I actually recommend Dashlane to friends and family who are non-technical because it’s much easier to use than any of the open source options I’ve seen.
Then I should expect you and others to be telling others to 'self-host' their passwords managers very easily. [0] Otherwise it is no different to using rest of them and you're better off with using the alternatives.
Worst case scenario it's basically just a wrapper for GPG, so you can always get at the password if you have access to your GPG keyring.
I've also never had to directly install it on Linux, it seems to come pre-installed on most distros recently (I think it's a part of GNOME or something, even though I don't use that).
Not everyone is a tech person who can plays with their password manager in a terminal to just get the basic things working. Dashlane just works out of the box.
I think they should continue to allow users to buy a license and use your own sync as they did before. I had no problem paying for a license each time a major version was release.
Honestly, I don’t feel like most here are really the majority of their target audience.
I’ll continue using it though. I haven’t found anything that works as well for me.
You buy a product to use it. Continuing to have to pay for something that already exists on my computer and doesn't require anything from them is just extortion. Subscriptions are for when you are buying a service. There is no service I am buying when using 1Password (previously).
Do you expect regular updates? Security patches (including for zero-days)? Sync across all your devices? Backup and restore? 2FA? All of this requires dedicated ongoing work from the service side, and they are giving it to you for literally $3/month.
Security updates yes, but passwords are one of the most stable, least changing-parts of anything I do with a computer. File sync is also well understood and a commodity offering. In 35 years, the only thing that’s changed for me viz logging in is the introduction of TOTPs. I’d rather not have my password manager constantly changing except for security updates. I certainly don’t want to pay a a subscription service for a company to reshuffle the UI every five years.
I’ve switched to KeePassXC and Strongbox on iOS. It’s every bit as good as 1Password was for the last ten years, and I don’t have to worry about the future of the product locking me into crappy “growth” decisions. I’ll be donating a similar subscription fee to the maintainers of KeePassXC that 1Password would ask for.
I would gladly pay the $3/month if they were doing what you mentioned in addition to adding features. One of the problems with their new subscription model is that they're replacing existing support for password syncing with a forced adoption of syncing to their cloud.
Syncing to Dropbox (or others) is going to be removed with 1Password 8 and we'll be forced to either keep the old license of 1P7 and lose out on security updates, or, to start paying a subscription and accept that they manage the syncing instead. For many that's not acceptable, and it's a bit of a slap in the face for all the supporters they've had for years now who have been promoting their product through word of mouth.
And you can still use that product (1Password 7/6, including continued iOS app support you're not paying for), but the subscription is a service that people other than you do pay for. They just released 1Password for SSH Keys and it works pretty well, that's the type of updates I expect from my continued payment for a password management service.
Subscriptions lock you in on various levels. It’s very similar to renting a house. You can get kicked out by the owner.
Subscriptions for individuals is different from subscriptions for companies. Companies want to optimise time, individuals may want to optimise cost
personally, I am inclined to pay for IDEs as I spend more than 50% of the time on it, but not so much similar amounts when I use tools no more than 5-10 times a day.
Agreed. I liked 1Password a lot more when it was not subscription-based. The client is worse, the reliability is worse, the subscription is painful. The value is not there.
But it's a password manager and I use it. Perhaps I will bother to investigate alternatives and switch before my next renewal.
If you compare the price of Bitwarden to other proprietary Password Managers it is next to nothing. If you don't even want to pay for that take a look at VaultWarden
"Almost no features" is a bit extreme. The paid version adds [0] encrypted file sending, more 2FA methods, a TOTP generator, password health and emergency access but the core password manager functionality is there in the free version.
> Bitwarden is subscription-based too. Or are you on the free tier with almost no features?
This is absolutely ridiculous. Bitwarden have one of the most unfair (for the company) free tier that I ever used. It has everything I ever need from a password management, to the point where I only pay to support the company and not for paid feature.
I was going to strongly recommend the same thing, then I read the article and I realized the original article was foolish. They are complaining about electron.
Regardless, use Bitwarden. It's free and open source. Sure, it has paid options, however, they are options. Nearly all functionality is available for free.
Also FWIW, I haven't noticed any issues since the move to Electron, and continue to find it the best password manager for me, my family, and our myriad devices.
As I type this, according to Activity Monitor there are 4 1Password processes using 0.0% of my CPU and about 225MB of my RAM.
I've not noticed anything either, to be totally honest I actually prefer the new electron version. It's a nicer application in general and I've had no performance issues at all. I only wish I could get it on my old "take anywhere" macbook which for some reason is refusing to update to the latest macos version.
I'd say my one general gripe with 1Password's current major offering is that it's awkward to backup my passwords outside of 1Password. It's possible, but requires figuring out my own solution rather than just having something baked in.
> ...the Chrome extension stopped connecting to the native app randomly.
I’ve had this issue several times a year as long as I can remember so I’m not sure it’s related to anything new. Usually solved by restarting Chrome, sometimes 1P too.
I let my subscription expire about 3 months ago. (CC handling changes in India, you know)
I have only updated about 3-4 passwords out of 100s of items I store. This has been a realisation for me.
1pass, leaves the account in read only mode since it comes from your local storage anyway.
I need to get familiarised with the Bitwarden UI, its not very similar to 1pass, so there is a adoption curve. Hosted Bitwarden with the rust variant option is an option to consider.
Hosted bitwarden is a... chore. I suggest just diving in, I don't see how anyone can't master bitwarden in 15-30 minutes (the cloud hosted version). There isn't that much
- acount
- password
- password generator for random passwords
- browser plugin
- OS app
- notes
- paid version gives you password versioning and a couple of other goodies.
I've used it on all 3 major platforms and my iphone for years without a hitch.
I was actually wondering about this. It only had 12 points at the time of this writing so I’m curious whether HackerNews weighs certain votes higher than others.
I've only watched a few articles from the new queue for through their process of hitting the front page (and it's really great to be the first one to upvote something that gets there, more people should check out that queue!)
But even with that limited knowledge, 12 points in 45 seems more than necessary to get something to the front page, at which point it has a mind of its own.
And the low quality of previously great password managers certainly strikes a chord with me... BitWarden is the only one I can stand these days, but it's not great.
Early votes are weighted higher than later votes. If you browse /new your upvotes are far more impactful. If you browse the front page, much more rare to make a difference to a submission's trajectory, unless it just got there, then you can help determine whether / how long it stays.
Because 1PW has managed to place themselves on the “wrong” side of multiple issues that the HN user base is passionate about in a kind of piss off nerds speedrun.
Transitioning to subscriberware + converting your beloved native apps to Electron + raising a bunch of money so you can abandon your loyal users to chase the enterprise market is a trifecta that is catnip for this site’s front page.
No, it originally started as standalone apps with licenses you could purchase for each platform (at that time it was mainly Mac, and a poorer alternative on Windows). You could decide where to store the encrypted password file(s) and sync them however you wanted. You could choose to upgrade to a new version, or not.
Then it changed to the subscription model and a move to storing the passwords on the cloud. At the same time, the company also hid the standalone license option from all the main and help pages where one would look for it (and it required asking in the forums to get a link).
There’s a lot to write about how the company built a good reputation in the beginning and then worked very hard to dig itself deep underground.
I can imagine. If it gives me local access to my data without paying for a subscription though, it might be all I need before I can transition fully to Bitwarden.
The problem I have with both right now is that neither have arm64 clients for Linux.
> I wish Apple Keychain is better so I can switch to use it completely.
This would be nice, but it'd need to be fully-featured, including Windows support (Linux too, but i'd be doubtful) and non-Safari password autofill support (or they could re-introduce Safari to Windows, i'd be fine with that).
Does anyone know why 1Password's client application is closed-source? For a company so "modern" and insistent on transparency, it seems weird that they wouldn't even release the client app code as at least "source available". Don't get what they would be losing here. Same question with the server. Bitwarden seems to be doing just fine with an open-source/source-available approach.
1Password is like everyone else who sells out. I bought their stuff before they had subscriptions, and now that they have subscriptions, they are crippling the product so that you have to pay up or ship out. When the time comes I’m going to Bitwarden.
I was recently troubleshooting why the classic extension had stopped working with 1Password 7. I received a message from support (who overlooked my version) that indicated that 1Password 6 would no longer work with Chrome as of 99.0.4844.74 due to a change in the code signing certificate. I did not get the impression that an update was coming to fix the issue.
It doesn't support syncing properly, if you use it on desktop + Android + iOS you have to trust three different app vendors, browser integration isn't nearly as good as 1Password, custom fields are badly integrated.
i have been operating keepass on my linux desktop and android for the last 3 years exclusively and before that, my laptop only.
the "sync" isn't really a problem. you are making too much out of sync. passwords don't change much. you don't have to change/edit your entries every other week.
i keep a live copy on my phone and a copy on the desktop. if i have to add an entry, i add that to the phone and use kde connect to send that file to the desktop. takes 2 seconds. when i open the desktop keepass, i am greeted with the updated file so its not a big deal.
with keepass there isn't an issue with trusting vendors. they do not have internet access so what are they going to exfiltrate?
You'd probably need to trust more software vendords, but at least the synchronization in a single-user setup is pretty easy with some cloud storage service (Dropbox, Google Drive, etc.).
I used to be a 1p fanboy, but the company has really deteriorated from my point of view. Once upon a time, my password data was stored entirely locally in a format that was well-documented and which I could access using tools like openssl. In other words, I could be confident that they really were encrypting my data at rest because I controlled my data and could interact with that encryption myself.
In time, they moved to a cloud-driven, subscription-based approach. I found this disconcerting since I could no longer see and control where my data was located or evaluate its encryption myself, but I was impressed enough with 1password's track record to believe that it retained a strong security culture. They began emphasizing their web- and browser-extension-based options more, especially for Linux, for which they did not have a desktop client at the time.
Notably absent from this was an export feature. It remained in the Mac desktop app, but was completely missing from 1Password X. I noticed prominent 1password staff apologizing for the apparently unintentional lock-in situation created for some users by adding new platform support without also adding data export for those platforms. They promised it would be addressed soon. It wasn't.
Last year, I went to evaluate whether it was even still possible to export passwords from the Mac client. I wanted to know that 1password was still a good tool, because my daughter was turning 10 and it was time to establish strong security habits. I wanted to be sure that what I was recommending still made sense. I was nervous. I had not actively used my Mac in years. I went to use the export feature, and found that it simply did not function. Extremely alarmed that I now had over 1,000 unique passwords stored in a database that I had no functioning means of exporting, I contacted support and outlined my issue and asked how I could get a plaintext copy of each of my passwords.
I received a reply from a self-described "Astronomer of Support," who said:
"Can you please let me know a little more about why you are wanting to export your data? Once I get a better understanding, I would be glad to help further from there! :)"
I found this very troubling. I had supported 1password for years. I had recommended it to friends and family. I had bought it for some people. In a couple jobs, I required it of my reports. I did this on the belief that 1password had a strong value on privacy and security. I felt extremely foolish. While I had adopted 1password on the grounds that it had a locally-stored vault whose encryption was easy to audit, none of that was true anymore. The export feature I was told would be forthcoming on Linux had not materialized, and the feature on my Mac no longer functioned. 1password support was asking me to explain why I would even want access to my own data by some means other than their application in the first place.
I asked the support guy how this would affect his troubleshooting, and he told me he just wanted to understand my use case since plaintext exports are a security hazard. Then he told me to download and run a program to upload a substantial amount of information about my system. There was no question as to whether I was OK with this, or an offer of any alternative.
The answer, as it happened, was straightforward: I had an old version of 1password. I don't know why having an out-of-date version stopped data export from functioning, but it did. I was able to troubleshoot that without relying on the lengthy dossier that 1password's diagnostic tool had compiled, and the support guy could have done the same. Had 1password still been a company that valued people's privacy, he probably would have simply asked me to double-check the version number in the very first e-mail, rather than ask me pointed questions about why I wanted my data anyway, or telling me to install new telemetry software and give all this new data over to him.
I wrote an email back to 1password support explaini...
Yes you can. One vault at a time. Exporting other metadata apart from basic name, password, url is very clunky. Then you will also need to manually handle attachments for each entry. Some types of entries also have "special needs". Then sometimes there are errors. I've recently migrated from 1P and it was a lot of tedious manual work. It feels like the support for exporting data is kinda neglected, so I'm glad I did it while the feature is still there.
OTOH I've helped a relative to migrate from 1P to Bitwarden who had only a single vault for browser logins with name, password and url items and the process was quick and easy.
To be clear, I was ultimately able to export. My complaint is that at the time I was doing this (July 2021), the web client, phone app and then-new Linux desktop app had no means of export, which is something 1Password support acknowledged to me at the time. They were aware of this problem for at least a couple years and left it unaddressed despite numerous customer and internal complaints, and at least one senior 1password employee who I met at a conference told me this was a fact that said employee found embarrassing. I had to go dust off my old Mac, which I was fortunate to still have, to export my data. Even then, the feature was broken in the version I had installed, and 1Password support was reluctant to help me get it to work, and only wanted to do so by collecting an unnecessary amount of information.
I've been a 1Password customer for over a decade. I've also brought them lots of consumer and business customers as I've taught people and companies I deal with to use password managers, and I thought 1Password hit the sweet spot of good usability and security.
But I cancelled my account a couple of weeks ago. Their product has been worsening over time, and the last adventure of aligning themselves with the (wrong kind of) crypto bros was the final straw for me.
I'm not really familiar with Bitwarden but it is open source and I managed to import all my data in one go from 1Password so I'm testing that for now. IT feels good to support open source at least.
I've been on Bitwarden for years. Wouldn't trade it for anything. Security source code must be open and provable, rather than trusting a vendor. Closed-source commercial vendors always face a moral hazard or risk of capture.
It's a bit less slick than commercial offerings. Form fills don't work quite as well. Maybe once a year, it glitches.
Import from Lastpass was surprisingly easy. I ran them side by side for a while.
If you can, switch AND support this great product!
I'm a big fan of Bitwarden and have been a loyal user for years. I'm a convert from LastPass and haven't looked back. I'd say more about it but I suspect there are going to be lots of positive comments that will echo my thoughts.
I used 1password for maybe 7 years and the slew of recent changes and the slow deteriorating of their product quality, paired with the fact they ignore very simple features people have asked for for ages, made me switch to Bitwarden. It's not as polished but at least I'm not wasting money.
For cloud-based, I think BitWarden is the obvious consensus. For local-first, I settled on Enpass. It's closed source and proprietary but the format is decently documented and they provided help in making an open-source database reader https://github.com/hazcod/enpass-cli
Now my passwords are somewhere I control, in a format I can read with open source tools, and sync is done by Dropbox/maestral. It's like being back on classic 1Password but slightly more stable and slightly less polished in the UI.
KeePass is looking better with every release, but I have switched to Secrets since I like the UX and don’t want to run any kind of sync service myself.
95 comments
[ 4.8 ms ] story [ 167 ms ] thread[0] https://apps.apple.com/us/app/dashlane-password-manager/id51...
[0] https://news.ycombinator.com/item?id=30071603
https://www.passwordstore.org/
Worst case scenario it's basically just a wrapper for GPG, so you can always get at the password if you have access to your GPG keyring.
I've also never had to directly install it on Linux, it seems to come pre-installed on most distros recently (I think it's a part of GNOME or something, even though I don't use that).
Bitwarden works fine.
Honestly, I don’t feel like most here are really the majority of their target audience.
I’ll continue using it though. I haven’t found anything that works as well for me.
I’ve switched to KeePassXC and Strongbox on iOS. It’s every bit as good as 1Password was for the last ten years, and I don’t have to worry about the future of the product locking me into crappy “growth” decisions. I’ll be donating a similar subscription fee to the maintainers of KeePassXC that 1Password would ask for.
Subscriptions for individuals is different from subscriptions for companies. Companies want to optimise time, individuals may want to optimise cost
personally, I am inclined to pay for IDEs as I spend more than 50% of the time on it, but not so much similar amounts when I use tools no more than 5-10 times a day.
But it's a password manager and I use it. Perhaps I will bother to investigate alternatives and switch before my next renewal.
I bought a standalone package of 1Password at one point in the past and they completely screwed me by locking to an
arcane version of the app which none of today's browser extensions support.
Happy that I bought into Bitwarden at a really low cost of 10 bucks per year which was a no-brainer to me.
[0]: https://bitwarden.com/pricing/
This is absolutely ridiculous. Bitwarden have one of the most unfair (for the company) free tier that I ever used. It has everything I ever need from a password management, to the point where I only pay to support the company and not for paid feature.
Regardless, use Bitwarden. It's free and open source. Sure, it has paid options, however, they are options. Nearly all functionality is available for free.
A, the kind of foolish of not wanting to devote half a gig of RAM and slowdowns on a basic, and quite barebones, service, like a password manager.
I think I used Bitwarden for a week before I decided to pay as the experience was above and beyond what I had with 1Password.
Think I've had it 3 years now.
I'm still very happy to pay 1Password to be responsible for my most important data.
As I type this, according to Activity Monitor there are 4 1Password processes using 0.0% of my CPU and about 225MB of my RAM.
I'll take a TUI at <30 MB tops any day. Or CLI.
Does anyone recall what the pre-Electron version used on macOS?
I'd say my one general gripe with 1Password's current major offering is that it's awkward to backup my passwords outside of 1Password. It's possible, but requires figuring out my own solution rather than just having something baked in.
I’ve had this issue several times a year as long as I can remember so I’m not sure it’s related to anything new. Usually solved by restarting Chrome, sometimes 1P too.
I have only updated about 3-4 passwords out of 100s of items I store. This has been a realisation for me.
1pass, leaves the account in read only mode since it comes from your local storage anyway.
I need to get familiarised with the Bitwarden UI, its not very similar to 1pass, so there is a adoption curve. Hosted Bitwarden with the rust variant option is an option to consider.
- acount
- password
- password generator for random passwords
- browser plugin
- OS app
- notes
- paid version gives you password versioning and a couple of other goodies.
I've used it on all 3 major platforms and my iphone for years without a hitch.
But even with that limited knowledge, 12 points in 45 seems more than necessary to get something to the front page, at which point it has a mind of its own.
And the low quality of previously great password managers certainly strikes a chord with me... BitWarden is the only one I can stand these days, but it's not great.
https://news.ycombinator.com/item?id=29993961
https://news.ycombinator.com/item?id=28145247
https://news.ycombinator.com/item?id=27194279
Transitioning to subscriberware + converting your beloved native apps to Electron + raising a bunch of money so you can abandon your loyal users to chase the enterprise market is a trifecta that is catnip for this site’s front page.
Then it changed to the subscription model and a move to storing the passwords on the cloud. At the same time, the company also hid the standalone license option from all the main and help pages where one would look for it (and it required asking in the forums to get a link).
There’s a lot to write about how the company built a good reputation in the beginning and then worked very hard to dig itself deep underground.
The problem I have with both right now is that neither have arm64 clients for Linux.
This would be nice, but it'd need to be fully-featured, including Windows support (Linux too, but i'd be doubtful) and non-Safari password autofill support (or they could re-introduce Safari to Windows, i'd be fine with that).
Windows support: https://appletoolbox.com/how-to-manage-icloud-keychain-with-...
It used to be a solid app and now its browser integration have been more and more messed up for me these last few months.
I’m having the same issues detailed here.
the "sync" isn't really a problem. you are making too much out of sync. passwords don't change much. you don't have to change/edit your entries every other week.
i keep a live copy on my phone and a copy on the desktop. if i have to add an entry, i add that to the phone and use kde connect to send that file to the desktop. takes 2 seconds. when i open the desktop keepass, i am greeted with the updated file so its not a big deal.
with keepass there isn't an issue with trusting vendors. they do not have internet access so what are they going to exfiltrate?
In time, they moved to a cloud-driven, subscription-based approach. I found this disconcerting since I could no longer see and control where my data was located or evaluate its encryption myself, but I was impressed enough with 1password's track record to believe that it retained a strong security culture. They began emphasizing their web- and browser-extension-based options more, especially for Linux, for which they did not have a desktop client at the time.
Notably absent from this was an export feature. It remained in the Mac desktop app, but was completely missing from 1Password X. I noticed prominent 1password staff apologizing for the apparently unintentional lock-in situation created for some users by adding new platform support without also adding data export for those platforms. They promised it would be addressed soon. It wasn't.
Last year, I went to evaluate whether it was even still possible to export passwords from the Mac client. I wanted to know that 1password was still a good tool, because my daughter was turning 10 and it was time to establish strong security habits. I wanted to be sure that what I was recommending still made sense. I was nervous. I had not actively used my Mac in years. I went to use the export feature, and found that it simply did not function. Extremely alarmed that I now had over 1,000 unique passwords stored in a database that I had no functioning means of exporting, I contacted support and outlined my issue and asked how I could get a plaintext copy of each of my passwords.
I received a reply from a self-described "Astronomer of Support," who said:
I found this very troubling. I had supported 1password for years. I had recommended it to friends and family. I had bought it for some people. In a couple jobs, I required it of my reports. I did this on the belief that 1password had a strong value on privacy and security. I felt extremely foolish. While I had adopted 1password on the grounds that it had a locally-stored vault whose encryption was easy to audit, none of that was true anymore. The export feature I was told would be forthcoming on Linux had not materialized, and the feature on my Mac no longer functioned. 1password support was asking me to explain why I would even want access to my own data by some means other than their application in the first place.I asked the support guy how this would affect his troubleshooting, and he told me he just wanted to understand my use case since plaintext exports are a security hazard. Then he told me to download and run a program to upload a substantial amount of information about my system. There was no question as to whether I was OK with this, or an offer of any alternative.
The answer, as it happened, was straightforward: I had an old version of 1password. I don't know why having an out-of-date version stopped data export from functioning, but it did. I was able to troubleshoot that without relying on the lengthy dossier that 1password's diagnostic tool had compiled, and the support guy could have done the same. Had 1password still been a company that valued people's privacy, he probably would have simply asked me to double-check the version number in the very first e-mail, rather than ask me pointed questions about why I wanted my data anyway, or telling me to install new telemetry software and give all this new data over to him.
I wrote an email back to 1password support explaini...
OTOH I've helped a relative to migrate from 1P to Bitwarden who had only a single vault for browser logins with name, password and url items and the process was quick and easy.
One time purchase, indie devs, support for use on Windows / Linux etc. Been very happy thus far.
[0]: https://outercorner.com/secrets-mac/
What do you mean? Secrets looks to be Apple-only no?
But I cancelled my account a couple of weeks ago. Their product has been worsening over time, and the last adventure of aligning themselves with the (wrong kind of) crypto bros was the final straw for me.
I'm not really familiar with Bitwarden but it is open source and I managed to import all my data in one go from 1Password so I'm testing that for now. IT feels good to support open source at least.
It's a bit less slick than commercial offerings. Form fills don't work quite as well. Maybe once a year, it glitches.
Import from Lastpass was surprisingly easy. I ran them side by side for a while.
If you can, switch AND support this great product!
Now my passwords are somewhere I control, in a format I can read with open source tools, and sync is done by Dropbox/maestral. It's like being back on classic 1Password but slightly more stable and slightly less polished in the UI.
KeePass is looking better with every release, but I have switched to Secrets since I like the UX and don’t want to run any kind of sync service myself.