1Password migrants thread

[svenmany]

An even bigger worry is the loss of local storage. I don't really mean just supporting a local vault. The old 1Password kept daily backups on my local disk. It also supported various file formats to export my vaults. That seems to be gone now. I see there is a new format for export, with files having extension "1pux". Their forums say the ability to import 1pux files has not been implemented yet. So, effectively, there is no way to get a local copy of my passwords.

@svenmany, you are such an idiot. Research before you spout off. Oh wait, that's me!

1pux is just a zip file. When expanded it's just a text file with a JSON string. That JSON string is easily read in a text editor or programmatically accessed. Since it's not encrypted, it will be up to me to keep it an encrypted place (which is virtually everywhere for me). Where did I learn this? Well, I just asked the question on the 1Password forum.

Another user in that thread explained the a full local copy of all passwords are maintain in an SQLite database. So 1Password doesn't even need access to the servers to work. Given that, even if I forget to export the 1pux, my Time Machine backups and clones containing that database will allow me to recover my passwords in case of server failure. In terms of disaster recovery, I do have one remaining issue; I don't know how to install 1Password on a new machine without access to their servers.

Now that I'm mostly satisfied with the lack of vendor tie in or dependency on accessing their server, I only have one remaining complaint - I dislike the browser extension. But, 1Password 8 itself is beautiful, responsive, and really easy to use. I've only tried it on Windows though. Maybe I'm missing something in task manager, but 1Password consumes under 140 MB. It seems to add around 2 MB to the browser process when the extension is used.

So, now I'm left with a personal decision regarding subscriptions and the requirement to keep my passwords on their servers. That's not a complaint; it's just a mismatch between my desires and the product they're offering. 1Password (the company) doesn't have my passwords, they only store my encrypted data. So, I view that to be roughly as safe as my ARQ encrypted backups to various cloud servers (except that my ARQ backups would be a less enticing target). But still, there's no way to argue that keeping passwords in the cloud doesn't increase risk.

This does remind me to mention one thing in 1Password's favor; their support is beyond anything I've ever experienced. I ask a question (or complain about something), a member of the support team responds within a day. Often I get more than one support person responding, to make sure things are correctly and quickly handled. This is completely unrelated to contacting them directly, which is even better.

The support people are smart - across the board. They never seem to misunderstand my questions. Even when I'm nasty and complaining, they stay friendly and responsive. They often link to white papers, documentation, or other threads. I can't fault them in any way. 1Password has invested heavily in support.

My passwords are the most important things I have (don't tell my family). If I do leave 1Password, I will have to confirm that the same level of support is in place with the new product.

 

[bradl]

Right now, I think I'm down to being between two again: Codebook and Enpass.

Both are able to do what I need to do, plus both use SQLCipher, which is FOSS and peer reviewed. both are cross-platform. I'm impressed by the number of browser plugins that Enpass has. I mean, I expect support for Edge, Chrome, Firefox, and Safari. But colour me surprised for them having Opera and Vivaldi support. Plus there is a PortableApp for Enpass.

Zetetic basically wrote the book (pun intended) on password managers, as they've been in the game for 20 years, so we know their track record is impressive. I may have to give both a try and see what I can see.

BL.

 

[MisterSavage]

This does remind me to mention one thing in 1Password's favor; their support is beyond anything I've ever experienced. I ask a question (or complain about something), a member of the support team responds within a day. Often I get more than one support person responding, to make sure things are correctly and quickly handled. This is completely unrelated to contacting them directly, which is even better.

I agree that is a good thing to look for in a password manager. It's also one of the reasons why I chose Bitwarden when I ditched 1Password. They're very active in engaging with their community and holding events for the community. When I've posted questions in their forums and via direct email I've gotten an answer quickly.

 

[Huntn]

@svenmany, you are such an idiot. Research before you spout off. Oh wait, that's me!

1pux is just a zip file. When expanded it's just a text file with a JSON string. That JSON string is easily read in a text editor or programmatically accessed. Since it's not encrypted, it will be up to me to keep it an encrypted place (which is virtually everywhere for me). Where did I learn this? Well, I just asked the question on the 1Password forum.

Another user in that thread explained the a full local copy of all passwords are maintain in an SQLite database. So 1Password doesn't even need access to the servers to work. Given that, even if I forget to export the 1pux, my Time Machine backups and clones containing that database will allow me to recover my passwords in case of server failure. In terms of disaster recovery, I do have one remaining issue; I don't know how to install 1Password on a new machine without access to their servers.

Now that I'm mostly satisfied with the lack of vendor tie in or dependency on accessing their server, I only have one remaining complaint - I dislike the browser extension. But, 1Password 8 itself is beautiful, responsive, and really easy to use. I've only tried it on Windows though. Maybe I'm missing something in task manager, but 1Password consumes under 140 MB. It seems to add around 2 MB to the browser process when the extension is used.

So, now I'm left with a personal decision regarding subscriptions and the requirement to keep my passwords on their servers. That's not a complaint; it's just a mismatch between my desires and the product they're offering. 1Password (the company) doesn't have my passwords, they only store my encrypted data. So, I view that to be roughly as safe as my ARQ encrypted backups to various cloud servers (except that my ARQ backups would be a less enticing target). But still, there's no way to argue that keeping passwords in the cloud doesn't increase risk.

This does remind me to mention one thing in 1Password's favor; their support is beyond anything I've ever experienced. I ask a question (or complain about something), a member of the support team responds within a day. Often I get more than one support person responding, to make sure things are correctly and quickly handled. This is completely unrelated to contacting them directly, which is even better.

The support people are smart - across the board. They never seem to misunderstand my questions. Even when I'm nasty and complaining, they stay friendly and responsive. They often link to white papers, documentation, or other threads. I can't fault them in any way. 1Password has invested heavily in support.

My passwords are the most important things I have (don't tell my family). If I do leave 1Password, I will have to confirm that the same level of support is in place with the new product.

I remember their bs with their change in philosophy basically about everything 1PW stood for. Oh private vaults are much less targets than online servers, oh subscriptions are so much better (for us) and how they hid the purchasable version of their product in the last days of their self serving change of philosophy, everyone is renting software. Well not everyone.

Resist Subscription hegemony! ​

 

[svenmany]

I agree that is a good thing to look for in a password manager. It's also one of the reasons why I chose Bitwarden when I ditched 1Password. They're very active in engaging with their community and holding events for the community. When I've posted questions in their forums and via direct email I've gotten an answer quickly.

Right. I really do like the tone of the Bitwarden site. And open source is generally a mark in any solution's favor. I see they have a lot of training videos. It seems like a first-class company.

I did check out community.bitwarden.com. I guess you're referring to the specific forum named "User-to-User Support (Get help from other Bitwarden users)". They seemed to be positioning it in a way that distances themselves from the responsibility of responding. That actually raised a red flag for me. The 1Password forums are the furthest thing from user to user. I think every thread I've ever read has had a support person participating along with other users.

I'm bouncing around now on the Bitwarden forum and I see one person with a Biwarden logo responding a bit (agreer). I see plenty of threads where a user asks a question and some other user provides a tentative answer, and then the thread ends. I also see threads with unanswered questions. Here's a monstrous thread https://community.bitwarden.com/t/bitwarden-browser-extension-not-saving-log-ins/12086 that's spanned more than a year. It looks like someone with an official emblem by their name got involved after about a year into the problem. A few posts explain where to send a report of the problem. So, my red flag regarding the forum has not gone away.

I'm glad to hear Bitwarden answers direct mail quickly. It's also good to hear that the forum has served your needs.

 

[MisterSavage]

Right. I really do like the tone of the Bitwarden site. And open source is generally a mark in any solution's favor. I see they have a lot of training videos. It seems like a first-class company.

Besides weekly training videos they also hold monthly events where they discuss upcoming features.

I'm bouncing around now on the Bitwarden forum and I see one person with a Biwarden logo responding a bit (agreer). I see plenty of threads where a user asks a question and some other user provides a tentative answer, and then the thread ends. I also see threads with unanswered questions. Here's a monstrous thread https://community.bitwarden.com/t/bitwarden-browser-extension-not-saving-log-ins/12086 that's spanned more than a year. It looks like someone with an official emblem by their name got involved after about a year into the problem. A few posts explain where to send a report of the problem. So, my red flag regarding the forum has not gone away.

Yes, that's Trey and that's one of the BW employees I was referring to. If you look at his history he's very active is responding to user's posts. In their defense on that topic auto-saving a new website's login is something that didn't always work for me with 1Password also. But if you're expecting auto-saving for a new website to work 100% of the time BW is not going to be a good fit. When it doesn't work it takes seconds to manually create a new entry and if you used their password generator it saves a history of passwords it created for a limited amount of time so you can grab it.

 

[svenmany]

Besides weekly training videos they also hold monthly events where they discuss upcoming features.


Yes, that's Trey and that's one of the BW employees I was referring to. If you look at his history he's very active is responding to user's posts.

Thanks for your input regarding support and the like. Bitwarden seems great.

One irony, though. If I were to move to Bitwarden, I'd not go through the effort of self-hosting. So, I'd still have a subscription and my passwords on their servers. But, they are a only $40/year for a family; that is cheaper than 1Password.

I've read the self-hosting docs. The steps are all well within my experience and abilities. It might be fun to try, but I suspect I'd introduce security holes if I were to expose the server to the internet for access when not at home. I'll read back through this thread to see if that's discussed some. Maybe just sync when at home and work disconnected when not at home.

 

[MisterSavage]

I've read the self-hosting docs. The steps are all well within my experience and abilities. It might be fun to try, but I suspect I'd introduce security holes if I were to expose the server to the internet for access when not at home. I'll read back through this thread to see if that's discussed some. Maybe just sync when at home and work disconnected when not at home.

That was my concern as well. I could set it up myself, but do I trust myself to constantly be monitoring/updating my setup for security reasons? Nope.

 

[toasted ICT]

I just got a newsletter from StrongBox. This might be interesting to you.

They have introduced a new version of their product called Strongbox Zero (iOS) with all the networking code stripped out ... Basically, it’s as close as you can get to air-gapping Strongbox without actually air-gapping your device.

Anyway, the Newsletter is a pretty good read. Stuff there about WebDav and SFTP support, Apple Silicon, a UI overhaul and the 1Password Kerfuffle (some interesting comments in that last bit)

If you dont get their newsletter the details are here: https://strongboxsafe.com/updates/strongbox-newsletter-3/

PS: I have zero relationship with any password management company other than as a paying customer. I do use Strongbox for my iOS, macOS environment and prefer it to any other for the reasons I have described in various posts in this thread.

 

[MacBH928]

Funny how Codebook is one time purchase at $20 but 1Password is $3/m forever (or else!) because ItS NoT sUsTaInAbLe

Enpass does not have an Apple Silicon native app yet even after a whole year.

I am back to 1Password on the Mac since my sub is valid for a few more months. The iPhone and Android are using Enpass.

What are my options now?

Strongbox on Mac and iOS with something else for Android? I would rather not use Electron apps and any that require Rosetta today after a year of M1 chips being out. That's kinda plain shoddiness.

I am not sure how much effort it takes to build a silicon app, but my understanding is that its ok to take years to make a native app for a new architecture. What was it like 4 yeas until photoshop became native on intel?

I'm full into the Keepass universe now. Yes, the UI is nowhere near as pretty as 1Password. BUT: On iOS the 1Password app was never that great. Here Strongbox really shines. It looks great, is faster than a lightning and just works.
On MAcOS it's another story. It looks ok, I like the overview and that I can see 20-30 passwords in a row. But it isn't as refined as the iOS version. The dev is very responsive and every small issue I had was fixed after days!!
And there are enough Adroid clients for Keepass. So I don't see a problem there. Just try it!


You could circumvent the issue by making more entries for this site by hand. So when it pops up you just have to fill in the passwords by dropdown.

When you see keepass universe, do you mean you are using multiple apps based on keepass and they all work sync in harmony together no issues?

How is RememBear?

I wouldn't advise

So ..... Codebook just crashed itself and took Safari along with during an autofill instance. Awkward.

This is why I don't use products that are not flagship to the company because its a second thought to them. Its probably a tool made for their own internal use then decided to make money off it. I really doubt they are serious about it like Enpass, 1Password, or Bitwarden.

 

[MacBH928]

Any one gave MyKi a shot and tell us whats it all about?

 

[macintoshmac]

Any one gave MyKi a shot and tell us whats it all about?

A subscription, nonetheless.

 

[pacmania1982]

As a person who has never used a password manager other than Keychain - why would one require such an app? I've never worked that out.

I'm not trolling, I'm genuinely interested.

 

[macintoshmac]

I am not sure how much effort it takes to build a silicon app, but my understanding is that its ok to take years to make a native app for a new architecture. What was it like 4 yeas until photoshop became native on intel?

It was Photoshop. Hence why it may have taken them that long, but it’s also historical of them to delay.

A humble app such as App Cleaner runs without Rosetta on the M1. How long does a password manager need?

 

[macintoshmac]

As a person who has never used a password manager other than Keychain - why would one require such an app? I've never worked that out.

I'm not trolling, I'm genuinely interested.

Suppose you have two devices and remove your keychain on one device (for any reason). Suppose you also manage to do that on another device (for any reason). Guess what will happen?

All your passwords are now lost.

That’s what happened to me, so I speak from experience.

A dedicated password manager makes that kind of stupid oversight (on part of Apple) next to impossible.

 

[MisterSavage]

As a person who has never used a password manager other than Keychain - why would one require such an app? I've never worked that out.

I'm not trolling, I'm genuinely interested.

I can use my password database on my Linux box and my iPad. I can store things such as credit cards for autofilling them. I can export an JSON backup of my password database.

 

[svenmany]

and the 1Password Kerfuffle (some interesting comments in that last bit)

Kind of wish they hadn't gone to the gutter on that one. It seems like they've seen this thread and decided to join in. Maybe they feel their own product doesn't stand on its own merits, so they couldn't take the high road.

I have a lot of respect for the people who recommend Strongbox. I have less respect now for the company behind Strongbox.

 

[Apple_Robert]

Kind of wish they hadn't gone to the gutter on that one. It seems like they've seen this thread and decided to join in. Maybe they feel their own product doesn't stand on its own merits, so they couldn't take the high road.

I have a lot of respect for the people who recommend Strongbox. I have less respect now for the company behind Strongbox.

I read over the blog link. I don't see any foul play on the part of Strongbox. I also don't see any real indication that the company used this thread to take loathsome shots at Agilebits. The lack of enthusiasm for Electron is in many places on the Internet and is a valid issue for many people. You would have to do a lot of blind projecting to arrive at the conclusion you did, in my opinion. I think you should reconsider your statement.

 

[max2]

Codebook looks interesting.

 

[max2]

Never mind looks like it does it by keystrokes interesting!

 

[max2]

Sorry so how do you save new logins in Codebook then ?

 

[max2]

Anyone tried mSecure?

 

[MacBH928]

As a person who has never used a password manager other than Keychain - why would one require such an app? I've never worked that out.

I'm not trolling, I'm genuinely interested.

-Keychain has a difficult GUI imo
-very limited in options
-I think safari only?
-definitely only Apple products
-name of items difficult to understand(encryptions keys, .com.apple.xxx, certificates)
- add tags for search
-stores different info (bank accounts, notes, software registration, credit cards)

you should really use one you are missing out imo, but you are missing out if you use a good one some other might be horrible and Keychain is better. 1Password is really good but as you see the negatives made us leave:
-subscription
-forced cloud storage
-electron app
-For simply evil tactic which I do not support, I do not support companies that go greedy.

Kind of wish they hadn't gone to the gutter on that one. It seems like they've seen this thread and decided to join in. Maybe they feel their own product doesn't stand on its own merits, so they couldn't take the high road.

I have a lot of respect for the people who recommend Strongbox. I have less respect now for the company behind Strongbox.

I think you are blowing things out of proportion, there is nothing wrong they said(Strongbox) .Strongbox is not as popular as 1P but seems like they have a nice dedicated niche following. I think they are a small team with a guy who created an app for his own personal use then made it available for sale.

 

[BigMcGuire]

I think Keychain has a chrome app extension doesn’t it? I haven’t used it so can’t provide any feedback. I can try to install it on Edge next time I fire up my work computer (not till next week!) lol.

 

[svenmany]

I read over the blog link. I don't see any foul play on the part of Strongbox. I also don't see any real indication that the company used this thread to take loathsome shots at Agilebits. The lack of enthusiasm for Electron is in many places on the Internet and is a valid issue for many people. You would have to do a lot of blind projecting to arrive at the conclusion you did, in my opinion. I think you should reconsider your statement.

So Robert, you were one of the people who motivated me to take a look at Strongbox since I respect your opinion. My objection to their post says more about me than them. This is a purely subjective opinion; it impossible for me to justify my distaste for this newsletter.

"gone to the gutter" - That was too harsh. I apologize.

To be clear - as a user or prior user of 1Password, no one has to justify extreme disappointment in the direction 1Password has taken. So, my reaction should not be interpreted as any kind of support for 1Password. Also, I have nothing to say bad about the Strongbox software.

So...

The commenter, Mark, is not a user of 1Password. He's just piling on with the actual users who have real complaints. I wish he had stayed out of it. I feel he's exaggerating and posturing.

Here are some specific wordings that bothered me and my knee-jerk reaction to each (emphasis on "knee-jerk"):

The outcry was immense.

That's just pandering to the people who are mad at 1Password and are looking around for a replacement. He's just trying to foster rage and establish a camaraderie with the people who have legitimate complaints. If I'm mad about something, it's comforting to think of myself as part of a massive wave of discontent. He's using that as a tool.

made the fateful decision to abandon many of its most ardent supporters

He just wanted to use ominous language. "fateful" implies that 1Password did something that seals their fate or their users' fate. I suspect 1Password will not suffer from their decision and they're not locked into anything. I also suspect that 1Password's most ardent supporters are already using the subscription service and won't have an issue with Electron. So, it won't seal the fate of those users.

alienating former fans. Quite the coup…

I hate it when people speak for other people. I'm not alienated; I'm disappointed in 1Password. Before I started using 1Password 8 on Windows, I was actually heart-broken. But, I understood 1Password's business decision.

"Quite the coup.." That's just an insult. He's using irony to suggest it was the opposite of a coup, which dictionary.com defines as "a highly successful, unexpected stroke, act, or move; a clever action or accomplishment." Basically, he's asserting that 1Password made a stupid move. And, he's using irony to elicit a chuckle at such stupidity.

we’ve been struggling to try to help 1Password migrants

He wants to sound noble and altruistic. This is a significant business opportunity; 1Password has left Strongbox's market.

We were a little slow due to the complexity of 1Password’s export file format

Or maybe they're just understaffed. 1Password's export format is pure text JSON; it seems pretty approachable. I hear it's a one-person operation; that could be the challenge here. As a software developer, I know it's always tempting to blame the problem rather than my ability to solve it in a timely manner. Since I don't respect myself when I do that, I don't respect him now for doing it.

One thing we do promise is not to switch to Electron on you. ?

That's just the same tone that Samsung took when making fun of Apple's dropping the headphone jack. Mark is using FUD as a closing remark.

I've been experimenting with version 8 on Windows. It has a 130 MB memory footprint. It's super snappy and pretty. Although this is comparing apples to oranges, that's less memory than 1Password 7 on Mac.

I do worry some about the security concerns raised and plan on studying the issue more. But, Electron is open source and heavily used. I hope security vulnerabilities are patched quickly.


I'm sure Mark is a talented developer with a great product. I wish he had taken the high road.