1Password's gone bad - recommendations? - Page 2

Comments

  • jiggawattjiggawatt Member
    edited March 2017

    raindog308 said: the idea that I could never stop paying and if I did, my data becomes no longer available (or becomes read-only which I think is the case here) is unacceptable.

    I don't see how this is different than email which is generally sold on a subscription model. If you don't pay your G Suite bill on time, your data disappears 30 days later. Even if you host your own email, your VPS and domain are still essentially subscriptions.

    I think the subscription model is a healthy model for software that is expected to be actively maintained. Previously, commercial software vendors charged you for an upgrade. Of course, you never had to upgrade but Windows 3.11 won't be very useful for you today.

  • akhfaakhfa Member
    edited March 2017

    Use Enpass with Dropbox or another storage provider to sync the database. Works perfectly here. I can even say that Enpass autofill is better than LastPass, and you have control over how your database is synced :)

    It also has an importer for some password managers, including 1Password. I have tried the LastPass importer; not perfect, but better than importing your data manually :)

    The most important thing is that it is multiplatform (Windows, Mac, Linux). We need to make a one-time purchase for the mobile apps, but it is still worth it for all you will get. I think that mobile pricing is a donation for the developer, a little amount of money to keep the project ongoing :)

  • WSSWSS Member

    @jiggawattz said:
    I'm flummoxed that the gracious leader of the LET commentariat class @WSS would even contemplate, let alone suggest, LastPass: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

    Bad regex parsing is an amateur coding mistake. It's unacceptable when CloudFlare does amateur coding - but it's not a problem when it's the company storing all your passwords?

    That certainly was a rather dumb mistake, likely a solution designed by a front-end person. Fix was less than a day. Dumb as hell, and it won't be the last. Of course, using autofill rests upon the laurels of the user more so than a checkbox in something designed specifically to NOT have you reuse the same damn password everywhere.

  • raindog308raindog308 Administrator, Veteran

    jiggawattz said: I don't see how this is different than email which is generally sold on a subscription model. If you don't pay your G Suite bill on time, your data disappears 30 days later. Even if you host your own email, your VPS and domain are still essentially subscriptions.

    I disagree. Let's put aside the sync part of 1Password as I'm not interested in that. I'm perfectly happy with my safe on Dropbox, and I'd trust their security over AgileBits'.

    • with Gmail, they're providing a service. Servers, network, admin, etc.

    • if Gmail jacks up their rates, I can give them the finger and go over to mxroute. If 1Password jacks up their rates again, I don't have another choice.

    • with traditional software, I get to choose when I pay to upgrade. New version, ok won't be supported in a year or two, but hey it's Christmas and I'd rather live with the old until I get my tax refund, etc. With subscription, you have no choice - you pay now, or you're out.

    • And, you know, it's not like AB raised the rates to give everyone a discount. Cost went up 300% in just a five-year stretch...over my lifetime, thousands of percent.

    Etc.

    I think the subscription model is a healthy model for software that is expected to be actively maintained. Previously, commercial software vendors charged you for an upgrade. Of course, you never had to upgrade but Windows 3.11 won't be very useful for you today.

    I hate subscription software. The people who like it, not surprisingly, are publishers because it's a lot more expensive. That's really the story with subscriptions - it's some hand-waving to cover a price increase.

    Awmusic12635 said: They still very much sell the one time fee version and have said they intend to continue to support it.

    I just can't find that info anywhere. You go to their site, click Pricing, and your only option is $3/mo. I don't see anything in the forums where they're reassuring customers that the old model will stay around.

    If the old model (buy a license, pay for upgrades when/if you need them, host on Dropbox) is staying around, I'm a happy camper. But it looks like they're going in a different direction.

    Thanked by 1JustAMacUser
  • @raindog308 said: [... a bunch of stuff]

    I agree and share your point of view completely. I've purchased software on sale for $15-$30 and had companies switch to a subscription model. At just a few dollars a month it still ends up costing me a lot more. My response is to not sign up and either switch products or code my own solution. I understand the developer's position, but as a consumer I'm resistant to the idea of monthly fees for products.

    If the old model (buy a license, pay for upgrades when/if you need them, host on Dropbox) is staying around, I'm a happy camper. But it looks like they're going in a different direction.

    In looking over AgileBits's marketing material, I get the impression that those who purchased the product(s) are being grandfathered. I see the writing on the wall and would not at all be surprised if in five years there's no alternative but a monthly fee to use their products (sync services aside).

  • jiggawattjiggawatt Member
    edited March 2017

    raindog308 said:

    with Gmail, they're providing a service. Servers, network, admin, etc.

    AgileBits is providing a service: developers, security auditors, website vulnerability monitoring/reporting through Watchtower, etc.

    They might not host anything but they still have developers on payroll working to make sure your product works with latest releases of platforms, browsers and websites.

    Maybe it's not worth $3/mo in your opinion - but I think the Canadians are worth that.

    if Gmail jacks up their rates, I can give them the finger and go over to mxroute. If 1Password jacks up their rates again, I don't have another choice.

    1Password allows you to export your vault in .csv or .txt format for data portability.

    with traditional software, I get to choose when I pay to upgrade. New version, ok won't be supported in a year or two, but hey it's Christmas and I'd rather live with the old until I get my tax refund, etc. With subscription, you have no choice - you pay now, or you're out.

    This is true.

    And, you know, it's not like AB raised the rates to give everyone a discount. Cost went up 300% in just a five-year stretch...over my lifetime, thousands of percent.

    Startups, especially who sell on the app stores, have had a lowball mentality and I think there has been an awakening of selling premium software at premium prices. Password managers are still relatively niche products compared to other things and you need to charge more for niche stuff.

    I hate subscription software. The people who like it, not surprisingly, are publishers because it's a lot more expensive. That's really the story with subscriptions - it's some hand-waving to cover a price increase.

    Commercial software has a capitalist component to it, but the market is competitive and, even though there is no law requiring it, 1Password does allow you to port your vault to a common format.

  • raindog308raindog308 Administrator, Veteran

    jiggawattz said: AgileBits is providing a service: developers, security auditors, website vulnerability monitoring/reporting through Watchtower, etc.

    Right, but you could say that about anything. By that logic, all software should be subscription-based.

    jiggawattz said: Maybe it's not worth $3/mo in your opinion - but I think the Canadians are worth that.

    And I do not, which is a legitimate point of disagreement. But beyond that, I have a strong dislike of subscription-based services because of increased cost, lock-in, and being straitjacketed into someone's idea of when I should pay.

    Thanked by 1jiggawatt
  • jarjar Patron Provider, Top Host, Veteran

    @raindog308 said:

    jiggawattz said: AgileBits is providing a service: developers, security auditors, website vulnerability monitoring/reporting through Watchtower, etc.

    Right, but you could say that about anything. By that logic, all software should be subscription-based.

    I wish. More than enough devs out there making apps and selling them, then abandoning them. Usually justified too because their sales hit a cap and they backed themselves into a corner by not requiring some kind of recurring cost, or at least a pay for upgrade model.

    Software development is one of the most difficult things you'll ever fail at so easily.

  • @jarland said:

    @raindog308 said:

    jiggawattz said: AgileBits is providing a service: developers, security auditors, website vulnerability monitoring/reporting through Watchtower, etc.

    Right, but you could say that about anything. By that logic, all software should be subscription-based.

    I wish. More than enough devs out there making apps and selling them, then abandoning them. Usually justified too because their sales hit a cap and they backed themselves into a corner by not requiring some kind of recurring cost, or at least a pay for upgrade model.

    Nah, the big mistake is that they didn't have a business plan before they started/finished writing the software. It doesn't have to be a subscription that pays for past and future development, but you do at least have to work out what it'll take to maintain a sustainable project. Or maybe it legitimately is a one-off development that solves a specific problem, and is then open sourced to allow tweaking by anybody who needs it.

    I think that's what offends people most about subscriptions: they're sold as a way to keep getting updates, but companies often treat them as installments for previous development work. And people who bought their software have essentially already made those payments. The smart thing to do would be to offer them a substantially cheaper subscription that does only cover future development.

  • impossiblystupid said: Nah, the big mistake is that they didn't have a business plan before they started

    Are we talking about the tech industry here?

  • jgillichjgillich Member
    edited March 2017

    I use pass: https://www.passwordstore.org/

    It integrates with git, and there is a Firefox plugin and an Android app.

    Thanked by 1quicksilver03
  • Awmusic12635Awmusic12635 Member, Host Rep

    raindog308 said: I just can't find that info anywhere. You go to their site, click Pricing, and your only option is $3/mo. I don't see anything in the forums where they're reassuring customers that the old model will stay around.

    If the old model (buy a license, pay for upgrades when/if you need them, host on Dropbox) is staying around, I'm a happy camper. But it looks like they're going in a different direction.

    They were pretty active on hackernews when people were asking questions after the subscription was announced. One such example: https://news.ycombinator.com/item?id=12376841

    Can buy the one-time version here: https://agilebits.com/store/ . The last paid upgrade for the fully owned version was in 2013. The last 3 or so full version upgrades have been free of charge.

    Hope that helps.

    Thanked by 1raindog308
  • abytecuriousabytecurious Member
    edited March 2017

    I would recommend KeeWeb (https://keeweb.info/). All data is stored on Google drive/Dropbox. There is a web version (https://app.keeweb.info/) and desktop versions. Since the backend file is KeePass compatible, you could sync with an app such as Keepass2Android

    PS: And I forgot to mention, it is all free.

    Thanked by 1jaden
  • @jiggawattz said:

    impossiblystupid said: Nah, the big mistake is that they didn't have a business plan before they started

    Are we talking about the tech industry here?

    Heh. Happens in a lot of industries where people are spending money before they have a single customer. Capitalism needs better checks and balances.

  • What about Devolutions Password Vault Manager? They have a free version and it also has apps for Android and iOS.
    https://password.devolutions.net/Home/Features

    $59 to buy a license

  • roboform

  • Been using keepass for many years. Still do. I don't want my entire password database floating around out there, even if it is encrypted.

  • I heard all the arguments about, oh needing expensive developers, and about all that oh so expensive infrastructure ... and I call it bullshit.

    Besides the fact that it escapes my understanding why anyone would actually want and pay for having his passwords stored at some internet service, here's what I think:

    The core of such a service consists of three elements:

    • server software
      which is pretty much written once and that's about it. One might play funny design update games with the front-end but those are cheap. web-"developers" are a dime a dozen and the front-end work is simple.

    • client side
      the core of which is also written once and that's about it. Again, one might add this or that fancy gadget later but that's no big thing.

    • server (as in "hosting")
      What's the big deal? One can host millions and millions of password/passphrase/keys of millions of customers on a single server. Let's add 2 more for resilience and that's about it.
      One could sell secure password store services at 1 cent per year and still earn money on it as far as the hosting is concerned.

    That's why it's important to see the software side and there in particular one decisive factor: You DO NOT the fuck "update" that kind of software. I happen to work in that field and I'll repeat: You want to get that kind of software right once - and then not muck with it unless there was reason of major importance, say intel dropping dead plus http 3 becoming commonplace.

    As for "but there are so many browsers and interfaces and ..." - Fuck it. The answer is "use standard html plus css".
    Well noted, I'm not talking about the sales site, which might be jumping and dancing and whatnot. But as for the core interface the customer will actually welcome a simple, clean, standard interface.

    That said, I wouldn't trust any internet company with all my sensitive stuff. Nor would I trust them to properly encrypt and safekeep everything. But for those who do that I tell you that anything above 10$/year is a rip off.

  • Awmusic12635Awmusic12635 Member, Host Rep
    edited March 2017

    bsdguy said: That said, I wouldn't trust any internet company with all my sensitive stuff. Nor would I trust them to properly encrypt and safekeep everything. But for those who do that I tell you that anything above 10$/year is a rip off.

    You don't trust a company, and yet you wouldn't pay more than $10 a year for such a service that does it properly? Perhaps your budget doesn't align with your security and support expectations.

  • @Awmusic12635 said:

    bsdguy said: That said, I wouldn't trust any internet company with all my sensitive stuff. Nor would I trust them to properly encrypt and safekeep everything. But for those who do that I tell you that anything above 10$/year is a rip off.

    You don't trust a company, and yet you wouldn't pay more than $10 a year for such a service that does it properly? Perhaps your budget doesn't align with your security and support expectations.

    Wow, an ad hominem and so quickly.

    What exactly is your professional background and expertise to judge that? I guess none, nada, zilch.

    You see, I actually work in the field, I actually do design secure systems and software, I do write safe code, every line of which runs through static analysis with multiple sat/smt backends. And btw. most of my work is for networks and servers.
    And I happen to know the cost structure of both development and of providing internet services.

    That said, I'm a mere mortal and there are still many, many things I don't know. So I might well be wrong in what I said here. But then, that's the nature of a forum: discussions.
    A simple ad hominem, however, will certainly have one effect only and that is you looking stupid.

    Thanked by 1bugrakoc
  • jgillichjgillich Member
    edited March 2017

    bsdguy said: You want to get that kind of software right once - and then not muck with it unless there was reason of major importance

    Getting to the state of the software being "right" takes a long time though

    bsdguy said: As for "but there are so many browsers and interfaces and ..." - Fuck it. The answer is "use standard html plus css". Well noted, I'm not talking about the sales site, which might be jumping and dancing and whatnot. But as for the core interface the customer will actually welcome a simple, clean, standard interface.

    I would expect a password manager to be end-to-end encrypted, which makes JavaScript mandatory. I also think you have no idea what average consumers want; JavaScript is what enables web applications in the first place. HTML alone is fine for documents, but that's about it.

    bsdguy said: But for those who do that I tell you that anything above 10$/year is a rip off.

    Prices are not based on costs, they are based on what makes the most money.

  • Awmusic12635Awmusic12635 Member, Host Rep

    bsdguy said: Wow, an ad hominem and so quickly.

    What exactly is your professional background and expertise to judge that? I guess none, nada, zilch.

    You see, I actually work in the field, I actually do design secure systems and software, I do write safe code, every line of which runs through static analysis with multiple sat/smt backends. And btw. most of my work is for networks and servers. And I happen to know the cost structure of both development and of providing internet services.

    That said, I'm a mere mortal and there are still many, many things I don't know. So I might well be wrong in what I said here. But then, that's the nature of a forum: discussions. A simple ad hominem, however, will certainly have one effect only and that is you looking stupid.

    Perhaps that was worded poorly, it wasn't intended to be directed at you specifically. Sorry about that.

    I'd like to focus more on what is considered to be a reasonable price for maintaining such a service. Including

    1. Supporting the infrastructure (actual servers, software, security audits, etc.)
    2. Doing client support
    3. Product design and development
    4. Business direction and company requirements (accounting, etc.)
    5. Any other items I might be missing.

    They do seem to have a decent number of employees: https://1password.com/company/

    The original thought from the $10 per year came from the Lowend industry where many seem to have unrealistic expectations or expect the world for almost nothing.

    What do we consider to be a valid price for providing this service, a password manager, that I know many of us use an extreme amount of times per day and has become a critical part of our working environment?

  • WSSWSS Member

    @jgillich said:
    I would expect a password manager to be end-to-end encrypted, which makes JavaScript mandatory. I also think you have no idea what average consumers want; JavaScript is what enables web applications in the first place. HTML alone is fine for documents, but that's about it.

  • WSSWSS Member

    End to end Node.

  • @WSS Got anything of value to say?

  • WSSWSS Member

    @jgillich said:
    @WSS Got anything of value to say?

    Yes. For you, though, no. I discounted your opinion weeks ago.

    Thanked by 1deadbeef
  • WSS said: Yes. For you, though, no. I discounted your opinion weeks ago.

    Weeks? I've only been posting here for a few days. But I'm starting to enjoy this.

  • WSSWSS Member
    edited March 2017

    It certainly feels longer. Enjoy your javascript-secured data.

    Thanked by 1vimalware
  • raindog308raindog308 Administrator, Veteran

    bsdguy said: The core of such a service consists of three elements:

    No, there's quite a lot more.

    You need desktop and mobile apps because people want to store non-web passwords, too. You need to support all the major browsers on all the major platforms (yep, warm up your Internet Explorer on Windows skills). And iOS and Android. Maybe watches. There's all the hard UI stuff - for your users' sake, hopefully this takes the majority of the time. Then you get to master the APIs for Dropbox, OneDrive, Google Drive, and others, or creating your own service (but cunts on LET will complain about that). Then you can figure out how to make all these clients sync. Oh, and you need to get encryption right in all of this, which is never easy, and at some point the sales department will point out that you can get a lot more sales from companies if you pass audits X and Y.

    bsdguy said: pretty much written once and that's about it

    bsdguy said: which is also written once and that's about it

    That's not how that works. New OS versions come out, new browser versions come out every week it seems like, and there's a never ending stream of user tickets, bugs, and problems. How often is there a new phone? Etc. You can say your code is immortal, but your users would appreciate you testing it and finding bugs before they do. You're in bed with Microsoft, Apple, and Google whether you like it or not, and they change things.

    The hardest part is probably making sure your stuff works on all the web sites. It's up to you to test that it works because your customer isn't going to say "I wanted to use BSDGuyPass to login to my bank, but gosh, they must not be using standards-compliant HTML so I guess I'll change banks"...they're instead going to give you a 1-star review because you're not doing your job. The world is not going to be standards-compliant and as the software publisher, yep, that's your problem.

    There's probably few more things but that's the main. That's not simple, and I of course am willing to pay for it. I was arguing about the subscription service, not the complexity of the problem.

    Thanked by 2WSS deadbeef
  • @jgillich said:

    bsdguy said: You want to get that kind of software right once - and then not muck with it unless there was reason of major importance

    Getting to the state of the software being "right" takes a long time though

    Maybe. Maybe not. Let's look at it. Besides the lala "webdesign" and funny jumping balls javascript shit called "modern look" it's 3 core elements: a proper interface, a proper core engine, and a solid system and database.

    Realistically, any web-mail service demands more work and resources. Designing and specifying the core properly, that is formally (which almost certainly was not done) might take 6 - 8 man weeks. Cost: Below 50K. Implementing the core in an adequate language, e.g. Ada, might take 6-8 weeks, too at similar costs (Rule of thumb: implementation cost is roughly equal to spec. and design costs). All of which is meaningless because the core was almost certainly not done in a formally verifiable way but hacked in C++, java or the like.
    Plus the javascript mumbo jumbo which can be done in parallel and takes less time than the core.

    I would expect a password manager to be end-to-end encrypted, which makes JavaScript mandatory. I also think you have no idea what average consumers want; JavaScript is what enables web applications in the first place. HTML alone is fine for documents, but that's about it.

    a) why? After all the whole shebang goes through ssl anyway. b) So what? Doing encryption in javascript is no secret rocket science.

    Prices are not based on costs, they are based on what makes the most money.

    a) they'd better not completely costs either, b) is that so?, c) aren't they more based on what can be reasonably milked from a given market.
    5 mio customers paying 10$/year is more than 500k customers paying 35$.
