[HN Gopher] 1Password Secrets Automation | Author: srijan4 | Score: 241 points | Date: 2021-04-13 15:52 UTC | Link: blog.1password.com | xoa wrote: | While this looks interesting, I'll admit I feel like there's been | a bit of drift from their bread and butter over the years since | they launched their cloud thing and started pushing hard towards | a subscription model. I chose them long ago specifically over | options like LastPass because I liked having a rich application | without internet dependency and their attention to detail and | features there, but it's been a while since it feels like it got | major new improvements vs the site. For example, while macOS and | Windows have supported smart cards and security tokens like | YubiKeys forever now, and I use them to log in, unlock, authorize | sudo/SSH, etc. every day, 1Password still has no support. There | are things that can now only be done through the web interface, | like finer-grained control over permissions for shared vaults, | and some of those are also nastily locked away behind more | expensive subscriptions. I think everything should be manageable | through the application, without ever visiting the site. | Duplicate items across vaults remain completely manually managed, | when automating stuff like that is kind of the purpose of a | password manager. Etc. Heck, even within their own subscription | service I think they're missing a trick by not having more | powerful/flexible organization (including families) and inter-organizational capabilities. | | I still think 1Password is the best option for most people. I | specifically want my non-technical family and friends to use | password managers too as long as it's necessary, and having some | multi-person capability is also key to that.
I can't say though | that I feel like the move to subs has been a huge win in terms of | development. | | Granted, I'm a little down on the whole field, which colors things | a bit. Ultimately underlying my feelings is a touch of bitterness | that their entire industry even exists. Passwords and password | managers are mostly recreating public-key auth really, really | badly and it stinks. Passwords and other symmetric tokens by | definition should never be shared. A website being hacked should | _never_ affect me in the slightest, in the same way that me | getting hacked doesn't somehow suddenly mean attackers now own | Debian/Apple/FreeBSD/Microsoft. Everywhere should just have | public keys. We've had the tech for decades and sufficient crypto | speed on client systems since at least AES-NI. What's been | missing has been glue and effort. It's frustrating every time a | hack happens. We shouldn't have to care! Sigh. | fastball wrote: | Very much agree. | | My pet peeve at the moment is this[1], where they removed a | feature I very much like (TouchID in the standalone browser | extension) and still have yet to replace that functionality | despite many promises that it is just around the corner. It was | removed in August 2020. | | Definitely feel like they've lost sight of why people chose | them in the first place, and stuff like this is certainly not | helping assuage my concerns. | | [1] https://1password.community/discussion/115228/temporarily-re... | 1cvmask wrote: | Did you ever look at a password manager like saas pass that | does not need a desktop app and the browser extension is a | full-blown app that is protected by 2FA? | xoa wrote: | It's a fundamental concern I've always had with subscriptions | for non-entertainment services or trivially fungible goods. | I've become a big believer in business incentives and | feedback loops for sustainable commercial relationships.
| Individual leadership and culture can stand against them to | some extent for a time, but individuals move on and it seems | that near-inevitably over enough years organizations tend to | track and/or drift according to their incentives and | impactful feedback. In a traditional software upgrade model, | the default is that they get no money unless they can | convince people to upgrade each time. They make their money | from overcoming that default, and if people choose not to | upgrade that's the most core unignorable feedback for a | business that something isn't right. It doesn't guarantee | responsiveness or good choices, but it forces them to think | about it. From a customer perspective, not paying means the | status quo: they don't gain anything new but they lose | nothing either. | | But with subscriptions it gets inverted. Now for the customer | failure to keep paying means losing existing functionality | and/or having to expend additional resources (money and time) | actively moving to something else. So rather than needing to | be convinced to give the company more money, it's more that | they need to be convinced not to. | | There's a real difference between "a customer base that is | very happy" and "a customer base that is merely not irritated | enough _yet_ to overcome the inherent energy hump and go | looking for a new local minimum" and I worry the subscription | business model makes that easier to ignore. Not that | companies can't in principle find out in other ways! They can | do detailed customer polling and so on. But that requires | active effort and expense by the company so the temptation | will always be to ignore it and follow inertia. This doesn't | require the slightest bit of active malice, just a break in | feedback loops resulting in drift as a company starts | pursuing things from its own tunnel vision. They then look | and see the money keep pouring in, so what's the problem?
The | threat eventually becomes that if the energy barrier is | overcome and the stampede begins it's too late. It's a shame | to see happen to companies I really really like and have | great visions that could be even better. | yoz-y wrote: | There is a rub to this too however. In a pay-to-upgrade | model you are incentivised to stuff your application with | features and also need to support old versions indefinitely | if they have network components. | | Granted in 1Password's case, their classic app would not have | stopped working without upgrades. And to my knowledge it | should also still work? I have since switched to the | subscription model but I have used the old paid app years | after they have switched models. | [deleted] | pudgeball wrote: | We very much agree that this is a pain point for those with | the extension. This feature brought users (and also all our | developers who rebuild... often...) a huge smile and | productivity boost, so removing it was not easy. We had some | fundamental issues that affected the way this feature worked | which pushed us to rework it. We wanted to share more news[1] | once we had some releases in the wild which recently | happened. | | With a recent release[2] of 1Password for Linux and the | 1Password extension, the two can now communicate, allowing | you to use biometrics to unlock the extension and keep it | unlocked throughout your browsing sessions. | | While this news doesn't unlock this ability right away for | yourself (because referencing TouchID I assume means you're a | Mac friend), we will be continuing to roll out over the coming | months to Windows and Mac. | | [1] https://1password.community/discussion/comment/591579/#Comme... | | [2] https://1password.community/discussion/119609/1password-for-... | djrogers wrote: | Yeah, definitely taking them longer to get this back than | they'd planned. Fortunately the 'classic' extension for | Chrome still exists and works.
| lstamour wrote: | Link: https://support.1password.com/cs/1password-classic-extension... | | I prefer the above classic extensions for switching between | Chrome, Safari, Firefox and Edge all day and not having to | sign in more than once. Plus the better desktop app | integration, including the ability to opt out of cloud | storage of passwords. | bwoodruff wrote: | Hi! I work for 1Password. We have this functionality | available in beta with our 1Password for Linux app. It will | be available on Mac and Windows in the not-too-distant | future, though I can't say more specifically when that will | be. | | [1] https://1password.community/discussion/comment/591579/#Comme... | phnofive wrote: | Can you explain why this was removed, and why it was re-introduced on a platform other than OS X (given that | biometric identifiers have become standard in Apple | hardware)? | rectang wrote: | > _I specifically want my non-technical family and friends to | use password managers_ | | I consider it a victory if I can get non-techies to use their | browser's facilities to store passwords, and then to choose | reasonably long passwords and avoid reuse. | | (I use `pass`, myself.) | fiddlerwoaroof wrote: | I use a password manager but, as a mostly-Apple user, I see | very little reason not to just use iCloud Keychain: the UX of | Apple's solution is significantly better than all the | alternatives because I don't have to remember yet another | password/MFA token to type in every once in a while. | gen220 wrote: | Most password managers support auth with Touch ID/Face ID | these days, I believe. | | The value prop if you're 100% on-Apple, and OK with this | fact, is hard to challenge. If you have some non-Apple | devices that need passwords, that's where having a third-party password service makes sense. | | FWIW, I use `pass`, as a mostly-Apple person who also owns | a few Linux devices and occasionally requires passwords | while `ssh`'d into servers.
| Vvector wrote: | Bitwarden ties into iCloud somehow. I unlock it with my | fingerprint. | stjohnswarts wrote: | I chose Bitwarden because I like my passwords with a 3rd | party rather than the big guys Google/Apple/etc. It | works fine as both a desktop client and browser | extension. | [deleted] | trevorishere wrote: | I'd love to use a built-in service, but I need a service | that has a web UI + Windows support + sharing support for | family. | 8fingerlouie wrote: | > I use a password manager but, as a mostly-Apple user, I | see very little reason not to just use iCloud Keychain | | Storing 2FA tokens is one thing iCloud Keychain cannot do | (yet?), and it's the primary reason I use 1Password over | iCloud Keychain. | | That being said, with Big Sur, 1Password changed its | default behavior from being unobtrusive to literally | obscuring input fields with big "unlock 1Password" pop-ups. | | I'm currently evaluating using either Password-store or | Bitwarden with bitwarden_rs as a backend as I really don't | want my logins synchronized anywhere I don't control. | oarsinsync wrote: | > That being said, with Big Sur, 1Password changed its | default behavior from being unobtrusive to literally | obscuring input fields with big "unlock 1Password" pop-ups. | | That's not a Big Sur thing, that's a 1Password thing | (I've not upgraded to Big Sur still). | fiddlerwoaroof wrote: | I think the fingerprint auth stuff Apple's working on | will replace MFA: as I understand it, in Safari, the | MacBook's fingerprint sensor implements the same protocol | as a YubiKey or similar. | patwolf wrote: | This looks interesting. We use 1Password, and I always thought it | would be useful to programmatically pull values out and use in | our cloud infrastructure. | | Currently we end up using the secret managers available in AWS or | GCP, which seem pretty half-baked. In GCP, for example, secrets | are stored at a project level.
It's not unusual to have certain | secrets that are needed by more than one project, which means | they get duplicated. The granularity also prevents me from | controlling which secrets are visible to a given user. | | I'd love to have one centralized source of truth for all | infrastructure secrets. | hn_throwaway_99 wrote: | > The granularity also prevents me from controlling which | secrets are visible to a given user. | | What do you mean by this? Each secret has a "Permissions" tab | which allows you to grant access to individual IAM users. | nops wrote: | https://www.vaultproject.io/ | zomglings wrote: | My team uses 1Password to share account credentials, etc. When | we need to deploy secrets into production, we use AWS Systems | Manager Parameter Store. | | The name is quite a mouthful, but we have found the service to | be awesome. We have a small Python script that loads a script | with environment variable definitions from the Parameter Store | and we use that as an EnvFile for our systemd services. | gingerlime wrote: | Plugging envwarden[0], which is just a tiny open-source wrapper | around the Bitwarden CLI to let you manage your server secrets | inside your password manager. | | [0] https://github.com/envwarden/envwarden | outworlder wrote: | This is why we use Vault. Until recently, there was no good | option to host it, so you had to manage it. | | It's good to have independent competition in this space. | Kudos wrote: | They're not competing with Vault; they see this as an | alternative for simpler use cases where Vault is overkill, or | a complementary product otherwise. | whazor wrote: | Also it would be cool to unlock the vault via 1Password. | stimur wrote: | [I work for 1Password] | | 1Password is not competing with Vault. In fact we have very | good relationships and mutual respect with HashiCorp on many | levels. | | Also Secrets Automation integrates (acts as a provider) with | HC Vault[1] | | 1.
https://github.com/1Password/vault-plugin-secrets-onepasswor... | spondyl wrote: | The article is a little light on details but this seems like a | cool addition to 1Password. | | The `op` CLI is alright but having to re-unlock it every 30 minutes | (plus I'm shell-dumb so my session is nuked every new tab I open) | means there's quite a lot of friction compared to the desktop | version where I just double-tap the side button on my Apple Watch | | I wonder if this could be a potential alternative in some | roundabout way | | --- | | Somewhat unrelated rant | | I like 1Password and after having tried a whirlwind of password | managers, it's still the most seamless (plus having templates for | things like cards, licenses and so on is useful) | | I don't even mind paying the relatively small subscription fee. | | That said, in the same sense that you generally know you've | resigned months before you write the letter, I still remember | there was a forum thread where one of the employees was seemingly | user-hostile. | | On second thought, I don't even remember what it was about but I | remember the feeling of slight frustration. Not in the entitled | sense but the sense that there didn't feel like an attempt to | understand the concern from the other side. | | Very vague but does anyone perhaps know what this event was | again? I want to say, something about supporting local vaults? I | dunno, that isn't even something I was concerned about. | alvarlagerlof wrote: | Probably about them not supporting personal hosting as well | anymore. I get that customers got angry, but as someone who | started using their product after that, with their hosting, | they have been nothing but nice and receptive to feedback. | bredren wrote: | Strange to see this. The product is a mess on macOS right now. | Support can't decide which extension to recommend. | | Their messaging has been inconsistent, saying the browser will | integrate with the native client.
But then also that the browser-only version is the future of the product. | | This says nothing of the performance and UI problems the product | has faced. Recently it was so bad the company was telling people | to use the beta version. | | I bought the legacy versions and switched to subscription last | year. | SirensOfTitan wrote: | If I were unfamiliar with 1Password, I'd imagine the product is | an absolute dumpster fire from your post. | | In reality, the macOS and iOS clients work fine. I have a dozen | friends and family members using the product with no complaints | on those platforms. I surely haven't seen any performance or UI | problems that aren't worse on different services. Sure, there | is some current confusion between the use of the 1Password X | and classical browser extensions, but it's hardly "a mess." | bredren wrote: | The iOS app is stable and fine. | | The macOS native/extension interaction and choice is a | mess. | | From a UX perspective, the single most important thing the | product can do is interact with the browser effectively. | Embedded in this "feature" is that the product is stable, and | responsive in behavior. | | If you go to the Chrome Web Store 1Password extension page | and sort by recently updated, you'll see review after review | of 1-3 star, carefully explained problems with this product. | | https://chrome.google.com/webstore/detail/1password-%E2%80%9... | | Regarding inconsistent messaging, their support is promising | they're working on native app integration but there is no | timeline for this. | | That's why this news is kind of a bummer. The product that | I'm subscribed to is competing with this new product for | resources. | jackweirdy wrote: | There's also two native apps - if you install from the App | Store, you don't get all the same OTP features as an | install from the website download | dmart wrote: | I wouldn't say the product is a dumpster fire, but core | workflows are a mess.
This is how you generate and save a | password for a new site: | |
| 1) Extension button > Generate Password > Save & Copy
| 2) After creating account, extension button again > select entry > Edit
| 3) Click Save in opened modal
| 4) Click Convert to Login in opened modal
| 5) Click Edit in opened modal
| 6) Manually type in the username/email you used on the site
| 7) Click Save in opened modal
| 8) Close the modal
| | And this (generating and storing passwords for new accounts) | is the main workflow of the product! | bredren wrote: | Yes, this "Convert to Login" only after the item has been saved | makes little sense. It took a few times of catching the | button being shown to figure out the pattern of clicks | needed to do this fundamental aspect of what the product is | intended to do. | cloogshicer wrote: | Disagree. Currently the product IS a dumpster fire imo. On | macOS, half the time autofill doesn't work. Saving a | password is very inconsistent. When you auto-generate a | password, the least-resistance UI workflow is to first save | and fill it - but then when you create the account it is | saved again, making it a duplicate. And don't get me started | on the Windows client - on my fast gaming PC it takes forever | just to unlock the vault. | | I've cancelled my subscription and won't renew once it runs | out. | bredren wrote: | Yes, the password save, something that should be the bread | and butter of the UX, is so awkward. It's painful. | dividedbyzero wrote: | Neat, seems it's available to people with a Family subscription, | too. | Dowwie wrote: | Is anyone familiar with the secure introduction workflow using | HashiCorp Vault? An orchestrator gets no more than a one-time-use | "cubbyhole" introduction token for a service that it is | initializing. The initializing service uses the intro token to | get actual credentials and secrets from the Vault. The | orchestrator never touches any secrets: no secrets need to be | passed as env variables anymore.
With this setup, the | person/service that seeds secrets into the Vault and the | introduced system that uses the secrets are the only two that may | ever touch them. Not sure how well this is actually documented | but I gleaned enough from docs and a tech talk to figure the | workflow out. It's pretty intuitive once you dig in. | madjam002 wrote: | Is this the same as seal wrapping that you are referring to? | Honestly Vault is one of the best pieces of software that I | have the joy of using; I use it on many projects, small to | large. | Dowwie wrote: | Yes, precisely. Wrapped tokens and cubbyholes. Vault is | great. They put a ton of effort into it. | ShakataGaNai wrote: | This is very cool. I spent about 20 minutes playing with it and | was successful in setting it up and getting some janky Python | code to work with it. The fact that it's a local sync daemon with | a local API is super smart. No worries about cloud outages. | | Is HashiCorp Vault "better"? Probably. However for groups that | don't have the time and resources for Vault, this is a great | first step. Much better than what most do, which is no proper | secret storage. | jpgoldberg wrote: | Another reason for the local hosting is so that we (I work for | 1Password) are never in a position to acquire secrets that can be | used to decrypt your data. | microdrum wrote: | Hah. With the gimmicks, tricks, and dark patterns this company | has pulled with consumers, what are the chances professionals | would trust them with something like this? | Androider wrote: | The company is clearly focusing entirely on their SaaS version, | which just makes sense in this day and age. They provide the | stand-alone version for people who know about and want to | continue using it, but obviously they don't want to drive any | new users to this end-of-life product. | | In my opinion, it's not a dark pattern, it's just softly | winding down the old app. That's not an unreasonable thing to | do.
If you want a traditional app, there are other choices. | CodeIsTheEnd wrote: | To respond to some of the sibling comments: | | 1Password originally operated on a licensing model, but has | since switched to a membership model. | | It is still possible to purchase a single license, but they | make it _very difficult_ to do so. The option of a standalone | license is not mentioned anywhere on their pricing page: | https://1password.com/sign-up/ | | As I understand it, only once you have downloaded the app and | are logging in do they mention that standalone licenses are | available. (But, at least on Mac, this option is only available | on the version of the app downloaded directly from their site, | and not the version downloaded from the Mac App Store.) This | support thread shows some users' frustration with this, and | their support team's insistence on pushing users to the | subscription model: | https://1password.community/discussion/102412/where-do-i-buy... | | I'm not entirely certain of the differences between the | subscription model and the standalone version, but I believe | the primary difference is that the subscription model will | automatically sync your passwords between multiple devices. | | You can achieve similar functionality with the standalone | license version by storing your vault (1Password's password | file) in iCloud or Dropbox, and relying on that for syncing. I | use the Dropbox version and it works incredibly well, even on | iOS! I think they also support Google Drive for syncing on | desktop, but not on mobile. Certainly the syncing offered | through their subscription model is valuable, but for users who | have other options, it just doesn't make sense. | | I gladly paid for a standalone license, and have purchased | licenses for my parents as gifts; the product is incredible.
| The Chrome extension works great, and the app can be your 2FA | device, so it will automatically fill in password forms and | copy the 2FA code to your clipboard. It works just as well on | iOS too. | roustem wrote: | Thank you for your comment, @CodeIsTheEnd! | | We always built 1Password for ourselves. It is so much easier | to develop a product that you use yourself every day. | | I haven't used the standalone version of 1Password for over 5 | years now. The same is true for pretty much everyone working | at 1Password. | | Why? Because the service is much, much better and more than | just simple syncing of data: | |
| - Account recovery for family and business team members
| - Easy sharing of passwords and documents
| - Vault permissions
| - Item history/automatic backups
| - Free family accounts for businesses
| - Travel mode
| | None of these features are possible without a server doing | its part. | | -- Roustem, Founder of 1Password | tokamak-teapot wrote: | I'm a happy user of 1Password, and while I agree that it's | good to build a product for yourself, I'd also argue that | it's valuable to be keenly aware of where you - or your | employees - differ from your other users. | | I pay yearly for a subscription and sync via 1Password.com. | | I don't pay a subscription because I think that it's | important or necessary to sync via 1Password.com, though. | I'd happily sync via Dropbox (though it sounds like that | has been broken for years and isn't getting fixed) or | iCloud. | | I pay because I know it costs money to keep software | working nicely with its surrounding environment and to keep | it secure. | | Apart from the item history - which I disagree needs a | server - the other features you list aren't of interest to | me. So while I'm a big fan of the product, and I might be | an outlier, I hope you're keeping a keen eye on your users' | motivations for starting or continuing to pay for | subscriptions.
| ydant wrote: | There are a lot of comments everywhere expressing hate for | 1Password's change to a subscription model. Way more than | seem justified. | | I'm not overjoyed at "having to" pay a subscription for a | password manager, but your points are good ones. | | Paying you annually saves me and my family (four people) a | lot of time and energy in managing passwords, sharing | passwords, etc. | | Just wanted to throw out one "+1" for the 1Password | subscription offering being a worthwhile expense from my | perspective. | | I do wish you'd figure out the Chrome extensions on macOS, | though. I don't understand why I have to choose between | excellent browser integration OR more seamless integration | with the native app and fingerprint support in the browser | extension. | bwoodruff wrote: | > I do wish you'd figure out the Chrome extensions on | macOS, though. I don't understand why I have to choose | between excellent browser integration OR more seamless | integration with the native app and fingerprint support | in the browser extension. | | We're efforting on that! Thanks for the feedback. We | currently have better integration with our 1Password for | Linux beta, and that will be rolling out to other | platforms as well. | | - Ben, 1Password | ydant wrote: | Glad to hear! | | I use 1Password for family and LastPass for work, and | vastly prefer 1Password's UI and feature set. | drcongo wrote: | I mentioned in my sibling comment that Dropbox sync is | hampered - since installing 1Password 7 my Dropbox-synced | vaults never sync without me explicitly opening the app | settings and looking at the "Sync" option. It's like | Schrödinger's sync. My primary vault now syncs over iCloud | and is _much_ more reliable, but we use the Dropbox sync for | work. | chrisacky wrote: | Are you confusing this company with LastPass? I made the same | mistake until I realised they are entirely separate.
| alpha_squared wrote: | I'm a subscriber, but unfamiliar with what you're referencing. | Do you mind sharing? | 1cvmask wrote: | What are the gimmicks, tricks and dark patterns you are | referring to? | wskinner wrote: | Care to elaborate? | jagger27 wrote: | I thought AgileBits was pretty well-respected around here. What | dark patterns are you referring to? | dastx wrote: | I'm assuming he's referring to their beginnings of being a | mostly-local password manager (IIRC they also had a one-off | lifetime purchase), to forcing people to migrate to their | cloud-only infrastructure with a relatively high subscription | price. | | I'd never heard of 1Password before they were fully SaaS, but | as I understand it, some of the original users were pretty | upset with this move. Either way, I used to be a 1Password | customer, and their product, at least on the Mac, was the | most polished password manager. | bombcar wrote: | It's exactly this - the original switch to SaaS was a high | price to pay for basically what you already had if you had | local sync/Dropbox set up. | | They finally fixed many of the objections with the "family" | SaaS subscription and it just works and the price may be | "low enough" that I don't bother figuring out a way out of | it - but it is still pretty much the perfect example of | "locked in". | ssully wrote: | What do you mean by locked in? When I think of locked in, | I imagine it being hard to cancel and move to another | service. I switched to 1Password last year from LastPass | and the first thing I checked was the process for | exporting my data. It seemed on par with LastPass, which | was very simple, so I made the switch. | bombcar wrote: | That's the lock-in - they have all your passwords and | (in theory) could make a change that makes it hard to | extract. | djrogers wrote: | Using the term 'locked in' to mean 'some day something | maybe might lock me in' is a huuuuuuge stretch. To the | point that I'd say you're wrong.
| anaerobicover wrote: | Yes, this. I don't have any problem with paying for | updates, or even really a subscription. I have a problem | with their hard push to "use our cloud", burying the | ability to not immediately create a cloud account, and | the way they respond to customers in their forums when they | ask about non-cloud options. | | Ref: https://news.ycombinator.com/item?id=20417832 | xoa wrote: | > _to forcing people to migrate to their cloud only | infrastructure ... fully SaaS_ | | A slight gentle correction. I criticize them elsewhere in | this thread, but in fairness I have to point out that this | isn't quite correct yet. It's still possible (though | they've buried it) to buy a standalone perpetual license | for the latest 1Password, run purely local vaults, or keep | syncing via Dropbox, iCloud, or manually over WLAN. There | isn't any hard tie to the 1Password.com service yet. | | Perhaps they'll put the kibosh on that in the future. And | they can be criticized, and I will criticize them, for not having better | local sync options, which they clearly stopped bothering | with in favor of their own cloud offering. But for the time | being I've still got a fully local 1Password 7 license that | works the same as every previous version. | umacontaparaohn wrote: | Well, until they intentionally break something like the | 1Password 4 integration with the browser extension. And | after asking why it broke they say: sorry, you're out of | luck, but here is a shining new subscription just for you. | | Now you're forced to buy the new version just for the | integration that has always worked fine. | wferrell wrote: | What did you switch to if you stopped using 1Password? | dastx wrote: | Bitwarden. One of the big reasons for doing so was | because when I left my company, they took my Mac away | from me, so I invested in a new laptop; for me there was | no way I was going for Windows or Mac. So Linux it is.
| 1Password at the time had extremely poor support for | Linux - no desktop client, their 1Password X was missing a | lot of features and was super slow too. | | I switched to Bitwarden because it's open source, and | because they have a good-enough Linux client. Their | browser extension and desktop client don't come close | to what 1Password provided on Mac, but it does the job. | | Bitwarden isn't without its issues, but at $10 a year, | and its open-source nature, it's worth every penny and | then some. | philsnow wrote: | You can self-host this unofficial version | https://github.com/dani-garcia/bitwarden_rs if you | prefer. Maybe not worth $10/month of your time amortized | to set up, but it has been fire-and-forget for me. | | My kids have started accumulating more passwords than | they can memorize (and their memorized passwords were | terrible), so I wanted a family password manager. I | considered using "1Password for Families" which I have | access to for free from my day job, but if/when I leave | the company then I'll have to go back to paying for it. | So far I greatly prefer the experience of Bitwarden over | 1Password. I use the web vault, the native Mac app, and | the Linux command-line app (through a janky homegrown | dmenu/xclip shell script), and I have no complaints at | all. | [deleted] | dteare wrote: | Thanks for sharing. I'm sorry it took us so long to | release a native Linux app. We have a great app for Linux | now in beta and will move it to an official release | shortly. | | https://blog.1password.com/1password-for-linux-beta-is-now-o... | | I hope you can give us another chance. | | --Dave, 1Password Founder | seppin wrote: | Hi Dave. I understand that subscription is your future no | matter what, but please don't cut off options for standalone licenses and local syncing. | ruph123 wrote: | I used 1Password for a long time. When they shifted to the | SaaS model I left angrily.
Over time I tried out several | other programs such as Enpass (came close to the original | 1pw), keepass varieties, Bitwarden but found myself back at | 1Password this year. One big thing, which funny enough is | another dark pattern I guess, is the family account | feature. It allows me to take family members on and we can | share certain passwords and I think even help recover an | account. This is also important because 1PW is the | easiest to use password manager and my mom was really | struggling with Enpass. | npunt wrote: | A new feature that adds value is not a 'dark pattern'. | Let's not be dramatic. | | Even moving from one-time to subscription isn't a 'dark | pattern', it's a business model move to shift to recurring | revenue, which we know is something that businesses need | to keep the lights on. You can debate the merits of it, | but it's not a dark pattern in and of itself. HOW they | execute that might be, but the change itself isn't. You | just have a personal preference to not want to pay for it | in a particular way. | ruph123 wrote: | > A new feature that adds value is not a 'dark pattern'. | Let's not be dramatic. | | Family plans are in my eyes. They lock users more into the | platform and make it very difficult to switch. If you | want to move away from Spotify, you now have to convince | enough of the others to make it feasible. | | > Even moving from one-time to subscription isn't a 'dark | pattern' | | I did not claim that it was one. I also was not even mad | about recurring payments, to me the problematic change | was that the data was now hosted on some other machine | owned by the company who is producing the software (e.g. | in theory single point of entry). | [deleted] | varikin wrote: | What gimmicks, tricks, and dark patterns are you referring to? | | I've been using 1Password for my personal accounts for probably | close to 10 years and have been happy with it.
There are some | things I feel are clunky, but I've never felt like I was being | tricked or deceived by the company. | paxys wrote: | "It used to be free but now you have to pay" is really the | only dark pattern they are guilty of. | selykg wrote: | To be clear, 1Password has never really been "free." It has | always been a paid product. Aside from the mobile apps | being made free with limited features, it was previously a | paid app, then with the massive push to 1Password's service | they made it a lot less free and back to paid again. | | If you really want to complain... complain about how they | keep pushing for their subscription, making it harder and | harder to find a one time purchase. | | Or their massive issues with multiple browser extensions | that are a complete mess for the average person. | | Or how their usability has decreased substantially. | | Or how they're less a consumer product and more a business | product these days. | varikin wrote: | I don't think it was ever free. It went from standalone | licenses to SaaS, but it was always a paid product. | umacontaparaohn wrote: | Where is your source about it being free? | | As far as I remember, I've paid for several versions and | upgrades until they forced their crappy subscription | service on us. | | Not sure about OP but I can see a clear dark pattern by | hiding the non subscription option to the point where I had | to google how to acquire one. At this point I simply gave | up and chose another option. | | If I have to pay yearly at least bitwarden gives me a fair | price and comparable service. Maybe 1pass is better than | bitwarden but it's certainly not 4x better. | MrFoof wrote: | I think I'd better describe it as, "It used to be a one- | time charge for a license, but now you need to have a | subscription." | | You can still get stand-alone licenses, but they do | suppress that.
Part of that I believe is not running afoul | of App Store rules, and also because most people are | finding it via the iOS and Mac app stores. | | I'm still using standalone licenses quite happily, and have | no issue with buying new licenses when major versions get | bumped. | drcongo wrote: | This is getting a lot of downvotes, but I agree with it to a | certain degree. Have a look through the Agile Bits support | forums and you'll find all the dark patterns you want - the | most famous being their hiding of buy outright options to push | you to subscription, and the crippling of Dropbox sync to try | to push you to their proprietary sync service. I've used | 1Password for well over a decade, but a lot of their tactics in | the last couple of years left a real sour taste and prompted me | to try out every alternative available. Luckily for Agile Bits, | the alternatives are all appalling. | cheerupplease wrote: | I've never commented on a HN post, but finally you've all got to | me. | | Why are people mostly commenting moaning about something | completely different to what the article is about? Fine, I get | it, you don't like 1Password's tactics regarding subscription | models. But this is about infrastructure secret management. It's | the same with Google Cloud announcements "hOw LoNg UnTiL tHeY | dEprEcAtE iT???" ... boooooooring | jpeeler wrote: | I've found that HN often chats about something only | tangentially related to the article. And I think it's actually | part of the culture here. But I agree that when you are | passionate about a given topic it is a bit of a letdown when | the comments are not directly about the article. | | Note that we've both commented on something different from the | article in this case. | cheerupplease wrote: | Yes, the irony wasn't lost on me haha! | | I do like using 1Password, it does make life a bit easier, | and I'm grateful for its existence.
| | I think this is an interesting offering and will take it for | a spin soon! | ggm wrote: | Good comment. I disliked the 1P subscription model and moved to | paying bitwarden for personal use but I use 1P for work and it's | a perfectly cromulent functional system, and works well. | | Secrets management for network systems has been an issue since | before Kerberos. Having different models, isolating secrets | from the repo and deployment codebase into a 3rd party module | is one of the rational choices. | | I would want to understand a secure secret import and export | model, much as for an HSM you want to know how to move shrouded | keys (if it's not in FIPS mode I guess) | cheerupplease wrote: | Thanks! It seems I started using 1Password after its model | changed, so I've never had to really think about it, but I | can appreciate the frustration. | | I'm happy to just have another offering in the world of | secrets management | bsamuels wrote: | Here's to hoping there's finally a HashiCorp Vault competitor. | It's shocking that the only mature option for runtime secret | delivery is Vault after all these years. | | Some companies have created 'competitors', but they aren't even | remotely mature (google secrets manager, aws secret manager, etc) | w0m wrote: | I've had good luck with Azure KeyVault. | trevorishere wrote: | KeyVault is ideal when combined with Managed Identities. I | would not leverage any service that required a connection | string to access a secret. | brianhorakh wrote: | Ditto. The managed service provider vs. user-assigned RBAC was | confusing at first, but now I am happy that I took the time | to understand it. Also the Azure cloud's handling of vaulted | passwords in log files (from services like Logic Apps) is | absolutely bad ass. | haswell wrote: | > Also the Azure cloud's handling of vaulted passwords in | log files (from services like Logic Apps) is absolutely bad | ass. | | This is particularly interesting to me.
Is there a good doc | page or blog post that you're aware of that covers these | capabilities? I'm curious and would love to learn more. | DangitBobby wrote: | What are your criticisms of Google secrets manager? It works | well for me, but it's the only one I've used so I don't know | much about the competition. | bsamuels wrote: | By far the biggest missing control is you can't restrict | access to google secrets manager by source CIDR. | | There were a bunch of other smaller nitpicks, but that was | the overwhelming reason last time I looked at it. | frenchman99 wrote: | Vault is open source, it looks like 1Password Secrets is closed | source. Not really comparable. Probably not aimed at the same | people. | drcongo wrote: | We use EnvKey [0], it's far friendlier to use than Vault and | very mature. My only dislike is the Electron based app, but I | so rarely have to open it that I can live with it. | | https://www.envkey.com | Ozzie_osman wrote: | Also a big fan of EnvKey here. We used them for over a year | but ended up moving to AWS parameter store as part of a wider | migration. Ability to self-host could have helped us stay on | there longer, we just didn't want external dependencies in | such a critical path. But otherwise, it served us well with | zero hiccups. | whycombagator wrote: | Still no option to self host. | | The founder of Envkey claimed they were working hard on V2 | and self hosting 1.5 years ago[0] so it's anyone's guess as | to why that's been delayed/isn't happening. | | [0] https://news.ycombinator.com/item?id=21226715 | danenania wrote: | Hi, I can assure you that it's very much still in the | works! It's taken much longer than we wanted or | anticipated, as we're addressing a lot more than just self- | hosting (though that's an important piece). But we're on | the home stretch. Stay tuned. | bombcar wrote: | The two you mentioned have ingrained business reasons to only | work with "their" ecosystem. 
You need someone from outside to | have an incentive to work with all. | stimur wrote: | [I work for 1Password] 1Password is not competing with Vault. | In fact we have very good relationships and mutual respect with | HashiCorp on many levels. | | Also Secrets Automation integrates (acts as a provider) with HC | Vault[0] | | 0: https://github.com/1Password/vault-plugin-secrets- | onepasswor... | bastijn wrote: | You also have options like https://www.doppler.com/. | macrael wrote: | 1Password is great software. I think I've finally switched over | to their more all-encompassing extension on Safari and I love it. | Glad to see them doing more, I am happy every time I use their | software. | thehermit wrote: | I've been deep in the k8s on raspberry pi's world recently and | ran across someone who was doing this with Bitwarden for their | personal setup. I use 1password as my password manager of choice | and was immediately trying to find ways to do something similar | using the 1password CLI, so this is very convenient timing. | Dedime wrote: | Why would anyone trust their passwords with closed source | software, when there are alternatives out there that are? | dmwallin wrote: | I trust their business incentives more than my ability to self- | host securely and I value the convenience more than the extra | cost. | Item_Boring wrote: | Because it works seamlessly on all of my devices and has done | so for years. Never encountered any issues and syncing happens | within seconds. | Dedime wrote: | I've been quite happy with KeePassXC / KeePass2Android and | syncing via Google Drive. | naosouumapessoa wrote: | Not sure about Android but, for iOS users, it makes no | sense trusting open source software. So, even if you choose | strongbox or keepassium as they're open source you're still | trusting some dude as you have no option to verify that the | iOS build is the same as the build on github.
| | This is why I prefer to give my password to a company like | Bitwarden and 1Password. At least, they have less incentive | to be malicious than random dude on the store. | anmipo wrote: | Bitwarden used to be a "random dude" project for quite a | while... | bombcar wrote: | Amusingly enough 1Password's main area of pain (for me) has | been integration with Safari itself. It's much better on | Chrome until you turn off Apple's password thing in Safari. | | It works great to have both enabled on iPhone/iPad however. | No idea why they can't fix the overlapping fields in Safari. | | https://1password.community/discussion/116898/in-big-sur- | saf... | 8fingerlouie wrote: | I purchased my first 1Password license when it was version 3, and | have faithfully upgraded to every standalone version ever since. | These days I'm not so sure I will be upgrading again (and I'm not | sure there will be more stand alone versions). | | The latest version is a mess on Big Sur, with unlock fields | obscuring input fields, conflicting with Apple's iCloud Keychain, | and just not working like I expect it to. | | Furthermore, stand-alone versions are buried deeper and deeper | behind a cloud service subscription that brings me absolutely no | value over what I already have, and adds the uncertainty of | having to synchronize my most secret secrets to a cloud service. | | While I can certainly forgive software errors, this has been | going on for so long that I'm beginning to suspect it's either a | strangler pattern to get people to switch to the cloud solution, | or it's death by a thousand cuts. | | In any case, I've begun evaluating alternatives. Bitwarden looks | promising (though nowhere as polished), is open source, and | allows me to synchronize to a service on my LAN. | | Password-store uses gpg and git that also allows me to | synchronize locally (though it leaks website names without the | vault extension which is not supported on iOS).
| | Finally I'm evaluating Yubico authenticator for 2FA codes and | just using iCloud Keychain for the rest. | Androider wrote: | I don't understand why people think it's some nefarious dark | pattern. It's perfectly clear, the old 1Password app is winding | down, the future is their hosted version. | | The only way to even download the app is if you already knew | about its existence before. It's not a dark pattern, it's just | directing people who sign up for 1Password today into their | actually supported product instead of the end-of-lifed one. | Your app will continue to work for some reasonable amount of | time until some version of macOS breaks it, then you can either | pick another one from numerous competitors or go with their | hosted version. Sounds to me like you'll need to look into the | alternatives given your requirements. It is what it is, no need | to attribute it to malice. | JimBlackwood wrote: | Just out of curiosity, as someone who selfhosts Bitwarden, how | is 1Password so much more polished? | | I've never used 1Pass. Just, I'm always amazed by how well | Bitwarden works and how there's not really features I'm | lacking. | hirvi74 wrote: | As someone who switched from 1Password to Bitwarden a year or | so ago, there are a few features I miss: | | 1. The ability to customize keybindings. | | 2. If I try to autofill a form field, and BW is locked, then | nothing happens. The same task in 1P will actually prompt me | to unlock 1P, then I am able to autofill the field. | | 3. If I create an account for a site not saved in BW, and BW is | locked, then I am not prompted to save the login. However, 1P | will prompt to unlock itself so that I may save the login. | Also, the prompt for saving logins rarely works for me using | BW, but worked rather well for me using 1P. | | 4. BW is not as keen as 1P for auto-filling various form | fields | | 5. I like storing software licenses, wi-fi passwords, bank | accounts, etc. in 1P vs. secure notes in BW. | | 6.
I am not a fan of BW's folders for organizing logins. | | 7. BW relies too heavily on mouse usage for my liking. I felt | that 1P had much better keyboard navigation. | | There are probably other things I am missing, but with all | that being said, I still have not left BW to return to 1P nor | do I plan to anytime soon. Though, I will admit I miss many | features from 1P still. | herrvogel- wrote: | Two things I miss in Bitwarden coming from 1Password are: | | 1. One shortcut for unlocking and auto filling. There is a | long open issue[1]. | | 2. Not needing to unlock the extension to add a new login | entry. 1Password just detects new logins even when the vault | is locked. | | Otherwise Bitwarden is really solid. | | [1] https://community.bitwarden.com/t/autofill-shortcut- | should-o... | dewey wrote: | You can disable the integration into the form fields. It's the | first thing I did as it never really worked. | azinman2 wrote: | I was hoping this was a way to automate changing my passwords. | That's something no password manager does, and it would be great if | I could rotate my hundreds of passwords on a regular basis. | haswell wrote: | LastPass has been auto-changing passwords for quite a while now | [0]. I am a 1Password user, but I've considered making the | switch to LastPass for this feature alone. | | - [0] http://blog.lastpass.com/2014/12/introducing-auto- | password-c... | azinman2 wrote: | Wow that's amazing. I had no idea that existed anywhere, let | alone for years now! Thanks for pointing that out... I wonder | how many sites now actively support that, how it works with | 2FA, etc. I have hundreds of passwords, many not from big | shops. Hopefully 'it just works' with these. ___________________________________________________________________ (page generated 2021-04-13 23:00 UTC)