1Password for Linux development preview (agilebits.com)
612 points by terabytest 54 days ago | 341 comments

I’ve been using 1Password every day for over 11 years now. The oldest passwords I’ve got stored are for Twitter and Dropbox (yes, the passwords have been changed but the records were first created in 2009).

It’s one of those apps which has been made with proper craftsmanship and care, so while I’m not a Linux user, I’d have no problem recommending it based solely on AgileBits' reputation.

It's made with proper craftsmanship and care on the Mac (which is primarily where I've been using it for years).

The Windows client is much better after the last major release, but it's never been as slick as the Mac version (the biggest wart now is the system tray/browser extension popup).

1Password X looks nice until you try and use it, and all the company reps on the forums are very argumentative about any feature request (look for the pushback they give about resizing their super-cramped browser extension popup—and the issues with hi-res screens stemming from how they built it, which assumes a fixed size).

I've also got a chip on my shoulder about the "feature" they added that showed the most recently used websites in the iOS app with no way to disable it (they finally allowed setting the number to zero months later). The reps on their forums all come off with this attitude of "this is the best way, and you're wrong if you don't like it" for just about every issue that comes up.

I like the app and will continue to use it, but if my main platform wasn't macOS/iOS I would have bailed long ago.

> all the company reps on the forums are very argumentative about any feature request

I've observed this as well and it's frustrating. Usability took a dive when the list view for entries was removed (in favor of the rich icon, column-based layout), having to manually check identically named entries to find one with the right username, but their support staff was seriously adamant about the feature not being worth the development effort because of how few people had used it. It got me looking for alternatives but I haven't switched away yet.

I apologize that we've come across that way. I'm one of the primary contributors on our forum and so I do appreciate the perspective here. The position I try to take, not being a developer or project manager myself, is that I have no power to make feature requests happen other than suggesting them to the team. As such I try to help people best use what is currently available while also passing suggestions along.

As a company we tend to keep future plans pretty close to the chest. There are sometimes things that we know we aren't going to do, and whenever possible I try to be up front about that rather than beating around the bush or giving false hope. List view is one example of this. The intention isn't to be argumentative, but rather to set expectations based on current plans.

- Ben, 1Password

They were also pretty dismissive of Linux for a long time, so it's kind of funny to hear it as one of their biggest requests. 1Password X narrowly prevented me from switching for a while, but I've come to see alternatives as generally better options. Yeah, they're not as flashy, but I think Bitwarden and Keepass XC do a great job.

Keepass XC may even be doing a better job at security. At least in some dimensions.

FWIW cache side channel attacks are primarily a threat on (shared) cloud platforms, but not as much [1] on personal devices. Considering that 1password runs in its own process and that most personal devices should have Meltdown mitigations in place, it would be prohibitively difficult to successfully launch a cache side channel attack to extract the password from outside of your device, especially at scale. Attackers would attempt to find other software vulnerabilities instead.

I think it would indeed be nice if 1password scrubbed sensitive data from memory, but not a complete deal breaker if it didn't. I do wonder if this could be more of a problem on 1passwordX, though.

[1]: not zero, but still

Oops, I somehow managed to respond to the wrong comment. I meant to respond to https://news.ycombinator.com/item?id=24057416

That’s where Agilebits has me; the UI on Mac and iOS is so much better than the alternatives. I do keep looking, Keepass XC looks really good since the last time I checked around.

KeepassXC is quite good if you mainly use it on your computer. I've been using Keepass(XC) for about 10 years, it's secure and reliable. But I'm looking to switch to 1password or Bitwarden as I'm increasingly using portable devices (phone, tablet…).

Keepass2Android works pretty well for me. You can sync your password database via google drive or other file sharing services.

Seconded, Keepass2Android is great and has very good integration on Android. You can use the autofill feature to, well, autofill the credentials fields in any app.

Has merge functionality if you've edited the password file both on mobile and computer.

It even has an offline variant that keeps everything local. I'm using that with NextCloud.

If you do end up leaving Keepass, Bitwarden has been a good experience for me. I can’t attest much about security but it seems OK from my perspective.

> It’s one of those apps which has been made with proper craftsmanship and care

Is it? I've been using it for some time as well, but it seems like there is a lot of room for improvement, e.g.:

- Support for unlocking via Watch ID on the Mac.

- Currently on iOS when searching for a password within an app, if a site prefix is included that doesn't match what's in 1Password the list will just show no results, with no way to navigate manually to the login. Instead, you have to close the app, open 1Password, and copy/paste the credentials back in. Typically the master password will have to be re-entered as well, despite touch ID being adequate a moment prior. Since it's rare to sign up via the web now for mobile apps, this is the most common scenario for me when using 1Password for apps on my phone (and occasionally websites as well).

- Improved UI/UX on mobile. Dashlane is way better in this regard. 1Password overemphasizes features I don't need like tags and favorites and has a pretty cluttered look in general.

I like the native Mac app and open/local vault format. (Dashlane by contrast has a very buggy desktop app and requires storing everything on their servers.) But I would jump at the chance to use an alternative with a simpler UI and better experience on mobile.

We use Dashlane at work, and every day I want to switch to 1Password, which I use in my home life. Dashlane has weird permissions glitches, a really buggy and very non-intuitive desktop app, really terrible web browser extensions that make me tear out my hair in frustration, and even the mobile app doesn’t feel like it has the features I want, like the ability to add more than one password field (useful for accounts that have PIN codes and such). Even performance-wise, Dashlane’s mobile app feels really sluggish doing things like adding 2FA via QR codes, which 1Password seems to do instantly.

Agreed on all those points, especially the desktop app which was ultimately the breaking point for me. The only thing better about Dashlane right now is the UI on the iOS app IMO.

Thanks for the feedback! We can unlock 1Password for Mac via Apple Watch on Macs that have Secure Enclaves now. :) - Ben, 1Password

Just to clarify: the feature is currently in beta.

> Unlock 1Password using your Apple Watch on Macs with a Secure Enclave.

From the 1Password for Mac 7.7.BETA-0 release notes. - Ben, 1Password

Upon reading this I was incredibly excited to go try it out... until I remembered I lost my Apple Watch last week :(((

Oof. I'm sorry. :(

A login can have multiple URLs. For sites which don’t automatically load the right entry, you can add another URL to give 1pw a hint.

This won’t solve all your problems. It won’t even solve the problem you describe the first time you encounter it. Nor will it solve it for apps that fail to provide an INTENT URL. But hopefully it will make things a little easier.

That would improve the completion, but ideally 1Password should allow me to select the login myself within the app modal (by navigating to "all logins" with the filter deactivated), and then add the intent URL for me.

Agreed. You should consider posting to their forum. I have for several issues, and they have been responsive and helpful.

I used KeePass, then LastPass, then tried 1Password about 8 years ago. I haven't even considered changing. I joined when they were still mostly focused on macOS and iOS, and the Windows and Android apps were secondary. Since then they really shifted to a totally cross-platform experience, and I'm incredibly happy with the app. I'm glad they're branching out to Linux.

Why switch to this when keepass is way more portable, open source, and isn't some stupid SaaS program.

I am a 1Password user, and have been for about the same amount of time, but I've been slowly looking for an alternative.

Unless I'm mistaken, 1Password no longer ephemerally decrypts passwords as needed and only while used and then scrubs the memory. [1, old but still] The excuse, if I remember it, was that garbage collected languages made this challenging. Even so, there is some irony in them moving away from the temporary, one-at-a-time, scrubbed approach just before all of the side channel attacks that allowed leaking memory across processes became widespread.

[1] https://nakedsecurity.sophos.com/2019/02/21/password-manager...

> The excuse, if I remember it, was that garbage collected languages made this challenging

This is one of the main reasons why the core of 1password was rewritten in Rust: https://support.1password.com/kb/201902a/

Except that one could make use of OS APIs for ensuring that, while still using a GC language.

Interesting. But this doesn't seem to cover the Mac version.

Yup. Password management is one of those things where I want to pick the best possible solution, over the 80% good for 20% of the cost. The risks of losing credentials are real, and terrible. Making shit easy for non-technical people is a real-world risk reduction. Making shit easy for technical people is also a real-world risk reduction, and letting me put 1P into automated workflows is great. If there's minor encroachment on territory currently held by Hashicorp Vault, then "Go 1P!" - I love competition between two genuinely good products.

I just checked my vault out of curiosity, and my first entry from 2009 is the credit card I used to purchase a 1Password licence shortly after!

It’s robust software that does what it says on the box. I was initially reluctant to move out of my local vault but the online service has been impeccable.

Used Dashlane for 2-3 years and then tried 1Password and I haven’t looked back. Dashlane has too many bugs to be useful all the time.

Apparently that craftsmanship went astray with the adoption of Electron.

Why the hate for Electron? I know that there are a bunch of shitty Electron apps out there, but there are also great, fast and lightweight examples. Visual Studio Code is easily one of the best desktop apps I've used (on Windows) and Discord is also built on Electron and works very well.

Electron isn't necessarily bad; it's primarily a matter of how good your implementation is.

And when we compare it with Notepad++ or Sublime, the performance lost in the process is quite clear.

I only use VSCode for workflows I am obliged to.

Microsoft's React Native team has benchmarks where Electron causes 300x performance drop versus React Native.

Speaking of it,

"Xbox app for PC gets speed boost, ditching Electron for React Native UWP"

I dream of the day that VSCode gets rebooted into React Native.

1. Performance

2. It encourages developers to ignore platform-specific design idioms and features.

Have you found either of those applies to 1Password for Linux? If so we'd very much like to hear about it. Thanks! - Ben, 1Password

> Why the hate for electron?

Because it's terrible. It's slow and ponderous. I have yet to use something built on it that wasn't awful, and that INCLUDES VSCode.

Have you tried 1Password for Linux? - Ben, 1Password

No reason to. I don't use desktop linux.

I'm also actively looking to move away from 1P period because I don't want or need a subscription for every little app.

Electron? You must not be talking about the Linux app because it's written in Rust.

Embedded in an Electron app, otherwise please correct me what toolkit they are using.

Yeah it sounds like Electron with React/JS UI talking to a Rust "backend". I would give them credit for keeping the important bits in Rust though

Thank you! This is correct. We understand there are concerns about Electron (some legitimate and some religious), and we've built this app with those concerns in mind. The backend is Rust, with the arguably most critical components (encryption) being open source libraries (ring). - Ben, 1Password

Also a longtime user. Did you kick over to their subscription model or have you stuck with the old installs attached to the grandfathered permanent license?

I'm still using the permanent license...and syncing over iCloud, while using the latest versions of the 1Password app, on macOS & iOS.

As soon as this stops working and I'm forced to get a subscription I'm moving to another password manager though. So hopefully one-time purchases will remain possible.

I also considered a move but I may just get the subscription.

If Apple offered a more fully featured keychain I might just stay in their ecosystem.

> If Apple offered a more fully featured keychain I might just stay in their ecosystem.

Given Apple's track record, if you care about your passwords being portable, it's unlikely that you'll be able to use their keychain on Windows/Linux/Android even if they develop it further.

€36 a year, so for a period of 5 years that makes €180. For me and my partner that would be €360 for 5 years! For a password manager...

I also considered using KeepassXC and Strongbox on iOS, which is completely free (sync the database via iCloud.) KeepassXC's browser extensions are pretty bad though, hopefully that will change sometime soon.

If you want to keep costs low, Bitwarden is currently your best option, I think.

They’ve got a family-oriented subscription which is cheaper. Used it since it launched and it’s been transformative for both sharing credentials with my family and getting them into the habit of unique credentials on every site, and TOTP where possible as well.

I can’t recommend 1Password enough and I’ve been a customer for a very long time, predating the move to subscription pricing and cloud services.

It’s worlds improved over synchronizing with Dropbox. There’s definitely security tradeoffs but if it isn’t easy you’d lose a substantial number of people back to duplicating the same password across 370 sites.

There's a problem with the family plan:

There's always 1 person (family organizer) who is in charge of everything, and can reset the other accounts...

That pricing seems high until I consider the utility and importance of the tool.

I do think it should cost less, but I also sort of am hoping a solid solution built directly into iOS/macOS will appear in the next few years.

It is a much harder sell to a family member that has never bothered with a secrets manager before.

But why a whole electron app just to store passwords?

Why shouldn't it be Electron? Should it be GTK? Why not QT?

Linux doesn't have a standard desktop environment or widget toolkit. Electron doesn't seem like a worse choice than the other options, and it's easy to find engineers who know how to work with it.

1Password doesn't just store passwords. It has a bunch of other features. It's a fairly complex app at this point. It also has fairly similar user experiences in Windows, macOS, Linux, iOS, and Android, and that's pretty hard to pull off. If Electron helps them accomplish that, that's fine.

Because Electron bundles (light) Chrome and Node.js and all their deps, breaking desktop integration and security (the developers are now responsible for checking vulnerabilities in all bundled libraries, and they are not doing it).

Those are pretty good reasons not to use electron.

> Why shouldn't it be Electron?

Because every Electron app is inconsistent with the rest of the desktop. I use a dark theme system-wide but Electron won't care [edit: 1Password has custom integration for the GTK theme]. Honestly, this isn't something the developer of the app has to put years of research into (Slack for example). The toolkit is supposed to do the integration (GTK, Qt, [Cocoa?]) and clearly Electron doesn't care.

> Why not QT?

You tell me (assuming you're talking about Qt, not QuickTime)

> Electron doesn't seem like a worse choice than the other options

Not really. It's just that it's lazier/cheaper to get your web development team to pretend to write a desktop app. I get it, business decisions need to factor in cost and hence the choice. I understand when a business says "we just don't have the funds to use a proper app framework, please do with what we have for now". But instead everyone goes on to pretend that Electron apps are perfect even though the reason it was chosen was almost completely based on cost.

There are also advantages for the user. For example, new features arrive for all platforms at the same time; there is no prioritization of platforms or such. Same for bugs - apart from issues stemming from Electron itself, they're likely to appear on all platforms and therefore likelier to get fixed.

In essence, the old "only X% of our users use platform Y, it's not worth it to make this feature/fix this bug for them" does not exist anymore with something like Electron, and while this is ultimately also a cost consideration, it does come with benefits for me as a user, especially if I'm on a minority platform.

> For example, new features arrive for all platforms at the same time

That (and everything else you said) is true for any cross-platform framework, not just Electron.

None of this is even relevant in this case, since they use (I hope) Cocoa/UIKit/whatever it's called on macOS, so there's not _one_ framework used everywhere anyway.

None of these are advantages over other, better cross-platform toolkits.

The important bit for us w/r/t making 1Password a better cross-platform citizen is the Rust core. - Ben, 1Password

I have been coding UIs since 1992; how did we manage to pull it off in a more heterogeneous computing world without Electron, I wonder.

PWAs and Web Widgets I can stand behind, Electron is just laziness at the expense of the user.

We managed it by nobody bothering to write apps for Linux.

They still don't bother; writing web apps packed in a Chromium wrapper isn't writing apps for Linux.

There are plenty of Gtk and Qt based applications for Linux.

The other versions are native. It's one of the things that sets 1Password apart. Is the Linux version Electron?

> The other versions are native. It's one of the things that sets 1Password apart. Is the Linux version Electron?

Yes, it is very obvious from the screenshot that it’s built on top of Electron [1].

Neither GTK nor Qt has that type of UI element; they are obviously HTML elements styled with CSS.

Another hint is in the files contained inside the Debian package used during the Linux installation [2]:

  root@3cb1637b3070:/# apt-get download 1password
  root@3cb1637b3070:/# dpkg --extract 1password_0.8.0-22506_amd64.deb temp
  root@3cb1637b3070:/# ls -lia ./temp/opt/1Password/
  total 177900
  661008 drwxr-xr-x 5 root root      4096 Aug  3 18:23 .
  661007 drwxr-xr-x 3 root root      4096 Aug  3 18:23 ..
  661011 -rwxr-xr-x 1 root root 129796744 Aug  3 18:21 1password
  661010 -rw-r--r-- 1 root root      1060 Aug  3 18:21 LICENSE.electron.txt
  661023 -rw-r--r-- 1 root root   4710103 Aug  3 18:21 LICENSES.chromium.html
  661021 -rwxr-xr-x 1 root root   6322128 Aug  3 18:21 chrome-sandbox
  661017 -rw-r--r-- 1 root root    179981 Aug  3 18:21 chrome_100_percent.pak
  661013 -rw-r--r-- 1 root root    321151 Aug  3 18:21 chrome_200_percent.pak
  661022 -rw-r--r-- 1 root root  10505952 Aug  3 18:21 icudtl.dat
  661012 -rwxr-xr-x 1 root root    243992 Aug  3 18:21 libEGL.so
  661014 -rwxr-xr-x 1 root root   8948960 Aug  3 18:21 libGLESv2.so
  661024 -rwxr-xr-x 1 root root   3103488 Aug  3 18:21 libffmpeg.so
  661020 -rwxr-xr-x 1 root root   4488304 Aug  3 18:21 libvk_swiftshader.so
  661018 -rwxr-xr-x 1 root root   8483376 Aug  3 18:21 libvulkan.so
  792826 drwxr-xr-x 2 root root      4096 Aug  3 18:23 locales
  792824 drwxr-xr-x 2 root root      4096 Aug  3 18:23 resources/app.asar
  661015 -rw-r--r-- 1 root root   4791423 Aug  3 18:21 resources.pak
  661009 -rw-r--r-- 1 root root     50592 Aug  3 18:21 snapshot_blob.bin
  792821 drwxr-xr-x 2 root root      4096 Aug  3 18:23 swiftshader
  661019 -rw-r--r-- 1 root root    170903 Aug  3 18:21 v8_context_snapshot.bin
  661016 -rw-r--r-- 1 root root       107 Aug  3 18:21 vk_swiftshader_icd.json

You can use “npx asar extract /opt/1Password/resources/app.asar source” to access the JavaScript files [3].

[1] https://i.imgur.com/pGJ4Wvd.png

[2] https://support.1password.com/cs/getting-started-linux/

[3] https://stackoverflow.com/a/38524534
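The package listing above is, from a defender's point of view, an inventory: once an application ships its own Chromium, ffmpeg and GL libraries, advisories for those components have to be tracked against the bundled copies rather than the distribution's packages. The script below is an added example, not code from the thread or from 1Password, that runs the same kind of check over an extracted package tree (the `temp/opt/1Password/` directory produced by `dpkg --extract` above). The marker file names are taken from the listing; the fixture directories it builds for demonstration are constructed here and are not a real package.

```shell
#!/bin/sh
# Added example: inspect an extracted package tree for a bundled
# Electron/Chromium runtime and list the native libraries that come with it.
# Marker names come from the dpkg listing in the thread; fixtures are constructed.

# File names that identify an Electron/Chromium runtime in the listing above.
ELECTRON_MARKERS="LICENSE.electron.txt LICENSES.chromium.html chrome-sandbox resources/app.asar v8_context_snapshot.bin libffmpeg.so"

# detect_electron DIR: print every marker found under DIR and every bundled
# shared library; return 0 when at least two markers are present, 1 otherwise.
detect_electron() {
    dir=$1
    found=0
    for m in $ELECTRON_MARKERS; do
        if [ -e "$dir/$m" ]; then
            echo "electron marker: $m"
            found=$((found + 1))
        fi
    done
    # Bundled .so files need their own vulnerability tracking, separate from
    # the distribution's packages.
    for lib in "$dir"/*.so; do
        if [ -e "$lib" ]; then
            echo "bundled native library: $(basename "$lib")"
        fi
    done
    [ "$found" -ge 2 ]
}

# make_fixture DIR KIND: build a constructed tree for demonstration.
# KIND=electron mirrors the file names from the listing; KIND=native is a
# single binary with no runtime files.
make_fixture() {
    dir=$1
    kind=$2
    mkdir -p "$dir"
    if [ "$kind" = electron ]; then
        for f in 1password LICENSE.electron.txt LICENSES.chromium.html chrome-sandbox \
                 libffmpeg.so libEGL.so v8_context_snapshot.bin; do
            : > "$dir/$f"
        done
        mkdir -p "$dir/resources/app.asar"
    else
        : > "$dir/1password"
    fi
}

# Stand-alone run (sh detect_electron.sh --demo): build both fixtures and
# report the verdict for each. Pass a real extracted tree instead with
# `detect_electron /path/to/temp/opt/1Password`.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp/electron" electron
    make_fixture "$tmp/native" native
    for kind in electron native; do
        if detect_electron "$tmp/$kind"; then
            echo "$kind: Electron runtime detected"
        else
            echo "$kind: no Electron runtime"
        fi
    done
    rm -rf "$tmp"
fi
```

Requiring two markers rather than one keeps a stray `libffmpeg.so` from a non-Electron application from being reported as a Chromium bundle; the library list is printed regardless, since that is the part that feeds vulnerability tracking either way.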

> Yes, it is very obvious from the screenshot that it’s built on top of Electron [1].

I love this. It was my first reaction when I used MS Teams ... shit, it's Electron, and then I got the horrible user experience as usual. And in MS Teams even the font and its rendering is hardcoded and the devs are refusing to do anything about this! So when I use MS Teams I need to look at blurry text.

EDIT: And they bundle libffmpeg.so too .... let's have a look at what version, though I guess 1Password is not a good attack vector as it'd be hard for the attacker to control input data, right.

Why do they need libffmpeg??

I want my security critical apps to be as small as possible, not a huge pile of everything and the kitchen sink.

Heh. What does the password manager use OpenGL and ffmpeg for? I guess the binary being 130MB(!) is the Electron part?

Looking forward to seeing my passwords stolen by a zero day shader vulnerability...

OpenGL is included because the UI is hardware accelerated. ffmpeg comes from the toolchain (Electron, specifically). It looks like there is an open issue with Electron for that: https://github.com/electron/electron/issues/21967

It's GLES, my guess they are web apis and are just chrome batteries.

The native versions don't look native either. You can use a web view without Electron too.

Edit: Thanks for adding the package info.

So another application to ignore. React Native can't kill them all soon enough.

Yes. Not against Electron, but maybe I'm underestimating the UI/UX complexity of a password manager since I have never used one.

More likely it is the overhead of multiplatform support that motivates them to use Electron. Their support matrix is pretty big now: iOS, Android, Web, Mac, Windows, browser extensions, Chrome OS, and Linux

That would only make sense if they use Electron besides Linux.

Or if they plan to.

Amiga, Atari, Mac OS, MS-DOS, Windows, UNIX, with teams that reached around 10 maximum.

How did we ever manage without Electron?!?

Man we were 1337!

Tbh, not that many programs with exception of games supported all the platforms. And games were built on top of VMs or engines.

"Engines" like common logic written in languages like C and C++, using in-house toolkits where RenderButton() or ShowDialog() would do the right thing on each platform.

Apparently a forgotten art.

As for VMs, I am all for stuff like React Native, not for packing Chrome with each application.

Not only does it show laziness where Web == ChromeOS, it bloats the applications and is yet another way of turning everyone into Chrome developers. Bye bye Web.

I understand the sentiment. But I think the best approach is a bespoke app for each platform in its own native toolkit.

I have rarely enjoyed using a Gtk or Qt app on macOS because they feel alien.

On windows for example there seems to be no rhyme or reason for widgets, mainly due to historical reasons.

Games don’t need to be consistent because they take up the whole screen and are immersive. Some very specific programs such as the Godot editor are a good example of a similar usage.

> But I think the best approach is a bespoke app for each platform in its own native toolkit.

Which is basically the first line of my comment and how we used to do it back in the day, with common logic and those in-house "engines".

Why a whole GTK or Mono app just to store passwords?

Once you’ve decided that you want to make a GUI for something you’ve already made the choice to increase the weight considerably. Electron is still the best cross platform toolkit when you need browser support too.

> Electron is still the best cross platform toolkit when you need browser support too.

Agree, just thought it was too much for something as simple as displaying logins/passwords, but it looks like it has lots of features?

I was a 1Password user from when it was fully self-hosted until they started pulling bait and switch tactics to move people to subscriptions and online vaults[1]. I also had Windows licences, and Windows was certainly a 2nd class citizen while I used 1Password. And of course, it doesn't look like the 1Password Linux client is open source. The back-end certainly isn't.

I switched to Keepass[2] initially, synchronised with NextCloud but it wasn't intuitive enough for everyone. We moved everyone to Bitwarden a few years ago using bitwarden_rs[3] and have never looked back.

[1] - https://medium.com/@kennwhite/who-moved-my-cheese-1password-...

[2] - https://keepassxc.org/

[3] - https://github.com/dani-garcia/bitwarden_rs

This comment is like a canonical example of why a company would choose not to develop for Linux. 1Password puts real resources and risk into supporting a platform that may not pay off, but it’s Not Good Enough for much of the community because:

- The client is not open source

- The backend is not open source

- It’s not “a first class citizen” right away (the Windows port is by all accounts improving)

I’m not trying to put down your comment but to point out that when you have a fragmented platform that is difficult to develop for plus a community that is often hostile to closed source or less than perfect feature parity you are going to be relatively deprived of commercial offerings. This is why we see less Linux support broadly. Not that you personally should change your opinions.

Developing for every platform has unique properties. Every platform has its own native UI toolkits and look-and-feel; try to release an Electron app, and people complain. Write a great iOS app, but no iPad port, or be a couple months late with support for The Notch, people complain.

Linux's main difference is that, with so few users, when their priorities are disrespected by Big Corporate, the populace sides with Big Corporate. Rather ironic; most of the priorities Linux users have are motivated by respecting the user's privacy, security, and freedom. It seems likely to me that it's a thought process similar to why much of the downtrodden American middle class sides with Republicans, despite rarely having their best interests in mind.

I use 1Password, and it's fine. But these complaints are legitimate. This is a closed-source security-facing application from a company that has raised at least $200,000,000, which at one time charged a large amount of up-front money ($60+) for their product, used dark patterns to drive customers to their subscription-based closed-source cloud product, then left the original users in the dust. AgileBits should have no one's good will, and even as a 1Password user, I support anyone who uses this forum to discuss their move to alternatives.

The Linux priorities I outlined are fundamentally different. It’s a demand that the maker of the software alter the core of their business model.

This is very different from asking for a native UI or to use a core OS API, etc.

Again, it’s fine to ask for a radical business change or require it but the frequency of this as a demand does help explain why few companies go down this path.

(As for 1Password abandoning one time sales for subscriptions, to me this is a separate issue. One, it’s not news or part of the linked article, two it’s not particularly related to the Linux release, three it affects all platforms. However if you did try and relate it to this discussion I think their current business model is actually much more compatible with going open source than the old one. I don’t think they will do this but the bundling of storage with software that came with the subscription model offers a more economically viable path for open sourcing because their revenue is less dependent on being the software provider. You could argue it would actually help their sales by providing a fallback ecosystem that shows customer there is no lock in and by making it possible to audit the crypto used to ensure their infra is zero knowledge. I think even among Linux users only a small fraction want to run their own password servers. I know I don’t. But I think they would judge the risk of enabling a low rent low quality low cost turnkey competitor too high and frankly I would agree with them. I think an open core model could work where they keep the UI chrome closed but this will not satisfy the critics.)

(Also I’m a longtime 1Password user myself. I was VERY bummed by the change to subscriptions but I don’t find it as dark as you do. The product I paid $60 or whatever for many years ago still works fine; old vaults continue to function so we were not really “left in the dust.” When I moved to a subscription it was because I needed new capabilities. Sharing passwords and other secrets with other people chief among them. This is IMO worth the subscription cost. My main concern is security; I do not like having to trust their closed source crypto to keep my stuff secure on their server. One party with sensitive data and crucial code is excessive risk. However I do not want to stand up my own server. That is even worse. And all the open source alternatives would require me to do this for sync support. Which is a bit odd considering 1pw used to offer peer to peer WiFi sync. I guess this is too hard for any of the open source projects to offer.)

Thanks for the comments. The crypto is open source. We use the ring library: https://github.com/briansmith/ring - Ben, 1Password

How can I verify this claim? Decompiling?

Also it's very easy to use proper crypto in the wrong way. How can I know this is not the case here?

You make a very fair point and raise a reasonable concern. We do participate in external security audits, and will be having Cure53 do an in-depth one of 1Password for Linux. https://support.1password.com/security-assessments/

My takeaway from the grandparent comment is that 1Password squandered much of its customer goodwill, missed the opportunity to move into the Linux market, and their current attempts to build Linux support are too little too late.

If this story came out in 2015, I think the response would be a lot more favorable. At this point Bitwarden checks all those boxes and costs nothing, so it's hard to compete.

Yeah, I would note that not only is the Bitwarden code Open Source (if you want to self host), the commercial service has a free account option, and the pay options are about $1 per month per person:


Do you not think that poor Linux support is a result of low user numbers rather than the community's requirements?

MacOS has higher barriers to entry than Linux if you want to be on their stores, these do not seem to be an issue for people to overcome.

I think it's fair to say users of different platforms have different needs and if a product doesn't fit that need they won't use it. I don't see any problem with that at all.

Well, maybe. I'm not a Linux desktop person, though, and I'm just as hacked off about 1P's shift to a hosted service, and their poor treatment of the Windows client.

I'm also a big fan of Bitwarden. Have tested 1Password, LastPass and a few of the other password managers over the last 5 years. This is the one that ticks all the boxes, has the least bloat, does correct matching. I support it with pleasure!

I tested Bitwarden for a while and found it was lacking features compared to 1Password. Until a few weeks back they didn't even have a "Trash": delete an item and it was gone forever.

Exporting 1Password to Bitwarden was a complete mess; attachments in items were not imported at all/deleted (you don't get a warning about this).

Bitwarden is okay, but compared to 1Password they have a long way to go in my opinion.

Odd reply, how are these not very minor issues? Importing from 1 specific vendor is relevant for such a tiny part of the userbase.

And yes, trashcan is handy, but really not essential. You first need to make the mistake of deleting an account you wanted to keep, and then the site needs to lack a "forget your password" feature (which is already a trashcan).

A clean and fast UI, proper matching of (sub)domains, is something you use constantly. I cannot imagine they aren't more important to all/most users than the single item you mentioned.

It depends. 1Password lacks some things I'd really want (like configurable matching, having everything on a subdomain that's not on the public prefix list match is cumbersome). The Windows client is also extremely laggy and doesn't use Windows Hello half the time.

1Password X, which is almost a must-use on Windows, also has desyncing issues.

So I guess if you don't mind the above and are on macOS, it's better.

Would agree with this. I went from Mac to Windows and the 1Password client on macOS is much, much better. It's slowly improving on Windows though.

As a 1Password for Windows user, I can't say I ever experienced lag with Chrome or Firefox. I don't use Hello though, so can't speak to that.

With 1Password or 1Password X? 1Password X is good for autofill, but it's delegating management to the website which isn't very good a lot of times.

1Password proper however... using it on 2 Windows machines and both ignored the shortcut to open it at least once today.

I am very happy with Bitwarden as a product. It does everything that I want, and I like the UX better than the other password managers that I tried.

The fact that it is Open Source code that has been professionally audited also gives me an extra level of assurance.

Yeah same, Bitwarden is really good. Have been using it for the last 4 years.

I looked into the encryption of bitwarden and it seemed to use a little-known SQL encryption extension. That seemed a little too iffy for me.

FYI, the Windows application is now at the level of the macOS version. I was also annoyed by the move to a subscription model and waited a while before accepting to switch. But I'm now quite happy paying yearly given how well they improved their cross-platform support.

I can't mirror that experience, half the time the shortcuts (Ctrl+Alt+| or Shift+Alt+|) don't work for me, or are so slow in opening the application that going to the tray is faster.

I loathe the 1Password Mini interface because it doesn't have editing and wish I could just default to something that does.

There's also a lot of polish issues. For instance, if you have your taskbar with tray on a secondary screen, it still renders the context menu on the primary. If they are different sizes it might do it offscreen.

At least for me the switch to 1PasswordX messed up my password vault, which took quite some time to repair manually from backups. This drastically reduced my confidence in the software to a point where I switched to Bitwarden.

Yep, super annoying for me as well. I paid $60 which I feel is quite a lot for a password manager. When I built my new computer the other weekend I found everything on 1Password's site was subscription-walled, I finally found a download via a hidden Google backlink. But, of course, since I don't have a subscription it's now in read-only mode... feels really scummy of them.

The downloads for older versions aren't hidden. They are at the bottom of the respective OS download pages:



I still use 1Password 6 with Dropbox to sync. Works great. If you have a license, you may have the wrong (new) version, or just need to activate it.

Oh wow, this actually helped me fix it. I had to downgrade to 1Password4 for Windows (no mention my license only works with that version), and after that I was able to enter my old license key.

By hidden I meant the downloads page is only linked in the footer. All of the main 'Get Started' and 'Try Free for 30 Days' links funnel you into their subscription process. I thought signing into my account might help, but then realized I'm not able to do so in a 'legacy' account because I don't have a secret key.

What a confusing and hostile user experience to 'legacy' license purchasers. It's like they are trying to forget that we ever existed.

Same issue for me; having online vaults was the killer for me. Also the subscription made me really think about whether the service was worth it after all, especially after buying the apps they are asking me for more money. I moved to KeePass (and open source apps) and I'm fairly happy with it.

I don't think I will go back to 1Password.

A program worth using is worth buying

Woah! I think a lot of people in the free / open source community might have a problem with such a statement.

However, I do pay for a password manager because I recognise their importance and view them in a slightly different, almost unique way. I'm not averse to paying for software and services online, too.

What problems do you think they have?

Software is moving away from the classic buy-model and into a subscription/rent based model.

Free/open software does not mean no-cost.

How many times do I have to buy the same software, though?

It depends on how risk-averse you are.

I'm still using 1Password self-hosted - works fine.

I believe you can still self-host if you want. I don't understand how you can be disturbed by them offering a cloud service to host your passwords, or why that would be a reason to switch. I'm a happy sub of 1Password and I self-hosted my passwords before for a long time.

This is the kind of thing where more paranoia is better. Their service is a big fat target. I don't understand how you can't be disturbed by that.

Personally, I'm more comfortable with a service that has entire teams whose entire job is finding and fixing holes in the service than I am with something I toss on a server somewhere and forget about for months at a time.

Realistically, which is more likely? 1) That 1Password gets breached and loses their customer information, or 2) that I install Bitwarden on my server, somebody discovers a hole in it, I don't hear about it for a while (or do but don't have time to update), and get all my passwords stolen?

For me, the second seems more likely, so I'm happy to stick with 1Password.

All the encryption happens client-side. For this to be a problem you not only have to gain access to the blobs stored on their service, but you also have to be able to decrypt them.

I expect they probably pay more attention to abnormal access than most self-hosted users would as well, so you'd actually know about a data leak faster so you could rotate your passwords.

Using keepass (synced via nextcloud) for ages now, what would be the arguments for bitwarden?

You should consider LastPass. They've had considerably fewer security breaches than KeePass and it is accessible either using a local app or from any modern browser regardless of OS. It even has a smartphone app, although the phone app requires a subscription.

LastPass has a history of breaches and idiotic design choices, e.g. https://bugs.chromium.org/p/project-zero/issues/detail?id=12...

The Firefox extension is a bit hit and miss, and the exporting function has been broken for years (no points for guessing why that might be). I am not that happy with it and I do not recommend it. I used to pay for access to their Android app but that became a free feature ages ago; shortly after the company changed hands, I think. The premium subscription basically gives you some online storage and better support but I don't think those features are worth the subscription cost and so I downgraded to the free tier.

I think keepass has the base functions covered, they just need a slightly better UI and a simpler way to sync passwords.

Thankfully, it's open source so I'm sure someone will fix that soon ;)

It's why I switched to KeeWeb; it's KeePass compatible, works anywhere and has desktop apps too.

As many others have said, I'll be interested once they provide local vault support on Linux.

I dislike subscriptions - not for the financial cost as such, but because I like to evaluate whether or not I want to pay for a given version or stay on the current version. I'm happy to pay for software that provides value to me, which 1Password does (and I did pay for the existing clients). The same applies to major version updates when they add value for me - though the reality is that my usage is very basic, and I am often happy with an older version of the same software for years, so subscriptions to support continued feature development feels like an unjustified lock-in to me.

I do subscribe to some services that have a significant backend/cloud-based component, but in the case of 1Password, I sync the vault via Dropbox, so a subscription instead of licence/upgrade based pricing feels completely inappropriate.

Since I am trying to move more of my computing to Linux, it looks like at some point I'll have to look for other options than 1Password, which is a shame :-(


I left 1PW a few years ago as I felt them pushing towards a subscription model. I've tried a bunch of other open-source options, this one is best. Gives you a nice self-hosted bitwarden install without the overhead (in particular .log bloat) of the main bitwarden repo. You also get 2FA which I feel is essential.

I was in the same boat until recently. Long time 1Password user under Linux + local sync (since v3, 10+ years ago). Always feeling neglected by AgileBits.

Last year I got tired of having to fidget with WineHQ config every time I updated something, and decided to pony up for the cloud-based subscription.

It was the best decision ever.

Not only does it solve the compatibility issues (obviously), but it also gave me the ability to manage different vaults, selectively share passwords within the family, and also have some nice additional features (e.g., wiping devices before international travel).

All things considered, more than worth the subscription price.

The only two things that I miss from the native version:

1) ability to attach files to an entry

2) the flexibility of doing bulk operations (e.g., selecting multiple entries).

I solved the latter by running 1P under a Windows VM, but I'm hoping this Linux native version will solve it now. 1 down, 1 to go.

I understand :-) I am not even arguing that the subscription price is not worth it - it might very well be.

I do however disagree with charging for this kind of software (which to me is only a local client, since I do not use or care about their backend service) via a subscription, on principle.

I'm aware that from a purely financial point of view, this is not a rational argument to make. In fact, it gets more irrational because if I could pay for updates every time, I might end up accepting a scheme where I pay more in total over the lifetime of the product - depending on whether I pay for every major version, and how high each update is priced - and I would not be dissatisfied with that.

But it's not purely a financial argument, it's about the choice of what to pay for, and what not. Being able to evaluate each version on its own merits. Paying for the syncing feature separately (in my case: Dropbox).

Basically, this kind of subscription removes freedom of choice from the customer side, which is why I am ideologically opposed to it even when it works out cheaper in the end for me.

As an aside: I find the word "subscription" to be disingenuous for these, and only use it because it has come to be used by convention. Traditionally "subscriptions" in terms of physical goods meant you retain ownership of anything you received before cancelling. Cancel a magazine, you don't need to mail back all your old copies. I tend to think of software or media "subscriptions" as "renting access", not as "subscribing", and mostly avoid them.

> I tend to think of software or media "subscriptions" as "renting access", not as "subscribing", and mostly avoid them.

This is a huge point - they're rentals, not subscriptions.

I blame cable TV "subscriptions"; in theory you can record cable programs and keep them forever (like a real subscription) but with internet TV "subscriptions" they make it very hard to do so. TiVo with a cable card will happily record HBO or Disney Channel, but it won't record HBO Max or Disney+.

Software, video streaming and game "subscriptions" should really be called rentals, because you lose access after you stop paying rent.

Apple could choose to implement actual subscriptions in their App Store. Basically you would get updates as long as you keep paying the subscription fee. Practically this would still be a rental though since Apple breaks its APIs every year.

Unfortunately this only works with hosted 1Password (as far as I can tell), there doesn't seem to be any support for self hosted vaults. Can Roustem or anyone else from 1Password team clarify this?

This was the precise reason I switched to BitWarden 6 months ago, needed a solution where my passwords didn't leave my network.

I'm no Roustem but I'm close. :)

You're right, 1Password for Linux integrates tightly with the 1password.com service and as such does not support local vaults.

Appreciate your response. I'll reiterate what I've said in past threads: I love 1Password a lot, and used it exclusively from 2012 to early 2020; in addition to using it personally I converted the majority of my extended family to it as well. What irks me is that I paid for the desktop (macOS) app and iOS app once back in 2012 and once again for the 1Password 7 (or 6?) upgrade; that is not enough to support the company and is primarily the reason why AgileBits went the subscription route. Again, I 100% understand and I'd like to support this business.

I really don't want to store my passwords on your "servers", and I'm sure there are a few others like me, not a majority. In our case Bitwarden's idea of paying for a subscription (happy to do it), and hosting Bitwarden in my own network, is pretty close to local vaults in terms of analogy.

I still like the UX of 1Password, if you ever allow local vaults and still charge subscription, I'll sign up on day 1 - I just don't want anything to do with my entire vault being hosted elsewhere, potentially irrational but when it comes to things we store in 1Password and the like - CC #, Passport number, decryption keys, licence codes, launch codes (jk) - I feel OK with my irrational paranoia.

Thanks again for making 1Password!

> I really don't want to store my passwords on your "servers", and I'm sure there are few others like me - not a majority.

Businesswise, it makes sense as a first push: get a solid UX working on Linux for existing 1pass users who sync via the cloud. Then move on to the less glamorous parts like local vaults.

> I just don't want anything to do with my entire vault being hosted elsewhere, potentially irrational...

There is no logical mechanism that can tell you the correct amount of risk to take on, and yet you can't take actions without accepting some degree of risk. You can't justify your tolerance of risk, so it can't be rational, and yet you have to take an action, therefore you can't be fairly accused of being irrational. It's thus neither; I call it "arational" behavior.

You might think, hold on, there's a logical way: I'll look at what happens to a group of people pursuing different risk strategies, then model the expected risk vs return, and thus I can determine the optimal level of risk.

But I'd argue it's fallacious to apply that general claim to the individual. For one, you invariably have a set of outliers who were overly risky and beat the odds, were they all wrong? If not, what's the cutoff point, and why? (And likewise, a set of outliers who were unlucky despite being overly conservative, were they also wrong?)

Another reason is, as they say in finance, "past performance is no guarantee of future results." Any model you come up with to justify a risk strategy can and will be invalidated as history unfolds.

If you can't trust them to host an encrypted blob, you can't trust them to run code on your local machine. I agree with you that the resistance isn't rational.

Hosting my encrypted data means anyone with sufficient access at any single time can copy the encrypted data and attack it or me, then or later when eventually feasible.

Hosting only an executable I download and execute means the adversarial extraction of data must be contained within the executable and bypass all security from within my system. There is a window of opportunity for sending out a signal indicating the executable can not be trusted.

I do trust the team of 1Password to be competent and not evil, but there are many things that can go wrong anyway.

I remain disappointed that there is no way to set up nor configure a 1Password.com account without the web client.

> I do trust the team of 1Password to be competent and not evil, but there are many things that can go wrong anyway.

Very much this. I don't benefit in any way from having a copy of my sensitive data in their cloud, so as a very basic security principle, I don't want them to have it.

And that's just for my personal use. If they drop support for local vaults, I have to stop using it for work, too, because my employer prohibits password managers that store passwords in the cloud. My understanding is that these policies are specifically designed to keep us in compliance for government contracts, so I don't think they're changing.

I agree; and unfortunately I found self-hosted vaults to always be a bit challenging to get right, if I wanted to use my vault on multiple devices. The local-network only sync engine never worked for me, so I ended up using another third-party's servers to sync anyway. I signed up for 1password.com a couple months ago and it's been painless. To each their own!

> an executable I download and execute means the adversarial extraction of data must be contained within the executable and bypass all security from within my system

(emphasis mine)

Security is about having layers. I can't begrudge someone wanting to add layers to their security.

True, but same goes to hosting your own server.

And I would bet that a team whose job for many years has been to ensure the safety of your data will do a better job at it than 99.9% of users who host it themselves.

That isn’t logical at all. The two are completely different threat models.

I used to be a happy 1Password customer until they decided that they did not want people like me as customers. I trust the code, I don’t trust them to store my data, encrypted or not.

Why not keep storing your data locally, the same way that you were before?

They've absolutely crippled 1password to make local vaults as difficult to buy and use as possible. They don't roll out updated versions as often, many versions don't get support for local vaults for years, they make it nearly impossible to buy the non-subscription version, and you can no longer upgrade older licenses to use new versions.

Their entire business model is really sleazy and they've gone out of their way to alienate people who don't want to pay for a subscription and hosting service for something as simple and secure as locally encrypting passwords. I was a loyal customer for a long time but after a few years of them jerking non-subscribers around, I got tired of it and tell any friends and family to stay away from it.

Every company that has moved to a subscription and cloud-based product has essentially traded a one time $30-50 license to getting that (or more) every year, and the product is usually inferior from my experience.

> Every company that has moved to a subscription and cloud-based product has essentially traded a one time $30-50 license to getting that (or more) every year, and the product is usually inferior from my experience.

Two mild counterpoints:

(1) While "from my experience" is always definitionally anecdotal, most applications that I'm aware of that have moved to (or started with) a subscription-based model have released new features on a rolling schedule that's at least as fast, if not faster, than the "one-time license" model. On the Mac/iOS, there's Ulysses, Fantastical, and Drafts off the top of my head; cross-platform, the JetBrains IDEs all come to mind. (They're not precisely the same model due to their "perpetual fallback license" approach, but they're definitely trying to drive you to subscribe.) And, for all the mostly-deserved hate Adobe gets, their release cycle appears to have picked up speed since they moved to a subscription model.

(2) The one-time license model works great for applications that don't need any updates in the future beyond perhaps bug fixes. If you want ongoing support and new features, where does the money to support that come from? In years past it would have come from upgrade pricing, but programs went years between new releases and there was nothing that compelled users to upgrade if the old program was still working on their hardware. I get that as a user that's great, but for developers, it's, well, rocky. It was livable a decade ago because those big application programs were way more expensive. At today's prices, where $39 seems kinda steep, that may not be a workable business model.

As for 1Password specifically, I run it on a work laptop, a personal laptop, an iPad Pro, an iPad Mini and an iMac, and keeping the various "local vaults" in sync was always a bit of a pain in the ass -- and of course there was no way to access that vault over the web on a different machine if I really, truly needed to. And I know more than a few people using 1Password for Families. I don't think it's a "really sleazy" business model at all. It may be a business model that you don't like, but that's not the same thing.

1Password used to let you self-host web vaults. Dropbox and iCloud seem to work fine where they're still supported.

Dropping local vaults in an iOS patch was kind of sleazy. So is downplaying the ways the new security model is worse.


How would Dropbox or Apple get someone's vault password?

I really don't think I could've said it better myself. Thanks for the comments. - Ben, 1Password

Subscription model forced on a local password manager customer? A little sleazy.

Maybe they weren't. 1Password used to support self hosting and third party sync services. Some versions still support some third party services but only subscriptions work everywhere.

As somebody who uses exclusively local vaults and pays via subscription, that is totally possible. It’s not possible on Linux, as noted above, but the Mac/iOS apps have supported that for the full lifespan of the subscription model.

How do you sync your local vaults across different machines?

Some of them I sync via Dropbox’s native 1Password integration. Others are stored as raw files from 1Password’s perspective, and I sync them by either copying the files or storing the file vault in Google Drive.

If you don't mind sharing: what benefit do you get from this configuration vs using the features of 1Password.com that are included in membership? - Ben, 1Password

I currently get by on Linux by syncing my 1Password vault and reimporting it to KeepassXC every time I need a newly added or updated entry. Annoying to have to create new entries on another devices and sync when I need an account on Linux but it works. Looks like this update provides me with nothing useful.

There’s no way I’m moving to a 1Password account, but I might just switch away entirely the next time I need to pay for an update or whatever, given the apparent lack of interest in serving my needs despite the amount of money I’ve paid for updates, etc. to date and the fact that it’s clearly technically possible.

> There’s no way I’m moving to a 1Password account


Use local vaults and you can firewall the application. Sync a different way and somebody would have to compromise 1Password and the sync service to get your passwords. Use a 1Password account and you have to use your master password in a web browser to manage your account.

1. I don’t like or want subscription software. I shouldn’t have to pay continuously to retain access to features I’ve paid for for years and it’s not ok to potentially lose access to my main method of creating and accessing secure logins across devices if I stop paying (which could be by choice or, whether temporary or permanently, involuntarily/accidentally).

2. I don’t want to store my data on their servers. I have ways of securely syncing data that I trust and that use only devices I control. For reasons of trust, security, etc. I want control of where my vaults are stored and it not to be the same company as the one that provides the software (for some machines/vaults I can also prevent 1Password from accessing the internet at all, to ensure the vault can’t leave a secure network, for instance).

3. If everything I store in synced folders was a separately charged service I’d be paying thousands a month. This trend is unsustainable and unwanted. I see absolutely no incremental value in the hosting service so I don’t want to pay for it.

4. The whole sleazy business model that pushes users towards subscriptions and makes it harder and harder to stay on self hosted vaults and uses things like this, described by them as the most requested feature, as leverage to try and force more users to switch. When the subscription model was introduced there were assurances to concerned customers that we were valued and this self hosted sync method would be supported. I am fine not getting features that are and should be deeply integrated with and require their hosting service (I also have no interest in ever having access to my vault via a web browser, which has the potential for horrible enough security properties that I'm glad it's not an option (and I don't have the time or inclination to have a feature which I don't require anyway audited)). But when an entire desktop client is put in that bucket, it is because someone decided to make it so to try and get us to fall in line, not because it needs to be. Not the action of a company that respects any of the users who still want to self host like they say they did.

At this point, with what appears to be a company that’s hostile to my use case, it’s getting difficult to justify spending more money at the next upgrade just to avoid the one time pain of evaluating options and switching to something that’s potentially better for my needs (if it, say, has a full Linux client I can use). If I move I’ll also likely plan to switch over the teams I manage that do use the subscription model. Subscription software makes far more sense in a corporate setting, and if the 1Password account fits the threat model then great, I use it, but if I am no longer using or evaluating 1Password (especially when the reason is partly trust in the company itself), that gets trickier, as does continuing to recommend it to others.

I'm in the same boat as the sibling: I'm about to move off of 1password because there's no Linux client. I'm a regular licence user, not a subscription user, and I will never buy a subscription from you but I've been happily paying to upgrade every time you release an upgrade to the regular software.

It seems that this is signalling your commitment to stop supporting users like me, and that's very disappointing.

*I will never buy a subscription from you but I've been happily paying to upgrade every time you release an upgrade to the regular software.*

So you are a subscriber in reality; it's just that your payments are slightly lumpy.

A subscription implies you lose access to the software when you stop paying the subscription.

Buying a license implies you own it and are entitled to use it indefinitely. You might not get any updates but you also aren’t losing access to what you already paid for. Very, very big difference.

While I understand where you're coming from, I think "indefinitely" is a fairly impractical viewpoint in the sense of modern computing, particularly in the context of 1Password. Presumably you'll continue to update your web browser and your OS, which will at some point necessitate updates to the 1Password apps. For example, with Safari 13, which came baked in with macOS 10.15, Apple changed their entire extensions framework and retired the old one. 1Password 6 was built around the old one. So even if you have a license, and could theoretically install 1Password 6, if you're a Safari user it doesn't do you much good. Membership on the other hand would've included 1Password 7, where we implemented a Safari App Extension for Safari 13+ support. Just a counter-point for consideration. Also, for what it's worth, 1Password memberships become read-only when your subscription lapses, but you don't lose access. - Ben, 1Password

...why? Of all possible target audiences it would seem Linux users would be the least receptive to this kind of thing.

Forgive my bluntness, but to me this looks like you're just testing forced adoption of 1password.com hosted SaaS on a platform you don't really care about before rolling out the same to Mac & Windows. Which would be unfortunate.

I can't speak for them, but it's my impression from using 1Password for a good few years (both the local-vault product, and then the "account" subscription service) that local vaults are basically deprecated, even though they work fine. They're just not a good way for AgileBits to make money. So they'll keep them working in the software for existing customers who paid for them and expected them to work; but they won't add new features to them (except by coincidence as part of architecture-level updates) and won't bring them to new platforms where they weren't originally promised to work. They're a legacy feature, serving legacy customers.

For the same reason that they won't bring local vaults to Linux, I don't think they'll ever kill local vaults for macOS or Windows. There are customers who paid for that product, and expect it to still work. (And, unlike e.g. an old version of Photoshop, it's implicit in the USP of a "password manager" product that it'll continue to get updated so that it works on new OSes and so forth, so that you can still have access to your passwords. You can't just stop supporting it; that'd break the whole value-prop of the product, retroactively, and so break the trust of future customers in any "password manager" products you have today.)

They killed self hosting on all platforms and other sync services on Windows. They tried to kill local vaults on iOS.

One day they will stop supporting it... They will give notice and ask you to use the online version.

1password as a SaaS app has been out for years, this is not a testing balloon.

I hope Agilebits considers adding local vault support. I’m a long time user and even a subscriber, but I don’t actually use the account I pay for, for anything except license to use the software - I still use local vaults.

I’m happy with this arrangement - it’d be a shame if the Linux client never gets this functionality.

This is what I like about HN, interesting people drop by from time to time to visit.

I have been a happy 1Password customer for years, but I am in the market for a change now. I really wish 1Password had an iOS client that didn't require 17+ permissions.

We're not thrilled about the 17+ requirement either and are evaluating our options there. Thanks! - Ben, 1Password

Please tell me local support is coming. I'm a longtime 1Password user who only uses local vaults and I feel like 1Password is increasingly showing me they aren't interested in me as a customer.

Is this a preview of things to come for Mac/Windows? Will 1Password stop supporting self-hosted vaults?

No, this has been available for YEARS on Mac/Win, so it's not a preview of anything. Self hosted vaults haven't been in the new apps for years either, although the last version to support local vaults is still available.

The latest versions of 1Password still support locally stored vaults. They only sell the cloud service subscription these days, but you can still use local/Dropbox vaults on every platform. (except for Linux it seems)

So how can I access credentials when I’m not connected to the internet? Not at all?

1Password always stores a local cache, you just won't get updates from other devices synced.

This is the correct answer. Thanks! - Ben, 1Password

It's cached locally on the desktop app and phone app.

I am another linux user that uses local file syncing, so I guess I will have to use the old 1password 4 for windows build forever ha.

Depending on your use case, KeePassXC supports reading local vaults, but currently just reading them because I didn't have the need to try and round-trip the vaults for my on-call laptop.

I don't believe it would be an overwhelming amount of work to implement the write portion (err, aside from getting a security review) but I do seriously doubt that KeePassXC would accept the PR to change the backing store, meaning it would have to be a fork :-(

I just moved from (paid) 1p to bitwarden at the weekend due to lack of proper Linux support. I was just testing bitwarden and found I couldn't easily get a good export of my passwords from 1p on Linux, because only their desktop apps support that. It won't run under wine and I ended up installing a Windows VM specifically to do the export.

Was so frustrated at this it pushed me to move to bitwarden. Good for them for sorting it though.

I just did the same over the weekend. Really loving BitWarden, it works and it’s fast. It did take me a bit of time to export out, scrub & format CSV, then import to BitWarden.

I just used the "1PIF" export from 1p, which bitwarden supports for import (but the 1p cli doesn't support).

I'm loving bitwarden too. It's slightly not as good as 1p in some ways, but better in more than others. That's my review :)

... I wish I'd thought of booting into my Windows partition and installing 1password there, instead of spending an evening writing up an extremely overwrought export script on top of the commandline client.

I started to write that exact script myself (got to the point of realising jq probably wasn't going to cut it :), motivated by the desire to help others escape too, but I just ran out of steam.

Plus, there was something not right about the fact I was actually paying for these damn tools and still having to write my own code! Thought I'd just get out as quickly as I could and not go back.

But having seen others in these threads complain, I do now feel kind of bad!

Would you mind sharing it, so that other people don't have to go through the same pain you did? Maybe even creating an issue and dropping the code there could be helpful. Then somebody could pick it up and reuse the algorithms you wrote.

That'd be pretty great.


Caveat that it doesn't emit a csv you can import elsewhere, it's not extremely polished, hasn't ever been run outside of my laptop, and just does a bunch of unnecessarily clever things. Needs the 1password commandline utility `op` set up (i.e. you have to have told it your secret key already).

It'll create `items/` and `documents/` dirs with one file per, well, item or document, named after the uuid. It tries to make a symlink named after the metadata for each file in the hope that you'll have an ok time tab-completing your way to the desired secret. There's some attempt to not redownload files that you already have, mostly because I re-ran this thing a million times trying to get it to work.

I wrote this to be able to zip all my secrets, `scrypt` the zip file with a strong password, and put the scrypted file on a usb drive that isn't particularly well hidden, just as another fallback/recovery option in case a meteor hits 1password HQ or my paper backups catch fire.

What people have to do to avoid KDBX4 db store :) Those are easy to backup, sync etc.

If you used Firefox or Chrome, then you could use 1Password X for Linux systems. But I'm guessing from the (paid) part that you weren't using their sync?

I used the browser tool (and 1p sync) but it still didn't support export to 1PIF format afaict, which only the desktop GUI tools supported.

KeepassXC is the perfect solution in my opinion. It is open source, has a huge number of features (that don't get in the way of basic usage), and has mobile apps and desktop apps that work well on all platforms. Right now I am using it on Windows, Mac, AND Linux, as well as my Android phone. I have it syncing over Dropbox, but you can sync it however you like. The Android app automatically fetches the latest version, and supports auto-complete etc. I see no reason to pay for a password manager or use something that isn't open source.

I'm the same way. The most important parts of the KeePass ecosystem to me are:

1. It runs on every platform I currently use, as well as any platform I might care to use, whether or not that platform is sufficiently "popular" for a company to justify caring about it.

2. It isn't dependent on the continued healthy existence of a company to remain usable, as I could simply self-maintain in a worst case scenario.

These are very important things about a password manager to me, personally, which is why any of these more polished/popular options would be an extremely tough sell.

Yep, there is no way I am trusting a company with maintaining access to passwords on all my accounts and my clients' accounts. KeePass uses a well documented XML file format that, if needed, I can manually decrypt and access if for some reason every copy of KeePass is deleted.

Doing the same using Syncthing for syncing. For basic password management across devices without having to go to "cloud", I don't see a better alternative. The new polished UI for KeepassXC on Linux is a bonus.

I second this. KeePass is awesome (across all platforms)

I switched to "pass" from 1p and it is a breeze because it just works without all the bullshit and I don't have to place any trust on a company saying they do things right (they will never tell otherwise).

And 1password never cared about Linux. I had to custom-script data export; they pretty much held data hostage by making it difficult to migrate from the platform, not to speak of the undocumented data formats. But at least we did not have to install some closed source proprietary thing to do something as critical as password management (browser sandboxing seems slightly better). If they cared they would open up their client's code for everyone to peek.

I have to call this out as a bit of hyperbole.

They already participate, quite openly, in security audits[0], and while yes, I'd love it if it were OSS too, the reality of making money on these services (especially, I believe, at the time 1Password was founded) is that it wouldn't likely have done them any good, really. In fact it could hurt their business. I believe 1Password was one of (but not the only!) pioneers of this being a successful consumer business.

Notably, I don't think it's worth detracting from a fantastic product based solely on the license of its underlying software. I'm also not aware of any 1Password data breaches.

As far as exporting goes, you can simply generate a CSV file (or plain txt)[1] as well. Not sure what the issue there was, I'd be curious to know.

While I like OSS too, and prefer it when able, I think it's a stretch to say they're holding their users hostage if they want to migrate away, not to mention being OSS isn't really a predicate as to whether the software & user experience is actually any good.

disclaimer: I don't work for 1Password, but I've used it for over a decade.



How can one be sure that the passwords are even encrypted, without having seen the program?

Audits don’t mean much for various reasons, including the conflict of interest.

Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.

>How can one be sure that the passwords are even encrypted, without having seen the program?

We have seen the program. We can have as many binary copies of it as we’d like.

> Audits don’t mean much for various reasons, including the conflict of interest.

[citation needed]

> Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.

The product uses end to end encryption. The database is encrypted locally before being uploaded. They would have to be using bad encryption or stealing your password to get at it. It is understood how 1P works, they have written about it extensively.

But that's the point the OP is making, you have to trust what 1password is telling you. And they do have a very clear business interest in telling you that it uses best security practices even if they don't.

I'm doubtful that you are able to look at the binaries and extract the inner workings from that.

>But that's the point the OP is making, you have to trust what 1password is telling you.

Yeah, I have to trust a lot of software authors not to be actively malicious, because I don't have the time to audit literally everything I rely on. I have more reason to trust the authors of 1Password than those of almost any other package I use.

>And they do have a very clear business interest in telling you that it uses best security practices even if they don't.

It's been audited several times, and the authors are well known, respected, and vocal in the infosec community. And you think they have more of a business interest in hiring security professionals and lying about their practices than they do actually building a product that safeguards their users' data as they say it does? A backdoor in a product like that would be the end of their business, professional reputation, and career.

>I'm doubtful that you are able to look at the binaries and extract the inner workings from that.

Me personally? No, but there are absolutely people with that skillset, this sort of thing is perfectly doable. As far as "is this sending all my stuff to China in plaintext" goes, it's not even that hard to evaluate. You could do that without any reverse engineering at all.

These are great answers. Thank you. - Ben, 1Password

> As far as exporting goes, you can simply generate a CSV file (or plain txt)[1] as well.

There is (was?) no way to do that on Linux.

I switched from LastPass years ago, and 1Password is great. I use a family account, and it's been easy to get my wife to use randomly generated passwords.

The only missing piece for me is a native Linux app since I use Ubuntu for all my development environments. The web browser extension works, but it's a noticeable difference moving between it and the windows desktop app. I'm super excited to give this a try.

Awesome! I'm so happy to hear this. We'd love to hear about your experiences so please share after you give it a go.

App looks slick. Installed on Ubuntu. Very cool.

Unsubscribed from LastPass and subscribed to a Family plan here. Hoping for updates to bring all the rest of the features. <3

EDIT: Took the opportunity to eval a couple of others. BitWarden stood out because it's open-source and cheaper for the family plan (the difference between 1Password individual and BitWarden family is not a big difference).

My thoughts:

* 1Password had a really cool app and very good import from LastPass

* Bitwarden's app is pretty good but the import breaks on Secure Notes that are a bit longer

Ultimately went with Bitwarden because it's cheap and I was able to migrate my big notes in approx 10 minutes manually.

I've been using Bitwarden across the browser, Linux, Mac, and android, and it works great, and is fully open source, unlike 1Password.

And you can self-host it which I do

Nice to see progress here, though 1P continuing to move away from local control to force subscriptions is regrettable. Even so, the UI hasn't been matched yet IMO, which is important for getting the less technical to use it. We're sadly also still a ways away from passwords being eliminated entirely, so it's still very important to get everyone using one.

One thing still missing I really hope to see though is the local application (on all platforms) supporting hardware tokens for unlock (with a backup master option). That'd be a nice extra security+convenience option which would work across platforms.

For many/most types of software I am in the same camp of people who would prefer to pay more upfront for a license as long as the software continues working as is - I bought it because it worked and if I chose to pay more in the future for a better version, I will make that decision based on the new features added and not the old features being held hostage.

However, for something as high-value as a password manager, I think having a subscription model makes a lot of sense. I can't think of any other class of product where timely updates from the developers are so critical to the utility of the product. You could even argue that an unpatched, out of date password manager is worse than no password manager.

So to preface: I don't use any web functionality in password managers at all, only the client applications. But that's the context for my regret over the forced subs too.

>I can't think of any other class of product where timely updates from the developers are so critical to the utility of the product.

I can think of a ton actually, although I guess it depends on what you consider important functionality there. Now, there is ongoing maintenance needed for things like keeping up with browser integration, but I'm not sure exactly what security updates should ever be needed unless they really fucked something basic up. The only things that need constant attention are their own cloud service, but that's a function of it being their own cloud service vs someone running their own server or syncing via Dropbox.

>You could even argue that an unpatched, out of date password manager is worse than no password manager.

I don't think you could frankly. Like, what's the threat model here when we're talking data that lives on our own systems and is E2EE? Fundamentally, password managers do not defend against the trusted end point being pwned; for that you need an HSM of some sort (or at least some weaker but still somewhat functional kind of 2FA). All data from the end system should be fully encrypted before leaving, and since the system is trusted by definition timing attacks shouldn't be a concern (or at least are trivial here to negate entirely), so the security should depend purely upon the PM's ability to perform basic at-rest crypto, use decent key stretching as needed, etc. Which is frankly a solved problem with well vetted free libraries; that's not the hard part of security.

Honestly, 1Password and the like aren't that different from the macOS Keychain Access I'd been using for many many years beforehand. They've got better organization and UX flow these days, and browser integration is a genuinely big deal. But I never had any problems with Dropbox sync with pre-1P.com nor do I still have any problems with sync there. In principle, the 1P team could have made all the admittedly alright group stuff and so on available as a standalone server thing people could run along with their own cloud offering of the same, similar to the way Gitlab and many others do. Buy the server/client licenses standalone and run infra yourself, or not, your call. WiFi sync didn't have to be left as primitive as it has been either. Etc. It's a business decision for them to push subs because subs are very profitable. And I recognize yeah, it's a way to make lots more money in a reliable fashion which people like. But I still regret the sub trend and think it's usually a negative overall, particularly for people trying to fill situations outside the norm. 1Password's sub thing for example doesn't scale with large families; there is a huge disconnect between a small family and an "organization" in their pricing and general structure which isn't due to cost basis, it's due to their perceived ability to pay.

I'm genuinely optimistic though that things like Webauthn represent real turning points, and we're finally (10-15 years late but better late than never) moving away from the madness of service passwords and managers, "have i been pwned" and all the layers that essentially recreate PKI, very badly. As far as security goes, neither I nor anyone else should need to give a single shit or change anything at all if a website is completely utterly hacked, because the only authentication that should be there should be a public cert for me. Damn it, asymmetric credentials were solved forever ago!

I pulled the plug on 1password because I hate subscriptions.

There is also no logical reason to pay agile bits for single-purpose back-end infrastructure when we already have dropbox, etc. An encrypted password file is tiny.

Subscription apps (and subscriptions in general) are simply not scalable in their current implementation.

I don’t even mind subscriptions but they’ve still lost me as a customer for bundling the subscription pricing along with an extremely hard push into storing all my most sensitive data “in the cloud”.

Still rocking my 1Password 4 license on Windows and OSX from years ago with no plans on upgrading. When I’m finally forced to, I’ll simply switch to another product.

Having had it made clear to me again that AgileBits doesn't care for my particular market segment, I finally decided to stop using 1Password4 and holding out hope that one day they'd release something that provided the same functionality.

I'd tried a lot of password managers before and never found any that quite fit as well as 1Password, which is why I was still using it.

I'd tried Keepass and its variants every time but it was never _quite_ there. The interface was clunky and things that I expected to be core to the product (additional fields, OTP, etc) were addons.

Stumbled on KeepassXC this time. Solved most of those problems. Certainly well enough to replace the old, unsupported software I'd been using for something as important as my most vital secrets and identity documents.

Just got everything migrated over.

Bye, AgileBits! After 5 years it's been... swell?

Can't say I'd ever personally use 1Password over something open source like Bitwarden, however the intriguing thing about this post is that they're using Rust for their Linux client backend. If only this was open source; we could peek under the covers and see what technology they're using.

I use 1PW professionally, with our whole company having shared vaults for different departments and security levels, as well as at home, so my wife and I can share some credentials. Absolutely love it. I’m spending more and more time working from Ubuntu so I’m very happy to see this, it should make things just a bit easier.

Awesome! We'd be happy to hear any feedback once you start using it. :) - Ben, 1Password

I've been using keepassxc which is open source, extremely snappy (it's one of the fastest starting gui apps on my desktop) and offers all the functionality I think I need (ssh agent integration, secret service integration...). What does 1password offer that would make me switch? Why is everyone so excited about 1password and keepassxc is hardly ever mentioned?

> What does 1password offer that would make me switch?

Mostly great sync across devices, and great apps on all devices (all mobile, all browsers, and all desktop OS except Linux for now).

If you mainly use one computer and don't mind tools which are a bit less polished, it's not that compelling.

>Our new app is built on great open source projects like the Rust programming language for the underlying logic, and React for a responsive component-based UI.

Is this using webview? On Mac I believe the app is completely native, so does this mean 1Password will be switching over to using webviews across platforms?

Started with LastPass. Moved to Bitwarden a year+ ago based on NH recommendations. $10 a year with Yubikey support is a steal.

At work we use 1PW. Compared to BW I find 1PW awkward and often counterintuitive. I suppose it has to do with habits. But I had few awkward moments with going from LP to BW.

I'm not knocking 1PW. Only suggesting that if you're in the market for a PW manager, check Bitwarden.

When one day AgileBits removes non-subscription sync from iOS and Android, I'll have to move to a new password manager. Currently I use syncthing for inter-computer syncing, Dropbox for the phones (iCloud too at one point).

Frustrating how difficult it was to install the iOS version without a subscription, I even wrote an article to save others the confusion: https://www.davidschlachter.com/misc/1password-ios-standalon...

Is this better than just using KeePassXC with a simple kdbx file synced to an online drive? It's an honest question, I've never used 1Password before.

I switched from KeePass to 1Password mainly to get my family on it. They really appreciated the clean workflow once they got used to it after a couple days. And the auto-sync feature combined with the mobile app has been useful for when they have to enter the Netflix password on various devices.

Same here.

Sure you can use lots of other password managers, but if we are not talking about solo use case - it's practically impossible to beat 1Pass. You can set up your team and family in minutes, with granular controls. And people will understand how to use it in a few minutes.

With most other solutions you will have to spend hours here or there. Is that time worth a few bucks? For me I would gladly pay x2 so it just works and no one has to bother me with questions.

I used an older version of 1Password on Mac and use KeePassXC on Ubuntu now. 1P is definitely slicker, and presumably the subscription comes with support. For me, not a worthwhile trade-off, but could be worth it for some people, especially those with many devices to keep in sync and business users.

Yes, as it isn't subject to accidental overwrites of the data file. It also has useful integrations like browser extensions so it can autofill. Not sure if KeePass is capable of that. It's a paid app though.

I use KeePass on Windows and it is definitely capable of that and much, much more (see Plugins page).

I can't imagine paying for an application when a better one is available for free.

I’m a recent windows 10 convert from Mac and a 1password user for years, I have disagreements with my buddy who is a long time windows user along these lines _all_ the time. He thinks I’m insane for essentially paying for UI I prefer (I would disagree I think there’s some structural differences, but I’m okay with being reduced to that too). It’s like asking why someone buys anything, the products exist and sell and make some people happy while being absolutely insane to others. Such is life.

I'm also happy to pay for better UI alone but that does seem to offend some people. It's usually the same people who if they find out you take vitamins will start telling you what the placebo effect is.

The reason usually is that there are people with a lot of money to throw around and there are others with less money who instead invest time to research where they can save it on a product. If then they not only find a way to save money on a product but also one with more features (so more for less) than the one people throw money at, they are in disbelief why somebody would throw that money on the worse alternative.

I see this as quite reasonable thinking for somebody who never had too much money.

Of course it might be that in this case the much more obvious is the case: throwing your most important data into a cloud on a closed source system is kinda..."optimistic".

> I’m a recent windows 10 convert from Mac

What happened, if not too sensitive to share, of course.

Ah sorry I missed it. My poor macbook pro of 8 years finally chimed its last boot chime, so to speak. I have a windows PC that I had used mostly for games/web, so "convert" might be strong, I just haven't decided if it's worth replacing :)

Ooh boy. This is amazing. The horrible Linux support they had was the reason I left 1Password. This might make me go back to 1Password.

So sorry we scared you away! Linux has been on our radar for a while but our biggest challenge was finding a way to share code between apps without writing everything in C++. Thankfully we found Rust, a systems language built around efficiency and safety. From there we were able to build the common core we've always dreamed of and were off to the races. Please give us another chance and let us know what you think. <3

> without writing everything in C++

That sounds interesting. Can you list the major technical reasons behind this decision? Also interesting will be if you could explain how Rust addressed those pain points (I have read about the general advantages that Rust has over C++, but interested in hearing how it plays out in the wild).

I'm not Dave but at a guess the biggest thing is probably memory safety, which is a huge concern for security-critical software.

That is indeed a big part of it. - Ben, 1Password

Thanks Ben!

You're welcome!

Don't they have browser plugins? That's how I use LastPass on Ubuntu. I mean, besides Electron apps, who actually makes native Linux apps? (joking, not joking)

Yes. Though it was slow (slower than other extension based password managers), but worse, it was missing some of the features. I can't remember exactly what it was, but at one point I tried to edit something, but there was no way for me to add something. Though I've forgotten now, it felt quite a critical thing to have at the time.

Our 1Password X extension works great on Linux. :) - Ben, 1Password

I love 1Password.

Something I could do without though is all of the GUI animations & transitions. They create time delays, little waits that add together that introduce unnecessary delays. Sometimes I just want to login, and I want to login now.

I had 1Password recommended to me by a friend, but the lack of Linux support was a deal breaker.

Now I've settled pretty comfortably into a different password manager. Even if the Linux port of 1P gets up to feature parity with the other versions, I don't see much of a practical reason to hassle with bothering to try it.

Granted I could be wrong. The long track record of 1P is definitely a plus. And maybe they have enough nice features to make it worth it. It's definitely a harder sell for me now though than it would have been if Linux had been a first class citizen when I was first choosing a password manager.

What are people's thoughts about Firefox Lockwise? I have been using keepass for forever but I want something that easily syncs between devices and doesn't require copy/paste into the browser. Lockwise seems perfect but I haven't used it much yet.

I use Lockwise, and the thing that drove me towards it is that it works on Linux and iOS without having to run a sync service (Dropbox/...) on my laptop. The sync is excellent and just works. The iOS app could use some work, though. It doesn't support adding or editing passwords (but Firefox for iOS does, and it's planned for Lockwise according to the issue tracker), and it's REALLY slow to start (several seconds) when using it to fill a password in the browser. I don't know what's up with that, but it's annoying.

I've found great success with KeePass and Dropbox. I use the Kee plugin in Firefox that allows autofill in the browser, and KeePass2Android on my phone which supports pluggable autofill for browsers and apps on Android.

It's not as trivial to set up as Lockwise or 1Password, but I prefer this setup because:

- 100% Open Source
- I own the keyring and can sync it across literally all of my machines, plus the cloud storage provider(s) of my choice, seamlessly
- The keyring is protected by a key that only I know; no third party is handling the unlock on my behalf

Well, Lockwise is 100% open source, isn't it? I'm not sure there are tools for extracting the data easily, though. This may be your point and I'd agree on that.

But I've been using Lockwise for years (and the previous cloud tool from Firefox, Sync, IIRC) and it mostly does the job. Sometimes I'd like to edit the entries to a finer grain or add foreign passwords (the ones that don't relate to a webpage) but that's it. Extremely easy to get running and sync.

Well one difference is you just login with a password and you have access to all your passwords. Whereas with 1Password you use the long key to set up a new device, so it requires either memorizing that key, writing it down, or having a different device with that key on it.
