I still can't understand why dropping the local-sync option is that valuable to them. I can deal with the pricing separately—but it's the one-two punch here that seems to be most troublesome.

My only guess is that it's easier to develop and maintain one method, either online vault or local; the other thing is to make 1Password a continued "service", so it's not an app, it's a service, and a service is not a pay-once deal.

There are more chances than not that there is an NDA or non-compete clause in effect, which would kill any shot at going off on their own for a rival product, at least in the next 6-18 months.

Someone similar tried to do the same at Intel about 2 years ago. The guy announced that he was leaving, and in the next 2 weeks he plugged in a USB stick on his laptop, got to his network share, and took his code (that he developed at Intel), and then left to go work at the same position at Micron, which is 1.5 miles down the street from Intel here. Intel caught wind of it (forensics) and sued him for not only the NDA and non-compete violations, but IP theft, because even though he wrote the code, the code that he wrote became the IP of Intel.

The lawsuit is still ongoing, and the developer was fired from Micron before even stepping foot in their building.

In this case, the developers of 1Password would be in the same position and definitely wouldn't want to risk that.

BL.

What if it was free and open source?
 
I think the biggest reason is why would the devs want to quit? Granted I've not been terribly active or following this thread but are the developers upset that the product they're working on is now 100% subscription based and local vaults will go by way of the dodo?
Don't read too much into it. Typical case of consensus bias.
I don't see any devs leaving either, at least not because of this particular business decision.
 
My only guess is that it's easier to develop and maintain one method, either online vault or local; the other thing is to make 1Password a continued "service", so it's not an app, it's a service, and a service is not a pay-once deal.

That's the model they're trying to move to: SaaS, as that's where they think the money is. However, the problem with taking that model is how that model kills a decent revenue stream they have had for years, which is the license model and the repeat customers they get from that model.

What if it was free and open source?

Depending on how the NDA/non-compete is written, even FOSS could be out of the picture for the length of the NDA/non-compete because of the product being a rival product that would compete with 1Password. It will all come down to time and length of time for that NDA/non-compete.

BL.
 
When code for an app is open source, doesn't that mean the bad actors (as well as the good) can see everything in the code and thus have an easier time looking for exploits?
 
When code for an app is open source, doesn't that mean the bad actors (as well as the good) can see everything in the code and thus have an easier time looking for exploits?
Not if the encrypted programming is done right. All the keys and encryption are done after the compiled code is running, meaning that having a look at how they encrypt and what not doesn't necessarily mean any easier way of finding an exploit.
 
When code for an app is open source, doesn't that mean the bad actors (as well as the good) can see everything in the code and thus have an easier time looking for exploits?

No, not really.

With the code being open, those bad actors would have to have some major experience in software development to exploit anything at the code level, plus when that code is checked in, it would be reviewed by everyone on the development team, let alone tested before going out to production as a compiled binary. If they don't have that, then anything that they do at the source level is useless.

Besides, the exploit would have to be exploited only after the binary is compiled, which would happen regardless of if the source were open or closed. If anything, having the code being open source allows for the source to be patched and a new version released BEFORE the exploit is announced, leaving those bad actors behind the curve.

BL.
 
When code for an app is open source, doesn't that mean the bad actors (as well as the good) can see everything in the code and thus have an easier time looking for exploits?

I think it's even more secure when it's open source, since the bad actor can look at the code and even then he still cannot find the exploit. Of course, given that the open source software is something that is continuously reviewed by the community, not something that someone randomly uploaded somewhere 3 years ago and forgot about it.
 
It looks like iOS 15 beta 7 corrected the issue that was causing Bitwarden to crash with the iOS 15 beta.

Heads up folks

Apple fixed the actual issue in iOS 15 Beta 7, so we reverted the changes from the TestFlight build. If you experience crashing again, make sure to update to Beta 7.


 
You don't have much of an entrepreneurial spirit I bet. (That's ok. Not meant as a slight.)

Some people want to be in charge of their own destinies.
I love how people say no offense, (or in your case, not meant as a slight) and then say something negative. You're making sweeping assumptions that the developers are against this - are they? Provide some details. If not then you're using your own personal bias projecting it onto other people.

Perhaps it's ignorance on your part (not meant as a slight but rather lacking in knowledge), that many professionals such as developers can be working either under a contract or have signed paperwork that
1. Restricts them from working for a competitor or on a competing product for a specified period of time.
2. Non-disclosure agreement, meaning the technologies developed/created for the product cannot be shared or used outside of 1Password.
3. Anything they develop while working for the company belongs to the company.

In my professional life, at different times, I've been under various combinations of these.

To be sure, employees come and go, but a shift in using Electron actually makes a developer's life a lot easier: instead of managing several different code bases for different platforms, you manage one. You actually have more time to enhance and roll out improvements as you're spending less time synchronizing changes and managing bugs across different platforms.

I have no idea if the staff at 1Password hate or love this, but I was a developer and I'm still in IT and I can see the advantages (and disadvantages).
 
I wish Apple would just clean up Keychain Access app so I can avoid the entire mess that is password managers. A fresh coat of paint, some "organization" features, etc., and I could avoid the subscription fees, and odd quirks that all these apps have.

Back in Steve Jobs' days, he used to make software/hardware that makes people's lives better and then sell that. He made iMovie and iTunes and gave it for free with the hardware. Now it's the opposite: they make software that makes the most money and has potential to grow.

This is why Apple does not take iWork suite seriously or the password manager, there is no money in it. iOS, iPhones, iWatch, new car, Streaming services...this is where they think they can make big bucks.

It's a difference in philosophy.
 
I just find the password section in the Settings app a poor user experience. Password auto-fill is not always working, so sometimes you do have to go there to retrieve a password; this is just cumbersome. User content should not be put in the Settings app, in my opinion. Apple should at least put that data into a separate app. There are other single-purpose apps, after all.

For me 1Password’s switch to Electron is the final straw. For the most part, Electron apps are poor experiences, they are needlessly bloated in terms of storage and RAM use and just do not fit in that well alongside native Cocoa apps. Not just looks, but behaviour too, such as keyboard shortcuts, accessibility features, state restoration and so forth. Moreover, it irks me to no end that each Electron app contains a copy of a fully-fledged browser engine for its own exclusive use. I understand that there are decent exceptions, notably Visual Studio Code by Microsoft, but I see that as the exception that proves the rule. 1Password has not been as good as it used to be anyway, with a rather poor app design (not just looks, but functionality) and annoying – and still unresolved – issues with the extension whenever the app is updated. On reflection, I found that 99% of my interaction with 1Password is through Safari's auto-fill, for which 1Password is piggy-backing on Safari APIs to begin with.

Bitwarden I find completely terrible. It to me has the worst design of the bunch of password apps I have tried. Even if I could stomach Electron, the design and user experience leaves a lot to be desired.

I will probably switch to iCloud Keychain once iOS 15 and macOS Monterey are released for those passwords that work well with auto-fill and use maybe another local app, like a KeePass derivative, to store the rest of the data. I have been testing KeePassium for iOS with a local database on an SMB server (Synology NAS) and I find it good for that purpose. The developer is currently testing a Catalyst app for macOS too. On the other hand there still is MacPass, which I hope is updated for the current macOS version soon. Both are open source.
 
The Electron app doesn't seem too secure either. Google "electron security breach" for lots of awful reports in the last year or two. Of course 1P claim that their app is totally secure... but that don't mean a whole hell of a lot to me anymore...

Now, with version 8, it's mandatory to store all user data and login credentials ONLY on the developer’s server. So I Googled "1Password terms and conditions" and had a read..... AgileBits take absolutely no responsibility for anything, even negligence.

I am sure that lots of organizations have similar terms, the “we are no worse than anyone else” defence …. but when they mandate that I supply them with my bank login details, credit cards and everything else, to store ONLY on their servers, entirely at my risk…. Nah.

And I have to wonder why they removed the option for paying customers to store their own data on a cloud service of their own choice … servers that AgileBits do not control, servers that do not have millions of users' authentication, banking and credit card details stored in the one place.
 
I came across these two comments on HackerNews. You can create a home-screen shortcut to open the passwords section in the Settings app quickly. I think this is an acceptable solution for me for the time being.
You can create a shortcut in the iOS shortcuts app to open the Passwords area of Settings via an icon on your Home Screen. Just open the following URL in the shortcut:
prefs:root=PASSWORDS
Best tip I have for you around iCloud Keychain right there.
Wow, you’re the real MVP here. Thank you.
For anyone who doesn't use shortcuts often, what you need to do in Shortcuts is:
1. Make a ‘URL’ action to prefs:root=PASSWORDS
2. Hit the ‘+’ and make an ‘Open URL’ action from Safari.
Save, add to Home Screen, and you’re done.

And I have to wonder why they removed the option for paying customers to store their own data on a cloud service of their own choice … servers that AgileBits do not control, servers that do not have millions of users' authentication, banking and credit card details stored in the one place.
They probably technically did not remove the option, rather they did not bother to port/replicate the local vaults in the Rust backend they built for all of their platforms. They did say years ago that online vaults is what they were focussing on, so they were likely not committed to bring local vaults back.
 
Bitwarden I find completely terrible. It to me has the worst design of the bunch of password apps I have tried. Even if I could stomach Electron, the design and user experience leaves a lot to be desired.

The UI is definitely a shock after dealing with more modern looking apps. It almost turned me off of it instantly. I've actually come to really like the browser extension. Most of the time I'm just using it for autofill anyway.

Why isn't everyone just staying on 1P 7?

If you upgrade your operating system eventually it's not going to work. It's what happened to 1P 6.

"1Password 6 was originally released at the beginning of 2016 and was discontinued in early 2018. It was developed for macOS Yosemite, El Capitan, Sierra, and High Sierra, so it will have compatibility issues with later operating system and web browser releases."
 
@srbNYC AgileBits say "older versions will still work on the combination of operating system and browser(s) for which they were originally designed". See 1P forum.
Even if still compatible, one cannot just keep using old Operating Systems and applications without risk. Security-conscious users want the latest OS (or at least one that is still supported) in order to get essential security patches and updates. It's best to use application software that is supported for the same reason. Obviously this is especially true of password managers.
AB say "On April 1st, 2020 we officially put our existing 1Password apps into maintenance mode" - interpret that as you will.
 
Why isn't everyone just staying on 1P 7?

This is based on the assumption that we can get to 1P 7. That version would happen to be the last non x86-variant (read: Silicon) of the app that would allow you to use local vaults. The problem is that while you can download it, you can't purchase the standalone license, as they took the servers that generate those licenses offline. To make it worse, as a byproduct of installing 1P 7, the application puts your vaults into read-only mode until you get a license that you can't get because the license servers are offline. So anyone on an older version of 1Password now has no choice but to go up to the subscription model and no local vaults.

Then add in the issues with Electron, and we have the myriad of problems we have seen in this thread.

BL.
 
the application puts your vaults into read-only mode until you get a license that you can't get because the license servers are offline.
Well, that's an indication of the company's new ethics... so they reckon we should put all our bank access codes, credit cards and stuff on the dev servers of a company with such integrity. Not.
 
The Electron app doesn't seem too secure either. Google "electron security breach" for lots of awful reports in the last year or two. Of course 1P claim that their app is totally secure... but that don't mean a whole hell of a lot to me anymore...

Now, with version 8, it's mandatory to store all user data and login credentials ONLY on the developer’s server. So I Googled "1Password terms and conditions" and had a read..... AgileBits take absolutely no responsibility for anything, even negligence.

I am sure that lots of organizations have similar terms, the “we are no worse than anyone else” defence …. but when they mandate that I supply them with my bank login details, credit cards and everything else, to store ONLY on their servers, entirely at my risk…. Nah.

They want to create an alternate reality where storing passwords is a service that they have to store "safely" in their servers like how you store your money in the bank. It sounds scary to know they have no guarantees if they lost your data, I do not even know my passwords, many of which are a string of alphanumerics. But I imagine they have a backup of a backup of a backup of backup.... so losing your data completely is a pretty minute chance... I think...

And I have to wonder why they removed the option for paying customers to store their own data on a cloud service of their own choice … servers that AgileBits do not control, servers that do not have millions of users' authentication, banking and credit card details stored in the one place.

Yikes, it's scary when you put it this way. Cyber criminals will be targeting that like crazy, but to be fair storing your credentials online has been going on for years now by many services, so far no breaches on the password managers' side. I wonder if something like the T-Mobile breach can happen to something like 1Password.


Why isn't everyone just staying on 1P 7?

Browsers keep updating like weekly, Apple forces you to upgrade your iOS and macOS. In 1 - 2 years' time the app will malfunction or break.

If someone completely finds 1Password necessary they can always subscribe; it's just $30 or so a year. I can afford it, but out of principle I won't support that model and I will not create my own monster. I do not want humanity to rely on any 1 corporate like Google or AWS. If they would go offline, the internet as we know it will go down.
 
They want to create an alternate reality where storing passwords is a service that they have to store "safely" in their servers like how you store your money in the bank. It sounds scary to know they have no guarantees if they lost your data, I do not even know my passwords, many of which are a string of alphanumerics. But I imagine they have a backup of a backup of a backup of backup.... so losing your data completely is a pretty minute chance... I think...

Think about it this way. I know they won't, but roll with it: what if AgileBits decides to pull up anchor, go out of business, and set sail? Keep in mind that the data you have on their servers (your passwords, vaults, etc.) is effectively their data, so they are not legally obligated to give that data back to you should they close up shop. It would take a case in court for them to give that back to you.

So to ask the recurring question: who counsels the counselor? Who does the banker use for their bank? Who backs up your backup, in case your backup is invalid or failed? My point here is that you should always have multiple copies of a backup or multiple copies of your data in different locations so you are not crippled if your backup fails. In fact, a piece of advice I learned from a DBA as he was shifting his work to me because he was leaving his job:

You are never as secure in your backups and your latest backup as your latest restore.

Backups are important, yes, and multiple backups even more important; but all of those backups are worthless if you could not restore from them. This is where a local vault comes in because you wouldn't be stuck with being dependent on them for any disaster recovery. If their service goes down for any reason, anyone using them would be effectively locked out of their password vaults until that service comes back up.

If someone completely finds 1Password necessary they can always subscribe; it's just $30 or so a year. I can afford it, but out of principle I won't support that model and I will not create my own monster. I do not want humanity to rely on any 1 corporate like Google or AWS. If they would go offline, the internet as we know it will go down.

I agree. Redundancy and control are my problem. Passwords are like PCI info. You wouldn't want someone else to have and hold your bank account number, let alone CC number to access the funds in your accounts. Why give the keys to not only your sensitive data, but data that affects your life to someone else? This could even be a case where Ben Franklin's freedom for security quote comes into play.

BL.
 