how to purchase without subscription?



  • brentybrenty

    Team Member

    @SteveMouzon: Sorry, I guess I'm a bit late coming back to this, and am a bit surprised! I see that Ben and Lars have been communicating these things to you, but you're essentially calling them liars about everything from 1Password running locally on your machine so that it does not need to transmit your password to the server (which is how it has worked since the beginning) to the existence of Dave Teare (he's real! I saw him myself not long ago). :lol: Dave's spending time with his family for the independence holiday week, so you're stuck with me I'm afraid. ;)

    Our security model and how 1Password works is publicly documented. The code for our SRP -- Secure Remote Password -- implementation (which, as Lars mentioned above, is how we are able to verify that you know the "secrets" protecting your data without you actually telling us those secrets) is even open source:

    Developers: How we use SRP, and you can too

    That's the key to the question you asked:

    how is it possible that you're asking for my master password to log in to a membership?

    Which Ben already answered:

    Your Master Password and Secret Key are never transmitted to us. The decryption of your data happens entirely within your web browser or the 1Password client apps.

    But I can offer a few points that summarize how 1Password secures your data:

    1. Your 1Password data is encrypted locally on your device before it is transmitted.
    2. The server receives only an encrypted blob.
    3. Your Master Password is never transmitted.

    You might think I'm talking about specifically there, but that's the case no matter what 1Password setup you use — the only difference being that data is also encrypted using the 128-bit randomly generated Secret Key, which is also never transmitted to us. So there's an additional layer of security there as well. The key is that all of the cryptography happens on your device: data is encrypted locally using your Master Password (and Secret Key); data is decrypted locally. :sunglasses:

    Again, you can find all of the details in the security white paper, or check out SRP in particular (since that seems to be the focus of the questions you're hinting at but not asking directly).

    If you're not willing to read any of that though, I suppose you may just have to take our word for it. But how is that different from trusting that entering your Master Password into the app is safe, which you seem to have been doing for some time already? Either way, if you don't do your homework, using any technology comes down to trusting someone else. We go to great pains to document how we do things in an approachable way, both so end users can use 1Password without having to rely solely on trust, but so that 1Password's behaviours are well-documented so that independent parties can verify that it does what we say as well. We participate in external audits and cooperate with independent security researchers, both to help us improve 1Password and so that users can make informed decisions. But we can't do your due diligence for you. :)

    Lars may not, but I do take some umbrage at the repeated "bald-faced [...] phishing" aspersions. I'll assume that you're being intentionally hyperbolic out of good humour, but phishing attacks involve someone actively trying to get you to send them your secrets; here at 1Password, we're actively doing the opposite: going out of our way to know none of your secrets (both in policy and engineering -- see: SRP), and as little about you as possible in general. That's good for you of course, but also for us, because we don't want to be in a position to lose our livelihoods if someone is successful in breaking into our server. This way, if they do, all they get is encrypted data, none of they "keys" to it, which only the user ever has: the chosen Master Password, and the 128-bit Secret Key randomly generated on the device during setup.

    While there are certainly many layers of complexity with regard to exactly how it's done, I do think that fundamentally "data is encrypted locally and the keys to decrypt it are never transmitted" is a very accessible concept. It was good enough for you before, being how we've done things with 1Password from the beginning. The only thing that's changed is not 1Password's security model, but the power of the tools at our disposal to implement it -- in this case the fact that you can run 1Password and the necessary cryptographic functions, without having to know anything about cryptography, locally in a browser. :)

    I hope this helps clarify things a bit. If you have any questions about 1Password, please let me know. But, if you don't mind, let's dispense with the weird insinuations and accusations. You probably don't mean anything by it, but we do take security very seriously, so I'm sure I'm being a bit defensive here...but that's natural when someone inserts themselves into someone else's conversation and starts tossing around insults. Cheers! :lol:

  • Hi folks

    I have used 1Password for years, and have always liked it. And, I like the new version 7. But I absolutely HATE the fact you can only obtain it through a cheesy monthly subscription (and lets be honest, that really is the case unless you're willing to jump through a number of incredibly awkward hoops).

    I really wish you would make a stand-alone version of Version 7 easily available, which would be a whole lot easier to justify to the powers that be and eliminate the need for me to have to expense it every single month. The subscription model just creates extra work on my end, and is a constant irritant.

    I appreciate there is a cost to developing all this IP, and I'm more than happy to pay for the app. But please - offer an alternative way of getting it. This isn't working - especially with my boss constantly suggesting I find an alternative.


  • brentybrenty

    Team Member

    @cdrca: I'm not sure we can help with your boss, but it is not the case that you can only obtain 1Password 7 with a subscription, or that it's complicated. You just have to do the following: 1. download it, 2. install it, 3. run it, 4. set it up with your existing (local vault) data, and 5. click to purchase the license and remove the read-only restriction. You'd need to do those things to use 1Password anyway, so it's not even out of your way. You can find links to the version you need in my first reply here nearly a year ago. Hope this helps. :)

  • brentybrenty

    Team Member

    This discussion is almost a year old now and has really run its course. Anyone who wants to purchase a license can do so as we've outlined a number of times above. So I'll close this. But if someone needs help using 1Password, feel free to start a new discussion or shoot us an email at [email protected] and we can assist. :)

This discussion has been closed.