On WLAN Sync in 1Password 7


Comments

  • brenty

    Team Member

    @Rhodan: It's a bit off topic for this thread, but folder sync is available in all the native apps except for iOS (which is problematic in that regard). While we do not ourselves support OneDrive, you may be able to use that to sync between those local folders.

  • brenty

    Team Member

    @artoor: Thanks for weighing in. We don't have anything to announce in this area though.

  • I'm with the majority of the users here. I like WLAN sync, it's secure and convenient. I do not want my vault on the cloud. If it goes on the cloud I now not only have to worry about my security but also AgileBits security and DropBox's security. I think giving only 1 sync option is a little closed minded. I don't know any other services that only offer 1 option. I want to keep my vault private and on my local network so that its security is mine and mine alone. I have BIOS security set, Bitlocker set, and full disk encryption. I take my security seriously and it will be such a pain in the butt to reset every password at once if dropbox has a data breach. Also, without WLAN sync and being unwilling to use DropBox I keep an encrypted copy of my vault to share between computers. What this has resulted in is duplicates of every password on all of my machines. It is a real pain. My ios devices will remain out of date with my vault until there is another option for sync'ing that doesn't require me to upload all of my passwords and secure notes to the cloud. Nothing personal but my secure notes contain extremely confidential data and a data breach on my vault would be catastrophic not only to me but also to several people and several businesses. Please provide another option for the sync. I am happy to do a hard sync where I have to plug my phone into a computer and do it through iTunes or the computer if that is easier to code into the current 1P7.

  • dteare Agile Founder

    Team Member

    I hear you, @SethRBeavers, WLAN Sync was pretty cool way back in the day. But we've developed something better now and it's where we're focusing our time and energy. With a 1Password membership your data is never sent to Dropbox and is encrypted not only by your Master Password but also your own personal Secret Key. This additional key adds 128 bits of entropy to your derived key, and by using the Secure Remote Password protocol we ensure that no information about your Secret Key nor Master Password is ever transmitted to our servers. The end result is even if someone manages to steal this encrypted data from our service, it's infeasible for them to ever be able to brute force it.

    Aside from the improved security, the other aspect about hosting your data on our system is syncing is much faster and more reliable. For years we battled hard to make syncing work well with third parties and while we did make it pretty good, things are so much better when we have control of both sides.

    There are just too many benefits for us to ignore and as such we won't be adding additional sync methods.

    ++dave;
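
Added example, not part of the original thread and not AgileBits' code: a sketch of why mixing a 128-bit random secret into the derived key defeats offline password guessing against stolen server-side data, the property the post above describes. The PBKDF2/HKDF/XOR construction, the `verifier` stand-in and every sample value are assumptions of this sketch; SRP is not modelled.

```python
import hashlib
import hmac
import math
import secrets
from typing import Callable, Iterable, Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor, not taken from the thread


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_password_only(password: str, salt: bytes) -> bytes:
    """Key that depends on the password alone: only as strong as the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def derive_two_secret(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Stretch the password, expand the device-held secret, XOR the two together."""
    stretched = derive_password_only(password, salt)
    expanded = hkdf_sha256(secret_key, salt, b"secret-key-demo")  # hypothetical label
    return bytes(a ^ b for a, b in zip(stretched, expanded))


def verifier(key: bytes) -> bytes:
    """Stand-in for any stored value that lets a candidate key be checked."""
    return hmac.new(key, b"verify", hashlib.sha256).digest()


def offline_guess(stolen: bytes, salt: bytes, guesses: Iterable[str],
                  derive: Callable[[str, bytes], bytes]) -> Optional[str]:
    """Return the guess that reproduces the stolen verifier, or None."""
    for guess in guesses:
        if hmac.compare_digest(verifier(derive(guess, salt)), stolen):
            return guess
    return None


def demo():
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # 128 random bits, never sent to the server
    password = "correct horse"            # constructed sample password
    guesses = ["123456", "letmein", "correct horse", "hunter2"]  # constructed list

    stolen_a = verifier(derive_password_only(password, salt))
    stolen_b = verifier(derive_two_secret(password, secret_key, salt))

    # Password-only scheme: the right password is in the list, so it is found.
    found_a = offline_guess(stolen_a, salt, guesses, derive_password_only)

    # Two-secret scheme: whoever holds the stolen data lacks the secret key and
    # has to guess all 128 bits of it alongside every password candidate.
    found_b = offline_guess(
        stolen_b, salt, guesses,
        lambda g, s: derive_two_secret(g, secrets.token_bytes(16), s),
    )

    # Search space in bits: the password list plus the secret key.
    bits = math.log2(len(guesses)) + 128
    return found_a, found_b, bits


if __name__ == "__main__":
    found_a, found_b, bits = demo()
    print("password-only scheme recovered:", found_a)
    print("two-secret scheme recovered:   ", found_b)
    print("two-secret search space (bits):", bits)
```
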

  • Dave,

    If nothing is sent to dropbox, OR through dropbox why would I have to create a dropbox account in order to use this service? Having to set up a dropbox account implies that the dropbox infrastructure is being used if not for retention then at least for the sending and receiving of the data. What guarantee of service contract is there that dropbox isn't retaining the data as it is transmitted across their network? Have they provided this type of documentation to say that this isn't or won't happen and if they end up becoming legally obligated by a government or organization they will give an ample heads up and allow this information to be purged before turning over this information? Maybe I am way off base here and their infrastructure isn't used. I am always interested in learning so if I am off base please explain, I understand that this is your system built by y'all so my knowledge of how it's set up is limited. If y'all have a white paper on 1P7 I would be happy to read it but that's usually a guideline and not set in stone so a deviation from that is possible.

    What about the option of doing a hard update from a computer and nixing the wireless sync?

  • brenty

    Team Member

    @SethRBeavers: I'm really sorry for the confusion. You don't need a Dropbox account with a 1Password membership. Dropbox is not involved at all. Instead, you're signing into your 1Password account to set up each device. And we do have a security white paper for you!

    1Password Security

    Be sure to let us know if you have any questions. :)

    As far as law enforcement, we comply with legal requests in accordance with Canadian law...but we don't have access to anyone's data, so it's not great news unless you're a 1Password user. ;)

    Information for Law Enforcement

    It is, of course, possible to sync a local vault with a folder, but then you'd need to copy it between devices, and that has the disadvantage of being a huge inconvenience without any real advantage in the security department. Also, local folder syncing isn't possible on iOS.

  • Is it possible to exclude a certain item or better several from sync in 1Password7? As I wrote I prefer my passwords not to hit the cloud at all, but some are more important than others. If it would be possible to exclude the important ones from syncing, that might be a way for me to live with the current solution of the software. Even if I don't like it that there is no wlan sync option.

  • brenty

    Team Member

    @Rhodan: Individual items cannot be "excluded" from sync. This is handled on the vault level though, so you could keep some items in a local vault which you do not sync, or a 1Password account vault will be removed from all devices by Travel Mode if it is not marked as "safe for travel". Otherwise I'm just not sure what the benefit would be, and it sounds like quite the hassle.

  • I am also very angry. I just switched from 4 to 7 on windows. And I need WLAN-sync. If I had known that before, I would not have bought that software again and would have changed to a different one.

    Here are so many customers telling you they want to have back the WLAN-sync option and you totally don't care. That is crazy.

    Now I had to install version 4 again to use WLAN-sync.......that is stupid!!! Do your job and put in WLAN-sync again, otherwise that was the last time that I paid money for any kind of software or upgrade here.

    You can do what you want, I will not pay any cent to get a membership. It cost me 60 euros to use 1password further with chrome because you are not changing anything in 1password 4 that the plugin still works. So I changed to 7 and now you are telling me WLAN-sync is not working with that version..........

  • brenty

    Team Member

    I'm sorry to hear that you feel that way. To be clear, we do care; but we can't do everything everyone wants. There are many, many other features that are requested more than WLAN Server which we're not going to do either because we need to work on things that benefit a much greater number of the millions of 1Password users.

    If you purchased a license within the last 30 days, please reach out to [email protected] and we can give you a refund if you're not satisfied with the features of the app you paid for.

  • edited March 2019

    Folks... We've been going on about WLAN Sync for months. It works between Mac, Android and IOS. But not Windows.

    My subscription ran out recently and now I'm debating whether I want to renew it or not. Keepass has the ability to sync between windows and IOS pretty easily and it's free. But it's a horrible product. 1password is light years ahead in terms of UI and templates. And I really do appreciate the effort you put into things like Watchtower. It's worth the money.

    But I can't live without the ability to sync from windows to my iphone*. Right now I have it such that I save my 1password v7 vault to a NAS. Then open that up in 1password v4. That syncs to my iphone. It isn't ideal. But it works. So question... Is there a timeline for getting WLAN syncing working on Windows in version 7? I'd be happy to use my Rube Goldberg approach going forward but can you give me a 1password 4 license as well so I can keep using it? I don't need to sync constantly. So it is fine as is. But I want to ensure that WLAN sync is on the roadmap.

    Thanks,
    Scott

    * Ninja Edit: When I say sync from windows to my phone, I mean without using a cloud provider, including 1password's.

  • dteare Agile Founder

    Team Member

    Hi Scott,

    Thank you for the kind words. I love hearing that you enjoy our UI and templates and Watchtower. 🤗

    When we set out to recreate 1Password on Windows we knew we had a long road ahead of us as we have years of time invested creating the prior versions plus we had a lot of new features we wanted to add as well, so we knew we had to prioritize things. A consequence of this as you know is WLAN Sync was not included in our first release and still isn't available today.

    At this point I doubt that we will ever be adding it. I'm sorry to say that as I know it's a hard pill for you to swallow, but please allow me to explain why I feel this way currently.

    First it's important to remember that we don't know how many people actually use WLAN Sync. We purposely don't collect usage statistics and I'm happy we don't. It's a religious argument to be sure but doing so always felt too Big Brother-ish to me so I was never comfortable adding that. Your data and what you do with it is your business, not ours. This is one of the fundamental tenets on which 1Password was built so while it sometimes ties our hands like in this situation, not having any data that we can lose or abuse or accidentally collect the wrong data is well worth the cost in my opinion.

    All of that is to say we simply don't know if there was enough demand to ever add it back. We had a hunch that there wasn't much demand but we didn't know with certainty and that's why in the original post in this thread and in the announcement blog post and elsewhere we asked folks to sign up to a newsletter if WLAN Sync was important to them.

    It has been over a year now and as of this writing 520 people have taken the two minutes required to sign up. Granted 4 people signed up in the last day so there absolutely are other people like yourself that are still interested in WLAN Sync, but with that said, there simply isn't enough interest to invest the time required to implement WLAN Sync on Windows. And quite frankly, none of the issues @jpgoldberg mentioned in his original post have gotten better:

    1. It's hard to use
    2. It's a nightmare to support
    3. It does not provide the kinds of security that people may imagine it does

    If anything, each of these has gotten harder than they were a year ago when Jeff wrote these. Add to that the fact that we're constantly finding ourselves with insufficient time to add all the new and improved features we have ideas for and I think it's a pretty safe bet that we'll never be adding it.

    With that said, I'm curious to know why you don't see our hosted cloud solution as an option for your needs. As @jpgoldberg asks in his post:

    What I'm going to ask you to consider is whether WLAN actually offers you more relevant security or whether it just offers you a greater sense of security.

    This isn't true with all services but we do a lot of things differently with our design that provides a ton of security benefits that allow you to be secure while having the convenience of everything being taken care of for you. You can have your cake and eat it too, so to speak. 🍰

    ++dave;

  • @dteare , thanks for replying back... I only mention WLAN sync because you've already said you won't support Webdav. My requirement is simple... I don't want to use cloud services and there are 12 pages of people trying to convince you to add that ability to your roadmap.

    Is WLAN the only option... No... But it's the only one I see as having potential because 3 out of 4 platforms support it. You're right. It does indeed suck and takes a while to get working. But you've ruled out webdav and there seems to be no interest in other protocols like SCP/SFTP. If there was a way on IOS for me to copy files to the phone and 1password to find them I'll happily be responsible for getting the files to the phone.

    Thanks for your time. Maybe y'all will go back to implementing something like webdav which looks strikingly similar enough to dropbox sync that maybe it is easy for you to implement. But for now I'll kick the tires on Keepass. I'll keep an eye on 1password. If you can get sync to work I'll come back in a heartbeat.

    Scott

  • dteare Agile Founder

    Team Member
    edited March 2019

    Thanks for the followup, Scott. I appreciate it.

    You're right, we're up to 12 pages now in this thread, so there absolutely is interest in WLAN Sync. I remember our infamous Linux thread that got well beyond 20 pages of user comments before we created 1Password X for them. Perhaps in the long run we'll find a similar solution that works for you. Time will tell. But it very likely won't be WLAN Sync given the demand we're seeing, and it certainly won't be WebDAV. I've already spent enough of my life working on WebDAV syncing code and have no plans on ever going back. 🙂

    Take care and best of luck to you going forward. ❤️

    ++dave;

  • Michael Yeh Junior Member

    I'd like to +1 for this feature. Especially now that dropbox is no longer a viable option for me because of the device limit.

  • Ben AWS Team

    Team Member
    edited March 2019

    Hi @Michael Yeh

    Thanks for taking the time to share your thoughts. 1Password membership is going to provide the best experience going forward. I'd highly recommend checking that option out.

    About 1Password membership

    There is no device limit with membership, and it allows you to keep all of your compatible devices in sync using the latest versions of 1Password. At this point we are not planning to bring back WLAN Sync.

    Ben

  • dteare Agile Founder

    Team Member
    edited March 2019

    Hi Michael,

    I'm curious why you're looking for WLAN Sync now that Dropbox is no longer an option for you. You've been storing your (encrypted) data online with Dropbox for presumably years now so I'm curious why you're now thinking about using WLAN Sync. There's a lot of issues with it and it's something I wouldn't recommend anyone use any longer.

    Ben's right about 1Password memberships. They provide the best experience and have the best security possible. Since we control both sides of the sync equation we're able to provide many more security properties than we otherwise could. And it's much much faster, too!

    Jeff talked about the security benefits in his original post that started this thread, but the Secure Remote Password protocol and the additional factor of the Secret Key for protecting your data while on our servers are my favourite.

    I invite you to take a peek at our security page for an overview of our security design and sign up for a 30 day free trial and see for yourself how much better the experience is.

    Take care,

    ++dave;

  • jpgoldberg Agile Customer Care

    Team Member

    I've already spent enough of my life working on WebDAV syncing code and have no plans on ever going back.

    @dteare, I can't begin to imagine why you might say that! [Heavy and obvious sarcasm emoji needed here.]

    For those who don't know or recall the history of this from, I think, 2010, WebDAV support was something that was so close to being finished that we did a very rare thing: We'd promised the feature before it was delivered. Well, it turned out that "so close to being finished" wasn't so close after all. I don't know how many months Dave and Roustem spent trying and failing to get it working reliably enough to release.

    While we aren't putting in that much effort on a different issue today, we've got this weird modify time bug in WLAN sync for iOS/Mac. When we first identified the issue, we thought it would be a quick fix. Well, it hasn't been, and we will only know how much time it will take to fix after it is fixed. Until then it will continue to consume developer time that could be used for other tasks. And now with Dropbox changes, we have new tasks both for our development teams and our customer support teams. So even if many of you don't like our specific choices, I hope that there is at least some sympathy toward us for wanting to maintain fewer sync mechanisms.

  • edited April 2019

    Coming up on a year, wanted to see if you guys added a way to sync a local vault to an iphone yet from a windows machine. Doesn't look like it. Be back in another year. Hopefully one day. 2019 and still cannot have a local vault and sync to my iphone. Pretty amazing. Here's to 2020....

  • @2e9rhj2389hfnduafsdn, have you looked into KeePass? I switched to it from 1Password when they dropped support for WLAN sync with v7, and I've been happy with my new workflow. I can keep my vault synced among my Windows, Mac and iOS devices locally. Plus, it's free.

    The workflow is obviously simpler and smoother using cloud sync through 1Password.com, but if you don't want that option/can't use it for one of the many reasons mentioned in this thread, KeePass is a good option IMO.

  • @kermit4karate I am currently using Keepass - but they don't have a great offline sync option other than me manually copying over my kdbx file to my iphone every so often. This method also pretty much makes it pointless to create or modify anything in the keepass database on my iphone.

    Personally I could care less about wlan - I just want an offline way to sync my database over to my mobile devices offline. The fact that it's 2019 and 1password doesn't consider this a reasonable request is ludicrous. I'm not even trying to avoid paying them. I don't mind paying them yearly for the development of the app (I even bought the iphone app looooooong ago.) They just need to get out of the mindset of "it's encrypted, who cares if it's on our servers!" I've already outlined to them numerous times why that's a ridiculous thought to have.

    Although, after reading their official response to this (https://www.securityevaluators.com/casestudies/password-manager-hacking/) I may not want their app any longer.

  • Ben AWS Team

    Team Member

    We do not have any plans to add additional sync options. We're focused on our 1Password membership offering, and likely will remain so for the foreseeable future. I'm sorry if that is a deal breaker for you, and hope you're able to find a password management solution that meets your needs.

    Best of luck, and if you change your mind we'll be here to help. Happy Easter. :)

    Ben

  • @kermit4karate I am currently using Keepass - but they don't have a great offline sync option other than me manually copying over my kdbx file to my iphone every so often. This method also pretty much makes it pointless to create or modify anything in the keepass database on my iphone.

    Hi @2e9rhj2389hfnduafsdn, I agree about KeePass. Sure, it's free and gets the job done, but it still isn't ideal. Of course, the ideal doesn't exist in this case. Ideal for me would be a new version of 1Password that contained a local sync option where I could keep my vault synced across all of my Windows, Mac and iOS devices synced without having to use their cloud, buuuuut that option doesn't exist. So we compromise.

  • @kermit4karate it's a shame that companies think "they know best" so give us your private data. Many companies make this mistake - 1password will regret this decision eventually. Everyone remember when WEP was safe as long as you had your private key? So was WPA.... Sony... Diffie-Hellman, AES, and every other encryption that was good enough until it wasn't.

    @Ben thanks for the clarification! Now I can move on and find a company that actually puts security first and realizes people use mobile devices!

  • brenty

    Team Member
    edited April 2019

    @2e9rhj2389hfnduafsdn: We don't have anyone give us their private data, so you must be talking about other companies. :)

    If you're happier using something else, that's fine. But I hope you'll investigate the security architecture beforehand. Information on ours is available as well, if you decide to look into it:

    1Password security

    (And that also applies to mobile devices.)

    Take care. :)

  • edited April 2019

    @brenty you can be as snarky as you want - but people are sending you their private data, it's just encrypted. The problem with your business model is everything is fine until it's not. Encryption changes. People find exploits. Just like in my examples you conveniently ignored. WEP was encrypted and has a private key structure. So does WEP. AES, VPN diffie-hellman - all exploited that were once "nothing stored is your unencrypted private data!" The fact that you guys dance around this as a convenient way to not develop a more secure method of syncing data is ridiculous. I've even stated before that money isn't even the concern for me, I don't mind paying you guys annually for your product and to help further development. Since you keep pushing the same narrative, then ignorance is your only excuse left. One day you guys will get compromised. I'll come back here and re-post for a "I told you so."

    Also - if it doesn't matter because what's stored on your end is useless... then send it all to me. In fact, just post it all on github. It's garbage info anyway that no one can ever compromise, right?

  • brenty

    Team Member

    @2e9rhj2389hfnduafsdn: I wasn't being snarky, but you're welcome to re-read some of your own comments! :lol: Anyway, your examples are of flawed designs. Unlike the Wi-Fi standards, our documentation is freely available (and always has been), and our security design is open and not bound by NDA so that it can be (and always has been) picked apart by independent researchers. You're welcome to do so yourself. I'd encourage you to look into the specifics rather than hand waving "people find exploits". It's entirely possible that someone will find a flaw in 1Password, and then we'll need to fix it. That's why we do things the way we do.

    I'd also encourage you to research the (long) history of AES. It hasn't changed. There aren't exploits. It's just math. Computing power has increased, but that helps not only attackers but also defenders, since memory-hard functions can be used to increase the difficulty substantially. But, if after researching the Rijndael cyphers in particular (the work that has gone into proving and attempting to find flaws, for decades) and cryptography in general, you are not convinced that encryption can protect your data (with a sufficiently strong "key", Master Password), your problem isn't whether or not 1Password has a certain feature, but rather what you'd use instead, since (as far as I know), other password managers (and OSes, etc.) also rely on these same encryption technologies.

    So while you're right in broad strokes, that security flaws can be found in software, you're wrong about the specifics: 1Password isn't Wi-Fi or DVD/CSS, where secrets must be shared in order for it to work; we can't be "compromised" because we never have the keys to anyone's data. That's true whether you use 1Password.com or WLAN Server, and it's the fact you've been missing all along. :blush: The "narrative" we're "pushing" is reality.

    It's good news either way though: If you're right, then it's worth your while (and ours) for you to prove us wrong. You're welcome to participate in BugCrowd:

    https://bugcrowd.com/agilebits

    And then we can both put our money where our mouths are: If you're able to decrypt user data, as you insinuate is possible, you'll be eligible for some significant cash prizes. Cheers! :sunglasses:

  • edited April 2019

    @brenty you are a really poor communicator. You use the same arguments over and over ignoring what has already been mentioned several times dispelling your current argument. Just because you say the same thing over and over - it doesn’t make your argument stronger. It just means you’ve lost the argument and don’t have a good answer.

    Email me your encrypted database since you’re so confident it’s useless garbage and always will be. Notice you won’t because you know that’s not true.

    And yes, I’m aware of your bug bounty. I’m not smart enough to crack it, but only one of us is smart enough to realize it can be cracked. Fortunately for me, my entire business model doesn’t rely on it.

    Cheers!

  • So while you're right in broad strokes, that security flaws can be found in software, you're wrong about the specifics: 1Password isn't Wi-Fi or DVD/CSS, where secrets must be shared in order for it to work; we can't be "compromised" because we never have the keys to anyone's data.

    @brenty One reason your comments on this thread have been so frustrating to me over the past months is because of quotes like the one above. It really seems to me, at least, like you aren't listening. I don't think most of the people on this thread are supposing that Agilebits will ever be brute force hacked. That's not how most "compromises" happen. I think the odds are much greater that a bad actor would be a current or former employee -- someone who knows the company's trade secrets -- or a state-sponsored group, business partner, or other third-party than a complete stranger.

    I feel like there's been a disconnect between how you've tried to frame the discussion, and what people are actually saying. I don't think anyone expects a complete stranger to brute force crack anything.

    Humans are the weak link in every security model, and more humans equals more potential points of failure. It's frustrating to hear you repeatedly discount the fact that a company with a much larger attack surface and dozens of employees is safer than me storing my encrypted password vault on my person or in my house.

  • Lars Junior Member

    Team Member
    edited April 2019

    Hi @kermit4karate and @2e9rhj2389hfnduafsdn - thanks for the robust discussion here. It's certainly a tribute to the passion for WLAN sync of a small group of users that this thread continues on, some 13 months after jpgoldberg's initial post! We're happy to keep the discussion going with you, but I did want to remind you both of a couple of things related to the Forum Rules & Reminders you agreed to when creating an account on this forum:

    Being respectful includes but is not limited to:

    1. Keeping discussions on topic, and related to 1Password
    2. Not advertising other products or services
    3. No name calling or other abusive or disruptive behaviour

    We're here to help, but the use of this support forum is a privilege, not a right.

    (emphasis added) Thanks for your cooperation! :)

This discussion has been closed.