In Its First Funding in 14 Years, 1Password Raises $200M Series A (crunchbase.com)
485 points by adamfeldman 30 days ago | 384 comments

This isn't really a typical Venture funding, and is definitely not a "Series A". Traditionally, at this point, 1Password would probably have just gone Public, without any need for venture funding. But, why go to the hassle of doing that when you can get most of the same benefits ($$$) without any of the pain (public reporting, SOX, etc...).

The VCs at this point would be happy with a 3-4x return, because the risk is minimal - companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail. So, if they picked up (for argument's sake) 25% of the company, giving it a pre-money valuation of $800mm, all they really need to do over the next 3-4 years is build an $3.2B company, which, given 1Password's dominance/quality of product - should be relatively straightforward.

Their killer organic entry is: "Everyone" is already using them for personal password management, which means cost of training/installation/use is trivial to add the Enterprise element.

As a personal user, I consider 1Password the GitHub of password management - sure, there are lots of GitHub competitors, and you can roll your own - but, when there is one product that has completely nailed it - why bother going with anyone else.

I have been following this company for like 10 years now, if not more. 1Password is anything but a typical software company. When they were small, I forget the year, they emailed us (each) six licenses of 1Password as a Thanksgiving gift. A small gesture, but clearly the courage to leave that much money on the table for a small startup is laudable. On the other hand, each of my friends who got it "free" wouldn't have considered any password manager (free or not). They had the uphill task of creating the market. I am sure all the recent password leaks help a bit.

They sponsored Gophercon in 2018(?). I didn't even know they use Go.

Good luck to them and hopefully they will keep us from password disasters of the future. Now, if only I could convince everyone to use a password manager...

On Nov 23, 2010 (still have the e-mail in my inbox), they sent a "Happy Thanksgiving and 3 Gifts For You!" with free downloads of 2 books and links to give away a license of 1Password for Mac, 1Password for Windows, and Knox for Mac.

Small touch, but my office recently started using 1Password in large part because most of the competition only offers USD billing. While we can pay for services in USD, it's unpalatable given none of our own income or accounting is done in USD.

How did you do that? I can’t find a way to pay 1Password in € rather than $. Every year my bank is stealing^W taking a fee because 1Password is billing in USD.

I went through 1password.ca, 1password.eu seems to direct to pricing page with € pricing.

Fair warning: I work for 1Password

These also have another distinct change beyond simply pricing, they're actually hosted in those regions. So .ca is hosted in Canada and .eu is hosted in the European Union.


Thanks, I didn’t know there was a 1password.eu. Unfortunately for me there’s no automatic way to change region [1].

[1]: https://support.1password.com/regions/#change-your-region

The coverage for even the best password managers misses a ton of key touchpoints where they'd be useful. I use mine very reluctantly. This attitude of 'password managers for everything!' doesn't make any sense to me when half the login prompts I encounter aren't supported.

I got the opportunity to try it for free from my friend who got it via work, but it wasn't really as good as lastpass...

It's really not constructive saying something like that without substantiating it.

Why was it not as good as lastpass?

I didn't feel it needed substantiation because I'm interested in discussing 1pass vs lastpass on a business level, not a technical level. I tested it over a year ago, so any complaint could well be out of date. I found it to have less features, was more buggy on android, and didn't really detect usernames and passwords on forms as well as lastpass. I used it for a few days and just couldn't come to terms with it.

I'm really surprised by that. I eventually abandoned Lastpass for 1password around a year ago because I couldn't handle Lastpass's bugs any longer. (And those bugs had eroded my confidence in their ability to keep passwords secure.) I'm also on Android, but the difference is probably that I use Firefox. LP has treated Firefox as an afterthought for quite a while now, with numerous serious bugs languishing for months or even years. Since moving to 1pw I've had very few complaints. The autofill on Android isn't perfect, but it's better than Lastpass was. And the desktop product is flawless aside from a bit of an Apple-centric design.

I use ff exclusively on android and pc/linux. I found 1pass to be inferior on android, but I also use lineageos so maybe that had something to do with it. I dunno, it might be worth another go but lastpass seems to be good enough for me. Even though it does have bugs, as long as I can get the passwords when I need it it's not a big deal for me. The big deal is making sure all forms capture and update passwords as needed, and lastpass seemed to be far better when I was messing with it.

> As a personal user, I consider 1Password the GitHub of password management

Ah, GitHub. The company which was bootstrapped and profitable like 1Password, but then took venture capital, became unprofitable, and had to sell to Microsoft. Let's hope they aren't the GitHub of password management.

GitHub being sold to Microsoft was a huge win for GitHub. They got acquired for $9B which is a staggering valuation - one they never would have gotten on their own.

Not only that, but the GitHub product is getting much better under Microsoft.

So overall I think it was a win for consumers too.

Where has this story been publicly discussed? What’s the origin of this rumor that GitHub “had to sell” due to financial stability concerns?

Unless they want Apple to buy them.

Apple already has its own, pretty good, password management.

Apple is using 1Password internally: https://iphone.appleinsider.com/articles/18/07/10/apple-look...

There were also rumors of an acquisition at the same time, which were denied.

I think you are largely correct about this being a liquidity event vs series A funding; they are likely not looking at massive employee growth or marketing campaign as much as a way to unlock equity without going public.

This is good for users as it likely means no huge changes to appease corporate overlords, but continues the sad story of limited young, profitable, small-cap Canadian tech companies available for outsider, passive investment. There are quite a few in the category of 10-15 years old, solid revenues/profit and founders that are ready to step back; most choose private equity or sovereign wealth funds investments in the 100M - 1B range over going public because of the hassle and reporting requirements. The average individual investor doesn't have access to these deals which is a shame because they tend to be established, profitable return generators. I don't blame the founders; I'd likely do the same route.

> all they really need to do over the next 3-4 years is build an $3.2B company,

I really did laugh out loud as you make it sound so easy. Having said that the money isn't in the consumer side, but the Enterprise. 1Password is only just entering this market and there is huge potential.

The potential is just as huge Apple and MS add “good enough” solutions. From a biz context, 1pwd is winning in its niche. But it’s just a feature the OS vendors haven’t prioritized from a technical context.

I am grabbing AWS keys from MacOS keychain and can access creds I save in iCloud from any device. Uh oh 1pwd

That is assuming your whole Enterprise is only on macOS, which I think none of the Fortune 500 companies are.

If you have cross platform to support, and want the best experience (or I should say equal experience) then a decent third party Password Manager is the only way to go.

I would have thought Google would be interested in this market, but ever since the birth of Android, all they wanted is Chrome or Android Integration.

You inferred that’s what I was implying.

I wasn’t implying that at all. I said “OS vendors” and used my anecdote as one example of what I mean.

An "ok" password manager is surely a feature Microsoft will add to Office 365, with a pro upgrade to shared passwords, etc

I would say GSuite could also do it, but they'd much rather you move everything to BeyondCorp.

Right now, it seems like none of the big guys provide interoperability on their password managers by design. Apple's works great for apps and Safari, but won't work on Chrome, Google only works on Chrome, Microsoft's doesn't work on an iPhone.

an ok password manager is Chrome's password manager, isn't it?

It allows you to use smart unique passwords, syncs between devices, and uses the OS master key to hide the passwords.

It's not great, but it's probably good enough for many people.

You left out the funniest part. That the task...

> should be relatively straightforward.

This is so so true. I have tried them all. 1Password is the no-brain option that crushes all others.

I haven’t tried 1password, I have been using LastPass, would you recommend I switch?

Bitwarden IMO beats LastPass and 1Password. Very polished, hassle free experience

I have 1Password and Bitwarden on my screen right now. Bitwarden does not hold a candle to 1Password. There is no Watchtower or MFA availability notification. Yes, BW is a password manager, and that is about it.

Actually, Bitwarden does have its own Watchtower alternative; you'd access Data Breach Report in the menu, and it tells you which accounts need their passwords changed. I'm not sure if it sends a notification when a new breach comes in that includes your account.

Have I Been Pwned partnered directly with 1Password, which is probably why they're able to send out notifications directly; Bitwarden has to worry about being rate-limited.

I'm not too sure what's meant by MFA availability, but Bitwarden also lets you use it as a TOTP generator + use 2FA for logging into your vault, though those are premium features.

Those aren't core to actual password management though. Bitwarden is a very good password manager, and that's what it needs to be to fulfil its raison d'être.

If 1Password's claim to fame is functionality beyond password management, so be it, but that doesn't define it as better but rather broader scoped.

We actually use all those features in addition to password management. Our old password management strategy was an encrypted Excel spreadsheet. This creates problems, obviously. Management, at least to me, means ACLs, reporting, auditing, and alerting. And that is on top of basic password management.

At least it has a Linux client. 1password cannot justify its price for Linux users when it only offers a browser extension…

I switched to bitwarden from 1password when frustration with mac laptop hardware drove me to a thinkpad running fedora workstation as a daily driver and 1password's new stuff wouldn't run well in wine.

I run a self-hosted bitwarden server, which I love.

But the client is, in my opinion, not nearly as good as 1password. Its login detection is often disruptively wrong. The need to unlock the keychain each time you start a client is aggravating. The fact that the keychain doesn't lock itself when I lock the workstation is more aggravating. It's sensitive to server downtime when it should be able to work offline. The desktop app is either electron or something very similar and chews battery for me if I accidentally leave it running. 1password's secure notes are far richer. 1password's storage for software licenses is useful and bitwarden offers nothing similar that I've been able to find.

I'm not saying any of this to shit on bitwarden. I like it, and pay for it both in dollars to bitwarden and in time spent keeping the server running/patched. (Which I know is optional, but I really like having it self-hosted).

If 1password could offer me a decent linux desktop experience and a self hosted server, I'd switch back. I liked it that much better.

I just switched from 1Password to Bitwarden and it is absolutely not polished compared to 1Password.

Bitwarden didn't allow Android fingerprinting when I used it a few months ago (limitation in one of their electron libraries) which pretty much ruined it for me unfortunately. Not sure if this works in iOS.

edit: I'm wrong, it didn't support touchID in OSX https://community.bitwarden.com/t/touch-id-support-for-macos...

the Mac client doesn’t support biometric login (TouchID), which we’ve only had on these computers for about four years...

Are you on an old version? I’ve been using TouchID with 1Password on Mac and FaceID on iPhone for as long as I can remember them being a thing

I think when they switched to subscription model they left people who didn’t switch on an old version

I believe they were referring to lack of TouchID support in Bitwarden, not in 1Password.

Electron finally added support for TouchID a few months ago (version 6), so hopefully that's coming

And that's one of the major reasons for me to choose 1Password - native apps on macOS, iOS and Windows

Bitwarden had a crappy (and slow) android app, a crappy (and slow, touch based interface, poor right click options, poor design, memory hungry, crippled) windows desktop app, and an OK (for a web app) desktop site.

It only beats 1Password on price.

If you don't want to pay for a fucking awesome app, good riddance to you.

Their Android app has never seemed slow or crappy to me.

It doesn't scale well though. I have my font size set to maximum, and the Bitwarden app is pretty much unusable. So I use 1Password.

I'm using the Bitwarden Windows app (and Mac app) right now, and both seem great to me.

Then perhaps you never used a better app.

ditto, but on windows and Android

Yes, immediately, we use LastPass in the corporate world, and it's horrific to deal with. Slow, bloated, mess of an interface.

https://news.ycombinator.com/item?id=21172569 is a good discussion on it.

Not any more. It used to be a no brainer, but they switched to cloud based subscription at great cost increase, loss of some features, and dark-patterned the native app into invisibility. Native is still available apparently, but you won't find it from the homepage, unless they were persuaded to change recently. Report an error in the native app, and they suggest switching to cloud subscription without addressing the error at all.

When my current native install of 1pw stops working I'll be migrating elsewhere.

> Native is still available apparently, but you won't find it from the homepage, unless they were persuaded to change recently.

I haven't verified this myself, but standalone licences seem to be available for purchase in the app itself: https://discussions.agilebits.com/discussion/92275/how-do-i-...

Which until someone had to ask the question on the forum, having been unable to find any word, was not revealed at all on their main site, which was all about getting you on the sub. You wouldn't normally download the next (unlicensed) version on the off chance the buying mechanism has been quietly put in there instead. The former significant discounts for buying both phone and desktop, or Mac and Windows at the same time are gone too.

Hence it's there, but intentionally dark patterned to near invisibility. They would prefer everyone on the pointlessly expensive sub.

Can verify that it's possible. Recently (past 30 days) did an upgrade to 7 with a standalone license.

The subscription version still uses native app. It’s not a webpage or electron crap. From context, you mean “one-time purchase”.

Yes 100%. I was a lastpass user for years but it always had its quirks for me. I switched to 1P within the last year and it is miles better and "Just Works", everywhere. I or someone in my house use 1P on Ubuntu, Android, iPhone, and macos, and it is a seamless and wonderful experience.

Without hesitation. The user experience with 1Password is far better than LastPass (I’ve used both).

yes! go read LastPass's privacy policy. They spy on everything you do and share it with anyone and everyone.

This is outright false, no basis in fact whatsoever.

From their Privacy Policy

> 1. Information We Collect and Receive

> Service Data (including Session and Usage data):

> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data ...

> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.

> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.

> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").

That's pretty much everything given they put an extension in your browser and can collect all of that info for every page you visit

> 4. Information Sharing

> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure

> Examples of how we may share information with service providers include:

The above basically says they share your info with anyone they feel like

So I don't know how you think my comment has no basis in fact. They spell out what they can do in their privacy policy. Why would they spell it out if they weren't doing it?

Compare to 1password (note I use neither service and am in no way affiliated with 1password but for comparison it's telling)

> Your data is yours, and we don't want to know anything about it. We don't use it, we don't share it, and we don't sell it.

> We only collect the information necessary to provide our services and help you with troubleshooting. Personally identifiable information is never shared with third parties.

People on HN complain about Google collecting and yet we seem to have LastPass with access to all webpages you visit and also able to track every service you use them with and their policy basically says they collect and share your data (something even Google doesn't do. AFAIK Google doesn't share data).

I tried 1Password before switching to LastPass in 2015 or so. I hated 1Password. Haven't had a reason to switch, as free LastPass covers my needs nicely.

> I hated 1Password.

This is not helpful. Why did you hate it?

Even if 1Password is dominant, it’s really in the bubble to think that most people use 1Password. Users are generally happy with their passwords syncing through Google or Apple.

The YC darling DropBox still isn’t profitable and probably never will be as they are becoming “just a feature”.

1Password will doubtfully never be profitable enough to be worth $3.2 billion. Whether they can pawn themselves off to the public markets first is another question.

It doesn't really matter if 1P is dominant across the whole market. It matters a lot if it's dominant across the part of the market that's willing to pay actual cash money for password management.

How did that work out for DropBox? Google and/or Microsoft could announce tomorrow that they are either giving the same functionality away or bundling with their Office product.

It worked out well enough for them to get an exit. DBX is unexciting, but it’s not a penny stock.

And Google and Microsoft do exactly that already.

That’s originally what I said, if you define “success” as the original investors being able to pawn a money losing company off on the public market, it could be successful.

But if you define success as a company that can actually turn a profit consistently, Dropbox is not a success.

They’re selling Teams at $4/mo per user and I guess if they go after enterprise we’ll see additional tiers with features aimed specifically at that.

It doesn’t take too many deals with huge companies who need cross-platform to get to $200-300 million, and “worth” $3.2bn. Multiples from revenue have been a little interesting lately.

And as soon as they start moving into the enterprise, Microsoft is going to offer a good enough cross platform password manager and bundle it into Office 365.

People made the same argument with Slack. How is that working out?

I don’t know about Android, but iOS supports third party password managers through the extension system.

Slack has a $12bn market cap, therefore “pretty well”.

I think competition in this space is good but I use and like Slack over Teams.

I know at least two companies who pay Slack over $20MM a year, and have over 100k users provisioned onto Enterprise Grid, and who are also happy consumers of Microsoft Office 365.

What is it about people defining success of a for profit business by market cap instead of you know - the ability to make a profit?

Being able to sell $1 for 95 cents is not a successful business strategy.

Who is “everyone”? I imagine most people are just using Chrome or iCloud for personal password management.

Most people I know who use password managers beyond Chrome/iCloud use LastPass. All the companies I have worked for in the last 7 years have used it too.

I switched from LastPass to 1Password earlier this year (after 5+ years of use) due to issues with LastPass stopping sync.

1Password fixed that and numerous UI glitches around the actual password filling in that I was just living with. It is night and day a better experience ... and no vested interest in them (unfortunately!)

Similar situation here. Also, anecdotally, I recall hearing numerous tales of people making that switch, but few to none moving in the other direction. (Which doesn't surprise me at all having experienced both products.)

So what is to stop someone else who wants a slice of that 3 billion? We have AWS and Keepass (though it is GPL) for anyone to quickly implement their own competitor, or the already-huge userbases of Google, Apple, and Mozilla's implementations. With such a low barrier to entry, won't it become a commodity? And aren't we moving away from passwords as a whole?

At the smaller level of things I see similar bets in what Earnest Capital and Tiny Seed are doing: non-controlling amount of investment in a profitable company to make a return higher than standard but with a less crazed risk profile than traditional venture capital.

1Password is slowly starting their enterprise game. All employees were offered 'free' 1Password accounts last week for entire family as long as I'm with my current company.

My company offered that for individual personal accounts in 2015, but perhaps the family plan thing is new.

It is explicitly listed on the 1Password site as a benefit of the Business level plan:


"Free family accounts for all team members - $60 value per person"

I'm reading this as a negative comment - do you really feel negatively about this gesture/benefit?

> companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail

What happens if Apple implements their own native password manager into macOS and iOS? I know I would switch to Apple's native assuming it worked as well as 1Password.

Apple have had that since iOS 11 with iCloud Keychain. It suggests passwords for websites on signup, and offers to save them if you log in. It even correctly offers the password you used on a website when logging in on the native app equivalent for the site.

They would need to make it cross platform and work in all major browsers for me to switch and I highly doubt they would.

They already do?

I work for a company in a similar position, which recently did a funding round like this for the sole purpose of letting some existing employees get some cash for their equity, since an IPO is a big question mark.

They might have great software - I don't know. But personally I absolutely refuse to use a paid option for a service of this type. There's just too much risk. What happens if my credit card expires and I forget to update/pay? Or I get hospitalized suddenly and there's a similar payment issue? Is my account just closed and everything deleted?

Then there's the risk of me putting everything in there and them jacking up the price. I'd either have to eat it or manually migrate everything.

There are other concerns as well. And I'm not saying I think they are dishonest. But when there are open source methods that are free and battle-tested for security, I see no reason to go with a paid option.

This is a really easy question to answer. I duck-duck-went "1password what happens if I stop paying" and the first link was https://support.1password.com/membership-billing-policy/

From the link:

> Your data is yours. Even if you cancel your subscription and your account is frozen, you can still sign in to 1Password.com or in the apps to view and export your data.

I can confirm. I used it, then stopped paying. All my data is read-only accessible, even just with a browser.

In the end was more happy with KeePass as 1Password was too user-friendly for me and I wanted something more stupid for passwords.

If you are already liking KeePass I highly recommend KeeWeb, which is what I'm using. It reads a KeePass database and the desktop app and web app are great in my opinion. And everything is free. Web app also caches in the browser and syncs to Dropbox so everything can sync between mobile and desktop.

> What happens if my credit card expires and I forget to update/pay?

I paid for it once and then used it for years and years without updating. After a few years the browser extension stopped working (was no longer compatible with current browsers) so I decided to buy again. By this time they'd moved to a subscription system and I have no idea how it works.

It used to be simple... there was an app, and if you stored the password file in Dropbox, you got cross platform support. But now the UX is terrible. I don't know where my passwords are stored, I don't know if the entire thing will stop working if I stop paying, etc. What a shame. I used to recommend it all the time but since the update there's no way I could recommend it to anyone I know who isn't a techie.

There’s still a stand-alone app. Just upgraded a couple of weeks ago.

Do companies delete paid users' most important data for billing failures? I can't recall such a case.

Still, if you're willing to handle the availability and security concerns yourself, going self-hosted could work.

You can always backup your data and move to another manager if needed. Almost all of its competitors support importing from their format.

There's a standalone app (if you're not on Linux) and you can sync via dropbox / wifi / rsync / whatever you like.

I basically do that - my core database is encrypted on Dropbox and I use a desktop app and web apps for mobile via KeeWeb which is free. KeeWeb on desktop also backs up locally in the event anything ever happens to my dropbox access, but Dropbox is the central sync point. The web app connects to Dropbox and since it's a web app there isn't even a need for the installation of an Android/iOS app. I just keep the webpage up at all times. The app is cached by design and doesn't send external connections.

Great. What's the Sourcehut of password management?

pass (passwordstore.org) - self hosted, built from independent components (git, gpg) and completely open source.

Keepass, been using it for 10 years. Just a password manager, just works well. No fear of being locked in.

pfp: https://pfp.works/

With its generated passwords there is no way to lose your passwords in a hilarious backup failure.

> there is one product that has completely nailed it

yes that's Keepass, cause it's open source and you keep control of your password database instead of on somebody else's server.

What does "mm" in $800mm mean?

Million. Because, in the old days, accountants used 'm' for thousand. I prefer the modern style of k=1e3, M=1e6, B=1e9.

I believe this is because 1000 in Latin is “mille” (also modern French), so 1 million is one thousand thousands.

If you asked me about 1password a few years ago, I would agree with you. Ever since they went to the cloud, I stopped using and recommending them to friends and family.

I now use KeePass, which is free and doesn't require the cloud.

The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people. It's a way for them to make more money, which is fine, but I really don't think a cloud-based password solution is necessary.

Edit: The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.

> The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.

I was going to just disagree with you without downvoting, because I specifically was looking for cross device sync and mobile support (and specifically looked for a mobile app that supported using FIDO as a second factor to protect the vault).

However, attributing downvotes to employees/shills shows an inability to consider that there may be a good counter argument.

I appreciate the subscription model, since it aligns with the fact that secure products must continue to be developed to stay secure. Security is a process, not a destination.

I used to feel very differently about this as a consumer, but when you see things from the other side as an ISV, it's obvious that a one-time fee isn't a sustainable business model - if you want the software to remain available, you need to pay for the duration.

A SaaS model works well for both sides, I think - consumers always have the latest version and their data is highly available and safe against local events (storage failure, fire, flood etc); the business has a (relatively) reliable income stream.

The duration of the ISV cloud contract you mean. I have plenty of perfectly running applications where the vendor has long gone. Also, I hate paying for a relatively small feature such as a password manager. Keepass on a webdrive offers the same for free and I get to look at the source as well which in my opinion is a requirement for something so fundamental.

> I have plenty of perfectly running applications where the vendor has long gone

Hmm, thinking about it, for simple image editing stuff I still use a version of Paint Shop Pro from something like 10-15 years ago, and it still works great.

I think then that it depends on the kind of software, and the expectations of the user: is it beneficial to store data in the cloud for easy access from multiple devices?; do you want security updates? do you want new features?; do you want support?

I also use Keepass, with passwords stored on a cheap VPS using SFTP. Works great on Android with Keepass2Android too. But of course, this is not something a general consumer is going to set up.

> I think then that it depends on the kind of software

I agree completely. I never want to pay more than once for Photoshop/Illustrator/etc. -- and the fact that Adobe has turned those into SaaS products really annoys me.

But products like an OS, browser, cloud-synced password manager, mail client, online git hosting, etc. -- for those, I would prefer to pay a subscription fee (to a company I trust to use it well).

well, I can attribute to anything, if there is no explanation.

When I first posted this, I had multiple down votes in the span of a few seconds with barely enough time for someone to read or even process my comments. It just seemed very suspicious.


From HN Guidelines:

> Please don't comment about the voting on comments. It never does any good, and it makes boring reading.

You’re probably being downvoted because of this statement, which is blatantly wrong:

> The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people.

It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server.

That’s why you create a free Dropbox account or just use your free iCloud account. This is even what 1Password used to recommend as part of its setup, if I remember correctly.

If it was simply storage, then it would be an add-on, but it’s not. It seems like it’s more of a strategy to increase cash flow by converting to ongoing subscriptions instead of one time purchases. This is the same motivation that switched MS Office and Photoshop over to subscriptions. There’s no compelling reason to upgrade, so you get people to fork over a credit card and forget about their reoccurring charge. Cash flow becomes more predictable and possibly increases as well. This is why service contract / subscription businesses are popular among investors.

I don’t blame them for trying it, but let’s not pretend this is good for users.

Man you aren't thinking deep enough. Just set up your own FTP server!

The truth is that my grandmother needs a password manager and she barely understands what minimizing a window does. "Just store your vault in dropbox" is friction and that matters much more to the huge majority of users than the fact that the vault is stored on a cloud service.

> Dropbox... is friction

Yes, completely agree. Dropbox sync has lots of gotchas and edge cases, and was particularly bad if you edited files on multiple systems (my workstation and laptop, for instance -- I use both interchangeably depending on what I'm doing).

I can understand why 1Password built their own sync service instead of playing whack-a-mole with different cloud storage providers' quirks.

So what 1password used to do was charge a higher application fee (think it was like 40 or 50 bucks?) and then also would charge again for larger version releases. Apple (which was/is the largest part of the user base) does not provide a way to do discount pricing on upgrades, and they do provide discounted cuts on their take for subscriptions after the first year. So they absolutely were able to drop the cost to end-users after all of that was factored in, although there are users who have to pay more (people who would stick on old versions). But that’s a nightmare / costly to support, and creates misalignment.

Anyways all of that said, the 3rd party sync solutions all suffered from varying degrees of funkiness that just don’t exist with the native solution. Their switching to monthly pricing was, objectively, very successful and didn’t cost majority of users more money. But there are a small number of people who it rubbed the wrong way, clearly, but any business action is bound to piss some small number of people.

>It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server.

So? You can put the database on gdrive, icloud, dropbox, or any cloud service you want. I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive).

> I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive)

Many do, many don't.

Even for those that do, there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.

I mean, I'm with you in that I'm personally pretty skeptical of the cloud-based pw solution. But I can absolutely understand the story about a much simpler user-experience that it offers.

>there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.

What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?

>Many do, many don't.

I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.

> Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?

It's literally twice as much work. Often more, because I need the password to the sync app's service. Where's that stored?

How many characters is it? Oh, it's a secure, 20-32 character password. What a pain to re-type it. Good thing it uses a ton of symbols which are a pain to type on my mobile keyboard.

> I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.

It's not "people who don't know how to manipulate files", it's "people who don't _like_ to manipulate files, and external services, and get them onto all of their devices".

Further, I expect the proportion of the first circle is constant and relatively small (<10%).

I expect the proportion of the second circle _was_ small, but is growing extremely rapidly.

> What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?

Or no app, just add the browser extension and you're done. Seems a lot easier to me than downloading two other apps, one I have no use for other than syncing the other one.

Or you can build your own pc from open market components, or maybe build your own components by designing your own pcb and sourcing the chips, and write your own drivers, or... etc.

Some people don't want to roll their own. You may, or may not agree with the concept of a fully managed solution, but for any non technical user, they want it to (borrow a phrase) "just work".

It's the majority of the addressable market.

Even as a dev and ops engineer, or especially so perhaps, I want passwords to just work. Sure I could write my own but why.

Couldn't agree more -- I have limited time in my life, time I don't want to spend maintaining absolutely every service I use. Very happy to pay someone else to build good software and make the pain go away.

I absolutely understand these concepts. That's exactly why I don't want to do it.

I'd wager thousands of dollars that less than 20% of internet users understand this to the point that they won't blame others if they screw something up.

It's cloud-based so they can hold your data hostage and charge a subscription fee.

The cloud synced updating features you're talking about work fine for me already with 1Password's iCloud-backed syncing, which is how most Mac and iOS apps sync data, it's just in that model Apple has control of my data, not 1Password (and I don't pay a subscription fee), so they make it incredibly difficult to configure that way.

You do realize you’re literally like the person who was saying “who needs Dropbox i can do it myself in 5 bash lines”?

Wha..? I'm totally not following, iCloud syncing is completely transparent and built-in to 1Password. There's 0 extra work to support it (outside of finding how to turn it on, because it's buried in the UI), there's literally less work than 1Password's own subscription service, because that requires setting up an account whereas iCloud doesn't.

You can use iCloud without an account? Is iCloud available outside of Apple ecosystem? Otherwise it doesn't seem very relevant since its not a general solution.

Yes, you're right, this only works for Apple devices, so going cross-ecosystem is definitely a benefit of their subscription service! I disagree on that meaning the iCloud solution is irrelevant though, skipping the $36 a year, and the additional control over your data that not being on a subscription entails, seem like relevant benefits for the people who fit those requirements!

Is iCloud available outside of Apple ecosystem?


What if you have a device that iCloud isn’t available on? What if you want to check passwords on someone else’s computer? Or on a public one?

Agreed, those are advantages of the 1Password subscription service. My opinion about 1Password wanting to migrate people to their subscription service for business reasons is based on reading forum threads over the years to figure out where they've buried the option each time there's a new version. E.g., there are two ads for their sync service on the page that describes how to use iCloud[1] (they've toned-down the messaging a ton these days, that support page didn't used to exist, and the forum support threads were banging the 1Password Cloud Sync drum much harder than they do today).

Note also I'm replying to this comment "It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server." Seems relevant that "cross-device updates" don't require a server (at least among Apple devices)?

[1]: https://support.1password.com/sync-with-icloud/

> Ever since they went to the cloud, I stopped using and recommending them to friends and family.

The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.

As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?

1password had (maybe still has?) integrations with services like Dropbox where your vault would be stored on a 3rd party service like Dropbox to achieve the cross-device syncing you're describing.

IMO this was the more secure implementation (assuming 1password was only storing fully encrypted files on your 3rd party cloud preference) - even if someone broke in your Dropbox, they can’t decrypt your passwords without your master pass.

An end-to-end cloud solution provided natively by 1pass is much more user friendly and easier, but requires putting an order of magnitude more trust in 1password’s security architecture (which of course is closed source).

The fundamentals are still the same, everything is encrypted with your master password before being sent to 1Password's cloud. So even if someone infiltrates 1Password's storage, all they get is encrypted files, same with Dropbox.

If that’s true, then the point I made about better security with Dropbox is moot.

As an end user, it’s abundantly clear that all encryption/decryption is done locally when using the Dropbox integration since you can see the files directly in your Dropbox. I guess I didn’t make the same assumption about the 1pass cloud service for some reason.

This option [1Pwd vault stored in Dropbox] is still available; I've been using it for years. Highly recommended!

Just adding to this accurate statement, you can also sync a vault in iCloud. So there are at least three syncing methods:

1. 1Password Cloud

2. iCloud

3. Dropbox

And at least 2 and 3 can be used simultaneously, which is what I do, with my main vault in iCloud, and temporary vaults, e.g., passwords for a particular job, in Dropbox.

There’s also still the WiFi sync method which you can use to sync between devices without that information ever leaving your local network.

I trust 1Password 100x more than I trust any individual to keep password information safe.

> 1password had (maybe still has?) integrations with services like Dropbox

It's not as seamless as having the functionality built-in. You have to deal with logins, authorizations, etc. I wish it could be as easy as "Do you allow 1Password to use Dropbox? (Y/N)".

It isn’t more secure, unless you’re asserting Dropbox cloud is more secure than 1Password. 1Password still encrypts it on the client side.

> The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.

That isn’t the whole point of 1PW though, or at least it wasn’t at the beginning, as I saw it. It was a way to avoid having to remember a unique, secure (read: probably hard to remember) password for every service that requires one. A place to store them all so you don’t have to remember, or worse, reuse the ones you can remember, and/or use easy-to-remember ones (read: less secure). It’s in the name: one password gets you access to all your passwords. Automatic form filling and cloud sync are definitely selling points and certainly convenient, but they are also risk vectors. I’d not call cloud sync essential; I get by fine without it. I just use the WiFi sync option.

If the goal is to avoid having to remember strong passwords, then a strong password generator + a paper journal is resistant to more threat models and should be preferred.

Password managers without transparent sync and autofill UX are a half-product at best.

It’s probably similar but I’m not convinced it’s preferred. If I lose that journal anyone can read it. If I lose my computer it is most likely locked already, and if not it (as well as 1PW) autolocks itself after a short time.

Also like I mentioned elsewhere, I do sync my vaults, but only using the local WiFi option.

There are nearly infinite vectors to exfiltrate files from your computer, the vast majority of which are currently unknown to you, and would be entirely undetected. And what's more, most of those vectors can be done from anywhere on the planet.

There is only one way to exfiltrate information from a notebook, it requires physical proximity, and it's very likely that you would notice.

Every rational threat model for almost every human on the planet (excepting perhaps major political, cultural, or economic figures) would conclude in the paper journal being the better (safer) choice.

You made a lot of good points here. Thanks for sticking with me and having a nice conversation!

Typing a long, complex password on a mobile device is tedious. Much easier to use 1Password.

The pain of doing that is nonzero, but much less than the pain of keeping the passwords synced manually, or through an intermediary like Dropbox (permissions, having Dropbox installed and running on my phone, etc.)

> Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?

For what it's worth, I use it with an ssh plugin, so I only store the database on one machine, and connect using ssh on desktop/Android.

It's also pretty straightforward to set up something like syncthing, making it easier for average person.

I'm not in a rush to put the holy grail of my personal info into someone's cloud service that I can't manage or securely delete. I think that KeePass + [Dropbox,Google Drive,etc] is the best solution. You can easily get these files on to your phone for passwords on the go.

> You can easily get these files on to your phone for passwords on the go.

Something like 80% of the value prop of my password manager use is one-tap login (with FaceID) on mobile.

Handwaving this away is failing to understand the product and market at a fundamental level.

edit: literally a paper notebook with my passwords written in it is a better solution in essentially every dimension than a non-syncing password manager.

I definitely see the benefit of storing my passwords locally and not some single point of failure, but I also wouldn't ever claim it's simple or even a good solution. It does help me ease up on creating new account to places I don't need because I think about having to create and sync up a new password between my devices.

How is that a single point of failure? You have downloaded copies on all your devices and the database is encrypted with your own master key, so even if 1Password is hacked there isn’t really a problem, just like LastPass hasn’t died when it had one.

This makes zero sense. You don't want to store passwords in the cloud, but you store your passwords in the cloud anyway!

The concern, which is fair, is that 1password's cloud is a target. And those targeting it have only one intention, which is to steal people's passwords and other information stored in the 1password cloud. In contrast, of course using the dropbox sync approach with 1password does put your information in the cloud as well. But, it's in your personal dropbox account. That dropbox account could absolutely be hacked, but very unlikely by someone with such clear intent to steal your 1password vault. Basically, 1password's cloud is the ultimate target, and your 1password vault in your personal dropbox account is not.

As a non-user of 1password, what's the value of the vault on its own? Don't you need a master password to unlock it?


A cloud you can control yourself.

> As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?

Just store it in your regular sync solution. Syncthing works great, and I don't remember any issues with Dropbox back when I used that. I'd imagine that iCloud or SkyDrive would work fine too, for the masochistically inclined.

and the reason I went to their cloud solution, is so that I can sync passwords between my iPhone, Mac, PC, and Linux machines. It's $35.88 for an entire year of something that I use constantly, every day, and it works perfectly.

Agreed. It's so nice updating/creating a password on desktop, and being able to use it immediately and seamlessly on my phone or other machines.

This seamlessness is also critical for my less-technical family members on my plan. They want the better security, and recognize that a password manager is necessary. But if it was a pain to use they wouldn't put up with it.

For me, the sync has been less than perfect (Windows + Android user) on more than one occasion. There used to be a force sync button way back when, but it has since been removed as far as I can tell.

I had to Google a workaround (creating a dummy secure note was one workaround) for the times the sync wouldn't work.

I asked why there was no Force Sync button on their support forums, and was told that they took it out because they want their paying customers to report sync issues with an error report instead of giving them an instant fix via the button.

Needless to say, as someone who has been using and paying for 1PW (upgrades and subs) since around 2008, I was not impressed with that response.

To me, the Windows and Android clients seem to be second-class citizens compared to their Apple counterparts.

>and Linux machines

They don't have a proper Linux client

FWIW, if you have DropBox, they can sync passwords via DropBox, giving you many of the same benefits as their cloud solution.

You can use the pay-one-price license if you already have the motivation to use DropBox.

That's not going to work outside of Mac or PC. Linux is a browser plugin.

I agree that the DropBox integration isn't for everyone. Even if you have just Macs and iOS devices as I do, DropBox is much more expensive, so it's not worth getting just to sync passwords.

But on the other hand, for users who have DropBox already—possibly because they aren't using Linux—this does allow them to sync passwords without paying another $40 a year.

The cloud storage isn't mandatory. Just keep using Dropbox (uhh, a different cloud?) if it bothers you. This is what I do, along with a perpetual license.

I downvoted you because you’re complaining about downvotes

1Password needs to rename their service. I have told non-technical people "oh you should really use 1Password", and have them respond "Oh I do!", only to later find out they meant they use "one password" for every service, the exact opposite of the right thing to do! It is seriously some "Who's on First?"-level bullshit that leads me to have to be incredibly meticulous and careful when recommending their product.

Imagine naming your product "'password'-as-your-password" then telling people "Oh you should really try using 'password'-as-your-password!".

Great point that I hadn't thought of, but is so true! It communicates ok in text, but verbally not well at all.

Maybe they can rebrand to "123456"

They should call it hunter2 of course.

How would you pronounce that? "star star star, star star star star"?

I'm putting my vote in for bond007.

We already have zxcvbn


For anyone missing the context on "Who's on First?"


This is pretty funny

Am I the only one who considers this a good thing?

I recently started using 1Password, and I love it. I finally jumped in because a colleague gave it glowing praise and my company gave us corporate accounts. After using it for a week through my company account, I created a separate personal account for myself. I happily pay a monthly subscription because it is a service I benefit from daily. It also lets me neatly manage personal and company accounts easily, from the same interface, while still keeping the vaults separate.

I see this as a good thing because someone will become the password manager for large companies, and that someone will likely become the password manager. I'm glad to see it's likely to become a service that I think is a good one.

I understand people are worried that the personal use will suffer, but I don't see how. (I understand why people say that - less emphasis on a smaller market - but I don't see how since the corporate offering is basically the same thing as the personal one, to an individual user.)

> Am I the only one who considers this a good thing?

This company over the years has, multiple times, basically ripped the rug out from under its users (moving to online vaults, hiding native app, switching from a single fee to monthly charge) so I really don't see it as a positive.

From comments in here it seems like they'll be focusing on Enterprise. That just leads me to assume they'll listen to consumer feedback even less.

Aren’t all your examples things that happened at the same time or basically because of one shift? The switch to being a SaaS? So that’s just one time really. The events may be spread out a bit, but it’s really just one event to me.

You're correct that these changes all happened contiguously. The "multiple times" argument isn't very accurate.

What do you mean native app? I use the native apps all the time and it’s a pretty prominent thing that you get redirected to when you press get started on their front page.

They make it incredibly difficult to still pay the one-time fee for the software vs. doing the monthly charge. Like, hiding it. They have threads on their support forum of users complaining how deceptive it is. It's clear they want your vault on their servers and you paying the monthly fee instead of using Dropbox and paying a one-time fee.

Right. So that was one time they did a shift. And they slowly phased out the one time product which was a strategy they were employing from day one. They didn’t pull rug out from under customers more than once then.

That isn't what the definition of a native app is. They still have native apps, they have effectively deprecated the dropbox sync / local vault features of the app. And single pay licences are going to go away soon.

They don't give a shit about your vault. They want your money every year instead of once-off.

You are not the only one who considers it a good thing. I love 1Password and the team behind it. They already have a solid team-base offering, and giving them more resources to help improve their enterprise offering makes a lot of sense to me. I can _imagine_ the personal use suffering if they determine that's too small of a slice of pie, but I'll reserve judgement rather than assume that will happen and get preemptively disappointed.

> Am I the only one who considers this a good thing?

Why do you see this as a good thing - what good will come of it for you? You’re describing a tool which already does what you want;

With this investment, 1Password need to squeeze half a billion extra dollars out of you just to give to investors. What is it that their tool doesn’t do for you, which needs that kind of trade for them to be able to build it?

Because I want them to continue to exist. They provide a service, not just a software product. This makes me even more confident they will be able to continue providing that service for many years.

I haven't tried to find out from their finances, but this move would worry me; I'd assume that previously they were independent and profitable, and that now they're on a deadline to generate a lot of return on investment and most likely future is to be acquired in a single digit number of years and then absolutely ruined by the acquiring company (because that seems to be what acquiring companies do - buy things and wreck them).

On the contrary, I think they will be less likely to be displaced by someone else who targets the corporate market.

They need to squeeze half a billion extra dollars from businesses. The growth potential will be on expanding the B2B revenues.

Well, as anecdotal data, LastPass got acquired by LogMeIn a few years ago, and since that time, it has introduced practically no new features, yet the yearly membership price has risen from $12/yr to $36/yr.

That's what happens when the scrappy young company with a valuable product gets acquired. Research and Development stops, Rent-Seeking skyrockets. Every time.

That's not actually what happened here, not to say rent-seeking won't happen in the future. R&D stopped well before acquisition, and since acquisition the main focus has been making the product scalable, reliable, and expanding to business users.

I can only assume based on your comments here and on other threads that you work/ed for LastPass, so I appreciate any insight you might lend.

I am still struggling with the idea that a company that was profitable selling licenses for $12/yr needed to then rise to $24/yr and again to $36/yr within the span of two years and somehow not be considered rent-seeking. You said this is to cater to enterprise users, and yet it's not the enterprise users that are bearing the brunt of the price increase. Absent any visibility into company workings, this feels like corporate overlords acquiring a product and declaring, "You are profitable, but our shareholders demand at least XX% profitability, so you need to make more profit, effective immediately."

Please shed whatever light you can on this.

> I see this as a good thing because someone will become the password manager for large companies, and that someone will likely become the password manager

A) 1Password was already well on its way to doing this (a lot of large companies seem to be using it); B) I'm not sure that it follows necessarily that the largest corporate option will become the largest consumer option.

I've been a customer for 10 years (coincidentally, I checked email and I downloaded it from the iOS app store 10 years today) and very happy. The two things I'd love for them to fix are:

1/ Make the Windows version feel more like the macOS one. I switch between the two OS's all the time and it always feels jarring to open the Windows one after using the other.

2/ Add an option to cache everything locally. My phone has plenty of storage and there have been a few times where I have been with cell service or wifi and unable to pull down a document or credential I have stored there.

Mostly though I love it and can't imagine what life must have been like before password managers.

Personally I like that macOS and Windows apps are different. Those are two different platforms, with their own design paradigms, human interface guidelines, etc. They should have different versions, tailored specifically for the OS they're running on. I don't like apps, usually Electron- or something like that-based, that are exactly the same on all platforms, because they feel out of place on all of them, IMHO.

That's fine and all but there's some things the Windows app just doesn't do or do well at all compared to Mac. Searching is one of them, along with being able to use 1pass x with the desktop app for auth.

I'm just amazed that they have so many employees yet their window and browser apps are still really lacking.

Side nitpick: it's annoying that they're moving to 1Password X. I really don't want to run the desktop app AND an independent version in my browser. It's not as bad on mac since it can communicate with the desktop app to unlock, but on windows... ugh.

> I'm just amazed that they have so many employees yet their window and browser apps are still really lacking.

Well they're lacking an entire platform (Linux), so it's not even just about differences in polish.

I use the desktop app and browser companion extension on both Mac and Windows. AFAIK, it's not going anywhere, even though they are promoting 1PasswordX pretty heavily.

I know they're keeping it around but when you ask for a feature/bug report they push over to 1pass x, pretty defensively too.

Yep understood and I agree with most of that. It's been a gripe of mine for a while but I went back now and compared the two and the Windows one, IMHO, is much improved.

Certainly thankful in any case that there is a Windows version and I don't have to manually transcribe from my phone.

I'm pretty sure you can access all your passwords offline. So not sure what os/version you are using... but you might ask 1Password support about why that's not working for you.

I may have misspoken and been referring to secure attachments - I'll check. (This is on my iPhone).

I'm sure I've been in situations where I am trying to download a travel permit for example at a check in desk overseas and there is no signal.

I'll see if passwords are the same - maybe those are indeed kept locally.

Perhaps you are correct, I think the situation might be this:

1. Add a new 1Password item on device 1

2. Do _not_ open the 1Password app on device 2

3. At some point/the next day or whatever, device 2 goes offline

4. Now, while offline, you do not have access to the new item on device 2 because data wasn't synced because the 1Password app hasn't been opened after #1.

The problem seems, 1Password doesn't sync the data in the background (iCloud in my case.)

However, if you did sync by manually opening the app while online, all data will also be available offline later (including attachments.)

Interesting and sounds very plausible. Typically, for example, I'll add a travel doc for a trip on my desktop and then try to open it in a different location (often country) on my phone for the first time.

Maybe worth me submitting a feature request that facilitates making checked items available offline (like I think Dropbox/Google Docs iOS apps support).

I just saw this has been requested/discussed already on the 1Password forums:


Looks hopeful - thanks for the heads up.

As a long-time user of 1Password, this is worrying. I hope this turns out well, but I’m not optimistic.

You could try Bitwarden.

I feel like I've spent an absolute fortune on 1password over the last decade. I'm pretty sure it was, what, $70 when I got it 6+ years ago? Now I'm paying monthly (2.99 or 4.99/mo x .. 3-5 years?) which is pretty ironic considering a lot of us initially left LastPass to go to 1pass because it was 100% offline (I'm aware you can do local vaults still). At least the QOL updates have been coming faster lately, especially with Android.

Anyway, very curious what this means. I'm sure there's a ton of features I've not thought about in years it could use (like LastPass's IP/region blocks) but 1password has never felt like it was a fast moving feature company. Maybe this will get us that.

Kinda feels like the Wal-Mart episode of South Park, where they burn it down and all go back to shopping at a Mom-and-Pop shop: the M&P shop grows to keep up with demand, gets too big, and then they burn it down again.

It seems that the fate of every decent Password Manager is to be acquired by some rent-seeking company and have its userbase gouged.

I suppose we can all start packing up to make the move to Bitwarden. Until it's bought.

Then LastPass just buys them all and we're back to that

Very frustratingly, there's no Linux client and they recommend 1PasswordX for Linux users, which doesn't allow offline vaults, pretty sure it _requires_ 1Password's online service.

I was actually really impressed with 1passwordX, it made switching off of OSX almost a non-issue but you're right, I didn't realize it didn't support offline vaults. They really don't like that.

It also does not allow you to export, so unless you're willing/can use the osx/windows version, you won't be able to migrate away from it. I personally solved this by writing a short bash script that uses the 1password cli client to dump the json of everything for my backups.

What is the draw to pay a subscription for a product that you have to write scripts to use, when there are free/open-source alternatives that offer a full client (like KeepassXC)?

I pay for 1Password to have the sync work between Android, Ubuntu, Arch Linux, Windows and macOS, which are the systems I usually use. KeepassXC and alternatives mention nothing about syncing passwords or tell users to self-host their syncing. I'd rather pay a company to do that for me, at least because they will probably be able to do and maintain that setup better than me.

Although, it does carry the trade off of me being reliant on a third-party for my password-sync and that I have to pay. Currently it's worth it for me.

Bitwarden offers sync and has a Linux client.

I currently use KeepassXC hosted on Dropbox, which takes care of the sync for free. And mobile apps like Keepassium or Strongbox integrate them directly.

I switched to Bitwarden three or four years ago because of the lack of a native Linux browser plugin. I used their Windows plugin via Wine but it was just a crappy option. Bitwarden does a good job.

I bought the family plan (5 licenses, I think) for $100 back in 2013. I can't upgrade past 1Password 6, but I'm ok with that. It works well enough that I can't justify a subscription just to get a few of the newer features that I probably will never use.

I'll probably have to switch if/when the firefox plugin stops working, but hopefully that won't be any time soon.

1Password always seems expensive until I remember how much one major password compromise is likely to cost me.

There are open-source alternatives which are just as secure. You're not paying for the security, but for the polish and convenience.

An unpolished, inconvenient app often doesn't get used.

> I feel like I've spent an absolute fortune on 1password over the last decade. I'm pretty sure it was, what, $70 when I got it 6+ years ago? Now I'm paying monthly (2.99 or 4.99/mo x .. 3-5 years?)

Our pricing intuition around software is so weird. That's $370 over six years. If you went to a theater and watched a movie alone every couple of months, you spent more on tickets than you did on 1Password in that time.

I mean one is giving me tons of entertainment and one is opening an encrypted file on my machine and has a lot of alternatives and was already considered overpriced. If you asked me 6+ years ago if I'd pay for $370 worth of 1password for 5 years I'd laugh you out of the room.

It's a lot easier when it's a monthly fee to get that money out of me.

And it’s no wonder they are trying to kill the offline and non-subscription options.

Saying that $370 is not a lot of money shows just how far removed the tech bubble is from the rest of the world.

"Four in 10 adults in 2017 would either borrow, sell something, or not be able pay if faced with a $400 emergency expense." https://www.federalreserve.gov/publications/files/2017-repor..., page 21. That's a lump sum expense, not paid over time, but I think it illustrates quite well that $370 is a lot of money for something most people don't even know they need.

This is not an unexpected, one-time $370 expense. It's $370 spent over six years.

According to CBS [1], the cheapest city to live in in the US is Harlingen, Texas. The Nacho Supreme at Pepe's "homey" Tex-Mex "joint" [2] is $9.95. If you can afford to treat yourself to a plate of those nachos once every two months, then you could have afforded to secure all of your passwords.

[1]: https://www.cbsnews.com/pictures/10-cheapest-places-to-live-... [2]: http://pepesrgv.com/

> then you could have afforded to secure all of your passwords.

You can secure all your passwords for free (with Keepass or Bitwarden for example).

1password doesn't have to justify its price versus not securing your passwords, but versus open-source password managers.

4/10 is surprisingly low. Most of us would borrow to pay a $400 emergency expense. Are there really that many people out there paying with cash or check instead of “borrowing” by paying with credit card?

The question is not if you're carrying $400 in cash, but whether you can afford that expense. A credit card paid off in full is considered cash-equivalent: "When faced with a hypothetical expense of only $400, 59 percent of adults in 2017 say they could easily cover it, using entirely cash, savings, or a credit card paid off at the next statement (referred to, altogether, as “cash or its equivalent”)" (from the same page of that report).

The technicality of making the payment by cash or cc is beside the point, the point was that there is not 400 of savings available to immediately pay down the CC.

I've read 4/10 a couple of times now, and all I hear is my math teacher yelling "reduce your fraction".

Me too, but when I think of 2/5, it is a little harder to picture. I don't know if that's just because I already let 4/10 get into my head though.

This may become another example of a good company catering well to a specific niche, then taking on money until they are unable to cater well to their original niche anymore.

Solving a specific problem well in a market worth $X is not compatible with taking 10 * $X in funding — you will be forced to start doing something else so you can make ROI. Along the way you’ll probably alienate your existing market by price gouging (like switching to a subscription based service model for a simple app), so there won’t be any turning back either.

> (like switching to a subscription based service model for a simple app)

1Password did this a couple years back, before they even took on funding!

Maybe your choice of example was a sly reference to exactly that, sorry if it was and I'm explaining your joke :). If that was your intent I hope my comment at least makes it clear to people who aren't as familiar with 1Password's history.

So what you’re saying is someone had better start working on a competing password manager today.

There are several competing password managers today of course! My take is that like Dropbox (disclaimer: paying Dropbox customer until iCloud Files is just a bit better), this is a feature, not a product (unless you need team or cross platform functionality, but for teams you should probably be enterprise grade with SSO instead of sharing creds).

I'd switch from BitWarden to a native Apple solution the moment the Keychain UX reached parity with BitWarden, n=1.

Why oh why is Apple keychain so limited?

It is strictly for website address/passwords, so doesn't work for a more diverse robust security password manager.

And the sync is very flaky (when I create items within the setting application, they don't show up on my phone). And it's multiple steps to simply launch keychain since it's not a true native app on MacOS nor iOS.

I like that keychain is limited, at least it makes me feel like there’s fewer possible vulnerabilities.

KeepassX and minikeepass on iOS are my go to for secure notes. I don’t see the need for super convenience with my credentials, I’m willing to do some work to access them.

Either way, I’m not handing over a database of login info to a SaaS company. Might make sense for large companies though.

Except it's not limited? Have you ever opened "Keychain Access" on your Mac?

No! Wow, didn’t know it had more capabilities. But I use keepassX as it’s easier to create shared databases.

As a sole user it's definitely a feature-not-product, but for teams 1Password really is a product with its extensive access controls etc.

Kinda reminds me of identity management / authentication. These also are features, right? But I feel a lot better about delegating that feature to a business whose core competency is that (eg. Okta, Google, …).

"Payment" also is a feature, but I'd never not use Stripe.

I'm inferring the same conclusion. The days of 1Password as one of the best password managers will soon be over.

Like apple, firefox, google, etc...

Once the big horses are in the game, it's over. You cannot overcome the brute force of production and cash. Just look at dropbox imploding.

Another example is G Suite. They started as "Gmail with your own domain" and switched to a corporate Office suite. Now individuals that use them regret it more and more.

At least password managers are easy to switch.

Unfortunately they already started going this route recently. I have heard BitWarden is good, but I’m turned off by the thought of an Electron app.
