Feedback: Wrong decision to stop selling standalone versions
Hello,
I am a long-time loyal customer of 1Password. In 2012 I read some blog posts at ifun.de about the benefits of using 1Password. ifun.de is one of the biggest blogs covering Apple news in Germany. The ifun.de guys were loving 1Password and they shared that love with their readers. I bought 1Password 1 & 4 for Windows and 1Password for iOS. Indeed, I began to love the work with this great tool, even if we Windows users had to wait decades for features like multi-language GUI support. Of course, I began to recommend 1Password to colleagues and friends. Four colleagues and six of my friends adopted my recommendation and bought 1Password, too. You have supported my recommendations by giving me rebate codes for my friends. Thank you again for this support.
For about one year the joy about 1Password is strongly chilling down. We Windows users have been waiting now since 2015 for a version which is comparable to the MacOS version. In my case, 1Password 6 for Windows currently can't replace 1Password 4 because it lacks too many essential features. And now you stopped to sell standalone versions of 1Password 4 for Windows.
I think this is a very bad idea. Take a look in your forums, I see many threads from users that wish to use the standalone version. For many users - including me - it is not an option to save the data on your servers. Why?
Your servers are a very attractive target for hackers. I am sure you AgileBits guys take your work very seriously and give your best to protect the data but humans make mistakes, and even bigger companies than AgileBits had already lost all their data. If I wanted to save my passwords centralized on cloud servers, I would have chosen LastPass in 2012, not 1Password.
Friends of me using 1Password work at companies that disallow saving their data on any external servers. For them it is not an option to use the 1Password account.
If you further force your customers to use the 1Password account like you do it now, you will lose more customers including me. ifun.de - whom I mentioned earlier - has written a blog post, why they stopped recommending 1Password and switched to Enpass: https://www.ifun.de/passwort-manager-wir-empfehlen-jetzt-enpass-105640/
It is ok that you focus your marketing on the 1Password account but please don't try to force your customers to use this service. Microsoft with Office 365 and Office 2016 is a good example of providing a good cloud service and even so supporting standalone version using customers.
My wishes:
- Bring back the 1Password 4 for Windows standalone version to your agilebits.com store.
- Add the ability to edit local vaults in 1Password 6 for Windows
- Provide a standalone version of 1Password 6 for Windows - it is okay for me, if you want to hide it in the agilebits.com store. Or you provide a software only subscription without the 1Password account services. That would be nice too.
I really would like to stay an AgileBits customer but if you force me to go, then I have no choice. Luckily, in 2017 there exist many good alternatives on the market.
Kind Regards, Kristian
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
Comments
-
I agree 110% with this post. It is my personal opinion that AgileBits has made the business decision to move towards a subscription-based model in order to make themselves more attractive as an acquisition target.
0 -
Hello Kristian,
First of all, thank you for your loyalty and such a structured and consistent post!
I cannot comment on business decisions as I am in the dev team and do not deal with them. However, I hope I can help you understand what makes your data safe, even in the cloud.
Actually, we made a very simple and straightforward decision to hold only encrypted data. That is why only the devices that are provided with your Account (Security) Key along with entering your Master password are able to "see" decrypted data. It doesn't leave any of your devices. The cloud server doesn't have the keys to retrieve it, and even if servers are hacked or someone gets access to it in another way, your information will remain safe and secure.
The same concerns data transmission between your device and server, and vice versa: data does not travel unencrypted.
Maybe somebody from our data security team will add some details here.
Best regards,
Oleksii
WinDev team
0 -
I've responded to blog posts on this as well and I am not going to repeat all of the points I have made there.. but I am a Mac and PC and iOS version that has bought several stand-alone copies of your software and have no hesitation to buying stand-alone versions when there are updates once or so a year. Being forced to "your cloud" in AWS or whoever hosts it doesn't sell me one bit and everyone saying "oh don't worry it will be safe.. you will just get locked out from making updates to the data once your subscription expires or the subscription server can't be reached". This is unacceptable. If I want to run a computer off the grid for extended periods or even on the grid this is just a LAME f'n excuse.
I will absolutely not purchase any further software from AgileBits if your only strategy is a cloud only strategy.. and I cannot emphasize enough how much I feel you are screwing over lower users and advocates but not listening to feedback.
I'd rather use open source KeePassX than be forced to the cloud and at very minimum IF forced to the cloud switch providers purely because AgileBits blew off every single piece of feedback from its existing users.
I thought it was a really cheap shot too to send out an email saying hey Cloudflare was hacked and your other cloud providers may be compromised.. but we weren't this time.
I have just had way way too many bad experiences with every single one-off software maker thinking they need to offer their services just in their own version of cloud hosting provider.. all to have the data compromised, lost, or locked out. Seriously annoyed.
0 -
@crsouser, I am sorry that our new policy disappoints you that much! And thank you for your time, spent on providing your feedback!
We - the whole AgileBits team - are here, on the forums all the time to hear every user. And we hear you as well as others. We are taking into consideration every piece of feedback, so your opinion is not unattended. However, business strategy is not a kind of thing that should be revised "twice a day".
Regarding some details in your post:
1. As I said in previous reply here, your data DOES NOT leave your device unencrypted. And even if the server is hacked, it simply CANNOT be disclosed. We have strong encryption with long keys, so it will take decades of processing time to decrypt it by force.
2. The data can be locked forever only if you lost/forgot your Account (Security) key or Master password. Only these pieces together can be used to decrypt the data and you are the only person who has access to it.
3. The total loss of data is almost impossible due to regular backups in different servers as well as temporary copies on your devices.
4. You CAN update your data WITHOUT internet connection on your device. It will be synchronized when the connection to the server is restored. But of course, until the synchronization happens, every device won't "see" changes made on any other one.
Hope this will help you to see that our service is not THAT bad as you imagine ;)
Anyway, you can always ask for personal assistance if you have uncommon situation. I can't say it will always be as convenient as using regular service, but we will do our best to resolve your problem.
Regards,
Oleksii
WinDev team
0 -
@Oleksii Thanks for the response again.. but I am not sure you still understand my posts or my concerns...
I never said anything about being worried about the details leaving my device unencrypted.. the data is locked from editing if you don't have a subscription (yes I can still in theory export it) up until you decide to delete it.. total data loss is a possibility and I have seen it with other one off apps trying to do their own cloud service multiple times despite having backups like going out of business, being acquired, data synchronization and corruption, version incompatibilities, hacked, etc. #4 I want local vaults and a choice of my data storage location so I can impose my own secondary controls on it.. yes I realize it still can cache local copies like the current version but it will disable itself if your subscription is not current and so its not truly local.. I am also not clear if it caches my entire database or just most frequent or recent items... but if this wasn't passwords and other information I wouldn't be so finky but this is sensitive information and I feel like its being just treated as "data" the same way status in a game would be.
I understand what your service has to offer but I like your "software" and do not want your "service".. again not everything needs to be in the cloud and I have been burned way way too many times by apps requiring I store data in "their service".. and if I have to regularly manual export it to protect myself against what has been previously encountered it defeats the purpose of the "service". It is not a control thing.. it is a quality and ease of use thing.
0 -
I thought it was a really cheap shot too to send out an email saying hey Cloudflare was hacked and your other cloud providers may be compromised.. but we weren't this time.
@crsouser: It sounds like you voluntarily signed up to be notified of new AgileBits blog posts. I'm not sure I see where explaining the situation to our customers was inappropriate or a "cheap shot", but please let me know if there's some statement or wording in particular you're referring to. The reason for this blog post is that many of our customers were explicitly asking these important questions:
- "Was 1Password affected?" (Implicit: "Am I affected?") No, 1Password and its users were not affected by the vulnerability.
- "Why wasn't 1Password affected?" Data is encrypted locally before being transmitted, and we don't rely on the transport layer for 1Password's security.
I think @jpgoldberg did a great job in the blog post of explaining things without prejudice, and it was important for many of our customers to have this kind of clear reassurance. Even if you yourself weren't particularly interested, I'm sure you can appreciate the importance of knowing that your data is secure and the appeal of understanding the care we put into accomplishing that. Otherwise you probably wouldn't be using 1Password in the first place.
Regarding your concerns about security and data availability, I don't mean to minimize that. They are incredibly important to us, or we wouldn't be here in the first place. And while the statements you're making about how 1Password.com works aren't accurate, keep in mind that the things you're complaining about couldn't actually affect you anyway if you're not using 1Password.com, even if they were true. Please see my next post for more details if you're curious, but for completeness I'd like to offer a few simple points that summarize how 1Password.com secures our data:
- 1Password data is encrypted locally on the device using the Master Password and Secret Key before it is transmitted.
- The server receives only an encrypted blob to store in its database.
- The Master Password and Secret Key themselves are never transmitted.
This is what Oleksii is talking about when he says that a server breach doesn't give someone access to the data; the attacker simply doesn't have what they need to decrypt it — only you do.
I wouldn't be so finky but this is sensitive information and I feel like its being just treated as "data" the same way status in a game would be. [...] I understand what your service has to offer but I like your "software" and do not want your "service".. again not everything needs to be in the cloud and I have been burned way way too many times by apps requiring I store data in "their service".. and if I have to regularly manual export it to protect myself against what has been previously encountered it defeats the purpose of the "service". It is not a control thing.. it is a quality and ease of use thing.
I couldn't agree with you more. This is something we take very seriously. It's the foundation of not only our business and livelihood, but also our own security as 1Password users ourselves. I'm sorry if Oleksii's friendliness gave you the wrong impression, but I can absolutely understand where you're coming from. Sometimes sober assurances are needed, so I've tried to offer more from that perspective, and will continue to do so if you have any other questions at all. Thanks for sharing your thoughts and feelings, and for engaging with us in this important discussion! :blush:
0 -
@Kristian, @crsouser: A few clarifications:
- You're not "forced" to use our "cloud"; since we haven't removed the ability to use local vaults and advanced sync options from any of the apps, you can continue using 1Password however you have been since before we introduced 1Password.com and afterward.
- We've stopped selling licenses for 1Password for Windows version 4 because it is mature and no longer under active development. For that reason, we don't have any plans to "bring back" 1Password 4 licenses. Anyone who wanted to purchase it has had 3 years to do so (actually much longer, as we had a large free upgrade window for those who purchased the previous version).
- We will consider selling licenses for the new 1Password 6 Windows desktop app, but it isn't at a stage where it's reasonable to do so, given that it doesn't support local vaults. And since this isn't something we're actively working on at the moment we don't have more to say at this time. We'll have to revisit this once our current projects are out the door.
- Even if you choose to use 1Password.com but let your subscription lapse, we don't lock you out of your data. It's still available on your devices (and in the web interface) as read-only. This isn't theory, it works this way in practice. More in this vein below.
- Finally, I agree completely that "Don't worry, it will be safe" is an unacceptable answer when it comes to the security of our most important data. Fortunately, no one here is saying that. So let's get into security:
First and foremost, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since Your Secret Key (F.K.A. Account Key) is created locally, your Master Password is chosen by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data. You can read more details on how all of this works in our white paper.
So with a 1Password Account, three things are needed to do anything useful with your data. We usually think of it as two, but there's one more we can't forget:
- The encrypted data — without this, well...you're out of luck.
- The Secret Key
- The Master Password
Without each of these, it's impossible to access anything you have stored at 1Password.com. With a local vault, only the Master Password and vault are needed. That's not to say it's insecure. But we needed to take it a step further for storing people's data on our servers, so that even if the server is breached, it is impossible for someone to gain access to your data.
So, significantly, with a 1Password.com account, it is impossible for someone to perform a brute force attack on your Master Password to try to decrypt the data, because they also need to guess the (randomly generated, 128-bit) Secret Key.
However, to be completely clear, while we've designed 1Password.com to work in such a way that the attacker can't access your data even if they breach the server and dump the database, we invest a lot in ensuring that this doesn't happen in the first place, both internally and with external audits and bug bounties. We don't take any of this lightly, and we're actively working to continue to secure our customers' data. After all, "Security is a process, not a product."
But we can't really talk about security without mentioning data availability, because none of this does you any good if you get locked out of your data somehow — whether by forgetting your Master Password, losing your Secret Key, hardware/software failure, or simply not being able to connect to the server. So 1Password.com also enables family and team administrators to perform account recovery for other members, has automatic offsite backup for your data (with web access) with item history, and keeps a local copy of your data on your authorized devices for when you're offline — or the server is down (we had maintenance for about an hour last night, for example — though it wasn't unavailable during that time).
Ultimately, we live and breathe this stuff. I'm not saying you have to go this route yourselves, but I hope this gives you a better sense of the why and how we're offering this service, and that we recognize that these are issues we shouldn't — and can't afford to — ignore.
0 -
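A sketch of the difference described in the post above between a password-only local vault and an account keyed by Master Password plus a 128-bit Secret Key, added here as an example; it is not AgileBits' code and not the construction from their white paper. The PBKDF2/HKDF/XOR combination, the iteration count, the HMAC-based stand-in cipher, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-and-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(password: str, salt: bytes, secret_key: Optional[bytes] = None) -> bytes:
    """Password-only key (local-vault model) or two-secret key (account model)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)
    if secret_key is not None:
        # Mix in the high-entropy device secret; without it the key is unreachable.
        mask = hkdf_sha256(secret_key, salt, b"secret-key-mask")
        key = bytes(a ^ b for a, b in zip(key, mask))
    return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC stand-in for a real AEAD such as AES-GCM (stdlib only)."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not authenticate the blob."""
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))


def try_wordlist(record: dict, wordlist, secret_key: Optional[bytes] = None):
    """Model of offline guessing against a dumped record: which candidate opens it?"""
    for candidate in wordlist:
        key = derive_key(candidate, record["salt"], secret_key)
        if open_sealed(key, record["blob"]) is not None:
            return candidate
    return None


def demo() -> dict:
    # Constructed sample values; the wordlist deliberately contains the real password.
    password, item = "correct horse", b"bank: s3cret"
    wordlist = ["letmein", "correct horse", "hunter2"]
    secret_key = secrets.token_bytes(16)  # 128-bit, created on the device, never sent
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    local = {"salt": salt_a, "blob": seal(derive_key(password, salt_a), item)}
    account = {"salt": salt_b, "blob": seal(derive_key(password, salt_b, secret_key), item)}
    return {
        "local_vault_dump": try_wordlist(local, wordlist),
        "account_dump_no_secret_key": try_wordlist(account, wordlist),
        "account_dump_guessed_secret_key": try_wordlist(account, wordlist, secrets.token_bytes(16)),
        "owner": open_sealed(derive_key(password, salt_b, secret_key), account["blob"]),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the password-only record falls to a wordlist that contains the password, while the two-secret record does not open unless the 128-bit device secret is also known.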
I agree 110% with this post. It is my personal opinion that AgileBits has made the business decision to move towards a subscription-based model in order to make themselves more attractive as an acquisition target.
@btownguy: While I can understand why you might make that assumption, this is 180% wrong. Terrible 180º analogy aside, what I mean is that the opposite is true: we're proud to be an independent Canadian software company. We love what we do, and a big part of that is not being beholden to a parent company, outside investors, or advertising dollars. We've turned down offers in the past and will continue to do so, and the only way we can do that is by running a sustainable business.
I recognize that the rest of this may not apply to you, but I hope you'll appreciate that by virtue of participating in internet forum discussions for security software we are self-selecting for being more technical. Given the expectations of most people that 1Password be continually improved and "just work" without having to worry about managing licenses for multiple platforms, purchasing upgrades for each, configuring sync and sharing on a per-device/per-vault basis, and, most importantly, they don't care about the details: they just want to keep their data — and, often, that of their loved ones and/or coworkers — secure and accessible to them everywhere they need it. And almost no one thinks to backup their data until it's too late. 1Password.com solves all of these problems.
But you and I are not most people. I still use Dropbox to sync local vaults and have always been comfortable doing so, even if it's a hassle at times. So for me the primary draw of 1Password.com is to make my life easier by making 1Password more accessible to my family and AgileBits customers. Previously, the only options for any of those people were either to take a lot of time to figure all of this out, to get help from us (also potentially time-consuming), or to forego all of this and use 1Password on a single device, probably not backing up their data, and potentially losing it when they upgrade to a new computer or phone.
Now, I realize that all of this may sound unbelievable or downright exaggerated, but it's the truth. It's something I face every day, and as a company of people who care deeply about making it easier for people to secure their digital lives this has been what we've concerned ourselves with for the past decade. Hopefully this gives you a better sense of where we're coming from at least. Even if you're not interested in 1Password.com yourself, just keep in mind that nothing's been taken away from you. And as a security enthusiast you can probably appreciate the thought we put into all of this.
0 -
Friends of me using 1Password work at companies that disallow saving their data on any external servers. For them it is not an option to use the 1Password account.
Actually that is also the case for me - so what is the current recommendation, as I cannot use a local vault with 1Password 6 for Windows?
0 -
@Julian23 then on Windows, you should use 1Password 4 for Windows. It has local vault support. https://app-updates.agilebits.com/download/OPW4
0 -
If you wish to keep using local vaults on Windows, 1Password 4 is your solution.
Thanks, Manaburner for posting the link.
0 -
@AlexHoffmann, @brenty, please clarify. The original poster @Kristian commented that "And now you stopped to sell standalone versions of 1Password 4 for Windows." This issue was re-raised by @btownguy, @crsouser, and @Julian23. And now I'm re-raising it again to see if we can get a responsive answer.
When I go to agilebits.com and click the link for personal pricing, namely https://1password.com/pricing/ , this redirects to https://1password.com/sign-up/ which offers a subscription to 1Password for $2.99 per month, or a subscription to 1Password Families for $4.99 per month. There is no option to buy any kind of perpetual license for 1Password4 for Windows.
Just above my comment, @Manaburner gave the downlink for 1Password4 for Windows, and @AlexHoffmann says 1Password 4 is the solution for users who wish to keep using local vaults on Windows.
So is it the policy of AgileBits that new users are free to use 1Password 4, without restriction and fully functional (not a 30-day trial), without a license and for as long as they wish? If not, then how can they buy a license when it doesn't appear to be offered for sale?
The fact that there's no apparent way to buy a perpetual license for 1Password 4 for Windows is the root cause of the perception (or misperception) that AgileBits has decided to force everyone to use the new cloud solution (with the exception of grandfathered users who already hold a license to 1P4.) That perception is reinforced by @Oleksii, who responds to @crsouser's concerns about being forced to use the cloud version with "I am sorry that our new policy disappoints you that much!"
So please clarify this issue. Can a new user buy 1Password4 for Windows? If so, how?
0 -
Hi @bkh,
Thanks for writing in.
- No new customers can buy a Windows version with local vaults support only right now. Only 1Password.com memberships are available on Windows and yes, that means we do not have any local solution for new Windows customers. We do know 1Password.com is not permissible for everyone.
- We still want to add local vaults/licenses to 1Password 6 down the line.
We just cannot offer new sales to 1Password 4 that will not be getting more updates. It'll continue to get security-related updates and we'll continue to offer support as we always do for current customers but at the same time, we must shift all of our focus on 1Password 6 and the more we add features to 1Password 6 sooner, the faster we can add local vaults/licenses there.
0 -
This whole situation is just baffling to me. Disappointing on so many levels.
0 -
"We still want to add local vaults/licenses to 1Password 6 down the line."
Then it would seem to be in your best interests to accommodate those who wish to buy 1P4 now.
"We just cannot offer new sales to 1Password 4 that will not be getting more updates."
I put it to you that there are ethical ways to do this. State up front that 1P4 will not be updated and it is possible there may never be a version of 1P6 with local vaults. Promise that if in the future there does happen to be 1P6 with local vaults, it will be offered at a discounted price to those who purchased 1P4 after April 5, 2017. This does not introduce a bargain-price for 1P4 that undercuts the cloud version, and it gives a way to satisfy these new customers who otherwise will be lost to alternate password managers.
Please add my name to the list of those who appeal to dteare for a reconsideration of the business decision that no new licenses will be sold for 1P4 for Windows.
0 -
Crossing fingers and praying for a "Our customers spoke, we listened..." post.
0 -
This content has been removed.
-
Hi @cobaltjacket,
No, that's not happening. First, we support Folder Sync (local vaults only) on both desktop OSes, Windows and macOS. You can use this with any sync services you want. However, the limitations are on the iOS platform, to support even just one sync service, we must basically build the entire sync service using their APIs. We're not talking about just syncing files but also resolving sync conflicts ourselves when you update the same item on multiple computers. Think about sharing a vault with multiple family members and they're all editing at the same time. This isn't a simple thing to do and we have to maintain it all the time. Even this year, Dropbox is killing off their older API version and now, we must update the iOS version to support Dropbox API v2. That's actually why we've removed Dropbox API in 1Password 6.5 update today, we'll use Folder Sync instead where you have to install Dropbox's client to sync the local vaults, just like in 1Password 4 for Windows.
Implementing our own sync service means our own schedule, meaning it is completely under our control. We do not have that control with any other sync services, they must target the mass market and have their own roadmap. It takes up a lot of resources just to support one sync service, to add another one would double the complexity of the app.
0 -
This content has been removed.
-
If "local folder" sync works via Dropbox (or Box, preferable), then that is good enough.
Yep, that will work via Dropbox or Box.
Will iOS still be able to sync with that folder, or is that going to be deprecated as well?
Only Dropbox, we have support for Dropbox and iCloud in the iOS app. Box will not be supported in the iOS app. There is no Folder Sync because of how the iOS works with its sandboxes, we can't point you to any random folder as there is no user-accessible file system. On Android, we support Folder Sync because it does have one.
0 -
Just adding another voice to this thread, it'd be really good to see something official and clear about what the deal is here and what upgrade path those of us stuck using 1Password4 on Windows will have.
0 -
@warpspeed: As Mike mentioned, when we have more information to share, we'll do so publicly.
0 -
@bkh: @ -mentioning more than a half dozen people, most of which you weren't even responding to directly, is just kind of spammy. Right now we're focused on other things, and while we're paying attention to this feedback, keep in mind that going around in circles won't change that. The important thing is that we know you prefer a standalone license / local vault.
We've already stated that 1Password 4 is no longer under active development, which is why it's not available in our store anymore though. If you or anyone else is still interested in purchasing a standalone license, shoot us an email at support+licenses@agilebits.com and we'll see what we can do to help. Just post the Support ID you receive here so we can find it and get back to you quicker.
0 -
"@ -mentioning more than a half dozen people, most of which you weren't even responding to directly, is just kind of spammy."
I apologize. I did not properly understand this connotation of an @ mention; I thought I was just being inclusive in the conversation.
"The important thing is that we know you prefer a standalone license / local vault."
With respect, that is not the important thing at all. The two important things are (1) you have potential new customers who are being turned away because of the message that the only option that new customers can purchase is the cloud implementation, and (2) we are getting contradictory messages from agilebits representatives, namely (a) customers can't get a new license for 1Password with local vaults on Windows, but (b) maybe they can if they email support. I was trying to get clarity on that point, but as of today, the contradictory messages are still asserted by agilebits representatives on the forum.
0 -
@brenty - "The important thing is that we know you prefer a standalone license / local vault."
I've read several times in this thread that local vaults are being considered for implementation into 1Password 6 in the future. You acknowledge above that some of us prefer standalone licenses as well, but I didn't read that standalone licenses are also under consideration in the future for 1Password 6? Are both standalone license and local vault support under consideration for the future, or just local vault support?
Thanks.
0 -
Hi @essential,
Both.
When we add local vaults support, we will add licensing in addition to it, not tied together.
If there is no 1Password.com account signed into the app, you need a valid license to use local vaults.
If there is one account signed in, you can still use local vaults without any licenses required.
1Password.com comes with all 1Password apps and future versions included at no extra costs.
That's part of the reason why it is not as easy as it sounds to add support for it, licensing alone takes up a lot of development but it is not the sole reason why we don't have it now. In addition to licensing, we also have to add complex sync logic, such as handling sync conflicts when you and/or family members write to the same vault from multiple 1Password apps. That's why we've never added the write support when we are able to add read-only local vaults.
0 -
This content has been removed.
-
@cobaltjacket: I'm not sure I see the logic there. Us no longer selling licenses for a particular version doesn't prevent you from using the license you've already purchased. It will never expire, and you can continue using it for as long as you have a computer that will run it. That said, if you purchased a license recently and decided that a 1Password.com membership would be a better fit for you, there may be something we can do to help. Just shoot us an email at support@1password.com with your purchase details and post the Support ID here and we'll take a look. Cheers! :)
0