Our family has used 1Password for many years, most recently 1Password 7, which is now at least three years out of date. We didn’t want to upgrade to the latest version, went looking for alternatives, and have been exploring Bitwarden. The best choice isn’t obvious; here’s the story thus far.

Important note: I suspect that most-to-all of the people reading this already are using a password manager. If you’re not, please, PLEASE start now. Your browser probably has an OK one built-in, which is much better than nothing. Here is a good write-up on the basics.

Our needs · They’re not fancy. The house contains Macs and Androids and Windows and an iPad. We have hundreds of accounts (some require an authenticator) and a basketful of secure notes: government-ID numbers, recovery codes, and so on.

1Password 7 and 8 · 1Password had this nice feature where you could sync between devices without involving any 1Password servers, in a variety of ways. We used one of those and liked it. 1Password 8 insists on storing your data on its own servers (encrypted; more on that below). That always bothered me because, obviously, that repository is a top-priority juicy target for all the bad guys, who range from employees of the Chinese government to geeky narcos.

So we’ve been ignoring 1Password’s increasingly plaintive reminders that we were using years-out-of-date software and chugging along with version 7. But, early this year, they broke our sync mode on the Android app and were pretty blunt that the only way to get it back was to go to 1P8.

Alternatives · There are plenty of password managers (let’s just say “PMs”) out there, but having scanned the landscape regularly, I think 1Password (hereinafter “1P”) and Bitwarden (“Bw”) stand out as leaders. The rest of this piece will focus on those two. If you think I’m wrong, say so below, but also please say why.

Note that Bw comes in two flavors: the subscription service offered by the company of the same name, or an open-source software suite you can build and run yourself.

This is not to say that the PMs that are starting to appear built into browsers and OSes are worthless or unimportant, just that some of us need a little more.

The threat models · Two are obvious. The first is incompetence, like for example LastPass, who apparently left the doors more or less wide open to those bad guys I mentioned a few paragraphs ago. A complete horror show.

The second is legal compulsion, where a government applies pressure to a PM provider to cough up our secrets. Anybody who thinks governments won’t try is fooling themselves, because they’ve repeatedly said they want to, and are eager to pass ill-considered legislation such as the CLOUD Act. So we care about that aspect a lot.

1P vs Bw: Security · I think they both have acceptably good security postures; check out the Bitwarden Security Whitepaper and 1Password’s “About the 1Password security model”.

Both of them offer to host your data outside of the US, specifically in Canada or the EU. Bear in mind that the hosting region only says where the ciphertext sits; it doesn’t limit which governments can lean on the company, and the CLOUD Act in particular reaches data that a provider under US jurisdiction stores abroad.

But it doesn’t matter that much if a bad guy or bad government gets their hands on your password store; what matters is whether or not they can decrypt it. Both designs encrypt and decrypt only on your own devices, with a key derived from your master password by a deliberately slow key-derivation function (1P additionally mixes in a random Secret Key that never leaves your devices), so what sits on the server is ciphertext the operator has no key for. I’m not an infosec professional but I know some and listen to them, and both those security postures give me a good feeling. It’s not an accident that they’re pretty similar.

The actual threat isn’t so much that an adversary cracks the crypto; that’s very unlikely. (Guessing a weak master password offline against a stolen copy is a different matter, which is why the key-derivation step is made slow and why the master password has to be a good one.) It’s that they find a way to force a PM vendor to build a back door into their software to get access to keys and passwords. For that reason, it would warm my heart if either or both of Bw and 1P were to post a Warrant Canary.
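To make “encrypted; more on that below” concrete, here is an added toy model of the design both vendors describe (an illustration written for this post, not code from 1Password or Bitwarden): the client derives the vault key from the master password with a slow KDF, the server is handed only a one-way hash of that key plus ciphertext, and the only thing a stolen or subpoenaed copy permits is offline guessing, which a device-held Secret Key (1P’s addition) defeats outright. The HMAC-based cipher standing in for AES, the `alice@example.com` account, the three-word wordlist and the reduced iteration count are all constructed for the demo.

```python
"""Toy model of the client-side ("zero-knowledge") vault design 1P and Bw
describe: the server never sees the master password or the vault key, only an
authentication hash and ciphertext.  Added illustration, not either product's
code.  The HMAC-counter-mode cipher is a stand-in for the AES they really use."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Real clients default to hundreds of thousands of PBKDF2 rounds (or Argon2id);
# kept small here so the dictionary attack at the bottom finishes instantly.
ITERATIONS = 20_000


def derive_keys(password: str, email: str, secret_key: bytes = b"",
                iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Return (vault_key, auth_hash).  Salt = account e-mail, optionally plus a
    random Secret Key that lives only on the user's devices (1P's addition).
    auth_hash is derived one-way *from* the key, so the server can verify a
    login without ever being able to recover the key."""
    salt = email.lower().encode() + secret_key
    vault_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, password.encode(), 1)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys, both derived from the vault key."""
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy replacement for AES."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def encrypt(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, "sha256").digest()


def decrypt(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key or a tampered blob is rejected outright."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def server_store(auth_hash: bytes, blob: bytes) -> dict:
    """Everything the operator (or whoever breaches or compels them) holds.
    The auth hash is hashed again with a server-side salt so a leaked database
    can't simply be replayed to log in."""
    salt = os.urandom(16)
    return {"salt": salt, "auth": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 1), "blob": blob}


def login_ok(record: dict, auth_hash: bytes) -> bool:
    return hmac.compare_digest(record["auth"],
                               hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], 1))


def offline_guess(record: dict, email: str, wordlist: list[str],
                  secret_key: bytes = b"") -> str | None:
    """The only attack a stolen record permits: rerun the KDF per guess and see
    whether the vault decrypts.  Every guess costs ITERATIONS rounds."""
    for guess in wordlist:
        key, _ = derive_keys(guess, email, secret_key)
        try:
            decrypt(key, record["blob"])
            return guess
        except ValueError:
            continue
    return None


def demo() -> dict:
    """Constructed sample account; returns the observations worth checking."""
    email = "alice@example.com"
    vault = b'{"bank": {"user": "alice", "password": "correct horse battery staple"}}'
    wordlist = ["letmein", "password123", "qwerty"]
    out = {}
    # Weak master password and no Secret Key: the stolen record falls to a wordlist.
    key, auth = derive_keys("password123", email)
    rec = server_store(auth, encrypt(key, vault))
    out["server_holds_key"] = key in rec.values()              # False: ciphertext + auth only
    out["weak_cracked"] = offline_guess(rec, email, wordlist)    # "password123"
    # Same weak password plus a device-held Secret Key the server never saw.
    sk = secrets.token_bytes(16)
    key, auth = derive_keys("password123", email, sk)
    rec = server_store(auth, encrypt(key, vault))
    out["weak_with_secret_key"] = offline_guess(rec, email, wordlist)  # None
    out["legit_login"] = login_ok(rec, auth)                   # True
    out["legit_decrypt"] = decrypt(key, rec["blob"]) == vault  # True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v!r}")
```

The lesson is the one in the paragraph above: the server-side record is useless without the master password, so with a strong password the per-guess KDF cost is the whole defence, and with a Secret Key in the salt the stolen record can’t even be attacked offline. A back door in the client, which holds the key, sidesteps all of this, which is why the client is the piece that matters.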

But I’m going to give Bw a very slight edge. First, because you can build and run it yourself, if you’re willing to take responsibility for operating a server with strong security requirements. (I’m not.)

The source being open potentially offers a second, and I think more important, advantage: if they got a Reproducible build working, you’d have assurance that the client you install was built from exactly the source you can read. (What their servers run you still have to take on trust, but the client is the piece that holds the keys, so it’s the piece that matters for the back-door threat above.) That reduces the attack surface, though not to zero. Reproducible builds are hard, but if they did that, it would make a difference to me.

On the other hand, Bw’s software development process embraces GenAI generally and Claude specifically. At this stage in the growth of those technologies, this sends a chill up my spine. To be fair, 1P’s website shouts that it’s just the thing for agentic security, whatever that means. And we don’t know anything about 1P’s internal software-dev process.

1P vs Bw: Fit and finish · 1P wins this one. The questions are: does the PM always pop up when needed and never when it’s not? Can it fill every login field that needs filling? Does the popup show you just what you need and nothing extraneous? I’ve used both and 1P is just better.

Business issues · This one is also pretty well a saw-off. Both of them have taken substantial chunks of VC money and thus are going to come under relentless pressure to enshittify. I worry a little less about this because from what I read, there’s not much lock-in.

Personal experience too: I recently did an export of everything out of 1P and into Bw and it all Just Worked, albeit putting all my stuff into a folder named "No Folder" that I can’t figure out how to rename.

Both Bw and 1P are sold as subscriptions (Bw also has a limited free tier), at prices that seem fair to me.

Death and recovery and pen and paper · As I was reading up on this stuff, the issue of recovering access to your PM after it had been lost came up a couple of times. Here’s a scenario where that could be really important: I die. And then my wife needs to get access to bank accounts and business emails and so on.

Somebody (I’ve lost the link) was horrified that one of the PMs suggested writing the password down on a piece of paper as a last-resort measure, but I’m here to tell you that they’re wrong. My wife has an envelope containing a piece of paper on which appear the passwords for my PM and Mac, my mobile-phone PIN, and a very small number of other secret things she might really need if I’m suddenly gone. I have no idea where she put it, but she’s really smart so I don’t worry.

You should probably do something like this too.

What will we do? · We’ve paid for a year’s worth of both Bw and 1P. At the moment, we’re leaning to 1P because it’s a little more polished. Which matters because my PM is something I use many times every day. Also they’re somewhat Canadian.

If you think we’ve missed something, please do let us know.



Contributions

From: Paul Bryan (Apr 09 2026, at 17:11)

The easiest and most manageable solution I've landed on is an offline KeePass-compatible password manager (e.g. KeePassXC, KeePassDX, Secrets, etc.) and sync the file between devices (I've elected for my laptop to be master, and replicate to my tablet and mobile phone).

This works well for my untimely death, as I've just written the passphrase to my devices and password database on an index card and put it in my safety deposit box. My wife and son know how to access it, and are familiar enough with the password managers to unlock my devices and access my passwords.


From: Jed Hartman (Apr 09 2026, at 17:30)

Thanks again for this post!

Side note (feel free to delete this comment, of course—just thought it made more sense to send you this here than on Bsky): the color that you’re using for links (#993333, I think) looks to my partly-color-blind eyes almost identical to the text color (#535353, I think). Could you consider using a link color that has more contrast with the text color? On first read of this post, I didn’t see that most of the links were links.


From: Jim DeLaHunt (Apr 09 2026, at 19:10)

Thank you for posting this. My family finds itself in a similar situation: holding on to 1Password 7 because we wanted to host our data locally, and 1Password 8 removes that option; and considering Bitwarden as an alternative. It is great to hear what you found in your exploration.

I am not sure from your write-up whether you decided to stick with 1Password 7 despite the Android Sync problem, or whether you gave in and moved to 1Password 8.

For what it's worth, I can still sync between my Android 1Password app and 1Password 7 on macOS.

Also, it's not clear whether you found a way to use Bitwarden which lets you keep your data resident on your local machines and not on their servers. Given that you discuss the security models for server-resident data, maybe you are letting your data reside, encrypted, on their servers?

Thank you so much for sharing your thoughts. It helps me with my choices.


From: Glyn Normington (Apr 09 2026, at 20:11)

I've been happily using Bitwarden for years after moving from 1Password. The post gives the impression that the only alternative to self-hosting Bitwarden is to take out a subscription, so I think it's worth mentioning there is a "free forever" tier available (although vault item sharing is limited to one other person): https://bitwarden.com/pricing/.


From: David (Apr 09 2026, at 22:27)

I'm a happy 1Password user, but Proton makes a password manager that is also worth checking out. 1Password integrates with Fastmail for email aliasing, which is nice (if you use and pay for Fastmail) while Proton integrates with SimpleLogin (which they own) and you can get a lifetime subscription there, which is also nice. I use 1Password because I was already on it before Proton released their password manager, but I also use SimpleLogin and just handle setup via swivel chair between the two add-ons in my browser. It's not a huge pain.

Good luck with your decision!


From: Dirkjan Ochtman (Apr 09 2026, at 22:54)

I’m a long-time Bitwarden subscriber, but they didn’t do well in this recent paper by a group of top tier cryptography researchers.

(This particular paper doesn’t talk about 1Password much, I forget why.)


From: Aaron Massey (Apr 09 2026, at 23:12)

Any consideration for Proton's Pass? Makers of Proton Mail among many other privacy-focused applications. I would be interested in your thoughts on it.


From: Anthony Williams (Apr 10 2026, at 01:01)

I use https://www.passwordstore.org/ and strongly recommend it. It uses git for the storage, and PGP for encryption, so keeping devices in sync is just the same as for any other git repo. I host a git repo on one of my VPSs, and sync across linux computers, phone and tablet. The Android App is really nice, and the browserpass Firefox plugin works well on Linux.

Since it uses PGP, you can have different passwords encrypted with different and multiple keys, so different subsets of people can read them, but I've not used that. It also means you don't need to worry about backdoors.


From: Nathan (Apr 10 2026, at 04:03)

Like Paul, I personally think that you open your options up significantly when you decouple the device sync functionality from the password management functionality. Using software like syncthing or Dropbox or nextcloud to handle the syncing allows you to choose the best password manager without worrying about whether it supports your particular sync use case.


From: Bradley (Apr 10 2026, at 06:35)

Moving from 1Password to Bitwarden in the last few months, two cautions:

- Importing a 1Password archive with long secure notes is problematic and they do not tell you what the character length limit is, only the encrypted length limit on error. I ended up copying a few old notes to plaintext files and importing smaller fragments as separate notes, managing select others entirely separately.

- Importing a 1Password archive with attachments, at least to the free Bitwarden tier that does not support them, resulted in the attachments being silently stripped from the output. I had some inconsequential text documents and PDFs attached to very old items of little consequence, that were removed. This is a potential data loss situation, so be sure to check the import against the export and not assume everything worked as expected.

So far Bitwarden works fine for my individual needs.

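As an added example of the check Bradley recommends (written for this page, not a tool from either vendor): a script that reconciles a 1Password CSV export against the Bitwarden unencrypted JSON export and reports items that never arrived, secrets that changed, and notes that came back shorter than they went in. The 1Password column names (Title, Website, Username, Password, Notes) are an assumption about the 1P7 CSV login export; rename them to match your file. The Bitwarden item layout follows its JSON export. The sample data is constructed: one item is missing on the Bitwarden side and one long secure note has been cut to 1,000 characters.

```python
"""Reconcile a 1Password CSV export with a Bitwarden JSON export and report what
the import lost.  Added example, not a vendor tool.  1P column names are an
assumption (adjust to your file); Bitwarden layout follows its JSON export."""
from __future__ import annotations

import csv
import io
import json

LONG_NOTE = "0123456789abcdef " * 400  # a 6,800-character secure note

# Constructed 1Password-side sample: three items.
ONEPASS_CSV = (
    "Title,Website,Username,Password,Notes\n"
    "Bank,https://bank.example,alice,hunter2-long,Account 12345\n"
    "Router,https://192.168.1.1,admin,r0ut3r,\n"
    f'Recovery codes,,,,"{LONG_NOTE}"\n'
)

# Constructed Bitwarden-side sample: Router never arrived, Recovery codes got cut short.
# Unfiled items carry folderId null; "No Folder" is just the UI's label for them.
BITWARDEN_JSON = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"type": 1, "name": "Bank", "folderId": None, "notes": "Account 12345",
         "login": {"username": "alice", "password": "hunter2-long",
                   "uris": [{"match": None, "uri": "https://bank.example"}]}},
        {"type": 2, "name": "Recovery codes", "folderId": None,
         "notes": LONG_NOTE[:1000], "secureNote": {"type": 0}},
    ],
})


def load_1p(csv_text: str) -> dict[str, dict]:
    """Key items by title; keep only the fields we want to prove survived."""
    return {row["Title"]: {"username": row["Username"], "password": row["Password"],
                           "notes": row["Notes"]}
            for row in csv.DictReader(io.StringIO(csv_text))}


def load_bw(json_text: str) -> dict[str, dict]:
    data = json.loads(json_text)
    if data.get("encrypted"):
        raise ValueError("use the unencrypted JSON export for this check")
    out = {}
    for item in data["items"]:
        login = item.get("login") or {}  # secure notes, cards, identities have no login block
        out[item["name"]] = {"username": login.get("username") or "",
                             "password": login.get("password") or "",
                             "notes": item.get("notes") or ""}
    return out


def reconcile(src: dict[str, dict], dst: dict[str, dict]) -> dict[str, list[str]]:
    """Return what was lost in transit: missing items, changed secrets, truncated notes."""
    report: dict[str, list[str]] = {"missing": [], "changed": [], "truncated_notes": []}
    for name, s in src.items():
        d = dst.get(name)
        if d is None:
            report["missing"].append(name)
            continue
        for field in ("username", "password"):
            if s[field] != d[field]:
                report["changed"].append(f"{name}:{field}")
        if s["notes"] != d["notes"]:
            # A note that is a strict prefix of the original was silently truncated.
            if len(d["notes"]) < len(s["notes"]) and s["notes"].startswith(d["notes"]):
                report["truncated_notes"].append(
                    f"{name} ({len(s['notes'])} -> {len(d['notes'])} chars)")
            else:
                report["changed"].append(f"{name}:notes")
    extra = sorted(set(dst) - set(src))
    if extra:
        report["only_in_bitwarden"] = extra
    return report


if __name__ == "__main__":
    print(json.dumps(reconcile(load_1p(ONEPASS_CSV), load_bw(BITWARDEN_JSON)), indent=2))
```

Neither export format carries attachments, so this cannot catch the silently dropped files Bradley describes; list the 1P items that have attachments before migrating and check those by hand afterwards. Items are keyed by title, so if you have duplicate titles, key on title plus username instead. Delete both export files securely once the comparison is done, since they hold every secret in plaintext.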

From: Chetan Kunte (Apr 10 2026, at 09:00)

A few years ago, I rolled up my own using MacOS disk utility to create a dmg file with encryption, unlock, query for a password and then eject, detailed here: https://ckunte.net/2022/spm . I switched to pass in 2024 once I made linux my daily driver. Normally I don't recommend this to people/families. But you're a nerd, and thought, you'd figure this out and test tires, if interested. Good luck. (I left 1Password back in 2022, for the same reasons btw.)


From: Aurélien Gâteau (Apr 11 2026, at 07:41)

My family use BitWarden, but I use 1Password at work.

Overall I prefer BitWarden. I find 1Password a bit slow when editing entries, and I like that BitWarden can match on hostname + port, instead of only hostname (but that is a nerdy requirement from the mess that is my home servers...)


From: Ulf (Apr 15 2026, at 06:55)

I was going to suggest mSecure, which I have been using for a few years now, and which seems to tick most of the boxes you mention. But looking at the web site, it's not available for Windows, only for Mac, Android and iOS.


April 09, 2026
· Technology
· · Identity
· · Security