The future of local/standalone vaults
Comments
-
My passwords are something I really care about, that is why I don't sync them in any clouds. It was your business decision to move to a cloud and subscription model. It was your decision to move away from local storage.
But sorry, I am not convinced and your above essay does not change my mind. I will not store my password in any cloud. So for me, this year is the last, and I will cancel family account, once I migrated everyone over to my private solution. There are at least solutions out there, which are OpenSource, enabling self-hosting, multi-device sync und last but not least privacy without clouds.
1Password 3 was my first version. It's sad but without local storage, it's time to say goodbye.
0 -
It is my first (and maybe the last) time publishing comments in this forum.
I've been using 1Password since 2015 and experienced every history you mentioned in the post. Back then, there weren't so many password management options in the market. The top reason I chose 1Password over any other alternatives without hesitation is the ability to take control of my sensitive data instead of relying on a provider's server.
Even now, the fantastic quality, design and experiences of 1Password clients offered over all platforms are still unbeatable and attracting me. However, my password matters to me. If taking away standalone vaults is your team's final decision, I'll have to make the sad but necessary decision to say goodbye.
PS. What will happen to 1Password 7? As your team limits the browser support to identified ones only, whenever I switched to a new browser I have to wait for 1Password to support it. Now I'm switching to Orion - which supports both Chromium-based and firefox extensions - and it happened again. Can you at least do us a favour to add that identify support, so I can have some more sweet time with 1Password 7?
0 -
Sad for me too since, been using 1P since V4, but have to say goodbye and regard Schneier´s, Schechter´s,...and other security techs' advice. 1P doesn´t give a damn about us minor standalone users. Goodbye.
0 -
I would be more than happy to pay a subscription for software maintenance and updates, but moving to a cloud vault is not an option. Unfortunately I will have to find another password manager.
0 -
Echoing many here; I have no problem paying a subscription fee. I'd rather pay for competent developers to focus on security than on how to monetize their freemium model. As a long time programmer myself, I am often asked which password program I recommend and why. For years 1pw has been the easy answer. Easy to use, good security model,... but mostly because for sensitive accounts (bank, investment, health...) you shouldn't store passwords in the cloud. All cloud services get breached at some point. The target is just too rich and the systems too complicated. LastPass recently as example. I don't care how good you think your model is, it's not as good as not on the cloud at all.
Our family account has the vast majority of logins synced to 1password.com. It's great, convenient and available across devices. We love it. We're that 97% of people you said want to sync to your cloud server.
For our banking & investment accounts though? I don't even trust my laptop! I have a separate computer that's only used to access the finance accounts. No email, no web browsing & no need for syncing. Its local 1pw vault is backed up to usb sticks that get rotated into a safety deposit box. Minimize exposure for things you don't want to lose.
This dual use model of sync'd Netflix & Amazon for family use, but locked down Vanguard & Schwab for the important stuff has been the primary selling point for many of the customers I've steered your way. It was, but no longer unfortunately.
I'm happy to pay a yearly subscription. Just make it an option to let some vaults continue to be local only please? And no local sync server I have to maintain, just let me use the files. They've been great for years.J
0 -
And here you go why you don’t want to store passwords in the cloud:
“LastPass users: Your info and password vault data are now in hackers’ hands”
I’m happy to pay a subscription fee, but please let me store my passwords locally.
0 -
After having read all the posts here I am non the wiser in what direction to go. Surley localy stored is the best way. From a business point of view 'profits are paramount' to sustain the business, (1P) however just going forward with new ideas such as Cloud off site storage just because it is there to make the companies (1P) operation easier should not be at the cost of customers needs and perception of safety.
I have reduced by 90% my dependency of Dropbox, Google, OneDrive etc in favour of my own safe storage. I would love to revert to a one time payment (no subscription) for the application and pay for upgrades when I want to but this does not pay for the salaries of the large number of staff at 1P. Ho Hum0 -
AgileBits, do you really think the new profit margins from SAAS are going to outweigh the thousands of customers you’re losing by removing standalone vaults?
You once committed to ALWAYS offering standalone vaults until you saw the subscription revenue and walked that back entirely, after users had already entrenched themselves in your product.
Besides the security concerns noted above, you do realize that if every local app on your mac decided to switch to a SAAS model you’d be paying hundreds of dollars a month just in licensing fees? It. Does. Not. Scale.
I came back to post after the lastpass scandal to see if anything had changed. Most companies listen to complains and respond to them by well, being agile.
Yes, your responses are anodyne, but they’re not efficacious, which is really what customers need, a walk back to what worked for the majority of the product’s existence.
0 -
Security is something you feel. The more the risks of cloud are understood and communicated to the populous the more folks will understand that encryption is something they must do for themselves; Something that must happen intentionally, locally and at each step of the data custody chain. As I advocated to management at a startup I worked for 16 years ago, providing "encryption as a service" is 99% marketing - as a user, if you want something to be encrypted on "someone else's computer" you need to do it yourself. You need to understand the threat model; which is the bigger threat? Some business, cloud, software insider walking off with static media, and proprietary code, or armies of nation state funded software penetration engineers leveraging copious numbers of immature, poorly managed, poorly understood, poorly maintained and secured "web" software packages (:cough: ruby, javascript, php, perl :cough:). They way math works, at least where I come from, suggests that the latter will always grow faster, have more opportunity and resource.
It only follows that as a customer, makes not an iota of sense to trust in cloud automation for encryption as a service. Unfortunately 1P/Agile can only go where the software development money is. So like all commercial software it is doomed to circle the gravity well of incompetent, ignorant, mass market users. As the history lesson provided demonstrates, user education is hard. Teaching competent use of a tool as business model, is at best a fool's errand. More money gets made selling tons cheap, fragile, disposable tools than by selling a handful of expensive, durable, versions of the same. And so, as with all commercial software, as it "matures" 1P will inescapably give ever more lip service to its nominal/original goals while leaving those "in the know" ever more dissatisfied. It's oh so easy to move "down market".
Having used 1P for the most of the last decade and a half, the license for 1P7 was the last money agile will ever receive from me. Defense in depth means not putting all the keys in one basket, or--in the case of password management--using additional layers of encryption (keys) between the local data, and the cloud. Keys, provided by distinct implementations & organizations.
"If you want it done right, do it yourself"
0 -
I've posted in this thread a number of times, and I'll say it again. I'm fine with the SAAS model for 1Password. There are some (many?) software packages I would not pay a yearly subscription, in the event those adopted this model - 1Password is not one of them.
And to repeat my major grumble with version 8 - there are some login credentials I will never store in a cloud environment. And as mentioned, these are the ones with the highest value and will cause the biggest problems in the event of a breach. I would add that I have numerous non-critical logins on 1Password's cloud to ease sharing and eliminate sync issues.
Simply stated: I want an uncomplicated local storage option - which is what I have now with version 7, which I will stay on as long as I can, or until such an option is available in version 8 or a future version.
1 -
I was always torn between the benefits of a centralized cloud sync and offline vaults. But the current situation with LastPass clearly showed me the risk that comes with a centralized service. It's so much more appealing to hackers to target the one service which holds millions of customer data. Therefore, I'm now thinking about transferring my data to a different solution with local storage possibilites. Why not 1 Password 7? Well, because the future for this version is totally unclear and I simply want to have the effort twice. I'm sad about this situation for myself, since I've been using 1 Password since, I guess, around 10 years.
**My vote: please bring back local vaults or a self-hosted docker container. **
0 -
After the LastPass breach, there are exactly ZERO excuses for not offering local vaults. I do not care if the vault is encrypted; I want to be the only one in custody of it.
0 -
As many others said, i'd be the only one responsible for my vault(s). In order to decrease your 97% subscription "feeling/stat understanding" i'd like to say that i had no chance to choose anything else than subscription when i wen't from previous (standalone) version and even didn't know that you went into cloud. So sorry to say but i'm also not happy at all and finished my subscription. because here obviously won't be any 1pw7 development/patching anymore and i'm not anyhow interested on features in v8.
0 -
BTW Just recognized 1Password 7 is not available for iOS 16.2. So if you’d like to upgrade your iPhone to stay secure you won’t be able to use local vaults anymore.
0 -
"If you want it done right, do it yourself"
This idiom is applicable if you're a subject matter expert yourself. Most folks are not information security experts. I'd counter:
"If you want it done right, hire a trusted professional with a proven track record."
BTW Just recognized 1Password 7 is not available for iOS 16.2. So if you’d like to upgrade your iPhone to stay secure you won’t be able to use local vaults anymore.
1Password 7 is available in your purchase history if you've downloaded it using your Apple ID prior to its retirement. While it is unsupported and untested on iOS 16.2, my personal experience is that it still runs there.
After the LastPass breach, there are exactly ZERO excuses for not offering local vaults
What makes 1Password different from LastPass, and would prevent the sort of breach that happened to them from having the same impact on 1Password customers, is the Secret Key:
About your Secret Key
As Dave noted in his earliest post in this thread, the type of local vaults that previously existed in 1Password 7 and earlier are no longer a solution we'll be pursuing.
AgileBits, do you really think the new profit margins from SAAS are going to outweigh the thousands of customers you’re losing by removing standalone vaults?
As both an employee and customer myself, there is no doubt in my mind that 1Password.com not only makes better business sense, but it is also the better and more future-proof solution.
You once committed to ALWAYS offering standalone vaults until you saw the subscription revenue and walked that back entirely, after users had already entrenched themselves in your product.
We tried really hard to justify the continuation of standalone. I was on the front lines of this argument internally, even making the comment at one point that I didn't anticipate working here any longer if we went to a 1Password.com-only solution. Ultimately I'm glad I stuck it out because as I said above there is now no doubt in my mind we've chosen the correct path. The lesson we learned was to be less definite in our statements about the future, because ultimately none of us have a crystal ball.
Ben
0 -
Thanks for this hint, Ben. While it states, that version 7 is “unsupported” on 16.2, it still can be downloaded per purchase history.
0 -
Thanks for this hint, Ben. While it states, that version 7 is “unsupported” on 16.2, it still can be downloaded per purchase history.
Happy to help. 🙂
Ben
0 -
We tried really hard to justify the continuation of standalone. I was on the front lines of this argument internally, even making the comment at one point that I didn't anticipate working here any longer if we went to a 1Password.com-only solution. Ultimately I'm glad I stuck it out because as I said above there is now no doubt in my mind we've chosen the correct path. The lesson we learned was to be less definite in our statements about the future, because ultimately none of us have a crystal ball.
Ben>
Fair enough, and thanks for putting that out there. It's obvious you had similar or the same concerns (and maybe some others), rightly so. That said, you can bet that LastPass has (had?) also been saying how secure everything is.
I've been reading through your security white paper and there's a lot there. Including I see you moved to a relation database for the data storage layer - which I believe was not the case prior to version 8. That was the database I worked with for years in my career, specifically for large data warehouse instances.
So how about this for all us cloud-storage-only skeptics: put together and host a webinar to walk through the security model for anyone that's interested. You can record it and whenever one of us grumblers posts a comment, you can link to it. And you and others can fully explain the architecture and all your choices, why you did what you did, answer questions and so on. I think this would be a very customer-focused thing to do.
So, a possibility?
-Joe
0 -
Fair enough, and thanks for putting that out there.
👍🏻
That said, you can bet that LastPass has (had?) also been saying how secure everything is.
For sure. On the other hand, we can (and now have) clearly pointed to where we've done things better. We try really hard not to directly compare ourselves to competitors, at least publicly, but the situation with LastPass has pushed us to having to do that:
Not in a million years
So how about this for all us cloud-storage-only skeptics: put together and host a webinar to walk through the security model for anyone that's interested. You can record it and whenever one of us grumblers posts a comment, you can link to it. And you and others can fully explain the architecture and all your choices, why you did what you did, answer questions and so on. I think this would be a very customer-focused thing to do.
Absolutely. Our business team does regular webinars, many of them security focused.
Business Webinars
Ben
0 -
One thing I think you guys aren't grasping fully I think is that it's the guys like us who are 1password faithfuls asking for a self hosting or local vault option, we're the ones who espouse the virtues of 1pass to less techy people.
Personally I know you've got more than a handful of clients ENTIRELY due to me recommending your company to them, from my experience with your product before 1pw8.
I can tell you, you've had no referrals from me AT ALL since moving cloud only. Zip. Zero.
We're your evangelists, but you've seemingly intentionally taken away our faith in your company by firstly, going cloud hosted only, and to a slightly lesser degree, subscription only.
I can tolerate subscription services, so long as there's regular consistent updates and upgrades (which there has been, so kudos I guess), but not maintaining complete sovereignty over my data? That's too far sorry.
1 -
This content has been removed.
-
As it stands, I cannot use 1Password 8 in a professional capacity. Company policy explicitly forbids it. Any level of corporate licensing for software initiated by employees is a fireable offense, so that's a dead issue as well.
I cannot use 1Password 7 either, again, for policy reasons : it's unsupported, unpatched software. Even if that weren't a problem, I can't use v7 and v8 side by side; they refuse to play together.
The only solution I have is to use two entirely different products, which is a pretty big pain.
The the "poll" about a hosted solution for a local sync for credentials has been around for at least 18 months now? Perhaps it's my despair talking, but I've had an http proxy bug open that hasn't been resolved in 8-10 months, so I'm not hopeful for something with as small of a reach as a sync server.
It breaks my heart; I think much of the anger in the thread is because of how much people love 1Password as well.
I've loved 1Password from the beginning and have been a huge advocate since its first release, but it seems my own needs aren't being addressed. I can't use 1Password where and when I need to use it.
My major use cases which worked fine a year ago are now not available, with no path forward. Using v7 is not an option if I want to stay employed where I'm at (and I'm not leaving over a password manager.)
So yeah: I pretty much have confirmation that migrating away from 1Password is my option now. Obviously that's not what I wanted to hear.
1 -
Where are we in the decision to support a self-hosted 1Password server?
0 -
I've been using 1Password for around 15 years, both for work (as a SW manage and engineer) and home. For a good portion of my career I also worked in security and encryption development. When 1Password went to cloud storage, given the secret-key (which encrypts the content on the cloud) I thought the security was good for both work and home. I currently work in financial tech development. However, I don't "run" our security team, and due to the "LastPass" issues our security team is likely to impose requiring "physical" storage protection (meaning limiting storage to company devices/infrastructure) for sensitive information (i.e. credentials/keys). So without have local vaults, it is likely I will not be able to use 1Password anymore for work (as when we log into VPN, there is a security check that runs to monitor which applications are installed) :-( . Supporting a company based server for 1Password, may be an option, once it becomes available.
1Password has been a great product, and I hope there is some resolution to this in the not to distant future
1 -
Some congratulations is in order, as 1Password appeared on my "Front Page" of the NYTs website today:
https://www.nytimes.com/2023/01/05/technology/personaltech/lastpass-breach-password-safety.html
Nothing new here, but exposure in a publication read by lots, not just techy pubs and blogs many of us spend time on.
Ben, I continue to dig through the security white paper, and I've watched a number of your Business Webinars as you suggested. These seem very sales-oriented and I've yet to find one that goes into full detail on all aspects security as categorized here:
https://1password.com/security/
Is there one you can recommend that speaks specifically to this? And I've been digging through this forum as there are numerous posts dealing with security.
Honestly, I'm beginning to soften just a bit on 1PW 8 and its cloud-based solution. But just a bit. When I think of all the security risks to consider, it may be this one should not be my primary concern. More thinking to do on that. And it may be I implement some kind of hybrid solution where a bunch of stuff with lower importance is in 1PW 8, and important stuff is elsewhere, or important stuff has additional authentication components outside 1PW.
At the end of the day, and as the NYTs article points out, one of the main issues here is trust. The LastPass breach(es) have certainly highlighted that. We all have to trust 1PW to NOT biff it. The reality is that's been the case all along, but the LastPass breach has brought that clearly into focus. And interestingly, the white paper indicates 1Password for Teams is hosted on Amazon Web Services. (Not sure about individual or families?) That means those customers need to trust AWS through you as well. That's a lot of trust.
With 1PW 7, I considered the cloud-sync options, but I immediately eliminated DropBox. No trust (for highly important data). The only one I ever considered was Apple and iCloud, but I couldn't bring myself to do it and never turned that on, despite the convenience it would bring. Now Apple has implemented Advanced Data Protection for iCloud, nothing but a good thing.
So, I'm open to trusting you with your cloud-based solution, but I'm not there yet.
0 -
I’m sure there’s always a lot of room for discussions pro and con local vaults etc. But honestly I’m quite tired of this discussion and getting convinced of something towards cloud storage.
I’m the customer, I’m paying, and my requirement is the ability to store data on premises. Full stop. If this isn’t possible I’ll switch to another solution, since 1P 7 slowly phases out.
It was an awesome time and I enjoyed the usage a lot. Might re-evaluate again when functions fulfill my requirements.
Bye 👋🏻
0 -
@JAC3467 - while we certainly didn't intend to make the NYT's front page, and we're never happy to see anyone's data exposed or breached, we're glad that current circumstances have potentially helped spur some rethinking about what is important in real terms regarding data security and what might be less so. Simply put (as our Chief Defender Against the Dark Arts, jpgoldberg does in his blog post Ben linked to above), encryption is considerably more valuable for reliable data security than authentication, and even than location of data. The advantages/disadvantages debate between local data storage and cloud storage have been gone through, here and elsewhere, repeatedly -- and continue to this day. That's actually a good thing, because conditions continue to change.
But there's little disagreement that if an adversary of any kind gets hold of your data, well-done encryption using a key derived from a well-designed KDF is by far the best chance anyone has of keeping their data from being fully exposed.
KDF is Key Derivation Function, a phrase which you seem as if you may already know, but which some reading this thread might not. Nearly everyone is familiar with passwords, they form the basis of most encryption as well as authentication systems. In password managers, it's often called a Master Password. But what makes us different among password managers is what we call our 2SKD (2-secret key derivation). That is, an encryption key derived from two separate secrets:
- The Account Password you chose when you create your account, which only you (should) know, and
- The Secret Key
Why is this measurably better than a key derived from only a password? Because although our web front-end will not allow you to create an Account Password that is fewer than ten characters, we have no realistic way to stop people from using bad passwords. As Goldberg's blog post goes into detail regarding, human-chosen passwords are orders of magnitude easier to crack/brute force than machine-generated ones, even when we humans are trying to create hard-to-guess secrets. But at the same time, machine-generated passwords are almost always more difficult to remember than one you created yourself, and therein lies the dilemma. We'd love it if everyone generated a 40 or 60 character Account Password using a well-designed CSPRNG and then took the time to memorize it and use it as their Account Password...but realistically, few will do so. Which means that if an attacker comes into possession of a copy of your encrypted data that's protected by a key derived from only a password you created (and which might be as few as ten characters), your most-important data is at significantly higher risk of compromise through focused cracking attempts than it would be if you had a longer, truly randomly generated password. And that's true whether the data is stolen by a RCE on a device of yours from an unwise click on a link or opened attachment, through stealing a physical device and gaining entry to your user account...or by compromising our servers.
So if people are bad at memorizing long, truly random strings, how do you give them the equivalent of a really long, secure, randomly-generated password? The Secret Key: it is created on your device at signup and, via the wonders of SRP, never transmitted to our servers. We don't know it, don't store it, and therefore can't be forced or tricked into divulging it. And its length makes it approximately 128 bits of additional entropy added on top of whatever entropy is present in your chosen password. At that level, as Goldberg details, it would take well into the billions or even trillions of years using all the computing resources on earth to brute-force.
That's why our solution protects you better than any solution which relies only on a Master Password.
The trust issue is something else entirely, and you're not wrong to consider it. That said, anytime you use a computing device of any sophistication, you are trusting multiple parties implicitly, whether you know it or not. You're trusting the developer of the OS to "not biff it." You're trusting the compilers they use to assemble things. You're trusting the hardware on which it all runs, and any first-party software as well. Unless you can build your own computers, not just from parts purchased from Amazon or elsewhere (gotta trust them as well!), but for which you personally oversaw the component manufacture process and transportation chain to your home or business and assembled yourself (or literally fabricated yourself), you cannot be 100% sure it is free not only of errors which might allow attackers a way in, but of malicious hardware or code. So on that scale, no, you can never be 100% certain we aren't making mistakes or corrupt or malicious. Just as you cannot be 100% sure about all those other things I mentioned.
But you can examine our track record. You can read the reports of multiple independent security audits and our responses to the issues they find (though I suppose you would have to trust those pentesters as well). You can read our white paper. You can look at our SOC2 report.
To use your example, though, you do not have to trust AWS or Amazon, at least not in the way I took you to mean. Yes, if AWS is careless or gets breached, we might end up with some variant of the same issue of database theft that LastPass did. I suspect if that happened it wouldn't only be us here at 1Password that would be having a bad day, since much of the world's corporate infrastructure runs at least partly on AWS. Why? Because AWS are currently the best in the business at what they do. Are they impenetrable? Nothing created by humans is. But I would suggest they are probably the least likely of current providers to suffer this kind of breach. And in the unlikely event that it were to happen? Attackers would get a similar kind of encrypted blob of data - just like they would if they took it from your device - but with one key difference if they manage to compromise both AWS' defenses and all the precautions we layer on top of those: your Secret Key. We created it so trust in us isn't required; 1Password has always been designed to continue to offer your data robust protection in dire situations, where one or more failures has already occurred (loss/theft of a device, compromise of sync servers (back from when we used Dropbox/iCloud to today's 1password.com architecture running on AWS).
0 -
@manukst - you're absolutely correct: you are the customer and you're paying. But if your requirement is the ability to store your data locally only, then we're probably not going to be your choice, as that's no longer something we offer, for multiple reasons.
Thanks for the time you spent with us, good luck with discovering a solution that better fits your needs or your job requirements, and we'll be here if you want to return anytime. 🙂
0 -
Without local storage, what happens if my 1Password vault stored on 1Password's servers gets deleted or corrupted? No bad actors could figure out my passwords, which is good. But I would lose all my hundreds of passwords.
I can accept that no hacker (or even the 1Password company) could decrypt my cloud-based vault in a million years, especially given the secret key. But is there a million-year guarantee against fire, bankruptcy, or catastrophic malware that takes down 1Password's storage system? I would feel better with a local copy, even if that didn't sync at all (doing a yearly local backup would satisfy my paranoia about this issue). Is there some solution for this concern?
1 -
Welcome to the 1Password Support Community, @labguy88! Good question. No, you're right, the Secret Key, while excellent at protecting your data against brute-force cracking attempts, offers no protection against fire. 😆
But if AWS (our host) is down due to fire, flooding or other acts of nature or humans, you would have the local cache of the data that resides within the 1Password app on any device you've previously signed in from. This is the same cache that allows you to open and use your data even when offline, such as an on an airplane whose wi-fi is broken, or when you're in a remote area without mobile service, etc. We designed 1P this way intentionally: the first time you sign into your account from a new device using the app for that platform ( 1Password for Mac, 1Password for Windows, 1Password for Android, 1Password for iOS, or 1Password for Linux), the app will download a complete copy of all of your data, and store it encrypted locally on your device.
Obviously, assuming we or AWS are somehow out of commission, there would be no syncing to the server for whatever duration the emergency outage lasts. But you could continue to use your data as you normally do until either service is restored, or you choose to export the data and move to another solution.
0