Remove 1Password

Isn’t this whole argument that because 1Password is not open source it is less private / secure and therefore should be removed one big appeal to probability? Sure, it’s possible that because the source is not open there could be something nefarious going on, but it does not mean it’s likely, let alone true.

Shouldn’t the PG standard for removing a recommended tool or changing a criterion be more evidence based?

1 Like

It’s not really implying there’s anything wrong with 1Password or that closed source software is necessarily less secure or anything. But with so many options that already meet the criteria we can afford to be a bit pickier. Also tbh, having to give payment information to use it at all isn’t great privacy-wise so that might also be a requirement to think about, letting you use it for free.

6 Likes

Don’t you find it a little silly to say this and still want to remove 1Password as a tool? Nobody seems to have anything negative to say about the tool, and there is no evidence to point to anything negative. There does not seem to be much of a reason at all to revisit this conversation.

When did four options become “so many options”? There are 4 cloud-based password manager recommendations. I think counting cloud-based and local storage as the same is a mistake. They appeal to different types of users.

If we are just getting rid of things because there are too many recommendations, there are whole sections of PG that, to me, are less important than password managers.

In my mind, password managers are one of the best things a new user can do to start their privacy journey, and we should be aiming for an abundance of good options so that it appeals to as many users as possible.

3 Likes

1Password:

  • Both the client and the server code are proprietary.
  • Can’t be self-hosted.
  • Doesn’t offer any private payment methods.
  • Embeds tracking pixels in their newsletters.
  • More expensive than Proton Pass and Bitwarden.
  • Doesn’t even have an integration with SimpleLogin or addy.io, only with Fastmail.
  • Has received 1 billion in VC funding.
  • No free tier.

6 Likes

Does have integration with privacy(.)com

The main idea is not to eliminate 1Password because it lacks privacy or is a poor product, but rather to add a criterion that recommended password managers should be open source. This would necessitate removing 1Password, along with Strongbox, if Privacy Guides wants to maintain consistency.

Let me clarify: I personally use 1Password and it has a strong track record and numerous audits that few password managers can match. However, since we have already established the open-source requirement for less privacy-sensitive tools (like note-taking applications or office suites), we should absolutely apply the same standard to password managers. There are enough alternatives that match this criterion.

1 Like

Does any of what you said go against the criteria as currently constructed? No.

Should we be removing a tool based on criteria that have not been approved? No.

It seems like this is a cart-before-the-horse conversation. People seem to want to remove 1Password based on a set of criteria that is not used yet. Go get that approved and then revisit this.

Get these criteria approved, then let’s revisit this. For now, that’s irrelevant. This is a thread to remove 1Password, not to change the criteria. Please see

1 Like

It’s a US-only service.

1 Like

Considering this thread is for 1Password, I don’t get why some people want open source as a mandatory criterion.

1Password has the most security audits completed and they have active bug bounty programs. Bitwarden has fewer audits compared to 1Password, and Proton Pass has only one audit report.

Maybe some of you are expert software devs, but the majority of people have little or no software development skills and depend on these security audits to see if an app can be trusted or not.

1Password won’t close its doors anytime soon, and it has much more funding than Bitwarden and maybe even Proton itself.

The app itself is also more polished and has a much better UI and features compared to Bitwarden and especially Proton Pass.

IMHO, asking for 1Password to be removed from PG just because they are not open source does not make any sense.

2 Likes

This is already patched, yes? Is it 1Password’s problem that users are not updating their apps?

A compiled list of reasons why 1Password shouldn’t be listed:

  • Both the backend and the frontend are proprietary.
  • Can only create email aliases with Fastmail, which is a paid service, so people are forced into another subscription. Which is intentional, because you get 25% off when signing up for Fastmail using the link provided by 1Password :slight_smile:
  • Embeds tracking pixels in its newsletters.
  • No free plan.
  • Doesn’t have any private payment methods.
  • Has received $1 billion in VC funding.
  • The app is only available on the Google Play Store.
  • QR scanning doesn’t work without Google Play Services.
  • Security key functionality is also dependent on Google Play Services, which isn’t the case with Bitwarden.
  • It’s more expensive than both Proton Pass and Bitwarden while not providing any built-in aliasing like Proton Pass.

Audits are completely overrated. The benefits of a group unfamiliar with the code spending a short time doing a shallow review once a year are just criminally overrated. Your audit can also be made useless after one bad update.

If the code was open source, anyone would be free to audit or work with it anytime they want and for however long they want.

5 Likes

To be fair, none of the arguments mentioned justify the removal of 1Password based on the current minimum requirements. In fact, some of these arguments also apply to other services listed in the recommendations.

2 Likes

The suggestion has basically been rejected twice now. Thread should be closed.

4 Likes

One can find a lot of password managers meeting those minimum requirements, but that doesn’t mean that all of them should be listed.

I don’t see VC funding as a problem, plenty of good projects like SimpleX Chat have VC funding.

Did SimpleX receive a billion? SimpleX is also a messenger, not a password manager and here is why that matters:

Password managers don’t have a lot of innovation left in them and the only saving grace behind Bitwarden is its open-source nature. Password managers are a fire-and-forget kind of software. You never even open a password manager except to unlock it. The only real use case of a password manager is to, well, manage your passwords. That’s it.

2 Likes

That article describes problems, sure, but doesn’t offer solutions. It’s clickbait. Their recommendation is to use an inferior product in terms of UX (KeePass), find other alternatives in a few years (didn’t mention any), or build your own (that’s hardly advice).

Regardless of whether you like them or not, those are solutions. I personally think the “build your own solution” makes a lot of sense coming from a startup like Notesnook. Building a product to address a personal need which they felt could help others is exactly what they’ve done. Why not start a business building a new password manager if there genuinely is an opening in the market?

Maybe if someone makes a product that completely blows 1Password out of the water in all aspects including UI/UX, being open-source, advanced aliasing functionality, and some new USP then 1Password will finally stop being recommended. :slightly_smiling_face:

There is not a real need for a new password manager in the market. First, who will be your target? Consumers or businesses? Consumers will mostly get whatever is advertised, or free, or whatever comes bundled with their ISP tariff or mobile tariff.

Businesses care about pricing, brand name and functionality.

Yes, PG and privacy enthusiasts want everything to be open source, but in reality only a minority cares about that. I can tell from my multi-billion IT company: they won’t even consider a “normal password manager” for password management. Every password goes into CyberArk Password Vault. You can’t reason with the IT team. Same for my old big IT company. They only approved 1Password and LastPass for personal usage only, and later on I heard they removed LastPass from the approved list.

Bitwarden has a free option because they can compensate for the loss with their business clients, and they can keep their prices cheap because of that. Proton Pass is just a new player, so they keep their prices low, but that will surely change once they manage to mature their app. Even if they mature their app, no big company will buy it, because it is usable in a business environment. KeePass and forks are used by some companies, but not enough to generate good revenue.

So, creating a new password manager won’t do any good, unless you make it as a hobby or as a side job without expecting revenue.

If Notesnook offered a password-manager-like solution, sure. But telling lay people to build it themselves is handwaving their call to action to ditch Bitwarden. Not everyone is a developer, and not everyone can or wants to start a business for a password manager. It assumes everyone has the capacity to build security-critical software themselves.

The article to me reads as:

It is time to abandon ship!!! I suggest you build your own ship, take this dinghy, or look out for another ship to hop onto. PS, the ship is actually probably good for a few years, as there is an iceberg we may hit in the very far distance, so actually just keep an eye out and be prepared in case something happens.

The only good advice from the article is to keep up to date with what happens to Bitwarden, not to leave Bitwarden. I don’t consider it a good quality piece.