351 comments

[ 2.6 ms ] story [ 308 ms ] thread
Ooh boy. This is amazing. The horrible Linux support they had was the reason I left 1Password. This might make me go back to 1Password.
So sorry we scared you away! Linux has been on our radar for a while but our biggest challenge was finding a way to share code between apps without writing everything in C++. Thankfully we found Rust, a systems language built around efficiency and safety. From there we were able to build the common core we've always dreamed of and were off to the races. Please give us another chance and let us know what you think. <3
> without writing everything in C++

That sounds interesting. Can you list the major technical reasons behind this decision? Also interesting will be if you could explain how Rust addressed those pain points (I have read about the general advantages that Rust has over C++, but interested in hearing how it plays out in the wild).

I'm not Dave but at a guess the biggest thing is probably memory safety, which is a huge concern for security-critical software.
Don't they have browser plugins? That's how use Lastpass on Ubuntu. I mean, besides Electron apps, who actually makes native Linux apps? (joking, not joking)
Our 1Password X extension works great on Linux. :) - Ben, 1Password
Yes. Though it was slow (slower than other extension based password managers), but worse, it was missing some of the features. I can't remember exactly what it was, but at one point I tried to edit something, but there was no way for me to add something. Though I've forgotten now, it felt quite a critical think to have at the time.
I must be easily excitable because this makes me very excited.
Me too! There will be a heck of a lot more excitement over the coming months now that our Rust client app team is firing on all cylinders.
Is this better than just using KeepPassXC with a simple kbdx file synced to an online drive? It's an honest question, I've never used 1Password before.
Yes as it isn’t subject to accidental overwrites of the data file It also has useful integrations like browser extensions so can autofill. Not sure if KeePass is capable of that. It’s a paid app though.
I use KeePass on Windows and it is definitely capable of that and much, much more (see Plugins page).

I can't imagine paying for an application when a better one is available for free.

I’m a recent windows 10 convert from Mac and a 1password user for years, I have disagreements with my buddy who is a long time windows user along these lines _all_ the time. He thinks I’m insane for essentially paying for UI I prefer (I would disagree I think there’s some structural differences, but I’m okay with being reduced to that too). It’s like asking why someone buys anything, the products exist and sell and make some people happy while being absolutely insane to others. Such is life.
I'm also happy to pay for better UI alone but that does seem to offend some people. It's usually the same people who if they find out you take vitamins will start telling you what the placebo effect is.
The reason usually is that there are people with a lot of money to throw around and there are others with less money who instead invest time to research where they can save it on a product. If then they not only find a way to save money on a product but also one with more features (so more for less) than the one people throw money at, they are in disbelieve why somebody would throw that money on the worse alternative.

I see this as quite reasonable thinking for somebody who never had too much money.

Of course it might be that in this case the much more obvious is the case: throwing your most important data into a cloud on a close source system is kinda..."optimistic".

> I’m a recent windows 10 convert from Mac

What happened, if not too sensitive to share, of course.

Ah sorry I missed it. My poor macbook pro of 8 years finally chimed it's last boot chime, so to speak. I have a windows PC that I had used mostly for games/web, so "convert" might be strong, I just haven't decided if its worth replacing :)
I used older version of 1Password on Mac and use KeePassXC on Ubuntu now. 1P is definitely slicker, and presumably the subscription comes with support. For me, not a worthwhile trade-off, but could be worth if for some people, especially those with many devices to keep in sync and business users.
I switched from KeePass to 1Password mainly to get my family on it. They really appreciated the clean workflow once they got used to it after a couple days. And the auto-sync feature combined with the mobile app has been useful for when they have to enter the Netflix password on various devices.
Same here.

Sure you can use lots of other password managers, but if we are not talking about solo use case - it's practically impossible to beat 1Pass. You can set up your team and family in minutes, with granular controls. And people will understand how to use it in a few minutes.

With most other solutions you will have to spend hours here or there. Is that time worth a few bucks? For me I would gladly pay x2 so it just works and no one has to bother me with questions.

I switched from LastPass years ago, and 1Password is great. I use a family account, and it's been easy to get my wife to use randomly generated passwords.

The only missing piece for me is a native Linux app since I use Ubuntu for all my development environments. The web browser extension works, but it's a noticeable difference moving between it and the windows desktop app. I'm super excited to give this a try.

Awesome! I'm so happy to hear this. We'd love to hear about your experiences so please share after you give it a go.
Unfortunately this only works with hosted 1Password (as far as I can tell), there doesn't seem to be any support for self hosted vaults. Can Roustem or anyone else from 1Password team clarify this?

This was the precise reason I switched to BitWarden 6 months ago, needed a solution where my passwords didn't leave my network.

I'm no Roustem but I'm close. :)

You're right, 1Password for Linux integrates tightly with the 1password.com service and as such does not support local vaults.

So how can I access credentials when I’m not connected to the internet? Not at all?
1Password always stores a local cache, you just won't get updates from other devices synced.
This is the correct answer. Thanks! - Ben, 1Password
I currently get by on Linux by syncing my 1Password vault and reimporting it to KeepassXC every time I need a newly added or updated entry. Annoying to have to create new entries on another devices and sync when I need an account on Linux but it works. Looks like this update provides me with nothing useful.

There’s no way I’m moving to a 1Password account, but I might just switch away entirely the next time I need to pay for an update or whatever, given the apparent lack of interest in serving my needs despite the amount of money I’ve paid for updates, etc. to date and the fact that it’s clearly technically possible.

> There’s no way I’m moving to a 1Password account

Why?

Use local vaults and you can firewall the application. Sync a different way and somebody would have to compromise 1Password and the sync service to get your passwords. Use a 1Password account and you have to use your master password in a web browser to manage your account.
1. I don’t like or want subscription software. I shouldn’t have to pay continuously to retain access to features I’ve paid for for years and it’s not ok to potentially lose access to my main method of creating and accessing secure logins across devices if I stop paying (which could be by choice or, whether temporary or permanently, involuntarily/accidentally).

2. I don’t want to store my data on their servers. I have ways of securely syncing data that I trust and that use only devices I control. For reasons of trust, security, etc. I want control of where my vaults are stored and it not to be the same company as the one that provides the software (for some machines/vaults I can also prevent 1Password from accessing the internet at all, to ensure the vault can’t leave a secure network, for instance).

3. If everything I store in synced folders was a separately charged service I’d be paying thousands a month. This trend is unsustainable and unwanted. I see absolutely no incremental value in the hosting service so I don’t want to pay for it.

3. The whole sleazy business model that pushes users towards subscriptions and makes it harder and harder to stay on self hosted vaults and uses things like this, described by them as the most requested feature, as leverage to try and force more users to switch. When the subscription model was introduced there were assurances to concerned customers that we were valued and this self hosted sync method would be supported. I am fine not getting features that are and should be deeply integrated with and require their hosting service (I also have no interest in ever having access to my vault via a web browser, which has the potential for horrible enough security properties that I’m glad it’s not an option (and I don’t have the time or inclination to have a feature which I don’t require anyway audited)). But when an entire desktop client is put in that bucket, it is because someone decided to make it so to try and get us to fall in line, not because it needs to be. Not the action of a company that respects any the users who still want to self host like they say they did.

At this point, with what appears to be a company that’s hostile to my use case, it’s getting difficult to justify spending more money at the next upgrade just to avoid the one time pain of evaluating options and switching to something that’s potentially better for my needs (if it, say, has a full Linux client I can use). If I move I’ll also likely plan to switch over the teams I manage that do use the subscription model. Subscription software makes far more sense in a corporate setting, and if the 1Password account fits the threat model then great, I use it, but if I am no longer using or evaluating 1Password (especially when the reason is partly trust in the company itself), that gets trickier, as does continuing to recommend it to others.

Appreciate your response. I'll reiterate what I've said past threads - I love 1Password a lot, and used it exclusively from 2012 to early 2020, in addition to using it personally I converted majority of my extended family to it as well. What irks me is that I paid for the desktop (macOS) app and iOS app once back in 2012 and once again for 1Password 7 (or 6?) upgrade, that is not enough to support the company and is primarily the reason why AgileBits went subscription route. Again - 100% understand and I'd like to support this business.

I really don't want to store my passwords on your "servers", and I'm sure there are few others like me - not a majority. In our case BitWarden's idea of paying for a subcription (happy to do it), and hosting BitWarden in my own network - pretty close to local vaults in terms of analogy.

I still like the UX of 1Password, if you ever allow local vaults and still charge subscription, I'll sign up on day 1 - I just don't want anything to do with my entire vault being hosted elsewhere, potentially irrational but when it comes to things we store in 1Password and the like - CC #, Passport number, decryption keys, licence codes, launch codes (jk) - I feel OK with my irrational paranoia.

Thanks again for making 1Password!

> I really don't want to store my passwords on your "servers", and I'm sure there are few others like me - not a majority.

Businesswise, it makes sense as a first push: get a solid UX working for existing 1pass users who sync via the cloud better access on Linux. Then move on to the less glamarous parts like local vaults.

> I just don't want anything to do with my entire vault being hosted elsewhere, potentially irrational...

There is no logical mechanism that can tell you the correct amount of risk to take on, and yet you can't take actions without accepting some degree of risk. You can't justify your tolerance of risk, so it can't be rational, and yet you have to take an action, therefore you can't be fairly accused of being irrational. It's thus neither; I call it "arational" behavior.

You might think, hold on, there's a logical way: I'll look at what happens to a group of people pursuing different risk strategies, then model the expected risk vs return, and thus I can determine the optimal level of risk.

But I'd argue it's fallacious to apply that general claim to the individual. For one, you invariably have a set of outliers who were overly risky and beat the odds, were they all wrong? If not, what's the cutoff point, and why? (And likewise, a set of outliers who were unlucky despite being overly conservative, were they also wrong?)

Another reason is, as they say in finance, "past performance is no guarantee of future results." Any model you come up with to justify a risk strategy can and will be invalidated as history unfolds.

If you can't trust them to host an encrypted blob, you can't trust them to run code on your local machine. I agree with you that the resistance isn't rational.
That isn’t logical at all. The two are completely different threat models.

I used to be a happy 1Password customer until they decided that they did not want people like me as customers. I trust the code, I don’t trust them to store my data, encrypted or not.

Why not keep storing your data locally, the same way that you were before?
They've absolutely crippled 1password to make local vaults as difficult to buy and use as possible. They don't roll out updated versions as often, many versions don't get support for local vaults for years, they make it nearly impossible to buy the non-subscription version, and you can no longer upgrade older licenses to use new versions.

Their entire business model is really sleazy and they've gone out of their way to alienate people who don't want to pay for a subscription and hosting service for something as simple and secure as locally encrypting passwords. I was a loyal customer for a long time but after a few years of them jerking non-subscribers around, I got tired of it and tell any friends and family to stay away from it.

Every company that has moved to a subscription and cloud-based product has essentially traded a one time $30-50 license to getting that (or more) every year, and the product is usually inferior from my experience.

> Every company that has moved to a subscription and cloud-based product has essentially traded a one time $30-50 license to getting that (or more) every year, and the product is usually inferior from my experience.

Two mild counterpoints:

(1) While "from my experience" is always definitionally anecdotal, most applications that I'm aware of that have moved to (or started with) a subscription-based model have released new features on a rolling schedule that's at least as fast, if not faster, than the "one-time license" model. On the Mac/iOS, there's Ulysses, Fantastical, and Drafts off the top of my head; cross-platform, the JetBrains IDEs all come to mind. (They're not precisely the same model due to their "perpetual fallback license" approach, but they're definitely trying to drive you to subscribe.) And, for all the mostly-deserved hate Adobe gets, their release cycle appears to have picked up speed since they moved to a subscription model.

(2) The one-time license model works great for applications that don't need any updates in the future beyond perhaps bug fixes. If you want ongoing support and new features, where does the money to support that come from? In years past it would have come from upgrade pricing, but programs went years between new releases and there was nothing that compelled users to upgrade if the old program was still working on their hardware. I get that as a user that's great, but for developers, it's, well, rocky. It was livable a decade ago because those big application programs were way more expensive. At today's prices, where $39 seems kinda steep, that may not be a workable business model.

As for 1Password specifically, I run it on a work laptop, a personal laptop, an iPad Pro, an iPad Mini and an iMac, and keeping the various "local vaults" in sync was always a bit of a pain in the ass -- and of course there was no way to access that vault over the web on a different machine if I really, truly needed to. And I know more than a few people using 1Password for Families. I don't think it's a "really sleazy" business model at all. It may be a business model that you don't like, but that's not the same thing.

1Password used to let you host self host web vaults. Dropbox and iCloud seem to work fine where they're still supported.

Dropping local vaults in an iOS patch was kind of sleazy. So is downplaying the ways the new security model is worse.

If you think Dropbox or iCloud have better security than Agilebits, I have a bridge to sell you.
How would Dropbox or Apple get someone's vault password?
Subscription model forced on a local password manager customer? A little sleazy.
I really don't think I could've said it better myself. Thanks for the comments. - Ben, 1Password
Maybe they weren't. 1Password used to support self hosting and third party sync services. Some versions still support some third party services but only subscriptions work everywhere.
Hosting my encrypted data means anyone with sufficient access at any single time can copy the encrypted data and attack it or me, then or later when eventually feasible.

Hosting only an executable I download and execute means the adversarial extraction of data must be contained within the executable and bypass all security from within my system. There is a window of opportunity for sending out a signal indicating the executable can not be trusted.

I do trust the team of 1Password to be competent and not evil, but there are many things that can go wrong anyway.

I remain disappointed that there is no way to set up nor configure a 1Password.com account without the web client.

> I do trust the team of 1Password to be competent and not evil, but there are many things that can go wrong anyway.

Very much this. I don't benefit in any way from having a copy of my sensitive data in their cloud, so as a very basic security principle, I don't want them to have it.

And that's just for my personal use. If they drop support for local vaults, I have to stop using it for work, too, because my employer prohibits password managers that store passwords in the cloud. My understanding is that these policies are specifically designed to keep us in compliance for government contracts, so I don't think they're changing.

I agree; and unfortunately I found self-hosted vaults to always be a bit challenging to get right, if I wanted to use my vault on multiple devices. The local-network only sync engine never worked for me, so I ended up using another third-party's servers to sync anyway. I signed up for 1password.com a couple months ago and it's been painless. To each their own!
> an executable I download and execute means the adversarial extraction of data must be contained within the executable and bypass all security from within my system

(emphasis mine)

Security is about having layers. I can't begrudge someone wanting to add layers to their security.

True, but same goes to hosting your own server.

And I would bet that a team who's job for many years is to ensure the safety of your data will do a better job at it than 99.9% of users that host it themselves.

As somebody who uses exclusively local vaults and pays via subscription, that is totally possible. It’s not possible on Linux, as noted above, but the Mac/iOS apps have supported that for the full lifespan of the subscription model.
How do you sync your local vaults across different machines?
Some of them I sync via Dropbox’s native 1Password integration. Others are stored as raw files from 1Password’s perspective, and I sync them by either copying the files or storing the file vault in Google Drive.
If you don't mind sharing: what benefit do you get from this configuration vs using the features of 1Password.com that are included in membership? - Ben, 1Password
(comment deleted)
I hope Agilebits considers adding local vault support. I’m a long time user and even a subscriber, but I don’t actually use the account I pay for, for anything except license to use the software - I still use local vaults.

I’m happy with this arrangement - it’d be a shame if the Linux client never gets this functionality.

Is this a preview of things to come for Mac/Windows? Will 1Password stop supporting self-hosted vaults?
No, this has been available for YEARS on Mac/Win, so it's not a preview of anything. Self hosted vaults haven't been in the new apps for years either, although the last version to support local vaults is still available.
The latest versions of 1Password still support locally stored vaults. They only sell the cloud service subscription these days, but you can still use local/Dropbox vaults on every platform. (except for Linux it seems)
...why? Of all possible target audiences it would seem Linux users would be the least receptive to this kind of thing.

Forgive my bluntness, but to me this looks like you're just testing forced adoption of 1password.com hosted SaaS on a platform you don't really care about before rolling out the same to Mac & Windows. Which would be unfortunate.

1password as a SaaS app has been out for years, this is not a testing balloon.
I can't speak for them, but it's my impression from using 1Password for a good few years (both the local-vault product, and then the "account" subscription service) that local vaults are basically deprecated, even though they work fine. They're just not a good way for AgileBits to make money. So they'll keep them working in the software for existing customers who paid for them and expected them to work; but they won't add new features to them (except by coincidence as part of architecture-level updates) and won't bring them to new platforms where they weren't originally promised to work. They're a legacy feature, serving legacy customers.

For the same reason that they won't bring local vaults to Linux, I don't think they'll ever kill local vaults for macOS or Windows. There are customers who paid for that product, and expect it to still work. (And, unlike e.g. an old version of Photoshop, it's implicit in the USP of a "password manager" product that it'll continue to get updated so that it works on new OSes and so forth, so that you can still have access to your passwords. You can't just stop supporting it; that'd break the whole value-prop of the product, retroactively, and so break the trust of future customers in any "password manager" products you have today.)

They killed self hosting on all platforms and other sync services on Windows. They tried to kill local vaults on iOS.
One day they will stop supporting it... They will give notice and ask you to use the online version.
This is what I like about HN, interesting people drop by from time to time to visit.

I have been a happy 1Password customer for years, but I am in the market for a change now. I really wish 1Password had an iOS client that didn't require 17+ permissions.

We're not thrilled about the 17+ requirement either and are evaluating our options there. Thanks! - Ben, 1Password
I'm in the same boat as the sibling: I'm about to move off of 1password because there's no Linux client. I'm a regular licence user, not a subscription user, and I will never buy a subscription from you but I've been happily paying to upgrade every time you release an upgrade to the regular software.

It seems that this is signalling your commitment to stop supporting users like me, and that's very disappointing.

* I will never buy a subscription from you but I've been happily paying to upgrade every time you release an upgrade to the regular software.*

So you are a subscriber in reality, it's just your payments a slightly lumpy.

A subscription implies you lose access to the software when you stop paying the subscription.

Buying a license implies you own it and are entitled to use it indefinitely. You might not get any updates but you also aren’t losing access to what you already paid for. Very, very big difference.

While I understand where you're coming from, I think "indefinitely" is a fairly impractical viewpoint in the sense of modern computing, particularly in the context of 1Password. Presumably you'll continue to update your web browser and your OS, which will at some point necessitate updates to the 1Password apps. For example, with Safari 13, which came baked in with macOS 10.15, Apple changed their entire extensions framework and retired the old one. 1Password 6 was built around the old one. So even if you have a license, and could theoretically install 1Password 6, if you're a Safari user it doesn't do you much good. Membership on the other hand would've included 1Password 7, where we implemented a Safari App Extension for Safari 13+ support. Just a counter-point for consideration. Also, for what it's worth, 1Password memberships become read-only when your subscription lapses, but you don't lose access. - Ben, 1Password
Please tell me local support is coming. I'm a longtime 1Password user who only uses local vaults and I feel like 1Password is increasingly showing me they aren't interested in me as a customer.
I am another linux user that uses local file syncing, so I guess I will have to use the old 1password 4 for windows build forever ha.
Depending on your use case, KeePassXC supports reading local vaults, but currently just reading them because I didn't have the need to try and round-trip the vaults for my on-call laptop.

I don't believe it would be an overwhelming amount of work to implement the write portion (err, aside from getting a security review) but I do seriously doubt that KeePassXC would accept the PR to change the backing store, meaning it would have to be a fork :-(

How does it compare to KeePassXC?
It's proprietary, non-free and all your passwords get send out into the wild. So it has all the things for a modern app.
Ah, it's not even open source? I'll pass then ;)
I assume the downvotes are for tone, but this is materially correct. It is proprietary, paid, and stores your data (encrypted, but that only solves some things) on remote servers, the last point being something that's associated more with newer apps.
1Password has probably been the single biggest productivity increase tool I've ever purchased. Worth every cent, and new Linux support news is fantastic.
Thank you so much for your support! This is only the beginning for our Linux client, so stay tuned for a lot more excitement!
Ah, amazing! I wonder if it'd be possible to make an Emacs auth source using the 1Password CLI? I kinda wish the CLI was more like pass
>Our new app is built on great open source projects like the Rust programming language for the underlying logic, and React for a responsive component-based UI.

Is this using webview? On Mac I believe the app is completely native, so does this mean 1Password will be switching over to using webviews across platforms?

Nice to see progress here, though 1P continuing to move away from local control to force subscriptions is regrettable. Even so, the UI hasn't been matched yet IMO, which is important for getting the less technical to use it. We're sadly also still a ways away from passwords being eliminated entirely, so it's still very important to get everyone using one.

One thing still missing I really hope to see though is the local application (on all platforms) supporting hardware tokens for unlock (with a backup master option). That'd be a nice extra security+convenience option which would work across platforms.

For many/most types of software I am in the same camp of people who would prefer to pay more upfront for a license as long as the software continues working as is - I bought it because it worked and if I chose to pay more in the future for a better version, I will make that decision based on the new features added and not the old features being held hostage.

However, for something as high-value as a password manager, I think having a subscription model makes a lot of sense. I can't think of any other class of product where timely updates from the developers are so critical to the utility of the product. You could even argue that an unpatched, out of date password manager is worse than no password manager.

So to preface: I don't use any web functionality in password managers at all, only the client applications. But that's the context for my regret over the forced subs too.

>I can't think of any other class of product where timely updates from the developers are so critical to the utility of the product.

I can think of a ton actually, although I guess it depends on what you consider important functionality there. Now, there is ongoing maintenance needed for things like keeping up with browser integration, but I'm not sure exactly what security updates should ever be needed unless they really fucked something basic up. The only things that need constant attention are their own cloud service, but that's a function of it being their own cloud service vs someone running their own server or syncing via Dropbox.

>You could even argue that an unpatched, out of date password manager is worse than no password manager.

I don't think you could frankly. Like, what's the threat model here when we're talking data that lives on our own systems and is E2EE? Fundamentally, password managers do not defend against the trusted end point being pwned, for that you need an HSM of some sort (or at least some weaker but still somewhat functional kinda of 2FA). All data from the end system should be fully encrypted before leaving, and since the system is trusted by definition timing attacks shouldn't be a concern (or at least are trivial here to negate entirely), so the security should depend purely upon the PM's ability to perform basic at rest crypto, use a decent key stretching as needed, etc. Which is frankly a solved problem with well vetted free libraries, that's not the hard part of security.

Honestly, 1Password and the like aren't that different from the macOS Keychain Access I'd been using for many many years before hand. They've got better organization and UX flow these days, and browser integration is a genuinely big deal. But I never had any problems with Dropbox sync with pre-1P.com nor do I still have any problems with sync there. In principle, the 1P team could have made all the admittedly alright group stuff and so on available as a standalone server thing people could run along with their own cloud offering of the same, similar to the way Gitlab and many others do. Buy the server/client licenses standalone and run infra yourself, or not, your call. WiFi sync didn't have to be left as primitive as it has been either. Etc. It's a business decision for them to push subs because subs are very profitable. And I recognize yeah, it's a way to make lots more money in a reliable fashion which people like. But I still regret the sub trend and think it's usually a negative overall particularly for people trying to fill situations outside the norm. 1Password's sub thing for example doesn't scale with large families, there is a huge disconnect between a small family and an "organization" in their pricing and general structure which isn't due to cost basis, it's due to their perceived ability to pay.

I'm genuinely optimistic though that things like Webauthn represent real turning points, and we're finally (10-15 years late but better late then never) moving away from the madness of service passwords and managers "have i been pwned" and all the layers that essentially recreate PKI, very badly. As far as security goes, neither I nor anyone else should need to give a single shit or change anything at all if a website is completely utterly hacked, because the only authentication that should be there should be a public cert for me. Damn it, asymmetric credentials was solved forever ago!

I just moved from (paid) 1p to bitwarden at the weekend due to lack of proper Linux support. I was just testing bitwarden and found I couldn't easily get a good export of my passwords from 1p on Linux, because only their desktop apps support that. It won't run under wine and I ended up installing a Windows VM specifically to do the export.

Was so frustrated at this it pushed me to move to bitwarden. Good for them for sorting it though.

... I wish I'd thought of booting into my Windows partition and installing 1password there, instead of spending an evening writing up an extremely overwrought export script on top of the commandline client.
Would you mind sharing it, so that other people don't have to go through the same pain you did? Maybe even creating an issue and dropping the code there could be helpful. Then somebody could pick it up and reuse the algorithms you wrote.

That'd be pretty great.

https://gist.github.com/ben0x539/9cf66dd8347c264179a89944278...

Caveat that it doesn't emit a csv you can import elsewhere, it's not extremely polished, hasn't ever been run outside of my laptop, just does a bunch of unnecessarily clever things. Needs the 1password commandline utility `op` set up (ie you have to have told it your secret key already).

It'll create `items/` and `documents/` dirs with one file per, well, item or document, named after the uuid. It tries to make a symlink named after the metadata for each file in the hope that you'll have an ok time tabcompleting your way to the desired secret. There's some attempt to not redownload files that you already have, mostly because I re-ran this thing a million times trying to get it to work.

I wrote this to be able to zip all my secrets, `scrypt` the zip file with a strong password, and put the scrypted file on a usb drive that isn't particularly well hidden, just as another fallback/recovery option in case a meteor hits 1password HQ or my paper backups catch fire.

What people have to do to avoid KDBX4 db store :) Those are easy to backup, sync etc.
I started to write that exact script myself (go to the point of realising jq probably wasn't going to cut it :), motivated by the desire to help others escape too but I just ran out of steam.

Plus, there was something not right about the fact I was actually paying for these damn tools and still having to write my own code! Thought I'd just get out as quickly as I could and not go back.

But having seen others in these threads complain, I do now feel kind of bad!

If you used Firefox or Chrome, then you could use 1Password X for Linux systems. But I'm guessing from the (paid) part that you weren't using their sync?
I used the browser tool (and 1p sync) but it still didn't support export to 1PIF format afaikt, which only the desktop GUI tools supported.
I just did the same over the weekend. Really loving BitWarden, it works and it’s fast. It did take me a bit of time to export out, scrub & format CSV, then import to BitWarden.
I just used the "1PIF" export from 1p, which bitwarden supports for import (but the 1p cli doesn't support).

I'm loving bitwarden too. It's slightly not as good as 1p in some ways, but better in more than others. That's my review :)

I’ve been using 1Password every day for over 11 years now. The oldest passwords I’ve got stored are for Twitter and Dropbox (yes, the passwords have been changed but the records were first created in 2009).

It’s one of those apps which has been made with proper craftsmanship and care, so while I’m not a Linux user, I’d have no problem recommending based solely on Agilebit’s reputation.

I used KeePass, then LastPAss, then tried 1Password about 8 years ago. I haven't even considered changing. I joined when they were still mostly focused on MacOS and iOS, the Windows and Android apps were secondary. Since then they really shifted to a totally cross platform experience, and I'm incredibly happy with the app. I'm glad they're branching out to Linux.
Why switch to this when keepass is way more portable, open source, and isn't some stupid SaaS program.
Used Dashlane for 2-3 years and then tried 1Password and I haven’t looked back. Dashlane has too many bugs to be useful all the time.
Also a longtime user. Did you kick over to their subscription model or have you stuck with the old installs attached to the grandfathered permanent license?
I'm still using the permanent license...and syncing over iCloud, while using the latest versions of the 1Password app, on macOS & iOS.

As soon as this stops working and i'm forced to get a subscription i'm moving to another password manager though. So hopefully one time purchases will remain possible.

I also considered a move but I may just get the subscription.

If Apple offered a more fully featured keychain I might just stay in their ecosystem.

€36 a year, so for a period of 5 years that makes €180. For me and my partner that would be €360 for 5 years! For a password manager...

I also considered using KeepassXC and Strongbox on iOS, which is completely free (sync the database via iCloud.) KeepassXC's browser extensions are pretty bad though, hopefully that will change sometime soon.

If you want to keep costs low, Bitwarden is currently your best option i think.

That pricing seems high until I consider the utility and importance of the tool.

I do think it should cost less, but I also sort of am hoping a solid solution built directly into iOS/macOS will appear in the next few years.

It is a much harder sell to a family member that has never bothered with a secrets manager before.

https://1password.com/families/

They’ve got a family-oriented subscription which is cheaper. Used it since it launched and it’s been transformative for both sharing credentials with my family and getting them into the habit of unique credentials on every site, and TOTP where possible as well.

I can’t recommend 1Password enough and I’ve been a customer for a very long time, predating the move to subscription pricing and cloud services.

It’s worlds improved over synchronizing with Dropbox. There’s definitely security tradeoffs but if it isn’t easy you’d lose a substantial number of people back to duplicating the same password across 370 sites.

There's a problem with the family plan:

There's always 1 person (family organizer) who is in charge of everything, and can reset the other accounts...

> If Apple offered a more fully featured keychain I might just stay in their ecosystem.

Given Apple's track record, if you care about your passwords being portable, it's unlikely that you'll be able to use their keychain on Windows/Linux/Android even if they develop it further.

But why a whole electron app just to store passwords?
Why a whole GTK or Mono app just to store passwords?

Once you’ve decided that you want to make a GUI for something you’ve already made the choice to increase the weight considerably. Electron is still the best cross platform toolkit when you need browser support too.

Electron is still the best cross platform toolkit when you need browser support too.

Agree, just though it was too much for something simple as displaying logins/pass but looks like it has lots of features?

The other versions are native. It's one of the things that sets 1Password apart. Is the Linux version Electron?
Yes. Not against Electron but maybe I'm underestimating the ui/ux complexity of a password manager since I have never use one.
More likely it is the overhead of multiplatform support that motivates them to use Electron. Their support matrix is pretty big now: iOS, Android, Web, Mac, Windows, browser extensions, Chrome OS, and Linux
Amiga, Atari, Mac OS, MS-DOS, Windows, UNIX, with teams that reached around 10 maximum.

How did we ever managed without Electron?!?

Man we were 1337!

Tbh, not that many programs with exception of games supported all the platforms. And games were built on top of VMs or engines.
"Engines" like common logic written in languages like C and C++, using in-house toolkits where RenderButton() or ShowDialog() would do the right thing on each platform.

Apparently a forgotten art.

As for VMs, I am all for stuff like React Native, not for packing Chrome with each application.

Not only it shows laziness where Web == ChromeOS, bloats the applications and is yet another way for turning everyone into Chrome developers, bye bye Web.

I understand the sentiment. But I think the best approach is a bespoke app for each platform in the own native toolkit.

I have rarely enjoyed using a Gtk or Qt app on macOS because they feel alien.

On windows for example there seems to be no rhyme or reason for widgets, mainly due to historical reasons.

Games don’t need to be consistent because they take up the whole screen and are immersive. Some very specific programs such as the Godot editor are a good example of a similar usage.

> But I think the best approach is a bespoke app for each platform in the own native toolkit.

Which is basically the first line of my comment and how we used to do back in the day, with common logic and those in-house "engines".

That would only make sense if they use Electron besides Linux.
> The other versions are native. It's one of the things that sets 1Password apart. Is the Linux version Electron?

Yes, it is very obvious from the screenshot that it’s built on top of Electron [1].

GTK nor Qt have that type of UI elements, they are obviously HTML elements stylized with CSS.

Another hint is in the files contained inside the Debian package used during the Linux installation [2]:

  root@3cb1637b3070:/# apt-get download 1password
  root@3cb1637b3070:/# dpkg --extract 1password_0.8.0-22506_amd64.deb temp
  root@3cb1637b3070:/# ls -lia ./temp/opt/1Password/
  total 177900
  661008 drwxr-xr-x 5 root root      4096 Aug  3 18:23 .
  661007 drwxr-xr-x 3 root root      4096 Aug  3 18:23 ..
  661011 -rwxr-xr-x 1 root root 129796744 Aug  3 18:21 1password
  661010 -rw-r--r-- 1 root root      1060 Aug  3 18:21 LICENSE.electron.txt
  661023 -rw-r--r-- 1 root root   4710103 Aug  3 18:21 LICENSES.chromium.html
  661021 -rwxr-xr-x 1 root root   6322128 Aug  3 18:21 chrome-sandbox
  661017 -rw-r--r-- 1 root root    179981 Aug  3 18:21 chrome_100_percent.pak
  661013 -rw-r--r-- 1 root root    321151 Aug  3 18:21 chrome_200_percent.pak
  661022 -rw-r--r-- 1 root root  10505952 Aug  3 18:21 icudtl.dat
  661012 -rwxr-xr-x 1 root root    243992 Aug  3 18:21 libEGL.so
  661014 -rwxr-xr-x 1 root root   8948960 Aug  3 18:21 libGLESv2.so
  661024 -rwxr-xr-x 1 root root   3103488 Aug  3 18:21 libffmpeg.so
  661020 -rwxr-xr-x 1 root root   4488304 Aug  3 18:21 libvk_swiftshader.so
  661018 -rwxr-xr-x 1 root root   8483376 Aug  3 18:21 libvulkan.so
  792826 drwxr-xr-x 2 root root      4096 Aug  3 18:23 locales
  792824 drwxr-xr-x 2 root root      4096 Aug  3 18:23 resources/app.asar
  661015 -rw-r--r-- 1 root root   4791423 Aug  3 18:21 resources.pak
  661009 -rw-r--r-- 1 root root     50592 Aug  3 18:21 snapshot_blob.bin
  792821 drwxr-xr-x 2 root root      4096 Aug  3 18:23 swiftshader
  661019 -rw-r--r-- 1 root root    170903 Aug  3 18:21 v8_context_snapshot.bin
  661016 -rw-r--r-- 1 root root       107 Aug  3 18:21 vk_swiftshader_icd.json
You can use “npx asar extract /opt/1Password/resources/app.asar source” to access the JavaScript files [3].

[1] https://i.imgur.com/pGJ4Wvd.png

[2] https://support.1password.com/cs/getting-started-linux/

[3] https://stackoverflow.com/a/38524534

The native versions don't look native either. You can use a web view without Electron too.

Edit: Thanks for adding the package info.

(comment deleted)
> Yes, it is very obvious from the screenshot that it’s built on top of Electron [1].

I love this. It was my first reaction when I used MS Teams ... shit, it's electron and the I got the horrible user experience as usual. And in MS Teams even the font and its rendering is hardcoded and the devs are refusing to do anything about this! So when I use MS Teams I need to look at blurry text.

EDIT: And they bundle libffmpeg.so too .... let's have a look at what version, though I guess 1password is not a good attack vendor as it'd be hard for the attacker to control input data, right.

Heh. What does the password manager use OpenGL and ffmpeg for? I guess the binary is 130MB(!) is the electron part?
Looking forward to seeing my passwords stolen by a zero day shader vulnerability...
It's GLES, my guess they are web apis and are just chrome batteries.
So another application to ignore. React Native can't kill them all soon enough.
Why shouldn't it be Electron? Should it be GTK? Why not QT?

Linux doesn't have a standard desktop environment or widget toolkit. Electron doesn't seem like a worse choice than the other options, and it's easy to find engineers who know how to work with it.

1Password doesn't just store passwords. It has a bunch of other features. It's a fairly complex app at this point. It also has fairly similar user experiences in Windows, macOS, Linux, iOS, and Android, and that's pretty hard to pull off. If Electron helps them accomplish that, that's fine.

Because Electron bundles (light) chrome and nodejs and all deps breaking desktop integration and security (the developers are now responsible for checking vulnerabilities in all bundled libraries and they are not doing it).

Those are pretty good reasons not to use electron.

> Why shouldn't it be Electron?

Because every Electron app is inconsistent with the rest of the desktop. I use a dark theme system-wide but Electron won't care [edit: 1Password has custom integration for GTK theme]. Honestly, this isn't something the developer of the app have to put years of research in (Slack for example). The toolkit is supposed to do the integration (GTK, Qt, [Cocoa?]) and clearly Electron doesn't care.

> Why not QT?

You tell me (assuming you're talking about Qt, not QuickTime)

> Electron doesn't seem like a worse choice than the other options

Not really. Its just that its lazier/cheaper to just get your web development team pretend to write a desktop app. I get it, business decisions need to factor cost into account and hence the choice. I understand when a business says "we just don't have the funds to use a proper app framework, please do with what we have for now". But instead everyone goes to pretend like Electron apps are perfect even though the reason it was chosen was almost completely based on cost.

There are also advantages for the user. For example, new features arrive for all platforms at the same time; there is no prioritization of platforms or such. Same for bugs - apart from issues stemming from Electron itself, they're likely to appear on all platforms and therefore likelier to get fixed.

In essence, the old "only X% of our users use platform Y, it's not worth it to make this feature/fix this bug for them" does not exist anymore with something like Electron, and while this is ultimately also a cost consideration, it does come with benefits for me as a user, especially if I'm on a minority platform.

> For example, new features arrive for all platforms at the same time

That (and everything else you said) is true for any cross-platform framework, not just Electron.

None of this is even relevant in this case, since they use (I hope) Cocoa/UIKit/whatever it's called on macOS, so there's anyways not _one_ framework used everywhere.
None of these are advantages over other, better cross-platform toolkits.
The important bit for us w/r/t making 1Password a better cross-platform citizen is the Rust core. - Ben, 1Password
I have been coding UIs since 1992, how did we managed to pull it off in a more heterogeneous computing world without Electron, I wonder.

PWAs and Web Widgets I can stand behind, Electron is just laziness at the expense of the user.

We managed it by nobody bothering to write apps for Linux.
They still don't bother, writing Web apps packed in an Chromium wrapper isn't writing apps for Linux.

There are plenty of Gtk and Qt based applications for Linux.

> It’s one of those apps which has been made with proper craftsmanship and care

Is it? I've been using it for sometime as well but it seems like there is a lot of room for improvement. E.g:

- Support for unlocking via Watch ID on the Mac.

- Currently on iOS when searching for a password within an app, if a site prefix is included that doesn't match what's in 1Password the list will just show no results, with no way to navigate manually to the login. Instead, you have to close the app, open 1Password, and copy/paste the credentials back in. Typically the master password will have to be re-entered as well, despite touch ID being adequate a moment prior. Since it's rare to sign up via the web now for mobile apps, this is the most common scenario for me when using 1Password for apps on my phone (and occasionally websites as well).

- Improved UI/UX on mobile. Dashlane is way better in this regard. 1Password overemphasizes features I don't need like tags and favorites and has a pretty cluttered look in general.

I like the native Mac app and open/local vault format. (Dashlane by contrast has a very buggy desktop app and requires storing everything on their servers.) But I would jump at the chance to use an alternative with a simpler UI and better experience on mobile.

We use Dashlane at work, and every day I want to switch to 1Password, which I use in my home life. Dashlane has weird permissions glitches, a really buggy and very non-intuitive desktop app, really terrible web browser extensions that makes me tear out my hair in frustration, and even the mobile app doesn’t feel like it has the features I want, like the ability to add more than one password field (useful for accounts that have PIN codes and such). Even performance-wise, Dashlane’s mobile app feels really sluggish doing things like adding 2FA via QR code’s, which 1Password seems to do instantly.
Agreed on all those points, especially the desktop app which was ultimately the breaking point for me. The only thing better about Dashlane right now is the UI on the iOS app IMO.
Thanks for the feedback! We can unlock 1Password for Mac via Apple Watch on Macs that have Secure Enclaves now. :) - Ben, 1Password
Just to clarify: the feature is currently in beta. > Unlock 1Password using your Apple Watch on Macs with a Secure Enclave. From the 1Password for Mac 7.7.BETA-0 release notes. - Ben, 1Password
Upon reading this I was incredibly excited to go try it out... until I remembered I lost my Apple Watch last week :(((
(comment deleted)
A login can have multiple URLs. For sites which don’t automatically load the right entry, you can add another URL to give 1pw a hint.

This won’t solve all your problems. It won’t even solve the problem you describe the first time you encounter it. Nor will it solve it for apps that fail to provide an INTENT URL. But hopefully it will make things a little easier.

That would improve the completion, but ideally 1Password should allow me to select the login myself within the app modal (by navigating to "all logins" with the filter deactivated), and then add the intent URL for me.
Agreed. You should consider posting to their forum. I have for several issues, and they have been responsive and helpful.
It's made with proper craftsmanship and care on the Mac (which is primarily where I've been using it for years).

The Windows client is much better after the last major release, but it's never been as slick as the Mac version (the biggest wart now is the system tray/browser extension popup).

1Password X looks nice until you try and use it, and all the company reps on the forums are very argumentative about any feature request (look for the pushback they give about resizing their super-cramped browser extension popup—and the issues with hires screens stemming from how they built it, which assumes a fixed size).

I've also got a chip on my shoulder about the "feature" they added that showed the most recently used websites in the iOS app with no way to disable it (they finally allowed setting the number to zero months later). The reps on their forums all come off with this attitude of "this is the best way, and you're wrong if you don't like it" for just about every issue that comes up.

I like the app and will continue to use it, but if my main platform wasn't macOS/iOS I would have bailed long ago.

They were also pretty dismissive of Linux for a long time, so it's kind of funny to hear it as one of their biggest requests. 1Password X narrowly prevented me from switching for a while, but I've come to see alternatives as generally better options. Yeah, they're not as flashy, but I think Bitwarden and Keepass XC do a great job.

Keepass XC may even be doing a better job at security. At least in some dimensions.

https://keepassxc.org/blog/2019-02-21-memory-security/

That’s where Agilebits has me; the UI on Mac and iOS is so much better than the alternatives. I do keep looking, Keepass XC looks really good since the last time I checked around.
KeepassXC is quite good if you mainly use it on your computer. I've been using Keepass(XC) for about 10 years, it's secure and reliable. But I'm looking to switch to 1password or Bitwarden as I'm increasingly using portable devices (phone, tablet…).
Keepass2Android works pretty well for me. You can sync your password database via google drive or other file sharing services.
Seconded, Keepass2Android is great and has very good integration on Android. You can use the autofill feature to, well, autofill the credentials fields in any app.

Has merge functionality if you've edited the password file both on mobile and computer.

It even has an offline variant that keeps everything local. I'm using that with NextCloud.

If you do end up leaving Keepass, Bitwarden has been a good experience for me. I can’t attest much about security but it seems OK from my perspective.
FWIW cache side channel attacks are primarily a threat on (shared) cloud platforms, but not as much [1] on personal devices. Considering that 1password runs in its own process and that most personal devices should have Meltdown mitigations in place, it would be prohibitively difficult to successfully launch a cache side channel attack to extract the password from outside of your device, especially at scale. Attackers would attempt to find other software vulnerabilities instead.

I think it would indeed be nice if 1password scrubbed sensitive data from memory, but not a complete deal breaker if it didn't. I do wonder if this could be more of a problem on 1passwordX, though.

[1]: not zero, but still

> all the company reps on the forums are very argumentative about any feature request

I've observed this as well and it's frustrating. Usability took a dive when the list view for entries was removed (in favor of the rich icon, column-based layout), having to manually check identically named entries to find one with the right username, but their support staff was seriously adamant about the feature not being worth the development effort because of how few people had used it. It got me looking for alternatives but I haven't switched away yet.

I apologize that we've come across that way. I'm one of the primary contributors on our forum and so I do appreciate the perspective here. The position I try to take, not being a developer or project manager myself, is that I have no power to make feature requests happen other than suggesting them to the team. As such I try to help people best use what is currently available while also passing suggestions along.

As a company we tend to keep future plans pretty close to the chest. There are sometimes things that we know we aren't going to do, and whenever possible I try to be up front about that rather than beating around the bush or giving false hope. List view is one example of this. The intention isn't to be argumentative, but rather to set expectations based on current plans.

- Ben, 1Password

I am a 1password user, and have bene for about the same amount of time, but I've been slowly looking for an alternative.

Unless I'm mistaken, 1Password no longer ephemerally decrypts passwords as needed and only while used and then scrubs the memory. [1, old but still] The excuse, if I remember it, was that garbage collected languages made this challenging. Even so, there is some irony in them moving away from the temporary, one-at-a-time, scrubbed approach just before all of the side channel attacks that allowed leaking memory across processes became widespread.

[1] https://nakedsecurity.sophos.com/2019/02/21/password-manager...

> The excuse, if I remember it, was that garbage collected languages made this challenging

This is one of the main reasons why the core of 1password was rewritten in Rust: https://support.1password.com/kb/201902a/

Except that one could make use of OS APIs for ensuring that, while still using a GC language.
Interesting. But this doesn't seem to cover the Mac version.
(comment deleted)
Apparently that craftsmanship went astray with the adoption of Electron.
Electron? You must not be talking about the Linux app because it's written in Rust.
Embedded in an Electron app, otherwise please correct me what toolkit they are using.
Yeah it sounds like Electron with React/JS UI talking to a Rust "backend". I would give them credit for keeping the important bits in Rust though
Thank you! This is correct. We understand there are concerns about Electron (some legitimate and some religious), and we've built this app with those concerns in mind. The backend is Rust, with the arguably most critical components (encryption) being open source libraries (ring). - Ben, 1Password
Why the hate for electron? I know that there are a bunch of shitty electron apps out there, but there are also great, fast and leightweight examples. Visual Studio Code is easily one of the best desktop apps I've used (on Windows) and Discord is also built on electron and works very well.

Electron isn't necessarily bad, its primarly a matter of how good your implementation is.

1. Performance

2. It encourages developers to ignore platform-specific design idioms and features.

Have you found either of those applies to 1Password for Linux? If so we'd very much like to hear about it. Thanks! - Ben, 1Password
And when we compare it with Notepad++ or Sublime it is quite clear the performance lost in the process.

I only use VSCode for workflows I am obliged to.

Microsoft's React Native team has benchmarks where Electron causes 300x performance drop versus React Native.

Speaking of it,

"Xbox app for PC gets speed boost, ditching Electron for React Native UWP"

https://www.windowscentral.com/xbox-app-pc-gets-speed-boost-...

I dream of the day that VSCode gets rebooted into React Native.

(comment deleted)
>Why the hate for electron?

Because it's terrible. It's slow and ponderous. I have yet to use something built on it that wasn't awful, and that INCLUDES VSCode.

Have you tried 1Password for Linux? - Ben, 1Password
No reason to. I don't use desktop linux.

I'm also actively looking to move away from 1P period because I don't want or need a subscription for every little app.

Yup. Password management is one of those things where I want to pick the best possible solution, over the 80% good for 20% of the cost. The risks of losing credentials are real, and terrible. Making shit easy for non-technical people is a real-world risk reduction. Making shit easy for technical people is also a real-world risk reduction, and letting me put 1P into automated workflows is great. If there's minor encroachment on territory currently held by Hashicorp Vault, then "Go 1P!" - I love competition between two genuinely good products.
I just checked my vault out of curiosity, and my first entry from 2009 is the credit card I used to purchase a 1Password licence shortly after!

It’s robust software that does was it says on the box. I was initially reluctant to move out of my local vault but the online service has been impeccable.

I've been using Bitwarden across the browser, Linux, Mac, and android, and it works great, and is fully open source, unlike 1Password.
And you can self-host it which I do
I use 1PW professionally, with our whole company having shared vaults for different departments and security levels, as well as at home, so my wife and I can share some credentials. Absolutely love it. I’m spending more and more time working from Ubuntu so I’m very happy to see this, it should make things just a bit easier.
Awesome! We'd be happy to hear any feedback once you start using it. :) - Ben, 1Password
Seriously, this is great to see. I've been using LastPass for a while but have been unhappy with it. If 1Password is taking Linux support seriously, I'll definitely switch.
LastPass for Linux works without special issues.
I assure you, we are taking Linux support seriously. When I joined the team, we had almost no one using Linux in house. This has changed in a big way and is only part of why we are now investing in making the best darn app we can for Linux.
I switched to "pass" from 1p and it is a breeze because it just works without all the bullshit and I don't have to place any trust on a company saying they do things right (they will never tell otherwise).

And 1password never cared about Linux. I had to custom-script data export, they pretty much held data hostage by making it difficult to migrate from the platform, not to speak of the undocumented data formats. But at least we did not have to install some closed source propietary thing to do something as critical as password management (browser sandboxing seems slightly better). If they cared they would open up their client‘s code for everyone to peek.

I have to call this out as a bit of a hyperbole.

They already participate, quite openly, in security audits[0], and while yes, I'd love it if it was OSS too, but the reality of making money on these services is that (especially I believe at the time 1Password was founded), is it wouldn't have likely done them any good, really. In fact it could hurt their business. I believe 1Password was one of (but not the only!) pioneers of this being a successful consumer business.

Notably, I don't think its worth detracting from a fantastic product based solely on the license of its underlying software. I'm also not aware of any 1Password data breaches.

As far as exporting goes, you can simply generate a CSV file (or plain txt)[1] as well. Not sure what the issue there was, I'd be curious to know.

While I like OSS too, and prefer it when able, I think its a stretch to say they're holding their users hostage if they want to migrate away, not to mention being OSS isn't really a predicate as to whether the software & user experience is actually any good.

disclaimer: I don't work for 1Password, but I've used it for over a decade.

[0]https://support.1password.com/security-assessments/

[1]https://support.1password.com/export/

How can one be sure that the passwords are even encrypted, without having seen the program?

Audits don’t mean much for various reasons, including the conflict of interest.

Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.

>How can one be sure that the passwords are even encrypted, without having seen the program?

We have seen the program. We can have as many binary copies of it as we’d like.

> Audits don’t mean much for various reasons, including the conflict of interest.

[citation needed]

> Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.

The product uses end to end encryption. The database is encrypted locally before being uploaded. They would have to be using bad encryption or stealing your password to get at it. It is understood how 1P works, they have written about it extensively.

But that's the point the OP is making, you have to trust what 1password is telling you. And they do have a very clear business interest in telling you that it uses best security practices even if they don't.

I'm doubtful that you are able to look at the binaries and extract the inner workings from that.

>But that's the point the OP is making, you have to trust what 1password is telling you.

Yeah, I have to trust a lot of software authors not to be actively malicious, because I don't have the time to audit literally everything I rely on. I have more reason to trust the authors of 1Password than those of almost any other package I use.

>And they do have a very clear business interest in telling you that it uses best security practices even if they don't.

It's been audited several times, and the authors are well known, respected, and vocal in the infosec community. And you think they have more of a business interest in hiring security professionals and lying about their practices than they do actually building a product that safeguards their users' data as they say it does? A backdoor in a product like that would be the end of their business, professional reputation, and career.

>I'm doubtful that you are able to look at the binaries and extract the inner workings from that.

Me personally? No, but there are absolutely people with that skillset, this sort of thing is perfectly doable. As far as "is this sending all my stuff to China in plaintext" goes, it's not even that hard to evaluate. You could do that without any reverse engineering at all.

These are great answers. Thank you. - Ben, 1Password
> As far as exporting goes, you can simply generate a CSV file (or plain txt)[1] as well.

There is (was?) no way to do that on Linux.

Can't say I'd ever personally use 1Password over something open source like Bitwarden, however the intriguing thing about this post is that they're using Rust for their Linux client backend. If only this was open source; we could peek under the covers and see what technology they're using.
KeepassXC is the perfect solution in my opinion. It is open source, has a huge number of features (that don't get in the way of basic usage), and has mobile apps and desktop apps that work well on all platforms. Right now I am using it on Windows, Mac, AND Linux, as well as my Android phone. I have it syncing over Dropbox, but you can sync it however you like. The Android app automatically fetches the latest version, and supports auto-complete etc. I see no reason to pay for a password manager or use something that isn't open source.
I second this. KeePass is awesome (across all platforms)
I'm the same way. The most important parts of the KeePass ecosystem to me are:

1. It runs on every platform I currently use, as well as any platform I might care to use, whether or not that platform is sufficiently "popular" for a company to justify caring about it.

2. It isn't dependent on the continued healthy existence of a company to remain usable, as I could simply self-maintain in a worst case scenario.

These are very important things about a password manager to me, personally, which is why any of these more polished/popular options would be an extremely tough sell.

Yep, there is no way I am trusting a company with maintaining access to passwords on all my accounts and my clients accounts. Keep Pass uses a well documented XML file format that, if needed, I can manually decrypt and access if for some reason, every copy of KeePass is deleted.
Doing the same using Syncthing for syncing. For basic password management across devices without having to go to "cloud", I don't see a better alternative. The new polished UI for KeepassXC on Linux is a bonus.
I just left 1password for Lastpass, took way too long unfortunately.
App looks slick. Installed on Ubuntu. Very cool.

Unsubscribed from LastPass and subscribed to a Family plan here. Hoping for updates to bring all the rest of the features. <3

EDIT: Took the opportunity to eval a couple of others. BitWarden stood out because it's open-source and cheaper for the family plan (the difference between 1Password individual and BitWarden family is not a big difference).

My thoughts:

* 1Password had a really cool app and very good import from LastPass

* Bitwarden's app is pretty good but the import breaks on Secure Notes that are a bit longer

Ultimately went with Bitwarden because it's cheap and I was able to migrate my big notes in approx 10 minutes manually.

How does 1Password compare to LastPass?

For one, LastPass _always_ freezes Chrome on me a few times a day.

1Password is pretty stable, I have not had any problems with applications freezing.

I was going to switch to LastPass since I have two younger children that I'd like to use a password manager, but LastPass has the same 17+ restriction so I'm looking for other options. But if you don't have the same issue, 1Password is a solid choice.

(comment deleted)