The audit doesn’t defend against malicious developers; it’s instead about making sure they’ve done things competently. You’re right, if they were malicious they could easily remove the malicious parts for an audit and then continue in their way.
Yes, but things could be done incompetently just after the audit, even without being malicious, and it would stay that way for a year.
And that’s why you do repeated audits. If they have done things competently for multiple years, then it’s safe to say that the dev team has gained enough trust to maintain their software over the long term.
Trust as a concept should be abandoned when it comes to security and privacy. Technical solutions are what people need.
If Proton would get rid of encryption, I would move on to another mail provider no matter how much I trust Proton, etc.
ALL tech is bound by trust; you trust your CPU is not backdoored, for example, as there is no way to verify it.
This is not a good comparison. If there was a backdoor in Intel or AMD CPUs, then military, hospitals, government, banks and everything else would also have that backdoor, and neither Intel nor AMD would allow that to happen; it’s just not a realistic threat.
Also, what choice do we have? We have no choice. Meanwhile with 1Password we can choose to replace it with KeePass, Bitwarden, Proton Pass, etc.
Using 1Password over KeePass, Bitwarden or Proton Pass is like granting root access to all of the apps on your phone just because you trust the developers. It doesn’t make sense; trust should be minimized as much as possible.
Yeah I think open source code with reproducible builds is a big step in being able to verify that the developer is not malicious.
Trust is part of a threat model. The degree of trust people are willing to give is variable. A slippery slope of zero trust is becoming a hermit in the woods, and while I don’t think you mean that, I’d say that trust is flexible depending on the person.
Fine, everyone can trust and use whatever they want, but 1Password doesn’t belong on PG recommendations, or we could also then recommend Gmail and Outlook for business because they pinky promise to not read or scan your emails in the privacy policy. One could trust Gmail and be fine with it; that doesn’t mean it should be recommended.
Alright. I’m going to stir the pot a bit, as I’ve been lurking for a while. I would like to propose that a minimum requirement for a password manager be that they have an active bug bounty program. This can help cover bugs or vulnerabilities discovered between audits.
I’m of the opinion that closed source can be ok as long as they have a history of audits and have a bug bounty (especially if they post at least minimal details of the bounty history like 1Password does).
- There are bug bounties for tons of software that are a lot bigger than what 1Password offers.
- A bug hunter could sell that vulnerability for more to the bad/dark side.
- They could also use that bug themselves.
A password manager would have to pay HUGE bug bounties, and bug hunters would have to be nice enough to disclose it to 1Password.
1Password may remain a sensible option for people who already use it, but I agree with the sentiment that continuing to recommend it will ultimately cause more harm in the future. For users looking for a new password manager, there is no legitimate reason to choose 1Password over options like Bitwarden and Proton Pass, and Privacy Guides’ recommendations should reflect that.
My “trust” with 1Password is that the business model of password managers usually goes against leaking customer data. Gmail provides enough utility that people look past the rest of the issues. Security exploits and leaks would greatly harm the reputation of 1Password. It is in their interest to not allow that to happen. This isn’t a strong degree of trust, but we also have the history of the application to keep in mind as well.
In general, I am for removing non-FOSS password managers. The devil’s advocate position is that I don’t think we should remove it because 1Password is necessarily bad, but rather because there are simply better FOSS alternatives with good enough UX and features at this point in time. Removing 1Password as a recommendation is really a celebration that FOSS alternatives can compete with a proprietary one.
No, all software has exploits and vulnerabilities. It doesn’t make sense to discard the company just because of it, so their reputation would be fine.
They can’t do anything about this, there is no such thing as flawless code and 100% secure software.
A reminder that there is already a discussion for 1Password.
This topic should have been closed a while ago, but if staff are going to keep it open, at least stay on topic.
To stay on topic the best I can, all of the issues you talk about also persist with FOSS software. Just because someone can view it, doesn’t mean it actually has been audited for issues. An audit will help identify issues in the current version, but new updates will need to be audited again. FOSS is not exempt from any issues or bugs that proprietary software has. More observability, but the bugs will persist.
The only time FOSS has any legal benefits to an end user is if it’s GPL based for client side software, and AGPL based for web applications. Everything else can be tampered with and given to you, though separate FOSS builds could be made (VSCode vs VSCodium). Even then, the only sure way to be the safest is self compilation. For those willing to do so, great, but the average user will not do that.
The fact is that 1Password is the password manager at issue when it comes to whether open source should be required for password managers. (Yes, Strongbox is also proprietary, but it’s far less popular, especially among novice users, so removing it doesn’t have the same implication(s).)
I am trying to make the argument that although there may be legitimate reasons for using closed-source options (i.e. 1Password) today, there is no reason to continue recommending closed-source options. Open-source significantly increases trust, especially within the context of a cloud-based password manager and when combined with reproducible builds and regular audits.
Continuing to recommend closed-source options when they are clearly inferior from a privacy, security, and increasingly a usability standpoint (email aliasing) makes little sense to me. I also think it makes the most sense to stop recommending closed-source options immediately so that new users stop adopting them, giving existing users plenty of time to migrate.
Also, the fact that Obsidian isn’t a recommended notebook:
Which has been discussed ad nauseam in like 3 different topics. I thought when @Lukas’s failed meme protest tool suggestion of NordPass died immediately, we would get a break from this.
@jonah already provided a very clear guideline on what would need to occur for the criteria to change, so I just don’t see the point in rehashing these same tired arguments.
Jonah isn’t the only team member.