Doesn't always lead to that but...now that the company has these investors who demand returns the company no longer has alignment with the customer. The needs of the customer and the needs of the investors are in direct opposition.
Only Sith deal in absolute slippery slope fallacies. Besides, this is a paid product with steady MRR, there's plenty of growth to be had without compromising the product. The recent integration with Fastmail for one-click creation of disposable addresses is a great example.
Raising hundreds of millions of dollars for a built, profitable product with a tight scope and millions of users usually means the product scope will increase as part of their new remit to drive shareholder return. If people liked the existing tightly scoped product, and for password management simpler is better for many users, this investment indicates the product will necessarily move away from the existing use cases as a condition of accepting the funds.
They will probably invest in business integration/sales. TBH we need more password management in this world and not less. Increasing scope in enterprise domain means reaching users who would otherwise just use post it's for the passwords.
I think lotsofpulp is on to something, but the other major possible answer that comes to mind is moving more into the enterprise space. If that happens, it'll no longer be for "us" because if they succeed, they'll inevitably make much more money in that space and be all but forced to pivot harder into it. That'd be much less of a betrayal than selling more data, but it would still mean that slowly but surely it would simply focus less and less on single user concerns.
IMHO it isn't intrinsically impossible to serve both enterprise and single customers, but the business people will always be internally grumbling about the slight additional expense that doesn't have a good ROI vs improving their enterprise product, and the marketing team will want every other screen to be an ad to upgrade to enterprise which discriminating users will rapidly get tired of. It'd take strong and even a bit quirky executive leadership to overcome those issues. Not impossibly strong, but strong.
Edit: Also, they don't have the option of slathering their app with generalized ads. Running ads in the context of a password manager would be insane and lose all their thought-leader users in a heartbeat, permanently. So that door is not open to them.
1Password is a SaaS utility that provides a tool for generating and storing login info and other sensitive information.
To me; that’s immensely valuable, but it’s solved for most by a combination of just using the same passwords or, on iPhones, iCloud Keychain.
Now some folks have dumped the better half of a billion into a tool I pay about $35/year for and is basically feature complete. They’ll want a return on their investment. How do you expect 1Password will give it to them?
I predict the way and death of all "cloud companies" that start out doing one thing well; they'll add features and document sharing and what not until it becomes an unholy mixture of Dropbox et al trying to "compete" with Office 365 for some reason.
Today 1password is largely a product for tech people. Nobody around me outside tech circles is using a password manager, at all. They have the whole world to conquer!
I can envision them (sadly) bought by a larger actor in a few years, at a huge valuation.
That's funny, I only know 1password as that enterprise password manager that no nerds use, only normal people that work for not completely tech-unsavvy companies.
I don't know anyone that uses 1password privately.
1. Expanding into new markets. "Secrets management" is not easy - 1Password is currently handling it for humans but they intend to handle it for services as well, likely competing with Vault.
They could launch a full identity provider like Okta.
2. Perhaps managing other authentication methods. Passwords are dying, especially with webauthn, so it makes sense to tak eon some money to explore how to be a player in that space.
They could compete with Duo, for example, and start offering a 2FA service.
Basically, I expect that the vast majority of this money will not be going towards the 1Password that you use today but instead towards breaking into new markets. Given the size, probably new markets that are somewhat established already.
So that means what? My password manager is going to start crypto-mining, and share the profits with me? My password manager is going to report all the sites that I have stored passwords for back to the companies?
Whatever the case may be, I'm sure it's going to turn out to be something completely worthless to me.
Fortunately, there's always Keepass, which keeps plugging away doing exactly what it says on the tin.
It screams CORPORATE. Not a single mention of family or single user. It's all about business security, safely sharing data, protecting your company, etc.
I mean... that seems fine? Taking a consumer product and making a business version of it feels like a totally ok way to grow a company that already has a stable product that people like. Them making new features you don't use doesn't mean they're going to break or diminish the stuff you do use.
Sure, they could mess it up, but any company or open source project can mess everything up.
Sure, but I'd be surprised if Crashplan was operating their home offering at a profit beforehand and just went "eh, we don't need money". 1Password seems to have a totally viable consumer market that's making them money without all that much work on it. It would seem weird for them to kill a golden goose.
Also, it is good for companies when their employees use good password management everywhere, including in their personal life. The 1Password for Teams Business plan includes a free family plan for every user, so there's mutual reinforcement there.
I can't remember a company that has served individuals and enterprises simultaeneously without one side getting a compromised offering.
One of the things I like about Apple is they don't really pander to the enterprise. They won't turn the business away but you can see it isn't a priority.
I'm not sure this is true. If anything, they're the perfect example of how to do it right though, which is to have products that are business OR personal focused, and not generally both. The Mac Pro and the new monitors are both very clearly only a reasonable cost point/feature set for enterprise clients. The higher end Macbook Pros are similar, especially post redesign.
Almost everything Apple makes, "Pro" name aside, is either an enterprise offering where they're ok if random consumers buy it, or a consumer item where they don't mind if enterprises buy it. I have no interest in buying a reference monitor that costs more than my last 4 computers put together, but I could just go buy one, I guess.
Optimally, 1Password does the same thing. If companies want to buy their current offering (and my current employer does) that thusfar hasn't really messed with my personal use. If they come out with some Okta competitor in the future, I won't need to care about that either unless my company uses it. Optimistically, both products can be targeted to different markets.
I'd distinguish between the professional market and enterprise.
Look at the lengths Microsoft goes to in order to maintain backwards compatibility for their enterprise customers, Apple in comparison just doesn't care.
Obviously I don't have access to the sales figures but my guess is most Mac Pros are going into audio/visual studios or else high net worth individuals. It's not the sort of thing enterprises will buy if they can avoid it.
> Them making new features you don't use doesn't mean they're going to break or diminish the stuff you do use.
Except they have already started to diminish what used to make 1P great. We now get no native apps, no local vault storage, no upfront payments. The VC rot has already set in.
Family/individual accounts are nice and all, but most families/individuals just don't give a fuck about security nearly enough to pay a monthly fee for a password manager, and probably never will. The saturation point for them in this market is not too far off.
So they go where there's real money to be made. They are well-positioned to become the default choice to handle corporate day-to-day cyber-security needs of most non-tech businesses, and if they can pull it off even moderately successfully it will make them the biggest Canadian IT company. Family accounts never ever will.
That doesn't mean their product won't remain the best* choice for individuals and families. Microsoft also doesn't give a damn about family or single users of Office, yet we all* use it because it's still the best* product on the market.
* words like 'all' and 'best' are approximations of what's going on in the real world, not in HN where significant numbers of people may very well be using LibreOffice and the Nth fork of Keepass.
> most families/individuals just don't give a fuck about security nearly enough to pay a monthly fee for a password manager
It's more than that, most families that do care about security don't need features beyond what is built into iOS/Android. When I encouraged my wife to start using randomized passwords, I didn't even have to help her get set up. She already knew how to use Apple's password manager, so she just started using it. No setup, no additional monthly fee, just a quick decision to start using it.
When we need to share a password, we just read it off to each other and put it in our respective password managers. There aren't really any features in a paid password manager that we miss.
We have a corporate password vault and it sucks. If 1Password makes a compelling product and brings their considerable UI/UX expertise to bear on it, this could absolutely take off and make my life easier.
With 100k individual users and its background as a consumer application, 1Password wouldn't neglect the non-corporate customers—at least until David Teare retires or otherwise leaves.
1password has a corporate offering. We use it at work, and while I haven't thought about to what extent it'd scale to a huge company it works very well for small ones with the ability to e.g. share vaults and manage permissions across users.
But incidentally the same features which makes it great for work also makes it great for me to share access to vaults with my son for example.
I was speaking more about an enterprise product like Hashicorp Vault but I was quite unclear. I knew about 1Password for Teams (use Family personally).
How do you have a universal login that doesn't require corporate onboarding? You're just not the person this landing page is positioned for. They need corporate buy-in so you the user can login with one login across all of those sites. If you the single user want to easily login to Netflix and Amazon with a click of the button, then how do you expect 1P or any org for that matter to offer that if they don't have a direct relationship with Netflix or Amazon?
This is like using Google.com to search for things to find and screaming "Google is too corporate" when you landed on the Google AdWords landing page (ads.google.com).
Oddly enough 1Password could innovate productively here: use some market clout to push for a standard way for password managers to do automatic password rolling without user interaction.
Imagine a world where a standardized protocol let a company put out verifiable "we've been hacked notice" and my password manager would just take care of it next time I opened it (or throw a prompt or something).
There's a couple examples already, including one click credit card information saving (through your card issuer), and their private email aliasing through fastmail partnership.
Surely there's still room for some innovation in the authentication space?
I remember a few years ago Steve Gibson was working on a certificate based system called SQRL and it sounded pretty cool to me. Maybe 1Password have some ideas of their own?
They're probably going to develop some proprietary, closed source authentication SDK, that's not compatible with other password managers, and bribe websites to use it.
Your choice eventually will be entering a standard password and specifically engineered to be annoying CAPTCHA, or pay for 1Password. Use Keepass or BitWarden? CAPTCHA. why? "Security".
> You can never trust cloud-hosted password managers..
If you examine the source code of a client (for example bitwarden) and make sure that it's not leaking your master password and then compile the soft yourself and not update - you'll be pretty safe.
This will make it similarly secure as e.g. keepass, because even for keepass you should be sure the source is legit
Technical trust is one thing, but I think the trust GP is referring to is more of a trust in the company's commitment to the business model. Password Managers aren't sexy. There isn't a ton of disruption possible in the field, so these companies may tend to look to expand beyond password management or get acquired. This in turn can mean the password manager product will be left to rot.
Maybe you can't. Everybody has their own risk tolerance, but at some point, everybody's going to have to draw a line. Maybe you're only storing passwords for local services, but almost all of the credentials in my password manager are for services run on some cloud. Even then, did you evaluate all of the code for each of those services? How about the compiler code or the chips? Dell shipped out machines with a hardware trojan in 2010.
I have separate instances for work and personal accounts, so one breach wouldn't affect the other. Since my passwords are distinct, the number of accounts that would actually be useful to them is minimal, and fraud response is a pretty important metric in deciding what companies I do important business with. Identity theft is a problem, but all of this is probably more likely to be leaked in some other database, like the Equifax hack, than through an account compromised in a password manager cloud storage breach.
My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable. I think things like coordinated attacks where they social engineer their way through 2FA— which have been seen in the wild— to present a greater real-world concern.
> Maybe you can't. Everybody has their own risk tolerance, but at some point, everybody's going to have to draw a line.
I'm in agreement with parent, I think putting your passwords in the cloud is a wild single point of failure. Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.
I think people (in aggregate) just don't care about the risk and will take the path of least resistance. They don't have to draw the line there, but they will.
> My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable.
Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).
Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?
I'm a bit of a crank though. I don't do any of the smart home stuff. I see my phone as a necessary evil. If some company shoehorned an app or a WiFi connection into their product, I don't buy it. After being in tech long enough, I just want things that work for me, not for the company I bought them from.
> you're always a silent update away from it all being dumped on the internet.
This is true of all password managers that have any ability to connect to the internet. You’re one silent update away from your manager suddenly uploading all your passwords to a random endpoint in Russia.
Theoretically, if you audit the source then you only really need to care about updates to the actual code. If it doesn't do silent updates then it can't change underneath you, even if it does some kind of network operations.
Its not fool proof, but it feels better than a black box that could be a different black box tomorrow or after the next acquisition or round of investment.
> Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.
This is also true for your operating system updates, browser, browser extensions, compilers, the infrastructure for your email service provider, any libraries those things use etc. Not to mention your local password manager. Even if you don't accept push updates, do you evaluate the code? What if the vulnerability was timed to pop a few weeks after release? What if it was included in an update that patched a major vulnerability so you went faster than your normal process afforded? Even if you have a local firewall that stops external connections from unrecognized programs— what if it's a whitelisted program or the operating system or the firewall itself?
Why would you a password manager's encryption less than you would trust your email service's encryption? I'd bank on the password managers' being a lot more robust.
What about RATs that could access your local password database? RATs are a lot more common than cloud service breaches.
And as I mentioned previously, Dell shipped a hardware trojan in 2010.
There are tons of single-point attack vectors in this chain. I'm not a security expert, but storing encrypted data in cloud storage seems less likely than others be a viable target.
> Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).
> Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?
Let's say they did compromise your email account. Since only a few of your accounts are genuinely consequential to nefarious criminals, the number of password resets they'd need to execute might set them back, what— 5 minutes if it's not scripted? And all of it is moot if you use a 2FA method aside from email? Beyond that, considering how much more frequently email accounts get compromised, singling out the storage location for password manager databases seems pretty arbitrary.
I just don't see how the opposition stands up to a comparison of attack vectors.
Agreed, those are already risks, and ones that are a lot harder to mitigate (though I do try where I can). Does that mean I should add another one that I can easily avoid?
There are risks in both local and cloud password managers. Maybe those risks seem equivalent to some folks, and the cloud features are useful enough for it to be a no brainer for them. For me, I don't at all mind manually backing up and manually copy/pasting credentials, and I don't miss the convenience of the cloud features.
> Let's say they did compromise your email account ...
This seems focused on the case of a dedicated attacker focused on you specifically. Id think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
In any case, I agree risks already exist in other places. For me in my specific set of circumstances this just seems like an easy one to skip.
Hey— whatever works for your setup. Especially for those who don't use a smart phone and have one machine, it's probably a minimal loss in functionality.
> Does that mean I should add another one that I can easily avoid?
All other things being equal? Avoid it, of course. I firmly oppose letting perfect be the enemy of good in the sense that more secure is better than less secure even if it's not perfectly secure. But I also oppose it in the sense that rejecting beneficial functionality because it's not perfectly secure, especially when it's not close to the biggest or most attractive attack surface, doesn't make sense. Even when password managers' servers were compromised— LastPass, for example— I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
> This seems focused on the case of a dedicated attacker focused on you specifically. Id think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
Nope— If it was automated the distinction is even less significant. A script would only need to search your email for whatever specific types of logins it supported and fire off password resets. Non-email 2FA becomes even more of a hurdle without the option of social engineering it or some other human-touch fix.
Consider this. (very) Roughly, this is the market penetration for these products:
* computer: 90%+
* smart phone: 85%
* tablet: 50%
* computer, smart phone and tablet: 40%
Most people (in this country, at least,) have multiple devices. Most people have internet access. Most people aren't going to be able to manage storing and sharing passwords among their devices at all, let alone more securely than cloud storage would do it. So for most people's use cases, it would be like citing health when refusing to put a teaspoon of sugar into the cup of tea they're having with cake and ice cream.
So like I said, avoid it if it doesn't improve your life— I have no stake in your password management choice— but I will actively butt in to qualify the sentiments expressed in this thread because, a) many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD. Cloud-based password management is vastly superior to regular folks' existing methods. If they're put off by technically savvy people saying they're fundamentally insecure, that is the embodiment of perfect defeating good.
> I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
Can we actually know this? We only know about the breaches that we're told about, or that are found and disclosed by researchers. I'm not familiar with KeeFarce, but presumably attackers need local access, in which case you're boned anyway.
> ... many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD
So this is the part that I worry about. I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits. I'd love to be proven wrong, but I imagine in 10 or 20 years we're going to have a very different attitude about these things, sorta like people who were using xray machines to size shoes before they learned about the effects.
Once any info gets to the cloud, its out of your control forever, and its in a place where it can be attacked by the current ~8 billion people on the planet, and all the new people coming along after that. Its an impossible task to defend against that. Not to mention as someone like lastpass grows, what could be a juicier target than that? Why try to pwn individual services when you can just get all of the legit credentials at once from one place?
If the options are only use the same 6 character dictionary word for every account, or use a cloud subscription password manager, I'd probably recommend the latter. But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution.
In the past I've recommended a local password manager with generated passwords on your one machine that you do anything sensitive with. Back it up on a thumb drive once in a while. For your most used accounts (e.g. email) that you really want to use on multiple devices, use long memorable pass phrases and just enter them in. Some people might think this is primitive, but its not that hard and it should be plenty safe for most people. Its just not as convenient.
> I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits.
> Once any info gets to the cloud, its out of your control forever.
You're propping up a straw man using a hyperbole.
> But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution[...]
And then presenting your original assertion without any more evidence.
But that's all nearly beside the point.
The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
The entire point of password managers is to mitigate this. You need to compete with the psychological ease of re-using the same password repeatedly because that's the only way regular users will use it. Then, you can warn them when they're entering credentials into a site where they don't belong. You can warn users if a service they use was breached. You can warn users that their password is weak or reused or old and give them a quick solution rather than leaving them to figure it out. You're making it easy for them because that's the only way it works. If you draw two barely kissing circles on a sheet of paper, that's the Venn diagram of users who care enough about electronic security to deal with the extra irritation of using strong unique passwords but won't use an automated system to do it.
So maybe the second-weakest link is the credentials themselves, and the third weakest link is the collection of websites users submit their credentials to that don't store the passwords in AES-256 encrypted vaults with no local master password storage, like password managers do, and the fourth is probably the browser, etc.
Everything we know about the actual empirical risk of these components points to password managers, in general, being close to the bottom of that list. Prioritizing anything but the most blatant password manager security flaws over even minor user convenience will have a negative net effect. When it's a risk so obscure that we have no documented instance of it occurring among thousands of documented instances of breaches occurring in other services, I'd argue it's less safe.
If you're going to base your security strategy on intuition about our relationship with cloud services, go for it. Personally, I'll leave the faith to the priests and stick to attack vector analysis and balancing limiting attack surfaces with solutions that work most easily for most people, because that's the only way they'll use them.
Does that mean that you agree that we can't know the extent to which things have been exposed? Cause that's part of my point. Of course you can flip that around and say well you can't prove that nobody compromised your local machine, but one of those things is open to attack from many orders of magnitude more attackers by virtue of being on the open internet and in a physical space that you don't control.
> You're propping up a straw man using a hyperbole.
You're cooking up a tasty word salad there, chef. Can you give me a little more meat here? I don't quite follow. Have you never heard people say that you shouldn't write an email or send a picture that you wouldn't want to see in the newspaper? Its a similar concept. Once you send something out over the wire, your power to make decisions over what's done with it is gone. You have to hope that whatever was listening on the wire is (and will continue to be) benevolent. How do straw men and hyperbole apply here?
> The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
> The entire point of password managers is to mitigate this.
I agree. That's part of why I use a password manager, and recommend that others do so too. We just disagree on whether or not its advisable to cede control over that kind of tool to a third party.
It feels a lot like the argument that your money is safer in a bank than in your mattress, which is an argument I agree with. Except replace all the banking regulations and security with a ToS that can change anytime and emails about how very deeply we care about your security. I'll keep my cash in my safe at home in that scenario. Maybe there are some people who'd still be better off using that bank. I wouldn't feel good giving that recommendation though.
I know what a straw man is, but you just naming the term doesn't constitute an argument. Maybe a more clever person than myself could have intuited what you believed was an example of one, but I couldn't.
Russell's teapot is a new one to me. It seems you're position (correct me if I've misunderstood, or don't since you don't seem interested in the conversation anymore) that since we don't have definitive proof that we can't trust these third parties, it's wrong to distrust them. I'm too paranoid to buy that. If I can't verify, then I don't trust. Good luck with your better things.
You can never fully trust any password manager unless you audit all of its source code and compile it with a compiler whose source code you have also fully audited. Good luck!
I really hope this means new product offerings with no impact on existing products, rather than "fucking with the product b/c it doesn't make us enough money".. which I'll dub corporate Marak syndrome..
Also, JetBrains syndrome - where you barely develop existing products because making new products makes you more money. Happens with kick-starters and games on steam as well.
Sounds like they've noticed both macOS and Windows getting integrated cloud-based password management capabilities and feel the need to branch out in order to stay one jump ahead of irrelevance.
(Disclaimer: I'm a satisfied 1Password customer. Just noting that their competitive edge is wearing razor-thin these days.)
Apple provides a plug-in for Chrome to allow use of your stored passwords on Windows. Announced last year. I've tried it on Windows, appears to work, but do not know how secure it is.
---
Edited to remove references to Linux. Appears to be Windows only.
Apart from “works on stuff you didn’t buy from Apple” (a feature that I think isn’t in Apple’s interest to support well), what major features does it have that keychain syncing over iCloud doesn’t already have, or could easily add?
Shared family vaults are the big thing for me -- I don't want to share _all_ of my passwords with my family, but 1P is a good way to share stuff like streaming service logins.
That might be because they want to make their own services more attractive (if so, I think they made the wrong choice), but also could be a legal thing.
https://www.apple.com/family-sharing/: “You can add anyone to your Family Sharing group age 13 and older and invite them to share an Apple Card”, so members of An Apple iCloud ‘family’ neither have to be family members nor live at the same address.
That’s broader than, for example, the TOS of Netflix (https://help.netflix.com/legal/termsofuse: “The Netflix service and any content accessed through the service are for your personal and non-commercial use only and may not be shared with individuals beyond your household”)
Apple might fear getting sued if they make it easy to share a Netflix password with members of a family plan.
Considering that Netflix’s ToS and Apple’s Family Sharing both say that they’re only meant for people in the same household, I don’t see “Apple might fear getting sued” as an issue.
Where do you read that for Apple’s services? Reading the “Apple Media Services Terms and Conditions” (at the confusing URL https://www.apple.com/legal/internet-services/itunes/), it doesn’t mention household, always spells “Family” with a capital letter, and as far as I can tell, only mentions these restrictions on who can join a Family:
“Family Sharing Rules: You can only belong to one Family at a time, and may join any Family no more than twice per year. You can change the Apple ID you associate with a Family no more than once every 90 days. All Family members must share the same Home Country”
It goes beyond passwords. I use 1P to store documents, 2FA codes, IBANs, notes. You can also attach arbitrary metadata to each entry, and I don’t think there’s the ability to filter by category in the iCloud keychain.
They would've immediately halted cross-platform support or at least severely limited it due to institutional/organizational issues. Any 1Password subscriber not using an iPhone would soon be unhappy.
Although this could happen, I think it’s unlikely. Apple knows it’s a services company as much as a hardware company now. If you look at their existing services, they are not excluding non-Apple users.
- Apple Music has a web UI and Android app
- FaceTime recently added 3rd party links allowing non-Apple users to join calls
- Keychain is being made compatible with Windows Chrome
It’s clear from raising this much money that 1P owners are doing a “private IPO” or adding more products and features. If it’s a cash out, wouldn’t you want a privacy focused company to buy it instead of VCs funding it and expecting a return? If they are building new features and products, Apple buying it could bankroll that and temper price spikes.
This is exactly what I'm referring to. I put up with Apple's website for more than a year as my primary casual-use computer became a Windows PC.
I work on iOS apps for a living. App Store Connect has always been terrible. Bugs linger for years. Elements continue to break in unexpected ways. The place where developers receive feedback from Apple is still hard to find even though it's immensely important. The website received a major redesign a few years ago and the bugs were still there!
Now apply that lack of care to a music website. Being forced to login daily. Asked to perform 2FA daily, so I need to keep my iPhone near me if I expect to play music. Songs inexplicably not playing, if play fails repeatedly, maybe a page refresh will work. Songs inexplicably only playing previews, forcing you to log out and log back in. Zero effort to restore your previous searches.
Apple makes attempts at providing services on the web. But for those of us attempting to use those services, the experience varies from subpar to outright hostile.
> Keychain is being made compatible with Windows Chrome
Again, see how people review this in this very thread.
---
Simply providing the service does not mean it's good. That's what I mean by "institutional" and "organizational". They half- or quarter-ass what they ship, and then they leave it to rot.
Agreed. And with Edge/Authenticator, it's cross-platform as well (Windows, MacOS, Android, iOS), and as of recently, it's close to feature parity. We dropped our Lastpass subscription. It's probably families like ours that has 1Password worried.
So what's the pitch to the investors then - they'd arguably need to disclose this possibilty? Or is this next level of pumping up before dumping on public market via IPO?
1. native app (no bullshit JS based) for speed
2. the same keybindings CMD+\ or Option+CMD+\ to fill in or pop up the menu
3. sync with icloud
4. not look like total shit (ie. lastpass)
Do these basic things and I think you can easily steal 1pass users.
I found Keychain quite horrible. Everything is or at least felt just too abstracted away so that I don't feel in control of my secrets. Might have been just the UI though. And then it's obviously not crossplatform by default. Sync your password database between your Android phone and Mac? Nope. So it's another step into vendor lock in.
All of them? There isn't a single good KeePass client on macOS.
Strongbox is the most polished but doesn't offer browser integration.
KeePassXC has a terrible UI, and MacPass doesn't remember your key file between sessions. Both require staying in your Dock and need the janky KeePassHTTP-Connector to work with a browser.
I'm surprised they haven't bought Rainbow or Metamask or made their own crypto wallet yet. Combining their current browser extension with private key management in a crypto wallet makes a lot of sense to me.
To me it means the contrary. If they had to make those $620M back by just selling password management, then we'd all better expect it to get crazy expensive soon. But if they branch out and start making money on other products and services too, then there's a chance the product I currently use will remain affordable.
Google/Chrome offer the best user experience for password management, but I guess many people using 1Password are doing so specifically to avoid Google?
I haven't changed my setup of (free) keepassxc in (free) Dropbox in 10+ years. You can even add a standalone version of keepassxc in there if you're worried about needing passwords from a new computer. Usually, simple beats free (Spotify > torrents) but somehow this setup has always just worked perfectly for me.
That being said, for friends and family I'd suggest paying for 1password. Or using a paper notebook. Most alternatives don't have a stellar track record with security.
Both the Fastmail[0] and Privacy [1] integrations have made 1Password a joy to use in the past few years. I've used premium BitWarden in the past, but the UX of 1Password is hard to beat. Congrats to the 1Password team!
A lot of comments don't seem to acknowledge the importance of UX to leveling up security. Historically, security products have had terrible UX with everyone working around these and introducing more risks. 1Password is doing a great service here by making security simple and reduces our overall attack surface.
I wholeheartedly agree with the UX comment, and for the "leveling up security" part specifically, I'll point out that 1P 8 now has a "generate horse-battery-stable 'security question' answers" button, which is about as close to the intersection of good UX and good security as I can imagine
My experience with Bitwarden is that their browser extension is gravely broken, which is a subset of UX, but crosses over into "how is this not a 'stop all work and fix it' bug?": https://github.com/bitwarden/browser/issues/1620
I have a paid Bitwarden subscription, because I wanted to give it a fair shake, but based on my experience thus far it'll be years before they catch up to AgileBits
Bitwarden, over the last few years, has been focusing on enterprise features and has largely ignored more basic stuff. It doesn’t seem like that’s going to change quickly, since the pace of development seems slow.
I think this type of massive up-round investment is basically an IPO, likely a fair amount of secondary level of exit for founders, employees, and wouldn't be surprised if the seed/first round investors were able to unload a little (if they even wanted to)
They've also (supposedly) been profitable since inception. It's likely that this round has a significant secondary, which means they're just cashing out part of a profitable business.
Exactly. An increasingly common thing lately is what’s effectively a “private IPO”. That’s what this sounds like - liquidity for investors / staff, and ownership to a small cadre of professionally managed funds vs. the Wild West open markets.
Funny, "private IPO" is exactly what I said to someone I was discussing these types of rounds with.
Going public has very tangible costs, but also massive intangible costs. Private markets are extremely frothy and keep ownership and control within an aligned group of investors. This can make all the difference in the world to management.
I've been using 1password for years and so far haven't had any problem, all apps (desktop and mobile) work great, but I don't understand why they would need this kind of money, especially considering it's not free or cheap service.
iCloud email hiding generates addresses on iCloud domains, i.e. services will begin to flag them as a commonly-used disposable address provider and disallow them.
Also completely worthless to the vast majority of people who are not on Apple devices.
Also also, 1Password's integration with the email isn't managed by them. They talk to Fastmail, Fastmail spits out an address and tells it to 1Password, who then fills the form with it. I can ditch 1Password at any time, even delete my account, and lose nothing.
Great news for a great team. 1Password makes a very solid product and the company genuinely helps improve the security ecosystem for their users (and, through working with browser vendors on things like extension security, all of us).
Hopefully they don’t go all cryptocoin and NFT with the funding… but given their dna, I think they will expand wisely.
First question is where does password manager spend that amount of money. Second question who gives that amount of money to less than 10% of password management company... Sure it can have billions of users, but still it is in no way novel or complicated product. In sense it takes anywhere near that sort of money to build or manage...
When I went from lastpass to bitwarden I could simply export all my passwords to a json file and import them to bitwarden. I think it took like five minutes or something like that.
I imported from 1password. I found the following problems.
- Some items did not import correctly at all because the 1password export format did not quote values (CSV). This means that if I have a password with a comma in it, I get two broken entries. This is more of a 1password issue though.
- 2FA tokens did not import and would have to be manually reset. I guess this is to be expected though.
- Some fields had different names than bitwarden was expecting, so values were imported into the wrong destination and had to be manually corrected.
This was a while back so I'm not sure if anything has been improved.
I recently migrated from 1Password using Dropbox for sync, to KeePassXC (Windows, Linux & Mac) and Strongbox (iPhone & iPad) still using Dropbox.
Migration was a simple matter of exporting a CSV and then just correctly selecting the column order for KeePass import.
For those who don't want to trust a third party, even with their encrypted data, I believe that home NAS sync-when-available is possible - I personally haven't tested the implications of syncing changes from multiple devices at the same time in that scenario.
I exported successfully from 1Password 6 onto Secrets and KeePassXC. Only thing missing were software licenses (some attachments may not carry over correctly or show up as notes).
This kind of announcement tends to ring all kinds of alarm bells for me. What kinds of changes should we expect to make those huge investments worthwhile for the investors?
My 1Password installation is grandfathered from a time when it was just a standalone app, without subscription. Will it just stop working one day to bully me into subscribing? Can you even start using 1Password these days without buying a subscription? I'll have to start looking for alternatives today.
Unfortunately yes. You'll still be able to use your license but once that version becomes incompatible with your OS you won't have a choice but to upgrade. I'm disappointed I won't be able to keep the Dropbox sync in 1Password 8. They did have this survey to gauge interest in self hosting it: https://survey.1password.com/self-host/
You can sync local vaults any which way. I personally use Syncthing, but any file syncing service would work.
On another note, I've been using 1Password for years, for free. The mobile app can edit local vaults without signing in, and the desktop program can view local vaults in read-only mode. If I want to edit or add a password, I do it on my phone—it's not worth $150+ to be able to do it on my PC a few times a year.
I don't have the old version installed anymore in order to check, but I thought that 1P only required that you authenticate to Dropbox (since the app just uses the Dropbox API for polling and to pull down changes), not that you turn on syncing. I mean, it's possible Dropbox is so sick they count a signin as a new device, but that would be a grave disappointment
Interesting, because in the root of my Dropbox is ".ws.agile.1Password.settings" which is a plain text file containing the "Dropbox App" path of "Apps/1Password/1Password.opvault" and my understanding of that "Apps" folder in Dropbox is that integrations can write whatever they like to it, but not write outside of it
I have a similar Apps folder for "O'Reilly" from back when I connected their app to Dropbox, and one for Joplin. It's too bad I don't have 1P 7 on my machine anymore, because I no longer have Dropbox on my machine so it would be a good test to see if it still syncs without the Dropbox client present
Ah fuck. They now need to grow at any cost to earn all that money back. And they'll throw their users under the bus, if they have to, because it's either grow like a unicorn or go bust.
Also, I sincerely have no clue how a password manager could be so expensive. Last time I checked, the excellent KeePassXC was still free open source and developed by volunteers in their free time. How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
Exactly. Once you raise a bunch of VC money you've sold your actual business to vampires. From now on it's grow at any cost. Add bloat, feature creep, unrelated projects, cost increases, and probably user data mining and sales on top of it. How was their rather expensive subscription fee and large subscriber base not sufficient to continue operating profitably?
I don't know. Greed? I've been following the 1Password Saga for a while (long time user), and how they responded to the electron pushback seemed like they lost their initial vision and what made them "in touch" with their users like me.
With 1Password 8, they shared news that they were moving from native (mac) apps to an Electron UI/frontend with a Rust backend. They did an AMA on Reddit, but didn't show up for a while and got hammered by their users. Their refrain, until Dave Teare showed up, was "but it will be on Rust and the backend will be faster" and didn't acknowledge why users might be upset with the move from Native to Electron apps.
I think it was a mistake to even involve the online community. Of course nerds want you to build a high-quality native experience on every platform because they are heavily invested in their platform of choice. Listening to these kinds of users at all will drive your business to ruin.
Honestly building on "tech stack power users hate" is probably the easiest way to fire all your worst, most needy, users.
Reading about it now, it feels like the electron move was a result of the VC money. With pressure to grow comes endless A/B tests, gimmicky features, etc and having too many different platforms means you need to split the work across more devs. Trying to match the extra functionality and have the same look is pretty difficult as a program grows.
That being said I hate that 1Password needs that. It’s just a password manager at the end of the day.
I’m amused by the large portion of the Hackernews userbase that seems to view venture capital as an absolute evil, given that this is YCombinator’s forum.
Can you really not think of any examples where VC capital has improved a company, product, or service?
Dropbox, Spotify, and Twitter all used VC money to launch/improve their product. Just because you don't specifically like the traunch of VC money that was used prior to IPO doesn't mean all VC is blood-sucking.
There are countless examples of products people use that have had some form or shape. In fact, I'd argue there are rarely apps that anyone uses here on a regular basis that didn't have some form of VC money injected into them. The only one that comes to mind is (1) Basecamp (but technically they took money from Bezos) and (2) Atlassian pre IPO (now public).
I cannot and it's widely known how they ruin thing with example after example. I'm sure some VC has helped a few people inadvertently along the way (although it was likely the founders, to the chagrin of the investors, that did anything positive). The VC business is to make money, no matter how shitty they make things, by blowing them up or letting them die, they don't care for anything else, why would they.
I would think most people view YC more in line with the Angel round, which is an entirely different view point; Angel's are actual helpful people who did something on their own to achieve success (not poser VCs) and/or are mentors and coaches who want to give back, but it's unfortunate that people need to go beyond angel to VC, and the expectation from the angels is that you must or they won't make their money.
Just because we are on a YC forum doesn't mean we have to suck the industry's dick.
I don't think the problem is with capital writ large, but rather the perverse influence of capital incentives as applied to a personal security product.
The value one gains from a personal security product (data portability, availability, accessibility) is often at odds with the interests of capital, which lean towards moat construction and rent-seeking. Over time, in a for-profit company, capital will always "win". Trading equity for other peoples' cash investments only accelerates the process.
For an adjacent example, LastPass never took a dime of VC money (afaict), but their structure as a for-profit company pushed them to lock down their product and charge rents, where they had not previously. If they had taken VC money or went public instead, it may have delayed the inevitable, but it only would have been a delay, not a solution.
People in this thread are disappointed, because these companies began their lives with a compelling, free, and user-empowering invitation, and it is sad (although not at all unpredictable) to see those features taken away by the incentives of capital. I think it's understandable, and I wouldn't read it as an indictment of VC writ large.
> For an adjacent example, LastPass never took a dime of VC money (afaict), but their structure as a for-profit company pushed them to lock down their product and charge rents, where they had not previously. If they had taken VC money or went public instead, it may have delayed the inevitable, but it only would have been a delay, not a solution.
I do not understand. It's a business. Why would anyone expect important services to be free? during ramp up there's a benefit of providing free or discounted services while you grow, learn what users want, estimate your own costs, etc; It was a free ride and you can enjoy it while it lasts. Why would anyone expect a free ride to also last forever?
In my opinion great products need a strong balance of capital and ideals. Capital incentives unchecked by a counter balance of leadership actually believing in the mission of the company can lead to bad outcomes. Pure idealism without adequate funding has another set of problems though.
> Why would anyone expect important services to be free?
I think the "common person" does not see these as growth hacks. The internet is full of things that "appear" free, and have "appeared" free forever.
You have x-ray vision for how these businesses work internally, and you describe the playbook very accurately, but most people do not have this kind of context.
Which makes it hard for those people to distinguish "good people doing good work for the good of all" from the playbook you describe. It's especially hard when the company describes itself as the former externally.
> Capital incentives unchecked by a counter balance of leadership actually believing in the mission of the company can lead to bad outcomes.
This is true. As a customer, depending on the good-will of leadership to counterbalance the influence of capital is depending on humans, and even really good ones are fallible and temporal.
A for-profit company blessed with good leadership today does not guarantee a for-profit company with good leadership tomorrow, a year from now, and so-on. Eventually, within the constructs of a for-profit company, capital always wins.
> In my opinion great products need a strong balance of capital and ideals.
Yep yep, value creation and openness are not mutually exclusive, and one does not have a monopoly on the other.
However, I'd argue that value capture and openness are mutually destructive: only one wins in the end, and the total victory of either marks the death of a business (i.e. something that generates profits for shareholders).
From a consumer's point of view, once an organization gets in the mindset of optimizing for value capture over value creation and openness, it's time to consider moving on.
The paradigm-shift of software is that the victory of openness no longer means the destruction of customer value, because OSI-licensed software can outlive the business.
> This is true. As a customer, depending on the good-will of leadership to counterbalance the influence of capital is depending on humans, and even really good ones are fallible and temporal.
Well, I dunno, you always are depending on the "good will" of leadership. They could decide to squeeze every cent and provide as little value as possible at any time, whether they have venture funding or not. If your alternative is a "non profit", look at Mozilla, plenty of people unhappy with a lot of their decisions and users feeling "betrayed". I don't think we can expect most services to run as non-profits regardless. It's an imperfect system, but is the best we've got so far.
> From a consumer's point of view, once an organization gets in the mindset of optimizing for value capture over value creation and openness, it's time to consider moving on.
I'd argue this comes after the IPO. When you have millions in venture capital, is easy to keep running the business at a loss and keep growing. When it's time to make a profit is when things start getting hard.
I suppose this is what some people don't like. They'd like founders/businesses that stay small and focused on a niche, make money but not too much and keep a good value product running. Without looking at 1Password finances though, even when it was a paid service, we don't know how profitable it was, if at all, and may be going after enterprise customers with this new funding is the only way to not only 'break even' and start making some good profits.
> you always are depending on the "good will" of leadership
This isn't true if the product is FOSS. The Mozilla Company can be a disaster, but that's OK because Firefox is OSI-licensed. It will outlive Mozilla, and one or more community forks will appear to replace it, if needs be.
For example, observe how https://rockylinux.org/ rose from the ashes of RHEL/CentOS, after Red Hat were acquired by IBM.
The lesson is that as long as there's interest in an OSS product, there is money to be made servicing (hosting, bug-fixing, whatever) it. Where there is money to be made servicing it, a business will appear to soak up the demand.
> I'd argue this comes after the IPO.
I think it's purely a function of who your shareholders are, what your unit economics are, and how much money you have in the bank. It can happen to any stage of company. In general, contrary to popular HN belief (not saying it's yours), VCs prefer not to put good money after bad.
There are many public companies that are not relentlessly pursuing value optimization, because they have good unit economics, and have invested in attracting shareholders that are aligned with this idea. They are not starved for cash, and can raise money with low-interest loans when a growth opportunity presents itself.
> Without looking at 1Password finances though, even when it was a paid service, we don't know how profitable it was, if at all, and may be going after enterprise customers with this new funding is the only way to not only 'break even' and start making some good profits.
Like you say, we can't comment on 1P directly without knowing access to their Stripe account.
One might charitably say, their business hitherto was an experiment to see if one could build a VC-scale business around the problem of personal password management. The answer is no, but they can leverage their experience gaining that knowledge into solving a similar problem at an enterprise scale. That's probably how the execs & employees think, and it's a very reasonable take.
Unfortunately, while it's optimal for long-term viability of their business, it's not optimal for the consumer world writ large. While 1P has bootstrapped at the consumer's expense and benefit, building a consumer-facing brand for themselves along the way, it is now all downhill for the consumer from here, because they are no longer the focus of the company.
One can imagine a counterfactual, where they had developed their core applications as FOSS. 1P the business could continue to make money as 1P-enterprise, and "the people" could take over maintenance of 1P-consumer, if there was sufficient interest. The valuable experience they've accrued in building their product would continue to spin off value, instead of slowly grinding to a halt.
---
Don't get me wrong, if you put me in the shoes of some exec at 1P with a fiduciary responsibility, I would do the same thing they're doing. It's the only rational direction. Their decision space is/has been heavily constrained by their initial conditions (accepting VC money, not starting with a FOSS product, etc.). If they hit `git push` to some public remote today, they risk losing the entire network they've been investing the last N years in building. It's not reasonable to expect people to make that trade.
I guess I'm hopeful that people will observe these outcomes, that it may influence their own decisions in choosing the initial conditions of their own projects. Sometimes fiduciary responsibilities contravene social responsibilities, and the superior cure for that circumstance, like with so many others, is prevention.
Yeah I get this, I'm a paying customer. Not overly worried, as long as I can export and move on to another service. I used to be a LastPass user until 2yrs ago. I was replying to the comment about LastPass starting to monetize users (e.g limiting the free tier functionality even more).
I think the big VC raise is often the moment that many companies' relationship with their users goes from friendly to adversarial. I suspect this is because the incentives become misaligned. A bootstrapped company needs to keep its users happy to keep the money coming in for operations and growth. User churn is expensive at this stage. A funded company has other options such as running at a loss to attract new users and outpace any churn in the existing user base.
Viewed that way because it's the truth. It ruins everything it touches, but makes a few rich people along the way. For some that's the goal, but it's absolutely a net negative.
I can think of many times where VC capital has improved a company, in two ways. The first is in allowing a company to scale far more quickly than it could have naturally. The second is in creating connections to other companies, essentially getting a foot in the door to convince those connections to use the company's product.
But rarely improved the product. At best you have a company that does keep it's soul, and continues to improve the product as they would have on their own. Far more often, the product and pricing structure is made worse in the long run through VC investment. It's not necessarily VC interference that is solely to blame, the change in size and scope that tends to come with such investment is a massive hurdle on its own.
Of course, taking VC capital is almost certainly necessary to continue to exist, given you are competing against others who will take that capital and quickly use it to out compete you if you do not. I just view this as unfortunate, when I find companies that grow at a more natural speed to generally create better products.
I don't consider venture capital absolute evil (or evil at all), but don't understand why old profitable company with established user base needs to take such ludicrous amounts of money from VCs. What are they planning to do to return that investment? Grow by any means necessary and sell out with all our data to big tech company? As a long time 1Password user I have a bad feeling about this.
1Password has the cloud, so maybe a better comparison would be bitwarden, not free (to use their hosted service) but FLOSS. Everything else stands, though ;)
But 1Password previously had the option to _not_ use their cloud, and they deliberately killed it to push people onto their subscription offering. So I think in the context of a conversation about how financial conditions will force changes which change the customer experience, I think it's entirely fair to compare them to a non-cloud option.
>they deliberately killed it to push people onto their subscription offering
There are things available via the Cloud version that aren't available with local vaults and, in order to maintain those, they decided not to put the time into implementing those changes for local vaults. Local vault users are less than 1% of their user base.
Parent comment said they killed it. They didn't kill it. You can still use local vaults currently. You won't be able to any more in newer versions because they're no longer at feature parity. Killing it to push people to the subscription model implies malice.
Yes, especially nowadays that sync errors are not commonplace. I use it with Nextcloud. But that still requires you setting up your own thing, which is why people like 1password and bitwarden.
Big fan of KeePassXC (https://github.com/keepassxreboot/keepassxc).
Works wonderfully on MacOS. I guess 1Password is a bit snazzier, but I'm really not sure what you would use $620M for in a password manager...
> Maybe they'll go the Keybase route and integrate some crypto?!
Well, congratulations, you just proposed a scenario that would make me consider leaving 1Password after all. :)
Seriously, I am somewhat concerned at this level of VC money injection; I'm not intrinsically against venture capital or such, but investors (obviously) want a return on their investment and it's hard to imagine how you get a return on that much investment with just a password manager, even one that's a subscription service.
(I am also not intrinsically against crypto and wouldn't really abandon a service just because they do something that involves it, but most blockchain technology continues to feel like a solution in search of a problem. That's another discussion, though…)
I'll vouch for BitWarden. You can self-host or use their cloud offering. The server software and all of the clients are open source.
I've personally been using the cloud offering for several years now and feel quite satisfied with it. The free tier is generous, the premium tier is very affordable, and I can export my data to a self-hosted instance anytime I like.
Bitwarden for me. I've been using 1Password from around 2013 I think. I didn't buy into their subscription model so they've been gouging me with difficulties and cost in buying upgrades for a few years.
Apparently they have 500 members of staff these days, and millions and millions of investor dollars. Apart from maintaining browser extensions, for my own personal use I've not noticed a single interesting feature in recent years.
I moved to Bitwarden when the electron thing was announced, haven't paid any subscription yet and seem to have all the features I used before in 1Password. Bitwarden is very much recommended and I wouldn't recommend 1Password to anyone these days.
Bitwarden for private password managers and something keepass based for shared passwords in small teams works great. We use Keeweb with a keepass database on a shared Google drive. I put the master password for that in Bitwarden.
I guess for bigger enterprises you might like something with a bit more fine grained access control and auditing features. E.g. rotating the master password is a bit of a PITA. I actually did that this morning because somebody in our team left.
Most companies would want some kind of solution and most bigger companies would likely end up paying for something.
Keypass + Syncthing to get the database on all your devices. This combo has worked flawlessly for me for over 5 years now. I sync to all kinds of devices too including android phones.
Sure, labour costs are expensive in our industry. But it's under-appreciated that once you need physical infrastructure, sales and enterprise support, that really tends to eat into your millions.
Please excuse my ignorance about this, but what do "cloud and enterprise" costs entail? Password managers seem to me like a pretty basic CRUD app. I'd imagine the average user has a few KB's max stored, and data transfer is presumably very small (no images/video/other binary data). And enterprise users are presumably running the infra on-prem so I'd think the main costs have to do with support.
Is marketing the thing with the huge price tag, or are there other huge costs I'm not thinking of?
I'll use a past life as an example; 150 person company -- 20ish people in engineering total: 5ish on doing infra, and 3 dev teams of 5ish working different verticals.
Then you have leadership, sales, marketing, HR, finance, support, and retention. By a huge margin sales, support, and retention were the largest. B2C is marketing heavy, B2B is sales heavy. If you're both then well..
Engineering can be really lean with respect to the number of customers/clients but the rest of the business can't.
Yep, this will go the same way as LastPass sadly. This kind of company must have a steady positive revenue stream from it's customers. If not, it is not reliable. They will not be paying this back any time soon.
Fine by me, 1password was too expensive to begin with. Sad to see they're wasting it.
> Also, I sincerely have no clue how a password manager could be so expensive. Last time I checked, the excellent KeePassXC was still free open source and developed by volunteers in their free time.
Because 1Password is easy enough to use that my wife and I can share a family plan without her getting frustrated. If one of us has a login the other needs, we can easily share it. When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
Nerds continue to fail to grasp the value of UI/UX. This has always been why FOSS and similar solutions have failed to compete in the market in spite of being "free" and often technically superior.
UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
The importance of user experience is only growing as the world becomes more and more time poor and we move more and more into an "attention economy." Saving seconds counts. If it doesn't work instantly it's broken, period.
Here's two ways I can explain it:
(1) If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive. It only makes sense to do this if you have a lot of surplus time on your hands.
(2) If you have ten million users and make a UI/UX improvement that saves them one minute a month and you value their time at an average of $50/hour, you just created about $8.3 million in value since that's the value of the time you just saved.
A rule of thumb that I use is that every step required to do something halves adoption. So if you have a 10 step install process, only 1 out of 1024 people who look at your product will make it to trying it.
Every developer needs to have "user experience is everything" tattooed on their forehead.
I made the same argument below but I was downvoted to hell.
Bitwarden is not an alternative to 1Password that passes the wife/parent/elder test because the UX is so bad they need to call me everytime something isnt exactly working as before.
This seems to be a general characteristic of enthusiasts.
To design a good car for people other than car enthusiasts, you have to hate cars or at least be able to place oneself in the shoes of someone who hates cars. People who don't love cars want a car that makes them think about cars as little as possible. The purpose of a car is to carry you from one point to another, not to make you spend time on cars.
There isn't one. I will continue to say this, people will continue to ignore it, and the computing ecosystem for the average person will continue to be locked down by corporations that do not ignore it. Free, open, and privacy respecting technology will remain irrelevant outside enthusiast techie circles.
It's a bit like climate change. Scientists will warn, people will ignore, and then we will abandon Miami and will probably blame the scientists.
Excellent, problem solved. I was thinking somebody would have to contribute UI changes to an open source project, but it turns out flaming people on the internet is much easier.
Maybe it’s because Bitwarden’s UX is actually quite good? I found 1password’s to be substantially worse when I tried it a few years ago, especially on non-Apple devices. Perhaps that’s changed, but for something so heavily touted for being well designed, I found it to be very disappointing.
I can't stand nerds that fundamentally can't learn this nuance. It's like the biggest blind spot ever. There are just so many of them in the tech industry working as software engineers, which is why we have powerful tools that are a pain in the ass to use. It makes me hate software engineers, and I am one.
Really? I use both (Bitwarden for personal, 1Password for work) and find the UI for Bitwarden to be more complete and consistent. Like if I want to edit a login item, I must open a new browser tab in 1Password. Not so in Bitwarden. I still can't figure out how to consistently trigger the workflow to add a new login for the current website automatically without opening a new tab in 1Password. You click "Add Login" in Bitwarden.
Agreed, I used lastpass in 2016 and tried to switch to keepass. I'm more than technical enough to use keypass and sync a vault across all my devices, but I needed this to be as easy as possible. I know myself enough to understand if something doesn't feel as easy as humanly possible, I'm much less likely to use it. A decent chunk of people are not like this, which is why I believe there is this huge debate over "Keepass vs 1Password". But anyway, I switched to bitwarden and the UX was more than good enough for me. It "just works".
I even started self hosting it this year and it continues to "just work" - although I don't recommend it to most people since I now have to manage a server. I was already self hosting a lot of other things last year (wanted to move away from google/apple services) so the "cost" of self hosting Bitwarden was negligible.
Anyway I know I rambled a lot, but just wanted to chime in and throw in my opinion about bitwarden
I really hope that Bitwarden improves their UI and UX, because I really want to like it. But their Collections and sharing feature is very unclear, especially once multiple people/orgs are involved.
I'm afraid to use it because they co-mingle everything in UI and I dont accidently want to share a personal password with another org.
Being worried of sharing a password accidently is very scary UX
Most users don't want to tweak anything related to their phones, tablets, computers, watches. If everything your app does, isn't reachable within 1-3 clicks/swipes/presses, then forget it.
Someone suggested using two versions KeePass files...one for shared passwords, one for not shared passwords. This is NOT a substitute for clicking Share Password and literally not doing anything else.
Someone suggested storing all your passwords in the browser. This is NOT a substitute for having all of your passwords available at the app level on your iPhone. This is NOT a substitute for sharing passwords with your whole family.
I have been hearing about how X11/MOTIF will "end the Windows/Apple hegemony" for decades.
I don't know how often I've heard "X Windows is just as good as Mac OS."
It's like when your vegan friend keeps telling you that "Falafel tastes just like beef."
They have never tasted beef (or they hated the taste), so they don't have anything to compare it to. X Windows is GUI, written by people that hate GUI.
What could possibly go wrong?
All that said, it's a crazy amount of money, and I really feel that the only real work the password manager needs, is to be rewritten in native. Electron is less-than-excellent.
They must have some kind of strategy that goes beyond just being a password wallet.
Also, for some software "everyone uses" like e-mail or an office suite, you can afford maybe some complexity or annoyance. The alternative "do not use e-mail" or "do not use an office suite" is a no go for almost anyone.
The alternative "do not use a password manager" is however totally common. So if you want to get someone with limited time or affordance for annoyance (like your wife) to use a password manager, the process of setting it up and using it better be very smooth and frictionless.
> Nerds continue to fail to grasp the value of UI/UX.
Or perhaps nerds do grasp the negative value of anti-patterns in UI/UX, and reject attempts to create interfaces and usage models that remove control from the user, create vendor lock-in, or compromise privacy and security.
I think a better way of saying this is that "nerds" (i.e. power users, the type of people typically on HN) want different things out of their UI/UX than the average user. That's the beauty of having different solutions to choose from: the power user is free to use something like KeePass, where it's not as easy to use, but you can set it up exactly the way you like; and the "normal" user can go with something like 1P or LastPass for more of a "set it and forget it" model. The average user doesn't care one bit about the things that you mentioned.
Absolutely; this is the key to the whole thing. It's explained at length in the classic The Design of Everyday Things. Nerds v. normies are given the monikers "Homo logicus" and "Homo normalis". The nerds value control, understanding, and are concerned with edge cases; they accept complexity, workarounds, and the need for preparation as the cost. The latter prioritizes nearly the opposite, preferring simplicity to control, and guaranteed if partial success for the need to understand/invest time.
I ditched 1Password in favour of KeePass exactly because of UX issues. 1Password felt too magical and did too much implicit stuff to my taste. KeePass is dumb simple and that's what I need from password manager. I hope that its UX will not change.
This is accurate. We charge twice as much as our competitor and we consistently hear from customers that UI/UX is a massive part of the reason they choose our system.
I think you understate your case. A lot of nerds and nerd culture is actively hostile to making things easy to use and will intentionally erect banners and over complicate systems in order to keep "normies" out and make themselves appear smart.Its rather sad really.
> UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
Huh, to me it's both. The UI/UX wouldn't be worth shit if their software ate battery like it was free, crashed often, was frequently janky, hogged resources to the point of being a problem, or all the fancy features underlying their UX didn't work pretty damn well without user fixing or intervention. Software quality is part of why their UX is so good, not just design languages or whatever. You don't get their level of auto-magic if you haven't done a whole bunch of things very right in the underlying code & architecture.
They're far from perfect (practically all consumer-facing software is at least kinda bad, IMO) and one can point to a handful of duds that they just can't seem to get right (Xcode, for instance) but I'd put software quality as my number one reason for using them, and I'd point to that as an absolutely vital element in their UX being well above average. It's that combo that no-one else seems able to touch—in fact, it often seems like no-one else is even trying, and I really wish they would.
> If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive.
This is quite true, but the counterpoint is that nerds enjoy spending that time. We like opening the box, poking at the wires, seeing how the cogs fit together, and tweaking things endlessly. It would be a liability for a normie, but for a nerd whose interest is piqued it's a fun Saturday project. This is why FOSS survives despite the UI/UX problems.
Not the person you were replying to, but I completely agree. I had fun setting up my Raspberry Pi as a Plex host / torrent box / home server.
Where us hobbyists go wrong is thinking any large percentage of customers want to do that. Any amount of futzing is too much. Most people want it to "just work."
The only downside is that I can't currently use my privately hosted instance as passwd safe with the chrome browser extension. This only works for the hosted version.
So I can't habe autofill, automatic saving of new/changed passwords and password creation and also use the same vault for the mobile app (Android). The mobile app can access the self hosted vault without any issue.
I would love to fully migrate to self hosted bitwarden, but the browser extension irks me. Maybe it is possible and I am just too dumb to find the solution.
on the login screen, you have a gear icon on top left corner (at least for the chrome extension), there you can add the custom url for your hosted instance.
BitWarden works really well for me, for example. It is FOSS and has hosted option; Has autofill plugin, android app, nothing required much in the way of configuration.
> When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
How about you share one KeePass file for all shared passwords and keep another one for your personal ones? KeePassDX on Android can easily handle multiple files. I agree, it's not a perfect solution but it's rather low-tech and something the layperson might still understand.
I use KeePass everyday and I really love it. But I would never recommend it to a non-technical person over something like 1Password or Bitwarden. It's a great piece of software, but the user experience is about 15 years in the past.
What about Bitwarden? Open source and has a free plan for two people. The family plan includes one more seat than 1password and costs 20 € less per year
I've had the exact same experience. It took me about 5 minutes to teach my partner how to use 1Password and its been years since I had to help them use the app.
I've stopped worrying about password re-use or compromise. Now I'm teaching my kids to use it and they love it b/c they dont have to make up or remember passwords.
Yes there are other technically equivalent options but the fact I can get it setup on an iOS device in seconds and trust its used is worth every penny.
Agreed, Keepass file synced on Google Drive. Using this for 4+ years now with 0 issues. Syncs across desktop (Keeweb), Android (keepassAndroid) and ioS (StrongBox). Takes 5-10 seconds to sync.
Also zero need to give any application permissions to access my Google Account. Using native google drive apps on all services to sync the file (just using file picker dialogs with drive app installed).
Got my non tech parents setup on this. 0 questions asked once I set it up.
Also have my partner and I on the same setup...just works.
KeePassDX has its own keyboard that lets you securely input usernames, passwords, and other fields without exposing sensitive data to the clipboard (handy when autofill doesn't handle the field).
I tried both KeepassDX and Keepass2Android. In the end I went with Keepass2Android. I don't remember why I chose Keepass2Android in the end, but I can definitely recommend it.
There is the WAF. There is also the part where when I evaluated KeePassXC two months ago, the browser plug-in would constantly desync and require a full page refresh and entering my master password.
With 1Password, I also have to reauthenticate all the time, but unlike KeePass, TouchID works.
I don't think browsers let you share passwords between users or multiple browsers. They probably don't let you store secure notes or add extra data about logins.
1password lets you share passwords with other people, even if they don't have a 1password account.
I've never seen a "share with family member" feature with a browser storing passwords. Also, this means I and all of my family members need to use the same web browser.
Using a 1password family plan is the only way I've been able to wrangle my parents across their slew of iOS, macs, Android, Windows, and Linux machines to stop typing in passwords.
That’s likely because they are used to BW first and was learned at home. This sort of ”phenom” happens all the time and is not only about the actual product.
There will be exact examples of the opposite happening.
BitWarden is not free if you compare apples to apples, and sign up for the same features including cloud hosting, 2FA, and family or enterprise accounts.
$620M isn’t for a password manager, it’s financing for a business with an enormous and growing user base.
Bitwarden is free for individuals and couples. So, it's free user-friendly (WAF!!) wise [0] in comparison to 1pass [1]. But much more important thing is the fact that bitwarden is open source and 1pass not. Closed source is deal-breaker for me.
"Crippled" is a big word. It does everything that KeePass would do, for example; it only falls short when it comes to sharing passwords among a group or family (you can send a secret via BW Send, but you cannot have a shared store unless you pay for Premium).
Yubikey and its likes are advanced features that the overwhelming majority of regular users will never need.
"Crippled" implies a degree of everyday suffering in the "cripple", or a downgrade from a previous state of health. The advanced features in Bitwarden were never free, in fact I think some of them were eventually added to free plans too. I honestly don't even want stuff like yubikey support, and could see that as feature bloat!
I don't expect everything to be free, I'm perfectly fine with the freemium model when the set of free features is reasonable - as, in my humble opinion, is the case with Bitwarden. So I wouldn't use a word like "crippled" when it's more like "normal for regular users vs enhanced for advanced needs".
I thought that it had all the same features, just not cloud sync. As far as I know the Yubikey is used for authenticating with their sync server. It doesn't actually help with the encryption
Bitwarden's free plan does have end-to-end encrypted cloud sync with no device limit. The free plan lacks TOTP support, but Bitwarden's $10/year plan does include TOTP support and is cheaper than 1Password's $35.88/year plan. Bitwarden is also open source, while 1Password is not.
I'm referring to Bitwarden Authenticator, which stores TOTP secrets and displays 6-digit codes like Google Authenticator does.[1] This feature requires a Bitwarden Premium account, with the $10/year plan being the cheapest option.[2] (Self-hosting through Vaultwarden is another option.[3])
This is separate from having TOTP 2FA on the Bitwarden account itself, which is available on the free plan.[4]
> Because much like privacy, password security shouldn't always be only a premium option.
So then who foots the bill? Password managers are the duct tape used to protect a user because we don't inherently trust application providers.
> proprietary code is a deal break for lots of people
Sort of. First, "lots of people" seems like "lots of people" because we're on HN. The wider population doesn't care whether your application is proprietary or not - they just want something that works. Apple's wall garden is proof of this. Second, you can still charge for a product and it be open source. An application being open source simply provides an audit log of the code and allows for "wisdom of the crowd" when it comes to bug and security issues. So yes I agree that having a password manager be openly auditable is a great feature, but I (and many others) likely would rather have the features of strong UX and known tenure (OSS tools get abandoned all of the time) then we would having an auditable source code.
Bitwarden does charge for certain features like TOTP support, organizations, and enterprise features. They manage to have subscription income while remaining open source, whereas 1Password chooses to keep its code closed source.
If you are saying that Bitwarden is worse because it offers a free plan, I disagree. It's nice that Bitwarden offers a security-audited* password manager to those who can't afford a subscription, who aren't ready to pay for one, or who don't have the means to make payments online. Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points.
> Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points
Well said - and this is the important part of the 'non-proprietary' argument of mine (above) - right now I consider 1Password's real customers being their shareholders/investors, not its users - the users are just another tool they use to bring value to their real customers (investors,etc.).
> If you are saying that Bitwarden is worse because it offers a free plan, I disagree.
For the record, I'm not. The overall discussion was that charging for a product was somehow bad. Bitwarden does charge for their product, just at higher tier levels. My bigger point is that you do want a provider that is going to stay solvent so charging money (which Bitwarden also does) is not some perverse way of satisfying customers.
Well let me ask the much more obvious question, for something as important as protecting your passwords, why on earth would you go with a proprietary service where you have no idea about the security, that could take away your access at a whim without any recourse for you?
I like Bitwarden too, but can't dismiss the fact that 1Password is superior to Bitwarden in many ways:
- Mobile UI is beautiful on 1Password.
- The UX from creating a password entry to auto-filling is easily better on 1Password. Bitwarden doesn't show autofill entries on login forms yet. That's a deal breaker, at least for me.
- Account recovery via a trusted family member.
- Additional security measure: private key in addition to master password.
Bitwarden has all those features you listed. I use it every day.
You can setup a trusted family member. You get a master password and private key incase you can't access 2fa. You can setup autofill entries. UI/UX are opinions.
You pay $40 dollars a year for Family, $10 a year for an individual. Cheaper than 1password.
I bought Lastpass when it was $12/year. Over the years and after being acquired, they tripled the price. I miss when technology used to decrease in price and provide better functionality.
Hopefully so, but I'd be willing to pay even upto 100 USD. I store a lot of things on 1Password these days that it's very hard to give up, and very convenient. It's not just passwords; medical documents, credit card details, passport, certificates, private notes.
I'm looking forward to Bitwarden implementing multiple account logins ("client profiles") [1] on their roadmap [2], before doing a gradual switch away from 1Password. Any time now!
Copy that, on the family plan, works on all the devices that need it. We trust their shared vault technology enough. 1password is compelling. Not sure it's a billion dollar thing but it's good.
This exactly. "Selling" a password manager to a non-tech person who either uses the same password everywhere or someone who writes weak passwords on post-its is a hard sell. It's a lot of added complexity and more importantly, a different way to think about passwords: you no longer know any of your passwords, except one for the password manager itself.
1Password does a pretty good job of this; as a user I do not need to worry about syncing the database, keeping an app up to date (the website is always up to date) etc.
Same thing with email. Everyone COULD run their own email server but it's pretty clear most people don't want to. We also see it with tech companies running their own servers. Again they COULD runt heir own hardware (and some do) but it's pretty clear most companies don't want to. There are decades of examples of where people could run something themselves and having very strong preferences for using a centralized and more user friendly alternative. I don't know why we'd expect it to be any different here.
I wouldn't assume the phrase is casting a value judgement.
I hear the phrase from time to time in aviation. "Have to sell the first plane" / "Doesn't pass the WAF" / "Wife thinks owning two planes it too expensive." I have no reason to believe these folks are not in a loving relationship.
If I may chime in, and sorry for acting like an annoying dude, but I also really dislike the term WAF. Of course the term makes sense if we look at IT and the world historically, but I don't get why in 2021 we still have to act like wives are tech illiterate by default, and also, what about women in IT who have tech illiterate husbands.
Yeah, GP's acronym ain't great. But if you sub out "wife" for "significant other" or just "family" then you have to admit that this is a real phenomenon.
I use pass [0]. To me, it is the best password manager that I've ever used. Command-line-first, free & open source, built on git... it's great, and suits all my needs. From the perspective of someone who spends most of their day behind a CLI, it is "simple" and "just works" more than anything else.
But it's not going to work for my significant other, who is very intelligent but isn't a software engineer. They're not going to learn git so that they can manage passwords, and the app doesn't abstract away git enough for them to avoid needing learning it. Hence, despite its merits, it fails the "SO acceptance factor" or whatever you want to call it.
I always thought the term was at least a little self deprecating; it definitely and doesn't mean "dumbed down so the stupid wife can actually use it."
There are a lot of technical enthusiasts and hobbyists, mostly dudes, who optimize for dumb parameters that nobody in the real world actually cares about. In this case, setting up a clunky, but fully open source password manager, when there are alternatives with objectively better UX available for relatively cheap (considering you use the thing many times each day).
In the home theater world, for a long time guys would brag about the disgusting monstrosities they've jankily hooked up in their living rooms, but a setup with high WAF means building something that's actually aesthetically appealing and congruent with the interior decor, hidden cords, not having to switch between 4 remote controls, etc.
But you're right - it should probably be SAF (Spouse Acceptance Factor).
My wife has this problem. I have a bit more tolerance. There is no else I try to convince to use such software. WAF is accurate but because I don't run it by someone else.
>I, a computer programmer who has more than enough intelligence
>Stop blaming/shaming wives.
It seems like it is you who is equating tech illiteracy with intelligence, pal. There is nothing wrong with being technically illiterate (most people are) and I don't think GP is shaming his wife because of it.
I have, since the family plan was first introduced, also gotten my aging parents on the plan (so my brother and I — both _far_ from where my parents live — can assist when required) and my brother.
My wife has shifted from merely using 1Password to advocating the use of password managers in general and 1Password in specific (she had a letter read by Peter Mansbridge on his podcast a couple of months ago where she did exactly that).
I agree with you that the 1Password UI is superior. I also didn't mean to imply that KeePassXC would be equal in every regard. That said, feature-wise, both of them solve the same problems for me.
But do you believe 7000 years of work is a realistic estimate for how much effort is needed for KeePassXC to catch up?
It's funny you mention WAF because that's exactly what kept me away from 1password.
I loved almost everything about 1P but their reluctance to authenticate with keychain means it's a PITA for me, and an absolute deal breaker for my wife.
Has this changed or do you still have to enter your 1P password every time you log in or your session times out?
I'm using KeePassXC on my work computer and it takes around 30 minutes of maintenance every two weeks when the browser extension can't find the desktop app or bare functionality like "copy password" stops working and I need to reinstall.
It really makes me wonder what kind of conversations had to happen to bring investors on-board. I don't want to give too much credit to investor types, but... surely this must have thrown up some red flags?
Exactly what kind of moon-shot ideas did 1Password start tossing around to get those wallets open?
Passwords are boring, hard and important. Customers know that, so are likely willing to spend a monthly fee to feel safe. Critically, they're unlikely to swap to a different provider when there's so much setup involved.
The data that can be obtained on users by just knowing where they choose to create logins for is also worth immense amounts of money, without even talking about how often they login.
Sure... but "good investment" and "good VC investment" aren't exactly the same thing. 1Password isn't exactly small and it's not exactly poised to explode either.
I get that there's an untapped market of non-technical users, but I am rather skeptical that advertising alone will have much success in activating it -- they'd need some innovative approach that changes the way non-technicals approach password management.
Correct, but also a warning sign. "Boring, hard and important" should rarely, if ever, be left to private companies as an isolated thing. They need to somehow be baked into the model of the other things that use it.
It's the same reason there should be no such thing as a "structural integrity" company separate from the building contractor.
I predict we start seeing "Login with 1Password" buttons on random websites next to the google and facebook buttons. I also predict it never catches on.
That's certainly an eyecatching idea! I'd hate to be engineer in charge of that idea, though... how would you even begin to drive webmaster adoption? Even with the leverage of their massive userbases, Google/Facebook logins are far from ubiquitous.
> how would you even begin to drive webmaster adoption?
"If your users use 1password, they won't keep forgetting their passwords (causing frustration and support burden) and won't use weak passwords that result in account takeovers (support and eng burden). Plus, you and your users won't be beholden to the whims of fb or Google".
Hmmm.... I read the headline here and was a little perturbed. WTF does a password manager need THAT much money for.
However, after reading your comment, I hope this is the direction they go. I actually really like the future where I can have instant accounts attached to a more anonymous backend than my social media. I'm sick of things as mundane as my local gym asking for access to my fucking friends list.
Sign-up hurdles are a real thing too. I recently read that it was a major factor to Microsoft's video gaming stream service never taking off.
I'm guessing this isn't what you meant, but a password manager that integrates with the Credential Management API[1] would be amazing. Would simplify password management a lot if it got widespread adoption, and provide an easier upgrade path to strong public-key authentication using WebAuthn.
Based on https://www.future.1password.com/ I'm guessing it will be closer to LastPass's auto-login. It still uses the existing username/password form, but autofills and submits for you.
So a 1- or 0-click login once you hit the login form, as opposed to the current 3-click system (see login list, click to fill, click to submit). And looks like it also might handle the 2fa portion (which essentially makes it 1fa).
I decided to go with Enpass instead of KeePass* but KeePassium for iOS gets my vote. It's faster than Strongbox, more configurable, and the developer is very responsive.
This opens a great opportunity for an open source disruptor to scoop their paying customers. Keeping it simple. I would be happy to throw in $100 to some crowdfunding as long as there's at least one legit security dev onboard. No Crypto bros please.
They previously raised $100M in 2021[1] and in my mind the rot has already set in. 1Password 8 is not OS-native and is an electron app. Local vaults are no longer supported - you must use AgileBits's cloud. And 1Password 7 shows non-dismissible ads for upgrading to 1Password 8[2].
Edit: They also inexplicably (and silently) dropped support for the 1Password iOS share sheet while directing users to the 1Password iOS Safari extension (which only works if you use AgileBits cloud and does not work with local vaults)[3].
Edit2: Missed another $200M raise in 2019[4]. That puts them at nearly $1B in VC funding now.
I'm hanging on to 1password 6 for as long as I can. I can't use the browser plugin on firefox anymore, so I have to copy&paste my passwords in, but at least I have my vault stored locally. I also paid something like $70 and had the rug pulled from under me when they wanted to start charging monthly on top of that.
It's not that I expect support forever for software I paid once for, but I think that the monthly, no local vault is worse than what they offered in 1password 6. I am OK with having to manually copy in passwords.
I am using 6, and the classic extension still works for me on Firefox. It was only when they discontinued (and refused to port) the Safari classic extension that I couldn't use Safari anymore.
Works for me on Chrome too, but not Brave (my browser of choice).
Are there any security concerns holding on to 1p 6.0 ? I notice the mobile app still sees updates, but could there be in theory an unpatched security hold in the desktop app ?
Yes but I don't want to use chrome, especially after they break ad blocking.
To answer your question about the security: I don't know. I don't audit it, and copying and pasting lets me not really have to worry about the security of the browser extension.
They have virtually endless developer resources and aren't building native apps?! This is insane. Not only from a performance perspective, but more importantly from a security standpoint. The more they rely on 3rd party code, the more vulnerable they are.
Just as they did when all the snafu with Dropbox and the switch to a subscription based service.
Before the subscription service, I had spent hundreds buying all their apps for me and my family. 1P wasn't cheap but it was worth it. They used the users' Dropbox to host the web based vault. Obviously one day Dropbox decided it was not ok to use the public folders to host websites.
It really was a shitstorm in 1P's forums and they handled it very badly.
1P could have spent pennies hosting the vaults on S3 or something but they decided to tell their paying customers to switch to the subscription if they wanted a web based vault. They didn't even have the decency to offer a free year to the subscription or something.
3 buck per month? Family sharing for 5 buck? Nah, this is the typical bait&switch strategy (same as Netflix). It is cheap now. But it won't be cheap in the future.
Alternative view: I'm glad to see 1Password obtain abundant financial backing. I use 1Password personally and at my employer. It's really good. I won't switch as long as they keep it that way. Seems as if they have enough money to do that regardless of what happens in the market.
p.s., How is this really different from going public? I'm sure they considered that option. Either way you are answerable to investors.
It's not enough to be profitable (which they claimed to be in 2021). But even if they are profitable, it's unlikely they generate a lot of cash. For a secure future you also want a nice pot of cash to be able to make investments and to weather dips in the market.
Yeah, I'm much more worried about their future now than I was 5 years ago. Having to justify a $6B valuation for a password manager means making risky moves into new markets that may not pan out. If things don't go well, AgileBits will be sold for parts. Perhaps to the same kinds of vultures who own LastPass and TravisCI.
This isn't sustainable financing -- it's growth financing that they will eventually need profitability to make good on the investment (or drive them into the ground). I also use 1password at work and home, and I'd rather they figure out how to operate profitably without the VC-necessitated hypergrowth.
1Password is like 15 or 16 years old at this point, right? The fact that they still need "financial backing" after all that time is extra alarming, IMO. They have raised nearly $1B in VC money!
This has come with all the expected side effects. No local vaults, electron apps, forced subscription payments, etc etc. More VC money makes for a worse customer experience, almost universally.
> How is this really different from going public?
Venture Capitalists are not like the general public. People trading public stocks value fundamentals - a good product that generates _profit_, _steady_ growth, etc. VCs want cancerous, explosive growth and are willing to take the risk that the pursuit of cancerous growth kills the company.
People who own public shares value return on investment, which in today's market is only loosely couple with fundamentals in many cases. It's hard to explain the value of a lot of public tech companies any other way. Rivian (RIVN) is exhibit A.
Not necessarily. Let's say you want to build aggressively to $1B revenues with a $1B annual run rate. Let's further say you pretty much keep expenses and revenue directly in line, so you don't lose money but you don't gain either while building. So, your cash reserves remain the same. As your revenue grows, the cushion you have to deal with a market downturn or seize unexpected opportunities declines. Having a cash cushion up front solves this problem.
I don't have any special insight into 1Password's strategy. But I run a company that is essentially bootstrapped and what I described is exactly how we think of cash reserves. In the bootstrapped case, there's a basic math problem that to maintain a constant runway while growing rapidly you must be cash flow positive by an increasing percentage as time goes on. Perhaps 1Password is just looking to protect a long runway that will get them to IPO.
> I sincerely have no clue how a password manager could be so expensive.
So you can't imagine how owning the passwords of all services of dozens of millions of users, both private users and corporate accounts, could be valuable?
> So you can't imagine how owning the passwords...
Emphasis mine.
That's the thing that bugs me about 1Password's recent moves. They don't own my passwords and I don't want them to own them. They're my passwords, and I want to store them how I want. Not be at the whims of 1Password's business strategy.
I think from a stakeholder pov, just the fact that they are the gatekeeper to your passwords make it valuable.
Imagine if the chinese government could buy all its stock through a third party company, and sit on the board, install a "party affine" CEO without morals, etc.
Just a single silent software update can upload everyone's master key un-encrypted to the cloud, and decrypt everyone's passwords, attach them to email and corporate ids, etc. without anybody noticing.
Why is it that whenever intrinsic, usual operations of capitalism are described (which happen 99% of the time) such as…
1) whenever VCs invest in shares of a project
2) they tend to subsidize money-losing unit economics to “reduce friction” resulting in attempts to lock-in people and monetize their attention later
3) when the VCs later dump it on the public, the company has to now answer to wall street shareholders and its executives are heavily pressured to have quarterly earnings calls
4) they must find ways to extract rents forever because whoever bought at the top (the majority) wants to see their shares go higher, even at the expense of the public interest
5) whereas cryptocurrency could be about collective ownership, if there is no separate shareholder class then the network participants ARE collectively owning the means of production (basically, textbook socialism)
Whenever something like this is stated, anarcho-capitalists and right wing libertarians say:
Oh, there is NOTHING wrong with capitalism. That’s not REAL capitalism. That is corporatism / cronyism. (Some go further and quote Mises/Say/Praxeology: “only individuals can act, organizations can’t act.”)
Then about collective ownership of the means of production / distribution / the network they say… “That’s not REAL SOCIALISM. Socialism is when you use central government and planning and has led to so much misery and famine…”
So, a mainstream application of capitalism isn’t “real” capitalism because laissez faire capitalism doesn’t require the State. But credit unions, housing cooperatives, democratically run universities and now cryptocurrency DAOs are not “real” socialism because socialism requires the State?
There is a huge double-standard here, and I would encourage ancaps to answer the following questions:
Why not use mainstream dictionaries and
encyclopedias for definitions?
Why not admit libertarian socialism exists
Why not compare the results of democracy
vs top down ownership in organizations
on both the participants and the public good
Also, we can move beyond Libertarian Capitalism vs Libertarian Socialism discussions, to simply ask how to best structure decision making in a project.
You can have cryptocurrency run top-down where people work on stuff to survive, and the parent company must make profits. Or you can remove the profit motive and have wikipedia, open source, science, etc. But then you’d need to subsidize people’s maslow’s needs with a UBI.
See for example how your very news and media is affected by the profit motive… compare something like WikiNews vs CNN and Fox. Where are the movements to do something about it? Here is one example I am working on myself: https://rational.app
I don't see how cryptocurrency solves any of the problems. Items 1-4 would still exist. The only difference is that the corporations would be funded with ETH/BTC/DOGE/whatever rather than US Dollars.
No, not at all. It is the difference betweena credit union and a bank, a housing cooperstive vs a landlord owned building.
To use a real world example: DisneyWorld is a city owned by a corporation, instead of democratically run. Because the people who own DisneyWorld shares (shareholder class) aren’t the visitors — the visitors buy DisneyDollars. They are the consumer class.
And there is also the working class (people who work in DisneyWorld) and their employers (small capitalists) who run a business inside DisneyWorld and pay rent.
Disneyworld and other cities could have its own smart economy with DisneyDollars and never have to raise money from speculators. Think of DisneyDollars as utility tokens and shares as security tokens for speculators.
"KeePassXC was still free open source and developed by volunteers in their free time."
This is not a benefit. Within the next 2 years, be wary of a log4j level exploit within Keepassxc.
If a software isn't being supported by a steady source of income, it really quickly can get behind in security and tech debt.
After all the discussion on here about how we can support open source projects, why is it still a badge of honour to say that a software has no support and is functioning on life support by "volunteers in their free time"?
I'd suggest any users of KeePassXC take their money and put it where it counts: find the organization that develops KeePassXC and give them the $60 a year that it costs to buy a commercial password manager like 1password.
If KeePassXC has all the features you need, it's worth paying them for it.
LastPass was bought for $100 million and had some security howlers.
"pass", on the other hand, has no funding and no security vulnerabilities.
I'm pretty sure it's more secure to use apps engineered with a deliberately tight scope that arent lavishly funded than egged-up VC bloated monstrosities.
You wanna bet that building in electron is gonna keep 1password more safe? I wouldnt. The attack surface on that thing is gonna be huge.
Closed source products are really well known for investing in security and keeping tech debt to a minimum. This is why no commercial closed source product depended on something like log4j without thouroughly auditing it first. Oh wait...
> Ah fuck. They now need to grow at any cost to earn all that money back. And they'll throw their users under the bus, if they have to, because it's either grow like a unicorn or go bust.
Agreed, an outbreak of featuritis is almost guaranteed. The core product works well for the job intended, but I don't want to be bothered with an expanding scope and the inevitable spam promoting the features that I don't really need.
The move to an electron client was a clear indication they intend to add lots of features. If they were more or less feature complete they would have not bothered with an electron rewrite.
I think BitWarden is a better comparison -- it's SaaS (and thereby dead simple to get set up w/ cloud sync), but it's reasonably priced with a solid free tier, and open source to boot.
>How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
It will go to all-expense-paid trips, consultancy fees and other things you need to eventually get acquired for $10B+ by one of the big players.
Or maybe, they will pivot, spend $300M on advertisement, so every grandma gets to know the brand name, and will then do an IPO, presenting it as the next opportunity of lifetime to the unsophisticated public.
This is how you make money in the post-2008 world. The actual old-school profitability has been out of the picture for quite a while now.
So correct but also post-2008 underrepresented founders need profits more than ever because they don't fit the narrative, applications like Canva being female-led and Calendly having a black male CEO are examples.
Don’t forget that this isn’t used by just individuals—businesses use it too to share credentials for things like the corporate Twitter account, internal systems, etc. I’m willing to bet that further investment there could help back up that valuation.
Realistically their B2C accounts are a sales funnel for their B2B. Because I was familiar with it for my own use, my employer uses it and they make much more money that way.
Because they also let you get free family accounts if your company uses it, they presumably then rope in a lot of individuals for personal use who then become incentivised to want their next employer to use 1password too.
They already threw their users under the bus once by changing to an insanely money-grabbing subscription model. But yes, agree with everything you said.
The individual user is extra revenue to them. Their business is B2B. Because my company uses 1password for business I also use it for home and they get an extra $60/year from my household because I need to already use it for work.
Oh no, my thoughts exactly. My wife and I were just talking about setting up 1Password to switch from LastPass. It looks like BitWarden might be the best option if only for longevity.
> How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
This is once again just a case of investors hoping to make a pile of money so big they can corner a market. Sadly, they have no idea how cornering a market works (or doesn't work) in the case of digital products like this.
The are going to focus on the enterprise market. Good for them but this also means that they will make things worse for small businesses and personal users. Intentionally or non-intentionally but it will happen.
They will probably go Dropbox route. Dropbox used to be an excellent file sync cloud service with a robust support on many platforms. They did just one thing and did it well. Now Dropbox is positioning themselves as business-team-collaboration-streamlining-platform for everything whose software is balancing between poorly programmed malware and useless enterprise bloatware.
This makes me think that the real problem here is vendor lock in. If users didn't feel such a reluctance to switch between services then there wouldn't be such an incentive to bloat existing services rather than just building it somewhere else.
Apart from lock-in, first mover advantage is a big one too. Humans don’t like change, so they stick with services as long as switching provides no big benefits.
My small company has stayed with our initial bank even though we were quite unhappy with it a couple of times. They didn’t rock the boat too hard, so we‘ve been with them for 8 years already - even though I was _this_ close to quitting sometimes.
Is there a real lock-in in case of 1Password though? I like their UX and integrations, but looks like it is easy to export and move my data to other products if required.
Did they have a choice? Companies like Google and Microsoft provide a package of file sync cloud service bundled with many other services, for the same or lower price. Most people/companies would find that a better deal.
I will still recommend 1Password over Bitwarden to non-tech people because their whole UX journey is so well crafted that even my parents can understand it on their own.
The valuation is most likely based on that and the potential growth in that market.
I use and pay for Bitwarden but even I always get lost in the clunky UI and get frustrated by basic tasks (to a point I am considering switching). And it only gets worse when you have multiple teams and all the secrets are mixed up.
722 comments
[ 0.20 ms ] story [ 391 ms ] threadI've used 1Password for years.
It would be nice to say goodbye to Electron, though...
IMHO it isn't intrinsically impossible to serve both enterprise and single customers, but the business people will always be internally grumbling about the slight additional expense that doesn't have a good ROI vs improving their enterprise product, and the marketing team will want every other screen to be an ad to upgrade to enterprise which discriminating users will rapidly get tired of. It'd take strong and even a bit quirky executive leadership to overcome those issues. Not impossibly strong, but strong.
Edit: Also, they don't have the option of slathering their app with generalized ads. Running ads in the context of a password manager would be insane and lose all their thought-leader users in a heartbeat, permanently. So that door is not open to them.
To me; that’s immensely valuable, but it’s solved for most by a combination of just using the same passwords or, on iPhones, iCloud Keychain.
Now some folks have dumped the better half of a billion into a tool I pay about $35/year for and is basically feature complete. They’ll want a return on their investment. How do you expect 1Password will give it to them?
That's not what I'd call a "solution"
Which probably means the vast majority of their users have essentially been regraded to “product”.
I can envision them (sadly) bought by a larger actor in a few years, at a huge valuation.
I don't know anyone that uses 1password privately.
You’ll be surprised how many people don’t use a traditional computer anymore for most of their “computer time”.
And those who do still use a ‘PC’ probably mainly use Chrome or any other browser with a password manager.
The reality is that for most uses a dedicated PM is simply isn’t necessary.
They could launch a full identity provider like Okta.
2. Perhaps managing other authentication methods. Passwords are dying, especially with webauthn, so it makes sense to tak eon some money to explore how to be a player in that space.
They could compete with Duo, for example, and start offering a 2FA service.
Basically, I expect that the vast majority of this money will not be going towards the 1Password that you use today but instead towards breaking into new markets. Given the size, probably new markets that are somewhat established already.
It doesn't explicitly say enterprise all over that, but I expect it to be that way, only place you can get that sort of return on investment
https://www.macrumors.com/2021/06/10/apple-icloud-keychain-p...
Hmmm, sounds like the time to migrate may be sooner than I'd hoped.
Whatever the case may be, I'm sure it's going to turn out to be something completely worthless to me.
Fortunately, there's always Keepass, which keeps plugging away doing exactly what it says on the tin.
You're probably right. Here's their vision of the future: https://www.future.1password.com/
It screams CORPORATE. Not a single mention of family or single user. It's all about business security, safely sharing data, protecting your company, etc.
Sure, they could mess it up, but any company or open source project can mess everything up.
One of the things I like about Apple is they don't really pander to the enterprise. They won't turn the business away but you can see it isn't a priority.
Almost everything Apple makes, "Pro" name aside, is either an enterprise offering where they're ok if random consumers buy it, or a consumer item where they don't mind if enterprises buy it. I have no interest in buying a reference monitor that costs more than my last 4 computers put together, but I could just go buy one, I guess.
Optimally, 1Password does the same thing. If companies want to buy their current offering (and my current employer does) that thusfar hasn't really messed with my personal use. If they come out with some Okta competitor in the future, I won't need to care about that either unless my company uses it. Optimistically, both products can be targeted to different markets.
Look at the lengths Microsoft goes to in order to maintain backwards compatibility for their enterprise customers, Apple in comparison just doesn't care.
Obviously I don't have access to the sales figures but my guess is most Mac Pros are going into audio/visual studios or else high net worth individuals. It's not the sort of thing enterprises will buy if they can avoid it.
The problem comes in when you try to cripple the home version so that small businesses, etc don't just use that.
Luckiky when they do, github just bans their account
Except they have already started to diminish what used to make 1P great. We now get no native apps, no local vault storage, no upfront payments. The VC rot has already set in.
So they go where there's real money to be made. They are well-positioned to become the default choice to handle corporate day-to-day cyber-security needs of most non-tech businesses, and if they can pull it off even moderately successfully it will make them the biggest Canadian IT company. Family accounts never ever will.
That doesn't mean their product won't remain the best* choice for individuals and families. Microsoft also doesn't give a damn about family or single users of Office, yet we all* use it because it's still the best* product on the market.
* words like 'all' and 'best' are approximations of what's going on in the real world, not in HN where significant numbers of people may very well be using LibreOffice and the Nth fork of Keepass.
It's more than that, most families that do care about security don't need features beyond what is built into iOS/Android. When I encouraged my wife to start using randomized passwords, I didn't even have to help her get set up. She already knew how to use Apple's password manager, so she just started using it. No setup, no additional monthly fee, just a quick decision to start using it.
When we need to share a password, we just read it off to each other and put it in our respective password managers. There aren't really any features in a paid password manager that we miss.
With 100k individual users and its background as a consumer application, 1Password wouldn't neglect the non-corporate customers—at least until David Teare retires or otherwise leaves.
But incidentally the same features which makes it great for work also makes it great for me to share access to vaults with my son for example.
How do you have a universal login that doesn't require corporate onboarding? You're just not the person this landing page is positioned for. They need corporate buy-in so you the user can login with one login across all of those sites. If you the single user want to easily login to Netflix and Amazon with a click of the button, then how do you expect 1P or any org for that matter to offer that if they don't have a direct relationship with Netflix or Amazon?
This is like using Google.com to search for things to find and screaming "Google is too corporate" when you landed on the Google AdWords landing page (ads.google.com).
Imagine a world where a standardized protocol let a company put out verifiable "we've been hacked notice" and my password manager would just take care of it next time I opened it (or throw a prompt or something).
Doubt this is going to happen though.
A lot less incendiary than your hypotheticals.
https://blog.1password.com/save-in-1password-button-with-ram...
https://1password.com/fastmail/
I remember a few years ago Steve Gibson was working on a certificate based system called SQRL and it sounded pretty cool to me. Maybe 1Password have some ideas of their own?
Your choice eventually will be entering a standard password and specifically engineered to be annoying CAPTCHA, or pay for 1Password. Use Keepass or BitWarden? CAPTCHA. why? "Security".
If you examine the source code of a client (for example bitwarden) and make sure that it's not leaking your master password and then compile the soft yourself and not update - you'll be pretty safe.
This will make it similarly secure as e.g. keepass, because even for keepass you should be sure the source is legit
I have separate instances for work and personal accounts, so one breach wouldn't affect the other. Since my passwords are distinct, the number of accounts that would actually be useful to them is minimal, and fraud response is a pretty important metric in deciding what companies I do important business with. Identity theft is a problem, but all of this is probably more likely to be leaked in some other database, like the Equifax hack, than through an account compromised in a password manager cloud storage breach.
My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable. I think things like coordinated attacks where they social engineer their way through 2FA— which have been seen in the wild— to present a greater real-world concern.
I'm in agreement with parent, I think putting your passwords in the cloud is a wild single point of failure. Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.
I think people (in aggregate) just don't care about the risk and will take the path of least resistance. They don't have to draw the line there, but they will.
> My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable.
Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).
Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?
I'm a bit of a crank though. I don't do any of the smart home stuff. I see my phone as a necessary evil. If some company shoehorned an app or a WiFi connection into their product, I don't buy it. After being in tech long enough, I just want things that work for me, not for the company I bought them from.
This is true of all password managers that have any ability to connect to the internet. You’re one silent update away from your manager suddenly uploading all your passwords to a random endpoint in Russia.
Its not fool proof, but it feels better than a black box that could be a different black box tomorrow or after the next acquisition or round of investment.
This is also true for your operating system updates, browser, browser extensions, compilers, the infrastructure for your email service provider, any libraries those things use etc. Not to mention your local password manager. Even if you don't accept push updates, do you evaluate the code? What if the vulnerability was timed to pop a few weeks after release? What if it was included in an update that patched a major vulnerability so you went faster than your normal process afforded? Even if you have a local firewall that stops external connections from unrecognized programs— what if it's a whitelisted program or the operating system or the firewall itself?
Why would you a password manager's encryption less than you would trust your email service's encryption? I'd bank on the password managers' being a lot more robust.
What about RATs that could access your local password database? RATs are a lot more common than cloud service breaches.
And as I mentioned previously, Dell shipped a hardware trojan in 2010.
There are tons of single-point attack vectors in this chain. I'm not a security expert, but storing encrypted data in cloud storage seems less likely than others be a viable target.
> Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc). > Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?
Let's say they did compromise your email account. Since only a few of your accounts are genuinely consequential to nefarious criminals, the number of password resets they'd need to execute might set them back, what— 5 minutes if it's not scripted? And all of it is moot if you use a 2FA method aside from email? Beyond that, considering how much more frequently email accounts get compromised, singling out the storage location for password manager databases seems pretty arbitrary.
I just don't see how the opposition stands up to a comparison of attack vectors.
Agreed, those are already risks, and ones that are a lot harder to mitigate (though I do try where I can). Does that mean I should add another one that I can easily avoid?
There are risks in both local and cloud password managers. Maybe those risks seem equivalent to some folks, and the cloud features are useful enough for it to be a no brainer for them. For me, I don't at all mind manually backing up and manually copy/pasting credentials, and I don't miss the convenience of the cloud features.
> Let's say they did compromise your email account ...
This seems focused on the case of a dedicated attacker focused on you specifically. Id think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
In any case, I agree risks already exist in other places. For me in my specific set of circumstances this just seems like an easy one to skip.
> Does that mean I should add another one that I can easily avoid?
All other things being equal? Avoid it, of course. I firmly oppose letting perfect be the enemy of good in the sense that more secure is better than less secure even if it's not perfectly secure. But I also oppose it in the sense that rejecting beneficial functionality because it's not perfectly secure, especially when it's not close to the biggest or most attractive attack surface, doesn't make sense. Even when password managers' servers were compromised— LastPass, for example— I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
> This seems focused on the case of a dedicated attacker focused on you specifically. Id think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
Nope— If it was automated the distinction is even less significant. A script would only need to search your email for whatever specific types of logins it supported and fire off password resets. Non-email 2FA becomes even more of a hurdle without the option of social engineering it or some other human-touch fix.
Consider this. (very) Roughly, this is the market penetration for these products:
* computer: 90%+
* smart phone: 85%
* tablet: 50%
* computer, smart phone and tablet: 40%
Most people (in this country, at least,) have multiple devices. Most people have internet access. Most people aren't going to be able to manage storing and sharing passwords among their devices at all, let alone more securely than cloud storage would do it. So for most people's use cases, it would be like citing health when refusing to put a teaspoon of sugar into the cup of tea they're having with cake and ice cream.
So like I said, avoid it if it doesn't improve your life— I have no stake in your password management choice— but I will actively butt in to qualify the sentiments expressed in this thread because, a) many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD. Cloud-based password management is vastly superior to regular folks' existing methods. If they're put off by technically savvy people saying they're fundamentally insecure, that is the embodiment of perfect defeating good.
Can we actually know this? We only know about the breaches that we're told about, or that are found and disclosed by researchers. I'm not familiar with KeeFarce, but presumably attackers need local access, in which case you're boned anyway.
> ... many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD
So this is the part that I worry about. I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits. I'd love to be proven wrong, but I imagine in 10 or 20 years we're going to have a very different attitude about these things, sorta like people who were using xray machines to size shoes before they learned about the effects.
Once any info gets to the cloud, its out of your control forever, and its in a place where it can be attacked by the current ~8 billion people on the planet, and all the new people coming along after that. Its an impossible task to defend against that. Not to mention as someone like lastpass grows, what could be a juicier target than that? Why try to pwn individual services when you can just get all of the legit credentials at once from one place?
If the options are only use the same 6 character dictionary word for every account, or use a cloud subscription password manager, I'd probably recommend the latter. But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution.
In the past I've recommended a local password manager with generated passwords on your one machine that you do anything sensitive with. Back it up on a thumb drive once in a while. For your most used accounts (e.g. email) that you really want to use on multiple devices, use long memorable pass phrases and just enter them in. Some people might think this is primitive, but its not that hard and it should be plenty safe for most people. Its just not as convenient.
Can you ever actually prove a negative?
> I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits.
> Once any info gets to the cloud, its out of your control forever.
You're propping up a straw man using a hyperbole.
> But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution[...]
And then presenting your original assertion without any more evidence.
But that's all nearly beside the point.
The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
The entire point of password managers is to mitigate this. You need to compete with the psychological ease of re-using the same password repeatedly because that's the only way regular users will use it. Then, you can warn them when they're entering credentials into a site where they don't belong. You can warn users if a service they use was breached. You can warn users that their password is weak or reused or old and give them a quick solution rather than leaving them to figure it out. You're making it easy for them because that's the only way it works. If you draw two barely kissing circles on a sheet of paper, that's the Venn diagram of users who care enough about electronic security to deal with the extra irritation of using strong unique passwords but won't use an automated system to do it.
So maybe the second-weakest link is the credentials themselves, and the third weakest link is the collection of websites users submit their credentials to that don't store the passwords in AES-256 encrypted vaults with no local master password storage, like password managers do, and the fourth is probably the browser, etc.
Everything we know about the actual empirical risk of these components points to password managers, in general, being close to the bottom of that list. Prioritizing anything but the most blatant password manager security flaws over even minor user convenience will have a negative net effect. When it's a risk so obscure that we have no documented instance of it occurring among thousands of documented instances of breaches occurring in other services, I'd argue it's less safe.
If you're going to base your security strategy on intuition about our relationship with cloud services, go for it. Personally, I'll leave the faith to the priests and stick to attack vector analysis and balancing limiting attack surfaces with solutions that work most easily for most people, because that's the only way they'll use them.
> Can you ever actually prove a negative?
Does that mean that you agree that we can't know the extent to which things have been exposed? Cause that's part of my point. Of course you can flip that around and say well you can't prove that nobody compromised your local machine, but one of those things is open to attack from many orders of magnitude more attackers by virtue of being on the open internet and in a physical space that you don't control.
> You're propping up a straw man using a hyperbole.
You're cooking up a tasty word salad there, chef. Can you give me a little more meat here? I don't quite follow. Have you never heard people say that you shouldn't write an email or send a picture that you wouldn't want to see in the newspaper? Its a similar concept. Once you send something out over the wire, your power to make decisions over what's done with it is gone. You have to hope that whatever was listening on the wire is (and will continue to be) benevolent. How do straw men and hyperbole apply here?
> The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
> The entire point of password managers is to mitigate this.
I agree. That's part of why I use a password manager, and recommend that others do so too. We just disagree on whether or not its advisable to cede control over that kind of tool to a third party.
It feels a lot like the argument that your money is safer in a bank than in your mattress, which is an argument I agree with. Except replace all the banking regulations and security with a ToS that can change anytime and emails about how very deeply we care about your security. I'll keep my cash in my safe at home in that scenario. Maybe there are some people who'd still be better off using that bank. I wouldn't feel good giving that recommendation though.
https://en.wikipedia.org/wiki/Russell%27s_teapot
https://en.wikipedia.org/wiki/Straw_man
I have better things to do.
Russell's teapot is a new one to me. It seems you're position (correct me if I've misunderstood, or don't since you don't seem interested in the conversation anymore) that since we don't have definitive proof that we can't trust these third parties, it's wrong to distrust them. I'm too paranoid to buy that. If I can't verify, then I don't trust. Good luck with your better things.
(Disclaimer: I'm a satisfied 1Password customer. Just noting that their competitive edge is wearing razor-thin these days.)
--- Edited to remove references to Linux. Appears to be Windows only.
That might be because they want to make their own services more attractive (if so, I think they made the wrong choice), but also could be a legal thing.
https://www.apple.com/family-sharing/: “You can add anyone to your Family Sharing group age 13 and older and invite them to share an Apple Card”, so members of An Apple iCloud ‘family’ neither have to be family members nor live at the same address.
That’s broader than, for example, the TOS of Netflix (https://help.netflix.com/legal/termsofuse: “The Netflix service and any content accessed through the service are for your personal and non-commercial use only and may not be shared with individuals beyond your household”)
Apple might fear getting sued if they make it easy to share a Netflix password with members of a family plan.
“Family Sharing Rules: You can only belong to one Family at a time, and may join any Family no more than twice per year. You can change the Apple ID you associate with a Family no more than once every 90 days. All Family members must share the same Home Country”
- Apple Music has a web UI and Android app
- FaceTime recently added 3rd party links allowing non-Apple users to join calls
- Keychain is being made compatible with Windows Chrome
It’s clear from raising this much money that 1P owners are doing a “private IPO” or adding more products and features. If it’s a cash out, wouldn’t you want a privacy focused company to buy it instead of VCs funding it and expecting a return? If they are building new features and products, Apple buying it could bankroll that and temper price spikes.
This is exactly what I'm referring to. I put up with Apple's website for more than a year as my primary casual-use computer became a Windows PC.
I work on iOS apps for a living. App Store Connect has always been terrible. Bugs linger for years. Elements continue to break in unexpected ways. The place where developers receive feedback from Apple is still hard to find even though it's immensely important. The website received a major redesign a few years ago and the bugs were still there!
Now apply that lack of care to a music website. Being forced to login daily. Asked to perform 2FA daily, so I need to keep my iPhone near me if I expect to play music. Songs inexplicably not playing, if play fails repeatedly, maybe a page refresh will work. Songs inexplicably only playing previews, forcing you to log out and log back in. Zero effort to restore your previous searches.
Apple makes attempts at providing services on the web. But for those of us attempting to use those services, the experience varies from subpar to outright hostile.
> Keychain is being made compatible with Windows Chrome
Again, see how people review this in this very thread.
---
Simply providing the service does not mean it's good. That's what I mean by "institutional" and "organizational". They half- or quarter-ass what they ship, and then they leave it to rot.
1. native app (no bullshit JS based) for speed 2. the same keybindings CMD+\ or Option+CMD+\ to fill in or pop up the menu 3. sync with icloud 4. not look like total shit (ie. lastpass)
Do these basic things and I think you can easily steal 1pass users.
Strongbox is the most polished but doesn't offer browser integration.
KeePassXC has a terrible UI, and MacPass doesn't remember your key file between sessions. Both require staying in your Dock and need the janky KeePassHTTP-Connector to work with a browser.
Just add crypto wallet functionality (similar encryption skills) and then facilitate both web2 and web3 login.
That being said, for friends and family I'd suggest paying for 1password. Or using a paper notebook. Most alternatives don't have a stellar track record with security.
- [0] https://blog.1password.com/fastmail-masked-email/ - [1] https://blog.1password.com/privacy-virtual-cards/
My experience with Bitwarden is that their browser extension is gravely broken, which is a subset of UX, but crosses over into "how is this not a 'stop all work and fix it' bug?": https://github.com/bitwarden/browser/issues/1620
I have a paid Bitwarden subscription, because I wanted to give it a fair shake, but based on my experience thus far it'll be years before they catch up to AgileBits
Why such a large round? Why not go for an IPO?
There's definitely going to be a feature creep and annoying changes.
Time to consider the alternatives again :(
They've also (supposedly) been profitable since inception. It's likely that this round has a significant secondary, which means they're just cashing out part of a profitable business.
Going public has very tangible costs, but also massive intangible costs. Private markets are extremely frothy and keep ownership and control within an aligned group of investors. This can make all the difference in the world to management.
Well, at least not for a few years.
This is a 50-50 proposition, at best.
I hope this doesn't mean I'll need to start looking or a new password manager.
Not to put too fine a point on it, but I fucking love this feature.
It fits in naturally with the password manager, but it has barely anything to do with password management.
https://support.apple.com/en-gb/HT210425
iCloud email hiding generates addresses on iCloud domains, i.e. services will begin to flag them as a commonly-used disposable address provider and disallow them.
Also completely worthless to the vast majority of people who are not on Apple devices.
Also also, 1Password's integration with the email isn't managed by them. They talk to Fastmail, Fastmail spits out an address and tells it to 1Password, who then fills the form with it. I can ditch 1Password at any time, even delete my account, and lose nothing.
Hopefully they don’t go all cryptocoin and NFT with the funding… but given their dna, I think they will expand wisely.
- Some items did not import correctly at all because the 1password export format did not quote values (CSV). This means that if I have a password with a comma in it, I get two broken entries. This is more of a 1password issue though.
- 2FA tokens did not import and would have to be manually reset. I guess this is to be expected though.
- Some fields had different names than bitwarden was expecting, so values were imported into the wrong destination and had to be manually corrected.
This was a while back so I'm not sure if anything has been improved.
Migration was a simple matter of exporting a CSV and then just correctly selecting the column order for KeePass import.
For those who don't want to trust a third party, even with their encrypted data, I believe that home NAS sync-when-available is possible - I personally haven't tested the implications of syncing changes from multiple devices at the same time in that scenario.
https://ryannickel.com/html/migrating_from_1password_to_keep...
My 1Password installation is grandfathered from a time when it was just a standalone app, without subscription. Will it just stop working one day to bully me into subscribing? Can you even start using 1Password these days without buying a subscription? I'll have to start looking for alternatives today.
If I can't have my passwords everywhere, then the value delivered drops off a cliff
On another note, I've been using 1Password for years, for free. The mobile app can edit local vaults without signing in, and the desktop program can view local vaults in read-only mode. If I want to edit or add a password, I do it on my phone—it's not worth $150+ to be able to do it on my PC a few times a year.
I have a similar Apps folder for "O'Reilly" from back when I connected their app to Dropbox, and one for Joplin. It's too bad I don't have 1P 7 on my machine anymore, because I no longer have Dropbox on my machine so it would be a good test to see if it still syncs without the Dropbox client present
Ah fuck. They now need to grow at any cost to earn all that money back. And they'll throw their users under the bus, if they have to, because it's either grow like a unicorn or go bust.
Also, I sincerely have no clue how a password manager could be so expensive. Last time I checked, the excellent KeePassXC was still free open source and developed by volunteers in their free time. How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
sales/marketing
https://www.reddit.com/r/1Password/comments/p2dmpt/all_aboar...
Honestly building on "tech stack power users hate" is probably the easiest way to fire all your worst, most needy, users.
That being said I hate that 1Password needs that. It’s just a password manager at the end of the day.
Can you really not think of any examples where VC capital has improved a company, product, or service?
I honestly can’t, do you mind sharing a few examples to prove your point?
I have a long list of “stopped using because went to shit after VC was injected”
1. WhatsApp and Facebook relation
2. Twitter and the loss of control over my feed
3. Spotify and the podcasts shenanigans
4. Dropbox and their assholery against free users
5. Evernote and their assholery against free user, increasingly useless redesigns and lack of improvement on the basics
Etc.
https://techcrunch.com/2007/07/29/more-information-on-that-s...
Dropbox, Spotify, and Twitter all used VC money to launch/improve their product. Just because you don't specifically like the traunch of VC money that was used prior to IPO doesn't mean all VC is blood-sucking.
There are countless examples of products people use that have had some form or shape. In fact, I'd argue there are rarely apps that anyone uses here on a regular basis that didn't have some form of VC money injected into them. The only one that comes to mind is (1) Basecamp (but technically they took money from Bezos) and (2) Atlassian pre IPO (now public).
I would think most people view YC more in line with the Angel round, which is an entirely different view point; Angel's are actual helpful people who did something on their own to achieve success (not poser VCs) and/or are mentors and coaches who want to give back, but it's unfortunate that people need to go beyond angel to VC, and the expectation from the angels is that you must or they won't make their money.
Just because we are on a YC forum doesn't mean we have to suck the industry's dick.
The value one gains from a personal security product (data portability, availability, accessibility) is often at odds with the interests of capital, which lean towards moat construction and rent-seeking. Over time, in a for-profit company, capital will always "win". Trading equity for other peoples' cash investments only accelerates the process.
For an adjacent example, LastPass never took a dime of VC money (afaict), but their structure as a for-profit company pushed them to lock down their product and charge rents, where they had not previously. If they had taken VC money or went public instead, it may have delayed the inevitable, but it only would have been a delay, not a solution.
People in this thread are disappointed, because these companies began their lives with a compelling, free, and user-empowering invitation, and it is sad (although not at all unpredictable) to see those features taken away by the incentives of capital. I think it's understandable, and I wouldn't read it as an indictment of VC writ large.
I do not understand. It's a business. Why would anyone expect important services to be free? during ramp up there's a benefit of providing free or discounted services while you grow, learn what users want, estimate your own costs, etc; It was a free ride and you can enjoy it while it lasts. Why would anyone expect a free ride to also last forever?
In my opinion great products need a strong balance of capital and ideals. Capital incentives unchecked by a counter balance of leadership actually believing in the mission of the company can lead to bad outcomes. Pure idealism without adequate funding has another set of problems though.
I think the "common person" does not see these as growth hacks. The internet is full of things that "appear" free, and have "appeared" free forever.
You have x-ray vision for how these businesses work internally, and you describe the playbook very accurately, but most people do not have this kind of context.
Which makes it hard for those people to distinguish "good people doing good work for the good of all" from the playbook you describe. It's especially hard when the company describes itself as the former externally.
> Capital incentives unchecked by a counter balance of leadership actually believing in the mission of the company can lead to bad outcomes.
This is true. As a customer, depending on the good-will of leadership to counterbalance the influence of capital is depending on humans, and even really good ones are fallible and temporal.
A for-profit company blessed with good leadership today does not guarantee a for-profit company with good leadership tomorrow, a year from now, and so-on. Eventually, within the constructs of a for-profit company, capital always wins.
> In my opinion great products need a strong balance of capital and ideals.
Yep yep, value creation and openness are not mutually exclusive, and one does not have a monopoly on the other.
However, I'd argue that value capture and openness are mutually destructive: only one wins in the end, and the total victory of either marks the death of a business (i.e. something that generates profits for shareholders).
From a consumer's point of view, once an organization gets in the mindset of optimizing for value capture over value creation and openness, it's time to consider moving on.
The paradigm-shift of software is that the victory of openness no longer means the destruction of customer value, because OSI-licensed software can outlive the business.
Well, I dunno, you always are depending on the "good will" of leadership. They could decide to squeeze every cent and provide as little value as possible at any time, whether they have venture funding or not. If your alternative is a "non profit", look at Mozilla, plenty of people unhappy with a lot of their decisions and users feeling "betrayed". I don't think we can expect most services to run as non-profits regardless. It's an imperfect system, but is the best we've got so far.
> From a consumer's point of view, once an organization gets in the mindset of optimizing for value capture over value creation and openness, it's time to consider moving on.
I'd argue this comes after the IPO. When you have millions in venture capital, is easy to keep running the business at a loss and keep growing. When it's time to make a profit is when things start getting hard.
I suppose this is what some people don't like. They'd like founders/businesses that stay small and focused on a niche, make money but not too much and keep a good value product running. Without looking at 1Password finances though, even when it was a paid service, we don't know how profitable it was, if at all, and may be going after enterprise customers with this new funding is the only way to not only 'break even' and start making some good profits.
This isn't true if the product is FOSS. The Mozilla Company can be a disaster, but that's OK because Firefox is OSI-licensed. It will outlive Mozilla, and one or more community forks will appear to replace it, if needs be.
For example, observe how https://rockylinux.org/ rose from the ashes of RHEL/CentOS, after Red Hat were acquired by IBM.
The lesson is that as long as there's interest in an OSS product, there is money to be made servicing (hosting, bug-fixing, whatever) it. Where there is money to be made servicing it, a business will appear to soak up the demand.
> I'd argue this comes after the IPO.
I think it's purely a function of who your shareholders are, what your unit economics are, and how much money you have in the bank. It can happen to any stage of company. In general, contrary to popular HN belief (not saying it's yours), VCs prefer not to put good money after bad.
There are many public companies that are not relentlessly pursuing value optimization, because they have good unit economics, and have invested in attracting shareholders that are aligned with this idea. They are not starved for cash, and can raise money with low-interest loans when a growth opportunity presents itself.
> Without looking at 1Password finances though, even when it was a paid service, we don't know how profitable it was, if at all, and may be going after enterprise customers with this new funding is the only way to not only 'break even' and start making some good profits.
Like you say, we can't comment on 1P directly without knowing access to their Stripe account.
One might charitably say, their business hitherto was an experiment to see if one could build a VC-scale business around the problem of personal password management. The answer is no, but they can leverage their experience gaining that knowledge into solving a similar problem at an enterprise scale. That's probably how the execs & employees think, and it's a very reasonable take.
Unfortunately, while it's optimal for long-term viability of their business, it's not optimal for the consumer world writ large. While 1P has bootstrapped at the consumer's expense and benefit, building a consumer-facing brand for themselves along the way, it is now all downhill for the consumer from here, because they are no longer the focus of the company.
One can imagine a counterfactual, where they had developed their core applications as FOSS. 1P the business could continue to make money as 1P-enterprise, and "the people" could take over maintenance of 1P-consumer, if there was sufficient interest. The valuable experience they've accrued in building their product would continue to spin off value, instead of slowly grinding to a halt.
---
Don't get me wrong, if you put me in the shoes of some exec at 1P with a fiduciary responsibility, I would do the same thing they're doing. It's the only rational direction. Their decision space is/has been heavily constrained by their initial conditions (accepting VC money, not starting with a FOSS product, etc.). If they hit `git push` to some public remote today, they risk losing the entire network they've been investing the last N years in building. It's not reasonable to expect people to make that trade.
I guess I'm hopeful that people will observe these outcomes, that it may influence their own decisions in choosing the initial conditions of their own projects. Sometimes fiduciary responsibilities contravene social responsibilities, and the superior cure for that circumstance, like with so many others, is prevention.
But rarely improved the product. At best you have a company that does keep it's soul, and continues to improve the product as they would have on their own. Far more often, the product and pricing structure is made worse in the long run through VC investment. It's not necessarily VC interference that is solely to blame, the change in size and scope that tends to come with such investment is a massive hurdle on its own.
Of course, taking VC capital is almost certainly necessary to continue to exist, given you are competing against others who will take that capital and quickly use it to out compete you if you do not. I just view this as unfortunate, when I find companies that grow at a more natural speed to generally create better products.
There are things available via the Cloud version that aren't available with local vaults and, in order to maintain those, they decided not to put the time into implementing those changes for local vaults. Local vault users are less than 1% of their user base.
Maybe they'll go the Keybase route and integrate some crypto?! (https://keybase.io/blog/keybase-stellar-launch)
Well, congratulations, you just proposed a scenario that would make me consider leaving 1Password after all. :)
Seriously, I am somewhat concerned at this level of VC money injection; I'm not intrinsically against venture capital or such, but investors (obviously) want a return on their investment and it's hard to imagine how you get a return on that much investment with just a password manager, even one that's a subscription service.
(I am also not intrinsically against crypto and wouldn't really abandon a service just because they do something that involves it, but most blockchain technology continues to feel like a solution in search of a problem. That's another discussion, though…)
Then things went downhill.
https://keepassxc.org/
I've personally been using the cloud offering for several years now and feel quite satisfied with it. The free tier is generous, the premium tier is very affordable, and I can export my data to a self-hosted instance anytime I like.
Apparently they have 500 members of staff these days, and millions and millions of investor dollars. Apart from maintaining browser extensions, for my own personal use I've not noticed a single interesting feature in recent years.
I moved to Bitwarden when the electron thing was announced, haven't paid any subscription yet and seem to have all the features I used before in 1Password. Bitwarden is very much recommended and I wouldn't recommend 1Password to anyone these days.
I guess for bigger enterprises you might like something with a bit more fine grained access control and auditing features. E.g. rotating the master password is a bit of a PITA. I actually did that this morning because somebody in our team left.
Most companies would want some kind of solution and most bigger companies would likely end up paying for something.
Sure, labour costs are expensive in our industry. But it's under-appreciated that once you need physical infrastructure, sales and enterprise support, that really tends to eat into your millions.
Is marketing the thing with the huge price tag, or are there other huge costs I'm not thinking of?
Then you have leadership, sales, marketing, HR, finance, support, and retention. By a huge margin sales, support, and retention were the largest. B2C is marketing heavy, B2B is sales heavy. If you're both then well..
Engineering can be really lean with respect to the number of customers/clients but the rest of the business can't.
Fine by me, 1password was too expensive to begin with. Sad to see they're wasting it.
Because 1Password is easy enough to use that my wife and I can share a family plan without her getting frustrated. If one of us has a login the other needs, we can easily share it. When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
The importance of user experience is only growing as the world becomes more and more time poor and we move more and more into an "attention economy." Saving seconds counts. If it doesn't work instantly it's broken, period.
Here's two ways I can explain it:
(1) If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive. It only makes sense to do this if you have a lot of surplus time on your hands.
(2) If you have ten million users and make a UI/UX improvement that saves them one minute a month and you value their time at an average of $50/hour, you just created about $8.3 million in value since that's the value of the time you just saved.
A rule of thumb that I use is that every step required to do something halves adoption. So if you have a 10 step install process, only 1 out of 1024 people who look at your product will make it to trying it.
Every developer needs to have "user experience is everything" tattooed on their forehead.
Bitwarden is not an alternative to 1Password that passes the wife/parent/elder test because the UX is so bad they need to call me everytime something isnt exactly working as before.
This refusal to understand UI/UX goes way way back in hacker culture:
http://catb.org/jargon/html/P/point-and-drool-interface.html
This seems to be a general characteristic of enthusiasts.
To design a good car for people other than car enthusiasts, you have to hate cars or at least be able to place oneself in the shoes of someone who hates cars. People who don't love cars want a car that makes them think about cars as little as possible. The purpose of a car is to carry you from one point to another, not to make you spend time on cars.
It's a bit like climate change. Scientists will warn, people will ignore, and then we will abandon Miami and will probably blame the scientists.
I mean, I have 1password for work, and Bitwarden for personal..
Spot the difference: https://imgur.com/a/wJQBDjV
- "Folder: No Folder" is a bit confusing, it would be better to just require a folder when creating an entry.
- Collections vs folders is also a little confusing unless you spend time to figure it out.
- 1password shows the password reuse notice right there, instead of needing to go the web vault of bitwarden and specifically click on tools.
- 1password shows the password strength right in the entry as well.
- 1password has nicer display of the items in the vault, with sections by letter.
I even started self hosting it this year and it continues to "just work" - although I don't recommend it to most people since I now have to manage a server. I was already self hosting a lot of other things last year (wanted to move away from google/apple services) so the "cost" of self hosting Bitwarden was negligible.
Anyway I know I rambled a lot, but just wanted to chime in and throw in my opinion about bitwarden
I really hope that Bitwarden improves their UI and UX, because I really want to like it. But their Collections and sharing feature is very unclear, especially once multiple people/orgs are involved.
I'm afraid to use it because they co-mingle everything in UI and I dont accidently want to share a personal password with another org.
Being worried of sharing a password accidently is very scary UX
Most users don't want to tweak anything related to their phones, tablets, computers, watches. If everything your app does, isn't reachable within 1-3 clicks/swipes/presses, then forget it.
Someone suggested using two versions KeePass files...one for shared passwords, one for not shared passwords. This is NOT a substitute for clicking Share Password and literally not doing anything else.
Someone suggested storing all your passwords in the browser. This is NOT a substitute for having all of your passwords available at the app level on your iPhone. This is NOT a substitute for sharing passwords with your whole family.
UI/UX is EVERYTHING
I have been hearing about how X11/MOTIF will "end the Windows/Apple hegemony" for decades.
I don't know how often I've heard "X Windows is just as good as Mac OS."
It's like when your vegan friend keeps telling you that "Falafel tastes just like beef."
They have never tasted beef (or they hated the taste), so they don't have anything to compare it to. X Windows is GUI, written by people that hate GUI.
What could possibly go wrong?
All that said, it's a crazy amount of money, and I really feel that the only real work the password manager needs, is to be rewritten in native. Electron is less-than-excellent.
They must have some kind of strategy that goes beyond just being a password wallet.
The alternative "do not use a password manager" is however totally common. So if you want to get someone with limited time or affordance for annoyance (like your wife) to use a password manager, the process of setting it up and using it better be very smooth and frictionless.
1Password is very good at that part.
Or perhaps nerds do grasp the negative value of anti-patterns in UI/UX, and reject attempts to create interfaces and usage models that remove control from the user, create vendor lock-in, or compromise privacy and security.
Edit: agree with the rest
Huh, to me it's both. The UI/UX wouldn't be worth shit if their software ate battery like it was free, crashed often, was frequently janky, hogged resources to the point of being a problem, or all the fancy features underlying their UX didn't work pretty damn well without user fixing or intervention. Software quality is part of why their UX is so good, not just design languages or whatever. You don't get their level of auto-magic if you haven't done a whole bunch of things very right in the underlying code & architecture.
They're far from perfect (practically all consumer-facing software is at least kinda bad, IMO) and one can point to a handful of duds that they just can't seem to get right (Xcode, for instance) but I'd put software quality as my number one reason for using them, and I'd point to that as an absolutely vital element in their UX being well above average. It's that combo that no-one else seems able to touch—in fact, it often seems like no-one else is even trying, and I really wish they would.
This is quite true, but the counterpoint is that nerds enjoy spending that time. We like opening the box, poking at the wires, seeing how the cogs fit together, and tweaking things endlessly. It would be a liability for a normie, but for a nerd whose interest is piqued it's a fun Saturday project. This is why FOSS survives despite the UI/UX problems.
Where us hobbyists go wrong is thinking any large percentage of customers want to do that. Any amount of futzing is too much. Most people want it to "just work."
So I can't habe autofill, automatic saving of new/changed passwords and password creation and also use the same vault for the mobile app (Android). The mobile app can access the self hosted vault without any issue.
I would love to fully migrate to self hosted bitwarden, but the browser extension irks me. Maybe it is possible and I am just too dumb to find the solution.
There is a small cog in the top left side where you can change the URL to use when you login, in case you simply overlooked it.
Top left here: https://imgur.com/xCgrot0
If you click on that, the "Server URL" field is where you want to put your private instance: https://imgur.com/Gua3jSb
I could only enter email and password yesterday.
How about you share one KeePass file for all shared passwords and keep another one for your personal ones? KeePassDX on Android can easily handle multiple files. I agree, it's not a perfect solution but it's rather low-tech and something the layperson might still understand.
I've stopped worrying about password re-use or compromise. Now I'm teaching my kids to use it and they love it b/c they dont have to make up or remember passwords.
Yes there are other technically equivalent options but the fact I can get it setup on an iOS device in seconds and trust its used is worth every penny.
The same could be said about any password manager though
But to some extent it took her compromised passwords to finally start using everything.
Also zero need to give any application permissions to access my Google Account. Using native google drive apps on all services to sync the file (just using file picker dialogs with drive app installed).
Got my non tech parents setup on this. 0 questions asked once I set it up.
Also have my partner and I on the same setup...just works.
Is there one which is best for most users?
- Website: https://www.keepassdx.com
- F-Droid: https://www.f-droid.org/packages/com.kunzisoft.keepass.libre...
- Source: https://github.com/Kunzisoft/KeePassDX/releases
Another FOSS app called Keepass2Android has the same feature, but recent versions of that app are not on F-Droid.
With 1Password, I also have to reauthenticate all the time, but unlike KeePass, TouchID works.
Haha. I'm pretty sure browsers build this feature in.
1password lets you share passwords with other people, even if they don't have a 1password account.
Using a 1password family plan is the only way I've been able to wrangle my parents across their slew of iOS, macs, Android, Windows, and Linux machines to stop typing in passwords.
No built-in browser password manager will handle that.
I’m sure a family with multiple users and half a dozen devices will run into issues as well.
There will be exact examples of the opposite happening.
$620M isn’t for a password manager, it’s financing for a business with an enormous and growing user base.
[0] https://bitwarden.com/pricing/ [1] https://1password.com/teams/pricing/
Yubikey and its likes are advanced features that the overwhelming majority of regular users will never need.
I don't expect everything to be free, I'm perfectly fine with the freemium model when the set of free features is reasonable - as, in my humble opinion, is the case with Bitwarden. So I wouldn't use a word like "crippled" when it's more like "normal for regular users vs enhanced for advanced needs".
This is separate from having TOTP 2FA on the Bitwarden account itself, which is available on the free plan.[4]
[1] https://bitwarden.com/help/authenticator-keys/
[2] https://bitwarden.com/pricing/
[3] https://github.com/dani-garcia/vaultwarden
[4] https://bitwarden.com/help/setup-two-step-login/
Plus like the parent said, proprietary code is a deal break for lots of people.
So then who foots the bill? Password managers are the duct tape used to protect a user because we don't inherently trust application providers.
> proprietary code is a deal break for lots of people
Sort of. First, "lots of people" seems like "lots of people" because we're on HN. The wider population doesn't care whether your application is proprietary or not - they just want something that works. Apple's wall garden is proof of this. Second, you can still charge for a product and it be open source. An application being open source simply provides an audit log of the code and allows for "wisdom of the crowd" when it comes to bug and security issues. So yes I agree that having a password manager be openly auditable is a great feature, but I (and many others) likely would rather have the features of strong UX and known tenure (OSS tools get abandoned all of the time) then we would having an auditable source code.
If you are saying that Bitwarden is worse because it offers a free plan, I disagree. It's nice that Bitwarden offers a security-audited* password manager to those who can't afford a subscription, who aren't ready to pay for one, or who don't have the means to make payments online. Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points.
* https://bitwarden.com/help/article/is-bitwarden-audited/#thi...
Well said - and this is the important part of the 'non-proprietary' argument of mine (above) - right now I consider 1Password's real customers being their shareholders/investors, not its users - the users are just another tool they use to bring value to their real customers (investors,etc.).
BitWarden's customers are their actual users.
For the record, I'm not. The overall discussion was that charging for a product was somehow bad. Bitwarden does charge for their product, just at higher tier levels. My bigger point is that you do want a provider that is going to stay solvent so charging money (which Bitwarden also does) is not some perverse way of satisfying customers.
Whoever wants to pay. Doesn't mean a product should be dismissed simply because it's "free".
- Mobile UI is beautiful on 1Password.
- The UX from creating a password entry to auto-filling is easily better on 1Password. Bitwarden doesn't show autofill entries on login forms yet. That's a deal breaker, at least for me.
- Account recovery via a trusted family member.
- Additional security measure: private key in addition to master password.
Personally, the 35 USD fee is justified.
I was able to enable that in the settings, but I've found it very hit or miss compared to when I used LastPass.
https://community.bitwarden.com/t/overlay-popup-interface/14
You can setup a trusted family member. You get a master password and private key incase you can't access 2fa. You can setup autofill entries. UI/UX are opinions.
You pay $40 dollars a year for Family, $10 a year for an individual. Cheaper than 1password.
Sure the UI/UX is a bit basic... but honestly most of us should prefer that.
https://community.bitwarden.com/t/overlay-popup-interface/14
Noted about trusted family members on Bitwarden.
I don't understand the private key part for Bitwarden. I am referring to the one here:
https://support.1password.com/secret-key-security/
Is there an equivalent for Bitwarden?
https://fred.stlouisfed.org/series/M1SL
[1] https://community.bitwarden.com/t/account-switching-log-in-w...
[2] https://community.bitwarden.com/t/bitwarden-roadmap/12865
1Password does a pretty good job of this; as a user I do not need to worry about syncing the database, keeping an app up to date (the website is always up to date) etc.
I hear the phrase from time to time in aviation. "Have to sell the first plane" / "Doesn't pass the WAF" / "Wife thinks owning two planes it too expensive." I have no reason to believe these folks are not in a loving relationship.
Nothing to do with intelligence.
The parent did no shaming; as you pointed out it’s extremely reasonable to not want to jump through hoops. Any shame is projected by yourself.
I use pass [0]. To me, it is the best password manager that I've ever used. Command-line-first, free & open source, built on git... it's great, and suits all my needs. From the perspective of someone who spends most of their day behind a CLI, it is "simple" and "just works" more than anything else.
But it's not going to work for my significant other, who is very intelligent but isn't a software engineer. They're not going to learn git so that they can manage passwords, and the app doesn't abstract away git enough for them to avoid needing learning it. Hence, despite its merits, it fails the "SO acceptance factor" or whatever you want to call it.
[0] https://www.passwordstore.org/
There are a lot of technical enthusiasts and hobbyists, mostly dudes, who optimize for dumb parameters that nobody in the real world actually cares about. In this case, setting up a clunky, but fully open source password manager, when there are alternatives with objectively better UX available for relatively cheap (considering you use the thing many times each day).
In the home theater world, for a long time guys would brag about the disgusting monstrosities they've jankily hooked up in their living rooms, but a setup with high WAF means building something that's actually aesthetically appealing and congruent with the interior decor, hidden cords, not having to switch between 4 remote controls, etc.
But you're right - it should probably be SAF (Spouse Acceptance Factor).
It seems like it is you who is equating tech illiteracy with intelligence, pal. There is nothing wrong with being technically illiterate (most people are) and I don't think GP is shaming his wife because of it.
I have, since the family plan was first introduced, also gotten my aging parents on the plan (so my brother and I — both _far_ from where my parents live — can assist when required) and my brother.
My wife has shifted from merely using 1Password to advocating the use of password managers in general and 1Password in specific (she had a letter read by Peter Mansbridge on his podcast a couple of months ago where she did exactly that).
But do you believe 7000 years of work is a realistic estimate for how much effort is needed for KeePassXC to catch up?
I don't.
I loved almost everything about 1P but their reluctance to authenticate with keychain means it's a PITA for me, and an absolute deal breaker for my wife.
Has this changed or do you still have to enter your 1P password every time you log in or your session times out?
Exactly what kind of moon-shot ideas did 1Password start tossing around to get those wallets open?
Lot of money to make with those factors.
I get that there's an untapped market of non-technical users, but I am rather skeptical that advertising alone will have much success in activating it -- they'd need some innovative approach that changes the way non-technicals approach password management.
It's the same reason there should be no such thing as a "structural integrity" company separate from the building contractor.
"If your users use 1password, they won't keep forgetting their passwords (causing frustration and support burden) and won't use weak passwords that result in account takeovers (support and eng burden). Plus, you and your users won't be beholden to the whims of fb or Google".
Just one idea.
However, after reading your comment, I hope this is the direction they go. I actually really like the future where I can have instant accounts attached to a more anonymous backend than my social media. I'm sick of things as mundane as my local gym asking for access to my fucking friends list.
Sign-up hurdles are a real thing too. I recently read that it was a major factor to Microsoft's video gaming stream service never taking off.
[1]: https://developer.mozilla.org/en-US/docs/Web/API/PasswordCre...
So a 1- or 0-click login once you hit the login form, as opposed to the current 3-click system (see login list, click to fill, click to submit). And looks like it also might handle the 2fa portion (which essentially makes it 1fa).
Currently in Lastpass If you have one account it's auto filled making it a single click.
LastPass has the option to autofill and auto-submit. 1Password doesn't, but that's my guess for what's coming.
Edit: They also inexplicably (and silently) dropped support for the 1Password iOS share sheet while directing users to the 1Password iOS Safari extension (which only works if you use AgileBits cloud and does not work with local vaults)[3].
Edit2: Missed another $200M raise in 2019[4]. That puts them at nearly $1B in VC funding now.
[1] https://techcrunch.com/2021/07/27/1password-raises-100m-at-a...
[2] https://old.reddit.com/r/1Password/comments/qjb4l4/theres_no...
[3] https://old.reddit.com/r/1Password/comments/pxpdcd/ios_share...
[4] https://techcrunch.com/2019/11/14/fourteen-years-after-launc...
It's not that I expect support forever for software I paid once for, but I think that the monthly, no local vault is worse than what they offered in 1password 6. I am OK with having to manually copy in passwords.
[0]: https://support.1password.com/cs/1password-classic-extension...
Are there any security concerns holding on to 1p 6.0 ? I notice the mobile app still sees updates, but could there be in theory an unpatched security hold in the desktop app ?
To answer your question about the security: I don't know. I don't audit it, and copying and pasting lets me not really have to worry about the security of the browser extension.
Ublock Origin still works for me, what are you referencing ?
Just as they did when all the snafu with Dropbox and the switch to a subscription based service.
Before the subscription service, I had spent hundreds buying all their apps for me and my family. 1P wasn't cheap but it was worth it. They used the users' Dropbox to host the web based vault. Obviously one day Dropbox decided it was not ok to use the public folders to host websites.
It really was a shitstorm in 1P's forums and they handled it very badly.
1P could have spent pennies hosting the vaults on S3 or something but they decided to tell their paying customers to switch to the subscription if they wanted a web based vault. They didn't even have the decency to offer a free year to the subscription or something.
p.s., How is this really different from going public? I'm sure they considered that option. Either way you are answerable to investors.
But of course they can’t do that because VC, right?
This has come with all the expected side effects. No local vaults, electron apps, forced subscription payments, etc etc. More VC money makes for a worse customer experience, almost universally.
> How is this really different from going public?
Venture Capitalists are not like the general public. People trading public stocks value fundamentals - a good product that generates _profit_, _steady_ growth, etc. VCs want cancerous, explosive growth and are willing to take the risk that the pursuit of cancerous growth kills the company.
I don't have any special insight into 1Password's strategy. But I run a company that is essentially bootstrapped and what I described is exactly how we think of cash reserves. In the bootstrapped case, there's a basic math problem that to maintain a constant runway while growing rapidly you must be cash flow positive by an increasing percentage as time goes on. Perhaps 1Password is just looking to protect a long runway that will get them to IPO.
So you can't imagine how owning the passwords of all services of dozens of millions of users, both private users and corporate accounts, could be valuable?
Emphasis mine.
That's the thing that bugs me about 1Password's recent moves. They don't own my passwords and I don't want them to own them. They're my passwords, and I want to store them how I want. Not be at the whims of 1Password's business strategy.
Imagine if the chinese government could buy all its stock through a third party company, and sit on the board, install a "party affine" CEO without morals, etc.
Just a single silent software update can upload everyone's master key un-encrypted to the cloud, and decrypt everyone's passwords, attach them to email and corporate ids, etc. without anybody noticing.
How valuable does that make 1Password?
Can't you say the same about Linux vs Windows, Gimp vs Photoshop, PostgreSQL vs Oracle, Godot vs Unity, etc?
1) whenever VCs invest in shares of a project
2) they tend to subsidize money-losing unit economics to “reduce friction” resulting in attempts to lock-in people and monetize their attention later
3) when the VCs later dump it on the public, the company has to now answer to wall street shareholders and its executives are heavily pressured to have quarterly earnings calls
4) they must find ways to extract rents forever because whoever bought at the top (the majority) wants to see their shares go higher, even at the expense of the public interest
5) whereas cryptocurrency could be about collective ownership, if there is no separate shareholder class then the network participants ARE collectively owning the means of production (basically, textbook socialism)
Whenever something like this is stated, anarcho-capitalists and right wing libertarians say:
Oh, there is NOTHING wrong with capitalism. That’s not REAL capitalism. That is corporatism / cronyism. (Some go further and quote Mises/Say/Praxeology: “only individuals can act, organizations can’t act.”)
Then about collective ownership of the means of production / distribution / the network they say… “That’s not REAL SOCIALISM. Socialism is when you use central government and planning and has led to so much misery and famine…”
So, a mainstream application of capitalism isn’t “real” capitalism because laissez faire capitalism doesn’t require the State. But credit unions, housing cooperatives, democratically run universities and now cryptocurrency DAOs are not “real” socialism because socialism requires the State?
There is a huge double-standard here, and I would encourage ancaps to answer the following questions:
Also, we can move beyond Libertarian Capitalism vs Libertarian Socialism discussions, to simply ask how to best structure decision making in a project.You can have cryptocurrency run top-down where people work on stuff to survive, and the parent company must make profits. Or you can remove the profit motive and have wikipedia, open source, science, etc. But then you’d need to subsidize people’s maslow’s needs with a UBI.
See for example how your very news and media is affected by the profit motive… compare something like WikiNews vs CNN and Fox. Where are the movements to do something about it? Here is one example I am working on myself: https://rational.app
To use a real world example: DisneyWorld is a city owned by a corporation, instead of democratically run. Because the people who own DisneyWorld shares (shareholder class) aren’t the visitors — the visitors buy DisneyDollars. They are the consumer class.
And there is also the working class (people who work in DisneyWorld) and their employers (small capitalists) who run a business inside DisneyWorld and pay rent.
Disneyworld and other cities could have its own smart economy with DisneyDollars and never have to raise money from speculators. Think of DisneyDollars as utility tokens and shares as security tokens for speculators.
Here is how it works in detail: https://intercoin.org/communities.pdf
This is not a benefit. Within the next 2 years, be wary of a log4j level exploit within Keepassxc.
If a software isn't being supported by a steady source of income, it really quickly can get behind in security and tech debt.
After all the discussion on here about how we can support open source projects, why is it still a badge of honour to say that a software has no support and is functioning on life support by "volunteers in their free time"?
I'd suggest any users of KeePassXC take their money and put it where it counts: find the organization that develops KeePassXC and give them the $60 a year that it costs to buy a commercial password manager like 1password.
If KeePassXC has all the features you need, it's worth paying them for it.
"pass", on the other hand, has no funding and no security vulnerabilities.
I'm pretty sure it's more secure to use apps engineered with a deliberately tight scope that arent lavishly funded than egged-up VC bloated monstrosities.
You wanna bet that building in electron is gonna keep 1password more safe? I wouldnt. The attack surface on that thing is gonna be huge.
> This is not a benefit.
Parent never claimed this, they were questioning why 1p would possibly need 620m for developing roughly the same value.
One of the comments on the post is that they have 600+ staff?
Why??
Agreed, an outbreak of featuritis is almost guaranteed. The core product works well for the job intended, but I don't want to be bothered with an expanding scope and the inevitable spam promoting the features that I don't really need.
It will go to all-expense-paid trips, consultancy fees and other things you need to eventually get acquired for $10B+ by one of the big players.
Or maybe, they will pivot, spend $300M on advertisement, so every grandma gets to know the brand name, and will then do an IPO, presenting it as the next opportunity of lifetime to the unsophisticated public.
This is how you make money in the post-2008 world. The actual old-school profitability has been out of the picture for quite a while now.
Because they also let you get free family accounts if your company uses it, they presumably then rope in a lot of individuals for personal use who then become incentivised to want their next employer to use 1password too.
1password is just more usable for most people.
You cannot really throw users under the bus in highly competitive and lucrative space.
It's not that difficult to export full data from 1password and move on.
They already through their consumer users under the bus when they switched to a subscription business.
I haven’t upgraded since v6, and I plan to avoid it as long as I can.
Dude, that ship sailed at their last (and first) raise. It took a little while for the shoe to drop, which was about 6 months ago.
This is once again just a case of investors hoping to make a pile of money so big they can corner a market. Sadly, they have no idea how cornering a market works (or doesn't work) in the case of digital products like this.
But that is nature of the beast.
My small company has stayed with our initial bank even though we were quite unhappy with it a couple of times. They didn’t rock the boat too hard, so we‘ve been with them for 8 years already - even though I was _this_ close to quitting sometimes.
Password manager is still hard to use for the elderlies and technically non savvy people.
I use and pay for Bitwarden but even I always get lost in the clunky UI and get frustrated by basic tasks (to a point I am considering switching). And it only gets worse when you have multiple teams and all the secrets are mixed up.