from Hacker News

1Password to Add Telemetry

by zan5hin on 4/24/23, 6:36 PM with 343 comments

by torstenvl on 4/24/23, 10:21 PM
Users: We want standalone non-subscription licenses!
1Password: I really wish we knew what users wanted.
Users: Please don't move to Electron, I don't want Chrome bugs in my password manager.
1Password: I'm just baffled. We never hear from users.
Users: Please, for the love of God, give us control over our vaults. Don't go cloud-only, we're begging you!
1Password: Better turn on telemetry. It's the only way to solve this mystery for the ages.
by squeegee_scream on 4/24/23, 8:02 PM
> Over the years, we’ve relied on our own usage in conjunction with your feedback to inform our decision making. This presents a challenge, though: we don’t know when you run into trouble unless you tell us. And sure, we have an extensive user research program, and listen to all of the feedback you share online and in conversations with our team.
> But there are millions of people using 1Password now, often in cool and innovative ways! If we’re going to keep improving 1Password, we can no longer rely on our own usage and your direct feedback alone.
I wish I were in the room when these arguments were being made. I would like to see the data that led them to this conclusion. I used to work at 1P, I was a happy user before I started working there and I continue to be a happy user. But I can remember so many conversations about telemetry and how we’d never use it…
by wootland on 4/24/23, 7:06 PM
Opt-out telemetry is unacceptable, this also signals that the product team has no vision and the organization is riddled with bureaucracy.
Great products get built by someone with a vision to create them, mediocre products gets created by product managers justifying their positions with data they've gleaned by spying on users.
by rdl on 4/24/23, 8:13 PM
Telemetry in a "trust us, this closed-source application which contains all your secrets, which we provide you and which we update periodically, is only contacting us for "privacy protecting telemetry" and not exfiltration, intentionally or not, of your most sensitive of all data" application is a hard pass for me. This seems like an IQ test kind of question.
(So many times error reporting, etc. have accidentally leaked highly sensitive data, which was then the source of a major compromise, in other systems. Maybe 1Password won't get it wrong, maybe 1Password will never be subject to any pressure to get it wrong...)
by gaws on 4/24/23, 10:00 PM
I've been a 1Password customer for five years. The move to 1password 8 has been beyond disastrous: terrible extension integration, browser constantly crashing when trying to log into the web panel, and the mobile app integration hardly works with mobile browsers.
Add the recent announcements that the company will no longer support their last stable version -- 7 -- and move to using telemetry -- I'm out.
I've jumped to Bitwarden; open source, cheap, and competitive features. It was a no-brainer.
by xyzzy_plugh on 4/24/23, 6:52 PM
Seems fine to me. Opt out is reasonable, I trust 1password to not fuck this up versus, say, LastPass. If you already trust 1password to store your credentials, I see little to no impact to your risk exposure by having them collect anonymized telemetry. Curious if others have thoughts here?
Their UI has changed a lot in recent years, maybe this will enable them to make more informed design decisions so that one day grandparents stop getting lost in their horrible menus.
by rdl on 4/24/23, 8:10 PM
The 1Password "no local/standalone vaults" "upgrade" in 7->8 is what got me to leave it after 15 years or so. They're killing the extensions used by Chrome/Brave/etc. in 3 months, so it became critical to move off Version 7 (which is probably not getting much security maintenance now, either). RIP.
by crossroadsguy on 4/25/23, 12:19 AM
They’re going CrashPlan. You were all dog-fooders and beta testers all these years for their eventual destination - the enterprise. Yes, of course you’ll be able to buy at $XXX/year with a minimum 10 users plan while you are all still singing paeans in the tune of - “oh it has gone shites, but it’s great, happy customer here!”
Mac/Apple only customers have this strong inclination for some kind of Stockholm syndrome when it comes to software and devs going shitty and hostile. I find this weird kind of loyalty added to software as well that somehow starts as Mac only and that loyalty stays even after they go crap. Often blown out of proportion.
I mean I always wonder what is the reason that these people don’t even want to acknowledge BitWarden.
by danpalmer on 4/24/23, 7:00 PM
Telemetry to inform product decisions is fine, in fact I think it's necessary to have confidence that software is performing in the wild (e.g. crash reporting), or that customers know how to use it.
What is not ok is opt-out telemetry for personalisation for advertising, or over-reaching personal data collection, in 1Password's case data from your vault.
There is however a grey area in the middle – data about the performance of product upsells. This is a tricky one, because arguably if I do upgrade (say, to 1Password Family/Teams), I've probably done so because it made sense for me, and I'm probably happier with the product... but I might not have done so without that information on how I or others use the product that helped optimise that flow. When done well I don't have a problem with this, but I hope 1Password are careful about the culture of upsells that this data could create.
by desmondrd on 4/25/23, 4:42 PM
I've used 1Password since 2014 -- almost 10 years! And my company uses it, so I'm both personal and business user.
Product quality, especially with 1Password8 has deteriorated significantly. A big bag refactor to electron with no telemetry is probably the root cause. Not necessarily poor strategy, but certainly poor execution.
Telemetry is actually a good thing for 1Password users who see product quality decreasing bc it gives the PMs there some information to go off. The product surface area is huge now, and it's natural to lose sight of the most important stuff.
If I was in charge, what would I do?
1. Introduce telemetry and get data into hands of PMs + Designers
2. Pause all new feature development until table stakes features are working flawlessly: 1Password opens under 200ms for most users; auto fill in Chrome + Firefox actually F*king works like it used to before v8.
3. Trim down product surface area by killing features. E.g. decide is the default UX for auto-fill based on interacting with a button inside form inputs OR simply hitting the keyboard shortcut to autofill? Kill the other bc the interaction between these choices is painful.
I'll give them a year to figure this out. In the meantime, a Copilot / ChaptGPT enabled bootstrap founder will come along and build out a trimmed down version with just the basics and start eating their lunch.
by hankman86 on 4/25/23, 2:13 AM
This is very, very bad news. Even if their client telemetry ends up being opt-in, the “feature” will be part of the client code base, opening up an attack surface and chance of data leakage. I can already see the apology letter from their CEO coming in (“we let our users down”).
1Password, don’t do it!
Rely on other means to collect usability feedback like surveys, internal usability testing and developer tooling for build-time usability testing. Your app is simple enough that you absolutely, categorically do not need to subject your users to mass surveillance.
I am currently paying for a 1P family subscription and I will be moving to another provider or self-host a free/OSS password manager should your telemetry plans eventuate.
by adoxyz on 4/24/23, 6:51 PM
I've been a 1Password customer for many years. Their product is super solid. The family plan is very generous. I personally don't have an issue with them collecting some telemetry to improve the product. And they've stated they'll offer ways to opt-out.
by nullstyle on 4/24/23, 7:05 PM
I'm disappointed with what 1password has become. To put it in a tone I feel is appropriate given how much time and money I've invested into their product, I don't think abandoning native development for electron to shove telemetry into your product counts as bending over backwards to preserve privacy. It reeks.
by tohnjitor on 4/24/23, 7:39 PM
I dropped 1P the day I ran a suggested update and it locked me out from making changes to my database unless I signed up for a paid subscription. FOSS or bust.
by rcarmo on 4/25/23, 9:37 AM
I’ve completely moved away from 1Password (here’s my list of alternatives: https://taoofmac.com/space/apps/1password)
Right now, the only thing I am missing is something that will sync with a KeePass vault and push TOTP tokens to my Apple Watch (as well as a couple of rarely used credit cards whose PIN codes I would like to have always available for emergencies).
Other than that, if you’re not an enterprise customer I think OS or browser-based password managers (which now sync across machines and platforms and even have the ability to do TOTP, at least on the Mac) are finally good enough for end users.
If you need to store software licenses, recovery codes, etc., KeePass XC is excellent for that as well, and available everywhere (and no, sorry, I don’t want to use Bitwarden because I don’t want to run a dedicated sync service for myself, or use anyone else’s).
by oefrha on 4/24/23, 7:14 PM
If telemetry can tell them 1Password 8 UX is a downgrade from 7, I’m all for it.
by nickvanw on 4/24/23, 6:57 PM
I have my issues with what 1Password has become as a product, but this seems like a very good stance to take. As a product owner, it's essential to know what and how people are using the product, collecting some straightforward telemetry that's anonymized and doesn't contain and Vault data strikes me as reasonable.
by Nicksil on 4/24/23, 7:57 PM
This is very simple: Present a one-time prompt asking to opt-in.
Explain to me how my admittedly naive solution fails to deliver for all consenting parties.
by TkTech on 4/24/23, 7:39 PM
My history with 1Password:
- Purchase a stand-alone license, getting well-performing and feature-complete native clients with several options for vault sync that are under my control.
- Upgrade to 1Password 8, a version that sounds great, but has quietly removed local sync unless you checked forum and blog posts before buying.
- Watch the clients go from being native to Electron and losing many, many features. Get forced into using the web app for simple things like seeing history.
- Watch browser integrations get progressively worse (check out the reviews on the Firefox extension, oh boy)
- Even if you've been using 1password 7 (the version you paid a good chunk of change on for, in 1Password's own words, a life-time license), you won't be able to use it with browsers at all soon https://support.1password.com/kb/202303/.
- Get popups and unwanted opt-out integration with social media logins, when I've gone out of my way to purge garbage like "login with google" from my internet experience.
- Get unwanted opt-out telemetry forced on you, which regardless of their assurance will eventually leak PII like it always does. People make mistakes, c'est la vie. I would have no issue with opt-in telemetry.
I think this is it for me. Forced telemetry is a small thing, but it's just one of many poor decisions. I'm sure it's a smart business decision and their investors will be happy finding more and more ways to extract value out of users. I just want a simple password manager, so after a decade this is it for my family and myself.
by robbiep on 4/24/23, 7:16 PM
The vc funded slide into oblivion started a while ago and continues
by npteljes on 4/25/23, 10:07 AM
I think it's ridiculous to have such functionality in a tool that's supposed to keep secrets. But we won't see meaningful change until a major WTF happens, and maybe not even after that.
by stereoradonc on 4/24/23, 11:34 PM
This is the killer feature I was missing! Pay money for usage and the way the app interacts with users, and they have crossed their hearts that they won't "spy" on us (which can change any other time in their terms and conditions). Who wants to bet they will find a way to stuff "privacy focused apps" in the vault? Why not?
by samcat116 on 4/24/23, 10:32 PM
Just wanted to add my voice that I really like the newer 1Password stuff. I haven't had any issues I've seen people complaining about, and don't have any of the philosophical issues that a lot of others seem to have. If you're one of those people, you should be definitely just move to Bitwarden.
by nikanj on 4/24/23, 6:51 PM
After taking in ridiculous amounts of money, they must figure out what features are most crucial for users – so that those features can be monetized the hardest
by AndyMcConachie on 4/25/23, 9:38 AM
I've never trusted any of these password storage services and only use KeePassXC. I remember having conversations with people years ago when these services were appearing and I told them that eventually these services would screw over their users. To my amazement people continue to believe that storing their most precious information(passwords) with a 3rd party. I truly don't understand.
It's just too much risk exposure for me. Why on God's green earth would anyone trust some random assholes with something as important as passwords? I just don't get it.
They're gonna screw you over. And they're gonna continue screwing you over because you continue to be their customer. Just recognise that and move on.
by piperswe on 4/25/23, 11:59 PM
1Password's recent developments are sad, especially so since I don't know another fully-featured secrets manager I can wholeheartedly recommend to less tech-savvy folks. Bitwarden's UI is nowhere near as polished and end-user-friendly as 1Password's IME, and the password managers built in to phone operating systems manage passwords - nothing else. Also, 1Password's sharing functionality is invaluable - if I want to share a credit card number or something with family, I can just put it in a shared vault.
Is there another user-friendly, powerful password manager out there that I can recommend instead?
by ___dam___ on 4/26/23, 5:34 PM
1Password is the leading cautionary tale of how to make boat loads of happy customers cry in the shower daily.
They took an amazing product that worked better than every competitor and was easy to use then ruined it with the absolute dumbest product decisions I've ever seen.
They gave Apple the green light to put them out of business and I'll be switching as soon as that feature is available.
Their product decisions were almost as bad as Sonos, almost.
by KomoD on 4/24/23, 7:40 PM
I don't like telemetry but I'm a happy 1Password customer, will probably opt-out anyway.
by TheRealDunkirk on 4/25/23, 5:21 PM
US companies, led by VC's, have mastered the art of "shimming" themselves into every consumer interation possible, and then expanding that shim until all we can do is give up and say, "I guess that's just how it is," cede our privacy to yet another 3rd party, and pay $X/mo for the privilege. It's exhausting. Meanwhile, it seems almost everyone in Congress is making BANK on insider trading, probably cooperating with private equity doing this sort of thing, so there's no chance to implement regulations to prevent people from boiling more frogs. If there's one app or service that I use which isn't doing this, I don't know what it would be. Maybe Sublime Text? It's the only thing installed on my computer that I trust to not be transmitting telemetry. I guess that means I should join a VC firm and convince them to do a big investment in it to make it a be-all-things-to-all-people golem like VS Code, and include telemetry and a monthly cost model. We're running out of things to enshittify people!
by AwaAwa on 4/24/23, 9:59 PM
Lock folk in with 'cloud' based 'subscription' models, and then do what you will.
'Climate change' in 'cloud' world.
by bwoodruff on 4/25/23, 3:15 PM
Hi folks,
Thank you for the comments on this important topic. 1Password's mission is to help people safeguard their most important information and to do that, we have always taken a human-centric approach to security. In order to deliver the exceptional product experience our users expect from us, we need to better understand how they use 1Password.
And while our goal is to deliver better 1Password products, we won’t require our community to help us if they don't want to. We're fully committed to transparency and will provide updates coming out of our research and development period. When we are ready for a wider rollout of this functionality, we will provide clear, in-app messaging, and you’ll be able to control whether or not telemetry is active on your account.
In the meantime, thank you for sharing your feedback – these discussions are always valuable to us, and we appreciate your constructive candor.
-Ben, 1Password
by Double_a_92 on 4/25/23, 9:46 AM
I honestly can't understand how anyone would use those cloud services for important passwords and keys. The risk/reward ratio is just too high. And for anything not crucially imporant I would just whatever my web browsers support natively.
by musicale on 4/24/23, 11:03 PM
I wouldn't object to Apple driving another small nail into 1Password's coffin by coming up with a scheme to enable Firefox and Chrome to access iCloud Keychain for certain web site passwords (but not all of them!)
Supporting it on Windows could be another nail.
by 6sp on 4/25/23, 3:08 AM
I’m glad I’m not alone in my thoughts on 1P 8. Unfortunately it’s become completely unusable for me and I’m actively looking into alternatives. Leaning toward Bitwarden although it’s UI is a considerable downgrade imo.
by smileybarry on 4/24/23, 8:01 PM
It sounds like they're planning it to be as general as possible (more just "how much is each feature used"), but it'll also be fully opt-in:
> And, of course, once this functionality rolls out to customers, you’ll be able to control whether or not telemetry is active on your account.
("account" sounds like you can turn it off family-wide or even organization-wide)
[ Reposted my comment from duplicate post: https://news.ycombinator.com/item?id=35685170 ]
by mieubrisse on 4/25/23, 10:46 AM
Unpopular take: this is actually exciting to me.
As development has continued, the 1P app seems to have gained in bugs. I've tried reporting these - I like 1P and the 1P team seems to care about delivering a quality product - but using their forums is very frictionful and I've often given up on reporting bugs because it's not worth the faff. Telemetry holds the promise that they can fix the bugs without me needing to manually report.
by kmfrk on 4/24/23, 8:10 PM
I've had issues where 1Password wouldn't save my new logins properly, lasting for over a day. Maybe that's why they need the telemetry.
Do 1Password do security/privacy audits the way Mullvad do? That's a pretty decent way of building goodwill over time when it comes to decisions like this. It's probably a fine decision, but they should probably have gone to greater lengths to write this blog post in more exhaustive detail.
by johnla on 4/24/23, 7:07 PM
At risk of sounding dumb: what's in the telemetry data?
by MaintenanceMode on 4/24/23, 11:07 PM
The writing has been on the wall for some time. It's clear that they are focused on growing the company and maximizing revenue. Nothing wrong with that, but my family's needs aren't going to satisfy a hungry capitalistic company. So I've had plenty of time to have alternatives, which I've been using. 1Password has been in parallel with another password manager and once they end support for 1Password 7 my family will turn this one off and switch.
The experience with 1Password 7 isn't all that great right now anyway, so I'm not losing much really. The syncing is super useful, but there is a solution to that too.
It's been a good ride. Now it's good riddance.
by vladharbuz on 4/24/23, 7:40 PM
I hope they fix all the issues with unlocking. Sometimes it takes ~20sec to unlock 1Password. Sometimes unlocking the browser plugin causes the app to pop up, other times not. Sometimes it just doesn’t unlock. I think there are two kinds of browser extension, which is confusing. All very frustrating at times and only getting worse.
by MojoLobo on 4/24/23, 11:02 PM
Are there any password managers that provide a similar UX on mobile phones/iOS? If so, I'll move there in an instant.
> At that point, we’ll also provide guidance on how you can opt out if you’d like to.
Better than nothing. But they're moving away from being the #1 choice and a great product step-by-step...
by throwaway5959 on 4/25/23, 4:58 AM
This is garbage. For an application so sensitive, telemetry should be opt-in if present at all.
by 35803288 on 4/24/23, 9:56 PM
This is a big, hard NO. Bye bye 1P.
by roydivision on 4/25/23, 12:41 PM
I’m counting the days before I finally need to find an alternative. I’m hanging on to the non-sub, non-cloud vault, non-telemetry version, but it’s only a matter of time. Shame because otherwise it’s been a great product, rock solid.
by JohnFen on 4/24/23, 7:40 PM
While I am very allergic to such data collection, if you're going to do it, this seems like the way to do it.
I'm not a 1Password user (and won't become one), but if I were, I wouldn't necessarily be in a huge rush to stop as a result of this.
by TheRealDunkirk on 4/25/23, 5:28 PM
I’ve resisted putting my passwords in Apple’s keychain, because it’s the last “egg” I DON’T have in their “basket,” but I think 1Password has finally turned up the heat a bit too far on this frog.
by csubj on 4/25/23, 5:47 PM
For every person here reading and commenting, please also share your opinion with the support email they provided: support+telemetry@1password.com
I have low confidence they will listen, but might as well try.
by sashk on 4/24/23, 10:05 PM
> At that point, we’ll also provide guidance on how you can opt out if you’d like to.
Well, at least there is opt out. Probably, will be on account-by-account basis, not family/organization-wide.
by Arubis on 4/25/23, 2:04 PM
I really don’t want to have to deal with migrating fifteen years of stuff out of 1Password, but this might compel me to out of respect for the clients I work with.
by VincentEvans on 4/24/23, 10:29 PM
How about an ability to resize the width of the column that lists the names of the secrets in the vault so that I can see what they are. That’d be higher on my priority list.
by imwillofficial on 4/24/23, 7:01 PM
This is exactly what I want in my password manager.
by santiagobasulto on 4/24/23, 10:50 PM
What a coincidence. Just yesterday I was discussing 1pwd’s series A with a friend and I remembered about a podcast the founder (David Teare) did with DHH (Rework Podcast). In it, he literally cites this. He says they raised money for a bunch of things, and one, was to add metrics, but he wanted them to make them anonymous. We’ll see how it plays out.
Podcast: https://open.spotify.com/episode/6RZm7V8IcvuMuaCmVBE4EG?si=v...
by openplatypus on 4/26/23, 9:04 AM
Hey 1Password, make sure to set Telemetry as Opt-In ONLY in the EU. You know. Laws and compliance stuff.
by skylurk on 4/25/23, 10:06 AM
What is the random query parameter injected into the open-and-fill feature? Is it not telemetry?
by tptacek on 4/24/23, 7:31 PM
The only reason we're talking about this is that 1Password wrote a blog post about it. They're not dumb, they know that this is the reaction they can expect from a blog post about how they're doing telemetry. They compete with a raft of products that not only use telemetry, but do it sneakily and with SAAS vendors that add attack surface to their products. But nobody talks about telemetry in those products, because those vendors don't want to have the conversation.
by replwoacause on 4/25/23, 11:50 PM
Glad I never moved to 1Password. Been a happy Bitwarden customer for years.