1Password 8 for Mac Released With New Design and Features

[Sowelu]

But why would they not come out and say that? Seems like a reasonable justification that could have been added to the press release.

Seems to me like they are hoping to push some people to a direct download for data collection purposes.

I am wondering if they want to hold off on the App Store for a while in hopes of new customers downloading direct and getting 100% of those new subscriptions. Since this is a totally new version that is getting some press, they may see this as an opportunity to go direct until the buzz dies down. When it does, they'll need the App Store's traffic and visibility to pick things up again. Just a theory, and this makes perfect business sense, just wondering why something so obvious (like not submitting a big new release to the App Store) is all hush-hush.

 

[MacHeritage]

It’s really not like that at all. Whether you are using a keychain vault or some other cloud-hosted vault, you are storing/sending encrypted versions of your passwords with 1Password. Such vaults are useless to third parties without access to your master key.

I am fully aware of the encryption part. I am talking about the NSA, CIA etc. not some third-party black hat hacker. They copy and store everything you send over the Internet (Snowden said to assume 100% collection) and crack it open later if they want/choose to. People I personally know, in that world, send nothing over the Internet that they do not want public. Period.

This is about security. So, from a security standpoint, it is a very important part. People these days, even after Snowden, don't seem to care about it but it is very important to at least keep everything client side without sending everything in one nice package, over the internet. Like Snowden said, you make them work for it, as much as you can.

 

[bradl]

Still on 7. I'm going to wait. Thanks.

Did you purchase a standalone license when you got 1P7? If you did, I would not move off of that at all. This way you stay in control of your vaults.

One thing that people also don't realize with this update is that you no longer have a choice of what cloud service you want to store your vaults at. 1Password 8 now not only forces you into the subscription model, but also forces you to store your vaults only on their servers. No-where else. You do not have a choice in that.

The security implications: Since they have sole possession of your data, what happens when you cancel your subscription? Can you be absolutely certain that they will destroy your data? What if you are investigated? By law in most countries, the police would need a warrant to search and seize your property (including your data). With 1Password/AgileBits being in control of it, they are 3rd party to any warrant, so that warrant won't apply, nor will the police need a warrant to search there. All they need is a subpoena, which you would not be privy. So that leaves you with potentially not knowing that your data is in the authorities hands, encrypted, unencrypted, or otherwise.

There are some huge issues with how 1Password is handling this, let alone any SaaS, so right now if you have a way to keep local copies of your vaults and sync to those vaults, that is the best way to do it. That's why I haven't moved past 1Password 6 on my MBA, and will keep that on there until that Mac dies. for my MBP, when Apple drops Rosetta 2 in MacOS, every Intel binary will stop working, introducing a world of trouble to those who didn't update their binaries.

BL.

 

[BobSc]

Did you purchase a standalone license when you got 1P7? If you did, I would not move off of that at all. This way you stay in control of your vaults.

I'm on subscription with 7. But I don't believe 1Password will force me to update to 8. Updates that have been offered by the program, but can be skipped.

 

[bradl]

I'm on subscription with 7. But I don't believe 1Password will force me to update to 8. Updates that have been offered by the program, but can be skipped.

No, they won't force you to update to 8, because 7 is still supported, but if you were on 7 and purchased a standalone license with 7, then you would find yourself in a bit if a bind because not only did they drop support for standalone vaults, but they also shut down the servers provisioning standalone licenses, so you couldn't even purchase one now if you wanted.

In short, what they are doing is forcing everyone to the subscription model. If I wanted to go up to 1Password 7 from 1Password 6 because they are supposed to have a AS/M1 version of it, I couldn't because I couldn't get a standalone license for it. I'd have to purchase a subscription to use 1Password 7 or newer, as it would leave my standalone vault in read-only mode until I purchased that subscription. Reverting back to 1Password 6 wouldn't fix it either, as the vault would still be stuck in read-only mode. The only way I could get back to a functioning standalone vault would be a full TM restore from a backup I took before I tried to update to 1Password 7.

That said, if you are still on 7, the difference with you going up to 1Password 8 is that they would require you to store your vault on their servers, and not a cloud service of your choice (read: Dropbox, iCloud, etc.).

BL.

 

[BatCat]

I can only imagine that the fine people who post on this forum will be delighted by both the new cross-platform app and 1Password's transition to subscription pricing. Something to bring joy for everyone!

Now, if only 1Password would bring back the headphone jack...

(P.S. Call me a heretic, but I like 1Password! It's reasonably priced, has loads of good features, works well across lots of different platforms, and best of all has been absolutely rock solid reliable for years - I can't remember ever having a single outage or glitch with it. I don't know what the future holds with all this new funding they've got, but for now it's an excellent service).

Call me a heretic, but as an early supporter of a full version of their software we were promised it would always carry forward no matter what future version they published. all too quickly that promise was forgotten and trampled on. sure, it may be reasonable etc etc, however, they are showing themselves to be a company that doesn't live up to their promises. hard to trust them with our most sensitive information

 

[noraa]

Yes - you could until version 7 - now its gone.

Right… we know that, we’re talking about 1P8 not 1P7…

 

[BobSc]

No, they won't force you to update to 8, because 7 is still supported, but if you were on 7 and purchased a standalone license with 7, then you would find yourself in a bit if a bind because not only did they drop support for standalone vaults, but they also shut down the servers provisioning standalone licenses, so you couldn't even purchase one now if you wanted.

In short, what they are doing is forcing everyone to the subscription model. If I wanted to go up to 1Password 7 from 1Password 6 because they are supposed to have a AS/M1 version of it, I couldn't because I couldn't get a standalone license for it. I'd have to purchase a subscription to use 1Password 7 or newer, as it would leave my standalone vault in read-only mode until I purchased that subscription. Reverting back to 1Password 6 wouldn't fix it either, as the vault would still be stuck in read-only mode. The only way I could get back to a functioning standalone vault would be a full TM restore from a backup I took before I tried to update to 1Password 7.

That said, if you are still on 7, the difference with you going up to 1Password 8 is that they would require you to store your vault on their servers, and not a cloud service of your choice (read: Dropbox, iCloud, etc.).

BL.

Thanks for the explanation. Other than a few minor issues, I've been quite satisfied with 1PW7. I've never had a password issue. Subscriptions, for better or worse, are the new way of doing software and their price isn't unreasonable for the secure job they do to save my credentials, notes, etc.

 

[chabig]

The security implications: Since they have sole possession of your data, what happens when you cancel your subscription? Can you be absolutely certain that they will destroy your data? What if you are investigated? By law in most countries, the police would need a warrant to search and seize your property (including your data). With 1Password/AgileBits being in control of it, they are 3rd party to any warrant, so that warrant won't apply, nor will the police need a warrant to search there. All they need is a subpoena, which you would not be privy. So that leaves you with potentially not knowing that your data is in the authorities hands, encrypted, unencrypted, or otherwise.

I'm not worried about any of that because the bits on their servers are useless to anyone who does not also possess the key. Nobody knows the master password to my vault except me.

 

[sppunk]

Wait. 1P now no longer inputs passwords natively in Safari and you have to use an extension? LOL it’s like they’re trying to lose customers. The best part originally of 1P was it was seamless.

 

[WeatherWeasel]

i just hope they are secure in their databases.

 

[chabig]

Wait. 1P now no longer inputs passwords natively in Safari and you have to use an extension? LOL it’s like they’re trying to lose customers. The best part originally of 1P was it was seamless.

Safari's architecture changed with Monterey. Extensions are how Safari behavior is "extended" and the new extensions are delivered as small apps from the Mac App Store. I presently have three installed; Magic Lasso, Vinegar and 1Password. They all operate seamlessly.

Yes, 1Password 7 still works in Safari in Monterey. I suspect, though, that Apple will deprecate whatever mechanism that uses in a future macOS.

How to add and manage Safari extensions in macOS Monterey | AppleInsider

If you want to make the most of Apple's Safari browser in macOS Monterey and add some features, you can add some extensions. Here's how to get it done.

appleinsider.com

 

[bradl]

I'm not worried about any of that because the bits on their servers are useless to anyone who does not also possess the key. Nobody knows the master password to my vault except me.

The issue isn't that your data is secure because the authorities wouldn't have your master password; no.. The issue is that the vault itself is your data and it would reside outside of those you entrust to hold your data. It isn't as if only the contents of the vault are yours and the vault is 1Password's; the vault is yours along with the data inside the vault, and you should have a say as to who gets your vault, let alone the data in your vault. If the authorities get your vault, then the breach of trust has already occurred, leaving you compromised with that SaaS provider.

BL.

 

[joecomo]

Safari's architecture changed with Monterey. Extensions are how Safari behavior is "extended" and the new extensions are delivered as small apps from the Mac App Store. I presently have three installed; Magic Lasso, Vinegar and 1Password. They all operate seamlessly.

Yes, 1Password 7 still works in Safari in Monterey. I suspect, though, that Apple will deprecate whatever mechanism that uses in a future macOS.

How to add and manage Safari extensions in macOS Monterey | AppleInsider

If you want to make the most of Apple's Safari browser in macOS Monterey and add some features, you can add some extensions. Here's how to get it done.

appleinsider.com

Yes the extension handling has changed - surprisingly the 1Password plugin works best now in Edge - very smooth experience.

 

[scrm]

What’s the point of using an app that’s Mac/iOS only? You might as well just used iCloud Keychain.

For me, moving from 1P to Secrets was trivial, since it reads 1Password’s file format. It took less than a minute, and all the information from the 1P database, including when a password was last updated, was retained.

IIRC, iCloud Keychain uses CSV, so it’s not a 1:1 import.

Also, Secrets has some additional features.

But use whatever works for you!

 

[joecomo]

I'm on subscription with 7. But I don't believe 1Password will force me to update to 8. Updates that have been offered by the program, but can be skipped.

That is right - at one point in time you will probably have to update though.

So if you want the security of local vaults you should probably move to an open source solution in the year to come.

 

[joecomo]

For me, moving from 1P to Secrets was trivial, since it reads 1Password’s file format. It took less than a minute, and all the information from the 1P database, including when a password was last updated, was retained.

IIRC, iCloud Keychain uses CSV, so it’s not a 1:1 import.

Also, Secrets has some additional features.

But use whatever works for you!

Yes - however secrets seems to address more the subscription vs one-off payment issue.

Allthough I hate subscriptions - up to now Agilebits has delivered sufficient value to justify the cost.

 

[PeteBurgh]

we were promised it would always carry forward no matter what future version they published

Where did they promise that, may I ask?

I have seen them say they have 'no plans' to make such a change (including on this forum), but that's quite different from 'always no matter what'. If they have made such promises, then it's quite reasonable for people to be annoyed.

 

[parameter]

I'm on subscription with 7. But I don't believe 1Password will force me to update to 8. Updates that have been offered by the program, but can be skipped.

I'm using v7 and will stay with 7 until finding a replacement or they change their mind (highly doubtful) and put significant effort into making a new v8 that is actually a Mac native app without any Electron layers.

But a question. When I check for updates manually (just for fun, I wouldn't actually update if it allowed me to) it says there are no updates available and I'm up to date. I'm using the standalone version bought through the Agilebits website.

I would have thought that when checking manually within the 1P 7 app for updates, that it would at least say that v8 is out and that there are updates available.

Is this what others are seeing as well? Or are you actually getting an update notification when you check for them in v7? Once again, I do not plan on updating as I already made that mistake on another computer and yikes. No thank you, v8 is not even a contender anymore for me. But still curious about the "no updates available" message when actually checking for updates within the 1P 7 app. ?‍♂️

 

[sppunk]

Safari's architecture changed with Monterey. Extensions are how Safari behavior is "extended" and the new extensions are delivered as small apps from the Mac App Store. I presently have three installed; Magic Lasso, Vinegar and 1Password. They all operate seamlessly.

Yes, 1Password 7 still works in Safari in Monterey. I suspect, though, that Apple will deprecate whatever mechanism that uses in a future macOS.

How to add and manage Safari extensions in macOS Monterey | AppleInsider

If you want to make the most of Apple's Safari browser in macOS Monterey and add some features, you can add some extensions. Here's how to get it done.

appleinsider.com

But for iOS you don’t need an extension yet for 1P it is inoperable without - with Strongbox for instance it’s native.

 

[elenagen]

They are trying to spin this as just using some basic Electron parts while the main work was done in Rust. Well that really doesn't matter all that much.

It surely matters a lot that the Electron part is merely the user interface and the rest of the application is written in a robust, high performance, modern programming language.

The tons of processes are still spawned and will run the entire time your Mac is on, not just while a specific tab in a browser, for example, is open. No, 1Password will spawn those processes and grow and continue to consume increasing memory as time goes by, until you reboot and things start all over again.

Is this some deficiency of Electron peculiar to MacOS? Neither Visual Studio Code nor Slack spawn large numbers of processes nor do they need to be restarted regularly on Windows. I don't recall any issues with Visual Studio Code on MacOS either.

Your definitely right - and I actually feel confident enough with agilebits to use their cloud-service (also because it is acceptable for some less IT-savvy family members).

Still even given all the mitigations available, offering browser access is a risk.

A simple example is the password/key: On a local machine you could have a complex crytpographic key protected with an insufficient password. If the vault gets into the wrong hands it is still relatively safe because of the complex key.
If it is on the web all the cryptographic information must be reproducible from the password entered - if that is insufficient, there is a bigger risk of a successful cryptographic attack.

To log into the vault from the site you need your e-mail, secret key and master password. Based on the information available the data is decrypted the same way whether you do it in the separate application or the web browser. The only additional risk I can see is the possibility that the browser itself is compromised. But then a compromised browser could probably be used to replicate the local copy of your vault along with the keys to open it.

I am fully aware of the encryption part. I am talking about the NSA, CIA etc. not some third-party black hat hacker. They copy and store everything you send over the Internet (Snowden said to assume 100% collection) and crack it open later if they want/choose to. People I personally know, in that world, send nothing over the Internet that they do not want public. Period.

If they copy and store everything you send over the internet then it really doesn't matter where you store your password database. They'll already have every password in a nice searchable database. Unless of course you've managed to never use a password on the internet. Then you're safe.

So those people you know presumably don't really use the internet. They certainly don't use internet banking or even banks for that matter. They don't need a password manager because they simply have no use for passwords.

This is about security. So, from a security standpoint, it is a very important part. People these days, even after Snowden, don't seem to care about it but it is very important to at least keep everything client side without sending everything in one nice package, over the internet. Like Snowden said, you make them work for it, as much as you can.

Keeping everything client side means never sending any information, including your passwords over the internet. In other words not using the internet.

The security implications: Since they have sole possession of your data, what happens when you cancel your subscription? Can you be absolutely certain that they will destroy your data? What if you are investigated? By law in most countries, the police would need a warrant to search and seize your property (including your data). With 1Password/AgileBits being in control of it, they are 3rd party to any warrant, so that warrant won't apply, nor will the police need a warrant to search there. All they need is a subpoena, which you would not be privy. So that leaves you with potentially not knowing that your data is in the authorities hands, encrypted, unencrypted, or otherwise.

I doubt it matters since the data is encrypted. Frankly I don't care if they have the data if they have no means to decrypt it. And frankly if they have the resources needed to crack it then they'd be able to get at my data even if I had it stored locally. Under those circumstances I'm sure they'd simply physically break in if they had to.

As for what happens if you cancel your subscription you simply lose access to online storage. You can still export your passwords if you wish. They never have sole possession of your data because you always have a local copy on each device. That's why the product continues to be usable even when offline. Literally the only circumstance in which I could actually lose all my password data is if all my devices died and 1Password went offline permanently at the same time.

 

[orbital~debris]

"Show In Large Type" one of the best features of 1Password 7

And inspired by the similar option – via contextual-menu click – in Apple's 'Contacts', I would think.

 

[bradl]

I'm using v7 and will stay with 7 until finding a replacement or they change their mind (highly doubtful) and put significant effort into making a new v8 that is actually a Mac native app without any Electron layers.

But a question. When I check for updates manually (just for fun, I wouldn't actually update if it allowed me to) it says there are no updates available and I'm up to date. I'm using the standalone version bought through the Agilebits website.

I would have thought that when checking manually within the 1P 7 app for updates, that it would at least say that v8 is out and that there are updates available.

Is this what others are seeing as well? Or are you actually getting an update notification when you check for them in v7? Once again, I do not plan on updating as I already made that mistake on another computer and yikes. No thank you, v8 is not even a contender anymore for me. But still curious about the "no updates available" message when actually checking for updates within the 1P 7 app. ?‍♂️

There is this. Are you on an Intel Mac? If so, your time is going to be limited to when Apple drops Rosetta 2 support. When they do, you'll be either stuck on the last Rosetta 2 supported version of MacOS just to keep 1Password 7 going, or having to get a new Mac altogether. So at this point, one may be on borrowed time.

BL.

 

[svenmany]

There is this. Are you on an Intel Mac? If so, your time is going to be limited to when Apple drops Rosetta 2 support. When they do, you'll be either stuck on the last Rosetta 2 supported version of MacOS just to keep 1Password 7 going, or having to get a new Mac altogether. So at this point, one may be on borrowed time.

BL.

I think I'm not parsing what you're saying correctly. You seem to be saying that running 1Password 7 on an Intel Mac requires Rosetta. Is that right?

 

[bradl]

I think I'm not parsing what you're saying correctly. You seem to be saying that running 1Password 7 on an Intel Mac requires Rosetta. Is that right?

No.. quite the opposite. Should you get a new Mac that is running Silicon, you're on borrowed time because when Apple drops Rosetta, the Intel binary will fail.

Ahh, I see. I messed up in that post. What I was meaning was that when Apple drops ALL INTEL SUPPORT from MacOS, the user on the Intel Mac will be stuck on the last version of MacOS that supports Intel CPUs. At that point, the only options are to remain on that version of MacOS, or get a new Mac and visit either going to 1Password 8 and their subscription model, or migrating off of 1Password altogether.

BL.