The biggest problem I see for the widespread adoption of password managers is the problem of edge and corner cases.
I can teach my parents how to use one of the more user-friendly ones, like Dashlane or 1Password, and it works great much of the time.
But for some percentage of sites, for a variety of reasons, the standard steps don't work: non-standard web forms, Javascript games, browser updates, obscure password rules, just to name a few common issues. For non-technical users, these issues are blockers -- indistinguishable from show-stopping bugs from a UX standpoint.
Since using a password manager really needs to be an all-or-nothing proposition in order to get into the habit of using it 100% of the time, this means that most users will not use one.
I'm sure the commercial managers will get better at addressing some of these over time, but I do not see a product that works flawlessly 99.9% of the time emerging anytime soon.
Anecdote: I was doing my periodic visit with my grandmother, where I tend to any overdue computer/software maintenance, resolve any questions she has, install new things if needed (i.e. someone got her a printer which she likes to use for printing photos, but it was still in the box.)
As we were going through some things, she didn't know her password for everything; she had a notebook, but it wasn't organized enough. Eventually we figured out or reset each password as needed. (She only has a few total!)
Part of me wanted to utilize a password manager; after all we could use some proper long, randomly generated ones! But I was there on the fence of... what happens when she's stuck and I'm not sitting next to her to help?
To be sure, I have about a billion online accounts. I use unique email addresses and passwords (and a password manager) so I don't really hesitate to create accounts that aren't asking me for any real information about me. And along with that, I come upon the edge cases where if you're using Firefox for Android and Bitwarden, the web site somehow goes out of its way to ensure that I will end up having to type in a super complex password (or close my browser tab and walk away). My grandmother almost certainly won't hit those same edge cases. She's got email and one social media account and that's just about it. And she'll need to write down that one mega password for the password manager, and learn some new things.
So I'm not sure if it's right for her. Definitely a consideration, though, and to your point, sometimes I get angry and wish there were consequences for the companies that work so hard to break things like password managers on their web sites and in their software!
For a lot of users, a notebook next to the computer really is the best password manager possible. Someone physically stealing it really isn't the threat model we're worried about, and for the frequency of logging into things, it's not a big deal to have to copy out of a book. Make the passwords memorable phrases ("correct horse battery staple") etc to make them easy to type in.
> Make the passwords memorable phrases ("correct horse battery staple") etc to make them easy to type in.
(Insert obligatory XKCD on relative complexity)
... Gee, it sure would be nice if all sites simply allowed long-length passwords without bizarre, mutually-incompatible special character requirements.
At least the 2017 updated NIST guidelines swung back sane (less complexity requirements, 64 character maximum). So in... a couple decades we'll be able to reliably use long passwords.
An edge case I come across quite a lot: entering a long, random password into a new device (where copy-paste is never available).
I just got a new TV and wanted to sign into my Amazon Prime account. Unfortunately for me, that meant I had to enter my 32-character numbers/lowercase/uppercase/symbols Amazon password using the TV remote. I did not get it the first time.
A few months ago I got a new iPhone. They wanted me to type in my iCloud password so that all my settings and data could transfer automatically to the new phone. Similar results.
XKPasswd[0] is a nice tool to create easy to type and strong passwords. I set my own config with a structure that is specifically easy to type on phone keyboards but still has high entropy.
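The two ideas in the comments above (memorable multi-word passphrases rather than short "complex" strings, and passphrases shaped to be easy to type on a phone or TV keyboard) can be made concrete with a small generator. The following is an added example written for this page; it is not code from XKPasswd or from any commenter. The word list is a constructed 16-word toy list (real generators use lists of thousands of words, e.g. the 7776-word EFF list), and `mode_switches` is an assumed heuristic for typing cost that simply counts changes between lowercase, uppercase, digit and symbol "keyboard modes".

```python
"""Passphrase generator with entropy and typing-cost estimates.

Added example for this page, not code from XKPasswd or from the thread.
"""
import math
import secrets
import string

# Constructed toy word list for this example only. Real generators draw from
# lists of thousands of words; entropy per word is log2(len(list)), so this
# 16-word list gives only 4 bits per word, while the 7776-word EFF list gives
# about 12.9 bits per word.
WORDS = [
    "apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "bread",
    "ocean", "candle", "forest", "silver", "window", "garden", "rocket", "maple",
]


def entropy_bits(n_words, list_size, n_digits=0, separator_choices=1):
    """Entropy (bits) of a passphrase made of n_words uniformly random words
    from a list_size-word list, n_digits uniformly random decimal digits, and
    one separator picked uniformly from separator_choices candidates."""
    if n_words < 1 or list_size < 2 or separator_choices < 1:
        raise ValueError("need >= 1 word, a list of >= 2 words, >= 1 separator")
    return (n_words * math.log2(list_size)
            + n_digits * math.log2(10)
            + math.log2(separator_choices))


def charset_entropy_bits(length, charset_size):
    """Entropy (bits) of a uniformly random password of `length` characters
    drawn from `charset_size` symbols (95 = printable ASCII without space)."""
    return length * math.log2(charset_size)


def _char_class(c):
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    return "other"


def mode_switches(secret):
    """Assumed typing-cost heuristic: how many times a soft keyboard or TV
    remote keyboard must change mode (lower/upper/digit/other) while typing.
    Lower is easier to type; it says nothing about strength."""
    classes = [_char_class(c) for c in secret]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def generate(n_words=4, n_digits=2, words=WORDS, separators="-."):
    """Return a passphrase such as 'maple-ocean-tiger-bread-47', built with
    the CSPRNG in `secrets`: n_words words, an optional digit group, and one
    separator character chosen from `separators`."""
    if n_words < 1 or n_digits < 0 or not separators:
        raise ValueError("bad parameters")
    sep = secrets.choice(separators)
    parts = [secrets.choice(words) for _ in range(n_words)]
    if n_digits:
        parts.append("".join(secrets.choice(string.digits) for _ in range(n_digits)))
    return sep.join(parts)


if __name__ == "__main__":
    phrase = generate()
    print("passphrase:", phrase)
    print("bits from this toy list:   %.1f" % entropy_bits(4, len(WORDS), 2, 2))
    print("bits with a 7776-word list: %.1f" % entropy_bits(4, 7776, 2, 2))
    print("bits of 8 random printable ASCII chars: %.1f" % charset_entropy_bits(8, 95))
    print("mode switches, passphrase:", mode_switches(phrase))
    print("mode switches, 'xK9#pL2@':", mode_switches("xK9#pL2@"))
```

The point of the two entropy functions is the comparison the XKCD comic makes: four words from a 2048-word list give 44 bits, four from a 7776-word list about 52 bits, roughly the same as eight fully random printable characters, yet the passphrase costs far fewer keyboard mode changes on a phone or remote. A generator for a site with a bizarre composition rule can raise n_digits or add a fixed symbol without giving up the typeability.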
New iPhones don't always make you enter in your password right away. If you have your older phone or iPad nearby you can use it to set up.
I agree though, it's pretty bad once you hit those edge cases.
One nice thing with apple tv or an android box is you can typically use your phone as a remote keyboard for inputs and have access to the password manager from there. Works pretty decently with the apple remote app.
This case works well with iOS' built-in Apple TV remote, at least with 1password. Any text field selected on the ATV brings up a keyboard on the iPhone, and if it's a password field 1password works as it normally would for any other phone app.
This is why WebAuthn is a better solution long-term. It won't work with all sites initially, but the sites it does work with will work consistently, with a dead simple user experience. No obscure password rules or edge cases where some part of the usual workflow is broken; everything just works.
All we need now is a couple viable first-factor implementations in browsers and major sites, and WebAuthn can start to take over. It's really, really unfortunate that WebAuthn has been a W3C recommendation for almost a year now and yet no major browsers have integrated WebAuthn into their credential sync system so it can actually start to be used as a password alternative.
Agreed. You use a physical key to unlock your front door, your car, and your bank account. Why not use the same safety model for email and other online websites?
I've avoided any sort of autofilling stuff, I just use keepassxc and launch it when creating or checking a password. It's still a huge improvement over any past workflows. Even aside from being a password list, it's also an account list, something I think I've always wanted.
I've met people who just have a local spreadsheet they keep passwords in, because they've used Microsoft Office for years but haven't been tempted to try a proper password manager yet. If only they knew how similarly simple it could be.
I think your barrier for dismissal is way too high. Simultaneously, the more popular a password manager / autofill is the more it gets tested as part of a QA or best practices process.
IMHO paying for password storage solutions is the best way to get security. A robust solution will need updates, fixes, and improvements. The team building those will be paid somehow. Paying customers assure that ad networks and other nefarious actors cannot incentivize weak security practices.
Sure. We could all evangelize some esoteric command line FOSS system, but the general public NEEDS secure password management.
What "security" could you possibly get from password storage with subscription and automatic updates that you can ignore the risks involved?
You are giving a centralized 3rd party identifying information about you because of the subscription, control over your passwords because of the updates and you have to believe and trust it's never going to deny you access even without payment, issue an update to steal those passwords or be hacked by someone who does the same or hacks you through it. Oh, and they can do all the surveillance capitalism business models since they have access to the websites you visit.
Banks have an absurd number of regulations, and for good reason. Are you suggesting password managers should be regulated similarly? I'm sure that "small" fee would increase very quickly.
All software, but especially software in the privacy / protected data industries, requires ongoing updates. Pay once and you're done was a model built on exponential growth forever, which never really worked. So the next thing you could do is yearly paid upgrades but monthly recurring charges are honestly less broadly user-hostile -- more people _want_ to be billed small amounts monthly rather than larger amounts yearly, and it creates positive alignment with customers and businesses. Yearly paid upgrades were always messy and then degenerated into creating enough splash to entice users to upgrade, versus providing the best product that month that you are able to, whether that means investing in new features or investing in stability etc.
Now all of that aside -- the 1Password funding round was oriented around selling to businesses and the investments needed to run hard at that. It costs money to build a business that's competitive in that B2B market but businesses can provide healthier / less jumpy revenue streams, which is good for a business like 1Password.
The one time paid license is available if you’re willing to jump through hoops and contact support with the right incantations that they will understand. For mere mortals, it’s as good as non-existent because the AgileBits website and its support team go to great lengths to not reveal that there is such an option.
The standalone license hasn't been on the homepage as an option ever since the subscriptions started (and it still isn't there). If you go to the support home from the homepage and search for "standalone license" (or "standalone"), there are no results. So unless you happen to know that this option is available and spend time finding out how to get it, it's impossible to know. It is a dark pattern in the name of "not confusing users".
Just installed a fresh copy of 1Password for Mac. You’re right that it’s hidden and a dark pattern, but your previous comment on how to get it was wrong. When you launch the app, there’s a big “start my trial” button. You can make a vault, and then when you try to modify it 1Password will ask you to subscribe or purchase a license.
Also there are definitely results when you search for “standalone” in the support section, including the link I had in my comment.
Having access to that store on multiple computers and mobile devices is definitely a useful feature.
Set a super long generated password on your bank account and then need to log in on your phone? That's a pain if you're just using KeePass on your desktop.
That said using an encrypted storage file and an existing file sync service (Dropbox, Box.net, Onedrive, GDrive) and a client that supports using such a file would solve the problem, and I think 1Password at least supports this.
I use Keepass. Like you said, I sync the encrypted storage file through an existing file sync service and use a keepass client on my phone. It's slightly clunkier than I imagine a well-built system designed for multiple devices would be, but it works fine.
I switched from Keepass to 1Password recently and couldn't be happier with the decision. I think I could have dealt with Keepass forever if it was just me - but my non technical partner needs access to the family passwords and accounts too. Using 1Password has been a huge boost in my password management because my partner just didn't want to use Keepass and so would just use her default username and password when signing up for new stuff. Now it's so easy that she's 100% on board, and I have to say that the ease of use for 1Password vs Keepass feels well worth the money.
I've tried that in the past and it's far outside the reach of most people. Getting just Dropbox going is like 150 keys, clicks, and taps from virgin to working on more than one device. Then there is Keepass(X/XC/2) which is FOSS but impenetrable.
Security is like investing, don't use what you don't understand. (At least at a high level.)
You don't want access to it across devices? Not having that is a huge pain with generated passwords.
That said, $200M seems crazy. You don't need that many employees for a password manager. How much of that is going to just end up being funneled to Google/FB via ads, as often happens with these raises.
> Once you’re locked into one company, there’s not much incentive to switch. In fact, doing so can be a real hassle, since it requires resetting all those passwords all over again.
Why would it be a hassle? It should be trivial to switch password managers. Do some not allow you to export or import data?
This brings up another question: How can VCs justify $200 million in funding for businesses with essentially no customer lock-in?
> Why would it be a hassle? It should be trivial to switch password managers. Do some not allow you to export or import data?
I’m not sure why TFA says it would require resetting all passwords, but to answer your point, not all password managers have the same features. For example, Bitwarden doesn’t have enough structured types to accommodate things like software licenses, WiFi passwords and other things. When you import such data into it from another password manager’s export, all this data will be in some broken up jumbled format that’s not easy to use or is probably incomplete.
For simple website logins though, every password manager should be interchangeable with another through export and import features.
> How can VCs justify $200 million in funding for businesses with essentially no customer lock-in?
Once you have a password manager you're happy with, why would you ever switch? Dashlane works fine, I do export all my passwords once or twice a year in case the sync process ever goes wrong and deletes a bunch of my data, but even with the ability to easily switch I see zero reason to ever consider alternatives.
If only password managers were consistent across all devices and apps. But I think it is by far the most broken experience in any cross-platform use case.
Since I’m an Apple user I would love to use their keychain but if I want that consistency in my browser I need to use Safari and I prefer Chrome.
If I was an Android user I guess I would get the Chrome keychain by default in my android device, but not making that switch just for a password manager.
I also have 1Password at work and personal 1Password but I don’t use it anymore because I have found that is pretty easy to save passwords to my work vault which apparently will be completely lost if I ever separate from my company.
So now I’m forced to consider something like Dashlane to get the cross environment experience but then again it will probably be very broken.
Basically passwords are the most terrible user experience that you need to deal with.
It’s like having to go and do your necessities before the toilet existed. It probably was wildly uncomfortable and inconvenient.
Someone needs to invent what toilets are to shit, because the password experience is just that shitty.
> If I was an Android user I guess I would get the Chrome keychain by default in my android device, but not making that switch just for a password manager.
You could actually get whatever you want, PW managers can register themselves as one system-wide (at least in newer Android versions).
But does it work with the native keyboard when it sees a password field?
Edit: Never mind. I see it now. I need to explore this. It's just that it can't be 1Password for the reasons mentioned above. Any good alternative that someone can recommend?
You could try Bitwarden (it’s not as rich as 1Password, but is adequate for web logins, cards, etc.). You can even self host forks of it if you wish. You get a lot for free, but it also has some paid tiers that are quite cheap with additional features.
Dashlane is somewhat ok. The mobile experience is broken (you'd have to use their browser I guess, never tried), and you probably cannot install it behind a corporate firewall,
but I'm a happy customer for 5 years because of a killer feature: the ability to share passwords with my wife across our desktop and laptops, for all the websites we need to access both (from library to utilities, official websites, kids' schools, etc, etc).
I've been using 1Password for 9 years now with >1k passwords in my vault. I'm mostly happy with it exactly because of the smooth cross device experience (all Apple based, though).
Glanced at Dashlane's Privacy Policy, but perhaps someone else is more aware: strong secure passwords and management is useful, but does this mean there are changes to essentially profile users and share data with 3rd parties? Basically, I have Dashlane manage my accounts for X, Y, Z, etc services, my services profile is useful information for advertisers, right?
The benefits of strong secure password use more pervasively are overall good.
A huge usability bump comes with browser extensions (or integration with the mobile OS password auto fill mechanism) for the popular password managers. I’ve used auto type from some password managers that don’t have browser extensions, but the experience is not as quick or seamless.
I use 1password at work, but I don't use the browser extension. Instead of the extension entering the password, I just copy it out of 1password with a keyboard shortcut.
My browser extensions are really minimal, HTTPS Everywhere, Privacy Badger, react dev tools. The browser is the modern operating system, and in general you should reduce your surface area as much as is reasonable.