Are local vaults going to exist for the foreseeable future?

2

Comments

  • brentybrenty

    Team Member

    I'm not afraid of the cloud based model. I think you are going to run into the "I paid for a lifetime license, and eventually that's going to end." For those who might jump ship due to the money they paid for that license, what about a number of months, or a year, free on the cloud based system.

    @haunted59: Indeed, "lifetime licenses" have killed many apps I've loved over the years, so we don't want to go that route. :scream:

    But you're right that there are things that could help folks migrate to 1Password.com if they want to. We've offered a number of promotions since we launched 1Password Families, individual plans, etc. But while those have since ended, I'm sure we'll do something like that again in the future. And definitely shoot us an email at [email protected] if that's something you'd be interested in, post the Support ID you receive here, and we'll see what we can do to help. :)

    It would do away with local vaults for people that don't care about local vaults, and would then encourage people to pay the subscription price when the free period ends, due to it being easier than jumping ship to another service. It might help you retain customers. I've loved your product, and you've been helpful when I had a problem. But I suspect that many people will simply revert to Keychain on the Mac and iOS, or Chrome keeping your passwords stored.

    I think that 1Password offers a lot of benefits over Keychain and browser autofill, but you make some really good points. I guess it's up to us to continue providing a better value since we can't compete with free. :blush:

  • So I'm really sorry and I promise I will just let this die after this one last piece of feedback. Don't want to be a whiner and you all have to make your business decisions just like the rest of us need to make our purchase decisions. As I was reading recent reviews on products in this space, the one distinguishing feature that 1Password is called out for is effectively being taken away (that of having the option for a secure local vault). Beyond that, the price for the new subscription model is 3 times higher than your competition.

    It's all fine and I appreciate the opportunity to pay and use for your quality product over the last few years. I feel like I got my moneys worth. But moving forward, you are forcing us to at least try these other products because of the difference in cost. I mean why wouldn't we?

    Sorry - just needed to say it. Again, sorry and I really will shut up now :-). Good luck!

  • jdshewmanjdshewman
    edited July 2017

    I think it speaks volumes that not one Agilebits Member ever talked about or said the word "cloud" in this thread. On their web page where does is state that the passwords are stored in a cloud? The video is years old. It seems suspicious why they are moving in this direction without saying it upfront. We had to find out through Twitter. I don't want my passwords in a cloud at all. The fact that they say it is safer is comical. Will Agilebits take responsibility and be accountable when they eventually get hacked?

  • BenBen AWS Team

    Team Member

    the one distinguishing feature that 1Password is called out for is effectively being taken away

    It is not being taken away and claims otherwise are simply false. We've said it many times but I'll say it again: we have no plans to remove local vaults as an option.

    But moving forward, you are forcing us to at least try these other products because of the difference in cost. I mean why wouldn't we?

    I would absolutely encourage you to find the best solution for you. We think we've built the best password manager there is, but there are lots of options out there and so obviously not everyone agrees. ;) I still think and hope that you'll agree with us, and that 1Password continues to prove itself as valuable to you.

    I think it speaks volumes that not one Agilebits Member ever talked about or said the word "cloud" in this thread. On their web page where does is state that the passwords are stored in a cloud?

    "Cloud" is a super nebulous and loaded term and so we don't generally use it in our marketing. 1Password.com vaults are stored on the 1Password.com service (as well as being stored locally on each of your authorized devices). That could be described as "a cloud," I suppose. But that is a relatively new term for really old technology that people have been using for ages: a client server platform.

    I don't want my passwords in a cloud at all. The fact that they say it is safer is comical. Will Agilebits take responsibility and be accountable when they eventually get hacked?

    Have you looked at our 1Password Security Design White Paper?

    http://1pw.ca/whitepaper

    If not I'd suggest taking a glance before calling our claims comical. :)

    I don't want my passwords in a cloud at all.

    Your passwords aren't. Encrypted blobs that only you hold the keys to decrypt are. What are these passwords for, mostly? Online services, right? :)

    Ben

  • Here is the difference for me. And maybe you can consider this and let me know what you think. Ignoring business models, pricing etc. Just consider local vaults vs your cloud based vaults (BLOBs).

    If some gov. or anybody else wants access to my data in a local vault, they have to get physical access to my devices. Either with a warrant or a bunch of goons..etc. If a gov. or anybody else wants access to my data via your cloud based services, they will need a warrant (with gag order) or a bunch of cyber goons. The difference is I would never know and could never take appropriate steps in the cloud based scenario.

  • Your passwords aren't. Encrypted blobs that only you hold the keys to decrypt are. What are these passwords for, mostly? Online services, right? :)

    @Ben The comment above shows a shocking level of misunderstanding and frankly flippancy (disrespect?) I am not sure if you were joking or not. If not maybe AgileBits has lost touch with their users.

    What is stored is important to the person storing it. You don't have to understand why. 1Password is trusted to keep what is stored safe from everybody, until it is revealed by the person storing it.

  • BenBen AWS Team

    Team Member
    edited July 2017

    We do have a guide about law enforcement here:

    Law Enforcement - 1Password

    disrespect?

    None intended.

    What is stored is important to the person storing it. You don't have to understand why. 1Password is trusted to keep what is stored safe from everybody, until it is revealed by the person storing it.

    That wasn't at all the point I was trying to make. The point I was trying to make is that these passwords are already in "the cloud" (encrypted or not) if they're for online services, and chances are good we're doing more to protect them than the source, in many cases.

    For example: if a site can send you an email with your password... they aren't protecting it very well.

    Ben

  • Got it. Thanks.

  • edited July 2017

    As much as we felt great being generous with upgrades (e.x. 1Password 4 -> 5 -> 6 for Mac were all released as free upgrades despite our usual upgrade policy),

    I think this is a core of the problem. I bought my licenses in 2010 and paid for upgrade once. Every time you released a free major upgrade I almost felt guilty for not paying you for the upgrade. But you never asked!

    Eventually, I think this has influenced your decision to ditch standalone versions. Or to go from being very generous with upgrades to be extremely strict about them (pay for uses). I am pretty sure that if we were given an option to purchase upgrades, business would look better and you'll be much less tempted to introduce subscriptions.

  • The point I was trying to make is that these passwords are already in "the cloud" (encrypted or not) if they're for online services

    You can't equate the potential of ONE web site getting hacked, causing ONE password of mine to get compromised (since we're password manager users, the assumption is we all have unique passwords on every site) with YOU getting hacked, and ALL my passwords potentially being compromised.

    I trust, to a reasonable extent, you've done a good job ensuring things "aren't crackable", but the Internet is littered with some breaches causing data to be revealed.

    Also, you can't use "the cloud" when it's convenient, and avoid use of the term when it's inconvenient.

    At the end of the day, we'd (the dissenters) be more understanding of your half answers, if you came out and said:

    1) We support local sync and Dropbox, and will continue to develop features. Our intention is if a Dropbox API changes, we'll update our "legacy" users so they can keep syncing.

    2) We understand the Windows standalone client stinks, and that there's some shortcomings with browser support. We will fix it.

    But no, I think we're all understanding that you're actually not going to do those things. It'd just be nice to see a non-PR speak acknowledgment of that.

    I'm not upset that you're abandoning your old business model. I'm upset that you won't say that and dance around things "we're not abandoning you", "local sync still works", "we're not saying we're going to break it".

    You're either going to fundamentally exert developer time for the non-cloud, non-subscription users, or you aren't. Which is it? Are you going to enhance it, maintain it through bug fixes, or just hope it doesn't die on the vine too soon?

  • rickfillionrickfillion Junior Member

    Team Member

    1) We support local sync and Dropbox, and will continue to develop features. Our intention is if a Dropbox API changes, we'll update our "legacy" users so they can keep syncing.

    We just did that with our iOS and Android apps. We just spent quite a bit of time making them both work with the newer Dropbox v2 APIs.

    We're still putting development time towards standalone vaults.

    Rick

  • pickerinpickerin Junior Member

    Can we separate this into three different discussions, as I believe there are in fact three different issues?:

    1. Licensing model direction (clearly moving away from perpetual licenses and into subscription model)
    2. Local vaults -- support for, development for, commitment to have available
    3. Support for 3rd party synchronization of local vaults between devices

    On the point of licensing model, folks purchased a perpetual license, they get to keep that license (and the version of the application it was for) and at some point that will probably stop working for them and they will have to upgrade. If the only option is to "upgrade" to a subscription model, it's easy to see why folks would be miffed (for the record, I'm not; and I'm not going to fault AgileBits for going this direction, much of the software model is moving this direction, for all sorts of reasons, including being able to fund future development of the platform without having to worry if there will be a return on the money invested). I wouldn't really participate in this discussion, other than to say that your earlier statements of: " (e.x. 1Password 4 -> 5 -> 6 for Mac were all released as free upgrades despite our usual upgrade policy)", was totally your choice. Your users certainly appreciated it, but perhaps if you HAD charged for those versions we wouldn't now be having this discussion. (For the record, I purchased 1Passwd for $29.95 on 8/4/2007, purchased 1Password for $29.95 (less a Christmas Special bonus of $11.98) on 12/27/2007, purchase a 1Password Family Upgrade for $32.95 on 9/3/2009, purchased 1Password for Windows for $19.95 on 8/12/2010, purchased 1Password 3.9 via Mac App Store for $19.99 on 9/12/2011, purchased 1Password v4 via Mac App Store for $7.99, received a "free" copy of 1Password 6 via Parallels v11 on 3/21/2016, purchased a "Families Plan" for 1Password for $59.85 on 10/10/2016, All told, I've purchased $188.78 worth of 1Password in the last 10 years. That's significant support, with only the last $59.95 being a subscription model. I loved your software so much, I re-purchased through the App Store because I wanted to support you.

    I also purchased a Knox Family License for $29.98 on 5/28/2010

    On the point of local vaults. This is, literally, the only reason I use 1Password. It's where 1Password started and it's why I've stayed as a 1Password customer (since it was called 1Passwd). I've paid for every upgrade I was offered, in fact purchasing it multiple times for convenience, even though I had a valid license, and I recently leveraged a Family subscription plan so my wife and I can leverage a shared, cloud, vault for accounts we share (this actually solved a big issue we were having). it's truly the best of both worlds.

    For people complaining about the loss of local vaults: No one is saying that 1Password is taking away local vaults.
    For AgileBits: You're also not saying that you will continue to support them, aggressively, in future versions. Quite the opposite was said in fact, "it is possible that in the future an update from a 3rd party will make it more difficult or impossible to do so, and I can't make any promises about what our response would be to that". I frankly have no idea what this sentence means. "Local Vaults" are LOCAL by definition, WTF would a 3rd party have to do with the ability for 1Password to read and modify the vault? Nothing. Perhaps you won't be able to read it from Dropbox, I get that, but hedging on your entire support of local vaults, "or impossible", certainly sends your customers into a tizzy (as seen in this thread).

    This point can be addressed simply by stating, "Local Vaults are strategic to the 1Password family of products and as such are a feature that we have no intention to remove from the product in the future". But you won't say that. That's because it's not actually true, which means you are in fact considering removing them. It wouldn't be hard to remove them. You just did it from the Windows version. We are simply providing you feedback that your core customers will move to a solution that will provide Local Vaults, period. We are not willing to sacrifice convenience for security and we want our favorite password manager to make that same commitment.

    If I wanted a Cloud-Vault solution, I'd be using LastPass.. LastPass was born in the cloud as a cloud vault, that's not what I want.

    Finally, the point on 3rd party tools and synchronization. Again, synchronization is a feature, to me at least, it's not core to the operation of the solution. Yes, it's convenient to have synchronization via iCloud, Dropbox, WebDav, WiFi, etc. That support going away because one of them created a situation where you either couldn't or don't want to support is reasonable. What's not reasonable is eliminating my ability, at any point in the future, to leverage a local vault. All iOS apps can easily have the ability to synch a "document" via iTunes into the application storage sandbox. Perhaps Apple will take that away and force the use of iCloud, perhaps not. If they do, then you'd have to support iCloud, because we have to have the ability to move, replicate, copy a vault between a desktop and a mobile device. That method, in my opinion, does not have to be automatic or easy. It just has to exist for people that want to maintain a local vault. This issue of 3rd party support can be resolved by committing to always having the application be able to read/write a local file vault. There are no 3rd parties in that equation.

    Sorry for the length, but I wanted to voice my opinion on all three issues.

    -Rob
    Proud customer since 8/4/2007

  • I don't know why demographics enter into it. All people deserve security, not just geeks or folks lucky enough to employ or be related to them. Just because 1Password.com makes security more accessible to many people doesn't take anything away from you. You can still rock your local vaults and fly your geek flag high.

    They enter into it because Agilebits is now catering to the mass market who will accept a cloud based solution whereas the original product catered to a difference type of customer. This is Agilebit's decision to adjust their business model based on customer profile. I am just pointing out the decision the company made.

    The real shame is the implication that less technical friends and loved ones are somehow less smart and/or less deserving of security than folks who are comfortable navigating licensing for multiple platforms and configuring sync for individual vaults across multiple devices.

    They're not less deserving. They have a lower bar and fewer requirements. It just sucks for the rest of us who don't want to accept the risk of storing our passwords on a publicly accessible Internet connected system. No matter how much time and money you invest in security there's always the chance that someone gets a copy of millions of encrypted or hashed passwords. It's one thing for LinkedIn.com to lose their customer's passwords (or hashed passwords, I forget). It's a whole other ballgame when a password manager company loses control of every customer's password for every system they use. A cloud-based password manager company is a MAJOR target by civilian and state sponsored hackers.

    I guess Agilebits is still a privately owned company. If you were public, you'd have a heck of time even taking this risk given that once you are hit you will be out of business. There's no plan B and no insurance policy against customers canceling their subscriptions. [I guess you could buy insurance against a class action lawsuit.]

    Good luck.

  • pickerinpickerin Junior Member

    @Ben , you stated: ""the one distinguishing feature that 1Password is called out for is effectively being taken away"
    It is not being taken away and claims otherwise are simply false. We've said it many times but I'll say it again: we have no plans to remove local vaults as an option."

    So, in 1Password for Windows version 6, I can create a new local vault and use it without signing up for any 1Password.com account?
    Or did you in fact take away local vaults in that version? I hope I misunderstood what was stated earlier in the thread (and confirmed by AgileBits as literally taking away local vaults (e.g. if you cannot WRITE to a local vault, you've effectively taken it away)).

    Also, for the record, suggesting that a customer use an old version of the product and not upgrade is not a viable business model (or good security practice), you should really re-think that line of recommendations; unless your intention is to provide continued support for version 4 under Windows even though version 6 is out (which gets back to that bad business model).

    -Rob

  • rfc1918rfc1918
    edited July 2017

    While I'm sad (and confused, frankly, since you can still use the version of 1Password you paid for) to see you go, I hope you find what you're looking for. We'd rather you use something else than nothing at all. Keep it secret; keep it safe.

    Don't be confused. I know the answer. He's got to move on before he's stuck.

    Boxcryptor is an excellent example and direct comparison to 1Password. The original perpetual license product used traditional symmetric key encryption. I can't use the product anymore because the iOS app is out-of-date, the MacOS app is out-of-date after only 1 or 2 major Apple updates, and they finally made all vaults read-only after the last "update".

    The "new" product requires asymmetric public key encryption where I have to trust those guys. They made the same fatal mistake Agilebits is making. They made this change at the same time they moved to a subscription model. They didn't need to take both actions but the new way allows them to deal with forgotten passwords/keys. Just like Agilebits moved to a cloud model for usability reasons, those guys moved to PKI for usability reasons at the expense of additional risk. (Just wait: you'll be dealing with "locked out" users at some point and need to maintain optional escrow keys)

    The problem with waiting to jump ship and find a new solution is that waiting left me with unusable product when I did not expect it. OS X 10.10 or something came out and I could not mount my volumes. Like you said, I kept using the product that I paid for because it works until it did not work.

    Can you remind me if there are open source tools that read decrypt and read the 1Password database? (My boxcryptor story wasn't a tragedy because their product was based on encfs and I did not need them after all.)

  • When 1Password.com came out, there seemed (as I recall) to have been many good reassurances from AgileBits that for those of us who paid $ to purchase the standalone apps on OS X and iOS, we were always going to be free to use our purchased software and not be forced into the subscription model. That was reassuring at the time and I frankly didn’t worry about it at all. Until I opened Flipboard yesterday and was confronted with numerous stories about how 1Password is going to no longer support local or cloud-synced vaults and require everyone to switch to the subscription model. Rather than believe the (bad) press, I came here to get the official line. And I’m no more reassured than I was last night.

    I really love 1PW. And sure, nothing much is changing for me or my family right now. We all continue to use 1PW on our various devices and they sync just fine to iCloud or Dropbox or over WiFi (local sync). But the lack of a firm reassuring statement is a big contrast from a year or so ago when 1Password.com launched. And it does get me concerned. For starters, like many, I really don’t like a subscription model. Not at all. Especially when I’ve already purchased software on two different platforms for much more than a few dollars (I think 1PW was selling for around $50). I’d be happy, like most people, to pay an upgrade fee for a new version. But unlike a year ago when the company messaging was essential,y “don’t worry, you’ll be fine even if you don’t subscribe,” the current messaging is setting the stage for a necessary switch to 1Password.com at some point in what may be a not-so-distant future. That’s a shame. LastPass has been hacked at least once, no? I’m not a security expert, but there is no such thing as a non-hackable system and placing everyone's vaults on the same system seems like a potentially bad idea.

    Sticking with 1PW for now because it best option for me and my family. But I feel like the reassurance we were given not that long ago was disingenuous. I work for a startup;I get the need for revenue and to stay in business. As mentioned, I’d be happy to pay an upgrade fee for the next major release. But please don’t consider forcing us into the subscription, non-locally stored model.

  • I'm reading some comments by one of the moderators trying to make "cloud" sound not as bad as it is. You are not just using a "client/server" platform like it is 1996 again. You're likely using EC2 on AWS [not sure if Route53 names everything correctly] and your security architecture white paper says you're running an Aurora database in AWS.

    Your security white paper is missing a lot of useful data that is glossed over. Do you pay extra for dedicated compute platforms @ AWS? Or is your stuff running next to my workloads potentially on the same hardware? Is your Aurora database being written to the same shared disk array as other applications? What's your strategy for maintaining the internal private keys you use to deal with encryption at rest? (Not talking about 1Password encryption). Do you have a HSM in a colocation cage over in Equinix Ashburn with an AWS DirectConnect private link to your VPC? [In all fairness, I don't recall if Aurora will support an external HSM but I would not use Aurora if it did not support it.] Do you have dedicated compliance and infosec teams or are the developers running the show in the spirt of DevOps? [Ugh, Devops]

    I could keep writing these questions for hours and days. However, unless you're paying someone like me to deal with your infrastructure-level security, it's a waste of time. If you are paying someone like me, I'd wake them up and tell them to get a new security white paper written because CTRL-F tells me "amazon" appears only twice in that document. They're not doing their job well, if they exist. Where is the discussion on infrastructure-level security [non-1Password] that is screwing up lots of companies lately? Please tell me Agilebits has forgotten to write about it but has not really forgotten to take it seriously. [And I pray the developers have very limited access and you have a PITA oversight team who is hated by the developers keeping my mom's passwords safe because she really can't remember them.]

    Read the news today about Verizon's vendor screwing up the AWS S3 permissions that potentially leaked enough data for one to take over someone's phone account which will compromise SMS two factor authentication.

    All it takes is one permissions screw up and someone has a copy of your database. Or some kind of zero day SQL injection attack. I could go on.

  • I strongly agree with the points pickerin has made.

    1. Licensing model direction (clearly moving away from perpetual licenses and into subscription model)
    

    I understand that perpetual licenses cannot sustain continued development by AgileBits. I prefer not to use a simple subscription model because I lose functionality when I decide not to continue paying the subscription fee. I prefer the paid upgrade model because it is a known, fixed cost to me at the time of purchase and the application will continue functioning for some time after the purchase. I believe the paid upgrade model also puts the customer first in the customer/seller relationship -- the customer decides whether he/she is willing to pay $X for extended support or additional features. The subscription model gives the seller more power -- customers continually pay in order to maintain functionality.

    JetBrains offers an interesting take on a subscription model with their perpetual fallback license, which seems to be a compromise between the license and subscription model. It provides both the developers the income necessary to continue development and customers the assurance that they will still own functioning software if they choose to end their subscription.
    https://sales.jetbrains.com/hc/en-gb/articles/206544679-What-is-our-licensing-model-

    2. Local vaults -- support for, development for, commitment to have available
    

    Just like others, local vaults is exactly why I use 1Password.

    pickerin says it really well:

    This point can be addressed simply by stating, "Local Vaults are strategic to the 1Password family of products and as such are a feature that we have no intention to remove from the product in the future".

    Ben has stated:

    Now I will say that even with local vaults being de-emphasized and a large number of customers moving to 1Password.com membership (and membership based vaults) a large amount of the support volume we receive is still for local vaults, and fixing syncing with 3rd party services (which we have limited control over and insight into). That isn't great. It further reinforces our philosophy that most customers should be using a membership, and membership based vaults, and most of the time that fact is going to come up in such a conversation: there is a better way. But for the technically savvy who can manage syncing on their own... more power to you.

    To reduce the support load, has AgileBits considered marketing local vaults as an "advanced" option whose only method of support is the forums? This way, the "technically savvy" folk can manage their own syncing while those that need support to manage syncing can subscribe for 1Password.com membership. If an update has introduced an actual bug with local vaults, the community can perform some of the initial investigation/triaging before the issue is escalated for developers to investigate.

  • I really don't understand why AgileBits doesn't understand the criticism. Nobody thinks that you are going to remove support for local vaults in the current versions. That would be a whole different problem. This is not even about subscriptions.

    The problem is that local vaults are not a core feature for you. Imagine if the title of this discussion would be "Is 1Password.com going to exist for the foreseeable future?". Would you say "we don't typically discuss roadmaps" or "we haven't publicly announced any intention to remove it"? No, of course not. You would say something like "1Password.com is a core feature and we wouldn't even release a new version without it". Do you see the problem now? You can even say if 1Password v6 for Windows, a product that is already released, will be able to use local vaults!1

    And we are talking only about supporting features that already exists. Imagine if I wanted new features related to this (and I do), like support for a new cloud provider. How could I possibly believe that you would add any feature like this if you are unable to even say if local vaults will be supported?

    But anyway, I have read a lot about this and it's absolutely clear that not only you are not going to support local vaults, you don't even understand why anyone wouldn't want to use your cloud2, so I'm starting looking for alternatives. I simply cannot use 1Password without local vaults and if all this shitstorm hasn't make you change your mind, nothing will.

    To end with a positive note, I love 1Password (even with all this) and I sincerely thank you for all this years using this awesome app. I truly doubt that I will find an app as good as 1Password.


    1. By the way, saying "you can use 1Password v4 for Windows if you want local vaults" is almost an insult. I actually use it, but it's a pretty bad app, and more importantly, how is saying to your users "just use the old version, which is so old and unsupported that we don't even sell it anymore" even acceptable? 2 years ago, I bought a 1Password for Windows license and when trying to use 1Password 6, I was shocked, but I thought it would be temporal and just used 1Password v4. Now it's clear that is not temporal. ↩︎

    2. BTW, please stop saying that using your servers is more secure. No matter how good the crypto is, it all depends of your threat model, and to me and a lot of other people it's actually less secure. ↩︎

  • BenBen AWS Team

    Team Member

    Hi folks!

    There is a lot of activity in this thread, and as much as I'd love to continue to reply to every point that is being made it just isn't feasible to continue doing that, so I'm going to try to address the overall message here. We do certainly appreciate that everyone took the time to write in with their thoughts on the subject.

    We do have a separate thread specifically about local vaults and their future here:

    The Future of Local Vaults, Local Folder Sync, Wi-Fi Sync and Local Backups With Subscriptions — AgileBits Support Forum

    If you've already posted your feedback about local vaults in this thread (or other thread(s)) it isn't necessary to repeat it, but there may be some discussion happening there that is of interest to you.

    For people complaining about the loss of local vaults: No one is saying that 1Password is taking away local vaults.

    Some people are saying that, but we are not, so they seem to be making that up. :) I've said it a number of times in various threads in these forums over the last few days but I'll say it again:

    1) We haven't announced any plans to remove local vaults, so anyone claiming that we have is incorrect.
    2) We have no plans to discontinue local vaults. We understand they are important to a lot of more technically oriented customers and are taking that feedback into consideration as we make plans for the future.

    It is one thing to speculate, but it is another to make statements as fact about what we will or will not do in the future when no such announcement has been made.

    The point about Windows is well taken, but I think it is important to understand some history there before passing judgement. I'll share a little bit of the history on Windows, from my perspective. I'm primarily an Apple guy, so my apologies if some of these details are a little fuzzy. We didn't get into the Windows game until late. 1Password was originally, and for a number of years, a Mac only product. As such it has had a solid foundation and an experienced group of developers to build on whereas Windows was in the position of having to play catch up. Not only did they need to catch up, but they also needed to try to keep up with the momentum at the same time. We didn't stop developing on Mac because we were starting Windows. So it has been at an unfortunately disadvantage from the beginning. Then Microsoft did this whole thing with RT and their store and we were faced with having to build a whole new app from the ground up to support that. So we started over. And then Microsoft changed direction again with Metro and we were again faced with starting over. So not only did Windows get a late start, but it has also faced a number of challenges that essentially meant going back to the drawing board.

    1Password 6 for Windows has made it a long way, and is to the point now that I enjoy using it when I use Windows. But there is still a lot to do, and we have to prioritize. 1Password 6 on Windows doesn't have full local vault support because it has never had full local vault support. We didn't remove it -- we just never got the chance to add it. Right now our focus is making the 1Password membership experience in 1Password for Windows the best it can be.

    Can you remind me if there are open source tools that read decrypt and read the 1Password database?

    There are, yes. AgileBits cannot recommend using them as we haven't vetted them, and while we have no reason to believe any of their authors have any malice or negligence we can't say that for certain and as such we cannot recommend entering your Master Password into anything other than 1Password.

    The 1Password data format is open to the public for a reason. :)

    OPVault design - 1Password Support

    When 1Password.com came out, there seemed (as I recall) to have been many good reassurances from AgileBits that for those of us who paid $ to purchase the standalone apps on OS X and iOS, we were always going to be free to use our purchased software and not be forced into the subscription model.

    That is still true.

    Until I opened Flipboard yesterday and was confronted with numerous stories about how 1Password is going to no longer support local or cloud-synced vaults and require everyone to switch to the subscription model.

    It seems a few individuals have gone out of their way to spread news on our behalf that we never announced and did not confirm to them to be true. Nothing changed over the weekend: we're still in the same position we were a year ago. 1Password is being sold as a subscription membership, and the default way to use it is with 1Password.com membership based vaults. It is still possible to purchase standalone licenses for Mac & iOS on request, and it is still possible to use local vaults, even with a subscription, on those platforms. It is also possible to use 1Password 4 for Windows if you're licensed for it, which has full local vault support, though this product is no longer being sold.

    Especially when I’ve already purchased software on two different platforms for much more than a few dollars

    This was one of the motivating factors for building memberships the way we have. They include all of the latest versions of all of our 1Password apps including upgrades. This means you don't have to re-buy 1Password if you switch from Android to iOS or get a new device that has the latest operating system on it. You always get the latest and greatest from us.

    We're also happy to help anyone who has purchased a license with the financial transition to membership. Please drop us an email to [email protected] with receipts for any previous purchases and our sales team will get you squared away.

    To reduce the support load, has AgileBits considered marketing local vaults as an "advanced" option whose only method of support is the forums? This way, the "technically savvy" folk can manage their own syncing while those that need support to manage syncing can subscribe for 1Password.com membership. If an update has introduced an actual bug with local vaults, the community can perform some of the initial investigation/triaging before the issue is escalated for developers to investigate.

    Yes. :) And that is, to some extent, what we have now.

    And we are talking only about supporting features that already exists. Imagine if I wanted new features related to this (and I do), like support for a new cloud provider. How could I possibly believe that you would add any feature like this if you are unable to even say if local vaults will be supported?

    We're agile and just about everything is subject to change but I can tell you that for the foreseeable future we will not be adding additional sync methods or cloud providers. We are still supporting the existing ones. We just made some fairly significant changes to support the new Dropbox v2 APIs.

    Do you see the problem now?

    It has never been that we didn't see what you're getting at. It has always been that we don't make the kind of statements you're asking us to make.

    I have read a lot about this and it's absolutely clear that not only you are not going to support local vaults

    Despite the fact that we're saying the exact opposite and have actually been supporting local vaults right along (including the above mentioned changes we just recently completed for continued Dropbox support of local vaults)? :)

    I simply cannot use 1Password without local vaults and if all this shitstorm hasn't make you change your mind, nothing will.

    There is nothing to change. We already support local vaults. We haven't changed that.

    Ben

    P.S. @rfc1918 -- You've asked some great questions and I want to make sure they are answered properly. I've asked our security team to review your post and comment here.

  • paulInOaklandpaulInOakland Junior Member

    Just wanted to add my 2 cents. I’ve been a paying customer since 2008/9. I have no problem with a subscription model inclusive of opting in/out of selective cloud storage of some of my information. I just want to be clear though. While I understand there are no plans to remove local vaults, if it ever happens down the road, I’ll cease being a customer.

    In the mean time. I love the product and enjoy paying for what I find to be the best password manager out there

  • BenBen AWS Team

    Team Member

    Thanks, @paulInOakland! :)

    Ben

  • BenBen AWS Team

    Team Member

    Please see this blog post for more info:

    AgileBits Blog | Why We Love 1Password Memberships

    Ben

  • "These worries are compounded by the fact that 1Password 6 for Windows was designed from the ground up to support 1Password Teams customers only (and then later expanded to include family and individual plans)"

    This, this, this is the point. 1Password used to support Dropbox all over. Now it's already orphaned on Windows. No edge support, no development for a modern Windows app, but you try to convince me, a multi platform user, that there's no fears of local vaults going away. They already have. Just not on every OS. Maybe v4 still works, but LONG LONG LONG before you went subscription only you went in that direction and stranded guys like me. Wish I only used macs, but I work, and work uses a PC.

    But keep telling me nothing's changing, I guess that's right, because for some of us, it already changed. A long time ago.

  • Catalin1PCatalin1P
    edited July 2017

    I see that a lot of people are worried about this...If you read the last blog post you will see that 1Password is listening to its consumers and I think all the folks that prefer local vaults should have faith in the team. As @rickfillion said.

    "We're still putting development time towards standalone vaults."

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Hi @rfc1918, you are correct that details of our hosting and network infrastructure are woefully in adequate in the white paper. I'd love to say that this will be corrected "soon", but for so many things "soon" takes longer than anyone might want.

    I would like to point out that, as you should know from the portions of the white paper that do exist, that a compromise of our database or the compromise of the secrecy of our server's state would not be catastrophic. Obviously we aren't complacent about such things, we have designed 1Password to resist an insider attacks (not that we expect one) under the principle that if we can withstand an insider attack we can also withstand an outsider attack on our infrastructure. Obviously there is a big difference between "resist many types of insider attack" and "are invulnerable to insider attacks", but by taking the approach we do, we limit the damage of any successful attack on our database.

    Some of the details you want about the AWS hosting arrangements and infrastructure are fluid enough that they don't really aren't appropriate for the white paper, but clearly we can say a lot more than we currently do. It will get in there "any day now."

    Cheers
    -j

    Chief Defender Against the Dark Arts @ AgileBits

  • brentybrenty

    Team Member

    This, this, this is the point. 1Password used to support Dropbox all over. Now it's already orphaned on Windows.

    @sglewis100: That's demonstrably false. I still use 1Password 4 and Dropbox on Windows, and not because I have to: development and testing is focused on 1Password 6 right now, so it's a bit more incumbent on me to do work there these days.

    No edge support,

    As both we and Microsoft have mentioned publicly a number of times, we're working together on this.

    no development for a modern Windows app,

    1Password 6. But UWP is part of it as well. I'm sure we'll have more to share in the coming months.

    but you try to convince me, a multi platform user, that there's no fears of local vaults going away. They already have. Just not on every OS.

    Not on any OS, actually. There's always fear of the unknown. The future is scary. But as mentioned previously, in this case at least, all of this is based on some folks discovering a year and a half late that 1Password.com is a thing, and assuming that means that local vaults are going away. If that were the case we'd have pulled that ripcord a year ago (though apparently no one would have noticed). I find strange how many people lately are suggesting that I don't exist, because I still use local vaults every day. It's a bit surreal.

    Maybe v4 still works, but LONG LONG LONG before you went subscription only you went in that direction and stranded guys like me. Wish I only used macs, but I work, and work uses a PC.

    Sometimes I wish I only used Macs too (thanks, Microsoft! :tongue: ), but Windows 10 is growing on me. Whether 1Password 4 works isn't a "maybe" though. We just released an update this month so it can continue to support Chrome and Firefox changes now and coming up later this year.

    But keep telling me nothing's changing, I guess that's right, because for some of us, it already changed. A long time ago.

    Well, we launched 1Password.com over a year ago. That was a pretty big thing for us. But no, as far as those who have purchased licenses, nothing has changed; you still get to use the version you paid for. When we have something else to announce about the new version we'll be excited to do so. ;)

  • Thanks for the response. I'm going to redownload 1Password 6 for Windows and verify the local sync and Dropbox support.

  • brentybrenty

    Team Member

    @sglewis100: I think you meant 1Password 4. Either way, let me know if you have any more questions. :)

  • On 13 July 2017, however, the company’s founder confirmed that clients that currently handle local vaults will continue to do so in version 7, at whatever future date it appears.

    That's why I meant v6. That's a quote from Tidbits. The latest Windows client is v6. It's been around for quite some time, and does NOT support these features. You're on record as saying the next version clients will be supporting local vaults, EXCEPT apparently v7 on Windows.

    So, again, you're not supporting your Windows users, we are stuck on an older client, with apparently less than top tier development activity, and there's NO plans to bring the current app up to supporting things like a local vault.

    But you want me to believe I'm not getting left behind. It's specious an argument at best.

This discussion has been closed.