Require Open Source for Password Managers

The SSH agent in particular is kind of a killer 1Password feature for me, although in general that’s probably too niche for most people to care about.

3 Likes

oh wow. I didn’t know of this. so glad you mentioned it, looks super useful.

i have been paying for a 1password family account just for my other family members but maybe now i’ll finally really use it lol.

Its UI and clients are leagues and bounds beyond what Bitwarden offers, especially for families. I don’t think it’s fair to disregard all of its advantages for making good digital hygiene accessible to so many and probably continuing to do so for the foreseeable future just because it’s proprietary.

2 Likes

Proton Pass UI and UX are very good, and as far as I know, Bitwarden is rewriting their Android client in Kotlin, so the UI and UX will probably improve too. Just look at Bitwarden Authenticator.

Also, if it’s not fair to disregard software just because it’s proprietary, then I guess let’s recommend proprietary solutions in all the categories? Not only in the Password Managers category.

It’s also very important to understand why 1Password is proprietary. 1Password is VC funded, and open sourcing their clients, etc. wouldn’t be a good business idea, and VC investors probably wouldn’t be too happy about it.

I don’t see a reason to recommend a service that prioritizes profit and their VC investors over their users when there are better alternatives like Proton Pass, which is fully independent and whose business model is selling services to customers, which leads to a situation where customers are the priority because the customers are the ones keeping the company alive.

1 Like

Proton Pass UI and UX are very good, and as far as I know, Bitwarden is rewriting their Android client in Kotlin, so the UI and UX will probably improve too. Just look at Bitwarden Authenticator.

Proton Pass is moving in the right direction, I’ll give it that. When both are on par with 1Password, I’d be the first one championing its removal from the site, but as of now, their feature set is frankly laughable in comparison to 1Password, especially the implementation. If Proton Pass in particular didn’t carry the same price tag as 1Password, it’d be easier to stomach its many shortcomings. There is also no way to get a family subscription for Proton Pass without also paying for their entire suite of apps.

Also, if it’s not fair to disregard software just because it’s proprietary, then I guess let’s recommend proprietary solutions in all the categories? Not only in the Password Managers category.

I never argued for it to this degree, but since we’re on the topic: If they’re clearly better than the FOSS alternatives, then why not? I don’t like the religious obsession with stuff having to be FOSS. Use the right tool for the right purpose, that’s my policy.

It’s also very important to understand why 1Password is proprietary. 1Password is VC funded, and open sourcing their clients, etc. wouldn’t be a good business idea, and VC investors probably wouldn’t be too happy about it.

That’s a valid point, but until they act up - and let’s be honest, their track record does not point in that direction - we should keep them on the site.

like Proton Pass, which is fully independent and whose business model is selling services to customers, which leads to a situation where customers are the priority because the customers are the ones keeping the company alive.

I personally don’t like how they try to push you into buying into an ecosystem. I’m out here trying to avoid vendor lock-in as much as possible and definitely don’t wanna be locked into using their apps. They employ way too many dark patterns for me to simply skip over them and act like they’re so benevolent in comparison to the VC-funded alternative.

Just yesterday, I gave Proton a chance. Seeing how they are VERY intransparent about what feature is paid and which isn’t, in addition to their less than favorable marketing with regards to competitors and the ability of their products as of late, I would not bet on them still prioritizing their users in 5 years. But obviously this is all speculation and I’d be more than happy to be wrong (otherwise we’d be fucked), just like with 1Password. Until then both should stay up, and the FOSS requirement scrapped for the time being.

My point is: there is no good or bad company. They’re all exploitative dip-shits, only vary by degree. If the product is good, it should stay up, if it isn’t anymore, we should take it down. The FOSS requirement in the password manager space is IMO too hasty when the FOSS alternatives aren’t mature enough or have feature parity with their proprietary counterparts.

3 Likes

I gave my vote to this. Not because I think 1password is a bad place to store your passwords, I certainly don’t, but I do have more faith in Proton and Bitwarden in this case.

I am not sure if it even should be a requirement. I think PG should always recommend the best option(s) and not every other solution that is available. Now of course 1password has come a long way and has been on the site for a while, I guess those who use it might not even need to change that. It’s more if you would recommend a service today, for me that’s Proton Pass. It’s the most user-friendly IMHO and I have more faith in it.

2 Likes

1Password is actually more expensive than Proton Pass. Proton Pass is 1.99 per month, and 1Password is 2.99 per month. Proton Pass also had a lifetime deal, which reduced the price to only 1€ per month, and for those who have Proton Unlimited, they already get access to Proton Pass.

With Proton Pass you get:

  • Unlimited hide-my-email aliases

  • Access to the Proton Sentinel high-security program

  • Pass Monitor

1Password:

  • Proprietary

  • Doesn’t offer any private payment methods. (Proton does)

  • Doesn’t even have an integration with SimpleLogin or other email aliasing services, only with Fastmail.

Also, I’m not sure what features 1Password has that Proton Pass doesn’t.

I’m not going to explain why FOSS movement is important because that would be highly off-topic.

If all of us would use the “right” tool for the “right” job, then we would all be deep into Google’s and Apple’s ecosystems because, let’s be honest, they make some of the best, most usable software out there.

Fortunately, most of us in here care about security, privacy, FOSS, etc., not only about using the best tool for the job.

I’m sorry, but this is Proton and not Apple. Proton doesn’t try to push or lock users into their ecosystem.

Most Proton customers, including me, want an ethical, private, and secure ecosystem as an alternative to bad ones like Apple’s.

3 Likes

Both Bitwarden and Proton Pass are missing basic features which 1Password has, so I’ll continue to use it for another year at least.
Examples for Bitwarden: No other sorting options than A-Z, no tags, although people have been asking for these features for ages. The UI of the installed client is visually outdated and some features (security reports) are only available on the website.
Proton Pass can’t auto-fill information from custom fields, which the other two can; that’s a feature I don’t want to live without.

1 Like

1Password is actually more expensive than Proton Pass. Proton Pass is 1.99 per month, and 1Password is 2.99 per month. Proton Pass also had a lifetime deal, which reduced the price to only 1€ per month, and for those who have Proton Unlimited, they already get access to Proton Pass.

You completely disregarded my argument and assumed I would only choose a service for myself. Some of us got families; mind-boggling right?? Proton Pass doesn’t have a family plan unless you pay for the entire Proton suite, which is a no-go for me. I’m not leaving Apple’s walled garden just to be locked into using everything another company uses.

Also judging the affordability of a service by its yearly cost divided by 12 months is disingenuous at best. That’s not how much Proton Pass costs a month and you know it. It’s one Euro/US Dollar more than 1Password. And the only reason it costs so little when billed yearly is because Proton is desperately trying to push a mediocre product that has nothing of value that other password managers don’t have already.

Doesn’t offer any private payment methods. (Proton does)

This depends on your threat model.

Also, I’m not sure what features 1Password has that Proton Pass doesn’t.

If you’re not sure, then please (!!!) educate yourself on that before you start a thread about removing a very outstanding product. As @Feradin said, 1Password can autofill custom fields which Proton Pass (and last I checked Bitwarden) can’t do, yet. It also has collections so you can group/hide vaults depending on your needs, lets you attach files to login items, works great for families because of the ability to have shared vaults, and lastly what’s probably its best feature: Travel Mode, potentially a life-saving measure for a variety of people, especially journalists.

Basically, you can choose a vault to be “safe” or not and those who you deem to be “unsafe” get hidden when you enable Travel Mode, so that if you’re forced to unlock your password manager by authorities, you can dupe them by serving them dummy accounts.

If all of us would use the “right” tool for the “right” job, then we would all be deep into Google’s and Apple’s ecosystems because, let’s be honest, they make some of the best, most usable software out there.

No, because deciding if a tool is right depends on many variables that go beyond the optics. They might be convenient, but that doesn’t make them good. The reason I’m having this discussion with you right now isn’t because 1Password is convenient, but because it’s genuinely an all-around good product with a great track record and one that is regularly externally audited.

I’m sorry, but this is Proton and not Apple. Proton doesn’t try to push or lock users into their ecosystem.

They very much do. Their pricing scheme pushes you to go all in and pay 12 to 24 months upfront (a dark pattern). Also, you can’t use their products with other clients unless you use their “bridge” - and that is reserved for desktops. On mobile, you’re out of luck and have to find peace with their randomly updated (proprietary) mobile clients. No, thank you.

3 Likes

This is literally what you said:

If Proton Pass in particular didn’t carry the same price tag as 1Password, it’d be easier to stomach its many shortcomings.

Which is false, Proton Pass doesn’t carry the same price tag as 1Password, Proton Pass is cheaper.

And you just became passive aggressive and assumed that I don’t have a family:

This is pretty yucky.

Who in their right mind would pay 4.99 for a month, which is 59.88 per year, when they can just pay 1.99 per month, which is 23.88 per year?

The reason why I compared prices when paying annually is because 1Password can’t be bothered to even show me how much their service costs per month while not paying annually:

And Proton Pass costing 1 Euro/US Dollar more is probably justified by the fact that Proton Pass offers unlimited hide-my-email aliases.

Saying that the password manager that hasn’t even been around for a year and is completely user funded has nothing of value because it doesn’t yet have all the features that a password manager that has been around for about 16 years and has received a total of $920 million in VC funding is completely nuts.

Because Proton puts users above profit, users can suggest or vote for features that they want to be implemented:

https://protonmail.uservoice.com/forums/953584-proton-pass

Some of the missing features are already started or are planned.

2 Likes

I personally think we should put a warning:

1 Password is a paid, proprietary service. Always back up your data.

That being said: Security audits of 1Password

  1. Why are there no criteria for the password manager section? We should at the very least require open-source clients OR audited clients.

  2. There clearly is a discrepancy with the notebook category which requires open-source clients. While this makes sense for online, collaborative notebooks, it doesn’t for local notebooks like Obsidian. At least if we follow the narrow view of Privacy (and we forget that Privacy should enable Freedom)

1Pass individual costs 36 USD / year, and Proton costs 24 USD / year, but that is the promotional price for the first year. Normal price is 60 USD / year.

There is no family plan for Proton Pass unless you buy Proton Family (which I did btw for my mails). Cheapest option is to buy it for 2 years and pay 480 USD.

I wrote many times on this and other platforms about the basic missing features.

  • No sorting by name which persists.
  • No biometric login
  • No connection between desktop app and browser extensions.
  • No Passkey, File and item history import from other password managers
  • No custom field import, like ID cards, Passports, Software License and SSH keys
  • No multi item select, like you can do with 1Password.
  • No tags
  • No predefined fields and items
  • Autofill and field recognition is broken on many sites
  • It is also not working in Firefox Private Window
  • and many more.

It is a new product and it needs to mature, that is why they are selling it for so cheap, but it will take years to mature it to get closer to 1Password level.

2 Likes

Mmm nope, that’s the recurring price. They reduced the prices a little while ago, and 1.99 is the standard price now, not just promotional.

  • Fair.
  • Biometrics work fine on mobile, and I don’t think they’re common enough on laptops/desktop to really be a major problem.
  • I’m not sure what kind of connection you’re looking for. They both sync just fine, and aren’t limited in functionality.
  • Yeah not being able to import those things could be inconvenient, that’s true.
  • No set custom ID fields, but notes exist, which can put those things down just fine. It’s not like you really need to worry about autofilling a license key often, so just having it in a note to copy paste it from is perfectly acceptable imo. Having the dedicated feature might be nice for organization, but I don’t think it’s really missing functionality for not having it.
  • Multi item select is implemented.
  • Yeah, no tags is annoying for larger vault sizes. I augment this by using different vaults for organization, but tags could be nice.
  • Predefined fields and items? I’m not quite sure what you mean by this.
  • In my experience, autofill has been far better than Bitwarden’s (on mobile especially), so I’ve actually been quite happy with it. I think there are broken sites for autofill for every password manager.
  • Interesting that it doesn’t work there. I’ll have to test it myself later. Not excusing it if it doesn’t actually work there, but as an aside, why use private windows in FF over regular windows with sanitize on close? It just seems like an extra step when you could implement similar functionality into regular windows.

All of this to say I don’t think Proton Pass is quite as bad as your impression makes it out to be. I don’t use it myself, but I am against removing 1password at the moment because I see the value it offers; just made this reply to clear up some things about Pass so everything is kept fair.

1 Like

I hope they will continue to provide services with that price. It is good for a single user but they should provide something for the family accounts.

  • Biometrics work fine on mobile, and I don’t think they’re common enough on laptops/desktop to really be a major problem.

It is common. I am using Windows Hello on many applications, not just the password manager, but with Proton Pass I am forced to use only a six-digit PIN.

  • I’m not sure what kind of connection you’re looking for. They both sync just fine, and aren’t limited in functionality.

When I unlock desktop app, it should unlock all browser extensions. 1Password is using browser’s native messaging protocol to do that.

  • No set custom ID fields, but notes exist, which can put those things down just fine. It’s not like you really need to worry about autofilling a license key often, so just having it in a note to copy paste it from is perfectly acceptable imo. Having the dedicated feature might be nice for organization, but I don’t think it’s really missing functionality for not having it.

When you import your logins from another password manager, and you have hundreds if not thousands of entries in your vault, you can’t check everything manually to see if they are imported correctly or not. For example, if a site has two password or two username fields, Proton Pass skips one field. For example, PIN codes for my credit cards and bank accounts.

  • Multi item select is implemented.

Nope, not implemented. Yes, you can select one by one if you call that multiselect. Try to select items by using Shift key or Ctrl key, or even Ctrl+A. Such basic technology doesn’t exist in Proton Pass. Simple test, open your vault and select all items with first letter of A to D.

  • Predefined fields and items? I’m not quite sure what you mean by this.

3 Likes

I’ve given it quite a few chances and it’s simply not there yet which is totally fine - don’t get me wrong! It’s a young product, which is why we need to keep 1Password on the site until Proton Pass has like more than 80% of its features and a standalone family subscription separate from Proton Unlimited.

I generally concur that open-source software is preferable to proprietary alternatives. However, a nearly flawless track record spanning almost two decades, as exemplified by 1Password, holds greater significance than the open-source nature of a password manager, particularly when the latter has only been available for just over a year.

In addition to Proton, Bitwarden, and 1Password, PG also recommends Psono. I do not believe Psono is a superior option to 1Password for the majority of users, especially in terms of functionality. Furthermore, 1Password has undergone more security audits since 2019 [1] than Bitwarden [2], Proton Pass [3], and Psono [4] combined.

While open-source providers are generally preferable, this preference should not result in the exclusion of highly reliable and well-established proprietary providers. For instance, YubiKey [5], which is also proprietary, is also recommended by PG, although there are open source alternatives, e.g., Nitrokey. And many here would still argue that YubiKey is a better choice than Nitrokey despite the fact it is proprietary.

5 Likes