Years ago I bought 1Password via a one off payment and set it up to sync via my iCloud Drive. It all worked great. Then they took VC investment and quickly every new feature was locked behind a subscription gate. I switched to Bitwarden. Then they took VC investment and I’m sure will end up down the same path (and you could never use a third party storage service with BW AFAIK). A password manager’s remote storage doesn’t need to be anything other than a safely encrypted SQLite file, you ought to be able to save it anywhere.

I think everyone should have a good password manager in 2024 and non tech inclined folks shouldn’t have to battle with upsells and spammy notifications as a price for being secure. If that means they’re using Apple’s offering, so be it.

I don't know if Apple Passwords will be a perfect fit for me, I'm hoping someone shares a deep dive on the product soon because I'm not in a position to use the beta, but I'm happy to see some more competition in the space.

I have the app open in front of me but haven’t used it much. It’s basically the Passwords pane from System Settings ripped out and with some new fixed smart categories. If that’s enough for you, so will the app be. If not, not.

I’m using it on iPad, macOS, iOS and windows 10 and 11. Seems per much the same as it’s always been.

I’ve got the family using it too.

Just curious what issues other people are experiencing.

It seems their focus is to drive this into the browser extension but that doesn't cover all of my use cases - I very often need to generate a login password _outside_ the context of a browser and doing so now requires me to open the application and create a new password and save that record while before it was one click away in the menubar.

I'm also annoyed that we're no longer able to define which vaults are included in "all vaults" and the inability to simultaneously disable the browser extension from injecting their UI into websites (the login icons, blue input fields, etc) while keeping the prompt to save a login when a new one is detected.

Don't get me wrong, I'm not a fan of Electron, and I'd prefer it have remained a native app, but that alone wouldn't be enough for me to jump ship. And I'm not even claiming alternatives are better than v8; it's simply that v7 was much better, and I'm actively looking for alternatives.

On the desktop there is even a CLI app for interacting with the database, though I also use KeepassXC.

Btw, is keepassxc on Android now or are you referring to one of the many Android keepass apps? I use keepassium on iOS.

I pay for protonmail and also store a copy in protonpass. Proton pass has a nice web interface and doesn’t require me to copy a keepass file or logon to iCloud on my work computer so I use that sometimes too.

I’ve payed for 1Password for 4 years and am a happy customer. But I would also be willing to try KeepassXC if it really offers feature parity.

These are some features important to me, are they supported by KeePassXC?

- Easy password sharing with my wife. We have separate private vaults and a shared vault, and moving a passwords between these vaults is seamless.

- Sync has been seamless for years. I don’t have to worry about e.g. iCloud corrupting my password database and having to restore from off-site backups.

- Integration with many platforms. Currently, that means autofilling/autosaving/generating passwords in common browsers, on MacOS, and on iOS.

- Generating and filling TOTP tokens (no need for Google Authenticator or similar apps).

- Storing and syncing SSH certificates, including acting as an SSH agent (so I have to scan my fingerprint to allow a new SSH authentication).

- Storing non-password items in the encrypted store, e.g. pictures of passports.

- TouchID or FaceID for quick unlocking with everyday use.

KeepassXC does have collaborative features and online sync if you just drop the Keepass file in a shared cloud - I use it this way and it's easy to set up. Also, more importantly, the password database is not stored in some server God knows where.

I’m a tech person and even I don’t want to be responsible for running a Vaultwarden server, the average user definitely doesn’t want to.

And it's not that big a deal to occasionally copy a password onto a Linux or Windows device, or better yet, use the iPhone to authenticate for it.

KeePass was a great bit of software but managing the vault syncing myself and having to wait for (and trust) the third-party Firefox extension to update was tiresome. For about a buck a month, LP was a pretty good deal and handled all of that overhead for me.

I eventually moved to 1Password and it's still what I recommend to most people. $45CAD a year is a pittance for how often I use it. The app and extensions are always up to date, they "just work" even for my 70 year old father. At $12CAD a year, Bitwarden is pretty damn reasonable too.

I don't get the hand-wringing when it comes to reasonably priced services. Development and infrastructure costs money. Yes, a power user can manage everything entirely with free software and a portable sqlite db but that isn't sensible approach for the vast majority of people.

In particular, the reason it's annoying to sync keepass is because of how the program is designed. There are other managers in that ecosystem that let you log in to google/microsoft/dropbox/anything and then you're done. It all syncs perfectly from then on. It's a development problem, not a need for a dedicated service tied to a specific password manager.

And when I'm considering development cost I'm going to look at things on a 5 or 10 year timeline. I think that's a reasonable length to expect a software purchase to last. On that timescale, Bitwarden is okay but 1Password is not at all a good price.

(Also I didn't mean thousands of free services, I meant that each one will give you thousands of megabytes for free. Honestly just google and microsoft accounts, and icloud with a device, cover just about everyone. But there are a lot of free storage services if you want them.)

The program itself might not get information efficiently to do conflict resolution (or not at all): for example, you edit a file offline and sync, Dropbox and friends wouldn't be smart enough to just append both of a few bytes worth of data that a password-manager controlled service could since it would be aware of the data structure but would just dump both files, and then both on another conflict etc

So I guess it's just not the same type of sync service that you get for free in those many services

(also I think it's more than a sub-Mb, you have icons there, but also images of docs and what not)

Though maybe this is not an issue as you mention some of the keepass-based apps that go the "app-sync" route instead of manually placed file?

Right, my main concern here is programs that talk directly to the service's API, because that's the easiest to implement in a correct way. Dumb file storage, but without the worry of stale versions appearing.

Though most people don't need their vault to be robust against simultaneous offline edits from multiple devices.

> (also I think it's more than a sub-Mb, you have icons there, but also images of docs and what not)

I have usernames/urls/passwords, some notes, some icons, and some ssh and bitlocker key files. In total it's 159KB, including a bunch of version history and the recycle bin.

What kind of documents would I put in a password file?

Though some extra megabytes don't really affect my argument much.

I have no problem paying for software. But in this case I’d far prefer a one-off purchase. The only reason there are ongoing infrastructure costs are because I’m being forced into using the company’s cloud service. I already pay for infrastructure in the form of my own cloud storage. I want to pay, once, for software that will use that infrastructure.

More generally, while I might see the value in paying $45 a year for a password service a lot of non-tech folks don’t. They’re happy using the same password everywhere they go (until they aren’t, of course), making them pay a few months-worth of Netflix to use software they’re already not inclined to use means they just won’t do it.

For me, it has nothing to do with the price and everything to do with the fact that I don't want a service dependency for my most critical passwords. I want them to be available no matter what. The product should be standalone. And this isn't a hypothetical concern, either: my employer is contractually mandated to disallow cloud-based password managers, so I must use standalone ones (yes, this is a stupid policy, but one that I'm bound by).

And on top of that, 1Password 5 was an excellent product and it is just steadily getting worse, in my opinion.

I've been a 1password customer for as long as I can recall, and it feels weird dumping my subscription to save a few bucks when it's been such a great service at a fair price the whole time. Why I'd keep it around if the OS solves the same problems, I don't know … just saying it feels weird.

[1] https://discussions.apple.com/thread/250722178

Apple has devs. Maybe some teams are short-staffed, but they fix things.

What Apple doesn't seem to have is a functional bugfix priority loop that includes customer input and provides feedback.

I'm not really a fan of 1Password overall though. The product is still fine but has gotten gradually worse over the years and their corporate posture does not inspire any confidence. Consumer apps that focus on Enterprise and are only interested in SaaS revenue almost always follow the same path of endlessly degrading the user experience once they reach a certain point. I haven't seen anything that makes me think they will be an exception, but I give them credit for actually having a real support channel, at least as of a few years ago.

I don't remember seeing those for Apple. Are there examples of anyone failing to get meaningful help from official support but were able to find a successful resolution through HN ?

1. It randomly adds in limits for my kids I didn't even put there. I put in an X hour limit, it puts in an Y hour limit, usually duplicated three or four times. Most commonly for the 'All apps' category. I delete those, a few weeks later they start reappearing. Kid complains, I delete them again, rinse & repeat.

2. Somewhat regularly it loses connection to the kids' ipads and doesn't update the settings I change. Usually it'll eventually connect, but it can take a while.

3. Some devices it just refuses to see. iMac? Sure. MacBook Air? Crickets. Why? Who knows. Everything is running the latest software, both computers have the iCloud account authenticated. Sometimes it decides my son has no devices at all. I don't really bother looking at reports any more.

4. Sometimes I get screen time requests (install a new app, ask for more time, buy something, etc), and sometimes ... nothin. I can watch my kid put the request in, I never get it. Sometimes it's flawless.

5. The requests come in via iMessage now, and this tends to be okay on the phone, but it is very destructive on the MacOS Messages app. The requests almost never completely load, for whatever reason, and just spin. I think only once I saw the requests show up on the MacOS Messages app correctly. Eventually the requests conversation gets too many of them spinning, and they drag down Messages until it beach balls. If I'm lucky, I see that one coming as it gets slower and delete the conversation before it gets far enough to hang.

There are probably some things I'm forgetting. It is the buggiest bit of software from Apple that I've ever used. The only other app that routinely annoys me is Music, because it periodically (every day or so) seems to lose authorization or something, and just refuses to play music. But doesn't say why, doesn't reauthorize or ask to reauthorize, just doesn't play anything. I restart the app and it works for another day. That bug has been around for several years now, on multiple computers.

* It's incompatible with some apps, e.g. Roblox, that are full-screened, and you end up in an annoying loop between the Roblox screen and the request more time screen fighting with each other, with no ability to click anything. My kid has learned how to hit the Option-Command-Escape shortcut to force-kill Roblox using just the keyboard and restart.

* Sometimes Screen Time requests come via Notifications (yay), and sometimes they come via Messages (boo). There doesn't appear to be any logic behind which.

* When they come in via Messages, and I leave Messages.app running for too long, it ends up eating all of the memory on my 32GB M1 Max and forcing me to restart the system.

* Sometimes requests do not come through at all.

* Sometimes the user cannot request more time. Clicking the button does nothing.

* Sometimes multiple requests come through for the same app. Approving one of the requests does not satisfy all of them, you have to approve all of them.

* Requests for websites do not work. Every so often Roblox breaks and results in having to re-download the .dmg. You end up in a loop between approving the request for more time and the website saying the user needs to request more time. I ended up writing a shell script to curl it instead (which requires munging User-Agent because the Roblox download page does not have a direct link to the dmg).

It's clear there are no Apple employees who actually use Screen Time to manage kids time. I can only assume they just let their kids have unlimited access, because trying to actually use Screen Time is absolutely infuriating, and only gets worse over time (e.g. the Notifications vs Messages thing is a recent regression).

It's also worth pointing out that I have absolutely zero issues with Android Family Link. It all Just Works for similar purposes.

Oh this is a good one I forgot. If my kid is playing Roblox and runs out of time, it goes into that screen loop and is impossible to resolve without at least killing Roblox, and sometimes rebooting the silly machine. That's pretty frustrating for the kid for sure, I ended up just whitelisting Roblox so it never happened.

I’m finding most of the friction with 1Password I run into is actually Apple competing for autofill in Safari creating two completely different UIs above every form element.

The other issue I have is Safari Home apps not supporting extensions so you can only use Safari’s built in manager. I think that’s fixed in Sequoia.

Passwords.app will be used by folks who can’t be bothered to pay for a password manager, which won’t do much to 1Password’s bottom line.

There’s a lot of prior art like Apple uses Cisco WebEx instead of FaceTime for video collaboration. The products Apple produces are just very different than their enterprise counterparts.

You know that you can disable Safari's autofill, right? I recommend it if you're using another password manager.

I'm actually of the same opinion as the GP comment, modulo that I'm not ever going to jump ship to an Apple password manager, but I'll point out that 1Password will most certainly not get Sherlocked since they are not Apple-centric and thus Apple would have to (gasp) release a Passwords.app client for Windows and Linux plus a cli and kubernetes operator in order to hold a candle to the reach that 1P has

I'm sure 1Password doesn't care one iota about loosing individual users with attitudes like this. Until the forced to a monthly rent seeking hand in my pocket policy was deployed, I had been a vocal advocate for 1Pass. Now, they're about to loose me altogether

I felt that way on principle for a long time, but honestly, on reflection, 1P is probably subscription that is most justifiable. I want to outsource online security to people that know what they are doing. I want that to be a viable business for a long time into the future. And I want their funding model to be such that their interests are aligned with those of their paying users (me).

People can get so irrational when it comes to the cost of software. The same person who'd pay hundreds of dollars for a cleaner, or a gym membership, will swear up and down that 70 bucks a year for an online bodyguard is highway robbery.

Often while refusing to work for less than six figures as a SWE, hating on companies for seeking VC funding, dismissing non open-source approaches, and then complaining why there aren't more alternatives :)

I think this new interface to the password feature in macos will probably put even more of a dent into 1password/bitwarden/etc's consumer business driving them even further into catering to enterprise, it's a pitty, but 'this isn't a product, this a feature'.

The current version of 1Password is pretty much seamless for me across Linux, Mac, and iPhone. It's more seamless than it ever was before, honestly. It works for my technical needs and my parents' non-technical needs alike, and greatly simplifies tech support for the latter. I would sincerely recommend giving it a shot if you haven't already.

> I'm not sure a password database is a 'online bodyguard'.

If that's all 1P is, why not just spin up an SQL db yourself? Because, of course, that's not all 1P is. It's a database, a GUI (for five OSes on two architectures, plus web), extensions to auto-fill (and recognise new passwords, or changed passwords) on a range of ever-changing browsers / websites, a great deal of security hardening for their software and servers, an office full of people that evaluate and consider how to combat emerging threat models, etc. None of this is technically impossible to handle yourself, but that's an extremely inefficient allocation of most people's time.

While 1Password probably wouldn't have gotten as popular as it is, if they started as a SaaS, instead of letting everyone think they could just buy it one time and be done, I doubt anyone would be angry about it.

No, the last twenty years has show us that we can't.

If you want developers to perform ongoing work on their products, you need to accept a model where there's ongoing pay for that work.

Before they switched to subscriptions, it still worked like that: 1Password 4, 1Password 5, 1Password 6 - I paid money each time a new version came out. Sometimes I paid the same day of the release and upgraded immediately. Other times, I may have waited a little bit longer and continued with the version that I had.

Nobody's asking for a free lunch.

Where did I or OP say this?

> can have upgrades and working software that gets updates without monthly fees to do it

It’s a bad financial model.

> intentionally removed the local vaults

This is a valid disagreement.

If I am required to pay you monthly for a product there becomes less and less reason for the owner of said product to improve the product. With the hassle that comes with switching password managers (even for myself, I provide three families with this product (my parents, my sisters family)) there is a lot of friction involved with leaving a product that is stagnant that I am paying monthly for.

I was much happier with 1password when i was able to evaluate their new major version, see if any features of it were compelling to me and my extended family and make a decision wether or not it was worth the asking price. Generally speaking a major version wouldn't get huge changes over it's lifetime, maybe some bugfixes, maybe some ui improvements around it's new features (could also be considered bugfixes), any security issues that cropped up. At that point their development staff was more focused on brand new features for the next major version.

I think what we ran into, partially, with 1password is them running out of ideas for their next major version. A password manager, to a consumer, is not a super complicated product that requires a bunch features, a lot of the work is in the encryption and security which isn't really consumer facing.

Strongly disagree that they're part of the group of SaaS companies trying to price gouge their users.

Dislike of SaaS isn't limited to monthly fees, but the lack of features they removed to encourage SaaS adoption

I'm on your side in all the comments I've read so far (especially the "freeloader" one), but this one is a clear "assume the worst" which isn't fair to GP. Their comment could very well have been a legitimate and innocent question. Of course it could have been a majorly failed attempt at a troll (since the question has great answers) but assuming the worst just drags everything down. IMHO better to give benefit of the doubt, even if only for the other people reading it later.

I agree regarding 1pass, but at least it's still firmly trying to solve the password management problem. Apple is trying to solve the vendor lock-in problem (i.e. how can they lock more users in to their platform).

Every other password manager I have tried has had continuous churn, nothing consistent after a couple years.

I have passwords for accounts in my Apple keychain that have survived more than decade and about half a dozen different devices, to internal servers that have been dead for a decade.

The only new thing here is opening it up to more platforms.

I've been using it for nearly 20 years and it's been going down hill fast for the last 5, but 1Password 8 is an absolute clown car. It hijacks your passkey logins meaning that authenticating with Tailscale for me has gone from a single touch of the TouchID button on my Mac, to 1) click button that says "Unlock 1Password", 2) Click it again because it did fuck all the first time, 3) hit the global hotkey for 1Password, 4) open 1Password via Alfred because the hotkey has decided to stop working again, 5) touch the TouchID button to unlock 1Password, 6) switch back to the browser to find that my Tailscale auth has timed out, 7) back to iTerm to initiate the auth again, 8) if I'm lucky, I can now touch the TouchID button to use my Apple passkey, if I'm not, it's back to step 1.

I'd challenge anyone to name an app that has been ruined more by VC money than 1Password.

https://support.apple.com/guide/iphone/share-passwords-iphe6...

I’m with you on 1P. I bought every version starting in 2009, until the constant push to subscribe made me stop. The part their VCs should be afraid of is that switching took about 5 minutes (export + import) and the only change I noticed is that everything is faster. That moat is a trickle of water (I hope it’s water) and they’ve annoyed a lot of the people who used to be telling their friends and family to buy it.

Besides just working as expected, it importantly supports self-hosting. I don't currently make use of that, but have given it a try and it's great as well.

Having alternatives to the SaaS (currently very reasonably priced) is invaluable.

I use BW for all my personal stuff because my wife and I use it.

I will NEVER understand this one. Do they want me to pick a shitty password? I'm not gong to type a string of of 20 mixed-case and special characters into a private text box on my phone. It always takes 3 or 4 tries to even get it right.

The desktop and tablet version will be released this year though.

> The Passwords app is free to download, available across iOS 18, iPadOS 18, and MacOS 15, and will also work with the Vision Pro and Windows computers, says Apple.

I suppose that Apple really considers the iPhone to be the center of its customer's lives, with a Mac or Windows computer... rather than my view, of my computer being the center and my phone tertiary.

You actually care about your computer, and if software isn't available for your OS then you're unlikely to ever switch OS to use it.

But you could be persuaded to move to iPhone, and maybe if enough new Apple services (which aren't available on Android) tempt your wife then she might make her next phone an iPhone, too?

Apple cares more about persuading people to switch from Android to iPhone than about Windows to Mac. But I also suspect there are many more Windows+iPhone people than Mac+Android.

Probably so, but there is one demographic well represented here that does this routinely: Developers. Macs are the default and often mandatory computers issued to developers at tech companies (I strongly disagree with this approach and think employees should get the platform they are most comfortable on, but Macs only is the current state of things in most places).

So many use Macs because of work, but have Android phones due to reasons I won't articulate here, mostly due to time but also with the audience on this article I expect it would melt down into an argument about which flavor of ice cream is better (metaphorically, not literally). Suffice it to say, Android users would agree with the reasons, Apple users will say you shouldn't be doing those things anyway, and we'll have to agree to disagree.

Anecdotally, it's also my subtle impression that iPhone users are more inclined to update frequently regardless of how much longevity they could get out of it. I just buy my phone and keep it operational for as long as possible, only buying another if my current one is physically inoperable, and I feel like I'd get to that point more quickly with an iPhone, since parts are more expensive and not as readily available.

The other major password managers are on Linux, and Apple will need to support Linux for this new offering to be interesting to me.

Of the major tech companies, Apple probably has the worst track record of not playing nice with other platforms, walled gardens and all. Passwords are needed on all platforms. Apple would be the last company I would trust to ensure that I would be able to access my passwords anywhere I may need them.

I still really hate the iOS-restyled system prefs. Tiny unresizable text, a long vertical scroll. I can’t find a damn thing in it and just use the search bar every time and feel faintly annoyed about it.

Hopefully Adobe won’t decide to start shitting a bunch of authorization credentials into private Notes the way they took over the Private Notes section of Keychain.

But my biggest one is wanting to store secure files. Think copies of a drivers license, signed documents or various certs and keys. That's not being covered here either for me sadly. It's not a super common situation for me so I can probably find an alternative app for that purpose.

Edit: Also for notes, I'd just password protect something in the Notes app. But that's just me.

I frankly just have photos of DL and insurance cards in my photos with tags to make finding them easy. Although note with the text searchable images that’s largely not even needed.

I don’t get what the security concern in. My photo reel is way more secure than my actual wallet.

Glad they're splitting it out of System Settings into a dedicated app.

I've also started migrating family members to it. It'll be way easier for the less technical people since it's already tightly integrated in the devices and OS they use everyday.

Whenever I do a password change, I have to do it on my phone, so that the new one will be stored. But that is fine with me. I’m happy to do that in exchange for being freed from “password managers”.

Really no big difference, you’re still technically using a password manager.

Also you can access those passwords on Mac as well, it’s in settings just as you would find it in your phone. No need to copy from your phone and paste it, Mac can autofill. It can also autofill on other browsers through the dedicated right click menu, but it’s a bit more clunky than on Safari.

Fun fact, those same passwords can be accessed on windows now, install iCloud for windows and enable passwords. It uses a dedicated app on Windows.

I also enable keychain sync on my Mac so I can create passwords there too.

But i would like to hear more details of the corruption if parent is willing to share. This is pretty much my worst nightmare scenario.

I constantly have issues with it not engaging on a form where I have to manually switch to 1pw, though it has gotten a bit better over the years.

I hate to see a company/product get sherlocked but I don't feel like password security was something we should need to have a subscription for.

I have been working on solving password management as a local-first, cross-platform, open-source application[1]. It's a bit rough around the edges still (no browser extension yet!) but is worth trying as an alternative. Any feedback would be much appreciated!

The app is designed for zero vendor lock-in (after all this is our most sensitive data) and a self-hosted server is part of the design. We aim to make money offering a cloud platform for syncing and social recovery (digital inheritance) and eventually would like to also function as a Dropbox/Keybase alternative.

We will be releasing the open-source SDK[2] soon.

All comments or suggestions welcome.

[1]: https://saveoursecrets.com [2]: https://docs.rs/sos-sdk/latest/sos_sdk/

There's not much else to add: it just worked. I wish all "lock in" were that open.

It's fantastic, and for some reason I trust OS/browser developers to do this more safely than a company focused on password management that has to figure out OS APIs, write browser extensions, or rely on a clipboard that has nearly unbounded read access.

Android's autofill framework is open to everyone to use, and every third-party password manager has a Chrome plugin. I use Bitwarden with exactly this experience, but across Firefox and Chrome and Android.

and where do you store your passwords for apps?

I use KeePassXC to store passwords for apps.

So you have two password managers one for Firefox and the other for apps. What happens if you have an app login that is also a web site? Two entries of the same thing?

Keepass is the closest I've ever felt to just having a wallet for my passwords. It should be ratified as a standard, so we can make Google and Apple provide "Export to Keepass" buttons in their apps.

If my script could retrieve a password from my KeePass DB if it's unlocked, or ask me to unlock it, that would be cool.

I tried out passwords, and combined with Safari, it's an absolute godsend compared to 1Password. That does mean that I switched from Brave to Safari, and thus have YouTube ads, and so I'm now paying for YouTube haha

This isn't my experience since the recent update that shows up a mini-login panel when trying to sign in. The old experience that opened the desktop app first was fairly slow.

I'm leaving that platform. They've taken shittification to new heights.