I'm a longtime user of 1PW (since 2011) and have been the ultimate satisfied user/owner, have bought a multi-platform family license as well as personally paid for licences for relatives/friends just so that they would start using 1PW. I have over 1100 items stored in my 1PW vault (don't know if that's a lot compared to other users but mention it just to show how much I use 1PW). I say all this to show how I am committed to long term use of 1PW.
I'm watching all of the hubbub that is going on both these forums and Twitter regarding your current focus on 1password.com and subscriptions moving away from the licensing system. My initial reaction was "Oh cr*p, we're screwed", but the more that I've studied what you're doing and how you're doing it, I was starting to get think that my use of 1PW would still be ok (safe and secure) in the future.
I understand the need for a continuing revenue stream and have no problem with paying a reasonable subscription fee for a tool that is as critical and useful to me as 1PW.
I signed up for a trial Family 1password.com account and have been testing it for the past day and like most of what I see.
However, I currently have at least one concern about the 1password.com setup.
There appears to be no way to disable web access to the entirety of my unencrypted passwords via 1password.com if I have set my passwords to sync via 1password.com.
Limiting the access of unencrypted passwords to only properly setup 1PW applications would seem to eliminate the possible (probable?) web based attack vector to a 1password.com account.
I don't want any web-based access to my unencrypted password "vault". This is the primary reason I've never considered switching to the many other password managers available that are web browser accessible.
My Dropbox sync'd vaults are probably more vulnerable in encrypted form that what is stored using your service and encrypted with the additional Secret Key, but at least with Dropbox my unencrypted passwords are never accessible via a web browser.
Am I missing something here or is there really nothing to prevent web-based (browser) access via 1password.com to all of my unencrypted passwords if you possess the proper credentials (which I realize include my Secret Key and Master Password that are unfortunately static entities)?
Wouldn't a dynamic 2FA for web login to 1password.com go a long way to further secure my passwords from web-based attack?
1Password Version: mac 6.71
Extension Version: don't use
OS Version: macOS 10.12.5
Sync Type: Dropbox (for now)