No standalone version anymore?

Hi,
I regocnized that the standalone versions will not offered anymore. Am I Right? Does it mean that only a subscription model will be offered in future? What's the status with local vault support? Does it mean that use of local vaults will be only possible with a valid subscription in future? Or did you decide shortly not to provide local vaults in future in 1PW v. 6 for windows?

Comments

  • Kristian
    Kristian
    Community Member

    I read this information too for the MacOSX app: https://www.ifun.de/abo-wird-pflicht-1password-entfernt-den-einmalkauf-104427/

    If AgileBits apply this strategy for the Windows App too, they will lose me as customer.

  • Hey you two,

    Thanks for posting your feedback and questions here.

    Going forward we won't be marketing the standalone versions anymore. If you already have a licence, you most likely won't see any changes but local vaults and licensed versions won't be actively marketed in the future.

    On Windows the situation is slightly different as we have a mature product that only supports local vaults with 1Password 4 and one quickly evolving and incredibly modern application focused on 1Password.com accounts with 1Password 6.

    We haven't made a decision as to whether support for local vaults will be removed for new user completely because we're simply not in a position to do so right now. We know that local vaults and the ability to keep certain data solely on one machine is something many of our advanced users want to see and we're not ruling out adding support for this to 1Password for Windows at a later point.

    @Kristian We understand your sentiment regarding a subscription model and we certainly don't want to lose you as our customer. We'd like to ask you to give it some time and to let us know what it is you wish to see.

    To be perfectly honest, we're seeing how much people love 1Password.com accounts and the additional features offered. Features, increased security & data availability, and other types of improvements that we can only offer by providing everything from the client to the data infrastructure to controlling the syncing process.

    We'd love for you to give this a try and let us know what you think.

    Cheers,

    Alex

  • skerbsf
    skerbsf
    Community Member

    Alex,
    I am a 1Password user on macOS and iOS. I consider myself a more advanced user. I have no desire to have my password sensitive data stored on any cloud service (even if it is encrypted). If the cloud service is successfully attacked, then the attacker now has his/her hands on all your user's vaults. Again I know these are encrypted, but now your cloud service is an attack vector that might have flaws (humans develop the software of course) that make all your customers vulnerable to have heir keychains stolen. I would prefer to keep my keychain locally on my own machine (that might be completely offline).

    As a1Password user, it looks like the writing is on the wall and you are moving away from local keychains. I hope that you guys will change your mind (or the path it looks like you are going down). If not I will also have to find another password manager (or perhaps develop my own). I would prefer to continue using 1Password. You guys currently make a great tool and it would be a shame to alienate part of your user base (especially ones who have helped evangelize your product over the years). Thanks for "listening."

  • skerbsf
    skerbsf
    Community Member

    Also, if this is about revenue, please know I am happy to pay for a 1Password license on any and all machines I use it on. I am not willing to pay a subscription fee for the tool though. This looks just like a money grab IMHO.

  • Finke03
    Finke03
    Community Member

    Thanks Alex. This is very frustrating for several users but true words from your side. I don't understand why an existing functionality like local vaults will be removed in future versions? I fully agree that you will offer your subscriptions and cloud based functionalitys, but the choice should be taken by the user and not by agilebits. I know that you are staying behind the advantages of the cloud based solution. But from my user perspective the vault is in the web and therefore not as secure as encrypted on the local hard disk. Your servers will be very attractive for hackers in future.
    Sorry but I can not fully trust a cloud based solution to put my complete financial life in it. Or do you offer a guarantee which will settle the financial lost of the users if the online vaults will be hacked?
    So I would need another local tool for my very important data.
    I fully agree the posts above - you will lost a lot of users due this kind of step.

  • dwk
    dwk
    Community Member

    Everytime I had doubts about local vault support for 1password 6 for windows, I was told that local vault support is never going away and that it wasn't even something to be debated on. I was always reassured by AgileBits members that local vault was set in stone (timeline was never given but very understanable).

    Reading what @AlexHoffmann wrote above sounds pretty much like 'we are still deciding whether we should work on local vault or not' instead of 'we are working on local vault support but it may take time'.

    Truth to be told, 1Password.com account is better than standalone 1password in many ways. However, it's the nature of 1Password.com that drives me away from using it.

    Imagine you bought a physical safe and placed it inside your house. The seller of the safe was very confident that it would be almost impossible to crack the safe open. One night, a burglar broke in and stole your safe. Knowing what the seller told you, would you be able to sleep better at night ?

    I guess we all know the answer to that question. I have no doubt that AgileBits made 1Password as stong as it could be. My distrust lies with foundation of all cloud services where your data is available 24/7. I wouldn't mind signing up for subscription model of standalone version of 1Password if it supports local vault. So please consider again for paranoid users like me out there.

  • Kristian
    Kristian
    Community Member

    Hello @AlexHoffmann

    thank you for your reply. As @skerbsf said, everyone can make mistakes. Your server systems filled with all the keychains are very attractive targets for hackers. I think, that you give your best to protect the data, but much bigger companies as AgileBits have lost all their customer data.

    Because of that it is essential for me to control the storage place of my 1Password Keychain. You say that AgileBits will support standalone versions in the future. That is great to hear. But if this is true, I wonder why AgileBits removed the standalone MacOSX app version.

  • Hey people!

    I'd like to thank you for this lively discussion and the good point being made by all of you.

    Before I address anything else that's been said, I want to give you a bit of information about the security aspect because some of the assumptions and statements made in this thread are incorrect. To clear this up, I'm going to quote one of our developers, Rob:

    You make a great point about the possibility of our servers being an attractive target for attackers, […]. As I'm typing this, my heart is starting to race, but probably not for the reason you think. I'm actually getting super excited because I get a chance to explain why we are not an attractive target for attackers. In fact, Dropbox is a much more attractive target for potential attackers.

    Why?

    The Account Key

    If you don't have a 1Password.com account yet, you may have never come across this term. But this single thing singlehandedly and drastically reduces the attractiveness of our servers. It's a 128-bit completely random key that is stored on users' devices and never on our servers, and it is used in combination with the Master Password to encrypt users' private data. It's far too long to be memorized, and also far too long to be guessed by brute force cracking methods.

    Now, we take great measures to ensure that no one is breaking into our servers, including a security bug bounty program where we challenge people to break our stuff and pay them for any issues they find. We've also been audited by CloudNative and nVisium. And we're continuing to consider other audits and assessments that will help assure users of our security infrastructure.

    But, let's say, as you mentioned, someone manages to get through our safeguards and can download a raw copy of our full database. What they will get is an assortment of names and email addresses and other metadata and then a bunch of gibberish. For other password managers, they would be able to start guessing passwords to decrypt this gibberish. But for 1Password, they won't even be able to start guessing passwords without guessing Account Keys at the same time. And again, an Account Key is infeasible to guess. The only way someone will decrypt data stored on 1Password.com is if they've managed to obtain a user's Account Key and can guess or obtain their Master Password. An attacker might be able to grab an Account Key off his grandmother's computer, but he won't be able to obtain the hundreds of thousands of Account Keys that exist on user devices around the world.

    He would be better off just launching a password guessing attack directly on his grandmother's computer than launching an attack on our servers to get a bunch of gibberish that he can't even start attempting to crack.

    You can read more about this on our security page and in our white paper.

    In contrast, if someone were to obtain similar access to Dropbox's servers, they could obtain thousands of 1Password vaults and launch password guessing attacks against them directly. Without an Account Key, vaults with a simpler Master Password will be easily cracked.

    You're also right that obscurity offers some measure of security, but it really shouldn't be relied upon as a layer of security. I can guarantee you that 1Password.com with the new encryption protocols is more secure than using the old vault formats on Dropbox or a private server. If you're really into this security stuff, I highly recommend our white paper. It manages to be technical, enlightening, and entertaining all at the same time. :)

    I want to add two things to what Rob said:

    1. Another amazing aspect of the Account Key is that it never leaves your device. It's generated on your machine when you sign up for a 1Password.com account and it is never transmitted over the network, meaning it can't be intercepted.
    2. While 1Password.com takes care of the syncing, the 1Password apps all have an internal database now that works when you're offline, too. That means you'll have access to your data on any given machine, even if it is offline or our servers can't be reached temporarily.
  • As for the comments about 1Password for Windows in general, Dave, one of the founders of the company, has written a comprehensive blog comment about this that I'd like to quote. It gives you a good overview about where 1Password for Windows is headed and where our issue are at the moment.

    I’d like to share with you our Windows plans so you know where we are headed. Before jumping in I need to set the stage and explain where we’ve been. Then we can cover where we’re at and finish off with where we’re headed.

    1Password 4 is our current official version for standalone license holders. Version 4 is based on the same technologies the first version used when it was released in 2011. Designed since the beginning for standalone licenses, it does this quite well and has support for syncing with Dropbox and even allows you to sync completely offline using WLAN Sync. The implementation was done using Delphi, and while this is a very good and capable programming language, Microsoft has introduced several newer technologies that we wanted to take advantage of.

    1Password 6 is our leap into the future that uses these new technologies exclusively and we are in the middle of rewriting everything from version 4 into this brave new world. It’s both very exciting and terrifying. The excitement comes from being able to use all the latest and greatest technologies, and the terror comes from needing to rewrite over 5 years worth of code.

    We knew from the start that 1Password 6 was going to be a monumental undertaking and so we tried to keep the feature set as small as possible. At the time we had zero support for 1Password Teams on Windows (our families and personal memberships didn’t exist yet) and we had full support for standalone licenses in version 4. Since we had a working solution for standalone vaults and given the effort version 6 would require, we made the decision early on to focus exclusively on Teams. To this end, 1Password 6 is currently focused exclusively on our new hosted services and so there is indeed no support for standalone licenses or other sync methods.

    I know a lot of people are using Dropbox and WLAN Sync and want to use this new version, and I certainly don’t want to do anything to upset any of our longtime supporters. At the same time, we have a lot of plates in the air we need to juggle so we needed to choose what to work on. The choice we made for version 6 was a whole new app focused exclusively on 1Password memberships.

    One could question our decision to start from scratch and completely rebuild everything. There are certainly many “post mortem” blog posts from other companies that have taken the same route in the past. Indeed it represents a mammoth undertaking as it takes time to build quality software. In our case, it took over 5 years to make 1Password 4 what it was at the time we decided to start over. We knew this going in and we were indeed a little scared, but our excitement outweighed that. We were excited because we wanted to use the latest and greatest technologies so we could create the best 1Password experience possible on Windows.

    Fast forward a year or so and we announced our beta and after toiling away and working our way through the beta process, I was really excited to announce 1Password 6 for Windows a few months later (back in October of last year). It was a good release, but like any “dot oh” release, there are a lot of things to polish and work through to make it really shine. And with this “dot oh” version being a complete rewrite, it’s no surprise that we’re still working through this process.

    It would have made everyone lives a lot easier if this release had complete support for all the standalone features but it simply wasn’t possible. I think it’s easy to underestimate the amount of effort involved to roll out support for Dropbox. I know I fall into this trap often myself so I think it would be helpful to elaborate on what’s required.

    We can start with the ability to sync your data as it gives a pretty good glimpse of what’s involved to go from a 1Password membership solution to one that also supporting standalone vaults.

    Syncing would require us to add two additional synchronization systems: WLAN Sync and Dropbox. Both of these do things completely differently from one another, and both are completely different than how our 1Password accounts sync (accounts sync much faster and have push notifications for live data reload because we have complete control over both the clients and server so we’re able to optimize the protocol and minimize how much data needs to be exchanged). Syncing is one of the most difficult problems in software today and is very difficult to get right once, let alone three times.

    And once we add these additional sync solutions, there’s also a lot of tricky things we need to do for conflict resolution along with new windows for adding multiple vaults and guarding against all the other crazy scenarios people can find themselves in. For example, what should 1Password do if you remove your data from Dropbox and add a new data file there? Or what happens if the files on Dropbox simply disappear? Did the user mean to delete the files or was it an accident? Should we import a missing file and thereby delete the local copy? And what do we do when a user restores an old backup or imports their files multiple times? All of these scenarios need to be accounted for and tested rigorously to ensure your data remains safe.

    The complexity introduced by distributed data sources is huge. So much so that one of my favourite things about our hosted accounts is 1Password.com is the single source of truth. This allows us to greatly simplify things across the board, both for users, our developers, and support teams.

    Now of course that’s just for syncing. For a complete solution we would also need to wire in license validation, create a new trial expiry window and purchase experience, guard against fraud, update our model to support additional data formats, extend our website to support the new license, document things for new users, and the list goes on from there.

    All of these things may not seem like a very big deal on their own, but they add up quickly. As such I’ve asked our Windows team to make version 6 the best it can be with an exclusive focus on hosted accounts. Once this is completed, we can take a step back and decide where we go from there.

    As much as I would have loved to have had full support for everything, our time is finite so we needed to pick a few priorities and roll with them. There are a lot of additional things going on behind the scenes that we need to complete as well so at this point in time I simply can’t say when we would be able to begin work on this. I’m trying to be as open as possible by saying this is not something we’re working on at this moment, but I can’t pull back the curtain any further than that.

    The easiest way forward is to sign up for a 1Password membership. Doing so will not only get you the latest version of 1Password on Windows, but it will also get you a lot of additional benefits that weren’t available to Windows users in version 4. For example, it’s very easy to have multiple vaults on Windows now (before you had to manually add each additional vault) and you can switch between them without needing to unlock each one separately. You also get the benefits of our hosted service, including data loss protection, item history, web access, built-in sync across all your devices, access to 1Password on all platforms, and free upgrades to every new version.

    I hope everyone reading this will give our new 1Password membership a chance (we have a 30 day free trial and it’s easy to move over your existing data) but of course you’re free to continue using 1Password 4 for as long as you like.

    Anyway, our general plan is clear: we need 1Password to have a consistent feature set and UX across every platform and we’re working our way there. I hesitate to give out any specific ETAs as it’s always hard to make the future reality match today’s plans – but we’re getting closer everyday. I can see the light at the end of the tunnel and I look forward to sharing more with you in the future :)

    Take care,

    ++dave;

  • skerbsf
    skerbsf
    Community Member

    Alex,
    Thanks for taking the time to respond. However, your argument is flawed. You take the time to argue that your cloud solution is more secure than Dropbox (another cloud service). I am not going to about the technical merits of this. Your argument about that is sound and interesting, but I think you are missing my point. The point I am making is that I do not want my sensitive password data on anyone's cloud service (not yours, not Dropbox, not iCloud, etc.). This is a matter of personal preference.

    My password data is inherently more secure in my own local vault. I can choose where that data goes and I can disconnect it from the internet. Your current version of 1Password empowers me to do just this. As I see it, your future versions are beginning to push people into the cloud and that is where the problem lies.

    All I really want to know about it the future direction of the product. I have read several discussions where many AgileBits team members are claiming ignorance on this matter. Of course I have no internal knowledge, but I know a lot about the software development lifecycle and planning. If many of your customers are like me (maybe there aren't many of us, I'm not sure), we would like to know if the future of 1Password is only in the cloud. If so, I will need to find another product that suits me or build one myself.

    I have loved using 1Password over the years. You guys make a great tool. I personally am just reading the tea leaves and don't like the direction the product seems to be heading. I am writing this in the hopes that you guys will continue developing future versions that 1) offer a solution where I always have to option to disable cloud usage and 2) have a standalone version that I can pay for where I do not have to pay a monthly subscription fee.

    These issues are important to me as a user. Thanks again for "listening."

  • Hi @skerbsf,

    Yes, we are encouraging and marketing 1Password.com service first to new customers and existing customers because it is a much better and simpler approach to using 1Password across various platforms. However, at the same time, we do understand some people will not use it and we will continue to offer licenses in that case.

    We are not actively going to remove local vaults from existing 1Password apps that already have support for it and and we don't have current plans to remove it either.

    The core of the issue is that 1Password 6 for Windows is a new codebase, which is different from any other 1Password apps and why they offer both 1Password.com service and local vaults support in the same app. Right now, adding local vaults/licensing/local sync support to 1Password 6 for Windows would exceed all of our available resources on Windows and thus, it is not something we're working on at the moment. We do plan to add this in the future but as to when it is coming, we don't have a timeframe. That's why we keep offering 1Password 4 alongside 1Password 6. We want 1Password 6 to be the upgrade for 1Password 4 as well but it is not going to happen until we implement all features first.

    Just to be clear, there are no separate standalone/subscription versions of 1Password programs. 1Password.com service is a companion service to 1Password programs. 1Password 6 for Windows is not a 1Password.com client, it's just happens to support it. Once we add support for local vaults, no other features has to change, they will work the same way.

    However, we do not know the future. Two years ago, we didn't know we were going to do 1Password.com service or do a new program on Windows, we were planning to upgrade 1Password 4 to 1Password 6 with 1Password.com service when we started to work on 1Password.com but it couldn't be done. We cannot tell you the future because we can't control it, we also cannot claim that in 5 years, local vaults would still be offered to new customers, we simply can't. For existing customers, they'll always be able to use the licensed products they have, there is no time restriction for any sold licenses.

  • skerbsf
    skerbsf
    Community Member

    @MikeT,
    Thanks for the response. I suppose I was hoping to hear something a little stronger. Something like "We hear you and customers like you and will try to devote resources to making sure local vaults don't go away in future versions. If we ever put that on the table, we will give you adequate warning (years) to move to an alternate solution."

    Perhaps that is too much to hope for. I am aware that my license does not expire, but I tend to upgrade to new OSes, etc. (as I imagine many others do). This means that the old version of 1Password I would be using on macOS might not function correctly (bear with me as I know I am usurping the Windows thread)

    Perhaps with the response here, I suppose I am already being given this warning and need to start thinking about an alternate solution. I don't think asking you guys your plans for local vaults in the future is too much to expect. Perhaps you guys can discuss at your next developer planning meeting. I am very curious, though I understand it is tough to make long term promises to customers.

  • Hi @skerbsf,

    Yea, that's not a statement we can reasonably make right now. Keep in mind that we are a small private company with no VC funding or anything like that, we have to be very careful about everything and we need a sustainable business model to keep improving the programs for you and to feed our families.

    We would not remove local vaults from current versions. If we are going to remove it or stop supporting it, it would apply to a new versions only and we will announce it in advance for sure, there is no way we would just pull this out of nowhere, we're not that greedy.

    We rarely ship a new version without announcing it in advance first as well, so you would know exactly what we are doing based on our public beta development.

    For the moment, all we can confirm is what we've said so far already. We do plan to share more details on this in a blog post soon.

  • therioman
    therioman
    Community Member

    I just wanted to add my voice to this.

    I use 1Password across multiple devices, and I control all of those devices, including where the shared password keychains are. That's precisely why I bought 1Password. It's why I've recommended the product to others.

    The hosted/cloud model is a total non-starter and you will NEVER successfully convince me that providing my entire password chain to someone else regardless of the supposed security is a sensible plan. I might as well not bother having a password manager if I just leave things so readily accessible in such an obvious place - it only takes one flaw to be identified and everyone is vulnerable from a single source.

    I was also looking at Teams - would be great for our team - but again, unless there's a supported, no-cloud version, we're out completely.

    I think you should commit properly to not removing the local support and reconsider your position - I've stopped recommending 1Password and won't do so again until you properly understand that one of your best benefits was the lack of forced cloud/hosted environment. I love the product as a standalone product, and I totally dislike it in any other capacity and thus I can't recommend or endorse anyone purchasing it.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2017

    @therioman: If you don't like subscriptions or are anti-cloud, that's a personal choice, and we can take that into account going forward. It's definitely helpful to know your personal preferences. But keep in mind that no matter which "flavour" of 1Password you use, your data is encrypted locally and no one but you ever has the keys.

    If you don't believe in encryption, then I probably won't be able to convince you of that1. Just keep in mind that if you don't trust cryptography and/or don't trust us to get it right (though this is literally our only job, and we've been doing it for over a decade), then having your data only on devices you control is no kind of security, as that depends on them never being stolen, sent in for repair, or otherwise transferred with residual data on them. And if 1Password.com is insufficient to protect our data, so is anything else we produce.

    Fortunately all versions of 1Password are designed under the assumption that someone can get your data if they really want to, whether that be from our servers (hard enough that we're not paying out bounties hand over fist), or from one of your own devices (arguably easier, as security really is a full time job). But regardless, if someone gets your vault from your computer our ours, it needs to remain secure. And unless you give up the secret(s) needed to unlock it, it won't be of any use to an attacker.

    But I suspect that you already know all of that. After all, your own devices are already the most obvious place for you to keep your most important data. And if you're using 1Password already, it's because you understand that that's perfectly fine because your "entire password chain" is not "readily accessible" without your Master Password. The only difference with 1Password.com is that our data is behind an additional layer of security, so that it's even more infeasible for attackers to obtain...yet more conveniently accessible to us when we need it.

    There aren't a lot of cases where we can "have our cake and eat it too", but this is one of them. Otherwise we wouldn't be using 1Password ourselves either. We take your security as seriously as we do our own. And as 1Password users ourselves, it's one in the same. Cheers! :)


    1. Crypto101 and the Applied Cryptography course are great (free) general resources, and our security white paper has information specific to how 1Password.com works. ↩︎

  • skerbsf
    skerbsf
    Community Member

    @brenty,
    I believe I understand the position that AgileBits is taking, but your comments to @therioman take it a bit too far. No one is saying they don't believe in encryption or that you guys are not good at what you do. You seem to be taking an adversarial tone towards some of your customers who prefer a specific model. In particular, I am a software engineer that specializes in security as well. Since I am a software engineer, I know how easy it is to make mistakes even if it is as you say "literally your only job that you have been doing for a decade". Most developers I deal with don't make comments with tone like this. You are basically insinuating that customers with an aversion to your model don't believe in cryptography or simply don't understand. This is not even close to the case.

    Over the years there have been issues with 1Password keychains where you guys updated vault on-disk layout, added more iterations for PBKDF2 to your algorithm, and the like. I expect as problems/flaws are found you guys will fix them. However, since the vaults are in the cloud (and hidden from me) can you guarantee that all versions of all my old vaults are not still laying on your server with vulnerabilities? Again your servers are a MUCH bigger attack vector than my personal computer at home. I expect that you guys do your best, but you guys are not perfect and will definitely have bugs in your implementation.

    Please don't assume that your customer base who has a certain preference just doesn't understand "because whitepaper." I respect AgileBits as a company and hope that you guys will keep features (like local vaults) that I consider invaluable around. Ultimately it is your decision, but we are just letting you know (emphatically) how we feel. Please don't dismiss the argument in the manner you seem to have done. Thank you.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2017

    @skerbsf: You may be right that I misunderstood. I wasn't dismissing these concerns though, quite the contrary. It would have been much easier to ignore or simply say, "Hey, it's cool if you think it works that way", when it doesn't. I don't think we should pretend that it's all just a matter of opinion, but of course then it's totally on us to back that up, rather than just saying "Trust us". Trust is part of it, but there has to be good reason to do so, and I personally respect people's intelligence enough to take the time to explain how things work, both in summary and pointing to additional resources. Arguably everyone using 1Password (and especially participating in discussions like these) cares about security, but it's a continuum. The "abridged version" can be helpful to get an overview of how 1Password protects our data, but some folks really want more detail to make an educated decision with regard to their security. It's hard to read tone and intuit that in text over the internet, so I try to take both into account — but I can see how that might be misinterpreted as talking down to people. But I really believe that it's less a matter of some people not being able to understand how this stuff works, but rather that not everyone has the time to invest in that pursuit.

    And you're absolutely right that people make mistakes. We sure have! Just look at the release notes: plenty of bug fixes in nearly every update! But I guess part of what I'm trying to communicate (and perhaps I've done that poorly) is that, at its core, 1Password's security model is incredibly accessible: only you have the keys to your data, regardless of where you sync or store it. While 1Password.com doesn't yet have the decade-long security track record the standalone version has (if there were a flaw in the security architecture, you'd know it by now and we'd be out of business), it's using this same fundamental design and countless people have been hammering away at it (some we know, and many we don't)

    I apologize if some of my explanation here comes off as "adversarial". I don't see people as the adversary, but rather misinformation. And this just isn't stuff I'm going to joke about, or take a relativist stance. We take security very seriously, and I'd rather come off as a bit detached rather than make light of of something that all of us as 1Password users depend on daily. And I think I'd be negligent if I didn't point out that if the security of "standalone" 1Password is sufficient for someone's needs, 1Password.com is as well, as they're both designed by the same people with the same attention to detail and standards for security, for ourselves and for our customers. At that point, it's just a matter of personal preference where and how any of us syncs our data. Just as you prefer local vaults, others prefer the convenience of 1Password.com since they don't have to compromise on security to get it. I think it's important to keep that in mind, just as you're asking us to consider your preferences. It's a two-way street. :blush:

  • skerbsf
    skerbsf
    Community Member

    @brenty,
    On many respects we agree. I totally believe it is within your right to choose what direction is best for your company.

    However, I'm not sure I can misread the tone when you say something like "If you don't believe in encryption, then I probably won't be able to convince you of that." I do appreciate that you try to explain your stance a bit more clearly, but that is definitely "talking down" to a customer no matter how you may try to slice it.

    I am certain that you guys at AgileBits take security very seriously. However, even with all the claims that are made, we have to trust in the implementation. In my career I have seen very honest mistakes made. A white paper doesn't take things into account like bugs in the random device key generated on a device not actually being so random, etc. These mistakes can be magnified when all my data is going to your cloud service.

    Again I fully respect your opinion on these matters and you can choose to do what is best for AgileBits. I have loved your product over the years and appreciate all that you guys do for us. Thanks.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2017

    @skerbsf: Likewise, thanks for your support and honest feedback! I can see how that sentence really didn't add anything and could be interpreted that way. I'll try to be clearer and do better in that regard the future. :blush:

    With regard to mistakes, you're absolutely right: especially when looking at the things we've designed ourselves, it's easier to overlook something because we know how it's supposed to work. That's why we really benefit significantly from external audits and independent security researchers banging away at things. 1Password.com — and each person who uses it — is better off for it.

  • Tim van der Horst
    Tim van der Horst
    Community Member

    I already pay a subscription service to Dropbox to sync my files across machines via the Internet.

    The fact that the 1Password apps (used to…?) leverage that for syncing, to avoid costing me yet another subscription service is an important feature, and was a good selling point. I happily bought the apps (for both Mac and Windows) and their updates because I was buying the individual apps, which would not arbitrarily die on me if the Internet or More Money is not around. Even Dropbox itself, if Money disappears all of a sudden, would downgrade into regular old non-synchronised files.

    I don't want 1Password to turn into another LastPass. If I wanted to chase the dragon that is "put everything into the cloud", there's already the iCloud Keychain, and I can use that one for free.

    I primarily I bought 1Password for "the vault". Not just for the password management, but the whole assortment of additional things you could store, and the little extras like the generator. It's there for me as a suite of nice, native, standalone apps. And it's my vault, I'm the one managing the ongoing costs of syncing it between devices.

    By discontinuing the offline vaults, you're ripping out the most valuable and rewarding part of 1Password. They've stopped being our vaults anymore, they're just your vaults and we're renting them from you.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited October 2017

    I already pay a subscription service to Dropbox to sync my files across machines via the Internet. The fact that the 1Password apps (used to…?) leverage that for syncing, to avoid costing me yet another subscription service is an important feature, and was a good selling point.

    @Tim van der Horst: Totally. And you're not alone. But I don't now what you're getting at here, as you can keep right on using that setup. I do. Even though 1Password.com is better in a lot of ways, I've still got some vaults in Dropbox. ;)

    I happily bought the apps (for both Mac and Windows) and their updates because I was buying the individual apps, which would not arbitrarily die on me if the Internet or More Money is not around. Even Dropbox itself, if Money disappears all of a sudden, would downgrade into regular old non-synchronised files.

    Absolutely. That's why 1Password always has a local copy of the data. Regardless of whether I'm accessing my local vaults sync'd with iCloud and Dropbox, or in my 1Password.com account, I've got access to them in a subway or when my crappy internet goes out on me. :tongue:

    I don't want 1Password to turn into another LastPass. If I wanted to chase the dragon that is "put everything into the cloud", there's already the iCloud Keychain, and I can use that one for free.

    Yep. iCloud Keychain is free, secure, and very useful for some purposes. If that's enough for you, I'd go with that (however, in the context of this rather old Windows discussion, that isn't even an option). But personally I prefer 1Password since I have more control over my data. If you've ever tried to use iCloud on a non-Apple device, or wanted to manage or export the data there, you'll know what I mean. I prefer Dropbox over it for those same reasons. And 1Password.com offers even more flexibility (and, honestly, better performance) over that for those who want it.

    I primarily I bought 1Password for "the vault". Not just for the password management, but the whole assortment of additional things you could store, and the little extras like the generator. It's there for me as a suite of nice, native, standalone apps. And it's my vault, I'm the one managing the ongoing costs of syncing it between devices.

    Yep. I couldn't even tell you all of the various things I store in 1Password, just because it's secure and convenient. It's indispensable for me too! :chuffed:

    By discontinuing the offline vaults, you're ripping out the most valuable and rewarding part of 1Password. They've stopped being our vaults anymore, they're just your vaults and we're renting them from you.

    I think you're basing this on a lot of assumptions, which explains some of your earlier comments. We have never discontinued "offline vaults" (and even the "online vaults" can be accessed offline). We're not marketing that, as we've got a better solution now, but we've even already announced that 1Password 7, which is a ways off still, will support local vaults. I hope that helps clear things up. Cheers! :)

This discussion has been closed.