure so we probably have different variables in our "is this for me" math.
I hope no other apps are watching your clipboard.
One nice feature that 1pass has is that it will warn you when you attempt to autofill credentials for a url or mobile application that isn't listed as part of the credential.
e.g. 1pass "Logins" have a URI associated with them like "google.com" and if you visit a phishing site like "g00gle.com" and hit autofill 1pass says something along the lines of "Are you sure you want to fill these creds into g00gle.com?" and not fill until you approve. It's not foolproof, but certainly provides a nice barrier against fake login/phishing sites.
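The site check described in this post, as an added example (my own code, not 1Password's): a login saved for a website is only filled when the page host equals that site or is a subdomain of it on a label boundary, so "accounts.google.com" matches "google.com" but "g00gle.com", "notgoogle.com" and "google.com.evil.example" all fall through to the warning path.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostOf extracts a lowercase hostname from a saved website value, which may
// be a bare domain ("google.com") or a full URL ("https://google.com/login").
func hostOf(site string) string {
	s := strings.TrimSpace(strings.ToLower(site))
	if !strings.Contains(s, "://") {
		s = "https://" + s // bare domains need a scheme for url.Parse
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return u.Hostname() // strips any :port
}

// ShouldAutofill reports whether a login saved for savedSite may be filled on
// pageURL without a prompt. Anything else should trigger the
// "Are you sure you want to fill these credentials into X?" question.
func ShouldAutofill(savedSite, pageURL string) bool {
	saved, page := hostOf(savedSite), hostOf(pageURL)
	if saved == "" || page == "" {
		return false // unparseable input: never fill silently
	}
	if page == saved {
		return true
	}
	// Subdomain match only on a label boundary: "login.google.com" ends with
	// ".google.com", while "notgoogle.com" and "google.com.evil.example" do not.
	return strings.HasSuffix(page, "."+saved)
}

func main() {
	// Constructed sample pages, including the lookalike from the post above.
	pages := []string{
		"https://accounts.google.com/signin",
		"https://g00gle.com/login",
		"https://notgoogle.com/",
		"https://google.com.evil.example/",
	}
	for _, p := range pages {
		fmt.Printf("%-36s fill=%v\n", p, ShouldAutofill("google.com", p))
	}
}
```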
If the NSA asked for escrow or root everywhere people would freak out, yet central SSO mostly accomplishes the same thing and people are running toward it because convenience. Of course the same is true for surveillance. Private adtech does things with surveillance that would give people a heart attack if the NSA did it, and unlike the NSA they don't even pretend to be accountable to anyone we can elect.
(It's the same because governments can compel corporations under their jurisdiction and there isn't a ton a company can do about it.)
While some may find this debatable, I happen to think we just had a rather incompetent but still very concerning fascist coup attempt in the USA. Historically civilizations lose their collective minds periodically. Given that computing infrastructure is becoming the basis for virtually all communication and much of life, is it wise to centralize access control like this?
I feel like younger people of virtually all political stripes are just blithely unconcerned with this and assume "it can't happen here" or "that's something that happened back in the early 20th century but not anymore, we have totally solved stable government." I think that's incredibly naive.
It’s not ‘all my passwords stored in their database unencrypted’ easy to compromise, but it’s also not protection against a motivated agency with jurisdiction said service has to respect, and it’s also not solid protection against any state level actor if they really care/want to spend resources targeting someone.
That said, it’s all about threat assessment and trade offs. Especially for a business, what are the consequences if the NSA does x, or China does y?
For 99% of businesses? Nothing except some irritation if you find out. Same as with most things.
If someone is an activist going after those agencies/gov’ts? Probably quite severe consequences.
If I remember correctly, some of the fallout from the Chinese gov’t hacking Gmail was folks being ‘disappeared’, extended families being held hostage in China, etc.
FWIW, my main gripe is having to unlock each vault separately, as opposed to a single unlock as used to be the case on Mac / iPhone.
Electron makes integration harder.
Isn't this an anti-feature? The ability to revoke an SSH key specific to a stolen laptop from a server or your Github account seems like a benefit. Using the same SSH key on every machine is a downgrade.
On the other hand, the ability to manage access to shared keys is really nice.
All this fearmongering made me properly look at and note the memory usage of the native windows app and then the electron app after I upgraded. The new app uses a whopping 50MB more when the desktop app is open and uses 10MB less when it's not.
People keep ranting and raving about this with no context and zero research. I'm sick of this especially on HN
An old grandma is looking for a little city car to take her to the neighborhood store. Solution: Use an Airbus A380. The fact that the engineers have made the plane weigh only 50 times as much as the city car is great, but it doesn't really change the fact that it's a crazy approach.
It works perfectly fine, with no missing features. I use it to store private keys and recovery codes, mainly.
Regardless, even if the backend were pure Obj-C, the point is still that now you have a UI stack and a backend stack, instead of a single desktop-native stack, and you have to manage their communications. But I guess the money they save by not managing desktop-specific codebases eventually adds up...
We're not talking about social media PWs. ssh keys are not something to add risk to, eh.
A place I worked before would store SSH keys for build machine base images (AWS AMIs) in 1Password. It wasn't worth the trouble trying to set up SSO since the machines rarely needed to be accessed and only by a handful of people to troubleshoot/manage them.
It's also common to share credentials when you're working with small SaaS that don't support multiple users or SSO. In addition, sometimes business integrations will have fixed credentials (like the SSH key to upload reports to a business partner's SFTP server). People still need access to the keys for troubleshooting and debugging.
I mean, 1Password already stores my credentials for the AWS console, Cloudflare, Netlify, GitHub, et al. I’m not sure adding my commit keys to that pile is dramatically increasing my exposure.
So again I'll ask: what case does 1PW make to deviate from those?
If the answer is "nothing," then really the argument is purely about aesthetics.
I didn't even know it was an Electron app until months after I had installed it.
EDIT: I just tried the latest beta, and I'm happy to say that scrolling the list is now much faster! On the other hand, the blurry fonts, the lack of overscroll, the non-native dropdown menus, the inability to view your vault with the Preferences window open, and the lag when resizing the window are all still there. This does not fill me with hope that the final released version is going to be any better.
I believe the UX performance in 1Password 8 is better than any other app we built in the past: https://twitter.com/mitchchn/status/1491253916004147203?s=20
Would love to learn more about the standard shortcuts that are missing — good keyboard shortcuts is a huge priority to us!
-- Roustem 1Password Founder
How much memory is yours consuming (assuming you're using 8)?
You don't need to wait for people to "exit the company". Sharing private keys was wrong, invalidate those keys. If somebody else knows your private key it isn't private any more. Get this stuff right and rotating keys is unnecessary, get it wrong and rotating keys can't help you.
Stealing passwords is much harder in comparison.
You have to thrash a full drive QUITE hard to cause any significant wear, all modern drives take care of themselves and the filesystems report which blocks are unused to let the SSD take care of itself.
Surely it's a concern in a server environment and some other "spacebar heating" workflow but in reality it doesn't happen.
This isn't the 90s, we live in the future.
Pretty much every file I use daily is always in my disk cache, but they won't all fit there if I run a bunch of electron apps.
Besides, with SSDs and NVMe your experience loading data from disk is plenty fast. Again, this is the future; I/O isn’t the bottleneck it once was.
I use 5-7 Electron apps on a daily basis and not even once have I had anything resembling memory issues. Nothing gets slow, nothing becomes unusable.
Memory most definitely is a precious resource.
If you round, approximately zero users of Electron apps know how to do what you’re talking about, and yet they continue to successfully use Electron apps across a variety of platforms.
The fact that you have to finely manage your system’s memory is a you thing, not an Electron thing. The two are entirely orthogonal.
Memory is not a precious resource, no matter how much you want to live in a world where your obsessive compulsion to manage it is reasonable.
It's not as easy as that if your private key is protected with a passphrase, which IMO ought to be the default option.
I am amused by the rationalization going on here, though... taking extra steps to secure your SSH private key because you might "npm install" something bad. There's nothing wrong with enhancing the security of your private keys through dongles or TPM chips but it's a lot better to attack the root of the problem: just don't run "npm install" (or similar untrusted code) in an environment that you don't want to get pwned.
My day job has me working with javascript packages but I don't have npm installed on my system, and never will. All of my work with npm happens inside docker containers. This offers many workflow advantages besides a layer of security.
So it is unreasonable to want to develop a JS app on the same machine I use for SSH?
Docker works I guess, but adds a lot of mental (and in the case of Docker for Mac, performance) overhead.
The issue I ran into was due to Docker for Desktop binding the local filesystem into the devcontainer running in a WSL2 VM.
The solution to this is to instead use a named volume in your docker-compose.yml and in your Dockerfile copy the files from your working directory into your devcontainer.
This provided an incredible improvement in the performance of using devcontainers in vscode. The one big drawback to this approach that I've run into is needing to make sure I commit and push my code to a git repo when I'm done working as there's not a copy stored on my local machine.
The main security benefit is here:
> 1Password will ask for your consent before an SSH client can use your SSH key. Because of this, there's no concept of adding or removing keys like with the OpenSSH agent.
This prevents SSH agent hijacking, requiring either a social engineering attack to bypass or a privesc.
This is the way.
On many OS's there are even more strict restrictions, where within a user a process can only dump the memory of processes that are its direct descendants.
I don't think running a Userify daemon on the server is better than a private key in 1Password. At least with the private key approach, you can layer on network access restrictions (firewall rules or VPN). Userify would need to create an outbound connection to its control plane to manage keys.
You swap "someone could steal my private key from SaaS" with "someone could upload an additional key to SaaS" which I guess just helps if you're reusing keys for unrelated systems?
I think Userify could potentially increase auditability by limiting key sharing but I don't see it actually increasing security assuming you can revoke/rotate shared keys.
My view is backed up by the fact that people do exactly this, with great success. The complaint about memory is not reflective of the typical user experience.
I only care about managing my memory because the consequences of running out of free memory are severe. Linux as shipped by mainstream distros is quite happy to start filling swap (with attendant kswapd CPU usage) when there's multiple gigabytes of pointless inode/dentry cache to evict.
Both of these are problems that simply don't exist on Windows and MacOS. Windows because it doesn't pretend half of my system RAM is useful cache, MacOS because it does compression out of the box and doesn't appear to be so aggressive.
Linux is not good for desktop environments for exactly the reasons you outline here (and many more). It’s not Electron’s fault you’ve used the wrong tool for your desktop OS.
If 1Password was ever compromised, the attacker could use my private key to log into any server that I have access to at any time forever, and in fact I won't even know! But, if Userify is compromised, then the attacker can only deploy their OWN public key but my private key is still safe.
This means that if 1Password is compromised, ALL private keys are compromised forever. If Userify is compromised, the compromise only lasts for as long as the attacker is actually logged in as you, and the prize for the attacker isn't getting your key (because it's public already), but only that they can deploy their own public key (and that produces a notification).
So, you're right in that you still have to place some degree of trust in a third party SaaS, but the simplicity of Userify's model and narrow scope which minimizes access to any secret material is very appealing because it's very easy to understand and audit. Userify is about as close to Zero Knowledge as you can get for an SSH connection.
And, if that's not enough, I can just buy my own Userify Express server and close it off on my own private Wireguard network or VPC and never let the outside world anywhere near it.
Right, this is only a problem if you don't have another form of key and don't have login auditing.
With access to Userify, an attacker could upload a key to any server anywhere and still have access.
In the original post, I mentioned we already had an easy way to rotate keys via automation. We also had CloudTrail alerts and AWS Config alerts around port 22 security group rules (they were closed by default).
Sure, Userify provides a lot of these things like key management and audit trails, but my original point was it's silly to worry about storing private keys in SaaS when you use SaaS for other authentication and authorization anyway.
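The Userify-vs-1Password disagreement above comes down to whether an extra public key deployed by an attacker gets noticed. As an added example (not code from the thread, 1Password or Userify), here is a Python audit of an authorized_keys file against an allowlist of key fingerprints; the sample keys and the allowlist are constructed for the demo:

```python
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (options, keytype, fingerprint, comment) for each key line,
    skipping blanks/comments and tolerating a leading options field such as
    from="10.0.0.0/8",no-pty (shlex keeps it as one token, quotes stripped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        options = ""
        if fields[0] not in KEY_TYPES:            # first field is the options list
            options, fields = fields[0], fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unrecognised entry {raw!r}")
        entries.append((options, fields[0], fingerprint(fields[1]), " ".join(fields[2:])))
    return entries

def unexpected_keys(text, allowed):
    """Entries whose fingerprint is not in the operator's allowlist."""
    return [e for e in parse_authorized_keys(text) if e[2] not in allowed]

def constructed_key(keytype, seed):
    """Constructed demo blob in SSH wire shape (NOT a usable key pair)."""
    def s(b):  # SSH 'string': 4-byte big-endian length prefix
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(keytype.encode()) + s(hashlib.sha256(seed).digest())).decode()

# Constructed sample file: two expected keys plus one that nobody authorised.
ALICE, BOB, EXTRA = (constructed_key("ssh-ed25519", n) for n in (b"alice", b"bob", b"extra"))
SAMPLE = f"""# constructed authorized_keys
ssh-ed25519 {ALICE} alice@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {BOB} bob@ci
ssh-ed25519 {EXTRA} deploy@example
"""
ALLOWED = {fingerprint(ALICE), fingerprint(BOB)}
if __name__ == "__main__":
    for opts, ktype, fp, comment in unexpected_keys(SAMPLE, ALLOWED):
        print(f"UNEXPECTED {ktype} {fp} {comment!r} options={opts!r}")
```

Run it against a real file by reading it into `unexpected_keys` with the fingerprints `ssh-keygen -lf` reports for the keys you expect.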
1. I despise the binding of ⌘- and ⌘+ to zoom, and even more ⌘0 to zoom reset. I know that those are standard Electron things, but there’s absolutely no reason to make them priority bindings for 1Password.
Beyond the zoom binding, I find the default size too big, so I am running at two zooms down by default. Every time I go for the ⌘0 (all "displayed vaults" in 1Password 7), my zoom resets because of this nonsense. What would make more sense is to: (a) remove those bindings; (b) let one of the collections or accounts be marked as a _default_ collection or vault and bind the display of the default to ⌘0; (c) offer zoom sizes either in the view menu or preferences; and maybe (d) offer the zoom-in zoom-out functionality only in the menu.
2. I absolutely cannot deal with the fact that preferences, collection editing, and a few other things are pseudo-modals that block the use of every other part of the 1Password 8 UI. It’s the #1 thing that calls 1Password 8 out as an Electron app, and it makes me so not ever want to touch these things, which makes them far less useful on a day-to-day basis. If you are unwilling to fix the fact that these things are garbage, at least enable multi-tab capabilities (I would love to see a tabbed 1Password interface). That allows VS Code to be less immediately annoying.
These are in order of annoyance, not priority. I consider the pseudo-modal issue to be more important because it makes the new features that you and Dave speak of unpleasant to configure. Fix these, and I’m back to recommending 1Password 8 wholeheartedly. I’m even missing 1Password mini less and appreciating the replacement a bit more (it’s still not _quite_ as good, IMO, but it’s getting there).
2. It might look silly, but we actually had an internal debate about adding a preference for a floating preferences window. I personally do not mind the single window approach because it makes things easier for non-experienced users. I watched my mother-in-law lose the preferences window when she tried to configure 1Password 7. I know there are certain articles claiming that all Mac apps must have a floating Preferences window, but there are quite a few counter-examples as well. Anyway, that preference might still happen.
1. I certainly relate to the pain about muscle memory when it comes to the keyboard shortcuts. At the same time, having an option to easily adjust the zoom settings for an app is such a great feature. I used 1Password on a 13" laptop and on Pro Display HDR and I love the ability to change the zoom factor. I now wish I could do this in every app. Perhaps a solution could be to make all keyboard shortcuts customizable?
The preferences is small enough that I don’t care about that as much. It’s a symptom as much as anything else.
The pseudo-modal for collection management is painful.
I never want to open that pseudo-modal _again_ because it’s so awful. It’s narrow, it doesn’t let me look at the vaults while I’m working through what should be in a collection, etc.
This is a problem because it’s a major feature and someone who has used 1Password from the days when it was 1Passwd and you ran the Switcher’s blog…that’s bad news for the success of the feature. Never mind that this is the only way to get to the previous behaviour of "all vaults" meaning "all vaults that have been selected to show in all vaults" and that so that you’re not constantly getting shown things that you don’t want to see by default because the collection you have the old "all useful vaults" is on ⌘5 instead of ⌘1 or (better yet ⌘0).
On the zoom:
Keep the zoom, if you must. But for the love of Jobs, don’t bind it to ⌘-, ⌘0, and ⌘=. ⌘0 should be _either_ "show preferred collection or account" or "show main window" (leaving ⌘1 for "show preferred collection or account"). Seriously, that binding is the absolute #1 thing that I hate about the Slack app, and there are _legions_ of things to hate about that. Leave the zoom options in the View menu, because your mother-in-law, if she wants to zoom in, isn’t going to remember ⌘= to zoom in. She’ll look in the menus.
1Password 8 is _much_ better than it was when I started using it in July. But these two things actively make me _angry_ about using it because: (1) the pseudo-modal, especially for collection management, makes me not want to use something that looks much better than previous mechanisms, and (2) the zoom gets in the way. I’m using 1Password on a single monitor (14" MBP, previously 13" MBP) and I want to set my zoom _once_ and never think about it again, especially if I hit ⌘0 (thinking "show main window" or "show preferred collection or account") but it resets my zoom. Having the zoom bound is a papercut that happens to me multiple times a week because it makes no sense in anything except a web browser.
There are many reasons for not specifying what framework an app is built in, the most obvious of which is that the general public has neither a clue what Electron is nor a desire to find out.
Just because something isn't listed doesn't mean it's "buried". Like the other commenter said, you don't routinely see users of other frameworks and languages put it front and center, why should that expectation change with Electron?
Will you add support for increased contrast again? (it was removed in v8, and was one of the many regressions that made me effectively give up on 1Password)
And you're using the word "wasted" wrong, assuming you're referring to the memory footprint of Electron. Electron uses memory to solve a compatibility problem; that's not wasted at all.
If you're actually curious, you can figure it out for yourself.
Nobody is disputing Moore's Law (and this is the first time you've brought it up!). The dispute is around whether people still experience slowdowns and other bad experiences as a result of excessive memory consumption relative to resources, despite Moore's Law. I and several other people have told you right here that they have, and you refuse to acknowledge our collective experience largely because you personally haven't shared this experience.
My ego isn't bruised. But I and others reasonably expect significantly more than a "drive-by" non-substantive negation of a claim that comes directly from personal and professional experience (i.e., gaslighting) -- especially on Hacker News, where the audience is supposed to be largely composed of mathematicians, scientists, and others who possess better-than-average ability to think deeply, logically, and in a nuanced fashion.
Also, that link you provided seriously undercuts your own argument, you do realize that, right? It very clearly shows that over 90% of computers have 4 GB or more of memory installed, which is plenty to run multiple Electron apps.
I just can't see how this is that controversial a claim.
What's controversial (because it's false) is the claim that, "Memory is a precious resource." That is not a true statement.
Additionally, your own citation shows that at this moment in time a vanishingly small number of computers have an amount of memory that would result in any kind of performance degradation due to the use of one or a few Electron apps.
Therefore, Moore's Law applies, and we can safely say that resources which double every two years are not scarce.
Your continued insistence on a false fact will continue to be "controversial".
It doubled, people bought new laptops, and reaped those benefits by running multiple Electron apps seamlessly on those new laptops.
So it remains a false statement to say, "Memory is a precious resource."