
Good security hygiene is like a diet or exercise plan: the most effective one is the one you will stick with. Most users don't follow good habits because it's a giant pain for non-technical users to get set up. 1p's subscription plan is aimed squarely at those people and I think it's a great idea. It's reasonably secure and easy to set up everywhere. That is a big deal in my mind. Yes, it's not bulletproof but it's 100000% better than what the current status quo is.

Additionally, managing your own password vault is a lot like managing your own email server. There are advantages but I feel that the disadvantages are substantial. For one, the likelihood that you, one person, are going to do a better job of securing your stuff than a dedicated team is optimistic at best. Keeping your password vault safe is literally this company's full-time gig and they have entire teams dedicated to it. Do I think they are infallible? Of course not. I'm not an idiot. But I think they are going to do a better job than me at keeping my stuff safe. I happily will pay for that every month.

The author's point about the 1p web portal is a good one. I don't use it out of similar concerns. Besides that, I really could not be happier with 1p as a password management solution. They have a good track record (no hacks that I am aware of) and I want the company I trust with literally the keys to my kingdom to be profitable and motivated to keep improving.



> Additionally, managing your own password vault is a lot like managing your own email server.

As someone who actually does both, this is IMHO backwards. My "password vault" is a GPG file I open in emacs and cut and paste from. It's trivially copied and maintained, extends cleanly to "non-password" secret info (e.g. credit cards, my kids' SSNs), involves no third party systems beyond the operation of the software, is trivially backed up via straightforward file copies that I do all the time anyway, and just in general works better than the rather complicated ecosystem of commercial offerings.

Works poorly in a phone, though.


Read what you wrote one more time, and imagine some manager working in a bank, or a 17 year old business student.

It's hard enough to convince people not to use the same e-mail and password combo, and instead use something like 1Password or LastPass. Making them use your proposed "solution" would be a massive step back.


Your point is sort of sideways to mine: yes, I happened to pick tools and idioms (a text editor with GPG integration) that aren't available to typical consumers. Yet the solution is trivial: I open a file and edit it!

Why can't the existing solutions in the market retain that triviality when translating to the consumer? Why must we be inflicted with bad crypto, cloudification, pervasive over-integration, lack of just-edit-the-text extensibility, etc...?


Nothing wrong with what you are doing if it works for you, but I wouldn't describe your workflow as trivial, and I wouldn't call using 1Password complicated. The value to me of 1Password is: Go to Website, Right click 1Password, enter password, logged in. No copy paste, no switching windows, no launching emacs, no searching through a list. Even the added friction of 1Password took a few starts and stops to get through. For people like me, your solution would quickly devolve into reusing a common password.

The 1Password workflow on iOS is more similar to what you describe because there is no browser integration, and I strongly dislike the experience. I often will abort doing things on mobile so I don't have to bother app switching and copy pasting.


Have you tried the 1password share-menu charm on iOS? No more app switching! I don't remember what if any setup I had to do to get it there.


You don't have to "manage your own password vault" though. I sync my 1Password vault via iCloud. It's like two clicks to turn it on. And surely Apple have an even bigger and better team dedicated to keeping my data safe?


Sure. If you only use Mac/iOS then that's a perfectly valid strategy. I use a Windows machine at my job, Apple/Linux for my personal projects so no dice. I would imagine that's not a super uncommon scenario outside of the SV bubble where Mac is the only thing people use (not throwing shade, it's just kind of the thing there). To me, a valid password management strategy MUST be cross platform. Also keep in mind that 1p can store more than just logins. It can do SSH creds, software licenses, secure notes, you name it.



