Huh? 1Password 7 isn't even written yet, and you're talking about 1Password 8? At some point, this just becomes absurd -- "they're not willing to promise me some feature I like will exist forever and ever, amen!" If AgileBits came out tomorrow and released a statement about 1Password 8 that was just as strong and unequivocal as the one they put out about 1Password 7, would you be back here going "yeah, but what about 1Password NINE???!?!!!?!!?!"

I believe them, 1Password 6 for Mac is fine....Even 1Password 7
"And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today"
I'm betting 1Password 8 is a different story though. As a company, why offer these 2 models? One makes less money one makes more? The writing is on the wall.
There have been many, many breaches of prestigious commercial and government sites....sites that were touted as totally secure. Recently, OneLogin:
https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/
They were secure too... right up till when they were not...now 2000+ companies are busy trying to recover from its impacts
OneLogin made the mistake of storing users' keys in the same place as their data. Bypass authentication gatekeeper, done. They're an SSO provider, not (strictly) a password manager. And because they rely upon authentication instead of solely on encryption, they were vulnerable to this.
Some customers don't see the advantage in the additional risk of hosting their data on a password manager developer's web site.
IMO online authentication = extra risk. Clearly, 2FA is no guarantee either.
You're right; it isn't. That's exactly the kind of gatekeeper method that's open to various attack vectors. That's why there is also a second encryption (not authentication) factor in 1Password accounts: the Secret Key. I did a LOT of research on this prior to signing up for it. If you want the full dive, try the latest draft of the security white paper: https://1pw.ca/whitepaper
Lots of folk don't like subscription model software either......If I paid for subscription software for all the applications (27) on my computer it would cost nearly $900 a month. This ain't a model I will support.
I actually agree with this, kinda. I myself was annoyed when Koingo tried to push users to a subscription model, but there's a difference. Koingo makes apps. There is no real reason for them to have a subscription model. Same thing with TextExpander's switch to a subscription -- there wasn't a reason for that, and they didn't offer much additional value.
I know most people these days just have a gmail account, but if you're a person who believes there's value in actually paying for email, like with Fastmail, you pay "a subscription." I have one of these, and I've never heard anyone who's had one complain that there's an annual charge. Why? Because everyone understands that they don't just offer apps/software; they offer a service. One that includes them maintaining and defending a constant online presence. Fastmail have bandwidth costs and storage costs for thousands, probably millions of users. That's just not covered by the completely separate cost of developing and maintaining an app or two.
I think AgileBits have shown their true colours. They had their chance. After nearly a decade I don't use them any more and can no longer recommend them to anyone.
Now I'm truly curious - what do you NOW use/recommend for password management, after abandoning 1P after a decade?
It doesn't matter if they store your password on their servers or not. If they get breached and thousands of people's vaults are taken, the cracking will begin. Many people won't use a super strong password on their 1Password vault, and that is the seed which determines your encryption key for your vault.
Actually, it's not. The AES keys that actually encrypt your data are derived from two entirely separate encryption factors. The first is indeed your Master Password. However, the second encryption factor is your Secret Key. AgileBits calls this "2-Secret Key Derivation," and AFAIK, 1Password is the only password manager to employ this additional layer of protection for users.
According to that link, the Secret Key is generated for you locally on your own device when you first sign up for a 1Password account, and is also never sent to 1Password's servers. It is composed of a randomly-generated string of letters and numbers long enough to equate to 128 bits of entropy. And since it's never transmitted to 1Password's servers in any form, that means the AES-256 encryption keys are derived in part from even the lamest Master Password, which otherwise could be cracked in seconds, combined with the Secret Key, which provides 128 bits of entropy on its own.
You have the age of the universe to crack this. Begin!
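The two-factor derivation described in the post above, as an added sketch that is not part of the thread and is not AgileBits' code: a weak Master Password and a locally generated 128-bit Secret Key are each turned into a key and combined, so guessing the password alone recovers nothing. The PBKDF2/HKDF/XOR construction, the iteration count, the `secret-key` and `vault-check` labels, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract with the salt, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: bytes,
                     salt: bytes, account_id: bytes) -> bytes:
    """Combine a slow password-derived key with a key from the device-held secret."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    sk_key = hkdf_sha256(secret_key, account_id, b"secret-key")  # label is assumed
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check(key: bytes) -> bytes:
    """Stand-in for 'this key decrypts the vault': a MAC over a fixed label."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def recover_password(stored_check, candidates, secret_key, salt, account_id):
    """Return the candidate whose derived key matches the stored check, else None."""
    for guess in candidates:
        key = derive_vault_key(guess, secret_key, salt, account_id)
        if hmac.compare_digest(key_check(key), stored_check):
            return guess
    return None


def demo():
    # Constructed sample values, not real account data.
    salt, account_id = b"constructed-salt", b"constructed-account-id"
    secret_key = secrets.token_bytes(16)  # 128 bits, generated on the device
    stored = key_check(derive_vault_key("hunter2", secret_key, salt, account_id))
    weak_guesses = ["123456", "password", "hunter2"]
    with_secret = recover_password(stored, weak_guesses, secret_key, salt, account_id)
    without_secret = recover_password(stored, weak_guesses, bytes(16), salt, account_id)
    return with_secret, without_secret
```

Calling `demo()` returns the weak password when the Secret Key is known and `None` when it is not, even though the correct password is in the guess list both times.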