I’ve been using 1Password every day for over 11 years now. The oldest passwords I’ve got stored are for Twitter and Dropbox (yes, the passwords have been changed but the records were first created in 2009).
It’s one of those apps which has been made with proper craftsmanship and care, so while I’m not a Linux user, I’d have no problem recommending based solely on Agilebit’s reputation.
It's made with proper craftsmanship and care on the Mac (which is primarily where I've been using it for years).
The Windows client is much better after the last major release, but it's never been as slick as the Mac version (the biggest wart now is the system tray/browser extension popup).
1Password X looks nice until you try and use it, and all the company reps on the forums are very argumentative about any feature request (look for the pushback they give about resizing their super-cramped browser extension popup—and the issues with hi-res screens stemming from how they built it, which assumes a fixed size).
I've also got a chip on my shoulder about the "feature" they added that showed the most recently used websites in the iOS app with no way to disable it (they finally allowed setting the number to zero months later). The reps on their forums all come off with this attitude of "this is the best way, and you're wrong if you don't like it" for just about every issue that comes up.
I like the app and will continue to use it, but if my main platform wasn't macOS/iOS I would have bailed long ago.
> all the company reps on the forums are very argumentative about any feature request
I've observed this as well and it's frustrating. Usability took a dive when the list view for entries was removed (in favor of the rich icon, column-based layout), having to manually check identically named entries to find one with the right username, but their support staff was seriously adamant about the feature not being worth the development effort because of how few people had used it. It got me looking for alternatives but I haven't switched away yet.
I apologize that we've come across that way. I'm one of the primary contributors on our forum and so I do appreciate the perspective here. The position I try to take, not being a developer or project manager myself, is that I have no power to make feature requests happen other than suggesting them to the team. As such I try to help people best use what is currently available while also passing suggestions along.
As a company we tend to keep future plans pretty close to the chest. There are sometimes things that we know we aren't going to do, and whenever possible I try to be up front about that rather than beating around the bush or giving false hope. List view is one example of this. The intention isn't to be argumentative, but rather to set expectations based on current plans.
They were also pretty dismissive of Linux for a long time, so it's kind of funny to hear it as one of their biggest requests. 1Password X narrowly prevented me from switching for a while, but I've come to see alternatives as generally better options. Yeah, they're not as flashy, but I think Bitwarden and Keepass XC do a great job.
Keepass XC may even be doing a better job at security. At least in some dimensions.
FWIW cache side channel attacks are primarily a threat on (shared) cloud platforms, but not as much [1] on personal devices. Considering that 1password runs in its own process and that most personal devices should have Meltdown mitigations in place, it would be prohibitively difficult to successfully launch a cache side channel attack to extract the password from outside of your device, especially at scale. Attackers would attempt to find other software vulnerabilities instead.
I think it would indeed be nice if 1password scrubbed sensitive data from memory, but not a complete deal breaker if it didn't. I do wonder if this could be more of a problem on 1passwordX, though.
That’s where Agilebits has me; the UI on Mac and iOS is so much better than the alternatives. I do keep looking, Keepass XC looks really good since the last time I checked around.
KeepassXC is quite good if you mainly use it on your computer. I've been using Keepass(XC) for about 10 years, it's secure and reliable. But I'm looking to switch to 1password or Bitwarden as I'm increasingly using portable devices (phone, tablet…).
Seconded, Keepass2Android is great and has very good integration on Android. You can use the autofill feature to, well, autofill the credentials fields in any app.
Has merge functionality if you've edited the password file both on mobile and computer.
It even has an offline variant that keeps everything local. I'm using that with NextCloud.
> It’s one of those apps which has been made with proper craftsmanship and care
Is it? I've been using it for some time as well but it seems like there is a lot of room for improvement. E.g.:
- Support for unlocking via Watch ID on the Mac.
- Currently on iOS when searching for a password within an app, if a site prefix is included that doesn't match what's in 1Password the list will just show no results, with no way to navigate manually to the login. Instead, you have to close the app, open 1Password, and copy/paste the credentials back in. Typically the master password will have to be re-entered as well, despite touch ID being adequate a moment prior. Since it's rare to sign up via the web now for mobile apps, this is the most common scenario for me when using 1Password for apps on my phone (and occasionally websites as well).
- Improved UI/UX on mobile. Dashlane is way better in this regard. 1Password overemphasizes features I don't need like tags and favorites and has a pretty cluttered look in general.
I like the native Mac app and open/local vault format. (Dashlane by contrast has a very buggy desktop app and requires storing everything on their servers.) But I would jump at the chance to use an alternative with a simpler UI and better experience on mobile.
We use Dashlane at work, and every day I want to switch to 1Password, which I use in my home life. Dashlane has weird permissions glitches, a really buggy and very non-intuitive desktop app, really terrible web browser extensions that make me tear out my hair in frustration, and even the mobile app doesn’t feel like it has the features I want, like the ability to add more than one password field (useful for accounts that have PIN codes and such). Even performance-wise, Dashlane’s mobile app feels really sluggish doing things like adding 2FA via QR codes, which 1Password seems to do instantly.
Agreed on all those points, especially the desktop app which was ultimately the breaking point for me. The only thing better about Dashlane right now is the UI on the iOS app IMO.
Just to clarify: the feature is currently in beta.
> Unlock 1Password using your Apple Watch on Macs with a Secure Enclave.
From the 1Password for Mac 7.7.BETA-0 release notes.
- Ben, 1Password
A login can have multiple URLs. For sites which don’t automatically load the right entry, you can add another URL to give 1pw a hint.
This won’t solve all your problems. It won’t even solve the problem you describe the first time you encounter it. Nor will it solve it for apps that fail to provide an INTENT URL. But hopefully it will make things a little easier.
That would improve the completion, but ideally 1Password should allow me to select the login myself within the app modal (by navigating to "all logins" with the filter deactivated), and then add the intent URL for me.
I used KeePass, then LastPass, then tried 1Password about 8 years ago. I haven't even considered changing. I joined when they were still mostly focused on MacOS and iOS, the Windows and Android apps were secondary. Since then they really shifted to a totally cross platform experience, and I'm incredibly happy with the app. I'm glad they're branching out to Linux.
I am a 1password user, and have been for about the same amount of time, but I've been slowly looking for an alternative.
Unless I'm mistaken, 1Password no longer ephemerally decrypts passwords as needed and only while used and then scrubs the memory. [1, old but still] The excuse, if I remember it, was that garbage collected languages made this challenging. Even so, there is some irony in them moving away from the temporary, one-at-a-time, scrubbed approach just before all of the side channel attacks that allowed leaking memory across processes became widespread.
Yup. Password management is one of those things where I want to pick the best possible solution, over the 80% good for 20% of the cost. The risks of losing credentials are real, and terrible. Making shit easy for non-technical people is a real-world risk reduction. Making shit easy for technical people is also a real-world risk reduction, and letting me put 1P into automated workflows is great. If there's minor encroachment on territory currently held by Hashicorp Vault, then "Go 1P!" - I love competition between two genuinely good products.
I just checked my vault out of curiosity, and my first entry from 2009 is the credit card I used to purchase a 1Password licence shortly after!
It’s robust software that does what it says on the box. I was initially reluctant to move out of my local vault but the online service has been impeccable.
Why the hate for electron? I know that there are a bunch of shitty electron apps out there, but there are also great, fast and lightweight examples. Visual Studio Code is easily one of the best desktop apps I've used (on Windows) and Discord is also built on electron and works very well.
Electron isn't necessarily bad, it's primarily a matter of how good your implementation is.
Thank you! This is correct. We understand there are concerns about Electron (some legitimate and some religious), and we've built this app with those concerns in mind. The backend is Rust, with the arguably most critical components (encryption) being open source libraries (ring). - Ben, 1Password
Also a longtime user. Did you kick over to their subscription model or have you stuck with the old installs attached to the grandfathered permanent license?
I'm still using the permanent license...and syncing over iCloud, while using the latest versions of the 1Password app, on macOS & iOS.
As soon as this stops working and I'm forced to get a subscription I'm moving to another password manager though. So hopefully one time purchases will remain possible.
> If Apple offered a more fully featured keychain I might just stay in their ecosystem.
Given Apple's track record, if you care about your passwords being portable, it's unlikely that you'll be able to use their keychain on Windows/Linux/Android even if they develop it further.
€36 a year, so for a period of 5 years that makes €180. For me and my partner that would be €360 for 5 years! For a password manager...
I also considered using KeepassXC and Strongbox on iOS, which is completely free (sync the database via iCloud.)
KeepassXC's browser extensions are pretty bad though, hopefully that will change sometime soon.
If you want to keep costs low, Bitwarden is currently your best option I think.
They’ve got a family-oriented subscription which is cheaper. Used it since it launched and it’s been transformative for both sharing credentials with my family and getting them into the habit of unique credentials on every site, and TOTP where possible as well.
I can’t recommend 1Password enough and I’ve been a customer for a very long time, predating the move to subscription pricing and cloud services.
It’s worlds improved over synchronizing with Dropbox. There are definitely security tradeoffs but if it isn’t easy you’d lose a substantial number of people back to duplicating the same password across 370 sites.
Why shouldn't it be Electron? Should it be GTK? Why not QT?
Linux doesn't have a standard desktop environment or widget toolkit. Electron doesn't seem like a worse choice than the other options, and it's easy to find engineers who know how to work with it.
1Password doesn't just store passwords. It has a bunch of other features. It's a fairly complex app at this point. It also has fairly similar user experiences in Windows, macOS, Linux, iOS, and Android, and that's pretty hard to pull off. If Electron helps them accomplish that, that's fine.
Because Electron bundles (light) chrome and nodejs and all deps breaking desktop integration and security (the developers are now responsible for checking vulnerabilities in all bundled libraries and they are not doing it).
Those are pretty good reasons not to use electron.
Because every Electron app is inconsistent with the rest of the desktop. I use a dark theme system-wide but Electron won't care [edit: 1Password has custom integration for GTK theme]. Honestly, this isn't something the developers of the app have to put years of research in (Slack for example). The toolkit is supposed to do the integration (GTK, Qt, [Cocoa?]) and clearly Electron doesn't care.
> Why not QT?
You tell me (assuming you're talking about Qt, not QuickTime)
> Electron doesn't seem like a worse choice than the other options
Not really. It's just that it's lazier/cheaper to just get your web development team to pretend to write a desktop app. I get it, business decisions need to factor cost into account and hence the choice. I understand when a business says "we just don't have the funds to use a proper app framework, please do with what we have for now". But instead everyone goes to pretend like Electron apps are perfect even though the reason it was chosen was almost completely based on cost.
There are also advantages for the user. For example, new features arrive for all platforms at the same time; there is no prioritization of platforms or such. Same for bugs - apart from issues stemming from Electron itself, they're likely to appear on all platforms and therefore likelier to get fixed.
In essence, the old "only X% of our users use platform Y, it's not worth it to make this feature/fix this bug for them" does not exist anymore with something like Electron, and while this is ultimately also a cost consideration, it does come with benefits for me as a user, especially if I'm on a minority platform.
None of this is even relevant in this case, since they use (I hope) Cocoa/UIKit/whatever it's called on macOS, so there's anyways not _one_ framework used everywhere.
> Yes, it is very obvious from the screenshot that it’s built on top of Electron [1].
I love this. It was my first reaction when I used MS Teams ... shit, it's electron and then I got the horrible user experience as usual. And in MS Teams even the font and its rendering is hardcoded and the devs are refusing to do anything about this! So when I use MS Teams I need to look at blurry text.
EDIT: And they bundle libffmpeg.so too .... let's have a look at what version, though I guess 1password is not a good attack vendor as it'd be hard for the attacker to control input data, right.
OpenGL is included because the UI is hardware accelerated. ffmpeg comes from the toolchain (Electron, specifically). It looks like there is an open issue with Electron for that: https://github.com/electron/electron/issues/21967
More likely it is the overhead of multiplatform support that motivates them to use Electron. Their support matrix is pretty big now: iOS, Android, Web, Mac, Windows, browser extensions, Chrome OS, and Linux
"Engines" like common logic written in languages like C and C++, using in-house toolkits where RenderButton() or ShowDialog() would do the right thing on each platform.
Apparently a forgotten art.
As for VMs, I am all for stuff like React Native, not for packing Chrome with each application.
Not only it shows laziness where Web == ChromeOS, bloats the applications and is yet another way for turning everyone into Chrome developers, bye bye Web.
I understand the sentiment. But I think the best approach is a bespoke app for each platform in its own native toolkit.
I have rarely enjoyed using a Gtk or Qt app on macOS because they feel alien.
On Windows for example there seems to be no rhyme or reason for widgets, mainly due to historical reasons.
Games don’t need to be consistent because they take up the whole screen and are immersive. Some very specific programs such as the Godot editor are a good example of a similar usage.
Why a whole GTK or Mono app just to store passwords?
Once you’ve decided that you want to make a GUI for something you’ve already made the choice to increase the weight considerably. Electron is still the best cross platform toolkit when you need browser support too.