This isn't really a typical Venture funding, and is definitely not a "Series A". Traditionally, at this point, 1Password would probably have just gone Public, without any need for venture funding. But, why go to the hassle of doing that when you can get most of the same benefits ($$$) without any of the pain (public reporting, SOX, etc...).
The VCs at this point would be happy with a 3-4x return, because the risk is minimal - companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail. So, if they picked up (for argument's sake) 25% of the company, giving it a pre-money valuation of $800mm, all they really need to do over the next 3-4 years is build a $3.2B company, which, given 1Password's dominance/quality of product - should be relatively straightforward.
Their killer organic entry is: "Everyone" is already using them for personal password management, which means cost of training/installation/use is trivial to add the Enterprise element.
As a personal user, I consider 1Password the GitHub of password management - sure, there are lots of GitHub competitors, and you can roll your own - but, when there is one product that has completely nailed it - why bother going with anyone else.
I have been following this company for like 10 years now, if not more. 1Password is anything but a typical software company. When they were small, I forget the year, they emailed us (each) six licenses of 1Password as a Thanksgiving gift. A small gesture, but clearly the courage to leave that much money on the table for a small startup is laudable. On the other hand, each of my friends who got it "free" wouldn't have considered any password manager (free or not). They had the uphill task of creating the market. I am sure all the recent password leaks help a bit.
They sponsored Gophercon in 2018(?). I didn't even know they use Go.
Good luck to them and hopefully they will keep us from password disasters of the future. Now, if only I could convince everyone to use a password manager...
On Nov 23, 2010 (still have the e-mail in my inbox), they sent a "Happy Thanksgiving and 3 Gifts For You!" with free downloads of 2 books and links to give away a license of 1Password for Mac, 1Password for Windows, and Knox for Mac.
Small touch, but my office recently started using 1Password in large part because most of the competition only offers USD billing. While we can pay for services in USD, it's unpalatable given none of our own income or accounting is done in USD.
How did you do that? I can’t find a way to pay 1Password in € rather than $. Every year my bank is stealing^W taking a fee because 1Password is billing in USD.
These also have another distinct change beyond simply pricing, they're actually hosted in those regions. So .ca is hosted in Canada and .eu is hosted in the European Union.
The coverage for even the best password managers misses a ton of key touchpoints where they'd be useful. I use mine very reluctantly. This attitude of 'password managers for everything!' doesn't make any sense to me when half the login prompts I encounter aren't supported.
I didn't feel it needed substantiation because I'm interested in discussing 1pass vs lastpass on a business level, not a technical level. I tested it over a year ago, so any complaint could well be out of date. I found it to have fewer features, was more buggy on Android, and didn't really detect usernames and passwords on forms as well as lastpass. I used it for a few days and just couldn't come to terms with it.
I'm really surprised by that. I eventually abandoned Lastpass for 1password around a year ago because I couldn't handle Lastpass's bugs any longer. (And those bugs had eroded my confidence in their ability to keep passwords secure.) I'm also on Android, but the difference is probably that I use Firefox. LP has treated Firefox as an afterthought for quite a while now, with numerous serious bugs languishing for months or even years. Since moving to 1pw I've had very few complaints. The autofill on Android isn't perfect, but it's better than Lastpass was. And the desktop product is flawless aside from a bit of an Apple-centric design.
I use ff exclusively on android and pc/linux. I found 1pass to be inferior on android, but I also use lineageos so maybe that had something to do with it. I dunno, it might be worth another go but lastpass seems to be good enough for me. Even though it does have bugs, as long as I can get the passwords when I need it it's not a big deal for me. The big deal is making sure all forms capture and update passwords as needed, and lastpass seemed to be far better when I was messing with it.
> As a personal user, I consider 1Password the GitHub of password management
Ah, GitHub. The company which was bootstrapped and profitable like 1Password, but then took venture capital, became unprofitable, and had to sell to Microsoft. Let's hope they aren't the GitHub of password management.
GitHub being sold to Microsoft was a huge win for GitHub. They got acquired for $9B which is a staggering valuation - one they never would have gotten on their own.
Not only that, but the GitHub product is getting much better under Microsoft.
So overall I think it was a win for consumers too.
I think you are largely correct about this being a liquidity event vs Series A funding. They are likely not looking at massive employee growth or a marketing campaign as much as a way to unlock equity without going public.
This is good for users as it likely means no huge changes to appease corporate overlords, but continues the sad story of limited young, profitable, small-cap Canadian tech companies available for outsider, passive investment. There are quite a few in the category of 10-15 years old, solid revenues/profit and founders that are ready to step back; most choose private equity or sovereign wealth fund investments in the 100M - 1B range over going public because of the hassle and reporting requirements. The average individual investor doesn't have access to these deals which is a shame because they tend to be established, profitable return generators. I don't blame the founders; I'd likely do the same route.
> all they really need to do over the next 3-4 years is build an $3.2B company,
I really did laugh out loud as you make it sound so easy. Having said that the money isn't in the consumer side, but the Enterprise. 1Password is only just entering this market and there is huge potential.
The potential is just as huge Apple and MS add “good enough” solutions. From a biz context, 1pwd is winning in its niche. But it’s just a feature the OS vendors haven’t prioritized from a technical context.
I am grabbing AWS keys from the macOS keychain and can access creds I save in iCloud from any device. Uh oh 1pwd
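One concrete way to do what the comment above describes, as an added example that is not code from the thread, from 1Password or from Apple: feed AWS keys held in the macOS keychain to the AWS CLI through its documented `credential_process` hook, so the secret never sits in plaintext in `~/.aws/credentials`. The keychain service names (`aws-access-key-id`, `aws-secret-access-key`), the account label `default` and the script path in the config stanza are assumptions for the illustration; the `security` command, its `find-generic-password -w` flag and the JSON shape the AWS CLI expects are real.

```python
"""Added example: serve AWS credentials to the AWS CLI from the macOS keychain.

Assumed setup (not from the page):
  security add-generic-password -a default -s aws-access-key-id     -w AKIA...
  security add-generic-password -a default -s aws-secret-access-key -w ...
and in ~/.aws/config:
  [profile keychain]
  credential_process = /usr/local/bin/aws-keychain-creds default
The AWS CLI runs the script and reads the JSON it prints on stdout.
"""
import json
import subprocess
import sys
from typing import Optional

# Keychain "service" labels used to file the two halves of the key (assumption).
SERVICE_AKID = "aws-access-key-id"
SERVICE_SECRET = "aws-secret-access-key"


def read_keychain(service: str, account: str) -> str:
    """Return the secret stored for (service, account) via the macOS `security`
    tool. `-w` prints only the password; Keychain Access may prompt the first
    time this binary asks, which is the access-control check you actually want."""
    proc = subprocess.run(
        ["security", "find-generic-password", "-s", service, "-a", account, "-w"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def credential_process_output(access_key_id: str, secret_access_key: str,
                              session_token: Optional[str] = None) -> str:
    """Format credentials as the document the AWS CLI expects from a
    credential_process: Version must be 1, SessionToken is optional.
    The sanity checks guard against printing the wrong keychain item
    (an ID is 20 chars starting AKIA/ASIA, a secret is 40 chars)."""
    if len(access_key_id) != 20 or not access_key_id.startswith(("AKIA", "ASIA")):
        raise ValueError("access key id does not look like an AWS key id")
    if len(secret_access_key) != 40:
        raise ValueError("secret access key has the wrong length")
    doc = {"Version": 1,
           "AccessKeyId": access_key_id,
           "SecretAccessKey": secret_access_key}
    if session_token:
        doc["SessionToken"] = session_token
    return json.dumps(doc)


def main(argv):
    account = argv[1] if len(argv) > 1 else "default"
    akid = read_keychain(SERVICE_AKID, account)
    secret = read_keychain(SERVICE_SECRET, account)
    # Only the JSON goes to stdout; anything else would break the CLI's parser.
    print(credential_process_output(akid, secret))


if __name__ == "__main__":
    main(sys.argv)
```

The point of routing through `credential_process` rather than exporting the keys into the environment is that the keychain ACL, not a world-readable dotfile, decides which binary may read the secret; the trade-off, as the reply below notes, is that this only helps on macOS.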
That is assuming your whole Enterprise is only on macOS, which I think none of the Fortune 500 companies are.
If you have cross platform to support, and want the best experience (or I should say equal experience) then a decent third party Password Manager is the only way to go.
I would have thought Google would be interested in this market, but ever since the birth of Android, all they wanted is Chrome or Android integration.
Right now, it seems like none of the big guys provide interoperability on their password managers by design. Apple's works great for apps and Safari, but won't work on Chrome, Google only works on Chrome, Microsoft's doesn't work on an iPhone.
I switched to bitwarden from 1password when frustration with mac laptop hardware drove me to a thinkpad running fedora workstation as a daily driver and 1password's new stuff wouldn't run well in wine.
I run a self-hosted bitwarden server, which I love.
But the client is, in my opinion, not nearly as good as 1password. Its login detection is often disruptively wrong. The need to unlock the keychain each time you start a client is aggravating. The fact that the keychain doesn't lock itself when I lock the workstation is more aggravating. It's sensitive to server downtime when it should be able to work offline. The desktop app is either electron or something very similar and chews battery for me if I accidentally leave it running. 1password's secure notes are far richer. 1password's storage for software licenses is useful and bitwarden offers nothing similar that I've been able to find.
I'm not saying any of this to shit on bitwarden. I like it, and pay for it both in dollars to bitwarden and in time spent keeping the server running/patched. (Which I know is optional, but I really like having it self-hosted).
If 1password could offer me a decent linux desktop experience and a self hosted server, I'd switch back. I liked it that much better.
I have 1Password and Bitwarden on my screen right now. Bitwarden does not hold a candle to 1Password. There is no Watchtower or MFA availability notification. Yes, BW is a password manager, and that is about it.
Actually, Bitwarden does have its own Watchtower alternative; you'd access Data Breach Report in the menu, and it tells you which accounts need their passwords changed. I'm not sure if it sends a notification when a new breach comes in that includes your account.
Have I Been Pwned partnered directly with 1Password, which is probably why they're able to send out notifications directly; Bitwarden has to worry about being rate-limited.
I'm not too sure what's meant by MFA availability, but Bitwarden also lets you use it as a TOTP generator + use 2FA for logging into your vault, though those are premium features.
Those aren't core to actual password management though. Bitwarden is a very good password manager, and that's what it needs to be to fulfil its raison d'être.
If 1Password's claim to fame is functionality beyond password management, so be it, but that doesn't define it as better but rather broader scoped.
We actually use all those features in addition to password management. Our old password management strategy was an encrypted Excel spreadsheet. This creates problems, obviously. Management, at least to me, means ACLs, reporting, auditing, and alerting. And that is on top of basic password management.
Bitwarden didn't allow Android fingerprinting when I used it a few months ago (limitation in one of their electron libraries) which pretty much ruined it for me unfortunately. Not sure if this works in iOS.
Bitwarden had a crappy (and slow) android app, a crappy (and slow, touch based interface, poor right click options, poor design, memory hungry, crippled) windows desktop app, and an OK (for a web app) desktop site.
It only beats 1Password on price.
If you don't want to pay for a fucking awesome app, good riddance to you.
Not any more. It used to be a no brainer, but they switched to cloud based subscription at great cost increase, loss of some features, and dark-patterned the native app into invisibility. Native is still available apparently, but you won't find it from the homepage, unless they were persuaded to change recently. Report an error in the native app, and they suggest switching to cloud subscription without addressing the error at all.
When my current native install of 1pw stops working I'll be migrating elsewhere.
Which until someone had to ask the question on the forum, having been unable to find any word, was not revealed at all on their main site, which was all about getting you on the sub. You wouldn't normally download the next (unlicensed) version on the off chance the buying mechanism has been quietly put in there instead. The former significant discounts for buying both phone and desktop, or Mac and Windows at the same time are gone too.
Hence it's there, but intentionally dark patterned to near invisibility. They would prefer everyone on the pointlessly expensive sub.
Yes 100%. I was a lastpass user for years but it always had its quirks for me. I switched to 1P within the last year and it is miles better and "Just Works", everywhere. I or someone in my house use 1P on Ubuntu, Android, iPhone, and macos, and it is a seamless and wonderful experience.
> Service Data (including Session and Usage data):
> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data ...
> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.
> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").
That's pretty much everything given they put an extension in your browser and can collect all of that info for every page you visit
> 4. Information Sharing
> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure
> Examples of how we may share information with service providers include:
The above basically says they share your info with anyone they feel like
So I don't know how you think my comment has no basis in fact. They spell out what they can do in their privacy policy. Why would they spell it out if they weren't doing it?
Compare to 1password (note I use neither service and am in no way affiliated with 1password, but for comparison it's telling):
> Your data is yours, and we don't want to know anything about it. We don't use it, we don't share it, and we don't sell it.
> We only collect the information necessary to provide our services and help you with troubleshooting. Personally identifiable information is never shared with third parties.
People on HN complain about Google collecting and yet we seem to have LastPass with access to all webpages you visit and also able to track every service you use them with, and their policy basically says they collect and share your data (something even Google doesn't do. AFAIK google doesn't share data)
I tried 1Password before switching to LastPass in 2015 or so. I hated 1Password. Haven't had a reason to switch, as free LastPass covers my needs nicely.
Even if 1Password is dominant, it’s really in the bubble to think that most people use 1Password. Users are generally happy with their passwords syncing through Google or Apple.
The YC darling DropBox still isn’t profitable and probably never will be as they are becoming “just a feature”.
1Password will doubtfully never be profitable enough to be worth $3.2 billion. Whether they can pawn themselves off to the public markets first is another question.
It doesn't really matter if 1P is dominant across the whole market. It matters a lot if it's dominant across the part of the market that's willing to pay actual cash money for password management.
How did that work out for DropBox? Google and/or Microsoft could announce tomorrow that they are either giving the same functionality away or bundling with their Office product.
That’s originally what I said, if you define “success” as the original investors being able to pawn a money losing company off on the public market, it could be successful.
But if you define success as a company that can actually turn a profit consistently, Dropbox is not a success.
They’re selling Teams at $4/mo per user and I guess if they go after enterprise we’ll see additional tiers with features aimed specifically at that.
It doesn’t take too many deals with huge companies who need cross-platform to get to $200-300 million, and “worth” $3.2bn. Multiples from revenue have been a little interesting lately.
And as soon as they start moving into the enterprise, Microsoft is going to offer a good enough cross platform password manager and bundle it into Office 365.
People made the same argument with Slack. How is that working out?
I don’t know about Android, but iOS supports third party password managers through the extension system.
Slack has a $12bn market cap, therefore “pretty well”.
I think competition in this space is good but I use and like Slack over Teams.
I know at least two companies who pay Slack over $20MM a year, and have over 100k users provisioned onto Enterprise Grid, and who are also happy consumers of Microsoft Office 365.
Most people I know who use password managers beyond Chrome/iCloud use LastPass. All the companies I have worked for in the last 7 years have used it too.
I switched from LastPass to 1Password earlier this year (after 5+ years of use) due to issues with LastPass stopping sync.
1Password fixed that and numerous UI glitches around the actual password filling in that I was just living with. It is night and day a better experience ... and no vested interest in them (unfortunately!)
Similar situation here. Also, anecdotally, I recall hearing numerous tales of people making that switch, but few to none moving in the other direction. (Which doesn't surprise me at all having experienced both products.)
So what is to stop someone else who wants a slice of that 3 billion? We have AWS and Keepass (though it is GPL) for anyone to quickly implement their own competitor, or the already-huge userbases of Google, Apple, and Mozilla's implementations. With such a low barrier to entry, won't it become a commodity? And aren't we moving away from passwords as a whole?
1Password is slowly starting their enterprise game. All employees were offered 'free' 1Password accounts last week for entire family as long as I'm with my current company.
At the smaller level of things I see similar bets in what Earnest Capital and Tiny Seed are doing: non-controlling amount of investment in a profitable company to make a return higher than standard but with a less crazed risk profile than traditional venture capital.
> companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail
What happens if Apple implements their own native password manager into macOS and iOS? I know I would switch to Apple's native assuming it worked as well as 1Password.
Apple have had that since iOS 11 with iCloud Keychain. It suggests passwords for websites on signup, and offers to save them if you log in. It even correctly offers the password you used on a website when logging in on the native app equivalent for the site.
I work for a company in a similar position, which recently did a funding round like this for the sole purpose of letting some existing employees get some cash for their equity, since an IPO is a big question mark.
They might have great software - I don't know. But personally I absolutely refuse to use a paid option for a service of this type. There's just too much risk. What happens if my credit card expires and I forget to update/pay? Or I get hospitalized suddenly and there's a similar payment issue? Is my account just closed and everything deleted?
Then there's the risk of me putting everything in there and them jacking up the price. I'd either have to eat it or manually migrate everything.
There are other concerns as well. And I'm not saying I think they are dishonest. But when there are open source methods that are free and battle-tested for security, I see no reason to go with a paid option.
> Your data is yours. Even if you cancel your subscription and your account is frozen, you can still sign in to 1Password.com or in the apps to view and export your data.
If you are already liking KeePass I highly recommend KeeWeb, which is what I'm using. It reads a KeePass database and the desktop app and web app are great in my opinion. And everything is free. The web app also caches in the browser and syncs to Dropbox so everything can sync between mobile and desktop.
> What happens if my credit card expires and I forget to update/pay?
I paid for it once and then used it for years and years without updating. After a few years the browser extension stopped working (was no longer compatible with current browsers) so I decided to buy again. By this time they'd moved to a subscription system and I have no idea how it works.
It used to be simple... there was an app, and if you stored the password file in Dropbox, you got cross platform support. But now the UX is terrible. I don't know where my passwords are stored, I don't know if the entire thing will stop working if I stop paying, etc. What a shame. I used to recommend it all the time but since the update there's no way I could recommend it to anyone I know who isn't a techie.
I basically do that - my core database is encrypted on Dropbox and I use a desktop app and web apps for mobile via KeeWeb which is free. KeeWeb on desktop also backs up locally in the event anything ever happens to my dropbox access, but Dropbox is the central sync point. The web app connects to Dropbox and since it's a web app there isn't even a need for the installation of an Android/iOS app. I just keep the webpage up at all times. The app is cached by design and doesn't send external connections.
If you asked me about 1password a few years ago, I would agree with you. Ever since they went to the cloud, I stopped using and recommending them to friends and family.
I now use KeePass, which is free and doesn't require the cloud.
The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people. It's a way for them to make more money, which is fine, but I really don't think a cloud-based password solution is necessary.
Edit: The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
> The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
I was going to just disagree with you without downvoting, because I specifically was looking for cross device sync and mobile support (and specifically looked for a mobile app that supported using FIDO as a second factor to protect the vault.
However, attributing downvotes to employees/shills shows an inability to consider that there may be a good counter argument.
I appreciate the subscription model, since it aligns with the fact that secure products must continue to be developed to stay secure. Security is a process, not a destination.
I used to feel very differently about this as a consumer, but when you see things from the other side as an ISV, it's obvious that a one-time fee isn't a sustainable business model - if you want the software to remain available, you need to pay for the duration.
A SaaS model works well for both sides, I think - consumers always have the latest version and their data is highly available and safe against local events (storage failure, fire, flood etc); the business has a (relatively) reliable income stream.
The duration of the ISV cloud contract you mean. I have plenty of perfectly running applications where the vendor has long gone. Also, I hate paying for a relatively small feature such as a password manager. Keepass on a webdrive offers the same for free and I get to look at the source as well which in my opinion is a requirement for something so fundamental.
> I have plenty of perfectly running applications where the vendor has long gone
Hmm, thinking about it, for simple image editing stuff I still use a version of Paint Shop Pro from something like 10-15 years ago, and it still works great.
I think then that it depends on the kind of software, and the expectations of the user: is it beneficial to store data in the cloud for easy access from multiple devices?; do you want security updates? do you want new features?; do you want support?
I also use Keepass, with passwords stored on a cheap VPS using SFTP. Works great on Android with Keepass2Android too. But of course, this is not something a general consumer is going to set up.
> I think then that it depends on the kind of software
I agree completely. I never want to pay more than once for Photoshop/Illustrator/etc. -- and the fact that Adobe has turned those into SaaS products really annoys me.
But products like an OS, browser, cloud-synced password manager, mail client, online git hosting, etc. -- for those, I would prefer to pay a subscription fee (to a company I trust to use it well).
well, I can attribute to anything, if there is no explanation.
When I first posted this, I had multiple down votes in the span of a few seconds with barely enough time for someone to read or even process my comments. It just seemed very suspicious.
That’s why you create a free Dropbox account or just use your free iCloud account. This is even what 1Password used to recommend as part of its setup, if I remember correctly.
If it was simply storage, then it would be an add-on, but it's not. It seems like it's more of a strategy to increase cash flow by converting to ongoing subscriptions instead of one time purchases. This is the same motivation that switched MS Office and Photoshop over to subscriptions. There's no compelling reason to upgrade, so you get people to fork over a credit card and forget about their recurring charge. Cash flow becomes more predictable and possibly increases as well. This is why service contract / subscription businesses are popular among investors.
I don’t blame them for trying it, but let’s not pretend this is good for users.
Man you aren't thinking deep enough. Just set up your own FTP server!
The truth is that my grandmother needs a password manager and she barely understands what minimizing a window does. "Just store your vault in dropbox" is friction and that matters much more to the huge majority of users than the fact that the vault is stored on a cloud service.
Yes, completely agree. Dropbox sync has lots of gotchas and edge cases, and was particularly bad if you edited files on multiple systems (my workstation and laptop, for instance -- I use both interchangeably depending on what I'm doing).
I can understand why 1Password built their own sync service instead of playing whack-a-mole with different cloud storage providers' quirks.
So what 1password used to do was charge a higher application fee (think it was like 40 or 50 bucks?) and then also would charge again for larger version releases. Apple (which was/is the largest part of the user base) does not provide a way to do discount pricing on upgrades, and they do provide discounted cuts on their take for subscriptions after the first year. So they absolutely were able to drop the cost to end-users after all of that was factored in, although there are users who have to pay more (people who would stick on old versions). But that’s a nightmare / costly to support, and creates misalignment.
Anyways all of that said, the 3rd party sync solutions all suffered from varying degrees of funkiness that just don’t exist with the native solution. Their switching to monthly pricing was, objectively, very successful and didn’t cost majority of users more money. But there are a small number of people who it rubbed the wrong way, clearly, but any business action is bound to piss some small number of people.
>It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server.
So? You can put the database on gdrive, icloud, dropbox, or any cloud service you want. I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive).
> I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive)
Many do, many don't.
Even for those that do, there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
I mean, I'm with you in that I'm personally pretty skeptical of the cloud-based pw solution. But I can absolutely understand the story about a much simpler user-experience that it offers.
>there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
>Many do, many don't.
I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
> Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
It's literally twice as much work. Often more, because I need the password to the sync app's service. Where's that stored?
How many characters is it? Oh, it's a secure, 20-32 character password. What a pain to re-type it. Good thing it uses a ton of symbols which are a pain to type on my mobile keyboard.
> I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
It's not "people who don't know how to manipulate files", it's "people who don't _like_ to manipulate files, and external services, and get them onto all of their devices".
Further, I expect the proportion of the first circle is constant and relatively small (<10%).
I expect the proportion of the second circle _was_ small, but is growing extremely rapidly.
> What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
Or no app, just add the browser extension and you're done. Seems a lot easier to me than downloading two other apps, one I have no use for other than syncing the other one.
Or you can build your own pc from open market components, or maybe build your own components by designing your own pcb and sourcing the chips, and write your own drivers, or... etc.
Some people don't want to roll their own. You may, or may not agree with the concept of a fully managed solution, but for any non technical user, they want it to (borrow a phrase) "just work".
Couldn't agree more -- I have limited time in my life, time I don't want to spend maintaining absolutely every service I use. Very happy to pay someone else to build good software and make the pain go away.
I'd wager thousands of dollars that less than 20% of internet users understand this to the point that they won't blame others if they screw something up.
It's cloud-based so they can hold your data hostage and charge a subscription fee.
The cloud-synced updating features you're talking about work fine for me already with 1Password's iCloud-backed syncing, which is how most Mac and iOS apps sync data; it's just that in that model Apple has control of my data, not 1Password (and I don't pay a subscription fee), so they make it incredibly difficult to configure that way.
Wha..? I'm totally not following, iCloud syncing is completely transparent and built into 1Password. There's 0 extra work to support it (outside of finding how to turn it on, because it's buried in the UI), there's literally less work than 1Password's own subscription service, because that requires setting up an account whereas iCloud doesn't.
You can use iCloud without an account? Is iCloud available outside of the Apple ecosystem? Otherwise it doesn't seem very relevant since it's not a general solution.
Yes, you're right, this only works for Apple devices, so going cross-ecosystem is definitely a benefit of their subscription service! I disagree that that means the iCloud solution is irrelevant, though; skipping the $36 a year, and the additional control over your data that not being on a subscription entails, seem like relevant benefits for the people who fit those requirements!
Agreed, those are advantages of the 1Password subscription service. My opinion about 1Password wanting to migrate people to their subscription service for business reasons is based on reading forum threads over the years to figure out where they've buried the option each time there's a new version. E.g., there are two ads for their sync service on the page that describes how to use iCloud[1] (they've toned down the messaging a ton these days, that support page didn't use to exist, and the forum support threads were banging the 1Password Cloud Sync drum much harder than they do today).
Note also I'm replying to this comment "It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server." Seems relevant that "cross-device updates" don't require a server (at least among Apple devices)?
> Ever since they went to the cloud, I stopped using and recommending them to friends and family.
The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
1Password had (maybe still has?) integrations with services like Dropbox, where your vault would be stored on a third-party service like Dropbox to achieve the cross-device syncing you're describing.
IMO this was the more secure implementation (assuming 1Password was only storing fully encrypted files on your third-party cloud of preference) - even if someone broke into your Dropbox, they can’t decrypt your passwords without your master pass.
An end-to-end cloud solution provided natively by 1pass is much more user friendly and easier, but requires putting an order of magnitude more trust in 1password’s security architecture (which of course is closed source).
The fundamentals are still the same, everything is encrypted with your master password before being sent to 1Password's cloud. So even if someone infiltrates 1Password's storage, all they get is encrypted files, same with Dropbox.
If that’s true, then the point I made about better security with Dropbox is moot.
As an end user, it’s abundantly clear that all encryption/decryption is done locally when using the Dropbox integration since you can see the files directly in your Dropbox. I guess I didn’t make the same assumption about the 1pass cloud service for some reason.
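The model the two comments above describe (the vault is encrypted on the device with a key derived from the master password, so Dropbox or 1Password's own storage only ever holds ciphertext) is sketched here in Go as an added illustration; this is not 1Password's code, and the PBKDF2 iteration count, the blob layout and the constructed sample values are assumptions of the example. It shows why a stolen copy of the synced file is useless without the master password: a wrong password fails authentication rather than producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// vaultCipher derives a 32-byte key from the master password with PBKDF2-HMAC-SHA256
// (one output block, inlined; 100k iterations is a demo assumption) and keys AES-256-GCM with it.
func vaultCipher(master string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100_000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, err := aes.NewCipher(key) // 32-byte key: cannot fail
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES block size is always GCM-compatible
	return gcm
}

// SealVault encrypts on the device. Blob layout: salt(16) || nonce(12) || ciphertext || tag(16); salt is also AAD.
func SealVault(master string, plaintext []byte) ([]byte, error) {
	blob := make([]byte, 28)
	if _, err := rand.Read(blob); err != nil { // fresh salt and nonce for every write
		return nil, err
	}
	return vaultCipher(master, blob[:16]).Seal(blob, blob[16:28], plaintext, blob[:16]), nil
}

// OpenVault decrypts a synced blob; a wrong master password or a tampered blob fails authentication.
func OpenVault(master string, blob []byte) ([]byte, error) {
	if len(blob) < 44 { // salt + nonce + tag at minimum
		return nil, errors.New("vault blob too short")
	}
	return vaultCipher(master, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
}
```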
Just adding to this accurate statement, you can also sync a vault in iCloud. So there are at least three syncing methods:
1. 1Password Cloud
2. iCloud
3. Dropbox
And at least 2 and 3 can be used simultaneously, which is what I do, with my main vault in iCloud, and temporary vaults, e.g., passwords for a particular job, in Dropbox.
> 1password had (maybe still has?) integrations with services like Dropbox
It's not as seamless as having the functionality built-in. You have to deal with logins, authorizations, etc. I wish it could be as easy as "Do you allow 1Password to use Dropbox? (Y/N)".
> The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
That isn’t the whole point of 1PW though, or at least it wasn’t at the beginning, as I saw it. It was a way to avoid having to remember a unique, secure (read: probably hard to remember) password for every service that requires one. A place to store them all so you don’t have to remember, or worse, reuse the ones you can remember, and/or use easy-to-remember ones (read: less secure). It’s in the name: one password gets you access to all your passwords. Automatic form filling and cloud sync are definitely selling points and certainly convenient, but they are also risk vectors. I’d not call cloud sync essential; I get by fine without it. I just use the WiFi sync option.
If the goal is to avoid having to remember strong passwords, then a strong password generator + a paper journal is resistant to more threat models and should be preferred.
Password managers without transparent sync and autofill UX are a half-product at best.
It’s probably similar but I’m not convinced it’s preferred. If I lose that journal anyone can read it. If I lose my computer it is most likely locked already, and if not it (as well as 1PW) autolocks itself after a short time.
Also like I mentioned elsewhere, I do sync my vaults, but only using the local WiFi option.
There are nearly infinite vectors to exfiltrate files from your computer, the vast majority of which are currently unknown to you, and would be entirely undetected. And what's more, most of those vectors can be done from anywhere on the planet.
There is only one way to exfiltrate information from a notebook, it requires physical proximity, and it's very likely that you would notice.
Every rational threat model for almost every human on the planet (excepting perhaps major political, cultural, or economic figures) would conclude in the paper journal being the better (safer) choice.
The pain of doing that is nonzero, but much less than the pain of keeping the passwords synced manually, or through an intermediary like Dropbox (permissions, having Dropbox installed and running on my phone, etc.)
I'm not in a rush to put the holy grail of my personal info into someone's cloud service that I can't manage or securely delete. I think that KeePass + [Dropbox,Google Drive,etc] is the best solution. You can easily get these files on to your phone for passwords on the go.
> You can easily get these files on to your phone for passwords on the go.
Something like 80% of the value prop of my password manager use is one-tap login (with FaceID) on mobile.
Handwaving this away is failing to understand the product and market at a fundamental level.
edit: literally a paper notebook with my passwords written in it is a better solution in essentially every dimension than a non-syncing password manager.
I definitely see the benefit of storing my passwords locally and not in some single point of failure, but I also wouldn't ever claim it's simple or even a good solution. It does help me ease up on creating new accounts at places I don't need because I think about having to create and sync up a new password between my devices.
How is that a single point of failure? You have downloaded copies on all your devices and the database is encrypted with your own master key, so even if 1Password is hacked there isn’t really a problem, just like LastPass hasn’t died when it had one.
The concern, which is fair, is that 1Password's cloud is a target. And those targeting it have only one intention, which is to steal people's passwords and other information stored in the 1Password cloud. In contrast, of course using the Dropbox sync approach with 1Password does put your information in the cloud as well. But it's in your personal Dropbox account. That Dropbox account could absolutely be hacked, but very unlikely by someone with such clear intent to steal your 1Password vault. Basically, 1Password's cloud is the ultimate target, and your 1Password vault in your personal Dropbox account is not.
> As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
Just store it in your regular sync solution. Syncthing works great, and I don't remember any issues with Dropbox back when I used that. I'd imagine that iCloud or SkyDrive would work fine too, for the masochistically inclined.
and the reason I went to their cloud solution is so that I can sync passwords between my iPhone, Mac, PC, and Linux machines. It's $35.88 for an entire year of something that I use constantly, every day, and it works perfectly.
Agreed. It's so nice updating/creating a password on desktop, and being able to use it immediately and seamlessly on my phone or other machines.
This seamlessness is also critical for my less-technical family members on my plan. They want the better security, and recognize that a password manager is necessary. But if it was a pain to use they wouldn't put up with it.
For me, the sync has been less than perfect (Windows + Android user) on more than one occasion. There used to be a force sync button way back when, but it has since been removed as far as I can tell.
I had to Google a workaround (creating a dummy secure note was one workaround) for the times the sync wouldn't work.
I asked why there was no Force Sync button on their support forums, and was told that they took it out because they want their paying customers to report sync issues with an error report instead of giving them an instant fix via the button.
Needless to say, as someone who has been using and paying for 1PW (upgrades and subs) since around 2008, I was not impressed with that response.
To me, the Windows and Android clients seem to be second-class citizens compared to their Apple counterparts.
I agree that the DropBox integration isn't for everyone. Even if you have just Macs and iOS devices as I do, DropBox is much more expensive, so it's not worth getting just to sync passwords.
But on the other hand, for users who have DropBox already—possibly because they aren't using Linux—this does allow them to sync passwords without paying another $40 a year.
The cloud storage isn't mandatory. Just keep using Dropbox (uhh, a different cloud?) if it bothers you. This is what I do, along with a perpetual license.