1Password: Standalone / Local Vault Option Gone? (agilebits.com)
350 points by Tomte on July 12, 2019 | 360 comments



I've been a paying subscriber to 1Password for over two years now and had the standalone version for years before that, and the way they responded in that thread really rubbed me the wrong way. Enough that maybe I'm going to start looking for other options. Maybe I'm just in a bad mood?

The OP just wanted to know if the feature was gone, and if so when did it get removed (maybe to find an archived version of the app?), and lastly why it wasn't clearly communicated, but you can just smell the smug in the responses. It's hard for me to read their little "cute" emoji as anything but sarcastic, which is reinforced by one of the developers chiming in about how they must be asking to "make their mobile apps free" and the other guy talking about how with so many users anything they do will of course be found out.


Likewise. I've been a long-time user, and currently a subscriber, but I've just found the direction 1P is heading, and the way AgileBits communicate a lot of this to be frustrating.

It's difficult to explain, but every time something like this comes up their responses frequently seem "off" and tone deaf.

I'm not sure they understand how much their product can become a part of how people go about their daily life, and how changing that, no matter how small, can have pretty significant effects, with an accompanying emotional response.

A while back they changed the way their vaults worked and you had to upgrade them. I've never been more nervous about an update to anything than I was with that update. The way the software communicated what was going to happen really didn't help, and there was a real feeling that this could all go horribly wrong.

Something I respect from Basecamp is their commitment to keeping their old products around (and keeping them maintained, even if they get no new features). They understand that they become a part of people's lives, and you mess that up at your peril. "Sunsetting" products or features has an impact on your customers that you need to be prepared for.

For reasons that are difficult to articulate I just don't trust AgileBits to not completely bugger up things for me in some way by changing something that they regard as unimportant, but to me is significant.

Even to me, this feels like I'm probably overreacting, but my passwords and online identities are so important that even the smallest hint of untrustworthiness is unnerving. The impact of losing all those details would be massive.


Yep, I feel the same way. The responses went downhill really quickly. I only just jumped back onto the MacOS bandwagon and was looking at resubscribing (I've had an awesome experience with their email customer support reps in the past which brought me back) but if this is how the public facing side of the development team acts... yikes.

I'll be much more open to alternatives now than I would have been yesterday.


I'm on the Catalina beta and the Safari Extension for 1Password 6 doesn't work (Apple only allows extensions from the App Store starting with Safari 13 - so it's not really AgileBits fault).

I chose to migrate to storing everything in iCloud Keychain instead. I understand why companies want to move to the subscription model, but I can't justify spending $36/year for an app to store my passwords.


The problem with iCloud keychain for me is that I don't only use Apple devices, otherwise it might do the trick (except for TOTP 2FA stuff).

I'm trying Bitwarden now and it seems to be ok. Maybe it's time for a change.


As a user that made the switch to bitwarden the last time 1Password tried their shift to the membership-only options some 1-2 years ago, it is an excellent replacement. I do miss some better search / sorting functionality, but otherwise this works great with a local server that I maintain for keeping my Mac, Ubuntu, Windows and Android devices in sync.


Bitwarden costs only, what is it, 10 or 12 USD a year. LastPass costs 24 USD, and 1Password 36 USD. That's if you need 2FA. If you don't need 2FA then it doesn't cost as much, but I think you still have a device limit.

Bitwarden's clients are FOSS. There's a 3rd party FOSS server for it available written in Ruby. So you could even self-host.

[EDIT: there's one written in Rust as well! [1] [2]]

[1] https://github.com/jcs/rubywarden

[2] https://github.com/dani-garcia/bitwarden_rs


You can also self-host the original server, it's under AGPL[0]. I'm using this atm, and yes, I pay for the organization feature, though I could easily adjust the code to unlock it. It just doesn't feel right (same goes for the 3rd party FOSS server). But that's just me.

[0]: https://github.com/bitwarden/server


IIRC, LastPass increased to $36/yr which made me switch to Bitwarden. $10/yr with better functionality and UX


That would be a good option if they supported all of their clients equally, but the developer has pretty much said that he's not going to update the extension to support Safari 13. As a Safari user, it's not a good option.


Does BitWarden support "family" use-cases, where you share passwords between multiple accounts?


Yes. The family plan is just $1/month for 5 users, with self-hosting as an option.

The free tier supports 2 users sharing.


> The problem with iCloud keychain for me is that I don't only use Apple devices

If I ever need to sign into something on a non-Apple OS, I look up the desired iCloud KeyChain-stored password on my iPhone, then manually retype it on the other device.

I feel that gives me extra security.


>...that gives me extra security

Actually, manually typing or pasting your password (assuming you aren’t using WebAuthn) opens you up to phishing attacks because you could be fooled by the URL, whereas password managers and hardware tokens will activate only for the associated domain.
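The comment above rests on one mechanism: a password manager binds each credential to the origin it was saved under and refuses to fill anywhere else, while a person retyping a password from a phone is relying on their own reading of the address bar. The following is an added example written for this thread, not code from 1Password, Bitwarden or any other manager, showing a strict origin-matching gate of the kind an autofill component applies. Every URL in it is a constructed sample; `example.com`, `evil-host.test` and the function names are assumptions for the illustration.

```javascript
// Added example: an autofill gate that fills a stored credential only when the
// current page's origin (scheme, host, port) exactly matches the origin the
// credential was saved under. A human reading the URL bar has no such check,
// which is the phishing exposure the comment above describes.
// All URLs and names here are constructed for the illustration.

// Parse a URL into a comparable origin. Returns null for anything that does
// not parse, so an unparseable page is treated as "do not fill".
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (_err) {
    return null;
  }
  // URL.port is "" when the port equals the scheme default; normalise it so
  // https://host/ and https://host:443/ compare equal.
  let port = u.port;
  if (port === "") {
    if (u.protocol === "https:") port = "443";
    else if (u.protocol === "http:") port = "80";
  }
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Decide whether a stored credential may be auto-filled on the current page.
// Rules: the page must be served over HTTPS, and scheme, host and port must all
// match the stored origin. A host that merely contains, resembles or is a
// parent/child of the stored host does not match.
function shouldAutofill(storedUrl, currentUrl) {
  const want = originOf(storedUrl);
  const have = originOf(currentUrl);
  if (want === null || have === null) return false;
  if (have.scheme !== "https:") return false; // never fill over plaintext HTTP
  return want.scheme === have.scheme && want.host === have.host && want.port === have.port;
}

// Run the gate over a list of candidate pages and report where a manager would
// fill. Every page that is refused is one where a person retyping the password
// by hand would have to spot the difference in the URL unaided.
function evaluatePages(storedUrl, candidatePages) {
  return candidatePages.map((page) => ({ page, managerFills: shouldAutofill(storedUrl, page) }));
}

// Constructed sample: the origin the credential was saved under.
const STORED = "https://accounts.example.com/login";

// Constructed candidate pages, each illustrating one way a URL can differ.
const CANDIDATES = [
  "https://accounts.example.com/signin?next=/home",    // same origin, different path: fill
  "https://accounts.example.com.evil-host.test/login", // stored host buried inside a longer host
  "https://accounts.examp1e.com/login",                // digit "1" in place of the letter "l"
  "http://accounts.example.com/login",                 // right host, plaintext scheme
  "https://accounts.example.com:8443/login",           // right host, different port
  "https://example.com/login",                         // parent domain of the stored host
];

for (const r of evaluatePages(STORED, CANDIDATES)) {
  console.log(`${r.managerFills ? "FILL  " : "REFUSE"} ${r.page}`);
}
```

Real managers vary in how loosely they match (some allow sibling subdomains, some compare the registrable domain), but every one of them enforces some programmatic binding that the "look it up on my phone and retype it" workflow lacks, which is why the exact-origin version above refuses everything except the first candidate.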


I meant, I don't have to trust Windows or Android's security to not leak access into third-party password sharing apps, or the in-house security hygiene of those third-parties.

With Apple there's only one party involved.


Bitwarden will also stop working with Catalina / Safari 13, so that doesn't help this particular use case.


That is not entirely true. Update: https://git.io/fjXLJ


Seems to work fine, I installed Bitwarden yesterday



Ah, it works on Catalina. I don't use Safari.


+1 for Bitwarden.


+1


+1 for Bitwarden


Correct me if I'm wrong, but you can't share passwords with iCloud Keychain, correct?

My workflow involves sharing certain accounts with family members and 1Password supports that. For now, that's the killer feature for me.


I share passwords with my coworkers (for resources that don’t support teams+sub-users) not by using any password manager, but rather by just keeping the descriptions+usernames+passwords in a Google Sheet.

We use GSuite, but that isn’t really relevant other than for controlling default ACLs to the document; you can just make a private Sheet and then share it by email to whoever you like.

Google Sheets works okay (for this use-case) pretty much everywhere you need it, including on mobile. Doesn’t auto-fill anything, of course, but since the point is sharing the password, not restricting the ACLs of the password in any enterprise sense (i.e. so people that could use a password before can then lose access to it), it’s fine to allow people to just cache the password into iCloud Keychain and/or Chrome Sync. So it’s not as much of a speed bump as you’d think.


I can appreciate that it works, but that solution is objectively worse for me. There's no convenience, it's more work, more error prone, and still a "cloud" storage solution with all its inherent issues.

I can punt on the cloud problems, but I'll pay for the convenience of a password manager in this case.


> I chose to migrate to storing everything in iCloud Keychain instead.

I did the same when 1Password moved in this direction after version 6. It was clear then that the standalone version was going away.


> can't justify spending $36/year for an app to store my passwords.

what?

it’s not just storing your passwords. you could use a spreadsheet or plain text file for that.

$36/yr is NOTHING. this is great value for money.


Also a paying subscriber, and also appalled at the response from 1P team.

Will keep this in mind when recommending to family and friends, which I do a lot, and will definitely keep an eye out for alternatives moving forward.

The latest extension for Chrome on Windows and Mac barely works for me half the time with the latest update.


Here's a recent experience I had with them...

When you have sync issues, the workaround in the absence of a Force Sync button (which used to exist) is to create a dummy secure note or to log out and log in again.

Most users won't know this workaround without spending several minutes Googling and digging through search results.

I complained about the lack of a Force Sync button on the clients in the forums, and was told this:

"The reason we don't want too easy an option to force a sync is precisely because folks will choose to use that rather than reaching out to find the root cause"

Needless to say, I wasn't pleased to find out that they wanted to use their paying customers as free testers.

I'd like to switch away, but most of the alternatives I've looked at don't compare very favorably from a UI/UX perspective.


Try Bitwarden


It seems their software quality in general has been going downhill recently. Lots of changes just for the sake of changing. The new extension doesn't work about 40% of the time or requires multiple keystrokes to get it to pop up. The Windows version is just, ugh.


Huh, I thought it was getting better across the board, and significantly faster. 1P is actually investing in proper cross-platform support, rather than only macOS, so perhaps it's just less attention to detail? The Windows client has become fantastic.


No doubt the Windows app has gotten better, but there are a lot of weird quirks with it. Example off the top of my head: if you click on the favorites sidebar and try to search, it only searches in favorites. On Mac it searches everywhere, as I'd expect.

The UI in general also just feels clunky. It's missing that polish the mac app has.


I would expect contextual search, rather than "everywhere" search if I was filtering...


I don't know if I'd use the word "fantastic".

In many ways, I feel that the Windows and Android clients in particular are still second class citizens compared to their Mac/iOS counterparts.


I completely agree. It used to be a very simple piece of software (I’ve used it since the beginning) and they’ve progressively tried to add more UX changes which only confuse and add reliability issues.

Simple tasks like resetting a password or adding an entry in 1Pass can often be frustrating now.


I was a booster until they added a terrible feature to bypass master password on smartphone app with pin.

Previously, with every restart of the phone, you needed to enter master. After, only when the pin is misentered once. They added this ‘new feature’ right when I was installing everything on a new personal laptop. As I recall it, I was entering the master password on my phone, over and over. One of the characters had a shift, which was a pain in the . On iPhone. So I made it lower case. Then, I updated my phone, got the 1password update, and didn’t enter the master for over a month.

Finally, I misentered the pin, and got kicked to the master. Well, you can guess what happened. I was locked out.

You know, a password works because you remember it. My situation revealed the design flaw of bypassing that. If you don’t enter the master for a long time, you lose the habit and increase the risk of losing it.

For me this is the classic example of the corrosive drive to renew a perfectly good product, which ruins the product for some users. But as a designer, I think it’s a fail, but you can’t tell them that.


This is why I like the Authy client on mobile. It periodically asks you for your encryption password just to make sure you can still remember it. Such a thoughtful idea.


I guess if you only ever use the mobile app, but still there's a desktop app and the browser extension to practice your memory.

The pin thing is a big time saver because typing on mobile still sucks, and I'd have to re-type the master every time I switch between an app and 1Pass. I certainly wouldn't qualify it as a bad feature.


I'm not saying the pin is a 'bad' feature (in fact, I'm using BitWarden now. It uses the same UI pattern [1]). The 'feature enhancement' I'm miffed about is when the master is only ever required when you fail at the pin screen, whereas previously you needed the master after every restart of iPhone.

It's a complex system. I had a use-pattern that naturally emerged from the UI (which required the master after reboot), and my habit of turning off my phone every night. So this "feature enhancement" seemed innocuous, but had, I would argue, the unintended consequence that I lost my memory of the master because of a new feature.

I believe this is exactly the sort of thing a smart company, making a security product, should think about before they decide to add a "feature enhancement".

I mistook the great design of the original 1Password product as an indication of a "smart company" who made great decisions, and great products through testing and design.

Now I feel differently. Now I just see another one-hit wonder, who makes improvements by the whiz-bang theory. New! New! New and improved!

The unpopular decision to drop the standalone version (local vault) is just more evidence to me that AgileBits isn't special. I put them on a pedestal with devotion and evangelism, but they're no different, and maybe worse.

And if you like this rant, you might also like my rant on TransitApp. hahah!

[1]: Before, with 1Password, I would have to enter the master once every 1-2 weeks. Now with Bitwarden, using the same 1-fail pin to master UI, I think I've not defaulted into master for, I dunno, 6-8 months? But I've learned my lesson. I wrote the master on a piece of paper and tucked it away in a book somewhere on my bookshelf. What could go wrong?


I know this is a larger issue, but I sure feel like software quality for ANY product decreases over time. I've observed this with many, many products in my career. 1P is just the latest example.

I feel like it may be an inexorable and unavoidable consequence of an aging codebase.


It's not a law of nature. Bit rot and technical debt can be counteracted if maintainers are vigilant and focus on quality and maintainability. Unfortunately, not many examples come to mind: the Linux kernel, PostgreSQL, SQLite, OpenBSD, for instance. I can't really think of any instance managed by a for-profit organization.


With the hindsight of 20 years in the industry I believe a lot of it is due to team churn. Once the original developers are all gone much of the codebase becomes a scary black box. When I think about teams I've worked on with an OG dev still around, they've always been far more productive.


Same here. I've been using 1Password for over 11 years. Paid for multiple licenses, family subscriptions, upgrades, etc. Their recent behavior indicates direct hostility to their long-time users and obvious money grabs. Since it looks like it's the subscription model no matter where I turn, I'm thinking about migrating to LastPass. At least they are more or less transparent in their pricing and future intentions.


I feel exactly the same. Recently I complained about decreased usability issues with the re-worked 1Password mini and... felt exactly the same. I won't be looking for a replacement just yet, but the feeling is right there. Dropping support for standalone vaults is not an unexpected development.


I was turned off by their smugness back before they had a Windows version. Their justification was that the platform didn’t allow them to build the type of beautiful software their high standards required. They’ve always had these attitudes that have rubbed me the wrong way. I’ve never gone onto their subscription model, but I’m wondering if iCloud would work for me since I’m fully in Apple’s ecosystem.


Making pretty software in Windows is totally doable, people just don't make the effort.


I find it very infuriating in general when someone uses a cute or smiley emoji after telling me something negative. I'm sure that mostly I'm paranoid and irrationally irate about that, but I can't help thinking that people are rubbing it in my face when they do that. Am I the problem?


I think the intent when using those emojis is to communicate that they really are trying to be nice while giving negative news. Text is a really hard medium to convey emotion or intent through. For example, I find if I want to sound positive I end up having to add an exclamation point at the end of every sentence (“Nice job.” Vs “Nice job!”)

That all being said, I absolutely agree the emojis almost always are perceived in a way that’s opposite of the intent, e.g. smug, sarcastic, or some other negative tone.


I don't think the responses are smug. Ben in particular stands out as patient, forthright, and apologetic.

> one of the developers chiming in about how they must be asking to "make their mobile apps free"

That isn't the actual quote. The developer is pointing out that the apps are "free to use as companions to our desktop apps".

> the other guy talking about how with so many users anything they do will of course be found out

This did come across clumsily, but it was in response to the false dilemma "Was it forgotten, or deliberately not mentioned in the hopes nobody [would notice]?"


Reading that thread makes me happy I ditched 1Password when they first moved to a subscription model.


What did you move to?


Keepass with passhole in terminal, Keepass2Android on Android and Tusk extension in Chrome.

Keepass community solutions are strong and open source. And free.

https://github.com/PhilippC/keepass2android

https://subdavis.com/Tusk/

https://github.com/Evidlo/passhole


Plain old Apple keychain while I evaluated other options. While I was evaluating, I realized the keychain was fine for my current needs. I'll evaluate again when my needs change.


"Thanks for your feedback."


The only smugness I could tell was in regards to their free app offering, and considering it costs money and resources to maintain those free services, their viewpoint is understandable. The feature was removed; they thank them for the feedback for being upset that the feature was removed.


I understand that software costs money to maintain and cloud syncing requires infrastructure. But they didn't need to act the way they did in response to someone asking a reasonable set of questions.


I'm saying you're making a big fuss about something that 1. You have no control over, and 2. Doesn't really matter.


I don't think I'm making a big fuss about it. I'm not campaigning for a boycott or mass migration or anything. I'm just saying that as a long time customer of AgileBits the way they reacted in the linked thread really didn't sit well with me, so I'm looking for alternatives to their software.

What if I have an issue in the future? Will I also be treated poorly?


The mobile app is free, but creating entries on the mobile app is a paid feature. Either with a subscription, or by buying the "pro" features. Or at least that's how it is on Android.


One thing I've learned about software in general is that I never want to be outside of the primary use case. If you're not using it the same way that the people building it do, it's going to be a pain to use, and your requests will be ignored.

For me, 1Password wifi syncing (with local vaults) never worked quite right, and I don't think that feature has been touched by its developers in all the years since I first bought a 1Password license. It's never going to be. They're all in on their own cloud service and subscriptions.

I don't hate 1Password for using subscriptions -- that's their prerogative -- but I wish I'd known they were going to bail on the Mac-as-digital-hub architecture. That was 100% why I bought it.

I'd describe that pivot, too, as a communications breakdown.


> One thing I've learned about software in general is that I never want to be outside of the primary use case. If you're not using it the same way that the people building it do, it's going to be a pain to use, and your requests will be ignored.

While this might be true in general, one of the main advantages in choosing FOSS is that features used by a small subset of users are more likely to be kept than for proprietary software.

When a software package starts out, early-adopting power users build its popularity and help shape its growth ... until the package becomes so useful that it is now marketable to the masses. Then, for proprietary software at least, there's a strong incentive to streamline and remove anything the masses don't care about...which can alienate the same people who helped make their package great.

For FOSS, there's powerful motivation to retain features that even only a handful of power users rely on -- lest that project be forked.

I can't remember the last time I've been feature-burned by a FOSS project. My feature-burn scars for proprietary software, however, are many -- and at least a few are quite deep.


> I can't remember the last time I've been feature-burned by a FOSS project.

The GNOME project comes to mind as free software which regularly feature-burns their users, arguing that people who really needed the feature can monkey-patch their DE's javascript to add it back in.

You're right though, most FOSS seems way less likely to remove features people actually depend on than most proprietary software.


It has been over a decade, and I don’t even use GNOME anymore, and I am still pissed at the way GNOME did their great purge in the 2.x release.


You don't need a subscription though. You can still sync through iCloud (I use iOS & macOS), without a subscription.


To be honest, if they're going to do stuff like that they shouldn't be offering those features at all.

Developers should stick to implementing features they're likely to maintain.


Local vault syncing over Wi-Fi was one of the core supported workflows back in the day.


> One thing I've learned about software in general is that I never want to be outside of the primary use case. If you're not using it the same way that the people building it do, it's going to be a pain to use, and your requests will be ignored.

If there is an obscure setting somewhere which makes something work well for you while you become a minority of users in the process, you would not use it?


GP said:

>I never want to be outside of the primary use case.

You've extrapolated too far from their statement. Most people have probably been in this kind of situation and most of us have probably been burned by it at some point: Use a product for an edge case of its intended function and you risk losing that functionality at some point.

Vendors will generally cater for the masses. Where possible, avoid building your usage model around niche features. Assume that free products/features are a loss leader and will disappear at some point. Have a contingency plan if the at-risk feature is particularly important to you.


Such a setting is pretty much guaranteed to be disabled in some future update. See: Mozilla Firefox.


> Mozilla Firefox

Depending on what you mean by "in some future update" and "pretty much guaranteed" (given an infinite timespan everything will disappear) I don't think that's true. I've kept my Firefox user.js (my manual about:config changes) under git over the past 3 years[0], and of the 44 options that I customised, 36 are still present and (seem[1] to be) active.

6 of the about:config user_prefs customised add-ons, so they no longer work due to the shift to Webextensions (but I can still make 5 of the customisations via another interface).

1 customised the GCLI, which was removed, and 1 customised Panorama, which was also removed. (However, most of what GCLI did, can be done some other way, and there are a couple of Webextensions faithfully emulating Panorama.)

[0] The file is older, but I added it to git only three years ago. Hence, many of the about:config changes have been "alive" for longer, but I have no record of those that were removed earlier than 3 years ago.

[1] Cursorily glancing through my comments above each entry to make sure that it still does what it was supposed to.


Really disappointing to see so much bootlicking in this thread. Yes, 1Password is a great product and, yes, AgileBits is a great team of developers. But this change sucks and spits in the face of long-time paying customers who have come to rely on 1Password's local features.

1Password can be both worth paying $3 a month for and also making a really bad anti-user decision here. These are not mutually exclusive.

As a former long-time 1Password user, I recently moved to using pass [1] after using their cloud features for some time. At the time I mostly moved for better change tracking with git, but I'm feeling pretty glad about the decision now that they've made this awful change. I'd highly recommend moving to pass or some other FOSS for this class of tool. Why trust your passwords to something outside your control?

[1] https://www.passwordstore.org


This is the absolute reality with closed source proprietary software: the user has no say nor ownership in the product; they are in effect granted a revocable license to use a set of features for some indeterminate period of time. The owners of the software licenses may modify, without the user's consent, or even knowledge, the software for any reason and any purpose. On modern closed source operating systems with automatic updates, it's often even impossible to revert to a prior version. I'm not against this type of software, it has its place and purpose, but why trust it for something as critical as personal identity management and authentication? Especially when there are so many free (as in freedom, not price) and open source alternatives on the market?


You are describing closed source proprietary services. If you buy software for your local device(s), the license is generally not revocable. Which OS requires automatic updates?


Not an iOS user, but AFAIK you cannot keep iOS from updating an app. So if the developer pushes an update that nerfs the app, you're screwed.


You can turn off automatic updates, but then you have to update all apps manually. You can't just turn it off for a single app.


I feel the same way. Everyone is praising 1Password, so I bought it and used it, and while I could see that it's useful for many people, I have basic needs and maybe a bit different usage, and recently, as I started using KeePass (I'm on Windows), it just turned out to be the perfect password manager. The last bit was the KeeAgent plugin, which allows me to use an encrypted SSH key effortlessly. I like the open nature of KeePass and I like that it's just a password manager, no fancy browser integrations; I just copy & paste the password when I need it and that's about it. No auto sync: I just push the button and my database is synchronized to my WebDAV server, easy, fast and reliable, and I understand and control every bit of it. And all that free, of course. It's not like 1Password asks for a lot of money, but I'm living in a poor country and even that $36 is something I have to consider. When I can rent an entire VPS with a lot of services for that price, it's hard to justify paying that kind of money. I'm OK with one-time buying of software or even with buying a new version (as long as it's optional), but I really don't like the subscription model. I understand that developers want their salary every month, so it's kind of a tough topic.


> like that it's just password manager, no fancy browser integrations,

except that that’s the most important part! without that, a text file is sufficient.

luckily there are 3p browser integrations for KeePass. i’ve not used them but i assume they are reasonable considering the importance as well as the nature of the community that would write such things.


Pass is great, I moved to it from KeePass about a year ago and have never looked back. It uses your gpg key to encrypt passwords and syncs via git. Ridiculously simple and cloud nonsense free.


I also migrated to pass and then let my 1Password account freeze, and couldn't be happier. I like the philosophy behind pass a lot more, it seems like the UNIX-y way passwords should be stored, encrypted, and maintained.


I'm considering moving to Pass from KeePass. Does anyone have experience with syncing it to Android?


I use Pass on both the desktop and Android and have done for a few years now. It works really, really well. I couldn't imagine using anything else at this point.

The only "issue" I've had is formatting my phone, but forgetting to first back up the GPG key I used. The solution is just to create a new key and (from my desktop) reencrypt all the passes. It's not hard, but it does take about 10 minutes.


I use Pass between Linux and Android with an NFC-equipped Yubikey. I've never had trouble syncing, but then, it's git+ssh so no great mystery there. I guess my only complaint is that I wish Android had some kind of centralized SSH support; every self-hosted styled app does it differently (keys, connections, etc).


This looks very interesting, do you know if there's any way to import 1Password passwords into it?


Ignore me, just spotted a tool in the links on that page.


1password has a history of being terrible at announcing product changes and unilaterally making decisions that negatively impact customers. They removed autosubmitting passwords a couple of months ago and then:

- lied about the reasoning by claiming apple mandated the change despite apple's change only affecting safari which I'm guessing makes up the minority of their browser userbase

- consistently deleted comments on their forums that pointed out they could have kept their already existing, working code in place for chrome

I rolled back to version 6 and suggest anyone else do the same.


A couple of years ago they relied on Dropbox for having an online web vault. At some point Dropbox no longer allowed the public folder to be used as a web server, and the answer from 1Password basically was "if you want an online vault buy a subscription from us".

I had paid well over $150 by buying all their apps and they were forcing me to throw that investment down the drain because they didn’t want to spend a couple of cents a year on hosting my vault themselves.

There was a long discussion in the forum. I moved to LastPass. The UI is not as good but it does the job and it’s free now.


You bought a product with no ongoing maintenance costs. Then demanded that they give you a free additional product with ongoing maintenance costs.

The fact that you bought their product in the past does not entitle you to demand that they build and maintain a free web hosting service. If that's your attitude, then I'm sure they're happy that you're no longer their customer.


How much ongoing maintenance have you paid for with that $150? Is it really zero? What if the app stops working the day after you purchase it?

I mean the apps seemed overpriced in the first place, and due to their decision to change their business model they decided not to provide ongoing support in a way that one might have expected they would based on what the product seemed to be and how their business seemed to operate when you purchased the product. They don't technically or legally owe you anything but nonetheless I would not want to buy anything from them after that.

The idea that they should be happy to lose a happy paying customer is absurd, is that how to build a successful business?


>Is it really zero?

No, it isn't. I'm not sure what brought out the agilebits apologists but they ABSOLUTELY said you were entitled to updates with your license purchase.


Updates to the app. Not brand new products provided for free.

AgileBits is not culpable for Dropbox removing a feature.


AgileBits offered a feature and relied on a third party which is pretty different.


The actual feature AgileBits offered was the ability to construct an HTML version of your vault. They advertised using this with Dropbox to actually make it accessible, but the web hosting part was entirely Dropbox's feature. If you didn't use Dropbox, then the web hosting part never worked to begin with.

I genuinely do not understand how Dropbox removing a feature gets people mad at AgileBits instead of mad at Dropbox. Why does Dropbox get a pass for this?


>Then demanded that they give you a free additional product with ongoing maintenance costs.

That's patently false. The paid version of 1Password came with "Free updates" as listed on their site. Updates were bundled into the life of the product - if they weren't, nobody would've ever bought it at the prices they were charging.

>Historically, AgileBits has been very generous with upgrades. Your purchase entitles you to free updates until the next major version upgrade. That means if you buy a license for version 2 of a product, you will get all 2.x releases for free, but upgrading to version 3 might require another purchase.

https://web.archive.org/web/20160304084145/https://agilebits...


Free updates. Not brand new free products. "Free updates" does not mean "if Dropbox removes a feature we'll do a ton of work to replicate that feature and give it to you for free".


Like I said, there was a long discussion on their forum examining all this.

AgileBits advertised the online web vault as a feature of 1Password when I bought the software. This can be demonstrated by looking at previous versions of their website on the internet time machine. They were under an obligation to provide a solution for that.

The fact that they could have spent cents per paying customer to fix this and they didn't, or that they didn't even offer some form of transition from paying customers to the subscription service is just the cherry on the cake.


AgileBits has been pushing people to the 1Password subscription model for a long time now by neglecting their "lifetime" desktop customers.

The 1Password chrome extension (not 1Password X) used to work great, then it started crashing about daily for me after one of the updates, forcing me to quit Chrome to fix it. The final straw was when they "updated" the extension to a design that looks 2 years old and is far less functional.

I finally gave in and tried out the subscription model. Here's why it's worse:

    - The 1Password X extension is standalone (doesn't need the desktop app) so when you have three different Chrome profiles as I do, you have to sign in to 1Password 3 times. Super annoying.
    - They force me to store my data with them. Sure they're the most trusted in the industry and do their security audits, but if they get breached, I'm fucked. 
    - The Command + \ shortcut to autofill and login doesn't work on 1Password X
    - They could have just said that their current business model wasn't achieving the goals and that they needed to charge more (I would have paid more/for a subscription) but instead, they beat around the bush by creating a new product that is inferior.
I no longer recommend them to others for password management. I tell friends and family to use iCloud now.


> if they get breached, I'm fucked.

This part is not true -- your data is encrypted with a randomly generated key that is kept locally. You could freely post the data they have all over the internet and it would be fine.


> This part is not true -- your data is encrypted with a randomly generated key that is kept locally. You could freely post the data they have all over the internet and it would be fine.

Do we know this is true? I assume it is, but I haven't checked the source or verified that I can encrypt/decrypt my data with my key, or that there isn't a master key that 1password has that can access it.


Hi lolsal. Ben from 1Password here. Implementation details can be found here: https://1pw.ca/whitepaper If you have any questions our security team would be happy to elaborate. They can be reached at support+security@1password.com


I think it's awesome that you publish a whitepaper, but it's just a whitepaper, not source. It doesn't prove anything.

Edit: also there seems to be a lot of this:

> We’re sorry. This section of this document is not yet ready. Anything you see in this section is at most an outline of things to come.


We're offering a (mostly) closed source solution. You can evaluate the source for the web app, and the browser extensions. If your argument is that folks shouldn't ever consider using something closed source then obviously 1Password is probably not going to be a good fit and we're at a bit of an impasse.

> Edit: also there seems to be a lot of this:

Some, yes. I'm not sure I'd say 'a lot', but yes, it is a work in progress. Our security team should be able to elaborate on any points that we have yet to detail, though, if you're interested.


I've confirmed it because you can see the data that the web browser sends and it was encrypted. I've also tested this on LastPass and Bitwarden and from what I can see 1Password does it the best.


That MAY be the case (I'd love for a number of independent parties to audit the security, NOT paid for by AgileBits), but it's still a single point of failure. What if they have data loss? What if that data loss causes local data to be lost due to a sync operation?

I've always used the Dropbox approach + backups. If Dropbox has an outage the file is still synced locally. If Dropbox deletes the file via a sync operation I still have my backups. If I delete the files Dropbox has an undelete option.

All I want is control over the files.


It also changes the risk profile. AgileBits is a big target, my local machines are not.


Ben from 1Password here. We've designed the model so that we aren't a big target. The Secret Key helps with that. https://support.1password.com/secret-key-security/


That's a strange statement, you're a big target because you're holding lots of people's secret data. Doesn't matter how you model it, unless your model is to have minimal data/clients.


Minimal data of value, yes. Did you read about the Secret Key?


Ben, everyone here understands the model. It isn't sophisticated and it isn't particularly special. You have a lot of [encrypted] sensitive data. On your network. On servers you own. You are a target. Once the bad guys get the data, they'll worry about the individual keys and whom they want to target.

I'm one of the many people who are both dropping 1P and advising friends and family to do the same as a result of this episode.


Yes I read about the secret key, before I became a customer of 1Password. Your response concerns me. I understand you're encrypting the data, and have put in great effort to do so. This doesn't prevent your servers being a target for all sorts of other exploits, hacking of your webservers injecting back doors etc. The fact you have a lot of clients with secret data makes you a target.


> still a single point of failure. What if they have data loss? What if that data loss causes local data to be lost due to a sync operation?

Local data should be backed up as always, don’t rely on a cloud service to sync.

Personally I use two hard drives on my machine with Time Machine and regularly rotate them to ensure I have a recent backup and a less recent, network disconnected backup in case something like this should happen.


The real worry has nothing to do with the data being on a server and more about their update servers sending malicious code.


That's true, but it would also be true of a desktop app using an offline vault, and is also true of all the other desktop apps you run. The risk of someone running malicious code on your machine is a reason to use two factor auth, not a reason to avoid cloud storage for encrypted files.


> but it would also be true of a desktop app using an offline vault

Well you can set an application firewall to block all internet access of the 1Password app. So, it can't update automatically, and if you manually update it and the update contains malicious code, it still can't connect/upload anything to the internet. You can even use 1Password sync via iCloud, which is handled externally - not by 1Password, but by macOS.

Unfortunately, this can not be done on an iOS device (no app firewall), since Apple locks down everything and decided users may not control their own devices anymore :'(


FWIW, Apple has a "VPN" API that can be used to implement a firewall (or a proxy, or etc.). I don't know whether there's a usable commercial product that does that, but if you're really into it you can certainly write your own.


Yea, but it doesn't really work because you cannot block on the application level.

You can only block hostnames/ip-addresses, and these often change with updates, so you'd have to constantly monitor and block new hosts after the app starts leaking again.


Btw, using code blocks for anything makes it unreadable on anything that isn't a 4k ultra-widescreen display (I assume, because it's certainly unreadable on my 1440p screen). I'm certainly not going to scroll back and forth just to read every single line of that.


- The 1Password X extension is standalone (doesn't need the desktop app) so when you have three different Chrome profiles as I do, you have to sign in to 1Password 3 times. Super annoying.

- They force me to store my data with them. Sure they're the most trusted in the industry and do their security audits, but if they get breached, I'm fucked.

- The Command + \ shortcut to autofill and login doesn't work on 1Password X

- They could have just said that their current business model wasn't achieving the goals and that they needed to charge more (I would have paid more/for a subscription) but instead, they beat around the bush by creating a new product that is inferior.


I'm using Safari exclusively, but back when I had Firefox installed, you could change the shortcut for 1Password X. Does it not accept Command + \ as a shortcut?


Ben from 1Password here. Firefox may, but last I checked Chrome did not. We get around that with the traditional extension by having 1Password for Mac listen for the shortcut instead of the extension itself.


Cheers.


Oops. I can't edit anymore. Good to know for the future.


No worries. Maybe someday we'll find out why it still works the way it does.


Hi voska. Ben from 1Password here. I'm sorry some folks feel neglected. That certainly isn't our intent. I'd encourage anyone who feels that way to reach out to us at support@1password.com. We'd like to understand where those feelings come from and help in any way we can.

To address the concerns about 1Password X...

- We have desktop integration in beta which can help with point #1: https://discussions.agilebits.com/discussion/101231/introduc...

- Our security model has never relied on the sync service that you choose: https://support.1password.com/1password-security/

- Last time I looked into the Cmd+\ issue the primary difficulty was that not all browsers (Chrome, notably) supported \ as a keyboard shortcut for extensions. The reason we are able to get around this with the "traditional" extension is that 1Password for Mac is actually what listens for the shortcut, not the extension. The same functionality is still possible with 1Password X, just not with that specific shortcut.

- 1Password for Mac can be used with the subscription offering. It isn't necessary to use 1Password X. 1Password X is a great alternative for those who cannot install desktop software, particularly those on ChromeOS or Linux.

I'm sorry to hear you're no longer using or recommending 1Password but I hope that helps address some of your questions/concerns.


Thanks for the response. I'll send you an email.

I'd like to see AgileBits continue supporting the old 1P extension (i.e. fix the crashing problem) or bring that functionality (Desktop link, only sign in once across multiple Chrome profiles, etc) into the 1PX extension.


We do support the traditional extension for both membership and standalone customers and it continues to be the recommended way to access 1Password in your browser where possible. If you're experiencing crashes with it we definitely want to know that. We hope to bring desktop integration into 1Password X but as of writing it is in beta testing so I couldn't say when / if it'll be ready for prime time. I've personally been using it extensively as part of the beta though and it is very promising if I do say so myself. Thank you!


I’d love to go iCloud only but it’s not really on the same level as 1Password yet. It can’t store multiple websites for one account, instead storing each website separately; it can’t store identities that aren’t just username and password, such as bank accounts and drivers licenses; and it doesn’t have support for two factor one time passwords, which means I’d need a separate app for that.


> it can’t store identities that aren’t just username and password, such as bank accounts and drivers licenses

For what it's worth, you can manually create a "Secure Note" in Keychain Access and put whatever you want in there.

It doesn't do any of the other stuff you mentioned though, just thought it was a nifty mostly-unknown feature.


> I tell friends and family to use iCloud now.

I used to use iCloud, and recommended it to anyone. Sign ons have become more, and more... complicated. There is 2FA, and others now, that 1Password also covers. How are you handling those with iCloud?


Is it just me or does storing your 2fa code generators in the same place as your login/pw just seem like a bad idea. I know I’m screwed if someone gained access to my 1p... but they wouldn’t be able to get into the more secure services.


I'm still using 1P for myself, but looking for alternatives. For non-tech-savvy friends and family, I'm recommending iCloud.


Try Bitwarden, which has free tiers. You can later choose a (much cheaper) paid subscription if your needs are bigger. You can also self-host it as it’s FOSS.


I'm looking into this thanks to all the recommendations from HN :)


+1 for Bitwarden. I recommend not saving recovery codes inside Bitwarden. For 2FA I recommend getting a Yubikey. For websites that don't support U2F, I recommend using the Authy app in single device mode with a strong sync passphrase.


1Password X uses a different hotkey by default and it can be changed in the settings.


I'll go against the grain and defend this. I really, really love 1Password - its UI is incredible and it works so well - it follows the "don't make me think" philosophy which I really appreciate and makes me feel respected. It feels like a default piece of Apple software in how well it integrates with OS X and iOS. The desktop PDF QR scanner is something I didn't even know was possible to do with software, it blows my mind every time I use it. 1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

So I don't know more about password management than Agilebits. They have a long history of really good ideas for their software. If they want me to use their cloud instead of local vault, that's probably a good idea. I'm more than happy to pay the $2-3 per month to have access to this, and knowing they have recurring revenue gives me confidence that they'll be around for a while.


Being good at what you do does not excuse shady removal of features once your user base is big enough to drop functionality.

Or more precisely it makes a person wonder what the next step will be to alienate users which aren't aligned with the vendor's interests.


Shady removal definitely isn’t good. On the other hand, every feature can’t be supported forever (or at least I wouldn’t want to). Seems that communication could’ve been better, though.


I’m in total agreement. It’s the most important app I use and I’d pay 5x the $60 a year I spend on the family plan without question.

I used 1PW with Dropbox for years and years and it was a great solution — but I trust 1PW more than Dropbox to protect my stuff (and certainly more than I trust myself to setup and maintain a secure sync server), and I love 1PX. Also, the Windows app is lightyears ahead of where it was (the Windows Hello support is great), which I never thought I’d say.

Yes, I know other solutions are cheaper, but I have been a 1PW user for 12 years and I want to ensure it’ll be there for 12 more.

Plus, for me, the UX matters. I don’t just use 1PW for passwords, I keep software licenses, secure notes, all kinds of stuff in it. I’m not a fan of the subscriptionfication of everything, of course, but this is one product I’ll make an exception for.


What makes the 1Password UI better than LastPass' or Bitwarden's?


Last time I looked at BitWarden, its mobile app lacked basic features like a password generator and a password history tool — which makes it a total non-starter for me. I just checked and that’s been fixed (today!) and the app is looking more and more like a 1PW clone (that’s a good thing), but there were just enough papercuts that would prevent me from switching, especially when I’m a very happy 1PW user.

On the desktop, I have nothing against Electron in theory — but I prefer native apps for something like passwords, if only because of speed — I have a few thousand items in my vaults and BW was slow and 1PW is not.

Browser integration for auto fill isn’t as smooth, at least on macOS and I miss having a dedicated area for my software licenses/loyalty cards (like airlines). I haven’t used it in a while so I’d need to try it again to give it a fair assessment, but the subjective answer is “it doesn’t ‘feel’ as good.”

And unrelated to UX, I’m sure the main person behind BitWarden is a great guy, but in 2019, I’m not trusting my password manager to what is largely a one person team. When I started using 1PW in 2007, I know it was a small team. But 12 years later, I’ve been burned too often when small shops close/sell/burn-out and a password manager is too important for me to switch from something I know/trust to something that reminds me of where 1PW was a decade ago. Open source doesn’t mean open development or an active developer community. I also wasn’t impressed with the response to the critique of the cryptographic design in the security audit BW did last year. Not rotating encryption keys when you change your master password is a red flag and the problems BW faces on its own cloud are understandable, but not something I want to trust/deal with.

I’d gladly recommend BW over LastPass, but I prefer 1PW and have no intention of switching.


If you’re comfortable with FOSS solutions and the certainty of someone taking over (or not), then Bitwarden cannot be regarded as a poor solution. It also has forked implementations in some more languages and tech stacks. Any of these, including mainline, can be self-hosted for those who wish to.

This is not to imply that your preference for a larger team is invalid, but I don’t think Bitwarden and its clones are going away anytime soon.


> On the desktop, I have nothing against Electron in theory — but I prefer native apps for something like passwords, if only because of speed — I have a few thousand items in my vaults and BW was slow and 1PW is not.

I personally only use the browser extension. I never understood why a desktop app would be necessary since I have the browser window open at all times. If there was a native app I don't think I would use it.

> Browser integration for auto fill isn’t as smooth, at least on macOS and I miss having a dedicated area for my software licenses/loyalty cards (like airlines). I haven’t used it in a while so I’d need to try it again to give it a fair assessment, but the subjective answer is “it doesn’t ‘feel’ as good.”

I haven't had any problems with autofill personally. In the browser it's pretty decent. It also offers saving/updating passwords automatically when your vault is unlocked. ⌘⇧Y and ⌘⇧L shortcuts made my life easier when I discovered them. On iOS you can use the autofill if the app implements password fields properly (most apps don't). There is an option to choose Bitwarden instead of the default keychain application.

For license and memberships I simply create a folder named "Licenses" and add secure notes, create a folder named "Memberships" and add cards etc. Both entry types support key value fields inside them so you can add additional info too if it's necessary.

> And unrelated to UX, I’m sure the main person behind BitWarden is a great guy, but in 2019, I’m not trusting my password manager to what is largely a one person team. When I started using 1PW in 2007, I know it was a small team. But 12 years later, I’ve been burned too often when small shops close/sell/burn-out and a password manager is too important for me to switch from something I know/trust to something that reminds me of where 1PW was a decade ago. Open source doesn’t mean open development or an active developer community.

If 1Password isn't profitable one day it would shut down and you would be forced to switch. If Bitwarden's core developer disappeared anyone could fork it and continue development. If operations cease you can spin up your own Bitwarden server and continue from there without having to switch client apps right away. I also think there would be economic incentive to run an alternative service if Bitwarden stops functioning for some reason (+1 code quality, +1 permissive licensing).

> I also wasn’t impressed with the response to the critique of the cryptographic design in the security audit BW did last year. Not rotating encryption keys when you change your master password is a red flag and the problems BW faces on its own cloud are understandable, but not something I want to trust/deal with.

I followed Bitwarden security assessment closely. https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...

I agree the key rotation problem was a serious one (which is fixed now). Apart from that, I've read the assessment in detail and couldn't identify any case that would cause a problem for me as a personal account user. I use the browser extension on a Chromium based fork (auto-locked after ~5m) and the iOS app (w/ PIN). I also have 2FA enabled.

- BWN-01-001: You're safe unless you deliberately want to self-XSS yourself

- BWN-01-006: Minor issue, schemes:// are white-listed now.

- BWN-01-008: I don't use an organization account so it doesn't affect me.

- BWN-01-010: Fixed, you can rotate keys now. I hadn't changed a compromised password before so it wouldn't affect me.

- BWN-01-009: You're safe unless you go to settings and decrease the KDF iteration count (why would anyone do that?). The first thing I did was to increase it when the option first came out. Not that the default value is unsafe, but higher is better.

- BWN-01-003, BWN-01-004 are related to the Electron desktop app. I don't know why anyone would use an Electron desktop app when they can use the browser plugin so I didn't even read these.

Overall, I'm sure 1Password is a little more polished in the UI department but I can't imagine myself using a proprietary password manager for security reasons. I did extensive research when I planned switching from my KeePass+WebDAV solution to an online password manager and decided to use Bitwarden after considering all the options. So far I'm pretty happy with it. I wanted to share my experience in case anyone else is looking for a similar solution.
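Two points argued in this thread are easier to see in code: a device-held secret key mixed into the key derivation makes a stolen server copy useless even to a password guesser, and (per the Bitwarden audit discussion above) changing a master password only re-wraps the vault key, while rotating the vault key re-encrypts the items. The following is a simplified model written for this thread, not 1Password's or Bitwarden's code; the XOR combination, the HMAC-based cipher standing in for a real AEAD, the passwords and the secret key value are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical, simplified model for illustration. Items are encrypted under a
# random vault key that is never stored unwrapped off the device. The vault
# key is wrapped under a KEK derived from BOTH the master password and a
# high-entropy, device-held secret key. The server only ever sees ciphertext.

PBKDF2_ITERATIONS = 100_000


def derive_kek(master_password: bytes, secret_key: bytes, salt: bytes) -> bytes:
    """Key-encryption key = PBKDF2(password) XOR PRF(secret key). Assumed scheme."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password, salt,
                                  PBKDF2_ITERATIONS, dklen=32)
    sk_part = hmac.new(secret_key, b"kek-expansion" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF (a stand-in for a real AEAD cipher).
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class Vault:
    def __init__(self, master_password: bytes, secret_key: bytes):
        self.salt = os.urandom(16)
        self.vault_key = secrets.token_bytes(32)   # exists in the clear only on the client
        kek = derive_kek(master_password, secret_key, self.salt)
        self.wrapped_vault_key = encrypt(kek, self.vault_key)
        self.items = {}                            # name -> ciphertext, as the server holds it

    def store(self, name: str, secret: bytes) -> None:
        self.items[name] = encrypt(self.vault_key, secret)

    def server_copy(self) -> dict:
        """Everything a breach of the sync server could expose."""
        return {"salt": self.salt, "wrapped_vault_key": self.wrapped_vault_key,
                "items": dict(self.items)}

    def change_master_password(self, old_pw: bytes, secret_key: bytes, new_pw: bytes) -> None:
        """Re-wraps the vault key only; the vault key and item ciphertexts are unchanged."""
        vault_key = decrypt(derive_kek(old_pw, secret_key, self.salt), self.wrapped_vault_key)
        self.salt = os.urandom(16)
        self.wrapped_vault_key = encrypt(derive_kek(new_pw, secret_key, self.salt), vault_key)

    def rotate_vault_key(self, master_password: bytes, secret_key: bytes) -> None:
        """Generates a fresh vault key and re-encrypts every item under it."""
        old_key = decrypt(derive_kek(master_password, secret_key, self.salt),
                          self.wrapped_vault_key)
        new_key = secrets.token_bytes(32)
        self.items = {n: encrypt(new_key, decrypt(old_key, c)) for n, c in self.items.items()}
        self.vault_key = new_key
        self.wrapped_vault_key = encrypt(derive_kek(master_password, secret_key, self.salt),
                                         new_key)


def attacker_can_open(server_copy: dict, password_guesses, secret_key) -> bool:
    """Offline guessing against a stolen server copy. Without the secret key the
    attacker can only guess a 256-bit value, modelled here as one random try."""
    sk = secret_key if secret_key is not None else secrets.token_bytes(32)
    return any(can_decrypt(derive_kek(g, sk, server_copy["salt"]),
                           server_copy["wrapped_vault_key"]) for g in password_guesses)
```

Run the functions in order (store, steal the server copy, change the password, then rotate) to see that a password change alone leaves an already-leaked vault key valid, which is exactly the audit finding discussed above.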


For Lastpass at least, I have two specific examples: 1) in Lastpass, the password length selector is a drop down, not an input or a slider, while in 1password it is a slider. This means you need to scroll a bit to choose a longer length password in Lastpass. 2) 1password remembers your last location in the app when the app is open, so you don’t lose context (not every time but most of the time) but whenever I’ve closed Lastpass for some reason it forgets where I was at.


> For Lastpass at least, I have two specific examples: 1) in Lastpass, the password length selector is a drop down, not an input or a slider, while in 1password it is a slider. This means you need to scroll a bit to choose a longer length password in Lastpass. 2) 1password remembers your last location in the app when the app is open, so you don’t lose context (not every time but most of the time) but whenever I’ve closed Lastpass for some reason it forgets where I was at.

1. That's not true in the browser extension for chrome at least, where it is possible to type in numbers in the password length field.

2. Some people would consider the fact that it doesn't leak information about your last use by retaining context as a feature.


> That's not true in the browser extension for chrome at least, where it is possible to type in numbers in the password length field.

Same for Firefox extension. Best feature is that nowadays Bitwarden has support for password sentences.


It's far more attractive, in my opinion, and I use both on a daily basis and I have far fewer frustrations with 1PW.


That it is in your opinion "far more attractive" (whatever attractive means) just tells the rest of the readership (including me) exactly nothing. That you have "fewer frustrations" with 1Password idem ditto. Be specific. Mention examples. Tell us which versions you are talking about.


> I'll go against the grain and defend this.

People mostly complain about how they handled the situation, not about the product directly (there are many people who say that the product is superior yet will migrate because of their response).

They weren't respectful and they didn't acknowledge their mistake of not showing any warning anywhere (instead deflecting to absurd justification).

> knowing they have recurring revenue gives me confidence that they'll be around for a while.

Recurring revenue is a thing that helps, sure, but supporting your existing user base (which he was part of) is another one. That thread shows how they treat them. That gives me confidence that if I get an issue, I'll get treated just as badly.

I personally will be looking at an alternative, even though the product is pretty great; support is part of it (and in the case of a password manager, that's quite an important part of it).


>1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

Yeah, no. 1PX has no means of data export. After 10 years on Lastpass, tried to give 1P a shot. Quickly grew frustrated within a month of the linux experience, and decided to move to Bitwarden. Turns out 1PX has no means of export, and I was stuck having to migrate each account by hand, and redoing the TOTPs. Bitwarden is substantially worse in terms of the UI, but at least I don't have to deal with vendor lockin.


Ben from 1Password here. This is a valid criticism. While it also doesn't have a direct export option our CLI may help with getting data out of 1Password on Linux: https://support.1password.com/command-line-getting-started/ Hopefully in the future we can bring our robust export options to 1Password X and/or the 1Password.com web interface / CLI. We agree, export is important.


Keepass (I use keepassxc) works great across all three platforms I've used it on (Windows, Android, Linux) and the database is less than 100KB so it's easily shared on the free tier of any cloud storage provider.

1Password does have a good UX, but it's not the only option that does.


+1 I am using the Keepass Windows & Android versions on my 3 phones & one laptop. The desktop database is two-way synced to Dropbox on any change. The FolderSync app is used to get one-way sync only, from Dropbox to phone.


How do you sync your password file between your phone and your computer? Currently I only use KeepassXC on my computer but plan to start using it for more accounts so will need to have my passwords there too.


I use NextCloud myself to share the actual DB, and the keepass2android[0] app.

It works great although the app looks for app names instead of URLs sometimes so you'll have to hit the search button. Takes two seconds longer but it's no sweat.

You can use any file sharing service you want.


Even syncthing would work fine.


You are not defending this, you are simply saying you like 1Password.


I don't know how I never heard about 1Password X. The last time I attempted to switch from macOS to Linux, the lack of 1Password was one of the biggest things that made it hard for me.

That said, a browser-based 1Password is really not what I want. I just really don't trust web technologies for keeping my passwords safe. If I really was going to use it, this might be the only instance in which I'd actually prefer an Electron version to using it in my main browser, just for the additional isolation.


Ben from 1Password here. We offer a couple options for Linux: https://support.1password.com/explore/linux/ Hopefully we can continue to expand upon these offerings. Our ops people are primarily Linux users, so we are aware of the challenges.


What 1PW recommends for people feeling unsure is a separate browser profile [1] just for 1PX. An Electron-based thing isn’t a bad idea tho.

[1]: https://support.1password.com/1password-x-security/


At least when I tried 1PX earlier this year, there were no data export options, which are only in the native desktop (ie, OSX & Windows) apps.


It seems like sometimes products hit a point where they are actually pretty much done and consumers would be best served by the product going into maintenance mode. Of course that doesn't happen because companies must grow and the spice must flow. In that case the product ends up changing things for the sake of change or to enable additional monetization. I'm pretty sure Evernote hit that point years ago and could see the same argument being made for 1Password.


Indeed. I'm using ancient versions of lightroom and 1password, because companies stopped selling software the way I want it. I don't feel I'm missing out, but one day they will stop working.


Hey there. Ben from 1Password here. For what it's worth... we do sell licenses for 1Password 7. Please reach out to support@1password.com for details.


Why do people have to email support to know how to buy the standalone license? This has been intentionally made complex by Agilebits (I know that the official line is “not to confuse users” or something, treating all users like they can’t understand stuff).


Oh cool, I'll come back to you once Apple inevitably breaks my 6.


Do you use Safari? If so that will unfortunately be coming with Safari 13.


> I have a workflow where I use 1Password on my phone - locally, no sync, do not want sync, can not use sync. Obviously this is not my main way of using 1Password. On that phone, I often remove 1Password and reinstall it.

My guess is that he's doing this when he crosses borders or in other situations where he might be subject to an intrusive search. So he carries a minimal set of passwords that he needs for that trip in a local vault. Maybe just his airline login, a throwaway email account, and an innocuous credit card account. If he's forced to login to his 1Password account during a search or inspection, he won't reveal his lifetime accumulation of accounts and passwords.


1Password actually has a feature for this called Travel Mode: https://blog.1password.com/introducing-travel-mode-protect-y...


Until border security finds out about travel mode and demands you disable it.


Border security are not idiots. They know about travel mode.

Travel mode works because it can’t be changed on device and so moves the vault out of border security jurisdiction.

They can have probable cause to search your phone and will if they want to, but they are unable to put you in a room with a browser and make you download something, hence it's out of reach.


It could be he works for the US government and protects himself from, say, EU border guards, who are far less intrusive. But better safe than sorry.


> It could be he works for US government and protects himself from say EU border guards.

The reverse I could imagine.


Hiding in the cloud? They must be kidding...


This is a great use case.


Count me as one of the users who are getting annoyed at 1Password’s attempts at recurrent monthly spending. In addition, while their cloud service is probably fine, the best option is to locally sync and not involve the cloud at all.

I would much rather just keep using the “local app” license, which sadly isn’t even available for sale anymore. In fact, I can’t even use my Windows license I bought back in the day.

One of these days I’ll probably just stop using 1Password and move on to something else. Are there any good free/one-time purchase locally syncable password apps that work on Mac/iOS?


You can definitely still buy the standalone app license, but they use a pretty dark pattern to hide it. They don't really talk about it anywhere, in the forums they will just push subscriptions, and they constantly change how you get a new license.

In the past, they moved the standalone license page from 1password.com to agilebits.com, and made it purposely difficult, if not impossible to get to.

Now here's how you do it for the most recent version:

Download and install the app. When it asks you about a subscription, there is another link that you can click (I don't remember what it says, but it should be at the bottom of the pop-up). It will take you to a checkout page where you can get a standalone license.

They'll probably change it yet again in the next major release so YMMV in the future.



I switched to BitWarden from LastPass and 1Password and I couldn’t be happier. You can self host if you want but you still have to pay.


bitwarden_rs is free to selfhost


I agree, the subscription pestering is annoying. They do still offer a standalone version though. I just upgraded from an ancient Windows version (4 or 5) to 1Password 7 for $49. They really avoid mentioning that the standalone exists, but just install 7 and there is a purchase option.


Well, that’s several hundred dollars of their software which I would have happily bought if they’d told me about it.


I totally agree. I understand why they push subscriptions, and they offer decent value for the subscription, but they are going too far in hiding the standalone. The hard sell is probably a net loss for them.


I use KeePass and sync the database using Google drive / dropbox.

It's free.


Actually KeePass (i.e. the .NET app) or KeePassX/KeePassXC (Qt fork)?


KeePass on my work laptop (Windows). KeePassXC on my personal laptop (Manjaro Cinnamon). Keepass2Android on my smartphone. MiniKeePass on my iPad.

I've moved from Dropbox to Google Drive for synchronizing my KeePass database because of the recent changes to Dropbox, where you can only sync 3 devices for free accounts.


“Thanks for clarifying. All the Pro Features you paid for are still available to you.”

This seems bogus. I bought it on mobile for $10 or whatever it was and on Mac and the migration to the subscription model was basically a forced deal as far as I could tell when the update a year or two ago to the free apps on subscription change happened. Hate that aspect.

And “thanks for your feedback” seems to be the new F off.


I'm a paid licence holder for 1Password, but am uncomfortable with being more and more forcefully pushed into using their cloud-based subscription service (which, while I use it for work, I'd rather _not_ use personally).

What're people's experiences with alternatives to 1PW - ones that do device-device sync and work at least across iOS/macOS and ideally integrate nicely with browsers and apps on both those platforms? Is BitWarden ready for prime time for something as critical as secure password storage yet? Does its iOS app take advantage of the secure enclave features of iPhones?


I've been using Bitwarden since just after it launched. I've yet to have any issue with it. The desktop, browser, and mobile clients are all seamless and... well, just work.

I was part of the LastPass exodus after their acquisition and used 1Pass with Windows and (then) OSX. The lack of a Linux client was a hassle, and eventually left me shopping around. I tried KeePassX and the others, but I ran into issues with sync (most likely my error.)

I saw Bitwarden mentioned here and gave it a swing. Importing everything only took a minute, and I haven't looked back. It works on all operating systems, has 2FA, etc etc. It's perfect for my needs.

At some point in the future I may go self-hosted.


Yup. Similar journey. I think LastPass is going out of business - we were enterprise subscribers last year and it was impossible to get in contact with support when our license expired. Couldn't even get in contact with a sales person - they literally didn't want our money anymore. Switched to BitWarden and am so much happier with the interface and such better pricing than 1Password, plus I feel they have always been upfront with their product development while 1Password has been, um, sorta shady, imho.


that's crazy about LastPass. It was a decent product for its time, but password managers evolved quite quickly over the past few years.

My beef with 1Pass is that they charged around $35 - $50 for their standalone product during the exodus, and about a year later moved to their subscription platform --- pretty much abandoning development for the standalone users. The OSX application was far less buggy than the Windows client. And when you needed to grab a new copy of the standalone client, it was buried on their site in a FAQ.

1Pass should have offered a few months for free to pull the standalone folks over to the new service, but instead they said 'we don't have any offers, but feel free to contact sales' -- which is a difficult sell when compared to the newly polished Bitwarden that works on all systems and browsers out of the box without any requirement for payment or a subscription.

All this said, we're technical people, so we're more aware of sketchy practices and are quick to jump to different products, and may not be their target -- especially with their previous lack of Linux support.


FWIW, at work the 1PW cloud/subscription thing is a _very_ good thing, and easily worth what we pay for it.

I just don't want to have my personal password db on other people's computers, and their ever more forceful pushing to get me off the standalone apps synced between my devices over wifi has _finally_ got me looking around for alternatives. I'm _totally_ happy to pay for an alternative - I _do_ value software (especially this type of software), and I'd love to be sure whatever I use has a reasonable chance of being around (and being successful) in the timeframe of at least 5-10 years.

But I totally get that AgileBits are heading in the direction where my work is their target customer, and I am not. That's fine. I'm pretty sure I'd be making exactly that same decision if I ran/advised AgileBits.


KeePassXC is FOSS, free of cloud nonsense, works fine on desktop, and has integrations for most browsers. I have no idea about the iOS situation, but on Android KeePass2Android provides global autofill and works with a ton of storage providers (everything from Dropbox to bring-your-own-SFTP).


On iOS, there’s KyPass. It plays nicely with the Linux and Mac versions of Keepass, syncs with Dropbox, supports Touch ID, etc. There was a reasonable one-time purchase price, I believe.

I switched to the Keepass world a while back when 1Password started to try to nudge me into paying a monthly fee for software that I already paid for on multiple platforms. The Keepass variants aren’t as slick but who cares.


I actually _do_ care enough about "slickness" to be prepared to pay for it. I want to be able to keep my encrypted password db off other people's computers though - using 1PW's cloud service requiring Dropbox for multi device sync is not what I'm after...


I paid about $50 or so for it with no complaints. I’m not willing to pay that plus a subscription fee for what is, at the end of the day, a small encrypted database.


Big fan of KeePass. On Mac KeePassXC is great, on Windows KeePass, but on iOS I use Strongbox [1] which is excellent. Auto fill works well, it's open source [2] and actively developed. I really don't trust non-open-source password managers.

[1] https://apps.apple.com/us/app/strongbox-password-safe/id8972...

[2] https://github.com/mmcguill/Strongbox/


I had my whole extended family on 1PW. We've all switched to Bitwarden (after a few transgressed to LastPass, but that's behind us now), and we're happy.

Having the developer respond quickly on email is delightful, it works great on Ubuntu, macOS, Windows, Chrome OS, Android, Firefox, and sharing credentials between accounts works seamlessly.


How's BitWarden at autofilling forms on webpages? Does it work in Chrome on Android (or other mobile browsers)? Can you authenticate with a fingerprint? Can you force a non-fingerprint method after device reboot or a certain period of time?

I might have a closer look at it myself.


> How's BitWarden at autofilling forms on webpages?

I don't think I ever had any issues with it.

It looks like it might use some old code from 1Password:

https://github.com/bitwarden/browser/blob/280f6f495f9f8bdfe3...


This is one of the most interesting things I've seen in this thread. I would not have expected 1Password to make any part of their platform MIT licensed.


Autofill on desktop is pretty amazing, I never had problems. On Chrome Android it uses the autofill APIs and is quite good but not perfect.

You can authenticate with a fingerprint and afaik no, you can't force a PIN after a reboot/period of time.

I never had trouble with it regarding that part and still recommend it. It also accepts 2FA with a YubiKey.


> autofilling forms on webpages

It works fairly well. Some sites (banking, mostly) don't work, but the UI lets you easily copy the username or password so you can paste it where it should go.

> Does it work in Chrome on Android

Yes, and Firefox on Android.

> Can you authenticate with a fingerprint

That's how I have it set up.

> Can you force a non-fingerprint method after device reboot or a certain period of time?

Maybe? I haven't seen (nor looked for) that feature.


I second Bitwarden. Possible to self-host, open source, and works everywhere I want to.


> Is BitWarden ready for prime time for something as critical as secure password storage yet?

It works pretty well, but the user experience eventually drove me back to 1Password:

https://news.ycombinator.com/item?id=19839087

#4 in particular.


Does it auto lock? That sounds annoying. Saving passwords isn't as big of a deal, but it definitely is for filling in passwords.


You can set timeout on auto lock or put it on different settings such as browser restart, OS restart, or never.


That’s horrible. How is that not considered a bug?


The developer says "Unfortunately the browser APIs don’t allow for this.":

https://community.bitwarden.com/t/autofill-shortcut-should-o...


Now I’m going to have to check and see what 1Password does in this situation.


I took one look at BitWarden and, as a security person, ran the other way when I saw the CLI expects you to enter your password on the command line in order to operate it. This password gets exposed in your shell history, to anyone who can view a process list, etc.

If a company writing a security product can be this incompetent about something so basic, I don’t have any interest in gambling that the rest of their product is any better.


Did you actually try using the CLI tool, or did you only read the documentation? The documentation isn't super clear, but in actual usage neither your password nor your email gets entered into shell history or otherwise.

You can pass your email and password as arguments to the "bw login [email] [password]" command, which will put them into your history, but the default way of typing "bw login" will then prompt you for them both, masking your password just like any other CLI tool does.


Even if you can do this, the fact that the documentation encourages you to do otherwise is extremely worrisome. Securely-written tools shouldn't even allow you to do this in the first place, much less promote it.

https://help.bitwarden.com/article/cli/


I don't think it's extremely worrisome. The arguments are in brackets a.k.a. they are optional. If a user doesn't know that they probably shouldn't be using the command line tool in the first place. Besides, if you run help on the cli tool the first example it suggests is "bw login" (without the arguments).


Regardless that this is one way to operate it (just like many CLI commands can also prompt for password) you're aware you can tell your shell to not save commands to its history?


You mean the cli doesn’t prompt you to type the pwd separate from the cli command itself, akin to how Postgres ‘psql -p’ works?


According to the docs, all of the relevant commands accept the password as an argument to the binary itself.

https://help.bitwarden.com/article/cli/


It does. In fact, when you run --help on the CLI tool, the first example it suggests is to log in with the "bw login" command, which is the default way.


Not sure how it would work with iOS, but keeweb (or keepass) .kdbx files sync really well via syncthing. Even to my mobile devices.


I don’t know about the secure enclave, but I can anecdotally say that I’ve been using Bitwarden seamlessly across iOS/Windows/Linux for a while now. It uses the convenient auto fill api thing on iOS and the extension is pretty good on desktop as well. (Although I haven’t worked with it on Mac)

Haven’t had any issues, I switched from LastPass and the only feature I miss for personal use is password sharing. I think it was in the free version of LastPass but not part of Bitwarden. I didn’t really use that feature much anyway though.


I use it daily on a Mac. Works great, just like it does on Windows/Linux/Android. Can't comment on iOS.


Wow, this is tremendously bad communication from their team. I don't care about the local vault feature, but the lack of empathy in the responses from AgileBits is certainly making me reconsider my family account.


That’s the biggest mistake I see in that thread: all of the apologies are immediately followed by responses which are, at best, dismissive or, at worst, defensive bordering on vindictive.

That person probably got testy because they were being treated so poorly.

I don’t think I saw any validation of a reasonable concern—which is like customer service 101—let alone any type of attempt to win the user (back) over. This is classic, stereotypical techie behavior and it needs to die. And I say that as a developer (who has been plenty guilty of this tendency myself…)


I think it's more just fatigue. The user was getting really combative in their responses, and eventually you learn to just shut down emotions when you encounter that.


Skimmed the thread and it didn't come across all THAT dramatic. The user was obviously frustrated, staff apologized repeatedly, and did a fair job answering most of his technical questions.

His key beef is they neglected to mention the change in their release notes, and the optics of the oversight could be perceived as a covert move to push people toward their cloud service. I'm surprised they didn't apologize for the release notes oversight (whether or not it was inadvertent) - they kind of act like it's just another benign collateral effect that will only impact a handful of people.

Sure, maybe he's on a free plan, but when I shilled free trial versions of my software I tried to treat all [existing or potential] customers with white gloves - even the irritating ones.

@TroyHunt are you out there; any thoughts on the software change?


Where was the user getting combative? They seem to have done a stellar job in talking with support in a polite and informative way.

Whereas the company literally removed a non-trivial piece of functionality without a single mention of it in Release Notes, and then disengaged from the topic once other people came in and pointed out that this is a) bad, and b) probably a blatant attempt at pushing people into the subscription model.

Overall, I know what password manager I'm not touching now.


Having dealt with a number of interactions like this, it definitely felt like the user was trying to lead the support staff into a pothole. It's just the way the questions were asked.


Interesting. I feel that's a "damned if you do, damned if you don't" case. Is there no middle ground between being completely helpless and "trying to lead the support staff into a pothole"? What would a proper support request from a person who understands the product and their own use cases look like?


Perhaps. I asked my roommate how she felt about the thread and she described that same feeling. We humans can sometimes pick up on things weirdly I guess!


The user got combative when they didn’t address a core piece of his concerns: that they didn’t provide notification. I empathize with not wanting to deal with a combative user but when that user happens to actually be right and when the negative consequences are all of your own making, my empathy starts yielding to my low tolerance for “tomfoolery”. If they were fatigued they did it to themselves.

Additionally, this is asynchronous communication. Take a breath. Recover. Do it right.


The feature has been specifically disabled in the iOS app, still available on macOS for now.

It's extremely disappointing that the staff are being so evasive regarding their communication. For a product that is necessarily built on trust, that's the last thing that I want to see.


In my view this company took what used to be a perfectly capable, useful, and reasonably priced (well kind of high priced) app, and abused the idea of subscriptions to parlay it into a way to pay for their swimming pools and SUVs for life. People deserve to get paid, sure, but we are talking about a small utility app here. They knew they had gotten some lockin and they played it to the hilt, to the detriment of users. All the complexity they have added is optional and arguably worse. The sense of entitlement is breathtaking.


I downvoted you because it is significantly more complicated than that. It could be that the model that they were using was not sustainable (pay once per major version) and needed (or strongly wanted) more stable revenue. I agree that they push subscriptions hard and, as a user of the iCloud vault, it’s pretty frustrating to have to jump through hoops to get it to function on the current version as it did on the previous version. I also eventually bought a subscription because it was pretty complex to get the standalone app and you could not get it via Mac App Store. I have my grievances with the changes during the past two years with 1Password and Agilebits. However, I don’t believe they are doing it to “pay for their swimming pools and SUVs” but rather keep their business alive and to, yes, pay their employees.


1Password seems to be slowly but surely inching towards a pay-by-month model for all users, which I assume is a great deal for them (persistent recurrent revenue!) but a terrible deal for the user (once you are in, you are on the hook forever or you don't get access to your precious passwords). I've been a happy user of 1Password for a decade. Looks like it's time to consider alternatives?


>once you are in, you are on the hook forever or you don't get access to your precious passwords

You can still view your passwords after your membership is cancelled.

>Looks like it's time to consider alternatives?

I've switched to Bitwarden and haven't looked back. It's not as 'shiny' as 1Password but they seem like a great company and everything works for me so far (using iOS, android, macOS, Ubuntu, and Firefox).


I used to always think I would have a local copy of my passwords but that suddenly became not true based on someone else’s whims.


Hi callalex. Ben from 1Password here. I'd like to hear more about this situation. 1Password does indeed keep a local cache of your data and even if you cancel your subscription you continue to have read-only access. Would you mind reaching out to support@1password.com to elaborate?


> You can still view your passwords after your membership is cancelled.

You can now. But for how long? How long would it be until you need to reimage your computer or install it on another platform and the new version would demand membership?

The problem here is not that it won't work right now. It's that once this mode is not supported, even if it still works you're on your own. Like using an out-of-support software version - maybe it works now, but you'd better have a migration plan, or one day in the future you'd be in big trouble with nobody to help you. And passwords to every site you have a login on is not exactly the type of information you want to take risks with. You need to trust the provider to have your back here, and if they are not interested in supporting users that paid for their licenses but are not providing recurrent revenue, then you'd better have a plan B.


They are already at this point. You have to use the legacy versions to avoid pay-by-month. I'd happily upgrade and pay them for new features, but I don't want my usage and data to be held hostage by them if I choose not to upgrade.


Hi chrischen. Ben from 1Password here. We do support standalone licensing and vaults in the latest versions. Please reach out to us at support@1password.com for more details. We definitely want to encourage everyone to use the latest versions, which is one of the reasons membership is such a big push for us (as it includes access to all of the latest versions).


Paid user here, so I am not affected by this problem.

However (writing this complaint here since I am sure they are monitoring this thread) I am really disappointed by the way AgileBits handled this matter.

1) the release notes were shitty and they know it; 2) no one asked for a free app, but if you do that, taking it away is a baaaaaad idea; 3) it took me a lot of time to convince family members to use local vaults on their phones; if the feature is removed and they complain to me I will be extremely unhappy.


I've been using 1Password since basically forever.

With the introduction of a subscription model, I started looking for alternatives.

While I get why companies jump on the subscription bandwagon, I on the other hand flat out refuse to pay a subscription fee for software. I don't mind paying for software, but the subscription model is not for me.

First, with a paid license for version x, I decide if the "latest & greatest" is worth it to me. If it isn't, I'll just stay with my old version.

Second, I'm old enough to know that the "latest & greatest" also includes the latest & greatest bugs. I want to decide when I upgrade. (Yes, I run Debian Stable!)

Third, as everything I (used to) use has migrated to a subscription model, it's becoming rather expensive to get anything done. Yes it's only "$X.99/mo", along with the 20 other things that are also "$X.99/mo".

For this particular use case, I've been evaluating many different solutions, and I've more or less settled on [pass](https://www.passwordstore.org/). It works on Mac OS and Linux, has a very decent iOS app, and "kinda" works on Windows. I use it through WSL on Windows.

It's nowhere near as polished as 1Password is, but it's mine, it's free, and it fits my needs.

I did evaluate [Bitwarden](https://bitwarden.com/) as it seemed like the next best choice to 1Password, but the "non subscription" version doesn't support 2FA tokens.

I still use 1Password frequently, but the second the local vault is gone, I am as well.


May I very strongly recommend that you check out:

https://pwsafe.org/

Open source. Bruce Schneier designed. Windows, Mac, Linux, Android, iOS versions. Dropbox and iCloud sync available as well as standalone operation. Yubikey support.

Need I say more?


I use KeeWeb[1]. Works well, it's able to sync the encrypted database on many cloud/web services, and it's based on KeePass. So even if the app stops being updated or even exists, I remain in control of my password database and can switch without having to convert anything. I use KeePass2Android[2] as well, which can be set as an AutoFill provider.

[1] https://keeweb.info/ [2] https://play.google.com/store/apps/details?id=keepass2androi...


+1 I used Password Safe for more than 10 years, and the developers are top notch and really into their security. I eventually moved to KeePass just because I wanted to store attachments but if that's not a deal breaker Password Safe is awesome.


No need to say more - pwsafe is the real deal! I use it on Android and Linux - synchronize either manually with Google Drive or automatically with DropBox. It's an awesome application!


What I really like about Password Safe is that you can drag passwords into text boxes. Most password managers copy your password into the clipboard where every local application can access it. With drag and drop only the designated application will be getting the password.


An application capable of reading the clipboard is just as capable of covertly taking screenshots, recording keystrokes and otherwise compromising data when executed in the context of the same system user. It gives a false sense of security guarding the clipboard when the real threat is untrustworthy (usually closed-source and proprietary) software itself, executed as a user with privileges.


Wow, why am I just now hearing about this?


They (though admittedly along with many others) have partaken in a terrible trend of switching to subscription pricing for effectively non-subscription services.

Instead of having the option of letting me pay and upgrade if I decide to, I am forced to continue a subscription in order to continue using any version of 1Password (excluding legacy versions).


They do have a standalone license, they just don't make it well known.

https://discussions.agilebits.com/discussion/92275/how-do-i-...


Wow! Probably would have done this had I known earlier, but at this point I feel like if I lock myself in to their platform they'll eventually get rid of this option completely at which point I'd have to find an alternative anyways.


Don't bother. I bought the license for mobile and Mac when those were the options and am now relegated to paying a subscription.


I don't think that's correct, they completely support standalone licenses, and you can use Dropbox for syncing across devices. I'm using 1password 6 on my Mac, and 1password 7 on windows, no problem, no subscription.


Are you using it on iOS as well? It "helpfully" migrated my upgraded $9.99 or whatever it was for the iOS license to a subscription plan. Would've been fine with the standalone version, but there aren't multiple applications for 1Password on iOS.


It is indeed possible to purchase standalone licenses for 1Password 7 for Mac and 1Password 7 for Windows and they can be synced using Dropbox.

- Ben, 1Password


I’m fine with them making the business decision to head in this direction. Just be up front about it. Publish a timeline, stick to it, and be done. I’m a huge 1Password fan and have no problem spending 2X what I do (for a team) but have to admit this and the few times I’ve run into pay weirdness over the last couple of years has slightly shaken my faith in the app and company. And THAT is not the kind of feeling you want with something you have to trust so so so very much.


Hi. Ben from 1Password here. We've posted an official response to this concern here: https://discussions.agilebits.com/discussion/comment/515669/...


Hi all.

Roo has added a couple of recent comments on our forum that I wanted to make sure were highlighted here as well:

> While it’s too late for most, I have gone back and updated our release notes to indicate that we removed this feature.

(from https://discussions.agilebits.com/discussion/comment/515669/...)

and

> The Pro Features purchase has been removed from sale, but all the features that would have been unlocked have been maintained. There is no longer anything to restore. The more I've been thinking about it, the more I am coming down on the side of restoring the single standalone vault capability for those that previously purchased the Pro Features (or the full price app when it was a paid download long ago).

(from https://discussions.agilebits.com/discussion/comment/515789/...)

We're definitely listening to all of the feedback folks have taken the time to share with us on this and are evaluating how we can best move forward.

Thank you for all the comments, both here and on our forum.

- Ben, 1Password


BitWarden to the rescue!


BitWarden gets so many things right that using other password managers can only be the result of inertia.

And it has an open source client, plugins, and server--with instructions on how to set up your own instance if you want to. This is vital, not because I want to run it myself, but it provides a check in case the company is ever bought out or starts blowing it on policy.


It bothers me that so little is known about the company.

See https://community.bitwarden.com/t/who-is-hosting-bitwarden/1...


As far as I can tell, it's run by 8bit Solutions, which is a one-man outfit: Kyle Spearrin

https://github.com/kspearrin


Is the experience using that good? Are their iOS and macOS apps "good enough" for critical password storage?


Yes, Bitwarden is a very smooth experience. I'm using a self-hosted backend via the unofficial bitwarden_rs server and very happy with the client applications. My family is able to use it without any hangups, which can't be said for something like `pass`.


Yup. Been using it as a daily driver for a while now as a 1Password replacement. Does everything I need.


I’ve never used it, but the desktop app is Electron


I purchased the 1Password app back when indeed it was a standalone license. I would have always been happy to pay a reasonable upgrade fee every couple of years, but of course, they went the subscription route. Something about paying a lifetime tax to store passwords just irks me.

I recently switched to BitWarden and couldn't be happier. I can now lose my Dropbox account, which is a bonus, because I was only using it for the 1Password vault. Another bonus is that I can now add passwords on my mobile device, which I couldn't do with my legacy license of 1Password. $10/yr gets premium service that includes integrated OTP, one of my favorite features of both platforms. $10/yr is reasonable to me - after 20 years I'll only be out $200, which I feel is a more than reasonable software license fee. I'm sure eventually they will become popular and start gouging, but for now, it's working well without having to pay the $60+/yr that 1Password charges - more than the initial license fee! - and I don't need to manage that stupid vault anymore.


So I keep seeing it mentioned that AgileBits is not a target because the end user keeps the secret key locally. What mitigations do they have in place to avoid the scenario where they're breached, all encrypted passwords are exfiltrated and then wiped from their servers, and then during a sync it wipes from the local 1PW? Now as an attacker you just ransom them back to individual users who can decrypt the passwords with the local key. I'm hoping multiple offsite backups? I was considering switching from LastPass so genuinely curious.


Hi Grimm1. Ben from 1Password here. I think this is a great question. I'd like to put you in touch with our security team who would be best positioned to answer this. Would you mind writing into support+security@1password.com ? Thanks!


Disclosure: I work for 1Password on the security team.

First, let's discuss what the Secret Key actually does. I'm going to simplify this greatly simply because I don't want to end up in the weeds here. But I think it's important to know what it does and why.

When we designed 1Password's online service we knew that our servers would be a big target if they were storing a lot of user data. And we knew that, historically, users used terribly weak passwords. Knowing this we set out to find ways to protect against these issues.

Let's compare to our standalone vaults since it's a comparison with only us and keeps things simple. Assuming an attacker gains access to your local vault they'd have to guess your Master Password.

With 1Password membership accounts you have both a Master Password and the Secret Key. If someone were to gain access to our servers they'd have to guess both your Secret Key and Master Password together (they're combined together, again simplifying, see our white paper for the full technicals here). You can't just guess the Master Password and then the Secret Key or vice versa, you have to have both of them correct.

Say a user uses a terribly weak Master Password, this would be relatively trivial to guess if someone had your encrypted data.

Say our servers are compromised and you used a weak Master Password. The Secret Key (a 128-bit randomly generated key) is going to protect that data because even if the attacker could guess the weak Master Password, the addition of the Secret Key requires that they guess both together, making the weak Master Password not nearly as weak. For those using very strong Master Passwords, the Secret Key strengthens it even further.

With the same idea in mind, breaching our servers to acquire the encrypted data means an attacker acquires nothing but encrypted data and requires guessing the Secret Key and Master Password for every account. This is a significant undertaking and effectively improbable using today's technology.

Hopefully you now see the point of the Secret Key: it's to protect your data locally on our servers. You absolutely shouldn't use a weak Master Password, but the Secret Key protects those that potentially do.

Now, to your other questions. We do have snapshots of the database made daily. We could restore to one of those.

We are also working on (and have partially implemented) a local backup solution. The Mac client creates these backups already for users who are on our memberships (for individual and family accounts only). They are not (yet) documented nor is there a tool that can read them, but they are being made. The plan is to openly document how they're created so that anyone with the technical understanding could create their own tool for reading them. The reader part of it will come in the future, and likely part of our CLI application, though nothing is for certain at this point and subject to change.

This will allow you to have your own backups and they'll be local to you in the event that something goes wrong on our servers.

Hope that gives you some idea of how it all works. If I can answer any other questions, feel free to write in to support+security@1password.com and mention me (Kyle) and this thread (ideally a link to your question so I have context and won't feel like I have to repeat in case I forget what I may have said).

Kyle

1Password
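The two-secret derivation Kyle sketches above can be modelled in a few lines. The block below is an added illustration for this thread, not 1Password's code and not the construction in their white paper (the real scheme differs; the HMAC expansion, the XOR mixing, the salt, the wordlist and the verifier are all constructed here). It shows the three cases the post argues about: a password-only vault falling to a tiny wordlist, the same weak password surviving a server-side breach because the 128-bit Secret Key multiplies the search space, and that password falling again once the Secret Key itself leaks from the endpoint.

```python
"""Toy model of why a random Secret Key makes a weak Master Password harder to attack.

Constructed illustration: NOT 1Password's real derivation (see their white paper);
it uses only the standard library so it runs offline.
"""
import hashlib
import hmac
import math
import secrets

ITERATIONS = 10_000  # deliberately low so the demo finishes in seconds; production uses far more


def password_only_key(master_password: str, salt: bytes) -> bytes:
    """Standalone-vault style: the vault key depends on the Master Password alone."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)


def two_secret_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Membership style (simplified): expand the 128-bit Secret Key with HMAC and XOR it
    into the password-derived key, so every byte of the result depends on both secrets."""
    pw_part = password_only_key(master_password, salt)
    sk_part = hmac.new(secret_key, b"vault-key-expansion" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def verifier(vault_key: bytes) -> str:
    """Stand-in for what a breached server could hand an attacker: a check value
    derived from the vault key, usable to test guesses offline."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).hexdigest()


def dictionary_attack(stolen_verifier, salt, wordlist, secret_key_guesses=(None,)):
    """Offline guessing against a stolen verifier.  The attacker must try (password,
    secret key) pairs; None as the secret key means the password-only derivation.
    Returns the matching pair, or None if nothing in the enumerated space fits."""
    for sk in secret_key_guesses:
        for guess in wordlist:
            key = password_only_key(guess, salt) if sk is None else two_secret_key(guess, sk, salt)
            if hmac.compare_digest(verifier(key), stolen_verifier):
                return guess, sk
    return None


def search_space_bits(wordlist_size: int, secret_key_bits: int = 128) -> float:
    """Work an attacker faces, in bits: the password space is multiplied by 2^128."""
    return math.log2(wordlist_size) + secret_key_bits


def demo() -> dict:
    salt = b"constructed-salt-0001"                                   # constructed sample value
    wordlist = ["123456", "password", "letmein", "qwerty", "dragon"]  # constructed tiny wordlist
    weak_master_password = "letmein"                                  # in the wordlist: a weak choice
    real_secret_key = secrets.token_bytes(16)                         # 128 random bits, made on the client

    standalone_v = verifier(password_only_key(weak_master_password, salt))
    membership_v = verifier(two_secret_key(weak_master_password, real_secret_key, salt))

    # 1. Password-only vault: the weak password falls to a tiny wordlist.
    hit_standalone = dictionary_attack(standalone_v, salt, wordlist)

    # 2. Server breach without the Secret Key: the attacker can only sample the 2^128 key
    #    space; a handful of random tries stands in for that hopeless search.
    random_tries = [secrets.token_bytes(16) for _ in range(8)]
    hit_membership = dictionary_attack(membership_v, salt, wordlist, random_tries)

    # 3. If the Secret Key leaks too (e.g. from a compromised device), the weak password
    #    is weak again: the Secret Key guards against server-side loss, not endpoint loss.
    hit_with_key = dictionary_attack(membership_v, salt, wordlist, [real_secret_key])

    return {
        "standalone": hit_standalone,
        "membership_without_secret_key": hit_membership,
        "membership_with_secret_key": hit_with_key,
        "combined_space_bits": search_space_bits(len(wordlist)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third case is the caveat worth keeping in mind when reading the post: the Secret Key raises the cost of an attack on data taken from the server, but it lives on your devices, so a weak Master Password is still a weak Master Password against anyone who already has your laptop.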


Hey, I am really sorry I didn't see this earlier; I have a bad habit of browsing not signed in so I rarely see replies to my comments. I think this was a great answer to my question and I really appreciate you taking the time to write up your explanation for me.


I think 1password is great and use it myself.

I tried to have a family member set it up and it was really hard for them.

What do people think about a simpler service that relies on SaaS and you owning your primary email address? The service is called nopassword and you log in via a link that is sent to your primary email address. When you log in you see a hashed email address that ends in @nopassword.com.

To add a new account you change your email at that account to the hashed email address that ends in @nopassword.com. The nopassword service will automatically detect this, confirm the email address change, and reset your password. From now on you can find your password in the nopassword website or client.

Because every service uses a new unique email address you have the privacy and spam filtering advantages of Apple ID. Since almost every web service lets you register by email and reset your password by email it is compatible with almost everything.

After you log into a service nopassword will reset your password 16 hours later. This way intercepted passwords can never be used for long. And if a web service has a breach nopassword will proactively reset your password.

The nopassword service will have clients for iPhone/Android/Chrome/Firefox/Safari that work with native authentication (FaceID, etc.) to get into the client after validating with your primary email on install.

Would you use this?


No. If a SaaS service can automatically set/reset my password without any intervention on my part, that means I have passwords, in unencrypted form, sitting on a third-party server I don't control. What happens when (and it is when, not if) "nopassword" is breached?


Some services are more secure than others, 1password and Okta never saw a large breach as far as I know.

If a breach would occur the race would be on to reset the password before the hackers would change the email address.

You can imagine having 1% of canary accounts that give a big alert if their email is ever changed, leading to a race to see who can reset accounts first.


The key difference around the risk of security breaches between this proposed service and 1password is that user data in the 1password cloud is encrypted client-side with a key derived from the user's master password, so there is no way for anyone who gains server access to see the passwords. In the proposed nopassword service, the server would have to maintain passwords in a less secure way, since it would need access to them in plain text to automate setting/resetting/filling them.


I agree it is less secure in that way.


I like the disposable email portion of the idea. I'd very much like to sign up for every service with a unique email address, so I can trace the source of my spam. But I share JonathanW's concerns on the security side of your proposal.


Although I don't like the idea of paying half a dozen companies monthly/yearly fees (Myfitnesspal, Evernote, BearApp, 1Password and several others), I am convinced that selling a lifetime license is not a sustainable business model for software companies. So I do pay them. And I am fine with that.

One of the alternative business models is ads and paying with my user data, and I neither like ads, nor do I want to pay with my data.


Or they could sell access to software updates like Sketch or countless other apps? That way, the user isn’t paying for “improvements” that they don’t need.


We do still offer that as an option. Please reach out to us at support@1password.com for details. Full disclosure: I work for 1Password.


I don’t really think there is any intended malice. I could see this being a way to remove an entire class of support issues. Having run a number of software services I could see them getting a ton of support requests that are “my computer died, how do I get my passwords back” and then they have to explain that if you use a standalone vault then the user is responsible for backing it up.


Ben from 1Password here. This is absolutely the most important reason why it was done. There are of course business considerations as well, but cutting down on potential data loss scenarios is key.


>I just have a very precise use case where for a period of time I only need a local vault with a few items in it.

Any guesses as to what the use case here is?


Perhaps travel across borders? Delete all data, throw an SSH key into 1Password, then once across the border, SSH to your main server to restore all data?


Interestingly, 1Password has a Travel Mode [1] that’s basically designed for this very reason.

I travel internationally quite a bit and have become paranoid (as someone whose entire work history consists of being a journalist and a software engineer, I’m almost certainly on several different watchlists) about entering certain countries and even re-entering the US, so I’ve created a travel vault for trivial things and secure notes with important phone numbers in the event of an emergency. It’s great. I restore my regular vault when I’m on a VPN and inside my hotel room or at home.

Of course, to get access to this feature you need to pay for a 1Password.com subscription (though you can restrict access to the vault to specific devices, meaning I could say my travel vault could only be accessed on iOS and not in a web browser, as an example), which wouldn’t help this person.

I understand why a lot of longtime 1Password users were/are angry about the shift to a subscription model. I’ve been a user for 12 years and know the founders and many current and former employees and I was still reticent to sign up. Ultimately, their security audits of their system are what encouraged me to use it — especially when I acknowledged I was using Dropbox for sync for many years, which negates the security argument (I trust Agile Bits more than I trust Dropbox when it comes to security). I understand the appeal of the “roll your own” approach, but I trust 1PW more than myself when it comes to setting up and maintaining a secure server and sync and encryption too. I have the opposite opinion of LastPass, who I don’t trust — but if one wants to have mobile access to their passwords without having to rely on WLAN sync (which isn’t exactly seamless — I remember before 1PW had Dropbox support and the way you would sync the iPhone version was over WLAN with the Mac app), you have to use a sync server and for better or worse, I trust Agile Bits not just to encrypt my password database but to protect its own systems, more than I trust another cloud provider or myself.

[1]: https://support.1password.com/travel-mode/


Maybe secure client engagements and they recycle a device every time a new contract kicks off?


I’ve said this before a few times and will say it again. AgileBits runs like a shady business that has used (and continues to use) dark patterns to push people to do things that they may not want to. Choosing 1Password removes choices over time.

It doesn’t matter if the app is great or what features it provides. The company is blatantly customer hostile, and its support staff probably echo top management’s words without much help for users.

I recently migrated to Bitwarden. It checks the boxes I need, including sharing specific information with someone in the free tier (though this is restricted to one person). The cheap paid tiers offer a lot more, and will not hurt your wallet like 1Password does.

You can also self-host Bitwarden server yourself, and there are ports available on different languages and stacks online if the base stack is not your preference.

I also can’t wait for Firefox Lockwise to become an equivalent competitor soon enough.

The days of commercial password managers with expensive subscriptions and poor support seem to be fading away. That’s good for everyone.


Removing a feature that has a huge chance to cause an unknowing user to shoot themselves in the foot. Sure, it should have had a mention in the changelog, but I think this is a completely sensible thing to have done long term. You can still sync with Dropbox or the app over WiFi, which shows me they're not doing this to force you into some subscription.


Sure, there’s good reasons why you might remove it but the subscription model reason is more compelling to me, a long-time user. I’m still with them for now but my trust is significantly reduced and I’m shopping around.


I don't agree because they removed a feature that, frankly, would just cause a user to lose all their passwords if they lost their device. There's still two other sync methods that don't use their service, and one of which is direct to another device without going through a third party.


The best case scenario here is they are terrible at communicating changes that might have a significant impact on my workflow. But that’s only if we look at this single incident and ignore other significant changes, also with reasons but also trending toward subscription and also with poor communication. This is why it is significant that I am a long term user. I’ve felt that push and it informs my perspective.


WLAN sync is only available in the subscription version though, you can’t use it with the standalone licence. Quite bizarre since the standalone licence is the one more likely to want it.


Hi manicdee. Ben from 1Password here. I'm sorry for any confusion we've caused, but this is not correct. It is quite the opposite. The WLAN Server in 1Password for Mac can _only_ sync _standalone_ vaults (not membership vaults). It is available with a 1Password 7 for Mac license.


You are confused. I was talking about stand alone licences, not stand alone vaults.

I will not use a 1Password.com account regardless of the country it is hosted in because I do not trust AgileBits or any government, especially not a Five Eyes entity.

Despite the lengths that AgileBits have gone to to hide the option of buying a stand-alone licence, there was one page which I can’t find now listing the benefits of each licence side by side, and it clearly stated “no wlan sync” and “no multi factor authentication” in the column for licence over subscription.

The rest of the language tries to make it sound like a good thing to have my secrets hosted on a site I do not control. In the end I bought a subscription — purely for access to wlan sync and OTP — because it’s about the same price I have been paying for previous paid upgrades and Pro features.

Also note that for 1Password 6 users who bought the Pro features, the upgrade splash screen states that 1Password 7 is a “paid upgrade” not a “subscription required for Pro features”.

For the moment I will be treating the 12 month subscription as an opportunity to explore other options before the subscription rates inevitably rise and the feature set moves inexorably towards hosting over private vault management.

Not. Happy. Jan.


On one hand I would feel slightly better if I could easily export my 1password data and stick it in an S3 bucket or something. I would even pay a premium for that.

But on the other hand I’ve had a great experience with 1password and I’m about as comfortable with them having my data as I am with Google having my data. Maybe even more so since I know they don’t read my data whereas Google does.

An interesting discussion would be how 1password handles backups, backup verification, and recovery.

I’ve seen Google mess up Gmail but everything always comes back, and I think it’s because their backup solution is exactly the insanely wicked setup you would expect from Google. Compare that to Hotmail or Yahoo Mail, both of which butchered my mailboxes multiple times back when I used those, or the infamous Microsoft Sidekick incident. I wonder where 1password falls between the two extremes.


What I hate most about all of this is the fact that Apple locked down our devices in such a strict way that we cannot even downgrade to a previous version of an app anymore... :'(

It's very bad for a corporation (/the big 5) to have this much power over what we are allowed to do on our devices.


I used to use 1password as well; I'm in the process of transitioning to something similar for macOS that I wrote.

The iOS version with SwiftUI is in the works as well.

My goal with both the macOS and (soon) iOS app is to do encrypted sync via bluetooth or wifi, with no external server ever seeing your passwords.


That’s how 1Password worked back before it got Dropbox/server sync support. You’d sync your Mac client with the iOS client or vice versa over WLAN.

The problem is that it isn’t a seamless process. You have to initiate a sync on one client or the other. Do you have situations where you might be on your phone and not have the latest database from your laptop or desktop — or two laptops could be out of sync if they aren’t on the same network.

OK, so you set clients to sync at specific intervals in the background — this can work but still might miss things and you’ve now got a client that is constantly polling another.

The reason for the external server is access convenience, because any good password manager will keep the databases encrypted regardless of where they are stored. I mean, you want the server the database is on to be secure too — not to mention any browser extension that might exist — but the database itself is the most important part.

A YubiKey or a portable version of KeepassX is probably the best option for the paranoid, IMHO, over local sync (especially something like Bluetooth). Of course, for mobile access you’ll need to be able to plug a USB key into your phone. That’s probably not a problem on Android and hopefully with iOS 13, it’ll be a better iOS option too.


I've been a paying business user for 3 years. Dumping it. They must have some awfully bad execs driving their strategy. Do right by users and the whole world will eventually subscribe. Nickel, dime, and trick them, and the business will die.

These guys make a password manager product. That's it. And they encourage you to put health and passport information in there.

They should run it like a bank. Boring. Reliable. Trustworthy. That means not pulling this penny-ante nickel and diming stuff.


I find the product division between 1Password 7 and 1PasswordX confusing. I've been a standalone user since the start, and it's hard not to feel like I'm on the unblessed path. Clearly AgileBits wants recurring revenue, so it's in their best interest to push everyone over to that model. I find myself periodically feeling anxious that one day I'll wake up and they'll have just removed the option to sync with other providers like iCloud or Dropbox.


Hi EmersonL. Ben from 1Password here. I'm sorry for the confusion. 1Password 7 and 1Password X are very different offerings. 1Password X is a membership-only browser extension that does not require a desktop application. It is great for folks on Linux or ChromeOS who cannot use one of our desktop applications. Those who are on Mac/Windows who are using either membership or standalone are likely to better enjoy 1Password 7 which can offer a richer experience and better integration with the host operating system.


What an odd, zero-empathy approach to customer support. That's what surprises me the most about all of this, not the unannounced feature removal (which is also messed up).


Every time I ask for help on the forums, I get this same kind of response. Their forum responders are always arguing with me or trying to place blame on the customer -- not just me but in responses I've read for other customers as well.

At least they're quick at responding and seem to respond to everything...


I moved to 1PW from another manager last year. Not planning on changing over this.

With that said removing a feature that allowed iOS users to use the app for free and then not putting it in the release notes is going to look like you’re trying to trick users into upgrading.

It’s obvious that if the release notes specified that it removed this feature, people would have avoided upgrading. That doesn’t inherently mean 1PW meant to trick the users but damn it sure looks that way to me.


I'd suggest KeePassXC for the desktop client and KeePassDroid/KeePassium for mobile. Sync the vault with your preferred file sync solution across devices.


Enpass did the same thing, removing wifi syncing. They claim it will be added back in the next version, but many versions have passed and it was not. I finally gave up and synced to the cloud. Let the NSA have a crack at it if they want to. I only wish I knew Bitwarden before I started with Enpass. Moving between password managers is a horrific experience.


This kind of thing is why I just use Pass as my password manager, I don't like having to rely on a single company for my passwords, never know when they will make breaking changes like this, or go under. With Pass, the worst case is that the utility stops working on my system, in which case I can just manually decrypt the passwords with the GPG key.


Looks like a good reminder that as long as you're not hosting it, you're at the whims of the developers.

I chose KeePass a while ago and I'm satisfied with it. There are many compatible implementations out there, and some web-based like KeeWeb.

You can self-host the entire server, or you can use their own and use an online storage provider to store the KeePass database.


at first blush, i was going to state this is much ado over nothing. this doesn’t affect anyone but snowflakes. a company can’t be in the position of supporting snowflakes. the fact that 1pw even engages customers at the level that such an issue is discussed at all, on their own forum, speaks volumes.

but then, well, otoh after reviewing, regardless of that truth it still is despicable. removing a critical feature, without notice, in a point release, on a platform where it’s incredibly hard to rollback. 1pw needs to step up and release another point version with the feature restored.

worse than that even, is the official PR spin couched as a personal reply. it leads with “oops thought no one used this feature. sorry!”. followed much later with:

> We receive enough customer support from people who set up 1Password in this way

that’s enough for me. i was a longtime customer, using it since the start. time to move on.


> 1pw needs to step up and release another point version with the feature restored.

it seems they've done just that, 5 days after (4 days ago now).

https://www.macrumors.com/2019/07/19/1password-restores-loca...


pass [1] is great. It also has clients for various platforms [2].

[1] https://www.passwordstore.org/

[2] https://www.passwordstore.org/#other


I've been using this instead of the password store for over a decade now.

https://chriszarate.github.io/supergenpass/

Works every time and is portable as hell.

How are people still using password lockers?


I'm a paying subscriber too, but I'm cancelling this after those responses...


Another example of a grafted on subscription model. This is getting more and more common, and in this particular case it is so contrary to what the product would dictate that it is likely going to turn out to be a footgun.


I'm over here still using 1Password 6 Standalone... Subscriptions are not something I am going to do. I'll be looking to migrate all my keys to BitWarden in the near future.


Can anyone recommend a good OSX, iOS, browser extension alternative password app? That can import 1Password. And is not a subscription model.


Bitwarden. See "Import your data from 1Password" [1]

[1] https://help.bitwarden.com/article/import-from-1password/


The ultimate password management solution: Self-host Bitwarden on some cheap VPS, backup to B2/S3/GCS for $0.01/free.


Obligatory and appropriate: https://xkcd.com/1172/ "Every change breaks someone's workflow"


Something about that really aggravated me, looking into bitwarden - worst case I'll save some money.


As an FYI, how difficult is it to migrate from 1Password to something else?

Is this even possible without manual steps?


Ben from 1Password here. We much prefer customers stick with us because they're happy with what we're offering rather than because they feel locked in. As such we offer some of the most robust export options available. I would caution that by their nature exports have to be stored unencrypted, so please use extreme caution with any such files and delete them from your disks (and backups!) as soon as you've done what you need to do with them.


https://support.1password.com/export/

> Comma Delimited Text (.csv) to move data to a different app.


Switched from 1Password to Bitwarden half a year ago and I couldn't be happier.


I currently have a subscription to 1Password, I have no problems paying for a good service that's well designed, implemented and secure. That being said, I am a student so every dollar counts. Does anyone have experience switching from 1Pass to Bitwarden?


Yes, it’s quite simple. You just export your data from 1Password and import it into Bitwarden. Don’t forget to delete the plaintext export file after your import process is done.


Hi sayusasugi!

Can you get in touch with us via our contact form (email method) https://support.1password.com/contact-us/ and we'll see what we can do to help you out with that. We were all students at one point in time as well so if we can help you then we'll help.

Just mention my name and this thread in the form. It'll get sent my way.

Kyle

1Password


Bitwarden appears to be mostly free, so I'm giving it a shot now!


Good but expensive product from a shitty company.


that's not just sad, it is debilitating.

thanks for the free advertisement for Bitwarden.


Wonder how many people this actually affects? The affected user admits they have a really unusual use case.

I thought AgileBits was fine with their responses. The last thing you can do is give people like this any hope. Be clear that you’re not going back to the way things were and stick to that.


Why would anybody use 1Password if you can get Bruce Schneier's PasswordSafe for free (https://pwsafe.org/)?



Do you know who Bruce Schneier is?

Also, pass is a Linux application and Bitwarden cloud-based. So, no, those aren't relevant alternatives.


You are mistaken about both pass and Bitwarden. pass is cross-platform (I personally have it running on Windows 10, macOS and Linux) and Bitwarden can be self-hosted on Windows, macOS and Linux.

And yes, I know who Bruce Schneier is. Not sure what your point is though.


Okay, you have a point. Bitwarden though is at the end of the day a commercial product. I don't know about the user-friendliness of pass but it certainly has a good reputation.


Are you able to make local, encrypted backups and view them later with offline software?

Any password manager that doesn't offer this is a non-starter for me. I don't want to be caught unawares when the vendor who makes my cloud-based password manager suddenly goes out of business (or if it's suffering a network outage when I really need to log in somewhere).


Yep, 1Password makes regular encrypted backups in a fully specified file format[0].

I've seen them used to implement 3rd party clients, so there are a few implementations out there.

[0]: https://support.1password.com/opvault-design/


The subscription service is just used to sync between devices, i.e. the app works completely offline once synced. You can do the same with Dropbox without a subscription, but in that case you'll need an app license (which you can no longer buy separately). The subscription bundles the app license + syncing, for $2.99 a month.


Thanks for the responses. Not sure why my question (/opinion) was downvoted below zero, maybe it's obvious to 1Passwd users, but in any case I appreciate the answers.


The cloud component is only for synchronization of passwords between devices. No network connectivity is required otherwise.


Wow. This user on the “free plan” has quite an attitude, and is yet receiving a heap of support from Agilebits.


What? Seems to me like the core question the user had (free or not) was a) was this removed? & b) where and how can I read about its removal, it’s not in the notes?

None of those questions were answered without repeated requests for the information. That’s shady. What exactly are you seeing that I didn’t?


Yup. They must be A/B testing AI-generated support discussions, because that's the only explanation I have for why someone would call a perfectly reasonable support request as "having an attitude", and the avoidance to engage with it "heap of support".


I'm guessing this user is like myself; someone who _purchased_ 1password back when it was $40-60.

Yes, I appreciate the fact that they're continuing to support things, and I am glad that they're finding a revenue model that supports their team, but I very much like my current setup and still haven't upgraded 1password on my Mac past version 3 because I like the old model. Skipping updates on iOS is much much harder.

I would probably pay a flat $40 again for an upgraded version with a standalone license if such a thing were still available.


> I would probably pay a flat $40 again for an upgraded version with a standalone license if such a thing were still available.

The v7 standalone license is still available.

https://1password.onfastspring.com/in-app/1password-7-for-ma...


Interesting. I had no idea, and would love to find any sort of copy about it on their website. How long does support last? What exactly am I buying?

I must confess the interaction in TFA makes me much more reticent to do something outside the beaten path...


If I have to paraphrase and use a popular dialogue, the first rule of the standalone license is you don’t talk about the standalone license. You won’t find anything on the website. You’d have to email support to figure out how to buy it. It’s that big a secret.


I agree. This is just another example of why freeware or free tier offerings can be a bad idea. Suddenly you have a large population of users who will never convert yet are perfectly happy to suck up support hours.


“Convert”? Support challenges your existing users are facing due to your changes are not going to help conversions. Shady.


I think you miss the point. Having a smaller number of paying customers means you can build a more focused product and not cater to so many use cases. It also gives you a remedy when a customer feels wronged. In the case where they pay and are unhappy you can refund their money. In the case where the user didn't pay you have less recourse.


This isn’t freeware. Previously we paid for a standalone licence which cost more than the current yearly recurring licence cost.


Lots of people in this thread talking about the quality of the customer support here, and I think they're missing the point. The support staff seems to be doing their best to provide reasonable explanations for the changes. But there's a deeper question here about what responsibilities developers of free applications have regarding notifying users about major feature changes. This is just a particularly important question on platforms that don't offer fine-grained user control over application version installation (i.e. mobile).


> But there's a deeper question here about what responsibilities developers of free applications have regarding notifying users about major feature changes.

It's not even a matter of responsibility. Doing a change like this and not telling users is asking for conflict. Given that mentioning a change in Release Notes is an insignificant amount of effort compared to implementing that change in the product, I fail to see a legitimate reason to not mention the change.

When you're Facebook and have strong network effects, you can afford boiling your changelog down to "we've fixed bugs and improved performance", and giving zero information about actual changes.


Why are you saying "free applications"? I for one paid for 1Password.


Not that long ago there wasn’t even a subscription option. We each paid $40 for standalone and I’ve so far been happy with it. When the subscription option came out I politely asked if we could put this money towards a service credit, and was (also politely) told “no”.


Same. I had paid for all their apps (Mac, Windows, iOS, Android) and after Dropbox disabled the web server on the public folder 1Password’s solution was to subscribe. They didn’t even offer me a meager discount.


I'm not defending the semi-aggressive users here because I don't use 1Password and didn't fully understand the support forum thread. But I think this illustrates something larger that the tech industry doesn't really understand: the world is seven billion edge cases. No two users are alike and no assumptions should be made about them.