The future of local/standalone vaults

  • labguy88
    Community Member

    @Lars -- thanks! That resolves my concern. I'm a longtime Lastpass user (AKA "victim") looking to make the switch, so I'm just learning about 1Password. Hence my fairly ignorant question. With your explanation about the cache, I'm not troubled by version 8's central cloud storage. That's just my personal take on this, not a criticism of others in this thread who think differently.

  • JAC3467
    Community Member

    @Lars - thanks for your reply and taking the time. You of course are correct, anytime we do anything, there are multiple parties involved with varying levels of trust. Agreed fully. That said, there are varying levels of trust. Apple for example has a huge and highly-profitable business for lots of reasons, one of which is its customer base trusts the company pretty well. I'm sure in no time at all we could name some tech companies we don't trust much.

    I think my trust for 1PW is pretty high - it would have to be given the data I'm entrusting. These last few months digging through documents, forum posts, blog posts, etc., I've become more assured that you've architected and built a cloud-based password manager that's as secure as it can be. That said, if I were on 1PW8 and there was a LastPass-type breach - would I change a bunch of passwords? Probably, important ones at the very least. If you deprecate 7 and I upgrade to 8, as a hedging step, are there some credentials I would no longer store in 8, or would I store some login components elsewhere? Probably.

    The LastPass breach has sorta brought to a head this whole lengthy discussion. Which is really a good thing. Normally when a competitor has a bad day, there's at least some ancillary benefit 1PW would derive, most notably by afflicted customers moving to your platform. In this case however, LastPass's stink is getting on you too. Why? For no reason other than you too are a cloud-only solution, so you're the same. Yes, I know there are key differences and the devil is in the details, but for many customers, they will never dig that deep. Think about the NYT's article - it recommended KeePass. Why? No reason other than local storage. I've not looked at KeePass, but I seriously doubt it's as feature-rich as 1PW.

    I'm really unclear as to why you chose to eliminate local storage from 8. It must have been quite a discussion, and you must have anticipated the grumbling. I am curious about that, if it was a tech consideration, or marketing, or both, or something else altogether.

    So where are we? Right now you are supporting two versions that are really quite different: 1PW7 and 1PW8. I'm sure that's expensive and you'd like to get rid of 7, and one day you will. Some existing V7 customers will leave. They simply will not put their data in the cloud. And some existing customers will leave as their employer will not permit a cloud-based login credential storage solution.

    And now the LastPass breach has put a spotlight on your cloud-based architecture. Right now, there are LastPass customers looking to switch. They will look at 1PW8 and see it's cloud-based and say: "nope, already been to that rodeo". Simply look at the last post by labguy88. I doubt his reasoning is unique to him. And there are new customers who will do some digging on password managers, read about it all and find the NYT's article, among others, and also say no thank you and look for a local-storage option.

    So how many existing and new customers does that all add up to?

    Imagine for a moment, if for all those customers, you could say, we have a cloud-based solution and it's solid as a rock, and here's why. And if you're still not quite satisfied with that, here is a local-storage option where you can save your data and it will never see the light of day beyond your local device.

    Sign me up, and I would add, that's what 1PW7 has.

  • Lars Junior Member

    Team Member

    @labguy88 - not at all: I'm glad you asked! 😃 "Putting all your eggs in one basket" via a password manager is a big leap under any circumstances. Having to do so precipitously like you are having to switch now makes it even more nerve-wracking. We're here to help. Drop by anytime!

  • Lars Junior Member

    Team Member
    edited January 7

    In this case however, LastPass's stink is getting on you too. Why? For no reason other than you too are a cloud-only solution, so you're the same.

    I would argue that any such tendency to associate thusly is more the result of articles such as the one you referred to. This NYT article says in the first sentence of the third paragraph - easily visible in anyone's browser, no matter how small the window:

    When you use a password manager like LastPass or 1Password...

    The NYT is America's paper of record, regardless of what one might feel about them, so what they say in their pages carries a lot more weight than other daily publications. And lumping us together with another competitor when only one of us was breached just because we are similar in that we are both password managers is, frankly, absurd. You can get a sense of it by imagining someone saying:

    When you read a newspaper like the National Enquirer or the New York Times...

    ...to see how problematic and simply inaccurate it is. I am not drawing any comparisons here, and in fact am exaggerating for effect. But the journalism is frankly sloppy, which is what I tried to subtly allude to in my previous response. Sure, publicly-addressable servers are potentially breachable. But in regard to the encrypted payload the attackers came for in the first place, it is the difference between what would occur if we were to suffer a similar server breach despite both our and AWS' efforts and what has already happened to LastPass customers' data as a result of their breach, that matters. And the answer to that is a function of the Secret Key, and how it protects you if we did suffer a similar breach.

    As you say, the devil is in the details, and many people won't dig deep enough. Which is one of the reasons this article's inclusion of us in the same breath as a breached competitor with different security properties than we have grinds my gears just a bit. Vaults pilfered from a successful breach of our servers are in fact orders of magnitude more secure than vaults secured with only a password. They're also more secure than if someone steals a copy of your data by successfully compromising a device of yours (because the Secret Key does live on your device and any competent attacker knows that). On your own device, it is your chosen password which protects you. And there, if you've chosen an easy(er)-to-guess password, you'd be at similar risk to what the attackers got in bulk from LastPass' servers. Vaults pilfered from our servers? Not so much.

    You're not wrong to wonder about the customer confusion/choice issue, but we had a similar thing with 1Password 7: the ability to create both local and 1Password account vaults caused no end of confusion for some customers. It caused duplicated data, and in some much more rare cases even data loss (people would delete a vault without realizing it was their only one, etc). Many more users were simply confused and ultimately put off by that confusion.

    Long story short (well, OK, short-ISH 😂): I'd refer you back to the OP in this thread, from our founder dteare, about the history and reasoning. And I'd hope most people willing to dig in and do research would learn enough from our support pages to understand that the current offering, in terms of the 1Password data on your local device, is no less secure than previous standalone/local storage options, and on our server, it is vastly more secure.
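An added illustration of the Secret Key point Lars makes above (example code written for this page, not 1Password's own implementation, and a deliberately simplified model): the same weak password is recoverable from a copy taken off the device, where the Secret Key is present, but not from a server-side verifier without it. PBKDF2 and an HMAC stand in for the real derivation steps, and the password, key, salt and guess list are all constructed.

```python
import hashlib, hmac

# Constructed sample values: a deliberately weak password, a fixed 128-bit
# "Secret Key" (random in practice), and a fixed salt so results are repeatable.
WEAK_PASSWORD = "sunshine1"
SECRET_KEY = bytes.fromhex("a3f1c2d4e5b60718293a4b5c6d7e8f90")
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DICTIONARY = ["password", "letmein", "qwerty123", "sunshine1"]  # constructed guess list

def derive_password_only(password: str, salt: bytes) -> bytes:
    """Key derived from the account password alone (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def derive_two_secret(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a high-entropy Secret Key into the password-derived key.
    HMAC stands in for the HKDF step; the XOR combine is the simplified model."""
    pw_key = derive_password_only(password, salt)
    sk_key = hmac.new(salt, secret_key, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))

def verifier(key: bytes) -> str:
    """Server-side check value derived from the key (what a server breach would expose)."""
    return hmac.new(key, b"vault-check", "sha256").hexdigest()

def guess_password(stolen_verifier, salt, dictionary, secret_key=None):
    """Offline dictionary attack; without the Secret Key only password-only keys can be tried."""
    for candidate in dictionary:
        if secret_key is None:
            key = derive_password_only(candidate, salt)
        else:
            key = derive_two_secret(candidate, secret_key, salt)
        if hmac.compare_digest(verifier(key), stolen_verifier):
            return candidate
    return None  # a 128-bit Secret Key cannot be enumerated, so the search stops here

def server_breach_password_only():
    """Server blob protected by password only: the weak password is recovered."""
    blob = verifier(derive_password_only(WEAK_PASSWORD, SALT))
    return guess_password(blob, SALT, DICTIONARY)

def server_breach_with_secret_key():
    """Server blob protected by password + Secret Key; the attacker lacks the key."""
    blob = verifier(derive_two_secret(WEAK_PASSWORD, SECRET_KEY, SALT))
    return guess_password(blob, SALT, DICTIONARY)

def device_compromise():
    """Copy taken from the device includes the Secret Key, so only the password protects."""
    blob = verifier(derive_two_secret(WEAK_PASSWORD, SECRET_KEY, SALT))
    return guess_password(blob, SALT, DICTIONARY, secret_key=SECRET_KEY)
```

The three scenario functions return the guessed password or None; the contrast between the second and third is exactly the device-versus-server distinction Lars draws.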

  • Scotty0844
    Community Member

    I just simply cannot wrap my head around why you would essentially remove yourself from a big chunk of the commercial sector. I don't care how "vastly more secure" it is, it still does not trump my and many other companies' Information Security Policies, which prohibit cloud storage of any credentials. I find your inability to even consider bringing back local vaults in the wake of the LastPass breach frankly appalling. Is it a money grab? Do you want to harvest and sell the unencrypted data? Seriously, what's your deal?

  • dteare Agile Founder

    Team Member

    Welcome to the forums, @Scotty0844.

    I started this thread with a detailed and very long winded explanation of the "why" behind our decision to go all-in on 1Password Memberships. Please give it a read and let me know any specific questions that remain unanswered.

    Sorry for my verbosity but I had a lot to cover. 🙂

    Take care,

    1Password Founder

  • dteare Agile Founder

    Team Member

    Hello everyone and Happy New Year! 🎉

    I thought it would be great to kick off the new year with an update on self-hosting, how much interest we’ve been seeing in this feature, and what’s in our heads for the coming year and thereafter.

    First and foremost let me thank everyone for their passion on this subject. We wouldn’t be here without passionate customers who cared about 1Password and our future, so thank you so much for continuing to share your thoughts with us. It really means a lot to me and the team. ❤️

    Let’s start with some raw numbers. Since launching the survey we’ve had 5,277 people complete the form. We started the survey when 1Password 8 for Windows entered early access on June 15th, 2021, just over a year and a half ago.

    Each response is stored in a 1Password vault using Secrets Automation so I get to see new responses throughout my workday. Here’s @Ben’s response when testing the survey, as well as letting us know he also wants this feature.

    The responses covered a wide range of passions, from individuals who want their data to never leave their devices, regional restrictions, companies that require their data hosted on-prem, hobbyists who just want to have fun and play, all the way to those who believe subscriptions are the devil incarnate. As diverse as these are, one thing was constant throughout: passion. The passion for this feature is unbelievable.

    As passionate as people are, I’ll be honest and say I was hoping for more responses. Having more would make it much easier to pitch this during our roadmap planning sessions. With that said, over 5,000 people is still a lot of people. Especially if you consider that most people don’t take the time to contact customer support, let alone take a survey. @roustem and I always assumed a 10x factor in situations like these so that starts getting into some big numbers. Still, if you haven’t had a chance to fill out the self-hosting survey yet, please do. It helps us gauge how much interest there is in this feature and I read every response and share the highlights with the team.

    Ultimately we have too many competing priorities on our radar at the moment, and we didn’t see enough interest in this topic to get self-hosting onto the roadmap in the immediate future. That’s unfortunate and I’m sorry to have to break that news to you.

    With that said, I was tremendously invigorated when discussing this feature with our product director and our chief product officer. Mitch got me really excited about the possibilities of a 1Password Community Edition, wherein the ability to host your own server was just one piece of many. And Steve was super excited about how a community edition could fit within our renewed focus on developers and the surrounding ecosystem.

    While there’s a lot of excitement around this feature internally, it’s a big lift. One we haven’t been able to fit into our near-term roadmap, yet I remain optimistic that we’ll be able to find a place for it in the schedule in the future.

    Please continue to share your thoughts in this thread. I’m notified of every response and while I don’t have a chance to always reply, I do read each and every post here.

    Take care and have a wonderful 2023! 🤗

    1Password Founder

  • icywolfy
    Community Member

    Our company had to drop 1Password support with this; and thus about 5,000 users needed to switch applications.
    It was a pain.

    If there was a local cloud sync process, that would work for the business -- but having already migrated away, it's likely not going to happen. As a private user, while I could run a cloud instance, I'd rather not and rely on local NAS for file storage and backups.

    The argument has been made. The majority of end users are not concerned about security, they want convenience. Which is a shame.
