> Also, I sincerely have no clue how a password manager could be so expensive. Last time I checked, the excellent KeePassXC was still free open source and developed by volunteers in their free time.
Because 1Password is easy enough to use that my wife and I can share a family plan without her getting frustrated. If one of us has a login the other needs, we can easily share it. When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
I've had the exact same experience. It took me about 5 minutes to teach my partner how to use 1Password and its been years since I had to help them use the app.
I've stopped worrying about password re-use or compromise. Now I'm teaching my kids to use it and they love it b/c they dont have to make up or remember passwords.
Yes there are other technically equivalent options but the fact I can get it setup on an iOS device in seconds and trust its used is worth every penny.
Agreed, Keepass file synced on Google Drive. Using this for 4+ years now with 0 issues. Syncs across desktop (Keeweb), Android (keepassAndroid) and ioS (StrongBox). Takes 5-10 seconds to sync.
Also zero need to give any application permissions to access my Google Account. Using native google drive apps on all services to sync the file (just using file picker dialogs with drive app installed).
Got my non tech parents setup on this. 0 questions asked once I set it up.
Also have my partner and I on the same setup...just works.
KeePassDX has its own keyboard that lets you securely input usernames, passwords, and other fields without exposing sensitive data to the clipboard (handy when autofill doesn't handle the field).
I tried both KeepassDX and Keepass2Android. In the end I went with Keepass2Android. I don't remember why I chose Keepass2Android in the end, but I can definitely recommend it.
I like Bitwarden too, but can't dismiss the fact that 1Password is superior to Bitwarden in many ways:
- Mobile UI is beautiful on 1Password.
- The UX from creating a password entry to auto-filling is easily better on 1Password. Bitwarden doesn't show autofill entries on login forms yet. That's a deal breaker, at least for me.
- Account recovery via a trusted family member.
- Additional security measure: private key in addition to master password.
Bitwarden has all those features you listed. I use it every day.
You can setup a trusted family member. You get a master password and private key incase you can't access 2fa. You can setup autofill entries. UI/UX are opinions.
You pay $40 dollars a year for Family, $10 a year for an individual. Cheaper than 1password.
I bought Lastpass when it was $12/year. Over the years and after being acquired, they tripled the price. I miss when technology used to decrease in price and provide better functionality.
Hopefully so, but I'd be willing to pay even upto 100 USD. I store a lot of things on 1Password these days that it's very hard to give up, and very convenient. It's not just passwords; medical documents, credit card details, passport, certificates, private notes.
BitWarden is not free if you compare apples to apples, and sign up for the same features including cloud hosting, 2FA, and family or enterprise accounts.
$620M isn’t for a password manager, it’s financing for a business with an enormous and growing user base.
Bitwarden is free for individuals and couples. So, it's free user-friendly (WAF!!) wise [0] in comparison to 1pass [1]. But much more important thing is the fact that bitwarden is open source and 1pass not. Closed source is deal-breaker for me.
"Crippled" is a big word. It does everything that KeePass would do, for example; it only falls short when it comes to sharing passwords among a group or family (you can send a secret via BW Send, but you cannot have a shared store unless you pay for Premium).
Yubikey and its likes are advanced features that the overwhelming majority of regular users will never need.
"Crippled" implies a degree of everyday suffering in the "cripple", or a downgrade from a previous state of health. The advanced features in Bitwarden were never free, in fact I think some of them were eventually added to free plans too. I honestly don't even want stuff like yubikey support, and could see that as feature bloat!
I don't expect everything to be free, I'm perfectly fine with the freemium model when the set of free features is reasonable - as, in my humble opinion, is the case with Bitwarden. So I wouldn't use a word like "crippled" when it's more like "normal for regular users vs enhanced for advanced needs".
I thought that it had all the same features, just not cloud sync. As far as I know the Yubikey is used for authenticating with their sync server. It doesn't actually help with the encryption
Bitwarden's free plan does have end-to-end encrypted cloud sync with no device limit. The free plan lacks TOTP support, but Bitwarden's $10/year plan does include TOTP support and is cheaper than 1Password's $35.88/year plan. Bitwarden is also open source, while 1Password is not.
I'm referring to Bitwarden Authenticator, which stores TOTP secrets and displays 6-digit codes like Google Authenticator does.[1] This feature requires a Bitwarden Premium account, with the $10/year plan being the cheapest option.[2] (Self-hosting through Vaultwarden is another option.[3])
This is separate from having TOTP 2FA on the Bitwarden account itself, which is available on the free plan.[4]
Well let me ask the much more obvious question, for something as important as protecting your passwords, why on earth would you go with a proprietary service where you have no idea about the security, that could take away your access at a whim without any recourse for you?
> Because much like privacy, password security shouldn't always be only a premium option.
So then who foots the bill? Password managers are the duct tape used to protect a user because we don't inherently trust application providers.
> proprietary code is a deal break for lots of people
Sort of. First, "lots of people" seems like "lots of people" because we're on HN. The wider population doesn't care whether your application is proprietary or not - they just want something that works. Apple's wall garden is proof of this. Second, you can still charge for a product and it be open source. An application being open source simply provides an audit log of the code and allows for "wisdom of the crowd" when it comes to bug and security issues. So yes I agree that having a password manager be openly auditable is a great feature, but I (and many others) likely would rather have the features of strong UX and known tenure (OSS tools get abandoned all of the time) then we would having an auditable source code.
Bitwarden does charge for certain features like TOTP support, organizations, and enterprise features. They manage to have subscription income while remaining open source, whereas 1Password chooses to keep its code closed source.
If you are saying that Bitwarden is worse because it offers a free plan, I disagree. It's nice that Bitwarden offers a security-audited* password manager to those who can't afford a subscription, who aren't ready to pay for one, or who don't have the means to make payments online. Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points.
> Unlike 1Password, Bitwarden is not pressured to deliver high returns to venture capital firms, and Bitwarden can focus on providing its product to its users at superior price points
Well said - and this is the important part of the 'non-proprietary' argument of mine (above) - right now I consider 1Password's real customers being their shareholders/investors, not its users - the users are just another tool they use to bring value to their real customers (investors,etc.).
> If you are saying that Bitwarden is worse because it offers a free plan, I disagree.
For the record, I'm not. The overall discussion was that charging for a product was somehow bad. Bitwarden does charge for their product, just at higher tier levels. My bigger point is that you do want a provider that is going to stay solvent so charging money (which Bitwarden also does) is not some perverse way of satisfying customers.
That’s likely because they are used to BW first and was learned at home. This sort of ”phenom” happens all the time and is not only about the actual product.
There will be exact examples of the opposite happening.
I'm looking forward to Bitwarden implementing multiple account logins ("client profiles") [1] on their roadmap [2], before doing a gradual switch away from 1Password. Any time now!
There is the WAF. There is also the part where when I evaluated KeePassXC two months ago, the browser plug-in would constantly desync and require a full page refresh and entering my master password.
With 1Password, I also have to reauthenticate all the time, but unlike KeePass, TouchID works.
BitWarden works really well for me, for example. It is FOSS and has hosted option; Has autofill plugin, android app, nothing required much in the way of configuration.
The only downside is that I can't currently use my privately hosted instance as passwd safe with the chrome browser extension. This only works for the hosted version.
So I can't habe autofill, automatic saving of new/changed passwords and password creation and also use the same vault for the mobile app (Android). The mobile app can access the self hosted vault without any issue.
I would love to fully migrate to self hosted bitwarden, but the browser extension irks me. Maybe it is possible and I am just too dumb to find the solution.
on the login screen, you have a gear icon on top left corner (at least for the chrome extension), there you can add the custom url for your hosted instance.
What about Bitwarden? Open source and has a free plan for two people. The family plan includes one more seat than 1password and costs 20 € less per year
This exactly. "Selling" a password manager to a non-tech person who either uses the same password everywhere or someone who writes weak passwords on post-its is a hard sell. It's a lot of added complexity and more importantly, a different way to think about passwords: you no longer know any of your passwords, except one for the password manager itself.
1Password does a pretty good job of this; as a user I do not need to worry about syncing the database, keeping an app up to date (the website is always up to date) etc.
I have, since the family plan was first introduced, also gotten my aging parents on the plan (so my brother and I — both _far_ from where my parents live — can assist when required) and my brother.
My wife has shifted from merely using 1Password to advocating the use of password managers in general and 1Password in specific (she had a letter read by Peter Mansbridge on his podcast a couple of months ago where she did exactly that).
Nerds continue to fail to grasp the value of UI/UX. This has always been why FOSS and similar solutions have failed to compete in the market in spite of being "free" and often technically superior.
UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
The importance of user experience is only growing as the world becomes more and more time poor and we move more and more into an "attention economy." Saving seconds counts. If it doesn't work instantly it's broken, period.
Here's two ways I can explain it:
(1) If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive. It only makes sense to do this if you have a lot of surplus time on your hands.
(2) If you have ten million users and make a UI/UX improvement that saves them one minute a month and you value their time at an average of $50/hour, you just created about $8.3 million in value since that's the value of the time you just saved.
A rule of thumb that I use is that every step required to do something halves adoption. So if you have a 10 step install process, only 1 out of 1024 people who look at your product will make it to trying it.
Every developer needs to have "user experience is everything" tattooed on their forehead.
Most users don't want to tweak anything related to their phones, tablets, computers, watches. If everything your app does, isn't reachable within 1-3 clicks/swipes/presses, then forget it.
Someone suggested using two versions KeePass files...one for shared passwords, one for not shared passwords. This is NOT a substitute for clicking Share Password and literally not doing anything else.
Someone suggested storing all your passwords in the browser. This is NOT a substitute for having all of your passwords available at the app level on your iPhone. This is NOT a substitute for sharing passwords with your whole family.
I have been hearing about how X11/MOTIF will "end the Windows/Apple hegemony" for decades.
I don't know how often I've heard "X Windows is just as good as Mac OS."
It's like when your vegan friend keeps telling you that "Falafel tastes just like beef."
They have never tasted beef (or they hated the taste), so they don't have anything to compare it to. X Windows is GUI, written by people that hate GUI.
What could possibly go wrong?
All that said, it's a crazy amount of money, and I really feel that the only real work the password manager needs, is to be rewritten in native. Electron is less-than-excellent.
They must have some kind of strategy that goes beyond just being a password wallet.
Also, for some software "everyone uses" like e-mail or an office suite, you can afford maybe some complexity or annoyance. The alternative "do not use e-mail" or "do not use an office suite" is a no go for almost anyone.
The alternative "do not use a password manager" is however totally common. So if you want to get someone with limited time or affordance for annoyance (like your wife) to use a password manager, the process of setting it up and using it better be very smooth and frictionless.
I made the same argument below but I was downvoted to hell.
Bitwarden is not an alternative to 1Password that passes the wife/parent/elder test because the UX is so bad they need to call me everytime something isnt exactly working as before.
Really? I use both (Bitwarden for personal, 1Password for work) and find the UI for Bitwarden to be more complete and consistent. Like if I want to edit a login item, I must open a new browser tab in 1Password. Not so in Bitwarden. I still can't figure out how to consistently trigger the workflow to add a new login for the current website automatically without opening a new tab in 1Password. You click "Add Login" in Bitwarden.
Agreed, I used lastpass in 2016 and tried to switch to keepass. I'm more than technical enough to use keypass and sync a vault across all my devices, but I needed this to be as easy as possible. I know myself enough to understand if something doesn't feel as easy as humanly possible, I'm much less likely to use it. A decent chunk of people are not like this, which is why I believe there is this huge debate over "Keepass vs 1Password". But anyway, I switched to bitwarden and the UX was more than good enough for me. It "just works".
I even started self hosting it this year and it continues to "just work" - although I don't recommend it to most people since I now have to manage a server. I was already self hosting a lot of other things last year (wanted to move away from google/apple services) so the "cost" of self hosting Bitwarden was negligible.
Anyway I know I rambled a lot, but just wanted to chime in and throw in my opinion about bitwarden
I really hope that Bitwarden improves their UI and UX, because I really want to like it. But their Collections and sharing feature is very unclear, especially once multiple people/orgs are involved.
I'm afraid to use it because they co-mingle everything in UI and I dont accidently want to share a personal password with another org.
Being worried of sharing a password accidently is very scary UX
This seems to be a general characteristic of enthusiasts.
To design a good car for people other than car enthusiasts, you have to hate cars or at least be able to place oneself in the shoes of someone who hates cars. People who don't love cars want a car that makes them think about cars as little as possible. The purpose of a car is to carry you from one point to another, not to make you spend time on cars.
Maybe it’s because Bitwarden’s UX is actually quite good? I found 1password’s to be substantially worse when I tried it a few years ago, especially on non-Apple devices. Perhaps that’s changed, but for something so heavily touted for being well designed, I found it to be very disappointing.
There isn't one. I will continue to say this, people will continue to ignore it, and the computing ecosystem for the average person will continue to be locked down by corporations that do not ignore it. Free, open, and privacy respecting technology will remain irrelevant outside enthusiast techie circles.
It's a bit like climate change. Scientists will warn, people will ignore, and then we will abandon Miami and will probably blame the scientists.
Excellent, problem solved. I was thinking somebody would have to contribute UI changes to an open source project, but it turns out flaming people on the internet is much easier.
I can't stand nerds that fundamentally can't learn this nuance. It's like the biggest blind spot ever. There are just so many of them in the tech industry working as software engineers, which is why we have powerful tools that are a pain in the ass to use. It makes me hate software engineers, and I am one.
> UI/UX is everything. Apple became the most valuable company in history on the back of UI/UX alone. Their tech is decent but not that much better than anyone else's, but their stuff is at least marginally easier to use and that's worth more than the GDP of quite a few countries combined.
Huh, to me it's both. The UI/UX wouldn't be worth shit if their software ate battery like it was free, crashed often, was frequently janky, hogged resources to the point of being a problem, or all the fancy features underlying their UX didn't work pretty damn well without user fixing or intervention. Software quality is part of why their UX is so good, not just design languages or whatever. You don't get their level of auto-magic if you haven't done a whole bunch of things very right in the underlying code & architecture.
They're far from perfect (practically all consumer-facing software is at least kinda bad, IMO) and one can point to a handful of duds that they just can't seem to get right (Xcode, for instance) but I'd put software quality as my number one reason for using them, and I'd point to that as an absolutely vital element in their UX being well above average. It's that combo that no-one else seems able to touch—in fact, it often seems like no-one else is even trying, and I really wish they would.
> Nerds continue to fail to grasp the value of UI/UX.
Or perhaps nerds do grasp the negative value of anti-patterns in UI/UX, and reject attempts to create interfaces and usage models that remove control from the user, create vendor lock-in, or compromise privacy and security.
I think a better way of saying this is that "nerds" (i.e. power users, the type of people typically on HN) want different things out of their UI/UX than the average user. That's the beauty of having different solutions to choose from: the power user is free to use something like KeePass, where it's not as easy to use, but you can set it up exactly the way you like; and the "normal" user can go with something like 1P or LastPass for more of a "set it and forget it" model. The average user doesn't care one bit about the things that you mentioned.
Absolutely; this is the key to the whole thing. It's explained at length in the classic The Design of Everyday Things. Nerds v. normies are given the monikers "Homo logicus" and "Homo normalis". The nerds value control, understanding, and are concerned with edge cases; they accept complexity, workarounds, and the need for preparation as the cost. The latter prioritizes nearly the opposite, preferring simplicity to control, and guaranteed if partial success for the need to understand/invest time.
I think you understate your case. A lot of nerds and nerd culture is actively hostile to making things easy to use and will intentionally erect banners and over complicate systems in order to keep "normies" out and make themselves appear smart.Its rather sad really.
I ditched 1Password in favour of KeePass exactly because of UX issues. 1Password felt too magical and did too much implicit stuff to my taste. KeePass is dumb simple and that's what I need from password manager. I hope that its UX will not change.
> If you value your time at $100/hour and you have to spend one hour a month maintaining something "free," that free thing costs $100/month. That's fairly expensive.
This is quite true, but the counterpoint is that nerds enjoy spending that time. We like opening the box, poking at the wires, seeing how the cogs fit together, and tweaking things endlessly. It would be a liability for a normie, but for a nerd whose interest is piqued it's a fun Saturday project. This is why FOSS survives despite the UI/UX problems.
Not the person you were replying to, but I completely agree. I had fun setting up my Raspberry Pi as a Plex host / torrent box / home server.
Where us hobbyists go wrong is thinking any large percentage of customers want to do that. Any amount of futzing is too much. Most people want it to "just work."
This is accurate. We charge twice as much as our competitor and we consistently hear from customers that UI/UX is a massive part of the reason they choose our system.
Copy that, on the family plan, works on all the devices that need it. We trust their shared vault technology enough. 1password is compelling. Not sure it's a billion dollar thing but it's good.
> When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.
How about you share one KeePass file for all shared passwords and keep another one for your personal ones? KeePassDX on Android can easily handle multiple files. I agree, it's not a perfect solution but it's rather low-tech and something the layperson might still understand.
I use KeePass everyday and I really love it. But I would never recommend it to a non-technical person over something like 1Password or Bitwarden. It's a great piece of software, but the user experience is about 15 years in the past.
It's funny you mention WAF because that's exactly what kept me away from 1password.
I loved almost everything about 1P but their reluctance to authenticate with keychain means it's a PITA for me, and an absolute deal breaker for my wife.
Has this changed or do you still have to enter your 1P password every time you log in or your session times out?
I agree with you that the 1Password UI is superior. I also didn't mean to imply that KeePassXC would be equal in every regard. That said, feature-wise, both of them solve the same problems for me.
But do you believe 7000 years of work is a realistic estimate for how much effort is needed for KeePassXC to catch up?
I'm using KeePassXC on my work computer and it takes around 30 minutes of maintenance every two weeks when the browser extension can't find the desktop app or bare functionality like "copy password" stops working and I need to reinstall.
I always thought the term was at least a little self deprecating; it definitely and doesn't mean "dumbed down so the stupid wife can actually use it."
There are a lot of technical enthusiasts and hobbyists, mostly dudes, who optimize for dumb parameters that nobody in the real world actually cares about. In this case, setting up a clunky, but fully open source password manager, when there are alternatives with objectively better UX available for relatively cheap (considering you use the thing many times each day).
In the home theater world, for a long time guys would brag about the disgusting monstrosities they've jankily hooked up in their living rooms, but a setup with high WAF means building something that's actually aesthetically appealing and congruent with the interior decor, hidden cords, not having to switch between 4 remote controls, etc.
But you're right - it should probably be SAF (Spouse Acceptance Factor).
Yeah, GP's acronym ain't great. But if you sub out "wife" for "significant other" or just "family" then you have to admit that this is a real phenomenon.
I use pass [0]. To me, it is the best password manager that I've ever used. Command-line-first, free & open source, built on git... it's great, and suits all my needs. From the perspective of someone who spends most of their day behind a CLI, it is "simple" and "just works" more than anything else.
But it's not going to work for my significant other, who is very intelligent but isn't a software engineer. They're not going to learn git so that they can manage passwords, and the app doesn't abstract away git enough for them to avoid needing learning it. Hence, despite its merits, it fails the "SO acceptance factor" or whatever you want to call it.
I wouldn't assume the phrase is casting a value judgement.
I hear the phrase from time to time in aviation. "Have to sell the first plane" / "Doesn't pass the WAF" / "Wife thinks owning two planes it too expensive." I have no reason to believe these folks are not in a loving relationship.
Same thing with email. Everyone COULD run their own email server but it's pretty clear most people don't want to. We also see it with tech companies running their own servers. Again they COULD runt heir own hardware (and some do) but it's pretty clear most companies don't want to. There are decades of examples of where people could run something themselves and having very strong preferences for using a centralized and more user friendly alternative. I don't know why we'd expect it to be any different here.
My wife has this problem. I have a bit more tolerance. There is no else I try to convince to use such software. WAF is accurate but because I don't run it by someone else.
>I, a computer programmer who has more than enough intelligence
>Stop blaming/shaming wives.
It seems like it is you who is equating tech illiteracy with intelligence, pal. There is nothing wrong with being technically illiterate (most people are) and I don't think GP is shaming his wife because of it.
If I may chime in, and sorry for acting like an annoying dude, but I also really dislike the term WAF. Of course the term makes sense if we look at IT and the world historically, but I don't get why in 2021 we still have to act like wives are tech illiterate by default, and also, what about women in IT who have tech illiterate husbands.
I've never seen a "share with family member" feature with a browser storing passwords. Also, this means I and all of my family members need to use the same web browser.
Using a 1password family plan is the only way I've been able to wrangle my parents across their slew of iOS, macs, Android, Windows, and Linux machines to stop typing in passwords.
I don't think browsers let you share passwords between users or multiple browsers. They probably don't let you store secure notes or add extra data about logins.
1password lets you share passwords with other people, even if they don't have a 1password account.
Because 1Password is easy enough to use that my wife and I can share a family plan without her getting frustrated. If one of us has a login the other needs, we can easily share it. When I evaluated KeePass, the Wife-Acceptance Factor (WAF) was not there, though maybe it's improved.