
TheMacAvenger

macrumors newbie
Jan 23, 2009
The Deep South
I believe them, 1Password 6 for Mac is fine....Even 1Password 7
"And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today"

I'm betting 1Password 8 is a different story though. As a company, why offer these 2 models? One makes less money one makes more? The writing is on the wall.
Huh? 1Password 7 isn't even written yet, and you're talking about 1Password 8? At some point, this just becomes absurd -- "they're not willing to promise me some feature I like will exist forever and ever, amen!" If AgileBits came out tomorrow and released a statement about 1Password 8 that was just as strong and unequivocal as the one they put out about 1Password 7, would you be back here going "yeah, but what about 1Password NINE???!?!!!?!!?!"
There have been many, many breaches of prestigious commercial and government sites....sites that were touted as totally secure. Recently, OneLogin:

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

They were secure too... right up till when they were not...now 2000+ companies are busy trying to recover from its impacts

OneLogin made the mistake of storing users' keys in the same place as their data. Bypass authentication gatekeeper, done. They're an SSO provider, not (strictly) a password manager. And because they rely upon authentication instead of solely on encryption, they were vulnerable to this.

Some customers don't see the advantage in the additional risk of hosting their data on a password managers developers web site.

IMO online authentication = extra risk. Clearly, 2FA is no guarantee either.

You're right; it isn't. That's exactly the kind of gatekeeper method that's open to various attack vectors. That's why there is also a second encryption (not authentication) factor in 1Password accounts: the Secret Key. I did a LOT of research on this prior to signing up for it. If you want the full dive, try the latest draft of the security white paper: https://1pw.ca/whitepaper

Lots of folk don't like subscription model software either......If I paid for subscription software for all the applications (27) on my computer it would cost nearly $900 a month. This ain't a model I will support.

I actually agree with this, kinda. I myself was annoyed when Koingo tried to push users to a subscription model, but there's a difference. Koingo makes apps. There is no real reason for them to have a subscription model. Same thing with TextExpander's switch to a subscription -- there wasn't a reason for that, and they didn't offer much additional value.

I know most people these days just have a gmail account, but if you're a person who believes there's value in actually paying for email, like with Fastmail, you pay "a subscription." I have one of these, and I've never heard anyone who's had one complain that there's an annual charge. Why? Because everyone understands that they don't just offer apps/software; they offer a service. One that includes them maintaining and defending a constant online presence. Fastmail have bandwidth costs and storage costs for thousands, probably millions of users. That's just not covered by the completely separate cost of developing and maintaining an app or two.

I think AgileBits have shown their true colours. They had their chance. After nearly a decade I don't use them any more and can no longer recommend them to anyone.

Now I'm truly curious - what do you NOW use/recommend for password management, after abandoning 1P after a decade?
It doesn't matter if they store your password on their servers or not. If they get breached and thousands of people's vaults are taken, the cracking will begin. Many people won't use a super strong password on their 1Password vault, and that is the seed which determines your encryption key for your vault.

Actually, it's not. The AES keys that actually encrypt your data are derived from two entirely separate encryption factors. The first is indeed your Master Password. However, the second encryption factor is your Secret Key. AgileBits calls this "2-Secret Key Derivation," and AFAIK, 1Password is the only password manager to employ this additional layer of protection for users.

According to that link, the Secret Key is generated for you locally on your own device when you first sign up for a 1Password account, and is also never sent to 1Password's servers. It is composed of a randomly-generated string of letters and numbers long enough to equate to 128 bits of entropy. And since it's never transmitted to 1Password's servers in any form, that means the AES-256 encryption keys derived in part from even the lamest Master Password which otherwise could be cracked in seconds is combined with the Secret Key which provides 128 bits of entropy on its own.

You have the age of the universe to crack this. Begin! :)
 

Quu

macrumors 68040
Apr 2, 2007
Actually, it's not. The AES keys that actually encrypt your data are derived from two entirely separate encryption factors. The first is indeed your Master Password. However, the second encryption factor is your Secret Key. AgileBits calls this "2-Secret Key Derivation," and AFAIK, 1Password is the only password manager to employ this additional layer of protection for users.

According to that link, the Secret Key is generated for you locally on your own device when you first sign up for a 1Password account, and is also never sent to 1Password's servers. It is composed of a randomly-generated string of letters and numbers long enough to equate to 128 bits of entropy. And since it's never transmitted to 1Password's servers in any form, that means the AES-256 encryption keys derived in part from even the lamest Master Password which otherwise could be cracked in seconds is combined with the Secret Key which provides 128 bits of entropy on its own.

You have the age of the universe to crack this. Begin! :)

If 1Password's servers are breached, meaning someone has taken the vaults, it is conceivable that the perpetrators also have access to the 1Password infrastructure (such as the web login system) and thus can switch out the JavaScript that gets run in your browser to decrypt your vault for one that sends your secret key to the attackers.

Sticking all your eggs in one basket here. Sure, you can choose not to use their website for accessing your vault and only use the standalone apps, but that's one of the major reasons for choosing to use their subscription service which holds your vault on their servers: being able to access it on any platform regardless of your ability to install their standalone software (like at work or at an internet cafe or something).

The model is risky, I don't trust lastpass, I don't trust 1Password. I want my data where it belongs, on my computers. And for that reason I see no reason to pay 1Password per month for a service (hosted vaults) that I don't need from them. I'd rather pay once for the software standalone and use it standalone.

Now I'm not saying they should get rid of hosting people's vaults and doing subs, I'm saying they should give people the option to be able to have standalone vaults and a standard one time fee. The Windows v6 client offers neither of these features (no more standalone vaults, only hosted ones) and the v4 Windows client is rubbish. Thankfully the Mac one is better but if you intend to use Windows machines at all you need to use either their old buggy client v4 that has lots of issues with other software (like Synergy to name one) or you can pay monthly and host your vault in their cloud to use the v6 client.

All of this is a big hassle. I used 1Password because it made my life easier; that's no longer the case. I've moved to an alternative that costs a lot less, works just as well and looks better. For me that's Enpass.
 

TheMacAvenger

macrumors newbie
Jan 23, 2009
The Deep South
If 1Password folds, will people on the subscription plan be able to access/retrieve their passwords?
Yup:

If you use the 1Password apps, your data will always be cached locally on your devices, so you can view and edit it without an Internet connection. Any changes you make will become available on your other devices when you next go online.

(so it works if you don't have an internet connection because the power grid went down, or you traveled outside of service range, or AgileBits evaporated).
If (and I'm not arguing there is one), but IF someone had an exploit to get into 1Password accounts, I'd guess it would be worth far more than $100K.
How? There's basically two types of l337 haxx0r: white hat and black hat. The black hat guys are generally the ones out for themselves (or people who pay them): they're the criminals you want to defend against (note: not always, but I'm speaking in generalities). The white hat guys are people with similar skill-sets, but who want to make the internet a safer place by pointing out vulnerabilities and disclosing them appropriately and securely, so they can be addressed/patched/fixed.

Black hat hackers might not bother trying to go after a $100,000 prize if they thought they could make more money by simply performing the hack for real and selling to the highest bidder...but the white hat hackers will. That's why entire companies like BugCrowd exist: to crowd-source well-intentioned hackers and give them a way to be compensated for their efforts and the benefit they provide. To my knowledge, $100,000 is the largest bounty any developer has ever offered via BugCrowd -- and no one's been able to claim it yet. Your mileage may vary, but that's reassuring to ME.

So let's assume you're talking about the actual bad guys, the black hats. There's two levels to this: could they break into 1Password's servers? And (since data on 1Password's servers is always encrypted): could they either crack AES-256 encryption or obtain the credentials to simply decrypt the data?

I'll leave the first one aside for now (could these l337 haxx0rs gain access to 1Password's servers), partly because I assume a company like AgileBits whose sole focus is security would competently manage their website, but mostly because all of the people predicting doom in this thread seem to be starting from the presumption that someone breaking into 1Password's servers is inevitable. I disagree, but let's say that's already been done.

That leaves what your l337 haxx0rs would actually GET from such a hack. Namely: encrypted blobs. This is no different than what said l337 haxx0rs would get if they'd cracked either Dropbox or iCloud's servers and retrieved some 1Password vaults. 1Password has never depended for its cloud-sync security on the chops of whoever's running the sync service. The 1Password data is end-to-end encrypted.

So, encrypted blobs: your l337 haxx0r's got two choices there once they've got the actual encrypted data itself: either they HAVE the users' credentials already, or they'd need to acquire them somehow. Because 1Password never has users' encryption keys OR the means to acquire them (all de/encryption done locally, on users' devices), your l337 haxx0r's successful hack of 1Password's servers wouldn't also net them those credentials, so they'd need to go the second route, and acquire them.

Again: how? Mr(s) l337 haxx0r could try to socially engineer the account holders into telling them -- but that presumes they could tell which data is whose to begin with, so they could individually target those specific individuals. Time-consuming at best, even if they could tell who was who, and the users they targeted obligingly coughed up their Master Passwords. The hackers could try to crack AES-256 encryption itself, I suppose. I wish them best of luck with that. Other than that, though, if they don't have users' credentials and can't feasibly acquire them from the users, they're going to have to brute-force the Master Password to decrypt the data. There are tools that will allow your l337 haxx0r to run "dictionary attacks" (essentially guessing every possible combination) very quickly...but 1Password uses 100,000 rounds of PBKDF2 to slow these attacks way down.

But wait! What if your grandmother's memory isn't what it used to be, and she uses a really, really bad Master Password for her 1Password account that those nefarious l337 haxx0rs have managed to take the encrypted data from? Won't that be easier to brute-force, even with all that PBKDF2, than a good Master Password? Some...but not enough to matter. Why not? Because 1Password uses something no other password manager that I'm aware of does: something called Two-Secret Key Derivation. Instead of just the user-determined Master Password (which might indeed be not the strongest choice, depending on user), the actual encryption key itself to decrypt your data is derived NOT just from that Master Password you chose when you created your account, but also from a second encryption factor: what AgileBits calls your Secret Key. This is a randomly-generated string of upper-case letters and digits that is equivalent to not less than 128 bits of entropy, making even the weakest Master Password much stronger in practice.

In other words, if the AES-256 key used to encrypt your data is derived only from a Master Password of PrettyFlower1, it's indeed pretty weak. But on every 1Password account in existence (like mine and yours and everyone else's here who has one), that AES encryption key is derived from a combination of PrettyFlower1 PLUS a randomly-generated string that looks like: A3-NKXSTF-RXFHG-X47C5-45SZP-DHUF3-AWK0T. Have a look back at that chart about how long it would take, using a 4-GPU-enhanced hashcat setup (l337 haxx0r rig for brute-forcing passwords), to crack various keys with various bits of entropy. When you start getting into the trillions of years, I don't know about you, but I start feeling relatively safe.
Are you actually serious? 100.000 dollars? You think any professional criminal hacker would give that away for that low amount of money. That is hilarious. Hilarious!

Breaking into 1Password.com is worth millions of dollars if you sell it on the black market or to some government.

And there is a chance that (like in the case of the Yahoo hack) customers and the public would find out many years later.
Something is certainly hilarious in this thread, but it's not what you're imagining. What's becoming more and more amusing is people who in one breath will say that subscriptions are a money-grab or a particular piece of software is too expensive...and in the next breath suggest that l337 haxx0rs wouldn't and shouldn't get out of bed for $100K. :rolleyes:

There are a great many white hat folks who would definitely be motivated by $100K -- unless it's your position that only the bad guys are any good at hacking. That would truly be hilarious...ly insulting to every security researcher out there who isn't an actual criminal.
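The two-factor derivation that this post and the earlier one on "Two-Secret Key Derivation" describe can be shown in a few lines. The block below is an added teaching example, my own code rather than AgileBits' implementation or the exact scheme in their white paper: a slow PBKDF2 pass over the Master Password (the 100,000-round figure is the one quoted in the post) is XORed with a mask stretched from a random Secret Key of more than 128 bits, and a small offline guessing run over a constructed wordlist shows that recovering the Master Password alone yields nothing without the Secret Key. The salt, the HKDF info string, the XOR combination step and the dashed Secret Key layout are assumptions of the example.

```python
import hashlib
import hmac
import math
import secrets
import string

# Round count quoted in the thread; everything else here is an assumption of
# this example, not 1Password's actual design.
PBKDF2_ROUNDS = 100_000
ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, ~5.17 bits each


def generate_secret_key(chars: int = 25) -> str:
    """Random A-Z/0-9 string, dashed into groups of five for readability.
    25 symbols give about 129 bits, just clearing the 128-bit figure in the thread.
    Layout is constructed for this example, not 1Password's real format."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(chars))
    return "-".join(body[i:i + 5] for i in range(0, chars, 5))


def secret_key_entropy_bits(secret_key: str) -> float:
    """Entropy of a uniformly random Secret Key, ignoring the dashes."""
    return len(secret_key.replace("-", "")) * math.log2(len(ALPHABET))


def hkdf_expand(key: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF-Expand (RFC 5869) over HMAC-SHA256. Deliberately fast: the
    Secret Key is already high-entropy, so no slow stretching is needed on its side."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_vault_key(master_password: str, secret_key: str, salt: bytes,
                     rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Two-factor derivation: slow PBKDF2 over the Master Password, XORed with a
    mask derived from the Secret Key. Neither factor alone yields the vault key."""
    slow_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds, dklen=32)
    mask = hkdf_expand(secret_key.replace("-", "").encode(), b"example-2skd-mask", 32)
    return bytes(a ^ b for a, b in zip(slow_part, mask))


def guess_master_password(target_key: bytes, candidates, salt: bytes,
                          secret_key: str, rounds: int = PBKDF2_ROUNDS):
    """Resistance check: try each candidate Master Password with whatever Secret
    Key the caller holds and return the match, or None. Someone holding only a
    server-side copy of the data does not hold the real Secret Key, which is
    modelled here by passing a wrong or empty one."""
    for candidate in candidates:
        if hmac.compare_digest(derive_vault_key(candidate, secret_key, salt, rounds), target_key):
            return candidate
    return None


if __name__ == "__main__":
    salt = b"constructed-salt-for-demo"   # constructed; a real system uses a random per-user salt
    secret_key = generate_secret_key()
    weak_password = "PrettyFlower1"       # the weak example from the thread
    vault_key = derive_vault_key(weak_password, secret_key, salt)
    wordlist = ["password", "123456", "PrettyFlower", "PrettyFlower1", "hunter2"]  # constructed

    print(f"Secret Key entropy: {secret_key_entropy_bits(secret_key):.1f} bits")
    print("with the Secret Key    ->", guess_master_password(vault_key, wordlist, salt, secret_key))
    print("without the Secret Key ->", guess_master_password(vault_key, wordlist, salt, ""))
```

Run as a script it prints the entropy of the generated Secret Key, recovers "PrettyFlower1" when the Secret Key is supplied, and returns None when it is not, which is the whole point of the second factor: the PBKDF2 rounds only slow a guess down, while the Secret Key adds 128+ bits that a weak Master Password lacks.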
 

TheMacAvenger

macrumors newbie
Jan 23, 2009
The Deep South
One of the security researchers involved in the twitter spat actually tested this. He set up a brand new browser, went to the 1Password website, logged in using one single password and got his vault access. At what point was a secret key used?
I'd love to see that documented. Got a link?
...I see no reason to pay 1Password per month for a service (hosted vaults) that I don't need from them. I'd rather pay once for the software standalone and use it standalone.

Good news, then! You can.

...Thankfully the Mac one is better but if you intend to use Windows machines at all you need to use either their old buggy client v4 that has lots of issues with other software (like Synergy to name one) or you can pay monthly and host your vault in their cloud to use the v6 client.

Interestingly, if you intend to use 1Password on Windows as well as Mac, that would mean (assuming you're not using a 1Password account) that you'd need to use Dropbox to sync your data. Dropbox actually has had issues of the kind similar to what you're only speculating about with 1Password.

I've also used 1Password v4 for Windows plenty and would have to take exception to both "buggy" and "has lots of issues with other software." It is indeed older at this point -- but that doesn't make it buggy by itself. It's installable into Windows OSes from at least 7-10 (might even go back further than that; I wouldn't know).
So what I read into the AgileBits blog is that 1Password 6 and 7 are ok but 1Password 8 will force all paid users into a subscription model.
It will? Can you point out where it says anything at all about 1Password 8, let alone that it will force users into a subscription model? I have no idea what 1Password 8 will look like, but that's because 1Password 7 isn't even created yet, and AgileBits are like Apple in that future plans/rollout dates just aren't discussed. It's ready when it's ready. I'd be surprised if AgileBits was already making public pronouncements about 1Password 8.
 

Quu

macrumors 68040
Apr 2, 2007
I'd love to see that documented. Got a link?

Good news, then! You can.

Interestingly, if you intend to use 1Password on Windows as well as Mac, that would mean (assuming you're not using a 1Password account) that you'd need to use Dropbox to sync your data. Dropbox actually has had issues of the kind similar to what you're only speculating about with 1Password.

I've also used 1Password v4 for Windows plenty and would have to take exception to both "buggy" and "has lots of issues with other software." It is indeed older at this point -- but that doesn't make it buggy by itself. It's installable into Windows OSes from at least 7-10 (might even go back further than that; I wouldn't know).
It will? Can you point out where it says anything at all about 1Password 8, let alone that it will force users into a subscription model? I have no idea what 1Password 8 will look like, but that's because 1Password 7 isn't even created yet, and AgileBits are like Apple in that future plans/rollout dates just aren't discussed. It's ready when it's ready. I'd be surprised if AgileBits was already making public pronouncements about 1Password 8.

I use Syncthing for syncing, not Dropbox. Syncthing is self hosted, no central server and everything is encrypted AES256 without any passwords (only machines in your sync network can add new peers to the chain).

Also 1Password doesn't sell standalone anymore, Subs only. I already switched.

And I gave an example of how it doesn't work with Synergy. A very well used app for me. And it's quite buggy for me.
 

tkermit

macrumors 68040
Feb 20, 2004
https://blog.agilebits.com/2017/07/13/why-we-love-1password-memberships/

Posted today. The first half of the post is rah rah subscription (sigh). BUT: they say flat out after that that standalone vaults will not be going away for Mac users in 1Password 6 or 7.

Which is a start, anyway, though no help for Windows users at this point. Try not to laugh too hard at their insistence that this isn't a money grab.

Pretty amusing:

Please don’t think our excitement for memberships has anything to do with money.
yet

over 95% of our revenues are coming from subscribers


By the way, is it just me or is the comment area for that blog post full of positive messages coming from their very own employees. A lot of employees.
 

myob1984

macrumors newbie
Jul 12, 2017
1Password made a blog post
https://blog.agilebits.com/2017/07/13/why-we-love-1password-memberships/

"These worries are compounded by the fact that 1Password 6 for Windows was designed from the ground up to support 1Password Teams customers only (and then later expanded to include family and individual plans), and we are unsure how this adventure will play out on the Windows side of the world, so we haven’t made any public announcements about when support for standalone vaults will be added, if ever. Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.

This isn’t going to happen. First, it would be evil to take away something you’ve already paid for. And evil doesn’t make for a Happy 1Password Customer, which is the cornerstone for a Happy 1Password Maker. It’s simply not who we are.

......

And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today."
But they already have taken something away from Windows users. Windows V4 can't upgrade and continue to use local DB.
 

Quu

macrumors 68040
Apr 2, 2007
By the way, is it just me or is the comment area for that blog post full of positive messages coming from their very own employees. A lot of employees.

It is indeed; most of the comments are from their own employees. Total vacuum chamber over there. Of course they're going to say subscriptions are great, it directly leads to them earning $$$.

The funniest part to me is they have 80 employees (according to their own blog comments by an employee) and yet they're being outclassed by alternatives with 1/8th that many staff.

Took them years to make a Windows client that is up to snuff with the Mac version in usability and appearance yet it still doesn't have feature parity. Still no Linux version either. Why the heck do they need so many employees for a basic password manager? It boggles my mind how little they get done.
 

TheMacAvenger

macrumors newbie
Jan 23, 2009
The Deep South
I use Syncthing for syncing, not Dropbox. Syncthing is self hosted, no central server and everything is encrypted AES256 without any passwords (only machines in your sync network can add new peers to the chain).

Forgive my assumption. There are always unsupported, DIY solutions to nearly everything in the computer realm, and I think it's great you found a way to avoid using the built-in options within 1P to create a customized sync solution for yourself. But I'm certain you know this is an unsupported method (even though it may work), and I also think you would have to admit that this is simply not an option for the vast majority of users, because they have neither the time, the inclination nor the technical expertise to set such a thing up. That's why apps get judged on how "user-friendly" they are: because most people just aren't willing or able to do what you're doing.

Also 1Password doesn't sell standalone anymore, Subs only. I already switched.

Of course you can still buy standalone licenses. Just not on Windows, for the moment. Forgive me if I expect the forums at a site called "MACrumors" to be centered mostly around the Mac/iOS platforms. o_O

However, since you seem to be focusing primarily on both Windows and the hypothetical future, I'd recommend this comment from AgileBits' recent blog post on the subject:

We are really just getting started with 1Password 6 for Windows. We threw out seven years of development by deciding to rebuild. This is exciting, of course, because 1Password 6 is already awesome, and we were able to ensure it was built using the very best modern technologies, but it does mean we have to build everything from scratch[...]the fact that we don’t have those seven years of Windows development to reuse and build on does make the difficult task of predicting the future of 1Password that much harder. We’ve already made that mistake once and don’t want to make it again. We do want to add standalone vaults to 1Password 6 for Windows and in our perfect universe that will happen at some point down the line, but we don’t always live in our perfect universe. We’d ultimately rather make standalone vaults in 1Password 6 for Windows a pleasant surprise and accept whatever pushback we may get in the meantime than make promises we aren’t certain we can keep.

And I gave an example of how it doesn't work with Synergy. A very well used app for me. And it's quite buggy for me.

You did indeed. And I'm at a disadvantage here, having never used Synergy myself. However, a quick search for Synergy on AgileBits' forums turns up this thread which seems to indicate the problem is limited to using Secure Mode, and that it's NOT limited to 1Password but rather the case across a wide variety of other apps as well (meaning it's not really an argument that 1P's version 4 for Windows is "buggy" - at least, not in any major, disqualifying way; all software has bugs. For example: Cracking Synergy's Bad Cryptography - just for reference. o_O )

Bottom line: everyone's free to choose the solutions that work for them. Since you said you "already switched" to another password manager then all of this may not even be for you. I took the time to reply because so much of the FUD-stirring this past week seems either A) alarmist (standalone vaults sound like they're probably coming (back) to Windows, and still exist in version 4 anyway), B) inaccurate or C) inapplicable to all but a tiny sliver of users.
 

TonyK

macrumors 65816
May 24, 2009
I still remember when they removed syncing via USB so many years ago. There was such a long and loud rebuke from the users we got a standalone application for syncing data locally (via WiFi I believe) which is where WLAN came from.

Being part of that rebuke against AgileBits and their arrogant attitude at the time, the current action is not surprising. What has changed is there is at least one alternative to 1Password and maybe 2 if we count DataVault or KeePass.

If WLAN were to vanish many users would be hard pressed to continue with 1Password and likely would seek another application. For myself, I've already scoped out DataVault and may actually purchase it to see if it meets my needs. I use KeePass2 at work and like it well enough there and even have the iOS version so I can keep my work and personal passwords separated.
 

theluggage

macrumors 604
Jul 29, 2011
I'd love to see that documented. Got a link?

Yeah, sounds iffy. When you go to the site and sign in it asks for your email, your "private" key and master password but - I believe - they only get as far as the javascript running in your local browser where the password unlocks the private key, which is then used to respond to a challenge from the 1Password server.

There are times when it looks like the 1Password website knows your key (including during the registration process when it generates your 'emergency kit'), but (I hope!) it's actually being stored/generated locally.

...that's fine as long as the 1Password website doesn't get pwned, spoofed or MITM'd and your browser doesn't get infested with spyware - but if that did happen your password and private key could get slurped. It's probably your browser (the biggest attack surface on your computer) that's the weakest link.

With the local vaults, the master password never has to go anywhere near the browser (the browser plug-ins are optional and you could always 'unlock' using the app rather than the plug-in).

Oh, and anybody who prefers not to enable Javascript in their browser need not apply, of course...

The bottom line is, with a local vault, a hacker has to get your credentials and a copy of your vault. With the cloud, they just need your credentials.
 

TonyK

macrumors 65816
May 24, 2009
So you guys that are opposed to this are also opposed to services like LastPass and Dashlane ? Not the price but storing your passwords in the cloud.

Yes, I won't use centrally located remote systems for password management. How many times has LastPass been compromised? Won't store passwords in Dropbox, iCloud or other cloud type services for the same reason.

By the way, is it just me or is the comment area for that blog post full of positive messages coming from their very own employees. A lot of employees.

Yes, noted this as well. It seemed to be a rah rah section for the AgileBits people. < sigh />
 

Quu

macrumors 68040
Apr 2, 2007
Forgive my assumption. There are always unsupported, DIY solutions to nearly everything in the computer realm, and I think it's great you found a way to avoid using the built-in options within 1P to create a customized sync solution for yourself. But I'm certain you know this is an unsupported method (even though it may work), and I also think you would have to admit that this is simply not an option for the vast majority of users, because they have neither the time, the inclination nor the technical expertise to set such a thing up. That's why apps get judged on how "user-friendly" they are: because most people just aren't willing or able to do what you're doing.

1Password supports storing your vault on cloud syncing services. There's not really any special logic in the software that makes it only work on Dropbox. Dropbox monitors the file system for file changes within its directory then syncs those files. Box, iCloud, OwnCloud, One Drive, Syncthing and a whole host of others work the same way. So yeah, it's not supported, but so what? It's not rocket science to sync a static file database across machines.

The only time 1Password did anything specifically to make 1Password function on Dropbox was with their self hosted vault access pages that could be hosted from a Dropbox public share. And that ended a long time ago (Dropbox doesn't even offer Public folders anymore).

And for sure my personal syncing thing is not normal. But I have the choice, I have the choice with the older versions of 1Password (6 for Mac, 4 for Windows). I do not have that option on v6 for Windows.

You and I both know that v4 for Windows sucks. Just using the browser extension in Windows is annoying. For example, let's say it doesn't fill out a login form correctly (which it often doesn't): you have to copy and paste the username and login from the browser app into the browser form yourself, but each time you click to copy one of these the entire menu disappears.

It's even worse if you have to search for a login because then you have to type in the entire search again. The Mac version is much more fluid and remembers the state you were at when copying things. The search is miles better. Again this is me talking about the browser extension included on both platforms that integrates with the client software. The Windows v4 client itself looks like dog **** and runs very poorly, especially when you get into the high hundreds of logins, often taking long periods of time to do anything once it's loaded down with a large vault. The Mac version has no such issue and from what I'm reading on 1Password's forum neither does the new re-written v6 for Windows that I cannot buy or use.

Of course you can still buy standalone licenses. Just not on Windows, for the moment. Forgive me if I expect the forums at a site called "MACrumors" to be centered mostly around the Mac/iOS platforms. o_O

However, since you seem to be focusing primarily on both Windows and the hypothetical future, I'd recommend this comment from AgileBits' recent blog post on the subject:

$64.99 for a single standalone license for macOS. What are they smoking? That is outrageously overpriced. And again no Windows licenses can be bought for v4 and the v6 client doesn't have standalone vaults and is only available by subscription. I use many operating systems, Windows, Mac, Linux, iOS. I want my vault accessible everywhere and I want my data only on my devices. 1Password once offered that, no longer. And I'm not the only one that feels that way.

You did indeed. And I'm at a disadvantage here, having never used Synergy myself. However, a quick search for Synergy on AgileBits' forums turns up this thread which seems to indicate the problem is limited to using Secure Mode, and that it's NOT limited to 1Password but rather the case across a wide variety of other apps as well (meaning it's not really an argument that 1P's version 4 for Windows is "buggy" - at least, not in any major, disqualifying way; all software has bugs. For example: Cracking Synergy's Bad Cryptography - just for reference. o_O )

Synergy doesn't need encryption. It's a local only piece of software. It's pointless to me why they added it in the first place really, if someone is in your home network sniffing your data packets between computers then you've got bigger problems.

Synergy is just a tool to allow me to use one keyboard and one mouse to control multiple computers sat right next to each other. 1Password has problems with the software where other apps like enpass, keepass etc do not.

Bottom line: everyone's free to choose the solutions that work for them. Since you said you "already switched" to another password manager then all of this may not even be for you. I took the time to reply because so much of the FUD-stirring this past week seems either A) alarmist (standalone vaults sound like they're probably coming (back) to Windows, and still exist in version 4 anyway), B) inaccurate or C) inapplicable to all but a tiny sliver of users.

For sure everyone can use whatever solution they want. I was a big proponent of 1Password but it's obvious they only care about the money. They're in my **** list now next to EA and Comcast.
 

dotnet

macrumors 68000
Apr 10, 2015
1,600
1,291
Sydney, Australia
Dropbox monitors the file system for file changes within its directory, then syncs those files. Box, iCloud, OwnCloud, OneDrive, Syncthing and a whole host of others work the same way. So yeah, it's not supported, but so what? It's not rocket science to sync a static file database across machines.

From what I seem to remember about 1Password and iCloud, this isn't quite so. IIRC, 1Password uses CloudKit, and record-level syncing (and encryption). There is no filesystem monitoring or replicating database files involved.

If I do remember this incorrectly I'm sure someone will point it out...
 

tangfish

macrumors 6502
Sep 12, 2014
288
386
$64.99 for a single standalone license for macOS. What are they smoking? That is outrageously overpriced.

I actually don't think it's outrageous. I pay more than that for my homeowner's insurance and I consider 1Password a pretty essential form of insurance. Actually, as a standalone license holder I haven't paid them in quite a while and I think it's probably time.

What I am not cool with at all is them changing their entire revenue model from that of a safe I buy to keep in my house to that of a service where I leave my valuables with them to look after.

That's not what I want at all and I wouldn't use it no matter how cheaply they offered it, or even if it were free.
 

Quu

macrumors 68040
Apr 2, 2007
3,421
6,797
I actually don't think it's outrageous. I pay more than that for my homeowner's insurance and I consider 1Password a pretty essential form of insurance. Actually, as a standalone license holder I haven't paid them in quite a while and I think it's probably time.

What I am not cool with at all is them changing their entire revenue model from that of a safe I buy to keep in my house to that of a service where I leave my valuables with them to look after.

That's not what I want at all and I wouldn't use it no matter how cheaply they offered it, or even if it were free.

If they were operating in a vacuum with some kind of monopoly then they could charge that kind of money and get away with it. But there are hordes of alternatives, both paid at 1/6th that price and free. And to be honest 1Password isn't that great outside of Mac and iOS; alternatives that I've mentioned in this thread previously offer a better-looking client across more platforms.

I think honestly 1Password has too much code debt, trying to always reshape their previous architecture to fit new goals has made them bloated and slow. Plucky upstarts without any code debt are able to be more nimble and release a unified client across more platforms for 1/6th the price.
 

griz

macrumors 6502a
Dec 18, 2003
583
222
New London, NH
I use lastpass with a memorized 23 character master password and yubikey. Or Touch ID on my phone. How is that not secure? It is encrypted and decrypted locally. Anyone who wants to try to hack an encrypted blob with two factor and a long password can waste their time all they want. The sun will burn out long before they succeed.
Password vaults are only a problem if your master password is 'password'.
 

throAU

macrumors G3
Feb 13, 2012
8,827
6,987
Perth, Western Australia
There have been many, many breaches of prestigious commercial and government sites....sites that were touted as totally secure. Recently, onelogin:

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

They were secure too... right up till when they were not...now 2000+
companies are busy trying to recover from its impacts

Some customers don't see the advantage in the additional risk of hosting their data on a password manager developer's web site.

IMO online authentication = extra risk. Clearly, 2FA is no guarantee either.

The 1password folk will assure you that they are different and it cannot happen to them blah blah

But then there is this:
https://1password.com/legal/terms-of-service/
AgileBits, Inc. makes no guarantees, representations or warranties of any
kind as regards the website and associated technology. Any purportedly
applicable warranties, terms and conditions are excluded, to the fullest
extent permitted by law. Your use of the Service is at your sole risk.


Lots of folk don't like subscription model software either......If I paid for subscription software for all the applications (27) on my computer it would cost nearly $900 a month. This ain't a model I will support.

But what is really offensive is AgileBits' attitude (just read the responses to customer concerns on their user forum throughout this year) to anyone who does not embrace subscription software with users' login codes, passwords, credit card details and secure notes hosted on the developer's servers. In my opinion it's annoying, condescending, untruthful and just plain rude.

I think AgileBits have shown their true colours. They had their chance. After nearly a decade I don't use them any more and can no longer recommend them to anyone.

You're comparing a website hack - which has many constraints in order to remain fast enough to serve tens or hundreds of thousands of hits per second, to a strongly encrypted password database that can quite happily use enough rounds of encryption on the file to take 1 or more seconds to process for unlock by the end user.

These are two entirely different scenarios with totally different attack surfaces and totally different resource constraints.

Comparing a government website hack with a password database hack is like comparing apples to salami.

Sure, if there is malicious javascript on the web site after they have been hacked, and you use the web version to decrypt your passwords then perhaps that is a vector to getting compromised.

My suggestion would be: do not do that. This is why I don't use LastPass.

Use the app. This however does not invalidate the whole concept of cloud synchronised password DBs.

[doublepost=1500382024][/doublepost]
I still like the xkcd method. However I use several languages instead of just English. I had my Twitter and Netflix accounts attacked several times. After going to xkcd, it has never happened again.

I know some think it's no longer secure but it all depends on what words you're using. The more obscure the better.

The XKCD method will fall to any reasonably competent and determined attacker (i.e., one who has hacked the website and stolen the password hashes from said site and is running a GPU or, say, Amazon cloud resources against them). Combining random words via dictionary attack is a thing done by any competent attacker these days. The only really strong passwords are entirely randomly generated and, say, 12-14 characters or longer.

However the biggest thing to avoid is password re-use. Now if you're like the typical person on the internet these days you have hundreds of accounts, and remembering hundreds of unique passwords, even if they are like correct horse battery staple is downright impossible.

So you need to record them somewhere.

And if you're going to record them somewhere, then things like sticky notes are easily stolen or lost. Things like text files on your computer are easily stolen (and neither of those options sync). And then if you ever need to change password it is a complete pain in the rear.

So rather than spend time trying to memorise hundreds of unique passwords or try to keep them accessible via a paper pad that, if lost results in you being screwed, or in an unencrypted file on your PC which is easily stolen.... this is what a password manager is for.

To avoid password re-use, unless you have an eidetic memory, all you're going to end up doing is re-inventing an unencrypted password manager that doesn't sync via notepad, excel or whatever. Or store all your passwords on a single copy of paper that can be stolen or destroyed.

If I need to change a password using a password manager it is a total non-issue. I generate a new one, run through the password reset process, sync my database and job done. I didn't know the old password, so no need to bother trying to memorise the new one either. It requires zero additional effort and has almost zero impact on my work day to change a password.
[doublepost=1500382377][/doublepost]
The problem (as a 1Password customer myself) is that they have not upgraded the app for people who want local vaults synced to Dropbox. You are stuck on version 4 while the cloud version is at v6.

I downloaded v6 and when I enquired they told me to downgrade back to v4. They said they didn't have a timeframe for supporting local vaults in v6 and I asked this over 6 months ago.
[doublepost=1500083710][/doublepost]
My objection is paying $60 a year for storing passwords, compared to something like the utility of Office 365 which is $120 a year but also gives you 1TB cloud storage. I have so many subscriptions, I'd like to keep a lid on it.

I'd maybe go for it if it was cheaper. I've had 1Password 4 for what seems like years now and only paid something like $30-40 for it on special.


Uh... I have 1Password 6.7.2 on this iPad and am syncing to Dropbox. I bought it when version 4 was current....
[doublepost=1500382545][/doublepost]
The issue I have is that the version with the local vaults versus the subscription model have different user interfaces. The former one allows you to create nested folders as well as assign tags. The latter one has no folder support, but only the ability to assign tags. The difference may seem subtle or even redundant until you use it for a while. The hierarchical interface provided with nested folders makes organization much easier to me than just assigning tags to one flat, linear list of entries.

Tags in general are better than folders, though it may require a mindset adjustment.

Why? Because an entity can only be in one folder, but it can have multiple tags.

i.e., I have a password for, say, CNET.

Does it go in my computing folder, my news folder, or some other folder?

With tags, I could tag it "Computing" AND "news" and either tag search would find it.

Yes, this is a mindset change. Yes, this is a change to how you will locate things. But it is more flexible if you are willing to adapt.
 
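A worked illustration of the two points throAU makes above: that the strength of an XKCD-style passphrase is set by the number of words and the size of the wordlist rather than by the letters, and that a vault unlock wrapped in a slow key derivation (many rounds per guess) changes the attacker's guess rate in a way a fast web-site hash cannot. This is an added example, not code from the thread or from any vendor; the wordlist size, character set size and guess rate are constructed assumptions chosen to make the arithmetic readable.

```python
import hashlib
import math

# Constructed assumptions for the arithmetic, not measurements or vendor figures.
DICEWARE_WORDS = 7776             # size of the classic Diceware list (6**5)
PRINTABLE_CHARSET = 94            # printable ASCII without the space
FAST_HASH_GUESSES_PER_SEC = 1e10  # assumed rate against a fast hash on a GPU rig


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks out of `choices` symbols."""
    return count * math.log2(choices)


def passphrase_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """XKCD-style passphrase.

    A wordlist attack treats every word as one symbol, so only the number of
    words and the size of the list count; the letters inside the words add nothing.
    """
    return entropy_bits(wordlist_size, word_count)


def random_password_bits(length, charset_size=PRINTABLE_CHARSET):
    """Fully random password: every character is an independent symbol."""
    return entropy_bits(charset_size, length)


def guess_rate_with_kdf(fast_hash_rate, kdf_iterations):
    """Each guess against a PBKDF2-style vault key costs `kdf_iterations` hash
    computations instead of one, so the attacker's rate drops by that factor.
    This is the 'take a second to unlock' trade-off from the post."""
    return fast_hash_rate / kdf_iterations


def expected_crack_seconds(bits, guesses_per_sec):
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_sec


def derive_vault_key(master_password, salt, iterations):
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 from the standard library.
    The iteration count is the knob that makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    four_words = passphrase_bits(4)
    twelve_chars = random_password_bits(12)
    print(f"4 Diceware words: {four_words:.1f} bits")
    print(f"12 random chars:  {twelve_chars:.1f} bits")
    # Same passphrase, hashed fast on a web site vs. wrapped in a 100k-round KDF.
    fast = expected_crack_seconds(four_words, FAST_HASH_GUESSES_PER_SEC)
    slow = expected_crack_seconds(
        four_words, guess_rate_with_kdf(FAST_HASH_GUESSES_PER_SEC, 100_000))
    print(f"expected crack time, fast hash:      {fast / 86400:.1f} days")
    print(f"expected crack time, 100k-round KDF: {slow / (86400 * 365):.0f} years")
    # Constructed salt; a real vault stores a random per-vault salt next to the data.
    key = derive_vault_key("correct horse battery staple", b"constructed-salt", 100_000)
    print("derived key:", key.hex())
```

The numbers are the point rather than the code: four Diceware words (about 52 bits) fall in days at an assumed fast-hash rate, while the same passphrase behind a 100,000-round KDF costs the attacker a factor of 100,000 more per guess, and a 12-character random password adds another 27 bits on top. None of this helps against password reuse or a stolen session, which is the separate point made in the post.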

burgman

macrumors 68030
Sep 24, 2013
2,716
2,293
I use lastpass with a memorized 23 character master password and yubikey. Or Touch ID on my phone. How is that not secure? It is encrypted and decrypted locally. Anyone who wants to try to hack an encrypted blob with two factor and a long password can waste their time all they want. The sun will burn out long before they succeed.
Password vaults are only a problem if your master password is 'password'.
Pretty obvious that many posting here haven't a clue what AES-256 is. Some saying Keychain was better, must be because Apple sprinkles magic dust on their AES-256 salt pile. Others repeating LastPass has been hacked: yes, some exploits were found; total passwords or users compromised, /zero/. With so many avenues available to hackers to get personal information, attacking the repositories isn't a thing. I have switched to using the LastPass Authenticator app from YubiKey for 2-factor; works well for me. But I accept that nothing is 100%, and though I'm a snowflake, I'm not the keeper of the key of Erebor as many here act like they are.
 

dilbert99

macrumors 68020
Jul 23, 2012
2,193
1,829
Uh... I have 1Password 6.7.2 on this iPad and am syncing to Dropbox. I bought it when version 4 was current....

What does Uh... mean?

1Password 6 on Windows and Mac does not allow syncing with local vaults/Dropbox; that is the issue everyone on here is talking about. Not the iPad version. (Unless that has changed very recently - I raised a ticket with AgileBits about this and they confirmed they had no timescales for this because they were spending all their efforts on the cloud functionality.)
https://app-updates.agilebits.com/product_history/OPW6 - local vaults still not supported...
 

Primejimbo

macrumors 68040
Aug 10, 2008
3,295
131
Around
What does Uh... mean?

1Password 6 on Windows and Mac does not allow syncing with local vaults/Dropbox; that is the issue everyone on here is talking about. Not the iPad version. (Unless that has changed very recently - I raised a ticket with AgileBits about this and they confirmed they had no timescales for this because they were spending all their efforts on the cloud functionality.)
https://app-updates.agilebits.com/product_history/OPW6 - local vaults still not supported...
1Password 6 for Mac will sync to Dropbox and local vaults. I have a good friend who has this set up currently for his 2 Macs, iPhone, and iPad. I maintain his computers for his business, so I know it works.
 

dilbert99

macrumors 68020
Jul 23, 2012
2,193
1,829
1Password 6 for Mac will sync to Dropbox and local vaults. I have a good friend who has this set up currently for his 2 Macs, iPhone, and iPad. I maintain his computers for his business, so I know it works.
Ok, did more digging. It works on Mac because they added the new cloud services to the old v4 app and upped the version number to 6.

For Windows it's a different story. They rewrote the v6 app from scratch and decided that other features such as pretty icons were more important than local vaults. The skeptics here will say this is to push users to the cloud subscription model.

The Windows v6 of 1Password does not support local vaults/Dropbox.
 

Jago

macrumors regular
Jul 5, 2013
163
131
Really? Wow.

Dropbox doesn't use zero knowledge encryption. I would never sync my password database to it. That goes for using the standalone version of 1Password, Keepass or anything.

So if you're afraid of 1Password's cloud-based subscription model, you certainly don't want to be storing any sort of password database on Dropbox.
Uggh, why would I care? I can give you my .kdbx file if you want. Good luck opening it.
 