Just to report that spouse & I have successfully transferred off 1Password to Bitwarden, relying on sync through Bitwarden.eu. It’s not quite as slick as 1PW but is less American and AFAIK is not fooling around with AI. Also, offers the option to self-host if the company goes sour.

#1password #bitwarden

@timbray Interesting. By 'successfully', do you have tricksy things like passports, file attachments, secure notes, etc. alongside the passwords and credit cards? How faithfully do things transfer? (I have two in-laws who would take some convincing!)
@tastapod Secure notes seem to work fine and that's where the passports and recovery codes and so on are. It's also got a generator, looks pretty full featured.
@timbray I thought 1Password was Canadian?
@kdekooter @timbray It is, based out of Toronto (address is in the website footer).
@kdekooter Huh, so it is, I had no idea. Although it looks like their infrastructure is US-based. And there's the AI chatter. Also we disliked some of the trade-offs in moving from 1PW versions 7 to 8.
@timbray @kdekooter Yes, 1Password is Canadian and Bitwarden is American!
@willegible @kdekooter Well, they offer explicit sync through a .eu.
@timbray 1Password does too, as well as a .ca, but at least when I used it there wasn't any better migration path from the .com than 'export and import' and once you're doing that you might as well entertain other options. N.B. I'm not advocating for or against either of them, just FYIing! (Bitwarden and 1Password were my last two password managers.)
@timbray @willegible @kdekooter They all end up being subject to the CLOUD Act, since they are either American or hosted on American-operated servers. And they all vibe code.
@hub @timbray @kdekooter I suspect that @timbray understands CLOUD Act jurisdiction and that this helped motivate his desire to make a change in the first place.
@willegible @hub @kdekooter Well actually I didn’t but as a result of this investigation I've now read up considerably on the CLOUD act and yeah, having your data domiciled outside the US does make a difference. I'm going to have to blog this stuff, stand by.
@timbray @hub @kdekooter It doesn't make a difference as long as the data is hosted by a US company. The CLOUD Act gives the US government access to any such data regardless of where it's physically hosted. This is why AWS just spent a lot of money on an 'EU Sovereign Cloud' that's supposedly air-gapped against US control, but this hasn't been tested and there are good reasons to think it won't stand up if push comes to shove because it's still owned by Amazon.

@willegible FWIW, having just read a bunch of discussion of CLOUD, I don't agree with your interpretation of what it says. But IANAL, are you?

In any case, I suspect the real issue isn't so much getting access as whether decryption can be forced.

@hub @kdekooter

@timbray No, I'm citing authority. Like the EU's lawyers: 'the Act removed any doubts as to the extraterritorial effect of the probable cause warrants issued under the SCA, by making explicit the obligation of the U.S. service providers to preserve and produce data they control regardless of where it is stored.' https://www.eurojust.europa.eu/sites/default/files/assets/the-cloud-act.pdf

Yes, if the data is encrypted and the keys aren't available to the hosting provider, then the US government gets encrypted data.

@willegible Well, unless the Wikipedia entry and a couple of cloud-provider FAQs are all wrong, the US government's access to extraterritorial data is not a "just ask" unlimited thing, but subject to nontrivial legal process. But anyhow it sounds like we agree that the encryption is a more significant privacy factor than the geography.
@timbray The threat modelling typically includes questions like 'how confident are you of the US courts remaining a reliable brake against executive overreach' and 'how confident are you that the encryption will stand up to potential US attack' and 'are they using their own key management or e.g. AWS KMS, in which case the encryption offers zero protection against AWS themselves'.

@timbray
Sadly, Bitwarden does use AI in some clients, for example.

But it is still good since you can use alternative clients/servers.

#1password #bitwarden

@timbray ‘not fooling around with AI’ — I believe they do use LLM agents to develop the software at least, depending on where you personally draw the line on that.
@timbray Seems to be AI-friendly, at least, based on a Claude file in the source (via https://codeberg.org/small-hack/open-slopware#password-management)
@me @timbray Finding a cross-platform slop-free password manager seems like quite a challenge currently.

@timbray Sorry to hear that, Tim. A couple of things to clear up: 1Password is a Canada original (though we have folks working from around the world).

1Password has hosting options in the US, Canada, and the EU (1Password.com, 1Password.ca, and 1Password.eu).

@MrRooni @timbray I believe it's about where the data resides though, you folks use AWS yes?
@emd @timbray Yes, but our EU and Canadian instances are in the EU and Canada, respectively.
@MrRooni @timbray ...but you can't really switch between them, right? My account is from like 10 years ago and I don't really want to create a new account (it's a shared family one) and then transfer things across.

@timbray We are working hard to ensure that companies can secure the AI agents they are deploying, which is a natural extension of the type of security we’ve provided to humans for the last two decades.

We don’t have a self-hosting option, but all of your data is resident on your devices and we offer a wide range of export options in case things ever go south.

We also offer a wide range of import options in case you ever want to come back. We’d be thrilled to have you. 🙂

@timbray if you ever decide to go the self-host route, consider Vaultwarden over the Bitwarden server. Fully open source, much lighter on resources, and no licensing fees. I’ve been running it for years and have been very happy with it.
@timbray 1PW is Canadian.
Bitwarden is a US company using Microsoft Azure for their data centers.
The EU data center doesn't matter and is only marketing. The US has access anyway.