Require Open Source for Password Managers

Maybe then polling IS the way to go. Can we at least do a poll with appropriate restrictions, one that can reveal the consensus over time? Pin it to the top of the forum?

Hopefully democracy solves what arguments couldn’t? (Although I detest voting for critical issues)

1 Like

I agree, and I’m not opposed to requiring password managers to be open-source. I would generally be in favour of such a change, but it needs to be done with special care.

2 Likes

This is what is being considered though. Bear with me, I feel like I have to diagram this but maybe this will make no sense lol

If we are in this imaginary world where we recommend IRC on the site and it’s the only option out there, we’re in a situation like this:

Then Signal comes along and the delta between the two products is highly significant, and very obviously warrants a criteria change. We make a criteria change and delist IRC as a result:


Now… when it comes to our current password manager criteria, I consider our recommendations originally were along these lines:

Eventually Proton Pass and/or Bitwarden caught up in feature-parity to 1Password[1], and are maybe even slightly ahead, but the delta between all of our current password manager recommendations including 1Password is quite insubstantial:

From my perspective, this :arrow_up: is the situation now, and the delta between our current recommendations is clearly not enough to warrant any sort of criteria change.

The only reason we’d want to raise the bar right now, I think, is if a brand new password manager came on the scene that was clearly worse than our existing recommendations, call it X:

If we were in this situation, I would say a criteria change is warranted in order to ensure “X Password Manager” isn’t added to the website, in turn maintaining the quality of our recommendations.


  1. Although in reality they haven’t, because 1Password still has power-user features like an ssh-agent, but that is beside the point.

5 Likes

Now that I have looked at it I guess I could have just summed it up as:

  • I am looking at the difference between our recommendations as they currently stand
  • You are looking at the amount Proton Pass has improved relative to where it began

…which I don’t think is a useful way of determining what our criteria should be, really.

2 Likes

3 posts were merged into an existing topic: Remove 1Password

Thanks for investing effort into the graphic. It does capture the point well. All this in consideration, would you allow Nordpass as a recommendation? I checked and it passes all minimum criteria. Or would it warrant changes in the criteria?

This is because I don’t understand the logic of the statement above. The criteria will remain unchanged unless a tool you don’t wish to approve reaches it? That is regressive outlook. Ideal is always progressive, cutting what is left behind. I can cite many password managers which pass criteria but are closed source, would PG add all of them or is 1Password a special case? The criteria should be so that no reasonable choice is left. But the only way to ensure that without reviewing every tool available is to keep tightening the criteria as tech and time evolve.

But again, the difference between our opinions is very fundamental. I think open source is a significant enough plus to warrant a change given reasonable alternatives exist, PG doesn’t. You also say that is the community consensus. I’d be happy to see the consensus in a poll since I have no way of changing the opinion part. If the consensus is against open source, I’d be happy to open cases for more closed source recommendations across categories.


Doesn’t matter if they still have vulnerabilities as simple as this: 1Password Vulnerability Let Attackers Exfiltrate Vault Items

Good point. Do point out where anyone implied security audits are bad, or 1Password has worse security and/or less audits.

Doesn’t matter. Goals and intentions can change, not just the financial condition.

Doesn’t matter, depends on subjective taste. Feature fullness and UI would disqualify every single recommendation. The way forward would be to shut the website and ask everyone to use the apple ecosystem.

It’s less “remove 1Password” for me, and more “raise the minimum standards”. I don’t care if it removes 1Password or whatever else. I don’t think anyone here is against 1Password as a company, and mostly are arguing for the standard.

1 Like

If you are saying open source software is safer than closed source software, then I can point to several Linux kernel bugs which existed for several years.

Being open source doesn’t mean bugs and vulnerabilities will be fixed overnight. And yes, having the most audits with remediations means it is more secure than the others, as well as bug bounty programs.

1 Like

I make no such argument about security anywhere. I am just saying “Number of audits is not directly proportional to security of the system”. Is that a decent argument to make?

On every new audit you can see if the previous vulnerabilities and bugs are fixed or not. So, they are making the software more secure.

But who ensures the new code doesn’t add vulnerabilities? Or that the audit missed something? Or if the auditing company does not have expertise to identify issues?

If audits were directly proportional to security, we would have close to invulnerable systems in no time, even accounting for diminishing returns, irrespective of the maturity of codebase.

I didn’t think this would be a controversial take lol. This is like compliance 101, the certificate makes you trusted not secure.


Also again this is becoming off topic. Can a mod split the above conversation into a new thread please. Thanks :slight_smile:

2 Likes

Yeah I never really saw it as anything not listed is an anti-recommendation, privacy is so dependent on your particular threat model that different tools are going to be best for different people. There’s so many great products out there, just because it’s not listed on PG doesn’t make it bad. I guess I always saw the recs on PG as more “highlights”, like here’s some criteria and the best tools that meet that criteria, why we set that criteria, etc so that the reader can see the process involved in picking out software that they want to use and be able to decide their own criteria that they want to go on. I don’t think anyone should view the recs on PG as gospel especially when the definition of what’s private varies so much from person to person.

3 Likes

Requiring open source software in the password manager section makes sense, considering how sensitive the data these services store is. I also think that Privacy Guides should attempt to encourage companies to offer open source solutions instead of signaling that closed source is just fine, which is what we are doing by continuing to recommend 1Password and Strongbox. So yes, if we would require this, we would have to delist 1Password, but we would also need to remove Strongbox, which I think is quite overdue and we haven’t been able to remove it otherwise. But I think this change has more to do with improving the section criteria instead of being a quest to remove any of the current recommendations.

The current open source options for the password manager category are already more than good enough for a majority of people and having some niche features such as SSH keys isn’t enough to justify the 1Password recommendation. I would argue that people who need this are capable of finding another solution that offers it. One reason for listing 1Password was also its superior UI and UX, especially when compared to Bitwarden, but at the moment, I would argue that Proton Pass has the more straightforward and easier to use UI/UX and Bitwarden is currently improving this as well.

And if we change the site criteria as follows, I doubt people would become concerned or confused about this because they could see in the requirements that Privacy Guides now only accepts open source software for this category, so 1Password wouldn’t just disappear from the site without a clear explanation that anyone can find.

5 Likes

@team would it be possible to pin the Poll so more people weigh-in?

We don’t make decisions based on polls they’re just for fun.

3 Likes

Idk, I think they are a good way to help us decide; after all, we run based on the community.

Anyway we cannot pin a poll afaik.

2 Likes

Guys seriously wrap this up. Normies that seek our guidance don’t really care about the nitty gritty of licensing: they just want a good enough solution that is preferably not a paid product.

If we cannot settle on a technical merit of the recommendation, maybe we can look at this in another way?

What does a “first, do no harm” solution look like?

2 Likes

Jonah did talk about community consensus. I’d assume polls are how it would be done, although I could be incorrect.

This is such a tired argument that is reused all the time. PG does not allow tools just because they meet the min requirement. The tool would never pass community scrutiny, something I think you know.

This. Nobody has gotten close to coming up with a reason why open source meets that justification. Nobody has come close to justifying why open source should be a criteria. Honestly a majority of comments should probably just be moved to the 1password thread.

At this point we seem to be spinning our wheels.

4 Likes

Please don’t misquote me without context. The passage just below Nordpass is:

It reflects poorly on you otherwise. The statement is clearly followed by what the specific logical issue is. But it’s easier to reduce arguments to whatever is easier to dismiss ig

Not sure how a direct quote can be a misquote. Nothing about the context you provided changes that, other than the logic you don’t seem to understand is that criteria is not the only barrier to being recommended.