[HN Gopher] 1Password Secrets Automation
       ___________________________________________________________________
        
       1Password Secrets Automation
        
       Author : srijan4
       Score  : 241 points
       Date   : 2021-04-13 15:52 UTC (7 hours ago)
        
 (HTM) web link (blog.1password.com)
 (TXT) w3m dump (blog.1password.com)
        
       | xoa wrote:
       | While this looks interesting, I'll admit I feel like there's been
       | a bit of drift from their bread and butter over the years since
       | they launched their cloud thing and started pushing hard towards
       | a subscription model. I chose them long ago specifically over
       | options like LastPass because I liked having a rich application
       | without internet dependency and their attention to detail and
       | features there, but it's been a while since it feels like it got
       | major new improvements vs the site. For example, while macOS and
       | Windows have supported smart cards and security tokens like
       | YubiKeys forever now, and I use them to login, unlock, authorize
       | sudo/SSH, etc every day, 1Password still has no support. There
       | are things that can now only be done through the web interface,
       | like finer grained control over permissions for shared vaults,
       | and some of those are also nastily locked away behind more
       | expensive subscriptions. I think everything should be manageable
       | through the application, without ever visiting the site.
       | Duplicate items across vaults remain completely manually managed,
       | when automating stuff like that is kind of the purpose of a
       | password manager. Etc. Heck, even within their own subscription
       | service I think they're missing a trick by not having more
       | powerful/flexible organization(including families) and inter-
       | organizational capabilities.
       | 
       | I still think 1Password is the best option for most people. I
       | specifically want my non-technical family and friends to use
       | password managers too as long as its necessary, and having some
       | multiperson capability is also key to that. I can't say though
       | that I feel like the move to subs has been a huge win in terms of
       | development.
       | 
       | Granted, I'm a little down on the whole field which colors things
       | a bit. Ultimately underlying my feelings is a touch of bitterness
       | that their entire industry even exists. Passwords and password
       | managers are mostly recreating public key auth really, really
       | badly and it stinks. Passwords and other symmetric tokens by
       | definition should never be shared. A website being hacked should
       | _never_ affect me in the slightest, in the same way that me
        | getting hacked doesn't somehow suddenly mean attackers now own
       | Debian/Apple/FreeBSD/Microsoft. Everywhere should just have
       | public keys. We've had the tech for decades and sufficient crypto
       | speed on client systems since at least AES-NI. What's been
       | missing has been glue and effort. It's frustrating every time a
       | hack happens. We shouldn't have to care! Sigh.
        
         | fastball wrote:
         | Very much agree.
         | 
         | My pet peeve at the moment is this[1], where they removed a
         | feature I very much like (TouchID in the standalone browser
         | extension) and still have yet to replace that functionality
         | despite many promises that it is just around the corner. It was
         | removed in August 2020.
         | 
         | Definitely feel like they've lost sight of why people chose
         | them in the first place, and stuff like this is certainly not
         | helping assuage my concerns.
         | 
         | [1] https://1password.community/discussion/115228/temporarily-
         | re...
        
           | 1cvmask wrote:
           | Did you ever look at a password manager like saas pass that
           | does not need a desktop app and the browser extension is a
           | full blown app that is protected by 2fa?
        
           | xoa wrote:
           | It's a fundamental concern I've always had with subscriptions
           | for non-entertainment services or trivially fungible goods.
           | I've become a big believer in business incentives and
           | feedback loops for sustainable commercial relationships.
           | Individual leadership and culture can stand against them to
           | some extent for a time, but individuals move on and it seems
           | that near inevitably over enough years organizations tend to
           | track and/or drift according to their incentives and
           | impactful feedback. In a traditional software upgrade model,
           | the default is that they get no money unless they can
           | convince people to upgrade each time. They make their money
           | from overcoming that default, and if people choose not to
           | upgrade that's the most core unignorable feedback for a
           | business that something isn't right. It doesn't guarantee
           | responsiveness or good choices, but it forces them to think
           | about it. From a customer perspective, not paying means the
           | status quo, they don't gain anything new but they lose
           | nothing either.
           | 
           | But with subscriptions it gets inverted. Now for the customer
           | failure to keep paying means losing existing functionality
           | and/or having to expend additional resources (money and time)
            | actively moving to something else. So rather than needing to
           | be convinced to give the company more money, it's more that
           | they need to be convinced not to.
           | 
           | There's a real difference between "a customer base that is
           | very happy" and "a customer base that is merely not irritated
           | enough _yet_ to overcome the inherent energy hump and go
            | looking for a new local minima" and I worry the subscription
           | business model makes that easier to ignore. Not that
           | companies can't in principle find out in other ways! They can
           | do detailed customer polling and so on. But that requires
           | active effort and expense by the company so the temptation
           | will always be to ignore it and follow inertia. This doesn't
           | require the slightest bit of active malice, just a break in
           | feedback loops resulting in drift as a company starts
           | pursuing things from its own tunnel vision. They then look
           | and see the money keep pouring in, so what's the problem? The
           | threat eventually becomes that if the energy barrier is
           | overcome and the stampede begins it's too late. It's a shame
           | to see happen to companies I really really like and have
           | great visions that could be even better.
        
             | yoz-y wrote:
             | There is a rub to this too however. In a pay to upgrade
             | model you are incentivised to stuff your application with
             | features and also need to support old versions indefinitely
             | if they have network components.
             | 
              | Granted in 1Password's case, their classic app would not have
             | stopped working without upgrades. And to my knowledge it
             | should also still work? I have since switched to the
             | subscription model but I have used the old paid app years
             | after they have switched models.
        
             | [deleted]
        
           | pudgeball wrote:
           | We very much agree that this is a pain point for those with
           | the extension. This feature brought users (and also all our
           | developers who rebuild... often...) a huge smile and
           | productivity boost, so removing it was not easy. We had some
           | fundamental issues that affected the way this feature worked
           | which pushed us to rework it. We wanted to share more news[1]
           | once we had some releases in the wild which recently
           | happened.
           | 
           | With a recent release[2] of 1Password for Linux and the
            | 1Password extension, the two can now communicate, allowing
           | you to use biometrics to unlock the extension and keep it
           | unlocked throughout your browsing sessions.
           | 
            | While this news doesn't unlock this ability right away for
            | you (because referencing TouchID I assume means you're a Mac
            | friend), we will be continuing to roll out over the coming
            | months to Windows and Mac.
           | 
           | [1] https://1password.community/discussion/comment/591579/#Co
           | mme...
           | 
           | [2] https://1password.community/discussion/119609/1password-
           | for-...
        
           | djrogers wrote:
           | Yeah, definitely taking them longer to get this back than
           | they'd planned. Fortunately the 'classic' extension for
           | chrome still exists and works.
        
             | lstamour wrote:
             | Link: https://support.1password.com/cs/1password-classic-
             | extension...
             | 
             | I prefer the above classic extensions for switching between
             | Chrome, Safari, Firefox and Edge all day and not having to
             | sign in more than once. Plus the better desktop app
             | integration, including the ability to opt-out of cloud
             | storage of passwords.
        
           | bwoodruff wrote:
           | Hi! I work for 1Password. We have this functionality
           | available in beta with our 1Password for Linux app. It will
           | be available on Mac and Windows in the not-too-distant
           | future, though I can't say more specifically when that will
           | be.
           | 
           | [1] https://1password.community/discussion/comment/591579/#Co
           | mme...
        
             | phnofive wrote:
             | Can you explain why this was removed, and why it was re-
             | introduced on a platform other than OS X (given that
             | biometric identifiers have become standard in Apple
             | hardware)?
        
         | rectang wrote:
         | > _I specifically want my non-technical family and friends to
         | use password managers_
         | 
         | I consider it a victory if I can get non-techies to use their
         | browser's facilities to store passwords, and then to choose
         | reasonably long passwords and avoid reuse.
         | 
         | (I use `pass`, myself.)
        
           | fiddlerwoaroof wrote:
           | I use a password manager but, as a mostly-Apple user, I see
           | very little reason not to just use iCloud Keychain: the UX of
           | Apple's solution is significantly better than all the
           | alternatives because I don't have to remember yet another
           | password/mfa token to type in every once in a while.
        
             | gen220 wrote:
             | Most password managers support auth with touchid/face id
             | these days, I believe.
             | 
             | The value prop if you're 100% on-Apple, and OK with this
             | fact, is hard to challenge. If you have some non-apple
             | devices that need passwords, that's where having a third-
             | party password service makes sense.
             | 
             | FWIW, I use `pass`, as a mostly-Apple person who also owns
             | a few linux devices and occasionally requires passwords
             | while `ssh`'d into servers.
        
             | Vvector wrote:
             | BitWarden ties into iCloud somehow. I unlock it with my
             | fingerprint.
        
               | stjohnswarts wrote:
               | I choose bitwarden because I like my passwords with a 3rd
               | party rather than the big guys google/apple/etc . It
               | works fine as both a desktop client and browser
               | extension.
        
               | [deleted]
        
             | trevorishere wrote:
             | I'd love to use a built-in service, but I need a service
             | that has a web UI + Windows support + sharing support for
             | family.
        
             | 8fingerlouie wrote:
             | > I use a password manager but, as a mostly-Apple user, I
             | see very little reason not to just use iCloud Keychain
             | 
             | Storing 2FA tokens is one thing iCloud Keychain cannot do
             | (yet ?), and it's the primary reason I use 1Password over
             | iCloud Keychain.
             | 
             | That being said, with Big Sur, 1Password changed its
             | default behavior from being unintrusive to literally
              | obscuring input fields with big "unlock 1Password"
              | pop-ups.
             | 
             | I'm currently evaluating using either Password-store or
             | Bitwarden with bitwarden_rs as a backend as I really don't
             | want my logins synchronized anywhere I don't control.
        
               | oarsinsync wrote:
               | > That being said, with Big Sur, 1Password changed its
               | default behavior from being unintrusive to literally
                | obscuring input fields with big "unlock 1Password"
                | pop-ups.
               | 
               | That's not a Big Sur thing, that's a 1Password thing
               | (I've not upgraded to Big Sur still).
        
               | fiddlerwoaroof wrote:
               | I think the fingerprint auth stuff Apple's working on
               | will replace MFA: as I understand it, in Safari, the
               | MacBook's Fingerprint sensor implements the same protocol
               | as a Yubikey or similar.
        
       | patwolf wrote:
       | This looks interesting. We use 1Password, and I always thought it
       | would be useful to programmatically pull values out and use in
       | our cloud infrastructure.
       | 
       | Currently we end up using the secret managers available in AWS or
       | GCP, which seems pretty half baked. In GCP, for example, secrets
       | are stored at a project level. It's not unusual to have certain
       | secrets that are needed by more than one project, which means
       | they get duplicated. The granularity also prevents me from
       | controlling which secrets are visible to a given user.
       | 
       | I'd love to have one centralized source of truth for all
       | infrastructure secrets.
        
         | hn_throwaway_99 wrote:
         | > The granularity also prevents me from controlling which
         | secrets are visible to a given user.
         | 
         | What do you mean by this? Each secret has a "Permissions" tab
         | which allows you to grant access to individual IAM users.
        
         | nops wrote:
         | https://www.vaultproject.io/
        
         | zomglings wrote:
         | My team uses 1Password to share account credentials, etc. When
         | we need to deploy secrets into production, we use AWS Systems
         | Manager Parameter Store.
         | 
         | The name is quite a mouthful, but we have found the service to
         | be awesome. We have a small Python script that loads a script
         | with environment variable definitions from the Parameter Store
         | and we use that as an EnvFile for our systemd services.
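The Parameter Store to EnvironmentFile step described in the comment above, as an added example (constructed here, not the commenter's script): it reads the direct children of one parameter path with boto3, quotes each value the way systemd's EnvironmentFile= parser expects, and writes the file atomically with mode 0600. The `/prod/api` prefix and the sample parameter names and values are constructed; boto3 is only imported when AWS is actually queried, so the quoting and file handling can be exercised offline.

```python
import os
import re
import sys
import tempfile
from typing import Dict, Optional

# systemd accepts shell-style names in EnvironmentFile= lines; anything else is refused.
_VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample of what get_parameters_by_path returns (Name -> decrypted Value).
# The second value deliberately contains characters ('"', '#', '\') that would
# corrupt a naively written KEY=value line.
SAMPLE_PARAMETERS: Dict[str, str] = {
    "/prod/api/API_TOKEN": "tok-123;not-a-comment",
    "/prod/api/DATABASE_URL": 'postgres://app:pa"ss#w\\rd@db/app',
}


def env_name_from_parameter(name: str, prefix: str) -> str:
    """Map '/prod/api/DATABASE_URL' under prefix '/prod/api' to 'DATABASE_URL'.

    Nested parameters ('/prod/api/db/URL') and leaves that are not valid
    variable names are rejected rather than silently mangled.
    """
    base = prefix.rstrip("/") + "/"
    if not name.startswith(base):
        raise ValueError(f"parameter {name!r} is outside prefix {prefix!r}")
    key = name[len(base):]
    if not _VALID_NAME.match(key):
        raise ValueError(f"{key!r} is not a valid environment variable name")
    return key


def quote_env_value(value: str) -> str:
    """Quote a value for an EnvironmentFile= line.

    systemd strips one level of double quotes and honours backslash escapes
    for '\\' and '"' inside them, so those two characters are escaped; '#'
    and ';' are literal inside the quotes.  Newlines are refused: a
    multi-line secret would otherwise terminate the assignment early.
    """
    if "\n" in value or "\r" in value:
        raise ValueError("newline in value; deliver it as a file, not a variable")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_env_file(params: Dict[str, str], prefix: str) -> str:
    """Build the EnvironmentFile text, one KEY="value" line per parameter."""
    lines = [
        f"{env_name_from_parameter(name, prefix)}={quote_env_value(value)}"
        for name, value in sorted(params.items())
    ]
    return "\n".join(lines) + "\n"


def fetch_parameters(prefix: str, region: Optional[str] = None) -> Dict[str, str]:
    """Read the direct children of prefix from SSM Parameter Store.

    boto3 is imported here so the rest of the module runs without AWS.
    WithDecryption=True is needed for SecureString values; the caller's role
    needs ssm:GetParametersByPath plus kms:Decrypt on the parameter's key.
    """
    import boto3  # assumption: boto3 installed and credentials configured

    ssm = boto3.client("ssm", region_name=region)
    params: Dict[str, str] = {}
    paginator = ssm.get_paginator("get_parameters_by_path")
    for page in paginator.paginate(Path=prefix, Recursive=False, WithDecryption=True):
        for p in page["Parameters"]:
            params[p["Name"]] = p["Value"]
    return params


def write_env_file(contents: str, path: str) -> int:
    """Write atomically with mode 0600 so other local users cannot read the
    secrets; returns the permission bits of the written file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".env-")  # created 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(contents)
        os.replace(tmp, path)  # readers see either the old file or the new one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    # Usage: python ssm_envfile.py /prod/api /etc/app/api.env
    prefix_arg, out_path = sys.argv[1], sys.argv[2]
    write_env_file(render_env_file(fetch_parameters(prefix_arg), prefix_arg), out_path)
```

The unit then references the file with `EnvironmentFile=/etc/app/api.env`, and the script can run from a timer or as an `ExecStartPre=` step so the service never holds AWS credentials itself.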
        
         | gingerlime wrote:
         | plugging envwarden[0] which is just a tiny open source wrapper
         | around the Bitwarden CLI to let you manage your server secrets
         | inside your password manager.
         | 
         | [0] https://github.com/envwarden/envwarden
        
         | outworlder wrote:
         | This is why we use Vault. Until recently, there was no good
         | option to host it, so you had to manage it.
         | 
         | It's good to have independent competition in this space.
        
           | Kudos wrote:
            | They're not competing with Vault, they see this as an
            | alternative for simpler use cases where Vault is overkill, or
            | a complementary product otherwise.
        
             | whazor wrote:
             | Also it would be cool to unlock the vault via 1password.
        
           | stimur wrote:
           | [I work for 1Password]
           | 
           | 1Password is not competing with Vault. In fact we have very
           | good relationships and mutual respect with HashiCorp on many
           | levels.
           | 
            | Also Secrets Automation integrates (acts as a provider) with
            | HC Vault[1].
           | 
           | 1. https://github.com/1Password/vault-plugin-secrets-
           | onepasswor...
        
       | spondyl wrote:
       | The article is a little light on details but this seems like a
       | cool addition to 1Password.
       | 
       | The op cli is alright but having to re-unlock it every 30 minutes
       | (plus I'm shell dumb so my session is nuked every new tab I open)
       | means there's quite a lot of friction compared to the desktop
       | version where I just double tap the side button on my Apple watch
       | 
       | I wonder if this could be a potential alternative in some
       | roundabout way
       | 
       | ---
       | 
       | Somewhat unrelated rant
       | 
       | I like 1Password and after having tried a whirlwind of password
       | managers, it's still the most seamless (plus having templates for
       | things like cards, licenses and so on is useful)
       | 
       | I don't even mind paying the relatively small subscription fee.
       | 
       | That said, in the same sense that you generally know you've
       | resigned months before you write the letter, I still remember
       | there was a forum thread where one of the employees was seemingly
       | user hostile.
       | 
       | On second thought, I don't even remember what it was about but I
       | remember the feeling of slight frustration. Not in the entitled
       | sense but the sense that there didn't feel like an attempt to
       | understand the concern from the other side.
       | 
       | Very vague but does anyone perhaps know what this event was
       | again? I want to say, something about supporting local vaults? I
       | dunno, that isn't even something I was concerned about.
        
         | alvarlagerlof wrote:
         | Probably about them not supporting personal hosting as well
         | anymore. I get that customers got angry, but as someone who
         | started using their product after that, with their hosting,
         | they have been nothing but nice and receptive to feedback.
        
       | bredren wrote:
        | Strange to see this. The product is a mess on macOS right now.
       | Support can't decide which extension to recommend.
       | 
       | Their messaging has been inconsistent, saying the browser will
       | integrate with the native client. But then also that the browser
       | only version is the future of the product.
       | 
       | This says nothing of the performance and UI problems the product
       | has faced. Recently it was so bad the company was telling people
       | to use the beta version.
       | 
       | I bought the legacy versions and switched to subscription last
       | year.
        
         | SirensOfTitan wrote:
         | If I were unfamiliar with 1Password, I'd imagine the product is
         | an absolute dumpster fire from your post.
         | 
         | In reality, the macOS and iOS clients work fine. I have a dozen
          | friends and family members using the product with no complaints
         | on those platforms. I surely haven't seen any performance or UI
         | problems that aren't worse on different services. Sure, there
         | is some current confusion between the use of the 1Password X
         | and classical browser extensions, but it's hardly "a mess."
        
           | bredren wrote:
           | The iOS app is stable and fine.
           | 
            | The macOS native / extension interaction and choice is a
           | mess.
           | 
           | From a UX perspective, the single most important thing the
           | product can do is interact with the browser effectively.
           | Embedded in this "feature" is that the product is stable, and
           | responsive in behavior.
           | 
           | If you go to the chrome web store, 1password extension page
           | and sort by recently updated, you'll see review after review
           | of 1-3 star, carefully explained problems with this product.
           | 
           | https://chrome.google.com/webstore/detail/1password-%E2%80%9.
           | ..
           | 
           | Regarding inconsistent messaging, their support is promising
           | they're working on native app integration but there is no
           | timeline for this.
           | 
           | That's why this news is kind of a bummer. The product that
           | I'm subscribed to is competing with this new product for
           | resources.
        
             | jackweirdy wrote:
             | There's also 2 native apps - if you install from the App
             | Store, you don't get all the same OTP features as an
             | install from the website download
        
           | dmart wrote:
           | I wouldn't say the product is a dumpster fire, but core
           | workflows are a mess. This is how you generate and save a
           | password for a new site:
           | 
            | 1) Extension button > Generate Password > Save & Copy
            | 2) After creating account, extension button again > select entry > Edit
            | 3) Click Save in opened modal
            | 4) Click Convert to Login in opened modal
            | 5) Click Edit in opened modal
            | 6) Manually type in the username/email you used on the site
            | 7) Click Save in opened modal
            | 8) Close the modal
           | 
           | And this (generating and storing passwords for new accounts)
           | is the main workflow of the product!
        
             | bredren wrote:
             | Yes, this convert to login only after the item being saved
             | makes little sense. It took a few times of catching the
             | button being shown to figure out the pattern of clicks
             | needed to do this fundamental aspect of what the product is
             | intended to do.
        
           | cloogshicer wrote:
           | Disagree. Currently the product IS a dumpster fire imo. On
           | macOS, half the time auto fill doesn't work. Saving a
           | password is very inconsistent. When you auto generate a
           | password, the least resistance UI workflow is to first save
           | and fill it - but then when you create the account it is
           | saved again, making it a duplicate. And don't get me started
           | on the Windows client - on my fast gaming PC it takes forever
           | just to unlock the vault.
           | 
           | I've cancelled my subscription and won't renew once it runs
           | out.
        
             | bredren wrote:
             | Yes the password save, something that should be the bread
             | and butter of UX is so awkward. It's painful.
        
       | dividedbyzero wrote:
       | Neat, seems it's available to people with a Family subscription,
       | too.
        
       | Dowwie wrote:
       | Is anyone familiar with the secure introduction workflow using
       | Hashicorp Vault? An orchestrator gets no more than a one-time use
       | "cubbyhole" introduction token for a service that it is
       | initializing. The initializing service uses the intro token to
       | get actual credentials and secrets from the Vault. The
       | orchestrator never touches any secrets: no secrets need to be
       | passed as env variables anymore. With this setup, the
       | person/service that seeds secrets into the Vault and the
       | introduced system that uses the secrets are the only two that may
       | ever touch them. Not sure how well this is actually documented
        | but I gleaned enough from docs and a tech talk to figure the
       | workflow out. It's pretty intuitive once you dig in.
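The secure-introduction flow described in the comment above, as an added example (constructed here, not HashiCorp's or the commenter's code): an in-memory stand-in for Vault's sys/wrapping endpoints, with the orchestrator and the introduced service written as separate functions so it is visible that only the single-use wrapping token ever crosses between them. It assumes the `auth/token/create` creation path the real server reports for a wrapped `vault token create`; the token format is constructed, and timestamps are passed explicitly so the TTL check can be exercised.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Any, Dict, Optional


class WrappingError(Exception):
    """Wrapping token unknown, expired, already consumed, or from the wrong path."""


@dataclass
class _Cubbyhole:
    payload: Dict[str, Any]
    creation_path: str
    creation_time: float
    ttl: int


class WrappingBroker:
    """Constructed stand-in for Vault's sys/wrapping/* endpoints.

    Each wrapping token maps to a private cubbyhole holding exactly one
    response; nobody but the holder of that token can read it, and reading
    it destroys the token.
    """

    def __init__(self) -> None:
        self._holes: Dict[str, _Cubbyhole] = {}

    def wrap(self, payload: Dict[str, Any], creation_path: str, ttl: int,
             now: Optional[float] = None) -> Dict[str, Any]:
        """Store payload and return wrap_info as the server would."""
        now = time.time() if now is None else now
        token = "hvs." + secrets.token_urlsafe(24)  # constructed token format
        self._holes[token] = _Cubbyhole(payload, creation_path, now, ttl)
        return {"token": token, "ttl": ttl, "creation_time": now,
                "creation_path": creation_path}

    def lookup(self, token: str, now: Optional[float] = None) -> Dict[str, Any]:
        """Like sys/wrapping/lookup: metadata only, the token is not consumed."""
        hole = self._live(token, now)
        return {"creation_path": hole.creation_path,
                "creation_time": hole.creation_time, "ttl": hole.ttl}

    def unwrap(self, token: str, now: Optional[float] = None) -> Dict[str, Any]:
        """Like sys/wrapping/unwrap: hand over the payload exactly once."""
        hole = self._live(token, now)
        del self._holes[token]  # single use: the wrapping token is revoked
        return hole.payload

    def _live(self, token: str, now: Optional[float]) -> _Cubbyhole:
        now = time.time() if now is None else now
        hole = self._holes.get(token)
        if hole is None:
            raise WrappingError("wrapping token unknown or already used")
        if now > hole.creation_time + hole.ttl:
            del self._holes[token]
            raise WrappingError("wrapping token expired")
        return hole


def orchestrator_introduce(broker: WrappingBroker, service_policy: str,
                           now: Optional[float] = None) -> str:
    """Orchestrator side (`vault token create -policy=<p> -wrap-ttl=60s`).

    The real token is created and wrapped in one server-side step; only the
    wrapping token comes back, so the orchestrator never sees the credential
    and nothing secret has to be passed through its environment.
    """
    real_token = {"client_token": "hvs." + secrets.token_urlsafe(24),
                  "policies": [service_policy]}
    wrap_info = broker.wrap(real_token, "auth/token/create", ttl=60, now=now)
    return wrap_info["token"]  # the only value handed to the new service


def service_bootstrap(broker: WrappingBroker, wrapping_token: str,
                      expected_path: str = "auth/token/create",
                      now: Optional[float] = None) -> Dict[str, Any]:
    """Service side: validate the wrapping token, then unwrap it once.

    Checking creation_path first guards against being handed a wrapped
    response from some other endpoint.  Any failure is treated as a possible
    interception: a single-use token that no longer unwraps was either
    consumed by someone else in transit or left to expire.
    """
    try:
        info = broker.lookup(wrapping_token, now)
        if info["creation_path"] != expected_path:
            raise WrappingError(f"unexpected creation_path {info['creation_path']!r}")
        return broker.unwrap(wrapping_token, now)
    except WrappingError as exc:
        # Alert and refuse to start; do not fall back to a static credential.
        raise WrappingError(f"secure introduction failed: {exc}") from exc


if __name__ == "__main__":
    vault = WrappingBroker()
    handoff = orchestrator_introduce(vault, "app-prod")
    creds = service_bootstrap(vault, handoff)
    print("service received policies", creds["policies"])
```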
        
         | madjam002 wrote:
         | Is this the same as seal wrapping that you are referring to?
         | Honestly Vault is one of the best pieces of software that I
         | have the joy of using, I use it on many projects small to
         | large.
        
           | Dowwie wrote:
           | Yes, precisely. Wrapped tokens and cubbyholes. Vault is
           | great. They put a ton of effort into it.
        
       | ShakataGaNai wrote:
       | This is very cool. I spent about 20 minutes playing with it and
       | was successful in setting it up and getting some janky python
       | code to work with it. The fact that it's a local sync daemon with
       | local API, is super smart. No worries about cloud outages.
       | 
       | Is Hashicorp vault "better"? Probably. However for groups that
       | don't have the time and resources for Vault, this is a great
       | first step. Much better than what most do which is no proper
       | secret storage.
        
         | jpgoldberg wrote:
          | Another reason for the local hosting is so that we (I work for
          | 1Password) are never in a position to acquire secrets that can
          | be used to decrypt your data.
        
       | microdrum wrote:
       | Hah. With the gimmicks, tricks, and dark patterns this company
        | has pulled with consumers, what are the chances professionals
       | would trust them with something like this?
        
         | Androider wrote:
         | The company is clearly focusing entirely on their SaaS version,
         | which just makes sense in this day and age. They provide the
         | stand-alone version for people who know about and want to
         | continue using it, but obviously they don't want to drive any
         | new users to this end-of-life product.
         | 
         | In my opinion, it's not a dark pattern, it's just softly
         | winding down the old app. That's not an unreasonable thing to
         | do. If you want a traditional app, there are other choices.
        
         | CodeIsTheEnd wrote:
         | To respond to some of the sibling comments:
         | 
         | 1Password originally operated on a licensing model, but has
         | since switched to a membership model.
         | 
         | It is still possible to purchase a single license, but they
         | make it _very difficult_ to do so. The option of a standalone
         | license is not mentioned anywhere on their pricing page:
         | https://1password.com/sign-up/
         | 
         | As I understand it, only once you have downloaded the app and
         | are logging in do they mention that standalone licenses are
         | available. (But, at least on Mac, this option is only available
         | on the version of the app downloaded directly from their site,
         | and not the version downloaded from the Mac App Store.) This
         | support thread shows some users' frustration with this, and
         | their support team's insistence on pushing users to the
         | subscription model:
         | https://1password.community/discussion/102412/where-do-i-buy...
         | 
         | I'm not entirely certain of the differences between the
         | subscription model and the standalone version, but I believe
         | the primary difference is that the subscription model will
         | automatically sync your passwords between multiple devices.
         | 
         | You can achieve similar functionality with the standalone
         | license version by storing your vault (1Password's password
         | file) in iCloud or Dropbox, and relying on that for syncing. I
         | use the Dropbox version and it works incredibly well, even on
         | iOS! I think they also support Google Drive for syncing on
         | desktop, but not on mobile. Certainly the syncing offered
         | through their subscription model is valuable, but for users who
          | have other options, it just doesn't make sense.
         | 
         | I gladly paid for a standalone license, and have purchased
         | licenses for my parents as gifts; the product is incredible.
         | The Chrome extension works great, and the app can be your 2FA
         | device, so it will automatically fill in password forms and
         | copy the 2FA code to your clipboard. It works just as well on
         | iOS too.
        
           | roustem wrote:
           | Thank you for your comment, @CodeIsTheEnd!
           | 
           | We always built 1Password for ourselves. It is so much easier
           | to develop a product that you use yourself every day.
           | 
           | I haven't used the standalone version of 1Password for over 5
           | years now. The same is true for pretty much everyone working
           | at 1Password.
           | 
           | Why? Because the service is much much better and more than
           | just simple syncing of data:
           | 
           | - Account recovery for family and business team members
           | 
           | - Easy sharing of passwords and documents
           | 
           | - Vault permissions
           | 
           | - Item history/automatic backups
           | 
           | - Free family accounts for businesses
           | 
           | - Travel mode
           | 
           | None of these features are possible without a server doing
           | its part.
           | 
            | Roustem, Founder of 1Password
        
             | tokamak-teapot wrote:
             | I'm a happy user of 1Password, and while I agree that it's
             | good to build a product for yourself, I'd also argue that
             | it's valuable to be keenly aware of where you - or your
             | employees - differ from your other users.
             | 
             | I pay yearly for a subscription and sync via 1Password.com
             | 
             | I don't pay a subscription because I think that it's
             | important or necessary to sync via 1Password.com, though.
             | I'd happily sync via Dropbox (though it sounds like that
             | has been broken for years and isn't getting fixed) or
             | iCloud.
             | 
             | I pay because I know it costs money to keep software
             | working nicely with its surrounding environment and to keep
             | it secure.
             | 
             | Apart from the item history - which I disagree needs a
              | server - the other features you list aren't of interest to
             | me. So while I'm a big fan of the product, and I might be
             | an outlier, I hope you're keeping a keen eye on your users'
             | motivations for starting or continuing to pay for
             | subscriptions.
        
             | ydant wrote:
             | There's a lot of comments everywhere expressing hate for
             | 1Password's change to a subscription model. Way more than
             | seem justified.
             | 
             | I'm not overjoyed at "having to" pay a subscription for a
             | password manager, but your points are good ones.
             | 
             | Paying you annually saves me and my family (four people) a
             | lot of time and energy in managing passwords, sharing
             | passwords, etc.
             | 
             | Just wanted to throw out one "+1" for the 1Password
             | subscription offering being a worthwhile expense from my
             | perspective.
             | 
             | I do wish you'd figure out the Chrome extensions on macOS,
             | though. I don't understand why I have to choose between
             | excellent browser integration OR more seamless integration
             | with the native app and fingerprint support in the browser
             | extension.
        
               | bwoodruff wrote:
               | > I do wish you'd figure out the Chrome extensions on
               | macOS, though. I don't understand why I have to choose
               | between excellent browser integration OR more seamless
               | integration with the native app and fingerprint support
               | in the browser extension.
               | 
               | We're efforting on that! Thanks for the feedback. We
               | currently have better integration with our 1Password for
               | Linux beta, and that will be rolling out to other
               | platforms as well.
               | 
               | - Ben, 1Password
        
               | ydant wrote:
               | Glad to hear!
               | 
               | I use 1Password for family and LastPass for work, and
               | vastly prefer 1Password's UI and feature set.
        
           | drcongo wrote:
           | I mentioned in my sibling comment about Dropbox sync being
           | hampered - since installing 1Password 7 my Dropbox synced
           | vaults never sync without me explicitly opening the app
           | settings and looking at the "Sync" option. It's like
           | Schrodinger's sync. My primary vault now syncs over iCloud
           | and is _much_ more reliable, but we use the Dropbox sync for
           | work.
        
         | chrisacky wrote:
         | Are you confusing this company with LastPass? I made the same
         | mistake until I realised they are entirely separate.
        
         | alpha_squared wrote:
         | I'm a subscriber, but unfamiliar with what you're referencing.
         | Do you mind sharing?
        
         | 1cvmask wrote:
         | What are the gimmicks, tricks and dark patterns you are
         | referring to?
        
         | wskinner wrote:
         | Care to elaborate?
        
         | jagger27 wrote:
         | I thought AgileBits was pretty well respected around here. What
         | dark patterns are you referring to?
        
           | dastx wrote:
           | I'm assuming he's referring to their beginnings of being a
           | mostly local password manager (iirc they also had a one-off
           | lifetime purchase), to forcing people to migrate to their
           | cloud only infrastructure with a relatively high subscription
           | price.
           | 
           | I'd never heard of 1Password before they were fully SaaS, but
           | as I understand it, some of the original users were pretty
           | upset with this move. Either way, I used to be a 1Password
           | customer, and their product, at least on the Mac, was the
           | most polished password manager.
        
             | bombcar wrote:
             | It's exactly this - the original switch to SaaS was a high
             | price to pay for basically what you already had if you had
             | local sync/dropbox setup.
             | 
             | They finally fixed many of the objections with the "family"
             | SaaS subscription and it just works and the price may be
             | "low enough" that I don't bother figuring out a way out of
             | it - but it is still pretty much the perfect example of
             | "locked in".
        
               | ssully wrote:
               | What do you mean by locked in? When I think of locked in,
               | I imagine it being hard to cancel and move to another
               | service. I switched to 1Password last year from LastPass
               | and the first thing I checked was the process for
               | exporting my data. It seemed on par with LastPass, which
               | was very simple, so I made the switch.
        
               | bombcar wrote:
               | That's the locked in - they have all your passwords and
               | (in theory) could make a change that makes it hard to
               | extract.
        
               | djrogers wrote:
               | Using the term 'locked in' to mean 'some day something
               | maybe might lock me in' is a huuuuuuge stretch. To the
               | point that I'd say you're wrong.
        
             | anaerobicover wrote:
             | Yes, this. I don't have any problem with paying for
             | updates, or even really a subscription. I have a problem
             | with their hard push to "use our cloud", burying the
             | abilities to not immediately create a cloud account, and
             | the way they respond to customers in their forums when they
             | ask about non-cloud options.
             | 
             | Ref: https://news.ycombinator.com/item?id=20417832
        
             | xoa wrote:
             | > _to forcing people to migrate to their cloud only
             | infrastructure ... fully SaaS_
             | 
             | A slight gentle correction. I criticize them elsewhere in
             | this thread, but in fairness I have to point out that this
             | isn't quite correct yet. It's still possible (though
             | they've buried it) to buy a standalone perpetual license
             | for the latest 1Password, run purely local vaults, or keep
             | syncing via Dropbox, iCloud, or manually over WLAN. There
             | isn't any hard tie to the 1Password.com service yet.
             | 
             | Perhaps they'll put the kibosh on that in the future. And
             | they can be and I will criticize them for not having better
             | local sync options, which they clearly stopped bothering
             | with in favor of their own cloud offering. But for the time
             | being I've still got a fully local 1Password 7 license that
             | works the same as every previous version.
        
               | umacontaparaohn wrote:
               | Well, until they intentionally break something like the
               | 1password4 integration with the browser extension. And
               | after asking why it broke they say: sorry you're out of
               | luck but here is a shining new subscription just for you.
               | 
               | Now you're forced to buy the new version just for the
               | integration that has always worked fine.
        
             | wferrell wrote:
             | What did you switch to if you stopped using 1Password?
        
               | dastx wrote:
               | Bitwarden. One of the big reasons for doing so was
               | because when I left my company, they took my Mac away
               | from me, so I invested in a new laptop, for me there was
               | no way I was going for Windows or Mac. So Linux it is.
               | 1Password at the time had extremely poor support for
               | Linux - no desktop client, their 1PasswordX was missing a
               | lot of features and was super slow too.
               | 
               | I switched to Bitwarden because it's open source, and
               | because they have a good enough Linux client. Their
               | browser extension and desktop client doesn't come close
               | to what 1Password provided on Mac, but it does the job.
               | 
               | Bitwarden isn't without its issues, but at $10 a year,
               | and its open source nature, it's worth every penny and
               | then some.
        
               | philsnow wrote:
               | You can self-host this unofficial version
               | https://github.com/dani-garcia/bitwarden_rs if you
               | prefer. maybe not worth $10/month of your time amortized
               | to set up, but it has been fire-and-forget for me.
               | 
               | My kids have started accumulating more passwords than
               | they can memorize (and their memorized passwords were
               | terrible), so I wanted a family password manager. I
               | considered using "1password for families" which I have
               | access to for free from my day job, but if/when I leave
               | the company then I'll have to go back to paying for it.
               | So far I greatly prefer the experience of bitwarden over
               | 1password. I use the web vault, the native mac app, and
               | the linux command line app (through a janky homegrown
               | dmenu/xclip shell script), and I have no complaints at
               | all.
        
               | [deleted]
        
               | dteare wrote:
               | Thanks for sharing. I'm sorry it took us so long to
               | release a native Linux app. We have a great app for Linux
               | now in beta and will move it to an official release
               | shortly.
               | 
               | https://blog.1password.com/1password-for-linux-beta-is-
               | now-o...
               | 
               | I hope you can give us another chance.
               | 
               | --Dave 1Password Founder
        
               | seppin wrote:
               | Hi Dave. I understand that subscription is your future no
               | matter what, but please don't cut off options for stand
               | alone licenses and local syncing.
        
             | ruph123 wrote:
             | I used 1Password for a long time. When they shifted to the
             | SaaS model I left angrily. Over time I tried out several
             | other programs such as Enpass (came close to the original
             | 1pw), keepass varieties, Bitwarden but found myself back at
             | 1Password this year. One big thing, which funny enough is
             | another dark pattern I guess, is the family account
             | feature. It allows me to take family members on and we can
             | share certain passwords and I think even help recover an
             | account. This is also important because 1PW is the easiest
             | to use password manager and my mom was really
             | struggling with Enpass.
        
               | npunt wrote:
               | A new feature that adds value is not a 'dark pattern'.
               | Let's not be dramatic.
               | 
               | Even moving from one-time to subscription isn't a 'dark
               | pattern', it's a business model move to shift to recurring
               | revenue, which we know is something that businesses need
               | to keep the lights on. You can debate the merits of it,
               | but it's not a dark pattern in and of itself. HOW they
               | execute that might be, but the change itself isn't. You
               | just have a personal preference to not want to pay for it
               | in a particular way.
        
               | ruph123 wrote:
               | > A new feature that adds value is not a 'dark pattern'.
               | Let's not be dramatic.
               | 
               | Family plans are in my eyes. They lock users more into the
               | platform and make it very difficult to switch. If you
               | want to move away from Spotify, you now have to convince
               | enough of the others to make it feasible.
               | 
               | > Even moving from one-time to subscription isn't a 'dark
               | pattern'
               | 
               | I did not claim that it was one. I also was not even mad
               | about recurring payments, to me the problematic change
               | was that the data was now hosted on some other machine
               | owned by the company who is producing the software (e.g.
               | in theory single point of entry).
        
               | [deleted]
        
         | varikin wrote:
         | What gimmicks, tricks, and dark patterns are you referring to?
         | 
         | I've been using 1Password for my personal accounts for probably
         | close to 10 years and have been happy with it. There are some
         | things I feel are clunky, but I've never felt like I was being
         | tricked or deceived by the company.
        
           | paxys wrote:
           | "It used to be free but now you have to pay" is really the
           | only dark pattern they are guilty of.
        
             | selykg wrote:
             | To be clear, 1Password has never really been "free." It has
             | always been a paid product. Aside from the mobile apps
             | being made free with limited features, it was previously a
             | paid app, then with the massive push to 1Password's service
             | they made it a lot less free and back to paid again.
             | 
             | If you really want to complain... complain about how they
             | keep pushing for their subscription, making it harder and
             | harder to find a one time purchase.
             | 
             | Or their massive issues with multiple browser extensions
             | that are a complete mess for the average person.
             | 
             | Or how their usability has decreased substantially.
             | 
             | Or how they're less a consumer product and more a business
             | product these days.
        
             | varikin wrote:
             | I don't think it was ever free. It went from standalone
             | licenses to SaaS, but it was always a paid product.
        
             | umacontaparaohn wrote:
             | Where is your source about it being free?
             | 
             | As far as I remember, I've paid for several versions and
             | upgrades until they forced their crappy subscription
             | service on us.
             | 
             | Not sure about OP but I can see a clear dark pattern by
             | hiding the non subscription option to the point where I had
             | to google how to acquire one. At this point I simply gave
             | up and chose another option.
             | 
             | If I have to pay yearly at least bitwarden gives me fair
             | price and comparable service. Maybe 1pass is better than
             | bitwarden but it's certainly not 4x better.
        
             | MrFoof wrote:
             | I think I'd better describe it as, "It used to be a one-
             | time charge for a license, but now you need to have a
             | subscription."
             | 
             | You can still get stand-alone licenses, but they do
             | suppress that. Part of that I believe is not running afoul
             | of App Store rules, and also because most people are
             | finding it via the iOS and Mac app stores.
             | 
             | I'm still using standalone licenses quite happily, and have
             | no issue with buying new licenses when major versions get
             | bumped.
        
         | drcongo wrote:
         | This is getting a lot of downvotes, but I agree with it to a
         | certain degree. Have a look through the Agile Bits support
         | forums and you'll find all the dark patterns you want - the
         | most famous being their hiding of buy outright options to push
         | you to subscription, and the crippling of Dropbox sync to try
         | to push you to their proprietary sync service. I've used
         | 1Password for well over a decade, but a lot of their tactics in
         | the last couple of years left a real sour taste and prompted me
         | to try out every alternative available. Luckily for Agile Bits,
         | the alternatives are all appalling.
        
       | cheerupplease wrote:
       | I've never commented on a HN post, but finally you've all got to
       | me.
       | 
       | Why are people mostly commenting moaning about something
       | completely different to what the article is about? Fine, I get
       | it, you don't like 1Password's tactics regarding subscription
       | models. But this is about infrastructure secret management. It's
       | the same with Google Cloud announcements "hOw LoNg UnTiL tHeY
       | dEprEcAtE iT???" ... boooooooring
        
         | jpeeler wrote:
         | I've found that HN often chats about something only
         | tangentially related to the article. And I think it's actually
         | part of the culture here. But I agree that when you are
         | passionate about a given topic it is a bit of a letdown when
         | the comments are not directly about the article.
         | 
         | Note that we've both commented on something different from the
         | article in this case.
        
           | cheerupplease wrote:
           | Yes, the irony wasn't lost on me haha!
           | 
           | I do like using 1Password, it does make life a bit easier,
           | and I'm grateful for its existence.
           | 
           | I think this is an interesting offering and will take it for
           | a spin soon!
        
         | ggm wrote:
         | Good comment. I disliked the 1P subscription model and moved to
         | paying bitwarden for personal use but I use 1P for work and it's
         | a perfectly cromulent functional system, and works well.
         | 
         | Secrets management for network systems has been an issue since
         | before kerberos. Having different models, isolating secrets
         | from the repo and deployment codebase into a 3rd party module
         | is one of the rational choices.
         | 
         | I would want to understand a secure secret import and export
         | model, much as for an HSM you want to know how to move shrouded
         | keys (if it's not in FIPS mode, I guess)
        
           | cheerupplease wrote:
           | Thanks! It seems I started using 1Password after its model
           | changed, so I've never had to really think about it, but I
           | can appreciate the frustration.
           | 
           | I'm happy to just have another offering in the world of
           | secrets management
        
       | bsamuels wrote:
       | Here's to hoping there's finally a Hashicorp Vault competitor.
       | It's shocking that the only mature option for runtime secret
       | delivery is Vault after all these years.
       | 
       | Some companies have created 'competitors', but they aren't even
       | remotely mature (google secrets manager, aws secret manager, etc)
        
         | w0m wrote:
         | I've had good luck with Azure KeyVault.
        
           | trevorishere wrote:
           | KeyVault is ideal when combined with Managed Identities. I
           | would not leverage any service that required a connection
           | string to access a secret.
        
           | brianhorakh wrote:
           | Ditto. The managed service provider VS user assigned rbac was
           | confusing at first, but now I am happy that I took the time
           | to understand it. Also the Azure cloud's handling of vaulted
           | passwords in log files (from services like Logic Apps) is
           | absolutely bad ass.
        
             | haswell wrote:
             | > Also the Azure cloud's handling of vaulted passwords in
             | log files (from services like Logic Apps) is absolutely bad
             | ass.
             | 
             | This is particularly interesting to me. Is there a good doc
             | page or blog post that you're aware of that covers these
             | capabilities? I'm curious and would love to learn more.
        
         | DangitBobby wrote:
         | What are your criticisms of Google secrets manager? It works
         | well for me, but it's the only one I've used so I don't know
         | much about the competition.
        
           | bsamuels wrote:
           | By far the biggest missing control is you can't restrict
           | access to google secrets manager by source CIDR.
           | 
           | There were a bunch of other smaller nitpicks, but that was
           | the overwhelming reason last time I looked at it.
        
         | frenchman99 wrote:
         | Vault is open source, it looks like 1Password Secrets is closed
         | source. Not really comparable. Probably not aimed at the same
         | people.
        
         | drcongo wrote:
         | We use EnvKey [0], it's far friendlier to use than Vault and
         | very mature. My only dislike is the Electron based app, but I
         | so rarely have to open it that I can live with it.
         | 
         | https://www.envkey.com
        
           | Ozzie_osman wrote:
           | Also a big fan of EnvKey here. We used them for over a year
           | but ended up moving to AWS parameter store as part of a wider
           | migration. Ability to self-host could have helped us stay on
           | there longer, we just didn't want external dependencies in
           | such a critical path. But otherwise, it served us well with
           | zero hiccups.
        
           | whycombagator wrote:
           | Still no option to self host.
           | 
           | The founder of Envkey claimed they were working hard on V2
           | and self hosting 1.5 years ago[0] so it's anyone's guess as
           | to why that's been delayed/isn't happening.
           | 
           | [0] https://news.ycombinator.com/item?id=21226715
        
             | danenania wrote:
             | Hi, I can assure you that it's very much still in the
             | works! It's taken much longer than we wanted or
             | anticipated, as we're addressing a lot more than just self-
             | hosting (though that's an important piece). But we're on
             | the home stretch. Stay tuned.
        
         | bombcar wrote:
         | The two you mentioned have ingrained business reasons to only
         | work with "their" ecosystem. You need someone from outside to
         | have an incentive to work with all.
        
         | stimur wrote:
         | [I work for 1Password] 1Password is not competing with Vault.
         | In fact we have very good relationships and mutual respect with
         | HashiCorp on many levels.
         | 
         | Also Secrets Automation integrates (acts as a provider) with HC
         | Vault[0]
         | 
         | 0: https://github.com/1Password/vault-plugin-secrets-
         | onepasswor...
        
         | bastijn wrote:
         | You also have options like https://www.doppler.com/.
        
       | macrael wrote:
       | 1Password is great software. I think I've finally switched over
       | to their more all-encompassing extension on Safari and I love it.
       | Glad to see them doing more, I am happy every time I use their
       | software.
        
       | thehermit wrote:
       | I've been deep in the k8s on raspberry pi's world recently and
       | ran across someone who was doing this with Bitwarden for their
       | personal setup. I use 1password as my password manager of choice
       | and was immediately trying to find ways to do something similar
       | using the 1password CLI, so this is very convenient timing.
        
       | Dedime wrote:
       | Why would anyone trust their passwords with closed source
       | software, when there are alternatives out there that are?
        
         | dmwallin wrote:
         | I trust their business incentives more than my ability to self-
         | host securely and I value the convenience more than the extra
         | cost.
        
         | Item_Boring wrote:
         | Because it works seamlessly on all of my devices and has done
         | so for years. Never encountered any issues and syncing happens
         | within seconds.
        
           | Dedime wrote:
           | I've been quite happy with KeePassXC / KeePass2Android and
           | syncing via Google Drive.
        
             | naosouumapessoa wrote:
             | Not sure about Android but, for iOS users, it makes no
             | sense trusting open source software. So, even if you choose
             | strongbox or keepassium as they're open source you're still
             | trusting some dude as you have no option to verify that the
             | iOS build is the same as the build on github.
             | 
             | This is why I prefer to give my password to a company like
             | Bitwarden and 1Password. At least, they have less incentive
             | to be malicious than random dude on the store.
        
               | anmipo wrote:
               | Bitwarden used to be a "random dude" project for quite a
               | while...
        
           | bombcar wrote:
           | Amusingly enough 1Password's main area of pain (for me) has
           | been integration with Safari itself. It's much better on
           | Chrome until you turn off Apple's password thing in Safari.
           | 
           | It works great to have both enabled on iPhone/iPad however.
           | No idea why they can't fix the overlapping fields in Safari.
           | 
           | https://1password.community/discussion/116898/in-big-sur-
           | saf...
        
       | 8fingerlouie wrote:
       | I purchased my first 1Password license when it was version 3, and
       | have faithfully upgraded to every standalone version ever since.
       | These days I'm not so sure I will be upgrading again (and I'm not
       | sure there will be more stand alone versions).
       | 
       | The latest version is a mess on Big Sur, with unlock fields
       | obscuring input fields, conflicting with Apple's iCloud Keychain,
       | and just not working like I expect it to.
       | 
       | Furthermore, stand-alone versions are buried deeper and deeper
       | behind a cloud service subscription that brings me absolutely no
       | value over what I already have, and adds the uncertainty of
       | having to synchronize my most secret secrets to a cloud service.
       | 
       | While I can certainly forgive software errors, this has been
       | going on for so long that I'm beginning to suspect it's either a
       | strangler pattern to get people to switch to the cloud solution,
       | or it's death by a thousand cuts.
       | 
       | In any case, I've begun evaluating alternatives. Bitwarden looks
       | promising (though nowhere as polished), is open source, and
       | allows me to synchronize to a service on my LAN.
       | 
       | Password-store uses gpg and git that also allows me to
       | synchronize locally (though it leaks website names without the
       | vault extension which is not supported on iOS).
       | 
       | Finally I'm evaluating Yubico authenticator for 2FA codes and
       | just using iCloud Keychain for the rest.
        
         | Androider wrote:
         | I don't understand why people think it's some nefarious dark
         | pattern. It's perfectly clear, the old 1Password app is winding
         | down, the future is their hosted version.
         | 
         | The only way to even download the app is if you already knew
         | about its existence before. It's not a dark pattern, it's just
         | directing people who sign up for 1Password today into their
         | actually supported product instead of the end-of-lifed one.
         | Your app will continue to work for some reasonable amount of
         | time until some version of macOS breaks it, then you can either
         | pick another one from numerous competitors or go with their
         | hosted version. Sounds to me like you'll need to look into the
         | alternatives given your requirements. It is what it is, no need
         | to attribute it to malice.
        
         | JimBlackwood wrote:
         | Just out of curiosity, as someone who selfhosts Bitwarden, how
         | is 1Password so much more polished?
         | 
         | I've never used 1Pass. Just, I'm always amazed by how well
         | Bitwarden works and how there's not really features I'm
         | lacking.
        
           | hirvi74 wrote:
           | As someone who switched from 1Password to Bitwarden a year or
           | so ago, there are a few features I miss:
           | 
           | 1. The ability to customize keybindings.
           | 
           | 2. If I try to autofill a form field, and BW is locked, then
           | nothing happens. The same task in 1P will actually prompt me
           | to unlock 1P, then I am able to autofill the field.
           | 
           | 3. If I create an account for a site not saved in BW, and BW is
           | locked, then I am not prompted to save the login. However, 1P
           | will prompt to unlock itself so that I may save the login.
           | Also, the prompt for saving logins rarely works for me using
           | BW, but worked rather well for me using 1P.
           | 
           | 4. BW is not as keen as 1P for auto-filling various form
           | fields
           | 
           | 5. I like storing software licenses, wi-fi passwords, bank
           | accounts, etc. in 1P vs. secure notes in BW.
           | 
           | 6. I am not a fan of BW's folders for organizing logins.
           | 
           | 7. BW relies too heavily on mouse usage for my liking. I felt
           | that 1P had much better keyboard navigation.
           | 
           | There are probably other things I am missing, but with all
           | that being said, I still have not left BW to return to 1P nor
           | do I plan to anytime soon. Though, I will admit I miss many
           | features from 1P still.
        
           | herrvogel- wrote:
           | Two things I miss in Bitwarden coming from 1Password are:
           | 
           | 1. One shortcut for unlocking and auto filling. There is a
           | long open issue[1].
           | 
           | 2. Not needing to unlock the extension to add a new login
           | entry. 1Password just detects new logins even when the vault
           | is locked.
           | 
           | Otherwise Bitwarden is really solid.
           | 
           | [1] https://community.bitwarden.com/t/autofill-shortcut-
           | should-o...
        
         | dewey wrote:
         | You can disable the integration into the form fields. It's the
         | first thing I did as it never really worked.
        
       | azinman2 wrote:
       | I was hoping this was a way to automate changing my passwords.
       | That's something no password manager does, and it would be great
       | if I could rotate my hundreds of passwords on a regular basis.
        
         | haswell wrote:
         | LastPass has been auto-changing passwords for quite a while now
         | [0]. I am a 1Password user, but I've considered making the
         | switch to LastPass for this feature alone.
         | 
         | - [0] http://blog.lastpass.com/2014/12/introducing-auto-
         | password-c...
        
           | azinman2 wrote:
           | Wow that's amazing. I had no idea that existed anywhere, let
           | alone for years now! Thanks for pointing that out... I wonder
           | how many sites now actively support that, how it works with
           | 2FA, etc. I have hundreds of passwords, many not from big
           | shops. Hopefully 'it just works' with these.
        
       ___________________________________________________________________
       (page generated 2021-04-13 23:00 UTC)