Standalone Version at Mac Store?


Comments

  • AGAlumB
    1Password Alumni

    Now you're suggesting that it's a plain and logical fact to anyone that well encrypted data can't be broken. I'm sorry, but anyone who looks a bit further into this matter will come to the conclusion that there is no such thing as absolute certainty when it comes to safety of data.

    @laptopleon: I apologize if I gave you that impression. To be clear, brute force attacks can break into our data...but not on a human timescale, so that makes it practically infeasible and not of much concern to those of us using long, strong, unique Master Passwords, which are further strengthened using PBKDF2.

    Almost weekly we find out that data or software has been compromised. Last week it was a bug in Cloudbleed that leaked data via HTTPS. Especially since Snowden, we all know that encryption in itself is just one of the components. When it comes to the heart of the matter, how many of us truly understand encryption techniques and how unbreakable they are? In the past, even the specialists have been mistaken. Even methods that we assumed to be 'extremely hard to crack' and therefore too time-consuming later turned out to be broken, bypassed or backdoored.

    That's a really good point, and it certainly behooves each of us to understand as much as we can when it comes to securing our most sensitive data. Crypto101 and “A Graduate Course in Applied Cryptography” (written by crypto/security professors) are great resources.

    There are so many factors, even beside encryption itself. For example: AgileBits is Canadian and therefore is generally seen as safer than American products, but only if push comes to shove will we find out how much of a difference there really is between one country's secret service and another. I'm not accusing anyone and I'm a 1PW customer myself, but for example also in Europe I've seen how far intelligence services go to get their info. The US even bugged the data cables of the EU and tapped the 'encrypted' phone of German head of state Merkel. It would be quite naive to think the US are the only ones doing this. These secret services have truly huge resources and no-one knows what exactly they are doing. They are above the law. It's quite scary.

    Fortunately cryptography is just math, and creating misguided laws, regardless of jurisdiction, doesn't weaken the encryption. We could hypothetically, of course, be legally required in the future to provide "back doors" or restrict the strength/type of encryption we use, but we'll simply stop offering our security products (or go somewhere else) rather than compromise the security of ourselves and our customers. We use 1Password too, after all. And then we're talking about brute force attacks again, for which there does not exist today enough power in the grid to succeed at this in our lifetimes, even for 128-bit AES keys (1Password is using AES256).

    Politics aside, using a central point where all passwords of 1PW users are stored is adding a weak spot rather than making things safer, from a technical point of view. It at least makes it a lot easier to find and collect all logins.

    Sorry. I did get a bit political there. I didn't say this explicitly earlier, but it goes back to my previous post:

    1. 1Password.com does not store "all passwords of 1PW users"; it stores only encrypted databases.
    2. The data of any given 1Password user is encrypted locally on their device before it is transmitted.
    3. The "keys" used to encrypt this data (and therefore to decrypt it) are never transmitted.

    Because these are only possessed by individual 1Password users, someone would need to get the full database from our servers, the individual Account Keys from each user, and find out the Master Passwords of all of them as well in order to accomplish what you're suggesting. To say that this is infeasible is putting it mildly.

  • AGAlumB
    1Password Alumni

    Goodness Brenty @brenty, you just never give it up, do you?

    @toasted: When it comes to security, no. We take this very seriously. If we didn't, I wouldn't be using 1Password myself, as it's not "just" customer data that's at stake here: it's our own as well.

    I just think it's prudent not to put my data on your servers. I don’t appreciate the AB responses that imply I just don’t know what is good for me… colloquially… you don’t understand, giving us your passwords is better for you and it's just so, so safe and simple.

    I'm sorry if I offended you, but it would be negligent of me to not address your concerns.

    “anyone can understand and appreciate” – but it's just talk, Agilebits offer no guarantees (how could they).

    You don't have to take my word for it. As I mentioned above, Crypto101 and “A Graduate Course in Applied Cryptography” (written by crypto/security professors) are great resources for understanding this stuff — especially since you seem interested in security to begin with! But ultimately if you're not able to trust AgileBits, you shouldn't use 1Password, because you're implicitly relying on us for your security. That said, we've always been very open about our security model, and with 3rd party audits and a security white paper, I think that there are good reasons to trust 1Password with our most sensitive data; but that's something that each of us needs to decide for ourselves. Because it's your data.

    Here are a few organisations that failed to keep their customer data safe in the last couple of years. I am sure that every CEO and CTO of these companies said, and still says, they were secure. [...] Criminals are attracted to these sites in part because of the massive trove of valuable data available to be stolen if they are successful… thefts impacted 145 million active users at eBay, 83 million at JP Morgan, 177 million accounts at LinkedIn. At DoJ they lost data on 10,000 Department of Homeland Security employees one day, then data on 20,000 FBI employees the next day and so on. But then again, maybe Agilebits have more highly skilled security technicians and depth of resources than the organisations above. If so, good luck to you.

    We have good people, but AgileBits is not infallible. So we've designed 1Password.com (and 1Password vaults historically) with the expectation that someone might get the database someday. And you're right that the stakes are much higher with 1Password.com, since we're hosting the data for so many of our customers. We're also using many of the same web technologies which others do, so it's possible that a weakness could be found that would allow someone access to the server to get the database. If such a flaw is found, we want to know before it's exploited, which is why we have 3rd parties auditing our systems and have bounties for those that report issues...but you'd also be right to think that this isn't enough. It goes back to my previous post, but I didn't say this explicitly:

    1. 1Password.com does not store "all passwords of 1PW users"; it stores only encrypted databases.
    2. The data of any given 1Password user is encrypted locally on their device before it is transmitted.
    3. The "keys" used to encrypt this data (and therefore to decrypt it) are never transmitted.

    Because these are only possessed by individual 1Password users, someone would need to get the full database from our servers, the individual Account Keys from each user, and find out the Master Passwords of all of them as well in order to not only get the database, but be able to decrypt it. Many of those companies, understandably, don't think of themselves as security companies tasked with protecting customer data (well, perhaps they do now). That's not the business they're in ostensibly. But the reality is that anyone on the internet is sort of in the security business, whether they want to be (or realize it) or not. So if there's a difference between AgileBits and the others in your list, it's not that we're perfect or "better", but perhaps that we're more paranoid. Our customers expect no less.
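    The three-point model above (and the identical list in the earlier reply) can be made concrete in code. The following is an added example, not code from AgileBits or from 1Password: it stretches a Master Password with PBKDF2-HMAC-SHA256, mixes in a device-held Account Key, encrypts a constructed sample vault locally with AES-256-GCM, and then shows that the ciphertext the server holds cannot be opened with only the password, only the Account Key, or a tampered blob. The XOR-style mixing of the two secrets, the iteration count, the function names and the sample data are assumptions for illustration; 1Password's published derivation differs in detail. Everything here is Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	keyLen     = 32    // AES-256 key, matching the thread's "1Password is using AES256"
	iterations = 10000 // assumption: kept low so the demo runs quickly
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) written inline so the
// example needs no third-party module; production code should use a vetted library.
func pbkdf2SHA256(password, salt []byte, iter, n int) []byte {
	out := make([]byte, 0, n)
	for block := uint32(1); len(out) < n; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac.Write(be[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// DeriveVaultKey combines the stretched Master Password with the Account Key so
// that neither secret alone yields the key. The XOR mix is a simplified stand-in
// (assumption), not 1Password's documented scheme.
func DeriveVaultKey(masterPassword string, accountKey, salt []byte) []byte {
	stretched := pbkdf2SHA256([]byte(masterPassword), salt, iterations, keyLen)
	spread := sha256.Sum256(accountKey) // spread the Account Key over 32 bytes
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = stretched[i] ^ spread[i]
	}
	return key
}

// Seal encrypts the vault on the client; nonce||ciphertext||tag is all a server sees.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a sealed blob; a wrong key or modified byte fails the GCM tag check.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Outcome records what each party can do with what it actually holds.
type Outcome struct {
	ServerSeesPlaintext bool // does the stored blob contain the vault contents?
	PasswordOnlyOpens   bool // server copy + correct password, no Account Key
	AccountKeyOnlyOpens bool // server copy + Account Key, wrong password
	OwnerOpens          bool // both secrets, on the owner's device
}

// RunModel stages the scenario from the thread on constructed sample data.
func RunModel() (Outcome, error) {
	vault := []byte(`{"site":"example.test","password":"constructed-sample"}`) // constructed
	master := "correct horse battery staple"                                    // constructed
	accountKey, salt := make([]byte, 16), make([]byte, 16)
	if _, err := rand.Read(accountKey); err != nil {
		return Outcome{}, err
	}
	if _, err := rand.Read(salt); err != nil {
		return Outcome{}, err
	}
	key := DeriveVaultKey(master, accountKey, salt)
	blob, err := Seal(key, vault) // this blob (plus the salt) is what the server stores
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome
	out.ServerSeesPlaintext = bytes.Contains(blob, []byte("constructed-sample"))
	// Without the Account Key an attacker must guess it; an all-zero guess stands in
	// for any one of the 2^128 wrong values.
	_, err = Open(DeriveVaultKey(master, make([]byte, 16), salt), blob)
	out.PasswordOnlyOpens = err == nil
	_, err = Open(DeriveVaultKey("wrong password", accountKey, salt), blob)
	out.AccountKeyOnlyOpens = err == nil
	pt, err := Open(key, blob)
	out.OwnerOpens = err == nil && bytes.Equal(pt, vault)
	return out, nil
}

func main() {
	out, err := RunModel()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

    Running it prints an Outcome in which only OwnerOpens is true; the blob alone tells the server nothing, and each party missing one of the two secrets is stopped by the GCM authentication tag rather than by any secrecy of the code.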

  • laptopleon
    Community Member

    Reading it all back, I'd like to add that I don't want to be too negative. If AgileBits chooses to do this (higher price, obligatory monthly subscription, server based system), it's their right. However, it's not per se the best development for all users and probably not for me.

    I'd like to store my logins and secure data locally, pay for what I use, and rather opt for the classical 'buy it and own it'.

    When in the near future I'm more or less forced by a system update that needs a 'major' update of 1PW into a monthly subscription model, higher price and/or online server method, I will respectfully decline and look for an application that better suits my peace of mind and budget.

  • AGAlumB
    1Password Alumni

    @laptopleon: I don't think anyone can argue with that. We each have to decide what works best for us. I just didn't want you to turn your back on something that seems to have served you well due to a misunderstanding. Thanks for listening, and for sharing your own perspective. :)

This discussion has been closed.