People thinking this is an absurd amount of money are sleeping on how 1Password is quietly positioning itself to become the ground truth storage solution for corporate secret management, across devops and non-technical groups alike.
Given Hashicorp's market cap of 11B, and 1Password's narrative on how to become even more central to corporate use cases by being the storage layer for Vault deployments, it's a very reasonable leap for them to make!
Pretty typical for people here to be zoomed-in on the b2c side of a business because that's what they use, and fail to see the b2b side, the underwater mass of the iceberg.
I think people can see that this is targeting businesses, but they're not happy about that because they're non-business customers.
It doesn't bode well for the future direction of what has up to now been a good consumer-focused product.
Like how Dropbox has gone from "a folder that synchronizes your files" to "an electron app for having discussion threads about files" because that's what business customers want.
I think it's a little weird. I have used 1password at two jobs, and thought it was great, so I bought it for myself. They want money to sync my passwords between my Windows desktop and my iPhone. Seems reasonable to me. I program computers for a living and people pay me.
I guess there was a free self-hosted type thing at one point in the past? That was before I ever heard of the product, so I'm not that upset that it's no longer advertised heavily or whatever.
I do have one complaint. They do have k8s secret management, which I would like to use for my personal cluster, but it's just too expensive for that. Very weird to show it in the UI and then when you try to use it, quote you an insanely high price. (I just use sealed-secrets instead. If my cluster blows up, it will be a very irritating weekend rotating all the secrets. But good to do, so meh.)
Yeah, well, it sucks to pay for an app that is perfect and then have them ruin it because of their b2b aspirations. And raising money like this is just another link in the chain pulling them down into the pit of insanity that ruins the most-beloved password manager ever.
There's a chance that a push toward enterprise may even result in a feature a lot of us more savvy individual customers would love to see as well: self-hosting.
I think this underscores some (but not all!) of the negative reaction to "Zendesk plans to buy (the company behind) SurveyMonkey" — the latter of which has developed significant revenue streams from specific B2B products
They have been doing some pretty unfriendly moves towards their long-term customers, like making sure the new 1Password cannot be used without 'the cloud' like the old one could be.
I have no doubt raising more VC money will only accelerate such trends.
In fact I've decided to move off of 1Password to BitWarden, since at least one can realistically self-host it. That being said, it's not exactly easy to migrate from the latest 1Password so I wrote my own little utility to do it[1].
I think we need more competition to VC backed products in general, just imagine what would happen if the building blocks of say a GNU/Linux system we take for granted today would've been built with the mindset that investors are going to want a return on their investment.
I am not saying there's anything wrong with that in principle, but am not sure I want to surrender my passwords to these kinds of incentives.
This is exactly why I've switched from strongly recommending them, to strongly recommending against them. Plus their cloud security UX is horrendously confusing for everyone I've shown it to.
Whoever is driving their cloud push has probably made the most profitable business decision, but has absolutely no idea how to make a sane product.
Yeah I don’t know how to feel about this. I still have a license that allows me to use it with a local vault.
But I really want to get the family subscription. The Premium BitWarden plan is much cheaper than 1Password but the Family plan doesn’t get you as much of a discount and my parents are on iPhones.
Edit: Dave Teare, the 1Password guy claims that when they were still offering standalone licences in 2018, people picked subscriptions over perpetual licences at more than a 30:1 ratio. Of course, they only showed the monthly price vs the perpetual price. But I’d hope people understand what subscription means.
Long-term 1Password customer here, no affiliation with 1Password or AgileBits.
> They have been doing some pretty unfriendly moves towards their long-term customers
From my point of view this was not hostile at all: I used 1Password with Dropbox sync for years and absolutely loved it as a personal password manager _for myself_. But sharing of passwords with family was a real pain. I gleefully signed up for cloud-hosted 1Password Families at launch and haven't had a bit of regret. Of all the subscription services I use, at $4/mo 1Password is easily the best bang for the buck.
For sharing, it's just sooo much easier than trying to use Dropbox:
- I can invite family members just by entering their email address and 1Password walks them through the setup.
- I can create new vaults with the click of a button and easily select who I want to share them with.
- I can revoke access to members just as easily.
- I don't have to have a Dropbox account and I don't have to wonder about whether I've set the right permissions on my vault files or whether my free Dropbox quota has been reached.
- I don't have to share _my_ vault keys and passwords with someone else to give them access to a vault.
- I can still export and back up an encrypted vault whenever and however I want.
It's no accident that all of these features are the same ones that make their product so attractive to businesses as well: ease of access and sharing are both essential for adoption by businesses.
One more note: I still have my old standalone licenses and can still go back to 1Password 4/6 with Dropbox sync any time I want and not pay another dime, as 1Password still has links to download the older versions on their website: https://1password.com/downloads/mac/
> They have been doing some pretty unfriendly moves towards their long-term customers, like making sure the new 1Password cannot be used without 'the cloud' like the old one could be.
Despite disliking being forced into a subscription system, I gave it a go. Turns out I'm not smart enough to understand their cloud user interface. Was just so confusing.
> 1Password is quietly positioning itself to become the ground truth storage solution for corporate secret management
I think it is the exact opposite. They saw what Dashlane did with a few million bucks and some radio/TV ads and want to throw the same sort of gasoline on the fire. I expect they will have their own VPN, browser, credit monitoring, etc. tie in before they have real enterprise features.
They don't have FedRAMP, no HSM integration, and it can't run in GovCloud. Not to mention it is super clunky to use compared to LastPass and others.
It's still hard for me to fathom this valuation. For example, all the major clouds (AWS, GCP, Azure) have a Secrets Manager as simply one feature. I looked into 1Password secrets when they announced it but couldn't find any reason to use it over a cloud Secrets Manager.
For the same reason one might choose Hashicorp Vault versus the major cloud: cross-cloud, likely a richer feature set, almost certainly faster release cycles, and (for AWS specifically) no stupid "pay per request" billing to try and reason about. I'd guess it can make local development scenarios better, too
It's a leap people make. I wouldn't call it reasonable. There is no way Hashicorp generates 11 billion worth of value. The only reason they get so much cash is the big players are inflating value so they can gobble up as much cash as they can before the market comes to its senses and everything comes crashing down like in 2008.
To be honest, I've just started using that (just set up a brand-new infra, started to provision users and thought it's a good idea to hook it up to a good password manager) and I found their Secrets Automation is (IMHO) barely usable for now. One can create most basic records but that's about it. I realize they don't owe me anything, but - honestly - just from the notoriety of the brand I've had higher expectations.
I hope that's just because they don't have enough people and currently their efforts are stretched quite thin. $620M is a huge amount of money, so hopefully they get new hires and would be able to deliver.
Enterprise stuff is slowly moving away from the use cases that require solutions like 1Password, and since they are neither FIPS 140-2 validated nor have FedRAMP ATOs, they have a lot of work to do.
They also have the issue of all of the crypto nerds going nuts when they start getting their FIPS stuff done.
Atm maybe, but since GCP/AWS provide their own solutions I don't really see 1P or Vault that much valuable - it's a pretty primitive solution with no lock-in or some hard-to-replicate technology.
I really wish they weren't doing away with 1password classic and the native mac app. I like the fact I bought a license, that I can store the data on dropbox or icloud, and it works just fine.
Yes, this is old news and sour grapes on my part. I just don't yet feel like migrating to bitwarden.
I've been using 1password for 12 years since I saw it on a tutorial on peepcode.com. I actually taught my mother how to use it, she's been using it for 9 years, and last weekend she was upgrading all her passwords to use 2fa with the QR code capturing facility.
We had to go find the 1password classic browser extension (something stopped working, needed to reinstall it) and that took a bit of doing. 1password is not making it easy to find anymore, and when she contacted customer support (before talking to me), their response was to upgrade to a paid account and store your passwords on a server.
Ugh.
Honestly, now that they've raised this much cash, would it really be that big of an inconvenience or lift for them to give mac users a native app instead of the electron one and keep allowing legacy users like me to use 1password with our existing licenses and dropbox?
I think they'd be able to hire some additional developers and product/project people to make it happen. Not continuing to work on the classic project just feels like a kick in the shins.
Now, I'm building out my kubernetes cluster at home, and bitwarden is something I'm going to experiment with as a backup, but 1password 7 works fine and I just don't want to migrate to a paid account.
C'mon 1password, make your legacy customers happy!
They should take 20 million, endow a foundation, and have the foundation hire a couple of their original devs to make a clean room, open-source equivalent to 1Password 6. Then those of us who actually just want a self hosted password manager, not a massive whacky cloud secret factory, can use that.
Sigh, what a stupid world we live in, where greed destroys everything good.
Migrate to Bitwarden. I owned a 1 password 6 license and hung onto it for dear life until last year. I technically had a 1 password subscription from work, and when that ended last year, my password experience hit a brick wall. I couldn’t add passwords from Windows. My Mac client refused to work, I had to uninstall multiple times and delete a data directory to erase any sign that 1 password subscription was on the system.
I’m so glad I made the switch now. No pestering pop ups, equally usable on windows and Mac and iOS.
I don't even mind the subscription fee and cloud hosting personally, just make a kickass native app like they always had and I'll stay. If they force me to "upgrade" to 8 and it's not a native app then I'll just use something else like bitwarden.
Similar here, I don’t mind the subscription fee and even like that I can effortlessly pull my passwords from whichever device I need to at the moment. The new electron app is a mess though, even if its data layer is done in Rust. It feels like a cheap imitation of the old one with so many little details being wrong, along with the general sluggishness that comes with a “modern” web stack.
I’m not really happy with any of the other options either though. Bitwarden is stuck in the browser, and the various KeePass clients vary a lot in polish.
It seems a little ridiculous because the UI involved in this sort of app is trivial to build and make nice in practically any native UI toolkit released in the past 20 years. It’s just list views and text fields… I would’ve expected the hard part of building a password manager to be the functional bits, not the UI.
I would be happy to pay the subscription fee for a native app, especially since my partner and parents can use it under the family plan. It works great for that! I've been paying for upgrades since 2007 (version 2.0 I think).
Except that version 7 also introduced some massive UI/UX regressions! There were so many that I started collecting them in a Ulysses note so that I wouldn't forget why 1Password has gone so far downhill.
----
Attachments:
- Attachments used to be attached to entries by dragging files there, and they'd show up at the bottom (if I wanted my passport, there'd be a single Passport entry with copyable fields + jpeg photos of front and back at the bottom).
- Now, every attachment is a separate document cluttering up everything. If I want my passport, I search for "passport" and three separate entries come up: entry with passport details I can copy, and passport-front.jpg and passport-back.jpg. And if I delete Passport entry, the jpegs are still hanging around.
- See [1][2]
----
When it doesn't sync, there's no "force sync" button on iOS. So I just sit there waiting...
----
Can't suppress "duplicate password" warning:
- If I reuse a password on two or more entries, each of those entries shows this warning
- No way to disable it, clutters up the UI
- Some entries have an insecure password for local use, dev use, whatever, so let me disable the warning
- Tons of threads on their forums about this complaining about it [3][4][5][6]
----
Another warning that can't be disabled in preferences: 2FA available but not enabled
- If you have an entry where 2FA is available on that site, you cannot disable the warning if you don't have it set up
- To actually disable this, you need to tag the entry with 2FA (which is dumb because it implies that it has 2FA, but the tag is showing that it DOESN'T have 2FA enabled)
----
Subdomain matching doesn't work:
- This used to actually work fine but it was removed!
- If you have a.test.com and b.test.com with different credentials, 1password treats them as the same website and will ALWAYS show entries for both, breaking autofill
- See [7][8]
----
And after all this, I still planned to continue to use 1Password until they made their version 8 Electron announcement. That's absolutely the final straw and I won't be moving forward with them after that.
Same here. I begrudgingly moved to BW right after they stopped offering perpetual licenses. The UX is poor compared to 1P but for this software I could not continue to use 1P. They've become a deceptively marketed company. I actually had a sub on top of my perpetual license -- the cost is inconsequential and I want(ed) to support their business.
Sorry to break it to you, but 1Password is not going to make any changes to suit your requirements. The company behind it is user hostile and quite stubborn. The only advice I can give is to switch from it to something else. There is absolutely no hope that your requirements will be considered. You can even post in their forums and see how they’ll shoot you down.
> Yes, this is old news and sour grapes on my part.
This is a tangent, but this isn't really the correct usage of sour grapes. "Sour grapes" implies you actually did want it to go away but are saying you didn't out of pride or something. I'm assuming that's not what you're trying to imply.
Bitwarden is a bit of a pain to self-host, it's built for a much bigger scale. Vaultwarden is a simpler solution, and is compatible with the Bitwarden apps. For a handful of users it is worth a look: https://github.com/dani-garcia/vaultwarden
This kind of announcement tends to ring all kinds of alarm bells for me. What kinds of changes should we expect to make those huge investments worthwhile for the investors?
My 1Password installation is grandfathered from a time when it was just a standalone app, without subscription. Will it just stop working one day to bully me into subscribing? Can you even start using 1Password these days without buying a subscription? I'll have to start looking for alternatives today.
Unfortunately yes. You'll still be able to use your license but once that version becomes incompatible with your OS you won't have a choice but to upgrade. I'm disappointed I won't be able to keep the Dropbox sync in 1Password 8. They did have this survey to gauge interest in self hosting it: https://survey.1password.com/self-host/
Seems like a lot of people are missing the piece as to probably why they need the money (and where they're pointing the company in the future). Future of 1Password: https://www.future.1password.com/
I'm actually surprised by all the reactionary comments here with almost no research. 1Password already has integrations with Fastmail and Privacy and have launched a Secrets Automation[0] offering. I'm assuming this money does go partially into the password manager (which they say has always been profitable) but I think the money would actually go into ancillary services for competitors to Vault or Okta for authentication and secrets. Of course, it's not unfounded that as consumers we'd be concerned about the effect this might have on the base product but they've been pretty open about their ambitions since the first funding round a couple of years ago.
1: 1Password already backhanded users once for business reasons. They used to be a nice, local password manager that synced with dropbox or your choice of filesystem. Then they added cloud support and used dark patterns to force adoption of a subscription based cloud service while making the local version harder and harder to use. At some point I gave up, I’m not even sure it’s possible to use locally anymore. It might be that the marginal utility is worth it, but forcing my hand also broke my trust
2: This is now the path of the majority of American corporations, most especially high growth vc funded; make something awesome, grow, extract profits, die. It doesn’t really matter whether it’s burritos or password managers, we’ve seen this pattern one too many times.
> I'm actually surprised by all the reactionary comments here with almost no research.
On the contrary, many of us are already experiencing the paid SaaS squeeze from 1Password long before this fundraising.
It doesn’t matter what they claim to need the money for. The company and product already declined from a great standalone option to a forced SaaS subscription payment with the self-hosted options removed. There’s no way I’m buying the story that they’re raising more money without a goal of squeezing more money from their customers, nor will I believe that they’re only going to get this profit from other customers while ignoring the consumer space.
In the real world, companies don’t actually segment up their product offerings and operate them as separate businesses with separate profitability goals. It’s all one big product mix and they’ll be squeezing money out of everything, wherever they can find it.
This. Where is the nuance and slow thinking, folks?
I don't know much about much, but I do know that the far future of computing isn't going to involve people memorizing and typing complicated passwords, or using finicky password managers. There is massive potential for growth and vision in this space.
Looks like they're aiming to become a cloud-based active directory, abstracting away authentication to a higher level single identity.
They want to become something like a Passport for users across the web.
If they can do this, it will be huge. But hopefully I'm not alone in hating this direction and see tracking individual identities as a small price to pay to protect freedoms.
They will probably go Dropbox route. Dropbox used to be an excellent file sync cloud service with a robust support on many platforms. They did just one thing and did it well. Now Dropbox is positioning themselves as business-team-collaboration-streamlining-platform for everything whose software is balancing between poorly programmed malware and useless enterprise bloatware.
This makes me think that the real problem here is vendor lock in. If users didn't feel such a reluctance to switch between services then there wouldn't be such an incentive to bloat existing services rather than just building it somewhere else.
Apart from lock-in, first mover advantage is a big one too. Humans don’t like change, so they stick with services as long as switching provides no big benefits.
My small company has stayed with our initial bank even though we were quite unhappy with it a couple of times. They didn’t rock the boat too hard, so we‘ve been with them for 8 years already - even though I was _this_ close to quitting sometimes.
Is there a real lock-in in case of 1Password though? I like their UX and integrations, but looks like it is easy to export and move my data to other products if required.
Did they have a choice? Companies like Google and Microsoft provide a package of file sync cloud service bundled with many other services, for the same or lower price. Most people/companies would find that a better deal.
Both the Fastmail[0] and Privacy [1] integrations have made 1Password a joy to use in the past few years. I've used premium BitWarden in the past, but the UX of 1Password is hard to beat. Congrats to the 1Password team!
A lot of comments don't seem to acknowledge the importance of UX to leveling up security. Historically, security products have had terrible UX with everyone working around these and introducing more risks. 1Password is doing a great service here by making security simple and reducing our overall attack surface.
I wholeheartedly agree with the UX comment, and for the "leveling up security" part specifically, I'll point out that 1P 8 now has a "generate horse-battery-stable 'security question' answers" button, which is about as close to the intersection of good UX and good security as I can imagine
My experience with Bitwarden is that their browser extension is gravely broken, which is a subset of UX, but crosses over into "how is this not a 'stop all work and fix it' bug?": https://github.com/bitwarden/browser/issues/1620
I have a paid Bitwarden subscription, because I wanted to give it a fair shake, but based on my experience thus far it'll be years before they catch up to AgileBits
They've also (supposedly) been profitable since inception. It's likely that this round has a significant secondary, which means they're just cashing out part of a profitable business.
Exactly. An increasingly common thing lately is what’s effectively a “private IPO”. That’s what this sounds like - liquidity for investors / staff, and ownership to a small cadre of professionally managed funds vs. the Wild West open markets.
So that means what? My password manager is going to start crypto-mining, and share the profits with me? My password manager is going to report all the sites that I have stored passwords for back to the companies?
Whatever the case may be, I'm sure it's going to turn out to be something completely worthless to me.
Fortunately, there's always Keepass, which keeps plugging away doing exactly what it says on the tin.
It screams CORPORATE. Not a single mention of family or single user. It's all about business security, safely sharing data, protecting your company, etc.
Oddly enough 1Password could innovate productively here: use some market clout to push for a standard way for password managers to do automatic password rolling without user interaction.
Imagine a world where a standardized protocol let a company put out verifiable "we've been hacked notice" and my password manager would just take care of it next time I opened it (or throw a prompt or something).
There's a couple examples already, including one click credit card information saving (through your card issuer), and their private email aliasing through fastmail partnership.
They're probably going to develop some proprietary, closed source authentication SDK, that's not compatible with other password managers, and bribe websites to use it.
Your choice eventually will be entering a standard password and specifically engineered to be annoying CAPTCHA, or pay for 1Password. Use Keepass or BitWarden? CAPTCHA. why? "Security".
Surely there's still room for some innovation in the authentication space?
I remember a few years ago Steve Gibson was working on a certificate based system called SQRL and it sounded pretty cool to me. Maybe 1Password have some ideas of their own?
Sounds like they've noticed both macOS and Windows getting integrated cloud-based password management capabilities and feel the need to branch out in order to stay one jump ahead of irrelevance.
(Disclaimer: I'm a satisfied 1Password customer. Just noting that their competitive edge is wearing razor-thin these days.)
Agreed. And with Edge/Authenticator, it's cross-platform as well (Windows, MacOS, Android, iOS), and as of recently, it's close to feature parity. We dropped our Lastpass subscription. It's probably families like ours that have 1Password worried.
So what's the pitch to the investors then - they'd arguably need to disclose this possibility? Or is this next level of pumping up before dumping on public market via IPO?
Maybe you can't. Everybody has their own risk tolerance, but at some point, everybody's going to have to draw a line. Maybe you're only storing passwords for local services, but almost all of the credentials in my password manager are for services run on some cloud. Even then, did you evaluate all of the code for each of those services? How about the compiler code or the chips? Dell shipped out machines with a hardware trojan in 2010.
I have separate instances for work and personal accounts, so one breach wouldn't affect the other. Since my passwords are distinct, the number of accounts that would actually be useful to them is minimal, and fraud response is a pretty important metric in deciding what companies I do important business with. Identity theft is a problem, but all of this is probably more likely to be leaked in some other database, like the Equifax hack, than through an account compromised in a password manager cloud storage breach.
My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable. I think things like coordinated attacks where they social engineer their way through 2FA— which have been seen in the wild— present a greater real-world concern.
> You can never trust cloud-hosted password managers..
If you examine the source code of a client (for example bitwarden) and make sure that it's not leaking your master password and then compile the soft yourself and not update - you'll be pretty safe.
This will make it similarly secure as e.g. keepass, because even for keepass you should be sure the source is legit
You can never fully trust any password manager unless you audit all of its source code and compile it with a compiler whose source code you have also fully audited. Good luck!
I really hope this means new product offerings with no impact on existing products, rather than "fucking with the product b/c it doesn't make us enough money".. which I'll dub corporate Marak syndrome..
To me it means the contrary. If they had to make those $620M back by just selling password management, then we'd all better expect it to get crazy expensive soon. But if they branch out and start making money on other products and services too, then there's a chance the product I currently use will remain affordable.
1. native app (no bullshit JS based) for speed
2. the same keybindings CMD+\ or Option+CMD+\ to fill in or pop up the menu
3. sync with icloud
4. not look like total shit (ie. lastpass)
Do these basic things and I think you can easily steal 1pass users.
I'm surprised they haven't bought Rainbow or Metamask or made their own crypto wallet yet. Combining their current browser extension with private key management in a crypto wallet makes a lot of sense to me.
https://1password.com/secrets/
https://1password.com/secrets/integrations/
https://1password.com/enterprise-password-manager/
1 - https://github.com/MatejLach/1password-linux-to-bitwarden
I switched to Bitwarden.
I think it is the exact opposite. They saw what Dashlane did with a few million bucks and some radio/TV ads and want to throw the same sort of gasoline on the fire. I expect they will have their own VPN, browser, credit monitoring, etc. tie in before they have real enterprise features.
They don't have FedRAMP, no HSM integration, and it can't run in GovCloud. Not to mention it is super clunky to use compared to LastPass and others.
Personally, I have no experience with lastpass. Just wanted to point out this anomaly.
https://github.com/1Password/onepassword-operator
This solves the “restart pods when my secret is updated” issue which suggests to me that they are not just paying lip service with these integrations.
I hope that's just because they don't have enough people and currently their efforts are stretched quite thin. $620M is a huge amount of money, so hopefully they get new hires and would be able to deliver.
They also have the issue of all of the crypto nerds going nuts when they start getting their FIPS stuff done.
The "all or nothing folder" model that 1Password has has always been very frustrating to me.
Yea it is absurd compared to how much money Google and Facebook raised back in the day.
Yes, this is old news and sour grapes on my part. I just don't yet feel like migrating to bitwarden.
I've been using 1password for 12 years since I saw it on a tutorial on peepcode.com. I actually taught my mother how to use it, she's been using it for 9 years, and last weekend she was upgrading all her passwords to use 2fa with the QR code capturing facility.
We had to go find the 1password classic browser extension (something stopped working, needed to reinstall it) and that took a bit of doing. 1password is not making it easy to find anymore, and when she contacted customer support (before talking to me), their response was to upgrade to a paid account and store your passwords on a server.
Ugh.
Honestly, now that they've raised this much cash, would it really be that big of an inconvenience or lift for them to give mac users a native app instead of the electron one and keep allowing legacy users like me to use 1password with our existing licenses and dropbox?
I think they'd be able to hire some additional developers and product/project people to make it happen. Not continuing to work on the classic project just feels like a kick in the shins.
Now, I'm building out my kubernetes cluster at home, and bitwarden is something I'm going to experiment with as a backup, but 1password 7 works fine and I just don't want to migrate to a paid account.
C'mon 1password, make your legacy customers happy!
Sigh, what a stupid world we live in, where greed destroys everything good.
I’m so glad I made the switch now. No pestering pop ups, equally usable on windows and Mac and iOS.
I’m not really happy with any of the other options either though. Bitwarden is stuck in the browser, and the various KeePass clients vary a lot in polish.
It seems a little ridiculous because the UI involved in this sort of app is trivial to build and make nice in practically any native UI toolkit released in the past 20 years. It’s just list views and text fields… I would’ve expected the hard part of building a password manager to be the functional bits, not the UI.
Except that version 7 also introduced some massive UI/UX regressions! There were so many that I started collecting them in a Ulysses note so that I wouldn't forget why 1Password has gone so far downhill.
----
Attachments:
- Attachments used to be attached to entries by dragging files there, and they'd show up at the bottom (if I wanted my passport, there'd be a single Passport entry with copyable fields + jpeg photos of front and back at the bottom).
- Now, every attachment is a separate document cluttering up everything. If I want my passport, I search for "passport" and three separate entries come up: entry with passport details I can copy, and passport-front.jpg and passport-back.jpg. And if I delete the Passport entry, the jpegs are still hanging around.
- See [1][2]
----
When it doesn't sync, there's no "force sync" button on iOS. So I just sit there waiting...
----
Can't suppress "duplicate password" warning:
- If I reuse a password on two or more entries, each of those entries shows this warning
- No way to disable it, clutters up the UI
- Some entries have an insecure password for local use, dev use, whatever, so let me disable the warning
- Tons of threads on their forums about this complaining about it [3][4][5][6]
----
Another warning that can't be disabled in preferences: 2FA available but not enabled
- If you have an entry where 2FA is available on that site, you cannot disable the warning if you don't have it set up
- To actually disable this, you need to tag the entry with 2FA (which is dumb because it implies that it has 2FA, but the tag is showing that it DOESN'T have 2FA enabled)
----
Subdomain matching doesn't work:
- This used to actually work fine but it was removed!
- If you have a.test.com and b.test.com with different credentials, 1password treats them as the same website and will ALWAYS show entries for both, breaking autofill
- See [7][8]
----
And after all this, I still planned to continue to use 1Password until they made their version 8 Electron announcement. That's absolutely the final straw and I won't be moving forward with them after that.
1 - https://discussions.agilebits.com/discussion/92007/1password...
2 - https://discussions.agilebits.com/discussion/111892/messy-do...
3 - https://discussions.agilebits.com/discussion/95438/reused-pa...
4 - https://1password.community/discussion/106132/suppress-the-r...
5 - https://discussions.agilebits.com/discussion/115492/feature-...
6 - https://1password.community/discussion/104141/watchtower-reu...
7 - https://1password.community/discussion/89271/matching-sub-do...
8 - https://1password.community/discussion/87028/stricting-url-m...
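The subdomain-matching complaint above (a.test.com and b.test.com offered together), shown as an added illustration that is not code from the thread or from 1Password. The vault entries, usernames and the two-entry suffix set are constructed, and the `base` and `host` modes are assumptions about how a generic autofill matcher can be built.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed vault: hosts come from the comment, usernames are made up.
VAULT = [
    {"url": "https://a.test.com/login", "username": "alice-a"},
    {"url": "https://b.test.com/login", "username": "alice-b"},
    {"url": "https://test.org/", "username": "alice-o"},
]

# Tiny stand-in for the Public Suffix List (assumption: a real matcher
# would load the full list instead of two hard-coded suffixes).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def host_of(url):
    """Lower-cased hostname without port or trailing dot ('' if absent)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def base_domain(host):
    """Registrable domain: public suffix plus one label. IPs are returned whole."""
    try:
        ipaddress.ip_address(host)
        return host  # never truncate an IP literal into fake "labels"
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def candidates(page_url, mode):
    """Usernames offered for autofill on page_url under 'base' or 'host' matching."""
    if mode not in ("base", "host"):
        raise ValueError("mode must be 'base' or 'host'")
    page = host_of(page_url)
    if not page:
        return []
    key = base_domain if mode == "base" else (lambda h: h)
    return [e["username"] for e in VAULT if key(host_of(e["url"])) == key(page)]


if __name__ == "__main__":
    for mode in ("base", "host"):
        print(mode, candidates("https://a.test.com/login", mode))
```

Under `base` matching both test.com entries are offered on either subdomain, which is the behaviour the comment describes; `host` matching narrows the offer to the entry saved for that exact host.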
This is a tangent, but this isn't really the correct usage of sour grapes. "Sour grapes" implies you actually did want it to go away but are saying you didn't out of pride or something. I'm assuming that's not what you're trying to imply.
My 1Password installation is grandfathered from a time when it was just a standalone app, without subscription. Will it just stop working one day to bully me into subscribing? Can you even start using 1Password these days without buying a subscription? I'll have to start looking for alternatives today.
If I can't have my passwords everywhere, then the value delivered drops off a cliff
[0] https://1password.com/secrets/
1: 1Password already backhanded users once for business reasons. They used to be a nice, local password manager that synced with dropbox or your choice of filesystem. Then they added cloud support and used dark patterns to force adoption of a subscription based cloud service while making the local version harder and harder to use. At some point I gave up, I’m not even sure it’s possible to use locally anymore. It might be that the marginal utility is worth it, but forcing my hand also broke my trust
2: This is now the path of the majority of American corporations, most especially high growth vc funded; make something awesome, grow, extract profits, die. It doesn’t really matter whether it’s burritos or password managers, we’ve seen this pattern one too many times.
On the contrary, many of us are already experiencing the paid SaaS squeeze from 1Password long before this fundraising.
It doesn’t matter what they claim to need the money for. The company and product already declined from a great standalone option to a forced SaaS subscription payment with the self-hosted options removed. There’s no way I’m buying the story that they’re raising more money without a goal of squeezing more money from their customers, nor will I believe that they’re only going to get this profit from other customers while ignoring the consumer space.
In the real world, companies don’t actually segment up their product offerings and operate them as separate businesses with separate profitability goals. It’s all one big product mix and they’ll be squeezing money out of everything, wherever they can find it.
I don't know much about much, but I do know that the far future of computing isn't going to involve people memorizing and typing complicated passwords, or using finicky password managers. There is massive potential for growth and vision in this space.
They want to become something like a Passport for users across the web.
If they can do this, it will be huge. But hopefully I'm not alone in hating this direction and see tracking individual identities as a small price to pay to protect freedoms.
My small company has stayed with our initial bank even though we were quite unhappy with it a couple of times. They didn’t rock the boat too hard, so we’ve been with them for 8 years already - even though I was _this_ close to quitting sometimes.
- [0] https://blog.1password.com/fastmail-masked-email/
- [1] https://blog.1password.com/privacy-virtual-cards/
My experience with Bitwarden is that their browser extension is gravely broken, which is a subset of UX, but crosses over into "how is this not a 'stop all work and fix it' bug?": https://github.com/bitwarden/browser/issues/1620
I have a paid Bitwarden subscription, because I wanted to give it a fair shake, but based on my experience thus far it'll be years before they catch up to AgileBits
There's definitely going to be feature creep and annoying changes.
Time to consider the alternatives again :(
They've also (supposedly) been profitable since inception. It's likely that this round has a significant secondary, which means they're just cashing out part of a profitable business.
Hmmm, sounds like the time to migrate may be sooner than I'd hoped.
Whatever the case may be, I'm sure it's going to turn out to be something completely worthless to me.
Fortunately, there's always Keepass, which keeps plugging away doing exactly what it says on the tin.
You're probably right. Here's their vision of the future: https://www.future.1password.com/
It screams CORPORATE. Not a single mention of family or single user. It's all about business security, safely sharing data, protecting your company, etc.
Imagine a world where a standardized protocol let a company put out verifiable "we've been hacked notice" and my password manager would just take care of it next time I opened it (or throw a prompt or something).
Doubt this is going to happen though.
A lot less incendiary than your hypotheticals.
https://blog.1password.com/save-in-1password-button-with-ram...
https://1password.com/fastmail/
Your choice eventually will be entering a standard password and a specifically engineered-to-be-annoying CAPTCHA, or pay for 1Password. Use Keepass or BitWarden? CAPTCHA. Why? "Security".
I remember a few years ago Steve Gibson was working on a certificate based system called SQRL and it sounded pretty cool to me. Maybe 1Password have some ideas of their own?
(Disclaimer: I'm a satisfied 1Password customer. Just noting that their competitive edge is wearing razor-thin these days.)
I have separate instances for work and personal accounts, so one breach wouldn't affect the other. Since my passwords are distinct, the number of accounts that would actually be useful to them is minimal, and fraud response is a pretty important metric in deciding what companies I do important business with. Identity theft is a problem, but all of this is probably more likely to be leaked in some other database, like the Equifax hack, than through an account compromised in a password manager cloud storage breach.
My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable. I think things like coordinated attacks where they social engineer their way through 2FA— which have been seen in the wild— present a greater real-world concern.
If you examine the source code of a client (for example bitwarden) and make sure that it's not leaking your master password and then compile the soft yourself and not update - you'll be pretty safe.
This will make it similarly secure as e.g. keepass, because even for keepass you should be sure the source is legit
1. native app (no bullshit JS based) for speed
2. the same keybindings CMD+\ or Option+CMD+\ to fill in or pop up the menu
3. sync with icloud
4. not look like total shit (ie. lastpass)
Do these basic things and I think you can easily steal 1pass users.
Just add crypto wallet functionality (similar encryption skills) and then facilitate both web2 and web3 login.