1password seems to be getting worse

tommy_tipper
Community Member
edited September 2016 in Mac

1password has been one of my absolute favourite programs (alongside Little Snitch) ever since I got a Mac - a true stalwart of software, in which I have true confidence in the dev team, and with great support. However, in the last 6-12 months, I have seen 4 major problems with the software, which are impacting its usability, and my confidence in the direction the team are going:

  1. Since I updated to OS El Capitan, I haven't been able to open the main 1password app without it crashing! I have emailed customer support about this. It crashes less than a second after opening, whichever way I open it, so I can't even tell you the exact version (I updated today, Sept 21 2016, and it still crashes)! Luckily, I can still use the 1pass extension, otherwise the whole thing would be useless, but it limits functionality because: a) I can't manually create new logins, and b) I can't so easily manage my logins/passwords etc. I've done two 1pass updates since ElCap was first installed, and neither have fixed this. I've also sent crash reports to 1pass and Apple.

  2. Updates I make to my iOS 1pass (v6.4.4) do not sync to my vault, thus don't make it to my Mac. Updates I add to my mac DO sync to my phone. I have used Dropbox sync for years with no issue. Why is this starting to break now? Does it have anything to do with 1pass "Accounts"?

  3. (The least annoying, but perhaps the biggest concern for the future). The core feature of 1pass, which has always made me favour it over LastPass (etc), is the approach to vault encryption. I, and ONLY I, know the password for my vault, and that password directly relates to the encryption key for the vault. Even if I gave the vault to the FBI and someone from 1pass gave them the full algorithm, it would take them decades to crack it. So sharing the vault on Dropbox etc. is not a major concern. However the introduction of web-access completely changes the 1pass model. Now, by definition, there MUST be a way to decrypt the vault other than the user directly entering the master password. Sure, this may be in a multi-stage process (I don't know, I'm staying well clear), but the fact that AgileBits have compromised on their model, and written code that lets people decrypt their vaults over the internet makes me very nervous. What have they changed about the vault (we may never know)? How is it possible to communicate the password and/or decryption key over the internet securely -- essentially, it's not. Any form of online authentication +/- decryption is many times more vulnerable than decrypting the vault locally.

  4. Movement to subscription model. Please, no. Just, no.

AgileBits have always been good at replying to forum posts: let's see what they say. Personally, I'm starting to worry that the core values of the dev team are moving from security, to convenience, in order to capture a larger market-share. That's not the POINT of 1password.

Thanks, Tom


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: 10.11.6
Sync Type: Dropbox

Comments

  • Pilar
    1Password Alumni

    Hi @tommy_tipper

    Thank you very much for taking some time to write to us with your concerns. It's always very important to us to know what all of our customers think about 1Password or struggle with. I'll go through each of your points at a time :chuffed:

    Since I updated to OS El Capitan, I haven't been able to open the main 1password app without it crashing! I have emailed customer support about this. It crashes less than a second after opening, whichever way I open it, so I can't even tell you the exact version (I updated today, Sept 21 2016, and it still crashes)! Luckily, I can still use the 1pass extension, otherwise the whole thing would be useless, but it limits functionality because: a) I can't manually create new logins, and b) I can't so easily manage my logins/passwords etc. I've done two 1pass updates since ElCap was first installed, and neither have fixed this. I've also sent crash reports to 1pass and Apple.

    I'm very sorry to hear that 1Password has been crashing for you! That very much should not be happening. I have looked on our email and we only have a couple of emails from you with this email address from about 3 years ago. I guess you've used a different email address, so I can't take a look at what you've already tried. I do know that a Diagnostics Report would help us tons in sorting this out, that would get us the version number in addition to other details that will help us see what's wrong.

    Sending Diagnostics Reports (Mac)

    Attach the Diagnostics Report(s) to an email message addressed to support+forum@agilebits.com.

    Please do not post your Diagnostics Report(s) in the forums, but please do include a link to this thread in your email, along with your forum handle so that we can "connect the dots" when we see your Diagnostics Report(s) in our inbox.

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so we can track down the report(s) and ensure that this issue is dealt with quickly.

    Updates I make to my iOS 1pass (v6.4.4) do not sync to my vault, thus don't make it to my Mac. Updates I add to my mac DO sync to my phone. I have used Dropbox sync for years with no issue. Why is this starting to break now? Does it have anything to do with 1pass "Accounts"?

    I'm sorry to hear that you're having some trouble with Syncing as well. It sounds like your previous point and this one are connected. Once we've been able to open 1Password again on your Mac we'll be able to troubleshoot Dropbox sync as well. The Diagnostics Report that I asked for before will also help us figure this problem out as well. One thing I can tell you for sure, there's no connection between the fact that now Accounts are available. We keep on supporting Dropbox sync methods for 1Password and will continue to.

    (The least annoying, but perhaps the biggest concern for the future). The core feature of 1pass, which has always made me favour it over LastPass (etc), is the approach to vault encryption. I, and ONLY I, know the password for my vault, and that password directly relates to the encryption key for the vault. Even if I gave the vault to the FBI and someone from 1pass gave them the full algorithm, it would take them decades to crack it. So sharing the vault on Dropbox etc. is not a major concern. However the introduction of web-access completely changes the 1pass model.

    This is still the case for 1Password Accounts, but at an even higher level of security. Your vault is only ever decrypted on your device. It is never sent unencrypted over the internet, your Master Password is never sent over the internet and you are still the only one who can access your data. Even if (to follow your analogy) the FBI were to get hold of the data stored on our servers, the situation for decrypting it is the same. Actually, it's even better than before: in addition to the Master Password accounts have an extra layer of security called the Account Key. This is also generated locally on your device and never sent over the internet either. You need both pieces to decrypt your data.

    Now, by definition, there MUST be a way to decrypt the vault other than the user directly entering the master password.

    I want to reassure again, this is not the case. We only store the encrypted vault.

    Sure, this may be in a multi-stage process (I don't know, I'm staying well clear), but the fact that AgileBits have compromised on their model, and written code that lets people decrypt their vaults over the internet makes me very nervous. What have they changed about the vault (we may never know)? How is it possible to communicate the password and/or decryption key over the internet securely -- essentially, it's not.

    We have not compromised on our model, we have worked towards strengthening it. We are very open about how we handle security, and you might for sure know how all this is done by reading our security white paper. It will give you every detail about it :chuffed:

    Any form of online authentication +/- decryption is many times more vulnerable than decrypting the vault locally.

    You're right, that's why we still decrypt your data locally.

    Movement to subscription model. Please, no. Just, no.

    We've said it many times but I want to reassure you: we're not moving to subscriptions, we are adding them as an option. We completely understand that some of you don't like the idea of subscriptions but many people do and appreciate what we can offer with them. I know that if you don't like them yourself it's hard to see why others would, but there's a place for everyone in this world and we do our best to give each of you all options to see what fits better. That doesn't mean that the previous way of doing things is going anywhere, just that now you get to pick :chuffed:

    I hope to hear back from you so we can sort out your problem with the main app for 1Password as well as your thoughts on all this. If there's anything else that you'd like to know about how 1Password protects your data, either with local vaults or accounts I'll be glad to get into more details.
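
The two-secret model Pilar describes above (Master Password plus a device-generated Account Key, with decryption only on the device), as an added Python sketch that is not part of the original thread and is not 1Password's actual algorithm. The work factor, the XOR combination and the SHAKE-256/HMAC sealing (a stand-in for a real AEAD cipher) are assumptions chosen so it runs with the standard library only.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumed work factor for this sketch


def derive_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Combine a stretched password with a random, device-held secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ROUNDS)
    device_part = hmac.new(salt, account_key, hashlib.sha256).digest()
    # XOR of the two halves: a holder of only one input learns nothing about the key.
    return bytes(a ^ b for a, b in zip(stretched, device_part))


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the device; the returned dict is all a server would store."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, blob: dict):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    expected = hmac.new(key, b"mac" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = hashlib.shake_256(b"enc" + key + blob["nonce"]).digest(len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))


def demo() -> dict:
    salt = secrets.token_bytes(16)
    account_key = secrets.token_bytes(16)      # generated on the device, never uploaded
    password = "correct horse battery staple"  # constructed sample value
    blob = seal(derive_key(password, account_key, salt), b'{"login": "example"}')
    return {
        # Both secrets present: the device can decrypt.
        "both": open_sealed(derive_key(password, account_key, salt), blob),
        # Right password, wrong Account Key (e.g. someone holding only server data).
        "password_only": open_sealed(derive_key(password, bytes(16), salt), blob),
        # Right Account Key, wrong password.
        "account_key_only": open_sealed(derive_key("guess", account_key, salt), blob),
    }


if __name__ == "__main__":
    print(demo())
```

Because the Account Key is random rather than human-chosen, guessing passwords against the stored blob alone cannot succeed, however weak the password is.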

  • tommy_tipper
    Community Member

    Hi Pilar,

    Thanks so much for your comprehensive reply.

    I'm very sorry to hear that 1Password has been crashing for you! ...

    Attach the Diagnostics Report(s) to an email message addressed to support+forum@agilebits.com.

    Please do not post your Diagnostics Report(s) in the forums, but please do include a link to this thread in your email, along with your forum handle so that we can "connect the dots" when we see your Diagnostics Report(s) in our inbox.

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so we can track down the report(s) and ensure that this issue is dealt with quickly.

    Many thanks. I have sent a diagnostics and crash report. Support ID number has not arrived yet, but will post when it arrives.

    This is still the case for 1Password Accounts, but at an even higher level of security. Your vault is only ever decrypted on your device. It is never sent unencrypted over the internet, your Master Password is never sent over the internet and you are still the only one who can access your data. Even if (to follow your analogy) the FBI were to get hold of the data stored on our servers, the situation for decrypting it is the same. Actually, it's even better than before: in addition to the Master Password accounts have an extra layer of security called the Account Key. This is also generated locally on your device and never sent over the internet either. You need both pieces to decrypt your data.

    ... I want to reassure again, this is not the case. We only store the encrypted vault.

    ... We have not compromised on our model, we have worked towards strengthening it. We are very open about how we handle security, and you might for sure know how all this is done by reading our security white paper. It will give you every detail about it :chuffed:

    ... You're right, that's why we still decrypt your data locally.

    OK that's very reassuring. Thanks for taking time to clarify this. I was hoping that this would be your reply.

    Movement to subscription model. Please, no. Just, no.

    We've said it many times but I want to reassure you: we're not moving to subscriptions, we are adding them as an option. We completely understand that some of you don't like the idea of subscriptions but many people do and appreciate what we can offer with them. I know that if you don't like them yourself it's hard to see why others would, but there's a place for everyone in this world and we do our best to give each of you all options to see what fits better. That doesn't mean that the previous way of doing things is going anywhere, just that now you get to pick :chuffed:

    OK cool, that's also reassuring. I would encourage you to stick to a licence purchase option too, as I and others certainly prefer this approach :)

  • AGAlumB
    1Password Alumni
    edited September 2016

    Many thanks. I have sent a diagnostics and crash report. Support ID number has not arrived yet, but will post when it arrives.

    @tommy_tipper: If you tried sending it from this email address, we have not received anything.

    It isn't clear from your reply if you're still having trouble with 1Password crashing, so I thought I'd mention something that might help: drag the app to the Trash (do not empty the Trash yet), install a fresh copy from our site, and restart your Mac. It's likely that it was simply damaged, so let me know if that helps.

    But if you're still having trouble, please resend the email with the diagnostics — perhaps from a different address, if you're having trouble with your provider — and then post the Support ID here so we can take a look right away.

    I would encourage you to stick to a licence purchase option too, as I and others certainly prefer this approach :)

    As long as we have people buying licenses, we'll continue to offer them. We're making a single app for each platform which supports both options, and we're happy to support you and the rest of our awesome customers no matter what. :)

  • tommy_tipper
    Community Member

    Hi brenty,
    Yes, still crashing. Have tried a fresh install, as you suggested, and it still crashes as soon as the 'doors' swipe open on the main app. Mini app working fine.
    Yes, sent from my email associated with this forum account.
    I am forwarding the email to support@agilebits.com, as last time I sent to support+forum@agilebits.com
    Thanks, Tom

  • tommy_tipper
    Community Member

    Still not getting response with my gmail. Will try my icloud mail. Tom

  • sjk
    1Password Alumni

    Hi @tommy_tipper,

    Your email hasn't shown up here with a Gmail address. Have you checked to see if it was actually sent and maybe 'bounced' back for some reason?

    We'll keep an eye open for it with an iCloud address. Please include your 'tommy_tipper' forum username in the Subject and/or body of the message so we can use it as a search key on this end.

    Thanks again, and sorry for the inconvenience!

  • tommy_tipper
    Community Member

    Hi there. Nah, it's not bouncing. And I've checked spam box. I'll give it an hour and try another email address. But I've never had such an issue with gmail before, let alone 2 email clients. Just to check: support@agilebits.com or support+forum@agilebits.com -- either should work? Chrs, Tom

  • sjk
    1Password Alumni

    Thanks for checking on that, Tom ( @tommy_tipper ).

    Either address should work fine. In this case the latter is preferred to help with filtering/locating the email on our end.

  • tommy_tipper
    Community Member

    Nah, nothing in gmail or icloud from you. And no bounces. And nothing in spam/junk.
    I'll try one more email address (.ac.uk), but I think it must be a problem at your end TBH?? Chrs, Tom

  • sjk
    1Password Alumni

    Hey Tom ( @tommy_tipper ),

    but I think it must be a problem at your end

    Indeed, after looking into this more on our end it does appear that the incoming email support queue is 'stuck'. Thanks for the extra nudge to check that!

    We're working on getting it fixed and there's no reason to send any further email right now. Once that issue is resolved we'll be looking for the messages you previously sent and let you know if they've arrived or not.

  • tommy_tipper
    Community Member

    OK, you already have three with identical content. gmail, icloud and .ac.uk :) Apologies, Tom

  • sjk
    1Password Alumni

    Hat tip to you, @tommy_tipper, for clueing us into where the trouble was. :+1::chuffed:

    No reason to apologize for any duplicate/extra email; we'll get 'em sorted out once they arrive … still waiting for the queue to unclog.

  • tommy_tipper
    Community Member
    edited September 2016

    OK Bot has replied (to original gmail email). support ID is [#JVY-98653-536]
    Chrs, Tom

  • tommy_tipper
    Community Member

    So [#BFB-62576-175] and [#VUA-67257-185] are redundant. T

  • sjk
    1Password Alumni

    Hey @tommy_tipper,

    Got all three of your messages, two via Gmail and one via iCloud. Now merged into one ticket (#JVY-98653-536); would you prefer replies be sent to your Gmail, iCloud, or both addresses?

    ref: JVY-98653-536

  • tommy_tipper
    Community Member

    gmail please.
    [#BFB-62576-175] also came in from my .ac.uk address

  • sjk
    1Password Alumni

    Howdy Tom,

    gmail please.

    Will do.

    [#BFB-62576-175] also came in from my .ac.uk address

    That one's been bundled with the primary ticket, too. :)

    We'll keep the conversation going through email now, where someone will be replying to you as soon as possible. Cheers!

This discussion has been closed.