Why the change in strategy?
I am a long-time 1Password user. I own a license on every platform except Android (though I may have even gotten one for that in a bundle at some point). I followed the forums and discussions now and then, and was always impressed with the software, development, professionalism, and support. I bought into the whole idea that 1Password was different and better than the competition, due in part to its offline storage model. I had seen this touted on the forums as an advantage over the others, and rightfully so: when I would see reports of the centralized services getting hacked, having downtime, etc. I would mention it to friends who might be interested in getting a password manager as a disadvantage.
Now that Teams, Families, and Personal versions of 1Password have been released, I feel myself a bit in limbo. I know that the standard line will be that the classic version is still available, etc., but I have to ask myself if this is the way the industry is going. Should I convert to an online solution? And if so, why should I stick with 1Password at this point? Other services, while perhaps newer, have more experience with storing the vaults online, and even if I give Agile the benefit of the doubt (which I am ready to do with their past experience and professional approach to openness and encryption), other services also offer some features above and beyond that of 1Password.
I am very much a loyal customer to companies, and I believe very much in what 1Password has done in the past. They have always stressed that their encryption is top-notch, and backed it up with facts, and frequent posts. But now that this is moving into a server architecture, I can believe it will be harder for them to justify and remain open with such information.
I guess the main thing I am asking is what was the motivation behind the company's pivot to online vaults, and where is this heading in the future? Also, 1Password now seems a misnomer, since I have to remember two passwords for my online vault (one to authenticate a device, and one to get into the vault, if I understood correctly). :) I would be very interested to hear the company's thoughts on the state of the industry, and what led to the current situation.
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
The world itself is moving in that direction.
I used to remember every password in my head. Then sites, particularly the several dozen applications at work, required we change them every month - and not reuse any combination of the last 12. So I jumped on 1pass. Then comes mobile and there I am one day trying to get onto a site to pay a bill and I can't because my 1pass vault is sitting on the home computer. I would have certainly gone with a competitor had 1pass not evolved.
0 -
Greetings @lonevvolf! Thanks so much for writing this post. :) I appreciate you taking the time to give a bit of background on how you're feeling, too, as that helps give me a better idea of how to help out. Let's jump in.
Now that Teams, Families, and Personal versions of 1Password have been released, I feel myself a bit in limbo. I know that the standard line will be that the classic version is still available, etc., but I have to ask myself if this is the way the industry is going.
I'm sorry we made you feel that way. We didn't want to disrupt your workflow as an existing user. We're offering a subscription as an alternative for folks who prefer to organize everything in one nice place and not worry about syncing it between their devices. This has been a challenge from the start with 1Password, and we finally decided to do something about it with the concept of an account. The only thing is, accounts have to be stored somewhere, and storage in the cloud is a recurring bill. Subscriptions fit that perfectly. But we are also going to continue supporting the standalone apps and licenses, and they will be getting updates too.
The apps are the core of 1Password. They make it a unique password manager, because most others out there use browser extensions and websites primarily. We believe in having a native experience, and we don't want that to go away anytime soon. Lots of our users, too, are using 1Password because they prefer the standalone experience, not a cloud-based one. That's totally fine — to each their own. :) And you can keep using things just as you always have. Seriously. We're not planning to stop selling licenses or stop supporting that model. If something changes, we'll let you know well ahead of time.
Should I convert to an online solution? And if so, why should I stick with 1Password at this point?
That's entirely up to you. There are some great reasons to switch, but if you like 1Password as it's always been there's no need to change that. If you're curious about what's new in the subscription model, this should help:
The difference between a 1Password subscription and a standalone license
I hope that gives you an idea of what the subscription would do for you.
So there's a bit of background on the decision. It wasn't easy. We had to consider what people really needed, and what we got lots of emails about. Lots of people had trouble with sync, no matter how we boxed it up or made it easier, so a unified experience with an account was just the best option at the end of the day. It's okay if that doesn't fit you — you have a very good idea of what you're looking for. :) Don’t let the subscription get in your way.
0 -
@PhoenixDown I replied to you in your main thread, so let's keep this discussion going there. :)
0 -
@Jacob Thank you for the detailed answer. I just want to stress that it's not my workflow that I'm worried about here. It's more of the overarching strategy for AgileBits. I'm sure you'll recall the following blog posts (among others):
https://blog.agilebits.com/2013/06/07/nsa-prism-1password-security/
https://blog.agilebits.com/2013/09/06/1password-and-the-crypto-wars/
In which the decentralized nature of the vault storage is touted as an advantage. Perhaps it's time for an update to such posts? For instance, where it is mentioned:
"Could we be compelled to weaken 1Password or allow for the weakening of 1Password?
Not without substantial risk that such attempt would become public."
I think that this needs to be addressed. To ask it bluntly, what will happen when the NSA asks for someone's vault, even if AgileBits cannot decrypt it? Or if they eventually are asked to weaken the encryption? Will it be handed over? Will the user or others be notified? AgileBits has always been very open about such things, and I think in light of their business plan pivoting, they at least need to address this to the public.
Also see the post from an AgileBits employee, commenting on the security of online password managers:
http://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass:
"The other questions about trusting the suppliers of the password management system come down to trusting our competence and trusting that we haven't been coerced/bribed/"persuaded" to allow for a back door into the system. This is a lot more complicated. How do the vendors deal with security bugs as they are discovered? How much of the product's behavior and design is independently verifiable? Do the creators understand the crypto that they are using?
For systems, like 1Password, that don't have any data from users, there is very little reason for us to even be approached by government agencies (and we haven't been.) At the same time, you should assume that governments do have access to your data stored on sync systems. So again, this comes back to the question of how that data is encrypted."
What would that post look like now?
Again, I understand the costs associated with hosting the vaults, etc. I was simply taken aback by the complete about-face of AgileBits in moving to online cloud storage. I guess if this makes them more competitive, then I understand that they need to do it to stay alive. I'll probably convert over to online at some point anyway, but I like to know what to expect in the near future, as much as possible.
Thanks again for lending an ear, and letting us have some insight into the inner workings of AgileBits! :)
0 -
Hi @lonevvolf
Thank you very much for your answer, and for taking the time to talk with us about this. We're glad to have a chance to discuss all these topics and do our best to keep your trust in 1Password :chuffed:
I think there's a key thing that's mentioned a few times across the posts that you linked that is what all this revolves around. 1Password is designed under the assumption that your data could be stolen or acquired by someone undesirable and made in such a way that even if that were to happen you'd still be safe. Actually, with 1Password Accounts your data is even more secure than ever. Not only is it encrypted with your Master Password as it has always been, we also added a very big extra piece of security: an Account Key. Your Account Key is a 128-bit string of random characters that needs to be combined with your Master Password in order to decrypt your data. Your Account Key is generated locally on your computer and never sent over the internet. Your data will never leave your device unencrypted. I can assure you, we wouldn't be offering accounts if we didn't believe that they are secure. You can take a look at the general information about security here: https://1password.com/security/
If you are in the mood for some more technical details, our White Paper will tell you everything about it. It's a very interesting read (I for sure enjoyed it!).
Now, when you ask how we would update these articles, you'll find on them several quotes on the line of:
At the same time, you should assume that governments do have access to your data stored on sync systems. So again, this comes back to the question of how that data is encrypted.
And even more importantly, this one:
As we’ve often said, we designed the data format used in 1Password with the knowledge that some people would have their data stolen. It might get stolen because their computer is stolen or it might get stolen because of a data breach at a service like Dropbox. Either way, we’ve assumed that there would be circumstances where an attacker may get hold of your 1Password data, and so we designed the data formats with encryption to keep your secrets secret.
This is still the case with 1Password Accounts. In order for a third party to have access to your data, not only would they need to know your Master Password, now you'd need to add the Account Key to the things they need. Someone can only have it if they have physical access to your device, in which case they would already have the data stored locally as well. In a worst case scenario, if a government agency were to demand your data from us, there's very little they could do with it, if anything. We see the "dark" side of this every now and then when someone writes to us because they're locked out of their account and we just simply, literally, can't help them regain access.
With all this being said, I want to reassure you that you don't need to move to our new hosted system if you don't want to! While I read the White Paper and was convinced by the math, we completely understand that some of you chose 1Password because it's stored locally, and that option is not going anywhere. However, let me tell you that after a few months using 1Password Accounts, I personally would not go back to local vaults ;). About this:
I was simply taken aback by the complete about-face of AgileBits in moving to online cloud storage.
We're not moving as much as expanding to have more options for everyone. Having a hosted service has allowed us to offer some very special things that are impossible otherwise. Our aim is to give everyone a version of 1Password that will suit them best!
I hope to hear back from you with your thoughts on all this!
0
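The reply above explains why a stolen encrypted blob is of little use to whoever obtains it: the key that protects it is derived from the Master Password combined with a 128-bit random Account Key that never leaves the device. The following is an added illustration of that two-secret idea, written for this thread and not taken from 1Password's own code or white paper; the salt, the Account Key value, the iteration count and the HMAC-based combination are constructed assumptions, and the "vault" is reduced to a key-check tag that an attacker holding the stolen data could test password guesses against.

```python
import hashlib
import hmac

# Constructed parameters for illustration only; the real product's derivation
# is specified in its security white paper and differs in the details.
ITERATIONS = 100_000

def derive_from_password(master_password: str, salt: bytes) -> bytes:
    """Slow, salted derivation from the Master Password alone (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

def derive_from_account_key(account_key: bytes, salt: bytes) -> bytes:
    """One HKDF-style extract/expand step over the high-entropy Account Key."""
    prk = hmac.new(salt, account_key, hashlib.sha256).digest()
    return hmac.new(prk, b"account-key-expand\x01", hashlib.sha256).digest()

def two_secret_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Combine both secrets by XOR; neither one alone reproduces the key."""
    a = derive_from_password(master_password, salt)
    b = derive_from_account_key(account_key, salt)
    return bytes(x ^ y for x, y in zip(a, b))

def key_check(key: bytes) -> bytes:
    """Stand-in for the encrypted vault: a tag that reveals whether a key is right."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()

def offline_guess(check: bytes, salt: bytes, wordlist, account_key=None):
    """Model someone holding only the stolen blob trying each candidate password."""
    for guess in wordlist:
        if account_key is None:
            key = derive_from_password(guess, salt)
        else:
            key = two_secret_key(guess, account_key, salt)
        if hmac.compare_digest(key_check(key), check):
            return guess
    return None

def demo():
    salt = b"constructed-salt-0001"                                 # constructed
    account_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit value
    password = "correct horse"
    wordlist = ["password", "letmein", "correct horse"]             # constructed guesses
    password_only = key_check(derive_from_password(password, salt))
    combined = key_check(two_secret_key(password, account_key, salt))
    return (
        offline_guess(password_only, salt, wordlist),          # weak password alone is found
        offline_guess(combined, salt, wordlist),               # same guesses, no Account Key: None
        offline_guess(combined, salt, wordlist, account_key),  # legitimate owner with both secrets
    )
```

The middle result is the point of the reply: with the same dictionary and the same password, the stolen data alone no longer confirms a correct guess, because the 128-bit Account Key is not something a wordlist can supply.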