Can I still buy standalone license for the 1password? [no longer being marketed]


Comments

  • I personally oppose this move (for myself only). If others want to go cloud and subscription, it is nice you are offering this choice. I will never use a subscription-based software product, nor will I use a product that stores any information in a cloud. I completely abandoned Adobe over this issue. You may think it is safe, but you may have already been had, and just not know it. Many of the cloud exploits only come to light years later. That is not good enough for me. The main reason I went with 1PW was the local encrypted storage, and a software license I could purchase, rather than pay for over time. Yes, it might cost me more in the long run, but it is worth the peace of mind. When I can no longer renew my stand-alone licenses, then I will find another solution, even if it has to be home brewed. I have absolutely no problem configuring the app the way it is, and has been, for a number of years. Please keep open the option for our stand-alone licensed versions.

  • That probably came across more argumentative than I meant it to. Put it another way - Agile backed off on removing the sharing by iMessage - now you warn and allow users to make the right decision. Why is this different?

  • prime
    edited July 14

    Unfortunately that's not sufficient - local vaults need to be a peer feature, not a hidden hack.

    @dougl IMO if a person is getting a subscription, the point of it is the 1Password sync tool. That's why the 1Password sync is the default and the others (local vaults, or other ways to sync such as iCloud, Dropbox, and others) are not out in the open.

    This is like me getting upset that my Outlook app on my computer opens to the inbox. The inbox is the default, and most people use it this way... that's why it's the default. I don't have mine set up this way at work, and had to work at it to do what I wanted.

  • @prime True, but Outlook doesn't force you to use Office365 cloud email, for example - if you want to use POP and IMAP, you're not first forced to set up an online Exchange email account that you'll never later use.

    I don't object to a default, nor recommendations - but having to hack around to make it work, after first having to do in-browser setup and creating a lingering vault that's never intended to be used, is the worst kind of kludge. They had a perfectly serviceable local setup system in place, and it's just been nerf'd. It almost appears that Agile would like to dump everything but the cloud vaults, but is afraid of an even greater backlash, and much as the register headline intimidates, are taking actions to make it hard to stay local. They've tried in the past to drop local sync (though not local vaults), and ended up bringing it back, so there's history here.

    Frankly if that's what they intend, I'd rather they just say so, rip the band-aid off and kill local vaults and sync completely. That'd be their business decision, and it's certainly within their rights to do so. We'll just move on.

    Or, they can embrace local vaults within a subscription model, only provide updates to a subscription client to force the migration, endure some level of complaint about that (mitigated with a lot of notice), convert a large majority of non-revenue customers into revenue ones, and greatly improve their earnings. Adobe did that - CS2,3,4,5 users all complained loudly, but they weren't generating revenue for Adobe anyway. Same thing with Microsoft and Office. I had no functional need to update from Office 2011, but they stopped providing support, so I had no choice - subscription or nothing.

    I hope they vote for both more revenue and better security options.

  • prime
    edited July 14

    @dougl

    @prime True, but Outlook doesn't force you to use Office365 cloud email, for example - if you want to use POP and IMAP, you're not first forced to set up an online Exchange email account that you'll never later use.

    I meant as an email client and nothing more, and that's my point. I could have used the Gmail mail app for an example for all I care, or Thunderbird. The point was "default". The "inbox" is the default for all email clients, that's a fact. I have a goofy setup for work, and I had a different email inbox as the default for various reasons.

    You're "forced" (I use that word very loosely, because I don't think they forced anything) and are looking at the default because that's what 99% of the people are buying the subscription for. Why would they do something different if the whole point of the subscription was to make it easier for the 99% of the people who get it, and who want to use 1Password.com to sync? If a customer is getting a subscription, there is a very, very, high chance they are only going to use 1Password.com to sync... right? You're probably the 1st person ever who got the subscription to use local or other means to sync.

    They said numerous times in many threads that people wanted an easier way to sync, and I've seen it on here. Look at all the issues on here from people who can't sync and wanted something easier, it's all here. I've recommended 1Password to many people and they were wondering why they needed to get a Dropbox account to sync (don't get me started on using Wi-Fi sync with a person who isn't tech savvy at all). It makes sense, and not everyone who uses this is tech savvy.

    In my opinion, in the early days of 1Password, only the tech savvy people used it. It was fine, it worked, and people were happy. Now in today's world, more and more people are using password managers... who aren't very tech savvy at all, and want something much easier to use.

    Tech savvy people fiddle and will figure out things. I don't think AgileBits hid anything at all from its users.

    If studies show that 99% (or the majority of the people) do stuff a certain way, guess what, a company will be set up that way by default. Years ago Ford removed CD players from their vehicles, why? Because the majority of the people stopped using them. You're always going to have the one-offs who do it a different way, and that's going to happen.

    Dave and AgileBits made a statement and I think it was cool they did. Again, they can't make everyone happy, but I think they are keeping most of their customers happy. If you go through life trying to make everyone happy, you'll just go nuts.

    Edit: something I want to add that I also see on these forums. I see people coming on here saying they want the license/stand alone blah blah blah and I see customers getting taken care of. I had first-hand experience that the people at AgileBits went out of their way for me, not once, but twice, to help me out. Very few companies go out of their way this much helping a customer.

  • Ben (AWS Team)

    AgileBits Team Member
    edited July 14

    @dougl,

    Aside from the fact that no secret key or master passphrase should ever be required to be transmitted via a browser, because it's undocumented, hidden, complex, and leaves stale data in a vulnerable state. Can a user completely remove all cloud vaults after doing the hack-around?

    That is the thing, though:

    1) It isn't transmitted
    2) It is documented (1Password Security Design White Paper)

    From a business standpoint, folks will run into exactly what I did. I tried to subscribe, was asked for a master passphrase, and immediately abandoned the session because it looks like I'm being railroaded into the cloud. With no other options presented, it's a poor user experience.

    By signing up for a subscription you are signing up for a 1Password.com account. If you later opt to not use that account other than to give you full access to the apps that is your call.

    Let me flip it around and ask this: Isn't setting the default to cloud with appropriate warnings, recommendations, and guidance enough?

    No.

    Why are you actively trying to hide and make using a local vault and local sync difficult, user hostile, and clunky? Do you not trust your users to take all the facts and data into account and make their own informed decision?

    I think we've been over this quite a bit. :)

    Ben

  • Ben (AWS Team)

    AgileBits Team Member

    Hi @HenryAZ,

    Please see this blog post:

    AgileBits Blog | Why We Love 1Password Memberships

    We appreciate the feedback.

    Thanks.

    Ben

  • Ben,
    Thanks for your response and the link. The point I was trying to make, and I am sure there are others out there like me, is that none of Dave's "No More" list applies to me. I have no problem syncing between Macs (rsync), or with my iOS devices (Wi-fi sync), nor have I ever deleted my 1PW database, but if I did, I have backups. I have no doubt Dave's list is valid, and his "No More's" consume a lot of support time, and that offering a simpler cloud-based option may be just the right thing for some users. But don't force me to that as the only option, or we will part ways. I have absolutely no faith in the security of any cloud, even encrypted connections and storage. Quantum computing is on the horizon (or even here already, at No Such Agency). Nothing in the cloud is secure. I do love 1PW, just like it is as a stand alone, locally based, program. The locally based part is why I chose your product to begin with.

  • Ben (AWS Team)

    AgileBits Team Member
    edited July 14

    @HenryAZ,

    Thanks again for sharing your thoughts. I'm not sure if you had a chance to read the whole article, but we've explicitly said that we are going to continue to support standalone/local vaults. :)

    Thanks.

    Ben

  • Hi Ben,

    Fair enough, shouldn't have used the word 'transmitted'. The master passphrase is entered into the dirtiest, most compromised piece of code on a computer. At best, then changing to an internal vault and sync is an undocumented, discouraged, hidden kludge that's only available on half the platforms.

    But in any case, we've about exhausted the topic. Agile insists on confusing subscription licensing with cloud vaults - it is absolutely possible for there to be subscriptions without cloud. The lack of local sync and vaults on Windows and Android clearly shows where the direction is - I strongly suspect that if major development effort were required to keep them on iOS and OSX (e.g. an OS change), they'd simply be dropped. If that's not true, and you intend to keep it, then I'll expect to see Windows and Android local vaults and sync in the next release.

    My net is this: I don't have to change today, and won't until the other shoe falls. For new users however, I cannot recommend the product any longer - you've lost the differentiator that led to the recommendation. Several of my colleagues have now chimed in internally and we all feel the same way. Agile is going to lose some of their best and most effective viral marketing.

    I wish you and Agile all the best. In the past you've been really good about listening to customers, and I hope you'll do so again in this case, and split the cloud and subscription only model apart.

  • Hello AgileBits, days ago I read this:

    http://appleinsider.com/articles/17/07/11/1password-irks-security-experts-in-push-toward-cloud-based-vaults

    and this:

    https://motherboard.vice.com/en_us/article/evdbdz/why-security-experts-are-pissed-that-1password-is-pushing-users-to-the-cloud

    I encourage you (AgileBits) to take time and read all of those comments of users currently using LOCAL vaults with 1Password: I am one of them. The bottom line in all this is: you are mistaken in believing that your users are willing to sacrifice the strong security we have with local vaults for the convenience of uploading all of our credentials to the cloud: you-are-wrong... We do not want, and will never want, not for a second.... to use any cloud system to store our credentials.

    When choosing a password manager years ago, I made up my mind on 1Password for a reason: the reason that AgileBits made a commitment to us (your customers) that you would NOT store our stuff in the cloud, and that you would offer a local sync method for our passwords: this is why I discarded LastPass software and went to 1Password, buying licenses for iOS, macOS and Windows!
    In fact, I still remember how proud AgileBits were, differentiating themselves from services like LastPass..... arguing the benefits of NOT storing credentials in the cloud, but locally. Years later...... to your own shame, you are switching your business to the very same model LastPass had when you were comparing yourselves with them. And by that...... you are betraying your customers.

    If AgileBits plans in the short/long term to decommission 1Password with local vaults, 2 things will happen:

    1. I (like many, many others) would never pay for any subscription model for storing my credentials in any cloud system.
    2. Your betrayed customers could request Apple to include 1Password-like functionality built into iOS, macOS, etc.

    AgileBits, be smart: Apple has the money and man-power to build 1Password functionality directly into their operating systems; we only have to request en masse that they build that.

    Please, keep local vaults..... and DO NOT force your customers to upload all of their passwords/credentials to the cloud, just because you are thinking of revenue, and NOT of what your customers want.

    Hope you consider all this, and please take time to read the internet about the strong opposition your customers have about your cloud-subscription-business-model.

    -Mark.

  • Ben (AWS Team)

    AgileBits Team Member

    Hi @mark_ux

    Please see this blog post for our response:

    https://blog.agilebits.com/2017/07/13/why-we-love-1password-memberships/

    Thanks!

    Ben

  • brenty

    AgileBits Team Member

    @warpspeed: There's a lot going on here, and I think we may have missed your question. Sorry if that's the case — or if I'm missing something else:

    What about windows? Right now 1Password6 actively does not support local sync or Dropbox.

    1Password 4 supports syncing via Dropbox and WLAN server.

    So your statement is incorrect. A user cannot buy a subscription and use only local sync.

    That depends. If that's something you're seriously interested in doing, shoot me an email at support@1password.com and post the Support ID you receive here. We can discuss the specifics of your situation and see if we can come up with a solution.

    Also is local sync a feature of the subscription plans? It doesn't seem to be. It seems that "local cache" is the feature there.

    The 1Password client apps support local sync. It doesn't use the 1Password.com server (and predates it), so it's not involved at all.

  • brenty

    AgileBits Team Member
    edited July 15

    @dougl: I know we're just not going to agree about some things, but I really appreciate the thought you've put into your comments here. I hope you don't mind, but you brought up some really interesting points and I wanted to clarify a few things that may have been overlooked:

    For users on Windows and Android, local vaults and local sync are not available.

    That's not quite true. The standalone 1Password apps we have on both Android and Windows support syncing via WLAN server.

    I tried to sign up for a subscription (per my word). There doesn't seem to be any way to do so without setting up a web vault. Unfortunately, that's not good enough. Railroading people into a web vault, then allowing them to disable it is going to cause accidental data disclosure, and isn't acceptable.

    You're right, signing up for a 1Password.com account does entail, at the very least, a Personal/Private vault. But given that you don't have to use this and can use a local vault instead with a completely different Master Password, it's sort of irrelevant. The only way it could result in data disclosure is if you 1) store (encrypted) data there and 2) disclose your Master Password and Secret Key yourself, as you're the only one who has those. It's definitely a bit confusing though, since 1Password.com memberships aren't exactly designed with this in mind (i.e. customers didn't ask us to make vaults harder to sync and share, but rather easier).

    I don't disagree with any of your points, and I've been there myself fiddling with local sync to get it working. But forcing a cloud vault setup - especially having the master passphrase entered in the dirtiest piece of code on most folks' computers (the browser) - is unnecessary and risky. If the master passphrase is never sent to the cloud - and that's an advertised security feature - then there's no reason to have folks set up the system with it in the browser. That alone is a complete show stopper for me.

    There's actually a really good reason, though I recognize it doesn't apply in your case: Most people just want this stuff to work. They don't want to have to try to decide between a bunch of different options; they just want to be able to secure their data and access it anywhere. That's why 1Password.com exists. Most people use the 1Password apps and not the web interface; and if you don't use it to store anything at all, you don't have to worry about it, even if you give away the keys.

    Let me paint a different option for you, because the subscriptions and cloud are still getting confused.

    I understand that it's not precisely what you're after, but it isn't a matter of confusion at all. 1Password.com memberships include cloud storage/backup/syncing/sharing as (a) foundational feature(s), since we've been asked for this for a long time. So while you're right that "subscription" and "cloud" are not inherently the same thing, in this case they're very much intertwined by design. The former pays for the latter, which in turn enables a lot of things that aren't possible without a centralized service. And we can't have one without the other without sacrificing the things that people were asking us to offer in the first place, even if you're not in that camp yourself. And since that's something we can offer without taking anything away from people who bought licenses and prefer to stick with local vaults, it's win-win.

    P.P.S. @Catalin1p there have been numerous attacks against the cloud-based competitors, including loss of user data. This isn't the same as losing iPhotos or Google Calendar (hopefully the user had a backup). A compromised password vault is catastrophic.

    How right you are. And that's why we never have the keys to the data. That possibility scares the skin right off of us, so we're not willing to put ourselves in that position in the first place. Otherwise we wouldn't be here talking about 1Password.com at all; we'd all still be using local vaults exclusively ourselves. :scream:

    (It sounds like you gave up on your 1Password.com trial after a few days, but if local sync is something you'd still like to pursue there, shoot me an email at support@1password.com and post the Support ID you receive there; I'll see if I can help.)

    Anyway, I love how passionate you are about the standalone version of 1Password and local vaults, because we've loved building all of that. Whether you end up using a 1Password.com membership, the standalone setup you're used to, or (like many of us here at AgileBits) a little bit of both, we're here for you. And we're grateful for your support and for trusting 1Password not only with your data, but as part of your workflow. That means a lot, because while we make software that we want to use anyway, it feels really great to hear that others enjoy it too. Cheers! :)

  • @brenty Thanks for the thoughts and conversation. Keep in mind that my comments are focused on new users - the groups I speak to on a regular basis, and have historically recommended using 1Password. I'm looking at it from the standpoint of a new customer who needs local vaults and local sync. I agree that most folks want it to 'just work', but some significant minority also need 'very secure'.

    I guess I'm confused, do the current (1P6) windows and android versions support local-vault and sync options?

    I never got past the 'enter passphrase into browser' part of the sign-up process (that's a non-starter), so stopped without going further.
    If most people don't use the web interface, why is using it required to create a vault when just signing up for a subscription? Why not separate the signup part from the vault setup part? If you do that, cloud vs local is just another Yes/No on the flowchart, since, as you point out, the local pieces already exist. I stand by my offer to sign up for a subscription to support future development, when I can do so without creating a cloud vault. For users who do want the cloud, it needs to be done via the application, not in the browser. We have to assume that a browser has been compromised unless proven clean. That's why banks use web-based antimalware before they let you log in.

    I understand that AB's position is that cloud is best, and people should use it. As I've written earlier, security people all too often fall into 'we know best' and shove that down users' throats. That's when users start actively working around the solution - in this case, they will simply not use a password manager at all, rather than put sensitive data into the cloud.

    I think one of the fundamental differences in our viewpoints is that you trust your code and I don't. The crypto may be sound, but there are bugs in the code. Some of those will impact security. Full stop. We don't, and won't, know exactly what they are until they're found and exploited, and by then it may be too late. I help secure enterprise-class cloud environments, and it's damned hard to get right. That's why we spend tons of time and money building SOCs and implementing security intelligence/SIEM solutions. We know the security will fail at some point, and have to have a plan in place for when it does.

    In this case, if the cloud is compromised, all the vaults could be captured by the bad guys. At that point we are relying on the software that implements the crypto to not have any bugs that compromise it. We're also relying on users having a complex password resistant to dictionary and hashcat attacks (we had that conversation a while back). The former is a low-probability event. The latter is a moderate-probability event. But the impact to the user is catastrophic. That's all true for local vaults too, so how does putting the vault in the cloud change this? Simple, it makes the capture of my vault far more likely than if it's on my local machine.

    Can we calculate the probability of a code defect rendering vault crypto easier to crack? Nope. Can't do it for FileVault, BitLocker, or PGP either, and I use all of them. Ultimately we have to have some level of trust. I trust the crypto in PGP, FileVault and Bitlocker - and 1Password, but I don't put my PGP archives or drive clones on Dropbox. And right now, I won't put my password vault up there either.

    Do enterprises I work with put their most sensitive data in the cloud? Sure, some do - and some that I'm a customer of. There are contractual penalties in place that mitigate that risk. Enterprise cloud licenses are like that. Consumer cloud licenses aren't. To be fair, consumers get squat when a breach takes place (e.g. the Anthem breach settlement I wrote about on my blog, and how useless it is to the customers who lost their data). That's largely due to a legal/policy gap where they own our data, rather than just being custodians of it. Whole other conversation there, and that'd bring in politics... and this is already convoluted enough :-).

    For many of my audiences, using an unapproved 3rd-party cloud service is not permitted by policy. For others, even with a low probability, the impact of a breach is so large that the overall risk score of having vaults in the cloud (risk = probability * impact) is still high enough that they won't do it. That's why I'm willing to share certain 1P items via iMessage (for convenience), but not others: I make a risk judgement.

    Would I ever use a cloud vault? Probably not, though never say never. Right now, there are enough factors to make me say no - particularly the requirement to set it up in a browser, company policy prohibiting it, and lack of recourse if there's a breach.

    And that was the beauty of 1Password. I could recommend it for all users (I'd missed the dropping of Windows and Android local support as I don't use those platforms). I knew that you could meet all the use cases. Nice, simple, clean. Now it's really muddy.

  • dougl
    edited July 14

    One last note - it's been a long time since I read your team's whitepaper - I did it when a small business asked me for a cloud solution (ironically). I'm going to dig through it again to make sure I'm giving you guys a fair shake. On that note, have a great weekend!

  • brenty

    AgileBits Team Member
    edited July 15

    @brenty Thanks for the thoughts and conversation. Keep in mind that my comments are focused on new users - the groups I speak to on a regular basis, and have historically recommended using 1Password. I'm looking at it from the standpoint of a new customer who needs local vaults and local sync. I agree that most folks want it to 'just work', but some significant minority also need 'very secure'.

    @dougl: Likewise, thanks for the thoughtful discussion. You make a key point here. Admittedly, we're very much focused on new customers not needing (or, frankly, wanting) local vaults or local sync, as that's overwhelmingly been our experience. We did, however, initially think that we could continue to market standalone licenses and 1Password.com memberships side by side, and did that in both the apps and through our website for a year. We thought we were clever enough to present both options side by side and simply let the user choose. But the reality was quite different, and we received thousands of messages from confused, frustrated, and angry customers who bought the standalone version and couldn't use 1Password seamlessly across all of their devices — to say nothing of those who simply gave up trying to navigate all of the options.

    I guess I'm confused, do the current (1P6) Windows and Android versions support local-vault and sync options?

    It's not your fault. It's confusing. 1Password for Android has WLAN server for local sync. 1Password for Windows version 4 does as well, but since version 6 does not support local vaults in the first place it does not have this and other features that depend on that. If we could have added support for 1Password.com accounts to 1Password 4 that would have been much simpler. Alas...

    If most people don't use the web interface, why is using it required to create a vault when just signing up for a subscription? Why not separate the signup part from the setup vault part?

    1Password.com is fundamentally built to enable features like seamless access across all platforms (including the web), sharing, backup, etc., and all of that depends on a centralized service. Since we were building a web app anyway for those who want browser access, it made sense to have things like account management as well. We are working on bringing more of this to the native apps though.

    I stand by my offer to sign up for a subscription to support future development, when I can do so without creating a cloud vault.

    That sounds reasonable. :)

    I understand that AB's position is that cloud is best, and people should use it. As I've written earlier, security people all too often fall into 'we know best' and shove that down users' throats.

    I think that's something of which we all must be vigilant.

    That's when users start actively working around the solution - in this case, they will simply not use a password manager at all, rather than put sensitive data into the cloud.

    Right. And without 1Password.com a lot of people will never use a password manager at all. It's both too confusing and too much of a hassle for most people. We agree that 1Password isn't perfect and we're committed to continuing to improve it, but let's not toss out the security benefits 1Password.com can offer many people in the name of ideal security.

    I think one of the fundamental differences in our viewpoints is that you trust your code and I don't.

    You're right that we have a bit of an unfair advantage here. Since it's something we created and we have insight into the work we put into designing, building, testing, and continually looking for ways to improve it, we're confident enough to use it ourselves, especially after the ongoing efforts of outsiders to find weaknesses (which began before even 1Password for Teams was in beta).

    The crypto may be sound, but there are bugs in the code. Some of those will impact security. Full stop. We don't, and won't, know exactly what they are until they're found and exploited, and by then it may be too late.

    Amen. And if more folks in the security community would spend time testing their hypotheses, we'd all be better off for it — and they could put some money in their pockets for their hard work as well.

    In this case, if the cloud is compromised, all the vaults could be captured by the bad guys.

    Can you elaborate? Given that we don't have the keys to decrypt the data, that seems like a bit of a stretch.

    At that point we are relying on the software that implements the crypto to not have any bugs that compromise it.

    Many have tried and no one has been able to get to the bad poetry. And even that would be a single piece of data. Everything 1Password.com users store in their accounts is encrypted with their own keys, so someone would have to break into AWS, get each separate object store, run it through an AES decrypt tool (infeasible with the Secret Key, but more on that later), only to find out then if that is anything valuable.

    We're also relying on users having a complex password resistant to dictionary and hashcat attacks (we had that conversation a while back).

    We're not. The Secret Key, a 128-bit, randomly-generated string, is also used to encrypt the data.
    So even if my password is monkey123, guessing — or knowing — only that won't get an attacker anything.

    Simple, it makes the capture of my vault far more likely than if it's on my local machine.

    I strongly disagree. Even being a security professional, an attacker would have to target you to get your Master Password and Secret Key anyway. I'm not saying they could. But they'd need to, and at that point they might as well grab the database from you while they're at it.

    Can we calculate the probability of a code defect rendering vault crypto easier to crack? Nope. Can't do it for FileVault, BitLocker, or PGP either, and I use all of them. Ultimately we have to have some level of trust. I trust the crypto in PGP, FileVault and Bitlocker - and 1Password, but I don't put my PGP archives or drive clones on Dropbox. And right now, I won't put my password vault up there either.

    Fair enough, and good points. Without trust, we'd each have to fab our own silicon.

    To be fair, consumers get squat when a breach takes place (e.g. the Anthem breach settlement I wrote about on my blog, and how useless it is to the customers who lost their data). That's largely due to a legal/policy gap where they own our data, rather than just being custodians of it. Whole other conversation there, and that'd bring in politics... and this is already convoluted enough :-).

    Well, you raise an important issue, and I personally knew a lot of people affected by that breach. :(

    For many of my audiences, using an unapproved 3rd party cloud service is not permitted by policy. For others, even with a low probability, the impact of a breach is so large, that the overall risk score of having vaults in the cloud (risk=probability*impact) is still high enough that they won't do it. That's why I'm willing to share certain 1P items via iMessage (for convenience), but not others: I make a risk judgement.

    Absolutely. And I'd love to hear more from you (email might be better) about the sorts of policies and certifications that are critical to you in your business.

    Would I ever use a cloud vault? Probably not, though never say never. Right now, there are enough factors to make me say no - particularly the requirement to set it up in a browser, company policy prohibiting it, and lack of recourse if there's a breach.

    I think there are ways around that, especially if you never actually store data there, but that's perfectly reasonable. We'll continue to work to offer a native app solution for that.

    And that was the beauty of 1Password. I could recommend it for all users (I'd missed the dropping of Windows and Android local support as I don't use those platforms). I knew that you could meet all the use cases. Nice, simple, clean. Now it's really muddy.

    You're right. It's much too muddy. There really wasn't a way around that given what must be done, but this is a transitional phase we'll get through. The new Windows app will mature, 1Password.com will have better in-app integration for account management, and then we'll have an opportunity to put resources into something else again.

    One last note - it's been a long time since I read your team's whitepaper - I did it when a small business asked me for a cloud solution (ironically). I'm going to dig through it again to make sure I'm giving you guys a fair shake. On that note, have a great weekend!

    I really appreciate it. Even if it ultimately still doesn't meet your needs, constructive feedback is always welcome, both on the white paper itself and 1Password.com in general. And I hope you have an awesome weekend as well. Stay cool! :sunglasses:
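    The exchange above turns on one claim: because a random 128-bit Secret Key is mixed into the key that encrypts the data, knowing or guessing a weak Master Password such as monkey123 on its own gets an attacker nothing, even if they hold the encrypted vault. The following is an added example, not AgileBits' code. It is modelled only loosely on the two-secret key derivation that the 1Password Security Design White Paper describes: the iteration count, salt, HKDF info string and the HMAC-based unlock check are this example's own assumptions (real vaults are encrypted with AES, which the Python standard library does not provide), and the salt and Secret Key values in the demo are constructed.

```python
"""Two-secret key derivation (2SKD) demo.

Added example, not AgileBits' code. Loosely modelled on the derivation the
1Password white paper describes; parameters and the HMAC unlock check are
assumptions made for this demo.
"""
import hashlib
import hmac
import secrets

SECRET_KEY_BYTES = 16        # 128-bit Secret Key, as stated in the thread
PBKDF2_ITERATIONS = 100_000  # assumption for this demo
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """A fresh random Secret Key; generated on the device, never sent to a server."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix both secrets into one key.

    PBKDF2 stretches the human-chosen password; the random Secret Key is
    expanded with HKDF and XORed in, so the result is uniformly random unless
    BOTH inputs are known. Guessing the password alone leaves 128 bits unknown.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, KEY_LEN)
    sk_key = hkdf_sha256(secret_key, salt, b"demo-2skd-secret-key", KEY_LEN)
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_unlock_tag(vault_key: bytes) -> bytes:
    """Key-check value stored next to the encrypted vault (demo stand-in for
    a real authenticated-encryption check)."""
    return hmac.new(vault_key, b"vault-unlock-check", hashlib.sha256).digest()


def unlock(password: str, secret_key: bytes, salt: bytes, unlock_tag: bytes) -> bool:
    """True only when password AND Secret Key reproduce the stored tag."""
    candidate = make_unlock_tag(derive_vault_key(password, secret_key, salt))
    return hmac.compare_digest(candidate, unlock_tag)


def word_list_without_secret_key_unlocks(candidates, salt: bytes, unlock_tag: bytes) -> bool:
    """Models the case the thread discusses: someone holds the vault (salt and
    tag) and a word list that even contains the real password, but not the
    Secret Key. Without it they must use some guess for the key; any wrong
    value (all-zero here) fails for every candidate password."""
    wrong_secret_key = bytes(SECRET_KEY_BYTES)
    return any(unlock(c, wrong_secret_key, salt, unlock_tag) for c in candidates)


if __name__ == "__main__":
    salt = b"constructed-account-salt"          # constructed demo value
    sk = generate_secret_key()
    tag = make_unlock_tag(derive_vault_key("monkey123", sk, salt))
    print("right password + right Secret Key:", unlock("monkey123", sk, salt, tag))
    print("right password, no Secret Key:    ",
          word_list_without_secret_key_unlocks(["password", "monkey123"], salt, tag))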

  • @brenty Thanks again for the dialog. Let me try to sum up where I think we are:

    The situation:

    1. New users must buy a subscription
    2. New users must create a cloud vault
    3. That vault must be created inside a browser
    4. Windows and android don't support WLAN sync
    5. Windows doesn't support local vaults
    6. We both trust the math. You trust the code more than I do. We have different threat models.
    7. For most people, cloud vault/sync makes the most sense.
    8. For some people, local vault/sync makes the most sense.

    My objections:

    1. Fine with it - even fine with forcing existing users to do it
    2. Want an opt-out path, or secondarily a way to completely delete it after creation
    3. Don't like it for anyone, including people who do want cloud vaults (more below)
    4. Needs to support it
    5. Needs to support it
    6. My threat model is focuses on potential disclosure of vault contents, yours on ease of use. Both are valid, just different.
    7. and 8 are, right now, in an ugly UI middle ground and the focus of much of our disagreement - I believe that both need to be peer paths on setup, and AB's working to hide the local option.

    Regarding web access to the vault, that's something that I would never, ever, recommend someone use. People will do that from public computers, which is akin to licking the seat on a public outhouse. I work with some travel and transportation companies and across the board they state that their single greatest source of compromised accounts are people using the public computers in hotel business centers. I haven't tried it, but hopefully there's a multi-step warning on the web version "Don't do this from a machine that you don't own. Seriously, don't do it. Really, seriously, don't do it"

    Now a lot of people are up in arms with #1. They need to realize that all software is moving towards that model. Businesses don't have enough new customers coming in to be profitable, so it's going to happen. I use very expensive 3D modeling and sculpting software that promises free upgrades for life, and yet I fully expect them to do a cutover, or charge for upgrades at some future point. New versions aren't free to develop.

    The other points can be resolved, and I recognize it'll take time. Hopefully 1P7 will solve them all, though we disagree on how visible the local-only option should be.

  • brentybrenty

    AgileBits Team Member

    @dougl: Just to summarize,

    1. as Dave mentioned in his blog post, we're still selling 1Password for Mac licenses;
    2. local vaults are still available on all platforms;
    3. 1Password.com vaults generally must be created in the browser, but some of the apps now support this natively as well;
    4. 1Password 4 on Windows (and 1Password for Android) supports local sync; 1Password 6 does not;
    5. 1Password 4 on Windows supports local vaults; 1Password 6 does not;
    6. agreed, I've necessarily got more knowledge of how 1Password works than many people outside of AgileBits, and that is an obstacle — but we invite independent security researchers to test our security;
    7. agreed, most folks don't want to deal with sync configuration,
    8. but others accept that tradeoff and prefer local vaults/syncing

    Regarding web access to the vault, that's something that I would never, ever, recommend someone use. People will do that from public computers, which is akin to licking the seat on a public outhouse.

    Wow. I have never heard it put quite that way, but I think that's apt — if a bit graphic. :lol:

    In all seriousness, if you do a Google search of "public computers" on these forums, you'll find post after post where I and others (AgileBits staff and community members alike) repeatedly say variations on things like "Don't" (granted, much more verbose) when people ask "How do I access 1Password from a library/school/friend's computer." It's something we actively recommend against. But like the outhouse, we can't stop people...

    I work with some travel and transportation companies and across the board they state that their single greatest source of compromised accounts are people using the public computers in hotel business centers. I haven't tried it, but hopefully there's a multi-step warning on the web version "Don't do this from a machine that you don't own. Seriously, don't do it. Really, seriously, don't do it"

    Warnings are a touchy subject. Most people simply ignore them, and I disagree that annoying someone is the best way to educate them. Not saying that's what you're suggesting, but in practice that's what it often amounts to. We all know what happened with UAC on Windows. It's something we'll have to consider though.

    Now a lot of people are up in arms with #1. They need to realize that all software is moving towards that model. Businesses don't have enough new customers coming in to be profitable, so it's going to happen. I use very expensive 3D modeling and sculpting software that promises free upgrades for life, and yet I fully expect them to do a cutover, or charge for upgrades at some future point. New versions aren't free to develop. The other points can be resolved, and I recognize it'll take time. Hopefully 1P7 will solve them all, though we disagree on how visible the local-only option should be.

    I wholeheartedly agree with everything you just said there (though I recognize the irony of me agreeing with you saying we disagree — but I think you get my point). While I don't think we want to have a situation where it's easy for people to setup a local vault not understanding the implications, drop their phone in the toilet (see what you did?), and then find out they lost all their data, I do think we can do better with making things clearer to the user. We just need to prioritize those who could most easily get stuck in these pitfalls. The sorts of folks like you and I who understand the implications of local vaults are more than capable of selecting that option from a menu if necessary. :)

  • My1My1

    so let me put some words into this:

    1password isnt too bad, that much I can say for sure but at the very least I will never accept a manager for sensitive data which forces me to sync with them.

    Right now I use a different password manager which syncs with a cloud which I only use for password syncing so it's harder to find and/or steal any data

    1pw web is intresting but it's not just one whole can of worms.
    1) this thing uses a whole lot of javascript, including a "vendor" file, meaning scripts you didnt make, did you guys check all the scripts that nothing bad happens?

    2) you are using a CDN (me.1password.com -> IP -> amazon AWS) , meaning you are not in control of what happens in the transit meaning the CDN has the ability to (it doesnt matter whether they promise not to do so or whatever, just that they have to ability to) add or change scripts in a way that the master password is sent directly to a rogue server, they could even go one step further and just sent a decrypted wallet along the way.

    the nice thing with a password manager which has no traces to the manufacturer aside from a once only License check (which has to happen BEFORE you enter any master password) is that you can firewall this thing right into oblivion after trhat check, and if you want sync with some or another cloud, you can make it so the software can only communicate with the cloud ever after.

    sure an auto sync with the manufacturer is convenient as hell but I have a nextcloud and I also have a few other cloud accounts and I like having control.

    also on page 2 or 3 you said that even if you are offline, 1pw wont revert to trial mode even without internet, I have some SERIOUS doubts about that, especially once your payment period ends, you will definitely need internet again to confirm you are still subscribed, and if agilebits would shut down someday or remove the 1password product because it has been bought by someone else you would be stuck with a read-only wallet as soon as the paid period ends.

    also remember this little piece of text?

    you are pretty much betraying your customers in every way possible and especially with the pretty prices 1password you need some loyal customers, I mean there are other password managers which for example font charge for desktop but only once for the mobile apps, which may even be a bit too cheap on the other side but at least there it doesnt look like we are getting backstabbed very soon, just about half a year and the normal license starts to disappear, perfect (attention: sarcasm inside)

    also one thing you guys could really do to secure your DLs a lot more is throw the checksums of your downloads somewhere else or sign the checksums with a key where publish the public part somewhere else (for example all the social networks you use, hard enough to compromise one, but quite a bit harder attacking them all) so that the tinhat customers (we are talking about password managers, so expect them to exist) can verify the DLs are truly made by you guys.

    the signature by Comodo surely isnt too bad especially since the stuff shows up as more secure on the PCs but it's getting harder and harder to trust CAs and the system they made when those CAs are doing more and more junk all the time. (also revocation checking is a big problem)

    also reading your account advantages page, the secret key shows up "multi-factor security", which is as wrong as it can get. sure it is a nice password hardening method but cannot be compared in any way possible to multi-factor because it's just different also, it isnt too hard to make this without acount or on other password manager by just getting some randomness, building random characters and attach them to the master password
    2FA has its own merit in having a bit more access control, meaning someone who isnt from the server cant even get the database to try ANYTHING, while 2KSD tries to make it harder to crack open the db when the attacker already has the DB file, personally I like both Ideas.

    well that was it for now, sorry for writing so much.

  • BenBen AWS Team

    AgileBits Team Member
    edited July 17

    Hi @My1,

    This is a fairly long thread, so I don't blame you if you haven't read all of it, but did you have a chance to read Brenty's post directly above yours?

    I'm not going to reiterate what Brenty has already commented on, but I'll try to address the points that he hasn't.

    Right now I use a different password manager which syncs with a cloud which I only use for password syncing so it's harder to find and/or steal any data

    How would that be different than 1Password.com? :)

    1) this thing uses a whole lot of javascript, including a "vendor" file, meaning scripts you didnt make, did you guys check all the scripts that nothing bad happens?

    Of course. Not only have we vetted everything internally, it has also been vetted externally by 3rd parties. The JavaScript is available to be reviewed by anyone who wants to do so.

    2) you are using a CDN (me.1password.com -> IP -> amazon AWS) , meaning you are not in control of what happens in the transit meaning the CDN has the ability to (it doesnt matter whether they promise not to do so or whatever, just that they have to ability to) add or change scripts in a way that the master password is sent directly to a rogue server, they could even go one step further and just sent a decrypted wallet along the way.

    Amazon does not have the ability to access decrypted 1Password data, and neither do we. I'd suggest taking a look at our 1Password Security Design White Paper.

    sure an auto sync with the manufacturer is convenient as hell but I have a nextcloud and I also have a few other cloud accounts and I like having control.

    1Password.com isn't "just another cloud account." It provides a number of features not possible with a 3rd party solution:

    What are the benefits of a 1Password membership?

    also one thing you guys could really do to secure your DLs a lot more is throw the checksums of your downloads

    We've discussed this in a few different threads. I'll point you in the direction of a couple:

    2FA has its own merit in having a bit more access control, meaning someone who isnt from the server cant even get the database to try ANYTHING, while 2KSD tries to make it harder to crack open the db when the attacker already has the DB file, personally I like both Ideas.

    You're right: they address different threats. In many cases users have been misinformed or have misunderstood what threats most "2FA" systems actually protect against. We have a blog post about that here:

    AgileBits Blog | Two Factor or not Two Factor

    Thanks!

    Ben

  • Michael TsaiMichael Tsai Junior Member
    edited July 17

    @Ben

    2) you are using a CDN (me.1password.com -> IP -> amazon AWS) , meaning you are not in control of what happens in the transit meaning the CDN has the ability to (it doesnt matter whether they promise not to do so or whatever, just that they have to ability to) add or change scripts in a way that the master password is sent directly to a rogue server, they could even go one step further and just sent a decrypted wallet along the way.

    Amazon does not have the ability to access decrypted 1Password data, and neither do we. I'd suggest taking a look at our 1Password Security Design White Paper.

    The white paper actually confirms the threat that @My1 mentioned. Page 51 says:

    Despite our use of our own transport encryption layer beyond Trans- port Layer Security (TLS), when using 1Password in a web browser, the security is (largely) limited to what is provided by TLS. An attacker who is able to modify the JavaScript client that is sent from the web server to the user’s device will be able to capture the Master Passwords and Secret Keys that a user enters or provides.
    In principle, this problem is no different from any other case in which a user installs and runs a malicious client, but in practice the opportunities for an attacker to deliver a malicious client are greater when that client is delivered anew for each session and its authenticity is ensured only by TLS.

    You don't store the decrypted data or password, but access to your server would make it possible to get these.

  • BenBen AWS Team

    AgileBits Team Member

    I see; yes, there are certainly threats that exist with the web interface that do not exist with the native clients. We are working on a couple things to help with that:

    1) We're working to reduce our reliance on the web interface, especially for signing up and admin tasks
    2) We're considering how we might deliver a codesigned version of the web interface

    Thanks. :)

    Ben

  • Thank you for not having plans to eliminate the standalone apps. I have purchased your apps directly and then through the Apple App Store, iOS and macOS for my devices. I am technically able to manage my sync rules and use iCloud for my depository. I consider your apps the most essential apps on my devices and tell everyone I meet that they should use them. I do not care for subscription based apps which is why I dropped Microsoft Office in favor of Apple's Pages, Numbers and Keynote.

    If I had started with a subscription app for the start then it would not be an issue.

  • My1My1
    edited July 17

    @Ben well the fact that he said that you sell mac licenses implies that you don't sell windows licenses anymore.

    For the difference between an external cloud with only the password and a manufacturer solution is that 1) i can use my own cloud and 2) in case somehow my password and stuff got out, they would first have to get the database which is stored somewhere else, with different credentials for access and crypto including a 2fa on the access portion. With a manufacturer based cloud that cloud is gonna get a big target and sure as hell i dont want to know what happens in case something does go horribly wrong.

    Oh yeah before you go and say "that won't happen because" let me remind you of Murphys law, the one thing that's most important when talking about security stuff. While the manufacturer cloud is convenient, there needs to be a way around for more cautious users, whether that means local only, some cloud they want, or a completely self hosted one like own/nextcloud.

    Codesigned web interface isnt bad but how are you going to show or even enforce it? Also not to forget that unlike the pc's uac or so who immediately tells you who did the signing, browsers don't do so and the browser wouldn't have a way to see who is the proper and who the bad signer. And as i said with revocation being in the state it is in, it's still not easy to trust that stuff.

    another thing you didnt talk about was about being offline at when your payment period runs out, this would definitely revert you to trial, and if you try to say that that's not the case it honestly doesnt make sense.

    regarding the 2 Factor thing, I know what it's about, and while it doesnt help when the database is already stolen, it can at least help prevent it from happening and on the other hand it can also prevent someone from maliciously syncing up an empty wallet to harm the victim (dont ask me how, but weird as hell scenarios should not be completely forgotten.

    in case of 1pw online the database doesnt get a factor, because it's readily available for anyone who enters the password and key (which from a security perspective is just another password as it is written down, can be remembered and copied around)

    while it is one really strong factor, it stays one factor, unless you go and act quick a phisher, keylogger etc will be able to do all sorts of junk, while with a 2FA approach the database isnt immediately available so even if they keylogged you, the 2nd factor is made against keylogging and other stupid Ideas, which gives the thing some nice strength.

    regarding signing and checksums, it really helps to read the sentence completely. as I said, you guys are active on multiple social networks and stuff, checking your site that includes at least twitter, facebook and youtube. which are completely different places owned by completely different entities (and all of them allow 2FA, making outside attacks hard enough) it isnt really hard to post a SHA256 or whatever hash to all of them when you update.

    also, on the bottom line, I am not saying to throw 1pw accounts into oblivion, but instead give users options to have control over their data without having to rely on an all-in-one solution.

    also, I dunno your database format but one thing that really would be awesome would be if it would be an open format so users can snoop around and do all sorts of awesome stuff (for example when the windows software is YET AGAIN not up to date from a feature perspective. or of course directly export all the stuff from that DB if 1pw sadly goes into oblivion for some or another reason)

  • brentybrenty

    AgileBits Team Member

    @NorCalBolt: As you can imagine, we feel the same way. And the setups we use ourselves run the gamut as well. We have no desire to take away something we've worked so hard on that we're proud of and make use of ourselves. Thanks for taking the time to let us know you're enjoying using 1Password, and how essential it is to you. Cheers! :)

  • brentybrenty

    AgileBits Team Member

    @Ben well the fact that he said that you sell mac licenses implies that you don't sell windows licenses anymore.

    @My1: We don't. We've been pretty open about that. Our focus is on the new 1Password 6 Windows desktop app we've built from the ground up, so we're no longer selling licenses for 1Password 4 since it isn't going to be receiving new features*.

    *We actually just released a new version there too, but I don't think most users would consider Native Messaging to support future versions of Chrome and Firefox a new feature, even if it was a lot of work and necessary for browser compatibility going forward.

    For the difference between an external cloud with only the password and a manufacturer solution is that 1) i can use my own cloud and 2) in case somehow my password and stuff got out, they would first have to get the database which is stored somewhere else, with different credentials for access and crypto including a 2fa on the access portion. With a manufacturer based cloud that cloud is gonna get a big target and sure as hell i dont want to know what happens in case something does go horribly wrong.

    If your password "gets out", it won't be because of anyone's "cloud". Your Master Password isn't stored with your data, and is, in fact, never transmitted, whether you're using 1Password.com or another method to sync data. That's always been fundamental to 1Password's design. SO the only way someone can get the "keys" to your encrypted data, regardless of where you keep it, is from you.

    Oh yeah before you go and say "that won't happen because" let me remind you of Murphys law, the one thing that's most important when talking about security stuff. While the manufacturer cloud is convenient, there needs to be a way around for more cautious users, whether that means local only, some cloud they want, or a completely self hosted one like own/nextcloud.

    We can say that it (someone getting your Master Password and/or Secret Key) won't happen because we never have them. 1Password hasn't ever relied on the "security through obscurity" of hiding local vaults from bad guys. If someone wants your stuff, they'll have to get the Master Password from you anyway. They might as well grab the vault from your device while they're at it.

    Codesigned web interface isnt bad but how are you going to show or even enforce it? Also not to forget that unlike the pc's uac or so who immediately tells you who did the signing, browsers don't do so and the browser wouldn't have a way to see who is the proper and who the bad signer. And as i said with revocation being in the state it is in, it's still not easy to trust that stuff.

    UAC isn't something I'd hold up as a good security example. Not saying it is insecure, but for a decade it's trained people to click a button any time they see a similar prompt. And malware and shady websites have used this to great success. But regardless, while the major browser vendors are taking full advantage of code signing and are incredibly aggressive about certificate chain issues, you're right that users can choose to ignore warnings or break this by installing self-signed certificates. Fortunately, we have these great native apps that we sign ourselves that people can use to secure their data, so no one has to rely on the web client fully.

    another thing you didnt talk about was about being offline at when your payment period runs out, this would definitely revert you to trial, and if you try to say that that's not the case it honestly doesnt make sense.

    If you're offline, you still have the data cached on your device, so I'm not sure where that poses a problem for you. And even once you go back online and it seems that the account is frozen, you still have access to the data; you just can't make changes to it at that point.

    regarding the 2 Factor thing, I know what it's about, and while it doesnt help when the database is already stolen, it can at least help prevent it from happening and on the other hand it can also prevent someone from maliciously syncing up an empty wallet to harm the victim (dont ask me how, but weird as hell scenarios should not be completely forgotten.

    Again, if the encrypted database is stolen, it will be useless. They can't get the "keys" from us. An attacker would literally have to go get them from each individual user to be able to decrypt their data. We go to a lot of trouble to prevent any of this from happening, but ultimately the buck stops with you, and you can prevent anyone from accessing your data by guarding your Master Password and Secret Key — and changing them if you have reason to believe that you've revealed them to somebody.

    in case of 1pw online the database doesnt get a factor, because it's readily available for anyone who enters the password and key (which from a security perspective is just another password as it is written down, can be remembered and copied around)
    while it is one really strong factor, it stays one factor, unless you go and act quick a phisher, keylogger etc will be able to do all sorts of junk, while with a 2FA approach the database isnt immediately available so even if they keylogged you, the 2nd factor is made against keylogging and other stupid Ideas, which gives the thing some nice strength.

    We have to remember that two-factor authentication isn't a panacaea. What attack are you trying to defend against exactly? If someone is in a position to steal your Master Password and Secret Key, they either have direct access to you and can offer you and "incentive" to give up the second factor, or they have control over your machine and can capture all of that on the fly as you try to use them. There are definitely some more things we'd like to do in this area, but not for purposes of "security theater"; we need to make sure that it's usable and offers a real benefit. Most two-factor authentication has a backdoor in that it can be deferred or removed in the event of a user temporarily not having or permanently losing access to the second factor.

    Also, the Secret Key is used to actually encrypt the data, so that it would be more resilient to a brute force attack if the database is captured, which is a specific threat you've mentioned. That, of course, is why the Secret Key exists. Something like a one-time password doesn't offer this.

    regarding signing and checksums, it really helps to read the sentence completely. as I said, you guys are active on multiple social networks and stuff, checking your site that includes at least twitter, facebook and youtube. which are completely different places owned by completely different entities (and all of them allow 2FA, making outside attacks hard enough) it isnt really hard to post a SHA256 or whatever hash to all of them when you update.

    I really don't think that social media outlets offer appropriate security for distributing checksums of 1Password.

    also, on the bottom line, I am not saying to throw 1pw accounts into oblivion, but instead give users options to have control over their data without having to rely on an all-in-one solution.

    There are options, but we're going to market the 1Password experience that's best for most users. We can't be all things to all people, so we're focused on where we can do the most good for the greatest number.

    also, I dunno your database format but one thing that really would be awesome would be if it would be an open format so users can snoop around and do all sorts of awesome stuff (for example when the windows software is YET AGAIN not up to date from a feature perspective. or of course directly export all the stuff from that DB if 1pw sadly goes into oblivion for some or another reason)

    It's possible to both access the data on disk and export, but you're right that there's room for improvement in this area. There's a great deal of detail in the security white paper, and there's also more information available to security researchers who participate in the bug bounty program, since they're the ones doing the work apart from our own internal efforts.

  • My1My1

    and why not go the next LOGICAL step sell standalone licenses for 1pw6 on windows? I mean you guys said on twitter that you "wont forget [your] roots" and that "There are no plans to eliminate standalone licenses or existing sync methods".

    I may have wirtten it a bit too complicated but try to read again. I didnt say that the cloud is at fault for getting the pw out, but the problem is that there are more consequences when you encryption data gets out some way or another. because if decryption and access arent tied together it gets a bit harder to get both the db and the decryption data.

    say "Alice" has a dropbox account secured nicely with 2FA and in there a 1pw db secured with a different strong enough password and "Bob" has a 1pw online db also with a strong enough password.

    somehow both get a keylogger on their system.

    Alice logs into dropbox, does 2FA, and enters the decryption password for the database.

    unless the keylogger got itself a file stealer as well, Alice has no immediate danger, but of course should change her password, because an attacker from far away only has the typed password and depending on the 2FA method used, an invalid 2FA Code (in case of methods like U2F or app request, they have nothing) meaning alice can take the computer offline and do stuff to keep the database secure (like changing passwords an stuff), but it not subject to immediate danger.

    in case of Bob, the attacker gets both the password and the Secret Key, and can immediately waltz into the 1pw site, log in, download the wallet, and for the ultimate damage, change the password and master key, or even worse, just close the account, and since you guys are supposed to delete the data securely there's of course no way back.

    of course if they also have a means to grab the db from the computer it's useless, but at least in my opinion, users who want to have finer control over their data should have it, I know that 2FA isnt perfect and the solution for everything but for users who know what they are doing it is a great addition to security

    Also I know that the Secret Key is used to encrypt the data; I read a bit of stuff in here, but it's not like you can't just dice-roll (or another random method of choice) out some characters, write them down and add them to the password somehow or other. The Secret Key is essentially just "more password", and I do know that unless you horribly misuse HOTP or similar methods (KeePass can do this) you aren't getting OTP-based crypto.

    Well, security of the social media sites is a concern, true, and it was more just a more or less stupid side idea that when you use multiple of these sites from multi-billion dollar companies, it would raise the security of that posting (aka if they are not all the same, something is wrong).

    Truly you can't be everything, but with 1PW online you are CLEARLY abandoning previous sync methods, which is laughable in my opinion (especially since you guys said you won't) in favor of 1PW online, and is there such a problem putting these "highly complicated" (veteran users probably laugh here) sync and vault management methods in an "advanced" tab or whatever?

    And finally, is the exporting also possible in trial mode, for example when your subscription ran out and you can't go online to re-check (or some other weird stuff happened)?

  • brenty

    AgileBits Team Member

    And why not go the next LOGICAL step and sell standalone licenses for 1PW6 on Windows? I mean, you guys said on Twitter that you "wont forget [your] roots" and that "There are no plans to eliminate standalone licenses or existing sync methods".

    @My1: It's not logical to sell licenses for an app that doesn't have 3rd party sync or local vault support. It may be something we do in the future, but there's a lot of work to be done before we could even consider going that route.

    I may have written it a bit too complicated, but try to read again. I didn't say that the cloud is at fault for getting the password out, but the problem is that there are more consequences when your encryption data gets out some way or another, because if decryption and access aren't tied together it gets a bit harder to get both the DB and the decryption data.

    I don't think that follows.

    Say "Alice" has a Dropbox account secured nicely with 2FA and in there a 1PW DB secured with a different, strong enough password, and "Bob" has a 1PW online DB, also with a strong enough password. Somehow both get a keylogger on their system. Alice logs into Dropbox, does 2FA, and enters the decryption password for the database.
    Unless the keylogger got itself a file stealer as well, Alice is in no immediate danger, but of course should change her password, because an attacker from far away only has the typed password and, depending on the 2FA method used, an invalid 2FA code (in case of methods like U2F or app request, they have nothing), meaning Alice can take the computer offline and do stuff to keep the database secure (like changing passwords and stuff), but it is not subject to immediate danger.
    In case of Bob, the attacker gets both the password and the Secret Key, and can immediately waltz into the 1PW site, log in, download the wallet, and for the ultimate damage, change the password and master key, or even worse, just close the account, and since you guys are supposed to delete the data securely there's of course no way back.
    Of course if they also have a means to grab the DB from the computer it's useless, but at least in my opinion, users who want to have finer control over their data should have it. I know that 2FA isn't perfect and the solution for everything, but for users who know what they are doing it is a great addition to security.

    We can't protect people from accessing sensitive data on compromised machines. We always advise against this (public computers, for example), but we can't stop that from happening. No one can. This isn't a 1Password security issue. It's not even a password manager security issue. Regardless of any security measures we have in place now (Secret Key, SRP) or add in the future (two-factor authentication, etc.), if you're accessing your data on a device someone else "owns" they don't even need to worry about any of this. They can just let you bypass these protections for them and grab your data as you access it. So I don't think it's reasonable to expect 1Password to solve this problem for users, as it isn't a problem anyone can solve — you giving someone else access to your data.

    Also I know that the Secret Key is used to encrypt the data; I read a bit of stuff in here, but it's not like you can't just dice-roll (or another random method of choice) out some characters, write them down and add them to the password somehow or other. The Secret Key is essentially just "more password", and I do know that unless you horribly misuse HOTP or similar methods (KeePass can do this) you aren't getting OTP-based crypto.

    There's an important distinction between the Secret Key and a password. A password is something that you're expected to remember. Websites expect you to, even if you use 1Password to do that for you. And the Master Password is very much "something you know". The Secret Key, on the other hand, is effectively unknowable. I don't know anyone who has memorized it. And since it is only present on devices where you've already authorized your account, it becomes, effectively, "something you have", for all practical purposes.

    Well, security of the social media sites is a concern, true, and it was more just a more or less stupid side idea that when you use multiple of these sites from multi-billion dollar companies, it would raise the security of that posting (aka if they are not all the same, something is wrong).

    It's not a stupid idea. I'm sure some software developers do something like that, and it is less of a concern. But with 1Password there's a lot more at stake. So it's just not appropriate in this case. But you do make a great point about posting across several channels simultaneously. I think that the bar still has to be higher for 1Password, but you're right that it would be harder to compromise all of them at once...except that generally the same people will have access to all of these accounts to post on social media.

    Truly you can't be everything, but with 1PW online you are CLEARLY abandoning previous sync methods, which is laughable in my opinion (especially since you guys said you won't) in favor of 1PW online, and is there such a problem putting these "highly complicated" (veteran users probably laugh here) sync and vault management methods in an "advanced" tab or whatever?

    1Password.com offers things that aren't possible with other sync methods, which many people have asked for. While that's our focus, "abandoning" implies that we're not still supporting the older sync methods, yet we are, across all platforms. If you pay attention to the release notes, you'll notice that we've recently updated the mobile apps for Dropbox's new APIs. If we wanted to abandon that, we could certainly find better uses for the development and testing resources we've spent on that.

    And finally, is the exporting also possible in trial mode, for example when your subscription ran out and you can't go online to re-check (or some other weird stuff happened)?

    I'm not sure exactly what you're asking, but the desktop apps all support export, and this works whether you're using an expired trial of the standalone app or a frozen 1Password.com account.

  • My1

    Well, it might have been more helpful in my opinion to first build the new version with support for the stuff that already works and THEN do the online database stuff.

    You can't do everything, true, but at least don't kill off features when you make new versions, especially when talking about the user's control of their own data. When they want a database local or synced with a Nextcloud, why not?

    Also, you don't even need a compromised machine to get the keyboard typings; there are weird-as-hell methods like recording the typing sound, or tapping a badly secured wireless connection, and both are really hard to notice.

    "A password is something that you're expected to remember." -> Why do we have things like password managers?

    For the factor thing I think a little bit differently: while it isn't supposed to be remembered, a static key like this can be written down, copied, keyboard-grabbed and so on, while a true "something you have", for example a smartcard, a U2F stick or those nice little air-gapped code generators, are things you especially cannot easily copy without leaving traces, if at all. If you accidentally leave your key lying around, someone can take a picture, write it somewhere (or if you are really good, remember it somehow) and no one will notice. When I have my smartcard lying around, an attacker must take THIS EXACT THING with him, meaning you leave traces; you can't just make a code from the generator to use it later, because a) these are one-use and b) these usually only have a tiny time slot they work in (and then we have explicit challenge-response things like U2F or smartcards which make the whole "something you have" even safer).

    The problem is that while the key isn't made for memorizing, it has the same weaknesses as an ordinary password written on a piece of paper; this is the point I am making.

    "except that generally the same people will have access to all of these accounts to post on social media." -> Well, then we are talking about internal attacks, and we REALLY have a problem.

    "1Password.com offers things that aren't possible with other sync methods, which many people have asked for"
    Well, there are some things like recovery, which is only available to teams to do mutual recovery of mutually shared data (at least I REALLY hope so, for OBVIOUS REASONS), or that you don't need to set up a cloud account (but then again, you set up a 1PW account, so so much for that), then you have team sharing (which is a use case, but not one I care about), then we have data restore (something enough major clouds like Dropbox have), travel mode (more convenience for something you could probably also do anyway, same with the Secret Key basically).

    The only really big benefits that I see are that you have one subscription license for all platforms (especially when seeing that the normal license costs $65, which is a hell of a lot of money compared to others) and the thing with the holdback for features, BUT both of those are benefits of the subscription, not of the manufacturer's cloud (especially when it's actually not the Canadian AgileBits cloud, but US-based Amazon storage, which by the way also renders travel mode useless for anyone traveling to the US, because they can get the database from Amazon and try to get the password from the user).

    In general, all the account is about is convenience for noobs, sorry to say that, but anyone who knows what they are doing shouldn't have problems with a normal password manager (also regarding the deletion of the password database, it may be helpful to use meaningful file and folder names, put temp files in the temp folders and clearly mark the password database as that so we don't have accidental removals. I don't have a big eye on the structure of your folders and so on, but it's quite common for proprietary software to obfuscate everything as much as possible, therefore making it not easy to distinguish).

    Well, nice that you guys updated the mobile apps for Dropbox, but mobile is just a part of the ecosystem. Stop excluding Windows all the time and give out some feature parity.

    Regarding the last part, the answer pretty much solves it. Long story short, if for whatever reason this thing thinks you have no license, subscription or whatever, you can still get your data out.
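Added example (editor's note, not part of the thread and not 1Password's code): a simplified two-secret key derivation in Python that plays out the argument above about the Secret Key being "more password" versus "something you have". It is modelled loosely on what 1Password has described publicly (a slow KDF over the Master Password, an expansion of the Secret Key, the two XORed together), but the iteration count, the Secret Key format, the toy encrypt-then-MAC vault layout and all function names are assumptions made for this illustration. The `offline_guess` loop shows both scenarios from the Alice/Bob discussion: an attacker holding a copy of the vault file (Dropbox theft) but not the Secret Key cannot crack even a dictionary password, while an attacker who captured both the password and the Secret Key (keylogger plus key on the same device) walks straight in.

```python
"""Two-secret key derivation: memorised password + device-held secret key.

Illustrative only; parameters and layout are assumptions, not 1Password's.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32
PBKDF2_ITERATIONS = 20_000  # assumption: kept low for the demo; real use is far higher


def generate_secret_key(nbytes: int = 16) -> str:
    """128-bit random key, grouped for writing down (grouping format is made up)."""
    raw = secrets.token_hex(nbytes).upper()
    return "-".join(raw[i:i + 8] for i in range(0, len(raw), 8))


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """XOR a slow hash of the password with a fast expansion of the secret key.

    The password is low entropy, so it gets PBKDF2 to make guessing costly.
    The secret key is already random, so one HMAC expansion is enough.
    Because the halves are XORed, knowing only one of the two secrets gives
    no information about the final key: an attacker needs both.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS, KEY_LEN)
    sk_part = hmac.new(secret_key.encode("utf-8"), salt + b"vault-key",
                       hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_vault(plaintext: bytes, master_password: str, secret_key: str) -> dict:
    """Encrypt-then-MAC under the derived key; salt and nonce travel with the file."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, secret_key, salt))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(vault: dict, master_password: str, secret_key: str) -> Optional[bytes]:
    """Return the plaintext, or None when the tag check fails (wrong password or key)."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ct, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, secret_key, salt))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def offline_guess(vault: dict, wordlist: list, secret_key: Optional[str]) -> Optional[str]:
    """Attacker with a copy of the vault file runs a password list against it.

    Without the secret key (file stolen from a sync service) every guess would
    also have to hit a 128-bit key, so the best available move is a random key
    per attempt, which never succeeds. With the secret key captured alongside
    the typed password, the search collapses to the password list.
    """
    for pw in wordlist:
        sk = secret_key if secret_key is not None else generate_secret_key()
        if decrypt_vault(vault, pw, sk) is not None:
            return pw
    return None


if __name__ == "__main__":
    sk = generate_secret_key()
    vault = encrypt_vault(b"example logins", "correct horse", sk)  # constructed sample
    print("file only, no key  :", offline_guess(vault, ["password", "correct horse"], None))
    print("file + captured key:", offline_guess(vault, ["password", "correct horse"], sk))
```

The point the loop makes is the one both sides of the thread touch: the Secret Key protects the file at rest against an attacker who only has the file, but it is a static string, so anything that captures it together with the password (a keylogger on the enrolling device, a photo of the emergency kit) gives the attacker everything at once.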
