Please do not get rid of the license version of 1Password

mirsky
edited March 2017 in Mac

I just came across this article: http://bit.ly/2mF6PHa

The article surmises about the next major upgrade of 1Password: "It appears to be uncertain what will happen at the next major update, whether customers will be able to pay a license fee for the update or be forced to migrate to the subscription scheme."

So I just wanted to post this now, before any major upgrade: Please do not get rid of the license version of 1Password!

I don't want to pay a subscription. I have owned 1Password for probably eight years and I'm happy to pay for upgrades. But I don't like the idea that I will have to pay a monthly or yearly subscription just to have access to my own passwords.

Thanks!

mirsky


1Password Version: 6.6.1
Extension Version: Not Provided
OS Version: 10.12.3
Sync Type: Dropbox

Comments

  • brenty

    Team Member

    @mirsky: Thanks for letting us know! Honestly, we don't have an answer about future versions, as they don't exist. We're very much focused on developing and supporting current versions of 1Password right now, and anything we say about what the future versions of 1Password might bring would be — much like that article — wild speculation, which I personally don't think is particularly helpful when I'm trying to make plans. If we have news in this area, you'll see it first on our site. You can keep up with AgileBits and 1Password news by following us on Facebook, Twitter, our blog, and our email newsletter. Nothing spammy, always just useful 1Password tips and announcements. Cheers! :)

  • @brenty

    I moved from LastPass to the 1Password for Mac and Windows license versions in order to keep all of my password data out of the cloud and off of anyone else's servers. I have never used Dropbox or any other type of cloud sync. If I ever had to migrate to the 1Password subscription version, does that version have a feature that would let me maintain my vault locally, without syncing it to AgileBits' servers?

    If the answer is yes, would I still be able to sync my vault to a local folder, such as a USB flash drive, as I am able to do with the 1Password license versions for Mac and Windows?

    Thank you very much for your response.

  • Pilar

    Team Member

    Hi @fourwheelcycle

    Thank you for letting us know what you think about 1Password and how you'd like its future to look. As Brenty mentioned, talking about the future would be little more than speculation on our side. In general we can't make promises about whether some features will be available or not, but you can be reassured that we'll listen to your (and everyone's!) concerns as we work on improving 1Password and making it better :chuffed:

    That being said, if you ever want to learn more about our very hefty security model for the accounts please let me know! The math protecting 1Password data is fascinating and I'd love to discuss it with you if you want to :chuffed:

  • edited March 2017

    I have confidence in AgileBits security features. What I am worried about is the risk that someday, due to human error, 1Password will send us all an update that accidentally leaves out a key component of the security protection, and when we install the update our data will sync back and forth to your servers with no encryption, even if only for a half day or so until you catch your error. Look at what just happened at the Oscars - there is no way to guarantee against plain old human error.

    Also, look at your own recent, much more minor, error caused by "an expired provisioning profile and a format change in the developer certificate". My 1Password did not work until the update, and it occurred to me that update was probably prepared and finalized "under the gun", so it could have introduced even more problems, although it did not.

  • brenty

    Team Member

    @fourwheelcycle: That's an important concern, so I'm glad you brought it up. It's very much something we put a lot of thought into, since an attacker might break into our servers and steal the database.

    There's a lot more detail in our security white paper (which is actually a really fun read, even if you're not into cryptography), but I can appreciate that there's a lot going on behind the scenes when it comes to 1Password securing our data that is not particularly accessible or interesting to many people. I think it's also important that 1Password doesn't shove this technical complexity in our faces. So I'd like to offer a few simple points that summarize how 1Password secures our data:

    1. Your 1Password data is encrypted on your device using your Master Password and Account Key before it is transmitted.
    2. The server receives only an encrypted blob to store in its database.
    3. Your Master Password and Account Key themselves are never transmitted.

    Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password for Families, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Account Key is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data. :glasses:

    Suffice it to say, if someone gains access to our servers and dumps the full database (we've designed 1Password.com with this in mind), they simply don't have what they need to decrypt it, as each individual user alone has the keys to their data. So an attacker won't have that and can't get it from AgileBits, even if they get everything else. So while there's a lot more that goes into making all of this work smoothly, this is something that I think all of us (I am not a mathematician) can understand and appreciate.

    Also, regarding the recent failure of macOS to launch 1Password for Mac 6.5.3, you bring up a really good point. But it's important to keep in mind that even "under the gun", we've got multiple members of the team working on and reviewing the code. And in almost all cases, we're not messing with the security architecture. In that case in particular, the only thing that needed to be done was update the provisioning profile. We're not rewriting the app from scratch each update (thank god!) and in most cases we're using common libraries for important functions like crypto, which aren't something we're going to mess with. If it ain't broke, don't try to fix it. ;)
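
The three points in the reply above, as an added sketch that is not part of the thread and not AgileBits' code: a vault key is derived on the device from both secrets, the item is encrypted locally, and the server record alone does not open it. The thread names no algorithms, so PBKDF2, HKDF, XOR mixing, AES-256-GCM and every function and field name here are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Two-secret derivation (illustrative): a slow hash of the Master Password is
// XORed with a key expanded from the Account Key, so both are needed.
function deriveVaultKey(masterPassword, accountKey, salt) {
  const fromPassword = crypto.pbkdf2Sync(masterPassword, salt, 100000, 32, 'sha256');
  const fromAccountKey = Buffer.from(
    crypto.hkdfSync('sha256', accountKey, salt, 'vault-key-example', 32));
  return Buffer.from(fromPassword.map((b, i) => b ^ fromAccountKey[i]));
}

// Point 1: encryption happens on the device, before anything is sent.
function encryptOnDevice(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the blob was altered.
function decryptOnDevice(vaultKey, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', vaultKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

function demo() {
  // Constructed sample secrets and vault item; none of these are real.
  const masterPassword = 'correct horse battery staple';
  const accountKey = crypto.randomBytes(16).toString('hex'); // generated locally
  const item = 'example.com / alice / constructed-sample-password';
  const salt = crypto.randomBytes(16);
  const blob = encryptOnDevice(deriveVaultKey(masterPassword, accountKey, salt), item);
  // Points 2 and 3: this record is everything the server stores.
  const serverRecord = { salt, ...blob };
  // Someone holding a full server dump who also guesses the Master Password
  // still lacks the Account Key, so the derived key is wrong.
  const guessedKey = deriveVaultKey(masterPassword, 'guessed-account-key', serverRecord.salt);
  return {
    ownerReads: decryptOnDevice(deriveVaultKey(masterPassword, accountKey, salt), serverRecord),
    dumpPlusPassword: decryptOnDevice(guessedKey, serverRecord),
    plaintextOnServer: Buffer.concat(Object.values(serverRecord)).includes(item),
  };
}
```

Calling `demo()` shows the owner reading the item back, while the server record combined with the Master Password alone fails authentication and yields `null`.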

  • I'm a long-time 1Password user and fan, and I'm just being honest here; while I understand the desirability from a developer's perspective, I personally LOATHE subscription software. I'll assess the 1Password cost plans, but my antennae are already up looking for alternatives.

  • brenty

    Team Member

    @slcarr1960: But it isn't the software's fault that there's a subscription involved! Kidding. I know what you mean, I just felt bad for the software for a second there — until I realized it doesn't have feelings. :lol:

    I think there are good reasons to both like and dislike subscriptions of any kind, so it really comes down to priorities and personal preference. Can you tell me a bit more about your perspective on this? Ultimately it's our job to make a product that people are willing to pay for, so any feedback on what your expectations are would be helpful. :)

This discussion has been closed.