IIRC PG never required open source for services, only software. The frontend/client is the software, the backend/server is the service. While I’d prefer open source server code, it’s not feasible to require that because then we wouldn’t only be removing 1Password, but every cloud-based password manager. I wouldn’t mind that but everyone else would.
So Bitwarden and Proton Pass have open source clients and 1Password is completely proprietary.
So, what is the point of having an open source client app when you don’t know what is going on in the backend? If your concern is which data is submitted, you can check that with sniffers or Wireshark.
Yes, that is the point. According to your requirements, every cloud-based password manager must be removed, but you hate only 1Password and the others are exceptions.
Since these password managers are E2EE, it doesn’t matter so much what’s running on the server. You can’t verify what’s running on the server anyway so it wouldn’t really provide any tangible privacy or security benefit.
It just seems like we are constantly moving the goalposts with this criteria thread.
The original post is to require open source for password managers.
Now it seems like the thread actually contains a ton of different criteria change requests, to @anon83428815’s point:
- require open source for password managers if there are enough available options
- require open source for password managers only for the software side of things
- require open source for password managers but make sure they have limited VC funding
etc etc etc
For all the people in favor of this criteria, if you have to add a qualifier at the end of the criteria you are not advocating the criteria that was submitted. Full stop.
It would be more than just 1Password that does not qualify as actually open source (not just partially open source) and would need to be removed. Which is probably the biggest no-brainer reason, regardless of your thoughts on open source, to reject this criteria change. Re-submit it with a bit more nuance since it’s obvious it’s not what anyone actually wants.
People want to keep forcing everyone to make exceptions and keep shouting crap like “Oh you want to remove 1Password? You must not want any options at all!” or “Oh you want to remove 1Password because it’s not open source? Okay we’ll remove Bitwarden too”. They also seem to forget that we think open source should be a requirement, instead of thinking we only care about 1Password.
Just my opinion but I have strong doubts that if this passed and Bitwarden was also removed (which it would have to be) the reaction from most users would be highly negative.
I am surprised you’re taking that stance since you keep referring to how popular this post is and how it’s going to have the most comments, while ignoring that without making those exceptions this would most likely be a wildly unpopular criteria. It seems like really only you and possibly @Lukas (same guy who wanted to recommend NordPass) are willing to take the hardliner stance that this category should require open source, no exceptions.
It’s really only a convincing criteria when you frame it as supporting FOSS and removing evil 1Password, while ignoring all the other implications.
I think if people look at the whole picture, this “prefers open source” stance PG has taken is a much more elegant solution. It still only ends up with 1 proprietary option, no need for exceptions, no need for absolutist criteria, and it’s highly unlikely any other proprietary PW manager ever makes it past community scrutiny again, while still keeping the mostly FOSS options that a large majority of users are happy with.
Even @jonah has said if 1Password wasn’t already recommended he doubts it would get recommended but removal is a higher bar.
IIRC PG used to have an open source only stance until one security researcher decided FOSS didn’t matter at all, and next thing you know, “we recommend Microsoft Office because it supports MDAG”.
That number is dubious at best. Anyone can vote with both a regular account and an anon account. It is also counting votes of inactive and deleted users. It’s why votes don’t have any bearing on these issues.
Also there are thousands of PG users. Do you really think 42 votes is a meaningful amount?
You have a terrible habit of taking a normal situation, such as PG changing a criteria over time, and extrapolating the least likely outcome such as “we recommend Microsoft Office because it supports MDAG”. It’s an absurd argument.
Bitwarden’s not being open source is another reason KeePass is preferable. Why isn’t it the top recommendation? Because local storage isn’t convenient enough?
Cloud storage = convenience
Local storage = privacy and security
And some people get mad at us for recommending things for “weird ideological reasons”.
And the very idea 1Password is more private because it’s been audited more times is like saying NordVPN is more private than Tor because it’s been audited more times.
off-topic
The only issue with KeePassXC is it still has network access which can be a security issue. If you’re using Debian (most people here probably don’t for obvious reasons), you can install the keepassxc-minimal package which only includes the bare minimal functionality and no network access or browser integration. For other Linux distros, you can compile from source without networking code.
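As an added example (not from this thread or from the KeePassXC project), a POSIX shell script that configures a source build of KeePassXC with the network-facing features switched off and then checks the built binary for network library dependencies. It assumes a source checkout in KEEPASSXC_SRC and uses KeePassXC's documented WITH_XC_* CMake options.

```shell
#!/bin/sh
# Added example: build KeePassXC without networking, browser integration,
# update checks or KeeShare, then verify the binary links no network library.
# Assumption: $KEEPASSXC_SRC points at a KeePassXC source checkout.
set -eu

# CMake switches that remove network-facing code from the build.
minimal_flags() {
    printf '%s\n' \
        -DWITH_XC_NETWORKING=OFF \
        -DWITH_XC_BROWSER=OFF \
        -DWITH_XC_UPDATECHECK=OFF \
        -DWITH_XC_KEESHARE=OFF
}

# Configure and build out-of-tree; $1 is the source directory.
build_minimal() {
    src="$1"
    mkdir -p "$src/build-minimal"
    cd "$src/build-minimal"
    # The flags carry no whitespace, so word splitting here is intended.
    cmake -DCMAKE_BUILD_TYPE=Release $(minimal_flags) ..
    make -j"$(nproc)"
}

# True (exit 0) if the given ldd output lists a network library.
# Takes the ldd text as an argument so it can be checked without a binary.
links_network_lib() {
    printf '%s\n' "$1" | grep -qiE 'libQt[56]Network|libcurl'
}

# Inspect a built binary: fail if it still links networking libraries.
check_binary() {
    out=$(ldd "$1")
    if links_network_lib "$out"; then
        echo "WARNING: $1 links a network library" >&2
        return 1
    fi
    echo "OK: $1 has no network library dependency"
}

# Only build when a source tree was supplied; otherwise just define helpers.
if [ -n "${KEEPASSXC_SRC:-}" ]; then
    build_minimal "$KEEPASSXC_SRC"
    check_binary "$KEEPASSXC_SRC/build-minimal/src/keepassxc"
fi
```

Run it as `KEEPASSXC_SRC=/path/to/keepassxc sh build-minimal.sh`; the same ldd check can be pointed at a distribution package's binary to see whether it still pulls in Qt's network module.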
These serve different purposes, and in a lot of cases people are simply terrible at backing things up. Any benefits of local storage are quickly thrown out the window when said person loses their database because of some mishap. That, and also there are simply more devices in general (tablets, phones, computers) where keeping in sync is necessary.
There also simply isn’t a significant loss of privacy for a password manager that has cloud storage if the crypto in the client is sound.
Anyone can connect their phone to their computer with USB and transfer their password database from one device to another. It’s not that hard to make backups.
It’s not much different than creating strong passwords, but the higher-ups have spoken. No password is safe anymore no matter how strong or random it may be, and we must ditch passwords at all costs in favor of passkeys.
Some of this information might be outdated. There may be open source solutions for passkeys now.
My password is mine. I control my password. I own my password. I am not dependent upon some third party closed proprietary operating system or device to handle my security.
Thus the FIDO2 Passkey implementations still heavily rely on proprietary software embedded into Apple, Google, Microsoft, and others’ devices and solutions. The general strategy results in Big Tech creating and overseeing the key storage. There are no open source software implementations for creating and exchanging keys.
Even if alternative open source solutions appear, most users will most likely just use the solutions from Big Tech as they do with everything else - which is what is expected.
Passkeys also make you more vulnerable to seizures of electronics and keys. Forcing someone to give up a password is considered a violation of the Fifth Amendment to the United States Constitution by courts in the United States. Forcing someone to unlock biometrically secured devices is entirely legal.
Possession-based systems rely on items, such as a smartphone, that can be misplaced, stolen, or damaged, potentially locking users out of their accounts. And when it happens to you, Google will let you know that they reserve the right to terminate your account for any reason or no reason at all.
The tech industry and the tech press need to face the fact that they have yet again been swept off their feet by Big Tech hype and are now causing massive migrations to this crap!