On WLAN Sync in 1Password 7


Comments

  • Hello from Germany,
    since I can not speak English well, I let my request translate with Google, sorry for the mistakes in it.
    I hope you understand me anyway. ;-)

    I use 1PW 4 since the WLAN synchronization was introduced for Windows. I currently use 1PW 4 with Windows 7, iPhone and iPad. The WLAN synchronization between Windows and iOS was for me the main reason why I chose 1PW. Incidentally, I never had any problems with it. (I'm 64 years old ;-))

    Now I was very pleased that 1PW 7 is again offered with a single license for purchase, but unfortunately without wireless synchronization.
    That really disappointed me! :-(

    For me this means that I will use 1PW 4 until it stops working in my system for whatever reason. After that, I'll probably have to look for another password manager, which I really regret very much. :-( A backup of my data outside of my network is out of the question for me, I do not use a cloud or Dropbox for my backups.

    I hope so much that the AgileBits team will program 1PW again so that synchronization via WLAN is possible!
    Please!

    Best regards
    Charlotte

    Here is my German text:

    Hello from Germany,
    since I do not speak English well, I had my request translated with Google; sorry for the mistakes in it. I hope I can be understood anyway. ;-)

    I have been using 1PW since WLAN synchronization was introduced for Windows. I use 1PW 4 with Windows 7, iPhone and iPad. WLAN synchronization between Windows and iOS was the main reason I chose 1PW back then. Incidentally, I never had any problems with it. (I am 64 years old. ;-) )

    Now I was very pleased that 1PW 7 is again offered for purchase with a single license, but unfortunately without WLAN synchronization.
    That disappointed me very much! :-(

    For me this means that I will now use 1PW 4 until, for whatever reason, it no longer works on my system. After that I will probably have to look for another password manager, which I really regret very much. :-( Backing up my data outside my network is out of the question for me. I use neither a cloud nor Dropbox for my backups.

    I hope so much that the AgileBits team will program 1PW again so that synchronization via WLAN is possible!
    Please!

    Best regards
    Charlotte

  • Lars Junior Member

    Team Member

    Welcome to the forum, @chasty! Apparently machine translation is getting better, because I understood you quite well. :)

    I'm sorry you were disappointed by the lack of WLAN sync in 1Password 7 for Windows. It's not a decision we made lightly. 1Password 7 for Windows was a large overhaul of the code, combining elements of both the older version 4 (to incorporate standalone vaults) and the newer version 6, and with all the other things that needed to be done on a release of this scale, WLAN just didn't make it into the launch version. What we've done instead - and I encourage you to participate in it if you wish - is subscribe to our WLAN sync mailing list. At this point, we're trying to gauge what the level of interest is in bringing WLAN sync forward to 1Password 7 for Windows, since we're not even certain how many people use such a feature.

    And I understand your concerns about data storage in the cloud. However, 1password.com (our own sync service) is quite different from Dropbox or other cloud-based file storage. For one thing, we have 1password.eu which runs the same software as 1password.com but is located in Frankfurt and conforms to all German data privacy and protection laws.

    Much more than that, however, 1Password's security does not depend upon the strength of the data laws or of the data center in which it's housed. Your 1Password data is end-to-end encrypted with keys which never leave your device. It starts with your Master Password, which only you know, and for 1password.com (and .eu), it's strengthened by your Secret Key. Neither of these secrets is ever sent to us; all encryption and decryption of your data is performed only on your local device, so your valuable data is never sent "down the wire" in readable form, only as unreadable ciphertext.

    When combined with Secure Remote Password and all the other things described on our Security page and our White Paper, you can see why it’s easy for me to argue that our 1Password memberships are more secure than WLAN Sync.

    Best of all, every 1password.com (or .eu) includes all four of our native 1Password applications (Mac, iOS, Windows and Android), so no matter what configuration of devices you have now or in the future, you'll be able to run 1Password -- including all future upgrades, for as long as you maintain the membership. If you're interested in checking out a 1password.eu membership, there's a full 30-day free trial. Just visit the main 1Password sign-up page to begin a trial. Thanks for writing in! :)

  • Translated again with Google ...

    Thank you Lars for your detailed answer, which was translated very well by Google! :-)

    I have now entered the mailing list and hope that many other users do. ;-)

    Even if your argument eliminates my security concerns, the monthly cost of membership remains or do I misunderstand? I would like to be able to buy my software if it allows my budget and no permanent additional monthly burden. For example, that's why I turned my back on Adobe Photoshop after 6 purchased versions.

  • Lars Junior Member

    Team Member
    edited April 2018

    @chasty - I understand your reasoning; people have different motivations for choosing either standalone OR subscriptions. That's why we continue to offer both -- so users can choose what's best for their individual situation.

    However, let me offer you a brief calculation. If you decide you'd like to stick with standalone licensing and local data, that's fine...but the economic argument may not be as compelling as you think. I know you're a Windows user, but just for example, a new license for the just-released 1Password 7 for Mac is $39.99 right now, during the beta period (as both an incentive and a way to say "thanks" to long-time users who upgrade). When 1Password for Mac is officially released (non-beta), it will cost $64.95 for a single-user license. Obviously, I can't say how long it will be until we release version 8, but if you look at our history, it's typically between a year and two years. Say it's 18 months, for an estimate. An individual 1Password account is $2.99/mo if paid annually, so 18 months would be $53.82. That's still less than the cost of a single license of 1Password for Mac (at regular price), and the subscription includes all four of our native apps (Windows, Android and iOS, not just Mac), including all future upgrades and new versions -- for as long as you maintain the subscription.

    You could choose to just not purchase version 8 to save money, I suppose...but my point with the above exercise is that if you plan to keep 1Password up to date (and that's definitely our recommendation, for security reasons), then it may actually be cheaper - or at least no more expensive - to subscribe than to purchase a standalone license. Just some food for thought; however you want to use 1Password is certainly up to you, and we'll be here to support you either way! :)

  • Hi, everyone. To be clear - I need WLAN sync! :'(

    I've tried to sign up for the WLAN newsletter here with my hotmail.com email address: http://email.agilebits.com/h/r/175B41FBB92E66DB

    It says "Great. We've just sent you an email. Click on the link in there to confirm you want to hear from us." However I never received the link in email. I tried about 3 times over 4 days.

    I tried just now with a gmail.com account and I got the email right away from agilebits.. so it looks like Hotmail isn't accepting your mail for some reason from that email subscription form. Just wanted to let you know.

    I have been using 1Password since October 2014 on Windows and iOS. I need a way to sync passwords between my iPhone (which I use often) and my Windows computer (which I also use quite a lot). If I am using the iPhone I need to have access to my passwords, and the same is true for my computer. WLAN sync allows me to keep the password vault data synchronized between both devices.

    I've read the blog posts about using a subscription service and syncing to Dropbox or 1Password's own cloud service, but I really don't want to use any of that (Dropbox has been hacked before, you know). I just want to manage my vault information locally, on my system. I don't want to entrust it to some provider in a cloud/data center somewhere. I guess I'm just old fashioned. And I would like to continue using single-user standalone licensing; not a subscription model.

    I was all ready to sign up for the 1Password 7 beta on Windows 7, until I saw the blog post that WLAN sync isn't supported. How terrible for me! I'm not able to proceed without WLAN sync. I really hope it is added to the next version of 1Password for Windows; if not, I'll either (a) continue using 1Password version 4 until it doesn't work or (b) migrate to something else that provides the feature set I need.

    I really hope Agile Bits & 1Password continue to support WLAN sync. If not, I'm worried I'll be forced to move to something else, which I really don't want to do. I really like the software. But if it can't meet my requirements, it will force my hand. :p:)

  • brenty

    Team Member

    I've tried to sign up for the WLAN newsletter here with my hotmail.com email address: http://email.agilebits.com/h/r/175B41FBB92E66DB
    It says "Great. We've just sent you an email. Click on the link in there to confirm you want to hear from us." However I never received the link in email. I tried about 3 times over 4 days.
    I tried just now with a gmail.com account and I got the email right away from agilebits.. so it looks like Hotmail isn't accepting your mail for some reason from that email subscription form. Just wanted to let you know.

    @bwood: Thanks for letting us know about the Hotmail issue. But did you check your spam folder? It's been a long time since I used Hotmail, but I definitely remember going through there once a week to weed out all the legitimate messages that were missed because of that...

    I have been using 1Password since October 2014 on Windows and iOS. I need a way to sync passwords between my iPhone (which I use often) and my Windows computer (which I also use quite a lot). If I am using the iPhone I need to have access to my passwords, and the same is true for my computer. WLAN sync allows me to keep the password vault data synchronized between both devices.

    Thanks for the context! It's helpful to know the kinds of setups people are using, as we don't collect information the way many companies do.

    I've read the blog posts about using a subscription service and syncing to Dropbox or 1Password's own cloud service, but I really don't want to use any of that (Dropbox has been hacked before, you know).

    Yep. And no 1Password users were affected by that because the data is end-to-end encrypted. 1Password simply doesn't depend on the sync service to protect your data. 1Password is secure by design, not by chance.

    I just want to manage my vault information locally, on my system. I don't want to entrust it to some provider in a cloud/data center somewhere. I guess I'm just old fashioned. And I would like to continue using single-user standalone licensing; not a subscription model.
    I was all ready to sign up for the 1Password 7 beta on Windows 7, until I saw the blog post that WLAN sync isn't supported. How terrible for me! I'm not able to proceed without WLAN sync. I really hope it is added to the next version of 1Password for Windows; if not, I'll either (a) continue using 1Password version 4 until it doesn't work or (b) migrate to something else that provides the feature set I need.
    I really hope Agile Bits & 1Password continue to support WLAN sync. If not, I'm worried I'll be forced to move to something else, which I really don't want to do. I really like the software. But if it can't meet my requirements, it will force my hand. :p:)

    I hear you. Thank you for letting us know. It's something we'll continue to evaluate.

  • Translated again with Google ...

    Hello @Lars, thanks again for the detailed answer and the calculation. As a rule, I always skip programs for financial reasons, one or two versions, so a subscription is no savings for me. I accept the security risk, I secure my PC elsewhere.

    Before I look around for another program, I wait for the first time, whether AgileBits remains in his decision to exclude WLAN for Windows. 1PW 4 is still running well on my system and as long as I will use it. An alternative option would be to buy 1PW 7 and manually "sync", but that would be a step back in the Stone Age ... ;-)

    Sunny greetings from spring-like Germany,
    Charlotte

  • Lars Junior Member

    Team Member
    edited April 2018

    @chasty - Understood. If you haven't already, I'd recommend hitting the WLAN Sync newsletter link and signing up so that a) your voice is among those counted as wanting this feature and b) you'll have the latest information on this issue specifically, without having to sift through these forum threads to make sure you didn't miss anything we've said.

  • @brenty, thanks for your response. I hope to see WLAN Sync in a future version of 1Password.

    @bwood: Thanks for letting us know about the Hotmail issue. But did you check your spam folder? It's been a long time since I used Hotmail, but I definitely remember going through there once a week to weed out all the legitimate messages that were missed because of that...

    Yes, thanks for the suggestion; I checked there too. I just tried again: Submitted the subscription using my hotmail.com address, checked my hotmail account, no mail from the AgileBits subscription account. Checked junkmail, too; nothing.

    Not the first time I have seen this. Sometimes, hotmail.com doesn't allow mail for some reason. That's why I have a gmail account as a backup.

    Thanks!

  • brenty

    Team Member

    @bwood: That's a bummer about Hotmail, but good to know you've got a workaround. :)

  • prime
    edited April 2018

    @jpgoldberg

    From my point of view, if someone believes that 1Password's data encryption isn't good enough to live on "somebody else's computer" then they shouldn't believe that it is good enough to live on their own devices (which get lost or stolen). So I genuinely have a hard time understanding your perspective, and that is why I am asking for your help in explaining your view to me.

    I see your point in this. But maybe some people see they trust 1Password's encryption, but add the trust of some more encryption on top of it. I have all of my hard drives encrypted on all of my computers. So with the protection of encryption of my hard drives, and the protection of the encryption of 1Password, it’s pretty solid.

    I tried the WLAN a few times, but I felt like I was fighting it. Then I was using more than 1 computer, and I couldn’t use it anymore.

    For the record, I was very against the subscription model for a long time. I even beat up @brenty and even @Megan about it. I was doing research on the subscription and Dropbox had issues and I dropped them instantly. I switched everything to iCloud (didn’t have Windows or Linux at the time), and kept reading and researching about the subscription. I ended up getting the friends day deal (or something) and I love it.

  • brenty

    Team Member

    @prime: Thanks for sharing your perspective! :)

    I see your point in this. But maybe some people see they trust 1Password's encryption, but add the trust of some more encryption on top of it. I have all of my hard drives encrypted on all of my computers. So with the protection of encryption of my hard drives, and the protection of the encryption of 1Password, it’s pretty solid.

    Totally. But we can't design 1Password around the assumption that everyone will use full disk encryption and not use a weak password to protect it (and there are plenty of other considerations). So while I think it's important for anyone to take 1Password on its own when judging its security, it's absolutely critical that we approach it that way. After all, if someone were able to break into a 1Password user's data, "you should have been using full disk encryption on the device!" is not an acceptable response. I know you're not arguing otherwise, but I wanted to go a bit further into the way we approach it.

    I tried the WLAN a few times, but I felt like I was fighting it. Then I was using more than 1 computer, and I couldn’t use it anymore.

    I agree, but I think it used to be much easier actually. Maybe that's the rose-coloured-glasses effect or something, but as home networks have gotten a lot more complex (and, in some ways, more secure) in the past decade, there's a lot more that can interfere with a direct device-to-device connection like this.

    For the record, I was very against the subscription model for a long time. I even beat up @brenty and even @Megan about it. I was doing research on the subscription and Dropbox had issues and I dropped them instantly. I switched everything to iCloud (didn’t have Windows or Linux at the time), and kept reading and researching about the subscription. I ended up getting the friends day deal (or something) and I love it.

    I'm really glad to hear that. Certainly it isn't going to be the option that everyone prefers, but because of the considerations above we're very comfortable not only recommending it to most people, but also using it ourselves.

  • @brenty

    I see your point in this. But maybe some people see they trust 1Password's encryption, but add the trust of some more encryption on top of it. I have all of my hard drives encrypted on all of my computers. So with the protection of encryption of my hard drives, and the protection of the encryption of 1Password, it’s pretty solid.

    Totally. But we can't design 1Password around the assumption that everyone will use full disk encryption and not use a weak password to protect it (and there are plenty of other considerations). So while I think it's important for anyone to take 1Password on its own when judging its security, it's absolutely critical that we approach it that way. After all, if someone were able to break into a 1Password user's data, "you should have been using full disk encryption on the device!" is not an acceptable response. I know you're not arguing otherwise, but I wanted to go a bit further into the way we approach it.

    I was more or less thinking a person might think "I trust the encryption of 1Password, but I trust the encryption of Apple/Ubuntu/Windows too, so a person has to get through that before even thinking about getting through 1Password". Just more layers that an attacker has to get through. Just playing devil's advocate ;)

  • brenty

    Team Member

    @prime: Yep! That makes sense. It's just our job to make sure that 1Password's security stands up even if all else fails. Cheers! :)

  • edited April 2018

    This entire thread is laughable. I cannot believe these insane decisions you guys keep making. I have been waiting and waiting (daily refreshing your changelog page) for 1p7 to be released. I'm literally waiting to give you guys money and now I read you took away the only way to sync to our devices.

    Your cloud service is only secure until it's not. You will get hacked. It will happen one day. And everyone's data will be downloaded. Once that happens, then what?

    1password7 said: "Oh dropbox being hacked didn't affect us because we have encryption!"

    1password7 said: "The thing is, if we're "hacked", we don't have the keys to anyone's data. That's kind of the point."

    Remember when wpa2 was unhackable? You didn't have the key right, so what did it matter? Oh right, someone exploited it and it's now totally crackable. Or remember when everyone was like "Diffie-Hellman cryptography would take THOUSANDS of years to crack!" Oh, whoops! Turns out an exploit in the way it was implemented led to one single prime number being used to encrypt two-thirds of all VPNs and a quarter of SSH servers GLOBALLY and also 20% of the top million HTTPS websites. How about the Apple iPhone that was uncrackable until the FBI hired some dude to just get right in for them.

    Just because you don't have the keys today, doesn't mean someone won't find an exploit or a way to crack it in the future. So when you puff your chests in this thread about how amazing your security is and how you guys don't sleep and we do so "send us your data!" is totally ridiculous. When someone snags your data, then what? You just pray that forever and ever no one will be able to crack it? You email everyone and say "Hey, we were hacked, but good news! We can guarantee you no exploits will ever be found and your data is safe forever in their hands!"

    You know how we don't EVER have to worry about that? Not storing it on your servers. Period.

    You guys gave us the additional security we wanted with 1p7 and local vaults but then REMOVED ALL REAL-LIFE CASE USE FOR THEM.

    Also, if you expect your "newsletter" to be an indication of how much it's used that's ridiculous too. You seriously expect people to find that link? I have been keeping up with this on a daily basis and only found it today by accident and reading through all the pages of this thread.

    I'm so disappointed with you guys. Who would have ever imagined that in 2018 no one would still have a good solution/process for this yet. But here we are with 1password leading the way. I've uninstalled the beta. I guess I'll continue to chug along with keepass and continue doing really crappy one way syncs until you guys realize what your customer base needs. Here's hoping in 2019 a good solution to bringing our digital lives with us!

    source: https://nvd.nist.gov/vuln/detail/CVE-2017-13077

    source: https://threatpost.com/prime-diffie-hellman-weakness-may-be-key-to-breaking-crypto/115069/

    source: https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html?utm_term=.5f26c00b36f9

  • @jpgoldberg: From my point of view, if someone believes that 1Password's data encryption isn't good enough to live on "somebody else's computer" then they shouldn't believe that it is good enough to live on their own devices (which get lost or stolen). So I genuinely have a hard time understanding your perspective, and that is why I am asking for your help in explaining your view to me.

    1Password should be designed with security that is good enough to live on somebody else's computer. It is probably true that 1Password's servers, the 1Password vault security, and the 1Password<-->1Password Cloud sync security are better than the security of the devices on which the average 1Password customer uses 1Password. BUT, there are two important points:

    1. 1Password is a higher risk target. The average 1Password customer might have his or her desktop, laptop, tablet, or phone stolen, but he or she probably isn't being specifically targeted and the bad guy might very well just be interested in wiping and selling the device. Moreover, your average thief is not a sophisticated hacker who would have the skills to mount a brute force attack to gain access to a 1Password vault stored on the device.
    2. A sizable portion of the 1Password constituency is security professionals--people who use 1Password for highly sensitive passwords (or other information) and who make security recommendations to others and have influence over the choices those "average" customers make. For many of those security professionals, storing a password manager database on someone else's computer is a non-starter. No matter how secure 1Password makes its systems, I am confident my systems will remain more secure. First, all of my devices are encrypted with strong passwords. (In fact, my password manager vault is stored inside an encrypted file container with a separate password, which is then stored on my full disk encrypted Windows laptop.) Second, I would know more or less immediately if one of my devices was lost or stolen. I could then take action to change all of my passwords--which I could do LONG before a bad guy could brute force through the layers of security to get to the contents of my password manager. (The security of 1Password matters more in the context of my iPhone, which doesn't have as many layers of protection as my Windows laptop, but an iPhone is inherently more secure than a Windows laptop, it is almost always on or near my person, and it can be remotely wiped.)

    It is clear that there is a contingent of passionate 1Password customers who very much want WLAN / Wi-Fi sync. It seems like it would make business sense to keep those customers--many of whom have influence over the decisions less security conscious people make--happy.

    Question: With 1Password 7, is it possible to manually copy a vault from Windows to iOS via iTunes? Although it would be a nuisance and it would seriously reduce the value of 1Password, if I could use 1Password in such a way that the copy on my Windows PC is the master/original and the copy on my iPhone is essentially a read-only copy, that would at least be something and would let me keep using 1Password.

  • To add to my previous comment (https://discussions.agilebits.com/discussion/comment/425997#Comment_425997):

    Another reason why WLAN / Wi-Fi Sync along with local vaults is valuable is because 1Password could be compromised in some way. I understand the layers of protection provided by TLS, SRP, Secret Key, and Master Password. I think we do have good reasons to trust 1Password--at least as much, if not more, than other password manager providers. But what if a developer (or group of developers) at 1Password--or the server that stores the 1Password .exe for download--was compromised? (Aside: Do you PGP sign the 1Password downloads and provide a way to verify that they are authentic?) A malicious actor could create a corrupted version of 1Password designed to steal Secret Keys and Master Passwords. In that scenario, the bad guy could then access and decrypt the 1Password vault stored in the 1Password Cloud.

    In contrast, with a local vault synced only over WLAN / Wi-Fi, if the user's firewall is configured to prevent 1Password from accessing the Internet (or 1Password is only used when the Internet is disconnected), it would be harder for the corrupted 1Password program to exfiltrate the user's passwords. And it actually isn't too hard to isolate 1Password in that way. For example, on my iPhone, I simply turn on airplane mode before using any password managers.

  • bundtkate

    Team Member

    @YellowVista: I'll attack the quickie first.

    Do you PGP sign the 1Password downloads and provide a way to verify that they are authentic?

    All 1Password files are signed with a code signing certificate from AgileBits. You can find this in file properties for 1Password files on Windows.

    1Password is a higher risk target.

    This is certainly true and we're well aware of it. We designed 1Password memberships with full consciousness that our servers would be an attractive target. That's why the Secret Key, as you noted, is such an important component of this system. It's something that strengthens even weak Master Passwords to the point where brute forcing a vault at least borders on impossible. It's also something that, along with your Master Password, we never have, meaning malicious actors would need to target y'all directly to decrypt your data, even if taken from us en masse. It is designed for folks who may not be up for maintaining a system like you do, but we certainly hope some folks with more security savvy will choose a 1Password membership as well. And some security professionals have, which is awesome, but like in any field there's certainly some disagreement and we get that. That's one reason among many we continue to support standalone vaults.

    It is clear that there is a contingent of passionate 1Password customers who very much want WLAN / Wi-Fi sync.

    I'd argue what these folks actually want is a means of syncing without data leaving systems they control. WLAN sync has been that means for a long time and (as I'll delve into more in a bit) is still the only viable means under certain circumstances, but I think it's important to keep the ends that means is designed to achieve in mind. Right now, though, you're absolutely right.

    These conversations help us out there. We don't track how y'all use 1Password (something I'm sure you appreciate), so conversations about this are important and certainly will inform our ultimate decision. That there would be some net good from continuing to support WLAN sync isn't even a subject of debate. We know there's a benefit there, but whether that benefit is significant enough to justify the time and resources we'd need to dedicate to it is the question we need to answer.

    With 1Password 7, is it possible to manually copy a vault from Windows to iOS via iTunes?

    In short, no. Circling back to the ends WLAN sync accomplishes, iOS is actually the only operating system that cannot easily provide an alternative to WLAN sync. On other operating systems, it's at least possible to utilize folder sync to keep your vault off "the cloud" without WLAN sync. This isn't possible on iOS. This stinks because folder sync is just better than WLAN sync. It not only allows folks to sync locally, but it's more flexible for folks who fall somewhere in the middle and are okay with cloud syncing so long as it's a server environment they control.

    I don't think we'd even need to talk about WLAN sync if iOS was able to support folder sync like other operating systems. Still, the fact remains that iOS doesn't do that right now, so that's one of the primary reasons we need to at least consider continuing to support WLAN. If iOS were able to support folder sync, I'd wager the decision would have been made and no one would be terribly upset about it. I'll admit that part of me is clinging to some hope that these circumstances will change. I'd much rather (and I'm sure others would agree) be able to tell you we're ending support for WLAN sync, because we can now offer something that's both easier to support and better. Fingers crossed, eh?

  • @bundtkate

    This is certainly true and we're well aware of it. We designed 1Password memberships with full consciousness that our servers would be an attractive target. That's why the Secret Key, as you noted, is such an important component of this system. It's something that strengthens even weak Master Passwords to the point where brute forcing a vault at least borders on impossible. It's also something that, along with your Master Password, we never have meaning malicious actors would need to target y'all directly to decrypt your data, even if taken from us en masse. It is designed for folks who may not be up for maintaining a system like you do, but we certainly hope some folks with more security savvy will choose a 1Password membership as well. And some security professionals have, which is awesome, but like in any field there's certainly some disagreement and we get that. That's one reason among many we continue to support standalone vaults.

    When an attacker is using brute force, wouldn’t they have to brute force the correct passwords at the exact same time since there are 2 Passwords (master password and secret key)? Don’t brute force programs try thousands of passwords per second? So to try thousands of passwords per second in 2 different areas to open 1 vault, I can’t see that happening very easily or at all. Am I thinking about this correctly?

    Then with the added protection of 2FA now, I feel safe.
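
An added illustration for the question above (not 1Password's code and not written by anyone in this thread): when a password and a separate secret key both feed one key derivation, a guess can only be checked as a pair, so the work is the product of the two search spaces. The construction, the verifier, and every sample value are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample values for this example only.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 10_000  # kept low so the example runs quickly
PASSWORDS = ["letmein", "hunter2", "correct horse", "qwerty"]
SECRET_KEYS = ["SK-CONSTRUCTED-1", "SK-CONSTRUCTED-2", "SK-CONSTRUCTED-3"]


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(password, secret_key, salt, iterations):
    """Combine a slow password hash with a secret-key-derived value.

    Assumed construction for illustration: the two 32-byte parts are
    XORed, so neither secret alone determines any bit of the result.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  iterations, dklen=32)
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"example-two-secret", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key):
    """Stand-in for whatever stored data lets a guess be tested offline."""
    return hashlib.sha256(key).digest()


def joint_guess_search(verifier, passwords, secret_keys, salt, iterations):
    """Test every (password, secret key) pair; return the match and the
    number of key derivations spent. A password guess cannot be confirmed
    without the right secret key, so there is no per-secret shortcut."""
    attempts = 0
    for sk in secret_keys:
        for pw in passwords:
            attempts += 1
            candidate = make_verifier(derive_key(pw, sk, salt, iterations))
            if hmac.compare_digest(candidate, verifier):
                return pw, sk, attempts
    return None, None, attempts


if __name__ == "__main__":
    v = make_verifier(derive_key("hunter2", "SK-CONSTRUCTED-2", SALT, ITERATIONS))
    print(joint_guess_search(v, PASSWORDS, SECRET_KEYS, SALT, ITERATIONS))
    # Without the right secret key in the candidate set, even the correct
    # password is indistinguishable from a wrong one.
    print(joint_guess_search(v, PASSWORDS, SECRET_KEYS[:1], SALT, ITERATIONS))
```

With a randomly generated secret key the second candidate list is far too large to enumerate, which is why a weak password alone does not decide how hard the search is in such a scheme.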

  • edited April 2018

    "It is clear that there is a contingent of passionate 1Password customers who very much want WLAN / Wi-Fi sync. It seems like it would make business sense to keep those customers--many of whom have influence over the decisions less security conscious people make--happy."

    The sad thing is they don't see it that way. They base their information on some stupid newsletter link buried deep in this thread. It's not even pinned in the first post. So, that should tell you how much they really care about valuable feedback for a feature used.

    They are intentionally choking out local vaults. Period. There is no other excuse they have. Their excuses are just that. Their comment of "1password was built with security in mind!" is laughable.

    So was WEP
    So was WPA
    So was Sony
    So was Diffie-Hellman
    So was every other encryption that was good enough until it wasn't.

    The solution is to not leave OUR data on THEIR servers. Something much more attractive to be attacked and also with a GUARANTEE of getting important data.

    Their arguments are ludicrous.

    It comes down to this -

    Can you guarantee that the encryption you use is FLAWLESS and will NEVER be exploited ever? The answer is no. So get over yourselves with this "send us your data" nonsense. Our answer is no.

    (Also, I want to mention that this is NOT an attempt to not pay you money. I am MORE than happy to pay you an annual fee for this. I like your product. It's pretty and works well. This is about peace of mind and being able to take my digital life with me. Something that should be a given in 2018. I don't care if I have to pay you yearly for a license.)

  • Wow, deleting comments now. Stay classy 1password.

  • @2e9rhj2389hfnduafsdn

    Actually, the third-party audits say this:

    https://support.1password.com/security-assessments/

    The Sony issue (hack) was all user error. I think someone high up had a folder called “Passwords”. I have the link someplace and I’ll see if I can find it.

    The other examples are true, but they all got replacements as time goes on. WPA 3 is now in the works to replace WPA 2.

  • edited April 2018

    @prime I addressed that in my post but they deleted it. You know, the same company that claims they want to hear from their customers.

  • Hi everyone,
    Like most of the guys here, I personally don't approve of the choice of removing the WLAN Sync feature.
    My use case is simple: I own all 4 kinds of the devices you mention, and I need a way to sync the data among those devices.

    MacBook Pro used at work,
    iPad and Android Phone for home use,
    and a Windows Laptop for personal projects.

    You basically said that it's not convenient for you to support the Wlan sync feature mostly because you identified that your user base is not confident with that feature, and that is a point.
    But you should also have learned that in fact another large portion of users are leveraging it completely.
    If your fear is the approval of the user base, may I suggest that you let the users enable this feature as an advanced option?

    I think that this kind of behaviour will encourage the average user to follow the "main track" of online sync, and still, will enable more advanced users to use the software they bought as they like.
    This is more than just trust, I personally won't like the idea of blaming a company overseas for the theft of my data.
    I'd rather prefer to blame myself for having my phone lost.

    Should you still consider dropping this feature, I'd really appreciate it if you at least tried to implement some kind of sync feature among all the devices that is not online-based.
    For instance, may I suggest the use of old-fashioned cable sync?
    Even file transfer would be OK.
    It may mean that we should hold Master > Slave setups on our opvaults, or that you'll need to implement some kind of offline merge tool, but the effort in this case should be even more limited.

    Thanks,

    Best Regards

  • @ivans

    MacBook Pro used at work,
    iPad and Android Phone for home use,
    and a Windows Laptop for personal projects.

    How did you get multiple computers to work on this? I have tried many times to do this, and I couldn’t get it. I know AgileBits even said you can’t sync to multiple computers, but I tried anyways to see if I can get it to work.

    The WLAN server can’t sync a mobile device to multiple computers.

  • Hi @prime,
    Well, that's a pretty simple setup.
    I first initialized both Win and Mac vaults using the original backup.
    Then I use the Win opvault as a hub (meaning that it is always the most updated), and use the Android or iOS devices as bridges to sync back to my Mac.
    I never had issues with this.
    I must specify that I'm currently using 1password 4 + 7 on Windows
    1password 6 on Mac
    Latest on mobile devices

  • jpgoldberg Agile Customer Care

    Team Member

    Thank you @ivans. I believe that you have touched upon some core issues.

    If your fear is the approval of the user base, may I suggest that you let the users enable this feature as an advanced option? I think that this kind of behaviour will encourage the average user to follow the "main track" of online sync, and still, will enable more advanced users to use the software they bought as they like.

    WiFi sync has pretty much always been an advanced option. You may have gotten so used to it that you don't recognize it as such. The question is just how much we hide it. Everyone in this discussion is fully capable of understanding the implications of various advanced options, but you will not be the only ones seeing it. Plus, as I said, it is yet another sync mechanism to maintain.

    Again, I'm not ruling out us adding WLAN sync for 1Password for Windows 7, but there are good reasons not to, just as there are good reasons to add it.

    This is more than just trust, I personally won't like the idea of blaming a company overseas for the theft of my data. I'd rather prefer to blame myself for having my phone lost.

    This, I think is part of the core of the issue in psychological terms. Are self-driving cars safer than human driven cars? Absolutely! Are people happy with the risks of self-driving cars? Not really.

    People are far more willing to accept the risk when they feel that they are in control than when something else is in control. The same psychological mechanism is at play here. Doing it yourself not only feels safer, but it psychologically shifts the responsibility in a way in which people will accept much greater risks by driving themselves and sharing the road with other such drivers. I believe that some of the feelings about WLAN sync are driven by similar psychological mechanisms.

    But, as I also said earlier, we very much believe that people should be in control of their own data. And adding WLAN sync would certainly put actions behind our words, even if I don't think it is in your security interests. These are not easy questions. But as I tried to explain much earlier in this discussion, there are strong code development and maintenance reasons for reducing the number of sync mechanisms, and there are strong reasons in terms of customer support for reducing the number of synchronization mechanisms.

    These are not easy questions.

  • brenty

    Team Member
    edited April 2018

    I addressed that in my post but they deleted it. You know, the same company that claims they want to hear from their customers.
    Wow, deleting comments now. Stay classy 1password.

    @2e9rhj2389hfnduafsdn: No one has deleted your posts, and this is demonstrably false. You appear to have made 12 within the last week (including a new discussion you created, so perhaps that's causing some confusion for you). Scroll up, or you can also find all of them listed in your user profile.

    Please keep in mind that this is a support forum, not an editorial platform where you say whatever you want to the point of falsehood. We're happy to have you here, so long as you can adhere to the guidelines:

    Forum guidelines

    We appreciate your feedback. Just keep it civil so we can all share this place to discuss 1Password. :)

    Their comment of "1password was built with security in mind!" is laughable.
    So was WEP
    So was WPA
    So was Sony
    So was Diffie-Hellman
    So was every other encryption that was good enough until it wasn't.

    You have an interesting sense of humour. I sort of do as well, so I appreciate that. But the trouble with your examples is that the encryption was not broken in those cases; the protocols were — both in the technical sense, with the specs and implementations, but also in the broader sense with Sony of getting around security using people. The tough thing in those cases (except for Sony) is that you're dealing with hardware that is either unpatchable or difficult to do so, and a complex web of vendors. None of that applies to 1Password.com: AgileBits is a single company making the whole thing end-to-end, so we're actually in a position to address problems ourselves — not only with convenience matters like sync, but also technical and security issues. And not having important secrets in the first place (unlike Sony or our routers) means they cannot be taken from us.

    We're not saying 1Password.com is perfect. We know it's not. We're continuously improving it, and having auditors and security researchers hammer on it just as we do allows us to do that better than we could if it worked the way you seem to think it does. You should definitely check out the security white paper so you have a better sense of that. You'll find that we've designed it the way we have so that even if we make mistakes, we're not in a position to allow 1Password users' data to be compromised.

    The solution is to not leave OUR data on THEIR servers. Something much more attractive to be attacked and also with a GUARANTEE of getting important data. Their arguments are ludicrous.

    It's really not. It's quite rational. I can't stress this enough: we simply don't have the "keys" to it. And you don't have to just take my word for it. The code for our SRP (Secure Remote Password protocol) implementation, which is how 1Password.com works even without credentials being transmitted, is publicly available. So you can either audit it yourself or benefit from the analysis of other independent parties.

    It comes down to this - Can you guarantee that the encryption you use is FLAWLESS and will NEVER be exploited ever? The answer is no.

    You're right. That's why 1Password isn't carved into a stone tablet, handed down from on high. We're constantly working to improve it in any way we can. And, if and when a flaw is found that needs to be fixed, it will be addressed and available to our customers, since everything is included with the membership.

    So get over yourselves with this "send us your data" nonsense. Our answer is no.

    That's a pretty rude thing to say, but I appreciate the point you're trying to make. I do hope you will do the research before making up your mind though.

    (Also, I want to mention that this is NOT an attempt to not pay you money. I am MORE than happy to pay you an annual fee for this. I like your product. It's pretty and works well. This is about peace of mind and being able to take my digital life with me. Something that should be a given in 2018. I don't care if I have to pay you yearly for a license.)

    It's pretty clear that you're just as passionate about 1Password as we are. Even if we disagree about some things, we couldn't agree more about the importance of securing our digital lives. And, after all, we wouldn't use 1Password either if it didn't meet such a high standard for security for us and our families as well. Thank you for your support, and for taking the time to share your thoughts and feelings with us. We can't make any promises about WLAN Server at this time. I think some may assume that it's already coded and tested, but simply commented out, and that we can simply "flip a switch" to allow you to use it. That isn't the case, and we have to seriously consider the costs and benefits of investing the time and energy into developing, testing, and supporting WLAN Server in the new Windows app essentially in perpetuity before we commit to that. But feedback from you and others here better allows us to do that. Be sure to sign up for the WLAN newsletter so you'll be notified if and when we have news on this front. With this or anything else, I can't guarantee that we will do what you want every time, but I can promise you that we're listening. :chuffed:

  • brenty

    Team Member

    Well, that's a pretty simple setup.
    I first initialized both Win and Mac vaults using the original backup.
    Then I use the Win opvault as a hub (meaning that it is always the most updated), and use the Android or iOS devices as bridges to sync back to my Mac.
    I never had issues with this.
    I must specify that I'm currently using 1password 4 + 7 on Windows
    1password 6 on Mac
    Latest on mobile devices

    @ivans: I'm glad to hear that works for you. I just want to be clear that WLAN Server is designed with a single server (computer) syncing to multiple clients (mobile devices) in mind. I know others have successfully done what you're doing, but many others have also hosed their data that way (since changing servers destroys the sync state and could result in new data being overwritten with old); so I want to caution that this is not recommended or supported, and making regular backups of important data is crucial. I'm sure you're aware of that already, but I don't want anyone else going into that without knowing the risks. Cheers! :)

  • edited April 2018

    @brenty: No one has deleted your posts, and this is demonstrably false. You appear to have made 12 within the last week (including a new discussion you created, so perhaps that's causing some confusion for you). Scroll up, or you can also find all of them listed in your user profile.

    Yea, I have zero idea what's happening. That post was 100% gone (as verified on several devices) and now it's just magically back.

    You have an interesting sense of humour. I sort of do as well, so I appreciate that. But the trouble with your examples is that the encryption was not broken in those cases; the protocols were — both in the technical sense, with the specs and implementations, but also in the broader sense with Sony of getting around security using people.

    That's why I mentioned in my comment (which you agreed with by the way) that you cannot guarantee you will implement it flawlessly (not encryption broken, but in some manner where how you coded it or deployed it gets exploited) OR that it never gets cracked. You agree that you cannot, yet you still try to convince people 1password.com is the way to go. Remember, you guys just cut and paste encryption code (more on that in a minute.) So this makes my argument even stronger that you cannot guarantee it will never be cracked.

    We're not saying 1Password.com is perfect. We know it's not. We're continuously improving it, and having auditors and security researchers hammer on it just as we do allows us to do that better than we could if it worked the way you seem to think it does. You should definitely check out the security white paper so you have a better sense of that. You'll find that we've designed it the way we have so that even if we make mistakes, we're not in a position to allow 1Password users' data to be compromised.

    The problem is you can't "continually improve it" once the data on your servers has been leaked. So, the fact that you think this is an argument is silly. "Well, all of your data was stolen, but don't worry, we figured out the problem on our last qualys scan and we patched it! So we're good now! Oh... but your data is still stolen. But we're good!" You must live in a dream world where 0days don't exist.

    You will get hacked. It will happen. And when it does you'll have to send out the email of shame and tell everyone that their data was stolen and they should probably change all their passwords. I guess we'll have to wait for that to happen to actually get wlan sync.

    You guys clearly think sending all of our data to your servers is what's best. And you're gauging this on feedback of people clicking on a blog post, then scrolling down to the comments, hopefully finding this one dude's comment, then noticing that one of your guys replied to it, then noticing that he posted a link to a newsletter, then having a click through on that, then signing up. Then you come here with stats like "no one is signing up so clearly no one cares! Told you!" Yea, ok. Make a blog post addressing this with a poll, post it on your social media. Then come back here with some actual feedback. The fact you consider a link buried on a reply, to a comment, on a blogpost actual feedback is ridiculous. You've effectively whispered a question in a loud room then proclaimed that since no one heard you, you must be good. Heck, even the OP to this thread didn't even post a link to it, nor has it been edited and added.

    It's really not. It's quite rational. I can't stress this enough: we simply don't have the "keys" to it. And you don't have to just take my word for it. The code for our SRP (Secure Remote Password protocol) implementation, which is how 1Password.com works even without credentials being transmitted, is publicly available (https://blog.agilebits.com/2018/02/14/how-we-use-srp-and-you-can-too/). So you can either audit it yourself or benefit from the analysis of other independent parties.

    You clearly aren't reading what I or others are saying. Your keys argument isn't an argument. As you ALREADY said you cannot guarantee it will never be cracked. So I don't care that you don't have my keys. Once our data gets stolen it's just a waiting game until it is cracked. You already agreed to this, so not sure why you're still trying to make this a good point?

    That's a pretty rude thing to say, but I appreciate the point you're trying to make. I do hope you will do the research before making up your mind though.

    Not rude at all. You're asking us to trust you with zero guarantee. I'm pretty sure if you went to buy a car and they told you we don't guarantee it's actually a car, but give us your money anyway, you'd say no as well.

    You should definitely check out the security white paper so you have a better sense of that.

    I opened it just now, hit ctrl-f and typed in "employee" which returned zero results. So either you didn't address employee theft in this, or you didn't use the word employee but did address it. Regardless, you keep trying to change the argument away from something YOU YOURSELF HAVE ALREADY AGREED UPON. My argument has never been "I don't trust this isn't encrypted!" Keep in mind your company even agrees it knows nothing about encryption and you guys don't want to know about it. You even made a post about how 1password "...must not require a single line of encryption code to be written. Encryption code is tricky and is best left to experts." So again, you're just implementing and trusting that what you've done will never be exploited like hundreds of other encryption methods. I'm sure you guys paid someone a lot of time to make a pretty word doc with lots of clipart on it, but that doesn't address the issue here. And again... the issue you already agreed with me on is a problem.

    It's pretty clear that you're just as passionate about 1Password as we are. Even if we disagree about some things, we couldn't agree more about the importance of securing our digital lives.

    I don't know why you think that's pretty clear, you literally designed one password crippled to force us to use a cloud service to sync.

    And no, I'm not passionate about 1p7 anymore. You guys officially lost me. This is not a product for me.

This discussion has been closed.