Recommendations for 1Password 7

SnuffyJen
Community Member
edited January 2019 in Mac

I just upgraded to 1Password 7. Usually, this is an easy and clean process to upgrade (I've been using it since version 2). However, this is the most disappointing version and it has been very frustrating.

  1. The worst decision was to get rid of folders. I have hundreds of logins and kept them in folders. Great so you kind of support some hierarchy with tags, but issues with this paradigm include:
  • Having to kill old tags that otherwise "pollute" the old folder structure we had to get back what we're used to. Please don't say, "this way is new and better, just get used to it", or that new attitude is fuel to the fire to switch to the many other (great) solutions that compete with you.
  • The tags can't collapse so you can't "zoom in" to a sub structure to find what you're looking for.
  • You can't "move" one tag to another. This means I can't take all my entries under one structure and move them to another.
  • In order to do this move I must either 1) edit the text of the tag of all entries 2) edit one and then move them all over. Either way it's a super pain.
  2. The next feature you eliminated was to when clicking on the 1password icon in the browser, the login for that specific site to allow a login no longer doesn't auto fill. So now I have to go to a site that I want and find the entry in the popup dialog in order to auto populate the dialog?

  3. Your affinity (and by proxy lack of licensing choices for upgrades etc) around a subscription and cloud based syncing is incredibly naive. Everyone knows bugs and vulnerabilities pop up in code and all it takes is one release for all your passwords to re-sync to a public service as clear text. With all the hacker break-ins to online sites, I find it incredible this direction was chosen. Reasons to not sync passwords include:

  • Multi-tenant cache sharing vulnerabilities including cache context switch clear/flag/populate
  • Lower bit encryption brute force attack for software that isn't updated (i.e. if I stick with 1Password 7 and in 2 years 2048 is vulnerable to brute force attacks, do I get updated re-encrypted 4096 bit protection? No, because I have to pay for the next release to get that protection.)
  • Quantum computing is slowly but surely making its way to the mainstream (i.e. IBM cloud computing options). Z-prime (prime number key based encryption in RSA etc) have been proven to be vulnerable using post-quantum cryptographic algorithms (i.e. Shor's algorithm).

I've seen numerous others with these exact same complaints, and the attitude seems to be, "well that's the way we decided to do it. We might reconsider if there are others who complain." Please formally add mine to the complaint. If you upset your power users we WILL cut over to other solutions--it's not hard as you know. These include: LastPass, KeePass, Dashlane, RoboForm to name just a few.


1Password Version: 7.2
Extension Version: Not Provided
OS Version: 10.14
Sync Type: NO!

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @SnuffyJen! Thanks for the thoughtful and detailed post and suggestions. :) I'm sorry for the frustration. I'm afraid I can't give you any real hope that folders will be making a comeback anytime in the foreseeable future. I appreciate that you prefer folders and the way things were working for you in your existing setup, but this is a change that was made for several reasons, and I just don't see it changing back. It's possible, I suppose...but I don't want to give you false hope that we're seriously considering it at this stage.

    That said, we are looking at several refinements to the nested tags feature for upcoming releases. I don't have anything to share on the topic just now, as we're not in the habit of pre-announcing features or rollout dates. After a quick chat with the development team, I've filed feature-requests internally for your suggestions regarding tags; they're good ones that we think may be able to be added to or improved upon in the current tags structure. While I can't guarantee when or even whether you'll see those specific changes, they seem reasonable, so I've added them. And thanks. :)

    "...when clicking on the 1password icon in the browser, the login for that specific site to allow a login no longer doesn't auto fill."

    It certainly should, if you have only one login for the current site. If that's not happening, then something's going wrong with your specific setup. What browser are you using? And do you have both 1Password and your browser located in /Applications? As of version 7, 1Password is a fully sandboxed application, meaning both need to be only in your main Applications folder; the extension functionality won't work if either is installed anywhere else.

    "Everyone knows bugs and vulnerabilities pop up in code and all it takes is one release for all your passwords to re-sync to a public service as clear text."

    Has that ever happened to anyone using any of our existing, cloud-based 3rd party sync solutions (Dropbox, iCloud)? If it has, we're certainly unaware of it, which I doubt would be the case if it had actually occurred. Certainly all software has bugs, but simply adding our own hosted solution to the mix doesn't materially alter the odds of something truly awful happening. If you'd like to see how we keep data secure and private on 1password.com, I'd invite you to read our 1Password security white paper, and feel free to ask any follow-up questions.

    "With all the hacker break-ins to online sites, I find it incredible this direction was chosen. Reasons to not sync passwords include..."

    Before I dive into any of your specific points, it's worth mentioning that we don't sync your passwords (or any other data you store inside 1Password). What gets synced are encrypted blobs, of no use to anyone who's not in possession of BOTH your Master Password AND your Secret Key, which is new and exclusive to 1password.com accounts specifically to protect you in the event that WE get hacked. Without both of those pieces of information, that encrypted data is useless to both humans and machines.

    Unless you believe that AES256 has been or shortly will be compromised. Again, I feel as if we'd all know if that were the case, as AES256 provides most of the backbone of encryption across the internet today, not just in 1Password. Certainly, the security landscape is always changing, and we monitor it closely. But (since you brought it up), when Shor's algorithm was published around 20 years ago, how quickly development of practical quantum computers would be was anyone's guess, because nobody knew for certain. Twenty years on, progress has been even slower than what all but the most pessimistic envisioned. Even if the pace were to pick up substantially (and it may have), there is still time. Some of the world's best cryptographers have been working on practical post-quantum algorithms for the past 20 years, in fact. And while no one has a crystal ball, it's likely these will be in place long before any practical quantum computer becomes a real-world threat.

    "Lower bit encryption brute force attack for software that isn't updated (i.e. if I stick with 1Password 7 and in 2 years 2048 is vulnerable to brute force attacks, do I get updated re-encrypted 4096 bit protection? No, because I have to pay for the next release to get that protection.)"

    Not quite. First of all, if you have a 1password.com membership, all our applications are included in the cost of your membership, including all full-version upgrades, for as long as you maintain the membership. That means when new versions - even those new full-version upgrades - are released, you don't have to worry about installing new licenses or managing them; just hit "update" within 1Password, and away you go with the latest and greatest. That's one of the many benefits of a 1Password membership. But since you mentioned it, we DO still sell standalone licenses for 1Password, meaning you can still make a one-time purchase of a license for the current version. Done that way, yes, you would need to purchase new licenses for new versions when they are released...but I'm not sure I understand the argument there: are you suggesting a license for any version of 1Password, ever, should automatically grant users the ability to license the current version of 1Password for security reasons? I mean, as a security company, we can't do anything except urge all users to keep their browsers, their OS and their version of 1Password current. Running old, outdated versions of any of those can certainly increase a user's attack surface. That said, it's each user's right to make those kinds of choices for themselves; I just don't think that means we need to provide new versions for free to those who don't feel like purchasing them, to keep them as secure as those who do. Or is that not what you meant?

    "If you upset your power users we WILL cut over to other solutions--it's not hard as you know."

    True. But it's not just power users; if we upset or disappoint ANY users sufficiently, they will leave 1Password for other solutions (and yes, we're familiar with the names of our competitors ;) ). That's kind of the beauty of having such a number of choices as a user in this or any space: any given solution/app will not suit every user's needs/wishes/use-case. So if you find yourself thinking that some other solution better suits your needs, as long as you're not reverting to sticky notes on your monitor or a password-protected Excel spreadsheet, we'll be happy. And in the meantime, we'll continue to make the best password manager possible. Thanks again for writing in. :)
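
The reply above says synced data is useless without BOTH the Master Password and the Secret Key. The following sketch is an added example, not part of the thread and not 1Password's code: it shows one way an unlock key can depend on two secrets. The PBKDF2/HKDF/XOR construction, the function names and all sample values are assumptions for illustration, and an HMAC tag stands in for authenticated encryption of the blob.

```python
import hashlib
import hmac

# Constructed sample values; a real client would generate these randomly.
SALT = bytes(range(16))
SECRET_KEY = bytes(range(16, 32))   # 128-bit secret kept only on the user's devices
BLOB = b"ciphertext-placeholder"    # stands in for a synced encrypted item


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(master_password, secret_key, salt, iterations=100_000):
    """Combine a slow password-derived half with a high-entropy device-secret half."""
    pw_half = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)
    sk_half = hkdf_sha256(secret_key, salt, b"example-secret-key-half")
    # XOR of the halves: the result cannot be computed unless both are known.
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))


def blob_tag(key, blob):
    """Integrity tag under the unlock key (stand-in for authenticated encryption)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def can_unlock(candidate_key, blob, tag):
    """True only if candidate_key reproduces the tag stored with the blob."""
    return hmac.compare_digest(blob_tag(candidate_key, blob), tag)


if __name__ == "__main__":
    key = derive_unlock_key("correct horse battery staple", SECRET_KEY, SALT)
    tag = blob_tag(key, BLOB)
    # Correct password but no Secret Key, as for someone holding only the synced data:
    guess = derive_unlock_key("correct horse battery staple", bytes(16), SALT)
    print(can_unlock(key, BLOB, tag), can_unlock(guess, BLOB, tag))
```

In this construction a password guess can only be checked by someone who also holds the Secret Key, so a copy of the synced blob alone gives no way to test guesses offline.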

This discussion has been closed.