In my testing, it's stored in the browser itself. After logging in using Chrome for example, if I go to Safari the Secret Key field is empty.

I can get rid of the Secret Key field in Chrome by clearing my cookies for the site.

Interesting :) Then either that security researcher is lying or 1P are lying :)
 
No local vault storage possibility + forced subscription model = goodbye, greedy company. Subscription model for a pwd app is simply ridiculous anyway. Time to start searching for a reasonable alternative.. They are a bunch of liars presenting this as the best option for 99.9% of users. Worst PR ever.
 
Remember the previous conversation on this community right here when they moved to subbed, and we expressed concern and that their ceo or whatever came here to post to address that our concerns are invalid, and that their current model won't change and things will be the same, that it's just a subscription model, blah blah..

It's hard to find on their site where to get the stand alone, and now they're pushing for a remote hosted solution (EXACTLY THE F* REASON WE DO NOT GO WITH THEIR COMPETITION..sorry) and they have the guts to say "there are no plans to remove local vaults", yeah right, give it another 7 months then I guess..

No, this company is going in the wrong direction, just like Dropbox removing the direct link option in their grandfathered-in /public folder that they pulled right from under the noses of their paying Pro users (yes, I stopped using Dropbox). And I am afraid that instead of making almost daily recommendations to others, I can no longer support telling people to go there, get the stand alone (NOT THE SUBSCRIPTION) option (if they can even find it) and get it while they can.. that I simply stop recommending it.

They're not getting my money anymore, and we will move as soon as the stand alone option (Actually) gets pulled or we're forced to not host it local.

Give them all our content, encrypted or not .. WHY . .. WHY on earth would you do that.. when *everything* has leaked to the net so far. Why would they be any different.

Idiots. And if they take offense, so what.. we're the ones paying their salary, we're the ones that are actually offended.

Companies never learn, and if anybody thinks I am wrong or overreacting, .. why is this even news on this site in the first place? .. I am reacting because I think it's a big shame to see something that works, and works well, and does things right, .. make changes that show they are just like their competition now and can no longer be trusted with our financial investment in their products and services.

Right now "we will keep a stand alone product" will change eventually to "we put more focus on subscriptions and don't update so often" to "nobody is using it anymore, so we are dropping Sierra support.." a few years after.. and eventually we get that apology email that their servers were physically removed from the data center and that we honestly have nooooothing to worry about, even if they actually have all our data, it's encrypted and we totally don't have to worry.. because everybody's master password is obviously 50+ random characters .. riiight
 
Interesting :) Then either that security researcher is lying or 1P are lying :)

From the page you mentioned here is the wording:

If you lose your Secret Key, you won’t be able to sign in to your account on new devices. Fortunately, you’re not expected to remember it. It’s safely stored in 1Password on your authorized devices. A copy of your Secret Key is also kept in the following places:

  • your web browser, if you sign in to 1Password.com
  • your iCloud keychain, if you use 1Password on a Mac, iPhone or iPad and have iCloud Drive enabled in Settings
  • your Android device backup, if you use 1Password for Android and have backup enabled in Settings
These copies of your Secret key will help you sign in more easily and offer some protection if you lose a device. But you’ll still always want to keep extra copies for yourself.

So I read that as:

1) It’s safely stored in 1Password on your authorized devices - this means it's stored in the 1Password app itself.

2) your web browser, if you sign in to 1Password.com - this means it's stored in that browser only.

3) your iCloud keychain, if you use 1Password on a Mac, iPhone or iPad and have iCloud Drive enabled in Settings - this one confuses me.....as I'm not sure where technically it's stored and where/how it gets used.

-Kevin
 
From the page you mentioned here is the wording:

So I read that as:

1) It’s safely stored in 1Password on your authorized devices - this means it's stored in the 1Password app itself.

2) your web browser, if you sign in to 1Password.com - this means it's stored in that browser only.

3) your iCloud keychain, if you use 1Password on a Mac, iPhone or iPad and have iCloud Drive enabled in Settings - this one confuses me.....as I'm not sure where technically it's stored and where/how it gets used.

-Kevin

Too many variables that we don't know, so we can't know unless someone from 1P chimes in.. The poster here specified that the security researcher used a fresh browser to test this out but didn't mention what OS he was using and whether he maybe had the macOS app installed (perhaps the browser queries the app, if it exists, for a secret key?). Anyway, it sounds fishy and I don't believe that a well-known company would just "sell the idea" that the secret key contributes to security but doesn't do anything in real life :)
 
No local vault storage possibility + forced subscription model = goodbye, greedy company. Subscription model for a pwd app is simply ridiculous anyway. Time to start searching for a reasonable alternative.. They are a bunch of liars presenting this as the best option for 99.9% of users. Worst PR ever.
$36.00 a year is unreasonable to you?

In my opinion, three dollars a month for a quality app that has regular updates and staff that respond promptly to questions and concerns is worth it.

Do you expect the developers to keep working and updating the app for life for free? Don't they deserve some remuneration?

Do you work for free?
 
Not sure why this is news and why everyone is up in arms. 1Password broke this news close to a year and a half ago. They even had a huge thread on this forum about it. Everyone praised it and loved it. A few didn't like it, but nothing like it is now.

This click bait posting crap is getting absurd. One site is "concerned" about this or that and literally has no basis for it. For all we know, it's a competitor slinging mud.

I had 1Password local. It was fine, cool, must have bought it at least 3 times because of different platforms. I ponied up the money for 1 yr sub. and couldn't be happier. Do I care if my passwords are in the cloud? No. It's secure. 1Password is a great company and has never had an issue.

All the "cloud is hackable" people whining about this and going to Apple's Keychain - umm, that's in the cloud too. Lol

Calm down people. You don't want it, don't like it - don't buy it.
 
$36.00 a year is unreasonable to you?

In my opinion, three dollars a month for a quality app that has regular updates and staff that respond promptly to questions and concerns is worth it.

Do you expect the developers to keep working and updating the app for life for free? Don't they deserve some remuneration?

Do you work for free?

1Password was never free unless you were fine with limited functionality on your iPhone only.
 
I still like the xkcd method. However I use several languages instead of just English. I had my Twitter and Netflix accounts attacked several times. After going to xkcd, it has never happened again.

I know some think it's no longer secure but it all depends on what words you're using. The more obscure the better.
The key to creating secure passphrases using this method is that you need to select the words in a truly random fashion (e.g. by rolling dice like in Diceware). If you select the words yourself, you probably get a heavy bias for specific sets of words that can be exploited by password crackers. Remember that everybody tries to pick what they consider obscure. ;)
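To make the point about random selection concrete, here is an added example (not code from the original post or from any password manager) that builds a Diceware-style passphrase by rolling dice with the OS's cryptographic random source and that puts numbers on the entropy: the 36-entry word list is constructed for the demo (a real Diceware list has 7776 entries and uses five dice), and the 200-word "personal favourites" pool is an assumed figure used only to show how much a human-chosen set shrinks the search space.

```python
import math
import secrets

# Constructed toy word list for the demo: 36 entries, so two dice (6**2) index it.
# A real Diceware list has 7776 = 6**5 entries and is indexed by five dice per word.
TOY_WORDLIST = [
    "anchor", "basket", "cobalt", "dragon", "ember", "falcon",
    "garnet", "harbor", "ivory", "jungle", "kettle", "lantern",
    "marble", "nectar", "orbit", "pepper", "quartz", "ribbon",
    "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bishop", "canyon", "dune",
    "eagle", "fjord", "glacier", "hammock", "iguana", "juniper",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list


def roll_dice(n_dice):
    """Roll n_dice fair dice using the OS CSPRNG; each face is 1..6."""
    return [secrets.randbelow(6) + 1 for _ in range(n_dice)]


def dice_to_index(rolls):
    """Read dice faces as a base-6 number: [1,1,...] -> 0, [6,6,...] -> 6**n - 1."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("dice face must be 1..6")
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(wordlist, n_words, n_dice):
    """Pick n_words uniformly at random from wordlist by rolling n_dice per word.

    The list size must be exactly 6**n_dice, otherwise some words would be
    unreachable or over-represented and the selection would no longer be uniform.
    """
    if len(wordlist) != 6 ** n_dice:
        raise ValueError("wordlist size must equal 6 ** n_dice for unbiased selection")
    return " ".join(wordlist[dice_to_index(roll_dice(n_dice))] for _ in range(n_words))


def entropy_bits(pool_size, n_words):
    """Entropy of n_words chosen independently and uniformly from pool_size words."""
    return n_words * math.log2(pool_size)


def words_needed(pool_size, target_bits):
    """Smallest number of words from the pool that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print(generate_passphrase(TOY_WORDLIST, 6, 2))
    print(f"6 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    # Assumed figure: a person's set of "obscure" favourite words is rarely larger than this.
    print(f"6 words from a 200-word personal set: {entropy_bits(200, 6):.1f} bits")
    # Using two languages only helps if the dice choose over the pooled list.
    print(f"6 words from two pooled 7776-word lists: {entropy_bits(2 * DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"Words for 80 bits from one Diceware list: {words_needed(DICEWARE_LIST_SIZE, 80)}")
```

The entropy figures are what matter for an offline guessing attack on a stolen database: six dice-chosen Diceware words give about 77.5 bits, while the same six words drawn from a 200-word favourite set give about 45.9 bits regardless of how obscure each word feels. Mixing languages adds one bit per word only if the dice select across the combined list.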
 
No local vault storage possibility + forced subscription model = goodbye, greedy company. Subscription model for a pwd app is simply ridiculous anyway. Time to start searching for a reasonable alternative.. They are a bunch of liars presenting this as the best option for 99.9% of users. Worst PR ever.

Yeah, terrible people for updating their app and providing the best security they can at a reasonable price. Why not just buy a password app from the App Store that hasn't been updated in 2 years. Such liars they are!

They only told EVERYONE about this a year and a half a go. ON HERE!

Also, nobody is forcing you to do anything. You always have a choice.
 
They only told EVERYONE about this a year and a half a go. ON HERE!

ON HERE... is where they promised over and over again that the stand alone license version is not going away and that they would continue to develop and offer it.... that subscription is only a second option.

They lied.

Also, nobody is forcing you to do anything. You always have a choice.

No you don't. That's the whole point of this thread.
 
EDITED: Sorry, gang - as x--x has kindly pointed out to me, I appear to have mistakenly replied to a side-conversation about Enpass. Feel free to ignore the below comments if you like -- though coincidentally much of what I said is still applicable, namely: if you've already trusted an app (by using it) for which you personally haven't reviewed the source code, it's a bit late to worry about them "turning evil" later. I love the work of the FOSS community...but open source isn't a panacea.

For one thing, if YOU don't review the source code, then you're trusting those who did, which seems not that different from trusting the developers themselves. And usually by the time a comprehensive review goes public, the dev in question has made at least one incremental update, rendering the entire exercise moot, as who knows what might've been added in an incremental update.

ORIGINAL POST:
How do you know it's not transmitted, is the app open source?

It's a matter of trust in the company.
No, it's not an open-source app and never has been. Which is one of the reasons I find all this sudden attention amusing -- people who were perfectly OK trusting a non-open-source app with all their most sensitive/secure data up until last week are now asking if the company making that app are suddenly evil and doing nefarious things. It's like: if AgileBits are evil, that boat's already sailed, man. The time to insist on 100% transparency in your app was before you started using it X years ago.

Of course, there have been no reports of AgileBits stealing users' data, nor any breaches of encrypted data, either in the "old" 1Password app or in the new hosted service...so again, not sure what the fuss is about.
 
...IF your database is stolen, you should be totally fine. It's designed so that if the files are stolen, they are essentially useless.
YES! This is why not only AgileBits but many other password managers including KeePass offer or at least refer to cloud syncing: because it's convenient as heck and doesn't depend on the security chops of the cloud service in question, but rather on the math of encryption.
But it would be prudent to reset passwords when you can to be doubly sure. Because if someone has your database, the only thing that protects it is your master passphrase.
Actually, AgileBits claim to have something no other password manager has, on their online accounts: Two-Secret Key Derivation
 
It's a matter of time until Agilebits drops features for the 1-time purchase customers and then stops updates altogether with the aim to sell the subscription model. You can see this coming a mile off - every company does this.
It's exactly what the 'free' and paid version of 1Password on a different scale.

Sorry Agilebits, the decline starts here. You'll be another Evernote soon enough.
 
There is one developer that has committed to keeping data on your device, not in the Cloud. It's Ascendo. They have written a blog post about their Distributed Security Model that underscores the inherent weakness of centralized repositories and provides an alternative. http://blog.ascendo.co/distributed-security-model-password-management.html I have been using DataVault Password Manager for many years and I really like it.
 
https://krebsonsecurity.com/2015/06/password-manager-lastpass-warns-of-breach/ has the details. They didn't get the files, but they got account info like the password hints. And here are 2 interesting comments about lastpass's 2FA:

Hans
June 17, 2015 at 4:28 am

Keep in mind that 2-factor only protects against unauthorized access of the LP infrastructure (website etc). In case your vault is stolen and they are able to crack your master password, the 2-factor will not help you.

AFAIK, your vault is not encrypted with the 2nd factor. At least, I cannot reason how they would do this, as the 2nd factor is a changing number.

LP claims that there is no evidence that the vaults have been copied. (but a very good hacker is able to remove his traces…right? ), so you (and me) will be ok….


Matt
June 18, 2015 at 12:11 am

+1

So many lastpass users (of which I am one for my low to medium security passwords) do not understand this. And lastpass marketing doesn’t really do a lot to clear this up. The only protection on your encrypted password list is your passphrase. The second factor just controls whether lastpass gives you the encrypted list.

If the attackers get your encrypted list (which it doesn’t look like they did in this case), then the second factor provides zero extra protection.

Good to know. Thanks.
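The two quoted Krebs comments and the earlier mention of Two-Secret Key Derivation describe the same design question from opposite sides: what a thief who has only the encrypted vault file can do offline. The model below is an added example written for this thread, not 1Password's, AgileBits' or LastPass's code; the PBKDF2 iteration count, the simplified one-block HKDF, the key-check value standing in for the authenticated ciphertext, and the XOR combination of the two keys are all assumptions chosen to illustrate the idea, not any product's actual key schedule.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for the illustration; real products choose their own.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def password_key(master_password, salt):
    """Key material from the master password alone (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def secret_key_material(secret_key):
    """Simplified one-block HKDF (extract with a zero salt, then expand) over the
    random Secret Key held on the device. Illustration only, not a product's schedule."""
    prk = hmac.new(b"\x00" * KEY_LEN, secret_key, hashlib.sha256).digest()
    return hmac.new(prk, b"vault-key" + b"\x01", hashlib.sha256).digest()[:KEY_LEN]


def vault_key(master_password, salt, secret_key=None):
    """Single-secret model when secret_key is None; two-secret model otherwise,
    where two independently derived keys are combined with XOR so that guessing
    the password alone never yields the vault key."""
    key = password_key(master_password, salt)
    if secret_key is None:
        return key
    extra = secret_key_material(secret_key)
    return bytes(a ^ b for a, b in zip(key, extra))


def make_vault(master_password, secret_key=None):
    """What gets stored. The key-check value stands in for the authenticated
    ciphertext: anyone holding the file can tell a right key from a wrong one
    with no server involved, which is exactly why the second factor cannot help here."""
    salt = secrets.token_bytes(16)
    key = vault_key(master_password, salt, secret_key)
    kcv = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "kcv": kcv}


def unlock(vault, master_password, secret_key=None):
    """Purely local check; the holder of a stolen vault file can run this offline."""
    key = vault_key(master_password, vault["salt"], secret_key)
    probe = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(probe, vault["kcv"])


def server_releases_vault(expected_code, presented_code):
    """The second factor gates the download of the vault from the service.
    It is never an input to vault_key, so once the file is stolen it adds nothing."""
    return hmac.compare_digest(expected_code, presented_code)


def demo():
    # Single-secret model: only the master password stands between a stolen file
    # and its contents; no one-time code is asked for anywhere on this path.
    v1 = make_vault("correct horse battery staple")
    stolen_without_2fa = unlock(v1, "correct horse battery staple")   # True

    # Two-secret model: the same password is useless without the Secret Key,
    # 128 random bits generated on the device and never typed or emailed.
    sk = secrets.token_bytes(16)
    v2 = make_vault("correct horse battery staple", sk)
    password_only = unlock(v2, "correct horse battery staple")        # False
    with_both = unlock(v2, "correct horse battery staple", sk)        # True
    return stolen_without_2fa, password_only, with_both


if __name__ == "__main__":
    print(demo())
```

Read `unlock` as the attacker's side of the story: in the single-secret model every guess at the master passphrase can be verified against the stolen file at PBKDF2 cost, and `server_releases_vault` is never consulted. In the two-secret model a stolen file still needs the device-held random key, so an attacker who has the file but not the device faces the passphrase's entropy plus the Secret Key's 128 bits. The flip side, which the 1Password wording quoted earlier is about, is that the Secret Key has to live somewhere on every authorized device and in any backup of it.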
 
The subscription is one of two choices offered. One can use 1Password without purchasing a subscription. The older business option is still in place, as confirmed by 1Password.
My bad...the subscription option is the only option for Windows. The stand-alone purchase still exists for Mac OS.

For now.
I think you are mistaken. I have the non-subscription model and it was available from here.

https://agilebits.com/store
My bad...it is the Windows version that is subscription only. Since this is a forum primarily of Mac users, please disregard my post.
 
Curious - how are you syncing between the desktop and mobile versions of Enpass? Don't you have to use a cloud service?

Also the Enpass apps look interesting.....it's just the pricing that worries me. How can a company survive when all they are getting from a single user is $9.99 and that user gets a lifetime license?!?
I'm sceptical. It's an Indian company and we don't know anything about their privacy laws. There's no information about the dev team either.

They promised to have Enpass audited by a 3rd party. That won't happen until version 6 though.

I'll wait.

https://discussion.enpass.io/index.php?/topic/404-security-audit/&
 
They don't; we should all just not use web banking, not use backups of our devices, etc. Going back to the old way of going into the bank or an ATM every time you need your balance, and losing everything when you drop your phone, is nowhere near convenient to do these days in people's busy lives, nor the way people depend on their data being accessible at all times.

There has to be SOME level of realization of risk in the discussion, with everything on the internet, without a tinfoil hat on saying "omg it will be stolen, I don't trust anyone". At some level EVERY person here is trusting some company via the internet, even MacRumors!

FYI, I would NEVER use a password manager for a bank, my investment account, or email to begin with no matter how/where it is backed up. There's a HUGE difference between say your Macrumors/twitter/facebook login info where at most you lose access, and a bank/investment where someone can get at your real money and bankrupt you and make you homeless.
I totally agree with you. If we live in fear we should not use smartphones, text messages, emails, have credit cards, use an electronic identification ("eID") card, biometric passports. Should I remind our lovely users that even hospitals store sensitive data about their citizens? The street lights and traffic lights are connected to the internet. Even the satellite that makes sure you can make a phone call and send text messages is connected to the internet. The point is, if you want to be 100% safe and secure you would have to go about 500 years back into the past. The power grid that delivers electricity is also connected to the internet. Let's pray we will not be disconnected.
 