Z
Story
Apple unveils 'Passwords' manager app at WWDC 2024
Normally I’m conflicted when a big tech company comes to stomp on a market of smaller app makers but the password manager industry has left me with little sympathy.

Years ago I bought 1Password via a one off payment and set it up to sync via my iCloud Drive. It all worked great. Then they took VC investment and quickly every new feature was locked behind a subscription gate. I switched to Bitwarden. Then they took VC investment and I’m sure will end up down the same path (and you could never use a third party storage service with BW AFAIK). A password manager’s remote storage doesn’t need to be anything other than a safely encrypted SQLite file, you ought to be able to save it anywhere.

I think everyone should have a good password manager in 2024 and non tech inclined folks shouldn’t have to battle with upsells and spammy notifications as a price for being secure. If that means they’re using Apple’s offering, so be it.

I don't mind paying for quality software, which I considered 1Password v7 to be. However, their recent v8 launch has soured me on the company pretty severely. The macOS app is a pretty dramatic downstep and their focus on a browser extension over a system/menubar app is frustrating to say the least.

I don't know if Apple Passwords will be a perfect fit for me, I'm hoping someone shares a deep dive on the product soon because I'm not in a position to use the beta, but I'm happy to see some more competition in the space.

What’s the problem with it exactly?

I’m using it on iPad, macOS, iOS and windows 10 and 11. Seems per much the same as it’s always been.

I’ve got the family using it too.

Just curious what issues other people are experiencing.

It's very much a "death by a thousand cuts" situation - I'm not a fan of the removal of 1Password mini which was my primary interaction with 1Password, especially for the common workflow of password generation/account lookup.

It seems their focus is to drive this into the browser extension but that doesn't cover all of my use cases - I very often need to generate a login password _outside_ the context of a browser and doing so now requires me to open the application and create a new password and save that record while before it was one click away in the menubar.

I'm also annoyed that we're no longer able to define which vaults are included in "all vaults" and the inability to simultaneously disable the browser extension from injecting their UI into websites (the login icons, blue input fields, etc) while keeping the prompt to save a login when a new one is detected.

Another classic issue of a "death by a thousand cuts" situation— you cannot hide the Mac menu bar icon and still keep the background agent running unlike 1Password 7 (Discussion from 2022 silently closed without any resolution here: https://1password.community/discussion/129305/latest-1passwo...).

They've constantly been downgrading the quality and the polish of the macOS app, just for "cross-platform" feature parity- leading to a subpar experience everywhere (Windows is a whole another can of worms).

  • s3p
  • ·
  • 9 months ago
  • ·
  • [ - ]
What about the universal shortcut for triggering 1P across the mac? And autofill within applications? I think the newest redesign is extremely powerful. I wanted to hate it at first but I give big kudos to the 1P team for how thoughtfully engineered the Mac version is. iOS and Windows not as much.
> I'm hoping someone shares a deep dive on the product soon

I have the app open in front of me but haven’t used it much. It’s basically the Passwords pane from System Settings ripped out and with some new fixed smart categories. If that’s enough for you, so will the app be. If not, not.

I agree with you. V7 was good enough that I’d have paid for it over using Apple. But v8 has had me looking for an alternative anyway.
…but v8 is perfectly fine! I remember a lot of buzz about v8 being slow “because it’s electron” but it’s not slow. I use it on multiple laptops without any issues at all.
I'm glad it's working for you. I use v8 every day on my work machine. My complaints aren't about the speed of the application, but rather the reduced features and removal of any menubar app functionality that was present in v7. I'm not a fan of the UI changes, personally; I don't know why everything needs to have _so much_ space, but I could ignore that.

Don't get me wrong, I'm not a fan of Electron, and I'd prefer it have remained a native app, but that alone wouldn't be enough for me to jump ship. And I'm not even claiming alternatives are better than v8; it's simply that v7 was much better, and I'm actively looking for alternatives.

  • s3p
  • ·
  • 9 months ago
  • ·
  • [ - ]
Why does every app need a menu bar? Why not just Cmd+Shift+Space to get the universal menu to open?
> anything other than a safely encrypted SQLite file

There is a little bit of subtlety to this https://www.cs.ox.ac.uk/files/6487/pwvault.pdf

keepassxc works for me on android, windows, and mac
The very best thing about keepass is that defines a standard and publishes a reference implementation that anyone can build a compatible client for. I like KeepassXC on MacOS and Keepassium on iOS and I keep the DB in sync between them with NextCloud. If I was working on Linux/Android next week I would pick the best clients there and arrange syncing myself, again, without a third party.
And that would be Keepass2Android for Android. I love it, it's perfectly simple and like you, I sync via my own means but there are "easy" options available.

On the desktop there is even a CLI app for interacting with the database, though I also use KeepassXC.

keepassxc is incredible, truly slept on. I use safari keychain as well, as a copy. But my master store is keepass. It boggles my mind that people pay for 1password.

Btw, is keepassxc on Android now or are you referring to one of the many Android keepass apps? I use keepassium on iOS.

I pay for protonmail and also store a copy in protonpass. Proton pass has a nice web interface and doesn’t require me to copy a keepass file or logon to iCloud on my work computer so I use that sometimes too.

> It boggles my mind that people pay for 1password.

I’ve payed for 1Password for 4 years and am a happy customer. But I would also be willing to try KeepassXC if it really offers feature parity.

These are some features important to me, are they supported by KeePassXC?

- Easy password sharing with my wife. We have separate private vaults and a shared vault, and moving a passwords between these vaults is seamless.

- Sync has been seamless for years. I don’t have to worry about e.g. iCloud corrupting my password database and having to restore from off-site backups.

- Integration with many platforms. Currently, that means autofilling/autosaving/generating passwords in common browsers, on MacOS, and on iOS.

- Generating and filling TOTP tokens (no need for Google Authenticator or similar apps).

- Storing and syncing SSH certificates, including acting as an SSH agent (so I have to scan my fingerprint to allow a new SSH authentication).

- Storing non-password items in the encrypted store, e.g. pictures of passports.

- TouchID or FaceID for quick unlocking with everyday use.

> - Easy password sharing with my wife. We have separate private vaults and a shared vault, and moving a passwords between these vaults is seamless.

Not sure about this one. I don't even collaborate passwords in Apple keychain with my own family.

> - Sync has been seamless for years. I don’t have to worry about e.g. iCloud corrupting my password database and having to restore from off-site backups.

Sync with iCloud Drive, Dropbox, Google Drive have been fine for a long time. Plus theres also the option to just keep a password database copy handy.

> - Integration with many platforms. Currently, that means autofilling/autosaving/generating passwords in common browsers, on MacOS, and on iOS.

KeePass is usable on more platforms than 1Password sorry. You could probably get one keepass app or another running on some ancient power PC box running netbsd..

> - Generating and filling TOTP tokens (no need for Google Authenticator or similar apps).

KeePassXC does this

> - Storing and syncing SSH certificates, including acting as an SSH agent (so I have to scan my fingerprint to allow a new SSH authentication).

I have not tried this one, but would be surprised if KeePassXC doesn't do this as well

> - Storing non-password items in the encrypted store, e.g. pictures of passports.

KeePassXC definitely does notes, not sure about photos etc. This is definitely the realm of an encrypted Apple Note for me though.

> - TouchID or FaceID for quick unlocking with everyday use.

KeePassXC has this on Mac, KeePassium does it on iOS really well...

Thanks for the detailed reply! :)
I had decided a detailed list is better than a typical snarky-ass reply
KeePassXC definitely has a lot of those for sure.
Keepassxc has zero collaborative features and no online sync. I’m a big fan of keepassxc but these reasons are why I pay for 1P. I can add colleagues, guests, family members and have it run on all my devices.
I would instead jokingly say that you would have to pay me to use 1Password.

KeepassXC does have collaborative features and online sync if you just drop the Keepass file in a shared cloud - I use it this way and it's easy to set up. Also, more importantly, the password database is not stored in some server God knows where.

> Also, more importantly, the password database is not stored in some server God knows where.

Well..

I keep my KeepassXC vault stored at my home, on a Nextcloud instance.
It's not perfect, but keepass does have keeshare, basically one or many sub-dbs on different files that integrates into the main one seamlessly, so in my home we have a 'shared' db each and we can read it and update it from our main dbs.
> Keepassxc has zero collaborative features and no online sync.

This is why we use it! Also, it's free. Paying subs for software feels dirty.

My mistake on android i'm using KeePassDX https://www.keepassdx.com/ open source
KeepassXC has been outstanding for me, especially now that it supports passkeys. I use KeepassDX for android as well.
> and you could never use a third party storage service with BW AFAIK

https://github.com/dani-garcia/vaultwarden

I should have been clearer, I meant that it didn’t work with arbitrary cloud storage providers like iCloud, Dropbox, Google Drive and so on.

I’m a tech person and even I don’t want to be responsible for running a Vaultwarden server, the average user definitely doesn’t want to.

Doesn't that mean that at least in theory, if Bitwarden became too abusive an alternative host would crop which you could switch to?
Did you ever look into KeePass? The solution you're looking for already sort of exists, several more than decent apps which offer lifetime one-time purchases. Not sure what else to tell you. Keychain/"Passwords" is way too obfuscated and user-unfriendly and hostile to data portabillity to the extent I could never trust or rely on it.
Apple is one of the few entities I'd trust for password management. Besides relying on them not being breached, devices I physically have make for good auth mechanisms. It's the one thing I really don't want to deal with a third party for. Irks me a bit how Apple knows this.

And it's not that big a deal to occasionally copy a password onto a Linux or Windows device, or better yet, use the iPhone to authenticate for it.

There’s stories of SIM swap just leaving the door wide open though
I haven't seen those, but it wouldn't surprise me.
>and you could never use a third party storage service with BW AFAIK

You can run your own BW server, or at least you could as of a few years ago. It's not well documented, but it was doable. The only reason I don't use BW is because the iOS app doesn't locally cache passwords, and I didn't want to open up my home network or set up a VPN just for a bitwarden server.

  • Uvix
  • ·
  • 9 months ago
  • ·
  • [ - ]
The iOS app does cache passwords locally, and has since before I started using it c. 2021 or 2022.
There's also vaultwarden

https://github.com/dani-garcia/vaultwarden

  • vohk
  • ·
  • 9 months ago
  • ·
  • [ - ]
I don't have a problem with the subscriptions. I've tried out a number of options over the years, including KeePass, LastPass, 1Password, and most recently Bitwarden.

KeePass was a great bit of software but managing the vault syncing myself and having to wait for (and trust) the third-party Firefox extension to update was tiresome. For about a buck a month, LP was a pretty good deal and handled all of that overhead for me.

I eventually moved to 1Password and it's still what I recommend to most people. $45CAD a year is a pittance for how often I use it. The app and extensions are always up to date, they "just work" even for my 70 year old father. At $12CAD a year, Bitwarden is pretty damn reasonable too.

I don't get the hand-wringing when it comes to reasonably priced services. Development and infrastructure costs money. Yes, a power user can manage everything entirely with free software and a portable sqlite db but that isn't sensible approach for the vast majority of people.

Development costs money and that's fine, but I don't like it when companies act like their pricing is based on the cost of providing a service, and the service is "syncs a single sub-megabyte file between a few devices". You can get that service a thousandfold for free. (And even if they give you more space, that's a worthless addon to almost all customers.)

In particular, the reason it's annoying to sync keepass is because of how the program is designed. There are other managers in that ecosystem that let you log in to google/microsoft/dropbox/anything and then you're done. It all syncs perfectly from then on. It's a development problem, not a need for a dedicated service tied to a specific password manager.

And when I'm considering development cost I'm going to look at things on a 5 or 10 year timeline. I think that's a reasonable length to expect a software purchase to last. On that timescale, Bitwarden is okay but 1Password is not at all a good price.

  • eviks
  • ·
  • 9 months ago
  • ·
  • [ - ]
In your thousands of free services, how do you resolve conflicts in edits done on multiple devices?
Shouldn't conflict resolution be in the program itself? It should ask me what to do and be able to keep both versions of the conflicting entry. And if I answer "keep both" or defer to later then it should pack both into the vault and upload that.

(Also I didn't mean thousands of free services, I meant that each one will give you thousands of megabytes for free. Honestly just google and microsoft accounts, and icloud with a device, cover just about everyone. But there are a lot of free storage services if you want them.)

  • eviks
  • ·
  • 9 months ago
  • ·
  • [ - ]
(sorry about my misleading playful paraphrasing)

The program itself might not get information efficiently to do conflict resolution (or not at all): for example, you edit a file offline and sync, Dropbox and friends wouldn't be smart enough to just append both of a few bytes worth of data that a password-manager controlled service could since it would be aware of the data structure but would just dump both files, and then both on another conflict etc

So I guess it's just not the same type of sync service that you get for free in those many services

(also I think it's more than a sub-Mb, you have icons there, but also images of docs and what not)

Though maybe this is not an issue as you mention some of the keepass-based apps that go the "app-sync" route instead of manually placed file?

> Though maybe this is not an issue as you mention some of the keepass-based apps that go the "app-sync" route instead of manually placed file?

Right, my main concern here is programs that talk directly to the service's API, because that's the easiest to implement in a correct way. Dumb file storage, but without the worry of stale versions appearing.

Though most people don't need their vault to be robust against simultaneous offline edits from multiple devices.

> (also I think it's more than a sub-Mb, you have icons there, but also images of docs and what not)

I have usernames/urls/passwords, some notes, some icons, and some ssh and bitlocker key files. In total it's 159KB, including a bunch of version history and the recycle bin.

What kind of documents would I put in a password file?

Though some extra megabytes don't really affect my argument much.

  • eviks
  • ·
  • 9 months ago
  • ·
  • [ - ]
> Though most people don't need their vault to be robust against simultaneous offline edits from multiple devices.

This is one of those very rare cases with potentially huge negative effect to make it into a mandatory feature.

> Dumb file storage

Which still suffers from inefficient incremental updates. Curious whether those other managers deal with that (do they split your vault into parts)?

> What kind of documents would I put in a password file?

Whatever documents you want to securely share with others, various scanned docs, so it's not just a few megs, (e.g., Bitwarden offers up to 1G encrypted file attachments) (though don't use this either, mine is just a few megs)

> This is one of those very rare cases with potentially huge negative effect to make it into a mandatory feature.

The only thing you would need to make mandatory is a direct login to any storage service.

> Which still suffers from inefficient incremental updates. Curious whether those other managers deal with that (do they split your vault into parts)?

If it's a megabyte, who cares? You could have a way to split things or upload an update log, but it's not worth it.

If you need big attachments, then keep them outside the core vault file.

> Whatever documents you want to securely share with others

Sharing is where a dedicated service is useful.

But if a feature like that needs a paid service, it should be an optional upgrade.

I use BitWarden and I prefer having the open source and self hosted options for using BitWarden. 1Password does not have those. Despite that, I've been strongly advocating for it at work because it easily has the most polished and refined UI/UX of all the managers I've tried.
Bitwarden is fantastic. And can even pair up with your own open source 'enterprise vault'. Meaning that if you have a decent VPN setup in your home router, you can host the vault in your rpi (for example). It's great
On that note, a simple point where Bitwarden is lacking is the custom fields feature. It feels disconnected, separated from the main fields, and doesn't integrate very well into web forms that use the extra fields. 1Password, on the other hand, handles the custom fields amazingly, and event lets you creat sections to group them together in entries.
Exactly, secrets management is a really critical need that 1Password meets for me, and I'd much rather they charge me an honest price than sell out to advertisers. These things require upkeep (not just defending against everyone trying to break in, but also keeping current on the latest technologies like passkeys), so I find the yearly price of admission is totally reasonable for 1Password's quality and importance.
> I don't get the hand-wringing when it comes to reasonably priced services. Development and infrastructure costs money.

I have no problem paying for software. But in this case I’d far prefer a one-off purchase. The only reason there are ongoing infrastructure costs are because I’m being forced into using the company’s cloud service. I already pay for infrastructure in the form of my own cloud storage. I want to pay, once, for software that will use that infrastructure.

More generally, while I might see the value in paying $45 a year for a password service a lot of non-tech folks don’t. They’re happy using the same password everywhere they go (until they aren’t, of course), making them pay a few months-worth of Netflix to use software they’re already not inclined to use means they just won’t do it.

> I don't get the hand-wringing when it comes to reasonably priced services.

For me, it has nothing to do with the price and everything to do with the fact that I don't want a service dependency for my most critical passwords. I want them to be available no matter what. The product should be standalone. And this isn't a hypothetical concern, either: my employer is contractually mandated to disallow cloud-based password managers, so I must use standalone ones (yes, this is a stupid policy, but one that I'm bound by).

And on top of that, 1Password 5 was an excellent product and it is just steadily getting worse, in my opinion.

  • gffrd
  • ·
  • 9 months ago
  • ·
  • [ - ]
I'm with you: I'm happy to pay a recurring fee for a good service, usability, and dependability.

I've been a 1password customer for as long as I can recall, and it feels weird dumping my subscription to save a few bucks when it's been such a great service at a fair price the whole time. Why I'd keep it around if the OS solves the same problems, I don't know … just saying it feels weird.

Very good point.
Well, good to know that U.S. feds now just need to send a single ping to get all the world's passwords on Apple devices.
  • urda
  • ·
  • 9 months ago
  • ·
  • [ - ]
I really recommend you stop and read the white papers regarding iOS and Apple's Security and Infrastructure design, instead of just regurgitating a talking point from reddit.
https://support.apple.com/en-us/102651 is a nice overview. The "key storage" column is the part to pay attention to. The keys to user keychains are stored on devices only.
Apple doesn't have access to user keychains
Nothing has changed. This app is just a skin over the existing backend.
  • ipqk
  • ·
  • 9 months ago
  • ·
  • [ - ]
I've been an avid 1Password user for over 10 years, but since they gone full-throttle targeting the enterprise market, I'm getting more and more annoyed. It's increasingly buggy (right now, it thinks I haven't migrated from 1p7 which causes annoying interstitials that I can't close. Over a month and no fix yet.). They killed standalone vaults. Obvious feature requests (e.g archive an entire vault) sit there for years untouched. The value is increasingly not there anymore for me, and here's hoping I can finally jump ship this fall.
My biggest worry about passwords by Apple is that I have even less pull when they screw it up. Not that I have a lot of input in 1Password, of course, but I bet if I get loud enough on HN for long enough, I could get the attention of the CEO. Try that with Apple. As a long time user (sufferer) of Screen Time, I am acutely aware of how badly Apple can screw up software, and how long they can let it go unfixed. Tim Cook ain't ever going to hear my pleas.
  • icee
  • ·
  • 9 months ago
  • ·
  • [ - ]
Keychain Access has been there since the beginning of OSX/macOS. It's quietly been storing email and wifi passwords this entire time. Many, before there was an alternative like 1Password, used the app to store other info within as well through secure notes. Passwords in iOS and Safari, along with Keychain sync in iCloud have expanded the keychain functionality over the years and it's been fine for ~25 years or so. I have faith they won't suddenly screw this up and comparisons to less critical stuff like Screen Time aren't really valid here. And sherlocking? I don't think so. When 1Password came out, it was clearly inspired by Keychain Access that had been there for years prior with similar functionality and even user interfaces.
Keychain Access has not been "fine". It's had multiple unaddressed data loss bugs. For example, Keychain lost all passwords from all Keychains after the Catalina update[1] and this wasn't fixed in the next 3 Catalina minor updates. Multiple users reported the issue to Apple and the response was crickets. Even if you restored the passwords, it helpfully deleted them all again. I switched to 1Password and declared Keychain Access a lost cause. I don't think I'll be giving them a second chance here.

[1] https://discussions.apple.com/thread/250722178

That does seem like one Apple fault, that Microsoft does better -- triaging actual bugs.

Apple has devs. Maybe some teams are short-staffed, but they fix things.

What Apple doesn't seem to have is a functional bugfix priority loop that includes customer input and provides feedback.

It starts with the horrendous thing called “Feedback Assistant”. Black hole if I ever saw one.
  • icee
  • ·
  • 9 months ago
  • ·
  • [ - ]
Depends on how we define "fine," but your own post clarifies that it was "website passwords -- but not app passwords, secure notes, certs, or keys." That's a pretty big difference compared to "all passwords" and seems like it affected a small number of people. In any case, if we're using anecdotes, I haven't had any issues with it so far and it's been decades. Given how 1Password has been getting shittier over time, I've been looking for an alternative, and I for one am going to give this a shot. You can check in with me in a few more decades and ask me if it went okay.
  • rurp
  • ·
  • 9 months ago
  • ·
  • [ - ]
This is definitely a factor and applies to regular support help as well. I sent 1Password an email several years ago about an issue and got a prompt and helpful response back. It was a much better experience than I would ever expect from Apple (or Google/Microsoft/etc).

I'm not really a fan of 1Password overall though. The product is still fine but has gotten gradually worse over the years and their corporate posture does not inspire any confidence. Consumer apps that focus on Enterprise and are only interested in SaaS revenue almost always follow the same path of endlessly degrading the user experience once they reach a certain point. I haven't seen anything that makes me think they will be an exception, but I give them credit for actually having a real support channel, at least as of a few years ago.

Can you expand more on the Screen Time issue?
I've had a bug where unpausing a particular app requires doing so 2+ times before I can access the app. The bug has persisted on multiple devices for multiple years and it makes for a pretty clunky user experience. That's one example that comes to mind for me.
It happens so often for me, I just assumed it was a key feature of how Screen Time worked e.g. 1-click to unpause isn't really a deterrent, but what if unpausing took a random number of clicks to unpause - now that's a deterrent to not unpause.
It doesn't matter how many times you click it, there is a delay before it unpauses. If you click it once it will unpause after about 15-20 seconds. I'm not sure why it does this, it could be syncing with iCloud to also remove the restriction on your phone and iPad or it could be a feature that gives you a short pause to reflect on whether you really do want to continue wasting you life on hacker news.
Anyone get the bug where you can't get away from the Safari tab that's screen timed because anything you type into the address bar gets deleted by another popup?
I have this same issue. I've got to unpause the app multiple times, and wait for upwards of 15 to 30 seconds before the app actually unpauses.
Ugh, where to start. It has all sorts of failures. In no particular order, off the top of my head:

1. It randomly adds in limits for my kids I didn't even put there. I put in an X hour limit, it puts in an Y hour limit, usually duplicated three or four times. Most commonly for the 'All apps' category. I delete those, a few weeks later they start reappearing. Kid complains, I delete them again, rinse & repeat.

2. Somewhat regularly it loses connection to the kids' ipads and doesn't update the settings I change. Usually it'll eventually connect, but it can take a while.

3. Some devices it just refuses to see. iMac? Sure. MacBook Air? Crickets. Why? Who knows. Everything is running the latest software, both computers have the iCloud account authenticated. Sometimes it decides my son has no devices at all. I don't really bother looking at reports any more.

4. Sometimes I get screen time requests (install a new app, ask for more time, buy something, etc), and sometimes ... nothin. I can watch my kid put the request in, I never get it. Sometimes it's flawless.

5. The requests come in via iMessage now, and this tends to be okay on the phone, but it is very destructive on the MacOS Messages app. The requests almost never completely load, for whatever reason, and just spin. I think only once I saw the requests show up on the MacOS Messages app correctly. Eventually the requests conversation gets too many of them spinning, and they drag down Messages until it beach balls. If I'm lucky, I see that one coming as it gets slower and delete the conversation before it gets far enough to hang.

There are probably some things I'm forgetting. It is the buggiest bit of software from Apple that I've ever used. The only other app that routinely annoys me is Music, because it periodically (every day or so) seems to lose authorization or something, and just refuses to play music. But doesn't say why, doesn't reauthorize or ask to reauthorize, just doesn't play anything. I restart the app and it works for another day. That bug has been around for several years now, on multiple computers.

For me it's completely unfit for purpose:

* It's incompatible with some apps, e.g. Roblox, that are full-screened, and you end up in an annoying loop between the Roblox screen and the request more time screen fighting with each other, with no ability to click anything. My kid has learned how to hit the Option-Command-Escape shortcut to force-kill Roblox using just the keyboard and restart.

* Sometimes Screen Time requests come via Notifications (yay), and sometimes they come via Messages (boo). There doesn't appear to be any logic behind which.

* When they come in via Messages, and I leave Messages.app running for too long, it ends up eating all of the memory on my 32GB M1 Max and forcing me to restart the system.

* Sometimes requests do not come through at all.

* Sometimes the user cannot request more time. Clicking the button does nothing.

* Sometimes multiple requests come through for the same app. Approving one of the requests does not satisfy all of them, you have to approve all of them.

* Requests for websites do not work. Every so often Roblox breaks and results in having to re-download the .dmg. You end up in a loop between approving the request for more time and the website saying the user needs to request more time. I ended up writing a shell script to curl it instead (which requires munging User-Agent because the Roblox download page does not have a direct link to the dmg).

It's clear there are no Apple employees who actually use Screen Time to manage kids time. I can only assume they just let their kids have unlimited access, because trying to actually use Screen Time is absolutely infuriating, and only gets worse over time (e.g. the Notifications vs Messages thing is a recent regression).

It's also worth pointing out that I have absolutely zero issues with Android Family Link. It all Just Works for similar purposes.

> * It's incompatible with some apps, e.g. Roblox

Oh this is a good one I forgot. If my kid is playing Roblox and runs out of time, it goes into that screen loop and is impossible to resolve without at least killing Roblox, and sometimes rebooting the silly machine. That's pretty frustrating for the kid for sure, I ended up just whitelisting Roblox so it never happened.

Thanks for the background, there definitely seems to be a lot of clunkiness, and as someone who just started using it for IG, I have not experienced these but will keep an eye out. On a side note, I am always surprised how many products clearly haven't been used by the people making them...
Screen time is definitely designed for iPhone/iPad, and macOS integration is a very distant afterthought.
I tried using Screen Time to manage my daughter’s use of my old MBPro, and eventually gave up – for the reasons you list. The issues were just so crippling and obvious that it felt abandoned to me.
Might be outweighed by the bigger effects when they do screw something up. Like if their passwords mess up for amazon.com, some big airline, Facebook, etc... the noise will get pretty loud pretty quick.
I know that some people were able to successfully get through to a human/support at Google via HN.

I don't remember seeing those for Apple. Are there examples of anyone failing to get meaningful help from official support but were able to find a successful resolution through HN ?

This is exactly why I use 1Password and not the manager in Chrome, and I won't use Apple Passwords either.
I'm only still on it because of team use, but if Apple's thing supports teams I'm gonna be so happy to get rid of it.

I've been using it for nearly 20 years and it's been going down hill fast for the last 5, but 1Password 8 is an absolute clown car. It hijacks your passkey logins meaning that authenticating with Tailscale for me has gone from a single touch of the TouchID button on my Mac, to 1) click button that says "Unlock 1Password", 2) Click it again because it did fuck all the first time, 3) hit the global hotkey for 1Password, 4) open 1Password via Alfred because the hotkey has decided to stop working again, 5) touch the TouchID button to unlock 1Password, 6) switch back to the browser to find that my Tailscale auth has timed out, 7) back to iTerm to initiate the auth again, 8) if I'm lucky, I can now touch the TouchID button to use my Apple passkey, if I'm not, it's back to step 1.

I'd challenge anyone to name an app that has been ruined more by VC money than 1Password.

  • acdha
  • ·
  • 9 months ago
  • ·
  • [ - ]
The password sharing feature is pretty slick:

https://support.apple.com/guide/iphone/share-passwords-iphe6...

I’m with you on 1P. I bought every version starting in 2009, until the constant push to subscribe made me stop. The part their VCs should be afraid of is that switching took about 5 minutes (export + import) and the only change I noticed is that everything is faster. That moat is a trickle of water (I hope it’s water) and they’ve annoyed a lot of the people who used to be telling their friends and family to buy it.

I’m pleased to hear that switching is simple - it has been a major impediment for getting me and my team to switch. We’re currently on 1p as an org and I bought initially back at 6/7. Just changed to 8 reluctantly as I had ‘my’ stuff in my own vault. I had heard that it was not easy
You nailed my 8 step 1P unlock workflow. They've really done a great job standardizing the user experience.
Hah glad I’m not crazy. Used it and loved every version since 3x, but 8 is just so fucking buggy it drives me bananas. It just doesn’t work half the time!
Evernote.
Not a bad shout, but no matter how awful it got, I'd argue there never was a good version of Evernote.
its an apple tool. It will work on Apple products first, and then windows, but with a poorer experience. it may work on chrome, just for 'enterprise' but pretty sure firefox, linux, and android users are going to be ignored.
You’re right on the money but it already works in chromium browsers and windows but none of the others you mentioned.
  • ·
  • 9 months ago
  • ·
  • [ - ]
I have been fighting switching to the SaaS version. Paying a monthly fee for access to my passwords is highway robbery. I do not want/need any of these other "services" they forced upon me. I have trying Apples keychain, but that migration is slow and a total pain in the ass. And it's not even a good replacement.

I'm sure 1Password doesn't care one iota about loosing individual users with attitudes like this. Until the forced to a monthly rent seeking hand in my pocket policy was deployed, I had been a vocal advocate for 1Pass. Now, they're about to loose me altogether

  • troad
  • ·
  • 9 months ago
  • ·
  • [ - ]
> I have been fighting switching to the SaaS version

I felt that way on principle for a long time, but honestly, on reflection, 1P is probably subscription that is most justifiable. I want to outsource online security to people that know what they are doing. I want that to be a viable business for a long time into the future. And I want their funding model to be such that their interests are aligned with those of their paying users (me).

People can get so irrational when it comes to the cost of software. The same person who'd pay hundreds of dollars for a cleaner, or a gym membership, will swear up and down that 70 bucks a year for an online bodyguard is highway robbery.

  • bdzr
  • ·
  • 9 months ago
  • ·
  • [ - ]
> People can get so irrational when it comes to the cost of software. The same person who'd pay hundreds of dollars for a cleaner, or a gym membership, will swear up and down that 70 bucks a year for an online bodyguard is highway robbery.

Often while refusing to work for less than six figures as a SWE, hating on companies for seeking VC funding, dismissing non open-source approaches, and then complaining why there aren't more alternatives :)

I'm not sure a password database is a 'online bodyguard'. I am sure that 1password has been going downhill for a few years now. Getting rid of the ability for me to manage my own vault was the last straw for me. I'm still limping along with 1password7 with a local vault for my 'important/sensitive' passwords but i let keychain manage most of my randomass website passwords. Since I'm primarily in the apple ecosystem this works out for me, I do have some linux in my life too, but since I generally access those linux resources using a mac it's just not much of a problem.

I think this new interface to the password feature in macos will probably put even more of a dent into 1password/bitwarden/etc's consumer business driving them even further into catering to enterprise, it's a pitty, but 'this isn't a product, this a feature'.

  • troad
  • ·
  • 9 months ago
  • ·
  • [ - ]
If you're using a version of 1Password that's several years old and no longer updated, and also splitting your passwords across two solutions, one of which is not accessible on all your devices, I'm not too surprised that you don't enjoy the experience.

The current version of 1Password is pretty much seamless for me across Linux, Mac, and iPhone. It's more seamless than it ever was before, honestly. It works for my technical needs and my parents' non-technical needs alike, and greatly simplifies tech support for the latter. I would sincerely recommend giving it a shot if you haven't already.

> I'm not sure a password database is a 'online bodyguard'.

If that's all 1P is, why not just spin up an SQL db yourself? Because, of course, that's not all 1P is. It's a database, a GUI (for five OSes on two architectures, plus web), extensions to auto-fill (and recognise new passwords, or changed passwords) on a range of ever-changing browsers / websites, a great deal of security hardening for their software and servers, an office full of people that evaluate and consider how to combat emerging threat models, etc. None of this is technically impossible to handle yourself, but that's an extremely inefficient allocation of most people's time.

Keychain is accessible across all my devices, excepting a couple of local linux servers, but since I only access them through terminals from my mac.. shrug

What initially attracted me to 1password was certainly it's browser integration features but after switching to keychain I find the 1password save login/autofill interfaces to be clunky and jarring... and the input/search interface. Those features would be hard for me to write myself, however given that 1password when they killed local vaults also switched to a resource hogging cross platform framework (electron) for it's 'native apps' at the same time.. well two straws that broke my back in that case.

My current 1password vault probably has a dozen entries, I've considered moving them to just an encrypted (doubly encrypted I guess) note inside keychain for break glass emergencies.

I don't think it's so much "paying for an app" as it is the constant rent seeking. It's not that people don't want to pay for 1Password, it's that we're all so damn tired of every company nickel-and-diming us to death. Can't anything just be a one time purchase anymore?

While 1Password probably wouldn't have gotten as popular as it is, if they started as a SaaS, instead of letting everyone think they could just buy it one time and be done, I doubt anyone would be angry about it.

Not defending any particular company here, but writing software for what is essentially a moving target (OS’s and browser extension APIs) is just simply not “one and done” anymore.
> Paying a monthly fee for access to my passwords is highway robber

It would be. Fortunately, 1Password doesn’t do that [1].

You’re paying for an important piece of software to be maintained.

> I'm sure 1Password doesn't care one iota about loosing individual users with attitudes like this

Probably not. Emphasis on attitude.

[1] https://support.1password.com/frozen-account/

This entire assumption that I'm a freeloader is absolute bullshit. I've bought and paid for my copies of 1Password and have even purchased it for others. You can take that freeloader name calling and shove it right back in the place you found it. I'm quite frankly tired of it.

We can have upgrades and working software that gets updates without monthly fees to do it. I also do not need their cloud and only features. They intentionally removed the local vaults specifically to force you to use their cloud. That was the last straw for me.

> We can have upgrades and working software that gets updates without monthly fees to do it.

No, the last twenty years has show us that we can't.

If you want developers to perform ongoing work on their products, you need to accept a model where there's ongoing pay for that work.

> you need to accept a model where there's ongoing pay for that work

Before they switched to subscriptions, it still worked like that: 1Password 4, 1Password 5, 1Password 6 - I paid money each time a new version came out. Sometimes I paid the same day of the release and upgraded immediately. Other times, I may have waited a little bit longer and continued with the version that I had.

Nobody's asking for a free lunch.

They had a model that was ongoing pay for their work. 1password was healthy and happy providing flat fees for major version updates, which were every couple of years. Then some VCs wanted to see more profit so suddenly it's all online, subscription, drop the native clients, and a pivot to enterprise. It got enshittified.
> assumption that I'm a freeloader

Where did I or OP say this?

> can have upgrades and working software that gets updates without monthly fees to do it

It’s a bad financial model.

> intentionally removed the local vaults

This is a valid disagreement.

Subscriptions may be a 'good financial model' for the business, but are rarely a good financial model for the consumer.

If I am required to pay you monthly for a product there becomes less and less reason for the owner of said product to improve the product. With the hassle that comes with switching password managers (even for myself, I provide three families with this product (my parents, my sisters family)) there is a lot of friction involved with leaving a product that is stagnant that I am paying monthly for.

I was much happier with 1password when i was able to evaluate their new major version, see if any features of it were compelling to me and my extended family and make a decision wether or not it was worth the asking price. Generally speaking a major version wouldn't get huge changes over it's lifetime, maybe some bugfixes, maybe some ui improvements around it's new features (could also be considered bugfixes), any security issues that cropped up. At that point their development staff was more focused on brand new features for the next major version.

I think what we ran into, partially, with 1password is them running out of ideas for their next major version. A password manager, to a consumer, is not a super complicated product that requires a bunch features, a lot of the work is in the encryption and security which isn't really consumer facing.

people go back and edit their comments silently after being called out all the time around here
1Password has the most reasonable pricing out of just about any SaaS company. $1/user/month if you're on a family plan. $3/month for individuals. And they provide a great service.

Strongly disagree that they're part of the group of SaaS companies trying to price gouge their users.

Cloud only, and they removed local storage of the vaults. If I'm somewhere that doesn't have internet connectivity, what happens then?

Dislike of SaaS isn't limited to monthly fees, but the lack of features they removed to encourage SaaS adoption

  • beart
  • ·
  • 9 months ago
  • ·
  • [ - ]
If you are using a device that previously accessed your vault, it will be cached and accessible. It just won't sync until you regain network connectivity.
Is there an actual guarantee that all passwords will be cached (and not just e.g. the N most recently accessed ones), and that the cache will not expire at some point?
  • beart
  • ·
  • 9 months ago
  • ·
  • [ - ]
I'm not sure, but I'm also not sure there's a guarantee that my self-hosted password vault won't die in the middle of a busy day.
That failure can be mitigated by having a local backup, though. In general, with local stuff, it's not so much that the guarantees are better, it's that you can dial them in yourself to the level you feel comfortable at.
How many passwords are required if you aren’t connecting to the internet? What would you be signing in to?
Do you only keep online passwords in your manager? I've got all sorts of things in mine, plenty that I might need without connectivity, such as the door code to that AirBnB or bank account numbers and PINs. Then again, I never would have done that without offline availability...
That's some low quality snark. I have plenty of local things with passwords. One example is encrypted external drives. That's all your snark gets from me on the off chance it's not actually snark. (must me the most I've used the word snark in one go)
> That's some low quality snark.

I'm on your side in all the comments I've read so far (especially the "freeloader" one), but this one is a clear "assume the worst" which isn't fair to GP. Their comment could very well have been a legitimate and innocent question. Of course it could have been a majorly failed attempt at a troll (since the question has great answers) but assuming the worst just drags everything down. IMHO better to give benefit of the doubt, even if only for the other people reading it later.

After the initial login all your passwords are cached locally anyway.
Same opinion on 1Password's great service. I've found them to be responsive and accessible anytime I've needed them. I'm not seeing all the bugs and issues others are reporting, but I have noticed a couple of odd UI changes lately that feel a bit like a product manager is bored and looking for work to do.
Interesting. Earlier this year I migrated passwords out of 1Password and a few from LastPass and Apple Keychain supported both easily. Just not more complex types of credentials. Every password and website was imported correctly as expected. If not I have yet to notice.
I tried to do the same and failed. The questions were 1) multi-browser support - I use Safari, Chrome, Firefox and Opera - there is a reason for this and I do not want to authorize some of my browsers everyday to serve passwords, 2) ease of use for family with different level of computer/iOS proficiency amongst them. As of now, they are happily running on 1password, but I will be happy to try again this year and next.
On top of that having to open up system preferences to add a new entry was just insane. Hopefully, this new UI into it will lessen that pain.
I'm in the exact same situation. I'm still on 7 (the last fully local version) but the cracks are starting to show. I can forgive them for iOS forcing you onto their update treadmill but they've intentionally crippled the Firefox extension for this version too, and it flat doesn't work on windows anymore and it's not like Windows or Firefox are deprecating their APIs all of the time.
Ever since Apple added password management to Safari it’s been clear that 1Password was going to get Sherlocked, the switch to enterprise mashes perfect sense from a corporate perspective. Chrome and Firefox offer the same features, so now every browser is competing too.

I’m finding most of the friction with 1Password I run into is actually Apple competing for autofill in Safari creating two completely different UIs above every form element.

The other issue I have is Safari Home apps not supporting extensions so you can only use Safari’s built in manager. I think that’s fixed in Sequoia.

Apple uses 1Password enterprise internally, so I doubt we’ll see it get completely Sherlocked since enterprise will continue using it.

Passwords.app will be used by folks who can’t be bothered to pay for a password manager, which won’t do much to 1Password’s bottom line.

There’s a lot of prior art like Apple uses Cisco WebEx instead of FaceTime for video collaboration. The products Apple produces are just very different than their enterprise counterparts.

Yeah i'm not sure apple wants to tackle things like 'shared vaults' outside of family sharing.
> clear that 1Password was going to get Sherlocked,

I'm actually of the same opinion as the GP comment, modulo that I'm not ever going to jump ship to an Apple password manager, but I'll point out that 1Password will most certainly not get Sherlocked since they are not Apple-centric and thus Apple would have to (gasp) release a Passwords.app client for Windows and Linux plus a cli and kubernetes operator in order to hold a candle to the reach that 1P has

Passwords.app is coming to windows (iCloud is on Windows already)
> I’m finding most of the friction with 1Password I run into is actually Apple competing for autofill in Safari creating two completely different UIs above every form element.

You know that you can disable Safari's autofill, right? I recommend it if you're using another password manager.

I suspect you won't be satisfied with Apple's offering if you enjoy stable software, unfortunately.

I agree regarding 1pass, but at least it's still firmly trying to solve the password management problem. Apple is trying to solve the vendor lock-in problem (i.e. how can they lock more users in to their platform).

I've been using Apple's password manager for more than a decade; and though the last OS update had a new UI, it still offered the old UI at the same time.

Every other password manager I have tried has had continuous churn, nothing consistent after a couple years.

I have passwords for accounts in my Apple keychain that have survived more than decade and about half a dozen different devices, to internal servers that have been dead for a decade.

The only new thing here is opening it up to more platforms.

My last password manager got sold to some guy in Morocco and my passwords put behind a pay wall, and then lost. Bring on the vendor lock in, I’m so done with all that other shit.
What company was this?
Raivo OTP (written by security researcher Tijme Gommers, who really should know better, or just didn't care) got sold to Mobime (some guy in Morocco as far as I can tell).
I've used Bitwarden for a while now and it has been so better than LastPass or 1Password ever was for me. I never understood the 1Password hype, it was easily the worst experience of any password manager I tried.
  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
Bitwarden gets my vote too.

Besides just working as expected, it importantly supports self-hosting. I don't currently make use of that, but have given it a try and it's great as well.

Having alternatives to the SaaS (currently very reasonably priced) is invaluable.

For a time 1Password had the best integration and UX across Apple devices of any of the password managers. That has become less and less true over time. Integration issues over the last year have me excited to try Apple's Passwords implementation as a replacement. Bitwarden is on my list as well, but haven't pulled the trigger due to switching costs for a family of five who all use 1password currently.
Even when people were raving about 1Passwords integration I found it inferior to LastPass
Same here. I tried them all several years ago, and BW was the only one that gave me anything like a native experience across all of my wildly varying devices.
I miss lastpass auto login. And i wish bitwarden had a merge for duplicate entries. Otherwise, bw is good. I also wish i was able to utilize totp keys like i can with iCloud
I use TOTP keys in bitwarden all the time. Along with passkeys that has recently been added.
Totp is behind a paywall.

https://bitwarden.com/pricing/#:~:text=for%20Organizational%...

I’m still annoyed by the little things — like the fact they switched from a very native looking 1Password toolbar icon in Safari to the ugly full color icon.

https://1password.community/discussion/128524/add-options-to...

Seriously, this is the kind of thing that an intern could knock out in a week. I don’t understand why it hasn’t been addressed.

FWIW, I have had zero issues with 1P version 8.
  • alx__
  • ·
  • 9 months ago
  • ·
  • [ - ]
Is your computer managed by Jamf? I had that 1Password 7 issue because of policy issue
  • ents
  • ·
  • 9 months ago
  • ·
  • [ - ]
Same here. Hoping I can jump ship before next renewal.
What's new that lets you jump ship now?
  • ein0p
  • ·
  • 9 months ago
  • ·
  • [ - ]
This needs to be multiplatform for it to be a viable option for the more tech inclined. I run all three major desktop operating systems plus iOS, so I use Bitwarden
My approach has been to move all of the critical secrets out of the vendor device and embed it in a keyboard. It then works with anything that accepts a keyboard.. I'll be releasing this as open source (hardware & software) soon:

https://www.anomie.tech/products/anigma/ce/

How far out is the phone peripheral?
Sadly, proly not till next year. I'm funding this myself and hardware is hard. Embedding it into a case has a whole lotta mechanical engineering challenges as well.

The desktop and tablet version will be released this year though.

I'd be interested in the phone version just for the keyboard. Closest I've seen is https://www.clicks.tech/ but I do not have an iPhone.
Yeah, I miss the real physical keyboards. I started with the Palm Treo smart phone in 2001 and stuck with Palm till they died. Better even than blackberry keyboards.
It is available across the two major desktop operating systems, but you'd have to read the article to find that out.

> The Passwords app is free to download, available across iOS 18, iPadOS 18, and MacOS 15, and will also work with the Vision Pro and Windows computers, says Apple.

No Linux or Android, which makes it useless for anybody having any devices running those. And since nobody wants to use two password managers, it remains a better solution to use a truly multi-platform one.
The Android one puzzles me a bit. We were Android + Mac for a very long time, more than a decade. I've switched to iOS over the last few years, but my wife remains a dedicated Android user. I don't really want to switch from BitWarden, but if I did Passwords would be a non-starter for us because of this.

I suppose that Apple really considers the iPhone to be the center of its customer's lives, with a Mac or Windows computer... rather than my view, of my computer being the center and my phone tertiary.

I think you might have it the wrong way round, and that you're a good example of why they do it.

You actually care about your computer, and if software isn't available for your OS then you're unlikely to ever switch OS to use it.

But you could be persuaded to move to iPhone, and maybe if enough new Apple services (which aren't available on Android) tempt your wife then she might make her next phone an iPhone, too?

Apple cares more about persuading people to switch from Android to iPhone than about Windows to Mac. But I also suspect there are many more Windows+iPhone people than Mac+Android.

Linux isn't even relevant in this context with it's <1% DWM install base. Android, yes you have a point, though a Mac and Android is a strange combination.
What's strange in it? I've been using macs and android phones for over a decade. And a lot of tech savvy people do the same. Macbooks have been a solid dev platform for a while, and do not really require any mobile platform preference.
  • nsbk
  • ·
  • 9 months ago
  • ·
  • [ - ]
Most of my dev team are Mac + Android users. The same is not true for data or product folks, who are mostly Mac + iPhone users.
What's the % look like for people who use password managers? There's probably a reason they all support Linux.
> though a Mac and Android is a strange combination.

Probably so, but there is one demographic well represented here that does this routinely: Developers. Macs are the default and often mandatory computers issued to developers at tech companies (I strongly disagree with this approach and think employees should get the platform they are most comfortable on, but Macs only is the current state of things in most places).

So many use Macs because of work, but have Android phones due to reasons I won't articulate here, mostly due to time but also with the audience on this article I expect it would melt down into an argument about which flavor of ice cream is better (metaphorically, not literally). Suffice it to say, Android users would agree with the reasons, Apple users will say you shouldn't be doing those things anyway, and we'll have to agree to disagree.

For me it's pragmatic; MacBooks are or have been the best laptops, and Android phones have been the best value for money while also being less locked down. IPhones are just really expensive luxury devices imo. My phone will probably break for some reason out of my control within a few years of getting it, or it'll become outdated, so I want to get the best hardware + software combination I can for around ~$400USD
One point of an iPhone is that it lasts longer, but if you really want new hardware all the time, Android is a cheaper option.
I don't see how that could possibly be true objectively, it's my impression that neither platform has any intrinsic hardware qualities that allow it to last longer, but with a Pixel I do have more control over how long I can keep it running if it doesn't succumb to irreparable physical damage.

Anecdotally, it's also my subtle impression that iPhone users are more inclined to update frequently regardless of how much longevity they could get out of it. I just buy my phone and keep it operational for as long as possible, only buying another if my current one is physically inoperable, and I feel like I'd get to that point more quickly with an iPhone, since parts are more expensive and not as readily available.

Main thing is iPhones get security updates for about 8 years. My iPhone 6S is still fine. Pixel in particular will now get 7 years, but this wasn't the case in the past. Random other Android phones don't have good support, and even third-party repairs might be harder.
That's a fair point, and the 6s is a great piece of hardware imo. I just find it frustrating that after security updates stop for my mac, I can definitely keep using software that's always worked on it, supposing I have the executable and any third-party backend services are still running. On my old iPad 3, since the App Store is the central software distributor, more and more apps have been pulled off of it at the discretion of the publisher. It was never really that useful of a device to begin with, but to use the same software, I'd need to buy a new piece of hardware, despite new iPads offering practically nothing substantial in terms of added value (for me) since mine came out. They're nice I guess, but not hundreds or thousands of dollars nice when I likely wouldn't use them for anything different.
For reasons like this, I've never owned an iPad. Seems like an intentionally gimped version of a PC.
The existence of a port does not guarantee future support of a port. Safari used to run on Windows. They're also somewhat notorious for trash quality Windows ports.
Desktop Linux market share continues to grow and as a part of that group, I rely on 1Password because I can use it across all of my systems.

The other major password managers are on Linux, and Apple will need to support Linux for this new offering to be interesting to me.

  • ein0p
  • ·
  • 9 months ago
  • ·
  • [ - ]
If it’s anything like their other Windows apps, Bitwarden is still going to be a superior option.
Unless Apple treats every major OS as a first class citizen for this password management app, this becomes another form of ecosystem/vendor lock-in. Have all your passwords securely stored in our app? Thinking about buying an Android phone? Think again.

Of the major tech companies, Apple probably has the worst track record of not playing nice with other platforms, walled gardens and all. Passwords are needed on all platforms. Apple would be the last company I would trust to ensure that I would be able to access my passwords anywhere I may need them.

I actually read the article and didn't see this at first. It's mentioned at the very bottom, right above the "featured stuff" and unrelated article below it, and after a lot of text about what Passwords does that Keychain already did.
I've found it easier to use Keychain as my "master database" and selectively copy passwords as needed into whatever browsers on non-Apple devices, granted it's not super often. Also, often I can directly use my phone to authenticate another device (passkeys, TOTP, or custom solutions).
I'm using KeepassXC for similar reasons although there's no official Android port last I checked.
The official site recommends KeePassDX and KeePass2Android: https://keepassxc.org/docs/#faq-platform-mobile
Keepass2Android has been working great for me for almost a decade now

https://github.com/PhilippC/keepass2android

So… this new app does most of what the depreciated “Keychain” app did, except now it’s got a iOS-looking UI. Huzzah, I guess, the “passwords” section in the iOS-restyled system prefs sure wasn’t substituting for Keychain for me. Passwords doesn’t appear to handle secure notes, though, and I still have a few of those, too.

I still really hate the iOS-restyled system prefs. Tiny unresizable text, a long vertical scroll. I can’t find a damn thing in it and just use the search bar every time and feel faintly annoyed about it.

We've been able to lock notes in the Notes app for a while either with a password or Touch/FaceID.
Oh, you can? I should look into that then, thanks. I’ve vaguely settled on Notes as “I guess this is the least shitty replacement for the specific way Evernote fit I to my life” but have never actually sat down with its manual to see what it can actually do.

Hopefully Adobe won’t decide to start shitting a bunch of authorization credentials into private Notes the way they took over the Private Notes section of Keychain.

Notes has become one of the better (best) first-party software offerings from Apple. They seem to have a really good team working on it.
I noticed a "Notes" section in password items. So, I guess in theory you could utilize those.

But my biggest one is wanting to store secure files. Think copies of a drivers license, signed documents or various certs and keys. That's not being covered here either for me sadly. It's not a super common situation for me so I can probably find an alternative app for that purpose.

Edit: Also for notes, I'd just password protect something in the Notes app. But that's just me.

for this requirement i choose to use encrypted sparse files (can be created with the disk manager app) which i store on the icloud. is only of use if you happen to have a laptop with you as mounting them is not supported in iOS
I paid for Disk Decipher for this use case - it was a great purchase! https://disk-decipher.app
  • catoc
  • ·
  • 9 months ago
  • ·
  • [ - ]
For iOS & Mac https://thevault-app.com does exactly that for me. Storing PDFs, or just plain images of passport, drivers license etc (in addition to passwords). It’s a bit on the technical site (eg, also has cmd: prefix for terminal commands etc)
Can’t you just paste the DL image into a Note and then password protect it?

I frankly just have photos of DL and insurance cards in my photos with tags to make finding them easy. Although note with the text searchable images that’s largely not even needed.

I don’t get what the security concern in. My photo reel is way more secure than my actual wallet.

At least now you’ll be able to prompt Siri to figure out where your settings are /s
  • hwc
  • ·
  • 9 months ago
  • ·
  • [ - ]
I've been using Bitwarden for a few years. It seems to do everything I need, and is cross-platform.

I have a soft spot in my heart for `pass` (http://www.passwordstore.org/), but it's a pain to access it from my phone.

I guess it's not every Firefox user, but Bitwarden hasn't been working for many FF users for the last month:

- https://github.com/bitwarden/clients/issues/8873

- https://github.com/bitwarden/clients/issues/9253

I am on FF with Bitwarden and haven't noticed any issues at all.
`pass` is an excellent case for storing passwords locally that you don't need to carry with you. I use a lot of login credentials for work on `pass` and it works great. If/when I need to upgrade laptops I can just back it up in git.

I use BW for all my personal stuff because my wife and I use it.

pass is the best.

If your phone is android, I'd recommend https://passwordstore.app/ plus syncthing :-)

Yes I love love love BitWarden.
I started using Keychain pretty much primarily this year (other than 1Password at work) and it works pretty seamlessly for me (granted Apple devices only). Even the Chrome extension works quickly as if it were a native part of Chrome.

Glad they're splitting it out of System Settings into a dedicated app.

I've also started migrating family members to it. It'll be way easier for the less technical people since it's already tightly integrated in the devices and OS they use everyday.

  • tgv
  • ·
  • 9 months ago
  • ·
  • [ - ]
FireFox doesn't work with KeyChain, at least, not the last time I checked (which was a few years ago, admittedly). There's an extension that goes one way (read only), but that's of course relying on an unknown entity.
Does the Chrome extension still require you to enter a six digit code every day to even use it? When I tried it this was incredibly annoying and I switched back to 1password shortly after.
It’s important, otherwise that means any locally-running binary (maven, npm) can steal all of your passwords, since they are in clear on your computer.
Does macOS sandbox things like maven or npm? Do they need read access for everything the user can see?
MacOS asks when “Terminal” wants to access the Downloads or Documents or the Contacts, etc.

However it asks once, across all Terminal programs, for the entire lifetime. So if you’ve ever used “find ~/Documents -…”, then Maven can access it too.

My opinion about this is that we’ll progressively go towards a Dockerization of the builds, which is the only one that gives developers confidence about the sandboxing.

It should be required by SOC2/PII certifications, though. As in, I already think I’ve seen an insurance ask something like “Are accounting documents present on a machine where compilation is executed” or maybe it was “Is it possible to install new programs on machines where sensitive documents are managed?”

Not sure that it's every day but I haven't been too bothered by it. It's not unlike the security policies where I work. So needing to type in a OTP isn't out of my normal routine.
  • duxup
  • ·
  • 9 months ago
  • ·
  • [ - ]
I often was looking to see "do I have that in keychain" and ... I'd forget where to find it as it wasn't a dedicated app.
You’re both talking about iOS, right? Because on the Mac it’s always been a dedicated app.
  • duxup
  • ·
  • 9 months ago
  • ·
  • [ - ]
Yes, I am for sure thinking of iOS.
Yeah. But even for Mac it's always been more of a technical utility app. When I say that it feels more akin to Disk Utility than the Notes app (in terms of who it's meant for).
  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
These days it even shows you a popup that asks something along the lines of "are you sure you want this app and not the iCloud Keychain tab in System Preferences".
I wonder if the biggest side benefit to a player like Apple getting into this game is the pressure it puts on web site developers to follow some kind of convention with their login forms. The vast majority of the time I have trouble filling a password, it's because the web developer did some wacky shit with the fields that make them unrecognizable, or in the worst case actively prevent pasting a password. It's one thing to blow off someone like 1Password, but Apple has a huge reach, they are not so easy to ignore.
There is a convention already, and it's quite simple. There's an "autocomplete" property on an input tag, and you can tell the browser what it's for[1]. Use "username", "email", and "current-password" for example when building a login page. ("new-password" is useful for creating an account or changing password, and the password manager can suggest a new password here instead of trying to autofill with your old password).

The autocomplete attribute supports nearly everything you can imagine. Check this for a full list[2].

[1] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/In...

[2] https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes...

I think the GP commenter is aware of that but saying "now that Apple is directly invested in managing and entering your password, it's harder to make excuses for dogshit product specs that, for example, block pasting passwords."
They're saying that Apple bringing this tech in will force developers to follow this convention, ss from their experience they're not. Not that there isn't a convention but people aren't following the conventions that exist.
Is there a way to turn this off entirely? Something like <html autocomplete=“off”>? It’s rather annoying to have 1Password trying to fill my contact info into any form with a Name input. For example, Forum Name, Todo Name, etc.
Ever used the virtual keyboard on treasurydirect.gov? I have resorted to DOM manipulation in DevTools so I can just paste my password in.
I think they finally changed this recently to allow you to paste in- I've resorted to the same workaround in the past though.
It's a real input field now!
What a shitshow that was! I’m pretty sure they’ve deprecated that part of the login process now, though. It’s much smoother, in a relative sense.
> actively prevent pasting a password.

I will NEVER understand this one. Do they want me to pick a shitty password? I'm not gong to type a string of of 20 mixed-case and special characters into a private text box on my phone. It always takes 3 or 4 tries to even get it right.

An alphanumeric password doesn't have to be bad or hard to remember. Mixed case and symbols don't add much security. But still, should be paste-able.
The problem is that I always generate a strong password with KeePassXC on my laptop, and I don't know about how bad the mobile sign in experience is until it's too late. And many systems require mixed case and/or special characters, so my password generator is configured to add these by default.

This user-hostile UX decision is simply unjustifiable. It's baffling how this even gets past code review.

I doubt this will change anything in the space. iOS and macOS (through Safari) has offered password management for years at this point. This is just a more flexible version of that system.
I always feel like these password solutions are there to lock you into their platform. I would never use Apples nor Mozillas password solutions personally.
I used 1Password for years. Last year I decided to try out Apple's built-in manager (for which this new app is a pretty frontend for a feature that already existed). I was able to export all my passwords out of 1P and import them into 1P. Then my company gave us all free personal 1P accounts, and I decided to migrate back. I exported all my data out of Apple's password manager and imported it 1Password, then ran a script to de-dupe entries.

There's not much else to add: it just worked. I wish all "lock in" were that open.

Typo there: I was able to export all my passwords out of 1P and import them into Passwords. I think people got the gist from the context, but just in case.
That's excellent! I'll keep that in mind.
It is very hard to move from iCloud Keychain to KeePassXC. Export functionality does not exist in the "Passwords" section of the settings on iPhone. It is also not available in the iCloud for Web. So, I had to go through all my passwords and reset them + create new entries in KeePassXC, one by one, which is very annoying. :-)
There's a proper export on the Mac if you have access to one, at least.
That's a great reason to not use Apple's, but Mozilla's doesn't lock you in at all.
The way Google's password manager covers websites anywhere I'm logged into Chrome plus native Android apps anywhere I'm logged into Google Play is super convenient though (albeit total lock-in, I won't argue that). Some apps are even developed well enough that a password originally stored via Chrome will be suggested for the app, I guess by cross-referencing the origins in some mutual way. And payment card details will auto-fill pretty smoothly in a very similar way, as well.

It's fantastic, and for some reason I trust OS/browser developers to do this more safely than a company focused on password management that has to figure out OS APIs, write browser extensions, or rely on a clipboard that has nearly unbounded read access.

Not sure people should take password advice from hunter2
The security positive of a browser integration is you eliminate the human part of url validation; effectively stopping phishing.
I love that. Unsolicited but quite possibly authentic email from my bank? No auto-fill means no-go, start over from a known URL. It would be funny if this behavior isn't a guarantee in certain adverse conditions.
> anywhere I'm logged into Chrome plus native Android apps anywhere I'm logged into Google Play is super convenient though

Android's autofill framework is open to everyone to use, and every third-party password manager has a Chrome plugin. I use Bitwarden with exactly this experience, but across Firefox and Chrome and Android.

Interesting! If I used Firefox (et al.) more, and if my passwords stored by Google aren't available there but they would be if stored in Bitwarden, this new-to-me information just might lead me to switch. But I do still intuitively put more trust in Google to not make a mistake; I am ready to be convinced of the opposite, though.
> Some apps are even developed well enough that a password originally stored via Chrome will be suggested for the app

At least on iOS, this works for any password manager.

Yes Mozilla's does - to Firefox. There are cases I need to use Safari or a Chrome based browser. This is the main reason I got 1password in the first place.

and where do you store your passwords for apps?

That's not lock-in, though, since Mozilla makes it very easy to export your saved passwords to a .csv file if you ever do want to switch ecosystems.

I use KeePassXC to store passwords for apps.

So does Apple make it easy to export even now, just one click on the menu in the System Settings. I assume having an app would make it easier.

So you have two password managers one for Firefox and the other for apps. What happens if you have an app login that is also a web site? Two entries of the same thing?

That's apple's entire MO, yes
I've been using KeePassXC on Mac and Windows and sync them between each other with Unison[1]. I'd be curious to learn how others who are using KeePassXC are syncing there databases with iPhone.

[1] https://gist.github.com/jftuga/0265e5403d56373662b9513d8816e...

As a sidebar, Keepass is so good that I don't understand why you wouldn't use it. 1password is bloated and annoying, Bitwarden is finnecky even when you do get it working, but Keepass Just Works.

Keepass is the closest I've ever felt to just having a wallet for my passwords. It should be ratified as a standard, so we can make Google and Apple provide "Export to Keepass" buttons in their apps.

I use the Passlane CLI for accessing and managing my passwords. Passlane stores the data in a keepass file that I have in Dropbox so that I can access it from multiple devices. On my phone I access it with Keepassium.

Check Passlane here (I’m the author of it): https://github.com/anssip/passlane

Very cool!

Would it make sense to use this for storing keys used other shell scripts?

Does it support hardware keys?

About using it for storing keys of other shell scripts/commands: What kind of special functionality this would require? Would you like to, for example, use passlane to extract the password of some script and then pipe it to that script? Perhaps adding that kind of functionality would make sense.
Well say I have U&P or API keys for some network service and I have a little shell script that automates it. I can save the auth info in the script or in a ~/.keys/ file or something and the file system permissions are all that's protecting them.

If my script could retrieve a password from my KeePass DB if it's unlocked, or ask me to unlock it, that would be cool.

Yes, makes sense! I would need to change it to output only the password without all the extra info that only makes sense for humans - could work in this script mode when provided with an additional command line option.
KeePassium + db file on Google Drive through Files app
Strongbox app and storing the database in iCloud Drive.
Dropped 1Password for Strongbox a few weeks ago, really impressed with it.
  • lmz
  • ·
  • 9 months ago
  • ·
  • [ - ]
Dropbox and KeePassium on the phone.
  • sngz
  • ·
  • 9 months ago
  • ·
  • [ - ]
Keepass2android and proton drive along with the keepass windows app
Syncing via NextCloud.
  • sngz
  • ·
  • 9 months ago
  • ·
  • [ - ]
Proton drive and keepassx, keepass2android and keepass
I’ve had my iCloud account corrupted twice since they switched from dot Mac. Zero chance I’ll ever trust Apple with anything serious. I don’t even trust them to keep my contacts safe from corruption. Never going to trust them with my passwords.
  • m_a_g
  • ·
  • 9 months ago
  • ·
  • [ - ]
Wasn't .Mac discontinued in 2008? I think it's time to let go
  • darzu
  • ·
  • 9 months ago
  • ·
  • [ - ]
“Since” could mean yesterday.

But i would like to hear more details of the corruption if parent is willing to share. This is pretty much my worst nightmare scenario.

Letting go has occurred. "Since" means after.
This hasn't happened to me, but enabling iCloud notes deleted all my notes. Kinda ridiculous for an app that had one simple job.
Isn't it all saved locally as well? Were your local files corrupted at the same time?
  • wpm
  • ·
  • 9 months ago
  • ·
  • [ - ]
iTunes Match/Apple Music completely corrupted my music library. Files are all still there with the wrong names and album art.
I want to use this, but this post gave me pause:

https://x.com/blader/status/1800263787746066646

"apple sherlocked 1Password today, so i'd like to remind you that your Apple ID is only as secure as your carrier.

if you have 2FA on and get SIM swapped, attackers can lock you out of it PERMANENTLY.

last month it happened to me. make sure it doesn't happen to you: "

Getting locked out of all my passwords would be pretty disastrous. Did Apple announce a change to the account lockout procedure as well?

You can add security keys as a 2FA method and it will disable use of the trusted phone number for authentication
What happens if you have the RecoveryKey set, like the actual generated Recovery code? If that's set, can you always reestablish access?
This. I don't think most people realize how much eggs they put into one basket. Every service that can be used for MFA (email, token, password manager) should have its own separate barriers of entry to make total compromise as difficult as possible.
Thank god. I think 1pw has been mostly good, but it has frustrating quirks... Like requiring me to input the master password on the iOS app/OSX/Browser extension (on the same device) as if each of these apps have no way of communicating.

I constantly have issues with it not engaging on a form where I have to manually switch to 1pw, though it has gotten a bit better over the years.

I hate to see a company/product get sherlocked but I don't feel like password security was something we should need to have a subscription for.

I have already been using iPhone Passwords for all my passwords. Anyone else doing this? It autofills passwords on the phone and I can copy a password from the phone Passwords and paste it on my MacBook.

Whenever I do a password change, I have to do it on my phone, so that the new one will be stored. But that is fine with me. I’m happy to do that in exchange for being freed from “password managers”.

This and the android equivalent (chrome/google) are very common methods. It’s only in enterprise spaces that they’ve adopted the likes of 1Password, Bitwarden, etc.

Really no big difference, you’re still technically using a password manager.

Also you can access those passwords on Mac as well, it’s in settings just as you would find it in your phone. No need to copy from your phone and paste it, Mac can autofill. It can also autofill on other browsers through the dedicated right click menu, but it’s a bit more clunky than on Safari.

Fun fact, those same passwords can be accessed on windows now, install iCloud for windows and enable passwords. It uses a dedicated app on Windows.

yep, incredibly convenient. big reason i use safari as the default on my MacBook too. honestly safari is great these days for everything except web3.
why except web3?
I use metamask and safari is not supported.
  • pshc
  • ·
  • 9 months ago
  • ·
  • [ - ]
Yup, it's been super convenient to have iCloud sync all the keychain entries including wifi passwords, and quite secure and private.

I also enable keychain sync on my Mac so I can create passwords there too.

Crazy thing is that there's a plugin for windows to use them as well. https://support.apple.com/guide/icloud-windows/set-up-icloud...
It’s what I do but auto fill doesn’t work in chrome on osx :(
  • pshc
  • ·
  • 9 months ago
  • ·
  • [ - ]
Like the sibling commenter I use Safari for almost everything. It just works and saves more battery than Chrome, plus there's Handoff between phone and laptop.
  • ·
  • 9 months ago
  • ·
  • [ - ]
I hope it includes credit cards, rewards programs, IDs/Passports, etc. so that I can cancel my 1Password subscription.
Credit cards are saved separately already, I believe
Timely with how official support for the old 1Password 7 apps probably won’t be continued for too much longer, with 1Password pushing users over to the notably worse v8 apps. I’ll probably switch.
The biggest reason I'm moving away from 1Password is the abysmal support for Safari Profiles. It's so bad it's ridiculous.

Right now for instance I have a Personal profile, and a few work specific ones around admin, development, and my day-to-day work to split things off easily. I have 1Password unlocked in one profile and it works in that, but if I switch to any other profile it needs to be unlocked, then it tells me it needs to reload the extension. Reloading it doesn't do anything but break it again. I have to fully quit Safari then it works again for some unknown amount of time then falls apart completely soon after (probably laptop sleep or something like that).

Just a shitshow all around from 1Password anymore. How the mighty have fallen due to profits and investors.

This is my main gripe as well.

My current workaround is to use Orion as my browser. Its profiles are clunkier than safari and don't exist on iOS (but I don't care about that)

Can you describe what do you mean by 'clunkier'?
Safari feels integrated, Orion is a collection of apps with the same icon, menus and functionality but with different configuration.

Each profile produces a separate Orion.app so you end up with multiple Orion's in your dock - Safari is still the same top level app.

Extensions - in Orion each app is totally separate, in Safari there is one list of extensions and you choose which ones you want in your profile, of course the Safari extensions are clunkier than Orion which is what this thread is about, 1password not working,

It also feels like Safari takes less memory using this approach but I have not measured this.

Bookmarks differ - Orion's are totally separate, Safari's are all one tree and each profile takes a different root in the tree for the Bookmarks Bar so it is easier to move Bookmarks between profiles in Safari. And favourites are the same in all Safari profiles whilst Orion are separate, I prefer Safari here but I can see some justification for Orion's total separation.

Just retried Safari - and discovered it is more difficult to switch profiles than I remebered. The list of profiles are at the bottom of the Window menu which is harder to get to than Orion being an icon or on the tool bar - Safari for iOS is better here as it puts the profile on the toolbar (presumably as there is no menu and only one window) I just rediscovered the quick way for safari - choose the window from the dock icon.

Orions sidebar is better as it removes the tabs from the top and also indents tabs that you open from the parent tab. However the sidebar is not up to the standard of Firefox's Tree Style Tab adding.

Right. 1Password 7 is the last one to have private vaults. After that dies, I have no reason to use 1Password over anything else. SSH? Yeah, need that for work - which absolutely bans storing those on the cloud.
I don't know where this falls on the "storing in the cloud" policy, but if you haven't seen it I really enjoyed KeePassXC's ssh agent to keep SSH keys off disk: https://keepassxc.org/docs/KeePassXC_UserGuide#_ssh_agent_in...
Interesting. I liked the 1Password 6 UI, was frustrated with 1Password 7 and have been loving 1Password 8 so far. Version 7 seemed really clunky when I needed to do certain workflows.
What I dislike about the 7 → 8 transition is that it went from feeling like a handcrafted Mac app to an indistinguishable generic SaaS thing, which is exacerbated by 8 being built with Electron (which brings dozens of little papercuts that are difficult to smooth out, even if the dev cares to try to).
I don’t quite understand how this will be different from what built in iPhone password manager.

Something I’d really like: let my iPhone act as a Bluetooth (obviously encryption will be necessary!) or USB keyboard, and have it hold my passwords/type them. That way I could keep my passwords all in one place, and manage them locally. Currently I use keepass when not on iOS, which is fine, but I don’t really want to have to expose my whole passwords file to a Windows machine, since they are traditionally infested with malware (and apparently MS is flirting with including their own first party malware).

The offline device with a plugin usb keyboard that "types" in your username and password is exactly what i've wanted forever. There are some devices people have made and posted online. I made a POC with an old android phone once but never got past that stage.

I investigated the bluetooth encryption and it didn't really seem up to the task. You could create a dongle that lived on wifi though that would do the same.

I'm getting ready to release ours as open source (hardware and software) soon:

https://www.anomie.tech/products/anigma/ce/

oh wow. i can't wait to see more!
I think it depends on the password, Bluetooth encryption would probably be fine for, like, my forums passwords. If anyone within, like, 50 feet of me right now wants to break into my Hackernews account… IDK, my dog does seem like a real jerk actually, so if I make any dumb posts let’s assume that she’s stolen my passwords.

A dedicated device would be nice and, actually, keeping your passwords on something that never even has to touch the internet would be ideal. But my phone already has a nice big touchscreen to make it easier to pick a password. Reusing an old device could work but that’s limited.

i've thought of all kinds of iterations with varying levels of security. the phone with BT encryption would be fine in general but that would get picked apart for security if you actually tried to market it as secure.

the really secure way I was thinking is a small touch device that could be small enough to slide into your wallet or even as a device that would live in a phone case exposed on the back of your phone. then there would be a small yubi key like dongle that you'd plug in to whatever your target device is and it would communicate over wifi. that would be like the ultra paranoid version. then you could have the iphone/android app that communicates with the dongle, the one that uses BT encryption, the one that uses a USB cable from the phone to emulate a keyboard.. options are endless.

there's some features you could have like computer vision to recognize the login prompt. it's easy to get into an imaginative loop with the ideas.

could you post a link or 2 of the DIY devices? very interesting since this kind of device obviously needs a lot of integration into the PWM software ecosystem.
seems like everyone has this idea now if you search google.

https://www.google.com/search?q=password+manager+with+usb+ke...

https://github.com/tejado/Authorizer

https://hackaday.com/2020/02/08/usb-password-keeper-runs-on-...

https://www.amazon.com/OnlyKey-Stealth-Black-Case-Communicat...

It's a proper app that can be reached in one click rather than hidden in system UIs. Basically Keychain Access but for 2024 rather than 2001
I don't have a full answer for you, but you've hit on the major problem with all client-side PWMs.
My brother convinced me to try a 1Password family account, since it would be cheaper. Ever since, the Chrome plugin takes forever to login. Sometimes up to 5-6 seconds. And it really annoys me that they have so many resources and money, and it's still this expensive for a very very basic application, and slow to boot.

I tried out passwords, and combined with Safari, it's an absolute godsend compared to 1Password. That does mean that I switched from Brave to Safari, and thus have YouTube ads, and so I'm now paying for YouTube haha

  • Hawxy
  • ·
  • 9 months ago
  • ·
  • [ - ]
> Ever since, the Chrome plugin takes forever to login.

This isn't my experience since the recent update that shows up a mini-login panel when trying to sign in. The old experience that opened the desktop app first was fairly slow.

Just to rub it in your face :) (teasingly and with respect) I got Android/LastPass/Firefox and only pay for the LastPass annually (I got it on all my devices), so there you have it ;)
Just so you're aware, LastPass has had some pretty bad security issues, eg. on the latest https://arstechnica.com/information-technology/2022/12/lastp...
Just so you're aware, LastPass has had some pretty bad security issues, eg. on the latest https://arstechnica.com/information-technology/2022/12/lastp...
Check out the StopTheMadness extension. It offers a large number of features, one of which is automatically fast-forwarding YouTube ads

https://underpassapp.com/news/2023-10-19.html

Does it blank all the fake videos in your YouTube home page? There used to be ads separate. Then they started putting one in the upper left corner that pretended to be a real video, with some clickbait title. Now (today?) they have them sprinkled all over, like maybe 15% of all the thumbnails are now ads.

I'm leaving that platform. They've taken shittification to new heights.

I have never had such issues with the Chrome plugin.
I think it needs multiple domains for an account. It appears this hasn’t changed from their current setup from the screenshots in the presentation.

I don’t want to switch from 1pass if I can’t set 2 or 3 separate webdomains for an account as I find this to be the most annoying feature of apple passwords, when a website has a separate register page from it’s login pages. In 1pass you can just delete the subdomain and add domains. Apple doesn’t allow you to edit at all :(

  • pkamb
  • ·
  • 9 months ago
  • ·
  • [ - ]
My annoyance with Keychain has been that items kind of appear there as I type in a username and password on the web. Feels rather ephemeral, like old "saved passwords" in Internet Explorer or whatever. Feels like I'm one browser cookie reset away from losing everything.

Whereas with 1Password I use a separate app to CREATE a new Login file for an app/website/anything. I can save that file with as much or a little information filled out as desired. Can create arbitrary info files for Passports, library membership cards, etc. I know the information for each is forever stored exactly as I created it, always syncing, never overwritten when I type in a different password and accidentally hit "save" in a webform.

I hope the new Apple Passwords app is more like the later; if so I would switch.

My main reason to use this would be to maybe have an easier time adding a login when I'm on mobile - hopefully Apple would make it as easy as with bitwarden's desktop browser extension where you can just click 'save' or 'update' after logging in

My main reason not to use it is because I guess not going to work as well with firefox desktop?

I think this will finally get me to switch from 1Password 7. I was never going to go to the new, subscription-only, electron-based 1Password, so its either hold out on 1P7 for as long as possible or look for something new.
We're BitWarden users in our house. We switched from LastPass after they double the price for the 2nd year in a row. We each have our own accounts, and then a shared organization.

If it were just me, I'd be tempted to just switch everything over. My wife is smart, and technically competent, but isn't interested in switching to new things until the pain points are too much. If I want to move to a new app or a new service, it can't be on a whim of mine, and it can't just be because I want to see what the new features are like.

I moved from lastpass to bitwarden also, but I don't see the reason to move to apple passwords. I'm mostly linux at home, and I use the bitwarden browser plugins for chrome and firefox. I wonder how they plan to integrate browsers, since I imagine they won't have a linux app. Historically, they haven't written great windows apps, so I wonder how this will fair.
And put all the eggs into the same basket? No, thanks. I prefer to spread critical responsibilities among a small group of "little tech" companies that offer clear and concise data portability among them.
  • tmpfs
  • ·
  • 9 months ago
  • ·
  • [ - ]
It's good that Apple have decided to improve their offering for password management but a bit overdue and lacking in cross-platform support. Also, it's risky to allow large corporations control over our most sensitive information.

I have been working on solving password management as a local-first, cross-platform, open-source application[1]. It's a bit rough around the edges still (no browser extension yet!) but is worth trying as an alternative. Any feedback would be much appreciated!

The app is designed for zero vendor lock-in (after all this is our most sensitive data) and a self-hosted server is part of the design. We aim to make money offering a cloud platform for syncing and social recovery (digital inheritance) and eventually would like to also function as a Dropbox/Keybase alternative.

We will be releasing the open-source SDK[2] soon.

All comments or suggestions welcome.

[1]: https://saveoursecrets.com [2]: https://docs.rs/sos-sdk/latest/sos_sdk/

I have to be missing something. Isn’t this just a new coat of paint over keychain? What’s so revolutionary about this?

A lot of people seem to be acting like this is a really big deal. Is it cause it’s available on windows now?

Keychain has been around for decades, but the feature isn't as visible as third-party apps that also advertise themselves. On the Mac, you even had to go into the complicated Keychain Access utility to retrieve them.

I guess Apple just wants it to be more obvious that hey, you have a password manager already.

If Apple restricts db syncing only to iCloud, it will be a pretty keychain for all practical means.
1Password has gotten progressively worse. It's now an Electron app (so it's slower to load), and some features have stopped working well.

They took VC funding to pivot to enterprise, anticipating that OS vendors would integrate basic password management features (what most of their usage at the time) into the OS.

So the consumer experience has been de-prioritized. I will not be renewing my 1Password subscription.

Oh the classic irrational HN hate on JS/Electron... 1Password 8 takes <1s to load from scratch on my machine, and is instant most of the time since it runs in background.
when every app loads an entire duplicate browser stack then your RAM is wasted out of cheapness and negligence.

Moreover, I shouldn’t need a cutting edge microprocessor just to look at my saved passwords. Multiplied across 15 million 1Password users, even 1 second amounts to about six months of collective time wasted for each app launch.

I would never hire any developer who disregarded their users’ time, UI experience, and computing resources so blatantly.

50% of people on HN seems unable to understand that developing UIs using web technologies is 2-3x faster than using Native frameworks. If anything, just from the benefit of not having to develop 5 versions of the UI (MacOS, Windows, Linux, iOS, Android) but just 1 responsive web app.

In my perspective clearly the blatant disregard for UI experience is wanting to develop native apps just for hypothetical RAM savings or similar ideological preconceptions on performance that are not real or relevant in practice.

Electron apps are now everywhere because THEY WIN. Figma, Slack, VSCode all succeed in large part thanks to being Electron apps. HN denial of this simple fact is copium

Something being ubiquitous in the marketplace does not automatically translate into it being objectively or materially "better" for consumers.

Fast food is everywhere because it's cheap and fast. And diabetes and heart disease rates are skyrocketing worldwide. Is that "winning" in your eyes?

It works on Mac -and- Windows? Goodbye 1Password! The browser extension has been SO buggy for me on Safari ever since v8, I'm SO excited that I might finally be able to ditch it. I even mentioned it in a comment before[0]. Looks like the day has come!

[0]: https://news.ycombinator.com/item?id=36427945

Why would I use it over Bitwarder?
  • AnonC
  • ·
  • 9 months ago
  • ·
  • [ - ]
Mainly depends on which platforms you use. If you’re using Bitwarden on Android and/or Linux, then this isn’t a replacement. If you’re on Apple’s iOS/iPadOS/macOS or are on Windows, you can use this. These are also native apps, unlike Bitwarden’s Electron monstrosity on the desktop.

Bitwarden has been lagging in implementing any consumer features for some years now (custom item types has been on the roadmap for six years and is still not done). Except for secure notes in Bitwarden, I don’t think you’d miss anything else in this app. Bitwarden is spending money and focus on the enterprise, just like 1Password has been. For the consumer segment, neither of these are good enough now.

> Bitwarden has been lagging in implementing any consumer features for some years now...

This is actually the reason why I like Bitwarden. They don't seem to be constantly trying to push unwanted features on me. I've always been a fan of the first "rule" of the Unix Philosophy: do one thing well.

I'll be trying this out, but moving me from Bitwarden will prove quite a feat - especially since it was the best option for me after trying over 10 password managers while I was still window shopping for one.
  • nsbk
  • ·
  • 9 months ago
  • ·
  • [ - ]
I’m in the same boat. I really enjoy Bitwarden but I’m willing to give this a try to see if it’s as good as it could be
I will need a tool to transfer over all the pws, doing that manually is a non starter
  • nsbk
  • ·
  • 9 months ago
  • ·
  • [ - ]
Sounds like a fun project to work on
Most pw mangers already have one. That's how I started on BitWarden
  • lawn
  • ·
  • 9 months ago
  • ·
  • [ - ]
You probably shouldn't.

But it might make other people who don't use a password manager start using one.

  • fckgw
  • ·
  • 9 months ago
  • ·
  • [ - ]
Because it's already built into the devices I use
Bitwarden integrates pretty well on Apple devices/apps already, although I guess you could save a tap by using a native app.
They also have TOTP support built-in for free, which is very convenient. With Bitwarden, you need to pay for that.
It's native and not Electron shit?
Considering I only ever use it as a Chrome plugin anyway, that's not much of a sell
What's wrong with Electron?
  • AnonC
  • ·
  • 9 months ago
  • ·
  • [ - ]
Electron apps are usually (not always necessarily) sluggish and don’t support native UI paradigms or keyboard shortcuts or navigation. The Bitwarden desktop app is one of the bad ones.
Disk space for one. The Bitwarden macOS application is around 390 MB. For comparison, Firefox is 388 MB. They're usually much worse from a CPU and RAM perspective too.
I was pleasantly surprised to see they said they would have a Windows app, but it's DOA for me unless they also offer a solution for Android :(

I love my mac and I love my pixel phone but sometimes being a Mac + Android user just sucks.

I was happy using Bitwarden until recent updates that basically block out the entire form input. It's a dark pattern to me, built off fear and that's not the perception I want to see in someone in charge of my passwords.
You can turn this feature off under settings.
Are there APIs to get the iCloud sync into my own app? I'm all for iCloud syncing to my devices I just want a way to also get a backup in a file so if Apple decides to delete my account on a whim, I don't lose everything.
What account are you worried about Apple deleting? If they nuke your iCloud account your info is still on the device.
If I lose access to my Apple account (via hacking, being banned or otherwise), do I also lose access to all my saved password? Thats what I want to know.
No.

Passwords are saved on your device.

I would guess the reality is companies like 1Password make almost all their revenue through B2B relationships. I doubt Apple will encroach too much in that space (lack of sales reps/support etc.)

Curious to see how this ends up impacting competitor's businesses or not though! If Apple gives themselves access to a bunch of integrations and APIs no one else can that sounds like they would be abusing their monopoly power...

I hope there is a cli that will allow access to this like the `security` command, maybe this is just another facade on top of oldschool keychain?
Lack of Linux support and i'm not sure if it handles storing files (eg pdfs) is what would hold me from adopting this.

I use 1pass across all platforms.

I used to use keychain for my passwords. It worked really well until I tried to export data so I could use it on Linux. No dice. The way it looked there used to be an export function but then Apple decided to take it away. I think I'll stick to Bitwarden. Works reasonably well and I can back up my passwords with a simple export.
Companies like 1Password must be having a bad day. They have previously been held back by Apple, resulting in a poor user experience on iOS. And now Cupertino is entering into direct competition. Let’s see if Apple reaches feature parity and in particular, actually offers decent cross-platform support.
One of my biggest feature wishes finally come true. A few updates back they made the Passwords section in Settings one level less deep, and I was very frustrated they realized it should be easily accessible but didn’t bother making it a standalone app when Keychain existed on Mac.
Maybe I don't want "whoever" to be able to get into every one of my accounts by coercing Apple to give access to all my passwords.

There are groups that can do that coercion (eg. US and CPC governments), and there may be support staff et all in Apple that can get the same access.

For the same reason, I was unhappy that Keychain.app is auto synced to iCloud (and as per a past thread, even if you disabled it it may be reset).

So, of course, I don't have to use their app. Except that I suspect it will be built into the OS in a way that makes it hard to avoid, such as Keychain.

I would love it if there was a way I could setup my self-hosted BitWarden instance to be as integrated as Keychain is, and not use Apple or Google for passwords.

iCloud Keychain and Passwords are end to end encrypted; how will coercion help?
A password manager that doesn't have an open-source client cannot be truely checked. Therefore it cannot be trusted to encrypt them before being sent nor to not contain a backdoor.

Apple was part of the PRISM program, we know they gave access to our data for mass spying.

I just hope the next feature is FaceID on the Mac.
If this supports OTP, and ideally profiles, I'd likely cancel my 1Password subscription. I've been waiting for Apple to release something like this for a long time and surprised it took them this long.
Keychain has been built into all apple devices for ages, and all support OTP and seamless sharing across all your devices. Genuinely interested to know why you have been using 1Password when apple will already do it all for you? Did you not know?
iOS already supports OTP, it’s just buried in Settings > Passwords > Set up verification code. Once you do that, it’s seamless - it autofills in all my site and works beautifully in chrome/edge/firefox even in my PCs
Some earlier discussion ahead of the announcement: https://news.ycombinator.com/item?id=40613857
I've never understood why there are some passwords that exist in the macOS keychain app that don't appear in the Passwords section of the macOS System Settings (I think the password for my WiFi hotspot is one of them). Can anyone explain this? Will the new Password app have 'everything' in it?

I always end up looking in the Keychain app to be sure to find what I'm looking for, but I dislike that app because it often takes several password entries to get to see a password.

  • mh-
  • ·
  • 9 months ago
  • ·
  • [ - ]
There are multiple different types of 'password' entries that can be stored in the Keychain. If you open a terminal and run `security -h`, you can see what I mean. Keychain Access.app is accessing the same database as this CLI tool.

I assume the Passwords section of System Settings is only pulling up a subset of these, but I haven't upgraded macOS on my personal laptop in a long time (I'm on 12.4), so can't verify easily.

  • n4r9
  • ·
  • 9 months ago
  • ·
  • [ - ]
> Considering this service would be operated and owned by Apple, likely to have a deeper integration across its iOS, iPadOS, and MacOS platforms, and doesn't have the same track record of security breaches as competitors, it should make for a compelling alternative for many users.

Is the reason for fewer security breaches perhaps that the data wasn't as valuable to attackers (until now) ?

It looks to be a new surface on iCloud Keychain, which has existed and been deeply integrated into Apple OSes for a long time. It doesn't seem intuitively too likely this would make it a much more appealing target than it is already.
I used to use Apple keychain and lost access to it at one point when I switched phones and no longer had a known device associated with my account. Even when I had the correct credentials, I could no longer access the keychain.

It may be my own ineptitude, but I won’t use it again.

For this to catch on it needs to have a Chrome app - that's the only way employers let you use a password manager
  • fckgw
  • ·
  • 9 months ago
  • ·
  • [ - ]
There's been a Keychain/iCloud Passwords chrome extension for years already
really? what's the name?
https://chromewebstore.google.com/detail/icloud-passwords/pe...
  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
It's worth noting that this is Windows only, and needs you to install the iCloud native client there (which might not be an option on managed devices).

It doesn't work as a standalone Chrome extension in the way that 1Password or Bitwarden do, for example.

You think people will migrate from LastPass to 1password or do you think this just limits new inbound.

Also if those two apps didn't have a product feature map way ahead of apple then they were doomed from the get go. They must have known something like this was a significant business threat if not existential risk...

I'll be interested to see if there is improved support for handling and syncing passkeys to multiple personal devices.

I'm a bit nervous after hearing about people having early adopter issues.

Hopefully there is some sort of fallback if something extreme like a house fire manages to destroy all of your personal devices at once.

> Hopefully there is some sort of fallback if something extreme like a house fire manages to destroy all of your personal devices at once.

This is already addressed and has been since Apple first launched support for passkeys. See the “Recovery security” section of the “About the security of passkeys” support document here: https://support.apple.com/en-us/102195

What's new besides management of passwords being move from Settings, now into it's own dedicated app?
Good. I already switched to iCloud Passwords for all my needs, but it's not very convenient now. No way to store bank card info, no way to store ssh passwords (I'm using fake domain myserver.ssh.com, but that's weird), no way to store key files. Hopefully it'll get better.
  • phito
  • ·
  • 9 months ago
  • ·
  • [ - ]
Why single out lastpass in the title?
  • drx
  • ·
  • 9 months ago
  • ·
  • [ - ]
I didn't want to editorialize the article title, but yeah, it's tacky.
  • fckgw
  • ·
  • 9 months ago
  • ·
  • [ - ]
Because they are the most popular password manager
Maybe once they were, but they suck compared to 1password. I've moved and never looking back.
Bitwarden here, and certainly a lot of people have moved, but we’re anecdotes. What’s the data say?
  • fckgw
  • ·
  • 9 months ago
  • ·
  • [ - ]
Do you know what "most popular" means?
The early v8 release was pretty stained with skepticism from the entire community.

If anything 1password has proved to me that an Electron application can eventually be pretty seamless. I have been very impressed in MacOS and Firefox.

Can you store things other than passwords, e.g. credit cards? I doesn't seem so, but I only gave it a quick look. Would love to switch but that is a hard requirement for me. Also, does it only work well with Safari?
Apple Wallet is for debit/credit cards, it already exists and works.
What if I wanna have a shared card?
Shared with someone else?

Isn't that like against every rule of every bank ever everywhere?

Company cards and expenses exist. Also can’t believe you never once shared a card with someone in your family?
  • ·
  • 9 months ago
  • ·
  • [ - ]
I’m concerned about how secure this will be. What happens, for example, if you experience a sim swap attack?

How will apple protect all of your password data in this case?

Will the setup allow for an additional password to prevent hackers from gaining access?

Good! I've typed ⌘-spacebar + "password" about a million times now
I really enjoy 1password, things, mind node, etc but I never seem to enjoy Apple apps other than Messages or I suppose Finder if you're being very specific. Maybe this one will be different.
Does webauthn have a protocol for username / password retrieval ? It would be nice to have a usb security token that is backward compatible with username + password login.
This is very welcome! I had previously used a Siri shortcut on my desktop that would launch the password setting. (which worked very well, but a dedicated app is better)
This is welcome. Central password management really should be an OS feature. Drives me crazy that every browser I use has a different credentials store and sync service.
Why do you have the need to use different browsers? Use the one you like on all your devices is easy.
  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
Not everybody appreciates platform lock-in (whether the platform is a browser or an OS).
  • ·
  • 9 months ago
  • ·
  • [ - ]
enpass.io is great.

+ Can't beat convenience.

+ Cross platform

+/- free if you don't need mobile version

- Closed source

(no affiliation)

Bitwarden

+ cross-platform

+ free as in beer

+ free and open-source software

Can't really comment on convenience, I moved from LastPass, but it has worked well for me.

I think I checked this. The self hosted wallet was tricky if I remember right.
You can use vaultwarden for self-hosting: https://github.com/dani-garcia/vaultwarden/. It's easier than the official server.
  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
There's a Docker image that has worked out of the box for me.
My hoster does not support docker, this is the problem.
So they are reinventing the KeyChain Access app on MacOS?
People should just use a sufficiently complex, memorized, password for their money/identity, and then a (mental) algorithm that allows deriving unique passwords for other services that are less important.

Only have to memorize 2-3 strings and more secure than a password manager since there's no third party in the loop.

Password Managers are a huge man-in-the-middle and liability in other regards (e.g. you don't have it present on a given device or on hand).

SSO from a single set of credentials is a much better solution. Multi-factor biometrics even better (outside of PII sensitivities)

Normal people don’t usually run password generation algorithms in their heads. When they do, the algorithm sucks. This is why we have password managers in the first place.
The formula can be very simple and is applied to less important services.

Unless you are directly, personally, targeted no hacker will waste the time trying to reverse engineer your algorithm... they'll just go on to brute forcing the next hash in the list.

And most people only have a few services that need to be truly secure anyway, which would use non-derived passwords (if they hack your netflix or spotify, who cares? Call support and get it back)

Password managers have had many exploits/failures over the years. You introduce so many points of failures bringing in a third party.

Your gibberish password with random symbols/characters isn't any more secure than a more memorable one of a similar length.

I don't think Apple has built this maliciously for this purpose, but for normal users this will be a strong motivator vendor lock-in.
That's an interesting take because I can see how this reduces lock-in:

1. It's now easier to access passwords on the mac because you no longer are forced to use Safari to view passwords, nor have to sort through the technical entries/certificates in Keychain Access.

2. The app surfaces a prominently positioned button for one-click sharing and exporting of passkeys/passwords, whereas existing methods significantly lack in comparison.

3. It's the opposite of lock in to consolidate all types of passwords into a single consumer-level interface, when the alternative was hunting for them across the various apps and system panels.

4. It works with iCloud for Windows for cross platform support. Which also means you don't need a mac to participate in shared password groups.

> you no longer are forced to use Safari to view passwords

Your passwords haven't been bound to Safari for quite a while. You already had to use the Passwords app found in Settings. Both Safari and Keychain Access have controls to allow you to open the Passwords app (the Settings one) from within them, but it stands independently.

The new Passwords app seems to be the old Passwords app with some refinements, new features, and moving it out into a more familiar location rather than it being hidden away in Settings. You might say this is Passwords v2.

That's my poor word choice as I also mention Keychain access in the same sentence.

I meant this in the sense of addressing people that stated that putting a password manager in Safari is vendor lock in, and accessing passwords via other methods such as the password pane in Settings as a bridge too far, along with describing that panel as "hidden" and using "dark patterns".

On the balance of information it seems clear that moving passwords to a separate app that is easy to access, navigate and share passwords (including across platforms) is the opposite of lock-in.

Those are all good counterpoints I hadn't considered, I think you've changed my mind.
  • ·
  • 9 months ago
  • ·
  • [ - ]
Yeah there is a pretty good chance that once this rolls out I won't be using 1Password anymore.

I only use 1Password instead of native because I needed something that worked on Windows. Will need to see how well that works, but I just don't see a personal reason why I would not just use this when it works so much better on my iOS devices.

I for one will stay away. What if your Apple account get banned? Then you lose all your passwords?

It's the same reason I don't trust Google with all my picture or documents. At any point in time their algos can flag your account for wrong reasons and that's the end of your digital life.

Are they going to remove competitor password manager apps as they did with other things they have incorporated into the iOS?
Password manager apps have been put on notice.
Not while people can't use the Apple one on Linux or Android.
I think for a lot of the password managers out there, the majority of their revenue comes from Apple users. The ones that don't rely on Apple users will be fine.
I mean, my parents will immediately move to this from BitWarden.

There is still a place for password managers, but if I'm the LastPass CEO, writing is on the wall with this announcement... They will see a large exodus of customers that use Apple OS.

Put on notice? What's better about this than 1password?
The article is light on details… what does this do that the current Passwords “app” (setting?) does not?
https://news.ycombinator.com/item?id=40646137
I won't even look at it until I see many years of track record of excellent support on non-Apple systems.
Keepass XC has served me well for nearly 15 years, and will continue to do so.
Is this just a standalone app for the existing password manager in settings, or is there more to it?
  • ·
  • 9 months ago
  • ·
  • [ - ]
I feel like an old man saying it, but does anyone else remember competition law existing?
Here there is no problem.

You have a completely free choice to use 1password, BitWarden, KeePass etc ..... Apple is not stopping you.

Forcing all browsers on iOS to use Safari is a different matter.

Were Microsoft forcing you to use Internet Explorer?
Yes many pages and tools only worked with IE
the platform must rise - if there is functionality that everyone is using, it is natural for it to become included in the platform.
Will they support Android unlike FaceTime, iMessage, etc?
For years, Keychain Access would copy disk image passwords from custom keychains into keychains that opened at login, defeating my attempts at extra security.

I don't trust 'Passwords'.

  • ·
  • 9 months ago
  • ·
  • [ - ]
Yeah please continue your "only on ios" policy. I will have a PW manager server on LAN and use it everywhere via VPN.

These are the reasons why I don't use Apple products despite the great hardware.

  • m3kw9
  • ·
  • 9 months ago
  • ·
  • [ - ]
Good riddence for 1Password, terrible interface
this sounds great as long as law and federal enforcement agencies can also access that password manager app as-needed.
End-to-end encrypted, so no.

https://support.apple.com/guide/security/icloud-keychain-sec...

Not really interested if it’s not cross platform and standards compliant but this will work well for 99% of the market.
Here's Apple's big problem: it's not a replacement for so many alternatives because it isn't supported on all platforms.

Safari? Not on Windows.

Apple Music? This actually has a Windows client. I'm not sure how good it is. But Spotify supports Windows and even Linux.

Apple Password Manager? Will this be tied to iCloud? Will I be able to use it on Android? If I no longer have an iPhone will it be a pain to maintain and use?

A dog cannot serve two masters. A company like Apple doesn't see any of these things as a product. They're a means to an end: to push the iPhone platform (and hardware sales). That priority will always trump the interests of a product like this.

It's also why I refuse to buy more into Google products: it's too much of a risk to lose access to everything if Google wakes up one day and decides to suspend your account with no recourse other than making enough of a stink on social media such that an employee will actually look into it.

People don't want everything tied to one identity, one service, one login.

>> People don't want everything tied to one identity, one service, one login.

I think this is exactly what _most_ people want.

With password management specifically, Apple has had a Chrome extension available for a while now which has allowed me to use it on other browsers/platforms. Not ideal, but good enough for most.

On top of that, they don't lock you in with passwords. You can easily import and export your passwords, just like you can with 1Password.

Apple Music has had a web client for a long time. iTunes has been on Windows for 20+ years and Apple Music was supported via that until recently when they built an Apple Music specific app.

  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
> On top of that, they don't lock you in with passwords.

Now that many sites are moving to passkeys or TOTPs, it would be great if Apple could not lock users in there as well.

> Apple has had a Chrome extension available for a while now which has allowed me to use it on other browsers/platforms

That's only on Windows and requires you to install iCloud tools locally, right?

Here's the iCloud Passwords extension for Chrome -- works on my Mac happily, and also with Arc (which means I now get to use it just as much as Safari)

https://chromewebstore.google.com/detail/pejdijmoenmkgeppbfl...

What is the adoption for passkeys? I do not get the impression that they will replace passwords or “social” logins anytime soon.
I have yet to notice a site asking me a passkey.
I've found them to be a real pain in the arse because they're implemented so inconsistently. Only the biggest sites are offering them, but it's those big sites where I'm worried about locking myself out because of setting it up wrong.
I've locked myself out of Squarespace by setting up then subsequently removing a passkey. Doing so triggered a bug which "updated" the TOTP (that was already set up) and the backup codes. Support was absolutely deaf to the whole thing being a bug, absolutely impossible to report, and I'm sure it'll keep being an issue for years to come.
They might not ask you to setup a passkey, but many sites already support it: https://passkeys.directory/
There are 3-4 I regularly use. Google offers it for their business accounts, of which I have a couple.
Funny enough, you can use a passkey to log in with Nintendo
Yet if the limit is one then you'll still need a fallback like forgot password. Because the original device may fail.
Really? That’s how I log into GitHub!
I stopped logging in into there since they forced 2FA on me because of an old contribution to an open source project. It's too much of a pain and I don't need to be logged in to look at the code of the modules or libraries I'm using or I could use. As collateral damage, I stopped opening issues on open source projects, that was maybe two or three issues per year. All my customers are on Bitbucket at the moment and it still works with username and password. If it would switch to 2FA, I'd have to comply.
If you have something like 1Password, it takes one or two clicks to set up 2FA for a given site and Passkey setup for a given site is pretty painless. There’s even a decent amount of CLI integration for signing commits, etc. As a federal contractor working in and out of higher security areas, 2FA and Passkey are… really not intrusive or disruptive to my daily life.
It amazes me the lengths people will go to to avoid security.
  • ayewo
  • ·
  • 9 months ago
  • ·
  • [ - ]
It’s not that the gp is trying to avoid being secure.

It’s that for a service that you only have a need for, a few times a year, mandating 2FA is an unnecessary hassle that can lead to user frustration.

I’ve experienced the same with Gitlab. I rarely use Gitlab and don’t have anything important hosted there but when a project I was a member of enabled 2FA for all contributors, it made my Gitlab account completely frustrating to use.

Typical scenario: I’m trying to do something brief on Gitlab that requires me to be logged in so I login then get shown an interstitial page saying I cannot proceed until I enable 2FA on my Gitlab account. Every action I attempt while logged in will fail unless I either enable 2FA or remove myself from the project that enabled mandatory 2FA after I was added.

GitHub’s 2FA implementation is night and day better than Gitlab’s but I imagine the user frustration must be similar if you find yourself suddenly having to enable 2FA because a GitHub org you were already part of mandates it.

True, but the alternative is that people with valuable projects to secure don't do that (because they aren't forced to), and lose things.

That said, the sign-in flow with a Passkey and BitWarden is great. Click "sign in with a passkey", click "confirm", done. No username, password, or 2FA required.

One day I hope BitWarden implement my suggestion of not requiring that second click if you only have one key.

Maybe they could have offered me the choice to "uncontribute" to that project, that is transfer my commits to the admin or to another account of mine that I would create, transfer the commits to and never access again after then. Then no more 2FA for opening issues and commenting on other projects.

I wonder if I can delete my account and create it anew with the same email and (probably) a different username.

I think 2FA is based on your being a member of an organization, no? You could leave, I think.
The Chrome extension also works on macOS.
  • ocodo
  • ·
  • 9 months ago
  • ·
  • [ - ]
> it would be great if Apple could not lock users in there as well.

The king of wishful thinking has entered the chat.

>I think this is exactly what _most_ people want.

This is what they think they want, until something happens and they are forced to move out of the walled garden, and have to replace everything.

But, admittedly, that's Apple's bread and butter, and they've managed to avoid big controversy so far...

Besides the web client,

https://cider.sh exists and is in various distro package managers already too.

...and is miles better than Apple's attempt at providing "support" for other platforms than their own.
> People don't want everything tied to one identity, one service, one login.

> I think this is exactly what _most_ people want.

Until they don't, which always happens sooner than you would think.

  • EGreg
  • ·
  • 9 months ago
  • ·
  • [ - ]
> I think this is exactly what _most_ people want.

Yes, and they should have it. As open source software that a free market of hosting companies can compete on price and quality for. Not as closed source software hosting by a Big Tech oligopoly.

You should be able to host your info on a server of your choice, encrypted end-to-end from your devices. That server is the one which should collect payments, manage subscriptions, do access control checks, and deliver data to others. That server is the one which should send notifications and push news updates to your devices as well as subscribers’ devices. You should always be able to migrate easily to another server, or use several at once, as fallbacks.

People have learned helplessness (“oh I wish Twitter would add feature X”, “oh, I guess we all have to get a Google Plus account”, “oh, sucks that Google Plus and all my data and social connections there are going away”) because open source developers didn’t stick around long enough to make something that is good enough to compete with it, and is decentralized and federated.

I can count on one hand: Mastodon. Bluesky.

I am working on fixing it: https://github.com/Qbix/Platform

Larger vision for 2025 and later: https://qbix.com/ecosystem

> I think this is exactly what _most_ people want.

I see many comments replying to the above statement, and I am no exception.. what about the saying that goes: "Don't put all your eggs in one basket"?

> what about the saying that goes: "Don't put all your eggs in one basket"?

I think it's a lot more important to decide who you want to trust.

The problem is that there are a lot of small apps that end up being scams. Or they end up selling their software to scammers. Or they just don't have the ability to properly secure their system (LastPass).

Apple has kind of made a name for themselves as a big company that cares about privacy and is serious about security. And they don't have the reputation for totally screwing over their customers randomly like Google.

I can see a lot of people making the pragmatic decision to just keep trusting Apple instead of figuring out which other company to trust as well.

> I think this is exactly what _most_ people want.

I couldn't agree more. I use Google's password manager because (1) it syncs everything (2) I already use Chrome everywhere (3) I can't be arsed to set up another password manager that is generally inferior in terms of integration.

I don't care for the FOSS argument. I just want stuff to work and work easily.

Plus, I sincerely believe Google is 'too big to fail'. If somehow Google gets hacked and my plain text passwords all get leaked, it means something huge has happened and we're all massively screwed anyway. So, whatever.

  • jjav
  • ·
  • 9 months ago
  • ·
  • [ - ]
> Plus, I sincerely believe Google is 'too big to fail'

Google might be too big to fail (I don't think so, but could be wrong).

The flip side of that is that google is too big to care. We all know from countless reports that they will evaporate your google account and everything ever associated with it, for no reason at all and zero chance of you ever being able to reach anyone to fix it.

I can't see why anyone would risk anything of value to such a platform that can destroy all your content at any second for no reason with no warning.

> I can't see why anyone would risk anything of value to such a platform that can destroy all your content at any second for no reason with no warning.

The only real solution to this is to self-host, locally. Which isn't feasible for the vast majority of people.

  • jjav
  • ·
  • 9 months ago
  • ·
  • [ - ]
> The only real solution to this is to self-host, locally. Which isn't feasible for the vast majority of people.

While that's a great solution, it is not the only one.

Do business with providers that are not too big to care. The ones where you can call them up and talk to a real human who is empowered to fix your problem.

Why not use Bitwarden?

It's better in every single way.

Luckily, _most_ people don't buy overpriced and closed Apple devices.
  • majke
  • ·
  • 9 months ago
  • ·
  • [ - ]
> In the US, iPhone has a 58.81% market share

There are demographics where Apple has dominance.

  • nicce
  • ·
  • 9 months ago
  • ·
  • [ - ]
Many could disagree about the pricing of MacBooks, for example.

M Pro series are probably the best laptops on the market, and if people keep buying them, is the price too much?

MacBook Air is actually quite well priced for what you get.

In the desktop world people tend to buy cheaper, yet equally as closed Windows machines.
In what ways are desktop Windows boxes as closed as Apple? I would say there are many many things to fault Microsoft for, but closing down the OS has never been one of them (though that is gradually changing outside the EU, to be fair).
Counter point - in what ways is macOS 'closed' and Windows not? And I am specifically talking about macOS, not iOS.
MacOS is only licensed for use in Apple branded hardware, as I understand it. Even running it in a VM could be problematic if that host isn't running MacOS.
So your issue isnt the openness in terms of being limited on what you can do on it, and more that you want it to be bloated with drivers for millions of various pieces of hardware like Windows, got it.
> and more that you want it to be bloated with drivers for millions of various pieces of hardware like Windows, got it.

MacOS is bloated anyways; they might as well use that bloat for something important like backwards-compatibility and not zombie-code left over from the PowerPC era. That's just an objective failure, on Apple's behalf; they break software support more often than Microsoft and even Linux at this point. A professional OS really has no excuse to break someone's software and leave it broken. Even Microsoft gets that.

So... yeah, you know what? I do want it to be bloated with drivers, because whatever they're stuffing it with right now clearly isn't working. I don't trust Apple to write or maintain a long-lived successor, I demand third-party alternatives I can maintain myself. Give me more options for writing and delivering software, or else I am going to continue ignoring MacOS as a build target for the foreseeable future.

True. However I can (and have multiple times) migrate from machine to machine without needing to reinstall everything.

My work MacBook was pulled from an original Air from something like 2015, to a 2017 Pro and currently my 2019 Pro.

So I’ve got apps installed on my Mac that have been installed damn near 10 years ago.

Ditto my home 2015 Pro was later on migrated to a M1 Air. Hell, I’ve still some 32 Bit Steam games that still somehow run on my Air (least Steam tells me they’re 32 bit).

We could play this game ad-infinitum, each finding a level of supposed “openness” but the basic facts are that neither Windows, nor MacOS are truly open.

If you want open, then Linux is always going to be in the answer somewhere. Not MS Windows. And not Apple MacOS.

When using the terms “open” and “closed” with operating systems, one is traditionally talking open the source code.

As such both Windows and MacOS are closed source.

As for “opening up the OS” both are pretty gosh darned flexible and extensible wrt other features.

However being based upon a BSD core, MacOS has had access to the Unix command line natively since forever. For Windows one used to have to rely on CgyWin before the virtualized WSL platform came to be.

Whilst MacOS has the somewhat opaque ~/Library for storing user settings and data, it pales into comparison to the massively Opaque Windows Registry.

I’ve had had very few issues fixing app install issues with my Mac - with Windows I’ve had more than one occasion where I’ve had to do a complete reinstall of the OS due to the Registry being totally hosed to the point I couldn’t reinstall apps again.

I don't think when someone is talking about a "closed device" they usually mean "closed source". I at least took it to refer to whether you can run whatever software you want on that device+OS, and how easy it is to do so.

I think Windows is up there with the open source OSs (Linux, BSDs, etc) on regular PCs are at the same end of "run anything you want from wherever you want it", iOS devices are at the other extreme of "only run things approved by Apple", Android devices are pretty closer to iOS because they make you jump through hoops and potentially lose access to various functionalities to install certain things or gain root access. Modern macOS, as far as I understand, is somewhere in the middle: you have to jump through quite a few hoops to install certain kinds of software, and a few aren't permitted at all I think (unsigned kernel modules?).

  • nicce
  • ·
  • 9 months ago
  • ·
  • [ - ]
I think the keynote here is the closed/open hardware.

You can run Windows almost on any hardware. So it is much more open in general.

You can equally run almost any imaginable software on both operating systems (if we ignore the performance), but you have extreme difficulties to run macOS on most hardware.

You said "equally as closed Windows machines."

In terms of the machine Windows is way more open in that you can use what hardware you want. But yeah the software is closed source.

TBH, the parent also stated “but closing down the OS…”

So waters were indeed muddied.

Easily export passwords, I’m not so sure. I remember trying to script this once and for each item it would prompt a password to extract the entry. Maybe the Passwords app changes this.
> I think this is exactly what _most_ people want.

Like seven people replied to say this, but they're all missing the trick.

Most people want this because they're guided to want it. If you show people the convenience but not the risk, of course they want something with an advantage and no apparent disadvantage. But the disadvantage exists, it's just not immediately obvious.

Then some corporate machine learning algorithm decides that it's your day to have a bad year, or the screws only get tightened after you're already locked in, and the regret comes some time after the decision is made.

Whereas the nerds who can see the inside of the machine are aware that this sort of thing happens and their response is no thank you. A starkly different preference from the people paying the most attention is a troubling sign. It's the early stages of this:

https://xkcd.com/743/

The thing that gets me is that people then defend the practice because it's likely to be successful. Lots of unsophisticated people are going to put all their eggs in one basket and then have a bad time, which is a result we should be trying to prevent, not defend the people causing it because they're likely to turn a profit. Companies making money on information asymmetries and the misfortune of others is a flaw we should be looking for ways to optimize out.

> Most people want this because they're guided to want it. If you show people the convenience but not the risk

I think that what is convenient to you, or to fellow engineers, is not what is convenient to the mass public or non-technical people. Very simple solutions, which are often platform-specific, tend to be a lot easier in many cases -- not necessarily all cases, but when something is built-in to a device or OS, this does remove some burdens from users.

No part of that is intrinsic. Example: Everybody is constantly using Internet Protocol, a standard implemented by vendors the world over, many of which having never encountered one another and yet their devices and programs can still interact with each other. From the perspective of the ordinary user it "just works", but it is in no way vendor or platform-specific.

Indeed, this generally works better than vendor-specific technologies as soon as you encounter the real world where different people have different stuff. Safari works just fine with Linux webservers because they're interacting using open standards. Then you want to get your Mac to work with Active Directory and it's a frustrating mess because it's not open standards and neither vendor wants to facilitate the use of the other's proprietary technology.

I’m curious to know what you’re thinking as far as what bad outcome(s) will or may result from people choosing this over some other password manager.
It's putting password management into the same basket as the device.

Suppose your Apple ID gets compromised. The attacker is a jerk and decides to remote erase your device. Then they use your account for black hat stuff and get it permanently banned, or just erase everything on iCloud too.

If the password manager was a different service then you'd still have the password for that service and could get in and recover your accounts on everything else. If it isn't, where's your stuff? The device and the cloud backups are both gone because they were both tied to the same compromised account.

Or you just break your phone and then realize you don't know your password. You can reset your password with your email, so now you just need your email password, which is iCloud, which is the same password. Uh oh.

Whereas if your eggs aren't all in the same basket, you can get a foothold somewhere. If you use a third party email service and haven't forgotten that password, you can still get your email on another device. If your password manager backs up to a third party service or your very own Raspberry Pi, you have access using a different set of credentials than the ones you forgot.

I think you might be making some assumptions about how this stuff works without looking into it.

- A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.

- You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).

- Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.

Source: https://support.apple.com/en-us/102195

> A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.

But this is an example of not putting all your eggs in one basket. An all-in Apple customer is using Apple as their main email.

> You can still recover your Apple Account and iCloud Keychain without any devices

This assumes that you remember your password, and that the attacker has not changed your password, and that the account has not been permanently disabled for abuse.

> Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.

"Protected" means someone needs more than just the iCloud account to get access to them, not that you can re-download them if you lose access to your iCloud account.

It also depends on how your account was compromised. For example, if a thief observes you entering your unlock code and then steals your phone, they have the device they need to access all your passwords too.

> - A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.

But the login for the Gmail address is a passkey that's on the Apple account...

> - You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).

So what's the point of passkeys if you can get access to them without passkeys?

> - Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.

How can something be protected when the thing that controls access to it has been compromised?

> But the login for the Gmail address is a passkey that's on the Apple account...

A passkey is just a replacement for a password. Google (and other apps/websites) have account recovery processes for users who get locked out of their accounts. The way you get back into your Google account doesn’t change much just because you’re signing in with a passkey vs. a password.

Account recovery is a problem that service providers have to solve (and do solve) regardless of whether a user authenticates to their account with a password or a passkey.

> So what's the point of passkeys if you can get access to them without passkeys?

Some huge benefits are:

1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.

2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).

3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.

4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).

I suggest watching Apple’s WWDC videos. There you will find a very very in-depth answer to this question.

All of the points I’ve made above (and more) are covered in the linked videos.

Move beyond passwords: https://developer.apple.com/videos/play/wwdc2021/10106/

Meet passkeys: https://developer.apple.com/videos/play/wwdc2022/10092/

Deploy passkeys at work: https://developer.apple.com/videos/play/wwdc2023/10263/

If you won’t watch any of the above then you should at least read the FAQ on passkeys on the FIDO website here, which should answer many of your questions:

https://fidoalliance.org/faqs/#PasskeysFAQs

> How can something be protected when the thing that controls access to it has been compromised?

This is answered in the article I already linked above. Here is the link again.

About the security of passkeys: https://support.apple.com/en-us/102195

Specifically, carefully read the following sections titled “Synchronization security” and “Recovery security”. The short answer is that gaining access to the user’s iCloud Keychain contents requires more than just having access to the Apple Account.

Ok so let's assume passkeys are a form of saved generated password.

> 1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.

So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.

> 2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).

What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.

> 3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.

If it's generated by software, any software should be able to assure uniqueness. This is again a failure of saved passwords / password managers.

> 4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).

Yes and here we get to the elephant in the room.

You become dependent on an easily stolen or destroyed device for authentication. It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave. Too bad you can't access them any more. How do you get home? You don't have any other devices to prove your identity, if you even have backup devices, they're at home. The flight options are in an app that you don't have the passkeys any more for. Your flight may get canceled or rescheduled and you have no way of knowing. If you didn't bring any physical credit cards or backup cash, you can't even eat.

Passkeys are all fine in your average techie environment, but can be a disaster outside it.

> So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.

Any kind of authentication method that relies on a string that can possibly be manually typed into a box by an end-user can never be made to be highly resistant to phishing.

> What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.

I don’t understand what point you’re making here. Are you saying “why didn’t people create a different standard than WebAuthn?” or are you saying “strong password hashing methods exist, so why do so many websites use bad ones”? Or are you saying something else?

> You become dependent on an easily stolen or destroyed device for authentication.

No, you don’t, because passkeys on Apple platforms are stored in iCloud Keychain, which syncs across all your devices with end-to-end encryption. They’re not solely on your phone.

> It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave.

They are stored in iCloud Keychain, not the Secure Enclave. And you can recover access to your iCloud Keychain is even if you lose your phone, and even if you lose all of your devices.

> The flight options are in an app that you don't have the passkeys any more for.

You could just go through the account recovery flow for the airline app to regain access to your account. Whether you use a password or a passkey as your primary credential for logging in has very little to do with account recovery logging into an airline app. The app needs to continue to handle users who get locked out of their airline account for a variety of reasons.

> You could just go through the account recovery flow for the airline app to regain access to your account.

On which device? You can't use a public pc (or a local friend's) because you'd need to get your new passkeys on it and that's not safe.

Buy a new laptop/phone on the spot?

I'm going to make up a new conspiracy theory that says this push for passkeys is there to sell more devices, because shared devices aren't safe any more.

The most basic scenario:

Someone use their phone as their only computing device (e.g. only other device is their school or work computer).

Their phone dies and the shop convinces them to go for a Pixel 9.

How screwed are they if everything was in iCloud, vs they were using 1Password ?

What about any or all among of their contacts, messages, docs, notes, schedules, photos, apps, app contents...?

> How screwed are they if everything was in iCloud, vs they were using 1Password/{own,next}Cloud/Evernote/Meta/Dropbox/web apps...?

That would be a more appropriate picture.

> How screwed are they

Not much. Annoyed maybe but as long as they have access to their email and phone number they can reset their passwords.

What about the other way around? If a person broke their Android phone and a friend convinces them to move to Apple? You could argue that then they may have everything in Google and that they could log in on an Apple device with their Google account and use Chrome and Gmail and whatnot, but then they'd be storing everything in Google.

What if Google sunsets a product? Or Google unilaterally decides to close their account overnight with no human in reach for support?

I'm all for interoperability. I do get the risks at hand. But the hodgepodge of separate solutions forming a duct-tape held system is hardly usable for the "mere mortal", let alone integrating the together in reliable ways.

People want technology to disappear so they can go on with their lives and do stuff that matters to them (which integrating platform-independent third party solutions is not). So "all eggs in same basket" is an extremely valuable feature for most.

> as long as they have access to their email and phone number they can reset their passwords.

At best they spend hours and hours up to days resetting the passwords for all the account they ever had. Looking at my password list, there's 700 or them, it would take me a week of my life, if I ever get to do it at all.

At worst they actually can't access their email and it's the end (or a week or two of back and forth sending official documents to get it back ?)

> Google

As a first point: they don't have to go all Google. They can have a Google account solely for their phone, and have everything elsewhere. That's a nobrainer as long as they have a solid password manager. You call it hodgepodge, but that's just what we've doing for the last centuries.

The issue of a service unilaterally killing an account isn't limited to Google. Apple will also kill your account if they assume you misbehave, and you might get someone on the phone, while not getting any resolution.

Do we hear it more about Google ? sure. But Google is also in the biggest service provider on earth at this point.

No, the most basic scenario is:

Someone uses their phone as their only computing device.

Their phone gets destroyed or stolen while they're far away from home to require a plane flight to get back. Perhaps stolen along with their ID.

How do you recover when your logins are passkey only and the passkeys are gone with the stolen phone?

"The people want the thing that they want because they are wrong"

I never understood how this argument even makes sense. It sounds a whole lot like you're upset that most normal people don't care about and don't want what you want.

It's more of: people want things obviously bad for them because of abusive salesmanship techniques, which exploit information asymmetry and opportunity cost (i.e. that people can't be bothered to do deep research on every one of the thousands things they buy). This includes effective marketing, that is typically deceptive and stops short of direct lies (sometimes not even that).
I feel like I explained it above. People often want things because they don't have all the information and people who are uninformed, especially when they're intentionally uninformed, make poor decisions.

And maybe there are some people who, faced with the risk of losing all their stuff, conclude that maybe all their stuff isn't that important to them and they don't have time for this YOLO! But there are even more people who never even consider the risk, and it seems like somebody should be looking out for them instead of people just saying "shut up nerd, normal people don't care about whatever you're worried about." Uh yeah, that's the problem, they're not made aware of it until it bites them on the ass and anybody who tries to express the concern on their behalf is told to keep their foot away from the hose of the money vacuum.

This is the bell curve meme. People just want the things that work for them, people that know what they are doing want things that work easily and know their way around a little better too.

You're overblowing the harmfulness, I'm not even sure what the argument is.

Prove to me you deserve to be called a "nerd."

GP’s smug superior attitude over non-technical people and general lack of perspective is enough nerd cred for me.
Word
There are hundreds of examples throughout history of people being marketed something horribly harmful to themselves and defending their need for it even after being explicitly shown the downsides. Oftentimes, instead of fixing the individual people society chooses to punish the businesses that abuse this lever.

Same shit with the Microsoft Netscape trial, really. People didn't want alternatives because Microsoft went absurdly far out of their way to stop fair competition on their platform. Now we're seeing the same shtick, again, on a different platform.

  • ·
  • 9 months ago
  • ·
  • [ - ]
Guided to want it. Sure. Everyone else, all those other folks with other lives, opinions and preferences, they are brain washed by my enemies. Come on, man :)

I just wanted Passwords to be its own app because the Settings applet(?) is obnoxious to interact with in some scenarios. My passwords are already all in there.

Now, I use a Windows laptop too and would love for Apple to make the Passwords thing work there too. It probably won't :)

People are driven away from open standards to vendors like Apple because so much open stuff just sucks so goddamn bad. So will Apple one day fuck me over? Perhaps, but in the meantime their shit just works and I am going to use it because I don’t have time to spend hours troubleshooting why manufacturer A doesn’t work with free publisher B when free driver C is loaded.
But have you thought to ask why that is?

The general mechanism for free software to be developed is for the individual users to make modifications. Not all of them, of course, but the ones who know how to. Someone sees something wrong, fixes it.

Apple interferes with this. If you don't like an app on your iPhone, even if it's open source, you can't just make a minor change because for that you have to pay $100/year and buy a Mac and all of this friction that discourages people from doing it. And then upstream doesn't get the little change (times a thousand individual users with an itch to scratch), and the one-time contributor doesn't become a repeat contributor either.

Not only that, you can't distribute a half-finished app to the public -- even if it's free -- because it wouldn't pass review. But then you can't get any users who might help you to finish it. So the state of open source software on the iPhone is a shambles, because Apple neutered the primary mechanism for free-as-in-speech software to become any good on their platform.

Compare this to Linux on a PC where simple things are about as likely to "just work" as they are on a Mac, more likely to do so than on Windows, and weird and complicated things work better than on either of them because even though they're not always easy they're very nearly always possible.

Which is the perpetual sham of "it just works". Simple things are simple everywhere because they're common and well-supported. Complicated things are often difficult, but some platforms make them prohibitively difficult or simply disallowed, and people confuse this with "easy" because you don't remember spending time to make something work when you can't. But that's not actually an advantage, because you're not obligated to spend time on something that doesn't immediately work, but the option to choose to is valuable when sometimes it's worth it.

> Not only that, you can't distribute a half-finished app to the public -- even if it's free -- because it wouldn't pass review.

Ahhh so you want the public to do your QA for you and don’t mind interfering with their productivity when the first iterations of your software are a buggy mess? I am ok with Apple trying to keep the pests out of their garden, or providing a lockable gate like TestFlight where I can go into a testing situation with my eyes wide open and risks well understood. Your open source devs are not always great at disclosing the fact that their software is half baked and people install expecting a robust app and finding instead…a load of crap

> Ahhh so you want the public to do your QA for you and don’t mind interfering with their productivity when the first iterations of your software are a buggy mess?

"Open source" means developed by the public. The public isn't just doing the QA, they're doing the entire thing from the first line of code. Which is exactly the problem with Apple's interference -- they want you to have a finished app before you can share it with all the people who might have been willing to help you build it.

> TestFlight

And we're back to intentionally putting up barriers to exactly what open source needs to succeed.

Maybe 1% of users are programmers, and 1% of those might be contributors. But that's fine if you have a million users -- less than 0.1% of the world population -- because you could have a hundred contributors, which is enough to get something done. Which in turn allows you to improve and then get ten million users etc.

Testflight caps the number of users at 10,000. Now you've got 1 contributor instead of 100 and when that's not enough you're sunk. Meanwhile the "beta" is forced to expire after 90 days which creates friction for the users and makes them more likely to abandon you.

> Your open source devs are not always great at disclosing the fact that their software is half baked

People will figure this out pretty quickly when they try to use it. But then that's the point -- you try to use it, it sucks, but you can fix it yourself. The intention is to have this happen and then the app improves for everyone.

> People will figure this out pretty quickly when they try to use it.

Then you find that it’s uninstallable and you now have a fooked computer where you have to wipe your whole goddamned system to be rid of the POS you just installed. Hopefully you imaged your system right before you DL’d and installed the offending app…so you’ll only lose a few hours instead of a full day this time for your effort. However, you can feel good that you helped “develop” an open source software that almost no one will ever use like the good little netizen you are.

Yeah, no thanks. I’ll take my walled garden and it’s vetted and well behaved apps all day long.

Not sure of your reality, but my apple ecosystem just works. I spend nearly zero time fiddling with my rig just to get to a point of productivity but see Linux using peers in a constant state of tweaking trying to achieve and failing of what I have by just opening a box.
A lot of Linux users like fiddling with things, and then purposely choose the things they'll have to fiddle with. This is not actually required. You can buy a device from e.g. System76 and then use the preinstalled OS or something conservative like Debian Stable. It "just works".

The people compiling everything from source and messing with kernel modules are doing it because that's their hobby.

Same. The only issues I ever have are with non-Apple hardware, like Sony headphones, Acer monitor, etc.

Do I wish they worked better? Of course. Have I experienced those same problems with Android / PC? No, but different problems existed.

Well that's all fun and games until you start putting off paying Internet bill for two weeks because it turns out that you misconfigured your password app and it actually didn't save your password to the utility service provider and you realize you have no internet one day and you have a school assignment ugh and maybe your credit score gets 0.5% lower and yeah it's all very much your fault. "But you can just be more careful! Handle stuff like this as it arises!" Yeah, sure, just like during Communist times you could easily get more than one pound of coffee per half a year if you're just careful and note when it's available in stores as a drop-in

I believe this whole Apple vs Linux debate is perfectly analogous to the West vs East Germany debate, to the point that almost all intuitions/arguments for the latter are perfectly reusable in the former

> Well that's all fun and games until you start putting off paying Internet bill for two weeks because it turns out that you misconfigured your password app and it actually didn't save your password to the utility service provider

As opposed to the centralized service that will kindly misconfigure it for you, or just discontinue it out from under you, or ban you because of a false positive, or ban you because of a true positive because you unwittingly violated their broad and ambiguous terms but you're still just as screwed.

> I believe this whole Apple vs Linux debate is perfectly analogous to the West vs East Germany debate, to the point that almost all intuitions/arguments for the latter are perfectly reusable in the former

The fallacy of Soviet Communism was the fallacy of central planning. The Party decides what's good for you and The Party is infallible so if you try to resist you'll be punished. Freedom of choice is heresy. Divergence is verboten.

Does that sound to you like the typical Linux user, or like Apple?

  • pydry
  • ·
  • 9 months ago
  • ·
  • [ - ]
Ive watched people who swear that Apple "just works" struggle when it doesnt.

The difference is just that because of the halo effect they dont blame Apple for the shit that doesnt work. If there is a 3rd party tangentially involved they blame them instead.

The difference (in my experience) is if it works with Apple, it "just works". If it doesn't work, it will never work.

It's a binary and you generally know the answer straight away.

Some people dislike it because they enjoy looking for answers and the freedom to change how things work. Others like it because they don't want to spend their time searching and mucking about with configurations.

That was a bit part of my move to Mac from Windows back 24 years ago. It was such a pain trying to get all the bits and pieces working together and with the Mac, yes it was more expensive (although honestly, not that much more expensive) but stuff just worked out of the box and I didn’t have regular crashes. I’m sure things have improved in Wintel land since 2000–2001, but my Apple experience has been remarkably stress-free.
More expensive up front but in my experience the hardware lasts longer and is usable for longer. I just recently retired a 15 year old MBP due to a battery swell. I’d still probably have it on my desk and occasionally using it if i wasn’t concerned about it exploding and burning my house down.
  • 015a
  • ·
  • 9 months ago
  • ·
  • [ - ]
This point of view essentially reduces to the same place libertarians are at: Institutions are bad, Apple is bad, Google is bad, we should refuse to support institutions, or maybe even institutions should not exist, depending on how severe the FOSSism is.

And look, I don't feel that libertarians (or, let's kill the analogy, FOSSers) are always wrong. Of course they're right about some things; they're just wrong about so much more than they're right about, its like a 90/10 split, its not close. I think the cognitive dissonance is something similar to chesterton's fence: FOSSers don't respect the massive profit-motivated and closed-source companies and systems which, at best, make pockets of productive, awesome open source possible; but more realistically and worse those pockets are just the software version of "buy a Subaru because we donate money to cancer research", they're free labor/recruiting/tax writeoff/community goodwill campaigns by gigacorps, and its all just profit at the end of the day.

Nerds who can see the inside of the machine and are aware that this sort of thing happens is literally just stating in different terms the stereotype type-As assign to nerds: that they don't understand anything but the technology [1].

[1] https://www.youtube.com/watch?v=hNuu9CpdjIo

Apple and Google aren't institutions. They're for-profit corporations with a long track records of behaving like amoral artificial minds that they are. In this sense, corporations are beasts - society can benefit from putting them to work, but they will also occasionally maul someone because that's what they do.
You should read this piece in the NYT titled “The Tyranny of Convenience” [1]. It asserts that your entire worldview is essentially flawed. En masse, people do what is most convenient, which is completely orthogonal to what is right / wrong / best / worst. For instance, it’s an empirical fact that eating healthy and getting exercise is better than eating poorly and living a sedentary life. Yet, most people live sedentary lives.

1: https://www.nytimes.com/2018/02/16/opinion/sunday/tyranny-co...

But this is precisely the problem. If you want the right thing to happen, you can't allow the wrong thing to be more convenient. "The wrong thing is more convenient so STFU" is the flawed worldview, because it's what causes the wrong thing to continue happening.

Now consider what happens if people do the opposite. Instead of defending convenience as an end unto itself as Moloch would have it, you create friction against bad choices. Complain about them, refuse to assist your allies in making a mistake. Do things that make bad options less convenient and redirect people to better choices.

People will still do what's convenient, but now the more convenient thing is the better thing.

> Now consider what happens if people do the opposite. Instead of defending convenience as an end unto itself as Moloch would have it, you create friction against bad choices. Complain about them, refuse to assist your allies in making a mistake. Do things that make bad options less convenient and redirect people to better choices.

What about making "the right option" better instead of making the "the wrong option" worse?

These things are related. If people don't use the right option then it's starved of resources with which to improve.

Of course, you can also improve the right option independently of that, e.g. by making contributions. But now we're back to "Apple interferes with this by making it harder to tinker."

The flaw in your logic is that you’re taking too myopic a view. In your world “making something worse” is somehow divorced from the tyranny of convenience, but in reality it’s not. Changing society is itself inconvenient, and therefore unlikely to happen unless leaving society as-is is less convenient.
But now you're just defining "convenient" as "worthwhile" which is hardly the same thing.
  • drio0
  • ·
  • 9 months ago
  • ·
  • [ - ]
Is there a way to export all your passwords on a Windows PC, or from iPhone? I do not have a mac
A more important question is, is there a way to export all your passwords after you're locked out? One of the major risks here is you permanently lose access to your One Ring to Rule Them All account and thereby all of the others.

In theory you can export the data to some out-of-ecosystem backup device on a regular basis, but we all know that most people are not going to do that.

  • gumby
  • ·
  • 9 months ago
  • ·
  • [ - ]
Why don’t you just install the windows app they announced?
  • drio0
  • ·
  • 9 months ago
  • ·
  • [ - ]
I want to have a copy of all my passwords and Apple does not provide that

I have been stung a few times by apple locking my data within their ecosystem (eg I can’t export my notes from iPhone out without a Mac, or MANUALLY copy each note which is crazy) so I refuse to use any of their apps or features unless I own my data

No

The backup situation is terrible - Mac only - Only Passwords (no passkeys) - Only items you created (so nothing shared with you, even if you own the shared “group”)

In short your only option is one at a time manual export

  • jajko
  • ·
  • 9 months ago
  • ·
  • [ - ]
> I think this is exactly what _most_ people want.

No. Please stop being speaker for most of the whole world.

There are people, including me or my wife who is not technical at all, who will never use anything similar from Apple. Or any similar SSO/access/security platform. Google and FB tried that decade+ ago, only fools fell for that regretful trap if the service has actually any long term added value.

It's ironic that you suggest they should not speak for the whole world, and then use your own personal opinion as a stand-in for what you think should be the whole world's opinion.
He did say ‘I think’ so not speaking for the whole world
>People don't want everything tied to one identity, one service, one login.

This is EXACTLY what people want. Please remember that HN is not a cross section of the general public.

> Please remember that HN is not a cross section of the general public.

Yup. I need to constantly keep that in mind, when I’m designing my software.

Very often, the fact that I like it, is a negative.

What this forum needs is for its members to volunteer their time at their local library doing tech support. It’d be a rude awakening for a lot of folks.
I can’t begin to count how many hours I’ve spent trying to help my mom untangle passwords for all of her accounts. I can’t help but laugh at the indignance over an approach that isn’t fully decentralized/anonymized/self-hostable/brushes-your-teeth-and-makes-you-toast/whatever.

I don’t need idealism. I need my mom to be able to figure out how to log into her bank without having to call me every time. The more that’s tied to a single ecosystem the better.

My mother actually writes them all down in a booklet. It's very old-fashioned, but it does work for her.
> Very often, the fact that I like it, is a negative.

Incredible insight. Too often I'm building something and it rises in complexity precisely due to me wanting extra features that might be very niche and technical in nature, so I too must remember to not bloat the product and make it much more streamlined.

SWEs build for maximum tinkerability. General users just want the software to work without having to tinker with it at all.
> This is EXACTLY what people want.

You made the same mistake as the person you're refuting, only worse because you added "exactly" as if case closed.

Here's another take: "People" want different things. They listen to different music, have different opinions, buy different cars, have different tolerances of when a car needs washing.

My non-technical Mum refuses to use online banking; my non-technical Dad loves online banking. My non-techie sister loves issuing verbal commands to her smart speaker; my non-techie Mum refuses to speak to devices & switches her TV off at the wall every night.

The only "EXACTLY" is in marketing efforts trying to convince you of that state.

You could fix iy by saying "this is exactly what > 90% of people want"
I think they want one login, but don't want it all controlled by one company. I think they either like or just don't notice that everything they do is controlled by one company at first, until they see something shiny and cool that another company is doing, and realize how difficult it is to switch.
What would they prefer instead? controlled by another company? controlled by many companies? manage it on their own?
I don't think they've thought it through that far.
> Here's Apple's big problem: it's not a replacement for so many alternatives because it isn't supported on all platforms.

I don’t see why that would be a big problem for Apple.

As this article explains, this isn’t new functionality. It’s (mostly) a new UI for existing functionality, to make the hardware they sell and make lots of money on more attractive.

Seems to be the case that commenters do not know that Keychain Access exists.

Apple has tried various approaches of surfacing this functionality (eg the passwords panel in Safari and again in iOS’s settings app). This just seems to be the app-agnostic way of providing this functionality to everyday users, and probably a good thing as platforms move away from passwords.

No, Keychain Access is just a terrible app. It is sufficiently terrible that I'm 100% aware of its existence and instead choose to pay for a less OS-integrated, but far better app.
> No, bla bla irrelevant comment.

No, the commenters I'm referring to are ones that think Apple including a password manager is anticompetitive lock in, and other similar comments that are clearly unaware that this is not new functionality.

Your comment has zero bearing on what I posted. Apple themselves use 1PW

I am not sure what you mean by it’s “terrible”. It works well for me. It saves my passwords, generates secure passwords for me, works with Safari, and works with apps.
  • AnonC
  • ·
  • 9 months ago
  • ·
  • [ - ]
> Here's Apple's big problem: it's not a replacement for so many alternatives because it isn't supported on all platforms.

No, it's not Apple's problem, let alone be a big problem. Apple does not like to provide services for free on other platforms and isn't even very good at doing it for paid services. This passwords app is meant for those who use and depend on Apple's ecosystem, not as a generic competition for other password managers.

How many people use Mac and Windows at the same time? There are some, but I bet most people do not use multiple OS. Usually, people who have a Mac have an iPhone and maybe an iPad. They are entirely in the Apple ecosystem because they see all the benefits when all those devices work seamlessly together.
  • eps
  • ·
  • 9 months ago
  • ·
  • [ - ]
Quite a few. Windows desktop/laptop + an iPhone/iPad is a super common combo.
Especially for gaming
For me the issue is gaming. It remains a central hobby of mine and while Mac has gotten much deeper into gaming in recent years it's a far cry off from Windows. I use Apple ecosystem otherwise (work, mobile). Also, I have left Linux behind after my academic years and don't miss it.

I would immediately leave Windows in the dust if gaming was equally supported on macOS. Maybe in the future, let's see. For enterprise work, MS365 is also really central and it's basically not possible to work without Excel, PowerPoint, Outlook and Teams even if you personally prefer other software (I don't). They're fine on macOS or the web interface but clearly neutered in comparison to Windows native.

> It's also why I refuse to buy more into Google products: it's too much of a risk to lose access to everything if Google wakes up one day and decides to suspend your account

There's a difference between Google's products and Google's services. You can use either one without the other. I am a happy user of Google hardware, and am even happier to be almost entirely extricated from their services.

Do you mean stuff like Pixel but with a degoogled version of Android?
Even without degoogling, you can refuse to log in to a Google account and disable most of their apps. I rather do like GrapheneOS, though.
  • efitz
  • ·
  • 9 months ago
  • ·
  • [ - ]
The other big problem is that in the case that you get on Apple’s bad side for whatever reason, you now lose your passwords to everything.
Terrifies me. I can't really piss 1Password off, so that'll never be a worry. My iCloud Email can at least be re-directed to Fastmail as I own the domain (other than Hide My Email, which is a shame).
You can't piss 1Password off, until you do. There's nothing inherit about Agile Bits that shields them from arbitary account closure.

You can't piss Apple off, until you do.

I personally haven't heard of people's account getting randomly shut down for whatever reason for either company, but I'm sure it happens.

It's a matter of surface area to somehow trigger the automated detection that kills an account.

With 1Password, I can only really think of payment issues (ultimately, everything within your account is just a matter of sharing a binary blob they can't read - maybe if you try to use it as a file store and the size becomes excessive), whereas with Apple, I'm not entirely certain what they could read on my machine that could trigger them (hopefully with Advanced Data Protection, this is a small surface area).

But you are right, both of them could cause headaches.

Off topic: I just saw your comment and I also used the term "surface area" :D

Though, there' a 3 minute gap, I had not seen your comment (hadn't refreshed the page) when I typed mine.

There is a difference - the surface area where you interact with that certain company. As an Apple device owner, your interaction with Apple and it's various services (known; and unknown to you - e.g. watching a certain video on YouTube in Safari) compared to that of Agile Bits (or BitWarden for that matter, which I prefer), where the service is exactly one, is much much bigger. Hence making your chance to trip so much more in case of Apple and Google.
>People don't want everything tied to one identity, one service, one login.

You'd be surprised. People want a neat solution so they don't have to deal with multiple nuissances.

They worry less about vendor lock-in (if they even understand the issue unless it's bitten them, and then they can consider the costs of switching as totally normal and expected, similar to how they just go find app replacements for platform-exclusive software).

  • fckgw
  • ·
  • 9 months ago
  • ·
  • [ - ]
Apple already has an iCloud app for Windows and has had an iCloud Password Chrome extension for years. There is no support for Android.
  • lxgr
  • ·
  • 9 months ago
  • ·
  • [ - ]
> has had an iCloud Password Chrome extension for years

Which is also only available for Windows, as far as I know.

It’s also available on macOS.
And needs iCloud installed for it to work.
  • gumby
  • ·
  • 9 months ago
  • ·
  • [ - ]
They aren’t preventing you from using 1password which requires their cloud service, or any other. I use third party calendar, address book (contacts), text editor, but use Apple mail and safari. And mostly use Dropbox for file storage.

Other people can make different choices. This doesn’t seem like a crisis.

  • chx
  • ·
  • 9 months ago
  • ·
  • [ - ]
It's good that it's not cross platform, we do not need any more product monopolies, we have enough. Still there's a chance this will hurt the password manager market which leads to an even better outcome: we still have a monopoly but it doesn't make the product available on platforms most people use.
> People don't want everything tied to one identity, one service, one login.

This is what OAuth attempts to do, and most users and devs I know like it.

I'm well aware of the risks of putting all eggs into one basket. I'm already doing it with 1Pass (albeit with external MFA for some sites), so I see no difference with letting Apple manage it.

> This is what OAuth attempts to do, and most users and devs I know like it.

Counterpoint from an interesting source:

https://gist.github.com/nckroy/dd2d4dfc86f7d13045ad715377b6a...

> People don't want everything tied to one identity, one service, one login.

People literally want everything tied to one identity, service, and login. You are almost totally wrong. People do sometimes want to switch to something new when they feel what they've bought into hasn't met their expectations or has fallen behind in innovation. And guess what? Apple in very limited ways actually locks people into things like passwords, files, photos, notes etc. Their entire ecosystem is pretty easy to migrate away from, I've done it several times. Theres an import/export tool for most everything.

After this year you probably can't even say they are locking people into their ecosystem with iMessage.

I use Apple Music and Apple Notes every day on my Debian workstation. Works like a charm.
Word. I do the same. The web versions aren't perfect but they do the job. There are way too many Android-only users in these comments that don't have a clue what they are talking about.
Notes web version is pretty limited though, ex: can't attached images.
I use Notion in cases where it's too limited. Unfortunately notion charges for really large attachments.

Trick I do do sometimes is, just WhatsApp the files to myself and attach them from my phone

  • gumby
  • ·
  • 9 months ago
  • ·
  • [ - ]
They have a windows app for it.
  • yreg
  • ·
  • 9 months ago
  • ·
  • [ - ]
Windows app will certainly help adoption.

An Android app would be nice as well, but I doubt that many people use both iOS and Android devices[1] (or concern themselves whether they will be able to switch platforms easily).

[1] Android devices as in devices where password manager is desired, not as in 3 Billion Devices Run Java

I wonder what the number of people who use Macs and Android is. I would guess that it’s a tiny fraction of the marketplace (and likely entirely populated by people with Kindle Fires, not Android phones).
  • yreg
  • ·
  • 9 months ago
  • ·
  • [ - ]
Actually now I'm thinking that there are probably quite a few developers with Macs + Android phones.
  • ·
  • 9 months ago
  • ·
  • [ - ]
  • ttul
  • ·
  • 9 months ago
  • ·
  • [ - ]
If they haven’t already, I won’t be surprised if Apple creates a reasonable password app for Android and Windows specifically to address this concern. Fanning out to other platforms to enable customers to continue using Apple products is a decent strategy that probably does more to retain people within the Apple ecosystem than it does to enable a move away from Apple.
Apple already has a Windows iCloud password app and a Chrome extension https://support.apple.com/guide/icloud-windows/manage-passwo...
Apple Music has a decent web player, so it's technically supported on Linux
Someday I hope a company might emerge that develops things for the sake of developing things to enhance their popularity.
That's contradictory; what you're looking for is a charity.

A company does things for the sake of profit.

It can be profitable to be innovative in my opinion.
  • ·
  • 9 months ago
  • ·
  • [ - ]
They’re releasing an app for Windows that will solve that piece at least. It’ll sync across both.
In the same way I don't trust Google not to cancel whatever it is they just announced, I don't trust apple to keep supporting software on platforms that aren't theirs. They just don't have a good track record and no real incentives. The last widespread Apple sosftware on non-Apple platforms was probably iTunes, which was terrible.
Apple's recent track record (Apple Music, Apple TV) is surprisingly good. The apps on Windows and Xbox have been trending better/gaining features at a good pace with respect to Mac OS and iOS.

There is a sense that Swift has opened up cross-platform app initiatives at Apple that they wouldn't have done just a few years back.

I do trust Google not to cancel one of their core (or most popular) products, like search, Maps, Docs, Android, etc. Anything else I don't. I do use Google Photos, but I wouldn't be too surprised to see them shut it down one day.
  • cjk2
  • ·
  • 9 months ago
  • ·
  • [ - ]
To be fair it was terrible on macOS as well.
I do, because i don't have any windows or android machines
Apple wants it to be a problem so it incentivizes you to switch over.
But Apple knows that there are many reasons why a user who may choose Apple where they make decisions for their dollars, is also a user who is stuck in other ecosystems in other context.

Of course, I'm talking about, for example, work environments where you may be stuck with a Windows PC, or have to use a corporate-owned Android device for your phone...

> Apple Music? This actually has a Windows client. I'm not sure how good it is

It is absolute garbage, but luckily the legacy integration in iTunes for windows still (sort of) works.

  • ·
  • 9 months ago
  • ·
  • [ - ]
[flagged]
>> Oh sweet summer child

I only ever see this expression on nerd sites.

probably because it's was boosted to popularity by game of thrones, a nerd tv show.
Apple thinks "One Ring to rule them all" will work on mindless enough. But otherwise, yeah. Those who aren't mindless wouldn't want that.
People always ignore the simpler explanation: it’s more time and work to make something a second time on a platform you don’t know and control.
I wouldn't look for any excuses for someone who is as often nasty as Apple is.
Sounds like this is a personal problem.
The opposite - it would be a personal problem if someone would trust the likes of Apple giving them undeserved benefit of a doubt.
It's more platform lock-in and it leverages their market position. Unabashed monopolism. Completely unchastened by recent lawsuits.
Except for the fact that you can import from and export to other password managers using built-in functions. That kind of kills the whole lock-in vibe.
Literally not a monopoly.
Sadly this will take off, and be tied to everything apple. From a tech perspective I would never use their tools even if they are the most convenient. But the reality is most people will see this as the only option for password management, and 1password isn't free, so for them they will see no better way out.
I would be happy if more people adopted password managers. We'd all be a lot better off if they did. And personally I don't care which tool they use to get there. But there's still too much friction in using a password manager, not all of which is the fault of the password manager (eg different password requirements, how 2FA verification is handled, the antiquated notion of password expiry, some sites split username and password onto two pages so you have to verify twice, some sites using a third field you have to fill in like surname).

So I'm not sure how many people will actually use this just because of this friction.

Branding a solution as Apple isn't a guarantee of success. If it were, we'd still have Safari for Windows.

We are not always the target demographic. I know many people who use apps because they were the default. Most people used Internet Explorer because it was, and many still don't know that there's an alternative, or even why use an alternative.
Nice
  • ·
  • 9 months ago
  • ·
  • [ - ]
  • m_a_g
  • ·
  • 9 months ago
  • ·
  • [ - ]
I wasn’t expecting this much hate towards 1Password in the comments. I was using Google Passwords, then migrated to Apple, finally to 1P7 and now 1P8. It’s one of the best software I’ve ever used and I don’t know what I’d do without it. Same goes for Fastmail as well.
1password has progressively gotten worse every year for the past 5-10. 1password team if you are reading this, please stop making your software worse. Search which was great for years is now terrible and has jumbled results.

Some software should just be considered "done" and never changed again. 1Password is one of those things.

I don’t really understand this kind of comments that complain without any specifics. Worse how? I use two family subscriptions and a corporate one for many years and haven’t noticed any regression in functionality or UX. They release time to time minor quality of life improvements and continue supporting modern platforms. 1P7 to 1P8 upgrade went without any problems on all platforms I use. IMO this is the best password manager on the market by many measures.

What is your experience exactly?

For me, I paid full price for the app. I attached many important documents such as my ID, SSN Card, my original birth cert, even the deed to my house. If I pass my wife knows where to get this info.

When my son was born I went to add his birth cert and SSN. I couldn’t. The “attach file” button is still there but it simply doesn’t work any more.

After hours of troubleshooting I finally found a discussion on their own support form where they acknowledged they explicitly disabled this feature. The solution is to switch to a paid subscription.

I’ll never buy software from them again. That’s just one example. They’ve removed similar functionality from cloud sync services to compel users to buy a subscription.

Sad indeed but the days of 0 interest rates are gone. Plus, software engineers in many countries are now massively more expensive.
Software that's done doesn't need as many software engineers to look after it.
  • acdha
  • ·
  • 9 months ago
  • ·
  • [ - ]
They have a PR department, don’t give your time bro bono to spin it for them. With as many customers as they have, they’re in no danger of not being able to pay developers.
Every couple of months, without fail, the chrome extension starts failing. It gets to the point where I see the "current popup style" and just know that I have to ignore it, open the actual 1Password app (and login there), and THEN go back to chrome and open the extension again.

Some periods of time I simply went to copy from the app itself because the extension didn't work.

Been a paid customer for over a decade, and I originally bought it because the apps were so nice and they really did work 100%. The last couple of years have been painful at times though.

- 1Password used to support Dropbox syncing without a subscription. They allowed you to keep using the app, but they removed support for auto-filling logins from dropbox in Safari or Firefox. You could only auto-fill from vaults that you paid monthly for. Whatever, they win, I started paying monthly.

- They broke search in the past few months. I have multiple accounts with the same service (i.e. google, mercury) for personal and business. Now when searching it displays gibberish like 2FA backup codes from the notes instead of just having `${title} - ${username}` like it had for years

- They completely changed the left bar and moved around the entire UI multiple times. Credit cards used to be a simple click on the left side. Now I have to click "All Items" on the left side, then find the dropdown for "All Categories", click it, scroll down to Credit Cards and click on that.

It really comes down to the fact that it's a password manager. All it has to do is store passwords and fill them in when I need to sign in somewhere. Why has the UI fundamentally changed multiple times over the years throwing away all learned user behavior.

EDIT: There's also just the intangibles. I can't always remember specifics, but I "Feel" like 1password has been fighting me for years. I don't feel that way about many other pieces of software I use. 1Password just feels hostile in how they change/update things.

Safari extension works half the time at best. Sometimes it doesn't start working without restarting the browser after it crashes.

Cancelled my sub last night after many years.

I don't mind the price, or electron or anything, I just wanted it to fill the passwords in my browser reliably.

I feel your pain. It used to reliably save and fill passwords. It’s a huge mess that doesn’t even work.
I can give specifics.

* Their syncing broke, and their support promised that buying a subscription would make it work. I did. It didn't. A year later I managed to get it fixed. I'm now on a permanent subscription for something I used to own -- that's not bad by itself, but the feeling I've been taken advantage of, and promised something that was false, leaves a bad taste.

* Syncing sometimes doesn't work anyway. I might add an account on my laptop and not be able to access it on my phone for a day or more.

* It's much buggier. Sometimes the Mac app just doesn't appear when you click the menu bar icon (this happened to me just a minute ago.) You have to right-click and select Open 1Password to get the full app, after which the menu bar app will now work. Sometimes. Right now, it's not no matter what I do. Why? No idea, it's random.

* Basic password features seem missing. There is _still_ no way to edit in a 'Remember me' checkbox on a login form. I would like 1P to set that checkbox.

* The UX design gets worse each release. In 1Password 8 they removed the useful menu in the Mac menu bar. I can't check what it is now because of the bug above, but it used to show a list of passwords. Now it has some kind of pseudo-intelligent other menu that has to be invoked via a shortcut and the Mac menu bar app actually does almost nothing useful.

* Not to mention their UX design which comes from the "hide buttons until you mouse over and click a button you didn't realise was there" school of intuitiveness.

* More UX: the iOS app now has a list of favorites, but it's almost impossible to get the info you want. Take a bank card: you can tap it in the list to show the name, card number, etc, but if you want the ATM pin -- which is the number I most forget, and the useful one because my card number is saved everywhere that uses it -- you have to dig into the item itself. How? Via a tiny, tiny untappable arrow.

Worst is that interactions with them show an attitude that they think they're building a better and better app each release. They're not. I cannot wait until I can move away to the new Passwords app.

  • fckgw
  • ·
  • 9 months ago
  • ·
  • [ - ]
1Password has gotten way, way better than it was a few years ago in my opinion. Tons of new features and the redesign a couple years ago was a big improvement.
  • jen20
  • ·
  • 9 months ago
  • ·
  • [ - ]
The electron rewrite was a significant step backwards regardless of features and quality. I cannot wait to ditch 1P.
  • e40
  • ·
  • 9 months ago
  • ·
  • [ - ]
How was it a step backward? I have noticed zero downsides to 8 compared to the previous version. I'm comparing the current version to the last version 7 I used. This electron hate is such a headscratcher for me.
Generally speaking, Electron apps are larger and slower than their native cousins. I just checked on my M1 Mac, and between the Safari extension (which somehow consumes more memory than the app itself) the main app, and various helpers / renderers, it clocks in at 410 MB of RAM. I'll give you that it's also acting as an SSH Agent, but that still seems rather large for the functionality.

Personally, I noticed a slowdown in responsiveness immediately when switching from 7 to 8.

It's clocking in at 120MB on my machine and launches instantly. I don't get this blind hate for Electron, it has made software runnable on more platform than ever with less development resources.
It takes 10+ seconds to load the 1Password extension window in Firefox after some upgrade this year. They really screwed something up.
  • e40
  • ·
  • 9 months ago
  • ·
  • [ - ]
Loads instantly for me on macOS.
  • ·
  • 9 months ago
  • ·
  • [ - ]
  • xnyan
  • ·
  • 9 months ago
  • ·
  • [ - ]
I hear this, and I believe people, but it leaves me in a confused state because I don't understand. I (think) I've used them all, and the only password manager that is in the same class or better is bitwarden, which is also web/electron.
  • jen20
  • ·
  • 9 months ago
  • ·
  • [ - ]
Previous versions of 1p are an existence proofs of something better!
I agree with this a lot.

I miss 1Password Mini in particular still (and no, Quick Access is not a replacement).

> Tons of new features and the redesign

After LastPass lost it I shopped around and avoided 1Password precisely because it looks and is marketed like typical feature-oriented apps powered by VC valuations and growth metrics. I do not like trigger happy product management near critical single-purpose software. It’s already quite challenging, because pw managers need (1) offline support (2) a sync protocol that’s virtually bug free and (3) state of the art crypto/security and (4) wide cross platform support.

I prefer such an app to sit basically dormant until there’s a new industry development (like passkeys) to keep up with the times. And even then, those features should only be added thoughtfully with a defensive mindset to ensure stability going forward.

So tldr, your stated benefits are in fact the very reason a lot of people don’t like it.

  • lghh
  • ·
  • 9 months ago
  • ·
  • [ - ]
I don't understand this sentiment. I'm not attacking, I'm trying to understand.

So if there's opportunity for a feature that adds real value for many people to an application without it affecting the core of the product, it shouldn't be added? I can add passwords and unlock websites just as quickly with 1Password as I could 8 years ago. Why does adding other useful, related features make a difference?

Because they keep on changing the product at the same time. If they added value and left what worked still working, it'd be great. But they change things, and it's buggy, and the UX is worse, and I just want the nice productive utility I had a few years ago.

You say you can do things as fast as you could eight years ago -- but I can _not._

See my comment here: https://news.ycombinator.com/item?id=40644525

It’s based on experience that more features tend to break functionality, change user workflows and changes in product strategy, sometimes even companies get acquired or shut down things.

Of course, these things can happen to any product in theory, but with experience I’ve developed a bit of a radar for what kind of company is behind a product based on their design, website, marketing etc.

> Why does adding other useful, related features make a difference?

Like what? I’ve had the same experience with 2 pw managers for probably a decade, and the only noticeable change has been passkeys. Note that for me it’s personal use only though.

  • e40
  • ·
  • 9 months ago
  • ·
  • [ - ]
I completely disagree. Yeah, the launch of 1PW8 was rocky. They didn't have feature parity on some devices (iOS). I waited a good while to update and when I did I had an issue with my Yubikey, so I went back to 1PW7 on iOS, but it was fantastic on macOS--way better than 7. After a short while, they fixed the Yubikey login issue with 8 on iOS and I have had exactly zero issues on macOS or iOS since, for about a year(ish).

Another data point: my 85 year old mother used to have issues with 7. She'd get confused about things. With 8, it's been clear sailing for her. That's pretty impressive to me.

1password 8 on iOS is fine and I note no issues with it, it just works.

On macOS 1pw 7 worked with no issues, 1pw 8 doesn't

However the big issue is that 1pw8 requires you to use their cloud - so if someone takes over the company and changes things or the company goes bust or even if the company's servers get hit by DDOS you lose all things. 1pw7 allowed you to keep the main db on anything and use multiple sync mechanism. For example you could keep the data all on machines you own, you could be a business and that would matter for security. Yes cloud etc is secure but there are cases where you don't want things to be anywhere not on your machines.

I dislike the new search so much, just make search work like it does in every other application. If you're reinventing the wheel for something so basic that's the first sign you're doing something very wrong.
  • yreg
  • ·
  • 9 months ago
  • ·
  • [ - ]
>1password has progressively gotten worse every year for the past 5-10.

You can still use the standalone 1Password 6…

A lot of the browser integrations are broken if you run older releases I think. Even 7 doesn't work with Chrome anymore.
I still use 1Password 7
Yup. Wish I could go back to 6 because 7 feels noticeable slower, but 8 is a non-starter due to the lack of self-hosting or local vault options. I also hate how a bunch of "babysitting" features are forced on you in later (after 5 or so) 1Password releases. I don't want Watchtower to be pegged to the top of the sidebar - but there it is anyways. I don't want to set a password hint for the master password, but I'm forced to regardless.
Yeah, Watchtower is horrible, also search is sometimes really bad when you have a lot of different logins for the same domain
1Password + Fastmail integration for generating masked email is also great.

Plus a nice UI for handling OTP, notes, credit cards, IDs, bank accounts, etc, it's easily worth the annual price for me.

Omg yes! Fastmail + 1P is soooo good. 1P has an integration with privacy.com to create unique debit cards. With these 3 tools I have a unique email, pw, and debit card for each service. Makes me feel in control over my interaction with a service. Here’s my referral link for privacy if you’re interested

https://privacy.com/join/JCPFN

  • xnyan
  • ·
  • 9 months ago
  • ·
  • [ - ]
> privacy.com

Love the service, the problem is they effectively charge a 1-5% commission to use it because you lose credit card loyalty/rewards programs benefits. Last year I got nearly 3% back, I think that's too high for the service. I don't think there's any way around it unfortunately, credit cards rewards are paid by the fees and interest of those who carry a balance.

Good point, but we still use privacy.com for random stuff online. The majority of our online purchases happen at a handful of stores, and we use our credit card there. But especially for sketchy sites, we use privacy. For example I bought a keyboard from a small company in Russia (right before they invaded) and they’re probably completely legit but I’d rather lose the 1% on that purchase than be concerned they have my real card
Likewise. I think they are making some weird and off putting choices around the enterprise but for consumer stuff (which is squarely where the apple passwords comparison sits I assume) it’s still a great piece of software honestly.
We used 1pwd at my company and I have a paid family account. I love it. Think it's worth every penny.
  • chx
  • ·
  • 9 months ago
  • ·
  • [ - ]
You'd try Bitwarden...
I love the idea, pricing and open source nature of Bitwarden, but it's only good if you haven't used 1Password. Personally I was very critical about 1Passwords migration to Electron, but it has been really good to be honest. My assumption was that they had dropped the Electron plans, because I absolutely did not notice the change.

Bitwarden still fails to correctly identify basic username/password fields, but 1Password gets it right every single time.

  • ·
  • 9 months ago
  • ·
  • [ - ]
I was a BW customer and switched to 1P. 1P is so much better. The clients are better and the syncing of sessions between the browser, desktop, and CLI is amazing. 1P has great integration with Linux and SSH too.
Long, long, long-time 1P user (2007?) increasingly fed up with their anti-consumer practices (dishonestly hiding discussions on their community forum about App Store versions and dismissive “responses” were the final straw).

So I put vaultwarden on the cluster at home, built a backup routine I was comfortable with and started using BitWarden to evaluate it before trying to help the whole family switch (we have 8 users, including a grandmother and grandfather from different sides of the family).

All this to say, I have to agree. I could not, and will not, switch my family to BitWarden (for the foreseeable future). Search is AWFUL, there’s no way to sort my passwords (recently added, recently updated, etc.) and the clients are way way way slower than 1P (sure, probably in part to server on an underpowered compute instance). However, even the “offline behaviour” (when BitWarden clients can’t contact the server) is slow, and sometimes syncing just doesn’t work.

I completely agree, the worst part is just how limited and clumsy the front-end is for secret storing. It’s limited, ugly, and often hard to parse visually. I can’t imagine trying to help my aging father use it on his desktop, much less his smartphone - where he’s had great success with 1P.

While I continue to have great disdain for AgileBits, 1P is still the most user friendly password manager for a group that includes definitely-not-technically-inclined people. I wish it wasn’t, I wish I could stop giving them money, but compared to the competition, there’s just nothing else that comes close.

Same, I'm actually a bit of a late adopter (only started using 1p in earnest once they came out with a Linux client) but it's been so great. I absolutely love the SSH agent in particular, it just works.

On topic, as a primarily Linux user I'm not in the target market for this (or any other Apple products or services really) and that's fine.

  • ·
  • 9 months ago
  • ·
  • [ - ]
It just doesn't work for me for safari mac. Authenticating with fingerprint takes many seconds (and often doesn't work).
the 1password search is horrible, it does fuzzy search and not match exat results etc

there is more, too lazy to write

  • ·
  • 9 months ago
  • ·
  • [ - ]
you really enjoy paying each month for access to your passwords? really?
  • max_
  • ·
  • 9 months ago
  • ·
  • [ - ]
One of the reasons for bad software products & corporations taking advantage of users is this free loader mindset.

What exactly is wrong with paying $10 per year for a well done product?

  • LVB
  • ·
  • 9 months ago
  • ·
  • [ - ]
You get 1P for $10/year?

I'm willing to pay for a lot of software, but the costs are certainly real (especially in aggregate), and I try to be mindful of whether it is worth it to me. I would definitely pay $10/year for a password manager. I currently pay $36/year. Would I pay $100? No. But I'm not sure where the cutoff is.

And then I have to do this for every pricier piece of software. (For all of the lower-cost, one-time payments, little apps, etc. I just pay and move on.)

If it were $10, we might have a conversation.

I paid for my full version of 1Pass way back when, and upgraded all the way through to v7. It was a one time fee and used until they broke it.

I never said refused to pay for it, but a monthly fee in perpetuity is just ridiculous to me.

  • max_
  • ·
  • 9 months ago
  • ·
  • [ - ]
I don't use. One pass, I use Bitwarden.
congratulations. this particular thread is about an app called 1Password.
I'm still on v7, what did they break?
They disabled autofill in the Firefox/Chrome extensions and won't provide an older version that worked or even a download of the 1P7 app.
Turns out I'm actually using 1P6 on mac, and autofill does still work. Here's the download for the 1P7 standalone app https://1password.community/discussion/129962/download-1pass...
  • eknkc
  • ·
  • 9 months ago
  • ·
  • [ - ]
I do. It is a critical software for me. Why would I use something inferior?
> really enjoy paying each month for access to your passwords?

When it comes to a password manager, I appreciate having constant access to updates. That isn’t feasible for one-and-done code.

That said, it’s 1Password’s bugginess that will have me looking at Apple’s offering. (Particularly how it performs on non-Safari browsers, e.g. Orion and Firefox.)

  • e40
  • ·
  • 9 months ago
  • ·
  • [ - ]
I used it with my family and it's worth paying monthly for it. Passwords are so incredibly important. If I was hit by a car tomorrow, I know a huge chunk of my life is there for people to just pick up.
> If I was hit by a car tomorrow, I know a huge chunk of my life is there for people to just pick up.

My wife and I have talked a bit about this recently but haven't implemented anything yet. (I use 1Password, and she doesn't have access other than a shared vault, and vice-versa with iCloud passwords.)

One thing that gives me a bit of hesitation is from a security standpoint - if we have access to each other's accounts and one of us falls victim to, for instance, a password-manager-level phishing scheme, the fallout from both of us having to recover from that at the same time is dramatically more of an inconvenience than if only one of us is affected.

Happy to hear from anyone else who's thought about this and any approaches they may have been taken - there doesn't seem to be much discussion about it online.

If you're worried about banking passwords and accounts, those shouldn't be shared logins. Banks in the US have specific procedures for handling the death of account holders, and someone logging in as the deceased is problematic. Beneficiary designation and percentages needs to be followed, and if a spouse/other logs in and starts moving money around, all that has to be unwound.

My break glass implementation is a printed sheet of all my financial orgs and account numbers (including bills I handle). All the beneficiary designations are done, so my wife would just need to give them the death certificate and she'd have control of the funds.

  • e40
  • ·
  • 9 months ago
  • ·
  • [ - ]
The information in 1PW is the most important information I have. I have a Yubikey because of that.
Yeah. I want to pay the people who look after the thing that stores my most precious information. I want them to be overpaid and look after their golden goose.

It seems nuts to me that you expect someone to provide you a service for free?

I never said free. Did I? Just because someone is revolting against rent seeking companies vs building a solid product and increasing users this forum likes to denigrate them into being freeloaders. You've got the wrong idea and are running with it in the wrong direction.
> vs building a solid product and increasing users this forum likes to denigrate them into being freeloaders

The point is maintenance is an ongoing expense. Pretending it can be baked into a one-off purchase price is nuts, unless one is willing to buy that software caveat emptor, as in if it has a critical bug, sorry, you need to upgrade to have safe software.

For a game, that seems fine. For a password manager, obviously not. That said, enough people don’t like this to give Apple an advantage in amortising payments that users cannot.

Again with this made up concept that I wanted a pay once notion. I kept upgrading with their releases until they went SaaS and removed the ability to store the data locally. If they continued to offer local storage with paid upgrades, I'd continue paying and using. They don't, so I'm not.
I just checked it on my device in airplane mode: everything is available locally and new records can be added. What do you mean saying you cannot store the data locally?
with v8, there are no more local vaults stored on my machine with other devices syncing via WLAN. it's all cloud accounts or bust
Understand. Both your user needs and their approach to the product are reasonable in this regard. It looks like you are simply no longer their target audience and need different product.
Surprised to see Forget LastPass, as if it's the current incumbent. It very much isn't, at least in my perception. LastPass disgraced itself into irrelevance back in 2022.

https://en.wikipedia.org/wiki/LastPass#2022_customer_data_an...

You wouldn't want to give free publicity to a serious competitor like btiwarden, 1password, or keepass.
  • avree
  • ·
  • 9 months ago
  • ·
  • [ - ]
1Password is still around? I used to love it, then they changed the app, pricing schema, UX, and generally made things worse overall.
1Password is both still around and still the benchmark, much as that pains me to say given how much of a UX regression 1P8 was.
Wow. Each to their own I suppose. We have a corporate account and I think 1Password is pretty fantastic. Additionally, all of our employees are given family accounts, that include 5 individuals, for free. I highly recommend 1Password to everyone I know.
For anyone interested in this, Bitwarden also gives away free Families plan (for up to 6 users) to all members of Enterprise plan.
I use 1Password daily but missed anything before this version switch-up I guess. I've got nothing but positive things to say.
  • fanf2
  • ·
  • 9 months ago
  • ·
  • [ - ]
2019: LastPass leaks credentials from previous site. https://bugs.chromium.org/p/project-zero/issues/detail?id=19...

2017: Design flaws in LastPass two factor authentication. http://www.martinvigo.com/design-flaws-lastpass-2fa-implemen...

2016: More LastPass security vulnerabilities. https://palant.de/2016/09/16/more-last-pass-security-vulnera...

2015: Even the LastPass will be stolen. http://www.martinvigo.com/even-the-lastpass-will-be-stolen-d...

Off-topic comment to urge any LastPass users before Sept 16 2022 to please look into parent post's link. LastPass said accounts deleted before June 21 2022 were not affected if that's still up to date.

If I understand:

Attackers got access to LastPass's account data backups directly and in bulk. 2FA doesn't help here.

While LastPass since increased their password rounds for new accounts to 100k+, many users especially long-time users had them set well below and never updated. Reports of 5000 rounds, 500 rounds, ... even 1 round.

URLs were not encrypted. If you had sensitive URLs, I think you have to treat them as compromised. If you had crypto exchange logins or high-value URLs, I'd imagine you might attract extra attention.

[edit for typos].

It's zdnet and the headline is designed as clickbait. LastPass is likely the most recognizable brand (LastPass claims #1 on their homepage) and among the knowledgable, it absolutely has among the highest recognition not to mention clickbait-worthiness.

The article text mentions 1Password as the first listed PWM product.

Maybe that's what they were going for?
Pointless if it doesnt have cross platform. Apple devices already basically have a password manager, the main reason more people don't use it it is because it doesnt also work on android or windows, not because it's not a standalone app called Passwords.
> Pointless if it doesnt have cross platform.

As mentioned in another news article on the topic:

> It also syncs with PCs via the iCloud for Windows app.

* https://www.theverge.com/2024/6/10/24175505/apple-password-a...

and in the keynote itself:

* https://www.youtube.com/watch?v=RXeOiIDNNek&t=59m32s

  • pdpi
  • ·
  • 9 months ago
  • ·
  • [ - ]
Last I tried it, iCloud for Windows didn't integrate with Firefox, though.
Or Linux.
> Or Linux.

I guess Apple does not think that 2024 will be the Year of the Linux Desktop.

I don't think Apple minds.
I would think it would be Firefox which would have to support iCloud for Windows.

If password managers could interfere with password fields in Firefox without its help, malware could do that, too.

Or is there a generic password manager API on Windows that Apple doesn’t implement?

1Password, for example, has a plugin for Firefox. Something that you would expect in MVP for any password manager.
With Firefox at 2.93% [1] percent market share, doesn't seem like many people would put it in the MVP.

1: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers

What is the market share among people who buy and use password managers?
  • amlib
  • ·
  • 9 months ago
  • ·
  • [ - ]
I also don't get why pay for a password manager when there is a free one from a trustworthy entity, Mozilla Firefox, that works on android, windows, linux, iOS and MacOS.
The answer is: features. People who pay for a consumer product usually get some added value with it that you cannot find in freeware.
  • amlib
  • ·
  • 9 months ago
  • ·
  • [ - ]
But what features are unique to the payed ones? The Firefox one already checks if your accounts was found on a leak, it has the complete set of feature you would expect to "CRUD" your passwords, integrates with the virtual keyboards in iOS and Android so it's easy to fill login forms on any app and by virtue of being part of the browser has perfect integration with the browser, autogenerates random passwords for you and finally it syncs all your passwords across all your devices (plus all the other things that firefox sync syncs). And again, works on all relevant platforms no exceptions.
And for those of us without an iPhone?
Being locked into the eco system is my main reason for avoiding Apple products. Switching from an iPhone to an Android phone was painless for me because I didn't use any of the Apple services (iMessage, iCloud, Passwords). If I had to simultaneously switch from Passwords to Bitwarden would've been time consuming and annoying.
Then we're not their target demographic.
Just need to install windows on my phone, duh.
  • boxed
  • ·
  • 9 months ago
  • ·
  • [ - ]
The timestamp you gave talks about Baldurs Gate :P
56 not 59:

* https://www.youtube.com/watch?v=RXeOiIDNNek&t=56m32s

Hardly. While not everyone is entirely within the Apple eco-system a huge number of people are that go beyond the necessary critical mass. Apple already built this into the OS they just kept it under the clunky Settings UI - so seems like a logical and low-effort move.

If the Family Sharing aspects are well done I'd happily say goodbye to my 1Password subscription.

Being in system settings makes sense to me. Having the place to see the same stuff on macOS be Safari’s settings window is the bizarre part.

Regardless, I’ve been using it for years now. Works fine. Better UI will be nice assuming this doesn’t come with a bunch of updates that somehow manage to make it work less-well.

My approach has been to move it out of the vendor OS entirely and embedd it in the keyboard. I'll be releasing this as open source (hardware & software) soon:

https://www.anomie.tech/products/anigma/ce/

Any connection to what bunnie is doing with precursor?
No connection other than being a fan. I started working on my (simpler) approach before precursor was launched and think there is a place for both, but I'm a big fan of all the work he and his team are doing.
It does work on windows; the mentioned that. No word yet on Android.
No dedicated app on Windows though, it'll be part of their existing iCloud Windows application.
The password manager that we have today is terrible, that's why people are not using it.
Agreed, for me it needs a solid webapp too. I reference personal credentials on my corp laptop and can't/won't login to anything that's in the system and am unable to install any unauthorized apps.
They did say there was a windows client in the keynote.
  • ·
  • 9 months ago
  • ·
  • [ - ]
It works on Windows.
  • ·
  • 9 months ago
  • ·
  • [ - ]
The lock-in is the point.

I mean, why else would Apple invest in something like this. They became the richest company in the world by increasing lock-in in every step.

  • ·
  • 9 months ago
  • ·
  • [ - ]
[dead]
  • msie
  • ·
  • 9 months ago
  • ·
  • [ - ]
[flagged]
  • AnonC
  • ·
  • 9 months ago
  • ·
  • [ - ]
Where did you get that impression from? The WWDC keynote mentioned recording calls on iPhone (with transcription) and said that the other end would be notified when you start recording.
  • msie
  • ·
  • 9 months ago
  • ·
  • [ - ]
Oh really? Unfortunately i didn’t see the keynote this time and i didn’t see this in any online summaries. Didn’t expect they’d do it this time! Ive been asking for it in prev years. But does it record audio? This is good if you get to keep audio!
  • cloin
  • ·
  • 9 months ago
  • ·
  • [ - ]
They just announced this:

Record and transcribe a live call directly from the Phone app.21 You can also search call history more easily, dial smarter, and switch SIM cards seamlessly.

they actually showed the option to do that with a full AI (apple intelligence of course) summary made on device.
So are they literally just launching an icon which opens keychain?
No.
I never used 1Pass, I'd suggest ppl to make their own mental template for passwords that can be applied to different sites instead.
  • eknkc
  • ·
  • 9 months ago
  • ·
  • [ - ]
I have 627 items in my 1P vault. That won't work.
there are always edge cases
It's good to see that 1Password is staying several steps ahead here to avoid being "Sherlocked" by Apple.

The new SSH key manager feature is an example of something Apple's unlikely to address for years, if ever. https://developer.1password.com/docs/ssh/manage-keys/

I really tried to like their new non-native app, and if it works well I could probably live with it, but it was so buggy and glitchy, even to the point where browser auto-fill often just... wouldn't. That's a basic feature.

I switched to iCloud Passwords a few months ago and I'm very happy with the product. Looks like this Passwords app is a nice new GUI over the top of that same database.

Same here. I switched from 1P to Passwords a while back, then switched back when I got a free 1P account from my job. I'd already started thinking about returning to Passwords, though. Much as I wish I could love 1Password, the current app is a mess. I have a Mac Studio without Touch ID and the "unlock with Apple Watch" feature almost never works. They also refuse to allow unlocking with YubiKeys (see https://www.reddit.com/r/1Password/comments/ttt2m0/yubikey_i...) for reasons I consider specious.

1P has some wonderful work-oriented features we use constantly. I don't like the direction it's going for personal stuff.

I stick to 1Password 7 for that reason - thankfully it still works for the time being.
  • kredd
  • ·
  • 9 months ago
  • ·
  • [ - ]
If 1P was aiming to get attention of an average consumer, Apple might start eating their lunch. SSH key manager is great, but the amount of people who needs it is very small compared to general market.
They're certainly focusing on a more sophisticated market, especially in the corporate space.
1password is too expensive when compared to Bitwarden or Keeper.

It's almost double the price per user so my company switched to Bitwarden.

We're a Mac shop and if Apple can make it even more affordable then we would definitely consider switching again.

I feel like the people who throw out “Sherlocking” are the same ones who also whine whenever they have to install third-party software for whatever the OS doesn’t do out of the box.
  • avree
  • ·
  • 9 months ago
  • ·
  • [ - ]
Is this not exactly what the Apple Keychain does? Manage keys?
Might sound like a technicality, but: iCloud Keychain can store the passphrase but can't store the key itself. You still need an encrypted private key on-disk to use this: https://apple.stackexchange.com/a/250572 .

1Password saves the key itself in the encrypted vault and implements an SSH agent that can then interact with OpenSSH etc. and provide key operations, like how a physical dongle would function.

  • avree
  • ·
  • 9 months ago
  • ·
  • [ - ]
Ah, that is a very important distinction. Thanks for clarifying! For my purposes, the passphrase storage works fine, but I can see how the vault could be a useful feature.