Time to move on [v7 supports standalone and same sync options as v6; Linux support available]

smckay
edited June 10 in Memberships

Hi 1Password team,

I've thought long and hard about this but after many a long year with 1Password as my poison of choice for password management, I have finally decided to call it a day, albeit with a heavy heart. I've enjoyed using 1Password immensely and have had 100% confidence in the security it provides, but ultimately a convergence of factors has made me decide it's time to move on. For the sake of providing an excellent product and team with hopefully valuable feedback you can use to your advantage, I'd like to share my reasoning with you.

Back in the day, LastPass was my password manager of choice, until they were breached many years ago, and I realised that placing your password data into an online service was exposing it to an attack surface that was available to attackers 24x7. And while LastPass have fixed many of the vulnerabilities that led to that breach and vastly improved their security posture over the years since, for me it's a case of once bitten, twice shy. Inevitably, syncing your passwords to a cloud service simply means you are playing a waiting game until the next serious breach - which happened again for LastPass in 2015, which was already some years into my tenure as a 1Password user.

I could not afford that risk then, and I still cannot afford that risk now. The beauty of 1Password for me lay not in its underlying encryption technology but in the fact that my password store was local, and I could choose if and how I wanted to synchronise it. As long as my password data was not stored remotely, I could secure it as I saw fit. For me as a technical person, and working with highly secured government customers, this was a fantastic advantage. Unfortunately Agilebits has changed direction on this with a new 'cloud first' approach, which provides much improved synchronisation for a majority of users a little less shy of that kind of exposure, but for those of us who need something more controlled and robust, not so great.

Up until 1Password 6 I could keep data local and choose what I wanted to sync, and which if any cloud storage services I wanted to sync it with. I could keep my most sensitive data secured away on an encfs filesystem with a suitably massive random seed and private key, and only sync the (heavily!) encrypted storage to a trusted backup store, like an on-premises Commvault or Avamar backup appliance. I could sync less sensitive data with Google Drive, Dropbox or OneDrive. With 1Password's new cloud first approach, though, I can no longer choose to avoid exposure to those online risks. It becomes LastPass all over again, and sadly, I can't afford to take that risk.

I work on a Mac primarily, so 1Password was an obvious go to when the first LastPass breach occurred. However, I also work on a variety of - mostly Linux - systems in various environments. Being able to securely sync password data between them and my Mac was always and remains much more important than being able to sync to a Windows operating system. Unfortunately, Agilebits has never taken the *nix technical customer base seriously enough to consider a port to a Linux platform. I understand that their focus needs to be on the largest segment of the customer base, as a relatively small and agile development house. But since it seems to have never made it on to your radar, I have to consider the possibility that I'm not in anything near enough to a key demographic, it never will make it to your "do next" queue. Which I think is likely.

Unfortunately, Apple system quality has noticeably declined in recent years, and Linux systems are becoming more and more useable as a primary developer / devops workstation. And I need to consider the not inconsiderable expense of replacing my aging Macbook Pro with new Apple equipment versus a decent Linux laptop. Quality of Apple hardware is no longer a drawcard, and I can easily find much more powerful hardware from manufacturers like Dell and System76 which are ultimately better suited to my professional needs than an Apple OS. So I need to keep an eye on the future, and 1Password seems to have hitched its wagon to what is yesterday's platform, as far as my own professional trajectory goes.

Finally, Windows 10 and Mac OS are becoming more and more leaky from a security and privacy perspective. As long as this was mere statistical market analytics several steps removed from any personally invasive creepiness, I could turn a blind eye. But these days, the value of what I do with my laptop is increasing, and the risk of exposing it to potentially hostile and competing corporations working in the IT industry has a very real potential to harm me and those who employ me. I can't seriously consider using Windows 10, and Mojave gives me pause already. I can't see this trend of pervasive surveillance changing anytime soon, and my only alternative is a platform that is leaner, and built on source code that is open to community inspection and critique, such as most Linux distributions.

So this will be my last Mac laptop in all likelihood. And it's a shame, as I have acquired a not insignificant portfolio of useful paid-for applications I won't be able to take with me. Linux doesn't provide good alternatives for all of them, but it does for 1Password. So I'm switching now in anticipation of a possible platform change, and because I need to keep some of my data stored locally under multiple layers of high strength encryption, with no Internet exposure. And 1Password won't be able to do that when version 6 ends.

Thanks Agilebits for being there and having such a solid and reliable product for as long as you have. It's a shame we have moved in opposite directions. But keep in touch.

Cheers
Stephen



Comments

  • Ben AWS Team

    Team Member

    Hi @smckay

    Thanks for sharing your thoughts. I'm sorry to hear you have come to feel that 1Password is no longer a good fit for you. I do hope that you're able to find a password management solution that you're comfortable with and confident in. As you say you've put a lot of thought into this I'm probably not going to say anything you don't already know, but for the benefit of anyone else who may be reading...:

    1. I totally understand your concern for security and privacy. These are things that are very important to us here at 1Password as well. The security of your 1Password data doesn't rely on your chosen sync method. Regardless of how you sync your data, it is encrypted by 1Password before the synchronization process. Because of this neither we nor any other 3rd party ever have access to your data. This may not be the case with all solutions. Not all encryption processes are created equally. The important bit with 1Password is that no one else has access to the keys needed to decrypt your data. As such, even if 1Password.com, Dropbox, or iCloud (whichever you choose to sync with) were breached your 1Password data would not be available to the attacker. Further details on our approach to security can be found here: https://support.1password.com/1password-security/
    2. You mentioned that you felt that "when version 6 ends" there would have to be a shift in how you use 1Password. This is not the case. First, v6 has "ended," in that it is no longer being developed. It will not receive further updates. Second, all of the same sync options that were available in v6 are available in v7: https://support.1password.com/sync-options/
    3. We do support Linux, and have had offerings there for a while now. While it is true that Linux is used by a very small percentage of customers and we do not offer a desktop app like 1Password for Mac or 1Password for Windows we do offer a browser extension, a command line interface, and the 1Password.com web interface. Additional details about our offerings on Linux are available in this guide: https://support.1password.com/explore/linux/

    Best of luck moving forward. If you decide to reconsider in the future we'll be happy to help.

    Ben

  • I think you're over-reacting, but I just want to make one comment. I'm an IT professional with a Master's Degree in Computer Security and over 40 years of experience. I've been an Enterprise IT Architect at major companies for the past 15 years.

    So, my comment is this -- if you think Linux is (1) more secure and (2) going to take over the Desktop/Laptop market, you are terribly wrong. Linux has just as many security holes as any other operating system. And, Linux is NOT going to take over the desktop market. It owns that back-end server market, and that's where it will stay.

  • ag_ana

    Team Member

    Thank you for sharing your thoughts @Grimper :)
