
I switched to "pass" from 1p and it is a breeze because it just works without all the bullshit and I don't have to place any trust on a company saying they do things right (they will never tell otherwise).

And 1password never cared about Linux. I had to custom-script data export; they pretty much held data hostage by making it difficult to migrate from the platform, not to speak of the undocumented data formats. But at least we did not have to install some closed source proprietary thing to do something as critical as password management (browser sandboxing seems slightly better). If they cared they would open up their client's code for everyone to peek.




I have to call this out as a bit of a hyperbole.

They already participate, quite openly, in security audits[0], and while yes, I'd love it if it were OSS too, the reality of making money on these services (especially, I believe, at the time 1Password was founded) is that it likely wouldn't have done them any good, really. In fact it could hurt their business. I believe 1Password was one of (but not the only!) pioneers of this being a successful consumer business.

Notably, I don't think it's worth detracting from a fantastic product based solely on the license of its underlying software. I'm also not aware of any 1Password data breaches.

As far as exporting goes, you can simply generate a CSV file (or plain txt)[1] as well. Not sure what the issue there was, I'd be curious to know.

While I like OSS too, and prefer it when able, I think it's a stretch to say they're holding their users hostage if they want to migrate away, not to mention being OSS isn't really a predicate as to whether the software & user experience is actually any good.

disclaimer: I don't work for 1Password, but I've used it for over a decade.

[0] https://support.1password.com/security-assessments/

[1] https://support.1password.com/export/


How can one be sure that the passwords are even encrypted, without having seen the program?

Audits don’t mean much for various reasons, including the conflict of interest.

Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.


>How can one be sure that the passwords are even encrypted, without having seen the program?

We have seen the program. We can have as many binary copies of it as we’d like.

> Audits don’t mean much for various reasons, including the conflict of interest.

[citation needed]

> Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.

The product uses end-to-end encryption. The database is encrypted locally before being uploaded. They would have to be using bad encryption or stealing your password to get at it. It is understood how 1P works; they have written about it extensively.


But that's the point the OP is making, you have to trust what 1password is telling you. And they do have a very clear business interest in telling you that it uses best security practices even if they don't.

I'm doubtful that you are able to look at the binaries and extract the inner workings from that.


>But that's the point the OP is making, you have to trust what 1password is telling you.

Yeah, I have to trust a lot of software authors not to be actively malicious, because I don't have the time to audit literally everything I rely on. I have more reason to trust the authors of 1Password than those of almost any other package I use.

>And they do have a very clear business interest in telling you that it uses best security practices even if they don't.

It's been audited several times, and the authors are well known, respected, and vocal in the infosec community. And you think they have more of a business interest in hiring security professionals and lying about their practices than they do actually building a product that safeguards their users' data as they say it does? A backdoor in a product like that would be the end of their business, professional reputation, and career.

>I'm doubtful that you are able to look at the binaries and extract the inner workings from that.

Me personally? No, but there are absolutely people with that skillset, this sort of thing is perfectly doable. As far as "is this sending all my stuff to China in plaintext" goes, it's not even that hard to evaluate. You could do that without any reverse engineering at all.


These are great answers. Thank you. - Ben, 1Password


> As far as exporting goes, you can simply generate a CSV file (or plain txt)[1] as well.

There is (was?) no way to do that on Linux.



