Security Experts Wary as 1Password Subscriptions Push Users to Cloud-Based Vaults

[MacRumors]

Password manager app 1Password caused consternation in some quarters of the security community over the weekend when it emerged that the service's new subscription-based model will push users to adopt a cloud-based password storage system over locally stored password vaults.

Previously, 1Password was offered as a one-time license purchase that enabled users to store their passwords in an encrypted local vault, which security researchers say is more secure than keeping user data in a remote server because hackers are forced to break into a specific device.

Going forward, the service will push customers to monthly subscription plans that serve up remotely stored password vaults through the 1Password.com website. This allows users to access their passwords from any computer by logging into their account, but as noted Motherboard, the change has not been universally welcomed.

Unfortunately, @1Password is betraying their users and moving to a subscription-only service. This is unfortunate. We cannot recommend them. - Crypto Village (@CryptoVillage) July 10, 2017

1Password responded to criticism on Twitter by saying that it had no plans to remove support for locally stored vaults for users who had purchased the app, but that it was advocating subscription-based memberships because "we feel it's the best way to use 1Password".

"We want our customers to get the best. Some people won't agree with that (which is fine!) so we'll work with them to get set up how they want, but for 99.9 percent of people, 1Password.com is absolutely the way to go," Connor Hicks, an engineer at 1Password, told Motherboard.

1Password's new cloud-based option costs $2.99 per month (or $4.99 for an account for up to five people). However, 1Password developer AgileBits reiterated it had no immediate plans to remove support for local/Dropbox/iCloud vaults, and that it was open to speaking with customers to "help them determine if a one-time license is really what's best for them".

Article Link: Security Experts Wary as 1Password Subscriptions Push Users to Cloud-Based Vaults

 

[drumcat]

They won't survive if they don't take the high road. LastPass is $1/mo. We don't want it at that price, either.

 

[X--X]

What a betrayal, what a deeply saddening disappointment.

 

[PilotWoo]

They won't survive if they don't take the high road. LastPass is $1/mo. We don't want it at that price, either.

Couldn't agree more. I don't mind them charging me a fee for upgrading between major versions, but my password data is staying local and isn't going in the cloud. That press release is just a large flag saying "come and hack us".

 

[glowplug]

reaching for the holy grail of a subscription model. the demise of so many great software products/companies.

 

[KALLT]

Perhaps I am missing something here, but what is the criticism actually based on? It seems that AgileBits denies sunsetting either local storage or one-time purchases.

As long as they continue to offer the option to store everything locally, I see no problem. They have always been piggy-backing on other sync services and offered syncing over Wi-Fi, but I can see clear advantages for a server-based solution of their own. Apple is doing this too, after all (e.g. iCloud Keychain and iMessage in iCloud). They even place iCloud prominently in the device setup.

I oppose the subscription model too, but so far they haven’t announced whether this will be the only way to obtain 1Password in the future. They also have not given a ‘cut-off date’ for standalone updates and have been very generous (having paid for 1Password at least 5 years ago – I cannot even remember when). Even if they do require a subscription, to me that would mean that the service would become more expensive and I'd have to consider whether that price is still worth it to me.

reaching for the holy grail of a subscription model. the demise of so many great software products/companies.

However, this is the kind of product you always want to have the latest version of, at least I do. I expect from them to improve the security and fix security bugs. I am already relying on them in terms of a service, not so much a standalone product.

 

[KennyFan]

1Password is probably the most trustworthy password manager for macOS, but I'll never trust them with storing my passwords online. I wouldn't mind paying for a subscription if they add proper support for self hosting on iOS.

 

[Val-kyrie]

If they remove local storage, my family and I are out. Apple's Keychain would work for passwords and that is free.

What other options remain?

 

[X--X]

Perhaps I am missing something here, but what is the criticism actually based on? It seems that AgileBits denies sunsetting either local storage or one-time purchases.

They are b.s.ing - all they are saying is you can keep using your current license.

There will be no new version with local vaults, there will be no offical way of purchasing a license (for new users) and the windows version already does not include a way to even create a local vault.

The way they want to go is clear, they are just trying to lull people into silence.

It's disgusting, I have to say it in those strong words.

 

[Avieshek]

Only Westerners use this thing. Ridiculous.
(Go to Japan, Come to India [and China? Haha] there is no existence of 1Password, America seeks convenience for everything than goes to discover a problem that never existed at first place. The credit card structure have ruined the minds of people.)

 

[HobeSoundDarryl]

"The future"
"Trust the cloud"
"Who needs big local storage when everything can be stored in the cloud?"
"In a few years, we'll need almost no local storage because we'll have unlimited storage in the cloud"
Etc.

 

[err404]

Seems fine to me. In theory this addresses a major limitation that I have with the current version where I can not access my passwords if I misplace my phone. That said, the cost is too high for me to leverage this. I feel they are overstating their own value and uniqueness in the industry and are relying on the inconvenience of switching vendors to entice subscriptions.

 

[dsburdette]

Couldn't agree more. I don't mind them charging me a free for upgrading between major versions, but my password data is staying local and isn't going in the cloud. That press release is just a large flag saying "come and hack us".

+1. And they will get hacked. This isn't a recipe site, it's a freakin' password repository. Where would you place your hacking efforts?

 

[afd]

I’ve used 1Password for years but bought the apps. That last line in the from Agile bits suggests you can still buy the apps but I can’t see anywhere on their site where you can do this.

 

[KALLT]

They are b.s.ing - all they are saying is you can keep using your current license.

There will be no new version with local vaults, there will be no offical way of purchasing a license (for new users) and the windows version already does not include a way to even create a local vault.

The way they want to go is clear, they are just trying to lull people into silence.

It's disgusting, I have to say it in those strong words.

But it is still conjecture and a bit harsh to criticise them in this way without evidence. The Windows version has always been subpar, I am surprised they even bother. That the Windows version lacks features is thus not a reason to assume that the next macOS/iOS versions will drop this too.

If anything, you can criticise them for their really tacky marketing.

 

[X--X]

this addresses a major limitation that I have with the current version where I can not access my passwords if I misplace my phone.

B.S.

I have 1Password on my Mac Pro, my MacbookPro and my iPhone and they all sync via local network and are always up to date AND it's stored LOCALLY (encrypted 1P-Vault and additional encryption via Apple FileVault).

That's why I loved 1Password, it was their USP.

I would never store my passwords on someone else's computer/server.

 

[KennyFan]

Perhaps I am missing something here, but what is the criticism actually based on? It seems that AgileBits denies sunsetting either local storage or one-time purchases.

I don't see any way to purchase the new 1Password app for Windows without online subscription. I doubt the next Mac version will work without their service.

 

[RGPphotog]

If they remove local storage, my family and I are out. Apple's Keychain would work for passwords and that is free.

What other options remain?

iCloud Keychain.

oh wait... that's in the cloud.
But that's probably their reasoning behind this decision; customers want the accessibility of the cloud. And if the cloud reduces friction for customer experience (damm the tradeoff) then perhaps everyday customers (not those who post in security/Mac forums) will more likely buy-in?

 

[KALLT]

I don't see any way to purchase the new 1Password app for Windows without online subscription. I doubt the next Mac version will work without their service.

Last time I checked, they had purchase link in the support section. Can’t find it at the moment. Maybe they did stop offering one-time purchases altogether now, in which case I will concede that point. Still, so far I am receiving updates and I will be reviewing my option when the time comes. Still not seeing any evidence on them discontinuing the local storage though.

 

[err404]

B.S.

I have 1Password on my Mac Pro, my MacbookPro and my iPhone and they all sync via local network and are always up to date AND it's stored LOCALLY (encrypted 1P-Vault and additional encryption via Apple FileVault).

Relax. My limitations are not yours. My main limitation would be from machines that I do. It administer. For example my work machine. Web access would be of value to me. For the record I am not afraid for the hacking boogie man. I expect a site maintained by established security experts to be reasonably safe. Almost every hack that you see online is the result of some amateur mistakes.

 

[miknos]

Another company that's trying to get people to pay many times for the same product.

I gladly pay subscription for something like Netflix, Hulu, Apple Music... things that CONSTANTLY come up with new content. I can't say the same for (almost) all apps.

 

[PilotWoo]

They are already making it harder for you to buy the app and store data locally. The option is hard to find (for most users) and all the defaults point you to a subscription and cloud hosted data.

Give is 6 months or so and their next press release will be "our subscription model is so successful, we are ending support for local vaults". Mark my words.

 

[chrfr]

Last time I checked, they had purchase link in the support section. Can’t find it at the moment. Maybe they did stop offering one-time purchases altogether now, in which case I will concede that point. Still, so far I am receiving updates and I will be reviewing my option when the time comes. Still not seeing any evidence on them discontinuing the local storage though.

Version 6 for Windows is subscription only. It only supports working with vaults saved on 1Password.com so it’d be completely useless without the subscription.
https://discussions.agilebits.com/discussion/comment/374775/#Comment_374775
One has to assume that 1Password for Mac will make this same transition at some time. At that point I’ll abandon 1Password after using it for many years.

 

[glowplug]

I expect a site maintained by established security experts to be reasonably safe.

this wins the Internet for today.

 

[Crosscreek]

This is bad. I want my money back!!!