The items in its database let you define custom fields for them, but there is no literal multi line text field. There's a "File" type, but you can't simply define fields with multi-line text values. However, every item has exactly one built-in "notes" field, but that's actually styled markdown text. And you only get one. And its name is always "notes".
It would obviously be extremely useful to be able to define an arbitrary number of arbitrarily labeled multi line text fields that are not interpreted as markdown text.
It boggles my mind that 1Password doesn't support this. What were they thinking??? It makes it a real pain in the butt to store ssh keys and certificates and a lot of other types of information in 1Password.
A single markdown "notes" field just doesn't cut it. It's not as if it's technically challenging or a security risk. It already has a "notes" field, so just turn off the "rich text" feature and allow me to make my own! I would have thought it was a pretty obvious and often requested feature, but as far as I can tell, it's impossible!
I don't like putting the private key in the notes field, because its name is still "notes" (but I'd prefer the label be the key's file name), it's actually markdown formatted text, not literal text, and what if I still want to write a note, but I've already used the notes field for the key?
HTTPS certificates including multiple certificate chains, and private keys, and those are all multi line files. And each part should go into a separate clearly labeled multi line field. And I don't want to be forced to write a copy of my server's ssh key into a local file on my laptop in order to attach it to a 1Password file field, and remember to delete it quickly before Time Machine backs it up for posterity.
Right now I am forced to concatenate all my certificates and keys into the "notes" field, and write the file name before each part, and put blank lines between each file, which is terribly inconvenient and error prone.
I also put a multi-line list of all the user names and passwords that I set up on a server.
There are millions of other reasons why anyone might want to use a multi line text field beyond ssh keys and certificates, just use your imagination.
My question is why wasn't this obvious feature supported from day 1, like I fully expected it to be when I bought a 1Password license? Why did I have to find that out for myself the hard and disappointing way, because I never noticed a section in the 1Password manual or promotional advertisements about why 1Password made the decision not to support multi line text fields. I'd love to know the reasoning behind that decision.
[Edit in response to "Maybe I don’t understand, but couldn’t you use the notes section? Wrap whatever you need in triple backticks to create a code block?":]
I PAID for 1Password, and the company I work for standardized on it and requires we use it, so I kind of expect not to have to jump through those kinds of pointless hoops with a commercial product. I should be able to select-all/copy/paste without meticulously selecting just the right text character-by-character. The time I waste doing just that would pay for a yearly subscription to a better product.
Been a happy paying customer since 1Password v4, but I agree this seems like an easy win.
https://1password.com/downloads/command-line/
I am trying it out, and hope it will be as useful for cases like using the Google Cloud CLI's secrets command to retrieve secrets in automated scripts, like "gcloud secrets versions access latest --secret=wildcard_foo_com_pem".
https://support.1password.com/command-line-getting-started/
I've followed the installation and authentication instructions, and ran "op signin my.1password.com foo@bar.com", entered my account's secret key, my account's password, then it prompted for "Enter your six-digit authentication code:". But I didn't receive any text messages with authentication codes on my phone.
So now I am stuck. I don't have 2FA set up on my 1password account, apparently. Do I need to do that in order to use "op", and how do I do that?
More importantly, when I write a script that authenticates using the "op" command line utility, how can it accomplish the two-factor authentication step without me being present behind the keyboard and entering a response manually? And is there a better way to write a script that authenticates somehow without using my literal secret key and password and 2fa code?
This seems to be an open issue since at least March 2019. Has it been fixed yet, or is a fix planned? Should I just give up trying to use "op" to write automated unattended scripts, the way I use "gcloud secrets"?
https://1password.community/discussion/97138/cli-always-requ...
>CLI always requires authentication code
>I am using the op CLI and I also have two-factor authentication enabled. Every time I authenticate to op, it asks for the authentication code. This gets annoying quickly and does not help in my quest to automate CLI signin.
>$ op signin YYY
>Enter the password for XXX at YYY.1password.com:
>Enter your six-digit authentication code:
>Is there a way to convince op that it is running on the same host similar to the way the 1password application and browser extensions do?
>Reply:
>@razorsedge unfortunately the CLI has something of an "incomplete" implementation of 2FA, only in that it does not persist the 2FA secret after the first authentication. All the other apps persist this secret, allowing them to do 2FA "silently" in the background, but that has not yet been implemented on the CLI. It's something we look to do in the future, but I can't give a timeline on when it will be available.
>[...]
https://github.com/dcreemer/1pass/issues/17
>Support TFA for 1password accounts #17
>I have TFA enabled for my 1password account. Unfortunately, 1pass can't handle this and instead of letting me input the token, the TFA prompt instantly returns and fails.
>signing in to xxx.1password.com alpipego@xxx.com
>Enter your six-digit authentication code: [LOG] 2019/03/17 12:53:25 (ERROR) Incorrect One-Time Password length. Expected 6.
>1pass failed to signin to xxx.1password.com
>It'd be great if TFA support could be added.
These days I'm just delighted when 1password doesn't open a totally different browser when invoked from the active one.
And probably can't filter for them as easily either.
I put images of my health insurance card in 1pw.
Do this. Now, pretend you want to upload those images to a web portal that's asking for your insurance information. To pretend, just try and put the images of your insurance card into an email body to yourself.
See how many clicks it takes.
And in the common case that the text is only on my clipboard, for example if I copied it from a web page or shell, then I have to go to all the effort of first saving it locally into a file somewhere in the file system, before laboriously navigating to it again with 1Password (often having to wait for my USB hard drives to spin up again as my Mac is frozen for 50 seconds showing the file dialog that scans all the attached storage devices) and finally adding it as a file attachment.
And then after all that extra busy work, the plaintext secret file now is floating around unencrypted in my file system somewhere, which is exactly what I didn't need.
It's such an obvious feature that would be so easy for them to implement, it made me feel like it must be possible and super-obvious to most people, but I was just too dumb to figure out how to do it.
(No, pressing shift-return in a single line text field doesn't work. And pasting multi-line text into a text field replaces newlines by spaces, thank you.)
export SSH_AUTH_SOCK=~/.1password/agent.sock
So you would essentially replace Keychain, Gnome-keyring, or the vanilla SSH-agent with 1password. Very nice solution.
> The standard OpenSSH agent (ssh-agent) that comes preinstalled on most systems requires you to add keys to the agent (ssh-add) every time it launches. After you've added your keys, any process can use any SSH key that the OpenSSH agent is managing. It is then up to you to remove those keys when they're not needed anymore.
> The 1Password SSH agent uses a different approach. 1Password will ask for your consent before an SSH client can use your SSH key. Because of this, there's no concept of adding or removing keys like with the OpenSSH agent.
> When you turn on the SSH agent from the 1Password preferences or settings, every eligible key is automatically available to use for SSH, but your private keys will never be used without your consent.
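To make concrete what a client actually gets back over that socket, here is an added example (not code from the thread or from 1Password) of the agent protocol's identity listing: the agent returns only public key blobs and comments, and signing with the private key is a separate request the agent can refuse. The `list_agent_identities` helper and the default socket path are assumptions for illustration; the sample answer is constructed.

```python
"""SSH agent protocol over SSH_AUTH_SOCK: an SSH client lists identities
with SSH_AGENTC_REQUEST_IDENTITIES and the agent answers with public key
blobs plus comments. The private key never crosses the socket; signing is a
separate request the agent may refuse (or, for 1Password, ask consent for)."""
import os
import socket
import struct
from typing import List, NamedTuple, Optional, Tuple

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
# Assumed default: the socket path the thread exports as SSH_AUTH_SOCK.
DEFAULT_1PASSWORD_SOCK = os.path.expanduser("~/.1password/agent.sock")


class AgentIdentity(NamedTuple):
    key_type: str   # e.g. "ssh-ed25519", taken from inside the key blob
    blob: bytes     # wire-format public key, as written to authorized_keys
    comment: str


def _put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated agent message")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n


def build_request_identities() -> bytes:
    """Framed request: uint32 length, then the single message-type byte."""
    return _put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(payload: bytes) -> List[AgentIdentity]:
    """Parse an unframed SSH_AGENT_IDENTITIES_ANSWER payload."""
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    if len(payload) < 5:
        raise ValueError("truncated agent message")
    (count,) = struct.unpack_from(">I", payload, 1)
    off = 5
    identities = []
    for _ in range(count):
        blob, off = _get_string(payload, off)
        comment, off = _get_string(payload, off)
        key_type, _ = _get_string(blob, 0)   # first string in a blob is its type
        identities.append(AgentIdentity(key_type.decode("ascii"), blob,
                                        comment.decode("utf-8", "replace")))
    return identities


def make_ed25519_blob(pubkey32: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key: string type, string 32-byte key."""
    return _put_string(b"ssh-ed25519") + _put_string(pubkey32)


def make_identities_answer(entries: List[Tuple[bytes, str]]) -> bytes:
    """Build the answer an agent would send (used here to construct a sample)."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(entries))
    for blob, comment in entries:
        body += _put_string(blob) + _put_string(comment.encode("utf-8"))
    return body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        data += chunk
    return data


def list_agent_identities(sock_path: Optional[str] = None) -> List[AgentIdentity]:
    """Ask a live agent (1Password's or OpenSSH's) which keys it offers."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK") or DEFAULT_1PASSWORD_SOCK
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))


# Constructed sample answer: one ed25519 key (not a real key) with a comment.
SAMPLE_ANSWER = make_identities_answer(
    [(make_ed25519_blob(b"\x01" * 32), "laptop-2024")])

if __name__ == "__main__":
    for ident in parse_identities_answer(SAMPLE_ANSWER):
        print(ident.key_type, len(ident.blob), "bytes", ident.comment)
```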
It's not like I'll ever need to manually interact with the socket, so keeping it out of the way would seem logical.
That's a general theme I see with all this SSO stuff. You have a few companies with root on the universe. Am I weird that this concerns me?
Unless their local client was compromised (not impossible - but if your local is compromised you're in trouble regardless), even if someone hacked them and stole their data, they would not have your clear-text info.
It's everyone's choice to make but I am personally OK with this security/convenience trade-off. It's "good enough" for me - mostly because I trust them to know how to do this better than I could - if it means I can manage all my passwords in one place and access them from any device.
1Password also has useful (to me) quality-of-life features like integration with HaveIBeenPwned, it can also show you re-used passwords, and if you store credit cards or other info, it will also tell you when they're about to expire etc.
Plus you can store any arbitrary metadata with any record, so I even use it to store non-sensitive, but still private, info associated with logins, docs, ID, etc.
Obviously it's not ideal to share SSH keys, but lots of teams will share the default EC2 keypair for example. This makes it much easier to pop that key into 1Pass, share it with the team, and easily get everyone into the box.
And, frankly, 1Password gui is much more user-friendly than other SSH agents. Personally, I'll stick with the tried and true OpenSSH agent, but I know many will be attracted by this feature.
It does seem like a weirdly specific use-case. I wonder if they're trying to instead target people who need to use ssh keys but aren't comfortable generating or managing them on the command line. With Github requiring SSH keys for command-line pushes, this is probably a growing demographic.
It's unfortunate, because there is some real innovation around the per-application usage permissions:
> 1Password will ask for your consent before an SSH client can use your SSH key. Because of this, there's no concept of adding or removing keys like with the OpenSSH agent.
If an organization wishes to solve the SSH pubkey distribution problem (the main reason one would copy a private key across machines), then they should use SSH certificate authorities like [1]. In fact, I think that would be a far more interesting 1Password product—HashiCorp Vault could use some competition for this kind of use-case.
[0]: https://security.stackexchange.com/a/40061
[1]: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...
While I agree with the first half of your statement (don't share SSH keys), I cannot agree with the second (don't put SSH keys in a password manager).
For my home use of 1Password, I absolutely want to keep backups of my SSH keys in 1Password. Because, in general, there's exactly 1 SSH key which can get into my cloud instances, and I've had enough laptops die suddenly that I'm not willing to risk getting locked out by not having a backup.
You could say "well, just have a second device with backup keys" but again for home use, why would I buy another laptop just for that? Or maybe just "well keep an offline backup of your keys". Sure. In 1Password. Where I keep pretty much all of my sensitive credentials and info.
> Using the 1Password SSH agent encourages people to have "one" SSH key across devices, which means that any leaks will disproportionately impact them.
Eh. IMO, people who are inclined to use 1 key across machines are going to do it, no matter the process. I doubt this feature is going to make that any worse. But I guess we shall see.
https://community.bitwarden.com/t/implement-ssh-agent-protoc...
That will be the Electron version. No thanks.
Also, they have a nice CLI. I'm sure getting some of these features there is only a matter of time.
* Search is just plain broken. This was the number one reason I scrapped it.
* Managing multiple vaults (I have over a dozen) is unusable.
* The UI is terrible, it takes way more space to show less information than 7.
* The browser integration (FF) seemed to work poorly.
Basically, once 1Password stops supporting 7, they will have lost me and anyone I can influence as a customer.
Has it allowed simple XSS vulnerabilities to turn into full blown RCEs? Absolutely.
> This resultant application is hosted within Electron to ensure we have the exact same platform as our users.
https://www.reddit.com/r/1Password/comments/o0f9cl/were_the_...
I haven't been able to see anything about how this handles agent forwarding over SSH. Does anyone know?
Additionally, now when I do generate a password, it saves that password in my shared vault for all the world to see instead of defaulting to a private vault where only I can see it. It doesn't appear to be possible to tell it where to save that password until it becomes a login, but by that point 1Password has already leaked the password I just generated. That seems like a really terrible default, and the only way I've found around this so far is to try to remember to open the main app, go into my shared vault and delete the password that I never wanted saved in there in the first place.
It’s very simple and works very well. Better than krypt.co did for me, actually — krypt.co would occasionally randomly break, but Secretive has been rock solid. Every time something tries to use your key you get a Touch ID prompt and a notification indicating what triggered it.
This 1Password feature looks nice, but I’m switching away when version 7 stops working. AgileBits just isn’t taking 1Password in a direction that’s appealing for me… they’re clearly more interested in corporate users than individuals, and in the pursuit of a one-size-fits-all-platforms UI they’re losing the attention to detail and polish that used to be a major selling point.
0: https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issu...
From doing some reading though it sounds like I might be wasting my time. Apparently it’s fine to have one key for an individual machine and to use that for everything.
What’s everyone else’s take on that? Are you reusing a single key or generating each time?
Sprinkle in a passphrase and now you have good MFA: something you know (the passphrase) and something you have (the private key).
Personally, I don't see a problem with re-using a key pair across multiple servers. I like to do one key pair per client device. This lets you manage server access per device. You can single out and remove just the key from a lost or compromised device without affecting the others.
OTOH, one key pair for all devices fails at this, plus you also have to worry about protecting the private key during distribution to multiple devices. A private key is best left on the client that generated it. Of course, once you hit enterprise, all this goes out the window. As they will probably have systems in place and compliance rules to follow.
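The per-device model described above rests on being able to drop one device's entry from `authorized_keys` on the server without disturbing the rest. This added example (not code from the thread) does exactly that, using the entry comment as the device name; it handles the optional options field, including quoted values that contain spaces or commas, and the sample file is constructed with fake key material.

```python
"""One key pair per client device: tag each authorized_keys entry with the
device name in its comment, so a lost or compromised device's key can be
revoked on the server without touching the others."""
from typing import List, NamedTuple, Optional, Tuple

KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-",
                     "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-")


class AuthorizedKey(NamedTuple):
    options: str    # e.g. 'from="10.0.0.0/8",no-agent-forwarding' or ""
    key_type: str
    key_b64: str
    comment: str    # by the convention assumed here: the device name
    raw: str        # original line, written back unchanged when kept


def _is_key_type(token: str) -> bool:
    return token.startswith(KEY_TYPE_PREFIXES)


def _split_options(line: str) -> Tuple[str, str]:
    """Options end at the first whitespace outside double quotes."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2            # escaped character inside a quoted value
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[:i], line[i + 1:].lstrip()
        i += 1
    raise ValueError("options field never terminated: %r" % line)


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Return None for blank and comment lines, raise on malformed ones."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    options = ""
    if not _is_key_type(s.split(None, 1)[0]):
        options, s = _split_options(s)
    parts = s.split(None, 2)
    if len(parts) < 2 or not _is_key_type(parts[0]):
        raise ValueError("malformed authorized_keys line: %r" % line)
    comment = parts[2].strip() if len(parts) == 3 else ""
    return AuthorizedKey(options, parts[0], parts[1], comment, line)


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    return [k for k in (parse_line(l) for l in text.splitlines()) if k]


def devices(text: str) -> List[str]:
    """Device names currently granted access."""
    return sorted({k.comment for k in parse_authorized_keys(text)})


def revoke_device(text: str, device: str) -> str:
    """Drop every key whose comment is `device`; keep all other lines verbatim."""
    kept = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry.comment == device:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample file; the key material is not real.
SAMPLE = """# authorized_keys, one entry per device
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleLaptopKeyAAAAAAAAAAAAAAAAAAAAAAAA laptop
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExamplePhoneKeyAAAAAAAAAAAAAAAAAAAAAAAAA phone
command="/usr/bin/backup --run" ssh-rsa AAAAB3NzaC1yc2EExampleBackupKey backup-host
"""

if __name__ == "__main__":
    print("before:", devices(SAMPLE))
    print("after: ", devices(revoke_device(SAMPLE, "phone")))
```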
I have considered keeping encrypted keys in my password manager per-service, and decrypt+add them to my SSH agent when they're used to offer almost the same guarantees.
Er, what? The SSH keys are being generated the same way keys for web sites are under FIDO, which is to say they're random - your physical device has no idea how many keys you have, it couldn't mandate that there's only one key if it tried. It only knows how to tell if these are keys it made (otherwise presumably a different FIDO authenticator made them) and if so use them to sign you in once somebody touches the contact.
However sometimes it's practical to use the same (private) key in multiple places. I do this for access to low-risk stuff like ssh access to my raspberry pis. I wouldn't ever move a private key around for anything remotely dangerous though.
It’s really very minor and ssh itself should warn that the server's fingerprint changed.
If something more robust is needed, ssh certs and principals can be used.
Some use PAM modules to require a 2nd factor too.
Try thinking of SSH pub keys as identities or usernames and you are more on the right track.
I tend to have 1 pubkey per thing I care about, so 1 per github account, 1 per gitlab account, 1 for work, etc.
It's automatable and one less thing to worry about.
For some context on my bitterness: v6 stopped working with chrome based browsers a few years ago due to an issue with browser signatures, and the official guidance was to ( pay to ) upgrade to v7 rather than fixing the app, and so the software I had paid for was no longer usable in the way that it was when I purchased a license for it, effectively being downgraded through no fault of the end user ; Similarly, the Windows variant of 1pw has... kind of always just been a bad experience compared to the mac version, and while the controversial Electron-based unification for v8 promised to bring the experience in line with the Mac app ( not requiring purchase of another license type this time because I'd since bitten the bullet and paid for a subscription so I could actually use v7 ), it also required migration to the hosted vault system, as support for local vaults was completely dropped in the same version.
I would feel a lot more comfortable using this otherwise legitimately fantastic functionality if it didn't also require me to migrate from a local vault to the hosted version. I already didn't want my passwords hosted online; I definitely don't want my ssh agent and its private keys to be bound to said hosted service, and nothing has yet come out of 1Password's survey for self hosting the vault server in order to maintain a vault that works with 1PW 8 locally.
It's an unfortunate hill to die on, I realize; I just want to maintain control of my own stuff, using a tool that is actually nice to use ( 1Password is and has always been miles ahead of everything else in terms of the day to day user experience, otherwise I'd be able to justify looking at alternatives )
I also feel I should be realistic about the incentive structure. I want 1password to continually work on security, additional features, and quality of life stuff. That requires steady income.
As to your local vault concerns, I think you have a really valid point.
I don't disagree that they should be compensated for new versions, however, I think we have a difference of opinion on what qualifies as a patch; I'm not intrinsically against upgrading license types ( though I don't like the move to subscriptions-only ), but I also expect the software I've already paid for to be updated when a major selling point feature ( browser integration ) breaks, especially if it's only the previous version ( in spirit or in practice ).
To be honest, though, I don't really expect they'll have a similar situation in the future now that they're actively maintaining all platform versions ( and with a unified core! ), so I'm being bitter over the past and letting it seep into how I feel about v8, local vaults, and control of my data.
I've bought their license a couple times as the versions are updated, but they no longer support licenses and only monthly subscriptions. Fine. I'm happy to pay that to get a great product, but as I was installing it on my new laptop they prompted me to move from my self-managed cloud sync to their hosted password management saying the cloud-sync will no longer be supported. I simply don't want to use the hosted solution, I'm not comfortable with the trust implied.
I imagine they're trying to cut down on the features that allowed someone to use it without paying a membership, but then why not just include cloud-sync in your paid features? Why remove such a core feature that allows users to use your security product much more trustlessly?
Your vault is only ever decrypted on the client side, and the 1password service only ever stores/syncs the encrypted vault. This is why if you lose access to your secret key, your vault can never be decrypted, even by 1password - your secret key is only ever stored on your local device and never by 1password, not even a hash of it.
1password has a great white-paper on their security model if you're interested, and it's verified by 3rd party auditors.
It just requires absolute blind trust on their client apps...
> Your vault is only ever decrypted on the client side
Which is a closed source blob, so, again, requires absolute blind trust.
I would say in the past 2-3 years it has slowly become an absolute nightmare. I do not recommend it to anyone anymore. They have somehow screwed up the very basic functionality of filling in passwords on any browser I try. They continue to shift features around, break existing workflows, and even the basic tasks I rely on dozens of times a day seems to change with any significant release.
1Password got famous for building a great core product. It managed my logins I stored myself and autofilled them wherever I needed. It was clean and simple. Now they are so focused on growth and Product features like this that they have completely lost their way. As of this week I can no longer right click on a webpage and work with 1pass to find something. If the webpage attached to the original 'save login' prompt is not the one you are on - the auto popup underneath the login field has nothing to show and I cannot manually find and enter it. I have to go to the Desktop app, search, find, and copy. My team regularly wastes minutes on this each day.
Our company reevaluates platforms every couple years, in the next 12-24 months I will strongly advocate we find an alternative.
* to expand on this, the model used to be a desktop app where the magic happened, plus a thin browser extension that hooked into the app. Now, there seems to be a lot more happening in the browser extension, which seems to talk to the cloud service and not directly to the desktop app. (Totally possible this is completely wrong, just my WAG)
I'm sure it requires less work from the locally installed app (and lets them do away with it altogether, even), but it creates issues - it obscures UI elements in the page with a hard to dismiss overlay (no obvious clickable way to do it) that fits below webpage UI elements when its heuristics identify it as an appropriate field.
edit: plus I regularly find that when I try to fill form fields in Safari and Firefox that selecting the appropriate login and hitting autofill does absolutely nothing.
UGH YES. When I started using 1P (2015ish?) it was simple and reliable, and I feel like I fight it more than I use it these days.
Developers need to stop disabling the form buttons trying to be clever detecting if fields are dirty.
The issue is, the "core product" has been Sherlocked - i.e. is now an included feature on many operating systems and browsers. Apple's iCloud password manager is available on all Apple platforms plus on Windows. Android/Chrome and Windows are improving their in-built password managers as well.
So 1Password, as a business, has to pivot to selling to businesses, which is where they expect most of their revenue to come from. This has resulted in individual customers being sidelined, so perhaps you should switch to one of the free inbuilt alternatives.
What browser/sites are you having issues with? I've only been using 1Password since the Lastpass changes last year or 2 (I forget) but haven't run into a site I can't autofill. I actually found it works in places Lastpass used to let me down such as CapitalOne.
That shouldn't be a matter of opinion, yet it doesn't match my experience at all. 1Password 7's UI and workflow did not undergo a dramatic change in the past 2-3 years. Not even once. The UI and controls look and feel the same as ever as they did back in 2018. I'm sure the periodic updates brought new features here and there, but none of those are even remotely close to being a disruptive change.
> If the webpage attached to the original 'save login' prompt is not the one you are on - the auto popup underneath the login field has nothing to show
That's a legitimate security measure. It's making sure that it's autofilling for the right domain. If you want working autofill, you just need to make sure that your password is associated with the right domain.
> I have to go to the Desktop app, search, find, and copy. My team regularly wastes minutes on this each day.
You only need to make an edit once to associate your password with the right domain. But if you can't be bothered, searching and copying the password is a "Cmd + \" away. It takes less than a second.
Edit: This was not an issue before 1-2 years ago when they pushed massive feature updates. It used to be Ctrl+\ or Cmd+\ to autofill and boom, the login was filled. But NOW they have decided to drop a "1Password X" browser extension that throws itself into every single login item on the web and constantly harasses the user any time they use keyboard shortcuts to navigate. Typing an email address and seeing your Firefox/Chrome/Safari autofill show up with a dropdown of emails to choose? You can't even use the arrow to go down and choose one; 1Password X will rear its ugly head the minute you hit the arrow down, and it'll either prompt you to autofill something or save what you just typed into 1P.
I actually think the product is well thought-out and designed. There are some websites where it refuses to work, but these are in the minority, and I blame the websites for breaking 1Password, not 1Password.
Also "a nightmare" -> this feels like an unnecessary hyperbole
Is it the same URL as what was saved in the login? If not, then this is intended behaviour to stop phishing attacks and has saved my butt several times. If the autofill doesn't work, either the website has changed the base URL, I've misconfigured it, or it is a phishing site
> I have to go to the Desktop app, search, find, and copy
Use the browser extension?
I'm not sure what issues you're having. Personally not only has the product improved every year, trying other password managers makes me realise what a hard problem autofilling is and how little I have to think about it with 1P. The new desktop app has some issues and some missing features, though it's pretty snappy.
Now if I open the browser extension in the top right, my Favorites are not my favorites...they're the favorites of my team and one of my shared vaults. My Suggestions tab is empty. And even better, when I search "ycombinator" or "hacker" or "hn" nothing comes up. "No results found in All Vaults" and if I click search everywhere I get "No results found"
Now when I go over to the Desktop app, I search any one of the above and I immediately find my credentials for HN. It's stupid simple just like it used to be in the browser.
This saves users from choosing their “Google” login to use with “G00gle” - why not take the minute or two to update the password entry once with the correct or additional hostnames/websites and be done with it rather than wasting time every time one logs in (as well as encouraging bad security hygiene)?
Agreed, the Chrome browser extension and the Safari inline menu are garbage. Fortunately the classic extension is still available and still works great for me, as well as Safari with the inline menu option disabled. Same for the iOS extension, garbage. But luckily the classic password autofill on iOS still does work great.
If you are using the classic autofill don't you have to maintain your password in keychain as well as 1Password?
Not to say that you’re “wrong”, but since we are sharing experiences…
I have found the user experience is much worse in windows than it is in macOS. Same browsers on both.
More modern SSH servers will let you use U2F security keys in the same way, which are cheaper than the full YubiKey.
I've learned recently that YubiKey has really good documentation for how to set up their tokens to achieve different goals, it would be worth reading their docs if you're considering getting a hardware token for your keys.
In short, I see no need for using a password manager for managing ssh keys. The public key is not something that needs protecting. The private key is something that you should not share between multiple devices or generally pass around.
But of course being able to paste your public key from some tool is nice if that is a regular thing in your life. And if you switch between multiple key pairs, it's probably nice to have something more user friendly than very fiddly command line tools. I guess the latter is what 1password is trying to solve here.
The keystore is stored on a Nextcloud instance which allows sharing the key easily between multiple hosts. It works flawlessly with git, ssh, and also Windows tools like PuTTY will pick it up.
This seems like an excellent way to ensure that you reduce the security of your SSH login to either having a single-factor (password) or at best single-factor + TOTP, where you previously had a phishing-resistant cryptographic protocol.
Is this really an improvement for security, or is it just a usability improvement (i.e. sync of keys) intended to work around policies trying to improve security (i.e. required use of keys)?
(The other option is I skimmed the docs badly and maybe I've misunderstood something, it's possible.)
Edit: I did skim the docs badly, it is possible to use a FIDO2/WebAuthN key for 2FA. https://support.1password.com/security-key/
I'm happy to use only a password for some sensitive things, because I can remember it.
Of course security is a spectrum and 2fa does help for a lot of stuff. Especially against websites that don't know how to hash your passwords properly (usually the ones from where passwords leak the most).
However, for those reading along, initially the 1Password web interface for my account only offered the choice of setting up a TOTP authenticator. I completed that, and still saw no option for enabling a FIDO/YubiKey device. I then went into the 2FA settings for my account, toggled the option for YubiKey support off and then on again, and returned to the 2FA settings page. Only then did I see the option to enable a YubiKey.
I was then able to add my YubiKey and I can confirm that it's working with my 1Password account as a 2FA source.
At that point though, you already have a hardware token capable of holding SSH keys, so I'm still not convinced of the benefit.
I use stow to install them on a computer when I'm setting one up.
Haven't run into any problems with this approach, my Keybase is protected with a Yubikey.
tl;dr: you can pin public keys to hosts
https://developer.1password.com/docs/ssh/agent/advanced#ssh-...
The 1Password 7 app on macOS is a beautiful native app. It "fits" in macOS, it follows macOS design paradigms.
1Password 8 does not. It is a weird self-designed UI toolkit that is well inside the uncanny valley scenario - it is a UI design that feels like it is trying to approximate all of the major platform desktop UIs without committing to actually feeling like any given platform - so it feels wrong everywhere. Honestly it would be better if it was totally different to any of the main platforms instead of vaguely approximating them. I don't care what devtools or toolkits they use to achieve what they do, I care about the end UI feel, and it's just awkward on all platforms to me.
Additionally, 1Password 8 removes the single most used feature for me - 1Password Mini - and replaces it with Quick Access. Quick Access is much more awkward to use, especially with a mouse. Everything with Quick Access involves more UI interactions than it was before. The reasoning for this is that it "feels weird" to implement parts of the app twice - but for me 1Password Mini is essentially a browser extension equivalent for every other app on your system. Quick Access is an awful replacement for that.
I really prefer 1Password 7 on macOS to 1Password 8, and I honestly prefer it on Windows too. The replacement of native apps with something that really feels like a web page in a window - with issues like context menus being stuck inside the window, or web-page style modals - is just not what I expected, and it's not what I want. Yes, it lets AgileBits bring updates to platforms more quickly because it's essentially the same backend & UI on every platform. However, as an individual user I don't need more from my password manager than 1P7 already does.
Sadly, it seems the target for AgileBits (especially with the influx of VC cash) from the outside at least is just growth and the big payouts that come from enterprise deals - individual user use cases don't matter any more. Just look at how much of a production they made out of restoring categories as an option to the sidebar. And their core feature set - form filling - is less reliable than ever for me.
I feel that there's absolutely a hole in the market here for a password manager product aimed at individuals or small families that works on at least macOS, Windows, iOS and Android - and feels native on each platform.
edit: oh, and I utterly abhor the 1Password PR style - trying to make things seem weirdly casual on serious topics, but especially the misdirection/redirection approach they always take to critiques or support queries. Just look at their support forums for any thread on purchasing standalone licenses - they always drive the discussion into "isn't our online product amazing?". Critique of features in 1P8 always becomes "but for me it's amazing" in some way. It's frustrating as hell to engage with as they never seem to actually accept criticism in any way without trying to redirect it to something somehow positive.
Can we use it on WSL?
Is there any advantage of using SSH keys to authenticate against GitHub?
A lot of long term 1Password users bought this and still use it, but the company no longer really does much to support it, having pivoted to completely focus on their subscription offering. Many of their long time customers, many of whom are HN users, feel they're getting shafted by the lack of updates etc. to those older offerings. From what I understand a lot of the older clients and plugins that worked with the local versions don't get updated anymore. However, I'm only a customer of their subscription offering so someone else might be able to elaborate more.
No need for even more in-between software prompting for passwords.
I’m sticking with certificate+publickey SSH
Stick with the publickey and more so the SK certificates.
Each leg of the SSH hops should have their own set of SK certificates with their own distinctive SSH options.
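The "pin public keys to hosts" tl;dr above and the suggestion that each hop gets its own keys and options both come down to ssh_config semantics: a `Host` block per hop with `IdentitiesOnly yes` and explicit `IdentityFile`/`CertificateFile` entries, so an agent holding many keys (1Password's or any other) only offers the pinned key to each server instead of every key it holds. The block below is an added example, not code from the thread or from 1Password: it implements the subset of ssh_config resolution that matters for pinning (wildcard `Host` patterns, first-obtained-value-wins for single-valued keywords, accumulating `IdentityFile`) and shows which keys would be offered to each host. The config text, key file names, host names and the agent socket path are all constructed placeholders.

```python
"""Which keys does ssh offer to a host? A small ssh_config resolver.

Constructed example. Models the rules that matter for key pinning:
- options before the first Host line, and in matching Host blocks, apply;
- for single-valued keywords the FIRST value obtained wins (so pin-specific
  blocks must come before catch-all blocks that set the same keyword);
- IdentityFile / CertificateFile accumulate across matching blocks;
- with "IdentitiesOnly yes" only the listed IdentityFile keys are offered,
  otherwise every key the agent holds is offered as well (order simplified).
"""
import fnmatch
from typing import Dict, List

# Constructed sample config. The socket path is a placeholder; use the path
# your agent (1Password or otherwise) documents for your platform.
SAMPLE_SSH_CONFIG = """\
Host *
    IdentityAgent /path/to/agent.sock   # placeholder, not a real path

Host github.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/github_ed25519.pub

Host bastion.example.net
    IdentitiesOnly yes
    IdentityFile ~/.ssh/bastion_ecdsa_sk.pub
    CertificateFile ~/.ssh/bastion_ecdsa_sk-cert.pub

Host *.internal.example.net
    ProxyJump bastion.example.net
    IdentitiesOnly yes
    IdentityFile ~/.ssh/internal_ecdsa_sk.pub
    CertificateFile ~/.ssh/internal_ecdsa_sk-cert.pub
"""

# Constructed: keys the agent is assumed to hold, named by their .pub paths.
AGENT_KEYS = [
    "~/.ssh/github_ed25519.pub",
    "~/.ssh/bastion_ecdsa_sk.pub",
    "~/.ssh/internal_ecdsa_sk.pub",
    "~/.ssh/legacy_rsa.pub",
]

MULTI_VALUED = {"identityfile", "certificatefile"}


def parse_ssh_config(text: str) -> List[Dict]:
    """Split config text into blocks of {"patterns": [...], "options": [(k, v)]}."""
    blocks = [{"patterns": ["*"], "options": []}]  # options before any Host line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append({"patterns": value.split(), "options": []})
        else:
            blocks[-1]["options"].append((key, value))
    return blocks


def host_matches(host: str, patterns: List[str]) -> bool:
    """ssh Host semantics: any negated (!) pattern matching excludes the block;
    otherwise the block applies if any positive pattern matches."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def resolve(host: str, config_text: str) -> Dict[str, object]:
    """Effective options for host: first value wins, list keywords accumulate."""
    effective: Dict[str, object] = {}
    for block in parse_ssh_config(config_text):
        if not host_matches(host, block["patterns"]):
            continue
        for key, value in block["options"]:
            if key in MULTI_VALUED:
                effective.setdefault(key, []).append(value)
            else:
                effective.setdefault(key, value)
    return effective


def offered_keys(host: str, config_text: str, agent_keys: List[str]) -> List[str]:
    """Keys ssh would present to host: pinned only, or pinned plus all agent keys."""
    eff = resolve(host, config_text)
    pinned = list(eff.get("identityfile", []))
    if str(eff.get("identitiesonly", "no")).lower() == "yes":
        return [k for k in pinned if k in agent_keys]
    return pinned + [k for k in agent_keys if k not in pinned]


if __name__ == "__main__":
    for h in ("github.com", "db1.internal.example.net", "unpinned.example.org"):
        print(h, "->", offered_keys(h, SAMPLE_SSH_CONFIG, AGENT_KEYS))
```

The last host in the demo has no pinning block, so every key the agent holds is offered to it; that is the fingerprinting and MaxAuthTries exposure that per-host pinning removes, and the `*.internal.example.net` block shows the per-hop key and certificate selection on top of `ProxyJump`.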
“Learn how to configure the 1Passwrd SSH agent”
I've stopped using 1Password everywhere I can due to their product "focus", and am working my way through a set of alternatives (currently using Secrets on the Mac and looking at the KeePass ecosystem, which keeps improving monthly):
https://taoofmac.com/space/apps/1password
Edit: It's been fun watching this get upvoted and downvoted in successive waves - for those who are curious, I suggest you check previous posts on 1Password and see if you can spot patterns in their advocates, since they were publicly called out on this a few times already (especially on Twitter).
I still have 1password 4 on Windows PC and (apparently) version 7 on Mac; they still work together, but I'm afraid at some point they will decide to drop support for dropbox and force you to use their subscription.
I'll stop paying for Dropbox and using 1password on that date.
(does Syncthing work on iOS devices? I'm not sure yet how to keep my passwords synced across devices)
I'm also worried about 1Password in the long-term with this recent VC investment which likely will create the same kind of pressures, but for now they still have the best product in the space by far and I'm in no hurry to switch to an inferior product in order to save $3/month.
On Android, you want KeePassDX which can be found on f-droid.
I have multiple keepass databases and keep them in sync with a self-hosted Nextcloud instance.
[0] https://news.ycombinator.com/newsguidelines.html#:~:text=Ple...
What do you mean by this?
If _those_ issues could be fixed, I’d probably use Secretive. Unfortunately, it broke almost all of my workflows when I installed it and it appears that the choice to use Secretive is all-or-nothing.
Is there a way I could use this on my devices with my own cloud setup (eg. dropbox/google drive/ etc.,)?
Open up my corporate laptop and login with my smart card and username/pass combo, then I can just log into any Linux machine I have authorization (group permissions) to. Been doing it this way for over a decade at this rate.
It's like all of these password manager tools were created by people who've never seen nor used these existing solutions.
Yes?
>Smart cards!?
Yes!? Or a YubiKey.
>What if I have less than a full team of full time employees able to be put aside to implement a solution?
This used to be something a middling UNIX sysadmin could configure and manage. You can also pay for someone to help you implement/manage a solution for this. Though I admit it may be overkill.
Maybe, but it sounds like your comment was written from a place where you've never had to actually implement one of those existing solutions.
Kerberos is great. It's also a holy terror to implement properly, especially cross-platform, and especially if you need to federate identity.
I've been down that path. While there are trade-offs with any decision, I wholly understand why so many organizations are going to solutions like Okta/Auth0 + Duo + password managers vs the "tried and true" methods of a directory server + Kerberos + SAML federation through Shibboleth.
SCIM combined with modern cloud SSO makes life much easier than trying to support Kerberos.
I absolutely have implemented the aforementioned solution. Used to be a rite of passage for middling UNIX sysadmins.
>Kerberos is great. It's also a holy terror to implement properly, especially cross-platform, and especially if you need to federate identity.
Not really, especially not really if you use Active Directory.
>SCIM combined with modern cloud SSO makes life much easier than trying to support Kerberos.
SCIM with Active Directory (AKA Kerberos) works well.
I have no idea how companies managed to sell this security nightmare as a feature to actually serious people.
A single point of failure. Yeah, great idea!
https://www.troyhunt.com/password-managers-dont-have-to-be-p...
I hear a lot of "cloud password managers are bad!" but I rarely see someone follow up with a better approach. Even better to them.
I've been using a password manager for years and I've always thought I was making a good decision but then I see all these comments and I wonder if I'm missing something.
And my passwords are all, without exception, beyond 10 characters.
What you give:
- a single point of failure (one complex password you memorize that locally unlocks a DB of credentials that is stored encrypted in the cloud).
What you get:
- all passwords are unique and complex (assuming you use a password generator, which all these tools have built-in)
- the convenience of having all your passwords ready for use on any of your devices
- the convenience of auto-fill
- the convenience of being able to share logins, e.g. with a spouse or across your organization.
- the convenience of being able to also store, share, and auto-fill secrets besides logins (identities, credit cards, free-text notes).
Been using a password manager for 15+ years and I have never suffered fallout from the single-point of failure tradeoff, only benefits from the power and convenience I got as a result.
And why would I replace the openssh agent with 1password agent?
They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?
(the above logic is why I don't make any serious money)
has it? could you detail them, i'm OOTL.
> They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?
In the case of browsers cat and copy/paste is often more risky than having code such as a password manager fill the fields. Password managers are less likely to be fooled by sites using tricks with their names to pose as other sites.
If you are sufficiently careful to be sure you will not be tricked by phishing attempts then cat and copy/paste should be fine.
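The point in the reply above is that a password manager decides whether to fill a field by comparing the page's origin against the saved entry, while a human copy-pasting judges by eye and can be fooled by names that merely contain the expected domain. The block below is an added illustration, not code from the thread or from any password manager: it contrasts a naive "does the URL contain the domain" check with an exact-origin comparison (scheme, IDNA-normalised hostname, port) over a handful of constructed look-alike URLs. The saved-login table and all URLs are constructed examples.

```python
"""Naive substring matching vs. exact-origin matching for credential autofill.

Constructed example. Shows why matching the full origin resists the usual
look-alike tricks: subdomain prefixes, userinfo (@) in the URL, scheme
downgrade, and non-ASCII homoglyph hostnames.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed: what a manager would store, keyed by the exact origin.
SAVED_LOGINS = {
    "https://github.com:443": "GitHub",
}


def naive_match(url: str, saved_domain: str) -> bool:
    """The eyeball / substring approach: does the URL contain the domain?"""
    return saved_domain in url


def strict_origin(url: str) -> Optional[str]:
    """Canonical scheme://host:port for url, or None if it cannot be parsed.

    urlsplit().hostname already lowercases the host and strips userinfo and
    the port; IDNA encoding turns homoglyph hosts into their xn-- form so they
    can never compare equal to the ASCII domain.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except (UnicodeError, ValueError):
        return None
    return f"{parts.scheme}://{host}:{port}"


def autofill_candidate(url: str) -> Optional[str]:
    """Label of the saved login a strict matcher would offer for url, if any."""
    origin = strict_origin(url)
    return SAVED_LOGINS.get(origin) if origin else None


def compare(url: str, saved_domain: str = "github.com") -> Tuple[bool, Optional[str]]:
    """(naive substring verdict, strict-origin autofill result) for one URL."""
    return naive_match(url, saved_domain), autofill_candidate(url)


if __name__ == "__main__":
    # Constructed test URLs: one genuine page, then the look-alike tricks.
    for u in (
        "https://github.com/login",
        "https://GITHUB.COM/login",
        "https://github.com.evil.example/login",
        "https://github.com@evil.example/login",
        "http://github.com/login",
        "https://g\u00edthub.com/login",
    ):
        print(f"{u:45} naive={compare(u)[0]!s:5} strict={compare(u)[1]}")
```

The naive check accepts every trick except the homoglyph (and, ironically, rejects the genuine site when the host is upper-cased), while the strict matcher fills only on the exact origin it was saved for and stays silent everywhere else; staying silent on a page that looks right is precisely the phishing signal the reply describes.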
Can you share some info on those serious vulnerabilities?
> They don't even offer additional functionality over the open tools. "Autofill public keys in your browser for Git and other cloud platforms" - really? cat and copy - paste is now too hard?
So they don't offer any additional functionality except for the functionality that you don't think is worth it?
I will never use a 3rd party service to manage my passwords or key phrases. And why in God's name are people generating SSH keys in the browser?
The thought of using it for SSH or GitHub just sounds insane to me. And as you say it doesn't even really offer any benefit over cutting and pasting from the CLI.