If you asked me about 1password a few years ago, I would agree with you. Ever since they went to the cloud, I stopped using and recommending them to friends and family.
I now use KeePass, which is free and doesn't require the cloud.
The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people. It's a way for them to make more money, which is fine, but I really don't think a cloud-based password solution is necessary.
Edit: The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
> The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
I was going to just disagree with you without downvoting, because I specifically was looking for cross device sync and mobile support (and specifically looked for a mobile app that supported using FIDO as a second factor to protect the vault).
However, attributing downvotes to employees/shills shows an inability to consider that there may be a good counter argument.
I appreciate the subscription model, since it aligns with the fact that secure products must continue to be developed to stay secure. Security is a process, not a destination.
I used to feel very differently about this as a consumer, but when you see things from the other side as an ISV, it's obvious that a one-time fee isn't a sustainable business model - if you want the software to remain available, you need to pay for the duration.
A SaaS model works well for both sides, I think - consumers always have the latest version and their data is highly available and safe against local events (storage failure, fire, flood etc); the business has a (relatively) reliable income stream.
The duration of the ISV cloud contract you mean. I have plenty of perfectly running applications where the vendor has long gone. Also, I hate paying for a relatively small feature such as a password manager. Keepass on a webdrive offers the same for free and I get to look at the source as well, which in my opinion is a requirement for something so fundamental.
> I have plenty of perfectly running applications where the vendor has long gone
Hmm, thinking about it, for simple image editing stuff I still use a version of Paint Shop Pro from something like 10-15 years ago, and it still works great.
I think then that it depends on the kind of software, and the expectations of the user: is it beneficial to store data in the cloud for easy access from multiple devices?; do you want security updates? do you want new features?; do you want support?
I also use Keepass, with passwords stored on a cheap VPS using SFTP. Works great on Android with Keepass2Android too. But of course, this is not something a general consumer is going to set up.
> I think then that it depends on the kind of software
I agree completely. I never want to pay more than once for Photoshop/Illustrator/etc. -- and the fact that Adobe has turned those into SaaS products really annoys me.
But products like an OS, browser, cloud-synced password manager, mail client, online git hosting, etc. -- for those, I would prefer to pay a subscription fee (to a company I trust to use it well).
well, I can attribute to anything, if there is no explanation.
When I first posted this, I had multiple down votes in the span of a few seconds with barely enough time for someone to read or even process my comments. It just seemed very suspicious.
That’s why you create a free Dropbox account or just use your free iCloud account. This is even what 1Password used to recommend as part of its setup, if I remember correctly.
If it was simply storage, then it would be an add-on, but it’s not. It seems like it’s more of a strategy to increase cash flow by converting to ongoing subscriptions instead of one time purchases. This is the same motivation that switched MS Office and Photoshop over to subscriptions. There’s no compelling reason to upgrade, so you get people to fork over a credit card and forget about their reoccurring charge. Cash flow becomes more predictable and possibly increases as well. This is why service contract / subscription businesses are popular among investors.
I don’t blame them for trying it, but let’s not pretend this is good for users.
Man you aren't thinking deep enough. Just set up your own FTP server!
The truth is that my grandmother needs a password manager and she barely understands what minimizing a window does. "Just store your vault in dropbox" is friction and that matters much more to the huge majority of users than the fact that the vault is stored on a cloud service.
Yes, completely agree. Dropbox sync has lots of gotchas and edge cases, and was particularly bad if you edited files on multiple systems (my workstation and laptop, for instance -- I use both interchangeably depending on what I'm doing).
I can understand why 1Password built their own sync service instead of playing whack-a-mole with different cloud storage providers' quirks.
So what 1password used to do was charge a higher application fee (think it was like 40 or 50 bucks?) and then also would charge again for larger version releases. Apple (which was/is the largest part of the user base) does not provide a way to do discount pricing on upgrades, and they do provide discounted cuts on their take for subscriptions after the first year. So they absolutely were able to drop the cost to end-users after all of that was factored in, although there are users who have to pay more (people who would stick on old versions). But that’s a nightmare / costly to support, and creates misalignment.
Anyways all of that said, the 3rd party sync solutions all suffered from varying degrees of funkiness that just don’t exist with the native solution. Their switching to monthly pricing was, objectively, very successful and didn’t cost the majority of users more money. But there are a small number of people who it rubbed the wrong way, clearly, but any business action is bound to piss off some small number of people.
>It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server.
So? You can put the database on gdrive, icloud, dropbox, or any cloud service you want. I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive).
> I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive)
Many do, many don't.
Even for those that do, there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
I mean, I'm with you in that I'm personally pretty skeptical of the cloud-based pw solution. But I can absolutely understand the story about a much simpler user-experience that it offers.
>there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
>Many do, many don't.
I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
> Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
It's literally twice as much work. Often more, because I need the password to the sync app's service. Where's that stored?
How many characters is it? Oh, it's a secure, 20-32 character password. What a pain to re-type it. Good thing it uses a ton of symbols which are a pain to type on my mobile keyboard.
> I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
It's not "people who don't know how to manipulate files", it's "people who don't _like_ to manipulate files, and external services, and get them onto all of their devices".
Further, I expect the proportion of the first circle is constant and relatively small (<10%).
I expect the proportion of the second circle _was_ small, but is growing extremely rapidly.
> What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
Or no app, just add the browser extension and you're done. Seems a lot easier to me than downloading two other apps, one I have no use for other than syncing the other one.
Or you can build your own pc from open market components, or maybe build your own components by designing your own pcb and sourcing the chips, and write your own drivers, or... etc.
Some people don't want to roll their own. You may, or may not agree with the concept of a fully managed solution, but for any non technical user, they want it to (borrow a phrase) "just work".
Couldn't agree more -- I have limited time in my life, time I don't want to spend maintaining absolutely every service I use. Very happy to pay someone else to build good software and make the pain go away.
I'd wager thousands of dollars that less than 20% of internet users understand this to the point that they won't blame others if they screw something up.
It's cloud-based so they can hold your data hostage and charge a subscription fee.
The cloud synced updating features you're talking about work fine for me already with 1Password's iCloud-backed syncing, which is how most Mac and iOS apps sync data, it's just in that model Apple has control of my data, not 1Password (and I don't pay a subscription fee), so they make it incredibly difficult to configure that way.
Wha..? I'm totally not following, iCloud syncing is completely transparent and built-in to 1Password. There's 0 extra work to support it (outside of finding how to turn it on, because it's buried in the UI), there's literally less work than 1Password's own subscription service, because that requires setting up an account whereas iCloud doesn't.
You can use iCloud without an account? Is iCloud available outside of the Apple ecosystem? Otherwise it doesn't seem very relevant since it's not a general solution.
Yes, you're right, this only works for Apple devices, so going cross-ecosystem is definitely a benefit of their subscription service! I disagree on that meaning the iCloud solution is irrelevant though, skipping the $36/a year, and the additional control over your data not being on a subscription entails, seem like relevant benefits for the people who fit those requirements!
Agreed, those are advantages of the 1Password subscription service. My opinion about 1Password wanting to migrate people to their subscription service for business reasons is based on reading forum threads over the years to figure out where they've buried the option each time there's a new version. E.g., there are two ads for their sync service on the page that describes how to use iCloud[1] (they've toned down the messaging a ton these days, that support page didn't used to exist, and the forum support threads were banging the 1Password Cloud Sync drum much harder than they do today).
Note also I'm replying to this comment "It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server." Seems relevant that "cross-device updates" don't require a server (at least among Apple devices)?
> Ever since they went to the cloud, I stopped using and recommending them to friends and family.
The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
1password had (maybe still has?) integrations with services like Dropbox where your vault would be stored on a 3rd party service like Dropbox to achieve the cross-device syncing you're describing.
IMO this was the more secure implementation (assuming 1password was only storing fully encrypted files on your 3rd party cloud preference) - even if someone broke into your Dropbox, they can’t decrypt your passwords without your master pass.
An end-to-end cloud solution provided natively by 1pass is much more user friendly and easier, but requires putting an order of magnitude more trust in 1password’s security architecture (which of course is closed source).
The fundamentals are still the same, everything is encrypted with your master password before being sent to 1Password's cloud. So even if someone infiltrates 1Password's storage, all they get is encrypted files, same with Dropbox.
If that’s true, then the point I made about better security with Dropbox is moot.
As an end user, it’s abundantly clear that all encryption/decryption is done locally when using the Dropbox integration since you can see the files directly in your Dropbox. I guess I didn’t make the same assumption about the 1pass cloud service for some reason.
Just adding to this accurate statement, you can also sync a vault in iCloud. So there are at least three syncing methods:
1. 1Password Cloud
2. iCloud
3. Dropbox
And at least 2 and 3 can be used simultaneously, which is what I do, with my main vault in iCloud, and temporary vaults, e.g., passwords for a particular job, in Dropbox.
> 1password had (maybe still has?) integrations with services like Dropbox
It's not as seamless as having the functionality built-in. You have to deal with logins, authorizations, etc. I wish it could be as easy as "Do you allow 1Password to use Dropbox? (Y/N)".
> The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
That isn’t the whole point of 1PW though, or at least it wasn’t at the beginning, as I saw it. It was a way to avoid having to remember a unique, secure (read: probably hard to remember) password for every service that requires one. A place to store them all so you don’t have to remember, or worse, reuse the ones you can remember, and/or use easy-to-remember ones (read: less secure). It’s in the name: one password gets you access to all your passwords. Automatic form filling and cloud sync are definitely selling points and certainly convenient, but they are also risk vectors. I’d not call cloud sync essential; I get by fine without it. I just use the WiFi sync option.
If the goal is to avoid having to remember strong passwords, then a strong password generator + a paper journal is resistant to more threat models and should be preferred.
Password managers without transparent sync and autofill UX are a half-product at best.
It’s probably similar but I’m not convinced it’s preferred. If I lose that journal anyone can read it. If I lose my computer it is most likely locked already, and if not it (as well as 1PW) autolocks itself after a short time.
Also like I mentioned elsewhere, I do sync my vaults, but only using the local WiFi option.
There are nearly infinite vectors to exfiltrate files from your computer, the vast majority of which are currently unknown to you, and would be entirely undetected. And what's more, most of those vectors can be done from anywhere on the planet.
There is only one way to exfiltrate information from a notebook, it requires physical proximity, and it's very likely that you would notice.
Every rational threat model for almost every human on the planet (excepting perhaps major political, cultural, or economic figures) would conclude in the paper journal being the better (safer) choice.
The pain of doing that is nonzero, but much less than the pain of keeping the passwords synced manually, or through an intermediary like Dropbox (permissions, having Dropbox installed and running on my phone, etc.)
I'm not in a rush to put the holy grail of my personal info into someone's cloud service that I can't manage or securely delete. I think that KeePass + [Dropbox,Google Drive,etc] is the best solution. You can easily get these files on to your phone for passwords on the go.
> You can easily get these files on to your phone for passwords on the go.
Something like 80% of the value prop of my password manager use is one-tap login (with FaceID) on mobile.
Handwaving this away is failing to understand the product and market at a fundamental level.
edit: literally a paper notebook with my passwords written in it is a better solution in essentially every dimension than a non-syncing password manager.
I definitely see the benefit of storing my passwords locally and not some single point of failure, but I also wouldn't ever claim it's simple or even a good solution. It does help me ease up on creating new account to places I don't need because I think about having to create and sync up a new password between my devices.
How is that a single point of failure? You have downloaded copies on all your devices and the database is encrypted with your own master key, so even if 1Password is hacked there isn’t really a problem, just like LastPass hasn’t died when it had one.
The concern, which is fair, is that 1password's cloud is a target. And those targeting it have only one intention, which is to steal people's passwords and other information stored in the 1password cloud. In contrast, of course using the dropbox sync approach with 1password does put your information in the cloud as well. But, it's in your personal dropbox account. That dropbox account could absolutely be hacked, but very unlikely by someone with such clear intent to steal your 1password vault. Basically, 1password's cloud is the ultimate target, and your 1password vault in your personal dropbox account is not.
> As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
Just store it in your regular sync solution. Syncthing works great, and I don't remember any issues with Dropbox back when I used that. I'd imagine that iCloud or SkyDrive would work fine too, for the masochistically inclined.
and the reason I went to their cloud solution, is so that I can sync passwords between my iPhone, Mac, PC, and Linux machines. It's $35.88 for an entire year of something that I use constantly, every day, and it works perfectly.
Agreed. It's so nice updating/creating a password on desktop, and being able to use it immediately and seamlessly on my phone or other machines.
This seamlessness is also critical for my less-technical family members on my plan. They want the better security, and recognize that a password manager is necessary. But if it was a pain to use they wouldn't put up with it.
For me, the sync has been less than perfect (Windows + Android user) on more than one occasion. There used to be a force sync button way back when, but it has since been removed as far as I can tell.
I had to Google a workaround (creating a dummy secure note was one workaround) for the times the sync wouldn't work.
I asked why there was no Force Sync button on their support forums, and was told that they took it out because they want their paying customers to report sync issues with an error report instead of giving them an instant fix via the button.
Needless to say, as someone who has been using and paying for 1PW (upgrades and subs) since around 2008, I was not impressed with that response.
To me, the Windows and Android clients seem to be second-class citizens compared to their Apple counterparts.
I agree that the DropBox integration isn't for everyone. Even if you have just Macs and iOS devices as I do, DropBox is much more expensive, so it's not worth getting just to sync passwords.
But on the other hand, for users who have DropBox already—possibly because they aren't using Linux—this does allow them to sync passwords without paying another $40 a year.
The cloud storage isn't mandatory. Just keep using Dropbox (uhh, a different cloud?) if it bothers you. This is what I do, along with a perpetual license.