The switch to a subscription service is a forced downgrade for me; it's putting functionality I already have behind a subscription.
This is particularly an issue since the old versions (versions I paid for, mind you) are slowly going away (typically as a recompilation and submission is required to keep them available on iOS devices).
I much prefer KeePassXC. I find KeePassXC substantially easier to use than 1Password on macOS. I strongly dislike 1Password's UX. It feels very cumbersome to use.
I have a shared family KeePass database as well. Works great.
We now pay the subscription, a tad begrudgingly, but I have to admit 1Password overall does a great job.
I think it might be the only "better than perfect" import story I've ever experienced, and I can't rightly expect it to happen again, but it happened once and that's something.
While I understand subscriptions can add value, I don't understand the forced model. Clearly 1Password has a subset of customers that don't want what they're forcing on customers. Maybe it's that they're positioning to sell the company and moving to 100% subscription boosts the bottom line valuation. But in the majority of cases the customer is not always delighted by this move. Sales organizations love to claim "it's what the customer wants", "it's more affordable", among other half-truths - when the reality is it's a much more consistent revenue stream that disconnects customers voting with dollars from continual enhancement of the product such that the customer is incented to upgrade.
I previously used LastPass but heard about Bw on HN. Saw it had Yubikey support for just $10 per year. Tried Bw. Have never regretted that decision.
I just tried to do this after comparing the features that I use and what I'm paying 1p vs. the bw rate.
There seems to be no export mechanism from web access.
I tried installing the (Linux) desktop client, which exports to a different file format from the one, single 1p format listed as supported by bw.
Bw did not like it.
I also could not get it to digest the json-like data in the alternative paste import box.
If anyone knows how I can migrate without manually entering hundreds of logins by hand, that'd be super swell.
Most record types (software license, wireless router, documents, drivers licenses, email accounts, membership, passports, maybe more) don’t exist in Bitwarden. I’m not sure what happens with all of those, maybe transformed into secure note, but again with all of the attachments removed. The lack of categories is also a nuisance for organization, you can create folders but have to manage it manually.
I’m still glad I switched, having bought 1Password on a bunch of platforms and a bunch of paid upgrades before it turned into a subscription. It probably would have been less money if it had been a subscription from the start with all the times I bought it. Maybe it’s irrational, I just don’t like being so dependent on a subscription service, and having a local network sync between my devices was just fine. Same reason Lightroom can pound sand with their $120/year licensing, I’m not going to keep my photo library in something that I just have to keep paying for the rest of my life.
Bitwarden is good enough for me, with 1Password as a subscription you can look at it and realize “this is going to be $36/year forever.” If I spent any time in it, might be worth the expense. I’ve bought a lot of software and I don’t mind paying for good software. But I’ve moved the things that were attachments to an encrypted disk image, and 99% of my password manager interaction is via auto fill so I don’t actually care how polished the UI is.
Family sharing would be a more compelling reason to stick with it if you’re using that.
It's not quite a silent dropping -- 1Password warns you with a popup during the export that it doesn't include them in the export file. Bitwarden won't warn you, but in its defense the files aren't even present for it to skip...
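The migration complaints above (no usable export for Bitwarden's importer, and record types such as software licences or routers having no Bitwarden equivalent) come down to a column mapping. The following converter is an added example, not code from either project: it reads a CSV export with assumed column names (Title, Type, Url, Username, Password, Notes; rename them to whatever your client writes) and emits rows with the header Bitwarden's generic CSV importer accepts, which is also an assumption to check against the current import docs. Login records map to logins; every other category becomes a secure note whose text keeps the original category and any credentials, so nothing is lost silently the way attachments are.

```python
from __future__ import annotations

import csv
import io

# Assumed header of Bitwarden's generic CSV import format; verify against the
# current Bitwarden import documentation before relying on it.
BITWARDEN_HEADER = ["folder", "favorite", "type", "name", "notes", "fields",
                    "reprompt", "login_uri", "login_username", "login_password",
                    "login_totp"]

# Assumed column names in the source export; adjust to match your client.
SRC_TITLE, SRC_TYPE, SRC_URL = "Title", "Type", "Url"
SRC_USER, SRC_PASS, SRC_NOTES = "Username", "Password", "Notes"


def convert_record(src: dict) -> dict:
    """Map one source row to one Bitwarden row.

    Logins keep their credentials in the login_* columns. Any other category
    (software licence, wireless router, passport, ...) has no Bitwarden item
    type, so it becomes a secure note that records the original category and
    any URL/username/password the record carried instead of dropping them.
    """
    item_type = (src.get(SRC_TYPE) or "Login").strip()
    row = {col: "" for col in BITWARDEN_HEADER}
    row["name"] = (src.get(SRC_TITLE) or "").strip()
    row["notes"] = src.get(SRC_NOTES) or ""
    if item_type.lower() == "login":
        row["type"] = "login"
        row["login_uri"] = src.get(SRC_URL) or ""
        row["login_username"] = src.get(SRC_USER) or ""
        row["login_password"] = src.get(SRC_PASS) or ""
        return row
    row["type"] = "note"
    lines = [f"[original 1Password category: {item_type}]"]
    for label, key in (("url", SRC_URL), ("username", SRC_USER), ("password", SRC_PASS)):
        if src.get(key):
            lines.append(f"{label}: {src[key]}")
    if row["notes"]:
        lines.append(row["notes"])
    row["notes"] = "\n".join(lines)
    return row


def convert_csv(source_csv: str) -> tuple:
    """Return (bitwarden_csv_text, stats) for a whole export."""
    out_rows = [convert_record(r) for r in csv.DictReader(io.StringIO(source_csv))]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=BITWARDEN_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(out_rows)
    stats = {"logins": sum(r["type"] == "login" for r in out_rows),
             "notes": sum(r["type"] == "note" for r in out_rows)}
    return buf.getvalue(), stats


def parse_bitwarden_csv(text: str) -> list:
    """Read the produced CSV back (used to inspect the result)."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample export covering one login and two non-login categories.
SAMPLE_EXPORT = """Title,Type,Url,Username,Password,Notes
Example Mail,Login,https://mail.example.com,alice,correct-horse-battery,
Router,Wireless Router,,admin,router-pw-123,living room
Editor licence,Software License,,,,KEY-0000-0000
"""

if __name__ == "__main__":
    text, stats = convert_csv(SAMPLE_EXPORT)
    print(stats)
    print(text)
```

Review the generated notes before importing: credentials that landed in note text are still secrets, and Bitwarden's "reprompt" column is left empty here, so set it if you want master-password confirmation on those items.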
It allows me to use the vault on all of my iOS devices and that’s sufficient.
What I'm not happy with is the possibility of password access being limited or sync breaking if 1Password servers go down. At least with Dropbox (iCloud, wifi) sync, I have full control over the local vault file.
Ultimately, it might be mostly about ownership and choice for me.
I’m glad you find it affordable but these nickel and dime things add up. Especially when the product fits into $0 software so $4.99 is infinitely higher than $0.
I feel like these small, “affordable,” services are just whittling away the Unix philosophy of do one small thing well. Layering on unnecessary crap just to charge a fee eventually comes home to roost.
Also, passwords is a lifetime need. So 80 years x 12 months = $4,790.4 and that seems like a cost that should be reduced out of one’s lifetime.
Do I want to go to Tahiti once in my life, or pay for password convenience?
Again, glad you’re happy but I don’t want to live in a world where I pay $5/month for commercials versions that crowd out what should be community, OSS tools. I love curl and it’s awesome, but don’t want to pay $5/month/forever.
We forget that taxes are inefficient and should be minimized where possible. A login tax for all eternity sucks.
What is the competition that costs $0? Bitwarden is $3.33/mo for equivalent functionality to the $4.99/mo plan from 1Password.
Let's Encrypt SSL/TLS certificates are free, as is Apache/Nginx/Caddy to reverse proxy Nextcloud or any other solution (if a web based interface is needed). You might also need something like ngrok ( https://ngrok.com/ ) for publicly accessing the instance if you're behind NAT and are hosting it on a homelab, or alternatively just put it on one of the VPSes that you're using, if you have any.
Personally I'm using a similar setup (a WireGuard VPN tunnel or two in there as well) on my pre-existing VPSes, so the effective costs are $0 for me. And the file based approach is actually superior to any (possibly) dubious browser plugins in my eyes.
Their client used to support this and they stopped. Because their current way makes them more money.
Their old client was super easy for non-technical users and groups (just enter Dropbox credentials, etc).
And specifically you only need the DB free tier to store a 1PW vault, so the only cost was paying for the 1PW client (which I am more than happy to pay for on major version updates, as long as it is not a subscription).
1PW removed functionality that existed, with goal (or at the very least the effect) of locking users into their own cloud platform with a new monthly bill.
My time probably isn't as valuable as that of the many people here (about 5x less earnings on average in Latvia when compared to places like US), therefore it definitely makes sense for me to upskill myself in any way possible, especially if I get usable software out of it.
But if you take the container based approach, there is almost no administration to be done:
First, install Docker: https://docs.docker.com/engine/install/ubuntu/#installation-methods (about 10 minutes, varies by distro)
Personally, I use Docker Swarm, but that's just a few more init commands and Docker Compose works as well: https://docs.docker.com/compose/install/ (about 5 minutes)
Then, set up something like Caddy for a reverse proxy: https://hub.docker.com/_/caddy (probably 20 minutes)
And then, set up Nextcloud: https://hub.docker.com/_/nextcloud (probably 20 minutes)
Lastly, install KeePass from the previously mentioned links and put the password DB in the synced folder (probably 10 minutes)
Ngrok, DNS challenges etc. might be necessary depending on the setup, but are not usually required for most regular VPSes.
Backups and updates should also be taken care of, but full VPS backups are mostly standard and you can just bump the container tag every month.
Furthermore, I'd argue that most of the cloud offerings are actually problematic because not all of them let you download the data as files. In contrast, KeePass works with files (much like SQLite) and therefore, if you'd prefer to use SD cards or Samba or NFS or whatever instead of VPSes to somewhat decrease the attack surface, or simply use tools that you know, then you can do that. Want Syncthing instead of Nextcloud? Go ahead!
I'm putting emphasis on this because the line of thinking that we need web SaaS platforms for everything is dangerous - it makes you think that the problem is more complicated than it actually is. Whereas in reality some people probably get away with using password protected spreadsheets (don't do this). The problem is complicated only from a security perspective. That's it.
The cloud solutions excel at convenience and things like browser plugins and it's good that they're offering options for the less technically inclined folk, but they're far from the only option.
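The procedure above ends with the KeePass database sitting in a synced folder and a note that backups "should also be taken care of". Sync clients have two well-known failure modes for that file: a zero-length or truncated copy after an interrupted write, and a renamed conflict copy that is no longer a database. The script below is an added example, not part of the comment or of KeePass: it checks the KDBX file signature (the two 32-bit KeePass 2.x magic values, little-endian on disk) before copying the encrypted vault into a backup directory with a timestamp and a SHA-256 sidecar, re-verifies the copy, and prunes old copies. The demo runs on a constructed stand-in file in a temporary directory, not on a real vault.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# KeePass 2.x (KDBX) file signature: 0x9AA2D903 followed by 0xB54BFB67,
# each stored little-endian, so these are the first eight bytes on disk.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def check_kdbx(path: Path) -> str:
    """Refuse anything that is not a KDBX file; return its SHA-256 hex digest."""
    data = path.read_bytes()
    if data[: len(KDBX_MAGIC)] != KDBX_MAGIC:
        raise ValueError(f"{path} does not start with the KDBX signature")
    return hashlib.sha256(data).hexdigest()


def backup_database(db: Path, backup_dir: Path, keep: int = 12,
                    when: datetime | None = None) -> Path:
    """Copy the vault into backup_dir with a timestamp; keep the newest `keep` copies.

    The copy is byte-for-byte (KeePass already encrypted it); the .sha256
    sidecar lets a later restore confirm the copy was not truncated in transit.
    """
    digest = check_kdbx(db)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = (when or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    target = backup_dir / f"{db.stem}-{stamp}{db.suffix}"
    shutil.copy2(db, target)
    Path(str(target) + ".sha256").write_text(digest + "\n")
    if check_kdbx(target) != digest:  # verify the copy, not just the source
        raise IOError(f"copy {target} does not match the source digest")
    # The timestamp sorts lexically, so sorted() puts the oldest copies first.
    copies = sorted(backup_dir.glob(f"{db.stem}-*{db.suffix}"))
    for old in copies[:-keep] if keep > 0 else copies:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return target


def demo(keep: int = 2) -> dict:
    """Self-contained run against a constructed fake vault in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db = root / "Passwords.kdbx"
        db.write_bytes(KDBX_MAGIC + b"\x00" * 64)  # constructed stand-in, not a real vault
        backups = root / "backups"
        for day in range(1, 5):
            backup_database(db, backups, keep=keep,
                            when=datetime(2024, 1, day, tzinfo=timezone.utc))
        conflict = root / "Passwords (conflicted copy).txt"
        conflict.write_text("not a database")
        try:
            check_kdbx(conflict)
            rejected = False
        except ValueError:
            rejected = True
        return {"copies": len(list(backups.glob("Passwords-*.kdbx"))),
                "sidecars": len(list(backups.glob("*.sha256"))),
                "rejected_non_kdbx": rejected}


if __name__ == "__main__":
    print(demo())
```

Point `backup_database` at the vault in the synced folder and a directory on the SD card or second machine; run it from cron or by hand. Keeping several dated copies matters because a sync client will happily propagate a corrupted file to every device before you notice.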
I've got a lab for stuff I want to tinker with, but a password manager is seen as an "essential service" to me like e-mail and music. I'd much prefer to pay a bit per month and have a team of professionals deal with it if the servers go down.
If at the end of the day my home server breaks and I want to get on and watch Amazon Prime/Netflix/whatever I still can with a hosted password manager. I value my time and sanity a lot more than £2 a month.
Currently doing just that, if any of my servers go down, I can still access all of my passwords on my desktop, on my laptop, on my tablet, on my phone or on my backup servers. Of course, provided that I have KeePass or a mobile app installed and know the master password.
Oh and I do manual backups to SD cards just to be sure every month. I'm not sure how I'd do that with a cloud service where in a sense their entire company (and my network connection to it) is a single point of failure. If my internet connection goes down, how would I log in to my selfhosted software in my homelab over LAN, without being able to access the passwords?
Potentially. Are you looking to make a prototype, or are you trying to go to prod with mission critical data?
Most people here could trivially roll a prototype grade password manager in pretty limited time. Getting something hardened and reliable is a different story.
It does seem like an interesting and useful project, though there are also other more popular alternatives like Caddy: https://caddyserver.com/ (even though their V2 not being backwards compatible was a tad annoying)
Oh, and some people also have pretty good luck with software like Traefik: https://traefik.io/traefik/
Apart from that, just wanted to say that WireGuard is absolutely lovely! Pretty simple to set up, works well and uses way less resources than something like OpenVPN.
After setup I rarely have to think about it, maybe manually sync a conflict between the DBs every 3 months or so.
Overall, _very_ happy with the setup.
The $0 competition for hackers is https://github.com/dani-garcia/vaultwarden
You have apps on every device to access your password database and do autofill. I stored everything in KeePass, recovery keys, TOTP seeds, sensitive documents and notes. I get the password sharing thing for families but for a single user they have the same featureset. The only thing missing is browser access but even though I now have browser access to Bitwarden I think I’ve used it like twice. I think I used KeeWeb maybe once.
Your choice of solution isn't the same thing.
We're not the primary target audience for 1Password, we just happen to fit under the umbrella anyway.
I think about sustainability quite a bit and if everyone who needs password management spends what you’re comfortable spending, that’s a waste I think. And when tech stops making things cheaper and faster it’s a bit sad.
Yes, but like in many other cases, an efficient market would mean that they will always need to be better in most aspects than whatever free, open source, or simply lower cost competitor pops up.
Unless they decide to prevent people from exporting their passwords, of course — and that's a big enough dealbreaker for me that I'd move away anyway, not caring how fancy or advanced the rest of their UX is.
Ps. They can delete accounts too: https://support.1password.com/add-remove-family-members/
This makes losing local vault support an even bigger cause for alarm:
> After you remove a family member’s account, they can’t sign in to 1Password, which means:
> They lose all the items in their Private vault. Because the items weren’t shared with any other family members, no one will be able to access them.
Imagine: the access credentials of the administrator get compromised, and the entire family's digital life, stored on 1Password, gets wiped by the malicious actor.
The attack surface would be limited if instead, the removed user's license turned into a read-only one, like how 1Password currently deals with people who use local vaults and are not on a subscription.
Big, big nope right there, thanks.
I have no particular qualms with paying for software whether as a one-time purchase or a subscription.
I just don't want all my stuff syncing to and reliant on 1Password's infra.
I'll pay them $5/mo to self-host my own passwords. But they won't let me. So I switched to KeePassXC.
Your vault is local, and synced to/from the cloud.
Basically just like Dropbox. If your internet is down and you cannot reach Dropbox, all files synced to your computer are still there, on your computer. It's just that any changes you make locally or changes made on dropbox.com cannot be synced until your connection is back.
What I have zero interest in is increasing my attack surface solely for their bottom line.
I'm also increasingly uncomfortable with the company handling my passwords engaging in the sort of spin and dark patterns we've seen from AgileBits in the past few years.
However the differential factor of 1Password, which was that it _didn't_ provide the storage if you didn't want it, has now gone away. Precisely why I chose 1Password when I started using it. I don't see the difference between this and any other password manager now.
There might be security or technical reasons for removing this option, but looking at how hard they've been trying to get me into a subscription during the last couple of years I just think we're on a bad case of subscription-all-the-things here.
Also I see your reply has been downvoted enough to become grey. (EDIT: Looks like between starting writing this and submitting it, you're no longer in the gray from downvotes!) I imagine it's because you made a blanket claim about spin and dark patterns without any supporting evidence. I'd be curious to know what you're referring to since I don't really keep an eagle eye on this stuff, I just use their product.
The one thing I do remember in the vein of "dark patterns" is how they effectively hid the method of doing a one-time payment for 1Password where you have to manage syncing and backing up the password file yourself. Seeing as I have no reason currently to do anything but make a charitable read of that situation which has been decried more than once on HN, I'd be willing to bet they did so for the following reason: They have had many problems in the past where a customer has lost a password file because they were not a power user and did something such as keep it on one hard drive in their only computer. (reinstalled Windows, hard drive died, etc.) So they wanted to make something that would prevent that from happening for the vast majority of their customers that don't really understand stuff like backups, or don't have Dropbox, or who aren't part of Apple's ecosystem and have iCloud, etc. so that their passwords will remain safe and secure. So they made their own sync service and hid the version that would do local-only files so that only the dedicated users who really want to do that would find it and use it.
OR alternatively they're a bunch of greedy people that just want to hoover up dollars from our wallets, as people love to accuse them of here. Maybe a little of column A and column B, honestly. Something something needing to ensure they have a company that stays in the black without wanting to absolutely bloat up their own software so it becomes another useless Enterprise(TM) application with each passing paid version.
Also the only affiliation I have with 1Password is I have a friend I recently learned works for them, otherwise I'm just a customer. I just got into one of my little ADHD focuses where I really wanted to reply with something long and detailed, so please don't assume I work for them or something and am defending them because of that :)
_If_ they obtain a copy of my password file.
"My email is email@example.com, my password is abcdef12345."
If I'm using 1Password's cloud service I'm... screwed? You now have literally my entire digital life.
If I'm syncing anywhere else, you've got a much bigger task ahead of you. First you have to _find_ where my vault is stored, then you need to gain access to it.
There's an extra layer of security to the way I want to do this. An extra factor of authentication. I don't want the only thing between you and my entire life to be one set of credentials.
When I keep it on an airgapped machine that's a lot harder than when it sits on 1password's internet facing servers.
Someone above outlined it nicely: If you let 1Password take care of encrypting the vault, and iCloud (for example) of storing the vault securely, then a malicious actor would have to compromise both products to get your secrets.
It's why we have a pilot and copilot on planes.
Except that they control the client that I'm entering the master password into. So either the password is sent to their servers anyway or a malicious actor could simply update the client to do so.
It's absolutely incredible to me that people ignore one of the biggest sides of the argument for pre-baked, user friendly products like 1Password: usability for as many people as possible.
Can you point me to where this gets set up? I'd love to do this.
Make sure you have your browser 1Password plugin updated to the latest version.
When you click on the locked 1Password icon in the browser, you get the "Double click to approve" alert on your Apple Watch. You double click the side button on your watch and 1Password in your browser is now unlocked. This also works the same way with Touch ID. Hope that helps. Cheers.
edit: Provided clarity regarding the Mac App
I saw something mentioned about self-hosted vaults. That is something I might consider for my family.
I advocated for the use of 1pass at work precisely because we can share strong passwords with the team. Otherwise, people would just use the same, well-known weak passwords for everything, including business critical ones like domain registrar or Gsuite admin or the root AWS account.
I am not as happy about having another Electron app running on my local box. I hope they spent time locking things down. On the other hand, if it means my wife (on Windows) gets feature parity with my macOS client, that would be good. Even better if the Linux desktop gets feature parity and no longer have to rely on the web or browser plugin.
It saves me so much time compared to how I used to have to do it — pull out phone, unlock, open Authy, wait forever for it to load, type in code, put phone away…
It’s the little things that all add up. I’m very happy with 1Password — been using it for 10 years, and happy to subscribe, considering it’s probably my most-used utility app.
Until your vault is somehow compromised and your second factor is no longer distinct from the first one...
I have never even _heard_ of someone having their 1P master password compromised and the vault(s) exfiltrated (although I grant you it could be just because the NSA doesn't write blog posts about their pwn2own victories)
It's my recollection AgileBits is also running (that is: currently) a CTF with a publicly exposed vault, so folks can test the resilience against attack for themselves
Absolutely. But also, in such a setup, the security benefit of 2FA/OTP codes is negligible at best since there are no conditions under which only one factor could be compromised without also having the other factor leaked (assuming you're using unique passwords for each identity, which is the entire point of a password manager).
However, I suppose it could be used for bypassing the inconvenience of mandated 2FA scenarios (to the dismay of your company's security team).
Man in the middle attack,
Over the shoulder attack,
Brute force attack,
Http (not https) traffic sniffing,
'Breach' of the site and realisation they host their passwords in clear text on an unsecured db online.
Then there is human error; typing password into wrong site, giving your password to the tech support cold caller, telling someone your supersecret password ...
If you can see the password, you can also see the time-based OTP, and you can use those to gain access.
> Phishing attack
> Over the shoulder attack
If you can convince someone to provide you their password, it's highly likely you'll also be able to convince them to also provide you their time-based OTP.
> Brute force attack
A successful brute-force attack on the vault (unlikely) means you've lost both your password and your OTP secret. A successful brute-force attack against a remote account using a safe password (re: password managers) is very unlikely!
> 'Breach' of the site and realisation they host their passwords in clear text on an unsecured db online
The password and the OTP secret themselves have no value (given that you're using unique passwords for each account). If the attacker has breached the service back-end then it's gameover anyways, regardless of 2FA for user accounts.
If you're doing this there's a very limited benefit to TOTP anyways.
Phishing and good ole fashioned human error are two methods by which a password can be leaked without exposing the 2FA token.
> Hello, dear sir, this is the USA IRS and we are going to send the FBI because your TOTP code is expired and are going to put you in jail if you don... hello? hello?!
> Click this link and paste in your TOTP secret because we need to verify your identity: https://1passsword.com/2fa-verify/
> if you think some rando can _phish_ a TOTP secret
Given the context this discussion is about (someone with a 1Password vault, storing unique passwords and TOTP secrets for each account they have) do you see any scenario in which a user gets his password stolen but not the token (or the OTP secret seed altogether)?
> Hello, dear sir, this is the USA IRS
If an attacker via a phone call is able to get the victim to (a) unlock their 1Password vault, (b) spell out their password for account X, what makes you think they couldn't get them to also (c) open their 2FA app and spell out their TOTP token?
> I previously thought that we were just having a difference of risk tolerance
The point I was making is that there are no security advantages to setting up a time-based OTP as a second factor for authentication if the secret seed is going to be stored in the same vault where the passwords are: might as well just forego this TOTP setup altogether and save the extra hassle. Or get a hardware second-factor (TPM, Google Titan, Yubikey, ...)
The point of using 2FA for me is to protect me against my password being compromised since it's a long-lived access key.
> If my password vault is compromised it's game over anyway.
There are ways you could make a vault compromise not mean a complete/irreversible takeover, but that would either give up breakglass access as you say or add complexity and reduce availability.
> The point of using 2FA for me is to protect me against my password being compromised since it's a long-lived access key.
In which situations on your setup would a unique password compromise not imply there's also been a TOTP token/seed compromise?
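The exchange above turns on one mechanical fact: a TOTP code is a pure function of the shared seed and the clock, so a vault record that stores the seed next to the password hands both factors to whoever holds the record. The following is an added example, not code from the thread or from any password manager: a stdlib implementation of RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) applied to two constructed vault items, one with the seed co-located and one without. The seed used is the RFC 6238 test secret, so the codes can be checked against the RFC's published vectors.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def decode_seed(seed_base32: str) -> bytes:
    """Authenticator seeds are base32, often unpadded or spaced for readability."""
    s = seed_base32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


@dataclass
class VaultItem:
    name: str
    username: str
    password: str
    totp_seed: Optional[str]  # base32 seed when the item's one-time-password field is filled in


def factors_available(item: VaultItem, unix_time: int) -> dict:
    """Everything a holder of this single vault record can present at login time."""
    code = totp(decode_seed(item.totp_seed), unix_time) if item.totp_seed else None
    return {"password": item.password, "totp_code": code}


# Constructed sample vault. The first item keeps its TOTP seed beside the password
# (the RFC 6238 test secret "12345678901234567890" in base32); the second item's
# second factor lives elsewhere, e.g. a hardware token or a separate authenticator.
SAMPLE_VAULT = [
    VaultItem("mail.example", "alice", "correct-horse-battery",
              "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    VaultItem("bank.example", "alice", "staple-xkcd-936", None),
]

if __name__ == "__main__":
    now = int(time.time())
    for item in SAMPLE_VAULT:
        print(item.name, factors_available(item, now))
```

For the first item a compromise of the vault yields a valid code for every future time step, since the seed never rotates; for the second item the same compromise yields only the password, which is the separation the "protect me against my password being compromised" argument relies on.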
At the end of the day if you want a password vault that is sync'd across devices, you're trusting someone...somewhere. Be that 1password, dropbox, or even that Linode you manually rsync your data to. You've got to decide what is the biggest risk for your own personal use cases.
For me, I'd rather store my sensitive data with a company that has demonstrated a repeated push to keep my data as secure as possible, even from itself. It's their core business, all they focus on.
edit: I misread and was looking at the business page. $4.99/month for family and $2.99/month for user is entirely reasonable!
We have me, my wife, my eldest, and my mum on it - and it is indeed super simple to be able to share things around.
I used to have KeePass/LastPass/Dashlane - but 1Password is the only one I've managed to convince family members to use as well
Not sure where the signup link is, sorry.
Personally, the problem of managing reliable persistence of my password database just isn't something I want to spend time on, and the incremental difference in security posture is uninteresting to me given that it's encrypted at rest anyway. In terms of waking hours spent worrying about the security of my household IT, the security and persistence of sensitive documents (mainly vs. ransomware) is a bigger problem and I like that my passwords aren't tied up in that mess.
And that's why I only use community maintained software with no telemetry or "data driven decisions."
I suppose they could do something like JetBrains where you get updates while subscribed, but realistically login breaks for users would be a mess to support and a standalone text editor is a different service.
This move makes sense to me given their market. Those that want to run a vault can use an alternative that's more of a hassle to deal with.
And also from a user security standpoint, I don't think we can keep going on making enhancements to user security good practice habits if we gatekeep good password habits behind paywalls.