Subscription *and* standalone?

I have no problem going to the subscription model; as a former developer, it makes sense to not have to worry about what does and doesn't get included in the "last license". So I'd like to purchase a subscription.

But I'm not going to be putting my password data on your server, thank you very much. I'm running my own MacOS server on my MacMini and can share a directory between it and my laptop, and use WiFi syncing for my iPad and Android phone. So I'm running standalone.

How do I pay you for my subscription and let 1Password know that I've paid without creating a vault on your server? If I try to purchase within the app, it still wants me to pay $64.99, and there's no "purchase a subscription" button anywhere on your website.

Please help.


1Password Version: 6.6.1
Extension Version: Not Provided
OS Version: 10.11.6
Sync Type: WiFi

Comments

  • dancodanco Senior Member Community Moderator

    I'll leave it to the AgileBits people to give a definitive reply.

    But I am fairly sure that the solution is to set up on 1password.com but just not use that vault. You can still keep the old vault, passwords aren't moved automatically. I think the backup and sync options are still available as long as you keep the old vault.

  • To be honest, I am really, really disappointed by the way AgileBits is moving with 1Password.

    Technically, 1Password is the ideal solution for my purposes. I am synchronising my password vault using WebDAV on a secured internal server in my office, and they almost never failed to syncronise (if they do, it can be easily fixed).

    I am not planning to put any sensitive information in any "Cloud". Ever. It's just something I won't do.

    And honestly: I do not want to pay for it either. I don't have a problem with paid upgrades, and I wouldn't even have a problem with a subscription model, but the pricing suggests that I'm paying for a cloud service I do not want. And so I will continue to use 1Password in standalone mode using my reliable existing and secure mechanisms, and will move to a different solution as soon as that isn't feasible anymore. Which will be as soon as AgileBits stop delivering updates to my paid standalone solution.

    To say it in the words of a great thinker only second to the one who decided that the "Cloud" is the way to go for my passwords: "SO SAD. BIG FAIL."

  • FrankFrank

    Team Member
    edited March 2017

    Hi @resnick - Thank you for reaching out to us. @danco is right, you can sign up for an account here - https://1password.com/sign-up/ Since you don't want to migrate your data over or use auto-sync, you will still be able to take advantage of all of our apps including future upgrades. We appreciate the feedback and support :-) Let us know if you have any questions, we'll be happy to help out.

  • FrankFrank

    Team Member

    Hi @Pete42 - Thank you for getting in touch with us to share your thoughts. I'm happy to hear you enjoy using 1Password. You're free to continue using 1Password just as you have been enjoying it. There are many additional benefits included with our 1Password memberships such as having access to all of our apps across platforms even future paid upgrades. For instance, with Families, it's much easier and convenient to set up sharing compared to using Dropbox. But again, we're just happy you're using 1Password. I appreciate you taking the time out of your day to get in touch with us to share your feedback. We're always happy to hear from our customers and thank you again for your continued support over the years :-)

  • BenBen AWS Team

    Team Member
    edited March 2017

    @Pete42

    In addition to what Frank said... I wanted to comment on this line specifically:

    I am not planning to put any sensitive information in any "Cloud". Ever.

    Except for your email, banking details, social media profile(s), taxes, ... etc? ;) Think about the information you're protecting with 1Password. How much of it isn't already in some sort of "cloud" of one form or another, of which many are probably not as secure as 1Password? :)

    You may have some interest in reading about how we secure the information stored in 1Password. For one, even when using our 1Password.com service, we do not store your credentials. All we store is an encrypted blob. Both your Account Key and Master Password are required to access your credentials, and neither of those bits of info are ever transmitted to or stored by us. Only you have access to them.

    Short version: https://support.1password.com/1password-security/
    Long (more technical) version: https://1password.com/teams/white-paper/

    "Cloud" is an extremely nebulous buzzword. Banks have been "in the cloud" for decades (since the '80s). It is only more recently that this sort of online access has gained that term, and because some "clouds" have/had some pretty poor security practices the whole concept has gotten a bad rap. But most folks don't realize their entire digital life is "the cloud."

    Ben

  • Hi Ben,

    regarding your post:

    Banks have been "in the cloud" for decades (since the '80s).

    It's clear that my bank data is stored online. The differences are that 1PW stores the credentials to access the bank data. If my bank will be hacked, all customers of this specified bank are affected. If my 1PW vault has been hacked, someone can make transactions under my name and my bank will not be responsible for the damage.

  • @Ben:

    Well ... I don't use any social media except the ones I need professionally, and there is no (very) sensitive information in there. I do not use Facebook, Google, Instagram, Twitter, iCloud, you name it. I operate my own mail, XMPP, and web server, on premise. And before you ask: My Vault contains something about 500 passwords, so I definitely do have a 'digital life'.

    Unfortunately you're right about taxes, though ... :-)

    Honestly, I don't care how well the information in 1Password is encrypted. So far my impression is very good, but errors do happen. Humans err, and sometimes they even are malevolent. Governments change and sometimes not for the better. An 'encrypted blob' is only secure inasmuch as the encryption is a) reliable, b) flawlessly implemented and c) not backdoored. And, on top of that, as long as d) technological progress doesn't provide means to make a formerly secure encryption algorithm insecure all of a sudden (think quantum computers, in the extreme case).

    Even if I trust in your implementation of encryption (which I do, despite the fact that 1Password is not open source, otherwise I'd never have used it in the first place), there is no technical reason for me to rely on that encryption alone. I do not need to expose the 'encrypted blob' to servers I don't control, so I don't do it. It's a question of quid pro quo - what do I get for running the additional risk? Nothing fancy, in my case.

    We could talk for hours about the more or less well-defined meaning of the word 'Cloud', and I largely agree with you. But being in the IT networking and security business for more than two decades I think I have a fairly firm grasp of what's going on. Trust me, there is much less of my digital life in the 'Cloud' than you think.

    And certainly my passwords won't be there.

    Peter.

  • BenBen AWS Team

    Team Member

    Hi folks,

    The differences are that 1PW stores the credentials to access the bank data.

    But we don't. There is no way to turn what we store into your credentials other than by decrypting it using your Master Password and Account Key, which only you have. As I mentioned these items are never transmitted to or stored by us. AgileBits has no access to your credentials.

    If my 1PW vault has been hacked, someone can make transactions under my name and my bank will not be responsible for the damage.

    Someone would have to get three things before they could "hack" your 1Password vault. They'd have to get the actual encrypted data from our servers (not an easy feat, but as Pete42 points out there is always the possibility). Then they'd have to get your Account Key. This is a mechanism we put in place specifically to protect against someone breaking into our servers. We didn't want there to be any incentive for someone to want to do so, and so there isn't. You can read more about the Account Key here: https://support.1password.com/account-key/ Lastly they would have to get your Master Password, which should only exist in your head and (optionally) on your Emergency Kit.

    Honestly, I don't care how well the information in 1Password is encrypted. So far my impression is very good, but errors do happen.

    Just out of curiosity: have you read the white paper? It isn't just about how the information is encrypted, though that is of course a big part of it. :)

    We've done everything we can to remove the human element. So much so that we do not have access to your data. Even if compelled by a government to hand it over, we couldn't, as we don't have it.

    An 'encrypted blob' is only secure inasmuch as the encryption is a) reliable, b) flawlessly implemented and c) not backdoored.

    If the encryption ends up being the problem then there is a whole lot more to be concerned about than your 1Password data. ;)

    And, on top of that, as long as d) technological progress doesn't provide means to make a formerly secure encryption algorithm insecure all of a sudden (think quantum computers, in the extreme case).

    Sure; but again, if that becomes the problem, think about what the bigger consequences would be. Also there is nothing saying that we couldn't quickly make a change in the event such technology became available.

    We could talk for hours about the more or less well-defined meaning of the word 'Cloud', and I largely agree with you.

    Haha, yes! Very good point. In the end though it is just a new buzzword for a very old concept that is used across almost all industries in some form or another.

    But being in the IT networking and security business for more than two decades I think I have a fairly firm grasp of what's going on.

    Fair enough. And with that level of experience maybe you are comfortable hosting your own data, and handling the challenges (e.x. sync) that come with that. I just want to make sure anyone who is going down that road is aware of that, as I'd hate for someone to come away from 1Password with a negative impression because they opted to try to Folder + WiFi sync their data and can't figure out why their double NAT'd router is causing problems. ;)

    Trust me, there is much less of my digital life in the 'Cloud' than you think.

    Okay. :) I'll have to take your word for it, because even if you were using our service I wouldn't be able to tell! :p

    Ben

  • resnickresnick
    edited March 2017

    @Frank : Thanks for the help. I'm now all set, although I will say that it makes me nervous to have a vault in the 1Password app that I don't want to use. Is there no way to disable it? I really don't want to accidentally put something into that vault. If there's no way to disable it, call it a feature request.

    @Ben : As the saying goes: "There is no cloud; it's just someone else's computer." Unlike @Pete42 , I won't say that I never put anything sensitive in the cloud; I do. But not my email, contacts, calendar, files, or even IM messages. I'm one of those loons who runs my own server, so all of that stays local. Yes, it's on my intranet, but I do have security between it and the rest of the Internet, and I'm far less of a target than some big company. This is all about reducing the attack surface. I am generally uninclined to have my keychain of passwords be on the outside of my perimeter. As for banks and the like, if my bank starts leaking my sensitive information, I've got all sorts of legal recourse. If AgileBits or Google or some other cloud provider starts leaking, I've got far less recourse. Again, I'd rather keep as much as I can inside the walls.

  • FrankFrank

    Team Member

    Hi @resnick - You're very welcome. Sorry there is no way to delete the Personal vault at this time. The request has been noted.

    It's great to hear you're running your own server and taking security into your own hands. Most people (including me) don't have the knowledge level for this which is why I'm thankful for the new 1Password.com accounts. I didn't want to have to manage a third party sync source, I like knowing it "just works" without having to configure anything. But I can understand where you're coming from and kudos to you for being able to do that :+1:

    It's been nice chatting with you and I hope you enjoy the rest of your day!

  • BenBen AWS Team

    Team Member

    It is possible to hide the Personal vault from the All Vaults listing, but as Frank noted it is not possible to remove it.

    1Password > Preferences > All Vaults > Uncheck your account

    Should do it. :)

    Ben

  • Hi guys,

    In this dicussion I want to tell you what was my reason to switch from LastPass to 1Password. In 2012 I used a Lastpass premium account. I used it also on my businessaccount to login on several web-sites I needed. Some day there was a DDos attack and I couldn't login for one and a half day on some of my most needed web accounts. The only way to get a connection was to reset my accounts. That was for me the ultimate sign that a Cloud based Password manager was not my business anymore and my passwordmanager had failed and became useless, because there was also no posible way to view my passwords remote. So I decided to buy 1Password, that supported a stand-alone vault. The only disadvantage was that my employer did not allow to install third-party software. My employer distributed Keepass in their network, so I used that at work.
    Later on in 2015 Lastpass was hacked again and many paswordhashes were stolen. LP-users were instructed to change their masterpassword immediately and were also advised to change the most important bank and email accounts. I was glad this didn't happened to me. In 206 LasstPass a fishing vulnerable was noticed (called LostPass) and could expose real passwords and give full access to all acounts and password, even the two-factor auth code.

    Passwordmanagement in the cloud will always be very attractive to hackers and cybercriminals. There will always be a high risks that any kind of a cyber attack will disturb the service, even if the strength of encryption is safe enough. Customers will lose faith in those services.

    So I believe that Agilebits should continue support stand-alone for ever, beside the wanted cloud solutions for families and teams.

    Greetings

    Willem

    I'm just retired from 30 years experience as an ICT developper including networks and security but I will stay active in security subjects as trendwatcher or security evangelist.

  • mikarkmikark Junior Member

    I use 1Password since 2008 and I have always purchased licenses.
    I currently use it on all my macs, my iphone and my android devices and I bought a license for each platform.
    Moreover, I have recommended to buy it to many friends because I thought that it was one of the most useful software that you need to get.

    Now I'm really disappointed by AgileBits new policy.
    Pratically you want to force your old customers to rent a software that they have already paid and to move their data to your own server.
    In my opinion, this is an unjust and unfair behavior towards your customers.

    I think you should revise your decision and assure the software development and support whether for who decides to purchase the software or for those who wants to rent it.

    Now I don't think that I will be the only one that will start to look around to find an alternative to 1Password.
    Although with much regret, I will be forced to do so.

    Greetings
    mikark

  • BenBen AWS Team

    Team Member

    Hi folks,

    We're having a very similar discussion in another thread. I'd encourage you to read my latest post there:

    If I bought 1Password Pro, am I going to have to subscribe in the future? — AgileBits Support Forum

    We considered merging these threads but there is a fair bit in each of them and I'm afraid merging at this point might cause more confusion and frustration so we're going to leave them separate for now. We're actively monitoring both, so no need to post in both. :)

    Thanks.

    Ben

  • BenBen AWS Team

    Team Member

    Sorry for the double post. To simplify things a bit we're going to continue the conversation in the thread I mentioned in the above post, and close this one. Having two threads on the front page about the same topic seems redundant, so if you have further comments please feel free to post them in the thread I linked above. Thanks!

    Ben

This discussion has been closed.