1Password: Standalone / Local Vault Option Gone? (agilebits.com)
350 points by Tomte on July 12, 2019 | hide | past | favorite | 360 comments



I've been a paying subscriber to 1Password for over two years now and had the standalone version for years before that, and the way they responded in that thread really rubbed me the wrong way. Enough that maybe I'm going to start looking for other options. Maybe I'm just in a bad mood?

The OP just wanted to know if the feature was gone, and if so when it got removed (maybe to find an archived version of the app?), and lastly why it wasn't clearly communicated, but you can just smell the smug in the responses. It's hard for me to read their little "cute" emoji as anything but sarcastic, which is reinforced by one of the developers chiming in about how they must be asking to "make their mobile apps free" and the other guy talking about how with so many users anything they do will of course be found out.


Likewise. I've been a long-time user, and currently a subscriber, but I've just found the direction 1P is heading, and the way AgileBits communicate a lot of this to be frustrating.

It's difficult to explain, but every time something like this comes up their responses frequently seem "off" and tone deaf.

I'm not sure they understand how much their product can become a part of how people go about their daily life, and how changing that, no matter how small, can have pretty significant effects, with an accompanying emotional response.

A while back they changed the way their vaults worked and you had to upgrade them. I've never been more nervous about an update to anything than I was with that update. The way the software communicated what was going to happen really didn't help, and there was a real feeling that this could all go horribly wrong.

Something I respect from Basecamp is their commitment to keeping their old products around (and keeping them maintained, even if they get no new features). They understand that they become a part of people's lives, and you mess that up at your peril. "Sunsetting" products or features has an impact on your customers that you need to be prepared for.

For reasons that are difficult to articulate I just don't trust AgileBits to not completely bugger up things for me in some way by changing something that they regard as unimportant, but to me is significant.

Even to me, this feels like I'm probably overreacting, but my passwords and online identities are so important that even the smallest hint of untrustworthiness is unnerving. The impact of losing all those details would be massive.


Yep, I feel the same way. The responses went downhill really quickly. I only just jumped back onto the macOS bandwagon and was looking at resubscribing (I've had an awesome experience with their email customer support reps in the past, which brought me back) but if this is how the public-facing side of the development team acts... yikes.

I'll be much more open to alternatives now than I would have been yesterday.


I'm on the Catalina beta and the Safari Extension for 1Password 6 doesn't work (Apple only allows extensions from the App Store starting with Safari 13 - so it's not really AgileBits fault).

I chose to migrate to storing everything in iCloud Keychain instead. I understand why companies want to move to the subscription model, but I can't justify spending $36/year for an app to store my passwords.


The problem with iCloud keychain for me is that I don't only use Apple devices, otherwise it might do the trick (except for TOTP 2FA stuff).

I'm trying Bitwarden now and it seems to be ok. Maybe it's time for a change.


As a user that made the switch to Bitwarden the last time 1Password tried their shift to the membership-only options some 1-2 years ago, it is an excellent replacement. I do miss some better search / sorting functionality, but otherwise this works great with a local server that I maintain for keeping my Mac, Ubuntu, Windows and Android devices in sync.


Bitwarden costs only, what is it, 10 or 12 USD a year. LastPass costs 24 USD, and 1Password 36 USD, if you need 2FA. If you don't need 2FA then it doesn't cost as much, but I think you still have a device limit.

Bitwarden's clients are FOSS. There's a 3rd party FOSS server for it available written in Ruby. So you could even self-host.

[EDIT: there's one written in Rust as well! [1] [2]]

[1] https://github.com/jcs/rubywarden

[2] https://github.com/dani-garcia/bitwarden_rs


You can also self-host the original server, it's under AGPL[0]. I'm using this atm, and yes, I pay for the organization feature, though I could easily adjust the code to unlock it. It just doesn't feel right (same goes for the 3rd party FOSS server). But that's just me.

[0]: https://github.com/bitwarden/server


IIRC, LastPass increased to $36/yr, which made me switch to Bitwarden. $10/yr with better functionality and UX.


That would be a good option if they supported all of their clients equally, but the developer has pretty much said that he's not going to update the extension to support Safari 13. As a Safari user, it's not a good option.


Does Bitwarden support "family" use-cases, where you share passwords between multiple accounts?


Yes. The family plan is just $1/month for 5 users, with self-hosting as an option.

The free tier supports 2 users sharing.


> The problem with iCloud keychain for me is that I don't only use Apple devices

If I ever need to sign into something on a non-Apple OS, I look up the desired iCloud KeyChain-stored password on my iPhone, then manually retype it on the other device.

I feel that gives me extra security.


>...that gives me extra security

Actually, manually typing or pasting your password (assuming you aren’t using WebAuthn) opens you up to phishing attacks because you could be fooled by the URL, whereas password managers and hardware tokens will activate only for the associated domain.
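To make the point in the comment above concrete, here is an added example (not code from the thread or from any of the password managers discussed) that models the "only fill on the associated domain" rule. The vault contents are constructed sample data, and the registrable-domain helper is a deliberately simplified stand-in for the Public Suffix List that real managers consult; the function and variable names are my own.

```python
"""Model of why password-manager autofill resists lookalike URLs.

Added illustration, not from the thread: a manager decides whether to
offer credentials by comparing the page's registrable domain (eTLD+1)
with the site stored in the vault, never by eyeballing the URL string.
"""
from urllib.parse import urlsplit

# Constructed sample vault: each entry records the site it belongs to.
VAULT = {
    "example.com": {"username": "alice", "password": "correct horse"},
    "bank.example.org": {"username": "alice", "password": "battery staple"},
}

# Hypothetical stand-in for the Public Suffix List. Real code must use
# the full, regularly updated list rather than this tiny set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. login.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def autofill_candidate(page_url: str):
    """Return the vault entry eligible to fill on page_url, or None.

    Rules modelled here (simplified): only https pages qualify, and the
    page's registrable domain must equal the stored site's registrable
    domain. A visually similar hostname ("examp1e.com") or a nested one
    ("example.com.evil.net") never matches, which is exactly the check a
    human retyping a password does not get.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    page_domain = registrable_domain(parts.hostname)
    for site, creds in VAULT.items():
        if registrable_domain(site) == page_domain:
            return creds
    return None


if __name__ == "__main__":
    for url in ("https://login.example.com/signin",
                "https://examp1e.com/signin",
                "https://example.com.evil.net/",
                "http://example.com/"):
        print(url, "->", "fill" if autofill_candidate(url) else "no fill")
```

A real manager would additionally require a user gesture before filling and would treat subdomains more conservatively for some sites; the point here is only that the decision is made by a parser on the origin, not by a person reading a lookalike address bar.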


I meant, I don't have to trust Windows or Android's security to not leak access into third-party password sharing apps, or the in-house security hygiene of those third-parties.

With Apple there's only one party involved.


Bitwarden will also stop working with Catalina / Safari 13, so that doesn't help this particular use case.


That is not entirely true. Update: https://git.io/fjXLJ


Seems to work fine, I installed Bitwarden yesterday.



Ah, it works on Catalina. I don't use Safari.


+1 for Bitwarden.


+1


+1 for Bitwarden


Correct me if I'm wrong, but you can't share passwords with iCloud Keychain, correct?

My workflow involves sharing certain accounts with family members and 1Password supports that. For now, that's the killer feature for me.


I share passwords with my coworkers (for resources that don’t support teams+sub-users) not by using any password manager, but rather by just keeping the descriptions+usernames+passwords in a Google Sheet.

We use GSuite, but that isn’t really relevant other than for controlling default ACLs to the document; you can just make a private Sheet and then share it by email to whoever you like.

Google Sheets works okay (for this use-case) pretty much everywhere you need it, including on mobile. Doesn’t auto-fill anything, of course, but since the point is sharing the password, not restricting the ACLs of the password in any enterprise sense (i.e. so people that could use a password before can then lose access to it), it’s fine to allow people to just cache the password into iCloud Keychain and/or Chrome Sync. So it’s not as much of a speed bump as you’d think.


I can appreciate that it works, but that solution is objectively worse for me. There's no convenience, it's more work, more error prone, and still a "cloud" storage solution with all its inherent issues.

I can punt on the cloud problems, but I'll pay for the convenience of a password manager in this case.


> I chose to migrate to storing everything in iCloud Keychain instead.

I did the same when 1Password moved in this direction after version 6. It was clear then that the standalone version was going away.


> can't justify spending $36/year for an app to store my passwords.

what?

it’s not just storing your passwords. you could use a spreadsheet or plain text file for that.

$36/yr is NOTHING. this is great value for money.


Also a paying subscriber, and also appalled at the response from 1P team.

Will keep this in mind when recommending to family and friends, which I do a lot, and will definitely keep an eye out for alternatives moving forward.

The latest extension for Chrome on Windows and Mac barely works for me half the time with the latest update.


Here's a recent experience I had with them...

When you have sync issues, the workaround in the absence of a Force Sync button (which used to exist) is to create a dummy secure note or to log out and log in again.

Most users won't know this workaround without spending several minutes Googling and digging through search results.

I complained about the lack of a Force Sync button on the clients in the forums, and was told this:

"The reason we don't want too easy an option to force a sync is precisely because folks will choose to use that rather than reaching out to find the root cause"

Needless to say, I wasn't pleased to find out that they wanted to use their paying customers as free testers.

I'd like to switch away, but most of the alternatives I've looked at don't compare very favorably from a UI/UX perspective.


Try Bitwarden


It seems their software quality in general has been going downhill recently. Lots of changes just for the sake of changing. The new extension doesn't work about 40% of the time or requires multiple keystrokes to get it to pop up. The Windows version is just, ugh.


Huh, I thought it was getting better across the board, and significantly faster. 1P is actually investing in proper cross-platform support, rather than only macOS, so perhaps it's just less attention to detail? The Windows client has become fantastic.


No doubt the Windows app has gotten better, but there are a lot of weird quirks with it. Example off the top of my head: if you click on the favorites sidebar and try to search, it only searches in favorites. On Mac it searches everywhere, as I'd expect.

The UI in general also just feels clunky. It's missing that polish the Mac app has.


I would expect contextual search, rather than "everywhere" search if I was filtering...


I don't know if I'd use the word "fantastic".

In many ways, I feel that the Windows and Android clients in particular are still second-class citizens compared to their Mac/iOS counterparts.


I completely agree. It used to be a very simple piece of software (I’ve used it since the beginning) and they’ve progressively tried to add more UX changes which only confuse and add reliability issues.

Simple tasks like resetting a password or adding an entry in 1Pass can often be frustrating now.


I was a booster until they added a terrible feature to bypass master password on smartphone app with pin.

Previously, with every restart of the phone, you needed to enter the master. After, only when the PIN is misentered once. They added this ‘new feature’ right when I was installing everything on a new personal laptop. As I recall it, I was entering the master password on my phone, over and over. One of the characters had a shift, which was a pain in the ... on iPhone. So I made it lower case. Then, I updated my phone, got the 1Password update, and didn’t enter the master for over a month.

Finally, I misentered the PIN, and got kicked to the master. Well, you can guess what happened. I was locked out.

You know, a password works because you remember it. My situation revealed the design flaw of bypassing that. If you don’t enter the master for a long time, you lose the habit and increase the risk of losing it.

For me this is the classic example of the corrosive drive to renew a perfectly good product, which ruins the product for some users. But as a designer, I think it’s a fail, but you can’t tell them that.


This is why I like the Authy client on mobile. It periodically asks you for your encryption password just to make sure you can still remember it. Such a thoughtful idea.


I guess if you only ever use the mobile app, but still there's a desktop app and the browser extension to practice your memory.

The PIN thing is a big time saver because typing on mobile still sucks, and I'd have to re-type the master every time I switch between an app and 1Pass. I certainly wouldn't qualify it as a bad feature.


I'm not saying the PIN is a 'bad' feature (in fact, I'm using Bitwarden now. It uses the same UI pattern [1]). The 'feature enhancement' I'm miffed about is when the master is only ever required when you fail at the PIN screen, whereas previously you needed the master after every restart of the iPhone.

It's a complex system. I had a use-pattern that naturally emerged from the UI (which required the master after reboot), and my habit of turning off my phone every night. So this "feature enhancement" seemed innocuous, but had, I would argue, the unintended consequence that I lost my memory of the master because of a new feature.

I believe this is exactly the sort of thing a smart company, making a security product, should think about before they decide to add a "feature enhancement".

I mistook the great design of the original 1Password product as an indication of a "smart company" who made great decisions, and great products through testing and design.

Now I feel differently. Now I just see another one-hit wonder, who makes improvements by the whiz-bang theory. New! New! New and improved!

The unpopular decision to drop the standalone version (local vault) is just more evidence to me that AgileBits isn't special. I put them on a pedestal with devotion and evangelism, but they're no different, and maybe worse.

And if you like this rant, you might also like my rant on TransitApp. hahah!

[1]: Before, with 1Password I would have to enter the master once every 1-2 weeks. Now with Bitwarden, using the same 1-fail PIN to master UI, I think I've not defaulted into master for, I dunno, 6-8 months? But I've learned my lesson. I wrote the master on a piece of paper and tucked it away in a book somewhere on my bookshelf. What could go wrong?


I know this is a larger issue, but I sure feel like software quality for ANY product decreases over time. I've observed this with many, many products in my career. 1P is just the latest example.

I feel like it may be an inexorable and unavoidable consequence of an aging codebase.


It's not a law of nature. Bit rot and technical debt can be counteracted if maintainers are vigilant and focus on quality and maintainability. Unfortunately, not many examples come to mind: the Linux kernel, PostgreSQL, SQLite, OpenBSD, for instance. I can't really think of any instance managed by a for-profit organization.


With the hindsight of 20 years in the industry I believe a lot of it is due to team churn. Once the original developers are all gone much of the codebase becomes a scary black box. When I think about teams I've worked on with an OG dev still around, they've always been far more productive.


Same here. I've been using 1Password for over 11 years. Paid for multiple licenses, family subscriptions, upgrades, etc. Their recent behavior indicates direct hostility to their long-time users and obvious money grabs. Since it looks like it's a subscription model no matter where I turn, I'm thinking about migrating to LastPass. At least they are more or less transparent in their pricing and future intentions.


I feel exactly the same. Recently I complained about decreased usability issues with the re-worked 1Password mini and... felt exactly the same. I won't be looking for a replacement just yet, but the feeling is right there. Dropping support for standalone vaults is not an unexpected development.


I was turned off by their smugness back before they had a Windows version. Their justification was that the platform didn’t allow them to build the type of beautiful software their high standards required. They’ve always had these attitudes that have rubbed me the wrong way. I’ve never gone onto their subscription model, but I’m wondering if iCloud would work for me since I’m fully in Apple’s ecosystem.


Making pretty software in Windows is totally doable, people just don't make the effort.


I find it very infuriating in general when someone uses a cute or smiley emoji after telling me something negative. I'm sure that mostly I'm paranoid and irrationally irate about that, but I can't help thinking that people are rubbing it in my face when they do that. Am I the problem?


I think the intent when using those emojis is to communicate that they really are trying to be nice while giving negative news. Text is a really hard medium to convey emotion or intent through. For example, I find if I want to sound positive I end up having to add an exclamation point at the end of every sentence (“Nice job.” vs “Nice job!”).

That all being said, I absolutely agree the emojis almost always are perceived in a way that’s opposite of the intent, e.g. smug, sarcastic, or some other negative tone.


I don't think the responses are smug. Ben in particular stands out as patient, forthright, and apologetic.

> one of the developers chiming in about how they must be asking to "make their mobile apps free"

That isn't the actual quote. The developer is pointing out that the apps are "free to use as companions to our desktop apps".

> the other guy talking about how with so many users anything they do will of course be found out

This did come across clumsily, but it was in response to the false dilemma "Was it forgotten, or deliberately not mentioned in the hopes nobody [would notice]?"


Reading that thread makes me happy I ditched 1Password when they first moved to a subscription model.


What did you move to?


Keepass with passhole in terminal, Keepass2Android on Android and Tusk extension in Chrome.

KeePass community solutions are strong and open source. And free.

https://github.com/PhilippC/keepass2android

https://subdavis.com/Tusk/

https://github.com/Evidlo/passhole


Plain old Apple keychain while I evaluated other options. While I was evaluating, I realized the keychain was fine for my current needs. I'll evaluate again when my needs change.


"Thanks for your feedback."


The only smugness I could detect was in regards to their free app offering, and considering it costs money and resources to maintain those free services, their viewpoint is understandable. The feature was removed; they thanked them for the feedback about being upset that the feature was removed.


I understand that software costs money to maintain and cloud syncing requires infrastructure. But they didn't need to act the way they did in response to someone asking a reasonable set of questions.


I'm saying you're making a big fuss about something that 1. You have no control over, and 2. Doesn't really matter.


I don't think I'm making a big fuss about it. I'm not campaigning for a boycott or mass migration or anything. I'm just saying that as a long time customer of AgileBits the way they reacted in the linked thread really didn't sit well with me, so I'm looking for alternatives to their software.

What if I have an issue in the future? Will I also be treated poorly?


The mobile app is free, but creating entries on the mobile app is a paid feature. Either with a subscription, or by buying the "pro" features. Or at least that's how it is on Android.


One thing I've learned about software in general is that I never want to be outside of the primary use case. If you're not using it the same way that the people building it do, it's going to be a pain to use, and your requests will be ignored.

For me, 1Password wifi syncing (with local vaults) never worked quite right, and I don't think that feature has been touched by its developers in all the years since I first bought a 1Password license. It's never going to be. They're all in on their own cloud service and subscriptions.

I don't hate 1Password for using subscriptions -- that's their prerogative -- but I wish I'd known they were going to bail on the Mac-as-digital-hub architecture. That was 100% why I bought it.

I'd describe that pivot, too, as a communications breakdown.


> One thing I've learned about software in general is that I never want to be outside of the primary use case. If you're not using it the same way that the people building it do, it's going to be a pain to use, and your requests will be ignored.

While this might be true in general, one of the main advantages in choosing FOSS is that features used by a small subset of users are more likely to be kept than for proprietary software.

When a software package starts out, early-adopting power users build its popularity and help shape its growth ... until the package becomes so useful that it is now marketable to the masses. Then, for proprietary software at least, there's a strong incentive to streamline and remove anything the masses don't care about...which can alienate the same people who helped make their package great.

For FOSS, there's powerful motivation to retain features that even only a handful of power users rely on -- lest that project be forked.

I can't remember the last time I've been feature-burned by a FOSS project. My feature-burn scars for proprietary software, however, are many -- and at least a few are quite deep.


> I can't remember the last time I've been feature-burned by a FOSS project.

The GNOME project comes to mind as free software which regularly feature-burns their users, arguing that people who really needed the feature can monkey-patch their DE's JavaScript to add it back in.

You're right though, most FOSS seems way less likely to remove features people actually depend on than most proprietary software.


It has been over a decade, and I don’t even use GNOME anymore, and I am still pissed at the way GNOME did their great purge in the 2.x release.


You don't need a subscription though. You can still sync through iCloud (I use iOS & macOS), without a subscription.


To be honest, if they're going to do stuff like that they shouldn't be offering those features at all.

Developers should stick to implementing features they're likely to maintain.


Local vault syncing over Wi-Fi was one of the core supported workflows back in the day.


> One thing I've learned about software in general is that I never want to be outside of the primary use case. If you're not using it the same way that the people building it do, it's going to be a pain to use, and your requests will be ignored.

If there is an obscure setting somewhere which makes something work well for you while you become a minority of users in the process, you would not use it?


GP said:

>I never want to be outside of the primary use case.

You've extrapolated too far from their statement. Most people have probably been in this kind of situation and most of us have probably been burned by it at some point: Use a product for an edge case of its intended function and you risk losing that functionality at some point.

Vendors will generally cater for the masses. Where possible, avoid building your usage model around niche features. Assume that free products/features are a loss leader and will disappear at some point. Have a contingency plan if the at-risk feature is particularly important to you.


Such a setting is pretty much guaranteed to be disabled in some future update. See: Mozilla Firefox.


> Mozilla Firefox

Depending on what you mean by "in some future update" and "pretty much guaranteed" (given an infinite timespan everything will disappear), I don't think that's true. I've kept my Firefox user.js (my manual about:config changes) under git over the past 3 years[0], and of the 44 options that I customised, 36 are still present and (seem[1] to be) active.

6 of the about:config user_prefs customised add-ons, so they no longer work due to the shift to WebExtensions (but I can still make 5 of the customisations via another interface).

1 customised the GCLI, which was removed, and 1 customised Panorama, which was also removed. (However, most of what GCLI did can be done some other way, and there are a couple of WebExtensions faithfully emulating Panorama.)

[0] The file is older, but I added it to git only three years ago. Hence, many of the about:config changes have been "alive" for longer, but I have no record of those that were removed earlier than 3 years ago.

[1] Cursorily glancing through my comments above each entry to make sure that it still does what it was supposed to.


Really disappointing to see so much bootlicking in this thread. Yes, 1Password is a great product and, yes, AgileBits is a great team of developers. But this change sucks and spits in the face of long-time paying customers who have come to rely on 1Password's local features.

1Password can be both worth paying $3 a month for and also making a really bad anti-user decision here. These are not mutually exclusive.

As a former long-time 1Password user, I recently moved to using pass [1] after using their cloud features for some time. At the time I mostly moved for better change tracking with git, but I'm feeling pretty glad about the decision now that they've made this awful change. I'd highly recommend moving to pass or some other FOSS for this class of tool. Why trust your passwords to something outside your control?

[1] https://www.passwordstore.org


This is the absolute reality with closed source proprietary software: the user has no say nor ownership in the product; they are in effect granted a revocable license to use a set of features for some indeterminate period of time. The owners of the software licenses may modify, without the user's consent, or even knowledge, the software for any reason and any purpose. On modern closed source operating systems with automatic updates, it's often even impossible to revert to a prior version. I'm not against this type of software, it has its place and purpose, but why trust it for something as critical as personal identity management and authentication? Especially when there are so many free (as in freedom, not price) and open source alternatives on the market?


You are describing closed source proprietary services. If you buy software for your local device(s), the license is generally not revocable. Which OS requires automatic updates?


Not an iOS user, but AFAIK you cannot keep iOS from updating an app. So if the developer pushes an update that nerfs the app, you're screwed.


You can turn off automatic updates, but then you have to update all apps manually. You can't just turn it off for a single app.


I feel the same way. Everyone is praising 1Password, so I bought it and used it, and while I could see that it's useful for many people, I have basic needs and maybe a bit different usage, and recently, as I started using KeePass (I'm on Windows), it's just turned out to be the perfect password manager. The last bit was the KeeAgent plugin, which allows me to use an encrypted SSH key effortlessly.

I like the open nature of KeePass and I like that it's just a password manager, no fancy browser integrations; I just copy & paste the password when I need it and that's about it. No auto sync: I just push the button and my database is synchronized to my WebDAV server. Easy, fast and reliable, and I understand and control every bit of it.

And all that free, of course. It's not like 1Password asks for a lot of money, but I'm living in a poor country and even those $36 is something I have to consider. When I can rent an entire VPS with a lot of services for that price, it's hard to justify paying that kind of money. I'm OK with one-time buying of software or even with buying a new version (as long as it's optional), but I really don't like the subscription model. I understand that developers want their salary every month, so it's a kind of tough topic.


> like that it's just password manager, no fancy browser integrations,

except that that’s the most important part! without that, a text file is sufficient.

luckily there are 3p browser integrations for KeePass. i’ve not used them but i assume they are reasonable considering the importance as well as the nature of the community that would write such things.


Pass is great, I moved to it from KeePass about a year ago and have never looked back. It uses your gpg key to encrypt passwords and syncs via git. Ridiculously simple and cloud nonsense free.


I also migrated to pass and then let my 1Password account freeze, and couldn't be happier. I like the philosophy behind pass a lot more, it seems like the UNIX-y way passwords should be stored, encrypted, and maintained.


I'm considering moving to Pass from KeePass. Does anyone have experience with syncing it to Android?


I use Pass on both the desktop and Android and have done for a few years now. It works really, really well. I couldn't imagine using anything else at this point.

The only "issue" I've had is formatting my phone, but forgetting to first back up the GPG key I used. The solution is just to create a new key and (from my desktop) reencrypt all the passes. It's not hard, but it does take about 10 minutes.


I use Pass between Linux and Android with an NFC-equipped YubiKey. I've never had trouble syncing but then, it's git+ssh so no great mystery there. I guess my only complaint is that I wish Android had some kind of centralized SSH support; every self-hosted-style app does it differently (keys, connections, etc).


This looks very interesting, do you know if there's any way to import 1Password passwords into it?


Ignore me, just spotted a tool in the links on that page.


1Password has a history of being terrible at announcing product changes and unilaterally making decisions that negatively impact customers. They removed autosubmitting passwords a couple of months ago and then:

- lied about the reasoning by claiming Apple mandated the change despite Apple's change only affecting Safari, which I'm guessing makes up the minority of their browser userbase

- consistently deleted comments on their forums that pointed out they could have kept their already existing, working code in place for Chrome

I rolled back to version 6 and suggest anyone else do the same.


A couple of years ago they relied on Dropbox for having an online web vault. At some point Dropbox no longer allowed using the public folder as a web server, and the answer from 1Password basically was "if you want an online vault buy a subscription from us".

I had paid well over $150 by buying all their apps and they were forcing me to throw that investment down the drain because they didn’t want to spend a couple of cents a year on hosting my vault themselves.

There was a long discussion in the forum. I moved to LastPass. The UI is not as good but it does the job and it’s free now.


You bought a product with no ongoing maintenance costs. Then demanded that they give you a free additional product with ongoing maintenance costs.

The fact that you bought their product in the past does not entitle you to demand that they build and maintain a free web hosting service. If that's your attitude, then I'm sure they're happy that you're no longer their customer.


How much ongoing maintenance have you paid for with that $150? Is it really zero? What if the app stops working the day after you purchase it?

I mean the apps seemed overpriced in the first place, and due to their decision to change their business model they decided not to provide ongoing support in a way that one might have expected they would based on what the product seemed to be and how their business seemed to operate when you purchased the product. They don't technically or legally owe you anything but nonetheless I would not want to buy anything from them after that.

The idea that they should be happy to lose a happy paying customer is absurd; is that how to build a successful business?


>Is it really zero?

No, it isn't. I'm not sure what brought out the agilebits apologists but they ABSOLUTELY said you were entitled to updates with your license purchase.


Updates to the app. Not brand new products provided for free.

AgileBits is not culpable for Dropbox removing a feature.


AgileBits offered a feature and relied on a third party which is pretty different.


The actual feature AgileBits offered was the ability to construct an HTML version of your vault. They advertised using this with Dropbox to actually make it accessible, but the web hosting part was entirely Dropbox's feature. If you didn't use Dropbox, then the web hosting part never worked to begin with.

I genuinely do not understand how Dropbox removing a feature gets people mad at AgileBits instead of mad at Dropbox. Why does Dropbox get a pass for this?


>Then demanded that they give you a free additional product with ongoing maintenance costs.

That's patently false. The paid version of 1Password came with "Free updates" as listed on their site. Updates were bundled into the life of the product - if they weren't, nobody would've ever bought it at the prices they were charging.

>Historically, AgileBits has been very generous with upgrades. Your purchase entitles you to free updates until the next major version upgrade. That means if you buy a license for version 2 of a product, you will get all 2.x releases for free, but upgrading to version 3 might require another purchase.

https://web.archive.org/web/20160304084145/https://agilebits...


Free updates. Not brand new free products. "Free updates" does not mean "if Dropbox removes a feature we'll do a ton of work to replicate that feature and give it to you for free".


Like I said, there was a long discussion on their forum examining all this.

AgileBits advertised the online web vault as a feature of 1Password when I bought the software. This can be demonstrated by looking at previous versions of their website on the internet time machine. They were under an obligation to provide a solution for that.

The fact that they could have spent cents per paying customer to fix this and they didn't, or that they didn't even offer some form of transition from paying customers to the subscription service is just the cherry on the cake.


AgileBits has been pushing people to the 1Password subscription model for a long time now by neglecting their "lifetime" desktop customers.

The 1Password chrome extension (not 1Password X) used to work great, then it started crashing about daily for me after one of the updates, forcing me to quit Chrome to fix it. The final straw was when they "updated" the extension to a design that looks 2 years old and is far less functional.

I finally gave in and tried out the subscription model. Here's why it's worse:

    - The 1Password X extension is standalone (doesn't need the desktop app) so when you have three different Chrome profiles as I do, you have to sign in to 1Password 3 times. Super annoying.
    - They force me to store my data with them. Sure they're the most trusted in the industry and do their security audits, but if they get breached, I'm fucked. 
    - The Command + \ shortcut to autofill and login doesn't work on 1Password X
    - They could have just said that their current business model wasn't achieving the goals and that they needed to charge more (I would have paid more/for a subscription) but instead, they beat around the bush by creating a new product that is inferior.
I no longer recommend them to others for password management. I tell friends and family to use iCloud now.


> if they get breached, I'm fucked.

This part is not true -- your data is encrypted with a randomly generated key that is kept locally. You could freely post the data they have all over the internet and it would be fine.


> This part is not true -- your data is encrypted with a randomly generated key that is kept locally. You could freely post the data they have all over the internet and it would be fine.

Do we know this is true? I assume it is, but I haven't checked the source or verified that I can encrypt/decrypt my data with my key, or that there isn't a master key that 1password has that can access it.


Hi lolsal. Ben from 1Password here. Implementation details can be found here: https://1pw.ca/whitepaper If you have any questions our security team would be happy to elaborate. They can be reached at support+security@1password.com


I think it's awesome that you publish a whitepaper, but it's just a whitepaper, not source. It doesn't prove anything.

Edit: also there seems to be a lot of this:

> We’re sorry. This section of this document is not yet ready. Anything you see in this section is at most an outline of things to come.


We're offering a (mostly) closed source solution. You can evaluate the source for the web app, and the browser extensions. If your argument is that folks shouldn't ever consider using something closed source then obviously 1Password is probably not going to be a good fit and we're at a bit of an impasse.

> Edit: also there seems to be a lot of this:

Some, yes. I'm not sure I'd say 'a lot', but yes, it is a work in progress. Our security team should be able to elaborate on any points that we have yet to detail, though, if you're interested.


I've confirmed it because you can see the data that the web browsers sends and it was encrypted. I've also tested this on LastPass and Bitwarden and from what I can see 1Password does it the best.


That MAY be the case (I'd love for a number of independent parties auditing the security, NOT paid for by AgileBits), but it's still a single point of failure. What if they have data loss? What if that data loss causes local data to be lost due to a sync operation?

I've always used the Dropbox approach + backups. If Dropbox has an outage the file is still synced locally. If Dropbox deletes the file via a sync operation I still have my backups. If I delete the files Dropbox has an undelete option.

All I want is control over the files.


It also changes the risk profile. AgileBits is a big target, my local machines are not.


Ben from 1Password here. We've designed the model so that we aren't a big target. The Secret Key helps with that. https://support.1password.com/secret-key-security/


That's a strange statement, you're a big target because you're holding lots of people's secret data. Doesn't matter how you model it, unless your model is to have minimal data/clients.


Minimal data of value, yes. Did you read about the Secret Key?


Ben, everyone here understands the model. It isn't sophisticated and it isn't particularly special. You have a lot of [encrypted] sensitive data. On your network. On servers you own. You are a target. Once the bad guys get the data, they'll worry about the individual keys and whom they want to target.

I'm one of the many people who are both dropping 1P and advising friends and family to do the same as a result of this episode.


Yes I read about the secret key, before I became a customer of 1Password. Your response concerns me. I understand you're encrypting the data, and have put in great effort to do so. This doesn't prevent your servers being a target for all sorts of other exploits, hacking of your webservers injecting back doors etc. The fact you have a lot of clients with secret data makes you a target.


> still a single point of failure. What if they have data loss? What if that data loss causes local data to be lost due to a sync operation?

Local data should be backed up as always, don’t rely on a cloud service to sync.

Personally I use two hard drives on my machine with Time Machine and regularly rotate them to ensure I have a recent backup and a less recent, network-disconnected backup in case something like this should happen.


The real worry has nothing to do with the data being on a server and more about their update servers sending malicious code.


That's true, but it would also be true of a desktop app using an offline vault, and is also true of all the other desktop apps you run. The risk of someone running malicious code on your machine is a reason to use two factor auth, not a reason to avoid cloud storage for encrypted files.


> but it would also be true of a desktop app using an offline vault

Well you can set an application firewall to block all internet access of the 1Password app. So, it can't update automatically, and when you manually update it and it would contain malicious code, it still can't connect/upload anything to the internet. You can even use 1Password sync via iCloud, which is handled externally - not by 1Password, but by macOS.

Unfortunately, this cannot be done on an iOS device (no app firewall), since Apple locks down everything and decided users may not control their own devices anymore :'(


FWIW, Apple has a "VPN" API that can be used to implement a firewall (or a proxy, or etc.). I don't know whether there's a usable commercial product that does that, but if you're really into it you can certainly write your own.


Yea, but it doesn't really work because you cannot block on the application level.

You can only block hostnames/ip-addresses, and these often change with updates, so you'd have to constantly monitor and block new hosts after the app starts leaking again.


Btw, using code blocks for anything makes it unreadable on anything that isn't a 4k ultra-widescreen display (I assume, because it's certainly unreadable on my 1440p screen). I'm certainly not going to scroll back and forth just to read every single line of that.


- The 1Password X extension is standalone (doesn't need the desktop app) so when you have three different Chrome profiles as I do, you have to sign in to 1Password 3 times. Super annoying.

- They force me to store my data with them. Sure they're the most trusted in the industry and do their security audits, but if they get breached, I'm fucked.

- The Command + \ shortcut to autofill and login doesn't work on 1Password X

- They could have just said that their current business model wasn't achieving the goals and that they needed to charge more (I would have paid more/for a subscription) but instead, they beat around the bush by creating a new product that is inferior.


I'm using Safari exclusively, but back when I had Firefox installed, you could change the shortcut for 1Password X. Does it not accept Command + \ as a shortcut?


Ben from 1Password here. Firefox may, but last I checked Chrome did not. We get around that with the traditional extension by having 1Password for Mac listen for the shortcut instead of the extension itself.


Cheers.


Oops. I can't edit anymore. Good to know for the future.


No worries. Maybe someday we'll find out why it still works the way it does.


Hi voska. Ben from 1Password here. I'm sorry some folks feel neglected. That certainly isn't our intent. I'd encourage anyone who feels that way to reach out to us at support@1password.com. We'd like to understand where those feelings come from and help in any way we can.

To address the concerns about 1Password X...

- We have desktop integration in beta which can help with point #1: https://discussions.agilebits.com/discussion/101231/introduc...

- Our security model has never relied on the sync service that you choose: https://support.1password.com/1password-security/

- Last time I looked into the Cmd+\ issue the primary difficulty was that not all browsers (Chrome, notably) supported \ as a keyboard shortcut for extensions. The reason we are able to get around this with the "traditional" extension is that 1Password for Mac is actually what listens for the shortcut, not the extension. The same functionality is still possible with 1Password X, just not with that specific shortcut.

- 1Password for Mac can be used with the subscription offering. It isn't necessary to use 1Password X. 1Password X is a great alternative for those who cannot install desktop software, particularly those on ChromeOS or Linux.

I'm sorry to hear you're no longer using or recommending 1Password but I hope that helps address some of your questions/concerns.


Thanks for the response. I'll send you an email.

I'd like to see AgileBits continue supporting the old 1P extension (i.e. fix the crashing problem) or bring that functionality (Desktop link, only sign in once across multiple Chrome profiles, etc) into the 1PX extension.


We do support the traditional extension for both membership and standalone customers and it continues to be the recommended way to access 1Password in your browser where possible. If you're experiencing crashes with it we definitely want to know that. We hope to bring desktop integration into 1Password X but as of writing it is in beta testing so I couldn't say when / if it'll be ready for prime time. I've personally been using it extensively as part of the beta though and it is very promising if I do say so myself. Thank you!


I’d love to go iCloud only but it’s not really on the same level as 1Password yet. It can’t store multiple websites for one account, instead storing each website separately; it can’t store identities that aren’t just username and password, such as bank accounts and drivers licenses; and it doesn’t have support for two factor one time passwords, which means I’d need a separate app for that.


> it can’t store identities that aren’t just username and password, such as bank accounts and drivers licenses

For what it's worth, you can manually create a "Secure Note" in Keychain Access and put whatever you want in there.

It doesn't do any of the other stuff you mentioned though, just thought it was a nifty mostly-unknown feature.


> I tell friends and family to use iCloud now.

I used to use iCloud, and recommended it to anyone. Sign-ons have become more and more... complicated. There is 2FA, and others now, that 1Password also covers. How are you handling those with iCloud?


Is it just me or does storing your 2fa code generators in the same place as your login/pw just seem like a bad idea. I know I’m screwed if someone gained access to my 1p... but they wouldn’t be able to get into the more secure services.


I'm still using 1P for myself, but looking for alternatives. For non-tech-savvy friends and family, I'm recommending iCloud.


Try Bitwarden, which has free tiers. You can later choose a (much cheaper) paid subscription if your needs are bigger. You can also self-host it as it’s FOSS.


I'm looking into this thanks to all the recommendations from HN :)


+1 for Bitwarden. I recommend not saving recovery codes inside Bitwarden. For 2FA I recommend getting a Yubikey. For websites that don't support U2F, I recommend using the Authy app in single device mode with a strong sync passphrase.


1Password X uses a different hotkey by default and it can be changed in the settings.


I'll go against the grain and defend this. I really, really love 1Password - its UI is incredible and it works so well - it follows the "don't make me think" philosophy which I really appreciate and makes me feel respected. It feels like a default piece of Apple software in how well it integrates with OS X and iOS. The desktop PDF QR scanner is something I didn't even know was possible to do with software, it blows my mind every time I use it. 1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

So I don't know more about password management than Agilebits. They have a long history of really good ideas for their software. If they want me to use their cloud instead of local vault, that's probably a good idea. I'm more than happy to pay the $2-3 per month to have access to this, and knowing they have recurring revenue gives me confidence that they'll be around for a while.


Being good at what you do does not excuse shady removal of features once your user base is big enough to drop functionality.

Or more precisely it makes a person wonder what the next step will be to alienate users which aren't aligned with the vendor's interests.


Shady removal definitely isn’t good. On the other hand, every feature can’t be supported forever (or at least I wouldn’t want to). Seems that communication could’ve been better, though.


I’m in total agreement. It’s the most important app I use and I’d pay 5x the $60 a year I spend on the family plan without question.

I used 1PW with Dropbox for years and years and it was a great solution — but I trust 1PW more than Dropbox to protect my stuff (and certainly more than I trust myself to set up and maintain a secure sync server), and I love 1PX. Also, the Windows app is lightyears ahead of where it was (the Windows Hello support is great), which I never thought I’d say.

Yes, I know other solutions are cheaper, but I have been a 1PW user for 12 years and I want to ensure it’ll be there for 12 more.

Plus, for me, the UX matters. I don’t just use 1PW for passwords, I keep software licenses, secure notes, all kinds of stuff in it. I’m not a fan of the subscriptionfication of everything, of course, but this is one product I’ll make an exception for.


What makes the 1Password UI better than LastPass' or Bitwarden's?


Last time I looked at BitWarden, its mobile app lacked basic features like a password generator and a password history tool — which makes it a total non-starter for me. I just checked and that’s been fixed (today!) and the app is looking more and more like a 1PW clone (that’s a good thing), but there were just enough papercuts that would prevent me from switching, especially when I’m a very happy 1PW user.

On the desktop, I have nothing against Electron in theory — but I prefer native apps for something like passwords, if only because of speed — I have a few thousand items in my vaults and BW was slow and 1PW is not.

Browser integration for auto fill isn’t as smooth, at least on macOS and I miss having a dedicated area for my software licenses/loyalty cards (like airlines). I haven’t used it in a while so I’d need to try it again to give it a fair assessment, but the subjective answer is “it doesn’t ‘feel’ as good.”

And unrelated to UX, I’m sure the main person behind BitWarden is a great guy, but in 2019, I’m not trusting my password manager to what is largely a one person team. When I started using 1PW in 2007, I know it was a small team. But 12 years later, I’ve been burned too often when small shops close/sell/burn-out and a password manager is too important for me to switch from something I know/trust to something that reminds me of where 1PW was a decade ago. Open source doesn’t mean open development or an active developer community. I also wasn’t impressed with the response to the critique of the cryptographic design in the security audit BW did last year. Not rotating encryption keys when you change your master password is a red flag and the problems BW faces on its own cloud are understandable, but not something I want to trust/deal with.

I’d gladly recommend BW over LastPass, but I prefer 1PW and have no intention of switching.


If you’re comfortable with FOSS solutions and the certainty of someone taking over (or not), then Bitwarden cannot be regarded as a poor solution. It also has forked implementations in some more languages and tech stacks. Any of these, including mainline, can be self-hosted for those who wish to.

This is not to imply that your preference for a larger team is invalid, but I don’t think Bitwarden and its clones are going away anytime soon.


> On the desktop, I have nothing against Electron in theory — but I prefer native apps for something like passwords, if only because of speed — I have a few thousand items in my vaults and BW was slow and 1PW is not.

I personally only use the browser extension. I never understood why a desktop app would be necessary since I have the browser window open at all times. If there was a native app I don't think I would use it.

> Browser integration for auto fill isn’t as smooth, at least on macOS and I miss having a dedicated area for my software licenses/loyalty cards (like airlines). I haven’t used it in a while so I’d need to try it again to give it a fair assessment, but the subjective answer is “it doesn’t ‘feel’ as good.”

I haven't had any problems with autofill personally. In the browser it's pretty decent. It also offers saving/updating passwords automatically when your vault is unlocked. ⌘⇧Y and ⌘⇧L shortcuts made my life easier when I discovered them. On iOS you can use the autofill if the app implements password fields properly (most apps don't). There is an option to choose Bitwarden instead of the default keychain application.

For license and memberships I simply create a folder named "Licenses" and add secure notes, create a folder named "Memberships" and add cards etc. Both entry types support key value fields inside them so you can add additional info too if it's necessary.

> And unrelated to UX, I’m sure the main person behind BitWarden is a great guy, but in 2019, I’m not trusting my password manager to what is largely a one person team. When I started using 1PW in 2007, I know it was a small team. But 12 years later, I’ve been burned too often when small shops close/sell/burn-out and a password manager is too important for me to switch from something I know/trust to something that reminds me of where 1PW was a decade ago. Open source doesn’t mean open development or an active developer community.

If 1Password isn't profitable one day it would shut down and you would be forced to switch. If Bitwarden's core developer disappeared anyone could fork it and continue development. If operations cease you can spin up your own Bitwarden server and continue from there without having to switch client apps right away. I also think there would be economic incentive to run an alternative service if Bitwarden stops functioning for some reason (+1 code quality, +1 permissive licensing).

> I also wasn’t impressed with the response to the critique of the cryptographic design in the security audit BW did last year. Not rotating encryption keys when you change your master password is a red flag and the problems BW faces on its own cloud are understandable, but not something I want to trust/deal with.

I followed Bitwarden security assessment closely. https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...

I agree the key rotation problem was a serious one (which is fixed now). Apart from that, I've read the assessment in detail and couldn't identify any case that would cause a problem for me as a personal account user. I use the browser extension on a Chromium based fork (auto-locked after ~5m) and the iOS app (w/ PIN). I also have 2FA enabled.

- BWN-01-001: You're safe unless you deliberately want to self-XSS yourself

- BWN-01-006: Minor issue, schemes:// are white-listed now.

- BWN-01-008: I don't use an organization account so it doesn't affect me.

- BWN-01-010: Fixed, you can rotate keys now. I hadn't changed a compromised password before so it wouldn't affect me.

- BWN-01-009: You're safe unless you go to settings and decrease the KDF iteration count (why would anyone do that?). The first thing I did was to increase it when the option first came out. Not that the default value is unsafe, but higher is better.

- BWN-01-003, BWN-01-004 are related to the Electron desktop app. I don't know why anyone would use an Electron desktop app when they can use the browser plugin so I didn't even read these.

Overall, I'm sure 1Password is a little more polished in the UI department but I can't imagine myself using a proprietary password manager for security reasons. I did extensive research when I was planning to switch from my KeePass+WebDAV solution to an online password manager and decided to use Bitwarden after considering all the options. So far I'm pretty happy with it. I wanted to share my experience in case anyone else is looking for a similar solution.
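Two technical points in this thread come down to how the keys are layered: Ben's claim above that a locally held Secret Key keeps the server from being a worthwhile target, and the BWN-01-010 key-rotation finding just listed. The following Python is an added, constructed illustration of both, written for this discussion; it is not 1Password's or Bitwarden's code, and the exact scheme (PBKDF2 over the password, HKDF over the Secret Key, the two combined by XOR, and an XOR-plus-HMAC key wrap standing in for AES-KW/AES-GCM) is a simplified model of the public descriptions, not either product's implementation. The dictionary, passwords and iteration count are constructed for the demo.

```python
"""Constructed illustration (not 1Password's or Bitwarden's code) of
(1) deriving a key-encryption key from a password AND a random, locally
held Secret Key, so that a copy of the server-side data alone cannot be
used for an offline password guess, and
(2) why the vault key should be rotated when the password changes."""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_kek(password: str, secret_key: bytes, salt: bytes, iterations: int) -> bytes:
    """Slow KDF over the password XOR fast KDF over the Secret Key.
    Both inputs are required: missing either one leaves 256 unknown bits."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    sk_part = hkdf_sha256(secret_key, salt, b"secret-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def wrap_key(kek: bytes, vault_key: bytes) -> bytes:
    """Illustrative key wrap: one-use HKDF keystream XOR plus an HMAC tag.
    A real system would use AES-KW or AES-GCM here."""
    stream = hkdf_sha256(kek, b"", b"wrap", len(vault_key))
    body = bytes(a ^ b for a, b in zip(vault_key, stream))
    return body + hmac.new(kek, body, hashlib.sha256).digest()


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the vault key, or None if the KEK is wrong (tag mismatch)."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        return None
    stream = hkdf_sha256(kek, b"", b"wrap", len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


# Constructed guess list for the offline-attack simulation.
DICTIONARY = ["password", "letmein", "hunter2", "correct horse"]


def offline_guess(salt: bytes, blob: bytes, secret_key_guess: bytes, iterations: int) -> Optional[str]:
    """What an attacker holding only salt + wrapped key can do: try passwords."""
    for pw in DICTIONARY:
        if unwrap_key(derive_kek(pw, secret_key_guess, salt, iterations), blob) is not None:
            return pw
    return None


def change_password(blob: bytes, old_kek: bytes, new_kek: bytes, rotate: bool) -> bytes:
    """Re-wrap under the new KEK; with rotate=True also mint a fresh vault key
    (which means every item must be re-encrypted, the costly part)."""
    vault_key = unwrap_key(old_kek, blob)
    if vault_key is None:
        raise ValueError("old KEK does not open the blob")
    if rotate:
        vault_key = secrets.token_bytes(32)
    return wrap_key(new_kek, vault_key)


def demo() -> dict:
    iters = 1_000                          # tiny for the demo; clients use far more
    salt = os.urandom(16)
    secret_key = secrets.token_bytes(16)   # made on the first device, never uploaded
    vault_key = secrets.token_bytes(32)    # the key that actually encrypts items
    kek = derive_kek("hunter2", secret_key, salt, iters)
    blob = wrap_key(kek, vault_key)        # what the server stores next to the salt

    # Server breach: salt + blob only. Guessing passwords is futile without the
    # 128-bit Secret Key (modelled here as the attacker trying a random one).
    from_server_only = offline_guess(salt, blob, secrets.token_bytes(16), iters)
    # Secret Key also stolen (e.g. from a device): the password is the last line
    # of defence, and a weak one falls to the same dictionary.
    with_secret_key = offline_guess(salt, blob, secret_key, iters)

    # Password change after the old KEK leaked (same salt kept for simplicity).
    new_kek = derive_kek("correct horse battery staple", secret_key, salt, iters)
    no_rotate = change_password(blob, kek, new_kek, rotate=False)
    rotated = change_password(blob, kek, new_kek, rotate=True)
    return {
        "cracked_from_server_only": from_server_only,
        "cracked_with_secret_key": with_secret_key,
        # the vault key the earlier attacker already holds still opens everything
        "old_vault_key_valid_without_rotation": unwrap_key(new_kek, no_rotate) == vault_key,
        "old_vault_key_valid_after_rotation": unwrap_key(new_kek, rotated) == vault_key,
    }


if __name__ == "__main__":
    print(demo())
```

The XOR combination is the point of the first half: a leaked server blob gives an attacker nothing to grind against unless the Secret Key is also in hand, and the PBKDF2 iteration count (the BWN-01-009 knob) only matters once it is. The second half shows why re-wrapping alone is not a password change in any meaningful sense: the item key is unchanged, so anyone who obtained it before keeps reading.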


For Lastpass at least, I have two specific examples: 1) in Lastpass, the password length selector is a drop down, not an input or a slider, while in 1password it is a slider. This means you need to scroll a bit to choose a longer length password in Lastpass. 2) 1password remembers your last location in the app when the app is open, so you don’t lose context (not every time but most of the time) but whenever I’ve closed Lastpass for some reason it forgets where I was at.


> For Lastpass at least, I have two specific examples: 1) in Lastpass, the password length selector is a drop down, not an input or a slider, while in 1password it is a slider. This means you need to scroll a bit to choose a longer length password in Lastpass. 2) 1password remembers your last location in the app when the app is open, so you don’t lose context (not every time but most of the time) but whenever I’ve closed Lastpass for some reason it forgets where I was at.

1. That's not true in the browser extension for chrome at least, where it is possible to type in numbers in the password length field.

2. Some people would consider the fact that it doesn't leak last information about use by retaining context as a feature.


> That's not true in the browser extension for chrome at least, where it is possible to type in numbers in the password length field.

Same for Firefox extension. Best feature is that nowadays Bitwarden has support for password sentences.


It's far more attractive, in my opinion, and I use both on a daily basis and I have far fewer frustrations with 1PW.


That it is in your opinion "far more attractive" (whatever attractive means) just tells the rest of the readership (including me) exactly nothing. That you have "fewer frustrations" with 1Password idem ditto. Be specific. Mention examples. Tell us which versions you are talking about.


> I'll go against the grain and defend this.

People mostly complain about how they handled the situation, not about the product directly (there are many people who say that the product is superior yet will migrate because of their response).

They weren't respectful and they didn't acknowledge their mistake of not showing any warning anywhere (instead deflecting to absurd justification).

> knowing they have recurring revenue gives me confidence that they'll be around for a while.

Recurring revenue is a thing that helps, sure, but supporting your existing user base (which he was part of) is another one. That thread shows how they treat them. That gives me confidence that if I get an issue, I'll get treated just as badly.

I'll personally be looking at an alternative, even though the product is pretty great; support is part of it (and in the case of a password manager, that's quite an important part of it).


>1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

Yeah, no. 1PX has no means of data export. After 10 years on Lastpass, tried to give 1P a shot. Quickly grew frustrated within a month of the linux experience, and decided to move to Bitwarden. Turns out 1PX has no means of export, and I was stuck having to migrate each account by hand, and redoing the TOTPs. Bitwarden is substantially worse in terms of the UI, but at least I don't have to deal with vendor lockin.


Ben from 1Password here. This is a valid criticism. While it also doesn't have a direct export option our CLI may help with getting data out of 1Password on Linux: https://support.1password.com/command-line-getting-started/ Hopefully in the future we can bring our robust export options to 1Password X and/or the 1Password.com web interface / CLI. We agree, export is important.


Keepass (I use keepassxc) works great across all three platforms I've used it on (Windows, Android, Linux) and the database is less than 100KB so it's easily shared on the free tier of any cloud storage provider.

1Password does have a good UX, but it's not the only option that does.


+1 I am using Keepass Windows & Android versions on my 3 phones & one laptop. The desktop database is synced two-way to Dropbox for any changes. The FolderSync app is used to get one-way sync only, from Dropbox to phone.


How do you sync your password file between your phone and your computer? Currently I only use KeepassXC on my computer but plan to start using it for more accounts so will need to have my passwords there too.


I use NextCloud myself to share the actual DB, and the keepass2android[0] app.

It works great although the app looks for app names instead of URLs sometimes so you'll have to hit the search button. Takes two seconds longer but it's no sweat.

You can use any file sharing service you want.


Even syncthing would work fine.


You are not defending this, you are simply saying you like 1Password.


I don't know how I never heard about 1Password X. The last time I attempted to switch from macOS to Linux, the lack of 1Password was one of the biggest things that made it hard for me.

That said, a browser-based 1Password is really not what I want. I just really don't trust web technologies for keeping my passwords safe. If I really was going to use it, this might be the only instance in which I'd actually prefer an Electron version to using it in my main browser, just for the additional isolation.


Ben from 1Password here. We offer a couple options for Linux: https://support.1password.com/explore/linux/ Hopefully we can continue to expand upon these offerings. Our ops people are primarily Linux users, so we are aware of the challenges.


What 1PW recommends for people feeling unsure is a separate browser profile [1] just for 1PX. An Electron-based thing isn’t a bad idea tho.

[1]: https://support.1password.com/1password-x-security/


At least when I tried 1PX earlier this year, there was no data export options, which is only on native desktop (ie, OSX & Windows) apps.


It seems like sometimes products hit a point where they are actually pretty much done and consumers would be best served by the product going into maintenance mode. Of course that doesn't happen because companies must grow and the spice must flow. In that case the product ends up changing things for the sake of change or to enable additional monetization. I'm pretty sure Evernote hit that point years ago and could see the same argument being made for 1Password.


Indeed. I'm using ancient versions of lightroom and 1password, because companies stopped selling software the way I want it. I don't feel I'm missing out, but one day they will stop working.


Hey there. Ben from 1Password here. For what it's worth... we do sell licenses for 1Password 7. Please reach out to support@1password.com for details.


Why do people have to email support to know how to buy the standalone license? This has been intentionally made complex by Agilebits (I know that the official line is “not to confuse users” or something, treating all users like they can’t understand stuff).


Oh cool, I'll come back to you once Apple inevitably breaks my 6.


Do you use Safari? If so that will unfortunately be coming with Safari 13.


> I have a workflow where I use 1Password on my phone - locally, no sync, do not want sync, can not use sync. Obviously this is not my main way of using 1Password. On that phone, I often remove 1Password and reinstall it.

My guess is that he's doing this when he crosses borders or in other situations where he might be subject to an intrusive search. So he carries a minimal set of passwords that he needs for that trip in a local vault. Maybe just his airline login, a throwaway email account, and an innocuous credit card account. If he's forced to login to his 1Password account during a search or inspection, he won't reveal his lifetime accumulation of accounts and passwords.


1Password actually has a feature for this called Travel Mode: https://blog.1password.com/introducing-travel-mode-protect-y...


Until border security finds out about travel mode and demands you disable it.


Border security are not idiots. They know about travel mode.

Travel mode works because it can’t be changed on device and so moves the vault out of border security jurisdiction.

They can have probable cause to search your phone and will if they want to, but they are unable to put you in a room with a browser and make you download something, so hence it's out of reach.


It could be he works for US government and protects himself from, say, EU border guards, who are far less intrusive. But better safe than sorry.


> It could be he works for US government and protects himself from say EU border guards.

The reverse I could imagine.


Hiding in the cloud? They must be kidding...


This is a great use case.


Count me as one of the users who are getting annoyed at 1Password’s attempts at recurrent monthly spending. In addition, while their cloud service is probably fine, the best option is to locally sync and not involve the cloud at all.

I would much rather just keep using the “local app” license, which sadly isn’t even available for sale anymore. In fact, I can’t even use my Windows license I bought back in the day.

One of these days I'll probably just stop using 1Password and move on to something else. Are there any good free/one-time purchase locally syncable password apps that work on Mac/iOS?


You can definitely still buy the standalone app license, but they use a pretty dark pattern to hide it. They don't really talk about it anywhere, in the forums they will just push subscriptions, and they constantly change how you get a new license.

In the past, they moved the standalone license page from 1password.com to agilebits.com, and made it purposely difficult, if not impossible to get to.

Now here's how you do it for the most recent version:

Download and install the app. When it asks you about a subscription, there is another link that you can click, but I don't remember what it says, but it should be at the bottom of the pop-up. It will take you to a checkout page where you can get a standalone license.

They'll probably change it yet again in the next major release so YMMV in the future.



I switched to BitWarden from LastPass and 1Password and I couldn’t be happier. You can self host if you want but you still have to pay.


bitwarden_rs is free to selfhost


I agree, the subscription pestering is annoying. They do still offer a standalone version though. I just upgraded from an ancient Windows version (4 or 5) to 1Password 7 for $49. They really avoid mentioning that the standalone exists, but just install 7 and there is a purchase option.


Well, that’s several hundred dollars of their software which I would have happily bought if they’d told me about it.


I totally agree. I understand why they push subscriptions, and they offer decent value for the subscription, but they are going too far in hiding the standalone. The hard sell is probably a net loss for them.


I use KeePass and sync the database using Google drive / dropbox.

It's free.


Actually keepass (i.e. .net app) or keepassx/keepassxc (Qt fork)?


Keepass on my work laptop (Windows). KeepassXC on my personal laptop (Manjaro Cinnamon). Keepass2Android on my smartphone. MiniKeePass on my iPad.

I've moved from dropbox to google drive for synchronizing my keepass database because of the recent changes to dropbox, where you can only sync 3 devices for free accounts.


“Thanks for clarifying. All the Pro Features you paid for are still available to you.”

This seems bogus. I bought it on mobile for $10 or whatever it was and on Mac and the migration to the subscription model was basically a forced deal as far as I could tell when the update a year or two ago to the free apps on subscription change happened. Hate that aspect.

And “thanks for your feedback” seems to be the new F off.


I'm a paid licence holder for 1Password, but am uncomfortable with being more and more forcefully pushed into using their cloud-based subscription service (which, while I use it for work, I'd rather _not_ use personally).

What're people's experiences with alternatives to 1PW - ones that do device-device sync and work at least across iOS/macOS and ideally integrate nicely with browsers and apps on both those platforms? Is BitWarden ready for prime time for something as critical as secure password storage yet? Does its iOS app take advantage of the secure enclave features of iPhones?


I've been using Bitwarden since just after it launched. I've yet to have any issue with it. The desktop, browser, and mobile clients are all seamless and... well, just work.

I was part of the LastPass exodus after their acquisition and used 1Pass with Windows and (then) OSX. The lack of a Linux client was a hassle, and eventually left me shopping around. I tried Keepassx and the others, but I ran into issues with sync (most likely my error.)

I saw Bitwarden mentioned here and gave it a swing. Importing everything only took a minute, and I haven't looked back. It works on all operating systems, has 2FA, etc etc. It's perfect for my needs.

At some point in the future I may go self-hosted.


Yup, similar journey. I think LastPass is going out of business - we were enterprise subscribers last year and it was impossible to get in contact with support when our license expired. Couldn't even get in contact with a sales person - they literally didn't want our money anymore. Switched to BitWarden and am so much happier with the interface and such better pricing than 1password, plus I feel they have always been upfront with their product development while 1password has been, um, sorta shady, imho.


that's crazy about LastPass. It was a decent product for its time, but password managers evolved quite quickly over the past few years.

My beef with 1Pass is that they charged around $35 - $50 for their standalone product during the exodus, and about a year later moved to their subscription platform --- pretty much abandoning development for the standalone users. The OSX application was far less buggy than the Windows client. And when you needed to grab a new copy of the standalone client, it was buried on their site in a FAQ.

1Pass should have offered a few months for free to pull the standalone folks over to the new service, but instead they said 'we don't have any offers, but feel free to contact sales' -- which is a difficult sell when compared to the newly polished Bitwarden that works on all systems and browsers out of the box without any requirement for payment or a subscription.

All this said, we're technical people, so we're more aware of sketchy practices and are quick to jump to different products, and may not be their target -- especially with their previous lack of Linux support.


FWIW, at work the 1PW cloud/subscription thing is a _very_ good thing, and easily worth what we pay for it.

I just don't want to have my personal password db on other people's computers, and their ever more forceful pushing to get me off the standalone apps synced between my devices over wifi has _finally_ got me looking around for alternatives. I'm _totally_ happy to pay for an alternative - I _do_ value software (especially this type of software), and I'd love to be sure whatever I use has a reasonable chance of being around (and being successful) in the timeframe of at least 5-10 years.

But I totally get that AgileBits are heading in the direction where my work is their target customer, and I am not. That's fine. I'm pretty sure I'd be making exactly that same decision if I ran/advised AgileBits.


KeePassXC is FOSS, free of cloud nonsense, works fine on desktop, and has integrations for most browsers. I have no idea about the iOS situation, but on Android KeePass2Android provides global autofill and works with a ton of storage providers (everything from Dropbox to bring-your-own-SFTP).


On iOS, there’s KyPass. It plays nicely with the Linux and Mac versions of Keepass, syncs with Dropbox, supports Touch ID, etc. There was a reasonable one-time purchase price, I believe.

I switched to the Keepass world a while back when 1Password started to try to nudge me into paying a monthly fee for software that I already paid for on multiple platforms. The Keepass variants aren’t as slick but who cares.


I actually _do_ care enough about "slickness" to be prepared to pay for it. I want to be able to keep my encrypted password db off other people's computers though - using 1PW's cloud service requiring Dropbox for multi device sync is not what I'm after...


I paid about 50$ or so for it with no complaints. I’m not willing to pay that plus a subscription fee for what is, at the end of the day, a small encrypted database.


Big fan of KeePass. On Mac KeePassXC is great, on Windows KeePass, but on iOS I use Strongbox [1] which is excellent. Auto fill works well, it's open source [2] and actively developed. I really don't trust non-open-source password managers.

[1] https://apps.apple.com/us/app/strongbox-password-safe/id8972...

[2] https://github.com/mmcguill/Strongbox/


I had my whole extended family on 1PW. We've all switched to Bitwarden (after a few transgressed to LastPass, but that's behind us now), and we're happy.

Having the developer respond quickly on email is delightful, it works great on Ubuntu, macOS, Windows, Chrome OS, Android, Firefox, and sharing credentials between accounts works seamlessly.


How's BitWarden at autofilling forms on webpages? Does it work in Chrome on Android (or other mobile browsers)? Can you authenticate with a fingerprint? Can you force a non-fingerprint method after device reboot or a certain period of time?

I might have a closer look at it myself.


> How's BitWarden at autofilling forms on webpages?

I don't think I ever had any issues with it.

It looks like it might use some old code from 1Password:

https://github.com/bitwarden/browser/blob/280f6f495f9f8bdfe3...


This is one of the most interesting things I've seen in this thread. I would not have expected 1Password to make any part of their platform MIT licensed.


Autofill on desktop is pretty amazing, I never had problems. On Chrome Android it uses the autofill APIs and is quite good but not perfect.

You can authenticate with a fingerprint and afaik no, you can't force a PIN after a reboot/period of time.

I never had trouble with it regarding that part and still recommend it. It also accepts 2FA with a YubiKey.


> autofilling forms on webpages

It works fairly well. Some sites (banking, mostly) don't work, but the UI lets you easily copy the username or password so you can paste it where it should go.

> Does it work in Chrome on Android

Yes, and Firefox on Android.

> Can you authenticate with a fingerprint

That's how I have it set up.

> Can you force a non-fingerprint method after device reboot or a certain period of time?

Maybe? I haven't seen (nor looked for) that feature.


I second Bitwarden. Possible to self-host, open source, and works everywhere I want to.


> Is BitWarden ready for prime time for something as critical as secure password storage yet?

It works pretty well, but the user experience eventually drove me back to 1Password:

https://news.ycombinator.com/item?id=19839087

#4 in particular.


Does it auto lock? That sounds annoying. Saving passwords is not as big of a deal, but definitely for filling in passwords.


You can set timeout on auto lock or put it on different settings such as browser restart, OS restart, or never.


That’s horrible. How is that not considered a bug?


The developer says "Unfortunately the browser APIs don’t allow for this.":

https://community.bitwarden.com/t/autofill-shortcut-should-o...


Now I’m going to have to check see what 1 Password does in this situation.


I took one look at BitWarden and, as a security person, ran the other way when I saw the CLI expects you to enter your password on the command line in order to operate it. This password gets exposed in your shell history, to anyone who can view a process list, etc.

If a company writing a security product can be this incompetent about something so basic, I don’t have any interest in gambling that the rest of their product is any better.


Did you actually try using the CLI tool, or did you only read the documentation? The documentation isn't super clear, but in actual usage neither your password nor your email gets entered into shell history or otherwise.

You can pass your email and password as arguments to the "bw login [email] [password]" command, which will put them into your history, but the default way of typing "bw login" will then prompt you for them both, masking your password just like any other CLI tool does.
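To make the point of the two posts above concrete (why an argv-supplied password is exposed, and what a prompt-by-default CLI does instead), here is an added example. It is not Bitwarden's code and not from the `bw` tool; the environment variable name `EXAMPLE_MASTER_PASSWORD` and the sample secret `hunter2` are constructed for the demonstration.

```python
# Added example (not Bitwarden's code): a CLI credential helper that keeps the
# master password off argv, plus a check showing why argv is the wrong channel.
import getpass
import io
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence


@dataclass
class Credential:
    value: str
    source: str    # "argv", "env", "stdin" or "prompt"
    exposed: bool  # True if the secret travelled through a channel other local users can read


def cmdline_tokens(pid: str = "self") -> list:
    """Read a process's argv the way `ps` does on Linux (/proc/<pid>/cmdline).

    Returns [] on platforms without /proc; treat that as "unknown", not "safe".
    """
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return [t.decode(errors="replace") for t in fh.read().split(b"\0") if t]
    except OSError:
        return []


def secret_visible_in_argv(secret: str, argv: Optional[Sequence[str]] = None) -> bool:
    """True if `secret` appears in an argument vector (our own process by default).

    Anything in argv is readable by every local user via `ps -ef`, and the
    interactive shell normally writes the same line into its history file.
    """
    tokens = list(argv) if argv is not None else cmdline_tokens()
    return any(secret in token for token in tokens)


def resolve_secret(
    argv_value: Optional[str] = None,
    env_var: str = "EXAMPLE_MASTER_PASSWORD",   # hypothetical variable name
    environ: Optional[Mapping[str, str]] = None,
    stdin: Optional[io.TextIOBase] = None,
    reader: Optional[Callable[[], str]] = None,
) -> Credential:
    """Obtain the secret from the channel the user actually offered.

    An explicit argv value is honoured so existing scripts keep working, but it
    is flagged `exposed=True` so the caller can warn or refuse. Otherwise fall
    back to an environment variable, then piped stdin, then a masked prompt.
    """
    env = os.environ if environ is None else environ
    if argv_value is not None:
        return Credential(argv_value, "argv", exposed=True)
    if env.get(env_var):
        # Only readable by the same user (and root); still inherited by child
        # processes and present in crash dumps, so not ideal either.
        return Credential(env[env_var], "env", exposed=False)
    if stdin is not None and not stdin.isatty():
        # Piped input (e.g. from a secrets manager); strip only the newline.
        return Credential(stdin.readline().rstrip("\r\n"), "stdin", exposed=False)
    prompt = reader if reader is not None else (lambda: getpass.getpass("Master password: "))
    return Credential(prompt(), "prompt", exposed=False)


if __name__ == "__main__":
    # Constructed demonstration of the discouraged form: secret on the command line.
    cred = resolve_secret(argv_value="hunter2")
    print(f"source={cred.source} exposed={cred.exposed}")
    fake_ps = ["bw", "login", "me@example.com", "hunter2"]  # constructed argv
    print("secret visible in a ps-style argv:", secret_visible_in_argv("hunter2", fake_ps))
```

The `reader` parameter exists so the prompt path can be exercised without a terminal; in real use it defaults to `getpass.getpass`, which disables echo the same way the `bw login` prompt does.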


Even if you can do this, the fact that the documentation encourages you to do otherwise is extremely worrisome. Securely-written tools shouldn't even allow you to do this in the first place, much less promote it.

https://help.bitwarden.com/article/cli/


I don't think it's extremely worrisome. The arguments are in brackets a.k.a. they are optional. If a user doesn't know that they probably shouldn't be using the command line tool in the first place. Besides, if you run help on the cli tool the first example it suggests is "bw login" (without the arguments).


Regardless of the fact that this is one way to operate it (just like many CLI commands can also prompt for a password), you're aware you can tell your shell to not save commands to its history?


You mean the cli doesn’t prompt you to type the pwd separate from the cli command itself, akin to how Postgres ‘psql -p’ works?


According to the docs, all of the relevant commands accept the password as an argument to the binary itself.

https://help.bitwarden.com/article/cli/


It does. In fact, when you --help in the cli tool the first example it suggests is to login with "bw login" command which is the default way.


Not sure how it would work with iOS, but keeweb (or keepass) .kdbx files sync really well via syncthing. Even to my mobile devices.


I don’t know about the secure enclave, but I can anecdotally say that I’ve been using Bitwarden seamlessly across iOS/Windows/Linux for a while now. It uses the convenient auto fill api thing on iOS and the extension is pretty good on desktop as well. (Although I haven’t worked with it on Mac)

Haven’t had any issues, I switched from LastPass and the only feature I miss for personal use is password sharing. I think it was in the free version of LastPass but not part of Bitwarden. I didn’t really use that feature much anyway though.


I use it daily on a Mac. Works great, just like it does on Windows/Linux/Android. Can't comment on iOS.


Wow, this is tremendously bad communication from their team. I don't care about the local vault feature, but the lack of empathy in the responses from AgileBits is certainly making me reconsider my family account.


That’s the biggest mistake I see in that thread: all of the apologies are immediately followed by responses which are, at best, dismissive or, at worst, defensive bordering on vindictive.

That person probably got testy because they were being treated so poorly.

I don’t think I saw any validation of a reasonable concern—which is like customer service 101—let alone any type of attempt to win the user (back) over. This is classic, stereotypical techie behavior and it needs to die. And I say that as a developer (who has been plenty guilty of this tendency myself…)


I think it's more just fatigue. The user was getting really combative in their responses, and eventually you learn to just shut down emotions when you encounter that.


Skimmed the thread and it didn't come across all THAT dramatic. The user was obviously frustrated, staff apologized repeatedly, and did a fair job answering most of his technical questions.

His key beef is they neglected to mention the change in their release notes, and the optics of the oversight could be perceived as a covert move to push people toward their cloud service. I'm surprised they didn't apologize for the release notes oversight (whether or not it was inadvertent) - they kind of act like it's just another benign collateral effect that will only impact a handful of people.

Sure, maybe he's on a free plan, but when I shilled free trial versions of my software I tried to treat all [existing or potential] customers with white gloves - even the irritating ones.

@TroyHunt are you out there; any thoughts on the software change?


Where was the user getting combative? They seem to have done a stellar job in talking with support in a polite and informative way.

Whereas the company literally removed a non-trivial piece of functionality without a single mention of it in Release Notes, and then disengaged from the topic once other people came in and pointed out that this is a) bad, and b) probably a blatant attempt at pushing people into the subscription model.

Overall, I know what password manager I'm not touching now.


Having dealt with a number of interactions like this, it definitely felt like the user was trying to lead the support staff into a pothole. It's just the way the questions were asked.


Interesting. I feel that's a "damned if you do, damned if you don't" case. Is there no middle ground between being completely helpless and "trying to lead the support staff into a pothole"? What would a proper support request from a person who understands the product and their own use cases look like?


Perhaps. I asked my roommate how she felt about the thread and she described that same feeling. Us humans can sometimes pick up on things weirdly I guess!


The user got combative when they didn’t address a core piece of his concerns: that they didn’t provide notification. I empathize with not wanting to deal with a combative user but when that user happens to actually be right and when the negative consequences are all of your own making, my empathy starts yielding to my low tolerance for “tomfoolery”. If they were fatigued they did it to themselves.

Additionally, this is asynchronous communication. Take a breath. Recover. Do it right.


The feature has been specifically disabled in the iOS app, still available on macOS for now.

It's extremely disappointing that the staff are being so evasive regarding their communication. For a product that is necessarily built on trust, that's the last thing that I want to see.


In my view this company took what used to be a perfectly capable, useful, and reasonably priced (well kind of high priced) app, and abused the idea of subscriptions to parlay it into a way to pay for their swimming pools and SUVs for life. People deserve to get paid, sure, but we are talking about a small utility app here. They knew they had gotten some lockin and they played it to the hilt, to the detriment of users. All the complexity they have added is optional and arguably worse. The sense of entitlement is breathtaking.


I downvoted you because it is significantly more complicated than that. It could be that the model that they were using was not sustainable (pay once per major version) and needed (or strongly wanted) more stable revenue. I agree that they push subscriptions hard and, as a user of the iCloud vault, it’s pretty frustrating to have to jump through hoops to get it to function on the current version as it did on the previous version. I also eventually bought a subscription because it was pretty complex to get the standalone app and you could not get it via Mac App Store. I have my grievances with the changes during the past two years with 1Password and Agilebits. However, I don’t believe they are doing it to “pay for their swimming pools and SUVs” but rather keep their business alive and to, yes, pay their employees.


1password seems to be slowly but surely inching towards a pay-by-month model for all users, which is, I assume, a great deal for them (persistent recurrent revenue!) but a terrible deal for the user (once you are in, you are on the hook forever or you don't get access to your precious passwords). I've been a happy user of 1password for a decade. Looks like it's time to consider alternatives?


>once you are in, you are on the hook forever or you don't get access to your precious passwords

You can still view your passwords after your membership is cancelled.

>Looks like it's time to consider alternatives?

I've switched to Bitwarden and haven't looked back. It's not as 'shiny' as 1Password but they seem like a great company and everything works for me so far (using iOS, android, macOS, Ubuntu, and Firefox).


I used to always think I would have a local copy of my passwords but that suddenly became not true based on someone else’s whims.


Hi callalex. Ben from 1Password here. I'd like to hear more about this situation. 1Password does indeed keep a local cache of your data and even if you cancel your subscription you continue to have read-only access. Would you mind reaching out to support@1password.com to elaborate?


> You can still view your passwords after your membership is cancelled.

You can now. But for how long? How long would it be until you need to reimage your computer or install it on another platform and the new version would demand membership?

The problem here is not that it won't work right now. It's that once this mode is not supported, even if it still works you're on your own. Like using an out-of-support software version - maybe it works now, but you had better have a migration plan, or one day in the future you'd be in big trouble with nobody to help you. And passwords to every site you have a login on is not exactly the type of information you want to take risks with. You need to trust the provider to have your back here, and if they are not interested in supporting users that paid for their licenses but are not providing recurrent revenue, then you had better have a plan B.


They are already at this point. You have to use the legacy versions to avoid pay-by-month. I'd happily upgrade and pay them for new features, but I don't want my usage and data to be held hostage by them if I choose not to upgrade.


Hi chrischen. Ben from 1Password here. We do support standalone licensing and vaults in the latest versions. Please reach out to us at support@1password.com for more details. We definitely want to encourage everyone to use the latest versions, which is one of the reasons membership is such a big push for us (as it includes access to all of the latest versions).


I've been using 1Password since basically forever.

With the introduction of a subscription model, I started looking for alternatives.

While I get why companies jump on the subscription bandwagon, I on the other hand flat out refuse to pay a subscription fee for software. I don't mind paying for software, but the subscription model is not for me.

First, with a paid license for version x, I decide if the "latest & greatest" is worth it to me. If it isn't, I'll just stay with my old version.

Second, I'm old enough to know that the "latest & greatest" also includes the latest & greatest bugs. I want to decide when I upgrade. (Yes, I run Debian Stable!)

Third, as everything I (used to) use has migrated to a subscription model, it's becoming rather expensive to get anything done. Yes it's only "$X.99/mo", along with the 20 other things that are also "$X.99/mo".

For this particular use case, I've been evaluating many different solutions, and I've more or less settled on [pass](https://www.passwordstore.org/). It works on Mac OS and Linux, has a very decent iOS app, and "kinda" works on Windows. I use it through WSL on Windows.

It's nowhere near as polished as 1Password is, but it's mine, it's free, and it fits my needs.

I did evaluate [Bitwarden](https://bitwarden.com/) as it seemed like the next best choice to 1Password, but the "non subscription" version doesn't support 2FA tokens.

I still use 1Password frequently, but the second the local vault is gone, I am as well.


Paid user here, so I am not affected by this problem.

However (writing this complaint here since I am sure they are monitoring this 3d) I am really disappointed by the way agilebits handled this matter.

1) the release notes were shitty and they know it; 2) no one asked for a free app but if you do that, taking it away is a baaaaaad idea; 3) it took me a lot of time to convince family members to use local vaults on their phones, if the feature is removed and they will complain with me I will be extremely unhappy.


May I very strongly recommend that you check out:

https://pwsafe.org/

Open source. Bruce Schneier designed. Windows, Mac, Linux, Android, iOS versions. Dropbox and iCloud sync available as well as standalone operation. Yubikey support.

Need I say more?


I use KeeWeb[1]. Works well, it's able to sync the encrypted database on many cloud/web services, and it's based on KeePass. So even if the app stops being updated or even stops existing, I remain in control of my password database and can switch without having to convert anything. I use KeePass2Android[2] as well, which can be set as an AutoFill provider.

[1] https://keeweb.info/

[2] https://play.google.com/store/apps/details?id=keepass2androi...


+1 I used Password Safe for more than 10 years, and the developers are top notch and really into their security. I eventually moved to KeePass just because I wanted to store attachments but if that's not a deal breaker Password Safe is awesome.


No need to say more - pwsafe is the real deal! I use it on Android and Linux - synchronize either manually with Google Drive or automatically with DropBox. It's an awesome application!


What I really like about Password Safe is that you can drag passwords into text boxes. Most password managers copy your password into the clipboard where every local application can access it. With drag and drop only the designated application will be getting the password.


An application capable of reading the clipboard is just as capable of covertly taking screenshots, recording keystrokes and otherwise compromising data when executed in the context of the same system user. It gives a false sense of security guarding the clipboard when the real threat is untrustworthy (usually closed-source and proprietary) software itself, executed as a user with privileges.


Wow, why am I just now hearing about this?

