[Feature Request] Sync any location (or add support for Owncloud)

Comments

  • ag_kevin
    edited March 2016

    Hi @Stonemage ,

    FYI, I am one of the developers of 1Password for Mac. I won't repeat what's already been said, except to reiterate that we do listen and take every single request and feedback and consider it carefully. But that doesn't mean we can implement every single feature that is asked for immediately, or even over what seems to be a long time.

    I won't speak for Dave directly, but my interpretation of balance is exactly and only for our customers. Cost is just a constraint on how we strike that balance. If all of our customers wanted the same features implemented the same way, our job would be easy. But they do not, so we have to make choices on what features we implement, and how and when we implement them.

    Today ownCloud support is not there. That doesn't mean it never will be, it just means that faced with what we need to provide for all of our customers to this point, and the constraints when developing, we had to focus our efforts on other parts of the software. That doesn't mean we're not listening, it just means we cannot say yes today.

    I do hope you understand, and we do appreciate your using 1Password and providing us with your thoughts.

    Regards,
    Kevin

  • dazzlebit
    Community Member

    +1 for OwnCloud

    I would love to see a general WebDAV or specific OwnCloud sync option! Right now I have my OwnCloud clients on every device - but I need to have Dropbox just for 1Password to sync my vaults.

  • Megan
    1Password Alumni

    Hi @dazzlebit ,

    Thanks so much for the feedback! I’ll add your +1 to the feature request. :)

  • cmroanirgo
    Community Member

    Why is there no native solution to storing my passwords on my server?

    I love 1password. I find every aspect of it exceedingly well written -- except the syncing.
    For me, using 3rd party servers like DropBox, ownCloud or even 1Password Account is unacceptable.
    This forces me to use clunky and IMHO inferior solutions such as BtSync using Folder Sync (which 90% of the time doesn't work at all in my networked environment).
    WiFi sync is also not a solution as some of the PCs I use are hard wired.

    So, due to lack of inbuilt syncing support, I found myself purchasing a competing product: Enpass, which has native WebDAV/OwnCloud syncing built in. I must say that its syncing works brilliantly. That said, I would drop it in a heartbeat if AgileBits would add native support for WebDAV into 1Password, because 1Password is just so much more user-friendly in day-to-day operation!

    How about it? I reckon I can put up with Enpass for a few months before tearing my hair out. I would hope by then you'd have WebDAV support up and running... ;)

    PS: Did you know that besides OwnCloud, many CPanel installations already have WebDAV support? They call it a "WebDisk"...

    The platforms I need solutions on are Mac, Android and Windows, and missing out on one of those platforms is a deal breaker, I'm afraid.

    Many thanks,
    Craig.


    1Password Version: 4.4.3
    Extension Version: Not Provided
    OS Version: OSX 10.10, Android 4.0.3, Windows 7+
    Sync Type: Want WebDAV/OwnCloud!
    Referrer: kb:sync-options

  • nmott
    1Password Alumni

    @cmroanirgo thanks for the feedback! As others have said in this thread, we appreciate hearing from our customers about how we can make 1Password better suit their needs, and it's always nice when someone takes the time to reach out to us on the forums. We can't add support for every requested feature -- we have to choose where to focus -- but we do consider and discuss all of these requests.

  • Mi_S
    Community Member

    Here's another vote for ownCloud or, frankly, any other automatic way of getting my 1Password vault on my own server. This has become an issue for me with the demise of 1PasswordAnywhere on Dropbox, a feature I used every day because my employer won't let me install the 1Password app on my work computer. One of the suggestions to folks disappointed by the disappearance of 1PasswordAnywhere from Dropbox was to host their vault on their own server. I have my own server and would love to do it, but I don't see how I can, at least not in an automated way. My hosting provider won't let me run the dropboxd on the shared server so I'm doing some crufty stuff with a sync from my desktop as a go-between, but it's far from ideal.

  • khad
    1Password Alumni

    Thank you for letting us know you would also like to see this, @Mi_S!

    Just in case you didn't see it earlier in the thread, or if there is anyone else coming across this in the future, Folder Sync allows you to place your vault anywhere in the file system. However, it does only work on the desktop. You would need to combine it with Wi-Fi Sync for a complete local solution.

    I'm not saying that should suffice, but perhaps it may help you or someone else for now.

  • thomaskonrad
    Community Member

    I know there have been many voices already that say that OwnCloud support would be great, but still I wanted to mention that this would also be a very helpful feature for me. It's just good to know that the password data is under your own control. So +1 for OwnCloud support!

  • nmott
    1Password Alumni

    :+1: :)

  • Perm1990
    Community Member

    +1 for OwnCloud

  • Pilar
    1Password Alumni

    Hi @Perm1990

    Thank you very much for your vote! :chuffed:

  • robin24
    Community Member

    Hey there!

    Well, I'm gonna start by saying that I too would love to see WebDAV support in 1Password, since I run my own self-hosted Linux server which has OwnCloud running on it. Consequently, I do want to add a +1 to this request, as I just like having the possibility of syncing my personal stuff using my own server, this way I have maximum control over privacy and data security, including backups and such.

    With that said, however, let me add that I'm not as crazy about this as some other commenters in this thread. I understand that you've been trying to implement this feature in the past and it didn't work in a way that was up to your quality standards, so therefore you decided to remove this feature. I completely understand this step, after all 1Password is a very solid piece of software and you sure wouldn't want to introduce any new feature that isn't up to your standards! Also, I'm not too worried about 1Password security, even though my 1Password vault is currently stored on iCloud. After all, the data is encrypted and hey, if there were any serious vulnerabilities in that encryption, they almost certainly would've been exposed to the public by now! :-) So, I strongly disagree with the opinion of some other users here, who are essentially saying that not being able to sync to your own server makes 1Password an insecure product, that is simply not true. If someone conducted a TLS Man-In-The-Middle attack on my phone's internet connection using a stolen CA root certificate, they could steal my OwnCloud and other credentials and gain access to all the files stored there. In fact, iCloud would probably be a lot more secure in such a situation, as it offers pretty solid 2-step verification for all services, something which to my knowledge is not currently possible in WebDAV. Sure, when using iCloud, Dropbox and so forth, you are trusting a third party with that data and it may be compromised. But thanks to 1Password's strong encryption, I'm honestly not too concerned! If WebDAV does become available at some point in the future I will happily use it, but until then I'll be totally fine using iCloud for storing my 1Password vault.

    Keep up the awesome work guys!

  • Ben

    Hi @robin24,

    While we almost never say never... WebDAV is a place where we have. We will not be bringing syncing via WebDAV to 1Password. I understand a number of folks want an entirely self-hosted solution, and that may still be something we can improve upon in the future (as Khad mentioned it may already be possible with Folder Sync + WLAN Server).

    Ben

  • sturze
    Community Member

    +1 for Owncloud/Nextcloud!!!!
    I would really love to see this! And all my colleagues too!

  • AGAlumB
    1Password Alumni

    Thanks for letting us know! :) :+1:

  • DrigoBortensson
    Community Member

    Folder Sync is not really an option unless we can do two or more syncs simultaneously. I can't even use it at work on a separate computer, since the folder in question will be stuck on my network at home. If I could do Folder Sync + iCloud, that could work.

    Is there some reason WebDAV is off the table? From what I understand of Nextcloud, this is pretty much saying that you will never be bringing syncing to either platform, which is disappointing.

    1Password really has made my life easier (not something I say lightly, there have only been one or two other software products I could say the same of in over 20 years). I will probably have to switch sooner or later, as I have to lock up my vault either on my home LAN, or on iCloud (for Apple products only).

  • scottjl
    Community Member

    "Is there some reason WebDAV is off the table?"

    Simple, economics. WebDAV = free self-hosted solution vs. paying Agile Bits for their yearly subscription fee.

  • AG_Alles
    1Password Alumni

    Hi @DrigoBortensson, @scottjl :)

    As @ag_kevin mentioned above, while we listen to everything you ask for, we can't possibly implement every new feature. If we did that, 1Password would become a disaster of an application that strives to be everything to every single existing or potential user. We know that's not an attainable goal. We have to embrace our constraints, and one of those is ensuring that 1Password provides an excellent, intuitive experience for as many of you as we can.

    Right now we aren't jumping into WebDAV because it's not the right fit for 1Password. As has been mentioned, it isn't just about finding a library to include in the code base and writing in the right API calls. There's a lot of other work to do in order to design, develop, and implement a new sync service. For example, we have to handle conflicts and that in and of itself can get very complicated, very quickly. We'd have to write that code for multiple platforms, debug it, ship it, and iterate on it continuously. In the end this actually ends up taking us away from our users.

    Our intention isn't to make a quick dollar by excluding other options. We have to consider the best solutions for all of you, and the very real complexities of creating and supporting those solutions. WebDAV simply doesn't pass the test right now, but that doesn't mean it won't ever be an option.

    I wish we had better news, but if this changes, we'll absolutely be sure to comment here and let you know. :)

  • webdav_sync
    Community Member
    edited February 2017

    Warning shot #1
    https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/

    Best example of why I want to be responsible for my data and don't give my data out of my storage. Please let users sync 1Password with their own storage systems as users are allowed to do that. I feel like I'm in a two-class society.

    You never ever lost that many customers because they avoid using cloud services. Release WebDAV sync at least on iOS as a one-time In-App purchase. I'd buy that.
    Or at least a simple one-click import/export to a WebDAV server if you don't want to invest time to solve sync conflicts with WebDAV servers. Even for this I'll pay. A no-brainer.

  • @webdav_sync : We've tried to be as open as possible regarding sync via WebDAV... it's not happening. We don't think we can make a good sync protocol on top of WebDAV.

    Export (and maybe import) to/from WebDAV is a more interesting idea.

    Rick

  • AGAlumB
    1Password Alumni
    edited February 2017

    @webdav_sync: If you read the blog post you linked to, you'll know that 1Password user data was not affected because, by design, it doesn't depend on the transport layer or hosting provider for its security. Dave talked more about WebDAV in particular earlier in this very discussion and why we abandoned it years ago, long before initial development even started on 1Password.com.

    I know it isn't obvious, but I think the thing that you're missing here is that (with the exception of Wi-Fi Sync), 1Password isn't syncing local vault data; rather, this is handled by Dropbox or iCloud (Folder Sync simply writes a usable vault database to a specific location, and this is also what 1Password for Mac does for Dropbox: it puts the files in a folder, and Dropbox does the rest). So when it comes to data actually being sync'd and conflict resolution, 1Password doesn't have any control over how (well) other software handles this, which is why we can't recommend many solutions.

    And this is also a big part of why we've developed 1Password.com, so that we can make it work efficiently and seamlessly — and if it breaks we can fix it. I understand that you're prepared to take responsibility for your sync experience, but the vast majority of users just want it to work, and we need to focus our efforts where we can do the most good for the greatest number of people.

  • webdav_sync
    Community Member

    @brenty: thanks, I completely understand the blog posting. That's why I wrote "warning". But in my opinion it's no argument from a security perspective that data saved on storage the owner doesn't own stays secure. The data is lost. I'm giving my data off my own storage devices. It is lost.

    Anyone who gets the encrypted data can brute force the encrypted data with every CPU power. There is no limitation like 5 times wrong password = wait for 1 hour to try again. He can brute force 1000s in milliseconds! Or he can wait for a security flaw in your encryption technology. Heartbleed anyone?

    You can use your argument if you provide any non-sensitive product, but not a security product. Then you should live security. Never saving data on a foreign cloud storage is one simple security recommendation. It's not my idea. Go to Black Hat conference and ask people what they think. And please don't forget or ignore people who don't want to save their own data anywhere. It's not a painting app for kids, it's a password manager.

  • RED05
    Community Member
    edited March 2017

    @webdav_sync I think you have some critical misunderstandings with respect to cryptography and programming.

    Your assertion that, should someone get access to the data, they can attempt to brute force it offline -- that is to say with no time penalty -- is correct. Despite that, you should read up on the encryption used for 1Password's agile keychain. The agile keychain is encrypted using AES128-CBC. To break it down, that is 128-bit AES encryption in Cipher Block Chaining mode. Read up on this mode of AES, there are no known vulnerabilities and brute forcing it even with large clusters of custom-built FPGAs has not been able to brute force a strong password.

    Regarding the "heart bleed" vulnerability -- this is a complete non-sequitur. Heartbleed was the result of a code base that did not employ strict stylistic guidelines. Enforcing even rudimentary code style checks would have fixed it as it was simply a case of not using curly braces to properly mark a sub-block of code relative to the if-else statement it was associated with. That said, Heartbleed allowed an extremely small portion of memory to leak -- no testing ever showed it was enough to (outside of random chance) leak potentially sensitive information (i.e., passwords, memory addresses, etc...)

    I can sympathize that I would like to control all aspects of the technology that I own (especially the sensitive information), but to try to argue that this is a security issue is just incorrect.

    Edit: I would also point out that, as a security expert, I would always recommend that someone use a password manager such as 1Password (assuming, of course, that the proper amount of due-diligence has been performed regarding the security architecture). "Never save data on a foreign cloud storage" is a catchy cliche, but it is a false over-generalization.

  • AGAlumB
    1Password Alumni

    @RED05, @webdav_sync: I think you'd both be interested to know that we moved to AES256 years ago, and not because 128-bit is weak or insecure. AES256 is simply sufficiently efficient for there to be no good reason not to. Therefore, as it stands, so long as you use a long, strong, unique Master Password, you don't have anything to worry about from script kiddies, legit hackers, cloud service breaches, or even government agencies.

    I think it's important to note a few other things:

    1. Heartbleed did not affect 1Password data, as it is encrypted locally on the device before it is transmitted, even if you're syncing your data to "the cloud".
    2. It isn't often considered or discussed, but even if there were enough technology available to brute force our data in a reasonable amount of time, the power requirements of doing so are out of reach of the human race.
    3. Certainly there are web services which are insecure. No one will argue otherwise. But again, going back to #1, we've designed 1Password with the expectation that the data should remain secure even if it falls into the wrong hands. And given that 1Password data is encrypted, where it is stored isn't something our security model is built on.

    Anyway, while I think these things are pretty irrelevant to this thread given 1Password's security model, it's absolutely an important topic, so I'd encourage you to start a new discussion if you want to dive into this further. Cheers! :)

  • AGAlumB
    1Password Alumni

    Hey, knowledge is power. Or would you prefer that stuff affecting your security stayed secret? ;)

  • bchabot
    Community Member

    +1 for ownCloud synchronisation with 1Password for iPhone and 1Password for iPad

  • AGAlumB
    1Password Alumni

    Thanks for letting us know! We don't currently have any plans to support additional 3rd party sync services, but we'll keep it in mind if we can revisit this in the future. Cheers! :)

  • cmroanirgo
    Community Member

    @brenty

    1. It isn't often considered or discussed, but even if there were enough technology available to brute force our data in a reasonable amount of time, the power requirements of doing so are out of reach of the human race.

    It is ironic that the same response also states: Landauer's Principle might not actually hold up:
    http://phys.org/news/2016-07-refutes-famous-physical.html

    It clearly shows that there is no such minimum energy limit and that a logically irreversible gate can be operated with an arbitrarily small energy expenditure. Simply put, it is not true that logical reversibility implies physical irreversibility, as Landauer wrote.

    What does this mean? It means that the standard computations applied to 'How long it will take to break something' do not hold water.

    Just sayin'.

    Oh.... AND I'm still awaiting better syncing (without requiring the new subscription model), which is what this topic thread was originally about!

  • AGAlumB
    1Password Alumni

    @cmroanirgo: While it's impossible to perfectly quantify the length of time needed, I think the fact that we can argue about this illustrates the infeasibility. Otherwise we wouldn't need to hypothesize about it; we'd just do it. :tongue:

    As far as "better syncing", you're not going to like the answer, but we've already built that. Asking us for better syncing with the stipulation that we can't build it ourselves just doesn't make any sense. We simply don't have any control over the quality of the sync experience when it depends on someone else's software or service. :unamused:

This discussion has been closed.