How are folks feeling about 1Password these days? I’m still using 7, which is no longer supported, but took to heart concerns that version 8 abandoned storing passwords in a local vault in favor of storing them in the cloud. (Enough people I trust have switched so maybe my concerns are baseless.)
But I have a bigger question: With the increasing use of passkeys and Apple’s own Keychain, are 3rd party password managers going to become obsolete?
I am still using version 8 and am on the old price tier…for now. I still find it valuable, but I will continue to reevaluate its worth every March when the subscription comes due.
I switched a few years ago (couldn’t get my family on board with 1P but they would use Apple Passwords). Apple’s is missing a few features, but I haven’t otherwise missed paying the subscription to 1P.
I’ve tried about 30+ of them and the king is hands down 1Password. It’s just too god damn expensive for the family plan!
Right now still on the 50% off plan for 3 years from my 1PW 7 license (last year!), plus using $125 gift card I got for $100 on special and my account renewed days before the price increase (lucky!).
Puts me at about $2.25 a month for family plan which is pretty damn worth it. At $6-7 a month, not so sure.
All their recent posts about AI make me doubt whether I want to continue using their services, but I frequently use many of their developer features (SSH, Git commit signing, Environments, CLI, SDK, Connect Server, Service Accounts) and I don’t think there’s any competitor offering something similar?
If I’m wrong about that I’d like to learn about my options!
I’m on 1Password, latest version (8.12.21) - Apple’s keychain is useless for me since my phone is Android and I still have a Windows laptop that I dust off once in a while. Just a 1-person plan, wife is on Android and a Chrome tablet using Google Password Manager. I have to do tech support for her enough as it is, adding 1Password as a 3rd party manager would just be too much. And she doesn’t need it. She’s no power user.
I don’t find the price egregious. Everything goes up in price all the time. You choose what you’re comfortable with and go in that direction.
I am switching everything I can over to passkeys or at least one-time passwords and having 1Password handle that seamlessly is very enjoyable.
I moved to Strongbox a few years ago. It can be purchased through the App Store, and was recently added to Setapp.
It uses the same format as KeePass so my vault can be opened in Windows, Linux, and Android devices if the need arises. There are syncing options if you wish, or you can just save the database file locally on your machine. Syncing my devices via WebDAV through a VPN is working for me without any issues.
My wife and I are all-in on Apple products, and we still have 1PW.
That’s not to say that I don’t share a number of the concerns. I don’t like that they’re forcing everything into the cloud, and that (IMHO) they’ve explicitly violated the premise of their initial offering - “one strong password that you can remember.” Now it’s that password plus a data recovery key that you have to print out somewhere.
But in the world of passkeys, the real issue is that passkeys are tied to a device. 1PW provides an abstraction layer where it’s the device. This lets me use the same passkey on multiple devices, which (again, IMHO) provides a more robust experience.
That, and I have my less-than-tech-savvy wife trained to use 1Password. So in addition to the convenience, we have some inertia with it. At $6/month, it’s not the end of the world for me.
This is important. Both Bitwarden and Proton Pass do the same thing.
These days I’m self hosting my Bitwarden instance using Vaultwarden. Especially glad that I made that move after learning that Bitwarden’s new CEO is a private equity / mergers & acquisitions guy. Proton Pass is included with my Proton Unlimited account and I use that as a backup just in case.
I understand. I thought long and hard before I switched to AgileBits’s cloud solution. But things have changed in the 18 years since I started using 1PW. And there is no way I could remember a 60+ character password containing at least 34 randomly generated letters and numbers. And I wouldn’t be comfortable using anything less.
Today we are entering a time when we will need to manage not only the passwords/passkeys for our identities but also for the AI agents that are/will be working for us. Even Google Search is becoming an agent. I don’t think I could get by with a simple password manager. YMMV
I must admit that I’ve made a couple of forays into attempting to understand passkeys better, but each time, bailed out on the “unique to device” issue. Although a 1P user – whereby, if I understand correctly, it acts as the “device” – the price increases have spooked me a bit. So, with one eye on potentially moving away ahead of next renewal, I’m back to square one. If I go all in on passkeys now, does that then mean I’m tied in to 1P, with no means of transferring them out? This CXP/CXF standard seems yet to be implemented as far as I can tell.
I get passkeys are way more secure, but it does feel like if the end user does not do the research groundwork on assessing the potential downsides ahead of embarking, there may be some quite sizeable issues/extra work when it comes to, say, switching password manager, at this time.
Often you can add more than one passkey on a website, so “worst case” you add a new passkey using your new password manager and then delete the old passkey on the website. For every passkey…
I would think this is a legitimate concern for any password manager we trust with our passwords. I am hoping that Apple Passwords is more resistant to AI attacks than password managers from smaller companies, but I have no objective technical basis for the assumption. Call it gut instinct or wishful thinking.
Long story short. Our 1PW vaults are decrypted on our devices, not on the 1Password servers. The servers don’t contain our passwords or our secret key.
AFAIK, any successful attack would have to occur on my Mac, or iPhone/iPad. Like what happened to the Disney employee who downloaded software that installed a keylogger.
If you’re referring to inadvertently leaking API keys for your AI Applications/Subscriptions, that’s not really an AI Attack. That’s a credential management issue. API keys should be treated like any other sensitive password and protected accordingly: stored in a secrets manager (Delinea, HashiCorp Vault, 1Password, etc.), never committed to repos, rotated regularly, and scoped with least privilege and RBAC. The fact that the key happens to unlock an LLM endpoint doesn’t change the fundamentals of password hygiene.
But if you’re talking about actual AI attacks, there’s a whole different category worth discussing:
Prompt injection, data exfiltration, model jailbreaks, data poisoning, deepfakes and AI-generated social engineering.
So leaked API keys are a problem, but they are a form of the classic IAM/secrets problem.
OWASP has a Top 10 for LLM Applications that covers most of this if anyone wants a reference point.
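As an added illustration of the “never committed to repos” rule from the post above (example code written for this thread, not a tool from 1Password or any poster), here is a constructed pre-commit style check that flags hardcoded, high-entropy values assigned to key-like variable names; the pattern, entropy cutoff and sample lines are all assumptions.

```python
"""Constructed pre-commit style check for the 'never commit API keys' rule.
Illustrative code only; not any vendor's scanner."""
import math
import re
from typing import List, Tuple

# Hypothetical pattern: key-like variable name, '=' or ':', quoted value of 16+ chars.
ASSIGN_RE = re.compile(
    r"""(?i)\b([A-Z_]*(?:API_?KEY|SECRET|TOKEN)[A-Z_]*)\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff, tune per repository


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_leaked_keys(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, variable_name) for lines that look like hardcoded secrets.
    Environment lookups never match (no quoted literal after '='), and obvious
    placeholders are skipped so the check does not fire on documentation."""
    hits = []
    for i, line in enumerate(lines, 1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group(2)
        if "REPLACE_ME" in value.upper() or "EXAMPLE" in value.upper():
            continue
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append((i, m.group(1)))
    return hits


# Constructed sample source lines; every key value below is made up.
SAMPLE = [
    'OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]',      # fine: read from the environment
    'llm_token = "REPLACE_ME_WITH_REAL_TOKEN_1234567890"', # fine: obvious placeholder
    'LLM_API_KEY = "x9Qf7Lm2Pz4Rt6Vw8Yb1Nc3Hd5Jk0Ga"',     # flagged: hardcoded, high entropy
    'db_secret = "aaaaaaaaaaaaaaaaaaaaaaaa"',              # fine: low entropy, not a real key
]

if __name__ == "__main__":
    for line_no, name in find_leaked_keys(SAMPLE):
        print(f"line {line_no}: possible hardcoded secret in {name}")
```

Run it as a pre-commit hook over staged files; a hit means the value belongs in a secrets manager and the commit should be blocked until it is moved.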