This isn't really a typical Venture funding, and is definitely not a "Series A". Traditionally, at this point, 1Password would probably have just gone Public, without any need for venture funding. But, why go to the hassle of doing that when you can get most of the same benefits ($$$) without any of the pain (public reporting, SOX, etc...).
The VCs at this point would be happy with a 3-4x return, because the risk is minimal - companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail. So, if they picked up (for arguments sake) 25% of the company, giving it pre-money valuation of $800mm, all they really need to do over the next 3-4 years is build an $3.2B company, which, given 1Password's dominance/quality of product - should be relatively straightforward.
Their killer organic entry is: "Everyone" is already using them for personal password management, which means cost of training/installation/use is trivial to add the Enterprise element.
As a personal user, I consider 1Password the GitHub of password management - sure, there are lots of GitHub competitors, and you can roll your own - but, when there is one product that has completely nailed it - why bother going with anyone else.
I have been following this company for like 10 years now, if not more. 1Password is anything but a typical software company. When they were small, I forget the year, they emailed us (each) six licenses of 1Password as a thanksgiving gift. A small gesture, but clearly the courage to leave that much money on the table for a small startup is laudable. On the other hand, each of my friends who got it "free" wouldn't have considered any password manager (free or not). They had the uphill task of creating the market. I am sure all the recent password leaks helps a bit.
They sponsored Gophercon in 2018(?). I didn't even know they use Go.
Good luck to them and hopefully they will keep us from password disasters of the future. Now, if only I could convince everyone to use a password manager...
On Nov 23, 2010 (still have the e-mail in my inbox), they sent a "Happy Thanksgiving and 3 Gifts For You!" with free downloads of 2 books and links to give away a license of 1Password for Mac, 1Password for Windows, and Knox for Mac.
Small touch, but my office recently starting 1Password in large part because most of the competition only offer USD billing. While we can pay for services in USD, it's unpalatable given none of our own income or accounting is done in USD.
How did you do that? I can’t find a way to pay 1Password in € rather than $. Every year my bank is stealing^W taking a fee because 1Password is billing in USD.
These also have another distinct change beyond simply pricing, they're actually hosted in those regions. So .ca is hosted in Canada and .eu is hosted in the European Union.
The coverage for even the best password managers miss a ton of key touchpoints where they'd be useful. I use mine very reluctantly. This attitude of 'password managers for everything!' doesn't make any sense to me when half the login prompts I encounter aren't supported
I didn't feel it needed substantiation because I'm interested in discussing 1pass vs lastpass on a business level, not a technical level. I tested it over a year ago, so any complaint could well be out of date. I found it to have less features, was more buggy on android, and didn't really detect usernames and passwords on forms as well as lastpass. I used it for a few days and just couldn't come to terms with it.
I'm really surprised by that. I eventually abandoned Lastpass for 1password around a year ago because I couldn't handle Lastpass's bugs any longer. (And those bugs had eroded my confidence in their ability to keep passwords secure.) I'm also on Android, but the difference is probably that I use Firefox. LP has treated Firefox as an afterthought for quite a while now, with numerous serious bugs languishing for months or even years. Since moving to 1pw I've had very few complaints. The autofill on Android isn't perfect, but it's better than Lastpass was. And the desktop product is flawless aside from a bit of an Apple-centric design.
I use ff exclusively on android and pc/linux. I found 1pass to be inferior on android, but I also use lineageos so maybe that had something to do with it. I dunno, it might be worth another go but lastpass seems to be good enough for me. Even though it does have bugs, as long as I can get the passwords when I need it it's not a big deal for me. The big deal is making sure all forms capture and update passwords as needed, and lastpass seemed to be far better when I was messing with it.
> As a personal user, I consider 1Password the GitHub of password management
Ah, GitHub. The company which was bootstrapped and profitable like 1Password, but then took venture capital, became unprofitable, and had to sell to Microsoft. Let's hope they aren't the GitHub of password management.
GitHub being sold to Microsoft was a huge win for GitHub. They got acquired for $9B which is a staggering valuation - one they never would have gotten on their own.
Not only that, but the GitHub product is getting much better under Microsoft.
So overall I think it was a win for consumers too.
I think you are largely correct about this being a liquidity event vs series A funding; They are likely not looking at massive employee growth or marketing campaign as much as a way to unlock equity without going public.
This is good for users as it likely mean not huge changes to appease corporate overlords, but continues the sad story of limited young, profitable, small-cap Canadian tech companies available for outsider, passive investment. There are quite a few in the category of 10-15 years old, solid revenues/profit and founders that are ready to step back; most choose private equity or sovereign wealth funds investments in the 100M - 1B range over going public because of the hassle and reporting requirements. The average individual investor doesn't have access to these deals which is a shame because they tend to be established, profitable return generators. I don't blame the founders; I'd likely do the same route.
> all they really need to do over the next 3-4 years is build an $3.2B company,
I really did laugh out loud as you make it sound so easy. Having said that the money isn't in the consumer side, but the Enterprise. 1Password is only just entering this market and there are huge potential.
The potential is just as huge Apple and MS add “good enough” solutions. From a biz context, 1pwd is winning in its niche. But it’s just a feature the OS vendors haven’t prioritized from a technical context.
I am grabbing AWS keys from MacOS keychain and can access creds I save in iCloud from any device. Uh oh 1pwd
That is assuming your whole Enterprise is only on macOS, which I think none of the Fortune 500 companies are.
If you have cross platform to support, and want the best experience ( or I should say equal experience ) than a decent third party Password Manager is the only way to go.
I would have thought Google would be interested in this market, but ever since the birth of Android, all the wanted is Chrome or Android Integration.
Right now, it seems like none of the big guys provide interoperability on their password managers by design. Apple's works great for apps and Safari, but won't work on Chrome, Google only works on Chrome, Microsoft's doesn't work on an iPhone.
I switched to bitwarden from 1password when frustration with mac laptop hardware drove me to a thinkpad running fedora workstation as a daily driver and 1password's new stuff wouldn't run well in wine.
I run a self-hosted bitwarden server, which I love.
But the client is, in my opinion, not nearly as good as 1password. Its login detection is often disruptively wrong. The need to unlock the keychain each time you start a client is aggravating. The fact that the keychain doesn't lock itself when I lock the worstation is more aggravating. It's sensitive to server downtime when it should be able to work offline. The desktop app is either electron or something very similar and chews battery for me if I accidentally leave it running. 1password's secure notes are far richer. 1password's storage for software licenses is useful and bitwarden offers nothing similar that I've been able to find.
I'm not saying any of this to shit on bitwarden. I like it, and pay for it both in dollars to bitwarden and in time spent keeping the server running/patched. (Which I know is optional, but I really like having it self-hosted).
If 1password could offer me a decent linux desktop experience and a self hosted server, I'd switch back. I liked it that much better.
I have 1Password and Bitwarden on my screen right now. Bitwarden does not hold a candle to 1Password. There is no Watchtower or MFA availability notification. Yes, BW is a password manager, and that is about it.
Actually, Bitwarden does have its own Watchtower alternative; you'd access Data Breach Report in the menu, and it tells you which accounts need their passwords changed. I'm not sure if it sends a notification when a new breach comes in that includes your account.
Have I Been Pwned partnered directly with 1Password, which is probably why they're able to send out notifications directly; Bitwarden has to worry about being rate-limited.
I'm not too sure what's meant by MFA availability, but Bitwarden also lets you use it as a TOTP generator + use 2FA for logging into your vault, though those are premium features.
Those aren't core to actual password management though. Bitwarden is a very good password manager, and that's what it needs to be to fulfil its raison d'être.
If 1Password's claim to fame is functionality beyond password management, so be it, but that doesn't define it as better but rather broader scoped.
We actually use all those features in addition to password management. Our old password management strategy was an encrypted Excel spreadsheet. This creates problems, obviously. Management, at least to me, mean ACLs, reporting, auditing, and alerting. And that is on top of basic password management.
Bitwarden didn't allow Android fingerprinting when I used it a few months ago (limitation in one of their electron libraries) which pretty much ruined it for me unfortunately. Not sure if this works in IOS.
Bitwarden had a crappy (and slow) android app, a crappy (and slow, touch based interface, poor right click options, poor design, memory hungry, crippled) windows desktop app, and an OK (for a web app) desktop site.
It only beats 1Password on price.
If you don't want to pay for a fucking awesome app, good riddance to you.
Not any more. It used to be a no brainer, but they switched to cloud based subscription at great cost increase, loss of some features, and dark-patterned the native app into invisibility. Native is still available apparently, but you won't find it from the homepage, unless they were persuaded to change recently. Report an error in the native app, and they suggest switching to cloud subscription without addressing the error at all.
When my current native install of 1pw stops working I'll be migrating elsewhere.
Which until someone had to ask the question on the forum, having been unable to find any word, was not revealed at all on their main site, which was all about getting you on the sub. You wouldn't normally download the next (unlicensed) version on the off chance the buying mechanism has been quietly put in there instead. The former significant discounts for buying both phone and desktop, or Mac and Windows at the same time are gone too.
Hence it's there, but intentionally dark patterned to near invisibility. They would prefer everyone on the pointlessly expensive sub.
Yes 100%. I was a lastpass user for years but it always had its quirks for me. I switched to 1P within the last year and it is miles better and "Just Works", everywhere. I or someone in my house use 1P on Ubuntu, Android, iPhone, and macos, and it is a seamless and wonderful experience.
> Service Data (including Session and Usage data):
> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data ...
> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.
> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").
That's pretty much everything given they put an extension in your browser and can collect all of that info for every page you visit
> 4. Information Sharing
> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure
> Examples of how we may share information with service providers include:
The above basically says they share your info with anyone they feel like
So I don't know how you think my comment has no basis in fact. They spell out what they can do in their privacy policy. Why would they spell it out if they weren't doing it?
Compare to 1password (note I use neither service and am in no way affiliated with 1password but for comparison it's telling
> Your data is yours, and we don't want to know anything about it. We don't use it, we don't share it, and we don't sell it.
> We only collect the information necessary to provide our services and help you with troubleshooting. Personally identifiable information is never shared with third parties.
People on HN complain about Google collecting and yet we seem to have LastPass with access to all webpages you visit and also able to track every service you use them with an their policy basically says they collect and share your data (something even Google doesn't do. AFAIK google doesn't share data)
I tried 1Password before switching to LastPass in 2015 or so. I hated 1Password. Haven't had a reason to switch, as free LastPass covers my needs nicely.
Even if 1Password is dominant, it’s really in the bubble to think that most people use 1Password. Users are generally happy with their passwords syncing through Google or Apple.
The YC darling DropBox still isn’t profitable and probably never will be as they are becoming “just a feature”.
1Password will doubtfully never be profitable enough to be worth $3.2 billion. Whether they can pawn themselves off to the public markets first is another question.
It doesn't really matter if 1P is dominant across the whole market. It matters a lot if it's dominant across the part of the market that's willing to pay actual cash money for password management.
How did that work out for DropBox? Google and/or Microsoft could announce tomorrow that they are either giving the same functionality away or bundling with their Office product.
That’s originally what I said, if you define “success” as the original investors being able to pawn a money losing company off on the public market, it could be successful.
But if you define success as a company that can actually turn a profit consistently, Dropbox is not a success.
They’re selling Teams at $4/mo per user and I guess if they go after enterprise we’ll see additional tiers with features aimed specifically at that.
It doesn’t take too many deals with huge companies who need cross-platform to get to $200-300 million, and “worth” $3.2bn. Multiples from revenue have been a little interesting lately.
And as soon as they start moving into the enterprise, Microsoft is going to offer a good enough cross platform password manager and bundle it into Office 365.
People made the same argument with Slack. How is that working out?
I don’t know about Android, but iOS supports third party password managers through the extension system.
Slack has a $12bn market cap, therefore “pretty well”.
I think competition in this space is good but I use and like Slack over Teams.
I know at least two companies who pay Slack over $20MM a year, and have over 100k users provisioned onto Enterprise Grid, and who are also happy consumers of Microsoft Office 365.
Most people I know who use password managers beyond Chrome/iCloud use LastPass. All the companies I have worked for in the last 7 years have used it too.
I switched from LastPass to 1Password earlier this year (after 5+ years of use) due to issues with LastPass stopping sync.
1Password fixed that and numerous UI glitches around the actual password filling in that I was just living with. It is night and day a better experience ... and no invested interest in them (unfortunately!)
Similar situation here. Also, anecdotally, I recall hearing numerous tales of people making that switch, but few to none moving in the other direction. (Which doesn't surprise me at all having experienced both products.)
So what is to stop someone else who wants a slice of that 3 billion? We have AWS and Keepass (though it is GPL) for anyone to quickly implement there own competitor, or the already-huge userbases of Google, Apple, and Mozilla's implementations. With such a low barrier to entry, won't it become a commodity? And aren't we moving away from passwords as a whole?
1Password is slowly starting their enterprise game. All employees were offered 'free' 1Password accounts last week for entire family as long as I'm with my current company.
At the smaller level of things I see similar bets in what Earnest Capital and Tiny Seed are doing: non-controlling amount of investment in a profitable company to make a return higher than standard but with a less crazed risk profile than traditional venture capital.
> companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail
What happens if Apple implementes their own native password manager into macOS and iOS? I know I would switch to Apple's native assuming it worked as well as 1Password.
Apple have had that since iOS 11 with iCloud Keychain. It suggests passwords for websites on signup, and offers to save them if you log in. It even correctly offers the password you used on a website when logging in on the native app equivalent for the site.
I work for a company in a similar position, which recently did a funding round like this for the sole purpose of letting some existing employees get some cash for their equity, since an IPO is a big question mark.
They might have great software - I don't know. But personally I absolutely refuse to use a paid option for a service of this type. There's just too much risk. What happens if my credit card expires and I forget to update/pay? Or I get hospitalized suddenly and there's a similar payment issue? Is my account just closed and everything deleted?
Then there's the risk of me putting everything in there and them jacking up the price. I'd either have to eat it or manually migrate everything.
There are other concerns as well. And I'm not saying I think they are dishonest. But when there are open source methods that are free and battle-tested for security, I see no reason to go with a paid option.
> Your data is yours. Even if you cancel your subscription and your account is frozen, you can still sign in to 1Password.com or in the apps to view and export your data.
If you are already liking KeePass I highly recommending KeeWeb, which is what I'm using. It reads a KeePass database and the desktop app web app are great in my opinion. And everything is free. Web app also caches in the browser and syncs to Dropbox so everything can sync between mobile and desktop.
> What happens if my credit card expires and I forget to update/pay?
I paid for it once and then used it for years and years without updating. After a few years the browser extension stopped working (was no longer compatible with current browsers) so I decided to buy again. By this time they'd moved to a subscription system and I have no idea how it works.
It used to be simple... there was an app, and if you stored the password file in Dropbox, you got cross platform support. But now the UX is terrible. I don't know where my passwords are stored, I don't know if the entire thing will stop working if I stop paying, etc. What a shame. I used to recommend it all the time but since the update there's no way I could recommend it to anyone I know who isn't a techie.
I basically do that - my core database is encrypted on Dropbox and I use a desktop app and web apps for mobile via KeeWeb which is free. KeeWeb on desktop also backs up locally in the event anything ever happens to my dropbox access, but Dropbox is the central sync point. The web app connects to Dropbox and since it's a web app there isn't even a need for the installation of an Android/iOS app. I just keep the webpage up at all times. The app is cached by design and doesn't send external connections.
If you asked me about 1password a few years ago, I would agree with you. Ever since they went to the cloud, I stopped using and recommending them to friends and family.
I now use Keypss, which is free and doesn't require the cloud.
The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people. It's a way for them to make more money, which is fine, but I really don't think a cloud-based password solution is necessary.
Edit: The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
> The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
I was going to just disagree with you without downvoting, because I specifically was looking for cross device sync and mobile support (and specifically looked for a mobile app that supported using FIDO as a second factor to protect the vault.
However, attributing downvotes to employees/shills shows an inability to consider that there may be a good counter argument.
I appreciate the subscription model, since it aligns with the fact that secure products must continue to be developed to stay secure. Security is a process, not a destination.
I used to feel very differently about this as a consumer, but when you see things from the other side as an ISV, it's obvious that a one-time fee isn't a sustainable business model - if you want the software to remain available, you need to pay for the duration.
A SaaS model works well for both sides, I think - consumers always have the latest version and their data is highly available and safe against local events (storage failure, fire, flood etc); the business has (relatively) reliay income stream.
The duration of the isv cloud contract you mean. I have ple ty of perfectly running applications where the vendor has long gone. Also, i hate paying for a relatively small feature such as a password manager. Keepass on a webdrive offers the same for free and i get to look at the source as well which in my opinion is a requirement for something zo fundamental.
> I have ple ty of perfectly running applications where the vendor has long gone
Hmm, thinking about it, for simple image editing stuff I still use a version of Paint Shop Pro from something like 10-15 years ago, and it still works great.
I think then that it depends on the kind of software, and the expectations of the user: is it beneficial to store data in the cloud for easy access from multiple devices?; do you want security updates? do you want new features?; do you want support?
I also use Keepass, with passwords stored on a cheap VPS using SFTP. Works great on Android with Keepass2Android too. But of course, this is not something a general comsumer is going to setup.
> I think then that it depends on the kind of software
I agree completely. I never want to pay more than once for Photoshop/Illustrator/etc. -- and the fact that Adobe has turned those into SaaS products really annoys me.
But products like an OS, browser, cloud-synced password manager, mail client, online git hosting, etc. -- for those, I would prefer to pay a subscription fee (to a company I trust to use it well).
well, I can attribute to anything, if there is no explanation.
When I first posted this, I had multiple down votes in the span of a few seconds with barely enough time for someone to read or even process my comments. It just seemed very suspicious.
That’s why you create a free Dropbox account or just use your free iCloud account. This is even what 1Password used to recommend as part of its setup, if I remember correctly.
I’d it was simply storage, the. It would be an add on, but it’s not. It seems like it’s more of a strategy to increase cash flow by converting to ongoing subscriptions instead of one time purchases. This is the same motivation that switched MS Office and Photoshop over to subscriptions. There’s no compelling reason to upgrade, so you get people to fork over a credit card and forget about their reoccurring charge. Cash flow becomes more predictable and possibly increases as well. This why service contract / subscription businesses are popular among investors.
I don’t blame them for trying it, but let’s not pretend this is good for users.
Man you aren't thinking deep enough. Just set up your own FTP server!
The truth is that my grandmother needs a password manager and she barely understands what minimizing a window does. "Just store your vault in dropbox" is friction and that matters much more to the huge majority of users than the fact that the vault is stored on a cloud service.
Yes, completely agree. Dropbox sync has lots of gotchas and edge cases, and was particularly bad if you edited files on multiple systems (my workstation and laptop, for instance -- I use both interchangeably depending on what I'm doing).
I can understand why 1Password built their own sync service instead of playing whack-a-mole with different cloud storage providers' quirks.
So what 1password used to do was charge a higher application fee (think it was like 40 or 50 bucks?) and then also would charge again for larger version releases. Apple (which was/is the largest part of the user base) does not provide a way to do discount pricing on upgrades, and they do provide discounted cuts on their take for subscriptions after the first year. So they absolutely were able to drop the cost to end-users after all of that was factored in, although there are users who have to pay more (people who would stick on old versions). But that’s a nightmare / costly to support, and creates misalignment.
Anyways all of that said, the 3rd party sync solutions all suffered from varying degrees of funkiness that just don’t exist with the native solution. Their switching to monthly pricing was, objectively, very successful and didn’t cost majority of users more money. But there are a small number of people who it rubbed the wrong way, clearly, but any business action is bound to piss some small number of people.
>It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server.
So? You can put the database on gdrive, icloud, dropbox, or any cloud service you want. I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive).
> I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive)
Many do, many don't.
Even for those that do, there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
I mean, I'm with you in that I'm personally pretty skeptical of the cloud-based pw solution. But I can absolutely understand the story about a much simpler user-experience that it offers.
>there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
>Many do, many don't.
I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
> Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
It's literally twice as much work. Often more, because I need the password to the sync app's service. Where's that stored?
How many characters is it? Oh, it's a secure, 20-32 character password. What a pain to re-type it. Good thing it uses a ton of symbols which are a pain to type on my mobile keyboard.
> I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
It's not "people who don't know how to manipulate files", it's "people who don't _like_ to manipulate files, and external services, and get them onto all of their devices".
Further, I expect the proportion of the first circle is constant and relatively small (<10%).
I expect the proportion of the second circle _was_ small, but is growing extremely rapidly.
> What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
Or no app, just add the browser extension and you're done. Seems a lot easier to me than downloading two other apps, one I have no use for other than syncing the other one.
Or you can build your own pc from open market components, or maybe build your own components by designing your own pcb and sourcing the chips, and write your own drivers, or... etc.
Some people don't want to roll their own. You may, or may not agree with the concept of a fully managed solution, but for any non technical user, they want it to (borrow a phrase) "just work".
Couldn't agree more -- I have limited time in my life, time I don't want to spend maintaining absolutely every service I use. Very happy to pay someone else to build good software and make the pain go away.
I'd wager thousands of dollars that less than 20% of internet users understand this to the point that they won't blame others if they screw something up.
It's cloud-based so they can hold your data hostage and charge a subscription fee.
The cloud synced updating features you're talking about work fine for me already with 1Password's iCloud-backed syncing, which is how most Mac and iOS apps sync data, it's just in that model Apple has control of my data, not 1Password (and I don't pay a subscription fee), so they make it incredibly difficult to configure that way.
Wha..? I'm totally not following, iCloud syncing is completely transparent and built-in to 1Password. There's 0 extra work to support it (outside of finding how to turn it on, because it's buried in the UI), there's literally less work than 1Password's own subscription service, because that requires setting up an account whereas iCloud doesn't.
You can use iCloud without an account? Is iCloud available outside of Apple ecosystem? Otherwise it doesn't seem very relevant since its not a general solution.
Yes, you're right, this only works for Apple devices, so going cross-ecosystem is definitely a benefit of their subscription service! I disagree on that meaning it's the iCloud solution is irrelevant though, skipping the $36/a year, and the additional control over your data not being on a subscription entails, seem like relevant benefits for the people who fit those requirements!
Agreed, those are advantages of the 1Password subscription service. My opinion about 1Password wanting to migrate people to their subscription service for business reasons is based on reading forum threads over the years to figure out where they've buried the option each time there's a new version. E.g., there are two ads for their sync service on the page that describes how to use iCloud[1] (they've toned-down the messaging a ton these days, that support page didn't used exist, and the forum support thread were banging the 1Password Cloud Sync drum much harder than they do today).
Note also I'm replying to this comment "It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server." Seems relevant that "cross-device updates" don't require a server (at least among Apple devices)?
> Ever since they went to the cloud, I stopped using and recommending them to friends and family.
The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
1password had (maybe still has?) integrations with services like Dropbox where your vault would be stored on a 3rd party service like Dropbox to achieve the cross-device syncing your describing.
IMO this was the more secure implementation (assuming 1password was only storing fully encrypted files on your 3rd party cloud preference) - even if someone broke in your Dropbox, they can’t decrypt your passwords without your master pass.
An end-to-end cloud solution provided natively by 1pass is much more user friendly and easier, but requires putting an order of magnitude more trust in 1password’s security architecture (which of course is closed source).
The fundamentals are still the same, everything is encrypted with your master password before being sent to 1Password's cloud. So even if someone infiltrates 1Password's storage, all they get is encrypted files, same with Dropbox.
If that’s true, than the point I made about better security with Dropbox is moot.
As an end user, it’s abundantly clear that all encryption/decryption is done locally when using the Dropbox integration since you can see the files directly in your Dropbox. I guess I didn’t make the same assumption about the 1pass cloud service for some reason.
Just adding to this accurate statement, you can also sync a vault in iCloud. So there are at least three syncing methods:
1. 1Password Cloud
2. iCloud
3. Dropbox
And at least 2 and 3 can be used simultaneously, which is what I do, with my main vault in iCloud, and temporary vaults, e.g., passwords for a particular job, in Dropbox.
> 1password had (maybe still has?) integrations with services like Dropbox
It's not as seamless as having the functionality built-in. You have to deal with logins, authorizations, etc. I wish it could be as easy as "Do you allow 1Password to use Dropbox? (Y/N)".
> The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
That isn’t the whole point of 1PW though, or at least it wasn’t at the beginning, as I saw it. It was a way to avoid having to remember a unique, secure (read: probably hard to remember) password for every service that requires one. A place to store them all so you don’t have to remember, or worse, reuse the ones you can remember, and/or use easy-to-remember ones (read: less secure). It’s in the name: one password gets you access to all your passwords. Automatic form filling and cloud sync are definitely selling points and certainly convenient, but they are also risk vectors. I’d not call cloud sync essential; I get by fine without it. I just use the WiFi sync option.
If the goal is to avoid having to remember strong passwords, then a strong password generator + a paper journal is resistant to more threat models and should be preferred.
Password managers without transparent sync and autofill UX are a half-product at best.
It’s probably similar but I’m not convinced it’s preferred. If I lose that journal anyone can read it. If I lose my computer it is most likely locked already, and if not it (as well as 1PW) autolocks itself after a short time.
Also like I mentioned elsewhere, I do sync my vaults, but only using the local WiFi option.
There are nearly infinite vectors to exfiltrate files from your computer, the vast majority of which are currently unknown to you, and would be entirely undetected. And what's more, most of those vectors can be done from anywhere on the planet.
There is only one way to exfiltrate information from a notebook, it requires physical proximity, and it's very likely that you would notice.
Every rational threat model for almost every human on the planet (excepting perhaps major political, cultural, or economic figures) would conclude in the paper journal being the better (safer) choice.
The pain of doing that is nonzero, but much less than the pain of keeping the passwords synced manually, or through an intermediary like Dropbox (permissions, having Dropbox installed and running on my phone, etc.)
I'm not in a rush to put the holy grail of my personal info into someone's cloud service that I can't manage or securely delete. I think that KeePass + [Dropbox,Google Drive,etc] is the best solution. You can easily get these files on to your phone for passwords on the go.
> You can easily get these files on to your phone for passwords on the go.
Something like 80% of the value prop of my password manager use is one-tap login (with FaceID) on mobile.
Handwaving this away is failing to understand the product and market at a fundamental level.
edit: literally a paper notebook with my passwords written in it is a better solution in essentially every dimension than a non-syncing password manager.
I definitely see the benefit of storing my passwords locally and not some single point of failure, but I also wouldn't ever claim it's simple or even a good solution. It does help me ease up on creating new account to places I don't need because I think about having to create and sync up a new password between my devices.
How is that a single point of failure? You have downloaded copies on all your devices and the database is encrypted with your own master key, so even if 1Password is hacked there isn’t really a problem, just like LastPass hasn’t died when it had one.
The concern, which is fair, is that 1password's cloud is a target. And those targeting it have only one intention, which is to steal people's passwords and other information stored in the 1password cloud. In contrast, of course using the dropbox sync approach with 1password does put your information in the cloud as well. But, it's in your personal dropbox account. That dropbox account could absolutely be hacked, but very unlikely by someone with such clear intent to steal your 1password vault. Basically, 1password's cloud is the ultimate target, and your 1password vault in your personal dropbox account is not.
> As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
Just store it in your regular sync solution. Syncthing works great, and I don't remember any issues with Dropbox back when I used that. I'd imagine that iCloud or SkyDrive would work fine too, for the masochistically inclined.
and the reason I went to their cloud solution, is so that I can sync passwords between my iPhone, Mac, PC, and Linux machines. It's $35.88 for an entire year of something that I use constantly, every day, and it works perfectly.
Agreed. It's so nice updating/creating a password on desktop, and being able to use it immediately and seamlessly on my phone or other machines.
This seamlessness is also critical for my less-technical family members on my plan. They want the better security, and recognize that a password manager is necessary. But if it was a pain to use they wouldn't put up with it.
For me, the sync has been less than perfect (Windows + Android user) on more than one occasion. There used to be a force sync button way back when, but it has since been removed as far as I can tell.
I had to Google a workaround (creating a dummy secure note was one workaround) for the times the sync wouldn't work.
I asked why there was no Force Sync button on their support forums, and was told that they took it out because they want their paying customers to report sync issues with an error report instead of giving them an instant fix via the button.
Needless to say, as someone who has been using and paying for 1PW (upgrades and subs) since around 2008, I was not impressed with that response.
To me, the Windows and Android clients seem to be second-class citizens compared to their Apple counterparts.
I agree that the DropBox integration isn't for everyone. Even if you have just Macs and iOS devices as I do, DropBox is much more expensive, so it's not worth getting just to sync passwords.
But on the other hand, for users who have DropBox already—possibly because they aren't using Linux—this does allow them to sync passwords without paying another $40 a year.
The cloud storage isn't mandatory. Just keep using Dropbox (uhh, a different cloud?) if it bothers you. This is what I do, along with a perpetual license.
1Password needs to rename their service. I have told non-technical people "oh you should really use 1Password", have have them respond "Oh I do!", only to later find out they meant they use "one password" for every service, the exact opposite of the right thing to do! It is seriously some "Who's on First?"-level bullshit that leads me to have to be incredibly meticulous and careful when recommending their product.
Imagine naming your product "'password'-as-your-password" then telling people "Oh you should really try using 'password'-as-your-password!".
Am I the only one who considers this a good thing?
I recently started using 1Password, and I love it. I finally jumped in because a colleague gave it glowing praise and my company gave us corporate accounts. After using it for a week through my company account, I created a separate personal account for myself. I happily pay a monthly subscription because it is a service I benefit from daily. It also lets me neatly manage personal and company accounts easily, from the same interface, while still keeping the vaults separate.
I see this as a good thing because someone will become the password manager for large companies, and that someone will likely become the password manager. I'm glad to see it's likely to become a service that I think is a good one.
I understand people are worried that the personal use will suffer, but I don't see how. (I understand why people say that - less emphasis on a smaller market - but I don't see how since the corporate offering is basically the same thing as the personal one, to an individual user.)
> Am I the only one who considers this a good thing?
This company over the years has, multiple times, basically ripped the rug out from under its users (moving to online vaults, hiding native app, switching from a single fee to monthly charge) so I really don't see it as a positive.
From comments in here it seems like they'll be focusing on Enterprise. That just leads me to assume they'll listen to consumer feedback even less.
Aren’t all your examples things that happened at the same time or basically because of one shift? The switch to being a SaaS? So that’s just one time really. The events may be spread out a bit, but it’s really just one event to me.
What do you mean native app? I use the native apps all the time and it’s a pretty prominent thing that you get redirect to when you press get started on their front page
They make it incredibly difficult to still pay the one-time fee for the software vs. doing the monthly charge. Like, hiding it. They have threads on their support forum of users complaining how deceptive it is. It's clear they want your vault on their servers and you paying the monthly fee instead of using Dropbox and paying a one-time fee.
Right. So that was one time they did a shift. And they slowly phased out the one time product which was a strategy they were employing from day one. They didn’t pull rug out from under customers more than once then.
That isn't what the definition of a native app is. They still have native apps, they have effectively deprecated the dropbox sync / local vault features of the app. And single pay licences are going to go away soon.
You are not the only one who considers it a good thing. I love 1Password and the team behind it. They already have a solid team-base offering, and giving them more resources to help improve their enterprise offering makes a lot of sense to me. I can _imagine_ the personal use suffering if they determine that's too small of a slice of pie, but I'll reserve judgement rather than assume that will happen and get preemptively disappointed.
Am I the only one who considers this a good thing?
Why do you see this as a good thing - what good will come of it for you? You’re describing a tool which already does what you want;
With this investment, 1Password need to squeeze half a billion extra dollars out of you just to give to investors. What is it that their tool doesn’t do for you, which needs that kind of trade for them to be able to build it?
Because I want them to continue to exist. They provide a service, not just a software product. This makes me even more confident they will be able to continue providing that service for many years.
I haven't tried to find out from their finances, but this move would worry me; I'd assume that previously they were independent and profitable, and that now they're on a deadline to generate a lot of return on investment and most likely future is to be acquired in a single digit number of years and then absolutely ruined by the acquiring company (because that seems to be what acquiring companies do - buy things and wreck them).
Well, as anecdotal data, LastPass got acquired by LogMeIn a few years ago, and since that time, it has introduced practically no new features, yet the yearly membership price has risen from $12/yr to $36/yr.
That's what happens when the scrappy young company with a valuable product gets acquired. Research and Development stops, Rent-Seeking skyrockets. Every time.
That's not actually what happened here, not to say rent-seeking won't happen in the future. R&D stopped well before acquisition, and since acquisition the main focus has been making the product scalable, reliable, and expanding to business users.
I can only assume based on your comments here and on other threads that you work/ed for LastPass, so I appreciate any insight you might lend.
I am still struggling with the idea that a company that was profitable selling licenses for $12/yr needed to then rise to $24/yr and again to $36/yr within the span of two years and somehow not be considered rent-seeking. You said this is to cater to enterprise users, and yet it's not the enterprise users that are bearing the brunt of the price increase. Absent any visibility into company workings, this feels like corporate overlords acquiring a product and declaring, "You are profitable, but our shareholders demand at least XX% profitability, so you need to make more profit, effective immediately."
> I see this as a good thing because someone will become the password manager for large companies, and that someone will likely become the password manager
A) 1Password was already well on its way to doing this (a lot of large companies seem to be using it);
B) I'm not sure that it follows necessarily that the largest corporate option will become the largest consumer option.
I've been a customer for 10 years (coincidentally, I checked email and I downloaded it from the iOS app store 10 years today) and very happy. The two things I'd love for them to fix are:
1/ Make the Windows version feel more like the macOS one. I switch between the two OS's all the time and it always feels jarring to open the Windows one after using the other.
2/ Add an option to cache everything locally. My phone has plenty of storage and there have been a few times where I have been with cell service or wifi and unable to pull down a document or credential I have stored there.
Mostly though I love it and can't imagine what life must have been like before password managers.
Personally I like that macOS and Windows apps are different. Those are two different platforms, with their own design paradigms, human interface guidelines, etc. They should have different versions, tailored specifically for the OS they're running on. I don't like apps, usually Electron- or something like that-based, that are exactly the same on all platforms, because they feel out of place on all of them, IMHO.
Thats fine and all but there's some things the windows app just doesn't do or do well at all compared to mac. Searching is one of them, along with being able to use 1pass x with the desktop app for auth.
I'm just amazed that they have so many employees yet their window and browser apps are still really lacking.
Side nitpick: it's annoying that they're moving to 1Password X. I really don't want to run the desktop app AND an independent version in my browser. It's not as bad on mac since it can communicate with the desktop app to unlock, but on windows... ugh.
I use the desktop app and browser companion extension on both Mac and Windows. AFAIK, it's not going anywhere, even though they are promoting 1PasswordX pretty heavily.
Yep understood and I agree with most of that. It's been a gripe of mine for a while but I went back now and compared the two and the Windows one, IMHO, is much improved.
Certainly thankful in any case that there is a Windows version and I don't have to manually transcribe from my phone.
I'm pretty sure you can access all your passwords offline. So not sure what os/version you are using... but you might ask 1Password support about why that's not working for you.
Perhaps you are correct, I think the situation might be this:
1. Add a new 1Password item on device 1
2. Do _not_ open the 1Password app on device 2
3. At some point/the next day or whatever, device 2 goes
offline
4. Now, while offline, you do not have access to the new item on device 2 because data wasn't synced because the 1Password app hasn't been opened after #1.
The problem seems, 1Password doesn't sync the data in the background (iCloud in my case.)
However, if you did sync by manually opening the app while online, all data will also be available offline later (including attachments.)
Interesting and sounds very plausible. Typically, for example, I'll add a travel doc for a trip on my desktop and then try to open it in a different location (often country) on my phone for the first time.
Maybe worth me submitting a feature request that facilitates making checked items available offline (like I think Dropbox/Google Docs iOS apps support).
I feel like I've spent an absolute fortune on 1password over the last decade. I'm pretty sure it was, what, $70 when I got it 6+ years ago? Now I'm paying monthly (2.99 or 4.99/mo x .. 3-5 years?) which is pretty ironic considering a lot of us initially left LastPass to go to 1pass because it was 100% offline (I'm aware you can do local vaults still). At least the QOL updates have been coming faster lately, especially with Android.
Anyway, very curious what this means. I'm sure there's a ton of features I've not thought about in years it could use (like LastPass's IP/region blocks) but 1password has never felt like it was a fast moving feature company. Maybe this will get us that.
Kinda feels like the Wal-Mart episode of South Park, where they burn it down and all go back to shopping at a Mom-and-Pop shop: the M&P shop grows to keep up with demand, gets too big, and then they burn it down again.
It seems that the fate of every decent Password Manager is to be acquired by some rent-seeking company and have its userbase gouged.
I suppose we can all start packing up to make the move to Bitwarden. Until it's bought.
Very frustratingly, there's no Linux client and they recommend 1PasswordX for Linux users, which doesn't allow offline vaults, pretty sure it _requires_ 1Password's online service.
I was actually really impressed with 1passwordX, it made me switching off of OSX almost a non-issue but you're right, I didn't realize it didn't support offline vaults. They really don't like that.
It also does not allow you to export, so unless you're willing/can use the osx/windows version, you won't be able to migrate away from it. I personally solved this by writing a short bash script that uses the 1password cli client to dump the json of everything for my backups.
What is the draw to pay a subscription for a product that you have to write scripts to use, when there are free/open-source alternatives that offer a full client (like KeepassXC)?
I pay for 1Password to have the sync to work between Android, Ubuntu, Arch Linux, Windows and macOS which is the systems I usually use. KeepassXC and alternatives mention nothing about syncing passwords or tells users to self-host their syncing. I'd rather pay a company to do that for me, at least because they will probably be able to do and maintain that setup better than me.
Although, it does carry the trade off of me being reliant on a third-party for my password-sync and that I have to pay. Currently it's worth it for me.
I currently use KeepassXC hosted on Dropbox, which takes care of the sync for free. And mobile apps like Keepassium or Strongbox integrate them directly.
I switched to Bitwarden three or four years ago because of the lack of a native Linux browser plugin. I used their Windows plugin via Wine but it was just a crappy option. Bitwarden does a good job.
I bought the family plan (5 licenses, I think) for $100 back in 2013. I can't upgrade past 1Password 6, but I'm ok with that. It works well enough that I can't justify a subscription just to get a few of the newer features that I probably will never use.
I'll probably have to switch if/when the firefox plugin stops working, but hopefully that won't be any time soon.
> I feel like I've spent an absolute fortune on 1password over the last decade. I'm pretty sure it was, what, $70 when I got it 6+ years ago? Now I'm paying monthly (2.99 or 4.99/mo x .. 3-5 years?)
Our pricing intuition around software is so weird. That's $370 over six years. If you went to a theater and watched a movie alone every couple of months, you spent more on tickets than you did on 1Password in that time.
I mean one is giving me tons of entertainment and one is opening an encrypted file on my machine and has a lot of alternatives and was already considered overpriced. If you asked me 6+ years ago if I'd pay for $370 worth of 1password for 5 years I'd laugh you out of the room.
It's a lot easier when it's a monthly fee to get that money out of me.
Saying that $370 is not a lot of money shows just how far removed the tech bubble is from the rest of the world.
"Four in 10 adults in 2017 would either borrow, sell something, or not be able pay if faced with a $400 emergency expense."https://www.federalreserve.gov/publications/files/2017-repor..., page 21. That's a lump sum expense, not paid over time, but I think it illustrates quite well that $370 is a lot of money for something most people don't even know they need.
This is not an unexpected, one-time $370 expense. It's $370 spent over six years.
According to CBS [1], the cheapest city to live in in the US Harlingen, Texas. The Nacho Supreme at Pepe's "homey" Tex-Mex "joint" [2] is $9.95. If you can afford to treat yourself to a plate of those nachos once every two months, then you could have afforded to secure all of your passwords.
4/10 is surprisingly low. Most of us would borrow to pay a $400 emergency expense. Are there really that many people out there paying with cash or check instead of “borrowing” by paying with credit card?
The question is not if you're carrying $400 in cash, but whether you can afford that expense. A credit card paid off in full is considered cash-equivalent: "When faced with a hypothetical expense of only $400, 59 percent of adults in 2017 say they could easily cover it, using entirely cash, savings, or a credit card paid off at the next statement (referred to, altogether, as “cash or its equivalent”)" (from the same page of that report).
The technicality of making the payment by cash or cc is beside the point, the point was that there is not 400 of savings available to immediately pay down the CC
This may become another example of a good company catering well to a specific niche, then taking on money until they are unable to cater well to their original niche anymore.
Solving a specific problem well in a market worth $X is not compatible with taking 10 * $X in funding — you will be forced to start doing something else so you can make ROI. Along the way you’ll probably alienate your existing market by price gouging (like switching to a subscription based service model for a simple app), so there won’t be any turning back either.
> (like switching to a subscription based service model for a simple app)
1Password did this a couple years back, before they even took on funding!
Maybe your choice of example was a sly reference to exactly that, sorry if it was and I'm explaining your joke :). If that was your intent I hope my comment at least makes it clear to people who aren't as familiar with 1Password's history.
There are several competing password managers today of course! My take is that like Dropbox (disclaimer: paying Dropbox customer until iCloud Files is just a bit better), this is a feature, not a product (unless you need team or cross platform functionality, but for teams you should probably be enterprise grade with SSO instead of sharing creds).
I'd switch from BitWarden to a native Apple solution the moment the Keychain UX reached parity with BitWarden, n=1.
It is strictly for website address/passwords, so doesn't work for a more diverse robust security password manager.
And the sync is very flaky (when I create items within the setting application, they don't show up on my phone). And its multi steps to simply launch keychain since its not a true native app on MacOS nor iOS.
I like that keychain is limited, at least it makes me feel like there’s fewer possible vulnerabilities.
KeepassX and minikeepass on iOS are my go to for secure notes. I don’t see the need for super convenience with my credentials, I’m willing to do some work to access them.
Either way, I’m not handing over a database of login info to a SaaS company. Might make sense for large companies though.
As a sole user it's definitely a feature-not-product, but for teams 1Password really is a product with its extensive access controls etc.
Kinda reminds me of identity management / authentication. These also are features, right? But I feel a lot better about delegating that feature to a business whose core competency is that (eg. Okta, Google, …).
"Payment" also is a feature, but I'd never not use Stripe.
Another example is G Suite. They started as "Gmail with your own domain" and switched to a corporate Office suite. Now individuals that use them regret it more and more.
I hope this isn't a bad sign for the future of 1Password. I've been a customer as a consumer for about ten years, and my team has been using it for four years.
The nice thing about them is that they have always had a great consumer product (and the teams product has also been excellent). Since they didn't need to take on the funding, I wonder if having a fund on board will result in focussing on the wrong things (e.g. growth-at-all-costs).
Wanted to piggyback on this thread since I've been thinking about using a password manager for awhile and have never gotten around to it.
What's the best service level for 1password for a small office, like 10 people or so, that want to just share basic passwords for things like social media accounts, mailchimp login, adobe password, and stuff like that?
The article mentions all the things that 1password succeeded in doing on its own: bootstraping themselves, shifted their product to focus on subscriptions, even made their product work well with more enterprise-y needs. All while working out pretty well financially.
And now they need capital funding. For what? The quotes in the article seems to say that a developing a go-to-market strategy and hiring a sales team to do telemarketing requires 200M.
They don't need the money, I assume this is a CEO/founder cash-out. They have an established revenue stream, and have established an enterprise presence, they will be an attractive acquisition target. There's so much VC money floating around that a sure bet like this can attract that kind of money, and who would turn it down?
I'm still on the pre-subscription 1Pass and kudos to them that it still works, but like Dropbox this will become an enterprise service that will be too expensive for consumers. The good news is that password managers are now effectively a commodity, like cloud storage, so there are plenty of options.
> 1Password plans to use its new capital to “aggressively” invest in its product and go-to-market programs so that it can continue to grow its enterprise customer base
Don't know what compensation structure is like at 1pass but suppose you got hired 10 years ago and were offered an equity stake. You've already paid taxes on it but never got any value since a small share of a private company isn't worth anything until a sale or an IPO. A funding round like this can turn that equity into cash for you.
I moved away from 1password when they switched from license to subscription pricing.
There's nothing wrong with subscription pricing, especially when paired with cloud syncing. Bandwidth and cloud storage aren't free and the app is definitely worth the $2.99/mo.
It was a great move for them, just not for me since I don't sync my passwords over the cloud.
The process is increasingly convoluted to figure out. I'm still clinging on to their 1Password 6 license and it's now broken in Safari on Catalina. Life goes on.
it's also broken on all Windows, and for Chrome on Mac. I also have my 1Password 6 license using Dropbox to sync and I just cut and paste my passwords now. I don't want to pay subscription since I paid $80 already for something that doesn't substantially change.
I use v6 on Mac/Chrome and it works as expected. When did it stop working for you? And have you found a work around? I'm dreading the day this stops working. I'll probably bail on this company if they prevent me from using software that I have paid for unless I upgrade.
You can't expect them to keep updating old versions to work with new operating systems. I agree they should not turn off old versions, but thats not whats happening.
I use 1Password 7 and only use a local vault (synced across devices with Resilio Sync). There is no reason you have to pay for a subscription if you don't want to.
I pay for 1Password subscription, but I set my mother up for the free version using Dropbox sync. Super simple and probably what 99% of people need anyway (1 vault).
Does 1Password 7 actually support buying a license instead of a cloud subscription? You mentioned a "free version" using local Dropbox sync –that was definitely not free in 1Password 6 as that's what I'm doing right now. What has changed?
The main thing that's changed is only having 1 vault, but there are probably some other features that my mom wouldn't care for anyway. But yes, in 1Password 7 (or whenever they went with the subscription model) you can now use it for free if you still go with Dropbox sync.
Hmm are you sure? I just installed 1Password 7 for Mac, and it has replaced the 1Password 6 (which I had a license for).
It has detected Dropbox sync out-of-the-box and kept working with existing settings. But it won't refill passwords, unless I either subscribe or buy a license (a pop-up forces me to do so). I'm curious why you're not seeing the same behavior.
I'm happy for them, but I'm worried about what this means for the product and its future. They now need to hit $1BB or die trying. And most of the time that means die.
Maybe they might have some life-changing enterprise thing up their sleeves. I don't know. We don't know. I'm wishing them well, I just am bracing for impact.
What are you basing this off exactly? The only case where failing to hit valuation targets can kill a company, is when the company is reliant on continued funding to operate. A profitable company is free to disappoint it's investors in any way it chooses.
I didn't, actually. Note the usernames. My reply was regarding the more blanket statement of
>A profitable company is free to disappoint it's investors in any way it chooses.
Also, it's not too unreasonable to assume that a controlling stake was obtained considering that the article said "[this is] a gigantic Series A even by today’s standards", and "The company declined to provide its valuation". Elsewhere in the comments someone mentioned that almost 2/3rds of the money was a "cash-out", rather than an investment to the company. Both statements suggest that a large stake was acquired.
I see, so the discussion has simply devolved into pointless generalities.
I don’t see any sources claiming the company has been acquired (other HN comments don’t count), even if it was I haven’t seen any evidence that the investors are interested in undermining the sustainability of the business model.
All of the doom and gloom comments in this thread are completely unsubstantiated, and seem to be mostly based on misunderstandings of how businesses actually operate. A company reliant on funding to operate needs to be very concerned with its valuation, a profitable company doesn’t to be to anywhere near the same level. Comments that amount to nothing more than “VC bad” should probably not get a free pass in a community supposedly devoted to “gratif[ying] one's intellectual curiosity”.
I was surprised too at those values. But then realized that is only about 30,000,000 paying users. Yes that’s a lot of people. But maybe they can get to that many world wide.
Ugh. I have been a happy paying customer for many years now. I went all in on 1p specifically because they didn't do shit like this. When a CEO says things like "we need to grow aggressively" I hear "we need to find ways to foist new trash features no one asked for upon our users and then ignore them to get the big enterprise bucks". Time after time I see great products get ruined by that mindset. See Dropbox. See Evernote.
There are open source solutions that are nearly as good as 1p. I guess its time to start evaluating. Man I _just_ got my partner to starting using 1p too...
in the past i recommended lastpass to people who are just getting started but now I recommend bitwarden instead unless someone needs password sharing. the UI is a lot simpler for a first timer to pick up.
the reason I don't use bitwarden myself anymore is because I started using syncthing and it seemed like a waste that I wasn't using it to sync my passwords as well. so I'm using keepass now. its not as pretty but the autotype feature is great and it means I need one less browser extension that I need installed
Why? I mean, by all means they've always felt like a true bootstrapping success story (I'm a happy 1Password customer for many years). Why take funding and give up control of your company to an outsider now?
You're not wrong. If the friction is low, user harm is minimal because they can move easily (the import from 1Password to Bitwarden was painless), and you're just burning someone else's VC dollars, I ain't even mad. No extra credit for making life harder than it has to be.
It sounds like they could have already done that given the success of the company? A company that's been profitable for 14 years has likely made its owners rich.
Is it really a matter of getting $4X M instead of $X M?
Yet another sustainable and useful business that'll be undone by Venture Capital. They've had sustainable growth with the support of paying customers who truly love the product, and now they'll be on the path to 100x and/or bust in <5 years.
I hope they'll re-release the standalone version before the last person out switches off the servers.
I can only hope that this doesn't have any bad impact on the consumer product. I'm using it since its first version when it was a Mac only password manager without any cloud integration.
I've been using a password manager for almost 10 years now and on the enterprise side there's really none that competes with 1pass. They had some security issues like with their Jira being misconfigured and open to the public, but their marketing and imago is built around them taking security very seriously (for obvious reasons).
personally though, I don't use their offering outside of my work context. Currently, I think bitwarden is maybe the best platform for consumers as its open source, audited by proper security companies and generally very open. I roll with my self-hosted version and I've been nothing but amazed on how good it is to use, even on mobile. Lastpass had way more usability issues (like being totally broken at first on Firefox when they came out with webextensions) and bitwarden's mobile app is at least as good as the one's you'd normally have to pay for. Strong recommendation for bitwarden.
I'd say Okta is pretty much the standard corporate "password manager" (SSO) solution. I'm a consultant and probably half of my (very large) clients use Okta.
There are countless examples of successful businesses (and products, if that's your point of emphasis) that have raised VC, both from a company and consumer standpoint.
VC can corrupt product, and I have intentionally avoided VC funding for my products, but to say it "never ends well" is just hyperbole.
Disappointed to see so much negativity in this thread. Password management is still an unsolved problem in most peoples lives. Think of your parents - are they using a good digital password manager, or do they still have a bunch of sticky notes with their passwords written out on them? Wouldn't it be better if they were using a password manager? Most people I know, especially the ones that aren't tech savvy, won't use a password manager until the UX and product experience are nailed. So far, 1Password is the only password management product I see making progress in that direction.
People complained when they upped their prices and moved to a cloud model (and in all fairness that transition wasn't handled perfectly), but honestly, the product is now way better, works on more platforms, and is totally seamless. I hope they use the investment money to continue to make the product better and to get it into more people's hands.
It is not. 1Password 7 for Mac is a UX regression IMHO. Most of my common workflows have become more clunky. There's useless UI elements I can't get rid of taking up prime real estate (Watchtower). And, while this is subjective, I think it's also uglier than 1Password 6.
I tell friends and family the threat they're under by continuing to use the same password for all their accounts. They know I'm a geek so they ask me what do I do and I have them up on the free and open-source Bitwarden in a few minutes. They love it, I love helping them.
Profit is fine so long as a user always remains in control. Given 1Password's history of pulling the rug, I can't guarantee that control.
I immediately thought this is the worst possible news about 1Password. In order to let the investors cash in, they'll ruin a good product or pivot completely, like selling online ads.
I understand being somewhat cynical about acquisitions under certain circumstances, but expecting ruin or a pivot of this sort feels like quite a leap to me. Are there other examples of profitable SAAS companies, particularly ones with enterprise offerings, later pivoting to that extreme? I understand selling lots of ads happens after an Instagram acquisition. (They're buying eyeballs/attention after all.) But this feels like a totally different beast to me.
I never really understood the appeal of 1Password, why would you send all your passwords to a 3rd party where you can't even read the source code?
I'm using KeePassXC in combination with Syncthing, everything is hosted by me and without the need of any cloud. Am I missing something, or is it just the convinience of one package?
I bought 1Password years ago but balked at a subscription (I pay for tons of subscription software products - this one just didn't feel worth it). Now I pretty much just use MacOS keychain. What am I missing that would lure me back?
It's actually not recommended to keep your 2FA tokens and passwords at the same place (i.e. your 1Password vault). The whole point of 2FA is the separation (something you _know_ and something you _have_).
Just goes to show that how you sell stuff dominates _what_ you sell. 1Password is a relatively primitive CRUD app with multiple $0 competitors (I moved off it to Bitwarden, which is ugly, but works fine). And yet they have (judging by the amount raised) at least tens of millions of paying customers, if not hundreds of millions.
Password managers are still very clunky, and only part of a broader personal cyber security landscape.
I hope they are working towards a more holistic approach for personal security (encrypted drives, cloud backup, monitoring, most things are still very difficult for anyone but prosumer to manager).
KeePass + Dropbox is my preferred option. No centralised access to my passwords, available across all devices. There is a great KeePass app on Android that auto syncs with a file in Dropbox, and all my machines obviously just access it via the Dropbox folder. Entirely free.
Yup I've been using KeePass + OneDrive (and duplicated to my NAS) on all my devices, across all major OSes, for years now. Never had a single issue and love that it's open source with a selection of clients to choose from.
You can also keep your password database offline (airgapped network, USB key/drive, remote/offline devices), and having control of the client + database means you know you can still access those same passwords a decade from now.
I'm really happy for them. I've been using them for almost a decade, since I saw a weird looking icon in Geoffrey Grosenbach's broswer in his PeepCode tutorials and found out it's a password manager.
This app is a huge part of my day and I'm happy to evangelize it.
I love 1Password and I used it after I migrated from the terrible LastPass. But I'm happy with password-store/GPG/Github priv repo solution and definitely not going to pay for a mo/yr subscription. Good luck to them though.
I can't wait for someone to do web based enterprise password management right, because almost no one has yet. I'm still over here clinging to my keepassxc like a life-raft after the Titanic.
I'm laughing at all these people saying they've paid them money already. WOW. There are completely free alternatives. https://www.passwordstore.org/ for instance, which has clients and/or client integrations for all platforms and is completely FOSS.
Sorry, but your passwords are some VCs property now, and how/where you use/access them from are a business metric to be sold.
Bitwarden will be the most recommended. I tried it to move off of 1password a few months ago, there was a time where 1password kept breaking the extension in every OS I was using. I can't remember exactly what was missing but there were several things I was used to in 1password that weren't available in bitwarden that made it feel clunkier to me.
It's UI is definitely the closest you'll get to 1pass. I think a big reason I couldn't use it was the Android app is built off Electron and doesn't currently support Android fingerprinting.. So I'd have to fingerprint into 1pass to grab my Bitwarden pass..
How mature is Bitwarden? I know its open source, but IIRC the business address for Bitwarden is a random house in Jacksonville, Florida? And that was only found on Reddit or something.
If its open source thats great, but most people are not building the clients for iOS and MacOS at home. We trust the builds that they host to be true to the source.
1password lists its physical address on its home page (and I think every page).
Lastpass is part of Logmein, an established tech company in Boston.
I'm very wary of a password manager trojan horse, similar to the Kaspersky incident.
As far as I know, Bitwarden is a one-person company run by a guy who lives in Jacksonville, Florida. So the business address being a random house there would be exactly what I'd expect.
Password management is a privacy and data sync problem.
As a consumer I use an Android device, Windows desktop, Linux laptop so OS or single ecosystem solutions don't work for me. They may be ideal for others.
For a business password manager I'd want to know who is storing my data and how it's being stored. It should be stored where the provider has no access to the passwords (data is encrypted client side before being sent through sync backend ).
Disclosure: TeamPassword is part of the business I run.
1Password almost makes me feel like I'm in the Truman Show or something.
It's a company whose founders live in my small hometown and keeps appearing in my life in the most disconnected ways (despite living hours away). Just recently my sister-in-law was hired to the company. All along I'm super impressed by their model and great culture, but at the same time believing that it's -- in the words of Steve Jobs -- a feature and not a product.
The VCs at this point would be happy with a 3-4x return, because the risk is minimal - companies at this level of maturity, profitability, market dominance, and growth are highly unlikely to fail. So, if they picked up (for arguments sake) 25% of the company, giving it pre-money valuation of $800mm, all they really need to do over the next 3-4 years is build an $3.2B company, which, given 1Password's dominance/quality of product - should be relatively straightforward.
Their killer organic entry is: "Everyone" is already using them for personal password management, which means cost of training/installation/use is trivial to add the Enterprise element.
As a personal user, I consider 1Password the GitHub of password management - sure, there are lots of GitHub competitors, and you can roll your own - but, when there is one product that has completely nailed it - why bother going with anyone else.
They sponsored Gophercon in 2018(?). I didn't even know they use Go.
Good luck to them and hopefully they will keep us from password disasters of the future. Now, if only I could convince everyone to use a password manager...
These also have another distinct change beyond simply pricing, they're actually hosted in those regions. So .ca is hosted in Canada and .eu is hosted in the European Union.
Kyle
[1]: https://support.1password.com/regions/#change-your-region
Why was it not as good as lastpass?
Ah, GitHub. The company which was bootstrapped and profitable like 1Password, but then took venture capital, became unprofitable, and had to sell to Microsoft. Let's hope they aren't the GitHub of password management.
Not only that, but the GitHub product is getting much better under Microsoft.
So overall I think it was a win for consumers too.
There were also rumors of an acquisition at the same time, which were denied.
This is good for users as it likely mean not huge changes to appease corporate overlords, but continues the sad story of limited young, profitable, small-cap Canadian tech companies available for outsider, passive investment. There are quite a few in the category of 10-15 years old, solid revenues/profit and founders that are ready to step back; most choose private equity or sovereign wealth funds investments in the 100M - 1B range over going public because of the hassle and reporting requirements. The average individual investor doesn't have access to these deals which is a shame because they tend to be established, profitable return generators. I don't blame the founders; I'd likely do the same route.
I really did laugh out loud as you make it sound so easy. Having said that the money isn't in the consumer side, but the Enterprise. 1Password is only just entering this market and there are huge potential.
I am grabbing AWS keys from MacOS keychain and can access creds I save in iCloud from any device. Uh oh 1pwd
If you have cross platform to support, and want the best experience ( or I should say equal experience ) than a decent third party Password Manager is the only way to go.
I would have thought Google would be interested in this market, but ever since the birth of Android, all the wanted is Chrome or Android Integration.
I wasn’t implying that at all. I said “OS vendors” and used my anecdote as one example of what I mean.
It allows you to use smart unique passwords, syncs between devices, and uses the OS master key to hide the passwords.
It's not great, but it's probably good enough for many people.
> should be relatively straightforward.
I run a self-hosted bitwarden server, which I love.
But the client is, in my opinion, not nearly as good as 1password. Its login detection is often disruptively wrong. The need to unlock the keychain each time you start a client is aggravating. The fact that the keychain doesn't lock itself when I lock the worstation is more aggravating. It's sensitive to server downtime when it should be able to work offline. The desktop app is either electron or something very similar and chews battery for me if I accidentally leave it running. 1password's secure notes are far richer. 1password's storage for software licenses is useful and bitwarden offers nothing similar that I've been able to find.
I'm not saying any of this to shit on bitwarden. I like it, and pay for it both in dollars to bitwarden and in time spent keeping the server running/patched. (Which I know is optional, but I really like having it self-hosted).
If 1password could offer me a decent linux desktop experience and a self hosted server, I'd switch back. I liked it that much better.
Have I Been Pwned partnered directly with 1Password, which is probably why they're able to send out notifications directly; Bitwarden has to worry about being rate-limited.
I'm not too sure what's meant by MFA availability, but Bitwarden also lets you use it as a TOTP generator + use 2FA for logging into your vault, though those are premium features.
If 1Password's claim to fame is functionality beyond password management, so be it, but that doesn't define it as better but rather broader scoped.
edit: I'm wrong, it didn't support touchID in OSX https://community.bitwarden.com/t/touch-id-support-for-macos...
I think when they switched to subscription model they left people who didn’t switch on an old version
It only beats 1Password on price.
If you don't want to pay for a fucking awesome app, good riddance to you.
https://news.ycombinator.com/item?id=21172569 is a good discussion on it.
When my current native install of 1pw stops working I'll be migrating elsewhere.
I haven't verified this myself, but standalone licences seem to be available for purchase in the app itself: https://discussions.agilebits.com/discussion/92275/how-do-i-...
Hence it's there, but intentionally dark patterned to near invisibility. They would prefer everyone on the pointlessly expensive sub.
> 1. Information We Collect and Receive
> Service Data (including Session and Usage data):
> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data ...
> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.
> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").
That's pretty much everything given they put an extension in your browser and can collect all of that info for every page you visit
> 4. Information Sharing
> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure
> Examples of how we may share information with service providers include:
The above basically says they share your info with anyone they feel like
So I don't know how you think my comment has no basis in fact. They spell out what they can do in their privacy policy. Why would they spell it out if they weren't doing it?
Compare to 1password (note I use neither service and am in no way affiliated with 1password but for comparison it's telling
> Your data is yours, and we don't want to know anything about it. We don't use it, we don't share it, and we don't sell it.
> We only collect the information necessary to provide our services and help you with troubleshooting. Personally identifiable information is never shared with third parties.
People on HN complain about Google collecting and yet we seem to have LastPass with access to all webpages you visit and also able to track every service you use them with an their policy basically says they collect and share your data (something even Google doesn't do. AFAIK google doesn't share data)
This is not helpful. Why did you hate it?
The YC darling DropBox still isn’t profitable and probably never will be as they are becoming “just a feature”.
1Password will doubtfully never be profitable enough to be worth $3.2 billion. Whether they can pawn themselves off to the public markets first is another question.
And Google and Microsoft do exactly that already.
But if you define success as a company that can actually turn a profit consistently, Dropbox is not a success.
It doesn’t take too many deals with huge companies who need cross-platform to get to $200-300 million, and “worth” $3.2bn. Multiples from revenue have been a little interesting lately.
People made the same argument with Slack. How is that working out?
I don’t know about Android, but iOS supports third party password managers through the extension system.
I think competition in this space is good but I use and like Slack over Teams.
I know at least two companies who pay Slack over $20MM a year, and have over 100k users provisioned onto Enterprise Grid, and who are also happy consumers of Microsoft Office 365.
Being able to sell $1 for 95 cents is not a successful business strategy.
1Password fixed that and numerous UI glitches around the actual password filling in that I was just living with. It is night and day a better experience ... and no invested interest in them (unfortunately!)
https://1password.com/teams/pricing/
"Free family accounts for all team members - $60 value per person"
What happens if Apple implementes their own native password manager into macOS and iOS? I know I would switch to Apple's native assuming it worked as well as 1Password.
Then there's the risk of me putting everything in there and them jacking up the price. I'd either have to eat it or manually migrate everything.
There are other concerns as well. And I'm not saying I think they are dishonest. But when there are open source methods that are free and battle-tested for security, I see no reason to go with a paid option.
From the link:
> Your data is yours. Even if you cancel your subscription and your account is frozen, you can still sign in to 1Password.com or in the apps to view and export your data.
In the end was more happy with KeePass as 1Password was too user-friendly for me and I wanted something more stupid for passwords.
I paid for it once and then used it for years and years without updating. After a few years the browser extension stopped working (was no longer compatible with current browsers) so I decided to buy again. By this time they'd moved to a subscription system and I have no idea how it works.
It used to be simple... there was an app, and if you stored the password file in Dropbox, you got cross platform support. But now the UX is terrible. I don't know where my passwords are stored, I don't know if the entire thing will stop working if I stop paying, etc. What a shame. I used to recommend it all the time but since the update there's no way I could recommend it to anyone I know who isn't a techie.
Still, if you're willing to handle the availability and security concerns yourself, going self-hosted could work.
With its generated passwords there is no way to lose your passwords in a hilarious backup failure.
yes that's Keepass, cause it's open source and you keep control of your password database instead of on somebody else's server.
I now use Keypss, which is free and doesn't require the cloud.
The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people. It's a way for them to make more money, which is fine, but I really don't think a cloud-based password solution is necessary.
Edit: The 1password employees must be down voting me. It's ridiculous that I get down voted for a specific opinion about the topic.
I was going to just disagree with you without downvoting, because I specifically was looking for cross device sync and mobile support (and specifically looked for a mobile app that supported using FIDO as a second factor to protect the vault.
However, attributing downvotes to employees/shills shows an inability to consider that there may be a good counter argument.
A SaaS model works well for both sides, I think - consumers always have the latest version and their data is highly available and safe against local events (storage failure, fire, flood etc); the business has (relatively) reliay income stream.
Hmm, thinking about it, for simple image editing stuff I still use a version of Paint Shop Pro from something like 10-15 years ago, and it still works great.
I think then that it depends on the kind of software, and the expectations of the user: is it beneficial to store data in the cloud for easy access from multiple devices?; do you want security updates? do you want new features?; do you want support?
I also use Keepass, with passwords stored on a cheap VPS using SFTP. Works great on Android with Keepass2Android too. But of course, this is not something a general comsumer is going to setup.
I agree completely. I never want to pay more than once for Photoshop/Illustrator/etc. -- and the fact that Adobe has turned those into SaaS products really annoys me.
But products like an OS, browser, cloud-synced password manager, mail client, online git hosting, etc. -- for those, I would prefer to pay a subscription fee (to a company I trust to use it well).
When I first posted this, I had multiple down votes in the span of a few seconds with barely enough time for someone to read or even process my comments. It just seemed very suspicious.
Social vote counters are just sentiment thermometers.
UPDATE: this is now -1 with no comments. I proved my point.
> Please don't comment about the voting on comments. It never does any good, and it makes boring reading.
> The only reason they went to the cloud is because most people were buying one copy and sharing it with multiple people.
It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server.
I’d it was simply storage, the. It would be an add on, but it’s not. It seems like it’s more of a strategy to increase cash flow by converting to ongoing subscriptions instead of one time purchases. This is the same motivation that switched MS Office and Photoshop over to subscriptions. There’s no compelling reason to upgrade, so you get people to fork over a credit card and forget about their reoccurring charge. Cash flow becomes more predictable and possibly increases as well. This why service contract / subscription businesses are popular among investors.
I don’t blame them for trying it, but let’s not pretend this is good for users.
The truth is that my grandmother needs a password manager and she barely understands what minimizing a window does. "Just store your vault in dropbox" is friction and that matters much more to the huge majority of users than the fact that the vault is stored on a cloud service.
Yes, completely agree. Dropbox sync has lots of gotchas and edge cases, and was particularly bad if you edited files on multiple systems (my workstation and laptop, for instance -- I use both interchangeably depending on what I'm doing).
I can understand why 1Password built their own sync service instead of playing whack-a-mole with different cloud storage providers' quirks.
Anyways all of that said, the 3rd party sync solutions all suffered from varying degrees of funkiness that just don’t exist with the native solution. Their switching to monthly pricing was, objectively, very successful and didn’t cost majority of users more money. But there are a small number of people who it rubbed the wrong way, clearly, but any business action is bound to piss some small number of people.
So? You can put the database on gdrive, icloud, dropbox, or any cloud service you want. I think most users understand the concept of creating a file, putting stuff in it, and putting it on a file syncing service (or usb drive).
Many do, many don't.
Even for those that do, there is a significant hassle in getting a file sharing service (gdrive, icloud, dropbox) etc onto every possible device they have.
I mean, I'm with you in that I'm personally pretty skeptical of the cloud-based pw solution. But I can absolutely understand the story about a much simpler user-experience that it offers.
What is this "significant hassle"? Surely it's not that much harder to install [sync app] + [password app] than it is to install [password app]?
>Many do, many don't.
I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
It's literally twice as much work. Often more, because I need the password to the sync app's service. Where's that stored?
How many characters is it? Oh, it's a secure, 20-32 character password. What a pain to re-type it. Good thing it uses a ton of symbols which are a pain to type on my mobile keyboard.
> I suspect the intersection between "people who don't know how to manipulate files" and "people who care enough about passwords and are willing to fork over $36/yr" isn't big.
It's not "people who don't know how to manipulate files", it's "people who don't _like_ to manipulate files, and external services, and get them onto all of their devices".
Further, I expect the proportion of the first circle is constant and relatively small (<10%).
I expect the proportion of the second circle _was_ small, but is growing extremely rapidly.
Or no app, just add the browser extension and you're done. Seems a lot easier to me than downloading two other apps, one I have no use for other than syncing the other one.
Some people don't want to roll their own. You may, or may not agree with the concept of a fully managed solution, but for any non technical user, they want it to (borrow a phrase) "just work".
It's the majority of the addressable market.
The cloud synced updating features you're talking about work fine for me already with 1Password's iCloud-backed syncing, which is how most Mac and iOS apps sync data, it's just in that model Apple has control of my data, not 1Password (and I don't pay a subscription fee), so they make it incredibly difficult to configure that way.
Yes.
Note also I'm replying to this comment "It’s cloud-based because the majority of password management users want automatic cross-device updates without setting up their own server." Seems relevant that "cross-device updates" don't require a server (at least among Apple devices)?
[1]: https://support.1password.com/sync-with-icloud/
The whole point of using a password manager is that the passwords I create and use on my {desktop, laptop, work machine, phone} are immediately and seamlessly available to me on all of the other platforms.
As far as I know it is Cloud integration which enables this absolutely necessary and table-stakes functionality. Is that not true? Does e.g. Keepass provide this essential functionality without a Cloud integration of some kind?
IMO this was the more secure implementation (assuming 1password was only storing fully encrypted files on your 3rd party cloud preference) - even if someone broke in your Dropbox, they can’t decrypt your passwords without your master pass.
An end-to-end cloud solution provided natively by 1pass is much more user friendly and easier, but requires putting an order of magnitude more trust in 1password’s security architecture (which of course is closed source).
As an end user, it’s abundantly clear that all encryption/decryption is done locally when using the Dropbox integration since you can see the files directly in your Dropbox. I guess I didn’t make the same assumption about the 1pass cloud service for some reason.
1. 1Password Cloud
2. iCloud
3. Dropbox
And at least 2 and 3 can be used simultaneously, which is what I do, with my main vault in iCloud, and temporary vaults, e.g., passwords for a particular job, in Dropbox.
It's not as seamless as having the functionality built-in. You have to deal with logins, authorizations, etc. I wish it could be as easy as "Do you allow 1Password to use Dropbox? (Y/N)".
That isn’t the whole point of 1PW though, or at least it wasn’t at the beginning, as I saw it. It was a way to avoid having to remember a unique, secure (read: probably hard to remember) password for every service that requires one. A place to store them all so you don’t have to remember, or worse, reuse the ones you can remember, and/or use easy-to-remember ones (read: less secure). It’s in the name: one password gets you access to all your passwords. Automatic form filling and cloud sync are definitely selling points and certainly convenient, but they are also risk vectors. I’d not call cloud sync essential; I get by fine without it. I just use the WiFi sync option.
Password managers without transparent sync and autofill UX are a half-product at best.
Also like I mentioned elsewhere, I do sync my vaults, but only using the local WiFi option.
There is only one way to exfiltrate information from a notebook, it requires physical proximity, and it's very likely that you would notice.
Every rational threat model for almost every human on the planet (excepting perhaps major political, cultural, or economic figures) would conclude in the paper journal being the better (safer) choice.
For what it's worth, I use it with an ssh plugin, so I only store the database on one machine, and connect using ssh on desktop/Android.
It's also pretty straightforward to set up something like syncthing, making it easier for average person.
Something like 80% of the value prop of my password manager use is one-tap login (with FaceID) on mobile.
Handwaving this away is failing to understand the product and market at a fundamental level.
edit: literally a paper notebook with my passwords written in it is a better solution in essentially every dimension than a non-syncing password manager.
Just store it in your regular sync solution. Syncthing works great, and I don't remember any issues with Dropbox back when I used that. I'd imagine that iCloud or SkyDrive would work fine too, for the masochistically inclined.
This seamlessness is also critical for my less-technical family members on my plan. They want the better security, and recognize that a password manager is necessary. But if it was a pain to use they wouldn't put up with it.
I had to Google a workaround (creating a dummy secure note was one workaround) for the times the sync wouldn't work.
I asked why there was no Force Sync button on their support forums, and was told that they took it out because they want their paying customers to report sync issues with an error report instead of giving them an instant fix via the button.
Needless to say, as someone who has been using and paying for 1PW (upgrades and subs) since around 2008, I was not impressed with that response.
To me, the Windows and Android clients seem to be second-class citizens compared to their Apple counterparts.
They don't have a proper Linux client
You can use the pay-one-price license if you already have the motivation to use DropBox.
But on the other hand, for users who have DropBox already—possibly because they aren't using Linux—this does allow them to sync passwords without paying another $40 a year.
Imagine naming your product "'password'-as-your-password" then telling people "Oh you should really try using 'password'-as-your-password!".
Maybe they can rebrand to "123456"
https://github.com/dropbox/zxcvbn
https://www.youtube.com/watch?v=kTcRRaXV-fg
I recently started using 1Password, and I love it. I finally jumped in because a colleague gave it glowing praise and my company gave us corporate accounts. After using it for a week through my company account, I created a separate personal account for myself. I happily pay a monthly subscription because it is a service I benefit from daily. It also lets me neatly manage personal and company accounts easily, from the same interface, while still keeping the vaults separate.
I see this as a good thing because someone will become the password manager for large companies, and that someone will likely become the password manager. I'm glad to see it's likely to become a service that I think is a good one.
I understand people are worried that the personal use will suffer, but I don't see how. (I understand why people say that - less emphasis on a smaller market - but I don't see how since the corporate offering is basically the same thing as the personal one, to an individual user.)
This company over the years has, multiple times, basically ripped the rug out from under its users (moving to online vaults, hiding native app, switching from a single fee to monthly charge) so I really don't see it as a positive.
From comments in here it seems like they'll be focusing on Enterprise. That just leads me to assume they'll listen to consumer feedback even less.
Why do you see this as a good thing - what good will come of it for you? You’re describing a tool which already does what you want;
With this investment, 1Password need to squeeze half a billion extra dollars out of you just to give to investors. What is it that their tool doesn’t do for you, which needs that kind of trade for them to be able to build it?
That's what happens when the scrappy young company with a valuable product gets acquired. Research and Development stops, Rent-Seeking skyrockets. Every time.
I am still struggling with the idea that a company that was profitable selling licenses for $12/yr needed to then rise to $24/yr and again to $36/yr within the span of two years and somehow not be considered rent-seeking. You said this is to cater to enterprise users, and yet it's not the enterprise users that are bearing the brunt of the price increase. Absent any visibility into company workings, this feels like corporate overlords acquiring a product and declaring, "You are profitable, but our shareholders demand at least XX% profitability, so you need to make more profit, effective immediately."
Please shed whatever light you can on this.
A) 1Password was already well on its way to doing this (a lot of large companies seem to be using it); B) I'm not sure that it follows necessarily that the largest corporate option will become the largest consumer option.
1/ Make the Windows version feel more like the macOS one. I switch between the two OS's all the time and it always feels jarring to open the Windows one after using the other.
2/ Add an option to cache everything locally. My phone has plenty of storage and there have been a few times where I have been with cell service or wifi and unable to pull down a document or credential I have stored there.
Mostly though I love it and can't imagine what life must have been like before password managers.
I'm just amazed that they have so many employees yet their window and browser apps are still really lacking.
Side nitpick: it's annoying that they're moving to 1Password X. I really don't want to run the desktop app AND an independent version in my browser. It's not as bad on mac since it can communicate with the desktop app to unlock, but on windows... ugh.
Well they're lacking an entire platform (Linux), so it's not even just about differences in polish.
Certainly thankful in any case that there is a Windows version and I don't have to manually transcribe from my phone.
I'm sure I've been in situations where I am trying to download a travel permit for example at a check in desk overseas and there is no signal.
I'll see if passwords are the same - maybe those are indeed kept locally.
1. Add a new 1Password item on device 1
2. Do _not_ open the 1Password app on device 2
3. At some point/the next day or whatever, device 2 goes offline
4. Now, while offline, you do not have access to the new item on device 2 because data wasn't synced because the 1Password app hasn't been opened after #1.
The problem seems, 1Password doesn't sync the data in the background (iCloud in my case.)
However, if you did sync by manually opening the app while online, all data will also be available offline later (including attachments.)
Maybe worth me submitting a feature request that facilitates making checked items available offline (like I think Dropbox/Google Docs iOS apps support).
https://discussions.agilebits.com/discussion/108049/ios-iclo...
Anyway, very curious what this means. I'm sure there's a ton of features I've not thought about in years it could use (like LastPass's IP/region blocks) but 1password has never felt like it was a fast moving feature company. Maybe this will get us that.
It seems that the fate of every decent Password Manager is to be acquired by some rent-seeking company and have its userbase gouged.
I suppose we can all start packing up to make the move to Bitwarden. Until it's bought.
Although, it does carry the trade off of me being reliant on a third-party for my password-sync and that I have to pay. Currently it's worth it for me.
I currently use KeepassXC hosted on Dropbox, which takes care of the sync for free. And mobile apps like Keepassium or Strongbox integrate them directly.
I'll probably have to switch if/when the firefox plugin stops working, but hopefully that won't be any time soon.
Our pricing intuition around software is so weird. That's $370 over six years. If you went to a theater and watched a movie alone every couple of months, you spent more on tickets than you did on 1Password in that time.
It's a lot easier when it's a monthly fee to get that money out of me.
"Four in 10 adults in 2017 would either borrow, sell something, or not be able pay if faced with a $400 emergency expense." https://www.federalreserve.gov/publications/files/2017-repor..., page 21. That's a lump sum expense, not paid over time, but I think it illustrates quite well that $370 is a lot of money for something most people don't even know they need.
According to CBS [1], the cheapest city to live in in the US Harlingen, Texas. The Nacho Supreme at Pepe's "homey" Tex-Mex "joint" [2] is $9.95. If you can afford to treat yourself to a plate of those nachos once every two months, then you could have afforded to secure all of your passwords.
[1]: https://www.cbsnews.com/pictures/10-cheapest-places-to-live-... [2]: http://pepesrgv.com/
You can secure all your passwords for free (with Keepass or Bitwarden for example).
1password doesn't have to justify its price versus not securing your passwords, but versus open-source password managers.
Solving a specific problem well in a market worth $X is not compatible with taking 10 * $X in funding — you will be forced to start doing something else so you can make ROI. Along the way you’ll probably alienate your existing market by price gouging (like switching to a subscription based service model for a simple app), so there won’t be any turning back either.
1Password did this a couple years back, before they even took on funding!
Maybe your choice of example was a sly reference to exactly that, sorry if it was and I'm explaining your joke :). If that was your intent I hope my comment at least makes it clear to people who aren't as familiar with 1Password's history.
I'd switch from BitWarden to a native Apple solution the moment the Keychain UX reached parity with BitWarden, n=1.
It is strictly for website address/passwords, so doesn't work for a more diverse robust security password manager.
And the sync is very flaky (when I create items within the setting application, they don't show up on my phone). And its multi steps to simply launch keychain since its not a true native app on MacOS nor iOS.
KeepassX and minikeepass on iOS are my go to for secure notes. I don’t see the need for super convenience with my credentials, I’m willing to do some work to access them.
Either way, I’m not handing over a database of login info to a SaaS company. Might make sense for large companies though.
Kinda reminds me of identity management / authentication. These also are features, right? But I feel a lot better about delegating that feature to a business whose core competency is that (eg. Okta, Google, …).
"Payment" also is a feature, but I'd never not use Stripe.
Once the big horses are in the game, it's over. You cannot overcome the brute force of production and cash. Just look at dropbox impoding.
At least password managers are easy to switch.
The nice thing about them is that they have always had a great consumer product (and the teams product has also been excellent). Since they didn't need to take on the funding, I wonder if having a fund on board will result in focussing on the wrong things (e.g. growth-at-all-costs).
What's the best service level for 1password for a small office, like 10 people or so, that want to just share basic passwords for things like social media accounts, mailchimp login, adobe password, and stuff like that?
You can always change it to 1Password Business later if you need more permission controls, user groups, etc.
If you need help with anything, please get in touch with our business team: business@1password.com
The article mentions all the things that 1password succeeded in doing on its own: bootstraping themselves, shifted their product to focus on subscriptions, even made their product work well with more enterprise-y needs. All while working out pretty well financially.
And now they need capital funding. For what? The quotes in the article seems to say that a developing a go-to-market strategy and hiring a sales team to do telemarketing requires 200M.
I'm still on the pre-subscription 1Pass and kudos to them that it still works, but like Dropbox this will become an enterprise service that will be too expensive for consumers. The good news is that password managers are now effectively a commodity, like cloud storage, so there are plenty of options.
Indeed it seems like only like $70mio go into the company, rest is cashout.
If they get annoying, Bitwarden's not bad https://news.ycombinator.com/item?id=21175332
> 1Password plans to use its new capital to “aggressively” invest in its product and go-to-market programs so that it can continue to grow its enterprise customer base
There's nothing wrong with subscription pricing, especially when paired with cloud syncing. Bandwidth and cloud storage aren't free and the app is definitely worth the $2.99/mo.
It was a great move for them, just not for me since I don't sync my passwords over the cloud.
It has detected Dropbox sync out-of-the-box and kept working with existing settings. But it won't refill passwords, unless I either subscribe or buy a license (a pop-up forces me to do so). I'm curious why you're not seeing the same behavior.
I don't use 1password, but I that's where the costs are.
Maybe they might have some life-changing enterprise thing up their sleeves. I don't know. We don't know. I'm wishing them well, I just am bracing for impact.
What are you basing this off exactly? The only case where failing to hit valuation targets can kill a company, is when the company is reliant on continued funding to operate. A profitable company is free to disappoint it's investors in any way it chooses.
...until those investors are not satisfied with those low returns, and installs a new board/executive focused on milking their existing customers.
> They now need to hit $1BB or die trying
And alluded to “those investors” being able to take over management of the company.
As 1Password is already profitable, and has not been acquired, I’m just trying to figure out what reason you have to make those claims.
>> They now need to hit $1BB or die trying
I didn't, actually. Note the usernames. My reply was regarding the more blanket statement of
>A profitable company is free to disappoint it's investors in any way it chooses.
Also, it's not too unreasonable to assume that a controlling stake was obtained considering that the article said "[this is] a gigantic Series A even by today’s standards", and "The company declined to provide its valuation". Elsewhere in the comments someone mentioned that almost 2/3rds of the money was a "cash-out", rather than an investment to the company. Both statements suggest that a large stake was acquired.
I don’t see any sources claiming the company has been acquired (other HN comments don’t count), even if it was I haven’t seen any evidence that the investors are interested in undermining the sustainability of the business model.
All of the doom and gloom comments in this thread are completely unsubstantiated, and seem to be mostly based on misunderstandings of how businesses actually operate. A company reliant on funding to operate needs to be very concerned with its valuation, a profitable company doesn’t to be to anywhere near the same level. Comments that amount to nothing more than “VC bad” should probably not get a free pass in a community supposedly devoted to “gratif[ying] one's intellectual curiosity”.
There are open source solutions that are nearly as good as 1p. I guess its time to start evaluating. Man I _just_ got my partner to starting using 1p too...
[0] https://news.ycombinator.com/item?id=20417832
We are also considering using Bitwarden for Business at my company
the reason I don't use bitwarden myself anymore is because I started using syncthing and it seemed like a waste that I wasn't using it to sync my passwords as well. so I'm using keepass now. its not as pretty but the autotype feature is great and it means I need one less browser extension that I need installed
Edit: they have 174 staff!
Is it really a matter of getting $4X M instead of $X M?
I hope they'll re-release the standalone version before the last person out switches off the servers.
personally though, I don't use their offering outside of my work context. Currently, I think bitwarden is maybe the best platform for consumers as its open source, audited by proper security companies and generally very open. I roll with my self-hosted version and I've been nothing but amazed on how good it is to use, even on mobile. Lastpass had way more usability issues (like being totally broken at first on Firefox when they came out with webextensions) and bitwarden's mobile app is at least as good as the one's you'd normally have to pay for. Strong recommendation for bitwarden.
Such a shame 1Password caved in.
VC can corrupt product, and I have intentionally avoided VC funding for my products, but to say it "never ends well" is just hyperbole.
People complained when they upped their prices and moved to a cloud model (and in all fairness that transition wasn't handled perfectly), but honestly, the product is now way better, works on more platforms, and is totally seamless. I hope they use the investment money to continue to make the product better and to get it into more people's hands.
It is not. 1Password 7 for Mac is a UX regression IMHO. Most of my common workflows have become more clunky. There's useless UI elements I can't get rid of taking up prime real estate (Watchtower). And, while this is subjective, I think it's also uglier than 1Password 6.
Profit is fine so long as a user always remains in control. Given 1Password's history of pulling the rug, I can't guarantee that control.
I am using Lockwise and it uses the same technology and cross-platform sync. Since I already use Firefox this is a no-brainer to me, and it's free.
Is there an advantage to 1Password over Lockwise?
You also don’t have desktop apps in case you open an app that doesn’t support your password manager.
I really hope this story isn't the first warning sign that the decision was a mistake.
I'm using KeePassXC in combination with Syncthing, everything is hosted by me and without the need of any cloud. Am I missing something, or is it just the convinience of one package?
Apple use 1Password themselves.
I had a paid app that worked fine. But they tried really really hard to force you into subscription service. Thanks but no thanks.
Because I use iPhone and Mac and iCloud Keychain works really well, I don’t even think about it.
In the not-so-distant future, the idea of password management will be laughable.
* 1Password: https://blog.1password.com/accel-partnership/
* Accel: https://www.accel.com/interests/OurSeriesAIn1Password
I hope they are working towards a more holistic approach for personal security (encrypted drives, cloud backup, monitoring, most things are still very difficult for anyone but prosumer to manager).
You can also keep your password database offline (airgapped network, USB key/drive, remote/offline devices), and having control of the client + database means you know you can still access those same passwords a decade from now.
This app is a huge part of my day and I'm happy to evangelize it.
This is called a secondary.
After so many years I am happy for them. But some people think this practice is a sketchy
WDYT?
Sorry, but your passwords are some VCs property now, and how/where you use/access them from are a business metric to be sold.
It's UI is definitely the closest you'll get to 1pass. I think a big reason I couldn't use it was the Android app is built off Electron and doesn't currently support Android fingerprinting.. So I'd have to fingerprint into 1pass to grab my Bitwarden pass..
edit: Err on my part, it's missing TouchID in OSX https://community.bitwarden.com/t/touch-id-support-for-macos...
If its open source thats great, but most people are not building the clients for iOS and MacOS at home. We trust the builds that they host to be true to the source.
1password lists its physical address on its home page (and I think every page).
Lastpass is part of Logmein, an established tech company in Boston.
I'm very wary of a password manager trojan horse, similar to the Kaspersky incident.
I would expect he actually reads Hacker News, so please provide us your backstory, much appreciated.
It's also raised at their official forum but no reply from the author.
https://community.bitwarden.com/t/who-is-hosting-bitwarden/1...
The author did take an interview in 2018.
https://opensource.com/article/18/3/behind-scenes-bitwarden
https://community.bitwarden.com/t/touch-id-support-for-macos...
Password management is a privacy and data sync problem.
As a consumer I use an Android device, Windows desktop, Linux laptop so OS or single ecosystem solutions don't work for me. They may be ideal for others.
For a business password manager I'd want to know who is storing my data and how it's being stored. It should be stored where the provider has no access to the passwords (data is encrypted client side before being sent through sync backend ).
Disclosure: TeamPassword is part of the business I run.
https://bgr.com/2018/07/10/apple-1password-acquisition-deal/
It's a company whose founders live in my small hometown and keeps appearing in my life in the most disconnected ways (despite living hours away). Just recently my sister-in-law was hired to the company. All along I'm super impressed by their model and great culture, but at the same time believing that it's -- in the words of Steve Jobs -- a feature and not a product.
Fantastic to see them doing so well.
https://www.theregister.co.uk/2017/02/28/flaws_in_password_m...