On Password Managers (opens in new tab)

The 1Password situation is complicated, and is a lot less sketchy than Bray's summary would lead you to believe. 1Password has not in fact phased out their native applications or required people to use 1Password.com to store passwords (it would be insane for them to do so).

There are four issues that I'm currently aware of with 1Password:

1. They've converted from flat to subscription pricing.

2. They're pushing people to a 1Password-managed cloud sync system instead of the a la carte sync they were doing before.

3. They're promoting cloud vaults and hiding local vaults, and the Windows version of 1Password has apparently never used local vaults.

4. Now that they have 1Password.com, first-time enrollment in 1Password requires you to interact, once, with 1Password.com.

Of these, only (4) is a serious security concern. Their last release further eliminated the native app's dependency on 1Password.com. I'm confident they'll get all the way towards decoupling them, but I'm not them, so grain of salt.

I have no relationship with 1Password other than as a happy customer and as someone who does research in the field they work in. Having said that: I strongly recommend that you be very careful about what password manager you choose to use. The wrong password manager can be drastically less secure than no password manager. I recommend 1Password, and there's currently no other commercial password manager that I recommend. I'm sorry I can't go into more detail than that. :(

Just to be clear, it's still 100% possible to keep your 1Password vault in Dropbox etc and not use the SaaS version [1]. I felt like this fact was buried in the article.

Edit: Here's the link to buy the standalone license [2] which is hard to find on the site now.

In a post from the founder one week ago [3] he said, "We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults."

[1]: https://support.1password.com/sync-with-dropbox/

[2]: https://agilebits.com/store

[3]: https://blog.agilebits.com/2017/07/13/why-we-love-1password-...

I use Enpass on Linux, Windows, OS X, Android, and iOS. I also use the Chrome extension. It has a similar user experience to 1Password, but is actually serverless (you sync your encrypted blob to a cloud service of your choice, or not at all). I wish Enpass were open source, but I can understand their decision not to make it so -- its desktop application is free and its mobile apps include a small perpetual license fee ($10 per user, one-time). The format of the encrypted blob is a simple SQLCipher database that uses your (memorized) master password as the secret key, so even though the application is closed source, the data seems to be stored in an open format. Overall, it's probably the best option on the market in a very bad category of software. After evaluating them all, IMO, you should run away from 1Password, Dashlane, Lastpass, etc and use Enpass instead. Even better if the place you sync your encrypted blob is protected by strict 2FA and has good (enforceable) privacy policies.

Any password manager recommendations such that people don't need to deal with 1Password's cloud-based storage?

At our company we use keepass2 with a db file synced by dropbox. Works nicely. Keepass can save all sorts of stuff alongside passwords (like credentials, api-tokens...) and there is an app too (for android at least). Might get a bit clunky if lots of people change a lot of stuff all the time but for us it is not a problem.

I'm a 1Password user, and have synced my vault between devices through both Dropbox and iCloud at various points. I can't help but feel like either there's something I'm missing or something everyone else is missing, which statistically means that it's most likely me. But:

When I sync with iCloud, Apple can't read my vault--even though it's on their servers, it's strongly encrypted with my passphrase, and the encryption/decryption happens on my devices.

When I sync with Dropbox, Dropbox can't read my vault--even though it's on their servers, it's strongly encrypted with my passphrase, and the encryption/decryption happens on my devices.

When I sync with AgileBit's own cloud... doesn't the sentence go exactly the same way? Quoting from their own current web page: "Every time you use 1Password, your data is encrypted before a single byte ever leaves your devices."

So even if the vault is on AgileBits' own servers, isn't it _no more and no less secure_ than the third-party syncing solutions they offer? Maybe that's not the case, and things actually function differently--but I haven't seen anyone describe why that would be the case. Again, maybe I'm just missing it. But I keep missing it. And it's not in Tim Bray's article, either. He's fine with putting it on somebody else's server if that server is run by Dropbox, but not if it's run by the company that he's trusting to encrypt it against people hacking Dropbox? How is this is materially different than using iCloud, Dropbox, or any other solution that puts a copy of my vault on someone else's servers for syncing purposes?

If the real argument is that there should always be a way to use a password manager with _no_ cloud-based syncing solution, I'm on board with that; it'd be a requirement for some businesses. But that doesn't seem to be the argument that's being made. And if the real argument is that you don't like subscription pricing models, that's fine. I don't like them, either. But that's not an argument about security--it's an argument about pricing models.

I've moved from LastPass to KeePass, but the biggest thing I miss from LastPass (other than the better browser integration) is a good CLI client. Lastpass-cli is great, and kpcli just isn't.

Anyone have a recommendation for a good CLI client that isn't `pass`? (I don't want to deal with GPG)

Good security hygiene is like a diet or exercise plan: the most effective one is the one you will stick with. Most users don't follow good habits because its a giant pain for non technical users to get set up. 1p's subscription plan is aimed squarely at those people and I think its a great idea. It's reasonably secure and easy to set up everywhere. That is a big deal in my mind. Yes, its not bullet proof but its a 100000% better than what the current status quo is.

Additionally, managing your own password vault is a lot like managing your own email server. There's advantages but I feel that the disadvantages are substantial. For one, the likelihood that you, one person, are going to do a better job of securing your stuff than a dedicated team is optimistic at best. Keeping your password vault safe is literally this companies full time gig and they have entire teams dedicated to it. Do I think they are infallible? Of course not. I'm not an idiot. But I think they are going to do a better job than me at keeping my stuff safe. I happily will pay for that every month.

The authors point about the 1p web portal is a good one. I don't use it out of similar concerns. Besides that, I really could not be happier with 1p as a password management solution. They have a good track record (no hacks that I am aware of) and I want the company I trust with literally the keys to my kingdom to be profitable and motivated to keep improving.

This is only tangentially related, but I believe it's time to have a unified login standard for the web. Not in the OAuth sense, as that's hard to do, but just a small, machine-readable file that tells your password manager "to log this user in, just submit credentials to /whatever/url/".

That way, your password manager would show a "login" button on the browser's toolbar when you visited any page in a site, you'd click it, and you'd be logged in (or possibly be asked for a two-factor code or be redirected to a two-factor page) immediately and certainly.

Is there anyone here who's working on a password manager who'd like to develop this with me? I've been wanting to write a spec and Django/Python implementation of it.

Does anyone know anything about Dashlane? I had a free commercial account from a previous employer and it seemed nice, other than the popup every time you logged in to an unknown website asking you to save your credentials. I'm pretty sure that was configurable, though.

I don't see Dashlane spoken about much in these conversations (I have no affiliation).

The one place that 1Password doesn't meet my needs is in ChromeOS.

The browser plugin requires the machine you're on to have the 1Password app running in the background, which is how it gets its data from the local (and synced) vault. But there is no 1Password ChromeOS app (and I don't think it's really even possible for there to be something like that in ChromeOS), so the browser plugin does not work in Chrome on ChromeOS devices.

A while back, I think the 1Password synced vault files would also have an HTML file you could load up in a browser, which would then communicate locally with the encrypted vault to gain access to your passwords, which was a workaround on ChromeOS. I'm not sure of the security implications of that process, but it isn't supported anymore.

I really like the locally synced vault with browser plugin functionality, but the fact that there isn't a solution on ChromeOS has been a sticking point for me. I've gone the route of having Google store 1Password generated passwords via Chrome's password features, for sites that I regularly access via ChromeOS, which works, but feels excessive.

The only cloud based password manager I'm willing to use is Dashlane[1]. It's supposedly "zero knowledge", and although you can never be 100% there isn't some bug waiting around to be exploited, it's a compromise I'm willing to make (the lesser evil). They also have several complementing features like encrypted notes, auto saving receipts, credit cards, batch password changer with quite a few major sites.

I'm not affiliated with them, it's just I never see them on HN compared to mainstream applications like LastPass, 1Pass, OneLogin and such.. and I think their services are better. Plus their support is great.

On the other hand, if everybody starts using it maybe it'll become a bigger target for hackers. so don't tell everyone :)

[1] http://dashlane.com

Why is the 1password login the same as the encryption password for all my other passwords? There is absolutely no reason why I should ever send them my encryption password. If they would make these two passwords separate and handle all encryption/decryption locally, I think that would solve the issue for me.

Against all recommendations I reject all password managers. I feel like all security software is eventually compromised, most frequently by business folks as in this case. Instead I use a tiny notebook that I keep in my wallet. I pick long 12+ character passwords myself, not super randomized but I haven't heard of a brute forcing attack in a long time. It allows me to easily meet weird password requirements. I feel pretty secure that it's not on a computer. Admittedly I also use Firefox's password manager to avoid typing them in all the time. I trust Mozilla for now, though I wouldn't be surprised if they are eventually compromised as their market share goes down.

Encryption Wizard [1] solves issues 1-4, but is severely lacking on #5 (device syncing). It also has no mobile support.

I've performed a cursory search to see if any OSS password manager comes close to EW on features, but didn't find anything:

* Supports CAC encryption/decryption

* Allows you to store contacts public certs

* Allows keys to decrypt

* Generates passphrases

* Allows multiple keychains to be opened at once

If anyone is looking for a (probably not profitable) OSS project/business, I would pay probably upwards of $100 for a perpetual/source available license for an Encryption Wizard clone with a mobile client & some built-in support for syncing.

[1] https://www.spi.dod.mil/ewizard.htm

With a couple UI/UX enhancements, Apple could take over the iOS/MacOS marketshare of these products with Keychain. It's already possible to use keychain in your workflow for password management, it's just not super convenient.

I'd switch from Lastpass, if Apple made it easier to autofill and autogenerate passwords and added support for sharing / teams.

IMHO this part is where the nail is hit right on the head:

>Why is AgileBits doing this? · For the same reason that Adobe has been pressuring its customers, for years now, to start subscribing to its product, rather than buying each successive version of each app. A subscription business is much nicer to operate than one where you have to go out and re-convince people to re-buy your software.

It is the part (common to many other software vendors) where they stress the "I am doing this for your own good" that irks me.

You want to change your business model? Fine.

Do you believe that this new one is better? Fine.

Do you want to convince me that you are changing the "old" model (which BTW you used until a nanosecond ago) becasue it is better for me? Hmmm.

I'm glad to see this getting more attention because it has been brewing for months and 1Password is essentially doing what they promised they wouldn't - forcing users to the subscription/online model my phasing out support for local vaults.

I'm not mad at the subscription. I'd pay them the few bucks a month happily for what is an excellent application cross-platform. I AM mad at the forced cloud sync.

My current plan is to keep using 1PW 4 on Windows as long as possible and then re-evaluate when I absolutely have to. KeePass is a close alternative, but nowhere near as polished at this point.

I'm surpised nobody cited lesspass, https://lesspass.com/#/

Nobody store your password it's pure stateless, you can access the software by the official website, your website, web plugin, the terminal

see this blog: https://blog.lesspass.com/lesspass-how-it-works-dde742dd18a4

I totally agree with Tim Bray's post. The bottom line is that the pestering that I get from AgileBits makes me, as a customer, really doubt their integrity after trusting them for years. Why are they trying to force me do to this? Obviously because they want more money (but are betraying their own oft-stated security attitudes) and maybe even for some other reason (the backdoor thing?).

I've been using password managers (KeePass, in my case) for about a year and all I can think is, why I didn't start using them earlier. It is cheaper to generate a long, random password using alphanumerical and special characters than trying to think a clever yet memorable unique password by myself, and probably more secure.

Plus, it's true that you end up storing other sensible things that are not passwords, such as API or recovery keys, because it's acts like a vault.

I totally missed this switch by AgileBits. Does anyone know how to ensure that the data file continues to be synced to Dropbox or iCloud, not AgileBits? (Looking into my configuration, it would appear that AgileBits has silently moved my data from iCloud to the AgileBits cloud.)

EDIT: Found: https://support.1password.com/sync-with-dropbox/

"2. In­stall a cam­era any­where I work and fo­cus it on my hand­s"

I feel like we need to be talking about this more. For all the hullabaloo concerning password strength and encryption key length, MANY of our secret key entry methods would be quite easily defeated by a common webcam and a pair of human eyeballs.

That's kind of scary! It's not about to make me stop using passwords, but it is going to make me stop and think before I log into anything in a coffee shop.

How can you talk about 1Password but not KeePass?

Password managers are the definition of "putting all your eggs in one basket". You need to compromise 1 (ONE) password to get access to EVERYTHING. They are a lot more convenient, but barely more secure than a plaintext notepad file. And some people actually storing bank accounts and credit cards info there. This is insane to me.

More and more, I'm recommending that friends and family get a Mooltipass[1]. It's open source, it works on any platform that supports USB HID (including mobile devices using an OTG cable), it's got multiple browser plugins, and it allows you to have "two factor" auth by seperating the pin-protected crypto key from the device itself using smart cards.

The device can be backed up, and the cards can be backed up too (since unfortunately it's not doing the crypto on the card, the card is just a verifiable pin-protected way to store the AES key) and it's an obscure enough looking device that it's not yet an easy theft target.

[1]: https://www.themooltipass.com/

If I understand correctly, the main problem here is that if a password manager at some point asks you for a password in an online environment, they're subject to coercion. This is especially dangerous if you're using auto-updating code like Javascript in a browser or code on a remote service, because it could get backdoored at any time and you wouldn't notice.

Isn't the real problem auto-updating code with access to a network? 1password.com is certainly another vector that fits this description, but if you don't trust AgileBits to manage 1password.com securely, why would you trust them to manage the app on your machine securely? Or the auto-updating Chrome plugin?

I'm not denying that there's more surface area by creating a login, but I think it's a false dichotomy to say that the app is "offline" and the website is "online". They both have network access, and if AgileBits or a random hacker can change the app's code, they'll do that. That change will be mindlessly delivered to your computer, and the bad guys will have all your passwords.

I have 1Password and I love it.

But my biggest fear that I have is; if my laptop was ever pwned in some way, due to some noval 0-day etc - is that everything stored in 1Password could be compromised. But more importantly - the hackers would have an address book of banks, servers, databases etc that I have access to.

I dont know if there is a solution - but I feel it is like putting all your eggs in one basket.

I use password managers, but I think the usual way of thinking about them is wrong

Besides password reuse being not recommended, the main issue is: most websites don't give a eff about whether they store your password correctly or not

It's a trust asymmetry, they ask you to provide a password (and most ask one with a lot of BS restrictions) THEN md5 it and put it on the database, or worse

And as said by the article (and implied by the above paragraph), there are better ways of obtaining someone's password - pwd managers are not the weakest link, at least not now

Is it still the case that the 1Password Master Password is never transacted over the web, even on 1Password.com? The encrypt/decrypt is done in the browser?

Are there any good password managers that don't have enforce going to the cloud, but work nicely with larger teams? A few people in the comments are recommending using keepass with a shared Dropbox file, but that doesn't work as well when you want different people having access to different passwords on teams.

Anyone know of a good alternative to 1Password or LastPass for teams?

Frankly I think people are insane to use any of these password manager products, whether SaaS or local. You're trusting a 3rd party to exercise control over your most sensitive digital information. Since the majority of people on HN are developer-types, you'd think "we" would write a little code, if necessary, for ourselves to make it easier to remember passwords. Basically a little DIY.

IMO, this will end badly.

I wish AgileBits didn't conflate two issues:

* I have no problem with subscription pricing, software that is maintained needs to be sold in a subscription model, period. Anyone who thinks otherwise is deceiving themselves.

* I do have a problem with entering my password (that is used to encrypt my data) into a JavaScript environment.

Give me native apps, charge me in a subscription model, don't force me into a web site version, and all will be fine.

Over time, it's become clear to me that the only business model with true longevity is open source. When I was first looking into password managers several years ago, I wanted something very simple: an iOS tool that could securely and locally encrypt a data blob with a memorized master password. 1Password did this job well for many years. Unfortunately, as with many App Store offerings, the pressing need for Agile Bits to grow has distorted the fundamental nature of the product. I was first alarmed when they added TouchID authentication: a seemingly innocuous feature, but one that necessarily stored your master password somewhere other than your head. (Fortunately, this was disabled by default.) Subsequently, features got added that stored your data on remote servers and even required you to send your master password over the web. I ignored this for the most part, but recent talk of this becoming the only use case for 1Password has put me on red alert. It's evidently time for me to start looking into OSS alternatives for my password manager, just as I have with a number of other tools in recent years.

Unfortunately, it seems that many companies these days are more interested in developing services rather than deftly solving specific user problems. Whether or not this is financially sound, it's an ongoing assault on my workflow. I can't live in fear of every utility on my system pivoting to a new business model! Fundamental software needs to be stable, and there's a good reason why most of our essentials (compression, video playback, web browsing, etc.) are free and open source.

Going forward, I hope we discover more ways to collectively fund open source software projects, large and small, because everything else is just an IOU for another future shakeup.

Question: When you add additional hardware (e.g., Yubikey) how does that effect the integrity (?) of your PWM (e.g., LastPass)?

I'm comfortable (in a I have no choice sorta way) that there is always some risk. Therefore, my next best choice is to mitigate that risk as much as possible. Obviously nothing is perfect, but it seems that using a Yubikey (or similar) raise the bar pretty high.

Yes? No?

p.s. Does anyone know of the legal implications of a Yubikey? That is, can a court order you to turn it (and PW) over? Or is there some protection from such things?

Note: I'm not doing anything nefarious. I'm just wanting to lower my sec risks, as well as maintain a respectable level of digital liberty.

I've never seen a corporate post with more comments by employees than the one where 1Password tries to explain their subscription model [1]. It makes it looks like they want to bury non company comments.

And I am a current 1Password customer and had been for years, but that post doesn't inspire confidence in me.

[1] https://blog.agilebits.com/2017/07/13/why-we-love-1password-...

> And anyhow I'm obviously a lame-ass hypocrite because I use the 1Pass­word Chrome plu­g­in to fill in forms for me, and this means I type the master password into a browser.

Actually, you don't. When you click the 1Password button in your browser, it sends a request to the 1Password app on your computer via localhost, which then opens a pop-up for you to enter your password. You're entering it in the 1Password app, not in Chrome.

In 1Password's case, I understand their desire to switch over to subscription pricing, and also have some sympathy with the notion that moving people to a cloud-based model reduces confusion and complexity (including their support costs). I also have no doubt that they now intend to take security as seriously in the future as they have in the past.

Beyond the not-insignificant risks of them screwing up, despite the best of intentions, there's nothing that prevents a change of company direction/priorities that could greatly increase the risk of a significant security breach. New senior people get brought in, crises happen that lead to poor decisions for financial or other reasons, and companies get sold to people who may well have completely different priorities.

It feels like a comparison of the available options out there is something "useful to the world".

I am not too sure how to do that but would value comments from people who have used open source password managers, or even read the code!

Shall we?

My assumptions for this list of recommended apps is at minimum:

- a single file in a well-known format is stored on a cloud service, and can be read / updated from different devices and platforms

- as this is encryption, we prefer open source code and trusted binary makers

My experience:

I use pwSafe on iOS (binary from some random guy). This backsup to dropbox.

I have a python script based on pypwsafe3 that can read the file on Linux. I have not yet tried BI-directional

I know pwSafe is based on Schneier's windows version, but frankly I have not tried to find the code or validate the binary.

So - is it worth building some kind of knowledge base here?

Completely irrelevant to this post. A long time ago I was in an Android "workshop" in one of these Google conferences and I saw a tall guy with a cowboy hat and slippers walking around and talking to people. I though to myself, "what a funny guy". We chatted for a little while and I didn't know if he was a "Google evangelist" (those that can talk tech but can barely code) or if he was just serving coffee (he was super humble and relaxed). Then I learned that was Tim Bray, one of the "creators" of XML. I never underestimated anyone anymore (I was young and stupid, sorry).

What I don't understand is: why isn't the responsibility of the browser?

The browser can verify who am I, likely in a more rigorous way than a password.

The browser can already handle interaction with the server on behalf of the user.

Sure, the user flow would need to be sorted out (e.g., to confirm the user's intent), but it seems much better than the current system we've been using since the days of .htaccess.

Any alternatives to 1Password / LastPass that support Google's SSO? I tried TeamsID before and I was ok but not nearly as feature-full as I was hoping: e.g. no automatic auto-fill on the page you land on, no password generation for new websites.

The single point of failure is my own memory. I never commit passwords to anything else. Frequent user of password recovery for online sites. Will never use a password manager trojan for obvious reasons imho.

I get your point but the truth is if the government REALLY wants your data then they're going to get it. It's not hard to install a physical keylogger for example and you'd never notice.

I thought 1Password confirmed that the cloud based storage is the default for new users -- existing and more security conscious users can still use whatever data store they choose?

What do you guys think of keeper [1]?

[1] https://keepersecurity.com/vault/

Does anyone know the state of LastPass for Applications which would be installed locally onto Windows?

If only I had a keyboard with an NFC chip, and some password software on my phone ...

I'm still using 1Password Version 3.8.22 on my Mac. Should I upgrade?

I agree with where he's coming from overall. Password managers [1] are a very important practical security measure that general users should be utilizing for the foreseeable future, and one where a good UI (as 1P and other commercial ones offer) is a genuine security feature, not just a nice-to-have, because their security implications are directly tied to how much users utilize them. That means while technical users will always have solid OSS solutions no matter what, it's worth paying attention to what major proprietary ones are doing too. This shouldn't be dismissed purely because KeePass variants or whatever exist.

And I definitely don't like the business incentives subscription models generally create when it comes to standalone software development (as opposed to a server-based service), and so far the major moves to them I have experienced (such as Adobe's) have reinforced my concerns. While in the short term individual personalities can of course do whatever, I think in the medium to long term it's very hard for development direction to stay divorced from whatever the direct economic incentives of the business model are. In turn thinking about that is one of the more important factors in thinking about to what degree a company can be depended on over the years. Because:

1. Humans have a strong tendency to favor the status quo unless there is a disruption (HN crowd likely deals with this frequently, such as with the immense power of defaults in UI design).

2. Low constant noise triggers less consideration then occasional larger spikes, even if the former adds up to more in the same time period.

3. There is direct loss associated with stopping.

4. Lock-in increases.

subscriptions are well known to be a lot stickier and less sensitive to stagnating software, pricing changes, etc., then per-version purchases are. Companies can put out "being able to focus on the longer term!" but fundamentally subscriptions remove a significant form of customer-oriented hard discipline and incentives. Some devs might be able to continue the same without it, but many clearly cannot. And I want to emphasize that this isn't at all necessarily because of any maliciousness or even greed, no "haha now we have them where we want them". It's just that a lot of humans will lose focus without some sort of hard-to-subvert, reasonably fast outside feedback loop. Subscriptions also encourage feature development and testing towards a single vertical ecosystem, even if other approaches would be perfectly viable.

AgileBits says they're keeping standalone licenses, but I see nothing about reasonable feature parity. I also agree that one of the best ways to assuage concerns is full honesty, including acknowledging obvious conflicts of interest, and in that light I agree it would have been valuable to see at least something about how this boosts their revenue, and how they're aware of the risk of making standalone licenses second class citizens and will watch for it. They've been a solid company and made a solid product overall however, so I'm willing to give them the benefit of the doubt here for now. It'd be a shame if they ultimately do go sub-only at some point, even if data can be trivially dumped to other programs.

Maybe by that time though progress will be made on finally getting websites away from password authentication entirely and in turn PMs can be rendered mostly a historical artifact.

As as an aside, though I think this blog is aimed at a general audience there are a few misunderstandings that are significant, since they're not that complex but feed misunderstandings. For example:

>In the 1Password app's sync model, however, one assumes they use the pretty-secure HTTPS-based APIs for each of these products, machine to machine, no JavaScript in the loop.

The author himself correct states that in 1Password's (or KeePass or any other client based encrypted database setup) case they're using purely offline-app endpoint encryption, and part of the entire point of that is that the transport mechanism is irrelevant. There is no need to trust anything beyond what exists on the endpoint. This matters because it relates to some of the other concern points he raises, not just cloud storage location but for example "backdoor code in a future 1Password app release that sends the goodies to the enemies". An endpoint password manager that allows abstracting sync from the application itself, at least optionally, in turn can be isolated from any net access (and/or any attempts monitored) which reduces that threat profile as well.

----

1. Effectively a mediocre reimplementation of public key auth on top of 90s-era website authentication practices that have proved sticky.

1password should just release a paid (subscription even) self-hosted version. They already have the domain bit in their apps, I can't imagine it being too much effort to work with any host.

i don't want to repeat myself ... but Bruce Schneier's PasswordSafe and only Bruce Schneier's PasswordSafe is the real deal!

Sure they haven't disabled the ability to keep your own password vault. It would be ruinous to do so at this point, even if they wanted to. But I think the writing on the wall is awfully legible.