Membership without Account Sync (and some pricing questions)

dtomack

So, I've been a 1Password user since 2011. I've really enjoyed using the product all these years, and am at the moment still back on version 6. I'm looking at updating to version 7 because 6 is no longer supported and security threats being what they are, keeping up to date is generally a good idea (barring the introduction of new security issues in new versions of software). So, I'd like to upgrade.

I'm not averse to paying for a subscription to provide myself with major updates and your team with a reliable revenue stream. However, I'm a bit paranoid about security, and specifically the security around my password database. I've looked at your docs, and I think you are likely doing everything right to keep the cloud-stored databases safe. I don't want mine there. That said, if I were to purchase a subscription:

• can I opt out of all of the cloud based features?
• I would like to continue to use local-storage only of my database and manually sync it to my ios devices. Do able?
• Is it easy to ensure that there is no accidental sync of the database to your service?

On pricing:

• I assume that it is a single subscription fee. There is no discount for previous licensees, or is there?
• Is there a discount for the non-member license for 7? (In case going with the membership doesn't work for me).

Lastly, I really like your software. I think you have a great website for someone coming in and starting out with your guys. I found it:

• Hard to find information on the website about what features are missing from the non-membership license for 7 versus the membership. A table would have been great. I assume it is just that the stand alone version offers none of the web-based features. Yes?
• I understand that you are trying really hard to push new folks into subscriptions. I understand the business reasoning behind that. But, it would have been nice if it was easier to find the info about he stand-alone licenses.
• It was also nearly impossible to figure out how to purchase a stand-alone license as there appears to be no way to do this via the website; it must be done from the application.

Thank you!

Darin

---

1Password Version: 6.8.9
Extension Version: Not Provided
OS Version: OS X 10.14.1
Sync Type: local

AGAlumB

can I opt out of all of the cloud based features? I would like to continue to use local-storage only of my database and manually sync it to my ios devices. Do able? Is it easy to ensure that there is no accidental sync of the database to your service?

@dtomack: Yep. You can do all of that. You'd only have encrypted data stored in your account if you put it there yourself. So if you don't want that, don't.

I assume that it is a single subscription fee. There is no discount for previous licensees, or is there? Is there a discount for the non-member license for 7? (In case going with the membership doesn't work for me).

We've offered a number of promotions over time as we launched various 1Password.com services. Nothing like that is running currently, but if you'll contact us at sales@1password.com we can let you know if there's something that might apply to you down the road. As I write this, there is still special pricing on licenses:

1Password 7 for Mac: The Best Ever

1Password 7 for Windows: The Best Ever

Hard to find information on the website about what features are missing from the non-membership license for 7 versus the membership. A table would have been great. I assume it is just that the stand alone version offers none of the web-based features. Yes?

Correct. There are no "missing" features, as the apps are the same regardless of how you pay for them. But only 1Password.com memberships get additional benefits which rely on the hosted service.

I understand that you are trying really hard to push new folks into subscriptions. I understand the business reasoning behind that. But, it would have been nice if it was easier to find the info about he stand-alone licenses. It was also nearly impossible to figure out how to purchase a stand-alone license as there appears to be no way to do this via the website; it must be done from the application.

Indeed. I'm sorry. But we've done that and it sucked. We regret that this caused you some frustration, but -- not to disregard your feelings -- but the level of confusion we've seen before we switched to marketing only memberships pales in comparison to what happened when we marketed both options side by side for over a year. I agree that it isn't ideal that those who want a standalone license cannot find more details about it on our website, but we don't want perfect to be the enemy of the good, and you can still select the standalone license option right within the app during setup to purchase there. Given how few people want to use 1Password only on one platform, and given the lessons we've learned from history, I think this is the best compromise. :blush:

I would, however, be curious to know what additional security measures -- besides not having the keys to decrypt anyone's data -- you would like us to add to 1Password.com to make you feel safe storing encrypted data there, so that you could actually benefit from some of the best features of the service, like secure sharing and seamless sync. Either way though, let me know if you have any other questions. :)

dtomack

Wow, an answer on Sunday! Thank you so much for information you have provided.

I would, however, be curious to know what additional security measures -- besides not having the keys to decrypt anyone's data -- you would like us to add to 1Password.com to make you feel safe storing encrypted data there, so that you could actually benefit from some of the best features of the service, like secure sharing and seamless sync. Either way though, let me know if you have any other questions. :)

Mostly, I'm just paranoid. I understand that in an ideal situation, all of the data and meta data are encrypted in the database and it won't be possible to circumvent that. At this point, I'm a little out-of-date on how the database is encrypted. Regardless, your service, is likely a somewhat enticing target, and regardless of my data being encrypted, it could possibly be stolen and, if there are any flaws in your method, broken later. I do back up my database, and it backed up offsite using a back-up tool that does client-side encryption, but in that case, what gets sent to the server is just an encrypted blob with no relationship to 1password; it is just file data. Someone would need to unencrypt the file segments and put the file back together. Then break your encryption as well. Regardless since the data is stored separate from the trove of other folks data, it is harder to find. Security through obscurity; not great, but it does make me feel a little more secure.

Syncing myself isn't a hardship either.

I will likely go with a subscription; I can always change my mind later on the 1password service based sync.

I'll drop sales a line to see if there is anything coming up soon.

Thank you again,

Darin

P.S. I'm a software developer. I currently work on a web based application that handles customer PII information.

AGAlumB

@dtomack: You're very welcome! :chuffed:

Regardless, your service, is likely a somewhat enticing target, and regardless of my data being encrypted, it could possibly be stolen and, if there are any flaws in your method, broken later. I do back up my database, and it backed up offsite using a back-up tool that does client-side encryption, but in that case, what gets sent to the server is just an encrypted blob with no relationship to 1password; it is just file data. Someone would need to unencrypt the file segments and put the file back together. Then break your encryption as well.

Interestingly, that's roughly what we're doing as well. The server only receives an encrypted blob, which was encrypted locally using a Master Password (of your choosing) and the 128-bit Secret Key (randomly generated locally on your device during signup). Neither of those are ever transmitted to us. We recognize that we're an attractive target, so the only way we're not too terrified to even offer this service is ensuring that we simply never have the "keys" to 1Password users' data. That way even if someone steals everything we have, 1Password users -- including ourselves -- aren't exposed.

An illustration of this is that when something breaks during the signup process, and the user does have the chance to save their Secret Key, it's gone forever. The account is unrecoverable. Fortunately at that point nothing is stored there! I was just helping someone who ran into an issue like this due to using an outdated browser. They just need to start over with a new account, because if they don't have their account credentials, no one does. So whether you use 1Password.com or a local vault stored somewhere else, an attacker would need to actually go through you to get access to your data, by stealing your account credentials from you. At that point, it's not out of their way to grab the encrypted data too. So effectively the risks are exactly the same no matter how you use 1Password, so there's no security downside to taking advantage of the added convenience of 1Password.com, and no benefit to using a local vault instead.

Syncing myself isn't a hardship either.

:) :+1: I'm in the same boat...but man, not having to deal with configuring sync for individual vaults across multiple devices anymore is sweet!

Regardless since the data is stored separate from the trove of other folks data, it is harder to find. Security through obscurity; not great, but it does make me feel a little more secure. [...] I will likely go with a subscription; I can always change my mind later on the 1password service based sync.

That was my thought too. Definitely check out the security whitepaper, if for no other reason than it sounds like this stuff is right up your alley anyway. And we're happy to answer any questions you might have. 1Password is designed so that your data is safe even if someone finds your hiding spot. The only way someone can decrypt it is with the "keys" which only you have, so it's one less thing to have to worry about.

I'll drop sales a line to see if there is anything coming up soon.

Sounds good! While we cannot divulge those sorts of things before their time (and almost never know anyway), that gives us an easy way to let you know when something is available, and we're not at all opposed to applying a coupon retroactively if you happen to just miss something shortly after signing up. ;)

XIII

Syncing myself isn't a hardship either.

Does 1Password 7 offer WiFi sync on all platforms?

Otherwise the OP might still have to use the cloud to sync (Dropbox and iCloud are cloud as well).

AGAlumB

@XIII: Not on Windows, and it's never worked between computers anyway, only between one computer (server) and one or more mobile devices (clients). I guess I misread earlier when it was said that "I do back up my database, and it backed up offsite using a back-up tool that does client-side encryption" and thought they were using some cloud sync service already anyway. But for our purposes, since 1Password data is always end-to-end encrypted and doesn't depend on the sync service to protect the data anyway I don't suppose that it matters whether we call it "sync" or "backup".