Standalone Version, Local Vaults, and Such

skerbsfskerbsf
edited February 2017 in Mac

This is my comment from a discussion going on in the Windows thread. I wanted to try to get more eyes on this issue in the hopes that other users care about this issue and can perhaps make sure that AgileBits can see that there are enough users that care about a standalone version and local vaults.

I am a 1Password user on macOS and iOS. I consider myself a more advanced user. I have no desire to have my password sensitive data stored on any cloud service (even if it is encrypted). If the cloud service is successfully attacked, then the attacker now has his/her hands on all your user's vaults. Again I know these are encrypted, but now your cloud service is an attack vector that might have flaws (humans develop the software of course) that make all your customers vulnerable to have heir keychains/vaults stolen. I would prefer to keep my keychain/vaults locally on my own machine (that might be completely offline).

As a1Password user, it looks like the writing is on the wall and you are moving away from local keychains/vaults. I hope that you guys will change your mind (or the path it looks like you are going down). If not I will also have to find another password manager (or perhaps develop my own). I would prefer to continue using 1Password. You guys currently make a great tool and it would be a shame to alienate part of your user base (especially ones who have helped evangelize your product over the years). Thanks for "listening."

Comments

  • Also, if this is about revenue, please know I am happy to pay for a 1Password license on any and all machines I use it on. I am not willing to pay a subscription fee for the tool though. This looks just like a money grab IMHO.

  • brentybrenty

    Team Member
    edited March 2017

    @skerbsf: I'm not sure understand. It sounds like you've already purchased the licenses you need, and we've actually always actively refunded folks who paid for something they didn't need or wouldn't/couldn't use. So if you have a setup that works for you, I wouldn't suggest that you change it unless you feel it gives you value. Certainly 1Password.com has a lot of benefits, both for new customers and long-time 1Password users, and it's the best option for most people. But if your primary goal is to not sync your data anywhere and store it only locally on your device, then it might not be a good fit for you right now.

    "Money grab" just sounds a lot like an inflammatory way of saying "a desire to get paid for one's work" to me though. The reason we've built 1Password.com in the first place is because so many people have requested features like simple sync, easy sharing, and a way to get 1Password for all of their devices without having to deal with multiple license purchase and upgrades. Most people just want this stuff to work. And in order for this to exist, we have to charge subscription fess for it, as there are very real hosting and development costs. And I did want to address a few comments you made:

    If the cloud service is successfully attacked, then the attacker now has his/her hands on all your user's vaults. Again I know these are encrypted, but now your cloud service is an attack vector that might have flaws (humans develop the software of course) that make all your customers vulnerable to have heir keychains/vaults stolen.

    That's actually not the case, but it's laudable that you're not just assuming that everything would be okay. Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Account Key is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data.

    I would prefer to keep my keychain/vaults locally on my own machine (that might be completely offline).

    That's 100% your prerogative. I just wouldn't want you to go that route based on an honest misunderstanding. It certainly isn't obvious how all of this works, and that's intentional, as most people don't have the time or inclination to understand how their data is secure; they only care that it is. It's awesome that you do think about these things. If you're curious, you can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have! :sunglasses:

  • @brenty,
    Thanks for taking the time to respond. I do appreciate it.

    Most of this discussion has already happened in the windows section. Not sure it was the right place for it given that I am a macOS/iOS user.
    I just want to be clear that there is no misunderstanding. I don't ever want my personal password sensitive data on anyone's cloud service even if you can claim it's an encrypted blob that AgileBits can't decrypt. I just feel strongly about keeping this type of data off of the cloud. It's a matter of preference. In my younger days I was a computer security computer science student, so I also really do understand this stuff. I have read many of your papers and am genuinely interested in this area.

    Perhaps the "money grab" comment was a bit much so sorry if it offend you. I will repeat that I want to pay you guys for your good work. I just don't want to pay a monthly fee for it. I prefer to purchase standalone licenses. I love 1Password and want to continue using it and am writing all this in the hopes that it will help influence some of your future development decisions.

    Take a look at the conversation we are having in the windows thread. Thanks!

  • Drew_AGDrew_AG 1Password Alumni

    Hi @skerbsf,

    Thank you for all your feedback about this! Between this discussion and others you've seen or been part of on our forums, I'm sure you've already read a lot about the benefits of 1Password.com accounts so I don't want to repeat all of that again. But I wanted to make sure I addressed something you mentioned:

    I just want to be clear that there is no misunderstanding. I don't ever want my personal password sensitive data on anyone's cloud service even if you can claim it's an encrypted blob that AgileBits can't decrypt. I just feel strongly about keeping this type of data off of the cloud.

    I could be wrong, but it sounds like you're worried we would suddenly move your data to the cloud at some point without your consent - and that is absolutely not the case! If you don't have a 1Password.com account, we aren't hosting your data on our servers. The only way your 1Password data will ever be on the cloud is if you put it there yourself (i.e. by signing up for a 1Password.com account and moving your data there or setting up a cloud sync option like Dropbox or iCloud).

    As Brenty said, if your current setup is working for you, there's no need for you to change that unless you want to. Nothing has changed as far as your license and setup are concerned - licenses never expire, and we'll continue to support our customers who have them. We're working very hard to support both licenses and accounts because we love our customers!

    Please don't hesitate to let us know if you have more questions about that. Have a great weekend! :)

  • Hi @Drew_AG,

    I could be wrong, but it sounds like you're worried we would suddenly move your data to the cloud at some point without your consent - and that is absolutely not the case! If you don't have a 1Password.com account, we aren't hosting your data on our servers. The only way your 1Password data will ever be on the cloud is if you put it there yourself (i.e. by signing up for a 1Password.com account and moving your data there or setting up a cloud sync option like Dropbox or iCloud).

    No. I am not worried about you suddenly sending my data out to the cloud without my consent.

    As Brenty said, if your current setup is working for you, there's no need for you to change that unless you want to. Nothing has changed as far as your license and setup are concerned - licenses never expire, and we'll continue to support our customers who have them. We're working very hard to support both licenses and accounts because we love our customers!

    What I am worried about is the direction that AgileBits seems to be taking 1Password. I am not worried about my current setup. I am worried about my future setup (and being able to update my operating system while still having a password manager that works). If you guys decide to one day cease support for local vaults, then the time starts ticking for me where I will no longer be willing to use new versions of 1Password and my old version stops functioning on the new OS (due to lack of support). My hope here is that I can convince you guys that some (hopefully enough) of your customers care about local vaults so that you continue to support it in perpetuity.

  • brentybrenty

    Team Member

    Indeed, it definitely helps to know your perspective and preferences. Thank you! We don't have anything new to say on this now, but once things settle down and we start looking more toward planning the future of 1Password we'll be keeping your feedback in mind. :)

  • I will echo @skerbsf 's comments about the direction AgileBits is taking the product.
    I have already seen the fallout on the Windows side of the house which is likely going to inevitably move me away from using 1Password unless local vaults are restored. If it comes to MacOS as well that will be the final straw.

    I've read a lot of AgileBit's responses and it shows they take the time to address respond to each of the comments/complaints about loss of local vaults but when it comes down to it.. I get the sense more and more that AgileBits has a cloud only strategy going forward and is going to ignore the requests of their users. I understand where they may be less ebs and flows on the companies bottom line with a subscription model.. but I rather pay the equivalent of a yearly stand alone price that I will indefinitely be able to use than pay the same price and be held hostage as well as be put more at risk (not just being hacked but access to data when I need it). Not everything needs to be in the cloud and on a subscription model.

  • brentybrenty

    Team Member
    edited April 2017

    I rather pay the equivalent of a yearly stand alone price that I will indefinitely be able to use than pay the same price and be held hostage as well as be put more at risk (not just being hacked but access to data when I need it). Not everything needs to be in the cloud and on a subscription model.

    @crsouser: That's perfectly reasonable. And while this may not be true for you, most people expect their security software to be continually improved. A one-time payment for a standalone license doesn't get your that. You'll get any minor updates (e.g. 4.1-4.2) for free, but major upgrades (4.2-5.0) are paid. Given this expectation, a subscription is more appropriate for most people (in addition to all of the non-licensing benefits). I realize this may not apply to you, but the reality is that most users have expectations that are better met by a subscription service that includes everything they need without the speedbumps of separate purchases, license upgrades, sync configuration, and losing their data because they didn't back it up manually — or realize that they needed to.

  • @brenty I think you missed the point entirely.. I AM perfectly WILLING TO PAY for regular paid upgrades and have every single time Agilebits has come out with a new paid release.. until this crippleware version.

    When it comes down to it my two major issues are
    1) "Crippleware" software, which 1Password is becoming, if it cannot reach the cloud or the subscription lapses for some reason. I want to be able to use software I purchased for the version I purchased as long as that version / OS is running. There are many legitimate reasons for this.
    2) No local vaults, only the subscription Cloud Only strategy.

  • Drew_AGDrew_AG 1Password Alumni

    Hi @crsouser,

    Thank you for your feedback, we truly do appreciate it! I'm not sure I understand a couple things you mentioned though:

    I AM perfectly WILLING TO PAY for regular paid upgrades and have every single time Agilebits has come out with a new paid release.. until this crippleware version.

    Are you referring to 1Password 6 for Mac in general, or perhaps a recent update for it? Is there something about it which isn't working correctly for you? 1Password 6 for Mac has always fully supported local vaults - in fact, it was originally released over a year ago in January 2016, which was before 1Password.com accounts were available. The latest update is 6.6.4, and it fully supports local vaults as well as 1Password.com accounts.

    1) "Crippleware" software, which 1Password is becoming, if it cannot reach the cloud or the subscription lapses for some reason.

    1Password still works even if you lose your internet connection. That's because it keeps a local copy of your data - when you open the 1Password app, you're always seeing the local data, not the cloud data. Of course, it probably goes without saying that cloud-based sync options in 1Password won't work without an internet connection, but your changes will sync as soon as you have a connection again.

    If you use a 1Password.com account the subscription lapses, your account will become frozen until you update your subscription billing, but you'll still have access to all your data even while it's frozen. If you don't want to continue subscribing to the account, you can copy your data to a local vault or export it to a .1pif or .csv file.

    I want to be able to use software I purchased for the version I purchased as long as that version / OS is running.

    If you purchased a standalone license for 1Password, you can absolutely continue using your licensed version of 1Password as long as the OS still supports it.

    2) No local vaults, only the subscription Cloud Only strategy.

    Local vaults are definitely still supported in 1Password 6 for Mac! If you're using a 1Password.com account and would like to enable local vaults, just go to 1Password > Preferences > Advanced and turn on the option for "Allow creation of vaults outside of 1Password accounts".

    I hope this helps to clear up the confusion, but if I misunderstood what you meant, please let us know. Cheers! :)

This discussion has been closed.