Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I've been on 1Password since 2007. Unfortunately, software quality seems to have taken a nosedive since version 7 came out (disregarding the subscription issue). Random beachballs and slowdowns, annoying 2FA and duplicate password warnings, and decoupling of stored files from login entries.

I have been considering a replacement but haven't found anything up to the ease of use and Mac/iOS integration of 1Password yet.



I dont like the new safari web extension that adds little in page pop-ups everywhere. When I enter my master password, how can I be sure that the pop-ups are coming from the 1-password web extension and not from the website or another extension? Is it sharing the DOM with the website? If not, how are they separated? I realise I don’t understand how web extensions work but even so I don’t see why these pop-ups couldn’t easily be imitated by the site I’m on and I feel that it’s just asking for trouble doing stuff like that. After a bit of googling I realised that its possible to turn off, so I have.

1password has been feature complete for years now, I think they are changing things for no reason at this point. Just charge me for an update when operating system upgrades break the software. Sounds harsh I know, but TBH I wouldn’t mind if apple added family sharing to passwords and finally finished sherlocking them.


Yup. Since 7.7 my 1Password looks like this (https://imgur.com/a/Zz4WSdx) on my external screen, with the scaling of the background inexplicably broken. I also see other graphical glitches here and there. Meanwhile 1Password 7 for Windows every few months forgets that I registered it and I have to go find the license file (within 1Password!) again.

The paternalistic Watchtower "feature" is a whole other set of annoyances I wish I could disable.


Same boat here. 1Password is now the slowest piece of software I use on a daily basis. 15-30 seconds to get a password out of 1Password mini, laggy and unresponsive keyboard navigation, TouchID prompts that stack under other modals or windows so they don't work, random beachballs, ... the list goes on.

At least sync still works flawlessly?


1Password browser and Mac app work for me without the issues you mention, paying user since version 5. I'm on a late 2013 MacBook with Catalina. I had the beachball issue in Safari but it went way after I restarted once.

I tried LastPass but on the first day it didn't save a password I generated like 5 seconds earlier, and I stopped trying it immediately.


I tried 1Password, but there was a basic missing feature, you can't toggle reading the password.

This was a deal breaker for me when I have a ~90 character password (I often mistype one specific key everytime).

Bitwarden doesn't have this problem.


Why would you type a 90 character password instead of copy / paste or have the manager fill it in?

Also why 90 characters when 2FA would be the safer option? Or half that is already infeasibly long to brute force?

Also what do you mean 'reading the password', like via a screen reader? I mean that would be pretty bad for accessibility, but if you mean displaying the password, my version has buttons for it (regular inline, and a popup with the password pasted large on the screen).

I have so many questions.


I was not clear.

This is the password for the password manager (e.g. 1Password/ lastpass master password). The password to rule them all. It should be extra secure. I also have 2FA, but you must have heard of defense in depth.

Anyway, I want to be able to see the password and check for typos before entering it to unlock the vault. I don't want to retype the whole password in when I only mistyped 1 character.

When I say read, I don't mean screen reader. I mean read with my eyes, I didn't think this would be a sticking point.


Honestly, 90 digit password is only harder to type for you. It’s not more secure than only in theory when compared to, say, 20 digit password.


I choose to have the highest level of security I can afford, of course there are diminishing returns with each layer of security. Im happy to see evidence that a long password is only secure "in theory", until then I will keep my strategy. I can type 100WPM and this password is based off ~uncommon words, so I'm not uncomfortable: I didn't complain about entering, I claimed the issue is 1 wrong character requiring typing the whole thing password. It only takes a few seconds, but it is frustrating to type the whole thing again (regardless of length).

https://xkcd.com/936/


Well, considering the LastPass master password is stored as a 256bit string on the servers, your 90 character master password has 720 bits making it considerably more its that make up the hash thats stored on the servers! 1 ASCII character is 8 bits!


You don't understand encryption. The master password is not "stored as a 256bit string on the servers".


Yeah it is!!

LastPass stores our master password hashes as a SHA-256 bit key.

All I was quipping at, was the fact that the password you enter in length is a whopping 720 bits!

I find it funny that this bit length gets reduced to a hash which is only 256 bits in length.

Your password has more entropy than the hash that gets produced from it.


Try Enpass? Only the mobile app is paid once, everything else is free. No subscriptions, too.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: