368 comments

[ 3.9 ms ] story [ 315 ms ] thread
BitWarden to the rescue!
BitWarden gets so many things right that using other password managers can only be the result of inertia.

And its has an open source client, plugins, and server--with instructions on how to setup your own instance if you want to. This is vital, not because I want to run it myself, but it provides a check in case the company is ever bought out or starts blowing it on policy.

IS the experience using that good? Are their iOS and macOS apps "good enough" for critical password storage?
Yup. Been using it as a daily driver for a while now as a 1Password replacement. Does everything I need.
Yes, Bitwarden is a very smooth experience. I'm using a self-hosted backend via the unofficial bitwarden_rs server and very happy with the client applications. My family is able to use it without any hangups, which can't be said for something like `pass`.
I’ve never used it, but the desktop app is Electron
Removing a feature that has a huge chance to cause an unknowing user to shoot themselves in the foot. Sure, it should have had a mention in the the changelog, but I think this is a completely sensible thing to have done long term. You can still sync with Dropbox or the app over WiFi which shows me they're not doing this to force you into some subscription.
Sure, there’s good reasons why you might remove it but the subscription model reason is more compelling to me, a long-time user. I’m still with them for now but my trust is significantly reduced and I’m shopping around.
I don't agree because they removed a feature that, frankly, would just cause a user to lose all their passwords if they lost their device. There's still two other sync methods that don't use their service, and one of which is direct to another device without going through a third party.
The best case scenario here is they are terrible at communicating changes that might have a significant impact on my workflow. But that’s only if we look at this single incident and ignore other significant changes, also with reasons but also trending toward subscription and also with poor communication. This is why it is significant that I am a long term user. I’ve felt that push and it informs my perspective.
WLAN sync is only available in the subscription version though, you can’t use it with the standalone licence. Quite bizarre since the standalone licence is the one more likely to want it.
Hi manicdee. Ben from 1Password here. I'm sorry for any confusion we've caused, but this is not correct. It is quite the opposite. The WLAN Server in 1Password for Mac can _only_ sync _standalone_ vaults (not membership vaults). It is available with a 1Password 7 for Mac license.
You are confused. I was talking about stand alone licences, not stand alone vaults.

I will not use a 1Password.com account regardless of the country it is hosted in because I do not trust AgileBits or any government, especially not a Five Eyes entity.

Despite the lengths that AgileBits have gone to to hide the option of buying a stand-alone licence, there was one page which I can’t find now listing the benefits of each licence side by side, and it clearly stated “no wlan sync” and “no multi factor authentication” in the column for licence over subscription.

The rest of the language tries to make it sound like a good thing to have my secrets hosted on a site I do not control. In the end I bought a subscription — purely for access to wlan sync and OTP — because it’s about the same price I have been paying for previous paid upgrades and Pro features.

Also note that for 1Password 6 users who bought the Pro features, the upgrade splash screen states that 1Password 7 is a “paid upgrade” not a “subscription required for Pro features”.

For the moment I will be treating the 12 month subscription as an opportunity to explore other options before the subscription rates inevitably rise and the feature set moves inexorably towards hosting over private vault management.

Not. Happy. Jan.

Wow, this is tremendously bad communication from their team. I don't care about the local vault feature, but the lack of empathy in the responses from AgileBits is certainly making me reconsider my family account.
I think it's more just fatigue. The user was getting really combative in their responses, and eventually you learn to just shut down emotions when you encounter that.
Where was the user getting combative? They seem to have done a stellar job in talking with support in a polite and informative way.

Whereas the company literally removed a non-trivial piece of functionality without a single mention of it in Release Notes, and then disengaged from the topic once other people came in and pointed out that this is a) bad, and b) probably a blatant attempt at pushing people into the subscription model.

Overall, I know what password manager I'm not touching now.

Having dealt with a number of interactions like this, it definitely felt like the user was trying to lead the support staff into a pothole. Its just the way the questions were asked.
Interesting. I feel that's a "damned if you do, damned if you don't" case. Is there no middle ground between being completely helpless and "trying to lead the support staff into a pothole"? How would a proper support request from a person who understands the product and their own use cases look like?
Perhaps. I asked my roommate how she felt about the thread and she described that same feeling. Us humans can sometimes pick up on things weirdly I guess!
Skimmed the thread and it didn't come across all THAT dramatic. The user was obviously frustrated, staff apologized repeatedly, and did a fair job answering most of his technical questions.

His key beef is they neglected to mention the change in their release notes, and the optics of the oversight could be perceived as a covert move to push people toward their cloud service. I'm surprised they didn't apologize for the release notes oversight (whether or not it was inadvertent) - they kind of act like it's just another benign collateral effect that will only impact a handful of people.

Sure, maybe he's on a free plan, but when I shilled free trial versions of my software I tried to treat all [existing or potential] customers with white gloves - even the irritating ones.

@TroyHunt are you out there; any thoughts on the software change?

The user got combative when they didn’t address a core piece of his concerns: that they didn’t provide notification. I empathize with not wanting to deal with a combative user but when that user happens to actually be right and when the negative consequences are all of your own making, my empathy starts yielding to my low tolerance for “tomfoolery”. If they were fatigued they did it to themselves.

Additionally, this is asynchronous communication. Take a breath. Recover. Do it right.

That’s the biggest mistake I see in that thread: all of the apologies are immediately followed by responses which are, at best, dismissive or, at worst, defensive bordering on vindictive.

That person probably got testy because they were being treated so poorly.

I don’t think I saw any validation of a reasonable concern—which is like customer service 101—let alone any type of attempt to win the user (back) over. This is classic, stereotypical techie behavior and it needs to die. And I say that as a developer (who has been plenty guilty of this tendency myself…)

Wow. This user on the “free plan” has quite an attitude, and is yet receiving a heap of support from Agilebits.
What? Seems to me like the core question the user had (free or not) was a) was this removed? & b) where and how can I read about its removal, it’s not in the notes?

None of those questions were answered without repeated requests for the information. That’s shady. What exactly are you seeing that I didn’t?

Yup. They must be A/B testing AI-generated support discussions, because that's the only explanation I have for why someone would call a perfectly reasonable support request as "having an attitude", and the avoidance to engage with it "heap of support".
I agree. This is just another example of why freeware or free tier offerings can be a bad idea. Suddenly you have a large population users who will never convert yet are perfectly happy to suck up support hours.
“Convert”? Support challenges your existing users are facing due to your changes is not going to help conversions. Shady.
I think you miss the point. Having a smaller number of paying customers means you can build a more focused product and not cater to so many use cases. It also gives you a remedy when a customer feels wronged. In the case where they pay and are unhappy you can refund their money. In the case where the user didn't pay you have less recourse.
This isn’t freeware. Previously we paid for a standalone licence which cost more than the current yearly recurring licence cost.
I'm guessing this user is like myself; someone who _purchased_ 1password back when it was $40-60.

Yes, I appreciate the fact that they're continuing to support things, and I am glad that they're finding a revenue model that supports their team, but I very much like my current setup and still haven't upgraded 1password on my Mac past version 3 because I like the old model. Skipping updates on iOS is much much harder.

I would probably pay a flat $40 again for an upgraded version with a standalone license if such a thing were still available.

> I would probably pay a flat $40 again for an upgraded version with a standalone license if such a thing were still available.

The v7 standalone license is still available.

https://1password.onfastspring.com/in-app/1password-7-for-ma...

Interesting. I had no idea, and would love to find any sort of copy about it on their website. How long does support last? What exactly am I buying?

I must confess the interaction in TFA makes me much more reticent to do something outside the beaten path...

If I have to paraphrase and use a popular dialogue, the first rule of the standalone license is you don’t talk about the standalone license. You won’t find anything in the website. You’d have to email support to figure out how to buy it. It’s that big a secret.
I'm a paid licence holder for 1Password, but am uncomfortable with being more and more forcefully pushed into using their cloud-based subscription service (which while I use for work, I'd rather _not_ us personally).

What're people's experiences with alternatives to 1PW - ones that do device-device sync and work at least across iOS/macos and ideally integrate nicely with browsers and apps on both those platforms? Is BitWarden ready for prime time for something as critical as secure password storage yet? Does it's iOS app take advantage of the secure enclave features of iPhones?

(comment deleted)
Not sure how it would work with iOS, but keeweb (or keepass) .kdbx files sync really well via syncthing. Even to my mobile devices.
I had my whole extended family on 1PW. We've all switched to Bitwarden (after a few transgressed to LastPass, but that's behind us now), and we're happy.

Having the developer respond quickly on email is delightful, it works great on Ubuntu, macOS, Windows, Chrome OS, Android, Firefox, and sharing credentials between accounts works seamlessly.

How's BitWarden at autofilling forms on webpages? Does it work in Chrome on Android (or other mobile browsers)? Can you authenticate with a fingerprint? Can you force a non-fingerprint method after device reboot or a certain period of time?

I might have a closer look at it myself.

> autofilling forms on webpages

It works fairly well. Some sites (banking, mostly) don't work, but the UI lets you easily copy the username or password so you can paste it where it should go.

> Does it work in Chrome on Android

Yes, and Firefox on Android.

> Can you authenticate with a fingerprint

That's how I have it set up.

> Can you force a non-fingerprint method after device reboot or a certain period of time?

Maybe? I haven't seen (nor looked for) that feature.

Autofill on desktop is pretty amazing, I never had problems. On Chrome Android it uses the autofill APIs and is quite good but not perfect.

You can authenticate with a fingerprints and afaik no, you can't force pin after a reboot/period of time.

I never had trouble with it regarding that part and still recommend it. It also accepts 2FA with an YubiKey.

I second Bitwarden. Possible to self-host, open source, and works everywhere I want to.
KeePassXC is FOSS, free of cloud nonsense, works fine on desktop, and has integrations for most browsers. I have no idea about the iOS situation, but on Android KeePass2Android provides global autofill and works with a ton of storage providers (everything from Dropbox to bring-your-own-SFTP).
On iOS, there’s KyPass. It plays nicely with the Linux and Mac versions of Keepass, syncs with Dropbox, supports Touch ID, etc. There was a reasonable one-time purchase price, I believe.

I switched to the Keepass world a while back when 1Password started to try to nudge me into paying a monthly fee for software that I already paid for on multiple platforms. The Keepass variants aren’t as slick but who cares.

I actually _do_ care enough about "slickness" to be prepared to pay for it. I want to be able to keep my encrypted password db off other people's computers though - using 1PW's cloud service requiring Dropbox for multi device sync is not what I'm after...
I paid about 50$ or so for it with no complaints. I’m not willing to pay that plus a subscription fee for what is, at the end of the day, a small encrypted database.
I don’t know about the secure enclave, but I can anecdotally say that I’ve been using Bitwarden seamlessly across iOS/Windows/Linux for a while now. It uses the convenient auto fill api thing on iOS and the extension is pretty good on desktop as well. (Although I haven’t worked with it on Mac)

Haven’t had any issues, I switched from LastPass and the only feature I miss for personal use is password sharing. I think it was in the free version of LastPass but not part of Bitwarden. I didn’t really use that feature much anyway though.

I use it daily on a Mac. Works great, just like it does on Windows/Linux/Android. Can't comment on iOS.
I've been using Bitwarden since just after it launched. I've yet to have any issue with it. The desktop, browser, and mobile clients are all seamless and... well, just work.

I was part of the LastPass exodus after their acquision and used 1Pass with Windows and (then) OSX. The lack of Linux client was a hassle, and eventually left me shopping around. I tried Keepassx and the others, but I ran into issues with sync (most likely my error.)

I saw Bitwarden mentioned here and gave it a swing. Importing everything only took a minute, and I haven't looked back. It works on all operating systems, has 2FA, etc etc. It's perfect for my needs.

At some point in the future I may go self-hosted.

yup. similar journey. I think LastPass is going out of business - we were enterprise subscribers last year and it was impossible to get in contact with support when our license expired. couldn't even get in contact with a sales person - they literally didn't want our money anymore. Switched to BitWarden and am so much happier with the interface and such better pricing than 1password, plus i feel have always been upfront with their product development while 1password has been, um, sorta shady, imho.
that's crazy about LastPass. It was a decent product for its time, but password managers evolved quite quickly over the past few years.

My beef with 1Pass is that they charged around $35 - $50 for their standalone product during the exodus, and about a year later moved to their subscription platform --- pretty much abandoning development for the standalone users. The OSX application was far less buggy than the Windows client. And when you needed to grab a new copy of the standalone client, it was buried on their site in a FAQ.

1Pass should have offered a few months for free to pull the standalone folks over to the new service, but instead they said 'we don't have any offers, but feel free to contact sales' -- which is a difficult sell when compared to the newly polished Bitwarden that works on all systems and browsers out of the box without any requirement for payment or a subscription.

All this said, we're technical people, so we're more aware of sketchy practices and are quick to jump to different products, and may not be their target -- especially with their previous lack of Linux support.

FWIW, at work the 1PW cloud/subscription thing is a _very_ good thing, and easily worth what we pay for it.

I just don't want to have my personal password db on other people's computers, and their ever more forceful pushing to get me off the standalone apps synced between my devices over wifi has _finally_ got me looking around for alternatives. I'm _totally_ happy to pay for an alternative - I _do_ value software (especially this type of software), and Id love to be sure whatever I use has a reasonable change of being around (and being successful) in the timeframe of at east 5-10 years.

Bit I totally get that AgileBits are heading in the direction where my work is their target customer, and I am not. That's fine. I'm pretty sure I'd be making exactly that same decision if I ran/advised AgileBits.

> Is BitWarden ready for prime time for something as critical as secure password storage yet?

It works pretty well, but the user experience eventually drove me back to 1Password:

https://news.ycombinator.com/item?id=19839087

#4 in particular.

Does it auto lock? That sounds annoying. Saving passwords not as big of a deal, but definitely for filling in passwords.
You can set timeout on auto lock or put it on different settings such as browser restart, OS restart, or never.
I took one look at BitWarden and, as a security person, ran the other way when I saw the CLI expects you to enter your password on the command line in order to operate it. This password gets exposed in your shell history, to anyone who can view a process list, etc.

If a company writing a security product can be this incompetent about something so basic, I don’t have any interest in gambling that the rest of their product is any better.

You mean the cli doesn’t prompt you to type the pwd separate from the cli command itself, akin to how Postgres ‘psql -p’ works?
It does. In fact, when you --help in the cli tool the first example it suggests is to login with "bw login" command which is the default way.
Did you actually try using the CLI tool, or did you only read the documentation? The documentation isn't super clear, but in actual usage your password (nor your email) doesn't get entered into shell history or otherwise.

You can pass your email and password as arguments to the "bw login [email] [password]" command, which will put them into your history, but the default way of typing "bw login" will then prompt you for them both, masking your password just like any other CLI tool does.

If if you can do this, the fact that the documentation encourages you to do otherwise is extremely worrisome. Securely-written tools shouldn't even allow you to do this in the first place, much less promote it.

https://help.bitwarden.com/article/cli/

I don't think it's extremely worrisome. The arguments are in brackets a.k.a. they are optional. If a user doesn't know that they probably shouldn't be using the command line tool in the first place. Besides, if you run help on the cli tool the first example it suggests is "bw login" (without the arguments).
Regardless that this is one way to operate it (just like many CLI commands can also prompt for password) you're aware you can tell your shell to not save commands to its history?
Are you able to make local, encrypted backups and view them later with offline software?

Any password manager that doesn't offer this is a non-starter for me. I don't want to be caught unawares when the vendor who makes my cloud-based password manager suddenly goes out of business (or if it's suffering a network outage when I really need to log in somewhere).

The cloud component is only for synchronization of passwords between devices. No network connectivity is required otherwise.
The subscription service is just used to sync between devices, i.e. the app works completely offline once synced. You can do the same with Dropbox without a subscription, but in that case you'll need an app license (which you can no longer buy separately). The subscription bundles the app license + syncing, for $2.99 a month.
Thanks for the responses. Not sure why my question (/opinion) was downvoted below zero, maybe it's obvious to 1Passwd users, but in any case I appreciate the answers.
Wonder how many people this actually affects? The affected user admits they have a really unusual use case.

I thought AgileBits was fine with their responses. The last thing you can do is give people like this any hope. Be clear that you’re not going back to the way things were and stick to that.

The feature has been specifically disabled in the iOS app, still available on macOS for now.

It's extremely disappointing that the staff are being so evasive regarding their communication. For a product that is necessarily built on trust, that's the last thing that I want to see.

I'm not defending the semi-aggressive users here because I don't use 1Password and didn't fully understand the support forum thread. But I think this illustrates something larger that the tech industry doesn't really understand: the world is seven billion edge cases. No two users are alike and no assumptions should be made about them.
1password seems to be slowly but surely inching towards pay-by-month model for all users, which is I assume great deal for them (persistent recurrent revenue!) but terrible deal for the user (once you are in, you are on the hook forever or you don't get access to your precious passwords). I've been a happy user of 1password for a decade. Looks like it's time to consider alternatives?
>once you are in, you are on the hook forever or you don't get access to your precious passwords

You can still view your passwords after your membership is cancelled.

>Looks like it's time to consider alternatives?

I've switched to Bitwarden and haven't looked back. It's not as 'shiny' as 1Password but they seem like a great company and everything works for me so far (using iOS, android, macOS, Ubuntu, and Firefox).

I used to always think I would have a local copy of my passwords but that suddenly became not true based on someone else’s whims.
Hi callalex. Ben from 1Password here. I'd like to hear more about this situation. 1Password does indeed keep a local cache of your data and even if you cancel your subscription you continue to have read-only access. Would you mind reaching out to support@1password.com to elaborate?
> You can still view your passwords after your membership is cancelled.

You can now. But for how long? How long it would be until you need to reimage your computer or install it on other platform and new version would demand membership?

The problem here is not that it won't work right now. It's that once this mode is not supported, even if it still works you're on your own. Like using out-of-support software version - maybe it works now, but you better to have a migration plan, or one day in the future you'd be in a big trouble with nobody to help you. And passwords to every site you have login on is not exactly the type of information you want to take risks with. You need to trust the provider they have your back here, and if they are not interested in supporting users that paid their licenses but are not providing recurrent revenue, then you better have plan B.

They are already at this point. You have to use the legacy versions to avoid pay-by-month. I'd happily upgrade and pay them for new features, but I don't want my usage and data to be held hostage by them if I choose not to upgrade.
Hi chrischen. Ben from 1Password here. We do support standalone licensing and vaults in the latest versions. Please reach out to us at support@1password.com for more details. We definitely want to encourage everyone to use the latest versions, which is one of the reasons membership is such a big push for us (as it includes access to all of the latest versions).
I think 1password is great and use it myself.

I tried to have a family member set it up and it was really hard for them.

What do people think about a simpler service that relies on SaaS and you owning your primary email address. The service is called nopassword and you log in via a link that is sent to your primary email address. When you log in you see a hashed email address that ends in @nopassword.com. to add a new account.

To add a new account you change your email at that account to the hashed email address that ends in @nopassword.com. The nopassword service will automatically detect this, confirm the email address change, and reset your password. From now on you can find your password in the nopassword website or client.

Because every service uses a new unique email address you have the privacy and spam filtering advantages of Apple ID. Since almost every web service lets you register by email and reset your password by email it is compatible with almost everything.

After you log into a service nopassword will reset your password 16 hours later. This way intercepted passwords can never be used for long. And if a webservice has a breach nopassword will proactively reset your password.

The nopassword service will have clients for iphone/android/chrome/firefox/safari that word with native authentication (FaceID, etc.) to get in the client after validating with your primary email on install.

Would you use this?

No. If a SaaS service can automatically set/reset my password without any intervention on my part, that means I have passwords, in unencrypted form, sitting on a third-party server I don't control. What happens when (and it is when, not if) "nopassword" is breached?
Some services are more secure than others, 1password and Okta never saw a large breach as far as I know.

If a breach would occur the race would be on to reset the password before the hackers would change the email address.

You can imagine having 1% of canary accounts that give a big alert if their email is every changed leading to a race to see who can reset accounts first.

They key difference around the risk of security breaches between this proposed service and 1password is that user data in the 1password cloud is encrypted client-side with a key derived from the user's master password, so there is no way for anyone who gains server access to see the passwords. In the proposed nopassword service, the server would have to maintain passwords in a less secure way, since it would need access to them in plain text to automate setting/resetting/filling them.
I agree it is less secure in that way.
I like the disposable email portion of the idea. I'd very much like to sign up for every service with a unique email address, so I can trace the source of my spam. But I share JonathanW's concerns on the security side of your proposal.
>I just have a very precise use case where for a period of time I only need a local vault with a few items in it.

Any guesses as to what the use case here is?

Maybe secure client engagements and they recycle a device every time a new contract kicks off?
Perhaps travel across borders? Delete all data, throw an SSH key into 1Password, then once across the border, SSH to your main server to restore all data?
Interestingly, 1Password has a Travel Mode [1] that’s basically designed for this very reason.

I travel internationally quite a bit and have become paranoid (as someone whose entire work history consists of being a journalist and a software engineer, I’m almost certainly on several different watchlists) about entering certain countries and even re-entering the US, so I’ve created a travel vault for trivial things and secure notes with important phone numbers in the event of an emergency. It’s great. I restore my regular vault when I’m on a VPN and inside my hotel room or at home.

Of course, to get access to this feature you need to pay for a 1Password.com subscription (though you can restrict access to the vault to specific devices, meaning I could say my travel vault could only be accessed on iOS and not in a web browser, as an example), which wouldn’t help this person.

I understand why a lot of longtime 1Password users were/are angry about the shift to a subscription model. I’ve been a user for 12 years and know the founders and many current and former employees and I was still reticent to sign-up. Ultimately, their security audits of their system is what encouraged me to use it — especially when I acknowledged I was using Dropbox for sync for many years, which negates the security argument (I trust Agile Bits more than I trust Dropbox when it comes to security). I understand the appeal of the “roll your own” approach, but I trust 1PW more than myself when it comes to setting up and maintaining a secure server and sync and encryption too. I have the opposite opinion of LastPass, who I don’t trust — but if one wants to have mobile access to their passwords without having to rely on WLAN sync (which isn’t exactly seamless — I remember before 1PW had Dropbox support and the way you would sync the iPhone version was over WLAN with the Mac app), you have to use a sync server and for better or worse, I trust Agile Bits not just to encrypt my password database but to protect its own systems, more than I trust another cloud provider or myself.

[1]:https://support.1password.com/travel-mode/

I used to use 1password as well, I'm in the process of transitioning to something similar for macOS that I wrote.

The iOS version with swiftUI is in the works as well.

My goal with both the macOS and (soon) iOS app is to do encrypted sync via bluetooth or wifi, with no external server ever seeing your passwords.

That’s how 1Password worked back before it got Dropbox/server sync support. You’d sync your Mac client with the iOS client or vice versa over WLAN.

The problem is that it isn’t a seamless process. You have to initiate a sync on one client or the other. Do you have situations where you might be on your phone and not have the latest database from your laptop or desktop — or two laptops could be out of sync if they aren’t on the same network.

OK, so you set clients to sync at specific intervals in the background — this can work but still might miss things and you’ve now got a client that is constantly polling another.

The reason for the external server is access continence, because any good password manager will keep the databases encrypted regardless of where they are stored. I mean, you want the server the database is on to be secure too — not to mention any browser extension that might exist — but the database itself is the most important part.

A YubiKey or a portable version of KeepassX is probably the best option for the paranoid, IMHO, over local sync (especially something like Bluetooth). Of course, for mobile access you’ll need to be able to plug a USB key into your phone. That’s probably not a problem on Android and hopefully with iOS 13, it’ll be a better iOS option too.

1password has a history of being terrible at announcing product changes and unilaterally making decisions that negatively impact customers. They removed autosubmitting passwords a couple of months ago and then:

- lied about the reasoning by claiming apple mandated the change despite apple's change only affecting safari which I'm guessing makes up the minority of their browser userbase

- consistently deleted comments on their forums that pointed out they could have kept their already existing, working code in place for chrome

I rolled back to version 6 and suggest anyone else do the same.

A couple of years ago they relied on Dropbox for having a online web vault. At some point Dropbox no longer allowed to use the public folder as a web server and the answer from 1Password basically was "if you want an online vault buy a subscription from us".

I had paid well over $150 by buying all their apps and they were forcing me to throw that investment down the drain because they didn’t want to spend a couple of cents a year on hosting my vault themselves.

There was a long discussion in the forum. I moved to LastPass. The UI is not as good but it does the job and it’s free now.

You bought a product with no ongoing maintenance costs. Then demanded that they give you a free additional product with ongoing maintenance costs.

The fact that you bought their product in the past does not entitle you to demand that they build and maintain a free web hosting service. If that's your attitude, then I'm sure they're happy that you're no longer their customer.

How much ongoing maintenance have you paid for with that $150? Is it really zero? What if the app stops working the day after you purchase it?

I mean the apps seemed overpriced in the first place, and due to their decision to change their business model they decided not to provide ongoing support in a way that one might have expected they would based on what the product seemed to be and how their business seemed to operate when you purchased the product. They don't technically or legally owe you anything but nonetheless I would not want to buy anything from them after that.

The idea that they should be happy to lose a happy paying customer is absurd, is that how to build a successful business?

>Is it really zero?

No, it isn't. I'm not sure what brought out the agilebits apologists but they ABSOLUTELY said you were entitled to updates with your license purchase.

Updates to the app. Not brand new products provided for free.

AgileBits is not culpable for Dropbox removing a feature.

AgileBits offered a feature and relied on a third party which is pretty different.
The actual feature AgileBits offered was the ability to construct an HTML version of your vault. They advertised using this with Dropbox to actually make it accessible, but the web hosting part was entirely Dropbox's feature. If you didn't use Dropbox, then the web hosting part never worked to begin with.

I genuinely do not understand how Dropbox removing a feature gets people mad at AgileBits instead of mad at Dropbox. Why does Dropbox get a pass for this?

Like I said, there was a long discussion on their forum examining all this.

AgileBits advertised the online web vault as a feature of 1Password when I bought the software. This can be demonstrated by looking at previous versions of their website on the internet time machine. They were in obligation to provide a solution for that.

The fact that they could have spent cents per paying customer to fix this and they didn't, or that they didn't even offer some form of transition from paying customers to the subscription service is just the cherry on the cake.

>Then demanded that they give you a free additional product with ongoing maintenance costs.

That's patently false. The paid version of 1Password came with "Free updates" as listed on their site. Updates were bundled into the life of the product - if *they weren't, nobody would've ever bought it at the prices they were charging.

>Historically, AgileBits has been very generous with upgrades. Your purchase entitles you to free updates until the next major version upgrade. That means if you buy a license for version 2 of a product, you will get all 2.x releases for free, but upgrading to version 3 might require another purchase.

https://web.archive.org/web/20160304084145/https://agilebits...

Free updates. Not brand new free products. "Free updates" does not mean "if Dropbox removes a feature we'll do a ton of work to replicate that feature and give it to you for free".
I currently have a subscription to 1Password, I have no problems paying for a good service that's well designed, implemented and secure. That being said, I am a student so every dollar counts. Does anyone have experience switching from 1Pass to Bitwarden?
Bitwarden appears to be mostly free, so I'm giving it a shot now!
Hi sayusasugi!

Can you get in touch with us via our contact form (email method) https://support.1password.com/contact-us/ and we'll see what we can do to help you out with that. We were all students at one point in time as well so if we can help you then we'll help.

Just mention my name and this thread in the form. It'll get sent my way.

Kyle

1Password

Yes, it’s quite simple. You just export your data from 1Password and import it into Bitwarden. Don’t forget to delete the plaintext export file after your import process is done.
This kind of thing is why I just use Pass as my password manager, I don't like having to rely on a single company for my passwords, never know when they will make breaking changes like this, or go under. With Pass, the worst case is that the utility stops working on my system, in which case I can just manually decrypt the passwords with the GPG key.
Lots of people in this thread talking about the quality of the customer support here, and I think they're missing the point. The support staff seems to be doing their best to provide reasonable explanations for the changes. But there's a deeper question here about what responsibilities developers of free applications have regarding notifying users about major feature changes. This is just a particularly important question on platforms that don't offer fine-grained user control over application version installation (i.e. mobile).
Why are you saying "free applications"? I for one paid for 1Password.
Not that long ago there wasn’t even a subscription option. We each paid $40 for standalone and I’ve so far been happy with it. When the subscription option came out I politely asked if I we could put this money towards a service credit, and was (also politely) told “no”.
Same. I had paid for all their apps (mac, Windows, iOS, Android) and after Dropbox disabled the web server on the public folder 1Password’s solution was to subscribe. They didn’t even offer me meager discount.
> But there's a deeper question here about what responsibilities developers of free applications have regarding notifying users about major feature changes.

It's not even a matter of responsibility. Doing a change like this and not telling users is asking for conflict. Given that mentioning a change in Release Notes is an insignificant amount of effort compared to implementing that change in the product, I fail to see a legitimate reason to not mention the change.

When you're Facebook and have strong network effects, you can afford boiling your changelog down to "we've fixed bugs and improved performance", and giving zero information about actual changes.

I moved to 1PW from another manager last year. Not planning on changing over this.

With that said removing a feature that allowed iOS users to use the app for free and then not putting it in the release notes is going to look like you’re trying to trick users into upgrading.

It’s obvious that if the release notes specified that it removed this feature, people would have avoided upgrading. That doesn’t inherently mean 1PW meant to trick the users but damn it sure looks that way to me.

They (though admittedly along with many others) have partaken in a terrible trend of switching to subscription pricing for effectively non-subscription services.

Instead of having the option of letting me pay and upgrade if I decide to, I am forced to continue a subscription in order to continue using any version of 1Password (excluding legacy versions).

They do have a standalone license, they just don't make it well known.

https://discussions.agilebits.com/discussion/92275/how-do-i-...

Wow! Probably would have done this had I known earlier, but at this point I feel like if I lock myself in to their platform they'll eventually get rid of this option completely at which point I'd have to find an alternative anyways.
don't bother. I bought the license for mobile and mac when those were the options and now regulated to paying subscription.
I don't think that's correct, they completely support standalone licenses, and you can use Dropbox for syncing across devices. I'm using 1password 6 on my Mac, and 1password 7 on windows, no problem, no subscription.
It is indeed possible to purchase standalone licenses for 1Password 7 for Mac and 1Password 7 for Windows and they can be synced using Dropbox.

- Ben, 1Password

Are you using it on iOS as well? It "helpfully" migrated my upgraded $9.99 or whatever it was for the iOS license to a subscription plan. Would've been fine with the standalone version, but there isn't multiple applications for 1Password on iOS.
Count me as one of the users who are getting annoyed at 1Password’s attempts at recurrent monthly spending. In addition, while their cloud service is probably fine, the best option is to locally sync and not involve the cloud at all.

I would much rather just keep using the “local app” license, which sadly isn’t even available for sale anymore. In fact, I can’t even use my Windows license I bought back in the day.

One of these days I’ll probably just stop using 1Password and move on to something else. Are there any good free/one-time purchase locally syncable password apps that works on Mac/iOS?

I switched to BitWarden from LastPass and 1Password and I couldn’t be happier. You can self host if you want but you still have to pay.
bitwarden_rs is free to selfhost
I use KeePass and sync the database using Google drive / dropbox.

It's free.

Actually keepass (i.e. .net app) or keepassx/keepassxc (Qt fork)?
Keepass on my work laptop (Windows). KeepassXC on my personal laptop (Manjaro Cinnamon). Keepass2Android on my smartphone. MiniKeePass on my iPad.

I've moved from dropbox to google drive for synchronizing my keepass database because of the recent changes to dropbox, where you can only sync 3 devices for free accounts.

I agree, the subscription pestering is annoying. They do still offer a standalone version though. I just upgraded from an ancient Windows version (4 or 5) to 1Password 7 for $49. They really avoid mentioning that the standalone exists, but just install 7 and there is a purchase option.
Well, that’s several hundred dollars of their software which I would have happily bought if they’d told me about it.
I totally agree. I understand why they push subscriptions, and they offer decent value for the subscription, but they are going too far in hiding the standalone. The hard sell is probably a net loss for them.
You can definitely still buy the standalone app license, but they use a pretty dark pattern to hide it. They don't really talk about it anywhere, in the forums they will just push subscriptions, and they constantly change how you get a new license.

In the past, they moved the standalone license page from 1password.com to agilebits.com, and made it purposely difficult, if not impossible to get to.

Now here's how you do it for the most recent version:

Download and install the app. When it asks you about a subscription, there is another link that you can click, but I don't remember what it says, but it should be at the bottom of the pop-up. It will take you to a checkout page where you can get a standalone license.

They'll probably change it yet again in the next major release so YMMV in the future.

May I very strongly recommend that you check out:

https://pwsafe.org/

Open source. Bruce Schnieir designed. Windows, Mac, Linux, Android, iOS versions. Dropbox and iCloud sync available as well as standalone operation. Yubikey support.

Need I say more?

What I realy like about password safe is that you can drag passwords into text boxes. Most password manager copy your password into the clipboard where every local application can access it. With drag and drop only the designated application will be getting the password.
An application capable of reading the clipboard is just as capable of covertly taking screenshots, recording keystrokes and otherwise compromising data being executed in the context of the same system user. Is gives a false sense of security guarding the clipboard when the real threat is untrustworthy (usually closed-source and proprietary) software itself, executed as a user with privileges.
No need to say more - pwsafe is the real deal! I use it on Android and Linux - synchronize either manually with Google Drive or automatically with DropBox. It's an awesome application!
Wow, why am I just now hearing about this?
I use KeeWeb[1]. Works well, it's able to sync the encrypted database on many cloud/web services, and it's based on KeePass. So even if the app stops being updated or even exists, I remain in control of my password database and can switch without having to convert anything. I use KeePass2Android[2] as well, which can be set as an AutoFill provider.

[1] https://keeweb.info/ [2] https://play.google.com/store/apps/details?id=keepass2androi...

+1 I used Password Safe for more than 10 years, and the developers are top notch and really into their security. I eventually moved to KeePass just because I wanted to store attachments but if that's not a deal breaker Password Safe is awesome.
The ultimate password management solution: Self-host Bitwarden on some cheap VPS, backup to B2/S3/GCS for $0.01/free.
> I have a workflow where I use 1Password on my phone - locally, no sync, do not want sync, can not use sync. Obviously this is not my main way of using 1Password. On that phone, I often remove 1Password and reinstall it.

My guess is that he's doing this when he crosses borders or in other situations where he might be subject to an intrusive search. So he carries a minimal set of passwords that he needs for that trip in a local vault. Maybe just his airline login, a throwaway email account, and an innocuous credit card account. If he's forced to login to his 1Password account during a search or inspection, he won't reveal his lifetime accumulation of accounts and passwords.

This is a great use case.
1Password actually has a feature for this called Travel Mode: https://blog.1password.com/introducing-travel-mode-protect-y...
Until border security finds out about travel mode and demands you disable it.
It could be he works for US government and protects himself from say EU border guards. Who are far less intrusive. But better save than sorry.
> It could be he works for US government and protects himself from say EU border guards.

The reverse I could imagine.

Border security are not idiots. They know about travel mode.

Travel mode works because it can’t be changed on device and so moves the vault out of border security jurisdiction.

They can have probable cause to search your phone and will if they want to but they are unable to put you in a room with a browser and make you download something, so hence it’s out reach.

Hiding in the cloud? They must be kidding...
I'll go against the grain and defend this. I really, really love 1Password - it's UI is incredible and it works so well - it follows the "don't make me think" philosophy which I really appreciate and makes me feel respected. It feels like a default piece of Apple software in how well it integrates with OS X and iOS. The desktop PDF QR scanner is something I didn't even know was possible to do with software, it blows my mind every time I use it. 1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

So I don't know more about password management than Agilebits. They have a long history of really good ideas for their software. If they want me to use their cloud instead of local vault, that's probably a good idea. I'm more than happy to pay the $2-3 per month to have access to this, and knowing they have recurring revenue gives me confidence that they'll be around for a while.

Keepass (I use keepassxc) works great across all three platforms I've used it on (Windows, Android, Linux) and the database is less than 100KB so it's easily shared on the free tier of any cloud storage provider.

1Password does have a good UX, but it's not the only option that does.

+1 I am using Keepass windows & Android versions on my 3 phones & one laptop. The desktop database is synced to Dropbox two way any changes. FolderSync app is used to get one way sync only from Dropbox to Phone.
How do you sync your password file between your phone and your computer? Currently I only use KeepassXC on my computer but plan to start using it for more accounts so will need to have my passwords there too.
I use NextCloud myself to share the actual DB, and the keepass2android[0] app.

It works great although the app looks for app names instead of URLs sometimes so you'll have to hit the search button. Takes two seconds longer but it's no sweat.

You can use any file sharing service you want.

I don't know how I never heard about 1Password X. The last time I attempted to switch from macOS to Linux, the lack of 1Pasword was one of the biggest things that made it hard for me.

That said, a browser-based 1Password is really not what I want. I just really don't try web technologies for keeping my passwords safe. If I really was going to use it, this might be the only instance in which I'd actually prefer an Electron version to using it my main browser, just for the additional isolation.

At least when I tried 1PX earlier this year, there was no data export options, which is only on native desktop (ie, OSX & Windows) apps.
I’m in total agreement. It’s the most important app I use and I’d pay 5x the $60 a year I spend on the family plan without question.

I used 1PW with Dropbox for years and and years and it was a great solution — but I trust 1PW more than Dropbox to protect my stuff (and certainly more than I trust myself to setup and maintain a secure sync server), and I love 1PX. Also, the Windows app is lightyears ahead of where it was (the Windows Hello support is great), which I never thought I’d say.

Yes, I know other solutions are cheaper, but I have been a 1PW user for 12 years and I want to ensure it’ll be there for 12 more.

Plus, for me, the UX matters. I don’t just use 1PW for passwords, I keep software license, secure notes, all kinds of stuff in it. I’m not a fan of the subscriptionfication of course of everything, but this is one product I’ll make an exception for.

What makes the 1Password UI better than LastPass' or Bitwarden's?
For Lastpass at least, I have two specific examples: 1) in Lastpass, the password length selector is a drop down, not an input or a slider, while in 1password it is a slider. This means you need to scroll a bit to choose a longer length password in Lastpass. 2) 1password remembers your last location in the app when the app is open, so you don’t lose context (not every time but most of the time) but whenever I’ve closed Lastpass for some reason it forgets where I was at.
> For Lastpass at least, I have two specific examples: 1) in Lastpass, the password length selector is a drop down, not an input or a slider, while in 1password it is a slider. This means you need to scroll a bit to choose a longer length password in Lastpass. 2) 1password remembers your last location in the app when the app is open, so you don’t lose context (not every time but most of the time) but whenever I’ve closed Lastpass for some reason it forgets where I was at.

1. That's not true in the browser extension for chrome at least, where it is possible to type in numbers in the password length field.

2. Some people would consider the fact that it doesn't leak last information about use by retaining context as a feature.

> That's not true in the browser extension for chrome at least, where it is possible to type in numbers in the password length field.

Same for Firefox extension. Best feature is that nowadays Bitwarden has support for password sentences.

It's far more attractive, in my opinion, and I use both on a daily basis and I have far fewer frustrations with 1PW.
That it is in your opinion "far more attractive" (whatever attractive means) just tells the rest of the readership (including me) exactly nothing. That you have "fewer frustrations" with 1Password idem ditto. Be specific. Mention examples. Tell us which versions you are talking about.
Last time I looked at BitWarden, its mobile app lacked basic features like a password generator and a password history tool — which makes it a total non-starter for me. I just checked and that’s been fixed (today!) and the app is looking more and more like a 1PW clone (that’s a good thing), but there were just enough papercuts that would prevent me from switching, especially when I’m a very happy 1PW user.

On the desktop, I have nothing against Electron in theory — but I prefer native apps for something like passwords, if only because of speed — I have a few thousand items in my vaults and BW was slow and 1PW is not.

Browser integration for auto fill isn’t as smooth, at least on macOS and I miss having a dedicated area for my software licenses/loyalty cards (like airlines). I haven’t used it in a while so I’d need to try it again to give it a fair assessment, but the subjective answer is “it doesn’t ‘feel’ as good.”

And unrelated to UX, I’m sure the main person behind BitWarden is a great guy, but in 2019, I’m not trusting my password manager to what is largely a one person team. When I started using 1PW in 2007, I know it was a small team. But 12 years later, I’ve been burned too often when small shops close/sell/burn-out and a password manager is too important for me to switch from something I know/trust to something that reminds me of where 1PW was a decade ago. Open source doesn’t mean open development or an active developer community. I also wasn’t impressed with the response to the critique of the cryptographic design in the security audit BW did last year. Not rotating encryption keys when you change your master password is a red flag and the problems BW faces on its own cloud are understandable, but not something I want to trust/deal with.

I’d gladly recommend BW over LastPass, but I prefer 1PW and have no intention of switching.

If you’re comfortable with FOSS solutions and the certainty of someone taking over (or not), then Bitwarden cannot be regarded as a poor solution. It also has forked implementations in some more languages and tech stacks. Any of these, including mainline, can be self-hosted for those who wish to.

This is not to imply that your preference for a larger team is invalid, but I don’t think Bitwarden and its clones are going away anytime soon.

> On the desktop, I have nothing against Electron in theory — but I prefer native apps for something like passwords, if only because of speed — I have a few thousand items in my vaults and BW was slow and 1PW is not.

I personally only use the browser extension. I never understood why a desktop app would be necessary since I have the browser window open at all times. If there was a native app I don't think I would use it.

> Browser integration for auto fill isn’t as smooth, at least on macOS and I miss having a dedicated area for my software licenses/loyalty cards (like airlines). I haven’t used it in a while so I’d need to try it again to give it a fair assessment, but the subjective answer is “it doesn’t ‘feel’ as good.”

I haven't had any problems with autofill personally. In the browser it's pretty decent. It also offers saving/updating passwords automatically when your vault is unlocked. ⌘⇧Y and ⌘⇧L shortcuts made my life easier when I discovered them. On iOS you can use the autofill if the app implements password fields properly (most apps don't). There is an option to choose Bitwarden instead of the default keychain application.

For license and memberships I simply create a folder named "Licenses" and add secure notes, create a folder named "Memberships" and add cards etc. Both entry types support key value fields inside them so you can add additional info too if it's necessary.

> And unrelated to UX, I’m sure the main person behind BitWarden is a great guy, but in 2019, I’m not trusting my password manager to what is largely a one person team. When I started using 1PW in 2007, I know it was a small team. But 12 years later, I’ve been burned too often when small shops close/sell/burn-out and a password manager is too important for me to switch from something I know/trust to something that reminds me of where 1PW was a decade ago. Open source doesn’t mean open development or an active developer community.

If 1Password isn't profitable one day it would shut down and you would be forced to switch. If Bitwarden's core developer disappeared anyone can fork it and continue development. If operations seize you can spin up your own Bitwarden server and continue from there without having to switch client apps right away. I also think there would be economic incentive to run an alternative service if Bitwarden stops functioning for some reason (+1 code quality, +1 permissive licensing).

> I also wasn’t impressed with the response to the critique of the cryptographic design in the security audit BW did last year. Not rotating encryption keys when you change your master password is a red flag and the problems BW faces on its own cloud are understandable, but not something I want to trust/deal with.

I followed Bitwarden security assessment closely. https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...

I agree the key rotation problem was a serious one (which is fixed now). Apart from that, I've read the assessment in detail and couldn't identify any case that would cause a problem for me as a personal account user. I use the browser extension on a Chromium based fork (auto-locked after ~5m) and the iOS app (w/ PIN). I also have 2FA enabled.

- BWN-01-001: You're safe unless you deliberately want to self-XSS yourself

- BWN-01-006: Minor issue, schemes:// are white-listed now.

- BWN-01-008: I don't use organization account so it doesn't effect me.

- BWN-01-010: Fixed, you can rotate keys now. I hadn't changed a compromised password before so it wouldn't affect me.

- BWN-01-009: You're safe unless you go to settings and decrease the KDF iteration count (why would anyone do that?). The first thing I did was to increase it when the option first came out. ...

Being good at what you do does not excuse shady removal of features once your user base is big enough to drop functionality.

Or more precisely it makes a person wonder what the next step will be to alienate users which aren't aligned with the vendor's interests.

Shady removal definitely isn’t good. On the other hand, every feature can’t be supported forever (or at least I wouldn’t want to). Seems that communication could’ve been better, though.
>1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

Yeah, no. 1PX has no means of data export. After 10 years on Lastpass, tried to give 1P a shot. Quickly grew frustrated within a month of the linux experience, and decided to move to Bitwarden. Turns out 1PX has no means of export, and I was stuck having to migrate each account by hand, and redoing the TOTPs. Bitwarden is substantially worse in terms of the UI, but at least I don't have to deal with vendor lockin.

Ben from 1Password here. This is a valid criticism. While it also doesn't have a direct export option our CLI may help with getting data out of 1Password on Linux: https://support.1password.com/command-line-getting-started/ Hopefully in the future we can bring our robust export options to 1Password X and/or the 1Password.com web interface / CLI. We agree, export is important.
> I'll go against the grain and defend this.

People mostly complains about how they handled the situation, not about the product directly (there's many people that say that the product is superior yet will migrate because of their response).

They weren't respectful and they didn't acknowledge their mistake of not showing any warning anywhere (instead deflecting to absurd justification).

> knowing they have recurring revenue gives me confidence that they'll be around for a while.

Recurring revenue is a thing that help sure, but supporting your existing user base (which he was part of) is another one. That thread show how they treat them. That give me confidence that if I get an issue, I'll get treated just as badly.

I'll personally will be looking at an alternative, even though the product is pretty great, support is part of it (and in the case of a password manager, that's quite an important part of it).

You are not defending this, you are simply saying you like 1Password.