PSA: 1Password uses “1Password.co” for email links — instead of their usual “1Password.com” domain. Craig isn’t an idiot; it 100% feels like phishing. If you ask me, tracking link clicks and opens in emails is simply not worth the potential freak-out when you think you’ve been phished, please tell the marketing team to pound sand (respectfully)

From: @chockenberry
https://mastodon.social/@chockenberry/112049988291729734

@cabel @chockenberry I mean, I left them in the dust years ago now and I'm glad that I made the long-term best choice.
@cabel @chockenberry
Another way of looking at this: it's best practice to use a different domain for stuff like this. If the marketing tool gets compromised, you don't want it to have the ability to send actual phishing emails from the real domain. You'll see it with other stuff, like Microsoft logins being on “microsoftonline.com”. I agree it does mean you do some double takes.
@sam @chockenberry That makes sense too, but I think the real answer here was “We’re using Marketo Engage, the world’s largest marketing automation platform, a singular solution that lets you attract, segment, and nurture customers, and since it can’t be self hosted, what’s a domain name that’s close enough that customers won’t easily notice we’re using this for tracking/marketing reasons”
@cabel @chockenberry
Here’s Five Guys Germany asking for my location (which then errors out) from Uruguay, resulting in confusion and no burgers until I manually confirm my location on the "industry’s leading location platform".
@cabel Unluckily 1Password went 100% the enshittification way. Loved it and happily paid for it. But now there is no trust left.
@masek @cabel Care to elaborate? What did they do to lose your trust?

@rmasoni @cabel Because they now force me to store my passwords with them.

I always separated storage and software manufacturer in order to avoid problems should one become corrupted.

With version 8 they stopped supporting that: no more local vaults, no vault on DropBox.

They did that in order to receive recurring revenue. I have no problem with them getting money from me on a regular basis. But the way they enforced that is detrimental to security.

If 1Password falls, I lose too much. This is a cluster risk.

@masek @cabel Oh, I see. Thanks for sharing. Did you migrate to another service? I was tempted by Minimalist.
@rmasoni @cabel Bitwarden with locally hosted Vaultwarden (as a container on a QNAP NAS).

@masek @rmasoni @cabel please make sure you have working backups. And a working restore.

If your NAS dies...

@jan @rmasoni @cabel

  • I sync from my primary NAS to my secondary NAS daily
  • Once per quarter I make a backup on a disk which I store in a bank safe
@cabel @chockenberry Don't think for a minute that #1Password gives a shit what their customers want - if they did they would not have forced everyone to use their "in the cloud" storage rather than allowing people to store passwords locally on their system and not connect to 1Password's supposedly secure cloud storage. As a result, they lost quite a few long-time customers that had been dutifully paying for each new major version when it was released. But they didn't care, and I doubt they will care about your concern. Basically their attitude appears to be that you can use their product the way they offer it, and if you don't like it you can just go away and use something else.
@cabel Had the same issue with the #aws sign-in link for password reset. It has changed to something obscure like the signin.aws domain in certain cases.

@cabel @chockenberry OK, enshittification goes too far.

Will Panic sell a good password manager (aka how 1Password was originally: local transferable vaults, simple, no bullshit and beautiful)? Pretty please? 🥺

@cabel Related: cocoatech.com uses something else (freshcocoa or something, I don’t recall) for their product update mailing list, and my office firewall doesn’t like to let it out through without manual intervention. Stupid.

@cabel @chockenberry A lot of companies do it, but it’s like a domain hack. .co is the domain for Colombia. They rely on people having heard about co.uk for decades to think it is similar to dot com.

I think Apple does it also.

@cabel @chockenberry I'll chalk this up to "yet another reason I'm glad I dropped 1Password" [after they went to a subscription model.]
@cabel @chockenberry For clarity, I mean that 1Password uses anything but their known domain in any communication, period.
@baldengineer @cabel @chockenberry They were using agilebits.com and 1password.com before
@cabel @chockenberry I sincerely hope someone at 1Password has escalated and set about solving this blurring of what needs to be absolute trust (between a user and a password-managing org). This sort of thing is an awful choice on your part (1Password) and you must address it or risk becoming less than trustworthy in users' eyes. Marketing pressure MUST NOT usurp security or client confidence.
@cabel sounds like there’s room for another password manager app, maybe from a small indie studio based in Portland…