Hi 1Password team,
I've thought long and hard about this but after many a long year with 1Password as my poison of choice for password management, I have finally decided to call it a day, albeit with a heavy heart. I've enjoyed using 1Password immensely and have had 100% confidence in the security it provides, but ultimately a convergence of factors has made me decide it's time to move on. For the sake of providing an excellent product and team with hopefully valuable feedback you can use to your advantage, I'd like to share my reasoning with you.
Back in the day, LastPass was my password manager of choice, until they were breached many years ago, and I realised that placing your password data into an online service was exposing it to an attack surface that was available to attackers 24x7. And while LastPass have fixed many of the vulnerabilities that led to that breach and vastly improved their security posture over the years since, for me it's a case of once bitten, twice shy. Inevitably, syncing your passwords to a cloud service simply means you are playing a waiting game until the next serious breach - which happened again for LastPass in 2015, which was already some years into my tenure as a 1Password user.
I could not afford that risk then, and I still cannot afford that risk now. The beauty of 1Password for me lay not in its underlying encryption technology but in the fact that my password store was local, and I could choose if and how I wanted to synchronise it. As long as my password data was not stored remotely, I could secure it as I saw fit. For me as a technical person, and working with highly secured government customers, this was a fantastic advantage. Unfortunately Agilebits has changed direction on this with a new 'cloud first' approach, which provides much improved synchronisation for a majority of users a little less shy of that kind of exposure, but for those of us who need something more controlled and robust, not so great.
Up until 1Password 6 I could keep data local and choose what I wanted to sync, and which if any cloud storage services I wanted to sync it with. I could keep my most sensitive data secured away on an encfs filesystem with a suitably massive random seed and private key, and only sync the (heavily!) encrypted storage to a trusted backup store, like an on-premises Commvault or Avamar backup appliance. I could sync less sensitive data with Google Drive, Dropbox or OneDrive. With 1Password's new cloud first approach, though, I can no longer choose to avoid exposure to those online risks. It becomes LastPass all over again, and sadly, I can't afford to take that risk.
I work on a Mac primarily, so 1Password was an obvious go to when the first LastPass breach occurred. However, I also work on a variety of - mostly Linux - systems in various environments. Being able to securely sync password data between them and my Mac was always and remains much more important than being able to sync to a Windows operating system. Unfortunately, Agilebits has never taken the *nix technical customer base seriously enough to consider a port to a Linux platform. I understand that their focus needs to be on the largest segment of the customer base, as a relatively small and agile development house. But since it seems to have never made it on to your radar, I have to consider the possibility that I'm not in anything near enough to a key demographic, it never will make it to your "do next" queue. Which I think is likely.
Unfortunately, Apple system quality has noticeably declined in recent years, and Linux systems are becoming more and more useable as a primary developer / devops workstation. And I need to consider the not inconsiderable expense of replacing my aging MacBook Pro with new Apple equipment versus a decent Linux laptop. Quality of Apple hardware is no longer a drawcard, and I can easily find much more powerful hardware from manufacturers like Dell and System76 which are ultimately better suited to my professional needs than an Apple OS. So I need to keep an eye on the future, and 1Password seems to have hitched its wagon to what is yesterday's platform, as far as my own professional trajectory goes.
Finally, Windows 10 and Mac OS are becoming more and more leaky from a security and privacy perspective. As long as this was mere statistical market analytics several steps removed from any personally invasive creepiness, I could turn a blind eye. But these days, the value of what I do with my laptop is increasing, and the risk of exposing it to potentially hostile and competing corporations working in the IT industry has a very real potential to harm me and those who employ me. I can't seriously consider using Windows 10, and Mojave gives me pause already. I can't see this trend of pervasive surveillance changing anytime soon, and my only alternative is a platform that is leaner, and built on source code that is open to community inspection and critique, such as most Linux distributions.
So this will be my last Mac laptop in all likelihood. And it's a shame, as I have acquired a not insignificant portfolio of useful paid-for applications I won't be able to take with me. Linux doesn't provide good alternatives for all of them, but it does for 1Password. So I'm switching now in anticipation of a possible platform change, and because I need to keep some of my data stored locally under multiple layers of high strength encryption, with no Internet exposure. And 1Password won't be able to do that when version 6 ends.
Thanks Agilebits for being there and having such a solid and reliable product for as long as you have. It's a shame we have moved in opposite directions. But keep in touch.