Agreed. I have been using Bitwarden for over 3 years now, paid premium user as well. No big issues, the odd bug a few times but all fixed promptly and didn't impact my ability to access my data.
While the Bitwarden apps are not as "pretty" as 1Password's I find them a little simpler to use. Obviously UI design is highly subjective though so your thoughts may be very different :)
Anyway yes I highly recommend Bitwarden. Kyle and the team have built and continue to run a top class product that costs 1/3 the price of 1Password.
Edit: To clarify I use Bitwarden solely for personal use. I cannot fairly compare Bitwarden and 1Password for multiuser/shared vault use.
While almost everything is great about Bitwarden, the 5-8 second delay when performing a search is ridiculous (considering I have about 100 records), and I'm considering paying for a better maintained alternative.
Interesting. I just tested on a Pixel 2 XL running the latest public Android 11 OTA version and search doesn't lag at all. Same speed as on an iPhone 11 Pro Max.
Could it be a device issue? I highly recommend you report it to Bitwarden as Android can be a real pain in the ass to test with so many different devices out there with all kinds of strange OEM "optimisations" to the OS.
From the comments, I think this is an Android-specific issue. I use Bitwarden on Android and also find that searches inexplicably take several seconds, especially when you arrive at the search query from the autocomplete popover.
This is exactly where I'm getting the delays. Which is indicative of another problem: in several websites I have to search for the login manually because Bitwarden doesn't find the credentials (according to the Android Firefox/Chrome extensions). This never happened with 1Password.
This is very strange. I have over 480 and never experienced delays anywhere (MacOS, Android, iOS). Searches only take a second or two once you've typed two characters in the search box.
Bitwarden is great, but I'm getting frustrated at their ridiculous excuses for not implementing fixes.
For the longest time Bitwarden has been broken in Firefox's private browsing after Mozilla deprecated some APIs due to security concerns. They've given alternatives, but they are just refusing to fix it, to the point of basically saying Mozilla needs to fix the issue. What's sad is a similar mechanism is used in their Chrome extension. Someone even raised a working PR that the CTO wasn't fully happy with, and asked for changes (which is fair), but the PR hasn't moved since, so I'd have expected the Bitwarden employees to take it and fix it up.
It's absolutely ridiculous to still not have this fixed years later.
By contrast, I was a 1Password customer at the time this change got introduced, and they'd pushed out a fix not long after.
I will be trying the Linux client, and if it's good enough, I'll certainly switch away.
+1 on 1Password's dedication to fixing issues. I had an obscure field selection issue on their web view and pinged the support email. It was fixed a few days later and they updated me on it.
I switched to 1Password from KeePass after 5 or so years because I just got tired of maintaining the data locally and keeping it in sync on my devices that I need the passwords on. I just back up the 1Password database locally now to calm some paranoia.
Is there any reason not to host a Keepass database on any generic cloud service? That's what I'm doing at the moment. I've never encountered any sync issues or conflicts, and take backups every now and then in case that happens.
No reason, yours is the best option IMO. You have a secure container, with a sync service of your choice. It's more transferable so you can easily migrate if you want to.
I’ve been a happy one-password customer for several years and I switched to the family subscription model to get my parents away from their little notebook of passwords. I had self-hosted a PHP based password manager for a handful of years, before switching to 1P because I wanted a “real app” with tighter OS integration. I’ve had 3 gripes and this solved one of them. The other 2 are
1) Their insistence on 1Password X - I want a desktop app, I want tight integration, the browser extensions work just fine if I need something quickly.
2) Poor/no support for key management - storing ssh keys as encrypted notes is a bad workaround.
1Password X is a sad excuse for a Linux client. Compared to the great experience one gets on MacOS (haven't used it on Windows), 1Password X is a child's toy, and a bad one at that. It did improve a bit not very long after I left 1Password, but Bitwarden hasn't been better.
Fair point- I guess digitization was somewhat selfish. A centralized DB makes it easier when I’m trying to help them with something remotely, and the “Shared Vault” facilitates easy communal logins (Netflix, Hulu, etc...)
Just so you're aware, it's a limitation within Firefox and Private mode - not Bitwarden.
> The Bitwarden browser extension does not completely function in Firefox’s private browsing mode. This is a known issue specific only to Firefox. You will see a message indicating so when you try to open the Bitwarden popup window in a private window. We have discussed the problem with Mozilla, however, they seem unable to fix it so that extensions like Bitwarden can function entirely in private mode.
As I mentioned, this stopped working after Mozilla deprecated, and subsequently removed, an API due to security concerns. When viewing the docs for said API, they have clearly outlined an alternative mechanism. They have still stuck to blaming Mozilla.
An individual raised a working PR to fix this that got reviewed and some changes were requested. The individual must have abandoned the PR or something because it hasn't moved since. I would have expected Bitwarden devs to pick this up and get it merged, and address the PR changes themselves since OP isn't addressing the issues.
Not knocking the project, which sounds cool, but the absolute last thing I want to self host is a password database exposed to the internet. Hard pass on that element.
1password used to have a peer to peer sync mode that I loved. No need for a server anywhere. You would open it on your Mac and then open it on your phone and if they were on the same network they would self discover. Too inconvenient, perhaps, for most users, but for the paranoid like me, it was ideal -- no servers involved at all.
(Technically, wifi sync I believe still exists IF you use 1password on Mac with an old-style local vault, but it's basically unsupported. Mine just stopped working and I switched to 1password.com.)
Bitwarden only ever decrypts the password database on the client, and the login credentials you send to the server are only a hash of your actual encryption key.
In principle, you could store your Bitwarden database on a public torrent at no risk to your security :)
So, if you do trust the Bitwarden software in the first place, self-hosting it shouldn't be any more dangerous than using the managed service, because the server security isn't really a critical part of the defence model. And self-hosting allows you to build from source, if you're inclined to paranoia (Even though the worst a malicious server could do is delete your database).
That said, I have still bothered to set up strict fail2ban rules on my BW instance, because why not.
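The split the comment above describes (the server gets an authentication hash, never the key that encrypts the vault) can be shown end to end. The following is an added example written for this thread, not Bitwarden's code: the KDF choices, iteration counts, email-as-salt and the HMAC-SHA256 counter-mode keystream standing in for AES are all assumptions made so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Illustrative parameters chosen for this example (assumptions, not a real product's settings).
KDF_ITERATIONS = 100_000
SERVER_ITERATIONS = 10_000


def derive_client_keys(email: str, master_password: str) -> Tuple[bytes, bytes]:
    """Client side: stretch the master password into an encryption key that never
    leaves the device, then derive a separate one-way auth hash to send to the server."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), KDF_ITERATIONS)
    # Hashing the key once more (password as salt) yields the login credential;
    # the server cannot invert it to recover enc_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, auth_hash


def _subkey(enc_key: bytes, label: bytes) -> bytes:
    # Separate cipher and MAC subkeys derived from the client's encryption key.
    return hmac.new(enc_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES because the standard library
    # ships no block cipher; the encrypt-then-MAC structure is what matters here.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Client side: the blob the server stores is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(enc_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag first, then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault MAC mismatch: wrong key or tampered blob")
    ks = _keystream(_subkey(enc_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class VaultServer:
    """Everything the server ever holds: a re-hashed credential and an opaque blob."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = {
            "salt": salt,
            "auth": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS),
            "blob": blob,
        }

    def login(self, email: str, auth_hash: bytes) -> Optional[bytes]:
        rec = self.users.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], SERVER_ITERATIONS)
        return rec["blob"] if hmac.compare_digest(candidate, rec["auth"]) else None


def demo(email: str = "user@example.invalid", master_password: str = "correct horse",
         vault: bytes = b'{"site":"example.invalid","password":"hunter2"}') -> dict:
    """One round trip with constructed sample data; reports what the server can do."""
    enc_key, auth_hash = derive_client_keys(email, master_password)
    server = VaultServer()
    server.register(email, auth_hash, encrypt_vault(enc_key, vault))
    fetched = server.login(email, auth_hash)
    rejected = server.login(email, derive_client_keys(email, "wrong password")[1]) is None
    # A malicious server has auth_hash and the blob; the best it can do is try them as a key.
    server_can_decrypt = True
    try:
        decrypt_vault(auth_hash, fetched)
    except ValueError:
        server_can_decrypt = False
    return {
        "client_round_trip_ok": decrypt_vault(enc_key, fetched) == vault,
        "wrong_password_rejected": rejected,
        "server_can_decrypt": server_can_decrypt,
    }
```

The design point is the extra one-way step between `enc_key` and `auth_hash`, plus the server re-hashing what it receives with its own salt: a dump of the server database yields neither the vault contents nor a credential that can be replayed against it, which is why the commenter's "worst case is deletion" holds for the API clients.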
> (Even though the worst a malicious server could do is delete your database).
Unless you use the web client, and a lot of Bitwarden's functionality is only available via its web client (including critical functionality like changing your master password).
Well that’s the thing. If I’m content to trust the client side hashing or encryption on the secrets why bother setting up my own server? Conversely, if there are nefarious things that can happen on the server to compromise the data without me knowing about it, then I trust neither myself (because I’d be a bad sysadmin) nor a third party (not knowing what they’re up to). Or if I do trust a third party just use 1Password.
Reading between the lines it sounds like being able to build from source or see and install the source gives some assurance you can’t get via third party and the strong files give some assurance over me being a bad sysadmin. That’s either a sweet spot or uncanny valley depending on your perspective. :)
> If I’m content to trust the client side hashing or encryption on the secrets why bother setting up my own server?
Not that much, given that basic accounts are free. I guess that in addition to the building from source option, self-hosted Bitwarden (or at least Bitwarden-rs) includes all enterprise features for free.
The two most useful ones are probably sharing selected passwords with other users / groups, and attaching encrypted files to logins.
I wouldn't bother setting up a server and domain solely for it, but if you already have a personal webserver with a reliable backup strategy, since Bitwarden_rs barely uses any resources and is super easy to install, you might as well throw it in.
That's my case - I was already running a personal Nextcloud and Fediverse instance, so adding Bitwarden was like five lines of docker-compose and four of Caddyfile.
You don't have to have it exposed to the internet. Without an active connection, clients can't make new passwords/sync, but you can access previously saved passwords that are already synced.
It also doesn't have to be exposed to the internet. You can have it accessible behind wireguard for instance.
I have it, a DNS server, cloud storage, etc on my home lan, and use wireguard to access it on the go.
The switch from a paid for app to a renting app is my least favorite thing to come out of 1Password. I'm still on an older version that works on my laptop, desktop, iPhone, and iPad. I have a family license that allows up to 5 computers (I only use 2). My iDevice and laptop all sync via WiFi to the desktop. No iCloud, Dropbox, or whatever needed for syncing.
Personally, I'd trust one of my servers far more than a client shouting "yo someone send me a file to overwrite my db with" over multicast on the local starbucks wifi...
> Not knocking the project, which sounds cool, but the absolute last thing I want to self host is a password database exposed to the internet. Hard pass on that element.
I have the exact opposite feeling.
I would not selfhost email but I would selfhost a password manager and my files behind WireGuard, like many have said.
I have almost moved from cloud hosting to home server. This is perfectly reasonable for non critical services that don’t require more than 90% availability. The simplicity of such a setup nowadays is a breath of fresh air. Debian stable, WireGuard, syncthing, ssh, git, ... all are low maintenance and work fine with Linux and iOS clients.
There is no support for syncthing on iOS. I managed to get it halfway working on ish, but it’s just not there, so as of now, I use the shellfish ssh app, that allows to sync folders, through WireGuard also.
Note that I use syncthing for the casual read only "important documents", such as ID copies, tax documents, ebooks, etc. I don’t sync photos, movies and such.
Most editable documents are in git repos.
I sometimes work on my iPad, and then I use a ssh client or the ish app (a shell, with vim, etc).
I have used this setup for years, and it’s just low friction, low maintenance for me. I have thought about using an own cloud/nextcloud setup, but it’s just too much work for little value. Like running gitlab instead of ssh and git.
I'm concerned about self hosting a service like this as well, so I put mine behind an nginx reverse proxy that requires a client cert for auth. That way, an attacker won't even be able to reach the bitwarden server to try to get in (unless there's a vulnerability in nginx).
You can host it all behind Wireguard. That way, an attacker doesn't have access to your Nginx proxy. After all, why would the whole internet need access to your Bitwarden server (or a reverse proxy serving it)?
Yes, this is a fantastic project. The official Bitwarden Docker image is kind of wonky, it needs some sort of license and you have to generate the docker-compose.yml, etc. It really doesn't make for a good automated process at all.
bitwarden_rs on the other hand, works just fine, never had an issue with it or incompatibility with the browser extensions or mobile apps.
The official one uses MS SQL server and takes quite a bit of memory (which I call a hidden monthly cost as I need to be using a bigger cloud instance) but this one only takes so little, you can host it on any cheap VPS and it has been working just fine against official clients for years.
Seconded. I tried a lot of other ones before settling for Bitwarden about two years ago. It's easily the best and most hassle-free one that covers all of my use cases. (Tried LastPass, Keepass, 1password, and a couple others)
bitwarden looks cool. what parts are open-source and what parts are closed? (are all the premium features closed-source or are they just charging for that in the hosted-by-them version?)
In the past it was entirely open source, though the hosted version did check for a license key before enabling the premium features. That said, the code for the premium features and the license key check were themselves open source.
I see some of the newer premium features, particularly around SSO, are under a noncommercial visible source license of their own devising though.
And doesn’t force you into non-local sync. Passwords are one thing I’m not comfortable moving to cloud. After using 1Password for about 9 years I switched to BitWarden this year - just for this reason.
I'm talking about the program, not their website. It makes you enter an email before you can do anything. Says "Log in or create new account to access your vault", with a "Create account" button that asks for an email.
In my opinion, it should be a bare minimum for something as important as a password manager to be free software. Others have mentioned Bitwarden and Keepass in this thread, both of which meet that criteria, but personally I'll stick with pass since I don't need a GUI.
Huh, you are saying that something that is so important you want for free, and that the company building this product for you should forgo money and work simply for free? Wouldn't the opposite make far more sense, that something that is so important you should pay 'more' for? There are free options that you are welcome to, but people who want more pay for it.
Nowhere did I mention money. It's primarily a trust issue when it comes to proprietary solutions like 1Password safekeeping your passwords. Look at Bitwarden for example: "All of our source code is hosted on GitHub and is free for anyone to review". Yet they have paid plans for individuals and businesses.
The only way to guarantee that your keyring is secure long-term is for the source code (and change history) of your password manager to be inspectable and verifiable. A promise made by a corporation is not sufficient.
You can pay a corporation to buy a product with more features or better service. But you can't pay a corporation to hold or maintain a principle. There will always be someone who can offer them more money to hold the opposing principle. Principled people who work for a corporation eventually leave and are replaced with apathetic or differently principled people.
In this case, the principle is the privacy and security of the credentials in your keyring. How much money do you think a bad actor would be willing to pay for these? How much money do you think a bad actor would be able to pay to a corporation that secures credentials for a huge number of users, and who can push arbitrary updates without pesky source code validation getting in the way? You and I don't have enough money to win this game.
Look at another high value target for comparison -- browser extensions that have a large installed userbase. Browser extensions are frequently bought for tens to hundreds of thousands of dollars by ad/tracking/malware vendors in order to quietly replace the extension with one that does their bidding, without the users' knowledge.
What's the solution to this problem? Open-source, inspectable, verifiable software that is maintained by a person or a community that shares your principles. I trust the work of Jason Donenfeld (pass, wireguard) and Raymond Hill (uBlock Origin) more than the work of any corporation selling a similar product at any price.
The incentive structure of corporations in general precludes them from being given the level of trust required for certain products.
And what makes you think that Jason or Raymond won't wake up one day and decide they had a change in principles? Just like people, companies have reputations and values. Individuals are not immune to malevolence.
Companies swap out their internal functionaries regularly, and regression to the mean suggests that as an organization they're likely to lose any principles they may have started with.
People can certainly lose their principles, but from observing past behavior (e.g. the number of times Raymond has told moneyed interests to fuck off), I believe that certain people are capable of holding certain principles for longer than a corporation would be able to.
Secondly, these individuals and communities recognize the inherent problem with needing to trust them, so they jump through hoops to make sure that publicly available binary builds are reproducible and verifiable. They publish their open-source software in a way that doesn't require you to trust them as much as you would need to trust a corporation with a closed-source product.
Not only do many corporations not bother doing this, many corporations that maintain open source products deliver binaries that obviously have more stuff baked in than their source code would suggest. For some categories of product, like a password manager, open source with reproducible builds is table stakes, not an optional feature.
You can absolutely pay a company to hold a principle.
Consider the number of companies now who are promoting sustainability as a core value, because it gives them an edge up on competition in big government tenders.
More common than you'd think, especially in physical product supply!
That's... literally the opposite of holding a principle. They're doing a thing that they don't otherwise care about because it results in an advantage today. What happens when the money runs out? When the fad shifts? When someone offers them more money to do something that conflicts with this principle?
You hold a principle because you believe (logically, axiomatically, morally, etc.) that it is correct, regardless of all other incentives that might pull you towards or away from it.
If the only reason that someone claims to hold a principle is because you're paying them, they're not actually holding that principle.
The latter in particular means that if there's a thing you wish the software did and it doesn't you can fix that.
The more central to your everyday life something is, the more important that is. We take this for granted elsewhere in our lives.
You buy a refrigerator, the fridge company doesn't get to tell you that too bad you're only allowed to keep soda in their $80 dedicated "Soda rack" and that little shelf is only for vegetables - you can just put your soda there anyway, and if you want you can even make or buy a gizmo that dispenses cans just the way you want, screw their $80 plastic garbage, you made one from stainless steel scrap at community college.
You can take Free Software like pass to pieces to understand how it works too.
The thing I keep coming back to is how it uses 'tr' to get random passwords, because it's so simple and yet when you step back it's obviously the correct design. The method goes like this:
Unix 'tr' has a mode where it just ignores all input except the character classes you selected which pass through. So e.g. you can say you want passwords with just A-Z0-9. Hook it up to /dev/urandom and the device spews random bytes into it. All the ones that aren't acceptable are just thrown away. Then you catch the desired length of output from 'tr' and you're done.
I've seen software attempt to try to bodge a budget of random bits into a fixed character set, which is very difficult to do safely and correctly - but 'pass' just doesn't try to do that at all, why bother when you can make as many random bytes as you want anyway?
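The two generation strategies the comment contrasts, rejection sampling (what the `tr -dc ... </dev/urandom | head -c N` pipeline does) and forcing bytes onto a fixed set with modulo, side by side. This is an added example written for this thread, not code from pass; the function names are its own, and it also gives the exact bias ratio and acceptance rate for any character-set size, which the comment only describes qualitatively.

```python
import math
import os
import string

DEFAULT_CHARSET = string.ascii_letters + string.digits  # what tr -dc 'A-Za-z0-9' keeps


def filter_stream(stream: bytes, charset: str) -> bytes:
    """The tr -dc step: pass through bytes in the character set, discard all others."""
    allowed = frozenset(charset.encode("ascii"))
    return bytes(b for b in stream if b in allowed)


def generate_password(length: int, charset: str = DEFAULT_CHARSET, read=os.urandom) -> str:
    """Rejection sampling: keep pulling random bytes, keep only acceptable ones,
    stop once `length` have been collected (the head -c step). `read` is the
    byte source; the default is os.urandom, a test may inject a fixed stream."""
    if length <= 0 or not charset:
        raise ValueError("need a positive length and a non-empty character set")
    if not charset.isascii():  # tr works on bytes; multi-byte characters would be mangled
        raise ValueError("character set must be ASCII")
    out = bytearray()
    while len(out) < length:
        out += filter_stream(read(256), charset)
    return out[:length].decode("ascii")


def naive_modulo_password(length: int, charset: str, read=os.urandom) -> str:
    """The 'bodge' alternative: fold each byte onto the set with modulo. Unless
    len(charset) divides 256 exactly, the low-index characters come out more often."""
    return "".join(charset[b % len(charset)] for b in read(length))


def modulo_bias_ratio(charset_size: int, byte_values: int = 256) -> float:
    """Probability of the most likely character divided by that of the least likely
    one under modulo folding. 1.0 means no bias (only when the size divides 256)."""
    return math.ceil(byte_values / charset_size) / math.floor(byte_values / charset_size)


def rejection_acceptance_rate(charset: str) -> float:
    """Fraction of random bytes the tr step keeps; the rest are simply discarded."""
    return len(set(charset.encode("ascii"))) / 256


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of an unbiased password of this length over this alphabet."""
    return length * math.log2(charset_size)
```

For the 62-character set the rejection approach keeps about 24% of the bytes it reads, so a 20-character password costs around 80 bytes of `/dev/urandom`, which is nothing; the modulo approach makes `a`..`h` 25% more likely than every other character, and no post-processing of the output can undo that.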
> The latter in particular means that if there's a thing you wish the software did and it doesn't you can fix that.
Yeah, that's not really relevant to me... Along with ~99.5% of people out there, I will not be fucking around making customizations to my password manager. There are things you tinker with, and then there are things that hold passwords to your financial and professional life. I have not yet and will not anytime soon be rolling out my own crypto or my own password manager and trusting it with real-life credentials.
This is pretty cool. I am a long-time super-satisfied user of pass (https://www.passwordstore.org/) for all my personal needs, but my work uses shared vaults in 1password and this will make dealing with that a lot more smooth it looks like.
The reasonable person inside me wants to use a password manager, yet the paranoid in my brain is terrified. I read all those texts explaining why password managers are better, yet I am still afraid. I keep thinking in attack vectors such as someone compromising the Play Store and submitting a malicious app or other similar stuff.
I even have a Bitwarden account and have some passwords stored on it.
I also considered "offline" managers like KeepassXC, but synchronization gets way worse, and there's also the issue about trusting someone else with your mobile apps.
I will probably end up convincing myself and keep using Bitwarden more at some point, but I will also probably do some kind of password peppering/salting along with it.
> I also considered "offline" managers like KeepassXC, but synchronization gets way worse, and there's also the issue about trusting someone else with your mobile apps.
I'm using KeePassXC. Originally between three computers (Debian desktop, Debian laptop, and Microsoft laptop) where it was part of my git repo that I'd sync in between the machines as needed (git repo hosted within my own instance of gitolite, btw).
I've migrated more functionality into Syncthing - so now it's very rare that I ever need to do a manual merge within KeePassXC (which was always a robust operation anyway). KeePassXC has a setting to reload from disk if it sees that the password db file has changed, which makes this process seamless.
Part of my Syncthing setup is that I have a receive-only copy of my various repos on a Debian VM that runs a couple of archive tools (dirvish and borg) which provides for point-in-time restorations if needed.
So - I'm wondering what synchronisation problems you've had, and what you've tried. And what alternatives there are to trusting someone else's OS (replete with non-free components) on mobile, along with someone else's bundling of code into mobile packages?
There's a handful of keepass-compatible android apps, some of which are GPL, and Syncthing can keep a copy on Android easily enough, but ultimately there's a lot of trust in mobile land no matter how you slice it.
Yeah, I find synchronization the least of my problems with the Keepass family. The file format uses GUIDs internally for most changes and most conflicts are easily merged/fixed. The fact that it is synchronized as files gives a lot of flexibility in options. You can use whatever cloud file sync provider you trust that month, and you have the flexibility to switch providers as your trust model and/or threat model change.
Mobile OSes are finally making it easier for arbitrary "file" sharing between such apps. (The iOS Files app is finally "decent" for this compared to just a few years ago.)
A similar file sync option to Syncthing I like to point out is Resilio Sync, a P2P device-to-device "torrent-like" sync tool. Among other things it also supports "encrypted shares" that cannot read inside the share but can still participate as a "seed" in the torrent-like share. Resilio Sync is relatively a lot more closed/commercial than Syncthing, but its torrent-based underpinnings make it sometimes much faster with large shares. (As with everything, trade-offs to be made based on your personal threat model.)
Yes I always wonder why keepassxc does not get mentioned more when password managers come up. It's really an excellent piece of software. Some of the features that are crucial for me:
1. ssh-agent support
2. Browser plugins
3. Can provide secret service (i.e. be a substitute for gnome-keyring and kwallet)
4. Excellent oss android client
5. Absolutely snappy, starts in an instant, compared to electron apps it's like day and night
It also has yubikey support or can support other key files, which is good if you don't trust your cloud sync for example
I use Rclone to sync the database to online storage. It is not triggered automatically, so every time I change the database I need to manually run a one-line script. But it's not that bad because once stable, one doesn't change the database often. Rclone also supports strict one-way copy. On the mobile side, Keepass2Android can automatically sync down the database.
What's your baseline? While there are theoretically more secure alternatives to using a password manager, the vast majority of people don't have the discipline or skill to implement them effectively.
Password managers make security tradeoffs, providing a nice balance of convenience and defense against many of the most important attack vectors.
So while it is of course possible to come up with basically endless possible attack vectors for password managers (and indeed all software), it is most likely not a productive exercise.
Also, a small tangent, but if someone compromises the play store and is able to install malicious software on your phone, there are plenty of ways for them to get your password that don't involve password managers.
> the vast majority of people don't have the discipline or skill to implement them effectively.
I'd go so far as saying -- most people who think they have the discipline and skill, don't. Or rather, maybe they have it maybe for a few passwords (email, online banking, work, machine passwords).
But it's almost impossible to do well once you cross ~20 passwords. Remember trying out Goodreads years ago? Well, turns out someone's hacked into your account and is posting reviews critiquing travel books for not buying into Flat Earth Theory. You only notice when searching for your name on Google. Or even nastier scenarios.
I definitely have some password manager anxiety. I'm not too concerned about hacks or losing my password database. For me, it's more about the sense of independence, and being able to log in to my accounts using just my noggin. I might be able to remember one or two strong passwords, but not dozens, which is kind of the selling point of a password manager.
I use KeePassXC with a password and key file. I sync the database, but not the file, using Syncthing. On the whole a satisfied customer, although the browser integration isn't perfect.
password managers feel like vendor lock in. what happens if i need to move to another manager, or i need to sync everything to my phone. they go out of business, they decide to charge more. or if i pay for it and now i cant pay for it anymore.
if i sound like an idiot, id love to hear why btw! heh
I use 1Password, and they have an easy CSV export. The lock-in is very weak.
If they were to suddenly disappear, or I can't pay for it, I still have the local copies on my devices that I could export and move to some other system.
I started off with keepass, then moved to lastpass for better sync, then moved to 1password because I didn't like how lastpass works. Each of them support various forms of exporting/importing logins, so there's not much risk of vendor lockin with those. I'd assume it's the same for other managers, but you'd have to check.
My biggest issue has been that I only saved passwords when I started with keepass instead of username+passwords, which lastpass all imported as secure notes instead of logins.
Oh, I would not want to use any kind of password manager with built-in synchronization either; an integrated solution presents a much more attractive target for black hats. I've been using KeePassXC and its predecessors, and sync to other machines using Git+SSH (no third party hosting either) and to my phone using adb for a few years now. YMMV.
In addition to all other people have said, many accounts still have 2FA as secondary protection. The cost for them to 1) compromise the whole Play store; 2) Make you update both the password manager app AND authenticator app; 3) Make you login to a valuable account is way more expensive than just install a keylogger or try various scams.
As the joke tells, I don't have to beat the chasing bear behind me, I only need to be faster than the guy running alongside me.
You aren't the only one. Those "fancy" apps are too complex IMO to be trustworthy. Neither are other people's computers (aka clouds).
My secrets are stored in plain text files which are encrypted with GnuPG. Emacs (and vi too) can handle encrypted files easily, even on an Android device using the Termux (i.e. Debian) app. Syncing with rsync (even version control software is an option) works and with a bit of discipline is not a major problem.
It is a bit like eating self-made food or eating what others cook. You have chances to get poisoned in both ways. I would choose to eat food prepared by others if I am not confident in my cooking skills.
Recently tried out every password manager as I was sick of LastPass being glitchy with some websites. I’m using OS X and iOS exclusively, with Safari, Chrome, and Firefox.
After trying out 1Password, Dashlane, etc. I returned to LastPass - contrary to most of the reviews I found online, LastPass works much more smoothly with most sites and apps. The integration with iOS is much nicer. I found the gap between LastPass and everything else was sufficiently large that it was a no brainer to switch back.
I’m still occasionally frustrated with LastPass, but having seen what the alternatives are I won’t be revisiting them for a good few years.
Electron has nothing to do with ChromeOS. In fact ChromeOS could not run Electron apps until the very recent "Linux app support" that's still not available on all devices AFAIK. (Or developer mode hacks + awkward ways of exposing GUI to Chrome that don't support GPU acceleration.)
Another one that didn't get the message that shipping Chrome as application runtime, with Chrome specific APIs, not available as Web standards, is hardly any different than turning the Web into ChromeOS.
Your post above reads like an incorrect factual statement, not vague message.
Either way, Electron's APIs for using native parts of the app from the web part are purely Electron's and DO NOT exist in other Chromium based products.
Personally I find the 1Password X browser extension is perfectly fine for my 1Password needs on my Linux desktop. That said the extension probably isn’t as good if you have a lot of server passwords or accounts you have to enter a lot in desktop apps. This isn’t a problem for me because I only use 1Password for web logins anyway, my various network passwords are easier to organize in pass.
> That does not come with a simple way to have your passwords and automatically though.
I suspect a typo, but could you describe the problem in more detail? I'm using KeepassXC, and while there are a few challenges around workflow, there's nothing insurmountable.
I guess for most of us on HN the big delineation is -- can you sync your password store easily (and exclusively) to your own systems, vs can you sync easily with a remote managed service.
I'm very much in the camp that eschews the latter.
As per my comment elsewhere in this thread, I've got a reasonably robust arrangement using a combination of Syncthing and KeePassXC, which so far has worked well for me.
I want to use KeePassX/KeePassXC but haven't really found any iPhone clients with Dropbox syncing + Face ID unlock. So still with 1Password even though I'm not a big fan of it anymore. It works, so there is that.
I have been using LastPass for many years. There's an extension for Chrome and for Firefox. On Android I use the app and even though the experience is not that "automatic" it works.
I am surprised nobody mentioned LastPass. Is there any reason I should know?
LastPass was bought by LogMeIn, which raised some eyebrows. More recently, LogMeIn was bought by private equity vultures. That raises alarm bells for more people.
It was that plus experiencing a lot of bugginess in their apps that got me to switch to 1Password. It's been a huge improvement.
I started moving the day LogMeIn acquired them. Lastpass used to have a very open policy of notification for potential security issues and I trusted them as much as one can trust a SaaS vendor. IIRC LogMeIn completely ignored a number of security issues in their applications and refused to acknowledge vulnerabilities.
I moved from LastPass due to various security concerns, but in Chrome/Linux 1Password is a worse experience. LastPass is just smarter about creating accounts and assigning new passwords, or updating if you change them.
I've been using it for years. There are a few annoyances I have with it, mostly on mobile integration, but not enough for me to try to migrate to another platform.
I'd be curious if someone could explain why it would be worth the effort to transition from LastPass to some other provider.
Nah you're fine. There are other good alternatives but Lastpass does the job and that's fine. They do have a lastpass-cli which is quite nice to have as well. It operates somewhat like pass.
The 1Password macOS and Windows clients can be bought stand-alone, but their newer clients (such as the command-line client, for some reason) are subscription-only. It's confusing, and it looks like this Linux client is also subscription-only.
The 1Password macOS app is not subscription-only; the standalone purchase is just fairly well hidden because it's not the recommended path: https://support.1password.com/upgrade-mac/
This topic inevitably comes up on every HN 1Password thread.
> the standalone purchase is just fairly well hidden because it's not the recommended path
I don't care how many arguments they bring to the table that the subscription model is superior, the things that matter are still "broken" in the subscription model: Control over my data and "cost control".
With a standalone license I can control where I store my sensitive information, and don't have to rely on 1Password doing the "right thing" and protecting their servers.
I can also choose if I want to upgrade, or if the current version is good enough for my needs.
I will never pay a subscription for any software.
Yes you can. Some YubiKeys support NFC (not sure if that works on iOS though), but also you can use USB-A <-> USB-C converter, USB-A <-> microUSB converter, or just a USB-C or lightning YubiKey, or convert to lightning I guess.
I use keepassxc on Dropbox. It syncs everywhere and if I have doubt about its cryptography, I browse the code, see at least what libraries it’s using, check the forks, read reviews and commentary on the source code, etc.
Maybe 1password offers UI to organizations. But for individuals and small groups, it seems to offer fees and less provable security.
In the spirit of throwing things out there: keepass/keepassx and keepassdx database(s) synced via nextcloud or syncthing is a dream. My passwords on all my devices and under my own control. Can't beat it.
This isn't ready for beta: no ability to delete logins, no ability to generate a new password or create a new login, no context menu, and not even a Cancel button for the user who starts to edit an entry and then realizes that they can't regenerate a password.
I've been using gnupass for a few years after using LastPass. I couldn't be happier. I control the codebase and all changes made to my password store via my gpg key. It's easy to use, easy to store on multiple repositories.
I have been using lastpass for more than 10 years and honestly I do enjoy the ease of use, for example biometrics on the phone. Should I switch? Is it worth the time investment?
Lots of people saying they will only use an open source password manager - fair enough, that's your prerogative. But I think it's unfair if everyone just complains that this isn't open source. First people complained that 1Password wasn't on Linux. Then they made a browser extension that works on Linux, and people complained it wasn't native. Then they make a native application, and people complain that it's not open source. That's not their business model, that was never on the table. But it's worth celebrating when Linux is gaining support, even from proprietary companies. It's good that Steam supports Linux even when FreeCiv exists. It's good that Unity supports Linux even when Godot exists. Let's give 1Password some credit for supporting Linux - thanks guys!
I mean, I agree with the principle of your argument, I'm not really one to care _too_ much about specialised programs like this being closed source, especially if they have well defined migration paths and so on.
However, this has been _years_, 8 or 9 by my quick check on the App Store.
First there was the "agilekeychain" and the python libraries (blimey) to read from it, so I could kinda do my thing on linux, but then it was deprecated and they spent 18 months trying to create a CLI variant that on arrival basically never worked.
Then they pushed a subscription model which was rather expensive for the functionality too, and after paying for new versions a few times I felt a bit annoyed, and I still could not access my passwords from Linux anyway..
Then they pushed really hard for their own hosted sync (for new vaults at the very least); And without dropbox I couldn't even sync to linux. I'm not sure if they went back on that.
Either way, the problem is not that it isn't open source per se.
The problem is that it's an incredibly closed ecosystem as it exists today, and an expensive one - maybe you're better off looking at equivalently featured, free, and more open options... of which there are many.
No, I don't think it's the same people. But I wish the people pleased by this development would be more vocal. As a developer, I know just how discouraging it is to make an improvement and all you get back is complaints. I don't think the devs at 1Password deserve that treatment for taking Linux seriously as a platform.
It's not a very direct alternative. 1password uses a server and keeps everything in sync for you automagically, while on KeepassXC you have to sync your devices yourself (with some help from them). The more open source alternative would be the aforementioned Bitwarden.
I think managing your devices sync yourself is an upside, since you can establish yourself to where you sync and how. But it is more complicated to set up as a downside.
Having to sync passwords manually sounds like a hassle.
With 1Password all my credentials are on all my devices, always up to date. It integrates with the password management APIs on iOS so I can create an account on a computer and log in using this same service's app on my phone seconds later and the password will already be there, I just have to stare at the device for a second and I'm logged in.
It's all incredibly seamless and I can't imagine having to go back to managing passwords manually.
> exfiltration of all your passwords is only one of those being compromised away at any given point
No, that's absolutely not true.
Those dependencies will not automatically update in your local app. The 1password developers should be auditing all updates to those dependencies too, and if you trust the 1Password developers to be competent, then you don't have to trust 25 random developers.
Furthermore, this isn't unique to electron apps. If they wrote this in c++, you'd still have to trust 1password devs to audit a dozen libraries they'd vendor in.
It is a perfectly legitimate concern that npm dependencies are a threat vector. Obviously, at build time - but we've all heard stories how less security conscious developers let malicious code slip through with just `npm update`.
And compared to, e.g., C++ tooling (npm) makes it somewhat easier to slip a malicious update through. So it's not like that's strictly incorrect.
The concern is that it is not exactly clear what processes AgileBits have in place and how they manage those dependencies. They could - and probably do - do things the proper way (private registry for all dependencies, etc), but the concern that they're accidentally missing something is perfectly valid - albeit voiced incorrectly (as a statement that it is insecure, not a question of whether they do things in a secure manner).
Brain farts just happen, even to the very best developers and teams.
The article says that it's written in rust, and also implies that it is a gtk app. That doesn't sound like an electron app to me. Did I miss something?
It's definitely an electron app. It may incorporate some rust code as well, but it also rolls in approximately the entire Chrome codebase. The decompressed AppImage is 208MB, which is mostly chrome (electron) by size.
So after ignoring Linux users for 10 years they finally decided to grant us their support. I feel my money is better spent supporting vendors who support Linux early on and do not view it as an afterthought. I will stick with LastPass.
Both of those are insanely expensive to create (movies, tv, and commercial music) and bandwidth intensive.
1pw can count the average user's bandwidth in kilobytes per month. And while the software is refined, it’s about 1/1000th the complexity and infrastructure of Netflix or Spotify.
$5 is the one-time cost of a paper alphabetical index notebook that will store your passwords for decades, will never get hacked, will never fail and will never be shut down.
> It blows my mind how you can be smart enough to use Linux
Please don't overstate the intelligence required to use linux. It's not that high.
> ...and still use a proprietary closed source "password manager" on it.
People run plenty of proprietary closed source software on linux. This can include password managers, because perhaps they prefer it. Also a password manager of all things is something most people will need to use cross platform, not solely on linux.
> If it was something unimportant, like a game, ok. But a password manager? The key to all your digital life and secrets...
Games being another proprietary closed source application people run on linux. Games still present meaningful risks to your computing and privacy.
> And in addition from an American company that will upload your (encrypted) passwords to a cloud in US?
AgileBits is a Canadian company.
> And in addition, I find it deceptive that they try to confuse the potential users by pretending to be somehow involved or concerned by open source.
A company can be involved and concerned with regards to open source without releasing a product that is open source. Microsoft releases and contributes to a lot of open source software but Windows and Office are both closed source.
It is worth mentioning that even if you're using an open source manager like Bitwarden, unless you're compiling your own apps and servers you're not really guaranteed to be running the code they host on github.
Honestly, I think your opinion is unpopular because it demonstrates a serious lack of understanding or thought.
If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised. In the case of a password manager, the manager itself is the one that needs to be compromised, and you have more reason to trust them to avoid being compromised than some other random site. Some random sketchy website being hacked doesn't need to affect the rest of your network of logins if you use a manager.
Most password managers (such as 1password) won't let anyone from any machine access your stored passwords over the web by just supplying your single password. They require multiple extra steps that are quite limiting, so for the most part they first need access to a computer that you've already installed your password manager on.
Furthermore, if your password manager is compromised, you have a very clear path to your password on that manager, and then a list of all the websites, usernames and passwords that you need to change in order to regain security. By contrast, I'm still rediscovering old websites I used 10 years ago that used my old omni-password which was compromised.
> If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised.
And speaking as someone that operates a website accepting passwords, this happens more than you'd think. There are hackers that actively try leaked lists of username / passwords against websites using botnets. If your password is leaked by one website, people will attempt to reuse it on other websites.
Even if stand alone app vendor goes away, the app still works. There are things that I see are okay as a monthly service like Netflix or other content provider where the content is literally changing month to month.
Stand alone software that rarely changes, like 1Pass, does not warrant a monthly service fee from me. I am self-hosting the content, so I don't need their cloud services.
Playing devil's advocate here, but the service fee (at least to my mind) is more for the maintenance & upkeep of the infra.
I'd gladly move to self-hosting if it was only me. But after a few months, I was able to convince my wife to use it for convenience and security. So if there's an issue with the self-hosted version, it wouldn't just be me impacted, but my wife. And that's an SLA you don't wanna break. :D
Also, while I know I could probably do a decent job securing the hosting server, I would rather not have that on my mind. That's not my day-job, so I'll leave it to a team of people who are paid to do that.
Lastly, the service fee is $60/yr, but for sake of argument, let's call it $100. That's 2hrs of my time at my hourly pay. If setting up a self-hosted version takes me more than 2hrs to get it running, it's not worth my time.
Haha, those are great points. However, if you make $50/hour and it takes anywhere close to an hour to install 1Pass, you're overpaid!! The install is super simple. Setting up the passwords is an ongoing thing and something I consider outside of the initial setup of the self-hosted version.
Ha! I was referring to a self-hosted password manager. I looked at keepass some long time ago (in internet time anyways, likely 4ish years ago), and after starting to get things hooked up and trying to demo it for the spouse, I realized that it wasn't worth my time.
I'm 1000% behind them existing and am planning to toss them a donation cause I like that these FOSS alternatives exist, but I'd rather not have to manage my own in the end.
I've gotten past the stage of wanting to do it all on my own and hit the point where I'd rather pay a company to do it so I can go about the things I want to do in my free time (hobbies and spending time with my kids). I know it means I'm potentially trading privacy for this convenience, but it's something I've accepted in this case.
My new campaign is to convince the spouse that we should move away from free email into paid.
I too do not begrudge someone trying to make a business model work, and I'm happy for anyone that uses that model to stop using the same username/password combo for everything. However, due to the sudden and unexpected loss of all income thanks to pandemic, I have totally given a re-think to my old saying of just throw money at the problem. I'm now one of those old farts that looks past the "affordable" monthly fees to how much extra it's costing rather than owning out right. The big exception is if the monthly expense allows me to make enough money the monthly expense makes sense.
Hacking aside... there are many ways in which it can go wrong:
- There can be an outage and you get locked out of your keys. You can have a connectivity issue to the service.
- The service can be discontinued or they could randomly terminate your account based on some automated system decision by mistake, sometimes with no right to appeal...
- They can change leadership and start mismanaging the service, or start selling your data like the services you use and such.
- They can start cutting corners and rushing unsafe things live.
- They can offshore all their development and reboot the team somewhere cheaper, at the expense of introducing defects during the transition.
- They can be ordered by a government to have a backdoor.
- There can be disgruntled employees, infiltrators, bad hires, malicious employees, etc...
And finally, they're a famous service that is known to have the keys to many other systems. This makes it very lucrative for a black hat to attempt to hack them. Even smart, dedicated people are not safe from 0day vulnerabilities that nobody knows exist.
Many things can go wrong. And what happens when they do? You can get locked out of essential services you need, or someone can ruin your life, force you to pay a ransom or even make you homeless if they wanted to.
Then, there are other aspects I don't like much. You can set a secure password, but then your browser will ask you to remember it. Some services allow you to skip MFA in a trusted computer... so then all your stuff is simply behind physical access to one of the trusted devices.
I don't know, it just doesn't feel right to me.
And by the way: I started by saying it's an opinion. It's an unpopular, provocative opinion, but I was honest enough to communicate it was indeed an opinion. I did not say it was a fact. Opinions are subjective, facts are not.
Regarding outages, services such as 1Password allow you to locally save your keys. An outage might interrupt synchronization, but you won't lose access.
As far as the other concerns, I'd say these concerns are all present in the 'single password re-use' strategy as well, except instead of choosing one single company to trust over your stuff, you now have to trust every single website you log into to safeguard your passwords, lest a malicious actor gets access to everything.
I agree there are downsides to services, but I disagree very strongly that the situation with services is no better than just re-using a password.
You're totally right. As long as you have a different, secure password for every site and service, and you keep a careful list of all of them, and make sure to keep this list backed up, and encrypted, and sync this list across your devices so you have access to it when and where needed, then you totally don't need a password manager.
...oh wait, that's literally a password manager. Sometimes opinions are unpopular for good reasons.
Presumably the alternative to 'a password manager as a service' is 'a local password database and password manager which is not a service'.
This can be something like password store, or keepass, where the attacker needs both your password database unlock key / gpg passphrase, but also needs access to the database / gpg keys, which means either physical access, or at least access to your local files.
I think there is some merit to pointing this out. If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.
I use password-store, and I could tell you my gpg passphrase right now, but you still couldn't access any of my passwords. You'd need to get access to my yubikey and my password repository before you could do anything with that passphrase at all.
I think it's true that a setup like mine, which requires a physical hardware token to decrypt my passwords, is more secure than a password service, however I also think the parent comment is totally wrong. 1password without a hw token isn't the most secure option, but it's way better than password reuse on random sites.
I've never used 1Password, but both LastPass and Bitwarden support hardware tokens like Yubikey for two-factor authentication. Keeping the encrypted store locally might give you some edge, but I personally need to be able to access secrets from more than one device, and once you allow external access then the advantage of your solution compared to hosted services disappears.
I don't think the advantage completely disappears.
Let's look at one possible attack: the attacker knows all my passwords, and they manage to steal my laptop from my car. What can they do in each scenario?
In the case of lastpass, bitwarden, or keepass, the attacker now has all my passwords. The 2fa token was used once in the past, so all the passwords are stored on the device, protected only by a password at most.
In the case of password-store with my gpg-private-key on the yubikey, the attacker still can't decrypt anything unless they also stole my yubikey, which I never leave unattended.
The fact that my private key on my yubikey isn't just required to sync or login (like it is for the 2fa case), but is rather where the actual decryption is done every single time I access a password, does make a difference.
I don't think the difference is very large though, no.
> If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.
They would need to guess both your master password and your 128-bit secret key.
I can agree that a 'password manager' as a service is less secure than a 'local password database that's not a service', but that's not the comparison the OP made.
They compared passwords as a service to reusing a single password and said it was the same, which IMO is foolish.
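The "both the master password and the secret key" point above, as an added illustration that is not code from 1Password or from any commenter: a simplified two-secret key derivation in Python, modelled loosely on the design 1Password documents but not its actual implementation. The email, salt, iteration count and HKDF labels are constructed sample values; the property shown is that a vault key derived from both secrets is useless to someone holding only one of them.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """128 random bits: the half of the key material that never leaves the user's devices."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, secret_key: bytes, email: str,
                     salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a 256-bit vault key that depends on BOTH secrets (simplified model)."""
    ident = email.lower().encode()
    # Bind the server-stored salt to the account identity before stretching.
    pw_salt = hkdf_sha256(salt, ident, b"password-salt")
    # Slow stretching of the human-chosen (and therefore guessable) master password.
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), pw_salt, iterations, 32)
    # The secret key is already random, so it only needs expansion, not stretching.
    sk_key = hkdf_sha256(secret_key, ident, b"secret-key")
    # XOR the halves: a correct guess for only one half still gives a uniformly wrong key.
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


# Constructed sample values for the demonstration
SAMPLE_EMAIL = "user@example.com"
SAMPLE_SALT = bytes(range(16))
SAMPLE_PASSWORD = "correct horse battery staple"


def demo() -> dict:
    """Compare the real vault key with what an attacker holding one secret can derive."""
    sk = generate_secret_key()
    correct = derive_vault_key(SAMPLE_PASSWORD, sk, SAMPLE_EMAIL, SAMPLE_SALT)
    # Attacker learned the master password (e.g. via phishing) but not the secret key.
    password_only = derive_vault_key(SAMPLE_PASSWORD, generate_secret_key(), SAMPLE_EMAIL, SAMPLE_SALT)
    # Attacker obtained the secret key (e.g. a stolen device) but guesses the password.
    secret_key_only = derive_vault_key("password123", sk, SAMPLE_EMAIL, SAMPLE_SALT)
    # Legitimate user with both secrets on a second device.
    both = derive_vault_key(SAMPLE_PASSWORD, sk, SAMPLE_EMAIL, SAMPLE_SALT)
    return {
        "password_only_matches": correct == password_only,
        "secret_key_only_matches": correct == secret_key_only,
        "both_match": correct == both,
    }


if __name__ == "__main__":
    print(demo())
```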
Well since this discussion is in a thread about 1password I think it's worth pointing out that 1password doesn't even support SMS as an MFA option [1].
Edit: I checked: neither the macOS nor Windows version uses it. So it's not even that they think Electron is acceptable for high-quality desktop apps. They just don't consider Linux important enough to make a high-quality app for it.