Which is going to appeal more to the consumer: A 1-time $35 payment, good for lifetime, or $3/month for the lifetime of the product, until that product is no longer supported, which you would have to pay for something else, with equal or more per month for the subscription?

The point here is that the price for the subscription NEVER ENDS, where I've had the one time payment only, never having to pay for it again. Take that up to, say, 20 - 30 years, and see the difference in savings. The one to take is an obvious no-brainer here: $720 over the course of 20 years, and $1080 over the course of 30 years, versus $35 one time.

The one time is going to appeal more as they are one and done, versus something recurring all the time that when you are done with it, you may forget that you have it, and keep paying on it until you realize you've lost money from forgetting to cancel. And yes, many a person has done that.

So using that logic, a person using freeware pw manager can call your $35 one-time purchase "ridiculously expensive" compared to free. And somehow I doubt people are going to forget they have a pw manager they're paying for, seeing as most people use it constantly. I understand you want to pay a low price one-time and have the company support that software forever at no additional cost, but that ain't happening here. I don't care how many years you want to multiply the $36 by. $1080 for the daily use of a valuable piece of software for 30 YEARS?! That's an incredible deal, IMO.

Yep. And when you're being investigated for something, and you exert your 4A right to have them require a warrant to get to your phone or something physically in your possession, you then realize that your data in the cloud is in the possession of a 3rd party, who is not privy to your 4A right to needing a warrant. All that the investigators would need is a simple subpoena, which they can write and get executed themselves by simply being a Clerk of the Court, and get that third party to hand over your vault, regardless of what PINs you've put on your vault.

No, they don't have the means to get into your vault (yet), but they have the means to get your vault, without your consent; that is the problem.

No idea what you're going on about here. My post that I linked was talking about an extra suffix (or prefix or prefix + suffix if you really want to be safe) that you add to your passwords (on the websites, but not in 1Password) and MEMORIZE (i.e. you don't store it in the cloud) so that even if a third party was able to hack the password server and decrypt all your passwords, they still wouldn't actually have your passwords.
 
So using that logic, a person using freeware pw manager can call your $35 one-time purchase "ridiculously expensive" compared to free. And somehow I doubt people are going to forget they have a pw manager they're paying for, seeing as most people use it constantly. I understand you want to pay a low price one-time and have the company support that software forever at no additional cost, but that ain't happening here. I don't care how many years you want to multiply the $36 by. $1080 for the daily use of a valuable piece of software for 30 YEARS?! That's an incredible deal, IMO.

$36 for the daily use of a valuable piece of software for 30 YEARS is an even better deal. That is your telling lack, and that is simple math there.

No idea what you're going on about here. My post that I linked was talking about an extra suffix (or prefix or prefix + suffix if you really want to be safe) that you add to your passwords (on the websites, but not in 1Password) and MEMORIZE (i.e. you don't store it in the cloud) so that even if a third party was able to hack the password server and decrypt all your passwords, they still wouldn't actually have your passwords.

The point here is that no matter what safeguards that you put on your vault in the cloud, you do not mitigate the problem that your data in the cloud can be legally seized by the authorities without your consent, by use of a simple subpoena by a lawyer. No sign-off needed by a judge, no judicial approval, nothing. Yes, you can safeguard your passwords in your vault, but that won't stop the authorities from getting and possessing your vault.

You can mitigate that by not putting it up in the cloud at all. Like I said before, the Cloud is for convenience, not security.

BL.
 
Yep. And when you're being investigated for something, and you exert your 4A right to have them require a warrant to get to your phone or something physically in your possession, you then realize that your data in the cloud is in the possession of a 3rd party, who is not privy to your 4A right to needing a warrant. All that the investigators would need is a simple subpoena, which they can write and get executed themselves by simply being a Clerk of the Court, and get that third party to hand over your vault, regardless of what PINs you've put on your vault.

No, they don't have the means to get into your vault (yet), but they have the means to get your vault, without your consent; that is the problem.

BL.
Yeah but it's encrypted with a key that you possess.
 
Yeah but it's encrypted with a key that you possess.

And yet they still have your vault... in which they can use as many means necessary to crack that key to open that vault. Unless they've added it to 1Password 7 and newer, there isn't an option to automatically and securely wipe and delete all passwords in a 1Password vault after a given number of multiple failed attempts.

So, would you want to live with them having your vault let alone the means to crack the key to get into your vault as many times as they want, until they get in?

The issue isn't the key. The issue isn't the password to the vault. The issue is that the vault is in the hands of a 3rd party who is not privy to your 4A right to privacy, and can be compelled by law to give them the vault that holds your passwords.

BL.
 
Yeah but it's encrypted with a key that you possess.

Which is inherently less secure than being both encrypted with a key that I possess and the encrypted vault is not physically available to try and exploit by anyone else but me.

If a quantum computer enables brute forcing tomorrow that's no good attempting to attack my standalone vault, because you don't have it. But the cloud storage is screwed.
 
And yet they still have your vault.

BL.
Sure, but the point of an encrypted vault is that even if leaked, then people can't get into it without either a key. The weak points are your main password and probably however the key is stored locally with your fingerprint (if you use that).
 
Sure, but the point of an encrypted vault is that even if leaked, then people can't get into it without either a key. The weak points are your main password and probably however the key is stored locally with your fingerprint (if you use that).

The point is why keep your vault in a place where it could be leaked to begin with.

BL.
 
$36 for the daily use of a valuable piece of software for 30 YEARS is an even better deal. That is your telling lack, and that is simple math there.

Yes, and if someone gave me an inexpensive $10,000 brand new car for FREE, that doesn't negate the fact that $10,000 for a brand new car is still a good deal. Also, do you really think software you purchase today with a perpetual license is going to be updated for free for 30 years in order to allow it to continue to run? Doubt it. You'll end up spending more to get new versions.

The point here is that no matter what safeguards that you put on your vault in the cloud, you do not mitigate the problem that your data in the cloud can be legally seized by the authorities without your consent, by use of a simple subpoena by a lawyer. No sign-off needed by a judge, no judicial approval, nothing. Yes, you can safeguard your passwords in your vault, but that won't stop the authorities from getting and possessing your vault.

You can mitigate that by not putting it up in the cloud at all. Like I said before, the Cloud is for convenience, not security.

You're still not understanding what I'm saying. If you have a "secret key" memorized that must be added to all of your passwords to make them work, then no one is going to be able to use your passwords without that key, which isn't stored anywhere except your mind. So they'd basically possess a vault of useless (to them) passwords.
 
The point is why keep your vault in a place where it could be leaked to begin with.

BL.
Because it would cost trillions of dollars in computing power to brute force AES-GCM-256 with PBKDF2-HMAC-SHA256 anyways. If anything, you should be backing up your vault to an off-site location just in case of hardware failure.
 
Lots of people are complaining about the price, but they do offer standalone users a 50% discount for the next 3 years (3x36*0.5=$54 for 3 years) https://1password.community/discussion/comment/601917/#Comment_601917

Nice! Sort of. If they are not going to offer standalone licenses, I would like them to offer the discount above for when 1Password 7 no longer works with updated devices.

Anyway, ship has sailed. I hope that 1Password 7 works with the next macOS upgrades and devices for a few more years. Then, jumping ship to something else. I do not want to be a perpetual guest in the AgileBits hotel/motel.
 
Plus: Does either app support proper import of 1Pwd vaults (including tags, custom field etc.)?

The answer with Bitwarden was "sort of" for me. Regular logins, identities, credit cards got migrated. Some of the regular logins did have some junk (extra fields) I had to clean up. Other 1Password categories (software licenses, wireless routers, etc) and tags did not get imported properly.

Because it would cost trillions of dollars in computing power to brute force AES-GCM-256 with PBKDF2-HMAC-SHA256 anyways. If anything, you should be backing up your vault to an off-site location just in case of hardware failure.

This. People are glossing over the fact that if you have a very strong master password it could take centuries of retries to get into it.
 
Nice! Sort of. If they are not going to offer standalone licenses, I would like them to offer the discount above for when 1Password 7 no longer works with updated devices.

I’m pretty sure you’re going to need to take advantage of it now.
I doubt it will be there down the line
 
So, after reading through all these comments, it comes down to that it's either that we are all nerds and that 1% which doesn't like to be forced into a subscription. Or that „99% of all users prefer the subscription model“ claim is plain marketing bogus. I guess we all know the truth.

Time to move on or at least to prepare. I have plenty of customers which are still using their 5-favorite-password-carousel-scheme, and which I need to introduce to the password manager concept. Guess what: It won't be 1Pwd any longer. The ship has sailed.

So Strongbox and Bitwarden have been suggested a few times here. Both look appealing.
Can someone write down the pros and cons of either app? Does either app have a K.O. criteria?

Plus: Does either app support proper import of 1Pwd vaults (including tags, custom field etc.)?


A side-by-side feature & pricing comparison table would be nice to have.
Bitwarden doesn't specifically state if the import supports tags and custom fields. You will need to contact the developer on that.


Strongbox in importing



I took the long route and slowly created my Strongbox and Bitwarden vaults from scratch, even though I could import from 1password. I found that the import to Bitwarden didn't look as clean as I wanted, and believe it or not, creating new was a lot easier than trying to reorganize all the imported entries.

What is a K.O. criteria?

Strongbox has a very nice user interface and if you want to change your master pass, you don't have to jump through all the hoops you do with 1Password.
 
The answer with Bitwarden was "sort of" for me. Regular logins, identities, credit cards got migrated. Some of the regular logins did have some junk (extra fields) I had to clean up. Other 1Password categories (software licenses, wireless routers, etc) and tags did not get imported properly.



This. People are glossing over the fact that if you have a very strong master password it could take centuries of retries to get into it.
+1 for the strong master password mention. Mine is 41 characters long for Strongbox. Nobody is going to brute force me. :D
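An added illustration, not part of the thread or any poster's words, of the offline-guessing cost argued over in the posts above (a vault copy protected by PBKDF2-HMAC-SHA256, and the "very strong master password" point). It times one key derivation on the local machine and estimates the expected search time for master passwords of different entropy. The iteration count, the attacker speed-up factor and the three sample password shapes are assumptions chosen for the example, not figures from 1Password or the thread.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ITERATIONS = 100_000          # assumed PBKDF2 work factor (not stated in the thread)
ATTACKER_SPEEDUP = 1_000_000  # assumed: attacker hardware relative to this machine


def entropy_bits(alphabet_size, length):
    """Entropy of a secret of `length` symbols chosen uniformly at random.
    Human-chosen passwords carry far less entropy than this upper bound."""
    return length * math.log2(alphabet_size)


def measure_guess_rate(iterations=ITERATIONS, samples=3):
    """Guesses per second this machine achieves, one PBKDF2 derivation per guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def years_to_search(bits, guesses_per_second):
    """Expected years to hit the secret: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def report(guesses_per_second):
    """(label, entropy in bits, expected years) for three constructed password shapes."""
    candidates = [
        ("8 random lowercase letters", entropy_bits(26, 8)),
        ("4 random diceware words", entropy_bits(7776, 4)),
        ("41 random printable ASCII chars", entropy_bits(95, 41)),
    ]
    return [
        (label, round(bits, 1), years_to_search(bits, guesses_per_second))
        for label, bits in candidates
    ]


if __name__ == "__main__":
    local_rate = measure_guess_rate()
    print(f"local rate: {local_rate:.1f} guesses/s at {ITERATIONS} iterations")
    for label, bits, years in report(local_rate * ATTACKER_SPEEDUP):
        print(f"{label:34s} {bits:6.1f} bits  {years:.3g} years")
```

The key stretching multiplies the cost of every guess by a fixed factor, while each extra bit of master-password entropy doubles the search, so the password's randomness dominates the result once someone else holds a copy of the vault.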
 
Plus: I trust the iCloud drive more than having my password vault sitting on AgileBits’ servers.

First
You are not trusting a service, you are trusting a brand. Apple iCloud (the brand and service you trust) and AgileBits use the same infrastructure from Amazon AWS for storage. Amazon AWS powers almost every company that relies on global cloud services, including parts of Apple iCloud. Apple also relies heavily on Google Cloud services for iCloud storage.

This is the biggest paradigm from users without IT education. If you don't trust AgileBits, I invite you to read and learn about the security model of 1Password.

Second
I've been a 1Password user since 2.9, or for 13 years. I have been using vaults from Local, syncing from WiFi, Dropbox, iCloud and for the last 2 years from 1Password.com Sync, and in this day and age with lots of devices connected the best experience I have had is from my.1Password.com, very fast sync and very reliable all the time because of the good Amazon AWS infrastructure. My worst 1Password experience was with iCloud Sync.

People are very happy paying a $9.99 subscription for Apple Music for their entertainment but complain about paying $2.99 to protect and store their own private stuff and online security.
 
Yes, and if someone gave me an inexpensive $10,000 brand new car for FREE, that doesn't negate the fact that $10,000 for a brand new car is still a good deal. Also, do you really think software you purchase today with a perpetual license is going to be updated for free for 30 years in order to allow it to continue to run? Doubt it. You'll end up spending more to get new versions.

Sometimes it doesn't need to be updated to work exactly how you need it. Prime example: I'm on 1Password 6.8.9, and have been since 2018. It hasn't been updated since, and suits all of my needs perfectly. Pair that with the fact that I'm still on a mid-2011 13" MBA on Sierra, which right now still suits my needs. I've been on that Mac for 10 years. Both with those perpetual licenses that are still working fine for me to this day, because It Just Works[tm].

My problem is coming in with needing to get a new Mac this fall, in which if the standalone for 1Password 7.x is still available, I'll get that, because I'll be dealing with an architecture change (x86-64 to M1), in which 1Password 6 will no longer work.

The disconnect you're having is that yes, a $3/month is a good deal for someone new coming into 1Password. But for someone who is coming from 6-10 years prior use of it with a standalone license that they have had for those 6-10 years? Not a good deal.

You're still not understanding what I'm saying. If you have a "secret key" memorized that must be added to all of your passwords to make them work, then no one is going to be able to use your passwords without that key, which isn't stored anywhere except your mind. So they'd basically possess a vault of useless (to them) passwords.

That secret key is still part of a password that has to be added to the password string to open your vault and use what is inside it, making that secret key just another part of what they will get through to get to your vault. That does you no good, either.

So let's ask this: which is more viable to the consumer: Having a vault completely in your possession, in which the authorities would have to require a warrant to get that vault from you (your 4A right), let alone another warrant for the passwords to that vault (violating your 5A right)...

.. Or having your vault stored somewhere else where they can easily get to your vault, and use whatever means necessary to get into your vault to get the data they are looking for, thereby circumventing both your 4A and 5A rights, regardless of any secret key being written down, memorized, or otherwise?

If the latter, then congratulations; you just provided impetus and onus for what the Feds did in the San Bernardino case, as well as Cellebrite.

BL.
 
Crap! I have used 1Pass since v.4.

My problem is not the fee model but that our company does not allow sensitive data stored outside our self-hosted servers. I sync my MacPro/Macbook vaults which are stored on our Nextcloud server, works perfectly, my iPhone with Wifi sync.

This sucks!
 
The disconnect you're having is that yes, a $3/month is a good deal for someone new coming into 1Password. But for someone who is coming from 6-10 years prior use of it with a standalone license that they have had for those 6-10 years? Not a good deal.

I'd slightly modify that to say "Not AS good of a deal, but still worth it." If it were a bad deal, then the company would be bankrupt because people wouldn't subscribe.

That secret key is still part of a password that has to be added to the password string to open your vault and use what is inside it, making that secret key just another part of what they will get through to get to your vault. That does you no good, either.

No, I'm not talking about your master password. Obviously the master password is what it is. I'm talking about your individual passwords for various websites. Pretty clearly explained in the post I linked you to originally.
 
I dropped them like a bad habit when they changed their licensing model to absolutely ream their customers. I went to a self-hosted application called BitWarden. I can add as many users as I want, share with family, all for free, all secure and encrypted. It runs on MacOS using Docker and is pretty straightforward to install. Getting it working over the Internet so you can sync when you're away from home is trickier but there are guides. If you don't want the hassle you can just sync the database when you get home on your WiFi.
 
I dropped them like a bad habit when they changed their licensing model to absolutely ream their customers. I went to a self-hosted application called BitWarden. I can add as many users as I want, share with family, all for free, all secure and encrypted. It runs on MacOS using Docker and is pretty straightforward to install. Getting it working over the Internet so you can sync when you're away from home is trickier but there are guides. If you don't want the hassle you can just sync the database when you get home on your WiFi.
For those curious about Bitwarden, they offer a premium version which offers a few extra bells and whistles for $12 a year. I think it is worth the price. I have been happy.
 
Sorry for the confusion. In case there were ever to be a problem with getting Strongbox open, I have an identical vault with Bitwarden.

Oh okay. Makes sense. I always thought about storing my 2FA on another vault using another master password. But that might be a bit too much. Haha.
 