72 comments

[ 5.3 ms ] story [ 137 ms ] thread
So wait, what was the last system?
> Up until this point, we’ve used our own usage and your feedback to inform our decision-making. We’ve learned and improved a lot this way. But there’s always been a drawback to this approach: we don’t know what your 1Password experience is like unless you tell us.
Ahh yes, a feature every user wishes to have in a sensitive, critical, local encryption tool - something that silently exfiltrates data to the manufacturer.

The only way it preserves privacy is if it defaults to off. Anything else is a lie in service of a fraud.

Looks like they've reversed their earlier decision and it will now be opt-in:

> You’ll see this message when you open 1Password on mobile and desktop when it’s time for you to choose whether you would like to participate [...] The choice to share your data is yours. We won’t collect anything unless you’ve confirmed you’re happy to share in-app usage data moving forward.

The post says that it does default to off:

> Later this summer, you’ll see the option to participate in our telemetry system and help improve 1Password. You don’t need to take any action right now, and we won’t collect any usage data without your awareness and consent first.

Developing modern software without being able to observe its operation is simply not realistic. Telemetry of this sort is an important driver of software quality and product improvement.

I’m convinced that people who talk this way are not recognizing the important distinctions between google-analytics-style tracking software that is just trying to squeeze more money out of users and observability-style tracking that is a key part of the software development lifecycle. If you refuse to acknowledge any value in the latter then you deserve the buggy software that results.

> Developing modern software without being able to observe its operation is simply not realistic.

Go manages to do it, as does Linux, and Debian.

I think this sort of thinking is poisonous. Just because it is common does not make it ethical or justified.

Discussion of Go toolchain wanting to add telemetry for these same reasons. This casts doubts on how well they're managing to do it.

https://github.com/golang/go/discussions/58409

They concluded (correctly) that opt-in was the only reasonable approach.
Be careful you don’t hurt yourself moving those goalposts.
>as does Linux

Linux has a lot of telemetry features which businesses can use to aggregate data on how it is operating. These businesses if they identify problems submit patches to fix them.

>and Debian

Debian has telemtry on what packages people install.

https://popcon.debian.org/

It's like "how did we ever build functional products without the ability to spy on you all the time??" I don't disagree that telemetry is ubiquitous in modern software and pretty much built into modern software dev lifecycles, but it's not like we didn't build lots of capable software before this was the case. Heck, 1Password itself seemed to be doing fine without any telemetry in the past.

The point people are making is that the one place you probably don't want telemetry software is your system critical password manager. There is a lot of potential for an "oopsie" where something accidentally gets sent that shouldn't get sent, and that's what people have an issue with.

Lots of people on this very forum have bitterly complained about a supposed major drop in product quality for 1Password since their relatively recent adoption of a cross-platform electron app.
The actual post mentions the following:

> We’ve designed our telemetry system to collect data on “events”. An event is essentially an action, like: Finishing our in-app onboarding, Unlocking 1Password, Creating a new item, Filling an item in a website or app.

> We won’t be collecting your saved passwords, passkeys, usernames, and any URLs associated with your items. Your private information is just that – private.

With it also being opt-in I dont see an issue with collecting basic numbers for how often people use the plugin or app, as long as they're telling the truth, I think it's fine.

The issue is that the data doesn't belong to the vendor - it belongs to the user. It doesn't matter that you don't personally regard it as sensitive.

Also due to things like lack of ESNI and lack of onion routing to obscure client IP address, it leaks other information to the vendor and ISP like your travel history over time (via client IP geolocation) and waking/sleeping/working hours.

Software that exfiltrates this information without advance consent is stealing it.

We are talking about a network-connected paid service. It’s revealing your IP address to the company that provides the service by its natural operation, such as synchronizing passwords between devices over the network.

> Software that exfiltrates this information without advance consent is stealing it.

I’m not sure who you are arguing with when you keep repeating this. I pointed out that the post clearly states they will obtain this consent. At any rate, you are obviously not a customer so why are you so mad?

>the data doesn't belong to the vendor - it belongs to the user

The data doesn't belong to anyone. The data is just a fact of what happened. No one owns the fact that George Washington was the first US president.

If the data doesn't belong to anyone and therefore doesn't need to be kept secret, would you be okay with <Insert Big Corp> publishing your precise location history that reveals where you live, when you leave for work, when you come back home and when you're on vacation? It's just a fact of what happened and, at least according to your logic, you don't own it.
Thank you. Parent clearly didn't read the details. And wtf is with their claim of "exfiltration" when it's opt-in and you're already explicitly entrusting 1Password with your data? smh...
Was this software audited by an external entity? I would only trust it if it was.

We're dealing with quite a serious matter here.

Was the 1P platform audited by an external entity?
Nope. Opt-in or opt-out doesn't matter. I don't even want the code in there, settings flags get ignored all the time, accidentally and intentionally. I don't know why anyone would choose a proprietary password manager.
I really hope that they're using the Prio system (https://crypto.stanford.edu/prio/), perhaps via Divvi Up (https://divviup.org/), which is offered by the fine folks at ISRG.

But, the fact that they don't mention anything other than "All event data will be de-identified and processed in aggregate before it’s used for analysis" leads me to believe it's an in-house solution for a very complicated problem, if one chooses to do it correctly.

Will this new data actually lead them to acknowledge that 1Password v8 on Electron is trash?
Indeed, if you’re already ignoring feedback as loud as the v8 pushback what could you possibly listen to via telemetry?
What's in memory, filenames, app lists,
It's funny, isn't it? They claim to need telemetry to learn how they can make things better, but v8 just plain isn't better.

I believe the reality is they need telemetry so they can use it to validate their own decisions. They can produce nice charts and tell each other they're doing a great job and feel good about it, even if users are complaining about it (or just silently accepting it, until some last straw causes them to leave).

If you were to measure my metrics, they'd still look the same as in v7, and they'd tell them nothing about the fact that I think v8 is crap, and that v8 means that one day I might just wake up and say "yeah let's try that bitwarden that HN always talks about".

It was — I complained as much as anyone, both publicly and directly to them — but to their credit they addressed all of my many issues. I’d bet that this anonymous, opt-in telemetry system is a direct result of that FUBAR’d launch.
> And at this time, our telemetry system won’t be rolled out to any team or business using 1Password.

The fact that they're doing this at all, as well as that they're dangling it as a "we may alter the agreement", makes me more hesitant to buy a team/business subscription to 1Password.

> We know that in the technology industry, “analytics” and “usage data” can be an excuse to invade your privacy.

In this case, it seems like unnecessary leakage and implementation complexity in a "you had ONE job" highly security-sensitive service.

I don't know why anyone would subscribe at all.

I think it was 7 or 8 years ago, I bought it for $50 (since moved on to another)... but it was a one-time payment with on-going rights.

Y'all have some pathologically high tolerance to subscription load or something.

For the record, I had to give up on it when they offered no self-hosted sync mechanisms... I don't trust the cloud services with my passwords, even if they are encrypted. And then I found the forum comment where they were bitching about webdav, and I just knew that it was never not going to be a shitshow.

I draw some comfort from knowing that there is a stable source of funding to the security and bug fix efforts. And a persistent incentive to not abandon this software.

I hate coffee, keyboard and software "subscriptions" which are just overpriced purchases but to me, this ain't it.

While they state it's opt-in, the image they provided shows that the share button is enabled by default. I hope it is not the case, but I personally dislike having opt-in telemetry with a button/checkbox that's enabled by default.
We currently use 1Password at work and actions like this from a company whose only job is to make sure that passwords are kept securely make me very nervous.

Are there any alternative password management tools that folks here have had a good experience with at a 100+ headcount org with varying levels of technical expertise?

Bitwarden!
+1 for bitwarden

It has served me and my family well for years now.

According to Bitwarden’s privacy policy, they do the same thing that 1Password is proposing, only without the anonymity promises. Why do you think it’s better?
Just read through the policy that is available here: https://bitwarden.com/privacy/

Yikes! Here are some quotes:

> we analyze data about your visits to our Site to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit the Site using Google Analytics, we and Google may link information about your activity from that site with activity from other sites that use Google Analytics services.

> Bitwarden may use the Personal Information collected by the Site to provide you with services, ..., including: For research and development to improve the Bitwarden Service, Site and other Bitwarden services;

I was ok with that except all the way through the words “product design”, because I do think that’s a fair thing to collect data for… but it kind of went off the rails after that.
yikes, looks like i will have to self-host instead... or switch workflow to pass
Thanks for bringing this up, I should've read the TCs before moving away from their self-hosted solution.
I use and love Bitwarden, but they also took some venture money recently so I won't be surprised if something similar happens (if not already).
(comment deleted)
Oh right, they took a bunch of venture funding a bit ago, didn’t they?
They wrote that they were testing this system company-wide. They employ several hundred employees, so they must have learned some things about their product during those tests. I wonder how much more they will learn from their customers. Has anyone been in a similar position and seen what kind of difference that can make?
this is what happens when you hire people that want to adopt industry standard solutions instead of taking the time to understand their product and their audience.

or rather technical people making decisions instead of product manager type people.

password management is as simple of a feature set as you can get. less is generally more.

all of the information you would ever need to know can be gathered from a user survey. the people involved would need skillsets for interacting with users though.

this sounds like it's developers trying to gather this data, and this data will tell them absolutely nothing and only piss people off that they are even thinking about wanting it.

If their insistence on killing off the "bring-your-own" sync options hadn't made me leave their platform in 2018, this would do it now.

Even if I believe it's completely benign, I don't want my password manager phoning home.

I still don't think BitWarden is quite as nice to use as 1Password, but it's close, and my self-hosted bitwarden-rs (now VaultWarden) instance has been pretty hassle free for quite a while now.

It's beyond me why anyone would willingly choose a service like this when perfectly good (and free + open-source) services like KeePassXC and pass exist. Maybe in the corporate space, but I can't understand why an individual would choose to outsource their personal security to a for-profit corporation. Seems like this just introduces additional risk by outsourcing such an important function to a third party outside of your control.
Convenience, of course. Secondarily, lack of awareness of alternatives.
This seems accurate. I forget how much people value convenience
I can explain why. I migrated from KeePass to 1Password.

The short version of the story is that I used a mess of tooling to get a KeePass-based workflow going, and it resulted in data loss that I had to recover.

I stored my database on a cloud storage provider, and then I would read that database with various clients on my various platforms. At that time, just about none of the (good) clients were cross-platform (KeePassXC that you brought up has no mobile apps).

At that time, an open-source Mac client had a bug that caused some extra fields to be cleared/not saved. I put some important information in those notes and they were lost due to this one client being buggy. Luckily, my cloud provider kept a backup of previous database files.

That's when I realized that having someone else manage all this was way better than saving a few bucks.

I've used 1Password through a lot of new version changes and complete rewrites and I can't recommend it enough. It integrates deeply with all my devices, supports the latest developer frameworks on those devices (e.g., delivering a Safari for iOS extension as soon as extensions were added to iOS), and it's packed full of features that I never dreamed of having with KeePass.

This optional opt-in telemetry seems way more reasonable and respectful than comparable SaaS services and commercial applications, but, alas, "telemetry" is a boogie-man word. Maybe that KeePass app that dropped my data could have used some telemetry to spot that error a bit faster.

I've never used KeePass myself but for a few years it seemed like situation with Mac clients was something of a rotating door, with the client or fork that was most up to date changing constantly… seemed pretty easy to lose track of, with is not great for something where staying up to date is important.
My concern with this move isn't that "telemetry" is a boogie-man word but that it is a slippery slope that we have seen far too many companies slide down on.

The progression seems to be: No telemetry -> Opt-in telemetry -> Opt-out telemetry -> Always on telemetry -> Yeah we sell whatever data you give to us to the highest bidder, what are you going to do about it?

Speaking as someone who has this deployed at work and would be loathe to go through the trouble of having to swap this out, we need to send them a strong enough message at this stage so that they stop experimenting with this further.

The thing is, in real life, slippery slopes don't go on forever. They stop at some point.

1Password isn't going to sell data for completely morally neutral business reasons. They would get peanuts compared to the up to $8/month they get from each user in exchange for a legal, compliance, and security nightmare resulting in a bunch of lost customers.

It's most likely that they just want to make it easier to develop the product. That's where the slope ends.

Agilebits at the end of the day is a company and it does things for financial reasons. Us, from the outside looking in, trying to assign a moral value to those actions won’t make sense.

They will go down that slope until going lower won’t make them any more money. Any money that they make from the sale of data will be profit on top of the 8/mo that they are currently getting.

If there are enough users, getting the legal and compliance stuff sorted might be worth it since that would be a one-off cost to create a whole new revenue stream.

Again, just making the case as to why they could do it, not why they should or will do it.

I had the exact same experience. Back when I was using Keepass I manually synchronised the file onto 2 cloud providers because the only native sync option was rsync and WebDAV or something, which was useless for mobile.

I used to have 3 copies of the same file so that in case I forgot to sync I would not overwrite some passwords.

At some point I realised what I was doing was not much better than a glorified spreadsheet with passwords and moved on.

I think everyone outsources their personal security to for profit companies. It do you build your own locks for your doors?
> do you build your own locks for your doors?

writing down passwords isn't equivalent to owning a machine shop and having the skilled labor required to facilitate manufacture of a door lock, regardless of how hard the companies that profit from selling these kind of services tell you it might be.

Wasn't there a recent incident of amazon locking someone out of their house because of misheard information?
An Amazon delivery driver thought that the automated message of the doorbell-cam (I'm honestly not sure if it was ring) said something racist, or in a rude tone and construed it as racist, reported the "interaction, and algorithms algorithm'd.
the biggest thing for me is convenience and that is why i am using bitwarden and not keepassxc or pass at the moment.

but i am constantly tinkering on my workflow and pass seems to be really cool so who knows when i switch again!

Moved away from it a long time back. Between raising a ton of money, building an electron app and adding telemetry and sketchy agreements, I am glad I got out when I did.
I’ve only really ever otherwise used Lastpass (not of my own volition) and Keepass. Lastpass is its own dumpster fire and KeePass is sort of like “why do you need Dropbox when you can achieve what it does with rsync”. At least 1Password has decent (not great) UX. Are there other, better solutions out there?

One particular rant of mine for 1Password is that its iOS app seemingly doesn’t remember any context whatsoever. It doesn’t matter how recently you entered your password, it will prompt you for it again if the auto paste went wrong or some other trivial thing caused the entry of credentials to not go correctly.

(comment deleted)
My password manager is my memory + a notebook in a fireproof safe and I never have issues like this.
Assuming your password manager creates unique, complex passwords for each online account, how do you handle logging in when you're away from your primary machine or on your phone?
I don't let browsers/devices remember my passwords. The reason I can remember as many as I do is because I have to input them on a consistent basis.