Isn’t this whole argument that because 1Password is not open source it is less private / secure and therefore should be removed one big appeal to probability? Sure its possible that because the source is not open that there could be something nefarious going on but it does not mean its likely, let alone true.
Shouldn’t the PG standard for removing a recommended tool or changing a criterion be more evidence based?
It’s not really implying there’s anything wrong with 1Password or that closed source software is necessarily less secure or anything. But with so many options that already meet the criteria we can afford to be a bit pickier. Also tbh, having to give payment information to use it at all isn’t great privacy-wise so that might also be a requirement to think about, letting you use it for free.
Don’t you find it a little silly to say this and still want to remove 1Password as a tool? Nobody seems to have anything negative to say about the tool, and there is no evidence to point to anything negative. There does not seem to be much of a reason at all to revisit this conversation.
When did four options become “so many options”? There are 4 cloud-based password manager recommendations. I think counting cloud-based and local storage as the same is a mistake. They appeal to different types of users.
If we are just getting rid of things because there are too many recommendations, there are whole sections of PG that, to me, are less important than password managers.
In my mind, password managers are one of the best things new users can do to start their privacy journey and we should be aiming for an abundance of good options so that it appeals to as many users as possible.
The main idea is not to eliminate 1Password because it lacks privacy or is a poor product, but rather to add a criterion that recommended password managers should be open source. This would necessitate removing 1Password, along with Strongbox, if Privacy Guides wants to maintain consistency.
Let me clarify: I personally use 1Password and it has a strong track record and numerous audits that few password managers can match. However, since we have already established the open-source requirement for less privacy-sensitive tools (like note-taking applications or office-suites), we should absolutely apply the same standard to password managers. There are enough alternatives that match this criterion.
Does any of what you said go against the criteria as currently constructed? No.
Should we be removing a tool based on criteria that has not been approved? No.
It seems like this is a cart before the horse conversation. People seem to want to remove 1Password based on a set of criteria that is not used yet. Go get that approved and then revisit this.
Get this criteria approved, then let’s revisit this. For now, that’s irrelevant. This is a thread to remove 1Password, not to change the criteria. Please see
Considering this thread is for 1Password, I don’t get why some people want it to be open source as a mandatory criterion.
1Password has the most security audits completed and they have active bug bounty programs. Bitwarden has fewer audits compared to 1Password, and Proton Pass has only one audit report.
Maybe some of you are expert software devs but the majority of people have little or no software development skill and depend on these security audits to see if an app can be trusted or not.
1Password won’t close down its doors anytime soon, and has much more funding than Bitwarden and maybe Proton itself.
The app itself is also more polished and has much better UI and features compared to Bitwarden and especially Proton Pass.
IMHO asking 1Password to be removed from PG just because they are not open source is not making any sense.
I agree with you. My point being a whole world of audits and other stuff cannot guarantee safe code or make 1Password a better recommendation. Security is not the discussion in this thread. But your original comment was “1Password has the most” as if that is supposed to make it better than others.
A compiled list of reasons why 1Password shouldn’t be listed:
Both the backend and the frontend are proprietary.
Can only create email aliases with Fastmail, which is a paid service, so people are forced into another subscription. Which is intentional because you get 25% off when signing up for Fastmail using the link provided by 1Password.
Embeds tracking pixels in its newsletters.
No free plan.
Doesn’t have any private payment methods.
Has received $1 billion in VC funding.
The app is only available on the Google Play Store.
QR scanning doesn’t work without Google Play Services.
Security key functionality is also dependent on Google Play Services, which isn’t the case with Bitwarden.
It’s more expensive than both Proton Pass and Bitwarden while not providing any built-in aliasing like Proton Pass.
Audits are completely overrated. The benefits of a group unfamiliar with the code spending a short time doing a shallow review once a year are just criminally overrated. Your audit can also be made useless after one bad update.
If the code was open source, anyone would be free to audit or work with it anytime they want and for however long they want.
To be fair, none of the arguments mentioned justify the removal of 1Password based on the current minimum requirements. In fact, some of these arguments also apply to other services listed in the recommendations.
Did SimpleX receive a billion? SimpleX is also a messenger, not a password manager and here is why that matters:
Password managers don’t have a lot of innovation left in them and the only saving grace behind Bitwarden is its open-source nature. Password managers are a fire-and-forget kind of software. You never even open a password manager except to unlock it. The only real use case of a password manager is to, well, manage your passwords. That’s it.