Require Open Source for Password Managers

Let’s do a Poll to help us decide. All votes are PUBLIC to prevent people from faking it with burner accounts.

  • Keep the status-quo (proprietary allowed)
  • Require source-first as a minimum
  • Require open-source
  • Other

We have already justified why not open source, when we added 1Password, as all such recommendations are discussed within the community.

Now we are attempting to undo this discussion from 2 years ago based simply on a feeling that open source is always better?

To which I would reiterate everything I said here: Require Open Source for Password Managers - #123 by jonah

I am against unnecessarily undoing existing work.

3 Likes

We can undo a decision that was made before, but only if new information or a new point of view came to light that we have not taken in before.

So far however, I do not really see any arguments mentioned here that were not mentioned before.

Edit to add on this: earlier in this thread I was on board with adding open source as a requirement; my reason for changing my opinion was @ph00lt0's comments on the open source definition thread.

4 Likes

I agree that proprietary software is inherently less privacy-conscious than open-source alternatives. However, I do think we should prioritize open-source services over their proprietary counterparts.

In my opinion, Privacy Guides should maintain a consistent approach regarding their recommendation criteria. If we set open-source availability as a minimum requirement for tools like Notebooks or Office Suites, and require source availability for MFA, we should also reassess whether we shouldn’t apply similar standards to much more sensitive tools like password managers.

I am firmly against consistent site-wide criteria across different categories for reasons we are currently discussing in this thread: Should Privacy Guides require open-source, source-first or source-available as a criteria for all tools? - #4 by jonah

1 Like

I could have missed it. But I didn’t see any arguments for why not open source outside of personal preferences for specific features. Around 8 people discussed it, and 7ish were fine with it. The points in favor of 1Password were UI and family management mostly; Proton solves this, and KeePass clients like DX have also become more UX friendly.

I can see why 1Password at that time. This is why I keep repeating “practical and usable” recommendations. But now that Proton Pass fills the 1Password niche (and is slowly reaching parity), I don’t see why PG can’t remove it NOW. So the question can be reframed to: Why not open source now? And this question should keep echoing as tech changes.

Also, as I said in my previous comment, why not macOS and Windows recs then for desktop? Why not Obsidian for Notebooks? I strongly feel requirements should be updated as time and tech move.

Off topic voting

That would assume trust level signifies they have more expertise or more critical insight into this topic. I don’t lol. So voting is meh anyway.

4 Likes

Quickly hopping in here: 1Password could be removed even without requiring open source; the listing of 1Password and the change of the criteria are two separate discussions.

2 Likes

The GitHub issue I was pointed to was for 1Password. But yes, this makes sense, thanks 🙂

1 Like

I don’t really think so, personally. Without an active/direct reason to change a current criterion, I think the recommendations should be left as-is. In other words:


I don’t think we should start removing products with no clear deficiencies purely because other products improved themselves. This kind of churn is confusing to readers.

I see changes like this as promoting instability in the privacy space, which is a common complaint among people learning about the topic and seeking tool recommendations. This is why we add and remove tools cautiously.

Basically, the way I think about it is:

  • When we add new tools, we need a strong justification on why they are substantially better than the alternatives.
  • When we remove existing tools, we need a strong justification on why they are substantially worse than the alternatives.

I don’t think this second justification is met simply based on open source alone.


Yes, but as far as I know there are zero reasons to delist 1Password given in the Remove 1Password thread besides the desire to make the criteria change in this thread.

And on the other hand, making the proposed criteria change here would affect 1Password exclusively.

So these topics are related, this is just a more specific discussion.

4 Likes

A post was merged into an existing topic: Should Privacy Guides require open-source, source-first or source-available as a criteria for all tools?

There are alternatives to 1Password that are at least as good while being open-source. I can understand that in some cases there is no better choice, but here we have competitive alternatives that are open-source. Favouring open-source apps is already the existing policy.

Some people may point out that 1Password has a superior UI, but they are also seriously lacking in some important areas like Email Aliasing, so in my opinion, the alternatives are more competitive than some people think.

off topic voting

Requiring a trust level would prevent burner accounts from voting, which was Encounter5729’s concern.

Another way to put this is: Would I agree with adding 1Password to the list today if it wasn’t on there already? Probably not.

However, is there a substantial reason to remove 1Password from the list today given that it is already on there? No, I don’t think this is the case either.

Therefore, no changes needed.

2 Likes

Okay, the concern is clearer to me. The issue seems to me about dynamic recommendations that might upset users who trusted the initial recommendation. Thus no changes without solid reasons, right?

My argument is that dynamic recommendations are what makes PG a better tool than a static list or a PDF. If there were a “set and forget” tool, I would not need PG. I could go to any top 10 list. But PG is the only one actually ensuring the tools it recommends are the best possible recommendation for the average user. So I rely on PG to change recommendations so that I am not stuck on older, worse recommendations.

If I used IRC on PG recommendation earlier, and then it asks me to shift to Signal or something, I am not angry at PG for enforcing standards, I am angry at the provider for not keeping up. I would be grateful PG pointed me to a better tool. Especially since password managers are not network effect based systems like messenger or social media where a switch would be non-trivial.

Also if you would not add 1Password now, it is unfair to recommend it to new users just because older users are grandfathered in.

If the fundamentals are equal, open source IS the major difference.

3 Likes

I’d only point out that this isn’t a binary. It isn’t a choice between dynamic recommendations and static recommendations. It’s a question of what is the right point on the spectrum between very stable and always-changing. There is lots of space between those two extremes for a happy middle ground.

2 Likes

See we are still talking about something significantly different here.

I am saying that just because Proton Pass caught up to 1Password, doesn’t mean we should remove 1Password.

In your example with IRC, that is a case of IRC falling behind Signal.

IRC falling behind Signal (and therefore being delisted) is not an equivalent situation to Proton Pass catching up to 1Password (which shouldn’t inherently imply 1Password should be delisted).

So this example is supporting my overall point, which is that in order to remove 1Password I think we need to prove that 1Password has fallen behind the alternatives, and I don’t think that is the case.

So we agree that open source is the only major difference, and what I am saying is that this difference alone is not a substantial enough reason to change our criteria.

3 Likes

You know what, I think your post has inadvertently changed my mind.

We shouldn’t forget that those of us who are active on this forum are probably not very representative of the average user who relies on PrivacyGuides recommendations.

There is certainly an implication (intentional or not) that recommendations which are removed are no longer trustworthy. Given the important role of password managers, I do think it warrants extra caution to avoid giving people the impression that they must switch ASAP.

Moreover, the other options like Bitwarden have been embroiled in their own controversies recently, and it would really be a worst-case scenario for PG’s reputation to push people from 1Password to Bitwarden only to once again tell them to switch.


All that being said, I would personally support encouraging those users who have not yet switched to one of PG’s recommended password managers to choose one of the open-source options.

4 Likes

That is a big “If”. Same fundamentals don’t mean same features.

But if the well known benefits of open source are not compelling enough to the PG team, then any further arguments would not be useful, since I can’t change individual perspective.

An additional question you have also answered is whether recommending macOS or Windows or Obsidian would happen now. The answer there also seems to be no. So the older projects that got in get the benefit of being grandfathered in.

Thanks for all the clarifications 🙂

This is also something PG needs to shed. It is not realistic to get the team to review every single option, and thus non-recommendation should not imply recommendation against. It is the same issue KeePassium highlighted. PG is not a comprehensive review of tools; it’s a curation of reasonable ones. But I can empathize with this viewpoint.

1 Like

Sure, but a non-recommendation is very different from a withdrawn recommendation. If I have selected a tool based on a recommendation here and it is suddenly gone, I will be concerned, especially when the tool is something as important as a password manager. The information on why tools are removed often isn’t very accessible without digging deep on this forum, which isn’t a realistic expectation of the average user.

2 Likes

I don’t assume to know what the average user would do, but I’d guess they will see the forum exists and ask a question here, which will direct them to the relevant discussion. But again, I do see your line of thought.

And again, it’s particularly unfair to impose worse tools on new users just because old users are using them.

Different lenses, I guess. For me, the delta (difference) should always be considered. IRC to Signal is an increasing delta in favor of Signal, so Signal is recommended; 1Pass vs Proton Pass or BW is a decreasing delta in favor of 1Password (and a positive delta for Proton Pass in some cases), so the latter should be recommended.

1 Like

Well, this is something that many people within the community and on the team have strongly rallied against historically. And still do.

Personally I could be convinced that open source is a very significant factor when it comes to privacy, but as a steward of this community I also know and can accept that the general consensus is that it isn’t substantial enough for us to require it. It’s a consensus that has been pretty long established now.

So in order to maintain consistency with our past decisions and to implement what I believe the general consensus still overall is, I am going to continue maintaining that no change is necessary here.

6 Likes