The real problem behind 1P8

The biggest problem with 1Password 8 is that AgileBits are pulling a total and complete overhaul on everything. Sure, a new code base is a clean break, but they are taking this as license to change anything and everything. So 1P8 is pissing off a lot of people for a lot of unrelated reasons. For example, today I found out that if you use multiple accounts, you will now need to use multiple passwords to unlock your 1P client. Personally, I couldn't care less about the Electron thing and the search changes are annoying but not game breaking. However, needing to use a bunch of passwords every 30 minutes to get access to the data I need is absolutely a change that would drive me away from 1Password. After all it's called ONE Password, not 15Passwords.

Why are they doing this? Because someone thought it was more secure. Who cares what the customers think. Who cares what the customers need. Who cares about the actual use cases of the paying customers. Did anyone even ask the customers? Could it be a preference? Sure, totally. And some may want that. Heck, it's something they could make as a business feature flag so that admins can require it. But should it be forced on everyone without any thought to what that actually means? Fark no. That's how you piss people off and drive them off your platform.

And this is one tiny change in a vast ocean of changes known as 1Password 8. So now I'm scared. What else is going to be changed that I (and others) haven't figured out, that is totally going to screw us? I don't know. No one knows. 1Password won't even be truthful about the changes it is making (see also electron and stand alone vault drama).

The only thing that a complete overhaul of an application (and service) accomplishes, is making everyone angry at you for changing the one or two things they cared about. Because you changed it all.

PS. And there is absolutely no way you can convince everyone that "this will be better in the long run". Unless you can address why each "game breaking" change is better, to an extent that makes all the customers happy.



Comments

  • cryptochrome
    Community Member

    How about you give this some time to mature? You are looking at the very first early access release.

  • ShakataGaNai
    Community Member

    Well, it's been out for 2 months now, with several updates. Give us a change log so we can know what to look for.

    But that being said, it has nothing to do with the maturity. If you tell me "Well feature X doesn't work because Beta" then cool. I'm game. However what they are doing is changing how many things work fundamentally and it isn't going to "mature". That's how they want it to work now.

  • cryptochrome
    Community Member

    It's still early access, no matter how you twist and turn this. Just take a step back, re-install the production version (7) and wait for a proper beta or final release. I think you will be surprised how much stuff they added back in by then. It's just not feature-complete at this point.

  • ShakataGaNai
    Community Member

    Again. You're saying that it's not feature complete and I'm not disagreeing with you.

    They are making DELIBERATE changes to how things work. That will not change. In my specific use case, AgileBits staff has said, and I copy/paste quote "The Security team decides it would be best to allow users to unlock only one account at a time."

    So how is waiting going to make my life any better? Other than delaying the time until I reach a point where I need to decide if I want to continue to use a product that no longer works for me?

  • cryptochrome
    Community Member

    > and I copy/paste quote "The Security team decides it would be best to allow users to unlock only one account at a time."

    You forgot to quote the part where they said that unlocking all accounts using biometrics is still possible, and that they are still thinking about this. I read the same thread, you know.

  • FCNV
    Community Member

    @cryptochrome

    You are reasonable to state we need to allow the product to mature, but the feedback from these early releases should inform that maturation process. If left unfettered, 1Password may continue to make decisions that users think are bad.

  • cryptochrome
    Community Member

    @FCNV absolutely, agree 100%. But there is a huge difference between constructive feedback and outrage, which is what we have mostly seen so far. And the main point appears to be the shift from "native" to Electron. It's pointless to try and "argue" that decision with the 1P team, as the chances of them reverting this over half a year into the development are more than just slim. It's a done deal, 1P have a business case for this (a good one at that). So instead of hurling complaints and outright insults (I have seen a fair share of those here), the adult thing to do would be to move on. Accept the switch to Electron and make sure that feedback going forward is constructive and helps mature v8 and what it does.

  • FCNV
    Community Member

    @cryptochrome

    Again, I think your accusations of "outrage" are unfounded and an attempt to change the narrative and illegitimize valid criticism. There is not evidence of outrage.

    I feel like a constructive exercise would be to dissect the concerns around Electron and figure out an action plan. Agilebits has done a great job addressing the security concerns, what they haven't done is address the UX concerns. From reading your posts, it doesn't seem like you value a password app that is fast, elegant, or feels more in place with the OS it is on. That is your opinion and fair for you to hold, but don't come after users because they have different values than you do.

    Ultimately 1Password will decide where this platform goes. If they value existing user input as they claim, they will find these discussions useful. If they don't, well, they'll probably lose some customers and move on.

  • cryptochrome
    Community Member

    @FCNV

    > Again, I think your accusations of "outrage" are unfounded and an attempt to change the narrative and illegitimize valid criticism. There is not evidence of outrage.

    I've seen quite a bit of outrage here since the macOS early access version was announced. Heck, I seem to remember you called somebody else a "complete jerk" just a few hours ago. Sounds a lot like coming from someone who is triggered and outraged.

    Anyways, you've made your point, I made mine, we're not going to agree, so let's move on.

  • FCNV
    Community Member

    @cryptochrome

    I actually never called anybody a complete jerk, I was responding to another poster who used the term "jerk" and said it was inappropriate. Again, for you to throw out baseless accusations like that, or that people are "triggered" without any actual evidence is reckless, wrong, and consistent with troll-like behavior.

    I support users' right to have opinions as long as they are supported. While I disagree with your opinion and feel you have not supported it with sound arguments, I respect your right to hold it. I would hope you would extend that to other users of 1Password and this community.

  • rob

    Hey, folks. I know this is a bit delayed, but I wanted to reiterate that everyone's feedback is valuable, and even when things feel a little heated it's good to know that it's only because people care about this product.

    I also wanted to respond to a specific part of @ShakataGaNai's original post about the multiple passwords. We've actually been recommending folks use the same password for each of their 1Password accounts. This might sound ironic given that the typical advice w.r.t. passwords is to use a unique password for everything. The difference is that your 1Password account password is intended to be the one password you remember, and so in theory, if you can only dedicate so much brain space to passwords, if you use only one password for all of your 1Password accounts, you'll be able to make that password stronger than if you have to remember multiple account passwords. So part of the new behavior encourages folks that direction.

    It's probably worth mentioning that this has been the behavior of 1Password in Chrome and Firefox for quite some time now, so it's not new in 1Password 8.

  • dougl
    Community Member

    "We've actually been recommending folks use the same password for each of their 1Password accounts. "

    Please. No. Please. No. You can't have it both ways.

  • rob

    Hey @dougl. I'd love to hear more about why you think this advice is a problem. @jpgoldberg and @roustem commented in more detail about this in another thread, which may be helpful:

    https://1password.community/discussion/comment/608291/#Comment_608291

  • dougl
    Community Member

    Sure. So I get the nuances, I really do. The problem is that most 1P users aren't professional security people, so having inconsistent messaging complicates training and enablement. If the message is 'password reuse is bad', that's a full stop. As soon as we offer options/nuances, then where does that line end?

    I have two 1P accounts, with two different passphrases. One for work, one personal. Since those don't change, remembering two isn't a big deal.

    Now if you wanted to implement some type of SSO-esque system, that'd be fine. Because it's One Password (pun intended) that unlocks multiple things like Okta does. But telling people to manually set multiple passwords to be the same is dangerous.

    And, there's another issue. In an eDiscovery situation, there's a possibility that the employee may be compelled to give up their work passphrase...but now their personal vault is exposed.

    Happy to chat more about this.

  • Ben

    I do understand the concern about having to caveat advice, and I agree it is less than ideal to have to do so.

    > And, there's another issue. In an eDiscovery situation, there's a possibility that the employee may be compelled to give up their work passphrase...but now their personal vault is exposed.

    How is this any different with the 1Password 8 model than with the 1Password 7 model? I would actually argue that with 1Password 8 people now explicitly have the option of not having the same password unlock both accounts, whereas that wasn't possible if you wanted to use both accounts with 1Password 7. With v7 one and only one password unlocked all accounts, regardless of what the passwords for those accounts were. With v8 if you don't want that to happen, and you want your personal data to unlock separately from your work data, you can.

    Ben

  • dougl
    Community Member

    You're right, not a 1P8 vs 7 topic - it's about guidance. 1P should be consistent - no reuse. Now if an individual company wants to add nuance, that's fine. But if 1P says reuse as a workaround, and the company has a no-reuse policy, it causes friction. If 1P says no, and the company says do, then that advice trumps. Make sense?

  • Ben

    I would still argue that the situation has improved, rather than gotten worse. The thing is it is totally optional now. It wasn't before. Before you were forced to have a single password that unlocked all added accounts. Period. Now there is a choice. If your company wants to put out a blanket "no password reuse" policy, you can do that, and then folks with multiple accounts can either unlock using entirely separate passwords, or use biometrics to unlock everything together, while obeying that policy.

    Ben

  • roustem
    edited August 2021

    There are many ideas and many painful lessons we learn over the years when helping our customers and using 1Password ourselves. Just wanted to say that we are definitely taking the 1Password 8 release as an opportunity to rethink how things are done and make them better.

    If we didn't then what would be the point of the release?

  • FCNV
    Community Member

    @roustem

    I don't know. Were users telling you they wanted 1Password to be slower, have fewer features, have a UI that doesn't match their OS, and has a ton of bugs? You tell us what the point of the release is. You've not demonstrated any major advantages, just declared that someday there will be some.

    The reality is this release makes it easier and more profitable for 1Password. But don't act like this is some huge step forward for users.

  • claus
    Community Member

    It is amazing how 1Pwd TeamMembers still try to convince us to like v8.
    Almost everything that is more than a "common bug" gets blocked.
    Still my wish, my hope is that Agile realises that v8 goes in the wrong - the WRONG - direction.
    I wonder how/where they get their motivation to continue. Where is this positive feedback? Or is it just the money (and pressure) they got some time ago?

    Sorry, but I am back (decided to leave this EarlyAccess forum some days ago, but I could not stay away).

  • jpgoldberg
    1Password Alumni

    Listening and learning

    Back when we first launched the service, making it easy for people to be members of different accounts, I was the person who most strongly advocated the use of different account passwords for each. Half a year or so of listening and learning, we learned that following that advice was a serious pain for many users. Yes, there still remain attack scenarios where using the same account password is a problem. That didn't change, but our assessment of the value of telling people to do so did change.

    Many people fell into one of two categories. Those who followed the different account password advice, and found it significantly annoying to do so, and those who didn't follow the advice and worried about the danger that they thought they were putting themselves in. Given this, we felt that the small security gain of using different account passwords was not sufficient to justify the problems with that initial advice.

    Quite simply, I had been wrong to push for that initial advice, and my colleagues were too nice to later say, "we told you so." (Ok, they didn't need to say it; I knew.)

    Knowing what unlocks what

    As I described in some other thread, we had also developed (prior to the service) a cute little hack that gave people the effect of being able to open all their vaults (this in the sense of "vault" from before there were accounts with multiple vaults). That clever little hack was the right thing at the time, but was designed in the pre-account days. It also had a number of drawbacks, one of which was a lack of transparency to the user of which password unlocked which thing. If you are unlocking an Agile Keychain vault that you share over Dropbox with a family member while unlocking your OPVault that you sync via iCloud, you might forget that the first actually had a different Master Password. You could have different Master Passwords for those different things and not even know it.

    What we have in 1Password 8 resolves that long-standing problem. Those accounts that you want to unlock together, you give the same account password to. But if, say, your work place (unwisely) insists that the account password for your work account must contain exactly two emojis and the Latin name for a species of fresh water phish, you can comply with that policy without having to mess things up for your other accounts. Most importantly it puts you in control of what unlocks with which password and it makes it transparent to you which does which. This is an improvement that we have long wanted to make, but before 1Password 8 there was no practical way to roll out such a change for all platforms at the same time.

    So from my point of view, this illustrates one of the benefits of 1Password 8. We are in a position to make security improvements more consistently across the board.

This discussion has been closed.