by pfandrade 3498 days ago
By using an open standard to store your data, besides being as transparent as possible about the storage format (which you can verify on your own using third-party tools; we have a post about that: https://outercorner.com/2016/08/01/storage_format.html), we also benefit from the scrutiny OpenPGP has been through.

We also wanted to make a simpler and safer option (and, in our eyes, a more pleasant one to look at) than existing password managers.


1Password's format is also documented [1], though I'm not aware of any third-party clients to parse or work with it. That's actually a thing I was thinking about writing (I commented about trying to write something in C++14 in another front-page thread; this was it).

1Password also uses standard encryption, from the link [1]:

> We use Encrypt-then-MAC authenticated encryption everywhere we use encryption. The MAC is HMAC-SHA256 and encryption is AES-CBC using 256-bit keys. Key derivation uses PBKDF2-HMAC-SHA512. More detail about these choices will be presented in the relevant sections on key derivation and item encryption.

> In this document we will refer to “blocks of data”. Unless otherwise stated, blocks are the length of AES blocks, 128 bits (16 bytes).

Edit: apparently GitHub lists [2] four libraries for reading OPVault, one each in Python, Haskell, Go and Ruby.

[1]: https://support.1password.com/opvault-design/

[2]: https://github.com/search?q=opvault&ref=opensearch
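The primitives quoted above from the OPVault design document (AES-256-CBC with HMAC-SHA256 in an Encrypt-then-MAC construction, keys derived with PBKDF2-HMAC-SHA512) assembled into working Go, as an added example that is not part of this thread and is not code from 1Password, AgileBits or Secrets. It is not a reader for the OPVault format: the salt, the iteration count, splitting one 64-byte PBKDF2 output into an encryption key and a MAC key, PKCS#7 padding and the iv || ciphertext || tag layout are all this example's own assumptions. The PBKDF2 loop is written out so the block depends on nothing outside the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
	"hash"
)

// pbkdf2 is RFC 8018 PBKDF2 over the standard library's HMAC, written out so
// the example has no dependency outside the standard library.
func pbkdf2(h func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(h, password)
	var out []byte
	for i := 1; len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ { // U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys runs PBKDF2-HMAC-SHA512 once and splits the 64-byte output into
// a 32-byte AES key and a 32-byte HMAC key; the split is this example's
// choice, not a description of how OPVault lays out its keys.
func deriveKeys(password, salt []byte, iterations int) (encKey, macKey []byte) {
	dk := pbkdf2(sha512.New, password, salt, iterations, 64)
	return dk[:32], dk[32:]
}

// encryptThenMAC returns iv || AES-256-CBC ciphertext || HMAC-SHA256 tag; the
// tag covers iv || ciphertext and is computed after encryption. PKCS#7
// padding is this example's choice.
func encryptThenMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize) // fresh random IV per message
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// verifyThenDecrypt checks the tag in constant time before decrypting, so a
// tampered or truncated blob never reaches the CBC/padding code path.
func verifyThenDecrypt(encKey, macKey, blob []byte) ([]byte, error) {
	n := len(blob) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob[:n])
	if !hmac.Equal(mac.Sum(nil), blob[n:]) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:n])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	encKey, macKey := deriveKeys([]byte("correct horse battery staple"), []byte("example-salt"), 100000) // constructed inputs
	blob, _ := encryptThenMAC(encKey, macKey, []byte(`{"title":"example.com","password":"hunter2"}`))
	pt, err := verifyThenDecrypt(encKey, macKey, blob)
	fmt.Println(string(pt), err)
}
```

The ordering in verifyThenDecrypt is the whole point of Encrypt-then-MAC: the tag is compared with hmac.Equal before a single block is decrypted, so a modified or truncated blob is rejected without the padding check ever running, and the padding-oracle class of CBC attacks has nothing to observe.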

Using an open standard for data isn't proof of quality password generation; it can be biased if the code is proprietary.
Did you reply to the wrong parent? I wasn't making any statements about the quality of password generation.

I was replying to address two of the three points that led these people to invest 6 months in building YAPPM (Yet Another Proprietary Password Manager).

As is typical of developers, they've solved a problem that _probably_ didn't need to be solved. With a more product-orientated mindset, a business plan and some market research would probably have preceded six months of engineering effort.

The "more beautiful" is subjective; I'd argue that targeting only one platform makes it much easier to build an app in keeping with that platform's HCI guidelines. I happen to use a Mac, an Android phone and a Linux desktop; thanks to WINE I can use 1Password everywhere, and knowing that the format is public and documented, and that there are third-party implementations, I don't need to worry about AgileBits ceasing to exist.

I'm left seeing some developers making the same mistakes that I have made when building a product, before finding out whether the world really needs a _subtly_ different app to solve an already solved problem.

"So… apparently it took me over 5 years to launch Secrets"

https://twitter.com/pfandrade_/status/730681656496001024

I think the developer invested nearly 6 years into it, and the comment about 6 months was the time elapsed between the initial release and the Show HN. It sounds like it was a spare-time project for an indie developer.

Exactly. I've been building this for years on my free time.
Don't take my harsh criticism personally. I too enjoy building things for the joy of building, and I respect your achievement. I just doubt the world really needs what you built, perhaps because I'm not your target audience, and I understand the trade-offs I made when choosing to commit to 1Password, so I don't feel like any alternative is compelling.
No, I just made it clear for everyone that, open or not, the data format doesn't matter as long as the binary is proprietary. And I would never, ever use proprietary things for critical things like a password manager, even one as pretty as 1Password.
Are you able to go into details about implementation, particularly around libraries used in building the iOS and macOS applications, and their pedigrees?

I'd argue that the implementation (or library) matters just as much as the standard (OpenPGP) when considering trust.

We've built our own solution (OpenPGP as per RFC 4880) on top of OpenSSL.