10 votes

1Password 8: The story so far

31 comments

  1. [5]
    JXM
    For perspective: I've been using 1Password for over a decade and gladly pay for the family plan. I'm more than happy to pay $4 per month for an app I use dozens of times every single day. I'd also much rather pay someone else with a very good track record to keep that data safe and sync it between my devices than to manage it myself and hope I did it safely.

    I've tried tons of other password managers over the years and none of them come close to 1Password in terms of polish and usability. Sadly, most are pretty bad. If you're all Apple, the current 1Password app is easily the best choice. Their Mac and iOS apps are second to none. Even their Android app is pretty good.

    Of course, moving to Electron does change that. I understand their reasoning - I think Jason Snell has a good breakdown of it at Six Colors. Especially on the Mac, Electron apps feel out of place. No amount of hacking and trickery can make them feel like native apps since the Mac just does things differently than other OSes. On Windows and Linux things are a bit different and it isn't as noticeable.

    10 votes
    1. [2]
      Comment deleted by author
      Link Parent
      1. vord
        (edited )
        I've used Lastpass for work, and hated almost everything about it.

        Bitwarden occasionally has trouble on latest Android or auto-filling a website field, otherwise it has been utterly fantastic.

        Some of my favorite features:

        • Great CLI client
        • Offline caching
        • Adding additional elements to autofill (inspect DOM to find it; I used it to select a dropdown for my bank).
        • Open source clients (and an API-compatible community server for self hosting)
        5 votes
    2. [3]
      vord
      Electron apps feel out of place.

      Always do. Electron apps almost never follow the system theme, which sticks out like a sore thumb even on most Linux configurations. On Windows it sticks out less, given Windows already has horrid UI coherence.

      3 votes
      1. [2]
        JXM
        True, but I think it's unfair to judge the best of one platform (Linux has some beautiful, well designed apps) against the worst Windows apps. I mean, Linux has its share of ugly apps.

        3 votes
        1. vord
          No disagreement there, however Electron apps are ugly (defined as departing from system UI) by default. And for 90% of what I use on either system, KDE is far more consistent than Windows.

          I've noticed if you stick to GTK apps on Gnome and QT apps on KDE the ugly factor minimizes substantially on Linux.

          For any graphics designers out there, one of the best ways you could contribute to the open source world would be designing less-ugly free vector icons. Or building whole themes, but that's definitely a bigger undertaking.

          4 votes
  2. [16]
    Weldawadyathink
    The biggest changes are:

    1. Unified rust client code on all platforms
    2. Windows and macOS apps are now electron
    3. Local vaults are no longer supported

    I know most of the tech world has very ... strong opinions about electron. Reddit is particularly enraged about the switch. I wonder what the tilderinos think about this beta?

    I have installed the beta on my work laptop (windows) and my personal laptop (Mac). So far, it has been great for me! It feels faster than 1p7. The only issues I have had so far are with the safari extension, which is apparently an issue with safari 14 that is fixed in the tech preview and macOS Monterey. Except for the settings screen, it looks close enough to a native macOS app that I would not have guessed that it was electron.

    Full disclosure: I participated in a 1password user experience survey, and received a 1password gift card for my time. I used a version of 1p8 over a zoom call before it was released and told them about my experience. All my opinions are my own and I do not speak for AgileBits.

    6 votes
    1. [6]
      joplin
      I utterly despise electron. I don't want a web app. I bought a Mac because I want to use macOS.

      Having my passwords stored somewhere other than only on my own machines is a deal-breaker. (I'm still using local syncing and not using their cloud solution.)

      I despise subscriptions for things that provide no ongoing value. Since I don't want to store my passwords outside of my home, I don't have any need for a subscription.

      So I will definitely not be upgrading. I'll probably continue to use the version I have until it no longer works at which point I'll come up with some other solution. If I do end up being forced to put stuff in the cloud, I'll keep it with iCloud Keychain instead at that point. But that will be a last resort.

      10 votes
      1. [5]
        onyxleopard
        I’ve seen a lot of people looking to migrate to Bitwarden from 1P, and most seem to be navigating that transition well.

        3 votes
        1. [4]
          joplin
          My understanding is that they use Electron as well, but I haven't looked into it in depth.

          3 votes
          1. [3]
            onyxleopard
            I think if you’re dead set against Electron, then yeah, Bitwarden isn’t going to float your boat. But, if you are dead set on keeping a local encrypted vault, it will work as a replacement for 1P.

            If you’re OK with a native macOS app (with native iOS and iPadOS clients as well) that syncs to the cloud, but is E2EE, Minimalist may be an option.

            If you want both macOS native & local, I think there are some options, but they aren’t very high profile compared to other password managers (since multi platform is a big feature in this space), and I can’t vouch for any of them.

            3 votes
            1. [2]
              joplin
              If I’m going to go that route, is there any advantage to that over iCloud Keychain which already ships with my computer?

              2 votes
              1. onyxleopard
                Not really?

                I think the only real features that Minimalist offers that Apple’s Keychain doesn’t is 2FA and family sharing. I imagine Apple is going to eventually roll out additional features to Keychain since they’ve already done a lot to improve it over the years and they seem committed to maintaining it. Improving the macOS Keychain.app UX is probably not a high priority for Apple, though.

                2 votes
    2. [3]
      whbboyd
      I am not a 1Password customer, and wasn't planning on becoming one, and this change… certainly doesn't change my mind.

      • Electron is an absolute dealbreaker for me unless it's literally the only possible way to get the functionality I need, which is literally never the case, and certainly not in the rich world of password managers.
      • Is it correct for me to interpret "local vaults are no longer supported" as implying that offline usage is also not supported? If so, that's an absolute dealbreaker. I'm not online all the time, and I'm not wasting time on tools that could function without an internet connection, but don't. If it "sort of" works offline, then it's a dealbreaker in inverse proportion to how sort of it is. My current solution is 100% functional offline except for sync.
      • Cloud storage is a sticking point. Client-side cryptography can mitigate it somewhat, but 1Password's servers are still a single enormously juicy target to any particularly advanced attacker looking to flex its muscle. 1Password's servers may be more secure than mine, but they're also millions of times more likely to attract credible attacks.

      On the other hand:

      • Presumably older versions were written in unsafe languages (C/C++ or Objective C), and moving to Rust is a fantastic step in the right direction there. Trawling 1Password's CVEs, there aren't really enough to get a good feel for how much risk they're mitigating here.
      7 votes
      1. Weldawadyathink
        Offline is definitely still supported, just not local vaults. Previously, you had the option of saving items into any number of vaults. These could either be synced through their website (1password account vaults) or saved to disk locally (local vaults). It was up to the user to take care of syncing this local vault file between devices (although they did support iCloud syncing between Apple devices natively; these are still considered local vaults). Local vaults have been effectively deprecated for quite some time now. With account synced vaults, it is 100% functional offline, except of course sync.

        As for the cloud storage bit, everything you said is correct. However, 1password has a secret key in addition to a master password that is designed to protect your data when it is not in your control.

        About Secret Key: https://support.1password.com/secret-key-security/
        1Password Security Design Whitepaper: https://1password.com/files/1Password-White-Paper.pdf

        For me personally, I don't want to try and configure multiple services just to set up syncing my passwords. I also cannot expect my family (who I force to use 1password) to set up something like that. If my family forgets their master passwords, I cannot tell them "tough luck, reset all of your passwords" (1Password lets people in a family plan reset each other's passwords, even though 1P support cannot). I don't mind paying a small yearly fee to have something that works as required most of the time. I also like that, most of the time, 1Password syncing is basically instant.

        5 votes
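Added example (not 1Password's code, and not the scheme from the linked whitepaper): a simplified, constructed model of the point made above and in the "back up your secret key" sidenote below, namely why mixing a high-entropy secret key into the master-password derivation protects a vault blob that has left your control, and why losing that key is as final as forgetting the password. The PBKDF2 iteration count, secret-key alphabet, salt and verifier layout are all assumptions for the demo.

```python
"""
Two-secret key derivation, constructed illustration.

A low-entropy master password (something a person can remember) is stretched
with PBKDF2 and then mixed with a high-entropy secret key that only lives on
enrolled devices.  A server-side copy of the vault plus its unlock verifier
is therefore not enough to check password guesses: every guess also needs the
secret key, which the server never sees.
"""
import hashlib
import hmac
import math
import secrets
import string

# Demo parameters (assumptions, not any product's real values).
PBKDF2_ITERATIONS = 100_000
SECRET_KEY_ALPHABET = string.ascii_uppercase + "234567"   # 32 symbols
SECRET_KEY_LENGTH = 26


def generate_secret_key(length: int = SECRET_KEY_LENGTH) -> str:
    """Random device-side secret; 26 symbols from a 32-symbol alphabet."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))


def secret_key_entropy_bits(length: int = SECRET_KEY_LENGTH,
                            alphabet_size: int = len(SECRET_KEY_ALPHABET)) -> float:
    """Entropy of a uniformly random key: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Stretch the password, then bind the result to the secret key via HMAC.

    Without the secret key the stretched password alone is useless, so an
    attacker holding only salt + verifier cannot test password candidates.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS, dklen=32)
    return hmac.new(secret_key.encode("ascii"), stretched, hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """What a sync server might store to check an unlock: a hash, never the key."""
    return hashlib.sha256(b"verifier|" + vault_key).digest()


def verify_unlock(master_password: str, secret_key: str,
                  salt: bytes, verifier: bytes) -> bool:
    """Constant-time check that both secrets reproduce the stored verifier."""
    candidate = make_verifier(derive_vault_key(master_password, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    # Constructed enrolment: the device generates the secret key once.
    salt = b"constructed-demo-salt"
    secret_key = generate_secret_key()
    verifier = make_verifier(derive_vault_key("correct horse battery", secret_key, salt))

    print("secret key entropy:", secret_key_entropy_bits(), "bits")
    print("right password + right secret key:",
          verify_unlock("correct horse battery", secret_key, salt, verifier))
    # Losing the secret key (no backup, no enrolled device) locks you out
    # even with the correct master password.
    print("right password + lost secret key:",
          verify_unlock("correct horse battery", generate_secret_key(), salt, verifier))
```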
      2. zlsa
        I think 1PW 8 will still cache passwords offline, so you should have offline functionality (but please don't take my word for it!) You just won't get synced updates when offline (obviously.)

        With cloud-based password storage, I'm not at all worried about someone gaining access to my passwords, since they're all E2E encrypted (that is, they're only decrypted on your machine, and the only data stored on their servers is a useless binary blob without your personal master key.) I'm far, far more worried about a "supply chain attack", where an attacker is able to introduce a vulnerability into the apps themselves.

        2 votes
    3. [2]
      aphoenix
      I feel as if I am a frequent dissenter on topics like this, but I'll throw my 2 cents into the ring.

      The unified client code on all platforms is a good change, and it's exciting to see.

      The fact that the apps are now electron is probably not much of an issue for most people. Electron is one of those things that is somewhat polarizing; people who hate it really hate it. People who don't hate electron apps mostly seem to just be okay with them. I'm okay with them, as long as they're well thought out. I trust the 1Password people to think this one out fairly well. Admittedly all the machines for which this is relevant to me have lots of memory and won't have much of an issue; my MBP handles electron apps well, and my desktop computer does as well. I understand that a lot of people don't want to run Chromium for desktop applications, but it is a convenient way to package and release software, and the shortcomings for this particular application will probably not be particularly short; after using 1Password, you should close it anyways and not just leave it open.

      Local vaults also are a non issue for me personally; I use their cloud service to store my vaults already. I have elected to trust this company with my data, and I will continue to do so. I understand people who don't want to do so; they're going to be stuck using a different service. For me, the convenience, coupled with my trust of the developer, means that this is a non issue.

      All in all, these are good changes.

      Disclosure: I already pay for the family pack (shared with my wife and daughter), and these changes seem like they will be convenient for all of us, not just for me. For what it's worth, I don't consider myself a casual user; I'm a coder / developer, and I am cognizant of security and privacy risks.

      5 votes
      1. Weldawadyathink
        This almost perfectly describes my relationship with 1Password. I would much rather offload the work of maintaining a server or sync service to a third party that does it well. Like I said in my previous post, the electron 1Password works better and faster for me than the native version (albeit on very good hardware). The native Mac version always felt a bit sluggish to me.

        3 votes
    4. [4]
      Greg
      I haven't yet read the whole post, but I was looking for more info on the local vault support and I couldn't find it - any chance you could elaborate on that?

      As for electron, I'm not dead against but I'm highly skeptical. Right now, Slack is using 800MB of RAM over three processes, Spotify 500MB, and 1Password 150MB. I totally understand their desire to unify things from a dev perspective, but there's a significant gulf in memory between those two electron apps and the current native one. I don't explicitly care what it's written in, but it's a program I need to have open 24/7 so I really hope we don't see a 4x - 8x memory increase and/or the introduction of slow leaks.

      I happily pay decent, recurring money for this software - but the tacit agreement there is they don't cry "lack of dev resources" when it comes to security, usability, and efficiency.

      4 votes
      1. [3]
        Weldawadyathink
        Local vaults just don't work anymore. I presume that, on release, there will be some onboarding process to import local vaults into a 1password.com account vault. I never used that feature (except accidentally), so I cannot give you more info on that. They have a few other blog posts with other information that go into more detail on that subject. The post I linked is more a future-looking point of view.
        I can totally understand the worries about memory. I just checked teams on my work computer and it is sitting at 600MB, which is a bit much for what it does.

        I am still somewhat new to the Mac platform, so I am not very familiar with how Activity Monitor counts memory usage.
        https://share.icloud.com/photos/0FPXleSlFFWn07xgOnsne9k8g
        In total, it looks like about 360MB, but I am not sure if it is double counting some of it.

        On my windows laptop, it is sitting at 21MB in the foreground app, and a total of 70MB in the background processes. Both of these are the 1P8 betas.
        One very interesting note in the blog post was about SwiftUI. They are using SwiftUI for the iOS app, which makes sense. They started by creating 2 macOS apps; a SwiftUI one for modern Mac versions and an electron one for older Mac versions. They couldn't share SwiftUI code between Mac and iOS as they hoped, so they scrapped the SwiftUI version and stuck with electron. It sounds like they may reconsider a SwiftUI or AppKit version at a later date (Maybe when SwiftUI is more mature).

        4 votes
        1. [2]
          Greg
          Based on what you wrote a bit further up, it looks like the local vault question is a non-issue for me, which is good. I was a little bit thrown by the terminology, but locally stored/cloud synced is exactly what I want anyway.

          Ultimately I guess I have to admit that a few hundred MB of extra memory isn't going to make me pick up and move to another password manager, it just kind of feels like death by a thousand cuts at this point even on a 16GB machine and it's kind of frustrating, y'know? (Do they even do 32GB M1 laptops at all? I know they did a few 32GB Intels, but not on the smaller MBP which I have). The "room full of coffee tables" analogy that @onyxleopard made over in the other thread sums up exactly how I feel right now!

          SwiftUI sounds like an interesting one, and they're pretty invested in the whole Apple ecosystem, so I guess that's a reasonable possibility either way.

          3 votes
          1. Weldawadyathink
            32GB M1 devices do not exist currently.

            For what it’s worth, I got an 8GB M1 at launch and never had a single issue with ram, although I don’t use my laptop very much, and never do heavy development workloads on it. It seems like macOS has really great ram management. That, and the super fast ssd to swap to, mitigates some of the issues of ram usage.

            I am just a layman with enough knowledge to be dangerous, so take this with a grain of salt.

            2 votes
  3. [10]
    Bear
    As much as having things in "the cloud" (a fancy term for "someone else's computer[s]") increases the convenience factor for many people, I will always prefer my password manager to store my database locally, and then I can make decisions about whether or not that file gets put on cloud services, who has it, etc.

    Even if the file is heavily encrypted, that should not be used as a justification to force it into the cloud.

    Personally, I prefer KeePass for my local-first password manager, with KeePass2Android as my mobile solution.

    1 vote
    1. [9]
      Adys
      (a fancy term for "someone else's computer[s]")

      I don't like this HN meme, it's so thoughtless.

      The computer of someone whose entire job it is to keep that secure, up, and running, yes. Someone who has an entire team working full time to ensure bad things don't happen to the data in it. Someone who has a service-level agreement to back all this up. And depending on which cloud, someone who's spent anywhere between millions to billions of dollars in doing those things better than you could ever do.

      9 votes
      1. [4]
        cfabbro
        (edited )
        Plus, if there is one thing my years of working in the data recovery business has taught me it's that the vast majority of people, and even a surprising amount of tech industry professionals, should not be in charge of storing their own critical data. Hell, even with my own intense paranoia about maintaining multiple backups (onsite & offsite), the idea of losing a local password vault still terrifies me so much that I just stick with a SaaS, cloud-based, password manager instead of DIYing it.

        7 votes
        1. [3]
          onyxleopard
          Yeah, I consider my encrypted vault in 1PW’s cloud as a level of redundancy. If all my local devices burn up in a fire (including local backup media), I can use the web interface to still access my passwords from a family member’s device. That helps put my mind at ease when I think about the prospect of trying to recover passwords from thousands of sites/services I’ve accrued over the years.

          4 votes
          1. [2]
            Weldawadyathink
            Just a sidenote: Make sure you have a backup of your secret key as well. Without that, or a device logged into 1password, you are just as screwed as if you forgot your master password.

            4 votes
            1. onyxleopard
              Yeah, I have my secret key in my Dropbox (and I know my Dropbox password).

              1 vote
      2. [4]
        Bear
        And despite all that, cloud storage providers can change their terms at any time, which makes anything you have stored with them not as safe as you think it is.

        Remember Microsoft/OneDrive just unilaterally taking away everyone's free storage over 5 GB, even if they had done tasks to earn more?

        In addition, cloud storage providers have come and gone due to economic realities of the market.

        It doesn't change the fact that "the cloud" is a flowery term that masks the reality.

        1 vote
        1. [3]
          Adys
          (edited )
          You are confusing and conflating a lot of different things.

          First of all we are talking about 1Password, which does not have a free tier. "Free" customers aren't customers and usually don't get to enjoy the advantages of a fair contract. If you're a fair paying customer, the company is legally obligated to provide the service they advertised to you. If they fail to do so, you can sue and win. A small amount of money every month puts you on an even ground with them. And no they don't get to "change the terms at any time", that's not how contracts work.

          Second, OneDrive and other B2C products aren't usually what is referred to when you say "someone else's computer". But that distinction feels irrelevant now so I'll let that pass.

          Third, 1password is not a cloud storage provider. Their business is security. They happen to be storing data their customers are uploading but so does every website. The difference being, a customer will be a few megabytes on average for 1Password versus a few gigabytes for a cloud storage provider. And the good alternatives are rare because good password managers are extremely far and few between.

          5 votes
          1. [2]
            Bear
            "Free" customers aren't customers and usually don't get to enjoy the advantages of a fair contract.

            As far as I am aware, customers of any service, free or paid, are still equally bound by the terms of service, just as any company is.

            And no they don't get to "change the terms at any time", that's not how contracts work.

            https://1password.com/legal/terms-of-service/

            We reserve the right, at our sole discretion, to modify or replace these Terms at any time.

            Second, OneDrive and other B2C products aren't usually what is referred to when you say "someone else's computer".

            Sure feels like someone else's computer. Walks like a duck, quacks like a duck.

            Third, 1password is not a cloud storage provider.

            And yet, they maintain your passwords in a cloud storage solution. That may not be their exact line of business, yet without it they could not function, since they no longer support local data.

            And the good alternatives are rare because good password managers are extremely far and few between.

            "Good" is subjective. I personally use a more local password manager that leaves anything cloud related optional and up to me.

            1 vote
            1. Adys
              Good isn't subjective, in terms of security good is extremely objective.

              Just because they store things doesn't mean they're cloud storage. Tildes also stores your posts, tildes is not a cloud storage solution.

              Your understanding of how terms and contracts work is flawed. ToS are there to list the limits of what you are allowed to do, and define the service you are getting. The terms do not define the totality of all your rights. To give you an example, regardless of whether a service's terms mention GDPR, I still get to enjoy the rights GDPR grants me.

              If for example you are purchasing a 1 year subscription to 1Password and they, mid way through your subscription, decide that you can only put 20 passwords in it, they are in the wrong, legally, and it would be trivial to show it.

              I don't really feel like getting into more details than that, I'm getting the feeling you're not super receptive to having your mind changed on this. I hope I'm wrong.

              4 votes