Hacker News
1Password 8 will be subscription only and won’t support local vaults (1password.community)
577 points by taxyovio on Aug 11, 2021 | 661 comments



Ongoing and related: 1Password for Mac Moving to Electron - https://news.ycombinator.com/item?id=28143563

Recent and related: 1password is considering a self-hosted option to store vaults - https://news.ycombinator.com/item?id=28104134 - Aug 2021 (215 comments)


I guess I’m the outlier in being very happy with 1Password and fine with paying for the subscription service. Not only is 1Password the best password manager I’ve used, but it makes it seamless to share stuff with my wife. I don’t care if 8 is an Electron app either, considering I usually interact with it via the browser anyway with their extension. (Also I know that the majority of what they wrote for it is Rust and fast, and I generally trust the engineers to do a good job since they’ve done a good job with it in the past) Also they make a CLI tool for accessing passwords allowing you to integrate password management there: https://1password.com/downloads/command-line/


I come at it from a slightly different angle. I got in when it was syncing via Dropbox and iCloud, and it worked perfectly fine.

The switch to a subscription service is a forced downgrade for me; it's putting functionality I already have behind a subscription.

This is particularly an issue since the old versions (versions I paid for, mind you) are slowly going away (typically as a recompilation and submission is required to keep them available on iOS devices).


This is the reason I bought my first license of 1Password many years ago. I thought the trust model of one vendor supplying the password manager but not the storage (I was using Dropbox sync too at the time) was a great way to ensure that my data is safe.


Same story for me. I switched to the KeePassXC ecosystem eventually as a result — it's open source, has compatible clients for just about everything, and has one-click import for 1Password vaults.


KeePassXC and syncthing work really well together. My passwords automatically sync between devices without any interaction.


I've been using KeePass (KeePassXC and similar) for years. macOS, Windows and Android. I've also had 1Password for a shared business vault for years as well.

I much prefer KeePassXC. I find KeePassXC substantially easier to use than 1Password on macOS. I strongly dislike 1Password's UX. It feels very cumbersome to use.

I have a shared family KeePass database as well. Works great.


This is my new target platform. I really like how broadly it's spread since my first evaluation a decade ago.


I'm somewhere in between. I also paid for a non-subscription version and I also feel like I was forced to upgrade to the subscription. Sadly switching password managers, especially if you share with a family, is really painful.

We now pay the subscription, a tad begrudgingly, but I have to admit 1Password overall does a great job.


Bitwarden can 1-click import 1Password vaults.


I have done this, and it was horrible… for example I was missing all attachments (no notification or error messages). Also the fields are not properly converted 1:1. All in all, it was a big mess. This was about a year ago.


Funny story: I migrated from lastpass to bitwarden a couple years back. I expected a big mess. Instead, the import was better than perfect: a bunch of accounts that wouldn't autofill in lastpass magically started to autofill after being imported into bitwarden.

I think it might be the only "better than perfect" import story I've ever experienced, and I can't rightly expect it to happen again, but it happened once and that's something.


This is the exact experience I had. I was moving from LastPass after they sold out. I used the migration as a point in time to clean up my vault and have enjoyed a completely clean password manager ever since. Bitwarden has slowly been adding the features I wanted when I had left LastPass - and at this point it just works for my workflow.

While I understand subscriptions can add value, I don't understand the forced model. Clearly 1Password has a subset of customers that don't want what they're forcing on customers. Maybe it's that they're positioning to sell the company and moving to 100% subscription boosts the bottom line valuation. But in the majority of cases the customer is not always delighted by this move. Sales organizations love to claim "it's what the customer wants", "it's more affordable", among other half-truths - when the reality is it's a much more consistent revenue stream that disconnects customers voting with dollars from continual enhancement of the product such that the customer is incented to upgrade.


I was a LastPass user forever, then a Dashlane user for about a year. I ditched them all for Bitwarden and think it's easily the best I've tried.


I use Bitwarden at home. Two of my last three jobs used 1PW. I wish I had a tenner for every time I swore at 1PW and professed my love for Bw.

I previously used LastPass but heard about Bw on HN. Saw it had Yubikey support for just $10 per year. Tried Bw. Have never regretted that decision.


Bitwarden's model is consumer friendly. I really appreciate being able to self-host a fully functional vault, even if I don't exercise that option. I feel confident that they won't hold my data hostage. $10/year is a great deal. +1 for bitwarden.


As far as attachments, that's a 1Password problem. Their export handles attachments horribly. At least it did a year ago.


You... just saved me many hours. My 2021 goal is to migrate from 1Password to Bitwarden. I’ve been putting it off as I still have half a year of my subscription. But that does make it easier.

Thank you!


Heads up.

I just tried to do this after comparing the features that I use and what I'm paying 1p vs. the bw rate.

There seems to be no export mechanism from web access.

I tried installing the (Linux) desktop client, which exports to a different file format from the one, single 1p format listed as supported by bw.

Bw did not like it.

I also could not get it to digest the json-like data in the alternative paste import box.

If anyone knows how I can migrate without manually entering hundreds of logins by hand, that'd be super swell.


I got Windows going on a throwaway VM and installed the 1P client. Took 30 mins to an hour, but surely a better option than recreating your vault by hand.


Took me a little more than an hour, but you are right. This worked for me, thank you :)


That pushes me even further towards going that route. It looks like it requires an export-then-import though? https://bitwarden.com/help/article/import-from-1password/


It’s not a complete import, you’ll get usernames and passwords but if you’ve done anything else with it (like say attaching software license files, scans of important documents, etc) they’ll be silently dropped.

Most record types (software license, wireless router, documents, driver's licenses, email accounts, membership, passports, maybe more) don’t exist in Bitwarden. I’m not sure what happens with all of those, maybe transformed into secure notes, but again with all of the attachments removed. The lack of categories is also a nuisance for organization; you can create folders but have to manage it manually.

I’m still glad I switched, having bought 1Password on a bunch of platforms and a bunch of paid upgrades before it turned into a subscription. It probably would have been less money if it had been a subscription from the start with all the times I bought it. Maybe it’s irrational, I just don’t like being so dependent on a subscription service, and having a local network sync between my devices was just fine. Same reason Lightroom can pound sand with their $120/year licensing, I’m not going to keep my photo library in something that I just have to keep paying for the rest of my life.

Bitwarden is good enough for me, with 1Password as a subscription you can look at it and realize “this is going to be $36/year forever.” If I spent any time in it, might be worth the expense. I’ve bought a lot of software and I don’t mind paying for good software. But I’ve moved the things that were attachments to an encrypted disk image, and 99% of my password manager interaction is via auto fill so I don’t actually care how polished the UI is.

Family sharing would be a more compelling reason to stick with it if you’re using that.


> It’s not a complete import, you’ll get usernames and passwords but if you’ve done anything else with it (like say attaching software license files, scans of important documents, etc) they’ll be silently dropped.

It's not quite a silent dropping -- 1Password warns you with a popup during the export that it doesn't include them in the export file. Bitwarden won't warn you, but in its defense the files aren't even present for it to skip...

https://imgur.com/a/cjMbWZT


Before I started using 1Password I did use the secure disk image method for storing what I now store in 1Password. But it's only a few things, really, and in every case it's just to have quicker access to something normally stored in a file cabinet so I don't have to dig into the files.


I did this last year and it wasn't very smooth, to say the least. But now, I'm happy that I did :)


I only have the iOS non-subscription version and am happy with it. Is this going away?

It allows me to use the vault on all of my iOS devices and that’s sufficient.


It's not going away any time soon; the app is still available for macOS and the browser extensions work just fine. Eventually they will stop supporting them, but that'll just mean at some point in the future a macOS/Firefox/Chrome update will break the existing app and they won't fix it. That might be 2 months from now or it might be 2+ years.


And once that happens, you may no longer be able to access your passwords.


Sure, if you no longer have a way to use an older version of macOS. Not a good idea to leave your sole copy on a machine you don't have full control over.


Sounds like the answer is yes.


Same here, this is when I switched to Bitwarden and haven't looked back!


I'm perfectly happy with paying a subscription, and think $4.99/month for 5 people is affordable.

What I'm not happy with is the possibility of password access being limited or sync breaking if 1Password servers go down. At least with Dropbox (iCloud, wifi) sync, I have full control over the local vault file.

Ultimately, it might be mostly about ownership and choice for me.


> $4.99/month for 5 people is affordable.

I’m glad you find it affordable, but these nickel-and-dime things add up. Especially when the product fits into $0 software, so $4.99 is infinitely higher than $0.

I feel like these small, “affordable,” services are just whittling away the Unix philosophy of do one small thing well. Layering on unnecessary crap just to charge a fee eventually comes home to roost.

Also, passwords are a lifetime need. So 80 years x 12 months = $4,790.4, and that seems like a cost that should be reduced out of one’s lifetime.

Do I want to go to Tahiti once in my life, or pay for password convenience?

Again, glad you’re happy, but I don’t want to live in a world where I pay $5/month for commercial versions that crowd out what should be community, OSS tools. I love curl and it’s awesome, but I don’t want to pay $5/month/forever.

We forget that taxes are inefficient and should be minimized where possible. A login tax for all eternity sucks.


> Especially when the product fits into $0 software so $4.99 is infinitely higher than $0.

What is the competition that costs $0? Bitwarden is $3.33/mo for equivalent functionality to the $4.99/mo plan from 1Password.


KeePass ( https://keepass.info/ ) with something like Nextcloud ( https://nextcloud.com/ ) or any other solution for syncing password databases across devices.

Let's Encrypt SSL/TLS certificates are free, as is Apache/Nginx/Caddy to reverse proxy Nextcloud or any other solution (if a web based interface is needed). You might also need something like ngrok ( https://ngrok.com/ ) for publicly accessing the instance if you're behind NAT and are hosting it on a homelab, or alternatively just put it on one of the VPSes that you're using, if you have any.

Personally I'm using a similar setup (a WireGuard VPN tunnel or two in there as well) on my pre-existing VPSes, so the effective costs are $0 for me. And the file based approach is actually superior to any (possibly) dubious browser plugins in my eyes.


This reads like that notorious HN comment about it being trivially easy to roll your own Dropbox. Our time has value. Good UI has value. How much time is saved by just using a service like 1Password versus the design, setup, maintenance, and ongoing use of a system like you suggest with all those individual pieces?


I was just thinking the exact same thing. For technical and especially non-technical folk, getting a full Nextcloud host set up and working is going to take significantly more time than a simple login into 1Password, where it just works.


Dropbox, OneDrive, iCloud, and others have a free tier that is completely sufficient for a password vault.

Their client used to support this and they stopped. Because their current way makes them more money.

Their old client was super easy for non-technical users and groups (just enter Dropbox credentials, etc).


Box.net supports webdav if that's what you want. I'm not aware of any other big name cloud storage providers that offer support for standard protocols. It's available for free accounts, too. This does mean the files aren't encrypted, however if your vault is encrypted that may not matter to you.


Except, you didn't need to roll your own. 1PW used to support Dropbox - it's how I still use it.

And specifically you only need the DB free tier to store a 1PW vault, so the only cost was paying for the 1PW client (which I am more than happy to pay for on major version updates, as long as it is not a subscription).

1PW removed functionality that existed, with the goal (or at the very least the effect) of locking users into their own cloud platform with a new monthly bill.


For a moment I felt that perhaps I should add clarification about how I'm not trying to dismiss the cloud solutions (as in the notorious Dropbox comment), but instead am attempting to provide one of the many libre setups to answer the parent question, but in the end didn't get around to it.

My time probably isn't as valuable as that of the many people here (about 5x less earnings on average in Latvia when compared to places like US), therefore it definitely makes sense for me to upskill myself in any way possible, especially if I get usable software out of it.

But if you take the container based approach, there is almost no administration to be done:

  First, install Docker: https://docs.docker.com/engine/install/ubuntu/#installation-methods (about 10 minutes, varies by distro)
  Personally, I use Docker Swarm, but that's just a few more init commands and Docker Compose works as well: https://docs.docker.com/compose/install/ (about 5 minutes)
  Then, set up something like Caddy for a reverse proxy: https://hub.docker.com/_/caddy (probably 20 minutes)
  And then, set up Nextcloud: https://hub.docker.com/_/nextcloud (probably 20 minutes)
  Lastly, install KeePass from the previously mentioned links and put the password DB in the synced folder (probably 10 minutes)
  Ngrok, DNS challenges etc. might be necessary depending on the setup, but are not usually required for most regular VPSes.
  Backups and updates should also be taken care of, but full VPS backups are mostly standard and you can just bump the container tag every month.
As for the UI, I agree in principle, but not in this case. KeePass has good UI and I'd argue that you don't need a team of UI and UX developers to keep track of some usernames and passwords (and maybe certificate files).

Furthermore, I'd argue that most of the cloud offerings are actually problematic because not all of them let you download the data as files. In contrast, KeePass works with files (much like SQLite) and therefore, if you'd prefer to use SD cards or Samba or NFS or whatever instead of VPSes to somewhat decrease the attack surface, or simply use tools that you know, then you can do that. Want Syncthing instead of Nextcloud? Go ahead!

I'm putting emphasis on this because the line of thinking that we need web SaaS platforms for everything is dangerous - it makes you think that the problem is more complicated than it actually is. Whereas in reality some people probably get away with using password protected spreadsheets (don't do this). The problem is complicated only from a security perspective. That's it.

The cloud solutions excel at convenience and things like browser plugins and it's good that they're offering options for the less technically inclined folk, but they're far from the only option.
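As an added illustration of the container-based setup outlined in this comment (not the commenter's own files): one Docker Compose file that runs Caddy as the TLS-terminating reverse proxy in front of Nextcloud, with the KeePass database kept in a Nextcloud-synced folder. The hostname vault.example.com, the admin credentials, the volume names and the Docker network range are placeholders or assumptions.

```yaml
# docker-compose.yml (added example; hostname, credentials and volume names are placeholders)
version: "3.8"

services:
  caddy:
    image: caddy:2
    # Caddy's built-in reverse-proxy mode: obtains a Let's Encrypt certificate
    # for the hostname and forwards HTTPS traffic to the Nextcloud container.
    # DNS for vault.example.com must already point at this host.
    command: ["caddy", "reverse-proxy", "--from", "vault.example.com", "--to", "nextcloud:80"]
    ports:
      - "80:80"      # ACME HTTP-01 challenge and HTTP -> HTTPS redirect
      - "443:443"
    volumes:
      - caddy_data:/data   # issued certificates and ACME account keys; include in backups
    depends_on:
      - nextcloud
    restart: unless-stopped

  nextcloud:
    image: nextcloud:stable
    # No "ports:" entry on purpose: Nextcloud is reachable only through Caddy
    # on the internal Compose network, never directly on the host.
    environment:
      NEXTCLOUD_TRUSTED_DOMAINS: vault.example.com
      # Nextcloud sits behind a proxy that terminates TLS, so generate https://
      # links and trust X-Forwarded-* headers only from the Docker network
      # (assumes Docker's default 172.16.0.0/12 range; adjust if yours differs).
      OVERWRITEPROTOCOL: https
      TRUSTED_PROXIES: 172.16.0.0/12
      # First-run admin account; replace these placeholders and remove them
      # from the file once the instance has been initialised.
      NEXTCLOUD_ADMIN_USER: admin
      NEXTCLOUD_ADMIN_PASSWORD: change-me-placeholder
    volumes:
      - nextcloud_data:/var/www/html   # config, apps and user files (the .kdbx lives here)
    restart: unless-stopped

volumes:
  caddy_data:
  nextcloud_data:
```

Point the Nextcloud desktop and mobile clients at https://vault.example.com and keep the KeePass .kdbx inside the synced folder: the database stays encrypted by KeePass regardless of what Nextcloud or the proxy can see, and the two named volumes are what the monthly VPS backup needs to capture.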


So getting to know how to do things by yourself is a waste of time?


I know exactly how to do it, I've tried out what has been described above.

I've got a lab for stuff I want to tinker with, but a password manager is seen as an "essential service" to me like e-mail and music. I'd much prefer to pay a bit per month and have a team of professionals deal with it if the servers go down.

If at the end of the day my home server breaks and I want to get on and watch Amazon Prime/Netflix/whatever I still can with a hosted password manager. I value my time and sanity a lot more than £2 a month.


That's a fair point! But depending on your setup, it's also possible to replicate the password database file to every single device of yours on the network.

Currently doing just that; if any of my servers go down, I can still access all of my passwords on my desktop, on my laptop, on my tablet, on my phone or on my backup servers. Of course, provided that I have KeePass or a mobile app installed and know the master password.

Oh, and I do manual backups to SD cards just to be sure every month. I'm not sure how I'd do that with a cloud service where in a sense their entire company (and my network connection to it) is a single point of failure. If my internet connection goes down, how would I log in to my self-hosted software in my homelab over LAN, without being able to access the passwords?


I thought most users were talking about personal use here?


> so getting to know how to do things by yourself is a waste of time?

Potentially. Are you looking to make a prototype, or are you trying to go to prod with mission critical data?

Most people here could trivially roll a prototype grade password manager in pretty limited time. Getting something hardened and reliable is a different story.


Yes it is a waste of time, if you want to spend time doing other things in your life.


It's not a waste of time only if you are interested in knowing how to do these things.


Recently set up something similar. DNS entry that resolves to a local ip, swag + letsencrypt reverse proxying to Nextcloud, all setup as containers and accessible anywhere over WireGuard. I'm pretty happy with it.


Here's a link to swag, if anyone hasn't heard of it before: https://github.com/linuxserver/docker-swag

It does seem like an interesting and useful project, though there are also other more popular alternatives like Caddy: https://caddyserver.com/ (even though their V2 not being backwards compatible was a tad annoying)

Oh, and some people also have pretty good luck with software like Traefik: https://traefik.io/traefik/

Apart from that, just wanted to say that WireGuard is absolutely lovely! Pretty simple to set up, works well and uses way less resources than something like OpenVPN.


WireGuard has already spoiled me, every time I have to fire up my job's bloatware VPN client I get a little bummed out now.


The real question here is how much time it takes to setup this experience and how much time it takes to maintain. You could argue that the true cost is the labor cost of implementation and maintenance at your current pay rate.


Not too much time, honestly. I use KeePass + Syncthing and it was easy to set up. Syncthing is generally useful as well, besides password manager sharing.

After setup I rarely have to think about it, maybe manually sync a conflict between the DBs every 3 months or so.

Overall, _very_ happy with the setup.


The $0 competition for normal people is KeePassX stored in Dropbox, OneDrive, GDrive.

The $0 competition for hackers is https://github.com/dani-garcia/vaultwarden


Simply not the same thing at all.


Why not? I had this setup for years before switching to bitwarden_rs.

You have apps on every device to access your password database and do autofill. I stored everything in KeePass: recovery keys, TOTP seeds, sensitive documents and notes. I get the password sharing thing for families, but for a single user they have the same feature set. The only thing missing is browser access, but even though I now have browser access to Bitwarden I think I’ve used it like twice. I think I used KeeWeb maybe once.


It's not the same thing because the whole argument being made is in the context of 1Password and its target audience: normal users. That's your mum and dad and other very likely non-techie people.

Your choice of solution isn't the same thing.


Syncthing+keepass/x/c, or pass+git if you're more techy


A more apt comparison is $0 for Bitwarden vs $4.99 for 1Password. Most people don't need the 'extra' functionality.


That comparison would be $2.99 for 1Password. It is the family plan that costs $4.99, and Bitwarden's family plan is not $0. It also assumes you don't want the features in the paid version of Bitwarden, so it's not an apples-to-apples comparison. 1Password doesn't offer a free reduced-feature version, true.


That's fair. My point was that Bitwarden handles a good number of people's requirements in their free tier. 1Password is not free for anyone.


Keepass is zero.


And has zero native syncing functionality being presented by 1Password across every platform on the planet.


psst, for many of us 1password of old not having any native syncing functionality WAS A FEATURE.


But for 1Password "us" was the general population, not highly skilled computer engineers.

We're not the primary target audience for 1Password, we just happen to fit under the umbrella anyway.


I use Syncthing to take care of the replication. No issue.


Personally, the added foolproof security and ease of sharing with non-tech savvy family makes that cost more than worth it for me personally.


Again, I’m glad it works for you and others.

I think about sustainability quite a bit and if everyone who needs password management spends what you’re comfortable spending, that’s a waste I think. And when tech stops making things cheaper and faster it’s a bit sad.


Bingo!


> We forget that taxes are inefficient and should be minimized where possible. A login tax for all eternity sucks.

Yes, but like in many other cases, an efficient market would mean that they will always need to be better in most aspects than whatever free, open source, or simply lower cost competitor pops up.

Unless they decide to prevent people from exporting their passwords, of course — and that's a big enough dealbreaker for me that I'd move away anyway, not caring how fancy or advanced the rest of their UX is.


So how was your trip to Tahiti?


Well, I’m saving $5/month so I’ll tell you in a few decades.


If the servers go down you'll never lose access to anything. You would lose sync while the servers were down but you would be able to access everything you already had on every device.


Also I think the "head" of the family can reset passwords of the other accounts...


Not sure why I'm being downvoted...: https://support.1password.com/recovery/

Ps. They can delete accounts too: https://support.1password.com/add-remove-family-members/


> Ps. They can delete accounts too: https://support.1password.com/add-remove-family-members/

This makes losing local vault support an even bigger cause for alarm:

> After you remove a family member’s account, they can’t sign in to 1Password, which means:

> They lose all the items in their Private vault. Because the items weren’t shared with any other family members, no one will be able to access them.

Imagine: the access credentials of the administrator get compromised, and the entire family's digital life, stored on 1Password, gets wiped by the malicious actor.

The attack surface would be limited if instead the removed user's license turned into a read-only one, like how 1Password currently deals with people who use local vaults and are not on a subscription.


More pragmatically, that's a prime opportunity for some to make a nasty divorce quite a bit more nasty.

Big, big nope right there, thanks.


So don't use the family plan?


It's not a problem right now with 1Password 7, because family members are (as far as I know) able to use local vaults too.


...which makes the subscription even more expensive.


Affordability is a mirage: $5 per month and $60 per year won't break the bank, but it's a huge amount to justify in other geographies where money transactions are NOT in $$.


I'd vastly prefer to be able to do 'bring your own storage' but for that price I don't really see a problem with that being a "you can do that, but you pay the same subscription price anyway" feature.


If they let me do that (and have more than one local vault) I'd still be using 1Password.

I have no particular qualms with paying for software whether as a one-time purchase or a subscription.

I just don't want all my stuff syncing to and reliant on 1Password's infra.

I'll pay them $5/mo to self-host my own passwords. But they won't let me. So I switched to KeePassXC.


When you have a 1Password.com subscription, you are not "working in the cloud" like with Google Docs or something.

Your vault is local, and synced to/from the cloud.

Basically just like Dropbox. If your internet is down and you cannot reach Dropbox, all files synced to your computer are still there, on your computer. It's just that any changes you make locally or changes made on dropbox.com cannot be synced until your connection is back.


I'd be ok with paying an annual fee for the app.

What I have zero interest in is increasing my attack surface solely for their bottom line.

I'm also increasingly uncomfortable with the company handling my passwords engaging in the sort of spin and dark patterns we've seen from AgileBits in the past few years.


Agreed. In the end 1Password has always been a subscription, just you paid "one-time" upgrades every two years to stay up-to-date with the latest version.

However the differential factor of 1Password, which was that it _didn't_ provide the storage if you didn't want it, has now gone away. Precisely why I chose 1Password when I started using it. I don't see the difference between this and any other password manager now.

There might be security or technical reasons for removing this option, but looking at how hard they've been trying to get me into a subscription during the last couple of years I just think we're on a bad case of subscription-all-the-things here.


I think Bitwarden is much less cringey as a corporation if you're looking for an alternative. I use it and pay an annual subscription and have no issues. You can even self-host if you get fed up with paying for a subscription or their free service.


I'm curious about how you see the attack surface increasing when using 1Password. My knowledge of how it works is that it always stores your passwords in an encrypted blob that can only be decrypted with a combination of username, "master password", and vault password. So no matter if it's in Dropbox, 1Password's servers, or your own hard drive, if anyone obtains a copy of the password file they still have to crack it before they gain access to anything.

Also I see your reply has been downvoted enough to become grey. (EDIT: Looks like between starting writing this and submitting it, you're no longer in the gray from downvotes!) I imagine it's because you made a blanket claim about spin and dark patterns without any supporting evidence. I'd be curious to know what you're referring to since I don't really keep an eagle eye on this stuff, I just use their product.

The one thing I do remember in the vein of "dark patterns" is how they effectively hid the method of doing a one-time payment for 1Password where you have to manage syncing and backing up the password file yourself. Seeing as I have no reason currently to do anything but make a charitable read of that situation which has been decried more than once on HN, I'd be willing to bet they did so for the following reason: They have had many problems in the past where a customer has lost a password file because they were not a power user and did something such as keep it on one hard drive in their only computer. (reinstalled windows, hard drive died, etc.) So they wanted to make something that would prevent that from happening for the vast majority of their customers that don't really understand stuff like backups, or don't have Dropbox, or who aren't part of Apple's ecosystem and have iCloud, etc. so that their passwords will remain safe and secure. So they made their own sync service and hid the version that would do local-only files so that only the dedicated users who really want to do that would find it and use it.

OR alternatively they're a bunch of greedy people that just want to hoover up dollars from our wallets, as people love to accuse them of here. Maybe a little of column A and column B, honestly. Something something needing to ensure they have a company that stays in the black without wanting to absolutely bloat up their own software so it becomes another useless Enterprise(TM) application with each passing paid version.

Also the only affiliation I have with 1Password is I have a friend I recently learned works for them, otherwise I'm just a customer. I just got into one of my little ADHD focuses where I really wanted to reply with something long and detailed, so please don't assume I work for them or something and am defending them because of that :)


> I'm curious about how you see the attack surface increasing when using 1Password. My knowledge of how it works is that it always stores your passwords in an encrypted blob that can only be decrypted with a combination of username, "master password", and vault password. So no matter if it's in Dropbox, 1Password's servers, or your own hard drive, if anyone obtains a copy of the password file they still have to crack it before they gain access to anything.

_If_ they obtain a copy of my password file.

"My email is nucleardog@nucleardog.example, my password is abcdef12345."

If I'm using 1Password's cloud service I'm... screwed? You now have literally my entire digital life.

If I'm syncing anywhere else, you've got a much bigger task ahead of you. First you have to _find_ where my vault is stored, then you need to gain access to it.

There's an extra layer of security to the way I want to do this. An extra factor of authentication. I don't want the only thing between you and my entire life to be one set of credentials.


> So no matter if it's in Dropbox, 1Password's servers, or your own hard drive, if anyone obtains a copy of the password file they still have to crack it before they gain access to anything.

When I keep it on an airgapped machine that's a lot harder than when it sits on 1password's internet facing servers.


> I'm curious about how you see the attack surface increasing when using 1Password.

Someone above outlined it nicely: If you let 1Password take care of encrypting the vault, and iCloud (for example) of storing the vault securely, then a malicious actor would have to compromise both products to get your secrets.

It's why we have a pilot and copilot on planes.


> So no matter if it's in Dropbox, 1Password's servers, or your own hard drive, if anyone obtains a copy of the password file they still have to crack it before they gain access to anything.

Except that they control the client that I'm entering the master password into. So either the password is sent to their servers anyway or a malicious actor could simply update the client to do so.


You're of course free to use whatever software you want or do whatever you want. But I think assuming that you're going to see a malicious actor updating your password manager to steal all your data shouldn't be too high on your list of things that you think will realistically happen. I'm not saying it's impossible, just one of the least likely things to happen.


This is true of any password manager.


But you can take your device off the network when running the password manager to ensure it isn't able to do that, for example. (Or more realistically, you can watch with something like Little Snitch or Wireshark to ensure it isn't happening.) That's something you can't do when the password manager requires the network to do its main function.


But my wife can't do this. She doesn't know how.

It's absolutely incredible to me that people ignore one of the biggest sides of the argument for pre-baked, user friendly products like 1Password: usability for as many people as possible.


You're trusting the client whether or not it can talk on the network. A malicious update that starts generating predictable passwords for websites doesn't need a network connection.


I've been using 1Password for 3 years now. Been paying $35/year and I'm with you on this one. I really like their service. The integrations are great. I rarely use their Mac app. I use my Apple Watch to unlock 1Password in my browser. That for me, is a game changer. It's such a seamless experience. I'm a happy customer and I love the service.


> I use my Apple Watch to unlock 1Password in my browser.

Can you point me to where this gets set up? I'd love to do this.


1. Open the 1Password Mac app
2. Go to Preferences > Security > Apple Watch (there's also an option to enable Touch ID) and enable it

Make sure you have your browser 1Password plugin updated to the latest version.

When you click on the locked 1Password icon in the browser, you get the "Double click to approve" alert on your Apple Watch. You double click the side button on your watch and 1Password in your browser is now unlocked. This also works the same way with Touch ID. Hope that helps. Cheers.

edit: Provided clarity regarding the Mac App


Perfect - thank you! I don't know how I missed this.


This feature was a game changer for me and my Mac mini without Touch ID or Face ID.


I didn’t know this is a thing… I’ll have to look into it - thanks


Same. I share my passwords with my wife and sync them across devices. I also have a license for an older standalone app. I don’t feel cheated. I wanted to be able to share some passwords with other people.

I saw something mentioned about self-hosted vaults. That is something I might consider for my family.

I advocated for the use of 1pass at work precisely because we can share strong passwords with the team. Otherwise, people would just use the same, well-known weak passwords for everything, including business critical ones like domain registrar or Gsuite admin or the root AWS account.

I am not as happy about having another Electron app running on my local box. I hope they spent time locking things down. On the other hand, if it means my wife (on Windows) gets feature parity with my macOS client, that would be good. Even better if the Linux desktop gets feature parity and I no longer have to rely on the web or browser plugin.


1Password’s 2FA OTP auto-fill is such a blessing.

It saves me so much time compared to how I used to have to do it — pull out phone, unlock, open Authy, wait forever for it to load, type in code, put phone away…

It’s the little things that all add up. I’m very happy with 1Password — been using it for 10 years, and happy to subscribe, considering it’s probably my most-used utility app.


> 1Password’s 2FA OTP auto-fill is such a blessing.

Until your vault is somehow compromised and your second factor is no longer distinct from the first one...


I am cognizant of this risk, and assume it, because security is always a spectrum between Secure and Convenient. If I had to pull out my phone every time I wanted to use 2FA, I for sure would not be so liberal to turn it on for all the "low value" properties the way I do now

I have never even _heard_ of someone having their 1P master password compromised and the vault(s) exfiltrated (although I grant you it could be just because the NSA doesn't write blog posts about their pwn2own victories)

It's my recollection AgileBits is also running (that is: currently) a CTF with a publicly exposed vault, so folks can test the resilience against attack for themselves


> I am cognizant of this risk, and assume it, because security is always a spectrum between Secure and Convenient.

Absolutely. But also, in such a setup, the security benefit of 2FA/OTP codes is negligible at best since there are no conditions under which only one factor could be compromised without also having the other factor leaked (assuming you're using unique passwords for each identity, which is the entire point of a password manager).

However, I suppose it could be used for bypassing the inconvenience of mandated 2FA scenarios (to the dismay of your company's security team).


> there are no conditions under which only one factor could be compromised without also having the other factor leaked

Man in the middle attack, Phishing attack, Over the shoulder attack, Brute force attack, Keylogger, Http (not https) traffic sniffing, 'Breach' of the site and realisation they host their passwords in clear text on an unsecured db online.

Then there is human error; typing password into wrong site, giving your password to the tech support cold caller, telling someone your supersecret password ...


> Man in the middle attack
> Http (not https) traffic sniffing

If you can see the password, you can also see the time-based OTP, and you can use those to gain access.

> Phishing attack
> Over the shoulder attack

If you can convince someone to provide you their password, it's highly likely you'll also be able to convince them to also provide you their time-based OTP.

> Brute force attack

A successful brute-force attack on the vault (unlikely) means you've lost both your password and your OTP secret. A successful brute-force attack against a remote account using a safe password (re: password managers) is very unlikely!

> 'Breach' of the site and realisation they host their passwords in clear text on an unsecured db online

The password and the OTP secret themselves have no value (given that you're using unique passwords for each account). If the attacker has breached the service back-end then it's gameover anyways, regardless of 2FA for user accounts.


> (assuming you're using unique passwords for each identity, which is the entire point of a password manager)

If you're doing this there's a very limited benefit to TOTP anyways.


Definitely. A Yubikey or another TPM-based auth would be a better choice. I just wish they were cheaper and more accessible...


> But also, in such setup, the security benefit of 2FA/OTP codes are negligible at best since there are no conditions under which only one factor could be compromised without also having the other factor leaked (assuming you're using unique passwords for each identity, which is the entire point of a password manager).

Phishing and good ole fashioned human error are two methods by which a password can be leaked without exposing the 2FA token.


In such a setup where the second factor is a TOTP I would count on the attacker being successful at phishing that too.


I previously thought that we were just having a difference of risk tolerance, but if you think some rando can _phish_ a TOTP secret, we are not even in the same universe of risk mitigation

> Hello, dear sir, this is the USA IRS and we are going to send the FBI because your TOTP code is expired and are going to put you in jail if you don... hello? hello?!

> Click this link and paste in your TOTP secret because we need to verify your identity: https://1passsword.com/2fa-verify/


For passive phishing (e.g. setting up an identical website to the real one) stealing a valid TOTP token is trivial and such campaigns have already been spotted in the wild [1]

> if you think some rando can _phish_ a TOTP secret

Given the context this discussion is about (someone with a 1Password vault, storing unique passwords and TOTP secrets for each account they have) do you see any scenario in which a user gets his password stolen but not the token (or the OTP secret seed altogether)?

> Hello, dear sir, this is the USA IRS

If an attacker via a phone call is able to get the victim to (a) unlock their 1Password vault, (b) spell out their password for account X, what makes you think they couldn't get them to also (c) open their 2FA app and spell out their TOTP token?

> I previously thought that we were just having a difference of risk tolerance

The point I was making is that there are no security advantages to setting up a time-based OTP as a second factor for authentication if the secret seed is going to be stored in the same vault where the passwords are: might as well just forego this TOTP setup altogether and save the extra hassle. Or get a hardware second-factor (TPM, Google Titan, Yubikey, ...)

[1]: https://www.zdnet.com/article/new-tool-automates-phishing-at...


If my password vault is compromised it's game over anyway. There's enough access in there to remove the 2FA on all of my accounts even if you didn't have the codes. There's no way I'm giving up breakglass access and risking locking myself out of my accounts permanently or while I'm on the road if I lose my phone.

The point of using 2FA for me is to protect me against my password being compromised since it's a long-lived access key.


I believe there's barely any benefit to setting up TOTP 2FA for those accounts if you're going to store the backup codes/token seed along with the password in the same vault.

> If my password vault is compromised it's game over anyway.

There are ways you could make a vault compromise not mean a complete/irreversible takeover, but that would either give up breakglass access as you say or add complexity and reduce availability.

> The point of using 2FA for me is to protect me against my password being compromised since it's a long-lived access key.

In which situations on your setup would a unique password compromise not imply there's also been a TOTP token/seed compromise?


Authy has a desktop app :)


And Authy has an Apple Watch app, btw, that's very nice. Put it on the bottom button, and 2FA is fast and pretty convenient.


TIL that it can be even easier. Thanks!


I'll be an outlier with you. I install the app wherever I am, authenticate, and BAM, I have my passwords. So easy even a caveman could do it. I've been a happy subscriber for years.


I'm with you. It's seamless, it works (on every platform) and it's easy to use.

At the end of the day if you want a password vault that is sync'd across devices, you're trusting someone...somewhere. Be that 1password, dropbox, or even that Linode you manually rsync your data to. You've got to decide what is the biggest risk for your own personal use cases.

For me, I'd rather store my sensitive data with a company that has demonstrated a repeated push to keep my data as secure as possible, even from itself. It's their core business, all they focus on.


$20/month seems a bit steep if you ask me. Otherwise I agree with everything you said.

edit: I misread and was looking at the business page. $4.99/month for family and $2.99/month for user is entirely reasonable!


For a family (5 ppl) it was $71.82 last invoice (Dec) which is ~£50 a year.

We have me, my wife, my eldest, and my mum on it - and it is indeed super simple to be able to share things around.

I used to have keepass/lastpass/dashlane - but 1password is the only one I've managed to convince family members to use as well


Yeah. And I think it's $50/year. It's the one sub that I'm happy to pay.


Plus they have a 'pay $99 once, get $150 in credit' option which makes it work out even cheaper if you're happy to do that.


Can you share the link? I haven't seen it.


That was announced as part of the post that we're discussing.

Not sure where the signup link is, sorry.


I think removing the self-managed data store feature makes sense even if not everyone likes it. It removes a source of architectural complexity, and most users aren't looking for local storage anyway.

Personally, the problem of managing reliable persistence of my password database just isn't something I want to spend time on, and the incremental difference in security posture is uninteresting to me given that it's encrypted at rest anyway. In terms of waking hours spent worrying about the security of my household IT, the security and persistence of sensitive documents (mainly vs. ransomware) is a bigger problem and I like that my passwords aren't tied up in that mess.


>I think removing feature X makes sense, even if people are using it. It just makes the developers job way easier.

And that's why I only use community maintained software with no telemetry or "data driven decisions."


Psst, I'm not paying for the software to make their lives easier. I'm paying for the software for the features.


I agree, I switched about a year or two ago to subscription and I'm quite happy with it. There are some apps/platforms that I believe /should/ be subscriptions and my password manager is absolutely one of those. 1Password has continually added new/better features year after year and the price is tiny compared to the value I get (and then subsequently provide to people in my 'family'). The UI is the best I've seen in a password manager and while design doesn't necessarily affect the ability for a PW manager to do its core job, I prefer looking at pretty apps. Almost every time I use 1Password I leave with a smile/good feeling.


Agreed - software like this doesn't exist in a vacuum of frozen dependencies (at least not until Urbit takes over). Subscription models make sense for stuff that requires updates over time to keep it working. Their stuff is reasonably priced and the product has been really good for years (imo).

I suppose they could do something like JetBrains where you get updates while subscribed, but realistically login breaks for users would be a mess to support and a standalone text editor is a different service.

This move makes sense to me given their market. Those that want to run a vault can use an alternative that's more of a hassle to deal with.


100% same. I've been a happy subscriber for years now, and recently switched to the Family plan to try and get my parents to start taking security a bit more seriously.


I agree with all of your points - I'm okay with their sub model, I'm okay with Electron and it's the first time I was able to convince family members to use a password manager (because it works so well)


Yep, long time 1password user and recommender. None of this bothers me.


Agree. 1Password is one of the software subscriptions I have no regret paying for.


Yeah, same. This is fine by me and changes nothing for me as a customer.


I think the issue people have is YetAnotherCompany:tm: forcing you into their subscription walled garden.

And also from a user security standpoint, I don't think we can keep going on making enhancements to user security good practice habits if we gatekeep good password habits behind paywalls.


I am a 1PW subscription user and am happy with the product (however, seeing they are moving to Electron means that is very subject to change...)

but

Saying that "customers voted with their wallet" and chose subscriptions is disingenuous

Ever since they've had subscriptions they've made the standalone license page extremely difficult to find on their site. They really didn't give regular users a "choice"- they dark-patterned them into thinking subscriptions were the only option

As forthcoming / down-to-earth as these posts from the company seem- they are full of spin. Their impossible-to-find standalone license page is a topic they seem to be avoiding.

Edit to add this small addendum: It just really bothers me on an emotional level to constantly run into this juxtaposition as a user of software/hardware: liking a product but being extremely disappointed in the company offering it.


I fully agree. Been a standalone user for years and a coworker asked me recently how I got the standalone license because he didn’t think it existed anymore.

Even with me knowing it exists, I wasn’t able to find it on their site to send him. (Hint: you have to upgrade within the app, but only if you downloaded from their website, and only if no 1p account or trial is present)

Add other dark patterns like the extension being 1PX only by default and doesn't work with standalone. You have to cram through their website to find the legacy extension and even that isn’t straight forward. They tried very hard to hide all info of a standalone existing.

(Personal annoyance: locking new features like the redesigned autofill overlay to the subscription-only version even though the Safari extension fully supports it for standalone, but not the others.)


Agreed! Also a standalone user for years. (have about 400 passwords and security Qs in 5 vaults). Can even live with subscription (it's just forking out a few bucks more), can even live with Electron - at least a Linux client will be available right away, but why no local store? Dropbox sync was working perfectly!


Yes I also ran into the legacy extension issue. The site was confusing as hell, and it seemed purposely so


> Saying that "customers voted with their wallet" and chose subscriptions is disingenous

Honestly, I wouldn't mind paying a reasonable price for the 1Password service if it wasn't a step down in value from what I had before.

I have a slightly older version of 1Password and it works fine for my purposes. I've been holding off on the subscription transition because I would derive zero value from switching to subscription but I'd gain a monthly payment I didn't have before.

But the thing that irks me is the PR speak that is trying to spin the subscription change as something we, the customer voted for, when they've gone out of their way to force everyone into subscriptions and hide the standalone version. I know the standalone version of 1Password 7 exists, but I tried to find the price yesterday and gave up after a few minutes of poking around.

"We didn't choose this, you chose this!" is so distastefully dishonest that I have zero desire to engage with this company any more. Once my standalone license of 1Password 6 stops working, I'm upgrading to a competing product.


It's not dishonest. When they launched the service at 1password.com, you could choose which one you wanted when you downloaded and purchased. When they say "you chose this", they're referring to the time when that was on their site and people overwhelmingly chose the subscription. They posted this on the forums after the first year and made a pretty big deal about it and now everyone is acting like they did this in secret. It's in the release notes, it was on the site, and it was in the forums. I think they may have even emailed it to people at one point (I've been a user since v3). To say they're being dishonest is not true.


> they're referring to the time when that was on their site and people overwhelmingly chose the subscription

No, it's still misleading. People like me, who already had a working version at the time the subscription was rolled out, simply chose to do nothing or switch to a competing service. People who didn't want subscriptions saw the writing on the wall and started migrating to other products.

To suggest that their userbase wanted to voluntarily give up their paid-for software that was working just fine and swap it out for a subscription service just to get feature parity is silly. As you said, they made it clear that subscription was the way of the future and that anyone who didn't want a subscription product should look elsewhere, so we did. Let's not act surprised when their only remaining customers were those who wanted a subscription version.

> It's in the release notes, it was on the site, and it was in the forums. I think they may have even emailed it to people at one point (I've been a user since v3)

I don't see where anyone was claiming it was done in secret. It has been discussed at every step of the way on social sites like HN for years.

The secret part is that they've gone to great lengths to bury the standalone version 7 link on their website, and now they're claiming that not many people buy it. Of course they don't, because it's virtually impossible to find or even know that it exists unless someone passes you the link.


I think it depends on how they got 97%. They hide the standard version on the website, but the specific picture they show in-app[0] is pretty clear about the license option, so if it's 97% of people choosing the subscription via that screen I'd believe them.

0: https://com-agilebits-users.s3.amazonaws.com/dave/1password7...


I purchased a 1Password license years ago. I knew when I bought it that major version upgrades were not included and my feeling was that I would rather have a subscription so I could just seamlessly upgrade when new versions arrived.

Ever since they released the subscription option my upgrades have been very smooth and the features and improvements keep coming and I don't have to actively go and upgrade/purchase a license for a new version.

I don't know how to feel about switching to electron. I have many applications that are electron based and the quality is generally high but some do cause significant memory pressure on my macbook air.


As a standalone user that uses Dropbox sync, I have had 0 problems upgrading from 3.x all the way to 7.x.


I disagree. When the subscription service came out, they very clearly offered both options side by side and the boxes were the exact same size, had the exact same button to proceed, and the same coloring. You were given a choice.

Starting with 1Password 7's beta, they "hid" the standalone option on the site and then removed it completely and only allowed for purchasing standalone versions through the app itself but that was announced prior to them doing it.


Maybe it was a timing thing, but I strictly remember it being different than how you describe here

The only way I even know a standalone option existed at the time that I moved to 1PW was because of reviews/comments on other sites that then led me to support pages that said "oh yeah, if you still want that version, smirk smirk, then use this special link"


There are screenshots and an archive on archive.org that shows it's not different to how I'm describing it.


It was hidden long before the 1P7 beta.


The iron law of software products: like the product -> dislike the company offering it -> dislike the product.


I haven't had a single bad experience with Bitwarden. I even pay for it now and still run it locally just to support them. Highly recommended if you don't want to be forced into 1Password's service.


I moved to Bitwarden from Lastpass also, and I'm definitely happy for the most part.

The chrome extension leaves a tiny bit to be desired, but definitely still usable:

* Not as good about determining correct sign-in URL and lots of times will send me through the auth redirect from registration

* Launching sites without mouse isn't possible (shortcut exists to open extension but can't select site to launch it using arrow keys, for instance)

* Button locations aren't consistent between search view and opening it on a site you have a password on

Definitely still the best for me though. It's frustrating, though, that I don't feel like the paid plans really give me anything useful, so I'd be paying basically just to support the product (which I'm happy to do!). It's a weird spot for sure, I feel like table-stakes for a free password product is infinite devices + usable browser extension + phone apps + password generation. But figuring out what to add on top of that is always either directed at businesses or families, or things I don't care about like 2FA or an authenticator. I want to support you, damnit!


One other thing I do not like about BW (but not enough to switch) is that when you click out of the bitwarden window, it disappears and loses your place so you have to navigate to the secret again. Kind of annoying if you are on a website that resists autofill or want to copy something from custom fields.


Tip: Pop-out the extension as a window. Even if you close it, your browser’s Ctrl+Shift+N is going to restore that window with the same secret/state, even if the vault locks.


I don’t have issues with the URL, there’s lots of options for how the matching works. I found it to be superior to 1Password (tho I haven’t used that in a few years so I donno if they improved it)


The paid plan supports OTP tokens and allows big files so you can embed stuff like a Google Cloud JSON token file. The free plan has a 1000-character limit (per field) if I remember correctly.

Bitwarden runs so much faster than 1password despite being a browser extension.

The CLI is great too. I pretty much use it like a cheap version of Vault to feed secrets into K8S.


I use chrome shortcuts. In extensions, look at the option to assign keyboard shortcuts. I have set it Alt+D combination. The 2FA codes are copied in the background, and when the screen comes, ctrl+v does the magic. Simple.


I'm also happy with Bitwarden--I switched from 1Password a while ago when 1Password started the push toward subscription (which involved dropping support for features that I used, and dark UI patterns around pushing the subscription version as well as getting and using the non-subscription version).

I had bought several versions and both the Mac and Windows editions of 1Password over time, none of which were what I would consider inexpensive for a password manager. I consider their treatment of me as a customer to have been terrible.

I wouldn't be so pissed off about it if they had just dropped the product and started a new one, but slowly turning something paid for, used regularly, and liked into something different that I didn't want at all tells me that they are absolutely not worth doing business with again. They're not trustworthy.


I use Bitwarden for shared passwords with my family (using an Organisation).

For my personal passwords, I prefer keeping a local KeePass vault (I access over a local network drive, VPN in elsewhere).

I totally agree that primitives are some of the least important parts of choosing password managers, but what I like about KeePass is that you can use Argon2 as the password derivation function and specify your hardness factors. Because my laptop and desktop have a strong-enough CPU and I don't mind waiting 20-or-so seconds before the first unlock, I can set quite high values for this.


I love that KeePass works with pretty much whatever sync service you prefer. Personally, I use it with Google Drive and it even works with Android/iOS clients. However, would definitely recommend KeePassXC for desktop.


The browser integration is... crap though, especially compared to 1Password. Is there even a Safari integration?


Dev here.. Thanks for the feedback. Please note that you're comparing a big product to a small open source software :) Of course would like to know how to make the extension better, so if you want to help us, make an issue to GitHub, thanks. Safari integration is coming eventually.


Bitwarden's UX is so frustrating. The Firefox extension has no memory to it.

For example, if you're logging into your credit card provider from Mint.com, you have to search your card, copy the username. When you paste the result on Mint, you lose the window, and you have to re-search for your card to get the password. Very frustrating.


Does it still do that if you click the pop-out button so that Bitwarden has its own window?


It doesn't, but you shouldn't have to do that.


I agree - the UX of the extension isn't that great.


This is probably an edge case where the fields in the browser cannot be identified by their ids/classname. In this kind of scenario, you can set extra fields (and their corresponding values) in Bitwarden after inspecting the field elements in Dev tools.


No he means that Bitwarden's extension does not remember state. When you go back and forth between the form and opening the extension window, you always start at the default page. It does not remember you had an item open before. This happens with your credit card for instance which is typically not linked to a particular url.


This is one of my annoyances as well. Copy the credit card number... go to paste it. Come back and you have to find the credit card again and then copy the next bit... then go paste and when you come back you're once again presented with the full list so you have to go find the credit card again.

I've found just opening the main app to be a better solution in these cases, but it sure is annoying.


What caused me to not consider Bitwarden was the way it handled iframes. It could send the parent site's credentials to an iframe even if the iframe was on a different domain. This is a big no-no in my book.

This was a discovery in a security review they did and chose not to change.

This was some time ago so things may have changed. But, that red flag kept me away.


Most likely because credit card forms are very often served in iframes. 1Password fills iframes too (though maybe only for cards, not sure).


1Password fills iframes based on their domain rather than the parent's. If you have an entry in 1Password it will use the value for the domain of the iframe.

I’ve gone so far as to test this.

In my opinion this is the right security model


That definitely makes sense for logins.


+1 for Bitwarden

I used to use Enpass and never had an issue but it's not open source and you have to pay for the mobile client.


I'm in the same boat. Password sharing with my wife was a big plus for Bitwarden, and I got my kids in on it as well. I paid for the family plan and can share select items with my kids.

It's honestly fantastic to see how they have adapted to password managers.


I stay with Enpass.


Same here. Enpass works perfectly for me (I don't require family sharing, though, so no idea if it's lacking in that respect).


Bitwarden all the way. I've never had a single issue at all with them, and it always just works which for me is the single most important feature


Bitwarden and KeePass here, bitwarden is very good. I do not use browser plug-ins so both are kind of the same but bitwarden just wins on the little things.


You might want to check out the Strongbox iOS app if you don't use Desktop, it's also really good. It uses a Keepass database also.


May I ask why do you use both Bitwarden and KeePass? Do they have some kind of story of working together?


Personally, I use bitwarden for passwords only, and I store backups of OTP seeds in a separate keepass file.

I have my OTP codes on a yubikey for daily use. (works great, and breaking a yubikey is a lot harder than destroying your phone and losing all your OTP).


Yes it has been a breeze to switch to it, especially with their native import of Lastpass logins.

Lastpass frequently messed up the autologin and injected a lot of ugly css/html in the forms which Bitwarden doesn't.

Also it works really well as a chrome extension with Kiwi browser on Android.


What's the main point of Bitwarden or competitors over traditional password managers such as KeePassXC? Better autofill features?


Multi-device access, browser integration, mobile platform integration, and sharing with spouse or team members. I know there are solutions to some of those based on some variant of KeePass, but using something like Bitwarden is very easy. Bitwarden is really nice in that you can host the server yourself (or use bitwarden-rs), so you're not having to mess around with WebDAV or some other storage sharing mechanism.


What I’m getting is "it’s easier to set up"?

Though one more point that’s more than just "ease of use" is probably shared access. AFAIK Keepass has issues there while bitwarden (IIRC) supports it completely.


Advantages of bitwarden:

- conflict-less sync; with KeepassXC, I learned to live with keepass-diff, once the inevitable sync conflict happens

- no need to have the entire app running, or even installed; in the browser, the extension is enough. KeepassXC was kind of annoying to launch.

- password sharing

Advantages of KeepassXC:

- can autofill http auth dialogs; bitwarden still cannot do this

- can serve as ssh agent, so synced database takes care of your ssh keys too


I have bitwarden for my company stuff, and I find it .... very clumsy. The interface is nowhere near as polished as 1password IMHO


yeah the interface is crap compared to 1password but i do find a bit of comfort that even though it's not the best interface it's fully opensource unlike 1password.


+1 on Bitwarden. UX is perhaps not perfect. I've had some iOS sync issues but that seems to have gotten much better. Use it in Firefox every day and have no complaints.

I convinced my wife to pick it up and we now share a bunch of stuff and she loves it. And she's low tolerance for UX issues.


Is there a good command line client for bitwarden? I recently moved from keepass (using kpcli) to bitwarden (so I can share passwords with my spouse), but am so far very unhappy with the command line tools.

The official command line tool is way too clumsy. I've tried rbw and rbw-fzf which are ok. rbw doesn't let me view all properties of an entry (attachments, notes), and rbw-fzf has issues if things have spaces in them and is limited to only passwords, not other info.


I'm a happy and paid user of bitwarden too. On top of being open source, what made me choose it is that the desktop client downloads my vault locally in an open and secured format. So I can make an automated backup of this file wherever I want.


Mostly the same; but the only thing I miss in Bitwarden compared to Lastpass is, if the vault is logged out, it doesn't prompt me to log in (to the vault) when it finds a login prompt for a site I have saved in the vault.


Same. Left 1Password for Bitwarden and have zero regrets.


Been paying since 2017 and it’s totally worth it.


i switched from lastpass to bitwarden for about a year or so and it's what i recommend to most people.

i would still be using it myself but i also wanted to log in to desktop applications so i've been using keepassXC since.

keepass's auto-type feature is also a great way of autofilling passwords without having to give your browser access to your password vault


1Password used to be native on the Mac, and now it's an Electron app. I'm not going to be using 1Password for this reason, and I encourage you to do the same.

Subscription business models and non-native apps are hallmarks of rot by VCs. Dump them!


When I was 18, I wrote some shareware and asked for $10 from those who used and liked the program. Lots of nice people from all over the planet sent in some money, and sometimes with letters. Most often it was a thank you note. Sometimes people requested more features in return for paying the requested amount. And occasionally they'd tack on whatever extra they thought those features were worth to them. (That amount was less than minimum wage, if I took the time to implement those features for them and release the software.)

I recently visited my friend from our programming club who saved these letters and was reminded a couple people wrote additional angry letters years after paying for the shareware. They demanded support in return for their one payment. (Of course, not only had I moved on to other projects, but I had long sold the type of computer the shareware was created for!)

So I learned early on that people unreasonably expect support for no additional cost. Or they believe the amount they paid is for support in the future, not work done in the past. It doesn't work that way economically. A constant flow of additional money has to come in the door to pay a team to do the actual support.

AFAICT, the only feasible models for supported software seem to be subscription, microtransaction or advertising. Any one-time-up-front price means it's abandonware. Which is fine for some types of software, of course, but probably not as often as users expect support.


I don't know how subscription fixes your problem. Now people will still yell at you, even once you've moved on to other projects, and even more people will do so since they actually pay and assume that it is your obligation. You haven't fixed the "people are assholes" problem.

A better solution honestly is just to accept some percentage of people will be little assholes but hopefully, as you remembered before your friend brought it up, that most people are gracious and kind. Focus on those people.


I think it's pretty obvious. If you don't provide support when receiving subscriptions people will stop paying.


The subscription fixes the problem because you can use the money from it to solve other problems in your life like having insufficient tacos in your stomach.


Umm, the thousands of successful software companies before subscriptions, microtransactions and advertising were common in the software industry would like a word with you.


> So I learned early on that people unreasonably expect support for no additional cost. Or they believe the amount they paid is for support in the future, not work done in the past.

If I buy a piece of software, it's not unreasonable to expect it to work for some period of time after the purchase. This is especially true on the Windows side, where Microsoft has gone to great lengths to keep old APIs around and support most (but not all) old software within reason. I have engineering software programs that are a decade old that still run fine on my Windows 10 machine.

macOS has been less shy about deprecating old APIs and forcing software updates. I probably spend $500-1000 every year just upgrading a certain few software packages that charge for a new version every time a new macOS comes out, and I hate it. I don't mind paying for new versions of software, but it's becoming saddening to watch all of my macOS software rapidly decay away with each macOS upgrade unless I buy the newest version.


> it's not unreasonable to expect it to work for some period of time after the purchase.

"it works" and "the developer gives me support" are two different things. In this case, I'm sure the shareware he wrote still "worked," but clearly they thought they were entitled to perpetual updates or the ability to chat to the developer any time they like.

As far as I'm concerned, the SLA of $10 shareware I volunteered to pay for is "whatever the developer is willing and able to provide." It's $10. ¯\_(ツ)_/¯

Fwiw, 1Password isn't nuking 1P7 or existing local vaults. Those users are free to keep using v7 for as long as Apple or Microsoft allow the app to be installed on the OS. (And I do agree, macOS and iOS are both quite abrupt about cutting off support and I commend Windows for going to great lengths to avoid it)


One could argue that their support team has handled this change unskilfully and that Agilebits should have hired a larger and more skilled support team before having a way to pay that team.

One could argue that.... but one would be silly to do so.


Subscription models make sense for something that needs to stay evergreen.

Why does a password manager need a subscription? My password should never touch a 3rd party’s server, I don’t need extra features, I don’t need a login, I don’t need long-term or even short-term support.

What ongoing development does a password manager have? Is it that buggy from the get-go to need constant updates?


Sure, a local-only password manager doesn't need a subscription, and solutions such as KeePassXC demonstrate this quite well (as a user of it myself!)

However, in the case of 1Password it's not just about being a password manager; it's also about syncing passwords between devices, staying on top of (sometimes rapidly!) changing standards between devices and browser extensions, and being aware of the evolving landscape of best security practices.


> in the case of 1Password it's not just about being a password manager; it's also about syncing passwords between devices

This worked perfectly fine until they “fixed” it by removing Dropbox support, and now are apparently removing iCloud sync too


Maybe I’m just too old-school, thinking that when paying for software it’s yours.

Way too often, automatic upgrades silently break my existing software, take away functionality or introduce new bugs.

Anyway thanks for showing me KeePassXC, looks like something I’ll be very interested in


> What ongoing development does a password manager have?

I shudder to think about just trying to keep the status quo across all those platforms, devices, browser extensions. How often do we have new versions of iOS or macOS? What about Windows, Android, Linux, Chrome OS?

I can think of a TON of work without adding a single feature.


Major releases of MacOS and iOS happen once a year. And most of the time they don’t break existing applications (iOS 12 notwithstanding). Almost everything from early iPhone OS to 12, and from 12 onwards worked ok, even with major resolution changes.

And the fact that we need to constantly change stuff just for the sake of change is the problem.

To add to this: I’m perfectly happy to pay a premium price for software when I need a new version. I did this with Photoshop for years, $399 per copy was perfectly fine for me because I spent that money every 3 or 4 years.


That's the point of this thread. YOU only need a new version every 3-4 years so you don't think there's any work any other time.

But you take all those platforms and all those extensions and the result is maintenance by itself is constant work. I'm not talking about change for the sake of change. I'm talking about the work just to keep the features that you have.

I have personal projects I'm working on where it feels like all I have time for is just keeping up with security updates, Ubuntu versions, DB version upgrades. Work projects are even worse with SOC2 requirements and the endless stream of CVEs.

There's no way a password manager can do nothing for 3-4 years ignoring security vulnerabilities in their dependencies that need to be patched.


You raise a valid point, and certainly then this product is not right for me due to their pricing and the features I’m paying for but never using (like Android and Ubuntu support).

It comes down to what value it provides to me for what I need it to do, which is store and retrieve passwords for me, and sync via wlan. That’s it. Why should I continually pay for Android, Ubuntu or Windows development when I don’t use their app on either of these platforms?

And additionally, as a consumer it’s not my responsibility to find a way for a company to fund its product. Saying “development goes on even without you upgrading, so you have to pay a subscription to support that” is kind of a weird argument, isn’t it. Imagine if you had to pay a subscription for using a car because next year a new model will require development and therefore you need to pay for it.


Let's be super clear about 1Password's licensing too. It's per OS. I buy three clients every upgrade: Windows, iOS and Mac.


There are also what I think are reasonable models for providing people with ownership of an app but also being able to charge upgrade fees (for example, TablePlus, Dash, Sublime etc)


Most of the time the software doesn't even need to change, you just need to open up xcode and recompile the project against a new ios sdk and you're done.


>Why does a password manager need a subscription?

It does not, that is why there is KeePassXC and other alternatives.


Thanks, I haven’t tried that one before.


I recently cancelled Evernote after 12 years of paying for it due to their new Electron client.

I've been using 1Password since 2008 and I'll be doing the same thing. I have tolerated the UI regressions and even subscription with version 7, but Electron is just unacceptable for what was once an amazing Mac app that put Apple's apps to shame.


Exactly the same here. I've had three software subscriptions until this year, mostly begrudgingly — CreativeCloud, Evernote and 1password.

I got rid of two of them — Evernote for exactly the same reason.

1pwd going the Electron route would have put me close, but not over the edge — but the fact that they seem to have willy-nilly removed local vaults does.

These days it sometimes feels like one has to write all essential software oneself. Or go back to DOS and plain text files.


>the fact that they seem to have willy-nilly removed local vaults does

They have been talking about this for years. It was not done willy-nilly. There are limits to local vaults.


> but the fact that they seem to have willy-nilly removed local vaults does.

They're a business, and 97% of their users were already on the subscription model. If you were running a business, and 97% of your users had abandoned a feature that was a headache for you to maintain, would you stubbornly keep wasting time and money on it?

Bitwarden is right there waiting for you.


Oh so THAT'S why the Evernote update sucks. The Android client is terrible, it dumps me to the useless Home whenever I scroll to the bottom. It's now unusable. I've begun transitioning to Notion because of it.


Notion's also electron :) Probably a lot better developed though


Similar here, I started using 1Password pretty early too. One of the main selling points for me: The nice, fast and native UI and the ability to keep my store local and sync it however I want.

The only wish I had over the years(and I would have gladly paid for an additional license): a linux client, even CLI would have been fine. I'm not sure which year they started, but what they pushed instead was the announcement of online sync and other things I did not care about, at some point it became hard to even find the regular version on their website.

This was when I slowly started moving to alternatives. With the move to electron and this announcement here I'm happy that I moved away a few years ago, and their clear signal that I am not the kind of customer they have any interest in anymore.


I hate Electron as much as the next guy, but man have I been enjoying Obsidian. I mention this only because it has changed the way I write notes and manage them and I've been through the path of Evernote > Apple Notes > Bear > Obsidian.


In my case I go for simplenote, but yeah, same deal. If somebody creates the same experience in a less resource intensive framework I'm in.


> Subscription business models and non-native apps are hallmarks of rot by VCs. Dump them!

The costs of developing and maintaining software are recurring -- especially for security-critical software. Subscription business models align incentives towards ongoing maintenance.


Were they going out of business before offering stand alone licenses? If no, this is a money grab.


> Were they going out of business...

Whom would you rely on to handle something that matters to you:

A. Someone who refuses to eat until they start collapsing from hunger?

B. Someone who eats regular meals?


You didn't answer my question. Was this a healthy and sustainable business before, or were these changes necessary for survival?


Somewhere in the middle but towards the latter end of things. I believe that before the licenses, they did not have the recurring revenue to pay for a high-quality support team.


I think it's reasonable to complain about the loss of the native app when one of the key selling points (imo) is the pleasant UI. I don't really understand the almost-automatic hatred of subscriptions.

if an app has ongoing development that you benefit from, it seems entirely fair to pay a subscription. the fair alternative is a one time payment for a lifetime license with few patches priced in. I would probably prefer the latter for something like a word processor, but would you really want to use the same version of a security-critical program like a password manager for the rest of your life? if not, how do you expect them to fund development/maintenance indefinitely?


The hatred comes from their proliferation. With what seems like damn near everything moving to a subscription model, it's more money out of my pocket for usually what amounts to rent-seeking (i.e, demanding more money, more often, whilst providing no additional value).

That last bit I don't believe applies to 1Password, because there are certain things you can't do without some kind of centralization, and the article makes that case.

...but look at something like Adobe CC, what exactly does moving from a purchase to a subscription benefit me? And let's not forget about the more subtle effects, like losing the right of first sale, silent T&C changes, mandatory updates, etc - things that are only to the vendor's benefit.


> what exactly does moving from a purchase to a subscription benefit me?

It keeps the vendor financially healthy, stable and willing to keep developing the stuff you use.

Would you want to dedicate your work into a product for meagre & sporadic standalone payments pressuring you to endlessly churn out marketable feature upgrades with little time for maintenance work just to barely make ends meet? No? Then why on earth do you expect other software vendors to do that?

Even Bitwarden pushes subscriptions.

I'd love to see how many developers who complain on HN about subscriptions actually make a living primarily from selling standalone software to consumers.


This is a lame justification; software companies were quite capable of sales rather than subscriptions and have been throughout most of their existence.

This model is simply more lucrative and strips customers of a number of their rights which are inconvenient for corporations.


> what exactly does moving from a purchase to a subscription benefit me?

Trust that the company which provides something you need is far more likely to continue to be around. Suppose you tell your employer that you're taking a 1-week vacation. How does it benefit them for you to do that?


ultimately? fewer guillotines in the parking lot.


> if an app has ongoing development that you benefit from, it seems entirely fair to pay a subscription.

Agreed. Though, this latest development – the move to Electron – is a negative for me, so it leaves a part of me wondering what kind of development I have been paying for. I imagine I am not alone with such a sense of disappointment.


You are not alone. I will be looking into alternatives/competitors to see how good they are, if nothing else.


> I don't really understand the almost-automatic hatred of subscriptions. if an app has ongoing development that you benefit from, it seems entirely fair to pay a subscription.

I don't _want_ the ongoing development. Photoshop from 5 years ago is perfectly fine for me. Same with Lightroom, etc. I mean, I've only paid Apple _once_ for Logic Pro and have been getting upgrade after upgrade for no cost -- a nice bonus, but I'd be perfectly happy if logic's code had been set in stone at the moment of purchase, too.

The consumer-friendly option is to let the consumer decide if they want upgrades. Or for a security-focused app like 1password I'd have believed something like "we don't want to be responsible for security problems if you decide not to upgrade, thus you must buy a yearly license" but that wasn't the message at all.


They did. They offered standalone licenses and subscriptions for an entire version's lifecycle and 97% (or something crazy high like that) of the people who downloaded went for the subscription. I've been a standalone user since v3 and finally upgraded after realizing that buying a license for Windows, Mac, and Linux would cost me more over 3 years than just paying the subscription.


Let me tell you, as someone who used 1password since 3.x .. when I went to buy 7.x standalone it took me over an hour to find the page that let me buy standalone over three sessions.

Why did 97% buy the subscription? Because they hid the other version in a locked filing cabinet in a basement with a broken staircase.


No, they didn't. Subscriptions happened when version 6 came out and that's the time period they're referring to when they're talking about those stats. There was literally 2 giant boxes of equal size asking if you wanted to use an account or a standalone vault. 97% of people chose the subscription.


If every single utility and app starts charging $3 or $5 per month then it becomes a problem. Software as a service is a good concept for something that is truly changing all the time, but I find it absurd that a Photoshop subscription or a huge IDE costs as much as these utilities that used to be shareware in the past.

The old business model works but you have to keep innovating and diversify your product line. Microsoft was the best example with things like Encarta, Age of Empires and other tools like Project.

This new trend of doing these apps once, with far easier programming languages in a connected environment with plenty of docs, crash report data and things like stack overflow really makes it look that we are talking about cheap people trying to make a quick profit not unlike those free to play games.


This is kind of ridiculous. Photoshop doesn't benefit from being a subscription the way that 1Password does so it's only a problem if you decide to actually buy those for what they're asking for. Something like 1Password does truly change all the time to keep up with security practices, browser updates, and site updates so it fits with what you're describing.


For this use case, a subscription makes a lot of sense. I have no complaints, though I currently do not subscribe to this application. I would, if I felt the need.

My take on the hatred boils down to these things:

Utility type applications built as a service offer an inexpensive purchase of some kind, or are AD driven, etc... Then, features are changed, roadblocks added, user experience degraded to create problems that subscriptions pay to remedy, often poorly.

Noisy subscriptions. It's not enough to send a few bucks a month. ADS, various pitches, in app sales happening, all contribute to what might otherwise be a simple, worthy experience and solution.

It can be hard to cancel. If this happens to someone even once, the hate can be visceral afterward. Everyone else, no matter how well they do business, is impacted to a degree.

Subscription apps / services going away on short notice. What were people paying for?


This is ridiculous. Electron works great, and if this leads to more frequent updates and a more consistent experience across platforms, that's a win for users. 1Password's Windows client, for example, has always felt behind the Mac edition, and if this brings parity and a higher feature and update velocity, that's a win. I have at least three Electron apps open right now and they are all great experiences that the vast majority of users of those products love.

This has nothing to do with VC and everything to do with trying to build a better product for users that is easier to work on for developers.


Electron is a pile of shit and _every_ Electron app I am forced to use should be a source of continuous shame for any dev who actually worked on it. This has nothing to do with improving features or service and is completely about increasing revenue and improving the sort of numbers investors like to see -- driven entirely by the fact that AgileBits has recently closed a B round and needs to show more revenue to justify that $2B valuation.

As a long-time 1password shill I have hit my limit and will slowly start migrating to BitWarden and iCloud Keychain.


> As a long-time 1password shill I have hit my limit and will slowly start migrating to BitWarden

Bitwarden's desktop app is built on Electron..


While that's true, the good thing is, that you don't really need it, the browser extension is enough.


You also don't need the Mac app with 1Password. Their browser extensions can be used without it, and they're awesome.


not if you don’t have a subscription


Which is also true for 1Password (and LastPass AFAIK).


I'm a feature developer for 1Password, and I want to clarify a few things. I've posted this already in another thread, but there seems to be some misinformation being spread that our technical decisions are being driven by VC funding.

Our decision to build the macOS app in Electron was absolutely not driven by VC money. For the past few years, we've been working on consolidating 1Password's business logic into a single Rust-powered core that could be shared across all our apps. This has many advantages: feature consistency across platforms, faster development cycles, and better security. When building the front-end for the desktop platforms that would take advantage of this new core, Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac. We actually did build a native Mac app initially alongside the cross-platform Electron app, but we eventually decided that having two separate versions of the macOS app (one in Electron, one in SwiftUI) would cause a lot of needless development churn and hassle for both customers and our support team.

I can understand your frustration about Electron, but I hope you find my explanation reasonable. Please stop spreading misinformation.


With respect, I disagree with your conclusion about a SwiftUI version causing hassle for customers. Every time I use an Electron app, I get the distinct feeling that its developers are prioritizing their experience over my own. We the users subsidize faster development cycles with wasted CPU and memory, laggy interfaces, and strange, non-native UX.


> We the users subsidize faster development cycles with wasted CPU and memory, laggy interfaces, and strange, non-native UX.

I can absolutely attest to that with a relatively underpowered computer (4 gb of RAM). I can barely use 2 electron apps after which my computer grinds to a crawl (I’m running VSCode and Slack mostly). I have stopped using the discord desktop app and exclusively use the website now.


Thank you for letting me know your concerns. Just to clarify: when I said that a SwiftUI version would cause hassle for customers, I was referring to how releasing two separate versions of our app - one in Electron, and one in SwiftUI - would be confusing for non-technical users. I should have phrased that better, my bad.


But why release the Electron App for Mac at all if you have a perfectly good Swift UI-based Mac app?


Sorry for the confusion. With 1Password 8, we re-built the entire app from the ground up. We didn't have a working SwiftUI solution that we could just pick up and use - we had to re-architect the entire frontend from the ground up. So when we made the decision to stop working on the SwiftUI app, it was far from being complete.


Or you could have just kept the existing AppKit version and updated it to work with the Rust core?…


That Electron is an unpleasant experience and is a resource pig that makes Java look svelte? No, that is not misinformation.

That AgileBits has been doing everything it can to force people to the subscription model and that this push to subscriptions very coincidentally lines up with two rounds of VC investment for over $300M over the past couple of years? No, that is not misinformation.

It may have been easier for the dev team to use Electron as their cross-platform toolkit, it is not easier for the users to put up with the attendant bloat and reduced performance.

The ones who should stop spreading misinformation regarding the forced subscription all seem to be working for AgileBits.


That’s reasonable logic but for me with a company subscription and previously having been an individual purchaser with my backup in iCloud rather than on 1 pass servers, it doesn’t really tilt the balance - I also hate electron with a passion and will be looking to stay on 7 for as long as possible with a high likelihood of shifting to a different provider due to the forced shift to cloud storage after this.


Do Windows, macOS and Linux seem "consistent"?

There's a reason people prefer one over the others. You can't have one front-end for all these different platforms. Well, you can, but then it's a compromise for at least 2 out of these 3 platforms.

Even Microsoft has "Office 365 for Mac".


So you had the beautifully engineered experience of macOS to draw native user experiences from, and then you just threw it out because you wanted parity?

That doesn't make the macOS experience better, it makes it worse.


Bitwarden and iCloud Keychain user here. I'm looking forward to the 2FA improvements in this year's macOS. It'll mean I could, in theory, mostly ditch Bitwarden as that's the big use case there for me.

You can create a shortcut in the iOS shortcuts app to open the Passwords area of Settings via an icon on your Home Screen. Just open the following URL in the shortcut:

prefs:root=PASSWORDS

Best tip I have for you around iCloud Keychain right there.


Wow, you’re the real MVP here. Thank you.

For anyone who doesn't use shortcuts often, what you need to do in Shortcuts is:

1. Make a ‘URL’ action to prefs:root=PASSWORDS

2. Hit the ‘+’ and make an ‘Open URL’ action from Safari.

Save, add to Home Screen, and you’re done.


how do you think the bitwarden client is made?


VS Code would like a word with you.


Yeah, and there are dozens of us -- DOZENS! -- who continue to happily use SublimeText because VS Code feels so sluggish in comparison.


And that’s a completely valid choice to make! Some people use vim and emacs because they find Sublime too sluggish.

But that doesn’t make VS Code “shit”. It’s pretty much the shining star of Electron done right.


> Electron done right

that is a very low bar. VS code is still slow and eats up a ton of resources. not to mention I don't trust anything from microsoft. OP said electron = bad and you should be ashamed of using it because it's helping propagate its usage when it's a cancer.


I'm with you on this one. At the end of the 90s there was a similar phenomenon for the exact same reasons, which was Java desktop apps, with their write once run anywhere motto. With the added insult that they had this awful non-standard UI most of the time. They eventually died down except for the corporate app world and things like JetBrains IDEs.

But now with Electron, which I don't like for the same reasons, as a friend once told me, allowed me to have some of my favorite apps running in Windows, Linux and Mac almost flawlessly with a good interface that finally the promise of Java was fully realized.

So while I would like people to follow more the Sublime Text approach, there is value in these Javascript based apps that lower the barrier of entry, provide widespread availability and are definitely easier to debug. Also sometimes I don't get to decide, since my org for instance makes it extremely convenient to stick with JetBrains stuff.

But hey, I'm the type of person that considered a Gentoo machine running Fluxbox far more useful than the very polished MacOS.


Yeah, sure, ok.

Electron is a tool. It can be used well. It can be used poorly. Any tool shares the same issues. I can write a shit native app and I can write a shit Electron app.

All Electron does is lower the barrier of entry to making an app and making it work cross-platform.


The problem is even the best examples of Electron apps aren't great and use far more resources than a native counterpart would.

VS Code is an example of Electron being "used well". I still find myself using other apps because they're more responsive. That tells me that Electron is inherently making the app experience worse, despite being used well.

I understand the 'why' of electron, I am just not happy with the results at all.

Though maybe the world is better if that barrier of entry isn't lowered; I'm not sure what's better: a shitty app available everywhere or a good app available only on a couple of platforms...


I would argue that in general, having a lower barrier of entry to software engineering is a good thing, especially for attracting people that might not have otherwise considered it.

Someone wants to build a 5 minute app for themselves and Electron happens to be the easiest way to do it? Go for it, there's nothing stopping them. If that app happens to be useful enough for others to use it, even better, that person just solved what could have potentially been a big deal for that user.

If the people using the app are content with the features/quality and the resources it uses, why does it matter so much, especially to a third party like armchair engineers on HN, if it was built natively, on Electron, or CrappierFrameworkThatWillEventuallyReplaceElectron?

If the app isn't usable by you (and this is a general you, not specifically directed at you), then the answer is simple: don't use it. Nobody is forcing you to use Electron or any app built with it if you don't want to.

If as a user your needs are not met, whether that's due to sluggishness from Electron, incompatibility from having a native-only solution, whathaveyou, then all you really have to do is wait. A competitor will come and take its place eventually; that's what the market is there for.

So far, it seems like VS Code is more than meeting its users' needs, but like I said above, other alternatives exist and will continue to exist, and they're all great if VS Code doesn't work for your particular use.


> If the app isn't usable by you (and this is a general you, not specifically directed at you), then the answer is simple: don't use it. Nobody is forcing you to use Electron or any app built with it if you don't want to.

> If as a user your needs are not met, whether that's due to sluggishness from Electron, incompatibility from having a native-only solution, whathaveyou, then all you really have to do is wait. A competitor will come and take its place eventually; that's what the market is there for.

Not the first time we've heard this argument used in different industries. I'm old enough to remember this argument about DLCs, DRM and games being released before they are finished, with customers charged for DLC packs to finish them. This argument falls apart when everyone starts doing it due to economic factors and complacent users/customers who blindly use what everyone else is using.


If truly everyone is doing it and you don't have any other option (which is just preposterous, there's an ever increasing number of choices out there) then maybe you're just not the target audience anymore.

Businesses aren't stupid, if a decision were to actively lose them more customers than it'd gain, they wouldn't do it. If every single business and OSS alternative suddenly switched to Electron and you had no other choice, then maybe it's you that is wrong about the value of Electron.

But, of course, that's a ridiculous hypothetical not really grounded in reality. In the real world, plenty of alternatives exist for practically every Electron app out there so if you don't want to use it, you don't have to.

And for every one of you, there's hundreds of people that think their Electron apps are fine and appreciate that they can use the exact same interface regardless of which computer they're using.


> then maybe you're just not the target audience anymore.

I see you're moving the goalposts.

Once you have a monopoly you can do whatever you want, which is why everyone keeps talking about EEE. Look at what Apple is doing now with photo scanning. What they are doing is inherently bad, but they are able to ignore everyone and go ahead with it because their "target audience" doesn't care about this kind of stuff. Doesn't mean the rest of us shouldn't actively fight against it. Your argument basically boils down to letting the market and customers decide for themselves. Over here there are some of us trying to tell people not to support Electron because of the potential consequences, and the downward trend of the web as we see it.


> In the real world, plenty of alternatives exist for practically every Electron app out there so if you don't want to use it, you don't have to.

There's choice with password managers. But look at music. You have Deezer and Spotify. The only two free services that I'm aware of that only have Electron apps on desktop. (YT Music doesn't have an app on desktop). Spotify has exclusive content. You don't have choice when apps are the same as services. Hate the Hulu interface? You can't watch The Handmaid's Tale on Netflix. It's that kind of thing.


As a Vim user I will happily admit that Sublime is significantly faster in some key areas of daily use.


But even then I'd assume it was more due to the workflow than the original complaint, which was essentially "Electron = bad, you should be ashamed for using it".


No, I have plugins for roughly the same feature set/workflow in both editors. Open and edit a huge file in both editors and Sublime is more responsive.


And because Electron is so great, Microsoft is working on Edge Webview2.


I have to treat each Electron program as having ~5-20x the system resource footprint of an equivalent native program—because they do. So they're going to get cut, or I'm going to pick a competitor to begin with, more often than a native app. That goes especially for anything I open often, or for anything it'd be convenient or necessary to leave running most or all of the time. Rarely-used programs, I mostly don't care, and Electron's fine.


It may be a win for some users. I can’t see how switching my perfectly fine, frequently updated native app for a memory hogging web browser wrapper is a win for me. I’m actively looking for alternatives now.


A password manager doesn't need frequent updates. Instead, the priorities should be reliability, UX responsiveness, and light resource usage.


...and security, which absolutely requires frequent updates. A password manager should be updated all. the. time. on this factor alone.


That's achieved with frequent updates.


Unfortunately, that ship sailed when they took VC funding.


[flagged]


I haven't commented enough to report you so I will just comment. This response goes against nearly every guideline for the site. Please don't attack fellow users just because you disagree with their opinion of technology stack. I've used a wide range of Electron applications and the quality varies just like any other tech.


Hi. I'm a feature developer for 1Password, and I want to clarify a few things. I've already posted this elsewhere, but I've seen multiple threads spreading misinformation that our technical decisions are being driven by VC funding. This could not be farther from the truth. We have been working on these changes long before we received any form of outside investments.

Over the past few years, we've been working on consolidating 1Password's business logic into a single Rust-powered core that could be shared across all our apps. This has many advantages: feature consistency across platforms, faster development cycles, and better security. When building the front-end for the desktop platforms that would take advantage of this new core, Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac. We actually did build a native Mac app initially alongside the cross-platform Electron app, but we eventually decided that having two separate versions of the macOS app (one in Electron, one in SwiftUI) would cause a lot of needless development churn and hassle for both customers and our support team.

I can understand your frustrations about Electron and our subscription-based model, but I hope you find my explanation reasonable. Please stop spreading misinformation.


Hi, long-time user, customer, and word-of-mouth recommender of 1Password for the nine years my Hacker News account has been active (give or take a few months). This is a big announcement that I'll have to chew on to understand what this means.

Can you quantify the "needless development churn and hassle for both customers and our support team" in some way? Presumably, 1Password 7 and its ancestors used native macOS APIs, which meant some degree of that given you had to do something different on Windows and/or Linux. I don't know what your support team has had to endure, but as a long-time sample size of 1, I've been incredibly satisfied with the way you've designed and engineered the macOS application (and the iOS app too!) to date; I'd be hopeful that whatever tradeoffs y'all will be making moving to Electron, the "native" feel of the macOS client wouldn't be sacrificed. Is there anything you can speak to there that I should prepare for with 1Password 8?


> Can you quantify the "needless development churn and hassle for both customers and our support team" in some way?

Sure, happy to elaborate on that! Since we were rebuilding our app from the ground up, it was a significant slow-down on development to create a user interface for both Electron and SwiftUI, requiring two separate teams of platform developers for every feature we needed to implement. There were also concerns by the documentation and support teams that we would need two separate sets of instructions for many common tasks, due to small differences in layout and look between the applications. Eventually, we had to make the tough decision to focus on a single common framework for desktop. This will allow us to ship features across every single platform far quicker than we could before.

> I'd be hopeful that whatever tradeoffs y'all will be making moving to Electron, the "native" feel of the macOS client wouldn't be sacrificed.

We've tried our very best to keep the experience the same so that the transition from 7 to 8 is smooth, and from my point of view 1Password 8 feels right at home on macOS - I especially love our new translucent sidebar. That being said, this is still in an early access stage, so there are bound to be hiccups and UI issues that need to be resolved. Please let us know if you run into any problems or have suggestions on how we can improve. And thank you for being a long-time user!


This is such nonsense that I can't let it go unremarked. I can count on the fingers of zero hands the number of times 1Password has shipped a "new feature" between major releases. There are no new features needed, it's a password manager. However, I would need to borrow some extra hands to count the number of features you've removed, features that loyal paying customers of many years depend on. 1P7 doesn't even let you keyboard navigate to the Generate Password button for goodness sake - something that I was able to do in every version up to that point.

Absolutely nothing about any decision AgileBits has made in the last 4 years has had anything to do with what customers (that's us, the people that used to give you money) want, and everything to do with nickel-and-diming the suckers dry.

UI consistency between different operating systems is NOT a user-focussed feature. When I'm on a Mac, I want my apps to behave like a Mac app. When I'm on Linux, I want my apps to behave like a Linux app. If you _actually_ believed that all apps should look and behave the same on any OS, why does the Android version look and behave nothing like the Mac app?

You've removed features with every major release, and this is just smashing the final nail into 1Password's coffin. You've ruined what used to be the best password manager on any platform.


Take a look at the items marked “new” in the changelog. https://app-updates.agilebits.com/product_history/OPM7


> requiring two separate teams of platform developers for every feature we needed to implement

So your margins are more important than your users’ native experiences. Got it.


I mean looking at this I can see why people came to the conclusion that this was primarily a move that VC funding caused even though AgileBits seem to vehemently deny this.


The funny thing is, they were doing just fine for years with just their own money. Now that they have sooo much more money, they suddenly can't afford separate developers for different platforms... they should be able to hire 10x more people now.


The primary issue with having two separate teams for the same platform was not money, it was time. To be clear: we wanted to build a native app in parallel with our cross-platform Electron solution, and we had the developers to do it. But unfortunately, having an additional team that needed to implement the UI for every single new feature was a significant slow-down, and we collectively realized that we could not meet our deadlines nor maintain this long term.

I'm sorry for not being more clear earlier as to why we couldn't support two separate teams for the same platform. Hopefully this clears up any confusion.


I don’t understand why two teams means slower. Are you keeping the total number of engineers the same? If you are saying 2x engineers on Electron complete tasks faster than 1x on Electron and 1x on native, you are basically agreeing with OP's take.

You take money to provide software. But then you become lazy and greedy and want 1 size fits all. End result is your users having clunky, high latency experience.


I think he’s saying 1x on both Electron and Swift UI was making it too hard to ship either version to an acceptable standard because each was slowing the other down due to inconsistencies, difficulty staying in parity and double communication.

Unfortunately, it’s normal in software development for multiple platforms to increase development complexity when feature and UX parity is prioritized.


Your deadlines are irrelevant to us. We want native UI


Maybe I'm missing something, but I pay for those teams with my client purchases. I have a mixed computing environment and have purchased versions 3, 4, 5, 6 & 7 for three platforms.


Please let us know if you run into any problems or have suggestions on how we can improve.

Okay, I have a suggestion: drop Electron and keep supporting the native app you have.


I'll be trying out 1Password 8, but what are my options if I'd like to continue my subscription and stay on 1Password 7?


I'd like to believe this isn't primarily profit motive. What gives me pause is how I write regularly asking for separate vaults for trivial passwords and passwords that could lead to financial ruin. The profit motive wants to keep 1Password simple to use, at the expense of security. I've been forced to buy a second password manager for sensitive passwords.


I'm sorry you feel that way. I'd love to know more about your issues with our current vault implementation in more detail, so I can pass along your feedback to the rest of the development team.

> What gives me pause is how I write regularly asking for separate vaults for trivial passwords and passwords that could lead to financial ruin.

Just to clarify, what solution are you asking for? Do you want a local vault option to store sensitive passwords? Or something else?


I am very unhappy that 1P is moving to Electron for macOS for the reasons people here have reiterated a million times. I am actively looking for alternatives now.


As much as I'm "meh" on Electron, I rarely use the actual 1Password App. On the other hand, I use the Firefox extension 30+ times a day, and that's about as far from a native app as you can get. So I think I'm fairly unlikely to notice a huge issue, and will instead be pleased that consolidating on Electron gives them greater feature velocity.


On the other side, I use the 1Password app extensively and make heavy use of all the different categories (secure notes, Windows MSDN licenses, etc). I’m extremely disappointed to see this turn into yet another sub-native browser-in-a-window experience.


Fair enough! Hopefully the app is as performant as they can possibly get from Electron.


You'd get rid of a working solution because of an implementation decision? I _love_ 1P, and I use it on Mac, Windows, Linux, and iOS, and it makes perfect sense that they standardize on Electron.


> You'd get rid of a working solution because of an implementation decision?

Yes, because the implementation decision has implications for both performance and UX. I’ve used 1Password since version 3 (2013!) and gotten friends and family to do the same, but I think I’m done when 7 stops working.


So the user hostile changes aren't VC driven, they are internal choices. Ok. How does that change anything?


Does that new "core" prevent you from syncing via iCloud?


> I've already posted this elsewhere, but I'm seeing some misinformation that our technical decisions are being driven by VC funding. This could not be farther from the truth. We have been working on these changes long before we received any form of outside investments.

That's worse, not better.

At least being forced to by investors makes sense. The current direction of travel being voluntary means you've just got a bad nose for building security.


> The current direction of travel being voluntary means you've just got a bad nose for building security.

Could you elaborate on this?


> The current direction of travel being voluntary means you've just got a bad nose for building security.

What's your experience building security systems? Do you have a LinkedIn profile or a CV we could review?


>would cause a lot of needless development churn and hassle

The hassle of doing what your users are paying you to do? Any child can hack a UI together in HTML but there's a reason no one (usually) pays for that.


> Subscription business models

I think a subscription business model is the only honest way to sell software that will require ongoing support. If you're comfortable with a snapshot w/o updates, then by all means buy once, but I think coming to terms with the demands of ongoing support also means coming to terms with continuing to support the product in some way.

That said, I wish there were more variations in the way to pay: a long-term license with a high upfront fee and a low monthly, an immediate-access option with a high monthly and no up-front fee, etc.


I don't quite see why the "free bug fixes/minor features + paid major upgrades" model should be any different from the subscription model for developers, except for giving the users control over when to upgrade. Control that is essential for apps that contain critical data.

BTW, I think they do have an option that you pay for 3 years upfront. At least, that was one of the options they mentioned when I complained about the lack of the option to buy a license. To me that did not seem an acceptable solution because you pay upfront and still have all the drawbacks of the subscription model such as being dependent on the trustworthiness of a quite obviously untrustworthy company. Add to that the removal of local vault option, and it becomes even less acceptable.


The developer time it takes to do bug fixes and minor features is not free, so it seems appropriate to charge a fee for it.

I know that it's very common for subscription models to coincide with forced upgrades (as this one does), but that seems like a choice on the part of the company as opposed to something inherent to the revenue model. I'd be quite happy to pay a developer to continue to maintain an older version of their software.

Like you pointed out, I think a fee structure where you pay for major updates and otherwise pay a maintenance / hosting subscription fee makes the most sense.

I think that you see open source projects that struggle along all of the time because their developers cannot afford to work on them enough. Not every project, but enough of them. I try to support projects like that too.


Why does 1Password need ongoing support? Take these strings, encrypt them. Let me decrypt them using a password I specify. Let me search for them and sort them.

Done.


I mean, I don't know - I don't work at the company. But it seems internally inconsistent to me to like the product, but have disdain for the professional judgement of the people who make it.

It seems like you'd be happier with a community product that has less support, but is available for free - and thankfully you have that option.


It's still native as of version 7.

edit: apparently 8 will be electron-based. So... no standalone subscriptions AND they've moved from native to electron :/


Many applications choosing to use Electron instead of building native apps is the hallmark of the failure of platform developers.


I think there is an element of truth in that, especially on the Microsoft side.


1Password on Linux is electron, and works wonderfully. Though, it's kind of sad for Mac users as they have been spoiled with native experiences for a long time.


Is that "spoiled" or just the way things should work?


This! Windows, Linux and macOS are OSes with very different aesthetics and concepts. Trying to emulate these (sometimes subtle) differences with a webpage won't work. And it will totally destroy the illusion if an OS update comes with a new theme.

And let's not forget that you're basically running a completely separate browser that can't re-use any memory from the other 5 separate browsers (=Electron apps) you need to run for work all day.


> Subscription business models and non-native apps are hallmarks of rot by VCs. Dump them!

Can you go more into how non-native apps are "hallmarks of rot by VCs"?

I hate them too, but my impulse is to blame MBA thinking (build once, less investment, who cares if it sucks) than VCs specifically.


Well they’ve released a Linux app built in Rust, so maybe there’s hope?


The Linux app is electron as well.

They just like to say that they use Rust for the backend code. Rust for the backend of the client apps, React for the UI, wrapped in Electron.


It's electron-based too, Rust is used in a backend lib with FFI: https://dteare.medium.com/behind-the-scenes-of-1password-for...


Last I messed with it, Electron is structured such that the UI thread is decoupled from where you're supposed to run your "logic" (for performance reasons, I assume; similar patterns are really common in GUI systems in general) and they already have to communicate at arm's length, so 1) it's not that big a stretch to wrap some native library on the "logic" side, and 2) if you're calling back and forth between logic and UI a lot, rather than sitting in your logic code for long periods of time, I'd expect it to do very little for performance.


How does one check if an app running on a mac is native or electron?


If it looks identical to the web app and consumes half a gig of RAM, it's probably electron.


Is SourceTree an electron app?


I dunno, I've never used it.


If you can’t tell the difference it doesn’t matter and I wouldn’t worry about it.

Electron apps typically don’t work for me because they don’t integrate with the rest of the system cleanly, and so once you stray off the designers’ happy path it becomes clumsy to use the app. This isn’t an esthetic or ideological argument; simply for my usage an electron app can rarely be as convenient as a native app on the Mac. Things like input integration, system service integration, selection, and responsiveness are much harder to do when you are fighting the electron abstraction, so no wonder devs leave those things out.


Just because a user can't tell the difference doesn't mean we shouldn't call out the fact that it is. Electron apps use way too many system resources. For lower powered devices, this becomes an issue.


Show package contents, check if 'Electron Framework.framework' is in Contents/Frameworks.


Generally a massive bundle size, and/or inspecting the bundled frameworks themselves (right click on app -> show package -> browse folders for frameworks).


Poke around the application bundle or its supporting files directories. On macOS, the Electron.framework folder will typically be somewhere inside of the .app bundle.


Usually evident from Activity Monitor, if you see <App name> Helper (GPU), then you have an Electron app running.
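
The bundle checks in the comments above (look for "Electron Framework.framework" under Contents/Frameworks) can be scripted so you can inventory every bundle in a directory at once. This is an added example, not something posted in the thread or shipped by 1Password; the sample bundles it creates under a temporary directory are constructed so the script runs anywhere, and on a Mac you would point scan_apps at /Applications instead.

```shell
#!/bin/sh
# Added example (not from the thread): inventory which macOS .app bundles ship
# the Electron runtime. Per the comments above, the marker is an
# "Electron Framework.framework" directory under Contents/Frameworks.

# Return 0 when the bundle at $1 contains the Electron framework.
is_electron_app() {
  [ -d "$1/Contents/Frameworks/Electron Framework.framework" ]
}

# Print "<bundle name><TAB><Electron|other>" for each .app under directory $1.
scan_apps() {
  for app in "$1"/*.app; do
    [ -d "$app" ] || continue
    if is_electron_app "$app"; then
      printf '%s\tElectron\n' "$(basename "$app")"
    else
      printf '%s\tother\n' "$(basename "$app")"
    fi
  done
}

# Constructed sample tree so the script runs anywhere (these are not real apps):
# one bundle that carries the Electron framework, one that does not.
make_sample_apps() {
  dir=$(mktemp -d)
  mkdir -p "$dir/ElectronThing.app/Contents/Frameworks/Electron Framework.framework"
  mkdir -p "$dir/NativeThing.app/Contents/MacOS"
  printf '%s\n' "$dir"
}

# Demo against the constructed tree. On a Mac, run: scan_apps /Applications
sample=$(make_sample_apps)
scan_apps "$sample"
rm -rf "$sample"
```

The Activity Monitor check mentioned above (an "<App name> Helper (GPU)" process) is the runtime counterpart of this on-disk check; the on-disk version has the advantage of catching bundles that are installed but not currently running.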


Push cmd-R and see if it refreshes. 1Password 8 does.


This drives me bonkers, especially if I've been using the shell a lot recently and I'm used to pressing ctrl+r to repeat a previously used command.


It is native, what are you talking about?



I love 1Password but the subscription-only path doesn't sit well with me. They're intentionally removing key features so they can justify providing a service that I can do myself.

I'm increasingly sick of good standalone software suddenly moving to this model. They are a business, I get it.

However how many subscriptions are we going to have to end up with?

I get it with Slack, Dropbox, Github, etc as they all started with infrastructure to run. But 1Password (and Adobe and others) are pushing profits far far above their users. It's a shame.


The gaslighting also makes me very uncomfortable:

> The overwhelming majority of people (97% in fact) choose to subscribe to our new service and many of those who initially purchased a license later changed their mind and traded it in for a membership.

With each of the last two versions, they hid the standalone version more. I'd hardly characterize all 97% of those users as voluntary.

Their PR doublespeak isn't helping either: https://news.ycombinator.com/item?id=28143821

I don't think I can trust this new AgileBits.


Adding to this, they've also left showstopping sync bugs in the standalone version, and the customer support team uses this as a reason to push people to switch to the subscription service.

They were also giving away subscriptions for free for quite a while to get people to move.

So yes, I'm with you in questioning the number.


> Adding to this, they've also left showstopping sync bugs in the standalone version, and the customer support team uses this as a reason to push people to switch to the subscription service.

Woah, really? Would you mind linking some threads for the benefit of everyone else skimming through this?

(I'm still on 1Password 6, and the experience is mostly smooth-sailing except for browser extensions.)


This comes from personal experience with support. For example, I experienced a bug for 6+ months where Wi-Fi syncing stopped working, and customer service said "This is a bug, but we're probably not going to fix this any time soon. Here's a free credit to upgrade to the subscription service."

I can't link to that interaction in particular, because it was over email, but you can see some of this behavior in their public forums:

- A more benign (but still important) syncing bug, where the team indicated it wasn't a priority to fix. Even though they say the bug is 'visual', it shows a lack of commitment to maintaining sync as a core feature [0]

- A public example of the sort of "bug to upsell" experience I had with support [1]

[0]: https://1password.community/discussion/comment/535160#Commen...

[1]: https://1password.community/discussion/comment/526068#Commen...


[0] is a lengthy support forum discussion discussing many points on whether WLAN sync is a worthwhile feature, even though it’s a thread specific to Windows.

[1] shows the level of support you’ll receive for the feature. They will not actively investigate issues or release fixes, AFAICT. I’ve had my own issues with it.

If you link through to the troubleshooting doc [2] from that page, you’ll see this message:

> We’re unable to troubleshoot issues with the WLAN server beyond the scope of this article. If you’ve tried everything in the article and are still unable to connect, a 1Password membership is a more reliable sync method.

I, too, took the 1PW membership route years ago for exactly this reason.

[0]: https://1password.community/discussion/87524/on-wlan-sync-in...

[1]: https://1password.community/discussion/116400/1passowrd-on-i...

[2]: https://support.1password.com/cs/wlan-server-troubleshooting...


I think it depends on how they got 97%. They hide the standard version on the website, but the specific picture they show in-app[0] is pretty clear about the license option, so if it's 97% of people choosing the subscription via that screen I'd believe them.

0: https://com-agilebits-users.s3.amazonaws.com/dave/1password7...


I'm one of these people. I didn't even know there was a non-subscription version when I bought it.


I agree with these sentiments. I love 1Password and pay for a subscription. But this post is simply trying to gussy up their subscription-only move for maximizing MRR. Call it what it is - don't lie about it by saying you're only doing it because "everyone loves our monthly subscription service".


> However how many subscriptions are we going to have to end up with?

I started making a list to answer that question myself. So far, I'm up to SEVENTEEN, but I'm sure I'm still overlooking a few.


I remember dropping cable cos of the costs and now we all have 2-5 streaming services we pay for...?


You can at least cycle through streaming services, dropping them when there's less content of interest and then re-adding when it has accumulated. It's much more difficult to do that with your password manager.


And you can cancel and subscribe at a moment's notice, unlike cable contracts and having to use cable boxes and pay equipment rental fees. And you can watch whenever, wherever you want.

Sounds like a great improvement to me. You also do not have to pay for 2 to 5 streaming services. You can choose 1, or 2, or however many you want.


> You can choose 1, or 2, or however many you want.

That way you could also "choose" not to pay for cable. But the reality is that if you want to watch all the latest popular shows and movies you have to pay for 4-5 streaming services.


That is generally how the world works. You pay more for more stuff.

Not having to pay for ESPN if you do not care about ESPN is an improvement though.


Even if pick-and-choose subscriptions weren't cheaper than cable (which they are, for me so far at least), I'd gladly pay up to 2x the cost of Comcast service just to avoid subsidizing Comcast's evil monopoly, and how Comcast is intentionally keeping much of the US from having real, modern internet service (read: fiber with symmetric speeds, instead of their bullshit where they pretend a 1000Mbps down/20Mbps up link is lightning-fast and don't even TELL customers what the upstream speed is).


Well, this is the end of the road for me with 1Password. I refuse to use anything that doesn't have a local vault. The potential damage if my vault is somehow accessed is too high. If the vault is stored in the cloud, how can I verify that no one can access it? In that case I have to give this app internet access in Little Snitch, since it relies on internet access, which means that if I received an update that disabled end-to-end encryption, I would be none the wiser.

Granted, the chance of attack is small but the consequences are extreme. There's no single file more valuable on my computer than my password vault.

I preferred buying the license compared to the subscription, but I don't particularly mind a subscription for a service I use regularly. I mind the risk to my privacy.


> the chance of attack is small

Is it? I would be surprised if attacking 1Password wasn’t a priority for governments and hackers. If the encryption used on vaults is ever broken, compromised, or buggy, users are screwed.


They don't have to break the vault encryption. They just have to gain access to 1pwd's git and push out a compromised update. And then watch the passwords roll in automatically.


Yes, exactly; that's what I'm worried about. I'd say if that happened it would be targeted, and the chance of me being targeted is small, but I also don't want to ever leave myself open to such a thing (also because I've lived in autocratic countries, I don't automatically think all governments are trustworthy).


Scott Forstall, who led iOS until 2012 and oversaw the creation of the App Store, once said that he installed a new app every day to see what new ideas developers were coming up with.

The mass migration of apps to the subscription model has killed this sort of exploration and discovery of new apps. As one example, I recently looked for a flight tracker and many wanted more than $30/yr for a tool that is (to me) an occasional convenience.

I worry less about how much I pay to use an app than how much I'm paying when I'm not using the app. It sucks when I'm too busy to use my language learning app and yet somehow I still end up owing the app developer every month. By the time I end up canceling I might have wasted $60 or more, which certainly doesn't motivate me to install the next app that prompts me to subscribe.

I don't know the solution to adequately compensate developers for their work but I hope the subscription mania goes away.


I think the model needs to go back to paying for updates/support. Would be great if this was a native behavior on mobile app stores as well (you can kinda do this with Bundles on iOS but it's still kinda hacky).

Haven't paid for this software in the past 365 days? Go to the community forum. You can pay 60% of the license charge for another year of updates and support.


Developers used to be motivated to release the next version and make you buy their app all over again. The upside is now you don't have to buy a bunch of applications for $120 (a year if you always want the latest version) and you can just pay as you go. But like you I have had a few subs that ran over and now I avoid them wherever possible.

Adobe were the last to annoy me; previously I am sure I had paid up for a few months and then unsubscribed. Now it's a 12-month commitment when you take out a subscription.

Off topic, but if you want a flight tracker, and like to tinker, try feeding flightradar24 (or any of the others); while you feed them you get their full membership. A Pi and a USB TV card are all you need to get started!


Or better: support adsbexchange.com instead. They don't introduce the delay that flightradar24 does, and they don't hide military and business jets. They're really non-profit.


> I don't know the solution to adequately compensate developers for their work but I hope the subscription mania goes away.

There are ways, but nobody seems to bother to provide a usage-based model, similar to how cloud providers figured out multiple usage plans. I have a feeling that many apps live off people paying but using the service very little, so there is no incentive. What's stopping them from offering a different price for 1h - 5h monthly access? They could upgrade you to a flat fee automatically if you start using their app every day.


Microtransactions were a big craze at one point. I suppose if my package tracker cost 25¢ per package, I wouldn't be too upset. My ad blocker tells me it blocks about 25,000 resources per month; maybe $0.00005 per ad?


Also a stand-alone user since 1pw4. This news finally got me to try pass, the command-line utility.

https://www.passwordstore.org/

The format is plain text. You can git control your password repo. You can organize into directories, etc.

It has an extension architecture; you can have it generate OTPs, for example. You can have specific passwords unlock with more than one key, if you want to do e.g. family or business sharing.

There are mobile apps, browser plugins. None as smoothly polished as 1pw, but good ENOUGH. There are (imperfect) tools for migrating, but you can write your own scripts.

So far (using it for 48 hours) the worst part was setting up a gpg key.


I was reading through the comments wondering why so many technically capable people are paying for a password store service when passwordstore works nicely in the space and gives you some comfort in knowing how it works.

I highly recommend pass.

My set up is as follows:

- set up the key, share the private key to other devices which are going to use the same pass store;

- use syncthing to sync my passwords between devices (you can use github, but I just find it works nicely with syncthing);

- all passwords and other content are just gpg encrypted text files;

- use the pass cli utility to read the passwords;

- the first line of the text file is the password, so the apps and cli will read that into the clipboard (with a time limit to expire if you are on your phone);

- for Android phones/tablets I use 'openkeychain' to manage the key and 'password store' as the app to read the encrypted text files and copy the passwords;

There are other browser extensions etc. I just don't find a need to use them though.

It has worked well for me over the years while I have seen the passwords market go more towards a subscription model over time.

My wife uses the same system, I just set it up for her and then it is seamless for her as well.

https://www.passwordstore.org/


I also use and love pass on desktop, even with syncthing and browserpass, all perfectly working. But I am using a YubiKey to hold my key and that makes it not a good match for a mobile setup. Also, last time I tried, the mobile apps mentioned were not so easy to use, so I gave up on that front.


I really wish they'd offer other encryption backends than gpg. GPG is pretty long in the tooth. I never have problems with pass, all my problems are with gpg.


What, specifically, is your problem with gpg?


At the moment, it's that it has very inconsistent support in macOS. Most of my machines are Linux; after I got the issues worked out on those it works reliably. OS X I use infrequently enough for it to be worth a ton of time troubleshooting. And so it only works rarely, like I think after a reboot. I think eventually I'll figure it out. The error I get is "no secret key". Even though when I run 'gpg' and then make sure my key is there, it still doesn't work when I run the pass commands.

But I'd rather use a backend that doesn't require as... weird... integration into the OS as GPG does. Between pinentry and having to store the passphrase, gpg just doesn't offer the same sort of out-of-the-box functionality as something less... heavy.


For me it’s more about trust. I’d rather trust a company with decades of experience in this area than a bunch of random developers that published different unvetted apps on various app stores.

And technically, Syncthing doesn’t really seem viable on mobile last time I looked (and also has the problem of 3rd party apps instead of official ones).


How different we think. I'd much rather put my trust in select people, such as Jason Donenfeld (creator of pass, WireGuard &c) with impeccable track records, than random companies that are always one quick change of management away from selling all your data off to the highest bidder.


I was rather alluding to the different mobile apps, which all seem to often be developed by various unknown developers (some closed source) instead of the core developers of the main project.

I too would trust the core of e.g. Syncthing or pass.

Making it all work on mobile is a completely different story though. I myself can’t do without mobile access to my passwords.


Fair enough.

The mobile platform is one I ignore. The only thing I know with any certainty about my phone is that it's running a bunch of closed source spyware, so I'm not entrusting it with anything much - and certainly not my passwords.


I have been using passwordstore for several years now and I wouldn't be able to go back to another product, even if other products were free.

Note that the private git repo can be uploaded to the cloud, which allows one to access passwords on multiple computers as well as on my phone.

Also I would like to highlight qtpass client for a very user-friendly GUI interface to quickly access passwords.

In my opinion, anyone that has basic knowledge of the terminal should be able to set up passwordstore no problem. Once it is set up, one can use qtpass or other GUI clients.


I've been using it for over two years, I absolutely love it. Check out pass-otp as well as rofi-pass (if on Linux), as I think it's the best way to have password entry on any computer. It sends the keystrokes, so I can paste passwords in nested virtual environments where an extension might not be installable.
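The entry layout the pass setup comment above describes (the first line is the password, later lines are free-form metadata) and the OTP generation mentioned in the earlier pass comment and here with pass-otp, as an added example that is not part of this thread and is not pass's or pass-otp's own code: a small Python reimplementation that takes an entry as pass would hand it back after gpg decryption (the gpg layer is deliberately left out; the entry text below is constructed for the example), pulls the password off the first line, finds the otpauth:// line that pass-otp stores, and derives the TOTP code per RFC 6238 using only the standard library. The secret in the constructed entry is the RFC 6238 reference key, so the codes it produces can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample entry, shaped like pass's decrypted output (not a real
# vault entry). The secret is the RFC 6238 reference key "12345678901234567890"
# in base32, so codes derived from it match the RFC's test vectors.
SAMPLE_ENTRY = """hunter2-correct-horse-battery
login: alice
url: https://example.com/login
otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30
"""


def parse_entry(text):
    """Split a pass entry: first line is the password, the rest is metadata.

    'key: value' lines go into a dict; an otpauth:// line (the convention
    pass-otp uses) is returned separately so it can be fed to the TOTP code.
    """
    lines = text.splitlines()
    password = lines[0] if lines else ""
    fields = {}
    otp_uri = None
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("otpauth://"):
            otp_uri = line
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return password, fields, otp_uri


def parse_otpauth(uri):
    """Extract (secret, digits, period, algorithm) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    secret = query["secret"][0]
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    algorithm = query.get("algorithm", ["SHA1"])[0].lower()
    return secret, digits, period, algorithm


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, now, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, int(now) // period, digits, algorithm)


def code_from_entry(text, now=None):
    """Return the TOTP code for an entry at time `now`, or None if it stores no OTP."""
    _password, _fields, uri = parse_entry(text)
    if uri is None:
        return None
    secret, digits, period, algorithm = parse_otpauth(uri)
    return totp(secret, time.time() if now is None else now, digits, period, algorithm)


if __name__ == "__main__":
    password, fields, _ = parse_entry(SAMPLE_ENTRY)
    print("password:", password)
    print("login:", fields.get("login"))
    print("current code:", code_from_entry(SAMPLE_ENTRY))
```

With the real tool the entry only exists in plaintext for the moment pass decrypts it, and the clipboard copy described above is what gets the time limit; this example stops at the derivation so that the arithmetic can be checked against RFC 6238 (time step 59 with the reference key must yield 287082).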


Another happy user of “pass” here. The program integrates with Emacs, Firefox, Unix, and Git like butter. No need for any clouds or services. ;^)


The writing was on the wall when they took VC money[1]. Anyone has a good guide to move to Bitwarden/Lastpass?

[1] https://techcrunch.com/2019/11/14/fourteen-years-after-launc...


Hi. I'm a feature developer for 1Password, and I want to clarify a few things. First of all, our decision to build the macOS app in Electron was absolutely not driven by VC money. For the past few years, we've been working on consolidating 1Password's business logic into a single Rust-powered core that could be shared across all our apps. This has many advantages: feature consistency across platforms, faster development cycles, and better security. When building the front-end for the desktop platforms that would take advantage of this new core, Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac. We actually did build a native Mac app initially alongside the cross-platform Electron app, but we eventually decided that having two separate versions of the macOS app (one in Electron, one in SwiftUI) would cause a lot of needless development churn and hassle for both customers and our support team.

I can understand your frustration about Electron, but I hope you find my explanation reasonable. Please stop spreading misinformation.


>Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac.

This is the source of your mistake. Users don't desire to have the same UI across different OS environments, it's only an app's developers that care about that. Cross-platform UIs are inarguably a worse user experience than UIs tailored to the conventions and designs of each OS.

A Mac app that doesn't actually feel or behave like a Mac app is not a good Mac app. The same is true with tvOS apps like YouTube and Prime Video that don't actually feel or act like good tvOS apps.


I wholly agree with this, I choose Macs and use basically exclusively "good" Mac apps since I want everything I use to just feel right. On the occasion I use Windows or Linux, I want the UX to feel akin to what other applications on those platforms use.

Kind of a random thought, but is it at all possible to build a native 1Password app using their API [1]? I haven't read AgileBits' ToS, but I would be interested in working on / following a Mac-centric client.

[1]: https://support.1password.com/connect-api-reference/


> Users don't desire to have the same UI across different OS environments

Um, speak for yourself. I personally don't like having the docs showcase completely different UIs to the one I'm using. I also like having an app I can run on Linux, which has been happening a lot more since Electron became a thing (no sane company wants to write apps in GTK, and much as Qt is a great toolkit, it requires expertise most SaaS vendors don't have).

You're speaking as if it's fait accompli that 1password made a mistake picking electron. It is not, and I am fairly certain they did not.


There's an argument to be made the other way around:

Maybe if you choose to use multiple platforms you should just deal with the multiple approaches to UI? Why should the single platform citizens suffer from a UI that's inconsistent with the rest of the platform?

To stretch it to an absurd case:

Imagine Slack decided that the shortcut to copy text will be Ctrl+C on all platforms. And Windows users who occasionally use a Mac would rejoice because it would save them from having to think which button to press.


What percentage of users will be using the app across multiple operating systems and notice and prefer having a consistent interface?


Anecdote, but, my workstation is Linux, my work laptop is macOS, my personal computer is Windows where I run Linux VMs. I run 1Password across all these operating systems. Having a consistent interface is nice and it means I don't have to relearn the UI three times.


I think many people here will have a similar setup but that isn't representative of the general population or probably even 1Password's client base.


I feel like you didn't read my comment if that's your take away.


> Users don't desire to have the same UI across different OS environments, it's only an app's developers that care about that.

I guess we'll have to agree to disagree on that. I personally enjoy having consistent user interfaces across the apps that I use, and there are many other people that would say the same, so I would avoid making broad assumptions. From our perspective, consistent user interfaces are a win-win for both the development team and the majority of end users. That being said, I'll take your feedback into account.


This is a curious response. I would have used the same reasoning as an argument against Electron (or similar unified development systems): they are not consistent with all of the other native apps that people use.

I don't know if your reasoning is that looking like a web app means it is consistent with those apps, or that the apps look the same across platforms, but neither of those arguments are compelling to me. I chose the platform I am on because I think the interface is a good one that makes me more productive.

And I have never found an Electron app (or web app in general) that is as high quality as good native apps (on any platform). There are just so many compromises, and I am not even considering resource usage here. Everything just feels a little slip-shod.


This comment reminded me of a Gruber blog post from a few years ago

https://daringfireball.net/2018/12/electron_and_the_decline_...


Thank you for that well-written explanation of your concerns. Your frustrations are shared by many users in this thread, and I'll do my best to pass them forward to the rest of the dev team.


This comment is so well written


> I guess we'll have to agree to disagree on that.

This is such a bizarre claim. I know Agilebits understands Mac users.

To be brutally honest, I've heard this line from a lot of software shops after they decide tailoring their apps to the native platform is too expensive or inconvenient for them. Suddenly they all find that their users don't care about their native platform - I suspect if I went looking for the discussion from back when Adobe did this, I'd see the same phrasing.

I canceled my subscription today.


> I guess we'll have to agree to disagree on that.

Let's be clear about this: you are the seller, we are the customer. You can't `agree to disagree` with your customers.

If you don't agree with what some of your customers are telling you, then they won't be your customers, and you won't lose just these customers but also all the others who observe your behavior. It is a modified case of the repeated prisoner's dilemma. If I observe that you tend to defect in other instances, I will have less inclination to cooperate. In other words, your reputation will suffer.

On the consistent user interfaces, the consistency of an app with other apps on the same platform is much more important than the consistency of that app across platforms. Even if you use multiple platforms, you switch much more frequently between apps on the same platform than between different instances of one app across platforms.


I don't have super strong feelings about native v.s. cross-platform UIs, but I think I (and maybe others) think about this question from the "reverse" direction. I expect a given service / app / functionality to work the same everywhere, no matter the platform. This is true of tools I use through my terminal or tools I use in GUIs. Other approaches feel to me like they make using the product more difficult - I may not be able to help someone else on another OS use it, it may mean that an obscure platform has more bugs than a unified approach, etc. I understand why native may make sense, but I do not think it is a given.


But how can you justify removing the ability to have a local vault?

Why would anyone think for a second that it would be a good idea to force people to store every password for everything in their life in your cloud without an opt out?

That, even more than Electron and the subscription model (both of which do bother me), is an absolute deal breaker. I've paid for every version of 1Password since v3 in 2009, but I'm done with it now.


The original article goes into great detail as to why we're moving away from local vaults.

That being said, we are looking into gauging user interest in self-hosting. Please take a look at our survey [1] if you want to share your thoughts. Hope that helps!

[1] https://survey.1password.com/self-host/


I don't want self-hosted, and I definitely don't want subscription based. I, 1Password user for many years, want the local vaults!

1Password 6 is great, and I'll keep using it until it quits working on my devices, but no more after that! I used to recommend 1Password so much to people it was borderline evangelizing, but I quit recommending it once the subscription was pushed over the other options, and now that local vaults are going away I'm actively recommending against it to anyone that asks.

Guess I'll be moving to Bitwarden or Keepass myself; time to research!


Word for word my response as well. I've never had a product go from beloved to this before.


May just want to stop before you step in things further. You’re honestly just making things worse.


You're taking a survey about not removing a feature you already have? Why not just keep it?


This would be an appropriate riposte to [1], a vitriolic comment that draws the line between VC money and Electron, but not to parent.

Parent makes a lot of sense, actually, in context of the submission headline. There was no misinformation here at all.

[1] https://news.ycombinator.com/item?id=28145755


Thank you for pointing me to that thread. I'll make sure to respond there as well.

I did (incorrectly) assume that the parent was talking about Electron, so that's my bad. That being said, our decision to move away from licensing is absolutely not being driven by VC funding, so the parent comment is also spreading misinformation. We were building a subscription-based model all the way back in 2014, and we're phasing out licenses for the host of reasons that were mentioned in the original article.


In my experience the impact of VC money isn't directly seen by engineers but is rather a subtle top down shift in direction. Growth matters more, revenue matters more, existing users matter a bit less versus future users, features that impede this are removed, etc. Feature direction shifts slowly but surely.

The goal of a VC company is to either grow big or die. That's it. Risky bets at the expense of existing users are expected if current growth does not meet expectations. Worst case, everyone quits the app and you go bankrupt. VCs expect that 9 times out of 10, so no big deal as long as the 10th makes it big.


Hi, I didn't mention Electron in my comment; it was purely about the move to remove one-time purchases and local vaults. I don't like the direction the product is heading in, therefore I want out.


Question: you built it in Rust for performance reasons, right? Wouldn't Electron take it away?


The short answer is no. People often have misconceptions about Electron apps based on their experiences with a poorly written one. I've had my own fair share of bad experiences with Electron-driven apps. But the way we've utilized Electron is far different than most applications.

Our Electron app is really only a thin client over a Rust-driven backend that handles all our business logic. We only invoke Typescript when we need to render the UI; everything else goes through Rust. We even run some Swift code too, for deep integration with the operating system.

Memory is still an issue with Electron, but we're getting better at reducing the footprint. We've put a lot of work into optimizing this app, so I recommend you give it a shot; I think you'll be pleasantly surprised by how performant and responsive it is.


> People often have misconceptions about Electron

> Memory is still an issue with Electron

Sounds like their conceptions are correct.


This is pretty much the main point that people bring up. Followed by UX experience.

My work Slack dies at least once every day, and makes my laptop scream if I have VS Code on. I don't want to know what adding 1Pw will do.


Second vote for Bitwarden.

Lastpass is a bucket of ass.

They've had security bugs in their browser extension before, but it is almost required to use it - the webapp works horribly without it. My least-used browser gets that extension, so it isn't running most of the time, at least. And with it, the UI is still terrible. The app is just awkward and poorly done.

The one good thing I can say is the user/group model is reasonably implemented.


I just went through all the trouble of setting up Bitwarden; the built-in 2FA from 1P doesn't seem to transfer over, or at least doesn't work with the Chrome extension.


Strong "do not want" for lastpass. Run far, far away.

I switched to KeePassXC a while ago due to the increasing hostility over local stores. Looks like I was right on the money.

KeePass has served me pretty well - it's not as polished, but it works absolutely everywhere due to the numerous client apps on many OSes, and it syncs normally. Toss on something like Dropsync for mobile, and it's pretty streamlined: https://play.google.com/store/apps/details?id=com.ttxapps.dr...


https://bitwarden.com/help/article/import-from-1password/

I'd only recommend LastPass if you're a fan of LogMeIn, Ltd. and only being able to see your passwords either on Desktop or Mobile (on the free version).


Sorry, but where else other than Desktop or Mobile are there to view data?


I mean you can only view your passwords on mobile, OR you can only view your passwords on desktop. On the free version, you can't be signed into both desktop and mobile at the same time, and you can only switch 3 times.

https://support.logmeininc.com/lastpass/help/what-can-i-expe...


Standalone user for about a decade now. I find this incredibly disappointing.

I don’t mind paying a subscription fee if that’s what makes the business work and allows continuous updates.

But either they give us a self-hosted option or I’m done with 1password. Keeping my passwords in someone else’s cloud is a red line for me.


If you're actually interested in a self-host option I implore you to fill this survey out for them:

https://survey.1password.com/self-host/


Switched to KeePass when they introduced the subscription model. I believe the only app that I tolerate as a subscription is Lightroom CC. I want to minimise subscriptions because otherwise it is $5 here, $10 there, and at the end it can be a surprising amount I have to pay each year. But yes, for some apps it may be worth it, but for 1Password I found suitable alternatives.


What subscription model? KeePass has no subscriptions, just local exec app.


Pretty sure they're saying they switched to KeePass when 1Password introduced the subscription model.


Yes, that was what I meant.


Like many others this feels bad to me. I was previously forced to upgrade to 7 so the Chrome extension worked and as a result purchased (again!) separate Windows and Mac desktop licenses. In trying to navigate the site to find out how to buy a desktop only client I encountered the multiple dark patterns to make this nearly impossible. It is no wonder that “97% of people prefer the subscription” since standalone was basically hidden. I love the product experience 1Password provides, I simply prefer managing my own vault (via Dropbox). Based on feedback here I’m going to evaluate Bitwarden. Sigh.


Please, if you haven't already, fill out this 1Password survey. They are considering self-hosted vaults but want more data on who/how it would be used:

https://survey.1password.com/self-host/

Hopefully they will get the picture.


Thank you so much for posting this link! I had no idea there was an avenue for product features.


I appreciate the need for them to do what's right for their business, and that the HN crowd is probably not representative of their broader customer base.

With that said, they've lost a customer here. I would prefer not to pay a subscription, but I might have (though if you do the math, I've had paid upgrades frequently enough I'm not sure they'd have made more money off me with a subscription).

The sticking point is the lack of local vaults and removing the native app. Very disappointing.

The reason I used 1Password to start with and not KeePass was because it was Mac native. It is so deeply depressing to have faster and more efficient computers year-on-year and have all that efficiency wasted by moving to Electron apps. It sounds absurd to say, but there's a real ecological cost to less efficient apps too; it really does add up in aggregate.

The lack of local vault is the ultimate deal breaker, not because I think 1Password are untrustworthy, but because I'm reassured that I don't _need_ to trust them in the same way with a local vault as I need to if they're hosting the vault themselves.

I think what's most disheartening about this is that the customers who dislike this the most are also likely the customers who've been with them the longest and helped them build their business. I know I've been using 1Password since v2.

Given that password management is so central to our daily productivity, jobs, personal lives, I'm not surprised people have some very strong opinions about this. I hope the 1Password management read these threads, but I doubt it.

I will stick with 1Password 7 for as long as I'm able.


Damn. This is a huge mistake. I've used 1password for over a decade. I will happily buy an upgrade license. I just don't want another subscription to my credit card. This is rent seeking!

Maybe I'll try bitwarden.


>People are said to seek rents when they try to obtain benefits for themselves through the political arena. They typically do so by getting a subsidy for a good they produce or for being in a particular class of people, by getting a tariff on a good they produce, or by getting a special regulation that hampers their competitors.

You may not like the subscription business model, but it isn't rent seeking. Monthly payment != rent seeking.


From Wikipedia:

> Rent-seeking implies extraction of uncompensated value from others without making any contribution to productivity.

I think the rent seeking comment was about removing the option for (free) Dropbox sync and only supporting the subscription-based plan. They are asking for more money for less product.


That's out of context, which the preceding sentence establishes:

>by manipulating the social or political environment in which economic activities occur, rather than by creating new wealth.

Otherwise simply raising the price on something would be rent seeking.


It's rent seeking because users can't buy the old version with more flexible sync options due to the monopoly granted to 1Password by copyright.

Raising the price of something certainly can be considered rent seeking.

For example: https://pnhp.org/news/rent-seeking-by-drug-barons/


I was wrong to use the phrase rent-seeking. My mistake.


I am a big fan of 1password. I was very unhappy with the transition to subscription only, and tried bitwarden. After months of futzing around with it, I went back to 1password.

I did so after reviewing their audit results, what they documented about their architecture, and after they added great support for Linux. At the end of the day, not everything is a conspiracy, and their model appears to be incredibly secure.

I would like the self-hosting option (that like Bitwarden, will still require a subscription), but a big part of what I am doing is sharing credentials with family. 1Password does a great job there.

Honestly, at the end of the day, everything else is about your value proposition. I didn't know or realize that 1Password had shifted to Electron, as asserted elsewhere. I guessed that there was a new version given that Linux was supported, but it made no difference for me. Great for them. Likewise, they are far more secure than me editing a password file. Eventually the market will decide here. If people really care about Swift versus JavaScript, then it will penalize them eventually.

That said, to people arguing that Dashlane and others are better than 1Password: given that Dashlane has access to your passwords, I can't imagine that this is a choice that makes any sense given the basic requirement of a password manager (keep my passwords safe).

-- edited correction - dashlane, not lastpass.


Please, if you haven't already, fill out this 1Password survey. They are considering self-hosted vaults but want more data on who/how it would be used:

https://survey.1password.com/self-host/


> That said, people arguing that lastpass is better then 1password, given that lastpass has access to your passwords

Don’t get me wrong, I hate Lastpass with an unprecedented rage for something that should be a simple utility (I’m forced to use it at work and it’s a time sink), but I don’t know where you get that and would like a source.


Sorry, quick correction. It was Dashlane. https://blog.dashlane.com/virginia-tech-passwords-study/


Are you sure that the passwords that were the object of the study came from the password manager itself? The paper that is referenced says this in the introduction:

> In this paper, we seek to fill in the gaps by gathering and analyzing a large collection of leaked password datasets across multiple years and various online services


> Virginia Tech researchers led by Dr. Wang have collected a number of publicly available password datasets from the Internet in January 2017. The datasets were obtained from various online forums and data archives.

It looks like they just used already leaked passwords.


Absolutely, I can confirm we don't have access to anyone's password, except those that have leaked already.


Where does it say that Dashlane has access to your passwords? I don't see them saying this anywhere.


Edit: not Dashlane either ;)

Source: I work there :)


I did not realize LastPass has access to your passwords...


Sorry, quick correction. It was Dashlane. https://blog.dashlane.com/virginia-tech-passwords-study/


Well darn, I guess I have to find a new password manager. 1Pass + Dropbox sync was so good.


Unless they remove support for local vaults from their mobile apps, you can continue using the classic self-synced method. I sync my 1Password vault across Android and Windows using SyncThing, using 1Password 7 and the legacy browser extension in Firefox. I don't get the inline 1Password prompt in password inputs, but that's the only disadvantage (Ctrl+Alt+\ brings up the password selector anywhere in the OS, not just the browser).

In fact, if you're okay with only editing/creating password entries on your phone, you don't even need to pay for the desktop app, because you can use it in read-only mode. The Android app has no limitation to editing local vaults, and it's pretty rare for me to actually have to set up new accounts these days, so I'm fine doing it on my phone. I considered paying for 1Password X (their online offering), but it's simply not worth $45 per year for that minor convenience. I can't complain at all, because I use 1Password completely for free.


They have, as far as I can tell. Last month I tried to set up a new 1PW installation and exhaustively searched through the app menus - no sign of standalone vault support anywhere.

It's possible that it was hidden because I had previously signed in to my work's 1PW account, maybe, or that it's hidden too well for me to find. I don't know, and would be happy to learn either way.


I just tried it on Android (after resetting the app), and it's still an option to use a local vault at first setup.


iirc (it has been a while since I used it), this fits with what I saw. You could do it if you set it up as a local vault at the very beginning, and add a web account on top of it, but if you started with a web account it was not an option at all.


I fully expect that to happen. And it will catch many people unawares when their iOS app automatically updates and prompts them to "upgrade" to the sync service.


I have been using pwSafe across iOS, macos and Windows for years now, the file db was stored in Dropbox, now I moved it to iCloud.

https://pwsafe.info/ for Mac and iOS https://pwsafe.org/ for Windows

The underlying file format is opensource and developed by Bruce Schneier.


I've been using KeePass with Syncthing for some time. No problem if you only need to update the database from a single location and access as read-only from the rest, but there are also solutions for shared updating.


Same situation here. I guess my setup will break once they remove dropbox sync from the android app.


Just save your vault as a local folder and sync it yourself. I use SyncThing.


I think the problem here is that 1Password wants to remove "standalone" vaults altogether, preventing any form of 3rd party sync solution.


Exactly—there are two major changes: the Electron change (which I'm 'meh' on, but could accept on its own), plus entirely dropping support for local vaults in version 8.


KeePass + Dropbox works, and you can sync to Android from Dropbox with KeePass2Android.


The real advantage of KeePass(XC), at least for me, is that it can be used to store so much more than simply user/password.

I use it to securely store notes and important files.


I've been using enpass for a while, I really like it but I don't see a lot of love for it on HN which worries me a bit…


That’s my setup too - but now I’m running into 1Password changes and the Dropbox free tier restrictions


I might just hold out with the 1password 7 and dropbox for as long as I can...


I have used the Dropbox sync for a long time.


Oh well. I've been a 1password user for maybe a decade. I don't mind paying for a subscription, but they have become increasingly user hostile over time. Pushing the in-browser versions of the product, hiding the steps to enable local vaults, and now removing local vaults entirely.

Custody of your secrets is something a password manager should move away from, not toward.

I moved my data to Bitwarden this morning.


KeeWeb + KeePass + Dropbox gave me everything I needed to emulate 1Password, and I definitely recommend that stack if you're greatly opposed to this 1Password change.

That being said, the thing that got me to change was when I tried out 1Password for a month and ran into a few minor accessibility issues on their web frontend. I sent a support ticket and very quickly got a response back, was told those issues would be fixed, and then notified me several days later when they were. Like I'm paying 2.99 a month and still received some amazing support. I use a lot of open source projects, and if I have an issue then I try to upstream a fix because the maintainers are usually volunteers, but I've spread myself thin. 1Password gave me the impression that it's in good shape and has great support which was a burden off my mind.


Anyone have good/bad experience moving from 1Password to Apple's iCloud Keychain?

I've recently been using keychain for new accounts, but not sure I wanna bite the bullet and go all in - just need a nudge.


I don't recommend Apple's keychain. It's smart enough to track usernames and passwords and feels very satisfying to use on an iPhone, but doesn't capture some other parts of authentication. This includes security questions, OTP, capturing notes around how sign-ins can be weird (HSAs and other portals rife with redirects), and non-iOS devices (as well as non-safari browsers).

Bitwarden is fantastic. I pay for the OTP features, though I feel keeping the codes alongside my passwords weakens my security posture. That's my choice, though.


I use Apple keychain in conjunction with KeePassX. Apple keychain for the convenience, but KeePassX is the master storage.


I was thinking of doing this but how do you keep Apple keychain and KeePass in sync? Or do you manually update both?


I manually update KeePassXC.


I've used iCloud Keychain for all my personal stuff since it existed. It's pretty bare-bones, but the built-in integration into Apple's software makes it a no-brainer for me. It's worked great!


The most valuable parts of 1Password for me are storing non-password stuff like license keys, secure notes, random security question answers, and the like.


I’ve always used secure notes in the Keychain app for this. Not as smooth as 1Password, but it does the job when I need a licence number (when I get a new computer, so once every ~3 years) or an answer to a security question (can’t say how frequent that is; certainly not more than 1 every other year).

I’ve been doing that for more than a decade (more like 2 actually) without a hiccup.


Never had any reliability issues with iCloud Keychain since switching over 2-3 years ago, but obviously it's less featureful than 1Password. I liked how 1Password had a dedicated section for software licenses, but now just use a Notes note for that.


My daily drivers are a MacBook Pro and an iPhone, but I'd go with a 3rd party password manager every time for the ability to access passwords on a non-Apple device if I want.


I thought about it, but decided I’d miss 1Password’s 2FA auto-fill too much — it’s a huge timesaver for me.


As far as I am concerned, this is a `bait and switch` tactic. It is unethical. And it is a surefire way to shoot oneself in the corporate foot and destroy customer trust.

Nobody who values security enough to use a password manager would leave their passwords at the mercy of the next corporate turnabout, when said corporation is evidently untrustworthy.

This is the same lizard-brain self-interest unleavened by any shred of higher brain functions that people like Shkreli exhibit: `the suckers have switching costs so let's jack up the price obscenely while reducing the actual customer benefits.` Some people should be kept away from MBA programs.


I really dislike subscriptionware. I don't want to depend on software that I might lose access to if money gets tight.


So ease of access is really the number one driver. Perhaps I'm just old, but I remember when security was never supposed to be easy. When easy, it is taken for granted, and therein lies the failure of security. So essentially this cloud model gives everyone the illusion of security. Probably nothing new, since it's all theater at a certain point.

This is not to take away from all the technical details of 1P's approach to this, but (once again) in light of what we have seen from the "Trillion $ darling of privacy", enabling scanning of personal content one has to wonder how long before the same is applied by 1P. Remember your vault can store just about anything. I am sure it is only a matter of time before the case is made that we must think of the children.

Irony of all this, I'm someone who is paid to migrate customer security to the cloud. Runs counter to my thoughts on the matter, but not those making the financial decisions on all sides. I certainly don't fault 1P for making the prudent financial decision that 95% of their customers have made. As part of the 5% I shall wring as much out of 1P7 as possible and eventually move elsewhere.


I use 1Password, and migrated over to their subscription service some time ago. A password manager seems like the best overall option at this time.

However, given they have all the passwords for many people, how are they not one of the biggest targets in the world? In their old Dropbox model, I understood the security model. In the service model it's moved to "Just Trust Us".

Is there anyone who can help me understand how this model is secure?


https://1password.com/security/

It's basically E2EE (where the encryption key is your master password + secret key, which looks similar to a guid), with the caveat being that 1password is still accessible via the browser so you do have to trust they're not compromising you by saving your secret key + master password separately (that is, unless you're auditing the login page every time you open it).
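To make the "master password + secret key" idea concrete, here is an added example (not 1Password's code; the exact construction, XOR of a PBKDF2 output and an HMAC output, and the toy HMAC-counter keystream are assumptions for illustration, not a spec of their protocol). The point it demonstrates: a vault key derived from both secrets means the server, which never sees the secret key, cannot brute-force the vault from the master password alone.

```python
"""Two-secret key derivation (2SKD) illustration.

Added example, not 1Password's code. Construction is assumed for
illustration: vault key = PBKDF2(master password) XOR HMAC(secret key).
The keystream_xor cipher is a toy (no authentication); it only exists so
the effect of a wrong secret key on the stored data is visible.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 cost; real products tune this upward


def generate_secret_key() -> str:
    # 128 random bits, grouped in hex so it resembles the GUID-like key the
    # comment above describes (format is an assumption).
    raw = secrets.token_hex(16).upper()
    return "-".join(raw[i:i + 8] for i in range(0, 32, 8))


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    # Slow half: password stretching, so offline guessing of the password is costly.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    # Fast half: 128 bits of entropy that only ever lives on the user's devices.
    sk_part = hmac.new(secret_key.encode("utf-8"), salt, hashlib.sha256).digest()
    # Combining both means a correctly guessed password is useless without the key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-in-counter-mode keystream: illustrative only, not an AEAD.
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, stream))


def make_verifier(key: bytes) -> bytes:
    # Stored next to the vault so a client can distinguish "wrong secrets"
    # from "corrupted data" without decrypting anything.
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def lock_vault(master_password: str, secret_key: str, plaintext: bytes) -> dict:
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    key = derive_vault_key(master_password, secret_key, salt)
    return {
        "salt": salt,
        "nonce": nonce,
        "verifier": make_verifier(key),
        "ciphertext": keystream_xor(key, nonce, plaintext),
    }


def unlock_vault(master_password: str, secret_key: str, vault: dict):
    """Return the plaintext, or None if either secret is wrong."""
    key = derive_vault_key(master_password, secret_key, vault["salt"])
    if not hmac.compare_digest(make_verifier(key), vault["verifier"]):
        return None
    return keystream_xor(key, vault["nonce"], vault["ciphertext"])


if __name__ == "__main__":
    sk = generate_secret_key()
    item = b"login: example.com / constructed-sample-password"
    vault = lock_vault("correct horse battery staple", sk, item)
    assert unlock_vault("correct horse battery staple", sk, vault) == item
    # Right password, wrong secret key: the verifier fails, nothing is decrypted.
    assert unlock_vault("correct horse battery staple", generate_secret_key(), vault) is None
    print("secret key:", sk)
    print("password alone cannot open the vault; both secrets are required")
```

The caveat in the comment above still applies: this protects the encrypted blob on the server, not a client that has been swapped out for one that exfiltrates the secrets. The verifier is what lets a client distinguish a wrong password from a corrupted vault; in practice that check happens under an authenticated cipher rather than a bare HMAC.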


Err, have you checked with them?

https://support.1password.com/security-assessments/

They've gone pretty far above and beyond what we're used to seeing wrt sharing security details, audit results, and architecture information.


> This worked well for nearly a decade but by 2013 the cracks were already showing. By then we had client apps for all platforms, with each one requiring their own separate purchase, often across multiple app stores. And paid upgrades to major new versions were so incredibly painful for everyone involved that we rarely had any.

I think they are being fairly transparent. Starting in 2013 their old business model stopped making sense. They were selling individual products for each platform, while trying to integrate all platforms at the same time. The natural solution was to move to a subscription model for a unified service. This provides a multi-platform solution and generates a continuous stream of income.

As a consumer, I actually prefer this model for a security app since it means that it will continue to receive regular updates. There is lots of competition in the space of password managers so I am not worried about them increasing the cost of the service to more than a few dollars a month (if they did this I would just switch to another service).


I honestly have 0 problems with this.

They’ve gone over and beyond to support old licences far longer than it could be expected, and a password manager is the kind of sensitive and ubiquitous product for which SaaS actually makes sense.

Anyone remotely involved in anything similar knows it’s a PITA to keep up to date while keeping device compatibility, and the folks at 1P have been doing great work.


Actually a sensitive product is exactly where this does NOT make sense. No matter how good their security is with their cloud version it will still be less secure than having a vault locally on your disk. That is a fact.

Subscription services to me are only justified if they are providing a SERVICE which they are with the web version and ability to sync through their own servers, however, using a local version with your own vault can be done without any service at all.

So to me this looks like them intentionally crippling their own software in order to force people into paying a subscription fee that is not necessary. They already hide the ability to purchase a standalone license for 1Password 7 trying to get people to pay the subscriptions so this is the next logical step.


> Actually a sensitive product is exactly where this does NOT make sense.

The idea that anyone except a tiny infinitesimal minority of all people should self host is ridiculous.

Even a lot of people with IT jobs have not enough time or knowledge to keep services like this working securely in a way that’s competitive with SaaS (i.e. these people are better served by paying others to do the job).

If you need any proof, just wander around any company that works in IT and do a simple check, see who has the latest OS version and who doesn’t.


But it was never about self-hosting: a local vault can be synced between devices on the same network - all you have to do is to open 1PW on both of them. Everyone can manage it.


Hi, I work for 1Password. I can understand your frustration that we're phasing out local vaults. Luckily, I have some good news: we're currently running a survey to gauge user interest in self-hosting options. If you're interested, go to https://survey.1password.com/self-host/ and let us know your thoughts. Thanks!


Too little, too late. You've already burnt trust here.


Self-hosting is not a viable alternative to a vault kept on Dropbox, unless that is what you mean by self-hosting.


This makes sense to me. Lots of other products have headed in the same direction over time (e.g. YNAB) for similar reasons.

SaaS is familiar to consumers and ultimately a nicer business model for most products. If you support SaaS for new customers, maintaining the old product / pricing model indefinitely eventually stops making sense. At some point you have to make a move like this.

It is probably particularly timely to do this because Lastpass recently changed their pricing model (whether deliberately aligned or not). It's no longer possible to use the free plan of Lastpass and use it on both desktop and mobile: you have to pick one or the other. For many use cases this is effectively a requirement to use the paid plan. So now 1password has the opportunity to push legacy users to a paid monthly subscription knowing that some portion who may have switched to Lastpass to avoid a monthly fee now won't be able to do so, and will probably just pay the monthly fee to 1password instead.


I will run the installed version of YNAB as long as it runs on my computer, and after that I'll probably run it in a virtual machine until the end of time. I am not comfortable with my financial information being on the cloud in the hands of a third party, much less so when it is not the likes of Google and Apple with armies of security engineers and can be hacked much more easily.


Your bank is already a third party with its hands on your financial information, likely stored "in the cloud."

Check out Chase's privacy policy as an example:

https://www.chase.com/digital/resources/privacy-security/pri...

A number of information sharing activities cannot be limited. This is typical of any bank or financial institution. Your bank has its own vendors, many of them are themselves SaaS and cloud hosted!

Even large, sophisticated banks can be hacked:

https://www.nytimes.com/2019/07/30/business/bank-hacks-capit...

My point isn't to say "Why care at all? Just open the floodgates!" Instead, my point here is that trust and security in our society is only as good as the people and institutions that back them up. We don't use bank vault doors for our front doors just because we have the knowledge that anyone with simple tools can defeat a home lock.

Therefore, I think that the choice of more inconvenient solutions made just to avoid some nebulous what-if scenarios involving privacy is often (but not always) the wrong way to go.


The problem with YNAB is that,

A) They will have all of your financial information, as opposed to banks that will each get a slice. So the data they have is much more sensitive.

B) YNAB has around 100 employees in total. They do not have the resources to secure their data the way big banks do. We all have our doubts about security at big banks, but I am sure small startups are way worse.

C) It was all unnecessary for YNAB to go online. The decision, much like 1Password's, was about money, not clients. I cannot live in this day and age without a bank account. I can live with an old version of YNAB. Heck, I can live even without YNAB. If banks are a necessary evil, YNAB is an unnecessary one. Why increase your attack surface with unnecessary stuff, just because there is some necessary attack surface remaining?


Re. point C, I think everyone's use case is different but for an alternative perspective: it was absolutely necessary for YNAB to go online for me to buy it.

The mobile app is a really key use case for me, and even as a technical person I just can't be bothered to set up hacky sync via dropbox or expect my family to know how to do that. Even if I could be bothered, now I'm just kicking the responsibility to dropbox + myself with all the same problems. I'd rather have the app developers manage that responsibility.


Yeah I can totally understand that. I'm similar with the sync feature: the last thing I'm going to do is give them (or their 3rd party provider) my actual bank credentials. I would feel better if they supported some type of end-to-end encryption. I can also understand how, at least from a business perspective, most users probably don't care enough to not use it.


FWIW, YNAB never receives or touches your bank credentials — sign-in happens through MX and Plaid, which hands back a token to YNAB to use[1]. For banks that support it, the process goes through OAuth and you sign in directly with your bank, so even MX and Plaid never see your credentials. The whole process is end-to-end encrypted, with no credentials stored at rest (unless necessary on the MX/Plaid side, but they handle that).

Not trying to change your usage or habits, just wanted to clarify.

[1]: https://www.youneedabudget.com/security/#direct-import


Thanks for clarifying! I understand the architecture but perhaps didn't explain it properly in my comment.

It does honestly strike me as the best approach given the constraints, but here in Canada almost none of my banks are supported with OAuth flow last time I checked so giving the 3rd party providers my credentials and having them log into the bank both violates the TOS of my bank and is also far less secure than I'm comfortable with. Storing my financial details in YNAB / their partners is one thing, storing credentials that can be used to actually move or spend my money is another.

It's honestly not a huge deal for me personally. Entering the transactions manually is a good habit as I can see the balances update and mobile app is easy to use right on the spot.


Totally fair and reasonable! Too many banks here in the US too that both make it against TOS to get external access to your data and also refuse to offer anything secure like OAuth — extremely frustrating :/ At best you can try to pressure your bank to support OAuth but... we're just small fries.


Yeah, banking is stuck in decade-old technology in North America. Heck, I'd settle for TOTP (or any 2FA in some cases) or getting rid of those harmful security images.


I held off on the new YNAB for a very long time before switching about a year and a half ago. I absolutely love the new version and the syncing works so much better than before. And the new iOS client is loads better.


What am I missing with these paid/subscription services?

I personally use KeepassXC (Linux/Android). It's shared via cloud, I have a keyfile off device so I'm satisfied it's pretty much completely locked down.

Is it browser integration? Genuinely have no idea why I'd pay for this, or why I'd trust a company with my passwords especially when it's not local.


I wouldn't use any password manager without browser integration. It's the single most critical feature to me in a password manager (ok, beyond secure storage/access). I haven't looked at Keepass lately, but unless it has a browser plugin and automatic sync between all devices (multiple computers, phones, tablets) without me having to roll my own sync solution, it's a non-starter for all but the most hardcore geeks.


Fair enough, KeepassXC does have an official browser plugin, at least for desktop. Never use them myself, separating responsibilities.

Personally I don't think Dropbox/Google drive is rolling your own and works for me.


I know what 1Password is but haven't used it.

Are there advantages of using it over Apple's built in keychain?

Would appreciate if someone who has used/uses 1Password could comment on this.


I like it for a number of reasons (other wallet apps can meet these bars, as well):

1) It is very cross-platform. It works on iOS, Android, MacOS, and Windows. I believe that it is also Linux-ready.

2) It has the ability to sequester groups of passwords into "vaults," that can then be assigned in different configurations, for different accounts. This way, the Treasurer gets the banking login, and whatnot, but the Webmaster never sees them, and Treasurer never sees the CP login.

3) It seems to support a whole bunch of TFA.

4) It syncs over everything, and helps to enforce password hygiene.


It has a built in 2FA generator.

It supports many more kinds of secure data than passwords and credit cards. It has specific entry types for bank accounts, passports, reward programs, software licenses, and so on.

It also has lots of built in analysis tools for determining:

- which of your passwords are reused, weak, or present in online password dumps

- what websites can have 2FA enabled on them

As well as the ability to store entire documents in vaults.

Been using 1Password since 2008 and it's the only software of its kind I recommend to anyone on any platform.


-Multiplatform support

-Password sharing

There’s some nice “sanity checks” on all passwords, manual or generated, like reused password warnings and by default it checks your logins at haveibeenpwned, which is a nice to have.
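The "sanity checks" mentioned here and the analysis tools in the earlier comment (reused, weak and leaked passwords) are simple enough to show in code. The following is an added example, not 1Password's code: it audits a constructed sample vault for reuse, estimates password strength with a rough charset heuristic (the 50-bit threshold and character-class sizes are assumptions), and performs the haveibeenpwned k-anonymity lookup offline. Only the first five hex characters of the SHA-1 would leave the device in a real check; here the range response is a constructed dict built at runtime instead of a fetch from https://api.pwnedpasswords.com/range/{prefix}.

```python
"""Vault hygiene audit: reused, weak and breached passwords.

Added example, not 1Password's code. The vault and the HIBP range
response are constructed samples; no network access is performed.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample vault: (site, username, password)
SAMPLE_VAULT = [
    ("example.com", "alice", "Tr0ub4dor&3"),
    ("shop.example", "alice", "Tr0ub4dor&3"),  # reused across two sites
    ("bank.example", "alice", "password1"),  # weak and present in the sample breach data
    ("mail.example", "alice", "correct-horse-battery-staple-42"),
]


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_query_parts(password: str):
    # k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local.
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def find_reused(vault):
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def estimate_bits(password: str) -> float:
    # Charset-based estimate (assumed class sizes 26/26/10/33). It overrates
    # dictionary words, so treat it as a floor on "obviously weak", not a guarantee.
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def find_weak(vault, min_bits: float = 50.0):
    return [(site, pw) for site, _user, pw in vault if estimate_bits(pw) < min_bits]


def parse_range_response(body: str) -> dict:
    # HIBP range responses are lines of "SUFFIX:COUNT".
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: dict) -> int:
    # range_lookup maps prefix -> response body. A real client would fetch
    # the body over HTTPS for the prefix; the hash suffix is compared locally.
    prefix, suffix = hibp_query_parts(password)
    return parse_range_response(range_lookup.get(prefix, "")).get(suffix, 0)


def audit(vault, range_lookup: dict) -> dict:
    breached = []
    for site, _user, pw in vault:
        n = breach_count(pw, range_lookup)
        if n:
            breached.append((site, n))
    return {"reused": find_reused(vault), "weak": find_weak(vault), "breached": breached}


# Constructed range response: built at runtime so it matches "password1"
# without hard-coding a hash; the count 2401 is made up.
_prefix, _suffix = hibp_query_parts("password1")
SAMPLE_RANGE = {_prefix: f"{_suffix}:2401\n0000000000000000000000000000000000A:3\n"}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VAULT, SAMPLE_RANGE).items():
        print(f"{key}: {value}")
```

The reuse and strength checks never touch the network, and the breach check sends only a hash prefix shared by many passwords, which is why a password manager can offer this without uploading your passwords.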


For me the most important features are 1. Family support and 2. Cross platform (see #1… we have some Windows machines in the family)

If it were just me, the iCloud stuff would probably be enough.


Keychain is not quite a password manager.

It has a field for user name and password, both mandatory.

A password manager offers a lot more, including a field for notes or credit card numbers.


FWIW, Keychain Access supports secure notes as well.


Not tied to Apple.

I don't think Keychain (up to but not including iOS 15 beta) supports OTP.

On macOS, not much other than Safari seems to use it, I think?


I've been a happy user of the same version of 1Password 6 for many years, the last non-subscription version. It still works on MacOS Big Sur, and the classic extensions work in Firefox and Chrome (though not safari on the mac). When it stops working, I guess I'll have to look elsewhere.


https://clipperz.is/ is so much cooler and free. Best of Luck 1Password.


"Do not trust us! Trust our code and the Clipperz community of users and developers!"

Last github update 657 days ago.


> Last github update 657 days ago.

Maybe it's done.


Thanks for mentioning this. It was the first password manager I ever used before switching to lastpass and then to bitwarden.


First Electron and now it is subscription only with no support for local vaults. That is a definitive scam and it turns out I was right again [0], when they added Linux and moved to Electron, and that was a hint in itself of where 1Password was going. [0] [1]

I'd rather use a standalone extension as a password manager than use a heavy Electron app that will run my Macbook to the ground.

It is either Bitwarden or Dashlane at this point.

[0] https://news.ycombinator.com/item?id=27194871

[1] https://news.ycombinator.com/item?id=27195834


I got started with 1Password SaaS based on a work account and added it for my family, so I am not losing anything with this change. I've generally been pleased with the service and it's definitely been an upgrade from LastPass in terms of usability and security (no random autofills into hidden forms, no breaches etc...) - that said I'm sad to see this direction. I can't see how this could have been costly to maintain, nor that it would bring them incremental revenue given the backlash and ample competition. Maybe predictable cashflows are worth it, but in principle self-hosting should always be an option.


Got 1Password 6 full license for OSX and loved it. Of course I bought also the Android app. Then switched to an iPhone and bought the app again, peanuts. Then I had to start using PCs again and bought the Windows full license for 1P 7.

I still use 1P 6 on macOS even though the missing support for Safari sucks (that actually made me switch to Firefox!)

My point is, there is literally zero added value with the subscription, it’s like buying cars with loans, in fact by buying full licenses I saved money.

I hope that 1P 6 and 7 will last me as long as possible, I don’t see any alternative at the moment. IMHO all other options are less secure and/or less convenient.


>there is literally zero added value with the subscription

Hard disagree. Any security-focused software will have plenty to keep up with between OS changes, browser changes, site changes, new UI patterns, and even simple bug-fixes that you don't get from single purchases.


1P 6 running pretty well on last macOS makes your statement wrong.

The fact that you pay a monthly fee doesn’t guarantee you anything you described. In fact there are plenty of feature requests that 1P team has just ignored over the years.

Not only is there no upside but actually the missing local vault is a horrendous downside.


If they stop updating 1Password and the app has vulnerabilities then there is a huge advantage to it and, therefore, my statement is not wrong.


As long as 1Password keeps their policy of not selling usage data to 3rd parties like LastPass does, I’ll keep using this service

Self hosting would be nice to keep though. Been thinking about setting up a server to hold all that stuff


I've been a long time user of LastPass, and have never heard anything about them selling usage data.

This is both upsetting and disturbing.


do you have any links or a quick summary of what lastpass is doing? I haven't used that in years but I would be curious to know anyway


As others have said, I much prefer to keep my password vault and hosting of it separate.

Being forced into a 1P subscription feels like a downgrade to me. I've been a faithful customer for years, and have used iCloud synchronization for years as well. My entire household uses the app (through family sharing).

Self hosting it is not an option for me (I know how to, and that's why it's off the table), and purchasing a $5/month subscription feels like it's overpriced for what it delivers. I can get 10 months worth of Family365 subscription for what 1P is asking for a year, and that gives me 6 accounts with 1TB storage each and the entire Office suite.

The thing that seems to annoy people the most doesn't bother me one bit though. If it works I don't care if it's electron or not.

I'm instead evaluating Secrets[1] as a replacement. It requires a $20 in-app purchase to unlock full functionality, but even with 4 people buying it, it's still only 1,5 years of 1P service. For now I will try to get the kids to use iCloud Keychain instead.

As for "what's the rush". 1P7 will receive updates for now, until it doesn't, and at some point an update to MacOS or iOS will make it stop working, at which point I will have lost access to my passwords. I much prefer to be in control of when that happens :)

[1] https://outercorner.com/secrets-ios/


I feel like Buttercup [1] doesn't get enough attention. Open source, available on all platforms, and has imports from multiple other password managers. If several people offered a small monthly donation for some time, we'd all be in a more competitive situation with password manager companies whose interests drift from our own through time.

[1] https://github.com/buttercup/buttercup-core


Apple user for over 20 years. I loved my powerbook 4g and loved the first iPhones. Even though they were not the first mobile nix systems (love for the n770 Nokia tablet with Debian and root!), I felt empowered being able to hack them easily, getting shells running and recording/analyzing sensor data on them.

I feel more and more uncomfortable in the Apple / iOS ecosystem. It’s getting closed down and commodified. Even when there is something cool in terms of tech, they know how to spoil it.

Instead of dealing with Pegasus head on and starting to fix the security culture of iOS/Mac, they make our systems less secure (less open and less hackable).

I find it sad that there are no viable alternatives for non-tech users. I switched last week to a Librem 14 with Arch Linux, KeepassXC and a pixel 5 running grapheneOS, Miiband 6 with GadgetBridge, a System 76 for work. I honestly love it, there are some hiccups, yet it feels exciting, similar like switching from Microsoft to Apple did 20 years ago.

Also moved from programming objective c / swift to rust, elixir and flutter/react. That seems where the innovation happens today for me. As I work in research I have the privilege to easily switch … we need better alternatives and I feel even stronger about supporting open source and projects and companies that care about it (pine, purism, system76, mozilla, …).


I've been a happy user for over a decade (with a little break in there when I relied on iCloud Keychain), and happily transitioned to the subscription model when it came out. Frankly, it just made more sense - I use it on a ton of different devices, and buying a standalone version for each one cost more than the sub does.

I'm also not worried about the Mac app moving to electron - I interact with 1password via my mobile or browser plugin 99% of the time anyway, so I just don't really care.


> I'm also not worried about the Mac app moving to electron - I interact with 1password via my mobile or browser plugin 99% of the time anyway, so I just don't really care.

The main 'customer benefit' claim for the electron switch (as opposed to the 'developer benefit') they are pushing is 'consistent UI across platforms' so your view exemplifies that, at best, there is really no customer benefit to the switch.


I have the last non-subscription version on my Mac, PC and phone. They sync through Dropbox.

The chrome extensions stopped working a few years ago so I got into the habit of just manually searching, cutting and pasting my passwords, and saving new ones. I don’t even think about it and it’s very easy. Paying $3/month to have it automatically populate the user name and password fields isn’t worth it for me, especially when the browser does this pretty well once you input it the first time.


The main 1password extension for chrome stopped working with the standalone app, but the original extension is here under a different name: https://chrome.google.com/webstore/detail/1password-extensio...

I use it dozens of times a day and it works great. It's not as nice as the modern one that works with the subscription/hosted service but it'll certainly be better than what you're currently doing to muddle through.


They cut off Brave support but it still works in Chrome on Macs. Just a matter of time before all browser support is gone.


Nah. I'm good. See ya 1password.


Yup, I'm out of here as well. Been using them since 2014, been frustrated since they heavily push you toward using their cloud, and now this shit happens.


This is disappointing. I have been using 1Password for a long time. I'm not opposed to the subscription model per-se, particularly for critical software to ensure it is supported.

But I don't want or need my passwords in the cloud. I don't want or need it to be an electron app. I want a simple, lightweight, highly secure, with good UX password manager. 1Password used to fit that bill. With each successive change it moves away from that.


Is there a single reason to use 1Password instead of Bitwarden? Bitwarden has a better UI, supports all the same platforms (including browser plugins), lets you easily manage true separation between profiles (unlike 1Password, which essentially forces you to use a single master unlock for say work and personal), and most importantly, lets you self-host. And it's free. 1Password is consumer-hostile and an inferior product.


I would not say Bitwarden has a better UI. Though I guess that's an opinion thing, but oof, is Bitwarden's UI bad. It's almost actively painful to use for me some days. The extension isn't as bad as the desktop app, but the iOS app is absolutely atrocious.

I still use it because I'd rather pay $10/yr instead of $36/yr. But I wish Bitwarden would take some time to actually make the app not awful in the UI/UX department.


KeePassXC with Dropbox works well and is super secure!

It accepts Yubikey, is open source, has good reputation and is free.

But please donate. Developers spend a lot of work on FOSS of all kind.


Fuck these guys. Seriously.

I've been using this product since 3.x. I chose it because I could use a wide variety of syncing solutions. It did what it said on the tin. Gave me a place to store my passwords that was secure.

I was a happy user buying upgrades whenever they came out until 7.x where it took me over an hour to figure out how to buy the non-subscription/cloud version and instead find the link for the standalone version.

I paid for versions that I honestly didn't have any features I cared about simply because it kept doing what I wanted it to do.

Gone are the days when you can buy a hammer, and use it to hammer just as many nails as you like until it breaks. Now we have to rent a goddamned hammer apparently. Even that wouldn't be so bad if I could still keep my passwords out of their cloud provider.

They've fucked up, they don't think they have.

So what are the options for someone who just wants a simple place to store a bunch of passwords encrypted in a secure way, with decent clients for iOS/Mac/Windows/Linux, that lets me be the only person who has their hands on those encrypted bits?


I hear good things about Bitwarden.

https://bitwarden.com/


I spent an hour setting it up. The export worked well from 1P, but you get to the very end to find out that "features" like a functioning 2FA code generator or image storage are premium features that require, guess what, a subscription.

Damn it. It's only $10 a year but i'd rather buy it outright the way 1P allowed me to in the past.


I like to keep my 2-factor generator separate. There are already a lot of keys in my 1password kingdom. Good to keep some things in a different safe.


If only there was a separate 2fa generator with a browser plugin to autofill, that's really the killer feature.


I love 1Password and I'm happy to pay a subscription so they can continue to run a useful service! Thank you 1Password team!


I am a subscriber, and I was a standalone customer before. I've tried to self-host bitwarden-rs, but found the UX and browser extensions to be subpar - and I want my wife and parents to use a password manager, too.

It runs well. However, I do not trust their cloud (or any cloud) completely. I still have a local vault, which is synced locally over WiFi, with passwords to my router, NAS, bank cards and accounts, and mail accounts. The idea is that should there be a breach at 1password.com, the critical accounts do not leak and the damage is limited.

Edit: Local vaults are not available anymore: https://1password.community/discussion/121638/what-is-the-fu...

I have to look for another solution, then. The all-in-cloud bullshit is not acceptable.


This is terrible news. I am thinking the push to subscription related to their recent fundraising round.

I am happy paying upgrade price for each new version of 1Password but I hate the idea of a subscription.

Dropbox syncing works well for me.

1Password has done almost everything they can to stop people from using the standalone version. I am disappointed and angry.


Maybe I'm missing something here, but I've never understood the value of any of these password services. How can it possibly be more secure to have your entire digital life hackable with a single cloud based point of failure? Surely it's safer to simply use an encrypted text file on your local PC.


Hi. I'm a features developer for 1Password. You raise a very good question (one that I used to have myself, before I started working here). I would recommend you read our security whitepaper (https://1password.com/files/1Password-White-Paper.pdf) if you want details, but the TL;DR is that we don't know your account password and our servers only store your encrypted information (which we cannot read), and communication is done over HTTPS with an additional layer of encryption via the SRP (Secure Remote Password) protocol. You also might enjoy this blog post: https://blog.1password.com/what-if-1password-gets-hacked/
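
The comment above describes the design (the server holds only a password verifier and ciphertext, and authentication runs over SRP on top of HTTPS). As an added illustration that is not 1Password's code and makes no claim about their actual parameters, here is a complete SRP-6a exchange in stdlib-only Python. The group is the 1024-bit one from RFC 5054 (transcribed here; check it against the RFC before reusing it), SHA-256 is the hash, and the usernames/passwords are constructed sample input. The point it demonstrates: at registration the server receives only `(salt, verifier)`, the login exchange moves only `A`/`B` public values plus a hashed proof, both sides still arrive at the same session key, and a wrong password simply yields mismatched keys without the password ever leaving the client.

```python
"""SRP-6a (RFC 5054 style) with SHA-256, stdlib only. Added example, not 1Password's code."""
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054, Appendix A. Verify against the RFC before reuse.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3",
    16,
)
G = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def _pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires for hashed values."""
    return n.to_bytes(N_LEN, "big")


def _hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = _hash_int(_pad(N), _pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def _x(salt: bytes, username: bytes, password: bytes) -> int:
    """Private key x = H(salt | H(username ':' password)); only ever computed client-side."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return _hash_int(salt, inner)


def register(username: bytes, password: bytes):
    """Enrollment. The client sends (salt, verifier); the password and x stay on the client."""
    salt = secrets.token_bytes(16)
    v = pow(G, _x(salt, username, password), N)
    return salt, v


def client_start():
    a = secrets.randbits(256)          # client ephemeral secret
    return a, pow(G, a, N)             # A is sent to the server


def server_start(v: int):
    b = secrets.randbits(256)          # server ephemeral secret
    B = (K_MULT * v + pow(G, b, N)) % N
    return b, B                        # B is sent to the client


def _scrambler(A: int, B: int) -> int:
    u = _hash_int(_pad(A), _pad(B))
    if u == 0:
        raise ValueError("u == 0, abort exchange")
    return u


def client_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("bad server public value")
    u = _scrambler(A, B)
    x = _x(salt, username, password)
    base = (B - K_MULT * pow(G, x, N)) % N
    S = pow(base, a + u * x, N)
    return hashlib.sha256(_pad(S)).digest()


def server_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("bad client public value")
    u = _scrambler(A, B)
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(_pad(S)).digest()


def client_proof(A: int, B: int, key: bytes) -> bytes:
    """M1 = H(A | B | K): proves key possession without revealing K."""
    return hashlib.sha256(_pad(A) + _pad(B) + key).digest()


def server_verify(v, b, A, B, m1: bytes) -> bool:
    expected = client_proof(A, B, server_key(v, b, A, B))
    return hmac.compare_digest(expected, m1)  # constant-time compare


def run_exchange(username: bytes, password_at_login: bytes, salt: bytes, v: int):
    """One full login: returns (client_key, server_key, server_accepted)."""
    a, A = client_start()
    b, B = server_start(v)
    ck = client_key(username, password_at_login, salt, a, A, B)
    sk = server_key(v, b, A, B)
    return ck, sk, server_verify(v, b, A, B, client_proof(A, B, ck))


if __name__ == "__main__":
    salt, v = register(b"alice", b"correct horse battery staple")
    print("server stores verifier only:", v.bit_length(), "bits")
    print("good login:", run_exchange(b"alice", b"correct horse battery staple", salt, v)[2])
    print("bad login:", run_exchange(b"alice", b"wrong", salt, v)[2])
```

What this does not cover is the part the commenter summarises as "encrypted information we cannot read": the vault key is a separate client-side derivation and never enters the SRP exchange, so a compromise of the stored verifier still leaves an attacker with an offline guessing problem rather than the vault contents.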


>the TL;DR is that we don't know your account password and our servers only store your encrypted information (which we cannot read), and communication is done over HTTPS with an additional layer of encryption via the SRP (Secure Remote Password) protocol.

I understand that my data is safe with you guys at rest. I'm sure your security protocols are top notch. But it's all about attack surface. Things can and do go wrong on the internet all the time. Bits get flipped, certs expire, DNS cache gets poisoned, employees get phished, and MITM is an omnipresent threat. I'd just rather avoid all of that.


I read the paper when it was published, and wasn't great then and it's definitely not great now.


> I read the paper when it was published, and wasn't great then and it's definitely not great now.

Would you mind elaborating on this?


It's really simple. It just doesn't consider anything unexpected happening.

Compromised algorithms are unlikely. But not impossible. Quantum computing enabling brute force attacks is unlikely in the immediate future, but not impossible. Certificate pinning compromise during transport is not implausible for state actors.

And in those scenarios and others, having the vault stored remotely on someone else's machines is inherently less secure than not.

The assumptions made in the paper are clumsy.


The hits just keep coming. First I have to move off the apple ecosystem, now I have to move off of 1password.


It's so frustrating. The privacy company and the security app are the betrayers.


Done with them. I have been holding out on 1Password 6 for years. The fact that you can’t get the safari extension without going to 7 has had me considering moving for a while. Now it is without a doubt that I will be migrating to bit warden or something similar. Another great product ruined.


For folks looking for a pay-for-it-once app with Mac, iOS, Android and Windows clients, that can sync via Dropbox or Webdav:

https://www.passwordwallet.com/

I've been using this for probably a decade now. The UI is ugly as sin, but it works well. I use the Apple Keychain for almost everything, but for my critical passwords, I have copies in PasswordWallet.

PasswordWallet has one feature on macOS that I've not seen in any other app: auto-type, for those times you can't paste into a password field. I use it rarely, but it's nice to have when I need it.

(I have no idea if the Android or Windows clients are any good. I use it only on macOS and iOS.)


> For folks looking for a pay-for-it-once app

That's what the folks at 1P told us all too..


I subscribed because I had to. I have no time to follow the last changes of a company and its app.

The current app is already bloated by features I don’t use, so I hoped for another evolution of this software.

(i also don’t like the web platform with all those emoji and cheesy design)


I'm chillin with 1Password 4 or something. Presumably some MacOS update will break it due to their use of some hacky undocumented API (like Omnifocus2) but until that day comes I'm quite happy syncing to dropbox. I don't like the insecurity of having to pay for something that stores critical data on an ongoing basis. If it's optional, I can make that choice. I do also like a native mac experience.

That said, I'm sure a lot of people value their current offering for a variety of reasons, and it obviously makes good business sense. I've been burned by subscriptions in the past though, and I don't want to deal with that again if it can be avoided.


I think one of the best things the U.S. government could do would be to buy and nationalize 1password and give everyone a license. Canadians too, since it was one of your companies :-)

I am being intentionally outrageous but do genuinely feel that a good password manager is foundational to good digital security and I find it baffling that it does not come bundled with operating systems or in some other way offered for free. It's such a basic thing that could be done to increase collective resilience to digital attacks.

(And if 1password doesn't want to sell there should be funding for an open source equivalent with a default server hosted by either the government or a trusted nonprofit.)


>or in some other way offered for free

bitwarden is free (and open source) and it has just about every feature that the paid ones have. Sync across devices, desktop and mobile clients, notes etc. One of the best pieces of open source software of the last few years and I have no idea why people are paying subscription fees.


There's nothing better for orgs right now. Every startup I know of uses it heavily internally. 1Password is here to stay, though this opens up the market a bit for a free competitor or open source project to come in and really disrupt things.


I've been buying licenses since version 3 (2013) even after they started to hide the option.

Sad to see 1Password use dark patterns to push people towards subscriptions then twisting that into that people don't want licenses, at least be honest about it.

+1 customer lost.


Oooh, I see, my passwords are far more securely secured in The Cloud then?

How do they plan to stay in business? "We have your passwords now! You would not want to lose them unless you agree to our new pricing policy now, would you?"


"Our prices have gone up, you don't want to lose access, do you?"


This is exactly what happens with Office 365 now lol


I like 1Password so much I don't mind paying for a subscription. But I have to draw the line at no local vaults because there's no other way to keep work data separate without violating company policies.


I've never tried 1Password but I've seen many here who endorse it. Does anyone have experience with both 1Password and KeepassXC? Especially with 1Password local vaults...


I used KeePassXC as the Linux client for 1Password before there was one from AgileBits, and stopped short of implementing _write_ for the opvault format because that wasn't in my use case (and I also had some non-trivial concerns about KeePassXC accepting the PR, so I was trying to pitch it as a way to get more people to import 1Password opvaults)

I would be on-board with implementing the write side to opvault if they'd accept the PR, and would also implement the browser extension protocol server if 1Password would specify it, since as others have pointed out the KeePassXC browser extension is suboptimal

Then again, with all the massive outpouring of Bitwarden support in every single one of these threads ever, I am pretty sure the real solution is just to bite the bullet and jump ship to Bitwarden/vaultwarden like everyone else seems to be doing

I'm willing to stick around long enough to see if AgileBits makes good on their local vault something something, but given the past few years of activity, I'm going with "they're bluffing" or "it'll be a horribly hobbled implementation"


> Then again, with all the massive outpouring of Bitwarden support in every single one of these threads ever, I am pretty sure the real solution is just to bite the bullet and jump ship to Bitwarden/vaultwarden like everyone else seems to be doing

To follow myself up, I seem to have found another "those people don't know what they're missing" situation because I actually did try Bitwarden (Premium) this weekend and what a dumpster fire compared to 1P

I thought about writing up all the shitshow, but ultimately it just boils down to them not caring about their product or users

For some of the platforms, I would actually be on-board with jumping in to fix the innumerable bugs, but with them being a mixed setup (open and "premium" features), the fact that so much fundamental behavior has been broken for so long with no obvious mitigation strategy makes me question whether this is something I would want to invest in


I've only briefly tried Keepass but the UI, the general clunky nature of the UX and such turned me off. To be completely fair, this was 3 years ago when Lastpass was becoming more and more useless and unreasonable. I tried out Dashlane and ended up using 1Password and have been a very happy customer since. I'm not particularly concerned with self hosting or syncing personally


I'm still baffled why anyone on HN would be using anything other than https://www.passwordstore.org/

A dead simple (in the good sense!) CLI program that lets GPG deal with encryption and git deal with synchronization and distribution. It's perfect. And FOSS, of course.

You don't even have to run your own internet-facing git repo for synchronization across devices. You can just put it all on GitHub or whatever.


I've stuck with 1Password for a long time, because it will work on the occasional Windows machine I need to use. However, it doesn't integrate as well as Apple's native key manager. I've been on the fence about just giving it all to Apple, but it's, like, the one thing out of literally DOZENS of services that I use that Apple does NOT control, and it's kind of important. So I'm really conflicted about the whole thing.


Considering the same but keychain always feels kind of like it’s forgotten about with one person in a dusty basement at apple working on it. Importing is weird and convoluted and requires some third-party scripts. I don’t get why they don’t just leverage their unfair position and access to private apis to make a really polished first party password manager.


They said that 97% of their users are already on subscriptions. I get that local vault users are disappointed, but there's an app for you and it's called Bitwarden.

I think 1Password made a smart business decision. By cutting loose the need to support local vaults, they can focus more development energy on other things that 97% of their users will appreciate. It's a numbers game.

That said...Electron? Ugh. I already spend half my day grumbling about the Slack app.


This is a slap in the face to all of their long time customers. To me it looks like a risky decision more than a smart one. Note that new customers just go the subscription path because that is the only option advertised.


> They said that 97% of their users are already on subscriptions.

It is quite obvious from the response here that 97% of their users who are actually paying attention to these issues are not on the bandwagon. They should rephrase it as "we could fool 97% of our customers into switching after years of misdirection and misinformation".


I'm considering buying a MacBook soon and I was thinking about moving from KeePass to 1Password, as KeePass sync between Linux and iPhone was not very nice, but reading this news I'll keep using KeePass. I hate subscription software and I'll avoid it whenever possible. Also, $3/month is just too much for such a simplistic service.

Edit: if it's an electron app, my comment does not make sense, sorry, I'd never buy it anyway.


I highly recommend Enpass -- solid UI, single purchase, local vault, and a very handy option to sync via Dropbox (and probably through other services as well).


Thanks for this! Looks interesting. I feel like I should have heard of it before... any idea why it's under the radar?


I'm not sure it's that under the radar. It's often recommended here in similar discussions.


> And now that we’ve started to roll out the next generation of 1Password apps, it’s time to say goodbye to standalone licenses.

Well, that's the end of my interest then. I had some curiosity after seeing the Rust integration, but I'm not going to pay a subscription fee to sync the smallest part of my day-to-day life. The convenience really just isn't there for me in a subscription. And no local vaults? Double no, please.


Paid third party password managers (without indemnification or other real skin in the game) have always been a dumb idea. This just makes it worse.


The thing I genuinely don't understand, and I really hope a 1P employee can answer for me, if it's true that 97% of your customers are subscription and have online vaults, why not just leave the other 3% alone? We pay for your service, we love it, why not reward that?

It's not like maintaining standalone licenses and local vault storage is hard, it's already there. Just maintain it.


KeepassXC + use your internal browser password manager. Never pay again and comfortable (and secure) on desktop and smartphone.


Does Keepass have 1P import and 2fa code output functions ?


I recommend this every time a similar news item gets posted. Password Safe (designed by Bruce Schneier). I use the iOS and Linux apps and keep them synced via DropBox. Been around for years (I've been using it almost as long). Still getting updates. Still works.

https://pwsafe.org


The only fear I have with 1password (or any password vault for that matter) is that one day they disappear or see great malfunction losing my data. The thought of having to reset my password everywhere is gut wrenching. Some accounts I don't even remember I have them yet sporadically use them. Losing all of it would be a problem.


I've been using it via subscription for some time. Really happy with it.

To be honest, I didn't know it supported local vaults.


I'm using PasswordSafe probably last 2 years and happy with it. Open source, multiple vaults support, good UI, easy click-to-copy after search query. https://gitlab.gnome.org/World/PasswordSafe


> Every so often one needs to go back to the drawing board and rebuild things completely in order to soar to ever greater heights.

No you don't. When you have an awesome product that people love, you just fucking leave it alone. These "rebuilds" always make things worse. See also: Spotify.


Still using v6 and not planning to upgrade


I was pretty stubborn at first, but honestly 7 has a lot of nice features, especially for families. You can also continue to use your old vault, though the announcement here seems kind of vague if this will continue to be true.


Thanks for tip, I might upgrade.

I was just disappointed that I would have to buy the app again in order to upgrade.. because I just couldn’t see why it wasn’t free update.


I gave up with 1Password around version 7 because of the push for subscriptions and switched to Secrets (Mac and iOS) - https://outercorner.com/secrets-mac/


The argument they're making in this longwinded post applies to most software today. Standalone licenses made sense when your life revolved around one PC saving data to its own hard drive. Today, if you want that, there are great free/DIY options.


Subscription based licensing is mostly rent-seeking.

The cloud storage, compute, and egress for a password manager is fractions of a penny per year per user.

Yes, engineering and upkeep and new features costs money. If those features are truly valuable, then the market would bear paying an additional one-time fee, just as photoshop 8 had to be better than photoshop 7 in some way to justify the purchase.*

But what new features could a mature password manager possibly have? Support for newer version of IOS and Android is the only must-have that comes to mind.

* File format changes not-withstanding.


Subscriptions are not rent seeking.


> Subscriptions are not rent seeking.

Subscriptions for expensive products that rely heavily on deals, licensing and huge cloud infrastructure like Netflix, Spotify, etc.? Yeah, that's not rent-seeking.

Now, for an app that stores your passwords, maybe some attachments and, since forever, allowed local vaults, nowadays being intentionally crippled unless you adhere to this, comparatively, expensive annual subscription?

Yeah, that's totally textbook definition of rent-seeking behavior.


Having dabbled in productizing desktop software, I think it's more because of API churn on modern OSes. It used to be you only needed to buy once, and things worked for years. Maybe a modest paid upgrade after a major OS upgrade.

Now OSes evolve continuously. Semantic versioning be damned!


Well, f** 1Password then.

I am currently still using them, but once my current apps are no longer supported, whenever that might happen, I will move to another solution rather than paying a subscription for the privilege of storing my data with them.


I’ll switch to Bitwarden! Wait… Bitwarden is cloud only? Wait… Bitwarden doesn’t allow offline editing? Wait… Bitwarden has a self hosting docker which will end up using more RAM than an electron app?

Uh, I guess I’ll use KeePassXC then.


Well that's the end of me using one password.

Trying to buy 1password 7 with a local vault was literally the most miserable software experience I've ever had in decades, so I'm not surprised not many people were using it.


I'm seeing a lot of "I could do this myself" in this thread.

Okay. Then do it.

Make your own password manager. Make your own browser and iOS/Android keyboard extensions for it. Make your own cloud backup/sync of your encrypted passwords.

Do it.


Can anyone confirm for me. Is it still possible to buy a stand alone license for 1Password 7? I had heard if you download the Mac app from their website it was possible however I can’t see a way


With the Apple iCloud Keychain supporting one-time (the google Authenticator style) passwords from the next major Apple OS release, I have no reason to continue to use 1Password.


I am fine with the subscription but I need local vaults. That said, macos has been making 1Password less and less differentiated, so guess I wont be renewing my subscription.


I switched to Bitwarden a long time ago. I pay for a premium sub now, should probably upgrade to a family plan @ $3 a month just haven't got around to it yet. Worth it.


For somebody who's in the Apple ecosystem it seems to me that a password-protected Numbers file should suffice. Are there security implications that I'm missing?


Due to forcing me into the Subscription model, I migrated to Bitwarden recently and never looked back. It’s been working flawlessly for several months now.


Migrated from 1Password to Bitwarden, much MUCH happier.


Between this and the Electron news, is Troy Hunt (haveibeenpwned creator) still going to endorse 1Password as his recommended password manager?


Well, it would be really strange if he didn't endorse his sponsor.[1]

[1] https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...


More recently, he also joined their board of advisors last year[1].

Have a TON of respect for the man, just a little surprised/disappointed these recent moves happened under his watch and would love to hear his unedited take on it all.

[1] https://www.troyhunt.com/ive-joined-the-1password-board-of-a...


Well—that’s it for me, I guess. Used them for years, but I’ll switch to the standard Apple password manager.

I believe in buying my software once. Not monthly.


I absolutely hate that it moved to subscription and have since migrated completely to Apple iCloud Keychain since it now supports OTP 2FA.


Sounds terrible. Doing fine with keepass + dropbox.


Does anyone have experience migrating from 1Password to an alternative? Hoping there’s an export data from 1Password solution at least.


I'm glad I've been using Bitwarden anyway, I guess, but to me, this is totally unacceptable for security-critical software. You absolutely need to make it possible to self-host. If you're content to only ever be available to low-information, low-effort individual consumers, fine, I guess that's a market, but you've locked yourself out of ever being able to sell to high-security organizations that can't use public cloud services.


I actually don't have a problem with this, but I do have a problem with press releases that are sprayed with emojis. It's incredibly unprofessional and gives a real amateur flavor to the whole thing, which for security software is really offputting.


Looks like a forum post to me not a press release?


It's obviously more than that, with titled paragraphs and embedded images, this is a prepared statement pasted into a forum.


That's been their M.O. for years. I get their emails, and they are similar.


To be pedantic, it looks like it's actually an official reply on a community forum, not a press release. Also, thinking that the use of emoji reflects the software quality is a mistake in our current culture.


Sure it does. It does in the same way if you would use purple bold text in script font. The point is that it’s completely unnecessary.

Imagine emojis in IETF RFCs. No thanks.


Another problem with emojis is that it is not clear what it means to different people. Recently read in the WSJ that young people find smiley faces passive-aggressive or patronizing, not friendly or positive.

Admittedly, there is a similar problem with words, but there are at least dictionaries for them. :>


It's not a problem.

They have an established reputation.


I love normalizing emoji use. It's actually harmonizing the depictions, because they can be wildly different across platforms, and until that occurs it's part of an ongoing gag where it's funny to imagine how messed up they render on someone's phone.

Like, imagine it's only Gen X that complains about this, and they are the equally out-of-touch BlackBerry user whose device renders all the emojis in some messed up but hilarious way; then it's a great way to make fun of them without saying anything and just keep bombarding them with an incommunicable internet, while the rest of us don't mind and some of us are also in on the joke.


Maybe ask yourself "Why?". It is a much more fun, not suit and tie kind of announcement.

This is also a consumer product, not enterprise.


It's too much fun for me too. Blushing faces and clapping hands look like kindergarten drawings, not consumer-oriented at all. I guess some people are more serious than others. :-*


I've been looking for a reason to switch to gopass completely. Thanks AgileBits!


Next "feature".

We'll scan your passwords so we know you're not a terrorist.

wink wink


They already do this, it's called Watchtower

https://support.1password.com/watchtower/


Yeah but it was opt-in and you could have local vaults only. Not anymore...


That should fit perfectly into the iphone ecosystem. (considering the recent scanning news)


When we talk about local vaults, does that also include iCloud?


app.keeweb.info with drive sync... good way to go


God bless KeePass with sFTP plugin.


Three bucks a month?

They just committed suicide.


Just use Bitwarden...


Obligatory BitWarden link: https://bitwarden.com/

A good open-source alternative, I've been running it for a few years after I grew tired of 1Passwords shenanigans.


Ugh


Bitwarden.


I don't see any real security model here. Online-only is insecure by design. Hopefully for customers who stick around the user experience continues to be first class, at least, but I have my doubts about that as well. I don't know anything about this company or who makes the decisions, but as a user, in my opinion, 1Password used to make every decision in a way that I would have considered correct. 1Password made good decision after good decision after good decision as they grew as a company over the years. Every decision was user and security focused, and the product was consistently excellent. Those days are over, apparently. From my perspective, there has been a massive shift in company/product values since the shift to the subscription service. I wish them well.



