I don't wish to be a faceless coward so here's my 2* review.

h00ligan
Community Member
Prefaced with. I like your team. Your blogs. You're clearly bright people. But ....begin review




Cons: No iCloud sync with desktop yet. And the removal of wifi sync. Dropbox security is a joke. But it's STILL the only way to sync desktop clients.

If I wanted to sync with Dropbox I would be already. I'll avoid the company who cares so little about security they breached their own user database in email - twice.

Despite the efforts of the 1password team to ensure that doesn't matter with a strong master password- it does.

I'm not going to iTunes sync every day or half hour to keep things up to date.

The browser won't remember logins. Why on earth not. C'mon. This is just begging to be added. I need to sign up for a forum. Let me auto fill a fake profile generate a random pass then save it to 1password.

It just seems like such a basic feature.


Pros:
New interface is nice.


Thoughts : this was the team's last effort to get me back from lastpass. Which is hideous visually but far more functional. I believe the agilebits teams have put a great deal of thought into the product. Just not enough into their ecosystem. It just clearly should have been released in tandem with the promised free mas 4. I'm sure the answer is 'we can't discuss upcoming projects' but it's not good enough. Every time I interchange data between LP and 1P it's an arduous process. One I'm sick of

Finally, and I'll have to confirm. Bookmarklets. I trust my forum memberships and whatnot with random passwords to the Apple keychain.

However I'm used to using lastpass tab to log into more critical sites. The browser here pales in comparison IMO.


As of now I see no compelling reason for anyone to upgrade. I hope that changes because they are clearly smart people with good forward thinking regarding security. But to be brutally blunt. They need a better leadership vision.

This is a half baked release and frankly. Useless to me. It doesn't change why I left. And so they got another $7. Hey they deserve it. Great group. The product is simply not there. And not the best. No matter what consumer magazines tell you. Were I them I would have gone the other way round. Get the new mas ready. Then this. Then blow it out as an awesome combo.

Comments

  • h00ligan
    Community Member
    edited December 2012
    Oh and please do correct me if I'm missing something. But don't bother persuading me about Dropbox and security. There's no hope on that one.

    Oh and btw. If there are any URL hooks can you publish a list please - which may be there and I'm missing.
  • roustem
    edited December 2012
    Thank you for the feedback. I am glad you took the time to review the app and make a decision.

    I agree that it would be great to have the new versions of both Mac and iOS apps ready at the same time. That was our plan a year ago when we were starting the development but at some point I started to worry that we are taking the Duke Nukem path and the new apps will never be released. If you remember, 1Password 3 for Mac was published in 2009 and the iOS app was originally released in 2008.

    We were internally using the beta for a couple of months and it became clear that in many aspects it is much easier to use than version 3. This is why we decided that it is time to publish it.

    I understand that you cannot rely on Dropbox and would rather use iCloud to sync data between Mac and iOS. We hope to get this done in the near future.
  • charlie98
    Community Member
    roustem wrote:

    We were internally using the beta for a couple of months and it became clear that in many aspects it is much easier to use the version 3.

    I'm confused, are you saying that version 3 is easier than version 4 or that version 3 was easier than the beta?
  • charlie98 wrote:

    I'm confused, are you saying that version 3 is easier than version 4 or that version 3 was easier than the beta?


    Thank you, I corrected the message.
  • JDW
    Community Member
    Roustem, what's so insecure about synching via DropBox? I thought our 1PSW data was encrypted such that it would be unusable to any hacker that broke into our DropBox account. The fact that you did not defend DropBox synching in this thread has me concerned about my own 1PSW data.

    Also, if Dropbox isn't secure, what makes iCloud (which you appear to advocate more than DropBox) so much more secure?

    Thank you.
  • JDW wrote:

    Roustem, what's so insecure about synching via DropBox?


    Dropbox got quite a bit of bad press some time ago and it is understandable that some customers prefer to not use it.


    1Password data format is secure. I am using both Dropbox and iCloud for syncing my data. It is my personal decision though and I can't force it on anyone.
  • JDW
    Community Member
    Roustem, thank you for the clarification. That's pretty much what I thought. Since our data is encrypted, it doesn't matter if DropBox had been hacked in the past, our data is still secure. So I always get bewildered by what some folks are talking about whenever they post negative things on why they don't want to synch with DropBox.

    Please forgive me but I have one final question for you. Since you already sync with DropBox, why then do you also wish to sync with iCloud? In other words, what's the purpose of syncing with both instead of just one of the two?

    Thank you again.
  • jhollington
    Community Member
    edited December 2012
    JDW wrote:
    Roustem, thank you for the clarification. That's pretty much what I thought. Since our data is encrypted, it doesn't matter if DropBox had been hacked in the past, our data is still secure. So I always get bewildered by what some folks are talking about whenever they post negative things on why they don't want to synch with DropBox.


    The short answer is that there are people who don't trust encryption, so the idea of putting anything in a cloud service is anathema to them, regardless of what encryption is being used.

    Please forgive me but I have one final question for you. Since you already sync with DropBox, why then do you also wish to sync with iCloud? In other words, what's the purpose of syncing with both instead of just one of the two.


    To save roustem the trouble of repeating himself (so he can keep busily coding magic 1Password improvements :) ), he addressed it over in this thread: http://forum.agilebi...dpost__p__65671

    As I also noted in that thread, iCloud also provides a background sync capability, and I suppose if you had multiple iOS devices there might be a compelling reason in some situations to sync only one, "primary" device with Dropbox and iCloud, while letting the others only get their data from iCloud. Can't see why that would matter unless there was some reason you couldn't use Dropbox on a particular device, but it's certainly an option.
  • h00ligan
    Community Member
    edited December 2012
    To be honest I think that's really downplaying the issue. It wasn't one incident. Not only did they leak user data. They've also opened all accounts publicly and then some. It hasn't been one error. It's been MANY

    and no matter how good the algorithm is. Someone is out to beat it via math or brute force. So why tempt.

    20 million passwords a second cracking and counting - A database on a source repeatedly compromised.

    I know you guys are smart as I stated. Dropbox has ALWAYS been a bad choice. I'm not a tinfoil hat guy.

    @Dholister - Lastpass has a blob and they could be hacked. But they also have options to kill old connections. Change PBKDF2 iterations. Prohibit for network logins. Two factor authentication.

    I do think you have a plan and I get the Duke Nukem references. But. The mas version still has numerous issues remembering things. Or offering to, and the Dropbox reliance is just the icing. In no way is this meant personally. Hell, every time I deal with you all I feel very happy. But to say Dropbox had bad press once a short bit ago is disingenuous IMO.


    I use effectively. 16 character garbage master password. But at the rate of development. I don't want my database stored on Dropbox. Yes I believe Apple security to be better.

    To the other points.

    Why no credential remembering when using the web browser? If I log into my electric company site...why won't it offer to remember those credentials. Is that user error? Again. A feature lastpass has.

    URL hooks for bookmarklet finds or integration with launcher pro?

    I'll always keep an eye on the talent here, I just feel a bit let down that from a front end we have a very limited resin and a continued reliance on Dropbox. Which in fairness can support two factor....though I haven't enabled it yet due to the agilebits warnings to hold off.

    To be honest this is the first time I've found the tone of this place a bit tense or terse. Valid points were raised here. Reducing the Dropbox to one issue, not addressing other shortcomings, they are all valid things.

    Again. I like the team, I've enjoyed the team's responses and the blogs....but the product is..at this point, lacking important things. For me.

    I think it's a shame these concerns are seemingly brushed under as one paranoid guy. I use plenty of cloud services. Just not Dropbox for anything that matters.
  • benfdc
    Community Member
    h00ligan wrote:

    Every time I interchange data between LP and 1P it's an arduous process. One I'm sick of


    As a devoted user of both 1P (my database for everything) and LP (for easy "away from home" access to a small subset of my passwords, for secure password exchange, and for shared keychains [vaults in LP-speak] ), I have to say that I don't find login interchange to be arduous. I have both browser extensions installed in Firefox, which I seldom use, and logging into a website with the help of one password manager immediately brings up a prompt offering to store the login in the other.
  • JDW
    Community Member
    Mr. Hollington, thank you for the informative link. In summary of that discussion thread, it would appear that Dropbox is really the best solution if one also has Windows PCs in the mix. But if there is no Windows PC to contend with then either Dropbox or iCloud would appear to be a good solution; however, I still don't see any reason to use both iCloud and Dropbox at the same time to synch.

    Now as to Mr. Hooligan's excessive worry about Dropbox, I am still bewildered as to why. I am well aware that Dropbox has been accessed by an unauthorized party. But technically speaking that could happen to any cloud service, including iCloud. Furthermore, like I said before, 1PSW data is encrypted. Mr. Hooligan contends such encryption is about as weak as a human being walking atop rice paper, but is that really true?

    Roustem, what kind of encryption is used to secure our data in DropBox? Or more specifically, how many years or centuries would it take for one of the most powerful supercomputers in the world to crack that encryption?

    Going under the assumption that it would take one of the most powerful supercomputers in the world in excess of 100 years to crack, one still has to consider the statistical likelihood of a hacker spending those years trying to crack YOUR 1PSW data, to the exclusion of the tens of thousands of other 1PSW users' data also on DropBox. My guess is that when you work the numbers, you probably have a far better chance of winning Powerball every year for the rest of your life! And if the odds really are such, then why worry? There are no "100% guarantees" in this life, so we must simply live life by choosing "reasonably acceptable odds."
  • jhollington
    Community Member
    edited December 2012
    Here's a great article from Agile about how 1Password's encryption can stand up against a password cracker specifically designed to crack 1Password: http://blog.agilebit...ohn-the-ripper/ Particularly worth noting is the chart about two-thirds of the way into that article.

    The key of course is having a good Master Password (see http://blog.agilebit...ster-passwords/), since that's the vector of attack that hackers are most likely to try against. The idea that the encryption algorithm itself can be compromised is extremely unlikely, barring any obvious glaring deficiencies that are discovered in the algorithm itself (which would have much wider-reaching consequences than merely 1Password, since AES is a common algorithm used these days for just about everything out there).

    With a good enough Master Password, however, we're talking about centuries or millennia based on current technology. Personally, my data changes often enough in 1Password that anything more than a few weeks would render most of the important stuff useless to an attacker anyway.

    I really believe that a lot of people's mistrust of encryption technology comes from a lack of understanding. Movies and TV shows like to show whiz-kids cracking open some government or alien encryption cipher in seconds because it makes for good entertainment value, but the reality is that it's actually a lot harder to crack an encryption algorithm than to pick a lock -- something else that Hollywood makes look trivially easy.

    Dropbox has stumbled a few times in terms of security, but the reality is that as you point out, almost any cloud service can fall afoul of that sort of a problem -- certainly all of the ones commonly used by most people are vulnerable to such things (exceptions are those like Wuala and SpiderOak, which employ client-side encryption). Dropbox definitely has the worst visible track record in this regard, however -- last year they completely "failed open" for several hours -- anybody could have gotten into your Dropbox account with nothing more than your e-mail address and a blank password. Only a relatively small number of users were actually impacted by this, however, and one has hoped that Dropbox has learned its lesson from such mistakes. Certainly the addition of two-factor authentication is a step in the right direction.

    The bottom line is that one shouldn't trust cloud services for actual sensitive data that is in the clear, but the reality is that 1Password does not fit into this category by any stretch of the imagination, since they're using solid encryption technology. There are many people who still trust Dropbox for the purpose of backing up, storing and syncing their files, but simply choose to use their own layers of encryption (e.g. TrueCrypt) for anything that they're concerned about the sensitivity of.
  • h00ligan
    Community Member
    Which at this rate could triple in months. Hence needing a wall around the safe.
  • h00ligan
    Community Member
    benfdc wrote:



    As a devoted user of both 1P (my database for everything) and LP (for easy "away from home" access to a small subset of my passwords, for secure password exchange, and for shared keychains [vaults in LP-speak] ), I have to say that I don't find login interchange to be arduous. I have both browser extensions installed in Firefox, which I seldom use, and logging into a website with the help of one password manager immediately brings up a prompt offering to store the login in the other.


    I must be doing something wrong then because nothing gets titles, folders, etc upon import.
  • benfdc
    Community Member
    edited December 2012
    h00ligan wrote:

    I must be doing something wrong then because nothing gets titles, folders, etc upon import.


    You may well be right. LastPass is strictly a secondary password manager for me, so the ability to transfer logins accurately and with little effort suffices for my purposes.

    I am not sure that I understand your preference for LastPass over Dropbox as a vehicle for sync. I grant you that Dropbox security leaves something to be desired, but LastPass's servers have also been penetrated in the past. I well recall LastPass forcing me to change my vault's master password on account of one such breach.

    I would no more publish my 1Password keychain online than I would my PGP private key, but when push comes to shove I am of the view that my data is principally protected by strong master passwords. Indeed, the "diceware" method promoted by AgileBits for selecting master passwords was originally devised to protect PGP keys.
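
The arithmetic behind the master-password argument in this thread, as an added example that is not part of any post or of AgileBits' code: it estimates how long an offline guessing attack on a stolen keychain would take for Diceware passphrases and for a random 16-character password. The guess rate is the unverified "20 million passwords a second" figure quoted above, the 7776-word list size is standard Diceware, and all function names and the iteration counts are hypothetical.

```python
import math

DICEWARE_WORDS = 6 ** 5              # 7776 entries: five dice rolls pick one word
SECONDS_PER_YEAR = 365.25 * 24 * 3600
THREAD_GUESS_RATE = 20e6             # guesses/second, figure quoted in the thread


def diceware_bits(words):
    """Entropy of a passphrase of `words` independently rolled Diceware words."""
    return words * math.log2(DICEWARE_WORDS)


def random_bits(length, alphabet_size):
    """Entropy of a uniformly random password over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits, guesses_per_second):
    """Expected search time: on average half the keyspace is tried."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def min_diceware_words(target_years, guesses_per_second):
    """Smallest Diceware length whose expected crack time meets the target."""
    words = 1
    while years_to_crack(diceware_bits(words), guesses_per_second) < target_years:
        words += 1
    return words


def slowed_rate(guesses_per_second, iterations_before, iterations_after):
    """Key stretching: each guess costs one full derivation, so the
    attacker's rate scales inversely with the iteration count."""
    return guesses_per_second * iterations_before / iterations_after


if __name__ == "__main__":
    for n in (4, 5, 6):
        years = years_to_crack(diceware_bits(n), THREAD_GUESS_RATE)
        print(f"{n} Diceware words: {diceware_bits(n):5.1f} bits, ~{years:.3g} years")
    bits16 = random_bits(16, 94)     # 94 printable ASCII symbols (assumption)
    print(f"16 random chars: {bits16:5.1f} bits, "
          f"~{years_to_crack(bits16, THREAD_GUESS_RATE):.3g} years")
    # Constructed iteration counts: a tenfold increase cuts the rate tenfold.
    print("rate after 10x iterations:", slowed_rate(THREAD_GUESS_RATE, 1000, 10000))
```

The estimate only covers guessing the master password; it says nothing about the storage provider's own account security, which is a separate layer.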
This discussion has been closed.