Require Open Source for Password Managers

False.

So you think we should recommend NordPass and LastPass because of their UX?

Bitwarden and Proton Pass are good enough for most nontechnical people.

Irrelevant. I was pointing out that UX is actually a factor. You would have known this if you had taken the time to read the thread before commenting.

You should ask @Lukas about NordPass since you two seem to come up with the same misguided comparisons.

You seem to have a concerning pattern of making factually incorrect statements as if they are true. Something that is frowned upon here.

2 Likes

I’m starting to wonder how many votes this will get before this finally gets resolved. We’re already at 43 votes but the 1Password shills won’t go home.


Open source for password managers might be one of the only things I agree with him on. From my knowledge he appears to be some anti-ideology Google advocate who dismisses sane views as conspiracy theories.

2 Likes

Votes do not have any bearing on the outcome. It’s mostly used to gauge interest.

Plus, since every account can double vote, any user can create multiple accounts, and users who have left the community still have their votes count, it’s hard to say the number of votes has any real meaning.

I also don’t appreciate the hostility and aggro’d tone. Even if you disagree, vehemently, everyone here does have the same goal.

7 Likes

If privacy is that goal then yes but instead of focusing on the actual issue we’re forever stuck debating whether or not open source should be required for password managers, and I’m going to keep this thread going until this gets approved.

Some of us value open source. Others think it doesn’t matter. Some of us want to avoid big tech. Others think that’s stupid. If the others had their way PG wouldn’t recommend open source at all. Whenever some expert writes any kind of article criticizing a piece of open source software, no matter how secure or insecure it really is, people will use that to trash open source projects.

My point stands. If Bitwarden and Proton Pass both have feature parity with 1Password, then because 1Password is proprietary and we have multiple other recommended password managers, there’s no reason to have it recommended if Bitwarden, Proton Pass, KeePass, and Gopass satisfy everyone’s threat models and use cases. It doesn’t make sense to not require open source in areas where there are many acceptable open source solutions. This wouldn’t be much different than Authy being recommended and us debating about how open source should be required for 2FA.

1 Like

No one’s arguing to remove KeePassXC or Bitwarden which are FOSS, they don’t have any security issues that stick out.

Then I would agree that 1Password may be redundant, but as of now there are unique 1Password features like browser extension syncing and the secret key feature.

You can vote for Proton Pass to support the latter feature on UserVoice!

You can also vote for this feature!

2 Likes

1Password is also way more stable imo. Bitwarden has a lot of issues autofilling on Android. Which is why I switched to 1Password (now at Proton Pass).

I see you’re the only one downvoting every comment that doesn’t agree with you. Also your tone “I’m going to keep this thread going till someone does what I say” sounds a bit eh….

“It’s been established that while audits are good, they are not a replacement for open source.” They are not a replacement for open source as they are different subjects. I would however rather have a reputable 3rd party audit code & verify the security than having some open source project that I will have to trust someone in the world might have checked because I cba to do it myself.

2 Likes

I meant PG wouldn’t have open source as a minimum requirement for any category.

An unnecessary “feature” that isn’t needed at all.

Again. Audits are only valid for one version, and they are not 100% proof of security. Even the reputable 3rd parties will miss things. Open source however guarantees the right for anyone to audit and verify code of all versions.

1 Like

For you, perhaps. Other people can disagree. As nice as it would be for everyone to use KeePass, some people consider local-only too much of a burden and need cloud-based password management. Options aren’t pie - giving more choices to others doesn’t mean fewer choices for you. (on that note, as far as I can tell Proton Pass DOES sync with the browser extension? not sure what feature we’re talking about here.)

6 Likes

It’s unnecessary because browser extensions are unnecessary.

1 Like

Also, the extension can use passkeys on desktop

I encourage you to take a minute to put yourself into the shoes of someone else. An old woman who is not particularly tech-literate. Do you deserve privacy and security? Personally, I’d argue yes! I’d say that’s a basic human right.

You don’t really understand why a password manager is needed at all. You were doing just fine before, with your password “ilovemygrandkids”. You used it for everything, so you wouldn’t forget it. But your son doesn’t think this is good enough. He really wants you to use a password manager, insisting your current practices are putting you at risk. It seems like a bit of a pointless hassle, but he promises it’ll be easy, and he’ll help you, so you agree.

So he downloads something to your computer and starts talking. “Okay, so when you want to make a new password you click over here…” “so to find your password you click this and start looking for the website” “you can copy paste it from here”. This is a lot to remember. You don’t even know what a “copy paste” is! And the way he presses some of those buttons on the keyboard looks like it would hurt your poor old bones. You silently decide to just keep doing it the old way. He won’t notice.

It’d be a lot easier if there was a way for it to take care of most of this for you. Sadly, no such solution exists!

…Except it does. Browser extensions are absolutely necessary for some people. Even the smallest obstructions can be too much to deal with, especially for people who are non-technical and/or disabled.

I say it again! Options are NOT pie! It is GOOD to have more options! It might not be necessary for you, but you are not representative of everyone.

6 Likes

This can be done with any password manager.

Many people cannot read at all. Should they learn how to read or should they be told it’s okay not to know how to read?

You’ll need to elaborate on your point here, I have no idea what you’re trying to get across. My whole point is that browser extensions often greatly simplify this process and allow less-able users to bypass it completely.

I’m not sure someone with cataracts would respond well to being told “just learn how to read”. Apparently that “isn’t how it works”. Accessibility is a good thing, actually.

5 Likes

Copy + paste passwords

1 Like

I agree with the bold stance that accessibility and ease of use are important elements of making privacy available to everyone.

I use Bitwarden so I can’t speak to whether 1Password’s better UX justifies its inclusion despite not being open source. I can attest that there were significant UI/UX hurdles to getting my family using Bitwarden. They’ve (fortunately) improved a lot in the past year but still have a little ways to go.

As someone who can’t read code - either way I’m trusting someone else to audit for me. Open source is preferred, but there is no option for me or most people that doesn’t involve trusting a 3rd party.

Open source is inherently better if there is a large enough community with enough code-reading eyes on it to catch anything. Otherwise regular paid 3rd party audits seem more reliable than just code availability.

3 Likes

I think the Bitwarden extension supports auto-syncing:

Items owned by you in the web vault will always remain in-sync. Items owned by an organization will sync across users and client applications every 30 minutes.

Other Bitwarden apps (browser extensions, mobile apps, desktop apps, and CLI) will sync automatically on login, and regularly when unlocked. You can also manually sync your vault to pull changes immediately.

Accessibility and ease of use don’t make it more private; it just means more people will want to use it, so I don’t think it should be a criterion for which password managers offer the best privacy.

And both Bitwarden and KeePass are large enough projects, so this isn’t an issue. Again, audits aren’t a replacement for open source, and cloud password managers should have to be both open source and audited to be included.

2 Likes