return to table of content

Apple unveils 'Passwords' manager app at WWDC 2024

cletus
152 replies
22h28m

Here's Apple's big problem: it's not a replacement for so many alternatives because it isn't supported on all platforms.

Safari? Not on Windows.

Apple Music? This actually has a Windows client. I'm not sure how good it is. But Spotify supports Windows and even Linux.

Apple Password Manager? Will this be tied to iCloud? Will I be able to use it on Android? If I no longer have an iPhone will it be a pain to maintain and use?

A dog cannot serve two masters. A company like Apple doesn't see any of these things as a product. They're a means to an end: to push the iPhone platform (and hardware sales). That priority will always trump the interests of a product like this.

It's also why I refuse to buy more into Google products: it's too much of a risk to lose access to everything if Google wakes up one day and decides to suspend your account with no recourse other than making enough of a stink on social media such that an employee will actually look into it.

People don't want everything tied to one identity, one service, one login.

basisword
86 replies
21h53m

> People don't want everything tied to one identity, one service, one login.

I think this is exactly what _most_ people want.

With password management specifically, Apple has had a Chrome extension available for a while now which has allowed me to use it on other browsers/platforms. Not ideal, but good enough for most.

On top of that, they don't lock you in with passwords. You can easily import and export your passwords, just like you can with 1Password.

Apple Music has had a web client for a long time. iTunes has been on Windows for 20+ years and Apple Music was supported via that until recently when they built an Apple Music specific app.

AnthonyMouse
34 replies
16h25m

I think this is exactly what _most_ people want.

Like seven people replied to say this, but they're all missing the trick.

Most people want this because they're guided to want it. If you show people the convenience but not the risk, of course they want something with an advantage and no apparent disadvantage. But the disadvantage exists, it's just not immediately obvious.

Then some corporate machine learning algorithm decides that it's your day to have a bad year, or the screws only get tightened after you're already locked in, and the regret comes some time after the decision is made.

Whereas the nerds who can see the inside of the machine are aware that this sort of thing happens and their response is no thank you. A starkly different preference from the people paying the most attention is a troubling sign. It's the early stages of this:

https://xkcd.com/743/

The thing that gets me is that people then defend the practice because it's likely to be successful. Lots of unsophisticated people are going to put all their eggs in one basket and then have a bad time, which is a result we should be trying to prevent, not defend the people causing it because they're likely to turn a profit. Companies making money on information asymmetries and the misfortune of others is a flaw we should be looking for ways to optimize out.

bandyaboot
9 replies
16h4m

I’m curious to know what you’re thinking as far as what bad outcome(s) will or may result from people choosing this over some other password manager.

AnthonyMouse
4 replies
15h38m

It's putting password management into the same basket as the device.

Suppose your Apple ID gets compromised. The attacker is a jerk and decides to remote erase your device. Then they use your account for black hat stuff and get it permanently banned, or just erase everything on iCloud too.

If the password manager was a different service then you'd still have the password for that service and could get in and recover your accounts on everything else. If it isn't, where's your stuff? The device and the cloud backups are both gone because they were both tied to the same compromised account.

Or you just break your phone and then realize you don't know your password. You can reset your password with your email, so now you just need your email password, which is iCloud, which is the same password. Uh oh.

Whereas if your eggs aren't all in the same basket, you can get a foothold somewhere. If you use a third party email service and haven't forgotten that password, you can still get your email on another device. If your password manager backs up to a third party service or your very own Raspberry Pi, you have access using a different set of credentials than the ones you forgot.

jesseendahl
3 replies
8h51m

I think you might be making some assumptions about how this stuff works without looking into it.

- A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.

- You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).

- Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.

Source: https://support.apple.com/en-us/102195

nottorp
2 replies
6h4m

- A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.

But the login for the Gmail address is a passkey that's on the Apple account...

- You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).

So what's the point of passkeys if you can get access to them without passkeys?

- Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.

How can something be protected when the thing that controls access to it has been compromised?

jesseendahl
1 replies
5h9m

But the login for the Gmail address is a passkey that's on the Apple account...

A passkey is just a replacement for a password. Google (and other apps/websites) have account recovery processes for users who get locked out of their accounts. The way you get back into your Google account doesn’t change much just because you’re signing in with a passkey vs. a password.

Account recovery is a problem that service providers have to solve (and do solve) regardless of whether a user authenticates to their account with a password or a passkey.

So what's the point of passkeys if you can get access to them without passkeys?

Some huge benefits are:

1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.

2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).

3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.

4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).

I suggest watching Apple’s WWDC videos. There you will find a very very in-depth answer to this question.

All of the points I’ve made above (and more) are covered in the linked videos.

Move beyond passwords: https://developer.apple.com/videos/play/wwdc2021/10106/

Meet passkeys: https://developer.apple.com/videos/play/wwdc2022/10092/

Deploy passkeys at work: https://developer.apple.com/videos/play/wwdc2023/10263/

If you won’t watch any of the above then you should at least read the FAQ on passkeys on the FIDO website here, which should answer many of your questions:

https://fidoalliance.org/faqs/#PasskeysFAQs

How can something be protected when the thing that controls access to it has been compromised?

This is answered in the article I already linked above. Here is the link again.

About the security of passkeys: https://support.apple.com/en-us/102195

Specifically, carefully read the following sections titled “Synchronization security” and “Recovery security”. The short answer is that gaining access to the user’s iCloud Keychain contents requires more than just having access to the Apple Account.

nottorp
0 replies
3h58m

Ok so let's assume passkeys are a form of saved generated password.

1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.

So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.

2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).

What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.

3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.

If it's generated by software, any software should be able to assure uniqueness. This is again a failure of saved passwords / password managers.

4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).

Yes and here we get to the elephant in the room.

You become dependent on an easily stolen or destroyed device for authentication. It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave. Too bad you can't access them any more. How do you get home? You don't have any other devices to prove your identity, if you even have backup devices, they're at home. The flight options are in an app that you don't have the passkeys any more for. Your flight may get canceled or rescheduled and you have no way of knowing. If you didn't bring any physical credit cards or backup cash, you can't even eat.

Passkeys are all fine in your average techie environment, but can be a disaster outside it.

makeitdouble
3 replies
15h12m

The most basic scenario:

Someone use their phone as their only computing device (e.g. only other device is their school or work computer).

Their phone dies and the shop convinces them to go for a Pixel 9.

How screwed are they if everything was in iCloud, vs they were using 1Password ?

lloeki
1 replies
9h26m

What about any or all among of their contacts, messages, docs, notes, schedules, photos, apps, app contents...?

How screwed are they if everything was in iCloud, vs they were using 1Password/{own,next}Cloud/Evernote/Meta/Dropbox/web apps...?

That would be a more appropriate picture.

How screwed are they

Not much. Annoyed maybe but as long as they have access to their email and phone number they can reset their passwords.

What about the other way around? If a person broke their Android phone and a friend convinces them to move to Apple? You could argue that then they may have everything in Google and that they could log in on an Apple device with their Google account and use Chrome and Gmail and whatnot, but then they'd be storing everything in Google.

What if Google sunsets a product? Or Google unilaterally decides to close their account overnight with no human in reach for support?

I'm all for interoperability. I do get the risks at hand. But the hodgepodge of separate solutions forming a duct-tape held system is hardly usable for the "mere mortal", let alone integrating the together in reliable ways.

People want technology to disappear so they can go on with their lives and do stuff that matters to them (which integrating platform-independent third party solutions is not). So "all eggs in same basket" is an extremely valuable feature for most.

makeitdouble
0 replies
7h20m

as long as they have access to their email and phone number they can reset their passwords.

At best they spend hours and hours up to days resetting the passwords for all the account they ever had. Looking at my password list, there's 700 or them, it would take me a week of my life, if I ever get to do it at all.

At worst they actually can't access their email and it's the end (or a week or two of back and forth sending official documents to get it back ?)

Google

As a first point: they don't have to go all Google. They can have a Google account solely for their phone, and have everything elsewhere. That's a nobrainer as long as they have a solid password manager. You call it hodgepodge, but that's just what we've doing for the last centuries.

The issue of a service unilaterally killing an account isn't limited to Google. Apple will also kill your account if they assume you misbehave, and you might get someone on the phone, while not getting any resolution.

Do we hear it more about Google ? sure. But Google is also in the biggest service provider on earth at this point.

nottorp
0 replies
6h1m

No, the most basic scenario is:

Someone uses their phone as their only computing device.

Their phone gets destroyed or stolen while they're far away from home to require a plane flight to get back. Perhaps stolen along with their ID.

How do you recover when your logins are passkey only and the passkeys are gone with the stolen phone?

kcplate
8 replies
15h38m

People are driven away from open standards to vendors like Apple because so much open stuff just sucks so goddamn bad. So will Apple one day fuck me over? Perhaps, but in the meantime their shit just works and I am going to use it because I don’t have time to spend hours troubleshooting why manufacturer A doesn’t work with free publisher B when free driver C is loaded.

AnthonyMouse
4 replies
13h58m

But have you thought to ask why that is?

The general mechanism for free software to be developed is for the individual users to make modifications. Not all of them, of course, but the ones who know how to. Someone sees something wrong, fixes it.

Apple interferes with this. If you don't like an app on your iPhone, even if it's open source, you can't just make a minor change because for that you have to pay $100/year and buy a Mac and all of this friction that discourages people from doing it. And then upstream doesn't get the little change (times a thousand individual users with an itch to scratch), and the one-time contributor doesn't become a repeat contributor either.

Not only that, you can't distribute a half-finished app to the public -- even if it's free -- because it wouldn't pass review. But then you can't get any users who might help you to finish it. So the state of open source software on the iPhone is a shambles, because Apple neutered the primary mechanism for free-as-in-speech software to become any good on their platform.

Compare this to Linux on a PC where simple things are about as likely to "just work" as they are on a Mac, more likely to do so than on Windows, and weird and complicated things work better than on either of them because even though they're not always easy they're very nearly always possible.

Which is the perpetual sham of "it just works". Simple things are simple everywhere because they're common and well-supported. Complicated things are often difficult, but some platforms make them prohibitively difficult or simply disallowed, and people confuse this with "easy" because you don't remember spending time to make something work when you can't. But that's not actually an advantage, because you're not obligated to spend time on something that doesn't immediately work, but the option to choose to is valuable when sometimes it's worth it.

kcplate
1 replies
6h51m

Not sure of your reality, but my apple ecosystem just works. I spend nearly zero time fiddling with my rig just to get to a point of productivity but see Linux using peers in a constant state of tweaking trying to achieve and failing of what I have by just opening a box.

sgarland
0 replies
5h9m

Same. The only issues I ever have are with non-Apple hardware, like Sony headphones, Acer monitor, etc.

Do I wish they worked better? Of course. Have I experienced those same problems with Android / PC? No, but different problems existed.

kcplate
0 replies
6h12m

Not only that, you can't distribute a half-finished app to the public -- even if it's free -- because it wouldn't pass review.

Ahhh so you want the public to do your QA for you and don’t mind interfering with their productivity when the first iterations of your software are a buggy mess? I am ok with Apple trying to keep the pests out of their garden, or providing a lockable gate like TestFlight where I can go into a testing situation with my eyes wide open and risks well understood. Your open source devs are not always great at disclosing the fact that their software is half baked and people install expecting a robust app and finding instead…a load of crap

_as_text
0 replies
11h31m

Well that's all fun and games until you start putting off paying Internet bill for two weeks because it turns out that you misconfigured your password app and it actually didn't save your password to the utility service provider and you realize you have no internet one day and you have a school assignment ugh and maybe your credit score gets 0.5% lower and yeah it's all very much your fault. "But you can just be more careful! Handle stuff like this as it arises!" Yeah, sure, just like during Communist times you could easily get more than one pound of coffee per half a year if you're just careful and note when it's available in stores as a drop-in

I believe this whole Apple vs Linux debate is perfectly analogous to the West vs East Germany debate, to the point that almost all intuitions/arguments for the latter are perfectly reusable in the former

pydry
1 replies
14h0m

Ive watched people who swear that Apple "just works" struggle when it doesnt.

The difference is just that because of the halo effect they dont blame Apple for the shit that doesnt work. If there is a 3rd party tangentially involved they blame them instead.

rahoulb
0 replies
10h12m

The difference (in my experience) is if it works with Apple, it "just works". If it doesn't work, it will never work.

It's a binary and you generally know the answer straight away.

Some people dislike it because they enjoy looking for answers and the freedom to change how things work. Others like it because they don't want to spend their time searching and mucking about with configurations.

dhosek
0 replies
14h19m

That was a bit part of my move to Mac from Windows back 24 years ago. It was such a pain trying to get all the bits and pieces working together and with the Mac, yes it was more expensive (although honestly, not that much more expensive) but stuff just worked out of the box and I didn’t have regular crashes. I’m sure things have improved in Wintel land since 2000–2001, but my Apple experience has been remarkably stress-free.

zer0zzz
6 replies
15h18m

"The people want the thing that they want because they are wrong"

I never understood how this argument even makes sense. It sounds a whole lot like you're upset that most normal people don't care about and don't want what you want.

AnthonyMouse
3 replies
15h2m

I feel like I explained it above. People often want things because they don't have all the information and people who are uninformed, especially when they're intentionally uninformed, make poor decisions.

And maybe there are some people who, faced with the risk of losing all their stuff, conclude that maybe all their stuff isn't that important to them and they don't have time for this YOLO! But there are even more people who never even consider the risk, and it seems like somebody should be looking out for them instead of people just saying "shut up nerd, normal people don't care about whatever you're worried about." Uh yeah, that's the problem, they're not made aware of it until it bites them on the ass and anybody who tries to express the concern on their behalf is told to keep their foot away from the hose of the money vacuum.

zer0zzz
2 replies
11h40m

This is the bell curve meme. People just want the things that work for them, people that know what they are doing want things that work easily and know their way around a little better too.

You're overblowing the harmfulness, I'm not even sure what the argument is.

Prove to me you deserve to be called a "nerd."

chuckadams
1 replies
3h15m

GP’s smug superior attitude over non-technical people and general lack of perspective is enough nerd cred for me.

zer0zzz
0 replies
2h59m

Word

talldayo
0 replies
13h51m

There are hundreds of examples throughout history of people being marketed something horribly harmful to themselves and defending their need for it even after being explicitly shown the downsides. Oftentimes, instead of fixing the individual people society chooses to punish the businesses that abuse this lever.

Same shit with the Microsoft Netscape trial, really. People didn't want alternatives because Microsoft went absurdly far out of their way to stop fair competition on their platform. Now we're seeing the same shtick, again, on a different platform.

TeMPOraL
0 replies
11h44m

It's more of: people want things obviously bad for them because of abusive salesmanship techniques, which exploit information asymmetry and opportunity cost (i.e. that people can't be bothered to do deep research on every one of the thousands things they buy). This includes effective marketing, that is typically deceptive and stops short of direct lies (sometimes not even that).

4death4
3 replies
14h42m

You should read this piece in the NYT titled “The Tyranny of Convenience” [1]. It asserts that your entire worldview is essentially flawed. En masse, people do what is most convenient, which is completely orthogonal to what is right / wrong / best / worst. For instance, it’s an empirical fact that eating healthy and getting exercise is better than eating poorly and living a sedentary life. Yet, most people live sedentary lives.

1: https://www.nytimes.com/2018/02/16/opinion/sunday/tyranny-co...

AnthonyMouse
2 replies
14h16m

But this is precisely the problem. If you want the right thing to happen, you can't allow the wrong thing to be more convenient. "The wrong thing is more convenient so STFU" is the flawed worldview, because it's what causes the wrong thing to continue happening.

Now consider what happens if people do the opposite. Instead of defending convenience as an end unto itself as Moloch would have it, you create friction against bad choices. Complain about them, refuse to assist your allies in making a mistake. Do things that make bad options less convenient and redirect people to better choices.

People will still do what's convenient, but now the more convenient thing is the better thing.

rrr_oh_man
0 replies
7h6m

> Now consider what happens if people do the opposite. Instead of defending convenience as an end unto itself as Moloch would have it, you create friction against bad choices. Complain about them, refuse to assist your allies in making a mistake. Do things that make bad options less convenient and redirect people to better choices.

What about making "the right option" better instead of making the "the wrong option" worse?

4death4
0 replies
6h31m

The flaw in your logic is that you’re taking too myopic a view. In your world “making something worse” is somehow divorced from the tyranny of convenience, but in reality it’s not. Changing society is itself inconvenient, and therefore unlikely to happen unless leaving society as-is is less convenient.

015a
1 replies
12h28m

This point of view essentially reduces to the same place libertarians are at: Institutions are bad, Apple is bad, Google is bad, we should refuse to support institutions, or maybe even institutions should not exist, depending on how severe the FOSSism is.

And look, I don't feel that libertarians (or, let's kill the analogy, FOSSers) are always wrong. Of course they're right about some things; they're just wrong about so much more than they're right about, its like a 90/10 split, its not close. I think the cognitive dissonance is something similar to chesterton's fence: FOSSers don't respect the massive profit-motivated and closed-source companies and systems which, at best, make pockets of productive, awesome open source possible; but more realistically and worse those pockets are just the software version of "buy a Subaru because we donate money to cancer research", they're free labor/recruiting/tax writeoff/community goodwill campaigns by gigacorps, and its all just profit at the end of the day.

Nerds who can see the inside of the machine and are aware that this sort of thing happens is literally just stating in different terms the stereotype type-As assign to nerds: that they don't understand anything but the technology [1].

[1] https://www.youtube.com/watch?v=hNuu9CpdjIo

TeMPOraL
0 replies
11h46m

Apple and Google aren't institutions. They're for-profit corporations with a long track records of behaving like amoral artificial minds that they are. In this sense, corporations are beasts - society can benefit from putting them to work, but they will also occasionally maul someone because that's what they do.

jb1991
0 replies
9h29m

Most people want this because they're guided to want it. If you show people the convenience but not the risk

I think that what is convenient to you, or to fellow engineers, is not what is convenient to the mass public or non-technical people. Very simple solutions, which are often platform-specific, tend to be a lot easier in many cases -- not necessarily all cases, but when something is built-in to a device or OS, this does remove some burdens from users.

hurril
0 replies
11h37m

Guided to want it. Sure. Everyone else, all those other folks with other lives, opinions and preferences, they are brain washed by my enemies. Come on, man :)

I just wanted Passwords to be its own app because the Settings applet(?) is obnoxious to interact with in some scenarios. My passwords are already all in there.

Now, I use a Windows laptop too and would love for Apple to make the Passwords thing work there too. It probably won't :)

lxgr
17 replies
21h16m

On top of that, they don't lock you in with passwords.

Now that many sites are moving to passkeys or TOTPs, it would be great if Apple could not lock users in there as well.

Apple has had a Chrome extension available for a while now which has allowed me to use it on other browsers/platforms

That's only on Windows and requires you to install iCloud tools locally, right?

hankman86
13 replies
11h39m

What is the adoption for passkeys? I do not get the impression that they will replace passwords or “social” logins anytime soon.

pmontra
12 replies
10h20m

I have yet to notice a site asking me a passkey.

doctor_eval
5 replies
7h45m

Really? That’s how I log into GitHub!

pmontra
4 replies
7h2m

I stopped logging in into there since they forced 2FA on me because of an old contribution to an open source project. It's too much of a pain and I don't need to be logged in to look at the code of the modules or libraries I'm using or I could use. As collateral damage, I stopped opening issues on open source projects, that was maybe two or three issues per year. All my customers are on Bitbucket at the moment and it still works with username and password. If it would switch to 2FA, I'd have to comply.

stavros
2 replies
5h57m

It amazes me the lengths people will go to to avoid security.

ayewo
1 replies
5h27m

It’s not that the gp is trying to avoid being secure.

It’s that for a service that you only have a need for, a few times a year, mandating 2FA is an unnecessary hassle that can lead to user frustration.

I’ve experienced the same with Gitlab. I rarely use Gitlab and don’t have anything important hosted there but when a project I was a member of enabled 2FA for all contributors, it made my Gitlab account completely frustrating to use.

Typical scenario: I’m trying to do something brief on Gitlab that requires me to be logged in so I login then get shown an interstitial page saying I cannot proceed until I enable 2FA on my Gitlab account. Every action I attempt while logged in will fail unless I either enable 2FA or remove myself from the project that enabled mandatory 2FA after I was added.

GitHub’s 2FA implementation is night and day better than Gitlab’s but I imagine the user frustration must be similar if you find yourself suddenly having to enable 2FA because a GitHub org you were already part of mandates it.

stavros
0 replies
5h23m

True, but the alternative is that people with valuable projects to secure don't do that (because they aren't forced to), and lose things.

That said, the sign-in flow with a Passkey and BitWarden is great. Click "sign in with a passkey", click "confirm", done. No username, password, or 2FA required.

One day I hope BitWarden implement my suggestion of not requiring that second click if you only have one key.

nathan_douglas
0 replies
6h26m

If you have something like 1Password, it takes one or two clicks to set up 2FA for a given site and Passkey setup for a given site is pretty painless. There’s even a decent amount of CLI integration for signing commits, etc. As a federal contractor working in and out of higher security areas, 2FA and Passkey are… really not intrusive or disruptive to my daily life.

ciroduran
1 replies
8h18m

Funny enough, you can use a passkey to log in with Nintendo

paulryanrogers
0 replies
6h38m

Yet if the limit is one then you'll still need a fallback like forgot password. Because the original device may fail.

blowski
1 replies
9h53m

I've found them to be a real pain in the arse because they're implemented so inconsistently. Only the biggest sites are offering them, but it's those big sites where I'm worried about locking myself out because of setting it up wrong.

scrollaway
0 replies
4h57m

I've locked myself out of Squarespace by setting up then subsequently removing a passkey. Doing so triggered a bug which "updated" the TOTP (that was already set up) and the backup codes. Support was absolutely deaf to the whole thing being a bug, absolutely impossible to report, and I'm sure it'll keep being an issue for years to come.

drumdance
0 replies
4h45m

There are 3-4 I regularly use. Google offers it for their business accounts, of which I have a couple.

FeelingGood
0 replies
7h52m

They might not ask you to setup a passkey, but many sites already support it: https://passkeys.directory/

ocodo
0 replies
16h4m

it would be great if Apple could not lock users in there as well.

The king of wishful thinking has entered the chat.

58028641
0 replies
16h27m

The Chrome extension also works on macOS.

EVa5I7bHFq9mnYK
13 replies
9h12m

Luckily, _most_ people don't buy overpriced and closed Apple devices.

MissTake
10 replies
8h29m

In the desktop world people tend to buy cheaper, yet equally as closed Windows machines.

tsimionescu
9 replies
8h18m

In what ways are desktop Windows boxes as closed as Apple? I would say there are many many things to fault Microsoft for, but closing down the OS has never been one of them (though that is gradually changing outside the EU, to be fair).

MissTake
4 replies
6h53m

When using the terms “open” and “closed” with operating systems, one is traditionally talking open the source code.

As such both Windows and MacOS are closed source.

As for “opening up the OS” both are pretty gosh darned flexible and extensible wrt other features.

However being based upon a BSD core, MacOS has had access to the Unix command line natively since forever. For Windows one used to have to rely on CgyWin before the virtualized WSL platform came to be.

Whilst MacOS has the somewhat opaque ~/Library for storing user settings and data, it pales into comparison to the massively Opaque Windows Registry.

I’ve had had very few issues fixing app install issues with my Mac - with Windows I’ve had more than one occasion where I’ve had to do a complete reinstall of the OS due to the Registry being totally hosed to the point I couldn’t reinstall apps again.

tim333
1 replies
6h6m

You said "equally as closed Windows machines."

In terms of the machine Windows is way more open in that you can use what hardware you want. But yeah the software is closed source.

MissTake
0 replies
3h24m

TBH, the parent also stated “but closing down the OS…”

So waters were indeed muddied.

tsimionescu
0 replies
1h47m

I don't think when someone is talking about a "closed device" they usually mean "closed source". I at least took it to refer to whether you can run whatever software you want on that device+OS, and how easy it is to do so.

I think Windows is up there with the open source OSs (Linux, BSDs, etc) on regular PCs are at the same end of "run anything you want from wherever you want it", iOS devices are at the other extreme of "only run things approved by Apple", Android devices are pretty closer to iOS because they make you jump through hoops and potentially lose access to various functionalities to install certain things or gain root access. Modern macOS, as far as I understand, is somewhere in the middle: you have to jump through quite a few hoops to install certain kinds of software, and a few aren't permitted at all I think (unsigned kernel modules?).

nicce
0 replies
4h7m

I think the keynote here is the closed/open hardware.

You can run Windows almost on any hardware. So it is much more open in general.

You can equally run almost any imaginable software on both operating systems (if we ignore the performance), but you have extreme difficulties to run macOS on most hardware.

esskay
3 replies
7h57m

Counter point - in what ways is macOS 'closed' and Windows not? And I am specifically talking about macOS, not iOS.

Zach_the_Lizard
2 replies
6h33m

MacOS is only licensed for use in Apple branded hardware, as I understand it. Even running it in a VM could be problematic if that host isn't running MacOS.

esskay
0 replies
5h21m

So your issue isnt the openness in terms of being limited on what you can do on it, and more that you want it to be bloated with drivers for millions of various pieces of hardware like Windows, got it.

MissTake
0 replies
5h46m

True. However I can (and have multiple times) migrate from machine to machine without needing to reinstall everything.

My work MacBook was pulled from an original Air from something like 2015, to a 2017 Pro and currently my 2019 Pro.

So I’ve got apps installed on my Mac that have been installed damn near 10 years ago.

Ditto my home 2015 Pro was later on migrated to a M1 Air. Hell, I’ve still some 32 Bit Steam games that still somehow run on my Air (least Steam tells me they’re 32 bit).

We could play this game ad-infinitum, each finding a level of supposed “openness” but the basic facts are that neither Windows, nor MacOS are truly open.

If you want open, then Linux is always going to be in the answer somewhere. Not MS Windows. And not Apple MacOS.

nicce
0 replies
5h37m

Many could disagree about the pricing of MacBooks, for example.

M Pro series are probably the best laptops on the market, and if people keep buying them, is the price too much?

MacBook Air is actually quite well priced for what you get.

majke
0 replies
9h3m

In the US, iPhone has a 58.81% market share

There are demographics where Apple has dominance.

drio0
3 replies
18h9m

Is there a way to export all your passwords on a Windows PC, or from iPhone? I do not have a mac

gumby
0 replies
16h3m

Why don’t you just install the windows app they announced?

antgiant
0 replies
3h29m

No

The backup situation is terrible - Mac only - Only Passwords (no passkeys) - Only items you created (so nothing shared with you, even if you own the shared “group”)

In short your only option is one at a time manual export

AnthonyMouse
0 replies
16h3m

A more important question is, is there a way to export all your passwords after you're locked out? One of the major risks here is you permanently lose access to your One Ring to Rule Them All account and thereby all of the others.

In theory you can export the data to some out-of-ecosystem backup device on a regular basis, but we all know that most people are not going to do that.

delta_p_delta_x
3 replies
12h9m

I think this is exactly what _most_ people want.

I couldn't agree more. I use Google's password manager because (1) it syncs everything (2) I already use Chrome everywhere (3) I can't be arsed to set up another password manager that is generally inferior in terms of integration.

I don't care for the FOSS argument. I just want stuff to work and work easily.

Plus, I sincerely believe Google is 'too big to fail'. If somehow Google gets hacked and my plain text passwords all get leaked, it means something huge has happened and we're all massively screwed anyway. So, whatever.

jjav
1 replies
11h35m

Plus, I sincerely believe Google is 'too big to fail'

Google might be too big to fail (I don't think so, but could be wrong).

The flip side of that is that google is too big to care. We all know from countless reports that they will evaporate your google account and everything ever associated with it, for no reason at all and zero chance of you ever being able to reach anyone to fix it.

I can't see why anyone would risk anything of value to such a platform that can destroy all your content at any second for no reason with no warning.

Jeremy1026
0 replies
4h43m

I can't see why anyone would risk anything of value to such a platform that can destroy all your content at any second for no reason with no warning.

The only real solution to this is to self-host, locally. Which isn't feasible for the vast majority of people.

adhamsalama
0 replies
7h46m

Why not use Bitwarden?

It's better in every single way.

jajko
2 replies
10h45m

I think this is exactly what _most_ people want.

No. Please stop being speaker for most of the whole world.

There are people, including me or my wife who is not technical at all, who will never use anything similar from Apple. Or any similar SSO/access/security platform. Google and FB tried that decade+ ago, only fools fell for that regretful trap if the service has actually any long term added value.

vegabook
0 replies
10h37m

He did say ‘I think’ so not speaking for the whole world

jb1991
0 replies
9h26m

It's ironic that you suggest they should not speak for the whole world, and then use your own personal opinion as a stand-in for what you think should be the whole world's opinion.

redbell
1 replies
5h0m

I think this is exactly what _most_ people want.

I see many comments replying to the above statement, and I am no exception.. what about the saying that goes: "Don't put all your eggs in one basket"?

nordsieck
0 replies
4h53m

what about the saying that goes: "Don't put all your eggs in one basket"?

I think it's a lot more important to decide who you want to trust.

The problem is that there are a lot of small apps that end up being scams. Or they end up selling their software to scammers. Or they just don't have the ability to properly secure their system (LastPass).

Apple has kind of made a name for themselves as a big company that cares about privacy and is serious about security. And they don't have the reputation for totally screwing over their customers randomly like Google.

I can see a lot of people making the pragmatic decision to just keep trusting Apple instead of figuring out which other company to trust as well.

evilduck
1 replies
21h47m

Besides the web client,

https://cider.sh exists and is in various distro package managers already too.

dxbednarczyk
0 replies
15h4m

...and is miles better than Apple's attempt at providing "support" for other platforms than their own.

the_gipsy
0 replies
12h51m

People don't want everything tied to one identity, one service, one login.

I think this is exactly what _most_ people want.

Until they don't, which always happens sooner than you would think.

itsoktocry
0 replies
5h36m

I think this is exactly what _most_ people want.

This is what they think they want, until something happens and they are forced to move out of the walled garden, and have to replace everything.

But, admittedly, that's Apple's bread and butter, and they've managed to avoid big controversy so far...

commandersaki
0 replies
9h33m

Easily export passwords, I’m not so sure. I remember trying to script this once and for each item it would prompt a password to extract the entry. Maybe the Passwords app changes this.

EGreg
0 replies
5h45m

> I think this is exactly what _most_ people want.

Yes, and they should have it. As open source software that a free market of hosting companies can compete on price and quality for. Not as closed source software hosting by a Big Tech oligopoly.

You should be able to host your info on a server of your choice, encrypted end-to-end from your devices. That server is the one which should collect payments, manage subscriptions, do access control checks, and deliver data to others. That server is the one which should send notifications and push news updates to your devices as well as subscribers’ devices. You should always be able to migrate easily to another server, or use several at once, as fallbacks.

People have learned helplessness (“oh I wish Twitter would add feature X”, “oh, I guess we all have to get a Google Plus account”, “oh, sucks that Google Plus and all my data and social connections there are going away”) because open source developers didn’t stick around long enough to make something that is good enough to compete with it, and is decentralized and federated.

I can count on one hand: Mastodon. Bluesky.

I am working on fixing it: https://github.com/Qbix/Platform

Larger vision for 2025 and later: https://qbix.com/ecosystem

WheatMillington
10 replies
21h36m

People don't want everything tied to one identity, one service, one login.

This is EXACTLY what people want. Please remember that HN is not a cross section of the general public.

ChrisMarshallNY
5 replies
17h4m

> Please remember that HN is not a cross section of the general public.

Yup. I need to constantly keep that in mind, when I’m designing my software.

Very often, the fact that I like it, is a negative.

ascagnel_
2 replies
14h56m

What this forum needs is for its members to volunteer their time at their local library doing tech support. It’d be a rude awakening for a lot of folks.

appplication
1 replies
14h19m

I can’t begin to count how many hours I’ve spent trying to help my mom untangle passwords for all of her accounts. I can’t help but laugh at the indignance over an approach that isn’t fully decentralized/anonymized/self-hostable/brushes-your-teeth-and-makes-you-toast/whatever.

I don’t need idealism. I need my mom to be able to figure out how to log into her bank without having to call me every time. The more that’s tied to a single ecosystem the better.

shiroiushi
0 replies
9h13m

My mother actually writes them all down in a booklet. It's very old-fashioned, but it does work for her.

satvikpendem
1 replies
16h3m

Very often, the fact that I like it, is a negative.

Incredible insight. Too often I'm building something and it rises in complexity precisely due to me wanting extra features that might be very niche and technical in nature, so I too must remember to not bloat the product and make it much more streamlined.

kcplate
0 replies
15h27m

SWEs build for maximum tinkerability. General users just want the software to work without having to tinker with it at all.

wtetzner
1 replies
16h13m

I think they want one login, but don't want it all controlled by one company. I think they either like or just don't notice that everything they do is controlled by one company at first, until they see something shiny and cool that another company is doing, and realize how difficult it is to switch.

sunshinerag
0 replies
15h44m

What would they prefer instead? controlled by another company? controlled by many companies? manage it on their own?

exodust
1 replies
12h21m

This is EXACTLY what people want.

You made the same mistake as the person you're refuting, only worse because you added "exactly" as if case closed.

Here's another take: "People" want different things. They listen to different music, have different opinions, buy different cars, have different tolerances of when a car needs washing.

My non-technical Mum refuses to use online banking; my non-technical Dad loves online banking. My non-techie sister loves issuing verbal commands to her smart speaker; my non-techie Mum refuses to speak to devices & switches her TV off at the wall every night.

The only "EXACTLY" is in marketing efforts trying to convince you of that state.

motoxpro
0 replies
7h36m

You could fix iy by saying "this is exactly what > 90% of people want"

efitz
5 replies
10h26m

The other big problem is that in the case that you get on Apple’s bad side for whatever reason, you now lose your passwords to everything.

pityJuke
4 replies
9h43m

Terrifies me. I can't really piss 1Password off, so that'll never be a worry. My iCloud Email can at least be re-directed to Fastmail as I own the domain (other than Hide My Email, which is a shame).

madeofpalk
3 replies
9h8m

You can't piss 1Password off, until you do. There's nothing inherit about Agile Bits that shields them from arbitary account closure.

You can't piss Apple off, until you do.

I personally haven't heard of people's account getting randomly shut down for whatever reason for either company, but I'm sure it happens.

pityJuke
1 replies
7h14m

It's a matter of surface area to somehow trigger the automated detection that kills an account.

With 1Password, I can only really think of payment issues (ultimately, everything within your account is just a matter of sharing a binary blob they can't read - maybe if you try to use it as a file store and the size becomes excessive), whereas with Apple, I'm not entirely certain what they could read on my machine that could trigger them (hopefully with Advanced Data Protection, this is a small surface area).

But you are right, both of them could cause headaches.

crossroadsguy
0 replies
7h9m

Off topic: I just saw your comment and I also used the term "surface area" :D

Though, there' a 3 minute gap, I had not seen your comment (hadn't refreshed the page) when I typed mine.

crossroadsguy
0 replies
7h10m

There is a difference - the surface area where you interact with that certain company. As an Apple device owner, your interaction with Apple and it's various services (known; and unknown to you - e.g. watching a certain video on YouTube in Safari) compared to that of Agile Bits (or BitWarden for that matter, which I prefer), where the service is exactly one, is much much bigger. Hence making your chance to trip so much more in case of Apple and Google.

fckgw
4 replies
22h16m

Apple already has an iCloud app for Windows and has had an iCloud Password Chrome extension for years. There is no support for Android.

lxgr
3 replies
21h14m

has had an iCloud Password Chrome extension for years

Which is also only available for Windows, as far as I know.

nashashmi
1 replies
16h14m

And needs iCloud installed for it to work.

gumby
0 replies
15h59m

They aren’t preventing you from using 1password which requires their cloud service, or any other. I use third party calendar, address book (contacts), text editor, but use Apple mail and safari. And mostly use Dropbox for file storage.

Other people can make different choices. This doesn’t seem like a crisis.

filmgirlcw
0 replies
16h19m

It’s also available on macOS.

Someone
4 replies
22h18m

Here's Apple's big problem: it's not a replacement for so many alternatives because it isn't supported on all platforms.

I don’t see why that would be a big problem for Apple.

As this article explains, this isn’t new functionality. It’s (mostly) a new UI for existing functionality, to make the hardware they sell and make lots of money on more attractive.

quitit
3 replies
21h50m

Seems to be the case that commenters do not know that Keychain Access exists.

Apple has tried various approaches of surfacing this functionality (eg the passwords panel in Safari and again in iOS’s settings app). This just seems to be the app-agnostic way of providing this functionality to everyday users, and probably a good thing as platforms move away from passwords.

llamaimperative
2 replies
21h16m

No, Keychain Access is just a terrible app. It is sufficiently terrible that I'm 100% aware of its existence and instead choose to pay for a less OS-integrated, but far better app.

quitit
0 replies
20h50m

No, bla bla irrelevant comment.

No, the commenters I'm referring to are ones that think Apple including a password manager is anticompetitive lock in, and other similar comments that are clearly unaware that this is not new functionality.

Your comment has zero bearing on what I posted. Apple themselves use 1PW

StressedDev
0 replies
16h38m

I am not sure what you mean by it’s “terrible”. It works well for me. It saves my passwords, generates secure passwords for me, works with Safari, and works with apps.

mirzap
3 replies
12h32m

How many people use Mac and Windows at the same time? There are some, but I bet most people do not use multiple OS. Usually, people who have a Mac have an iPhone and maybe an iPad. They are entirely in the Apple ecosystem because they see all the benefits when all those devices work seamlessly together.

eps
1 replies
12h26m

Quite a few. Windows desktop/laptop + an iPhone/iPad is a super common combo.

Jcowell
0 replies
3h4m

Especially for gaming

neuronic
0 replies
2h48m

For me the issue is gaming. It remains a central hobby of mine and while Mac has gotten much deeper into gaming in recent years it's a far cry off from Windows. I use Apple ecosystem otherwise (work, mobile). Also, I have left Linux behind after my academic years and don't miss it.

I would immediately leave Windows in the dust if gaming was equally supported on macOS. Maybe in the future, let's see. For enterprise work, MS365 is also really central and it's basically not possible to work without Excel, PowerPoint, Outlook and Teams even if you personally prefer other software (I don't). They're fine on macOS or the web interface but clearly neutered in comparison to Windows native.

gumby
3 replies
16h4m

They have a windows app for it.

yreg
2 replies
15h47m

Windows app will certainly help adoption.

An Android app would be nice as well, but I doubt that many people use both iOS and Android devices[1] (or concern themselves whether they will be able to switch platforms easily).

[1] Android devices as in devices where password manager is desired, not as in 3 Billion Devices Run Java

dhosek
1 replies
14h17m

I wonder what the number of people who use Macs and Android is. I would guess that it’s a tiny fraction of the marketplace (and likely entirely populated by people with Kindle Fires, not Android phones).

yreg
0 replies
4h53m

Actually now I'm thinking that there are probably quite a few developers with Macs + Android phones.

MrDarcy
3 replies
21h53m

I use Apple Music and Apple Notes every day on my Debian workstation. Works like a charm.

Scarbutt
1 replies
15h33m

Notes web version is pretty limited though, ex: can't attached images.

zer0zzz
0 replies
15h7m

I use Notion in cases where it's too limited. Unfortunately notion charges for really large attachments.

Trick I do do sometimes is, just WhatsApp the files to myself and attach them from my phone

zer0zzz
0 replies
15h8m

Word. I do the same. The web versions aren't perfect but they do the job. There are way too many Android-only users in these comments that don't have a clue what they are talking about.

tootie
2 replies
21h56m

It's more platform lock-in and it leverages their market position. Unabashed monopolism. Completely unchastened by recent lawsuits.

kstrauser
0 replies
21h40m

Except for the fact that you can import from and export to other password managers using built-in functions. That kind of kills the whole lock-in vibe.

WheatMillington
0 replies
21h36m

Literally not a monopoly.

johnnyApplePRNG
2 replies
14h29m

Someday I hope a company might emerge that develops things for the sake of developing things to enhance their popularity.

Ferret7446
1 replies
14h10m

That's contradictory; what you're looking for is a charity.

A company does things for the sake of profit.

johnnyApplePRNG
0 replies
11h37m

It can be profitable to be innovative in my opinion.

MrDrMcCoy
2 replies
15h14m

It's also why I refuse to buy more into Google products: it's too much of a risk to lose access to everything if Google wakes up one day and decides to suspend your account

There's a difference between Google's products and Google's services. You can use either one without the other. I am a happy user of Google hardware, and am even happier to be almost entirely extricated from their services.

cuu508
1 replies
12h45m

Do you mean stuff like Pixel but with a degoogled version of Android?

MrDrMcCoy
0 replies
3h35m

Even without degoogling, you can refuse to log in to a Google account and disable most of their apps. I rather do like GrapheneOS, though.

zitterbewegung
1 replies
21h55m

Apple wants it to be a problem so it incentivizes you to switch over.

ariuser8434
0 replies
19h28m

But Apple knows that there are many reasons why a user who may choose Apple where they make decisions for their dollars, is also a user who is stuck in other ecosystems in other context.

Of course, I'm talking about, for example, work environments where you may be stuck with a Windows PC, or have to use a corporate-owned Android device for your phone...

ttul
1 replies
22h14m

If they haven’t already, I won’t be surprised if Apple creates a reasonable password app for Android and Windows specifically to address this concern. Fanning out to other platforms to enable customers to continue using Apple products is a decent strategy that probably does more to retain people within the Apple ecosystem than it does to enable a move away from Apple.

shmerl
1 replies
16h39m

Apple thinks "One Ring to rule them all" will work on mindless enough. But otherwise, yeah. Those who aren't mindless wouldn't want that.

citizen_friend
0 replies
5h9m

People always ignore the simpler explanation: it’s more time and work to make something a second time on a platform you don’t know and control.

sgarland
1 replies
17h3m

People don't want everything tied to one identity, one service, one login.

This is what OAuth attempts to do, and most users and devs I know like it.

I'm well aware of the risks of putting all eggs into one basket. I'm already doing it with 1Pass (albeit with external MFA for some sites), so I see no difference with letting Apple manage it.

Justsignedup
1 replies
21h8m

Sadly this will take off, and be tied to everything apple. From a tech perspective I would never use their tools even if they are the most convenient. But the reality is most people will see this as the only option for password management, and 1password isn't free, so for them they will see no better way out.

cletus
0 replies
20h36m

I would be happy if more people adopted password managers. We'd all be a lot better off if they did. And personally I don't care which tool they use to get there. But there's still too much friction in using a password manager, not all of which is the fault of the password manager (eg different password requirements, how 2FA verification is handled, the antiquated notion of password expiry, some sites split username and password onto two pages so you have to verify twice, some sites using a third field you have to fill in like surname).

So I'm not sure how many people will actually use this just because of this friction.

Branding a solution as Apple isn't a guarantee of success. If it were, we'd still have Safari for Windows.

zer0zzz
0 replies
15h20m

People don't want everything tied to one identity, one service, one login.

People literally want everything tied to one identity, service, and login. You are almost totally wrong. People do sometimes want to switch to something new when they feel what they've bought into hasn't met their expectations or has fallen behind in innovation. And guess what? Apple in very limited ways actually locks people into things like passwords, files, photos, notes etc. Their entire ecosystem is pretty easy to migrate away from, I've done it several times. Theres an import/export tool for most everything.

After this year you probably can't even say they are locking people into their ecosystem with iMessage.

swiftcoder
0 replies
12h22m

Apple Music? This actually has a Windows client. I'm not sure how good it is

It is absolute garbage, but luckily the legacy integration in iTunes for windows still (sort of) works.

superb_dev
0 replies
22h17m

Apple Music has a decent web player, so it's technically supported on Linux

snapcaster
0 replies
5h15m

I do, because i don't have any windows or android machines

coldtea
0 replies
6h45m

People don't want everything tied to one identity, one service, one login.

You'd be surprised. People want a neat solution so they don't have to deal with multiple nuissances.

They worry less about vendor lock-in (if they even understand the issue unless it's bitten them, and then they can consider the costs of switching as totally normal and expected, similar to how they just go find app replacements for platform-exclusive software).

chx
0 replies
16h34m

It's good that it's not cross platform, we do not need any more product monopolies, we have enough. Still there's a chance this will hurt the password manager market which leads to an even better outcome: we still have a monopoly but it doesn't make the product available on platforms most people use.

AnonC
0 replies
10h40m

Here's Apple's big problem: it's not a replacement for so many alternatives because it isn't supported on all platforms.

No, it's not Apple's problem, let alone be a big problem. Apple does not like to provide services for free on other platforms and isn't even very good at doing it for paid services. This passwords app is meant for those who use and depend on Apple's ecosystem, not as a generic competition for other password managers.

m_a_g
61 replies
22h45m

I wasn’t expecting this much hate towards 1Password in the comments. I was using Google Passwords, then migrated to Apple, finally to 1P7 and now 1P8. It’s one of the best software I’ve ever used and I don’t know what I’d do without it. Same goes for Fastmail as well.

rickharrison
29 replies
22h36m

1password has progressively gotten worse every year for the past 5-10. 1password team if you are reading this, please stop making your software worse. Search which was great for years is now terrible and has jumbled results.

Some software should just be considered "done" and never changed again. 1Password is one of those things.

fckgw
11 replies
22h15m

1Password has gotten way, way better than it was a few years ago in my opinion. Tons of new features and the redesign a couple years ago was a big improvement.

jen20
7 replies
22h12m

The electron rewrite was a significant step backwards regardless of features and quality. I cannot wait to ditch 1P.

e40
3 replies
21h39m

How was it a step backward? I have noticed zero downsides to 8 compared to the previous version. I'm comparing the current version to the last version 7 I used. This electron hate is such a headscratcher for me.

sgarland
2 replies
16h57m

Generally speaking, Electron apps are larger and slower than their native cousins. I just checked on my M1 Mac, and between the Safari extension (which somehow consumes more memory than the app itself) the main app, and various helpers / renderers, it clocks in at 410 MB of RAM. I'll give you that it's also acting as an SSH Agent, but that still seems rather large for the functionality.

Personally, I noticed a slowdown in responsiveness immediately when switching from 7 to 8.

lightwords
0 replies
7h25m

It's clocking in at 120MB on my machine and launches instantly. I don't get this blind hate for Electron, it has made software runnable on more platform than ever with less development resources.

Washuu
0 replies
9h51m

It takes 10+ seconds to load the 1Password extension window in Firefox after some upgrade this year. They really screwed something up.

xnyan
1 replies
18h12m

I hear this, and I believe people, but it leaves me in a confused state because I don't understand. I (think) I've used them all, and the only password manager that is in the same class or better is bitwarden, which is also web/electron.

jen20
0 replies
14h53m

Previous versions of 1p are an existence proofs of something better!

fourfour3
0 replies
21h23m

I agree with this a lot.

I miss 1Password Mini in particular still (and no, Quick Access is not a replacement).

klabb3
2 replies
5h23m

Tons of new features and the redesign

After LastPass lost it I shopped around and avoided 1Password precisely because it looks and is marketed like typical feature-oriented apps powered by VC valuations and growth metrics. I do not like trigger happy product management near critical single-purpose software. It’s already quite challenging, because pw managers need (1) offline support (2) a sync protocol that’s virtually bug free and (3) state of the art crypto/security and (4) wide cross platform support.

I prefer such an app to sit basically dormant until there’s a new industry development (like passkeys) to keep up with the times. And even then, those features should only be added thoughtfully with a defensive mindset to ensure stability going forward.

So tldr, your stated benefits are in fact the very reason a lot of people don’t like it.

lghh
1 replies
4h46m

I don't understand this sentiment. I'm not attacking, I'm trying to understand.

So if there's opportunity for a feature that adds real value for many people to an application without it affecting the core of the product, it shouldn't be added? I can add passwords and unlock websites just as quickly with 1Password as I could 8 years ago. Why does adding other useful, related features make a difference?

vintagedave
0 replies
3h31m

Because they keep on changing the product at the same time. If they added value and left what worked still working, it'd be great. But they change things, and it's buggy, and the UX is worse, and I just want the nice productive utility I had a few years ago.

You say you can do things as fast as you could eight years ago -- but I can _not._

See my comment here: https://news.ycombinator.com/item?id=40644525

ivan_gammel
9 replies
22h2m

I don’t really understand this kind of comments that complain without any specifics. Worse how? I use two family subscriptions and a corporate one for many years and haven’t noticed any regression in functionality or UX. They release time to time minor quality of life improvements and continue supporting modern platforms. 1P7 to 1P8 upgrade went without any problems on all platforms I use. IMO this is the best password manager on the market by many measures.

What is your experience exactly?

MrDarcy
3 replies
21h47m

For me, I paid full price for the app. I attached many important documents such as my ID, SSN Card, my original birth cert, even the deed to my house. If I pass my wife knows where to get this info.

When my son was born I went to add his birth cert and SSN. I couldn’t. The “attach file” button is still there but it simply doesn’t work any more.

After hours of troubleshooting I finally found a discussion on their own support form where they acknowledged they explicitly disabled this feature. The solution is to switch to a paid subscription.

I’ll never buy software from them again. That’s just one example. They’ve removed similar functionality from cloud sync services to compel users to buy a subscription.

maigret
2 replies
21h38m

Sad indeed but the days of 0 interest rates are gone. Plus, software engineers in many countries are now massively more expensive.

acdha
0 replies
17h28m

They have a PR department, don’t give your time bro bono to spin it for them. With as many customers as they have, they’re in no danger of not being able to pay developers.

TeMPOraL
0 replies
11h31m

Software that's done doesn't need as many software engineers to look after it.

hakanderyal
1 replies
13h30m

Safari extension works half the time at best. Sometimes it doesn't start working without restarting the browser after it crashes.

Cancelled my sub last night after many years.

I don't mind the price, or electron or anything, I just wanted it to fill the passwords in my browser reliably.

laborcontract
0 replies
10h43m

I feel your pain. It used to reliably save and fill passwords. It’s a huge mess that doesn’t even work.

wingerlang
0 replies
12h19m

Every couple of months, without fail, the chrome extension starts failing. It gets to the point where I see the "current popup style" and just know that I have to ignore it, open the actual 1Password app (and login there), and THEN go back to chrome and open the extension again.

Some periods of time I simply went to copy from the app itself because the extension didn't work.

Been a paid customer for over a decade, and I originally bought it because the apps were so nice and they really did work 100%. The last couple of years have been painful at times though.

vintagedave
0 replies
8h10m

I can give specifics.

* Their syncing broke, and their support promised that buying a subscription would make it work. I did. It didn't. A year later I managed to get it fixed. I'm now on a permanent subscription for something I used to own -- that's not bad by itself, but the feeling I've been taken advantage of, and promised something that was false, leaves a bad taste.

* Syncing sometimes doesn't work anyway. I might add an account on my laptop and not be able to access it on my phone for a day or more.

* It's much buggier. Sometimes the Mac app just doesn't appear when you click the menu bar icon (this happened to me just a minute ago.) You have to right-click and select Open 1Password to get the full app, after which the menu bar app will now work. Sometimes. Right now, it's not no matter what I do. Why? No idea, it's random.

* Basic password features seem missing. There is _still_ no way to edit in a 'Remember me' checkbox on a login form. I would like 1P to set that checkbox.

* The UX design gets worse each release. In 1Password 8 they removed the useful menu in the Mac menu bar. I can't check what it is now because of the bug above, but it used to show a list of passwords. Now it has some kind of pseudo-intelligent other menu that has to be invoked via a shortcut and the Mac menu bar app actually does almost nothing useful.

* Not to mention their UX design which comes from the "hide buttons until you mouse over and click a button you didn't realise was there" school of intuitiveness.

* More UX: the iOS app now has a list of favorites, but it's almost impossible to get the info you want. Take a bank card: you can tap it in the list to show the name, card number, etc, but if you want the ATM pin -- which is the number I most forget, and the useful one because my card number is saved everywhere that uses it -- you have to dig into the item itself. How? Via a tiny, tiny untappable arrow.

Worst is that interactions with them show an attitude that they think they're building a better and better app each release. They're not. I cannot wait until I can move away to the new Passwords app.

rickharrison
0 replies
20h32m

- 1Password used to support Dropbox syncing without a subscription. They allowed you to keep using the app, but they removed support for auto-filling logins from dropbox in Safari or Firefox. You could only auto-fill from vaults that you paid monthly for. Whatever, they win, I started paying monthly.

- They broke search in the past few months. I have multiple accounts with the same service (i.e. google, mercury) for personal and business. Now when searching it displays gibberish like 2FA backup codes from the notes instead of just having `${title} - ${username}` like it had for years

- They completely changed the left bar and moved around the entire UI multiple times. Credit cards used to be a simple click on the left side. Now I have to click "All Items" on the left side, then find the dropdown for "All Categories", click it, scroll down to Credit Cards and click on that.

It really comes down to the fact that it's a password manager. All it has to do is store passwords and fill them in when I need to sign in somewhere. Why has the UI fundamentally changed multiple times over the years throwing away all learned user behavior.

EDIT: There's also just the intangibles. I can't always remember specifics, but I "Feel" like 1password has been fighting me for years. I don't feel that way about many other pieces of software I use. 1Password just feels hostile in how they change/update things.

yreg
1 replies
15h43m

1password has progressively gotten worse every year for the past 5-10.

You can still use the standalone 1Password 6…

AlexandrB
0 replies
5h54m

A lot of the browser integrations are broken if you run older releases I think. Even 7 doesn't work with Chrome anymore.

gregoriol
1 replies
10h52m

I still use 1Password 7

AlexandrB
0 replies
5h55m

Yup. Wish I could go back to 6 because 7 feels noticeable slower, but 8 is a non-starter due to the lack of self-hosting or local vault options. I also hate how a bunch of "babysitting" features are forced on you in later (after 5 or so) 1Password releases. I don't want Watchtower to be pegged to the top of the sidebar - but there it is anyways. I don't want to set a password hint for the master password, but I'm forced to regardless.

e40
1 replies
21h41m

I completely disagree. Yeah, the launch of 1PW8 was rocky. They didn't have feature parity on some devices (iOS). I waited a good while to update and when I did I had an issue with my Yubikey, so I went back to 1PW7 on iOS, but it was fantastic on macOS--way better than 7. After a short while, they fixed the Yubikey login issue with 8 on iOS and I have had exactly zero issues on macOS or iOS since, for about a year(ish).

Another data point: my 85 year old mother used to have issues with 7. She'd get confused about things. With 8, it's been clear sailing for her. That's pretty impressive to me.

pasc1878
0 replies
8h0m

1password 8 on iOS is fine and I note no issues with it, it just works.

On macOS 1pw 7 worked with no issues, 1pw 8 doesn't

However the big issue is that 1pw8 requires you to use their cloud - so if someone takes over the company and changes things or the company goes bust or even if the company's servers get hit by DDOS you lose all things. 1pw7 allowed you to keep the main db on anything and use multiple sync mechanism. For example you could keep the data all on machines you own, you could be a business and that would matter for security. Yes cloud etc is secure but there are cases where you don't want things to be anywhere not on your machines.

pupppet
0 replies
22h8m

I dislike the new search so much, just make search work like it does in every other application. If you're reinventing the wheel for something so basic that's the first sign you're doing something very wrong.

dylan604
20 replies
22h39m

you really enjoy paying each month for access to your passwords? really?

short_sells_poo
6 replies
22h35m

Yeah. I want to pay the people who look after the thing that stores my most precious information. I want them to be overpaid and look after their golden goose.

It seems nuts to me that you expect someone to provide you a service for free?

dylan604
5 replies
22h26m

I never said free. Did I? Just because someone is revolting against rent seeking companies vs building a solid product and increasing users this forum likes to denigrate them into being freeloaders. You've got the wrong idea and are running with it in the wrong direction.

JumpCrisscross
4 replies
22h22m

vs building a solid product and increasing users this forum likes to denigrate them into being freeloaders

The point is maintenance is an ongoing expense. Pretending it can be baked into a one-off purchase price is nuts, unless one is willing to buy that software caveat emptor, as in if it has a critical bug, sorry, you need to upgrade to have safe software.

For a game, that seems fine. For a password manager, obviously not. That said, enough people don’t like this to give Apple an advantage in amortising payments that users cannot.

dylan604
3 replies
22h19m

Again with this made up concept that I wanted a pay once notion. I kept upgrading with their releases until they went SaaS and removed the ability to store the data locally. If they continued to offer local storage with paid upgrades, I'd continue paying and using. They don't, so I'm not.

ivan_gammel
2 replies
21h54m

I just checked it on my device in airplane mode: everything is available locally and new records can be added. What do you mean saying you cannot store the data locally?

dylan604
1 replies
21h44m

with v8, there are no more local vaults stored on my machine with other devices syncing via WLAN. it's all cloud accounts or bust

ivan_gammel
0 replies
9h19m

Understand. Both your user needs and their approach to the product are reasonable in this regard. It looks like you are simply no longer their target audience and need different product.

max_
6 replies
22h35m

One of the reasons for bad software products & corporations taking advantage of users is this free loader mindset.

What exactly is wrong with paying $10 per year for a well done product?

dylan604
4 replies
22h28m

If it were $10, we might have a conversation.

I paid for my full version of 1Pass way back when, and upgraded all the way through to v7. It was a one time fee and used until they broke it.

I never said refused to pay for it, but a monthly fee in perpetuity is just ridiculous to me.

max_
1 replies
22h25m

I don't use. One pass, I use Bitwarden.

dylan604
0 replies
20h41m

congratulations. this particular thread is about an app called 1Password.

brailsafe
1 replies
22h1m

I'm still on v7, what did they break?

PascLeRasc
0 replies
21h49m

They disabled autofill in the Firefox/Chrome extensions and won't provide an older version that worked or even a download of the 1P7 app.

LVB
0 replies
22h18m

You get 1P for $10/year?

I'm willing to pay for a lot of software, but the costs are certainly real (especially in aggregate), and I try to be mindful of whether it is worth it to me. I would definitely pay $10/year for a password manager. I currently pay $36/year. Would I pay $100? No. But I'm not sure where the cutoff is.

And then I have to do this for every pricier piece of software. (For all of the lower-cost, one-time payments, little apps, etc. I just pay and move on.)

e40
3 replies
21h38m

I used it with my family and it's worth paying monthly for it. Passwords are so incredibly important. If I was hit by a car tomorrow, I know a huge chunk of my life is there for people to just pick up.

Marsymars
2 replies
21h21m

If I was hit by a car tomorrow, I know a huge chunk of my life is there for people to just pick up.

My wife and I have talked a bit about this recently but haven't implemented anything yet. (I use 1Password, and she doesn't have access other than a shared vault, and vice-versa with iCloud passwords.)

One thing that gives me a bit of hesitation is from a security standpoint - if we have access to each other's accounts and one of us falls victim to, for instance, a password-manager-level phishing scheme, the fallout from both of us having to recover from that at the same time is dramatically more of an inconvenience than if only one of us is affected.

Happy to hear from anyone else who's thought about this and any approaches they may have been taken - there doesn't seem to be much discussion about it online.

e40
0 replies
20h57m

The information in 1PW is the most important information I have. I have a Yubikey because of that.

briHass
0 replies
5h34m

If you're worried about banking passwords and accounts, those shouldn't be shared logins. Banks in the US have specific procedures for handling the death of account holders, and someone logging in as the deceased is problematic. Beneficiary designation and percentages needs to be followed, and if a spouse/other logs in and starts moving money around, all that has to be unwound.

My break glass implementation is a printed sheet of all my financial orgs and account numbers (including bills I handle). All the beneficiary designations are done, so my wife would just need to give them the death certificate and she'd have control of the funds.

eknkc
0 replies
22h31m

I do. It is a critical software for me. Why would I use something inferior?

JumpCrisscross
0 replies
22h35m

really enjoy paying each month for access to your passwords?

When it comes to a password manager, I appreciate having constant access to updates. That isn’t feasible for one-and-done code.

That said, it’s 1Password’s bugginess that will have me looking at Apple’s offering. (Particularly how it performs on non-Safari browsers, e.g. Orion and Firefox.)

chx
3 replies
16h35m

You'd try Bitwarden...

tristan957
1 replies
13h32m

I was a BW customer and switched to 1P. 1P is so much better. The clients are better and the syncing of sessions between the browser, desktop, and CLI is amazing. 1P has great integration with Linux and SSH too.

davidee
0 replies
12h46m

Long, long, long-time 1P user (2007?) increasingly fed up with their anti-consumer practices (dishonestly hiding discussions on their community forum about App Store versions and dismissive “responses” were the final straw).

So I put vaultwarden on the cluster at home, built a backup routine I was comfortable with and started using BitWarden to evaluate it before trying to help the whole family switch (we have 8 users, including a grandmother and grandfather from different sides of the family).

All this to say, I have to agree. I could not, and will not, switch my family to BitWarden (for the foreseeable future). Search is AWFUL, there’s no way to sort my passwords (recently added, recently updated, etc.) and the clients are way way way slower than 1P (sure, probably in part to server on an underpowered compute instance). However, even the “offline behaviour” (when BitWarden clients can’t contact the server) is slow, and sometimes syncing just doesn’t work.

I completely agree, the worst part is just how limited and clumsy the front-end is for secret storing. It’s limited, ugly, and often hard to parse visually. I can’t imagine trying to help my aging father use it on his desktop, much less his smartphone - where he’s had great success with 1P.

While I continue to have great disdain for AgileBits, 1P is still the most user friendly password manager for a group that includes definitely-not-technically-inclined people. I wish it wasn’t, I wish I could stop giving them money, but compared to the competition, there’s just nothing else that comes close.

mrweasel
0 replies
11h17m

I love the idea, pricing and open source nature of Bitwarden, but it's only good if you haven't used 1Password. Personally I was very critical about 1Passwords migration to Electron, but it has been really good to be honest. My assumption was that they had dropped the Electron plans, because I absolutely did not notice the change.

Bitwarden still fails to correctly identify basic username/password fields, but 1Password gets it right every single time.

tootie
0 replies
21h52m

We used 1pwd at my company and I have a paid family account. I love it. Think it's worth every penny.

sunshowers
0 replies
22h7m

Same, I'm actually a bit of a late adopter (only started using 1p in earnest once they came out with a Linux client) but it's been so great. I absolutely love the SSH agent in particular, it just works.

On topic, as a primarily Linux user I'm not in the target market for this (or any other Apple products or services really) and that's fine.

sooheon
0 replies
15h20m

It just doesn't work for me for safari mac. Authenticating with fingerprint takes many seconds (and often doesn't work).

nstart
0 replies
17h7m

Likewise. I think they are making some weird and off putting choices around the enterprise but for consumer stuff (which is squarely where the apple passwords comparison sits I assume) it’s still a great piece of software honestly.

brainzap
0 replies
7h40m

the 1password search is horrible, it does fuzzy search and not match exat results etc

there is more, too lazy to write

blawson
0 replies
22h34m

1Password + Fastmail integration for generating masked email is also great.

Plus a nice UI for handling OTP, notes, credit cards, IDs, bank accounts, etc, it's easily worth the annual price for me.

ipqk
61 replies
22h59m

I've been an avid 1Password user for over 10 years, but since they gone full-throttle targeting the enterprise market, I'm getting more and more annoyed. It's increasingly buggy (right now, it thinks I haven't migrated from 1p7 which causes annoying interstitials that I can't close. Over a month and no fix yet.). They killed standalone vaults. Obvious feature requests (e.g archive an entire vault) sit there for years untouched. The value is increasingly not there anymore for me, and here's hoping I can finally jump ship this fall.

dylan604
22 replies
22h40m

I have been fighting switching to the SaaS version. Paying a monthly fee for access to my passwords is highway robbery. I do not want/need any of these other "services" they forced upon me. I have trying Apples keychain, but that migration is slow and a total pain in the ass. And it's not even a good replacement.

I'm sure 1Password doesn't care one iota about loosing individual users with attitudes like this. Until the forced to a monthly rent seeking hand in my pocket policy was deployed, I had been a vocal advocate for 1Pass. Now, they're about to loose me altogether

buzzerbetrayed
8 replies
22h25m

1Password has the most reasonable pricing out of just about any SaaS company. $1/user/month if you're on a family plan. $3/month for individuals. And they provide a great service.

Strongly disagree that they're part of the group of SaaS companies trying to price gouge their users.

dylan604
6 replies
22h21m

Cloud only, and they removed local storage of the vaults. If I'm somewhere that doesn't have internet connectivity, what happens then?

Dislike of SaaS isn't limited to monthly fees, but the lack of features they removed to encourage SaaS adoption

musictubes
4 replies
20h44m

How many passwords are required if you aren’t connecting to the internet? What would you be signing in to?

dylan604
1 replies
20h26m

That's some low quality snark. I have plenty of local things with passwords. One example is encrypted external drives. That's all your snark gets from me on the off chance it's not actually snark. (must me the most I've used the word snark in one go)

freedomben
0 replies
4h26m

That's some low quality snark.

I'm on your side in all the comments I've read so far (especially the "freeloader" one), but this one is a clear "assume the worst" which isn't fair to GP. Their comment could very well have been a legitimate and innocent question. Of course it could have been a majorly failed attempt at a troll (since the question has great answers) but assuming the worst just drags everything down. IMHO better to give benefit of the doubt, even if only for the other people reading it later.

sooperserieous
0 replies
20h27m

Do you only keep online passwords in your manager? I've got all sorts of things in mine, plenty that I might need without connectivity, such as the door code to that AirBnB or bank account numbers and PINs. Then again, I never would have done that without offline availability...

LilBytes
0 replies
20h35m

After the initial login all your passwords are cached locally anyway.

beart
0 replies
14h27m

If you are using a device that previously accessed your vault, it will be cached and accessible. It just won't sync until you regain network connectivity.

20wenty
0 replies
3h51m

Same opinion on 1Password's great service. I've found them to be responsive and accessible anytime I've needed them. I'm not seeing all the bugs and issues others are reporting, but I have noticed a couple of odd UI changes lately that feel a bit like a product manager is bored and looking for work to do.

JumpCrisscross
7 replies
22h31m

Paying a monthly fee for access to my passwords is highway robber

It would be. Fortunately, 1Password doesn’t do that [1].

You’re paying for an important piece of software to be maintained.

I'm sure 1Password doesn't care one iota about loosing individual users with attitudes like this

Probably not. Emphasis on attitude.

[1] https://support.1password.com/frozen-account/

dylan604
6 replies
22h23m

This entire assumption that I'm a freeloader is absolute bullshit. I've bought and paid for my copies of 1Password and have even purchased it for others. You can take that freeloader name calling and shove it right back in the place you found it. I'm quite frankly tired of it.

We can have upgrades and working software that gets updates without monthly fees to do it. I also do not need their cloud and only features. They intentionally removed the local vaults specifically to force you to use their cloud. That was the last straw for me.

stouset
2 replies
21h12m

We can have upgrades and working software that gets updates without monthly fees to do it.

No, the last twenty years has show us that we can't.

If you want developers to perform ongoing work on their products, you need to accept a model where there's ongoing pay for that work.

volleygman180
0 replies
3h24m

you need to accept a model where there's ongoing pay for that work

Before they switched to subscriptions, it still worked like that: 1Password 4, 1Password 5, 1Password 6 - I paid money each time a new version came out. Sometimes I paid the same day of the release and upgraded immediately. Other times, I may have waited a little bit longer and continued with the version that I had.

Nobody's asking for a free lunch.

sleepybrett
0 replies
1h37m

They had a model that was ongoing pay for their work. 1password was healthy and happy providing flat fees for major version updates, which were every couple of years. Then some VCs wanted to see more profit so suddenly it's all online, subscription, drop the native clients, and a pivot to enterprise. It got enshittified.

JumpCrisscross
2 replies
21h49m

assumption that I'm a freeloader

Where did I or OP say this?

can have upgrades and working software that gets updates without monthly fees to do it

It’s a bad financial model.

intentionally removed the local vaults

This is a valid disagreement.

sleepybrett
0 replies
1h30m

Subscriptions may be a 'good financial model' for the business, but are rarely a good financial model for the consumer.

If I am required to pay you monthly for a product there becomes less and less reason for the owner of said product to improve the product. With the hassle that comes with switching password managers (even for myself, I provide three families with this product (my parents, my sisters family)) there is a lot of friction involved with leaving a product that is stagnant that I am paying monthly for.

I was much happier with 1password when i was able to evaluate their new major version, see if any features of it were compelling to me and my extended family and make a decision wether or not it was worth the asking price. Generally speaking a major version wouldn't get huge changes over it's lifetime, maybe some bugfixes, maybe some ui improvements around it's new features (could also be considered bugfixes), any security issues that cropped up. At that point their development staff was more focused on brand new features for the next major version.

I think what we ran into, partially, with 1password is them running out of ideas for their next major version. A password manager, to a consumer, is not a super complicated product that requires a bunch features, a lot of the work is in the encryption and security which isn't really consumer facing.

dylan604
0 replies
21h37m

people go back and edit their comments silently after being called out all the time around here

troad
2 replies
12h59m

I have been fighting switching to the SaaS version

I felt that way on principle for a long time, but honestly, on reflection, 1P is probably subscription that is most justifiable. I want to outsource online security to people that know what they are doing. I want that to be a viable business for a long time into the future. And I want their funding model to be such that their interests are aligned with those of their paying users (me).

People can get so irrational when it comes to the cost of software. The same person who'd pay hundreds of dollars for a cleaner, or a gym membership, will swear up and down that 70 bucks a year for an online bodyguard is highway robbery.

bdzr
1 replies
4h32m

People can get so irrational when it comes to the cost of software. The same person who'd pay hundreds of dollars for a cleaner, or a gym membership, will swear up and down that 70 bucks a year for an online bodyguard is highway robbery.

Often while refusing to work for less than six figures as a SWE, hating on companies for seeking VC funding, dismissing non open-source approaches, and then complaining why there aren't more alternatives :)

sleepybrett
0 replies
1h41m

I'm not sure a password database is a 'online bodyguard'. I am sure that 1password has been going downhill for a few years now. Getting rid of the ability for me to manage my own vault was the last straw for me. I'm still limping along with 1password7 with a local vault for my 'important/sensitive' passwords but i let keychain manage most of my randomass website passwords. Since I'm primarily in the apple ecosystem this works out for me, I do have some linux in my life too, but since I generally access those linux resources using a mac it's just not much of a problem.

I think this new interface to the password feature in macos will probably put even more of a dent into 1password/bitwarden/etc's consumer business driving them even further into catering to enterprise, it's a pitty, but 'this isn't a product, this a feature'.

spike021
0 replies
22h36m

Interesting. Earlier this year I migrated passwords out of 1Password and a few from LastPass and Apple Keychain supported both easily. Just not more complex types of credentials. Every password and website was imported correctly as expected. If not I have yet to notice.

ketralnis
0 replies
56m

I'm in the exact same situation. I'm still on 7 (the last fully local version) but the cracks are starting to show. I can forgive them for iOS forcing you onto their update treadmill but they've intentionally crippled the Firefox extension for this version too, and it flat doesn't work on windows anymore and it's not like Windows or Firefox are deprecating their APIs all of the time.

rootusrootus
12 replies
4h40m

My biggest worry about passwords by Apple is that I have even less pull when they screw it up. Not that I have a lot of input in 1Password, of course, but I bet if I get loud enough on HN for long enough, I could get the attention of the CEO. Try that with Apple. As a long time user (sufferer) of Screen Time, I am acutely aware of how badly Apple can screw up software, and how long they can let it go unfixed. Tim Cook ain't ever going to hear my pleas.

mym1990
5 replies
2h10m

Can you expand more on the Screen Time issue?

colingoodman
3 replies
2h2m

I've had a bug where unpausing a particular app requires doing so 2+ times before I can access the app. The bug has persisted on multiple devices for multiple years and it makes for a pretty clunky user experience. That's one example that comes to mind for me.

willyt
0 replies
1h43m

It doesn't matter how many times you click it, there is a delay before it unpauses. If you click it once it will unpause after about 15-20 seconds. I'm not sure why it does this, it could be syncing with iCloud to also remove the restriction on your phone and iPad or it could be a feature that gives you a short pause to reflect on whether you really do want to continue wasting you life on hacker news.

garrickvanburen
0 replies
1h55m

It happens so often for me, I just assumed it was a key feature of how Screen Time worked e.g. 1-click to unpause isn't really a deterrent, but what if unpausing took a random number of clicks to unpause - now that's a deterrent to not unpause.

cianmm
0 replies
1h56m

I have this same issue. I've got to unpause the app multiple times, and wait for upwards of 15 to 30 seconds before the app actually unpauses.

jperkin
0 replies
1h39m

For me it's completely unfit for purpose:

* It's incompatible with some apps, e.g. Roblox, that are full-screened, and you end up in an annoying loop between the Roblox screen and the request more time screen fighting with each other, with no ability to click anything. My kid has learned how to hit the Option-Command-Escape shortcut to force-kill Roblox using just the keyboard and restart.

* Sometimes Screen Time requests come via Notifications (yay), and sometimes they come via Messages (boo). There doesn't appear to be any logic behind which.

* When they come in via Messages, and I leave Messages.app running for too long, it ends up eating all of the memory on my 32GB M1 Max and forcing me to restart the system.

* Sometimes requests do not come through at all.

* Sometimes the user cannot request more time. Clicking the button does nothing.

* Sometimes multiple requests come through for the same app. Approving one of the requests does not satisfy all of them, you have to approve all of them.

* Requests for websites do not work. Every so often Roblox breaks and results in having to re-download the .dmg. You end up in a loop between approving the request for more time and the website saying the user needs to request more time. I ended up writing a shell script to curl it instead (which requires munging User-Agent because the Roblox download page does not have a direct link to the dmg).

It's clear there are no Apple employees who actually use Screen Time to manage kids time. I can only assume they just let their kids have unlimited access, because trying to actually use Screen Time is absolutely infuriating, and only gets worse over time (e.g. the Notifications vs Messages thing is a recent regression).

It's also worth pointing out that I have absolutely zero issues with Android Family Link. It all Just Works for similar purposes.

icee
2 replies
2h22m

Keychain Access has been there since the beginning of OSX/macOS. It's quietly been storing email and wifi passwords this entire time. Many, before there was an alternative like 1Password, used the app to store other info within as well through secure notes. Passwords in iOS and Safari, along with Keychain sync in iCloud have expanded the keychain functionality over the years and it's been fine for ~25 years or so. I have faith they won't suddenly screw this up and comparisons to less critical stuff like Screen Time aren't really valid here. And sherlocking? I don't think so. When 1Password came out, it was clearly inspired by Keychain Access that had been there for years prior with similar functionality and even user interfaces.

davidfischer
1 replies
1h56m

Keychain Access has not been "fine". It's had multiple unaddressed data loss bugs. For example, Keychain lost all passwords from all Keychains after the Catalina update[1] and this wasn't fixed in the next 3 Catalina minor updates. Multiple users reported the issue to Apple and the response was crickets. Even if you restored the passwords, it helpfully deleted them all again. I switched to 1Password and declared Keychain Access a lost cause. I don't think I'll be giving them a second chance here.

[1] https://discussions.apple.com/thread/250722178

ethbr1
0 replies
1h0m

That does seem like one Apple fault, that Microsoft does better -- triaging actual bugs.

Apple has devs. Maybe some teams are short-staffed, but they fix things.

What Apple doesn't seem to have is a functional bugfix priority loop that includes customer input and provides feedback.

tyingq
1 replies
4h36m

Might be outweighed by the bigger effects when they do screw something up. Like if their passwords mess up for amazon.com, some big airline, Facebook, etc... the noise will get pretty loud pretty quick.

devsda
0 replies
3h2m

I know that some people were able to successfully get through to a human/support at Google via HN.

I don't remember seeing those for Apple. Are there examples of anyone failing to get meaningful help from official support but were able to find a successful resolution through HN ?

burnte
0 replies
2h55m

This is exactly why I use 1Password and not the manager in Chrome, and I won't use Apple Passwords either.

drcongo
7 replies
22h48m

I'm only still on it because of team use, but if Apple's thing supports teams I'm gonna be so happy to get rid of it.

I've been using it for nearly 20 years and it's been going down hill fast for the last 5, but 1Password 8 is an absolute clown car. It hijacks your passkey logins meaning that authenticating with Tailscale for me has gone from a single touch of the TouchID button on my Mac, to 1) click button that says "Unlock 1Password", 2) Click it again because it did fuck all the first time, 3) hit the global hotkey for 1Password, 4) open 1Password via Alfred because the hotkey has decided to stop working again, 5) touch the TouchID button to unlock 1Password, 6) switch back to the browser to find that my Tailscale auth has timed out, 7) back to iTerm to initiate the auth again, 8) if I'm lucky, I can now touch the TouchID button to use my Apple passkey, if I'm not, it's back to step 1.

I'd challenge anyone to name an app that has been ruined more by VC money than 1Password.

anonexpat
1 replies
22h22m

Evernote.

drcongo
0 replies
9h10m

Not a bad shout, but no matter how awful it got, I'd argue there never was a good version of Evernote.

acdha
1 replies
17h30m

The password sharing feature is pretty slick:

https://support.apple.com/guide/iphone/share-passwords-iphe6...

I’m with you on 1P. I bought every version starting in 2009, until the constant push to subscribe made me stop. The part their VCs should be afraid of is that switching took about 5 minutes (export + import) and the only change I noticed is that everything is faster. That moat is a trickle of water (I hope it’s water) and they’ve annoyed a lot of the people who used to be telling their friends and family to buy it.

robbiep
0 replies
3h43m

I’m pleased to hear that switching is simple - it has been a major impediment for getting me and my team to switch. We’re currently on 1p as an org and I bought initially back at 6/7. Just changed to 8 reluctantly as I had ‘my’ stuff in my own vault. I had heard that it was not easy

sooheon
0 replies
15h3m

You nailed my 8 step 1P unlock workflow. They've really done a great job standardizing the user experience.

dalyons
0 replies
14h55m

Hah glad I’m not crazy. Used it and loved every version since 3x, but 8 is just so fucking buggy it drives me bananas. It just doesn’t work half the time!

briffle
0 replies
2h59m

its an apple tool. It will work on Apple products first, and then windows, but with a poorer experience. it may work on chrome, just for 'enterprise' but pretty sure firefox, linux, and android users are going to be ignored.

bowsamic
6 replies
22h50m

I've used Bitwarden for a while now and it has been so better than LastPass or 1Password ever was for me. I never understood the 1Password hype, it was easily the worst experience of any password manager I tried.

tstrimple
1 replies
3h50m

For a time 1Password had the best integration and UX across Apple devices of any of the password managers. That has become less and less true over time. Integration issues over the last year have me excited to try Apple's Passwords implementation as a replacement. Bitwarden is on my list as well, but haven't pulled the trigger due to switching costs for a family of five who all use 1password currently.

bowsamic
0 replies
3h45m

Even when people were raving about 1Passwords integration I found it inferior to LastPass

nashashmi
1 replies
16h12m

I miss lastpass auto login. And i wish bitwarden had a merge for duplicate entries. Otherwise, bw is good. I also wish i was able to utilize totp keys like i can with iCloud

briffle
0 replies
3h0m

I use TOTP keys in bitwarden all the time. Along with passkeys that has recently been added.

nativeit
0 replies
4h1m

Same here. I tried them all several years ago, and BW was the only one that gave me anything like a native experience across all of my wildly varying devices.

lxgr
0 replies
21h12m

Bitwarden gets my vote too.

Besides just working as expected, it importantly supports self-hosting. I don't currently make use of that, but have given it a try and it's great as well.

Having alternatives to the SaaS (currently very reasonably priced) is invaluable.

data-ottawa
4 replies
5h53m

Ever since Apple added password management to Safari it’s been clear that 1Password was going to get Sherlocked, the switch to enterprise mashes perfect sense from a corporate perspective. Chrome and Firefox offer the same features, so now every browser is competing too.

I’m finding most of the friction with 1Password I run into is actually Apple competing for autofill in Safari creating two completely different UIs above every form element.

The other issue I have is Safari Home apps not supporting extensions so you can only use Safari’s built in manager. I think that’s fixed in Sequoia.

mdaniel
1 replies
2h5m

clear that 1Password was going to get Sherlocked,

I'm actually of the same opinion as the GP comment, modulo that I'm not ever going to jump ship to an Apple password manager, but I'll point out that 1Password will most certainly not get Sherlocked since they are not Apple-centric and thus Apple would have to (gasp) release a Passwords.app client for Windows and Linux plus a cli and kubernetes operator in order to hold a candle to the reach that 1P has

noahtallen
0 replies
1h24m

Passwords.app is coming to windows (iCloud is on Windows already)

bradgessler
1 replies
2h21m

Apple uses 1Password enterprise internally, so I doubt we’ll see it get completely Sherlocked since enterprise will continue using it.

Passwords.app will be used by folks who can’t be bothered to pay for a password manager, which won’t do much to 1Password’s bottom line.

There’s a lot of prior art like Apple uses Cisco WebEx instead of FaceTime for video collaboration. The products Apple produces are just very different than their enterprise counterparts.

sleepybrett
0 replies
2h7m

Yeah i'm not sure apple wants to tackle things like 'shared vaults' outside of family sharing.

iansinnott
3 replies
15h58m

I suspect you won't be satisfied with Apple's offering if you enjoy stable software, unfortunately.

I agree regarding 1pass, but at least it's still firmly trying to solve the password management problem. Apple is trying to solve the vendor lock-in problem (i.e. how can they lock more users in to their platform).

twixfel
1 replies
4h56m

My last password manager got sold to some guy in Morocco and my passwords put behind a pay wall, and then lost. Bring on the vendor lock in, I’m so done with all that other shit.

ketralnis
0 replies
53m

What company was this?

epistasis
0 replies
14h37m

I've been using Apple's password manager for more than a decade; and though the last OS update had a new UI, it still offered the old UI at the same time.

Every other password manager I have tried has had continuous churn, nothing consistent after a couple years.

I have passwords for accounts in my Apple keychain that have survived more than decade and about half a dozen different devices, to internal servers that have been dead for a decade.

The only new thing here is opening it up to more platforms.

sigzero
0 replies
2h47m

FWIW, I have had zero issues with 1P version 8.

mmanfrin
24 replies
23h42m

Pointless if it doesnt have cross platform. Apple devices already basically have a password manager, the main reason more people don't use it it is because it doesnt also work on android or windows, not because it's not a standalone app called Passwords.

pdpi
10 replies
23h3m

Last I tried it, iCloud for Windows didn't integrate with Firefox, though.

Someone
6 replies
22h8m

I would think it would be Firefox which would have to support iCloud for Windows.

If password managers could interfere with password fields in Firefox without its help, malware could do that, too.

Or is there a generic password manager API on Windows that Apple doesn’t implement?

ivan_gammel
5 replies
21h53m

1Password, for example, has a plugin for Firefox. Something that you would expect in MVP for any password manager.

ivan_gammel
3 replies
9h25m

What is the market share among people who buy and use password managers?

amlib
2 replies
3h50m

I also don't get why pay for a password manager when there is a free one from a trustworthy entity, Mozilla Firefox, that works on android, windows, linux, iOS and MacOS.

ivan_gammel
1 replies
3h32m

The answer is: features. People who pay for a consumer product usually get some added value with it that you cannot find in freeware.

amlib
0 replies
1h33m

But what features are unique to the payed ones? The Firefox one already checks if your accounts was found on a leak, it has the complete set of feature you would expect to "CRUD" your passwords, integrates with the virtual keyboards in iOS and Android so it's easy to fill login forms on any app and by virtue of being part of the browser has perfect integration with the browser, autogenerates random passwords for you and finally it syncs all your passwords across all your devices (plus all the other things that firefox sync syncs). And again, works on all relevant platforms no exceptions.

_JamesA_
2 replies
22h34m

Or Linux.

throw0101d
0 replies
7h25m

Or Linux.

I guess Apple does not think that 2024 will be the Year of the Linux Desktop.

niek_pas
0 replies
11h22m

I don't think Apple minds.

bastawhiz
2 replies
22h35m

And for those of us without an iPhone?

pavel_lishin
0 replies
22h27m

Then we're not their target demographic.

nani8ot
0 replies
22h23m

Being locked into the eco system is my main reason for avoiding Apple products. Switching from an iPhone to an Android phone was painless for me because I didn't use any of the Apple services (iMessage, iCloud, Passwords). If I had to simultaneously switch from Passwords to Bitwarden would've been time consuming and annoying.

boxed
1 replies
7h44m

The timestamp you gave talks about Baldurs Gate :P

wiseowise
0 replies
22h5m

Just need to install windows on my phone, duh.

toddmorey
1 replies
23h41m

It does work on windows; the mentioned that. No word yet on Android.

Hamuko
0 replies
23h22m

No dedicated app on Windows though, it'll be part of their existing iCloud Windows application.

wwalexander
0 replies
23h41m

It works on Windows.

trustno2
0 replies
10h5m

The lock-in is the point.

I mean, why else would Apple invest in something like this. They became the richest company in the world by increasing lock-in in every step.

saithier
0 replies
23h35m

They did say there was a windows client in the keynote.

donohoe
0 replies
23h38m

Hardly. While not everyone is entirely within the Apple eco-system a huge number of people are that go beyond the necessary critical mass. Apple already built this into the OS they just kept it under the clunky Settings UI - so seems like a logical and low-effort move.

If the Family Sharing aspects are well done I'd happily say goodbye to my 1Password subscription.

ein0p
21 replies
1d

This needs to be multiplatform for it to be a viable option for the more tech inclined. I run all three major desktop operating systems plus iOS, so I use Bitwarden

nullindividual
12 replies
23h49m

It is available across the two major desktop operating systems, but you'd have to read the article to find that out.

The Passwords app is free to download, available across iOS 18, iPadOS 18, and MacOS 15, and will also work with the Vision Pro and Windows computers, says Apple.
smsm42
7 replies
23h45m

No Linux or Android, which makes it useless for anybody having any devices running those. And since nobody wants to use two password managers, it remains a better solution to use a truly multi-platform one.

nullindividual
5 replies
22h49m

Linux isn't even relevant in this context with it's <1% DWM install base. Android, yes you have a point, though a Mac and Android is a strange combination.

smsm42
1 replies
21h35m

What's strange in it? I've been using macs and android phones for over a decade. And a lot of tech savvy people do the same. Macbooks have been a solid dev platform for a while, and do not really require any mobile platform preference.

nsbk
0 replies
1h51m

Most of my dev team are Mac + Android users. The same is not true for data or product folks, who are mostly Mac + iPhone users.

freedomben
1 replies
4h17m

though a Mac and Android is a strange combination.

Probably so, but there is one demographic well represented here that does this routinely: Developers. Macs are the default and often mandatory computers issued to developers at tech companies (I strongly disagree with this approach and think employees should get the platform they are most comfortable on, but Macs only is the current state of things in most places).

So many use Macs because of work, but have Android phones due to reasons I won't articulate here, mostly due to time but also with the audience on this article I expect it would melt down into an argument about which flavor of ice cream is better (metaphorically, not literally). Suffice it to say, Android users would agree with the reasons, Apple users will say you shouldn't be doing those things anyway, and we'll have to agree to disagree.

brailsafe
0 replies
1m

[delayed]

neocritter
0 replies
22h29m

What's the % look like for people who use password managers? There's probably a reason they all support Linux.

sircastor
0 replies
1h36m

The Android one puzzles me a bit. We were Android + Mac for a very long time, more than a decade. I've switched to iOS over the last few years, but my wife remains a dedicated Android user. I don't really want to switch from BitWarden, but if I did Passwords would be a non-starter for us because of this.

I suppose that Apple really considers the iPhone to be the center of its customer's lives, with a Mac or Windows computer... rather than my view, of my computer being the center and my phone tertiary.

neocritter
0 replies
23h39m

The existence of a port does not guarantee future support of a port. Safari used to run on Windows. They're also somewhat notorious for trash quality Windows ports.

mrinterweb
0 replies
33m

Unless Apple treats every major OS as a first class citizen for this password management app, this becomes another form of ecosystem/vendor lock-in. Have all your passwords securely stored in our app? Thinking about buying an Android phone? Think again.

Of the major tech companies, Apple probably has the worst track record of not playing nice with other platforms, walled gardens and all. Passwords are needed on all platforms. Apple would be the last company I would trust to ensure that I would be able to access my passwords anywhere I may need them.

haswell
0 replies
23h39m

Desktop Linux market share continues to grow and as a part of that group, I rely on 1Password because I can use it across all of my systems.

The other major password managers are on Linux, and Apple will need to support Linux for this new offering to be interesting to me.

ein0p
0 replies
23h43m

If it’s anything like their other Windows apps, Bitwarden is still going to be a superior option.

jrexilius
4 replies
23h32m

My approach has been to move all of the critical secrets out of the vendor device and embed it in a keyboard. It then works with anything that accepts a keyboard.. I'll be releasing this as open source (hardware & software) soon:

https://www.anomie.tech/products/anigma/ce/

hiatus
3 replies
23h17m

How far out is the phone peripheral?

jrexilius
2 replies
23h12m

Sadly, proly not till next year. I'm funding this myself and hardware is hard. Embedding it into a case has a whole lotta mechanical engineering challenges as well.

The desktop and tablet version will be released this year though.

hiatus
1 replies
22h9m

I'd be interested in the phone version just for the keyboard. Closest I've seen is https://www.clicks.tech/ but I do not have an iPhone.

jrexilius
0 replies
21h41m

Yeah, I miss the real physical keyboards. I started with the Palm Treo smart phone in 2001 and stuck with Palm till they died. Better even than blackberry keyboards.

stvltvs
2 replies
23h33m

I'm using KeepassXC for similar reasons although there's no official Android port last I checked.

myaccountonhn
14 replies
23h52m

I always feel like these password solutions are there to lock you into their platform. I would never use Apples nor Mozillas password solutions personally.

josephcsible
8 replies
23h51m

That's a great reason to not use Apple's, but Mozilla's doesn't lock you in at all.

hunter2_
4 replies
23h47m

The way Google's password manager covers websites anywhere I'm logged into Chrome plus native Android apps anywhere I'm logged into Google Play is super convenient though (albeit total lock-in, I won't argue that). Some apps are even developed well enough that a password originally stored via Chrome will be suggested for the app, I guess by cross-referencing the origins in some mutual way. And payment card details will auto-fill pretty smoothly in a very similar way, as well.

It's fantastic, and for some reason I trust OS/browser developers to do this more safely than a company focused on password management that has to figure out OS APIs, write browser extensions, or rely on a clipboard that has nearly unbounded read access.

watermelon0
0 replies
23h24m

Some apps are even developed well enough that a password originally stored via Chrome will be suggested for the app

At least on iOS, this works for any password manager.

smileysteve
0 replies
22h31m

The security positive of a browser integration is you eliminate the human part of url validation; effectively stopping phishing.

lolinder
0 replies
4h14m

anywhere I'm logged into Chrome plus native Android apps anywhere I'm logged into Google Play is super convenient though

Android's autofill framework is open to everyone to use, and every third-party password manager has a Chrome plugin. I use Bitwarden with exactly this experience, but across Firefox and Chrome and Android.

cozzyd
0 replies
15h36m

Not sure people should take password advice from hunter2

pasc1878
2 replies
4h9m

Yes Mozilla's does - to Firefox. There are cases I need to use Safari or a Chrome based browser. This is the main reason I got 1password in the first place.

and where do you store your passwords for apps?

josephcsible
1 replies
1h39m

That's not lock-in, though, since Mozilla makes it very easy to export your saved passwords to a .csv file if you ever do want to switch ecosystems.

I use KeePassXC to store passwords for apps.

pasc1878
0 replies
1h9m

So does Apple make it easy to export even now, just one click on the menu in the System Settings. I assume having an app would make it easier.

So you have two password managers one for Firefox and the other for apps. What happens if you have an app login that is also a web site? Two entries of the same thing?

senpos
1 replies
12h31m

It is very hard to move from iCloud Keychain to KeePassXC. Export functionality does not exist in the "Passwords" section of the settings on iPhone. It is also not available in the iCloud for Web. So, I had to go through all my passwords and reset them + create new entries in KeePassXC, one by one, which is very annoying. :-)

kemayo
0 replies
2h29m

There's a proper export on the Mac if you have access to one, at least.

kstrauser
1 replies
23h45m

I used 1Password for years. Last year I decided to try out Apple's built-in manager (for which this new app is a pretty frontend for a feature that already existed). I was able to export all my passwords out of 1P and import them into 1P. Then my company gave us all free personal 1P accounts, and I decided to migrate back. I exported all my data out of Apple's password manager and imported it 1Password, then ran a script to de-dupe entries.

There's not much else to add: it just worked. I wish all "lock in" were that open.

myaccountonhn
0 replies
3h15m

That's excellent! I'll keep that in mind.

stemlord
0 replies
23h42m

That's apple's entire MO, yes

astrodust
10 replies
1d

It's good to see that 1Password is staying several steps ahead here to avoid being "Sherlocked" by Apple.

The new SSH key manager feature is an example of something Apple's unlikely to address for years, if ever. https://developer.1password.com/docs/ssh/manage-keys/

avree
2 replies
23h43m

Is this not exactly what the Apple Keychain does? Manage keys?

smileybarry
1 replies
23h34m

Might sound like a technicality, but: iCloud Keychain can store the passphrase but can't store the key itself. You still need an encrypted private key on-disk to use this: https://apple.stackexchange.com/a/250572 .

1Password saves the key itself in the encrypted vault and implements an SSH agent that can then interact with OpenSSH etc. and provide key operations, like how a physical dongle would function.

avree
0 replies
19h45m

Ah, that is a very important distinction. Thanks for clarifying! For my purposes, the passphrase storage works fine, but I can see how the vault could be a useful feature.

LeoPanthera
2 replies
1d

I really tried to like their new non-native app, and if it works well I could probably live with it, but it was so buggy and glitchy, even to the point where browser auto-fill often just... wouldn't. That's a basic feature.

I switched to iCloud Passwords a few months ago and I'm very happy with the product. Looks like this Passwords app is a nice new GUI over the top of that same database.

noprocrasted
0 replies
23h44m

I stick to 1Password 7 for that reason - thankfully it still works for the time being.

kstrauser
0 replies
23h36m

Same here. I switched from 1P to Passwords a while back, then switched back when I got a free 1P account from my job. I'd already started thinking about returning to Passwords, though. Much as I wish I could love 1Password, the current app is a mess. I have a Mac Studio without Touch ID and the "unlock with Apple Watch" feature almost never works. They also refuse to allow unlocking with YubiKeys (see https://www.reddit.com/r/1Password/comments/ttt2m0/yubikey_i...) for reasons I consider specious.

1P has some wonderful work-oriented features we use constantly. I don't like the direction it's going for personal stuff.

kredd
1 replies
1d

If 1P was aiming to get attention of an average consumer, Apple might start eating their lunch. SSH key manager is great, but the amount of people who needs it is very small compared to general market.

astrodust
0 replies
23h55m

They're certainly focusing on a more sophisticated market, especially in the corporate space.

throw29373733
0 replies
23h36m

1password is too expensive when compared to Bitwarden or Keeper.

It's almost double the price per user so my company switched to Bitwarden.

We're a Mac shop and if Apple can make it even more affordable then we would definitely consider switching again.

chuckadams
0 replies
3h8m

I feel like the people who throw out “Sherlocking” are the same ones who also whine whenever they have to install third-party software for whatever the OS doesn’t do out of the box.

willis936
5 replies
23h45m

You wouldn't want to give free publicity to a serious competitor like btiwarden, 1password, or keepass.

avree
4 replies
23h44m

1Password is still around? I used to love it, then they changed the app, pricing schema, UX, and generally made things worse overall.

MobileVet
1 replies
23h37m

Wow. Each to their own I suppose. We have a corporate account and I think 1Password is pretty fantastic. Additionally, all of our employees are given family accounts, that include 5 individuals, for free. I highly recommend 1Password to everyone I know.

watermelon0
0 replies
23h27m

For anyone interested in this, Bitwarden also gives away free Families plan (for up to 6 users) to all members of Enterprise plan.

tiltowait
0 replies
23h42m

1Password is both still around and still the benchmark, much as that pains me to say given how much of a UX regression 1P8 was.

doublepg23
0 replies
23h42m

I use 1Password daily but missed anything before this version switch-up I guess. I've got nothing but positive things to say.

santoshalper
0 replies
23h52m

Maybe that's what they were going for?

jiveturkey
0 replies
23h39m

It's zdnet and the headline is designed as clickbait. LastPass is likely the most recognizable brand (LastPass claims #1 on their homepage) and among the knowledgable, it absolutely has among the highest recognition not to mention clickbait-worthiness.

The article text mentions 1Password as the first listed PWM product.

BXlnt2EachOther
0 replies
23h33m

Off-topic comment to urge any LastPass users before Sept 16 2022 to please look into parent post's link. LastPass said accounts deleted before June 21 2022 were not affected if that's still up to date.

If I understand:

Attackers got access to LastPass's account data backups directly and in bulk. 2FA doesn't help here.

While LastPass since increased their password rounds for new accounts to 100k+, many users especially long-time users had them set well below and never updated. Reports of 5000 rounds, 500 rounds, ... even 1 round.

URLs were not encrypted. If you had sensitive URLs, I think you have to treat them as compromised. If you had crypto exchange logins or high-value URLs, I'd imagine you might attract extra attention.

[edit for typos].

rootusrootus
9 replies
4h44m

I wonder if the biggest side benefit to a player like Apple getting into this game is the pressure it puts on web site developers to follow some kind of convention with their login forms. The vast majority of the time I have trouble filling a password, it's because the web developer did some wacky shit with the fields that make them unrecognizable, or in the worst case actively prevent pasting a password. It's one thing to blow off someone like 1Password, but Apple has a huge reach, they are not so easy to ignore.

bqmjjx0kac
3 replies
4h27m

Ever used the virtual keyboard on treasurydirect.gov? I have resorted to DOM manipulation in DevTools so I can just paste my password in.

hackeman300
1 replies
4h20m

I think they finally changed this recently to allow you to paste in- I've resorted to the same workaround in the past though.

jackson1442
0 replies
1h42m

It's a real input field now!

el_benhameen
0 replies
4h19m

What a shitshow that was! I’m pretty sure they’ve deprecated that part of the login process now, though. It’s much smoother, in a relative sense.

freedomben
2 replies
4h36m

There is a convention already, and it's quite simple. There's an "autocomplete" property on an input tag, and you can tell the browser what it's for[1]. Use "username", "email", and "current-password" for example when building a login page. ("new-password" is useful for creating an account or changing password, and the password manager can suggest a new password here instead of trying to autofill with your old password).

The autocomplete attribute supports nearly everything you can imagine. Check this for a full list[2].

[1] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/In...

[2] https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes...

minton
0 replies
2h48m

Is there a way to turn this off entirely? Something like <html autocomplete=“off”>? It’s rather annoying to have 1Password trying to fill my contact info into any form with a Name input. For example, Forum Name, Todo Name, etc.

digging
0 replies
2h23m

I think the GP commenter is aware of that but saying "now that Apple is directly invested in managing and entering your password, it's harder to make excuses for dogshit product specs that, for example, block pasting passwords."

jackson1442
0 replies
1h41m

I doubt this will change anything in the space. iOS and macOS (through Safari) has offered password management for years at this point. This is just a more flexible version of that system.

babypuncher
0 replies
1h0m

actively prevent pasting a password.

I will NEVER understand this one. Do they want me to pick a shitty password? I'm not gong to type a string of of 20 mixed-case and special characters into a private text box on my phone. It always takes 3 or 4 tries to even get it right.

lotsofpulp
1 replies
22h38m

Strongbox app and storing the database in iCloud Drive.

mjmsmith
0 replies
4h11m

Dropped 1Password for Strongbox a few weeks ago, really impressed with it.

anssip
1 replies
2h4m

I use the Passlane CLI for accessing and managing my passwords. Passlane stores the data in a keepass file that I have in Dropbox so that I can access it from multiple devices. On my phone I access it with Keepassium.

Check Passlane here (I’m the author of it): https://github.com/anssip/passlane

haroldp
0 replies
36m

Very cool!

Would it make sense to use this for storing keys used other shell scripts?

Does it support hardware keys?

talldayo
0 replies
2h58m

As a sidebar, Keepass is so good that I don't understand why you wouldn't use it. 1password is bloated and annoying, Bitwarden is finnecky even when you do get it working, but Keepass Just Works.

Keepass is the closest I've ever felt to just having a wallet for my passwords. It should be ratified as a standard, so we can make Google and Apple provide "Export to Keepass" buttons in their apps.

sngz
0 replies
22h15m

Keepass2android and proton drive along with the keepass windows app

senpos
0 replies
12h35m

KeePassium + db file on Google Drive through Files app

lmz
0 replies
20h54m

Dropbox and KeePassium on the phone.

haroldp
0 replies
39m

Syncing via NextCloud.

bee_rider
9 replies
23h48m

I don’t quite understand how this will be different from what built in iPhone password manager.

Something I’d really like: let my iPhone act as a Bluetooth (obviously encryption will be necessary!) or USB keyboard, and have it hold my passwords/type them. That way I could keep my passwords all in one place, and manage them locally. Currently I use keepass when not on iOS, which is fine, but I don’t really want to have to expose my whole passwords file to a Windows machine, since they are traditionally infested with malware (and apparently MS is flirting with including their own first party malware).

denimnerd42
6 replies
23h45m

The offline device with a plugin usb keyboard that "types" in your username and password is exactly what i've wanted forever. There are some devices people have made and posted online. I made a POC with an old android phone once but never got past that stage.

I investigated the bluetooth encryption and it didn't really seem up to the task. You could create a dongle that lived on wifi though that would do the same.

denimnerd42
0 replies
22h22m

oh wow. i can't wait to see more!

jiveturkey
1 replies
23h37m

could you post a link or 2 of the DIY devices? very interesting since this kind of device obviously needs a lot of integration into the PWM software ecosystem.

bee_rider
1 replies
23h36m

I think it depends on the password, Bluetooth encryption would probably be fine for, like, my forums passwords. If anyone within, like, 50 feet of me right now wants to break into my Hackernews account… IDK, my dog does seem like a real jerk actually, so if I make any dumb posts let’s assume that she’s stolen my passwords.

A dedicated device would be nice and, actually, keeping your passwords on something that never even has to touch the internet would be ideal. But my phone already has a nice big touchscreen to make it easier to pick a password. Reusing an old device could work but that’s limited.

denimnerd42
0 replies
22h28m

i've thought of all kinds of iterations with varying levels of security. the phone with BT encryption would be fine in general but that would get picked apart for security if you actually tried to market it as secure.

the really secure way I was thinking is a small touch device that could be small enough to slide into your wallet or even as a device that would live in a phone case exposed on the back of your phone. then there would be a small yubi key like dongle that you'd plug in to whatever your target device is and it would communicate over wifi. that would be like the ultra paranoid version. then you could have the iphone/android app that communicates with the dongle, the one that uses BT encryption, the one that uses a USB cable from the phone to emulate a keyboard.. options are endless.

there's some features you could have like computer vision to recognize the login prompt. it's easy to get into an imaginative loop with the ideas.

sureIy
0 replies
23h38m

It's a proper app that can be reached in one click rather than hidden in system UIs. Basically Keychain Access but for 2024 rather than 2001

jiveturkey
0 replies
23h36m

I don't have a full answer for you, but you've hit on the major problem with all client-side PWMs.

egypturnash
8 replies
23h38m

So… this new app does most of what the depreciated “Keychain” app did, except now it’s got a iOS-looking UI. Huzzah, I guess, the “passwords” section in the iOS-restyled system prefs sure wasn’t substituting for Keychain for me. Passwords doesn’t appear to handle secure notes, though, and I still have a few of those, too.

I still really hate the iOS-restyled system prefs. Tiny unresizable text, a long vertical scroll. I can’t find a damn thing in it and just use the search bar every time and feel faintly annoyed about it.

selykg
3 replies
23h33m

I noticed a "Notes" section in password items. So, I guess in theory you could utilize those.

But my biggest one is wanting to store secure files. Think copies of a drivers license, signed documents or various certs and keys. That's not being covered here either for me sadly. It's not a super common situation for me so I can probably find an alternative app for that purpose.

Edit: Also for notes, I'd just password protect something in the Notes app. But that's just me.

matt-attack
0 replies
4h26m

Can’t you just paste the DL image into a Note and then password protect it?

I frankly just have photos of DL and insurance cards in my photos with tags to make finding them easy. Although note with the text searchable images that’s largely not even needed.

I don’t get what the security concern in. My photo reel is way more secure than my actual wallet.

lrhegeba
0 replies
9h32m

for this requirement i choose to use encrypted sparse files (can be created with the disk manager app) which i store on the icloud. is only of use if you happen to have a laptop with you as mounting them is not supported in iOS

catoc
0 replies
23h11m

For iOS & Mac https://thevault-app.com does exactly that for me. Storing PDFs, or just plain images of passport, drivers license etc (in addition to passwords). It’s a bit on the technical site (eg, also has cmd: prefix for terminal commands etc)

spike021
2 replies
23h23m

We've been able to lock notes in the Notes app for a while either with a password or Touch/FaceID.

egypturnash
1 replies
20h6m

Oh, you can? I should look into that then, thanks. I’ve vaguely settled on Notes as “I guess this is the least shitty replacement for the specific way Evernote fit I to my life” but have never actually sat down with its manual to see what it can actually do.

Hopefully Adobe won’t decide to start shitting a bunch of authorization credentials into private Notes the way they took over the Private Notes section of Keychain.

jamil7
0 replies
13h22m

Notes has become one of the better (best) first-party software offerings from Apple. They seem to have a really good team working on it.

kylemart
0 replies
7h57m

At least now you’ll be able to prompt Siri to figure out where your settings are /s

shallichange
7 replies
23h39m

Why would I use it over Bitwarder?

Hamuko
3 replies
23h21m

It's native and not Electron shit?

HaZeust
2 replies
23h17m

What's wrong with Electron?

Hamuko
0 replies
23h9m

Disk space for one. The Bitwarden macOS application is around 390 MB. For comparison, Firefox is 388 MB. They're usually much worse from a CPU and RAM perspective too.

AnonC
0 replies
23h12m

Electron apps are usually (not always necessarily) sluggish and don’t support native UI paradigms or keyboard shortcuts or navigation. The Bitwarden desktop app is one of the bad ones.

AnonC
1 replies
23h14m

Mainly depends on which platforms you use. If you’re using Bitwarden on Android and/or Linux, then this isn’t a replacement. If you’re on Apple’s iOS/iPadOS/macOS or are on Windows, you can use this. These are also native apps, unlike Bitwarden’s Electron monstrosity on the desktop.

Bitwarden has been lagging in implementing any consumer features for some years now (custom item types has been on the roadmap for six years and is still not done). Except for secure notes in Bitwarden, I don’t think you’d miss anything else in this app. Bitwarden is spending money and focus on the enterprise, just like 1Password has been. For the consumer segment, neither of these are good enough now.

jimt1234
0 replies
22h4m

Bitwarden has been lagging in implementing any consumer features for some years now...

This is actually the reason why I like Bitwarden. They don't seem to be constantly trying to push unwanted features on me. I've always been a fan of the first "rule" of the Unix Philosophy: do one thing well.

lawn
0 replies
23h5m

You probably shouldn't.

But it might make other people who don't use a password manager start using one.

afavour
7 replies
1h31m

Normally I’m conflicted when a big tech company comes to stomp on a market of smaller app makers but the password manager industry has left me with little sympathy.

Years ago I bought 1Password via a one off payment and set it up to sync via my iCloud Drive. It all worked great. Then they took VC investment and quickly every new feature was locked behind a subscription gate. I switched to Bitwarden. Then they took VC investment and I’m sure will end up down the same path (and you could never use a third party storage service with BW AFAIK). A password manager’s remote storage doesn’t need to be anything other than a safely encrypted SQLite file, you ought to be able to save it anywhere.

I think everyone should have a good password manager in 2024 and non tech inclined folks shouldn’t have to battle with upsells and spammy notifications as a price for being secure. If that means they’re using Apple’s offering, so be it.

dvngnt_
2 replies
1h10m

keepassxc works for me on android, windows, and mac

zer0zzz
0 replies
1h1m

keepassxc is incredible, truly slept on. I use safari keychain as well, as a copy. But my master store is keepass. It boggles my mind that people pay for 1password.

Btw, is keepassxc on Android now or are you referring to one of the many Android keepass apps? I use keepassium on iOS.

I pay for protonmail and also store a copy in protonpass. Proton pass has a nice web interface and doesn’t require me to copy a keepass file or logon to iCloud on my work computer so I use that sometimes too.

haroldp
0 replies
50m

The very best thing about keepass is that defines a standard and publishes a reference implementation that anyone can build a compatible client for. I like KeepassXC on MacOS and Keepassium on iOS and I keep the DB in sync between them with NextCloud. If I was working on Linux/Android next week I would pick the best clients there and arrange syncing myself, again, without a third party.

afavour
0 replies
24m

I should have been clearer, I meant that it didn’t work with arbitrary cloud storage providers like iCloud, Dropbox, Google Drive and so on.

I’m a tech person and even I don’t want to be responsible for running a Vaultwarden server, the average user definitely doesn’t want to.

lenkite
0 replies
5m

Well, good to know that U.S. feds now just need to send a single ping to get all the world's passwords on Apple devices.

Turfie
7 replies
5h7m

My brother convinced me to try a 1Password family account, since it would be cheaper. Ever since, the Chrome plugin takes forever to login. Sometimes up to 5-6 seconds. And it really annoys me that they have so many resources and money, and it's still this expensive for a very very basic application, and slow to boot.

I tried out passwords, and combined with Safari, it's an absolute godsend compared to 1Password. That does mean that I switched from Brave to Safari, and thus have YouTube ads, and so I'm now paying for YouTube haha

HenryBemis
2 replies
5h5m

Just to rub it in your face :) (teasingly and with respect) I got Android/LastPass/Firefox and only pay for the LastPass annually (I got it on all my devices), so there you have it ;)

ngai_aku
1 replies
3h12m

Check out the StopTheMadness extension. It offers a large number of features, one of which is automatically fast-forwarding YouTube ads

https://underpassapp.com/news/2023-10-19.html

JoeAltmaier
0 replies
3h9m

Does it blank all the fake videos in your YouTube home page? There used to be ads separate. Then they started putting one in the upper left corner that pretended to be a real video, with some clickbait title. Now (today?) they have them sprinkled all over, like maybe 15% of all the thumbnails are now ads.

I'm leaving that platform. They've taken shittification to new heights.

samcat116
0 replies
3h28m

I have never had such issues with the Chrome plugin.

Hawxy
0 replies
3h52m

Ever since, the Chrome plugin takes forever to login.

This isn't my experience since the recent update that shows up a mini-login panel when trying to sign in. The old experience that opened the desktop app first was fairly slow.

jwells89
6 replies
23h28m

Timely with how official support for the old 1Password 7 apps probably won’t be continued for too much longer, with 1Password pushing users over to the notably worse v8 apps. I’ll probably switch.

selykg
1 replies
22h59m

The biggest reason I'm moving away from 1Password is the abysmal support for Safari Profiles. It's so bad it's ridiculous.

Right now for instance I have a Personal profile, and a few work specific ones around admin, development, and my day-to-day work to split things off easily. I have 1Password unlocked in one profile and it works in that, but if I switch to any other profile it needs to be unlocked, then it tells me it needs to reload the extension. Reloading it doesn't do anything but break it again. I have to fully quit Safari then it works again for some unknown amount of time then falls apart completely soon after (probably laptop sleep or something like that).

Just a shitshow all around from 1Password anymore. How the mighty have fallen due to profits and investors.

pasc1878
0 replies
4h5m

This is my main gripe as well.

My current workaround is to use Orion as my browser. Its profiles are clunkier than safari and don't exist on iOS (but I don't care about that)

lowbloodsugar
1 replies
23h1m

Right. 1Password 7 is the last one to have private vaults. After that dies, I have no reason to use 1Password over anything else. SSH? Yeah, need that for work - which absolutely bans storing those on the cloud.

baryphonic
1 replies
23h19m

Interesting. I liked the 1Password 6 UI, was frustrated with 1Password 7 and have been loving 1Password 8 so far. Version 7 seemed really clunky when I needed to do certain workflows.

jwells89
0 replies
23h12m

What I dislike about the 7 → 8 transition is that it went from feeling like a handcrafted Mac app to an indistinguishable generic SaaS thing, which is exacerbated by 8 being built with Electron (which brings dozens of little papercuts that are difficult to smooth out, even if the dev cares to try to).

phito
5 replies
1d

Why single out lastpass in the title?

fckgw
3 replies
1d

Because they are the most popular password manager

_zoltan_
2 replies
23h55m

Maybe once they were, but they suck compared to 1password. I've moved and never looking back.

fckgw
0 replies
23h33m

Do you know what "most popular" means?

Filligree
0 replies
23h36m

Bitwarden here, and certainly a lot of people have moved, but we’re anecdotes. What’s the data say?

drx
0 replies
1d

I didn't want to editorialize the article title, but yeah, it's tacky.

godzillabrennus
4 replies
6h16m

I’ve had my iCloud account corrupted twice since they switched from dot Mac. Zero chance I’ll ever trust Apple with anything serious. I don’t even trust them to keep my contacts safe from corruption. Never going to trust them with my passwords.

m_a_g
2 replies
2h58m

Wasn't .Mac discontinued in 2008? I think it's time to let go

recursive
0 replies
2h7m

Letting go has occurred. "Since" means after.

darzu
0 replies
2h27m

“Since” could mean yesterday.

But i would like to hear more details of the corruption if parent is willing to share. This is pretty much my worst nightmare scenario.

herpdyderp
0 replies
1h1m

Isn't it all saved locally as well? Were your local files corrupted at the same time?

everdrive
3 replies
5h2m

I don't think Apple has built this maliciously for this purpose, but for normal users this will be a strong motivator vendor lock-in.

quitit
2 replies
4h43m

That's an interesting take because I can see how this reduces lock-in:

1. It's now easier to access passwords on the mac because you no longer are forced to use Safari to view passwords, nor have to sort through the technical entries/certificates in Keychain Access.

2. The app surfaces a prominently positioned button for one-click sharing and exporting of passkeys/passwords, whereas existing methods significantly lack in comparison.

3. It's the opposite of lock in to consolidate all types of passwords into a single consumer-level interface, when the alternative was hunting for them across the various apps and system panels.

4. It works with iCloud for Windows for cross platform support. Which also means you don't need a mac to participate in shared password groups.

randomdata
1 replies
3h37m

> you no longer are forced to use Safari to view passwords

Your passwords haven't been bound to Safari for quite a while. You already had to use the Passwords app found in Settings. Both Safari and Keychain Access have controls to allow you to open the Passwords app (the Settings one) from within them, but it stands independently.

The new Passwords app seems to be the old Passwords app with some refinements, new features, and moving it out into a more familiar location rather than it being hidden away in Settings. You might say this is Passwords v2.

quitit
0 replies
48m

That's my poor word choice as I also mention Keychain access in the same sentence.

I meant this in the sense of addressing people that stated that putting a password manager in Safari is vendor lock in, and accessing passwords via other methods such as the password pane in Settings as a bridge too far, along with describing that panel as "hidden" and using "dark patterns".

On the balance of information it seems clear that moving passwords to a separate app that is easy to access, navigate and share passwords (including across platforms) is the opposite of lock-in.

toddmorey
2 replies
23h40m

This is welcome. Central password management really should be an OS feature. Drives me crazy that every browser I use has a different credentials store and sync service.

sahila
1 replies
23h37m

Why do you have the need to use different browsers? Use the one you like on all your devices is easy.

lxgr
0 replies
21h7m

Not everybody appreciates platform lock-in (whether the platform is a browser or an OS).

tarentel
2 replies
23h33m

If this supports OTP, and ideally profiles, I'd likely cancel my 1Password subscription. I've been waiting for Apple to release something like this for a long time and surprised it took them this long.

alt227
0 replies
23h23m

Keychain has been built into all apple devices for ages, and all support OTP and seamless sharing across all your devices. Genuinely interested to know why you have been using 1Password when apple will already do it all for you? Did you not know?

Lx1oG-AWb6h_ZG0
0 replies
23h29m

iOS already supports OTP, it’s just buried in Settings > Passwords > Set up verification code. Once you do that, it’s seamless - it autofills in all my site and works beautifully in chrome/edge/firefox even in my PCs

spike021
2 replies
23h41m

I started using Keychain pretty much primarily this year (other than 1Password at work) and it works pretty seamlessly for me (granted Apple devices only). Even the Chrome extension works quickly as if it were a native part of Chrome.

Glad they're splitting it out of System Settings into a dedicated app.

I've also started migrating family members to it. It'll be way easier for the less technical people since it's already tightly integrated in the devices and OS they use everyday.

tgv
0 replies
3h53m

FireFox doesn't work with KeyChain, at least, not the last time I checked (which was a few years ago, admittedly). There's an extension that goes one way (read only), but that's of course relying on an unknown entity.

mdeeks
0 replies
23h39m

Does the Chrome extension still require you to enter a six digit code every day to even use it? When I tried it this was incredibly annoying and I switched back to 1password shortly after.

kgilpin
2 replies
41m

I have already been using iPhone Passwords for all my passwords. Anyone else doing this? It autofills passwords on the phone and I can copy a password from the phone Passwords and paste it on my MacBook.

Whenever I do a password change, I have to do it on my phone, so that the new one will be stored. But that is fine with me. I’m happy to do that in exchange for being freed from “password managers”.

rgbrgb
0 replies
39m

yep, incredibly convenient. big reason i use safari as the default on my MacBook too. honestly safari is great these days for everything except web3.

lovethevoid
0 replies
29m

This and the android equivalent (chrome/google) are very common methods. It’s only in enterprise spaces that they’ve adopted the likes of 1Password, Bitwarden, etc.

Really no big difference, you’re still technically using a password manager.

Also you can access those passwords on Mac as well, it’s in settings just as you would find it in your phone. No need to copy from your phone and paste it, Mac can autofill. It can also autofill on other browsers through the dedicated right click menu, but it’s a bit more clunky than on Safari.

Fun fact, those same passwords can be accessed on windows now, install iCloud for windows and enable passwords. It uses a dedicated app on Windows.

hwc
2 replies
2h2m

I've been using Bitwarden for a few years. It seems to do everything I need, and is cross-platform.

I have a soft spot in my heart for `pass` (http://www.passwordstore.org/), but it's a pain to access it from my phone.

j_hall_in
0 replies
1h19m

Yes I love love love BitWarden.

adam_arthur
2 replies
20h36m

People should just use a sufficiently complex, memorized, password for their money/identity, and then a (mental) algorithm that allows deriving unique passwords for other services that are less important.

Only have to memorize 2-3 strings and more secure than a password manager since there's no third party in the loop.

Password Managers are a huge man-in-the-middle and liability in other regards (e.g. you don't have it present on a given device or on hand).

SSO from a single set of credentials is a much better solution. Multi-factor biometrics even better (outside of PII sensitivities)

chuckadams
1 replies
3h28m

Normal people don’t usually run password generation algorithms in their heads. When they do, the algorithm sucks. This is why we have password managers in the first place.

adam_arthur
0 replies
15m

The formula can be very simple and is applied to less important services.

Unless you are directly, personally, targeted no hacker will waste the time trying to reverse engineer your algorithm... they'll just go on to brute forcing the next hash in the list.

And most people only have a few services that need to be truly secure anyway, which would use non-derived passwords (if they hack your netflix or spotify, who cares? Call support and get it back)

Password managers have had many exploits/failures over the years. You introduce so many points of failures bringing in a third party.

Your gibberish password with random symbols/characters isn't any more secure than a more memorable one of a similar length.

whitepoplar
1 replies
23h31m

I hope it includes credit cards, rewards programs, IDs/Passports, etc. so that I can cancel my 1Password subscription.

quenix
0 replies
11h27m

Credit cards are saved separately already, I believe

virgildotcodes
1 replies
12m

I have to be missing something. Isn’t this just a new coat of paint over keychain? What’s so revolutionary about this?

A lot of people seem to be acting like this is a really big deal. Is it cause it’s available on windows now?

ASalazarMX
0 replies
7m

If Apple restricts db syncing only to iCloud, it will be a pretty keychain for all practical means.

sircastor
1 replies
1h39m

We're BitWarden users in our house. We switched from LastPass after they double the price for the 2nd year in a row. We each have our own accounts, and then a shared organization.

If it were just me, I'd be tempted to just switch everything over. My wife is smart, and technically competent, but isn't interested in switching to new things until the pain points are too much. If I want to move to a new app or a new service, it can't be on a whim of mine, and it can't just be because I want to see what the new features are like.

allenbina
0 replies
57m

I moved from lastpass to bitwarden also, but I don't see the reason to move to apple passwords. I'm mostly linux at home, and I use the bitwarden browser plugins for chrome and firefox. I wonder how they plan to integrate browsers, since I imagine they won't have a linux app. Historically, they haven't written great windows apps, so I wonder how this will fair.

sam_goody
1 replies
21h5m

Maybe I don't want "whoever" to be able to get into every one of my accounts by coercing Apple to give access to all my passwords.

There are groups that can do that coercion (eg. US and CPC governments), and there may be support staff et all in Apple that can get the same access.

For the same reason, I was unhappy that Keychain.app is auto synced to iCloud (and as per a past thread, even if you disabled it it may be reset).

So, of course, I don't have to use their app. Except that I suspect it will be built into the OS in a way that makes it hard to avoid, such as Keychain.

I would love it if there was a way I could setup my self-hosted BitWarden instance to be as integrated as Keychain is, and not use Apple or Google for passwords.

commandersaki
0 replies
9h17m

iCloud Keychain and Passwords are end to end encrypted; how will coercion help?

n4r9
1 replies
1d

Considering this service would be operated and owned by Apple, likely to have a deeper integration across its iOS, iPadOS, and MacOS platforms, and doesn't have the same track record of security breaches as competitors, it should make for a compelling alternative for many users.

Is the reason for fewer security breaches perhaps that the data wasn't as valuable to attackers (until now) ?

throwanem
0 replies
1d

It looks to be a new surface on iCloud Keychain, which has existed and been deeply integrated into Apple OSes for a long time. It doesn't seem intuitively too likely this would make it a much more appealing target than it is already.

megamix
1 replies
5h22m

I never used 1Pass, I'd suggest ppl to make their own mental template for passwords that can be applied to different sites instead.

eknkc
0 replies
5h16m

I have 627 items in my 1P vault. That won't work.

jljljl
1 replies
20h44m

I want to use this, but this post gave me pause:

https://x.com/blader/status/1800263787746066646

"apple sherlocked 1Password today, so i'd like to remind you that your Apple ID is only as secure as your carrier.

if you have 2FA on and get SIM swapped, attackers can lock you out of it PERMANENTLY.

last month it happened to me. make sure it doesn't happen to you: "

Getting locked out of all my passwords would be pretty disastrous. Did Apple announce a change to the account lockout procedure as well?

DuckConference
0 replies
12h27m

You can add security keys as a 2FA method and it will disable use of the trusted phone number for authentication

jimnotgym
1 replies
5h40m

I feel like an old man saying it, but does anyone else remember competition law existing?

pasc1878
0 replies
4h2m

Here there is no problem.

You have a completely free choice to use 1password, BitWarden, KeePass etc ..... Apple is not stopping you.

Forcing all browsers on iOS to use Safari is a different matter.

diebeforei485
1 replies
20h2m

1Password has gotten progressively worse. It's now an Electron app (so it's slower to load), and some features have stopped working well.

They took VC funding to pivot to enterprise, anticipating that OS vendors would integrate basic password management features (what most of their usage at the time) into the OS.

So the consumer experience has been de-prioritized. I will not be renewing my 1Password subscription.

crubier
0 replies
2h25m

Oh the classic irrational HN hate on JS/Electron... 1Password 8 takes <1s to load from scratch on my machine, and is instant most of the time since it runs in background.

boringg
1 replies
23h45m

Password manager apps have been put on notice.

teolandon
0 replies
23h42m

Not while people can't use the Apple one on Linux or Android.

alistairSH
1 replies
6h31m

The article is light on details… what does this do that the current Passwords “app” (setting?) does not?

PlunderBunny
1 replies
21h58m

I've never understood why there are some passwords that exist in the macOS keychain app that don't appear in the Passwords section of the macOS System Settings (I think the password for my WiFi hotspot is one of them). Can anyone explain this? Will the new Password app have 'everything' in it?

I always end up looking in the Keychain app to be sure to find what I'm looking for, but I dislike that app because it often takes several password entries to get to see a password.

mh-
0 replies
17h21m

There are multiple different types of 'password' entries that can be stored in the Keychain. If you open a terminal and run `security -h`, you can see what I mean. Keychain Access.app is accessing the same database as this CLI tool.

I assume the Passwords section of System Settings is only pulling up a subset of these, but I haven't upgraded macOS on my personal laptop in a long time (I'm on 12.4), so can't verify easily.

GeekyBear
1 replies
23h19m

I'll be interested to see if there is improved support for handling and syncing passkeys to multiple personal devices.

I'm a bit nervous after hearing about people having early adopter issues.

Hopefully there is some sort of fallback if something extreme like a house fire manages to destroy all of your personal devices at once.

jesseendahl
0 replies
4h12m

Hopefully there is some sort of fallback if something extreme like a house fire manages to destroy all of your personal devices at once.

This is already addressed and has been since Apple first launched support for passkeys. See the “Recovery security” section of the “About the security of passkeys” support document here: https://support.apple.com/en-us/102195

wwalexander
0 replies
23h40m

One of my biggest feature wishes finally come true. A few updates back they made the Passwords section in Settings one level less deep, and I was very frustrated they realized it should be easily accessible but didn’t bother making it a standalone app when Keychain existed on Mac.

vbezhenar
0 replies
22h7m

Good. I already switched to iCloud Passwords for all my needs, but it's not very convenient now. No way to store bank card info, no way to store ssh passwords (I'm using fake domain myserver.ssh.com, but that's weird), no way to store key files. Hopefully it'll get better.

tonymet
0 replies
3h13m

Does webauthn have a protocol for username / password retrieval ? It would be nice to have a usb security token that is backward compatible with username + password login.

thway15269037
0 replies
20h1m

Are they going to remove competitor password manager apps as they did with other things they have incorporated into the iOS?

theogravity
0 replies
22h40m

Lack of Linux support and i'm not sure if it handles storing files (eg pdfs) is what would hold me from adopting this.

I use 1pass across all platforms.

sleepybrett
0 replies
22h50m

I hope there is a cli that will allow access to this like the `security` command, maybe this is just another facade on top of oldschool keychain?

shironandon
0 replies
22h53m

this sounds great as long as law and federal enforcement agencies can also access that password manager app as-needed.

sgerenser
0 replies
23h44m

I think this will finally get me to switch from 1Password 7. I was never going to go to the new, subscription-only, electron-based 1Password, so its either hold out on 1P7 for as long as possible or look for something new.

rqtwteye
0 replies
56m

I used to use keychain for my passwords. It worked really well until I tried to export data so I could use it on Linux. No dice. The way it looked there used to be an export function but then Apple decided to take it away. I think I'll stick to Bitwarden. Works reasonably well and I can back up my passwords with a simple export.

rodolphoarruda
0 replies
23h34m

And put all the eggs into the same basket? No, thanks. I prefer to spread critical responsibilities among a small group of "little tech" companies that offer clear and concise data portability among them.

rdm_blackhole
0 replies
22h22m

I for one will stay away. What if your Apple account get banned? Then you lose all your passwords?

It's the same reason I don't trust Google with all my picture or documents. At any point in time their algos can flag your account for wrong reasons and that's the end of your digital life.

pocketarc
0 replies
23h41m

It works on Mac -and- Windows? Goodbye 1Password! The browser extension has been SO buggy for me on Safari ever since v8, I'm SO excited that I might finally be able to ditch it. I even mentioned it in a comment before[0]. Looks like the day has come!

[0]: https://news.ycombinator.com/item?id=36427945

pkamb
0 replies
23h10m

My annoyance with Keychain has been that items kind of appear there as I type in a username and password on the web. Feels rather ephemeral, like old "saved passwords" in Internet Explorer or whatever. Feels like I'm one browser cookie reset away from losing everything.

Whereas with 1Password I use a separate app to CREATE a new Login file for an app/website/anything. I can save that file with as much or a little information filled out as desired. Can create arbitrary info files for Passports, library membership cards, etc. I know the information for each is forever stored exactly as I created it, always syncing, never overwritten when I type in a different password and accidentally hit "save" in a webform.

I hope the new Apple Passwords app is more like the later; if so I would switch.

offsky
0 replies
21h17m

If I lose access to my Apple account (via hacking, being banned or otherwise), do I also lose access to all my saved password? Thats what I want to know.

nerdjon
0 replies
23h44m

Yeah there is a pretty good chance that once this rolls out I won't be using 1Password anymore.

I only use 1Password instead of native because I needed something that worked on Windows. Will need to see how well that works, but I just don't see a personal reason why I would not just use this when it works so much better on my iOS devices.

mtillman
0 replies
22h22m

I really enjoy 1password, things, mind node, etc but I never seem to enjoy Apple apps other than Messages or I suppose Finder if you're being very specific. Maybe this one will be different.

m3kw9
0 replies
2h25m

Good riddence for 1Password, terrible interface

jkkorn
0 replies
8h47m

I just hope the next feature is FaceID on the Mac.

jaskaransainiz
0 replies
23h7m

Nice

hankman86
0 replies
11h41m

Companies like 1Password must be having a bad day. They have previously been held back by Apple, resulting in a poor user experience on iOS. And now Cupertino is entering into direct competition. Let’s see if Apple reaches feature parity and in particular, actually offers decent cross-platform support.

epaulson
0 replies
22h47m

Are there APIs to get the iCloud sync into my own app? I'm all for iCloud syncing to my devices I just want a way to also get a backup in a file so if Apple decides to delete my account on a whim, I don't lose everything.

dcchambers
0 replies
2h28m

I was pleasantly surprised to see they said they would have a Windows app, but it's DOA for me unless they also offer a solution for Android :(

I love my mac and I love my pixel phone but sometimes being a Mac + Android user just sucks.

danielecook
0 replies
14h17m

I’m concerned about how secure this will be. What happens, for example, if you experience a sim swap attack?

How will apple protect all of your password data in this case?

Will the setup allow for an additional password to prevent hackers from gaining access?

daft_pink
0 replies
22h47m

I think it needs multiple domains for an account. It appears this hasn’t changed from their current setup from the screenshots in the presentation.

I don’t want to switch from 1pass if I can’t set 2 or 3 separate webdomains for an account as I find this to be the most annoying feature of apple passwords, when a website has a separate register page from it’s login pages. In 1pass you can just delete the subdomain and add domains. Apple doesn’t allow you to edit at all :(

crowcroft
0 replies
1d

I would guess the reality is companies like 1Password make almost all their revenue through B2B relationships. I doubt Apple will encroach too much in that space (lack of sales reps/support etc.)

Curious to see how this ends up impacting competitor's businesses or not though! If Apple gives themselves access to a bunch of integrations and APIs no one else can that sounds like they would be abusing their monopoly power...

bradmcnally
0 replies
2h38m

This is very welcome! I had previously used a Siri shortcut on my desktop that would launch the password setting. (which worked very well, but a dedicated app is better)

boringg
0 replies
23h39m

You think people will migrate from LastPass to 1password or do you think this just limits new inbound.

Also if those two apps didn't have a product feature map way ahead of apple then they were doomed from the get go. They must have known something like this was a significant business threat if not existential risk...

bluSCALE4
0 replies
12h52m

I was happy using Bitwarden until recent updates that basically block out the entire form input. It's a dark pattern to me, built off fear and that's not the perception I want to see in someone in charge of my passwords.

arijun
0 replies
9h38m

Is this just a standalone app for the existing password manager in settings, or is there more to it?

alt227
0 replies
23h25m

So are they literally just launching an icon which opens keychain?

alberth
0 replies
23h29m

What's new besides management of passwords being move from Settings, now into it's own dedicated app?

Syzygies
0 replies
9h41m

For years, Keychain Access would copy disk image passwords from custom keychains into keychains that opened at login, defeating my attempts at extra security.

I don't trust 'Passwords'.

Sprotch
0 replies
23h38m

For this to catch on it needs to have a Chrome app - that's the only way employers let you use a password manager

Hippocrates
0 replies
6h6m

Thank god. I think 1pw has been mostly good, but it has frustrating quirks... Like requiring me to input the master password on the iOS app/OSX/Browser extension (on the same device) as if each of these apps have no way of communicating.

I constantly have issues with it not engaging on a form where I have to manually switch to 1pw, though it has gotten a bit better over the years.

I hate to see a company/product get sherlocked but I don't feel like password security was something we should need to have a subscription for.

FredPret
0 replies
23h2m

Good! I've typed ⌘-spacebar + "password" about a million times now

FalconSensei
0 replies
3h44m

My main reason to use this would be to maybe have an easier time adding a login when I'm on mobile - hopefully Apple would make it as easy as with bitwarden's desktop browser extension where you can just click 'save' or 'update' after logging in

My main reason not to use it is because I guess not going to work as well with firefox desktop?

Canada
0 replies
21h42m

I won't even look at it until I see many years of track record of excellent support on non-Apple systems.

BiteCode_dev
0 replies
22h13m

A password manager that doesn't have an open-source client cannot be truely checked. Therefore it cannot be trusted to encrypt them before being sent nor to not contain a backdoor.

Apple was part of the PRISM program, we know they gave access to our data for mass spying.

Beijinger
0 replies
22h57m

enpass.io is great.

+ Can't beat convenience.

+ Cross platform

+/- free if you don't need mobile version

- Closed source

(no affiliation)

Angostura
0 replies
21h42m

So they are reinventing the KeyChain Access app on MacOS?