1Password migrants thread

[bradl]

This is all sound and fury about nothing more than a few bucks. 1Password works flawlessly for me over my multiple MacOS, iOS, and Windows 10 devices and also over my wife's iOS device. One family payment per month, and it seems to stop all intruders in their tracks.

Zero fury on my part. Saw the price was increasing so decided to see what was out there before deciding. Found something different I liked.

Zero fury or price concerns on my part, as I have never been a 1Password user. I wanted the most secure solution that works, and I now have that. That it is cheaper than 1Password is a bonus.

For me, price was a problem. Seeing that I had paid for the standalone version of 1Password and had been using it for years, it makes absolutely no sense for me to pay for it again, let alone pay for a monthly or annual subscription to repurchase what I already had. One wouldn't pay for the same car that they have had for the past 15 years that they had completely paid off 13 years into those 15 years. So why would I pay for something I already have, have owned outright, and then pay to not have any control over what I already have?

"Nothing more than a few bucks?" That statement makes absolutely zero sense.

BL.

 

[johnkree]

What’s your point? There as a vulnerability and it got fixed. All password managers do this.

Edit: here are list of vulnerabilities with Keepass. Again, as long as they get fixed, this is a moot point.

I was responding to the post before this, which simply repeated 1Password's advertising, suggesting that 1Password is secure. You're right, every program has bugs, as I said, any code can contain security issues and vulnerabilities.
Therefore, 1Password is not secure. Just like no program is secure. The difference is that I can't see for myself if the holes have really been closed. And that they have removed the ability to decide for myself where my Vault is stored. I have to trust that Agilebits is telling the truth. And that's hard for me to do. Because they have repeatedly broken their promises, deleted reviews, hidden the cancel button,....

This is all sound and fury about nothing more than a few bucks. 1Password works flawlessly for me over my multiple MacOS, iOS, and Windows 10 devices and also over my wife's iOS device. One family payment per month, and it seems to stop all intruders in their tracks.

Perfect. I'm glad it works for you. And it may still be the best solution for the whole family. Because it is easy to use. I guess the only easier solution is Apples Password.
There also is no fury on my side. Especially not about a few bucks. I bought every iteration of Things, I bought every version of Hazel. I will probably buy the next Affinity Suite again, Keyboard Maestro,...

I don't mind paying for good software. I'm not ok with lying to your user base. I don't mind targeting companies as new customers. I'm not ok with shifting the whole experience to corporate with Electron, no user vaults, telemetry,...

And it's not fury. It is the sum of a lot of things that have convinced me that 1Password is not the right choice for me.

 

[Mr. Heckles]

I was responding to the post before this, which simply repeated 1Password's advertising, suggesting that 1Password is secure. You're right, every program has bugs, as I said, any code can contain security issues and vulnerabilities.
Therefore, 1Password is not secure. Just like no program is secure. The difference is that I can't see for myself if the holes have really been closed. And that they have removed the ability to decide for myself where my Vault is stored. I have to trust that Agilebits is telling the truth. And that's hard for me to do. Because they have repeatedly broken their promises, deleted reviews, hidden the cancel button,....


Perfect. I'm glad it works for you. And it may still be the best solution for the whole family. Because it is easy to use. I guess the only easier solution is Apples Password.
There also is no fury on my side. Especially not about a few bucks. I bought every iteration of Things, I bought every version of Hazel. I will probably buy the next Affinity Suite again, Keyboard Maestro,...

I don't mind paying for good software. I'm not ok with lying to your user base. I don't mind targeting companies as new customers. I'm not ok with shifting the whole experience to corporate with Electron, no user vaults, telemetry,...

And it's not fury. It is the sum of a lot of things that have convinced me that 1Password is not the right choice for me.

So, the audits that 1Password does and other password managers do, all the audits lie? Ok

 

[MacBH928]

1password seems to be falling from the popular list

 

[Mr. Heckles]

1password seems to be falling from the popular list

View attachment 2199587

And? That’s because people are complaining going to subscription. They had Face ID issues, but that is fixed. The people complaining about the subscription has nothing to do with the actual app.

I go though most reviews. It’s like on eBay or Amazon when I see a bad review because UPS did something out of the sellers hands.

I get your goal is to bash them.

 

[MacBH928]

I am pretty sure EVERY password manager says this. It's easy to cherry pick stuff you want to post.

And I was correct...
Bitwarden's TOS


They too, can change the pricing:

Keeper also has wording they are not responsible also:

My point was that if you pay over using the FOSS options you are not getting any "Extra" security. They all declare you are on your own. Do not think that just because you pay you will be "protected".

I think it all boils down to which developers you trust to have your back.

@gregmac19
thanks for the link. I know someone posted here on before about it but couldn't find it.

This is all sound and fury about nothing more than a few bucks. 1Password works flawlessly for me over my multiple MacOS, iOS, and Windows 10 devices and also over my wife's iOS device. One family payment per month, and it seems to stop all intruders in their tracks.

You are missing the point. This thread not to say that 1password is a bad product. This thread is about saying we do not like 1password business behaviour and decision and decided to migrate. Here are some issues:-

• Agilebits paints the subscription model as something their customers asked for 😂
• electron app
• abandoned support for paid license users
• no longer offer license, forced subscription
• no longer offer local vault storage. Forced their cloud storage

If you have no problem with this by all means use 1password, its a good app if not the overall best but there are caveats

At the cost of leaving your data in the cloud. Not everyone wants that lack of control over their data, especially since what a lot of people are looking for is something that 1Password had been offering for over 10 years.

Additionally, the same thing that you are saying here is the same thing that people said about both Dashlane and LastPass.. and look what happened.

BL.

exactly,

I am guessing these corporates do not hire idiots for cybersecurity either and look at the mess

Data Breaches That Have Happened in 2024 & 2025 - Updated List

An Apple data breach, as well as breaches suffered by Meta, Twitter, and Samsung, have affected millions of people over the past 12 months.

tech.co

 

[MacBH928]

There are couple problems here.

And? That’s because people are complaining going to subscription. They had Face ID issues, but that is fixed. The people complaining about the subscription has nothing to do with the actual app.

If people complain about subscription -> People stop paying -> lose customer -> business shutdown

see how it works? Customer must be happy despite the product being great or not. Its the whole idea behind a business . You have something that someone else willing to pay for. Which reminds me of Segway that had a cool product just no body wanted to buy it.

I go though most reviews. It’s like on eBay or Amazon when I see a bad review because UPS did something out of the sellers hands.

Thats different, UPS fault is not the vendor's fault. agilebits decisions is their actions not 3rd party.

I get your goal is to bash them.

They deserve to get bashed because what I got from them is the same vibe I get from Facebook, they want to milk the user for maximum profit for themselves. I choose to do business with people who work more on a win-win scenario like Bitwarden, Carbon Copy Cloner, iStatMenus and such...

 

[Mr. Heckles]

There are couple problems here.
If people complain about subscription -> People stop paying -> lose customer -> business shutdown

If…. If they were truly losing money, they would have raised prices and there would be layoffs. The fact they haven’t raised the prices yet since the subscription came out says a lot. Everyone’s prices is going up, including Apple Music. I expect 1Password will raise prices, because everything is costing more.

Thats different, UPS fault is not the vendor's fault. agilebits decisions is their actions not 3rd party.

You’re 100% right it’s UPS’s fault, but people like to give poor reviews to the product because of it, and I see it all the time. Anyone with 1/2 a brain would read though comments to get the real story. Just like you need to read them on Amazon and eBay.

People who give bad review on other things besides the actual app itself and on how it works, they just like to complain and whine.

They deserve to get bashed because what I got from them is the same vibe I get from Facebook, they want to milk the user for maximum profit for themselves. I choose to do business with people who work more on a win-win scenario like Bitwarden, Carbon Copy Cloner, iStatMenus and such...

Again, if they wanted to milk their users, wouldn’t they have raised their prices a few times by now? They haven’t in years.

Now Evernote IMO milks thier users, they are going up again to over $14 a month. This is the 2nd time I know off hand they raised prices in the last 3 years.

If 1Password raises now, it’s still not bad considering they haven’t raised it in years (again, since the subscription came out). You also can’t compare this to Facebook, because facebook has a whole different model to make money. When has the price of Facebook gone up… so how are they miking it’s users? Everyone on Facebook knows the price is your data.

I use Bitwarden (I always try others just so I can keep up on stuff) and I said it and others have too, it’s not as polished. Even though it’s not as polished, I do recommend it.

 

[johnkree]

So, the audits that 1Password does and other password managers do, all the audits lie? Ok

Oh, what do audits have to do with what I said? Potato tomato? 1Password had security flaws despite having audits.
Audits are done to find security flaws and to gain customer trust. The first part makes sense, the second part not because it's like:
"We don't listen to what private customers want, we have to listen to the corporate ones because there's the most money to be made. So what do we do to get those private customers back? Ah, lets do some yearly audits. My excel sheet says audits are cheaper than local vaults."
It's the 101 of big company attitude. Let's think big.
Audits mean that a private company pays another private company a lot of money to look at their stuff and give them a certificate that they are legit and not shady. This is ridiculous by itself.

LastPass was and is regularly audited by external companies. Despite this fact it had 3 data breaches since August 22. Three. In two cases they stole user data like customer data, email adresses, names, phone numbers, billing information and security questions and answers.

Wirecard, a German payment processing company, experienced a major scandal in 2020. The company was accused of inflating its revenues and fabricating billions of dollars in fictitious assets. The scandal revealed deficiencies in the auditing process, as external auditors from Ernst & Young were unable to identify the fraudulent practices.

WorldCom, a telecommunications company, engaged in accounting fraud on a massive scale. The company inflated its profits by over $11 billion through improper accounting practices. Despite external audits conducted by reputable firms such as Arthur Andersen and KPMG, the fraud went undetected until internal whistleblowers brought it to light.

Lehman Brothers: Lehman Brothers, a global financial services firm, collapsed in 2008 in one of the largest bankruptcies in history. The collapse revealed extensive accounting and financial irregularities, including the use of accounting techniques to disguise debt levels. The company's external auditor, Ernst & Young, faced criticism for its failure to raise concerns about Lehman Brothers' accounting practices.

Nord VPN was audited by external companies. Despite the audits it had a data breach in 2018.

And? That’s because people are complaining going to subscription. They had Face ID issues, but that is fixed. The people complaining about the subscription has nothing to do with the actual app.

I go though most reviews. It’s like on eBay or Amazon when I see a bad review because UPS did something out of the sellers hands.

I get your goal is to bash them.

Really? Because most of the reviews on google I can read are about clunkyness, slow UI, too big icons, crashes...

1Password: Passwort-Manager – Apps bei Google Play

Der sichere Passwortmanager zum Speichern von Passwörtern, Karten, Notizen usw.

play.google.com

The same in the app store:
clunky, not saving generated passwords, not working as intended,...

‎1Password: Passwort Manager

‎1Password hilft Menschen seit 2006 dabei, ihre Passwörter zu vergessen. Laut The New York Times Wirecutter genießt 1Password das Vertrauen von Millionen von Menschen und mehr als 150.000 Unternehmen und „bietet die beste Kombination aus Funktionen, Kompatibilität, Sicherheit und...

apps.apple.com

 

[Mr. Heckles]

Oh, what do audits have to do with what I said? Potato tomato? 1Password had security flaws despite having audits.
Audits are done to find security flaws and to gain customer trust. The first part makes sense, the second part not because it's like:
"We don't listen to what private customers want, we have to listen to the corporate ones because there's the most money to be made. So what do we do to get those private customers back? Ah, lets do some yearly audits. My excel sheet says audits are cheaper than local vaults."
It's the 101 of big company attitude. Let's think big.
Audits mean that a private company pays another private company a lot of money to look at their stuff and give them a certificate that they are legit and not shady. This is ridiculous by itself.

LastPass was and is regularly audited by external companies. Despite this fact it had 3 data breaches since August 22. Three. In two cases they stole user data like customer data, email adresses, names, phone numbers, billing information and security questions and answers.

Wirecard, a German payment processing company, experienced a major scandal in 2020. The company was accused of inflating its revenues and fabricating billions of dollars in fictitious assets. The scandal revealed deficiencies in the auditing process, as external auditors from Ernst & Young were unable to identify the fraudulent practices.

WorldCom, a telecommunications company, engaged in accounting fraud on a massive scale. The company inflated its profits by over $11 billion through improper accounting practices. Despite external audits conducted by reputable firms such as Arthur Andersen and KPMG, the fraud went undetected until internal whistleblowers brought it to light.

Lehman Brothers: Lehman Brothers, a global financial services firm, collapsed in 2008 in one of the largest bankruptcies in history. The collapse revealed extensive accounting and financial irregularities, including the use of accounting techniques to disguise debt levels. The company's external auditor, Ernst & Young, faced criticism for its failure to raise concerns about Lehman Brothers' accounting practices.

Nord VPN was audited by external companies. Despite the audits it had a data breach in 2018.



Really? Because most of the reviews on google I can read are about clunkyness, slow UI, too big icons, crashes...

1Password: Passwort-Manager – Apps bei Google Play

Der sichere Passwortmanager zum Speichern von Passwörtern, Karten, Notizen usw.

play.google.com

The same in the app store:
clunky, not saving generated passwords, not working as intended,...

‎1Password: Passwort Manager

‎1Password hilft Menschen seit 2006 dabei, ihre Passwörter zu vergessen. Laut The New York Times Wirecutter genießt 1Password das Vertrauen von Millionen von Menschen und mehr als 150.000 Unternehmen und „bietet die beste Kombination aus Funktionen, Kompatibilität, Sicherheit und...

apps.apple.com

So, you’re saying Bitwarden’s audits are the same issue then…. Everything you say about audits, every single company can do the same. So, why trust any apps at all?

I was saying audits because you said 1Password claims it’s secure, well I was showing you why they say that (one of the reasons).

I need to find the article, I think it was on Reddit. 1Password has the most audits. Having 1 audit 5 years ago doesn’t mean anything. 1Password had audits just a few months ago. They also have a million dollar bounty.

Show me an app or operating system that doesn’t have some issues. I haven’t been on Google, but I bet if your remove “they went subscription omg”, it would be different.

 

[Septercius]

If…. If they were truly losing money, they would have raised prices and there would be layoffs. The fact they haven’t raised the prices yet since the subscription came out says a lot. Everyone’s prices is going up, including Apple Music. I expect 1Password will raise prices, because everything is costing more.

Didn't they get a huge load of investment from external sources? That would remove the need to raise prices. So the fact that they haven't increased prices actually says very little.

 

[johnkree]

So, you’re saying Bitwarden’s audits are the same issue then…. Everything you say about audits, every single company can do the same. So, why trust any apps at all?

I was saying audits because you said 1Password claims it’s secure, well I was showing you why they say that (one of the reasons).

No. I was saying that there are two reasons for audits: The first is to give external entities access and find issues. That is a good thing.
The second reason is pure marketing. A big company is paying another company to give them a certificate they can pin to their landing page to assure customers of their good will and honesty. Which is ridiculous because we all know that money can buy almost everything and that audits in a lot of cases have been absolutely useless (Wirecard,...).

And yes, if you want to compare Bitwarden and 1Password:
Bitwarden has about 15-20 Million users (8% market share). If just 0.1% of them are able to read code, there are thousands who have the ability to review and audit the code on a daily basis.

Thousands. Daily. Not one or two times a year by a company they are paying for.

I need to find the article, I think it was on Reddit. 1Password has the most audits. Having 1 audit 5 years ago doesn’t mean anything. 1Password had audits just a few months ago. They also have a million dollar bounty.

Show me an app or operating system that doesn’t have some issues. I haven’t been on Google, but I bet if your remove “they went subscription omg”, it would be different.

See above and my other post: Audits don't mean a thing. They are literally paid reviews. You have to trust the audit company that they are honest. And yes there are some very renowned audit companies. Per example the one that audited Wirecard. Do you think a company like Microsoft would pay an external company to write a bad review?

Didn't they get a huge load of investment from external sources? That would remove the need to raise prices. So the fact that they haven't increased prices actually says very little.

620 millions in 2022. They are now at 570 employees and still have plans to grow and buy other companies. Everyone who still thinks that Agilebits is your friendly neighborhood garage developer is illusionary. It is just another big corp with big corp goals:
Market Expansion, Mergers and Acquisitions, International Expansion, Strategic Partnerships and Alliances, Operational Efficiency...

 

[maflynn]

If just 0.1% of them are able to read code, there are thousands who have the ability to review and audit the code on a daily basis.

But do thousands of people review the code? I'm not knocking BW, and I think having it opensource is great, but I do wonder if the benefit of opensource is over exaggerated

 

[Alwis]

But do thousands of people review the code? I'm not knocking BW, and I think having it opensource is great, but I do wonder if the benefit of opensource is over exaggerated

I did once to verify their claim, that data is encrypted locally and not on the server, but for sure I will not do this on a daily basis.

 

[Mr. Heckles]

No. I was saying that there are two reasons for audits: The first is to give external entities access and find issues. That is a good thing.
The second reason is pure marketing. A big company is paying another company to give them a certificate they can pin to their landing page to assure customers of their good will and honesty. Which is ridiculous because we all know that money can buy almost everything and that audits in a lot of cases have been absolutely useless (Wirecard,...).

And yes, if you want to compare Bitwarden and 1Password:
Bitwarden has about 15-20 Million users (8% market share). If just 0.1% of them are able to read code, there are thousands who have the ability to review and audit the code on a daily basis.

Thousands. Daily. Not one or two times a year by a company they are paying for.


See above and my other post: Audits don't mean a thing. They are literally paid reviews. You have to trust the audit company that they are honest. And yes there are some very renowned audit companies. Per example the one that audited Wirecard. Do you think a company like Microsoft would pay an external company to write a bad review?

You think the companies that audit do it for free and out of the kindness of their hearts? They also have employees and bills to pay. There is a difference paying someone to do it and paying someone off to do something. These companies also put their names on it. If they missed something, it would make them look really bad and no one else would use them. You think a company would risk losing credibility and going out of business?

Banks also do audits, but don’t trust them. Apple also has a bounty and audit program, but don’t use their products because the audits mean nothing. Great.

Didn't they get a huge load of investment from external sources? That would remove the need to raise prices. So the fact that they haven't increased prices actually says very little.

Every company I dealt with with something like this, the investors usually want their money back quickly, and want to see a return. Again, they aren’t giving money out of the kindness of their hearts, they do it because they want to make money, that’s how investing works.

I worked for a company that use to buy apartment complexes. They would buy one, raise rents right away (because they want to make their money back as fast as possible) and sell it to the next company. The next company would do the same.

 

[MacBH928]

If…. If they were truly losing money, they would have raised prices and there would be layoffs. The fact they haven’t raised the prices yet since the subscription came out says a lot. Everyone’s prices is going up, including Apple Music. I expect 1Password will raise prices, because everything is costing more.

Again, if they wanted to milk their users, wouldn’t they have raised their prices a few times by now? They haven’t in years.

Now Evernote IMO milks thier users, they are going up again to over $14 a month. This is the 2nd time I know off hand they raised prices in the last 3 years.

If 1Password raises now, it’s still not bad considering they haven’t raised it in years (again, since the subscription came out). You also can’t compare this to Facebook, because facebook has a whole different model to make money. When has the price of Facebook gone up… so how are they miking it’s users? Everyone on Facebook knows the price is your data.

I doubt they dare to raise prices now. There are many other password managers and I think the moment they step it up from $3 to $5 , people will flock else where...especially when they know Bitwarden does the same thing totally free. I think in the numbers they see and realise their subscription only model was a mistake and now they are afraid to push it even further, but who knows?!

You are right about Evernote, but 2 things to consider:-

-Evernote was always subscription
-People willing to pay for a notes app are much less than people who need a password manager. Everyone needs a password manager (at least those who care about their online accounts). So globally we can see if 1PW priced at $1/m at 10M user base they will make $10M a month (hopefully the developer can finally eat) but lets assume Evernote has only 500K users willing to pay for a notes app, Even pricing it at $10/month will make them $5M a month (much much less than 1PW).

Plus I think developing a multiple platform notes app on the level of Evernote is much more complicated than password manager and hence needs more resources (I think. I am not a developer)

I use Bitwarden (I always try others just so I can keep up on stuff) and I said it and others have too, it’s not as polished. Even though it’s not as polished, I do recommend it.

You are right (although I hear 1PW8 is not smooth) but I give Bitwarden a pass because:-

-Its free , can't complain when you getting something for free
-Its FOSS

---
Even Bitwarden has issues we criticised 1PW for like no local storage and electron app (I believe), but I don't have to pay $3/M for it.

Oh, what do audits have to do with what I said? Potato tomato? 1Password had security flaws despite having audits.
Audits are done to find security flaws and to gain customer trust. The first part makes sense, the second part not because it's like:
"We don't listen to what private customers want, we have to listen to the corporate ones because there's the most money to be made. So what do we do to get those private customers back? Ah, lets do some yearly audits. My excel sheet says audits are cheaper than local vaults."
It's the 101 of big company attitude. Let's think big.
Audits mean that a private company pays another private company a lot of money to look at their stuff and give them a certificate that they are legit and not shady. This is ridiculous by itself.

LastPass was and is regularly audited by external companies. Despite this fact it had 3 data breaches since August 22. Three. In two cases they stole user data like customer data, email adresses, names, phone numbers, billing information and security questions and answers.

You know I never thought of it this way. If you get audited, what does it mean? Surely it doesn't mean you are not vulnerable to attacks so that makes security issues moot. The part I care about in an audit to know there is nothing funny happening behind the closed doors for my privacy.

Really? Because most of the reviews on google I can read are about clunkyness, slow UI, too big icons, crashes...

1Password: Passwort-Manager – Apps bei Google Play

Der sichere Passwortmanager zum Speichern von Passwörtern, Karten, Notizen usw.

play.google.com

The same in the app store:
clunky, not saving generated passwords, not working as intended,...

‎1Password: Passwort Manager

‎1Password hilft Menschen seit 2006 dabei, ihre Passwörter zu vergessen. Laut The New York Times Wirecutter genießt 1Password das Vertrauen von Millionen von Menschen und mehr als 150.000 Unternehmen und „bietet die beste Kombination aus Funktionen, Kompatibilität, Sicherheit und...

apps.apple.com

I never thought to check the play store. 1PW is the least popular and lowest rated app between the password managers it seems. Maybe 1PW is the underdog and not the main player here. 500 employees and the lowest rating. Probably all working on sales and marketing 😂

 

[Apple_Robert]

I doubt they dare to raise prices now. There are many other password managers and I think the moment they step it up from $3 to $5 , people will flock else where...especially when they know Bitwarden does the same thing totally free. I think in the numbers they see and realise their subscription only model was a mistake and now they are afraid to push it even further, but who knows?!

You are right about Evernote, but 2 things to consider:-

-Evernote was always subscription
-People willing to pay for a notes app are much less than people who need a password manager. Everyone needs a password manager (at least those who care about their online accounts). So globally we can see if 1PW priced at $1/m at 10M user base they will make $10M a month (hopefully the developer can finally eat) but lets assume Evernote has only 500K users willing to pay for a notes app, Even pricing it at $10/month will make them $5M a month (much much less than 1PW).

Plus I think developing a multiple platform notes app on the level of Evernote is much more complicated than password manager and hence needs more resources (I think. I am not a developer)





You are right (although I hear 1PW8 is not smooth) but I give Bitwarden a pass because:-

-Its free , can't complain when you getting something for free
-Its FOSS

---
Even Bitwarden has issues we criticised 1PW for like no local storage and electron app (I believe), but I don't have to pay $3/M for it.



You know I never thought of it this way. If you get audited, what does it mean? Surely it doesn't mean you are not vulnerable to attacks so that makes security issues moot. The part I care about in an audit to know there is nothing funny happening behind the closed doors for my privacy.




I never thought to check the play store. 1PW is the least popular and lowest rated app between the password managers it seems. Maybe 1PW is the underdog and not the main player here. 500 employees and the lowest rating. Probably all working on sales and marketing 😂

A low rating on the Play Store or even the App Store doesn't really mean a lot, in and of itself. Far too many people give low ratings for things that are either the users fault for not reading the description ahead of time, making assumptions before purchase, or giving a low rating because the app looks or works a little differently on a different OS.

If I want an honest opinion about an app, I will do an earnest Internet search on the product, as well as seeking some feedback from the MR community, with the latter being far more useful than making a logical fallacy conclusion like you did.

As to subscription pricing for 1Password, neither you or Mr. Heckles realistically make the arguments you have because they are both logical fallacy positions and a waste of time to debate.

 

[MacBH928]

So, you’re saying Bitwarden’s audits are the same issue then…. Everything you say about audits, every single company can do the same. So, why trust any apps at all?

The thing about Bitwarden its FOSS so any one can look any time. 1PW is closed source, so auditing happens behind closed doors.

Which is ridiculous because we all know that money can buy almost everything and that audits in a lot of cases have been absolutely useless (Wirecard,...).

They could, but then the auditing company will lose reputation and shutdown. I guess its about a long term thing or someone trying to make a cash grab from the "auditing" business.

And yes, if you want to compare Bitwarden and 1Password:
Bitwarden has about 15-20 Million users (8% market share). If just 0.1% of them are able to read code, there are thousands who have the ability to review and audit the code on a daily basis.

Thousands. Daily. Not one or two times a year by a company they are paying for.

Thats 150,000 people

See above and my other post: Audits don't mean a thing. They are literally paid reviews. You have to trust the audit company that they are honest. And yes there are some very renowned audit companies. Per example the one that audited Wirecard. Do you think a company like Microsoft would pay an external company to write a bad review?

I wonder if the review is bad, does the audited company have to publish it?

But do thousands of people review the code? I'm not knocking BW, and I think having it opensource is great, but I do wonder if the benefit of opensource is over exaggerated

I think its about popularity. If someone uploads some code on GitHub, probably not. If someone makes some piece of code that he updates himself and all the other corporates use it mindlessly, yeah I guess not (there was news lately on this). but....

If the app is popular, I am sure many people from security companies, universities, hobbyists, users, and the developers themselves are looking at it all the time. Surely some one out there wants to add to their CV that he was the person to discover "X" flaw in the popular "X" app. to add bling to himself.

I did once to verify their claim, that data is encrypted locally and not on the server, but for sure I will not do this on a daily basis.

Did you like read the whole code? I tried to lookup how many lines of code that is but couldn't find out

 

[MacBH928]

A low rating on the Play Store or even the App Store doesn't really mean a lot, in and of itself. Far too many people give low ratings for things that are either the users fault for not reading the description ahead of time, making assumptions before purchase, or giving a low rating because the app looks or works a little differently on a different OS.

If I want an honest opinion about an app, I will do an earnest Internet search on the product, as well as seeking some feedback from the MR community, with the latter being far more useful than making a logical fallacy conclusion like you did.

You are right, but its not a good sign. Its hard to say that an app that has 2 star rating is actually better than an app with 5 star ratings. Could it be? yes, but not a good sign.

As to subscription pricing for 1Password, neither you or Mr. Heckles realistically make the arguments you have because they are both logical fallacy positions and a waste of time to debate.

Not sure about it being logically fallacy. I am not debating it. Just pointing out possibilities. It just frustrates me when I hear someone say "subscription is necessity so the developer can make money" . We have proved this to be false as many vendors are thriving on the license model like Affinity and Carbon Copy Cloner.

If a developer wants to be subscription, up to him/them, I just choose not to join that bandwagon . At least not for the simpler apps that I do not make a living off. If I was a movie editor , yeah, I'd pay for Adobe Premier or FCP. I'll give them $50-100 a month but I will be making $4-$5K because I used their tool.

 

[Mr. Heckles]

The thing about Bitwarden its FOSS so any one can look any time. 1PW is closed source, so auditing happens behind closed doors.

I get that, everyone get that. The “open source” thing is beaten like a dead horse. It’s also been said million of times, that it doesn’t mean it’s better.

 

[johnkree]

You think the companies that audit do it for free and out of the kindness of their hearts? They also have employees and bills to pay. There is a difference paying someone to do it and paying someone off to do something. These companies also put their names on it. If they missed something, it would make them look really bad and no one else would use them. You think a company would risk losing credibility and going out of business?

Banks also do audits, but don’t trust them. Apple also has a bounty and audit program, but don’t use their products because the audits mean nothing. Great.

Oh what a nice cycle of "every company needs to eat, everyone has bills to pay".
"Devs have to eat, so shut up and pay the subscription". "Auditors have to eat..." Agilebits has to grow and swallow smaller companies, right? Because even companies have to eat?
I wonder how we all survived the birth of the internet. No subs, no auditors,... Microsoft, Apple, Adobe, they all had subs from the very beginning, right out of the garage, right?

I couldn't care less about audits. What I care about is the trust I have in a company because it is doing stuff the right way = listening to their users, not doing shady stuff, not "sneaking" telemetry in their apps. Mozilla hasn't betrayed my trust. I'm happy with their products. Cultured Code has my trust. And a lot of companies. Guess what? They don't have to brag about having external audits or the most audits on the market. Because most of the time they do things right. And I'm happy with it. They don't delete posts consisting critics. They don't end support for a "lifetime" product within one year of selling it as. And they don't need telemetry to know what their users really want.

And no, I don't trust banks. Or insurances. I'm using them. Yes. But I wouldn't trust them with all my passwords and browsing data. I wouldn't give them access to my iCloud or my private fotos. I expect them to work as advertised as they expect me to read the fine print in their contracts. But if I had a choice I would rather not have a bank account. Look at how many people lost their savings because of banks. I said Wirecard several times, did I? or just google Hypo bank. Or Goldman Sachs. You really trust them?

Every company I dealt with with something like this, the investors usually want their money back quickly, and want to see a return. Again, they aren’t giving money out of the kindness of their hearts, they do it because they want to make money, that’s how investing works.

I worked for a company that use to buy apartment complexes. They would buy one, raise rents right away (because they want to make their money back as fast as possible) and sell it to the next company. The next company would do the same.

Yes they want their investment back. And they probably will. How many people are still using their "lifetime" license of 1PW 7? I guess a lot. Now all of them will switch over to version 8 and subscription. Because besides Apple Password there isn't a lot of choice for people that want it as easy as possible. Lock them in, wait till they have calmed down, raise subs when they know that there is no better way. This is so predictable. Every other "suddenly subscription" company has done the same. As if they have the same handbook.

But do thousands of people review the code? I'm not knocking BW, and I think having it opensource is great, but I do wonder if the benefit of opensource is over exaggerated

On a daily basis? No, I guess not. But with projects like Bitwarden? Arch Linux? Firefox? VLC? There are tons of people checking the code. You could do it. And it is not that hard to learn. Especially with the help of GPT3.5 and GPT4 literally everyone can do it. And Git helps a lot. Because it is logging the changes. It is not like having to review all of the code everyday. You just have to look at what has changed.
You are right, it's also not a good idea to be lulled into a false sense of security just because something is open source. But I still believe in statistics and they say that open source is safer by a big margin as long as it is a widely used open source app.

 

[johnkree]

I get that, everyone get that. The “open source” thing is beaten like a dead horse. It’s also been said million of times, that it doesn’t mean it’s better.

It has been proven that in general, open source is more secure.

 

[maflynn]

It has been proven that in general, open source is more secure.

There are examples of open source having major vulnerabilities - Just look at Apache's log4j vulnerability.

 

[Apple_Robert]

You are right, but its not a good sign. Its hard to say that an app that has 2 star rating is actually better than an app with 5 star ratings. Could it be? yes, but not a good sign.



Not sure about it being logically fallacy. I am not debating it. Just pointing out possibilities. It just frustrates me when I hear someone say "subscription is necessity so the developer can make money" . We have proved this to be false as many vendors are thriving on the license model like Affinity and Carbon Copy Cloner.

If a developer wants to be subscription, up to him/them, I just choose not to join that bandwagon . At least not for the simpler apps that I do not make a living off. If I was a movie editor , yeah, I'd pay for Adobe Premier or FCP. I'll give them $50-100 a month but I will be making $4-$5K because I used their tool.

In my opinion, the main reason the 1Password review rating took such a dive was due to the subscription model and removing the ability to keep local sync. Remove that gripe from those who are anti-sub with said app, and the overall rating is much higher.

I agree with Mr Heckles. The "open source" card has been played too much as has the audit card.

As to the subscription debate, we all have gone over that endless times. The bottom line is 1Password was bought by a different company and went subscription. That isn't going to change. No point in debating whether or not they should have.

 

[Alwis]

Did you like read the whole code? I tried to lookup how many lines of code that is but couldn't find out

No, only the parts relevant to answering my question.