1Password Secrets Automation (1password.com)
374 points by srijan4 on April 13, 2021 | 178 comments

While this looks interesting, I'll admit I feel like there's been a bit of drift from their bread and butter over the years since they launched their cloud thing and started pushing hard towards a subscription model. I chose them long ago specifically over options like LastPass because I liked having a rich application without internet dependency and their attention to detail and features there, but it's been a while since it feels like it got major new improvements vs the site. For example, while macOS and Windows have supported smart cards and security tokens like YubiKeys forever now, and I use them to login, unlock, authorize sudo/SSH, etc every day, 1Password still has no support. There are things that can now only be done through the web interface, like finer grained control over permissions for shared vaults, and some of those are also nastily locked away behind more expensive subscriptions. I think everything should be manageable through the application, without ever visiting the site. Duplicate items across vaults remain completely manually managed, when automating stuff like that is kind of the purpose of a password manager. Etc. Heck, even within their own subscription service I think they're missing a trick by not having more powerful/flexible organization(including families) and inter-organizational capabilities.

I still think 1Password is the best option for most people. I specifically want my non-technical family and friends to use password managers too as long as its necessary, and having some multiperson capability is also key to that. I can't say though that I feel like the move to subs has been a huge win in terms of development.

Granted, I'm a little down on the whole field which colors things a bit. Ultimately underlying my feelings is a touch of bitterness that their entire industry even exists. Passwords and password managers are mostly recreating public key auth really, really badly and it stinks. Passwords and other symmetric tokens by definition should never be shared. A website being hacked should never affect me in the slightest, in the same way that me getting hacked doesn't somehow suddenly mean attackers now own Debian/Apple/FreeBSD/Microsoft. Everywhere should just have public keys. We've had the tech for decades and sufficient crypto speed on client systems since at least AES-NI. What's been missing has been glue and effort. It's frustrating every time a hack happens. We shouldn't have to care! Sigh.

Very much agree.

My pet peeve at the moment is this[1], where they removed a feature I very much like (TouchID in the standalone browser extension) and still have yet to replace that functionality despite many promises that it is just around the corner. It was removed in August 2020.

Definitely feel like they've lost sight of why people chose them in the first place, and stuff like this is certainly not helping assuage my concerns.

[1] https://1password.community/discussion/115228/temporarily-re...

It's a fundamental concern I've always had with subscriptions for non-entertainment services or trivially fungible goods. I've become a big believer in business incentives and feedback loops for sustainable commercial relationships. Individual leadership and culture can stand against them to some extent for a time, but individuals move on and it seems that near inevitably over enough years organizations tend to track and/or drift according to their incentives and impactful feedback. In a traditional software upgrade model, the default is that they get no money unless they can convince people to upgrade each time. They make their money from overcoming that default, and if people choose not to upgrade that's the most core unignorable feedback for a business that something isn't right. It doesn't guarantee responsiveness or good choices, but it forces them to think about it. From a customer perspective, not paying means the status quo, they don't gain anything new but they lose nothing either.

But with subscriptions it gets inverted. Now for the customer failure to keep paying means losing existing functionality and/or having to expend additional resources (money and time) actively moving to something else. So rather then needing to be convinced to give the company more money, it's more that they need to be convinced not to.

There's a real difference between "a customer base that is very happy" and "a customer base that is merely not irritated enough yet to overcome the inherent energy hump and go looking for a new local minima" and I worry the subscription business model makes that easier to ignore. Not that companies can't in principle find out in other ways! They can do detailed customer polling and so on. But that requires active effort and expense by the company so the temptation will always be to ignore it and follow inertia. This doesn't require the slightest bit of active malice, just a break in feedback loops resulting in drift as a company starts pursuing things from its own tunnel vision. They then look and see the money keep pouring in, so what's the problem? The threat eventually becomes that if the energy barrier is overcome and the stampede begins it's too late. It's a shame to see happen to companies I really really like and have great visions that could be even better.

There is a rub to this too however. In a pay to upgrade model you are incentivised to stuff your application with features and also need to support old versions indefinitely if they have network components.

Granted, in 1Password's case, their classic app would not have stopped working without upgrades. And to my knowledge it should also still work? I have since switched to the subscription model, but I used the old paid app for years after they had switched models.

Using 1Password 6 standalone app here without issues. Dropbox integration still works, and that's all the "cloud" I need.

Same with me with 1Password 4 on Windows, via Dropbox as well

These days if you choose not to upgrade you often lose support, and for security-critical software it seems you want patches... so even if annual or biannual upgrades don't feel like a subscription, they kind of are... just with a longer interval between subscription payments and a slower cadence for feature delivery.

Honestly, I think these things are more about lock-in or perceived lock-in, or simply not wanting to waste precious time. Even though it's actually fairly easy to jump between password managers, it's still a "migration" or another task where, when one's time becomes scarce, the thrill of a sundry task like redoing one's passwords is overshadowed by the laundry list of things one could do with their time instead. Sure, it's nice to tend the garden, but how many other things would you rather spend an afternoon on that either develop skills, enhance life or recreate in one way or another?

We very much agree that this is a pain point for those with the extension. This feature brought users (and also all our developers who rebuild... often...) a huge smile and productivity boost, so removing it was not easy. We had some fundamental issues that affected the way this feature worked which pushed us to rework it. We wanted to share more news[1] once we had some releases in the wild which recently happened.

With a recent release[2] of 1Password for Linux and the 1Password extension, the two can now communicate. Allowing you to use biometrics to unlock the extension and keep it unlocked throughout your browsing sessions.

While this news doesn't unlock this ability right away for yourself (because referencing TouchID I assume means you're a Mac friend). We will be continuing to rollout over the coming months to Windows and Mac.

[1] https://1password.community/discussion/comment/591579/#Comme...

[2] https://1password.community/discussion/119609/1password-for-...

Hi! I work for 1Password. We have this functionality available in beta with our 1Password for Linux app. It will be available on Mac and Windows in the not-too-distant future, though I can't say more specifically when that will be.

[1] https://1password.community/discussion/comment/591579/#Comme...

Can you explain why this was removed, and why it was re-introduced on a platform other than OS X (given that biometric identifiers have become standard in Apple hardware)?

To elaborate on what my colleague, Ben, said, we have been in the process moving to more common cross platform code.

A bit more than a year ago we had:

- 1Password for Mac and iOS, written in Objective-C and Swift
- 1Password for Android, written in Java
- 1Password for Windows, written in C#
- 1Password CLI, written in Go
- 1Password web-app, in TypeScript
- Browser extension, in TypeScript

Introducing new features was an ever more difficult task. Even getting the behavior of things like password strength meters or generators behaving the same across these platforms was increasingly difficult. (Hint, they didn’t behave the same.)

So we have been taking the time to develop a common core of code that can be used everywhere. And this does take time. Writing the common modules is often relatively easy, but we have to get them to work with the platform-specific code.

Late 2019 was our first successful deployment of any such function, and that was the TOTP calculator. It was largely transparent to users, except for settling on which sorts of TOTP “quirks” we were going to follow. (TOTP standards are a mess, and different authenticator apps deal with special cases differently. At least 1Password is now fully consistent with itself.)

Over the past year, we’ve been plugging more such things into the apps. And it allows us to fix bugs more quickly as well when they are in the common code.

1Password for Linux is built on all the new/common code. So while it doesn’t have everything that the others do, it is also where you will see the new stuff that is coming.

This has been a huge effort, and the transition has some rough spots, but once we get there we will be able to move much more quickly in developing and refining features and behaviors.
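The “TOTP quirks” mentioned above are a good illustration of why one shared implementation matters. Below is an added example (not 1Password's code and not from this thread) of RFC 4226 HOTP and RFC 6238 TOTP in plain Python, with the secret-parsing leniencies that authenticator apps commonly have to agree on: lowercase Base32, embedded spaces or dashes, and missing `=` padding. The drift window in `verify_totp` is an assumption about policy (plus or minus one step), not something the post specifies.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_base32_secret(secret: str) -> bytes:
    """Decode an otpauth-style Base32 secret while tolerating common quirks:
    lowercase letters, embedded whitespace or dashes, and stripped '=' padding.
    These are exactly the special cases where authenticator apps tend to differ."""
    cleaned = "".join(secret.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8 chars
    return base64.b32decode(cleaned, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238: TOTP is HOTP with the counter derived from the time step."""
    return hotp(key, (unix_time - t0) // period, digits, algorithm)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept a code from the current step or up to `window` steps either side
    (assumed drift policy). Comparison is constant-time to avoid timing leaks."""
    step = unix_time // period
    for delta in range(-window, window + 1):
        expected = hotp(key, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret in the lenient formatting some apps export.
    key = normalize_base32_secret("jbsw y3dp ehpk 3pxp")
    now = int(time.time())
    print("current code:", totp(key, now))
    print("verifies:", verify_totp(key, totp(key, now), now))
```

The RFC 6238 appendix test vectors (ASCII seed `12345678901234567890`, 8 digits) are a convenient self-check for any implementation like this, and are what the accompanying test asserts on.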

This is an excellent answer, thanks.

Reading between the lines a bit - biometric authentication was deprecated (from ‘for Mac’) as it was broken or at risk of breaking, and further dev on legacy code was moot due to the transition?

Close: 1Password for Mac itself can still unlock using Touch ID on supported systems, it is just the integration between 1Password for Mac and the 1Password browser extension that is currently lacking. It is possible to use the 1Password Classic extension in order to have that functionality, but we're defaulting to the former now as there are so many other improvements you lose out on otherwise.

It was removed because we needed to change directions on development and continuing to maintain it as well as build out the new implementation was untenable. It came out on Linux first because the Linux app was developed with it in mind, whereas on other platforms we were re-working existing systems to integrate with it. The former materialized quicker.

- Ben, 1Password

Yeah, definitely taking them longer to get this back than they’d planned. Fortunately the ‘classic’ extension for chrome still exists and works.

Link: https://support.1password.com/cs/1password-classic-extension...

I prefer the above classic extensions for switching between Chrome, Safari, Firefox and Edge all day and not having to sign in more than once. Plus the better desktop app integration, including the ability to opt-out of cloud storage of passwords.

I use Touch ID to unlock 1P in Safari regularly every day. What are you saying isn't working?

Did you ever look at a password manager like saas pass that does not need a desktop app and the browser extension is a full blown app that is protected by 2fa?

> I specifically want my non-technical family and friends to use password managers

I consider it a victory if I can get non-techies to use their browser's facilities to store passwords, and then to choose reasonably long passwords and avoid reuse.

(I use `pass`, myself.)

I use a password manager but, as a mostly-Apple user, I see very little reason not to just use iCloud Keychain: the UX of Apple’s solution is significantly better than all the alternatives because I don’t have to remember yet another password/mfa token to type in every once in a while.

> I use a password manager but, as a mostly-Apple user, I see very little reason not to just use iCloud Keychain

Storing 2FA tokens is one thing iCloud Keychain cannot do (yet?), and it’s the primary reason I use 1Password over iCloud Keychain.

That being said, with Big Sur, 1Password changed its default behavior from being unintrusive to literally obscuring input fields with big “unlock 1Password” pop-ups.

I’m currently evaluating using either Password-store or Bitwarden with bitwarden_rs as a backend as I really don’t want my logins synchronized anywhere I don’t control.

> That being said, with Big Sur, 1Password changed its default behavior from being unintrusive to literally obscuring input fields with big “unlock 1Password” pop-ups.

That's not a Big Sur thing, that's a 1Password thing (I've not upgraded to Big Sur still).

This UI change is what may drive me away from a family plan if it doesn't get addressed.

1Password > Prefs > Browsers > Untick 'automatically show inline menu' — may help. If not please write to our support team and we'll be happy to work with you.

This is the first thing I disable in settings

I think the fingerprint auth stuff Apple’s working on will replace MFA: as I understand it, in Safari, the MacBook’s Fingerprint sensor implements the same protocol as a Yubikey or similar.

One can only hope (and fear) they utilize the secure enclave for this task.

Hope because it would allow me to utilize my Mac as a Yubikey. I have no idea how they would synchronize it to all Apple devices, but I'm fairly certain they will find a way.

Fear because it will pretty much guarantee I cannot use my password manager on other platforms.

I already use Secretive (https://github.com/maxgoedjen/secretive) to store SSH keys in the secure enclave with touch id integration, and it works really well. I also keep a couple of Yubikeys as backup :)

Most password managers support auth with touchid/face id these days, I believe.

The value prop if you're 100% on-Apple, and OK with this fact, is hard to challenge. If you have some non-apple devices that need passwords, that's where having a third-party password service makes sense.

FWIW, I use `pass`, as a mostly-Apple person who also owns a few linux devices and occasionally requires passwords while `ssh`'d into servers.

iCloud Keychain is ‘good enough’ if you are 100% in the Apple ecosystem, but there’s a lot it could do better, including password sharing as well as password export. Most glaringly, there’s no support for storing additional metadata alongside the password; e.g. all the made-up answers to “what was the street you grew up on?”, etc.

I'd love to use a built-in service, but I need a service that has a web UI + Windows support + sharing support for family.

BitWarden ties into iCloud somehow. I unlock it with my fingerprint.

I chose Bitwarden because I like my passwords with a third party rather than the big guys (Google/Apple/etc.). It works fine as both a desktop client and browser extension.

Honestly, I think solutions to many of these problems have been put into practice in the cryptocurrency space.

There are commercial entities today that I don't have to trust, but will help me set up multiparty signatures for sending Bitcoin transactions. I could see a similar mechanism being used for creating/revoking/recovering a compromised identity.

Hierarchical deterministic wallets seem a decent blueprint for identity. If I can generate arbitrary pubkeys from a single seed, then I maintain my privacy across providers I use my identity with.

I used to think that the blockchain itself could make for a decent revocation list, but I don't think that's even necessary. Maybe it's simply time for governments to grow up and accept that the internet is critical now and as such provide basic digital identity services as they do with travel documents today. It doesn't have to be perfect, just publish revocations on behalf of citizens.

I purchased my first 1Password license when it was version 3, and have faithfully upgraded to every standalone version ever since. These days I’m not so sure I will be upgrading again (and I’m not sure there will be more stand alone versions).

The latest version is a mess on Big Sur, with unlock fields obscuring input fields, conflicting with Apple's iCloud Keychain, and just not working like I expect it to.

Furthermore, stand-alone versions are buried deeper and deeper behind a cloud service subscription that brings me absolutely no value over what I already have, and adds the uncertainty of having to synchronize my most secret secrets to a cloud service.

While I can certainly forgive software errors, this has been going on for so long that I’m beginning to suspect it’s either a strangler pattern to get people to switch to the cloud solution, or it’s death by a thousand cuts.

In any case, I’ve begun evaluating alternatives. Bitwarden looks promising (though nowhere as polished), is open source, and allows me to synchronize to a service on my LAN.

Password-store uses gpg and git that also allows me to synchronize locally (though it leaks website names without the vault extension which is not supported on iOS).

Finally I’m evaluating Yubico authenticator for 2FA codes and just using iCloud Keychain for the rest.

I don't understand why people think it's some nefarious dark pattern. It's perfectly clear, the old 1Password app is winding down, the future is their hosted version.

The only way to even download the app is if you already knew about its existence before. It's not a dark pattern, it's just directing people who sign up for 1Password today into their actually supported product instead of the end-of-lifed one. Your app will continue to work for some reasonable amount of time until some version of macOS breaks it, then you can either pick another one from numerous competitors or go with their hosted version. Sounds to me like you'll need to look into the alternatives given your requirements. It is what it is, no need to attribute it to malice.

It is a dark pattern for those who put in massive time investments with the understanding that they could have the control as time went on.

Some of it is not 1Password’s fault (macOS shoves everyone to new versions with new application APIs), but not only do I now pay more for 1Password by having to use the subscription instead of a one-time purchase that could last years, but I’m now nervous about having all my eggs in one cloud basket, so to speak, and more nervous the more cracks I see in the 1Password UI.

Source: have also been with 1Password since v3.

I still think it's pretty terrible that they previously sold a lifetime license which no longer applies to the latest versions.

You can disable the integration into the form fields. It’s the first thing I did as it never really worked.

Just out of curiosity, as someone who selfhosts Bitwarden, how is 1Password so much more polished?

I’ve never used 1Pass. Just, I’m always amazed by how well Bitwarden works and how there’s not really features I’m lacking.

As someone who switched from 1Password to Bitwarden a year or so ago, there are a few features I miss:

1. The ability to customize keybindings.

2. If I try to autofill a form field, and BW is locked, then nothing happens. The same task in 1P will actually prompt me to unlock 1P, then I am able to autofill the field.

3. If I create an account for a site not saved in BW, and BW is locked, then I am not prompted to save the login. However, 1P will prompt to unlock itself so that I may save the login. Also, the prompt for saving logins rarely works for me using BW, but worked rather well for me using 1P.

4. BW is not as keen as 1P for auto-filling various form fields.

5. I like storing software licenses, wi-fi passwords, bank accounts, etc. in 1P vs. secure notes in BW.

6. I am not a fan of BW's folders for organizing logins.

7. BW relies too heavily on mouse usage for my liking. I felt that 1P had much better keyboard navigation.

There are probably other things I am missing, but with all that being said, I still have not left BW to return to 1P nor do I plan to anytime soon. Though, I will admit I miss many features from 1P still.

Besides what others have mentioned, there is one feature I really miss from not just Bitwarden but almost every other password manager. I basically just want a password manager that can store my secrets (2FA tokens included!) in an encrypted format, integrates with filling passwords on desktops and handheld devices, AND is able to (two-way) synchronize this encrypted storage as a simple file to whatever storage I prefer.

That might be iCloud, OneDrive, WebDAV, S3, or simply just an SMB server on my local network. My main negative point about Bitwarden is that it either requires me to store passwords in a cloud on a subscription service, or it requires me to self-host something.

Self-hosting is (probably) fine if we're talking a Plex server or something that isn't mission critical, but hosting a Bitwarden server suddenly requires me to be a sysadmin in my spare time, something I'd rather keep to my day job (and nights when operations calls, and weekends when things need upgrading).

The only password manager I've found that ticks most boxes is password-store (https://www.passwordstore.org/), but it lacks in browser integration, and by default leaks web addresses for the stored secrets. Other than that it works well. It's self-contained, and uses git for synchronization, meaning I can be "on the go", add a password, and synchronize it to a local git service on my LAN when I get back home, or in case I need it on another platform _now_, I can connect through VPN and synchronize.

Two things I miss in Bitwarden coming from 1Password are:

1. One shortcut for unlocking and auto filling. There is a long open issue[1].

2. Not needing to unlock the extension to add a new login entry. 1Password just detects new logins even when the vault is locked.

Otherwise Bitwarden is really solid.

[1] https://community.bitwarden.com/t/autofill-shortcut-should-o...

There's an open PR for 1. though it's ignored by the maintainers unfortunately https://github.com/bitwarden/browser/pull/987/files

This looks interesting. We use 1Password, and I always thought it would be useful to programmatically pull values out and use in our cloud infrastructure.

Currently we end up using the secret managers available in AWS or GCP, which seems pretty half baked. In GCP, for example, secrets are stored at a project level. It's not unusual to have certain secrets that are needed by more than one project, which means they get duplicated. The granularity also prevents me from controlling which secrets are visible to a given user.

I'd love to have one centralized source of truth for all infrastructure secrets.

This is why we use Vault. Until recently, there was no good option to host it, so you had to manage it.

It's good to have independent competition in this space.

[I work for 1Password]

1Password is not competing with Vault. In fact we have very good relationships and mutual respect with HashiCorp on many levels.

Also, Secrets Automation integrates (acts as a provider) with HC Vault[1].

1. https://github.com/1Password/vault-plugin-secrets-onepasswor...

They're not competing with Vault; they see this as an alternative for simpler use cases where Vault is overkill, or a complementary product otherwise.

Also it would be cool to unlock the vault via 1password.

For AWS and GCP you can set up cross-project permissions. I've run a single project of secrets, which grants specific access to various service accounts.

My team uses 1Password to share account credentials, etc. When we need to deploy secrets into production, we use AWS Systems Manager Parameter Store.

The name is quite a mouthful, but we have found the service to be awesome. We have a small Python script that loads a script with environment variable definitions from the Parameter Store and we use that as an EnvFile for our systemd services.
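The "small Python script" pattern described above (Parameter Store on one side, a systemd `EnvironmentFile=` on the other) is easy to get subtly wrong around quoting and variable naming, so here is an added example of it; this is not the poster's script. It assumes boto3's `ssm.get_parameters_by_path` (the pagination via `NextToken` and the `WithDecryption=True` requirement for `SecureString` values are real boto3 behaviour); the `FakeSSM` class is a constructed stand-in with the same call shape so the block runs offline, and the parameter names and values are constructed sample data. Values are emitted double-quoted with backslash escapes, which is the quoting systemd's `EnvironmentFile=` parser accepts.

```python
import os
import re
from typing import Iterable, Iterator, Mapping

# systemd only accepts shell-style variable names; anything else is rejected loudly
# rather than silently producing a line the service can't read.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def env_name_from_parameter(name: str, prefix: str) -> str:
    """'/prod/web/cache/redis-url' under prefix '/prod/web' -> 'CACHE_REDIS_URL'."""
    rel = name[len(prefix):].strip("/")
    return rel.replace("/", "_").replace("-", "_").upper()


def quote_env_value(value: str) -> str:
    """Double-quote a value for EnvironmentFile=, escaping backslashes and quotes
    so passwords containing spaces, quotes or '#' survive intact."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_env_file(parameters: Iterable[Mapping[str, str]], prefix: str) -> str:
    """Turn Parameter Store records (dicts with 'Name'/'Value') into EnvironmentFile text."""
    lines = []
    for param in sorted(parameters, key=lambda p: p["Name"]):
        key = env_name_from_parameter(param["Name"], prefix)
        if not ENV_NAME.match(key):
            raise ValueError(f"{param['Name']!r} does not map to a valid variable name")
        lines.append(f"{key}={quote_env_value(param['Value'])}")
    return "\n".join(lines) + "\n"


def fetch_parameters(ssm, prefix: str) -> Iterator[Mapping[str, str]]:
    """Page through get_parameters_by_path. WithDecryption=True is what makes
    SecureString values come back in clear text; without it you get ciphertext."""
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        yield from resp.get("Parameters", [])
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def write_env_file(ssm, prefix: str, path: str) -> str:
    """Fetch, render and write with mode 0600: the file holds secrets, so it must not
    be world-readable. Returns the rendered text for inspection/testing."""
    text = render_env_file(fetch_parameters(ssm, prefix), prefix)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return text


# --- Constructed offline stand-in for boto3's SSM client (not real boto3) ---------
SAMPLE_PARAMETERS = [
    {"Name": "/prod/web/db-password", "Type": "SecureString", "Value": 'p@ss "word" \\ 1'},
    {"Name": "/prod/web/API_KEY", "Type": "SecureString", "Value": "abc123"},
    {"Name": "/prod/web/cache/redis-url", "Type": "String", "Value": "redis://10.0.0.5:6379"},
    {"Name": "/prod/other/unrelated", "Type": "String", "Value": "ignored"},
]


class FakeSSM:
    """Mimics get_parameters_by_path's Path filtering and NextToken paging (page size 2)."""

    def __init__(self, parameters, page_size: int = 2):
        self._parameters = parameters
        self._page_size = page_size

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        matching = [p for p in self._parameters if p["Name"].startswith(Path.rstrip("/") + "/")]
        start = int(NextToken) if NextToken else 0
        page = matching[start:start + self._page_size]
        resp = {"Parameters": page}
        if start + self._page_size < len(matching):
            resp["NextToken"] = str(start + self._page_size)
        return resp


if __name__ == "__main__":
    # Real use: ssm = boto3.client("ssm"); write_env_file(ssm, "/prod/web", "/etc/web.env")
    print(render_env_file(fetch_parameters(FakeSSM(SAMPLE_PARAMETERS), "/prod/web"), "/prod/web"), end="")
```

The service unit then references the file with `EnvironmentFile=/etc/web.env`; keeping the file mode at 0600 and regenerating it at deploy time (rather than committing it anywhere) is what keeps the Parameter Store the single source of truth.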

plugging envwarden[0] which is just a tiny open source wrapper around the Bitwarden CLI to let you manage your server secrets inside your password manager.

[0] https://github.com/envwarden/envwarden

> The granularity also prevents me from controlling which secrets are visible to a given user.

What do you mean by this? Each secret has a "Permissions" tab which allows you to grant access to individual IAM users.

You're correct. Not sure if I overlooked it or at some iteration of usage it wasn't there.

We reverse engineered it so we can pull stuff ourselves.

BTW: don’t forget to empty trash in 1P. Noticed the API giving back a lot more stuff than expected and that is why.

Strange to see this. The product is a mess on macOS right now. Support can’t decide which extension to recommend.

Their messaging has been inconsistent, saying the browser will integrate with the native client. But then also that the browser only version is the future of the product.

This says nothing of the performance and UI problems the product has faced. Recently it was so bad the company was telling people to use the beta version.

I bought the legacy versions and switched to subscription last year.

If I were unfamiliar with 1Password, I'd imagine the product is an absolute dumpster fire from your post.

In reality, the macOS and iOS clients work fine. I have a dozen friends and family members using the product with no complaints on those platforms. I surely haven't seen any performance or UI problems that aren't worse on different services. Sure, there is some current confusion between the use of the 1Password X and classic browser extensions, but it's hardly "a mess."

The iOS app is stable and fine.

The macOS native / extension interaction and choice is a mess.

From a UX perspective, the single most important thing the product can do is interact with the browser effectively. Embedded in this "feature" is that the product is stable, and responsive in behavior.

If you go to the Chrome Web Store, 1Password extension page and sort by recently updated, you'll see review after review of 1-3 stars, carefully explained problems with this product.

Regarding inconsistent messaging, their support is promising they're working on native app integration but there is no timeline for this.

That's why this news is kind of a bummer. The product that I'm subscribed to is competing with this new product for resources.

There’s also 2 native apps - if you install from the App Store, you don’t get all the same OTP features as an install from the website download

That is a limitation imposed by the App Store's rules. We're unable to use the screen recording system permission to look for QR codes on screen. Otherwise all of the OTP features are there. You can drag and drop a QR code onto the reader to add an OTP to a record, for example.

- Ben, 1Password

Ben, can you address what is going on with the password save UX / convert to login flow?

I can try. Would you mind elaborating on what the issue is? What are the steps you're taking, and what is or isn't happening as expected? I don't work on our extensions directly, and it may make more sense to put you in touch with the folks who do, but I'm happy to take a look.

Hey Ben, I'm not the person you're replying to but I'm a long time paying customer and I have observed the same problem. See this post https://news.ycombinator.com/item?id=26799379 below that explains the issue in detail. Creating new login items is a needlessly complex multi-step process that involves converting a password item to a login item and manually filling in your username.

It's really hard for me to understand how you can have an otherwise great product but are failing at what I would argue is one out of the two most important features (creating logins and autofilling).

Thanks for the pointer! It looks like my colleague Oliver, who is on our extensions team, replied there. :) I hope what he had to say helps.

Thank you for the response. I didn't realize there was a different version of the chrome plugin. Will give it a try!

I’ve used 1Password for years and had no idea you could drag/drop a QR code on to the reader.

Disagree. Currently the product IS a dumpster fire imo. On macOS, half the time auto fill doesn't work. Saving a password is very inconsistent. When you auto generate a password, the least resistance UI workflow is to first save and fill it - but then when you create the account it is saved again, making it a duplicate. And don't get me started on the Windows client - on my fast gaming PC it takes forever just to unlock the vault.

I've cancelled my subscription and won't renew once it runs out.

Yes the password save, something that should be the bread and butter of UX is so awkward. It’s painful.

Sorry. :( We've made some big improvements here recently. This post may help: https://news.ycombinator.com/item?id=26805943

And the “Convert to login” button is hidden away now for some reason.

I wouldn't say the product is a dumpster fire, but core workflows are a mess. This is how you generate and save a password for a new site:

1) Extension button > Generate Password > Save & Copy
2) After creating account, extension button again > select entry > Edit
3) Click Save in opened modal
4) Click Convert to Login in opened modal
5) Click Edit in opened modal
6) Manually type in the username/email you used on the site
7) Click Save in opened modal
8) Close the modal

And this (generating and storing passwords for new accounts) is the main workflow of the product!

Yes, this convert to login only after the item being saved makes little sense. It took a few times of catching the button being shown to figure out the pattern of clicks needed to do this fundamental aspect of what the product is intended to do.

There are a few threads related to saving, and I wasn't sure which to jump in to, but I wanted to share a few of the ways we've tried to make saving better in the newer extension.

First of all, we have a new "Generator History" section, which contains passwords created by the generator. These are always available if you need them, but don't show up alongside other items, so are less important to clean up.

We've also been working on a brand new saving experience which is currently in beta. If we miss a field from the page, you can add it before you save. You can also add tags, and when updating items, see a side by side diff of the changes. There's a screenshot here if you're curious: https://twitter.com/oliverdunk_/status/1382302050369875969?s...

It sounds like you have a subscription so if you haven't already, I'd encourage you to give the new extension a try. I totally understand that native app integration might be a requirement for you there, and I'm sorry that it felt like you were getting mixed messaging. Really both things are true - we don't have a timeline for this, since it's a big bit of work and we want to get it right. Support are absolutely correct too though - we're actively working on this, and the integration with 1Password for Linux's beta is the first step, with support for other operating systems very much on our mind.

- Oliver, 1Password

Just gave the new (I guess formerly 1Password X?) extension a try and it does seem to handle saving and updating new accounts much better. Props for that, and maybe something to try for anyone else still using the old native app extension.

This is very cool. I spent about 20 minutes playing with it and was successful in setting it up and getting some janky Python code to work with it. The fact that it's a local sync daemon with a local API is super smart. No worries about cloud outages.

Is Hashicorp vault "better"? Probably. However for groups that don't have the time and resources for Vault, this is a great first step. Much better than what most do which is no proper secret storage.

Another reason for the local hosting is so that we (I work for 1Password) are never in a position to acquire secrets that can be used to decrypt your data.

Fair point, I hadn't thought of that. Makes perfect sense and gives me the warm security fuzzies.

The article is a little light on details but this seems like a cool addition to 1Password.

The op CLI is alright, but having to re-unlock it every 30 minutes (plus I'm shell dumb, so my session is nuked every new tab I open) means there's quite a lot of friction compared to the desktop version, where I just double tap the side button on my Apple Watch.

I wonder if this could be a potential alternative in some roundabout way


Somewhat unrelated rant

I like 1Password and after having tried a whirlwind of password managers, it's still the most seamless (plus having templates for things like cards, licenses and so on is useful)

I don't even mind paying the relatively small subscription fee.

That said, in the same sense that you generally know you've resigned months before you write the letter, I still remember there was a forum thread where one of the employees was seemingly user hostile.

On second thought, I don't even remember what it was about but I remember the feeling of slight frustration. Not in the entitled sense but the sense that there didn't feel like an attempt to understand the concern from the other side.

Very vague but does anyone perhaps know what this event was again? I want to say, something about supporting local vaults? I dunno, that isn't even something I was concerned about.

Probably about them not supporting personal hosting as well anymore. I get that customers got angry, but as someone who started using their product after that, with their hosting, they have been nothing but nice and receptive to feedback.

Here's to hoping there's finally a Hashicorp Vault competitor. It's shocking that the only mature option for runtime secret delivery is Vault after all these years.

Some companies have created 'competitors', but they aren't even remotely mature (google secrets manager, aws secret manager, etc)

Vault is open source, it looks like 1Password Secrets is closed source. Not really comparable. Probably not aimed at the same people.

[I work for 1Password] 1Password is not competing with Vault. In fact we have very good relationships and mutual respect with HashiCorp on many levels.

Also, Secrets Automation integrates (acts as a provider) with HC Vault[0].

0: https://github.com/1Password/vault-plugin-secrets-onepasswor...

We use EnvKey [0], it's far friendlier to use than Vault and very mature. My only dislike is the Electron based app, but I so rarely have to open it that I can live with it.


Still no option to self host.

The founder of Envkey claimed they were working hard on V2 and self hosting 1.5 years ago[0] so it’s anyone’s guess as to why that’s been delayed/isn’t happening.

[0] https://news.ycombinator.com/item?id=21226715

Hi, I can assure you that it’s very much still in the works! It’s taken much longer than we wanted or anticipated, as we’re addressing a lot more than just self-hosting (though that’s an important piece). But we’re on the home stretch. Stay tuned.

Also a big fan of EnvKey here. We used them for over a year but ended up moving to AWS parameter store as part of a wider migration. Ability to self-host could have helped us stay on there longer, we just didn't want external dependencies in such a critical path. But otherwise, it served us well with zero hiccups.

I've had good luck with Azure KeyVault.

Ditto. The managed service provider vs. user-assigned RBAC was confusing at first, but now I am happy that I took the time to understand it. Also, the Azure cloud's handling of vaulted passwords in log files from services like Logic Apps is absolutely badass.

> Also, the Azure cloud's handling of vaulted passwords in log files from services like Logic Apps is absolutely badass.

This is particularly interesting to me. Is there a good doc page or blog post that you're aware of that covers these capabilities? I'm curious and would love to learn more.

KeyVault is ideal when combined with Managed Identities. I would not leverage any service that required a connection string to access a secret.

The two you mentioned have ingrained business reasons to only work with "their" ecosystem. You need someone from outside to have an incentive to work with all.

What are your criticisms of Google secrets manager? It works well for me, but it's the only one I've used so I don't know much about the competition.

By far the biggest missing control is you can't restrict access to google secrets manager by source CIDR.

There were a bunch of other smaller nitpicks, but that was the overwhelming reason last time I looked at it.

IAM policies are designed for this reason, not IP-based access controls.

E.g. in AWS you can specify the source CIDR range in an IAM policy.
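As an added example of the point above (my code, not AWS's evaluation engine, which is far more involved), here is a constructed policy that uses the real aws:SourceIp condition key with the IpAddress/NotIpAddress operators, next to a reduced model of how IAM combines it with an explicit Deny. The CIDRs, the account id, the secret ARN and the source addresses are all constructed. It goes slightly beyond the comment by also showing what the evaluator does when the key is absent from the request context.

```python
import fnmatch
import ipaddress
from typing import Any, Dict, List

# Constructed policy: allow reading one secret, but explicitly deny any Secrets Manager
# call whose source address is outside the "corporate" ranges. Explicit Deny beats Allow.
CORP_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]
POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-*",
        },
        {
            "Effect": "Deny",
            "Action": "secretsmanager:*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_CIDRS}},
        },
    ],
}


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _ip_in_any(source_ip: str, cidrs: List[str]) -> bool:
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    """Every operator/key pair must hold. A key missing from the request context makes
    the positive operator false and the negated operator true, as IAM does for Not* operators."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            present = key in context
            if operator == "IpAddress":
                ok = present and _ip_in_any(context[key], _as_list(values))
            elif operator == "NotIpAddress":
                ok = (not present) or not _ip_in_any(context[key], _as_list(values))
            else:
                raise NotImplementedError(f"operator {operator} not modelled in this example")
            if not ok:
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str, context: Dict[str, str]) -> str:
    """Reduced IAM decision: any matching Deny wins, else a matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-db"
    for ip in ("10.42.0.7", "198.51.100.9"):
        print(ip, evaluate(POLICY, "secretsmanager:GetSecretValue", secret, {"aws:SourceIp": ip}))
```

One caveat worth checking before copying the pattern: aws:SourceIp is only populated for requests arriving from public addresses, so calls that reach the service through a VPC endpoint carry no value for it (AWS provides aws:VpcSourceIp for that path), and a NotIpAddress deny like the one above will then fire, as the empty-context case in the model shows.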

You also have options like https://www.doppler.com/.

1Password is great software. I think I've finally switched over to their more all-encompassing extension on Safari and I love it. Glad to see them doing more, I am happy every time I use their software.

I've been deep in the k8s on Raspberry Pis world recently and ran across someone who was doing this with Bitwarden for their personal setup. I use 1Password as my password manager of choice and was immediately trying to find ways to do something similar using the 1Password CLI, so this is very convenient timing.

Is anyone familiar with the secure introduction workflow using HashiCorp Vault? An orchestrator gets no more than a one-time-use "cubbyhole" introduction token for a service that it is initializing. The initializing service uses the intro token to get actual credentials and secrets from the Vault. The orchestrator never touches any secrets: no secrets need to be passed as env variables anymore. With this setup, the person/service that seeds secrets into the Vault and the introduced system that uses the secrets are the only two that may ever touch them. Not sure how well this is actually documented, but I gleaned enough from docs and a tech talk to figure the workflow out. It's pretty intuitive once you dig in.

Is this the same as seal wrapping that you are referring to? Honestly Vault is one of the best pieces of software that I have the joy of using, I use it on many projects small to large.

Yes, precisely. Wrapped tokens and cubbyholes. Vault is great. They put a ton of effort into it.
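The exchange above describes Vault's response wrapping: the orchestrator receives only a short-lived, single-use wrapping token, and the service it starts redeems that token once for the real credentials. As an added example that is not part of the thread or of Vault itself, here is a constructed stand-in for the two sides of that protocol. ToyVault, its paths, the token format and the credential values are all invented for the illustration; the real equivalents are `vault kv get -wrap-ttl=60s <path>` on the orchestrator side and `vault unwrap <token>` on the service side.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class UnwrapError(Exception):
    """Raised when a wrapping token is unknown, already redeemed, or expired."""


class ToyVault:
    """Minimal stand-in (constructed) for Vault's KV store plus response wrapping."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._kv: Dict[str, Dict[str, str]] = {}
        # wrapping token -> (payload copy, expiry). Real Vault stores the wrapped
        # response in the token's own cubbyhole, readable exactly once.
        self._cubbyhole: Dict[str, Tuple[Dict[str, str], float]] = {}

    def kv_put(self, path: str, data: Dict[str, str]) -> None:
        """Seeding side: whoever writes the secret is the only other party that sees it."""
        self._kv[path] = dict(data)

    def read_wrapped(self, path: str, ttl_seconds: int) -> str:
        """Like `vault kv get -wrap-ttl=...`: hands back a single-use token, never the data."""
        if path not in self._kv:
            raise KeyError(path)
        token = "toy-wrap-" + secrets.token_urlsafe(24)  # hypothetical token format
        self._cubbyhole[token] = (dict(self._kv[path]), self._clock() + ttl_seconds)
        return token

    def unwrap(self, token: str) -> Dict[str, str]:
        """Like `vault unwrap`: consumes the token and returns the payload exactly once."""
        entry = self._cubbyhole.pop(token, None)
        if entry is None:
            raise UnwrapError("token unknown or already unwrapped")
        payload, expires_at = entry
        if self._clock() > expires_at:
            raise UnwrapError("token expired")
        return payload


def orchestrator_introduce(vault: ToyVault, path: str, ttl_seconds: int = 60) -> str:
    """Orchestrator side: obtains only the wrapping token to pass to the new service."""
    return vault.read_wrapped(path, ttl_seconds)


def service_bootstrap(vault: ToyVault, wrapping_token: str) -> Optional[Dict[str, str]]:
    """Service side: unwraps once. A failure means the token was already redeemed by
    someone else (possible interception) or is stale; refuse to start and alert."""
    try:
        return vault.unwrap(wrapping_token)
    except UnwrapError as exc:
        print(f"bootstrap aborted, possible token interception: {exc}")
        return None


def demo(clock: Optional[Callable[[], float]] = None) -> Tuple[Optional[Dict[str, str]], Optional[Dict[str, str]]]:
    """Runs the introduction once, then replays the same token to show it is single-use."""
    vault = ToyVault(clock or time.time)
    vault.kv_put("secret/db", {"username": "app", "password": "constructed-example"})
    token = orchestrator_introduce(vault, "secret/db")
    first = service_bootstrap(vault, token)   # legitimate service receives the credentials
    second = service_bootstrap(vault, token)  # replay of the same token is rejected
    return first, second


if __name__ == "__main__":
    print(demo())
```

The detection angle is the part worth keeping in mind: because the token can be redeemed only once, a service that fails to unwrap has evidence that the token was used (or expired) before it arrived, which is the moment to refuse to start and raise an alert rather than fall back to some other credential path.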

This feature seems really great, I have been waiting for a long time for them to fix filtering on hostname and port for OSX. This is really annoying for local development with docker. https://1password.community/discussion/99568/add-port-number...

I was hoping this was a way to automate changing my passwords. That's something no password manager does, and it would be great if I could rotate my hundreds of passwords on a regular basis.

LastPass has been auto-changing passwords for quite awhile now [0]. I am a 1Password user, but I've considered making the switch to LastPass for this feature alone.

- [0] http://blog.lastpass.com/2014/12/introducing-auto-password-c...

Wow that's amazing. I had no idea that existed anywhere, let alone for years now! Thanks for pointing that out... I wonder how many sites now actively support that, how it works with 2FA, etc. I have hundreds of passwords, many not from big shops. Hopefully 'it just works' with these.

It goes against most services' TOS.

The documentation is very sparse. I have a few questions.

- Why does the integration require two servers with exposed ports? The REST API documentation doesn't say which service I need to connect to for the resources, so I assume the answer is the API server, so what does the other server listen for?

- How do I request a TOTP? In particular, am I correct in my assumption that the implementation is simply providing you with the TOTP seed values, rather than a TOTP?

- Is there any audit logging whatsoever?


> - Why does the integration require two servers with exposed ports? The REST API documentation doesn't say which service I need to connect to for the resources, so I assume the answer is the API server, so what does the other server listen for?

The server you'd interact with is the API server. The other server is responsible for syncing. The fact that there are two was a design decision.

> - How do I request a TOTP? In particular, am I correct in my assumption that the implementation is simply providing you with the TOTP seed values, rather than a TOTP?

I don't believe we can provide the current OTP value as it stands. This is something I'd be happy to suggest to the team that we look at for a future iteration.

> - Is there any audit logging whatsoever?

Yes! You can either audit from the container directly, or through the item usage report in the 1Password.com web app.

If you need further assistance please feel free to reach out to us. We'd be happy to help. https://support.1password.com/contact/

- Ben, 1Password
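The question and answer above come down to this: the API exposes the stored TOTP seed, so the consumer has to turn it into the current code itself. As an added example (my code, not 1Password's), here is the RFC 6238 computation a service would run on that seed, plus a constant-time verifier with a one-step window for the side that checks codes. The base32 seed string is the RFC 4226/6238 reference secret (constructed input in this form), and the fixed timestamps are the RFC 6238 test-vector times used to check the arithmetic.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 reference seed ("12345678901234567890"), shown base32-encoded the way
# authenticator apps and password-manager OTP fields usually carry it (constructed input).
EXAMPLE_SEED_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed that may contain spaces and lack '=' padding."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_code(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Verifier side: accept the current step and +/- `window` neighbours (clock drift),
    comparing in constant time so a wrong guess leaks nothing about the right code."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    seed = decode_seed(EXAMPLE_SEED_B32)
    print("current code:", totp(seed))
```

The hashlib import is what lets `hmac.new` resolve algorithm names such as "sha256" if a seed was provisioned with a different hash; 1Password's API, per the reply above, gives you the seed and not the code, so the algorithm, digit count and step have to come from wherever the account was enrolled.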

Thanks for the reply! You didn't quite completely answer my first question. Why does the "sync" server have an exposed port? I'm going based on the docker-compose.yml you provide.

That is a documentation clarification that should be made. That exposed port in the docker-compose is only there so someone running a health check from the host could see it. The docker-compose should be updated to remove the port exposure. Thanks for bringing that up!

Neat, seems it's available to people with a Family subscription, too.

Yes indeed it is. :)

- Ben, 1Password

Ruby support for 1Password Secrets please <3

Unless it's possible to run this on premise I don't see how this could compete with Hashicorp Vault.

https://news.ycombinator.com/item?id=26799528 may help clarify.

Also this component can run on premise

- Ben, 1Password

Maybe first it’s time to add a generate secure password button to the iOS app?

I’ve never commented on a HN post, but finally you’ve all got to me.

Why are people mostly commenting moaning about something completely different to what the article is about? Fine, I get it, you don’t like 1Password’s tactics regarding subscription models. But this is about infrastructure secret management. It’s the same with Google Cloud announcements “hOw LoNg UnTiL tHeY dEprEcAtE iT???” ... boooooooring

The problem with a comment like this is that it actually commits the sin you're complaining about (i.e. not talking about what the article is actually about) worse than the comments being denounced. That can't help.

Shall I edit it and add on that I like using 1Password then? And that I think this new product feature is a really good addition to an already great product?


I've found that HN often chats about something only tangentially related to the article. And I think it's actually part of the culture here. But I agree that when you are passionate about a given topic it is a bit of a letdown when the comments are not directly about the article.

Note that we've both commented on something different from the article in this case.

Yes, the irony wasn’t lost on me haha!

I do like using 1Password, it does make life a bit easier, and I’m grateful for its existence.

I think this is an interesting offering and will take it for a spin soon!

Good comment. I disliked the 1P subscription model and moved to paying Bitwarden for personal use, but I use 1P for work and it's a perfectly cromulent functional system, and works well.

Secrets management for network systems has been an issue since before Kerberos. Having different models, isolating secrets from the repo and deployment codebase into a 3rd-party module, is one of the rational choices.

I would want to understand a secure secret import and export model, much as for an HSM you want to know how to move shrouded keys (if it's not in FIPS mode, I guess).

Thanks! It seems I started using 1Password after its model changed, so I’ve never had to really think about it, but I can appreciate the frustration.

I’m happy to just have another offering in the world of secrets management

Amazing product really works amazing great this is my password can I login to all the websites? Yes I can.

Why would anyone trust their passwords with closed source software, when there are alternatives out there that are open?

Because it works seamlessly on all of my devices and has done so for years. Never encountered any issues and syncing happens within seconds.

Amusingly enough 1Password's main area of pain (for me) has been integration with Safari itself. It's much better on Chrome until you turn off Apple's password thing in Safari.

It works great to have both enabled on iPhone/iPad however. No idea why they can't fix the overlapping fields in Safari.


I've been quite happy with KeePassXC / KeePass2Android and syncing via Google Drive.

Not sure about Android, but for iOS users it makes no sense trusting open source software. So, even if you choose Strongbox or KeePassium as they're open source, you're still trusting some dude, as you have no option to verify that the iOS build is the same as the build on GitHub.

This is why I prefer to give my password to a company like Bitwarden and 1Password. At least they have less incentive to be malicious than a random dude on the store.

Bitwarden used to be a "random dude" project for quite a while...

Yeah and I’ve never used it while it was a random dude project. You need enough street cred if you want me to trust my whole life in your hands.

- A random dude behind an LLC is still a random dude — but now with limited liability :)
- There is a fake "KeePass" app in the App Store. It is published by a company.

Perhaps time is more important for reputation than being incorporated?

I trust their business incentives more than my ability to self-host securely and I value the convenience more than the extra cost.

Everyone shits on SaaS pricing because, well, for many, many well-documented reasons.

But with 1Password, I'm paying $55 per annum for 5 licenses for a product that works exceptionally well. Convenience and security here is absolutely important.

And if it means I can throw a license at my girlfriend, who previously had a similar password between banking and her wifi and everything in between, and I can set her up, eat $1 a month on her behalf and EASILY onboard her vs. a stand-alone license, which is not convenient, you can count me as a happy subscriber. 1Password's pricing is great, and I get an awesome product in return.

I don't get the blind "all SaaS products suck and are dark patterns" vitriol that we see on HN so often.

Hah. With the gimmicks, tricks, and dark patterns this company has pulled with consumers, what are the chances professionals would trust them with something like this?

This is getting a lot of downvotes, but I agree with it to a certain degree. Have a look through the AgileBits support forums and you'll find all the dark patterns you want - the most famous being their hiding of buy-outright options to push you to subscription, and the crippling of Dropbox sync to try to push you to their proprietary sync service. I've used 1Password for well over a decade, but a lot of their tactics in the last couple of years left a real sour taste and prompted me to try out every alternative available. Luckily for AgileBits, the alternatives are all appalling.

Yup. After using 1Password since 2014, I'm now in the very painful process of migrating to LastPassXC and syncing locally with my NAS. The way they push you to use the cloud was incredibly souring. They lost a happy customer.

To respond to some of the sibling comments:

1Password originally operated on a licensing model, but has since switched to a membership model.

It is still possible to purchase a single license, but they make it very difficult to do so. The option of a standalone license is not mentioned anywhere on their pricing page: https://1password.com/sign-up/

As I understand it, only once you have downloaded the app and are logging in do they mention that standalone licenses are available. (But, at least on Mac, this option is only available on the version of the app downloaded directly from their site, and not the version downloaded from the Mac App Store.) This support thread shows some users' frustration with this, and their support team's insistence on pushing users to the subscription model: https://1password.community/discussion/102412/where-do-i-buy...

I'm not entirely certain of the differences between the subscription model and the standalone version, but I believe the primary difference is that the subscription model will automatically sync your passwords between multiple devices.

You can achieve similar functionality with the standalone license version by storing your vault (1Password's password file) in iCloud or Dropbox, and relying on that for syncing. I use the Dropbox version and it works incredibly well, even on iOS! I think they also support Google Drive for syncing on desktop, but not on mobile. Certainly the syncing offered through their subscription model is valuable, but for users who have other options, it just doesn't make sense.

I gladly paid for a standalone license, and have purchased licenses for my parents as gifts; the product is incredible. The Chrome extension works great, and the app can be your 2FA device, so it will automatically fill in password forms and copy the 2FA code to your clipboard. It works just as well on iOS too.

Thank you for your comment, @CodeIsTheEnd!

We always built 1Password for ourselves. It is so much easier to develop a product that you use yourself every day.

I haven't used the standalone version of 1Password for over 5 years now. The same is true for pretty much everyone working at 1Password.

Why? Because the service is much much better and more than just simple syncing of data:

- Account recovery for family and business team members

- Easy sharing of passwords and documents

- Vault permissions

- Item history/automatic backups

- Free family accounts for businesses

- Travel mode

None of these features are possible without a server doing its part.

- Roustem, Founder of 1Password

There are a lot of comments everywhere expressing hate for 1Password's change to a subscription model. Way more than seem justified.

I'm not overjoyed at "having to" pay a subscription for a password manager, but your points are good ones.

Paying you annually saves me and my family (four people) a lot of time and energy in managing passwords, sharing passwords, etc.

Just wanted to throw out one "+1" for the 1Password subscription offering being a worthwhile expense from my perspective.

I do wish you'd figure out the Chrome extensions on macOS, though. I don't understand why I have to choose between excellent browser integration OR more seamless integration with the native app and fingerprint support in the browser extension.

> I do wish you'd figure out the Chrome extensions on macOS, though. I don't understand why I have to choose between excellent browser integration OR more seamless integration with the native app and fingerprint support in the browser extension.

We're efforting on that! Thanks for the feedback. We currently have better integration with our 1Password for Linux beta, and that will be rolling out to other platforms as well.

- Ben, 1Password

Glad to hear!

I use 1Password for family and LastPass for work, and vastly prefer 1Password's UI and feature set.


I’m a happy user of 1Password, and while I agree that it’s good to build a product for yourself, I’d also argue that it’s valuable to be keenly aware of where you - or your employees - differ from your other users.

I pay yearly for a subscription and sync via 1Password.com

I don’t pay a subscription because I think that it’s important or necessary to sync via 1Password.com, though. I’d happily sync via Dropbox (though it sounds like that has been broken for years and isn’t getting fixed) or iCloud.

I pay because I know it costs money to keep software working nicely with its surrounding environment and to keep it secure.

Apart from the item history - which I disagree needs a server - the other features you list aren't of interest to me. So while I'm a big fan of the product, and I might be an outlier, I hope you're keeping a keen eye on your users' motivations for starting or continuing to pay for subscriptions.

I concur. Frankly, 5 licenses for $55 per annum is more than reasonable. I've got friends and family members on my family plan now, paying $1 per month per user. It is CHEAP.

I mentioned in my sibling comment about Dropbox sync being hampered - since installing 1Password 7 my Dropbox synced vaults never sync without me explicitly opening the app settings and looking at the "Sync" option. It's like Schrödinger's sync. My primary vault now syncs over iCloud and is _much_ more reliable, but we use the Dropbox sync for work.

What gimmicks, tricks, and dark patterns are you referring to?

I've been using 1Password for my personal accounts for probably close to 10 years and have been happy with it. There are some things I feel are clunky, but I've never felt like I was being tricked or deceived by the company.

"It used to be free but now you have to pay" is really the only dark pattern they are guilty of.

To be clear, 1Password has never really been "free." It has always been a paid product. Aside from the mobile apps being made free with limited features, it was previously a paid app, then with the massive push to 1Password's service they made it a lot less free and back to paid again.

If you really want to complain... complain about how they keep pushing for their subscription, making it harder and harder to find a one time purchase.

Or their massive issues with multiple browser extensions that are a complete mess for the average person.

Or how their usability has decreased substantially.

Or how they're less a consumer product and more a business product these days.

Where is your source about it being free?

As far as I remember, I've paid for several versions and upgrades until they forced their crappy subscription service on us.

Not sure about OP, but I can see a clear dark pattern in hiding the non-subscription option to the point where I had to google how to acquire one. At this point I simply gave up and chose another option.

If I have to pay yearly, at least Bitwarden gives me a fair price and comparable service. Maybe 1pass is better than Bitwarden, but it's certainly not 4x better.

I think I'd better describe it as, "It used to be a one-time charge for a license, but now you need to have a subscription."

You can still get stand-alone licenses, but they do suppress that. Part of that I believe is not running afoul of App Store rules, and also because most people are finding it via the iOS and Mac app stores.

I'm still using standalone licenses quite happily, and have no issue with buying new licenses when major versions get bumped.

I don't think it was ever free. It went from standalone licenses to SaaS, but it was always a paid product.

I thought AgileBits was pretty well respected around here. What dark patterns are you referring to?

I'm assuming he's referring to their beginnings of being a mostly local password manager (iirc they also had a one-off lifetime purchase), to forcing people to migrate to their cloud only infrastructure with a relatively high subscription price.

I'd never heard of 1Password before they were fully SaaS, but as I understand it, some of the original users were pretty upset with this move. Either way, I used to be a 1Password customer, and their product, at least on the Mac, was the most polished password manager.

Yes, this. I don't have any problem with paying for updates, or even really a subscription. I have a problem with their hard push to "use our cloud", burying the abilities to not immediately create a cloud account, and the way they respond to customers in their forums when they ask about non-cloud options.

Ref: https://news.ycombinator.com/item?id=20417832

It's exactly this - the original switch to SaaS was a high price to pay for basically what you already had if you had local sync/dropbox setup.

They finally fixed many of the objections with the "family" SaaS subscription and it just works and the price may be "low enough" that I don't bother figuring out a way out of it - but it is still pretty much the perfect example of "locked in".

What do you mean by locked in? When I think of locked in, I imagine it being hard to cancel and move to another service. I switched to 1Password last year from LastPass and the first thing I checked was the process for exporting my data. It seemed on par with LastPass, which was very simple, so I made the switch.

That's the locked in - they have all your passwords and (in theory) could make a change that makes it hard to extract.

Using the term ‘locked in’ to mean ‘some day something maybe might lock me in’ is a huuuuuuge stretch. To the point that I’d say you’re wrong.

What did you switch to if you stopped using 1Password?

Bitwarden. One of the big reasons for doing so was because when I left my company, they took my Mac away from me, so I invested in a new laptop, for me there was no way I was going for Windows or Mac. So Linux it is. 1Password at the time had extremely poor support for Linux - no desktop client, their 1PasswordX was missing a lot of features and was super slow too.

I switched to Bitwarden because it's open source, and because they have a good enough Linux client. Their browser extension and desktop client doesn't come close to what 1Password provided on Mac, but it does the job.

Bitwarden isn't without its issues, but at $10 a year, and its open source nature, it's worth every penny and then some.

Thanks for sharing. I’m sorry it took us so long to release a native Linux app. We have a great app for Linux now in beta and will move it to an official release shortly.


I hope you can give us another chance.

— Dave, 1Password Founder

Thank you, I'm aware of the Linux client and it got me excited when it was announced, however since switching, OSS has become more and more important to me, so it's unlikely that I'll switch back.

You can self-host this unofficial version https://github.com/dani-garcia/bitwarden_rs if you prefer. Maybe not worth $10/month of your time amortized to set up, but it has been fire-and-forget for me.

My kids have started accumulating more passwords than they can memorize (and their memorized passwords were terrible), so I wanted a family password manager. I considered using "1Password for Families", which I have access to for free from my day job, but if/when I leave the company then I'll have to go back to paying for it. So far I greatly prefer the experience of Bitwarden over 1Password. I use the web vault, the native Mac app, and the Linux command line app (through a janky homegrown dmenu/xclip shell script), and I have no complaints at all.

I used 1Password for a long time. When they shifted to the SaaS model I left angrily. Over time I tried out several other programs such as Enpass (came close to the original 1PW), KeePass varieties, Bitwarden, but found myself back at 1Password this year. One big thing, which funny enough is another dark pattern I guess, is the family account feature. It allows me to take family members on and we can share certain passwords and I think even help recover an account. This is also important because 1PW is the most easy to use password manager and my mom was really struggling with Enpass.

A new feature that adds value is not a 'dark pattern'. Let's not be dramatic.

Even moving from one-time to subscription isn't a 'dark pattern'; it's a business model move to shift to recurring revenue, which we know is something that businesses need to keep the lights on. You can debate the merits of it, but it's not a dark pattern in and of itself. HOW they execute that might be, but the change itself isn't. You just have a personal preference to not want to pay for it in a particular way.

> A new feature that adds value is not a 'dark pattern'. Let's not be dramatic.

Family plans are in my eyes. They lock users more into the platform and make it very difficult to switch. If you want to move away from Spotify, you now have to convince enough of the others to make it feasible.

> Even moving from one-time to subscription isn't a 'dark pattern'

I did not claim that it was one. I also was not even mad about recurring payments, to me the problematic change was that the data was now hosted on some other machine owned by the company who is producing the software (e.g. in theory single point of entry).

I'm trying to charitably understand what you're advocating for, but it sounds like you're arguing that getting multiple people to use any app is criteria for a dark pattern because once they do start using that app, to switch you have to convince them as a group. So.. should everyone use different apps? Or is a protocol the solution?

As far as where data is stored, which sounds a bit like a different argument, I guess what you're advocating for is some kind of peer-to-peer sync solution across family member devices that would work anywhere. That's cool, but I think it may add a lot of technical complexity vs. a cloud solution, and it still doesn't change the fact that you still have the issue above about switching as a group.

It might be worth reviewing what dark pattern actually means - UI tricks to get people to do things they don't want to do. If people like a product enough that they convince others to use it as well, that's ... a good product? I get the data storage concern though.


I think you are interpreting too much into my side comment of "it's a dark pattern I guess". Hereby I retract this part of my statement.

Ah fair enough, I was probably being extra HN nitpicky myself. Cheers

>to forcing people to migrate to their cloud only infrastructure ... fully SaaS

A slight gentle correction. I criticize them elsewhere in this thread, but in fairness I have to point out that this isn't quite correct yet. It's still possible (though they've buried it) to buy a standalone perpetual license for the latest 1Password, run purely local vaults, or keep syncing via Dropbox, iCloud, or manually over WLAN. There isn't any hard tie to the 1Password.com service yet.

Perhaps they'll put the kibosh on that in the future. And they can be and I will criticize them for not having better local sync options, which they clearly stopped bothering with in favor of their own cloud offering. But for the time being I've still got a fully local 1Password 7 license that works the same as every previous version.

Well, until they intentionally break something like the 1Password 4 integration with the browser extension. And after asking why it broke they say: sorry, you're out of luck, but here is a shining new subscription just for you.

Now you're forced to buy the new version just for the integration that has always worked fine.

The company is clearly focusing entirely on their SaaS version, which just makes sense in this day and age. They provide the stand-alone version for people who know about and want to continue using it, but obviously they don't want to drive any new users to this end-of-life product.

In my opinion, it's not a dark pattern, it's just softly winding down the old app. That's not an unreasonable thing to do. If you want a traditional app, there are other choices.

Are you confusing this company with LastPass? I made the same mistake until I realised they are entirely separate.

Care to elaborate?

I'm a subscriber, but unfamiliar with what you're referencing. Do you mind sharing?

What are the gimmicks, tricks and dark patterns you are referring to?
