by curun1r 3260 days ago
As a 1Password customer who's been pretty unhappy with how the company took my money for a full version and has, since, been pushing me towards a subscription (making the non-subscription version/features harder to find, no Windows version, etc), I'm seriously considering switching over to Enpass [1]. The UI is pretty similar to 1Password and most of the features are there. It can sync with Dropbox and a few other cloud storage services and their monetization strategy seems pretty reasonable (desktop is free, mobile costs $9.99). I'd encourage any disgruntled 1Password users to give it a test drive.

[1] https://www.enpass.io/

2 comments

Have you put much energy into making sure that Enpass is secure? Do you know who's reviewed it, and what their review looked like?

It bothers me when people point to other password managers as alternatives to 1Password because of packaging and pricing issues. It's easy to find other commercial password managers that have attractive packaging and pricing! That's not the hard part!

I happen to like 1Password as a product, but that's not why I recommend it.

> Have you put much energy into making sure that Enpass is secure? Do you know who's reviewed it, and what their review looked like?

I'd really like to know this as well.

I'm aware that LastPass doesn't have a perfect security record, but because of its prominence it gets lots of attention from hackers and security researchers, security issues tend to be well-reported, and the responses to them seem to be reasonably transparent and proactive.

In contrast, Enpass appears to be a side-project of a small app development house in India. Did I miss a memo where Security Expert X said Enpass is better than LastPass?

Since neither of them is open source, I haven't put energy into making sure either of them is secure. Not being a security researcher or having access to either product's code, I'm not sure how I could be expected to perform that level of evaluation, but I've built systems that have passed security reviews and, from a non-privileged access point of view, I see little difference between the two. Enpass does seem to handle security incidents in a pretty responsible fashion. They post blog updates on vulnerabilities (e.g. https://www.enpass.io/blog/an-update-on-the-reported-vulnera...) after releasing fixes. It's great that you recommend 1Password based on some other criteria, but I'm not sure why your recommendation should mean anything to me unless you've been given some privileged access to their code that the rest of the world doesn't have, and if you have been given that type of access, it's irresponsible of you to denounce other products unless they've denied you similar access.

What I can see is that 1Password is pushing users towards a model that's fundamentally insecure. Their web-based products require a level of trust in 1Password (the company) that none of us should be willing to place in any company. What we've learned from Snowden is that any cloud provider can be secretly made to bend to their governing body's will. Running closed-source software on our own computers involves a level of trust in the authors of that software. That's just a fact of life when software isn't open source. But when code is pushed out into the world, it can, at least, undergo some scrutiny/testing by people outside the company. This is not true of software running on the company's servers. Insofar as the security of 1Password requires executing a single line of code on servers controlled by 1Password, the product is insecure and fundamentally unauditable because that line of code can be changed at any time without users being made aware.

The other point that should probably not get lost is that we're dealing with levels of security. In advocating for password managers, the interface absolutely does matter. Most computer users haven't adopted any password manager yet. When comparing a secure but difficult to use password manager, a potentially insecure password manager with an easy-to-use UI and a combination of insecure passwords, post-it notes and all the other terrible ways that users have of "managing" their passwords, the middle ground is likely to come out ahead for all but the most technically adept users. Need proof? PGP/GPG passes security reviews but has terrible UIs...what percent of emails are PGP/GPG encrypted? We shouldn't let the perfect be the enemy of the good. There can be different classes of security products for those that need protection from state-level actors and those that don't. Because people who are worried about that level of attack are generally willing to undergo a lot more pain to stay secure than your average user is.

I don't understand this mentality of getting angry that a company wants to migrate to a subscription fee so they can have sustainable income. You have a full version, so continue using it, but it's not fair to expect updates for free in perpetuity across platforms and browsers in today's churning software ecosystem.

1Password is an incredibly complex, solid and polished suite of software products that provides an essential security function. It absolutely boggles the mind that people get up in arms over the idea that they would be forced to pay $36 each year to use it.

Did I ever say that I expected "updates in perpetuity"? I said (in another comment from the one you replied to) that I expect the software to "work in perpetuity." That's a very different requirement that requires AgileBits to do absolutely nothing except not tie it to their own cloud services. But I did pay them over $60 a little over a year ago, so I think it's fair to expect a few bug fixes. And it's fair to expect them to not hide the download link for when I need to install it, since that's explicitly allowed by the license I purchased. And, since the software auto-updates, I think it's fair to expect them to not push out updates that make it harder to use the software or otherwise push me towards a subscription model that I'm never going to accept.

It boggles my mind that people are so quick to support a company that's making changes solely for their own benefit to the detriment of their customers. I want AgileBits to succeed too. That's why I bought the software despite having access to a license from work. But try this for math...if they release a major update to their software every year and charge, say, $36 to update, it costs the same exact amount to stay on the latest version. As a bonus to them, they get the money all up-front and get to collect what little interest you can get these days. The main difference is that I don't have to worry about their company imploding and taking all my passwords with it. My software will work in perpetuity without any cloud service they provide. That's peace of mind that I need when it comes to my passwords.