Require Open Source for Password Managers

I’d only point out that this isn’t a binary. It isn’t a choice between dynamic recommendations and static recommendations. It’s a question of what the right point is on the spectrum between very stable and always-changing. There is lots of space between those two extremes for a happy middle ground.

2 Likes

See we are still talking about something significantly different here.

I am saying that just because Proton Pass caught up to 1Password, doesn’t mean we should remove 1Password.

In your example with IRC, that is a case of IRC falling behind Signal.

IRC falling behind Signal (and therefore being delisted) is not an equivalent situation to Proton Pass catching up to 1Password (which shouldn’t inherently imply 1Password should be delisted).

So this example is supporting my overall point, which is that in order to remove 1Password I think we need to prove that 1Password has fallen behind the alternatives, and I don’t think that is the case.

So we agree that open source is the only major difference, and what I am saying is that this difference alone is not a substantial enough reason to change our criteria.

3 Likes

You know what, I think your post has inadvertently changed my mind.

We shouldn’t forget that those of us who are active on this forum are probably not very representative of the average user who relies on PrivacyGuides recommendations.

There is certainly an implication (intentional or not) that recommendations which are removed are no longer trustworthy. Given the important role of password managers, I do think it warrants extra caution to avoid giving people the impression that they must switch ASAP.

Moreover, the other options like Bitwarden have been embroiled in their own controversies recently, and it would really be a worst-case scenario for PGs’ reputation to push people from 1Password to Bitwarden only to once again tell them to switch.


All that being said, I would personally support encouraging those users who have not yet switched to one of PGs recommended password managers to choose one of the open-source options.

4 Likes

Sure, but a non-recommendation is very different from a withdrawn recommendation. If I have selected a tool based on a recommendation here and it is suddenly gone, I will be concerned, especially when the tool is something as important as a password manager. The information on why tools are removed often isn’t very accessible without digging deep on this forum, which isn’t a realistic expectation of the average user.

2 Likes

Well, this is something that many people within the community and on the team have strongly rallied against historically. And still do.

Personally, I could be convinced that open source is a very significant factor when it comes to privacy, but as a steward of this community I also know and can accept that the general consensus is that it isn’t substantial enough for us to require it. It’s a consensus that has been pretty long-established now.

So in order to maintain consistency with our past decisions and to implement what I believe the general consensus still overall is, I am going to continue maintaining that no change is necessary here.

6 Likes

I agree, and I’m not opposed to requiring password managers to be open-source. I would generally be in favour of such a change, but it needs to be done with special care.

2 Likes

This is what is being considered, though. Bear with me, I feel like I have to diagram this, but maybe this will make no sense lol

If we are in this imaginary world where we recommend IRC on the site and it’s the only option out there, we’re in a situation like this:

Then Signal comes along and the delta between the two products is highly significant, and very obviously warrants a criteria change. We make a criteria change and delist IRC as a result:


Now… when it comes to our current password manager criteria, I consider our recommendations originally were along these lines:

Eventually Proton Pass and/or Bitwarden caught up in feature parity with 1Password[1], and are maybe even slightly ahead, but the delta between all of our current password manager recommendations, including 1Password, is quite insubstantial:

From my perspective, this ↑ is the situation now, and the delta between our current recommendations is clearly not enough to warrant any sort of criteria change.

The only reason we’d want to raise the bar right now, I think, is if a brand new password manager came on the scene that was clearly worse than our existing recommendations, call it X:

If we were in this situation, I would say a criteria change is warranted in order to ensure “X Password Manager” isn’t added to the website, in turn maintaining the quality of our recommendations.


  1. although in reality they haven’t, because 1Password still has power-user features like an SSH agent, but that is beside the point

5 Likes

Now that I have looked at it I guess I could have just summed it up as:

  • I am looking at the difference between our recommendations as they currently stand
  • You are looking at the amount Proton Pass has improved relative to where it began

…which I don’t think is a useful way of determining what our criteria should be, really.

2 Likes

3 posts were merged into an existing topic: Remove 1Password

If you are saying open source software is safer than closed source software, then I can point to several Linux kernel bugs which existed for several years.

Being open source doesn’t mean bugs and vulnerabilities will be fixed overnight. And yes, having the most audits with remediations means it is more secure than the others, as do bug bounty programs.

1 Like

On every new audit you can see if the previous vulnerabilities and bugs are fixed or not. So, they are making the software more secure.

Yeah, I never really saw it as “anything not listed is an anti-recommendation”; privacy is so dependent on your particular threat model that different tools are going to be best for different people. There are so many great products out there; just because it’s not listed on PG doesn’t make it bad. I guess I always saw the recs on PG as more “highlights”: here’s some criteria and the best tools that meet those criteria, why we set those criteria, etc., so that the reader can see the process involved in picking out software they want to use and be able to decide their own criteria that they want to go on. I don’t think anyone should view the recs on PG as gospel, especially when the definition of what’s private varies so much from person to person.

3 Likes

Requiring open source software in the password manager section makes sense, considering how sensitive the data these services store is. I also think that Privacy Guides should attempt to encourage companies to offer open source solutions instead of signaling that closed source is just fine, which is what we are doing by continuing to recommend 1Password and Strongbox. So yes, if we were to require this, we would have to delist 1Password, but we would also need to remove Strongbox, which I think is quite overdue and which we haven’t been able to remove otherwise. But I think this change has more to do with improving the section criteria than with being a quest to remove any of the current recommendations.

The current open source options for the password manager category are already more than good enough for a majority of people and having some niche features such as SSH keys isn’t enough to justify the 1Password recommendation. I would argue that people who need this are capable of finding another solution that offers it. One reason for listing 1Password was also its superior UI and UX, especially when compared to Bitwarden, but at the moment, I would argue that Proton Pass has the more straightforward and easier to use UI/UX and Bitwarden is currently improving this as well.

And if we change the site criteria as follows, I doubt people would become concerned or confused about this because they could see in the requirements that Privacy Guides now only accepts open source software for this category, so 1Password wouldn’t just disappear from the site without a clear explanation that anyone can find.

5 Likes

@team would it be possible to pin the Poll so more people weigh-in?

We don’t make decisions based on polls; they’re just for fun.

3 Likes

Idk, I think they are a good way to help us decide; after all, we run based on the community.

Anyway we cannot pin a poll afaik.

2 Likes

Guys, seriously, wrap this up. Normies that seek our guidance don’t really care about the nitty-gritty of licensing: they just want a good enough solution that is preferably not a paid product.

If we cannot settle on a technical merit of the recommendation, maybe we can look at this in another way?

What does a “first, do no harm” solution look like?

2 Likes

This is such a tired argument that is reused all the time. PG does not allow tools just because they meet the minimum requirements. The tool would never pass community scrutiny, something I think you know.

This. Nobody has gotten close to coming up with a reason why open source meets that justification. Nobody has come close to justifying why open source should be a criterion. Honestly, a majority of comments should probably just be moved to the 1Password thread.

At this point we seem to be spinning our wheels.

4 Likes

Not sure how a direct quote can be a misquote. Nothing about the context you provided changes that, other than the logic you don’t seem to understand, which is that criteria are not the only barrier to being recommended.

So I was right.

Nord would never get recommended because it would not pass community scrutiny. This would not require a criteria change to prevent.

This seems to be what you misunderstood.

Hopefully we are both more clear on the issue. Thanks!

EDIT: always nice when the example we’re arguing over happens and I am again proven right.

3 Likes