Subscription business models and non-native apps are hallmarks of rot by VCs. Dump them!
I recently visited my friend from our programming club who saved these letters and was reminded a couple people wrote additional angry letters years after paying for the shareware. They demanded support in return for their one payment. (Of course, not only had I moved on to other projects, but I had long sold the type of computer the shareware was created for!)
So I learned early on that people unreasonably expect support for no additional cost. Or they believe the amount they paid is for support in the future, not work done in the past. It doesn't work that way economically. A constant flow of additional money has to come in the door to pay a team to do the actual support.
AFAICT, the only feasible models for supported software seem to be subscription, microtransaction or advertising. Any one-time-up-front price means it's abandonware. Which is fine for some types of software, of course, but probably not as often as users expect support.
I've been using 1Password since 2008 and I'll be doing the same thing. I have tolerated the UI regressions and even subscription with version 7, but Electron is just unacceptable for what was once an amazing Mac app that put Apple's apps to shame.
The costs of developing and maintaining software are recurring -- especially for security-critical software. Subscription business models align incentives towards ongoing maintenance.
if an app has ongoing development that you benefit from, it seems entirely fair to pay a subscription. the fair alternative is a one time payment for a lifetime license with few patches priced in. I would probably prefer the latter for something like a word processor, but would you really want to use the same version of a security-critical program like a password manager for the rest of your life? if not, how do you expect them to fund development/maintenance indefinitely?
That last bit I don't believe applies to 1Password, because there are certain things you can't do without some kind of centralization, and the article makes that case.
...but look at something like Adobe CC, what exactly does moving from a purchase to a subscription benefit me? And let's not forget about the more subtle effects, like losing the right of first sale, silent T&C changes, mandatory updates, etc - things that are only to the vendor's benefit.
Agreed. Though, this latest development – the move to Electron – is a negative for me, so it leaves a part of me wondering what kind of development I have been paying for. I imagine I am not alone with such a sense of disappointment.
This has nothing to do with VC and everything with trying to build a better product for users that is easier to work on for developers.
As a long-time 1password shill I have hit my limit and will slowly start migrating to BitWarden and iCloud Keychain.
Over the past few years, we've been working on consolidating 1Password's business logic into a single Rust-powered core that could be shared across all our apps. This has many advantages: feature consistency across platforms, faster development cycles, and better security. When building the front-end for the desktop platforms that would take advantage of this new core, Electron suited us perfectly, since we could write our UI code once and make it consistent across Linux, Windows, and Mac. We actually did build a native Mac app initially alongside the cross-platform Electron app, but we eventually decided that having two separate versions of the macOS app (one in Electron, one in SwiftUI) would cause a lot of needless development churn and hassle for both customers and our support team.
I can understand your frustrations about Electron and our subscription-based model, but I hope you find my explanation reasonable. Please stop spreading misinformation.
I think a subscription business model is the only honest way to sell software that will require ongoing support. If you're comfortable with a snapshot w/o updates, then by all means buy once, but I think coming to terms with the demands of ongoing support also means coming to terms with continuing to support the product in some way.
That said, I wish there were more variations in the way to pay - a long term license with a high upfront fee and a low monthly, an immediate access option with a high monthly and no up-front fee, etc.
edit: apparently 8 will be electron-based. So... no standalone subscriptions AND they've moved from native to electron :/
Can you go more into how non-native apps are a "hallmarks of rot by VCs"?
I hate them too, but my impulse is to blame MBA thinking (build once, less investment, who cares if it sucks) rather than VCs specifically.
They just like to say that they use Rust for the backend code. Rust for the backend of the client apps, React for the UI, wrapped in Electron.
Electron apps typically don’t work for me because they don’t integrate with the rest of the system cleanly, and so once you stray off the designers’ happy path it becomes clumsy to use the app. This isn’t an esthetic or ideological argument; simply for my usage an electron app can rarely be as convenient as a native app on the Mac. Things like input integration, system service integration, selection, and responsiveness are much harder to do when you are fighting the electron abstraction, so no wonder devs leave those things out.
The chrome extension leaves a tiny bit to be desired, but definitely still usable:
* Not as good about determining correct sign-in URL and lots of times will send me through the auth redirect from registration
* Launching sites without mouse isn't possible (shortcut exists to open extension but can't select site to launch it using arrow keys, for instance)
* Button locations aren't consistent between search view and opening it on a site you have a password on
Definitely still the best for me though. It's frustrating, though, that I don't feel like the paid plans really give me anything useful, so I'd be paying basically just to support the product (which I'm happy to do!). It's a weird spot for sure, I feel like table-stakes for a free password product is infinite devices + usable browser extension + phone apps + password generation. But figuring out what to add on top of that is always either directed at businesses or families, or things I don't care about like 2FA or an authenticator. I want to support you, damnit!
I had bought several versions and both the Mac and Windows editions of 1Password over time, none of which were what I would consider inexpensive for a password manager. I consider their treatment of me as a customer to have been terrible.
I wouldn't be so pissed off about it if they had just dropped the product and started a new one, but slowly turning something paid for, used regularly, and liked into something different that I didn't want at all tells me that they are absolutely not worth doing business with again. They're not trustworthy.
For my personal passwords, I prefer keeping a local KeePass vault (I access over a local network drive, VPN in elsewhere).
I totally agree that primitives are some of the least important parts of choosing password managers, but what I like about KeePass is that you can use Argon2 as the password derivation function and specify your hardness factors. Because my laptop and desktop have a strong-enough CPU and I don't mind waiting 20-or-so seconds before the first unlock, I can set quite high values for this.
For example, if you're logging into your credit card provider from Mint.com, you have to search your card, copy the username. When you paste the result on Mint, you lose the window, and you have to re-search for your card to get the password. Very frustrating.
This was a discovery in a security review they did and chose not to change.
This was some time ago so things may have changed. But, that red flag kept me away.
I used to use Enpass and never had an issue but it's not open-source and you have to pay for Mobile client.
It's honestly fantastic to see how they have adapted to password managers.
Lastpass frequently messed up the autologin and injected a lot of ugly css/html in the forms which Bitwarden doesn't.
Also it works really well as a chrome extension with Kiwi browser on Android.
I convinced my wife to pick it up and we now share a bunch of stuff and she loves it. And she's low tolerance for UX issues.
The official command line tool is way too clumsy. I've tried rbw and rbw-fzf which are ok. rbw doesn't let me view all properties of an entry (attachments, notes), and rbw-fzf has issues if things have spaces in them and is limited to only passwords, not other info.
I would still be using it myself, but I also wanted to log in to desktop applications, so I've been using KeePassXC since.
keepass's auto-type feature is also a great way of autofilling passwords without having to give your browser access to your password vault
The switch to a subscription service is a forced downgrade for me; it's putting functionality I already have behind a subscription.
This is particularly an issue since the old versions (versions I paid for, mind you) are slowly going away (typically as a recompilation and submission is required to keep them available on iOS devices).
We now pay the subscription, a tad begrudgingly, but I have to admit 1Password overall does a great job.
What I'm not happy with is the possibility of password access being limited or sync breaking if 1Password servers go down. At least with Dropbox (iCloud, wifi) sync, I have full control over the local vault file.
Ultimately, it might be mostly about ownership and choice for me.
What I have zero interest in is increasing my attack surface solely for their bottom line.
I'm also increasingly uncomfortable with the company handling my passwords engaging in the sort of spin and dark patterns we've seen from AgileBits in the past few years.
I saw something mentioned about self-hosted vaults. That is something I might consider for my family.
I advocated for the use of 1pass at work precisely because we can share strong passwords with the team. Otherwise, people would just use the same, well-known weak passwords for everything, including business critical ones like domain registrar or Gsuite admin or the root AWS account.
I am not as happy about having another Electron app running on my local box. I hope they spent time locking things down. On the other hand, if it means my wife (on Windows) gets feature parity with my macOS client, that would be good. Even better if the Linux desktop gets feature parity and I no longer have to rely on the web or browser plugin.
It saves me so much time compared to how I used to have to do it — pull out phone, unlock, open Authy, wait forever for it to load, type in code, put phone away…
It’s the little things that all add up. I’m very happy with 1Password — been using it for 10 years, and happy to subscribe, considering it’s probably my most-used utility app.
At the end of the day if you want a password vault that is sync'd across devices, you're trusting someone...somewhere. Be that 1password, dropbox, or even that Linode you manually rsync your data to. You've got to decide what is the biggest risk for your own personal use cases.
For me, I'd rather store my sensitive data with a company that has demonstrated a repeated push to keep my data as secure as possible, even from itself. It's their core business, all they focus on.
edit: I misread and was looking at the business page. $4.99/month for family and $2.99/month for user is entirely reasonable!
We have me, my wife, my eldest, and my mum on it - and it is indeed super simple to be able to share things around.
I used to have keepass/lastpass/dashlane - but 1password is the only one I've managed to convince family members to use as well
Personally, the problem of managing reliable persistence of my password database just isn't something I want to spend time on, and the incremental difference in security posture is uninteresting to me given that it's encrypted at rest anyway. In terms of waking hours spent worrying about the security of my household IT, the security and persistence of sensitive documents (mainly vs. ransomware) is a bigger problem and I like that my passwords aren't tied up in that mess.
I suppose they could do something like JetBrains where you get updates while subscribed, but realistically login breaks for users would be a mess to support and a standalone text editor is a different service.
This move makes sense to me given their market. Those that want to run a vault can use an alternative that's more of a hassle to deal with.
And also from a user security standpoint, i don't think we can keep going on making enhancements to user security good practice habits if we gate keep good password habits behind paywalls.
In fact, if you're okay with only editing/creating password entries on your phone, you don't even need to pay for the desktop app, because you can use it in read-only mode. The Android app has no limitation to editing local vaults, and it's pretty rare for me to actually have to set up new accounts these days, so I'm fine doing it on my phone. I considered paying for 1Password X (their online offering), but it's simply not worth $45 per year for that minor convenience. I can't complain at all, because I use 1Password completely for free.
https://pwsafe.info/ for Mac and iOS, https://pwsafe.org/ for Windows
The underlying file format is opensource and developed by Bruce Schneier.
I use it to securely store notes and important files.
Imagine emojis in IETF RFCs. No thanks.
Admittedly, there is a similar problem with words, but there are at least dictionaries for them. :>
They have an established reputation.
Like, imagine it's only Gen X that complains about this, and they are the equally out of touch blackberry user whose device renders all the emojis in some messed up but hilarious way, then it's a great way to make fun of them without saying anything and just keep bombarding them with an incommunicable internet, while the rest of us don't mind and some of us are also in on the joke.
This is also a consumer product, not enterprise.
I did so after reviewing their audit results, what they documented about their architecture, and after they added great support for Linux. At the end of the day, not everything is a conspiracy - and their model appears to be incredibly secure.
I would like the self-hosting option (that like Bitwarden, will still require a subscription), but a big part of what I am doing is sharing credentials with family. 1Password does a great job there.
Honestly at the end of the day, everything else is about your value proposition. I didn't know or realize that 1Password had shifted to electron as asserted elsewhere. I guessed that there was a new version given that linux was supported but it made no difference for me. Great for them. Likewise, they are far more secure than me editing a password file. Eventually the market will decide here. If people really care about swift versus javascript, then it will penalize them eventually.
That said, people arguing that dashlane and others are better than 1password, given that dashlane has access to your passwords, I can't imagine that this is a choice that makes any sense given the basic requirement of a password manager (keep my passwords safe).
-- edited correction - dashlane, not lastpass.
Don’t get me wrong, I hate Lastpass with an unprecedented rage for something that should be a simple utility (I’m forced to use it at work and it’s a time sink), but I don’t know where you get that and would like a source.
Source: I work there :)
I've recently been using keychain for new accounts, but not sure I wanna bite the bullet and go all in - just need a nudge.
Bitwarden is fantastic. I pay for the OTP features, though I feel keeping the codes alongside my passwords weakens my security posture. That's my choice, though.
but
Saying that "customers voted with their wallet" and chose subscriptions is disingenuous.
Ever since they've had subscriptions they've made the standalone license page extremely difficult to find on their site. They really didn't give regular users a "choice"- they dark-patterned them into thinking subscriptions were the only option
As forthcoming / down-to-earth as these posts from the company seem- they are full of spin. Their impossible-to-find standalone license page is a topic they seem to be avoiding.
Edit to add this small addendum: It just really bothers me on an emotional level to constantly run into this juxtaposition as a user of software/hardware: liking a product but being extremely disappointed in the company offering it.
Even with me knowing it exists, I wasn’t able to find it on their site to send him. (Hint: you have to upgrade within the app, but only if you downloaded from their website, and only if no 1p account or trial is present)
Add other dark patterns like the extension being 1PX only by default and doesn't work with standalone. You have to cram through their website to find the legacy extension and even that isn’t straightforward. They tried very hard to hide all info of a standalone existing.
(Personal annoyance: locking new features like the redesigned autofill overlay to the subscription-only version even though the Safari extension fully supports it for standalone, but not the others.)
Honestly, I wouldn't mind paying a reasonable price for the 1Password service if it wasn't a step down in value from what I had before.
I have a slightly older version of 1Password and it works fine for my purposes. I've been holding off on the subscription transition because I would derive zero value from switching to subscription but I'd gain a monthly payment I didn't have before.
But the thing that irks me is the PR speak that is trying to spin the subscription change as something we, the customer voted for, when they've gone out of their way to force everyone into subscriptions and hide the standalone version. I know the standalone version of 1Password 7 exists, but I tried to find the price yesterday and gave up after a few minutes of poking around.
"We didn't choose this, you chose this!" is so distastefully dishonest that I have zero desire to engage with this company any more. Once my standalone license of 1Password 6 stops working, I'm upgrading to a competing product.
0: https://com-agilebits-users.s3.amazonaws.com/dave/1password7...
Ever since they released the subscription option my upgrades have been very smooth and the features and improvements keep coming and I don't have to actively go and upgrade/purchase a license for a new version.
I don't know how to feel about switching to electron. I have many applications that are electron based and the quality is generally high but some do cause significant memory pressure on my macbook air.
Starting with 1Password 7's beta, they "hid" the standalone option on the site and then removed it completely and only allowed for purchasing standalone versions through the app itself but that was announced prior to them doing it.
Are there advantages of using it over Apple's built in keychain?
Would appreciate if someone who has used/uses 1Password could comment on this.
1) It is very cross-platform. It works on iOS, Android, MacOS, and Windows. I believe that it is also Linux-ready.
2) It has the ability to sequester groups of passwords into "vaults," that can then be assigned in different configurations, for different accounts. This way, the Treasurer gets the banking login, and whatnot, but the Webmaster never sees them, and Treasurer never sees the CP login.
3) It seems to support a whole bunch of TFA.
4) It syncs over everything, and helps to enforce password hygiene.
It supports many more kinds of secure data than passwords and credit cards. It has specific entry types for bank accounts, passports, reward programs, software licenses, and so on.
It also has lots of built in analysis tools for determining:
- which of your passwords are reused, weak, or present in online password dumps
- what websites can have 2FA enabled on them
As well as the ability to store entire documents in vaults.
Been using 1Password since 2008 and it's the only software of its kind I recommend to anyone on any platform.
-Password sharing
There’s some nice “sanity checks” on all passwords, manual or generated, like reused password warnings and by default it checks your logins at haveibeenpwned, which is a nice to have.
If it were just me, the iCloud stuff would probably be enough.
It has a field for user name and password, both mandatory.
A password manager offers a lot more, including a field for notes or credit card numbers.
I don't think Keychain (up to but not including iOS 15 beta) supports OTP.
On macOS, not much other than Safari seems to use it, I think?
[1] https://techcrunch.com/2019/11/14/fourteen-years-after-launc...
I can understand your frustration about Electron, but I hope you find my explanation reasonable. Please stop spreading misinformation.
Lastpass is a bucket of ass.
They've had security bugs in their browser extension before, but it is almost required to use it - the webapp works horribly without it. My least-used browser gets that extension, so it isn't running most of the time, at least. And with it, the UI is still terrible. The app is just awkward and poorly done.
The one good thing I can say is the user/group model is reasonably implemented.
I switched to KeePassXC a while ago due to the increasing hostility over local stores. Looks like I was right on the money.
KeePass has served me pretty well - it's not as polished, but it works absolutely everywhere due to the numerous client apps on many OSes, and it syncs normally. Toss on something like Dropsync for mobile, and it's pretty streamlined: https://play.google.com/store/apps/details?id=com.ttxapps.dr...
I'd only recommend LastPass if you're a fan of LogMeIn, Ltd. and only being able to see your passwords either on Desktop or Mobile (on the free version).
https://www.passwordstore.org/
The format is plain text. You can git control your password repo. You can organize into directories, etc.
It has an extension architecture; you can have it generate otps, for example. You can have specific passwords unlock with more than 1 key, if you want to do eg. family or business sharing.
There are mobile apps, browser plugins. None as smoothly polished as 1pw, but good ENOUGH. There are (imperfect) tools for migrating, but you can write your own scripts.
So far (using it for 48 hours) the worst part was setting up a gpg key.
I highly recommend pass.
My set up is as follows:
- setup the key, share the private key to other devices who are going to use the same pass store;
- use syncthing to sync my passwords between devices (you can use github - but I just find it works nicely with syncthing);
- all passwords and other content are just gpg encrypted text files;
- use the pass cli utility to read the passwords;
- first line of the text file is the password so the apps and cli will read that into the clipboard (with a time limit to expire if you are on your phone);
- for android phones/tablets I use 'openkeychain' to manage the key and 'password store' as the app to read the encrypted text files and copy the passwords;
There are other browser extensions etc. I just don't find a need to use them though.
It has worked well for me over the years while I have seen the passwords market go more towards a subscription model over time.
My wife uses the same system, I just set it up for her and then it is seamless for her as well.
Note that the private git repo can be uploaded to the cloud, which allows one to access passwords on multiple computers as well as on my phone.
Also I would like to highlight qtpass client for a very user-friendly GUI interface to quickly access passwords.
In my opinion, anyone that has basic knowledge of the terminal should be able to set up passwordstore no problem. Once it is set up, one can use qtpass or other GUI clients.
SaaS is familiar to consumers and ultimately a nicer business model for most products. If you support SaaS for new customers, maintaining the old product / pricing model indefinitely eventually stops making sense. At some point you have to make a move like this.
It is probably particularly timely to do this because Lastpass recently changed their pricing model (whether deliberately aligned or not). It's no longer possible to use the free plan of Lastpass and use it on both desktop and mobile: you have to pick one or the other. For many use cases this is effectively a requirement to use the paid plan. So now 1password has the opportunity to push legacy users to a paid monthly subscription knowing that some portion who may have switched to Lastpass to avoid a monthly fee now won't be able to do so, and will probably just pay the monthly fee to 1password instead.
Check out Chase's privacy policy as an example:
https://www.chase.com/digital/resources/privacy-security/pri...
A number of information sharing activities cannot be limited. This is typical of any bank or financial institution. Your bank has its own vendors, many of them are themselves SaaS and cloud hosted!
Even large, sophisticated banks can be hacked:
https://www.nytimes.com/2019/07/30/business/bank-hacks-capit...
My point isn't to say "Why care at all? Just open the floodgates!" Instead, my point here is that trust and security in our society is only as good as the people and institutions that back them up. We don't use bank vault doors for our front doors just because we have the knowledge that anyone with simple tools can defeat a home lock.
Therefore, I think that the choice of more inconvenient solutions made just to avoid some nebulous what-if scenarios involving privacy is often (but not always) the wrong way to go.
I'm increasingly sick of good standalone software suddenly moving to this model. They are a business, I get it.
However how many subscriptions are we going to have to end up with?
I get it with Slack, Dropbox, Github, etc as they all started with infrastructure to run. But 1Password (and Adobe and others) are pushing profits far far above their users. It's a shame.
> The overwhelming majority of people (97% in fact) choose to subscribe to our new service and many of those who initially purchased a license later changed their mind and traded it in for a membership.
With each of the last two versions, they hid the standalone version more. I'd hardly characterize all 97% of those users as voluntary.
Their PR doublespeak isn't helping either: https://news.ycombinator.com/item?id=28143821
I don't think I can trust this new AgileBits.
I started making a list to answer that question myself. So far, I'm up to SEVENTEEN, but I'm sure I'm still overlooking a few.
The mass migration of apps to the subscription model has killed this sort of exploration and discovery of new apps. As one example, I recently looked for a flight tracker and many wanted more than $30/yr for a tool that is (to me) an occasional convenience.
I worry less about how much I pay to use an app than how much I'm paying when I'm not using the app. It sucks when I'm too busy to use my language learning app and yet somehow I still end up owing the app developer every month. By the time I end up canceling I might have wasted $60 or more, which certainly doesn't motivate me to install the next app that prompts me to subscribe.
I don't know the solution to adequately compensate developers for their work but I hope the subscription mania goes away.
Haven't paid for this software in the past 365 days? Go to the community forum. You can pay 60% of the license charge for another year of updates and support.
Adobe were the last to annoy me, previously I am sure I had paid up for a few months and then unsubscribed. Now it's a 12 month commitment when you take out a subscription.
Off topic; but if you want a flight tracker, and like to tinker, try feeding flightradar24 (or any of the other), while you feed them you get their full membership. A pi and a usb tv card are all you need to get started!
There are ways, but nobody seems to bother to provide a usage-based model. Similar to how cloud providers figured multiple usage plans. I have a feeling that many apps live off people paying but using service really low, so there is no incentive. What's stopping them to offer a different price for 1h - 5h monthly access? They could upgrade to a flat fee automatically if you start using their app every day.
Last github update 657 days ago.
Maybe it's done.
The cloud storage, compute, and egress for a password manager is fractions of a penny per year per user.
Yes, engineering and upkeep and new features costs money. If those features are truly valuable, then the market would bear paying an additional one-time fee, just as photoshop 8 had to be better than photoshop 7 in some way to justify the purchase.*
But what new features could a mature password manager possibly have? Support for newer versions of iOS and Android is the only must-have that comes to mind.
* File format changes notwithstanding.
Now OS's evolve continuously. Semantic versioning be damned!
However, given they have all the passwords for many people, how are they not one of the biggest targets in the world? In their old Dropbox model, I understood the security model. In the service model it's moved to "Just Trust Us".
Is there anyone who can help me understand how this model is secure?
It's basically E2EE (where the encryption key is your master password + secret key, which looks similar to a guid), with the caveat being that 1password is still accessible via the browser so you do have to trust they're not compromising you by saving your secret key + master password separately (that is, unless you're auditing the login page every time you open it).
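The model described in the comment above (an unlock key built from the master password plus a device-held secret key), as an added example that is not part of the thread and not 1Password's own code: a simplified two-input derivation showing why a copy of the server-side record alone does not let anyone verify password guesses offline. The function names, the XOR combiner, the iteration count and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters and sample values for this example only.
PBKDF2_ITERATIONS = 50_000
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SECRET_KEY = "A3-EXAMPLE-7K2Q9D-CONSTRUCTED"
CANDIDATES = ["123456", "letmein", SAMPLE_PASSWORD]  # includes the right password
KEY_CHECK_LABEL = b"vault-key-check"


def derive_unlock_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine a memorised (low-entropy) password with a high-entropy device secret."""
    # Slow stretch of the password, so each guess costs real work.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Keyed hash of the secret key; it is already random, so no stretching.
    sk_part = hmac.new(salt, secret_key.encode("utf-8"), hashlib.sha256).digest()
    # XOR combiner: without sk_part, pw_part reveals nothing about the result.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def enroll(master_password: str, secret_key: str) -> dict:
    """Return what the server would store: a salt and a key-check tag, never the inputs."""
    salt = secrets.token_bytes(16)
    key = derive_unlock_key(master_password, secret_key, salt)
    check = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def try_unlock(record: dict, master_password: str, secret_key: str) -> bool:
    """Client-side unlock: succeeds only when both inputs are correct."""
    key = derive_unlock_key(master_password, secret_key, record["salt"])
    tag = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["check"])


def verifiable_without_secret_key(record: dict, candidates: list) -> list:
    """Which candidate passwords can be confirmed by a party holding only the record?"""
    return [pw for pw in candidates if try_unlock(record, pw, "")]


def demo() -> dict:
    two_secret = enroll(SAMPLE_PASSWORD, SAMPLE_SECRET_KEY)
    password_only = enroll(SAMPLE_PASSWORD, "")  # same scheme with no device secret
    return {
        "owner_unlocks": try_unlock(two_secret, SAMPLE_PASSWORD, SAMPLE_SECRET_KEY),
        "two_secret_confirmed": verifiable_without_secret_key(two_secret, CANDIDATES),
        "password_only_confirmed": verifiable_without_secret_key(password_only, CANDIDATES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The secret key only helps while it stays on the user's devices, which is why the comment's caveat about entering both values into a web page still applies.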
https://support.1password.com/security-assessments/
They've gone pretty far above and beyond what we're used to seeing wrt sharing security details, audit results, and architecture information.
Self hosting would be nice to keep though. Been thinking about setting up a server to hold all that stuff
This is both upsetting and disturbing.
I would be on-board with implementing the write side to opvault if they'd accept the PR, and would also implement the browser extension protocol server if 1Password would specify it, since as others have pointed out the KeePassXC browser extension is suboptimal
Then again, with all the massive outpouring of Bitwarden support in every single one of these threads ever, I am pretty sure the real solution is just to bite the bullet and jump ship to Bitwarden/vaultwarden like everyone else seems to be doing
I'm willing to stick around long enough to see if AgileBits makes good on their local vault something something, but given the past few years of activity, I'm going with "they're bluffing" or "it'll be a horribly hobbled implementation"
I think 1Password made a smart business decision. By cutting loose the need to support local vaults, they can focus more development energy on other things that 97% of their users will appreciate. It's a numbers game.
That said...Electron? Ugh. I already spend half my day grumbling about the Slack app.
It is quite obvious from the response here that 97% of their users who are actually paying attention to these issues are not on the bandwagon. They should rephrase it as "we could fool 97% of our customers into switching after years of misdirection and misinformation".
I was just disappointed that I would have to buy the app again in order to upgrade... because I just couldn’t see why it wasn’t a free update.
We'll scan your passwords so we know you're not a terrorist
wink wink
Granted, the chance of attack is small but the consequences are extreme. There's no single file more valuable on my computer than my password vault.
I preferred buying the license compared to the subscription but I don't particularly mind a subscription for a service I use regularly. I mind the risk to my privacy.
Is it? I would be surprised if attacking 1Password wasn’t a priority for governments and hackers. If the encryption used on vaults is ever broken, compromised, or buggy, users are screwed.
I don’t mind paying a subscription fee if that’s what makes the business work and allows continuous updates.
But either they give us a self-hosted option or I’m done with 1password. Keeping my passwords in someone else’s cloud is a red line for me.
https://survey.1password.com/self-host/
Hopefully they will get the picture.
Maybe I'll try bitwarden.
You may not like the subscription business model, but it isn't rent seeking. Monthly payment != rent seeking.
They’ve gone over and beyond to support old licences far longer than it could be expected, and a password manager is the kind of sensitive and ubiquitous product for which SaaS actually makes sense.
Anyone remotely involved in anything similar knows it’s a PITA to keep up to date while keeping device compatibility, and the folks at 1P have been doing great work.
Subscription services to me are only justified if they are providing a SERVICE which they are with the web version and ability to sync through their own servers, however, using a local version with your own vault can be done without any service at all.
So to me this looks like them intentionally crippling their own software in order to force people into paying a subscription fee that is not necessary. They already hide the ability to purchase a standalone license for 1Password 7 trying to get people to pay the subscriptions so this is the next logical step.
I personally use KeePassXC (Linux/Android). It's shared via cloud, I have a keyfile off device so I'm satisfied it's pretty much completely locked down.
Is it browser integration? Genuinely have no idea why I'd pay for this, or why I'd trust a company with my passwords especially when it's not local.
I still use 1P 6 on macOS even though the missing support for Safari sucks (that actually made me switch to Firefox!)
My point is, there is literally zero added value with the subscription, it’s like buying cars with loans, in fact by buying full licenses I saved money.
I hope that 1P 6 and 7 will last me as long as possible, I don’t see any alternative at the moment. IMHO all other options are less secure and/or less convenient.
Hard disagree. Any security-focused software will have plenty to keep up with between OS changes, browser changes, site changes, new UI patterns, and even simple bug-fixes that you don't get from single purchases.
I'm also not worried about the Mac app moving to electron - I interact with 1password via my mobile or browser plugin 99% of the time anyway, so I just don't really care.
The main 'customer benefit' claim for the electron switch (as opposed to the 'developer benefit') they are pushing is 'consistent UI across platforms' so your view exemplifies that, at best, there is really no customer benefit to the switch.
The chrome extensions stopped working a few years ago so I got into the habit of just manually searching, cutting and pasting my passwords, and saving new ones. I don’t even think about it and it’s very easy. Paying $3/month to have it automatically populate the user name and password fields isn’t worth it for me, especially when the browser does this pretty well once you input it the first time.
I use it dozens of times a day and it works great. It's not as nice as the modern one that works with the subscription/hosted service but it'll certainly be better than what you're currently doing to muddle through.
I still use it because I'd rather pay $10/yr instead of $36/yr. But I wish Bitwarden would take some time to actually make the app not awful in the UI/UX department.
I've been using this product since 3.x. I chose it because I could use a wide variety of syncing solutions. It did what it said on the tin. Gave me a place to store my passwords that was secure.
I was a happy user buying upgrades whenever they came out until 7.x where it took me over an hour to figure out how to buy the non-subscription/cloud version and instead find the link for the standalone version.
I paid for versions that honestly didn't have any features I cared about simply because it kept doing what I wanted it to do.
Gone are the days when you can buy a hammer, and use it to hammer just as many nails as you like until it breaks. Now we have to rent a goddamned hammer apparently. Even that wouldn't be so bad if I could still keep my passwords out of their cloud provider.
They've fucked up, they don't think they have.
So what are the options for someone who just wants a simple place to store a bunch of passwords encrypted in a secure way, with decent clients for ios/mac/windows/linux, that lets me be the only person who has their hands on those encrypted bits?
https://www.passwordwallet.com/
I've been using this for probably a decade now. The UI is ugly as sin, but it works well. I use the Apple Keychain for almost everything, but for my critical passwords, I have copies in PasswordWallet.
PasswordWallet has one feature on macOS that I've not seen in any other app: auto-type, for those times you can't paste into a password field. I use it rarely, but it's nice to have when I need it.
(I have no idea if the Android or Windows clients are any good. I use it only on macOS and iOS.)
That's what the folks at 1P told us all too..
I am being intentionally outrageous but do genuinely feel that a good password manager is foundational to good digital security and I find it baffling that it does not come bundled with operating systems or in some other way offered for free. It's such a basic thing that could be done to increase collective resilience to digital attacks.
(And if 1password doesn't want to sell there should be funding for an open source equivalent with a default server hosted by either the government or a trusted nonprofit.)
bitwarden is free (and open source) and it has just about every feature that the paid ones have. Sync across devices, desktop and mobile clients, notes etc. One of the best pieces of open source software of the last few years and I have no idea why people are paying subscription fees.
How do they plan to stay in business? "We have your passwords now! You would not want to lose them unless you agree to our new pricing policy now, would you?"
[1] https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...
Recent and related: 1password is considering a self-hosted option to store vaults - https://news.ycombinator.com/item?id=28104134 - Aug 2021 (215 comments)
With that said, they've lost a customer here. I would prefer not to pay a subscription, but I might have (though if you do the math, I've had paid upgrades frequently enough I'm not sure they'd have made more money off me with a subscription).
The sticking point is the lack of local vaults and removing the native app. Very disappointing.
The reason I used 1Password to start with and not KeePass was because it was Mac native. It is so deeply depressing to have faster and more efficient computers year-on-year and have all that efficiency wasted by moving to Electron apps. It sounds absurd to say, but there's a real ecological cost to less efficient apps too; it really does add up in aggregate.
The lack of local vault is the ultimate deal breaker, not because I think 1Password are untrustworthy, but because I'm reassured that I don't _need_ to trust them in the same way with a local vault as I need to if they're hosting the vault themselves.
I think what's most disheartening about this is that the customers who dislike this the most are also likely the customers who've been with them the longest and helped them build their business. I know I've been using 1Password since v2.
Given that password management is so central to our daily productivity, jobs, personal lives, I'm not surprised people have some very strong opinions about this. I hope the 1Password management read these threads, but I doubt it.
I will stick with 1Password 7 for as long as I'm able.
Custody of your secrets is something a password manager should move away from, not toward.
I moved my data to Bitwarden this morning.
That being said, the thing that got me to change was when I tried out 1Password for a month and ran into a few minor accessibility issues on their web frontend. I sent a support ticket and very quickly got a response back, was told those issues would be fixed, and was then notified several days later when they were. Like I'm paying 2.99 a month and still received some amazing support. I use a lot of open source projects, and if I have an issue then I try to upstream a fix because the maintainers are usually volunteers, but I've spread myself thin. 1Password gave me the impression that it's in good shape and has great support which was a burden off my mind.
Nobody who values security enough to use a password manager would leave their passwords at the mercy of the next corporate turnabout, when said corporation is evidently untrustworthy.
This is the same lizard-brain self-interest unleavened by any shred of higher brain functions that people like Shkreli exhibit: "the suckers have switching costs so let's jack up the price obscenely while reducing the actual customer benefits." Some people should be kept away from MBA programs.
This is not to take away from all the technical details of 1P's approach to this, but (once again) in light of what we have seen from the "Trillion $ darling of privacy", enabling scanning of personal content, one has to wonder how long before the same is applied by 1P. Remember your vault can store just about anything. I am sure it is only a matter of time before the case is made that we must think of the children.
Irony of all this, I'm someone who is paid to migrate customer security to the cloud. Runs counter to my thoughts on the matter, but not those making the financial decisions on all sides. I certainly don't fault 1P for making the prudent financial decision that 95% of their customers have made. As part of the 5% I shall wring as much out of 1P7 as possible and eventually move elsewhere.
I think they are being fairly transparent. Starting in 2013 their old business model stopped making sense. They were selling individual products for each platform, while trying to integrate all platforms at the same time. The natural solution was to move to a subscription model for a unified service. This provides a multi-platform solution and generates a continuous stream of income.
As a consumer, I actually prefer this model for a security app since it means that it will continue to receive regular updates. There is lots of competition in the space of password managers so I am not worried about them increasing the cost of the service to more than a few dollars a month (if they did this I would just switch to another service).
I'd rather use a standalone extension as a password manager than use a heavy Electron app that will run my Macbook to the ground.
It is either Bitwarden or Dashlane at this point.
Being forced into a 1P subscription feels like a downgrade to me. I've been a faithful customer for years, and have used iCloud synchronization for years as well. My entire household uses the app (through family sharing).
Self hosting it is not an option for me (I know how to, and that's why it's off the table), and purchasing a $5/month subscription feels like it's overpriced for what it delivers. I can get 10 months worth of Family365 subscription for what 1P is asking for a year, and that gives me 6 accounts with 1TB storage each and the entire Office suite.
The thing that seems to annoy people the most doesn't bother me one bit though. If it works I don't care if it's electron or not.
I'm instead evaluating Secrets[1] as a replacement. It requires a $20 in-app purchase to unlock full functionality, but even with 4 people buying it, it's still only 1.5 years of 1P service. For now I will try to get the kids to use iCloud Keychain instead.
As for "what's the rush". 1P7 will receive updates for now, until it doesn't, and at some point an update to MacOS or iOS will make it stop working, at which point I will have lost access to my passwords. I much prefer to be in control of when that happens :)
I feel more and more uncomfortable in the Apple / iOS ecosystem. It’s getting closed down and commodified. Even when there is something cool in terms of tech, they know how to spoil it.
Instead of dealing with Pegasus head on and starting to fix the security culture of iOS/Mac, they make our systems less secure (less open and less hackable).
I find it sad that there are no viable alternatives for non-tech users. I switched last week to a Librem 14 with Arch Linux, KeePassXC and a pixel 5 running grapheneOS, Miiband 6 with GadgetBridge, a System 76 for work. I honestly love it, there are some hiccups, yet it feels exciting, similar to switching from Microsoft to Apple did 20 years ago.
Also moved from programming objective c / swift to rust, elixir and flutter/react. That seems where the innovation happens today for me. As I work in research I have the privilege to easily switch … we need better alternatives and I feel even stronger about supporting open source and projects and companies that care about it (pine, purism, system76, mozilla, …).
But I don't want or need my passwords in the cloud. I don't want or need it to be an electron app. I want a simple, lightweight, highly secure, with good UX password manager. 1Password used to fit that bill. With each successive change it moves away from that.
It accepts Yubikey, is open source, has good reputation and is free.
But please donate. Developers spend a lot of work on FOSS of all kind.
It runs well. However, I do not trust their cloud (or any cloud) completely. I still have a local vault, which is synced locally on WiFi with passwords to my router, NAS, bank cards and accounts, mail accounts. The idea is that should there be a breach at 1password.com the critical accounts do not leak and the damage is limited.
Edit: Local vaults are not available anymore: https://1password.community/discussion/121638/what-is-the-fu...
I have to look for another solution, then. The all-in-cloud bullshit is not acceptable.
I am happy paying upgrade price for each new version of 1Password but I hate the idea of a subscription.
Dropbox syncing works well for me.
1Password has done almost everything they can to stop people from using the standalone version. I am disappointed and angry.
The current app is already bloated by features I don’t use, so I hoped for another evolution of this software.
(I also don’t like the web platform with all those emoji and cheesy design)
That said, I'm sure a lot of people value their current offering for a variety of reasons, and it obviously makes good business sense. I've been burned by subscriptions in the past though, and I don't want to deal with that again if it can be avoided.
Sad to see 1Password use dark patterns to push people towards subscriptions then twisting that into that people don't want licenses, at least be honest about it.
+1 customer lost.
A dead simple (in the good sense!) CLI program that lets GPG deal with encryption and git deal with synchronization and distribution. It's perfect. And FOSS, of course.
You don't even have to run your own internet-facing git repo for synchronization across devices. You can just put it all on GitHub or whatever.
Edit: if it's an electron app, my comment does not make sense, sorry, I'd never buy it anyway.
Well, that's the end of my interest then. I had some curiosity after seeing the Rust integration, but I'm not going to pay a subscription fee to sync the smallest part of my day-to-day life. The convenience really just isn't there for me in a subscription. And no local vaults? Double no, please.
It's not like maintaining standalone licenses and local vault storage is hard, it's already there. Just maintain it.
To be honest, I didn't know it supported local vaults.
No you don't. When you have an awesome product that people love, you just fucking leave it alone. These "rebuilds" always make things worse. See also: Spotify.
I am currently still using them, but once my current apps are no longer supported, whenever that might happen, I will move to another solution rather than paying a subscription for the privilege of storing my data with them.
Uh, I guess I’ll use KeePassXC then.
Trying to buy 1password 7 with a local vault was literally the most miserable software experience I've ever had in decades, so I'm not surprised not many people were using it.
Okay. Then do it.
Make your own password manager. Make your own browser and iOS/Android keyboard extensions for it. Make your own cloud backup/sync of your encrypted passwords.
Do it.
I believe in buying my software once. Not monthly.
They just committed suicide.
A good open-source alternative, I've been running it for a few years after I grew tired of 1Password's shenanigans.