People thinking this is an absurd amount of money are sleeping on how 1Password is quietly positioning itself to become the ground truth storage solution for corporate secret management, across devops and non-technical groups alike.
Given Hashicorp's market cap of 11B, and 1Password's narrative on how to become even more central to corporate use cases by being the storage layer for Vault deployments, it's a very reasonable leap for them to make!
Pretty typical for people here to be zoomed-in on the b2c side of a business because that's what they use, and fail to see the b2b side, the underwater mass of the iceberg.
I think people can see that this is targeting businesses, but they're not happy about that because they're non-business customers.
It doesn't bode well for the future direction of what has up to now been a good consumer-focused product.
Like how Dropbox has gone from "a folder that synchronizes your files" to "an electron app for having discussion threads about files" because that's what business customers want.
Hopefully the consumer marketshare has some influence on business decisions, which might make it worthwile for them to keep non-business customers. This kind of strategy certainly works for some professional software, which is often even free for students.
I suspect 1Password sees features like iCloud Keychain coming and is trying to grow into other markets because a "good enough" built-in password manager will significantly decrease their value proposition in the consumer space.
Not great if you like their product as a consumer, but 1Password's biggest feature differentiator right now is better family sharing than iOS provides. That could easily change in a future iOS version, and then it's suddenly a lot harder for 1Password to grow by selling a $60/year password manager subscription.
Enterprise features on the other hand, that's not something that OS vendors are likely to ship.
While I don't like the newer versions of Dropbox as much as the old ones, I can understand how pressure from iCloud and OneDrive pushed them toward enterprise features over consumer users.
If anything I'd bet on MS sticking it into their Office subscription, not Windows itself. So 1Password will be up against iCloud Keychain from Apple and Microsoft Passwords 365 on the enterprise front.
Unlike many _other_ product companies, they all dogwood their own code. Also, IIRC all members of a team account are given a family account for their own use (you’d obviously have to convert if you separate from the company), so they are building for _people_.
Tangentially, I had read somewhere some years ago, that the Dropbox GUI clients on some or all of Linux, Windows and macOS were written in Python and wxPython. The one that you activate from the system tray, in the case of Windows, at least.
This may have overlapped with when Guido was working there, though they may have built those clients before he joined, of course.
I think it's a little weird. I have used 1password at two jobs, and thought it was great, so I bought it for myself. They want money to sync my passwords between my Windows desktop and my iPhone. Seems reasonable to me. I program computers for a living and people pay me.
I guess there was a free self-hosted type thing at one point in the past? That was before I ever heard of the product, so I'm not that upset that it's no longer advertised heavily or whatever.
I do have one complaint. They do have k8s secret management, which I would like to use for my personal cluster, but it's just too expensive for that. Very weird to show it in the UI and then when you try to use it, quote you an insanely high price. (I just use sealed-secrets instead. If my cluster blows up, it will be a very irritating weekend rotating all the secrets. But good to do, so meh.)
I used to use 1Password when they just sold the application at a fixed price and I handle all the synchronization between machines. That option is no longer available. I'm one of the users who left because of this.
Hmmm , I have a Mac and an iPhone and the fixed price application from circa 2015-16. They are still in sync via iCloud. I can see "Sync with Dropbox" and "Sync with WLAN server" in the settings. Did you mean any custom sync options that may have existed?
> They want money to sync my passwords between my Windows desktop and my iPhone. Seems reasonable to me.
Money for service is fine, but this is a long term thing, and I'm not going to pay $180 per 5 years to keep 100KB in sync. And the software doesn't justify that price either.
I like how you had to word it in terms of 5 years just to make it sound substantial...
It's 3 dollars a month.
You could be conservative with tissue paper and make up the difference to your monthly budget... so how much cheaper can you get that cheaper than tissue paper and still expect the service to be around forever.
Just 3 dollars a month… if every piece of software I use on a daily basis cost me a few dollars then the usage cost would spiral out of control.
Now many of us are software developers here on HN, so I understand the need to charge money for software. But I paid full price for 1Password6 years ago and I haven’t needed any updates to continue using it.
Now the company refuses to sell a non-subscription service version and I’m suppose to be thankful that they’re “only” charging $3 a month?
These types of subscriptions are purely highway robbery. I’d be happy to pay for upgrades if software needs to be updated to remain compatible with browser or OS updates, but let me decide whether I feel it’s necessary.
> Just 3 dollars a month… if every piece of software I use on a daily basis cost me a few dollars then the usage cost would spiral out of control.
This sounds so much pithier than it actually is, but of course every reply will say it.
Does 1Password asking for 3 dollars make every other app on your computer suddenly need 3 dollars a month?
Every piece of software needs its own plan for continued development.
Some software you use exists because people work on it for free, some exists because massive ad-tech companies defiling the globe's privacy fund it, etc.
-
Paid subscriptions is one of those types, and as far as paid subscriptions go 3 dollars a month is bottom of the barrel.
Like if every paid subscription you had was 3 dollars how would your bills look?
Many MANY companies have tried one time payments and died over it. People are allergic to upfront payment. People just might not have the funds to pay a fair price all at once. A tech forum isn't exactly where to get perspective on that for example...
1Password clearly tried the one time payment model, and if I had to imagine for a second, I bet you one-time payment users ended up being some of their most expensive users since they had to manage disparate sync schemes.
Now at least subscription users can subsides that cost a bit...
If it was finished they'd close their doors and find a new way to make a living.
> Microsoft used to sell upgrades for their entire OS for $3 a month, released once every 3 years.
Great way to make my point. MS tried taking just 3 dollars a month for an entire OS, but because they were asking for money upfront they had to turn to a mixture advertising Candy Crush in the start menu and privacy abuse.
> If it was finished they'd close their doors and find a new way to make a living.
Well that's the big question with these services isn't it? Are they keeping their doors open because they have more value to provide? Or is this just a ruse to keep their doors open without any further value to provide?
They provide a reliable service that's never let me down when I needed it, have security updates and bug fixes, provide great support, track OS and hardware updates... not much more they need to do to justify existing.
> If it was finished they'd close their doors and find a new way to make a living.
Feature-complete, then. It needs updates but it doesn't need significant development work.
> Great way to make my point. MS tried taking just 3 dollars a month for an entire OS, but because they were asking for money upfront they had to turn to a mixture advertising Candy Crush in the start menu and privacy abuse.
They make most of their money off new computers at an even lower price. Adding candy crush and more tracking came after they switched to making upgrades free, and I really doubt it's worth $100 a seat.
They made home windows into a loss-leader. If there was a choice to pay to remove those things I bet they'd make somewhat more money. But it's not where their big revenue streams are so they don't care.
So now we've gone from talking about 1Password to you correcting your own points about a diversion you brought up.
I just now realized you're the same person from the other thread and it all makes sense now, this was never about 1Password for you. My mistake taking the bait.
And of course, I vehemently agree with anything you say about 1Password, or Windows.
Anecdotally, if you asked me to pay $30 up-front for a password manager, I would just keep using the same minimum-effort password for every site like I was doing a few years ago. Data-wise, we know that the largest drop-off during customer acquisition is when they have to input payment information.
IME most people don’t want to pay for anything at all. Which is partly why the subscription model works — try it for free for a month so you can understand the value proposition. Afterward, you’re more willing to pay for it.
> Does 1Password asking for 3 dollars make every other app on your computer suddenly need 3 dollars a month?
By your logic there’s nothing wrong with any other app asking for their own monthly toll when you feel that 1Password is justified in doing so.
> Like if every paid subscription you had was 3 dollars how would your bills look?
But 1Password never needed to be a subscription in the first place. I am still able to use 1Password6 to this day without any updates for the past 3 years. That’s $108 for software that I paid $30 originally.
> People are allergic to upfront payment. People just might not have the funds to pay a fair price all at once.
If they were truly worried about losing customers unwilling to pay upfront they’d offer both options. By forcing everyone to go subscription they see that they could have milked me for an additional $78+ without doing any work at all.
> I bet you one-time payment users ended up being some of their most expensive users since they had to manage disparate sync schemes. Now at least subscription users can subsides that cost a bit…
I don’t see why I should feel inclined to pay more to support some edge case users. I didn’t bemoan 1Password when they didn’t provide an update after Safari changed their API. I continued using the software in Firefox and Chrome.
Am I considered an “expensive user” simply because I’m unwilling to pay their toll? I haven’t gotten any support from them for the past 3 years.
We live in a capitalistic world and 1Password is free to go with whatever pricing model works for them to maximize their revenues. Likewise, I am free to warn people the poor value that they’re receiving with the current subscription model. I don’t have to aspire to be a reoccurring revenue stream to boost their $6.8B valuation…
> if every piece of software I use on a daily basis cost me a few dollars
Can I interest you in a cloud license for ls? It’s clearly critical you your day to day work, surely $5 per month it reasonable for a too, you use so frequently???
(Im a long time 1pw user and vocal supporter. I’m now wondering how they are going to generate the expected return in this investment, because I can’t see any realistic avenues for that which aren’t likely to fuck me and everybody I’ve recommended 1pw to in the last decade or so over…)
> I like how you had to word it in terms of 5 years just to make it sound substantial...
Because I'm going to be using it for that long.
> It's 3 dollars a month.
For this single app. It's easy to justify $3 at a time, but suddenly you're paying a whole cable bill for marginal value.
Decisions like this shouldn't be taken in complete isolation and rounded to zero.
> and still expect the service to be around forever
I don't want the service, just sell me the program.
I could store my data in dropbox or microsoft or any email service or facebook.
I could store it in S3 for 1 penny a month. I could pay 2/3 as much to get 100GB of space from google.
The amount of money it takes to provide this service is completely disconnected from the cost, and the value I get is not from the service.
The program is valuable, but I could buy a nice alternative program, avoid the pure-profit service, and buy myself something nice down the line. Maybe a higher tier GPU the next time I upgrade my computer. And I can only conserve so much tissue paper.
One $3-per-month service could hold my data for thousands of apps. It's reasonable to ask me to have one such service. But I'm not paying once per app.
Cool, I'm planning to use it for a lifetime. The point is that you didn't just use the monthly number because it's extremely low as far as paid software subscriptions go...
-
And I don't do this:
> Decisions like this shouldn't be taken in complete isolation and rounded to zero.
So I don't end up worrying about:
> For this single app. It's easy to justify $3 at a time, but suddenly you're paying a whole cable bill for marginal value.
-
> I don't want the service, just sell me the program.
First off you literally just said:
> Money for service is fine, but this is a long term thing, and I'm not going to pay $180 per 5 years to keep 100KB in sync.
So clearly you want the service but feel it's too expensive...
But secondly, software doesn't exist in a time bubble! Security updates, maintenance and support all exist and these are people trying to make a living while handling all that.
It's super cool that you want to get their hard work in the most personally beneficial way, but they have this very reasonably priced service that lets the people have the software, and them have their livelihood.
You can say "oh well I don't care about maintenance, I'll buy the new version if it's compatible with my OS", which again is super convenient for you... but once they hit plateaus in new users are they just supposed to pause development until old versions break?
If the utility of the program was so low you wouldn't be asking them for it without the service after all... if it's "just storing 100kb of text" there's plenty of other options out there.
10 cents a day for something that saves a lot of stress is a great price.
> So clearly you want the service but feel it's too expensive...
No, I don't. "Money for service" is fine as a principle. This particular service is something I don't want at all. Those can both be true at the same time.
> But secondly, software doesn't exist in a time bubble! Security updates, maintenance and support all exist and these are people trying to make a living while handling all that.
I'm happy to pay for software updates. But software is supposed to last more than 10-16 months. Which is how often you'd be paying a reasonable shelf price of 30-50 dollars. Generally software can be expected to last ten years without trouble.
> very reasonably priced service
What's your definition of reasonable here? $20 a month is a great deal if that's the price of security! So $20 a month would be reasonable by that metric. But I think we can both agree that's too high. So how do we decide? And it can't just be that low dollar amounts are automatically reasonable, because we're not rounding to zero.
> If the utility of the program was so low you wouldn't be asking them for it without the service after all... if it's "just storing 100kb of text" there's plenty of other options out there.
I'd say the utility of the program is worth a solid $30-50. The program does all the good stuff. The program isn't the service. The program manages my passwords, the service just syncs a tiny file.
I can get the same syncing UX in most password managers just by logging into an existing account I already have. The stress of that one-time login is nothing. It's less stress than making a new account for 1password.
> No, I don't. "Money for service" is fine as a principle
My mistake for assuming you were talking about the thing being talked about
> What's your definition of reasonable here? $20 a month is a great deal if that's the price of security! So $20 a month would be reasonable by that metric. But I think we can both agree that's too high. So how do we decide? And it can't just be that low dollar amounts are automatically reasonable, because we're not rounding to zero.
This entire paragraph is just asking me how to price software, which is already a very well covered topic and there's no answer that will fit in this comment (there's also no one person who knows a definitive answer to it).
I mean part of why $3 is reasonable compared to $20 is less sticker shock... why is there less sticker shock for $3 but there is for $20? Why $9.99 instead of $10?
> I'm happy to pay for software updates. But software is supposed to last more than 10-16 months. Which is how often you'd be paying a reasonable shelf price of 30-50 dollars. Generally software can be expected to last ten years without trouble.
This still boils down to "what I want" while ignoring the reality the creators face.
Like, software companies have gone with your reality, and before 10 years passes up and you feel like it's time to upgrade... they're gone!
What you don't seem to understand is that the sustainability of the company has a premium here.
It's not just $3 for passwords, it's $3 so I have confidence I'm not relying on 1password having indefinite growth to have people work there.
> My mistake for assuming you were talking about the thing being talked about
I said buying it is "fine". Even if that was directed specifically to this service, that doesn't mean I want it.
> there's also no one person who knows a definitive answer
Then don't be so insistent that the price is good.
> Like, software companies have gone with your reality, and before 10 years passes up and you feel like it's time to upgrade... they're gone!
I'm not saying they have to do it that way, I just think it's a reasonable way to calculate the price of the functionality.
If they want a steadier income that's fine, but wanting a full retail paycheck every single year is going too far.
> It's not just $3 for passwords, it's $3 so I have confidence I'm not relying on 1password having indefinite growth to have people work there.
On the other hand, worrying about whether companies will be around for the long term is a big reason I dislike subscriptions.
That $3 doesn't guarantee they'll still be around. And for a simple product like this, the more ambitious they get the more worried I get.
Also this company is an order of magnitude or two bigger than "sustainable". The only way they would stop selling a password manager is because of bad management or because they choose to pivot into a different market. They're not going to have insufficient money to pay the staff of their core product.
You've thrown any sort of internal consistency so far out the window at this point, I don't think you even know what you're saying anymore.
You start by implying there's something wrong with insisting on the quality of a price then...
> If they want a steadier income that's fine, but wanting a full retail paycheck every single year is going too far.
Right. So you're now you're not just saying that the subscription model is bad, you're saying that you've decided what a full retail paycheck for their software is.
-
You say:
> That $3 doesn't guarantee they'll still be around
> for a simple product like this, the more ambitious they get the more worried I get.
> Also this company is an order of magnitude or two bigger than "sustainable"
Yet it's all exactly the reason why this is true:
> They're not going to have insufficient money to pay the staff of their core product.
I mean how do you think 1Password reached the size where you're essentially calling them "too big to fail"?
They did the ramen noodle "sustainable" thing, and they'd be a footnote if they had stayed there. Instead they were ambitious, they scaled, they took people's money in a way that works for them, and now some internet person is simultaneously saying "They're so successful they'll never fail if they don't want to" and "Why are they doing what they did to reach that point???"
> Right. So you're now you're not just saying that the subscription model is bad, you're saying that you've decided what a full retail paycheck for their software is.
Did you forget that they used to sell it that way? And there are competitors with similar prices. We know what retail price is.
> "Why are they doing what they did to reach that point???"
I never asked that.
They raised their prices so they'd make more money, obviously.
When I say it's too expensive for me, that's not me being confused about why they charge that much.
I'd rather pay for a product plus some profits plus some scaling, and not pay for a product plus some profits plus extremely aggressive scaling.
They can both keep a company around for a long time, and the former might even be better for that.
Like you said a couple comments up, I want "confidence I'm not relying on 1password having indefinite growth to have people work there". The more they focus on very fast growth, the less I have of that confidence.
> I mean how do you think 1Password reached the size where you're essentially calling them "too big to fail"?
They reached a safe size before they switched to forcing subscriptions.
Not free that I was ever aware – it was a fixed-price app when I first got it – but you could store your vault on any network drive, and later Dropbox became the way to sync between mobile & desktop. But it was a bit tricky to set up with the extra auth & auth hassle and "now where did I put my vault?" issues. As much as I liked that approach, it's hard to deny the current cloud-based service is easier to get going with.
Oh, it's on their website. It's $30/month for "25 vault access credits". I have no idea what consumes a vault access credit, but didn't want to pay $30/month for a personal project.
(At my last job, I wrote something to rotate the passwords on our network equipment everyday. I just exec'd the 1password linux binary, and that was free. Why should I pay to integrate it with k8s?)
Yeah, we’ll, it sucks to pay for an app that is perfect and then have them ruin it because of their b2b aspirations. And raising money like this is just another link in the chain pulling them down into the pit of insanity that ruins the most-beloved password manager ever.
There's a chance that a push toward enterprise may even result in a feature a lot of us more savvy individual customers would love to see as well: self-hosting.
I think this underscores some (but not all!) of the negative reaction to "Zendesk plans to buy (the company behind) SurveyMonkey" — the latter of which has developed significant revenue streams from specific B2B products
They have been doing some pretty unfriendly moves towards their long-term customers, like making sure the new 1Password cannot be used without 'the cloud' like the old one could be.
I have no doubt raising more VC money will only accelerate such trends.
In fact I've decided to move off of 1Password to BitWarden, since at least one can realistically self-host it. That being said, it's not exactly easy to migrate from the latest 1Password so I wrote my own little utility to do it[1].
I think we need more competition to VC backed products in general, just imagine what would happen if the building blocks of say a GNU/Linux system we take for granted today would've been built with the mindset that investors are going to want a return on their investment.
I am not saying there's anything wrong with that in principle, but am not sure I want to surrender my passwords to these kinds of incentives.
This is exactly why I've switched from strongly recommending them, to strongly recommending against them. Plus their cloud security UX is horrendously confusing for everyone I've showed it to.
Whoever is driving their cloud push has probably made the most profitable business decision, but has absolutely no idea how to make a sane product.
Yeah I have been slowly trying to push away from 1pass as our corporate secrets overlord. 1pass is marketing towards business but screwing over their original community
Yeah I don’t know how to feel about this. I still have a license that allows me to use it with a local vault.
But I really want to get the family subscription. The Premium BitWarden plan is much cheaper than 1Password but the the Family plan doesn’t get you as much of a discount and my parents are on iPhones.
Edit: Dave Teare, the 1Password guy claims that when they were still offering standalone licences in 2018, people picked subscriptions over perpetual licences at more than a 30:1 ratio. Of course, they only showed the monthly price vs the perpetual price. But I’d hope people understand what subscription means.
Given how extremely hidden they've made the perpetual license option, I'm honestly surprised it's 30:1. That seems to be a sign of "people want this bad enough that they go hunting for it for quite a while".
I remember noticing the announcement of subscriptions (possibly a couple weeks after it happened), being concerned it'd spell the end for dropbox sync so I checked it out ASAP, and then discovering my fears were mostly justified - it still existed (and remained around for a couple years), but it was shoved waaaay off into a corner. E.g. in the next subscription-oriented version of the apps, unless you attached a synced file FIRST, the option for dropbox syncing or standalone licenses was never available. The official instructions for fixing this were to reinstall the app from scratch and attach to the file first, before signing in.
does anyone know definitively which is the last 1password version that doesn't require cloud? some folks are saying it's v6 but i have 7.8.7, and everything seems to be working fine, as far as i can tell. i still use local vaults and dropbox syncing to my ios devices without issue.
Definitively: v7 works with stand-alone / non agilebits-synced databases; v8 will not. (I think v8 is out for Windows but not yet Mac.)
I am a long-time 1Password user who recently made the leap to their hosted service. 1Password remains best-in-class for me and has a terrific security record, especially compared to their peers. While I too lament the everything-is-a-subscription-now trend, I remain a strong supporter and avid fan of 1Password.
The latest integrations offered, for browsers and for e.g. Fastmail masked email address generation [1], only work with the cloud offering. I am happy to report that these latest offerings are fantastic and have tremendous UX.
It's not v8 at least, I use it on 7 just fine (though I do use the cloud offering). I don't see why it would be tied to that though considering it's just an API integration that saves the card into your 1password for the site you're on and then fills in the credentials. That _should_ theoretically work with a local vault as well on v7.
The last time they offered stand-alone licenses was 1Password 7 in 2018. Not that long ago. But they seem to have made it harder and harder to get at the local vault settings.
so ixnay to version 8 then. are you for sure that there's no version 7 point upgrade that's broken like that?
my original license was 1password 3 (teams edition or something like that?) i believe, which i'd been upgrading all along. too bad they'll lose all this recurring revenue, even if it's not strictly as uniform and regular as subscriptions.
Previously it was one license per user per platform. I’ve bought 1Password at least 3 times and pointed them to the same vault. Can’t remember if they had paid upgrades.
If you are not inclined to host your own server, it really doesn’t seem clear to me to migrate away. Only the single and 2 user free licence and the single premium license for bitwarden is a clear winner. For families it’s not much cheaper.
I’m not even opposed to paying. I’ve bought 1P a few times. And I’d pay for another service. I think it’s the fact that they are forcing the choice that gives me a bag taste in my mouth. But this is irrational if my 2nd choice is to pay bitwarden a similar amount of money for a family subscription.
Long-term 1Password customer here, no affiliation with 1Password or AgileBits.
> They have been doing some pretty unfriendly moves towards their long-term customers
From my point of view this was not hostile at all: I used 1Password with Dropbox sync for years and absolutely loved it as a personal password manager _for myself_. But sharing of passwords with family was a real pain. I gleefully signed up for cloud-hosted 1Password Families at launch and haven't had a bit of regret. Of all the subscription services I use, at $4/mo 1Password is easily the best bang for the buck.
For sharing, it's just sooo much easer than trying to use Dropbox:
I can invite family members just by entering their email address and 1Password walks them through the setup.
I can create new vaults with the click of a button and easily select who I want to share them with.
I can revoke access to members just as easily
I don't have to have a Dropbox account and I don't have to wonder about whether I've set the right permissions on my vault files or whether my free Dropbox quota has been reached.
I don't have to share _my_ vault keys and passwords with someone else to give them access to a vault.
I can still export and back up an encrypted vault whenever and however I want.
It's no accident that all of these features are the same ones that make their product so attractive to businesses as well: ease of access and sharing are both essential for adoption by businesses.
One more note: I still have my old standalone licenses and can still go back to 1Password 4/6 with Dropbox sync any time I want and not pay another dime, as 1Password still has links to download the older versions on their website: https://1password.com/downloads/mac/
Long-term 1Password customer here as well. I understand you are willing to sacrifice security for convenience. I wouldn't mind the recurrent payment, I just cannot imagine to put both the app (which now is online) and the data in the same company hands. I couldn't live like that.
Same, I don't mind the recurring payment all that much - their apps are excellent. I used the subscription for the apps with a synced file for a couple years.
But the cloud push is absurd, and it got too aggressive for me to stomach. It means I no longer have local backups (this screwed over a friend, whose data was deleted by 1P immediately after changing account stuff and could not be recovered). Browsers are also unambiguously not well-suited for this kind of secure-environment use, as exploit after exploit demonstrates. It makes their website a huge bullseye for hacking, rather than needing to somehow attack their entire user-base independently. It's a profit-oriented decision that makes the product's security, its primary feature, worse.
> They have been doing some pretty unfriendly moves towards their long-term customers, like making sure the new 1Password cannot be used without 'the cloud' like the old one could be.
Despite disliking being forced into a subscription system, I gave it a go. Turns out I'm not smart enough to understand their cloud user interface. Was just so confusing.
> 1Password is quietly positioning itself to become the ground truth storage solution for corporate secret management
I think it is the exact opposite. They saw what Dashlane did with a few million bucks and some radio/TV ads and want to throw the same sort of gasoline on the fire. I expect they will have their own VPN, browser, credit monitoring, etc. tie in before they have real enterprise features.
They don't have FedRAMP, no HSM intergration, and it can't run in GovCloud. Not to mention it is super clunky to use compared to LastPass and others.
FWIW, I have set up many, many non-technical users on an enterprise 1Password account. To those who haven't used a password manager there is a really big learning curve and I've seen tons of struggling.
I think a lot of it is the separate "vaults" concept can be easy to fuck up. I've had multiple instances where users have accidentally saved individual credentials in a shared vault because they didn't realize they weren't saving to their private vault.
Perhaps it's just the enterprise use cases that can confuse people, I'm guessing if you're just using it as 1 person with a single private vault there are fewer issues.
It's still hard for me to fathom this valuation. For example, all the major clouds (AWS, GCP, Azure) have a Secrets Manager as simply one feature. I looked into 1Password secrets when they announced it but couldn't find any reason to use it over a cloud Secrets Manager.
For the same reason one might choose Hashicorp Vault versus the major cloud: cross-cloud, likely a richer feature set, almost certainly faster release cycles, and (for AWS specifically) no stupid "pay per request" billing to try and reason about. I'd guess it can make local development scenarios better, too
I've watched three different teams fail to get vault up and running in any kind of a sustainable way. If they could solve that problem and add a desktop client they could crush 1password in this space. Probably wouldn't hurt that tons of software engineers are absolutely pissed at their moves in the consumer space recently.
As a (paying) Hashicorp customer, my #1 problem is that there doesn't seem to be a lot of talent out there that actually knows how to use these tools and is deeply experienced in them.
And they are all critical pieces of infrastructure. I am very nervous to run a business critical site and store all its secrets in Vault, service discovery in Consul, and containers in Nomad (even though I really like all 3 and they've worked well so far) because we've had a couple of catastrophic cluster crashes where none of us had a clue how to recover without downtime and data loss. (Fortunately they happened in QA but it has delayed our production rollout of this infrastructure)
And I still don't have access to an "expert" – apart from one vendor who seems to know it inside out but is extremely expensive. So there isn't much of a choice.
So then there are two things I can do: become that expert and add that to our business offerings, or abandon the stack since it's too risky to be stuck with it. I don't want to make the mistake I made with Ember.js (nobody really knows it, it's beyond dead outside of a half dozen fortune 500 companies). I don't think that'll happen with Vault etc cuz they really are great products and ideas.
But it is a concern.
Hashicorp must know this, which is why they are betting big on HCP. I'd gladly pay for the uptime of these components to be their problem. And I am paying.
It's a leap people make. I wouldn't call it reasonable. There is no way Hashicorp generates 11 billion worth of value. The only reason they get so much cash is the big players are inflating value so they can gobble up as much cash as they can before the market comes to its senses and everything comes crashing down like in 2008.
To be honest, I've just started using that (just set up a brand-new infra, started to provision users and thought it's a good idea to hook it up to a good password manager) and I found their Secrets Automation is (IMHO) barely usable for now. One can create most basic records but that's about it. I realize they don't owe me anything, but - honestly - just from the notoriety of the brand I've had higher expectations.
I hope that's just because they don't have enough people and currently their efforts are stretched quite thin. $620M is huge amount of money, so hopefully they get new hires and would be able to deliver.
Enterprise stuff is slowly moving away from the use cases that require solutions like 1Password, and since they are neither FIPS 140-2 validated or have FedRAMP ATOs, they have alot of work to do.
They also have the issue of all of the crypto nerds going nuts when they start getting their FIPS stuff done.
Atm maybe, but since GCP/AWS provide their own solutions I don't really see 1P or Vault that much valuable - it's a pretty primitive solution with no lock-in or some hard-to-replicate technology.
I really wish they weren't doing away with 1password classic and the native mac app. I like the fact I bought a license, that I can store the data on dropbox or icloud, and it works just fine.
Yes, this is old news and sour grapes on my part. I just don't yet feel like migrating to bitwarden.
I've been using 1password for 12 years since I saw it on a tutorial on peepcode.com. I actually taught my mother how to use it, she's been using it for 9 years, and last weekend she was upgrading all her passwords to use 2fa with the QR code capturing facility.
We had to go find the 1password classic browser extension (something stopped working, needed to reinstall it) and that took a bit of doing. 1password is not making it easy to find anymore, and when she contacted customer support (before talking to me), their response was to upgrade to a paid account and store your passwords on a server.
Ugh.
Honestly, now that they've raised this much cash, would it really be that big of an inconvenience or lift for them to give mac users a native app instead of the electron one and keep allowing legacy users like me to use 1password with our existing licenses and dropbox?
I think they'd be able to hire some additional developers and product/project people to make it happen. Not continuing to work on the classic project just feels like a kick in the shins.
Now, I'm building out my kubernetes cluster at home, and bitwarden is something I'm going to experiment with as a backup, but 1password 7 works fine and I just don't want to migrate to a paid account.
C'mon 1password, make your legacy customers happy!
They should take 20 million, endow a foundation, and have the foundation hire a couple of their original devs to make a clean room, open-source equivalent to 1Password 6. Then those of us who actually just want a self hosted password manager, not a massive whacky cloud secret factory, can use that.
Sigh, what a stupid world we live in, where greed destroys everything good.
And it can already read the 1Password .opvault (the "legacy" format, stored in Dropbox and on disk) "file" format -- I would guess it wouldn't be an unholy amount of work to teach it to write out that format, too, but I stopped short of doing that work because I figured KeePassXC wouldn't merge it
After that, I would teach KeePassXC to serve the 1Password browser extension websocket protocol, because I found its UX far, far, far, far superior to KeePassXC's browser extension UX
Migrate to Bitwarden. I owned a 1 password 6 license and hung onto it for dear life until last year. I technically had a 1 password subscription from work, and when that ended last year, my password experience hit a brick wall. I couldn’t add passwords from Windows. My Mac client refused to work, I had to uninstall multiple times and delete a data directory to erase any sign that 1 password subscription was on the system.
I’m so glad I made the switch now. No pestering pop ups, equally usable on windows and Mac and iOS.
I don't even mind the subscription fee and cloud hosting personally, just make a kickass native app like they always had and I'll stay. If they force me to "upgrade" to 8 and it's not a native app then I'll just use something else like bitwarden.
Similar here, I don’t mind the subscription fee and even like that I can effortlessly pull my passwords from whichever device I need to at the moment. The new electron app is a mess though, even if its data layer is done in Rust. It feels like a cheap imitation of the old one with so many little details being wrong, along with the general sluggishness that comes with a “modern” web stack.
I’m not really happy with any of the other options either though. Bitwarden is stuck in the browser, and the various KeePass clients vary a lot in polish.
It seems a little ridiculous because the UI involved in this sort of app is trivial to build and make nice in practically any native UI toolkit released in the past 20 years. It’s just list views and text fields… I would’ve expected the hard part of building a password manager to be the functional bits, not the UI.
Right!? The hard part is integrating nicely with the OS, which is just not something that's in Electrons bag. The thing Electron "improves" for them is portability for the one thing that users really want to avoid interacting with. It's just such a confusing business decision in my eyes, and to be completely honest, part of the reason I'm looking at switching is literally that they are making a decision like this unprovoked when they have a great native app already, I just don't understand it and don't want to support a business making shit decisions like that.
Someone in this thread suggested Strongbox which looks very promising. I will stick with 1Password until they've decommissioned 7, and then make my decision whether to stay or not I think.
The new Mac app has a lot of OS-specific code for those nice integrations. Their new client is a mix of Rust, Electron UI and Swift with all secure processing and OS handoffs done in Rust and Swift.
No one owes 1Password anything but the engineering reviews often seem to miss what they're actually developing.
In Apple land you have Strongbox or Keepassium. Both are fine projects based on Keepass technology so you are basically safe and the developers are even in cool terms with themselves.
Looking around, on macOS there’s also MacPass[0] which looks decent (good enough that I could see myself contributing for the last few % of polish), and gnome-passwordsafe[1] looks reasonable on Linux (if a bit too mobile-y for a desktop app). The only notable hole in the platforms I use is Windows… perhaps it’s time to spin up a WinUI Keepass project.
The issue I see with KeePass as an standard password format is that, afaik, it does not have the native concept of OTP which is critical these days. I understand some developers have come up with ways to store the needed information to generate the OTP in some of the metadata fields. But that does not guarantee OTP interoperability between different Keepass implementations accessing the same Keepass database.
For example, using MacPass I can access my KeePass DB managed by Strongbox from iCloud Drive but the OTP field seems to be opaque to MacPass, it does not know what to do with it.
I would be happy to pay the subscription fee for a native app, especially since my partner and parents can use it under the family plan. It works great for that! I've been paying for upgrades since 2007 (version 2.0 I think).
Except that version 7 also introduced some massive UI/UX regressions! There were so many that I started collecting them in a Ulysses note so that I wouldn't forget why 1Password has gone so far downhill.
----
Attachments:
- Attachments used to be attached to entries by drag files there, and they'd show up at the bottom (if I wanted my passport, there'd be a single Passport entry with copyable fields + jpeg photos of front and back at the bottom).
- Now, every attachment is a separate document cluttering up everything. If I want my passport, I search for "passport" and three separate entries come up: entry with passport details I can copy, and passport-front.jpg and passport-back.jpg. And if I delete Passport entry, the jpegs are still hanging around.
- See [1][2]
----
When it doesn't sync, there's no "force sync" button on iOS. So I just sit there waiting...
----
Can't suppress "duplicate password" warning:
- If I reuse a password on two or more entries, each of those entries shows this warning
- No way to disable it, clutters up the UI
- Some entries have an insecure password for local use, dev use, whatever, so let me disable the warning
- Tons of threads on their forums about this complaining about it [3][4][5][6]
----
Another warning that can't be disabled in preferences: 2FA available but not enabled
- If you have an entry where 2FA is available on that site, you cannot disable the warning if you don't have it set up
- To actually disable this, you need to tag the entry with 2FA (which is dumb because it implies that it has 2FA, but the tag is showing that it DOESN'T have 2FA enabled)
----
Subdomain matching doesn't work:
- This used to actually work fine but it was removed!
- If you have a.test.com and b.test.com with different credentials, 1password treats them as the same website and will ALWAYS show entries for both, breaking autofill
- See [7][8]
----
And after all this, I still planned to continue to use 1Password until they made their version 8 Electron announcement. That's absolutely the final straw and I won't be moving forward with them after that.
Definitely felt all of these, but I moved from LastPass to 1Password after 7 had been released so didn't know they were regressions. That's really shitty actually. I am honestly infuriated by shit like this because it just doesn't make any sense at all...
Same here. I begrudgingly moved to BW right after they stopped offering perpetual licenses. The UX is poor compared to 1P but for this software I could not continue to use 1P. They've become a deceptively marketed company. I actually had a sub on top of my perpetual license -- the cost is inconsequential and I want(ed) to support their business.
Sorry to break it to you, but 1Password is not going to make any changes to suit your requirements. The company behind it is user hostile and quite stubborn. The only advice I can give is to switch from it to something else. There is absolutely no hope that your requirements will be considered. You can even post in their forums and see how they’ll shoot you down.
> Yes, this is old news and sour grapes on my part.
This is a tangent, but this isn't really the correct usage of sour grapes. "Sour grapes" implies you actually did want it to go away but are saying you didn't out of pride or something. I'm assuming that's not what you're trying to imply.
Bitwarden is a bit of a pain to self-host, it's built for a much bigger scale. Vaultwarden is a simpler solution, and is compatible with the Bitwarden apps. For a handful of users it is worth a look: https://github.com/dani-garcia/vaultwarden
This kind of announcement tends to ring all kinds of alarm bells for me. What kinds of changes should we expect to make those huge investments worthwhile for the investors?
My 1Password installation is grandfathered from a time when it was just a standalone app, without subscription. Will it just stop working one day to bully me into subscribing? Can you even start using 1Password these days without buying a subscription? I'll have to start looking for alternatives today.
Unfortunately yes. You'll still be able to use your license but once that version becomes incompatible with your OS you won't have a choice but to upgrade. I'm disappointed I won't be able to keep the Dropbox sync in 1Password 8. They did have this survey to gauge interest in self hosting it: https://survey.1password.com/self-host/
You can sync local vaults any which way. I personally use Syncthing, but any file syncing service would work.
On another note, I've been using 1Password for years, for free. The mobile app can edit local vaults without signing in, and the desktop program can view local vaults in read-only mode. If I want to edit or add a password, I do it on my phone—it's not worth $150+ to be able to do it on my PC a few times a year.
I don't have the old version installed anymore in order to check, but I thought that 1P only required that you authenticate to Dropbox (since the app just uses the Dropbox API for polling and to pull down changes), not that you turn on syncing. I mean, it's possible Dropbox is so sick they count a signin as a new device, but that would be a grave disappointment
Interesting, because in the root of my Dropbox is ".ws.agile.1Password.settings" which is a plain text file containing the "Dropbox App" path of "Apps/1Password/1Password.opvault" and my understanding of that "Apps" folder in Dropbox is that integrations can write whatever they like to it, but not write outside of it
I have a similar Apps folder for "O'Reilly" from back when I connected their app to Dropbox, and one for Joplin. It's too bad I don't have 1P 7 on my machine anymore, because I no longer have Dropbox on my machine so it would be a good test to see if it still syncs without the Dropbox client present
Seems like a lot of people are missing the piece as to probably why they need the money (and where they're pointing the company in the future). Future of 1Password: https://www.future.1password.com/
I'm actually surprised by all the reactionary comments here with almost no research. 1Password already has integrations with Fastmail and Privacy and have launched a Secrets Automation[0] offering. I'm assuming this money does go partially into the password manager (which they say has always been profitable) but I think the money would actually go into ancillary services for competitors to Vault or Okta for authentication and secrets. Of course, it's not unfounded that as consumers we'd be concerned about the affect this might have on the base product but they've been pretty open about their ambitions since the first funding round a couple of years ago
1: 1Password already backhanded users once for business reasons. They used to be a nice, local password manager that synced with dropbox or your choice of filesystem. Then they added cloud support and used dark patterns to force adoption of a subscription based cloud service while making the local version harder and harder to use. At some point I gave up, I’m not even sure it’s possible to use locally anymore. It might be that the marginal utility is worth it, but forcing my hand also broke my trust
2: This is now the path of the majority of American corporations, most especially high growth vc funded; make something awesome, grow, extract profits, die. It doesn’t really matter whether it’s burritos or password managers, we’ve seen this pattern one too many times.
> I'm actually surprised by all the reactionary comments here with almost no research.
On the contrary, many of us are already experiencing the paid SaaS squeeze from 1Password long before this fundraising.
It doesn’t matter what they claim to need the money for. The company and product already declined from a great standalone option to a forced SaaS subscription payment with the self-hosted options removed. There’s no way I’m buying the story that they’re raising more money without a goal of squeezing more money from their customers, nor will I believe that they’re only going to get this profit from other customers while ignoring the consumer space.
In the real world, companies don’t actually segment up their product offerings and operate them as separate businesses with separate profitability goals. It’s all one big product mix and they’ll be squeezing money out of everything, wherever they can find it.
This. Where is the nuance and slow thinking, folks?
I don't know much about much, but I do know that the far future of computing isn't going to involve people memorizing and typing complicated passwords, or using finicky password managers. There is massive potential for growth and vision in this space.
The conversation about 1Password's corporate direction and the impact on its products, users and the "ecosystem" they appear to care so much about has been going on for months if not years before today. There's been plenty of time for slow thinking.
I say this as a 1Password subscriber and user of its products going back all the way to 1Password 3.
Looks like they're aiming to become a cloud-based active directory, abstracting away authentication to a higher level single identity.
They want to become something like a Passport for users across the web.
If they can do this, it will be huge. But hopefully I'm not alone in hating this direction and see tracking individual identities as a small price to pay to protect freedoms.
There is also something to be said about free not actually being free, and anyone with common sense would know that "free" from Microsoft means practically the opposite.
They will probably go Dropbox route. Dropbox used to be an excellent file sync cloud service with a robust support on many platforms. They did just one thing and did it well. Now Dropbox is positioning themselves as business-team-collaboration-streamlining-platform for everything whose software is balancing between poorly programmed malware and useless enterprise bloatware.
This makes me think that the real problem here is vendor lock in. If users didn't feel such a reluctance to switch between services then there wouldn't be such an incentive to bloat existing services rather than just building it somewhere else.
Apart from lock-in, first mover advantage is a big one too. Humans don’t like change, so they stick with services as long as switching provides no big benefits.
My small company has stayed with our initial bank even though we were quite unhappy with it a couple of times. They didn’t rock the boat too hard, so we‘ve been with them for 8 years already - even though I was _this_ close to quitting sometimes.
Is there a real lock-in in case of 1Password though? I like their UX and integrations, but looks like it is easy to export and move my data to other products if required.
Did they have a choice? Companies like Google and Microsoft provide a package of file sync cloud service bundled with many other services, for the same or lower price. Most people/companies would find that a better deal.
Both the Fastmail[0] and Privacy [1] integrations have made 1Password a joy to use in the past few years. I've used premium BitWarden in the past, but the UX of 1Password is hard to beat. Congrats to the 1Password team!
A lot of comments don't seem to acknowledge the importance of UX to leveling up security. Historically, security products have had terrible UX with everyone working around these and introducing more risks. 1Password is doing a great service here by making security simple and reduces our overall attack surface.
I wholeheartedly agree with the UX comment, and for the "leveling up security" part specifically, I'll point out that 1P 8 now has a "generate horse-battery-stable 'security question' answers" button, which is about as close to the intersection of good UX and good security as I can imagine
My experience with Bitwarden is that their browser extension is gravely broken, which is a subset of UX, but crosses over into "how is this not a 'stop all work and fix it' bug?": https://github.com/bitwarden/browser/issues/1620
I have a paid Bitwarden subscription, because I wanted to give it a fair shake, but based on my experience thus far it'll be years before they catch up to AgileBits
Bitwarden, over the last few years, has been focusing on enterprise features and has largely ignored more basic stuff. It doesn’t seem like that’s going to change quickly, since the pace of development seems slow.
They've also (supposedly) been profitable since inception. It's likely that this round has a significant secondary, which means they're just cashing out part of a profitable business.
Exactly. An increasingly common thing lately is what’s effectively a “private IPO”. That’s what this sounds like - liquidity for investors / staff, and ownership to a small cadre of professionally managed funds vs. the Wild West open markets.
Funny, "private IPO" is exactly what I said to someone I was discussing these types of rounds with.
Going public has very tangible costs, but also massive intangible costs. Private markets are extremely frothy and keep ownership and control within an aligned group of investors. This can make all the difference in the world to management.
So that means what? My password manager is going to start crypto-mining, and share the profits with me? My password manager is going to report all the sites that I have stored passwords for back to the companies?
Whatever the case may be, I'm sure it's going to turn out to be something completely worthless to me.
Fortunately, there's always Keepass, which keeps plugging away doing exactly what it says on the tin.
It screams CORPORATE. Not a single mention of family or single user. It's all about business security, safely sharing data, protecting your company, etc.
I mean... that seems fine? Taking a consumer product and making a business version of it feels like a totally ok way to grow a company that already has a stable product that people like. Them making new features you don't use doesn't mean they're going to break or diminish the stuff you do use.
Sure, they could mess it up, but any company or open source project can mess everything up.
I can't remember a company that has served individuals and enterprises simultaeneously without one side getting a compromised offering.
One of the things I like about Apple is they don't really pander to the enterprise. They won't turn the business away but you can see it isn't a priority.
I'm not sure this is true. If anything, they're the perfect example of how to do it right though, which is to have products that are business OR personal focused, and not generally both. The Mac Pro and the new monitors are both very clearly only a reasonable cost point/feature set for enterprise clients. The higher end Macbook Pros are similar, especially post redesign.
Almost everything Apple makes, "Pro" name aside, is either an enterprise offering where they're ok if random consumers buy it, or a consumer item where they don't mind if enterprises buy it. I have no interest in buying a reference monitor that costs more than my last 4 computers put together, but I could just go buy one, I guess.
Optimally, 1Password does the same thing. If companies want to buy their current offering (and my current employer does) that thusfar hasn't really messed with my personal use. If they come out with some Okta competitor in the future, I won't need to care about that either unless my company uses it. Optimistically, both products can be targeted to different markets.
I'd distinguish between the professional market and enterprise.
Look at the lengths Microsoft goes to in order to maintain backwards compatibility for their enterprise customers, Apple in comparison just doesn't care.
Obviously I don't have access to the sales figures but my guess is most Mac Pros are going into audio/visual studios or else high net worth individuals. It's not the sort of thing enterprises will buy if they can avoid it.
Sure, but I'd be surprised if Crashplan was operating their home offering at a profit beforehand and just went "eh, we don't need money". 1Password seems to have a totally viable consumer market that's making them money without all that much work on it. It would seem weird for them to kill a golden goose.
Also, it is good for companies when their employees use good password management everywhere, including in their personal life. The 1Password for Teams Business plan includes a free family plan for every user, so there's mutual reinforcement there.
> Them making new features you don't use doesn't mean they're going to break or diminish the stuff you do use.
Except they have already started to diminish what used to make 1P great. We now get no native apps, no local vault storage, no upfront payments. The VC rot has already set in.
Family/individual accounts are nice and all, but most families/individuals just don't give a fuck about security nearly enough to pay a monthly fee for a password manager, and probably never will. The saturation point for them in this market is not too far off.
So they go where there's real money to be made. They are well-positioned to become the default choice to handle corporate day-to-day cyber-security needs of most non-tech businesses, and if they can pull it off even moderately successfully it will make them the biggest Canadian IT company. Family accounts never ever will.
That doesn't mean their product won't remain the best* choice for individuals and families. Microsoft also doesn't give a damn about family or single users of Office, yet we all* use it because it's still the best* product on the market.
* words like 'all' and 'best' are approximations of what's going on in the real world, not in HN where significant numbers of people may very well be using LibreOffice and the Nth fork of Keepass.
> most families/individuals just don't give a fuck about security nearly enough to pay a monthly fee for a password manager
It's more than that, most families that do care about security don't need features beyond what is built into iOS/Android. When I encouraged my wife to start using randomized passwords, I didn't even have to help her get set up. She already knew how to use Apple's password manager, so she just started using it. No setup, no additional monthly fee, just a quick decision to start using it.
When we need to share a password, we just read it off to each other and put it in our respective password managers. There aren't really any features in a paid password manager that we miss.
How do you have a universal login that doesn't require corporate onboarding? You're just not the person this landing page is positioned for. They need corporate buy-in so you the user can login with one login across all of those sites. If you the single user want to easily login to Netflix and Amazon with a click of the button, then how do you expect 1P or any org for that matter to offer that if they don't have a direct relationship with Netflix or Amazon?
This is like using Google.com to search for things to find and screaming "Google is too corporate" when you landed on the Google AdWords landing page (ads.google.com).
We have a corporate password vault and it sucks. If 1Password makes a compelling product and brings their considerable UI/UX expertise to bear on it, this could absolutely take off and make my life easier.
With 100k individual users and its background as a consumer application, 1Password wouldn't neglect the non-corporate customers—at least until David Teare retires or otherwise leaves.
1password has a corporate offering. We use it at work, and while I haven't thought about to what extent it'd scale to a huge company it works very well for small ones with the ability to e.g. share vaults and manage permissions across users.
But incidentally the same features which makes it great for work also makes it great for me to share access to vaults with my son for example.
I was speaking more about an enterprise product like Hashicorp Vault but I was quite unclear. I knew about 1Password for Teams (use Family personally).
Oddly enough 1Password could innovate productively here: use some market clout to push for a standard way for password managers to do automatic password rolling without user interaction.
Imagine a world where a standardized protocol let a company put out verifiable "we've been hacked notice" and my password manager would just take care of it next time I opened it (or throw a prompt or something).
There's a couple examples already, including one click credit card information saving (through your card issuer), and their private email aliasing through fastmail partnership.
They're probably going to develop some proprietary, closed source authentication SDK, that's not compatible with other password managers, and bribe websites to use it.
Your choice eventually will be entering a standard password and specifically engineered to be annoying CAPTCHA, or pay for 1Password. Use Keepass or BitWarden? CAPTCHA. why? "Security".
Surely there's still room for some innovation in the authentication space?
I remember a few years ago Steve Gibson was working on a certificate based system called SQRL and it sounded pretty cool to me. Maybe 1Password have some ideas of their own?
Sounds like they've noticed both macOS and Windows getting integrated cloud-based password management capabilities and feel the need to branch out in order to stay one jump ahead of irrelevance.
(Disclaimer: I'm a satisfied 1Password customer. Just noting that their competitive edge is wearing razor-thin these days.)
Agreed. And with Edge/Authenticator, it's cross-platform as well (Windows, MacOS, Android, iOS), and as of recently, it's close to feature parity. We dropped our Lastpass subscription. It's probably families like ours that has 1Password worried.
Apple provides a plug-in for Chrome to allow use of your stored passwords on Windows. Announced last year. I've tried it on Windows, appears to work, but do not know how secure it is.
---
Edited to remove references to Linux. Appears to be Windows only.
Apart from “works on stuff you didn’t buy from Apple” (a feature that I think isn’t in Apple’s interest to support well), what major features does it have that keychain syncing over iCloud doesn’t already have, or could easily add?
It goes beyond passwords. I use 1P to store documents, 2FA codes, IBANs, notes. You can also attach arbitrary metadata to each entry, and I don’t think there’s the ability to filter by category in the iCloud keychain.
Shared family vaults are the big thing for me -- I don't want to share _all_ of my passwords with my family, but 1P is a good way to share stuff like streaming service logins.
That might be because they want to make their own services more attractive (if so, I think they made the wrong choice), but also could be a legal thing.
https://www.apple.com/family-sharing/: “You can add anyone to your Family Sharing group age 13 and older and invite them to share an Apple Card”, so members of An Apple iCloud ‘family’ neither have to be family members nor live at the same address.
That’s broader than, for example, the TOS of Netflix (https://help.netflix.com/legal/termsofuse: “The Netflix service and any content accessed through the service are for your personal and non-commercial use only and may not be shared with individuals beyond your household”)
Apple might fear getting sued if they make it easy to share a Netflix password with members of a family plan.
Considering that Netflix’s ToS and Apple’s Family Sharing both say that they’re only meant for people in the same household, I don’t see “Apple might fear getting sued” as an issue.
Where do you read that for Apple’s services? Reading the “Apple Media Services Terms and Conditions” (at the confusing URL https://www.apple.com/legal/internet-services/itunes/), it doesn’t mention household, always spells “Family” with a capital letter, and as far as I can tell, only mentions these restrictions on who can join a Family:
“Family Sharing Rules: You can only belong to one Family at a time, and may join any Family no more than twice per year. You can change the Apple ID you associate with a Family no more than once every 90 days. All Family members must share the same Home Country”
They would've immediately halted cross-platform support or at least severely limited it due to institutional/organizational issues. Any 1Password subscriber not using an iPhone would soon be unhappy.
Although this could happen, I think it’s unlikely. Apple knows it’s a services company as much as a hardware company now. If you look at their existing services, they are not excluding non-Apple users.
- Apple Music has a web UI and Android app
- FaceTime recently added 3rd party links allowing non-Apple users to join calls
- Keychain is being made compatible with Windows Chrome
It’s clear from raising this much money that 1P owners are doing a “private IPO” or adding more products and features. If it’s a cash out, wouldn’t you want a privacy focused company to buy it instead of VCs funding it and expecting a return? If they are building new features and products, Apple buying it could bankroll that and temper price spikes.
This is exactly what I'm referring to. I put up with Apple's website for more than a year as my primary casual-use computer became a Windows PC.
I work on iOS apps for a living. App Store Connect has always been terrible. Bugs linger for years. Elements continue to break in unexpected ways. The place where developers receive feedback from Apple is still hard to find even though it's immensely important. The website received a major redesign a few years ago and the bugs were still there!
Now apply that lack of care to a music website. Being forced to login daily. Asked to perform 2FA daily, so I need to keep my iPhone near me if I expect to play music. Songs inexplicably not playing, if play fails repeatedly, maybe a page refresh will work. Songs inexplicably only playing previews, forcing you to log out and log back in. Zero effort to restore your previous searches.
Apple makes attempts at providing services on the web. But for those of us attempting to use those services, the experience varies from subpar to outright hostile.
> Keychain is being made compatible with Windows Chrome
Again, see how people review this in this very thread.
---
Simply providing the service does not mean it's good. That's what I mean by "institutional" and "organizational". They half- or quarter-ass what they ship, and then they leave it to rot.
So what's the pitch to the investors then - they'd arguably need to disclose this possibilty? Or is this next level of pumping up before dumping on public market via IPO?
Maybe you can't. Everybody has their own risk tolerance, but at some point, everybody's going to have to draw a line. Maybe you're only storing passwords for local services, but almost all of the credentials in my password manager are for services run on some cloud. Even then, did you evaluate all of the code for each of those services? How about the compiler code or the chips? Dell shipped out machines with a hardware trojan in 2010.
I have separate instances for work and personal accounts, so one breach wouldn't affect the other. Since my passwords are distinct, the number of accounts that would actually be useful to them is minimal, and fraud response is a pretty important metric in deciding what companies I do important business with. Identity theft is a problem, but all of this is probably more likely to be leaked in some other database, like the Equifax hack, than through an account compromised in a password manager cloud storage breach.
My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable. I think things like coordinated attacks where they social engineer their way through 2FA— which have been seen in the wild— to present a greater real-world concern.
> Maybe you can't. Everybody has their own risk tolerance, but at some point, everybody's going to have to draw a line.
I'm in agreement with parent, I think putting your passwords in the cloud is a wild single point of failure. Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.
I think people (in aggregate) just don't care about the risk and will take the path of least resistance. They don't have to draw the line there, but they will.
> My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable.
Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).
Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?
I'm a bit of a crank though. I don't do any of the smart home stuff. I see my phone as a necessary evil. If some company shoehorned an app or a WiFi connection into their product, I don't buy it. After being in tech long enough, I just want things that work for me, not for the company I bought them from.
> you're always a silent update away from it all being dumped on the internet.
This is true of all password managers that have any ability to connect to the internet. You’re one silent update away from your manager suddenly uploading all your passwords to a random endpoint in Russia.
Theoretically, if you audit the source then you only really need to care about updates to the actual code. If it doesn't do silent updates then it can't change underneath you, even if it does some kind of network operations.
Its not fool proof, but it feels better than a black box that could be a different black box tomorrow or after the next acquisition or round of investment.
> Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.
This is also true for your operating system updates, browser, browser extensions, compilers, the infrastructure for your email service provider, any libraries those things use etc. Not to mention your local password manager. Even if you don't accept push updates, do you evaluate the code? What if the vulnerability was timed to pop a few weeks after release? What if it was included in an update that patched a major vulnerability so you went faster than your normal process afforded? Even if you have a local firewall that stops external connections from unrecognized programs— what if it's a whitelisted program or the operating system or the firewall itself?
Why would you a password manager's encryption less than you would trust your email service's encryption? I'd bank on the password managers' being a lot more robust.
What about RATs that could access your local password database? RATs are a lot more common than cloud service breaches.
And as I mentioned previously, Dell shipped a hardware trojan in 2010.
There are tons of single-point attack vectors in this chain. I'm not a security expert, but storing encrypted data in cloud storage seems less likely than others be a viable target.
> Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).
> Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?
Let's say they did compromise your email account. Since only a few of your accounts are genuinely consequential to nefarious criminals, the number of password resets they'd need to execute might set them back, what— 5 minutes if it's not scripted? And all of it is moot if you use a 2FA method aside from email? Beyond that, considering how much more frequently email accounts get compromised, singling out the storage location for password manager databases seems pretty arbitrary.
I just don't see how the opposition stands up to a comparison of attack vectors.
Agreed, those are already risks, and ones that are a lot harder to mitigate (though I do try where I can). Does that mean I should add another one that I can easily avoid?
There are risks in both local and cloud password managers. Maybe those risks seem equivalent to some folks, and the cloud features are useful enough for it to be a no brainer for them. For me, I don't at all mind manually backing up and manually copy/pasting credentials, and I don't miss the convenience of the cloud features.
> Let's say they did compromise your email account ...
This seems focused on the case of a dedicated attacker focused on you specifically. Id think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
In any case, I agree risks already exist in other places. For me in my specific set of circumstances this just seems like an easy one to skip.
Hey— whatever works for your setup. Especially for those who don't use a smart phone and have one machine, it's probably a minimal loss in functionality.
> Does that mean I should add another one that I can easily avoid?
All other things being equal? Avoid it, of course. I firmly oppose letting perfect be the enemy of good in the sense that more secure is better than less secure even if it's not perfectly secure. But I also oppose it in the sense that rejecting beneficial functionality because it's not perfectly secure, especially when it's not close to the biggest or most attractive attack surface, doesn't make sense. Even when password managers' servers were compromised— LastPass, for example— I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
> This seems focused on the case of a dedicated attacker focused on you specifically. Id think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
Nope— If it was automated the distinction is even less significant. A script would only need to search your email for whatever specific types of logins it supported and fire off password resets. Non-email 2FA becomes even more of a hurdle without the option of social engineering it or some other human-touch fix.
Consider this. (very) Roughly, this is the market penetration for these products:
* computer: 90%+
* smart phone: 85%
* tablet: 50%
* computer, smart phone and tablet: 40%
Most people (in this country, at least,) have multiple devices. Most people have internet access. Most people aren't going to be able to manage storing and sharing passwords among their devices at all, let alone more securely than cloud storage would do it. So for most people's use cases, it would be like citing health when refusing to put a teaspoon of sugar into the cup of tea they're having with cake and ice cream.
So like I said, avoid it if it doesn't improve your life— I have no stake in your password management choice— but I will actively butt in to qualify the sentiments expressed in this thread because, a) many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD. Cloud-based password management is vastly superior to regular folks' existing methods. If they're put off by technically savvy people saying they're fundamentally insecure, that is the embodiment of perfect defeating good.
> I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
Can we actually know this? We only know about the breaches that we're told about, or that are found and disclosed by researchers. I'm not familiar with KeeFarce, but presumably attackers need local access, in which case you're boned anyway.
> ... many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD
So this is the part that I worry about. I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits. I'd love to be proven wrong, but I imagine in 10 or 20 years we're going to have a very different attitude about these things, sorta like people who were using xray machines to size shoes before they learned about the effects.
Once any info gets to the cloud, its out of your control forever, and its in a place where it can be attacked by the current ~8 billion people on the planet, and all the new people coming along after that. Its an impossible task to defend against that. Not to mention as someone like lastpass grows, what could be a juicier target than that? Why try to pwn individual services when you can just get all of the legit credentials at once from one place?
If the options are only use the same 6 character dictionary word for every account, or use a cloud subscription password manager, I'd probably recommend the latter. But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution.
In the past I've recommended a local password manager with generated passwords on your one machine that you do anything sensitive with. Back it up on a thumb drive once in a while. For your most used accounts (e.g. email) that you really want to use on multiple devices, use long memorable pass phrases and just enter them in. Some people might think this is primitive, but its not that hard and it should be plenty safe for most people. Its just not as convenient.
> I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits.
> Once any info gets to the cloud, its out of your control forever.
You're propping up a straw man using a hyperbole.
> But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution[...]
And then presenting your original assertion without any more evidence.
But that's all nearly beside the point.
The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
The entire point of password managers is to mitigate this. You need to compete with the psychological ease of re-using the same password repeatedly because that's the only way regular users will use it. Then, you can warn them when they're entering credentials into a site where they don't belong. You can warn users if a service they use was breached. You can warn users that their password is weak or reused or old and give them a quick solution rather than leaving them to figure it out. You're making it easy for them because that's the only way it works. If you draw two barely kissing circles on a sheet of paper, that's the Venn diagram of users who care enough about electronic security to deal with the extra irritation of using strong unique passwords but won't use an automated system to do it.
So maybe the second-weakest link is the credentials themselves, and the third weakest link is the collection of websites users submit their credentials to that don't store the passwords in AES-256 encrypted vaults with no local master password storage, like password managers do, and the fourth is probably the browser, etc.
Everything we know about the actual empirical risk of these components points to password managers, in general, being close to the bottom of that list. Prioritizing anything but the most blatant password manager security flaws over even minor user convenience will have a negative net effect. When it's a risk so obscure that we have no documented instance of it occurring among thousands of documented instances of breaches occurring in other services, I'd argue it's less safe.
If you're going to base your security strategy on intuition about our relationship with cloud services, go for it. Personally, I'll leave the faith to the priests and stick to attack vector analysis and balancing limiting attack surfaces with solutions that work most easily for most people, because that's the only way they'll use them.
Does that mean that you agree that we can't know the extent to which things have been exposed? Cause that's part of my point. Of course you can flip that around and say well you can't prove that nobody compromised your local machine, but one of those things is open to attack from many orders of magnitude more attackers by virtue of being on the open internet and in a physical space that you don't control.
> You're propping up a straw man using a hyperbole.
You're cooking up a tasty word salad there, chef. Can you give me a little more meat here? I don't quite follow. Have you never heard people say that you shouldn't write an email or send a picture that you wouldn't want to see in the newspaper? Its a similar concept. Once you send something out over the wire, your power to make decisions over what's done with it is gone. You have to hope that whatever was listening on the wire is (and will continue to be) benevolent. How do straw men and hyperbole apply here?
> The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
> The entire point of password managers is to mitigate this.
I agree. That's part of why I use a password manager, and recommend that others do so too. We just disagree on whether or not its advisable to cede control over that kind of tool to a third party.
It feels a lot like the argument that your money is safer in a bank than in your mattress, which is an argument I agree with. Except replace all the banking regulations and security with a ToS that can change anytime and emails about how very deeply we care about your security. I'll keep my cash in my safe at home in that scenario. Maybe there are some people who'd still be better off using that bank. I wouldn't feel good giving that recommendation though.
I know what a straw man is, but you just naming the term doesn't constitute an argument. Maybe a more clever person than myself could have intuited what you believed was an example of one, but I couldn't.
Russell's teapot is a new one to me. It seems you're position (correct me if I've misunderstood, or don't since you don't seem interested in the conversation anymore) that since we don't have definitive proof that we can't trust these third parties, it's wrong to distrust them. I'm too paranoid to buy that. If I can't verify, then I don't trust. Good luck with your better things.
> You can never trust cloud-hosted password managers..
If you examine the source code of a client (for example bitwarden) and make sure that it's not leaking your master password and then compile the soft yourself and not update - you'll be pretty safe.
This will make it similarly secure as e.g. keepass, because even for keepass you should be sure the source is legit
Technical trust is one thing, but I think the trust GP is referring to is more of a trust in the company's commitment to the business model. Password Managers aren't sexy. There isn't a ton of disruption possible in the field, so these companies may tend to look to expand beyond password management or get acquired. This in turn can mean the password manager product will be left to rot.
You can never fully trust any password manager unless you audit all of its source code and compile it with a compiler whose source code you have also fully audited. Good luck!
I really hope this means new product offerings with no impact on existing products, rather than "fucking with the product b/c it doesn't make us enough money".. which I'll dub corporate Marak syndrome..
Also, JetBrains syndrome - where you barely develop existing products because making new products makes you more money. Happens with kick-starters and games on steam as well.
To me it means the contrary. If they had to make those $620M back by just selling password management, then we'd all better expect it to get crazy expensive soon. But if they branch out and start making money on other products and services too, then there's a chance the product I currently use will remain affordable.
1. native app (no bullshit JS based) for speed
2. the same keybindings CMD+\ or Option+CMD+\ to fill in or pop up the menu
3. sync with icloud
4. not look like total shit (ie. lastpass)
Do these basic things and I think you can easily steal 1pass users.
I found Keychain quite horrible. Everything is or at least felt just too abstracted away so that I don't feel in control of my secrets. Might have been just the UI though. And then it's obviously not crossplatform by default. Sync your password database between your Android phone and Mac? Nope. So it's another step into vendor lock in.
All of them? There isn't a single good KeePass client on macOS.
Strongbox is the most polished but doesn't offer browser integration.
KeePassXC has a terrible UI, and MacPass doesn't remember your key file between sessions. Both require staying in your Dock and need the janky KeePassHTTP-Connector to work with a browser.
I'm surprised they haven't bought Rainbow or Metamask or made their own crypto wallet yet. Combining their current browser extension with private key management in a crypto wallet makes a lot of sense to me.
Eh. I used to use 1Password long ago, when it was still a "normal" app (one-time payment, not trying to become a unicorn). It was easy for me to switch password managers (my needs are modest, and I generally like to break my app habits once in a while). My journey included (1) self-written manager; (2) LastPass; (3) pass CLI, and (4) Bitwarden (free tier).
I'm now a happy Bitwarden user. It's ugly, and I'm a UX designer, but it's the least worst! (to me)
1Password is vastly superior to Bitwarden from a UX perspective, and considering that's literally the only reason I have a password manager, that is, by far, the most important thing.
If you think "security" is the reason you have a password manager, how come all of your accounts are tied to your email address? If you just wanted security, there are, by far, more secure tools and practices you could employ than Bitwarden (among them keeping a notebook of passwords on your person at all times).
Your comment reads, to me, as a signaling effort. "I'm aware of bad corporations and I don't support them!" is less strong of a signal than you may think.
It's funny how subjective this stuff is. After using BitWarden for a while I switched to 1Password and greatly prefer the 1Password UI. BitWarden has too much in common with Lastpass, and I hate Lastpass' UI.
Keepass + GDrive/iCloud is going to be the recommendation I provide my friends and solo business owners in an upcoming presentation.
The file itself is under your control, apps are cross platform and desktop, and it is pretty intuitive.
That plus either 2fas (allowing for local token backup) or Authy (encrypted cloud backup) of MFA, and I won't hear about Instagrams getting pwned again.
Raising hundreds of millions of dollars for a built, profitable product with a tight scope and millions of users usually means the product scope will increase as part of their new remit to drive shareholder return. If people liked the existing tightly scoped product, and for password management simpler is better for many users, this investment indicates the product will necessarily move away from the existing use cases as a condition of accepting the funds.
They will probably invest in business integration/sales. TBH we need more password management in this world and not less. Increasing scope in enterprise domain means reaching users who would otherwise just use post it's for the passwords.
I think lotsofpulp is on to something, but the other major possible answer that comes to mind is moving more into the enterprise space. If that happens, it'll no longer be for "us" because if they succeed, they'll inevitably make much more money in that space and be all but forced to pivot harder into it. That'd be much less of a betrayal than selling more data, but it would still mean that slowly but surely it would simply focus less and less on single user concerns.
IMHO it isn't intrinsically impossible to serve both enterprise and single customers, but the business people will always be internally grumbling about the slight additional expense that doesn't have a good ROI vs improving their enterprise product, and the marketing team will want every other screen to be an ad to upgrade to enterprise which discriminating users will rapidly get tired of. It'd take strong and even a bit quirky executive leadership to overcome those issues. Not impossibly strong, but strong.
Edit: Also, they don't have the option of slathering their app with generalized ads. Running ads in the context of a password manager would be insane and lose all their thought-leader users in a heartbeat, permanently. So that door is not open to them.
1Password is a SaaS utility that provides a tool for generating and storing login info and other sensitive information.
To me; that’s immensely valuable, but it’s solved for most by a combination of just using the same passwords or, on iPhones, iCloud Keychain.
Now some folks have dumped the better half of a billion into a tool I pay about $35/year for and is basically feature complete. They’ll want a return on their investment. How do you expect 1Password will give it to them?
Doesn't always lead to that but...now that the company has these investors who demand returns the company no longer has alignment with the customer. The needs of the customer and the needs of the investors are in direct opposition.
Only Sith deal in absolute slippery slope fallacies. Besides, this is a paid product with steady MRR, there's plenty of growth to be had without compromising the product. The recent integration with Fastmail for one-click creation of disposable addresses is a great example.
Hashicorp has an 11+B market cap
Okta has a 30+B market cap
The view I keep seeing here of 1P as simply a 'password manager' is myopic... It's one of their products, and currently the most visible, but it's just 1 product.
Purchased a single license for $60 back in the day. Backed up my vault to Dropbox.
For a few years, it was the best app I've ever bought.
Now with the upgrade to monthly subscription, my Windows machine is stuck on a crappy legacy version of the app. I get that every company and their mother wants that $A$$ money, but I truly miss the simplicity.
Everyone who’s just looking at this as a simple password app might be missing the boat. One killer feature for enterprise customers is teams can share secure variables as well as new credentials for services. Now I imagine a world where 1Password can be a secrets manager for your environments. I know a lot of cloud services offer this already however they’re not always great, and since most of your org may be using 1Password this would be a huge value add.
I think what this is fueling is the ability for 1Password to grow beyond a password manager to handle other sensitive sharable data
Every time I see such a pre emptive money grab (1p doesn’t need all this money upfront- they could fund new features and growth from paying customers) I know that prospective users will have to pay back a multiple of the 600M back to the investors.
Why would I choose 1pass, knowing that they’ll want even more money in the future, in perpetuity, when free alternatives exist?
I also feel like it makes them a super juicy central attack target for both commercial and state sponsored hackers.
Back in the early smartphone days one of the last mobile games that I recall that simply cost money and didn't nag you for in-app purchases was Angry Birds. You may be tempted to correct me because modern Angry Birds looks nothing like this. Trust me, it was once $1-5 and that was it. And it was pretty popular for a time.
Anyway around this time Rovio (the game studio) raised $42M [1] and I distinctly remember thinking "well that's a huge mistake" and "this is the end".
Companies that produce creative content just don't scale in a way that's compatible with VC. I include game studios and content creators like Netflix in this. Netflix is a prime example of how you just can't throw money at creating content and become HBO. While I agree with Netflix's need for original content, it's become so expensive that their monthly subscription is now too expensive for many to just have and ignore (with the recent price hike it's more expensive than HBO Max).
Anyway, I use 1Password having previously used LastPass and pay for it. I have a bad feeling about this funding round because what can possibly justify it?
To those who argue there are free alternatives, that's true but any I've used just aren't as good. It's not just generating and storing a password and filling out a form. So many companies have subtleties that make this annoying. Maybe it's the username on one page and then password on another. Or the form filling out is incompatible with some shitty Javascript or whatever. This is the real value of 1Paswword.
And can I just complain for a second about how some sites (I'm looking at you American Airlines) add a third field (surname for AA) for no reason whatsoever, which is just awkward for a password manager.
I did learn from this post about the Fastmail integration to automatically create one-use passwords. This is a feature I've long wanted and I'm surprised that Gmail doesn't do this because it seems like such an easy win for users. I may have to sign up for that.
I've been using 1password for years and so far haven't had any problem, all apps (desktop and mobile) work great, but I don't understand why they would need this kind of money, especially considering it's not free or cheap service.
I don't know if anybody uses Edge like me, but I feel like people should know that Edge with Authenticator works VERY WELL for password management. It is very close to feature parity with Lastpass and 1Password, it's cross platform, and it's free. After something like eight years, we dropped our subscription to LastPass.
How easy is it to use with random notes/apps on mobile? Some reasons I prefer a non-browser manager:
- On Android/iOS, 1P will integrate with the system password manager APIs to sign in to apps
- I can generate/store arbitrary password-like things (SSH key passwords, secret question made up answers, 2FA backup codes) that are not associated with specific domains. At least in Chrome's default password manager there wasn't a way to do something like this.
On iOS, at least, when prompted for auto-fill, you can random search for other passwords. It doesn't really have a "notes" field, but you can definitely save a password without an affiliated website.
Congrats I guess? It's been incredibly disappointing as an end user who has been on a local vault for something like ten years to be told I have to use the cloud offering if I want a version of the 1Password app on Windows that is actually equivalent to the Mac version.
It's just about as annoying as being required to ( pay for the upgrade ) to v7 in the first place because they couldn't ( or wouldn't? ) fix the code signing issue on v6 that broke browser integration a few years ago.
I really like 1Password, honestly, but I wish there was a long term support standalone-license version that just gives me the basics and local/dropbox vault storage. I explicitly do not care to rely on another cloud service, especially so for my vault of private information.
I’ve been using the older 1Password 6 version for a long time with Dropbox syncing. This is the version that still had perpetual licensing.
And it works just fine. I can see why they’re pushing so hard to force everyone to their paid SaaS service: I haven’t paid them additional money in years and yet my setup works perfectly well.
Eventually, though, one of the browser extensions will stop working and they’ll insist I upgrade if I want to keep using it.
My only hope at this point is that some other company will come along and make a password manager with equivalent UX (the only missing piece from competing products) and undercut them. Surely someone can do it with, say, only a couple million dollars invested instead of hundreds of millions.
Used 1Password for years and years. Being forced to have my password database leave my control and be hosted by a third party, AND pay a subscription fee for the privilege was a bridge too far.
I now have a vault-warden docker running on my Synology NAS at home. I have Bitwarden running on my computers and mobile devices. I have no ports open to my NAS. I'm using a UDMpro router and have an L2TP VPN configured. This allows me remote access. I pay nothing and I'm in complete control of my password data. This has turned out to be a wonderful setup and I'm very grateful that it's possible.
How many people are actually going to change away from their current 1 password account as a result of this OR how many will watch 1 password and make a move in the future if product lowers their quality vs how much of this comment thread is people expressing viewpoints but aren't tied to the product in a real way?
Obviously tough to validate but I feel like a lot of the comments are just knee jerk reactions without any real action tied to them. Curious if I am on the margin of comments though.
I assume many of us are hanging on to older 1Password versions that offered perpetual licenses and Dropbox syncing.
Once those eventually stop working (OS update, browser extension changes) I’ll be switching. But I’m not going to proactively change because there’s no reason to.
The 1Password SaaS isn’t terribly expensive, but I would have spent $100+ more on it for the exact same functionality I’ve had with my perpetual license for the past several years. I have no intention of spending more money for the same thing and having the overhead of managing yet another SaaS bill.
Skimming through their jobs board. Their are approx 100 "talent acquisition" roles open. Engineering is like 20 roles. What the hell are they going to do with so many recruiters?
I guarantee that those 20 eng roles represent 100s of actual positions.
You need to staff up talent acquisition before you staff up talent.
Also they'll probably be growing their sales team also.
I will still recommend 1Password over Bitwarden to non-tech people because their whole UX journey is so well crafted that even my parents can understand it on their own.
The valuation is most likely based on that and the potential growth in that market.
I use and pay for Bitwarden but even I always get lost in the clunky UI and get frustrated by basic tasks (to a point I am considering switching). And it only gets worse when you have multiple teams and all the secrets are mixed up.
I am surprised people are worried about 1Password getting this money and not caring about their users. How about at least they have money to be alive for the foreseeable future. I am worried about free password managers because they are broke and could sunset the app at any point and now I have to go find something else, or better yet, no financial incentive to do the best thing for the app. They do it for fun. My security is not for fun. LOL
620m at a 6.8bn valuation is staggering. If they IPO at 10bn in a year they need a plan by then to grow towards a 30bn valuation, otherwise doing an IPO makes no sense. That is unbelievably ambitious for a password app.
The founders are clearly willing to bet their company on their expansion plans. In the post they allude to expanding to the security space more generally. Curious to see this develop in the coming years.
First question is where does password manager spend that amount of money. Second question who gives that amount of money to less than 10% of password management company... Sure it can have billions of users, but still it is in no way novel or complicated product. In sense it takes anywhere near that sort of money to build or manage...
I can see the use case for these online password apps.
But I can't for the life of me understand why KeePass isn't the defacto gold standard.
It's secure, open source and you have control over the data. I would never for the life of me think of storing my important passwords with a company ever. Am I over reacting?
Have you ever tried 1Password ? I think most people who tried both will tell you that the experience is night and day. Cross-device, cross-app integrations, password sharing, etc. Like most old-school open source software, Keepass was built without UX in mind at all.
1Password lost me when they went subscription model and required mandatory servers on their system to keep it running. It went from being one of the best password storage solutions to one of the worst. I'm still using 1Password 6 as that was the last version which could run offline.
In the pre-cloud days, Dropbox was the go-to option for syncing 1Password. But Dropbox have also restricted their free offering (3-device limit) since then.
I didn't mind paying for 1Password so much, it does its job well across multiple platforms and devices, and it got me away from some very bad password habits.
Secrets was my favourite out of every password manager I tested, it's like 1Password before they started removing core functionality and implementing useless features requested by someone in marketing. It's only missing the ability to have shared vaults which sadly is key to my needs.
Regardless of the TAM of secret management and the enterprise market for it.. this is a ton of money. I don't fault 1Password for taking it if it was offered, but I personally find it off-putting. How can the market opportunity be so compelling to justify that level of investment, but at the same time require that much capital infusion to chase? If there is enough demand it should be possible to balance funding from external investment and cash flow. They've been around 17 years, so my hope is it is just early investors cashing out on a $7B valuation, which seems doesn't seem unreasonable. It is hard to know without more details.
I have 1Password installed on my Mac and in my browsers. Yet for some reason I’m constantly asked to enter my master password. Like 20 times a day. Rarely does it accept just ny fingerprint. Rarely does it work without forcing a reload of the browser. It seems like the different apps and browser tabs are constantly competing with each other and making my day miserable. Anyone have a solve for this? Am I the only one?
I wish it just worked so that anytime I needed to fill a password, I just scan my finger and get right in. Why can’t it be that simple?!!!!!!!
1password handed out a $70 off $70 purchase (or the approximate cost in CAD of their family plan) Amex credit last year. Paired with Rakuten, I made a profit by purchasing it. Now I can see why they did it.
Jesus Christ this is infuriating. Now I have to go find a different password manager that will just take my money, be profitable, and not become another fucking SV unicorn horror show capitalist wet dream.
I predict the way and death of all "cloud companies" that start out doing one thing well; they'll add features and document sharing and what not until it becomes an unholy mixture of Dropbox et al trying to "compete" with Office 365 for some reason.
1. Expanding into new markets. "Secrets management" is not easy - 1Password is currently handling it for humans but they intend to handle it for services as well, likely competing with Vault.
They could launch a full identity provider like Okta.
2. Perhaps managing other authentication methods. Passwords are dying, especially with webauthn, so it makes sense to tak eon some money to explore how to be a player in that space.
They could compete with Duo, for example, and start offering a 2FA service.
Basically, I expect that the vast majority of this money will not be going towards the 1Password that you use today but instead towards breaking into new markets. Given the size, probably new markets that are somewhat established already.
Today 1password is largely a product for tech people. Nobody around me outside tech circles is using a password manager, at all. They have the whole world to conquer!
I can envision them (sadly) bought by a larger actor in a few years, at a huge valuation.
That's funny, I only know 1password as that enterprise password manager that no nerds use, only normal people that work for not completely tech-unsavvy companies.
I don't know anyone that uses 1password privately.
I used to use Lastpass but once they were bought out, I bailed. Anytime I see these types of Password articles I always like to share that I've been using Dashlane for years and love it. Multi-platform and now its all browser based. The iOS app is great too. It also includes a VPN with the pro plan.
https://www.dashlane.com/cs/1k5JfApcebh1
Tbh, since using Firefox Sync, I have no idea why people would need anything else to manage their passwords ... Can anyone enlighten me why I would need 1Password?
Firefox Sync lacks basic functionality of a password manager. Storing notes, storing card information, sharing data securely with other users and so forth.
It uploads your passwords to their cloud. How is that okay? The key thing with a password manager is disjoint processes. You don't want the cloud provider to also be the password manager provider. A single breakin/rogue employee/government warrant and you passwords are exfiltrated.
Your "one password" is part of the encryption key for your 1Password vaults; your passwords and sensitive information stored in the vault is encrypted before it hits 1Password's cloud.
Exfiltrators would need your master password to get in.
I've no idea why would profitable company that does password management ever need to rise such amount of money. This could be an intro for big exit, who knows.
They will literally have to throw their users under the bus, limiting features and increasing existing plans. Expect 50% price increase in the next 6 months, alongside with some "great feature" with which they'll try to justify the price increase.
I mean, I think each of these products does branch out and starts to build enterprise tooling, management of stored information, maybe anti-virus and browser safety tools as well.
Seems like each of them reached their valuation going above and beyond just a "store your password securely" product.
Great news for a great team. 1Password makes a very solid product and the company genuinely helps improve the security ecosystem for their users (and, through working with browser vendors on things like extension security, all of us).
Hopefully they don’t go all cryptocoin and NFT with the funding… but given their dna, I think they will expand wisely.
I think this type of massive up-round investment is basically an IPO, likely a fair amount of secondary level of exit for founders, employees, and wouldn't be surprised if the seed/first round investors were able to unload a little (if they even wanted to)
Has anyone here speculated they might intend to use such a substantial piggy bank for some radical new aspect to their product [line]?
Not sure what... eg. perhaps some server-facing & app-facing API that would log customers in more touchlessly in a bid to become the SSO nexus of the world.
This on the surface seems like a ton of money… but I don’t know anything about this level of funding / valuations so who knows.
I love 1Password and use it for business and for personal. I recommend it to family and have migrated many people to a more secure setup as happy paying customers. Shared vaults for families are so important for emergencies.
It’s expensive though.
It doesn’t provide a quick way to share a URL with a client that isn’t a PITA.
The interface could be prettier and make more sense. Like why is the “new” button almost a secret location and barely visible.
Enabling two-factor with it is the absolute BEST but was buggy setting up. No simple iOS integration either.
There hasn’t been any super “major” updates in like 2 years to functionality (despite what blog boasts)
List goes on but it’s the best for now.
I can’t justify paying more. So hopefully there huge funding plan isn’t to squeeze little folk and is more for big business.
If Apple just went a little bit further with its manager (or even Google) I’d probably jump ship.
Why does a password manager need that kind of money ? They have their server software, apps/clients and infrastructure in place. They also have customers and presumably earn enough to maintain and grow.
What is it that they plan to add that needs 620 mil ?
As someone who uses the non-subscription version of 1-password (iOS only, syncs amongst my iOS devices but no use on my Mac) I wonder how soon they’ll pull the plug on this.
Wish I could be happy for them but instead I’m worried that I’ll lose what I have.
I have as of yet been able to find a password manager I actually enjoy and doesn't have its share of problems. LastPass, 1Pass, NordPass, Enpass, KeePass...all of them fall short or feel slow/buggy or have poor integrations.
Well, we're using dashlane for free right now and planning to pay for it (It's really cheap). I don't know what would be the use case for switching to this brand since now their focus will be to grow or die.
This makes me want to consider switching away as they know will have monetize so who knows how they will mess with me in the future. Any options out there that supports the same range of clients and are privately held ?
Bitwarden, please for the love of god add multi-account support. I know it's in the works but it's taking too long. I have work accounts and personal accounts. 1Password boiled the frog with pricing.
I love 1Password personally but hate using multiple vaults for corporate . So no company I run will ever use 1Password as it would annoying. B2c forever B2B ain’t ganna happen
I haven't changed my setup of (free) keepassxc in (free) Dropbox in 10+ years. You can even add a standalone version of keepassxc in there if you're worried about needing passwords from a new computer. Usually, simple beats free (Spotify > torrents) but somehow this setup has always just worked perfectly for me.
That being said, for friends and family I'd suggest paying for 1password. Or using a paper notebook. Most alternatives don't have a stellar track record with security.
Google/Chrome offer the best user experience for password management, but I guess many people using 1Password are doing so specifically to avoid Google?
iCloud email hiding generates addresses on iCloud domains, i.e. services will begin to flag them as a commonly-used disposable address provider and disallow them.
Also completely worthless to the vast majority of people who are not on Apple devices.
Also also, 1Password's integration with the email isn't managed by them. They talk to Fastmail, Fastmail spits out an address and tells it to 1Password, who then fills the form with it. I can ditch 1Password at any time, even delete my account, and lose nothing.
Congratulations to all the folks at 1PW! It's been a slog.
I'm very bullish on 1Password. They are the only product that I can use across my entire family and workplace with such little hand holding.
While they've pretty much solved the consumer front, there is much to be done to solve the needs of businesses. For example, right now if an employee leaves, we have to rotate everything they had access to. Their SSO support and API are pretty new, but historically managing vaults and users has been a pain. They're making steady progress.
When I went from lastpass to bitwarden I could simply export all my passwords to a json file and import them to bitwarden. I think it took like five minutes or something like that.
I recently migrated from 1Password using Dropbox for sync, to KeePassXC (Windows, Linux & Mac) and Strongbox (iPhone & iPad) still using Dropbox.
Migration was a simple matter of exporting a CSV and then just correctly selecting the column order for KeePass import.
For those who don't want to trust a third party, even with their encrypted data, I believe that home NAS sync-when-available is possible - I personally haven't tested the implications of syncing changes from multiple devices at the same time in that scenario.
I exported successfully from 1Password 6 onto Secrets and KeePassXC. Only thing missing were software licenses (some attachments may not carry over correctly or show up as notes).
I imported from 1password. I found the following problems.
- Some items did not import correctly at all because the 1password export format did not quote values (CSV). This means that if I have a password with a comma in it, I get two broken entries. This is more of a 1password issue though.
- 2FA tokens did not import and would have to be manually reset. I guess this is to be expected though.
- Some fields had different names than bitwarden was expecting, so values were imported into the wrong destination and had to be manually corrected.
This was a while back so I'm not sure if anything has been improved.
Congratulations. Authentication on internet is still a hugely underdeveloped topic, especially for normies. All the non-IT people basically have 5 weak passwords reused on 100 sites, written down on a piece of paper next to their computer or in their wallet. And of course what they don't know is all of those passwords were leaked 100 times anyway. This is a serious issue in digital society, to be fair.
Lol software like 1pass seem so pointless in days of web browsers with sync and 2fa. Deadset not really much of a reason to use them unless your like...no Microsoft in your stack at all. But I mean your probs burning coin on all kinda stuff if that's the case so paying double for a built in func probably wouldn't surprise me.
you can write your own password manager in a weekend. the encryption code is trivial. it's just a matter of ui/ux. and if you're making it only for yourself, that's not a problem. highly recommended
Ah fuck. They now need to grow at any cost to earn all that money back. And they'll throw their users under the bus, if they have to, because it's either grow like a unicorn or go bust.
Also, I sincerely have no clue how a password manager could be so expensive. Last time I checked, the excellent KeePassXC was still free open source and developed by volunteers in their free time. How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
> Also, I sincerely have no clue how a password manager could be so expensive. Last time I checked, the excellent KeePassXC was still free open source and developed by volunteers in their free time.
Because 1Password is easy enough to use that my wife and I can share a family plan without her getting frustrated. If one of us has a login the other needs, we can easily share it. When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
I've had the exact same experience. It took me about 5 minutes to teach my partner how to use 1Password and its been years since I had to help them use the app.
I've stopped worrying about password re-use or compromise. Now I'm teaching my kids to use it and they love it b/c they dont have to make up or remember passwords.
Yes there are other technically equivalent options but the fact I can get it setup on an iOS device in seconds and trust its used is worth every penny.
Agreed, Keepass file synced on Google Drive. Using this for 4+ years now with 0 issues. Syncs across desktop (Keeweb), Android (keepassAndroid) and ioS (StrongBox). Takes 5-10 seconds to sync.
Also zero need to give any application permissions to access my Google Account. Using native google drive apps on all services to sync the file (just using file picker dialogs with drive app installed).
Got my non tech parents setup on this. 0 questions asked once I set it up.
Also have my partner and I on the same setup...just works.
KeePassDX has its own keyboard that lets you securely input usernames, passwords, and other fields without exposing sensitive data to the clipboard (handy when autofill doesn't handle the field).
I tried both KeepassDX and Keepass2Android. In the end I went with Keepass2Android. I don't remember why I chose Keepass2Android in the end, but I can definitely recommend it.
I like Bitwarden too, but can't dismiss the fact that 1Password is superior to Bitwarden in many ways:
- Mobile UI is beautiful on 1Password.
- The UX from creating a password entry to auto-filling is easily better on 1Password. Bitwarden doesn't show autofill entries on login forms yet. That's a deal breaker, at least for me.
- Account recovery via a trusted family member.
- Additional security measure: private key in addition to master password.
Bitwarden has all those features you listed. I use it every day.
You can setup a trusted family member. You get a master password and private key incase you can't access 2fa. You can setup autofill entries. UI/UX are opinions.
You pay $40 dollars a year for Family, $10 a year for an individual. Cheaper than 1password.
I bought Lastpass when it was $12/year. Over the years and after being acquired, they tripled the price. I miss when technology used to decrease in price and provide better functionality.
Hopefully so, but I'd be willing to pay even upto 100 USD. I store a lot of things on 1Password these days that it's very hard to give up, and very convenient. It's not just passwords; medical documents, credit card details, passport, certificates, private notes.
BitWarden is not free if you compare apples to apples, and sign up for the same features including cloud hosting, 2FA, and family or enterprise accounts.
$620M isn’t for a password manager, it’s financing for a business with an enormous and growing user base.
Bitwarden is free for individuals and couples. So, it's free user-friendly (WAF!!) wise [0] in comparison to 1pass [1]. But much more important thing is the fact that bitwarden is open source and 1pass not. Closed source is deal-breaker for me.
"Crippled" is a big word. It does everything that KeePass would do, for example; it only falls short when it comes to sharing passwords among a group or family (you can send a secret via BW Send, but you cannot have a shared store unless you pay for Premium).
Yubikey and its likes are advanced features that the overwhelming majority of regular users will never need.
"Crippled" implies a degree of everyday suffering in the "cripple", or a downgrade from a previous state of health. The advanced features in Bitwarden were never free, in fact I think some of them were eventually added to free plans too. I honestly don't even want stuff like yubikey support, and could see that as feature bloat!
I don't expect everything to be free, I'm perfectly fine with the freemium model when the set of free features is reasonable - as, in my humble opinion, is the case with Bitwarden. So I wouldn't use a word like "crippled" when it's more like "normal for regular users vs enhanced for advanced needs".
I thought that it had all the same features, just not cloud sync. As far as I know the Yubikey is used for authenticating with their sync server. It doesn't actually help with the encryption
Bitwarden's free plan does have end-to-end encrypted cloud sync with no device limit. The free plan lacks TOTP support, but Bitwarden's $10/year plan does include TOTP support and is cheaper than 1Password's $35.88/year plan. Bitwarden is also open source, while 1Password is not.
I'm referring to Bitwarden Authenticator, which stores TOTP secrets and displays 6-digit codes like Google Authenticator does.[1] This feature requires a Bitwarden Premium account, with the $10/year plan being the cheapest option.[2] (Self-hosting through Vaultwarden is another option.[3])
This is separate from having TOTP 2FA on the Bitwarden account itself, which is available on the free plan.[4]
Well let me ask the much more obvious question, for something as important as protecting your passwords, why on earth would you go with a proprietary service where you have no idea about the security, that could take away your access at a whim without any recourse for you?
> Because much like privacy, password security shouldn't always be only a premium option.
So then who foots the bill? Password managers are the duct tape used to protect a user because we don't inherently trust application providers.
> proprietary code is a deal break for lots of people
Sort of. First, "lots of people" seems like "lots of people" because we're on HN. The wider population doesn't care whether your application is proprietary or not - they just want something that works. Apple's wall garden is proof of this. Second, you can still charge for a product and it be open source. An application being open source simply provides an audit log of the code and allows for "wisdom of the crowd" when it comes to bug and security issues. So yes I agree that having a password manager be openly auditable is a great feature, but I (and many others) likely would rather have the features of strong UX and known tenure (OSS tools get abandoned all of the time) then we would having an auditable source code.
Bitwarden does charge for certain features like TOTP support, organizations, and enterprise features. They manage to have subscription income while remaining open source, whereas 1Password chooses to keep its code closed source.
If you are saying that Bitwarden is worse because it offers a free plan, I disagree. It's nice that Bitwarden offers a security-audited* password manager to those who can't afford a subscription, who aren't ready to pay for one, or who don't have the means to make payments online. Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points.
> Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points
Well said - and this is the important part of the 'non-proprietary' argument of mine (above) - right now I consider 1Password's real customers being their shareholders/investors, not its users - the users are just another tool they use to bring value to their real customers (investors,etc.).
> If you are saying that Bitwarden is worse because it offers a free plan, I disagree.
For the record, I'm not. The overall discussion was that charging for a product was somehow bad. Bitwarden does charge for their product, just at higher tier levels. My bigger point is that you do want a provider that is going to stay solvent so charging money (which Bitwarden also does) is not some perverse way of satisfying customers.
That’s likely because they are used to BW first and was learned at home. This sort of ”phenom” happens all the time and is not only about the actual product.
There will be exact examples of the opposite happening.
I'm looking forward to Bitwarden implementing multiple account logins ("client profiles") [1] on their roadmap [2], before doing a gradual switch away from 1Password. Any time now!
There is the WAF. There is also the part where when I evaluated KeePassXC two months ago, the browser plug-in would constantly desync and require a full page refresh and entering my master password.
With 1Password, I also have to reauthenticate all the time, but unlike KeePass, TouchID works.
BitWarden works really well for me, for example. It is FOSS and has hosted option; Has autofill plugin, android app, nothing required much in the way of configuration.
The only downside is that I can't currently use my privately hosted instance as passwd safe with the chrome browser extension. This only works for the hosted version.
So I can't habe autofill, automatic saving of new/changed passwords and password creation and also use the same vault for the mobile app (Android). The mobile app can access the self hosted vault without any issue.
I would love to fully migrate to self hosted bitwarden, but the browser extension irks me. Maybe it is possible and I am just too dumb to find the solution.
on the login screen, you have a gear icon on top left corner (at least for the chrome extension), there you can add the custom url for your hosted instance.
What about Bitwarden? Open source and has a free plan for two people. The family plan includes one more seat than 1password and costs 20 € less per year
This exactly. "Selling" a password manager to a non-tech person who either uses the same password everywhere or someone who writes weak passwords on post-its is a hard sell. It's a lot of added complexity and more importantly, a different way to think about passwords: you no longer know any of your passwords, except one for the password manager itself.
1Password does a pretty good job of this; as a user I do not need to worry about syncing the database, keeping an app up to date (the website is always up to date) etc.
I have, since the family plan was first introduced, also gotten my aging parents on the plan (so my brother and I — both _far_ from where my parents live — can assist when required) and my brother.
My wife has shifted from merely using 1Password to advocating the use of password managers in general and 1Password in specific (she had a letter read by Peter Mansbridge on his podcast a couple of months ago where she did exactly that).
Nerds continue to fail to grasp the value of UI/UX. This has always been why FOSS and similar solutions have failed to compete in the market in spite of being "free" and often technically superior.
UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
The importance of user experience is only growing as the world becomes more and more time poor and we move more and more into an "attention economy." Saving seconds counts. If it doesn't work instantly it's broken, period.
Here's two ways I can explain it:
(1) If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive. It only makes sense to do this if you have a lot of surplus time on your hands.
(2) If you have ten million users and make a UI/UX improvement that saves them one minute a month and you value their time at an average of $50/hour, you just created about $8.3 million in value since that's the value of the time you just saved.
A rule of thumb that I use is that every step required to do something halves adoption. So if you have a 10 step install process, only 1 out of 1024 people who look at your product will make it to trying it.
Every developer needs to have "user experience is everything" tattooed on their forehead.
Most users don't want to tweak anything related to their phones, tablets, computers, watches. If everything your app does, isn't reachable within 1-3 clicks/swipes/presses, then forget it.
Someone suggested using two versions KeePass files...one for shared passwords, one for not shared passwords. This is NOT a substitute for clicking Share Password and literally not doing anything else.
Someone suggested storing all your passwords in the browser. This is NOT a substitute for having all of your passwords available at the app level on your iPhone. This is NOT a substitute for sharing passwords with your whole family.
I have been hearing about how X11/MOTIF will "end the Windows/Apple hegemony" for decades.
I don't know how often I've heard "X Windows is just as good as Mac OS."
It's like when your vegan friend keeps telling you that "Falafel tastes just like beef."
They have never tasted beef (or they hated the taste), so they don't have anything to compare it to. X Windows is GUI, written by people that hate GUI.
What could possibly go wrong?
All that said, it's a crazy amount of money, and I really feel that the only real work the password manager needs, is to be rewritten in native. Electron is less-than-excellent.
They must have some kind of strategy that goes beyond just being a password wallet.
Also, for some software "everyone uses" like e-mail or an office suite, you can afford maybe some complexity or annoyance. The alternative "do not use e-mail" or "do not use an office suite" is a no go for almost anyone.
The alternative "do not use a password manager" is however totally common. So if you want to get someone with limited time or affordance for annoyance (like your wife) to use a password manager, the process of setting it up and using it better be very smooth and frictionless.
I made the same argument below but I was downvoted to hell.
Bitwarden is not an alternative to 1Password that passes the wife/parent/elder test because the UX is so bad they need to call me everytime something isnt exactly working as before.
Really? I use both (Bitwarden for personal, 1Password for work) and find the UI for Bitwarden to be more complete and consistent. Like if I want to edit a login item, I must open a new browser tab in 1Password. Not so in Bitwarden. I still can't figure out how to consistently trigger the workflow to add a new login for the current website automatically without opening a new tab in 1Password. You click "Add Login" in Bitwarden.
Agreed, I used lastpass in 2016 and tried to switch to keepass. I'm more than technical enough to use keypass and sync a vault across all my devices, but I needed this to be as easy as possible. I know myself enough to understand if something doesn't feel as easy as humanly possible, I'm much less likely to use it. A decent chunk of people are not like this, which is why I believe there is this huge debate over "Keepass vs 1Password". But anyway, I switched to bitwarden and the UX was more than good enough for me. It "just works".
I even started self hosting it this year and it continues to "just work" - although I don't recommend it to most people since I now have to manage a server. I was already self hosting a lot of other things last year (wanted to move away from google/apple services) so the "cost" of self hosting Bitwarden was negligible.
Anyway I know I rambled a lot, but just wanted to chime in and throw in my opinion about bitwarden
I really hope that Bitwarden improves their UI and UX, because I really want to like it. But their Collections and sharing feature is very unclear, especially once multiple people/orgs are involved.
I'm afraid to use it because they co-mingle everything in UI and I dont accidently want to share a personal password with another org.
Being worried of sharing a password accidently is very scary UX
This seems to be a general characteristic of enthusiasts.
To design a good car for people other than car enthusiasts, you have to hate cars or at least be able to place oneself in the shoes of someone who hates cars. People who don't love cars want a car that makes them think about cars as little as possible. The purpose of a car is to carry you from one point to another, not to make you spend time on cars.
Maybe it’s because Bitwarden’s UX is actually quite good? I found 1password’s to be substantially worse when I tried it a few years ago, especially on non-Apple devices. Perhaps that’s changed, but for something so heavily touted for being well designed, I found it to be very disappointing.
There isn't one. I will continue to say this, people will continue to ignore it, and the computing ecosystem for the average person will continue to be locked down by corporations that do not ignore it. Free, open, and privacy respecting technology will remain irrelevant outside enthusiast techie circles.
It's a bit like climate change. Scientists will warn, people will ignore, and then we will abandon Miami and will probably blame the scientists.
Excellent, problem solved. I was thinking somebody would have to contribute UI changes to an open source project, but it turns out flaming people on the internet is much easier.
I can't stand nerds that fundamentally can't learn this nuance. It's like the biggest blind spot ever. There are just so many of them in the tech industry working as software engineers, which is why we have powerful tools that are a pain in the ass to use. It makes me hate software engineers, and I am one.
> UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
Huh, to me it's both. The UI/UX wouldn't be worth shit if their software ate battery like it was free, crashed often, was frequently janky, hogged resources to the point of being a problem, or all the fancy features underlying their UX didn't work pretty damn well without user fixing or intervention. Software quality is part of why their UX is so good, not just design languages or whatever. You don't get their level of auto-magic if you haven't done a whole bunch of things very right in the underlying code & architecture.
They're far from perfect (practically all consumer-facing software is at least kinda bad, IMO) and one can point to a handful of duds that they just can't seem to get right (Xcode, for instance) but I'd put software quality as my number one reason for using them, and I'd point to that as an absolutely vital element in their UX being well above average. It's that combo that no-one else seems able to touch—in fact, it often seems like no-one else is even trying, and I really wish they would.
> Nerds continue to fail to grasp the value of UI/UX.
Or perhaps nerds do grasp the negative value of anti-patterns in UI/UX, and reject attempts to create interfaces and usage models that remove control from the user, create vendor lock-in, or compromise privacy and security.
I think a better way of saying this is that "nerds" (i.e. power users, the type of people typically on HN) want different things out of their UI/UX than the average user. That's the beauty of having different solutions to choose from: the power user is free to use something like KeePass, where it's not as easy to use, but you can set it up exactly the way you like; and the "normal" user can go with something like 1P or LastPass for more of a "set it and forget it" model. The average user doesn't care one bit about the things that you mentioned.
Absolutely; this is the key to the whole thing. It's explained at length in the classic The Design of Everyday Things. Nerds v. normies are given the monikers "Homo logicus" and "Homo normalis". The nerds value control, understanding, and are concerned with edge cases; they accept complexity, workarounds, and the need for preparation as the cost. The latter prioritizes nearly the opposite, preferring simplicity to control, and guaranteed if partial success for the need to understand/invest time.
I think you understate your case. A lot of nerds and nerd culture is actively hostile to making things easy to use and will intentionally erect banners and over complicate systems in order to keep "normies" out and make themselves appear smart.Its rather sad really.
I ditched 1Password in favour of KeePass exactly because of UX issues. 1Password felt too magical and did too much implicit stuff to my taste. KeePass is dumb simple and that's what I need from password manager. I hope that its UX will not change.
> If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive.
This is quite true, but the counterpoint is that nerds enjoy spending that time. We like opening the box, poking at the wires, seeing how the cogs fit together, and tweaking things endlessly. It would be a liability for a normie, but for a nerd whose interest is piqued it's a fun Saturday project. This is why FOSS survives despite the UI/UX problems.
Not the person you were replying to, but I completely agree. I had fun setting up my Raspberry Pi as a Plex host / torrent box / home server.
Where us hobbyists go wrong is thinking any large percentage of customers want to do that. Any amount of futzing is too much. Most people want it to "just work."
This is accurate. We charge twice as much as our competitor and we consistently hear from customers that UI/UX is a massive part of the reason they choose our system.
Copy that, on the family plan, works on all the devices that need it. We trust their shared vault technology enough. 1password is compelling. Not sure it's a billion dollar thing but it's good.
> When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
How about you share one KeePass file for all shared passwords and keep another one for your personal ones? KeePassDX on Android can easily handle multiple files. I agree, it's not a perfect solution but it's rather low-tech and something the layperson might still understand.
I use KeePass everyday and I really love it. But I would never recommend it to a non-technical person over something like 1Password or Bitwarden. It's a great piece of software, but the user experience is about 15 years in the past.
It's funny you mention WAF because that's exactly what kept me away from 1password.
I loved almost everything about 1P but their reluctance to authenticate with keychain means it's a PITA for me, and an absolute deal breaker for my wife.
Has this changed or do you still have to enter your 1P password every time you log in or your session times out?
I agree with you that the 1Password UI is superior. I also didn't mean to imply that KeePassXC would be equal in every regard. That said, feature-wise, both of them solve the same problems for me.
But do you believe 7000 years of work is a realistic estimate for how much effort is needed for KeePassXC to catch up?
I'm using KeePassXC on my work computer and it takes around 30 minutes of maintenance every two weeks when the browser extension can't find the desktop app or bare functionality like "copy password" stops working and I need to reinstall.
I always thought the term was at least a little self deprecating; it definitely and doesn't mean "dumbed down so the stupid wife can actually use it."
There are a lot of technical enthusiasts and hobbyists, mostly dudes, who optimize for dumb parameters that nobody in the real world actually cares about. In this case, setting up a clunky, but fully open source password manager, when there are alternatives with objectively better UX available for relatively cheap (considering you use the thing many times each day).
In the home theater world, for a long time guys would brag about the disgusting monstrosities they've jankily hooked up in their living rooms, but a setup with high WAF means building something that's actually aesthetically appealing and congruent with the interior decor, hidden cords, not having to switch between 4 remote controls, etc.
But you're right - it should probably be SAF (Spouse Acceptance Factor).
Yeah, GP's acronym ain't great. But if you sub out "wife" for "significant other" or just "family" then you have to admit that this is a real phenomenon.
I use pass [0]. To me, it is the best password manager that I've ever used. Command-line-first, free & open source, built on git... it's great, and suits all my needs. From the perspective of someone who spends most of their day behind a CLI, it is "simple" and "just works" more than anything else.
But it's not going to work for my significant other, who is very intelligent but isn't a software engineer. They're not going to learn git so that they can manage passwords, and the app doesn't abstract away git enough for them to avoid needing learning it. Hence, despite its merits, it fails the "SO acceptance factor" or whatever you want to call it.
I wouldn't assume the phrase is casting a value judgement.
I hear the phrase from time to time in aviation. "Have to sell the first plane" / "Doesn't pass the WAF" / "Wife thinks owning two planes it too expensive." I have no reason to believe these folks are not in a loving relationship.
Same thing with email. Everyone COULD run their own email server but it's pretty clear most people don't want to. We also see it with tech companies running their own servers. Again they COULD runt heir own hardware (and some do) but it's pretty clear most companies don't want to. There are decades of examples of where people could run something themselves and having very strong preferences for using a centralized and more user friendly alternative. I don't know why we'd expect it to be any different here.
My wife has this problem. I have a bit more tolerance. There is no else I try to convince to use such software. WAF is accurate but because I don't run it by someone else.
>I, a computer programmer who has more than enough intelligence
>Stop blaming/shaming wives.
It seems like it is you who is equating tech illiteracy with intelligence, pal. There is nothing wrong with being technically illiterate (most people are) and I don't think GP is shaming his wife because of it.
If I may chime in, and sorry for acting like an annoying dude, but I also really dislike the term WAF. Of course the term makes sense if we look at IT and the world historically, but I don't get why in 2021 we still have to act like wives are tech illiterate by default, and also, what about women in IT who have tech illiterate husbands.
I've never seen a "share with family member" feature with a browser storing passwords. Also, this means I and all of my family members need to use the same web browser.
Using a 1password family plan is the only way I've been able to wrangle my parents across their slew of iOS, macs, Android, Windows, and Linux machines to stop typing in passwords.
I don't think browsers let you share passwords between users or multiple browsers. They probably don't let you store secure notes or add extra data about logins.
1password lets you share passwords with other people, even if they don't have a 1password account.
They previously raised $100M in 2021[1] and in my mind the rot has already set in. 1Password 8 is not OS-native and is an electron app. Local vaults are no longer supported - you must use AgileBits's cloud. And 1Password 7 shows non-dismissible ads for upgrading to 1Password 8[2].
Edit: They also inexplicably (and silently) dropped support for the 1Password iOS share sheet while directing users to the 1Password iOS Safari extension (which only works if you use AgileBits cloud and does not work with local vaults)[3].
Edit2: Missed another $200M raise in 2019[4]. That puts them at nearly $1B in VC funding now.
I'm hanging on to 1password 6 for as long as I can. I can't use the browser plugin on firefox anymore, so I have to copy&paste my passwords in, but at least I have my vault stored locally. I also paid something like $70 and had the rug pulled from under me when they wanted to start charging monthly on top of that.
It's not that I expect support forever for software I paid once for, but I think that the monthly, no local vault is worse than what they offered in 1password 6. I am OK with having to manually copy in passwords.
I am using 6, and the classic extension still works for me on Firefox. It was only when they discontinued (and refused to port) the Safari classic extension that I couldn't use Safari anymore.
Works for me on Chrome too, but not Brave (my browser of choice).
Are there any security concerns holding on to 1p 6.0 ? I notice the mobile app still sees updates, but could there be in theory an unpatched security hold in the desktop app ?
Yes but I don't want to use chrome, especially after they break ad blocking.
To answer your question about the security: I don't know. I don't audit it, and copying and pasting lets me not really have to worry about the security of the browser extension.
They have virtually endless developer resources and aren't building native apps?! This is insane. Not only from a performance perspective, but more importantly from a security standpoint. The more they rely on 3rd party code, the more vulnerable they are.
Exactly. Once you raise a bunch of VC money you've sold your actual business to vampires. From now on it's grow at any cost. Add bloat, feature creep, unrelated projects, cost increases, and probably user data mining and sales on top of it. How was their rather expensive subscription fee and large subscriber base not sufficient to continue operating profitably?
I’m amused by the large portion of the Hackernews userbase that seems to view venture capital as an absolute evil, given that this is YCombinator’s forum.
Can you really not think of any examples where VC capital has improved a company, product, or service?
I don't consider venture capital absolute evil (or evil at all), but don't understand why old profitable company with established user base needs to take such ludicrous amounts of money from VCs. What are they planning to do to return that investment? Grow by any means necessary and sell out with all our data to big tech company? As a long time 1Password user I have a bad feeling about this.
Dropbox, Spotify, and Twitter all used VC money to launch/improve their product. Just because you don't specifically like the traunch of VC money that was used prior to IPO doesn't mean all VC is blood-sucking.
There are countless examples of products people use that have had some form or shape. In fact, I'd argue there are rarely apps that anyone uses here on a regular basis that didn't have some form of VC money injected into them. The only one that comes to mind is (1) Basecamp (but technically they took money from Bezos) and (2) Atlassian pre IPO (now public).
I don't think the problem is with capital writ large, but rather the perverse influence of capital incentives as applied to a personal security product.
The value one gains from a personal security product (data portability, availability, accessibility) is often at odds with the interests of capital, which lean towards moat construction and rent-seeking. Over time, in a for-profit company, capital will always "win". Trading equity for other peoples' cash investments only accelerates the process.
For an adjacent example, LastPass never took a dime of VC money (afaict), but their structure as a for-profit company pushed them to lock down their product and charge rents, where they had not previously. If they had taken VC money or went public instead, it may have delayed the inevitable, but it only would have been a delay, not a solution.
People in this thread are disappointed, because these companies began their lives with a compelling, free, and user-empowering invitation, and it is sad (although not at all unpredictable) to see those features taken away by the incentives of capital. I think it's understandable, and I wouldn't read it as an indictment of VC writ large.
> For an adjacent example, LastPass never took a dime of VC money (afaict), but their structure as a for-profit company pushed them to lock down their product and charge rents, where they had not previously. If they had taken VC money or went public instead, it may have delayed the inevitable, but it only would have been a delay, not a solution.
I do not understand. It's a business. Why would anyone expect important services to be free? during ramp up there's a benefit of providing free or discounted services while you grow, learn what users want, estimate your own costs, etc; It was a free ride and you can enjoy it while it lasts. Why would anyone expect a free ride to also last forever?
In my opinion great products need a strong balance of capital and ideals. Capital incentives unchecked by a counter balance of leadership actually believing in the mission of the company can lead to bad outcomes. Pure idealism without adequate funding has another set of problems though.
> Why would anyone expect important services to be free?
I think the "common person" does not see these as growth hacks. The internet is full of things that "appear" free, and have "appeared" free forever.
You have x-ray vision for how these businesses work internally, and you describe the playbook very accurately, but most people do not have this kind of context.
Which makes it hard for those people to distinguish "good people doing good work for the good of all" from the playbook you describe. It's especially hard when the company describes itself as the former externally.
> Capital incentives unchecked by a counter balance of leadership actually believing in the mission of the company can lead to bad outcomes.
This is true. As a customer, depending on the good-will of leadership to counterbalance the influence of capital is depending on humans, and even really good ones are fallible and temporal.
A for-profit company blessed with good leadership today does not guarantee a for-profit company with good leadership tomorrow, a year from now, and so-on. Eventually, within the constructs of a for-profit company, capital always wins.
> In my opinion great products need a strong balance of capital and ideals.
Yep yep, value creation and openness are not mutually exclusive, and one does not have a monopoly on the other.
However, I'd argue that value capture and openness are mutually destructive: only one wins in the end, and the total victory of either marks the death of a business (i.e. something that generates profits for shareholders).
From a consumer's point of view, once an organization gets in the mindset of optimizing for value capture over value creation and openness, it's time to consider moving on.
The paradigm-shift of software is that the victory of openness no longer means the destruction of customer value, because OSI-licensed software can outlive the business.
> This is true. As a customer, depending on the good-will of leadership to counterbalance the influence of capital is depending on humans, and even really good ones are fallible and temporal.
Well, I dunno, you always are depending on the "good will" of leadership. They could decide to squeeze every cent and provide as little value as possible at any time, whether they have venture funding or not. If your alternative is a "non profit", look at Mozilla, plenty of people unhappy with a lot of their decisions and users feeling "betrayed". I don't think we can expect most services to run as non-profits regardless. It's an imperfect system, but is the best we've got so far.
> From a consumer's point of view, once an organization gets in the mindset of optimizing for value capture over value creation and openness, it's time to consider moving on.
I'd argue this comes after the IPO. When you have millions in venture capital, is easy to keep running the business at a loss and keep growing. When it's time to make a profit is when things start getting hard.
I suppose this is what some people don't like. They'd like founders/businesses that stay small and focused on a niche, make money but not too much and keep a good value product running. Without looking at 1Password finances though, even when it was a paid service, we don't know how profitable it was, if at all, and may be going after enterprise customers with this new funding is the only way to not only 'break even' and start making some good profits.
> you always are depending on the "good will" of leadership
This isn't true if the product is FOSS. The Mozilla Company can be a disaster, but that's OK because Firefox is OSI-licensed. It will outlive Mozilla, and one or more community forks will appear to replace it, if needs be.
For example, observe how https://rockylinux.org/ rose from the ashes of RHEL/CentOS, after Red Hat were acquired by IBM.
The lesson is that as long as there's interest in an OSS product, there is money to be made servicing (hosting, bug-fixing, whatever) it. Where there is money to be made servicing it, a business will appear to soak up the demand.
> I'd argue this comes after the IPO.
I think it's purely a function of who your shareholders are, what your unit economics are, and how much money you have in the bank. It can happen to any stage of company. In general, contrary to popular HN belief (not saying it's yours), VCs prefer not to put good money after bad.
There are many public companies that are not relentlessly pursuing value optimization, because they have good unit economics, and have invested in attracting shareholders that are aligned with this idea. They are not starved for cash, and can raise money with low-interest loans when a growth opportunity presents itself.
> Without looking at 1Password finances though, even when it was a paid service, we don't know how profitable it was, if at all, and may be going after enterprise customers with this new funding is the only way to not only 'break even' and start making some good profits.
Like you say, we can't comment on 1P directly without knowing access to their Stripe account.
One might charitably say, their business hitherto was an experiment to see if one could build a VC-scale business around the problem of personal password management. The answer is no, but they can leverage their experience gaining that knowledge into solving a similar problem at an enterprise scale. That's probably how the execs & employees think, and it's a very reasonable take.
Unfortunately, while it's optimal for long-term viability of their business, it's not optimal for the consumer world writ large. While 1P has bootstrapped at the consumer's expense and benefit, building a consumer-facing brand for themselves along the way, it is now all downhill for the consumer from here, because they are no longer the focus of the company.
One can imagine a counterfactual, where they had developed their core applications as FOSS. 1P the business could continue to make money as 1P-enterprise, and "the people" could take over maintenance of 1P-consumer, if there was sufficient interest. The valuable experience they've accrued in building their product would continue to spin off value, instead of slowly grinding to a halt.
---
Don't get me wrong, if you put me in the shoes of some exec at 1P with a fiduciary responsibility, I would do the same thing they're doing. It's the only rational direction. Their decision space is/has been heavily constrained by their initial conditions (accepting VC money, not starting with a FOSS product, etc.). If they hit `git push` to some public remote today, they risk losing the entire network they've been investing the last N years in building. It's not reasonable to expect people to make that trade.
I guess I'm hopeful that people will observe these outcomes, that it may influence their own decisions in choosing the initial conditions of their own projects. Sometimes fiduciary responsibilities contravene social responsibilities, and the superior cure for that circumstance, like with so many others, is prevention.
Yeah I get this, I'm a paying customer. Not overly worried, as long as I can export and move on to another service. I used to be a LastPass user until 2yrs ago. I was replying to the comment about LastPass starting to monetize users (e.g limiting the free tier functionality even more).
I think the big VC raise is often the moment that many companies' relationship with their users goes from friendly to adversarial. I suspect this is because the incentives become misaligned. A bootstrapped company needs to keep its users happy to keep the money coming in for operations and growth. User churn is expensive at this stage. A funded company has other options such as running at a loss to attract new users and outpace any churn in the existing user base.
I cannot and it's widely known how they ruin thing with example after example. I'm sure some VC has helped a few people inadvertently along the way (although it was likely the founders, to the chagrin of the investors, that did anything positive). The VC business is to make money, no matter how shitty they make things, by blowing them up or letting them die, they don't care for anything else, why would they.
I would think most people view YC more in line with the Angel round, which is an entirely different view point; Angel's are actual helpful people who did something on their own to achieve success (not poser VCs) and/or are mentors and coaches who want to give back, but it's unfortunate that people need to go beyond angel to VC, and the expectation from the angels is that you must or they won't make their money.
Just because we are on a YC forum doesn't mean we have to suck the industry's dick.
Viewed that way because it's the truth. It ruins everything it touches, but makes a few rich people along the way. For some that's the goal, but it's absolutely a net negative.
I can think of many times where VC capital has improved a company, in two ways. The first is in allowing a company to scale far more quickly than it could have naturally. The second is in creating connections to other companies, essentially getting a foot in the door to convince those connections to use the company's product.
But rarely improved the product. At best you have a company that does keep it's soul, and continues to improve the product as they would have on their own. Far more often, the product and pricing structure is made worse in the long run through VC investment. It's not necessarily VC interference that is solely to blame, the change in size and scope that tends to come with such investment is a massive hurdle on its own.
Of course, taking VC capital is almost certainly necessary to continue to exist, given you are competing against others who will take that capital and quickly use it to out compete you if you do not. I just view this as unfortunate, when I find companies that grow at a more natural speed to generally create better products.
I don't know. Greed? I've been following the 1Password Saga for a while (long time user), and how they responded to the electron pushback seemed like they lost their initial vision and what made them "in touch" with their users like me.
Reading about it now, it feels like the electron move was a result of the VC money. With pressure to grow comes endless A/B tests, gimmicky features, etc and having too many different platforms means you need to split the work across more devs. Trying to match the extra functionality and have the same look is pretty difficult as a program grows.
That being said I hate that 1Password needs that. It’s just a password manager at the end of the day.
With 1Password 8, they shared news that they were moving from native (mac) apps to an Electron UI/frontend with a Rust backend. They did an AMA on Reddit, but didn't show up for a while and got hammered by their users. Their refrain, until Dave Teare showed up, was "but it will be on Rust and the backend will be faster" and didn't acknowledge why users might be upset with the move from Native to Electron apps.
I think it was a mistake to even involve the online community. Of course nerds want you to build a high-quality native experience on every platform because they are heavily invested in their platform of choice. Listening to these kinds of users at all will drive your business to ruin.
Honestly building on "tech stack power users hate" is probably the easiest way to fire all your worst, most needy, users.
Alternative view: I'm glad to see 1Password obtain abundant financial backing. I use 1Password personally and at my employer. It's really good. I won't switch as long as they keep it that way. Seems as if they have enough money to do that regardless of what happens in the market.
p.s., How is this really different from going public? I'm sure they considered that option. Either way you are answerable to investors.
This isn't sustainable financing -- it's growth financing that they will eventually need profitability to make good on the investment (or drive them into the ground). I also use 1password at work and home, and I'd rather they figure out how to operate profitably without the VC-necessitated hypergrowth.
Yeah, I'm much more worried about their future now than I was 5 years ago. Having to justify a $6B valuation for a password manager means making risky moves into new markets that may not pan out. If things don't go well, AgileBits will be sold for parts. Perhaps to the same kinds of vultures who own LastPass and TravisCI.
It's not enough to be profitable (which they claimed to be in 2021). But even if they are profitable, it's unlikely they generate a lot of cash. For a secure future you also want a nice pot of cash to be able to make investments and to weather dips in the market.
1Password is like 15 or 16 years old at this point, right? The fact that they still need "financial backing" after all that time is extra alarming, IMO. They have raised nearly $1B in VC money!
This has come with all the expected side effects. No local vaults, electron apps, forced subscription payments, etc etc. More VC money makes for a worse customer experience, almost universally.
> How is this really different from going public?
Venture Capitalists are not like the general public. People trading public stocks value fundamentals - a good product that generates _profit_, _steady_ growth, etc. VCs want cancerous, explosive growth and are willing to take the risk that the pursuit of cancerous growth kills the company.
People who own public shares value return on investment, which in today's market is only loosely couple with fundamentals in many cases. It's hard to explain the value of a lot of public tech companies any other way. Rivian (RIVN) is exhibit A.
Not necessarily. Let's say you want to build aggressively to $1B revenues with a $1B annual run rate. Let's further say you pretty much keep expenses and revenue directly in line, so you don't lose money but you don't gain either while building. So, your cash reserves remain the same. As your revenue grows, the cushion you have to deal with a market downturn or seize unexpected opportunities declines. Having a cash cushion up front solves this problem.
I don't have any special insight into 1Password's strategy. But I run a company that is essentially bootstrapped and what I described is exactly how we think of cash reserves. In the bootstrapped case, there's a basic math problem that to maintain a constant runway while growing rapidly you must be cash flow positive by an increasing percentage as time goes on. Perhaps 1Password is just looking to protect a long runway that will get them to IPO.
Big fan of KeePassXC (https://github.com/keepassxreboot/keepassxc).
Works wonderfully on MacOS. I guess 1Password is a bit snazzier, but I'm really not sure what you would use $620M for in a password manager...
> Maybe they'll go the Keybase route and integrate some crypto?!
Well, congratulations, you just proposed a scenario that would make me consider leaving 1Password after all. :)
Seriously, I am somewhat concerned at this level of VC money injection; I'm not intrinsically against venture capital or such, but investors (obviously) want a return on their investment and it's hard to imagine how you get a return on that much investment with just a password manager, even one that's a subscription service.
(I am also not intrinsically against crypto and wouldn't really abandon a service just because they do something that involves it, but most blockchain technology continues to feel like a solution in search of a problem. That's another discussion, though…)
It really makes me wonder what kind of conversations had to happen to bring investors on-board. I don't want to give too much credit to investor types, but... surely this must have thrown up some red flags?
Exactly what kind of moon-shot ideas did 1Password start tossing around to get those wallets open?
I predict we start seeing "Login with 1Password" buttons on random websites next to the google and facebook buttons. I also predict it never catches on.
Hmmm.... I read the headline here and was a little perturbed. WTF does a password manager need THAT much money for.
However, after reading your comment, I hope this is the direction they go. I actually really like the future where I can have instant accounts attached to a more anonymous backend than my social media. I'm sick of things as mundane as my local gym asking for access to my fucking friends list.
Sign-up hurdles are a real thing too. I recently read that it was a major factor to Microsoft's video gaming stream service never taking off.
Based on https://www.future.1password.com/ I'm guessing it will be closer to LastPass's auto-login. It still uses the existing username/password form, but autofills and submits for you.
So a 1- or 0-click login once you hit the login form, as opposed to the current 3-click system (see login list, click to fill, click to submit). And looks like it also might handle the 2fa portion (which essentially makes it 1fa).
I'm guessing this isn't what you meant, but a password manager that integrates with the Credential Management API[1] would be amazing. Would simplify password management a lot if it got widespread adoption, and provide an easier upgrade path to strong public-key authentication using WebAuthn.
That's certainly an eyecatching idea! I'd hate to be engineer in charge of that idea, though... how would you even begin to drive webmaster adoption? Even with the leverage of their massive userbases, Google/Facebook logins are far from ubiquitous.
> how would you even begin to drive webmaster adoption?
"If your users use 1password, they won't keep forgetting their passwords (causing frustration and support burden) and won't use weak passwords that result in account takeovers (support and eng burden). Plus, you and your users won't be beholden to the whims of fb or Google".
Passwords are boring, hard and important. Customers know that, so are likely willing to spend a monthly fee to feel safe. Critically, they're unlikely to swap to a different provider when there's so much setup involved.
Sure... but "good investment" and "good VC investment" aren't exactly the same thing. 1Password isn't exactly small and it's not exactly poised to explode either.
I get that there's an untapped market of non-technical users, but I am rather skeptical that advertising alone will have much success in activating it -- they'd need some innovative approach that changes the way non-technicals approach password management.
The data that can be obtained on users by just knowing where they choose to create logins for is also worth immense amounts of money, without even talking about how often they login.
Correct, but also a warning sign. "Boring, hard and important" should rarely, if ever, be left to private companies as an isolated thing. They need to somehow be baked into the model of the other things that use it.
It's the same reason there should be no such thing as a "structural integrity" company separate from the building contractor.
"KeePassXC was still free open source and developed by volunteers in their free time."
This is not a benefit. Within the next 2 years, be wary of a log4j level exploit within Keepassxc.
If a software isn't being supported by a steady source of income, it really quickly can get behind in security and tech debt.
After all the discussion on here about how we can support open source projects, why is it still a badge of honour to say that a software has no support and is functioning on life support by "volunteers in their free time"?
I'd suggest any users of KeePassXC take their money and put it where it counts: find the organization that develops KeePassXC and give them the $60 a year that it costs to buy a commercial password manager like 1password.
If KeePassXC has all the features you need, it's worth paying them for it.
LastPass was bought for $100 million and had some security howlers.
"pass", on the other hand, has no funding and no security vulnerabilities.
I'm pretty sure it's more secure to use apps engineered with a deliberately tight scope that arent lavishly funded than egged-up VC bloated monstrosities.
You wanna bet that building in electron is gonna keep 1password more safe? I wouldnt. The attack surface on that thing is gonna be huge.
Closed source products are really well known for investing in security and keeping tech debt to a minimum. This is why no commercial closed source product depended on something like log4j without thouroughly auditing it first. Oh wait...
>How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
It will go to all-expense-paid trips, consultancy fees and other things you need to eventually get acquired for $10B+ by one of the big players.
Or maybe, they will pivot, spend $300M on advertisement, so every grandma gets to know the brand name, and will then do an IPO, presenting it as the next opportunity of lifetime to the unsophisticated public.
This is how you make money in the post-2008 world. The actual old-school profitability has been out of the picture for quite a while now.
So correct but also post-2008 underrepresented founders need profits more than ever because they don't fit the narrative, applications like Canva being female-led and Calendly having a black male CEO are examples.
Just as they did when all the snafu with Dropbox and the switch to a subscription based service.
Before the subscription service, I had spent hundreds buying all their apps for me and my family. 1P wasn't cheap but it was worth it. They used the users' Dropbox to host the web based vault. Obviously one day Dropbox decided it was not ok to use the public folders to host websites.
It really was a shitstorm in 1P's forums and they handled it very badly.
1P could have spent pennies hosting the vaults on S3 or something but they decided to tell their paying customers to switch to the subscription if they wanted a web based vault. They didn't even have the decency to offer a free year to the subscription or something.
3 buck per month? Family sharing for 5 buck? Nah, this is the typical bait&switch strategy (same as Netflix). It is cheap now. But it won't be cheap in the future.
> I sincerely have no clue how a password manager could be so expensive.
So you can't imagine how owning the passwords of all services of dozens of millions of users, both private users and corporate accounts, could be valuable?
> So you can't imagine how owning the passwords...
Emphasis mine.
That's the thing that bugs me about 1Password's recent moves. They don't own my passwords and I don't want them to own them. They're my passwords, and I want to store them how I want. Not be at the whims of 1Password's business strategy.
I think from a stakeholder pov, just the fact that they are the gatekeeper to your passwords make it valuable.
Imagine if the chinese government could buy all its stock through a third party company, and sit on the board, install a "party affine" CEO without morals, etc.
Just a single silent software update can upload everyone's master key un-encrypted to the cloud, and decrypt everyone's passwords, attach them to email and corporate ids, etc. without anybody noticing.
Sure, labour costs are expensive in our industry. But it's under-appreciated that once you need physical infrastructure, sales and enterprise support, that really tends to eat into your millions.
Please excuse my ignorance about this, but what do "cloud and enterprise" costs entail? Password managers seem to me like a pretty basic CRUD app. I'd imagine the average user has a few KB's max stored, and data transfer is presumably very small (no images/video/other binary data). And enterprise users are presumably running the infra on-prem so I'd think the main costs have to do with support.
Is marketing the thing with the huge price tag, or are there other huge costs I'm not thinking of?
I'll use a past life as an example; 150 person company -- 20ish people in engineering total: 5ish on doing infra, and 3 dev teams of 5ish working different verticals.
Then you have leadership, sales, marketing, HR, finance, support, and retention. By a huge margin sales, support, and retention were the largest. B2C is marketing heavy, B2B is sales heavy. If you're both then well..
Engineering can be really lean with respect to the number of customers/clients but the rest of the business can't.
1Password has the cloud, so maybe a better comparison would be bitwarden, not free (to use their hosted service) but FLOSS. Everything else stands, though ;)
But 1Password previously had the option to _not_ use their cloud, and they deliberately killed it to push people onto their subscription offering. So I think in the context of a conversation about how financial conditions will force changes which change the customer experience, I think it's entirely fair to compare them to a non-cloud option.
>they deliberately killed it to push people onto their subscription offering
There are things available via the Cloud version that aren't available with local vaults and, in order to maintain those, they decided not to put the time into implementing those changes for local vaults. Local vault users are less than 1% of their user base.
Parent comment said they killed it. They didn't kill it. You can still use local vaults currently. You won't be able to any more in newer versions because they're no longer at feature parity. Killing it to push people to the subscription model implies malice.
Yes, especially nowadays that sync errors are not commonplace. I use it with Nextcloud. But that still requires you setting up your own thing, which is why people like 1password and bitwarden.
I'll vouch for BitWarden. You can self-host or use their cloud offering. The server software and all of the clients are open source.
I've personally been using the cloud offering for several years now and feel quite satisfied with it. The free tier is generous, the premium tier is very affordable, and I can export my data to a self-hosted instance anytime I like.
Bitwarden for me. I've been using 1Password from around 2013 I think. I didn't buy into their subscription model so they've been gouging me with difficulties and cost in buying upgrades for a few years.
Apparently they have 500 members of staff these days, and millions and millions of investor dollars. Apart from maintaining browser extensions, for my own personal use I've not noticed a single interesting feature in recent years.
I moved to Bitwarden when the electron thing was announced, haven't paid any subscription yet and seem to have all the features I used before in 1Password. Bitwarden is very much recommended and I wouldn't recommend 1Password to anyone these days.
Bitwarden for private password managers and something keepass based for shared passwords in small teams works great. We use Keeweb with a keepass database on a shared Google drive. I put the master password for that in Bitwarden.
I guess for bigger enterprises you might like something with a bit more fine grained access control and auditing features. E.g. rotating the master password is a bit of a PITA. I actually did that this morning because somebody in our team left.
Most companies would want some kind of solution and most bigger companies would likely end up paying for something.
Keypass + Syncthing to get the database on all your devices. This combo has worked flawlessly for me for over 5 years now. I sync to all kinds of devices too including android phones.
> How come 1Password needs the equivalent of 7750 years of $80k annual salary to build the same?
This is once again just a case of investors hoping to make a pile of money so big they can corner a market. Sadly, they have no idea how cornering a market works (or doesn't work) in the case of digital products like this.
This opens a great opportunity for an open source disruptor to scoop their paying customers. Keeping it simple. I would be happy to throw in $100 to some crowdfunding as long as there's at least one legit security dev onboard. No Crypto bros please.
Oh no, my thoughts exactly. My wife and I were just talking about setting up 1Password to switch from LastPass. It looks like BitWarden might be the best option if only for longevity.
> Ah fuck. They now need to grow at any cost to earn all that money back. And they'll throw their users under the bus, if they have to, because it's either grow like a unicorn or go bust.
Agreed, an outbreak of featuritis is almost guaranteed. The core product works well for the job intended, but I don't want to be bothered with an expanding scope and the inevitable spam promoting the features that I don't really need.
The move to an electron client was a clear indication they intend to add lots of features. If they were more or less feature complete they would have not bothered with an electron rewrite.
They already threw their users under the bus once by changing to an insanely money-grabbing subscription model. But yes, agree with everything you said.
Yep, this will go the same way as LastPass sadly. This kind of company must have a steady positive revenue stream from it's customers. If not, it is not reliable. They will not be paying this back any time soon.
Fine by me, 1password was too expensive to begin with. Sad to see they're wasting it.
Don’t forget that this isn’t used by just individuals—businesses use it too to share credentials for things like the corporate Twitter account, internal systems, etc. I’m willing to bet that further investment there could help back up that valuation.
Realistically their B2C accounts are a sales funnel for their B2B. Because I was familiar with it for my own use, my employer uses it and they make much more money that way.
Because they also let you get free family accounts if your company uses it, they presumably then rope in a lot of individuals for personal use who then become incentivised to want their next employer to use 1password too.
The individual user is extra revenue to them. Their business is B2B. Because my company uses 1password for business I also use it for home and they get an extra $60/year from my household because I need to already use it for work.
The are going to focus on the enterprise market. Good for them but this also means that they will make things worse for small businesses and personal users. Intentionally or non-intentionally but it will happen.
I think BitWarden is a better comparison -- it's SaaS (and thereby dead simple to get set up w/ cloud sync), but it's reasonably priced with a solid free tier, and open source to boot.
I decided to go with Enpass instead of KeePass* but KeePassium for iOS gets my vote. It's faster than Strongbox, more configurable, and the developer is very responsive.
Why is it that whenever intrinsic, usual operations of capitalism are described (which happen 99% of the time) such as…
1) whenever VCs invest in shares of a project
2) they tend to subsidize money-losing unit economics to “reduce friction” resulting in attempts to lock-in people and monetize their attention later
3) when the VCs later dump it on the public, the company has to now answer to wall street shareholders and its executives are heavily pressured to have quarterly earnings calls
4) they must find ways to extract rents forever because whoever bought at the top (the majority) wants to see their shares go higher, even at the expense of the public interest
5) whereas cryptocurrency could be about collective ownership, if there is no separate shareholder class then the network participants ARE collectively owning the means of production (basically, textbook socialism)
Whenever something like this is stated, anarcho-capitalists and right wing libertarians say:
Oh, there is NOTHING wrong with capitalism. That’s not REAL capitalism. That is corporatism / cronyism. (Some go further and quote Mises/Say/Praxeology: “only individuals can act, organizations can’t act.”)
Then about collective ownership of the means of production / distribution / the network they say… “That’s not REAL SOCIALISM. Socialism is when you use central government and planning and has led to so much misery and famine…”
So, a mainstream application of capitalism isn’t “real” capitalism because laissez faire capitalism doesn’t require the State. But credit unions, housing cooperatives, democratically run universities and now cryptocurrency DAOs are not “real” socialism because socialism requires the State?
There is a huge double-standard here, and I would encourage ancaps to answer the following questions:
Why not use mainstream dictionaries and
encyclopedias for definitions?
Why not admit libertarian socialism exists
Why not compare the results of democracy
vs top down ownership in organizations
on both the participants and the public good
Also, we can move beyond Libertarian Capitalism vs Libertarian Socialism discussions, to simply ask how to best structure decision making in a project.
You can have cryptocurrency run top-down where people work on stuff to survive, and the parent company must make profits. Or you can remove the profit motive and have wikipedia, open source, science, etc. But then you’d need to subsidize people’s maslow’s needs with a UBI.
See for example how your very news and media is affected by the profit motive… compare something like WikiNews vs CNN and Fox. Where are the movements to do something about it? Here is one example I am working on myself: https://rational.app
I don't see how cryptocurrency solves any of the problems. Items 1-4 would still exist. The only difference is that the corporations would be funded with ETH/BTC/DOGE/whatever rather than US Dollars.
No, not at all. It is the difference betweena credit union and a bank, a housing cooperstive vs a landlord owned building.
To use a real world example: DisneyWorld is a city owned by a corporation, instead of democratically run. Because the people who own DisneyWorld shares (shareholder class) aren’t the visitors — the visitors buy DisneyDollars. They are the consumer class.
And there is also the working class (people who work in DisneyWorld) and their employers (small capitalists) who run a business inside DisneyWorld and pay rent.
Disneyworld and other cities could have its own smart economy with DisneyDollars and never have to raise money from speculators. Think of DisneyDollars as utility tokens and shares as security tokens for speculators.
Given Hashicorp's market cap of 11B, and 1Password's narrative on how to become even more central to corporate use cases by being the storage layer for Vault deployments, it's a very reasonable leap for them to make!
https://1password.com/secrets/
https://1password.com/secrets/integrations/
https://1password.com/enterprise-password-manager/