Security Experts Wary as 1Password Subscriptions Push Users to Cloud-Based Vaults

[manu chao]

1Password is probably the most trustworthy password manager for macOS, but I'll never trust them with storing my passwords online. I wouldn't mind paying for a subscription if they add proper support for self hosting on iOS.

From anecdotal evidence, it would seem the majority of 1Password users already put their vaults into Dropbox or iCloud. Having passwords created on one device available on other devices is half the point of using a password vault.

 

[Chupa Chupa]

I trust more Apple with my data than 1Password. That simple.
Also some people prefer to use LOCAL only vaults and that is the main issue here, them possibly removing it in the future.
Right now you can have a encrypted vault syncing via WIFI, I don't think there is an option for non encrypted. Regarding public wifi, that is a very targeted attack.
A ONLINE password repository is much more yummy for black market hackers. See previous LastPass or OneLogin hacks...

Right, but functionally, thats comes down to how strong the encryption is, be it Apple or Last Past or One Pass. There is nothing inherently safer about storing any data, passwords, docs, video, on local drives than on the cloud. One or the other might be more convenient for a user but each has its own set of vulnerabilities.

 

[silvetti]

Right, but functionally, thats comes down to how strong the encryption is, be it Apple or Last Past or One Pass. There is nothing inherently safer about storing any data, passwords, docs, video, on local drives than on the cloud. One or the other might be more convenient for a user but each has its own set of vulnerabilities.

I agree, but from my perspective I think my database file is safer on apple's servers (iCloud) than on 1Password one.
Still I agree with you that there is no perfect system.

 

[coolfactor]

Another company that's trying to get people to pay many times for the same product.

I gladly pay subscription for something like Netflix, Hulu, Apple Music... things that CONSTANTLY come up with new content. I can't say the same for (almost) all apps.

Let's have some logic here.

The Cloud-based approach allows a company to offer a single, universal product across many platforms, while transparently updating it with fixes and new features.

It must be very expensive for a company to maintain many different apps that all need to sync with each other (Mac, iOS, Android, Windows, etc.). A cloud-based system solves that in one fell swoop, even if it comes with its own downsides, such as lacking native platform integration.

 

[Merode]

So much drama over such little thing. I bet most people complaining here don't even own or ever owned a license.

1Password is the best solution available in its category on the market. It has never been hacked and there has yet to be somebody whose vault's security has been breached. It's engineered in such a way that even in case of hack, it would take eons for somebody to decrypt your vaults by brute force.

I wonder how many people here take care of their passwords themselves: using only varied, long passwords and changing them every couple months. 3$ a month is not a lot for comprehensive security solution. It gets you all the updates and covers maintenance costs.

People think that server-side software is written once and nothing's done about it. I guarantee that 1Password's backend is probably constantly evolving. They probably regularly run pentests and audits which are not cheap.

Why use it over Keychain? There has been plent answers already. The most important - you might use Android, Windows, Mac and it all syncs up.

 

[JetTester]

There will be no new version with local vaults, there will be no offical way of purchasing a license (for new users) and the windows version already does not include a way to even create a local vault.

I have the latest Windows version, and you can create local vaults. Same with Mac and iOS versions.

 

[Wreckus]

I used 1password for years now and I did switch to their subscription model over a year ago. However, I wanted to have another solution that I don't have to subscribe to and my password vault was on a cloud platform that I chose, not forced to using their servers.

Sure, I looked at dashlane and lastpass; however, they were subscription base and I still don't trust lastpass with my info. Enpass was what I was looking for, no subscription and I can use OneDrive as my "cloud" choice to keep all my devices passwords in sync. Less than a week in and I have no issues and I love it and I even bought the Windows 10 version on the windows 10 app store in support (along with the IOS app).

I don't dispute the claim about having it in the cloud...actually I recommend it. But 1password needs to have 2 versions for everyone. First version is their subscription model, which you can subscribe within the app. The other version should be a one-time payment option to use whatever service you want to house your password vault. Whether it is OneDrive, icloud, Dropbox, or another well-known cloud service.

Lastly, I want my passwords to be mine and in a cloud service where I chose, not forced upon 1password, Lastpass ,or dashlane servers.

 

[78Bandit]

More meaningless justification for a subscription model. I've already got existing methods for syncing my password vault across devices and it works perfectly fine without constant assistance from 1Password. It sound like they are cutting the features already in the software in favor or mandating customers use their dedicated service. $36 per year for nothing more than storing files I already have on Dropbox is absolutely worthless.

I'm running a perpetual license on my iPhone and three PCs using Dropbox to sync my vault between devices. It has worked fine for a long time. While I certainly wouldn't object to a new release with additional features for an upgrade fee, as soon as they force a subscription model and don't let me choose whether or not to keep my old, functional software I'll find another password manager.

 

[5105973]

Wow, the evolution of my password keeping history just flashed before my eyes: First my once youthful and phenomenal memory for codes and passwords. Then yellow post it notes on my computer monitor for AOL, Prodigy and Geocities to name a few. Then a little notebook to make room for all of my accounts as I ventured further into the web. Then straight to 1Password.

I think their service has been superb but what I don't like about monthly subscriptions is that they are monthly. If they end up only offering subscriptions, and offer an annual lump sum option to keep track of, I'm for it. It's just a little preference of mine to aggregate most service payments into fewer but larger lumps to track.

 

[Merode]

I think their service has been superb but what I don't like about monthly subscriptions is that they are monthly. If they end up only offering subscriptions, and offer an annual lump sum option to keep track of, I'm for it. It's just a little preference of mine to aggregate most service payments into fewer but larger lumps to track.

They list monthly cost, but when it comes to billing you pay on yearly basis.

 

[5105973]

They list monthly cost, but when it comes to billing you pay on yearly basis.

Ah, thanks. Good to know if they knock off the non subscription version I'm currently using.

 

[netnothing]

Wow, the evolution of my password keeping history just flashed before my eyes: First my once youthful and phenomenal memory for codes and passwords. Then yellow post it notes on my computer monitor for AOL, Prodigy and Geocities to name a few. Then a little notebook to make room for all of my accounts as I ventured further into the web. Then straight to 1Password.

I think their service has been superb but what I don't like about monthly subscriptions is that they are monthly. If they end up only offering subscriptions, and offer an annual lump sum option to keep track of, I'm for it. It's just a little preference of mine to aggregate most service payments into fewer but larger lumps to track.

It's a monthly price but you pay annually. For me it was worth it. $36/year is a no brainer for supporting the company and getting all the apps and updates. For some that $36 is going to be a non-starter. Best to look for some free open source stuff then.

 

[avanpelt]

In my many years of using 1Password, I've found the owner of AgileBits, Dave, to be incredibly down-to-earth and he seems like a good guy. Based on my previous experiences with them, I'm not currently concerned that AgileBits will, in the end, make a decision that allows them to remain profitable and also satisfies me and allows me to remain a customer.

 

[Michaelgtrusa]

I can understand. Hackers are waiting.

 

[5105973]

It's a monthly price but you pay annually. For me it was worth it. $36/year is a no brainer for supporting the company and getting all the apps and updates. For some that $36 is going to be a non-starter. Best to look for some free open source stuff then.

Nah, we would pay if they drop the current non sub version. I have found the hard way in life you often get what you pay for.

For example, as much as I hate and left Facebook for the way it currently is, all intrusive and nosy and in my face, I would pay to use it if it means getting rid of all the crap that's currently used to monetize it. Then it would be a straightforward way of keeping in touch with friends and family with a few words and some visuals. But that's a discussion for another thread.

 

[ChristianVirtual]

Happy user of 1Password in my Macs and iOS devices. If subscription remain the only way one day: sayonara ... hope not because I really like the app.

I also dropped Evernote ... if needed I'm flexible ...

 

[chfilm]

I sent them an angry tweet, and so should you guys!

 

[itguy06]

I told you all this earlier in the year. And was met with "They won't do it" and "you can still buy perpetual licenses".

Luckily I moved over to Enpass earlier in the year. Local stores, as good as OnePassword, and no plans for the subscription nonsense.

 

[trainwrecka]

Only Westerners use this thing. Ridiculous.

Is that an argument? I don't want the subscription either, but not sure where the customer's location comes into play.

 

[CLS9]

Password manager app 1Password caused consternation in some quarters of the security community over the weekend when it emerged that the service's new subscription-based model will push users to adopt a cloud-based password storage system over locally stored password vaults.

Previously, 1Password was offered as a one-time license purchase that enabled users to store their passwords in an encrypted local vault, which security researchers say is more secure than keeping user data in a remote server because hackers are forced to break into a specific device.

Going forward, the service will push customers to monthly subscription plans that serve up remotely stored password vaults through the 1Password.com website. This allows users to access their passwords from any computer by logging into their account, but as noted Motherboard, the change has not been universally welcomed.

​

1Password responded to criticism on Twitter by saying that it had no plans to remove support for locally stored vaults for users who had purchased the app, but that it was advocating subscription-based memberships because "we feel it's the best way to use 1Password".

"We want our customers to get the best. Some people won't agree with that (which is fine!) so we'll work with them to get set up how they want, but for 99.9 percent of people, 1Password.com is absolutely the way to go," Connor Hicks, an engineer at 1Password, told Motherboard.

1Password's new cloud-based option costs $2.99 per month (or $4.99 for an account for up to five people). However, 1Password developer AgileBits reiterated it had no immediate plans to remove support for local/Dropbox/iCloud vaults, and that it was open to speaking with customers to "help them determine if a one-time license is really what's best for them".

Article Link: Security Experts Wary as 1Password Subscriptions Push Users to Cloud-Based Vaults

As much as I've loved and depended upon 1Password since its inception years ago, I will not pay for a subscription service. I think many software companies have turned to subscription services out of pure greed. I am just a personal user and backing up my files with Dropbox is my best option. I would hate to lose 1Password, but there are other products out there that I would choose over a subscription service.

 

[Kabeyun]

As with the last article on 1P, this isn't quite accurate. Users, even new licensees, can still sync (with no money-grabbing monthly fee to AgileBits) via iCloud, DropBox, or a common directory. I trust & choose iCloud for this. They're not quite deceptive but certainly sneaky in trying to steer you towards giving them more money but you don't have to.

In the future AgileBits may drop support for everything but their own servers, at which point I'll drop 1P like a hot rock. I hope they're reading.

 

[dkor]

Did anyone actually read their security explanation: https://1password.com/security/ ? I don't use them but it doesn't appear that even if someone hacks them and obtains your vault will be able to decrypt it.

Right. I'd be interested to see debate based on the actual security design (independent of opinions about the pricing mode). Is there a valid argument that a user's cloud vault could be decrypted by someone without access to the non-cloud 128-bit Secret Key from their devices (plus master password which may or may not be strong itself)?

 

[ryanmcv]

There are some products where you don't want to pay monthly. 1Password is not one of them. They are using AWS S3 object stores for password storage and store each object separately. This means someone would have to break into AWS, get the object, run it through an AES decrypt tool (not possible currently due to the two 'passwords' used in the cloud model) - only to find it's the PIN for your country club locker. Onto the next and so on.

In my opinion, some smaller companies deserve your ongoing support - especially those that manage your most personal items - passwords and PINs. I have switched to a family account. Security isn't about just the product - it's about he company behind it too.

Totally agree, although it seems we're in the minority. For the past 4 years, I used 1Password with my local vault stored in Dropbox for easy syncing. I decided to switch over to their family subscription a few months ago and it's been great. Everyone in my family gets their own vault and access to the iOS, Mac, and Windows apps for $60/year. Definitely worth it to me.

As for security, I would suggest reading up on how 1Password is storing and encrypting your data. I'm no expert, but it seems like it would be an insurmountable task for any hacker to first download your entire vault from AWS and then break the encryption. Not to say it's impossible, but it's not something I'm worried about.

https://1password.com/security/

 

[KennyFan]

I have the latest Windows version, and you can create local vaults. Same with Mac and iOS versions.

Are you sure? https://blog.agilebits.com/2017/06/20/introducing-1password-6-6-for-windows/

The latest version does not support local vaults!

 

[9917282]

Keep dreaming 1Password, you'll never see 36€ annually from me, not even 12€ annually. As soon as the standalone app isn't working anymore I'll go to the next one, I won't pay monthly to store some passwords when Apple does it for free. Goodbye!