The latest version of 1p seems to indicate it should be exporting the OTPs (it has a specific keychain export option), but I guess it's not quite a clean process yet then. Will have to see about a cleanup script; there are too many items to do it manually.
 
This doesn't faze me as a Bitwarden user. Their whole business model is based around security, unlike Twitch. The code is already available for everyone to see. Worst case if they were hacked the bad actors would get my encrypted blob. If they were able to get into it (which is a big "if") I would have long changed my passwords before then.


Exactly.

"If for some reason Bitwarden were to get hacked and your data was exposed, your information is still protected due to strong encryption and one-way salted hashing measures taken on your Vault data and master password."

It's also looking like Twitch was a clown show for security:




I'm not missing anything. That was a quote from the Bitwarden website addressing the question "what happens if Bitwarden gets hacked?" I'm well aware that the blob is my data. Someone was saying that the fact that a video game streaming service got hacked made them nervous. Unlike Twitch, Bitwarden is a company dedicated to password security and keeping that data secured. Worrying about their servers getting hacked isn't keeping me up at night but worst case if they did and someone got my encrypted blob they still would have a huge, different mountain to climb to get my unencrypted data.

I must say that the idea of a breach is very unlikely especially those cloud password businesses have been around for some time, and out of all I trust Bitwarden the most since it's open source so everyone can investigate the flaws already, not like closed source ones where some hacker might find a backdoor the AgileBits forgot about before sending an update, just look what happened to FB.

Bitwarden, for me, is a bit too much because running your own server just to use a password manager is jumping hoops for something simple 1password and EnPass has been doing for a long time. Each app has its philosophy though. I can see how cloud is amazing if you had a shared vault and my manager changes a password in his office and I get the update while I am traveling for work meeting.

I don't care about other people's blobs. I care about my personal security. As with anything, there is going to be risk. All you can do is try and minimize exposure. Even with local hosting there are risks.

There is nothing wrong with Bitwarden's setup that I can see much less Strongbox etc.

I think the thread has been going in circles for a while now, because some here are looking for the A+ app in every area checklist.

Not really, I am still benefitting from the discussion and reading about other people's experiences and ideas.
 
Currently only a few tech enthusiasts know about the coming 1PW version. There might be a small **** storm when it is released and the masses realize, that local vaults are missing. Other countries may be different, but here in Germany most companies would not allow storing passwords on some cloud server.

This makes me very wary of cloud based password managers, I am no programmer but I feel like they know something I don't.
 
I must say that the idea of a breach is very unlikely especially those cloud password businesses have been around for some time, and out of all I trust Bitwarden the most since it's open source so everyone can investigate the flaws already, not like closed source ones where some hacker might find a backdoor the AgileBits forgot about before sending an update, just look what happened to FB.

Yep, definitely agree. The open source codebase, third party audits, large userbase, and their frequent engagement with the community were big selling points for me.
 
Currently only a few tech enthusiasts know about the coming 1PW version. There might be a small **** storm when it is released and the masses realize, that local vaults are missing. Other countries may be different, but here in Germany most companies would not allow storing passwords on some cloud server.
AFAIK, one of the key benefits of 1Password is that it's cloud based, and many medium to large companies are storing their financial data, their human resource data on the cloud now, I can't see how this would raise any more red flags than having an employee's dob, ssn and address on a third party server (say ADP, or UKG)

In all honesty, the only **** storm that will occur is with the few tech enthusiasts, Just my opinion but most people probably don't use local vaults and if they're storing their local vaults in iCloud or DropBox, then their vault is in the cloud - kind of defeating the argument of not having your vault in the cloud.

One of the biggest benefits I have with 1Password, and I suspect many other consumers use it similarly is that it works on different platforms. Windows, iOS, iPadOS, android, MacOS, and even ChromeOS, that can only happen if you store your data on a server, i.e., the cloud, that all of those devices have access.
 
I stumbled on this in looking up the 1Password controversy - wanting to see if I missed anything, and to have a better understanding. This Reddit thread is from 1password

Reddit 1Password AMA


Here's a blurb that I came across:
The vast majority of our users are subscribers and aren't using standalone vaults

This just reinforces my opinion that the vault issue is related to a vocal minority, and I get that they're upset, I'm not diminishing their emotions or frustrations. The AMA also has various blurbs about how they're NOT changing directions and they were thinking of dropping standalone vaults earlier, so this is something that's been on the table for some time.

Funny enough, most of the AMA seemed focused on vaults and how poor of a job 1Password did in communicating (no argument), and there were only a scant few references to electron.
 
The issues with 1Password v8:
  • NOW MANDATORY : keep my data on the developer's honeypot server. (my data on a developer's server at my risk - no thanks). I appreciate lots of people don't think this is a problem and that's OK - it's your data to risk if you want.
  • CAN NO LONGER SYNC via iCloud, Dropbox, webdav, etc if I choose. Yes, I know these are cloud services but at least it's just my own Dropbox or whatever - not a honeypot commercial target full of millions of users' data.
  • NO OPTION to buy License purchase. Happy to buy new licences when warranted. No subscription payments - I am not happy to pay every month for fluff features that do nothing for me.
  • WORSE PERFORMANCE AND LESS SECURE : 1P v8 is a demonstrably (read the reddit thread) worse performing Electron app with a bigger attack surface
So such concerns are just a "vocal minority"?.... Certainly the Agilebits company stance has consistently been that everyone wants subscriptions and only fools want local vaults...less than 3% according to the company statements on their user forum.

But interestingly, (in the reddit thread you linked) customers' response to the Version 8 announcement was so bad that Agilebits shut down their own thread to stop the adverse comments and complaints "This thread has been locked by the moderators of r/1Password New comments cannot be posted".

Nobody is saying don't use 1password. Your data, your money, your risk..everyone will what they are happy with.
 
The vast majority of our users are subscribers and aren't using standalone vaults

What's frustrating is that they frame the subscription move as an overwhelming choice people made. If you downloaded 1Password 7 from the Mac app store you could not buy a license at all so you had to be subscription. If you downloaded 1Password 7 from their website the option to buy a license was a tiny link below the buttons to get a subscription. With this setup they almost guaranteed that subscriptions would be the choice the vast majority chose.
 
overwhelming choice people made.
I know what you mean, and I hate subscriptions but even products like bitwarden push their subscription model. There are other open source options that don't have subscriptions but they seem (I've not done an exhaustive comparison) to lack a lot of the things I like about 1password.

Regardless of how you got there, most 1Password customers are subscribers and don't use standalone vaults, so the demands of getting this feature re-added is unlikely - especially given how they seemed to have dug their heels in over what they said in the AMA.


NOW MANDATORY : keep my data on the developer's honeypot server. (my data on a developer's server at my risk - no thanks). I appreciate lots of people don't think this is a problem and that's OK - it's your data to risk if you want.
...
CAN NO LONGER SYNC via iCloud, Dropbox, webdav, etc if I choose. Yes, I know these are cloud services but at least it's just my own Dropbox or whatever - not a honeypot commercial target full of millions of users' data.
I honestly don't see how people can complain about storing their data on a 1password server because they're concerned about data security and yet store it on iCloud or Dropbox. Yes the choice is gone, and that's a bummer but regardless of how you slice it, your data is in the cloud and in all honesty, 1Password is running security audits to ensure the safety of your data. Given how iCloud and Dropbox are generic file sharing products they may not have the same level of protections. Either way your data is on a server.


NO OPTION to buy License purchase. Happy to buy new licences when warranted. No subscription payments - I am not happy to pay every month for fluff features that do nothing for me.
Nope, and I get that bites - and I'm not justifying 1Password's move, but they are not alone, want Acrobat Pro, or Photoshop - that will cost you monthly. I personally would love to get a perpetual license, but that ship has sailed.


WORSE PERFORMANCE AND LESS SECURE : 1P v8 is a demonstrably (read the reddit thread) worse performing Electron app with a bigger attack surface
Here's where there didn't seem much discussions on the AMA, there were a few mentions of Electron and performance but instead everyone was harping on the standalone vault issue. People are more or less more upset over vault thing, and instead not seeming pushing back and complaining as much about Electron. If I were to switch, it will be primarily because of the increased risk of using Electron and if the performance is inferior than what I want.
 
I know what you mean, and I hate subscriptions but even products like bitwarden push their subscription model. There are other open source options that don't have subscriptions but they seem (I've not done an exhaustive comparison) to lack a lot of the things I like about 1password.

In my opinion I don't think it's really comparable to say Bitwarden does a "push" for subscriptions. With 1Password they made it painfully hard to find the option that wasn't a subscription and now they've removed it completely. Bitwarden has you initially sign up for the free option that you can later upgrade to the premium, $10 a year subscription (I'm referring to personal, not enterprise accounts). They say on their pricing page that the free version will be free "forever". I paid for premium because I wanted TOTP codes and to support them but I could have easily gotten by with the free version.

Regardless of how you got there, most 1Password customers are subscribers and don't use standalone vaults, so the demands of getting this feature re-added is unlikely - especially given how they seemed to have dug their heels in over what they said in the AMA.
In response to the ruckus they did put up a survey to gauge interest in self-hosted vaults (like Bitwarden already offers).

 
AFAIK, one of the key benefits of 1Password is that it's cloud based, and many medium to large companies are storing their financial data, their human resource data on the cloud now, I can't see how this would raise any more red flags than having an employee's dob, ssn and address on a third party server (say ADP, or UKG)

As I said, it probably depends on where you are coming from. None of the companies that I have insight in (5 to 6000 employees) would store such data on third party servers.

Regardless of how you got there, most 1Password customers are subscribers and don't use standalone vaults, so the demands of getting this feature re-added is unlikely - especially given how they seemed to have dug their heels in over what they said in the AMA.

Which is not surprising, given how hard they made purchasing the stand alone license in the first place. For storing the data on their servers it would be interesting to know, where the majority of their users is located.

I honestly don't see how people can complain about storing their data on a 1password server because they're concerned about data security and yet store it on iCloud or Dropbox.

I would do neither. But at least storing encrypted data on Dropbox or iCloud adds an additional level of security. Compromised 1PW credentials alone would not be enough to access the data.
 
One of the biggest benefits I have with 1Password, and I suspect many other consumers use it similarly is that it works on different platforms. Windows, iOS, iPadOS, android, MacOS, and even ChromeOS, that can only happen if you store your data on a server, i.e., the cloud, that all of those devices have access
A cloud based server is not the only way to use a product across different platforms though. Some password products will sync over your own wifi connection.
 
Here's where there didn't seem much discussions on the AMA, there were a few mentions of Electron and performance but instead everyone was harping on the standalone vault issue. People are more or less more upset over vault thing, and instead not seeming pushing back and complaining as much about Electron. If I were to switch, it will be primarily because of the increased risk of using Electron and if the performance is inferior than what I want.

We all remember the days of 15 - 20 years ago with the infamous "Script Kiddies", 1337/leetspeak, etc. Most of what those kids did in what they called "hacking" was to exploit the vulnerabilities in HTML, Cascading Style Sheets, and JavaScript, with the latter being exploited the most on a user's or company's website. More on that shortly.

Electron is a language used on the Chromium web/rendering engine, which as mentioned before, has 20 million lines of code in it or more. That's a LOT for a rendering engine, which is heavily bloated, as a simple "hello world" page takes up 100MB of memory.

So now, add in an application like 1Password 8 being written in Electron which is HTML, CSS, and JavaScript based, using that Chromium engine. Electron, like all other HTML, CSS, and JavaScript pages, are still vulnerable to cross-site scripting exploits and similar exploits used by those script kiddies some 15-20 years ago. That platform is not something I would want to write an application in that is going to store password or even more sensitive data than passwords.

That's why a lot of people are up in arms about Electron outside of the bloating and performance.

BL.
 
That's why a lot of people are up in arms about Electron outside of the bloating and performance.
I understand that, you missed my point - the AMA was mostly about the standalone vaults and barely touched upon the use of Electron, and even then it was more about performance issues and not making the product more vulnerable.
 
In all honesty, the only **** storm that will occur is with the few tech enthusiasts, Just my opinion but most people probably don't use local vaults and if they're storing their local vaults in iCloud or DropBox, then their vault is in the cloud - kind of defeating the argument of not having your vault in the cloud.

I think most people do not know where the passwords are stored they know it's just stored. People have been preaching against anti-privacy businesses and still people continue to post their sensitive data on them and when it's leaked they act surprised.

I know what you mean, and I hate subscriptions but even products like bitwarden push their subscription model.

Nope, and I get that bites - and I'm not justifying 1Password's move, but they are not alone, want Acrobat Pro, or Photoshop - that will cost you monthly. I personally would love to get a perpetual license, but that ship has sailed.

No that ship has not sailed. If people like you continue to support subscription model it will sail eventually, but as long as people like me refuse to use the subscription model we will still have options. I have $32 a year, I just do not want to give it to AgileBits.

EnPass has licenses, Affinity Photo has license, all video games work on license (no online, server side play), CarbonCopyCloner, LittleSnitch, Alfred, Pixelmator, FCP, iStat Menus, ..etc no the ship did not sail. That's what AgileBits want to brain wash you with.

That being said, I rather pay a $10/m subscription for expensive software that license cost like $500-$1000 maybe like Maya3D or AVID video suite.
 
I'm thinking about the next models of Macs as well as the rumor mill about the next big event.

From what the main MR page is saying, there's a chance that none of this year's models of Macs will be Intel-based. If that's the case, then I could see Rosetta not lasting any longer than the next 2-3 OS releases; in fact, I wonder if it will make it to the release past Monterey.

If it doesn't, then the clock will be running out fast for a lot of 1Password users with their privacy concerns.

BL.
 
I'm with you on that. Long time 1P user on a licence. I just use it for passwords and happy with it. Not been too bothered about data being stored on their servers, but don't need all the fluff.

I will not be going the subscription route and already have my eye on Minimalist one time lifetime payment.

1P was originally sold as a password manager for Mac and I don't blame them for going for the bigger market and the bigger bucks. But all these subscriptions add up and if there is no licence version I and many others it seems will go elsewhere.
 
I'm with you on that. Long time 1P user on a licence. I just use it for passwords and happy with it. Not been too bothered about data being stored on their servers, but don't need all the fluff.

I will not be going the subscription route and already have my eye on Minimalist one time lifetime payment.

1P was originally sold as a password manager for Mac and I don't blame them for going for the bigger market and the bigger bucks. But all these subscriptions add up and if there is no licence version I and many others it seems will go elsewhere.

There are only two issues with 1Password that I can think of.

1. Their greed - not including standalone licenses as an option
2. The annoying UI issues (autofill dropdown issues are... challenging my zen state all the time, let's say)

Were these issues non-existent, I would have stayed with 1Password. As of right now, it has been about 5 days since I switched from 1Password to Enpass, and I am appreciating the non-annoying way it works. This is the way 1Password used to work, some versions ago.
 
i believe not having a subscription model on an app is greedy and unbefitting of extended consumer use. you expect someone to charge a dollar for weeks or months of work then support you with issues/help/continued updates the rest of your lives?
 
i believe not having a subscription model on an app is greedy and unbefitting of extended consumer use. you expect someone to charge a dollar for weeks or months of work then support you with issues/help/continued updates the rest of your lives?

Do you pay a subscription for MacOS? Do you pay ANYTHING for MacOS? No, you don't. The last version of MacOS that was purchasable was Mountain Lion. After that, they were all free, and supported for the rest of the lifecycle.

Yet here you are, getting support, help, and continued updates for the duration of the lifecycle of the software.

You are effectively contradicting yourself here, not only with MacOS, but with any Apple product you have. Same goes for any Microsoft OS you run. Any non-365 version of MS Office. Heh.. I still got updates for 1Password 6 after doing a full TM restore to my MBA.. you know, something that they stopped supporting 2-3 years ago.. and that Time Machine restore was a little under 3 weeks ago.

Guess you better switch to Linux.. oh wait; CentOS, RHEL, Slackware, Ubuntu, Debian, SLES, and others do the same, or more: they do it for free, with that continued support.

FreeBSD is the route fo... wait, they do the same. Solaris... nope, same thing.

Guess you're stuck not using any applicable OS nowadays, because of the same thing, and none of them require a subscription.

BL.
 
You don’t pay anything for macOS because Apple controls the entire ecosystem and gets money from macOS users via other channels. Same goes for Microsoft, you can’t fairly compare large companies with diversified and interconnected revenue streams to companies targeting one or few revenue channels. But I agree that subscription is only one of possible options.
 
i believe not having a subscription model on an app is greedy and unbefitting of extended consumer use. you expect someone to charge a dollar for weeks or months of work then support you with issues/help/continued updates the rest of your lives? you’re all delusional.

Err, no. Speaking for myself, I'm quite happy to pay for major version updates. If the software is sufficiently secure and robust (which I have found 1P to be), then I don't need support with issues. If the software is easy to use and well-documented (again, which I have found 1P to be), then I don't need help.

Your argument supposes that all users are stupid, and all software is buggy and difficult to use.

And most software costs more than a dollar, by the way.

Subscriptions were not the norm for many decades. It's only recently that the concept of "software as a service" has arisen. Companies seemed to manage fine without that regular income. It's hard to conclude that it's nothing more than a money-grabbing exercise.

Why on earth should I have to subscribe for something as simple as a password manager? It has to do one thing, and one thing only. I'm not a business, so I don't need a huge amount of infrastructure (from Agilebits) to support me. I can host my own vault (locally - shock, horror). My needs are simple, and I'm happy with the software.

Subscriptions evidently work for some people. But they don't for others. So why not give us the choice? Really, how much work is it? You used to be able to buy a standalone license for 1P, so obviously it's not that difficult.
 
i believe not having a subscription model on an app is greedy and unbefitting of extended consumer use. you expect someone to charge a dollar for weeks or months of work then support you with issues/help/continued updates the rest of your lives? you’re all delusional.

I don't expect that at all. I paid $50 for a license for 1Password 7 for my Mac in 2018. I wanted to pay for a license for 1Password 8 but they removed that option. If I would have paid their monthly fee over 3 years it would end up costing me over twice as much money. I started looking at alternatives and found another one I like (that I paid for).
 
Nope, and I get that bites - and I'm not justifying 1Password's move, but they are not alone, want Acrobat Pro, or Photoshop - that will cost you monthly. I personally would love to get a perpetual license, but that ship has sailed.

No that ship has not sailed.

What @maflynn meant was, that ship has sailed for apps that have already switched to a subscription model. And he is correct in saying that the ship HAS sailed. Once a company switches to subscription, there's almost no chance of it ever switching back. This is partially due to the way income is taxed for these sales.

The only financially viable option for a company to switch back to a perpetual license is to kill the current product completely, release a new version with a new name, require new payments from customers, etc. Dealing with the upgrades of existing customers alone would be a nightmare, and it still doesn't address the main reason a company switches to the subscription model to begin with – recurring income.

And if you think companies like Affinity (Serif) aren't eventually going to switch to subscription model in the future... well, enjoy that dream. The ONLY software that won't be subscription are ones that are developed by one person who does it as a side-job where they don't rely on sales of that app as their main source of income.
 