Require Open Source for Password Managers

This is an interesting requirement considering that you recommend 1Password, a closed source password manager that arguably protects even more sensitive data. So, your stricter requirement for these categories makes little sense to me.

8 Likes

We could discuss that in a new thread.

I think we could re-evaluate this once Proton Pass is out and there are multiple open-source cloud-based password managers, if Proton Pass turns out to be good.

Right now there aren’t really good options in this category other than Bitwarden, and 1Password provides advantages over Bitwarden in some respects. If Proton Pass ends up providing the same advantages then it could take its place and we could make this change, but time will tell. I’m also not thrilled with 1Password potentially adding telemetry anyways, no matter how “privacy respecting” it’s claimed to be, but that is a future change.

9 Likes

Bitwarden claims to use Google Analytics. Is that not also a concern?

1 Like

EDIT: The reply by Bitwarden is not deleted, I’m just a dum-dum. Disregard that part.

In a now seemingly deleted Mastodon post (Bitwarden: "@Jo3@mastodon.social Hey there, Firebase Cloud Me…" - Fosstodon), Bitwarden said (this is not the entirety of their reply, just the part that I was able to quote from another reply I made elsewhere):

Hey there, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices.

Now, I don’t know whether they removed that post because what is stated there is incorrect, but Bitwarden having a library in the app doesn’t necessarily mean they use the analytics portion of said library.

Someone could reach out and request more specific and up-to-date information.

3 Likes

From their privacy policy:

We use data for analytics and measurement to understand how the Site and Bitwarden Service are used. For example, we analyze data about your visits to our Site to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit the Site using Google Analytics, we and Google may link information about your activity from that site with activity from other sites that use Google Analytics services.

2 Likes

They’re not quite clear if Google Analytics is used on the service; they say they use a variety of tools including Google Analytics, but yeah, you’re right, I would assume they do.

Whether that’s relevant to them being listed or not, I don’t know.

1 Like

I’m just pointing out that if first-party analytics are a point of concern regarding 1Password, then Bitwarden is also affected. I’m not thrilled with analytics either but I’d prefer a first-party approach over Google Analytics any day.

1 Like

Bitwarden only uses Google Analytics on its website, not on the apps. So, this is not a huge concern, in my opinion. The same goes for 1Password, which also uses Google Analytics on its website. However, 1Password has also recently stated that they will soon start using telemetry on their apps, which is another thing to consider. But if we are talking about website analytics, it is actually next to impossible to find a product that wouldn’t use them. For example, KeePassXC uses cloudflareinsights, and Strongbox uses plausible but also tries to access Canvas. So, there really isn’t a perfect solution in this regard. But then you could also ask how many people have to even revisit these websites in the first place after creating their account or downloading the app. I would assume not many times, if at all.

1 Like

The difference is that a lot of account settings with Bitwarden are only available through the web vault. This means that people are far more likely to visit the Bitwarden website than they would if they were using another password manager.

Settings such as changing the KDF, enabling/changing 2FA settings, changing the master password, etc., are all only available through the Bitwarden web vault.

2 Likes

And still, if you use any of the browsers PrivacyGuides recommends, this isn’t really a problem, as those trackers would get blocked.

Woah hey. Now this is branching off again, from open source to the use of analytics.

2 Likes

Since Proton Pass turned out to be an amazing product and was finally added to Privacy Guides, I think it’s time to require open source for password managers and get rid of 1Password.

Bitwarden:

  • Client and server code is open source.

  • Can be self-hosted.

Proton Pass:

  • Clients are open source.

  • Provides built-in hide-my-email aliases.

1Password:

  • Both the client and the server code are proprietary.

  • Can’t be self-hosted.

  • Doesn’t offer any private payment methods.

  • Embeds tracking pixels in their newsletters.

  • More expensive than Proton Pass and Bitwarden.

  • Doesn’t even have an integration with SimpleLogin, only with Fastmail.

5 Likes

Yeah, I’m not really opposed to adding a FOSS criterion to this category.

7 Likes

This change would close this thread and also this one: Remove 1Password

1 Like

Voted. Proprietary software has no guarantee that it is doing what it claims.

3 Likes

Not necessarily. And 1Password has been around for nearly 2 decades with no serious issues. With that being said, I can’t really say 1Password does anything better than Bitwarden, KeePassXC (well, maybe UI) or Proton Pass. 1Password does have a discount for journalists which is about the only good thing if you were required to use it. Otherwise KeePassXC and Bitwarden are what I’d prefer if I was a journalist.

3 Likes

Proton apps have started open source and fallen out of date (Calendar). Since this change was hinged on the fact that Proton Pass was released open source, what would happen if the repo saw no updates after some period of time?

3 Likes

1Password does have a Secret Key feature so your account won’t be accessed even when someone else somehow knows your account and password.

But it’s practically similar to Keepass’ keyfile so it does not affect me much.
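To make the comparison with a keyfile concrete, here is an added illustration (not 1Password’s or KeePass’s actual code) of two-secret key derivation in Python: the vault key is the XOR of a slow password hash and a key derived from a separate high-entropy secret, so a leaked password alone does not reproduce the key. The iteration count, salt, info string and key length are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration only; not 1Password's real values.
PBKDF2_ITERATIONS = 50_000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869), extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def password_part(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the human-chosen password (the part an attacker can guess)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def secret_part(secret_key: bytes, salt: bytes) -> bytes:
    """Fast derivation from the high-entropy secret (a random key or a keyfile digest)."""
    return hkdf_sha256(secret_key, salt, b"two-secret-illustration")


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """XOR the two parts: neither the password alone nor the secret alone yields the key,
    so a leaked password still leaves the full secret (128 bits here) to guess."""
    return bytes(a ^ b for a, b in zip(password_part(password, salt), secret_part(secret_key, salt)))


def generate_secret_key() -> bytes:
    """128-bit random secret, generated once and stored only on enrolled devices."""
    return os.urandom(16)


def keyfile_secret(keyfile_contents: bytes) -> bytes:
    """KeePass-style alternative: the second secret comes from a file's contents instead."""
    return hashlib.sha256(keyfile_contents).digest()
```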

I understand the rationale behind this, but I think it still deserves full community input and careful deliberation. As others have mentioned, 1Password has been pretty much unproblematic on the security front for its entire existence (regular audits, great security model, etc.) and I think this continues to make it worthy of recommendation. Additionally, Proton Pass definitely doesn’t have feature parity yet, a notable difference being all the item types that 1Password supports, making it easy to adopt secure practices for more than just credentials.

8 Likes